Home | History | Annotate | Download | only in rfcomm
      1 /******************************************************************************
      2  *
      3  *  Copyright (C) 1999-2012 Broadcom Corporation
      4  *
      5  *  Licensed under the Apache License, Version 2.0 (the "License");
      6  *  you may not use this file except in compliance with the License.
      7  *  You may obtain a copy of the License at:
      8  *
      9  *  http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  *  Unless required by applicable law or agreed to in writing, software
     12  *  distributed under the License is distributed on an "AS IS" BASIS,
     13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  *  See the License for the specific language governing permissions and
     15  *  limitations under the License.
     16  *
     17  ******************************************************************************/
     18 
     19 /******************************************************************************
     20  *
     21  *  This file contains functions to send TS 07.10 frames
     22  *
     23  ******************************************************************************/
     24 #include "bt_target.h"
     25 #include "gki.h"
     26 #include "rfcdefs.h"
     27 #include "port_api.h"
     28 #include "l2c_api.h"
     29 #include "port_int.h"
     30 #include "rfc_int.h"
     31 
     32 /*******************************************************************************
     33 **
     34 ** Function         rfc_send_sabme
     35 **
     36 ** Description      This function sends SABME frame.
     37 **
     38 *******************************************************************************/
     39 void rfc_send_sabme (tRFC_MCB *p_mcb, UINT8 dlci)
     40 {
     41     BT_HDR  *p_buf;
     42     UINT8   *p_data;
     43     UINT8   cr = RFCOMM_CR(p_mcb->is_initiator, TRUE);
     44 
     45     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
     46         return;
     47 
     48     p_buf->offset = L2CAP_MIN_OFFSET;
     49     p_data = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
     50 
     51     /* SABME frame, command, PF = 1, dlci */
     52     *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
     53     *p_data++ = RFCOMM_SABME | RFCOMM_PF;
     54     *p_data++ = RFCOMM_EA | 0;
     55 
     56     *p_data   = RFCOMM_SABME_FCS ((UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
     57 
     58     p_buf->len = 4;
     59 
     60     rfc_check_send_cmd(p_mcb, p_buf);
     61 }
     62 
     63 
     64 /*******************************************************************************
     65 **
     66 ** Function         rfc_send_ua
     67 **
     68 ** Description      This function sends UA frame.
     69 **
     70 *******************************************************************************/
     71 void rfc_send_ua (tRFC_MCB *p_mcb, UINT8 dlci)
     72 {
     73     BT_HDR  *p_buf;
     74     UINT8   *p_data;
     75     UINT8   cr = RFCOMM_CR(p_mcb->is_initiator, FALSE);
     76 
     77     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
     78         return;
     79 
     80     p_buf->offset = L2CAP_MIN_OFFSET;
     81     p_data = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
     82 
     83     /* ua frame, response, PF = 1, dlci */
     84     *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
     85     *p_data++ = RFCOMM_UA | RFCOMM_PF;
     86     *p_data++ = RFCOMM_EA | 0;
     87 
     88     *p_data   = RFCOMM_UA_FCS ((UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
     89 
     90     p_buf->len = 4;
     91 
     92     rfc_check_send_cmd(p_mcb, p_buf);
     93 }
     94 
     95 
     96 /*******************************************************************************
     97 **
     98 ** Function         rfc_send_dm
     99 **
    100 ** Description      This function sends DM frame.
    101 **
    102 *******************************************************************************/
    103 void rfc_send_dm (tRFC_MCB *p_mcb, UINT8 dlci, BOOLEAN pf)
    104 {
    105     BT_HDR  *p_buf;
    106     UINT8   *p_data;
    107     UINT8   cr = RFCOMM_CR(p_mcb->is_initiator, FALSE);
    108 
    109     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    110         return;
    111 
    112     p_buf->offset = L2CAP_MIN_OFFSET;
    113     p_data = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
    114 
    115     /* DM frame, response, PF = 1, dlci */
    116     *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
    117     *p_data++ = RFCOMM_DM | ((pf) ? RFCOMM_PF : 0);
    118     *p_data++ = RFCOMM_EA | 0;
    119 
    120     *p_data   = RFCOMM_DM_FCS ((UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
    121 
    122     p_buf->len = 4;
    123 
    124     rfc_check_send_cmd(p_mcb, p_buf);
    125 }
    126 
    127 
    128 /*******************************************************************************
    129 **
    130 ** Function         rfc_send_disc
    131 **
    132 ** Description      This function sends DISC frame.
    133 **
    134 *******************************************************************************/
    135 void rfc_send_disc (tRFC_MCB *p_mcb, UINT8 dlci)
    136 {
    137     BT_HDR  *p_buf;
    138     UINT8   *p_data;
    139     UINT8   cr = RFCOMM_CR(p_mcb->is_initiator, TRUE);
    140 
    141     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    142         return;
    143 
    144     p_buf->offset = L2CAP_MIN_OFFSET;
    145     p_data = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
    146 
    147     /* DISC frame, command, PF = 1, dlci */
    148     *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
    149     *p_data++ = RFCOMM_DISC | RFCOMM_PF;
    150     *p_data++ = RFCOMM_EA | 0;
    151 
    152     *p_data   = RFCOMM_DISC_FCS ((UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET, cr, dlci);
    153 
    154     p_buf->len = 4;
    155 
    156     rfc_check_send_cmd(p_mcb, p_buf);
    157 }
    158 
    159 
    160 /*******************************************************************************
    161 **
    162 ** Function         rfc_send_buf_uih
    163 **
    164 ** Description      This function sends UIH frame.
    165 **
    166 *******************************************************************************/
    167 void rfc_send_buf_uih (tRFC_MCB *p_mcb, UINT8 dlci, BT_HDR *p_buf)
    168 {
    169     UINT8   *p_data;
    170     UINT8   cr = RFCOMM_CR(p_mcb->is_initiator, TRUE);
    171     UINT8   credits;
    172 
    173     p_buf->offset -= RFCOMM_CTRL_FRAME_LEN;
    174     if (p_buf->len > 127)
    175         p_buf->offset--;
    176 
    177     if (dlci)
    178         credits = (UINT8)p_buf->layer_specific;
    179     else
    180         credits = 0;
    181 
    182     if (credits)
    183         p_buf->offset--;
    184 
    185     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    186 
    187     /* UIH frame, command, PF = 0, dlci */
    188     *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
    189     *p_data++ = RFCOMM_UIH | ((credits) ? RFCOMM_PF : 0);
    190     if (p_buf->len <= 127)
    191     {
    192         *p_data++   = RFCOMM_EA | (p_buf->len << 1);
    193         p_buf->len += 3;
    194     }
    195     else
    196     {
    197         *p_data++   = (p_buf->len & 0x7f) << 1;
    198         *p_data++   = p_buf->len >> RFCOMM_SHIFT_LENGTH2;
    199         p_buf->len += 4;
    200     }
    201 
    202     if (credits)
    203     {
    204         *p_data++ = credits;
    205         p_buf->len++;
    206     }
    207 
    208     p_data  = (UINT8 *)(p_buf + 1) + p_buf->offset + p_buf->len++;
    209 
    210     *p_data = RFCOMM_UIH_FCS ((UINT8 *)(p_buf + 1) + p_buf->offset, dlci);
    211 
    212     if (dlci == RFCOMM_MX_DLCI)
    213     {
    214         rfc_check_send_cmd(p_mcb, p_buf);
    215     }
    216     else
    217     {
    218 
    219         L2CA_DataWrite (p_mcb->lcid, p_buf);
    220     }
    221 }
    222 
    223 
    224 /*******************************************************************************
    225 **
    226 ** Function         rfc_send_pn
    227 **
    228 ** Description      This function sends DLC Parameters Negotiation Frame.
    229 **
    230 *******************************************************************************/
    231 void rfc_send_pn (tRFC_MCB *p_mcb, UINT8 dlci, BOOLEAN is_command, UINT16 mtu, UINT8 cl, UINT8 k)
    232 {
    233     BT_HDR   *p_buf;
    234     UINT8    *p_data;
    235 
    236     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    237         return;
    238 
    239     p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
    240     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    241 
    242     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_PN;
    243     *p_data++ = RFCOMM_EA | (RFCOMM_MX_PN_LEN << 1);
    244 
    245     *p_data++ = dlci;
    246     *p_data++ = RFCOMM_PN_FRAM_TYPE_UIH | cl;
    247 
    248     /* It appeared that we need to reply with the same priority bits as we received.
    249     ** We will use the fact that we reply in the same context so rx_frame can still be used.
    250     */
    251     if (is_command)
    252         *p_data++ = RFCOMM_PN_PRIORITY_0;
    253     else
    254         *p_data++ = rfc_cb.rfc.rx_frame.u.pn.priority;
    255 
    256     *p_data++ = RFCOMM_T1_DSEC;
    257     *p_data++ = mtu & 0xFF;
    258     *p_data++ = mtu >> 8;
    259     *p_data++ = RFCOMM_N2;
    260     *p_data   = k;
    261 
    262     /* Total length is sizeof PN data + mx header 2 */
    263     p_buf->len = RFCOMM_MX_PN_LEN + 2;
    264 
    265     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    266 }
    267 
    268 
    269 /*******************************************************************************
    270 **
    271 ** Function         rfc_send_fcon
    272 **
    273 ** Description      This function sends Flow Control On Command.
    274 **
    275 *******************************************************************************/
    276 void rfc_send_fcon (tRFC_MCB *p_mcb, BOOLEAN is_command)
    277 {
    278     BT_HDR  *p_buf;
    279     UINT8   *p_data;
    280 
    281     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    282         return;
    283 
    284     p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
    285     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    286 
    287     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_FCON;
    288     *p_data++ = RFCOMM_EA | (RFCOMM_MX_FCON_LEN << 1);
    289 
    290     /* Total length is sizeof FCON data + mx header 2 */
    291     p_buf->len = RFCOMM_MX_FCON_LEN + 2;
    292 
    293     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    294 }
    295 
    296 
    297 /*******************************************************************************
    298 **
    299 ** Function         rfc_send_fcoff
    300 **
    301 ** Description      This function sends Flow Control Off Command.
    302 **
    303 *******************************************************************************/
    304 void rfc_send_fcoff (tRFC_MCB *p_mcb, BOOLEAN is_command)
    305 {
    306     BT_HDR  *p_buf;
    307     UINT8   *p_data;
    308 
    309     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    310         return;
    311 
    312     p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
    313     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    314 
    315     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_FCOFF;
    316     *p_data++ = RFCOMM_EA | (RFCOMM_MX_FCOFF_LEN << 1);
    317 
    318     /* Total length is sizeof FCOFF data + mx header 2 */
    319     p_buf->len = RFCOMM_MX_FCOFF_LEN + 2;
    320 
    321     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    322 }
    323 
    324 
    325 /*******************************************************************************
    326 **
    327 ** Function         rfc_send_msc
    328 **
    329 ** Description      This function sends Modem Status Command Frame.
    330 **
    331 *******************************************************************************/
    332 void rfc_send_msc (tRFC_MCB *p_mcb, UINT8 dlci, BOOLEAN is_command,
    333                    tPORT_CTRL *p_pars)
    334 {
    335     BT_HDR  *p_buf;
    336     UINT8   *p_data;
    337     UINT8   signals;
    338     UINT8   break_duration;
    339     UINT8   len;
    340 
    341     signals        = p_pars->modem_signal;
    342     break_duration = p_pars->break_signal;
    343 
    344     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    345         return;
    346 
    347     p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
    348     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    349 
    350     if (break_duration)
    351         len = RFCOMM_MX_MSC_LEN_WITH_BREAK;
    352     else
    353         len = RFCOMM_MX_MSC_LEN_NO_BREAK;
    354 
    355     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_MSC;
    356     *p_data++ = RFCOMM_EA | (len << 1);
    357 
    358     *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
    359     *p_data++ = RFCOMM_EA |
    360                 ((p_pars->fc)                    ? RFCOMM_MSC_FC : 0)  |
    361                 ((signals & MODEM_SIGNAL_DTRDSR) ? RFCOMM_MSC_RTC : 0) |
    362                 ((signals & MODEM_SIGNAL_RTSCTS) ? RFCOMM_MSC_RTR : 0) |
    363                 ((signals & MODEM_SIGNAL_RI)     ? RFCOMM_MSC_IC : 0)  |
    364                 ((signals & MODEM_SIGNAL_DCD)    ? RFCOMM_MSC_DV : 0);
    365 
    366     if (break_duration)
    367     {
    368         *p_data++ = RFCOMM_EA | RFCOMM_MSC_BREAK_PRESENT_MASK |
    369                     (break_duration << RFCOMM_MSC_SHIFT_BREAK);
    370     }
    371 
    372     /* Total length is sizeof MSC data + mx header 2 */
    373     p_buf->len = len + 2;
    374 
    375     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    376 }
    377 
    378 
    379 /*******************************************************************************
    380 **
    381 ** Function         rfc_send_rls
    382 **
    383 ** Description      This function sends Remote Line Status Command Frame.
    384 **
    385 *******************************************************************************/
    386 void rfc_send_rls (tRFC_MCB *p_mcb, UINT8 dlci, BOOLEAN is_command, UINT8 status)
    387 {
    388     BT_HDR  *p_buf;
    389     UINT8   *p_data;
    390 
    391     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    392         return;
    393 
    394     p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
    395     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    396 
    397     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_RLS;
    398     *p_data++ = RFCOMM_EA | (RFCOMM_MX_RLS_LEN << 1);
    399 
    400     *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
    401     *p_data++ = RFCOMM_RLS_ERROR | status;
    402 
    403     /* Total length is sizeof RLS data + mx header 2 */
    404     p_buf->len = RFCOMM_MX_RLS_LEN + 2;
    405 
    406     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    407 }
    408 
    409 
    410 /*******************************************************************************
    411 **
    412 ** Function         rfc_send_nsc
    413 **
    414 ** Description      This function sends Non Supported Command Response.
    415 **
    416 *******************************************************************************/
    417 void rfc_send_nsc (tRFC_MCB *p_mcb)
    418 {
    419     BT_HDR  *p_buf;
    420     UINT8   *p_data;
    421 
    422     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    423         return;
    424 
    425     p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
    426     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    427 
    428     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(FALSE) | RFCOMM_MX_NSC;
    429     *p_data++ = RFCOMM_EA | (RFCOMM_MX_NSC_LEN << 1);
    430 
    431     *p_data++ =  rfc_cb.rfc.rx_frame.ea |
    432                 (rfc_cb.rfc.rx_frame.cr << RFCOMM_SHIFT_CR) |
    433                  rfc_cb.rfc.rx_frame.type;
    434 
    435     /* Total length is sizeof NSC data + mx header 2 */
    436     p_buf->len = RFCOMM_MX_NSC_LEN + 2;
    437 
    438     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    439 }
    440 
    441 
    442 /*******************************************************************************
    443 **
    444 ** Function         rfc_send_rpn
    445 **
    446 ** Description      This function sends Remote Port Negotiation Command
    447 **
    448 *******************************************************************************/
    449 void rfc_send_rpn (tRFC_MCB *p_mcb, UINT8 dlci, BOOLEAN is_command,
    450                    tPORT_STATE *p_pars, UINT16 mask)
    451 {
    452     BT_HDR   *p_buf;
    453     UINT8    *p_data;
    454 
    455     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    456         return;
    457 
    458     p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_CTRL_FRAME_LEN;
    459     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    460 
    461     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_RPN;
    462 
    463     if (!p_pars)
    464     {
    465         *p_data++ = RFCOMM_EA | (RFCOMM_MX_RPN_REQ_LEN << 1);
    466 
    467         *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
    468 
    469         p_buf->len = RFCOMM_MX_RPN_REQ_LEN + 2;
    470     }
    471     else
    472     {
    473         *p_data++ = RFCOMM_EA | (RFCOMM_MX_RPN_LEN << 1);
    474 
    475         *p_data++ = RFCOMM_EA | RFCOMM_CR_MASK | (dlci << RFCOMM_SHIFT_DLCI);
    476         *p_data++ = p_pars->baud_rate;
    477         *p_data++ =  (p_pars->byte_size << RFCOMM_RPN_BITS_SHIFT)
    478                    | (p_pars->stop_bits << RFCOMM_RPN_STOP_BITS_SHIFT)
    479                    | (p_pars->parity << RFCOMM_RPN_PARITY_SHIFT)
    480                    | (p_pars->parity_type << RFCOMM_RPN_PARITY_TYPE_SHIFT);
    481         *p_data++ = p_pars->fc_type;
    482         *p_data++ = p_pars->xon_char;
    483         *p_data++ = p_pars->xoff_char;
    484         *p_data++ = (mask & 0xFF);
    485         *p_data++ = (mask >> 8);
    486 
    487         /* Total length is sizeof RPN data + mx header 2 */
    488         p_buf->len = RFCOMM_MX_RPN_LEN + 2;
    489     }
    490 
    491     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    492 }
    493 
    494 
    495 /*******************************************************************************
    496 **
    497 ** Function         rfc_send_test
    498 **
    499 ** Description      This function sends Test frame.
    500 **
    501 *******************************************************************************/
    502 void rfc_send_test (tRFC_MCB *p_mcb, BOOLEAN is_command, BT_HDR *p_buf)
    503 {
    504     UINT8    *p_data;
    505     UINT16   xx;
    506     UINT8    *p_src, *p_dest;
    507 
    508     /* Shift buffer to give space for header */
    509     if (p_buf->offset < (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2))
    510     {
    511         p_src  = (UINT8 *) (p_buf + 1) + p_buf->offset + p_buf->len - 1;
    512         p_dest = (UINT8 *) (p_buf + 1) + L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2 + p_buf->len - 1;
    513 
    514         for (xx = 0; xx < p_buf->len; xx++)
    515             *p_dest-- = *p_src--;
    516 
    517         p_buf->offset = L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2;
    518     }
    519 
    520     /* Adjust offset by number of bytes we are going to fill */
    521     p_buf->offset -= 2;
    522     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    523 
    524     *p_data++ = RFCOMM_EA | RFCOMM_I_CR(is_command) | RFCOMM_MX_TEST;
    525     *p_data++ = RFCOMM_EA | (p_buf->len << 1);
    526 
    527     p_buf->len += 2;
    528 
    529     rfc_send_buf_uih (p_mcb, RFCOMM_MX_DLCI, p_buf);
    530 }
    531 
    532 /*******************************************************************************
    533 **
    534 ** Function         rfc_send_credit
    535 **
    536 ** Description      This function sends a flow control credit in UIH frame.
    537 **
    538 *******************************************************************************/
    539 void rfc_send_credit(tRFC_MCB *p_mcb, UINT8 dlci, UINT8 credit)
    540 {
    541     BT_HDR   *p_buf;
    542     UINT8    *p_data;
    543     UINT8    cr = RFCOMM_CR(p_mcb->is_initiator, TRUE);
    544 
    545     if ((p_buf = (BT_HDR *)GKI_getpoolbuf (RFCOMM_CMD_POOL_ID)) == NULL)
    546         return;
    547 
    548     p_buf->offset = L2CAP_MIN_OFFSET;
    549     p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    550 
    551     *p_data++ = RFCOMM_EA | cr | (dlci << RFCOMM_SHIFT_DLCI);
    552     *p_data++ = RFCOMM_UIH | RFCOMM_PF;
    553     *p_data++ = RFCOMM_EA | 0;
    554     *p_data++ = credit;
    555     *p_data   = RFCOMM_UIH_FCS ((UINT8 *)(p_buf + 1) + p_buf->offset, dlci);
    556 
    557     p_buf->len = 5;
    558 
    559     rfc_check_send_cmd(p_mcb, p_buf);
    560 }
    561 
    562 
    563 /*******************************************************************************
    564 **
    565 ** Function         rfc_parse_data
    566 **
    567 ** Description      This function processes data packet received from L2CAP
    568 **
    569 *******************************************************************************/
    570 UINT8 rfc_parse_data (tRFC_MCB *p_mcb, MX_FRAME *p_frame, BT_HDR *p_buf)
    571 {
    572     UINT8     ead, eal, fcs;
    573     UINT8     *p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    574     UINT8     *p_start = p_data;
    575     UINT16    len;
    576 
    577     if (p_buf->len < RFCOMM_CTRL_FRAME_LEN)
    578     {
    579         RFCOMM_TRACE_ERROR1 ("Bad Length1: %d", p_buf->len);
    580         return (RFC_EVENT_BAD_FRAME);
    581     }
    582 
    583     RFCOMM_PARSE_CTRL_FIELD (ead, p_frame->cr, p_frame->dlci, p_data);
    584     if( !ead )
    585     {
    586         RFCOMM_TRACE_ERROR0 ("Bad Address(EA must be 1)");
    587         return (RFC_EVENT_BAD_FRAME);
    588     }
    589     RFCOMM_PARSE_TYPE_FIELD (p_frame->type, p_frame->pf, p_data);
    590     RFCOMM_PARSE_LEN_FIELD (eal, len, p_data);
    591 
    592     p_buf->len      -= (3 + !ead + !eal + 1);  /* Additional 1 for FCS */
    593     p_buf->offset   += (3 + !ead + !eal);
    594 
    595     /* handle credit if credit based flow control */
    596     if ((p_mcb->flow == PORT_FC_CREDIT) && (p_frame->type == RFCOMM_UIH) &&
    597         (p_frame->dlci != RFCOMM_MX_DLCI) && (p_frame->pf == 1))
    598     {
    599         p_frame->credit = *p_data++;
    600         p_buf->len--;
    601         p_buf->offset++;
    602     }
    603     else
    604         p_frame->credit = 0;
    605 
    606     if (p_buf->len != len)
    607     {
    608         RFCOMM_TRACE_ERROR2 ("Bad Length2 %d %d", p_buf->len, len);
    609         return (RFC_EVENT_BAD_FRAME);
    610     }
    611 
    612     fcs = *(p_data + len);
    613 
    614     /* All control frames that we are sending are sent with P=1, expect */
    615     /* reply with F=1 */
    616     /* According to TS 07.10 spec ivalid frames are discarded without */
    617     /* notification to the sender */
    618     switch (p_frame->type)
    619     {
    620     case RFCOMM_SABME:
    621         if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr)
    622          || !p_frame->pf || len || !RFCOMM_VALID_DLCI (p_frame->dlci)
    623          || !rfc_check_fcs (RFCOMM_CTRL_FRAME_LEN, p_start, fcs))
    624         {
    625             RFCOMM_TRACE_ERROR0 ("Bad SABME");
    626             return (RFC_EVENT_BAD_FRAME);
    627         }
    628         else
    629             return (RFC_EVENT_SABME);
    630 
    631     case RFCOMM_UA:
    632         if (RFCOMM_FRAME_IS_CMD(p_mcb->is_initiator, p_frame->cr)
    633           || !p_frame->pf || len || !RFCOMM_VALID_DLCI (p_frame->dlci)
    634           || !rfc_check_fcs (RFCOMM_CTRL_FRAME_LEN, p_start, fcs))
    635         {
    636             RFCOMM_TRACE_ERROR0 ("Bad UA");
    637             return (RFC_EVENT_BAD_FRAME);
    638         }
    639         else
    640             return (RFC_EVENT_UA);
    641 
    642     case RFCOMM_DM:
    643         if (RFCOMM_FRAME_IS_CMD(p_mcb->is_initiator, p_frame->cr)
    644          || len || !RFCOMM_VALID_DLCI(p_frame->dlci)
    645          || !rfc_check_fcs (RFCOMM_CTRL_FRAME_LEN, p_start, fcs))
    646         {
    647             RFCOMM_TRACE_ERROR0 ("Bad DM");
    648             return (RFC_EVENT_BAD_FRAME);
    649         }
    650         else
    651             return (RFC_EVENT_DM);
    652 
    653     case RFCOMM_DISC:
    654         if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr)
    655           || !p_frame->pf || len || !RFCOMM_VALID_DLCI(p_frame->dlci)
    656           || !rfc_check_fcs (RFCOMM_CTRL_FRAME_LEN, p_start, fcs))
    657         {
    658             RFCOMM_TRACE_ERROR0 ("Bad DISC");
    659             return (RFC_EVENT_BAD_FRAME);
    660         }
    661         else
    662             return (RFC_EVENT_DISC);
    663 
    664     case RFCOMM_UIH:
    665         if (!RFCOMM_VALID_DLCI(p_frame->dlci))
    666         {
    667             RFCOMM_TRACE_ERROR0 ("Bad UIH - invalid DLCI");
    668             return (RFC_EVENT_BAD_FRAME);
    669         }
    670         else if (!rfc_check_fcs (2, p_start, fcs))
    671         {
    672             RFCOMM_TRACE_ERROR0 ("Bad UIH - FCS");
    673             return (RFC_EVENT_BAD_FRAME);
    674         }
    675         else if (RFCOMM_FRAME_IS_RSP(p_mcb->is_initiator, p_frame->cr))
    676         {
    677             /* we assume that this is ok to allow bad implementations to work */
    678             RFCOMM_TRACE_ERROR0 ("Bad UIH - response");
    679             return (RFC_EVENT_UIH);
    680         }
    681         else
    682             return (RFC_EVENT_UIH);
    683     }
    684 
    685     return (RFC_EVENT_BAD_FRAME);
    686 }
    687 
    688 
    689 /*******************************************************************************
    690 **
    691 ** Function         rfc_process_mx_message
    692 **
    693 ** Description      This function processes UIH frames received on the
    694 **                  multiplexer control channel.
    695 **
    696 *******************************************************************************/
    697 void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
    698 {
    699     UINT8       *p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
    700     MX_FRAME    *p_rx_frame = &rfc_cb.rfc.rx_frame;
    701     UINT16       length  = p_buf->len;
    702     UINT8        ea, cr, mx_len;
    703     BOOLEAN      is_command;
    704 
    705     p_rx_frame->ea   = *p_data & RFCOMM_EA;
    706     p_rx_frame->cr   = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
    707     p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
    708 
    709     if (!p_rx_frame->ea || !length)
    710     {
    711         RFCOMM_TRACE_ERROR2 ("Illegal MX Frame ea:%d len:%d", p_rx_frame->ea, length);
    712         GKI_freebuf (p_buf);
    713         return;
    714     }
    715 
    716     length--;
    717 
    718     is_command = p_rx_frame->cr;
    719 
    720     ea = *p_data & RFCOMM_EA;
    721 
    722     mx_len = *p_data++ >> RFCOMM_SHIFT_LENGTH1;
    723     length--;
    724 
    725     if (!ea)
    726     {
    727         mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
    728         length --;
    729     }
    730 
    731     if (mx_len != length)
    732     {
    733         RFCOMM_TRACE_ERROR0 ("Bad MX frame");
    734         GKI_freebuf (p_buf);
    735         return;
    736     }
    737 
    738     switch (p_rx_frame->type)
    739     {
    740     case RFCOMM_MX_PN:
    741         if (length != RFCOMM_MX_PN_LEN)
    742             break;
    743 
    744         p_rx_frame->dlci            = *p_data++ & RFCOMM_PN_DLCI_MASK;
    745         p_rx_frame->u.pn.frame_type = *p_data & RFCOMM_PN_FRAME_TYPE_MASK;
    746         p_rx_frame->u.pn.conv_layer = *p_data++ & RFCOMM_PN_CONV_LAYER_MASK;
    747         p_rx_frame->u.pn.priority   = *p_data++ & RFCOMM_PN_PRIORITY_MASK;
    748         p_rx_frame->u.pn.t1         = *p_data++;
    749         p_rx_frame->u.pn.mtu        = *p_data + (*(p_data + 1) << 8);
    750         p_data += 2;
    751         p_rx_frame->u.pn.n2         = *p_data++;
    752         p_rx_frame->u.pn.k          = *p_data++ & RFCOMM_PN_K_MASK;
    753 
    754         if (!p_rx_frame->dlci
    755          || !RFCOMM_VALID_DLCI (p_rx_frame->dlci)
    756          || (p_rx_frame->u.pn.mtu < RFCOMM_MIN_MTU)
    757          || (p_rx_frame->u.pn.mtu > RFCOMM_MAX_MTU))
    758         {
    759             RFCOMM_TRACE_ERROR0 ("Bad PN frame");
    760             break;
    761         }
    762 
    763         GKI_freebuf (p_buf);
    764 
    765         rfc_process_pn (p_mcb, is_command, p_rx_frame);
    766         return;
    767 
    768     case RFCOMM_MX_TEST:
    769         if (!length)
    770             break;
    771 
    772         p_rx_frame->u.test.p_data   = p_data;
    773         p_rx_frame->u.test.data_len = length;
    774 
    775         p_buf->offset += 2;
    776         p_buf->len    -= 2;
    777 
    778         if (is_command)
    779             rfc_send_test (p_mcb, FALSE, p_buf);
    780         else
    781             rfc_process_test_rsp (p_mcb, p_buf);
    782         return;
    783 
    784     case RFCOMM_MX_FCON:
    785         if (length != RFCOMM_MX_FCON_LEN)
    786             break;
    787 
    788         GKI_freebuf (p_buf);
    789 
    790         rfc_process_fcon (p_mcb, is_command);
    791         return;
    792 
    793     case RFCOMM_MX_FCOFF:
    794         if (length != RFCOMM_MX_FCOFF_LEN)
    795             break;
    796 
    797         GKI_freebuf (p_buf);
    798 
    799         rfc_process_fcoff (p_mcb, is_command);
    800         return;
    801 
    802     case RFCOMM_MX_MSC:
    803 
    804         ea                   = *p_data & RFCOMM_EA;
    805         cr                   = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
    806         p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
    807 
    808         if (!ea || !cr || !p_rx_frame->dlci
    809          || !RFCOMM_VALID_DLCI (p_rx_frame->dlci))
    810         {
    811             RFCOMM_TRACE_ERROR0 ("Bad MSC frame");
    812             break;
    813         }
    814 
    815         p_rx_frame->u.msc.signals        = *p_data++;
    816 
    817         if (mx_len == RFCOMM_MX_MSC_LEN_WITH_BREAK)
    818         {
    819             p_rx_frame->u.msc.break_present  = *p_data & RFCOMM_MSC_BREAK_PRESENT_MASK;
    820             p_rx_frame->u.msc.break_duration = (*p_data & RFCOMM_MSC_BREAK_MASK) >> RFCOMM_MSC_SHIFT_BREAK;
    821         }
    822         else
    823         {
    824             p_rx_frame->u.msc.break_present  = FALSE;
    825             p_rx_frame->u.msc.break_duration = 0;
    826         }
    827         GKI_freebuf (p_buf);
    828 
    829         rfc_process_msc (p_mcb, is_command, p_rx_frame);
    830         return;
    831 
    832     case RFCOMM_MX_NSC:
    833         if ((length != RFCOMM_MX_NSC_LEN) || !is_command)
    834             break;
    835 
    836         p_rx_frame->u.nsc.ea   = *p_data & RFCOMM_EA;
    837         p_rx_frame->u.nsc.cr   = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
    838         p_rx_frame->u.nsc.type = *p_data++ >> RFCOMM_SHIFT_DLCI;
    839 
    840         GKI_freebuf (p_buf);
    841 
    842         rfc_process_nsc (p_mcb, p_rx_frame);
    843         return;
    844 
    845     case RFCOMM_MX_RPN:
    846         if ((length != RFCOMM_MX_RPN_REQ_LEN) && (length != RFCOMM_MX_RPN_LEN))
    847             break;
    848 
    849         ea                   = *p_data & RFCOMM_EA;
    850         cr                   = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
    851         p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
    852 
    853         if (!ea || !cr || !p_rx_frame->dlci
    854          || !RFCOMM_VALID_DLCI (p_rx_frame->dlci))
    855         {
    856             RFCOMM_TRACE_ERROR0 ("Bad RPN frame");
    857             break;
    858         }
    859 
    860         p_rx_frame->u.rpn.is_request  = (length == RFCOMM_MX_RPN_REQ_LEN);
    861 
    862         if (!p_rx_frame->u.rpn.is_request)
    863         {
    864             p_rx_frame->u.rpn.baud_rate   = *p_data++;
    865             p_rx_frame->u.rpn.byte_size   = (*p_data >> RFCOMM_RPN_BITS_SHIFT) & RFCOMM_RPN_BITS_MASK;
    866             p_rx_frame->u.rpn.stop_bits   = (*p_data >> RFCOMM_RPN_STOP_BITS_SHIFT) & RFCOMM_RPN_STOP_BITS_MASK;
    867             p_rx_frame->u.rpn.parity      = (*p_data >> RFCOMM_RPN_PARITY_SHIFT) & RFCOMM_RPN_PARITY_MASK;
    868             p_rx_frame->u.rpn.parity_type = (*p_data++ >> RFCOMM_RPN_PARITY_TYPE_SHIFT) & RFCOMM_RPN_PARITY_TYPE_MASK;
    869 
    870             p_rx_frame->u.rpn.fc_type     = *p_data++ & RFCOMM_FC_MASK;
    871             p_rx_frame->u.rpn.xon_char    = *p_data++;
    872             p_rx_frame->u.rpn.xoff_char   = *p_data++;
    873             p_rx_frame->u.rpn.param_mask  = (*p_data + (*(p_data + 1) << 8)) & RFCOMM_RPN_PM_MASK;
    874         }
    875         GKI_freebuf (p_buf);
    876 
    877         rfc_process_rpn (p_mcb, is_command, p_rx_frame->u.rpn.is_request, p_rx_frame);
    878         return;
    879 
    880     case RFCOMM_MX_RLS:
    881         if (length != RFCOMM_MX_RLS_LEN)
    882             break;
    883 
    884         ea = *p_data & RFCOMM_EA;
    885         cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
    886 
    887         p_rx_frame->dlci              = *p_data++ >> RFCOMM_SHIFT_DLCI;
    888         p_rx_frame->u.rls.line_status = (*p_data & ~0x01);
    889 
    890         if (!ea || !cr || !p_rx_frame->dlci
    891          || !RFCOMM_VALID_DLCI (p_rx_frame->dlci))
    892         {
    893             RFCOMM_TRACE_ERROR0 ("Bad RPN frame");
    894             break;
    895         }
    896 
    897         GKI_freebuf (p_buf);
    898 
    899         rfc_process_rls (p_mcb, is_command, p_rx_frame);
    900         return;
    901     }
    902 
    903     GKI_freebuf (p_buf);
    904 
    905     if (is_command)
    906         rfc_send_nsc (p_mcb);
    907 }
    908 
    909