1 /******************************************************************************
2 *
3 * Copyright 2003-2016 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * Interface to AVRCP mandatory commands
22 *
23 ******************************************************************************/
24 #include "avrc_api.h"
25
26 #include <android_bluetooth_sysprop.h>
27 #include <bluetooth/log.h>
28 #include <string.h>
29
30 #include "avrc_int.h"
31 #include "btif/include/btif_av.h"
32 #include "btif/include/btif_config.h"
33 #include "internal_include/bt_target.h"
34 #include "os/log.h"
35 #include "osi/include/allocator.h"
36 #include "osi/include/fixed_queue.h"
37 #include "osi/include/properties.h"
38 #include "stack/avct/avct_defs.h"
39 #include "stack/include/bt_hdr.h"
40 #include "stack/include/bt_types.h"
41 #include "stack/include/bt_uuid16.h"
42 #include "storage/config_keys.h"
43 #include "types/raw_address.h"
44
45 using namespace bluetooth;
46
47 /*****************************************************************************
48 * Global data
49 ****************************************************************************/
50
51 #define AVRC_MAX_RCV_CTRL_EVT AVCT_BROWSE_UNCONG_IND_EVT
52
53 #ifndef MAX
54 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 #endif
56
57 static const uint8_t avrc_ctrl_event_map[] = {
58 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_CFM_EVT */
59 AVRC_OPEN_IND_EVT, /* AVCT_CONNECT_IND_EVT */
60 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_CFM_EVT */
61 AVRC_CLOSE_IND_EVT, /* AVCT_DISCONNECT_IND_EVT */
62 AVRC_CONG_IND_EVT, /* AVCT_CONG_IND_EVT */
63 AVRC_UNCONG_IND_EVT, /* AVCT_UNCONG_IND_EVT */
64 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_CFM_EVT */
65 AVRC_BROWSE_OPEN_IND_EVT, /* AVCT_BROWSE_CONN_IND_EVT */
66 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_CFM_EVT */
67 AVRC_BROWSE_CLOSE_IND_EVT, /* AVCT_BROWSE_DISCONN_IND_EVT */
68 AVRC_BROWSE_CONG_IND_EVT, /* AVCT_BROWSE_CONG_IND_EVT */
69 AVRC_BROWSE_UNCONG_IND_EVT /* AVCT_BROWSE_UNCONG_IND_EVT */
70 };
71
72 /* use this unused opcode to indication no need to call the callback function */
73 #define AVRC_OP_DROP 0xFE
74 /* use this unused opcode to indication no need to call the callback function &
75 * free buffer */
76 #define AVRC_OP_DROP_N_FREE 0xFD
77
78 #define AVRC_OP_UNIT_INFO_RSP_LEN 8
79 #define AVRC_OP_SUB_UNIT_INFO_RSP_LEN 8
80 #define AVRC_OP_REJ_MSG_LEN 11
81
82 /* Flags definitions for AVRC_MsgReq */
83 #define AVRC_MSG_MASK_IS_VENDOR_CMD 0x01
84 #define AVRC_MSG_MASK_IS_CONTINUATION_RSP 0x02
85
86 /******************************************************************************
87 *
88 * Function avrcp_absolute_volume_is_enabled
89 *
90 * Description Check if config support advance control (absolute volume)
91 *
92 * Returns return true if absolute_volume is enabled
93 *
94 *****************************************************************************/
avrcp_absolute_volume_is_enabled()95 bool avrcp_absolute_volume_is_enabled() {
96 return GET_SYSPROP(Avrcp, absolute_volume, true);
97 }
98
99 /******************************************************************************
100 *
101 * Function avrc_ctrl_cback
102 *
103 * Description This is the callback function used by AVCTP to report
104 * received link events.
105 *
106 * Returns Nothing.
107 *
108 *****************************************************************************/
avrc_ctrl_cback(uint8_t handle,uint8_t event,uint16_t result,const RawAddress * peer_addr)109 static void avrc_ctrl_cback(uint8_t handle, uint8_t event, uint16_t result,
110 const RawAddress* peer_addr) {
111 uint8_t avrc_event;
112
113 if (event <= AVRC_MAX_RCV_CTRL_EVT && avrc_cb.ccb[handle].ctrl_cback) {
114 avrc_event = avrc_ctrl_event_map[event];
115 if (event == AVCT_CONNECT_CFM_EVT) {
116 if (result != 0) /* failed */
117 avrc_event = AVRC_CLOSE_IND_EVT;
118 }
119 avrc_cb.ccb[handle].ctrl_cback.Run(handle, avrc_event, result, peer_addr);
120 }
121
122 if ((event == AVCT_DISCONNECT_CFM_EVT) ||
123 (event == AVCT_DISCONNECT_IND_EVT)) {
124 avrc_flush_cmd_q(handle);
125 alarm_free(avrc_cb.ccb_int[handle].tle);
126 avrc_cb.ccb_int[handle].tle = NULL;
127 }
128 }
129
130 /******************************************************************************
131 *
132 * Function avrc_flush_cmd_q
133 *
134 * Description Flush command queue for the specified avrc handle
135 *
136 * Returns Nothing.
137 *
138 *****************************************************************************/
avrc_flush_cmd_q(uint8_t handle)139 void avrc_flush_cmd_q(uint8_t handle) {
140 log::verbose("AVRC: Flushing command queue for handle=0x{:02x}", handle);
141 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
142
143 alarm_cancel(avrc_cb.ccb_int[handle].tle);
144 fixed_queue_free(avrc_cb.ccb_int[handle].cmd_q, osi_free);
145 avrc_cb.ccb_int[handle].cmd_q = NULL;
146 }
147
148 /******************************************************************************
149 *
150 * Function avrc_process_timeout
151 *
152 * Description Handle avrc command timeout
153 *
154 * Returns Nothing.
155 *
156 *****************************************************************************/
avrc_process_timeout(void * data)157 void avrc_process_timeout(void* data) {
158 tAVRC_PARAM* param = (tAVRC_PARAM*)data;
159
160 log::verbose("AVRC: command timeout (handle=0x{:02x}, label=0x{:02x})",
161 param->handle, param->label);
162
163 /* Notify app */
164 if (avrc_cb.ccb[param->handle].ctrl_cback) {
165 avrc_cb.ccb[param->handle].ctrl_cback.Run(
166 param->handle, AVRC_CMD_TIMEOUT_EVT, param->label, NULL);
167 }
168
169 /* If vendor command timed-out, then send next command in the queue */
170 if (param->msg_mask & AVRC_MSG_MASK_IS_VENDOR_CMD) {
171 avrc_send_next_vendor_cmd(param->handle);
172 }
173 osi_free(param);
174 }
175
176 /******************************************************************************
177 *
178 * Function avrc_send_next_vendor_cmd
179 *
180 * Description Dequeue and send next vendor command for given handle
181 *
182 * Returns Nothing.
183 *
184 *****************************************************************************/
avrc_send_next_vendor_cmd(uint8_t handle)185 void avrc_send_next_vendor_cmd(uint8_t handle) {
186 BT_HDR* p_next_cmd;
187 uint8_t next_label;
188
189 while ((p_next_cmd = (BT_HDR*)fixed_queue_try_dequeue(
190 avrc_cb.ccb_int[handle].cmd_q)) != NULL) {
191 p_next_cmd->event &= 0xFF; /* opcode */
192 next_label = (p_next_cmd->layer_specific) >> 8; /* extract label */
193 p_next_cmd->layer_specific &= 0xFF; /* AVCT_DATA_CTRL or AVCT_DATA_BROWSE */
194
195 log::verbose(
196 "AVRC: Dequeuing command 0x{} (handle=0x{:02x}, label=0x{:02x})",
197 fmt::ptr(p_next_cmd), handle, next_label);
198
199 /* Send the message */
200 if ((AVCT_MsgReq(handle, next_label, AVCT_CMD, p_next_cmd)) ==
201 AVCT_SUCCESS) {
202 /* Start command timer to wait for response */
203 avrc_start_cmd_timer(handle, next_label, AVRC_MSG_MASK_IS_VENDOR_CMD);
204 return;
205 }
206 }
207
208 if (p_next_cmd == NULL) {
209 /* cmd queue empty */
210 avrc_cb.ccb_int[handle].flags &= ~AVRC_CB_FLAGS_RSP_PENDING;
211 }
212 }
213
214 /******************************************************************************
215 *
216 * Function avrc_start_cmd_timer
217 *
218 * Description Start timer for waiting for responses
219 *
220 * Returns Nothing.
221 *
222 *****************************************************************************/
avrc_start_cmd_timer(uint8_t handle,uint8_t label,uint8_t msg_mask)223 void avrc_start_cmd_timer(uint8_t handle, uint8_t label, uint8_t msg_mask) {
224 tAVRC_PARAM* param =
225 static_cast<tAVRC_PARAM*>(osi_malloc(sizeof(tAVRC_PARAM)));
226 param->handle = handle;
227 param->label = label;
228 param->msg_mask = msg_mask;
229
230 log::verbose("AVRC: starting timer (handle=0x{:02x}, label=0x{:02x})", handle,
231 label);
232
233 alarm_set_on_mloop(avrc_cb.ccb_int[handle].tle, AVRC_CMD_TOUT_MS,
234 avrc_process_timeout, param);
235 }
236
237 /******************************************************************************
238 *
239 * Function avrc_get_data_ptr
240 *
241 * Description Gets a pointer to the data payload in the packet.
242 *
243 * Returns A pointer to the data payload.
244 *
245 *****************************************************************************/
avrc_get_data_ptr(BT_HDR * p_pkt)246 static uint8_t* avrc_get_data_ptr(BT_HDR* p_pkt) {
247 return (uint8_t*)(p_pkt + 1) + p_pkt->offset;
248 }
249
250 /******************************************************************************
251 *
252 * Function avrc_copy_packet
253 *
254 * Description Copies an AVRC packet to a new buffer. In the new buffer,
255 * the payload offset is at least AVCT_MSG_OFFSET octets.
256 *
257 * Returns The buffer with the copied data.
258 *
259 *****************************************************************************/
avrc_copy_packet(BT_HDR * p_pkt,int rsp_pkt_len)260 static BT_HDR* avrc_copy_packet(BT_HDR* p_pkt, int rsp_pkt_len) {
261 const int offset = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
262 const int pkt_len = MAX(rsp_pkt_len, p_pkt->len);
263 BT_HDR* p_pkt_copy = (BT_HDR*)osi_calloc(BT_HDR_SIZE + offset + pkt_len);
264
265 /* Copy the packet header, set the new offset, and copy the payload */
266 memcpy(p_pkt_copy, p_pkt, BT_HDR_SIZE);
267 p_pkt_copy->offset = offset;
268 uint8_t* p_data = avrc_get_data_ptr(p_pkt);
269 uint8_t* p_data_copy = avrc_get_data_ptr(p_pkt_copy);
270 memcpy(p_data_copy, p_data, p_pkt->len);
271
272 return p_pkt_copy;
273 }
274
275 /******************************************************************************
276 *
277 * Function avrc_prep_end_frag
278 *
279 * Description This function prepares an end response fragment
280 *
281 * Returns Nothing.
282 *
283 *****************************************************************************/
avrc_prep_end_frag(uint8_t handle)284 static void avrc_prep_end_frag(uint8_t handle) {
285 tAVRC_FRAG_CB* p_fcb;
286 BT_HDR* p_pkt_new;
287 uint8_t *p_data, *p_orig_data;
288 uint8_t rsp_type;
289
290 log::verbose("");
291 p_fcb = &avrc_cb.fcb[handle];
292
293 /* The response type of the end fragment should be the same as the the PDU of
294 * "End Fragment Response" Errata:
295 * https://www.bluetooth.org/errata/errata_view.cfm?errata_id=4383
296 */
297 p_orig_data = ((uint8_t*)(p_fcb->p_fmsg + 1) + p_fcb->p_fmsg->offset);
298 rsp_type = ((*p_orig_data) & AVRC_CTYPE_MASK);
299
300 p_pkt_new = p_fcb->p_fmsg;
301 p_pkt_new->len -=
302 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
303 p_pkt_new->offset +=
304 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE);
305 p_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
306 *p_data++ = rsp_type;
307 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
308 *p_data++ = AVRC_OP_VENDOR;
309 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
310 *p_data++ = p_fcb->frag_pdu;
311 *p_data++ = AVRC_PKT_END;
312
313 /* 4=pdu, pkt_type & len */
314 UINT16_TO_BE_STREAM(
315 p_data, (p_pkt_new->len - AVRC_VENDOR_HDR_SIZE - AVRC_MIN_META_HDR_SIZE));
316 }
317
318 /******************************************************************************
319 *
320 * Function avrc_send_continue_frag
321 *
322 * Description This function sends a continue response fragment
323 *
324 * Returns AVRC_SUCCESS if successful.
325 * AVRC_BAD_HANDLE if handle is invalid.
326 *
327 *****************************************************************************/
avrc_send_continue_frag(uint8_t handle,uint8_t label)328 static uint16_t avrc_send_continue_frag(uint8_t handle, uint8_t label) {
329 tAVRC_FRAG_CB* p_fcb;
330 BT_HDR *p_pkt_old, *p_pkt;
331 uint8_t *p_old, *p_data;
332 uint8_t cr = AVCT_RSP;
333
334 p_fcb = &avrc_cb.fcb[handle];
335 p_pkt = p_fcb->p_fmsg;
336
337 log::verbose("handle = {} label = {} len = {}", handle, label, p_pkt->len);
338 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
339 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
340 p_pkt_old = p_fcb->p_fmsg;
341 p_pkt = (BT_HDR*)osi_calloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
342 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
343 p_pkt->offset = AVCT_MSG_OFFSET;
344 p_pkt->layer_specific = p_pkt_old->layer_specific;
345 p_pkt->event = p_pkt_old->event;
346 p_old = (uint8_t*)(p_pkt_old + 1) + p_pkt_old->offset;
347 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
348 memcpy(p_data, p_old, AVRC_MAX_CTRL_DATA_LEN);
349 /* use AVRC continue packet type */
350 p_data += AVRC_VENDOR_HDR_SIZE;
351 p_data++; /* pdu */
352 *p_data++ = AVRC_PKT_CONTINUE;
353 /* 4=pdu, pkt_type & len */
354 UINT16_TO_BE_STREAM(p_data,
355 (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE - 4));
356
357 /* prepare the left over for as an end fragment */
358 avrc_prep_end_frag(handle);
359 } else {
360 /* end fragment. clean the control block */
361 p_fcb->frag_enabled = false;
362 p_fcb->p_fmsg = NULL;
363 }
364 return AVCT_MsgReq(handle, label, cr, p_pkt);
365 }
366
367 /******************************************************************************
368 *
369 * Function avrc_proc_vendor_command
370 *
371 * Description This function processes received vendor command.
372 *
373 * Returns if not NULL, the response to send right away.
374 *
375 *****************************************************************************/
avrc_proc_vendor_command(uint8_t handle,uint8_t label,BT_HDR * p_pkt,tAVRC_MSG_VENDOR * p_msg)376 static BT_HDR* avrc_proc_vendor_command(uint8_t handle, uint8_t label,
377 BT_HDR* p_pkt,
378 tAVRC_MSG_VENDOR* p_msg) {
379 BT_HDR* p_rsp = NULL;
380 uint8_t* p_data;
381 uint8_t* p_begin;
382 uint8_t pkt_type;
383 bool abort_frag = false;
384 tAVRC_STS status = AVRC_STS_NO_ERROR;
385 tAVRC_FRAG_CB* p_fcb;
386
387 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
388 p_data = p_begin + AVRC_VENDOR_HDR_SIZE;
389 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
390
391 if (pkt_type != AVRC_PKT_SINGLE) {
392 /* reject - commands can only be in single packets at AVRCP level */
393 log::error("commands must be in single packet pdu:0x{:x}", *p_data);
394 /* use the current GKI buffer to send the reject */
395 status = AVRC_STS_BAD_CMD;
396 }
397 /* check if there are fragments waiting to be sent */
398 else if (avrc_cb.fcb[handle].frag_enabled) {
399 p_fcb = &avrc_cb.fcb[handle];
400 if (p_msg->company_id == AVRC_CO_METADATA) {
401 switch (*p_data) {
402 case AVRC_PDU_ABORT_CONTINUATION_RSP:
403 /* aborted by CT - send accept response */
404 abort_frag = true;
405 p_begin = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
406 *p_begin = (AVRC_RSP_ACCEPT & AVRC_CTYPE_MASK);
407 if (*(p_data + 4) != p_fcb->frag_pdu) {
408 *p_begin = (AVRC_RSP_REJ & AVRC_CTYPE_MASK);
409 *(p_data + 4) = AVRC_STS_BAD_PARAM;
410 } else {
411 p_data = (p_begin + AVRC_VENDOR_HDR_SIZE + 2);
412 UINT16_TO_BE_STREAM(p_data, 0);
413 p_pkt->len = (p_data - p_begin);
414 }
415 AVCT_MsgReq(handle, label, AVCT_RSP, p_pkt);
416 p_msg->hdr.opcode =
417 AVRC_OP_DROP; /* used the p_pkt to send response */
418 break;
419
420 case AVRC_PDU_REQUEST_CONTINUATION_RSP:
421 if (*(p_data + 4) == p_fcb->frag_pdu) {
422 avrc_send_continue_frag(handle, label);
423 p_msg->hdr.opcode = AVRC_OP_DROP_N_FREE;
424 } else {
425 /* the pdu id does not match - reject the command using the current
426 * GKI buffer */
427 log::error(
428 "continue pdu: 0x{:x} does not match the current pdu: 0x{:x}",
429 *(p_data + 4), p_fcb->frag_pdu);
430 status = AVRC_STS_BAD_PARAM;
431 abort_frag = true;
432 }
433 break;
434
435 default:
436 /* implicit abort */
437 abort_frag = true;
438 }
439 } else {
440 abort_frag = true;
441 /* implicit abort */
442 }
443
444 if (abort_frag) {
445 osi_free_and_reset((void**)&p_fcb->p_fmsg);
446 p_fcb->frag_enabled = false;
447 }
448 }
449
450 if (status != AVRC_STS_NO_ERROR) {
451 p_rsp = (BT_HDR*)osi_calloc(BT_DEFAULT_BUFFER_SIZE);
452 p_rsp->offset = p_pkt->offset;
453 p_data = (uint8_t*)(p_rsp + 1) + p_pkt->offset;
454 *p_data++ = AVRC_RSP_REJ;
455 p_data += AVRC_VENDOR_HDR_SIZE; /* pdu */
456 *p_data++ = 0; /* pkt_type */
457 UINT16_TO_BE_STREAM(p_data, 1); /* len */
458 *p_data++ = status; /* error code */
459 p_rsp->len = AVRC_VENDOR_HDR_SIZE + 5;
460 }
461
462 return p_rsp;
463 }
464
465 /******************************************************************************
466 *
467 * Function avrc_proc_far_msg
468 *
469 * Description This function processes metadata fragmenation
470 * and reassembly
471 *
472 * Returns 0, to report the message with msg_cback .
473 *
474 *****************************************************************************/
avrc_proc_far_msg(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR ** pp_pkt,tAVRC_MSG_VENDOR * p_msg)475 static uint8_t avrc_proc_far_msg(uint8_t handle, uint8_t label, uint8_t cr,
476 BT_HDR** pp_pkt, tAVRC_MSG_VENDOR* p_msg) {
477 BT_HDR* p_pkt = *pp_pkt;
478 uint8_t* p_data;
479 uint8_t drop_code = 0;
480 bool buf_overflow = false;
481 BT_HDR* p_rsp = NULL;
482 BT_HDR* p_cmd = NULL;
483 bool req_continue = false;
484 BT_HDR* p_pkt_new = NULL;
485 uint8_t pkt_type;
486 tAVRC_RASM_CB* p_rcb;
487 tAVRC_NEXT_CMD avrc_cmd;
488 tAVRC_STS status;
489
490 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
491
492 /* Skip over vendor header (ctype, subunit*, opcode, CO_ID) */
493 p_data += AVRC_VENDOR_HDR_SIZE;
494
495 pkt_type = *(p_data + 1) & AVRC_PKT_TYPE_MASK;
496 log::verbose("pkt_type {}", pkt_type);
497 p_rcb = &avrc_cb.rcb[handle];
498
499 /* check if the message needs to be re-assembled */
500 if (pkt_type == AVRC_PKT_SINGLE || pkt_type == AVRC_PKT_START) {
501 /* previous fragments need to be dropped, when received another new message
502 */
503 p_rcb->rasm_offset = 0;
504 osi_free_and_reset((void**)&p_rcb->p_rmsg);
505 }
506
507 if (pkt_type != AVRC_PKT_SINGLE && cr == AVCT_RSP) {
508 /* not a single response packet - need to re-assemble metadata messages */
509 if (pkt_type == AVRC_PKT_START) {
510 /* Allocate buffer for re-assembly */
511 p_rcb->rasm_pdu = *p_data;
512 p_rcb->p_rmsg = (BT_HDR*)osi_calloc(BT_DEFAULT_BUFFER_SIZE);
513 /* Copy START packet to buffer for re-assembling fragments */
514 memcpy(p_rcb->p_rmsg, p_pkt, sizeof(BT_HDR)); /* Copy bt hdr */
515
516 /* Copy metadata message */
517 memcpy((uint8_t*)(p_rcb->p_rmsg + 1),
518 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
519
520 /* offset of start of metadata response in reassembly buffer */
521 p_rcb->p_rmsg->offset = p_rcb->rasm_offset = 0;
522
523 /*
524 * Free original START packet, replace with pointer to
525 * reassembly buffer.
526 */
527 osi_free(p_pkt);
528 *pp_pkt = p_rcb->p_rmsg;
529
530 /*
531 * Set offset to point to where to copy next - use the same
532 * reassembly logic as AVCT.
533 */
534 p_rcb->p_rmsg->offset += p_rcb->p_rmsg->len;
535 req_continue = true;
536 } else if (p_rcb->p_rmsg == NULL) {
537 /* Received a CONTINUE/END, but no corresponding START
538 (or previous fragmented response was dropped) */
539 log::verbose(
540 "Received a CONTINUE/END without no corresponding START (or previous "
541 "fragmented response was dropped)");
542 drop_code = 5;
543 osi_free(p_pkt);
544 *pp_pkt = NULL;
545 } else {
546 /* get size of buffer holding assembled message */
547 /*
548 * NOTE: The buffer is allocated above at the beginning of the
549 * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
550 */
551 uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
552 /* adjust offset and len of fragment for header byte */
553 p_pkt->offset += (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
554 p_pkt->len -= (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE);
555 /* verify length */
556 if ((p_rcb->p_rmsg->offset + p_pkt->len) > buf_len) {
557 log::warn("Fragmented message too big! - report the partial message");
558 p_pkt->len = buf_len - p_rcb->p_rmsg->offset;
559 pkt_type = AVRC_PKT_END;
560 buf_overflow = true;
561 }
562
563 /* copy contents of p_pkt to p_rx_msg */
564 memcpy((uint8_t*)(p_rcb->p_rmsg + 1) + p_rcb->p_rmsg->offset,
565 (uint8_t*)(p_pkt + 1) + p_pkt->offset, p_pkt->len);
566
567 if (pkt_type == AVRC_PKT_END) {
568 p_rcb->p_rmsg->offset = p_rcb->rasm_offset;
569 p_rcb->p_rmsg->len += p_pkt->len;
570 p_pkt_new = p_rcb->p_rmsg;
571 p_rcb->rasm_offset = 0;
572 p_rcb->p_rmsg = NULL;
573 p_msg->p_vendor_data = (uint8_t*)(p_pkt_new + 1) + p_pkt_new->offset;
574 p_msg->hdr.ctype = p_msg->p_vendor_data[0] & AVRC_CTYPE_MASK;
575 /* 6 = ctype, subunit*, opcode & CO_ID */
576 p_msg->p_vendor_data += AVRC_VENDOR_HDR_SIZE;
577 p_msg->vendor_len = p_pkt_new->len - AVRC_VENDOR_HDR_SIZE;
578 p_data = p_msg->p_vendor_data + 1; /* skip pdu */
579 *p_data++ = AVRC_PKT_SINGLE;
580 UINT16_TO_BE_STREAM(p_data,
581 (p_msg->vendor_len - AVRC_MIN_META_HDR_SIZE));
582 log::verbose("end frag:{}, total len:{}, offset:{}", p_pkt->len,
583 p_pkt_new->len, p_pkt_new->offset);
584 } else {
585 p_rcb->p_rmsg->offset += p_pkt->len;
586 p_rcb->p_rmsg->len += p_pkt->len;
587 p_pkt_new = NULL;
588 req_continue = true;
589 }
590 osi_free(p_pkt);
591 *pp_pkt = p_pkt_new;
592 }
593 }
594
595 if (cr == AVCT_CMD) {
596 p_rsp = avrc_proc_vendor_command(handle, label, *pp_pkt, p_msg);
597 if (p_rsp) {
598 AVCT_MsgReq(handle, label, AVCT_RSP, p_rsp);
599 osi_free_and_reset((void**)pp_pkt);
600 drop_code = 3;
601 } else if (p_msg->hdr.opcode == AVRC_OP_DROP) {
602 drop_code = 1;
603 } else if (p_msg->hdr.opcode == AVRC_OP_DROP_N_FREE)
604 drop_code = 4;
605
606 } else if (cr == AVCT_RSP) {
607 if (req_continue) {
608 avrc_cmd.pdu = AVRC_PDU_REQUEST_CONTINUATION_RSP;
609 drop_code = 2;
610 } else if (buf_overflow) {
611 /* Incoming message too big to fit in BT_DEFAULT_BUFFER_SIZE. Send abort
612 * to peer */
613 avrc_cmd.pdu = AVRC_PDU_ABORT_CONTINUATION_RSP;
614 drop_code = 4;
615 } else {
616 return drop_code;
617 }
618 avrc_cmd.status = AVRC_STS_NO_ERROR;
619 avrc_cmd.opcode = AVRC_OP_INVALID;
620 avrc_cmd.target_pdu = p_rcb->rasm_pdu;
621
622 tAVRC_COMMAND avrc_command;
623 avrc_command.continu = avrc_cmd;
624 status = AVRC_BldCommand(&avrc_command, &p_cmd);
625 if (status == AVRC_STS_NO_ERROR) {
626 AVRC_MsgReq(handle, (uint8_t)(label), AVRC_CMD_CTRL, p_cmd, false);
627 }
628 }
629
630 return drop_code;
631 }
632
633 /******************************************************************************
634 *
635 * Function avrc_msg_cback
636 *
637 * Description This is the callback function used by AVCTP to report
638 * received AV control messages.
639 *
640 * Returns Nothing.
641 *
642 *****************************************************************************/
avrc_msg_cback(uint8_t handle,uint8_t label,uint8_t cr,BT_HDR * p_pkt)643 static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
644 BT_HDR* p_pkt) {
645 uint8_t opcode;
646 tAVRC_MSG msg;
647 uint8_t* p_data;
648 uint8_t* p_begin;
649 bool drop = false;
650 bool do_free = true;
651 BT_HDR* p_rsp = NULL;
652 uint8_t* p_rsp_data;
653 int xx;
654 bool reject = false;
655 const char* p_drop_msg = "dropped";
656 tAVRC_MSG_VENDOR* p_msg = &msg.vendor;
657
658 if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
659 p_pkt->len > AVRC_PACKET_LEN)) {
660 log::warn("Command length {} too long: must be at most {}", p_pkt->len,
661 AVRC_PACKET_LEN);
662 osi_free(p_pkt);
663 return;
664 }
665
666 if (cr == AVCT_REJ) {
667 /* The peer thinks that this PID is no longer open - remove this handle */
668 /* */
669 osi_free(p_pkt);
670 AVCT_RemoveConn(handle);
671 return;
672 } else if (cr == AVCT_RSP) {
673 /* Received response. Stop command timeout timer */
674 log::verbose("AVRC: stopping timer (handle=0x{:02x})", handle);
675 alarm_cancel(avrc_cb.ccb_int[handle].tle);
676 }
677
678 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
679 memset(&msg, 0, sizeof(tAVRC_MSG));
680
681 if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
682 opcode = AVRC_OP_BROWSE;
683 msg.browse.hdr.ctype = cr;
684 msg.browse.p_browse_data = p_data;
685 msg.browse.browse_len = p_pkt->len;
686 msg.browse.p_browse_pkt = p_pkt;
687 } else {
688 if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
689 log::warn("message length {} too short: must be at least {}", p_pkt->len,
690 AVRC_AVC_HDR_SIZE);
691 osi_free(p_pkt);
692 return;
693 }
694 msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
695 log::verbose("handle:{}, ctype:{}, offset:{}, len: {}", handle,
696 msg.hdr.ctype, p_pkt->offset, p_pkt->len);
697 msg.hdr.subunit_type =
698 (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
699 msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK;
700 opcode = p_data[2];
701 }
702
703 if (((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) && (cr == AVCT_CMD)) ||
704 ((avrc_cb.ccb[handle].control & AVRC_CT_CONTROL) && (cr == AVCT_RSP))) {
705 switch (opcode) {
706 case AVRC_OP_UNIT_INFO:
707 if (cr == AVCT_CMD) {
708 /* send the response to the peer */
709 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_UNIT_INFO_RSP_LEN);
710 p_rsp_data = avrc_get_data_ptr(p_rsp);
711 *p_rsp_data = AVRC_RSP_IMPL_STBL;
712 /* check & set the offset. set response code, set subunit_type &
713 subunit_id,
714 set AVRC_OP_UNIT_INFO */
715 /* 3 bytes: ctype, subunit*, opcode */
716 p_rsp_data += AVRC_AVC_HDR_SIZE;
717 *p_rsp_data++ = 7;
718 /* Panel subunit & id=0 */
719 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
720 AVRC_CO_ID_TO_BE_STREAM(p_rsp_data, avrc_cb.ccb[handle].company_id);
721 p_rsp->len =
722 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
723 cr = AVCT_RSP;
724 p_drop_msg = "auto respond";
725 } else {
726 /* parse response */
727 if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
728 log::warn("message length {} too short: must be at least {}",
729 p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
730 drop = true;
731 p_drop_msg = "UNIT_INFO_RSP too short";
732 break;
733 }
734 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
735 msg.unit.unit_type =
736 (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
737 msg.unit.unit = *p_data & AVRC_SUBID_MASK;
738 p_data++;
739 AVRC_BE_STREAM_TO_CO_ID(msg.unit.company_id, p_data);
740 }
741 break;
742
743 case AVRC_OP_SUB_INFO:
744 if (cr == AVCT_CMD) {
745 /* send the response to the peer */
746 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
747 p_rsp_data = avrc_get_data_ptr(p_rsp);
748 *p_rsp_data = AVRC_RSP_IMPL_STBL;
749 /* check & set the offset. set response code, set (subunit_type &
750 subunit_id),
751 set AVRC_OP_SUB_INFO, set (page & extention code) */
752 p_rsp_data += 4;
753 /* Panel subunit & id=0 */
754 *p_rsp_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
755 memset(p_rsp_data, AVRC_CMD_OPRND_PAD, AVRC_SUBRSP_OPRND_BYTES);
756 p_rsp_data += AVRC_SUBRSP_OPRND_BYTES;
757 p_rsp->len =
758 (uint16_t)(p_rsp_data - (uint8_t*)(p_rsp + 1) - p_rsp->offset);
759 cr = AVCT_RSP;
760 p_drop_msg = "auto responded";
761 } else {
762 /* parse response */
763 if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
764 log::warn("message length {} too short: must be at least {}",
765 p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
766 drop = true;
767 p_drop_msg = "SUB_UNIT_INFO_RSP too short";
768 break;
769 }
770 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
771 msg.sub.page =
772 (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
773 xx = 0;
774 while (*p_data != AVRC_CMD_OPRND_PAD && xx < AVRC_SUB_TYPE_LEN) {
775 msg.sub.subunit_type[xx] = *p_data++ >> AVRC_SUBTYPE_SHIFT;
776 if (msg.sub.subunit_type[xx] == AVRC_SUB_PANEL)
777 msg.sub.panel = true;
778 xx++;
779 }
780 }
781 break;
782
783 case AVRC_OP_VENDOR: {
784 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
785 p_begin = p_data;
786 if (p_pkt->len <
787 AVRC_VENDOR_HDR_SIZE) /* 6 = ctype, subunit*, opcode & CO_ID */
788 {
789 if (cr == AVCT_CMD)
790 reject = true;
791 else
792 drop = true;
793 break;
794 }
795 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
796 opcode */
797 AVRC_BE_STREAM_TO_CO_ID(p_msg->company_id, p_data);
798 p_msg->p_vendor_data = p_data;
799 p_msg->vendor_len = p_pkt->len - (p_data - p_begin);
800
801 uint8_t drop_code = 0;
802 if (p_msg->company_id == AVRC_CO_METADATA) {
803 /* Validate length for metadata message */
804 if (p_pkt->len < (AVRC_VENDOR_HDR_SIZE + AVRC_MIN_META_HDR_SIZE)) {
805 if (cr == AVCT_CMD)
806 reject = true;
807 else
808 drop = true;
809 break;
810 }
811
812 /* Check+handle fragmented messages */
813 drop_code = avrc_proc_far_msg(handle, label, cr, &p_pkt, p_msg);
814 if (drop_code > 0) drop = true;
815 }
816 if (drop_code > 0) {
817 if (drop_code != 4) do_free = false;
818 switch (drop_code) {
819 case 1:
820 p_drop_msg = "sent_frag";
821 break;
822 case 2:
823 p_drop_msg = "req_cont";
824 break;
825 case 3:
826 p_drop_msg = "sent_frag3";
827 break;
828 case 4:
829 p_drop_msg = "sent_frag_free";
830 break;
831 default:
832 p_drop_msg = "sent_fragd";
833 }
834 }
835 /* If vendor response received, and did not ask for continuation */
836 /* then check queue for addition commands to send */
837 if ((cr == AVCT_RSP) && (drop_code != 2)) {
838 avrc_send_next_vendor_cmd(handle);
839 }
840 } break;
841
842 case AVRC_OP_PASS_THRU:
843 if (p_pkt->len < 5) /* 3 bytes: ctype, subunit*, opcode & op_id & len */
844 {
845 if (cr == AVCT_CMD)
846 reject = true;
847 else
848 drop = true;
849 break;
850 }
851 p_data += AVRC_AVC_HDR_SIZE; /* skip the first 3 bytes: ctype, subunit*,
852 opcode */
853 msg.pass.op_id = (AVRC_PASS_OP_ID_MASK & *p_data);
854 if (AVRC_PASS_STATE_MASK & *p_data)
855 msg.pass.state = true;
856 else
857 msg.pass.state = false;
858 p_data++;
859 msg.pass.pass_len = *p_data++;
860 if (msg.pass.pass_len != p_pkt->len - 5)
861 msg.pass.pass_len = p_pkt->len - 5;
862 if (msg.pass.pass_len)
863 msg.pass.p_pass_data = p_data;
864 else
865 msg.pass.p_pass_data = NULL;
866 break;
867
868 case AVRC_OP_BROWSE:
869 /* If browse response received, then check queue for addition commands
870 * to send */
871 if (cr == AVCT_RSP) {
872 avrc_send_next_vendor_cmd(handle);
873 }
874 break;
875
876 default:
877 if ((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) &&
878 (cr == AVCT_CMD)) {
879 /* reject unsupported opcode */
880 reject = true;
881 }
882 drop = true;
883 break;
884 }
885 } else /* drop the event */
886 {
887 if (opcode != AVRC_OP_BROWSE) drop = true;
888 }
889
890 if (reject) {
891 /* reject unsupported opcode */
892 p_rsp = avrc_copy_packet(p_pkt, AVRC_OP_REJ_MSG_LEN);
893 p_rsp_data = avrc_get_data_ptr(p_rsp);
894 *p_rsp_data = AVRC_RSP_REJ;
895 p_drop_msg = "rejected";
896 cr = AVCT_RSP;
897 drop = true;
898 }
899
900 if (p_rsp) {
901 /* set to send response right away */
902 AVCT_MsgReq(handle, label, cr, p_rsp);
903 drop = true;
904 }
905
906 if (!drop) {
907 msg.hdr.opcode = opcode;
908 avrc_cb.ccb[handle].msg_cback.Run(handle, label, opcode, &msg);
909 } else {
910 log::warn("{} msg handle:{}, control:{}, cr:{}, opcode:x{:x}", p_drop_msg,
911 handle, avrc_cb.ccb[handle].control, cr, opcode);
912 }
913
914 if (opcode == AVRC_OP_BROWSE && msg.browse.p_browse_pkt == NULL) {
915 do_free = false;
916 }
917
918 if (do_free) osi_free(p_pkt);
919 }
920
921 /******************************************************************************
922 *
923 * Function avrc_pass_msg
924 *
925 * Description Compose a PASS THROUGH command according to p_msg
926 *
927 * Input Parameters:
928 * p_msg: Pointer to PASS THROUGH message structure.
929 *
930 * Output Parameters:
931 * None.
932 *
933 * Returns pointer to a valid GKI buffer if successful.
934 * NULL if p_msg is NULL.
935 *
936 *****************************************************************************/
avrc_pass_msg(tAVRC_MSG_PASS * p_msg)937 static BT_HDR* avrc_pass_msg(tAVRC_MSG_PASS* p_msg) {
938 log::assert_that(p_msg != NULL, "assert failed: p_msg != NULL");
939 log::assert_that(AVRC_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->pass_len),
940 "assert failed: AVRC_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + "
941 "p_msg->pass_len)");
942
943 BT_HDR* p_cmd = (BT_HDR*)osi_calloc(AVRC_CMD_BUF_SIZE);
944 p_cmd->offset = AVCT_MSG_OFFSET;
945 p_cmd->layer_specific = AVCT_DATA_CTRL;
946
947 uint8_t* p_data = (uint8_t*)(p_cmd + 1) + p_cmd->offset;
948 *p_data++ = (p_msg->hdr.ctype & AVRC_CTYPE_MASK);
949 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT); /* Panel subunit & id=0 */
950 *p_data++ = AVRC_OP_PASS_THRU;
951 *p_data = (AVRC_PASS_OP_ID_MASK & p_msg->op_id);
952 if (p_msg->state) *p_data |= AVRC_PASS_STATE_MASK;
953 p_data++;
954
955 if (p_msg->op_id == AVRC_ID_VENDOR) {
956 *p_data++ = p_msg->pass_len;
957 if (p_msg->pass_len && p_msg->p_pass_data) {
958 memcpy(p_data, p_msg->p_pass_data, p_msg->pass_len);
959 p_data += p_msg->pass_len;
960 }
961 } else {
962 /* set msg len to 0 for other op_id */
963 *p_data++ = 0;
964 }
965 p_cmd->len = (uint16_t)(p_data - (uint8_t*)(p_cmd + 1) - p_cmd->offset);
966
967 return p_cmd;
968 }
969
970 /******************************************************************************
971 *
972 * Function ARVC_GetControlProfileVersion
973 *
974 * Description Get the AVRCP profile version
975 *
976 * Returns The AVRCP control profile version
977 *
978 *****************************************************************************/
AVRC_GetControlProfileVersion()979 uint16_t AVRC_GetControlProfileVersion() {
980 char volume_disabled[PROPERTY_VALUE_MAX] = {0};
981 osi_property_get("persist.bluetooth.disableabsvol", volume_disabled, "false");
982
983 uint16_t profile_version = AVRC_REV_1_3;
984 char avrcp_version[PROPERTY_VALUE_MAX] = {0};
985 osi_property_get(AVRC_CONTROL_VERSION_PROPERTY, avrcp_version,
986 strncmp(volume_disabled, "true", 4) == 0 ? AVRC_1_3_STRING
987 : AVRC_1_4_STRING);
988
989 if (!strncmp(AVRC_1_6_STRING, avrcp_version, sizeof(AVRC_1_6_STRING))) {
990 profile_version = AVRC_REV_1_6;
991 } else if (!strncmp(AVRC_1_5_STRING, avrcp_version,
992 sizeof(AVRC_1_5_STRING))) {
993 profile_version = AVRC_REV_1_5;
994 } else if (!strncmp(AVRC_1_4_STRING, avrcp_version,
995 sizeof(AVRC_1_4_STRING))) {
996 profile_version = AVRC_REV_1_4;
997 }
998
999 return profile_version;
1000 }
1001
1002 /******************************************************************************
1003 *
1004 * Function ARVC_GetProfileVersion
1005 *
1006 * Description Get the user assigned AVRCP profile version
1007 *
1008 * Returns The AVRCP profile version
1009 *
1010 *****************************************************************************/
AVRC_GetProfileVersion()1011 uint16_t AVRC_GetProfileVersion() {
1012 uint16_t profile_version = AVRC_REV_1_4;
1013 char avrcp_version[PROPERTY_VALUE_MAX] = {0};
1014 osi_property_get(AVRC_VERSION_PROPERTY, avrcp_version, AVRC_DEFAULT_VERSION);
1015
1016 if (!strncmp(AVRC_1_6_STRING, avrcp_version, sizeof(AVRC_1_6_STRING))) {
1017 profile_version = AVRC_REV_1_6;
1018 } else if (!strncmp(AVRC_1_5_STRING, avrcp_version,
1019 sizeof(AVRC_1_5_STRING))) {
1020 profile_version = AVRC_REV_1_5;
1021 } else if (!strncmp(AVRC_1_3_STRING, avrcp_version,
1022 sizeof(AVRC_1_3_STRING))) {
1023 profile_version = AVRC_REV_1_3;
1024 }
1025
1026 return profile_version;
1027 }
1028
1029 /******************************************************************************
1030 *
1031 * Function AVRC_Open
1032 *
1033 * Description This function is called to open a connection to AVCTP.
1034 * The connection can be either an initiator or acceptor, as
1035 * determined by the p_ccb->stream parameter.
1036 * The connection can be a target, a controller or for both
1037 * role, as determined by the p_ccb->control parameter.
1038 * By definition, a target connection is an acceptor connection
1039 * that waits for an incoming AVCTP connection from the peer.
1040 * The connection remains available to the application until
1041 * the application closes it by calling AVRC_Close(). The
1042 * application does not need to reopen the connection after an
1043 * AVRC_CLOSE_IND_EVT is received.
1044 *
1045 * Input Parameters:
1046 * p_ccb->company_id: Company Identifier.
1047 *
1048 * p_ccb->p_ctrl_cback: Pointer to control callback
1049 * function.
1050 *
1051 * p_ccb->p_msg_cback: Pointer to message callback
1052 * function.
1053 *
1054 * p_ccb->conn: AVCTP connection role. This is set to
1055 * AVCTP_INT for initiator connections and AVCTP_ACP
1056 * for acceptor connections.
1057 *
1058 * p_ccb->control: Control role. This is set to
1059 * AVRC_CT_TARGET for target connections, AVRC_CT_CONTROL
1060 * for control connections or
1061 * (AVRC_CT_TARGET|AVRC_CT_CONTROL)
1062 * for connections that support both roles.
1063 *
1064 * peer_addr: BD address of peer device. This value is
1065 * only used for initiator connections; for acceptor
1066 * connections it can be set to NULL.
1067 *
1068 * Output Parameters:
1069 * p_handle: Pointer to handle. This parameter is only
1070 * valid if AVRC_SUCCESS is returned.
1071 *
1072 * Returns AVRC_SUCCESS if successful.
1073 * AVRC_NO_RESOURCES if there are not enough resources to open
1074 * the connection.
1075 *
1076 *****************************************************************************/
AVRC_Open(uint8_t * p_handle,tAVRC_CONN_CB * p_ccb,const RawAddress & peer_addr)1077 uint16_t AVRC_Open(uint8_t* p_handle, tAVRC_CONN_CB* p_ccb,
1078 const RawAddress& peer_addr) {
1079 uint16_t status;
1080 tAVCT_CC cc;
1081
1082 cc.p_ctrl_cback = avrc_ctrl_cback; /* Control callback */
1083 cc.p_msg_cback = avrc_msg_cback; /* Message callback */
1084 cc.pid = UUID_SERVCLASS_AV_REMOTE_CONTROL; /* Profile ID */
1085 cc.role = p_ccb->conn; /* Initiator/acceptor role */
1086 cc.control = p_ccb->control; /* Control role (Control/Target) */
1087
1088 status = AVCT_CreateConn(p_handle, &cc, peer_addr);
1089 if (status == AVCT_SUCCESS) {
1090 avrc_cb.ccb[*p_handle] = *p_ccb;
1091 memset(&avrc_cb.ccb_int[*p_handle], 0, sizeof(tAVRC_CONN_INT_CB));
1092 memset(&avrc_cb.fcb[*p_handle], 0, sizeof(tAVRC_FRAG_CB));
1093 memset(&avrc_cb.rcb[*p_handle], 0, sizeof(tAVRC_RASM_CB));
1094 avrc_cb.ccb_int[*p_handle].tle = alarm_new("avrcp.commandTimer");
1095 avrc_cb.ccb_int[*p_handle].cmd_q = fixed_queue_new(SIZE_MAX);
1096 }
1097 log::verbose("role: {}, control:{} status:{}, handle:{}", cc.role, cc.control,
1098 status, *p_handle);
1099
1100 return status;
1101 }
1102
1103 /******************************************************************************
1104 *
1105 * Function AVRC_Close
1106 *
1107 * Description Close a connection opened with AVRC_Open().
1108 * This function is called when the
1109 * application is no longer using a connection.
1110 *
1111 * Input Parameters:
1112 * handle: Handle of this connection.
1113 *
1114 * Output Parameters:
1115 * None.
1116 *
1117 * Returns AVRC_SUCCESS if successful.
1118 * AVRC_BAD_HANDLE if handle is invalid.
1119 *
1120 *****************************************************************************/
AVRC_Close(uint8_t handle)1121 uint16_t AVRC_Close(uint8_t handle) {
1122 log::verbose("handle:{}", handle);
1123 avrc_flush_cmd_q(handle);
1124 return AVCT_RemoveConn(handle);
1125 }
1126
1127 /******************************************************************************
1128 *
1129 * Function AVRC_OpenBrowse
1130 *
1131 * Description This function is called to open a browsing connection to
1132 * AVCTP. The connection can be either an initiator or
1133 * acceptor, as determined by the p_conn_role.
1134 * The handle is returned by a previous call to AVRC_Open.
1135 *
1136 * Returns AVRC_SUCCESS if successful.
1137 * AVRC_NO_RESOURCES if there are not enough resources to open
1138 * the connection.
1139 *
1140 *****************************************************************************/
AVRC_OpenBrowse(uint8_t handle,uint8_t conn_role)1141 uint16_t AVRC_OpenBrowse(uint8_t handle, uint8_t conn_role) {
1142 return AVCT_CreateBrowse(handle, conn_role);
1143 }
1144
1145 /******************************************************************************
1146 *
1147 * Function AVRC_CloseBrowse
1148 *
1149 * Description Close a connection opened with AVRC_OpenBrowse().
1150 * This function is called when the
1151 * application is no longer using a connection.
1152 *
1153 * Returns AVRC_SUCCESS if successful.
1154 * AVRC_BAD_HANDLE if handle is invalid.
1155 *
1156 *****************************************************************************/
AVRC_CloseBrowse(uint8_t handle)1157 uint16_t AVRC_CloseBrowse(uint8_t handle) { return AVCT_RemoveBrowse(handle); }
1158
1159 /******************************************************************************
1160 *
1161 * Function AVRC_MsgReq
1162 *
1163 * Description This function is used to send the AVRCP byte stream in p_pkt
1164 * down to AVCTP.
1165 *
1166 * It is expected that p_pkt->offset is at least
1167 * AVCT_MSG_OFFSET
1168 * p_pkt->layer_specific is AVCT_DATA_CTRL or AVCT_DATA_BROWSE
1169 * p_pkt->event is AVRC_OP_VENDOR, AVRC_OP_PASS_THRU or
1170 * AVRC_OP_BROWSE
1171 * The above BT_HDR settings are set by the AVRC_Bld*
1172 * functions.
1173 *
1174 * Returns AVRC_SUCCESS if successful.
1175 * AVRC_BAD_HANDLE if handle is invalid.
1176 *
1177 *****************************************************************************/
1178 /* legacy and new avrcp send the different packet format for VENDOR op */
AVRC_MsgReq(uint8_t handle,uint8_t label,uint8_t ctype,BT_HDR * p_pkt,bool is_new_avrcp)1179 uint16_t AVRC_MsgReq(uint8_t handle, uint8_t label, uint8_t ctype,
1180 BT_HDR* p_pkt, bool is_new_avrcp) {
1181 uint8_t* p_data;
1182 uint8_t cr = AVCT_CMD;
1183 bool chk_frag = true;
1184 uint8_t* p_start = NULL;
1185 tAVRC_FRAG_CB* p_fcb;
1186 uint16_t len;
1187 uint16_t status;
1188 uint8_t msg_mask = 0;
1189 uint16_t peer_mtu;
1190
1191 if (!p_pkt) return AVRC_BAD_PARAM;
1192
1193 log::verbose("handle = {} label = {} ctype = {} len = {}", handle, label,
1194 ctype, p_pkt->len);
1195 /* Handle for AVRCP fragment */
1196 if (btif_av_src_sink_coexist_enabled())
1197 is_new_avrcp =
1198 osi_property_get_bool("bluetooth.profile.avrcp.target.enabled", false);
1199 if (ctype >= AVRC_RSP_NOT_IMPL) cr = AVCT_RSP;
1200
1201 if (p_pkt->event == AVRC_OP_VENDOR) {
1202 if (is_new_avrcp) {
1203 p_start = (uint8_t*)(p_pkt + 1) + p_pkt->offset + AVRC_VENDOR_HDR_SIZE;
1204 } else {
1205 /* add AVRCP Vendor Dependent headers */
1206 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1207 p_pkt->offset -= AVRC_VENDOR_HDR_SIZE;
1208 p_pkt->len += AVRC_VENDOR_HDR_SIZE;
1209 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1210 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1211 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1212 *p_data++ = AVRC_OP_VENDOR;
1213 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1214
1215 /* Check if this is a AVRC_PDU_REQUEST_CONTINUATION_RSP */
1216 if (cr == AVCT_CMD) {
1217 msg_mask |= AVRC_MSG_MASK_IS_VENDOR_CMD;
1218
1219 if ((*p_start == AVRC_PDU_REQUEST_CONTINUATION_RSP) ||
1220 (*p_start == AVRC_PDU_ABORT_CONTINUATION_RSP)) {
1221 msg_mask |= AVRC_MSG_MASK_IS_CONTINUATION_RSP;
1222 }
1223 }
1224 }
1225 } else if (p_pkt->event == AVRC_OP_PASS_THRU) {
1226 /* add AVRCP Pass Through headers */
1227 p_start = ((uint8_t*)(p_pkt + 1) + p_pkt->offset);
1228 p_pkt->offset -= AVRC_PASS_THRU_SIZE;
1229 p_pkt->len += AVRC_PASS_THRU_SIZE;
1230 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1231 *p_data++ = (ctype & AVRC_CTYPE_MASK);
1232 *p_data++ = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
1233 *p_data++ = AVRC_OP_PASS_THRU; /* opcode */
1234 *p_data++ = AVRC_ID_VENDOR; /* operation id */
1235 *p_data++ = 5; /* operation data len */
1236 AVRC_CO_ID_TO_BE_STREAM(p_data, AVRC_CO_METADATA);
1237 } else {
1238 chk_frag = false;
1239 if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
1240 peer_mtu = AVCT_GetBrowseMtu(handle);
1241 } else {
1242 peer_mtu = AVCT_GetPeerMtu(handle);
1243 }
1244 if (p_pkt->len > (peer_mtu - AVCT_HDR_LEN_SINGLE)) {
1245 log::error("bigger than peer mtu (p_pkt->len({}) > peer_mtu({}-{}))",
1246 p_pkt->len, peer_mtu, AVCT_HDR_LEN_SINGLE);
1247 osi_free(p_pkt);
1248 return AVRC_MSG_TOO_BIG;
1249 }
1250 }
1251
1252 /* abandon previous fragments */
1253 p_fcb = &avrc_cb.fcb[handle];
1254
1255 if (p_fcb == NULL) {
1256 log::error("p_fcb is NULL");
1257 osi_free(p_pkt);
1258 return AVRC_NOT_OPEN;
1259 }
1260
1261 if (p_fcb->frag_enabled) p_fcb->frag_enabled = false;
1262
1263 osi_free_and_reset((void**)&p_fcb->p_fmsg);
1264
1265 /* AVRCP spec has not defined any control channel commands that needs
1266 * fragmentation at this level
1267 * check for fragmentation only on the response */
1268 if ((cr == AVCT_RSP) && (chk_frag)) {
1269 if (p_pkt->len > AVRC_MAX_CTRL_DATA_LEN) {
1270 int offset_len = MAX(AVCT_MSG_OFFSET, p_pkt->offset);
1271 BT_HDR* p_pkt_new =
1272 (BT_HDR*)osi_calloc(AVRC_PACKET_LEN + offset_len + BT_HDR_SIZE);
1273 if (p_start != NULL) {
1274 p_fcb->frag_enabled = true;
1275 p_fcb->p_fmsg = p_pkt;
1276 p_fcb->frag_pdu = *p_start;
1277 p_pkt = p_pkt_new;
1278 p_pkt_new = p_fcb->p_fmsg;
1279 p_pkt->len = AVRC_MAX_CTRL_DATA_LEN;
1280 p_pkt->offset = p_pkt_new->offset;
1281 p_pkt->layer_specific = p_pkt_new->layer_specific;
1282 p_pkt->event = p_pkt_new->event;
1283 p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
1284 p_start -= AVRC_VENDOR_HDR_SIZE;
1285 memcpy(p_data, p_start, AVRC_MAX_CTRL_DATA_LEN);
1286 /* use AVRC start packet type */
1287 p_data += AVRC_VENDOR_HDR_SIZE;
1288 p_data++; /* pdu */
1289 *p_data++ = AVRC_PKT_START;
1290
1291 /* 4 pdu, pkt_type & len */
1292 len = (AVRC_MAX_CTRL_DATA_LEN - AVRC_VENDOR_HDR_SIZE -
1293 AVRC_MIN_META_HDR_SIZE);
1294 UINT16_TO_BE_STREAM(p_data, len);
1295
1296 /* prepare the left over for as an end fragment */
1297 avrc_prep_end_frag(handle);
1298 log::verbose("p_pkt len:{}/{}, next len:{}", p_pkt->len, len,
1299 p_fcb->p_fmsg->len);
1300 } else {
1301 /* TODO: Is this "else" block valid? Remove it? */
1302 log::error("no buffers for fragmentation");
1303 osi_free(p_pkt);
1304 return AVRC_NO_RESOURCES;
1305 }
1306 }
1307 } else if ((p_pkt->event == AVRC_OP_VENDOR) && (cr == AVCT_CMD) &&
1308 (avrc_cb.ccb_int[handle].flags & AVRC_CB_FLAGS_RSP_PENDING) &&
1309 !(msg_mask & AVRC_MSG_MASK_IS_CONTINUATION_RSP)) {
1310 /* If we are sending a vendor specific command, and a response is pending,
1311 * then enqueue the command until the response has been received.
1312 * This is to interop with TGs that abort sending responses whenever a new
1313 * command
1314 * is received (exception is continuation request command
1315 * must sent that to get additional response frags) */
1316 log::verbose(
1317 "AVRC: Enqueuing command 0x{} (handle=0x{:02x}, label=0x{:02x})",
1318 fmt::ptr(p_pkt), handle, label);
1319
1320 /* label in BT_HDR (will need this later when the command is dequeued) */
1321 p_pkt->layer_specific = (label << 8) | (p_pkt->layer_specific & 0xFF);
1322
1323 /* Enqueue the command */
1324 fixed_queue_enqueue(avrc_cb.ccb_int[handle].cmd_q, p_pkt);
1325 return AVRC_SUCCESS;
1326 }
1327
1328 /* Send the message */
1329 status = AVCT_MsgReq(handle, label, cr, p_pkt);
1330 if ((status == AVCT_SUCCESS) && (cr == AVCT_CMD)) {
1331 /* If a command was successfully sent, indicate that a response is pending
1332 */
1333 avrc_cb.ccb_int[handle].flags |= AVRC_CB_FLAGS_RSP_PENDING;
1334
1335 /* Start command timer to wait for response */
1336 avrc_start_cmd_timer(handle, label, msg_mask);
1337 }
1338
1339 return status;
1340 }
1341
1342 /******************************************************************************
1343 *
1344 * Function AVRC_PassCmd
1345 *
1346 * Description Send a PASS THROUGH command to the peer device. This
1347 * function can only be called for controller role connections.
1348 * Any response message from the peer is passed back through
1349 * the tAVRC_MSG_CBACK callback function.
1350 *
1351 * Input Parameters:
1352 * handle: Handle of this connection.
1353 *
1354 * label: Transaction label.
1355 *
1356 * p_msg: Pointer to PASS THROUGH message structure.
1357 *
1358 * Output Parameters:
1359 * None.
1360 *
1361 * Returns AVRC_SUCCESS if successful.
1362 * AVRC_BAD_HANDLE if handle is invalid.
1363 *
1364 *****************************************************************************/
AVRC_PassCmd(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1365 uint16_t AVRC_PassCmd(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1366 BT_HDR* p_buf;
1367 uint16_t status = AVRC_NO_RESOURCES;
1368 if (!p_msg) return AVRC_BAD_PARAM;
1369
1370 p_msg->hdr.ctype = AVRC_CMD_CTRL;
1371 p_buf = avrc_pass_msg(p_msg);
1372 if (p_buf) {
1373 status = AVCT_MsgReq(handle, label, AVCT_CMD, p_buf);
1374 if (status == AVCT_SUCCESS) {
1375 /* Start command timer to wait for response */
1376 avrc_start_cmd_timer(handle, label, 0);
1377 }
1378 }
1379 return (status);
1380 }
1381
1382 /******************************************************************************
1383 *
1384 * Function AVRC_PassRsp
1385 *
1386 * Description Send a PASS THROUGH response to the peer device. This
1387 * function can only be called for target role connections.
1388 * This function must be called when a PASS THROUGH command
1389 * message is received from the peer through the
1390 * tAVRC_MSG_CBACK callback function.
1391 *
1392 * Input Parameters:
1393 * handle: Handle of this connection.
1394 *
1395 * label: Transaction label. Must be the same value as
1396 * passed with the command message in the callback
1397 * function.
1398 *
1399 * p_msg: Pointer to PASS THROUGH message structure.
1400 *
1401 * Output Parameters:
1402 * None.
1403 *
1404 * Returns AVRC_SUCCESS if successful.
1405 * AVRC_BAD_HANDLE if handle is invalid.
1406 *
1407 *****************************************************************************/
AVRC_PassRsp(uint8_t handle,uint8_t label,tAVRC_MSG_PASS * p_msg)1408 uint16_t AVRC_PassRsp(uint8_t handle, uint8_t label, tAVRC_MSG_PASS* p_msg) {
1409 BT_HDR* p_buf;
1410 if (!p_msg) return AVRC_BAD_PARAM;
1411
1412 p_buf = avrc_pass_msg(p_msg);
1413 if (p_buf) return AVCT_MsgReq(handle, label, AVCT_RSP, p_buf);
1414 return AVRC_NO_RESOURCES;
1415 }
1416
1417 /******************************************************************************
1418 *
1419 * Function AVRC_SaveControllerVersion
1420 *
1421 * Description Save AVRC controller version of peer device into bt_config.
1422 * This version is used to send same AVRC target version to
1423 * peer device to avoid version mismatch IOP issue.
1424 *
1425 * Input Parameters:
1426 * bdaddr: BD address of peer device.
1427 *
1428 * version: AVRC controller version of peer device.
1429 *
1430 * Output Parameters:
1431 * None.
1432 *
1433 * Returns Nothing
1434 *
1435 *****************************************************************************/
AVRC_SaveControllerVersion(const RawAddress & bdaddr,uint16_t new_version)1436 void AVRC_SaveControllerVersion(const RawAddress& bdaddr,
1437 uint16_t new_version) {
1438 // store AVRC controller version into BT config
1439 uint16_t old_version = 0;
1440 size_t version_value_size = sizeof(old_version);
1441 if (btif_config_get_bin(bdaddr.ToString(),
1442 BTIF_STORAGE_KEY_AVRCP_CONTROLLER_VERSION,
1443 (uint8_t*)&old_version, &version_value_size) &&
1444 new_version == old_version) {
1445 log::info("AVRC controller version same as cached config");
1446 } else if (btif_config_set_bin(
1447 bdaddr.ToString(), BTIF_STORAGE_KEY_AVRCP_CONTROLLER_VERSION,
1448 (const uint8_t*)&new_version, sizeof(new_version))) {
1449 log::info("store AVRC controller version {:x} for {} into config.",
1450 new_version, bdaddr);
1451 } else {
1452 log::warn("Failed to store AVRC controller version for {}", bdaddr);
1453 }
1454 }
1455
AVRC_UpdateCcb(RawAddress * addr,uint32_t company_id)1456 void AVRC_UpdateCcb(RawAddress* addr, uint32_t company_id) {
1457 for (uint8_t i = 0; i < AVCT_NUM_CONN; i++) {
1458 log::info("handle:{}, update cback:0x{:0x}", i, company_id);
1459 if (avrc_cb.ccb[i].company_id == company_id) {
1460 avrc_cb.ccb[i].ctrl_cback.Run(i, AVRC_CLOSE_IND_EVT, 0, addr);
1461 }
1462 }
1463 }
1464