1 /******************************************************************************
3 * Copyright 1999-2012 Broadcom Corporation
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 ******************************************************************************/
19 /******************************************************************************
21 * this file contains the main GATT client functions
23 ******************************************************************************/
25 #define LOG_TAG "bluetooth"
29 #include "bt_common.h"
30 #include "bt_target.h"
34 #include "osi/include/log.h"
35 #include "osi/include/osi.h"
36 #include "stack/eatt/eatt.h"
38 #define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */
39 #define GATT_READ_CHAR_VALUE_HDL (GATT_READ_CHAR_VALUE | 0x80)
40 #define GATT_READ_INC_SRV_UUID128 (GATT_DISC_INC_SRVC | 0x90)
42 #define GATT_PREP_WRITE_RSP_MIN_LEN 4
43 #define GATT_NOTIFICATION_MIN_LEN 2
44 #define GATT_WRITE_RSP_MIN_LEN 2
45 #define GATT_INFO_RSP_MIN_LEN 1
46 #define GATT_MTU_RSP_MIN_LEN 2
47 #define GATT_READ_BY_TYPE_RSP_MIN_LEN 1
49 using base::StringPrintf;
50 using bluetooth::Uuid;
51 using bluetooth::eatt::EattExtension;
52 using bluetooth::eatt::EattChannel;
54 /*******************************************************************************
55 * G L O B A L G A T T D A T A *
56 ******************************************************************************/
57 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb);
59 uint8_t disc_type_to_att_opcode[GATT_DISC_MAX] = {
61 GATT_REQ_READ_BY_GRP_TYPE, /* GATT_DISC_SRVC_ALL = 1, */
62 GATT_REQ_FIND_TYPE_VALUE, /* GATT_DISC_SRVC_BY_UUID, */
63 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_INC_SRVC, */
64 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_CHAR, */
65 GATT_REQ_FIND_INFO /* GATT_DISC_CHAR_DSCPT, */
68 uint16_t disc_type_to_uuid[GATT_DISC_MAX] = {
70 GATT_UUID_PRI_SERVICE, /* <service> DISC_SRVC_ALL */
71 GATT_UUID_PRI_SERVICE, /* <service> for DISC_SERVC_BY_UUID */
72 GATT_UUID_INCLUDE_SERVICE, /* <include_service> for DISC_INC_SRVC */
73 GATT_UUID_CHAR_DECLARE, /* <characteristic> for DISC_CHAR */
74 0 /* no type filtering for DISC_CHAR_DSCPT */
77 /*******************************************************************************
79 * Function gatt_act_discovery
81 * Description GATT discovery operation.
85 ******************************************************************************/
86 void gatt_act_discovery(tGATT_CLCB* p_clcb) {
87 uint8_t op_code = disc_type_to_att_opcode[p_clcb->op_subtype];
89 if (p_clcb->s_handle > p_clcb->e_handle || p_clcb->s_handle == 0) {
90 LOG_DEBUG("Completed GATT discovery of all handle ranges");
91 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
96 memset(&cl_req, 0, sizeof(tGATT_CL_MSG));
98 cl_req.browse.s_handle = p_clcb->s_handle;
99 cl_req.browse.e_handle = p_clcb->e_handle;
101 if (disc_type_to_uuid[p_clcb->op_subtype] != 0) {
103 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
106 if (p_clcb->op_subtype ==
107 GATT_DISC_SRVC_BY_UUID) /* fill in the FindByTypeValue request info*/
109 cl_req.find_type_value.uuid =
110 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
111 cl_req.find_type_value.s_handle = p_clcb->s_handle;
112 cl_req.find_type_value.e_handle = p_clcb->e_handle;
114 size_t size = p_clcb->uuid.GetShortestRepresentationSize();
115 cl_req.find_type_value.value_len = size;
116 if (size == Uuid::kNumBytes16) {
117 uint8_t* p = cl_req.find_type_value.value;
118 UINT16_TO_STREAM(p, p_clcb->uuid.As16Bit());
119 } else if (size == Uuid::kNumBytes32) {
120 /* if service type is 32 bits UUID, convert it now */
121 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
123 cl_req.find_type_value.value_len = Uuid::kNumBytes128;
125 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
129 tGATT_STATUS st = attp_send_cl_msg(*p_clcb->p_tcb, p_clcb, op_code, &cl_req);
130 if (st != GATT_SUCCESS && st != GATT_CMD_STARTED) {
131 LOG_WARN("Unable to send ATT message");
132 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
136 /*******************************************************************************
138 * Function gatt_act_read
140 * Description GATT read operation.
144 ******************************************************************************/
145 void gatt_act_read(tGATT_CLCB* p_clcb, uint16_t offset) {
146 tGATT_TCB& tcb = *p_clcb->p_tcb;
147 tGATT_STATUS rt = GATT_INTERNAL_ERROR;
151 memset(&msg, 0, sizeof(tGATT_CL_MSG));
153 switch (p_clcb->op_subtype) {
154 case GATT_READ_CHAR_VALUE:
155 case GATT_READ_BY_TYPE:
156 op_code = GATT_REQ_READ_BY_TYPE;
157 msg.browse.s_handle = p_clcb->s_handle;
158 msg.browse.e_handle = p_clcb->e_handle;
159 if (p_clcb->op_subtype == GATT_READ_BY_TYPE)
160 msg.browse.uuid = p_clcb->uuid;
162 msg.browse.uuid = bluetooth::Uuid::From16Bit(GATT_UUID_CHAR_DECLARE);
166 case GATT_READ_CHAR_VALUE_HDL:
167 case GATT_READ_BY_HANDLE:
168 if (!p_clcb->counter) {
169 op_code = GATT_REQ_READ;
170 msg.handle = p_clcb->s_handle;
172 if (!p_clcb->first_read_blob_after_read)
173 p_clcb->first_read_blob_after_read = true;
175 p_clcb->first_read_blob_after_read = false;
177 VLOG(1) << __func__ << ": first_read_blob_after_read="
178 << p_clcb->first_read_blob_after_read;
179 op_code = GATT_REQ_READ_BLOB;
180 msg.read_blob.offset = offset;
181 msg.read_blob.handle = p_clcb->s_handle;
183 p_clcb->op_subtype &= ~0x80;
186 case GATT_READ_PARTIAL:
187 op_code = GATT_REQ_READ_BLOB;
188 msg.read_blob.handle = p_clcb->s_handle;
189 msg.read_blob.offset = offset;
192 case GATT_READ_MULTIPLE:
193 op_code = GATT_REQ_READ_MULTI;
194 memcpy(&msg.read_multi, p_clcb->p_attr_buf, sizeof(tGATT_READ_MULTI));
197 case GATT_READ_INC_SRV_UUID128:
198 op_code = GATT_REQ_READ;
199 msg.handle = p_clcb->s_handle;
200 p_clcb->op_subtype &= ~0x90;
204 LOG(ERROR) << "Unknown read type:" << +p_clcb->op_subtype;
208 if (op_code != 0) rt = attp_send_cl_msg(tcb, p_clcb, op_code, &msg);
210 if (op_code == 0 || (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED)) {
211 gatt_end_operation(p_clcb, rt, NULL);
215 /** GATT write operation */
216 void gatt_act_write(tGATT_CLCB* p_clcb, uint8_t sec_act) {
217 tGATT_TCB& tcb = *p_clcb->p_tcb;
219 CHECK(p_clcb->p_attr_buf);
220 tGATT_VALUE& attr = *((tGATT_VALUE*)p_clcb->p_attr_buf);
222 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
224 switch (p_clcb->op_subtype) {
225 case GATT_WRITE_NO_RSP: {
226 p_clcb->s_handle = attr.handle;
227 uint8_t op_code = (sec_act == GATT_SEC_SIGN_DATA) ? GATT_SIGN_CMD_WRITE
229 tGATT_STATUS rt = gatt_send_write_msg(tcb, p_clcb, op_code, attr.handle,
230 attr.len, 0, attr.value);
231 if (rt != GATT_CMD_STARTED) {
232 if (rt != GATT_SUCCESS) {
233 LOG(ERROR) << StringPrintf(
234 "gatt_act_write() failed op_code=0x%x rt=%d", op_code, rt);
236 gatt_end_operation(p_clcb, rt, NULL);
242 if (attr.len <= (payload_size - GATT_HDR_SIZE)) {
243 p_clcb->s_handle = attr.handle;
245 tGATT_STATUS rt = gatt_send_write_msg(
246 tcb, p_clcb, GATT_REQ_WRITE, attr.handle, attr.len, 0, attr.value);
247 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED &&
248 rt != GATT_CONGESTED) {
249 if (rt != GATT_SUCCESS) {
250 LOG(ERROR) << StringPrintf(
251 "gatt_act_write() failed op_code=0x%x rt=%d", GATT_REQ_WRITE,
254 gatt_end_operation(p_clcb, rt, NULL);
258 /* prepare write for long attribute */
259 gatt_send_prepare_write(tcb, p_clcb);
264 case GATT_WRITE_PREPARE:
265 gatt_send_prepare_write(tcb, p_clcb);
269 CHECK(false) << "Unknown write type" << p_clcb->op_subtype;
273 /*******************************************************************************
275 * Function gatt_send_queue_write_cancel
277 * Description send queue write cancel
281 ******************************************************************************/
282 void gatt_send_queue_write_cancel(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
283 tGATT_EXEC_FLAG flag) {
288 tGATT_CL_MSG gatt_cl_msg;
289 gatt_cl_msg.exec_write = flag;
290 rt = attp_send_cl_msg(tcb, p_clcb, GATT_REQ_EXEC_WRITE, &gatt_cl_msg);
292 if (rt != GATT_SUCCESS) {
293 gatt_end_operation(p_clcb, rt, NULL);
296 /*******************************************************************************
298 * Function gatt_check_write_long_terminate
300 * Description To terminate write long or not.
302 * Returns true: write long is terminated; false keep sending.
304 ******************************************************************************/
305 bool gatt_check_write_long_terminate(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
306 tGATT_VALUE* p_rsp_value) {
307 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
308 bool terminate = false;
309 tGATT_EXEC_FLAG flag = GATT_PREP_WRITE_EXEC;
312 /* check the first write response status */
313 if (p_rsp_value != NULL) {
314 if (p_rsp_value->handle != p_attr->handle ||
315 p_rsp_value->len != p_clcb->counter ||
316 memcmp(p_rsp_value->value, p_attr->value + p_attr->offset,
318 /* data does not match */
319 p_clcb->status = GATT_ERROR;
320 flag = GATT_PREP_WRITE_CANCEL;
322 } else /* response checking is good */
324 p_clcb->status = GATT_SUCCESS;
325 /* update write offset and check if end of attribute value */
326 if ((p_attr->offset += p_rsp_value->len) >= p_attr->len) terminate = true;
329 if (terminate && p_clcb->op_subtype != GATT_WRITE_PREPARE) {
330 gatt_send_queue_write_cancel(tcb, p_clcb, flag);
335 /** Send prepare write */
336 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb) {
337 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
338 uint8_t type = p_clcb->op_subtype;
340 VLOG(1) << __func__ << StringPrintf(" type=0x%x", type);
341 uint16_t to_send = p_attr->len - p_attr->offset;
343 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
344 if (to_send > (payload_size -
345 GATT_WRITE_LONG_HDR_SIZE)) /* 2 = uint16_t offset bytes */
346 to_send = payload_size - GATT_WRITE_LONG_HDR_SIZE;
348 p_clcb->s_handle = p_attr->handle;
350 uint16_t offset = p_attr->offset;
351 if (type == GATT_WRITE_PREPARE) {
352 offset += p_clcb->start_offset;
355 VLOG(1) << StringPrintf("offset =0x%x len=%d", offset, to_send);
357 tGATT_STATUS rt = gatt_send_write_msg(
358 tcb, p_clcb, GATT_REQ_PREPARE_WRITE, p_attr->handle, to_send, /* length */
359 offset, /* used as offset */
360 p_attr->value + p_attr->offset); /* data */
362 /* remember the write long attribute length */
363 p_clcb->counter = to_send;
365 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED && rt != GATT_CONGESTED) {
366 gatt_end_operation(p_clcb, rt, NULL);
370 /*******************************************************************************
372 * Function gatt_process_find_type_value_rsp
374 * Description This function handles the find by type value response.
379 ******************************************************************************/
380 void gatt_process_find_type_value_rsp(UNUSED_ATTR tGATT_TCB& tcb,
381 tGATT_CLCB* p_clcb, uint16_t len,
383 tGATT_DISC_RES result;
387 /* unexpected response */
388 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
389 p_clcb->op_subtype != GATT_DISC_SRVC_BY_UUID)
392 memset(&result, 0, sizeof(tGATT_DISC_RES));
393 result.type = bluetooth::Uuid::From16Bit(GATT_UUID_PRI_SERVICE);
395 /* returns a series of handle ranges */
397 STREAM_TO_UINT16(result.handle, p);
398 STREAM_TO_UINT16(result.value.group_value.e_handle, p);
399 result.value.group_value.service_type = p_clcb->uuid;
403 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
404 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
405 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
409 /* last handle + 1 */
410 p_clcb->s_handle = (result.value.group_value.e_handle == 0)
412 : (result.value.group_value.e_handle + 1);
413 /* initiate another request */
414 gatt_act_discovery(p_clcb);
416 /*******************************************************************************
418 * Function gatt_process_read_info_rsp
420 * Description This function is called to handle the read information
426 ******************************************************************************/
427 void gatt_process_read_info_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
428 UNUSED_ATTR uint8_t op_code, uint16_t len,
430 tGATT_DISC_RES result;
431 uint8_t *p = p_data, uuid_len = 0, type;
433 if (len < GATT_INFO_RSP_MIN_LEN) {
434 LOG(ERROR) << "invalid Info Response PDU received, discard.";
435 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
438 /* unexpected response */
439 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
440 p_clcb->op_subtype != GATT_DISC_CHAR_DSCPT)
443 STREAM_TO_UINT8(type, p);
446 if (type == GATT_INFO_TYPE_PAIR_16)
447 uuid_len = Uuid::kNumBytes16;
448 else if (type == GATT_INFO_TYPE_PAIR_128)
449 uuid_len = Uuid::kNumBytes128;
451 while (len >= uuid_len + 2) {
452 STREAM_TO_UINT16(result.handle, p);
455 if (!gatt_parse_uuid_from_cmd(&result.type, uuid_len, &p)) break;
457 result.type = p_clcb->uuid;
459 len -= (uuid_len + 2);
461 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
462 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
463 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
467 p_clcb->s_handle = (result.handle == 0) ? 0 : (result.handle + 1);
468 /* initiate another request */
469 gatt_act_discovery(p_clcb);
471 /*******************************************************************************
473 * Function gatt_proc_disc_error_rsp
475 * Description Process the read by type response and send another request
480 ******************************************************************************/
481 void gatt_proc_disc_error_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
482 uint8_t opcode, UNUSED_ATTR uint16_t handle,
484 tGATT_STATUS status = (tGATT_STATUS)reason;
487 << StringPrintf("reason: %02x cmd_code %04x", reason, opcode);
490 case GATT_REQ_READ_BY_GRP_TYPE:
491 case GATT_REQ_FIND_TYPE_VALUE:
492 case GATT_REQ_READ_BY_TYPE:
493 case GATT_REQ_FIND_INFO:
494 if (reason == GATT_NOT_FOUND) {
495 status = GATT_SUCCESS;
496 VLOG(1) << "Discovery completed";
500 LOG(ERROR) << StringPrintf("Incorrect discovery opcode %04x", opcode);
504 gatt_end_operation(p_clcb, status, NULL);
507 /*******************************************************************************
509 * Function gatt_process_error_rsp
511 * Description This function is called to handle the error response
516 ******************************************************************************/
517 void gatt_process_error_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
518 UNUSED_ATTR uint8_t op_code,
519 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
520 uint8_t opcode, *p = p_data;
523 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
528 android_errorWriteLog(0x534e4554, "79591688");
529 LOG(ERROR) << "Error response too short";
530 // Specification does not clearly define what should happen if error
531 // response is too short. General rule in BT Spec 5.0 Vol 3, Part F 3.4.1.1
532 // is: "If an error code is received in the Error Response that is not
533 // understood by the client, for example an error code that was reserved for
534 // future use that is now being used in a future version of this
535 // specification, then the Error Response shall still be considered to state
536 // that the given request cannot be performed for an unknown reason."
538 reason = static_cast<tGATT_STATUS>(0x7f);
540 STREAM_TO_UINT8(opcode, p);
541 STREAM_TO_UINT16(handle, p);
542 STREAM_TO_UINT8(reason, p);
545 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
546 gatt_proc_disc_error_rsp(tcb, p_clcb, opcode, handle,
547 static_cast<tGATT_STATUS>(reason));
549 if ((p_clcb->operation == GATTC_OPTYPE_WRITE) &&
550 (p_clcb->op_subtype == GATT_WRITE) &&
551 (opcode == GATT_REQ_PREPARE_WRITE) && (p_attr) &&
552 (handle == p_attr->handle)) {
553 p_clcb->status = static_cast<tGATT_STATUS>(reason);
554 gatt_send_queue_write_cancel(tcb, p_clcb, GATT_PREP_WRITE_CANCEL);
555 } else if ((p_clcb->operation == GATTC_OPTYPE_READ) &&
556 ((p_clcb->op_subtype == GATT_READ_CHAR_VALUE_HDL) ||
557 (p_clcb->op_subtype == GATT_READ_BY_HANDLE)) &&
558 (opcode == GATT_REQ_READ_BLOB) &&
559 p_clcb->first_read_blob_after_read &&
560 (reason == GATT_NOT_LONG)) {
561 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
563 gatt_end_operation(p_clcb, static_cast<tGATT_STATUS>(reason), NULL);
566 /*******************************************************************************
568 * Function gatt_process_prep_write_rsp
570 * Description This function is called to handle the read response
575 ******************************************************************************/
576 void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
577 uint8_t op_code, uint16_t len,
581 tGATT_VALUE value = {
582 .conn_id = p_clcb->conn_id, .auth_req = GATT_AUTH_REQ_NONE,
585 VLOG(1) << StringPrintf("value resp op_code = %s len = %d",
586 gatt_dbg_op_name(op_code), len);
588 if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
589 LOG(ERROR) << "illegal prepare write response length, discard";
590 gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
594 STREAM_TO_UINT16(value.handle, p);
595 STREAM_TO_UINT16(value.offset, p);
599 memcpy(value.value, p, value.len);
601 if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
602 gatt_send_prepare_write(tcb, p_clcb);
606 if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
607 /* application should verify handle offset
608 and value are matched or not */
609 gatt_end_operation(p_clcb, p_clcb->status, &value);
613 /*******************************************************************************
615 * Function gatt_process_notification
617 * Description Handle the handle value indication/notification.
621 ******************************************************************************/
622 void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
623 uint16_t len, uint8_t* p_data) {
624 tGATT_VALUE value = {};
627 tGATT_STATUS encrypt_status = {};
630 tGATTC_OPTYPE event = (op_code == GATT_HANDLE_VALUE_IND)
631 ? GATTC_OPTYPE_INDICATION
632 : GATTC_OPTYPE_NOTIFICATION;
636 // Ensure our packet has enough data (2 bytes)
637 if (len < GATT_NOTIFICATION_MIN_LEN) {
638 LOG(ERROR) << "illegal notification PDU length, discard";
643 STREAM_TO_UINT16(value.handle, p);
645 // Fail early if the GATT handle is not valid
646 if (!GATT_HANDLE_IS_VALID(value.handle)) {
647 /* illegal handle, send ack now */
648 if (op_code == GATT_HANDLE_VALUE_IND)
649 attp_send_cl_confirmation_msg(tcb, cid);
653 // Calculate value length based on opcode
654 if (op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
655 // Ensure our packet has enough data; MIN + 2 more bytes for len value
656 if (len < GATT_NOTIFICATION_MIN_LEN + 2) {
657 LOG(ERROR) << "illegal notification PDU length, discard";
661 // Allow multi value opcode to set value len from the packet
662 STREAM_TO_UINT16(value.len, p);
664 if (value.len > len - 4) {
665 LOG(ERROR) << "value.len (" << value.len << ") greater than length ("
671 // For single value, just use the passed in len minus opcode length (2)
675 // Verify the new calculated length
676 if (value.len > GATT_MAX_ATTR_LEN) {
677 LOG(ERROR) << "value.len larger than GATT_MAX_ATTR_LEN, discard";
681 // Handle indications differently
682 if (event == GATTC_OPTYPE_INDICATION) {
684 /* this is an error case that receiving an indication but we
685 still has an indication not being acked yet.
686 For now, just log the error reset the counter.
687 Later we need to disconnect the link unconditionally.
689 LOG(ERROR) << __func__ << " rcv Ind. but ind_count=" << tcb.ind_count
690 << " (will reset ind_count)";
693 // Zero out the ind_count
696 // Notify all registered clients with the handle value
697 // notification/indication
698 // Note: need to do the indication count and start timer first then do
700 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
701 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) tcb.ind_count++;
704 /* start a timer for app confirmation */
705 if (tcb.ind_count > 0) {
706 gatt_start_ind_ack_timer(tcb, cid);
707 } else { /* no app to indicate, or invalid handle */
708 attp_send_cl_confirmation_msg(tcb, cid);
712 encrypt_status = gatt_get_link_encrypt_status(tcb);
714 STREAM_TO_ARRAY(value.value, p, value.len);
716 tGATT_CL_COMPLETE gatt_cl_complete;
717 gatt_cl_complete.att_value = value;
718 gatt_cl_complete.cid = cid;
720 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
721 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
722 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
723 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
728 // If this is single value, then nothing is left to do
729 if (op_code != GATT_HANDLE_MULTI_VALUE_NOTIF) return;
731 // Need a signed type to check if the value is below 0
732 // as uint16_t doesn't have negatives so the negatives register as a number
733 // thus anything less than zero won't trigger the conditional and it is not
735 // when done looping as value.len is arbitrary.
736 int16_t rem_len = (int16_t)len - (4 /* octets */ + value.len);
738 // Already streamed the first value and sent it, lets send the rest
739 while (rem_len > 4 /* octets */) {
741 STREAM_TO_UINT16(value.handle, p);
743 STREAM_TO_UINT16(value.len, p);
746 // Make sure we don't read past the remaining data even if the length says
747 // we can Also need to watch comparing the int16_t with the uint16_t
748 value.len = std::min((uint16_t)rem_len, value.len);
749 STREAM_TO_ARRAY(value.value, p, value.len);
751 rem_len -= value.len;
753 gatt_cl_complete.att_value = value;
754 gatt_cl_complete.cid = cid;
756 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
757 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
758 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
759 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
766 /*******************************************************************************
768 * Function gatt_process_read_by_type_rsp
770 * Description This function is called to handle the read by type response.
771 * read by type can be used for discovery, or read by type or
772 * read characteristic value.
776 ******************************************************************************/
777 void gatt_process_read_by_type_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
778 uint8_t op_code, uint16_t len,
780 tGATT_DISC_RES result;
781 tGATT_DISC_VALUE record_value;
782 uint8_t *p = p_data, value_len, handle_len = 2;
785 /* discovery procedure and no callback function registered */
786 if (((!p_clcb->p_reg) || (!p_clcb->p_reg->app_cb.p_disc_res_cb)) &&
787 (p_clcb->operation == GATTC_OPTYPE_DISCOVERY))
790 if (len < GATT_READ_BY_TYPE_RSP_MIN_LEN) {
791 LOG(ERROR) << "Illegal ReadByType/ReadByGroupType Response length, discard";
792 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
796 STREAM_TO_UINT8(value_len, p);
797 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
798 if ((value_len > (payload_size - 2)) || (value_len > (len - 1))) {
799 /* this is an error case that server's response containing a value length
800 which is larger than MTU-2
801 or value_len > message total length -1 */
802 LOG(ERROR) << __func__
804 ": Discard response op_code=%d "
805 "vale_len=%d > (MTU-2=%d or msg_len-1=%d)",
806 op_code, value_len, (payload_size - 2), (len - 1));
807 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
811 if (op_code == GATT_RSP_READ_BY_GRP_TYPE) handle_len = 4;
813 value_len -= handle_len; /* substract the handle pairs bytes */
816 while (len >= (handle_len + value_len)) {
817 STREAM_TO_UINT16(handle, p);
819 if (!GATT_HANDLE_IS_VALID(handle)) {
820 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
824 memset(&result, 0, sizeof(tGATT_DISC_RES));
825 memset(&record_value, 0, sizeof(tGATT_DISC_VALUE));
827 result.handle = handle;
829 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
831 /* discover all services */
832 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
833 p_clcb->op_subtype == GATT_DISC_SRVC_ALL &&
834 op_code == GATT_RSP_READ_BY_GRP_TYPE) {
835 STREAM_TO_UINT16(handle, p);
837 if (!GATT_HANDLE_IS_VALID(handle)) {
838 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
841 record_value.group_value.e_handle = handle;
842 if (!gatt_parse_uuid_from_cmd(&record_value.group_value.service_type,
844 LOG(ERROR) << "discover all service response parsing failure";
849 /* discover included service */
850 else if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
851 p_clcb->op_subtype == GATT_DISC_INC_SRVC) {
853 android_errorWriteLog(0x534e4554, "158833854");
854 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 4.";
855 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
858 STREAM_TO_UINT16(record_value.incl_service.s_handle, p);
859 STREAM_TO_UINT16(record_value.incl_service.e_handle, p);
861 if (!GATT_HANDLE_IS_VALID(record_value.incl_service.s_handle) ||
862 !GATT_HANDLE_IS_VALID(record_value.incl_service.e_handle)) {
863 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
867 if (value_len == 6) {
869 STREAM_TO_UINT16(tmp, p);
870 record_value.incl_service.service_type =
871 bluetooth::Uuid::From16Bit(tmp);
872 } else if (value_len == 4) {
873 p_clcb->s_handle = record_value.incl_service.s_handle;
874 p_clcb->read_uuid128.wait_for_read_rsp = true;
875 p_clcb->read_uuid128.next_disc_start_hdl = handle + 1;
876 memcpy(&p_clcb->read_uuid128.result, &result, sizeof(result));
877 memcpy(&p_clcb->read_uuid128.result.value, &record_value,
878 sizeof(result.value));
879 p_clcb->op_subtype |= 0x90;
880 gatt_act_read(p_clcb, 0);
883 LOG(ERROR) << __func__
884 << ": INCL_SRVC failed with invalid data value_len="
886 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
891 else if (p_clcb->operation == GATTC_OPTYPE_READ &&
892 p_clcb->op_subtype == GATT_READ_BY_TYPE) {
893 p_clcb->counter = len - 2;
894 p_clcb->s_handle = handle;
895 if (p_clcb->counter == (payload_size - 4)) {
896 p_clcb->op_subtype = GATT_READ_BY_HANDLE;
897 if (!p_clcb->p_attr_buf)
898 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
899 if (p_clcb->counter <= GATT_MAX_ATTR_LEN) {
900 memcpy(p_clcb->p_attr_buf, p, p_clcb->counter);
901 gatt_act_read(p_clcb, p_clcb->counter);
903 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, (void*)p);
906 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
909 } else /* discover characterisitic */
912 android_errorWriteLog(0x534e4554, "158778659");
913 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 3.";
914 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
917 STREAM_TO_UINT8(record_value.dclr_value.char_prop, p);
918 STREAM_TO_UINT16(record_value.dclr_value.val_handle, p);
919 if (!GATT_HANDLE_IS_VALID(record_value.dclr_value.val_handle)) {
920 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
923 if (!gatt_parse_uuid_from_cmd(&record_value.dclr_value.char_uuid,
924 (uint16_t)(value_len - 3), &p)) {
925 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
926 /* invalid format, and skip the result */
930 /* UUID not matching */
931 if (!p_clcb->uuid.IsEmpty() &&
932 !record_value.dclr_value.char_uuid.IsEmpty() &&
933 record_value.dclr_value.char_uuid != p_clcb->uuid) {
934 len -= (value_len + 2);
935 continue; /* skip the result, and look for next one */
938 if (p_clcb->operation == GATTC_OPTYPE_READ)
939 /* UUID match for read characteristic value */
941 /* only read the first matching UUID characteristic value, and
942 discard the rest results */
943 p_clcb->s_handle = record_value.dclr_value.val_handle;
944 p_clcb->op_subtype |= 0x80;
945 gatt_act_read(p_clcb, 0);
949 len -= (value_len + handle_len);
951 /* result is (handle, 16bits UUID) pairs */
952 memcpy(&result.value, &record_value, sizeof(result.value));
954 /* send callback if is discover procedure */
955 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
956 p_clcb->p_reg->app_cb.p_disc_res_cb)
957 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
958 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
962 p_clcb->s_handle = (handle == 0) ? 0 : (handle + 1);
964 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
965 /* initiate another request */
966 gatt_act_discovery(p_clcb);
967 } else /* read characteristic value */
969 gatt_act_read(p_clcb, 0);
973 /*******************************************************************************
975 * Function gatt_process_read_rsp
977 * Description This function is called to handle the read BLOB response
982 ******************************************************************************/
983 void gatt_process_read_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
984 UNUSED_ATTR uint8_t op_code, uint16_t len,
986 uint16_t offset = p_clcb->counter;
989 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
991 if (p_clcb->operation == GATTC_OPTYPE_READ) {
992 if (p_clcb->op_subtype != GATT_READ_BY_HANDLE) {
993 p_clcb->counter = len;
994 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
996 /* allocate GKI buffer holding up long attribute value */
997 if (!p_clcb->p_attr_buf)
998 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
1000 /* copy attrobute value into cb buffer */
1001 if (offset < GATT_MAX_ATTR_LEN) {
1002 if ((len + offset) > GATT_MAX_ATTR_LEN)
1003 len = GATT_MAX_ATTR_LEN - offset;
1005 p_clcb->counter += len;
1007 memcpy(p_clcb->p_attr_buf + offset, p, len);
1009 /* full packet for read or read blob rsp */
1010 bool packet_is_full;
1011 if (payload_size == p_clcb->read_req_current_mtu) {
1012 packet_is_full = (len == (payload_size - 1));
1014 packet_is_full = (len == (p_clcb->read_req_current_mtu - 1) ||
1015 len == (payload_size - 1));
1016 p_clcb->read_req_current_mtu = payload_size;
1019 /* send next request if needed */
1020 if (packet_is_full && (len + offset < GATT_MAX_ATTR_LEN)) {
1021 VLOG(1) << StringPrintf(
1022 "full pkt issue read blob for remianing bytes old offset=%d "
1023 "len=%d new offset=%d",
1024 offset, len, p_clcb->counter);
1025 gatt_act_read(p_clcb, p_clcb->counter);
1026 } else /* end of request, send callback */
1028 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
1030 } else /* exception, should not happen */
1032 LOG(ERROR) << "attr offset = " << +offset
1033 << " p_attr_buf = " << p_clcb->p_attr_buf;
1034 gatt_end_operation(p_clcb, GATT_NO_RESOURCES,
1035 (void*)p_clcb->p_attr_buf);
1039 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
1040 p_clcb->op_subtype == GATT_DISC_INC_SRVC &&
1041 p_clcb->read_uuid128.wait_for_read_rsp) {
1042 p_clcb->s_handle = p_clcb->read_uuid128.next_disc_start_hdl;
1043 p_clcb->read_uuid128.wait_for_read_rsp = false;
1044 if (len == Uuid::kNumBytes128) {
1045 p_clcb->read_uuid128.result.value.incl_service.service_type =
1046 bluetooth::Uuid::From128BitLE(p);
1047 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
1048 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
1049 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
1050 &p_clcb->read_uuid128.result);
1051 gatt_act_discovery(p_clcb);
1053 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
1059 /*******************************************************************************
1061 * Function gatt_process_handle_rsp
1063 * Description This function is called to handle the write response
1068 ******************************************************************************/
1069 void gatt_process_handle_rsp(tGATT_CLCB* p_clcb) {
1070 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
1072 /*******************************************************************************
1074 * Function gatt_process_mtu_rsp
1076 * Description Process the configure MTU response.
1081 ******************************************************************************/
1082 void gatt_process_mtu_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint16_t len,
1085 tGATT_STATUS status = GATT_SUCCESS;
1087 if (len < GATT_MTU_RSP_MIN_LEN) {
1088 LOG(ERROR) << "invalid MTU response PDU received, discard.";
1089 status = GATT_INVALID_PDU;
1091 STREAM_TO_UINT16(mtu, p_data);
1093 if (mtu < tcb.payload_size && mtu >= GATT_DEF_BLE_MTU_SIZE)
1094 tcb.payload_size = mtu;
1097 BTM_SetBleDataLength(tcb.peer_bda, tcb.payload_size);
1099 gatt_end_operation(p_clcb, status, NULL);
1101 /*******************************************************************************
1103 * Function gatt_cmd_to_rsp_code
1105 * Description Convert an ATT command op code into the corresponding
1106 * response code assume no error occurs.
1108 * Returns response code.
1110 ******************************************************************************/
1111 uint8_t gatt_cmd_to_rsp_code(uint8_t cmd_code) {
1112 uint8_t rsp_code = 0;
1114 if (cmd_code > 1 && cmd_code != GATT_CMD_WRITE) {
1115 rsp_code = cmd_code + 1;
1120 /** Find next command in queue and sent to server */
1121 bool gatt_cl_send_next_cmd_inq(tGATT_TCB& tcb) {
1122 std::queue<tGATT_CMD_Q>* cl_cmd_q;
1124 while (!tcb.cl_cmd_q.empty() ||
1125 EattExtension::GetInstance()->IsOutstandingMsgInSendQueue(tcb.peer_bda)) {
1126 if (!tcb.cl_cmd_q.empty()) {
1127 cl_cmd_q = &tcb.cl_cmd_q;
1129 EattChannel* channel =
1130 EattExtension::GetInstance()->GetChannelWithQueuedData(tcb.peer_bda);
1131 cl_cmd_q = &channel->cl_cmd_q_;
1134 tGATT_CMD_Q& cmd = cl_cmd_q->front();
1135 if (!cmd.to_send || cmd.p_cmd == NULL) {
1139 tGATT_STATUS att_ret;
1140 att_ret = attp_send_msg_to_l2cap(tcb, cmd.cid, cmd.p_cmd);
1142 if (att_ret != GATT_SUCCESS && att_ret != GATT_CONGESTED) {
1143 LOG(ERROR) << __func__ << ": L2CAP sent error";
1148 cmd.to_send = false;
1151 if (cmd.op_code == GATT_CMD_WRITE || cmd.op_code == GATT_SIGN_CMD_WRITE) {
1152 /* dequeue the request if is write command or sign write */
1154 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cmd.cid, &rsp_code);
1156 /* send command complete callback here */
1157 gatt_end_operation(p_clcb, att_ret, NULL);
1159 /* if no ack needed, keep sending */
1160 if (att_ret == GATT_SUCCESS) continue;
1165 gatt_start_rsp_timer(cmd.p_clcb);
1172 /** This function is called to handle the server response to client */
1173 void gatt_client_handle_server_rsp(tGATT_TCB& tcb, uint16_t cid,
1174 uint8_t op_code, uint16_t len,
1176 VLOG(1) << __func__ << " opcode: " << loghex(op_code);
1178 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, cid);
1180 if (op_code == GATT_HANDLE_VALUE_IND || op_code == GATT_HANDLE_VALUE_NOTIF ||
1181 op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
1182 if (len >= payload_size) {
1183 LOG(ERROR) << StringPrintf(
1184 "%s: invalid indicate pkt size: %d, PDU size: %d", __func__, len + 1,
1189 gatt_process_notification(tcb, cid, op_code, len, p_data);
1193 uint8_t cmd_code = 0;
1194 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cid, &cmd_code);
1195 uint8_t rsp_code = gatt_cmd_to_rsp_code(cmd_code);
1196 if (!p_clcb || (rsp_code != op_code && op_code != GATT_RSP_ERROR)) {
1197 LOG(WARNING) << StringPrintf(
1198 "ATT - Ignore wrong response. Receives (%02x) Request(%02x) Ignored",
1203 if (!p_clcb->in_use) {
1204 LOG(WARNING) << "ATT - clcb already not in use, ignoring response";
1205 gatt_cl_send_next_cmd_inq(tcb);
1209 gatt_stop_rsp_timer(p_clcb);
1210 p_clcb->retry_count = 0;
1212 /* the size of the message may not be bigger than the local max PDU size*/
1213 /* The message has to be smaller than the agreed MTU, len does not count
1215 if (len >= payload_size) {
1216 LOG(ERROR) << StringPrintf(
1217 "%s: invalid response pkt size: %d, PDU size: %d", __func__, len + 1,
1219 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
1222 case GATT_RSP_ERROR:
1223 gatt_process_error_rsp(tcb, p_clcb, op_code, len, p_data);
1226 case GATT_RSP_MTU: /* 2 bytes mtu */
1227 gatt_process_mtu_rsp(tcb, p_clcb, len, p_data);
1230 case GATT_RSP_FIND_INFO:
1231 gatt_process_read_info_rsp(tcb, p_clcb, op_code, len, p_data);
1234 case GATT_RSP_READ_BY_TYPE:
1235 case GATT_RSP_READ_BY_GRP_TYPE:
1236 gatt_process_read_by_type_rsp(tcb, p_clcb, op_code, len, p_data);
1240 case GATT_RSP_READ_BLOB:
1241 case GATT_RSP_READ_MULTI:
1242 case GATT_RSP_READ_MULTI_VAR:
1243 gatt_process_read_rsp(tcb, p_clcb, op_code, len, p_data);
1246 case GATT_RSP_FIND_TYPE_VALUE: /* disc service with UUID */
1247 gatt_process_find_type_value_rsp(tcb, p_clcb, len, p_data);
1250 case GATT_RSP_WRITE:
1251 gatt_process_handle_rsp(p_clcb);
1254 case GATT_RSP_PREPARE_WRITE:
1255 gatt_process_prep_write_rsp(tcb, p_clcb, op_code, len, p_data);
1258 case GATT_RSP_EXEC_WRITE:
1259 gatt_end_operation(p_clcb, p_clcb->status, NULL);
1263 LOG(ERROR) << __func__ << ": Unknown opcode = " << std::hex << op_code;
1268 gatt_cl_send_next_cmd_inq(tcb);