1 /* $OpenBSD: rfcomm_session.c,v 1.2 2007/09/17 01:33:33 krw Exp $ */
2 /* $NetBSD: rfcomm_session.c,v 1.9 2007/04/21 06:15:23 plunky Exp $ */
3 /* $DragonFly: src/sys/netbt/rfcomm_session.c,v 1.1 2007/12/30 20:02:56 hasso Exp $ */
6 * Copyright (c) 2006 Itronix Inc.
9 * Written by Iain Hibbert for Itronix Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. The name of Itronix Inc. may not be used to endorse
20 * or promote products derived from this software without specific
21 * prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
27 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
28 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
30 * ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
38 #include <sys/param.h>
39 #include <sys/kernel.h>
42 #include <sys/systm.h>
43 #include <sys/types.h>
44 #include <sys/endian.h>
47 #include <net/pf/pfvar.h>
49 #include <netbt/bluetooth.h>
50 #include <netbt/hci.h>
51 #include <netbt/l2cap.h>
52 #include <netbt/rfcomm.h>
54 /******************************************************************************
56 * RFCOMM Multiplexer Sessions sit directly on L2CAP channels, and can
57 * multiplex up to 30 incoming and 30 outgoing connections.
58 * Only one Multiplexer is allowed between any two devices.
61 static void rfcomm_session_recv_sabm(struct rfcomm_session *, int);
62 static void rfcomm_session_recv_disc(struct rfcomm_session *, int);
63 static void rfcomm_session_recv_ua(struct rfcomm_session *, int);
64 static void rfcomm_session_recv_dm(struct rfcomm_session *, int);
65 static void rfcomm_session_recv_uih(struct rfcomm_session *, int, int, struct mbuf *, int);
66 static void rfcomm_session_recv_mcc(struct rfcomm_session *, struct mbuf *);
67 static void rfcomm_session_recv_mcc_test(struct rfcomm_session *, int, struct mbuf *);
68 static void rfcomm_session_recv_mcc_fcon(struct rfcomm_session *, int);
69 static void rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *, int);
70 static void rfcomm_session_recv_mcc_msc(struct rfcomm_session *, int, struct mbuf *);
71 static void rfcomm_session_recv_mcc_rpn(struct rfcomm_session *, int, struct mbuf *);
72 static void rfcomm_session_recv_mcc_rls(struct rfcomm_session *, int, struct mbuf *);
73 static void rfcomm_session_recv_mcc_pn(struct rfcomm_session *, int, struct mbuf *);
74 static void rfcomm_session_recv_mcc_nsc(struct rfcomm_session *, int, struct mbuf *);
77 static void rfcomm_session_connecting(void *);
78 static void rfcomm_session_connected(void *);
79 static void rfcomm_session_disconnected(void *, int);
80 static void *rfcomm_session_newconn(void *, struct sockaddr_bt *, struct sockaddr_bt *);
81 static void rfcomm_session_complete(void *, int);
82 static void rfcomm_session_linkmode(void *, int);
83 static void rfcomm_session_input(void *, struct mbuf *);
85 static const struct btproto rfcomm_session_proto = {
86 rfcomm_session_connecting,
87 rfcomm_session_connected,
88 rfcomm_session_disconnected,
89 rfcomm_session_newconn,
90 rfcomm_session_complete,
91 rfcomm_session_linkmode,
95 struct rfcomm_session_list
96 rfcomm_session_active = LIST_HEAD_INITIALIZER(rfcomm_session_active);
98 struct rfcomm_session_list
99 rfcomm_session_listen = LIST_HEAD_INITIALIZER(rfcomm_session_listen);
101 vm_zone_t rfcomm_credit_pool;
104 * RFCOMM System Parameters (see section 5.3)
106 int rfcomm_mtu_default = 127; /* bytes */
107 int rfcomm_ack_timeout = 20; /* seconds */
108 int rfcomm_mcc_timeout = 20; /* seconds */
111 * Reversed CRC table as per TS 07.10 Annex B.3.5
113 static const uint8_t crctable[256] = { /* reversed, 8-bit, poly=0x07 */
114 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
115 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
116 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
117 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
120 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
121 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
122 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
125 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
126 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
127 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
130 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
131 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
132 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
135 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
136 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
137 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
140 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
141 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
142 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
145 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
146 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
147 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
150 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
151 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
152 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
155 #define FCS(f, d) crctable[(f) ^ (d)]
160 * initialize the "credit pool".
165 rfcomm_credit_pool = zinit("rfcomm_credit",
166 sizeof(struct rfcomm_credit), 0, 0, 0);
170 * rfcomm_session_alloc(list, sockaddr)
172 * allocate a new session and fill in the blanks, then
173 * attach session to front of specified list (active or listen)
175 struct rfcomm_session *
176 rfcomm_session_alloc(struct rfcomm_session_list *list,
177 struct sockaddr_bt *laddr)
179 struct rfcomm_session *rs;
182 rs = kmalloc(sizeof(*rs), M_BLUETOOTH, M_NOWAIT | M_ZERO);
186 rs->rs_state = RFCOMM_SESSION_CLOSED;
188 callout_init(&rs->rs_timeout);
190 STAILQ_INIT(&rs->rs_credits);
191 LIST_INIT(&rs->rs_dlcs);
193 err = l2cap_attach(&rs->rs_l2cap, &rfcomm_session_proto, rs);
195 kfree(rs, M_BLUETOOTH);
199 (void)l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
201 if (laddr->bt_psm == L2CAP_PSM_ANY)
202 laddr->bt_psm = L2CAP_PSM_RFCOMM;
204 (void)l2cap_bind(rs->rs_l2cap, laddr);
206 LIST_INSERT_HEAD(list, rs, rs_next);
212 * rfcomm_session_free(rfcomm_session)
214 * release a session, including any cleanup
217 rfcomm_session_free(struct rfcomm_session *rs)
219 struct rfcomm_credit *credit;
221 KKASSERT(rs != NULL);
222 KKASSERT(LIST_EMPTY(&rs->rs_dlcs));
224 rs->rs_state = RFCOMM_SESSION_CLOSED;
227 * If the callout is already invoked we have no way to stop it,
228 * but it will call us back right away (there are no DLC's) so
231 callout_stop(&rs->rs_timeout);
232 if (callout_active(&rs->rs_timeout))
236 * Take care that rfcomm_session_disconnected() doesnt call
237 * us back either as it will do if the l2cap_channel has not
238 * been closed when we detach it..
240 if (rs->rs_flags & RFCOMM_SESSION_FREE)
243 rs->rs_flags |= RFCOMM_SESSION_FREE;
245 /* throw away any remaining credit notes */
246 while ((credit = STAILQ_FIRST(&rs->rs_credits)) != NULL) {
247 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
248 pool_put(&rfcomm_credit_pool, credit);
251 KKASSERT(STAILQ_EMPTY(&rs->rs_credits));
254 LIST_REMOVE(rs, rs_next);
255 l2cap_detach(&rs->rs_l2cap);
256 kfree(rs, M_BLUETOOTH);
260 * rfcomm_session_lookup(sockaddr, sockaddr)
262 * Find active rfcomm session matching src and dest addresses
263 * when src is BDADDR_ANY match any local address
265 struct rfcomm_session *
266 rfcomm_session_lookup(struct sockaddr_bt *src, struct sockaddr_bt *dest)
268 struct rfcomm_session *rs;
269 struct sockaddr_bt addr;
271 LIST_FOREACH(rs, &rfcomm_session_active, rs_next) {
272 if (rs->rs_state == RFCOMM_SESSION_CLOSED)
275 l2cap_sockaddr(rs->rs_l2cap, &addr);
277 if (bdaddr_same(&src->bt_bdaddr, &addr.bt_bdaddr) == 0)
278 if (bdaddr_any(&src->bt_bdaddr) == 0)
281 l2cap_peeraddr(rs->rs_l2cap, &addr);
283 if (addr.bt_psm != dest->bt_psm)
286 if (bdaddr_same(&dest->bt_bdaddr, &addr.bt_bdaddr))
294 * rfcomm_session_timeout(rfcomm_session)
296 * Session timeouts are scheduled when a session is left or
297 * created with no DLCs, and when SABM(0) or DISC(0) are
300 * So, if it is in an open state with DLC's attached then
301 * we leave it alone, otherwise the session is lost.
304 rfcomm_session_timeout(void *arg)
306 struct rfcomm_session *rs = arg;
307 struct rfcomm_dlc *dlc;
309 KKASSERT(rs != NULL);
313 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
314 DPRINTF("timeout\n");
315 rs->rs_state = RFCOMM_SESSION_CLOSED;
317 while (!LIST_EMPTY(&rs->rs_dlcs)) {
318 dlc = LIST_FIRST(&rs->rs_dlcs);
320 rfcomm_dlc_close(dlc, ETIMEDOUT);
324 if (LIST_EMPTY(&rs->rs_dlcs)) {
325 DPRINTF("expiring\n");
326 rfcomm_session_free(rs);
331 /***********************************************************************
333 * RFCOMM Session L2CAP protocol callbacks
338 rfcomm_session_connecting(void *arg)
340 /* struct rfcomm_session *rs = arg; */
342 DPRINTF("Connecting\n");
346 rfcomm_session_connected(void *arg)
348 struct rfcomm_session *rs = arg;
350 DPRINTF("Connected\n");
355 * If we are initiator, we can send our SABM(0)
356 * a timeout should be active?
358 * We must take note of the L2CAP MTU because currently
359 * the L2CAP implementation can only do Basic Mode.
361 l2cap_getopt(rs->rs_l2cap, SO_L2CAP_OMTU, &rs->rs_mtu);
363 rs->rs_mtu -= 6; /* (RFCOMM overhead could be this big) */
364 if (rs->rs_mtu < RFCOMM_MTU_MIN) {
365 rfcomm_session_disconnected(rs, EINVAL);
369 if (IS_INITIATOR(rs)) {
372 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, 0);
374 rfcomm_session_disconnected(rs, err);
376 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
377 rfcomm_session_timeout, rs);
382 rfcomm_session_disconnected(void *arg, int err)
384 struct rfcomm_session *rs = arg;
385 struct rfcomm_dlc *dlc;
387 DPRINTF("Disconnected\n");
389 rs->rs_state = RFCOMM_SESSION_CLOSED;
391 while (!LIST_EMPTY(&rs->rs_dlcs)) {
392 dlc = LIST_FIRST(&rs->rs_dlcs);
394 rfcomm_dlc_close(dlc, err);
397 rfcomm_session_free(rs);
401 rfcomm_session_newconn(void *arg, struct sockaddr_bt *laddr,
402 struct sockaddr_bt *raddr)
404 struct rfcomm_session *new, *rs = arg;
406 DPRINTF("New Connection\n");
409 * Incoming session connect request. We should return a new
410 * session pointer if this is acceptable. The L2CAP layer
411 * passes local and remote addresses, which we must check as
412 * only one RFCOMM session is allowed between any two devices
414 new = rfcomm_session_lookup(laddr, raddr);
418 new = rfcomm_session_alloc(&rfcomm_session_active, laddr);
422 new->rs_mtu = rs->rs_mtu;
423 new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
426 * schedule an expiry so that if nothing comes of it we
429 callout_reset(&rs->rs_timeout, rfcomm_mcc_timeout * hz,
430 rfcomm_session_timeout, rs);
432 return new->rs_l2cap;
436 rfcomm_session_complete(void *arg, int count)
438 struct rfcomm_session *rs = arg;
439 struct rfcomm_credit *credit;
440 struct rfcomm_dlc *dlc;
443 * count L2CAP packets are 'complete', meaning that they are cleared
444 * our buffers (for best effort) or arrived safe (for guaranteed) so
445 * we can take it off our list and pass the message on, so that
446 * eventually the data can be removed from the sockbuf
448 while (count-- > 0) {
449 credit = STAILQ_FIRST(&rs->rs_credits);
451 if (credit == NULL) {
452 kprintf("%s: too many packets completed!\n", __func__);
456 dlc = credit->rc_dlc;
459 (*dlc->rd_proto->complete)
460 (dlc->rd_upper, credit->rc_len);
463 * if not using credit flow control, we may push
466 if ((rs->rs_flags & RFCOMM_SESSION_CFC) == 0
467 && dlc->rd_state == RFCOMM_DLC_OPEN) {
468 rfcomm_dlc_start(dlc);
472 * When shutdown is indicated, we are just waiting to
473 * clear outgoing data.
475 if ((dlc->rd_flags & RFCOMM_DLC_SHUTDOWN)
476 && dlc->rd_txbuf == NULL && dlc->rd_pending == 0) {
477 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
478 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
480 callout_reset(&dlc->rd_timeout,
481 rfcomm_ack_timeout * hz,
482 rfcomm_dlc_timeout, dlc);
486 STAILQ_REMOVE_HEAD(&rs->rs_credits, rc_next);
487 pool_put(&rfcomm_credit_pool, credit);
491 * If session is closed, we are just waiting to clear the queue
493 if (rs->rs_state == RFCOMM_SESSION_CLOSED) {
494 if (STAILQ_EMPTY(&rs->rs_credits))
495 l2cap_disconnect(rs->rs_l2cap, 0);
502 * This is called when a mode change is complete. Proceed with connections
503 * where appropriate, or pass the new mode to any active DLCs.
506 rfcomm_session_linkmode(void *arg, int new)
508 struct rfcomm_session *rs = arg;
509 struct rfcomm_dlc *dlc, *next;
512 DPRINTF("auth %s, encrypt %s, secure %s\n",
513 (new & L2CAP_LM_AUTH ? "on" : "off"),
514 (new & L2CAP_LM_ENCRYPT ? "on" : "off"),
515 (new & L2CAP_LM_SECURE ? "on" : "off"));
517 if (new & L2CAP_LM_AUTH)
518 mode |= RFCOMM_LM_AUTH;
520 if (new & L2CAP_LM_ENCRYPT)
521 mode |= RFCOMM_LM_ENCRYPT;
523 if (new & L2CAP_LM_SECURE)
524 mode |= RFCOMM_LM_SECURE;
526 next = LIST_FIRST(&rs->rs_dlcs);
527 while ((dlc = next) != NULL) {
528 next = LIST_NEXT(dlc, rd_next);
530 switch (dlc->rd_state) {
531 case RFCOMM_DLC_WAIT_SEND_SABM: /* we are connecting */
532 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
533 rfcomm_dlc_close(dlc, ECONNABORTED);
535 err = rfcomm_session_send_frame(rs,
536 RFCOMM_FRAME_SABM, dlc->rd_dlci);
538 rfcomm_dlc_close(dlc, err);
540 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
541 callout_reset(&dlc->rd_timeout,
542 rfcomm_ack_timeout * hz,
543 rfcomm_dlc_timeout, dlc);
550 * If we aborted the connection and there are no more DLCs
551 * on the session, it is our responsibility to disconnect.
553 if (!LIST_EMPTY(&rs->rs_dlcs))
556 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
557 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
558 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout * hz,
559 rfcomm_session_timeout, rs);
562 case RFCOMM_DLC_WAIT_SEND_UA: /* they are connecting */
563 if ((mode & dlc->rd_mode) != dlc->rd_mode) {
564 rfcomm_session_send_frame(rs,
565 RFCOMM_FRAME_DM, dlc->rd_dlci);
566 rfcomm_dlc_close(dlc, ECONNABORTED);
570 err = rfcomm_session_send_frame(rs,
571 RFCOMM_FRAME_UA, dlc->rd_dlci);
573 rfcomm_session_send_frame(rs,
574 RFCOMM_FRAME_DM, dlc->rd_dlci);
575 rfcomm_dlc_close(dlc, err);
579 err = rfcomm_dlc_open(dlc);
581 rfcomm_session_send_frame(rs,
582 RFCOMM_FRAME_DM, dlc->rd_dlci);
583 rfcomm_dlc_close(dlc, err);
589 case RFCOMM_DLC_WAIT_RECV_UA:
590 case RFCOMM_DLC_OPEN: /* already established */
591 (*dlc->rd_proto->linkmode)(dlc->rd_upper, mode);
601 * Receive data from L2CAP layer for session. There is always exactly one
602 * RFCOMM frame contained in each L2CAP frame.
605 rfcomm_session_input(void *arg, struct mbuf *m)
607 struct rfcomm_session *rs = arg;
608 int dlci, len, type, pf;
612 KKASSERT(rs != NULL);
615 * UIH frames: FCS is only calculated on address and control fields
616 * For other frames: FCS is calculated on address, control and length
617 * Length may extend to two octets
621 if (m->m_pkthdr.len < 4) {
622 DPRINTF("short frame (%d), discarded\n", m->m_pkthdr.len);
626 /* address - one octet */
627 m_copydata(m, 0, 1, &b);
630 dlci = RFCOMM_DLCI(b);
632 /* control - one octet */
633 m_copydata(m, 0, 1, &b);
636 type = RFCOMM_TYPE(b);
639 /* length - may be two octets */
640 m_copydata(m, 0, 1, &b);
642 if (type != RFCOMM_FRAME_UIH)
644 len = (b >> 1) & 0x7f;
646 if (RFCOMM_EA(b) == 0) {
647 if (m->m_pkthdr.len < 2) {
648 DPRINTF("short frame (%d, EA = 0), discarded\n",
653 m_copydata(m, 0, 1, &b);
655 if (type != RFCOMM_FRAME_UIH)
661 /* FCS byte is last octet in frame */
662 m_copydata(m, m->m_pkthdr.len - 1, 1, &b);
667 DPRINTF("Bad FCS value (%#2.2x), frame discarded\n", fcs);
671 DPRINTFN(10, "dlci %d, type %2.2x, len = %d\n", dlci, type, len);
674 case RFCOMM_FRAME_SABM:
676 rfcomm_session_recv_sabm(rs, dlci);
679 case RFCOMM_FRAME_DISC:
681 rfcomm_session_recv_disc(rs, dlci);
684 case RFCOMM_FRAME_UA:
686 rfcomm_session_recv_ua(rs, dlci);
689 case RFCOMM_FRAME_DM:
690 rfcomm_session_recv_dm(rs, dlci);
693 case RFCOMM_FRAME_UIH:
694 rfcomm_session_recv_uih(rs, dlci, pf, m, len);
695 return; /* (no release) */
706 /***********************************************************************
708 * RFCOMM Session receive processing
712 * rfcomm_session_recv_sabm(rfcomm_session, dlci)
714 * Set Asyncrhonous Balanced Mode - open the channel.
717 rfcomm_session_recv_sabm(struct rfcomm_session *rs, int dlci)
719 struct rfcomm_dlc *dlc;
722 DPRINTFN(5, "SABM(%d)\n", dlci);
724 if (dlci == 0) { /* Open Session */
725 rs->rs_state = RFCOMM_SESSION_OPEN;
726 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
727 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
728 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
729 rfcomm_dlc_connect(dlc);
734 if (rs->rs_state != RFCOMM_SESSION_OPEN) {
735 DPRINTF("session was not even open!\n");
739 /* validate direction bit */
740 if ((IS_INITIATOR(rs) && !RFCOMM_DIRECTION(dlci))
741 || (!IS_INITIATOR(rs) && RFCOMM_DIRECTION(dlci))) {
742 DPRINTF("Invalid direction bit on DLCI\n");
747 * look for our DLC - this may exist if we received PN
748 * already, or we may have to fabricate a new one.
750 dlc = rfcomm_dlc_lookup(rs, dlci);
752 dlc = rfcomm_dlc_newconn(rs, dlci);
754 return; /* (DM is sent) */
758 * ..but if this DLC is not waiting to connect, they did
759 * something wrong, ignore it.
761 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
765 err = rfcomm_dlc_setmode(dlc);
766 if (err == EINPROGRESS) {
767 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_UA;
768 (*dlc->rd_proto->connecting)(dlc->rd_upper);
774 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
778 /* and mark it open */
779 err = rfcomm_dlc_open(dlc);
786 rfcomm_dlc_close(dlc, err);
790 * Receive Disconnect Command
793 rfcomm_session_recv_disc(struct rfcomm_session *rs, int dlci)
795 struct rfcomm_dlc *dlc;
797 DPRINTFN(5, "DISC(%d)\n", dlci);
803 * We set the session state to CLOSED so that when
804 * the UA frame is clear the session will be closed
805 * automatically. We wont bother to close any DLC's
806 * just yet as there should be none. In the unlikely
807 * event that something is left, it will get flushed
808 * out as the session goes down.
810 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, 0);
811 rs->rs_state = RFCOMM_SESSION_CLOSED;
815 dlc = rfcomm_dlc_lookup(rs, dlci);
817 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
821 rfcomm_dlc_close(dlc, ECONNRESET);
822 rfcomm_session_send_frame(rs, RFCOMM_FRAME_UA, dlci);
826 * Receive Unnumbered Acknowledgement Response
828 * This should be a response to a DISC or SABM frame that we
829 * have previously sent. If unexpected, ignore it.
832 rfcomm_session_recv_ua(struct rfcomm_session *rs, int dlci)
834 struct rfcomm_dlc *dlc;
836 DPRINTFN(5, "UA(%d)\n", dlci);
839 switch (rs->rs_state) {
840 case RFCOMM_SESSION_WAIT_CONNECT: /* We sent SABM */
841 callout_stop(&rs->rs_timeout);
842 rs->rs_state = RFCOMM_SESSION_OPEN;
843 LIST_FOREACH(dlc, &rs->rs_dlcs, rd_next) {
844 if (dlc->rd_state == RFCOMM_DLC_WAIT_SESSION)
845 rfcomm_dlc_connect(dlc);
849 case RFCOMM_SESSION_WAIT_DISCONNECT: /* We sent DISC */
850 callout_stop(&rs->rs_timeout);
851 rs->rs_state = RFCOMM_SESSION_CLOSED;
852 l2cap_disconnect(rs->rs_l2cap, 0);
856 DPRINTF("Received spurious UA(0)!\n");
864 * If we have no DLC on this dlci, we may have aborted
865 * without shutting down properly, so check if the session
866 * needs disconnecting.
868 dlc = rfcomm_dlc_lookup(rs, dlci);
872 switch (dlc->rd_state) {
873 case RFCOMM_DLC_WAIT_RECV_UA: /* We sent SABM */
874 rfcomm_dlc_open(dlc);
877 case RFCOMM_DLC_WAIT_DISCONNECT: /* We sent DISC */
878 rfcomm_dlc_close(dlc, 0);
882 DPRINTF("Received spurious UA(%d)!\n", dlci);
886 check: /* last one out turns out the light */
887 if (LIST_EMPTY(&rs->rs_dlcs)) {
888 rs->rs_state = RFCOMM_SESSION_WAIT_DISCONNECT;
889 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC, 0);
890 callout_reset(&rs->rs_timeout, rfcomm_ack_timeout*hz,rfcomm_session_timeout,rs);
895 * Receive Disconnected Mode Response
897 * If this does not apply to a known DLC then we may ignore it.
900 rfcomm_session_recv_dm(struct rfcomm_session *rs, int dlci)
902 struct rfcomm_dlc *dlc;
904 DPRINTFN(5, "DM(%d)\n", dlci);
906 dlc = rfcomm_dlc_lookup(rs, dlci);
910 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT)
911 rfcomm_dlc_close(dlc, ECONNREFUSED);
913 rfcomm_dlc_close(dlc, ECONNRESET);
917 * Receive Unnumbered Information with Header check (MCC or data packet)
920 rfcomm_session_recv_uih(struct rfcomm_session *rs, int dlci,
921 int pf, struct mbuf *m, int len)
923 struct rfcomm_dlc *dlc;
926 DPRINTFN(10, "UIH(%d)\n", dlci);
929 rfcomm_session_recv_mcc(rs, m);
933 if (m->m_pkthdr.len != len + pf) {
934 DPRINTF("Bad Frame Length (%d), frame discarded\n",
940 dlc = rfcomm_dlc_lookup(rs, dlci);
942 DPRINTF("UIH received for non existent DLC, discarded\n");
943 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM, dlci);
947 if (dlc->rd_state != RFCOMM_DLC_OPEN) {
948 DPRINTF("non-open DLC (state = %d), discarded\n",
953 /* if PF is set, credits were included */
954 if (rs->rs_flags & RFCOMM_SESSION_CFC) {
956 if (m->m_pkthdr.len < sizeof(credits)) {
957 DPRINTF("Bad PF value, UIH discarded\n");
961 m_copydata(m, 0, sizeof(credits), &credits);
962 m_adj(m, sizeof(credits));
964 dlc->rd_txcred += credits;
966 if (credits > 0 && dlc->rd_txbuf != NULL)
967 rfcomm_dlc_start(dlc);
973 if (dlc->rd_rxcred == 0) {
974 DPRINTF("Credit limit reached, UIH discarded\n");
978 if (len > dlc->rd_rxsize) {
979 DPRINTF("UIH frame exceeds rxsize, discarded\n");
984 dlc->rd_rxsize -= len;
987 (*dlc->rd_proto->input)(dlc->rd_upper, m);
995 * Receive Multiplexer Control Command
998 rfcomm_session_recv_mcc(struct rfcomm_session *rs, struct mbuf *m)
1004 * Extract MCC header.
1006 * Fields are variable length using extension bit = 1 to signify the
1007 * last octet in the sequence.
1009 * Only single octet types are defined in TS 07.10/RFCOMM spec
1011 * Length can realistically only use 15 bits (max RFCOMM MTU)
1013 if (m->m_pkthdr.len < sizeof(b)) {
1014 DPRINTF("Short MCC header, discarded\n");
1018 m_copydata(m, 0, sizeof(b), &b);
1019 m_adj(m, sizeof(b));
1021 if (RFCOMM_EA(b) == 0) { /* verify no extensions */
1022 DPRINTF("MCC type EA = 0, discarded\n");
1026 type = RFCOMM_MCC_TYPE(b);
1031 if (m->m_pkthdr.len < sizeof(b)) {
1032 DPRINTF("Short MCC header, discarded\n");
1036 m_copydata(m, 0, sizeof(b), &b);
1037 m_adj(m, sizeof(b));
1039 len = (len << 7) | (b >> 1);
1040 len = min(len, RFCOMM_MTU_MAX);
1041 } while (RFCOMM_EA(b) == 0);
1043 if (len != m->m_pkthdr.len) {
1044 DPRINTF("Incorrect MCC length, discarded\n");
1048 DPRINTFN(2, "MCC %s type %2.2x (%d bytes)\n",
1049 (cr ? "command" : "response"), type, len);
1052 * pass to command handler
1055 case RFCOMM_MCC_TEST: /* Test */
1056 rfcomm_session_recv_mcc_test(rs, cr, m);
1059 case RFCOMM_MCC_FCON: /* Flow Control On */
1060 rfcomm_session_recv_mcc_fcon(rs, cr);
1063 case RFCOMM_MCC_FCOFF: /* Flow Control Off */
1064 rfcomm_session_recv_mcc_fcoff(rs, cr);
1067 case RFCOMM_MCC_MSC: /* Modem Status Command */
1068 rfcomm_session_recv_mcc_msc(rs, cr, m);
1071 case RFCOMM_MCC_RPN: /* Remote Port Negotiation */
1072 rfcomm_session_recv_mcc_rpn(rs, cr, m);
1075 case RFCOMM_MCC_RLS: /* Remote Line Status */
1076 rfcomm_session_recv_mcc_rls(rs, cr, m);
1079 case RFCOMM_MCC_PN: /* Parameter Negotiation */
1080 rfcomm_session_recv_mcc_pn(rs, cr, m);
1083 case RFCOMM_MCC_NSC: /* Non Supported Command */
1084 rfcomm_session_recv_mcc_nsc(rs, cr, m);
1088 b = RFCOMM_MKMCC_TYPE(cr, type);
1089 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_NSC, &b, sizeof(b));
1097 * process TEST command/response
1100 rfcomm_session_recv_mcc_test(struct rfcomm_session *rs, int cr, struct mbuf *m)
1105 if (cr == 0) /* ignore ack */
1109 * we must send all the data they included back as is
1112 len = m->m_pkthdr.len;
1113 if (len > RFCOMM_MTU_MAX)
1116 data = kmalloc(len, M_BLUETOOTH, M_NOWAIT);
1120 m_copydata(m, 0, len, data);
1121 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_TEST, data, len);
1122 kfree(data, M_BLUETOOTH);
1126 * process Flow Control ON command/response
1129 rfcomm_session_recv_mcc_fcon(struct rfcomm_session *rs, int cr)
1132 if (cr == 0) /* ignore ack */
1135 rs->rs_flags |= RFCOMM_SESSION_RFC;
1136 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCON, NULL, 0);
1140 * process Flow Control OFF command/response
1143 rfcomm_session_recv_mcc_fcoff(struct rfcomm_session *rs, int cr)
1145 if (cr == 0) /* ignore ack */
1148 rs->rs_flags &= ~RFCOMM_SESSION_RFC;
1149 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_FCOFF, NULL, 0);
1153 * process Modem Status Command command/response
1156 rfcomm_session_recv_mcc_msc(struct rfcomm_session *rs, int cr, struct mbuf *m)
1158 struct rfcomm_mcc_msc msc; /* (3 octets) */
1159 struct rfcomm_dlc *dlc;
1163 if (m->m_pkthdr.len < sizeof(msc.address))
1166 m_copydata(m, 0, sizeof(msc.address), &msc.address);
1167 m_adj(m, sizeof(msc.address));
1168 len += sizeof(msc.address);
1170 dlc = rfcomm_dlc_lookup(rs, RFCOMM_DLCI(msc.address));
1172 if (cr == 0) { /* ignore acks */
1174 callout_stop(&dlc->rd_timeout);
1180 rfcomm_session_send_frame(rs, RFCOMM_FRAME_DM,
1181 RFCOMM_DLCI(msc.address));
1186 if (m->m_pkthdr.len < sizeof(msc.modem))
1189 m_copydata(m, 0, sizeof(msc.modem), &msc.modem);
1190 m_adj(m, sizeof(msc.modem));
1191 len += sizeof(msc.modem);
1193 dlc->rd_rmodem = msc.modem;
1194 /* XXX how do we signal this upstream? */
1196 if (RFCOMM_EA(msc.modem) == 0) {
1197 if (m->m_pkthdr.len < sizeof(msc.brk))
1200 m_copydata(m, 0, sizeof(msc.brk), &msc.brk);
1201 m_adj(m, sizeof(msc.brk));
1202 len += sizeof(msc.brk);
1204 /* XXX how do we signal this upstream? */
1207 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_MSC, &msc, len);
1211 * process Remote Port Negotiation command/response
1214 rfcomm_session_recv_mcc_rpn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1216 struct rfcomm_mcc_rpn rpn;
1219 if (cr == 0) /* ignore ack */
1222 /* default values */
1223 rpn.bit_rate = RFCOMM_RPN_BR_9600;
1224 rpn.line_settings = RFCOMM_RPN_8_N_1;
1225 rpn.flow_control = RFCOMM_RPN_FLOW_NONE;
1226 rpn.xon_char = RFCOMM_RPN_XON_CHAR;
1227 rpn.xoff_char = RFCOMM_RPN_XOFF_CHAR;
1229 if (m->m_pkthdr.len == sizeof(rpn)) {
1230 m_copydata(m, 0, sizeof(rpn), (caddr_t)&rpn);
1231 rpn.param_mask = RFCOMM_RPN_PM_ALL;
1232 } else if (m->m_pkthdr.len == 1) {
1233 m_copydata(m, 0, 1, (caddr_t)&rpn);
1234 rpn.param_mask = letoh16(rpn.param_mask);
1236 DPRINTF("Bad RPN length (%d)\n", m->m_pkthdr.len);
1242 if (rpn.param_mask & RFCOMM_RPN_PM_RATE)
1243 mask |= RFCOMM_RPN_PM_RATE;
1245 if (rpn.param_mask & RFCOMM_RPN_PM_DATA
1246 && RFCOMM_RPN_DATA_BITS(rpn.line_settings) == RFCOMM_RPN_DATA_8)
1247 mask |= RFCOMM_RPN_PM_DATA;
1249 if (rpn.param_mask & RFCOMM_RPN_PM_STOP
1250 && RFCOMM_RPN_STOP_BITS(rpn.line_settings) == RFCOMM_RPN_STOP_1)
1251 mask |= RFCOMM_RPN_PM_STOP;
1253 if (rpn.param_mask & RFCOMM_RPN_PM_PARITY
1254 && RFCOMM_RPN_PARITY(rpn.line_settings) == RFCOMM_RPN_PARITY_NONE)
1255 mask |= RFCOMM_RPN_PM_PARITY;
1257 if (rpn.param_mask & RFCOMM_RPN_PM_XON
1258 && rpn.xon_char == RFCOMM_RPN_XON_CHAR)
1259 mask |= RFCOMM_RPN_PM_XON;
1261 if (rpn.param_mask & RFCOMM_RPN_PM_XOFF
1262 && rpn.xoff_char == RFCOMM_RPN_XOFF_CHAR)
1263 mask |= RFCOMM_RPN_PM_XOFF;
1265 if (rpn.param_mask & RFCOMM_RPN_PM_FLOW
1266 && rpn.flow_control == RFCOMM_RPN_FLOW_NONE)
1267 mask |= RFCOMM_RPN_PM_FLOW;
1269 rpn.param_mask = htole16(mask);
1271 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RPN, &rpn, sizeof(rpn));
1275 * process Remote Line Status command/response
1278 rfcomm_session_recv_mcc_rls(struct rfcomm_session *rs, int cr, struct mbuf *m)
1280 struct rfcomm_mcc_rls rls;
1282 if (cr == 0) /* ignore ack */
1285 if (m->m_pkthdr.len != sizeof(rls)) {
1286 DPRINTF("Bad RLS length %d\n", m->m_pkthdr.len);
1290 m_copydata(m, 0, sizeof(rls), (caddr_t)&rls);
1293 * So far as I can tell, we just send back what
1294 * they sent us. This signifies errors that seem
1295 * irrelevent for RFCOMM over L2CAP.
1297 rls.address |= 0x03; /* EA = 1, CR = 1 */
1298 rls.status &= 0x0f; /* only 4 bits valid */
1300 rfcomm_session_send_mcc(rs, 0, RFCOMM_MCC_RLS, &rls, sizeof(rls));
1304 * process Parameter Negotiation command/response
1307 rfcomm_session_recv_mcc_pn(struct rfcomm_session *rs, int cr, struct mbuf *m)
1309 struct rfcomm_dlc *dlc;
1310 struct rfcomm_mcc_pn pn;
1313 if (m->m_pkthdr.len != sizeof(pn)) {
1314 DPRINTF("Bad PN length %d\n", m->m_pkthdr.len);
1318 m_copydata(m, 0, sizeof(pn), (caddr_t)&pn);
1321 pn.mtu = letoh16(pn.mtu);
1323 dlc = rfcomm_dlc_lookup(rs, pn.dlci);
1324 if (cr) { /* Command */
1326 * If there is no DLC present, this is a new
1327 * connection so attempt to make one
1330 dlc = rfcomm_dlc_newconn(rs, pn.dlci);
1332 return; /* (DM is sent) */
1335 /* accept any valid MTU, and offer it back */
1336 pn.mtu = min(pn.mtu, RFCOMM_MTU_MAX);
1337 pn.mtu = min(pn.mtu, rs->rs_mtu);
1338 pn.mtu = max(pn.mtu, RFCOMM_MTU_MIN);
1339 dlc->rd_mtu = pn.mtu;
1340 pn.mtu = htole16(pn.mtu);
1342 /* credits are only set before DLC is open */
1343 if (dlc->rd_state == RFCOMM_DLC_WAIT_CONNECT
1344 && (pn.flow_control & 0xf0) == 0xf0) {
1345 rs->rs_flags |= RFCOMM_SESSION_CFC;
1346 dlc->rd_txcred = pn.credits & 0x07;
1348 dlc->rd_rxcred = (dlc->rd_rxsize / dlc->rd_mtu);
1349 dlc->rd_rxcred = min(dlc->rd_rxcred,
1350 RFCOMM_CREDITS_DEFAULT);
1352 pn.flow_control = 0xe0;
1353 pn.credits = dlc->rd_rxcred;
1355 pn.flow_control = 0x00;
1359 /* unused fields must be ignored and set to zero */
1363 /* send our response */
1364 err = rfcomm_session_send_mcc(rs, 0,
1365 RFCOMM_MCC_PN, &pn, sizeof(pn));
1369 } else { /* Response */
1370 /* ignore responses with no matching DLC */
1374 callout_stop(&dlc->rd_timeout);
1376 if (pn.mtu > RFCOMM_MTU_MAX || pn.mtu > dlc->rd_mtu) {
1377 dlc->rd_state = RFCOMM_DLC_WAIT_DISCONNECT;
1378 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_DISC,
1383 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1384 rfcomm_dlc_timeout, dlc);
1387 dlc->rd_mtu = pn.mtu;
1389 /* if DLC is not waiting to connect, we are done */
1390 if (dlc->rd_state != RFCOMM_DLC_WAIT_CONNECT)
1393 /* set initial credits according to RFCOMM spec */
1394 if ((pn.flow_control & 0xf0) == 0xe0) {
1395 rs->rs_flags |= RFCOMM_SESSION_CFC;
1396 dlc->rd_txcred = (pn.credits & 0x07);
1399 callout_reset(&dlc->rd_timeout, rfcomm_ack_timeout * hz,
1400 rfcomm_dlc_timeout, dlc);
1403 err = rfcomm_dlc_setmode(dlc);
1404 if (err == EINPROGRESS) {
1405 dlc->rd_state = RFCOMM_DLC_WAIT_SEND_SABM;
1406 (*dlc->rd_proto->connecting)(dlc->rd_upper);
1412 /* we can proceed now */
1413 err = rfcomm_session_send_frame(rs, RFCOMM_FRAME_SABM, pn.dlci);
1417 dlc->rd_state = RFCOMM_DLC_WAIT_RECV_UA;
1422 rfcomm_dlc_close(dlc, err);
1426 * process Non Supported Command command/response
1429 rfcomm_session_recv_mcc_nsc(struct rfcomm_session *rs,
1430 int cr, struct mbuf *m)
1432 struct rfcomm_dlc *dlc, *next;
1435 * Since we did nothing that is not mandatory,
1436 * we just abort the whole session..
1439 next = LIST_FIRST(&rs->rs_dlcs);
1440 while ((dlc = next) != NULL) {
1441 next = LIST_NEXT(dlc, rd_next);
1442 rfcomm_dlc_close(dlc, ECONNABORTED);
1445 rfcomm_session_free(rs);
1448 /***********************************************************************
1450 * RFCOMM Session outward frame/uih/mcc building
1454 * SABM/DISC/DM/UA frames are all minimal and mostly identical.
1457 rfcomm_session_send_frame(struct rfcomm_session *rs, int type, int dlci)
1459 struct rfcomm_cmd_hdr *hdr;
1460 struct rfcomm_credit *credit;
1464 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
1468 m = m_gethdr(MB_DONTWAIT, MT_DATA);
1470 pool_put(&rfcomm_credit_pool, credit);
1475 * The CR (command/response) bit identifies the frame either as a
1476 * commmand or a response and is used along with the DLCI to form
1477 * the address. Commands contain the non-initiator address, whereas
1478 * responses contain the initiator address, so the CR value is
1479 * also dependent on the session direction.
1481 if (type == RFCOMM_FRAME_UA || type == RFCOMM_FRAME_DM)
1482 cr = IS_INITIATOR(rs) ? 0 : 1;
1484 cr = IS_INITIATOR(rs) ? 1 : 0;
1486 hdr = mtod(m, struct rfcomm_cmd_hdr *);
1487 hdr->address = RFCOMM_MKADDRESS(cr, dlci);
1488 hdr->control = RFCOMM_MKCONTROL(type, 1); /* PF = 1 */
1489 hdr->length = (0x00 << 1) | 0x01; /* len = 0x00, EA = 1 */
1492 fcs = FCS(fcs, hdr->address);
1493 fcs = FCS(fcs, hdr->control);
1494 fcs = FCS(fcs, hdr->length);
1495 fcs = 0xff - fcs; /* ones complement */
1498 m->m_pkthdr.len = m->m_len = sizeof(struct rfcomm_cmd_hdr);
1500 /* empty credit note */
1501 credit->rc_dlc = NULL;
1502 credit->rc_len = m->m_pkthdr.len;
1503 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1505 DPRINTFN(5, "dlci %d type %2.2x (%d bytes, fcs=%#2.2x)\n",
1506 dlci, type, m->m_pkthdr.len, fcs);
1508 return l2cap_send(rs->rs_l2cap, m);
1512 * rfcomm_session_send_uih(rfcomm_session, rfcomm_dlc, credits, mbuf)
1514 * UIH frame is per DLC data or Multiplexer Control Commands
1515 * when no DLC is given. Data mbuf is optional (just credits
1516 * will be sent in that case)
1519 rfcomm_session_send_uih(struct rfcomm_session *rs, struct rfcomm_dlc *dlc,
1520 int credits, struct mbuf *m)
1522 struct rfcomm_credit *credit;
1523 struct mbuf *m0 = NULL;
1527 KKASSERT(rs != NULL);
1529 len = (m == NULL) ? 0 : m->m_pkthdr.len;
1530 KKASSERT(!(credits == 0 && len == 0));
1533 * Make a credit note for the completion notification
1535 credit = pool_get(&rfcomm_credit_pool, PR_NOWAIT);
1539 credit->rc_len = len;
1540 credit->rc_dlc = dlc;
1543 * Wrap UIH frame information around payload.
1545 * [ADDRESS] [CONTROL] [LENGTH] [CREDITS] [...] [FCS]
1547 * Address is one octet.
1548 * Control is one octet.
1549 * Length is one or two octets.
1550 * Credits may be one octet.
1552 * FCS is one octet and calculated on address and
1553 * control octets only.
1555 * If there are credits to be sent, we will set the PF
1556 * flag and include them in the frame.
1558 m0 = m_gethdr(MB_DONTWAIT, MT_DATA);
1562 MH_ALIGN(m0, 5); /* (max 5 header octets) */
1563 hdr = mtod(m0, uint8_t *);
1565 /* CR bit is set according to the initiator of the session */
1566 *hdr = RFCOMM_MKADDRESS((IS_INITIATOR(rs) ? 1 : 0),
1567 (dlc ? dlc->rd_dlci : 0));
1568 fcs = FCS(0xff, *hdr);
1571 /* PF bit is set if credits are being sent */
1572 *hdr = RFCOMM_MKCONTROL(RFCOMM_FRAME_UIH, (credits > 0 ? 1 : 0));
1573 fcs = FCS(fcs, *hdr);
1576 if (len < (1 << 7)) {
1577 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1579 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1580 *hdr++ = ((len >> 7) & 0xff); /* 8 bits, no EA */
1584 *hdr++ = (uint8_t)credits;
1586 m0->m_len = hdr - mtod(m0, uint8_t *);
1588 /* Append payload */
1592 m0->m_pkthdr.len = m0->m_len + len;
1595 fcs = 0xff - fcs; /* ones complement */
1596 len = m0->m_pkthdr.len;
1597 m_copyback(m0, len, sizeof(fcs), &fcs);
1598 if (m0->m_pkthdr.len != len + sizeof(fcs))
1601 DPRINTFN(10, "dlci %d, pktlen %d (%d data, %d credits), fcs=%#2.2x\n",
1602 dlc ? dlc->rd_dlci : 0, m0->m_pkthdr.len, credit->rc_len,
1606 * UIH frame ready to go..
1608 err = l2cap_send(rs->rs_l2cap, m0);
1612 STAILQ_INSERT_TAIL(&rs->rs_credits, credit, rc_next);
1626 pool_put(&rfcomm_credit_pool, credit);
1632 * send Multiplexer Control Command (or Response) on session
1635 rfcomm_session_send_mcc(struct rfcomm_session *rs, int cr,
1636 uint8_t type, void *data, int len)
1642 m = m_gethdr(MB_DONTWAIT, MT_DATA);
1646 hdr = mtod(m, uint8_t *);
1649 * Technically the type field can extend past one octet, but none
1650 * currently defined will do that.
1652 *hdr++ = RFCOMM_MKMCC_TYPE(cr, type);
1655 * In the frame, the max length size is 2 octets (15 bits) whereas
1656 * no max length size is specified for MCC commands. We must allow
1657 * for 3 octets since for MCC frames we use 7 bits + EA in each.
1659 * Only test data can possibly be that big.
1661 * XXX Should we check this against the MTU?
1663 if (len < (1 << 7)) {
1664 *hdr++ = ((len << 1) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1665 } else if (len < (1 << 14)) {
1666 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1667 *hdr++ = ((len >> 6) & 0xfe) | 0x01; /* 7 bits, EA = 1 */
1668 } else if (len < (1 << 15)) {
1669 *hdr++ = ((len << 1) & 0xfe); /* 7 bits, EA = 0 */
1670 *hdr++ = ((len >> 6) & 0xfe); /* 7 bits, EA = 0 */
1671 *hdr++ = ((len >> 13) & 0x02) | 0x01; /* 1 bit, EA = 1 */
1673 DPRINTF("incredible length! (%d)\n", len);
1679 * add command data (to same mbuf if possible)
1681 hlen = hdr - mtod(m, uint8_t *);
1684 m->m_pkthdr.len = m->m_len = MHLEN;
1685 m_copyback(m, hlen, len, data);
1686 if (m->m_pkthdr.len != max(MHLEN, hlen + len)) {
1692 m->m_pkthdr.len = hlen + len;
1693 m->m_len = min(MHLEN, m->m_pkthdr.len);
1695 DPRINTFN(5, "%s type %2.2x len %d\n",
1696 (cr ? "command" : "response"), type, m->m_pkthdr.len);
1698 return rfcomm_session_send_uih(rs, NULL, 0, m);