1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2014 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions that interface with the NFC NCI transport.
22  *  On the receive side, it routes events to the appropriate handler
23  *  (callback). On the transmit side, it manages the command transmission.
24  *
25  ******************************************************************************/
26 #include <android-base/logging.h>
27 #include <android-base/stringprintf.h>
28 #include <fcntl.h>
29 #include <log/log.h>
30 #include <statslog_nfc.h>
31 #include <sys/stat.h>
32 #include <sys/time.h>
33 
34 #include "include/debug_nfcsnoop.h"
35 #include "metrics.h"
36 #include "nci_defs.h"
37 #include "nci_hmsgs.h"
38 #include "nfc_api.h"
39 #include "nfc_int.h"
40 #include "nfc_target.h"
41 #include "rw_api.h"
42 #include "rw_int.h"
43 
44 using android::base::StringPrintf;
45 
#if (NFC_RW_ONLY == FALSE)
/* Not referenced in this part of the file. By name, a lookup from a 2-bit
 * max-payload-length code to a payload size in bytes -- confirm at the use
 * site before relying on that. */
static const uint8_t nfc_mpl_code_to_size[] = {64, 128, 192, 254};

#endif /* NFC_RW_ONLY */
#if (APPL_DTA_MODE == TRUE)
// Global structure variable caching the FW version; read back through
// nfc_ncif_getFWVersion(). The writer is not visible in this chunk.
static tNFC_FW_VERSION nfc_fw_version;
#endif
/* By name, the fixed-length portion of the poll-B / listen-B ATTRIB_REQ.
 * Not referenced in this part of the file. */
#define NFC_PB_ATTRIB_REQ_FIXED_BYTES 1
#define NFC_LB_ATTRIB_REQ_FIXED_BYTES 8

extern unsigned char appl_dta_mode_flag;

extern std::string nfc_storage_path;

/* HCE transaction timing. timer_start is armed elsewhere (outside this chunk);
 * nfc_ncif_send_data consumes it, reports the elapsed time to the metrics
 * stream and zeroes both timers again. */
static struct timeval timer_start;
static struct timeval timer_end;

/* Destination and size cap for the NCI snoop dump taken on a native crash;
 * the code that writes it is not in this chunk. */
#define DEFAULT_CRASH_NFCSNOOP_PATH "/data/misc/nfc/logs/native_crash_logs"
static const off_t NATIVE_CRASH_FILE_SIZE = (1024 * 1024);
66 
67 /*******************************************************************************
68 **
69 ** Function         nfc_ncif_update_window
70 **
71  ** Description      Update the tx command window: the outstanding command was answered, so the NFCC can accept another one
72 **
73 ** Returns          void
74 **
75 *******************************************************************************/
void nfc_ncif_update_window(void) {
  /* A full window means no command is outstanding, so there is nothing to
   * credit back. Only complain if the stack is not already shutting down. */
  const bool window_already_full = (nfc_cb.nci_cmd_window == NCI_MAX_CMD_WINDOW);
  if (window_already_full) {
    if (nfc_cb.nfc_state != NFC_STATE_W4_HAL_CLOSE) {
      LOG(ERROR) << StringPrintf("nfc_ncif_update_window: Unexpected call");
    }
    return;
  }

  /* The outstanding command has been answered: cancel its response timer,
   * forget any VSC callback registered for it and hand the slot back. */
  nfc_stop_timer(&nfc_cb.nci_wait_rsp_timer);
  nfc_cb.p_vsc_cback = nullptr;
  ++nfc_cb.nci_cmd_window;

  /* Drain whatever was queued while the window was closed. */
  nfc_ncif_check_cmd_queue(nullptr);
}
94 
95 /*******************************************************************************
96 **
97 ** Function         nfc_ncif_cmd_timeout
98 **
99 ** Description      Handle a command timeout
100 **
101 ** Returns          void
102 **
103 *******************************************************************************/
void nfc_ncif_cmd_timeout(void) {
  LOG(ERROR) << StringPrintf("nfc_ncif_cmd_timeout");

  /* Surface the timeout to the response callback twice: once as a generic
   * error and once as the dedicated NFCC-timeout event (the latter is also
   * what feeds the metrics stream in nfc_ncif_event_status). */
  const uint8_t timeout_status = NFC_STATUS_HW_TIMEOUT;
  nfc_ncif_event_status(NFC_GEN_ERROR_REVT, timeout_status);
  nfc_ncif_event_status(NFC_NFCC_TIMEOUT_REVT, timeout_status);

  /* A timeout while the controller is still being brought up aborts the
   * enable sequence and tells the upper layer it failed. */
  const bool still_enabling = (nfc_cb.nfc_state == NFC_STATE_CORE_INIT);
  if (still_enabling) nfc_enabled(NFC_STATUS_FAILED, nullptr);
}
116 
117 /*******************************************************************************
118 **
119 ** Function         nfc_wait_2_deactivate_timeout
120 **
121 ** Description      Handle expiry of the deactivate-wait timer: stop waiting for credits and issue the pending deactivate command
122 **
123 ** Returns          void
124 **
125 *******************************************************************************/
void nfc_wait_2_deactivate_timeout(void) {
  LOG(ERROR) << StringPrintf("nfc_wait_2_deactivate_timeout");
  /* Give up waiting for outstanding credits and send the deactivate command
   * with the type that was parked in the timer when it was started. */
  const uint8_t deactivate_type = (uint8_t)nfc_cb.deactivate_timer.param;
  nfc_cb.flags &= ~NFC_FL_DEACTIVATING;
  nci_snd_deactivate_cmd(deactivate_type);
}
131 
132 /*******************************************************************************
133 **
134 ** Function         nfc_ncif_send_data
135 **
136 ** Description      This function is called to add the NCI data header
137 **                  and send it to NCIT task for sending it to transport
138 **                  as credits are available.
139 **
140 ** Returns          void
141 **
142 *******************************************************************************/
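uint8_t nfc_ncif_send_data(tNFC_CONN_CB* p_cb, NFC_HDR* p_data) {
  uint8_t* pp;
  uint8_t* ps;
  uint8_t ulen = NCI_MAX_PAYLOAD_SIZE;
  NFC_HDR* p;
  /* PBF bit for the packet being built: 1 = more fragments follow, 0 = last.
   * It is set per packet below; do not rely on the initial value. */
  uint8_t pbf = 1;
  /* Largest payload the NFCC accepts on this connection. It is NFCC-supplied
   * (stored when the connection was set up, outside this chunk) and is not
   * validated there as far as this file shows. */
  uint8_t buffer_size = p_cb->buff_size;
  uint8_t hdr0 = p_cb->conn_id;
  bool fragmented = false;
  bool empty_p_data = p_data == nullptr;

  LOG(VERBOSE) << StringPrintf("nfc_ncif_send_data :%d, num_buff:%d qc:%d",
                               p_cb->conn_id, p_cb->num_buff, p_cb->tx_q.count);
  if (p_cb->id == NFC_RF_CONN_ID) {
    if (nfc_cb.nfc_state != NFC_STATE_OPEN) {
      if (nfc_cb.nfc_state == NFC_STATE_CLOSING) {
        if ((p_data == nullptr) && /* called because credit from NFCC */
            (nfc_cb.flags & NFC_FL_DEACTIVATING)) {
          if (p_cb->init_credits == p_cb->num_buff) {
            /* all the credits are back */
            nfc_cb.flags &= ~NFC_FL_DEACTIVATING;
            LOG(VERBOSE) << StringPrintf(
                "deactivating NFC-DEP init_credits:%d, num_buff:%d",
                p_cb->init_credits, p_cb->num_buff);
            nfc_stop_timer(&nfc_cb.deactivate_timer);
            nci_snd_deactivate_cmd((uint8_t)nfc_cb.deactivate_timer.param);
          }
        }
      }
      /* Rejected before enqueue: the caller still owns p_data. */
      return NCI_STATUS_FAILED;
    }
  }

  /* A non-empty packet can never be sent over a connection whose fragment
   * size is zero: the fragmenting branch below would copy zero bytes and never
   * advance p_data->len, spinning until credits run out (forever for a
   * NFC_CONN_NO_FC connection). Reject it before it is enqueued so ownership
   * of p_data stays with the caller, as on the failure path above. */
  if (p_data && p_data->len != 0 && buffer_size == 0) {
    LOG(ERROR) << StringPrintf(
        "nfc_ncif_send_data: conn_id %d has buff_size 0, cannot send %d bytes",
        p_cb->conn_id, p_data->len);
    return NCI_STATUS_FAILED;
  }

  if (p_data) {
    /* always enqueue the data to the tx queue */
    GKI_enqueue(&p_cb->tx_q, p_data);
  }

  /* try to send the first data packet in the tx queue  */
  p_data = (NFC_HDR*)GKI_getfirst(&p_cb->tx_q);

  /* post data fragment to NCIT task as credits are available */
  while (p_data && (p_cb->num_buff > 0)) {
    if (p_data->len <= buffer_size) {
      pbf = 0; /* last fragment */
      ulen = (uint8_t)(p_data->len);
      fragmented = false;
    } else if (buffer_size == 0) {
      /* A packet queued earlier that can no longer be fragmented (see the
       * guard above). Leave it queued rather than spin. */
      LOG(ERROR) << StringPrintf(
          "nfc_ncif_send_data: conn_id %d has buff_size 0, %d bytes left queued",
          p_cb->conn_id, p_data->len);
      break;
    } else {
      /* Not the last fragment: PBF must be re-asserted here. The previous
       * iteration may have sent a complete packet and left pbf at 0, which
       * would mark this fragment as a whole packet. */
      pbf = 1;
      fragmented = true;
      ulen = buffer_size;
    }

    if (!fragmented) {
      /* if data packet is not fragmented, use the original buffer */
      p = p_data;
      p_data = (NFC_HDR*)GKI_dequeue(&p_cb->tx_q);
    } else {
      /* the data packet is too big and need to be fragmented
       * prepare a new GKI buffer
       * (even the last fragment to avoid issues) */
      p = NCI_GET_CMD_BUF(ulen);
      /* NOTE(review): when this call supplied p_data it is already in tx_q
       * here; if the caller frees p_data on a non-OK status this is a double
       * free -- confirm the ownership contract in NFC_SendData. */
      if (p == nullptr) return (NCI_STATUS_BUFFER_FULL);
      p->len = ulen;
      p->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE + 1;
      if (p->len) {
        pp = (uint8_t*)(p + 1) + p->offset;
        ps = (uint8_t*)(p_data + 1) + p_data->offset;
        memcpy(pp, ps, ulen);
      }
      /* adjust the NFC_HDR on the old fragment */
      p_data->len -= ulen;
      p_data->offset += ulen;
    }

    p->event = BT_EVT_TO_NFC_NCI;
    p->layer_specific = pbf;
    /* Prepend the NCI data header in front of the payload. Assumes
     * p->offset >= NCI_DATA_HDR_SIZE: true for fragment buffers built above;
     * for caller-supplied buffers it rests on the caller's offset. */
    p->len += NCI_DATA_HDR_SIZE;
    p->offset -= NCI_DATA_HDR_SIZE;
    pp = (uint8_t*)(p + 1) + p->offset;
    /* build NCI Data packet header */
    NCI_DATA_PBLD_HDR(pp, pbf, hdr0, ulen);

    /* One credit per packet sent, unless the connection is unflow-controlled. */
    if (p_cb->num_buff != NFC_CONN_NO_FC) p_cb->num_buff--;

    /* send to HAL */
    nfcsnoop_capture(p, false);
    HAL_WRITE(p);

    if (!fragmented) {
      /* check if there are more data to send */
      p_data = (NFC_HDR*)GKI_getfirst(&p_cb->tx_q);
    }
  }

  // log duration for the first hce data response; timer_start is armed
  // elsewhere and cleared here once reported.
  if (!empty_p_data && (timer_start.tv_sec != 0 || timer_start.tv_usec != 0)) {
    gettimeofday(&timer_end, nullptr);
    uint32_t delta_time_ms = (timer_end.tv_sec - timer_start.tv_sec) * 1000 +
                             (timer_end.tv_usec - timer_start.tv_usec) / 1000;
    memset(&timer_start, 0, sizeof(timer_start));
    memset(&timer_end, 0, sizeof(timer_end));
    nfc::stats::stats_write(nfc::stats::NFC_HCE_TRANSACTION_OCCURRED,
                            (int32_t)delta_time_ms);
    LOG(VERBOSE) << StringPrintf("nfc_ncif_send_data delta_time:%u",
                                 delta_time_ms);
  }
  return (NCI_STATUS_OK);
}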
251 
252 /*******************************************************************************
253 **
254 ** Function         nfc_ncif_check_cmd_queue
255 **
256 ** Description      Send NCI command to the transport
257 **
258 ** Returns          void
259 **
260 *******************************************************************************/
void nfc_ncif_check_cmd_queue(NFC_HDR* p_buf) {
  uint8_t* ps;
  /* If there are commands waiting in the xmit queue, or if the controller
   * cannot accept any more commands, then enqueue this command behind them
   * (p_buf == nullptr means "just try to drain the queue"). */
  if (p_buf) {
    if ((nfc_cb.nci_cmd_xmit_q.count) || (nfc_cb.nci_cmd_window == 0)) {
      GKI_enqueue(&nfc_cb.nci_cmd_xmit_q, p_buf);
      p_buf = nullptr;
    }
  }

  /* If controller can accept another command, then send the next command */
  if (nfc_cb.nci_cmd_window > 0) {
    /* If no command was provided, or if older commands were in the queue, then
     * get cmd from the queue */
    if (!p_buf) p_buf = (NFC_HDR*)GKI_dequeue(&nfc_cb.nci_cmd_xmit_q);

    if (p_buf) {
      /* Save the header and leading command bytes so the response can be
       * matched against them (nfc_ncif_process_event) and a timeout can
       * report which command went unanswered (nfc_ncif_event_status).
       * NOTE(review): these copies read NCI_MSG_HDR_SIZE + NFC_SAVED_CMD_SIZE
       * bytes without consulting p_buf->len; they rely on every queued
       * command being at least that long -- confirm for the VS/raw builders. */
      ps = (uint8_t*)(p_buf + 1) + p_buf->offset;
      memcpy(nfc_cb.last_hdr, ps, NFC_SAVED_HDR_SIZE);
      memcpy(nfc_cb.last_cmd, ps + NCI_MSG_HDR_SIZE, NFC_SAVED_CMD_SIZE);
      // Check first byte to check if this is an NFCEE command
      if (*ps == ((NCI_MT_CMD << NCI_MT_SHIFT) | NCI_GID_EE_MANAGE)) {
        memcpy(nfc_cb.last_nfcee_cmd, ps + NCI_MSG_HDR_SIZE,
               NFC_SAVED_CMD_SIZE);
      }
      /* layer_specific tags vendor-specific commands so their callback can be
       * routed when the response arrives; nfc_ncif_update_window clears it. */
      if (p_buf->layer_specific == NFC_WAIT_RSP_VSC) {
        /* save the callback for NCI VSCs)  */
        nfc_cb.p_vsc_cback = (void*)((tNFC_NCI_VS_MSG*)p_buf)->p_cback;
      } else if (p_buf->layer_specific == NFC_WAIT_RSP_RAW_VS) {
        /* save the callback for RAW VS; rawVsCbflag diverts the next matching
         * proprietary response in nfc_ncif_process_event */
        nfc_cb.p_vsc_cback = (void*)((tNFC_NCI_VS_MSG*)p_buf)->p_cback;
        nfc_cb.rawVsCbflag = true;
      }

      /* Indicate command is pending */
      nfc_cb.nci_cmd_window--;

      /* send to HAL */
      nfcsnoop_capture(p_buf, false);
      HAL_WRITE(p_buf);
      /* start NFC command-timeout timer; expiry runs nfc_ncif_cmd_timeout */
      nfc_start_timer(&nfc_cb.nci_wait_rsp_timer,
                      (uint16_t)(NFC_TTYPE_NCI_WAIT_RSP),
                      nfc_cb.nci_wait_rsp_tout);
    }
  }

  /* With the window fully open nothing is in flight, so this is the only
   * safe point to hand the command channel to the HAL. */
  if (nfc_cb.nci_cmd_window == NCI_MAX_CMD_WINDOW) {
    /* the command queue must be empty now */
    if (nfc_cb.flags & NFC_FL_CONTROL_REQUESTED) {
      /* HAL requested control or stack needs to handle pre-discover */
      nfc_cb.flags &= ~NFC_FL_CONTROL_REQUESTED;
      if (nfc_cb.flags & NFC_FL_DISCOVER_PENDING) {
        if (nfc_cb.p_hal->prediscover()) {
          /* HAL has the command window now; closing the window (0) blocks
           * the stack from sending until control is returned */
          nfc_cb.flags |= NFC_FL_CONTROL_GRANTED;
          nfc_cb.nci_cmd_window = 0;
        } else {
          /* HAL does not need to send command,
           * - restore the command window and issue the discovery command now.
           * p_disc_pending holds the parked discovery request: first byte is
           * the entry count, followed by the parameter array. */
          nfc_cb.flags &= ~NFC_FL_DISCOVER_PENDING;
          ps = (uint8_t*)nfc_cb.p_disc_pending;
          nci_snd_discover_cmd(*ps, (tNFC_DISCOVER_PARAMS*)(ps + 1));
          GKI_freebuf(nfc_cb.p_disc_pending);
          nfc_cb.p_disc_pending = nullptr;
        }
      } else if (nfc_cb.flags & NFC_FL_HAL_REQUESTED) {
        /* grant the control to HAL */
        nfc_cb.flags &= ~NFC_FL_HAL_REQUESTED;
        nfc_cb.flags |= NFC_FL_CONTROL_GRANTED;
        nfc_cb.nci_cmd_window = 0;
        nfc_cb.p_hal->control_granted();
      }
    }
  }
}
340 
341 #if (APPL_DTA_MODE == TRUE)
342 /*******************************************************************************
343 **
344 ** Function         nfc_ncif_getFWVersion
345 **
346 ** Description      This function is called to get the cached FW Version
347 **
348 ** Returns          tNFC_FW_VERSION
349 **
350 *******************************************************************************/
tNFC_FW_VERSION nfc_ncif_getFWVersion() {
  /* Hand back a copy of the cached firmware version (filled in elsewhere). */
  tNFC_FW_VERSION version_copy = nfc_fw_version;
  return version_copy;
}
352 #endif
353 
354 /*******************************************************************************
355 **
356 ** Function         nfc_ncif_send_cmd
357 **
358 ** Description      Send NCI command to the NCIT task
359 **
360 ** Returns          void
361 **
362 *******************************************************************************/
void nfc_ncif_send_cmd(NFC_HDR* p_buf) {
  /* Tag the buffer for the NCI transport with no response-type marker (so no
   * VSC callback is attached), then let the command-window logic either send
   * it now or queue it behind older commands. */
  p_buf->layer_specific = 0;
  p_buf->event = BT_EVT_TO_NFC_NCI;
  nfc_ncif_check_cmd_queue(p_buf);
}
369 
370 /*******************************************************************************
371 **
372 ** Function         nfc_ncif_process_event
373 **
374 ** Description      This function is called to process the
375 **                  data/response/notification from NFCC
376 **
377 ** Returns          TRUE if need to free buffer
378 **
379 *******************************************************************************/
/* Route a response whose header has already been parsed. The response is only
 * accepted when its GID/OID match the command saved in nfc_cb.last_hdr;
 * otherwise the command window is left untouched so the pending command still
 * times out. Returns true when p_msg must be freed by the caller. */
static bool nfc_ncif_route_rsp(NFC_HDR* p_msg, uint8_t gid, uint8_t oid) {
  uint8_t* p_saved = nfc_cb.last_hdr;
  uint8_t saved_mt, saved_pbf, saved_gid;
  NCI_MSG_PRS_HDR0(p_saved, saved_mt, saved_pbf, saved_gid);
  (void)saved_mt;
  (void)saved_pbf;
  const uint8_t saved_oid = (*p_saved) & NCI_OID_MASK;

  if ((saved_gid != gid) || (saved_oid != oid)) {
    LOG(ERROR) << StringPrintf(
        "nfc_ncif_process_event unexpected rsp: gid:0x%x, oid:0x%x", gid,
        oid);
    return true;
  }

  bool release = true;
  switch (gid) {
    case NCI_GID_CORE: /* 0000b NCI Core group */
      release = nci_proc_core_rsp(p_msg);
      break;
    case NCI_GID_RF_MANAGE: /* 0001b NCI Discovery group */
      nci_proc_rf_management_rsp(p_msg);
      break;
#if (NFC_NFCEE_INCLUDED == TRUE)
#if (NFC_RW_ONLY == FALSE)
    case NCI_GID_EE_MANAGE: /* 0x02 0010b NFCEE Discovery group */
      nci_proc_ee_management_rsp(p_msg);
      break;
#endif
#endif
    case NCI_GID_PROP: /* 1111b Proprietary */
      nci_proc_prop_rsp(p_msg);
      break;
    default:
      LOG(ERROR) << StringPrintf("NFC: Unknown gid:%d", gid);
      break;
  }

  /* The awaited response arrived (known group or not): give the slot back. */
  nfc_ncif_update_window();
  return release;
}

/* Route a notification to its group handler. Notifications never touch the
 * command window. */
static void nfc_ncif_route_ntf(NFC_HDR* p_msg, uint8_t gid) {
  switch (gid) {
    case NCI_GID_CORE: /* 0000b NCI Core group */
      nci_proc_core_ntf(p_msg);
      break;
    case NCI_GID_RF_MANAGE: /* 0001b NCI Discovery group */
      nci_proc_rf_management_ntf(p_msg);
      break;
#if (NFC_NFCEE_INCLUDED == TRUE)
#if (NFC_RW_ONLY == FALSE)
    case NCI_GID_EE_MANAGE: /* 0x02 0010b NFCEE Discovery group */
      nci_proc_ee_management_ntf(p_msg);
      break;
#endif
#endif
    case NCI_GID_PROP: /* 1111b Proprietary */
      nci_proc_prop_ntf(p_msg);
      break;
    default:
      LOG(ERROR) << StringPrintf("NFC: Unknown gid:%d", gid);
      break;
  }
}

bool nfc_ncif_process_event(NFC_HDR* p_msg) {
  uint8_t* p = (uint8_t*)(p_msg + 1) + p_msg->offset;

  /* Every NCI packet carries a 3-byte header (HDR0, HDR1, LEN); anything
   * shorter is dropped before the header bytes are read. */
  if (p_msg->len < 3) {
    LOG(ERROR) << StringPrintf("Invalid NCI packet: p_msg->len: %d",
                               p_msg->len);
    return true;
  }

  /* LEN is the payload size, excluding the header; the buffer must hold at
   * least what the packet claims or the group handlers would over-read. */
  const uint16_t claimed_len = p[2] + 3;
  if (p_msg->len < claimed_len) {
    LOG(ERROR) << StringPrintf("Invalid NCI packet: p_msg->len (%d) < len (%d)",
                               p_msg->len, claimed_len);
    return true;
  }

  nfcsnoop_capture(p_msg, true);

  uint8_t mt, pbf, gid;
  NCI_MSG_PRS_HDR0(p, mt, pbf, gid);
  (void)pbf;
  const uint8_t oid = (*p) & NCI_OID_MASK;

  /* A raw vendor-specific command is outstanding: its response is handed to
   * the raw VS path instead of the normal dispatch. */
  if (nfc_cb.rawVsCbflag == true &&
      nfc_ncif_proc_proprietary_rsp(mt, gid, oid) == true) {
    nci_proc_prop_raw_vs_rsp(p_msg);
    nfc_cb.rawVsCbflag = false;
    return true;
  }

  if (mt == NCI_MT_DATA) {
    LOG(VERBOSE) << StringPrintf("NFC received data");
    /* The data path keeps the buffer, so the caller must not free it. */
    nfc_ncif_proc_data(p_msg);
    return false;
  }

  if (mt == NCI_MT_RSP) {
    LOG(VERBOSE) << StringPrintf("NFC received rsp gid:%d", gid);
    return nfc_ncif_route_rsp(p_msg, gid, oid);
  }

  if (mt == NCI_MT_NTF) {
    LOG(VERBOSE) << StringPrintf("NFC received ntf gid:%d", gid);
    nfc_ncif_route_ntf(p_msg, gid);
    return true;
  }

  LOG(VERBOSE) << StringPrintf("NFC received unknown mt:0x%x, gid:%d", mt,
                               gid);
  return true;
}
497 
498 /*******************************************************************************
499 **
500 ** Function         nfc_ncif_rf_management_status
501 **
502 ** Description      This function is called to report an event
503 **
504 ** Returns          void
505 **
506 *******************************************************************************/
void nfc_ncif_rf_management_status(tNFC_DISCOVER_EVT event, uint8_t status) {
  /* Without a discovery callback there is nobody to report to. */
  if (nfc_cb.p_discv_cback == nullptr) return;

  tNFC_DISCOVER evt_data;
  evt_data.status = (tNFC_STATUS)status;
  (*nfc_cb.p_discv_cback)(event, &evt_data);
}
514 
515 /*******************************************************************************
516 **
517 ** Function         nfc_ncif_set_config_status
518 **
519 ** Description      This function is called to report NFC_SET_CONFIG_REVT
520 **
521 ** Returns          void
522 **
523 *******************************************************************************/
void nfc_ncif_set_config_status(uint8_t* p, uint8_t len) {
  /* Nothing to do without a response callback. */
  if (nfc_cb.p_resp_cback == nullptr) return;

  tNFC_RESPONSE evt_data;
  evt_data.set_config.num_param_id = 0;

  if (len == 0) {
    /* Not even a status byte: report a syntax error. */
    LOG(ERROR) << StringPrintf("Insufficient RSP length");
    evt_data.set_config.status = NFC_STATUS_SYNTAX_ERROR;
  } else {
    evt_data.set_config.status = (tNFC_STATUS)*p++;
    /* On failure the NFCC lists the rejected parameter IDs: one count byte
     * followed by that many IDs. The count is NFCC-controlled, so it is
     * bounded both by the param_ids array (b/114047681) and by the bytes
     * actually present before anything is copied. */
    const bool has_rejected_ids =
        (evt_data.set_config.status != NFC_STATUS_OK) && (len > 1);
    if (has_rejected_ids) {
      const uint8_t num_ids = *p++;
      if (num_ids > NFC_MAX_NUM_IDS) {
        android_errorWriteLog(0x534e4554, "114047681");
        LOG(ERROR) << StringPrintf("OOB write num_param_id %d", num_ids);
      } else if (num_ids <= len - 2) {
        evt_data.set_config.num_param_id = num_ids;
        STREAM_TO_ARRAY(evt_data.set_config.param_ids, p, num_ids);
      } else {
        LOG(ERROR) << StringPrintf("Insufficient RSP length %d,num_param_id %d",
                                   len, num_ids);
      }
    }
  }

  (*nfc_cb.p_resp_cback)(NFC_SET_CONFIG_REVT, &evt_data);
}
554 
555 /*******************************************************************************
556 **
557 ** Function         nfc_ncif_event_status
558 **
559 ** Description      This function is called to report an event
560 **
561 ** Returns          void
562 **
563 *******************************************************************************/
void nfc_ncif_event_status(tNFC_RESPONSE_EVT event, uint8_t status) {
  /* A hardware timeout is also recorded in the metrics stream, keyed by the
   * first two header bytes of the command that went unanswered. */
  const bool is_hw_timeout =
      (event == NFC_NFCC_TIMEOUT_REVT) && (status == NFC_STATUS_HW_TIMEOUT);
  if (is_hw_timeout) {
    const uint32_t cmd_hdr = (nfc_cb.last_hdr[0] << 8) | nfc_cb.last_hdr[1];
    nfc::stats::stats_write(nfc::stats::NFC_ERROR_OCCURRED,
                            (int32_t)NCI_TIMEOUT, (int32_t)cmd_hdr,
                            (int32_t)status);
  }

  if (nfc_cb.p_resp_cback == nullptr) return;

  tNFC_RESPONSE evt_data;
  evt_data.status = (tNFC_STATUS)status;
  (*nfc_cb.p_resp_cback)(event, &evt_data);
}
577 
578 /*******************************************************************************
579 **
580 ** Function         nfc_ncif_error_status
581 **
582 ** Description      This function is called to report an error event to data
583 **                  cback
584 **
585 ** Returns          void
586 **
587 *******************************************************************************/
void nfc_ncif_error_status(uint8_t conn_id, uint8_t status) {
  tNFC_CONN_CB* const p_cb = nfc_find_conn_cb_by_conn_id(conn_id);
  const bool has_listener = (p_cb != nullptr) && (p_cb->p_cback != nullptr);

  if (has_listener) {
    tNFC_CONN nfc_conn;
    nfc_conn.status = status;
    (*p_cb->p_cback)(conn_id, NFC_ERROR_CEVT, &nfc_conn);
  }

  /* Recorded even when the connection is unknown or has no callback. */
  nfc::stats::stats_write(nfc::stats::NFC_ERROR_OCCURRED, (int32_t)ERROR_NTF,
                          (int32_t)0, (int32_t)status);
}
598 
599 /*******************************************************************************
600 **
601 ** Function         nfc_ncif_proc_rf_field_ntf
602 **
603 ** Description      This function is called to process RF field notification
604 **
605 ** Returns          void
606 **
607 *******************************************************************************/
608 #if (NFC_RW_ONLY == FALSE)
void nfc_ncif_proc_rf_field_ntf(uint8_t rf_status) {
  if (nfc_cb.p_resp_cback == nullptr) return;

  /* Forward the RF field state exactly as the NFCC reported it, with an OK
   * status: the event itself is the information. */
  tNFC_RESPONSE evt_data;
  evt_data.status = (tNFC_STATUS)NFC_STATUS_OK;
  evt_data.rf_field.rf_field = rf_status;
  (*nfc_cb.p_resp_cback)(NFC_RF_FIELD_REVT, &evt_data);
}
617 #endif
618 
619 /*******************************************************************************
620 **
621 ** Function         nfc_ncif_proc_credits
622 **
623 ** Description      This function is called to process data credits
624 **
625 ** Returns          void
626 **
627 *******************************************************************************/
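void nfc_ncif_proc_credits(uint8_t* p, uint16_t plen) {
  if (plen == 0) return;

  /* Payload: one entry count, then {conn_id, credits} pairs. The count is
   * NFCC-controlled, so reject one the payload cannot hold (b/118148142)
   * before any pair is read. */
  const uint8_t num_entries = *p++;
  plen--;
  if (num_entries * 2 > plen) {
    android_errorWriteLog(0x534e4554, "118148142");
    return;
  }

  for (uint8_t xx = 0; xx < num_entries; xx++) {
    const uint8_t conn_id = *p++;
    const uint8_t credits = *p++;
    tNFC_CONN_CB* p_cb = nfc_find_conn_cb_by_conn_id(conn_id);
    /* Unknown connections and unflow-controlled ones take no credits. */
    if (p_cb == nullptr || p_cb->num_buff == NFC_CONN_NO_FC) continue;

    /* Sum in a wider type so an NFCC returning more credits than it granted
     * cannot wrap the 8-bit counter (and in particular cannot land on the
     * NFC_CONN_NO_FC sentinel); clamp to what the connection started with.
     * This clamp used to be compiled only with BT_USE_TRACES, but it is flow
     * control, not tracing, so it is now unconditional. */
    unsigned int total = (unsigned int)p_cb->num_buff + credits;
    if (total > p_cb->init_credits) {
      if (nfc_cb.nfc_state == NFC_STATE_OPEN) {
        /* if this happens in activated state, it's very likely that our
         * NFCC has issues */
        /* However, credit may be returned after deactivation */
        LOG(ERROR) << StringPrintf("num_buff:0x%x, init_credits:0x%x",
                                   (unsigned int)total, p_cb->init_credits);
      }
      total = p_cb->init_credits;
    }
    p_cb->num_buff = (uint8_t)total;

    /* check if there's any data in tx q to be sent with the new credits */
    nfc_ncif_send_data(p_cb, nullptr);
  }
}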
662 /*******************************************************************************
663 **
664 ** Function         nfc_ncif_decode_rf_params
665 **
666 ** Description      This function is called to process the detected technology
667 **                  and mode and the associated parameters for DISCOVER_NTF and
668 **                  ACTIVATE_NTF
669 **
670 ** Returns          void
671 **
672 *******************************************************************************/
/* p points at the length byte of the RF technology parameter block; the
 * caller must already have checked that `len` bytes follow it (see
 * nfc_ncif_proc_discover_ntf). `plen` tracks how many of those bytes remain
 * unread so every field read below is bounded by `len`. Whatever is decoded,
 * the function returns p_start + len, i.e. the first byte after the block,
 * so the caller keeps walking the packet correctly even on a malformed
 * block (which leaves p_param->param partially zero). */
uint8_t* nfc_ncif_decode_rf_params(tNFC_RF_TECH_PARAMS* p_param, uint8_t* p) {
  tNFC_RF_PA_PARAMS* p_pa;
  uint8_t len, *p_start, u8;
  tNFC_RF_PB_PARAMS* p_pb;
  tNFC_RF_LF_PARAMS* p_lf;
  tNFC_RF_PF_PARAMS* p_pf;
  tNFC_RF_PISO15693_PARAMS* p_i93;
  tNFC_RF_ACM_P_PARAMS* acm_p;
  uint8_t mpl_idx = 0;
  uint8_t gb_idx = 0, mpl;
  uint8_t plen;
  plen = len = *p++;
  p_start = p;
  /* Zeroed first so fields skipped by a short block read as 0, not stale. */
  memset(&p_param->param, 0, sizeof(tNFC_RF_TECH_PARAMU));

  if (NCI_DISCOVERY_TYPE_POLL_A == p_param->mode) {
    p_pa = &p_param->param.pa;
    /*
SENS_RES Response   2 bytes Defined in [DIGPROT] Available after Technology
Detection
NFCID1 length   1 byte  Length of NFCID1 Available after Collision Resolution
NFCID1  4, 7, or 10 bytes   Defined in [DIGPROT]Available after Collision
Resolution
SEL_RES Response    1 byte  Defined in [DIGPROT]Available after Collision
Resolution
HRx Length  1 Octets    Length of HRx Parameters collected from the response to
the T1T RID command.
HRx 0 or 2 Octets   If present, the first byte SHALL contain HR0 and the second
byte SHALL contain HR1 as defined in [DIGITAL].
    */
    /* sens_res (2) + nfcid1 length (1) */
    if (plen < 3) {
      goto invalid_packet;
    }
    plen -= 3;
    STREAM_TO_ARRAY(p_pa->sens_res, p, 2);
    p_pa->nfcid1_len = *p++;
    /* Clamp to the nfcid1 array size. A longer ID from the NFCC leaves p
     * misaligned with the packet for the rest of this block, but plen is
     * tracked with the clamped value so all later reads stay inside len. */
    if (p_pa->nfcid1_len > NCI_NFCID1_MAX_LEN)
      p_pa->nfcid1_len = NCI_NFCID1_MAX_LEN;

    /* nfcid1 + sel_res length (1) */
    if (plen < p_pa->nfcid1_len + 1) {
      goto invalid_packet;
    }
    plen -= (p_pa->nfcid1_len + 1);
    STREAM_TO_ARRAY(p_pa->nfcid1, p, p_pa->nfcid1_len);
    u8 = *p++;

    if (u8) {
      if (plen < 1) {
        goto invalid_packet;
      }
      plen--;
      p_pa->sel_rsp = *p++;
    }

    /* HR0/HR1 are only present when the block is exactly 3 bytes longer than
     * the fields consumed so far (hr_len + 2 bytes), so these three reads
     * are covered by len without a further plen check. */
    if (len ==
        (7 + p_pa->nfcid1_len + u8)) /* 2(sens_res) + 1(len) +
                                        p_pa->nfcid1_len + 1(len) + u8 + hr
                                        (1:len + 2) */
    {
      p_pa->hr_len = *p++;
      if (p_pa->hr_len == NCI_T1T_HR_LEN) {
        p_pa->hr[0] = *p++;
        p_pa->hr[1] = *p;
      }
    }
  } else if (NCI_DISCOVERY_TYPE_POLL_B == p_param->mode) {
    /*
SENSB_RES Response length (n)   1 byte  Length of SENSB_RES Response (Byte 2 -
Byte 12 or 13)Available after Technology Detection
SENSB_RES Response Byte 2 - Byte 12 or 13   11 or 12 bytes  Defined in [DIGPROT]
Available after Technology Detection
    */
    p_pb = &p_param->param.pb;

    if (plen < 1) {
      goto invalid_packet;
    }
    plen--;
    p_pb->sensb_res_len = *p++;
    if (p_pb->sensb_res_len > NCI_MAX_SENSB_RES_LEN)
      p_pb->sensb_res_len = NCI_MAX_SENSB_RES_LEN;

    if (plen < p_pb->sensb_res_len) {
      goto invalid_packet;
    }
    plen -= p_pb->sensb_res_len;
    STREAM_TO_ARRAY(p_pb->sensb_res, p, p_pb->sensb_res_len);
    /* Both reads below are from the fixed-size sensb_res array (zeroed
     * above), not from the packet, so a short SENSB_RES yields zeros rather
     * than an over-read -- assumes NCI_MAX_SENSB_RES_LEN > 10 and
     * >= NFC_NFCID0_MAX_LEN; confirm in nci_defs.h. */
    memcpy(p_pb->nfcid0, p_pb->sensb_res, NFC_NFCID0_MAX_LEN);
    p_pb->fwi = p_pb->sensb_res[10] >> 4;
  } else if (NCI_DISCOVERY_TYPE_POLL_F == p_param->mode) {
    /*
Bit Rate    1 byte  1   212 kbps/2   424 kbps/0 and 3 to 255  RFU
SENSF_RES Response length.(n) 1 byte  Length of SENSF_RES (Byte 2 - Byte 17 or
19).Available after Technology Detection
SENSF_RES Response Byte 2 - Byte 17 or 19  n bytes Defined in [DIGPROT]
Available after Technology Detection
    */
    p_pf = &p_param->param.pf;

    /* bit rate (1) + sensf_res length (1) */
    if (plen < 2) {
      goto invalid_packet;
    }
    plen -= 2;
    p_pf->bit_rate = *p++;
    p_pf->sensf_res_len = *p++;
    if (p_pf->sensf_res_len > NCI_MAX_SENSF_RES_LEN)
      p_pf->sensf_res_len = NCI_MAX_SENSF_RES_LEN;

    if (plen < p_pf->sensf_res_len) {
      goto invalid_packet;
    }
    plen -= p_pf->sensf_res_len;
    STREAM_TO_ARRAY(p_pf->sensf_res, p, p_pf->sensf_res_len);

    /* The NFCID2 and MRTI fields are extracted from sensf_res by index, so a
     * SENSF_RES too short to contain them is rejected here. */
    if (p_pf->sensf_res_len < NCI_MRTI_UPDATE_INDEX + 1) {
      goto invalid_packet;
    }
    memcpy(p_pf->nfcid2, p_pf->sensf_res, NCI_NFCID2_LEN);
    p_pf->mrti_check = p_pf->sensf_res[NCI_MRTI_CHECK_INDEX];
    p_pf->mrti_update = p_pf->sensf_res[NCI_MRTI_UPDATE_INDEX];
  } else if (NCI_DISCOVERY_TYPE_LISTEN_F == p_param->mode) {
    p_lf = &p_param->param.lf;

    /* One length byte; non-zero means a NFCID2 of NCI_NFCID2_LEN follows. */
    if (plen < 1) {
      goto invalid_packet;
    }
    plen--;
    u8 = *p++;
    if (u8) {
      if (plen < NCI_NFCID2_LEN) {
        goto invalid_packet;
      }
      plen -= NCI_NFCID2_LEN;
      STREAM_TO_ARRAY(p_lf->nfcid2, p, NCI_NFCID2_LEN);
    }
  } else if (NCI_DISCOVERY_TYPE_POLL_V == p_param->mode) {
    p_i93 = &p_param->param.pi93;

    /* flag (1) + dsfid (1), then the fixed-length UID */
    if (plen < 2) {
      goto invalid_packet;
    }
    plen -= 2;
    p_i93->flag = *p++;
    p_i93->dsfid = *p++;

    if (plen < NFC_ISO15693_UID_LEN) {
      goto invalid_packet;
    }
    plen -= NFC_ISO15693_UID_LEN;
    STREAM_TO_ARRAY(p_i93->uid, p, NFC_ISO15693_UID_LEN);
  } else if (NCI_DISCOVERY_TYPE_POLL_KOVIO == p_param->mode) {
    /* The whole parameter block is the UID; its length is the block length,
     * clamped to the uid array so the copy cannot overrun it. */
    p_param->param.pk.uid_len = len;
    if (p_param->param.pk.uid_len > NFC_KOVIO_MAX_LEN) {
      LOG(ERROR) << StringPrintf("Kovio UID len:0x%x exceeds max(0x%x)",
                                 p_param->param.pk.uid_len, NFC_KOVIO_MAX_LEN);
      p_param->param.pk.uid_len = NFC_KOVIO_MAX_LEN;
    }
    STREAM_TO_ARRAY(p_param->param.pk.uid, p, p_param->param.pk.uid_len);
  }
  /* Other modes (e.g. listen A/B) carry no decoded parameters here. */

invalid_packet:
  return (p_start + len);
}
836 
837 /*******************************************************************************
838 **
839 ** Function         nfc_ncif_proc_discover_ntf
840 **
841 ** Description      This function is called to process discover notification
842 **
843 ** Returns          void
844 **
845 *******************************************************************************/
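void nfc_ncif_proc_discover_ntf(uint8_t* p, uint16_t plen) {
  tNFC_DISCOVER evt_data;

  if (!nfc_cb.p_discv_cback) return;

  // Zero the event before parsing: the early-exit path below hands it to the
  // discovery callback with only `status` filled in, and
  // nfc_ncif_decode_rf_params() populates the rf_tech_param union only for the
  // fields of the reported mode. Without this the callback would read stack
  // garbage for everything else.
  memset(&evt_data, 0, sizeof(evt_data));

  // validate packet length should be larger than (NCI header + rf_disc_id +
  // protocol + mode + length of rf parameters).
  if (plen < NCI_MSG_HDR_SIZE + 4) {
    evt_data.status = NCI_STATUS_FAILED;
    goto invalid_packet;
  }
  plen -= (NCI_MSG_HDR_SIZE + 4);
  p += NCI_MSG_HDR_SIZE;
  evt_data.status = NCI_STATUS_OK;
  evt_data.result.rf_disc_id = *p++;
  evt_data.result.protocol = *p++;

  /* fill in tNFC_RESULT_DEVT */
  evt_data.result.rf_tech_param.mode = *p++;

  // *p is the length byte of the RF technology parameters; the remaining
  // payload must hold those bytes plus the trailing `more` byte.
  if (plen < *p + 1) {
    evt_data.status = NCI_STATUS_FAILED;
    goto invalid_packet;
  }
  plen -= (*p + 1);
  // decode_rf_params bounds itself by the length byte and returns the pointer
  // just past the parameter block.
  p = nfc_ncif_decode_rf_params(&evt_data.result.rf_tech_param, p);

  evt_data.result.more = *p++;

invalid_packet:
  (*nfc_cb.p_discv_cback)(NFC_RESULT_DEVT, &evt_data);
}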
879 
880 /*******************************************************************************
881 **
882 ** Function         nfc_ncif_proc_isodep_nak_presence_check_status
883 **
884 ** Description      This function is called to handle response and notification
885 **                  for presence check nak command
886 **
887 ** Returns          void
888 **
889 *******************************************************************************/
void nfc_ncif_proc_isodep_nak_presence_check_status(uint8_t status, bool is_ntf) {
  // Pure forwarder: the ISO-DEP NAK presence-check result (from either the
  // response or the notification, per is_ntf) is handled by the T4T
  // reader/writer module.
  rw_t4t_handle_isodep_nak_rsp(status, is_ntf);
}
894 
895 /*******************************************************************************
896 **
897 ** Function         nfc_ncif_proc_charging_status
898 **
899 ** Description      This function is called to process WPT start response
900 **
901 ** Returns          void
902 **
903 *******************************************************************************/
void nfc_ncif_proc_charging_status(uint8_t* p, uint8_t len) {
  tNFC_DISCOVER evt_data;

  // The WPT status payload is exactly one byte (the end condition); any other
  // length is reported to the discovery callback as a failure.
  if (len == 1) {
    evt_data.status = NCI_STATUS_OK;
    /* Return WPT End Condition */
    evt_data.wpt_result = *p;
    LOG(VERBOSE) << StringPrintf("%s; wpt_result=%d", __func__,
                                 evt_data.wpt_result);
  } else {
    evt_data.status = NCI_STATUS_FAILED;
    LOG(ERROR) << StringPrintf("%s; bad len:0x%x", __func__, len);
  }

  if (nfc_cb.p_discv_cback) {
    (*nfc_cb.p_discv_cback)(NFC_WPT_RESULT_DEVT, &evt_data);
  }
}
925 
926 /*******************************************************************************
927 **
928 ** Function         nfc_ncif_proc_activate
929 **
** Description      This function is called to process the RF interface
**                  activation notification (reported as NFC_ACTIVATE_DEVT)
932 **
933 ** Returns          void
934 **
935 *******************************************************************************/
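void nfc_ncif_proc_activate(uint8_t* p, uint8_t len) {
  tNFC_DISCOVER evt_data;
  tNFC_INTF_PARAMS* p_intf = &evt_data.activate.intf_param;
  tNFC_INTF_PA_ISO_DEP* p_pa_iso;
  tNFC_INTF_LB_ISO_DEP* p_lb_iso;
  tNFC_INTF_PB_ISO_DEP* p_pb_iso;
#if (NFC_RW_ONLY == FALSE)
  tNFC_INTF_PA_NFC_DEP* p_pa_nfc;
  int mpl_idx = 0;
  uint8_t gb_idx = 0, mpl;
#endif
  uint8_t t0;
  tNCI_DISCOVERY_TYPE mode;
  tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
  uint8_t *pp, len_act;
  uint8_t buff_size, num_buff;
  tNFC_RF_PA_PARAMS* p_pa;
  uint8_t plen = len, pplen = 0;

  // NOTE(review): the state is moved to OPEN before the packet is validated,
  // so a malformed activation still leaves the stack OPEN while the callback
  // is told NCI_STATUS_FAILED and p_cb is left untouched — confirm that is
  // the intended recovery path.
  nfc_set_state(NFC_STATE_OPEN);

  // Zero the whole event up front (not just intf_param): every
  // `goto invalid_packet` below delivers evt_data to the discovery callback
  // with only `status` set, and the per-mode parsers fill the unions only
  // partially. This also subsumes the previous memset of *p_intf.
  memset(&evt_data, 0, sizeof(evt_data));
  // validate packet length should be larger than (rf_disc_id + type +
  // protocol + mode + buff_size + num_buff + length of rf parameters).
  if (plen < 7) {
    evt_data.status = NCI_STATUS_FAILED;
    goto invalid_packet;
  }
  plen -= 7;

  evt_data.activate.rf_disc_id = *p++;
  p_intf->type = *p++;
  evt_data.activate.protocol = *p++;

  if (evt_data.activate.protocol == NCI_PROTOCOL_18092_ACTIVE)
    evt_data.activate.protocol = NCI_PROTOCOL_NFC_DEP;

  evt_data.activate.rf_tech_param.mode = *p++;
  buff_size = *p++;
  num_buff = *p++;
  /* fill in tNFC_activate_DEVT */
  // validate remaining packet length should be larger than (rf_tech_param +
  // data_mode + tx_bitrate + rx_bitrte + len_act). *p is the rf_tech_param
  // length byte.
  if (plen < *p + 4) {
    evt_data.status = NCI_STATUS_FAILED;
    goto invalid_packet;
  }
  plen -= (*p + 4);
  p = nfc_ncif_decode_rf_params(&evt_data.activate.rf_tech_param, p);

  evt_data.activate.data_mode = *p++;
  evt_data.activate.tx_bitrate = *p++;
  evt_data.activate.rx_bitrate = *p++;
  mode = evt_data.activate.rf_tech_param.mode;
  len_act = *p++;
  LOG(VERBOSE) << StringPrintf("nfc_ncif_proc_activate:%d %d, mode:0x%02x", len,
                               len_act, mode);
  /* just in case the interface reports activation parameters not defined in the
   * NCI spec */
  p_intf->intf_param.frame.param_len = len_act;
  if (p_intf->intf_param.frame.param_len > NFC_MAX_RAW_PARAMS)
    p_intf->intf_param.frame.param_len = NFC_MAX_RAW_PARAMS;
  pp = p;

  // From here on `plen` is the number of activation-parameter bytes left at
  // `p`. The raw copy below advances only `pp`, so the interface-specific
  // parsers re-read the same bytes through `p` and keep `plen` in step.
  if (plen < p_intf->intf_param.frame.param_len) {
    evt_data.status = NCI_STATUS_FAILED;
    goto invalid_packet;
  }
  STREAM_TO_ARRAY(p_intf->intf_param.frame.param, pp,
                  p_intf->intf_param.frame.param_len);
  if (evt_data.activate.intf_param.type == NCI_INTERFACE_ISO_DEP) {
    /* Make max payload of NCI aligned to max payload of ISO-DEP for better
     * performance */
    if (buff_size > NCI_ISO_DEP_MAX_INFO) buff_size = NCI_ISO_DEP_MAX_INFO;

    switch (mode) {
      case NCI_DISCOVERY_TYPE_POLL_A:
        p_pa_iso = &p_intf->intf_param.pa_iso;

        if (plen < 1) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        plen--;
        p_pa_iso->ats_res_len = *p++;

        if (p_pa_iso->ats_res_len == 0) break;

        if (p_pa_iso->ats_res_len > NFC_MAX_ATS_LEN)
          p_pa_iso->ats_res_len = NFC_MAX_ATS_LEN;

        if (plen < p_pa_iso->ats_res_len) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        plen -= p_pa_iso->ats_res_len;
        STREAM_TO_ARRAY(p_pa_iso->ats_res, p, p_pa_iso->ats_res_len);

        // Walk the copied ATS: pplen tracks how many bytes of ats_res are
        // still unread so the optional TA/TB/TC bytes are bounds-checked.
        pplen = p_pa_iso->ats_res_len;
        pp = &p_pa_iso->ats_res[NCI_ATS_T0_INDEX];
        t0 = p_pa_iso->ats_res[NCI_ATS_T0_INDEX];
        pp++;                           /* T0 */
        pplen--;
        if (t0 & NCI_ATS_TA_MASK) {
          if (pplen < 1) {
            evt_data.status = NCI_STATUS_FAILED;
            goto invalid_packet;
          }
          pplen--;
          pp++; /* TA */
        }
        if (t0 & NCI_ATS_TB_MASK) {
          /* FWI (Frame Waiting time Integer) & SPGI (Start-up Frame Guard time
           * Integer) */
          if (pplen < 1) {
            evt_data.status = NCI_STATUS_FAILED;
            goto invalid_packet;
          }
          pplen--;
          p_pa_iso->fwi = (((*pp) >> 4) & 0x0F);
          p_pa_iso->sfgi = ((*pp) & 0x0F);
          pp++; /* TB */
        }
        if (t0 & NCI_ATS_TC_MASK) {
          if (pplen < 1) {
            evt_data.status = NCI_STATUS_FAILED;
            goto invalid_packet;
          }
          pplen--;
          p_pa_iso->nad_used = ((*pp) & 0x01);
          pp++; /* TC */
        }
        // Whatever follows the interface bytes are the historical bytes.
        p_pa_iso->his_byte_len =
            (uint8_t)(p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res));
        if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN)
          p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN;
        if (pplen < p_pa_iso->his_byte_len) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        memcpy(p_pa_iso->his_byte, pp, p_pa_iso->his_byte_len);
        break;

      case NCI_DISCOVERY_TYPE_LISTEN_A:
        if (plen < 1) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        plen--;
        p_intf->intf_param.la_iso.rats = *p++;
        // timestamp consumed elsewhere; cleared again in nfc_ncif_proc_deactivate
        gettimeofday(&timer_start, nullptr);
        break;

      case NCI_DISCOVERY_TYPE_POLL_B:
        /* ATTRIB RSP
        Byte 1   Byte 2 ~ 2+n-1
        MBLI/DID Higher layer - Response
        */
        p_pb_iso = &p_intf->intf_param.pb_iso;

        if (plen < 1) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        plen--;
        p_pb_iso->attrib_res_len = *p++;

        if (p_pb_iso->attrib_res_len == 0) break;

        if (p_pb_iso->attrib_res_len > NFC_MAX_ATTRIB_LEN)
          p_pb_iso->attrib_res_len = NFC_MAX_ATTRIB_LEN;

        if (plen < p_pb_iso->attrib_res_len) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        plen -= p_pb_iso->attrib_res_len;
        STREAM_TO_ARRAY(p_pb_iso->attrib_res, p, p_pb_iso->attrib_res_len);
        p_pb_iso->mbli = (p_pb_iso->attrib_res[0]) >> 4;
        if (p_pb_iso->attrib_res_len > NFC_PB_ATTRIB_REQ_FIXED_BYTES) {
          p_pb_iso->hi_info_len =
              p_pb_iso->attrib_res_len - NFC_PB_ATTRIB_REQ_FIXED_BYTES;
          if (p_pb_iso->hi_info_len > NFC_MAX_GEN_BYTES_LEN)
            p_pb_iso->hi_info_len = NFC_MAX_GEN_BYTES_LEN;
          memcpy(p_pb_iso->hi_info,
                 &p_pb_iso->attrib_res[NFC_PB_ATTRIB_REQ_FIXED_BYTES],
                 p_pb_iso->hi_info_len);
        }
        break;

      case NCI_DISCOVERY_TYPE_LISTEN_B:
        /* ATTRIB CMD
        Byte 2~5 Byte 6  Byte 7  Byte 8  Byte 9  Byte 10 ~ 10+k-1
        NFCID0   Param 1 Param 2 Param 3 Param 4 Higher layer - INF
        */
        p_lb_iso = &p_intf->intf_param.lb_iso;

        if (plen < 1) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        plen--;
        p_lb_iso->attrib_req_len = *p++;

        if (p_lb_iso->attrib_req_len == 0) break;

        if (p_lb_iso->attrib_req_len > NFC_MAX_ATTRIB_LEN)
          p_lb_iso->attrib_req_len = NFC_MAX_ATTRIB_LEN;

        if (plen < p_lb_iso->attrib_req_len) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        plen -= p_lb_iso->attrib_req_len;
        STREAM_TO_ARRAY(p_lb_iso->attrib_req, p, p_lb_iso->attrib_req_len);

        // NFCID0 is mandatory; a shorter ATTRIB is malformed.
        if (p_lb_iso->attrib_req_len < NFC_NFCID0_MAX_LEN) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        memcpy(p_lb_iso->nfcid0, p_lb_iso->attrib_req, NFC_NFCID0_MAX_LEN);
        if (p_lb_iso->attrib_req_len > NFC_LB_ATTRIB_REQ_FIXED_BYTES) {
          p_lb_iso->hi_info_len =
              p_lb_iso->attrib_req_len - NFC_LB_ATTRIB_REQ_FIXED_BYTES;
          if (p_lb_iso->hi_info_len > NFC_MAX_GEN_BYTES_LEN)
            p_lb_iso->hi_info_len = NFC_MAX_GEN_BYTES_LEN;
          memcpy(p_lb_iso->hi_info,
                 &p_lb_iso->attrib_req[NFC_LB_ATTRIB_REQ_FIXED_BYTES],
                 p_lb_iso->hi_info_len);
        }
        gettimeofday(&timer_start, nullptr);
        break;
    }

  }
#if (NFC_RW_ONLY == FALSE)
  else if (evt_data.activate.intf_param.type == NCI_INTERFACE_NFC_DEP) {
    /* Make max payload of NCI aligned to max payload of NFC-DEP for better
     * performance */
    if (buff_size > NCI_NFC_DEP_MAX_DATA) buff_size = NCI_NFC_DEP_MAX_DATA;

    p_pa_nfc = &p_intf->intf_param.pa_nfc;

    if (plen < 1) {
      evt_data.status = NCI_STATUS_FAILED;
      goto invalid_packet;
    }
    plen--;
    p_pa_nfc->atr_res_len = *p++;

    if (p_pa_nfc->atr_res_len > 0) {
      if (p_pa_nfc->atr_res_len > NFC_MAX_ATS_LEN)
        p_pa_nfc->atr_res_len = NFC_MAX_ATS_LEN;

      if (plen < p_pa_nfc->atr_res_len) {
        evt_data.status = NCI_STATUS_FAILED;
        goto invalid_packet;
      }
      plen -= p_pa_nfc->atr_res_len;
      STREAM_TO_ARRAY(p_pa_nfc->atr_res, p, p_pa_nfc->atr_res_len);

      if ((mode == NCI_DISCOVERY_TYPE_POLL_A) ||
          (mode == NCI_DISCOVERY_TYPE_POLL_F)) {
        /* ATR_RES
        Byte 3~12 Byte 13 Byte 14 Byte 15 Byte 16 Byte 17 Byte 18~18+n
        NFCID3T   DIDT    BST     BRT     TO      PPT     [GT0 ... GTn] */
        mpl_idx = 14;
        gb_idx = NCI_P_GEN_BYTE_INDEX;

        if (p_pa_nfc->atr_res_len < NCI_L_NFC_DEP_TO_INDEX + 1) {
          evt_data.status = NCI_STATUS_FAILED;
          goto invalid_packet;
        }
        p_pa_nfc->waiting_time =
            p_pa_nfc->atr_res[NCI_L_NFC_DEP_TO_INDEX] & 0x0F;
      } else if ((mode == NCI_DISCOVERY_TYPE_LISTEN_A) ||
                 (mode == NCI_DISCOVERY_TYPE_LISTEN_F)) {
        /* ATR_REQ
        Byte 3~12 Byte 13 Byte 14 Byte 15 Byte 16 Byte 17~17+n
        NFCID3I   DIDI    BSI     BRI     PPI     [GI0 ... GIn] */
        mpl_idx = 13;
        gb_idx = NCI_L_GEN_BYTE_INDEX;
      }
      // For any other mode mpl_idx/gb_idx keep their initial value of 0.

      if (p_pa_nfc->atr_res_len < mpl_idx + 1) {
        evt_data.status = NCI_STATUS_FAILED;
        goto invalid_packet;
      }
      // Two-bit MPL code (0..3) indexes the 4-entry size table.
      mpl = ((p_pa_nfc->atr_res[mpl_idx]) >> 4) & 0x03;
      p_pa_nfc->max_payload_size = nfc_mpl_code_to_size[mpl];
      if (p_pa_nfc->atr_res_len > gb_idx) {
        p_pa_nfc->gen_bytes_len = p_pa_nfc->atr_res_len - gb_idx;
        if (p_pa_nfc->gen_bytes_len > NFC_MAX_GEN_BYTES_LEN)
          p_pa_nfc->gen_bytes_len = NFC_MAX_GEN_BYTES_LEN;
        memcpy(p_pa_nfc->gen_bytes, &p_pa_nfc->atr_res[gb_idx],
               p_pa_nfc->gen_bytes_len);
      }
    }
  }
#endif
  else if ((evt_data.activate.intf_param.type == NCI_INTERFACE_FRAME) &&
           (evt_data.activate.protocol == NCI_PROTOCOL_T1T)) {
    p_pa = &evt_data.activate.rf_tech_param.param.pa;
    // Only take the HR bytes from the activation parameters if the RF
    // technology parameters did not already carry them.
    if ((len_act == NCI_T1T_HR_LEN) && (p_pa->hr_len == 0)) {
      p_pa->hr_len = NCI_T1T_HR_LEN;

      if (plen < 2) {
        evt_data.status = NCI_STATUS_FAILED;
        goto invalid_packet;
      }
      plen -= 2;
      p_pa->hr[0] = *p++;
      p_pa->hr[1] = *p++;
    }
  }

  // Commit the negotiated parameters to the RF connection control block only
  // once the packet has been fully validated.
  p_cb->act_protocol = evt_data.activate.protocol;
  p_cb->act_interface = evt_data.activate.intf_param.type;
  p_cb->buff_size = buff_size;
  p_cb->num_buff = num_buff;
  p_cb->init_credits = num_buff;

invalid_packet:
  if (nfc_cb.p_discv_cback) {
    (*nfc_cb.p_discv_cback)(NFC_ACTIVATE_DEVT, &evt_data);
  }
}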
1263 
1264 /*******************************************************************************
1265 **
1266 ** Function         nfc_ncif_proc_deactivate
1267 **
1268 ** Description      This function is called to process de-activate
1269 **                  response and notification
1270 **
1271 ** Returns          void
1272 **
1273 *******************************************************************************/
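void nfc_ncif_proc_deactivate(uint8_t status, uint8_t deact_type, bool is_ntf) {
  tNFC_DISCOVER evt_data;
  tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
  void* p_data;

  nfc_set_state(NFC_STATE_IDLE);

  // Zero the event so `reason`, which is only populated for NCI 2.0+ below,
  // reaches both callbacks as 0 on older controllers instead of stack garbage.
  memset(&evt_data, 0, sizeof(evt_data));
  evt_data.deactivate.status = status;
  evt_data.deactivate.type = deact_type;
  evt_data.deactivate.is_ntf = is_ntf;
  if (NFC_GetNCIVersion() >= NCI_VERSION_2_0) {
    evt_data.deactivate.reason = nfc_cb.deact_reason;
  }

  /* Drop anything still queued on the RF connection in either direction */
  while ((p_data = GKI_dequeue(&p_cb->rx_q)) != nullptr) {
    GKI_freebuf(p_data);
  }

  while ((p_data = GKI_dequeue(&p_cb->tx_q)) != nullptr) {
    GKI_freebuf(p_data);
  }

  /* Connection-level listener first, then the discovery listener */
  if (p_cb->p_cback) {
    tNFC_CONN nfc_conn;
    nfc_conn.deactivate = evt_data.deactivate;
    (*p_cb->p_cback)(NFC_RF_CONN_ID, NFC_DEACTIVATE_CEVT, &nfc_conn);
  }

  if (nfc_cb.p_discv_cback) {
    (*nfc_cb.p_discv_cback)(NFC_DEACTIVATE_DEVT, &evt_data);
  }

  // clear the activation timestamp stored by nfc_ncif_proc_activate if it was
  // not consumed
  if (timer_start.tv_sec != 0 || timer_start.tv_usec != 0) {
    memset(&timer_start, 0, sizeof(timer_start));
  }
}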
1310 /*******************************************************************************
1311 **
1312 ** Function         nfc_ncif_proc_ee_action
1313 **
1314 ** Description      This function is called to process NFCEE ACTION NTF
1315 **
1316 ** Returns          void
1317 **
1318 *******************************************************************************/
1319 #if (NFC_NFCEE_INCLUDED == TRUE && NFC_RW_ONLY == FALSE)
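void nfc_ncif_proc_ee_action(uint8_t* p, uint16_t plen) {
  tNFC_EE_ACTION_REVT evt_data;
  tNFC_RESPONSE_CBACK* p_cback = nfc_cb.p_resp_cback;
  tNFC_RESPONSE nfc_response;
  uint8_t data_len, ulen, tag, *p_data;
  uint8_t max_len;

  if (!p_cback) return;

  memset(&evt_data.act_data, 0, sizeof(tNFC_ACTION_DATA));
  // Need nfcee_id + trigger + data length, plus at least one byte of data
  // (the RF_PROTOCOL / RF_TECHNOLOGY cases read one byte unconditionally).
  if (plen > 3) {
    plen -= 3;
  } else {
    evt_data.status = NFC_STATUS_FAILED;
    evt_data.nfcee_id = 0;
    nfc_response.ee_action = evt_data;
    (*p_cback)(NFC_EE_ACTION_REVT, &nfc_response);
    android_errorWriteLog(0x534e4554, "157649306");
    return;
  }
  evt_data.status = NFC_STATUS_OK;
  evt_data.nfcee_id = *p++;
  evt_data.act_data.trigger = *p++;
  data_len = *p++;
  // Never trust the declared length beyond what the packet actually holds.
  if (data_len > plen) data_len = (uint8_t)plen;

  switch (evt_data.act_data.trigger) {
    case NCI_EE_TRIG_7816_SELECT:
      if (data_len > NFC_MAX_AID_LEN) data_len = NFC_MAX_AID_LEN;
      evt_data.act_data.param.aid.len_aid = data_len;
      STREAM_TO_ARRAY(evt_data.act_data.param.aid.aid, p, data_len);
      break;
    case NCI_EE_TRIG_RF_PROTOCOL:
      evt_data.act_data.param.protocol = *p++;
      break;
    case NCI_EE_TRIG_RF_TECHNOLOGY:
      evt_data.act_data.param.technology = *p++;
      break;
    case NCI_EE_TRIG_APP_INIT:
      // TLV list: each entry is tag, length, value. data_len is the number
      // of bytes still inside the (already clamped) action data.
      while (data_len > NFC_TL_SIZE) {
        data_len -= NFC_TL_SIZE;
        tag = *p++;
        ulen = *p++;
        if (ulen > data_len) ulen = data_len;
        p_data = nullptr;
        max_len = ulen;
        switch (tag) {
          case NCI_EE_ACT_TAG_AID: /* AID                 */
            if (max_len > NFC_MAX_AID_LEN) max_len = NFC_MAX_AID_LEN;
            evt_data.act_data.param.app_init.len_aid = max_len;
            p_data = evt_data.act_data.param.app_init.aid;
            break;
          case NCI_EE_ACT_TAG_DATA: /* hex data for app    */
            if (max_len > NFC_MAX_APP_DATA_LEN)
              max_len = NFC_MAX_APP_DATA_LEN;
            evt_data.act_data.param.app_init.len_data = max_len;
            p_data = evt_data.act_data.param.app_init.data;
            break;
        }
        if (p_data) {
          memcpy(p_data, p, max_len);
        }
        // Always step over the whole value, not just the copied prefix:
        // previously `p` advanced by max_len (or not at all for an unknown
        // tag) while data_len was reduced by ulen, so an over-long or unknown
        // TLV desynchronised the parse and the next "tag" was read from the
        // middle of the value. ulen <= data_len <= plen, so this stays in
        // bounds.
        p += ulen;
        data_len -= ulen;
      }
      break;
  }
  nfc_response.ee_action = evt_data;
  (*p_cback)(NFC_EE_ACTION_REVT, &nfc_response);
}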
1389 
1390 /*******************************************************************************
1391 **
1392 ** Function         nfc_ncif_proc_ee_discover_req
1393 **
1394 ** Description      This function is called to process NFCEE DISCOVER REQ NTF
1395 **
1396 ** Returns          void
1397 **
1398 *******************************************************************************/
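void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) {
  tNFC_RESPONSE_CBACK* p_cback = nfc_cb.p_resp_cback;
  tNFC_EE_DISCOVER_REQ_REVT ee_disc_req;
  tNFC_EE_DISCOVER_INFO* p_info;
  uint8_t remaining;

  // The first byte (entry count) must exist before it is read or logged.
  if (!plen) {
    android_errorWriteLog(0x534e4554, "221856662");
    return;
  }

  LOG(VERBOSE) << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p,
                               plen);

  // The info array holds at most NFC_MAX_EE_DISC_ENTRIES entries.
  if (*p > NFC_MAX_EE_DISC_ENTRIES) {
    android_errorWriteLog(0x534e4554, "122361874");
    LOG(ERROR) << __func__ << "Exceed NFC_MAX_EE_DISC_ENTRIES";
    return;
  }

  if (!p_cback) return;

  remaining = *p++;
  plen--; /* count byte consumed; plen >= 1 was established above */
  ee_disc_req.status = NFC_STATUS_OK;
  // num_info is the number of entries actually decoded, not the count the
  // NFCC advertised: previously the advertised count was reported even when
  // the loop stopped early on a short packet, so the callback could walk
  // uninitialised `info` slots.
  ee_disc_req.num_info = 0;
  p_info = ee_disc_req.info;
  while ((remaining > 0) && (plen >= NFC_EE_DISCOVER_ENTRY_LEN)) {
    p_info->op = *p++;                  /* T */
    if (*p != NFC_EE_DISCOVER_INFO_LEN) /* L */
    {
      LOG(VERBOSE) << StringPrintf("bad entry len:%d", *p);
      return;
    }
    p++;
    /* V */
    p_info->nfcee_id = *p++;
    p_info->tech_n_mode = *p++;
    p_info->protocol = *p++;
    remaining--;
    plen -= NFC_EE_DISCOVER_ENTRY_LEN;
    p_info++;
    ee_disc_req.num_info++;
  }
  tNFC_RESPONSE nfc_response;
  nfc_response.ee_discover_req = ee_disc_req;
  (*p_cback)(NFC_EE_DISCOVER_REQ_REVT, &nfc_response);
}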
1451 
1452 /*******************************************************************************
1453 **
1454 ** Function         nfc_ncif_proc_get_routing
1455 **
1456 ** Description      This function is called to process get routing notification
1457 **
1458 ** Returns          void
1459 **
1460 *******************************************************************************/
void nfc_ncif_proc_get_routing(uint8_t* p, uint8_t len) {
  tNFC_GET_ROUTING_REVT evt_data;
  uint8_t more, num_entries, idx, *p_tlv;
  tNFC_STATUS status = NFC_STATUS_CONTINUE;

  // Need the `more` flag and the entry count, and someone to report to.
  if (len < 2 || !nfc_cb.p_resp_cback) return;

  more = *p++;
  num_entries = *p++;
  if (num_entries == 0) return;
  len -= 2;
  if (len < 2) {
    LOG(ERROR) << StringPrintf("Invalid len=%d", len);
    return;
  }

  // One callback per routing entry; the last entry of the last packet
  // (more == 0) is reported with NFC_STATUS_OK, everything else with
  // NFC_STATUS_CONTINUE.
  for (idx = 0; idx < num_entries; idx++) {
    const bool last_entry = (idx == (num_entries - 1));
    if (!more && last_entry) status = NFC_STATUS_OK;
    evt_data.status = (tNFC_STATUS)status;

    // qualifier_type + tlv_size header of this entry
    if (len < 2) return;
    len -= 2;
    evt_data.qualifier_type = *p++;
    evt_data.num_tlvs = 1;
    evt_data.tlv_size = *p++;
    if (evt_data.tlv_size > NFC_MAX_EE_TLV_SIZE) {
      android_errorWriteLog(0x534e4554, "117554809");
      LOG(ERROR) << __func__ << "Invalid data format";
      return;
    }
    if (evt_data.tlv_size > len) {
      LOG(ERROR) << StringPrintf("Invalid evt_data.tlv_size");
      return;
    }
    len -= evt_data.tlv_size;

    p_tlv = evt_data.param_tlvs;
    STREAM_TO_ARRAY(p_tlv, p, evt_data.tlv_size);

    tNFC_RESPONSE nfc_response;
    nfc_response.get_routing = evt_data;
    (*nfc_cb.p_resp_cback)(NFC_GET_ROUTING_REVT, &nfc_response);
  }
}
1503 #endif
1504 
1505 /*******************************************************************************
1506 **
1507 ** Function         nfc_ncif_proc_conn_create_rsp
1508 **
1509 ** Description      This function is called to process connection create
1510 **                  response
1511 **
1512 ** Returns          void
1513 **
1514 *******************************************************************************/
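void nfc_ncif_proc_conn_create_rsp(uint8_t* p, uint16_t plen,
                                   uint8_t dest_type) {
  tNFC_CONN_CB* p_cb;
  tNFC_STATUS status;
  tNFC_CONN_CBACK* p_cback;
  tNFC_CONN evt_data;
  uint8_t conn_id;

  /* find the pending connection control block */
  p_cb = nfc_find_conn_cb_by_conn_id(NFC_PEND_CONN_ID);
  if (!p_cb) return;

  // plen was previously ignored and the four body bytes read unconditionally.
  // It is taken to count the NCI header, like plen in
  // nfc_ncif_proc_discover_ntf (the caller is not visible here); the body must
  // hold status, buff_size, num_buff and conn_id. A short response is treated
  // as a failed create, which releases the pending control block below.
  if (plen < NCI_MSG_HDR_SIZE + 4) {
    LOG(ERROR) << StringPrintf("%s; bad len:0x%x", __func__, plen);
    status = NCI_STATUS_FAILED;
    conn_id = NFC_ILLEGAL_CONN_ID;
  } else {
    p += NCI_MSG_HDR_SIZE;
    status = *p++;
    p_cb->buff_size = *p++;
    p_cb->num_buff = p_cb->init_credits = *p++;
    conn_id = *p++;
    // conn_id indexes the connection table; an out-of-range id must not be
    // bound to the control block.
    if (conn_id > NFC_MAX_CONN_ID) {
      status = NCI_STATUS_FAILED;
      conn_id = NFC_ILLEGAL_CONN_ID;
    }
  }
  evt_data.conn_create.status = status;
  evt_data.conn_create.dest_type = dest_type;
  evt_data.conn_create.id = p_cb->id;
  evt_data.conn_create.buff_size = p_cb->buff_size;
  evt_data.conn_create.num_buffs = p_cb->num_buff;
  // Save the callback before the control block may be freed.
  p_cback = p_cb->p_cback;
  if (status == NCI_STATUS_OK) {
    nfc_set_conn_id(p_cb, conn_id);
  } else {
    nfc_free_conn_cb(p_cb);
  }

  if (p_cback) (*p_cback)(conn_id, NFC_CONN_CREATE_CEVT, &evt_data);
}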
1551 
1552 /*******************************************************************************
1553 **
1554 ** Function         nfc_ncif_report_conn_close_evt
1555 **
1556 ** Description      This function is called to report connection close event
1557 **
1558 ** Returns          void
1559 **
1560 *******************************************************************************/
void nfc_ncif_report_conn_close_evt(uint8_t conn_id, tNFC_STATUS status) {
  tNFC_CONN_CB* p_cb = nfc_find_conn_cb_by_conn_id(conn_id);
  if (p_cb == nullptr) return;

  // Capture the callback first: freeing the control block invalidates it.
  tNFC_CONN_CBACK* p_cback = p_cb->p_cback;
  nfc_free_conn_cb(p_cb);

  tNFC_CONN evt_data;
  evt_data.status = status;
  if (p_cback != nullptr) {
    (*p_cback)(conn_id, NFC_CONN_CLOSE_CEVT, &evt_data);
  }
}
1574 
1575 /*******************************************************************************
1576 **
1577 ** Function         nfc_ncif_proc_reset_rsp
1578 **
1579 ** Description      This function is called to process reset
1580 **                  response/notification
1581 **
1582 ** Returns          void
1583 **
1584 *******************************************************************************/
void nfc_ncif_proc_reset_rsp(uint8_t* p, bool is_ntf) {
  // The NCI payload length byte sits immediately before the payload.
  const uint8_t payload_len = *(p - 1);
  bool await_reset_ntf = false;
  uint8_t status;

  // First payload byte: the status of a RSP, or the trigger type of a NTF.
  status = (payload_len > 0) ? *p++ : NCI_STATUS_FAILED;

  if (is_ntf && (payload_len > 2)) {
    LOG(WARNING) << StringPrintf("reset notification!!:0x%x ", status);
    /* clean up, if the state is OPEN
     * FW does not report reset ntf right now */
    const bool expected_trigger =
        (status == NCI2_X_RESET_TRIGGER_TYPE_CORE_RESET_CMD_RECEIVED) ||
        (status == NCI2_X_RESET_TRIGGER_TYPE_POWERED_ON);
    if (expected_trigger) {
      LOG(VERBOSE) << StringPrintf(
          "CORE_RESET_NTF Received status nfc_state : 0x%x : 0x%x", status,
          nfc_cb.nfc_state);
      nfc_stop_timer(&nfc_cb.nci_wait_rsp_timer);
      // Skip one byte; the NCI version is the byte after it (payload_len > 2
      // guarantees it is present).
      nfc_cb.nci_version = p[1];
      LOG(VERBOSE) << StringPrintf(" CORE_RESET_NTF nci_version%x",
                                   nfc_cb.nci_version);
      status = NCI_STATUS_OK;
    } else {
      /* CORE_RESET_NTF received error case , trigger recovery*/
      LOG(ERROR) << StringPrintf(
          "CORE_RESET_NTF Received status nfc_state : 0x%x : 0x%x", status,
          nfc_cb.nfc_state);
      nfc_ncif_cmd_timeout();
      status = NCI_STATUS_FAILED;
    }
    if (nfc_cb.nfc_state == NFC_STATE_OPEN) {
      /*if any conn_cb is connected, close it.
        if any pending outgoing packets are dropped.*/
      nfc_reset_all_conn_cbs();
    }
  } else {
    // Plain CORE_RESET_RSP: the payload length tells the NCI generation.
    LOG(VERBOSE) << StringPrintf("CORE_RESET_RSP len :0x%x ", payload_len);
    if (payload_len == NCI_CORE_RESET_RSP_LEN(NCI_VERSION_2_0)) {
      await_reset_ntf = true;
    } else if (payload_len == NCI_CORE_RESET_RSP_LEN(NCI_VERSION_1_0)) {
      nfc_cb.nci_version = NCI_VERSION_1_0;
    }
  }

  if (nfc_cb.flags & (NFC_FL_RESTARTING | NFC_FL_POWER_CYCLE_NFCC)) {
    nfc_reset_all_conn_cbs();
  }

  if (status != NCI_STATUS_OK) {
    LOG(ERROR) << StringPrintf("Failed to reset NFCC");
    nfc_enabled(status, nullptr);
    return;
  }

  if (await_reset_ntf) {
    /* reset version reported by NFCC is NCI2.0 , start a timer for 2000ms to
     * wait for NTF*/
    nfc_start_timer(&nfc_cb.nci_wait_rsp_timer,
                    (uint16_t)(NFC_TTYPE_NCI_WAIT_RSP),
                    nfc_cb.nci_wait_rsp_tout);
  } else {
    nci_snd_core_init((nfc_cb.nci_version == NCI_VERSION_1_0)
                          ? NCI_VERSION_1_0
                          : NCI_VERSION_2_0);
  }
}
1650 
1651 /*******************************************************************************
1652 **
1653 ** Function         nfc_ncif_proc_init_rsp
1654 **
1655 ** Description      This function is called to process init response
1656 **
1657 ** Returns          void
1658 **
1659 *******************************************************************************/
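void nfc_ncif_proc_init_rsp(NFC_HDR* p_msg) {
  uint8_t *p, status;
  tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];

  p = (uint8_t*)(p_msg + 1) + p_msg->offset;

  // The response must carry at least the status byte after the NCI header
  // and the byte read at p[5] below (neither was length-checked before).
  // Anything shorter is treated as a failed CORE_INIT and follows the
  // existing failure path.
  if (p_msg->len < NCI_MSG_HDR_SIZE + 1 || p_msg->len < 6) {
    LOG(ERROR) << StringPrintf("%s; bad len:0x%x", __func__, p_msg->len);
    status = NCI_STATUS_FAILED;
  } else {
    /* handle init params in nfc_enabled */
    status = *(p + NCI_MSG_HDR_SIZE);
  }

  // NOTE(review): on both NCI_VERSION_UNKNOWN paths p_msg is neither stored
  // in nfc_cb nor freed here — confirm the caller releases it, otherwise a
  // GKI buffer leaks per retried reset.
  if (status == NCI_STATUS_OK) {
    if (nfc_cb.nci_version == NCI_VERSION_UNKNOWN) {
      nci_snd_core_reset(NCI_RESET_TYPE_RESET_CFG);
    } else {
      p_cb->id = NFC_RF_CONN_ID;
      // check scbr bit as per NCI 2.0 spec
      nfc_cb.isScbrSupported = p[5] & NCI_SCBR_MASK;
      LOG(VERBOSE) << StringPrintf("scbr support: 0x%x", nfc_cb.isScbrSupported);
      p_cb->act_protocol = NCI_PROTOCOL_UNKNOWN;

      nfc_set_state(NFC_STATE_W4_POST_INIT_CPLT);

      // The HAL keeps a reference to the message; it is released later, not
      // here.
      nfc_cb.p_nci_init_rsp = p_msg;
      nfc_cb.p_hal->core_initialized(p_msg->len, p);
    }
  } else {
    if (nfc_cb.nci_version == NCI_VERSION_UNKNOWN) {
      // First attempt failed: assume an NCI 1.0 controller and reset again.
      nfc_cb.nci_version = NCI_VERSION_1_0;
      nci_snd_core_reset(NCI_RESET_TYPE_RESET_CFG);
    } else {
      nfc_enabled(status, nullptr);
      GKI_freebuf(p_msg);
    }
  }
}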
1693 
1694 /*******************************************************************************
1695 **
1696 ** Function         nfc_ncif_proc_get_config_rsp
1697 **
1698 ** Description      This function is called to process get config response
1699 **
1700 ** Returns          void
1701 **
1702 *******************************************************************************/
/*******************************************************************************
**
** Function         nfc_ncif_proc_get_config_rsp
**
** Description      Process CORE_GET_CONFIG_RSP: strip the NCI header from
**                  p_evt and hand the status and parameter TLVs to the
**                  registered response callback as NFC_GET_CONFIG_REVT.
**
**                  The header is stripped (offset/len adjusted) even when no
**                  callback is registered. tlv_size is the payload length
**                  including the leading status byte, while p_param_tlvs
**                  points just past it — NOTE(review): confirm consumers expect
**                  that off-by-one, or that the callee compensates.
**
**                  NOTE(review): p_evt->len is decremented without a lower
**                  bound check; a message shorter than NCI_MSG_HDR_SIZE would
**                  wrap len — relies on the caller's length validation.
**
** Returns          void
**
*******************************************************************************/
void nfc_ncif_proc_get_config_rsp(NFC_HDR* p_evt) {
  /* After this, offset/len describe the payload that follows the header. */
  p_evt->offset += NCI_MSG_HDR_SIZE;
  p_evt->len -= NCI_MSG_HDR_SIZE;

  tNFC_RESPONSE_CBACK* const p_cback = nfc_cb.p_resp_cback;
  if (p_cback == nullptr) return;

  uint8_t* const payload = reinterpret_cast<uint8_t*>(p_evt + 1) + p_evt->offset;
  tNFC_RESPONSE evt_data;
  evt_data.get_config.status = payload[0];
  evt_data.get_config.tlv_size = p_evt->len;
  evt_data.get_config.p_param_tlvs = payload + 1;
  (*p_cback)(NFC_GET_CONFIG_REVT, &evt_data);
}
1718 
1719 /*******************************************************************************
1720 **
1721 ** Function         nfc_ncif_proc_t3t_polling_rsp
1722 **
1723 ** Description      Handle NCI_MSG_RF_T3T_POLLING RSP
1724 **
1725 ** Returns          void
1726 **
1727 *******************************************************************************/
/*******************************************************************************
**
** Function         nfc_ncif_proc_t3t_polling_rsp
**
** Description      Handle NCI_MSG_RF_T3T_POLLING RSP by forwarding the NCI
**                  status to the RW T3T module, which owns the poll state.
**
** Returns          void
**
*******************************************************************************/
void nfc_ncif_proc_t3t_polling_rsp(uint8_t status) {
  const uint8_t poll_status = status;
  rw_t3t_handle_nci_poll_rsp(poll_status);
}
1731 
1732 /*******************************************************************************
1733 **
1734 ** Function         nfc_ncif_proc_t3t_polling_ntf
1735 **
1736 ** Description      Handle NCI_MSG_RF_T3T_POLLING NTF
1737 **
1738 ** Returns          void
1739 **
1740 *******************************************************************************/
/*******************************************************************************
**
** Function         nfc_ncif_proc_t3t_polling_ntf
**
** Description      Handle NCI_MSG_RF_T3T_POLLING NTF. The payload starts with
**                  a status byte and a response count; both are consumed here
**                  and the rest is passed to RW_T3T together with its length.
**                  Notifications shorter than NFC_TL_SIZE are dropped.
**
**                  The remaining length is narrowed to uint8_t for the callee.
**                  NOTE(review): a payload longer than 255 + NFC_TL_SIZE bytes
**                  would be silently truncated by that cast — confirm the
**                  caller bounds plen.
**
** Returns          void
**
*******************************************************************************/
void nfc_ncif_proc_t3t_polling_ntf(uint8_t* p, uint16_t plen) {
  /* Need at least the status + count prefix before touching the payload. */
  if (plen < NFC_TL_SIZE) return;

  uint8_t poll_status;
  uint8_t rsp_count;
  STREAM_TO_UINT8(poll_status, p);
  STREAM_TO_UINT8(rsp_count, p);
  const uint16_t remaining = plen - NFC_TL_SIZE;

  /* Pass result to RW_T3T for processing */
  rw_t3t_handle_nci_poll_ntf(poll_status, rsp_count, (uint8_t)remaining, p);
}
1755 
1756 /*******************************************************************************
1757 **
1758 ** Function         nfc_data_event
1759 **
1760 ** Description      Report Data event on the given connection control block
1761 **
1762 ** Returns          void
1763 **
1764 *******************************************************************************/
/*******************************************************************************
**
** Function         nfc_data_event
**
** Description      Report Data event on the given connection control block.
**                  Drains p_cb->rx_q front to back, delivering each buffer to
**                  p_cb->p_cback as NFC_DATA_CEVT. A buffer still waiting for
**                  more fragments (NFC_RAS_FRAGMENTED) is left in the queue
**                  unless it can no longer grow (NFC_RAS_TOO_BIG) or this is
**                  the RF connection with reassembly disabled; partial data is
**                  then delivered with NFC_STATUS_CONTINUE.
**
**                  For the RF connection, T1T/T2T/T3T (and T5T on NCI >= 2.0)
**                  payloads carry a trailing status byte which is removed from
**                  the buffer and reported as the event status.
**
**                  Does nothing if no callback is registered on p_cb.
**
** Returns          void
**
*******************************************************************************/
void nfc_data_event(tNFC_CONN_CB* p_cb) {
  if (!p_cb->p_cback) return;

  NFC_HDR* p_evt;
  tNFC_DATA_CEVT data_cevt;

  while ((p_evt = (NFC_HDR*)GKI_getfirst(&p_cb->rx_q)) != nullptr) {
    if (p_evt->layer_specific & NFC_RAS_FRAGMENTED) {
      /* Not the last fragment. Keep waiting for the rest as long as the
       * buffer can still hold more and (for the RF connection) the upper
       * layer asked for reassembly. */
      const bool can_grow = !(p_evt->layer_specific & NFC_RAS_TOO_BIG);
      if (can_grow &&
          ((p_cb->conn_id != NFC_RF_CONN_ID) || nfc_cb.reassembly)) {
        break;
      }
    }

    p_evt = (NFC_HDR*)GKI_dequeue(&p_cb->rx_q);

    /* Strip the NCI data header; offset/len now describe the payload. */
    p_evt->offset += NCI_MSG_HDR_SIZE;
    p_evt->len -= NCI_MSG_HDR_SIZE;

    if (p_evt->layer_specific == 0) {
      /* Complete packet: re-arm reassembly for the next one. */
      nfc_cb.reassembly = true;
      data_cevt.status = NFC_STATUS_OK;
    } else {
      data_cevt.status = NFC_STATUS_CONTINUE;
    }
    data_cevt.p_data = p_evt;

    /* adjust payload, if needed */
    if (p_cb->conn_id == NFC_RF_CONN_ID && p_evt->len) {
      if ((p_cb->act_protocol >= NCI_PROTOCOL_T1T) &&
          (p_cb->act_protocol <= NCI_PROTOCOL_T3T)) {
        /* T1T/T2T/T3T: the last payload byte is a status byte, not data. */
        p_evt->len--;
        const uint8_t* const payload =
            reinterpret_cast<uint8_t*>(p_evt + 1) + p_evt->offset;
        data_cevt.status = payload[p_evt->len];

        if ((NFC_GetNCIVersion() >= NCI_VERSION_2_0) &&
            (p_cb->act_protocol == NCI_PROTOCOL_T2T) &&
            (p_cb->act_interface == NCI_INTERFACE_FRAME)) {
          /* T2T over the frame interface on NCI 2.0 reports short (1..7 bit)
           * responses through dedicated status codes; treat those as OK. */
          if (data_cevt.status != NFC_STATUS_OK) {
            const bool short_frame_ok =
                (data_cevt.status >= T2T_STATUS_OK_1_BIT) &&
                (data_cevt.status <= T2T_STATUS_OK_7_BIT);
            if (short_frame_ok) {
              LOG(VERBOSE) << StringPrintf("%s: T2T tag data xchange", __func__);
              data_cevt.status = NFC_STATUS_OK;
            }
          }
        }
      }
      if ((NFC_GetNCIVersion() >= NCI_VERSION_2_0) &&
          (p_cb->act_protocol == NCI_PROTOCOL_T5T)) {
        /* T5T on NCI 2.0 also carries a trailing status byte. */
        p_evt->len--;
        const uint8_t* const payload =
            reinterpret_cast<uint8_t*>(p_evt + 1) + p_evt->offset;
        data_cevt.status = payload[p_evt->len];
      }
    }

    tNFC_CONN nfc_conn;
    nfc_conn.data = data_cevt;
    (*p_cb->p_cback)(p_cb->conn_id, NFC_DATA_CEVT, &nfc_conn);
  }
}
1833 
1834 /*******************************************************************************
1835 **
1836 ** Function         nfc_ncif_proc_data
1837 **
1838 ** Description      Find the connection control block associated with the data
1839 **                  packet. Assemble the data packet, if needed.
1840 **                  Report the Data event.
1841 **
1842 ** Returns          void
1843 **
1844 *******************************************************************************/
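/*******************************************************************************
**
** Function         nfc_ncif_proc_data
**
** Description      Find the connection control block associated with the data
**                  packet. Assemble the data packet, if needed.
**                  Report the Data event.
**
**                  The packet length used for every copy is the real buffer
**                  length (p_msg->len minus the NCI header), never the length
**                  field claimed by the NCI header, which is only logged.
**                  Packets shorter than NCI_DATA_HDR_SIZE, or addressed to an
**                  unknown connection id, are freed and dropped.
**
**                  Reassembly: when the last queued buffer is still waiting
**                  for fragments (NFC_RAS_FRAGMENTED) the new payload is
**                  appended to it, migrating to the largest GKI pool when it
**                  does not fit. If no buffer can hold both pieces, the
**                  queued data is flagged NFC_RAS_TOO_BIG, delivered as-is
**                  with status Continue, and p_msg is queued on its own.
**
**                  Ownership: p_msg is either queued on p_cb->rx_q or freed
**                  before this function returns.
**
** Returns          void
**
*******************************************************************************/
void nfc_ncif_proc_data(NFC_HDR* p_msg) {
  uint8_t *pp, cid;
  tNFC_CONN_CB* p_cb;
  uint8_t pbf;
  NFC_HDR* p_last;
  uint8_t *ps, *pd;
  uint16_t size;
  NFC_HDR* p_max = nullptr;
  uint16_t len;

  /* Check the buffer length before the header parse and the debug log
   * below read the first header bytes; a short packet must not reach them. */
  if (p_msg->len < NCI_DATA_HDR_SIZE) {
    LOG(ERROR) << StringPrintf("nfc_ncif_proc_data: short packet len:%d",
                               p_msg->len);
    GKI_freebuf(p_msg);
    return;
  }

  pp = (uint8_t*)(p_msg + 1) + p_msg->offset;
  LOG(VERBOSE) << StringPrintf("nfc_ncif_proc_data 0x%02x%02x%02x", pp[0], pp[1],
                             pp[2]);
  NCI_DATA_PRS_HDR(pp, pbf, cid, len);
  p_cb = nfc_find_conn_cb_by_conn_id(cid);
  if (p_cb == nullptr) {
    /* No control block for this connection id: nowhere to route it. */
    GKI_freebuf(p_msg);
    return;
  }

  /* 'len' here is still the header's claimed payload length; it is logged
   * for diagnostics only and replaced by the real buffer length next. */
  LOG(VERBOSE) << StringPrintf("nfc_ncif_proc_data len:%d", len);
  len = p_msg->len - NCI_MSG_HDR_SIZE;

  p_msg->layer_specific = 0;
  if (pbf) {
    /* Packet Boundary Flag set: more fragments follow this one. */
    NFC_SetReassemblyFlag(true);
    p_msg->layer_specific = NFC_RAS_FRAGMENTED;
  }

  p_last = (NFC_HDR*)GKI_getlast(&p_cb->rx_q);
  if (p_last && (p_last->layer_specific & NFC_RAS_FRAGMENTED)) {
    /* last data buffer is not last fragment, append this new packet to the
     * last */
    size = GKI_get_buf_size(p_last);
    if (size < (NFC_HDR_SIZE + p_last->len + p_last->offset + len)) {
      /* the current size of p_last is not big enough to hold the new
       * fragment, p_msg */
      if (size != GKI_MAX_BUF_SIZE) {
        /* try the biggest GKI pool */
        p_max = (NFC_HDR*)GKI_getpoolbuf(GKI_MAX_BUF_SIZE_POOL_ID);
        if (p_max) {
          /* copy the content of last buffer to the new buffer */
          memcpy(p_max, p_last, NFC_HDR_SIZE);
          pd = (uint8_t*)(p_max + 1) + p_max->offset;
          ps = (uint8_t*)(p_last + 1) + p_last->offset;
          memcpy(pd, ps, p_last->len);

          /* place the new buffer in the queue instead */
          GKI_remove_from_queue(&p_cb->rx_q, p_last);
          GKI_freebuf(p_last);
          GKI_enqueue(&p_cb->rx_q, p_max);
          p_last = p_max;
          /* Re-measure the replacement so the capacity decision below is
           * made against the buffer we will actually copy into. */
          size = GKI_get_buf_size(p_last);
        }
      }
      /* Still too small: either the biggest pool was unavailable, the
       * buffer already was the biggest size, or the biggest pool is not
       * large enough to hold the old data plus this fragment. */
      if (size < (NFC_HDR_SIZE + p_last->len + p_last->offset + len)) {
        p_last->layer_specific |= NFC_RAS_TOO_BIG;
      }
    }

    ps = (uint8_t*)(p_msg + 1) + p_msg->offset + NCI_MSG_HDR_SIZE;

    if (!(p_last->layer_specific & NFC_RAS_TOO_BIG)) {
      /* Capacity was verified above; append the new payload in place. */
      pd = (uint8_t*)(p_last + 1) + p_last->offset + p_last->len;
      memcpy(pd, ps, len);
      p_last->len += len;
      /* do not need to update pbf and len in NCI header.
       * They are stripped off at NFC_DATA_CEVT and len may exceed 255 */
      LOG(VERBOSE) << StringPrintf("nfc_ncif_proc_data len:%d", p_last->len);
      /* The merged buffer inherits the fragment state of the newest piece. */
      p_last->layer_specific = p_msg->layer_specific;
      GKI_freebuf(p_msg);
      nfc_data_event(p_cb);
    } else {
      /* Not enough memory to add new buffer
       * Send data already in queue first with status Continue */
      nfc_data_event(p_cb);
      /* now enqueue the new buffer to the rx queue */
      GKI_enqueue(&p_cb->rx_q, p_msg);
    }
    return;
  }

  /* if this is the first fragment on RF link */
  if ((p_msg->layer_specific & NFC_RAS_FRAGMENTED) &&
      (p_cb->conn_id == NFC_RF_CONN_ID) && (p_cb->p_cback)) {
    /* Indicate upper layer that local device started receiving data */
    (*p_cb->p_cback)(p_cb->conn_id, NFC_DATA_START_CEVT, nullptr);
  }
  /* enqueue the new buffer to the rx queue */
  GKI_enqueue(&p_cb->rx_q, p_msg);
  nfc_data_event(p_cb);
}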
1936 
1937 /*******************************************************************************
1938 **
** Function         nfc_ncif_proc_proprietary_rsp
**
** Description      Classify an incoming NCI packet by message type, group id
**                  and opcode so that standard responses are not confused
**                  with a proprietary response while rawVsCbflag is set
**
** Returns          true if proprietary response else false
1945 **
1946 *******************************************************************************/
/*******************************************************************************
**
** Function         nfc_ncif_proc_proprietary_rsp
**
** Description      Decide whether a packet with the given message type (mt),
**                  group id (gid) and opcode id (oid) is proprietary. Only a
**                  fixed set of standard data responses and notifications is
**                  recognised as non-proprietary; everything else — including
**                  any other message type or an unknown notification group —
**                  is reported as proprietary.
**
**                  NOTE(review): for NCI_MT_DATA the gid/oid arguments are
**                  presumably the fields the caller extracted from a data
**                  header rather than a control header — verify against the
**                  caller before relying on the 0x03/0x00 test.
**
** Returns          true if proprietary response else false
**
*******************************************************************************/
bool nfc_ncif_proc_proprietary_rsp(uint8_t mt, uint8_t gid, uint8_t oid) {
  LOG(VERBOSE) << StringPrintf("%s: mt=%u, gid=%u, oid=%u", __func__, mt, gid,
                             oid);

  bool is_proprietary = false;
  if (mt == NCI_MT_DATA) {
    /* Data packets are standard when gid is 0x03 or oid is 0x00. */
    is_proprietary = (gid != 0x03) && (oid != 0x00);
  } else if (mt == NCI_MT_NTF) {
    switch (gid) {
      case NCI_GID_CORE:
        /* standard: CORE_RESET_NTF (0x00) and CORE_CONN_CREDITS_NTF (0x06) */
        is_proprietary = (oid != 0x00) && (oid != 0x06);
        break;
      case NCI_GID_RF_MANAGE:
        /* standard: opcodes 0x06, 0x09 (EE action) and 0x0A (EE discovery
         * request) */
        is_proprietary = (oid != 0x06) && (oid != 0x09) && (oid != 0x0A);
        break;
      case NCI_GID_EE_MANAGE:
        is_proprietary = (oid != 0x00);
        break;
      case NCI_GID_PROP:
        is_proprietary = (oid != 0x02);
        break;
      default:
        is_proprietary = true;
        break;
    }
  } else {
    is_proprietary = true;
  }

  LOG(VERBOSE) << StringPrintf("%s: exit status=%u", __func__, is_proprietary);
  return is_proprietary;
}
1988 
1989 /*******************************************************************************
1990 ** Function         nfc_mode_set_ntf_timeout
1991 **
1992 ** Description      This function is invoked on mode set ntf timeout
1993 **
1994 ** Returns          void
1995 **
1996 *******************************************************************************/
/*******************************************************************************
** Function         nfc_mode_set_ntf_timeout
**
** Description      Invoked when the NFCEE_MODE_SET NTF does not arrive in
**                  time. Synthesizes a failed NFC_NFCEE_MODE_SET_REVT
**                  (status NCI_STATUS_FAILED, mode NCI_NFCEE_MD_DEACTIVATE)
**                  for the NFCEE id of the last NFCEE command and reports it
**                  to the registered response callback, if any.
**
** Returns          void
**
*******************************************************************************/
void nfc_mode_set_ntf_timeout() {
  LOG(ERROR) << StringPrintf("%s", __func__);

  tNFC_RESPONSE nfc_response;
  nfc_response.mode_set.status = NCI_STATUS_FAILED;
  /* NOTE(review): assumes nfc_cb.last_nfcee_cmd still points at the payload
   * of the command that armed this timer — confirm it is never cleared
   * before the timeout fires. */
  nfc_response.mode_set.nfcee_id = *nfc_cb.last_nfcee_cmd;
  nfc_response.mode_set.mode = NCI_NFCEE_MD_DEACTIVATE;

  tNFC_RESPONSE_CBACK* const p_cback = nfc_cb.p_resp_cback;
  if (p_cback == nullptr) return;
  (*p_cback)(NFC_NFCEE_MODE_SET_REVT, &nfc_response);
}
2008