1 /******************************************************************************
2 *
3 * Copyright 2014 The Android Open Source Project
4 * Copyright 2003-2012 Broadcom Corporation
5 *
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *
18 ******************************************************************************/
19
20 /******************************************************************************
21 *
22 * This file contains the audio gateway functions performing SDP
23 * operations.
24 *
25 ******************************************************************************/
26
27 #include <bluetooth/log.h>
28 #include <com_android_bluetooth_flags.h>
29
30 #include <cstddef>
31 #include <cstdint>
32 #include <cstring>
33
34 #include "bta/hf_client/bta_hf_client_int.h"
35 #include "bta/include/bta_hf_client_api.h"
36 #include "bta/include/bta_rfcomm_metrics.h"
37 #include "bta/include/bta_rfcomm_scn.h"
38 #include "bta/sys/bta_sys.h"
39 #include "bta_hfp_api.h"
40 #include "common/bind.h"
41 #include "common/time_util.h"
42 #include "internal_include/bt_target.h"
43 #include "osi/include/allocator.h"
44 #include "sdp_status.h"
45 #include "stack/include/bt_types.h"
46 #include "stack/include/bt_uuid16.h"
47 #include "stack/include/sdp_api.h"
48 #include "stack/include/sdpdefs.h"
49 #include "stack/sdp/sdp_discovery_db.h"
50 #include "types/bluetooth/uuid.h"
51 #include "types/raw_address.h"
52
53 using bluetooth::Uuid;
54 using namespace bluetooth::legacy::stack::sdp;
55 using namespace bluetooth;
56
/* Number of protocol elements in the protocol element list. bta_hf_client_add_record() fills
 * one L2CAP entry and one RFCOMM entry. */
#define BTA_HF_CLIENT_NUM_PROTO_ELEMS 2

/* Number of elements in the service class id list. bta_hf_client_add_record() fills the
 * Hands-Free and Generic Audio service classes. */
#define BTA_HF_CLIENT_NUM_SVC_ELEMS 2
62
63 /*******************************************************************************
64 *
65 * Function bta_hf_client_sdp_cback
66 *
67 * Description SDP callback function.
68 *
69 *
70 * Returns void
71 *
72 ******************************************************************************/
/* Callback bound by bta_hf_client_do_disc(): stores the SDP outcome in the control block's
 * metrics and posts a discovery-result message for this client handle. The peer address
 * argument is unused. */
static void bta_hf_client_sdp_cback(tBTA_HF_CLIENT_CB* client_cb, const RawAddress& /* bd_addr */,
                                    tSDP_STATUS status) {
  /* NOTE(review): the buffer is written without a null check; this assumes osi_malloc never
   * returns NULL - confirm against the allocator. */
  auto* p_result = static_cast<tBTA_HF_CLIENT_DISC_RESULT*>(
          osi_malloc(sizeof(tBTA_HF_CLIENT_DISC_RESULT)));

  log::verbose("bta_hf_client_sdp_cback status:0x{:x}", status);

  /* Acceptor and initiator roles report the result through different events. */
  const uint16_t event = (client_cb->role == BTA_HF_CLIENT_ACP) ? BTA_HF_CLIENT_DISC_ACP_RES_EVT
                                                                 : BTA_HF_CLIENT_DISC_INT_RES_EVT;

  /* Record the outcome and the completion time (microseconds scaled down to milliseconds). */
  const bool succeeded = (status == tSDP_STATUS::SDP_SUCCESS);
  client_cb->sdp_metrics.status = succeeded ? tBTA_JV_STATUS::SUCCESS : tBTA_JV_STATUS::FAILURE;
  client_cb->sdp_metrics.sdp_end_ms = common::time_gettimeofday_us() / 1000;

  /* layer_specific carries the client handle so the receiver can find the control block. */
  p_result->hdr.event = event;
  p_result->hdr.layer_specific = client_cb->handle;
  p_result->status = status;

  /* Presumably bta_sys_sendmsg takes ownership of the buffer; it is not freed here. */
  bta_sys_sendmsg(p_result);
}
98
99 /******************************************************************************
100 *
101 * Function bta_hf_client_add_record
102 *
103 * Description This function is called by a server application to add
104 * HFP Client information to an SDP record. Prior to
105 * calling this function the application must call
106 * get_legacy_stack_sdp_api()->handle.SDP_CreateRecord() to
107 * create an SDP record.
108 *
109 * Returns true if function execution succeeded,
110 * false if function execution failed.
111 *
112 *****************************************************************************/
/* Populates an existing SDP record with the HFP client attributes.
 *
 * p_service_name  optional service name; skipped when NULL or empty
 * scn             RFCOMM server channel number placed in the protocol descriptor list
 * features        local feature mask, translated to the SDP SupportedFeatures layout
 * sdp_handle      handle of the record to fill
 *
 * Returns true only if every SDP call succeeded. A failing call does not stop the later ones,
 * so the record can be left partially populated when false is returned. */
bool bta_hf_client_add_record(const char* p_service_name, uint8_t scn, tBTA_HF_CLIENT_FEAT features,
                              uint32_t sdp_handle) {
  log::verbose("bta_hf_client_add_record");
  log::info("features: {}", features);

  bool ok = true;

  /* Protocol descriptor list: L2CAP without parameters, then RFCOMM with the channel number. */
  tSDP_PROTOCOL_ELEM protocols[BTA_HF_CLIENT_NUM_PROTO_ELEMS];
  memset(protocols, 0, sizeof(protocols));
  protocols[0].protocol_uuid = UUID_PROTOCOL_L2CAP;
  protocols[0].num_params = 0;
  protocols[1].protocol_uuid = UUID_PROTOCOL_RFCOMM;
  protocols[1].num_params = 1;
  protocols[1].params[0] = scn;
  ok &= get_legacy_stack_sdp_api()->handle.SDP_AddProtocolList(
          sdp_handle, BTA_HF_CLIENT_NUM_PROTO_ELEMS, protocols);

  /* Service class id list. */
  uint16_t service_classes[BTA_HF_CLIENT_NUM_SVC_ELEMS];
  service_classes[0] = UUID_SERVCLASS_HF_HANDSFREE;
  service_classes[1] = UUID_SERVCLASS_GENERIC_AUDIO;
  ok &= get_legacy_stack_sdp_api()->handle.SDP_AddServiceClassIdList(
          sdp_handle, BTA_HF_CLIENT_NUM_SVC_ELEMS, service_classes);

  /* Profile descriptor list: Hands-Free at the stack's default HFP version. */
  const uint16_t hfp_profile = UUID_SERVCLASS_HF_HANDSFREE;
  const uint16_t hfp_version = get_default_hfp_version();
  ok &= get_legacy_stack_sdp_api()->handle.SDP_AddProfileDescriptorList(sdp_handle, hfp_profile,
                                                                        hfp_version);

  /* Service name, including its terminating NUL, when one was supplied. */
  if (p_service_name != nullptr && *p_service_name != '\0') {
    ok &= get_legacy_stack_sdp_api()->handle.SDP_AddAttribute(
            sdp_handle, ATTR_ID_SERVICE_NAME, TEXT_STR_DESC_TYPE,
            static_cast<uint32_t>(strlen(p_service_name) + 1),
            reinterpret_cast<uint8_t*>(const_cast<char*>(p_service_name)));
  }

  /* Supported features. Only the bits named below are advertised; anything else in the
   * caller's mask is dropped. */
  uint16_t sdp_features = 0;
  const auto advertise_if_set = [&](auto flag) {
    if (features & flag) {
      sdp_features |= flag;
    }
  };
  advertise_if_set(BTA_HF_CLIENT_FEAT_ECNR);
  advertise_if_set(BTA_HF_CLIENT_FEAT_3WAY);
  advertise_if_set(BTA_HF_CLIENT_FEAT_CLI);
  advertise_if_set(BTA_HF_CLIENT_FEAT_VREC);
  advertise_if_set(BTA_HF_CLIENT_FEAT_VOL);

  /* Codec bit position is different in SDP (bit 5) and in BRSF (bit 7), so it is remapped. */
  if (features & BTA_HF_CLIENT_FEAT_CODEC) {
    sdp_features |= BTA_HF_CLIENT_WBS_SUPPORT;
  }

  /* Super-wideband support also has its own SDP-side constant. */
  if (features & BTA_HF_CLIENT_FEAT_SWB) {
    sdp_features |= BTA_HF_CLIENT_FEAT_SWB_SUPPORT;
  }

  /* The attribute value is written as a two-byte big-endian field. */
  uint8_t features_be[2];
  UINT16_TO_BE_FIELD(features_be, sdp_features);
  ok &= get_legacy_stack_sdp_api()->handle.SDP_AddAttribute(
          sdp_handle, ATTR_ID_SUPPORTED_FEATURES, UINT_DESC_TYPE, 2, features_be);

  /* Browse group list: public browse group only. */
  uint16_t browse_groups[] = {UUID_SERVCLASS_PUBLIC_BROWSE_GROUP};
  ok &= get_legacy_stack_sdp_api()->handle.SDP_AddUuidSequence(
          sdp_handle, ATTR_ID_BROWSE_GROUP_LIST, 1, browse_groups);

  return ok;
}
199
200 /*******************************************************************************
201 *
202 * Function bta_hf_client_create_record
203 *
204 * Description Create SDP record for registered service.
205 *
206 *
207 * Returns void
208 *
209 ******************************************************************************/
/* Registers the HFP client SDP record once: creates the record, allocates an RFCOMM server
 * channel number, fills the record and adds the Hands-Free UUID via bta_sys_add_uuid(). */
void bta_hf_client_create_record(tBTA_HF_CLIENT_CB_ARR* client_cb_arr, const char* p_service_name) {
  /* A non-zero handle means the record is already registered; nothing to do. */
  if (client_cb_arr->sdp_handle != 0) {
    return;
  }

  client_cb_arr->sdp_handle = get_legacy_stack_sdp_api()->handle.SDP_CreateRecord();
  client_cb_arr->scn = BTA_AllocateSCN();

  /* NOTE(review): neither the handle from SDP_CreateRecord() nor the bool returned by
   * bta_hf_client_add_record() is checked, so a failed or partially populated record goes
   * unnoticed here - consider at least logging it. */
  bta_hf_client_add_record(p_service_name, client_cb_arr->scn, client_cb_arr->features,
                           client_cb_arr->sdp_handle);

  bta_sys_add_uuid(UUID_SERVCLASS_HF_HANDSFREE);
}
221
222 /*******************************************************************************
223 *
224 * Function bta_hf_client_del_record
225 *
226 * Description Delete SDP record for registered service.
227 *
228 *
229 * Returns void
230 *
231 ******************************************************************************/
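/* Unregisters the HFP client SDP record, if one is registered: deletes the record, clears the
 * stored handle, frees the RFCOMM server channel number and removes the Hands-Free UUID. */
void bta_hf_client_del_record(tBTA_HF_CLIENT_CB_ARR* client_cb) {
  log::verbose("");

  if (client_cb->sdp_handle != 0) {
    /* SDP_DeleteRecord() returns true on success, so the warning belongs on the false path.
     * The original condition was inverted and warned after every successful delete. */
    if (!get_legacy_stack_sdp_api()->handle.SDP_DeleteRecord(client_cb->sdp_handle)) {
      log::warn("Unable to delete SDP record handle:{}", client_cb->sdp_handle);
    }
    /* Cleanup continues even if the delete failed, so local state never keeps a handle that
     * may no longer be valid. */
    client_cb->sdp_handle = 0;
    BTA_FreeSCN(client_cb->scn);
    bta_sys_remove_uuid(UUID_SERVCLASS_HF_HANDSFREE);
  }
}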
244
245 /*******************************************************************************
246 *
247 * Function bta_hf_client_sdp_find_attr
248 *
249 * Description Process SDP discovery results to find requested attribute
250 *
251 *
252 * Returns true if results found, false otherwise.
253 *
254 ******************************************************************************/
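/* Walks the discovery database for Hands-Free AG records and copies the peer's RFCOMM channel
 * (initiator role only), profile version and supported features into the control block.
 *
 * Every value read here comes from the remote device's SDP response, so each attribute is
 * checked for type and length before its value is used.
 *
 * Returns true once a usable record has been processed, false if none was found. */
bool bta_hf_client_sdp_find_attr(tBTA_HF_CLIENT_CB* client_cb) {
  /* Bit used for wideband speech in the SDP SupportedFeatures attribute. */
  constexpr uint16_t kSdpWbsBit = 0x0020;

  tSDP_DISC_REC* p_rec = NULL;
  tSDP_DISC_ATTR* p_attr;
  tSDP_PROTOCOL_ELEM pe;
  bool result = false;

  client_cb->peer_version = HFP_VERSION_1_1; /* Default version */

  /* loop through all records we found */
  while (true) {
    /* get next record; if none found, we're done */
    p_rec = get_legacy_stack_sdp_api()->db.SDP_FindServiceInDb(client_cb->p_disc_db,
                                                               UUID_SERVCLASS_AG_HANDSFREE, p_rec);
    if (p_rec == NULL) {
      break;
    }

    /* get scn from proto desc list if initiator */
    if (client_cb->role == BTA_HF_CLIENT_INT) {
      if (!get_legacy_stack_sdp_api()->record.SDP_FindProtocolListElemInRec(
                  p_rec, UUID_PROTOCOL_RFCOMM, &pe)) {
        continue;
      }
      /* params[0] is only meaningful when the peer's RFCOMM element carries a parameter.
       * Without this check a record with an empty parameter list would hand an indeterminate
       * stack value to peer_scn, so such a record is skipped like one with no RFCOMM entry. */
      if (pe.num_params < 1) {
        log::warn("RFCOMM protocol element has no channel parameter in SDP record peer:{}",
                  p_rec->remote_bd_addr);
        continue;
      }
      client_cb->peer_scn = (uint8_t)pe.params[0];
    }

    /* get profile version (if failure, version parameter is not updated) */
    if (!get_legacy_stack_sdp_api()->record.SDP_FindProfileVersionInRec(
                p_rec, UUID_SERVCLASS_HF_HANDSFREE, &client_cb->peer_version)) {
      log::warn("Uable to find HFP profile version in SDP record peer:{}", p_rec->remote_bd_addr);
    }

    /* get features; the attribute must be an unsigned integer of at least two bytes */
    p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(p_rec,
                                                                       ATTR_ID_SUPPORTED_FEATURES);
    if (p_attr != NULL && SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
        SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
      /* Found attribute. Get value. */
      /* There might be race condition between SDP and BRSF. */
      /* Do not update if we already received BRSF. */
      if (client_cb->peer_features == 0) {
        client_cb->peer_features = p_attr->attr_value.v.u16;

        /* SDP and BRSF WBS bit are different, correct it if set */
        if (client_cb->peer_features & kSdpWbsBit) {
          client_cb->peer_features &= ~kSdpWbsBit;
          client_cb->peer_features |= BTA_HF_CLIENT_PEER_CODEC;
        }

        /* get network for ability to reject calls; same type and length checks apply */
        p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(p_rec, ATTR_ID_NETWORK);
        if (p_attr != NULL && SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&
            SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {
          if (p_attr->attr_value.v.u16 == 0x01) {
            client_cb->peer_features |= BTA_HF_CLIENT_PEER_REJECT;
          }
        }
      }
    }

    /* found what we needed; only the first usable record is processed */
    result = true;
    break;
  }

  log::verbose("peer_version=0x{:x} peer_features=0x{:x}", client_cb->peer_version,
               client_cb->peer_features);

  return result;
}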
326
327 /*******************************************************************************
328 *
329 * Function bta_hf_client_do_disc
330 *
331 * Description Do service discovery.
332 *
333 *
334 * Returns void
335 *
336 ******************************************************************************/
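/* Starts SDP discovery of the peer's Hands-Free AG record for this client.
 *
 * Allocates the discovery database, initialises it with the attribute list for the current
 * role and issues the search request with bta_hf_client_sdp_cback as the completion callback.
 * If the request cannot be started, the database is freed and BTA_HF_CLIENT_DISC_FAIL_EVT is
 * fed to the state machine. */
void bta_hf_client_do_disc(tBTA_HF_CLIENT_CB* client_cb) {
  Uuid uuid_list[1];
  uint16_t num_uuid = 1;
  uint16_t attr_list[4];
  uint8_t num_attr;
  bool db_inited = false;

  /* Both roles search for the AG Hands-Free service class. */
  uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_AG_HANDSFREE);

  if (client_cb->role == BTA_HF_CLIENT_INT) {
    /* initiator; get proto list and features */
    attr_list[0] = ATTR_ID_SERVICE_CLASS_ID_LIST;
    attr_list[1] = ATTR_ID_PROTOCOL_DESC_LIST;
    attr_list[2] = ATTR_ID_BT_PROFILE_DESC_LIST;
    attr_list[3] = ATTR_ID_SUPPORTED_FEATURES;
    num_attr = 4;
  } else {
    /* acceptor; get features */
    attr_list[0] = ATTR_ID_SERVICE_CLASS_ID_LIST;
    attr_list[1] = ATTR_ID_BT_PROFILE_DESC_LIST;
    attr_list[2] = ATTR_ID_SUPPORTED_FEATURES;
    num_attr = 3;
  }

  /* If we already have a non-null discovery database at this point, we can get
   * into a race condition leading to UAF once this connection is closed.
   * This should only happen with malicious modifications to a client.
   * The stale pointer is cleared without being freed here.
   * NOTE(review): the check only runs when the flag is enabled; with it disabled the old
   * pointer is overwritten by the allocation below. */
  if (com::android::bluetooth::flags::btsec_check_valid_discovery_database() &&
      client_cb->p_disc_db != NULL) {
    log::error("Tried to set up a HF client with a preexisting discovery database.");
    client_cb->p_disc_db = NULL;
    // We manually set the state here because it's possible to call this from an
    // OPEN state, in which case the discovery fail event will be ignored.
    client_cb->state = 0;  // BTA_HF_CLIENT_INIT_ST
    return;
  }

  /* allocate buffer for sdp database */
  client_cb->p_disc_db = (tSDP_DISCOVERY_DB*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);

  /* set up service discovery database; attr happens to be attr_list len */
  db_inited = get_legacy_stack_sdp_api()->service.SDP_InitDiscoveryDb(
          client_cb->p_disc_db, BT_DEFAULT_BUFFER_SIZE, num_uuid, uuid_list, num_attr, attr_list);

  if (db_inited) {
    /* Database is ready; issue the search. db_inited now tracks whether the request started.
     * NOTE(review): client_cb is bound into the callback as a raw pointer, so it has to
     * outlive the SDP request - confirm its lifetime. */
    db_inited = get_legacy_stack_sdp_api()->service.SDP_ServiceSearchAttributeRequest2(
            client_cb->peer_addr, client_cb->p_disc_db,
            base::BindRepeating(&bta_hf_client_sdp_cback, client_cb));
  }

  if (!db_inited) {
    log::warn("Unable to start SDP service search request peer:{}", client_cb->peer_addr);
    bta_collect_rfc_metrics_after_sdp_fail(tBTA_JV_STATUS::FAILURE, client_cb->peer_addr, 0,
                                           BTA_SEC_AUTHENTICATE | BTA_SEC_ENCRYPT, false, 0);
    /* free discovery db and clear the pointer so it cannot be reused */
    osi_free_and_reset((void**)&client_cb->p_disc_db);
    /* send failed event; the message is zero-initialised so the state machine never sees
     * indeterminate bytes in the fields that are not set below */
    tBTA_HF_CLIENT_DATA msg = {};
    msg.hdr.layer_specific = client_cb->handle;
    bta_hf_client_sm_execute(BTA_HF_CLIENT_DISC_FAIL_EVT, &msg);
    /* Nothing was started. Return so the start timestamp below is not recorded for a failed
     * attempt and the control block is not touched after the state machine has run. */
    return;
  }

  // Successfully started - record time SDP started
  client_cb->sdp_metrics.sdp_start_ms = common::time_gettimeofday_us() / 1000;
}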
403
404 /*******************************************************************************
405 *
406 * Function bta_hf_client_free_db
407 *
408 * Description Free discovery database.
409 *
410 *
411 * Returns void
412 *
413 ******************************************************************************/
/* Frees the discovery database of the client identified by p_data->hdr.layer_specific and
 * clears the pointer. Logs an error and does nothing if no control block matches the handle. */
void bta_hf_client_free_db(tBTA_HF_CLIENT_DATA* p_data) {
  log::assert_that(p_data != NULL, "assert failed: p_data != NULL");

  tBTA_HF_CLIENT_CB* cb = bta_hf_client_find_cb_by_handle(p_data->hdr.layer_specific);
  if (cb != NULL) {
    /* osi_free_and_reset takes the pointer's address so the stored pointer is cleared along
     * with the free, which keeps a later call from freeing the same buffer again. */
    osi_free_and_reset((void**)&cb->p_disc_db);
    return;
  }

  log::error("cb not found for handle {}", p_data->hdr.layer_specific);
}
424