1 /* l2cap_br.c - L2CAP BREDR oriented handling */
2
3 /*
4 * Copyright (c) 2016 Intel Corporation
5 *
6 * SPDX-License-Identifier: Apache-2.0
7 */
8
9 #include <zephyr.h>
10 #include <string.h>
11 #include <errno.h>
12 #include <sys/atomic.h>
13 #include <sys/byteorder.h>
14 #include <sys/util.h>
15
16 #include <bluetooth/hci.h>
17 #include <bluetooth/bluetooth.h>
18 #include <bluetooth/conn.h>
19 #include <drivers/bluetooth/hci_driver.h>
20
21 #define BT_DBG_ENABLED IS_ENABLED(CONFIG_BT_DEBUG_L2CAP)
22 #define LOG_MODULE_NAME bt_l2cap_br
23 #include "common/log.h"
24
25 #include "hci_core.h"
26 #include "conn_internal.h"
27 #include "l2cap_internal.h"
28 #include "avdtp_internal.h"
29 #include "a2dp_internal.h"
30 #include "rfcomm_internal.h"
31 #include "sdp_internal.h"
32
33 #define BR_CHAN(_ch) CONTAINER_OF(_ch, struct bt_l2cap_br_chan, chan)
34 #define BR_CHAN_RTX(_w) CONTAINER_OF(_w, struct bt_l2cap_br_chan, chan.rtx_work)
35
36 #define L2CAP_BR_PSM_START 0x0001
37 #define L2CAP_BR_PSM_END 0xffff
38
39 #define L2CAP_BR_CID_DYN_START 0x0040
40 #define L2CAP_BR_CID_DYN_END 0xffff
41 #define L2CAP_BR_CID_IS_DYN(_cid) \
42 (_cid >= L2CAP_BR_CID_DYN_START && _cid <= L2CAP_BR_CID_DYN_END)
43
44 #define L2CAP_BR_MIN_MTU 48
45 #define L2CAP_BR_DEFAULT_MTU 672
46
47 #define L2CAP_BR_PSM_SDP 0x0001
48
49 #define L2CAP_BR_INFO_TIMEOUT K_SECONDS(4)
50 #define L2CAP_BR_CFG_TIMEOUT K_SECONDS(4)
51 #define L2CAP_BR_DISCONN_TIMEOUT K_SECONDS(1)
52 #define L2CAP_BR_CONN_TIMEOUT K_SECONDS(40)
53
54 /*
55 * L2CAP extended feature mask:
56 * BR/EDR fixed channel support enabled
57 */
58 #define L2CAP_FEAT_FIXED_CHAN_MASK 0x00000080
59
60 enum {
61 /* Connection oriented channels flags */
62 L2CAP_FLAG_CONN_LCONF_DONE, /* local config accepted by remote */
63 L2CAP_FLAG_CONN_RCONF_DONE, /* remote config accepted by local */
64 L2CAP_FLAG_CONN_ACCEPTOR, /* getting incoming connection req */
65 L2CAP_FLAG_CONN_PENDING, /* remote sent pending result in rsp */
66
67 /* Signaling channel flags */
68 L2CAP_FLAG_SIG_INFO_PENDING, /* retrieving remote l2cap info */
69 L2CAP_FLAG_SIG_INFO_DONE, /* remote l2cap info is done */
70
71 /* fixed channels flags */
72 L2CAP_FLAG_FIXED_CONNECTED, /* fixed connected */
73 };
74
75 static sys_slist_t br_servers;
76
77
78 /* Pool for outgoing BR/EDR signaling packets, min MTU is 48 */
79 NET_BUF_POOL_FIXED_DEFINE(br_sig_pool, CONFIG_BT_MAX_CONN,
80 BT_L2CAP_BUF_SIZE(L2CAP_BR_MIN_MTU), NULL);
81
82 /* BR/EDR L2CAP signalling channel specific context */
83 struct bt_l2cap_br {
84 /* The channel this context is associated with */
85 struct bt_l2cap_br_chan chan;
86 uint8_t info_ident;
87 uint8_t info_fixed_chan;
88 uint32_t info_feat_mask;
89 };
90
91 static struct bt_l2cap_br bt_l2cap_br_pool[CONFIG_BT_MAX_CONN];
92
bt_l2cap_br_lookup_rx_cid(struct bt_conn * conn,uint16_t cid)93 struct bt_l2cap_chan *bt_l2cap_br_lookup_rx_cid(struct bt_conn *conn,
94 uint16_t cid)
95 {
96 struct bt_l2cap_chan *chan;
97
98 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
99 if (BR_CHAN(chan)->rx.cid == cid) {
100 return chan;
101 }
102 }
103
104 return NULL;
105 }
106
bt_l2cap_br_lookup_tx_cid(struct bt_conn * conn,uint16_t cid)107 struct bt_l2cap_chan *bt_l2cap_br_lookup_tx_cid(struct bt_conn *conn,
108 uint16_t cid)
109 {
110 struct bt_l2cap_chan *chan;
111
112 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
113 if (BR_CHAN(chan)->tx.cid == cid) {
114 return chan;
115 }
116 }
117
118 return NULL;
119 }
120
121 static struct bt_l2cap_br_chan*
l2cap_br_chan_alloc_cid(struct bt_conn * conn,struct bt_l2cap_chan * chan)122 l2cap_br_chan_alloc_cid(struct bt_conn *conn, struct bt_l2cap_chan *chan)
123 {
124 struct bt_l2cap_br_chan *ch = BR_CHAN(chan);
125 uint16_t cid;
126
127 /*
128 * No action needed if there's already a CID allocated, e.g. in
129 * the case of a fixed channel.
130 */
131 if (ch->rx.cid > 0) {
132 return ch;
133 }
134
135 /*
136 * L2CAP_BR_CID_DYN_END is 0xffff so we don't check against it since
137 * cid is uint16_t, just check against uint16_t overflow
138 */
139 for (cid = L2CAP_BR_CID_DYN_START; cid; cid++) {
140 if (!bt_l2cap_br_lookup_rx_cid(conn, cid)) {
141 ch->rx.cid = cid;
142 return ch;
143 }
144 }
145
146 return NULL;
147 }
148
l2cap_br_chan_cleanup(struct bt_l2cap_chan * chan)149 static void l2cap_br_chan_cleanup(struct bt_l2cap_chan *chan)
150 {
151 bt_l2cap_chan_remove(chan->conn, chan);
152 bt_l2cap_chan_del(chan);
153 }
154
l2cap_br_chan_destroy(struct bt_l2cap_chan * chan)155 static void l2cap_br_chan_destroy(struct bt_l2cap_chan *chan)
156 {
157 BT_DBG("chan %p cid 0x%04x", BR_CHAN(chan), BR_CHAN(chan)->rx.cid);
158
159 /* Cancel ongoing work. Since the channel can be re-used after this
160 * we need to sync to make sure that the kernel does not have it
161 * in its queue anymore.
162 */
163 k_work_cancel_delayable_sync(&chan->rtx_work, &chan->rtx_sync);
164
165 atomic_clear(BR_CHAN(chan)->flags);
166 }
167
l2cap_br_rtx_timeout(struct k_work * work)168 static void l2cap_br_rtx_timeout(struct k_work *work)
169 {
170 struct bt_l2cap_br_chan *chan = BR_CHAN_RTX(work);
171
172 BT_WARN("chan %p timeout", chan);
173
174 if (chan->rx.cid == BT_L2CAP_CID_BR_SIG) {
175 BT_DBG("Skip BR/EDR signalling channel ");
176 atomic_clear_bit(chan->flags, L2CAP_FLAG_SIG_INFO_PENDING);
177 return;
178 }
179
180 BT_DBG("chan %p %s scid 0x%04x", chan,
181 bt_l2cap_chan_state_str(chan->chan.state),
182 chan->rx.cid);
183
184 switch (chan->chan.state) {
185 case BT_L2CAP_CONFIG:
186 bt_l2cap_br_chan_disconnect(&chan->chan);
187 break;
188 case BT_L2CAP_DISCONNECT:
189 case BT_L2CAP_CONNECT:
190 l2cap_br_chan_cleanup(&chan->chan);
191 break;
192 default:
193 break;
194 }
195 }
196
l2cap_br_chan_add(struct bt_conn * conn,struct bt_l2cap_chan * chan,bt_l2cap_chan_destroy_t destroy)197 static bool l2cap_br_chan_add(struct bt_conn *conn, struct bt_l2cap_chan *chan,
198 bt_l2cap_chan_destroy_t destroy)
199 {
200 struct bt_l2cap_br_chan *ch = l2cap_br_chan_alloc_cid(conn, chan);
201
202 if (!ch) {
203 BT_DBG("Unable to allocate L2CAP CID");
204 return false;
205 }
206
207 /* All dynamic channels have the destroy handler which makes sure that
208 * the RTX work structure is properly released with a cancel sync.
209 * The fixed signal channel is only removed when disconnected and the
210 * disconnected handler is always called from the workqueue itself so
211 * canceling from there should always succeed.
212 */
213 k_work_init_delayable(&chan->rtx_work, l2cap_br_rtx_timeout);
214 bt_l2cap_chan_add(conn, chan, destroy);
215
216 return true;
217 }
218
l2cap_br_get_ident(void)219 static uint8_t l2cap_br_get_ident(void)
220 {
221 static uint8_t ident;
222
223 ident++;
224 /* handle integer overflow (0 is not valid) */
225 if (!ident) {
226 ident++;
227 }
228
229 return ident;
230 }
231
232 /* Send the buffer and release it in case of failure.
233 * Any other cleanup in failure to send should be handled by the disconnected
234 * handler.
235 */
l2cap_send(struct bt_conn * conn,uint16_t cid,struct net_buf * buf)236 static inline void l2cap_send(struct bt_conn *conn, uint16_t cid,
237 struct net_buf *buf)
238 {
239 if (bt_l2cap_send(conn, cid, buf)) {
240 net_buf_unref(buf);
241 }
242 }
243
l2cap_br_chan_send_req(struct bt_l2cap_br_chan * chan,struct net_buf * buf,k_timeout_t timeout)244 static void l2cap_br_chan_send_req(struct bt_l2cap_br_chan *chan,
245 struct net_buf *buf, k_timeout_t timeout)
246 {
247
248 if (bt_l2cap_send(chan->chan.conn, BT_L2CAP_CID_BR_SIG, buf)) {
249 net_buf_unref(buf);
250 return;
251 }
252
253 /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part A] page 126:
254 *
255 * The value of this timer is implementation-dependent but the minimum
256 * initial value is 1 second and the maximum initial value is 60
257 * seconds. One RTX timer shall exist for each outstanding signaling
258 * request, including each Echo Request. The timer disappears on the
259 * final expiration, when the response is received, or the physical
260 * link is lost.
261 */
262 k_work_reschedule(&chan->chan.rtx_work, timeout);
263 }
264
l2cap_br_get_info(struct bt_l2cap_br * l2cap,uint16_t info_type)265 static void l2cap_br_get_info(struct bt_l2cap_br *l2cap, uint16_t info_type)
266 {
267 struct bt_l2cap_info_req *info;
268 struct net_buf *buf;
269 struct bt_l2cap_sig_hdr *hdr;
270
271 BT_DBG("info type %u", info_type);
272
273 if (atomic_test_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_PENDING)) {
274 return;
275 }
276
277 switch (info_type) {
278 case BT_L2CAP_INFO_FEAT_MASK:
279 case BT_L2CAP_INFO_FIXED_CHAN:
280 break;
281 default:
282 BT_WARN("Unsupported info type %u", info_type);
283 return;
284 }
285
286 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
287
288 atomic_set_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_PENDING);
289 l2cap->info_ident = l2cap_br_get_ident();
290
291 hdr = net_buf_add(buf, sizeof(*hdr));
292 hdr->code = BT_L2CAP_INFO_REQ;
293 hdr->ident = l2cap->info_ident;
294 hdr->len = sys_cpu_to_le16(sizeof(*info));
295
296 info = net_buf_add(buf, sizeof(*info));
297 info->type = sys_cpu_to_le16(info_type);
298
299 l2cap_br_chan_send_req(&l2cap->chan, buf, L2CAP_BR_INFO_TIMEOUT);
300 }
301
connect_fixed_channel(struct bt_l2cap_br_chan * chan)302 static void connect_fixed_channel(struct bt_l2cap_br_chan *chan)
303 {
304 if (atomic_test_and_set_bit(chan->flags, L2CAP_FLAG_FIXED_CONNECTED)) {
305 return;
306 }
307
308 if (chan->chan.ops && chan->chan.ops->connected) {
309 chan->chan.ops->connected(&chan->chan);
310 }
311 }
312
connect_optional_fixed_channels(struct bt_l2cap_br * l2cap)313 static void connect_optional_fixed_channels(struct bt_l2cap_br *l2cap)
314 {
315 /* can be change to loop if more BR/EDR fixed channels are added */
316 if (l2cap->info_fixed_chan & BIT(BT_L2CAP_CID_BR_SMP)) {
317 struct bt_l2cap_chan *chan;
318
319 chan = bt_l2cap_br_lookup_rx_cid(l2cap->chan.chan.conn,
320 BT_L2CAP_CID_BR_SMP);
321 if (chan) {
322 connect_fixed_channel(BR_CHAN(chan));
323 }
324 }
325 }
326
l2cap_br_info_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)327 static int l2cap_br_info_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
328 struct net_buf *buf)
329 {
330 struct bt_l2cap_info_rsp *rsp;
331 uint16_t type, result;
332 int err = 0;
333
334 if (atomic_test_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_DONE)) {
335 return 0;
336 }
337
338 if (atomic_test_and_clear_bit(l2cap->chan.flags,
339 L2CAP_FLAG_SIG_INFO_PENDING)) {
340 /*
341 * Release RTX timer since got the response & there's pending
342 * command request.
343 */
344 k_work_cancel_delayable(&l2cap->chan.chan.rtx_work);
345 }
346
347 if (buf->len < sizeof(*rsp)) {
348 BT_ERR("Too small info rsp packet size");
349 err = -EINVAL;
350 goto done;
351 }
352
353 if (ident != l2cap->info_ident) {
354 BT_WARN("Idents mismatch");
355 err = -EINVAL;
356 goto done;
357 }
358
359 rsp = net_buf_pull_mem(buf, sizeof(*rsp));
360 result = sys_le16_to_cpu(rsp->result);
361 if (result != BT_L2CAP_INFO_SUCCESS) {
362 BT_WARN("Result unsuccessful");
363 err = -EINVAL;
364 goto done;
365 }
366
367 type = sys_le16_to_cpu(rsp->type);
368
369 switch (type) {
370 case BT_L2CAP_INFO_FEAT_MASK:
371 l2cap->info_feat_mask = net_buf_pull_le32(buf);
372 BT_DBG("remote info mask 0x%08x", l2cap->info_feat_mask);
373
374 if (!(l2cap->info_feat_mask & L2CAP_FEAT_FIXED_CHAN_MASK)) {
375 break;
376 }
377
378 l2cap_br_get_info(l2cap, BT_L2CAP_INFO_FIXED_CHAN);
379 return 0;
380 case BT_L2CAP_INFO_FIXED_CHAN:
381 l2cap->info_fixed_chan = net_buf_pull_u8(buf);
382 BT_DBG("remote fixed channel mask 0x%02x",
383 l2cap->info_fixed_chan);
384
385 connect_optional_fixed_channels(l2cap);
386
387 break;
388 default:
389 BT_WARN("type 0x%04x unsupported", type);
390 err = -EINVAL;
391 break;
392 }
393 done:
394 atomic_set_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_DONE);
395 l2cap->info_ident = 0U;
396 return err;
397 }
398
get_fixed_channels_mask(void)399 static uint8_t get_fixed_channels_mask(void)
400 {
401 uint8_t mask = 0U;
402
403 /* this needs to be enhanced if AMP Test Manager support is added */
404 STRUCT_SECTION_FOREACH(bt_l2cap_br_fixed_chan, fchan) {
405 mask |= BIT(fchan->cid);
406 }
407
408 return mask;
409 }
410
l2cap_br_info_req(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)411 static int l2cap_br_info_req(struct bt_l2cap_br *l2cap, uint8_t ident,
412 struct net_buf *buf)
413 {
414 struct bt_conn *conn = l2cap->chan.chan.conn;
415 struct bt_l2cap_info_req *req = (void *)buf->data;
416 struct bt_l2cap_info_rsp *rsp;
417 struct net_buf *rsp_buf;
418 struct bt_l2cap_sig_hdr *hdr_info;
419 uint16_t type;
420
421 if (buf->len < sizeof(*req)) {
422 BT_ERR("Too small info req packet size");
423 return -EINVAL;
424 }
425
426 rsp_buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
427
428 type = sys_le16_to_cpu(req->type);
429 BT_DBG("type 0x%04x", type);
430
431 hdr_info = net_buf_add(rsp_buf, sizeof(*hdr_info));
432 hdr_info->code = BT_L2CAP_INFO_RSP;
433 hdr_info->ident = ident;
434
435 rsp = net_buf_add(rsp_buf, sizeof(*rsp));
436
437 switch (type) {
438 case BT_L2CAP_INFO_FEAT_MASK:
439 rsp->type = sys_cpu_to_le16(BT_L2CAP_INFO_FEAT_MASK);
440 rsp->result = sys_cpu_to_le16(BT_L2CAP_INFO_SUCCESS);
441 net_buf_add_le32(rsp_buf, L2CAP_FEAT_FIXED_CHAN_MASK);
442 hdr_info->len = sys_cpu_to_le16(sizeof(*rsp) + sizeof(uint32_t));
443 break;
444 case BT_L2CAP_INFO_FIXED_CHAN:
445 rsp->type = sys_cpu_to_le16(BT_L2CAP_INFO_FIXED_CHAN);
446 rsp->result = sys_cpu_to_le16(BT_L2CAP_INFO_SUCCESS);
447 /* fixed channel mask protocol data is 8 octets wide */
448 (void)memset(net_buf_add(rsp_buf, 8), 0, 8);
449 rsp->data[0] = get_fixed_channels_mask();
450
451 hdr_info->len = sys_cpu_to_le16(sizeof(*rsp) + 8);
452 break;
453 default:
454 rsp->type = req->type;
455 rsp->result = sys_cpu_to_le16(BT_L2CAP_INFO_NOTSUPP);
456 hdr_info->len = sys_cpu_to_le16(sizeof(*rsp));
457 break;
458 }
459
460 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, rsp_buf);
461
462 return 0;
463 }
464
bt_l2cap_br_connected(struct bt_conn * conn)465 void bt_l2cap_br_connected(struct bt_conn *conn)
466 {
467 struct bt_l2cap_chan *chan;
468
469 STRUCT_SECTION_FOREACH(bt_l2cap_br_fixed_chan, fchan) {
470 struct bt_l2cap_br_chan *ch;
471
472 if (!fchan->accept) {
473 continue;
474 }
475
476 if (fchan->accept(conn, &chan) < 0) {
477 continue;
478 }
479
480 ch = BR_CHAN(chan);
481
482 ch->rx.cid = fchan->cid;
483 ch->tx.cid = fchan->cid;
484
485 if (!l2cap_br_chan_add(conn, chan, NULL)) {
486 return;
487 }
488
489 /*
490 * other fixed channels will be connected after Information
491 * Response is received
492 */
493 if (fchan->cid == BT_L2CAP_CID_BR_SIG) {
494 struct bt_l2cap_br *sig_ch;
495
496 connect_fixed_channel(ch);
497
498 sig_ch = CONTAINER_OF(ch, struct bt_l2cap_br, chan);
499 l2cap_br_get_info(sig_ch, BT_L2CAP_INFO_FEAT_MASK);
500 }
501 }
502 }
503
l2cap_br_server_lookup_psm(uint16_t psm)504 static struct bt_l2cap_server *l2cap_br_server_lookup_psm(uint16_t psm)
505 {
506 struct bt_l2cap_server *server;
507
508 SYS_SLIST_FOR_EACH_CONTAINER(&br_servers, server, node) {
509 if (server->psm == psm) {
510 return server;
511 }
512 }
513
514 return NULL;
515 }
516
l2cap_br_conf_add_mtu(struct net_buf * buf,const uint16_t mtu)517 static void l2cap_br_conf_add_mtu(struct net_buf *buf, const uint16_t mtu)
518 {
519 net_buf_add_u8(buf, BT_L2CAP_CONF_OPT_MTU);
520 net_buf_add_u8(buf, sizeof(mtu));
521 net_buf_add_le16(buf, mtu);
522 }
523
l2cap_br_conf(struct bt_l2cap_chan * chan)524 static void l2cap_br_conf(struct bt_l2cap_chan *chan)
525 {
526 struct bt_l2cap_sig_hdr *hdr;
527 struct bt_l2cap_conf_req *conf;
528 struct net_buf *buf;
529
530 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
531
532 hdr = net_buf_add(buf, sizeof(*hdr));
533 hdr->code = BT_L2CAP_CONF_REQ;
534 hdr->ident = l2cap_br_get_ident();
535 conf = net_buf_add(buf, sizeof(*conf));
536 (void)memset(conf, 0, sizeof(*conf));
537
538 conf->dcid = sys_cpu_to_le16(BR_CHAN(chan)->tx.cid);
539 /*
540 * Add MTU option if app set non default BR/EDR L2CAP MTU,
541 * otherwise sent empty configuration data meaning default MTU
542 * to be used.
543 */
544 if (BR_CHAN(chan)->rx.mtu != L2CAP_BR_DEFAULT_MTU) {
545 l2cap_br_conf_add_mtu(buf, BR_CHAN(chan)->rx.mtu);
546 }
547
548 hdr->len = sys_cpu_to_le16(buf->len - sizeof(*hdr));
549
550 /*
551 * TODO:
552 * might be needed to start tracking number of configuration iterations
553 * on both directions
554 */
555 l2cap_br_chan_send_req(BR_CHAN(chan), buf, L2CAP_BR_CFG_TIMEOUT);
556 }
557
558 enum l2cap_br_conn_security_result {
559 L2CAP_CONN_SECURITY_PASSED,
560 L2CAP_CONN_SECURITY_REJECT,
561 L2CAP_CONN_SECURITY_PENDING
562 };
563
564 /*
565 * Security helper against channel connection.
566 * Returns L2CAP_CONN_SECURITY_PASSED if:
567 * - existing security on link is applicable for requested PSM in connection,
568 * - legacy (non SSP) devices connecting with low security requirements,
569 * Returns L2CAP_CONN_SECURITY_PENDING if:
570 * - channel connection process is on hold since there were valid security
571 * conditions triggering authentication indirectly in subcall.
572 * Returns L2CAP_CONN_SECURITY_REJECT if:
573 * - bt_conn_set_security API returns < 0.
574 */
575
576 static enum l2cap_br_conn_security_result
l2cap_br_conn_security(struct bt_l2cap_chan * chan,const uint16_t psm)577 l2cap_br_conn_security(struct bt_l2cap_chan *chan, const uint16_t psm)
578 {
579 int check;
580
581 /* For SDP PSM there's no need to change existing security on link */
582 if (chan->required_sec_level == BT_SECURITY_L0) {
583 return L2CAP_CONN_SECURITY_PASSED;
584 }
585
586 /*
587 * No link key needed for legacy devices (pre 2.1) and when low security
588 * level is required.
589 */
590 if (chan->required_sec_level == BT_SECURITY_L1 &&
591 !BT_FEAT_HOST_SSP(chan->conn->br.features)) {
592 return L2CAP_CONN_SECURITY_PASSED;
593 }
594
595 switch (chan->required_sec_level) {
596 case BT_SECURITY_L4:
597 case BT_SECURITY_L3:
598 case BT_SECURITY_L2:
599 break;
600 default:
601 /*
602 * For non SDP PSM connections GAP's Security Mode 4 requires at
603 * least unauthenticated link key and enabled encryption if
604 * remote supports SSP before any L2CAP CoC traffic. So preset
605 * local to MEDIUM security to trigger it if needed.
606 */
607 if (BT_FEAT_HOST_SSP(chan->conn->br.features)) {
608 chan->required_sec_level = BT_SECURITY_L2;
609 }
610 break;
611 }
612
613 check = bt_conn_set_security(chan->conn, chan->required_sec_level);
614
615 /*
616 * Check case when on existing connection security level already covers
617 * channel (service) security requirements against link security and
618 * bt_conn_set_security API returns 0 what implies also there was no
619 * need to trigger authentication.
620 */
621 if (check == 0 &&
622 chan->conn->sec_level >= chan->required_sec_level) {
623 return L2CAP_CONN_SECURITY_PASSED;
624 }
625
626 /*
627 * If 'check' still holds 0, it means local host just sent HCI
628 * authentication command to start procedure to increase link security
629 * since service/profile requires that.
630 */
631 if (check == 0) {
632 return L2CAP_CONN_SECURITY_PENDING;
633 }
634
635 /*
636 * For any other values in 'check' it means there was internal
637 * validation condition forbidding to start authentication at this
638 * moment.
639 */
640 return L2CAP_CONN_SECURITY_REJECT;
641 }
642
l2cap_br_send_conn_rsp(struct bt_conn * conn,uint16_t scid,uint16_t dcid,uint8_t ident,uint16_t result)643 static void l2cap_br_send_conn_rsp(struct bt_conn *conn, uint16_t scid,
644 uint16_t dcid, uint8_t ident, uint16_t result)
645 {
646 struct net_buf *buf;
647 struct bt_l2cap_conn_rsp *rsp;
648 struct bt_l2cap_sig_hdr *hdr;
649
650 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
651
652 hdr = net_buf_add(buf, sizeof(*hdr));
653 hdr->code = BT_L2CAP_CONN_RSP;
654 hdr->ident = ident;
655 hdr->len = sys_cpu_to_le16(sizeof(*rsp));
656
657 rsp = net_buf_add(buf, sizeof(*rsp));
658 rsp->dcid = sys_cpu_to_le16(dcid);
659 rsp->scid = sys_cpu_to_le16(scid);
660 rsp->result = sys_cpu_to_le16(result);
661
662 if (result == BT_L2CAP_BR_PENDING) {
663 rsp->status = sys_cpu_to_le16(BT_L2CAP_CS_AUTHEN_PEND);
664 } else {
665 rsp->status = sys_cpu_to_le16(BT_L2CAP_CS_NO_INFO);
666 }
667
668 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, buf);
669 }
670
l2cap_br_conn_req_reply(struct bt_l2cap_chan * chan,uint16_t result)671 static int l2cap_br_conn_req_reply(struct bt_l2cap_chan *chan, uint16_t result)
672 {
673 /* Send response to connection request only when in acceptor role */
674 if (!atomic_test_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_ACCEPTOR)) {
675 return -ESRCH;
676 }
677
678 l2cap_br_send_conn_rsp(chan->conn, BR_CHAN(chan)->tx.cid,
679 BR_CHAN(chan)->rx.cid, chan->ident, result);
680 chan->ident = 0U;
681
682 return 0;
683 }
684
l2cap_br_conn_req(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)685 static void l2cap_br_conn_req(struct bt_l2cap_br *l2cap, uint8_t ident,
686 struct net_buf *buf)
687 {
688 struct bt_conn *conn = l2cap->chan.chan.conn;
689 struct bt_l2cap_chan *chan;
690 struct bt_l2cap_server *server;
691 struct bt_l2cap_conn_req *req = (void *)buf->data;
692 uint16_t psm, scid, result;
693
694 if (buf->len < sizeof(*req)) {
695 BT_ERR("Too small L2CAP conn req packet size");
696 return;
697 }
698
699 psm = sys_le16_to_cpu(req->psm);
700 scid = sys_le16_to_cpu(req->scid);
701
702 BT_DBG("psm 0x%02x scid 0x%04x", psm, scid);
703
704 /* Check if there is a server registered */
705 server = l2cap_br_server_lookup_psm(psm);
706 if (!server) {
707 result = BT_L2CAP_BR_ERR_PSM_NOT_SUPP;
708 goto no_chan;
709 }
710
711 /*
712 * Report security violation for non SDP channel without encryption when
713 * remote supports SSP.
714 */
715 if (server->sec_level != BT_SECURITY_L0 &&
716 BT_FEAT_HOST_SSP(conn->br.features) && !conn->encrypt) {
717 result = BT_L2CAP_BR_ERR_SEC_BLOCK;
718 goto no_chan;
719 }
720
721 if (!L2CAP_BR_CID_IS_DYN(scid)) {
722 result = BT_L2CAP_BR_ERR_INVALID_SCID;
723 goto no_chan;
724 }
725
726 chan = bt_l2cap_br_lookup_tx_cid(conn, scid);
727 if (chan) {
728 /*
729 * we have a chan here but this is due to SCID being already in
730 * use so it is not channel we are suppose to pass to
731 * l2cap_br_conn_req_reply as wrong DCID would be used
732 */
733 result = BT_L2CAP_BR_ERR_SCID_IN_USE;
734 goto no_chan;
735 }
736
737 /*
738 * Request server to accept the new connection and allocate the
739 * channel. If no free channels available for PSM server reply with
740 * proper result and quit since chan pointer is uninitialized then.
741 */
742 if (server->accept(conn, &chan) < 0) {
743 result = BT_L2CAP_BR_ERR_NO_RESOURCES;
744 goto no_chan;
745 }
746
747 chan->required_sec_level = server->sec_level;
748
749 l2cap_br_chan_add(conn, chan, l2cap_br_chan_destroy);
750 BR_CHAN(chan)->tx.cid = scid;
751 chan->ident = ident;
752 bt_l2cap_chan_set_state(chan, BT_L2CAP_CONNECT);
753 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_ACCEPTOR);
754
755 /* Disable fragmentation of l2cap rx pdu */
756 BR_CHAN(chan)->rx.mtu = MIN(BR_CHAN(chan)->rx.mtu, BT_L2CAP_RX_MTU);
757
758 switch (l2cap_br_conn_security(chan, psm)) {
759 case L2CAP_CONN_SECURITY_PENDING:
760 result = BT_L2CAP_BR_PENDING;
761 /* TODO: auth timeout */
762 break;
763 case L2CAP_CONN_SECURITY_PASSED:
764 result = BT_L2CAP_BR_SUCCESS;
765 break;
766 case L2CAP_CONN_SECURITY_REJECT:
767 default:
768 result = BT_L2CAP_BR_ERR_SEC_BLOCK;
769 break;
770 }
771 /* Reply on connection request as acceptor */
772 l2cap_br_conn_req_reply(chan, result);
773
774 if (result != BT_L2CAP_BR_SUCCESS) {
775 /* Disconnect link when security rules were violated */
776 if (result == BT_L2CAP_BR_ERR_SEC_BLOCK) {
777 bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
778 }
779
780 return;
781 }
782
783 bt_l2cap_chan_set_state(chan, BT_L2CAP_CONFIG);
784 l2cap_br_conf(chan);
785 return;
786
787 no_chan:
788 l2cap_br_send_conn_rsp(conn, scid, 0, ident, result);
789 }
790
l2cap_br_conf_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,uint16_t len,struct net_buf * buf)791 static void l2cap_br_conf_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
792 uint16_t len, struct net_buf *buf)
793 {
794 struct bt_conn *conn = l2cap->chan.chan.conn;
795 struct bt_l2cap_chan *chan;
796 struct bt_l2cap_conf_rsp *rsp = (void *)buf->data;
797 uint16_t flags, scid, result, opt_len;
798
799 if (buf->len < sizeof(*rsp)) {
800 BT_ERR("Too small L2CAP conf rsp packet size");
801 return;
802 }
803
804 flags = sys_le16_to_cpu(rsp->flags);
805 scid = sys_le16_to_cpu(rsp->scid);
806 result = sys_le16_to_cpu(rsp->result);
807 opt_len = len - sizeof(*rsp);
808
809 BT_DBG("scid 0x%04x flags 0x%02x result 0x%02x len %u", scid, flags,
810 result, opt_len);
811
812 chan = bt_l2cap_br_lookup_rx_cid(conn, scid);
813 if (!chan) {
814 BT_ERR("channel mismatch!");
815 return;
816 }
817
818 /* Release RTX work since got the response */
819 k_work_cancel_delayable(&chan->rtx_work);
820
821 /*
822 * TODO: handle other results than success and parse response data if
823 * available
824 */
825 switch (result) {
826 case BT_L2CAP_CONF_SUCCESS:
827 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_LCONF_DONE);
828
829 if (chan->state == BT_L2CAP_CONFIG &&
830 atomic_test_bit(BR_CHAN(chan)->flags,
831 L2CAP_FLAG_CONN_RCONF_DONE)) {
832 BT_DBG("scid 0x%04x rx MTU %u dcid 0x%04x tx MTU %u",
833 BR_CHAN(chan)->rx.cid, BR_CHAN(chan)->rx.mtu,
834 BR_CHAN(chan)->tx.cid, BR_CHAN(chan)->tx.mtu);
835
836 bt_l2cap_chan_set_state(chan, BT_L2CAP_CONNECTED);
837 if (chan->ops && chan->ops->connected) {
838 chan->ops->connected(chan);
839 }
840 }
841 break;
842 default:
843 /* currently disconnect channel on non success result */
844 bt_l2cap_chan_disconnect(chan);
845 break;
846 }
847 }
848
bt_l2cap_br_server_register(struct bt_l2cap_server * server)849 int bt_l2cap_br_server_register(struct bt_l2cap_server *server)
850 {
851 if (server->psm < L2CAP_BR_PSM_START || !server->accept) {
852 return -EINVAL;
853 }
854
855 /* PSM must be odd and lsb of upper byte must be 0 */
856 if ((server->psm & 0x0101) != 0x0001) {
857 return -EINVAL;
858 }
859
860 if (server->sec_level > BT_SECURITY_L4) {
861 return -EINVAL;
862 } else if (server->sec_level == BT_SECURITY_L0 &&
863 server->psm != L2CAP_BR_PSM_SDP) {
864 server->sec_level = BT_SECURITY_L1;
865 }
866
867 /* Check if given PSM is already in use */
868 if (l2cap_br_server_lookup_psm(server->psm)) {
869 BT_DBG("PSM already registered");
870 return -EADDRINUSE;
871 }
872
873 BT_DBG("PSM 0x%04x", server->psm);
874
875 sys_slist_append(&br_servers, &server->node);
876
877 return 0;
878 }
879
l2cap_br_send_reject(struct bt_conn * conn,uint8_t ident,uint16_t reason,void * data,uint8_t data_len)880 static void l2cap_br_send_reject(struct bt_conn *conn, uint8_t ident,
881 uint16_t reason, void *data, uint8_t data_len)
882 {
883 struct bt_l2cap_cmd_reject *rej;
884 struct bt_l2cap_sig_hdr *hdr;
885 struct net_buf *buf;
886
887 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
888
889 hdr = net_buf_add(buf, sizeof(*hdr));
890 hdr->code = BT_L2CAP_CMD_REJECT;
891 hdr->ident = ident;
892 hdr->len = sys_cpu_to_le16(sizeof(*rej) + data_len);
893
894 rej = net_buf_add(buf, sizeof(*rej));
895 rej->reason = sys_cpu_to_le16(reason);
896
897 /*
898 * optional data if available must be already in little-endian format
899 * made by caller.and be compliant with Core 4.2 [Vol 3, Part A, 4.1,
900 * table 4.4]
901 */
902 if (data) {
903 net_buf_add_mem(buf, data, data_len);
904 }
905
906 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, buf);
907 }
908
l2cap_br_conf_opt_mtu(struct bt_l2cap_chan * chan,struct net_buf * buf,size_t len)909 static uint16_t l2cap_br_conf_opt_mtu(struct bt_l2cap_chan *chan,
910 struct net_buf *buf, size_t len)
911 {
912 uint16_t mtu, result = BT_L2CAP_CONF_SUCCESS;
913
914 /* Core 4.2 [Vol 3, Part A, 5.1] MTU payload length */
915 if (len != 2) {
916 BT_ERR("tx MTU length %zu invalid", len);
917 result = BT_L2CAP_CONF_REJECT;
918 goto done;
919 }
920
921 /* pulling MTU value moves buf data to next option item */
922 mtu = net_buf_pull_le16(buf);
923 if (mtu < L2CAP_BR_MIN_MTU) {
924 result = BT_L2CAP_CONF_UNACCEPT;
925 BR_CHAN(chan)->tx.mtu = L2CAP_BR_MIN_MTU;
926 BT_DBG("tx MTU %u invalid", mtu);
927 goto done;
928 }
929
930 BR_CHAN(chan)->tx.mtu = mtu;
931 BT_DBG("tx MTU %u", mtu);
932 done:
933 return result;
934 }
935
l2cap_br_conf_req(struct bt_l2cap_br * l2cap,uint8_t ident,uint16_t len,struct net_buf * buf)936 static void l2cap_br_conf_req(struct bt_l2cap_br *l2cap, uint8_t ident,
937 uint16_t len, struct net_buf *buf)
938 {
939 struct bt_conn *conn = l2cap->chan.chan.conn;
940 struct bt_l2cap_chan *chan;
941 struct bt_l2cap_conf_req *req;
942 struct bt_l2cap_sig_hdr *hdr;
943 struct bt_l2cap_conf_rsp *rsp;
944 struct bt_l2cap_conf_opt *opt;
945 uint16_t flags, dcid, opt_len, hint, result = BT_L2CAP_CONF_SUCCESS;
946
947 if (buf->len < sizeof(*req)) {
948 BT_ERR("Too small L2CAP conf req packet size");
949 return;
950 }
951
952 req = net_buf_pull_mem(buf, sizeof(*req));
953 flags = sys_le16_to_cpu(req->flags);
954 dcid = sys_le16_to_cpu(req->dcid);
955 opt_len = len - sizeof(*req);
956
957 BT_DBG("dcid 0x%04x flags 0x%02x len %u", dcid, flags, opt_len);
958
959 chan = bt_l2cap_br_lookup_rx_cid(conn, dcid);
960 if (!chan) {
961 BT_ERR("rx channel mismatch!");
962 struct bt_l2cap_cmd_reject_cid_data data = {.scid = req->dcid,
963 .dcid = 0,
964 };
965
966 l2cap_br_send_reject(conn, ident, BT_L2CAP_REJ_INVALID_CID,
967 &data, sizeof(data));
968 return;
969 }
970
971 if (!opt_len) {
972 BT_DBG("tx default MTU %u", L2CAP_BR_DEFAULT_MTU);
973 BR_CHAN(chan)->tx.mtu = L2CAP_BR_DEFAULT_MTU;
974 goto send_rsp;
975 }
976
977 while (buf->len >= sizeof(*opt)) {
978 opt = net_buf_pull_mem(buf, sizeof(*opt));
979
980 /* make sure opt object can get safe dereference in iteration */
981 if (buf->len < opt->len) {
982 BT_ERR("Received too short option data");
983 result = BT_L2CAP_CONF_REJECT;
984 break;
985 }
986
987 hint = opt->type & BT_L2CAP_CONF_HINT;
988
989 switch (opt->type & BT_L2CAP_CONF_MASK) {
990 case BT_L2CAP_CONF_OPT_MTU:
991 /* getting MTU modifies buf internals */
992 result = l2cap_br_conf_opt_mtu(chan, buf, opt->len);
993 /*
994 * MTU is done. For now bailout the loop but later on
995 * there can be a need to continue checking next options
996 * that are after MTU value and then goto is not proper
997 * way out here.
998 */
999 goto send_rsp;
1000 default:
1001 if (!hint) {
1002 BT_DBG("option %u not handled", opt->type);
1003 goto send_rsp;
1004 }
1005
1006 /* Update buffer to point at next option */
1007 net_buf_pull(buf, opt->len);
1008 break;
1009 }
1010 }
1011
1012 send_rsp:
1013 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1014
1015 hdr = net_buf_add(buf, sizeof(*hdr));
1016 hdr->code = BT_L2CAP_CONF_RSP;
1017 hdr->ident = ident;
1018 rsp = net_buf_add(buf, sizeof(*rsp));
1019 (void)memset(rsp, 0, sizeof(*rsp));
1020
1021 rsp->result = sys_cpu_to_le16(result);
1022 rsp->scid = sys_cpu_to_le16(BR_CHAN(chan)->tx.cid);
1023
1024 /*
1025 * TODO: If options other than MTU bacame meaningful then processing
1026 * the options chain need to be modified and taken into account when
1027 * sending back to peer.
1028 */
1029 if (result == BT_L2CAP_CONF_UNACCEPT) {
1030 l2cap_br_conf_add_mtu(buf, BR_CHAN(chan)->tx.mtu);
1031 }
1032
1033 hdr->len = sys_cpu_to_le16(buf->len - sizeof(*hdr));
1034
1035 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, buf);
1036
1037 if (result != BT_L2CAP_CONF_SUCCESS) {
1038 return;
1039 }
1040
1041 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_RCONF_DONE);
1042
1043 if (atomic_test_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_LCONF_DONE) &&
1044 chan->state == BT_L2CAP_CONFIG) {
1045 BT_DBG("scid 0x%04x rx MTU %u dcid 0x%04x tx MTU %u",
1046 BR_CHAN(chan)->rx.cid, BR_CHAN(chan)->rx.mtu,
1047 BR_CHAN(chan)->tx.cid, BR_CHAN(chan)->tx.mtu);
1048
1049 bt_l2cap_chan_set_state(chan, BT_L2CAP_CONNECTED);
1050 if (chan->ops && chan->ops->connected) {
1051 chan->ops->connected(chan);
1052 }
1053 }
1054 }
1055
l2cap_br_remove_tx_cid(struct bt_conn * conn,uint16_t cid)1056 static struct bt_l2cap_br_chan *l2cap_br_remove_tx_cid(struct bt_conn *conn,
1057 uint16_t cid)
1058 {
1059 struct bt_l2cap_chan *chan;
1060 sys_snode_t *prev = NULL;
1061
1062 /* Protect fixed channels against accidental removal */
1063 if (!L2CAP_BR_CID_IS_DYN(cid)) {
1064 return NULL;
1065 }
1066
1067 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
1068 if (BR_CHAN(chan)->tx.cid == cid) {
1069 sys_slist_remove(&conn->channels, prev, &chan->node);
1070 return BR_CHAN(chan);
1071 }
1072
1073 prev = &chan->node;
1074 }
1075
1076 return NULL;
1077 }
1078
l2cap_br_disconn_req(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)1079 static void l2cap_br_disconn_req(struct bt_l2cap_br *l2cap, uint8_t ident,
1080 struct net_buf *buf)
1081 {
1082 struct bt_conn *conn = l2cap->chan.chan.conn;
1083 struct bt_l2cap_br_chan *chan;
1084 struct bt_l2cap_disconn_req *req = (void *)buf->data;
1085 struct bt_l2cap_disconn_rsp *rsp;
1086 struct bt_l2cap_sig_hdr *hdr;
1087 uint16_t scid, dcid;
1088
1089 if (buf->len < sizeof(*req)) {
1090 BT_ERR("Too small disconn req packet size");
1091 return;
1092 }
1093
1094 dcid = sys_le16_to_cpu(req->dcid);
1095 scid = sys_le16_to_cpu(req->scid);
1096
1097 BT_DBG("scid 0x%04x dcid 0x%04x", dcid, scid);
1098
1099 chan = l2cap_br_remove_tx_cid(conn, scid);
1100 if (!chan) {
1101 struct bt_l2cap_cmd_reject_cid_data data;
1102
1103 data.scid = req->scid;
1104 data.dcid = req->dcid;
1105 l2cap_br_send_reject(conn, ident, BT_L2CAP_REJ_INVALID_CID,
1106 &data, sizeof(data));
1107 return;
1108 }
1109
1110 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1111
1112 hdr = net_buf_add(buf, sizeof(*hdr));
1113 hdr->code = BT_L2CAP_DISCONN_RSP;
1114 hdr->ident = ident;
1115 hdr->len = sys_cpu_to_le16(sizeof(*rsp));
1116
1117 rsp = net_buf_add(buf, sizeof(*rsp));
1118 rsp->dcid = sys_cpu_to_le16(chan->rx.cid);
1119 rsp->scid = sys_cpu_to_le16(chan->tx.cid);
1120
1121 bt_l2cap_chan_del(&chan->chan);
1122
1123 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, buf);
1124 }
1125
l2cap_br_connected(struct bt_l2cap_chan * chan)1126 static void l2cap_br_connected(struct bt_l2cap_chan *chan)
1127 {
1128 BT_DBG("ch %p cid 0x%04x", BR_CHAN(chan), BR_CHAN(chan)->rx.cid);
1129 }
1130
l2cap_br_disconnected(struct bt_l2cap_chan * chan)1131 static void l2cap_br_disconnected(struct bt_l2cap_chan *chan)
1132 {
1133 BT_DBG("ch %p cid 0x%04x", BR_CHAN(chan), BR_CHAN(chan)->rx.cid);
1134
1135 if (atomic_test_and_clear_bit(BR_CHAN(chan)->flags,
1136 L2CAP_FLAG_SIG_INFO_PENDING)) {
1137 /* Cancel RTX work on signal channel.
1138 * Disconnected callback is always called from system worqueue
1139 * so this should always succeed.
1140 */
1141 (void)k_work_cancel_delayable(&chan->rtx_work);
1142 }
1143 }
1144
bt_l2cap_br_chan_disconnect(struct bt_l2cap_chan * chan)1145 int bt_l2cap_br_chan_disconnect(struct bt_l2cap_chan *chan)
1146 {
1147 struct bt_conn *conn = chan->conn;
1148 struct net_buf *buf;
1149 struct bt_l2cap_disconn_req *req;
1150 struct bt_l2cap_sig_hdr *hdr;
1151 struct bt_l2cap_br_chan *ch;
1152
1153 if (!conn) {
1154 return -ENOTCONN;
1155 }
1156
1157 if (chan->state == BT_L2CAP_DISCONNECT) {
1158 return -EALREADY;
1159 }
1160
1161 ch = BR_CHAN(chan);
1162
1163 BT_DBG("chan %p scid 0x%04x dcid 0x%04x", chan, ch->rx.cid,
1164 ch->tx.cid);
1165
1166 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1167
1168 hdr = net_buf_add(buf, sizeof(*hdr));
1169 hdr->code = BT_L2CAP_DISCONN_REQ;
1170 hdr->ident = l2cap_br_get_ident();
1171 hdr->len = sys_cpu_to_le16(sizeof(*req));
1172
1173 req = net_buf_add(buf, sizeof(*req));
1174 req->dcid = sys_cpu_to_le16(ch->tx.cid);
1175 req->scid = sys_cpu_to_le16(ch->rx.cid);
1176
1177 l2cap_br_chan_send_req(ch, buf, L2CAP_BR_DISCONN_TIMEOUT);
1178 bt_l2cap_chan_set_state(chan, BT_L2CAP_DISCONNECT);
1179
1180 return 0;
1181 }
1182
l2cap_br_disconn_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)1183 static void l2cap_br_disconn_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
1184 struct net_buf *buf)
1185 {
1186 struct bt_conn *conn = l2cap->chan.chan.conn;
1187 struct bt_l2cap_br_chan *chan;
1188 struct bt_l2cap_disconn_rsp *rsp = (void *)buf->data;
1189 uint16_t dcid, scid;
1190
1191 if (buf->len < sizeof(*rsp)) {
1192 BT_ERR("Too small disconn rsp packet size");
1193 return;
1194 }
1195
1196 dcid = sys_le16_to_cpu(rsp->dcid);
1197 scid = sys_le16_to_cpu(rsp->scid);
1198
1199 BT_DBG("dcid 0x%04x scid 0x%04x", dcid, scid);
1200
1201 chan = l2cap_br_remove_tx_cid(conn, dcid);
1202 if (!chan) {
1203 BT_WARN("No dcid 0x%04x channel found", dcid);
1204 return;
1205 }
1206
1207 bt_l2cap_chan_del(&chan->chan);
1208 }
1209
bt_l2cap_br_chan_connect(struct bt_conn * conn,struct bt_l2cap_chan * chan,uint16_t psm)1210 int bt_l2cap_br_chan_connect(struct bt_conn *conn, struct bt_l2cap_chan *chan,
1211 uint16_t psm)
1212 {
1213 struct net_buf *buf;
1214 struct bt_l2cap_sig_hdr *hdr;
1215 struct bt_l2cap_conn_req *req;
1216
1217 if (!psm) {
1218 return -EINVAL;
1219 }
1220
1221 if (chan->psm) {
1222 return -EEXIST;
1223 }
1224
1225 /* PSM must be odd and lsb of upper byte must be 0 */
1226 if ((psm & 0x0101) != 0x0001) {
1227 return -EINVAL;
1228 }
1229
1230 if (chan->required_sec_level > BT_SECURITY_L4) {
1231 return -EINVAL;
1232 } else if (chan->required_sec_level == BT_SECURITY_L0 &&
1233 psm != L2CAP_BR_PSM_SDP) {
1234 chan->required_sec_level = BT_SECURITY_L1;
1235 }
1236
1237 switch (chan->state) {
1238 case BT_L2CAP_CONNECTED:
1239 /* Already connected */
1240 return -EISCONN;
1241 case BT_L2CAP_DISCONNECTED:
1242 /* Can connect */
1243 break;
1244 case BT_L2CAP_CONFIG:
1245 case BT_L2CAP_DISCONNECT:
1246 default:
1247 /* Bad context */
1248 return -EBUSY;
1249 }
1250
1251 if (!l2cap_br_chan_add(conn, chan, l2cap_br_chan_destroy)) {
1252 return -ENOMEM;
1253 }
1254
1255 chan->psm = psm;
1256 bt_l2cap_chan_set_state(chan, BT_L2CAP_CONNECT);
1257 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_PENDING);
1258
1259 switch (l2cap_br_conn_security(chan, psm)) {
1260 case L2CAP_CONN_SECURITY_PENDING:
1261 /*
1262 * Authentication was triggered, wait with sending request on
1263 * connection security changed callback context.
1264 */
1265 return 0;
1266 case L2CAP_CONN_SECURITY_PASSED:
1267 break;
1268 case L2CAP_CONN_SECURITY_REJECT:
1269 default:
1270 l2cap_br_chan_cleanup(chan);
1271 return -EIO;
1272 }
1273
1274 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1275
1276 hdr = net_buf_add(buf, sizeof(*hdr));
1277 hdr->code = BT_L2CAP_CONN_REQ;
1278 hdr->ident = l2cap_br_get_ident();
1279 hdr->len = sys_cpu_to_le16(sizeof(*req));
1280
1281 req = net_buf_add(buf, sizeof(*req));
1282 req->psm = sys_cpu_to_le16(psm);
1283 req->scid = sys_cpu_to_le16(BR_CHAN(chan)->rx.cid);
1284
1285 l2cap_br_chan_send_req(BR_CHAN(chan), buf, L2CAP_BR_CONN_TIMEOUT);
1286
1287 return 0;
1288 }
1289
l2cap_br_conn_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)1290 static void l2cap_br_conn_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
1291 struct net_buf *buf)
1292 {
1293 struct bt_conn *conn = l2cap->chan.chan.conn;
1294 struct bt_l2cap_chan *chan;
1295 struct bt_l2cap_conn_rsp *rsp = (void *)buf->data;
1296 uint16_t dcid, scid, result, status;
1297
1298 if (buf->len < sizeof(*rsp)) {
1299 BT_ERR("Too small L2CAP conn rsp packet size");
1300 return;
1301 }
1302
1303 dcid = sys_le16_to_cpu(rsp->dcid);
1304 scid = sys_le16_to_cpu(rsp->scid);
1305 result = sys_le16_to_cpu(rsp->result);
1306 status = sys_le16_to_cpu(rsp->status);
1307
1308 BT_DBG("dcid 0x%04x scid 0x%04x result %u status %u", dcid, scid,
1309 result, status);
1310
1311 chan = bt_l2cap_br_lookup_rx_cid(conn, scid);
1312 if (!chan) {
1313 BT_ERR("No scid 0x%04x channel found", scid);
1314 return;
1315 }
1316
1317 /* Release RTX work since got the response */
1318 k_work_cancel_delayable(&chan->rtx_work);
1319
1320 if (chan->state != BT_L2CAP_CONNECT) {
1321 BT_DBG("Invalid channel %p state %s", chan,
1322 bt_l2cap_chan_state_str(chan->state));
1323 return;
1324 }
1325
1326 switch (result) {
1327 case BT_L2CAP_BR_SUCCESS:
1328 chan->ident = 0U;
1329 BR_CHAN(chan)->tx.cid = dcid;
1330 l2cap_br_conf(chan);
1331 bt_l2cap_chan_set_state(chan, BT_L2CAP_CONFIG);
1332 atomic_clear_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_PENDING);
1333 break;
1334 case BT_L2CAP_BR_PENDING:
1335 k_work_reschedule(&chan->rtx_work, L2CAP_BR_CONN_TIMEOUT);
1336 break;
1337 default:
1338 l2cap_br_chan_cleanup(chan);
1339 break;
1340 }
1341 }
1342
bt_l2cap_br_chan_send(struct bt_l2cap_chan * chan,struct net_buf * buf)1343 int bt_l2cap_br_chan_send(struct bt_l2cap_chan *chan, struct net_buf *buf)
1344 {
1345 struct bt_l2cap_br_chan *ch = BR_CHAN(chan);
1346
1347 if (buf->len > ch->tx.mtu) {
1348 return -EMSGSIZE;
1349 }
1350
1351 return bt_l2cap_send_cb(ch->chan.conn, ch->tx.cid, buf, NULL, NULL);
1352 }
1353
l2cap_br_recv(struct bt_l2cap_chan * chan,struct net_buf * buf)1354 static int l2cap_br_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
1355 {
1356 struct bt_l2cap_br *l2cap = CONTAINER_OF(chan, struct bt_l2cap_br, chan);
1357 struct bt_l2cap_sig_hdr *hdr;
1358 uint16_t len;
1359
1360 if (buf->len < sizeof(*hdr)) {
1361 BT_ERR("Too small L2CAP signaling PDU");
1362 return 0;
1363 }
1364
1365 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
1366 len = sys_le16_to_cpu(hdr->len);
1367
1368 BT_DBG("Signaling code 0x%02x ident %u len %u", hdr->code,
1369 hdr->ident, len);
1370
1371 if (buf->len != len) {
1372 BT_ERR("L2CAP length mismatch (%u != %u)", buf->len, len);
1373 return 0;
1374 }
1375
1376 if (!hdr->ident) {
1377 BT_ERR("Invalid ident value in L2CAP PDU");
1378 return 0;
1379 }
1380
1381 switch (hdr->code) {
1382 case BT_L2CAP_INFO_RSP:
1383 l2cap_br_info_rsp(l2cap, hdr->ident, buf);
1384 break;
1385 case BT_L2CAP_INFO_REQ:
1386 l2cap_br_info_req(l2cap, hdr->ident, buf);
1387 break;
1388 case BT_L2CAP_DISCONN_REQ:
1389 l2cap_br_disconn_req(l2cap, hdr->ident, buf);
1390 break;
1391 case BT_L2CAP_CONN_REQ:
1392 l2cap_br_conn_req(l2cap, hdr->ident, buf);
1393 break;
1394 case BT_L2CAP_CONF_RSP:
1395 l2cap_br_conf_rsp(l2cap, hdr->ident, len, buf);
1396 break;
1397 case BT_L2CAP_CONF_REQ:
1398 l2cap_br_conf_req(l2cap, hdr->ident, len, buf);
1399 break;
1400 case BT_L2CAP_DISCONN_RSP:
1401 l2cap_br_disconn_rsp(l2cap, hdr->ident, buf);
1402 break;
1403 case BT_L2CAP_CONN_RSP:
1404 l2cap_br_conn_rsp(l2cap, hdr->ident, buf);
1405 break;
1406 default:
1407 BT_WARN("Unknown/Unsupported L2CAP PDU code 0x%02x", hdr->code);
1408 l2cap_br_send_reject(chan->conn, hdr->ident,
1409 BT_L2CAP_REJ_NOT_UNDERSTOOD, NULL, 0);
1410 break;
1411 }
1412
1413 return 0;
1414 }
1415
l2cap_br_conn_pend(struct bt_l2cap_chan * chan,uint8_t status)1416 static void l2cap_br_conn_pend(struct bt_l2cap_chan *chan, uint8_t status)
1417 {
1418 struct net_buf *buf;
1419 struct bt_l2cap_sig_hdr *hdr;
1420 struct bt_l2cap_conn_req *req;
1421
1422 if (chan->state != BT_L2CAP_CONNECT) {
1423 return;
1424 }
1425
1426 BT_DBG("chan %p status 0x%02x encr 0x%02x", chan, status,
1427 chan->conn->encrypt);
1428
1429 if (status) {
1430 /*
1431 * Security procedure status is non-zero so respond with
1432 * security violation only as channel acceptor.
1433 */
1434 l2cap_br_conn_req_reply(chan, BT_L2CAP_BR_ERR_SEC_BLOCK);
1435
1436 /* Release channel allocated to outgoing connection request */
1437 if (atomic_test_bit(BR_CHAN(chan)->flags,
1438 L2CAP_FLAG_CONN_PENDING)) {
1439 l2cap_br_chan_cleanup(chan);
1440 }
1441
1442 return;
1443 }
1444
1445 if (!chan->conn->encrypt) {
1446 return;
1447 }
1448
1449 /*
1450 * For incoming connection state send confirming outstanding
1451 * response and initiate configuration request.
1452 */
1453 if (l2cap_br_conn_req_reply(chan, BT_L2CAP_BR_SUCCESS) == 0) {
1454 bt_l2cap_chan_set_state(chan, BT_L2CAP_CONFIG);
1455 /*
1456 * Initialize config request since remote needs to know
1457 * local MTU segmentation.
1458 */
1459 l2cap_br_conf(chan);
1460 } else if (atomic_test_and_clear_bit(BR_CHAN(chan)->flags,
1461 L2CAP_FLAG_CONN_PENDING)) {
1462 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1463
1464 hdr = net_buf_add(buf, sizeof(*hdr));
1465 hdr->code = BT_L2CAP_CONN_REQ;
1466 hdr->ident = l2cap_br_get_ident();
1467 hdr->len = sys_cpu_to_le16(sizeof(*req));
1468
1469 req = net_buf_add(buf, sizeof(*req));
1470 req->psm = sys_cpu_to_le16(chan->psm);
1471 req->scid = sys_cpu_to_le16(BR_CHAN(chan)->rx.cid);
1472
1473 l2cap_br_chan_send_req(BR_CHAN(chan), buf,
1474 L2CAP_BR_CONN_TIMEOUT);
1475 }
1476 }
1477
l2cap_br_encrypt_change(struct bt_conn * conn,uint8_t hci_status)1478 void l2cap_br_encrypt_change(struct bt_conn *conn, uint8_t hci_status)
1479 {
1480 struct bt_l2cap_chan *chan;
1481
1482 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
1483 l2cap_br_conn_pend(chan, hci_status);
1484
1485 if (chan->ops && chan->ops->encrypt_change) {
1486 chan->ops->encrypt_change(chan, hci_status);
1487 }
1488 }
1489 }
1490
check_fixed_channel(struct bt_l2cap_chan * chan)1491 static void check_fixed_channel(struct bt_l2cap_chan *chan)
1492 {
1493 struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
1494
1495 if (br_chan->rx.cid < L2CAP_BR_CID_DYN_START) {
1496 connect_fixed_channel(br_chan);
1497 }
1498 }
1499
bt_l2cap_br_recv(struct bt_conn * conn,struct net_buf * buf)1500 void bt_l2cap_br_recv(struct bt_conn *conn, struct net_buf *buf)
1501 {
1502 struct bt_l2cap_hdr *hdr;
1503 struct bt_l2cap_chan *chan;
1504 uint16_t cid;
1505
1506 if (buf->len < sizeof(*hdr)) {
1507 BT_ERR("Too small L2CAP PDU received");
1508 net_buf_unref(buf);
1509 return;
1510 }
1511
1512 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
1513 cid = sys_le16_to_cpu(hdr->cid);
1514
1515 chan = bt_l2cap_br_lookup_rx_cid(conn, cid);
1516 if (!chan) {
1517 BT_WARN("Ignoring data for unknown channel ID 0x%04x", cid);
1518 net_buf_unref(buf);
1519 return;
1520 }
1521
1522 /*
1523 * if data was received for fixed channel before Information
1524 * Response we connect channel here.
1525 */
1526 check_fixed_channel(chan);
1527
1528 chan->ops->recv(chan, buf);
1529 net_buf_unref(buf);
1530 }
1531
l2cap_br_accept(struct bt_conn * conn,struct bt_l2cap_chan ** chan)1532 static int l2cap_br_accept(struct bt_conn *conn, struct bt_l2cap_chan **chan)
1533 {
1534 int i;
1535 static const struct bt_l2cap_chan_ops ops = {
1536 .connected = l2cap_br_connected,
1537 .disconnected = l2cap_br_disconnected,
1538 .recv = l2cap_br_recv,
1539 };
1540
1541 BT_DBG("conn %p handle %u", conn, conn->handle);
1542
1543 for (i = 0; i < ARRAY_SIZE(bt_l2cap_br_pool); i++) {
1544 struct bt_l2cap_br *l2cap = &bt_l2cap_br_pool[i];
1545
1546 if (l2cap->chan.chan.conn) {
1547 continue;
1548 }
1549
1550 l2cap->chan.chan.ops = &ops;
1551 *chan = &l2cap->chan.chan;
1552 atomic_set(l2cap->chan.flags, 0);
1553 return 0;
1554 }
1555
1556 BT_ERR("No available L2CAP context for conn %p", conn);
1557
1558 return -ENOMEM;
1559 }
1560
1561 BT_L2CAP_BR_CHANNEL_DEFINE(br_fixed_chan, BT_L2CAP_CID_BR_SIG, l2cap_br_accept);
1562
bt_l2cap_br_init(void)1563 void bt_l2cap_br_init(void)
1564 {
1565 sys_slist_init(&br_servers);
1566
1567 if (IS_ENABLED(CONFIG_BT_RFCOMM)) {
1568 bt_rfcomm_init();
1569 }
1570
1571 if (IS_ENABLED(CONFIG_BT_AVDTP)) {
1572 bt_avdtp_init();
1573 }
1574
1575 bt_sdp_init();
1576
1577 if (IS_ENABLED(CONFIG_BT_A2DP)) {
1578 bt_a2dp_init();
1579 }
1580 }
1581
