1 /* $OpenBSD: src/sys/netbt/rfcomm_session.c,v 1.3 2008/02/24 21:34:48 uwe Exp $ */
2 /* $NetBSD: rfcomm_session.c,v 1.12 2008/01/31 19:30:23 plunky Exp $ */
5 * Copyright (c) 2006 Itronix Inc.
8 * Written by Iain Hibbert for Itronix Inc.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The name of Itronix Inc. may not be used to endorse
19 * or promote products derived from this software without specific
20 * prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
24 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
25 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
26 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
27 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
29 * ON ANY THEORY OF LIABILITY, WHETHER IN
30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
35 #include <sys/param.h>
36 #include <sys/kernel.h>
39 #include <sys/systm.h>
40 #include <sys/types.h>
41 #include <sys/endian.h>
45 #include <netbt/bluetooth.h>
46 #include <netbt/hci.h>
47 #include <netbt/l2cap.h>
48 #include <netbt/rfcomm.h>
50 /******************************************************************************
52 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
53 * multiplex up to 30 incoming and 30 outgoing connections.
54 * Only one Multiplexer is allowed between any two devices.
57 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
58 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
59 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
60 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
61 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
62 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
63 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
64 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
65 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
66 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
67 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
68 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
69 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
70 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
73 static void rfcomm_session_connecting(void *);
74 static void rfcomm_session_connected(void *);
75 static void rfcomm_session_disconnected(void *, int);
76 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
77 static void rfcomm_session_complete(void *, int);
78 static void rfcomm_session_linkmode(void *, int);
79 static void rfcomm_session_input(void *, struct mbuf *);
81 static const struct btproto rfcomm_session_proto = {
82 rfcomm_session_connecting,
83 rfcomm_session_connected,
84 rfcomm_session_disconnected,
85 rfcomm_session_newconn,
86 rfcomm_session_complete,
87 rfcomm_session_linkmode,
91 struct rfcomm_session_list
92 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
94 struct rfcomm_session_list
95 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
97 vm_zone_t rfcomm_credit_pool;
100 * RFCOMM System Parameters (see section 5.3)
102 int rfcomm_mtu_default = 127; /* bytes */
103 int rfcomm_ack_timeout = 20; /* seconds */
104 int rfcomm_mcc_timeout = 20; /* seconds */
107 * Reversed CRC table as per TS 07.10 Annex B.3.5
109 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */
110 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
111 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
112 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
113 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
115 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
116 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
117 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
118 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
120 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
121 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
122 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
123 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
125 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
126 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
127 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
128 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
130 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
131 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
132 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
133 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
135 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
136 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
137 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
138 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
140 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
141 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
142 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
143 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
145 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
146 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
147 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
148 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
151 #define FCS(f, d) crctable[(f) ^ (d)]
156 * initialize the "credit pool".
161 rfcomm_credit_pool = zinit("rfcomm_credit",
162 sizeof(struct rfcomm_credit), 0, 0, 0);
166 * rfcomm_session_alloc(list, sockaddr)
168 * allocate a new session and fill in the blanks, then
169 * attach session to front of specified list (active or listen)
171 struct rfcomm_session *
172 rfcomm_session_alloc(struct rfcomm_session_list *list,
173 struct sockaddr_bt *laddr)
175 struct rfcomm_session *rs;
178 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
182 rs->rs_state = RFCOMM_SESSION_CLOSED;
184 callout_init(&rs->rs_timeout);
186 STAILQ_INIT(&rs->rs_credits);
187 LIST_INIT(&rs->rs_dlcs);
189 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
191 kfree(rs, M_BLUETOOTH);
195 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
197 if (laddr->bt_psm == L2CAP_PSM_ANY)
198 laddr->bt_psm = L2CAP_PSM_RFCOMM;
200 (void)l2cap_bind(rs->rs_l2cap, laddr);
202 LIST_INSERT_HEAD(list, rs, rs_next);
208 * rfcomm_session_free(rfcomm_session)
210 * release a session, including any cleanup
213 rfcomm_session_free(struct rfcomm_session *rs)
215 struct rfcomm_credit *credit;
217 KKASSERT(rs != NULL);
218 KKASSERT(LIST_EMPTY(&rs->rs_dlcs));
220 rs->rs_state = RFCOMM_SESSION_CLOSED;
223 * If the callout is already invoked we have no way to stop it,
224 * but it will call us back right away (there are no DLC's) so
227 callout_stop(&rs->rs_timeout);
228 if (callout_active(&rs->rs_timeout))
232 * Take care that rfcomm_session_disconnected() doesnt call
233 * us back either as it will do if the l2cap_channel has not
234 * been closed when we detach it..
236 if (rs->rs_flags & RFCOMM_SESSION_FREE)
239 rs->rs_flags |= RFCOMM_SESSION_FREE;
241 /* throw away any remaining credit notes */
242 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) {
243 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
244 zfree(rfcomm_credit_pool, credit);
247 KKASSERT(STAILQ_EMPTY(&rs->rs_credits));
250 LIST_REMOVE(rs, rs_next);
251 l2cap_detach(&rs->rs_l2cap);
252 kfree(rs, M_BLUETOOTH);
256 * rfcomm_session_lookup(sockaddr, sockaddr)
258 * Find active rfcomm session matching src and dest addresses
259 * when src is BDADDR_ANY match any local address
261 struct rfcomm_session *
262 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
264 struct rfcomm_session *rs;
265 struct sockaddr_bt addr;
267 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
268 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
271 l2cap_sockaddr(rs->rs_l2cap, &addr);
273 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
274 if (bdaddr_any(&src->bt_bdaddr) == 0)
277 l2cap_peeraddr(rs->rs_l2cap, &addr);
279 if (addr.bt_psm != dest->bt_psm)
282 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
290 * rfcomm_session_timeout(rfcomm_session)
292 * Session timeouts are scheduled when a session is left or
293 * created with no DLCs, and when SABM(0) or DISC(0) are
296 * So, if it is in an open state with DLC's attached then
297 * we leave it alone, otherwise the session is lost.
300 rfcomm_session_timeout(void *arg)
302 struct rfcomm_session *rs = arg;
303 struct rfcomm_dlc *dlc;
305 KKASSERT(rs != NULL);
309 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
310 DPRINTF("timeout\n");
311 rs->rs_state = RFCOMM_SESSION_CLOSED;
313 while (!LIST_EMPTY(&rs->rs_dlcs)) {
314 dlc = LIST_FIRST(&rs->rs_dlcs);
316 rfcomm_dlc_close(dlc, ETIMEDOUT);
320 if (LIST_EMPTY(&rs->rs_dlcs)) {
321 DPRINTF("expiring\n");
322 rfcomm_session_free(rs);
327 /***********************************************************************
329 * RFCOMM Session L2CAP protocol callbacks
334 rfcomm_session_connecting(void *arg)
336 /* struct rfcomm_session *rs = arg; */
338 DPRINTF("Connecting\n");
342 rfcomm_session_connected(void *arg)
344 struct rfcomm_session *rs = arg;
346 DPRINTF("Connected\n");
351 * If we are initiator, we can send our SABM(0)
352 * a timeout should be active?
354 * We must take note of the L2CAP MTU because currently
355 * the L2CAP implementation can only do Basic Mode.
357 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
359 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
360 if (rs->rs_mtu < RFCOMM_MTU_MIN) {
361 rfcomm_session_disconnected(rs, EINVAL);
365 if (IS_INITIATOR(rs)) {
368 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
370 rfcomm_session_disconnected(rs, err);
372 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
373 rfcomm_session_timeout, rs);
378 rfcomm_session_disconnected(void *arg, int err)
380 struct rfcomm_session *rs = arg;
381 struct rfcomm_dlc *dlc;
383 DPRINTF("Disconnected\n");
385 rs->rs_state = RFCOMM_SESSION_CLOSED;
387 while (!LIST_EMPTY(&rs->rs_dlcs)) {
388 dlc = LIST_FIRST(&rs->rs_dlcs);
390 rfcomm_dlc_close(dlc, err);
393 rfcomm_session_free(rs);
397 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
398 struct sockaddr_bt *raddr)
400 struct rfcomm_session *new, *rs = arg;
402 DPRINTF("New Connection\n");
405 * Incoming session connect request. We should return a new
406 * session pointer if this is acceptable. The L2CAP layer
407 * passes local and remote addresses, which we must check as
408 * only one RFCOMM session is allowed between any two devices
410 new = rfcomm_session_lookup(laddr, raddr);
414 new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
418 new->rs_mtu = rs->rs_mtu;
419 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
422 * schedule an expiry so that if nothing comes of it we
425 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz,
426 rfcomm_session_timeout, rs);
428 return new->rs_l2cap;
432 rfcomm_session_complete(void *arg, int count)
434 struct rfcomm_session *rs = arg;
435 struct rfcomm_credit *credit;
436 struct rfcomm_dlc *dlc;
439 * count L2CAP packets are 'complete', meaning that they are cleared
440 * our buffers (for best effort) or arrived safe (for guaranteed) so
441 * we can take it off our list and pass the message on, so that
442 * eventually the data can be removed from the sockbuf
444 while (count-- > 0) {
445 credit = STAILQ_FIRST(&rs->rs_credits);
447 if (credit == NULL) {
448 kprintf("%s: too many packets completed!\n", __func__);
452 dlc = credit->rc_dlc;
455 (*dlc->rd_proto->complete)
456 (dlc->rd_upper, credit->rc_len);
459 * if not using credit flow control, we may push
462 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
463 && dlc->rd_state == RFCOMM_DLC_OPEN) {
464 rfcomm_dlc_start(dlc);
468 * When shutdown is indicated, we are just waiting to
469 * clear outgoing data.
471 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
472 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
473 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
474 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
476 callout_reset(&dlc->rd_timeout,
477 rfcomm_ack_timeout * hz,
478 rfcomm_dlc_timeout, dlc);
482 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
483 zfree(rfcomm_credit_pool, credit);
487 * If session is closed, we are just waiting to clear the queue
489 if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
490 if (STAILQ_EMPTY(&rs->rs_credits))
491 l2cap_disconnect(rs->rs_l2cap, 0);
498 * This is called when a mode change is complete. Proceed with connections
499 * where appropriate, or pass the new mode to any active DLCs.
502 rfcomm_session_linkmode(void *arg, int new)
504 struct rfcomm_session *rs = arg;
505 struct rfcomm_dlc *dlc, *next;
508 DPRINTF("auth %s, encrypt %s, secure %s\n",
509 (new & L2CAP_LM_AUTH ? "on" : "off"),
510 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
511 (new & L2CAP_LM_SECURE ? "on" : "off"));
513 if (new & L2CAP_LM_AUTH)
514 mode |= RFCOMM_LM_AUTH;
516 if (new & L2CAP_LM_ENCRYPT)
517 mode |= RFCOMM_LM_ENCRYPT;
519 if (new & L2CAP_LM_SECURE)
520 mode |= RFCOMM_LM_SECURE;
522 next = LIST_FIRST(&rs->rs_dlcs);
523 while ((dlc = next) != NULL) {
524 next = LIST_NEXT(dlc, rd_next);
526 switch (dlc->rd_state) {
527 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
528 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
529 rfcomm_dlc_close(dlc, ECONNABORTED);
531 err = rfcomm_session_send_frame(rs,
532 RFCOMM_FRAME_SABM, dlc->rd_dlci);
534 rfcomm_dlc_close(dlc, err);
536 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
537 callout_reset(&dlc->rd_timeout,
538 rfcomm_ack_timeout * hz,
539 rfcomm_dlc_timeout, dlc);
546 * If we aborted the connection and there are no more DLCs
547 * on the session, it is our responsibility to disconnect.
549 if (!LIST_EMPTY(&rs->rs_dlcs))
552 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
553 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
554 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
555 rfcomm_session_timeout, rs);
558 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
559 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
560 rfcomm_session_send_frame(rs,
561 RFCOMM_FRAME_DM, dlc->rd_dlci);
562 rfcomm_dlc_close(dlc, ECONNABORTED);
566 err = rfcomm_session_send_frame(rs,
567 RFCOMM_FRAME_UA, dlc->rd_dlci);
569 rfcomm_session_send_frame(rs,
570 RFCOMM_FRAME_DM, dlc->rd_dlci);
571 rfcomm_dlc_close(dlc, err);
575 err = rfcomm_dlc_open(dlc);
577 rfcomm_session_send_frame(rs,
578 RFCOMM_FRAME_DM, dlc->rd_dlci);
579 rfcomm_dlc_close(dlc, err);
585 case RFCOMM_DLC_WAIT_RECV_UA:
586 case RFCOMM_DLC_OPEN: /* already established */
587 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
597 * Receive data from L2CAP layer for session. There is always exactly one
598 * RFCOMM frame contained in each L2CAP frame.
601 rfcomm_session_input(void *arg, struct mbuf *m)
603 struct rfcomm_session *rs = arg;
604 int dlci, len, type, pf;
608 KKASSERT(rs != NULL);
611 * UIH frames: FCS is only calculated on address and control fields
612 * For other frames: FCS is calculated on address, control and length
613 * Length may extend to two octets
617 if (m->m_pkthdr.len < 4) {
618 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
622 /* address - one octet */
623 m_copydata(m, 0, 1, &b);
626 dlci = RFCOMM_DLCI(b);
628 /* control - one octet */
629 m_copydata(m, 0, 1, &b);
632 type = RFCOMM_TYPE(b);
635 /* length - may be two octets */
636 m_copydata(m, 0, 1, &b);
638 if (type != RFCOMM_FRAME_UIH)
640 len = (b >> 1) & 0x7f;
642 if (RFCOMM_EA(b) == 0) {
643 if (m->m_pkthdr.len < 2) {
644 DPRINTF("short frame (%d, EA = 0), discarded\n",
649 m_copydata(m, 0, 1, &b);
651 if (type != RFCOMM_FRAME_UIH)
657 /* FCS byte is last octet in frame */
658 m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
663 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
667 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
670 case RFCOMM_FRAME_SABM:
672 rfcomm_session_recv_sabm(rs, dlci);
675 case RFCOMM_FRAME_DISC:
677 rfcomm_session_recv_disc(rs, dlci);
680 case RFCOMM_FRAME_UA:
682 rfcomm_session_recv_ua(rs, dlci);
685 case RFCOMM_FRAME_DM:
686 rfcomm_session_recv_dm(rs, dlci);
689 case RFCOMM_FRAME_UIH:
690 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
691 return; /* (no release) */
702 /***********************************************************************
704 * RFCOMM Session receive processing
708 * rfcomm_session_recv_sabm(rfcomm_session, dlci)
710 * Set Asyncrhonous Balanced Mode - open the channel.
713 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
715 struct rfcomm_dlc *dlc;
718 DPRINTFN(5, "SABM(%d)\n", dlci);
720 if (dlci == 0) { /* Open Session */
721 rs->rs_state = RFCOMM_SESSION_OPEN;
722 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
723 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
724 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
725 rfcomm_dlc_connect(dlc);
730 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
731 DPRINTF("session was not even open!\n");
735 /* validate direction bit */
736 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
737 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
738 DPRINTF("Invalid direction bit on DLCI\n");
743 * look for our DLC - this may exist if we received PN
744 * already, or we may have to fabricate a new one.
746 dlc = rfcomm_dlc_lookup(rs, dlci);
748 dlc = rfcomm_dlc_newconn(rs, dlci);
750 return; /* (DM is sent) */
754 * ..but if this DLC is not waiting to connect, they did
755 * something wrong, ignore it.
757 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
761 err = rfcomm_dlc_setmode(dlc);
762 if (err == EINPROGRESS) {
763 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
764 (*dlc->rd_proto->connecting)(dlc->rd_upper);
770 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
774 /* and mark it open */
775 err = rfcomm_dlc_open(dlc);
782 rfcomm_dlc_close(dlc, err);
786 * Receive Disconnect Command
789 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
791 struct rfcomm_dlc *dlc;
793 DPRINTFN(5, "DISC(%d)\n", dlci);
799 * We set the session state to CLOSED so that when
800 * the UA frame is clear the session will be closed
801 * automatically. We wont bother to close any DLC's
802 * just yet as there should be none. In the unlikely
803 * event that something is left, it will get flushed
804 * out as the session goes down.
806 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
807 rs->rs_state = RFCOMM_SESSION_CLOSED;
811 dlc = rfcomm_dlc_lookup(rs, dlci);
813 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
817 rfcomm_dlc_close(dlc, ECONNRESET);
818 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
822 * Receive Unnumbered Acknowledgement Response
824 * This should be a response to a DISC or SABM frame that we
825 * have previously sent. If unexpected, ignore it.
828 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
830 struct rfcomm_dlc *dlc;
832 DPRINTFN(5, "UA(%d)\n", dlci);
835 switch (rs->rs_state) {
836 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */
837 callout_stop(&rs->rs_timeout);
838 rs->rs_state = RFCOMM_SESSION_OPEN;
839 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
840 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
841 rfcomm_dlc_connect(dlc);
845 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */
846 callout_stop(&rs->rs_timeout);
847 rs->rs_state = RFCOMM_SESSION_CLOSED;
848 l2cap_disconnect(rs->rs_l2cap, 0);
852 DPRINTF("Received spurious UA(0)!\n");
860 * If we have no DLC on this dlci, we may have aborted
861 * without shutting down properly, so check if the session
862 * needs disconnecting.
864 dlc = rfcomm_dlc_lookup(rs, dlci);
868 switch (dlc->rd_state) {
869 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */
870 rfcomm_dlc_open(dlc);
873 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */
874 rfcomm_dlc_close(dlc, 0);
878 DPRINTF("Received spurious UA(%d)!\n", dlci);
882 check: /* last one out turns out the light */
883 if (LIST_EMPTY(&rs->rs_dlcs)) {
884 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
885 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
886 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs);
891 * Receive Disconnected Mode Response
893 * If this does not apply to a known DLC then we may ignore it.
896 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
898 struct rfcomm_dlc *dlc;
900 DPRINTFN(5, "DM(%d)\n", dlci);
902 dlc = rfcomm_dlc_lookup(rs, dlci);
906 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
907 rfcomm_dlc_close(dlc, ECONNREFUSED);
909 rfcomm_dlc_close(dlc, ECONNRESET);
913 * Receive Unnumbered Information with Header check (MCC or data packet)
916 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
917 int pf, struct mbuf *m, int len)
919 struct rfcomm_dlc *dlc;
922 DPRINTFN(10, "UIH(%d)\n", dlci);
925 rfcomm_session_recv_mcc(rs, m);
929 if (m->m_pkthdr.len != len + pf) {
930 DPRINTF("Bad Frame Length (%d), frame discarded\n",
936 dlc = rfcomm_dlc_lookup(rs, dlci);
938 DPRINTF("UIH received for non existent DLC, discarded\n");
939 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
943 if (dlc->rd_state != RFCOMM_DLC_OPEN) {
944 DPRINTF("non-open DLC (state = %d), discarded\n",
949 /* if PF is set, credits were included */
950 if (rs->rs_flags & RFCOMM_SESSION_CFC) {
952 if (m->m_pkthdr.len < sizeof(credits)) {
953 DPRINTF("Bad PF value, UIH discarded\n");
957 m_copydata(m, 0, sizeof(credits), &credits);
958 m_adj(m, sizeof(credits));
960 dlc->rd_txcred += credits;
962 if (credits > 0 && dlc->rd_txbuf != NULL)
963 rfcomm_dlc_start(dlc);
969 if (dlc->rd_rxcred == 0) {
970 DPRINTF("Credit limit reached, UIH discarded\n");
974 if (len > dlc->rd_rxsize) {
975 DPRINTF("UIH frame exceeds rxsize, discarded\n");
980 dlc->rd_rxsize -= len;
983 (*dlc->rd_proto->input)(dlc->rd_upper, m);
991 * Receive Multiplexer Control Command
994 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
1000 * Extract MCC header.
1002 * Fields are variable length using extension bit = 1 to signify the
1003 * last octet in the sequence.
1005 * Only single octet types are defined in TS 07.10/RFCOMM spec
1007 * Length can realistically only use 15 bits (max RFCOMM MTU)
1009 if (m->m_pkthdr.len < sizeof(b)) {
1010 DPRINTF("Short MCC header, discarded\n");
1014 m_copydata(m, 0, sizeof(b), &b);
1015 m_adj(m, sizeof(b));
1017 if (RFCOMM_EA(b) == 0) { /* verify no extensions */
1018 DPRINTF("MCC type EA = 0, discarded\n");
1022 type = RFCOMM_MCC_TYPE(b);
1027 if (m->m_pkthdr.len < sizeof(b)) {
1028 DPRINTF("Short MCC header, discarded\n");
1032 m_copydata(m, 0, sizeof(b), &b);
1033 m_adj(m, sizeof(b));
1035 len = (len << 7) | (b >> 1);
1036 len = min(len, RFCOMM_MTU_MAX);
1037 } while (RFCOMM_EA(b) == 0);
1039 if (len != m->m_pkthdr.len) {
1040 DPRINTF("Incorrect MCC length, discarded\n");
1044 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
1045 (cr ? "command" : "response"), type, len);
1048 * pass to command handler
1051 case RFCOMM_MCC_TEST: /* Test */
1052 rfcomm_session_recv_mcc_test(rs, cr, m);
1055 case RFCOMM_MCC_FCON: /* Flow Control On */
1056 rfcomm_session_recv_mcc_fcon(rs, cr);
1059 case RFCOMM_MCC_FCOFF: /* Flow Control Off */
1060 rfcomm_session_recv_mcc_fcoff(rs, cr);
1063 case RFCOMM_MCC_MSC: /* Modem Status Command */
1064 rfcomm_session_recv_mcc_msc(rs, cr, m);
1067 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */
1068 rfcomm_session_recv_mcc_rpn(rs, cr, m);
1071 case RFCOMM_MCC_RLS: /* Remote Line Status */
1072 rfcomm_session_recv_mcc_rls(rs, cr, m);
1075 case RFCOMM_MCC_PN: /* Parameter Negotiation */
1076 rfcomm_session_recv_mcc_pn(rs, cr, m);
1079 case RFCOMM_MCC_NSC: /* Non Supported Command */
1080 rfcomm_session_recv_mcc_nsc(rs, cr, m);
1084 b = RFCOMM_MKMCC_TYPE(cr, type);
1085 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
1093 * process TEST command/response
1096 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
1101 if (cr == 0) /* ignore ack */
1105 * we must send all the data they included back as is
1108 len = m->m_pkthdr.len;
1109 if (len > RFCOMM_MTU_MAX)
1112 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT);
1116 m_copydata(m, 0, len, data);
1117 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
1118 kfree(data, M_BLUETOOTH);
1122 * process Flow Control ON command/response
1125 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
1128 if (cr == 0) /* ignore ack */
1131 rs->rs_flags |= RFCOMM_SESSION_RFC;
1132 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
1136 * process Flow Control OFF command/response
1139 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
1141 if (cr == 0) /* ignore ack */
1144 rs->rs_flags &= ~RFCOMM_SESSION_RFC;
1145 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
1149 * process Modem Status Command command/response
1152 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
1154 struct rfcomm_mcc_msc msc; /* (3 octets) */
1155 struct rfcomm_dlc *dlc;
1159 if (m->m_pkthdr.len < sizeof(msc.address))
1162 m_copydata(m, 0, sizeof(msc.address), &msc.address);
1163 m_adj(m, sizeof(msc.address));
1164 len += sizeof(msc.address);
1166 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
1168 if (cr == 0) { /* ignore acks */
1170 callout_stop(&dlc->rd_timeout);
1176 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
1177 RFCOMM_DLCI(msc.address));
1182 if (m->m_pkthdr.len < sizeof(msc.modem))
1185 m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
1186 m_adj(m, sizeof(msc.modem));
1187 len += sizeof(msc.modem);
1189 dlc->rd_rmodem = msc.modem;
1190 /* XXX how do we signal this upstream? */
1192 if (RFCOMM_EA(msc.modem) == 0) {
1193 if (m->m_pkthdr.len < sizeof(msc.brk))
1196 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
1197 m_adj(m, sizeof(msc.brk));
1198 len += sizeof(msc.brk);
1200 /* XXX how do we signal this upstream? */
1203 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
1207 * process Remote Port Negotiation command/response
1210 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1212 struct rfcomm_mcc_rpn rpn;
1215 if (cr == 0) /* ignore ack */
1218 /* default values */
1219 rpn.bit_rate = RFCOMM_RPN_BR_9600;
1220 rpn.line_settings = RFCOMM_RPN_8_N_1;
1221 rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
1222 rpn.xon_char = RFCOMM_RPN_XON_CHAR;
1223 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
1225 if (m->m_pkthdr.len == sizeof(rpn)) {
1226 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn);
1227 rpn.param_mask = RFCOMM_RPN_PM_ALL;
1228 } else if (m->m_pkthdr.len == 1) {
1229 m_copydata(m, 0, 1, (caddr_t)&rpn);
1230 rpn.param_mask = letoh16(rpn.param_mask);
1232 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
1238 if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
1239 mask |= RFCOMM_RPN_PM_RATE;
1241 if (rpn.param_mask & RFCOMM_RPN_PM_DATA
1242 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
1243 mask |= RFCOMM_RPN_PM_DATA;
1245 if (rpn.param_mask & RFCOMM_RPN_PM_STOP
1246 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
1247 mask |= RFCOMM_RPN_PM_STOP;
1249 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
1250 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
1251 mask |= RFCOMM_RPN_PM_PARITY;
1253 if (rpn.param_mask & RFCOMM_RPN_PM_XON
1254 && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
1255 mask |= RFCOMM_RPN_PM_XON;
1257 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
1258 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
1259 mask |= RFCOMM_RPN_PM_XOFF;
1261 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
1262 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
1263 mask |= RFCOMM_RPN_PM_FLOW;
1265 rpn.param_mask = htole16(mask);
1267 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
1271 * process Remote Line Status command/response
1274 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
1276 struct rfcomm_mcc_rls rls;
1278 if (cr == 0) /* ignore ack */
1281 if (m->m_pkthdr.len != sizeof(rls)) {
1282 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
1286 m_copydata(m, 0, sizeof(rls), (caddr_t)&rls);
1289 * So far as I can tell, we just send back what
1290 * they sent us. This signifies errors that seem
1291 * irrelevent for RFCOMM over L2CAP.
1293 rls.address |= 0x03; /* EA = 1, CR = 1 */
1294 rls.status &= 0x0f; /* only 4 bits valid */
1296 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
1300 * process Parameter Negotiation command/response
1303 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1305 struct rfcomm_dlc *dlc;
1306 struct rfcomm_mcc_pn pn;
1309 if (m->m_pkthdr.len != sizeof(pn)) {
1310 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
1314 m_copydata(m, 0, sizeof(pn), (caddr_t)&pn);
1317 pn.mtu = letoh16(pn.mtu);
1319 dlc = rfcomm_dlc_lookup(rs, pn.dlci);
1320 if (cr) { /* Command */
1322 * If there is no DLC present, this is a new
1323 * connection so attempt to make one
1326 dlc = rfcomm_dlc_newconn(rs, pn.dlci);
1328 return; /* (DM is sent) */
1331 /* accept any valid MTU, and offer it back */
1332 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
1333 pn.mtu = min(pn.mtu, rs->rs_mtu);
1334 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
1335 dlc->rd_mtu = pn.mtu;
1336 pn.mtu = htole16(pn.mtu);
1338 /* credits are only set before DLC is open */
1339 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
1340 && (pn.flow_control & 0xf0) == 0xf0) {
1341 rs->rs_flags |= RFCOMM_SESSION_CFC;
1342 dlc->rd_txcred = pn.credits & 0x07;
1344 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
1345 dlc->rd_rxcred = min(dlc->rd_rxcred,
1346 RFCOMM_CREDITS_DEFAULT);
1348 pn.flow_control = 0xe0;
1349 pn.credits = dlc->rd_rxcred;
1351 pn.flow_control = 0x00;
1355 /* unused fields must be ignored and set to zero */
1359 /* send our response */
1360 err = rfcomm_session_send_mcc(rs, 0,
1361 RFCOMM_MCC_PN, &pn, sizeof(pn));
1365 } else { /* Response */
1366 /* ignore responses with no matching DLC */
1370 callout_stop(&dlc->rd_timeout);
1372 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) {
1373 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
1374 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
1379 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1380 rfcomm_dlc_timeout, dlc);
1383 dlc->rd_mtu = pn.mtu;
1385 /* if DLC is not waiting to connect, we are done */
1386 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
1389 /* set initial credits according to RFCOMM spec */
1390 if ((pn.flow_control & 0xf0) == 0xe0) {
1391 rs->rs_flags |= RFCOMM_SESSION_CFC;
1392 dlc->rd_txcred = (pn.credits & 0x07);
1395 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1396 rfcomm_dlc_timeout, dlc);
1399 err = rfcomm_dlc_setmode(dlc);
1400 if (err == EINPROGRESS) {
1401 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
1402 (*dlc->rd_proto->connecting)(dlc->rd_upper);
1408 /* we can proceed now */
1409 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
1413 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
1418 rfcomm_dlc_close(dlc, err);
1422 * process Non Supported Command command/response
1425 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
1426 int cr, struct mbuf *m)
1428 struct rfcomm_dlc *dlc, *next;
1431 * Since we did nothing that is not mandatory,
1432 * we just abort the whole session..
1435 next = LIST_FIRST(&rs->rs_dlcs);
1436 while ((dlc = next) != NULL) {
1437 next = LIST_NEXT(dlc, rd_next);
1438 rfcomm_dlc_close(dlc, ECONNABORTED);
1441 rfcomm_session_free(rs);
1444 /***********************************************************************
1446 * RFCOMM Session outward frame/uih/mcc building
1450 * SABM/DISC/DM/UA frames are all minimal and mostly identical.
1453 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
1455 struct rfcomm_cmd_hdr *hdr;
1456 struct rfcomm_credit *credit;
1460 credit = zalloc(rfcomm_credit_pool);
1464 m = m_gethdr(M_NOWAIT, MT_DATA);
1466 zfree(rfcomm_credit_pool, credit);
1471 * The CR (command/response) bit identifies the frame either as a
1472 * commmand or a response and is used along with the DLCI to form
1473 * the address. Commands contain the non-initiator address, whereas
1474 * responses contain the initiator address, so the CR value is
1475 * also dependent on the session direction.
1477 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
1478 cr = IS_INITIATOR(rs) ? 0 : 1;
1480 cr = IS_INITIATOR(rs) ? 1 : 0;
1482 hdr = mtod(m, struct rfcomm_cmd_hdr *);
1483 hdr->address = RFCOMM_MKADDRESS(cr, dlci);
1484 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */
1485 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */
1488 fcs = FCS(fcs, hdr->address);
1489 fcs = FCS(fcs, hdr->control);
1490 fcs = FCS(fcs, hdr->length);
1491 fcs = 0xff - fcs; /* ones complement */
1494 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
1496 /* empty credit note */
1497 credit->rc_dlc = NULL;
1498 credit->rc_len = m->m_pkthdr.len;
1499 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1501 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
1502 dlci, type, m->m_pkthdr.len, fcs);
1504 return l2cap_send(rs->rs_l2cap, m);
1508 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
1510 * UIH frame is per DLC data or Multiplexer Control Commands
1511 * when no DLC is given. Data mbuf is optional (just credits
1512 * will be sent in that case)
1515 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
1516 int credits, struct mbuf *m)
1518 struct rfcomm_credit *credit;
1519 struct mbuf *m0 = NULL;
1523 KKASSERT(rs != NULL);
1525 len = (m == NULL) ? 0 : m->m_pkthdr.len;
1526 KKASSERT(!(credits == 0 && len == 0));
1529 * Make a credit note for the completion notification
1531 credit = zalloc(rfcomm_credit_pool);
1535 credit->rc_len = len;
1536 credit->rc_dlc = dlc;
1539 * Wrap UIH frame information around payload.
1541 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
1543 * Address is one octet.
1544 * Control is one octet.
1545 * Length is one or two octets.
1546 * Credits may be one octet.
1548 * FCS is one octet and calculated on address and
1549 * control octets only.
1551 * If there are credits to be sent, we will set the PF
1552 * flag and include them in the frame.
1554 m0 = m_gethdr(M_NOWAIT, MT_DATA);
1558 MH_ALIGN(m0, 5); /* (max 5 header octets) */
1559 hdr = mtod(m0, uint8_t *);
1561 /* CR bit is set according to the initiator of the session */
1562 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
1563 (dlc ? dlc->rd_dlci : 0));
1564 fcs = FCS(0xff, *hdr);
1567 /* PF bit is set if credits are being sent */
1568 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
1569 fcs = FCS(fcs, *hdr);
1572 if (len < (1 << 7)) {
1573 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1575 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1576 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */
1580 *hdr++ = (uint8_t)credits;
1582 m0->m_len = hdr - mtod(m0, uint8_t *);
1584 /* Append payload */
1588 m0->m_pkthdr.len = m0->m_len + len;
1591 fcs = 0xff - fcs; /* ones complement */
1592 len = m0->m_pkthdr.len;
1593 m_copyback(m0, len, sizeof(fcs), &fcs);
1594 if (m0->m_pkthdr.len != len + sizeof(fcs))
1597 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
1598 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
1602 * UIH frame ready to go..
1604 err = l2cap_send(rs->rs_l2cap, m0);
1608 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1622 zfree(rfcomm_credit_pool, credit);
1628 * send Multiplexer Control Command (or Response) on session
1631 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
1632 uint8_t type, void *data, int len)
1638 m = m_gethdr(M_NOWAIT, MT_DATA);
1642 hdr = mtod(m, uint8_t *);
1645 * Technically the type field can extend past one octet, but none
1646 * currently defined will do that.
1648 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
1651 * In the frame, the max length size is 2 octets (15 bits) whereas
1652 * no max length size is specified for MCC commands. We must allow
1653 * for 3 octets since for MCC frames we use 7 bits + EA in each.
1655 * Only test data can possibly be that big.
1657 * XXX Should we check this against the MTU?
1659 if (len < (1 << 7)) {
1660 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1661 } else if (len < (1 << 14)) {
1662 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1663 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1664 } else if (len < (1 << 15)) {
1665 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1666 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */
1667 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */
1669 DPRINTF("incredible length! (%d)\n", len);
1675 * add command data (to same mbuf if possible)
1677 hlen = hdr - mtod(m, uint8_t *);
1680 m->m_pkthdr.len = m->m_len = MHLEN;
1681 m_copyback(m, hlen, len, data);
1682 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) {
1688 m->m_pkthdr.len = hlen + len;
1689 m->m_len = min(MHLEN, m->m_pkthdr.len);
1691 DPRINTFN(5, "%s type %2.2x len %d\n",
1692 (cr ? "command" : "response"), type, m->m_pkthdr.len);
1694 return rfcomm_session_send_uih(rs, NULL, 0, m);