1 /* att.c - Attribute protocol handling */
2 
3 /*
4  * Copyright (c) 2015-2016 Intel Corporation
5  *
6  * SPDX-License-Identifier: Apache-2.0
7  */
8 
9 #include <zephyr.h>
10 #include <string.h>
11 #include <errno.h>
12 #include <stdbool.h>
13 #include <sys/atomic.h>
14 #include <sys/byteorder.h>
15 #include <sys/util.h>
16 
17 #include <bluetooth/hci.h>
18 #include <bluetooth/bluetooth.h>
19 #include <bluetooth/uuid.h>
20 #include <bluetooth/gatt.h>
21 #include <drivers/bluetooth/hci_driver.h>
22 
23 #define BT_DBG_ENABLED IS_ENABLED(CONFIG_BT_DEBUG_ATT)
24 #define LOG_MODULE_NAME bt_att
25 #include "common/log.h"
26 
27 #include "hci_core.h"
28 #include "conn_internal.h"
29 #include "l2cap_internal.h"
30 #include "smp.h"
31 #include "att_internal.h"
32 #include "gatt_internal.h"
33 
/* Recover the enclosing struct bt_att_chan from a pointer to its embedded
 * L2CAP channel (member chan.chan). The pointer must really point into a
 * bt_att_chan; CONTAINER_OF performs no runtime check.
 */
#define ATT_CHAN(_ch) CONTAINER_OF(_ch, struct bt_att_chan, chan.chan)
/* Recover the enclosing struct bt_att_req from a pointer to its list node. */
#define ATT_REQ(_node) CONTAINER_OF(_node, struct bt_att_req, node)

/* NOTE(review): presumably the opcode bit that marks a command; its use is
 * not visible in this part of the file - confirm.
 */
#define ATT_CMD_MASK				0x40

/* Number of ATT channels per connection; used to size chan_slab. */
#if defined(CONFIG_BT_EATT)
#define ATT_CHAN_MAX				(CONFIG_BT_EATT_MAX + 1)
#else
#define ATT_CHAN_MAX				1
#endif /* CONFIG_BT_EATT */
44 
/* Classification of an ATT opcode, as returned by att_op_get_type().
 * The result selects the sent-callback (chan_cb()) and the buffer allocation
 * policy (bt_att_chan_create_pdu()) for a PDU.
 */
typedef enum __packed {
		ATT_COMMAND,
		ATT_REQUEST,
		ATT_RESPONSE,
		ATT_NOTIFICATION,
		ATT_CONFIRMATION,
		ATT_INDICATION,
		ATT_UNKNOWN,
} att_type_t;
54 
55 static att_type_t att_op_get_type(uint8_t op);
56 
57 #if CONFIG_BT_ATT_PREPARE_COUNT > 0
/* Per-buffer user data for prep_pool buffers: its size is what the pool
 * definition below reserves as user data in every buffer.
 */
struct bt_attr_data {
	uint16_t handle;
	uint16_t offset;
};

/* Pool for incoming ATT packets: CONFIG_BT_ATT_PREPARE_COUNT buffers, each
 * sized for BT_ATT_MTU bytes of data.
 */
NET_BUF_POOL_DEFINE(prep_pool, CONFIG_BT_ATT_PREPARE_COUNT, BT_ATT_MTU,
		    sizeof(struct bt_attr_data), NULL);
66 #endif /* CONFIG_BT_ATT_PREPARE_COUNT */
67 
/* Fixed-size allocator for struct bt_att_req objects, with
 * CONFIG_BT_L2CAP_TX_BUF_COUNT blocks.
 */
K_MEM_SLAB_DEFINE(req_slab, sizeof(struct bt_att_req),
		  CONFIG_BT_L2CAP_TX_BUF_COUNT, __alignof__(struct bt_att_req));
70 
/* Bit positions in bt_att_chan.flags */
enum {
	/* Cleared by chan_rsp_sent() when CONFIG_BT_ATT_ENFORCE_FLOW is set */
	ATT_PENDING_RSP,
	/* Cleared by chan_cfm_sent() when CONFIG_BT_ATT_ENFORCE_FLOW is set */
	ATT_PENDING_CFM,
	/* Tested by att_chan_is_connected() */
	ATT_DISCONNECTED,
	/* Channel is an enhanced (EATT) bearer: chan_send() uses
	 * bt_l2cap_chan_send() and att_mtu_req() rejects MTU exchange on it.
	 */
	ATT_ENHANCED,
	/* Set by chan_send() on enhanced channels while a sent callback is
	 * outstanding; cleared by bt_att_sent().
	 */
	ATT_PENDING_SENT,

	/* Total number of flags - must be at the end of the enum */
	ATT_NUM_FLAGS,
};
81 
/* ATT channel specific data */
struct bt_att_chan {
	/* Connection this channel is associated with; bt_att_sent() treats a
	 * NULL value as a detached channel.
	 */
	struct bt_att		*att;
	/* Underlying L2CAP channel; ATT_CHAN() maps &chan.chan back to this
	 * structure. chan.tx.mtu bounds every outgoing PDU.
	 */
	struct bt_l2cap_le_chan	chan;
	/* ATT_* flag bits, see the flags enum above */
	ATOMIC_DEFINE(flags, ATT_NUM_FLAGS);
	/* Request currently outstanding on this channel, NULL when none */
	struct bt_att_req	*req;
	/* Buffers that must go out on this specific channel */
	struct k_fifo		tx_queue;
	/* (Re)scheduled with BT_ATT_TIMEOUT by chan_req_sent(), cancelled by
	 * att_handle_rsp().
	 */
	struct k_work_delayable	timeout_work;
	/* Callback invoked from bt_att_sent() for the PDU last handed over */
	void (*sent)(struct bt_att_chan *chan);
	/* Link in bt_att.chans */
	sys_snode_t		node;
};
94 
/* ATT connection specific data */
struct bt_att {
	/* Connection this ATT instance belongs to */
	struct bt_conn		*conn;
	/* Shared request queue (list of bt_att_req.node), served by whichever
	 * channel has no request outstanding.
	 */
	sys_slist_t		reqs;
	/* Buffers that may be sent on any channel of this connection */
	struct k_fifo		tx_queue;
#if CONFIG_BT_ATT_PREPARE_COUNT > 0
	/* NOTE(review): presumably queued prepare-write buffers from
	 * prep_pool; its use is outside this part of the file - confirm.
	 */
	struct k_fifo		prep_queue;
#endif
	/* Contains bt_att_chan instance(s) */
	sys_slist_t		chans;
};
107 
/* One struct bt_att per connection */
K_MEM_SLAB_DEFINE(att_slab, sizeof(struct bt_att),
		  CONFIG_BT_MAX_CONN, __alignof__(struct bt_att));
/* ATT_CHAN_MAX channels for each connection */
K_MEM_SLAB_DEFINE(chan_slab, sizeof(struct bt_att_chan),
		  CONFIG_BT_MAX_CONN * ATT_CHAN_MAX,
		  __alignof__(struct bt_att_chan));
/* Sentinel: att_handle_rsp() compares chan->req against &cancel to detect a
 * request that was cancelled while its response was still outstanding.
 */
static struct bt_att_req cancel;
114 
115 typedef void (*bt_att_chan_sent_t)(struct bt_att_chan *chan);
116 
117 static bt_att_chan_sent_t chan_cb(struct net_buf *buf);
118 static bt_conn_tx_cb_t att_cb(bt_att_chan_sent_t cb);
119 
120 static void att_chan_mtu_updated(struct bt_att_chan *updated_chan);
121 static void bt_att_disconnected(struct bt_l2cap_chan *chan);
122 
/**
 * @brief Connection TX-complete callback for ATT PDUs.
 *
 * Forwards the completion to the `sent` operation of the L2CAP channel
 * carried in @p user_data, when the channel provides one.
 *
 * @param conn      Connection the PDU was sent on (only logged here).
 * @param user_data The L2CAP channel, passed as struct bt_l2cap_chan pointer.
 */
void att_sent(struct bt_conn *conn, void *user_data)
{
	struct bt_l2cap_chan *l2cap_chan = user_data;

	BT_DBG("conn %p chan %p", conn, l2cap_chan);

	if (!l2cap_chan->ops->sent) {
		return;
	}

	l2cap_chan->ops->sent(l2cap_chan);
}
133 
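/* Send an ATT PDU on the given channel.
 *
 * In case of success the ownership of the buffer is transferred to the stack
 * which takes care of releasing it when it completes transmitting to the
 * controller.
 *
 * In case bt_l2cap_send_cb fails the buffer state and ownership are retained
 * so the buffer can be safely pushed back to the queue to be processed later.
 *
 * On an enhanced (EATT) channel every failure after ATT_PENDING_SENT has been
 * taken releases the flag again. The flag is otherwise only cleared by
 * bt_att_sent(), which does not run for a PDU that was never handed to L2CAP,
 * so leaving it set would make every later send on the channel return
 * -EAGAIN.
 *
 * NOTE(review): the signing failure path unreferences the buffer and still
 * returns an error, while process_queue() and att_send_process() put the
 * buffer back on a queue after any error. Confirm that a signed write cannot
 * reach those callers; otherwise a released buffer ends up queued again.
 *
 * Returns 0 on success, -EAGAIN when an enhanced channel cannot send right
 * now, -ENOTSUP for a signed write on an enhanced channel, or the error
 * reported by bt_smp_sign(), bt_l2cap_chan_send() or bt_l2cap_send_cb().
 */
static int chan_send(struct bt_att_chan *chan, struct net_buf *buf,
		     bt_att_chan_sent_t cb)
{
	struct bt_att_hdr *hdr;
	struct net_buf_simple_state state;
	int err;

	hdr = (void *)buf->data;

	BT_DBG("code 0x%02x", hdr->code);

	if (IS_ENABLED(CONFIG_BT_EATT) &&
	    atomic_test_bit(chan->flags, ATT_ENHANCED)) {
		/* Check if sent is pending already, if it does it cannot be
		 * modified so the operation will need to be queued.
		 */
		if (atomic_test_and_set_bit(chan->flags, ATT_PENDING_SENT)) {
			return -EAGAIN;
		}

		chan->sent = cb ? cb : chan_cb(buf);

		if (hdr->code == BT_ATT_OP_SIGNED_WRITE_CMD) {
			/* Nothing was sent: no sent callback will release
			 * the flag, so release it here.
			 */
			atomic_clear_bit(chan->flags, ATT_PENDING_SENT);
			return -ENOTSUP;
		}

		/* Check if the channel is ready to send in case of a request */
		if (att_op_get_type(hdr->code) == ATT_REQUEST &&
		    !atomic_test_bit(chan->chan.chan.status,
				     BT_L2CAP_STATUS_OUT)) {
			atomic_clear_bit(chan->flags, ATT_PENDING_SENT);
			return -EAGAIN;
		}

		/* bt_l2cap_chan_send does actually return the number of bytes
		 * that could be sent immediately.
		 */
		err = bt_l2cap_chan_send(&chan->chan.chan, buf);
		if (err < 0) {
			atomic_clear_bit(chan->flags, ATT_PENDING_SENT);
			return err;
		}

		return 0;
	}

	if (hdr->code == BT_ATT_OP_SIGNED_WRITE_CMD) {
		err = bt_smp_sign(chan->att->conn, buf);
		if (err) {
			BT_ERR("Error signing data");
			/* See NOTE(review) above: the buffer is released on
			 * this error path only.
			 */
			net_buf_unref(buf);
			return err;
		}
	}

	/* Remember the buffer layout so a failed send can be undone */
	net_buf_simple_save(&buf->b, &state);

	chan->sent = cb ? cb : chan_cb(buf);

	err = bt_l2cap_send_cb(chan->att->conn, BT_L2CAP_CID_ATT,
			       buf, att_cb(chan->sent),
			       &chan->chan.chan);
	if (err) {
		/* In case of an error has occurred restore the buffer state */
		net_buf_simple_restore(&buf->b, &state);
	}

	return err;
}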
210 
/* Try to send the buffer at the head of a queue on the given channel.
 *
 * The buffer is taken without waiting. When chan_send() reports an error the
 * buffer is put back at the head of the queue, so ordering is preserved.
 *
 * Returns 0 when a buffer was sent, -ENOENT when the queue was empty, or the
 * error from chan_send().
 */
static int process_queue(struct bt_att_chan *chan, struct k_fifo *queue)
{
	struct net_buf *pending = net_buf_get(queue, K_NO_WAIT);
	int rc;

	if (!pending) {
		return -ENOENT;
	}

	rc = chan_send(chan, pending, NULL);
	if (rc) {
		/* Push it back if it could not be sent */
		k_queue_prepend(&queue->_queue, pending);
	}

	return rc;
}
230 
/* Send requests without taking tx_sem
 *
 * Rejects a request larger than the channel's TX MTU with -EMSGSIZE.
 * Otherwise the request becomes the channel's outstanding request and its
 * buffer is handed to chan_send(). If that fails, the request keeps its
 * buffer and the channel is left without an outstanding request.
 */
static int chan_req_send(struct bt_att_chan *chan, struct bt_att_req *req)
{
	struct net_buf *pdu = req->buf;
	int rc;

	if (net_buf_frags_len(pdu) > chan->chan.tx.mtu) {
		return -EMSGSIZE;
	}

	BT_DBG("chan %p req %p len %zu", chan, req,
	       net_buf_frags_len(pdu));

	chan->req = req;

	/* Detach the buffer: bt_l2cap_send_cb takes ownership on success */
	req->buf = NULL;

	rc = chan_send(chan, pdu, NULL);
	if (!rc) {
		return 0;
	}

	/* We still have the ownership of the buffer */
	req->buf = pdu;
	chan->req = NULL;

	return rc;
}
259 
/* L2CAP "sent" operation for ATT channels.
 *
 * Runs the per-PDU sent callback stored on the channel, releases
 * ATT_PENDING_SENT, and then tries to start the next transmission: a pending
 * request first, then the channel queue, then the connection-wide queue.
 */
static void bt_att_sent(struct bt_l2cap_chan *ch)
{
	struct bt_att_chan *chan = ATT_CHAN(ch);
	struct bt_att *att = chan->att;

	BT_DBG("chan %p", chan);

	if (chan->sent) {
		chan->sent(chan);
	}

	atomic_clear_bit(chan->flags, ATT_PENDING_SENT);

	if (!att) {
		BT_DBG("Ignore sent on detached ATT chan");
		return;
	}

	/* Requests go first: only one can be outstanding at a time, so if the
	 * other queues were served before them they could starve the request
	 * queue indefinitely.
	 */
	if (!chan->req && !sys_slist_is_empty(&att->reqs)) {
		sys_snode_t *req_node = sys_slist_get(&att->reqs);

		if (chan_req_send(chan, ATT_REQ(req_node)) >= 0) {
			return;
		}

		/* Could not be sent: put it back at the head of the list */
		sys_slist_prepend(&att->reqs, req_node);
	}

	/* Channel queue first; fall back to the global queue only when the
	 * channel queue did not produce a successful send.
	 */
	if (process_queue(chan, &chan->tx_queue) != 0) {
		(void)process_queue(chan, &att->tx_queue);
	}
}
304 
/* Sent callback for confirmations: with CONFIG_BT_ATT_ENFORCE_FLOW enabled
 * it clears ATT_PENDING_CFM on the channel.
 */
static void chan_cfm_sent(struct bt_att_chan *chan)
{
	BT_DBG("chan %p", chan);

	if (!IS_ENABLED(CONFIG_BT_ATT_ENFORCE_FLOW)) {
		return;
	}

	atomic_clear_bit(chan->flags, ATT_PENDING_CFM);
}
313 
/* Sent callback for responses: with CONFIG_BT_ATT_ENFORCE_FLOW enabled it
 * clears ATT_PENDING_RSP on the channel.
 */
static void chan_rsp_sent(struct bt_att_chan *chan)
{
	BT_DBG("chan %p", chan);

	if (!IS_ENABLED(CONFIG_BT_ATT_ENFORCE_FLOW)) {
		return;
	}

	atomic_clear_bit(chan->flags, ATT_PENDING_RSP);
}
322 
/* Sent callback for requests and indications: (re)starts the channel's
 * timeout work with BT_ATT_TIMEOUT when a request is outstanding.
 */
static void chan_req_sent(struct bt_att_chan *chan)
{
	BT_DBG("chan %p chan->req %p", chan, chan->req);

	if (!chan->req) {
		return;
	}

	/* Start timeout work */
	k_work_reschedule(&chan->timeout_work, BT_ATT_TIMEOUT);
}
332 
/* Pick the channel sent-callback matching the PDU in buf.
 *
 * The opcode is the first byte of the buffer. Responses and confirmations
 * get their own callbacks, requests and indications share chan_req_sent, and
 * any other PDU type gets no callback (NULL).
 */
static bt_att_chan_sent_t chan_cb(struct net_buf *buf)
{
	const att_type_t type = att_op_get_type(buf->data[0]);

	if (type == ATT_RESPONSE) {
		return chan_rsp_sent;
	}

	if (type == ATT_CONFIRMATION) {
		return chan_cfm_sent;
	}

	if (type == ATT_REQUEST || type == ATT_INDICATION) {
		return chan_req_sent;
	}

	return NULL;
}
347 
/* Connection TX callback for confirmations: selects chan_cfm_sent as the
 * channel's sent callback, then forwards to att_sent().
 *
 * user_data must be the L2CAP channel embedded in a struct bt_att_chan.
 */
static void att_cfm_sent(struct bt_conn *conn, void *user_data)
{
	struct bt_l2cap_chan *l2cap_chan = user_data;
	struct bt_att_chan *att_chan = ATT_CHAN(l2cap_chan);

	BT_DBG("conn %p chan %p", conn, att_chan);

	att_chan->sent = chan_cfm_sent;

	att_sent(conn, user_data);
}
359 
/* Connection TX callback for responses: selects chan_rsp_sent as the
 * channel's sent callback, then forwards to att_sent().
 *
 * user_data must be the L2CAP channel embedded in a struct bt_att_chan.
 */
static void att_rsp_sent(struct bt_conn *conn, void *user_data)
{
	struct bt_l2cap_chan *l2cap_chan = user_data;
	struct bt_att_chan *att_chan = ATT_CHAN(l2cap_chan);

	BT_DBG("conn %p chan %p", conn, att_chan);

	att_chan->sent = chan_rsp_sent;

	att_sent(conn, user_data);
}
371 
/* Connection TX callback for requests: selects chan_req_sent as the
 * channel's sent callback, then forwards to att_sent().
 *
 * user_data must be the L2CAP channel embedded in a struct bt_att_chan.
 */
static void att_req_sent(struct bt_conn *conn, void *user_data)
{
	struct bt_l2cap_chan *l2cap_chan = user_data;
	struct bt_att_chan *att_chan = ATT_CHAN(l2cap_chan);

	BT_DBG("conn %p chan %p", conn, att_chan);

	att_chan->sent = chan_req_sent;

	att_sent(conn, user_data);
}
383 
/* Translate a channel sent-callback into the matching connection TX
 * callback. Any callback other than the three known ones maps to the plain
 * att_sent().
 */
static bt_conn_tx_cb_t att_cb(bt_att_chan_sent_t cb)
{
	if (cb == chan_rsp_sent) {
		return att_rsp_sent;
	}

	if (cb == chan_cfm_sent) {
		return att_cfm_sent;
	}

	if (cb == chan_req_sent) {
		return att_req_sent;
	}

	return att_sent;
}
396 
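/**
 * @brief Allocate an ATT PDU and write its opcode.
 *
 * The requested size (payload plus the one-byte opcode) is checked against
 * the channel's TX MTU before anything is allocated. The comparison is done
 * by subtraction on the MTU side so that a very large @p len cannot wrap the
 * sum around and slip past the limit.
 *
 * Responses and confirmations are allocated with a BT_ATT_TIMEOUT wait; every
 * other PDU type uses bt_l2cap_create_pdu().
 *
 * @param chan ATT channel the PDU is meant for.
 * @param op   ATT opcode stored in the header.
 * @param len  Payload length the caller intends to add after the header.
 *
 * @return The new buffer with the header already added, or NULL when the
 *         size exceeds the MTU or no buffer could be allocated.
 */
struct net_buf *bt_att_chan_create_pdu(struct bt_att_chan *chan, uint8_t op,
				       size_t len)
{
	const size_t mtu = chan->chan.tx.mtu;
	struct bt_att_hdr *hdr;
	struct net_buf *buf;

	/* Same limit as "len + sizeof(op) > mtu", without the addition */
	if (mtu < sizeof(op) || len > mtu - sizeof(op)) {
		BT_WARN("ATT MTU exceeded, max %u, wanted %zu",
			chan->chan.tx.mtu, len + sizeof(op));
		return NULL;
	}

	switch (att_op_get_type(op)) {
	case ATT_RESPONSE:
	case ATT_CONFIRMATION:
		/* Use a timeout only when responding/confirming */
		buf = bt_l2cap_create_pdu_timeout(NULL, 0, BT_ATT_TIMEOUT);
		break;
	default:
		buf = bt_l2cap_create_pdu(NULL, 0);
		break;
	}

	if (!buf) {
		BT_ERR("Unable to allocate buffer for op 0x%02x", op);
		return NULL;
	}

	hdr = net_buf_add(buf, sizeof(*hdr));
	hdr->code = op;

	return buf;
}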
429 
/* Report whether the channel counts as connected.
 *
 * Returns false only when the connection state is BT_CONN_CONNECTED and the
 * channel carries ATT_DISCONNECTED; every other combination returns true.
 *
 * NOTE(review): this also returns true whenever the connection is NOT in
 * BT_CONN_CONNECTED, which reads as inverted for a predicate with this name
 * (one would expect "connected and not flagged disconnected"). The callers
 * are outside this part of the file; confirm the intent before relying on
 * this as a gate for sending.
 */
static inline bool att_chan_is_connected(struct bt_att_chan *chan)
{
	const bool flagged_down =
		chan->att->conn->state == BT_CONN_CONNECTED &&
		atomic_test_bit(chan->flags, ATT_DISCONNECTED);

	return !flagged_down;
}
435 
/* Logging wrapper around chan_send(): traces the channel, its flags and the
 * opcode found in the first byte of the buffer, then sends. Returns whatever
 * chan_send() returns.
 */
static int bt_att_chan_send(struct bt_att_chan *chan, struct net_buf *buf,
			    bt_att_chan_sent_t cb)
{
	int rc;

	BT_DBG("chan %p flags %u code 0x%02x", chan, atomic_get(chan->flags),
	       ((struct bt_att_hdr *)buf->data)->code);

	rc = chan_send(chan, buf, cb);

	return rc;
}
444 
/* Send the buffer at the head of the connection-wide TX queue on the first
 * channel that accepts it.
 *
 * When no channel accepts the buffer (or the connection has no channel) it
 * is put back at the head of the queue.
 *
 * NOTE(review): the same buffer is offered to the next channel after a
 * failed attempt, which relies on a failing send leaving the buffer owned by
 * the caller - confirm this holds for every error path of the send routine.
 */
static void att_send_process(struct bt_att *att)
{
	struct bt_att_chan *chan, *next;
	struct net_buf *pdu;

	pdu = net_buf_get(&att->tx_queue, K_NO_WAIT);
	if (!pdu) {
		return;
	}

	SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->chans, chan, next, node) {
		if (bt_att_chan_send(chan, pdu, NULL) >= 0) {
			/* Accepted by this channel, nothing left to do */
			return;
		}
	}

	/* Push it back if it could not be sent */
	k_queue_prepend(&att->tx_queue._queue, pdu);
}
468 
/* Send a response on the channel the request arrived on.
 *
 * If the send fails the buffer is appended to that channel's own TX queue
 * rather than the shared one, because responses need to be sent back using
 * the same channel.
 */
static void bt_att_chan_send_rsp(struct bt_att_chan *chan, struct net_buf *buf,
				 bt_att_chan_sent_t cb)
{
	if (bt_att_chan_send(chan, buf, cb) == 0) {
		return;
	}

	net_buf_put(&chan->tx_queue, buf);
}
480 
/* Build and send an ATT Error Response.
 *
 * Nothing is sent for request opcode 0x00, or when no PDU can be created.
 *
 * chan   - channel to answer on
 * req    - opcode of the request being rejected
 * handle - attribute handle reported in the error (converted to
 *          little-endian here)
 * err    - ATT error code
 */
static void send_err_rsp(struct bt_att_chan *chan, uint8_t req, uint16_t handle,
			 uint8_t err)
{
	struct bt_att_error_rsp *payload;
	struct net_buf *pdu;

	/* Ignore opcode 0x00 */
	if (req == 0) {
		return;
	}

	pdu = bt_att_chan_create_pdu(chan, BT_ATT_OP_ERROR_RSP,
				     sizeof(*payload));
	if (!pdu) {
		return;
	}

	payload = net_buf_add(pdu, sizeof(*payload));
	payload->request = req;
	payload->handle = sys_cpu_to_le16(handle);
	payload->error = err;

	bt_att_chan_send_rsp(chan, pdu, chan_rsp_sent);
}
504 
/* Handle an Exchange MTU Request.
 *
 * Rejected with BT_ATT_ERR_NOT_SUPPORTED on an enhanced channel and with
 * BT_ATT_ERR_INVALID_PDU when the client MTU is below
 * BT_ATT_DEFAULT_LE_MTU. Otherwise the response carrying BT_ATT_MTU is sent
 * first, and only then are the channel's RX and TX MTU set to the smaller of
 * the two values.
 *
 * NOTE(review): req->mtu is read straight from buf->data; this assumes the
 * caller has already checked that the PDU is at least sizeof(*req) long -
 * confirm against the dispatcher, which is outside this part of the file.
 *
 * Returns 0 on success or an ATT error code.
 */
static uint8_t att_mtu_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_conn *conn = chan->att->conn;
	struct bt_att_exchange_mtu_req *req;
	struct bt_att_exchange_mtu_rsp *rsp;
	struct net_buf *rsp_pdu;
	uint16_t client_mtu;
	uint16_t server_mtu;
	uint16_t agreed_mtu;

	/* Exchange MTU sub-procedure shall only be supported on the
	 * LE Fixed Channel Unenhanced ATT bearer.
	 */
	if (atomic_test_bit(chan->flags, ATT_ENHANCED)) {
		return BT_ATT_ERR_NOT_SUPPORTED;
	}

	req = (void *)buf->data;
	client_mtu = sys_le16_to_cpu(req->mtu);

	BT_DBG("Client MTU %u", client_mtu);

	/* A peer-supplied MTU below the default is not acceptable */
	if (client_mtu < BT_ATT_DEFAULT_LE_MTU) {
		return BT_ATT_ERR_INVALID_PDU;
	}

	rsp_pdu = bt_att_create_pdu(conn, BT_ATT_OP_MTU_RSP, sizeof(*rsp));
	if (!rsp_pdu) {
		return BT_ATT_ERR_UNLIKELY;
	}

	server_mtu = BT_ATT_MTU;

	BT_DBG("Server MTU %u", server_mtu);

	rsp = net_buf_add(rsp_pdu, sizeof(*rsp));
	rsp->mtu = sys_cpu_to_le16(server_mtu);

	bt_att_chan_send_rsp(chan, rsp_pdu, chan_rsp_sent);

	/* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part F] page 484:
	 *
	 * A device's Exchange MTU Request shall contain the same MTU as the
	 * device's Exchange MTU Response (i.e. the MTU shall be symmetric).
	 */
	agreed_mtu = MIN(client_mtu, server_mtu);
	chan->chan.rx.mtu = agreed_mtu;
	chan->chan.tx.mtu = chan->chan.rx.mtu;

	BT_DBG("Negotiated MTU %u", chan->chan.rx.mtu);

	att_chan_mtu_updated(chan);

	return 0;
}
559 
/* Checked entry point for sending a request on a channel.
 *
 * Asserts that the channel and request are non-NULL, that the request has a
 * completion function, and that the channel has no request outstanding, then
 * delegates to chan_req_send() and returns its result.
 */
static int bt_att_chan_req_send(struct bt_att_chan *chan,
				struct bt_att_req *req)
{
	int rc;

	__ASSERT_NO_MSG(chan);
	__ASSERT_NO_MSG(req);
	__ASSERT_NO_MSG(req->func);
	__ASSERT_NO_MSG(!chan->req);

	BT_DBG("req %p", req);

	rc = chan_req_send(chan, req);

	return rc;
}
572 
/* Take the next request off the shared list and send it on the first channel
 * that has no request outstanding and accepts it.
 *
 * If no channel takes the request it goes back to the head of the list.
 */
static void att_req_send_process(struct bt_att *att)
{
	struct bt_att_chan *chan, *next;
	sys_snode_t *req_node;

	/* Pull next request from the list */
	req_node = sys_slist_get(&att->reqs);
	if (!req_node) {
		return;
	}

	BT_DBG("req %p", ATT_REQ(req_node));

	/* "node" below names the list member inside struct bt_att_chan */
	SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->chans, chan, next, node) {
		/* Only a channel with nothing pending can carry a request */
		if (chan->req) {
			continue;
		}

		if (bt_att_chan_req_send(chan, ATT_REQ(req_node)) >= 0) {
			return;
		}
	}

	/* Prepend back to the list as it could not be sent */
	sys_slist_prepend(&att->reqs, req_node);
}
598 
/* Complete the request outstanding on a channel.
 *
 * Cancels the channel timeout, detaches and frees the outstanding request
 * (unless there is none, or it is the cancel sentinel), starts the next
 * queued request, and finally invokes the completed request's callback with
 * the response data.
 *
 * chan - channel the response arrived on
 * pdu  - response payload handed to the callback, may be NULL
 * len  - payload length
 * err  - ATT error code handed to the callback, 0 for success
 *
 * Always returns 0.
 */
static uint8_t att_handle_rsp(struct bt_att_chan *chan, void *pdu, uint16_t len,
			   uint8_t err)
{
	bt_att_func_t func = NULL;
	void *params = NULL;
	struct bt_att_req *req;

	BT_DBG("chan %p err 0x%02x len %u: %s", chan, err, len,
	       bt_hex(pdu, len));

	/* Cancel timeout if ongoing */
	k_work_cancel_delayable(&chan->timeout_work);

	req = chan->req;
	if (!req) {
		BT_WARN("No pending ATT request");
	} else if (req == &cancel) {
		/* Request has been cancelled: just drop the sentinel */
		chan->req = NULL;
	} else {
		/* Take the callback out of the request before it is freed so
		 * the request memory can be reused by the callback.
		 */
		func = req->func;
		req->func = NULL;
		params = req->user_data;

		bt_att_req_free(req);
		chan->req = NULL;
	}

	/* Process pending requests */
	att_req_send_process(chan->att);

	if (func) {
		func(chan->att->conn, err, pdu, len, params);
	}

	return 0;
}
640 
641 #if defined(CONFIG_BT_GATT_CLIENT)
/* Handle an Exchange MTU Response.
 *
 * A server MTU below BT_ATT_DEFAULT_LE_MTU completes the pending request
 * with BT_ATT_ERR_INVALID_PDU and leaves the channel MTU untouched. Otherwise
 * RX and TX MTU are both set to the smaller of the server value and
 * BT_ATT_MTU before the request is completed.
 *
 * NOTE(review): rsp->mtu is read straight from buf->data; this assumes the
 * caller has already checked that the PDU is at least sizeof(*rsp) long -
 * confirm against the dispatcher, which is outside this part of the file.
 */
static uint8_t att_mtu_rsp(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_exchange_mtu_rsp *rsp = (void *)buf->data;
	uint16_t server_mtu = sys_le16_to_cpu(rsp->mtu);

	BT_DBG("Server MTU %u", server_mtu);

	/* A peer-supplied MTU below the default is not acceptable */
	if (server_mtu < BT_ATT_DEFAULT_LE_MTU) {
		return att_handle_rsp(chan, NULL, 0, BT_ATT_ERR_INVALID_PDU);
	}

	chan->chan.rx.mtu = MIN(server_mtu, BT_ATT_MTU);

	/* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part F] page 484:
	 *
	 * A device's Exchange MTU Request shall contain the same MTU as the
	 * device's Exchange MTU Response (i.e. the MTU shall be symmetric).
	 */
	chan->chan.tx.mtu = chan->chan.rx.mtu;

	BT_DBG("Negotiated MTU %u", chan->chan.rx.mtu);

	att_chan_mtu_updated(chan);

	return att_handle_rsp(chan, rsp, buf->len, 0);
}
673 #endif /* CONFIG_BT_GATT_CLIENT */
674 
/* Validate a handle range taken from a request.
 *
 * A range is valid when neither bound is 0 and start does not exceed end.
 * On failure, and when err is not NULL, *err receives the handle to report
 * in the error response: 0 for a zero bound, start for an inverted range.
 * *err is left untouched for a valid range.
 */
static bool range_is_valid(uint16_t start, uint16_t end, uint16_t *err)
{
	uint16_t bad_handle;

	if (start == 0U || end == 0U) {
		/* Handle 0 is invalid */
		bad_handle = 0U;
	} else if (start > end) {
		bad_handle = start;
	} else {
		return true;
	}

	if (err) {
		*err = bad_handle;
	}

	return false;
}
695 
/* Iteration state for building a Find Information Response */
struct find_info_data {
	/* Channel being answered; its TX MTU bounds the response */
	struct bt_att_chan *chan;
	/* Response buffer under construction */
	struct net_buf *buf;
	/* Response header inside buf; NULL until the first attribute */
	struct bt_att_find_info_rsp *rsp;
	/* Most recently added entry; which member is valid follows
	 * rsp->format.
	 */
	union {
		struct bt_att_info_16 *info16;
		struct bt_att_info_128 *info128;
	};
};
705 
/* bt_gatt_foreach_attr() callback that appends one handle/UUID pair to a
 * Find Information Response.
 *
 * The first attribute fixes the response format (16-bit or 128-bit UUIDs);
 * iteration stops at the first attribute whose UUID type does not match that
 * format, or when the space left under the TX MTU is not strictly larger
 * than one more entry.
 *
 * NOTE(review): entries are added before the remaining space is tested, and
 * only buf->len (not the fragment chain) is compared with the MTU; this
 * assumes the response buffer can hold a full MTU - confirm.
 */
static uint8_t find_info_cb(const struct bt_gatt_attr *attr, uint16_t handle,
			    void *user_data)
{
	struct find_info_data *ctx = user_data;
	struct bt_att_chan *chan = ctx->chan;

	BT_DBG("handle 0x%04x", handle);

	/* Initialize rsp at first entry */
	if (!ctx->rsp) {
		ctx->rsp = net_buf_add(ctx->buf, sizeof(*ctx->rsp));
		if (attr->uuid->type == BT_UUID_TYPE_16) {
			ctx->rsp->format = BT_ATT_INFO_16;
		} else {
			ctx->rsp->format = BT_ATT_INFO_128;
		}
	}

	if (ctx->rsp->format == BT_ATT_INFO_16) {
		if (attr->uuid->type != BT_UUID_TYPE_16) {
			return BT_GATT_ITER_STOP;
		}

		/* Fast forward to next item position */
		ctx->info16 = net_buf_add(ctx->buf, sizeof(*ctx->info16));
		ctx->info16->handle = sys_cpu_to_le16(handle);
		ctx->info16->uuid = sys_cpu_to_le16(BT_UUID_16(attr->uuid)->val);

		if (chan->chan.tx.mtu - ctx->buf->len >
		    sizeof(*ctx->info16)) {
			return BT_GATT_ITER_CONTINUE;
		}
	} else if (ctx->rsp->format == BT_ATT_INFO_128) {
		if (attr->uuid->type != BT_UUID_TYPE_128) {
			return BT_GATT_ITER_STOP;
		}

		/* Fast forward to next item position */
		ctx->info128 = net_buf_add(ctx->buf, sizeof(*ctx->info128));
		ctx->info128->handle = sys_cpu_to_le16(handle);
		memcpy(ctx->info128->uuid, BT_UUID_128(attr->uuid)->val,
		       sizeof(ctx->info128->uuid));

		if (chan->chan.tx.mtu - ctx->buf->len >
		    sizeof(*ctx->info128)) {
			return BT_GATT_ITER_CONTINUE;
		}
	}

	return BT_GATT_ITER_STOP;
}
757 
/* Build and send the answer to a Find Information Request.
 *
 * Walks the attributes in [start_handle, end_handle] with find_info_cb().
 * When no attribute was added the buffer is released and an Attribute Not
 * Found error is sent for start_handle instead.
 *
 * Returns BT_ATT_ERR_UNLIKELY when no response buffer could be created,
 * otherwise 0 (the response or error has been sent or queued).
 */
static uint8_t att_find_info_rsp(struct bt_att_chan *chan, uint16_t start_handle,
			      uint16_t end_handle)
{
	struct find_info_data ctx;

	(void)memset(&ctx, 0, sizeof(ctx));

	ctx.buf = bt_att_create_pdu(chan->chan.chan.conn,
				    BT_ATT_OP_FIND_INFO_RSP, 0);
	if (!ctx.buf) {
		return BT_ATT_ERR_UNLIKELY;
	}

	ctx.chan = chan;
	bt_gatt_foreach_attr(start_handle, end_handle, find_info_cb, &ctx);

	if (ctx.rsp) {
		bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);
		return 0;
	}

	/* Nothing found: drop the empty response and report the error.
	 * Respond since handle is set.
	 */
	net_buf_unref(ctx.buf);
	send_err_rsp(chan, BT_ATT_OP_FIND_INFO_REQ, start_handle,
		     BT_ATT_ERR_ATTRIBUTE_NOT_FOUND);

	return 0;
}
786 
/* Handle a Find Information Request.
 *
 * Decodes the little-endian handle range, answers an invalid range with
 * BT_ATT_ERR_INVALID_HANDLE, and otherwise builds the response.
 *
 * NOTE(review): the request fields are read straight from buf->data; this
 * assumes the caller has already checked the PDU length against
 * sizeof(*req) - confirm against the dispatcher, which is outside this part
 * of the file.
 */
static uint8_t att_find_info_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_find_info_req *req = (void *)buf->data;
	uint16_t first = sys_le16_to_cpu(req->start_handle);
	uint16_t last = sys_le16_to_cpu(req->end_handle);
	uint16_t err_handle;

	BT_DBG("start_handle 0x%04x end_handle 0x%04x", first,
	       last);

	if (range_is_valid(first, last, &err_handle)) {
		return att_find_info_rsp(chan, first, last);
	}

	send_err_rsp(chan, BT_ATT_OP_FIND_INFO_REQ, err_handle,
		     BT_ATT_ERR_INVALID_HANDLE);

	return 0;
}
808 
/* Iteration state for building a Find By Type Value Response */
struct find_type_data {
	/* Channel being answered; its TX MTU bounds the response */
	struct bt_att_chan *chan;
	/* Response buffer (possibly a fragment chain) under construction */
	struct net_buf *buf;
	/* Group currently being extended, NULL when the last service seen
	 * did not match.
	 */
	struct bt_att_handle_group *group;
	/* Value to match, pointing into the request buffer */
	const void *value;
	/* Length of value in bytes; only 8 bits wide */
	uint8_t value_len;
	/* Preset to "attribute not found", cleared on the first match */
	uint8_t err;
};
817 
/* bt_gatt_foreach_attr() callback for Find By Type Value.
 *
 * Secondary services are skipped. A primary service whose value matches the
 * requested one opens a new handle group in the response; every following
 * non-service attribute extends the end handle of the open group. Iteration
 * stops when the response has no room for another group or no fragment can
 * be allocated.
 */
static uint8_t find_type_cb(const struct bt_gatt_attr *attr, uint16_t handle,
			    void *user_data)
{
	struct find_type_data *data = user_data;
	struct bt_att_chan *chan = data->chan;
	struct bt_conn *conn = chan->chan.chan.conn;
	int read;
	/* Large enough for a 128-bit UUID; the read below is bounded by it */
	uint8_t uuid[16];
	struct net_buf *frag;
	size_t len;

	/* Skip secondary services */
	if (!bt_uuid_cmp(attr->uuid, BT_UUID_GATT_SECONDARY)) {
		goto skip;
	}

	/* Update group end_handle if not a primary service */
	if (bt_uuid_cmp(attr->uuid, BT_UUID_GATT_PRIMARY)) {
		if (data->group &&
		    handle > sys_le16_to_cpu(data->group->end_handle)) {
			data->group->end_handle = sys_cpu_to_le16(handle);
		}
		return BT_GATT_ITER_CONTINUE;
	}

	BT_DBG("handle 0x%04x", handle);

	/* stop if there is no space left */
	if (chan->chan.tx.mtu - net_buf_frags_len(data->buf) <
	    sizeof(*data->group)) {
		return BT_GATT_ITER_STOP;
	}

	frag = net_buf_frag_last(data->buf);

	len = MIN(chan->chan.tx.mtu - net_buf_frags_len(data->buf),
		  net_buf_tailroom(frag));
	/* NOTE(review): a new fragment is only allocated when len is exactly
	 * 0. If the last fragment has some tailroom left but less than
	 * sizeof(*data->group), the net_buf_add() further down would be asked
	 * for more than the fragment can hold - confirm the buffer sizes rule
	 * this out, or compare len against sizeof(*data->group) instead.
	 */
	if (!len) {
		frag = net_buf_alloc(net_buf_pool_get(data->buf->pool_id),
				     K_NO_WAIT);
		/* If not buffer can be allocated immediately stop */
		if (!frag) {
			return BT_GATT_ITER_STOP;
		}

		net_buf_frag_add(data->buf, frag);
	}

	/* Read attribute value and store in the buffer */
	read = attr->read(conn, attr, uuid, sizeof(uuid), 0);
	if (read < 0) {
		/*
		 * Since we don't know if it is the service with requested UUID,
		 * we cannot respond with an error to this request.
		 */
		goto skip;
	}

	/* Check if data matches */
	if (read != data->value_len) {
		/* Use bt_uuid_cmp() to compare UUIDs of different form. */
		struct bt_uuid_128 ref_uuid;
		struct bt_uuid_128 recvd_uuid;

		/* data->value comes from the peer's request; a length that
		 * bt_uuid_create() rejects is treated as "no match".
		 */
		if (!bt_uuid_create(&recvd_uuid.uuid, data->value, data->value_len)) {
			BT_WARN("Unable to create UUID: size %u", data->value_len);
			goto skip;
		}
		if (!bt_uuid_create(&ref_uuid.uuid, uuid, read)) {
			BT_WARN("Unable to create UUID: size %d", read);
			goto skip;
		}
		if (bt_uuid_cmp(&recvd_uuid.uuid, &ref_uuid.uuid)) {
			goto skip;
		}
	} else if (memcmp(data->value, uuid, read)) {
		/* Same length: read <= sizeof(uuid), so both sides of the
		 * comparison stay within their buffers as long as value_len
		 * is the true length of data->value.
		 */
		goto skip;
	}

	/* If service has been found, error should be cleared */
	data->err = 0x00;

	/* Fast forward to next item position */
	data->group = net_buf_add(frag, sizeof(*data->group));
	data->group->start_handle = sys_cpu_to_le16(handle);
	data->group->end_handle = sys_cpu_to_le16(handle);

	/* continue to find the end_handle */
	return BT_GATT_ITER_CONTINUE;

skip:
	/* Close any open group so later attributes do not extend it */
	data->group = NULL;
	return BT_GATT_ITER_CONTINUE;
}
912 
/* Build and send the answer to a Find By Type Value Request.
 *
 * Walks the attributes in [start_handle, end_handle] with find_type_cb(),
 * matching primary services against value/value_len. If no service matched,
 * the buffer is released and the preset error (Attribute Not Found) is sent
 * for start_handle instead.
 *
 * Returns BT_ATT_ERR_UNLIKELY when no response buffer could be created,
 * otherwise 0 (the response or error has been sent or queued).
 */
static uint8_t att_find_type_rsp(struct bt_att_chan *chan, uint16_t start_handle,
			      uint16_t end_handle, const void *value,
			      uint8_t value_len)
{
	struct find_type_data ctx;

	(void)memset(&ctx, 0, sizeof(ctx));

	ctx.buf = bt_att_create_pdu(chan->chan.chan.conn,
				    BT_ATT_OP_FIND_TYPE_RSP, 0);
	if (!ctx.buf) {
		return BT_ATT_ERR_UNLIKELY;
	}

	ctx.chan = chan;
	ctx.group = NULL;
	ctx.value = value;
	ctx.value_len = value_len;

	/* Pre-set error in case no service will be found */
	ctx.err = BT_ATT_ERR_ATTRIBUTE_NOT_FOUND;

	bt_gatt_foreach_attr(start_handle, end_handle, find_type_cb, &ctx);

	if (!ctx.err) {
		/* The callback cleared the error: at least one match */
		bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);
		return 0;
	}

	/* No service found: drop the response and report the error.
	 * Respond since handle is set.
	 */
	net_buf_unref(ctx.buf);
	send_err_rsp(chan, BT_ATT_OP_FIND_TYPE_REQ, start_handle,
		     ctx.err);

	return 0;
}
950 
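/* Handle a Find By Type Value Request.
 *
 * Decodes the handle range and attribute type, answers an invalid range with
 * BT_ATT_ERR_INVALID_HANDLE and any type other than "Primary Service" with
 * BT_ATT_ERR_ATTRIBUTE_NOT_FOUND, and otherwise searches for the service
 * whose value follows the fixed request fields.
 *
 * The value length is handed on as a uint8_t. A value longer than UINT8_MAX
 * is therefore answered with "attribute not found" here instead of being
 * narrowed: a narrowed length would let only a prefix of the peer's value be
 * compared, and a value that long cannot be a 16-bit or 128-bit service UUID
 * anyway.
 *
 * NOTE(review): net_buf_pull_mem() is called without a length check here;
 * this assumes the caller has already verified the PDU holds at least
 * sizeof(*req) bytes - confirm against the dispatcher, which is outside this
 * part of the file.
 *
 * Returns 0 when a response or error has been sent or queued, or the ATT
 * error code from att_find_type_rsp().
 */
static uint8_t att_find_type_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_find_type_req *req;
	uint16_t start_handle, end_handle, err_handle, type;
	uint8_t *value;

	req = net_buf_pull_mem(buf, sizeof(*req));

	start_handle = sys_le16_to_cpu(req->start_handle);
	end_handle = sys_le16_to_cpu(req->end_handle);
	type = sys_le16_to_cpu(req->type);
	/* After the pull, buf->data/buf->len describe only the value */
	value = buf->data;

	BT_DBG("start_handle 0x%04x end_handle 0x%04x type %u", start_handle,
	       end_handle, type);

	if (!range_is_valid(start_handle, end_handle, &err_handle)) {
		send_err_rsp(chan, BT_ATT_OP_FIND_TYPE_REQ, err_handle,
			     BT_ATT_ERR_INVALID_HANDLE);
		return 0;
	}

	/* The Attribute Protocol Find By Type Value Request shall be used with
	 * the Attribute Type parameter set to the UUID for "Primary Service"
	 * and the Attribute Value set to the 16-bit Bluetooth UUID or 128-bit
	 * UUID for the specific primary service.
	 */
	if (bt_uuid_cmp(BT_UUID_DECLARE_16(type), BT_UUID_GATT_PRIMARY)) {
		send_err_rsp(chan, BT_ATT_OP_FIND_TYPE_REQ, start_handle,
			     BT_ATT_ERR_ATTRIBUTE_NOT_FOUND);
		return 0;
	}

	/* Do not let the peer-controlled length be narrowed to 8 bits */
	if (buf->len > UINT8_MAX) {
		send_err_rsp(chan, BT_ATT_OP_FIND_TYPE_REQ, start_handle,
			     BT_ATT_ERR_ATTRIBUTE_NOT_FOUND);
		return 0;
	}

	return att_find_type_rsp(chan, start_handle, end_handle, value,
				 (uint8_t)buf->len);
}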
987 
/* Convert a negative return value into an ATT error code.
 *
 * Values in [-0xff, -1] map to their magnitude; anything else (zero,
 * positive, or below -0xff) maps to BT_ATT_ERR_UNLIKELY.
 */
static uint8_t err_to_att(int err)
{
	const bool in_att_range = (err < 0) && (err >= -0xff);

	BT_DBG("%d", err);

	return in_att_range ? -err : BT_ATT_ERR_UNLIKELY;
}
998 
/* Iteration state for building a Read By Type Response */
struct read_type_data {
	/* Channel being answered; its TX MTU bounds the response */
	struct bt_att_chan *chan;
	/* Attribute type to match */
	struct bt_uuid *uuid;
	/* Response buffer (possibly a fragment chain) under construction */
	struct net_buf *buf;
	/* Response header; rsp->len is the common size of every item */
	struct bt_att_read_type_rsp *rsp;
	/* Item being filled; set to NULL by attr_read_type_cb() when the
	 * item is dropped for having a different size.
	 */
	struct bt_att_data *item;
	/* ATT error to report, 0 when the response is usable */
	uint8_t err;
};
1007 
/* Hook called by att_chan_read() after each attribute read and before the
 * bytes read are committed to the fragment; returning false stops the read
 * without committing them.
 */
typedef bool (*attr_read_cb)(struct net_buf *buf, ssize_t read,
			     void *user_data);
1010 
/* att_chan_read() hook for Read By Type: enforce that all items in the
 * response have the same size.
 *
 * The first item defines rsp->len (value bytes plus the item header). A
 * later item of a different size is dropped: its header is removed from the
 * fragment, data->item is cleared, and false is returned to stop the read.
 *
 * NOTE(review): assumes rsp->len is wide enough to hold
 * read + sizeof(*data->item) without truncation - the field's type is not
 * visible here, confirm.
 */
static bool attr_read_type_cb(struct net_buf *frag, ssize_t read,
			      void *user_data)
{
	struct read_type_data *ctx = user_data;

	if (!ctx->rsp->len) {
		/* Set len to be the first item found */
		ctx->rsp->len = read + sizeof(*ctx->item);
		return true;
	}

	if (ctx->rsp->len == read + sizeof(*ctx->item)) {
		return true;
	}

	/* All items should have the same size */
	frag->len -= sizeof(*ctx->item);
	ctx->item = NULL;

	return false;
}
1028 
/* Read an attribute value into a response buffer, bounded by the TX MTU.
 *
 * The value is read in pieces straight into the tailroom of the last
 * fragment of buf; a new fragment is allocated (without waiting) from the
 * same pool whenever the current one is full. Reading continues while the
 * attribute fills the whole space offered and the MTU is not yet reached.
 *
 * chan      - channel whose tx.mtu limits the total size of buf
 * attr      - attribute whose read() handler is called
 * buf       - head of the response buffer chain
 * offset    - value offset to start reading from
 * cb        - optional hook run after each read and before the bytes are
 *             committed; returning false ends the read without committing
 * user_data - passed through to cb
 *
 * Returns the number of bytes committed to buf. Returns 0 when buf already
 * fills the MTU. A read error is returned as-is only if nothing had been
 * read yet; otherwise the partial total is returned. An allocation failure
 * also returns the total so far.
 */
static ssize_t att_chan_read(struct bt_att_chan *chan,
			     const struct bt_gatt_attr *attr,
			     struct net_buf *buf, uint16_t offset,
			     attr_read_cb cb, void *user_data)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	ssize_t read;
	struct net_buf *frag;
	size_t len, total = 0;

	/* Guard first so the subtractions below cannot go negative */
	if (chan->chan.tx.mtu <= net_buf_frags_len(buf)) {
		return 0;
	}

	frag = net_buf_frag_last(buf);

	/* Create necessary fragments if MTU is bigger than what a buffer can
	 * hold.
	 */
	do {
		/* Space to offer: what the MTU still allows, capped by what
		 * the current fragment can physically hold.
		 */
		len = MIN(chan->chan.tx.mtu - net_buf_frags_len(buf),
			  net_buf_tailroom(frag));
		if (!len) {
			frag = net_buf_alloc(net_buf_pool_get(buf->pool_id),
					     K_NO_WAIT);
			/* If not buffer can be allocated immediately return */
			if (!frag) {
				return total;
			}

			net_buf_frag_add(buf, frag);

			len = MIN(chan->chan.tx.mtu - net_buf_frags_len(buf),
				  net_buf_tailroom(frag));
		}

		/* The handler writes into the fragment's tail; frag->len is
		 * only advanced by net_buf_add() below.
		 * NOTE(review): relies on the attribute's read handler never
		 * writing or returning more than len - confirm for
		 * application-provided handlers.
		 */
		read = attr->read(conn, attr, frag->data + frag->len, len,
				  offset);
		if (read < 0) {
			if (total) {
				return total;
			}

			return read;
		}

		if (cb && !cb(frag, read, user_data)) {
			break;
		}

		net_buf_add(frag, read);
		total += read;
		offset += read;
	} while (chan->chan.tx.mtu > net_buf_frags_len(buf) && read == len);

	return total;
}
1086 
/* bt_gatt_foreach_attr() callback that appends one handle/value item to a
 * Read By Type Response.
 *
 * Attributes of a different type are skipped. Read permission is checked
 * before the value is read: a denied attribute ends the iteration, and its
 * error is reported only when no item has been added yet. Iteration also
 * ends on a read error, when an item was dropped for having a different
 * size, or when the space left under the TX MTU is not larger than one more
 * item.
 */
static uint8_t read_type_cb(const struct bt_gatt_attr *attr, uint16_t handle,
			    void *user_data)
{
	struct read_type_data *ctx = user_data;
	struct bt_att_chan *chan = ctx->chan;
	struct bt_conn *conn = chan->chan.chan.conn;
	ssize_t nread;

	/* Skip if doesn't match */
	if (bt_uuid_cmp(attr->uuid, ctx->uuid) != 0) {
		return BT_GATT_ITER_CONTINUE;
	}

	BT_DBG("handle 0x%04x", handle);

	/*
	 * If an attribute in the set of requested attributes would cause an
	 * Error Response then this attribute cannot be included in a
	 * Read By Type Response and the attributes before this attribute
	 * shall be returned
	 *
	 * If the first attribute in the set of requested attributes would
	 * cause an Error Response then no other attributes in the requested
	 * attributes can be considered.
	 */
	ctx->err = bt_gatt_check_perm(conn, attr, BT_GATT_PERM_READ_MASK);
	if (ctx->err) {
		if (ctx->rsp->len) {
			/* Earlier items exist: return them, not the error */
			ctx->err = 0x00;
		}
		return BT_GATT_ITER_STOP;
	}

	/*
	 * An attribute was found in the handle range, so the pre-set
	 * "attribute not found" error no longer applies.
	 */
	ctx->err = 0x00;

	/* Fast forward to next item position */
	ctx->item = net_buf_add(net_buf_frag_last(ctx->buf),
				sizeof(*ctx->item));
	ctx->item->handle = sys_cpu_to_le16(handle);

	nread = att_chan_read(chan, attr, ctx->buf, 0, attr_read_type_cb, ctx);
	if (nread < 0) {
		ctx->err = err_to_att(nread);
		return BT_GATT_ITER_STOP;
	}

	/* Cleared by attr_read_type_cb() when the item was dropped */
	if (!ctx->item) {
		return BT_GATT_ITER_STOP;
	}

	/* continue only if there is still space for more items */
	if (chan->chan.tx.mtu - net_buf_frags_len(ctx->buf) >
	    ctx->rsp->len) {
		return BT_GATT_ITER_CONTINUE;
	}

	return BT_GATT_ITER_STOP;
}
1145 
/* Build and send the response to a Read By Type Request.
 *
 * Walks the attributes in [start_handle, end_handle] with read_type_cb.
 * If the walk leaves an error set, the partial PDU is released and an Error
 * Response carrying start_handle is sent; otherwise the PDU is sent.
 *
 * Returns BT_ATT_ERR_UNLIKELY when no response PDU can be created, else 0
 * (the response, success or error, has been handled here).
 */
static uint8_t att_read_type_rsp(struct bt_att_chan *chan, struct bt_uuid *uuid,
			      uint16_t start_handle, uint16_t end_handle)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct read_type_data ctx;

	(void)memset(&ctx, 0, sizeof(ctx));

	ctx.buf = bt_att_create_pdu(conn, BT_ATT_OP_READ_TYPE_RSP,
				    sizeof(*ctx.rsp));
	if (ctx.buf == NULL) {
		return BT_ATT_ERR_UNLIKELY;
	}

	ctx.chan = chan;
	ctx.uuid = uuid;
	ctx.rsp = net_buf_add(ctx.buf, sizeof(*ctx.rsp));
	ctx.rsp->len = 0U;

	/* Reported if the walk finds no matching attribute at all */
	ctx.err = BT_ATT_ERR_ATTRIBUTE_NOT_FOUND;

	bt_gatt_foreach_attr(start_handle, end_handle, read_type_cb, &ctx);

	if (ctx.err == 0) {
		bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);
		return 0;
	}

	/* Drop whatever was collected and answer with the error; the
	 * handle to report is known here, so respond directly.
	 */
	net_buf_unref(ctx.buf);
	send_err_rsp(chan, BT_ATT_OP_READ_TYPE_REQ, start_handle, ctx.err);

	return 0;
}
1182 
/* Handle an incoming Read By Type Request.
 *
 * Parses the handle range and attribute type from @buf, validates both and
 * passes them to att_read_type_rsp().
 *
 * Returns BT_ATT_ERR_INVALID_PDU when the type is neither a 16-bit nor a
 * 128-bit UUID, BT_ATT_ERR_UNLIKELY when the UUID cannot be created, and
 * otherwise whatever att_read_type_rsp() returns (0 when an Error Response
 * for an invalid range was sent from here).
 */
static uint8_t att_read_type_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_read_type_req *req;
	uint16_t start_handle, end_handle, err_handle;
	union {
		struct bt_uuid uuid;
		struct bt_uuid_16 u16;
		struct bt_uuid_128 u128;
	} type;
	/* Whatever follows the fixed request fields is the UUID. The result
	 * is truncated to 8 bits, so a PDU shorter than the fixed part wraps
	 * to a large value and fails the length check below.
	 * NOTE(review): presumably the dispatcher also enforces a minimum
	 * PDU length before this handler runs - confirm.
	 */
	uint8_t uuid_len = buf->len - sizeof(*req);

	/* Only UUID16 and UUID128 are valid attribute types */
	switch (uuid_len) {
	case 2:
	case 16:
		break;
	default:
		return BT_ATT_ERR_INVALID_PDU;
	}

	req = net_buf_pull_mem(buf, sizeof(*req));

	start_handle = sys_le16_to_cpu(req->start_handle);
	end_handle = sys_le16_to_cpu(req->end_handle);
	if (!bt_uuid_create(&type.uuid, req->uuid, uuid_len)) {
		return BT_ATT_ERR_UNLIKELY;
	}

	BT_DBG("start_handle 0x%04x end_handle 0x%04x type %s",
	       start_handle, end_handle, bt_uuid_str(&type.uuid));

	if (range_is_valid(start_handle, end_handle, &err_handle)) {
		return att_read_type_rsp(chan, &type.uuid, start_handle,
					 end_handle);
	}

	/* Peer supplied an invalid handle range */
	send_err_rsp(chan, BT_ATT_OP_READ_TYPE_REQ, err_handle,
		     BT_ATT_ERR_INVALID_HANDLE);

	return 0;
}
1218 
/* State shared between a read request handler and its attribute callback */
struct read_data {
	/* Channel the request is being served on */
	struct bt_att_chan *chan;
	/* Offset into the attribute value at which reading starts */
	uint16_t offset;
	/* Response PDU the value is appended to */
	struct net_buf *buf;
	/* ATT error code to report, 0 when the read succeeded */
	uint8_t err;
};
1225 
/* bt_gatt_foreach_attr() callback serving a single-attribute read.
 *
 * @user_data is a struct read_data. Being called at all means the handle
 * exists, so the caller's pre-set "invalid handle" error is replaced by the
 * result of the read-permission check. Only when that check passes is the
 * value appended to data->buf via att_chan_read().
 */
static uint8_t read_cb(const struct bt_gatt_attr *attr, uint16_t handle,
		       void *user_data)
{
	struct read_data *ctx = user_data;
	struct bt_att_chan *chan = ctx->chan;
	struct bt_conn *conn = chan->chan.chan.conn;
	int nread;

	BT_DBG("handle 0x%04x", handle);

	/* Access control comes before any attribute data is touched; the
	 * result overwrites the pre-set error (0 means permitted).
	 */
	ctx->err = bt_gatt_check_perm(conn, attr, BT_GATT_PERM_READ_MASK);
	if (ctx->err != 0) {
		return BT_GATT_ITER_STOP;
	}

	/* Append the value, starting at the requested offset */
	nread = att_chan_read(chan, attr, ctx->buf, ctx->offset, NULL, NULL);
	if (nread < 0) {
		ctx->err = err_to_att(nread);
		return BT_GATT_ITER_STOP;
	}

	return BT_GATT_ITER_CONTINUE;
}
1257 
/* Common implementation of Read and Read Blob.
 *
 * @op is the request opcode (used in an Error Response), @rsp the opcode of
 * the response PDU to create, @handle the attribute to read and @offset the
 * position in its value to start from.
 *
 * Returns BT_ATT_ERR_DB_OUT_OF_SYNC when bt_gatt_change_aware() rejects the
 * connection, BT_ATT_ERR_INVALID_HANDLE for handle 0, BT_ATT_ERR_UNLIKELY
 * when no PDU can be created, and 0 once a response or Error Response has
 * been sent from here.
 */
static uint8_t att_read_rsp(struct bt_att_chan *chan, uint8_t op, uint8_t rsp,
			 uint16_t handle, uint16_t offset)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct read_data ctx;

	if (!bt_gatt_change_aware(conn, true)) {
		return BT_ATT_ERR_DB_OUT_OF_SYNC;
	}

	if (handle == 0) {
		return BT_ATT_ERR_INVALID_HANDLE;
	}

	(void)memset(&ctx, 0, sizeof(ctx));

	ctx.buf = bt_att_create_pdu(conn, rsp, 0);
	if (ctx.buf == NULL) {
		return BT_ATT_ERR_UNLIKELY;
	}

	ctx.chan = chan;
	ctx.offset = offset;

	/* Stays in place if the handle matches no attribute */
	ctx.err = BT_ATT_ERR_INVALID_HANDLE;

	bt_gatt_foreach_attr(handle, handle, read_cb, &ctx);

	if (ctx.err == 0) {
		bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);
		return 0;
	}

	/* On error nothing that was read is sent: release the PDU and
	 * answer with an Error Response for this handle.
	 */
	net_buf_unref(ctx.buf);
	send_err_rsp(chan, op, handle, ctx.err);

	return 0;
}
1299 
/* Handle an incoming Read Request: read the attribute from offset 0.
 *
 * NOTE(review): the request structure is overlaid on buf->data without a
 * length check in this function; presumably the dispatcher validates the
 * minimum PDU length before calling - confirm.
 */
static uint8_t att_read_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_read_req *req = (void *)buf->data;
	uint16_t handle = sys_le16_to_cpu(req->handle);

	BT_DBG("handle 0x%04x", handle);

	return att_read_rsp(chan, BT_ATT_OP_READ_REQ, BT_ATT_OP_READ_RSP,
			    handle, 0);
}
1314 
/* Handle an incoming Read Blob Request: read the attribute from the offset
 * given by the peer.
 *
 * NOTE(review): the request structure is overlaid on buf->data without a
 * length check in this function; presumably the dispatcher validates the
 * minimum PDU length before calling - confirm. The peer-chosen offset is
 * passed on unchanged, so range checking is left to the attribute's read
 * callback.
 */
static uint8_t att_read_blob_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_read_blob_req *req = (void *)buf->data;
	uint16_t handle = sys_le16_to_cpu(req->handle);
	uint16_t offset = sys_le16_to_cpu(req->offset);

	BT_DBG("handle 0x%04x offset %u", handle, offset);

	return att_read_rsp(chan, BT_ATT_OP_READ_BLOB_REQ,
			    BT_ATT_OP_READ_BLOB_RSP, handle, offset);
}
1330 
1331 #if defined(CONFIG_BT_GATT_READ_MULTIPLE)
/* Handle an incoming Read Multiple Request.
 *
 * Pulls 16-bit handles from @buf one at a time and appends each attribute
 * value to a single response PDU through read_cb. The first handle that is
 * unknown or not readable ends the whole request with an Error Response for
 * that handle; nothing read so far is sent. A trailing single byte in the
 * request is ignored by the loop condition.
 *
 * Returns BT_ATT_ERR_DB_OUT_OF_SYNC, BT_ATT_ERR_UNLIKELY (no PDU) or 0 once
 * a response or Error Response has been sent from here.
 */
static uint8_t att_read_mult_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct read_data ctx;
	uint16_t handle;

	if (!bt_gatt_change_aware(conn, true)) {
		return BT_ATT_ERR_DB_OUT_OF_SYNC;
	}

	(void)memset(&ctx, 0, sizeof(ctx));

	ctx.buf = bt_att_create_pdu(conn, BT_ATT_OP_READ_MULT_RSP, 0);
	if (ctx.buf == NULL) {
		return BT_ATT_ERR_UNLIKELY;
	}

	ctx.chan = chan;

	while (buf->len >= sizeof(uint16_t)) {
		handle = net_buf_pull_le16(buf);

		BT_DBG("handle 0x%04x ", handle);

		/* An Error Response shall be sent by the server in response
		 * to the Read Multiple Request [....] if a read operation is
		 * not permitted on any of the Characteristic Values.
		 *
		 * Start from "invalid handle"; read_cb replaces it when the
		 * handle resolves to an attribute.
		 */
		ctx.err = BT_ATT_ERR_INVALID_HANDLE;

		bt_gatt_foreach_attr(handle, handle, read_cb, &ctx);

		if (ctx.err == 0) {
			continue;
		}

		/* One failing handle fails the whole request; the handle
		 * to report is known here, so respond directly.
		 */
		net_buf_unref(ctx.buf);
		send_err_rsp(chan, BT_ATT_OP_READ_MULT_REQ, handle, ctx.err);

		return 0;
	}

	bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);

	return 0;
}
1381 
1382 #if defined(CONFIG_BT_EATT)
/* bt_gatt_foreach_attr() callback for Read Multiple Variable Length.
 *
 * @user_data is a struct read_data. After the read-permission check a
 * length field is appended to data->buf, the attribute value is read behind
 * it, and the length field is filled in with the number of bytes read.
 */
static uint8_t read_vl_cb(const struct bt_gatt_attr *attr, uint16_t handle,
			  void *user_data)
{
	struct read_data *ctx = user_data;
	struct bt_att_chan *chan = ctx->chan;
	struct bt_conn *conn = chan->chan.chan.conn;
	struct bt_att_read_mult_vl_rsp *tuple;
	int nread;

	BT_DBG("handle 0x%04x", handle);

	/* Being called means the handle exists: the pre-set "invalid handle"
	 * error is replaced by the permission check result (0 = permitted).
	 */
	ctx->err = bt_gatt_check_perm(conn, attr, BT_GATT_PERM_READ_MASK);
	if (ctx->err != 0) {
		return BT_GATT_ITER_STOP;
	}

	/* The Length Value Tuple List may be truncated within the first two
	 * octets of a tuple due to the size limits of the current ATT_MTU.
	 * NOTE(review): this uses the head buffer's len, not the length of
	 * the whole fragment chain - confirm that is intended.
	 */
	if (chan->chan.tx.mtu - ctx->buf->len < 2) {
		return BT_GATT_ITER_STOP;
	}

	tuple = net_buf_add(ctx->buf, sizeof(*tuple));

	nread = att_chan_read(chan, attr, ctx->buf, ctx->offset, NULL, NULL);
	if (nread < 0) {
		ctx->err = err_to_att(nread);
		return BT_GATT_ITER_STOP;
	}

	/* NOTE(review): stored without an explicit byte-order conversion,
	 * unlike the handle fields elsewhere in this file - confirm.
	 */
	tuple->len = nread;

	return BT_GATT_ITER_CONTINUE;
}
1425 
/* Handle an incoming Read Multiple Variable Length Request.
 *
 * Pulls 16-bit handles from @buf one at a time and appends a length/value
 * tuple for each through read_vl_cb. The first handle that is unknown or
 * not readable ends the request with an Error Response for that handle.
 *
 * Returns BT_ATT_ERR_DB_OUT_OF_SYNC, BT_ATT_ERR_UNLIKELY (no PDU) or 0 once
 * a response or Error Response has been sent from here.
 */
static uint8_t att_read_mult_vl_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct read_data ctx;
	uint16_t handle;

	if (!bt_gatt_change_aware(conn, true)) {
		return BT_ATT_ERR_DB_OUT_OF_SYNC;
	}

	(void)memset(&ctx, 0, sizeof(ctx));

	ctx.buf = bt_att_create_pdu(conn, BT_ATT_OP_READ_MULT_VL_RSP, 0);
	if (ctx.buf == NULL) {
		return BT_ATT_ERR_UNLIKELY;
	}

	ctx.chan = chan;

	while (buf->len >= sizeof(uint16_t)) {
		handle = net_buf_pull_le16(buf);

		BT_DBG("handle 0x%04x ", handle);

		/* Start from "invalid handle"; read_vl_cb replaces it when
		 * the handle resolves to an attribute.
		 */
		ctx.err = BT_ATT_ERR_INVALID_HANDLE;

		bt_gatt_foreach_attr(handle, handle, read_vl_cb, &ctx);

		if (ctx.err == 0) {
			continue;
		}

		/* One failing handle fails the whole request; the handle
		 * to report is known here, so respond directly.
		 */
		net_buf_unref(ctx.buf);
		send_err_rsp(chan, BT_ATT_OP_READ_MULT_VL_REQ, handle,
			     ctx.err);

		return 0;
	}

	bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);

	return 0;
}
1471 #endif /* CONFIG_BT_EATT */
1472 #endif /* CONFIG_BT_GATT_READ_MULTIPLE */
1473 
/* State shared between the Read By Group Type handler and its callbacks */
struct read_group_data {
	/* Channel the request is being served on */
	struct bt_att_chan *chan;
	/* Group type requested by the peer */
	struct bt_uuid *uuid;
	/* Response PDU being built */
	struct net_buf *buf;
	/* Response header; its len is the size shared by all entries */
	struct bt_att_read_group_rsp *rsp;
	/* Entry currently being filled in, NULL when there is none */
	struct bt_att_group_data *group;
};
1481 
/* att_chan_read() callback enforcing one entry size per response.
 *
 * The first entry fixes rsp->len (value length plus the group header). An
 * entry of any other size is rejected: the group header that was already
 * added is removed from data->buf, data->group is cleared, and false is
 * returned so the value is not committed.
 */
static bool attr_read_group_cb(struct net_buf *frag, ssize_t read,
			       void *user_data)
{
	struct read_group_data *ctx = user_data;
	size_t entry_len = read + sizeof(*ctx->group);

	if (ctx->rsp->len == 0) {
		/* First group found: it defines the entry size */
		ctx->rsp->len = entry_len;
		return true;
	}

	if (ctx->rsp->len == entry_len) {
		return true;
	}

	/* Different size: undo the header added for this entry */
	ctx->buf->len -= sizeof(*ctx->group);
	ctx->group = NULL;

	return false;
}
1499 
/* bt_gatt_foreach_attr() callback building a Read By Group Type Response.
 *
 * Attributes that are not service declarations only extend the end handle
 * of the group being filled in. A service declaration of the requested type
 * starts a new entry: a group header is appended and its value is read with
 * attr_read_group_cb.
 *
 * NOTE(review): bt_gatt_check_perm() is not called in this function; the
 * only attributes read here are primary/secondary service declarations.
 */
static uint8_t read_group_cb(const struct bt_gatt_attr *attr, uint16_t handle,
			     void *user_data)
{
	struct read_group_data *ctx = user_data;
	struct bt_att_chan *chan = ctx->chan;
	int nread;

	/* Not a service declaration: it belongs to the current group */
	if (bt_uuid_cmp(attr->uuid, BT_UUID_GATT_PRIMARY) &&
	    bt_uuid_cmp(attr->uuid, BT_UUID_GATT_SECONDARY)) {
		if (ctx->group &&
		    handle > sys_le16_to_cpu(ctx->group->end_handle)) {
			ctx->group->end_handle = sys_cpu_to_le16(handle);
		}
		return BT_GATT_ITER_CONTINUE;
	}

	/* A service of another type closes the current group */
	if (bt_uuid_cmp(attr->uuid, ctx->uuid) != 0) {
		ctx->group = NULL;
		return BT_GATT_ITER_CONTINUE;
	}

	BT_DBG("handle 0x%04x", handle);

	/* Once the entry size is known, stop when one more will not fit */
	if (ctx->rsp->len &&
	    chan->chan.tx.mtu - ctx->buf->len < ctx->rsp->len) {
		return BT_GATT_ITER_STOP;
	}

	/* Append the header of the next group entry */
	ctx->group = net_buf_add(ctx->buf, sizeof(*ctx->group));

	/* The group starts out covering just this handle */
	ctx->group->start_handle = sys_cpu_to_le16(handle);
	ctx->group->end_handle = sys_cpu_to_le16(handle);

	/* Read the service value behind the header */
	nread = att_chan_read(chan, attr, ctx->buf, 0, attr_read_group_cb,
			      ctx);
	if (nread < 0) {
		/* TODO: Handle read errors */
		return BT_GATT_ITER_STOP;
	}

	/* attr_read_group_cb clears group when the entry was rejected */
	if (ctx->group == NULL) {
		return BT_GATT_ITER_STOP;
	}

	/* Keep walking; later attributes may extend this group */
	return BT_GATT_ITER_CONTINUE;
}
1553 
/* Build and send the response to a Read By Group Type Request.
 *
 * Walks [start_handle, end_handle] with read_group_cb. If no entry was
 * produced (rsp->len is still 0) the PDU is released and an "attribute not
 * found" Error Response carrying start_handle is sent.
 *
 * Returns BT_ATT_ERR_UNLIKELY when no response PDU can be created, else 0.
 */
static uint8_t att_read_group_rsp(struct bt_att_chan *chan, struct bt_uuid *uuid,
			       uint16_t start_handle, uint16_t end_handle)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct read_group_data ctx;

	(void)memset(&ctx, 0, sizeof(ctx));

	ctx.buf = bt_att_create_pdu(conn, BT_ATT_OP_READ_GROUP_RSP,
				    sizeof(*ctx.rsp));
	if (ctx.buf == NULL) {
		return BT_ATT_ERR_UNLIKELY;
	}

	ctx.chan = chan;
	ctx.uuid = uuid;
	ctx.rsp = net_buf_add(ctx.buf, sizeof(*ctx.rsp));
	ctx.rsp->len = 0U;
	ctx.group = NULL;

	bt_gatt_foreach_attr(start_handle, end_handle, read_group_cb, &ctx);

	if (ctx.rsp->len != 0) {
		bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);
		return 0;
	}

	/* Nothing matched: the handle to report is known here, so respond
	 * directly.
	 */
	net_buf_unref(ctx.buf);
	send_err_rsp(chan, BT_ATT_OP_READ_GROUP_REQ, start_handle,
		     BT_ATT_ERR_ATTRIBUTE_NOT_FOUND);

	return 0;
}
1588 
/* Handle an incoming Read By Group Type Request.
 *
 * Parses the handle range and group type from @buf, rejects invalid ranges
 * and group types other than Primary/Secondary Service, then passes the
 * request to att_read_group_rsp().
 *
 * Returns BT_ATT_ERR_INVALID_PDU when the type is neither a 16-bit nor a
 * 128-bit UUID, BT_ATT_ERR_UNLIKELY when the UUID cannot be created, 0 when
 * an Error Response was sent from here, and otherwise whatever
 * att_read_group_rsp() returns.
 */
static uint8_t att_read_group_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_read_group_req *req;
	uint16_t start_handle, end_handle, err_handle;
	union {
		struct bt_uuid uuid;
		struct bt_uuid_16 u16;
		struct bt_uuid_128 u128;
	} type;
	/* Whatever follows the fixed request fields is the UUID. The result
	 * is truncated to 8 bits, so a PDU shorter than the fixed part wraps
	 * to a large value and fails the length check below.
	 * NOTE(review): presumably the dispatcher also enforces a minimum
	 * PDU length before this handler runs - confirm.
	 */
	uint8_t uuid_len = buf->len - sizeof(*req);

	/* Only UUID16 and UUID128 are valid group types */
	switch (uuid_len) {
	case 2:
	case 16:
		break;
	default:
		return BT_ATT_ERR_INVALID_PDU;
	}

	req = net_buf_pull_mem(buf, sizeof(*req));

	start_handle = sys_le16_to_cpu(req->start_handle);
	end_handle = sys_le16_to_cpu(req->end_handle);

	if (!bt_uuid_create(&type.uuid, req->uuid, uuid_len)) {
		return BT_ATT_ERR_UNLIKELY;
	}

	BT_DBG("start_handle 0x%04x end_handle 0x%04x type %s",
	       start_handle, end_handle, bt_uuid_str(&type.uuid));

	if (!range_is_valid(start_handle, end_handle, &err_handle)) {
		send_err_rsp(chan, BT_ATT_OP_READ_GROUP_REQ, err_handle,
			     BT_ATT_ERR_INVALID_HANDLE);
		return 0;
	}

	/* Core v4.2, Vol 3, sec 2.5.3 Attribute Grouping:
	 * Not all of the grouping attributes can be used in the ATT
	 * Read By Group Type Request. The "Primary Service" and "Secondary
	 * Service" grouping types may be used in the Read By Group Type
	 * Request. The "Characteristic" grouping type shall not be used in
	 * the ATT Read By Group Type Request.
	 */
	if (bt_uuid_cmp(&type.uuid, BT_UUID_GATT_PRIMARY) == 0 ||
	    bt_uuid_cmp(&type.uuid, BT_UUID_GATT_SECONDARY) == 0) {
		return att_read_group_rsp(chan, &type.uuid, start_handle,
					  end_handle);
	}

	send_err_rsp(chan, BT_ATT_OP_READ_GROUP_REQ, start_handle,
		     BT_ATT_ERR_UNSUPPORTED_GROUP_TYPE);

	return 0;
}
1639 
/* State shared between att_write_rsp() and write_cb() */
struct write_data {
	/* Connection the write arrived on */
	struct bt_conn *conn;
	/* Response PDU, NULL when the operation sends no response */
	struct net_buf *buf;
	/* Request opcode; 0 marks a command (write without response) */
	uint8_t req;
	/* Value to write, owned by the caller */
	const void *value;
	/* Number of bytes at value */
	uint16_t len;
	/* Offset into the attribute value to write at */
	uint16_t offset;
	/* ATT error code to report, 0 when the write succeeded */
	uint8_t err;
};
1649 
/* bt_gatt_foreach_attr() callback performing a single attribute write.
 *
 * @user_data is a struct write_data. Write permission is checked before the
 * attribute's write callback sees any peer data. A write that fails, or
 * that accepts a different number of bytes than were offered, is turned
 * into an ATT error through err_to_att().
 *
 * NOTE(review): attr->write is called without a NULL check; presumably
 * bt_gatt_check_perm() rejects attributes that have no write callback -
 * confirm.
 */
static uint8_t write_cb(const struct bt_gatt_attr *attr, uint16_t handle,
			void *user_data)
{
	struct write_data *ctx = user_data;
	/* Commands (no request opcode) are flagged for the write callback */
	uint8_t flags = ctx->req ? 0U : BT_GATT_WRITE_FLAG_CMD;
	int written;

	BT_DBG("handle 0x%04x offset %u", handle, ctx->offset);

	/* Access control first */
	ctx->err = bt_gatt_check_perm(ctx->conn, attr,
				      BT_GATT_PERM_WRITE_MASK);
	if (ctx->err != 0) {
		return BT_GATT_ITER_STOP;
	}

	written = attr->write(ctx->conn, attr, ctx->value, ctx->len,
			      ctx->offset, flags);
	if (written < 0 || written != ctx->len) {
		ctx->err = err_to_att(written);
		return BT_GATT_ITER_STOP;
	}

	ctx->err = 0U;

	return BT_GATT_ITER_CONTINUE;
}
1683 
/* Common implementation of the attribute write operations.
 *
 * @req is the request opcode (0 for commands) and @rsp the opcode of the
 * response to send (0 when none is sent). @value/@len is written to @handle
 * at @offset through write_cb.
 *
 * Returns BT_ATT_ERR_DB_OUT_OF_SYNC when bt_gatt_change_aware() rejects the
 * connection, BT_ATT_ERR_INVALID_HANDLE for handle 0 and
 * BT_ATT_ERR_UNLIKELY when a response PDU is needed but cannot be created.
 * A failed write returns 0, except for BT_ATT_OP_EXEC_WRITE_REQ where the
 * ATT error is returned to the caller. When @rsp is 0 no Error Response is
 * sent from here.
 */
static uint8_t att_write_rsp(struct bt_att_chan *chan, uint8_t req, uint8_t rsp,
			  uint16_t handle, uint16_t offset, const void *value,
			  uint16_t len)
{
	struct write_data ctx;

	if (!bt_gatt_change_aware(chan->att->conn, req != 0)) {
		return BT_ATT_ERR_DB_OUT_OF_SYNC;
	}

	if (handle == 0) {
		return BT_ATT_ERR_INVALID_HANDLE;
	}

	(void)memset(&ctx, 0, sizeof(ctx));

	/* A response PDU is only needed when there is a response opcode */
	if (rsp) {
		ctx.buf = bt_att_chan_create_pdu(chan, rsp, 0);
		if (ctx.buf == NULL) {
			return BT_ATT_ERR_UNLIKELY;
		}
	}

	ctx.conn = chan->att->conn;
	ctx.req = req;
	ctx.offset = offset;
	ctx.value = value;
	ctx.len = len;
	/* Stays in place if the handle matches no attribute */
	ctx.err = BT_ATT_ERR_INVALID_HANDLE;

	bt_gatt_foreach_attr(handle, handle, write_cb, &ctx);

	if (ctx.err == 0) {
		if (ctx.buf) {
			bt_att_chan_send_rsp(chan, ctx.buf, chan_rsp_sent);
		}
		return 0;
	}

	/* Failed: drop the response and report the error for this handle */
	if (rsp) {
		net_buf_unref(ctx.buf);
		send_err_rsp(chan, req, handle, ctx.err);
	}

	return req == BT_ATT_OP_EXEC_WRITE_REQ ? ctx.err : 0;
}
1733 
/* Handle an incoming Write Request: the PDU is a 16-bit handle followed by
 * the value, which is written at offset 0.
 *
 * NOTE(review): the handle is pulled without a length check in this
 * function; presumably the dispatcher validates the minimum PDU length
 * before calling - confirm.
 */
static uint8_t att_write_req(struct bt_att_chan *chan, struct net_buf *buf)
{
	uint16_t handle = net_buf_pull_le16(buf);

	BT_DBG("handle 0x%04x", handle);

	/* What is left in buf after the handle is the value */
	return att_write_rsp(chan, BT_ATT_OP_WRITE_REQ, BT_ATT_OP_WRITE_RSP,
			     handle, 0, buf->data, buf->len);
}
1745 
1746 #if CONFIG_BT_ATT_PREPARE_COUNT > 0
/* State shared between att_prep_write_rsp() and prep_write_cb() */
struct prep_data {
	/* Connection the prepare write arrived on */
	struct bt_conn *conn;
	/* Buffer holding the queued value once prep_write_cb succeeded */
	struct net_buf *buf;
	/* Value to queue, owned by the caller */
	const void *value;
	/* Number of bytes at value */
	uint16_t len;
	/* Offset into the attribute value the data is meant for */
	uint16_t offset;
	/* ATT error code to report, 0 when the value was queued */
	uint8_t err;
};
1755 
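/* bt_gatt_foreach_attr() callback queueing one prepared write.
 *
 * @user_data is a struct prep_data. After the write-permission check, an
 * attribute flagged BT_GATT_PERM_PREPARE_WRITE has its write callback
 * invoked with BT_GATT_WRITE_FLAG_PREPARE so it can accept or refuse the
 * data. The value is then copied into a buffer from prep_pool, tagged with
 * the handle and offset, and left in data->buf for the caller to queue.
 *
 * On failure data->err holds the ATT error and data->buf is not valid.
 */
static uint8_t prep_write_cb(const struct bt_gatt_attr *attr, uint16_t handle,
			     void *user_data)
{
	struct prep_data *data = user_data;
	struct bt_attr_data *attr_data;
	int write;

	BT_DBG("handle 0x%04x offset %u", handle, data->offset);

	/* Check attribute permissions */
	data->err = bt_gatt_check_perm(data->conn, attr,
				       BT_GATT_PERM_WRITE_MASK);
	if (data->err) {
		return BT_GATT_ITER_STOP;
	}

	/* Only attributes that ask for it get to vet the data up front */
	if (attr->perm & BT_GATT_PERM_PREPARE_WRITE) {
		/* Write attribute value to check if device is authorized */
		write = attr->write(data->conn, attr, data->value, data->len,
				    data->offset, BT_GATT_WRITE_FLAG_PREPARE);
		if (write != 0) {
			data->err = err_to_att(write);
			return BT_GATT_ITER_STOP;
		}
	}

	/* Copy data into the outstanding queue */
	data->buf = net_buf_alloc(&prep_pool, K_NO_WAIT);
	if (!data->buf) {
		data->err = BT_ATT_ERR_PREPARE_QUEUE_FULL;
		return BT_GATT_ITER_STOP;
	}

	/* The length comes from the peer's PDU while the pool buffer has a
	 * fixed size: refuse anything that would not fit rather than rely
	 * on the copy below to stay in bounds.
	 */
	if (data->len > net_buf_tailroom(data->buf)) {
		net_buf_unref(data->buf);
		data->buf = NULL;
		data->err = BT_ATT_ERR_INVALID_ATTRIBUTE_LEN;
		return BT_GATT_ITER_STOP;
	}

	attr_data = net_buf_user_data(data->buf);
	attr_data->handle = handle;
	attr_data->offset = data->offset;

	net_buf_add_mem(data->buf, data->value, data->len);

	data->err = 0U;

	return BT_GATT_ITER_CONTINUE;
}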
1803 
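/* Queue a prepared write and echo it back in a Prepare Write Response.
 *
 * @value/@len is the part of the attribute value the peer wants written to
 * @handle at @offset. prep_write_cb checks permissions and copies the data;
 * the resulting buffer is put on the ATT prepare queue and the same handle,
 * offset and value are returned to the peer.
 *
 * @len is 16 bits wide: the caller passes the remaining PDU length, which
 * is a 16-bit quantity, and an 8-bit parameter would silently truncate
 * values longer than 255 bytes in both the queued data and the echo.
 *
 * Returns BT_ATT_ERR_DB_OUT_OF_SYNC when bt_gatt_change_aware() rejects the
 * connection, BT_ATT_ERR_INVALID_HANDLE for handle 0, BT_ATT_ERR_UNLIKELY
 * when the response PDU cannot be created (the data is already queued at
 * that point), and 0 once a response or Error Response has been sent.
 */
static uint8_t att_prep_write_rsp(struct bt_att_chan *chan, uint16_t handle,
			       uint16_t offset, const void *value, uint16_t len)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct prep_data data;
	struct bt_att_prepare_write_rsp *rsp;

	if (!bt_gatt_change_aware(conn, true)) {
		return BT_ATT_ERR_DB_OUT_OF_SYNC;
	}

	if (!handle) {
		return BT_ATT_ERR_INVALID_HANDLE;
	}

	(void)memset(&data, 0, sizeof(data));

	data.conn = conn;
	data.offset = offset;
	data.value = value;
	data.len = len;
	/* Stays in place if the handle matches no attribute */
	data.err = BT_ATT_ERR_INVALID_HANDLE;

	bt_gatt_foreach_attr(handle, handle, prep_write_cb, &data);

	if (data.err) {
		/* Respond here since handle is set */
		send_err_rsp(chan, BT_ATT_OP_PREPARE_WRITE_REQ, handle,
			     data.err);
		return 0;
	}

	BT_DBG("buf %p handle 0x%04x offset %u", data.buf, handle, offset);

	/* Store buffer in the outstanding queue */
	net_buf_put(&chan->att->prep_queue, data.buf);

	/* Generate response */
	data.buf = bt_att_create_pdu(conn, BT_ATT_OP_PREPARE_WRITE_RSP, 0);
	if (!data.buf) {
		return BT_ATT_ERR_UNLIKELY;
	}

	rsp = net_buf_add(data.buf, sizeof(*rsp));
	rsp->handle = sys_cpu_to_le16(handle);
	rsp->offset = sys_cpu_to_le16(offset);
	/* Reserve room for the echoed value, then fill it in */
	net_buf_add(data.buf, len);
	memcpy(rsp->value, value, len);

	bt_att_chan_send_rsp(chan, data.buf, chan_rsp_sent);

	return 0;
}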
1857 #endif /* CONFIG_BT_ATT_PREPARE_COUNT */
1858 
/* Handle an incoming Prepare Write Request.
 *
 * With CONFIG_BT_ATT_PREPARE_COUNT set to 0 the operation is reported as
 * not supported. Otherwise the handle and offset are parsed and the rest of
 * the PDU is passed to att_prep_write_rsp() as the value.
 *
 * NOTE(review): the request header is pulled without a length check in
 * this function; presumably the dispatcher validates the minimum PDU length
 * before calling - confirm.
 */
static uint8_t att_prepare_write_req(struct bt_att_chan *chan, struct net_buf *buf)
{
#if CONFIG_BT_ATT_PREPARE_COUNT == 0
	return BT_ATT_ERR_NOT_SUPPORTED;
#else
	struct bt_att_prepare_write_req *req =
		net_buf_pull_mem(buf, sizeof(*req));
	uint16_t handle = sys_le16_to_cpu(req->handle);
	uint16_t offset = sys_le16_to_cpu(req->offset);

	BT_DBG("handle 0x%04x offset %u", handle, offset);

	/* What is left in buf after the header is the value */
	return att_prep_write_rsp(chan, handle, offset, buf->data, buf->len);
#endif /* CONFIG_BT_ATT_PREPARE_COUNT */
}
1877 
1878 #if CONFIG_BT_ATT_PREPARE_COUNT > 0
/* Execute or cancel the prepared writes queued on this ATT instance.
 *
 * The prepare queue is always drained. Entries are written, in queue order,
 * only while @flags equals BT_ATT_FLAG_EXEC and no earlier entry failed;
 * any other flags value just discards them. The first failing write is
 * reported with an Error Response for its handle and the remaining entries
 * are dropped unwritten.
 *
 * Returns BT_ATT_ERR_UNLIKELY when the response PDU cannot be created,
 * otherwise 0.
 */
static uint8_t att_exec_write_rsp(struct bt_att_chan *chan, uint8_t flags)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct net_buf *buf;
	uint8_t err = 0U;

	for (buf = net_buf_get(&chan->att->prep_queue, K_NO_WAIT); buf;
	     buf = net_buf_get(&chan->att->prep_queue, K_NO_WAIT)) {
		struct bt_attr_data *entry = net_buf_user_data(buf);

		BT_DBG("buf %p handle 0x%04x offset %u", buf, entry->handle,
		       entry->offset);

		/* After an error, or on cancel, the data is only discarded */
		if (err == 0U && flags == BT_ATT_FLAG_EXEC) {
			err = att_write_rsp(chan, BT_ATT_OP_EXEC_WRITE_REQ, 0,
					    entry->handle, entry->offset,
					    buf->data, buf->len);
			if (err != 0U) {
				/* The failing handle is known here, so
				 * respond directly.
				 */
				send_err_rsp(chan, BT_ATT_OP_EXEC_WRITE_REQ,
					     entry->handle, err);
			}
		}

		net_buf_unref(buf);
	}

	/* An Error Response has already been sent */
	if (err != 0U) {
		return 0;
	}

	buf = bt_att_create_pdu(conn, BT_ATT_OP_EXEC_WRITE_RSP, 0);
	if (buf == NULL) {
		return BT_ATT_ERR_UNLIKELY;
	}

	bt_att_chan_send_rsp(chan, buf, chan_rsp_sent);

	return 0;
}
1920 #endif /* CONFIG_BT_ATT_PREPARE_COUNT */
1921 
1922 
/* Handle an incoming Execute Write Request.
 *
 * With CONFIG_BT_ATT_PREPARE_COUNT set to 0 the operation is reported as
 * not supported. Otherwise the flags octet is passed to
 * att_exec_write_rsp().
 *
 * NOTE(review): the request structure is overlaid on buf->data without a
 * length check in this function; presumably the dispatcher validates the
 * minimum PDU length before calling - confirm.
 */
static uint8_t att_exec_write_req(struct bt_att_chan *chan, struct net_buf *buf)
{
#if CONFIG_BT_ATT_PREPARE_COUNT == 0
	return BT_ATT_ERR_NOT_SUPPORTED;
#else
	struct bt_att_exec_write_req *req = (void *)buf->data;

	BT_DBG("flags 0x%02x", req->flags);

	return att_exec_write_rsp(chan, req->flags);
#endif /* CONFIG_BT_ATT_PREPARE_COUNT */
}
1937 
/* Handle an incoming Write Command (write without response).
 *
 * The PDU is a 16-bit handle followed by the value. Both opcodes passed to
 * att_write_rsp() are 0, so no response and no Error Response is sent.
 *
 * NOTE(review): the handle is pulled without a length check in this
 * function; presumably the dispatcher validates the minimum PDU length
 * before calling - confirm.
 */
static uint8_t att_write_cmd(struct bt_att_chan *chan, struct net_buf *buf)
{
	uint16_t handle = net_buf_pull_le16(buf);

	BT_DBG("handle 0x%04x", handle);

	return att_write_rsp(chan, 0, 0, handle, 0, buf->data, buf->len);
}
1948 
1949 #if defined(CONFIG_BT_SIGNING)
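/* Handle an incoming Signed Write Command.
 *
 * The PDU is a 16-bit handle, the value and a trailing signature. The
 * signature is verified over the whole PDU including the ATT header before
 * any data reaches the attribute; on failure the command is dropped. Being
 * a command, no response is sent in any case and 0 is returned for every
 * drop path.
 *
 * The PDU length is checked here before the signature size is subtracted
 * from it: a PDU too short to hold handle plus signature would otherwise
 * make that subtraction wrap and hand a bogus length to the write.
 * NOTE(review): the dispatcher may already enforce this minimum length;
 * the check is kept local so this function does not depend on it.
 */
static uint8_t att_signed_write_cmd(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_conn *conn = chan->chan.chan.conn;
	struct bt_att_signed_write_cmd *req;
	uint16_t handle;
	int err;

	/* The Signed Write Without Response sub-procedure shall only be supported
	 * on the LE Fixed Channel Unenhanced ATT bearer.
	 */
	if (atomic_test_bit(chan->flags, ATT_ENHANCED)) {
		/* No response for this command */
		return 0;
	}

	if (buf->len < sizeof(*req) + sizeof(struct bt_att_signature)) {
		BT_ERR("Signed write PDU too short");
		/* No response for this command */
		return 0;
	}

	req = (void *)buf->data;

	handle = sys_le16_to_cpu(req->handle);

	BT_DBG("handle 0x%04x", handle);

	/* Verifying data requires full buffer including attribute header */
	net_buf_push(buf, sizeof(struct bt_att_hdr));
	err = bt_smp_sign_verify(conn, buf);
	if (err) {
		BT_ERR("Error verifying data");
		/* No response for this command */
		return 0;
	}

	/* Strip the ATT header again, then the handle */
	net_buf_pull(buf, sizeof(struct bt_att_hdr));
	net_buf_pull(buf, sizeof(*req));

	/* The signature at the tail is not part of the value */
	return att_write_rsp(chan, 0, 0, handle, 0, buf->data,
			     buf->len - sizeof(struct bt_att_signature));
}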
1986 #endif /* CONFIG_BT_SIGNING */
1987 
1988 #if defined(CONFIG_BT_GATT_CLIENT)
1989 #if defined(CONFIG_BT_SMP)
/* Try to raise the connection's security level in answer to an ATT error.
 *
 * @err is the error code taken from a peer's Error Response. Only
 * "insufficient encryption" and "insufficient authentication" are acted on,
 * and every branch requests a level strictly above conn->sec_level, so a
 * peer-supplied error code can never lower the level.
 *
 * Returns -EALREADY when the current level already satisfies the error,
 * -EINVAL for any other error code, and otherwise the result of
 * bt_conn_set_security().
 */
static int att_change_security(struct bt_conn *conn, uint8_t err)
{
	bt_security_t sec;

	if (err == BT_ATT_ERR_INSUFFICIENT_ENCRYPTION) {
		if (conn->sec_level >= BT_SECURITY_L2) {
			return -EALREADY;
		}
		sec = BT_SECURITY_L2;
	} else if (err == BT_ATT_ERR_AUTHENTICATION) {
		/* The three cases below follow BLUETOOTH SPECIFICATION
		 * Version 4.2 [Vol 3, Part C] page 375.
		 */
		if (conn->sec_level < BT_SECURITY_L2) {
			/* If an LTK is not available, the service request
			 * shall be rejected with the error code 'Insufficient
			 * Authentication'.
			 * Note: When the link is not encrypted, the error code
			 * "Insufficient Authentication" does not indicate that
			 * MITM protection is required.
			 */
			sec = BT_SECURITY_L2;
		} else if (conn->sec_level < BT_SECURITY_L3) {
			/* If an authenticated pairing is required but only an
			 * unauthenticated pairing has occurred and the link is
			 * currently encrypted, the service request shall be
			 * rejected with the error code 'Insufficient
			 * Authentication'.
			 * Note: When unauthenticated pairing has occurred and
			 * the link is currently encrypted, the error code
			 * 'Insufficient Authentication' indicates that MITM
			 * protection is required.
			 */
			sec = BT_SECURITY_L3;
		} else if (conn->sec_level < BT_SECURITY_L4) {
			/* If LE Secure Connections authenticated pairing is
			 * required but LE legacy pairing has occurred and the
			 * link is currently encrypted, the service request
			 * shall be rejected with the error code 'Insufficient
			 * Authentication'.
			 */
			sec = BT_SECURITY_L4;
		} else {
			/* Already at the highest level handled here */
			return -EALREADY;
		}
	} else {
		/* Not an error that more security can resolve */
		return -EINVAL;
	}

	return bt_conn_set_security(conn, sec);
}
2049 #endif /* CONFIG_BT_SMP */
2050 
/* Handle an incoming Error Response.
 *
 * Without a pending request, or with a cancelled one, the response is
 * reported as BT_ATT_ERR_UNLIKELY. Otherwise, when CONFIG_BT_SMP is enabled
 * and att_change_security() accepts the error, the pending request is
 * marked as retrying and nothing is reported yet. In every other case the
 * peer's error code is passed to att_handle_rsp().
 *
 * NOTE(review): the request opcode and handle carried in the Error Response
 * are only logged; this function does not compare them with the pending
 * request. The structure is also overlaid on buf->data without a length
 * check here - presumably the dispatcher validates it; confirm.
 */
static uint8_t att_error_rsp(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_att_error_rsp *rsp = (void *)buf->data;
	uint8_t err;

	BT_DBG("request 0x%02x handle 0x%04x error 0x%02x", rsp->request,
	       sys_le16_to_cpu(rsp->handle), rsp->error);

	/* Nothing to retry if no request is pending or it was cancelled */
	if (!chan->req || chan->req == &cancel) {
		return att_handle_rsp(chan, NULL, 0, BT_ATT_ERR_UNLIKELY);
	}

	err = rsp->error;
#if defined(CONFIG_BT_SMP)
	/* A security error may be resolved by elevating security */
	if (att_change_security(chan->chan.chan.conn, err) == 0) {
		chan->req->retrying = true;
		return 0;
	}
#endif /* CONFIG_BT_SMP */

	return att_handle_rsp(chan, NULL, 0, err);
}
2079 
/*
 * Find Information Response: pass the payload to the pending request.
 *
 * bt_att_recv() has only checked the minimum length from the handlers table;
 * the payload itself is forwarded unparsed.
 */
static uint8_t att_handle_find_info_rsp(struct bt_att_chan *chan,
					struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2087 
/*
 * Find By Type Value Response: pass the payload to the pending request.
 *
 * Only the minimum length from the handlers table has been checked by
 * bt_att_recv(); the payload is forwarded unparsed.
 */
static uint8_t att_handle_find_type_rsp(struct bt_att_chan *chan,
					struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2095 
/*
 * Read By Type Response: pass the payload to the pending request.
 *
 * Only the minimum length from the handlers table has been checked by
 * bt_att_recv(); the payload is forwarded unparsed.
 */
static uint8_t att_handle_read_type_rsp(struct bt_att_chan *chan,
					struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2103 
/*
 * Read Response: pass the payload to the pending request.
 *
 * The handlers table sets no minimum length for this opcode, so the payload
 * may be empty.
 */
static uint8_t att_handle_read_rsp(struct bt_att_chan *chan,
				   struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2111 
/*
 * Read Blob Response: pass the payload to the pending request.
 *
 * The handlers table sets no minimum length for this opcode, so the payload
 * may be empty.
 */
static uint8_t att_handle_read_blob_rsp(struct bt_att_chan *chan,
					struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2119 
2120 #if defined(CONFIG_BT_GATT_READ_MULTIPLE)
/*
 * Read Multiple Response: pass the payload to the pending request.
 *
 * The handlers table sets no minimum length for this opcode, so the payload
 * may be empty.
 */
static uint8_t att_handle_read_mult_rsp(struct bt_att_chan *chan,
					struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2128 
2129 #if defined(CONFIG_BT_EATT)
/*
 * Read Multiple Variable Length Response: pass the payload to the pending
 * request.
 *
 * Only the minimum length from the handlers table has been checked by
 * bt_att_recv(); the length fields inside the payload are not examined here.
 */
static uint8_t att_handle_read_mult_vl_rsp(struct bt_att_chan *chan,
					   struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2137 #endif /* CONFIG_BT_EATT */
2138 #endif /* CONFIG_BT_GATT_READ_MULTIPLE */
2139 
/*
 * Read By Group Type Response: pass the payload to the pending request.
 *
 * Only the minimum length from the handlers table has been checked by
 * bt_att_recv(); the payload is forwarded unparsed.
 */
static uint8_t att_handle_read_group_rsp(struct bt_att_chan *chan,
					 struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2147 
/*
 * Write Response: complete the pending request with whatever payload the
 * PDU carries (the handlers table sets no minimum length).
 */
static uint8_t att_handle_write_rsp(struct bt_att_chan *chan,
				    struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2155 
/*
 * Prepare Write Response: pass the payload to the pending request.
 *
 * Only the minimum length from the handlers table has been checked by
 * bt_att_recv(); the echoed handle, offset and value are not compared with
 * what was sent in this function.
 */
static uint8_t att_handle_prepare_write_rsp(struct bt_att_chan *chan,
					    struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2163 
/*
 * Execute Write Response: complete the pending request with whatever payload
 * the PDU carries (the handlers table sets no minimum length).
 */
static uint8_t att_handle_exec_write_rsp(struct bt_att_chan *chan,
					 struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2171 
/*
 * Handle Value Notification: strip the 16-bit attribute handle and hand the
 * remaining bytes to GATT.
 *
 * The handle is peer-supplied; it is passed on as received. bt_att_recv()
 * has already verified that the PDU holds at least
 * sizeof(struct bt_att_notify) bytes before this pull.
 *
 * Always returns 0.
 */
static uint8_t att_notify(struct bt_att_chan *chan, struct net_buf *buf)
{
	uint16_t handle = net_buf_pull_le16(buf);

	BT_DBG("chan %p handle 0x%04x", chan, handle);

	bt_gatt_notification(chan->att->conn, handle, buf->data, buf->len);

	return 0;
}
2184 
/*
 * Handle Value Indication: deliver the value to GATT, then answer with a
 * Handle Value Confirmation.
 *
 * The confirmation is skipped when no PDU buffer can be created; the function
 * still returns 0 in that case, so the peer gets no confirmation for this
 * indication.
 */
static uint8_t att_indicate(struct bt_att_chan *chan, struct net_buf *buf)
{
	uint16_t handle = net_buf_pull_le16(buf);
	struct net_buf *cfm;

	BT_DBG("chan %p handle 0x%04x", chan, handle);

	bt_gatt_notification(chan->att->conn, handle, buf->data, buf->len);

	cfm = bt_att_chan_create_pdu(chan, BT_ATT_OP_CONFIRM, 0);
	if (cfm) {
		bt_att_chan_send_rsp(chan, cfm, chan_cfm_sent);
	}

	return 0;
}
2204 
/*
 * Multiple Handle Value Notification: hand the whole payload to GATT.
 *
 * No per-entry parsing happens here; the handle/length tuples inside the
 * payload are left to bt_gatt_mult_notification().
 *
 * Always returns 0.
 */
static uint8_t att_notify_mult(struct bt_att_chan *chan, struct net_buf *buf)
{
	struct bt_conn *conn = chan->att->conn;

	BT_DBG("chan %p", chan);

	bt_gatt_mult_notification(conn, buf->data, buf->len);

	return 0;
}
2213 #endif /* CONFIG_BT_GATT_CLIENT */
2214 
/*
 * Handle Value Confirmation: treated like a response, i.e. the payload is
 * passed to att_handle_rsp() with error 0.
 */
static uint8_t att_confirm(struct bt_att_chan *chan, struct net_buf *buf)
{
	void *pdu = buf->data;
	uint16_t pdu_len = buf->len;

	BT_DBG("");

	return att_handle_rsp(chan, pdu, pdu_len, 0);
}
2221 
/*
 * Dispatch table for incoming ATT PDUs, searched linearly by bt_att_recv().
 *
 *  op          opcode the entry matches
 *  expect_len  minimum payload length (opcode byte excluded); bt_att_recv()
 *              rejects shorter PDUs before calling func
 *  type        PDU class, used by bt_att_recv() for flow enforcement and to
 *              decide whether a failure is answered with an Error Response
 *  func        handler; each handler must validate anything beyond the
 *              minimum length itself
 */
static const struct att_handler {
	uint8_t op;
	uint8_t expect_len;
	att_type_t type;
	uint8_t (*func)(struct bt_att_chan *chan, struct net_buf *buf);
} handlers[] = {
	/* Requests, confirmation and commands received from the peer */
	{ .op = BT_ATT_OP_MTU_REQ,
	  .expect_len = sizeof(struct bt_att_exchange_mtu_req),
	  .type = ATT_REQUEST,
	  .func = att_mtu_req },
	{ .op = BT_ATT_OP_FIND_INFO_REQ,
	  .expect_len = sizeof(struct bt_att_find_info_req),
	  .type = ATT_REQUEST,
	  .func = att_find_info_req },
	{ .op = BT_ATT_OP_FIND_TYPE_REQ,
	  .expect_len = sizeof(struct bt_att_find_type_req),
	  .type = ATT_REQUEST,
	  .func = att_find_type_req },
	{ .op = BT_ATT_OP_READ_TYPE_REQ,
	  .expect_len = sizeof(struct bt_att_read_type_req),
	  .type = ATT_REQUEST,
	  .func = att_read_type_req },
	{ .op = BT_ATT_OP_READ_REQ,
	  .expect_len = sizeof(struct bt_att_read_req),
	  .type = ATT_REQUEST,
	  .func = att_read_req },
	{ .op = BT_ATT_OP_READ_BLOB_REQ,
	  .expect_len = sizeof(struct bt_att_read_blob_req),
	  .type = ATT_REQUEST,
	  .func = att_read_blob_req },
#if defined(CONFIG_BT_GATT_READ_MULTIPLE)
	{ .op = BT_ATT_OP_READ_MULT_REQ,
	  .expect_len = BT_ATT_READ_MULT_MIN_LEN_REQ,
	  .type = ATT_REQUEST,
	  .func = att_read_mult_req },
#if defined(CONFIG_BT_EATT)
	{ .op = BT_ATT_OP_READ_MULT_VL_REQ,
	  .expect_len = BT_ATT_READ_MULT_MIN_LEN_REQ,
	  .type = ATT_REQUEST,
	  .func = att_read_mult_vl_req },
#endif /* CONFIG_BT_EATT */
#endif /* CONFIG_BT_GATT_READ_MULTIPLE */
	{ .op = BT_ATT_OP_READ_GROUP_REQ,
	  .expect_len = sizeof(struct bt_att_read_group_req),
	  .type = ATT_REQUEST,
	  .func = att_read_group_req },
	{ .op = BT_ATT_OP_WRITE_REQ,
	  .expect_len = sizeof(struct bt_att_write_req),
	  .type = ATT_REQUEST,
	  .func = att_write_req },
	{ .op = BT_ATT_OP_PREPARE_WRITE_REQ,
	  .expect_len = sizeof(struct bt_att_prepare_write_req),
	  .type = ATT_REQUEST,
	  .func = att_prepare_write_req },
	{ .op = BT_ATT_OP_EXEC_WRITE_REQ,
	  .expect_len = sizeof(struct bt_att_exec_write_req),
	  .type = ATT_REQUEST,
	  .func = att_exec_write_req },
	{ .op = BT_ATT_OP_CONFIRM,
	  .expect_len = 0,
	  .type = ATT_CONFIRMATION,
	  .func = att_confirm },
	{ .op = BT_ATT_OP_WRITE_CMD,
	  .expect_len = sizeof(struct bt_att_write_cmd),
	  .type = ATT_COMMAND,
	  .func = att_write_cmd },
#if defined(CONFIG_BT_SIGNING)
	{ .op = BT_ATT_OP_SIGNED_WRITE_CMD,
	  .expect_len = (sizeof(struct bt_att_write_cmd) +
			 sizeof(struct bt_att_signature)),
	  .type = ATT_COMMAND,
	  .func = att_signed_write_cmd },
#endif /* CONFIG_BT_SIGNING */
#if defined(CONFIG_BT_GATT_CLIENT)
	/* Responses, notifications and indications (client role only) */
	{ .op = BT_ATT_OP_ERROR_RSP,
	  .expect_len = sizeof(struct bt_att_error_rsp),
	  .type = ATT_RESPONSE,
	  .func = att_error_rsp },
	{ .op = BT_ATT_OP_MTU_RSP,
	  .expect_len = sizeof(struct bt_att_exchange_mtu_rsp),
	  .type = ATT_RESPONSE,
	  .func = att_mtu_rsp },
	{ .op = BT_ATT_OP_FIND_INFO_RSP,
	  .expect_len = sizeof(struct bt_att_find_info_rsp),
	  .type = ATT_RESPONSE,
	  .func = att_handle_find_info_rsp },
	{ .op = BT_ATT_OP_FIND_TYPE_RSP,
	  .expect_len = sizeof(struct bt_att_handle_group),
	  .type = ATT_RESPONSE,
	  .func = att_handle_find_type_rsp },
	{ .op = BT_ATT_OP_READ_TYPE_RSP,
	  .expect_len = sizeof(struct bt_att_read_type_rsp),
	  .type = ATT_RESPONSE,
	  .func = att_handle_read_type_rsp },
	{ .op = BT_ATT_OP_READ_RSP,
	  .expect_len = 0,
	  .type = ATT_RESPONSE,
	  .func = att_handle_read_rsp },
	{ .op = BT_ATT_OP_READ_BLOB_RSP,
	  .expect_len = 0,
	  .type = ATT_RESPONSE,
	  .func = att_handle_read_blob_rsp },
#if defined(CONFIG_BT_GATT_READ_MULTIPLE)
	{ .op = BT_ATT_OP_READ_MULT_RSP,
	  .expect_len = 0,
	  .type = ATT_RESPONSE,
	  .func = att_handle_read_mult_rsp },
#if defined(CONFIG_BT_EATT)
	{ .op = BT_ATT_OP_READ_MULT_VL_RSP,
	  .expect_len = sizeof(struct bt_att_read_mult_vl_rsp),
	  .type = ATT_RESPONSE,
	  .func = att_handle_read_mult_vl_rsp },
#endif /* CONFIG_BT_EATT */
#endif /* CONFIG_BT_GATT_READ_MULTIPLE */
	{ .op = BT_ATT_OP_READ_GROUP_RSP,
	  .expect_len = sizeof(struct bt_att_read_group_rsp),
	  .type = ATT_RESPONSE,
	  .func = att_handle_read_group_rsp },
	{ .op = BT_ATT_OP_WRITE_RSP,
	  .expect_len = 0,
	  .type = ATT_RESPONSE,
	  .func = att_handle_write_rsp },
	{ .op = BT_ATT_OP_PREPARE_WRITE_RSP,
	  .expect_len = sizeof(struct bt_att_prepare_write_rsp),
	  .type = ATT_RESPONSE,
	  .func = att_handle_prepare_write_rsp },
	{ .op = BT_ATT_OP_EXEC_WRITE_RSP,
	  .expect_len = 0,
	  .type = ATT_RESPONSE,
	  .func = att_handle_exec_write_rsp },
	{ .op = BT_ATT_OP_NOTIFY,
	  .expect_len = sizeof(struct bt_att_notify),
	  .type = ATT_NOTIFICATION,
	  .func = att_notify },
	{ .op = BT_ATT_OP_INDICATE,
	  .expect_len = sizeof(struct bt_att_indicate),
	  .type = ATT_INDICATION,
	  .func = att_indicate },
	{ .op = BT_ATT_OP_NOTIFY_MULT,
	  .expect_len = sizeof(struct bt_att_notify_mult),
	  .type = ATT_NOTIFICATION,
	  .func = att_notify_mult },
#endif /* CONFIG_BT_GATT_CLIENT */
};
2366 
/*
 * Classify an ATT opcode.
 *
 * Opcodes listed below map to their PDU class. Any other opcode is a command
 * when ATT_CMD_MASK is set in it, and ATT_UNKNOWN otherwise.
 *
 * NOTE(review): BT_ATT_OP_READ_MULT_VL_REQ, BT_ATT_OP_READ_MULT_VL_RSP and
 * BT_ATT_OP_NOTIFY_MULT appear in the handlers table but have no case here,
 * so unless the command bit is set in their values they classify as
 * ATT_UNKNOWN. bt_att_recv() answers unhandled ATT_UNKNOWN opcodes with an
 * Error Response - confirm that is intended for a response or notification.
 */
static att_type_t att_op_get_type(uint8_t op)
{
	switch (op) {
	/* Requests */
	case BT_ATT_OP_MTU_REQ:
	case BT_ATT_OP_FIND_INFO_REQ:
	case BT_ATT_OP_FIND_TYPE_REQ:
	case BT_ATT_OP_READ_TYPE_REQ:
	case BT_ATT_OP_READ_REQ:
	case BT_ATT_OP_READ_BLOB_REQ:
	case BT_ATT_OP_READ_MULT_REQ:
	case BT_ATT_OP_READ_GROUP_REQ:
	case BT_ATT_OP_WRITE_REQ:
	case BT_ATT_OP_PREPARE_WRITE_REQ:
	case BT_ATT_OP_EXEC_WRITE_REQ:
		return ATT_REQUEST;

	/* Responses */
	case BT_ATT_OP_ERROR_RSP:
	case BT_ATT_OP_MTU_RSP:
	case BT_ATT_OP_FIND_INFO_RSP:
	case BT_ATT_OP_FIND_TYPE_RSP:
	case BT_ATT_OP_READ_TYPE_RSP:
	case BT_ATT_OP_READ_RSP:
	case BT_ATT_OP_READ_BLOB_RSP:
	case BT_ATT_OP_READ_MULT_RSP:
	case BT_ATT_OP_READ_GROUP_RSP:
	case BT_ATT_OP_WRITE_RSP:
	case BT_ATT_OP_PREPARE_WRITE_RSP:
	case BT_ATT_OP_EXEC_WRITE_RSP:
		return ATT_RESPONSE;

	/* Commands */
	case BT_ATT_OP_WRITE_CMD:
	case BT_ATT_OP_SIGNED_WRITE_CMD:
		return ATT_COMMAND;

	case BT_ATT_OP_CONFIRM:
		return ATT_CONFIRMATION;
	case BT_ATT_OP_NOTIFY:
		return ATT_NOTIFICATION;
	case BT_ATT_OP_INDICATE:
		return ATT_INDICATION;

	default:
		break;
	}

	/* Unlisted opcode: only the command flag can still classify it */
	return (op & ATT_CMD_MASK) ? ATT_COMMAND : ATT_UNKNOWN;
}
2412 
/*
 * L2CAP receive callback: validate and dispatch one incoming ATT PDU.
 *
 * Everything in buf comes from the peer. The checks made here, in order:
 *  - the PDU holds at least an ATT header;
 *  - the channel is still attached to an ATT context;
 *  - the opcode has an entry in the handlers table; if not, an Error Response
 *    (Not Supported) is sent unless the opcode classifies as a command or an
 *    indication;
 *  - with CONFIG_BT_ATT_ENFORCE_FLOW, a request or indication arriving while
 *    the previous one is still outstanding is dropped;
 *  - the payload is at least handler->expect_len bytes long.
 *
 * A non-zero handler result is reported to the peer only for requests.
 *
 * Always returns 0.
 */
static int bt_att_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
{
	struct bt_att_chan *att_chan = ATT_CHAN(chan);
	const struct att_handler *handler = NULL;
	struct bt_att_hdr *hdr;
	uint8_t err;

	if (buf->len < sizeof(*hdr)) {
		BT_ERR("Too small ATT PDU received");
		return 0;
	}

	hdr = net_buf_pull_mem(buf, sizeof(*hdr));
	BT_DBG("Received ATT chan %p code 0x%02x len %zu", att_chan, hdr->code,
	       net_buf_frags_len(buf));

	if (!att_chan->att) {
		BT_DBG("Ignore recv on detached ATT chan");
		return 0;
	}

	for (size_t idx = 0; idx < ARRAY_SIZE(handlers); idx++) {
		if (handlers[idx].op == hdr->code) {
			handler = &handlers[idx];
			break;
		}
	}

	if (!handler) {
		att_type_t op_type;

		BT_WARN("Unhandled ATT code 0x%02x", hdr->code);

		/* Commands and indications are never answered with an error */
		op_type = att_op_get_type(hdr->code);
		if (op_type != ATT_COMMAND && op_type != ATT_INDICATION) {
			send_err_rsp(att_chan, hdr->code, 0,
				     BT_ATT_ERR_NOT_SUPPORTED);
		}

		return 0;
	}

	if (IS_ENABLED(CONFIG_BT_ATT_ENFORCE_FLOW)) {
		/* The pending bit is set here as a side effect of the test */
		switch (handler->type) {
		case ATT_REQUEST:
			if (atomic_test_and_set_bit(att_chan->flags,
						    ATT_PENDING_RSP)) {
				BT_WARN("Ignoring unexpected request");
				return 0;
			}
			break;
		case ATT_INDICATION:
			if (atomic_test_and_set_bit(att_chan->flags,
						    ATT_PENDING_CFM)) {
				BT_WARN("Ignoring unexpected indication");
				return 0;
			}
			break;
		default:
			break;
		}
	}

	if (buf->len >= handler->expect_len) {
		err = handler->func(att_chan, buf);
	} else {
		BT_ERR("Invalid len %u for code 0x%02x", buf->len, hdr->code);
		err = BT_ATT_ERR_INVALID_PDU;
	}

	if (err && handler->type == ATT_REQUEST) {
		BT_DBG("ATT error 0x%02x", err);
		send_err_rsp(att_chan, hdr->code, 0, err);
	}

	return 0;
}
2479 
/*
 * Look up the ATT context of a connection through its fixed ATT channel.
 *
 * Returns NULL when the connection is not in the connected state, when no
 * channel is registered for BT_L2CAP_CID_ATT, or when the channel carries the
 * ATT_DISCONNECTED flag. The returned pointer is the channel's att field and
 * may itself be NULL if the channel has been detached.
 */
static struct bt_att *att_get(struct bt_conn *conn)
{
	struct bt_l2cap_chan *l2cap_chan;
	struct bt_att_chan *fixed;

	if (conn->state != BT_CONN_CONNECTED) {
		BT_WARN("Not connected");
		return NULL;
	}

	l2cap_chan = bt_l2cap_le_lookup_rx_cid(conn, BT_L2CAP_CID_ATT);
	if (l2cap_chan == NULL) {
		BT_ERR("Unable to find ATT channel");
		return NULL;
	}

	fixed = ATT_CHAN(l2cap_chan);
	if (atomic_test_bit(fixed->flags, ATT_DISCONNECTED)) {
		BT_WARN("ATT channel flagged as disconnected");
		return NULL;
	}

	return fixed->att;
}
2504 
/*
 * Allocate an ATT PDU on the first channel of the connection whose TX MTU can
 * hold the opcode plus len bytes of payload.
 *
 * Returns the buffer from bt_att_chan_create_pdu(), or NULL when there is no
 * usable ATT context or no channel with a large enough MTU.
 *
 * NOTE(review): len + sizeof(op) is evaluated in size_t, so a len close to
 * SIZE_MAX would wrap and pass the MTU comparison; callers are presumably
 * passing bounded PDU lengths - confirm.
 */
struct net_buf *bt_att_create_pdu(struct bt_conn *conn, uint8_t op, size_t len)
{
	struct bt_att_chan *chan, *next;
	struct bt_att *att = att_get(conn);

	if (att == NULL) {
		return NULL;
	}

	SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->chans, chan, next, node) {
		/* First channel that fits wins */
		if (len + sizeof(op) <= chan->chan.tx.mtu) {
			return bt_att_chan_create_pdu(chan, op, len);
		}
	}

	BT_WARN("No ATT channel for MTU %zu", len + sizeof(op));

	return NULL;
}
2527 
/*
 * Tear down an ATT context: drop every queued buffer, fail every queued
 * request with BT_ATT_ERR_UNLIKELY and return the context to att_slab.
 *
 * Request callbacks are invoked with a NULL connection. The att pointer must
 * not be used by the caller after this function returns.
 */
static void att_reset(struct bt_att *att)
{
	struct net_buf *buf;

#if CONFIG_BT_ATT_PREPARE_COUNT > 0
	/* Drop queued prepare-write buffers */
	for (;;) {
		buf = net_buf_get(&att->prep_queue, K_NO_WAIT);
		if (!buf) {
			break;
		}

		net_buf_unref(buf);
	}
#endif /* CONFIG_BT_ATT_PREPARE_COUNT > 0 */

	/* Drop buffers still waiting to be transmitted */
	for (;;) {
		buf = net_buf_get(&att->tx_queue, K_NO_WAIT);
		if (!buf) {
			break;
		}

		net_buf_unref(buf);
	}

	att->conn = NULL;

	/* Fail the requests that never reached a channel */
	while (!sys_slist_is_empty(&att->reqs)) {
		sys_snode_t *node = sys_slist_get_not_empty(&att->reqs);
		struct bt_att_req *req = ATT_REQ(node);

		if (req->func) {
			req->func(NULL, BT_ATT_ERR_UNLIKELY, NULL, 0,
				  req->user_data);
		}

		bt_att_req_free(req);
	}

	k_mem_slab_free(&att_slab, (void **)&att);
}
2562 
/*
 * Detach a channel from its ATT context.
 *
 * The channel is removed from the context's channel list, its TX queue is
 * emptied, an outstanding request (if any) is completed with
 * BT_ATT_ERR_UNLIKELY, and chan->att is cleared. Callbacks that run later on
 * this channel test chan->att for NULL to recognise the detached state.
 */
static void att_chan_detach(struct bt_att_chan *chan)
{
	struct net_buf *pending;

	BT_DBG("chan %p", chan);

	sys_slist_find_and_remove(&chan->att->chans, &chan->node);

	/* Release buffers that were queued but never sent */
	for (;;) {
		pending = net_buf_get(&chan->tx_queue, K_NO_WAIT);
		if (!pending) {
			break;
		}

		net_buf_unref(pending);
	}

	/* Let the owner of an outstanding request know it failed */
	if (chan->req) {
		att_handle_rsp(chan, NULL, 0, BT_ATT_ERR_UNLIKELY);
	}

	chan->att = NULL;
}
2583 
/*
 * Delayed-work handler run when an ATT transaction timed out.
 *
 * BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part F] page 480:
 *
 * A transaction not completed within 30 seconds shall time out. Such a
 * transaction shall be considered to have failed and the local higher
 * layers shall be informed of this failure. No more attribute protocol
 * requests, commands, indications or notifications shall be sent to the
 * target device on this ATT Bearer.
 *
 * The bearer is shut down through bt_att_disconnected(); the underlying
 * link is not touched here.
 */
static void att_timeout(struct k_work *work)
{
	struct k_work_delayable *delayable = k_work_delayable_from_work(work);
	struct bt_att_chan *timed_out;

	timed_out = CONTAINER_OF(delayable, struct bt_att_chan, timeout_work);

	BT_ERR("ATT Timeout");

	bt_att_disconnected(&timed_out->chan.chan);
}
2602 
/*
 * Return the ATT channel bound to the fixed CID (BT_L2CAP_CID_ATT) of conn.
 *
 * NOTE(review): a failed lookup is only caught by __ASSERT; when assertions
 * are compiled out the container macro is applied to a NULL pointer and the
 * result is not a valid channel. Callers also need to check the returned
 * channel's att field, which is NULL once the channel has been detached.
 */
static struct bt_att_chan *att_get_fixed_chan(struct bt_conn *conn)
{
	struct bt_l2cap_chan *fixed = bt_l2cap_le_lookup_tx_cid(conn,
								BT_L2CAP_CID_ATT);

	__ASSERT(fixed, "No ATT channel found");

	return ATT_CHAN(fixed);
}
2612 
/*
 * Add a channel to the front of the ATT context's channel list.
 *
 * The context-wide queues are initialised when the list is still empty, i.e.
 * when the first channel is attached.
 */
static void att_chan_attach(struct bt_att *att, struct bt_att_chan *chan)
{
	BT_DBG("att %p chan %p flags %u", att, chan, atomic_get(chan->flags));

	if (!sys_slist_is_empty(&att->chans)) {
		/* Queues already set up by an earlier channel */
		sys_slist_prepend(&att->chans, &chan->node);
		return;
	}

	k_fifo_init(&att->tx_queue);
#if CONFIG_BT_ATT_PREPARE_COUNT > 0
	k_fifo_init(&att->prep_queue);
#endif

	sys_slist_prepend(&att->chans, &chan->node);
}
2627 
/*
 * L2CAP "connected" callback for ATT channels (fixed and enhanced).
 *
 * The ATT context is taken from the connection's fixed channel, the new
 * channel is attached to it, unenhanced channels get the default LE MTU in
 * both directions, and the timeout work item is initialised.
 *
 * NOTE(review): the context pointer read from the fixed channel is used
 * without a NULL check; it is NULL once the fixed channel has been detached -
 * confirm that this callback cannot run in that state.
 */
static void bt_att_connected(struct bt_l2cap_chan *chan)
{
	struct bt_att *att = att_get_fixed_chan(chan->conn)->att;
	struct bt_l2cap_le_chan *le_chan = BT_L2CAP_LE_CHAN(chan);
	struct bt_att_chan *att_chan = ATT_CHAN(chan);

	BT_DBG("chan %p cid 0x%04x", le_chan, le_chan->tx.cid);

	att_chan_attach(att, att_chan);

	/* Enhanced channels keep the MTU negotiated by L2CAP */
	if (!atomic_test_bit(att_chan->flags, ATT_ENHANCED)) {
		le_chan->tx.mtu = BT_ATT_DEFAULT_LE_MTU;
		le_chan->rx.mtu = BT_ATT_DEFAULT_LE_MTU;
	}

	att_chan_mtu_updated(att_chan);

	k_work_init_delayable(&att_chan->timeout_work, att_timeout);
}
2649 
/*
 * L2CAP "disconnected" callback; also called by att_timeout().
 *
 * Detaches the channel from its ATT context. When that was the last channel
 * of the context, the context is reset (and freed) and GATT is told that the
 * connection is gone. A channel that is already detached is ignored, which
 * makes a second call for the same channel harmless.
 */
static void bt_att_disconnected(struct bt_l2cap_chan *chan)
{
	struct bt_l2cap_le_chan *le_chan = BT_L2CAP_LE_CHAN(chan);
	struct bt_att_chan *att_chan = ATT_CHAN(chan);
	struct bt_att *att;

	BT_DBG("chan %p cid 0x%04x", le_chan, le_chan->tx.cid);

	/* Keep a copy: att_chan_detach() clears att_chan->att */
	att = att_chan->att;
	if (!att) {
		BT_DBG("Ignore disconnect on detached ATT chan");
		return;
	}

	att_chan_detach(att_chan);

	/* Only the last channel takes the whole context down */
	if (sys_slist_is_empty(&att->chans)) {
		att_reset(att);

		bt_gatt_disconnected(le_chan->chan.conn);
	}
}
2674 
2675 #if defined(CONFIG_BT_SMP)
/*
 * Re-encode and resend the request pending on a channel, used after the link
 * security has been raised.
 *
 * Returns BT_ATT_ERR_SUCCESS when the PDU was handed to chan_send(),
 * BT_ATT_ERR_AUTHENTICATION when the request has no encode callback and so
 * cannot be rebuilt, and BT_ATT_ERR_UNLIKELY when allocation, encoding or
 * sending fails.
 */
static uint8_t att_req_retry(struct bt_att_chan *att_chan)
{
	struct bt_att_req *pending = att_chan->req;
	struct net_buf *pdu;

	if (pending->encode == NULL) {
		/* This request does not support resending */
		return BT_ATT_ERR_AUTHENTICATION;
	}

	pdu = bt_att_chan_create_pdu(att_chan, pending->att_op, pending->len);
	if (pdu == NULL) {
		return BT_ATT_ERR_UNLIKELY;
	}

	/* Encoding runs first; sending is attempted only if it succeeded */
	if (pending->encode(pdu, pending->len, pending->user_data) ||
	    chan_send(att_chan, pdu, NULL)) {
		net_buf_unref(pdu);
		return BT_ATT_ERR_UNLIKELY;
	}

	return BT_ATT_ERR_SUCCESS;
}
2705 
/*
 * L2CAP "encrypt_change" callback.
 *
 * hci_status is the HCI status of the security procedure. On failure a
 * request that was waiting for the security change is completed with
 * BT_ATT_ERR_AUTHENTICATION. On success GATT is notified and, provided the
 * link is above BT_SECURITY_L1 and a request is marked as retrying, that
 * request is sent again; a failed resend completes it with the returned
 * error.
 */
static void bt_att_encrypt_change(struct bt_l2cap_chan *chan,
				  uint8_t hci_status)
{
	struct bt_l2cap_le_chan *le_chan = BT_L2CAP_LE_CHAN(chan);
	struct bt_att_chan *att_chan = ATT_CHAN(chan);
	struct bt_conn *conn = le_chan->chan.conn;
	uint8_t err;

	BT_DBG("chan %p conn %p handle %u sec_level 0x%02x status 0x%02x",
	       le_chan, conn, conn->handle, conn->sec_level, hci_status);

	if (!att_chan->att) {
		BT_DBG("Ignore encrypt change on detached ATT chan");
		return;
	}

	if (hci_status != 0) {
		/* Security procedure failed: fail the waiting request too */
		if (att_chan->req && att_chan->req->retrying) {
			att_handle_rsp(att_chan, NULL, 0,
				       BT_ATT_ERR_AUTHENTICATION);
		}

		return;
	}

	bt_gatt_encrypt_change(conn);

	/* Nothing to resend on an unencrypted link or without a retry */
	if (conn->sec_level == BT_SECURITY_L1 ||
	    !(att_chan->req && att_chan->req->retrying)) {
		return;
	}

	BT_DBG("Retrying");

	err = att_req_retry(att_chan);
	if (err != 0) {
		BT_DBG("Retry failed (%d)", err);
		att_handle_rsp(att_chan, NULL, 0, err);
	}
}
2753 #endif /* CONFIG_BT_SMP */
2754 
/*
 * L2CAP "status" callback: when the channel reports BT_L2CAP_STATUS_OUT and
 * has no request outstanding, take the next queued request from the ATT
 * context and send it on this channel. A request that cannot be sent is put
 * back at the head of the queue.
 */
static void bt_att_status(struct bt_l2cap_chan *ch, atomic_t *status)
{
	struct bt_att_chan *att_chan = ATT_CHAN(ch);
	sys_snode_t *next_req;

	BT_DBG("chan %p status %p", ch, status);

	if (!atomic_test_bit(status, BT_L2CAP_STATUS_OUT)) {
		return;
	}

	if (!att_chan->att) {
		BT_DBG("Ignore status on detached ATT chan");
		return;
	}

	/* One request per channel at a time */
	if (att_chan->req) {
		return;
	}

	next_req = sys_slist_get(&att_chan->att->reqs);
	if (!next_req) {
		return;
	}

	if (bt_att_chan_req_send(att_chan, ATT_REQ(next_req)) < 0) {
		/* Could not be sent: keep it first in line */
		sys_slist_prepend(&att_chan->att->reqs, next_req);
	}
}
2789 
/*
 * L2CAP "released" callback: return the channel object to chan_slab.
 * The channel must not be referenced after this call.
 */
static void bt_att_released(struct bt_l2cap_chan *ch)
{
	struct bt_att_chan *released = ATT_CHAN(ch);

	BT_DBG("chan %p", released);

	k_mem_slab_free(&chan_slab, (void **)&released);
}
2798 
/*
 * Allocate and initialise a channel for an ATT context.
 *
 * The number of channels already attached to the context is capped at
 * ATT_CHAN_MAX. Because bt_eatt_accept() calls this for connections the peer
 * opens, the cap also bounds how many channel objects one connection can
 * hold.
 *
 * flags is the initial value of the channel's flag word.
 *
 * Returns the new channel, or NULL when the cap is reached or chan_slab is
 * exhausted. The channel is not added to att->chans here.
 */
static struct bt_att_chan *att_chan_new(struct bt_att *att, atomic_val_t flags)
{
	static struct bt_l2cap_chan_ops ops = {
		.connected = bt_att_connected,
		.disconnected = bt_att_disconnected,
		.recv = bt_att_recv,
		.sent = bt_att_sent,
		.status = bt_att_status,
#if defined(CONFIG_BT_SMP)
		.encrypt_change = bt_att_encrypt_change,
#endif /* CONFIG_BT_SMP */
		.released = bt_att_released,
	};
	struct bt_att_chan *chan;
	int quota = 0;

	SYS_SLIST_FOR_EACH_CONTAINER(&att->chans, chan, node) {
		/* The count only changes on a match, so test the cap there */
		if (chan->att == att && ++quota == ATT_CHAN_MAX) {
			BT_ERR("Maximum number of channels reached: %d", quota);
			return NULL;
		}
	}

	if (k_mem_slab_alloc(&chan_slab, (void **)&chan, K_NO_WAIT) != 0) {
		BT_ERR("No available ATT channel for conn %p", att->conn);
		return NULL;
	}

	/* Slab memory is reused; start from a clean object */
	(void)memset(chan, 0, sizeof(*chan));
	chan->att = att;
	chan->chan.chan.ops = &ops;
	k_fifo_init(&chan->tx_queue);
	atomic_set(chan->flags, flags);

	return chan;
}
2839 
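/*
 * Accept callback of the fixed ATT channel: create the ATT context of a new
 * connection together with its first (unenhanced) channel.
 *
 * On success *ch points at the L2CAP channel embedded in the new ATT channel
 * and 0 is returned. -ENOMEM is returned when either the context or the
 * channel cannot be allocated; in the latter case the context is returned to
 * att_slab so that a failed accept does not consume a slab block.
 */
static int bt_att_accept(struct bt_conn *conn, struct bt_l2cap_chan **ch)
{
	struct bt_att *att;
	struct bt_att_chan *chan;

	BT_DBG("conn %p handle %u", conn, conn->handle);

	if (k_mem_slab_alloc(&att_slab, (void **)&att, K_NO_WAIT)) {
		BT_ERR("No available ATT context for conn %p", conn);
		return -ENOMEM;
	}

	/* Slab memory is reused; start from a clean object */
	(void)memset(att, 0, sizeof(*att));
	att->conn = conn;
	sys_slist_init(&att->reqs);
	sys_slist_init(&att->chans);

	chan = att_chan_new(att, 0);
	if (!chan) {
		/* Nothing references the context yet; give the block back */
		k_mem_slab_free(&att_slab, (void **)&att);
		return -ENOMEM;
	}

	*ch = &chan->chan.chan;

	return 0;
}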
2866 
/* Register bt_att_accept() as the accept callback of the fixed ATT CID. */
BT_L2CAP_CHANNEL_DEFINE(att_fixed_chan, BT_L2CAP_CID_ATT, bt_att_accept, NULL);
2868 
2869 #if defined(CONFIG_BT_EATT)
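/*
 * Open up to num_channels enhanced ATT channels on a connection.
 *
 * Channels are allocated one by one; if allocation stops early, the
 * connection attempt is made with the channels obtained so far.
 *
 * Returns -EINVAL for a NULL connection or when num_channels exceeds
 * CONFIG_BT_EATT_MAX, -ENOTCONN when the fixed channel no longer has an ATT
 * context, -ENOMEM when no channel could be allocated, otherwise the result
 * of bt_l2cap_ecred_chan_connect().
 *
 * NOTE(review): channels allocated here are not released in this function
 * when bt_l2cap_ecred_chan_connect() fails - confirm that L2CAP releases
 * them.
 */
int bt_eatt_connect(struct bt_conn *conn, uint8_t num_channels)
{
	/* One spare slot keeps the list NULL-terminated even when every
	 * channel is used.
	 * NOTE(review): confirm how bt_l2cap_ecred_chan_connect() determines
	 * the number of entries.
	 */
	struct bt_l2cap_chan *chan[CONFIG_BT_EATT_MAX + 1] = { NULL };
	struct bt_att_chan *att_chan;
	struct bt_att *att;
	int i = 0;

	/* Same argument check as bt_eatt_disconnect() */
	if (!conn) {
		return -EINVAL;
	}

	if (num_channels > CONFIG_BT_EATT_MAX) {
		return -EINVAL;
	}

	att_chan = att_get_fixed_chan(conn);
	att = att_chan->att;
	if (!att) {
		/* Fixed channel detached: att_chan_new() would walk a NULL
		 * context.
		 */
		return -ENOTCONN;
	}

	while (num_channels--) {
		att_chan = att_chan_new(att, BIT(ATT_ENHANCED));
		if (!att_chan) {
			break;
		}

		chan[i] = &att_chan->chan.chan;
		i++;
	}

	if (!i) {
		return -ENOMEM;
	}

	return bt_l2cap_ecred_chan_connect(conn, chan, BT_EATT_PSM);
}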
2897 
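/*
 * Request disconnection of every enhanced ATT channel of a connection.
 *
 * Returns -EINVAL for a NULL connection, -ENOTCONN when the connection has
 * no ATT context or no enhanced channel, otherwise the result of the last
 * bt_l2cap_chan_disconnect() call (earlier results are overwritten).
 */
int bt_eatt_disconnect(struct bt_conn *conn)
{
	struct bt_att_chan *chan;
	struct bt_att *att;
	int err = -ENOTCONN;

	if (!conn) {
		return -EINVAL;
	}

	chan = att_get_fixed_chan(conn);
	att = chan->att;
	if (!att) {
		/* Fixed channel already detached: there is no channel list */
		return err;
	}

	SYS_SLIST_FOR_EACH_CONTAINER(&att->chans, chan, node) {
		if (atomic_test_bit(chan->flags, ATT_ENHANCED)) {
			err = bt_l2cap_chan_disconnect(&chan->chan.chan);
		}
	}

	return err;
}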
2919 
2920 #if defined(CONFIG_BT_TESTING)
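/*
 * Test helper: request disconnection of the first enhanced ATT channel found
 * on a connection.
 *
 * Returns -EINVAL for a NULL connection, -ENOTCONN when the connection has
 * no ATT context or no enhanced channel, otherwise the result of
 * bt_l2cap_chan_disconnect().
 */
int bt_eatt_disconnect_one(struct bt_conn *conn)
{
	struct bt_att_chan *chan;
	struct bt_att *att;
	int err = -ENOTCONN;

	/* Validate before the channel lookup, which uses conn */
	if (!conn) {
		return -EINVAL;
	}

	chan = att_get_fixed_chan(conn);
	att = chan->att;
	if (!att) {
		/* Fixed channel already detached: there is no channel list */
		return err;
	}

	SYS_SLIST_FOR_EACH_CONTAINER(&att->chans, chan, node) {
		if (atomic_test_bit(chan->flags, ATT_ENHANCED)) {
			err = bt_l2cap_chan_disconnect(&chan->chan.chan);
			return err;
		}
	}

	return err;
}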
2940 #endif /* CONFIG_BT_TESTING */
2941 #endif /* CONFIG_BT_EATT */
2942 
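/*
 * Accept callback of the EATT L2CAP server: allocate an enhanced ATT channel
 * for a connection opened by the peer.
 *
 * The fixed channel's ATT context is NULL once that channel has been
 * detached (for example after att_timeout() shut the bearer down while the
 * link stayed up). Such a request is refused instead of passing a NULL
 * context to att_chan_new().
 *
 * Returns 0 and stores the new channel in *chan, or -ENOMEM when no channel
 * can be provided. The refusal reuses -ENOMEM so that the caller sees the
 * same failure code as before.
 */
static int bt_eatt_accept(struct bt_conn *conn, struct bt_l2cap_chan **chan)
{
	struct bt_att_chan *att_chan = att_get_fixed_chan(conn);
	struct bt_att *att = att_chan->att;

	BT_DBG("conn %p handle %u", conn, conn->handle);

	if (!att) {
		BT_DBG("Ignore EATT accept on detached ATT chan");
		return -ENOMEM;
	}

	att_chan = att_chan_new(att, BIT(ATT_ENHANCED));
	if (att_chan) {
		*chan = &att_chan->chan.chan;
		return 0;
	}

	return -ENOMEM;
}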
2958 
/*
 * Register the L2CAP server for the EATT PSM.
 *
 * The required security level is taken from CONFIG_BT_EATT_SEC_LEVEL when
 * that option is defined; otherwise the sec_level field keeps its zero
 * initialiser. A registration failure is logged and not propagated.
 */
static void bt_eatt_init(void)
{
	static struct bt_l2cap_server eatt_l2cap = {
		.psm = BT_EATT_PSM,
#if defined(CONFIG_BT_EATT_SEC_LEVEL)
		.sec_level = CONFIG_BT_EATT_SEC_LEVEL,
#endif
		.accept = bt_eatt_accept,
	};
	int rc;

	BT_DBG("");

	rc = bt_l2cap_server_register(&eatt_l2cap);
	if (rc >= 0) {
		return;
	}

	BT_ERR("EATT Server registration failed %d", rc);
}
2977 
/* Initialise GATT and, when CONFIG_BT_EATT is enabled, the EATT server. */
void bt_att_init(void)
{
	bt_gatt_init();

	if (!IS_ENABLED(CONFIG_BT_EATT)) {
		return;
	}

	bt_eatt_init();
}
2986 
/*
 * Return the largest TX MTU among the ATT channels of a connection, or 0
 * when the connection has no usable ATT context.
 */
uint16_t bt_att_get_mtu(struct bt_conn *conn)
{
	struct bt_att_chan *chan, *next;
	struct bt_att *att = att_get(conn);
	uint16_t largest = 0;

	if (att == NULL) {
		return 0;
	}

	SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->chans, chan, next, node) {
		largest = MAX(largest, chan->chan.tx.mtu);
	}

	return largest;
}
3006 
/*
 * Tell GATT when a channel's MTU raises the connection-wide maximum.
 *
 * The maxima over all other channels are computed first;
 * bt_gatt_att_max_mtu_changed() is called only if the updated channel
 * exceeds one of them, and receives the new maxima for both directions.
 */
static void att_chan_mtu_updated(struct bt_att_chan *updated_chan)
{
	struct bt_att *att = updated_chan->att;
	struct bt_att_chan *other, *next;
	uint16_t max_tx = 0;
	uint16_t max_rx = 0;

	/* Maxima of every channel except the one that changed */
	SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->chans, other, next, node) {
		if (other == updated_chan) {
			continue;
		}

		if (other->chan.tx.mtu > max_tx) {
			max_tx = other->chan.tx.mtu;
		}

		if (other->chan.rx.mtu > max_rx) {
			max_rx = other->chan.rx.mtu;
		}
	}

	/* Nothing to report unless one of the maxima grows */
	if (updated_chan->chan.tx.mtu <= max_tx &&
	    updated_chan->chan.rx.mtu <= max_rx) {
		return;
	}

	if (updated_chan->chan.tx.mtu > max_tx) {
		max_tx = updated_chan->chan.tx.mtu;
	}

	if (updated_chan->chan.rx.mtu > max_rx) {
		max_rx = updated_chan->chan.rx.mtu;
	}

	bt_gatt_att_max_mtu_changed(att->conn, max_tx, max_rx);
}
3030 
/*
 * Allocate a zero-initialised request object from req_slab.
 *
 * timeout bounds how long the allocation may wait. Returns NULL when no
 * block became available.
 */
struct bt_att_req *bt_att_req_alloc(k_timeout_t timeout)
{
	struct bt_att_req *req = NULL;

	if (k_mem_slab_alloc(&req_slab, (void **)&req, timeout) != 0) {
		BT_DBG("No space for req");
		return NULL;
	}

	BT_DBG("req %p", req);

	/* Slab blocks are reused, so clear whatever the last user left */
	memset(req, 0, sizeof(*req));

	return req;
}
3047 
/*
 * Release a request: drop its buffer reference, if it holds one, and return
 * the object to req_slab. The caller's pointer is left dangling and must not
 * be used or freed again.
 */
void bt_att_req_free(struct bt_att_req *req)
{
	struct net_buf *held = req->buf;

	BT_DBG("req %p", req);

	if (held != NULL) {
		net_buf_unref(held);
		req->buf = NULL;
	}

	k_mem_slab_free(&req_slab, (void **)&req);
}
3059 
/*
 * Send an ATT PDU on a connection.
 *
 * Without a callback the buffer is queued on the ATT context and the queue
 * is processed. With a callback the buffer goes out on the fixed channel,
 * because bt_l2cap_chan_send cannot be used with a custom user_data.
 *
 * Ownership of buf passes to this function: it is unreferenced here when the
 * connection has no usable ATT context.
 *
 * Returns 0 when queued, -ENOTCONN without an ATT context, otherwise the
 * result of bt_l2cap_send_cb().
 */
int bt_att_send(struct bt_conn *conn, struct net_buf *buf, bt_conn_tx_cb_t cb,
		void *user_data)
{
	struct bt_att *att;

	__ASSERT_NO_MSG(conn);
	__ASSERT_NO_MSG(buf);

	att = att_get(conn);
	if (att == NULL) {
		net_buf_unref(buf);
		return -ENOTCONN;
	}

	if (!cb) {
		net_buf_put(&att->tx_queue, buf);
		att_send_process(att);

		return 0;
	}

	return bt_l2cap_send_cb(conn, BT_L2CAP_CID_ATT, buf, cb, user_data);
}
3087 
/*
 * Queue a request on a connection's ATT context and trigger processing of
 * the request queue.
 *
 * Returns 0 once queued, or -ENOTCONN when the connection has no usable ATT
 * context; in that case the request is left untouched and stays owned by the
 * caller.
 */
int bt_att_req_send(struct bt_conn *conn, struct bt_att_req *req)
{
	struct bt_att *att;

	BT_DBG("conn %p req %p", conn, req);

	__ASSERT_NO_MSG(conn);
	__ASSERT_NO_MSG(req);

	att = att_get(conn);
	if (att == NULL) {
		return -ENOTCONN;
	}

	sys_slist_append(&att->reqs, &req->node);
	att_req_send_process(att);

	return 0;
}
3107 
/*
 * Cancel req if it is the request outstanding on chan.
 *
 * The channel's request slot is pointed at the shared `cancel` placeholder,
 * so the slot stays occupied without referring to the freed request, and the
 * request itself is freed.
 *
 * Returns true when the request was outstanding on this channel.
 */
static bool bt_att_chan_req_cancel(struct bt_att_chan *chan,
				   struct bt_att_req *req)
{
	bool outstanding = (chan->req == req);

	if (outstanding) {
		/* Swap in the placeholder before the request is freed */
		chan->req = &cancel;
		bt_att_req_free(req);
	}

	return outstanding;
}
3121 
/*
 * Cancel a request on a connection and free it.
 *
 * A request outstanding on one of the channels is cancelled there; otherwise
 * it is removed from the context's queue. Nothing happens (and the request
 * is not freed) when conn or req is NULL or the connection has no usable ATT
 * context. After a successful cancel the caller must not use req again.
 */
void bt_att_req_cancel(struct bt_conn *conn, struct bt_att_req *req)
{
	struct bt_att_chan *chan, *next;
	struct bt_att *att;

	BT_DBG("req %p", req);

	if (conn == NULL || req == NULL) {
		return;
	}

	att = att_get(conn);
	if (att == NULL) {
		return;
	}

	/* Already sent on a channel? Then that channel cancels and frees it */
	SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->chans, chan, next, node) {
		if (bt_att_chan_req_cancel(chan, req)) {
			return;
		}
	}

	/* Still queued: unlink it before freeing */
	sys_slist_find_and_remove(&att->reqs, &req->node);

	bt_att_req_free(req);
}
3150