1 /******************************************************************************
3 * Copyright 1999-2012 Broadcom Corporation
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 ******************************************************************************/
19 /******************************************************************************
21 * this file contains the main GATT client functions
23 ******************************************************************************/
25 #define LOG_TAG "bluetooth"
29 #include "bt_common.h"
30 #include "bt_target.h"
34 #include "osi/include/log.h"
35 #include "osi/include/osi.h"
36 #include "stack/eatt/eatt.h"
38 #define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */
39 #define GATT_READ_CHAR_VALUE_HDL (GATT_READ_CHAR_VALUE | 0x80)
40 #define GATT_READ_INC_SRV_UUID128 (GATT_DISC_INC_SRVC | 0x90)
42 #define GATT_PREP_WRITE_RSP_MIN_LEN 4
43 #define GATT_NOTIFICATION_MIN_LEN 2
44 #define GATT_WRITE_RSP_MIN_LEN 2
45 #define GATT_INFO_RSP_MIN_LEN 1
46 #define GATT_MTU_RSP_MIN_LEN 2
47 #define GATT_READ_BY_TYPE_RSP_MIN_LEN 1
49 #define L2CAP_PKT_OVERHEAD 4
51 using base::StringPrintf;
52 using bluetooth::Uuid;
53 using bluetooth::eatt::EattExtension;
54 using bluetooth::eatt::EattChannel;
56 /*******************************************************************************
57 * G L O B A L G A T T D A T A *
58 ******************************************************************************/
59 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb);
61 uint8_t disc_type_to_att_opcode[GATT_DISC_MAX] = {
63 GATT_REQ_READ_BY_GRP_TYPE, /* GATT_DISC_SRVC_ALL = 1, */
64 GATT_REQ_FIND_TYPE_VALUE, /* GATT_DISC_SRVC_BY_UUID, */
65 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_INC_SRVC, */
66 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_CHAR, */
67 GATT_REQ_FIND_INFO /* GATT_DISC_CHAR_DSCPT, */
70 uint16_t disc_type_to_uuid[GATT_DISC_MAX] = {
72 GATT_UUID_PRI_SERVICE, /* <service> DISC_SRVC_ALL */
73 GATT_UUID_PRI_SERVICE, /* <service> for DISC_SERVC_BY_UUID */
74 GATT_UUID_INCLUDE_SERVICE, /* <include_service> for DISC_INC_SRVC */
75 GATT_UUID_CHAR_DECLARE, /* <characteristic> for DISC_CHAR */
76 0 /* no type filtering for DISC_CHAR_DSCPT */
79 /*******************************************************************************
81 * Function gatt_act_discovery
83 * Description GATT discovery operation.
87 ******************************************************************************/
88 void gatt_act_discovery(tGATT_CLCB* p_clcb) {
89 uint8_t op_code = disc_type_to_att_opcode[p_clcb->op_subtype];
91 if (p_clcb->s_handle > p_clcb->e_handle || p_clcb->s_handle == 0) {
92 LOG_DEBUG("Completed GATT discovery of all handle ranges");
93 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
98 memset(&cl_req, 0, sizeof(tGATT_CL_MSG));
100 cl_req.browse.s_handle = p_clcb->s_handle;
101 cl_req.browse.e_handle = p_clcb->e_handle;
103 if (disc_type_to_uuid[p_clcb->op_subtype] != 0) {
105 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
108 if (p_clcb->op_subtype ==
109 GATT_DISC_SRVC_BY_UUID) /* fill in the FindByTypeValue request info*/
111 cl_req.find_type_value.uuid =
112 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
113 cl_req.find_type_value.s_handle = p_clcb->s_handle;
114 cl_req.find_type_value.e_handle = p_clcb->e_handle;
116 size_t size = p_clcb->uuid.GetShortestRepresentationSize();
117 cl_req.find_type_value.value_len = size;
118 if (size == Uuid::kNumBytes16) {
119 uint8_t* p = cl_req.find_type_value.value;
120 UINT16_TO_STREAM(p, p_clcb->uuid.As16Bit());
121 } else if (size == Uuid::kNumBytes32) {
122 /* if service type is 32 bits UUID, convert it now */
123 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
125 cl_req.find_type_value.value_len = Uuid::kNumBytes128;
127 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
131 tGATT_STATUS st = attp_send_cl_msg(*p_clcb->p_tcb, p_clcb, op_code, &cl_req);
132 if (st != GATT_SUCCESS && st != GATT_CMD_STARTED) {
133 LOG_WARN("Unable to send ATT message");
134 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
138 /*******************************************************************************
140 * Function gatt_act_read
142 * Description GATT read operation.
146 ******************************************************************************/
147 void gatt_act_read(tGATT_CLCB* p_clcb, uint16_t offset) {
148 tGATT_TCB& tcb = *p_clcb->p_tcb;
149 tGATT_STATUS rt = GATT_INTERNAL_ERROR;
153 memset(&msg, 0, sizeof(tGATT_CL_MSG));
155 switch (p_clcb->op_subtype) {
156 case GATT_READ_CHAR_VALUE:
157 case GATT_READ_BY_TYPE:
158 op_code = GATT_REQ_READ_BY_TYPE;
159 msg.browse.s_handle = p_clcb->s_handle;
160 msg.browse.e_handle = p_clcb->e_handle;
161 if (p_clcb->op_subtype == GATT_READ_BY_TYPE)
162 msg.browse.uuid = p_clcb->uuid;
164 msg.browse.uuid = bluetooth::Uuid::From16Bit(GATT_UUID_CHAR_DECLARE);
168 case GATT_READ_CHAR_VALUE_HDL:
169 case GATT_READ_BY_HANDLE:
170 if (!p_clcb->counter) {
171 op_code = GATT_REQ_READ;
172 msg.handle = p_clcb->s_handle;
174 if (!p_clcb->first_read_blob_after_read)
175 p_clcb->first_read_blob_after_read = true;
177 p_clcb->first_read_blob_after_read = false;
179 VLOG(1) << __func__ << ": first_read_blob_after_read="
180 << p_clcb->first_read_blob_after_read;
181 op_code = GATT_REQ_READ_BLOB;
182 msg.read_blob.offset = offset;
183 msg.read_blob.handle = p_clcb->s_handle;
185 p_clcb->op_subtype &= ~0x80;
188 case GATT_READ_PARTIAL:
189 op_code = GATT_REQ_READ_BLOB;
190 msg.read_blob.handle = p_clcb->s_handle;
191 msg.read_blob.offset = offset;
194 case GATT_READ_MULTIPLE:
195 op_code = GATT_REQ_READ_MULTI;
196 memcpy(&msg.read_multi, p_clcb->p_attr_buf, sizeof(tGATT_READ_MULTI));
199 case GATT_READ_INC_SRV_UUID128:
200 op_code = GATT_REQ_READ;
201 msg.handle = p_clcb->s_handle;
202 p_clcb->op_subtype &= ~0x90;
206 LOG(ERROR) << "Unknown read type:" << +p_clcb->op_subtype;
210 if (op_code != 0) rt = attp_send_cl_msg(tcb, p_clcb, op_code, &msg);
212 if (op_code == 0 || (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED)) {
213 gatt_end_operation(p_clcb, rt, NULL);
217 /** GATT write operation */
218 void gatt_act_write(tGATT_CLCB* p_clcb, uint8_t sec_act) {
219 tGATT_TCB& tcb = *p_clcb->p_tcb;
221 CHECK(p_clcb->p_attr_buf);
222 tGATT_VALUE& attr = *((tGATT_VALUE*)p_clcb->p_attr_buf);
224 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
226 switch (p_clcb->op_subtype) {
227 case GATT_WRITE_NO_RSP: {
228 p_clcb->s_handle = attr.handle;
229 uint8_t op_code = (sec_act == GATT_SEC_SIGN_DATA) ? GATT_SIGN_CMD_WRITE
231 tGATT_STATUS rt = gatt_send_write_msg(tcb, p_clcb, op_code, attr.handle,
232 attr.len, 0, attr.value);
233 if (rt != GATT_CMD_STARTED) {
234 if (rt != GATT_SUCCESS) {
235 LOG(ERROR) << StringPrintf(
236 "gatt_act_write() failed op_code=0x%x rt=%d", op_code, rt);
238 gatt_end_operation(p_clcb, rt, NULL);
244 if (attr.len <= (payload_size - GATT_HDR_SIZE)) {
245 p_clcb->s_handle = attr.handle;
247 tGATT_STATUS rt = gatt_send_write_msg(
248 tcb, p_clcb, GATT_REQ_WRITE, attr.handle, attr.len, 0, attr.value);
249 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED &&
250 rt != GATT_CONGESTED) {
251 if (rt != GATT_SUCCESS) {
252 LOG(ERROR) << StringPrintf(
253 "gatt_act_write() failed op_code=0x%x rt=%d", GATT_REQ_WRITE,
256 gatt_end_operation(p_clcb, rt, NULL);
260 /* prepare write for long attribute */
261 gatt_send_prepare_write(tcb, p_clcb);
266 case GATT_WRITE_PREPARE:
267 gatt_send_prepare_write(tcb, p_clcb);
271 CHECK(false) << "Unknown write type" << p_clcb->op_subtype;
275 /*******************************************************************************
277 * Function gatt_send_queue_write_cancel
279 * Description send queue write cancel
283 ******************************************************************************/
284 void gatt_send_queue_write_cancel(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
285 tGATT_EXEC_FLAG flag) {
290 tGATT_CL_MSG gatt_cl_msg;
291 gatt_cl_msg.exec_write = flag;
292 rt = attp_send_cl_msg(tcb, p_clcb, GATT_REQ_EXEC_WRITE, &gatt_cl_msg);
294 if (rt != GATT_SUCCESS) {
295 gatt_end_operation(p_clcb, rt, NULL);
298 /*******************************************************************************
300 * Function gatt_check_write_long_terminate
302 * Description To terminate write long or not.
304 * Returns true: write long is terminated; false keep sending.
306 ******************************************************************************/
307 bool gatt_check_write_long_terminate(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
308 tGATT_VALUE* p_rsp_value) {
309 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
310 bool terminate = false;
311 tGATT_EXEC_FLAG flag = GATT_PREP_WRITE_EXEC;
314 /* check the first write response status */
315 if (p_rsp_value != NULL) {
316 if (p_rsp_value->handle != p_attr->handle ||
317 p_rsp_value->len != p_clcb->counter ||
318 memcmp(p_rsp_value->value, p_attr->value + p_attr->offset,
320 /* data does not match */
321 p_clcb->status = GATT_ERROR;
322 flag = GATT_PREP_WRITE_CANCEL;
324 } else /* response checking is good */
326 p_clcb->status = GATT_SUCCESS;
327 /* update write offset and check if end of attribute value */
328 if ((p_attr->offset += p_rsp_value->len) >= p_attr->len) terminate = true;
331 if (terminate && p_clcb->op_subtype != GATT_WRITE_PREPARE) {
332 gatt_send_queue_write_cancel(tcb, p_clcb, flag);
337 /** Send prepare write */
338 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb) {
339 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
340 uint8_t type = p_clcb->op_subtype;
342 VLOG(1) << __func__ << StringPrintf(" type=0x%x", type);
343 uint16_t to_send = p_attr->len - p_attr->offset;
345 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
346 if (to_send > (payload_size -
347 GATT_WRITE_LONG_HDR_SIZE)) /* 2 = uint16_t offset bytes */
348 to_send = payload_size - GATT_WRITE_LONG_HDR_SIZE;
350 p_clcb->s_handle = p_attr->handle;
352 uint16_t offset = p_attr->offset;
353 if (type == GATT_WRITE_PREPARE) {
354 offset += p_clcb->start_offset;
357 VLOG(1) << StringPrintf("offset =0x%x len=%d", offset, to_send);
359 tGATT_STATUS rt = gatt_send_write_msg(
360 tcb, p_clcb, GATT_REQ_PREPARE_WRITE, p_attr->handle, to_send, /* length */
361 offset, /* used as offset */
362 p_attr->value + p_attr->offset); /* data */
364 /* remember the write long attribute length */
365 p_clcb->counter = to_send;
367 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED && rt != GATT_CONGESTED) {
368 gatt_end_operation(p_clcb, rt, NULL);
372 /*******************************************************************************
374 * Function gatt_process_find_type_value_rsp
376 * Description This function handles the find by type value response.
381 ******************************************************************************/
382 void gatt_process_find_type_value_rsp(UNUSED_ATTR tGATT_TCB& tcb,
383 tGATT_CLCB* p_clcb, uint16_t len,
385 tGATT_DISC_RES result;
389 /* unexpected response */
390 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
391 p_clcb->op_subtype != GATT_DISC_SRVC_BY_UUID)
394 memset(&result, 0, sizeof(tGATT_DISC_RES));
395 result.type = bluetooth::Uuid::From16Bit(GATT_UUID_PRI_SERVICE);
397 /* returns a series of handle ranges */
399 STREAM_TO_UINT16(result.handle, p);
400 STREAM_TO_UINT16(result.value.group_value.e_handle, p);
401 result.value.group_value.service_type = p_clcb->uuid;
405 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
406 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
407 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
411 /* last handle + 1 */
412 p_clcb->s_handle = (result.value.group_value.e_handle == 0)
414 : (result.value.group_value.e_handle + 1);
415 /* initiate another request */
416 gatt_act_discovery(p_clcb);
418 /*******************************************************************************
420 * Function gatt_process_read_info_rsp
422 * Description This function is called to handle the read information
428 ******************************************************************************/
429 void gatt_process_read_info_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
430 UNUSED_ATTR uint8_t op_code, uint16_t len,
432 tGATT_DISC_RES result;
433 uint8_t *p = p_data, uuid_len = 0, type;
435 if (len < GATT_INFO_RSP_MIN_LEN) {
436 LOG(ERROR) << "invalid Info Response PDU received, discard.";
437 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
440 /* unexpected response */
441 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
442 p_clcb->op_subtype != GATT_DISC_CHAR_DSCPT)
445 STREAM_TO_UINT8(type, p);
448 if (type == GATT_INFO_TYPE_PAIR_16)
449 uuid_len = Uuid::kNumBytes16;
450 else if (type == GATT_INFO_TYPE_PAIR_128)
451 uuid_len = Uuid::kNumBytes128;
453 while (len >= uuid_len + 2) {
454 STREAM_TO_UINT16(result.handle, p);
457 if (!gatt_parse_uuid_from_cmd(&result.type, uuid_len, &p)) break;
459 result.type = p_clcb->uuid;
461 len -= (uuid_len + 2);
463 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
464 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
465 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
469 p_clcb->s_handle = (result.handle == 0) ? 0 : (result.handle + 1);
470 /* initiate another request */
471 gatt_act_discovery(p_clcb);
473 /*******************************************************************************
475 * Function gatt_proc_disc_error_rsp
477 * Description Process the read by type response and send another request
482 ******************************************************************************/
483 void gatt_proc_disc_error_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
484 uint8_t opcode, UNUSED_ATTR uint16_t handle,
486 tGATT_STATUS status = (tGATT_STATUS)reason;
489 << StringPrintf("reason: %02x cmd_code %04x", reason, opcode);
492 case GATT_REQ_READ_BY_GRP_TYPE:
493 case GATT_REQ_FIND_TYPE_VALUE:
494 case GATT_REQ_READ_BY_TYPE:
495 case GATT_REQ_FIND_INFO:
496 if (reason == GATT_NOT_FOUND) {
497 status = GATT_SUCCESS;
498 VLOG(1) << "Discovery completed";
502 LOG(ERROR) << StringPrintf("Incorrect discovery opcode %04x", opcode);
506 gatt_end_operation(p_clcb, status, NULL);
509 /*******************************************************************************
511 * Function gatt_process_error_rsp
513 * Description This function is called to handle the error response
518 ******************************************************************************/
519 void gatt_process_error_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
520 UNUSED_ATTR uint8_t op_code,
521 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
522 uint8_t opcode, *p = p_data;
525 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
530 android_errorWriteLog(0x534e4554, "79591688");
531 LOG(ERROR) << "Error response too short";
532 // Specification does not clearly define what should happen if error
533 // response is too short. General rule in BT Spec 5.0 Vol 3, Part F 3.4.1.1
534 // is: "If an error code is received in the Error Response that is not
535 // understood by the client, for example an error code that was reserved for
536 // future use that is now being used in a future version of this
537 // specification, then the Error Response shall still be considered to state
538 // that the given request cannot be performed for an unknown reason."
540 reason = static_cast<tGATT_STATUS>(0x7f);
542 STREAM_TO_UINT8(opcode, p);
543 STREAM_TO_UINT16(handle, p);
544 STREAM_TO_UINT8(reason, p);
547 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
548 gatt_proc_disc_error_rsp(tcb, p_clcb, opcode, handle,
549 static_cast<tGATT_STATUS>(reason));
551 if ((p_clcb->operation == GATTC_OPTYPE_WRITE) &&
552 (p_clcb->op_subtype == GATT_WRITE) &&
553 (opcode == GATT_REQ_PREPARE_WRITE) && (p_attr) &&
554 (handle == p_attr->handle)) {
555 p_clcb->status = static_cast<tGATT_STATUS>(reason);
556 gatt_send_queue_write_cancel(tcb, p_clcb, GATT_PREP_WRITE_CANCEL);
557 } else if ((p_clcb->operation == GATTC_OPTYPE_READ) &&
558 ((p_clcb->op_subtype == GATT_READ_CHAR_VALUE_HDL) ||
559 (p_clcb->op_subtype == GATT_READ_BY_HANDLE)) &&
560 (opcode == GATT_REQ_READ_BLOB) &&
561 p_clcb->first_read_blob_after_read &&
562 (reason == GATT_NOT_LONG)) {
563 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
565 gatt_end_operation(p_clcb, static_cast<tGATT_STATUS>(reason), NULL);
568 /*******************************************************************************
570 * Function gatt_process_prep_write_rsp
572 * Description This function is called to handle the read response
577 ******************************************************************************/
578 void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
579 uint8_t op_code, uint16_t len,
583 tGATT_VALUE value = {
584 .conn_id = p_clcb->conn_id, .auth_req = GATT_AUTH_REQ_NONE,
587 VLOG(1) << StringPrintf("value resp op_code = %s len = %d",
588 gatt_dbg_op_name(op_code), len);
590 if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
591 LOG(ERROR) << "illegal prepare write response length, discard";
592 gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
596 STREAM_TO_UINT16(value.handle, p);
597 STREAM_TO_UINT16(value.offset, p);
601 memcpy(value.value, p, value.len);
603 if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
604 gatt_send_prepare_write(tcb, p_clcb);
608 if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
609 /* application should verify handle offset
610 and value are matched or not */
611 gatt_end_operation(p_clcb, p_clcb->status, &value);
615 /*******************************************************************************
617 * Function gatt_process_notification
619 * Description Handle the handle value indication/notification.
623 ******************************************************************************/
624 void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
625 uint16_t len, uint8_t* p_data) {
626 tGATT_VALUE value = {};
629 tGATT_STATUS encrypt_status = {};
632 tGATTC_OPTYPE event = (op_code == GATT_HANDLE_VALUE_IND)
633 ? GATTC_OPTYPE_INDICATION
634 : GATTC_OPTYPE_NOTIFICATION;
638 // Ensure our packet has enough data (2 bytes)
639 if (len < GATT_NOTIFICATION_MIN_LEN) {
640 LOG(ERROR) << "illegal notification PDU length, discard";
645 STREAM_TO_UINT16(value.handle, p);
647 // Fail early if the GATT handle is not valid
648 if (!GATT_HANDLE_IS_VALID(value.handle)) {
649 /* illegal handle, send ack now */
650 if (op_code == GATT_HANDLE_VALUE_IND)
651 attp_send_cl_confirmation_msg(tcb, cid);
655 // Calculate value length based on opcode
656 if (op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
657 // Ensure our packet has enough data; MIN + 2 more bytes for len value
658 if (len < GATT_NOTIFICATION_MIN_LEN + 2) {
659 LOG(ERROR) << "illegal notification PDU length, discard";
663 // Allow multi value opcode to set value len from the packet
664 STREAM_TO_UINT16(value.len, p);
666 if (value.len > len - 4) {
667 LOG(ERROR) << "value.len (" << value.len << ") greater than length ("
673 // For single value, just use the passed in len minus opcode length (2)
677 // Verify the new calculated length
678 if (value.len > GATT_MAX_ATTR_LEN) {
679 LOG(ERROR) << "value.len larger than GATT_MAX_ATTR_LEN, discard";
683 // Handle indications differently
684 if (event == GATTC_OPTYPE_INDICATION) {
686 /* this is an error case that receiving an indication but we
687 still has an indication not being acked yet.
688 For now, just log the error reset the counter.
689 Later we need to disconnect the link unconditionally.
691 LOG(ERROR) << __func__ << " rcv Ind. but ind_count=" << tcb.ind_count
692 << " (will reset ind_count)";
695 // Zero out the ind_count
698 // Notify all registered clients with the handle value
699 // notification/indication
700 // Note: need to do the indication count and start timer first then do
702 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
703 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) tcb.ind_count++;
706 /* start a timer for app confirmation */
707 if (tcb.ind_count > 0) {
708 gatt_start_ind_ack_timer(tcb, cid);
709 } else { /* no app to indicate, or invalid handle */
710 attp_send_cl_confirmation_msg(tcb, cid);
714 encrypt_status = gatt_get_link_encrypt_status(tcb);
716 STREAM_TO_ARRAY(value.value, p, value.len);
718 tGATT_CL_COMPLETE gatt_cl_complete;
719 gatt_cl_complete.att_value = value;
720 gatt_cl_complete.cid = cid;
722 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
723 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
724 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
725 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
730 // If this is single value, then nothing is left to do
731 if (op_code != GATT_HANDLE_MULTI_VALUE_NOTIF) return;
733 // Need a signed type to check if the value is below 0
734 // as uint16_t doesn't have negatives so the negatives register as a number
735 // thus anything less than zero won't trigger the conditional and it is not
737 // when done looping as value.len is arbitrary.
738 int16_t rem_len = (int16_t)len - (4 /* octets */ + value.len);
740 // Already streamed the first value and sent it, lets send the rest
741 while (rem_len > 4 /* octets */) {
743 STREAM_TO_UINT16(value.handle, p);
745 STREAM_TO_UINT16(value.len, p);
748 // Make sure we don't read past the remaining data even if the length says
749 // we can Also need to watch comparing the int16_t with the uint16_t
750 value.len = std::min((uint16_t)rem_len, value.len);
751 STREAM_TO_ARRAY(value.value, p, value.len);
753 rem_len -= value.len;
755 gatt_cl_complete.att_value = value;
756 gatt_cl_complete.cid = cid;
758 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
759 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
760 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
761 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
768 /*******************************************************************************
770 * Function gatt_process_read_by_type_rsp
772 * Description This function is called to handle the read by type response.
773 * read by type can be used for discovery, or read by type or
774 * read characteristic value.
778 ******************************************************************************/
779 void gatt_process_read_by_type_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
780 uint8_t op_code, uint16_t len,
782 tGATT_DISC_RES result;
783 tGATT_DISC_VALUE record_value;
784 uint8_t *p = p_data, value_len, handle_len = 2;
787 /* discovery procedure and no callback function registered */
788 if (((!p_clcb->p_reg) || (!p_clcb->p_reg->app_cb.p_disc_res_cb)) &&
789 (p_clcb->operation == GATTC_OPTYPE_DISCOVERY))
792 if (len < GATT_READ_BY_TYPE_RSP_MIN_LEN) {
793 LOG(ERROR) << "Illegal ReadByType/ReadByGroupType Response length, discard";
794 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
798 STREAM_TO_UINT8(value_len, p);
799 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
800 if ((value_len > (payload_size - 2)) || (value_len > (len - 1))) {
801 /* this is an error case that server's response containing a value length
802 which is larger than MTU-2
803 or value_len > message total length -1 */
804 LOG(ERROR) << __func__
806 ": Discard response op_code=%d "
807 "vale_len=%d > (MTU-2=%d or msg_len-1=%d)",
808 op_code, value_len, (payload_size - 2), (len - 1));
809 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
813 if (op_code == GATT_RSP_READ_BY_GRP_TYPE) handle_len = 4;
815 value_len -= handle_len; /* substract the handle pairs bytes */
818 while (len >= (handle_len + value_len)) {
819 STREAM_TO_UINT16(handle, p);
821 if (!GATT_HANDLE_IS_VALID(handle)) {
822 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
826 memset(&result, 0, sizeof(tGATT_DISC_RES));
827 memset(&record_value, 0, sizeof(tGATT_DISC_VALUE));
829 result.handle = handle;
831 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
833 /* discover all services */
834 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
835 p_clcb->op_subtype == GATT_DISC_SRVC_ALL &&
836 op_code == GATT_RSP_READ_BY_GRP_TYPE) {
837 STREAM_TO_UINT16(handle, p);
839 if (!GATT_HANDLE_IS_VALID(handle)) {
840 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
843 record_value.group_value.e_handle = handle;
844 if (!gatt_parse_uuid_from_cmd(&record_value.group_value.service_type,
846 LOG(ERROR) << "discover all service response parsing failure";
851 /* discover included service */
852 else if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
853 p_clcb->op_subtype == GATT_DISC_INC_SRVC) {
855 android_errorWriteLog(0x534e4554, "158833854");
856 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 4.";
857 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
860 STREAM_TO_UINT16(record_value.incl_service.s_handle, p);
861 STREAM_TO_UINT16(record_value.incl_service.e_handle, p);
863 if (!GATT_HANDLE_IS_VALID(record_value.incl_service.s_handle) ||
864 !GATT_HANDLE_IS_VALID(record_value.incl_service.e_handle)) {
865 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
869 if (value_len == 6) {
871 STREAM_TO_UINT16(tmp, p);
872 record_value.incl_service.service_type =
873 bluetooth::Uuid::From16Bit(tmp);
874 } else if (value_len == 4) {
875 p_clcb->s_handle = record_value.incl_service.s_handle;
876 p_clcb->read_uuid128.wait_for_read_rsp = true;
877 p_clcb->read_uuid128.next_disc_start_hdl = handle + 1;
878 memcpy(&p_clcb->read_uuid128.result, &result, sizeof(result));
879 memcpy(&p_clcb->read_uuid128.result.value, &record_value,
880 sizeof(result.value));
881 p_clcb->op_subtype |= 0x90;
882 gatt_act_read(p_clcb, 0);
885 LOG(ERROR) << __func__
886 << ": INCL_SRVC failed with invalid data value_len="
888 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
893 else if (p_clcb->operation == GATTC_OPTYPE_READ &&
894 p_clcb->op_subtype == GATT_READ_BY_TYPE) {
895 p_clcb->counter = len - 2;
896 p_clcb->s_handle = handle;
897 if (p_clcb->counter == (payload_size - 4)) {
898 p_clcb->op_subtype = GATT_READ_BY_HANDLE;
899 if (!p_clcb->p_attr_buf)
900 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
901 if (p_clcb->counter <= GATT_MAX_ATTR_LEN) {
902 memcpy(p_clcb->p_attr_buf, p, p_clcb->counter);
903 gatt_act_read(p_clcb, p_clcb->counter);
905 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, (void*)p);
908 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
911 } else /* discover characterisitic */
914 android_errorWriteLog(0x534e4554, "158778659");
915 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 3.";
916 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
919 STREAM_TO_UINT8(record_value.dclr_value.char_prop, p);
920 STREAM_TO_UINT16(record_value.dclr_value.val_handle, p);
921 if (!GATT_HANDLE_IS_VALID(record_value.dclr_value.val_handle)) {
922 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
925 if (!gatt_parse_uuid_from_cmd(&record_value.dclr_value.char_uuid,
926 (uint16_t)(value_len - 3), &p)) {
927 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
928 /* invalid format, and skip the result */
932 /* UUID not matching */
933 if (!p_clcb->uuid.IsEmpty() &&
934 !record_value.dclr_value.char_uuid.IsEmpty() &&
935 record_value.dclr_value.char_uuid != p_clcb->uuid) {
936 len -= (value_len + 2);
937 continue; /* skip the result, and look for next one */
940 if (p_clcb->operation == GATTC_OPTYPE_READ)
941 /* UUID match for read characteristic value */
943 /* only read the first matching UUID characteristic value, and
944 discard the rest results */
945 p_clcb->s_handle = record_value.dclr_value.val_handle;
946 p_clcb->op_subtype |= 0x80;
947 gatt_act_read(p_clcb, 0);
951 len -= (value_len + handle_len);
953 /* result is (handle, 16bits UUID) pairs */
954 memcpy(&result.value, &record_value, sizeof(result.value));
956 /* send callback if is discover procedure */
957 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
958 p_clcb->p_reg->app_cb.p_disc_res_cb)
959 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
960 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
964 p_clcb->s_handle = (handle == 0) ? 0 : (handle + 1);
966 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
967 /* initiate another request */
968 gatt_act_discovery(p_clcb);
969 } else /* read characteristic value */
971 gatt_act_read(p_clcb, 0);
975 /*******************************************************************************
977 * Function gatt_process_read_rsp
979 * Description This function is called to handle the read BLOB response
984 ******************************************************************************/
985 void gatt_process_read_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
986 UNUSED_ATTR uint8_t op_code, uint16_t len,
988 uint16_t offset = p_clcb->counter;
991 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
993 if (p_clcb->operation == GATTC_OPTYPE_READ) {
994 if (p_clcb->op_subtype != GATT_READ_BY_HANDLE) {
995 p_clcb->counter = len;
996 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
998 /* allocate GKI buffer holding up long attribute value */
999 if (!p_clcb->p_attr_buf)
1000 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
1002 /* copy attrobute value into cb buffer */
1003 if (offset < GATT_MAX_ATTR_LEN) {
1004 if ((len + offset) > GATT_MAX_ATTR_LEN)
1005 len = GATT_MAX_ATTR_LEN - offset;
1007 p_clcb->counter += len;
1009 memcpy(p_clcb->p_attr_buf + offset, p, len);
1011 /* full packet for read or read blob rsp */
1012 bool packet_is_full;
1013 if (payload_size == p_clcb->read_req_current_mtu) {
1014 packet_is_full = (len == (payload_size - 1));
1016 packet_is_full = (len == (p_clcb->read_req_current_mtu - 1) ||
1017 len == (payload_size - 1));
1018 p_clcb->read_req_current_mtu = payload_size;
1021 /* send next request if needed */
1022 if (packet_is_full && (len + offset < GATT_MAX_ATTR_LEN)) {
1023 VLOG(1) << StringPrintf(
1024 "full pkt issue read blob for remianing bytes old offset=%d "
1025 "len=%d new offset=%d",
1026 offset, len, p_clcb->counter);
1027 gatt_act_read(p_clcb, p_clcb->counter);
1028 } else /* end of request, send callback */
1030 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
1032 } else /* exception, should not happen */
1034 LOG(ERROR) << "attr offset = " << +offset
1035 << " p_attr_buf = " << p_clcb->p_attr_buf;
1036 gatt_end_operation(p_clcb, GATT_NO_RESOURCES,
1037 (void*)p_clcb->p_attr_buf);
1041 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
1042 p_clcb->op_subtype == GATT_DISC_INC_SRVC &&
1043 p_clcb->read_uuid128.wait_for_read_rsp) {
1044 p_clcb->s_handle = p_clcb->read_uuid128.next_disc_start_hdl;
1045 p_clcb->read_uuid128.wait_for_read_rsp = false;
1046 if (len == Uuid::kNumBytes128) {
1047 p_clcb->read_uuid128.result.value.incl_service.service_type =
1048 bluetooth::Uuid::From128BitLE(p);
1049 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
1050 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
1051 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
1052 &p_clcb->read_uuid128.result);
1053 gatt_act_discovery(p_clcb);
1055 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
1061 /*******************************************************************************
1063 * Function gatt_process_handle_rsp
1065 * Description This function is called to handle the write response
1070 ******************************************************************************/
1071 void gatt_process_handle_rsp(tGATT_CLCB* p_clcb) {
1072 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
1074 /*******************************************************************************
1076 * Function gatt_process_mtu_rsp
1078 * Description Process the configure MTU response.
1083 ******************************************************************************/
1084 void gatt_process_mtu_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint16_t len,
1087 tGATT_STATUS status = GATT_SUCCESS;
1089 if (len < GATT_MTU_RSP_MIN_LEN) {
1090 LOG(ERROR) << "invalid MTU response PDU received, discard.";
1091 status = GATT_INVALID_PDU;
1093 STREAM_TO_UINT16(mtu, p_data);
1095 if (mtu < tcb.payload_size && mtu >= GATT_DEF_BLE_MTU_SIZE)
1096 tcb.payload_size = mtu;
1099 BTM_SetBleDataLength(tcb.peer_bda, tcb.payload_size + L2CAP_PKT_OVERHEAD);
1101 gatt_end_operation(p_clcb, status, NULL);
1103 /*******************************************************************************
1105 * Function gatt_cmd_to_rsp_code
1107 * Description Convert an ATT command op code into the corresponding
1108 * response code assume no error occurs.
1110 * Returns response code.
1112 ******************************************************************************/
1113 uint8_t gatt_cmd_to_rsp_code(uint8_t cmd_code) {
1114 uint8_t rsp_code = 0;
1116 if (cmd_code > 1 && cmd_code != GATT_CMD_WRITE) {
1117 rsp_code = cmd_code + 1;
1122 /** Find next command in queue and sent to server */
1123 bool gatt_cl_send_next_cmd_inq(tGATT_TCB& tcb) {
1124 std::queue<tGATT_CMD_Q>* cl_cmd_q;
1126 while (!tcb.cl_cmd_q.empty() ||
1127 EattExtension::GetInstance()->IsOutstandingMsgInSendQueue(tcb.peer_bda)) {
1128 if (!tcb.cl_cmd_q.empty()) {
1129 cl_cmd_q = &tcb.cl_cmd_q;
1131 EattChannel* channel =
1132 EattExtension::GetInstance()->GetChannelWithQueuedData(tcb.peer_bda);
1133 cl_cmd_q = &channel->cl_cmd_q_;
1136 tGATT_CMD_Q& cmd = cl_cmd_q->front();
1137 if (!cmd.to_send || cmd.p_cmd == NULL) {
1141 tGATT_STATUS att_ret;
1142 att_ret = attp_send_msg_to_l2cap(tcb, cmd.cid, cmd.p_cmd);
1144 if (att_ret != GATT_SUCCESS && att_ret != GATT_CONGESTED) {
1145 LOG(ERROR) << __func__ << ": L2CAP sent error";
1150 cmd.to_send = false;
1153 if (cmd.op_code == GATT_CMD_WRITE || cmd.op_code == GATT_SIGN_CMD_WRITE) {
1154 /* dequeue the request if is write command or sign write */
1156 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cmd.cid, &rsp_code);
1158 /* send command complete callback here */
1159 gatt_end_operation(p_clcb, att_ret, NULL);
1161 /* if no ack needed, keep sending */
1162 if (att_ret == GATT_SUCCESS) continue;
1167 gatt_start_rsp_timer(cmd.p_clcb);
1174 /** This function is called to handle the server response to client */
1175 void gatt_client_handle_server_rsp(tGATT_TCB& tcb, uint16_t cid,
1176 uint8_t op_code, uint16_t len,
1178 VLOG(1) << __func__ << " opcode: " << loghex(op_code);
1180 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, cid);
1182 if (op_code == GATT_HANDLE_VALUE_IND || op_code == GATT_HANDLE_VALUE_NOTIF ||
1183 op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
1184 if (len >= payload_size) {
1185 LOG(ERROR) << StringPrintf(
1186 "%s: invalid indicate pkt size: %d, PDU size: %d", __func__, len + 1,
1191 gatt_process_notification(tcb, cid, op_code, len, p_data);
1195 uint8_t cmd_code = 0;
1196 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cid, &cmd_code);
1197 uint8_t rsp_code = gatt_cmd_to_rsp_code(cmd_code);
1198 if (!p_clcb || (rsp_code != op_code && op_code != GATT_RSP_ERROR)) {
1199 LOG(WARNING) << StringPrintf(
1200 "ATT - Ignore wrong response. Receives (%02x) Request(%02x) Ignored",
1205 if (!p_clcb->in_use) {
1206 LOG(WARNING) << "ATT - clcb already not in use, ignoring response";
1207 gatt_cl_send_next_cmd_inq(tcb);
1211 gatt_stop_rsp_timer(p_clcb);
1212 p_clcb->retry_count = 0;
1214 /* the size of the message may not be bigger than the local max PDU size*/
1215 /* The message has to be smaller than the agreed MTU, len does not count
1217 if (len >= payload_size) {
1218 LOG(ERROR) << StringPrintf(
1219 "%s: invalid response pkt size: %d, PDU size: %d", __func__, len + 1,
1221 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
1224 case GATT_RSP_ERROR:
1225 gatt_process_error_rsp(tcb, p_clcb, op_code, len, p_data);
1228 case GATT_RSP_MTU: /* 2 bytes mtu */
1229 gatt_process_mtu_rsp(tcb, p_clcb, len, p_data);
1232 case GATT_RSP_FIND_INFO:
1233 gatt_process_read_info_rsp(tcb, p_clcb, op_code, len, p_data);
1236 case GATT_RSP_READ_BY_TYPE:
1237 case GATT_RSP_READ_BY_GRP_TYPE:
1238 gatt_process_read_by_type_rsp(tcb, p_clcb, op_code, len, p_data);
1242 case GATT_RSP_READ_BLOB:
1243 case GATT_RSP_READ_MULTI:
1244 case GATT_RSP_READ_MULTI_VAR:
1245 gatt_process_read_rsp(tcb, p_clcb, op_code, len, p_data);
1248 case GATT_RSP_FIND_TYPE_VALUE: /* disc service with UUID */
1249 gatt_process_find_type_value_rsp(tcb, p_clcb, len, p_data);
1252 case GATT_RSP_WRITE:
1253 gatt_process_handle_rsp(p_clcb);
1256 case GATT_RSP_PREPARE_WRITE:
1257 gatt_process_prep_write_rsp(tcb, p_clcb, op_code, len, p_data);
1260 case GATT_RSP_EXEC_WRITE:
1261 gatt_end_operation(p_clcb, p_clcb->status, NULL);
1265 LOG(ERROR) << __func__ << ": Unknown opcode = " << std::hex << op_code;
1270 gatt_cl_send_next_cmd_inq(tcb);