1 /******************************************************************************
2 *
3 * Copyright 2002-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This module contains functions for parsing and building AVDTP signaling
22 * messages. It also contains functions called by the SCB or CCB state
23 * machines for sending command, response, and reject messages. It also
24 * contains a function that processes incoming messages and dispatches them
25 * to the appropriate SCB or CCB.
26 *
27 ******************************************************************************/
28
29 #define LOG_TAG "bluetooth-a2dp"
30
31 #include <bluetooth/log.h>
32 #include <com_android_bluetooth_flags.h>
33 #include <string.h>
34
35 #include <cstdint>
36
37 #include "avdt_api.h"
38 #include "avdt_defs.h"
39 #include "avdt_int.h"
40 #include "avdtc_api.h"
41 #include "internal_include/bt_target.h"
42 #include "l2cap_types.h"
43 #include "osi/include/alarm.h"
44 #include "osi/include/allocator.h"
45 #include "osi/include/fixed_queue.h"
46 #include "stack/include/bt_hdr.h"
47 #include "stack/include/bt_types.h"
48
49 using namespace bluetooth;
50
51 /*****************************************************************************
52 * constants
53 ****************************************************************************/
54
55 /* mask of all psc values */
56 #define AVDT_MSG_PSC_MASK \
57 (AVDT_PSC_TRANS | AVDT_PSC_REPORT | AVDT_PSC_DELAY_RPT | AVDT_PSC_RECOV | AVDT_PSC_HDRCMP | \
58 AVDT_PSC_MUX)
59 #define AVDT_PSC_PROTECT (1 << 4) /* Content Protection */
60 #define AVDT_PSC_CODEC (1 << 7) /* codec */
61
62 /*****************************************************************************
63 * type definitions
64 ****************************************************************************/
65
66 /* type for message building functions */
67 typedef void (*tAVDT_MSG_BLD)(uint8_t** p, tAVDT_MSG* p_msg);
68
69 /* type for message parsing functions */
70 typedef uint8_t (*tAVDT_MSG_PRS)(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
71
72 /*****************************************************************************
73 * local function declarations
74 ****************************************************************************/
75
76 static void avdt_msg_bld_none(uint8_t** p, tAVDT_MSG* p_msg);
77 static void avdt_msg_bld_single(uint8_t** p, tAVDT_MSG* p_msg);
78 static void avdt_msg_bld_setconfig_cmd(uint8_t** p, tAVDT_MSG* p_msg);
79 static void avdt_msg_bld_reconfig_cmd(uint8_t** p, tAVDT_MSG* p_msg);
80 static void avdt_msg_bld_multi(uint8_t** p, tAVDT_MSG* p_msg);
81 static void avdt_msg_bld_security_cmd(uint8_t** p, tAVDT_MSG* p_msg);
82 static void avdt_msg_bld_discover_rsp(uint8_t** p, tAVDT_MSG* p_msg);
83 static void avdt_msg_bld_svccap(uint8_t** p, tAVDT_MSG* p_msg);
84 static void avdt_msg_bld_security_rsp(uint8_t** p, tAVDT_MSG* p_msg);
85 static void avdt_msg_bld_all_svccap(uint8_t** p, tAVDT_MSG* p_msg);
86 static void avdt_msg_bld_delay_rpt(uint8_t** p, tAVDT_MSG* p_msg);
87
88 static uint8_t avdt_msg_prs_none(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
89 static uint8_t avdt_msg_prs_single(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
90 static uint8_t avdt_msg_prs_setconfig_cmd(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
91 static uint8_t avdt_msg_prs_reconfig_cmd(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
92 static uint8_t avdt_msg_prs_multi(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
93 static uint8_t avdt_msg_prs_security_cmd(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
94 static uint8_t avdt_msg_prs_discover_rsp(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
95 static uint8_t avdt_msg_prs_svccap(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
96 static uint8_t avdt_msg_prs_all_svccap(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
97 static uint8_t avdt_msg_prs_security_rsp(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
98 static uint8_t avdt_msg_prs_delay_rpt(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len);
99
100 /*****************************************************************************
101 * constants
102 ****************************************************************************/
103
104 /* table of information element minimum lengths used for parsing */
105 const uint8_t avdt_msg_ie_len_min[] = {
106 0, /* unused */
107 AVDT_LEN_TRANS_MIN, /* media transport */
108 AVDT_LEN_REPORT_MIN, /* reporting */
109 AVDT_LEN_RECOV_MIN, /* recovery */
110 AVDT_LEN_PROTECT_MIN, /* content protection */
111 AVDT_LEN_HDRCMP_MIN, /* header compression */
112 AVDT_LEN_MUX_MIN, /* multiplexing */
113 AVDT_LEN_CODEC_MIN, /* codec */
114 AVDT_LEN_DELAY_RPT_MIN /* delay report */
115 };
116
117 /* table of information element minimum lengths used for parsing */
118 const uint8_t avdt_msg_ie_len_max[] = {
119 0, /* unused */
120 AVDT_LEN_TRANS_MAX, /* media transport */
121 AVDT_LEN_REPORT_MAX, /* reporting */
122 AVDT_LEN_RECOV_MAX, /* recovery */
123 AVDT_LEN_PROTECT_MAX, /* content protection */
124 AVDT_LEN_HDRCMP_MAX, /* header compression */
125 AVDT_LEN_MUX_MAX, /* multiplexing */
126 AVDT_LEN_CODEC_MAX, /* codec */
127 AVDT_LEN_DELAY_RPT_MAX /* delay report */
128 };
129
130 /* table of error codes used when decoding information elements */
131 const uint8_t avdt_msg_ie_err[] = {
132 0, /* unused */
133 AVDT_ERR_MEDIA_TRANS, /* media transport */
134 AVDT_ERR_LENGTH, /* reporting */
135 AVDT_ERR_RECOV_FMT, /* recovery */
136 AVDT_ERR_CP_FMT, /* content protection */
137 AVDT_ERR_ROHC_FMT, /* header compression */
138 AVDT_ERR_MUX_FMT, /* multiplexing */
139 AVDT_ERR_SERVICE, /* codec */
140 AVDT_ERR_SERVICE /* delay report ?? */
141 };
142
143 /* table of packet type minimum lengths */
144 static const uint8_t avdt_msg_pkt_type_len[] = {AVDT_LEN_TYPE_SINGLE, AVDT_LEN_TYPE_START,
145 AVDT_LEN_TYPE_CONT, AVDT_LEN_TYPE_END};
146
147 /* function table for building command messages */
148 const tAVDT_MSG_BLD avdt_msg_bld_cmd[] = {
149 avdt_msg_bld_none, /* discover */
150 avdt_msg_bld_single, /* get capabilities */
151 avdt_msg_bld_setconfig_cmd, /* set configuration */
152 avdt_msg_bld_single, /* get configuration */
153 avdt_msg_bld_reconfig_cmd, /* reconfigure */
154 avdt_msg_bld_single, /* open */
155 avdt_msg_bld_multi, /* start */
156 avdt_msg_bld_single, /* close */
157 avdt_msg_bld_multi, /* suspend */
158 avdt_msg_bld_single, /* abort */
159 avdt_msg_bld_security_cmd, /* security control */
160 avdt_msg_bld_single, /* get all capabilities */
161 avdt_msg_bld_delay_rpt /* delay report */
162 };
163
164 /* function table for building response messages */
165 const tAVDT_MSG_BLD avdt_msg_bld_rsp[] = {
166 avdt_msg_bld_discover_rsp, /* discover */
167 avdt_msg_bld_svccap, /* get capabilities */
168 avdt_msg_bld_none, /* set configuration */
169 avdt_msg_bld_all_svccap, /* get configuration */
170 avdt_msg_bld_none, /* reconfigure */
171 avdt_msg_bld_none, /* open */
172 avdt_msg_bld_none, /* start */
173 avdt_msg_bld_none, /* close */
174 avdt_msg_bld_none, /* suspend */
175 avdt_msg_bld_none, /* abort */
176 avdt_msg_bld_security_rsp, /* security control */
177 avdt_msg_bld_all_svccap, /* get all capabilities */
178 avdt_msg_bld_none /* delay report */
179 };
180
181 /* function table for parsing command messages */
182 const tAVDT_MSG_PRS avdt_msg_prs_cmd[] = {
183 avdt_msg_prs_none, /* discover */
184 avdt_msg_prs_single, /* get capabilities */
185 avdt_msg_prs_setconfig_cmd, /* set configuration */
186 avdt_msg_prs_single, /* get configuration */
187 avdt_msg_prs_reconfig_cmd, /* reconfigure */
188 avdt_msg_prs_single, /* open */
189 avdt_msg_prs_multi, /* start */
190 avdt_msg_prs_single, /* close */
191 avdt_msg_prs_multi, /* suspend */
192 avdt_msg_prs_single, /* abort */
193 avdt_msg_prs_security_cmd, /* security control */
194 avdt_msg_prs_single, /* get all capabilities */
195 avdt_msg_prs_delay_rpt /* delay report */
196 };
197
198 /* function table for parsing response messages */
199 const tAVDT_MSG_PRS avdt_msg_prs_rsp[] = {
200 avdt_msg_prs_discover_rsp, /* discover */
201 avdt_msg_prs_svccap, /* get capabilities */
202 avdt_msg_prs_none, /* set configuration */
203 avdt_msg_prs_all_svccap, /* get configuration */
204 avdt_msg_prs_none, /* reconfigure */
205 avdt_msg_prs_none, /* open */
206 avdt_msg_prs_none, /* start */
207 avdt_msg_prs_none, /* close */
208 avdt_msg_prs_none, /* suspend */
209 avdt_msg_prs_none, /* abort */
210 avdt_msg_prs_security_rsp, /* security control */
211 avdt_msg_prs_all_svccap, /* get all capabilities */
212 avdt_msg_prs_none /* delay report */
213 };
214
215 /* command message-to-event lookup table */
216 const uint8_t avdt_msg_cmd_2_evt[] = {
217 AVDT_CCB_MSG_DISCOVER_CMD_EVT + AVDT_CCB_MKR, /* discover */
218 AVDT_CCB_MSG_GETCAP_CMD_EVT + AVDT_CCB_MKR, /* get capabilities */
219 AVDT_SCB_MSG_SETCONFIG_CMD_EVT, /* set configuration */
220 AVDT_SCB_MSG_GETCONFIG_CMD_EVT, /* get configuration */
221 AVDT_SCB_MSG_RECONFIG_CMD_EVT, /* reconfigure */
222 AVDT_SCB_MSG_OPEN_CMD_EVT, /* open */
223 AVDT_CCB_MSG_START_CMD_EVT + AVDT_CCB_MKR, /* start */
224 AVDT_SCB_MSG_CLOSE_CMD_EVT, /* close */
225 AVDT_CCB_MSG_SUSPEND_CMD_EVT + AVDT_CCB_MKR, /* suspend */
226 AVDT_SCB_MSG_ABORT_CMD_EVT, /* abort */
227 AVDT_SCB_MSG_SECURITY_CMD_EVT, /* security control */
228 AVDT_CCB_MSG_GETCAP_CMD_EVT + AVDT_CCB_MKR, /* get all capabilities */
229 AVDT_SCB_MSG_DELAY_RPT_CMD_EVT /* delay report */
230 };
231
232 /* response message-to-event lookup table */
233 const uint8_t avdt_msg_rsp_2_evt[] = {
234 AVDT_CCB_MSG_DISCOVER_RSP_EVT + AVDT_CCB_MKR, /* discover */
235 AVDT_CCB_MSG_GETCAP_RSP_EVT + AVDT_CCB_MKR, /* get capabilities */
236 AVDT_SCB_MSG_SETCONFIG_RSP_EVT, /* set configuration */
237 AVDT_SCB_MSG_GETCONFIG_RSP_EVT, /* get configuration */
238 AVDT_SCB_MSG_RECONFIG_RSP_EVT, /* reconfigure */
239 AVDT_SCB_MSG_OPEN_RSP_EVT, /* open */
240 AVDT_CCB_MSG_START_RSP_EVT + AVDT_CCB_MKR, /* start */
241 AVDT_SCB_MSG_CLOSE_RSP_EVT, /* close */
242 AVDT_CCB_MSG_SUSPEND_RSP_EVT + AVDT_CCB_MKR, /* suspend */
243 AVDT_SCB_MSG_ABORT_RSP_EVT, /* abort */
244 AVDT_SCB_MSG_SECURITY_RSP_EVT, /* security control */
245 AVDT_CCB_MSG_GETCAP_RSP_EVT + AVDT_CCB_MKR, /* get all capabilities */
246 AVDT_SCB_MSG_DELAY_RPT_RSP_EVT /* delay report */
247 };
248
249 /* reject message-to-event lookup table */
250 const uint8_t avdt_msg_rej_2_evt[] = {
251 AVDT_CCB_MSG_DISCOVER_RSP_EVT + AVDT_CCB_MKR, /* discover */
252 AVDT_CCB_MSG_GETCAP_RSP_EVT + AVDT_CCB_MKR, /* get capabilities */
253 AVDT_SCB_MSG_SETCONFIG_REJ_EVT, /* set configuration */
254 AVDT_SCB_MSG_GETCONFIG_RSP_EVT, /* get configuration */
255 AVDT_SCB_MSG_RECONFIG_RSP_EVT, /* reconfigure */
256 AVDT_SCB_MSG_OPEN_REJ_EVT, /* open */
257 AVDT_CCB_MSG_START_RSP_EVT + AVDT_CCB_MKR, /* start */
258 AVDT_SCB_MSG_CLOSE_RSP_EVT, /* close */
259 AVDT_CCB_MSG_SUSPEND_RSP_EVT + AVDT_CCB_MKR, /* suspend */
260 AVDT_SCB_MSG_ABORT_RSP_EVT, /* abort */
261 AVDT_SCB_MSG_SECURITY_RSP_EVT, /* security control */
262 AVDT_CCB_MSG_GETCAP_RSP_EVT + AVDT_CCB_MKR, /* get all capabilities */
263 0 /* delay report */
264 };
265
266 /*******************************************************************************
267 *
268 * Function avdt_msg_bld_cfg
269 *
270 * Description This function builds the configuration parameters contained
271 * in a command or response message.
272 *
273 *
274 * Returns void.
275 *
276 ******************************************************************************/
avdt_msg_bld_cfg(uint8_t ** p,AvdtpSepConfig * p_cfg)277 static void avdt_msg_bld_cfg(uint8_t** p, AvdtpSepConfig* p_cfg) {
278 uint8_t len;
279
280 /* for now, just build media transport, codec, and content protection, and
281 * multiplexing */
282
283 /* media transport */
284 if (p_cfg->psc_mask & AVDT_PSC_TRANS) {
285 *(*p)++ = AVDT_CAT_TRANS;
286 *(*p)++ = 0; /* length */
287 }
288
289 /* reporting transport */
290 if (p_cfg->psc_mask & AVDT_PSC_REPORT) {
291 *(*p)++ = AVDT_CAT_REPORT;
292 *(*p)++ = 0; /* length */
293 }
294
295 /* codec */
296 if (p_cfg->num_codec != 0) {
297 *(*p)++ = AVDT_CAT_CODEC;
298 len = p_cfg->codec_info[0] + 1;
299 if (len > AVDT_CODEC_SIZE) {
300 len = AVDT_CODEC_SIZE;
301 }
302
303 memcpy(*p, p_cfg->codec_info, len);
304 *p += len;
305 }
306
307 /* content protection */
308 if (p_cfg->num_protect != 0) {
309 *(*p)++ = AVDT_CAT_PROTECT;
310 len = p_cfg->protect_info[0] + 1;
311 if (len > AVDT_PROTECT_SIZE) {
312 len = AVDT_PROTECT_SIZE;
313 }
314
315 memcpy(*p, p_cfg->protect_info, len);
316 *p += len;
317 }
318
319 /* delay report */
320 if (p_cfg->psc_mask & AVDT_PSC_DELAY_RPT) {
321 *(*p)++ = AVDT_CAT_DELAY_RPT;
322 *(*p)++ = 0; /* length */
323 }
324 }
325
326 /*******************************************************************************
327 *
328 * Function avdt_msg_bld_none
329 *
330 * Description This message building function builds an empty message.
331 *
332 *
333 * Returns void.
334 *
335 ******************************************************************************/
avdt_msg_bld_none(uint8_t **,tAVDT_MSG *)336 static void avdt_msg_bld_none(uint8_t** /* p */, tAVDT_MSG* /* p_msg */) { return; }
337
338 /*******************************************************************************
339 *
340 * Function avdt_msg_bld_single
341 *
342 * Description This message building function builds a message containing
343 * a single SEID.
344 *
345 *
346 * Returns void.
347 *
348 ******************************************************************************/
avdt_msg_bld_single(uint8_t ** p,tAVDT_MSG * p_msg)349 static void avdt_msg_bld_single(uint8_t** p, tAVDT_MSG* p_msg) {
350 AVDT_MSG_BLD_SEID(*p, p_msg->single.seid);
351 }
352
353 /*******************************************************************************
354 *
355 * Function avdt_msg_bld_setconfig_cmd
356 *
357 * Description This message building function builds a set configuration
358 * command message.
359 *
360 *
361 * Returns void.
362 *
363 ******************************************************************************/
avdt_msg_bld_setconfig_cmd(uint8_t ** p,tAVDT_MSG * p_msg)364 static void avdt_msg_bld_setconfig_cmd(uint8_t** p, tAVDT_MSG* p_msg) {
365 AVDT_MSG_BLD_SEID(*p, p_msg->config_cmd.hdr.seid);
366 AVDT_MSG_BLD_SEID(*p, p_msg->config_cmd.int_seid);
367 avdt_msg_bld_cfg(p, p_msg->config_cmd.p_cfg);
368 }
369
370 /*******************************************************************************
371 *
372 * Function avdt_msg_bld_reconfig_cmd
373 *
374 * Description This message building function builds a reconfiguration
375 * command message.
376 *
377 *
378 * Returns void.
379 *
380 ******************************************************************************/
avdt_msg_bld_reconfig_cmd(uint8_t ** p,tAVDT_MSG * p_msg)381 static void avdt_msg_bld_reconfig_cmd(uint8_t** p, tAVDT_MSG* p_msg) {
382 AVDT_MSG_BLD_SEID(*p, p_msg->reconfig_cmd.hdr.seid);
383
384 /* force psc mask zero to build only codec and security */
385 p_msg->reconfig_cmd.p_cfg->psc_mask = 0;
386 avdt_msg_bld_cfg(p, p_msg->reconfig_cmd.p_cfg);
387 }
388
389 /*******************************************************************************
390 *
391 * Function avdt_msg_bld_multi
392 *
393 * Description This message building function builds a message containing
394 * multiple SEID's.
395 *
396 *
397 * Returns void.
398 *
399 ******************************************************************************/
avdt_msg_bld_multi(uint8_t ** p,tAVDT_MSG * p_msg)400 static void avdt_msg_bld_multi(uint8_t** p, tAVDT_MSG* p_msg) {
401 int i;
402
403 for (i = 0; i < p_msg->multi.num_seps; i++) {
404 AVDT_MSG_BLD_SEID(*p, p_msg->multi.seid_list[i]);
405 }
406 }
407
408 /*******************************************************************************
409 *
410 * Function avdt_msg_bld_security_cmd
411 *
412 * Description This message building function builds a security
413 * command message.
414 *
415 * Returns void.
416 *
417 ******************************************************************************/
avdt_msg_bld_security_cmd(uint8_t ** p,tAVDT_MSG * p_msg)418 static void avdt_msg_bld_security_cmd(uint8_t** p, tAVDT_MSG* p_msg) {
419 AVDT_MSG_BLD_SEID(*p, p_msg->security_cmd.hdr.seid);
420 memcpy(*p, p_msg->security_cmd.p_data, p_msg->security_cmd.len);
421 *p += p_msg->security_cmd.len;
422 }
423
424 /*******************************************************************************
425 *
426 * Function avdt_msg_bld_delay_rpt
427 *
428 * Description This message building function builds a delay report
429 * command message.
430 *
431 * Returns void.
432 *
433 ******************************************************************************/
avdt_msg_bld_delay_rpt(uint8_t ** p,tAVDT_MSG * p_msg)434 static void avdt_msg_bld_delay_rpt(uint8_t** p, tAVDT_MSG* p_msg) {
435 AVDT_MSG_BLD_SEID(*p, p_msg->delay_rpt_cmd.hdr.seid);
436 UINT16_TO_BE_STREAM(*p, p_msg->delay_rpt_cmd.delay);
437 }
438
439 /*******************************************************************************
440 *
441 * Function avdt_msg_bld_discover_rsp
442 *
443 * Description This message building function builds a discover
444 * response message.
445 *
446 *
447 * Returns void.
448 *
449 ******************************************************************************/
avdt_msg_bld_discover_rsp(uint8_t ** p,tAVDT_MSG * p_msg)450 static void avdt_msg_bld_discover_rsp(uint8_t** p, tAVDT_MSG* p_msg) {
451 int i;
452
453 for (i = 0; i < p_msg->discover_rsp.num_seps; i++) {
454 /* build discover rsp info */
455 AVDT_MSG_BLD_DISC(
456 *p, p_msg->discover_rsp.p_sep_info[i].seid, p_msg->discover_rsp.p_sep_info[i].in_use,
457 p_msg->discover_rsp.p_sep_info[i].media_type, p_msg->discover_rsp.p_sep_info[i].tsep);
458 }
459 }
460
461 /*******************************************************************************
462 *
463 * Function avdt_msg_bld_svccap
464 *
465 * Description This message building function builds a message containing
466 * service capabilities parameters.
467 *
468 *
469 * Returns void.
470 *
471 ******************************************************************************/
avdt_msg_bld_svccap(uint8_t ** p,tAVDT_MSG * p_msg)472 static void avdt_msg_bld_svccap(uint8_t** p, tAVDT_MSG* p_msg) {
473 AvdtpSepConfig cfg = *p_msg->svccap.p_cfg;
474
475 // Include only the Basic Capability
476 cfg.psc_mask &= AVDT_LEG_PSC;
477
478 avdt_msg_bld_cfg(p, &cfg);
479 }
480
481 /*******************************************************************************
482 *
483 * Function avdt_msg_bld_all_svccap
484 *
485 * Description This message building function builds a message containing
486 * service capabilities parameters.
487 *
488 *
489 * Returns void.
490 *
491 ******************************************************************************/
avdt_msg_bld_all_svccap(uint8_t ** p,tAVDT_MSG * p_msg)492 static void avdt_msg_bld_all_svccap(uint8_t** p, tAVDT_MSG* p_msg) {
493 avdt_msg_bld_cfg(p, p_msg->svccap.p_cfg);
494 }
495
496 /*******************************************************************************
497 *
498 * Function avdt_msg_bld_security_rsp
499 *
500 * Description This message building function builds a security
501 * response message.
502 *
503 *
504 * Returns void.
505 *
506 ******************************************************************************/
avdt_msg_bld_security_rsp(uint8_t ** p,tAVDT_MSG * p_msg)507 static void avdt_msg_bld_security_rsp(uint8_t** p, tAVDT_MSG* p_msg) {
508 memcpy(*p, p_msg->security_rsp.p_data, p_msg->security_rsp.len);
509 *p += p_msg->security_rsp.len;
510 }
511
512 /*******************************************************************************
513 *
514 * Function avdt_msg_prs_cfg
515 *
516 * Description This message parsing function parses the configuration
517 * parameters field of a message.
518 *
519 *
520 * Returns Error code or zero if no error, and element that failed
521 * in p_elem.
522 *
523 ******************************************************************************/
avdt_msg_prs_cfg(AvdtpSepConfig * p_cfg,uint8_t * p,uint16_t len,uint8_t * p_elem,uint8_t sig_id)524 static uint8_t avdt_msg_prs_cfg(AvdtpSepConfig* p_cfg, uint8_t* p, uint16_t len, uint8_t* p_elem,
525 uint8_t sig_id) {
526 uint8_t* p_end;
527 uint8_t elem = 0;
528 uint8_t elem_len;
529 uint8_t tmp;
530 uint8_t err = 0;
531 uint8_t protect_offset = 0;
532
533 if (!p_cfg) {
534 log::error("not expecting this cfg");
535 return AVDT_ERR_BAD_STATE;
536 }
537
538 p_cfg->psc_mask = 0;
539 p_cfg->num_codec = 0;
540 p_cfg->num_protect = 0;
541
542 /* while there is still data to parse */
543 p_end = p + len;
544 while ((p < p_end) && (err == 0)) {
545 /* verify overall length */
546 if ((p_end - p) < AVDT_LEN_CFG_MIN) {
547 err = AVDT_ERR_PAYLOAD;
548 break;
549 }
550
551 /* get and verify info elem id, length */
552 elem = *p++;
553 elem_len = *p++;
554
555 if ((elem == 0) || (elem > AVDT_CAT_MAX_CUR)) {
556 /* this may not be really bad.
557 * It may be a service category that is too new for us.
558 * allow these to be parsed without reporting an error.
559 * If this is a "capability" (as in GetCapRsp & GetConfigRsp), this is
560 * filtered out.
561 * If this is a Configuration (as in SetConfigCmd & ReconfigCmd),
562 * this will be marked as an error in the caller of this function */
563 if ((sig_id == AVDT_SIG_SETCONFIG) || (sig_id == AVDT_SIG_RECONFIG)) {
564 /* Cannot accept unknown category. */
565 err = AVDT_ERR_CATEGORY;
566 break;
567 } else /* GETCAP or GET_ALLCAP */
568 {
569 /* Skip unknown categories. */
570 p += elem_len;
571 log::verbose("skipping unknown service category={} len: {}", elem, elem_len);
572 continue;
573 }
574 }
575
576 if ((elem_len > avdt_msg_ie_len_max[elem]) || (elem_len < avdt_msg_ie_len_min[elem])) {
577 err = avdt_msg_ie_err[elem];
578 break;
579 }
580
581 /* add element to psc mask, but mask out codec or protect */
582 p_cfg->psc_mask |= (1 << elem);
583 log::verbose("elem={} elem_len: {} psc_mask=0x{:x}", elem, elem_len, p_cfg->psc_mask);
584
585 /* parse individual information elements with additional parameters */
586 switch (elem) {
587 case AVDT_CAT_RECOV:
588 if ((p_end - p) < 3) {
589 err = AVDT_ERR_PAYLOAD;
590 break;
591 }
592 p_cfg->recov_type = *p++;
593 p_cfg->recov_mrws = *p++;
594 p_cfg->recov_mnmp = *p++;
595 if (p_cfg->recov_type != AVDT_RECOV_RFC2733) {
596 err = AVDT_ERR_RECOV_TYPE;
597 } else if ((p_cfg->recov_mrws < AVDT_RECOV_MRWS_MIN) ||
598 (p_cfg->recov_mrws > AVDT_RECOV_MRWS_MAX) ||
599 (p_cfg->recov_mnmp < AVDT_RECOV_MNMP_MIN) ||
600 (p_cfg->recov_mnmp > AVDT_RECOV_MNMP_MAX)) {
601 err = AVDT_ERR_RECOV_FMT;
602 }
603 break;
604
605 case AVDT_CAT_PROTECT:
606 p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;
607 if (p + elem_len > p_end) {
608 err = AVDT_ERR_LENGTH;
609 break;
610 }
611 if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE) {
612 p_cfg->num_protect++;
613 p_cfg->protect_info[protect_offset] = elem_len;
614 protect_offset++;
615 memcpy(&p_cfg->protect_info[protect_offset], p, elem_len);
616 protect_offset += elem_len;
617 }
618 p += elem_len;
619 break;
620
621 case AVDT_CAT_HDRCMP:
622 if ((p_end - p) < 1) {
623 err = AVDT_ERR_PAYLOAD;
624 break;
625 }
626 p_cfg->hdrcmp_mask = *p++;
627 break;
628
629 case AVDT_CAT_CODEC:
630 p_cfg->psc_mask &= ~AVDT_PSC_CODEC;
631 tmp = elem_len;
632 if (elem_len >= AVDT_CODEC_SIZE) {
633 tmp = AVDT_CODEC_SIZE - 1;
634 }
635 if (p + tmp > p_end) {
636 err = AVDT_ERR_LENGTH;
637 break;
638 }
639 p_cfg->num_codec++;
640 p_cfg->codec_info[0] = elem_len;
641 memcpy(&p_cfg->codec_info[1], p, tmp);
642 p += elem_len;
643 break;
644
645 case AVDT_CAT_DELAY_RPT:
646 log::verbose("Remote device supports delay reporting");
647 break;
648
649 default:
650 p += elem_len;
651 break;
652 } /* switch */
653 } /* while ! err, !end*/
654 *p_elem = elem;
655 log::verbose("err=0x{:x}, elem:0x{:x} psc_mask=0x{:x}", err, elem, p_cfg->psc_mask);
656
657 return err;
658 }
659
660 /*******************************************************************************
661 *
662 * Function avdt_msg_prs_none
663 *
664 * Description This message parsing function parses a message with no
665 * parameters.
666 *
667 *
668 * Returns Error code or zero if no error.
669 *
670 ******************************************************************************/
avdt_msg_prs_none(tAVDT_MSG *,uint8_t *,uint16_t)671 static uint8_t avdt_msg_prs_none(tAVDT_MSG* /* p_msg */, uint8_t* /* p */, uint16_t /* len */) {
672 return 0;
673 }
674
675 /*******************************************************************************
676 *
677 * Function avdt_msg_prs_single
678 *
679 * Description This message parsing function parses a message with a
680 * single SEID.
681 *
682 *
683 * Returns Error code or zero if no error.
684 *
685 ******************************************************************************/
avdt_msg_prs_single(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)686 static uint8_t avdt_msg_prs_single(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
687 uint8_t err = 0;
688
689 /* verify len */
690 if (len != AVDT_LEN_SINGLE) {
691 err = AVDT_ERR_LENGTH;
692 } else {
693 AVDT_MSG_PRS_SEID(p, p_msg->single.seid);
694
695 if (avdt_scb_by_hdl(p_msg->single.seid) == NULL) {
696 err = AVDT_ERR_SEID;
697 }
698 }
699 return err;
700 }
701
702 /*******************************************************************************
703 *
704 * Function avdt_msg_prs_setconfig_cmd
705 *
706 * Description This message parsing function parses a set configuration
707 * command message.
708 *
709 *
710 * Returns Error code or zero if no error.
711 *
712 ******************************************************************************/
avdt_msg_prs_setconfig_cmd(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)713 static uint8_t avdt_msg_prs_setconfig_cmd(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
714 uint8_t err = 0;
715
716 p_msg->hdr.err_param = 0;
717
718 /* verify len */
719 if (len < AVDT_LEN_SETCONFIG_MIN) {
720 err = AVDT_ERR_LENGTH;
721 } else {
722 /* get seids */
723 AVDT_MSG_PRS_SEID(p, p_msg->config_cmd.hdr.seid);
724 if (avdt_scb_by_hdl(p_msg->config_cmd.hdr.seid) == NULL) {
725 err = AVDT_ERR_SEID;
726 }
727
728 AVDT_MSG_PRS_SEID(p, p_msg->config_cmd.int_seid);
729 if ((p_msg->config_cmd.int_seid < AVDT_SEID_MIN) ||
730 (p_msg->config_cmd.int_seid > AVDT_SEID_MAX)) {
731 err = AVDT_ERR_SEID;
732 }
733 }
734
735 if (!err) {
736 /* parse configuration parameters */
737 len -= 2;
738 err = avdt_msg_prs_cfg(p_msg->config_cmd.p_cfg, p, len, &p_msg->hdr.err_param,
739 AVDT_SIG_SETCONFIG);
740
741 if (!err) {
742 /* verify protocol service capabilities are supported */
743 if (((p_msg->config_cmd.p_cfg->psc_mask & (~AVDT_PSC)) != 0) ||
744 (p_msg->config_cmd.p_cfg->num_codec == 0)) {
745 err = AVDT_ERR_INVALID_CAP;
746 }
747 }
748 }
749
750 return err;
751 }
752
753 /*******************************************************************************
754 *
755 * Function avdt_msg_prs_reconfig_cmd
756 *
757 * Description This message parsing function parses a reconfiguration
758 * command message.
759 *
760 *
761 * Returns Error code or zero if no error.
762 *
763 ******************************************************************************/
avdt_msg_prs_reconfig_cmd(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)764 static uint8_t avdt_msg_prs_reconfig_cmd(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
765 uint8_t err = 0;
766
767 p_msg->hdr.err_param = 0;
768
769 /* verify len */
770 if (len < AVDT_LEN_RECONFIG_MIN) {
771 err = AVDT_ERR_LENGTH;
772 } else {
773 /* get seid */
774 AVDT_MSG_PRS_SEID(p, p_msg->reconfig_cmd.hdr.seid);
775 if (avdt_scb_by_hdl(p_msg->reconfig_cmd.hdr.seid) == NULL) {
776 err = AVDT_ERR_SEID;
777 } else {
778 /* parse config parameters */
779 len--;
780 err = avdt_msg_prs_cfg(p_msg->config_cmd.p_cfg, p, len, &p_msg->hdr.err_param,
781 AVDT_SIG_RECONFIG);
782
783 /* verify no protocol service capabilities in parameters */
784 if (!err) {
785 log::verbose("avdt_msg_prs_reconfig_cmd psc_mask=0x{:x}/0x{:x}",
786 p_msg->config_cmd.p_cfg->psc_mask, AVDT_MSG_PSC_MASK);
787 if ((p_msg->config_cmd.p_cfg->psc_mask != 0) ||
788 (p_msg->config_cmd.p_cfg->num_codec == 0 &&
789 p_msg->config_cmd.p_cfg->num_protect == 0)) {
790 err = AVDT_ERR_INVALID_CAP;
791 }
792 }
793 }
794 }
795 return err;
796 }
797
798 /*******************************************************************************
799 *
800 * Function avdt_msg_prs_multi
801 *
802 * Description This message parsing function parses a message containing
803 * multiple SEID's.
804 *
805 *
806 * Returns Error code or zero if no error.
807 *
808 ******************************************************************************/
avdt_msg_prs_multi(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)809 static uint8_t avdt_msg_prs_multi(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
810 int i;
811 uint8_t err = 0;
812
813 p_msg->hdr.err_param = 0;
814
815 /* verify len */
816 if (len < AVDT_LEN_MULTI_MIN || (len > AVDT_NUM_SEPS)) {
817 err = AVDT_ERR_LENGTH;
818 } else {
819 /* get and verify all seps */
820 for (i = 0; i < len; i++) {
821 AVDT_MSG_PRS_SEID(p, p_msg->multi.seid_list[i]);
822 if (avdt_scb_by_hdl(p_msg->multi.seid_list[i]) == NULL) {
823 err = AVDT_ERR_SEID;
824 p_msg->hdr.err_param = p_msg->multi.seid_list[i];
825 break;
826 }
827 }
828 p_msg->multi.num_seps = (uint8_t)i;
829 }
830
831 return err;
832 }
833
834 /*******************************************************************************
835 *
836 * Function avdt_msg_prs_security_cmd
837 *
838 * Description This message parsing function parses a security
839 * command message.
840 *
841 *
842 * Returns Error code or zero if no error.
843 *
844 ******************************************************************************/
avdt_msg_prs_security_cmd(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)845 static uint8_t avdt_msg_prs_security_cmd(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
846 uint8_t err = 0;
847
848 /* verify len */
849 if (len < AVDT_LEN_SECURITY_MIN) {
850 err = AVDT_ERR_LENGTH;
851 } else {
852 /* get seid */
853 AVDT_MSG_PRS_SEID(p, p_msg->security_cmd.hdr.seid);
854 if (avdt_scb_by_hdl(p_msg->security_cmd.hdr.seid) == NULL) {
855 err = AVDT_ERR_SEID;
856 } else {
857 p_msg->security_cmd.p_data = p;
858 p_msg->security_cmd.len = len - 1;
859 }
860 }
861 return err;
862 }
863
864 /*******************************************************************************
865 *
866 * Function avdt_msg_prs_discover_rsp
867 *
868 * Description This message parsing function parses a discover
869 * response message.
870 *
871 *
872 * Returns Error code or zero if no error.
873 *
874 ******************************************************************************/
avdt_msg_prs_discover_rsp(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)875 static uint8_t avdt_msg_prs_discover_rsp(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
876 int i;
877 uint8_t err = 0;
878
879 /* determine number of seps; seps in msg is len/2, but set to minimum
880 ** of seps app has supplied memory for and seps in msg
881 */
882 if (p_msg->discover_rsp.num_seps > (len / 2)) {
883 p_msg->discover_rsp.num_seps = (len / 2);
884 }
885
886 /* parse out sep info */
887 for (i = 0; i < p_msg->discover_rsp.num_seps; i++) {
888 /* parse discover rsp info */
889 AVDT_MSG_PRS_DISC(
890 p, p_msg->discover_rsp.p_sep_info[i].seid, p_msg->discover_rsp.p_sep_info[i].in_use,
891 p_msg->discover_rsp.p_sep_info[i].media_type, p_msg->discover_rsp.p_sep_info[i].tsep);
892
893 /* verify that seid is valid */
894 if ((p_msg->discover_rsp.p_sep_info[i].seid < AVDT_SEID_MIN) ||
895 (p_msg->discover_rsp.p_sep_info[i].seid > AVDT_SEID_MAX)) {
896 err = AVDT_ERR_SEID;
897 break;
898 }
899 }
900
901 return err;
902 }
903
904 /*******************************************************************************
905 *
906 * Function avdt_msg_prs_svccap
907 *
908 * Description This message parsing function parses a message containing
909 * service capabilities parameters.
910 *
911 *
912 * Returns Error code or zero if no error.
913 *
914 ******************************************************************************/
avdt_msg_prs_svccap(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)915 static uint8_t avdt_msg_prs_svccap(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
916 /* parse parameters */
917 uint8_t err =
918 avdt_msg_prs_cfg(p_msg->svccap.p_cfg, p, len, &p_msg->hdr.err_param, AVDT_SIG_GETCAP);
919 if (p_msg->svccap.p_cfg) {
920 p_msg->svccap.p_cfg->psc_mask &= AVDT_LEG_PSC;
921 }
922
923 return err;
924 }
925
926 /*******************************************************************************
927 *
928 * Function avdt_msg_prs_all_svccap
929 *
930 * Description This message parsing function parses a message containing
931 * service capabilities parameters.
932 *
933 *
934 * Returns Error code or zero if no error.
935 *
936 ******************************************************************************/
avdt_msg_prs_all_svccap(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)937 static uint8_t avdt_msg_prs_all_svccap(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
938 uint8_t err =
939 avdt_msg_prs_cfg(p_msg->svccap.p_cfg, p, len, &p_msg->hdr.err_param, AVDT_SIG_GET_ALLCAP);
940 if (p_msg->svccap.p_cfg) {
941 p_msg->svccap.p_cfg->psc_mask &= AVDT_MSG_PSC_MASK;
942 }
943 return err;
944 }
945
946 /*******************************************************************************
947 *
948 * Function avdt_msg_prs_security_rsp
949 *
950 * Description This message parsing function parsing a security
951 * response message.
952 *
953 *
954 * Returns Error code or zero if no error.
955 *
956 ******************************************************************************/
avdt_msg_prs_security_rsp(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)957 static uint8_t avdt_msg_prs_security_rsp(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
958 p_msg->security_rsp.p_data = p;
959 p_msg->security_rsp.len = len;
960
961 return 0;
962 }
963
964 /*******************************************************************************
965 *
966 * Function avdt_msg_prs_rej
967 *
968 * Description
969 *
970 *
971 * Returns Error code or zero if no error.
972 *
973 ******************************************************************************/
avdt_msg_prs_rej(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len,uint8_t sig)974 static uint8_t avdt_msg_prs_rej(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len, uint8_t sig) {
975 uint8_t error = 0;
976
977 if (len > 0) {
978 if ((sig == AVDT_SIG_SETCONFIG) || (sig == AVDT_SIG_RECONFIG)) {
979 p_msg->hdr.err_param = *p++;
980 len--;
981 } else if ((sig == AVDT_SIG_START) || (sig == AVDT_SIG_SUSPEND)) {
982 AVDT_MSG_PRS_SEID(p, p_msg->hdr.err_param);
983 len--;
984 }
985 }
986
987 if (len < 1) {
988 error = AVDT_ERR_LENGTH;
989 } else {
990 p_msg->hdr.err_code = *p;
991 }
992
993 return error;
994 }
995
996 /*******************************************************************************
997 *
998 * Function avdt_msg_prs_delay_rpt
999 *
1000 * Description This message parsing function parses a security
1001 * command message.
1002 *
1003 *
1004 * Returns Error code or zero if no error.
1005 *
1006 ******************************************************************************/
avdt_msg_prs_delay_rpt(tAVDT_MSG * p_msg,uint8_t * p,uint16_t len)1007 static uint8_t avdt_msg_prs_delay_rpt(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len) {
1008 uint8_t err = 0;
1009
1010 /* verify len */
1011 if (len != AVDT_LEN_DELAY_RPT) {
1012 log::warn("avdt_msg_prs_delay_rpt expected len: {} got: {}", AVDT_LEN_DELAY_RPT, len);
1013 err = AVDT_ERR_LENGTH;
1014 } else {
1015 /* get seid */
1016 AVDT_MSG_PRS_SEID(p, p_msg->delay_rpt_cmd.hdr.seid);
1017
1018 if (avdt_scb_by_hdl(p_msg->delay_rpt_cmd.hdr.seid) == NULL) {
1019 err = AVDT_ERR_SEID;
1020 } else {
1021 BE_STREAM_TO_UINT16(p_msg->delay_rpt_cmd.delay, p);
1022 log::verbose("avdt_msg_prs_delay_rpt delay: {}", p_msg->delay_rpt_cmd.delay);
1023 }
1024 }
1025 return err;
1026 }
1027
1028 /*******************************************************************************
1029 *
1030 * Function avdt_msg_send
1031 *
1032 * Description Send, and if necessary fragment the next message.
1033 *
1034 *
1035 * Returns Congested state; true if CCB congested, false if not.
1036 *
1037 ******************************************************************************/
avdt_msg_send(AvdtpCcb * p_ccb,BT_HDR * p_msg)1038 bool avdt_msg_send(AvdtpCcb* p_ccb, BT_HDR* p_msg) {
1039 uint16_t curr_msg_len;
1040 uint8_t pkt_type;
1041 uint8_t hdr_len;
1042 AvdtpTransportChannel* p_tbl;
1043 BT_HDR* p_buf;
1044 uint8_t* p;
1045 uint8_t label;
1046 uint8_t msg;
1047 uint8_t sig;
1048 uint8_t nosp = 0; /* number of subsequent packets */
1049
1050 /* look up transport channel table entry to get peer mtu */
1051 p_tbl = avdt_ad_tc_tbl_by_type(AVDT_CHAN_SIG, p_ccb, NULL);
1052
1053 /* set the current message if there is a message passed in */
1054 if (p_msg != NULL) {
1055 p_ccb->p_curr_msg = p_msg;
1056 }
1057
1058 /* store copy of curr_msg->len */
1059 curr_msg_len = p_ccb->p_curr_msg->len;
1060
1061 /* while not congested and we haven't sent it all */
1062 while ((!p_ccb->cong) && (p_ccb->p_curr_msg != NULL)) {
1063 /* check what kind of message we've got here; we are using the offset
1064 ** to indicate that a message is being fragmented
1065 */
1066
1067 /* if message isn't being fragmented and it fits in mtu */
1068 if ((p_ccb->p_curr_msg->offset == AVDT_MSG_OFFSET) &&
1069 (p_ccb->p_curr_msg->len <= p_tbl->peer_mtu - AVDT_LEN_TYPE_SINGLE)) {
1070 pkt_type = AVDT_PKT_TYPE_SINGLE;
1071 hdr_len = AVDT_LEN_TYPE_SINGLE;
1072 p_buf = p_ccb->p_curr_msg;
1073 } else if ((p_ccb->p_curr_msg->offset == AVDT_MSG_OFFSET) &&
1074 /* if message isn't being fragmented and it doesn't fit in mtu */
1075 (p_ccb->p_curr_msg->len > p_tbl->peer_mtu - AVDT_LEN_TYPE_SINGLE)) {
1076 pkt_type = AVDT_PKT_TYPE_START;
1077 hdr_len = AVDT_LEN_TYPE_START;
1078 nosp = (p_ccb->p_curr_msg->len + AVDT_LEN_TYPE_START - p_tbl->peer_mtu) /
1079 (p_tbl->peer_mtu - 1) +
1080 2;
1081
1082 /* get a new buffer for fragment we are sending */
1083 p_buf = (BT_HDR*)osi_malloc(AVDT_CMD_BUF_SIZE);
1084
1085 /* copy portion of data from current message to new buffer */
1086 p_buf->offset = L2CAP_MIN_OFFSET + hdr_len;
1087 p_buf->len = p_tbl->peer_mtu - hdr_len;
1088 memcpy((uint8_t*)(p_buf + 1) + p_buf->offset,
1089 (uint8_t*)(p_ccb->p_curr_msg + 1) + p_ccb->p_curr_msg->offset, p_buf->len);
1090 } else if ((p_ccb->p_curr_msg->offset > AVDT_MSG_OFFSET) &&
1091 /* if message is being fragmented and remaining bytes don't fit in mtu */
1092 (p_ccb->p_curr_msg->len > (p_tbl->peer_mtu - AVDT_LEN_TYPE_CONT))) {
1093 pkt_type = AVDT_PKT_TYPE_CONT;
1094 hdr_len = AVDT_LEN_TYPE_CONT;
1095
1096 /* get a new buffer for fragment we are sending */
1097 p_buf = (BT_HDR*)osi_malloc(AVDT_CMD_BUF_SIZE);
1098
1099 /* copy portion of data from current message to new buffer */
1100 p_buf->offset = L2CAP_MIN_OFFSET + hdr_len;
1101 p_buf->len = p_tbl->peer_mtu - hdr_len;
1102 memcpy((uint8_t*)(p_buf + 1) + p_buf->offset,
1103 (uint8_t*)(p_ccb->p_curr_msg + 1) + p_ccb->p_curr_msg->offset, p_buf->len);
1104 } else {
1105 /* if message is being fragmented and remaining bytes do fit in mtu */
1106 pkt_type = AVDT_PKT_TYPE_END;
1107 hdr_len = AVDT_LEN_TYPE_END;
1108 p_buf = p_ccb->p_curr_msg;
1109 }
1110
1111 /* label, sig id, msg type are in hdr of p_curr_msg */
1112 label = AVDT_LAYERSPEC_LABEL(p_ccb->p_curr_msg->layer_specific);
1113 msg = AVDT_LAYERSPEC_MSG(p_ccb->p_curr_msg->layer_specific);
1114 sig = (uint8_t)p_ccb->p_curr_msg->event;
1115 log::verbose("avdt_msg_send label:{}, msg:{}, sig:{}", label, msg, sig);
1116
1117 /* keep track of how much of msg we've sent */
1118 curr_msg_len -= p_buf->len;
1119 if (curr_msg_len == 0) {
1120 /* entire message sent; mark as finished */
1121 p_ccb->p_curr_msg = NULL;
1122
1123 /* start timer here for commands */
1124 if (msg == AVDT_MSG_TYPE_CMD) {
1125 /* if retransmit timeout set to zero, sig doesn't use retransmit */
1126 if ((sig == AVDT_SIG_DISCOVER) || (sig == AVDT_SIG_GETCAP) || (sig == AVDT_SIG_SECURITY) ||
1127 (avdtp_cb.rcb.ret_tout == 0)) {
1128 alarm_cancel(p_ccb->idle_ccb_timer);
1129 alarm_cancel(p_ccb->ret_ccb_timer);
1130 uint64_t interval_ms = avdtp_cb.rcb.sig_tout * 1000;
1131 alarm_set_on_mloop(p_ccb->rsp_ccb_timer, interval_ms, avdt_ccb_rsp_ccb_timer_timeout,
1132 p_ccb);
1133 } else if (sig != AVDT_SIG_DELAY_RPT) {
1134 alarm_cancel(p_ccb->idle_ccb_timer);
1135 alarm_cancel(p_ccb->rsp_ccb_timer);
1136 uint64_t interval_ms = avdtp_cb.rcb.ret_tout * 1000;
1137 alarm_set_on_mloop(p_ccb->ret_ccb_timer, interval_ms, avdt_ccb_ret_ccb_timer_timeout,
1138 p_ccb);
1139 }
1140 }
1141 } else {
1142 /* message being fragmented and not completely sent */
1143 p_ccb->p_curr_msg->len -= p_buf->len;
1144 p_ccb->p_curr_msg->offset += p_buf->len;
1145 }
1146
1147 /* set up to build header */
1148 p_buf->len += hdr_len;
1149 p_buf->offset -= hdr_len;
1150 p = (uint8_t*)(p_buf + 1) + p_buf->offset;
1151
1152 /* build header */
1153 AVDT_MSG_BLD_HDR(p, label, pkt_type, msg);
1154 if (pkt_type == AVDT_PKT_TYPE_START) {
1155 AVDT_MSG_BLD_NOSP(p, nosp);
1156 }
1157 if ((pkt_type == AVDT_PKT_TYPE_START) || (pkt_type == AVDT_PKT_TYPE_SINGLE)) {
1158 AVDT_MSG_BLD_SIG(p, sig);
1159 }
1160
1161 /* send msg buffer down */
1162 avdt_ad_write_req(AVDT_CHAN_SIG, p_ccb, NULL, p_buf);
1163 }
1164 return p_ccb->cong;
1165 }
1166
1167 /*******************************************************************************
1168 *
1169 * Function avdt_msg_asmbl
1170 *
1171 * Description Reassemble incoming message.
1172 *
1173 *
1174 * Returns Pointer to reassembled message; NULL if no message
1175 * available.
1176 *
1177 ******************************************************************************/
avdt_msg_asmbl(AvdtpCcb * p_ccb,BT_HDR * p_buf)1178 static BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
1179 uint8_t* p;
1180 uint8_t pkt_type;
1181 BT_HDR* p_ret;
1182
1183 /* parse the message header */
1184 p = (uint8_t*)(p_buf + 1) + p_buf->offset;
1185
1186 /* Check if is valid length */
1187 if (p_buf->len < 1) {
1188 osi_free(p_buf);
1189 p_ret = NULL;
1190 return p_ret;
1191 }
1192 AVDT_MSG_PRS_PKT_TYPE(p, pkt_type);
1193
1194 /* quick sanity check on length */
1195 if (p_buf->len < avdt_msg_pkt_type_len[pkt_type]) {
1196 osi_free(p_buf);
1197 log::warn("Bad length during reassembly");
1198 p_ret = NULL;
1199 } else if (pkt_type == AVDT_PKT_TYPE_SINGLE) {
1200 /* single packet */
1201 /* if reassembly in progress drop message and process new single */
1202 if (p_ccb->p_rx_msg != NULL) {
1203 log::warn("Got single during reassembly");
1204 }
1205
1206 osi_free_and_reset((void**)&p_ccb->p_rx_msg);
1207
1208 p_ret = p_buf;
1209 } else if (pkt_type == AVDT_PKT_TYPE_START) {
1210 /* start packet */
1211 /* if reassembly in progress drop message and process new single */
1212 if (p_ccb->p_rx_msg != NULL) {
1213 log::warn("Got start during reassembly");
1214 }
1215
1216 osi_free_and_reset((void**)&p_ccb->p_rx_msg);
1217
1218 /*
1219 * Allocate bigger buffer for reassembly. As lower layers are
1220 * not aware of possible packet size after reassembly, they
1221 * would have allocated smaller buffer.
1222 */
1223 if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
1224 osi_free(p_buf);
1225 p_ret = NULL;
1226 return p_ret;
1227 }
1228 p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
1229 memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
1230
1231 /* Free original buffer */
1232 osi_free(p_buf);
1233
1234 /* update p to point to new buffer */
1235 p = (uint8_t*)(p_ccb->p_rx_msg + 1) + p_ccb->p_rx_msg->offset;
1236
1237 /* copy first header byte over nosp */
1238 *(p + 1) = *p;
1239
1240 /* set offset to point to where to copy next */
1241 p_ccb->p_rx_msg->offset += p_ccb->p_rx_msg->len;
1242
1243 /* adjust length for packet header */
1244 p_ccb->p_rx_msg->len -= 1;
1245
1246 p_ret = NULL;
1247 } else {
1248 /* continue or end */
1249 /* if no reassembly in progress drop message */
1250 if (p_ccb->p_rx_msg == NULL) {
1251 osi_free(p_buf);
1252 log::warn("Pkt type={} out of order", pkt_type);
1253 p_ret = NULL;
1254 } else {
1255 /* get size of buffer holding assembled message */
1256 /*
1257 * NOTE: The buffer is allocated above at the beginning of the
1258 * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
1259 */
1260 size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
1261
1262 /* adjust offset and len of fragment for header byte */
1263 p_buf->offset += AVDT_LEN_TYPE_CONT;
1264 p_buf->len -= AVDT_LEN_TYPE_CONT;
1265
1266 /* verify length */
1267 if (((size_t)p_ccb->p_rx_msg->offset + (size_t)p_buf->len) > buf_len) {
1268 /* won't fit; free everything */
1269 log::warn("Fragmented message too big!");
1270 osi_free_and_reset((void**)&p_ccb->p_rx_msg);
1271 osi_free(p_buf);
1272 p_ret = NULL;
1273 } else {
1274 /* copy contents of p_buf to p_rx_msg */
1275 memcpy((uint8_t*)(p_ccb->p_rx_msg + 1) + p_ccb->p_rx_msg->offset,
1276 (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
1277
1278 if (pkt_type == AVDT_PKT_TYPE_END) {
1279 p_ccb->p_rx_msg->offset -= p_ccb->p_rx_msg->len;
1280 p_ccb->p_rx_msg->len += p_buf->len;
1281 p_ret = p_ccb->p_rx_msg;
1282 p_ccb->p_rx_msg = NULL;
1283 } else {
1284 p_ccb->p_rx_msg->offset += p_buf->len;
1285 p_ccb->p_rx_msg->len += p_buf->len;
1286 p_ret = NULL;
1287 }
1288 osi_free(p_buf);
1289 }
1290 }
1291 }
1292 return p_ret;
1293 }
1294
1295 /*******************************************************************************
1296 *
1297 * Function avdt_msg_send_cmd
1298 *
1299 * Description This function is called to send a command message. The
1300 * sig_id parameter indicates the message type, p_params
1301 * points to the message parameters, if any. It gets a buffer
1302 * from the AVDTP command pool, executes the message building
1303 * function for this message type. It then queues the message
1304 * in the command queue for this CCB.
1305 *
1306 *
1307 * Returns Nothing.
1308 *
1309 ******************************************************************************/
avdt_msg_send_cmd(AvdtpCcb * p_ccb,void * p_scb,uint8_t sig_id,tAVDT_MSG * p_params)1310 void avdt_msg_send_cmd(AvdtpCcb* p_ccb, void* p_scb, uint8_t sig_id, tAVDT_MSG* p_params) {
1311 uint8_t* p;
1312 uint8_t* p_start;
1313 BT_HDR* p_buf = (BT_HDR*)osi_malloc(AVDT_CMD_BUF_SIZE);
1314
1315 /* set up buf pointer and offset */
1316 p_buf->offset = AVDT_MSG_OFFSET;
1317 p_start = p = (uint8_t*)(p_buf + 1) + p_buf->offset;
1318
1319 /* execute parameter building function to build message */
1320 (*avdt_msg_bld_cmd[sig_id - 1])(&p, p_params);
1321
1322 /* set len */
1323 p_buf->len = (uint16_t)(p - p_start);
1324
1325 /* now store scb hdls, if any, in buf */
1326 if (p_scb != NULL) {
1327 p = (uint8_t*)(p_buf + 1);
1328
1329 /* for start and suspend, p_scb points to array of handles */
1330 if ((sig_id == AVDT_SIG_START) || (sig_id == AVDT_SIG_SUSPEND)) {
1331 memcpy(p, (uint8_t*)p_scb, p_buf->len);
1332 } else {
1333 /* for all others, p_scb points to scb as usual */
1334 *p = avdt_scb_to_hdl((AvdtpScb*)p_scb);
1335 }
1336 }
1337
1338 /* stash sig, label, and message type in buf */
1339 p_buf->event = sig_id;
1340 AVDT_BLD_LAYERSPEC(p_buf->layer_specific, AVDT_MSG_TYPE_CMD, p_ccb->label);
1341
1342 /* increment label */
1343 p_ccb->label = (p_ccb->label + 1) % 16;
1344
1345 /* queue message and trigger ccb to send it */
1346 fixed_queue_enqueue(p_ccb->cmd_q, p_buf);
1347 avdt_ccb_event(p_ccb, AVDT_CCB_SENDMSG_EVT, NULL);
1348 }
1349
1350 /*******************************************************************************
1351 *
1352 * Function avdt_msg_send_rsp
1353 *
1354 * Description This function is called to send a response message. The
1355 * sig_id parameter indicates the message type, p_params
1356 * points to the message parameters, if any. It gets a buffer
1357 * from the AVDTP command pool, executes the message building
1358 * function for this message type. It then queues the message
1359 * in the response queue for this CCB.
1360 *
1361 *
1362 * Returns Nothing.
1363 *
1364 ******************************************************************************/
avdt_msg_send_rsp(AvdtpCcb * p_ccb,uint8_t sig_id,tAVDT_MSG * p_params)1365 void avdt_msg_send_rsp(AvdtpCcb* p_ccb, uint8_t sig_id, tAVDT_MSG* p_params) {
1366 uint8_t* p;
1367 uint8_t* p_start;
1368 BT_HDR* p_buf = (BT_HDR*)osi_malloc(AVDT_CMD_BUF_SIZE);
1369
1370 /* set up buf pointer and offset */
1371 p_buf->offset = AVDT_MSG_OFFSET;
1372 p_start = p = (uint8_t*)(p_buf + 1) + p_buf->offset;
1373
1374 /* execute parameter building function to build message */
1375 (*avdt_msg_bld_rsp[sig_id - 1])(&p, p_params);
1376
1377 /* set length */
1378 p_buf->len = (uint16_t)(p - p_start);
1379
1380 /* stash sig, label, and message type in buf */
1381 p_buf->event = sig_id;
1382 AVDT_BLD_LAYERSPEC(p_buf->layer_specific, AVDT_MSG_TYPE_RSP, p_params->hdr.label);
1383
1384 /* queue message and trigger ccb to send it */
1385 fixed_queue_enqueue(p_ccb->rsp_q, p_buf);
1386 avdt_ccb_event(p_ccb, AVDT_CCB_SENDMSG_EVT, NULL);
1387 }
1388
1389 /*******************************************************************************
1390 *
1391 * Function avdt_msg_send_rej
1392 *
1393 * Description This function is called to send a reject message. The
1394 * sig_id parameter indicates the message type. It gets
1395 * a buffer from the AVDTP command pool and builds the
1396 * message based on the message type and the error code.
1397 * It then queues the message in the response queue for
1398 * this CCB.
1399 *
1400 *
1401 * Returns Nothing.
1402 *
1403 ******************************************************************************/
avdt_msg_send_rej(AvdtpCcb * p_ccb,uint8_t sig_id,tAVDT_MSG * p_params)1404 void avdt_msg_send_rej(AvdtpCcb* p_ccb, uint8_t sig_id, tAVDT_MSG* p_params) {
1405 uint8_t* p;
1406 uint8_t* p_start;
1407 BT_HDR* p_buf = (BT_HDR*)osi_malloc(AVDT_CMD_BUF_SIZE);
1408
1409 /* set up buf pointer and offset */
1410 p_buf->offset = AVDT_MSG_OFFSET;
1411 p_start = p = (uint8_t*)(p_buf + 1) + p_buf->offset;
1412
1413 /* if sig id included, build into message */
1414 if (sig_id != AVDT_SIG_NONE) {
1415 /* if this sig has a parameter, add the parameter */
1416 if ((sig_id == AVDT_SIG_SETCONFIG) || (sig_id == AVDT_SIG_RECONFIG)) {
1417 AVDT_MSG_BLD_PARAM(p, p_params->hdr.err_param);
1418 } else if ((sig_id == AVDT_SIG_START) || (sig_id == AVDT_SIG_SUSPEND)) {
1419 AVDT_MSG_BLD_SEID(p, p_params->hdr.err_param);
1420 }
1421
1422 /* add the error code */
1423 AVDT_MSG_BLD_ERR(p, p_params->hdr.err_code);
1424 }
1425 log::verbose("avdt_msg_send_rej");
1426
1427 /* calculate length */
1428 p_buf->len = (uint16_t)(p - p_start);
1429
1430 /* stash sig, label, and message type in buf */
1431 p_buf->event = sig_id;
1432 AVDT_BLD_LAYERSPEC(p_buf->layer_specific, AVDT_MSG_TYPE_REJ, p_params->hdr.label);
1433
1434 /* queue message and trigger ccb to send it */
1435 fixed_queue_enqueue(p_ccb->rsp_q, p_buf);
1436 avdt_ccb_event(p_ccb, AVDT_CCB_SENDMSG_EVT, NULL);
1437 }
1438
1439 /*******************************************************************************
1440 *
1441 * Function avdt_msg_send_grej
1442 *
1443 * Description This function is called to send a general reject message.
1444 * The sig_id parameter indicates the message type. It gets
1445 * a buffer from the AVDTP command pool and builds the
1446 * message based on the message type and the error code.
1447 * It then queues the message in the response queue for
1448 * this CCB.
1449 *
1450 *
1451 * Returns Nothing.
1452 *
1453 ******************************************************************************/
avdt_msg_send_grej(AvdtpCcb * p_ccb,uint8_t sig_id,tAVDT_MSG * p_params)1454 void avdt_msg_send_grej(AvdtpCcb* p_ccb, uint8_t sig_id, tAVDT_MSG* p_params) {
1455 uint8_t* p;
1456 uint8_t* p_start;
1457 BT_HDR* p_buf = (BT_HDR*)osi_malloc(AVDT_CMD_BUF_SIZE);
1458
1459 /* set up buf pointer and offset */
1460 p_buf->offset = AVDT_MSG_OFFSET;
1461 p_start = p = (uint8_t*)(p_buf + 1) + p_buf->offset;
1462
1463 /* calculate length */
1464 p_buf->len = (uint16_t)(p - p_start);
1465
1466 /* stash sig, label, and message type in buf */
1467 p_buf->event = sig_id;
1468 AVDT_BLD_LAYERSPEC(p_buf->layer_specific, AVDT_MSG_TYPE_GRJ, p_params->hdr.label);
1469 log::verbose("");
1470
1471 /* queue message and trigger ccb to send it */
1472 fixed_queue_enqueue(p_ccb->rsp_q, p_buf);
1473 avdt_ccb_event(p_ccb, AVDT_CCB_SENDMSG_EVT, NULL);
1474 }
1475
1476 /*******************************************************************************
1477 *
1478 * Function avdt_msg_ind
1479 *
1480 * Description This function is called by the adaptation layer when an
1481 * incoming message is received on the signaling channel.
1482 * It parses the message and sends an event to the appropriate
1483 * SCB or CCB for the message.
1484 *
1485 *
1486 * Returns Nothing.
1487 *
1488 ******************************************************************************/
avdt_msg_ind(AvdtpCcb * p_ccb,BT_HDR * p_buf)1489 void avdt_msg_ind(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
1490 AvdtpScb* p_scb;
1491 uint8_t* p;
1492 bool ok = true;
1493 bool handle_rsp = false;
1494 bool gen_rej = false;
1495 uint8_t label;
1496 uint8_t pkt_type;
1497 uint8_t msg_type;
1498 uint8_t sig = 0;
1499 tAVDT_MSG msg{};
1500 AvdtpSepConfig cfg{};
1501 uint8_t err;
1502 uint8_t evt = 0;
1503 uint8_t scb_hdl;
1504
1505 /* reassemble message; if no message available (we received a fragment) return
1506 */
1507 p_buf = avdt_msg_asmbl(p_ccb, p_buf);
1508 if (p_buf == NULL) {
1509 return;
1510 }
1511
1512 p = (uint8_t*)(p_buf + 1) + p_buf->offset;
1513
1514 /* parse the message header */
1515 AVDT_MSG_PRS_HDR(p, label, pkt_type, msg_type);
1516
1517 /* set up label and ccb_idx in message hdr */
1518 msg.hdr.label = label;
1519 msg.hdr.ccb_idx = avdt_ccb_to_idx(p_ccb);
1520
1521 /* verify msg type */
1522 if (msg_type == AVDT_MSG_TYPE_GRJ) {
1523 log::warn("Dropping msg msg_type={}", msg_type);
1524 ok = false;
1525 } else if ((msg_type == AVDT_MSG_TYPE_REJ) && (p_buf->len == AVDT_LEN_GEN_REJ)) {
1526 /* check for general reject */
1527 gen_rej = true;
1528 if (p_ccb->p_curr_cmd != NULL) {
1529 msg.hdr.sig_id = sig = (uint8_t)p_ccb->p_curr_cmd->event;
1530 evt = avdt_msg_rej_2_evt[sig - 1];
1531 msg.hdr.err_code = AVDT_ERR_NSC;
1532 msg.hdr.err_param = 0;
1533 }
1534 } else /* not a general reject */
1535 {
1536 /* get and verify signal */
1537 AVDT_MSG_PRS_SIG(p, sig);
1538 msg.hdr.sig_id = sig;
1539 if ((sig == 0) || (sig > AVDT_SIG_MAX)) {
1540 log::warn("Dropping msg sig={} msg_type:{}", sig, msg_type);
1541 ok = false;
1542
1543 /* send a general reject */
1544 if (msg_type == AVDT_MSG_TYPE_CMD) {
1545 avdt_msg_send_grej(p_ccb, sig, &msg);
1546 }
1547 }
1548
1549 /* validate reject/response against cached sig */
1550 if (com::android::bluetooth::flags::btsec_avdt_msg_ind_type_confusion()) {
1551 if (((msg_type == AVDT_MSG_TYPE_RSP) || (msg_type == AVDT_MSG_TYPE_REJ)) &&
1552 (p_ccb->p_curr_cmd == nullptr || p_ccb->p_curr_cmd->event != sig)) {
1553 log::warn("Dropping msg with mismatched sig; sig={}", sig);
1554 ok = false;
1555 }
1556 }
1557 }
1558
1559 log::verbose("msg_type={}, sig={}", msg_type, sig);
1560
1561 if (ok && !gen_rej) {
1562 /* skip over header (msg length already verified during reassembly) */
1563 p_buf->len -= AVDT_LEN_TYPE_SINGLE;
1564
1565 /* set up to parse message */
1566 if ((msg_type == AVDT_MSG_TYPE_RSP) && (sig == AVDT_SIG_DISCOVER)) {
1567 /* parse discover rsp message to struct supplied by app */
1568 msg.discover_rsp.p_sep_info = (tAVDT_SEP_INFO*)p_ccb->p_proc_data;
1569 msg.discover_rsp.num_seps = p_ccb->proc_param;
1570 } else if ((msg_type == AVDT_MSG_TYPE_RSP) &&
1571 ((sig == AVDT_SIG_GETCAP) || (sig == AVDT_SIG_GET_ALLCAP))) {
1572 /* parse discover rsp message to struct supplied by app */
1573 msg.svccap.p_cfg = (AvdtpSepConfig*)p_ccb->p_proc_data;
1574 } else if ((msg_type == AVDT_MSG_TYPE_RSP) && (sig == AVDT_SIG_GETCONFIG)) {
1575 /* parse get config rsp message to struct allocated locally */
1576 msg.svccap.p_cfg = &cfg;
1577 } else if ((msg_type == AVDT_MSG_TYPE_CMD) && (sig == AVDT_SIG_SETCONFIG)) {
1578 /* parse config cmd message to struct allocated locally */
1579 msg.config_cmd.p_cfg = &cfg;
1580 } else if ((msg_type == AVDT_MSG_TYPE_CMD) && (sig == AVDT_SIG_RECONFIG)) {
1581 /* parse reconfig cmd message to struct allocated locally */
1582 msg.reconfig_cmd.p_cfg = &cfg;
1583 }
1584
1585 /* parse message; while we're at it map message sig to event */
1586 if (msg_type == AVDT_MSG_TYPE_CMD) {
1587 msg.hdr.err_code = err = (*avdt_msg_prs_cmd[sig - 1])(&msg, p, p_buf->len);
1588 evt = avdt_msg_cmd_2_evt[sig - 1];
1589 } else if (msg_type == AVDT_MSG_TYPE_RSP) {
1590 msg.hdr.err_code = err = (*avdt_msg_prs_rsp[sig - 1])(&msg, p, p_buf->len);
1591 evt = avdt_msg_rsp_2_evt[sig - 1];
1592 } else /* msg_type == AVDT_MSG_TYPE_REJ */
1593 {
1594 err = avdt_msg_prs_rej(&msg, p, p_buf->len, sig);
1595 evt = avdt_msg_rej_2_evt[sig - 1];
1596 }
1597
1598 /* if parsing failed */
1599 if (err != 0) {
1600 log::warn("Parsing failed sig={} err=0x{:x}", sig, err);
1601
1602 /* if its a rsp or rej, drop it; if its a cmd, send a rej;
1603 ** note special case for abort; never send abort reject
1604 */
1605 ok = false;
1606 if ((msg_type == AVDT_MSG_TYPE_CMD) && (sig != AVDT_SIG_ABORT)) {
1607 avdt_msg_send_rej(p_ccb, sig, &msg);
1608 }
1609 }
1610 }
1611
1612 /* if its a rsp or rej, check sent cmd to see if we're waiting for
1613 ** the rsp or rej. If we didn't send a cmd for it, drop it. If
1614 ** it does match a cmd, stop timer for the cmd.
1615 */
1616 if (ok) {
1617 if ((msg_type == AVDT_MSG_TYPE_RSP) || (msg_type == AVDT_MSG_TYPE_REJ)) {
1618 if ((p_ccb->p_curr_cmd != NULL) && (p_ccb->p_curr_cmd->event == sig) &&
1619 (AVDT_LAYERSPEC_LABEL(p_ccb->p_curr_cmd->layer_specific) == label)) {
1620 /* stop timer */
1621 alarm_cancel(p_ccb->idle_ccb_timer);
1622 alarm_cancel(p_ccb->ret_ccb_timer);
1623 alarm_cancel(p_ccb->rsp_ccb_timer);
1624
1625 /* clear retransmission count */
1626 p_ccb->ret_count = 0;
1627
1628 /* later in this function handle ccb event */
1629 handle_rsp = true;
1630 } else {
1631 ok = false;
1632 log::warn("Cmd not found for rsp sig={} label={}", sig, label);
1633 }
1634 }
1635 }
1636
1637 if (ok) {
1638 /* if it's a ccb event send to ccb */
1639 if (evt & AVDT_CCB_MKR) {
1640 tAVDT_CCB_EVT avdt_ccb_evt;
1641 avdt_ccb_evt.msg = msg;
1642 avdt_ccb_event(p_ccb, (uint8_t)(evt & ~AVDT_CCB_MKR), &avdt_ccb_evt);
1643 } else {
1644 /* if it's a scb event */
1645 /* Scb events always have a single seid. For cmd, get seid from
1646 ** message. For rej and rsp, get seid from p_curr_cmd.
1647 */
1648 if (msg_type == AVDT_MSG_TYPE_CMD) {
1649 scb_hdl = msg.single.seid;
1650 } else {
1651 scb_hdl = *((uint8_t*)(p_ccb->p_curr_cmd + 1));
1652 }
1653
1654 /* Map seid to the scb and send it the event. For cmd, seid has
1655 ** already been verified by parsing function.
1656 */
1657 if (evt) {
1658 p_scb = avdt_scb_by_hdl(scb_hdl);
1659 if (p_scb != NULL) {
1660 tAVDT_SCB_EVT avdt_scb_evt;
1661 avdt_scb_evt.msg = msg;
1662 avdt_scb_event(p_scb, evt, &avdt_scb_evt);
1663 }
1664 }
1665 }
1666 }
1667
1668 /* free message buffer */
1669 osi_free(p_buf);
1670
1671 /* if its a rsp or rej, send event to ccb to free associated
1672 ** cmd msg buffer and handle cmd queue
1673 */
1674 if (handle_rsp) {
1675 avdt_ccb_event(p_ccb, AVDT_CCB_RCVRSP_EVT, NULL);
1676 }
1677 }
1678