1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains the main GATT client functions
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bluetooth"
26
27 #include <string.h>
28
29 #include "bt_target.h"
30 #include "gatt_int.h"
31 #include "l2c_api.h"
32 #include "osi/include/allocator.h"
33 #include "osi/include/log.h"
34 #include "osi/include/osi.h"
35 #include "stack/arbiter/acl_arbiter.h"
36 #include "stack/eatt/eatt.h"
37 #include "stack/include/bt_types.h"
38 #include "types/bluetooth/uuid.h"
39
40 #include <base/logging.h>
41
42 #define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */
43 #define GATT_READ_CHAR_VALUE_HDL (GATT_READ_CHAR_VALUE | 0x80)
44 #define GATT_READ_INC_SRV_UUID128 (GATT_DISC_INC_SRVC | 0x90)
45
46 #define GATT_PREP_WRITE_RSP_MIN_LEN 4
47 #define GATT_NOTIFICATION_MIN_LEN 2
48 #define GATT_WRITE_RSP_MIN_LEN 2
49 #define GATT_INFO_RSP_MIN_LEN 1
50 #define GATT_MTU_RSP_MIN_LEN 2
51 #define GATT_READ_BY_TYPE_RSP_MIN_LEN 1
52
53 #define L2CAP_PKT_OVERHEAD 4
54
55 using base::StringPrintf;
56 using bluetooth::Uuid;
57 using bluetooth::eatt::EattExtension;
58 using bluetooth::eatt::EattChannel;
59
60 /*******************************************************************************
61 * G L O B A L G A T T D A T A *
62 ******************************************************************************/
63 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb);
64
65 uint8_t disc_type_to_att_opcode[GATT_DISC_MAX] = {
66 0,
67 GATT_REQ_READ_BY_GRP_TYPE, /* GATT_DISC_SRVC_ALL = 1, */
68 GATT_REQ_FIND_TYPE_VALUE, /* GATT_DISC_SRVC_BY_UUID, */
69 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_INC_SRVC, */
70 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_CHAR, */
71 GATT_REQ_FIND_INFO /* GATT_DISC_CHAR_DSCPT, */
72 };
73
74 uint16_t disc_type_to_uuid[GATT_DISC_MAX] = {
75 0, /* reserved */
76 GATT_UUID_PRI_SERVICE, /* <service> DISC_SRVC_ALL */
77 GATT_UUID_PRI_SERVICE, /* <service> for DISC_SERVC_BY_UUID */
78 GATT_UUID_INCLUDE_SERVICE, /* <include_service> for DISC_INC_SRVC */
79 GATT_UUID_CHAR_DECLARE, /* <characteristic> for DISC_CHAR */
80 0 /* no type filtering for DISC_CHAR_DSCPT */
81 };
82
83 /*******************************************************************************
84 *
85 * Function gatt_act_discovery
86 *
87 * Description GATT discovery operation.
88 *
89 * Returns void.
90 *
91 ******************************************************************************/
gatt_act_discovery(tGATT_CLCB * p_clcb)92 void gatt_act_discovery(tGATT_CLCB* p_clcb) {
93 uint8_t op_code = disc_type_to_att_opcode[p_clcb->op_subtype];
94
95 if (p_clcb->s_handle > p_clcb->e_handle || p_clcb->s_handle == 0) {
96 LOG_DEBUG("Completed GATT discovery of all handle ranges");
97 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
98 return;
99 }
100
101 tGATT_CL_MSG cl_req;
102 memset(&cl_req, 0, sizeof(tGATT_CL_MSG));
103
104 cl_req.browse.s_handle = p_clcb->s_handle;
105 cl_req.browse.e_handle = p_clcb->e_handle;
106
107 if (disc_type_to_uuid[p_clcb->op_subtype] != 0) {
108 cl_req.browse.uuid =
109 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
110 }
111
112 if (p_clcb->op_subtype ==
113 GATT_DISC_SRVC_BY_UUID) /* fill in the FindByTypeValue request info*/
114 {
115 cl_req.find_type_value.uuid =
116 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
117 cl_req.find_type_value.s_handle = p_clcb->s_handle;
118 cl_req.find_type_value.e_handle = p_clcb->e_handle;
119
120 size_t size = p_clcb->uuid.GetShortestRepresentationSize();
121 cl_req.find_type_value.value_len = size;
122 if (size == Uuid::kNumBytes16) {
123 uint8_t* p = cl_req.find_type_value.value;
124 UINT16_TO_STREAM(p, p_clcb->uuid.As16Bit());
125 } else if (size == Uuid::kNumBytes32) {
126 /* if service type is 32 bits UUID, convert it now */
127 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
128 Uuid::kNumBytes128);
129 cl_req.find_type_value.value_len = Uuid::kNumBytes128;
130 } else
131 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
132 size);
133 }
134
135 tGATT_STATUS st = attp_send_cl_msg(*p_clcb->p_tcb, p_clcb, op_code, &cl_req);
136 if (st != GATT_SUCCESS && st != GATT_CMD_STARTED) {
137 LOG_WARN("Unable to send ATT message");
138 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
139 }
140 }
141
142 /*******************************************************************************
143 *
144 * Function gatt_act_read
145 *
146 * Description GATT read operation.
147 *
148 * Returns void.
149 *
150 ******************************************************************************/
gatt_act_read(tGATT_CLCB * p_clcb,uint16_t offset)151 void gatt_act_read(tGATT_CLCB* p_clcb, uint16_t offset) {
152 tGATT_TCB& tcb = *p_clcb->p_tcb;
153 tGATT_STATUS rt = GATT_INTERNAL_ERROR;
154 tGATT_CL_MSG msg;
155 uint8_t op_code = 0;
156
157 memset(&msg, 0, sizeof(tGATT_CL_MSG));
158
159 switch (p_clcb->op_subtype) {
160 case GATT_READ_CHAR_VALUE:
161 case GATT_READ_BY_TYPE:
162 op_code = GATT_REQ_READ_BY_TYPE;
163 msg.browse.s_handle = p_clcb->s_handle;
164 msg.browse.e_handle = p_clcb->e_handle;
165 if (p_clcb->op_subtype == GATT_READ_BY_TYPE)
166 msg.browse.uuid = p_clcb->uuid;
167 else {
168 msg.browse.uuid = bluetooth::Uuid::From16Bit(GATT_UUID_CHAR_DECLARE);
169 }
170 break;
171
172 case GATT_READ_CHAR_VALUE_HDL:
173 case GATT_READ_BY_HANDLE:
174 if (!p_clcb->counter) {
175 op_code = GATT_REQ_READ;
176 msg.handle = p_clcb->s_handle;
177 } else {
178 if (!p_clcb->first_read_blob_after_read)
179 p_clcb->first_read_blob_after_read = true;
180 else
181 p_clcb->first_read_blob_after_read = false;
182
183 VLOG(1) << __func__ << ": first_read_blob_after_read="
184 << p_clcb->first_read_blob_after_read;
185 op_code = GATT_REQ_READ_BLOB;
186 msg.read_blob.offset = offset;
187 msg.read_blob.handle = p_clcb->s_handle;
188 }
189 p_clcb->op_subtype &= ~0x80;
190 break;
191
192 case GATT_READ_PARTIAL:
193 op_code = GATT_REQ_READ_BLOB;
194 msg.read_blob.handle = p_clcb->s_handle;
195 msg.read_blob.offset = offset;
196 break;
197
198 case GATT_READ_MULTIPLE:
199 op_code = GATT_REQ_READ_MULTI;
200 memcpy(&msg.read_multi, p_clcb->p_attr_buf, sizeof(tGATT_READ_MULTI));
201 break;
202
203 case GATT_READ_MULTIPLE_VAR_LEN:
204 op_code = GATT_REQ_READ_MULTI_VAR;
205 memcpy(&msg.read_multi, p_clcb->p_attr_buf, sizeof(tGATT_READ_MULTI));
206 break;
207
208 case GATT_READ_INC_SRV_UUID128:
209 op_code = GATT_REQ_READ;
210 msg.handle = p_clcb->s_handle;
211 p_clcb->op_subtype &= ~0x90;
212 break;
213
214 default:
215 LOG(ERROR) << "Unknown read type:" << +p_clcb->op_subtype;
216 break;
217 }
218
219 if (op_code != 0) rt = attp_send_cl_msg(tcb, p_clcb, op_code, &msg);
220
221 if (op_code == 0 || (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED)) {
222 gatt_end_operation(p_clcb, rt, NULL);
223 }
224 }
225
226 /** GATT write operation */
gatt_act_write(tGATT_CLCB * p_clcb,uint8_t sec_act)227 void gatt_act_write(tGATT_CLCB* p_clcb, uint8_t sec_act) {
228 tGATT_TCB& tcb = *p_clcb->p_tcb;
229
230 CHECK(p_clcb->p_attr_buf);
231 tGATT_VALUE& attr = *((tGATT_VALUE*)p_clcb->p_attr_buf);
232
233 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
234
235 switch (p_clcb->op_subtype) {
236 case GATT_WRITE_NO_RSP: {
237 p_clcb->s_handle = attr.handle;
238 uint8_t op_code = (sec_act == GATT_SEC_SIGN_DATA) ? GATT_SIGN_CMD_WRITE
239 : GATT_CMD_WRITE;
240 tGATT_STATUS rt = gatt_send_write_msg(tcb, p_clcb, op_code, attr.handle,
241 attr.len, 0, attr.value);
242 if (rt != GATT_CMD_STARTED) {
243 if (rt != GATT_SUCCESS) {
244 LOG(ERROR) << StringPrintf(
245 "gatt_act_write() failed op_code=0x%x rt=%d", op_code, rt);
246 }
247 gatt_end_operation(p_clcb, rt, NULL);
248 }
249 return;
250 }
251
252 case GATT_WRITE: {
253 if (attr.len <= (payload_size - GATT_HDR_SIZE)) {
254 p_clcb->s_handle = attr.handle;
255
256 tGATT_STATUS rt = gatt_send_write_msg(
257 tcb, p_clcb, GATT_REQ_WRITE, attr.handle, attr.len, 0, attr.value);
258 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED &&
259 rt != GATT_CONGESTED) {
260 if (rt != GATT_SUCCESS) {
261 LOG(ERROR) << StringPrintf(
262 "gatt_act_write() failed op_code=0x%x rt=%d", GATT_REQ_WRITE,
263 rt);
264 }
265 gatt_end_operation(p_clcb, rt, NULL);
266 }
267
268 } else {
269 /* prepare write for long attribute */
270 gatt_send_prepare_write(tcb, p_clcb);
271 }
272 return;
273 }
274
275 case GATT_WRITE_PREPARE:
276 gatt_send_prepare_write(tcb, p_clcb);
277 return;
278
279 default:
280 CHECK(false) << "Unknown write type" << p_clcb->op_subtype;
281 return;
282 }
283 }
284 /*******************************************************************************
285 *
286 * Function gatt_send_queue_write_cancel
287 *
288 * Description send queue write cancel
289 *
290 * Returns void.
291 *
292 ******************************************************************************/
gatt_send_queue_write_cancel(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,tGATT_EXEC_FLAG flag)293 void gatt_send_queue_write_cancel(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
294 tGATT_EXEC_FLAG flag) {
295 tGATT_STATUS rt;
296
297 VLOG(1) << __func__;
298
299 tGATT_CL_MSG gatt_cl_msg;
300 gatt_cl_msg.exec_write = flag;
301 rt = attp_send_cl_msg(tcb, p_clcb, GATT_REQ_EXEC_WRITE, &gatt_cl_msg);
302
303 if (rt != GATT_SUCCESS) {
304 gatt_end_operation(p_clcb, rt, NULL);
305 }
306 }
307 /*******************************************************************************
308 *
309 * Function gatt_check_write_long_terminate
310 *
311 * Description To terminate write long or not.
312 *
313 * Returns true: write long is terminated; false keep sending.
314 *
315 ******************************************************************************/
gatt_check_write_long_terminate(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,tGATT_VALUE * p_rsp_value)316 bool gatt_check_write_long_terminate(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
317 tGATT_VALUE* p_rsp_value) {
318 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
319 bool terminate = false;
320 tGATT_EXEC_FLAG flag = GATT_PREP_WRITE_EXEC;
321
322 VLOG(1) << __func__;
323 /* check the first write response status */
324 if (p_rsp_value != NULL) {
325 if (p_rsp_value->handle != p_attr->handle ||
326 p_rsp_value->len != p_clcb->counter ||
327 memcmp(p_rsp_value->value, p_attr->value + p_attr->offset,
328 p_rsp_value->len)) {
329 /* data does not match */
330 p_clcb->status = GATT_ERROR;
331 flag = GATT_PREP_WRITE_CANCEL;
332 terminate = true;
333 } else /* response checking is good */
334 {
335 p_clcb->status = GATT_SUCCESS;
336 /* update write offset and check if end of attribute value */
337 if ((p_attr->offset += p_rsp_value->len) >= p_attr->len) terminate = true;
338 }
339 }
340 if (terminate && p_clcb->op_subtype != GATT_WRITE_PREPARE) {
341 gatt_send_queue_write_cancel(tcb, p_clcb, flag);
342 }
343 return terminate;
344 }
345
346 /** Send prepare write */
gatt_send_prepare_write(tGATT_TCB & tcb,tGATT_CLCB * p_clcb)347 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb) {
348 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
349 uint8_t type = p_clcb->op_subtype;
350
351 VLOG(1) << __func__ << StringPrintf(" type=0x%x", type);
352 uint16_t to_send = p_attr->len - p_attr->offset;
353
354 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
355 if (to_send > (payload_size -
356 GATT_WRITE_LONG_HDR_SIZE)) /* 2 = uint16_t offset bytes */
357 to_send = payload_size - GATT_WRITE_LONG_HDR_SIZE;
358
359 p_clcb->s_handle = p_attr->handle;
360
361 uint16_t offset = p_attr->offset;
362 if (type == GATT_WRITE_PREPARE) {
363 offset += p_clcb->start_offset;
364 }
365
366 VLOG(1) << StringPrintf("offset =0x%x len=%d", offset, to_send);
367
368 tGATT_STATUS rt = gatt_send_write_msg(
369 tcb, p_clcb, GATT_REQ_PREPARE_WRITE, p_attr->handle, to_send, /* length */
370 offset, /* used as offset */
371 p_attr->value + p_attr->offset); /* data */
372
373 /* remember the write long attribute length */
374 p_clcb->counter = to_send;
375
376 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED && rt != GATT_CONGESTED) {
377 gatt_end_operation(p_clcb, rt, NULL);
378 }
379 }
380
381 /*******************************************************************************
382 *
383 * Function gatt_process_find_type_value_rsp
384 *
385 * Description This function handles the find by type value response.
386 *
387 *
388 * Returns void
389 *
390 ******************************************************************************/
gatt_process_find_type_value_rsp(UNUSED_ATTR tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint16_t len,uint8_t * p_data)391 void gatt_process_find_type_value_rsp(UNUSED_ATTR tGATT_TCB& tcb,
392 tGATT_CLCB* p_clcb, uint16_t len,
393 uint8_t* p_data) {
394 tGATT_DISC_RES result;
395 uint8_t* p = p_data;
396
397 VLOG(1) << __func__;
398 /* unexpected response */
399 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
400 p_clcb->op_subtype != GATT_DISC_SRVC_BY_UUID)
401 return;
402
403 memset(&result, 0, sizeof(tGATT_DISC_RES));
404 result.type = bluetooth::Uuid::From16Bit(GATT_UUID_PRI_SERVICE);
405
406 /* returns a series of handle ranges */
407 while (len >= 4) {
408 STREAM_TO_UINT16(result.handle, p);
409 STREAM_TO_UINT16(result.value.group_value.e_handle, p);
410 result.value.group_value.service_type = p_clcb->uuid;
411
412 len -= 4;
413
414 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
415 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
416 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
417 &result);
418 }
419
420 /* last handle + 1 */
421 p_clcb->s_handle = (result.value.group_value.e_handle == 0)
422 ? 0
423 : (result.value.group_value.e_handle + 1);
424 /* initiate another request */
425 gatt_act_discovery(p_clcb);
426 }
427 /*******************************************************************************
428 *
429 * Function gatt_process_read_info_rsp
430 *
431 * Description This function is called to handle the read information
432 * response.
433 *
434 *
435 * Returns void
436 *
437 ******************************************************************************/
gatt_process_read_info_rsp(UNUSED_ATTR tGATT_TCB & tcb,tGATT_CLCB * p_clcb,UNUSED_ATTR uint8_t op_code,uint16_t len,uint8_t * p_data)438 void gatt_process_read_info_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
439 UNUSED_ATTR uint8_t op_code, uint16_t len,
440 uint8_t* p_data) {
441 tGATT_DISC_RES result;
442 uint8_t *p = p_data, uuid_len = 0, type;
443
444 if (len < GATT_INFO_RSP_MIN_LEN) {
445 LOG(ERROR) << "invalid Info Response PDU received, discard.";
446 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
447 return;
448 }
449 /* unexpected response */
450 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
451 p_clcb->op_subtype != GATT_DISC_CHAR_DSCPT)
452 return;
453
454 STREAM_TO_UINT8(type, p);
455 len -= 1;
456
457 if (type == GATT_INFO_TYPE_PAIR_16)
458 uuid_len = Uuid::kNumBytes16;
459 else if (type == GATT_INFO_TYPE_PAIR_128)
460 uuid_len = Uuid::kNumBytes128;
461
462 while (len >= uuid_len + 2) {
463 STREAM_TO_UINT16(result.handle, p);
464
465 if (uuid_len > 0) {
466 if (!gatt_parse_uuid_from_cmd(&result.type, uuid_len, &p)) break;
467 } else
468 result.type = p_clcb->uuid;
469
470 len -= (uuid_len + 2);
471
472 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
473 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
474 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
475 &result);
476 }
477
478 p_clcb->s_handle = (result.handle == 0) ? 0 : (result.handle + 1);
479 /* initiate another request */
480 gatt_act_discovery(p_clcb);
481 }
482 /*******************************************************************************
483 *
484 * Function gatt_proc_disc_error_rsp
485 *
486 * Description Process the read by type response and send another request
487 * if needed.
488 *
489 * Returns void.
490 *
491 ******************************************************************************/
gatt_proc_disc_error_rsp(UNUSED_ATTR tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t opcode,UNUSED_ATTR uint16_t handle,uint8_t reason)492 void gatt_proc_disc_error_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
493 uint8_t opcode, UNUSED_ATTR uint16_t handle,
494 uint8_t reason) {
495 tGATT_STATUS status = (tGATT_STATUS)reason;
496
497 VLOG(1) << __func__
498 << StringPrintf("reason: %02x cmd_code %04x", reason, opcode);
499
500 switch (opcode) {
501 case GATT_REQ_READ_BY_GRP_TYPE:
502 case GATT_REQ_FIND_TYPE_VALUE:
503 case GATT_REQ_READ_BY_TYPE:
504 case GATT_REQ_FIND_INFO:
505 if (reason == GATT_NOT_FOUND) {
506 status = GATT_SUCCESS;
507 VLOG(1) << "Discovery completed";
508 }
509 break;
510 default:
511 LOG(ERROR) << StringPrintf("Incorrect discovery opcode %04x", opcode);
512 break;
513 }
514
515 gatt_end_operation(p_clcb, status, NULL);
516 }
517
518 /*******************************************************************************
519 *
520 * Function gatt_process_error_rsp
521 *
522 * Description This function is called to handle the error response
523 *
524 *
525 * Returns void
526 *
527 ******************************************************************************/
gatt_process_error_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,UNUSED_ATTR uint8_t op_code,UNUSED_ATTR uint16_t len,uint8_t * p_data)528 void gatt_process_error_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
529 UNUSED_ATTR uint8_t op_code,
530 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
531 uint8_t opcode, *p = p_data;
532 uint8_t reason;
533 uint16_t handle;
534 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
535
536 VLOG(1) << __func__;
537
538 if (len < 4) {
539 LOG(ERROR) << "Error response too short";
540 // Specification does not clearly define what should happen if error
541 // response is too short. General rule in BT Spec 5.0 Vol 3, Part F 3.4.1.1
542 // is: "If an error code is received in the Error Response that is not
543 // understood by the client, for example an error code that was reserved for
544 // future use that is now being used in a future version of this
545 // specification, then the Error Response shall still be considered to state
546 // that the given request cannot be performed for an unknown reason."
547 opcode = handle = 0;
548 reason = static_cast<tGATT_STATUS>(0x7f);
549 } else {
550 STREAM_TO_UINT8(opcode, p);
551 STREAM_TO_UINT16(handle, p);
552 STREAM_TO_UINT8(reason, p);
553 }
554
555 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
556 gatt_proc_disc_error_rsp(tcb, p_clcb, opcode, handle,
557 static_cast<tGATT_STATUS>(reason));
558 } else {
559 if ((p_clcb->operation == GATTC_OPTYPE_WRITE) &&
560 (p_clcb->op_subtype == GATT_WRITE) &&
561 (opcode == GATT_REQ_PREPARE_WRITE) && (p_attr) &&
562 (handle == p_attr->handle)) {
563 p_clcb->status = static_cast<tGATT_STATUS>(reason);
564 gatt_send_queue_write_cancel(tcb, p_clcb, GATT_PREP_WRITE_CANCEL);
565 } else if ((p_clcb->operation == GATTC_OPTYPE_READ) &&
566 ((p_clcb->op_subtype == GATT_READ_CHAR_VALUE_HDL) ||
567 (p_clcb->op_subtype == GATT_READ_BY_HANDLE)) &&
568 (opcode == GATT_REQ_READ_BLOB) &&
569 p_clcb->first_read_blob_after_read &&
570 (reason == GATT_NOT_LONG)) {
571 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
572 } else
573 gatt_end_operation(p_clcb, static_cast<tGATT_STATUS>(reason), NULL);
574 }
575 }
576 /*******************************************************************************
577 *
578 * Function gatt_process_prep_write_rsp
579 *
580 * Description This function is called to handle the read response
581 *
582 *
583 * Returns void
584 *
585 ******************************************************************************/
gatt_process_prep_write_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t op_code,uint16_t len,uint8_t * p_data)586 void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
587 uint8_t op_code, uint16_t len,
588 uint8_t* p_data) {
589 uint8_t* p = p_data;
590
591 tGATT_VALUE value = {
592 .conn_id = p_clcb->conn_id, .auth_req = GATT_AUTH_REQ_NONE,
593 };
594
595 VLOG(1) << StringPrintf("value resp op_code = %s len = %d",
596 gatt_dbg_op_name(op_code), len);
597
598 if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
599 len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
600 LOG(ERROR) << "illegal prepare write response length, discard";
601 gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
602 return;
603 }
604
605 STREAM_TO_UINT16(value.handle, p);
606 STREAM_TO_UINT16(value.offset, p);
607
608 value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
609
610 memcpy(value.value, p, value.len);
611
612 bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
613
614 if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
615 gatt_send_prepare_write(tcb, p_clcb);
616 return;
617 }
618
619 // We now know that we have not terminated, or else we would have returned
620 // early. We free the buffer only if the subtype is not equal to
621 // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
622 if (subtype_is_write_prepare) {
623 /* application should verify handle offset
624 and value are matched or not */
625 gatt_end_operation(p_clcb, p_clcb->status, &value);
626 }
627 }
628
629 /*******************************************************************************
630 *
631 * Function gatt_process_notification
632 *
633 * Description Handle the handle value indication/notification.
634 *
635 * Returns void
636 *
637 ******************************************************************************/
gatt_process_notification(tGATT_TCB & tcb,uint16_t cid,uint8_t op_code,uint16_t len,uint8_t * p_data)638 void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
639 uint16_t len, uint8_t* p_data) {
640 tGATT_VALUE value = {};
641 tGATT_REG* p_reg;
642 uint16_t conn_id;
643 tGATT_STATUS encrypt_status = {};
644 uint8_t* p = p_data;
645 uint8_t i;
646 tGATTC_OPTYPE event = (op_code == GATT_HANDLE_VALUE_IND)
647 ? GATTC_OPTYPE_INDICATION
648 : GATTC_OPTYPE_NOTIFICATION;
649
650 VLOG(1) << __func__;
651
652 // Ensure our packet has enough data (2 bytes)
653 if (len < GATT_NOTIFICATION_MIN_LEN) {
654 LOG(ERROR) << "illegal notification PDU length, discard";
655 return;
656 }
657
658 // Get 2 byte handle
659 STREAM_TO_UINT16(value.handle, p);
660
661 // Fail early if the GATT handle is not valid
662 if (!GATT_HANDLE_IS_VALID(value.handle)) {
663 /* illegal handle, send ack now */
664 if (op_code == GATT_HANDLE_VALUE_IND)
665 attp_send_cl_confirmation_msg(tcb, cid);
666 return;
667 }
668
669 // Calculate value length based on opcode
670 if (op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
671 // Ensure our packet has enough data; MIN + 2 more bytes for len value
672 if (len < GATT_NOTIFICATION_MIN_LEN + 2) {
673 LOG(ERROR) << "illegal notification PDU length, discard";
674 return;
675 }
676
677 // Allow multi value opcode to set value len from the packet
678 STREAM_TO_UINT16(value.len, p);
679
680 if (value.len > len - 4) {
681 LOG(ERROR) << "value.len (" << value.len << ") greater than length ("
682 << (len - 4);
683 return;
684 }
685
686 } else {
687 // For single value, just use the passed in len minus opcode length (2)
688 value.len = len - 2;
689 }
690
691 // Verify the new calculated length
692 if (value.len > GATT_MAX_ATTR_LEN) {
693 LOG(ERROR) << "value.len larger than GATT_MAX_ATTR_LEN, discard";
694 return;
695 }
696
697 // Handle indications differently
698 if (event == GATTC_OPTYPE_INDICATION) {
699 if (tcb.ind_count) {
700 /* this is an error case that receiving an indication but we
701 still has an indication not being acked yet.
702 For now, just log the error reset the counter.
703 Later we need to disconnect the link unconditionally.
704 */
705 LOG(ERROR) << __func__ << " rcv Ind. but ind_count=" << tcb.ind_count
706 << " (will reset ind_count)";
707 }
708
709 // Zero out the ind_count
710 tcb.ind_count = 0;
711
712 // Notify all registered clients with the handle value
713 // notification/indication
714 // Note: need to do the indication count and start timer first then do
715 // callback
716 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
717 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) tcb.ind_count++;
718 }
719
720 /* start a timer for app confirmation */
721 if (tcb.ind_count > 0) {
722 gatt_start_ind_ack_timer(tcb, cid);
723 } else { /* no app to indicate, or invalid handle */
724 attp_send_cl_confirmation_msg(tcb, cid);
725 }
726 }
727
728 encrypt_status = gatt_get_link_encrypt_status(tcb);
729
730 STREAM_TO_ARRAY(value.value, p, value.len);
731
732 tGATT_CL_COMPLETE gatt_cl_complete;
733 gatt_cl_complete.att_value = value;
734 gatt_cl_complete.cid = cid;
735
736 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
737 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
738 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
739 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
740 &gatt_cl_complete);
741 }
742 }
743
744 // If this is single value, then nothing is left to do
745 if (op_code != GATT_HANDLE_MULTI_VALUE_NOTIF) return;
746
747 // Need a signed type to check if the value is below 0
748 // as uint16_t doesn't have negatives so the negatives register as a number
749 // thus anything less than zero won't trigger the conditional and it is not
750 // always 0
751 // when done looping as value.len is arbitrary.
752 int16_t rem_len = (int16_t)len - (4 /* octets */ + value.len);
753
754 // Already streamed the first value and sent it, lets send the rest
755 while (rem_len > 4 /* octets */) {
756 // 2
757 STREAM_TO_UINT16(value.handle, p);
758 // + 2 = 4
759 STREAM_TO_UINT16(value.len, p);
760 // Accounting
761 rem_len -= 4;
762 // Make sure we don't read past the remaining data even if the length says
763 // we can Also need to watch comparing the int16_t with the uint16_t
764 value.len = std::min((uint16_t)rem_len, value.len);
765 if (value.len > sizeof(value.value)) {
766 LOG(ERROR) << "Unexpected value.len (>GATT_MAX_ATTR_LEN), stop";
767 return ;
768 }
769 STREAM_TO_ARRAY(value.value, p, value.len);
770 // Accounting
771 rem_len -= value.len;
772
773 gatt_cl_complete.att_value = value;
774 gatt_cl_complete.cid = cid;
775
776 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
777 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
778 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
779 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
780 &gatt_cl_complete);
781 }
782 }
783 }
784 }
785
786 /*******************************************************************************
787 *
788 * Function gatt_process_read_by_type_rsp
789 *
790 * Description This function is called to handle the read by type response.
791 * read by type can be used for discovery, or read by type or
792 * read characteristic value.
793 *
794 * Returns void
795 *
796 ******************************************************************************/
gatt_process_read_by_type_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t op_code,uint16_t len,uint8_t * p_data)797 void gatt_process_read_by_type_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
798 uint8_t op_code, uint16_t len,
799 uint8_t* p_data) {
800 tGATT_DISC_RES result;
801 tGATT_DISC_VALUE record_value;
802 uint8_t *p = p_data, value_len, handle_len = 2;
803 uint16_t handle = 0;
804
805 /* discovery procedure and no callback function registered */
806 if (((!p_clcb->p_reg) || (!p_clcb->p_reg->app_cb.p_disc_res_cb)) &&
807 (p_clcb->operation == GATTC_OPTYPE_DISCOVERY))
808 return;
809
810 if (len < GATT_READ_BY_TYPE_RSP_MIN_LEN) {
811 LOG(ERROR) << "Illegal ReadByType/ReadByGroupType Response length, discard";
812 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
813 return;
814 }
815
816 STREAM_TO_UINT8(value_len, p);
817 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
818 if ((value_len > (payload_size - 2)) || (value_len > (len - 1))) {
819 /* this is an error case that server's response containing a value length
820 which is larger than MTU-2
821 or value_len > message total length -1 */
822 LOG(ERROR) << __func__
823 << StringPrintf(
824 ": Discard response op_code=%d "
825 "vale_len=%d > (MTU-2=%d or msg_len-1=%d)",
826 op_code, value_len, (payload_size - 2), (len - 1));
827 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
828 return;
829 }
830
831 if (op_code == GATT_RSP_READ_BY_GRP_TYPE) handle_len = 4;
832
833 value_len -= handle_len; /* substract the handle pairs bytes */
834 len -= 1;
835
836 while (len >= (handle_len + value_len)) {
837 STREAM_TO_UINT16(handle, p);
838
839 if (!GATT_HANDLE_IS_VALID(handle)) {
840 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
841 return;
842 }
843
844 memset(&result, 0, sizeof(tGATT_DISC_RES));
845 memset(&record_value, 0, sizeof(tGATT_DISC_VALUE));
846
847 result.handle = handle;
848 result.type =
849 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
850
851 /* discover all services */
852 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
853 p_clcb->op_subtype == GATT_DISC_SRVC_ALL &&
854 op_code == GATT_RSP_READ_BY_GRP_TYPE) {
855 STREAM_TO_UINT16(handle, p);
856
857 if (!GATT_HANDLE_IS_VALID(handle)) {
858 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
859 return;
860 } else {
861 record_value.group_value.e_handle = handle;
862 if (!gatt_parse_uuid_from_cmd(&record_value.group_value.service_type,
863 value_len, &p)) {
864 LOG(ERROR) << "discover all service response parsing failure";
865 break;
866 }
867 }
868 }
869 /* discover included service */
870 else if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
871 p_clcb->op_subtype == GATT_DISC_INC_SRVC) {
872 if (value_len < 4) {
873 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 4.";
874 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
875 return;
876 }
877 STREAM_TO_UINT16(record_value.incl_service.s_handle, p);
878 STREAM_TO_UINT16(record_value.incl_service.e_handle, p);
879
880 if (!GATT_HANDLE_IS_VALID(record_value.incl_service.s_handle) ||
881 !GATT_HANDLE_IS_VALID(record_value.incl_service.e_handle)) {
882 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
883 return;
884 }
885
886 if (value_len == 6) {
887 uint16_t tmp;
888 STREAM_TO_UINT16(tmp, p);
889 record_value.incl_service.service_type =
890 bluetooth::Uuid::From16Bit(tmp);
891 } else if (value_len == 4) {
892 p_clcb->s_handle = record_value.incl_service.s_handle;
893 p_clcb->read_uuid128.wait_for_read_rsp = true;
894 p_clcb->read_uuid128.next_disc_start_hdl = handle + 1;
895 memcpy(&p_clcb->read_uuid128.result, &result, sizeof(result));
896 memcpy(&p_clcb->read_uuid128.result.value, &record_value,
897 sizeof(result.value));
898 p_clcb->op_subtype |= 0x90;
899 gatt_act_read(p_clcb, 0);
900 return;
901 } else {
902 LOG(ERROR) << __func__
903 << ": INCL_SRVC failed with invalid data value_len="
904 << +value_len;
905 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
906 return;
907 }
908 }
909 /* read by type */
910 else if (p_clcb->operation == GATTC_OPTYPE_READ &&
911 p_clcb->op_subtype == GATT_READ_BY_TYPE) {
912 p_clcb->counter = len - 2;
913 p_clcb->s_handle = handle;
914 if (p_clcb->counter == (payload_size - 4)) {
915 p_clcb->op_subtype = GATT_READ_BY_HANDLE;
916 if (!p_clcb->p_attr_buf)
917 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
918 if (p_clcb->counter <= GATT_MAX_ATTR_LEN) {
919 memcpy(p_clcb->p_attr_buf, p, p_clcb->counter);
920 gatt_act_read(p_clcb, p_clcb->counter);
921 } else {
922 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, (void*)p);
923 }
924 } else {
925 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
926 }
927 return;
928 } else /* discover characterisitic */
929 {
930 if (value_len < 3) {
931 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 3.";
932 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
933 return;
934 }
935 STREAM_TO_UINT8(record_value.dclr_value.char_prop, p);
936 STREAM_TO_UINT16(record_value.dclr_value.val_handle, p);
937 if (!GATT_HANDLE_IS_VALID(record_value.dclr_value.val_handle)) {
938 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
939 return;
940 }
941 if (!gatt_parse_uuid_from_cmd(&record_value.dclr_value.char_uuid,
942 (uint16_t)(value_len - 3), &p)) {
943 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
944 /* invalid format, and skip the result */
945 return;
946 }
947
948 /* UUID not matching */
949 if (!p_clcb->uuid.IsEmpty() &&
950 !record_value.dclr_value.char_uuid.IsEmpty() &&
951 record_value.dclr_value.char_uuid != p_clcb->uuid) {
952 len -= (value_len + 2);
953 continue; /* skip the result, and look for next one */
954 }
955
956 if (p_clcb->operation == GATTC_OPTYPE_READ)
957 /* UUID match for read characteristic value */
958 {
959 /* only read the first matching UUID characteristic value, and
960 discard the rest results */
961 p_clcb->s_handle = record_value.dclr_value.val_handle;
962 p_clcb->op_subtype |= 0x80;
963 gatt_act_read(p_clcb, 0);
964 return;
965 }
966 }
967 len -= (value_len + handle_len);
968
969 /* result is (handle, 16bits UUID) pairs */
970 memcpy(&result.value, &record_value, sizeof(result.value));
971
972 /* send callback if is discover procedure */
973 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
974 p_clcb->p_reg->app_cb.p_disc_res_cb)
975 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
976 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
977 &result);
978 }
979
980 p_clcb->s_handle = (handle == 0) ? 0 : (handle + 1);
981
982 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
983 /* initiate another request */
984 gatt_act_discovery(p_clcb);
985 } else /* read characteristic value */
986 {
987 gatt_act_read(p_clcb, 0);
988 }
989 }
990
991 /*******************************************************************************
992 *
993 * Function gatt_process_read_rsp
994 *
995 * Description This function is called to handle the read BLOB response
996 *
997 *
998 * Returns void
999 *
1000 ******************************************************************************/
gatt_process_read_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,UNUSED_ATTR uint8_t op_code,uint16_t len,uint8_t * p_data)1001 void gatt_process_read_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
1002 UNUSED_ATTR uint8_t op_code, uint16_t len,
1003 uint8_t* p_data) {
1004 uint16_t offset = p_clcb->counter;
1005 uint8_t* p = p_data;
1006
1007 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
1008
1009 if (p_clcb->operation == GATTC_OPTYPE_READ) {
1010 if (p_clcb->op_subtype != GATT_READ_BY_HANDLE) {
1011 p_clcb->counter = len;
1012 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
1013 } else {
1014 /* allocate GKI buffer holding up long attribute value */
1015 if (!p_clcb->p_attr_buf)
1016 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
1017
1018 /* copy attrobute value into cb buffer */
1019 if (offset < GATT_MAX_ATTR_LEN) {
1020 if ((len + offset) > GATT_MAX_ATTR_LEN)
1021 len = GATT_MAX_ATTR_LEN - offset;
1022
1023 p_clcb->counter += len;
1024
1025 memcpy(p_clcb->p_attr_buf + offset, p, len);
1026
1027 /* full packet for read or read blob rsp */
1028 bool packet_is_full;
1029 if (payload_size == p_clcb->read_req_current_mtu) {
1030 packet_is_full = (len == (payload_size - 1));
1031 } else {
1032 packet_is_full = (len == (p_clcb->read_req_current_mtu - 1) ||
1033 len == (payload_size - 1));
1034 p_clcb->read_req_current_mtu = payload_size;
1035 }
1036
1037 /* send next request if needed */
1038 if (packet_is_full && (len + offset < GATT_MAX_ATTR_LEN)) {
1039 VLOG(1) << StringPrintf(
1040 "full pkt issue read blob for remianing bytes old offset=%d "
1041 "len=%d new offset=%d",
1042 offset, len, p_clcb->counter);
1043 gatt_act_read(p_clcb, p_clcb->counter);
1044 } else /* end of request, send callback */
1045 {
1046 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
1047 }
1048 } else /* exception, should not happen */
1049 {
1050 LOG(ERROR) << "attr offset = " << +offset
1051 << " p_attr_buf = " << p_clcb->p_attr_buf;
1052 gatt_end_operation(p_clcb, GATT_NO_RESOURCES,
1053 (void*)p_clcb->p_attr_buf);
1054 }
1055 }
1056 } else {
1057 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
1058 p_clcb->op_subtype == GATT_DISC_INC_SRVC &&
1059 p_clcb->read_uuid128.wait_for_read_rsp) {
1060 p_clcb->s_handle = p_clcb->read_uuid128.next_disc_start_hdl;
1061 p_clcb->read_uuid128.wait_for_read_rsp = false;
1062 if (len == Uuid::kNumBytes128) {
1063 p_clcb->read_uuid128.result.value.incl_service.service_type =
1064 bluetooth::Uuid::From128BitLE(p);
1065 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
1066 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
1067 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
1068 &p_clcb->read_uuid128.result);
1069 gatt_act_discovery(p_clcb);
1070 } else {
1071 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
1072 }
1073 }
1074 }
1075 }
1076
1077 /*******************************************************************************
1078 *
1079 * Function gatt_process_handle_rsp
1080 *
1081 * Description This function is called to handle the write response
1082 *
1083 *
1084 * Returns void
1085 *
1086 ******************************************************************************/
gatt_process_handle_rsp(tGATT_CLCB * p_clcb)1087 void gatt_process_handle_rsp(tGATT_CLCB* p_clcb) {
1088 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
1089 }
1090 /*******************************************************************************
1091 *
1092 * Function gatt_process_mtu_rsp
1093 *
1094 * Description Process the configure MTU response.
1095 *
1096 *
1097 * Returns void
1098 *
1099 ******************************************************************************/
gatt_process_mtu_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint16_t len,uint8_t * p_data)1100 void gatt_process_mtu_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint16_t len,
1101 uint8_t* p_data) {
1102 uint16_t mtu;
1103 tGATT_STATUS status = GATT_SUCCESS;
1104
1105 if (len < GATT_MTU_RSP_MIN_LEN) {
1106 LOG(ERROR) << "invalid MTU response PDU received, discard.";
1107 status = GATT_INVALID_PDU;
1108 } else {
1109 STREAM_TO_UINT16(mtu, p_data);
1110
1111 LOG_INFO("Local pending MTU %d, Remote (%s) MTU %d",
1112 tcb.pending_user_mtu_exchange_value,
1113 tcb.peer_bda.ToString().c_str(), mtu);
1114
1115 /* Aim for MAX as we did in the request */
1116 if (mtu < GATT_DEF_BLE_MTU_SIZE) {
1117 tcb.payload_size = GATT_DEF_BLE_MTU_SIZE;
1118 } else {
1119 tcb.payload_size = std::min(mtu, (uint16_t)(GATT_MAX_MTU_SIZE));
1120 }
1121
1122 bluetooth::shim::arbiter::GetArbiter().OnIncomingMtuResp(tcb.tcb_idx,
1123 tcb.payload_size);
1124
1125 /* This is just to track the biggest MTU requested by the user.
1126 * This value will be used in the BTM_SetBleDataLength */
1127 if (tcb.pending_user_mtu_exchange_value > tcb.max_user_mtu) {
1128 tcb.max_user_mtu =
1129 std::min(tcb.pending_user_mtu_exchange_value, tcb.payload_size);
1130 }
1131 tcb.pending_user_mtu_exchange_value = 0;
1132
1133 LOG_INFO("MTU Exchange resulted in: %d", tcb.payload_size);
1134
1135 BTM_SetBleDataLength(tcb.peer_bda, tcb.max_user_mtu + L2CAP_PKT_OVERHEAD);
1136 }
1137
1138 gatt_end_operation(p_clcb, status, NULL);
1139 }
1140 /*******************************************************************************
1141 *
1142 * Function gatt_cmd_to_rsp_code
1143 *
1144 * Description Convert an ATT command op code into the corresponding
1145 * response code assume no error occurs.
1146 *
1147 * Returns response code.
1148 *
1149 ******************************************************************************/
gatt_cmd_to_rsp_code(uint8_t cmd_code)1150 uint8_t gatt_cmd_to_rsp_code(uint8_t cmd_code) {
1151 uint8_t rsp_code = 0;
1152
1153 if (cmd_code > 1 && cmd_code != GATT_CMD_WRITE) {
1154 rsp_code = cmd_code + 1;
1155 }
1156 return rsp_code;
1157 }
1158
1159 /** Find next command in queue and sent to server */
gatt_cl_send_next_cmd_inq(tGATT_TCB & tcb)1160 bool gatt_cl_send_next_cmd_inq(tGATT_TCB& tcb) {
1161 std::deque<tGATT_CMD_Q>* cl_cmd_q = nullptr;
1162
1163 while (
1164 gatt_is_outstanding_msg_in_att_send_queue(tcb) ||
1165 EattExtension::GetInstance()->IsOutstandingMsgInSendQueue(tcb.peer_bda)) {
1166 if (gatt_is_outstanding_msg_in_att_send_queue(tcb)) {
1167 cl_cmd_q = &tcb.cl_cmd_q;
1168 } else {
1169 EattChannel* channel =
1170 EattExtension::GetInstance()->GetChannelWithQueuedDataToSend(
1171 tcb.peer_bda);
1172 cl_cmd_q = &channel->cl_cmd_q_;
1173 }
1174
1175 tGATT_CMD_Q& cmd = cl_cmd_q->front();
1176 if (!cmd.to_send || cmd.p_cmd == NULL) {
1177 return false;
1178 }
1179
1180 tGATT_STATUS att_ret;
1181 att_ret = attp_send_msg_to_l2cap(tcb, cmd.cid, cmd.p_cmd);
1182
1183 if (att_ret != GATT_SUCCESS && att_ret != GATT_CONGESTED) {
1184 LOG(ERROR) << __func__ << ": L2CAP sent error";
1185 cl_cmd_q->pop_front();
1186 continue;
1187 }
1188
1189 cmd.to_send = false;
1190 cmd.p_cmd = NULL;
1191
1192 if (cmd.op_code == GATT_CMD_WRITE || cmd.op_code == GATT_SIGN_CMD_WRITE) {
1193 /* dequeue the request if is write command or sign write */
1194 uint8_t rsp_code;
1195 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cmd.cid, &rsp_code);
1196
1197 /* send command complete callback here */
1198 gatt_end_operation(p_clcb, att_ret, NULL);
1199
1200 /* if no ack needed, keep sending */
1201 if (att_ret == GATT_SUCCESS) continue;
1202
1203 return true;
1204 }
1205
1206 gatt_start_rsp_timer(cmd.p_clcb);
1207 return true;
1208 }
1209
1210 return false;
1211 }
1212
1213 /** This function is called to handle the server response to client */
gatt_client_handle_server_rsp(tGATT_TCB & tcb,uint16_t cid,uint8_t op_code,uint16_t len,uint8_t * p_data)1214 void gatt_client_handle_server_rsp(tGATT_TCB& tcb, uint16_t cid,
1215 uint8_t op_code, uint16_t len,
1216 uint8_t* p_data) {
1217 VLOG(1) << __func__ << " opcode: " << loghex(op_code) << " cid" << +cid;
1218
1219 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, cid);
1220
1221 if (op_code == GATT_HANDLE_VALUE_IND || op_code == GATT_HANDLE_VALUE_NOTIF ||
1222 op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
1223 if (len >= payload_size) {
1224 LOG(ERROR) << StringPrintf(
1225 "%s: invalid indicate pkt size: %d, PDU size: %d", __func__, len + 1,
1226 payload_size);
1227 return;
1228 }
1229
1230 gatt_process_notification(tcb, cid, op_code, len, p_data);
1231 return;
1232 }
1233
1234 uint8_t cmd_code = 0;
1235 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cid, &cmd_code);
1236 if (!p_clcb) {
1237 LOG_WARN("ATT - clcb already not in use, ignoring response");
1238 gatt_cl_send_next_cmd_inq(tcb);
1239 return;
1240 }
1241
1242 uint8_t rsp_code = gatt_cmd_to_rsp_code(cmd_code);
1243 if (!p_clcb) {
1244 LOG_WARN("ATT - clcb already not in use, ignoring response");
1245 gatt_cl_send_next_cmd_inq(tcb);
1246 return;
1247 }
1248
1249 if (rsp_code != op_code && op_code != GATT_RSP_ERROR) {
1250 LOG(WARNING) << StringPrintf(
1251 "ATT - Ignore wrong response. Receives (%02x) Request(%02x) Ignored",
1252 op_code, rsp_code);
1253 return;
1254 }
1255
1256 gatt_stop_rsp_timer(p_clcb);
1257 p_clcb->retry_count = 0;
1258
1259 /* the size of the message may not be bigger than the local max PDU size*/
1260 /* The message has to be smaller than the agreed MTU, len does not count
1261 * op_code */
1262 if (len >= payload_size) {
1263 LOG(ERROR) << StringPrintf(
1264 "%s: invalid response pkt size: %d, PDU size: %d", __func__, len + 1,
1265 payload_size);
1266 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
1267 } else {
1268 switch (op_code) {
1269 case GATT_RSP_ERROR:
1270 gatt_process_error_rsp(tcb, p_clcb, op_code, len, p_data);
1271 break;
1272
1273 case GATT_RSP_MTU: /* 2 bytes mtu */
1274 gatt_process_mtu_rsp(tcb, p_clcb, len, p_data);
1275 break;
1276
1277 case GATT_RSP_FIND_INFO:
1278 gatt_process_read_info_rsp(tcb, p_clcb, op_code, len, p_data);
1279 break;
1280
1281 case GATT_RSP_READ_BY_TYPE:
1282 case GATT_RSP_READ_BY_GRP_TYPE:
1283 gatt_process_read_by_type_rsp(tcb, p_clcb, op_code, len, p_data);
1284 break;
1285
1286 case GATT_RSP_READ:
1287 case GATT_RSP_READ_BLOB:
1288 case GATT_RSP_READ_MULTI:
1289 case GATT_RSP_READ_MULTI_VAR:
1290 gatt_process_read_rsp(tcb, p_clcb, op_code, len, p_data);
1291 break;
1292
1293 case GATT_RSP_FIND_TYPE_VALUE: /* disc service with UUID */
1294 gatt_process_find_type_value_rsp(tcb, p_clcb, len, p_data);
1295 break;
1296
1297 case GATT_RSP_WRITE:
1298 gatt_process_handle_rsp(p_clcb);
1299 break;
1300
1301 case GATT_RSP_PREPARE_WRITE:
1302 gatt_process_prep_write_rsp(tcb, p_clcb, op_code, len, p_data);
1303 break;
1304
1305 case GATT_RSP_EXEC_WRITE:
1306 gatt_end_operation(p_clcb, p_clcb->status, NULL);
1307 break;
1308
1309 default:
1310 LOG(ERROR) << __func__ << ": Unknown opcode = " << std::hex << op_code;
1311 break;
1312 }
1313 }
1314
1315 gatt_cl_send_next_cmd_inq(tcb);
1316 }
1317