1 /****************************************************************************** 2 * 3 * Copyright 2014 Google, Inc. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 #define LOG_TAG "bt_hci_packet_fragmenter" 20 21 #include "packet_fragmenter.h" 22 23 #include <base/logging.h> 24 #include <string.h> 25 #include <unordered_map> 26 27 #include "bt_target.h" 28 #include "buffer_allocator.h" 29 #include "device/include/controller.h" 30 #include "hci_internals.h" 31 #include "osi/include/log.h" 32 #include "osi/include/osi.h" 33 34 #define APPLY_CONTINUATION_FLAG(handle) (((handle)&0xCFFF) | 0x1000) 35 #define APPLY_START_FLAG(handle) (((handle)&0xCFFF) | 0x2000) 36 #define SUB_EVENT(event) ((event)&MSG_SUB_EVT_MASK) 37 #define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003) 38 39 #define HANDLE_MASK 0x0FFF 40 #define START_PACKET_BOUNDARY 2 41 #define CONTINUATION_PACKET_BOUNDARY 1 42 #define L2CAP_HEADER_PDU_LEN_SIZE 2 43 #define L2CAP_HEADER_CID_SIZE 2 44 #define L2CAP_HEADER_SIZE (L2CAP_HEADER_PDU_LEN_SIZE + L2CAP_HEADER_CID_SIZE) 45 46 // Our interface and callbacks 47 48 static const allocator_t* buffer_allocator; 49 static const controller_t* controller; 50 static const packet_fragmenter_callbacks_t* callbacks; 51 52 static std::unordered_map<uint16_t /* handle */, BT_HDR*> partial_packets; 53 54 static void init(const packet_fragmenter_callbacks_t* result_callbacks) { 55 callbacks = result_callbacks; 56 } 57 58 static void cleanup() { partial_packets.clear(); } 59 60 static void fragment_and_dispatch(BT_HDR* packet) { 61 CHECK(packet != NULL); 62 63 uint16_t event = packet->event & MSG_EVT_MASK; 64 uint8_t* stream = packet->data + packet->offset; 65 66 // We only fragment ACL packets 67 if (event != MSG_STACK_TO_HC_HCI_ACL) { 68 callbacks->fragmented(packet, true); 69 return; 70 } 71 72 uint16_t max_data_size = 73 SUB_EVENT(packet->event) == LOCAL_BR_EDR_CONTROLLER_ID 74 ? controller->get_acl_data_size_classic() 75 : controller->get_acl_data_size_ble(); 76 77 uint16_t max_packet_size = max_data_size + HCI_ACL_PREAMBLE_SIZE; 78 uint16_t remaining_length = packet->len; 79 80 uint16_t continuation_handle; 81 STREAM_TO_UINT16(continuation_handle, stream); 82 continuation_handle = APPLY_CONTINUATION_FLAG(continuation_handle); 83 84 while (remaining_length > max_packet_size) { 85 // Make sure we use the right ACL packet size 86 stream = packet->data + packet->offset; 87 STREAM_SKIP_UINT16(stream); 88 UINT16_TO_STREAM(stream, max_data_size); 89 90 packet->len = max_packet_size; 91 callbacks->fragmented(packet, false); 92 93 packet->offset += max_data_size; 94 remaining_length -= max_data_size; 95 packet->len = remaining_length; 96 97 // Write the ACL header for the next fragment 98 stream = packet->data + packet->offset; 99 UINT16_TO_STREAM(stream, continuation_handle); 100 UINT16_TO_STREAM(stream, remaining_length - HCI_ACL_PREAMBLE_SIZE); 101 102 // Apparently L2CAP can set layer_specific to a max number of segments to 103 // transmit 104 if (packet->layer_specific) { 105 packet->layer_specific--; 106 107 if (packet->layer_specific == 0) { 108 packet->event = MSG_HC_TO_STACK_L2C_SEG_XMIT; 109 callbacks->transmit_finished(packet, false); 110 return; 111 } 112 } 113 } 114 115 callbacks->fragmented(packet, true); 116 } 117 118 static bool check_uint16_overflow(uint16_t a, uint16_t b) { 119 return (UINT16_MAX - a) < b; 120 } 121 122 static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) { 123 if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) { 124 uint8_t* stream = packet->data; 125 uint16_t handle; 126 uint16_t l2cap_length; 127 uint16_t acl_length; 128 129 STREAM_TO_UINT16(handle, stream); 130 STREAM_TO_UINT16(acl_length, stream); 131 STREAM_TO_UINT16(l2cap_length, stream); 132 133 CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE); 134 135 uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle); 136 handle = handle & HANDLE_MASK; 137 138 if (boundary_flag == START_PACKET_BOUNDARY) { 139 auto map_iter = partial_packets.find(handle); 140 if (map_iter != partial_packets.end()) { 141 LOG_WARN(LOG_TAG, 142 "%s found unfinished packet for handle with start packet. " 143 "Dropping old.", 144 __func__); 145 146 BT_HDR* hdl = map_iter->second; 147 partial_packets.erase(map_iter); 148 buffer_allocator->free(hdl); 149 } 150 151 if (acl_length < L2CAP_HEADER_PDU_LEN_SIZE) { 152 LOG_WARN(LOG_TAG, "%s L2CAP packet too small (%d < %d). Dropping it.", 153 __func__, packet->len, L2CAP_HEADER_PDU_LEN_SIZE); 154 buffer_allocator->free(packet); 155 return; 156 } 157 158 uint16_t full_length = 159 l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE; 160 161 // Check for buffer overflow and that the full packet size + BT_HDR size 162 // is less than the max buffer size 163 if (check_uint16_overflow(l2cap_length, 164 (L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE)) || 165 ((full_length + sizeof(BT_HDR)) > BT_DEFAULT_BUFFER_SIZE)) { 166 LOG_ERROR(LOG_TAG, "%s Dropping L2CAP packet with invalid length (%d).", 167 __func__, l2cap_length); 168 buffer_allocator->free(packet); 169 return; 170 } 171 172 if (full_length <= packet->len) { 173 if (full_length < packet->len) 174 LOG_WARN(LOG_TAG, 175 "%s found l2cap full length %d less than the hci length %d.", 176 __func__, l2cap_length, packet->len); 177 178 callbacks->reassembled(packet); 179 return; 180 } 181 182 BT_HDR* partial_packet = 183 (BT_HDR*)buffer_allocator->alloc(full_length + sizeof(BT_HDR)); 184 partial_packet->event = packet->event; 185 partial_packet->len = full_length; 186 partial_packet->offset = packet->len; 187 188 memcpy(partial_packet->data, packet->data, packet->len); 189 190 // Update the ACL data size to indicate the full expected length 191 stream = partial_packet->data; 192 STREAM_SKIP_UINT16(stream); // skip the handle 193 UINT16_TO_STREAM(stream, full_length - HCI_ACL_PREAMBLE_SIZE); 194 195 partial_packets[handle] = partial_packet; 196 197 // Free the old packet buffer, since we don't need it anymore 198 buffer_allocator->free(packet); 199 } else { 200 auto map_iter = partial_packets.find(handle); 201 if (map_iter == partial_packets.end()) { 202 LOG_WARN(LOG_TAG, 203 "%s got continuation for unknown packet. Dropping it.", 204 __func__); 205 buffer_allocator->free(packet); 206 return; 207 } 208 BT_HDR* partial_packet = map_iter->second; 209 210 packet->offset = HCI_ACL_PREAMBLE_SIZE; 211 uint16_t projected_offset = 212 partial_packet->offset + (packet->len - HCI_ACL_PREAMBLE_SIZE); 213 if (projected_offset > 214 partial_packet->len) { // len stores the expected length 215 LOG_WARN(LOG_TAG, 216 "%s got packet which would exceed expected length of %d. " 217 "Truncating.", 218 __func__, partial_packet->len); 219 packet->len = partial_packet->len - partial_packet->offset; 220 projected_offset = partial_packet->len; 221 } 222 223 memcpy(partial_packet->data + partial_packet->offset, 224 packet->data + packet->offset, packet->len - packet->offset); 225 226 // Free the old packet buffer, since we don't need it anymore 227 buffer_allocator->free(packet); 228 partial_packet->offset = projected_offset; 229 230 if (partial_packet->offset == partial_packet->len) { 231 partial_packets.erase(handle); 232 partial_packet->offset = 0; 233 callbacks->reassembled(partial_packet); 234 } 235 } 236 } else { 237 callbacks->reassembled(packet); 238 } 239 } 240 241 static const packet_fragmenter_t interface = {init, cleanup, 242 243 fragment_and_dispatch, 244 reassemble_and_dispatch}; 245 246 const packet_fragmenter_t* packet_fragmenter_get_interface() { 247 controller = controller_get_interface(); 248 buffer_allocator = buffer_allocator_get_interface(); 249 return &interface; 250 } 251 252 const packet_fragmenter_t* packet_fragmenter_get_test_interface( 253 const controller_t* controller_interface, 254 const allocator_t* buffer_allocator_interface) { 255 controller = controller_interface; 256 buffer_allocator = buffer_allocator_interface; 257 return &interface; 258 } 259