hci/src/packet_fragmenter.cc

   1 /******************************************************************************
   2  *
   3  *  Copyright 2014 Google, Inc.
   4  *
   5  *  Licensed under the Apache License, Version 2.0 (the "License");
   6  *  you may not use this file except in compliance with the License.
   7  *  You may obtain a copy of the License at:
   8  *
   9  *  http://www.apache.org/licenses/LICENSE-2.0
  10  *
  11  *  Unless required by applicable law or agreed to in writing, software
  12  *  distributed under the License is distributed on an "AS IS" BASIS,
  13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14  *  See the License for the specific language governing permissions and
  15  *  limitations under the License.
  16  *
  17  ******************************************************************************/
  18
  19 #define LOG_TAG "bt_hci_packet_fragmenter"
  20
  21 #include "packet_fragmenter.h"
  22
  23 #include <base/logging.h>
  24 #include <string.h>
  25 #include <unordered_map>
  26
  27 #include "bt_target.h"
  28 #include "buffer_allocator.h"
  29 #include "device/include/controller.h"
  30 #include "hci_internals.h"
  31 #include "osi/include/log.h"
  32 #include "osi/include/osi.h"
  33
  34 #define APPLY_CONTINUATION_FLAG(handle) (((handle)&0xCFFF) | 0x1000)
  35 #define APPLY_START_FLAG(handle) (((handle)&0xCFFF) | 0x2000)
  36 #define SUB_EVENT(event) ((event)&MSG_SUB_EVT_MASK)
  37 #define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003)
  38 #define GET_BROADCAST_FLAG(handle) (((handle) >> 14) & 0x0003)
  39
  40 #define HANDLE_MASK 0x0FFF
  41 #define START_PACKET_BOUNDARY 2
  42 #define CONTINUATION_PACKET_BOUNDARY 1
  43 #define POINT_TO_POINT 0
  44 #define L2CAP_HEADER_PDU_LEN_SIZE 2
  45 #define L2CAP_HEADER_CID_SIZE 2
  46 #define L2CAP_HEADER_SIZE (L2CAP_HEADER_PDU_LEN_SIZE + L2CAP_HEADER_CID_SIZE)
  47
  48 // Our interface and callbacks
  49
  50 static const allocator_t* buffer_allocator;
  51 static const controller_t* controller;
  52 static const packet_fragmenter_callbacks_t* callbacks;
  53
  54 static std::unordered_map<uint16_t /* handle */, BT_HDR*> partial_packets;
  55
  56 static void init(const packet_fragmenter_callbacks_t* result_callbacks) {
  57   callbacks = result_callbacks;
  58 }
  59
  60 static void cleanup() { partial_packets.clear(); }
  61
  62 static void fragment_and_dispatch(BT_HDR* packet) {
  63   CHECK(packet != NULL);
  64
  65   uint16_t event = packet->event & MSG_EVT_MASK;
  66   uint8_t* stream = packet->data + packet->offset;
  67
  68   // We only fragment ACL packets
  69   if (event != MSG_STACK_TO_HC_HCI_ACL) {
  70     callbacks->fragmented(packet, true);
  71     return;
  72   }
  73
  74   uint16_t max_data_size =
  75       SUB_EVENT(packet->event) == LOCAL_BR_EDR_CONTROLLER_ID
  76           ? controller->get_acl_data_size_classic()
  77           : controller->get_acl_data_size_ble();
  78
  79   uint16_t max_packet_size = max_data_size + HCI_ACL_PREAMBLE_SIZE;
  80   uint16_t remaining_length = packet->len;
  81
  82   uint16_t continuation_handle;
  83   STREAM_TO_UINT16(continuation_handle, stream);
  84   continuation_handle = APPLY_CONTINUATION_FLAG(continuation_handle);
  85
  86   while (remaining_length > max_packet_size) {
  87     // Make sure we use the right ACL packet size
  88     stream = packet->data + packet->offset;
  89     STREAM_SKIP_UINT16(stream);
  90     UINT16_TO_STREAM(stream, max_data_size);
  91
  92     packet->len = max_packet_size;
  93     callbacks->fragmented(packet, false);
  94
  95     packet->offset += max_data_size;
  96     remaining_length -= max_data_size;
  97     packet->len = remaining_length;
  98
  99     // Write the ACL header for the next fragment
 100     stream = packet->data + packet->offset;
 101     UINT16_TO_STREAM(stream, continuation_handle);
 102     UINT16_TO_STREAM(stream, remaining_length - HCI_ACL_PREAMBLE_SIZE);
 103
 104     // Apparently L2CAP can set layer_specific to a max number of segments to
 105     // transmit
 106     if (packet->layer_specific) {
 107       packet->layer_specific--;
 108
 109       if (packet->layer_specific == 0) {
 110         packet->event = MSG_HC_TO_STACK_L2C_SEG_XMIT;
 111         callbacks->transmit_finished(packet, false);
 112         return;
 113       }
 114     }
 115   }
 116
 117   callbacks->fragmented(packet, true);
 118 }
 119
 120 static bool check_uint16_overflow(uint16_t a, uint16_t b) {
 121   return (UINT16_MAX - a) < b;
 122 }
 123
 124 static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
 125   if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
 126     uint8_t* stream = packet->data;
 127     uint16_t handle;
 128     uint16_t acl_length;
 129
 130     STREAM_TO_UINT16(handle, stream);
 131     STREAM_TO_UINT16(acl_length, stream);
 132
 133     CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
 134
 135     uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);
 136     uint8_t broadcast_flag = GET_BROADCAST_FLAG(handle);
 137     handle = handle & HANDLE_MASK;
 138
 139     if (broadcast_flag != POINT_TO_POINT) {
 140       LOG_WARN(LOG_TAG, "dropping broadcast packet");
 141       android_errorWriteLog(0x534e4554, "169327567");
 142       buffer_allocator->free(packet);
 143       return;
 144     }
 145
 146     if (boundary_flag == START_PACKET_BOUNDARY) {
 147       if (acl_length < 2) {
 148         LOG_WARN(LOG_TAG, "%s invalid acl_length %d", __func__, acl_length);
 149         buffer_allocator->free(packet);
 150         return;
 151       }
 152       uint16_t l2cap_length;
 153       STREAM_TO_UINT16(l2cap_length, stream);
 154       auto map_iter = partial_packets.find(handle);
 155       if (map_iter != partial_packets.end()) {
 156         LOG_WARN(LOG_TAG,
 157                  "%s found unfinished packet for handle with start packet. "
 158                  "Dropping old.",
 159                  __func__);
 160
 161         BT_HDR* hdl = map_iter->second;
 162         partial_packets.erase(map_iter);
 163         buffer_allocator->free(hdl);
 164       }
 165
 166       if (acl_length < L2CAP_HEADER_PDU_LEN_SIZE) {
 167         LOG_WARN(LOG_TAG, "%s L2CAP packet too small (%d < %d). Dropping it.",
 168                  __func__, packet->len, L2CAP_HEADER_PDU_LEN_SIZE);
 169         buffer_allocator->free(packet);
 170         return;
 171       }
 172
 173       uint16_t full_length =
 174           l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;
 175
 176       // Check for buffer overflow and that the full packet size + BT_HDR size
 177       // is less than the max buffer size
 178       if (check_uint16_overflow(l2cap_length,
 179                                 (L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE)) ||
 180           ((full_length + sizeof(BT_HDR)) > BT_DEFAULT_BUFFER_SIZE)) {
 181         LOG_ERROR(LOG_TAG, "%s Dropping L2CAP packet with invalid length (%d).",
 182                   __func__, l2cap_length);
 183         buffer_allocator->free(packet);
 184         return;
 185       }
 186
 187       if (full_length <= packet->len) {
 188         if (full_length < packet->len)
 189           LOG_WARN(LOG_TAG,
 190                    "%s found l2cap full length %d less than the hci length %d.",
 191                    __func__, l2cap_length, packet->len);
 192
 193         callbacks->reassembled(packet);
 194         return;
 195       }
 196
 197       BT_HDR* partial_packet =
 198           (BT_HDR*)buffer_allocator->alloc(full_length + sizeof(BT_HDR));
 199       partial_packet->event = packet->event;
 200       partial_packet->len = full_length;
 201       partial_packet->offset = packet->len;
 202
 203       memcpy(partial_packet->data, packet->data, packet->len);
 204
 205       // Update the ACL data size to indicate the full expected length
 206       stream = partial_packet->data;
 207       STREAM_SKIP_UINT16(stream);  // skip the handle
 208       UINT16_TO_STREAM(stream, full_length - HCI_ACL_PREAMBLE_SIZE);
 209
 210       partial_packets[handle] = partial_packet;
 211
 212       // Free the old packet buffer, since we don't need it anymore
 213       buffer_allocator->free(packet);
 214     } else {
 215       auto map_iter = partial_packets.find(handle);
 216       if (map_iter == partial_packets.end()) {
 217         LOG_WARN(LOG_TAG,
 218                  "%s got continuation for unknown packet. Dropping it.",
 219                  __func__);
 220         buffer_allocator->free(packet);
 221         return;
 222       }
 223       BT_HDR* partial_packet = map_iter->second;
 224
 225       packet->offset = HCI_ACL_PREAMBLE_SIZE;
 226       uint16_t projected_offset =
 227           partial_packet->offset + (packet->len - HCI_ACL_PREAMBLE_SIZE);
 228       if (projected_offset >
 229           partial_packet->len) {  // len stores the expected length
 230         LOG_WARN(LOG_TAG,
 231                  "%s got packet which would exceed expected length of %d. "
 232                  "Truncating.",
 233                  __func__, partial_packet->len);
 234         packet->len =
 235             (partial_packet->len - partial_packet->offset) + packet->offset;
 236         projected_offset = partial_packet->len;
 237       }
 238
 239       memcpy(partial_packet->data + partial_packet->offset,
 240              packet->data + packet->offset, packet->len - packet->offset);
 241
 242       // Free the old packet buffer, since we don't need it anymore
 243       buffer_allocator->free(packet);
 244       partial_packet->offset = projected_offset;
 245
 246       if (partial_packet->offset == partial_packet->len) {
 247         partial_packets.erase(handle);
 248         partial_packet->offset = 0;
 249         callbacks->reassembled(partial_packet);
 250       }
 251     }
 252   } else {
 253     callbacks->reassembled(packet);
 254   }
 255 }
 256
 257 static const packet_fragmenter_t interface = {init, cleanup,
 258
 259                                               fragment_and_dispatch,
 260                                               reassemble_and_dispatch};
 261
 262 const packet_fragmenter_t* packet_fragmenter_get_interface() {
 263   controller = controller_get_interface();
 264   buffer_allocator = buffer_allocator_get_interface();
 265   return &interface;
 266 }
 267
 268 const packet_fragmenter_t* packet_fragmenter_get_test_interface(
 269     const controller_t* controller_interface,
 270     const allocator_t* buffer_allocator_interface) {
 271   controller = controller_interface;
 272   buffer_allocator = buffer_allocator_interface;
 273   return &interface;
 274 }