1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains the main GATT client functions
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bluetooth"
26
27 #include <string.h>
28
29 #include "bt_common.h"
30 #include "bt_target.h"
31 #include "bt_utils.h"
32 #include "gatt_int.h"
33 #include "l2c_api.h"
34 #include "osi/include/log.h"
35 #include "osi/include/osi.h"
36 #include "stack/eatt/eatt.h"
37
38 #define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */
39 #define GATT_READ_CHAR_VALUE_HDL (GATT_READ_CHAR_VALUE | 0x80)
40 #define GATT_READ_INC_SRV_UUID128 (GATT_DISC_INC_SRVC | 0x90)
41
42 #define GATT_PREP_WRITE_RSP_MIN_LEN 4
43 #define GATT_NOTIFICATION_MIN_LEN 2
44 #define GATT_WRITE_RSP_MIN_LEN 2
45 #define GATT_INFO_RSP_MIN_LEN 1
46 #define GATT_MTU_RSP_MIN_LEN 2
47 #define GATT_READ_BY_TYPE_RSP_MIN_LEN 1
48
49 #define L2CAP_PKT_OVERHEAD 4
50
51 using base::StringPrintf;
52 using bluetooth::Uuid;
53 using bluetooth::eatt::EattExtension;
54 using bluetooth::eatt::EattChannel;
55
56 /*******************************************************************************
57 * G L O B A L G A T T D A T A *
58 ******************************************************************************/
59 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb);
60
61 uint8_t disc_type_to_att_opcode[GATT_DISC_MAX] = {
62 0,
63 GATT_REQ_READ_BY_GRP_TYPE, /* GATT_DISC_SRVC_ALL = 1, */
64 GATT_REQ_FIND_TYPE_VALUE, /* GATT_DISC_SRVC_BY_UUID, */
65 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_INC_SRVC, */
66 GATT_REQ_READ_BY_TYPE, /* GATT_DISC_CHAR, */
67 GATT_REQ_FIND_INFO /* GATT_DISC_CHAR_DSCPT, */
68 };
69
70 uint16_t disc_type_to_uuid[GATT_DISC_MAX] = {
71 0, /* reserved */
72 GATT_UUID_PRI_SERVICE, /* <service> DISC_SRVC_ALL */
73 GATT_UUID_PRI_SERVICE, /* <service> for DISC_SERVC_BY_UUID */
74 GATT_UUID_INCLUDE_SERVICE, /* <include_service> for DISC_INC_SRVC */
75 GATT_UUID_CHAR_DECLARE, /* <characteristic> for DISC_CHAR */
76 0 /* no type filtering for DISC_CHAR_DSCPT */
77 };
78
79 /*******************************************************************************
80 *
81 * Function gatt_act_discovery
82 *
83 * Description GATT discovery operation.
84 *
85 * Returns void.
86 *
87 ******************************************************************************/
gatt_act_discovery(tGATT_CLCB * p_clcb)88 void gatt_act_discovery(tGATT_CLCB* p_clcb) {
89 uint8_t op_code = disc_type_to_att_opcode[p_clcb->op_subtype];
90
91 if (p_clcb->s_handle > p_clcb->e_handle || p_clcb->s_handle == 0) {
92 LOG_DEBUG("Completed GATT discovery of all handle ranges");
93 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
94 return;
95 }
96
97 tGATT_CL_MSG cl_req;
98 memset(&cl_req, 0, sizeof(tGATT_CL_MSG));
99
100 cl_req.browse.s_handle = p_clcb->s_handle;
101 cl_req.browse.e_handle = p_clcb->e_handle;
102
103 if (disc_type_to_uuid[p_clcb->op_subtype] != 0) {
104 cl_req.browse.uuid =
105 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
106 }
107
108 if (p_clcb->op_subtype ==
109 GATT_DISC_SRVC_BY_UUID) /* fill in the FindByTypeValue request info*/
110 {
111 cl_req.find_type_value.uuid =
112 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
113 cl_req.find_type_value.s_handle = p_clcb->s_handle;
114 cl_req.find_type_value.e_handle = p_clcb->e_handle;
115
116 size_t size = p_clcb->uuid.GetShortestRepresentationSize();
117 cl_req.find_type_value.value_len = size;
118 if (size == Uuid::kNumBytes16) {
119 uint8_t* p = cl_req.find_type_value.value;
120 UINT16_TO_STREAM(p, p_clcb->uuid.As16Bit());
121 } else if (size == Uuid::kNumBytes32) {
122 /* if service type is 32 bits UUID, convert it now */
123 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
124 Uuid::kNumBytes128);
125 cl_req.find_type_value.value_len = Uuid::kNumBytes128;
126 } else
127 memcpy(cl_req.find_type_value.value, p_clcb->uuid.To128BitLE().data(),
128 size);
129 }
130
131 tGATT_STATUS st = attp_send_cl_msg(*p_clcb->p_tcb, p_clcb, op_code, &cl_req);
132 if (st != GATT_SUCCESS && st != GATT_CMD_STARTED) {
133 LOG_WARN("Unable to send ATT message");
134 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
135 }
136 }
137
138 /*******************************************************************************
139 *
140 * Function gatt_act_read
141 *
142 * Description GATT read operation.
143 *
144 * Returns void.
145 *
146 ******************************************************************************/
gatt_act_read(tGATT_CLCB * p_clcb,uint16_t offset)147 void gatt_act_read(tGATT_CLCB* p_clcb, uint16_t offset) {
148 tGATT_TCB& tcb = *p_clcb->p_tcb;
149 tGATT_STATUS rt = GATT_INTERNAL_ERROR;
150 tGATT_CL_MSG msg;
151 uint8_t op_code = 0;
152
153 memset(&msg, 0, sizeof(tGATT_CL_MSG));
154
155 switch (p_clcb->op_subtype) {
156 case GATT_READ_CHAR_VALUE:
157 case GATT_READ_BY_TYPE:
158 op_code = GATT_REQ_READ_BY_TYPE;
159 msg.browse.s_handle = p_clcb->s_handle;
160 msg.browse.e_handle = p_clcb->e_handle;
161 if (p_clcb->op_subtype == GATT_READ_BY_TYPE)
162 msg.browse.uuid = p_clcb->uuid;
163 else {
164 msg.browse.uuid = bluetooth::Uuid::From16Bit(GATT_UUID_CHAR_DECLARE);
165 }
166 break;
167
168 case GATT_READ_CHAR_VALUE_HDL:
169 case GATT_READ_BY_HANDLE:
170 if (!p_clcb->counter) {
171 op_code = GATT_REQ_READ;
172 msg.handle = p_clcb->s_handle;
173 } else {
174 if (!p_clcb->first_read_blob_after_read)
175 p_clcb->first_read_blob_after_read = true;
176 else
177 p_clcb->first_read_blob_after_read = false;
178
179 VLOG(1) << __func__ << ": first_read_blob_after_read="
180 << p_clcb->first_read_blob_after_read;
181 op_code = GATT_REQ_READ_BLOB;
182 msg.read_blob.offset = offset;
183 msg.read_blob.handle = p_clcb->s_handle;
184 }
185 p_clcb->op_subtype &= ~0x80;
186 break;
187
188 case GATT_READ_PARTIAL:
189 op_code = GATT_REQ_READ_BLOB;
190 msg.read_blob.handle = p_clcb->s_handle;
191 msg.read_blob.offset = offset;
192 break;
193
194 case GATT_READ_MULTIPLE:
195 op_code = GATT_REQ_READ_MULTI;
196 memcpy(&msg.read_multi, p_clcb->p_attr_buf, sizeof(tGATT_READ_MULTI));
197 break;
198
199 case GATT_READ_INC_SRV_UUID128:
200 op_code = GATT_REQ_READ;
201 msg.handle = p_clcb->s_handle;
202 p_clcb->op_subtype &= ~0x90;
203 break;
204
205 default:
206 LOG(ERROR) << "Unknown read type:" << +p_clcb->op_subtype;
207 break;
208 }
209
210 if (op_code != 0) rt = attp_send_cl_msg(tcb, p_clcb, op_code, &msg);
211
212 if (op_code == 0 || (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED)) {
213 gatt_end_operation(p_clcb, rt, NULL);
214 }
215 }
216
217 /** GATT write operation */
gatt_act_write(tGATT_CLCB * p_clcb,uint8_t sec_act)218 void gatt_act_write(tGATT_CLCB* p_clcb, uint8_t sec_act) {
219 tGATT_TCB& tcb = *p_clcb->p_tcb;
220
221 CHECK(p_clcb->p_attr_buf);
222 tGATT_VALUE& attr = *((tGATT_VALUE*)p_clcb->p_attr_buf);
223
224 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
225
226 switch (p_clcb->op_subtype) {
227 case GATT_WRITE_NO_RSP: {
228 p_clcb->s_handle = attr.handle;
229 uint8_t op_code = (sec_act == GATT_SEC_SIGN_DATA) ? GATT_SIGN_CMD_WRITE
230 : GATT_CMD_WRITE;
231 tGATT_STATUS rt = gatt_send_write_msg(tcb, p_clcb, op_code, attr.handle,
232 attr.len, 0, attr.value);
233 if (rt != GATT_CMD_STARTED) {
234 if (rt != GATT_SUCCESS) {
235 LOG(ERROR) << StringPrintf(
236 "gatt_act_write() failed op_code=0x%x rt=%d", op_code, rt);
237 }
238 gatt_end_operation(p_clcb, rt, NULL);
239 }
240 return;
241 }
242
243 case GATT_WRITE: {
244 if (attr.len <= (payload_size - GATT_HDR_SIZE)) {
245 p_clcb->s_handle = attr.handle;
246
247 tGATT_STATUS rt = gatt_send_write_msg(
248 tcb, p_clcb, GATT_REQ_WRITE, attr.handle, attr.len, 0, attr.value);
249 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED &&
250 rt != GATT_CONGESTED) {
251 if (rt != GATT_SUCCESS) {
252 LOG(ERROR) << StringPrintf(
253 "gatt_act_write() failed op_code=0x%x rt=%d", GATT_REQ_WRITE,
254 rt);
255 }
256 gatt_end_operation(p_clcb, rt, NULL);
257 }
258
259 } else {
260 /* prepare write for long attribute */
261 gatt_send_prepare_write(tcb, p_clcb);
262 }
263 return;
264 }
265
266 case GATT_WRITE_PREPARE:
267 gatt_send_prepare_write(tcb, p_clcb);
268 return;
269
270 default:
271 CHECK(false) << "Unknown write type" << p_clcb->op_subtype;
272 return;
273 }
274 }
275 /*******************************************************************************
276 *
277 * Function gatt_send_queue_write_cancel
278 *
279 * Description send queue write cancel
280 *
281 * Returns void.
282 *
283 ******************************************************************************/
gatt_send_queue_write_cancel(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,tGATT_EXEC_FLAG flag)284 void gatt_send_queue_write_cancel(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
285 tGATT_EXEC_FLAG flag) {
286 tGATT_STATUS rt;
287
288 VLOG(1) << __func__;
289
290 tGATT_CL_MSG gatt_cl_msg;
291 gatt_cl_msg.exec_write = flag;
292 rt = attp_send_cl_msg(tcb, p_clcb, GATT_REQ_EXEC_WRITE, &gatt_cl_msg);
293
294 if (rt != GATT_SUCCESS) {
295 gatt_end_operation(p_clcb, rt, NULL);
296 }
297 }
298 /*******************************************************************************
299 *
300 * Function gatt_check_write_long_terminate
301 *
302 * Description To terminate write long or not.
303 *
304 * Returns true: write long is terminated; false keep sending.
305 *
306 ******************************************************************************/
gatt_check_write_long_terminate(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,tGATT_VALUE * p_rsp_value)307 bool gatt_check_write_long_terminate(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
308 tGATT_VALUE* p_rsp_value) {
309 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
310 bool terminate = false;
311 tGATT_EXEC_FLAG flag = GATT_PREP_WRITE_EXEC;
312
313 VLOG(1) << __func__;
314 /* check the first write response status */
315 if (p_rsp_value != NULL) {
316 if (p_rsp_value->handle != p_attr->handle ||
317 p_rsp_value->len != p_clcb->counter ||
318 memcmp(p_rsp_value->value, p_attr->value + p_attr->offset,
319 p_rsp_value->len)) {
320 /* data does not match */
321 p_clcb->status = GATT_ERROR;
322 flag = GATT_PREP_WRITE_CANCEL;
323 terminate = true;
324 } else /* response checking is good */
325 {
326 p_clcb->status = GATT_SUCCESS;
327 /* update write offset and check if end of attribute value */
328 if ((p_attr->offset += p_rsp_value->len) >= p_attr->len) terminate = true;
329 }
330 }
331 if (terminate && p_clcb->op_subtype != GATT_WRITE_PREPARE) {
332 gatt_send_queue_write_cancel(tcb, p_clcb, flag);
333 }
334 return terminate;
335 }
336
337 /** Send prepare write */
gatt_send_prepare_write(tGATT_TCB & tcb,tGATT_CLCB * p_clcb)338 void gatt_send_prepare_write(tGATT_TCB& tcb, tGATT_CLCB* p_clcb) {
339 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
340 uint8_t type = p_clcb->op_subtype;
341
342 VLOG(1) << __func__ << StringPrintf(" type=0x%x", type);
343 uint16_t to_send = p_attr->len - p_attr->offset;
344
345 uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, p_clcb->cid);
346 if (to_send > (payload_size -
347 GATT_WRITE_LONG_HDR_SIZE)) /* 2 = uint16_t offset bytes */
348 to_send = payload_size - GATT_WRITE_LONG_HDR_SIZE;
349
350 p_clcb->s_handle = p_attr->handle;
351
352 uint16_t offset = p_attr->offset;
353 if (type == GATT_WRITE_PREPARE) {
354 offset += p_clcb->start_offset;
355 }
356
357 VLOG(1) << StringPrintf("offset =0x%x len=%d", offset, to_send);
358
359 tGATT_STATUS rt = gatt_send_write_msg(
360 tcb, p_clcb, GATT_REQ_PREPARE_WRITE, p_attr->handle, to_send, /* length */
361 offset, /* used as offset */
362 p_attr->value + p_attr->offset); /* data */
363
364 /* remember the write long attribute length */
365 p_clcb->counter = to_send;
366
367 if (rt != GATT_SUCCESS && rt != GATT_CMD_STARTED && rt != GATT_CONGESTED) {
368 gatt_end_operation(p_clcb, rt, NULL);
369 }
370 }
371
372 /*******************************************************************************
373 *
374 * Function gatt_process_find_type_value_rsp
375 *
376 * Description This function handles the find by type value response.
377 *
378 *
379 * Returns void
380 *
381 ******************************************************************************/
gatt_process_find_type_value_rsp(UNUSED_ATTR tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint16_t len,uint8_t * p_data)382 void gatt_process_find_type_value_rsp(UNUSED_ATTR tGATT_TCB& tcb,
383 tGATT_CLCB* p_clcb, uint16_t len,
384 uint8_t* p_data) {
385 tGATT_DISC_RES result;
386 uint8_t* p = p_data;
387
388 VLOG(1) << __func__;
389 /* unexpected response */
390 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
391 p_clcb->op_subtype != GATT_DISC_SRVC_BY_UUID)
392 return;
393
394 memset(&result, 0, sizeof(tGATT_DISC_RES));
395 result.type = bluetooth::Uuid::From16Bit(GATT_UUID_PRI_SERVICE);
396
397 /* returns a series of handle ranges */
398 while (len >= 4) {
399 STREAM_TO_UINT16(result.handle, p);
400 STREAM_TO_UINT16(result.value.group_value.e_handle, p);
401 result.value.group_value.service_type = p_clcb->uuid;
402
403 len -= 4;
404
405 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
406 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
407 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
408 &result);
409 }
410
411 /* last handle + 1 */
412 p_clcb->s_handle = (result.value.group_value.e_handle == 0)
413 ? 0
414 : (result.value.group_value.e_handle + 1);
415 /* initiate another request */
416 gatt_act_discovery(p_clcb);
417 }
418 /*******************************************************************************
419 *
420 * Function gatt_process_read_info_rsp
421 *
422 * Description This function is called to handle the read information
423 * response.
424 *
425 *
426 * Returns void
427 *
428 ******************************************************************************/
gatt_process_read_info_rsp(UNUSED_ATTR tGATT_TCB & tcb,tGATT_CLCB * p_clcb,UNUSED_ATTR uint8_t op_code,uint16_t len,uint8_t * p_data)429 void gatt_process_read_info_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
430 UNUSED_ATTR uint8_t op_code, uint16_t len,
431 uint8_t* p_data) {
432 tGATT_DISC_RES result;
433 uint8_t *p = p_data, uuid_len = 0, type;
434
435 if (len < GATT_INFO_RSP_MIN_LEN) {
436 LOG(ERROR) << "invalid Info Response PDU received, discard.";
437 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
438 return;
439 }
440 /* unexpected response */
441 if (p_clcb->operation != GATTC_OPTYPE_DISCOVERY ||
442 p_clcb->op_subtype != GATT_DISC_CHAR_DSCPT)
443 return;
444
445 STREAM_TO_UINT8(type, p);
446 len -= 1;
447
448 if (type == GATT_INFO_TYPE_PAIR_16)
449 uuid_len = Uuid::kNumBytes16;
450 else if (type == GATT_INFO_TYPE_PAIR_128)
451 uuid_len = Uuid::kNumBytes128;
452
453 while (len >= uuid_len + 2) {
454 STREAM_TO_UINT16(result.handle, p);
455
456 if (uuid_len > 0) {
457 if (!gatt_parse_uuid_from_cmd(&result.type, uuid_len, &p)) break;
458 } else
459 result.type = p_clcb->uuid;
460
461 len -= (uuid_len + 2);
462
463 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
464 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
465 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
466 &result);
467 }
468
469 p_clcb->s_handle = (result.handle == 0) ? 0 : (result.handle + 1);
470 /* initiate another request */
471 gatt_act_discovery(p_clcb);
472 }
473 /*******************************************************************************
474 *
475 * Function gatt_proc_disc_error_rsp
476 *
477 * Description Process the read by type response and send another request
478 * if needed.
479 *
480 * Returns void.
481 *
482 ******************************************************************************/
gatt_proc_disc_error_rsp(UNUSED_ATTR tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t opcode,UNUSED_ATTR uint16_t handle,uint8_t reason)483 void gatt_proc_disc_error_rsp(UNUSED_ATTR tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
484 uint8_t opcode, UNUSED_ATTR uint16_t handle,
485 uint8_t reason) {
486 tGATT_STATUS status = (tGATT_STATUS)reason;
487
488 VLOG(1) << __func__
489 << StringPrintf("reason: %02x cmd_code %04x", reason, opcode);
490
491 switch (opcode) {
492 case GATT_REQ_READ_BY_GRP_TYPE:
493 case GATT_REQ_FIND_TYPE_VALUE:
494 case GATT_REQ_READ_BY_TYPE:
495 case GATT_REQ_FIND_INFO:
496 if (reason == GATT_NOT_FOUND) {
497 status = GATT_SUCCESS;
498 VLOG(1) << "Discovery completed";
499 }
500 break;
501 default:
502 LOG(ERROR) << StringPrintf("Incorrect discovery opcode %04x", opcode);
503 break;
504 }
505
506 gatt_end_operation(p_clcb, status, NULL);
507 }
508
509 /*******************************************************************************
510 *
511 * Function gatt_process_error_rsp
512 *
513 * Description This function is called to handle the error response
514 *
515 *
516 * Returns void
517 *
518 ******************************************************************************/
gatt_process_error_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,UNUSED_ATTR uint8_t op_code,UNUSED_ATTR uint16_t len,uint8_t * p_data)519 void gatt_process_error_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
520 UNUSED_ATTR uint8_t op_code,
521 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
522 uint8_t opcode, *p = p_data;
523 uint8_t reason;
524 uint16_t handle;
525 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
526
527 VLOG(1) << __func__;
528
529 if (len < 4) {
530 android_errorWriteLog(0x534e4554, "79591688");
531 LOG(ERROR) << "Error response too short";
532 // Specification does not clearly define what should happen if error
533 // response is too short. General rule in BT Spec 5.0 Vol 3, Part F 3.4.1.1
534 // is: "If an error code is received in the Error Response that is not
535 // understood by the client, for example an error code that was reserved for
536 // future use that is now being used in a future version of this
537 // specification, then the Error Response shall still be considered to state
538 // that the given request cannot be performed for an unknown reason."
539 opcode = handle = 0;
540 reason = static_cast<tGATT_STATUS>(0x7f);
541 } else {
542 STREAM_TO_UINT8(opcode, p);
543 STREAM_TO_UINT16(handle, p);
544 STREAM_TO_UINT8(reason, p);
545 }
546
547 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
548 gatt_proc_disc_error_rsp(tcb, p_clcb, opcode, handle,
549 static_cast<tGATT_STATUS>(reason));
550 } else {
551 if ((p_clcb->operation == GATTC_OPTYPE_WRITE) &&
552 (p_clcb->op_subtype == GATT_WRITE) &&
553 (opcode == GATT_REQ_PREPARE_WRITE) && (p_attr) &&
554 (handle == p_attr->handle)) {
555 p_clcb->status = static_cast<tGATT_STATUS>(reason);
556 gatt_send_queue_write_cancel(tcb, p_clcb, GATT_PREP_WRITE_CANCEL);
557 } else if ((p_clcb->operation == GATTC_OPTYPE_READ) &&
558 ((p_clcb->op_subtype == GATT_READ_CHAR_VALUE_HDL) ||
559 (p_clcb->op_subtype == GATT_READ_BY_HANDLE)) &&
560 (opcode == GATT_REQ_READ_BLOB) &&
561 p_clcb->first_read_blob_after_read &&
562 (reason == GATT_NOT_LONG)) {
563 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
564 } else
565 gatt_end_operation(p_clcb, static_cast<tGATT_STATUS>(reason), NULL);
566 }
567 }
568 /*******************************************************************************
569 *
570 * Function gatt_process_prep_write_rsp
571 *
572 * Description This function is called to handle the read response
573 *
574 *
575 * Returns void
576 *
577 ******************************************************************************/
gatt_process_prep_write_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t op_code,uint16_t len,uint8_t * p_data)578 void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
579 uint8_t op_code, uint16_t len,
580 uint8_t* p_data) {
581 uint8_t* p = p_data;
582
583 tGATT_VALUE value = {
584 .conn_id = p_clcb->conn_id, .auth_req = GATT_AUTH_REQ_NONE,
585 };
586
587 VLOG(1) << StringPrintf("value resp op_code = %s len = %d",
588 gatt_dbg_op_name(op_code), len);
589
590 if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
591 LOG(ERROR) << "illegal prepare write response length, discard";
592 gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
593 return;
594 }
595
596 STREAM_TO_UINT16(value.handle, p);
597 STREAM_TO_UINT16(value.offset, p);
598
599 value.len = len - 4;
600
601 memcpy(value.value, p, value.len);
602
603 if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
604 gatt_send_prepare_write(tcb, p_clcb);
605 return;
606 }
607
608 if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
609 /* application should verify handle offset
610 and value are matched or not */
611 gatt_end_operation(p_clcb, p_clcb->status, &value);
612 }
613 }
614
615 /*******************************************************************************
616 *
617 * Function gatt_process_notification
618 *
619 * Description Handle the handle value indication/notification.
620 *
621 * Returns void
622 *
623 ******************************************************************************/
gatt_process_notification(tGATT_TCB & tcb,uint16_t cid,uint8_t op_code,uint16_t len,uint8_t * p_data)624 void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
625 uint16_t len, uint8_t* p_data) {
626 tGATT_VALUE value = {};
627 tGATT_REG* p_reg;
628 uint16_t conn_id;
629 tGATT_STATUS encrypt_status = {};
630 uint8_t* p = p_data;
631 uint8_t i;
632 tGATTC_OPTYPE event = (op_code == GATT_HANDLE_VALUE_IND)
633 ? GATTC_OPTYPE_INDICATION
634 : GATTC_OPTYPE_NOTIFICATION;
635
636 VLOG(1) << __func__;
637
638 // Ensure our packet has enough data (2 bytes)
639 if (len < GATT_NOTIFICATION_MIN_LEN) {
640 LOG(ERROR) << "illegal notification PDU length, discard";
641 return;
642 }
643
644 // Get 2 byte handle
645 STREAM_TO_UINT16(value.handle, p);
646
647 // Fail early if the GATT handle is not valid
648 if (!GATT_HANDLE_IS_VALID(value.handle)) {
649 /* illegal handle, send ack now */
650 if (op_code == GATT_HANDLE_VALUE_IND)
651 attp_send_cl_confirmation_msg(tcb, cid);
652 return;
653 }
654
655 // Calculate value length based on opcode
656 if (op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
657 // Ensure our packet has enough data; MIN + 2 more bytes for len value
658 if (len < GATT_NOTIFICATION_MIN_LEN + 2) {
659 LOG(ERROR) << "illegal notification PDU length, discard";
660 return;
661 }
662
663 // Allow multi value opcode to set value len from the packet
664 STREAM_TO_UINT16(value.len, p);
665
666 if (value.len > len - 4) {
667 LOG(ERROR) << "value.len (" << value.len << ") greater than length ("
668 << (len - 4);
669 return;
670 }
671
672 } else {
673 // For single value, just use the passed in len minus opcode length (2)
674 value.len = len - 2;
675 }
676
677 // Verify the new calculated length
678 if (value.len > GATT_MAX_ATTR_LEN) {
679 LOG(ERROR) << "value.len larger than GATT_MAX_ATTR_LEN, discard";
680 return;
681 }
682
683 // Handle indications differently
684 if (event == GATTC_OPTYPE_INDICATION) {
685 if (tcb.ind_count) {
686 /* this is an error case that receiving an indication but we
687 still has an indication not being acked yet.
688 For now, just log the error reset the counter.
689 Later we need to disconnect the link unconditionally.
690 */
691 LOG(ERROR) << __func__ << " rcv Ind. but ind_count=" << tcb.ind_count
692 << " (will reset ind_count)";
693 }
694
695 // Zero out the ind_count
696 tcb.ind_count = 0;
697
698 // Notify all registered clients with the handle value
699 // notification/indication
700 // Note: need to do the indication count and start timer first then do
701 // callback
702 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
703 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) tcb.ind_count++;
704 }
705
706 /* start a timer for app confirmation */
707 if (tcb.ind_count > 0) {
708 gatt_start_ind_ack_timer(tcb, cid);
709 } else { /* no app to indicate, or invalid handle */
710 attp_send_cl_confirmation_msg(tcb, cid);
711 }
712 }
713
714 encrypt_status = gatt_get_link_encrypt_status(tcb);
715
716 STREAM_TO_ARRAY(value.value, p, value.len);
717
718 tGATT_CL_COMPLETE gatt_cl_complete;
719 gatt_cl_complete.att_value = value;
720 gatt_cl_complete.cid = cid;
721
722 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
723 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
724 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
725 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
726 &gatt_cl_complete);
727 }
728 }
729
730 // If this is single value, then nothing is left to do
731 if (op_code != GATT_HANDLE_MULTI_VALUE_NOTIF) return;
732
733 // Need a signed type to check if the value is below 0
734 // as uint16_t doesn't have negatives so the negatives register as a number
735 // thus anything less than zero won't trigger the conditional and it is not
736 // always 0
737 // when done looping as value.len is arbitrary.
738 int16_t rem_len = (int16_t)len - (4 /* octets */ + value.len);
739
740 // Already streamed the first value and sent it, lets send the rest
741 while (rem_len > 4 /* octets */) {
742 // 2
743 STREAM_TO_UINT16(value.handle, p);
744 // + 2 = 4
745 STREAM_TO_UINT16(value.len, p);
746 // Accounting
747 rem_len -= 4;
748 // Make sure we don't read past the remaining data even if the length says
749 // we can Also need to watch comparing the int16_t with the uint16_t
750 value.len = std::min((uint16_t)rem_len, value.len);
751 STREAM_TO_ARRAY(value.value, p, value.len);
752 // Accounting
753 rem_len -= value.len;
754
755 gatt_cl_complete.att_value = value;
756 gatt_cl_complete.cid = cid;
757
758 for (i = 0, p_reg = gatt_cb.cl_rcb; i < GATT_MAX_APPS; i++, p_reg++) {
759 if (p_reg->in_use && p_reg->app_cb.p_cmpl_cb) {
760 conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, p_reg->gatt_if);
761 (*p_reg->app_cb.p_cmpl_cb)(conn_id, event, encrypt_status,
762 &gatt_cl_complete);
763 }
764 }
765 }
766 }
767
768 /*******************************************************************************
769 *
770 * Function gatt_process_read_by_type_rsp
771 *
772 * Description This function is called to handle the read by type response.
773 * read by type can be used for discovery, or read by type or
774 * read characteristic value.
775 *
776 * Returns void
777 *
778 ******************************************************************************/
gatt_process_read_by_type_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint8_t op_code,uint16_t len,uint8_t * p_data)779 void gatt_process_read_by_type_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
780 uint8_t op_code, uint16_t len,
781 uint8_t* p_data) {
782 tGATT_DISC_RES result;
783 tGATT_DISC_VALUE record_value;
784 uint8_t *p = p_data, value_len, handle_len = 2;
785 uint16_t handle = 0;
786
787 /* discovery procedure and no callback function registered */
788 if (((!p_clcb->p_reg) || (!p_clcb->p_reg->app_cb.p_disc_res_cb)) &&
789 (p_clcb->operation == GATTC_OPTYPE_DISCOVERY))
790 return;
791
792 if (len < GATT_READ_BY_TYPE_RSP_MIN_LEN) {
793 LOG(ERROR) << "Illegal ReadByType/ReadByGroupType Response length, discard";
794 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
795 return;
796 }
797
798 STREAM_TO_UINT8(value_len, p);
799 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
800 if ((value_len > (payload_size - 2)) || (value_len > (len - 1))) {
801 /* this is an error case that server's response containing a value length
802 which is larger than MTU-2
803 or value_len > message total length -1 */
804 LOG(ERROR) << __func__
805 << StringPrintf(
806 ": Discard response op_code=%d "
807 "vale_len=%d > (MTU-2=%d or msg_len-1=%d)",
808 op_code, value_len, (payload_size - 2), (len - 1));
809 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
810 return;
811 }
812
813 if (op_code == GATT_RSP_READ_BY_GRP_TYPE) handle_len = 4;
814
815 value_len -= handle_len; /* substract the handle pairs bytes */
816 len -= 1;
817
818 while (len >= (handle_len + value_len)) {
819 STREAM_TO_UINT16(handle, p);
820
821 if (!GATT_HANDLE_IS_VALID(handle)) {
822 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
823 return;
824 }
825
826 memset(&result, 0, sizeof(tGATT_DISC_RES));
827 memset(&record_value, 0, sizeof(tGATT_DISC_VALUE));
828
829 result.handle = handle;
830 result.type =
831 bluetooth::Uuid::From16Bit(disc_type_to_uuid[p_clcb->op_subtype]);
832
833 /* discover all services */
834 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
835 p_clcb->op_subtype == GATT_DISC_SRVC_ALL &&
836 op_code == GATT_RSP_READ_BY_GRP_TYPE) {
837 STREAM_TO_UINT16(handle, p);
838
839 if (!GATT_HANDLE_IS_VALID(handle)) {
840 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
841 return;
842 } else {
843 record_value.group_value.e_handle = handle;
844 if (!gatt_parse_uuid_from_cmd(&record_value.group_value.service_type,
845 value_len, &p)) {
846 LOG(ERROR) << "discover all service response parsing failure";
847 break;
848 }
849 }
850 }
851 /* discover included service */
852 else if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
853 p_clcb->op_subtype == GATT_DISC_INC_SRVC) {
854 if (value_len < 4) {
855 android_errorWriteLog(0x534e4554, "158833854");
856 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 4.";
857 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
858 return;
859 }
860 STREAM_TO_UINT16(record_value.incl_service.s_handle, p);
861 STREAM_TO_UINT16(record_value.incl_service.e_handle, p);
862
863 if (!GATT_HANDLE_IS_VALID(record_value.incl_service.s_handle) ||
864 !GATT_HANDLE_IS_VALID(record_value.incl_service.e_handle)) {
865 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
866 return;
867 }
868
869 if (value_len == 6) {
870 uint16_t tmp;
871 STREAM_TO_UINT16(tmp, p);
872 record_value.incl_service.service_type =
873 bluetooth::Uuid::From16Bit(tmp);
874 } else if (value_len == 4) {
875 p_clcb->s_handle = record_value.incl_service.s_handle;
876 p_clcb->read_uuid128.wait_for_read_rsp = true;
877 p_clcb->read_uuid128.next_disc_start_hdl = handle + 1;
878 memcpy(&p_clcb->read_uuid128.result, &result, sizeof(result));
879 memcpy(&p_clcb->read_uuid128.result.value, &record_value,
880 sizeof(result.value));
881 p_clcb->op_subtype |= 0x90;
882 gatt_act_read(p_clcb, 0);
883 return;
884 } else {
885 LOG(ERROR) << __func__
886 << ": INCL_SRVC failed with invalid data value_len="
887 << +value_len;
888 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
889 return;
890 }
891 }
892 /* read by type */
893 else if (p_clcb->operation == GATTC_OPTYPE_READ &&
894 p_clcb->op_subtype == GATT_READ_BY_TYPE) {
895 p_clcb->counter = len - 2;
896 p_clcb->s_handle = handle;
897 if (p_clcb->counter == (payload_size - 4)) {
898 p_clcb->op_subtype = GATT_READ_BY_HANDLE;
899 if (!p_clcb->p_attr_buf)
900 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
901 if (p_clcb->counter <= GATT_MAX_ATTR_LEN) {
902 memcpy(p_clcb->p_attr_buf, p, p_clcb->counter);
903 gatt_act_read(p_clcb, p_clcb->counter);
904 } else {
905 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, (void*)p);
906 }
907 } else {
908 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
909 }
910 return;
911 } else /* discover characterisitic */
912 {
913 if (value_len < 3) {
914 android_errorWriteLog(0x534e4554, "158778659");
915 LOG(ERROR) << __func__ << " Illegal Response length, must be at least 3.";
916 gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
917 return;
918 }
919 STREAM_TO_UINT8(record_value.dclr_value.char_prop, p);
920 STREAM_TO_UINT16(record_value.dclr_value.val_handle, p);
921 if (!GATT_HANDLE_IS_VALID(record_value.dclr_value.val_handle)) {
922 gatt_end_operation(p_clcb, GATT_INVALID_HANDLE, NULL);
923 return;
924 }
925 if (!gatt_parse_uuid_from_cmd(&record_value.dclr_value.char_uuid,
926 (uint16_t)(value_len - 3), &p)) {
927 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
928 /* invalid format, and skip the result */
929 return;
930 }
931
932 /* UUID not matching */
933 if (!p_clcb->uuid.IsEmpty() &&
934 !record_value.dclr_value.char_uuid.IsEmpty() &&
935 record_value.dclr_value.char_uuid != p_clcb->uuid) {
936 len -= (value_len + 2);
937 continue; /* skip the result, and look for next one */
938 }
939
940 if (p_clcb->operation == GATTC_OPTYPE_READ)
941 /* UUID match for read characteristic value */
942 {
943 /* only read the first matching UUID characteristic value, and
944 discard the rest results */
945 p_clcb->s_handle = record_value.dclr_value.val_handle;
946 p_clcb->op_subtype |= 0x80;
947 gatt_act_read(p_clcb, 0);
948 return;
949 }
950 }
951 len -= (value_len + handle_len);
952
953 /* result is (handle, 16bits UUID) pairs */
954 memcpy(&result.value, &record_value, sizeof(result.value));
955
956 /* send callback if is discover procedure */
957 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
958 p_clcb->p_reg->app_cb.p_disc_res_cb)
959 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
960 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
961 &result);
962 }
963
964 p_clcb->s_handle = (handle == 0) ? 0 : (handle + 1);
965
966 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
967 /* initiate another request */
968 gatt_act_discovery(p_clcb);
969 } else /* read characteristic value */
970 {
971 gatt_act_read(p_clcb, 0);
972 }
973 }
974
975 /*******************************************************************************
976 *
977 * Function gatt_process_read_rsp
978 *
979 * Description This function is called to handle the read BLOB response
980 *
981 *
982 * Returns void
983 *
984 ******************************************************************************/
gatt_process_read_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,UNUSED_ATTR uint8_t op_code,uint16_t len,uint8_t * p_data)985 void gatt_process_read_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
986 UNUSED_ATTR uint8_t op_code, uint16_t len,
987 uint8_t* p_data) {
988 uint16_t offset = p_clcb->counter;
989 uint8_t* p = p_data;
990
991 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, p_clcb->cid);
992
993 if (p_clcb->operation == GATTC_OPTYPE_READ) {
994 if (p_clcb->op_subtype != GATT_READ_BY_HANDLE) {
995 p_clcb->counter = len;
996 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p);
997 } else {
998 /* allocate GKI buffer holding up long attribute value */
999 if (!p_clcb->p_attr_buf)
1000 p_clcb->p_attr_buf = (uint8_t*)osi_malloc(GATT_MAX_ATTR_LEN);
1001
1002 /* copy attrobute value into cb buffer */
1003 if (offset < GATT_MAX_ATTR_LEN) {
1004 if ((len + offset) > GATT_MAX_ATTR_LEN)
1005 len = GATT_MAX_ATTR_LEN - offset;
1006
1007 p_clcb->counter += len;
1008
1009 memcpy(p_clcb->p_attr_buf + offset, p, len);
1010
1011 /* full packet for read or read blob rsp */
1012 bool packet_is_full;
1013 if (payload_size == p_clcb->read_req_current_mtu) {
1014 packet_is_full = (len == (payload_size - 1));
1015 } else {
1016 packet_is_full = (len == (p_clcb->read_req_current_mtu - 1) ||
1017 len == (payload_size - 1));
1018 p_clcb->read_req_current_mtu = payload_size;
1019 }
1020
1021 /* send next request if needed */
1022 if (packet_is_full && (len + offset < GATT_MAX_ATTR_LEN)) {
1023 VLOG(1) << StringPrintf(
1024 "full pkt issue read blob for remianing bytes old offset=%d "
1025 "len=%d new offset=%d",
1026 offset, len, p_clcb->counter);
1027 gatt_act_read(p_clcb, p_clcb->counter);
1028 } else /* end of request, send callback */
1029 {
1030 gatt_end_operation(p_clcb, GATT_SUCCESS, (void*)p_clcb->p_attr_buf);
1031 }
1032 } else /* exception, should not happen */
1033 {
1034 LOG(ERROR) << "attr offset = " << +offset
1035 << " p_attr_buf = " << p_clcb->p_attr_buf;
1036 gatt_end_operation(p_clcb, GATT_NO_RESOURCES,
1037 (void*)p_clcb->p_attr_buf);
1038 }
1039 }
1040 } else {
1041 if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
1042 p_clcb->op_subtype == GATT_DISC_INC_SRVC &&
1043 p_clcb->read_uuid128.wait_for_read_rsp) {
1044 p_clcb->s_handle = p_clcb->read_uuid128.next_disc_start_hdl;
1045 p_clcb->read_uuid128.wait_for_read_rsp = false;
1046 if (len == Uuid::kNumBytes128) {
1047 p_clcb->read_uuid128.result.value.incl_service.service_type =
1048 bluetooth::Uuid::From128BitLE(p);
1049 if (p_clcb->p_reg->app_cb.p_disc_res_cb)
1050 (*p_clcb->p_reg->app_cb.p_disc_res_cb)(
1051 p_clcb->conn_id, static_cast<tGATT_DISC_TYPE>(p_clcb->op_subtype),
1052 &p_clcb->read_uuid128.result);
1053 gatt_act_discovery(p_clcb);
1054 } else {
1055 gatt_end_operation(p_clcb, GATT_INVALID_PDU, (void*)p);
1056 }
1057 }
1058 }
1059 }
1060
1061 /*******************************************************************************
1062 *
1063 * Function gatt_process_handle_rsp
1064 *
1065 * Description This function is called to handle the write response
1066 *
1067 *
1068 * Returns void
1069 *
1070 ******************************************************************************/
gatt_process_handle_rsp(tGATT_CLCB * p_clcb)1071 void gatt_process_handle_rsp(tGATT_CLCB* p_clcb) {
1072 gatt_end_operation(p_clcb, GATT_SUCCESS, NULL);
1073 }
1074 /*******************************************************************************
1075 *
1076 * Function gatt_process_mtu_rsp
1077 *
1078 * Description Process the configure MTU response.
1079 *
1080 *
1081 * Returns void
1082 *
1083 ******************************************************************************/
gatt_process_mtu_rsp(tGATT_TCB & tcb,tGATT_CLCB * p_clcb,uint16_t len,uint8_t * p_data)1084 void gatt_process_mtu_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, uint16_t len,
1085 uint8_t* p_data) {
1086 uint16_t mtu;
1087 tGATT_STATUS status = GATT_SUCCESS;
1088
1089 if (len < GATT_MTU_RSP_MIN_LEN) {
1090 LOG(ERROR) << "invalid MTU response PDU received, discard.";
1091 status = GATT_INVALID_PDU;
1092 } else {
1093 STREAM_TO_UINT16(mtu, p_data);
1094
1095 if (mtu < tcb.payload_size && mtu >= GATT_DEF_BLE_MTU_SIZE)
1096 tcb.payload_size = mtu;
1097 }
1098
1099 BTM_SetBleDataLength(tcb.peer_bda, tcb.payload_size + L2CAP_PKT_OVERHEAD);
1100
1101 gatt_end_operation(p_clcb, status, NULL);
1102 }
1103 /*******************************************************************************
1104 *
1105 * Function gatt_cmd_to_rsp_code
1106 *
1107 * Description Convert an ATT command op code into the corresponding
1108 * response code assume no error occurs.
1109 *
1110 * Returns response code.
1111 *
1112 ******************************************************************************/
gatt_cmd_to_rsp_code(uint8_t cmd_code)1113 uint8_t gatt_cmd_to_rsp_code(uint8_t cmd_code) {
1114 uint8_t rsp_code = 0;
1115
1116 if (cmd_code > 1 && cmd_code != GATT_CMD_WRITE) {
1117 rsp_code = cmd_code + 1;
1118 }
1119 return rsp_code;
1120 }
1121
1122 /** Find next command in queue and sent to server */
gatt_cl_send_next_cmd_inq(tGATT_TCB & tcb)1123 bool gatt_cl_send_next_cmd_inq(tGATT_TCB& tcb) {
1124 std::queue<tGATT_CMD_Q>* cl_cmd_q;
1125
1126 while (!tcb.cl_cmd_q.empty() ||
1127 EattExtension::GetInstance()->IsOutstandingMsgInSendQueue(tcb.peer_bda)) {
1128 if (!tcb.cl_cmd_q.empty()) {
1129 cl_cmd_q = &tcb.cl_cmd_q;
1130 } else {
1131 EattChannel* channel =
1132 EattExtension::GetInstance()->GetChannelWithQueuedData(tcb.peer_bda);
1133 cl_cmd_q = &channel->cl_cmd_q_;
1134 }
1135
1136 tGATT_CMD_Q& cmd = cl_cmd_q->front();
1137 if (!cmd.to_send || cmd.p_cmd == NULL) {
1138 return false;
1139 }
1140
1141 tGATT_STATUS att_ret;
1142 att_ret = attp_send_msg_to_l2cap(tcb, cmd.cid, cmd.p_cmd);
1143
1144 if (att_ret != GATT_SUCCESS && att_ret != GATT_CONGESTED) {
1145 LOG(ERROR) << __func__ << ": L2CAP sent error";
1146 cl_cmd_q->pop();
1147 continue;
1148 }
1149
1150 cmd.to_send = false;
1151 cmd.p_cmd = NULL;
1152
1153 if (cmd.op_code == GATT_CMD_WRITE || cmd.op_code == GATT_SIGN_CMD_WRITE) {
1154 /* dequeue the request if is write command or sign write */
1155 uint8_t rsp_code;
1156 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cmd.cid, &rsp_code);
1157
1158 /* send command complete callback here */
1159 gatt_end_operation(p_clcb, att_ret, NULL);
1160
1161 /* if no ack needed, keep sending */
1162 if (att_ret == GATT_SUCCESS) continue;
1163
1164 return true;
1165 }
1166
1167 gatt_start_rsp_timer(cmd.p_clcb);
1168 return true;
1169 }
1170
1171 return false;
1172 }
1173
1174 /** This function is called to handle the server response to client */
gatt_client_handle_server_rsp(tGATT_TCB & tcb,uint16_t cid,uint8_t op_code,uint16_t len,uint8_t * p_data)1175 void gatt_client_handle_server_rsp(tGATT_TCB& tcb, uint16_t cid,
1176 uint8_t op_code, uint16_t len,
1177 uint8_t* p_data) {
1178 VLOG(1) << __func__ << " opcode: " << loghex(op_code);
1179
1180 uint16_t payload_size = gatt_tcb_get_payload_size_rx(tcb, cid);
1181
1182 if (op_code == GATT_HANDLE_VALUE_IND || op_code == GATT_HANDLE_VALUE_NOTIF ||
1183 op_code == GATT_HANDLE_MULTI_VALUE_NOTIF) {
1184 if (len >= payload_size) {
1185 LOG(ERROR) << StringPrintf(
1186 "%s: invalid indicate pkt size: %d, PDU size: %d", __func__, len + 1,
1187 payload_size);
1188 return;
1189 }
1190
1191 gatt_process_notification(tcb, cid, op_code, len, p_data);
1192 return;
1193 }
1194
1195 uint8_t cmd_code = 0;
1196 tGATT_CLCB* p_clcb = gatt_cmd_dequeue(tcb, cid, &cmd_code);
1197 uint8_t rsp_code = gatt_cmd_to_rsp_code(cmd_code);
1198 if (!p_clcb || (rsp_code != op_code && op_code != GATT_RSP_ERROR)) {
1199 LOG(WARNING) << StringPrintf(
1200 "ATT - Ignore wrong response. Receives (%02x) Request(%02x) Ignored",
1201 op_code, rsp_code);
1202 return;
1203 }
1204
1205 if (!p_clcb->in_use) {
1206 LOG(WARNING) << "ATT - clcb already not in use, ignoring response";
1207 gatt_cl_send_next_cmd_inq(tcb);
1208 return;
1209 }
1210
1211 gatt_stop_rsp_timer(p_clcb);
1212 p_clcb->retry_count = 0;
1213
1214 /* the size of the message may not be bigger than the local max PDU size*/
1215 /* The message has to be smaller than the agreed MTU, len does not count
1216 * op_code */
1217 if (len >= payload_size) {
1218 LOG(ERROR) << StringPrintf(
1219 "%s: invalid response pkt size: %d, PDU size: %d", __func__, len + 1,
1220 payload_size);
1221 gatt_end_operation(p_clcb, GATT_ERROR, NULL);
1222 } else {
1223 switch (op_code) {
1224 case GATT_RSP_ERROR:
1225 gatt_process_error_rsp(tcb, p_clcb, op_code, len, p_data);
1226 break;
1227
1228 case GATT_RSP_MTU: /* 2 bytes mtu */
1229 gatt_process_mtu_rsp(tcb, p_clcb, len, p_data);
1230 break;
1231
1232 case GATT_RSP_FIND_INFO:
1233 gatt_process_read_info_rsp(tcb, p_clcb, op_code, len, p_data);
1234 break;
1235
1236 case GATT_RSP_READ_BY_TYPE:
1237 case GATT_RSP_READ_BY_GRP_TYPE:
1238 gatt_process_read_by_type_rsp(tcb, p_clcb, op_code, len, p_data);
1239 break;
1240
1241 case GATT_RSP_READ:
1242 case GATT_RSP_READ_BLOB:
1243 case GATT_RSP_READ_MULTI:
1244 case GATT_RSP_READ_MULTI_VAR:
1245 gatt_process_read_rsp(tcb, p_clcb, op_code, len, p_data);
1246 break;
1247
1248 case GATT_RSP_FIND_TYPE_VALUE: /* disc service with UUID */
1249 gatt_process_find_type_value_rsp(tcb, p_clcb, len, p_data);
1250 break;
1251
1252 case GATT_RSP_WRITE:
1253 gatt_process_handle_rsp(p_clcb);
1254 break;
1255
1256 case GATT_RSP_PREPARE_WRITE:
1257 gatt_process_prep_write_rsp(tcb, p_clcb, op_code, len, p_data);
1258 break;
1259
1260 case GATT_RSP_EXEC_WRITE:
1261 gatt_end_operation(p_clcb, p_clcb->status, NULL);
1262 break;
1263
1264 default:
1265 LOG(ERROR) << __func__ << ": Unknown opcode = " << std::hex << op_code;
1266 break;
1267 }
1268 }
1269
1270 gatt_cl_send_next_cmd_inq(tcb);
1271 }
1272