1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains the main GATT client functions
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bluetooth"
26
27 #include <bluetooth/log.h>
28 #include <com_android_bluetooth_flags.h>
29 #include <string.h>
30
31 #include "gatt_int.h"
32 #include "hardware/bt_gatt_types.h"
33 #include "internal_include/bt_target.h"
34 #include "osi/include/allocator.h"
35 #include "stack/arbiter/acl_arbiter.h"
36 #include "stack/eatt/eatt.h"
37 #include "stack/include/bt_types.h"
38 #include "stack/include/btm_client_interface.h"
39 #include "stack/include/l2cdefs.h"
40 #include "types/bluetooth/uuid.h"
41
42 #define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */
43 #define GATT_READ_CHAR_VALUE_HDL (GATT_READ_CHAR_VALUE | 0x80)
44 #define GATT_READ_INC_SRV_UUID128 (GATT_DISC_INC_SRVC | 0x90)
45
46 #define GATT_PREP_WRITE_RSP_MIN_LEN 4
47 #define GATT_NOTIFICATION_MIN_LEN 2
48 #define GATT_WRITE_RSP_MIN_LEN 2
49 #define GATT_INFO_RSP_MIN_LEN 1
50 #define GATT_MTU_RSP_MIN_LEN 2
51 #define GATT_READ_BY_TYPE_RSP_MIN_LEN 1
52
53 #define L2CAP_PKT_OVERHEAD 4
54
55 using namespace bluetooth;
56 using bluetooth::Uuid;
57 using bluetooth::eatt::EattChannel;
58 using bluetooth::eatt::EattExtension;
59
60 /*******************************************************************************
61 * G L O B A L G A T T D A T A *
62 ******************************************************************************/
63 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb);
64
65 uint8_t disc_type_to_att_opcode[GATT_DISC_MAX] = {
66 0,
67 GATT_REQ_READ_BY_GRP_TYPE, /* GATT_DISC_SRVC_ALL = 1, */
68 GATT_REQ_FIND_TYPE_VALUE, /* GATT_DISC_SRVC_BY_UUID, */
69 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_INC_SRVC, */
70 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_CHAR, */
71 GATT_REQ_FIND_INFO /* GATT_DISC_CHAR_DSCPT, */
72 };
73
74 uint16_t disc_type_to_uuid[GATT_DISC_MAX] = {
75 0, /* reserved */
76 GATT_UUID_PRI_SERVICE, /* <service> DISC_SRVC_ALL */
77 GATT_UUID_PRI_SERVICE, /* <service> for DISC_SERVC_BY_UUID */
78 GATT_UUID_INCLUDE_SERVICE, /* <include_service> for DISC_INC_SRVC */
79 GATT_UUID_CHAR_DECLARE, /* <characteristic> for DISC_CHAR */
80 0 /* no type filtering for DISC_CHAR_DSCPT */
81 };
82
83 /*******************************************************************************
84 *
85 * Function gatt_act_discovery
86 *
87 * Description GATT discovery operation.
88 *
89 * Returns void.
90 *
91 ******************************************************************************/
gatt_act_discovery(tGATT_CLCB * p_clcb)92 void gatt_act_discovery(tGATT_CLCB* p_clcb) {
93 uint8_t op_code = disc_type_to_att_opcode[p_clcb->op_subtype];
94
95 if (p_clcb->s_handle > p_clcb->e_handle || p_clcb->s_handle == 0) {
96 log::debug("Completed GATT discovery of all handle ranges");
97 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
98 return;
99 }
100
101 tGATT_CL_MSG cl_req;
102 memset(&cl_req, 0, sizeof(tGATT_CL_MSG));
103
104 cl_req.browse.s_handle = p_clcb->s_handle;
105 cl_req.browse.e_handle = p_clcb->e_handle;
106
107 if (disc_type_to_uuid[p_clcb->op_subtype] != 0) {
108 cl_req.browse.uuid = bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
109 }
110
111 if (p_clcb->op_subtype == GATT_DISC_SRVC_BY_UUID) /* fill in the FindByTypeValue request info*/
112 {
113 cl_req.find_type_value.uuid = bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
114 cl_req.find_type_value.s_handle = p_clcb->s_handle;
115 cl_req.find_type_value.e_handle = p_clcb->e_handle;
116
117 size_t size = p_clcb->uuid.GetShortestRepresentationSize();
118 cl_req.find_type_value.value_len = size;
119 if (size == Uuid::kNumBytes16) {
120 uint8_t* p = cl_req.find_type_value.value;
121 UINT16_TO_STREAM(p, p_clcb->uuid.As16Bit());
122 } else if (size == Uuid::kNumBytes32) {
123 /* if service type is 32 bits UUID, convert it now */
124 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(), Uuid::kNumBytes128);
125 cl_req.find_type_value.value_len = Uuid::kNumBytes128;
126 } else {
127 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(), size);
128 }
129 }
130
131 tGATT_STATUS st = attp_send_cl_msg(*p_clcb->p_tcb, p_clcb, op_code, &cl_req);
132 if (st != GATT_SUCCESS && st != GATT_CMD_STARTED) {
133 log::warn("Unable to send ATT message");
134 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
135 }
136 }
137
138 /*******************************************************************************
139 *
140 * Function gatt_act_read
141 *
142 * Description GATT read operation.
143 *
144 * Returns void.
145 *
146 ******************************************************************************/
gatt_act_read(tGATT_CLCB * p_clcb,uint16_t offset)147 void gatt_act_read(tGATT_CLCB* p_clcb, uint16_t offset) {
148 tGATT_TCB& tcb = *p_clcb->p_tcb;
149 tGATT_STATUS rt = GATT_INTERNAL_ERROR;
150 tGATT_CL_MSG msg;
151 uint8_t op_code = 0;
152
153 memset(&msg, 0, sizeof(tGATT_CL_MSG));
154
155 switch (p_clcb->op_subtype) {
156 case GATT_READ_CHAR_VALUE:
157 case GATT_READ_BY_TYPE:
158 op_code = GATT_REQ_READ_BY_TYPE;
159 msg.browse.s_handle = p_clcb->s_handle;
160 msg.browse.e_handle = p_clcb->e_handle;
161 if (p_clcb->op_subtype == GATT_READ_BY_TYPE) {
162 msg.browse.uuid = p_clcb->uuid;
163 } else {
164 msg.browse.uuid = bluetooth::Uuid::From16Bit(GATT_UUID_CHAR_DECLARE);
165 }
166 break;
167
168 case GATT_READ_CHAR_VALUE_HDL:
169 case GATT_READ_BY_HANDLE:
170 if (!p_clcb->counter) {
171 op_code = GATT_REQ_READ;
172 msg.handle = p_clcb->s_handle;
173 } else {
174 if (!p_clcb->first_read_blob_after_read) {
175 p_clcb->first_read_blob_after_read = true;
176 } else {
177 p_clcb->first_read_blob_after_read = false;
178 }
179
180 log::verbose("first_read_blob_after_read={}", p_clcb->first_read_blob_after_read);
181 op_code = GATT_REQ_READ_BLOB;
182 msg.read_blob.offset = offset;
183 msg.read_blob.handle = p_clcb->s_handle;
184 }
185 p_clcb->op_subtype &= ~0x80;
186 break;
187
188 case GATT_READ_PARTIAL:
189 op_code = GATT_REQ_READ_BLOB;
190 msg.read_blob.handle = p_clcb->s_handle;
191 msg.read_blob.offset = offset;
192 break;
193
194 case GATT_READ_MULTIPLE:
195 op_code = GATT_REQ_READ_MULTI;
196 memcpy(&msg.read_multi, p_clcb->p_attr_buf, sizeof(tGATT_READ_MULTI));
197 break;
198
199 case GATT_READ_MULTIPLE_VAR_LEN:
200 op_code = GATT_REQ_READ_MULTI_VAR;
201 memcpy(&msg.read_multi, p_clcb->p_attr_buf, sizeof(tGATT_READ_MULTI));
202 break;
203
204 case GATT_READ_INC_SRV_UUID128:
205 op_code = GATT_REQ_READ;
206 msg.handle = p_clcb->s_handle;
207 p_clcb->op_subtype &= ~0x90;
208 break;
209
210 default:
211 log::error("Unknown read type:{}", p_clcb->op_subtype);
212 break;
213 }
214
215 if (op_code != 0) {
216 rt = attp_send_cl_msg(tcb, p_clcb, op_code, &msg);
217 }
218
219 if (op_code == 0 || (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED)) {
220 gatt_end_operation(p_clcb, rt, NULL);
221 }
222 }
223
224 /** GATT write operation */
gatt_act_write(tGATT_CLCB * p_clcb,uint8_t sec_act)225 void gatt_act_write(tGATT_CLCB* p_clcb, uint8_t sec_act) {
226 tGATT_TCB& tcb = *p_clcb->p_tcb;
227
228 log::assert_that(p_clcb->p_attr_buf != nullptr, "assert failed: p_clcb->p_attr_buf != nullptr");
229 tGATT_VALUE& attr = *((tGATT_VALUE*)p_clcb->p_attr_buf);
230
231 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, p_clcb->cid);
232
233 switch (p_clcb->op_subtype) {
234 case GATT_WRITE_NO_RSP: {
235 p_clcb->s_handle = attr.handle;
236 uint8_t op_code = (sec_act == GATT_SEC_SIGN_DATA) ? GATT_SIGN_CMD_WRITE : GATT_CMD_WRITE;
237 tGATT_STATUS rt =
238 gatt_send_write_msg(tcb, p_clcb, op_code, attr.handle, attr.len, 0, attr.value);
239 if (rt != GATT_CMD_STARTED) {
240 if (rt != GATT_SUCCESS) {
241 log::error("gatt_act_write() failed op_code=0x{:x} rt={}", op_code, rt);
242 }
243 gatt_end_operation(p_clcb, rt, NULL);
244 }
245 return;
246 }
247
248 case GATT_WRITE: {
249 if ((attr.len + GATT_HDR_SIZE) <= payload_size) {
250 p_clcb->s_handle = attr.handle;
251
252 tGATT_STATUS rt = gatt_send_write_msg(tcb, p_clcb, GATT_REQ_WRITE, attr.handle, attr.len, 0,
253 attr.value);
254 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED && rt != GATT_CONGESTED) {
255 if (rt != GATT_SUCCESS) {
256 log::error("gatt_act_write() failed op_code=0x{:x} rt={}", GATT_REQ_WRITE, rt);
257 }
258 gatt_end_operation(p_clcb, rt, NULL);
259 }
260
261 } else {
262 /* prepare write for long attribute */
263 gatt_send_prepare_write(tcb, p_clcb);
264 }
265 return;
266 }
267
268 case GATT_WRITE_PREPARE:
269 gatt_send_prepare_write(tcb, p_clcb);
270 return;
271
272 default:
273 log::fatal("Unknown write type {}", p_clcb->op_subtype);
274 return;
275 }
276 }
277
278 /*******************************************************************************
279 *
280 * Function gatt_send_queue_write_cancel
281 *
282 * Description send queue write cancel
283 *
284 * Returns void.
285 *
286 ******************************************************************************/
gatt_send_queue_write_cancel(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,tGATT_EXEC_FLAG flag)287 void gatt_send_queue_write_cancel(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, tGATT_EXEC_FLAG flag) {
288 tGATT_STATUS rt;
289
290 log::verbose("");
291
292 tGATT_CL_MSG gatt_cl_msg;
293 gatt_cl_msg.exec_write = flag;
294 rt = attp_send_cl_msg(tcb, p_clcb, GATT_REQ_EXEC_WRITE, &gatt_cl_msg);
295
296 if (rt != GATT_SUCCESS) {
297 gatt_end_operation(p_clcb, rt, NULL);
298 }
299 }
300
301 /*******************************************************************************
302 *
303 * Function gatt_check_write_long_terminate
304 *
305 * Description To terminate write long or not.
306 *
307 * Returns true: write long is terminated; false keep sending.
308 *
309 ******************************************************************************/
gatt_check_write_long_terminate(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,tGATT_VALUE * p_rsp_value)310 static bool gatt_check_write_long_terminate(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
311 tGATT_VALUE* p_rsp_value) {
312 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
313 bool terminate = false;
314 tGATT_EXEC_FLAG flag = GATT_PREP_WRITE_EXEC;
315
316 log::verbose("");
317 /* check the first write response status */
318 if (p_rsp_value != NULL) {
319 if (p_rsp_value->handle != p_attr->handle || p_rsp_value->len != p_clcb->counter ||
320 memcmp(p_rsp_value->value, p_attr->value + p_attr->offset, p_rsp_value->len)) {
321 /* data does not match */
322 p_clcb->status = GATT_ERROR;
323 flag = GATT_PREP_WRITE_CANCEL;
324 terminate = true;
325 } else /* response checking is good */
326 {
327 p_clcb->status = GATT_SUCCESS;
328 /* update write offset and check if end of attribute value */
329 if ((p_attr->offset += p_rsp_value->len) >= p_attr->len) {
330 terminate = true;
331 }
332 }
333 }
334 if (terminate && p_clcb->op_subtype != GATT_WRITE_PREPARE) {
335 gatt_send_queue_write_cancel(tcb, p_clcb, flag);
336 }
337 return terminate;
338 }
339
340 /** Send prepare write */
gatt_send_prepare_write(tGATT_TCB & tcb,tGATT_CLCB * p_clcb)341 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb) {
342 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
343 uint8_t type = p_clcb->op_subtype;
344
345 log::verbose("type=0x{:x}", type);
346 uint16_t to_send = p_attr->len - p_attr->offset;
347
348 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, p_clcb->cid);
349
350 if (payload_size <= GATT_WRITE_LONG_HDR_SIZE) {
351 log::error("too small mtu size {}, possibly due to disconnection", payload_size);
352 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
353 return;
354 }
355
356 if (to_send > (payload_size - GATT_WRITE_LONG_HDR_SIZE)) {
357 to_send = payload_size - GATT_WRITE_LONG_HDR_SIZE;
358 }
359
360 p_clcb->s_handle = p_attr->handle;
361
362 uint16_t offset = p_attr->offset;
363 if (type == GATT_WRITE_PREPARE) {
364 offset += p_clcb->start_offset;
365 }
366
367 log::verbose("offset =0x{:x} len={}", offset, to_send);
368
369 tGATT_STATUS rt = gatt_send_write_msg(tcb, p_clcb, GATT_REQ_PREPARE_WRITE, p_attr->handle,
370 to_send, /* length */
371 offset, /* used as offset */
372 p_attr->value + p_attr->offset); /* data */
373
374 /* remember the write long attribute length */
375 p_clcb->counter = to_send;
376
377 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED && rt != GATT_CONGESTED) {
378 gatt_end_operation(p_clcb, rt, NULL);
379 }
380 }
381
382 /*******************************************************************************
383 *
384 * Function gatt_process_find_type_value_rsp
385 *
386 * Description This function handles the find by type value response.
387 *
388 *
389 * Returns void
390 *
391 ******************************************************************************/
gatt_process_find_type_value_rsp(tGATT_TCB &,tGATT_CLCB * p_clcb,uint16_t len,uint8_t * p_data)392 static void gatt_process_find_type_value_rsp(tGATT_TCB& /* tcb */, tGATT_CLCB* p_clcb, uint16_t len,
393 uint8_t* p_data) {
394 tGATT_DISC_RES result;
395 uint8_t* p = p_data;
396
397 log::verbose("");
398 /* unexpected response */
399 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY || p_clcb->op_subtype != GATT_DISC_SRVC_BY_UUID) {
400 return;
401 }
402
403 memset(&result, 0, sizeof(tGATT_DISC_RES));
404 result.type = bluetooth::Uuid::From16Bit(GATT_UUID_PRI_SERVICE);
405
406 /* returns a series of handle ranges */
407 while (len >= 4) {
408 STREAM_TO_UINT16(result.handle, p);
409 STREAM_TO_UINT16(result.value.group_value.e_handle, p);
410 result.value.group_value.service_type = p_clcb->uuid;
411
412 len -= 4;
413
414 if (p_clcb->p_reg->app_cb.p_disc_res_cb) {
415 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
416 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype), &result);
417 }
418 }
419
420 /* last handle + 1 */
421 p_clcb->s_handle =
422 (result.value.group_value.e_handle == 0) ? 0 : (result.value.group_value.e_handle + 1);
423 /* initiate another request */
424 gatt_act_discovery(p_clcb);
425 }
426 /*******************************************************************************
427 *
428 * Function gatt_process_read_info_rsp
429 *
430 * Description This function is called to handle the read information
431 * response.
432 *
433 *
434 * Returns void
435 *
436 ******************************************************************************/
gatt_process_read_info_rsp(tGATT_TCB &,tGATT_CLCB * p_clcb,uint8_t,uint16_t len,uint8_t * p_data)437 static void gatt_process_read_info_rsp(tGATT_TCB& /* tcb */, tGATT_CLCB* p_clcb,
438 uint8_t /* op_code */, uint16_t len, uint8_t* p_data) {
439 tGATT_DISC_RES result;
440 uint8_t *p = p_data, uuid_len = 0, type;
441
442 if (len < GATT_INFO_RSP_MIN_LEN) {
443 log::error("invalid Info Response PDU received, discard.");
444 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
445 return;
446 }
447 /* unexpected response */
448 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY || p_clcb->op_subtype != GATT_DISC_CHAR_DSCPT) {
449 return;
450 }
451
452 STREAM_TO_UINT8(type, p);
453 len -= 1;
454
455 if (type == GATT_INFO_TYPE_PAIR_16) {
456 uuid_len = Uuid::kNumBytes16;
457 } else if (type == GATT_INFO_TYPE_PAIR_128) {
458 uuid_len = Uuid::kNumBytes128;
459 }
460
461 while (len >= uuid_len + 2) {
462 STREAM_TO_UINT16(result.handle, p);
463
464 if (uuid_len > 0) {
465 if (!gatt_parse_uuid_from_cmd(&result.type, uuid_len, &p)) {
466 break;
467 }
468 } else {
469 result.type = p_clcb->uuid;
470 }
471
472 len -= (uuid_len + 2);
473
474 if (p_clcb->p_reg->app_cb.p_disc_res_cb) {
475 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
476 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype), &result);
477 }
478 }
479
480 p_clcb->s_handle = (result.handle == 0) ? 0 : (result.handle + 1);
481 /* initiate another request */
482 gatt_act_discovery(p_clcb);
483 }
484
485 /*******************************************************************************
486 *
487 * Function gatt_proc_disc_error_rsp
488 *
489 * Description Process the read by type response and send another request
490 * if needed.
491 *
492 * Returns void.
493 *
494 ******************************************************************************/
gatt_proc_disc_error_rsp(tGATT_TCB &,tGATT_CLCB * p_clcb,uint8_t opcode,uint16_t,uint8_t reason)495 static void gatt_proc_disc_error_rsp(tGATT_TCB& /* tcb */, tGATT_CLCB* p_clcb, uint8_t opcode,
496 uint16_t /* handle */, uint8_t reason) {
497 tGATT_STATUS status = (tGATT_STATUS)reason;
498
499 log::verbose("reason: {:02x} cmd_code {:04x}", reason, opcode);
500
501 switch (opcode) {
502 case GATT_REQ_READ_BY_GRP_TYPE:
503 case GATT_REQ_FIND_TYPE_VALUE:
504 case GATT_REQ_READ_BY_TYPE:
505 case GATT_REQ_FIND_INFO:
506 if (reason == GATT_NOT_FOUND) {
507 status = GATT_SUCCESS;
508 log::verbose("Discovery completed");
509 }
510 break;
511 default:
512 log::error("Incorrect discovery opcode {:04x}", opcode);
513 break;
514 }
515
516 gatt_end_operation(p_clcb, status, NULL);
517 }
518
519 /*******************************************************************************
520 *
521 * Function gatt_process_error_rsp
522 *
523 * Description This function is called to handle the error response
524 *
525 *
526 * Returns void
527 *
528 ******************************************************************************/
gatt_process_error_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t,uint16_t len,uint8_t * p_data)529 static void gatt_process_error_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint8_t /* op_code */,
530 uint16_t len, uint8_t* p_data) {
531 uint8_t opcode, *p = p_data;
532 uint8_t reason;
533 uint16_t handle;
534 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
535
536 log::verbose("");
537
538 if (len < 4) {
539 log::error("Error response too short");
540 // Specification does not clearly define what should happen if error
541 // response is too short. General rule in BT Spec 5.0 Vol 3, Part F 3.4.1.1
542 // is: "If an error code is received in the Error Response that is not
543 // understood by the client, for example an error code that was reserved for
544 // future use that is now being used in a future version of this
545 // specification, then the Error Response shall still be considered to state
546 // that the given request cannot be performed for an unknown reason."
547 opcode = handle = 0;
548 reason = static_cast<tGATT_STATUS>(0x7f);
549 } else {
550 STREAM_TO_UINT8(opcode, p);
551 STREAM_TO_UINT16(handle, p);
552 STREAM_TO_UINT8(reason, p);
553 }
554
555 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
556 gatt_proc_disc_error_rsp(tcb, p_clcb, opcode, handle, static_cast<tGATT_STATUS>(reason));
557 } else {
558 if ((p_clcb->operation == GATTC_OPTYPE_WRITE) && (p_clcb->op_subtype == GATT_WRITE) &&
559 (opcode == GATT_REQ_PREPARE_WRITE) && (p_attr) && (handle == p_attr->handle)) {
560 p_clcb->status = static_cast<tGATT_STATUS>(reason);
561 gatt_send_queue_write_cancel(tcb, p_clcb, GATT_PREP_WRITE_CANCEL);
562 } else if ((p_clcb->operation == GATTC_OPTYPE_READ) &&
563 ((p_clcb->op_subtype == GATT_READ_CHAR_VALUE_HDL) ||
564 (p_clcb->op_subtype == GATT_READ_BY_HANDLE)) &&
565 (opcode == GATT_REQ_READ_BLOB) && p_clcb->first_read_blob_after_read &&
566 (reason == GATT_NOT_LONG)) {
567 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
568 } else {
569 gatt_end_operation(p_clcb, static_cast<tGATT_STATUS>(reason), NULL);
570 }
571 }
572 }
573
574 /*******************************************************************************
575 *
576 * Function gatt_process_prep_write_rsp
577 *
578 * Description This function is called to handle the read response
579 *
580 *
581 * Returns void
582 *
583 ******************************************************************************/
gatt_process_prep_write_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t op_code,uint16_t len,uint8_t * p_data)584 static void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint8_t op_code,
585 uint16_t len, uint8_t* p_data) {
586 uint8_t* p = p_data;
587
588 tGATT_VALUE value = {
589 .conn_id = p_clcb->conn_id,
590 .auth_req = GATT_AUTH_REQ_NONE,
591 };
592
593 log::verbose("value resp op_code = {} len = {}", gatt_dbg_op_name(op_code), len);
594
595 if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
596 len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
597 log::error("illegal prepare write response length, discard");
598 gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
599 return;
600 }
601
602 STREAM_TO_UINT16(value.handle, p);
603 STREAM_TO_UINT16(value.offset, p);
604
605 value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
606
607 memcpy(value.value, p, value.len);
608
609 bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
610
611 if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
612 gatt_send_prepare_write(tcb, p_clcb);
613 return;
614 }
615
616 // We now know that we have not terminated, or else we would have returned
617 // early. We free the buffer only if the subtype is not equal to
618 // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
619 if (subtype_is_write_prepare) {
620 /* application should verify handle offset
621 and value are matched or not */
622 gatt_end_operation(p_clcb, p_clcb->status, &value);
623 }
624 }
625
626 /*******************************************************************************
627 *
628 * Function gatt_process_notification
629 *
630 * Description Handle the handle value indication/notification.
631 *
632 * Returns void
633 *
634 ******************************************************************************/
gatt_process_notification(tGATT_TCB & tcb,uint16_t cid,uint8_t op_code,uint16_t len,uint8_t * p_data)635 static void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code, uint16_t len,
636 uint8_t* p_data) {
637 tGATT_VALUE value = {};
638 tGATT_REG* p_reg;
639 tCONN_ID conn_id;
640 tGATT_STATUS encrypt_status = {};
641 uint8_t* p = p_data;
642 uint8_t i;
643 tGATTC_OPTYPE event =
644 (op_code == GATT_HANDLE_VALUE_IND) ? GATTC_OPTYPE_INDICATION : GATTC_OPTYPE_NOTIFICATION;
645
646 log::verbose("");
647
648 // Ensure our packet has enough data (2 bytes)
649 if (len < GATT_NOTIFICATION_MIN_LEN) {
650 log::error("illegal notification PDU length, discard");
651 return;
652 }
653
654 // Get 2 byte handle
655 STREAM_TO_UINT16(value.handle, p);
656
657 // Fail early if the GATT handle is not valid
658 if (!GATT_HANDLE_IS_VALID(value.handle)) {
659 /* illegal handle, send ack now */
660 if (op_code == GATT_HANDLE_VALUE_IND) {
661 attp_send_cl_confirmation_msg(tcb, cid);
662 }
663 return;
664 }
665
666 // Calculate value length based on opcode
667 if (op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
668 // Ensure our packet has enough data; MIN + 2 more bytes for len value
669 if (len < GATT_NOTIFICATION_MIN_LEN + 2) {
670 log::error("illegal notification PDU length, discard");
671 return;
672 }
673
674 // Allow multi value opcode to set value len from the packet
675 STREAM_TO_UINT16(value.len, p);
676
677 if (value.len > len - 4) {
678 log::error("value.len ({}) greater than length ({})", value.len, len - 4);
679 return;
680 }
681
682 } else {
683 // For single value, just use the passed in len minus opcode length (2)
684 value.len = len - 2;
685 }
686
687 // Verify the new calculated length
688 if (value.len > GATT_MAX_ATTR_LEN) {
689 log::error("value.len larger than GATT_MAX_ATTR_LEN, discard");
690 return;
691 }
692
693 // Handle indications differently
694 if (event == GATTC_OPTYPE_INDICATION) {
695 if (tcb.ind_count) {
696 /* this is an error case that receiving an indication but we
697 still has an indication not being acked yet.
698 For now, just log the error reset the counter.
699 Later we need to disconnect the link unconditionally.
700 */
701 log::error("rcv Ind. but ind_count={} (will reset ind_count)", tcb.ind_count);
702 }
703
704 // Zero out the ind_count
705 tcb.ind_count = 0;
706
707 // Notify all registered clients with the handle value
708 // notification/indication
709 // Note: need to do the indication count and start timer first then do
710 // callback
711 if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
712 for (auto& [i, p_reg] : gatt_cb.cl_rcb_map) {
713 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
714 tcb.ind_count++;
715 }
716 }
717 } else {
718 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
719 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
720 tcb.ind_count++;
721 }
722 }
723 }
724
725 /* start a timer for app confirmation */
726 if (tcb.ind_count > 0) {
727 gatt_start_ind_ack_timer(tcb, cid);
728 } else { /* no app to indicate, or invalid handle */
729 attp_send_cl_confirmation_msg(tcb, cid);
730 }
731 }
732
733 encrypt_status = gatt_get_link_encrypt_status(tcb);
734
735 STREAM_TO_ARRAY(value.value, p, value.len);
736
737 tGATT_CL_COMPLETE gatt_cl_complete;
738 gatt_cl_complete.att_value = value;
739 gatt_cl_complete.cid = cid;
740
741 if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
742 for (auto& [i, p_reg] : gatt_cb.cl_rcb_map) {
743 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
744 conn_id = gatt_create_conn_id(tcb.tcb_idx, p_reg->gatt_if);
745 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status, &gatt_cl_complete);
746 }
747 }
748 } else {
749 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
750 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
751 conn_id = gatt_create_conn_id(tcb.tcb_idx, p_reg->gatt_if);
752 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status, &gatt_cl_complete);
753 }
754 }
755 }
756
757 // If this is single value, then nothing is left to do
758 if (op_code != GATT_HANDLE_MULTI_VALUE_NOTIF) {
759 return;
760 }
761
762 // Need a signed type to check if the value is below 0
763 // as uint16_t doesn't have negatives so the negatives register as a number
764 // thus anything less than zero won't trigger the conditional and it is not
765 // always 0
766 // when done looping as value.len is arbitrary.
767 int16_t rem_len = (int16_t)len - (4 /* octets */ + value.len);
768
769 // Already streamed the first value and sent it, lets send the rest
770 while (rem_len > 4 /* octets */) {
771 // 2
772 STREAM_TO_UINT16(value.handle, p);
773 // + 2 = 4
774 STREAM_TO_UINT16(value.len, p);
775 // Accounting
776 rem_len -= 4;
777 // Make sure we don't read past the remaining data even if the length says
778 // we can Also need to watch comparing the int16_t with the uint16_t
779 value.len = std::min((uint16_t)rem_len, value.len);
780 if (value.len > sizeof(value.value)) {
781 log::error("Unexpected value.len (>GATT_MAX_ATTR_LEN), stop");
782 return;
783 }
784 STREAM_TO_ARRAY(value.value, p, value.len);
785 // Accounting
786 rem_len -= value.len;
787
788 gatt_cl_complete.att_value = value;
789 gatt_cl_complete.cid = cid;
790
791 if (com::android::bluetooth::flags::gatt_client_dynamic_allocation()) {
792 for (auto& [i, p_reg] : gatt_cb.cl_rcb_map) {
793 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
794 conn_id = gatt_create_conn_id(tcb.tcb_idx, p_reg->gatt_if);
795 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status, &gatt_cl_complete);
796 }
797 }
798 } else {
799 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
800 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
801 conn_id = gatt_create_conn_id(tcb.tcb_idx, p_reg->gatt_if);
802 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status, &gatt_cl_complete);
803 }
804 }
805 }
806 }
807 }
808
809 /*******************************************************************************
810 *
811 * Function gatt_process_read_by_type_rsp
812 *
813 * Description This function is called to handle the read by type response.
814 * read by type can be used for discovery, or read by type or
815 * read characteristic value.
816 *
817 * Returns void
818 *
819 ******************************************************************************/
gatt_process_read_by_type_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t op_code,uint16_t len,uint8_t * p_data)820 static void gatt_process_read_by_type_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint8_t op_code,
821 uint16_t len, uint8_t* p_data) {
822 tGATT_DISC_RES result;
823 tGATT_DISC_VALUE record_value;
824 uint8_t *p = p_data, value_len, handle_len = 2;
825 uint16_t handle = 0;
826
827 /* discovery procedure and no callback function registered */
828 if (((!p_clcb->p_reg) || (!p_clcb->p_reg->app_cb.p_disc_res_cb)) &&
829 (p_clcb->operation == GATTC_OPTYPE_DISCOVERY)) {
830 return;
831 }
832
833 if (len < GATT_READ_BY_TYPE_RSP_MIN_LEN) {
834 log::error("Illegal ReadByType/ReadByGroupType Response length, discard");
835 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
836 return;
837 }
838
839 STREAM_TO_UINT8(value_len, p);
840 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, p_clcb->cid);
841 if ((value_len > (payload_size - 2)) || (value_len > (len - 1))) {
842 /* this is an error case that server's response containing a value length
843 which is larger than MTU-2
844 or value_len > message total length -1 */
845 log::error("Discard response op_code={} vale_len={} > (MTU-2={} or msg_len-1={})", op_code,
846 value_len, payload_size - 2, len - 1);
847 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
848 return;
849 }
850
851 if (op_code == GATT_RSP_READ_BY_GRP_TYPE) {
852 handle_len = 4;
853 }
854
855 value_len -= handle_len; /* subtract the handle pairs bytes */
856 len -= 1;
857
858 while (len >= (handle_len + value_len)) {
859 STREAM_TO_UINT16(handle, p);
860
861 if (!GATT_HANDLE_IS_VALID(handle)) {
862 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
863 return;
864 }
865
866 memset(&result, 0, sizeof(tGATT_DISC_RES));
867 memset(&record_value, 0, sizeof(tGATT_DISC_VALUE));
868
869 result.handle = handle;
870 result.type = bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
871
872 /* discover all services */
873 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY && p_clcb->op_subtype == GATT_DISC_SRVC_ALL &&
874 op_code == GATT_RSP_READ_BY_GRP_TYPE) {
875 STREAM_TO_UINT16(handle, p);
876
877 if (!GATT_HANDLE_IS_VALID(handle)) {
878 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
879 return;
880 } else {
881 record_value.group_value.e_handle = handle;
882 if (!gatt_parse_uuid_from_cmd(&record_value.group_value.service_type, value_len, &p)) {
883 log::error("discover all service response parsing failure");
884 break;
885 }
886 }
887 } else if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
888 p_clcb->op_subtype == GATT_DISC_INC_SRVC) {
889 /* discover included service */
890 if (value_len < 4) {
891 log::error("Illegal Response length, must be at least 4.");
892 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
893 return;
894 }
895 STREAM_TO_UINT16(record_value.incl_service.s_handle, p);
896 STREAM_TO_UINT16(record_value.incl_service.e_handle, p);
897
898 if (!GATT_HANDLE_IS_VALID(record_value.incl_service.s_handle) ||
899 !GATT_HANDLE_IS_VALID(record_value.incl_service.e_handle)) {
900 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
901 return;
902 }
903
904 if (value_len == 6) {
905 uint16_t tmp;
906 STREAM_TO_UINT16(tmp, p);
907 record_value.incl_service.service_type = bluetooth::Uuid::From16Bit(tmp);
908 } else if (value_len == 4) {
909 p_clcb->s_handle = record_value.incl_service.s_handle;
910 p_clcb->read_uuid128.wait_for_read_rsp = true;
911 p_clcb->read_uuid128.next_disc_start_hdl = handle + 1;
912 memcpy(&p_clcb->read_uuid128.result, &result, sizeof(result));
913 memcpy(&p_clcb->read_uuid128.result.value, &record_value, sizeof(result.value));
914 p_clcb->op_subtype |= 0x90;
915 gatt_act_read(p_clcb, 0);
916 return;
917 } else {
918 log::error("INCL_SRVC failed with invalid data value_len={}", value_len);
919 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
920 return;
921 }
922 } else if (p_clcb->operation == GATTC_OPTYPE_READ && p_clcb->op_subtype == GATT_READ_BY_TYPE) {
923 /* read by type */
924 p_clcb->counter = len - 2;
925 p_clcb->s_handle = handle;
926
927 if (p_clcb->counter == (payload_size - 4)) {
928 /* IOP: Some devices can't handle Read Blob request. Apps for such devices send their MTU
929 * preference with the connect request. Expectation is that the stack would exchange MTU
930 * immediately on connection and thereby avoid using Read Blob request.
931 * However, the stack does not support exchanging MTU immediately on connection at present.
932 * As a workaround, GATT client instead just avoids sending Read Blob request when certain
933 * conditions are met. */
934 tGATT_TCB* p_tcb = p_clcb->p_tcb;
935 if (p_tcb->transport == BT_TRANSPORT_LE && p_tcb->att_lcid == L2CAP_ATT_CID &&
936 p_tcb->app_mtu_pref > GATT_DEF_BLE_MTU_SIZE &&
937 p_tcb->payload_size <= GATT_DEF_BLE_MTU_SIZE && p_clcb->uuid.Is16Bit() &&
938 p_clcb->uuid.As16Bit() == GATT_UUID_GAP_DEVICE_NAME) {
939 log::warn("Skipping Read Blob request for reading device name {}", p_tcb->peer_bda);
940 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
941 return;
942 }
943
944 /* Continue reading rest of value */
945 p_clcb->op_subtype = GATT_READ_BY_HANDLE;
946 if (!p_clcb->p_attr_buf) {
947 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
948 }
949 if (p_clcb->counter <= GATT_MAX_ATTR_LEN) {
950 memcpy(p_clcb->p_attr_buf, p, p_clcb->counter);
951 gatt_act_read(p_clcb, p_clcb->counter);
952 } else {
953 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, (void*)p);
954 }
955 } else {
956 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
957 }
958 return;
959 } else /* discover characteristic */
960 {
961 if (value_len < 3) {
962 log::error("Illegal Response length, must be at least 3.");
963 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
964 return;
965 }
966 STREAM_TO_UINT8(record_value.dclr_value.char_prop, p);
967 STREAM_TO_UINT16(record_value.dclr_value.val_handle, p);
968 if (!GATT_HANDLE_IS_VALID(record_value.dclr_value.val_handle)) {
969 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
970 return;
971 }
972 if (!gatt_parse_uuid_from_cmd(&record_value.dclr_value.char_uuid, (uint16_t)(value_len - 3),
973 &p)) {
974 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
975 /* invalid format, and skip the result */
976 return;
977 }
978
979 /* UUID not matching */
980 if (!p_clcb->uuid.IsEmpty() && !record_value.dclr_value.char_uuid.IsEmpty() &&
981 record_value.dclr_value.char_uuid != p_clcb->uuid) {
982 len -= (value_len + 2);
983 continue; /* skip the result, and look for next one */
984 }
985
986 if (p_clcb->operation == GATTC_OPTYPE_READ)
987 /* UUID match for read characteristic value */
988 {
989 /* only read the first matching UUID characteristic value, and
990 discard the rest results */
991 p_clcb->s_handle = record_value.dclr_value.val_handle;
992 p_clcb->op_subtype |= 0x80;
993 gatt_act_read(p_clcb, 0);
994 return;
995 }
996 }
997 len -= (value_len + handle_len);
998
999 /* result is (handle, 16bits UUID) pairs */
1000 memcpy(&result.value, &record_value, sizeof(result.value));
1001
1002 /* send callback if is discover procedure */
1003 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY && p_clcb->p_reg->app_cb.p_disc_res_cb) {
1004 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
1005 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype), &result);
1006 }
1007 }
1008
1009 p_clcb->s_handle = (handle == 0) ? 0 : (handle + 1);
1010
1011 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
1012 /* initiate another request */
1013 gatt_act_discovery(p_clcb);
1014 } else /* read characteristic value */
1015 {
1016 gatt_act_read(p_clcb, 0);
1017 }
1018 }
1019
1020 /*******************************************************************************
1021 *
1022 * Function gatt_process_read_rsp
1023 *
1024 * Description This function is called to handle the read BLOB response
1025 *
1026 *
1027 * Returns void
1028 *
1029 ******************************************************************************/
gatt_process_read_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t,uint16_t len,uint8_t * p_data)1030 static void gatt_process_read_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint8_t /* op_code */,
1031 uint16_t len, uint8_t* p_data) {
1032 uint16_t offset = p_clcb->counter;
1033 uint8_t* p = p_data;
1034
1035 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, p_clcb->cid);
1036
1037 if (p_clcb->operation == GATTC_OPTYPE_READ) {
1038 if (p_clcb->op_subtype != GATT_READ_BY_HANDLE) {
1039 p_clcb->counter = len;
1040 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
1041 } else {
1042 /* allocate GKI buffer holding up long attribute value */
1043 if (!p_clcb->p_attr_buf) {
1044 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
1045 }
1046
1047 /* copy attribute value into cb buffer */
1048 if (offset < GATT_MAX_ATTR_LEN) {
1049 if ((len + offset) > GATT_MAX_ATTR_LEN) {
1050 len = GATT_MAX_ATTR_LEN - offset;
1051 }
1052
1053 p_clcb->counter += len;
1054
1055 memcpy(p_clcb->p_attr_buf + offset, p, len);
1056
1057 /* full packet for read or read blob rsp */
1058 bool packet_is_full;
1059 if (payload_size == p_clcb->read_req_current_mtu) {
1060 packet_is_full = (len == (payload_size - 1));
1061 } else {
1062 packet_is_full = (len == (p_clcb->read_req_current_mtu - 1) || len == (payload_size - 1));
1063 p_clcb->read_req_current_mtu = payload_size;
1064 }
1065
1066 /* send next request if needed */
1067 if (packet_is_full && (len + offset < GATT_MAX_ATTR_LEN)) {
1068 log::verbose(
1069 "full pkt issue read blob for remaining bytes old offset={} len={} new offset={}",
1070 offset, len, p_clcb->counter);
1071 gatt_act_read(p_clcb, p_clcb->counter);
1072 } else /* end of request, send callback */
1073 {
1074 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
1075 }
1076 } else /* exception, should not happen */
1077 {
1078 log::error("attr offset = {} p_attr_buf = {}", offset, std::format_ptr(p_clcb->p_attr_buf));
1079 gatt_end_operation(p_clcb, GATT_NO_RESOURCES, (void*)p_clcb->p_attr_buf);
1080 }
1081 }
1082 } else {
1083 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY && p_clcb->op_subtype == GATT_DISC_INC_SRVC &&
1084 p_clcb->read_uuid128.wait_for_read_rsp) {
1085 p_clcb->s_handle = p_clcb->read_uuid128.next_disc_start_hdl;
1086 p_clcb->read_uuid128.wait_for_read_rsp = false;
1087 if (len == Uuid::kNumBytes128) {
1088 p_clcb->read_uuid128.result.value.incl_service.service_type =
1089 bluetooth::Uuid::From128BitLE(p);
1090 if (p_clcb->p_reg->app_cb.p_disc_res_cb) {
1091 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(p_clcb->conn_id,
1092 static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
1093 &p_clcb->read_uuid128.result);
1094 }
1095 gatt_act_discovery(p_clcb);
1096 } else {
1097 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
1098 }
1099 }
1100 }
1101 }
1102
1103 /*******************************************************************************
1104 *
1105 * Function gatt_process_handle_rsp
1106 *
1107 * Description This function is called to handle the write response
1108 *
1109 *
1110 * Returns void
1111 *
1112 ******************************************************************************/
gatt_process_handle_rsp(tGATT_CLCB * p_clcb)1113 static void gatt_process_handle_rsp(tGATT_CLCB* p_clcb) {
1114 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
1115 }
1116
1117 /*******************************************************************************
1118 *
1119 * Function gatt_process_mtu_rsp
1120 *
1121 * Description Process the configure MTU response.
1122 *
1123 *
1124 * Returns void
1125 *
1126 ******************************************************************************/
gatt_process_mtu_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint16_t len,uint8_t * p_data)1127 static void gatt_process_mtu_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint16_t len,
1128 uint8_t* p_data) {
1129 uint16_t mtu;
1130 tGATT_STATUS status = GATT_SUCCESS;
1131
1132 if (len < GATT_MTU_RSP_MIN_LEN) {
1133 log::error("invalid MTU response PDU received, discard.");
1134 status = GATT_INVALID_PDU;
1135 } else {
1136 STREAM_TO_UINT16(mtu, p_data);
1137
1138 log::info("Local pending MTU {}, Remote ({}) MTU {}", tcb.pending_user_mtu_exchange_value,
1139 tcb.peer_bda, mtu);
1140
1141 /* Aim for default as we did in the request */
1142 if (mtu < GATT_DEF_BLE_MTU_SIZE) {
1143 tcb.payload_size = GATT_DEF_BLE_MTU_SIZE;
1144 } else {
1145 tcb.payload_size = std::min(mtu, (uint16_t)(gatt_get_local_mtu()));
1146 }
1147
1148 bluetooth::shim::arbiter::GetArbiter().OnIncomingMtuResp(tcb.tcb_idx, tcb.payload_size);
1149
1150 /* This is just to track the biggest MTU requested by the user.
1151 * This value will be used in the BTM_SetBleDataLength */
1152 if (tcb.pending_user_mtu_exchange_value > tcb.max_user_mtu) {
1153 tcb.max_user_mtu = std::min(tcb.pending_user_mtu_exchange_value, tcb.payload_size);
1154 } else if (tcb.pending_user_mtu_exchange_value == 0) {
1155 tcb.max_user_mtu = tcb.payload_size;
1156 }
1157 tcb.pending_user_mtu_exchange_value = 0;
1158
1159 log::info("MTU Exchange resulted in: {}", tcb.payload_size);
1160
1161 if (get_btm_client_interface().ble.BTM_SetBleDataLength(
1162 tcb.peer_bda, tcb.max_user_mtu + L2CAP_PKT_OVERHEAD) != tBTM_STATUS::BTM_SUCCESS) {
1163 log::warn("Unable to set BLE data length peer:{} mtu:{}", tcb.peer_bda,
1164 tcb.max_user_mtu + L2CAP_PKT_OVERHEAD);
1165 }
1166 }
1167
1168 gatt_end_operation(p_clcb, status, NULL);
1169 }
1170 /*******************************************************************************
1171 *
1172 * Function gatt_cmd_to_rsp_code
1173 *
1174 * Description Convert an ATT command op code into the corresponding
1175 * response code assume no error occurs.
1176 *
1177 * Returns response code.
1178 *
1179 ******************************************************************************/
gatt_cmd_to_rsp_code(uint8_t cmd_code)1180 static uint8_t gatt_cmd_to_rsp_code(uint8_t cmd_code) {
1181 uint8_t rsp_code = 0;
1182
1183 if (cmd_code > 1 && cmd_code != GATT_CMD_WRITE) {
1184 rsp_code = cmd_code + 1;
1185 }
1186 return rsp_code;
1187 }
1188
1189 /** Find next command in queue and sent to server */
gatt_cl_send_next_cmd_inq(tGATT_TCB & tcb)1190 bool gatt_cl_send_next_cmd_inq(tGATT_TCB& tcb) {
1191 std::deque<tGATT_CMD_Q>* cl_cmd_q = nullptr;
1192
1193 while (gatt_is_outstanding_msg_in_att_send_queue(tcb) ||
1194 EattExtension::GetInstance()->IsOutstandingMsgInSendQueue(tcb.peer_bda)) {
1195 if (gatt_is_outstanding_msg_in_att_send_queue(tcb)) {
1196 cl_cmd_q = &tcb.cl_cmd_q;
1197 } else {
1198 EattChannel* channel =
1199 EattExtension::GetInstance()->GetChannelWithQueuedDataToSend(tcb.peer_bda);
1200 cl_cmd_q = &channel->cl_cmd_q_;
1201 }
1202
1203 tGATT_CMD_Q& cmd = cl_cmd_q->front();
1204 if (!cmd.to_send || cmd.p_cmd == NULL) {
1205 return false;
1206 }
1207
1208 tGATT_STATUS att_ret;
1209 att_ret = attp_send_msg_to_l2cap(tcb, cmd.cid, cmd.p_cmd);
1210
1211 if (att_ret != GATT_SUCCESS && att_ret != GATT_CONGESTED) {
1212 log::error("L2CAP sent error");
1213 cl_cmd_q->pop_front();
1214 continue;
1215 }
1216
1217 cmd.to_send = false;
1218 cmd.p_cmd = NULL;
1219
1220 if (cmd.op_code == GATT_CMD_WRITE || cmd.op_code == GATT_SIGN_CMD_WRITE) {
1221 /* dequeue the request if is write command or sign write */
1222 uint8_t rsp_code;
1223 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cmd.cid, &rsp_code);
1224
1225 /* send command complete callback here */
1226 gatt_end_operation(p_clcb, att_ret, NULL);
1227
1228 /* if no ack needed, keep sending */
1229 if (att_ret == GATT_SUCCESS) {
1230 continue;
1231 }
1232
1233 return true;
1234 }
1235
1236 gatt_start_rsp_timer(cmd.p_clcb);
1237 return true;
1238 }
1239
1240 return false;
1241 }
1242
1243 /** This function is called to handle the server response to client */
gatt_client_handle_server_rsp(tGATT_TCB & tcb,uint16_t cid,uint8_t op_code,uint16_t len,uint8_t * p_data)1244 void gatt_client_handle_server_rsp(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code, uint16_t len,
1245 uint8_t* p_data) {
1246 log::verbose("opcode: 0x{:x} cid{}", op_code, cid);
1247
1248 uint16_t payload_size = gatt_tcb_get_payload_size(tcb, cid);
1249
1250 if (op_code == GATT_HANDLE_VALUE_IND || op_code == GATT_HANDLE_VALUE_NOTIF ||
1251 op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
1252 if (len >= payload_size) {
1253 log::error("invalid indicate pkt size: {}, PDU size: {}", len + 1, payload_size);
1254 return;
1255 }
1256
1257 gatt_process_notification(tcb, cid, op_code, len, p_data);
1258 return;
1259 }
1260
1261 uint8_t cmd_code = 0;
1262 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cid, &cmd_code);
1263 if (!p_clcb) {
1264 log::warn("ATT - clcb already not in use, ignoring response");
1265 gatt_cl_send_next_cmd_inq(tcb);
1266 return;
1267 }
1268
1269 uint8_t rsp_code = gatt_cmd_to_rsp_code(cmd_code);
1270 if (!p_clcb) {
1271 log::warn("ATT - clcb already not in use, ignoring response");
1272 gatt_cl_send_next_cmd_inq(tcb);
1273 return;
1274 }
1275
1276 if (rsp_code != op_code && op_code != GATT_RSP_ERROR) {
1277 log::warn("ATT - Ignore wrong response. Receives ({:02x}) Request({:02x}) Ignored", op_code,
1278 rsp_code);
1279 return;
1280 }
1281
1282 gatt_stop_rsp_timer(p_clcb);
1283 p_clcb->retry_count = 0;
1284
1285 /* the size of the message may not be bigger than the local max PDU size*/
1286 /* The message has to be smaller than the agreed MTU, len does not count
1287 * op_code */
1288 if (len >= payload_size) {
1289 log::error("invalid response pkt size: {}, PDU size: {}", len + 1, payload_size);
1290 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
1291 } else {
1292 switch (op_code) {
1293 case GATT_RSP_ERROR:
1294 gatt_process_error_rsp(tcb, p_clcb, op_code, len, p_data);
1295 break;
1296
1297 case GATT_RSP_MTU: /* 2 bytes mtu */
1298 gatt_process_mtu_rsp(tcb, p_clcb, len, p_data);
1299 break;
1300
1301 case GATT_RSP_FIND_INFO:
1302 gatt_process_read_info_rsp(tcb, p_clcb, op_code, len, p_data);
1303 break;
1304
1305 case GATT_RSP_READ_BY_TYPE:
1306 case GATT_RSP_READ_BY_GRP_TYPE:
1307 gatt_process_read_by_type_rsp(tcb, p_clcb, op_code, len, p_data);
1308 break;
1309
1310 case GATT_RSP_READ:
1311 case GATT_RSP_READ_BLOB:
1312 case GATT_RSP_READ_MULTI:
1313 case GATT_RSP_READ_MULTI_VAR:
1314 gatt_process_read_rsp(tcb, p_clcb, op_code, len, p_data);
1315 break;
1316
1317 case GATT_RSP_FIND_TYPE_VALUE: /* disc service with UUID */
1318 gatt_process_find_type_value_rsp(tcb, p_clcb, len, p_data);
1319 break;
1320
1321 case GATT_RSP_WRITE:
1322 gatt_process_handle_rsp(p_clcb);
1323 break;
1324
1325 case GATT_RSP_PREPARE_WRITE:
1326 gatt_process_prep_write_rsp(tcb, p_clcb, op_code, len, p_data);
1327 break;
1328
1329 case GATT_RSP_EXEC_WRITE:
1330 gatt_end_operation(p_clcb, p_clcb->status, NULL);
1331 break;
1332
1333 default:
1334 log::error("Unknown opcode = {:x}", op_code);
1335 break;
1336 }
1337 }
1338
1339 gatt_cl_send_next_cmd_inq(tcb);
1340 }
1341