1 /*
2  * QEMU Bluetooth L2CAP logic.
3  *
4  * Copyright (C) 2008 Andrzej Zaborowski  <balrog@zabor.org>
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License as
8  * published by the Free Software Foundation; either version 2 of
9  * the License, or (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19 
20 #include "qemu-common.h"
21 #include "qemu-timer.h"
22 #include "bt.h"
23 
24 #define L2CAP_CID_MAX	0x100	/* Between 0x40 and 0x10000 */
25 
/* Per-link L2CAP state: the PDU buffers, the signalling-channel bookkeeping
 * and the table of open channels for one logical link.  */
struct l2cap_instance_s {
    struct bt_link_s *link;
    struct bt_l2cap_device_s *dev;      /* Device whose PSM list l2cap_psm() walks */
    int role;                           /* NOTE(review): not referenced by the code visible here */

    /* Inbound / outbound PDU buffers, sized for the largest L2CAP payload
     * (65535 bytes) plus the basic header.  */
    uint8_t frame_in[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4)));
    int frame_in_len;

    uint8_t frame_out[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4)));
    int frame_out_len;

    /* Signalling channel timers.  They exist per-request but we can make
     * sure we have no more than one outstanding request at any time.  */
    QEMUTimer *rtx;
    QEMUTimer *ertx;

    /* Signalling identifiers: last_id is the identifier of the command being
     * handled and is echoed in every response we build; next_id is the
     * identifier handed out to the next request we originate (it wraps from
     * 255 back to 1, see l2cap_configuration_request()).  */
    int last_id;
    int next_id;

    struct l2cap_chan_s {
        /* Upper-layer interface: sdu_out()/sdu_submit() to send, close()
         * with opaque on teardown, remote_mtu as negotiated.  */
        struct bt_l2cap_conn_params_s params;

        /* Inbound PDU handler, selected by channel mode: l2cap_bframe_in
         * for Basic mode, l2cap_iframe_in for Retransmission / Flow
         * control mode.  */
        void (*frame_in)(struct l2cap_chan_s *chan, uint16_t cid,
                        const l2cap_hdr *hdr, int len);
        int mps;        /* Maximum PDU size, updated from the RFC option */
        int min_mtu;    /* Smallest MTU we accept (at least 48) */

        struct l2cap_instance_s *l2cap;

        /* Only allocated channels */
        uint16_t remote_cid;    /* Peer's CID, the SCID of its Connection Request */
#define L2CAP_CFG_INIT	2
#define L2CAP_CFG_ACC	1
        /* config_req_id: identifier of our outstanding Configure Request,
         * 0 when none is pending.  config: L2CAP_CFG_ACC set once the peer's
         * options were acceptable, L2CAP_CFG_INIT once our own request
         * completed; both set is the OPEN state (table below).  */
        int config_req_id; /* TODO: handle outgoing requests generically */
        int config;

        /* Only connection-oriented channels.  Note: if we allow the tx and
         * rx traffic to be in different modes at any time, we need two.  */
        int mode;   /* L2CAP_MODE_BASIC, L2CAP_MODE_RETRANS or L2CAP_MODE_FLOWCTL */

        /* Only flow-controlled, connection-oriented channels */
        uint8_t sdu[65536]; /* TODO: dynamically allocate */
        int len_cur, len_total;     /* presumably SDU reassembly progress -- not used in the visible code */
        int rexmit;                 /* Retransmission pending flag (timer code currently compiled out) */
        int monitor_timeout;        /* Monitor time-out taken from the RFC option */
        QEMUTimer *monitor_timer;
        QEMUTimer *retransmission_timer;
    } *cid[L2CAP_CID_MAX];  /* Indexed by local CID; NULL means CLOSED */
    /* The channel state machine states map as following:
     * CLOSED           -> !cid[N]
     * WAIT_CONNECT     -> never occurs
     * WAIT_CONNECT_RSP -> never occurs
     * CONFIG           -> cid[N] && config < 3
     *   WAIT_CONFIG         -> never occurs, cid[N] && config == 0 && !config_r
     *   WAIT_SEND_CONFIG    -> never occurs, cid[N] && config == 1 && !config_r
     *   WAIT_CONFIG_REQ_RSP -> cid[N] && config == 0 && config_req_id
     *   WAIT_CONFIG_RSP     -> cid[N] && config == 1 && config_req_id
     *   WAIT_CONFIG_REQ     -> cid[N] && config == 2
     * OPEN             -> cid[N] && config == 3
     * WAIT_DISCONNECT  -> never occurs
     */

    /* Fixed channels: signalling (all commands go through its params) and
     * the connectionless group channel.  */
    struct l2cap_chan_s signalling_ch;
    struct l2cap_chan_s group_ch;
};
91 
/* L2CAP instance embedded together with the link it runs on, so that a
 * single allocation holds both for the slave side.  */
struct slave_l2cap_instance_s {
    struct bt_link_s link;	/* Underlying logical link (ACL) */
    struct l2cap_instance_s l2cap;
};
96 
/* One registered Protocol/Service Multiplexer of a device; the entries form
 * a singly linked list searched by l2cap_psm().  */
struct bt_l2cap_psm_s {
    int psm;
    int min_mtu;    /* Lower bound applied to the channel MTU on open */
    /* Called when a peer opens a channel for this PSM; a zero return
     * accepts the channel, non-zero refuses it.  */
    int (*new_channel)(struct bt_l2cap_device_s *device,
                    struct bt_l2cap_conn_params_s *params);
    struct bt_l2cap_psm_s *next;
};
104 
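/* Lookup table for the L2CAP FCS: CRC-16 with the reflected polynomial
 * 0xa001 (0x8005 bit-reversed), one entry per input byte value.  The
 * bit-serial reference that generates it is given in l2cap_fcs16().  */
static const uint16_t l2cap_fcs16_table[256] = {
    0x0000, 0xc0c1, 0xc181, 0x0140, 0xc301, 0x03c0, 0x0280, 0xc241,
    0xc601, 0x06c0, 0x0780, 0xc741, 0x0500, 0xc5c1, 0xc481, 0x0440,
    0xcc01, 0x0cc0, 0x0d80, 0xcd41, 0x0f00, 0xcfc1, 0xce81, 0x0e40,
    0x0a00, 0xcac1, 0xcb81, 0x0b40, 0xc901, 0x09c0, 0x0880, 0xc841,
    0xd801, 0x18c0, 0x1980, 0xd941, 0x1b00, 0xdbc1, 0xda81, 0x1a40,
    0x1e00, 0xdec1, 0xdf81, 0x1f40, 0xdd01, 0x1dc0, 0x1c80, 0xdc41,
    0x1400, 0xd4c1, 0xd581, 0x1540, 0xd701, 0x17c0, 0x1680, 0xd641,
    0xd201, 0x12c0, 0x1380, 0xd341, 0x1100, 0xd1c1, 0xd081, 0x1040,
    0xf001, 0x30c0, 0x3180, 0xf141, 0x3300, 0xf3c1, 0xf281, 0x3240,
    0x3600, 0xf6c1, 0xf781, 0x3740, 0xf501, 0x35c0, 0x3480, 0xf441,
    0x3c00, 0xfcc1, 0xfd81, 0x3d40, 0xff01, 0x3fc0, 0x3e80, 0xfe41,
    0xfa01, 0x3ac0, 0x3b80, 0xfb41, 0x3900, 0xf9c1, 0xf881, 0x3840,
    0x2800, 0xe8c1, 0xe981, 0x2940, 0xeb01, 0x2bc0, 0x2a80, 0xea41,
    0xee01, 0x2ec0, 0x2f80, 0xef41, 0x2d00, 0xedc1, 0xec81, 0x2c40,
    0xe401, 0x24c0, 0x2580, 0xe541, 0x2700, 0xe7c1, 0xe681, 0x2640,
    0x2200, 0xe2c1, 0xe381, 0x2340, 0xe101, 0x21c0, 0x2080, 0xe041,
    0xa001, 0x60c0, 0x6180, 0xa141, 0x6300, 0xa3c1, 0xa281, 0x6240,
    0x6600, 0xa6c1, 0xa781, 0x6740, 0xa501, 0x65c0, 0x6480, 0xa441,
    0x6c00, 0xacc1, 0xad81, 0x6d40, 0xaf01, 0x6fc0, 0x6e80, 0xae41,
    0xaa01, 0x6ac0, 0x6b80, 0xab41, 0x6900, 0xa9c1, 0xa881, 0x6840,
    0x7800, 0xb8c1, 0xb981, 0x7940, 0xbb01, 0x7bc0, 0x7a80, 0xba41,
    0xbe01, 0x7ec0, 0x7f80, 0xbf41, 0x7d00, 0xbdc1, 0xbc81, 0x7c40,
    0xb401, 0x74c0, 0x7580, 0xb541, 0x7700, 0xb7c1, 0xb681, 0x7640,
    0x7200, 0xb2c1, 0xb381, 0x7340, 0xb101, 0x71c0, 0x7080, 0xb041,
    0x5000, 0x90c1, 0x9181, 0x5140, 0x9301, 0x53c0, 0x5280, 0x9241,
    0x9601, 0x56c0, 0x5780, 0x9741, 0x5500, 0x95c1, 0x9481, 0x5440,
    0x9c01, 0x5cc0, 0x5d80, 0x9d41, 0x5f00, 0x9fc1, 0x9e81, 0x5e40,
    0x5a00, 0x9ac1, 0x9b81, 0x5b40, 0x9901, 0x59c0, 0x5880, 0x9841,
    0x8801, 0x48c0, 0x4980, 0x8941, 0x4b00, 0x8bc1, 0x8a81, 0x4a40,
    0x4e00, 0x8ec1, 0x8f81, 0x4f40, 0x8d01, 0x4dc0, 0x4c80, 0x8c41,
    0x4400, 0x84c1, 0x8581, 0x4540, 0x8701, 0x47c0, 0x4680, 0x8641,
    0x8201, 0x42c0, 0x4380, 0x8341, 0x4100, 0x81c1, 0x8081, 0x4040,
};

/*
 * l2cap_fcs16: compute the 16-bit FCS (CRC-16, initial value 0, no final
 * XOR) over @len bytes at @message.
 *
 * The table-driven loop is equivalent to the bit-serial reference
 *     fcs ^= byte;
 *     repeat 8 times: fcs = (fcs & 1) ? (fcs >> 1) ^ 0xa001 : fcs >> 1;
 *
 * @message: bytes to checksum; only read when @len > 0
 * @len: number of bytes.  A value <= 0 yields the initial value, 0x0000;
 *       a negative count must never reach the loop, since the post-decrement
 *       test would otherwise run until the counter wraps and read far past
 *       the buffer.
 * Returns the FCS in host byte order.
 */
static uint16_t l2cap_fcs16(const uint8_t *message, int len)
{
    uint16_t fcs = 0x0000;

    if (len <= 0)
        return fcs;

    while (len --)
        fcs = (fcs >> 8) ^ l2cap_fcs16_table[(fcs ^ *message ++) & 0xff];

    return fcs;
}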
162 
163 /* L2CAP layer logic (protocol) */
164 
static void l2cap_retransmission_timer_update(struct l2cap_chan_s *ch)
{
    /* Retransmission timer handling is not wired up yet: the body below is
     * compiled out, so this is currently a no-op.  The intended logic, kept
     * for reference, arms the timer while a retransmission is pending in a
     * non-basic mode and cancels it otherwise.  */
    (void) ch;
#if 0
    if (ch->mode != L2CAP_MODE_BASIC && ch->rexmit)
        qemu_mod_timer(ch->retransmission_timer);
    else
        qemu_del_timer(ch->retransmission_timer);
#endif
}
174 
static void l2cap_monitor_timer_update(struct l2cap_chan_s *ch)
{
    /* Monitor timer handling is not wired up yet: the body below is
     * compiled out, so this is currently a no-op.  The intended logic, kept
     * for reference, arms the monitor timer in a non-basic mode while no
     * retransmission is pending and cancels it otherwise.  */
    (void) ch;
#if 0
    if (ch->mode != L2CAP_MODE_BASIC && !ch->rexmit)
        qemu_mod_timer(ch->monitor_timer);
    else
        qemu_del_timer(ch->monitor_timer);
#endif
}
184 
/*
 * l2cap_command_reject: send an L2CAP Command Reject on the signalling
 * channel.
 *
 * @id: identifier of the command being rejected (echoed in the header)
 * @reason: reject reason code, host order
 * @data: @plen bytes of reason-specific payload appended verbatim
 *        (may be NULL when @plen is 0)
 */
static void l2cap_command_reject(struct l2cap_instance_s *l2cap, int id,
                uint16_t reason, const void *data, int plen)
{
    struct bt_l2cap_conn_params_s *sig = &l2cap->signalling_ch.params;
    uint16_t reason_le = cpu_to_le16(reason);
    uint16_t len_le = cpu_to_le16(L2CAP_CMD_REJ_SIZE + plen);
    uint8_t *pkt;
    l2cap_cmd_hdr *hdr;
    l2cap_cmd_rej *rej;

    pkt = sig->sdu_out(sig, L2CAP_CMD_HDR_SIZE + L2CAP_CMD_REJ_SIZE + plen);
    hdr = (void *) pkt;
    rej = (void *) (pkt + L2CAP_CMD_HDR_SIZE);

    hdr->code = L2CAP_COMMAND_REJ;
    hdr->ident = id;
    /* The 16-bit fields are written with memcpy rather than assigned --
     * presumably to avoid unaligned stores; keep it that way.  */
    memcpy(&hdr->len, &len_le, sizeof(hdr->len));
    memcpy(&rej->reason, &reason_le, sizeof(reason_le));
    if (plen)
        memcpy((uint8_t *) rej + L2CAP_CMD_REJ_SIZE, data, plen);

    sig->sdu_submit(sig);
}
210 
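/*
 * l2cap_command_reject_cid: send a Command Reject carrying the
 * (dcid, scid) pair of the offending command, e.g. for
 * L2CAP_REJ_CID_INVAL.
 *
 * @id: identifier of the rejected command
 * @reason: reject reason code, host order
 * @dcid, @scid: the CIDs to report, host order
 */
static void l2cap_command_reject_cid(struct l2cap_instance_s *l2cap, int id,
                uint16_t reason, uint16_t dcid, uint16_t scid)
{
    /* The payload goes on the wire verbatim (l2cap_command_reject() only
     * converts the reason), so the CIDs must be little-endian here like
     * every other 16-bit field this file emits.  */
    l2cap_cmd_rej_cid params = {
        .dcid = cpu_to_le16(dcid),
        .scid = cpu_to_le16(scid),
    };

    l2cap_command_reject(l2cap, id, reason, &params, L2CAP_CMD_REJ_CID_SIZE);
}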
221 
/*
 * l2cap_connection_response: answer the Connection Request currently being
 * handled (identifier l2cap->last_id).
 *
 * @dcid: the CID we allocated (L2CAP_CID_INVALID on failure)
 * @scid: the peer's CID from its request
 * @result, @status: L2CAP_CR_* / L2CAP_CS_* codes, host order
 */
static void l2cap_connection_response(struct l2cap_instance_s *l2cap,
                int dcid, int scid, int result, int status)
{
    struct bt_l2cap_conn_params_s *sig = &l2cap->signalling_ch.params;
    uint8_t *pkt = sig->sdu_out(sig, L2CAP_CMD_HDR_SIZE + L2CAP_CONN_RSP_SIZE);
    l2cap_cmd_hdr *hdr = (void *) pkt;
    l2cap_conn_rsp *rsp = (void *) (pkt + L2CAP_CMD_HDR_SIZE);

    hdr->code = L2CAP_CONN_RSP;
    hdr->ident = l2cap->last_id;
    hdr->len = cpu_to_le16(L2CAP_CONN_RSP_SIZE);

    rsp->dcid = cpu_to_le16(dcid);
    rsp->scid = cpu_to_le16(scid);
    rsp->result = cpu_to_le16(result);
    rsp->status = cpu_to_le16(status);

    sig->sdu_submit(sig);
}
245 
/*
 * l2cap_configuration_request: originate a Configure Request for the
 * peer's channel @dcid, allocating a fresh signalling identifier.
 *
 * @flag: continuation flag value for the flags field
 * @data: @len bytes of configuration options, copied verbatim
 *
 * Side effect: l2cap->last_id becomes the identifier used and
 * l2cap->next_id advances (wrapping from 255 to 1).
 */
static void l2cap_configuration_request(struct l2cap_instance_s *l2cap,
                int dcid, int flag, const uint8_t *data, int len)
{
    struct bt_l2cap_conn_params_s *sig = &l2cap->signalling_ch.params;
    uint8_t *pkt = sig->sdu_out(sig,
                    L2CAP_CMD_HDR_SIZE + L2CAP_CONF_REQ_SIZE(len));
    l2cap_cmd_hdr *hdr = (void *) pkt;
    l2cap_conf_req *req = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
    int ident = l2cap->next_id;

    /* TODO: unify the id sequencing */
    l2cap->last_id = ident;
    l2cap->next_id = (ident == 255) ? 1 : ident + 1;

    hdr->code = L2CAP_CONF_REQ;
    hdr->ident = ident;
    hdr->len = cpu_to_le16(L2CAP_CONF_REQ_SIZE(len));

    req->dcid = cpu_to_le16(dcid);
    req->flags = cpu_to_le16(flag);
    if (len)
        memcpy(req->data, data, len);

    sig->sdu_submit(sig);
}
273 
/*
 * l2cap_configuration_response: answer the Configure Request currently
 * being handled (identifier l2cap->last_id).
 *
 * @scid: the peer's CID the request came from
 * @flag: continuation flag value for the flags field
 * @result: L2CAP_CONF_* result code, host order
 * @data: @len bytes of (possibly adjusted) options, copied verbatim
 */
static void l2cap_configuration_response(struct l2cap_instance_s *l2cap,
                int scid, int flag, int result, const uint8_t *data, int len)
{
    struct bt_l2cap_conn_params_s *sig = &l2cap->signalling_ch.params;
    uint8_t *pkt = sig->sdu_out(sig,
                    L2CAP_CMD_HDR_SIZE + L2CAP_CONF_RSP_SIZE(len));
    l2cap_cmd_hdr *hdr = (void *) pkt;
    l2cap_conf_rsp *rsp = (void *) (pkt + L2CAP_CMD_HDR_SIZE);

    hdr->code = L2CAP_CONF_RSP;
    hdr->ident = l2cap->last_id;
    hdr->len = cpu_to_le16(L2CAP_CONF_RSP_SIZE(len));

    rsp->scid = cpu_to_le16(scid);
    rsp->flags = cpu_to_le16(flag);
    rsp->result = cpu_to_le16(result);
    if (len)
        memcpy(rsp->data, data, len);

    sig->sdu_submit(sig);
}
298 
/*
 * l2cap_disconnection_response: answer the Disconnection Request currently
 * being handled (identifier l2cap->last_id) for the pair (@dcid, @scid).
 */
static void l2cap_disconnection_response(struct l2cap_instance_s *l2cap,
                int dcid, int scid)
{
    struct bt_l2cap_conn_params_s *sig = &l2cap->signalling_ch.params;
    uint8_t *pkt = sig->sdu_out(sig,
                    L2CAP_CMD_HDR_SIZE + L2CAP_DISCONN_RSP_SIZE);
    l2cap_cmd_hdr *hdr = (void *) pkt;
    l2cap_disconn_rsp *rsp = (void *) (pkt + L2CAP_CMD_HDR_SIZE);

    hdr->code = L2CAP_DISCONN_RSP;
    hdr->ident = l2cap->last_id;
    hdr->len = cpu_to_le16(L2CAP_DISCONN_RSP_SIZE);

    rsp->dcid = cpu_to_le16(dcid);
    rsp->scid = cpu_to_le16(scid);

    sig->sdu_submit(sig);
}
320 
/*
 * l2cap_echo_response: answer the Echo Request currently being handled
 * (identifier l2cap->last_id), returning the @len bytes at @data verbatim.
 */
static void l2cap_echo_response(struct l2cap_instance_s *l2cap,
                const uint8_t *data, int len)
{
    struct bt_l2cap_conn_params_s *sig = &l2cap->signalling_ch.params;
    uint8_t *pkt = sig->sdu_out(sig, L2CAP_CMD_HDR_SIZE + len);
    l2cap_cmd_hdr *hdr = (void *) pkt;
    uint8_t *payload = pkt + L2CAP_CMD_HDR_SIZE;

    hdr->code = L2CAP_ECHO_RSP;
    hdr->ident = l2cap->last_id;
    hdr->len = cpu_to_le16(len);

    memcpy(payload, data, len);

    sig->sdu_submit(sig);
}
341 
/*
 * l2cap_info_response: answer the Information Request currently being
 * handled (identifier l2cap->last_id).
 *
 * @type: L2CAP_IT_* info type being answered
 * @result: L2CAP_IR_* result code, host order
 * @data: @len bytes of type-specific data, copied verbatim
 */
static void l2cap_info_response(struct l2cap_instance_s *l2cap, int type,
                int result, const uint8_t *data, int len)
{
    struct bt_l2cap_conn_params_s *sig = &l2cap->signalling_ch.params;
    uint8_t *pkt = sig->sdu_out(sig,
                    L2CAP_CMD_HDR_SIZE + L2CAP_INFO_RSP_SIZE + len);
    l2cap_cmd_hdr *hdr = (void *) pkt;
    l2cap_info_rsp *rsp = (void *) (pkt + L2CAP_CMD_HDR_SIZE);

    hdr->code = L2CAP_INFO_RSP;
    hdr->ident = l2cap->last_id;
    hdr->len = cpu_to_le16(L2CAP_INFO_RSP_SIZE + len);

    rsp->type = cpu_to_le16(type);
    rsp->result = cpu_to_le16(result);
    if (len)
        memcpy(rsp->data, data, len);

    sig->sdu_submit(sig);
}
365 
366 static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int len);
367 static void l2cap_bframe_submit(struct bt_l2cap_conn_params_s *parms);
368 #if 0
369 static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int len);
370 static void l2cap_iframe_submit(struct bt_l2cap_conn_params_s *parm);
371 #endif
372 static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid,
373                 const l2cap_hdr *hdr, int len);
374 static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid,
375                 const l2cap_hdr *hdr, int len);
376 
/*
 * l2cap_cid_new: find the lowest free dynamic CID.
 *
 * Returns a CID in [L2CAP_CID_ALLOC, L2CAP_CID_MAX) whose table slot is
 * empty, or L2CAP_CID_INVALID when every slot is taken.
 */
static int l2cap_cid_new(struct l2cap_instance_s *l2cap)
{
    int cid = L2CAP_CID_ALLOC;

    while (cid < L2CAP_CID_MAX) {
        if (l2cap->cid[cid] == NULL)
            return cid;
        cid ++;
    }

    return L2CAP_CID_INVALID;
}
387 
/*
 * l2cap_psm: look up the PSM entry registered on @device for @psm.
 *
 * Returns the matching entry or NULL when the device does not serve it.
 */
static inline struct bt_l2cap_psm_s *l2cap_psm(
                struct bt_l2cap_device_s *device, int psm)
{
    struct bt_l2cap_psm_s *entry;

    for (entry = device->first_psm; entry; entry = entry->next)
        if (entry->psm == psm)
            return entry;

    return NULL;
}
398 
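/*
 * l2cap_channel_open: handle a Connection Request for @psm from the peer's
 * channel @source_cid: allocate a local CID and channel, offer it to the
 * device, and always send the Connection Response.
 *
 * Returns the new channel (now owned by l2cap->cid[]) on success, NULL on
 * any failure.  The caller dereferences a non-NULL result, so a channel
 * that was freed on the way must never be returned.
 */
static struct l2cap_chan_s *l2cap_channel_open(struct l2cap_instance_s *l2cap,
                int psm, int source_cid)
{
    struct l2cap_chan_s *ch = NULL;
    struct bt_l2cap_psm_s *psm_info;
    int result, status;
    int cid = l2cap_cid_new(l2cap);

    /* The truth test relies on L2CAP_CID_INVALID being 0.  */
    if (cid) {
        /* See what the channel is to be used for.. */
        psm_info = l2cap_psm(l2cap->dev, psm);

        if (psm_info) {
            /* Device supports this use-case.  */
            ch = qemu_mallocz(sizeof(*ch));
            ch->params.sdu_out = l2cap_bframe_out;
            ch->params.sdu_submit = l2cap_bframe_submit;
            ch->frame_in = l2cap_bframe_in;
            ch->mps = 65536;
            ch->min_mtu = MAX(48, psm_info->min_mtu);
            ch->params.remote_mtu = MAX(672, ch->min_mtu);
            ch->remote_cid = source_cid;
            ch->mode = L2CAP_MODE_BASIC;
            ch->l2cap = l2cap;

            /* Does it feel like opening yet another channel though?  */
            if (!psm_info->new_channel(l2cap->dev, &ch->params)) {
                l2cap->cid[cid] = ch;

                result = L2CAP_CR_SUCCESS;
                status = L2CAP_CS_NO_INFO;
            } else {
                /* Refused by the device: release the channel and clear the
                 * pointer so the caller does not get a dangling one.  */
                qemu_free(ch);
                ch = NULL;

                result = L2CAP_CR_NO_MEM;
                status = L2CAP_CS_NO_INFO;
            }
        } else {
            result = L2CAP_CR_BAD_PSM;
            status = L2CAP_CS_NO_INFO;
        }
    } else {
        result = L2CAP_CR_NO_MEM;
        status = L2CAP_CS_NO_INFO;
    }

    l2cap_connection_response(l2cap, cid, source_cid, result, status);

    return ch;
}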
449 
/*
 * l2cap_channel_close: handle a Disconnection Request for our channel
 * @cid coming from the peer's channel @source_cid.
 *
 * A CID below the dynamic range is answered with a Command Reject; a
 * request whose SCID does not match the channel is dropped silently
 * (logged only); otherwise the channel, if any, is torn down and a
 * Disconnection Response is sent.
 */
static void l2cap_channel_close(struct l2cap_instance_s *l2cap,
                int cid, int source_cid)
{
    struct l2cap_chan_s *ch = NULL;

    /* According to Volume 3, section 6.1.1, pg 1048 of BT Core V2.0, a
     * connection in CLOSED state still responds with a L2CAP_DisconnectRsp
     * message on an L2CAP_DisconnectReq event.  */
    if (unlikely(cid < L2CAP_CID_ALLOC)) {
        l2cap_command_reject_cid(l2cap, l2cap->last_id, L2CAP_REJ_CID_INVAL,
                        cid, source_cid);
        return;
    }

    /* cid >= L2CAP_CID_ALLOC here; only the upper bound is left to check
     * before indexing the table.  */
    if (cid < L2CAP_CID_MAX)
        ch = l2cap->cid[cid];

    if (ch != NULL) {
        if (ch->remote_cid != source_cid) {
            fprintf(stderr, "%s: Ignoring a Disconnection Request with the "
                            "invalid SCID %04x.\n", __FUNCTION__, source_cid);
            return;
        }

        l2cap->cid[cid] = NULL;

        ch->params.close(ch->params.opaque);
        qemu_free(ch);
    }

    l2cap_disconnection_response(l2cap, cid, source_cid);
}
481 
/*
 * l2cap_channel_config_null: send an empty Configure Request (all default
 * options) for @ch and record its identifier so the matching response can
 * be recognised in l2cap_channel_config_rsp_msg().
 */
static void l2cap_channel_config_null(struct l2cap_instance_s *l2cap,
                struct l2cap_chan_s *ch)
{
    l2cap_configuration_request(l2cap, ch->remote_cid, 0, NULL, 0);

    /* Our side of the configuration is now pending again.  */
    ch->config_req_id = l2cap->last_id;
    ch->config &= ~L2CAP_CFG_INIT;
}
489 
/*
 * l2cap_channel_config_req_event: the ConfigureChannel_Req event of the
 * state machine.  We never ask for anything beyond the defaults, so it
 * reduces to sending the empty request.
 */
static void l2cap_channel_config_req_event(struct l2cap_instance_s *l2cap,
                struct l2cap_chan_s *ch)
{
    /* Use all default channel options and terminate negotiation.  */
    l2cap_channel_config_null(l2cap, ch);
}
496 
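/*
 * l2cap_channel_config: process the option list of a peer's Configure
 * Request for @ch and send the Configure Response.
 *
 * Each option is bounds-checked against the remaining length before its
 * body is read; a truncated or malformed option yields L2CAP_CONF_REJECT.
 * Options we cannot accept are rewritten in place, in a private copy, to
 * the value we would accept (L2CAP_CONF_UNACCEPT); unknown mandatory
 * options yield L2CAP_CONF_UNKNOWN.  The whole (possibly adjusted) copy is
 * returned in the response so the substituted values actually reach the
 * peer.  Processing stops at the first option that is not accepted.
 *
 * @flag: continuation flag of the request, echoed in the response
 * @data: @len bytes of options (@len may be 0)
 *
 * Returns non-zero when every option was accepted and the request was not
 * a continuation, i.e. the peer's side of the configuration is complete.
 */
static int l2cap_channel_config(struct l2cap_instance_s *l2cap,
                struct l2cap_chan_s *ch, int flag,
                const uint8_t *data, int len)
{
    l2cap_conf_opt *opt;
    l2cap_conf_opt_qos *qos;
    uint32_t val;
    /* A zero-sized VLA is undefined behaviour and @len may be 0, so keep
     * one spare byte; rsp_len is the real payload length.  */
    int rsp_len = len > 0 ? len : 0;
    uint8_t rsp[rsp_len + 1];
    int result = L2CAP_CONF_SUCCESS;

    if (rsp_len)
        memcpy(rsp, data, rsp_len);
    data = rsp;
    len = rsp_len;
    while (len) {
        opt = (void *) data;

        if (len < L2CAP_CONF_OPT_SIZE ||
                        len < L2CAP_CONF_OPT_SIZE + opt->len) {
            result = L2CAP_CONF_REJECT;
            break;
        }
        data += L2CAP_CONF_OPT_SIZE + opt->len;
        len -= L2CAP_CONF_OPT_SIZE + opt->len;

        switch (opt->type & 0x7f) {
        case L2CAP_CONF_MTU:
            if (opt->len != 2) {
                result = L2CAP_CONF_REJECT;
                break;
            }

            /* MTU */
            val = le16_to_cpup((void *) opt->val);
            if (val < ch->min_mtu) {
                cpu_to_le16w((void *) opt->val, ch->min_mtu);
                result = L2CAP_CONF_UNACCEPT;
                break;
            }

            ch->params.remote_mtu = val;
            break;

        case L2CAP_CONF_FLUSH_TO:
            if (opt->len != 2) {
                result = L2CAP_CONF_REJECT;
                break;
            }

            /* Flush Timeout */
            val = le16_to_cpup((void *) opt->val);
            if (val < 0x0001) {
                opt->val[0] = 0xff;
                opt->val[1] = 0xff;
                result = L2CAP_CONF_UNACCEPT;
                break;
            }
            break;

        case L2CAP_CONF_QOS:
            if (opt->len != L2CAP_CONF_OPT_QOS_SIZE) {
                result = L2CAP_CONF_REJECT;
                break;
            }
            qos = (void *) opt->val;

            /* Flags */
            val = qos->flags;
            if (val) {
                qos->flags = 0;
                result = L2CAP_CONF_UNACCEPT;
            }

            /* Service type */
            val = qos->service_type;
            if (val != L2CAP_CONF_QOS_BEST_EFFORT &&
                            val != L2CAP_CONF_QOS_NO_TRAFFIC) {
                qos->service_type = L2CAP_CONF_QOS_BEST_EFFORT;
                result = L2CAP_CONF_UNACCEPT;
            }

            if (val != L2CAP_CONF_QOS_NO_TRAFFIC) {
                /* XXX: These values should possibly be calculated
                 * based on LM / baseband properties also.  */

                /* Token rate */
                val = le32_to_cpu(qos->token_rate);
                if (val == L2CAP_CONF_QOS_WILDCARD)
                    qos->token_rate = cpu_to_le32(0x100000);

                /* Token bucket size */
                val = le32_to_cpu(qos->token_bucket_size);
                if (val == L2CAP_CONF_QOS_WILDCARD)
                    qos->token_bucket_size = cpu_to_le32(65500);

                /* Any Peak bandwidth value is correct to return as-is */
                /* Any Access latency value is correct to return as-is */
                /* Any Delay variation value is correct to return as-is */
            }
            break;

        case L2CAP_CONF_RFC:
            if (opt->len != 9) {
                result = L2CAP_CONF_REJECT;
                break;
            }

            /* Mode */
            val = opt->val[0];
            switch (val) {
            case L2CAP_MODE_BASIC:
                ch->mode = val;
                ch->frame_in = l2cap_bframe_in;

                /* All other parameters shall be ignored */
                break;

            case L2CAP_MODE_RETRANS:
            case L2CAP_MODE_FLOWCTL:
                ch->mode = val;
                ch->frame_in = l2cap_iframe_in;
                /* Note: most of these parameters refer to incoming traffic
                 * so we don't need to save them as long as we can accept
                 * incoming PDUs at any values of the parameters.  */

                /* TxWindow size */
                val = opt->val[1];
                if (val < 1 || val > 32) {
                    opt->val[1] = 32;
                    result = L2CAP_CONF_UNACCEPT;
                    break;
                }

                /* MaxTransmit */
                val = opt->val[2];
                if (val < 1) {
                    opt->val[2] = 1;
                    result = L2CAP_CONF_UNACCEPT;
                    break;
                }

                /* Remote Retransmission time-out shouldn't affect local
                 * operation (?) */

                /* The Monitor time-out drives the local Monitor timer (?),
                 * so save the value.  */
                val = (opt->val[6] << 8) | opt->val[5];
                if (val < 30) {
                    opt->val[5] = 100 & 0xff;
                    opt->val[6] = 100 >> 8;
                    result = L2CAP_CONF_UNACCEPT;
                    break;
                }
                ch->monitor_timeout = val;
                l2cap_monitor_timer_update(ch);

                /* MPS */
                val = (opt->val[8] << 8) | opt->val[7];
                if (val < ch->min_mtu) {
                    opt->val[7] = ch->min_mtu & 0xff;
                    opt->val[8] = ch->min_mtu >> 8;
                    result = L2CAP_CONF_UNACCEPT;
                    break;
                }
                ch->mps = val;
                break;

            default:
                result = L2CAP_CONF_UNACCEPT;
                break;
            }
            break;

        default:
            /* Bit 7 of the type marks an option the peer allows us to
             * skip; a clear bit means we must report it as unknown.  */
            if (!(opt->type >> 7))
                result = L2CAP_CONF_UNKNOWN;
            break;
        }

        if (result != L2CAP_CONF_SUCCESS)
            break;	/* XXX: should continue? */
    }

    /* Return the full adjusted copy: len was consumed by the loop above
     * and no longer describes rsp.  */
    l2cap_configuration_response(l2cap, ch->remote_cid,
                    flag, result, rsp, rsp_len);

    return result == L2CAP_CONF_SUCCESS && !flag;
}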
682 
/*
 * l2cap_channel_config_req_msg: handle a Configure Request for our channel
 * @cid.  An unknown CID is answered with a Command Reject; otherwise the
 * options are negotiated and, once both directions are settled, our own
 * Configure Request is issued.
 *
 * @flag: continuation bit of the request
 * @data: @len bytes of options
 */
static void l2cap_channel_config_req_msg(struct l2cap_instance_s *l2cap,
                int flag, int cid, const uint8_t *data, int len)
{
    struct l2cap_chan_s *ch = cid < L2CAP_CID_MAX ? l2cap->cid[cid] : NULL;
    int accepted;

    if (unlikely(ch == NULL)) {
        l2cap_command_reject_cid(l2cap, l2cap->last_id, L2CAP_REJ_CID_INVAL,
                        cid, 0x0000);
        return;
    }

    /* From OPEN go to WAIT_CONFIG_REQ and from WAIT_CONFIG_REQ_RSP to
     * WAIT_CONFIG_REQ_RSP.  This is assuming the transition chart for OPEN
     * on pg 1053, section 6.1.5, volume 3 of BT Core V2.0 has a mistake
     * and on options-acceptable we go back to OPEN and otherwise to
     * WAIT_CONFIG_REQ and not the other way.  */
    ch->config &= ~L2CAP_CFG_ACC;

    accepted = l2cap_channel_config(l2cap, ch, flag, data, len);
    if (accepted) {
        /* Go to OPEN or WAIT_CONFIG_RSP */
        ch->config |= L2CAP_CFG_ACC;
    }

    /* TODO: if the incoming traffic flow control or retransmission mode
     * changed then we probably need to also generate the
     * ConfigureChannel_Req event and set the outgoing traffic to the same
     * mode.  */
    if (!(ch->config & L2CAP_CFG_INIT) && (ch->config & L2CAP_CFG_ACC) &&
                    !ch->config_req_id)
        l2cap_channel_config_req_event(l2cap, ch);
}
714 
/*
 * l2cap_channel_config_rsp_msg: handle a Configure Response for our
 * channel @cid.
 *
 * Returns 1 when the response does not match our outstanding request (the
 * caller logs and ignores it), 0 otherwise -- including the case where
 * the CID was unknown and a Command Reject was sent.  @data and @len are
 * currently unused.
 */
static int l2cap_channel_config_rsp_msg(struct l2cap_instance_s *l2cap,
                int result, int flag, int cid, const uint8_t *data, int len)
{
    struct l2cap_chan_s *ch = cid < L2CAP_CID_MAX ? l2cap->cid[cid] : NULL;

    if (unlikely(ch == NULL)) {
        l2cap_command_reject_cid(l2cap, l2cap->last_id, L2CAP_REJ_CID_INVAL,
                        cid, 0x0000);
        return 0;
    }

    /* Only the response to the request we actually sent is of interest.  */
    if (ch->config_req_id != l2cap->last_id)
        return 1;
    ch->config_req_id = 0;

    if (result != L2CAP_CONF_SUCCESS) {
        /* Retry until we succeed */
        l2cap_channel_config_req_event(l2cap, ch);
    } else if (flag) {
        /* Continuation expected: send the next (empty) request.  */
        l2cap_channel_config_null(l2cap, ch);
    } else {
        ch->config |= L2CAP_CFG_INIT;
    }

    return 0;
}
742 
/*
 * l2cap_channel_open_req_msg: handle a Connection Request: open the
 * channel and, if that worked, kick off our side of the configuration.
 */
static void l2cap_channel_open_req_msg(struct l2cap_instance_s *l2cap,
                int psm, int source_cid)
{
    struct l2cap_chan_s *ch = l2cap_channel_open(l2cap, psm, source_cid);
    int needs_config;

    if (ch == NULL)
        return;

    /* Optional */
    needs_config = !(ch->config & L2CAP_CFG_INIT) && !ch->config_req_id;
    if (needs_config)
        l2cap_channel_config_req_event(l2cap, ch);
}
755 
/*
 * l2cap_info: handle an Information Request of type @type and send the
 * matching Information Response.
 *
 * Connectionless MTU reports the group channel's MPS; the feature mask
 * advertises Flow control and Retransmission modes; anything else is
 * answered with L2CAP_IR_NOTSUPP and no data.
 */
static void l2cap_info(struct l2cap_instance_s *l2cap, int type)
{
    uint8_t data[4] = { 0, 0, 0, 0 };
    int len;
    int result;

    if (type == L2CAP_IT_CL_MTU) {
        int mps = l2cap->group_ch.mps;

        data[0] = mps & 0xff;
        data[1] = mps >> 8;
        len = 2;
        result = L2CAP_IR_SUCCESS;
    } else if (type == L2CAP_IT_FEAT_MASK) {
        /* (Prematurely) report Flow control and Retransmission modes.  */
        data[0] = 0x03;
        len = 4;
        result = L2CAP_IR_SUCCESS;
    } else {
        len = 0;
        result = L2CAP_IR_NOTSUPP;
    }

    l2cap_info_response(l2cap, type, result, data, len);
}
782 
/* Dispatch one signalling command carried in a C-frame.
 *
 * @l2cap:  the connection the command arrived on
 * @code:   command code taken from the l2cap_cmd_hdr
 * @id:     command identifier from the header, echoed in any reply
 * @params: command payload, the @len octets following the header
 * @len:    length of @params; l2cap_cframe_in has already checked that
 *          this many octets are present in the SDU
 *
 * Fixed-size commands have @len compared with the expected size before
 * @params is cast to the matching structure; variable-size ones only
 * check the fixed prefix.  A size mismatch or an unknown @code is answered
 * with a Command Reject carrying L2CAP_REJ_CMD_NOT_UNDERSTOOD.  */
static void l2cap_command(struct l2cap_instance_s *l2cap, int code, int id,
                const uint8_t *params, int len)
{
    int err;

#if 0
    /* TODO: do the IDs really have to be in sequence?  */
    if (!id || (id != l2cap->last_id && id != l2cap->next_id)) {
        fprintf(stderr, "%s: out of sequence command packet ignored.\n",
                        __FUNCTION__);
        return;
    }
#else
    /* Accept whatever identifier the peer chose.  Because of this
     * assignment the comparison just below is always true, so the
     * "re-send the previous response" branch is currently unreachable.  */
    l2cap->next_id = id;
#endif
    if (id == l2cap->next_id) {
        l2cap->last_id = l2cap->next_id;
        /* Identifiers wrap from 255 back to 1, skipping 0.  */
        l2cap->next_id = l2cap->next_id == 255 ? 1 : l2cap->next_id + 1;
    } else {
        /* TODO: Need to re-send the same response, without re-executing
         * the corresponding command!  */
    }

    switch (code) {
    case L2CAP_COMMAND_REJ:
        /* Reason alone, or reason plus 2 or 4 octets of reason data.  */
        if (unlikely(len != 2 && len != 4 && len != 6)) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        /* We never issue commands other than Command Reject currently.  */
        fprintf(stderr, "%s: stray Command Reject (%02x, %04x) "
                        "packet, ignoring.\n", __FUNCTION__, id,
                        le16_to_cpu(((l2cap_cmd_rej *) params)->reason));
        break;

    case L2CAP_CONN_REQ:
        if (unlikely(len != L2CAP_CONN_REQ_SIZE)) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        /* The peer's source CID becomes our remote CID for the channel.  */
        l2cap_channel_open_req_msg(l2cap,
                        le16_to_cpu(((l2cap_conn_req *) params)->psm),
                        le16_to_cpu(((l2cap_conn_req *) params)->scid));
        break;

    case L2CAP_CONN_RSP:
        if (unlikely(len != L2CAP_CONN_RSP_SIZE)) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        /* We never issue Connection Requests currently. TODO  */
        fprintf(stderr, "%s: unexpected Connection Response (%02x) "
                        "packet, ignoring.\n", __FUNCTION__, id);
        break;

    case L2CAP_CONF_REQ:
        /* Variable size: only the fixed prefix is checked here, the
         * remaining len - L2CAP_CONF_REQ_SIZE(0) octets are option data.  */
        if (unlikely(len < L2CAP_CONF_REQ_SIZE(0))) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        /* Bit 0 of flags is the continuation flag.  */
        l2cap_channel_config_req_msg(l2cap,
                        le16_to_cpu(((l2cap_conf_req *) params)->flags) & 1,
                        le16_to_cpu(((l2cap_conf_req *) params)->dcid),
                        ((l2cap_conf_req *) params)->data,
                        len - L2CAP_CONF_REQ_SIZE(0));
        break;

    case L2CAP_CONF_RSP:
        if (unlikely(len < L2CAP_CONF_RSP_SIZE(0))) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        /* A non-zero return means the response matched no pending
         * request of ours.  */
        if (l2cap_channel_config_rsp_msg(l2cap,
                        le16_to_cpu(((l2cap_conf_rsp *) params)->result),
                        le16_to_cpu(((l2cap_conf_rsp *) params)->flags) & 1,
                        le16_to_cpu(((l2cap_conf_rsp *) params)->scid),
                        ((l2cap_conf_rsp *) params)->data,
                        len - L2CAP_CONF_RSP_SIZE(0)))
            fprintf(stderr, "%s: unexpected Configure Response (%02x) "
                            "packet, ignoring.\n", __FUNCTION__, id);
        break;

    case L2CAP_DISCONN_REQ:
        if (unlikely(len != L2CAP_DISCONN_REQ_SIZE)) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        l2cap_channel_close(l2cap,
                        le16_to_cpu(((l2cap_disconn_req *) params)->dcid),
                        le16_to_cpu(((l2cap_disconn_req *) params)->scid));
        break;

    case L2CAP_DISCONN_RSP:
        if (unlikely(len != L2CAP_DISCONN_RSP_SIZE)) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        /* We never issue Disconnection Requests currently. TODO  */
        fprintf(stderr, "%s: unexpected Disconnection Response (%02x) "
                        "packet, ignoring.\n", __FUNCTION__, id);
        break;

    case L2CAP_ECHO_REQ:
        /* No size check here: the payload is passed through as-is, so
         * l2cap_echo_response is expected to bound what it echoes back
         * (not visible in this file section) - confirm.  */
        l2cap_echo_response(l2cap, params, len);
        break;

    case L2CAP_ECHO_RSP:
        /* We never issue Echo Requests currently. TODO  */
        fprintf(stderr, "%s: unexpected Echo Response (%02x) "
                        "packet, ignoring.\n", __FUNCTION__, id);
        break;

    case L2CAP_INFO_REQ:
        if (unlikely(len != L2CAP_INFO_REQ_SIZE)) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        l2cap_info(l2cap, le16_to_cpu(((l2cap_info_req *) params)->type));
        break;

    case L2CAP_INFO_RSP:
        if (unlikely(len != L2CAP_INFO_RSP_SIZE)) {
            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
            goto reject;
        }

        /* We never issue Information Requests currently. TODO  */
        fprintf(stderr, "%s: unexpected Information Response (%02x) "
                        "packet, ignoring.\n", __FUNCTION__, id);
        break;

    default:
        err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
    /* Shared exit for every malformed or unknown command above.  */
    reject:
        l2cap_command_reject(l2cap, id, err, 0, 0);
        break;
    }
}
929 
/* Switch retransmission on @ch on or off and re-arm the two timers that
 * depend on that state.
 *
 * @enable: new value for ch->rexmit (non-zero enables)
 *
 * The field is written before the timer helpers run; the order of the two
 * update calls is kept as is since both take the channel.  */
static void l2cap_rexmit_enable(struct l2cap_chan_s *ch, int enable)
{
    ch->rexmit = enable;

    l2cap_retransmission_timer_update(ch);
    l2cap_monitor_timer_update(ch);
}
937 
/* Command frame SDU */
/* Split a C-frame SDU into its signalling commands and run each one.
 *
 * @opaque: the struct l2cap_instance_s owning the signalling channel
 * @data:   SDU payload, a sequence of l2cap_cmd_hdr + parameters
 * @len:    SDU length in octets
 *
 * A trailing partial header ends processing silently; a command whose
 * declared length exceeds what is left in the SDU is answered with a
 * Command Reject and the rest of the SDU is dropped.  */
static void l2cap_cframe_in(void *opaque, const uint8_t *data, int len)
{
    struct l2cap_instance_s *l2cap = opaque;
    const uint8_t *cursor = data;
    int remaining = len;

    while (remaining) {
        const l2cap_cmd_hdr *hdr = (const void *) cursor;
        int clen;

        if (remaining < L2CAP_CMD_HDR_SIZE) {
            /* TODO: signal an error */
            return;
        }
        cursor += L2CAP_CMD_HDR_SIZE;
        remaining -= L2CAP_CMD_HDR_SIZE;

        /* The header's len counts only the parameters that follow it.  */
        clen = le16_to_cpu(hdr->len);
        if (clen > remaining) {
            l2cap_command_reject(l2cap, hdr->ident,
                            L2CAP_REJ_CMD_NOT_UNDERSTOOD, 0, 0);
            break;
        }

        l2cap_command(l2cap, hdr->code, hdr->ident, cursor, clen);
        cursor += clen;
        remaining -= clen;
    }
}
965 
/* Group frame SDU */
/* Stub: connection-less (group channel) data is currently discarded.
 *
 * @opaque: the struct l2cap_instance_s (set in l2cap_init)
 * @data:   SDU payload
 * @len:    SDU length in octets  */
static void l2cap_gframe_in(void *opaque, const uint8_t *data, int len)
{
}
970 
/* Supervisory frame */
/* Stub: Supervisory frames are accepted but not acted upon yet.
 *
 * @ch:   channel the S-frame arrived on
 * @ctrl: the 16-bit control field, already converted to host order  */
static void l2cap_sframe_in(struct l2cap_chan_s *ch, uint16_t ctrl)
{
}
975 
/* Basic L2CAP mode Information frame */
/* Deliver a Basic-mode B-frame: its payload is one complete SDU.
 *
 * @ch:  channel the frame addresses
 * @cid: local channel identifier (unused here)
 * @hdr: basic header; hdr->data is the payload
 * @len: payload length in octets, as taken from the basic header  */
static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid,
                const l2cap_hdr *hdr, int len)
{
    /* We have a full SDU, no further processing */
    ch->params.sdu_in(ch->params.opaque, hdr->data, len);
}
983 
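/* Flow Control and Retransmission mode frame */
/* Handle one I-frame or S-frame received on @ch.
 *
 * @ch:  channel in Flow Control / Retransmission mode
 * @cid: local channel identifier (unused here)
 * @hdr: basic L2CAP header followed by the frame payload
 * @len: payload length from the basic header: control field, optional
 *       SDU length, data and the trailing FCS
 *
 * The frame is size- and FCS-checked first, the R bit of the control
 * field updates the channel's retransmission state, S-frames go to
 * l2cap_sframe_in and I-frames are reassembled according to the SAR
 * field before delivery through ch->params.sdu_in.  Any malformed frame
 * discards the SDU reassembled so far.  */
static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid,
                const l2cap_hdr *hdr, int len)
{
    uint16_t fcs;
    int total;

    /* Control field (2 octets) plus FCS (2 octets) is the smallest valid
     * frame.  This must be checked before the FCS is located, otherwise
     * hdr->data + len - 2 points before the payload for len < 2.  */
    if (len < 4)
        goto len_error;

    fcs = le16_to_cpup((void *) (hdr->data + len - 2));
    /* The FCS covers the basic header and the payload up to the FCS.  */
    if (l2cap_fcs16((const uint8_t *) hdr, L2CAP_HDR_SIZE + len - 2) != fcs)
        goto fcs_error;

    /* Bit 7 of the first control octet is the R bit; ch->rexmit is kept
     * equal to its complement.  */
    if ((hdr->data[0] >> 7) == ch->rexmit)
        l2cap_rexmit_enable(ch, !(hdr->data[0] >> 7));

    /* Bit 0 of the control field marks an S-frame, which carries no data.  */
    if (hdr->data[0] & 1) {
        if (len != 4) {
            /* TODO: Signal an error? */
            return;
        }
        l2cap_sframe_in(ch, le16_to_cpup((void *) hdr->data));
        return;
    }

    /* NOTE(review): len_total is taken from the wire; the memcpy()s into
     * ch->sdu below assume the buffer holds at least that many octets (its
     * allocation is not visible here) - confirm.  */
    switch (hdr->data[1] >> 6) {	/* SAR */
    case L2CAP_SAR_NO_SEG:
        if (ch->len_total)
            goto seg_error;
        if (len - 4 > ch->mps)
            goto len_error;

        ch->params.sdu_in(ch->params.opaque, hdr->data + 2, len - 4);
        return;

    case L2CAP_SAR_START:
        /* A start segment carries a 2-octet SDU length after the control
         * field, so it needs at least 6 octets.  */
        if (ch->len_total || len < 6)
            goto seg_error;
        if (len - 6 > ch->mps)
            goto len_error;

        ch->len_total = le16_to_cpup((void *) (hdr->data + 2));
        /* A start segment must not already contain the whole SDU.  */
        if (len >= 6 + ch->len_total)
            goto seg_error;

        ch->len_cur = len - 6;
        memcpy(ch->sdu, hdr->data + 4, ch->len_cur);
        return;

    case L2CAP_SAR_END:
        /* The final segment must complete the SDU exactly.  Accepting a
         * longer one would copy past the announced length into ch->sdu.  */
        if (!ch->len_total || ch->len_cur + len - 4 != ch->len_total)
            goto seg_error;
        if (len - 4 > ch->mps)
            goto len_error;

        memcpy(ch->sdu + ch->len_cur, hdr->data + 2, len - 4);
        /* Clear the reassembly state before delivering, otherwise the next
         * START or unsegmented frame on this channel is rejected because
         * len_total is still set.  */
        total = ch->len_total;
        ch->len_cur = 0;
        ch->len_total = 0;
        ch->params.sdu_in(ch->params.opaque, ch->sdu, total);
        return;

    case L2CAP_SAR_CONT:
        /* A continuation must leave room for the final segment.  */
        if (!ch->len_total || ch->len_cur + len - 4 >= ch->len_total)
            goto seg_error;
        if (len - 4 > ch->mps)
            goto len_error;

        memcpy(ch->sdu + ch->len_cur, hdr->data + 2, len - 4);
        ch->len_cur += len - 4;
        return;

    default:
        /* The two SAR bits only take the four values handled above.  */
        return;
    }

seg_error:
len_error:	/* TODO */
fcs_error:	/* TODO */
    /* Drop whatever was reassembled so far.  */
    ch->len_cur = 0;
    ch->len_total = 0;
}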
1056 
/* Route one complete basic-header PDU to the channel it addresses.
 *
 * @l2cap: connection the PDU arrived on
 * @frame: basic header followed by frame->len octets of payload
 *
 * The CID is range-checked against L2CAP_CID_MAX before it indexes
 * l2cap->cid; a PDU for an unknown or unallocated CID is logged and
 * dropped.  */
static void l2cap_frame_in(struct l2cap_instance_s *l2cap,
                const l2cap_hdr *frame)
{
    uint16_t cid = le16_to_cpu(frame->cid);
    uint16_t len = le16_to_cpu(frame->len);
    struct l2cap_chan_s *chan = NULL;

    if (cid < L2CAP_CID_MAX)
        chan = l2cap->cid[cid];

    if (unlikely(!chan)) {
        fprintf(stderr, "%s: frame addressed to a non-existent L2CAP "
                        "channel %04x received.\n", __FUNCTION__, cid);
        return;
    }

    chan->frame_in(chan, cid, frame, len);
}
1071 
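/* "Recombination" */
/* Append one ACL fragment to the PDU being recombined in l2cap->frame_in
 * and hand the PDU to its channel once the basic header says it is
 * complete.
 *
 * @l2cap: connection whose frame_in buffer accumulates the fragments
 * @data:  fragment payload
 * @len:   fragment length in octets
 *
 * The caller zeroes l2cap->frame_in_len on a start fragment; continuation
 * fragments are appended behind what is already buffered.  */
static void l2cap_pdu_in(struct l2cap_instance_s *l2cap,
                const uint8_t *data, int len)
{
    const l2cap_hdr *hdr = (void *) l2cap->frame_in;
    int before, after, need;

    if (unlikely(len + l2cap->frame_in_len > sizeof(l2cap->frame_in))) {
        /* The fragment does not fit: keep what does and dispatch once so
         * an oversized PDU is not silently lost.  */
        if (l2cap->frame_in_len < sizeof(l2cap->frame_in)) {
            memcpy(l2cap->frame_in + l2cap->frame_in_len, data,
                            sizeof(l2cap->frame_in) - l2cap->frame_in_len);
            l2cap->frame_in_len = sizeof(l2cap->frame_in);
            /* TODO: truncate */
            l2cap_frame_in(l2cap, hdr);
        }

        return;
    }

    before = l2cap->frame_in_len;
    memcpy(l2cap->frame_in + before, data, len);
    after = before + len;
    l2cap->frame_in_len = after;

    /* Completeness is judged on everything buffered so far, not on this
     * fragment alone: a PDU split over several ACL packets only becomes
     * complete when the accumulated length reaches the header's len.  The
     * "before" check makes sure a PDU is dispatched exactly once, even if
     * further continuation fragments arrive after it was complete.  */
    if (after >= L2CAP_HDR_SIZE) {
        need = L2CAP_HDR_SIZE + le16_to_cpu(hdr->len);
        if (after >= need && before < need)
            l2cap_frame_in(l2cap, hdr);
    }
    /* There is never a start of a new PDU in the same ACL packet, so
     * no need to memmove the remaining payload and loop.  */
}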
1099 
/* Prepare the outgoing frame buffer for a PDU of @len payload octets to
 * remote channel @cid.
 *
 * Writes the basic header into l2cap->frame_out, records the total frame
 * length in l2cap->frame_out_len and returns a pointer to where the
 * caller must write the @len payload octets before l2cap_pdu_submit.  */
static inline uint8_t *l2cap_pdu_out(struct l2cap_instance_s *l2cap,
                uint16_t cid, uint16_t len)
{
    uint8_t *buf = l2cap->frame_out;
    l2cap_hdr *hdr = (l2cap_hdr *) buf;

    hdr->cid = cpu_to_le16(cid);
    hdr->len = cpu_to_le16(len);
    l2cap->frame_out_len = L2CAP_HDR_SIZE + len;

    return buf + L2CAP_HDR_SIZE;
}
1112 
/* Push the frame prepared by l2cap_pdu_out down to the LMP layer.
 *
 * The host side (role != 0) delivers to the slave's lmp_acl_data, the
 * slave side to the host's lmp_acl_resp; the frame is sent as a single
 * start fragment (third argument 1).  */
static inline void l2cap_pdu_submit(struct l2cap_instance_s *l2cap)
{
    struct bt_link_s *link = l2cap->link;

    /* TODO: Fragmentation */
    if (l2cap->role)
        link->slave->lmp_acl_data(link, l2cap->frame_out, 1,
                        l2cap->frame_out_len);
    else
        link->host->lmp_acl_resp(link, l2cap->frame_out, 1,
                        l2cap->frame_out_len);
}
1120 
/* sdu_out callback for Basic-mode channels: reserve room for a B-frame of
 * @len octets and return the payload pointer.
 *
 * @parm: the channel's bt_l2cap_conn_params_s, which is the first member
 *        of struct l2cap_chan_s
 * @len:  payload length requested by the emulated device
 *
 * A request larger than the peer's MTU is a bug in the local device
 * model, not a remote error, and aborts the emulator.  */
static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int len)
{
    struct l2cap_chan_s *chan = (struct l2cap_chan_s *) parm;
    int mtu = chan->params.remote_mtu;

    if (len <= mtu)
        return l2cap_pdu_out(chan->l2cap, chan->remote_cid, len);

    fprintf(stderr, "%s: B-Frame for CID %04x longer than %i octets.\n",
                    __FUNCTION__, chan->remote_cid, mtu);
    exit(-1);
}
1134 
/* sdu_submit callback for Basic-mode channels: send the frame prepared by
 * l2cap_bframe_out on the channel's connection.  */
static void l2cap_bframe_submit(struct bt_l2cap_conn_params_s *parms)
{
    l2cap_pdu_submit(((struct l2cap_chan_s *) parms)->l2cap);
}
1141 
1142 #if 0
1143 /* Stub: Only used if an emulated device requests outgoing flow control */
1144 static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int len)
1145 {
1146     struct l2cap_chan_s *chan = (struct l2cap_chan_s *) parm;
1147 
1148     if (len > chan->params.remote_mtu) {
1149         /* TODO: slice into segments and queue each segment as a separate
1150          * I-Frame in a FIFO of I-Frames, local to the CID.  */
1151     } else {
1152         /* TODO: add to the FIFO of I-Frames, local to the CID.  */
1153         /* Possibly we need to return a pointer to a contiguous buffer
1154          * for now and then memcpy from it into FIFOs in l2cap_iframe_submit
1155          * while segmenting at the same time.  */
1156     }
1157     return 0;
1158 }
1159 
1160 static void l2cap_iframe_submit(struct bt_l2cap_conn_params_s *parm)
1161 {
1162     /* TODO: If flow control indicates clear to send, start submitting the
1163      * invidual I-Frames from the FIFO, but don't remove them from there.
1164      * Kick the appropriate timer until we get an S-Frame, and only then
1165      * remove from FIFO or resubmit and re-kick the timer if the timer
1166      * expired.  */
1167 }
1168 #endif
1169 
/* Initialise a freshly allocated L2CAP instance for @link and create the
 * two fixed channels: signalling and connection-less group data.
 *
 * @role: non-zero for the host (master) side, zero for the slave side; it
 *        selects which end of @link this instance represents.
 *
 * The group channel gets no sdu_out/sdu_submit; both callers allocate the
 * instance with qemu_mallocz, so those callbacks stay NULL.  */
static void l2cap_init(struct l2cap_instance_s *l2cap,
                struct bt_link_s *link, int role)
{
    struct l2cap_chan_s *sig = &l2cap->signalling_ch;
    struct l2cap_chan_s *grp = &l2cap->group_ch;

    l2cap->link = link;
    l2cap->role = role;
    l2cap->dev = (struct bt_l2cap_device_s *)
            (role ? link->host : link->slave);

    /* Signalling command identifiers start at 1.  */
    l2cap->next_id = 1;

    /* Establish the signalling channel */
    sig->params.sdu_in = l2cap_cframe_in;
    sig->params.sdu_out = l2cap_bframe_out;
    sig->params.sdu_submit = l2cap_bframe_submit;
    sig->params.opaque = l2cap;
    sig->params.remote_mtu = 48;
    sig->remote_cid = L2CAP_CID_SIGNALLING;
    sig->frame_in = l2cap_bframe_in;
    sig->mps = 65536;
    sig->min_mtu = 48;
    sig->mode = L2CAP_MODE_BASIC;
    sig->l2cap = l2cap;
    l2cap->cid[L2CAP_CID_SIGNALLING] = sig;

    /* Establish the connection-less data channel */
    grp->params.sdu_in = l2cap_gframe_in;
    grp->params.opaque = l2cap;
    grp->frame_in = l2cap_bframe_in;
    grp->mps = 65533;
    grp->l2cap = l2cap;
    grp->remote_cid = L2CAP_CID_INVALID;
    l2cap->cid[L2CAP_CID_GROUP] = grp;
}
1203 
/* Tear down an L2CAP instance: optionally tell the peer, close and free
 * every dynamically allocated channel, then free the instance itself.
 *
 * @send_disconnect: zero when we are reacting to the peer's disconnect
 *
 * Ownership: on the host side (role != 0) the instance was allocated on
 * its own and is freed directly; on the slave side it is embedded in the
 * object that l2cap->link points into, so that object is freed instead.  */
static void l2cap_teardown(struct l2cap_instance_s *l2cap, int send_disconnect)
{
    int cid;

    /* Don't send DISCONNECT if we are currently handling a DISCONNECT
     * sent from the other side.  */
    if (send_disconnect) {
        if (l2cap->role) {
            l2cap->dev->device.lmp_disconnect_slave(l2cap->link);
            /* l2cap->link is invalid from now on.  */
        } else {
            l2cap->dev->device.lmp_disconnect_master(l2cap->link);
        }
    }

    /* Release every allocated channel; the fixed ones live inside the
     * instance and need no free.  */
    for (cid = L2CAP_CID_ALLOC; cid < L2CAP_CID_MAX; cid ++) {
        struct l2cap_chan_s *ch = l2cap->cid[cid];

        if (!ch)
            continue;
        ch->params.close(ch->params.opaque);
        qemu_free(ch);
    }

    if (l2cap->role)
        qemu_free(l2cap);
    else
        qemu_free(l2cap->link);
}
1229 
1230 /* L2CAP glue to lower layers in bluetooth stack (LMP) */
1231 
/* LMP callback: a host asks for a connection to this (slave) device.
 *
 * The request is always accepted: a slave instance with its own embedded
 * link is allocated and initialised, and the host is told the connection
 * is complete through that new link.  */
static void l2cap_lmp_connection_request(struct bt_link_s *link)
{
    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->slave;
    struct slave_l2cap_instance_s *inst;
    struct bt_link_s *our_link;

    /* Always accept - we only get called if (dev->device->page_scan).  */

    inst = qemu_mallocz(sizeof(*inst));
    our_link = &inst->link;
    our_link->slave = &dev->device;
    our_link->host = link->host;
    l2cap_init(&inst->l2cap, our_link, 0);

    /* Always at the end */
    link->host->reject_reason = 0;
    link->host->lmp_connection_complete(our_link);
}
1248 
/* Stub */
/* LMP callback on the host side: the slave answered our connection
 * request.
 *
 * On rejection nothing is done yet.  On success a host-side instance is
 * allocated and initialised, but it is not stored anywhere and no upper
 * layer is notified, so the allocation is currently unreachable (leaked)
 * once this function returns.  The "Retrieve from upper layer" TODOs in
 * the host-side callbacks below depend on this being resolved.  */
static void l2cap_lmp_connection_complete(struct bt_link_s *link)
{
    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->host;
    struct l2cap_instance_s *l2cap;

    if (dev->device.reject_reason) {
        /* Signal to upper layer */
        return;
    }

    l2cap = qemu_mallocz(sizeof(struct l2cap_instance_s));
    l2cap_init(l2cap, link, 1);

    link->acl_mode = acl_active;

    /* Signal to upper layer */
}
1267 
/* Stub */
/* LMP callback on the host side: the link was disconnected.
 *
 * The cast below is a placeholder: @dev is a struct bt_l2cap_device_s,
 * not the struct l2cap_instance_s that l2cap_connection_complete created
 * for this link, so l2cap_teardown runs on the wrong object (and frees
 * it) until the instance is actually looked up from the upper layer.  */
static void l2cap_lmp_disconnect_host(struct bt_link_s *link)
{
    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->host;
    struct l2cap_instance_s *l2cap =
            /* TODO: Retrieve from upper layer */ (void *) dev;

    /* Signal to upper layer */

    l2cap_teardown(l2cap, 0);
}
1279 
/* LMP callback on the slave side: the host dropped the link.
 *
 * @link is the link embedded in a struct slave_l2cap_instance_s (it is
 * that structure's first member), so the enclosing instance is recovered
 * by a cast and torn down without sending a disconnect back.  */
static void l2cap_lmp_disconnect_slave(struct bt_link_s *link)
{
    struct slave_l2cap_instance_s *slave =
            (struct slave_l2cap_instance_s *) link;

    l2cap_teardown(&slave->l2cap, 0);
}
1287 
/* LMP callback on the slave side: one ACL fragment arrived from the host.
 *
 * @start: non-zero for the first fragment of a PDU
 * @len:   fragment length in octets
 *
 * A start fragment discards any partially recombined PDU before the
 * fragment is appended.  */
static void l2cap_lmp_acl_data_slave(struct bt_link_s *link,
                const uint8_t *data, int start, int len)
{
    struct slave_l2cap_instance_s *slave =
            (struct slave_l2cap_instance_s *) link;
    struct l2cap_instance_s *inst = &slave->l2cap;

    if (start)
        inst->frame_in_len = 0;

    l2cap_pdu_in(inst, data, len);
}
1299 
/* Stub */
/* LMP callback on the host side: one ACL fragment arrived from the slave.
 *
 * @start: non-zero for the first fragment of a PDU
 * @len:   fragment length in octets
 *
 * The cast below is a placeholder: @dev is a struct bt_l2cap_device_s,
 * not a struct l2cap_instance_s, so until the instance is looked up from
 * the upper layer l2cap_pdu_in would copy the fragment into the device
 * structure through the wrong type.  */
static void l2cap_lmp_acl_data_host(struct bt_link_s *link,
                const uint8_t *data, int start, int len)
{
    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->host;
    struct l2cap_instance_s *l2cap =
            /* TODO: Retrieve from upper layer */ (void *) dev;

    if (start)
        l2cap->frame_in_len = 0;

    l2cap_pdu_in(l2cap, data, len);
}
1313 
/* handle_destroy hook installed by bt_l2cap_device_init: @dev is the
 * embedded bt_device_s of a struct bt_l2cap_device_s, so recover the
 * outer structure and run its teardown.  */
static void l2cap_dummy_destroy(struct bt_device_s *dev)
{
    bt_l2cap_device_done((struct bt_l2cap_device_s *) dev);
}
1320 
/* Initialise the generic Bluetooth device embedded in @dev on scatternet
 * @net and install the L2CAP implementations of the LMP callbacks.
 *
 * The slave-side callbacks (connection request, ACL data) and the
 * host-side ones (connection complete, ACL response, disconnect) are all
 * wired, although the host-side ones are still stubs.  */
void bt_l2cap_device_init(struct bt_l2cap_device_s *dev,
                struct bt_scatternet_s *net)
{
    struct bt_device_s *d = &dev->device;

    bt_device_init(d, net);

    d->lmp_connection_request = l2cap_lmp_connection_request;
    d->lmp_connection_complete = l2cap_lmp_connection_complete;
    d->lmp_disconnect_master = l2cap_lmp_disconnect_host;
    d->lmp_disconnect_slave = l2cap_lmp_disconnect_slave;
    d->lmp_acl_data = l2cap_lmp_acl_data_slave;
    d->lmp_acl_resp = l2cap_lmp_acl_data_host;
    d->handle_destroy = l2cap_dummy_destroy;
}
1335 
/* Undo bt_l2cap_device_init for @dev.
 *
 * Only the embedded generic device is torn down; live L2CAP instances
 * on this device are not tracked yet and therefore not torn down here.  */
void bt_l2cap_device_done(struct bt_l2cap_device_s *dev)
{
    bt_device_done(&dev->device);

    /* Should keep a list of all instances and go through it and
     * invoke l2cap_teardown() for each.  */
}
1343 
/* Register a PSM that @dev is willing to accept connections on.
 *
 * @psm:         Protocol/Service Multiplexer value
 * @min_mtu:     smallest MTU the service accepts for its channels
 * @new_channel: called when a peer opens a channel on this PSM
 *
 * Registering a PSM twice on the same device is a configuration error of
 * the emulated device and aborts the emulator.  The new entry is pushed on
 * the head of dev->first_psm; it is owned by the device from then on.  */
void bt_l2cap_psm_register(struct bt_l2cap_device_s *dev, int psm, int min_mtu,
                int (*new_channel)(struct bt_l2cap_device_s *dev,
                        struct bt_l2cap_conn_params_s *params))
{
    struct bt_l2cap_psm_s *entry = l2cap_psm(dev, psm);

    if (entry) {
        fprintf(stderr, "%s: PSM %04x already registered for device `%s'.\n",
                        __FUNCTION__, psm, dev->device.lmp_name);
        exit(-1);
    }

    entry = qemu_mallocz(sizeof(*entry));
    entry->psm = psm;
    entry->min_mtu = min_mtu;
    entry->new_channel = new_channel;

    /* Push onto the head of the device's PSM list.  */
    entry->next = dev->first_psm;
    dev->first_psm = entry;
}
1363