1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* SCTP kernel implementation
3 * (C) Copyright IBM Corp. 2001, 2004
4 * Copyright (c) 1999-2000 Cisco, Inc.
5 * Copyright (c) 1999-2001 Motorola, Inc.
6 * Copyright (c) 2001-2002 Intel Corp.
7 * Copyright (c) 2002 Nokia Corp.
8 *
9 * This is part of the SCTP Linux Kernel Implementation.
10 *
11 * These are the state functions for the state machine.
12 *
13 * Please send any bug reports or fixes you make to the
14 * email address(es):
15 * lksctp developers <linux-sctp@vger.kernel.org>
16 *
17 * Written or modified by:
18 * La Monte H.P. Yarroll <piggy@acm.org>
19 * Karl Knutson <karl@athena.chicago.il.us>
20 * Mathew Kotowsky <kotowsky@sctp.org>
21 * Sridhar Samudrala <samudrala@us.ibm.com>
22 * Jon Grimm <jgrimm@us.ibm.com>
23 * Hui Huang <hui.huang@nokia.com>
24 * Dajiang Zhang <dajiang.zhang@nokia.com>
25 * Daisy Chang <daisyc@us.ibm.com>
26 * Ardelle Fan <ardelle.fan@intel.com>
27 * Ryan Layer <rmlayer@us.ibm.com>
28 * Kevin Gao <kevin.gao@intel.com>
29 */
30
31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
32
33 #include <linux/types.h>
34 #include <linux/kernel.h>
35 #include <linux/ip.h>
36 #include <linux/ipv6.h>
37 #include <linux/net.h>
38 #include <linux/inet.h>
39 #include <linux/slab.h>
40 #include <net/sock.h>
41 #include <net/inet_ecn.h>
42 #include <linux/skbuff.h>
43 #include <net/sctp/sctp.h>
44 #include <net/sctp/sm.h>
45 #include <net/sctp/structs.h>
46
47 #define CREATE_TRACE_POINTS
48 #include <trace/events/sctp.h>
49
50 static struct sctp_packet *sctp_abort_pkt_new(
51 struct net *net,
52 const struct sctp_endpoint *ep,
53 const struct sctp_association *asoc,
54 struct sctp_chunk *chunk,
55 const void *payload, size_t paylen);
56 static int sctp_eat_data(const struct sctp_association *asoc,
57 struct sctp_chunk *chunk,
58 struct sctp_cmd_seq *commands);
59 static struct sctp_packet *sctp_ootb_pkt_new(
60 struct net *net,
61 const struct sctp_association *asoc,
62 const struct sctp_chunk *chunk);
63 static void sctp_send_stale_cookie_err(struct net *net,
64 const struct sctp_endpoint *ep,
65 const struct sctp_association *asoc,
66 const struct sctp_chunk *chunk,
67 struct sctp_cmd_seq *commands,
68 struct sctp_chunk *err_chunk);
69 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
70 struct net *net,
71 const struct sctp_endpoint *ep,
72 const struct sctp_association *asoc,
73 const union sctp_subtype type,
74 void *arg,
75 struct sctp_cmd_seq *commands);
76 static enum sctp_disposition sctp_sf_shut_8_4_5(
77 struct net *net,
78 const struct sctp_endpoint *ep,
79 const struct sctp_association *asoc,
80 const union sctp_subtype type,
81 void *arg,
82 struct sctp_cmd_seq *commands);
83 static enum sctp_disposition sctp_sf_tabort_8_4_8(
84 struct net *net,
85 const struct sctp_endpoint *ep,
86 const struct sctp_association *asoc,
87 const union sctp_subtype type,
88 void *arg,
89 struct sctp_cmd_seq *commands);
90 static enum sctp_disposition sctp_sf_new_encap_port(
91 struct net *net,
92 const struct sctp_endpoint *ep,
93 const struct sctp_association *asoc,
94 const union sctp_subtype type,
95 void *arg,
96 struct sctp_cmd_seq *commands);
97 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
98
99 static enum sctp_disposition sctp_stop_t1_and_abort(
100 struct net *net,
101 struct sctp_cmd_seq *commands,
102 __be16 error, int sk_err,
103 const struct sctp_association *asoc,
104 struct sctp_transport *transport);
105
106 static enum sctp_disposition sctp_sf_abort_violation(
107 struct net *net,
108 const struct sctp_endpoint *ep,
109 const struct sctp_association *asoc,
110 void *arg,
111 struct sctp_cmd_seq *commands,
112 const __u8 *payload,
113 const size_t paylen);
114
115 static enum sctp_disposition sctp_sf_violation_chunklen(
116 struct net *net,
117 const struct sctp_endpoint *ep,
118 const struct sctp_association *asoc,
119 const union sctp_subtype type,
120 void *arg,
121 struct sctp_cmd_seq *commands);
122
123 static enum sctp_disposition sctp_sf_violation_paramlen(
124 struct net *net,
125 const struct sctp_endpoint *ep,
126 const struct sctp_association *asoc,
127 const union sctp_subtype type,
128 void *arg, void *ext,
129 struct sctp_cmd_seq *commands);
130
131 static enum sctp_disposition sctp_sf_violation_ctsn(
132 struct net *net,
133 const struct sctp_endpoint *ep,
134 const struct sctp_association *asoc,
135 const union sctp_subtype type,
136 void *arg,
137 struct sctp_cmd_seq *commands);
138
139 static enum sctp_disposition sctp_sf_violation_chunk(
140 struct net *net,
141 const struct sctp_endpoint *ep,
142 const struct sctp_association *asoc,
143 const union sctp_subtype type,
144 void *arg,
145 struct sctp_cmd_seq *commands);
146
147 static enum sctp_ierror sctp_sf_authenticate(
148 const struct sctp_association *asoc,
149 struct sctp_chunk *chunk);
150
151 static enum sctp_disposition __sctp_sf_do_9_1_abort(
152 struct net *net,
153 const struct sctp_endpoint *ep,
154 const struct sctp_association *asoc,
155 const union sctp_subtype type,
156 void *arg,
157 struct sctp_cmd_seq *commands);
158
159 static enum sctp_disposition
160 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
161 const struct sctp_association *asoc,
162 const union sctp_subtype type, void *arg,
163 struct sctp_cmd_seq *commands);
164
165 /* Small helper function that checks if the chunk length
166 * is of the appropriate length. The 'required_length' argument
167 * is set to be the size of a specific chunk we are testing.
168 * Return Values: true = Valid length
169 * false = Invalid length
170 *
171 */
sctp_chunk_length_valid(struct sctp_chunk * chunk,__u16 required_length)172 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
173 __u16 required_length)
174 {
175 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
176
177 /* Previously already marked? */
178 if (unlikely(chunk->pdiscard))
179 return false;
180 if (unlikely(chunk_length < required_length))
181 return false;
182
183 return true;
184 }
185
186 /* Check for format error in an ABORT chunk */
sctp_err_chunk_valid(struct sctp_chunk * chunk)187 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
188 {
189 struct sctp_errhdr *err;
190
191 sctp_walk_errors(err, chunk->chunk_hdr);
192
193 return (void *)err == (void *)chunk->chunk_end;
194 }
195
196 /**********************************************************
197 * These are the state functions for handling chunk events.
198 **********************************************************/
199
200 /*
201 * Process the final SHUTDOWN COMPLETE.
202 *
203 * Section: 4 (C) (diagram), 9.2
204 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
205 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
206 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
207 * should stop the T2-shutdown timer and remove all knowledge of the
208 * association (and thus the association enters the CLOSED state).
209 *
210 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
211 * C) Rules for packet carrying SHUTDOWN COMPLETE:
212 * ...
213 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
214 * if the Verification Tag field of the packet matches its own tag and
215 * the T bit is not set
216 * OR
217 * it is set to its peer's tag and the T bit is set in the Chunk
218 * Flags.
219 * Otherwise, the receiver MUST silently discard the packet
220 * and take no further action. An endpoint MUST ignore the
221 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
222 *
223 * Inputs
224 * (endpoint, asoc, chunk)
225 *
226 * Outputs
227 * (asoc, reply_msg, msg_up, timers, counters)
228 *
229 * The return value is the disposition of the chunk.
230 */
sctp_sf_do_4_C(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)231 enum sctp_disposition sctp_sf_do_4_C(struct net *net,
232 const struct sctp_endpoint *ep,
233 const struct sctp_association *asoc,
234 const union sctp_subtype type,
235 void *arg, struct sctp_cmd_seq *commands)
236 {
237 struct sctp_chunk *chunk = arg;
238 struct sctp_ulpevent *ev;
239
240 if (!sctp_vtag_verify_either(chunk, asoc))
241 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
242
243 /* RFC 2960 6.10 Bundling
244 *
245 * An endpoint MUST NOT bundle INIT, INIT ACK or
246 * SHUTDOWN COMPLETE with any other chunks.
247 */
248 if (!chunk->singleton)
249 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
250
251 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
252 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
253 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
254 commands);
255
256 /* RFC 2960 10.2 SCTP-to-ULP
257 *
258 * H) SHUTDOWN COMPLETE notification
259 *
260 * When SCTP completes the shutdown procedures (section 9.2) this
261 * notification is passed to the upper layer.
262 */
263 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
264 0, 0, 0, NULL, GFP_ATOMIC);
265 if (ev)
266 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
267 SCTP_ULPEVENT(ev));
268
269 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
270 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
271 * not the chunk should be discarded. If the endpoint is in
272 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
273 * T2-shutdown timer and remove all knowledge of the
274 * association (and thus the association enters the CLOSED
275 * state).
276 */
277 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
278 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
279
280 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
281 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
282
283 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
284 SCTP_STATE(SCTP_STATE_CLOSED));
285
286 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
287 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
288
289 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
290
291 return SCTP_DISPOSITION_DELETE_TCB;
292 }
293
294 /*
295 * Respond to a normal INIT chunk.
296 * We are the side that is being asked for an association.
297 *
298 * Section: 5.1 Normal Establishment of an Association, B
299 * B) "Z" shall respond immediately with an INIT ACK chunk. The
300 * destination IP address of the INIT ACK MUST be set to the source
301 * IP address of the INIT to which this INIT ACK is responding. In
302 * the response, besides filling in other parameters, "Z" must set the
303 * Verification Tag field to Tag_A, and also provide its own
304 * Verification Tag (Tag_Z) in the Initiate Tag field.
305 *
306 * Verification Tag: Must be 0.
307 *
308 * Inputs
309 * (endpoint, asoc, chunk)
310 *
311 * Outputs
312 * (asoc, reply_msg, msg_up, timers, counters)
313 *
314 * The return value is the disposition of the chunk.
315 */
sctp_sf_do_5_1B_init(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)316 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
317 const struct sctp_endpoint *ep,
318 const struct sctp_association *asoc,
319 const union sctp_subtype type,
320 void *arg,
321 struct sctp_cmd_seq *commands)
322 {
323 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
324 struct sctp_unrecognized_param *unk_param;
325 struct sctp_association *new_asoc;
326 struct sctp_packet *packet;
327 int len;
328
329 /* 6.10 Bundling
330 * An endpoint MUST NOT bundle INIT, INIT ACK or
331 * SHUTDOWN COMPLETE with any other chunks.
332 *
333 * IG Section 2.11.2
334 * Furthermore, we require that the receiver of an INIT chunk MUST
335 * enforce these rules by silently discarding an arriving packet
336 * with an INIT chunk that is bundled with other chunks.
337 */
338 if (!chunk->singleton)
339 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
340
341 /* Make sure that the INIT chunk has a valid length.
342 * Normally, this would cause an ABORT with a Protocol Violation
343 * error, but since we don't have an association, we'll
344 * just discard the packet.
345 */
346 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
347 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
348
349 /* If the packet is an OOTB packet which is temporarily on the
350 * control endpoint, respond with an ABORT.
351 */
352 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
353 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
354 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
355 }
356
357 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
358 * Tag.
359 */
360 if (chunk->sctp_hdr->vtag != 0)
361 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
362
363 /* If the INIT is coming toward a closing socket, we'll send back
364 * and ABORT. Essentially, this catches the race of INIT being
365 * backloged to the socket at the same time as the user issues close().
366 * Since the socket and all its associations are going away, we
367 * can treat this OOTB
368 */
369 if (sctp_sstate(ep->base.sk, CLOSING))
370 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
371
372 /* Verify the INIT chunk before processing it. */
373 err_chunk = NULL;
374 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
375 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
376 &err_chunk)) {
377 /* This chunk contains fatal error. It is to be discarded.
378 * Send an ABORT, with causes if there is any.
379 */
380 if (err_chunk) {
381 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
382 (__u8 *)(err_chunk->chunk_hdr) +
383 sizeof(struct sctp_chunkhdr),
384 ntohs(err_chunk->chunk_hdr->length) -
385 sizeof(struct sctp_chunkhdr));
386
387 sctp_chunk_free(err_chunk);
388
389 if (packet) {
390 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
391 SCTP_PACKET(packet));
392 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
393 return SCTP_DISPOSITION_CONSUME;
394 } else {
395 return SCTP_DISPOSITION_NOMEM;
396 }
397 } else {
398 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
399 commands);
400 }
401 }
402
403 /* Grab the INIT header. */
404 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
405
406 /* Tag the variable length parameters. */
407 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
408
409 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
410 if (!new_asoc)
411 goto nomem;
412
413 /* Update socket peer label if first association. */
414 if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
415 sctp_association_free(new_asoc);
416 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
417 }
418
419 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
420 sctp_scope(sctp_source(chunk)),
421 GFP_ATOMIC) < 0)
422 goto nomem_init;
423
424 /* The call, sctp_process_init(), can fail on memory allocation. */
425 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
426 (struct sctp_init_chunk *)chunk->chunk_hdr,
427 GFP_ATOMIC))
428 goto nomem_init;
429
430 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
431
432 /* If there are errors need to be reported for unknown parameters,
433 * make sure to reserve enough room in the INIT ACK for them.
434 */
435 len = 0;
436 if (err_chunk)
437 len = ntohs(err_chunk->chunk_hdr->length) -
438 sizeof(struct sctp_chunkhdr);
439
440 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
441 if (!repl)
442 goto nomem_init;
443
444 /* If there are errors need to be reported for unknown parameters,
445 * include them in the outgoing INIT ACK as "Unrecognized parameter"
446 * parameter.
447 */
448 if (err_chunk) {
449 /* Get the "Unrecognized parameter" parameter(s) out of the
450 * ERROR chunk generated by sctp_verify_init(). Since the
451 * error cause code for "unknown parameter" and the
452 * "Unrecognized parameter" type is the same, we can
453 * construct the parameters in INIT ACK by copying the
454 * ERROR causes over.
455 */
456 unk_param = (struct sctp_unrecognized_param *)
457 ((__u8 *)(err_chunk->chunk_hdr) +
458 sizeof(struct sctp_chunkhdr));
459 /* Replace the cause code with the "Unrecognized parameter"
460 * parameter type.
461 */
462 sctp_addto_chunk(repl, len, unk_param);
463 sctp_chunk_free(err_chunk);
464 }
465
466 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
467
468 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
469
470 /*
471 * Note: After sending out INIT ACK with the State Cookie parameter,
472 * "Z" MUST NOT allocate any resources, nor keep any states for the
473 * new association. Otherwise, "Z" will be vulnerable to resource
474 * attacks.
475 */
476 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
477
478 return SCTP_DISPOSITION_DELETE_TCB;
479
480 nomem_init:
481 sctp_association_free(new_asoc);
482 nomem:
483 if (err_chunk)
484 sctp_chunk_free(err_chunk);
485 return SCTP_DISPOSITION_NOMEM;
486 }
487
488 /*
489 * Respond to a normal INIT ACK chunk.
490 * We are the side that is initiating the association.
491 *
492 * Section: 5.1 Normal Establishment of an Association, C
493 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
494 * timer and leave COOKIE-WAIT state. "A" shall then send the State
495 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
496 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
497 *
498 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
499 * DATA chunks, but it MUST be the first chunk in the packet and
500 * until the COOKIE ACK is returned the sender MUST NOT send any
501 * other packets to the peer.
502 *
503 * Verification Tag: 3.3.3
504 * If the value of the Initiate Tag in a received INIT ACK chunk is
505 * found to be 0, the receiver MUST treat it as an error and close the
506 * association by transmitting an ABORT.
507 *
508 * Inputs
509 * (endpoint, asoc, chunk)
510 *
511 * Outputs
512 * (asoc, reply_msg, msg_up, timers, counters)
513 *
514 * The return value is the disposition of the chunk.
515 */
sctp_sf_do_5_1C_ack(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)516 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
517 const struct sctp_endpoint *ep,
518 const struct sctp_association *asoc,
519 const union sctp_subtype type,
520 void *arg,
521 struct sctp_cmd_seq *commands)
522 {
523 struct sctp_init_chunk *initchunk;
524 struct sctp_chunk *chunk = arg;
525 struct sctp_chunk *err_chunk;
526 struct sctp_packet *packet;
527
528 if (!sctp_vtag_verify(chunk, asoc))
529 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
530
531 /* 6.10 Bundling
532 * An endpoint MUST NOT bundle INIT, INIT ACK or
533 * SHUTDOWN COMPLETE with any other chunks.
534 */
535 if (!chunk->singleton)
536 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
537
538 /* Make sure that the INIT-ACK chunk has a valid length */
539 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
540 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
541 commands);
542 /* Grab the INIT header. */
543 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
544
545 /* Verify the INIT chunk before processing it. */
546 err_chunk = NULL;
547 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
548 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
549 &err_chunk)) {
550
551 enum sctp_error error = SCTP_ERROR_NO_RESOURCE;
552
553 /* This chunk contains fatal error. It is to be discarded.
554 * Send an ABORT, with causes. If there are no causes,
555 * then there wasn't enough memory. Just terminate
556 * the association.
557 */
558 if (err_chunk) {
559 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
560 (__u8 *)(err_chunk->chunk_hdr) +
561 sizeof(struct sctp_chunkhdr),
562 ntohs(err_chunk->chunk_hdr->length) -
563 sizeof(struct sctp_chunkhdr));
564
565 sctp_chunk_free(err_chunk);
566
567 if (packet) {
568 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
569 SCTP_PACKET(packet));
570 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
571 error = SCTP_ERROR_INV_PARAM;
572 }
573 }
574
575 /* SCTP-AUTH, Section 6.3:
576 * It should be noted that if the receiver wants to tear
577 * down an association in an authenticated way only, the
578 * handling of malformed packets should not result in
579 * tearing down the association.
580 *
581 * This means that if we only want to abort associations
582 * in an authenticated way (i.e AUTH+ABORT), then we
583 * can't destroy this association just because the packet
584 * was malformed.
585 */
586 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
587 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
588
589 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
590 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
591 asoc, chunk->transport);
592 }
593
594 /* Tag the variable length parameters. Note that we never
595 * convert the parameters in an INIT chunk.
596 */
597 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
598
599 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;
600
601 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
602 SCTP_PEER_INIT(initchunk));
603
604 /* Reset init error count upon receipt of INIT-ACK. */
605 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
606
607 /* 5.1 C) "A" shall stop the T1-init timer and leave
608 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
609 * timer, and enter the COOKIE-ECHOED state.
610 */
611 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
612 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
613 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
614 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
615 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
616 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
617
618 /* SCTP-AUTH: generate the association shared keys so that
619 * we can potentially sign the COOKIE-ECHO.
620 */
621 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
622
623 /* 5.1 C) "A" shall then send the State Cookie received in the
624 * INIT ACK chunk in a COOKIE ECHO chunk, ...
625 */
626 /* If there is any errors to report, send the ERROR chunk generated
627 * for unknown parameters as well.
628 */
629 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
630 SCTP_CHUNK(err_chunk));
631
632 return SCTP_DISPOSITION_CONSUME;
633 }
634
sctp_auth_chunk_verify(struct net * net,struct sctp_chunk * chunk,const struct sctp_association * asoc)635 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
636 const struct sctp_association *asoc)
637 {
638 struct sctp_chunk auth;
639
640 if (!chunk->auth_chunk)
641 return true;
642
643 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo
644 * is supposed to be authenticated and we have to do delayed
645 * authentication. We've just recreated the association using
646 * the information in the cookie and now it's much easier to
647 * do the authentication.
648 */
649
650 /* Make sure that we and the peer are AUTH capable */
651 if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
652 return false;
653
654 /* set-up our fake chunk so that we can process it */
655 auth.skb = chunk->auth_chunk;
656 auth.asoc = chunk->asoc;
657 auth.sctp_hdr = chunk->sctp_hdr;
658 auth.chunk_hdr = (struct sctp_chunkhdr *)
659 skb_push(chunk->auth_chunk,
660 sizeof(struct sctp_chunkhdr));
661 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
662 auth.transport = chunk->transport;
663
664 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
665 }
666
667 /*
668 * Respond to a normal COOKIE ECHO chunk.
669 * We are the side that is being asked for an association.
670 *
671 * Section: 5.1 Normal Establishment of an Association, D
672 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
673 * with a COOKIE ACK chunk after building a TCB and moving to
674 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
675 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
676 * chunk MUST be the first chunk in the packet.
677 *
678 * IMPLEMENTATION NOTE: An implementation may choose to send the
679 * Communication Up notification to the SCTP user upon reception
680 * of a valid COOKIE ECHO chunk.
681 *
682 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
683 * D) Rules for packet carrying a COOKIE ECHO
684 *
685 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
686 * Initial Tag received in the INIT ACK.
687 *
688 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
689 *
690 * Inputs
691 * (endpoint, asoc, chunk)
692 *
693 * Outputs
694 * (asoc, reply_msg, msg_up, timers, counters)
695 *
696 * The return value is the disposition of the chunk.
697 */
sctp_sf_do_5_1D_ce(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)698 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
699 const struct sctp_endpoint *ep,
700 const struct sctp_association *asoc,
701 const union sctp_subtype type,
702 void *arg,
703 struct sctp_cmd_seq *commands)
704 {
705 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
706 struct sctp_association *new_asoc;
707 struct sctp_init_chunk *peer_init;
708 struct sctp_chunk *chunk = arg;
709 struct sctp_chunk *err_chk_p;
710 struct sctp_chunk *repl;
711 struct sock *sk;
712 int error = 0;
713
714 if (asoc && !sctp_vtag_verify(chunk, asoc))
715 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
716
717 /* If the packet is an OOTB packet which is temporarily on the
718 * control endpoint, respond with an ABORT.
719 */
720 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
721 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
722 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
723 }
724
725 /* Make sure that the COOKIE_ECHO chunk has a valid length.
726 * In this case, we check that we have enough for at least a
727 * chunk header. More detailed verification is done
728 * in sctp_unpack_cookie().
729 */
730 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
731 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
732 commands);
733
734 /* If the endpoint is not listening or if the number of associations
735 * on the TCP-style socket exceed the max backlog, respond with an
736 * ABORT.
737 */
738 sk = ep->base.sk;
739 if (!sctp_sstate(sk, LISTENING) ||
740 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
741 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
742
743 /* "Decode" the chunk. We have no optional parameters so we
744 * are in good shape.
745 */
746 chunk->subh.cookie_hdr =
747 (struct sctp_signed_cookie *)chunk->skb->data;
748 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
749 sizeof(struct sctp_chunkhdr)))
750 goto nomem;
751
752 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
753 * "Z" will reply with a COOKIE ACK chunk after building a TCB
754 * and moving to the ESTABLISHED state.
755 */
756 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
757 &err_chk_p);
758
759 /* FIXME:
760 * If the re-build failed, what is the proper error path
761 * from here?
762 *
763 * [We should abort the association. --piggy]
764 */
765 if (!new_asoc) {
766 /* FIXME: Several errors are possible. A bad cookie should
767 * be silently discarded, but think about logging it too.
768 */
769 switch (error) {
770 case -SCTP_IERROR_NOMEM:
771 goto nomem;
772
773 case -SCTP_IERROR_STALE_COOKIE:
774 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
775 err_chk_p);
776 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
777
778 case -SCTP_IERROR_BAD_SIG:
779 default:
780 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
781 }
782 }
783
784 if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) {
785 sctp_association_free(new_asoc);
786 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
787 }
788
789 /* Delay state machine commands until later.
790 *
791 * Re-build the bind address for the association is done in
792 * the sctp_unpack_cookie() already.
793 */
794 /* This is a brand-new association, so these are not yet side
795 * effects--it is safe to run them here.
796 */
797 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1);
798 if (!sctp_process_init(new_asoc, chunk,
799 &chunk->subh.cookie_hdr->c.peer_addr,
800 peer_init, GFP_ATOMIC))
801 goto nomem_init;
802
803 /* SCTP-AUTH: Now that we've populate required fields in
804 * sctp_process_init, set up the association shared keys as
805 * necessary so that we can potentially authenticate the ACK
806 */
807 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
808 if (error)
809 goto nomem_init;
810
811 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
812 sctp_association_free(new_asoc);
813 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
814 }
815
816 repl = sctp_make_cookie_ack(new_asoc, chunk);
817 if (!repl)
818 goto nomem_init;
819
820 /* RFC 2960 5.1 Normal Establishment of an Association
821 *
822 * D) IMPLEMENTATION NOTE: An implementation may choose to
823 * send the Communication Up notification to the SCTP user
824 * upon reception of a valid COOKIE ECHO chunk.
825 */
826 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
827 new_asoc->c.sinit_num_ostreams,
828 new_asoc->c.sinit_max_instreams,
829 NULL, GFP_ATOMIC);
830 if (!ev)
831 goto nomem_ev;
832
833 /* Sockets API Draft Section 5.3.1.6
834 * When a peer sends a Adaptation Layer Indication parameter , SCTP
835 * delivers this notification to inform the application that of the
836 * peers requested adaptation layer.
837 */
838 if (new_asoc->peer.adaptation_ind) {
839 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
840 GFP_ATOMIC);
841 if (!ai_ev)
842 goto nomem_aiev;
843 }
844
845 if (!new_asoc->peer.auth_capable) {
846 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
847 SCTP_AUTH_NO_AUTH,
848 GFP_ATOMIC);
849 if (!auth_ev)
850 goto nomem_authev;
851 }
852
853 /* Add all the state machine commands now since we've created
854 * everything. This way we don't introduce memory corruptions
855 * during side-effect processing and correctly count established
856 * associations.
857 */
858 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
859 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
860 SCTP_STATE(SCTP_STATE_ESTABLISHED));
861 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
862 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
863 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
864
865 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
866 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
867 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
868
869 /* This will send the COOKIE ACK */
870 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
871
872 /* Queue the ASSOC_CHANGE event */
873 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
874
875 /* Send up the Adaptation Layer Indication event */
876 if (ai_ev)
877 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
878 SCTP_ULPEVENT(ai_ev));
879
880 if (auth_ev)
881 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
882 SCTP_ULPEVENT(auth_ev));
883
884 return SCTP_DISPOSITION_CONSUME;
885
886 nomem_authev:
887 sctp_ulpevent_free(ai_ev);
888 nomem_aiev:
889 sctp_ulpevent_free(ev);
890 nomem_ev:
891 sctp_chunk_free(repl);
892 nomem_init:
893 sctp_association_free(new_asoc);
894 nomem:
895 return SCTP_DISPOSITION_NOMEM;
896 }
897
898 /*
899 * Respond to a normal COOKIE ACK chunk.
900 * We are the side that is asking for an association.
901 *
902 * RFC 2960 5.1 Normal Establishment of an Association
903 *
904 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
905 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
906 * timer. It may also notify its ULP about the successful
907 * establishment of the association with a Communication Up
908 * notification (see Section 10).
909 *
910 * Verification Tag:
911 * Inputs
912 * (endpoint, asoc, chunk)
913 *
914 * Outputs
915 * (asoc, reply_msg, msg_up, timers, counters)
916 *
917 * The return value is the disposition of the chunk.
918 */
sctp_sf_do_5_1E_ca(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)919 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
920 const struct sctp_endpoint *ep,
921 const struct sctp_association *asoc,
922 const union sctp_subtype type,
923 void *arg,
924 struct sctp_cmd_seq *commands)
925 {
926 struct sctp_chunk *chunk = arg;
927 struct sctp_ulpevent *ev;
928
929 if (!sctp_vtag_verify(chunk, asoc))
930 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
931
932 /* Set peer label for connection. */
933 if (security_sctp_assoc_established((struct sctp_association *)asoc,
934 chunk->head_skb ?: chunk->skb))
935 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
936
937 /* Verify that the chunk length for the COOKIE-ACK is OK.
938 * If we don't do this, any bundled chunks may be junked.
939 */
940 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
941 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
942 commands);
943
944 /* Reset init error count upon receipt of COOKIE-ACK,
945 * to avoid problems with the management of this
946 * counter in stale cookie situations when a transition back
947 * from the COOKIE-ECHOED state to the COOKIE-WAIT
948 * state is performed.
949 */
950 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
951
952 /* RFC 2960 5.1 Normal Establishment of an Association
953 *
954 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
955 * from the COOKIE-ECHOED state to the ESTABLISHED state,
956 * stopping the T1-cookie timer.
957 */
958 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
959 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
960 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
961 SCTP_STATE(SCTP_STATE_ESTABLISHED));
962 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
963 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
964 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
965 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
966 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
967 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
968
969 /* It may also notify its ULP about the successful
970 * establishment of the association with a Communication Up
971 * notification (see Section 10).
972 */
973 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
974 0, asoc->c.sinit_num_ostreams,
975 asoc->c.sinit_max_instreams,
976 NULL, GFP_ATOMIC);
977
978 if (!ev)
979 goto nomem;
980
981 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
982
983 /* Sockets API Draft Section 5.3.1.6
984 * When a peer sends a Adaptation Layer Indication parameter , SCTP
985 * delivers this notification to inform the application that of the
986 * peers requested adaptation layer.
987 */
988 if (asoc->peer.adaptation_ind) {
989 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
990 if (!ev)
991 goto nomem;
992
993 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
994 SCTP_ULPEVENT(ev));
995 }
996
997 if (!asoc->peer.auth_capable) {
998 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
999 GFP_ATOMIC);
1000 if (!ev)
1001 goto nomem;
1002 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1003 SCTP_ULPEVENT(ev));
1004 }
1005
1006 return SCTP_DISPOSITION_CONSUME;
1007 nomem:
1008 return SCTP_DISPOSITION_NOMEM;
1009 }
1010
1011 /* Generate and sendout a heartbeat packet. */
sctp_sf_heartbeat(const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1012 static enum sctp_disposition sctp_sf_heartbeat(
1013 const struct sctp_endpoint *ep,
1014 const struct sctp_association *asoc,
1015 const union sctp_subtype type,
1016 void *arg,
1017 struct sctp_cmd_seq *commands)
1018 {
1019 struct sctp_transport *transport = (struct sctp_transport *) arg;
1020 struct sctp_chunk *reply;
1021
1022 /* Send a heartbeat to our peer. */
1023 reply = sctp_make_heartbeat(asoc, transport, 0);
1024 if (!reply)
1025 return SCTP_DISPOSITION_NOMEM;
1026
1027 /* Set rto_pending indicating that an RTT measurement
1028 * is started with this heartbeat chunk.
1029 */
1030 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
1031 SCTP_TRANSPORT(transport));
1032
1033 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1034 return SCTP_DISPOSITION_CONSUME;
1035 }
1036
1037 /* Generate a HEARTBEAT packet on the given transport. */
sctp_sf_sendbeat_8_3(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1038 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
1039 const struct sctp_endpoint *ep,
1040 const struct sctp_association *asoc,
1041 const union sctp_subtype type,
1042 void *arg,
1043 struct sctp_cmd_seq *commands)
1044 {
1045 struct sctp_transport *transport = (struct sctp_transport *) arg;
1046
1047 if (asoc->overall_error_count >= asoc->max_retrans) {
1048 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1049 SCTP_ERROR(ETIMEDOUT));
1050 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1051 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1052 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1053 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1054 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1055 return SCTP_DISPOSITION_DELETE_TCB;
1056 }
1057
1058 /* Section 3.3.5.
1059 * The Sender-specific Heartbeat Info field should normally include
1060 * information about the sender's current time when this HEARTBEAT
1061 * chunk is sent and the destination transport address to which this
1062 * HEARTBEAT is sent (see Section 8.3).
1063 */
1064
1065 if (transport->param_flags & SPP_HB_ENABLE) {
1066 if (SCTP_DISPOSITION_NOMEM ==
1067 sctp_sf_heartbeat(ep, asoc, type, arg,
1068 commands))
1069 return SCTP_DISPOSITION_NOMEM;
1070
1071 /* Set transport error counter and association error counter
1072 * when sending heartbeat.
1073 */
1074 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1075 SCTP_TRANSPORT(transport));
1076 }
1077 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1078 SCTP_TRANSPORT(transport));
1079 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1080 SCTP_TRANSPORT(transport));
1081
1082 return SCTP_DISPOSITION_CONSUME;
1083 }
1084
1085 /* resend asoc strreset_chunk. */
sctp_sf_send_reconf(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1086 enum sctp_disposition sctp_sf_send_reconf(struct net *net,
1087 const struct sctp_endpoint *ep,
1088 const struct sctp_association *asoc,
1089 const union sctp_subtype type,
1090 void *arg,
1091 struct sctp_cmd_seq *commands)
1092 {
1093 struct sctp_transport *transport = arg;
1094
1095 if (asoc->overall_error_count >= asoc->max_retrans) {
1096 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1097 SCTP_ERROR(ETIMEDOUT));
1098 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1099 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1100 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1101 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1102 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1103 return SCTP_DISPOSITION_DELETE_TCB;
1104 }
1105
1106 sctp_chunk_hold(asoc->strreset_chunk);
1107 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1108 SCTP_CHUNK(asoc->strreset_chunk));
1109 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
1110
1111 return SCTP_DISPOSITION_CONSUME;
1112 }
1113
1114 /* send hb chunk with padding for PLPMUTD. */
sctp_sf_send_probe(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1115 enum sctp_disposition sctp_sf_send_probe(struct net *net,
1116 const struct sctp_endpoint *ep,
1117 const struct sctp_association *asoc,
1118 const union sctp_subtype type,
1119 void *arg,
1120 struct sctp_cmd_seq *commands)
1121 {
1122 struct sctp_transport *transport = (struct sctp_transport *)arg;
1123 struct sctp_chunk *reply;
1124
1125 if (!sctp_transport_pl_enabled(transport))
1126 return SCTP_DISPOSITION_CONSUME;
1127
1128 sctp_transport_pl_send(transport);
1129 reply = sctp_make_heartbeat(asoc, transport, transport->pl.probe_size);
1130 if (!reply)
1131 return SCTP_DISPOSITION_NOMEM;
1132 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1133 sctp_add_cmd_sf(commands, SCTP_CMD_PROBE_TIMER_UPDATE,
1134 SCTP_TRANSPORT(transport));
1135
1136 return SCTP_DISPOSITION_CONSUME;
1137 }
1138
1139 /*
1140 * Process an heartbeat request.
1141 *
1142 * Section: 8.3 Path Heartbeat
1143 * The receiver of the HEARTBEAT should immediately respond with a
1144 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1145 * from the received HEARTBEAT chunk.
1146 *
1147 * Verification Tag: 8.5 Verification Tag [Normal verification]
1148 * When receiving an SCTP packet, the endpoint MUST ensure that the
1149 * value in the Verification Tag field of the received SCTP packet
1150 * matches its own Tag. If the received Verification Tag value does not
1151 * match the receiver's own tag value, the receiver shall silently
1152 * discard the packet and shall not process it any further except for
1153 * those cases listed in Section 8.5.1 below.
1154 *
1155 * Inputs
1156 * (endpoint, asoc, chunk)
1157 *
1158 * Outputs
1159 * (asoc, reply_msg, msg_up, timers, counters)
1160 *
1161 * The return value is the disposition of the chunk.
1162 */
sctp_sf_beat_8_3(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1163 enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
1164 const struct sctp_endpoint *ep,
1165 const struct sctp_association *asoc,
1166 const union sctp_subtype type,
1167 void *arg, struct sctp_cmd_seq *commands)
1168 {
1169 struct sctp_paramhdr *param_hdr;
1170 struct sctp_chunk *chunk = arg;
1171 struct sctp_chunk *reply;
1172 size_t paylen = 0;
1173
1174 if (!sctp_vtag_verify(chunk, asoc))
1175 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1176
1177 /* Make sure that the HEARTBEAT chunk has a valid length. */
1178 if (!sctp_chunk_length_valid(chunk,
1179 sizeof(struct sctp_heartbeat_chunk)))
1180 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1181 commands);
1182
1183 /* 8.3 The receiver of the HEARTBEAT should immediately
1184 * respond with a HEARTBEAT ACK that contains the Heartbeat
1185 * Information field copied from the received HEARTBEAT chunk.
1186 */
1187 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
1188 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
1189 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);
1190
1191 if (ntohs(param_hdr->length) > paylen)
1192 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1193 param_hdr, commands);
1194
1195 if (!pskb_pull(chunk->skb, paylen))
1196 goto nomem;
1197
1198 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1199 if (!reply)
1200 goto nomem;
1201
1202 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1203 return SCTP_DISPOSITION_CONSUME;
1204
1205 nomem:
1206 return SCTP_DISPOSITION_NOMEM;
1207 }
1208
1209 /*
1210 * Process the returning HEARTBEAT ACK.
1211 *
1212 * Section: 8.3 Path Heartbeat
1213 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1214 * should clear the error counter of the destination transport
1215 * address to which the HEARTBEAT was sent, and mark the destination
1216 * transport address as active if it is not so marked. The endpoint may
1217 * optionally report to the upper layer when an inactive destination
1218 * address is marked as active due to the reception of the latest
1219 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1220 * clear the association overall error count as well (as defined
1221 * in section 8.1).
1222 *
1223 * The receiver of the HEARTBEAT ACK should also perform an RTT
1224 * measurement for that destination transport address using the time
1225 * value carried in the HEARTBEAT ACK chunk.
1226 *
1227 * Verification Tag: 8.5 Verification Tag [Normal verification]
1228 *
1229 * Inputs
1230 * (endpoint, asoc, chunk)
1231 *
1232 * Outputs
1233 * (asoc, reply_msg, msg_up, timers, counters)
1234 *
1235 * The return value is the disposition of the chunk.
1236 */
sctp_sf_backbeat_8_3(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1237 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
1238 const struct sctp_endpoint *ep,
1239 const struct sctp_association *asoc,
1240 const union sctp_subtype type,
1241 void *arg,
1242 struct sctp_cmd_seq *commands)
1243 {
1244 struct sctp_sender_hb_info *hbinfo;
1245 struct sctp_chunk *chunk = arg;
1246 struct sctp_transport *link;
1247 unsigned long max_interval;
1248 union sctp_addr from_addr;
1249
1250 if (!sctp_vtag_verify(chunk, asoc))
1251 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1252
1253 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1254 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
1255 sizeof(*hbinfo)))
1256 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1257 commands);
1258
1259 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;
1260 /* Make sure that the length of the parameter is what we expect */
1261 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
1262 return SCTP_DISPOSITION_DISCARD;
1263
1264 from_addr = hbinfo->daddr;
1265 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1266
1267 /* This should never happen, but lets log it if so. */
1268 if (unlikely(!link)) {
1269 if (from_addr.sa.sa_family == AF_INET6) {
1270 net_warn_ratelimited("%s association %p could not find address %pI6\n",
1271 __func__,
1272 asoc,
1273 &from_addr.v6.sin6_addr);
1274 } else {
1275 net_warn_ratelimited("%s association %p could not find address %pI4\n",
1276 __func__,
1277 asoc,
1278 &from_addr.v4.sin_addr.s_addr);
1279 }
1280 return SCTP_DISPOSITION_DISCARD;
1281 }
1282
1283 /* Validate the 64-bit random nonce. */
1284 if (hbinfo->hb_nonce != link->hb_nonce)
1285 return SCTP_DISPOSITION_DISCARD;
1286
1287 if (hbinfo->probe_size) {
1288 if (hbinfo->probe_size != link->pl.probe_size ||
1289 !sctp_transport_pl_enabled(link))
1290 return SCTP_DISPOSITION_DISCARD;
1291
1292 if (sctp_transport_pl_recv(link))
1293 return SCTP_DISPOSITION_CONSUME;
1294
1295 return sctp_sf_send_probe(net, ep, asoc, type, link, commands);
1296 }
1297
1298 max_interval = link->hbinterval + link->rto;
1299
1300 /* Check if the timestamp looks valid. */
1301 if (time_after(hbinfo->sent_at, jiffies) ||
1302 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1303 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1304 "for transport:%p\n", __func__, link);
1305
1306 return SCTP_DISPOSITION_DISCARD;
1307 }
1308
1309 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1310 * the HEARTBEAT should clear the error counter of the
1311 * destination transport address to which the HEARTBEAT was
1312 * sent and mark the destination transport address as active if
1313 * it is not so marked.
1314 */
1315 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1316
1317 return SCTP_DISPOSITION_CONSUME;
1318 }
1319
1320 /* Helper function to send out an abort for the restart
1321 * condition.
1322 */
sctp_sf_send_restart_abort(struct net * net,union sctp_addr * ssa,struct sctp_chunk * init,struct sctp_cmd_seq * commands)1323 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1324 struct sctp_chunk *init,
1325 struct sctp_cmd_seq *commands)
1326 {
1327 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1328 union sctp_addr_param *addrparm;
1329 struct sctp_errhdr *errhdr;
1330 char buffer[sizeof(*errhdr) + sizeof(*addrparm)];
1331 struct sctp_endpoint *ep;
1332 struct sctp_packet *pkt;
1333 int len;
1334
1335 /* Build the error on the stack. We are way to malloc crazy
1336 * throughout the code today.
1337 */
1338 errhdr = (struct sctp_errhdr *)buffer;
1339 addrparm = (union sctp_addr_param *)(errhdr + 1);
1340
1341 /* Copy into a parm format. */
1342 len = af->to_addr_param(ssa, addrparm);
1343 len += sizeof(*errhdr);
1344
1345 errhdr->cause = SCTP_ERROR_RESTART;
1346 errhdr->length = htons(len);
1347
1348 /* Assign to the control socket. */
1349 ep = sctp_sk(net->sctp.ctl_sock)->ep;
1350
1351 /* Association is NULL since this may be a restart attack and we
1352 * want to send back the attacker's vtag.
1353 */
1354 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1355
1356 if (!pkt)
1357 goto out;
1358 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1359
1360 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1361
1362 /* Discard the rest of the inbound packet. */
1363 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1364
1365 out:
1366 /* Even if there is no memory, treat as a failure so
1367 * the packet will get dropped.
1368 */
1369 return 0;
1370 }
1371
list_has_sctp_addr(const struct list_head * list,union sctp_addr * ipaddr)1372 static bool list_has_sctp_addr(const struct list_head *list,
1373 union sctp_addr *ipaddr)
1374 {
1375 struct sctp_transport *addr;
1376
1377 list_for_each_entry(addr, list, transports) {
1378 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1379 return true;
1380 }
1381
1382 return false;
1383 }
1384 /* A restart is occurring, check to make sure no new addresses
1385 * are being added as we may be under a takeover attack.
1386 */
sctp_sf_check_restart_addrs(const struct sctp_association * new_asoc,const struct sctp_association * asoc,struct sctp_chunk * init,struct sctp_cmd_seq * commands)1387 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1388 const struct sctp_association *asoc,
1389 struct sctp_chunk *init,
1390 struct sctp_cmd_seq *commands)
1391 {
1392 struct net *net = new_asoc->base.net;
1393 struct sctp_transport *new_addr;
1394 int ret = 1;
1395
1396 /* Implementor's Guide - Section 5.2.2
1397 * ...
1398 * Before responding the endpoint MUST check to see if the
1399 * unexpected INIT adds new addresses to the association. If new
1400 * addresses are added to the association, the endpoint MUST respond
1401 * with an ABORT..
1402 */
1403
1404 /* Search through all current addresses and make sure
1405 * we aren't adding any new ones.
1406 */
1407 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1408 transports) {
1409 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1410 &new_addr->ipaddr)) {
1411 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1412 commands);
1413 ret = 0;
1414 break;
1415 }
1416 }
1417
1418 /* Return success if all addresses were found. */
1419 return ret;
1420 }
1421
1422 /* Populate the verification/tie tags based on overlapping INIT
1423 * scenario.
1424 *
1425 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1426 */
sctp_tietags_populate(struct sctp_association * new_asoc,const struct sctp_association * asoc)1427 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1428 const struct sctp_association *asoc)
1429 {
1430 switch (asoc->state) {
1431
1432 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1433
1434 case SCTP_STATE_COOKIE_WAIT:
1435 new_asoc->c.my_vtag = asoc->c.my_vtag;
1436 new_asoc->c.my_ttag = asoc->c.my_vtag;
1437 new_asoc->c.peer_ttag = 0;
1438 break;
1439
1440 case SCTP_STATE_COOKIE_ECHOED:
1441 new_asoc->c.my_vtag = asoc->c.my_vtag;
1442 new_asoc->c.my_ttag = asoc->c.my_vtag;
1443 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1444 break;
1445
1446 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1447 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1448 */
1449 default:
1450 new_asoc->c.my_ttag = asoc->c.my_vtag;
1451 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1452 break;
1453 }
1454
1455 /* Other parameters for the endpoint SHOULD be copied from the
1456 * existing parameters of the association (e.g. number of
1457 * outbound streams) into the INIT ACK and cookie.
1458 */
1459 new_asoc->rwnd = asoc->rwnd;
1460 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1461 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1462 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1463 }
1464
1465 /*
1466 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1467 * handling action.
1468 *
1469 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1470 *
1471 * Returns value representing action to be taken. These action values
1472 * correspond to Action/Description values in RFC 2960, Table 2.
1473 */
sctp_tietags_compare(struct sctp_association * new_asoc,const struct sctp_association * asoc)1474 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1475 const struct sctp_association *asoc)
1476 {
1477 /* In this case, the peer may have restarted. */
1478 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1479 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1480 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1481 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1482 return 'A';
1483
1484 /* Collision case B. */
1485 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1486 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1487 (0 == asoc->c.peer_vtag))) {
1488 return 'B';
1489 }
1490
1491 /* Collision case D. */
1492 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1493 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1494 return 'D';
1495
1496 /* Collision case C. */
1497 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1498 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1499 (0 == new_asoc->c.my_ttag) &&
1500 (0 == new_asoc->c.peer_ttag))
1501 return 'C';
1502
1503 /* No match to any of the special cases; discard this packet. */
1504 return 'E';
1505 }
1506
1507 /* Common helper routine for both duplicate and simultaneous INIT
1508 * chunk handling.
1509 */
sctp_sf_do_unexpected_init(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1510 static enum sctp_disposition sctp_sf_do_unexpected_init(
1511 struct net *net,
1512 const struct sctp_endpoint *ep,
1513 const struct sctp_association *asoc,
1514 const union sctp_subtype type,
1515 void *arg,
1516 struct sctp_cmd_seq *commands)
1517 {
1518 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
1519 struct sctp_unrecognized_param *unk_param;
1520 struct sctp_association *new_asoc;
1521 enum sctp_disposition retval;
1522 struct sctp_packet *packet;
1523 int len;
1524
1525 /* 6.10 Bundling
1526 * An endpoint MUST NOT bundle INIT, INIT ACK or
1527 * SHUTDOWN COMPLETE with any other chunks.
1528 *
1529 * IG Section 2.11.2
1530 * Furthermore, we require that the receiver of an INIT chunk MUST
1531 * enforce these rules by silently discarding an arriving packet
1532 * with an INIT chunk that is bundled with other chunks.
1533 */
1534 if (!chunk->singleton)
1535 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1536
1537 /* Make sure that the INIT chunk has a valid length. */
1538 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
1539 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1540
1541 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1542 * Tag.
1543 */
1544 if (chunk->sctp_hdr->vtag != 0)
1545 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1546
1547 if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port)
1548 return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands);
1549
1550 /* Grab the INIT header. */
1551 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
1552
1553 /* Tag the variable length parameters. */
1554 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
1555
1556 /* Verify the INIT chunk before processing it. */
1557 err_chunk = NULL;
1558 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1559 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
1560 &err_chunk)) {
1561 /* This chunk contains fatal error. It is to be discarded.
1562 * Send an ABORT, with causes if there is any.
1563 */
1564 if (err_chunk) {
1565 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1566 (__u8 *)(err_chunk->chunk_hdr) +
1567 sizeof(struct sctp_chunkhdr),
1568 ntohs(err_chunk->chunk_hdr->length) -
1569 sizeof(struct sctp_chunkhdr));
1570
1571 if (packet) {
1572 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1573 SCTP_PACKET(packet));
1574 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1575 retval = SCTP_DISPOSITION_CONSUME;
1576 } else {
1577 retval = SCTP_DISPOSITION_NOMEM;
1578 }
1579 goto cleanup;
1580 } else {
1581 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1582 commands);
1583 }
1584 }
1585
1586 /*
1587 * Other parameters for the endpoint SHOULD be copied from the
1588 * existing parameters of the association (e.g. number of
1589 * outbound streams) into the INIT ACK and cookie.
1590 * FIXME: We are copying parameters from the endpoint not the
1591 * association.
1592 */
1593 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1594 if (!new_asoc)
1595 goto nomem;
1596
1597 /* Update socket peer label if first association. */
1598 if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
1599 sctp_association_free(new_asoc);
1600 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1601 }
1602
1603 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1604 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1605 goto nomem;
1606
1607 /* In the outbound INIT ACK the endpoint MUST copy its current
1608 * Verification Tag and Peers Verification tag into a reserved
1609 * place (local tie-tag and per tie-tag) within the state cookie.
1610 */
1611 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1612 (struct sctp_init_chunk *)chunk->chunk_hdr,
1613 GFP_ATOMIC))
1614 goto nomem;
1615
1616 /* Make sure no new addresses are being added during the
1617 * restart. Do not do this check for COOKIE-WAIT state,
1618 * since there are no peer addresses to check against.
1619 * Upon return an ABORT will have been sent if needed.
1620 */
1621 if (!sctp_state(asoc, COOKIE_WAIT)) {
1622 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1623 commands)) {
1624 retval = SCTP_DISPOSITION_CONSUME;
1625 goto nomem_retval;
1626 }
1627 }
1628
1629 sctp_tietags_populate(new_asoc, asoc);
1630
1631 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1632
1633 /* If there are errors need to be reported for unknown parameters,
1634 * make sure to reserve enough room in the INIT ACK for them.
1635 */
1636 len = 0;
1637 if (err_chunk) {
1638 len = ntohs(err_chunk->chunk_hdr->length) -
1639 sizeof(struct sctp_chunkhdr);
1640 }
1641
1642 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1643 if (!repl)
1644 goto nomem;
1645
1646 /* If there are errors need to be reported for unknown parameters,
1647 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1648 * parameter.
1649 */
1650 if (err_chunk) {
1651 /* Get the "Unrecognized parameter" parameter(s) out of the
1652 * ERROR chunk generated by sctp_verify_init(). Since the
1653 * error cause code for "unknown parameter" and the
1654 * "Unrecognized parameter" type is the same, we can
1655 * construct the parameters in INIT ACK by copying the
1656 * ERROR causes over.
1657 */
1658 unk_param = (struct sctp_unrecognized_param *)
1659 ((__u8 *)(err_chunk->chunk_hdr) +
1660 sizeof(struct sctp_chunkhdr));
1661 /* Replace the cause code with the "Unrecognized parameter"
1662 * parameter type.
1663 */
1664 sctp_addto_chunk(repl, len, unk_param);
1665 }
1666
1667 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1668 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1669
1670 /*
1671 * Note: After sending out INIT ACK with the State Cookie parameter,
1672 * "Z" MUST NOT allocate any resources for this new association.
1673 * Otherwise, "Z" will be vulnerable to resource attacks.
1674 */
1675 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1676 retval = SCTP_DISPOSITION_CONSUME;
1677
1678 return retval;
1679
1680 nomem:
1681 retval = SCTP_DISPOSITION_NOMEM;
1682 nomem_retval:
1683 if (new_asoc)
1684 sctp_association_free(new_asoc);
1685 cleanup:
1686 if (err_chunk)
1687 sctp_chunk_free(err_chunk);
1688 return retval;
1689 }
1690
1691 /*
1692 * Handle simultaneous INIT.
1693 * This means we started an INIT and then we got an INIT request from
1694 * our peer.
1695 *
1696 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1697 * This usually indicates an initialization collision, i.e., each
1698 * endpoint is attempting, at about the same time, to establish an
1699 * association with the other endpoint.
1700 *
1701 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1702 * endpoint MUST respond with an INIT ACK using the same parameters it
1703 * sent in its original INIT chunk (including its Verification Tag,
1704 * unchanged). These original parameters are combined with those from the
1705 * newly received INIT chunk. The endpoint shall also generate a State
1706 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1707 * INIT to calculate the State Cookie.
1708 *
1709 * After that, the endpoint MUST NOT change its state, the T1-init
1710 * timer shall be left running and the corresponding TCB MUST NOT be
1711 * destroyed. The normal procedures for handling State Cookies when
1712 * a TCB exists will resolve the duplicate INITs to a single association.
1713 *
1714 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1715 * its Tie-Tags with the Tag information of itself and its peer (see
1716 * section 5.2.2 for a description of the Tie-Tags).
1717 *
1718 * Verification Tag: Not explicit, but an INIT can not have a valid
1719 * verification tag, so we skip the check.
1720 *
1721 * Inputs
1722 * (endpoint, asoc, chunk)
1723 *
1724 * Outputs
1725 * (asoc, reply_msg, msg_up, timers, counters)
1726 *
1727 * The return value is the disposition of the chunk.
1728 */
sctp_sf_do_5_2_1_siminit(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1729 enum sctp_disposition sctp_sf_do_5_2_1_siminit(
1730 struct net *net,
1731 const struct sctp_endpoint *ep,
1732 const struct sctp_association *asoc,
1733 const union sctp_subtype type,
1734 void *arg,
1735 struct sctp_cmd_seq *commands)
1736 {
1737 /* Call helper to do the real work for both simultaneous and
1738 * duplicate INIT chunk handling.
1739 */
1740 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1741 }
1742
1743 /*
1744 * Handle duplicated INIT messages. These are usually delayed
1745 * restransmissions.
1746 *
1747 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1748 * COOKIE-ECHOED and COOKIE-WAIT
1749 *
1750 * Unless otherwise stated, upon reception of an unexpected INIT for
1751 * this association, the endpoint shall generate an INIT ACK with a
1752 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1753 * current Verification Tag and peer's Verification Tag into a reserved
1754 * place within the state cookie. We shall refer to these locations as
1755 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1756 * containing this INIT ACK MUST carry a Verification Tag value equal to
1757 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1758 * MUST contain a new Initiation Tag (randomly generated see Section
1759 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1760 * existing parameters of the association (e.g. number of outbound
1761 * streams) into the INIT ACK and cookie.
1762 *
1763 * After sending out the INIT ACK, the endpoint shall take no further
1764 * actions, i.e., the existing association, including its current state,
1765 * and the corresponding TCB MUST NOT be changed.
1766 *
1767 * Note: Only when a TCB exists and the association is not in a COOKIE-
1768 * WAIT state are the Tie-Tags populated. For a normal association INIT
1769 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1770 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1771 * State Cookie are populated as specified in section 5.2.1.
1772 *
1773 * Verification Tag: Not specified, but an INIT has no way of knowing
1774 * what the verification tag could be, so we ignore it.
1775 *
1776 * Inputs
1777 * (endpoint, asoc, chunk)
1778 *
1779 * Outputs
1780 * (asoc, reply_msg, msg_up, timers, counters)
1781 *
1782 * The return value is the disposition of the chunk.
1783 */
sctp_sf_do_5_2_2_dupinit(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1784 enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
1785 struct net *net,
1786 const struct sctp_endpoint *ep,
1787 const struct sctp_association *asoc,
1788 const union sctp_subtype type,
1789 void *arg,
1790 struct sctp_cmd_seq *commands)
1791 {
1792 /* Call helper to do the real work for both simultaneous and
1793 * duplicate INIT chunk handling.
1794 */
1795 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1796 }
1797
1798
1799 /*
1800 * Unexpected INIT-ACK handler.
1801 *
1802 * Section 5.2.3
1803 * If an INIT ACK received by an endpoint in any state other than the
1804 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1805 * An unexpected INIT ACK usually indicates the processing of an old or
1806 * duplicated INIT chunk.
1807 */
sctp_sf_do_5_2_3_initack(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)1808 enum sctp_disposition sctp_sf_do_5_2_3_initack(
1809 struct net *net,
1810 const struct sctp_endpoint *ep,
1811 const struct sctp_association *asoc,
1812 const union sctp_subtype type,
1813 void *arg,
1814 struct sctp_cmd_seq *commands)
1815 {
1816 /* Per the above section, we'll discard the chunk if we have an
1817 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1818 */
1819 if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1820 return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1821 else
1822 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1823 }
1824
sctp_sf_do_assoc_update(struct sctp_association * asoc,struct sctp_association * new,struct sctp_cmd_seq * cmds)1825 static int sctp_sf_do_assoc_update(struct sctp_association *asoc,
1826 struct sctp_association *new,
1827 struct sctp_cmd_seq *cmds)
1828 {
1829 struct net *net = asoc->base.net;
1830 struct sctp_chunk *abort;
1831
1832 if (!sctp_assoc_update(asoc, new))
1833 return 0;
1834
1835 abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
1836 if (abort) {
1837 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
1838 sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
1839 }
1840 sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
1841 sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED,
1842 SCTP_PERR(SCTP_ERROR_RSRC_LOW));
1843 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1844 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1845
1846 return -ENOMEM;
1847 }
1848
1849 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1850 *
1851 * Section 5.2.4
1852 * A) In this case, the peer may have restarted.
1853 */
sctp_sf_do_dupcook_a(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,struct sctp_chunk * chunk,struct sctp_cmd_seq * commands,struct sctp_association * new_asoc)1854 static enum sctp_disposition sctp_sf_do_dupcook_a(
1855 struct net *net,
1856 const struct sctp_endpoint *ep,
1857 const struct sctp_association *asoc,
1858 struct sctp_chunk *chunk,
1859 struct sctp_cmd_seq *commands,
1860 struct sctp_association *new_asoc)
1861 {
1862 struct sctp_init_chunk *peer_init;
1863 enum sctp_disposition disposition;
1864 struct sctp_ulpevent *ev;
1865 struct sctp_chunk *repl;
1866 struct sctp_chunk *err;
1867
1868 /* new_asoc is a brand-new association, so these are not yet
1869 * side effects--it is safe to run them here.
1870 */
1871 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1);
1872 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1873 GFP_ATOMIC))
1874 goto nomem;
1875
1876 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1877 goto nomem;
1878
1879 if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1880 return SCTP_DISPOSITION_DISCARD;
1881
1882 /* Make sure no new addresses are being added during the
1883 * restart. Though this is a pretty complicated attack
1884 * since you'd have to get inside the cookie.
1885 */
1886 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
1887 return SCTP_DISPOSITION_CONSUME;
1888
1889 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1890 * the peer has restarted (Action A), it MUST NOT setup a new
1891 * association but instead resend the SHUTDOWN ACK and send an ERROR
1892 * chunk with a "Cookie Received while Shutting Down" error cause to
1893 * its peer.
1894 */
1895 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1896 disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc,
1897 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1898 chunk, commands);
1899 if (SCTP_DISPOSITION_NOMEM == disposition)
1900 goto nomem;
1901
1902 err = sctp_make_op_error(asoc, chunk,
1903 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1904 NULL, 0, 0);
1905 if (err)
1906 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1907 SCTP_CHUNK(err));
1908
1909 return SCTP_DISPOSITION_CONSUME;
1910 }
1911
1912 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1913 * data. Consider the optional choice of resending of this data.
1914 */
1915 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1916 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1917 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1918 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1919
1920 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1921 * and ASCONF-ACK cache.
1922 */
1923 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1924 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1925 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1926
1927 /* Update the content of current association. */
1928 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1929 goto nomem;
1930
1931 repl = sctp_make_cookie_ack(asoc, chunk);
1932 if (!repl)
1933 goto nomem;
1934
1935 /* Report association restart to upper layer. */
1936 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1937 asoc->c.sinit_num_ostreams,
1938 asoc->c.sinit_max_instreams,
1939 NULL, GFP_ATOMIC);
1940 if (!ev)
1941 goto nomem_ev;
1942
1943 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1944 if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
1945 sctp_state(asoc, SHUTDOWN_SENT)) &&
1946 (sctp_sstate(asoc->base.sk, CLOSING) ||
1947 sock_flag(asoc->base.sk, SOCK_DEAD))) {
1948 /* If the socket has been closed by user, don't
1949 * transition to ESTABLISHED. Instead trigger SHUTDOWN
1950 * bundled with COOKIE_ACK.
1951 */
1952 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1953 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1954 SCTP_ST_CHUNK(0), repl,
1955 commands);
1956 } else {
1957 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1958 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1959 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1960 }
1961 return SCTP_DISPOSITION_CONSUME;
1962
1963 nomem_ev:
1964 sctp_chunk_free(repl);
1965 nomem:
1966 return SCTP_DISPOSITION_NOMEM;
1967 }
1968
1969 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1970 *
1971 * Section 5.2.4
1972 * B) In this case, both sides may be attempting to start an association
1973 * at about the same time but the peer endpoint started its INIT
1974 * after responding to the local endpoint's INIT
1975 */
1976 /* This case represents an initialization collision. */
sctp_sf_do_dupcook_b(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,struct sctp_chunk * chunk,struct sctp_cmd_seq * commands,struct sctp_association * new_asoc)1977 static enum sctp_disposition sctp_sf_do_dupcook_b(
1978 struct net *net,
1979 const struct sctp_endpoint *ep,
1980 const struct sctp_association *asoc,
1981 struct sctp_chunk *chunk,
1982 struct sctp_cmd_seq *commands,
1983 struct sctp_association *new_asoc)
1984 {
1985 struct sctp_init_chunk *peer_init;
1986 struct sctp_chunk *repl;
1987
1988 /* new_asoc is a brand-new association, so these are not yet
1989 * side effects--it is safe to run them here.
1990 */
1991 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1);
1992 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1993 GFP_ATOMIC))
1994 goto nomem;
1995
1996 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1997 goto nomem;
1998
1999 if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
2000 return SCTP_DISPOSITION_DISCARD;
2001
2002 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2003 SCTP_STATE(SCTP_STATE_ESTABLISHED));
2004 if (asoc->state < SCTP_STATE_ESTABLISHED)
2005 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2006 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
2007
2008 /* Update the content of current association. */
2009 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
2010 goto nomem;
2011
2012 repl = sctp_make_cookie_ack(asoc, chunk);
2013 if (!repl)
2014 goto nomem;
2015
2016 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2017
2018 /* RFC 2960 5.1 Normal Establishment of an Association
2019 *
2020 * D) IMPLEMENTATION NOTE: An implementation may choose to
2021 * send the Communication Up notification to the SCTP user
2022 * upon reception of a valid COOKIE ECHO chunk.
2023 *
2024 * Sadly, this needs to be implemented as a side-effect, because
2025 * we are not guaranteed to have set the association id of the real
2026 * association and so these notifications need to be delayed until
2027 * the association id is allocated.
2028 */
2029
2030 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
2031
2032 /* Sockets API Draft Section 5.3.1.6
2033 * When a peer sends a Adaptation Layer Indication parameter , SCTP
2034 * delivers this notification to inform the application that of the
2035 * peers requested adaptation layer.
2036 *
2037 * This also needs to be done as a side effect for the same reason as
2038 * above.
2039 */
2040 if (asoc->peer.adaptation_ind)
2041 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
2042
2043 if (!asoc->peer.auth_capable)
2044 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());
2045
2046 return SCTP_DISPOSITION_CONSUME;
2047
2048 nomem:
2049 return SCTP_DISPOSITION_NOMEM;
2050 }
2051
2052 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
2053 *
2054 * Section 5.2.4
2055 * C) In this case, the local endpoint's cookie has arrived late.
2056 * Before it arrived, the local endpoint sent an INIT and received an
2057 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
2058 * but a new tag of its own.
2059 */
2060 /* This case represents an initialization collision. */
sctp_sf_do_dupcook_c(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,struct sctp_chunk * chunk,struct sctp_cmd_seq * commands,struct sctp_association * new_asoc)2061 static enum sctp_disposition sctp_sf_do_dupcook_c(
2062 struct net *net,
2063 const struct sctp_endpoint *ep,
2064 const struct sctp_association *asoc,
2065 struct sctp_chunk *chunk,
2066 struct sctp_cmd_seq *commands,
2067 struct sctp_association *new_asoc)
2068 {
2069 /* The cookie should be silently discarded.
2070 * The endpoint SHOULD NOT change states and should leave
2071 * any timers running.
2072 */
2073 return SCTP_DISPOSITION_DISCARD;
2074 }
2075
2076 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
2077 *
2078 * Section 5.2.4
2079 *
2080 * D) When both local and remote tags match the endpoint should always
2081 * enter the ESTABLISHED state, if it has not already done so.
2082 */
2083 /* This case represents an initialization collision. */
sctp_sf_do_dupcook_d(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,struct sctp_chunk * chunk,struct sctp_cmd_seq * commands,struct sctp_association * new_asoc)2084 static enum sctp_disposition sctp_sf_do_dupcook_d(
2085 struct net *net,
2086 const struct sctp_endpoint *ep,
2087 const struct sctp_association *asoc,
2088 struct sctp_chunk *chunk,
2089 struct sctp_cmd_seq *commands,
2090 struct sctp_association *new_asoc)
2091 {
2092 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;
2093 struct sctp_chunk *repl;
2094
2095 /* Clarification from Implementor's Guide:
2096 * D) When both local and remote tags match the endpoint should
2097 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
2098 * It should stop any cookie timer that may be running and send
2099 * a COOKIE ACK.
2100 */
2101
2102 if (!sctp_auth_chunk_verify(net, chunk, asoc))
2103 return SCTP_DISPOSITION_DISCARD;
2104
2105 /* Don't accidentally move back into established state. */
2106 if (asoc->state < SCTP_STATE_ESTABLISHED) {
2107 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2108 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2109 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2110 SCTP_STATE(SCTP_STATE_ESTABLISHED));
2111 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2112 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
2113 SCTP_NULL());
2114
2115 /* RFC 2960 5.1 Normal Establishment of an Association
2116 *
2117 * D) IMPLEMENTATION NOTE: An implementation may choose
2118 * to send the Communication Up notification to the
2119 * SCTP user upon reception of a valid COOKIE
2120 * ECHO chunk.
2121 */
2122 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
2123 SCTP_COMM_UP, 0,
2124 asoc->c.sinit_num_ostreams,
2125 asoc->c.sinit_max_instreams,
2126 NULL, GFP_ATOMIC);
2127 if (!ev)
2128 goto nomem;
2129
2130 /* Sockets API Draft Section 5.3.1.6
2131 * When a peer sends a Adaptation Layer Indication parameter,
2132 * SCTP delivers this notification to inform the application
2133 * that of the peers requested adaptation layer.
2134 */
2135 if (asoc->peer.adaptation_ind) {
2136 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
2137 GFP_ATOMIC);
2138 if (!ai_ev)
2139 goto nomem;
2140
2141 }
2142
2143 if (!asoc->peer.auth_capable) {
2144 auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
2145 SCTP_AUTH_NO_AUTH,
2146 GFP_ATOMIC);
2147 if (!auth_ev)
2148 goto nomem;
2149 }
2150 }
2151
2152 repl = sctp_make_cookie_ack(asoc, chunk);
2153 if (!repl)
2154 goto nomem;
2155
2156 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2157
2158 if (ev)
2159 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2160 SCTP_ULPEVENT(ev));
2161 if (ai_ev)
2162 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2163 SCTP_ULPEVENT(ai_ev));
2164 if (auth_ev)
2165 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2166 SCTP_ULPEVENT(auth_ev));
2167
2168 return SCTP_DISPOSITION_CONSUME;
2169
2170 nomem:
2171 if (auth_ev)
2172 sctp_ulpevent_free(auth_ev);
2173 if (ai_ev)
2174 sctp_ulpevent_free(ai_ev);
2175 if (ev)
2176 sctp_ulpevent_free(ev);
2177 return SCTP_DISPOSITION_NOMEM;
2178 }
2179
2180 /*
2181 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
2182 * chunk was retransmitted and then delayed in the network.
2183 *
2184 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
2185 *
2186 * Verification Tag: None. Do cookie validation.
2187 *
2188 * Inputs
2189 * (endpoint, asoc, chunk)
2190 *
2191 * Outputs
2192 * (asoc, reply_msg, msg_up, timers, counters)
2193 *
2194 * The return value is the disposition of the chunk.
2195 */
sctp_sf_do_5_2_4_dupcook(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2196 enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
2197 struct net *net,
2198 const struct sctp_endpoint *ep,
2199 const struct sctp_association *asoc,
2200 const union sctp_subtype type,
2201 void *arg,
2202 struct sctp_cmd_seq *commands)
2203 {
2204 struct sctp_association *new_asoc;
2205 struct sctp_chunk *chunk = arg;
2206 enum sctp_disposition retval;
2207 struct sctp_chunk *err_chk_p;
2208 int error = 0;
2209 char action;
2210
2211 /* Make sure that the chunk has a valid length from the protocol
2212 * perspective. In this case check to make sure we have at least
2213 * enough for the chunk header. Cookie length verification is
2214 * done later.
2215 */
2216 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) {
2217 if (!sctp_vtag_verify(chunk, asoc))
2218 asoc = NULL;
2219 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);
2220 }
2221
2222 /* "Decode" the chunk. We have no optional parameters so we
2223 * are in good shape.
2224 */
2225 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2226 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2227 sizeof(struct sctp_chunkhdr)))
2228 goto nomem;
2229
2230 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2231 * of a duplicate COOKIE ECHO match the Verification Tags of the
2232 * current association, consider the State Cookie valid even if
2233 * the lifespan is exceeded.
2234 */
2235 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2236 &err_chk_p);
2237
2238 /* FIXME:
2239 * If the re-build failed, what is the proper error path
2240 * from here?
2241 *
2242 * [We should abort the association. --piggy]
2243 */
2244 if (!new_asoc) {
2245 /* FIXME: Several errors are possible. A bad cookie should
2246 * be silently discarded, but think about logging it too.
2247 */
2248 switch (error) {
2249 case -SCTP_IERROR_NOMEM:
2250 goto nomem;
2251
2252 case -SCTP_IERROR_STALE_COOKIE:
2253 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2254 err_chk_p);
2255 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2256 case -SCTP_IERROR_BAD_SIG:
2257 default:
2258 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2259 }
2260 }
2261
2262 /* Set temp so that it won't be added into hashtable */
2263 new_asoc->temp = 1;
2264
2265 /* Compare the tie_tag in cookie with the verification tag of
2266 * current association.
2267 */
2268 action = sctp_tietags_compare(new_asoc, asoc);
2269
2270 /* In cases C and E the association doesn't enter the ESTABLISHED
2271 * state, so there is no need to call security_sctp_assoc_request().
2272 */
2273 switch (action) {
2274 case 'A': /* Association restart. */
2275 case 'B': /* Collision case B. */
2276 case 'D': /* Collision case D. */
2277 /* Update socket peer label if first association. */
2278 if (security_sctp_assoc_request((struct sctp_association *)asoc,
2279 chunk->head_skb ?: chunk->skb)) {
2280 sctp_association_free(new_asoc);
2281 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2282 }
2283 break;
2284 }
2285
2286 switch (action) {
2287 case 'A': /* Association restart. */
2288 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2289 new_asoc);
2290 break;
2291
2292 case 'B': /* Collision case B. */
2293 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2294 new_asoc);
2295 break;
2296
2297 case 'C': /* Collision case C. */
2298 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2299 new_asoc);
2300 break;
2301
2302 case 'D': /* Collision case D. */
2303 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2304 new_asoc);
2305 break;
2306
2307 default: /* Discard packet for all others. */
2308 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2309 break;
2310 }
2311
2312 /* Delete the temporary new association. */
2313 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2314 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2315
2316 /* Restore association pointer to provide SCTP command interpreter
2317 * with a valid context in case it needs to manipulate
2318 * the queues */
2319 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2320 SCTP_ASOC((struct sctp_association *)asoc));
2321
2322 return retval;
2323
2324 nomem:
2325 return SCTP_DISPOSITION_NOMEM;
2326 }
2327
2328 /*
2329 * Process an ABORT. (SHUTDOWN-PENDING state)
2330 *
2331 * See sctp_sf_do_9_1_abort().
2332 */
sctp_sf_shutdown_pending_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2333 enum sctp_disposition sctp_sf_shutdown_pending_abort(
2334 struct net *net,
2335 const struct sctp_endpoint *ep,
2336 const struct sctp_association *asoc,
2337 const union sctp_subtype type,
2338 void *arg,
2339 struct sctp_cmd_seq *commands)
2340 {
2341 struct sctp_chunk *chunk = arg;
2342
2343 if (!sctp_vtag_verify_either(chunk, asoc))
2344 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2345
2346 /* Make sure that the ABORT chunk has a valid length.
2347 * Since this is an ABORT chunk, we have to discard it
2348 * because of the following text:
2349 * RFC 2960, Section 3.3.7
2350 * If an endpoint receives an ABORT with a format error or for an
2351 * association that doesn't exist, it MUST silently discard it.
2352 * Because the length is "invalid", we can't really discard just
2353 * as we do not know its true length. So, to be safe, discard the
2354 * packet.
2355 */
2356 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2357 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2358
2359 /* ADD-IP: Special case for ABORT chunks
2360 * F4) One special consideration is that ABORT Chunks arriving
2361 * destined to the IP address being deleted MUST be
2362 * ignored (see Section 5.3.1 for further details).
2363 */
2364 if (SCTP_ADDR_DEL ==
2365 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2366 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2367
2368 if (!sctp_err_chunk_valid(chunk))
2369 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2370
2371 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2372 }
2373
2374 /*
2375 * Process an ABORT. (SHUTDOWN-SENT state)
2376 *
2377 * See sctp_sf_do_9_1_abort().
2378 */
sctp_sf_shutdown_sent_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2379 enum sctp_disposition sctp_sf_shutdown_sent_abort(
2380 struct net *net,
2381 const struct sctp_endpoint *ep,
2382 const struct sctp_association *asoc,
2383 const union sctp_subtype type,
2384 void *arg,
2385 struct sctp_cmd_seq *commands)
2386 {
2387 struct sctp_chunk *chunk = arg;
2388
2389 if (!sctp_vtag_verify_either(chunk, asoc))
2390 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2391
2392 /* Make sure that the ABORT chunk has a valid length.
2393 * Since this is an ABORT chunk, we have to discard it
2394 * because of the following text:
2395 * RFC 2960, Section 3.3.7
2396 * If an endpoint receives an ABORT with a format error or for an
2397 * association that doesn't exist, it MUST silently discard it.
2398 * Because the length is "invalid", we can't really discard just
2399 * as we do not know its true length. So, to be safe, discard the
2400 * packet.
2401 */
2402 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2403 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2404
2405 /* ADD-IP: Special case for ABORT chunks
2406 * F4) One special consideration is that ABORT Chunks arriving
2407 * destined to the IP address being deleted MUST be
2408 * ignored (see Section 5.3.1 for further details).
2409 */
2410 if (SCTP_ADDR_DEL ==
2411 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2412 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2413
2414 if (!sctp_err_chunk_valid(chunk))
2415 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2416
2417 /* Stop the T2-shutdown timer. */
2418 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2419 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2420
2421 /* Stop the T5-shutdown guard timer. */
2422 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2423 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2424
2425 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2426 }
2427
2428 /*
2429 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2430 *
2431 * See sctp_sf_do_9_1_abort().
2432 */
sctp_sf_shutdown_ack_sent_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2433 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort(
2434 struct net *net,
2435 const struct sctp_endpoint *ep,
2436 const struct sctp_association *asoc,
2437 const union sctp_subtype type,
2438 void *arg,
2439 struct sctp_cmd_seq *commands)
2440 {
2441 /* The same T2 timer, so we should be able to use
2442 * common function with the SHUTDOWN-SENT state.
2443 */
2444 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2445 }
2446
2447 /*
2448 * Handle an Error received in COOKIE_ECHOED state.
2449 *
2450 * Only handle the error type of stale COOKIE Error, the other errors will
2451 * be ignored.
2452 *
2453 * Inputs
2454 * (endpoint, asoc, chunk)
2455 *
2456 * Outputs
2457 * (asoc, reply_msg, msg_up, timers, counters)
2458 *
2459 * The return value is the disposition of the chunk.
2460 */
sctp_sf_cookie_echoed_err(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2461 enum sctp_disposition sctp_sf_cookie_echoed_err(
2462 struct net *net,
2463 const struct sctp_endpoint *ep,
2464 const struct sctp_association *asoc,
2465 const union sctp_subtype type,
2466 void *arg,
2467 struct sctp_cmd_seq *commands)
2468 {
2469 struct sctp_chunk *chunk = arg;
2470 struct sctp_errhdr *err;
2471
2472 if (!sctp_vtag_verify(chunk, asoc))
2473 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2474
2475 /* Make sure that the ERROR chunk has a valid length.
2476 * The parameter walking depends on this as well.
2477 */
2478 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
2479 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2480 commands);
2481
2482 /* Process the error here */
2483 /* FUTURE FIXME: When PR-SCTP related and other optional
2484 * parms are emitted, this will have to change to handle multiple
2485 * errors.
2486 */
2487 sctp_walk_errors(err, chunk->chunk_hdr) {
2488 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2489 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2490 arg, commands);
2491 }
2492
2493 /* It is possible to have malformed error causes, and that
2494 * will cause us to end the walk early. However, since
2495 * we are discarding the packet, there should be no adverse
2496 * affects.
2497 */
2498 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2499 }
2500
2501 /*
2502 * Handle a Stale COOKIE Error
2503 *
2504 * Section: 5.2.6 Handle Stale COOKIE Error
2505 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2506 * one of the following three alternatives.
2507 * ...
2508 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2509 * Preservative parameter requesting an extension to the lifetime of
2510 * the State Cookie. When calculating the time extension, an
2511 * implementation SHOULD use the RTT information measured based on the
2512 * previous COOKIE ECHO / ERROR exchange, and should add no more
2513 * than 1 second beyond the measured RTT, due to long State Cookie
2514 * lifetimes making the endpoint more subject to a replay attack.
2515 *
2516 * Verification Tag: Not explicit, but safe to ignore.
2517 *
2518 * Inputs
2519 * (endpoint, asoc, chunk)
2520 *
2521 * Outputs
2522 * (asoc, reply_msg, msg_up, timers, counters)
2523 *
2524 * The return value is the disposition of the chunk.
2525 */
sctp_sf_do_5_2_6_stale(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2526 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
2527 struct net *net,
2528 const struct sctp_endpoint *ep,
2529 const struct sctp_association *asoc,
2530 const union sctp_subtype type,
2531 void *arg,
2532 struct sctp_cmd_seq *commands)
2533 {
2534 int attempts = asoc->init_err_counter + 1;
2535 struct sctp_chunk *chunk = arg, *reply;
2536 struct sctp_cookie_preserve_param bht;
2537 struct sctp_bind_addr *bp;
2538 struct sctp_errhdr *err;
2539 u32 stale;
2540
2541 if (attempts > asoc->max_init_attempts) {
2542 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2543 SCTP_ERROR(ETIMEDOUT));
2544 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2545 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2546 return SCTP_DISPOSITION_DELETE_TCB;
2547 }
2548
2549 err = (struct sctp_errhdr *)(chunk->skb->data);
2550
2551 /* When calculating the time extension, an implementation
2552 * SHOULD use the RTT information measured based on the
2553 * previous COOKIE ECHO / ERROR exchange, and should add no
2554 * more than 1 second beyond the measured RTT, due to long
2555 * State Cookie lifetimes making the endpoint more subject to
2556 * a replay attack.
2557 * Measure of Staleness's unit is usec. (1/1000000 sec)
2558 * Suggested Cookie Life-span Increment's unit is msec.
2559 * (1/1000 sec)
2560 * In general, if you use the suggested cookie life, the value
2561 * found in the field of measure of staleness should be doubled
2562 * to give ample time to retransmit the new cookie and thus
2563 * yield a higher probability of success on the reattempt.
2564 */
2565 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));
2566 stale = (stale * 2) / 1000;
2567
2568 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2569 bht.param_hdr.length = htons(sizeof(bht));
2570 bht.lifespan_increment = htonl(stale);
2571
2572 /* Build that new INIT chunk. */
2573 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2574 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2575 if (!reply)
2576 goto nomem;
2577
2578 sctp_addto_chunk(reply, sizeof(bht), &bht);
2579
2580 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2581 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2582
2583 /* Stop pending T3-rtx and heartbeat timers */
2584 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2585 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2586
2587 /* Delete non-primary peer ip addresses since we are transitioning
2588 * back to the COOKIE-WAIT state
2589 */
2590 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2591
2592 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2593 * resend
2594 */
2595 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2596 SCTP_TRANSPORT(asoc->peer.primary_path));
2597
2598 /* Cast away the const modifier, as we want to just
2599 * rerun it through as a sideffect.
2600 */
2601 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2602
2603 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2604 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2605 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2606 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2607 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2608 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2609
2610 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2611
2612 return SCTP_DISPOSITION_CONSUME;
2613
2614 nomem:
2615 return SCTP_DISPOSITION_NOMEM;
2616 }
2617
2618 /*
2619 * Process an ABORT.
2620 *
2621 * Section: 9.1
2622 * After checking the Verification Tag, the receiving endpoint shall
2623 * remove the association from its record, and shall report the
2624 * termination to its upper layer.
2625 *
2626 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2627 * B) Rules for packet carrying ABORT:
2628 *
2629 * - The endpoint shall always fill in the Verification Tag field of the
2630 * outbound packet with the destination endpoint's tag value if it
2631 * is known.
2632 *
2633 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2634 * MUST follow the procedure described in Section 8.4.
2635 *
2636 * - The receiver MUST accept the packet if the Verification Tag
2637 * matches either its own tag, OR the tag of its peer. Otherwise, the
2638 * receiver MUST silently discard the packet and take no further
2639 * action.
2640 *
2641 * Inputs
2642 * (endpoint, asoc, chunk)
2643 *
2644 * Outputs
2645 * (asoc, reply_msg, msg_up, timers, counters)
2646 *
2647 * The return value is the disposition of the chunk.
2648 */
sctp_sf_do_9_1_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2649 enum sctp_disposition sctp_sf_do_9_1_abort(
2650 struct net *net,
2651 const struct sctp_endpoint *ep,
2652 const struct sctp_association *asoc,
2653 const union sctp_subtype type,
2654 void *arg,
2655 struct sctp_cmd_seq *commands)
2656 {
2657 struct sctp_chunk *chunk = arg;
2658
2659 if (!sctp_vtag_verify_either(chunk, asoc))
2660 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2661
2662 /* Make sure that the ABORT chunk has a valid length.
2663 * Since this is an ABORT chunk, we have to discard it
2664 * because of the following text:
2665 * RFC 2960, Section 3.3.7
2666 * If an endpoint receives an ABORT with a format error or for an
2667 * association that doesn't exist, it MUST silently discard it.
2668 * Because the length is "invalid", we can't really discard just
2669 * as we do not know its true length. So, to be safe, discard the
2670 * packet.
2671 */
2672 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2673 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2674
2675 /* ADD-IP: Special case for ABORT chunks
2676 * F4) One special consideration is that ABORT Chunks arriving
2677 * destined to the IP address being deleted MUST be
2678 * ignored (see Section 5.3.1 for further details).
2679 */
2680 if (SCTP_ADDR_DEL ==
2681 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2682 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2683
2684 if (!sctp_err_chunk_valid(chunk))
2685 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2686
2687 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2688 }
2689
__sctp_sf_do_9_1_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2690 static enum sctp_disposition __sctp_sf_do_9_1_abort(
2691 struct net *net,
2692 const struct sctp_endpoint *ep,
2693 const struct sctp_association *asoc,
2694 const union sctp_subtype type,
2695 void *arg,
2696 struct sctp_cmd_seq *commands)
2697 {
2698 __be16 error = SCTP_ERROR_NO_ERROR;
2699 struct sctp_chunk *chunk = arg;
2700 unsigned int len;
2701
2702 /* See if we have an error cause code in the chunk. */
2703 len = ntohs(chunk->chunk_hdr->length);
2704 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2705 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2706
2707 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2708 /* ASSOC_FAILED will DELETE_TCB. */
2709 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2710 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2711 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2712
2713 return SCTP_DISPOSITION_ABORT;
2714 }
2715
2716 /*
2717 * Process an ABORT. (COOKIE-WAIT state)
2718 *
2719 * See sctp_sf_do_9_1_abort() above.
2720 */
sctp_sf_cookie_wait_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2721 enum sctp_disposition sctp_sf_cookie_wait_abort(
2722 struct net *net,
2723 const struct sctp_endpoint *ep,
2724 const struct sctp_association *asoc,
2725 const union sctp_subtype type,
2726 void *arg,
2727 struct sctp_cmd_seq *commands)
2728 {
2729 __be16 error = SCTP_ERROR_NO_ERROR;
2730 struct sctp_chunk *chunk = arg;
2731 unsigned int len;
2732
2733 if (!sctp_vtag_verify_either(chunk, asoc))
2734 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2735
2736 /* Make sure that the ABORT chunk has a valid length.
2737 * Since this is an ABORT chunk, we have to discard it
2738 * because of the following text:
2739 * RFC 2960, Section 3.3.7
2740 * If an endpoint receives an ABORT with a format error or for an
2741 * association that doesn't exist, it MUST silently discard it.
2742 * Because the length is "invalid", we can't really discard just
2743 * as we do not know its true length. So, to be safe, discard the
2744 * packet.
2745 */
2746 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2747 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2748
2749 /* See if we have an error cause code in the chunk. */
2750 len = ntohs(chunk->chunk_hdr->length);
2751 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2752 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2753
2754 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2755 chunk->transport);
2756 }
2757
2758 /*
2759 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2760 */
sctp_sf_cookie_wait_icmp_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2761 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort(
2762 struct net *net,
2763 const struct sctp_endpoint *ep,
2764 const struct sctp_association *asoc,
2765 const union sctp_subtype type,
2766 void *arg,
2767 struct sctp_cmd_seq *commands)
2768 {
2769 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2770 ENOPROTOOPT, asoc,
2771 (struct sctp_transport *)arg);
2772 }
2773
2774 /*
2775 * Process an ABORT. (COOKIE-ECHOED state)
2776 */
sctp_sf_cookie_echoed_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2777 enum sctp_disposition sctp_sf_cookie_echoed_abort(
2778 struct net *net,
2779 const struct sctp_endpoint *ep,
2780 const struct sctp_association *asoc,
2781 const union sctp_subtype type,
2782 void *arg,
2783 struct sctp_cmd_seq *commands)
2784 {
2785 /* There is a single T1 timer, so we should be able to use
2786 * common function with the COOKIE-WAIT state.
2787 */
2788 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2789 }
2790
2791 /*
2792 * Stop T1 timer and abort association with "INIT failed".
2793 *
2794 * This is common code called by several sctp_sf_*_abort() functions above.
2795 */
sctp_stop_t1_and_abort(struct net * net,struct sctp_cmd_seq * commands,__be16 error,int sk_err,const struct sctp_association * asoc,struct sctp_transport * transport)2796 static enum sctp_disposition sctp_stop_t1_and_abort(
2797 struct net *net,
2798 struct sctp_cmd_seq *commands,
2799 __be16 error, int sk_err,
2800 const struct sctp_association *asoc,
2801 struct sctp_transport *transport)
2802 {
2803 pr_debug("%s: ABORT received (INIT)\n", __func__);
2804
2805 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2806 SCTP_STATE(SCTP_STATE_CLOSED));
2807 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2808 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2809 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2810 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2811 /* CMD_INIT_FAILED will DELETE_TCB. */
2812 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2813 SCTP_PERR(error));
2814
2815 return SCTP_DISPOSITION_ABORT;
2816 }
2817
2818 /*
2819 * sctp_sf_do_9_2_shut
2820 *
2821 * Section: 9.2
2822 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2823 * - enter the SHUTDOWN-RECEIVED state,
2824 *
2825 * - stop accepting new data from its SCTP user
2826 *
2827 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2828 * that all its outstanding DATA chunks have been received by the
2829 * SHUTDOWN sender.
2830 *
2831 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2832 * send a SHUTDOWN in response to a ULP request. And should discard
2833 * subsequent SHUTDOWN chunks.
2834 *
2835 * If there are still outstanding DATA chunks left, the SHUTDOWN
2836 * receiver shall continue to follow normal data transmission
2837 * procedures defined in Section 6 until all outstanding DATA chunks
2838 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2839 * new data from its SCTP user.
2840 *
2841 * Verification Tag: 8.5 Verification Tag [Normal verification]
2842 *
2843 * Inputs
2844 * (endpoint, asoc, chunk)
2845 *
2846 * Outputs
2847 * (asoc, reply_msg, msg_up, timers, counters)
2848 *
2849 * The return value is the disposition of the chunk.
2850 */
sctp_sf_do_9_2_shutdown(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2851 enum sctp_disposition sctp_sf_do_9_2_shutdown(
2852 struct net *net,
2853 const struct sctp_endpoint *ep,
2854 const struct sctp_association *asoc,
2855 const union sctp_subtype type,
2856 void *arg,
2857 struct sctp_cmd_seq *commands)
2858 {
2859 enum sctp_disposition disposition;
2860 struct sctp_chunk *chunk = arg;
2861 struct sctp_shutdownhdr *sdh;
2862 struct sctp_ulpevent *ev;
2863 __u32 ctsn;
2864
2865 if (!sctp_vtag_verify(chunk, asoc))
2866 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2867
2868 /* Make sure that the SHUTDOWN chunk has a valid length. */
2869 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2870 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2871 commands);
2872
2873 /* Convert the elaborate header. */
2874 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2875 skb_pull(chunk->skb, sizeof(*sdh));
2876 chunk->subh.shutdown_hdr = sdh;
2877 ctsn = ntohl(sdh->cum_tsn_ack);
2878
2879 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2880 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2881 asoc->ctsn_ack_point);
2882
2883 return SCTP_DISPOSITION_DISCARD;
2884 }
2885
2886 /* If Cumulative TSN Ack beyond the max tsn currently
2887 * send, terminating the association and respond to the
2888 * sender with an ABORT.
2889 */
2890 if (!TSN_lt(ctsn, asoc->next_tsn))
2891 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2892
2893 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2894 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2895 * inform the application that it should cease sending data.
2896 */
2897 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2898 if (!ev) {
2899 disposition = SCTP_DISPOSITION_NOMEM;
2900 goto out;
2901 }
2902 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2903
2904 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2905 * - enter the SHUTDOWN-RECEIVED state,
2906 * - stop accepting new data from its SCTP user
2907 *
2908 * [This is implicit in the new state.]
2909 */
2910 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2911 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2912 disposition = SCTP_DISPOSITION_CONSUME;
2913
2914 if (sctp_outq_is_empty(&asoc->outqueue)) {
2915 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2916 arg, commands);
2917 }
2918
2919 if (SCTP_DISPOSITION_NOMEM == disposition)
2920 goto out;
2921
2922 /* - verify, by checking the Cumulative TSN Ack field of the
2923 * chunk, that all its outstanding DATA chunks have been
2924 * received by the SHUTDOWN sender.
2925 */
2926 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2927 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2928
2929 out:
2930 return disposition;
2931 }
2932
2933 /*
2934 * sctp_sf_do_9_2_shut_ctsn
2935 *
2936 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2937 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2938 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2939 * MUST be processed.
2940 */
sctp_sf_do_9_2_shut_ctsn(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2941 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
2942 struct net *net,
2943 const struct sctp_endpoint *ep,
2944 const struct sctp_association *asoc,
2945 const union sctp_subtype type,
2946 void *arg,
2947 struct sctp_cmd_seq *commands)
2948 {
2949 struct sctp_chunk *chunk = arg;
2950 struct sctp_shutdownhdr *sdh;
2951 __u32 ctsn;
2952
2953 if (!sctp_vtag_verify(chunk, asoc))
2954 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2955
2956 /* Make sure that the SHUTDOWN chunk has a valid length. */
2957 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2958 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2959 commands);
2960
2961 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2962 ctsn = ntohl(sdh->cum_tsn_ack);
2963
2964 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2965 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2966 asoc->ctsn_ack_point);
2967
2968 return SCTP_DISPOSITION_DISCARD;
2969 }
2970
2971 /* If Cumulative TSN Ack beyond the max tsn currently
2972 * send, terminating the association and respond to the
2973 * sender with an ABORT.
2974 */
2975 if (!TSN_lt(ctsn, asoc->next_tsn))
2976 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2977
2978 /* verify, by checking the Cumulative TSN Ack field of the
2979 * chunk, that all its outstanding DATA chunks have been
2980 * received by the SHUTDOWN sender.
2981 */
2982 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2983 SCTP_BE32(sdh->cum_tsn_ack));
2984
2985 return SCTP_DISPOSITION_CONSUME;
2986 }
2987
2988 /* RFC 2960 9.2
2989 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2990 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2991 * transport addresses (either in the IP addresses or in the INIT chunk)
2992 * that belong to this association, it should discard the INIT chunk and
2993 * retransmit the SHUTDOWN ACK chunk.
2994 */
2995 static enum sctp_disposition
__sctp_sf_do_9_2_reshutack(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)2996 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
2997 const struct sctp_association *asoc,
2998 const union sctp_subtype type, void *arg,
2999 struct sctp_cmd_seq *commands)
3000 {
3001 struct sctp_chunk *chunk = arg;
3002 struct sctp_chunk *reply;
3003
3004 /* Make sure that the chunk has a valid length */
3005 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3006 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3007 commands);
3008
3009 /* Since we are not going to really process this INIT, there
3010 * is no point in verifying chunk boundaries. Just generate
3011 * the SHUTDOWN ACK.
3012 */
3013 reply = sctp_make_shutdown_ack(asoc, chunk);
3014 if (NULL == reply)
3015 goto nomem;
3016
3017 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
3018 * the T2-SHUTDOWN timer.
3019 */
3020 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
3021
3022 /* and restart the T2-shutdown timer. */
3023 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3024 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3025
3026 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3027
3028 return SCTP_DISPOSITION_CONSUME;
3029 nomem:
3030 return SCTP_DISPOSITION_NOMEM;
3031 }
3032
3033 enum sctp_disposition
sctp_sf_do_9_2_reshutack(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3034 sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
3035 const struct sctp_association *asoc,
3036 const union sctp_subtype type, void *arg,
3037 struct sctp_cmd_seq *commands)
3038 {
3039 struct sctp_chunk *chunk = arg;
3040
3041 if (!chunk->singleton)
3042 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3043
3044 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
3045 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3046
3047 if (chunk->sctp_hdr->vtag != 0)
3048 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3049
3050 return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands);
3051 }
3052
3053 /*
3054 * sctp_sf_do_ecn_cwr
3055 *
3056 * Section: Appendix A: Explicit Congestion Notification
3057 *
3058 * CWR:
3059 *
3060 * RFC 2481 details a specific bit for a sender to send in the header of
3061 * its next outbound TCP segment to indicate to its peer that it has
3062 * reduced its congestion window. This is termed the CWR bit. For
3063 * SCTP the same indication is made by including the CWR chunk.
3064 * This chunk contains one data element, i.e. the TSN number that
3065 * was sent in the ECNE chunk. This element represents the lowest
3066 * TSN number in the datagram that was originally marked with the
3067 * CE bit.
3068 *
3069 * Verification Tag: 8.5 Verification Tag [Normal verification]
3070 * Inputs
3071 * (endpoint, asoc, chunk)
3072 *
3073 * Outputs
3074 * (asoc, reply_msg, msg_up, timers, counters)
3075 *
3076 * The return value is the disposition of the chunk.
3077 */
sctp_sf_do_ecn_cwr(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3078 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net,
3079 const struct sctp_endpoint *ep,
3080 const struct sctp_association *asoc,
3081 const union sctp_subtype type,
3082 void *arg,
3083 struct sctp_cmd_seq *commands)
3084 {
3085 struct sctp_chunk *chunk = arg;
3086 struct sctp_cwrhdr *cwr;
3087 u32 lowest_tsn;
3088
3089 if (!sctp_vtag_verify(chunk, asoc))
3090 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3091
3092 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3093 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3094 commands);
3095
3096 cwr = (struct sctp_cwrhdr *)chunk->skb->data;
3097 skb_pull(chunk->skb, sizeof(*cwr));
3098
3099 lowest_tsn = ntohl(cwr->lowest_tsn);
3100
3101 /* Does this CWR ack the last sent congestion notification? */
3102 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
3103 /* Stop sending ECNE. */
3104 sctp_add_cmd_sf(commands,
3105 SCTP_CMD_ECN_CWR,
3106 SCTP_U32(lowest_tsn));
3107 }
3108 return SCTP_DISPOSITION_CONSUME;
3109 }
3110
3111 /*
3112 * sctp_sf_do_ecne
3113 *
3114 * Section: Appendix A: Explicit Congestion Notification
3115 *
3116 * ECN-Echo
3117 *
3118 * RFC 2481 details a specific bit for a receiver to send back in its
3119 * TCP acknowledgements to notify the sender of the Congestion
3120 * Experienced (CE) bit having arrived from the network. For SCTP this
3121 * same indication is made by including the ECNE chunk. This chunk
3122 * contains one data element, i.e. the lowest TSN associated with the IP
3123 * datagram marked with the CE bit.....
3124 *
3125 * Verification Tag: 8.5 Verification Tag [Normal verification]
3126 * Inputs
3127 * (endpoint, asoc, chunk)
3128 *
3129 * Outputs
3130 * (asoc, reply_msg, msg_up, timers, counters)
3131 *
3132 * The return value is the disposition of the chunk.
3133 */
sctp_sf_do_ecne(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3134 enum sctp_disposition sctp_sf_do_ecne(struct net *net,
3135 const struct sctp_endpoint *ep,
3136 const struct sctp_association *asoc,
3137 const union sctp_subtype type,
3138 void *arg, struct sctp_cmd_seq *commands)
3139 {
3140 struct sctp_chunk *chunk = arg;
3141 struct sctp_ecnehdr *ecne;
3142
3143 if (!sctp_vtag_verify(chunk, asoc))
3144 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3145
3146 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3147 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3148 commands);
3149
3150 ecne = (struct sctp_ecnehdr *)chunk->skb->data;
3151 skb_pull(chunk->skb, sizeof(*ecne));
3152
3153 /* If this is a newer ECNE than the last CWR packet we sent out */
3154 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
3155 SCTP_U32(ntohl(ecne->lowest_tsn)));
3156
3157 return SCTP_DISPOSITION_CONSUME;
3158 }
3159
3160 /*
3161 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
3162 *
3163 * The SCTP endpoint MUST always acknowledge the reception of each valid
3164 * DATA chunk.
3165 *
3166 * The guidelines on delayed acknowledgement algorithm specified in
3167 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
3168 * acknowledgement SHOULD be generated for at least every second packet
3169 * (not every second DATA chunk) received, and SHOULD be generated within
3170 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
3171 * situations it may be beneficial for an SCTP transmitter to be more
3172 * conservative than the algorithms detailed in this document allow.
3173 * However, an SCTP transmitter MUST NOT be more aggressive than the
3174 * following algorithms allow.
3175 *
3176 * A SCTP receiver MUST NOT generate more than one SACK for every
3177 * incoming packet, other than to update the offered window as the
3178 * receiving application consumes new data.
3179 *
3180 * Verification Tag: 8.5 Verification Tag [Normal verification]
3181 *
3182 * Inputs
3183 * (endpoint, asoc, chunk)
3184 *
3185 * Outputs
3186 * (asoc, reply_msg, msg_up, timers, counters)
3187 *
3188 * The return value is the disposition of the chunk.
3189 */
sctp_sf_eat_data_6_2(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3190 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net,
3191 const struct sctp_endpoint *ep,
3192 const struct sctp_association *asoc,
3193 const union sctp_subtype type,
3194 void *arg,
3195 struct sctp_cmd_seq *commands)
3196 {
3197 union sctp_arg force = SCTP_NOFORCE();
3198 struct sctp_chunk *chunk = arg;
3199 int error;
3200
3201 if (!sctp_vtag_verify(chunk, asoc)) {
3202 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3203 SCTP_NULL());
3204 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3205 }
3206
3207 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3208 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3209 commands);
3210
3211 error = sctp_eat_data(asoc, chunk, commands);
3212 switch (error) {
3213 case SCTP_IERROR_NO_ERROR:
3214 break;
3215 case SCTP_IERROR_HIGH_TSN:
3216 case SCTP_IERROR_BAD_STREAM:
3217 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3218 goto discard_noforce;
3219 case SCTP_IERROR_DUP_TSN:
3220 case SCTP_IERROR_IGNORE_TSN:
3221 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3222 goto discard_force;
3223 case SCTP_IERROR_NO_DATA:
3224 return SCTP_DISPOSITION_ABORT;
3225 case SCTP_IERROR_PROTO_VIOLATION:
3226 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3227 (u8 *)chunk->subh.data_hdr,
3228 sctp_datahdr_len(&asoc->stream));
3229 default:
3230 BUG();
3231 }
3232
3233 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
3234 force = SCTP_FORCE();
3235
3236 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3237 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3238 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3239 }
3240
3241 /* If this is the last chunk in a packet, we need to count it
3242 * toward sack generation. Note that we need to SACK every
3243 * OTHER packet containing data chunks, EVEN IF WE DISCARD
3244 * THEM. We elect to NOT generate SACK's if the chunk fails
3245 * the verification tag test.
3246 *
3247 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3248 *
3249 * The SCTP endpoint MUST always acknowledge the reception of
3250 * each valid DATA chunk.
3251 *
3252 * The guidelines on delayed acknowledgement algorithm
3253 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
3254 * Specifically, an acknowledgement SHOULD be generated for at
3255 * least every second packet (not every second DATA chunk)
3256 * received, and SHOULD be generated within 200 ms of the
3257 * arrival of any unacknowledged DATA chunk. In some
3258 * situations it may be beneficial for an SCTP transmitter to
3259 * be more conservative than the algorithms detailed in this
3260 * document allow. However, an SCTP transmitter MUST NOT be
3261 * more aggressive than the following algorithms allow.
3262 */
3263 if (chunk->end_of_packet)
3264 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3265
3266 return SCTP_DISPOSITION_CONSUME;
3267
3268 discard_force:
3269 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3270 *
3271 * When a packet arrives with duplicate DATA chunk(s) and with
3272 * no new DATA chunk(s), the endpoint MUST immediately send a
3273 * SACK with no delay. If a packet arrives with duplicate
3274 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3275 * MAY immediately send a SACK. Normally receipt of duplicate
3276 * DATA chunks will occur when the original SACK chunk was lost
3277 * and the peer's RTO has expired. The duplicate TSN number(s)
3278 * SHOULD be reported in the SACK as duplicate.
3279 */
3280 /* In our case, we split the MAY SACK advice up whether or not
3281 * the last chunk is a duplicate.'
3282 */
3283 if (chunk->end_of_packet)
3284 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3285 return SCTP_DISPOSITION_DISCARD;
3286
3287 discard_noforce:
3288 if (chunk->end_of_packet)
3289 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3290
3291 return SCTP_DISPOSITION_DISCARD;
3292 }
3293
3294 /*
3295 * sctp_sf_eat_data_fast_4_4
3296 *
3297 * Section: 4 (4)
3298 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3299 * DATA chunks without delay.
3300 *
3301 * Verification Tag: 8.5 Verification Tag [Normal verification]
3302 * Inputs
3303 * (endpoint, asoc, chunk)
3304 *
3305 * Outputs
3306 * (asoc, reply_msg, msg_up, timers, counters)
3307 *
3308 * The return value is the disposition of the chunk.
3309 */
sctp_sf_eat_data_fast_4_4(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3310 enum sctp_disposition sctp_sf_eat_data_fast_4_4(
3311 struct net *net,
3312 const struct sctp_endpoint *ep,
3313 const struct sctp_association *asoc,
3314 const union sctp_subtype type,
3315 void *arg,
3316 struct sctp_cmd_seq *commands)
3317 {
3318 struct sctp_chunk *chunk = arg;
3319 int error;
3320
3321 if (!sctp_vtag_verify(chunk, asoc)) {
3322 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3323 SCTP_NULL());
3324 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3325 }
3326
3327 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3328 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3329 commands);
3330
3331 error = sctp_eat_data(asoc, chunk, commands);
3332 switch (error) {
3333 case SCTP_IERROR_NO_ERROR:
3334 case SCTP_IERROR_HIGH_TSN:
3335 case SCTP_IERROR_DUP_TSN:
3336 case SCTP_IERROR_IGNORE_TSN:
3337 case SCTP_IERROR_BAD_STREAM:
3338 break;
3339 case SCTP_IERROR_NO_DATA:
3340 return SCTP_DISPOSITION_ABORT;
3341 case SCTP_IERROR_PROTO_VIOLATION:
3342 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3343 (u8 *)chunk->subh.data_hdr,
3344 sctp_datahdr_len(&asoc->stream));
3345 default:
3346 BUG();
3347 }
3348
3349 /* Go a head and force a SACK, since we are shutting down. */
3350
3351 /* Implementor's Guide.
3352 *
3353 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3354 * respond to each received packet containing one or more DATA chunk(s)
3355 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3356 */
3357 if (chunk->end_of_packet) {
3358 /* We must delay the chunk creation since the cumulative
3359 * TSN has not been updated yet.
3360 */
3361 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3362 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3363 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3364 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3365 }
3366
3367 return SCTP_DISPOSITION_CONSUME;
3368 }
3369
3370 /*
3371 * Section: 6.2 Processing a Received SACK
3372 * D) Any time a SACK arrives, the endpoint performs the following:
3373 *
3374 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3375 * then drop the SACK. Since Cumulative TSN Ack is monotonically
3376 * increasing, a SACK whose Cumulative TSN Ack is less than the
3377 * Cumulative TSN Ack Point indicates an out-of-order SACK.
3378 *
3379 * ii) Set rwnd equal to the newly received a_rwnd minus the number
3380 * of bytes still outstanding after processing the Cumulative TSN Ack
3381 * and the Gap Ack Blocks.
3382 *
3383 * iii) If the SACK is missing a TSN that was previously
3384 * acknowledged via a Gap Ack Block (e.g., the data receiver
3385 * reneged on the data), then mark the corresponding DATA chunk
3386 * as available for retransmit: Mark it as missing for fast
3387 * retransmit as described in Section 7.2.4 and if no retransmit
3388 * timer is running for the destination address to which the DATA
3389 * chunk was originally transmitted, then T3-rtx is started for
3390 * that destination address.
3391 *
3392 * Verification Tag: 8.5 Verification Tag [Normal verification]
3393 *
3394 * Inputs
3395 * (endpoint, asoc, chunk)
3396 *
3397 * Outputs
3398 * (asoc, reply_msg, msg_up, timers, counters)
3399 *
3400 * The return value is the disposition of the chunk.
3401 */
sctp_sf_eat_sack_6_2(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3402 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net,
3403 const struct sctp_endpoint *ep,
3404 const struct sctp_association *asoc,
3405 const union sctp_subtype type,
3406 void *arg,
3407 struct sctp_cmd_seq *commands)
3408 {
3409 struct sctp_chunk *chunk = arg;
3410 struct sctp_sackhdr *sackh;
3411 __u32 ctsn;
3412
3413 if (!sctp_vtag_verify(chunk, asoc))
3414 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3415
3416 /* Make sure that the SACK chunk has a valid length. */
3417 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
3418 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3419 commands);
3420
3421 /* Pull the SACK chunk from the data buffer */
3422 sackh = sctp_sm_pull_sack(chunk);
3423 /* Was this a bogus SACK? */
3424 if (!sackh)
3425 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3426 chunk->subh.sack_hdr = sackh;
3427 ctsn = ntohl(sackh->cum_tsn_ack);
3428
3429 /* If Cumulative TSN Ack beyond the max tsn currently
3430 * send, terminating the association and respond to the
3431 * sender with an ABORT.
3432 */
3433 if (TSN_lte(asoc->next_tsn, ctsn))
3434 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3435
3436 trace_sctp_probe(ep, asoc, chunk);
3437
3438 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3439 * Ack Point, then drop the SACK. Since Cumulative TSN
3440 * Ack is monotonically increasing, a SACK whose
3441 * Cumulative TSN Ack is less than the Cumulative TSN Ack
3442 * Point indicates an out-of-order SACK.
3443 */
3444 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3445 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3446 asoc->ctsn_ack_point);
3447
3448 return SCTP_DISPOSITION_DISCARD;
3449 }
3450
3451 /* Return this SACK for further processing. */
3452 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3453
3454 /* Note: We do the rest of the work on the PROCESS_SACK
3455 * sideeffect.
3456 */
3457 return SCTP_DISPOSITION_CONSUME;
3458 }
3459
3460 /*
3461 * Generate an ABORT in response to a packet.
3462 *
3463 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3464 *
3465 * 8) The receiver should respond to the sender of the OOTB packet with
3466 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3467 * MUST fill in the Verification Tag field of the outbound packet
3468 * with the value found in the Verification Tag field of the OOTB
3469 * packet and set the T-bit in the Chunk Flags to indicate that the
3470 * Verification Tag is reflected. After sending this ABORT, the
3471 * receiver of the OOTB packet shall discard the OOTB packet and take
3472 * no further action.
3473 *
3474 * Verification Tag:
3475 *
3476 * The return value is the disposition of the chunk.
3477 */
sctp_sf_tabort_8_4_8(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3478 static enum sctp_disposition sctp_sf_tabort_8_4_8(
3479 struct net *net,
3480 const struct sctp_endpoint *ep,
3481 const struct sctp_association *asoc,
3482 const union sctp_subtype type,
3483 void *arg,
3484 struct sctp_cmd_seq *commands)
3485 {
3486 struct sctp_packet *packet = NULL;
3487 struct sctp_chunk *chunk = arg;
3488 struct sctp_chunk *abort;
3489
3490 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3491 if (!packet)
3492 return SCTP_DISPOSITION_NOMEM;
3493
3494 /* Make an ABORT. The T bit will be set if the asoc
3495 * is NULL.
3496 */
3497 abort = sctp_make_abort(asoc, chunk, 0);
3498 if (!abort) {
3499 sctp_ootb_pkt_free(packet);
3500 return SCTP_DISPOSITION_NOMEM;
3501 }
3502
3503 /* Reflect vtag if T-Bit is set */
3504 if (sctp_test_T_bit(abort))
3505 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3506
3507 /* Set the skb to the belonging sock for accounting. */
3508 abort->skb->sk = ep->base.sk;
3509
3510 sctp_packet_append_chunk(packet, abort);
3511
3512 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet));
3513
3514 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3515
3516 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3517 return SCTP_DISPOSITION_CONSUME;
3518 }
3519
3520 /* Handling of SCTP Packets Containing an INIT Chunk Matching an
3521 * Existing Associations when the UDP encap port is incorrect.
3522 *
3523 * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03.
3524 */
sctp_sf_new_encap_port(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3525 static enum sctp_disposition sctp_sf_new_encap_port(
3526 struct net *net,
3527 const struct sctp_endpoint *ep,
3528 const struct sctp_association *asoc,
3529 const union sctp_subtype type,
3530 void *arg,
3531 struct sctp_cmd_seq *commands)
3532 {
3533 struct sctp_packet *packet = NULL;
3534 struct sctp_chunk *chunk = arg;
3535 struct sctp_chunk *abort;
3536
3537 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3538 if (!packet)
3539 return SCTP_DISPOSITION_NOMEM;
3540
3541 abort = sctp_make_new_encap_port(asoc, chunk);
3542 if (!abort) {
3543 sctp_ootb_pkt_free(packet);
3544 return SCTP_DISPOSITION_NOMEM;
3545 }
3546
3547 abort->skb->sk = ep->base.sk;
3548
3549 sctp_packet_append_chunk(packet, abort);
3550
3551 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3552 SCTP_PACKET(packet));
3553
3554 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3555
3556 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3557 return SCTP_DISPOSITION_CONSUME;
3558 }
3559
3560 /*
3561 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3562 * event as ULP notification for each cause included in the chunk.
3563 *
3564 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3565 *
3566 * The return value is the disposition of the chunk.
3567 */
sctp_sf_operr_notify(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3568 enum sctp_disposition sctp_sf_operr_notify(struct net *net,
3569 const struct sctp_endpoint *ep,
3570 const struct sctp_association *asoc,
3571 const union sctp_subtype type,
3572 void *arg,
3573 struct sctp_cmd_seq *commands)
3574 {
3575 struct sctp_chunk *chunk = arg;
3576 struct sctp_errhdr *err;
3577
3578 if (!sctp_vtag_verify(chunk, asoc))
3579 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3580
3581 /* Make sure that the ERROR chunk has a valid length. */
3582 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
3583 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3584 commands);
3585 sctp_walk_errors(err, chunk->chunk_hdr);
3586 if ((void *)err != (void *)chunk->chunk_end)
3587 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3588 (void *)err, commands);
3589
3590 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3591 SCTP_CHUNK(chunk));
3592
3593 return SCTP_DISPOSITION_CONSUME;
3594 }
3595
3596 /*
3597 * Process an inbound SHUTDOWN ACK.
3598 *
3599 * From Section 9.2:
3600 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3601 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3602 * peer, and remove all record of the association.
3603 *
3604 * The return value is the disposition.
3605 */
sctp_sf_do_9_2_final(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3606 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
3607 const struct sctp_endpoint *ep,
3608 const struct sctp_association *asoc,
3609 const union sctp_subtype type,
3610 void *arg,
3611 struct sctp_cmd_seq *commands)
3612 {
3613 struct sctp_chunk *chunk = arg;
3614 struct sctp_chunk *reply;
3615 struct sctp_ulpevent *ev;
3616
3617 if (!sctp_vtag_verify(chunk, asoc))
3618 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3619
3620 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3621 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3622 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3623 commands);
3624 /* 10.2 H) SHUTDOWN COMPLETE notification
3625 *
3626 * When SCTP completes the shutdown procedures (section 9.2) this
3627 * notification is passed to the upper layer.
3628 */
3629 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3630 0, 0, 0, NULL, GFP_ATOMIC);
3631 if (!ev)
3632 goto nomem;
3633
3634 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3635 reply = sctp_make_shutdown_complete(asoc, chunk);
3636 if (!reply)
3637 goto nomem_chunk;
3638
3639 /* Do all the commands now (after allocation), so that we
3640 * have consistent state if memory allocation fails
3641 */
3642 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3643
3644 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3645 * stop the T2-shutdown timer,
3646 */
3647 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3648 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3649
3650 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3651 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3652
3653 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3654 SCTP_STATE(SCTP_STATE_CLOSED));
3655 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3656 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3657 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3658
3659 /* ...and remove all record of the association. */
3660 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3661 return SCTP_DISPOSITION_DELETE_TCB;
3662
3663 nomem_chunk:
3664 sctp_ulpevent_free(ev);
3665 nomem:
3666 return SCTP_DISPOSITION_NOMEM;
3667 }
3668
3669 /*
3670 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3671 *
3672 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3673 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3674 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3675 * packet must fill in the Verification Tag field of the outbound
3676 * packet with the Verification Tag received in the SHUTDOWN ACK and
3677 * set the T-bit in the Chunk Flags to indicate that the Verification
3678 * Tag is reflected.
3679 *
3680 * 8) The receiver should respond to the sender of the OOTB packet with
3681 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3682 * MUST fill in the Verification Tag field of the outbound packet
3683 * with the value found in the Verification Tag field of the OOTB
3684 * packet and set the T-bit in the Chunk Flags to indicate that the
3685 * Verification Tag is reflected. After sending this ABORT, the
3686 * receiver of the OOTB packet shall discard the OOTB packet and take
3687 * no further action.
3688 */
sctp_sf_ootb(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3689 enum sctp_disposition sctp_sf_ootb(struct net *net,
3690 const struct sctp_endpoint *ep,
3691 const struct sctp_association *asoc,
3692 const union sctp_subtype type,
3693 void *arg, struct sctp_cmd_seq *commands)
3694 {
3695 struct sctp_chunk *chunk = arg;
3696 struct sk_buff *skb = chunk->skb;
3697 struct sctp_chunkhdr *ch;
3698 struct sctp_errhdr *err;
3699 int ootb_cookie_ack = 0;
3700 int ootb_shut_ack = 0;
3701 __u8 *ch_end;
3702
3703 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3704
3705 if (asoc && !sctp_vtag_verify(chunk, asoc))
3706 asoc = NULL;
3707
3708 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
3709 do {
3710 /* Report violation if the chunk is less then minimal */
3711 if (ntohs(ch->length) < sizeof(*ch))
3712 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3713 commands);
3714
3715 /* Report violation if chunk len overflows */
3716 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3717 if (ch_end > skb_tail_pointer(skb))
3718 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3719 commands);
3720
3721 /* Now that we know we at least have a chunk header,
3722 * do things that are type appropriate.
3723 */
3724 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3725 ootb_shut_ack = 1;
3726
3727 /* RFC 2960, Section 3.3.7
3728 * Moreover, under any circumstances, an endpoint that
3729 * receives an ABORT MUST NOT respond to that ABORT by
3730 * sending an ABORT of its own.
3731 */
3732 if (SCTP_CID_ABORT == ch->type)
3733 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3734
3735 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3736 * or a COOKIE ACK the SCTP Packet should be silently
3737 * discarded.
3738 */
3739
3740 if (SCTP_CID_COOKIE_ACK == ch->type)
3741 ootb_cookie_ack = 1;
3742
3743 if (SCTP_CID_ERROR == ch->type) {
3744 sctp_walk_errors(err, ch) {
3745 if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3746 ootb_cookie_ack = 1;
3747 break;
3748 }
3749 }
3750 }
3751
3752 ch = (struct sctp_chunkhdr *)ch_end;
3753 } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
3754
3755 if (ootb_shut_ack)
3756 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3757 else if (ootb_cookie_ack)
3758 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3759 else
3760 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3761 }
3762
3763 /*
3764 * Handle an "Out of the blue" SHUTDOWN ACK.
3765 *
3766 * Section: 8.4 5, sctpimpguide 2.41.
3767 *
3768 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3769 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3770 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3771 * packet must fill in the Verification Tag field of the outbound
3772 * packet with the Verification Tag received in the SHUTDOWN ACK and
3773 * set the T-bit in the Chunk Flags to indicate that the Verification
3774 * Tag is reflected.
3775 *
3776 * Inputs
3777 * (endpoint, asoc, type, arg, commands)
3778 *
3779 * Outputs
3780 * (enum sctp_disposition)
3781 *
3782 * The return value is the disposition of the chunk.
3783 */
sctp_sf_shut_8_4_5(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3784 static enum sctp_disposition sctp_sf_shut_8_4_5(
3785 struct net *net,
3786 const struct sctp_endpoint *ep,
3787 const struct sctp_association *asoc,
3788 const union sctp_subtype type,
3789 void *arg,
3790 struct sctp_cmd_seq *commands)
3791 {
3792 struct sctp_packet *packet = NULL;
3793 struct sctp_chunk *chunk = arg;
3794 struct sctp_chunk *shut;
3795
3796 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3797 if (!packet)
3798 return SCTP_DISPOSITION_NOMEM;
3799
3800 /* Make an SHUTDOWN_COMPLETE.
3801 * The T bit will be set if the asoc is NULL.
3802 */
3803 shut = sctp_make_shutdown_complete(asoc, chunk);
3804 if (!shut) {
3805 sctp_ootb_pkt_free(packet);
3806 return SCTP_DISPOSITION_NOMEM;
3807 }
3808
3809 /* Reflect vtag if T-Bit is set */
3810 if (sctp_test_T_bit(shut))
3811 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3812
3813 /* Set the skb to the belonging sock for accounting. */
3814 shut->skb->sk = ep->base.sk;
3815
3816 sctp_packet_append_chunk(packet, shut);
3817
3818 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3819 SCTP_PACKET(packet));
3820
3821 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3822
3823 /* We need to discard the rest of the packet to prevent
3824 * potential boomming attacks from additional bundled chunks.
3825 * This is documented in SCTP Threats ID.
3826 */
3827 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3828 }
3829
3830 /*
3831 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3832 *
3833 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3834 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3835 * procedures in section 8.4 SHOULD be followed, in other words it
3836 * should be treated as an Out Of The Blue packet.
3837 * [This means that we do NOT check the Verification Tag on these
3838 * chunks. --piggy ]
3839 *
3840 */
sctp_sf_do_8_5_1_E_sa(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3841 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
3842 const struct sctp_endpoint *ep,
3843 const struct sctp_association *asoc,
3844 const union sctp_subtype type,
3845 void *arg,
3846 struct sctp_cmd_seq *commands)
3847 {
3848 struct sctp_chunk *chunk = arg;
3849
3850 if (!sctp_vtag_verify(chunk, asoc))
3851 asoc = NULL;
3852
3853 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3854 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3855 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3856 commands);
3857
3858 /* Although we do have an association in this case, it corresponds
3859 * to a restarted association. So the packet is treated as an OOTB
3860 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3861 * called with a NULL association.
3862 */
3863 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3864
3865 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3866 }
3867
3868 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
sctp_sf_do_asconf(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)3869 enum sctp_disposition sctp_sf_do_asconf(struct net *net,
3870 const struct sctp_endpoint *ep,
3871 const struct sctp_association *asoc,
3872 const union sctp_subtype type,
3873 void *arg,
3874 struct sctp_cmd_seq *commands)
3875 {
3876 struct sctp_paramhdr *err_param = NULL;
3877 struct sctp_chunk *asconf_ack = NULL;
3878 struct sctp_chunk *chunk = arg;
3879 struct sctp_addiphdr *hdr;
3880 __u32 serial;
3881
3882 if (!sctp_vtag_verify(chunk, asoc)) {
3883 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3884 SCTP_NULL());
3885 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3886 }
3887
3888 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3889 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
3890 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3891 commands);
3892
3893 /* ADD-IP: Section 4.1.1
3894 * This chunk MUST be sent in an authenticated way by using
3895 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3896 * is received unauthenticated it MUST be silently discarded as
3897 * described in [I-D.ietf-tsvwg-sctp-auth].
3898 */
3899 if (!asoc->peer.asconf_capable ||
3900 (!net->sctp.addip_noauth && !chunk->auth))
3901 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3902
3903 hdr = (struct sctp_addiphdr *)chunk->skb->data;
3904 serial = ntohl(hdr->serial);
3905
3906 /* Verify the ASCONF chunk before processing it. */
3907 if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3908 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3909 (void *)err_param, commands);
3910
3911 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3912 * the endpoint stored in a new association variable
3913 * 'Peer-Serial-Number'.
3914 */
3915 if (serial == asoc->peer.addip_serial + 1) {
3916 /* If this is the first instance of ASCONF in the packet,
3917 * we can clean our old ASCONF-ACKs.
3918 */
3919 if (!chunk->has_asconf)
3920 sctp_assoc_clean_asconf_ack_cache(asoc);
3921
3922 /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3923 * expected, process the ASCONF as described below and after
3924 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3925 * the response packet and cache a copy of it (in the event it
3926 * later needs to be retransmitted).
3927 *
3928 * Essentially, do V1-V5.
3929 */
3930 asconf_ack = sctp_process_asconf((struct sctp_association *)
3931 asoc, chunk);
3932 if (!asconf_ack)
3933 return SCTP_DISPOSITION_NOMEM;
3934 } else if (serial < asoc->peer.addip_serial + 1) {
3935 /* ADDIP 5.2 E2)
3936 * If the value found in the Sequence Number is less than the
3937 * ('Peer- Sequence-Number' + 1), simply skip to the next
3938 * ASCONF, and include in the outbound response packet
3939 * any previously cached ASCONF-ACK response that was
3940 * sent and saved that matches the Sequence Number of the
3941 * ASCONF. Note: It is possible that no cached ASCONF-ACK
3942 * Chunk exists. This will occur when an older ASCONF
3943 * arrives out of order. In such a case, the receiver
3944 * should skip the ASCONF Chunk and not include ASCONF-ACK
3945 * Chunk for that chunk.
3946 */
3947 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3948 if (!asconf_ack)
3949 return SCTP_DISPOSITION_DISCARD;
3950
3951 /* Reset the transport so that we select the correct one
3952 * this time around. This is to make sure that we don't
3953 * accidentally use a stale transport that's been removed.
3954 */
3955 asconf_ack->transport = NULL;
3956 } else {
3957 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3958 * it must be either a stale packet or from an attacker.
3959 */
3960 return SCTP_DISPOSITION_DISCARD;
3961 }
3962
3963 /* ADDIP 5.2 E6) The destination address of the SCTP packet
3964 * containing the ASCONF-ACK Chunks MUST be the source address of
3965 * the SCTP packet that held the ASCONF Chunks.
3966 *
3967 * To do this properly, we'll set the destination address of the chunk
3968 * and at the transmit time, will try look up the transport to use.
3969 * Since ASCONFs may be bundled, the correct transport may not be
3970 * created until we process the entire packet, thus this workaround.
3971 */
3972 asconf_ack->dest = chunk->source;
3973 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3974 if (asoc->new_transport) {
3975 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3976 ((struct sctp_association *)asoc)->new_transport = NULL;
3977 }
3978
3979 return SCTP_DISPOSITION_CONSUME;
3980 }
3981
sctp_send_next_asconf(struct net * net,const struct sctp_endpoint * ep,struct sctp_association * asoc,const union sctp_subtype type,struct sctp_cmd_seq * commands)3982 static enum sctp_disposition sctp_send_next_asconf(
3983 struct net *net,
3984 const struct sctp_endpoint *ep,
3985 struct sctp_association *asoc,
3986 const union sctp_subtype type,
3987 struct sctp_cmd_seq *commands)
3988 {
3989 struct sctp_chunk *asconf;
3990 struct list_head *entry;
3991
3992 if (list_empty(&asoc->addip_chunk_list))
3993 return SCTP_DISPOSITION_CONSUME;
3994
3995 entry = asoc->addip_chunk_list.next;
3996 asconf = list_entry(entry, struct sctp_chunk, list);
3997
3998 list_del_init(entry);
3999 sctp_chunk_hold(asconf);
4000 asoc->addip_last_asconf = asconf;
4001
4002 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands);
4003 }
4004
4005 /*
4006 * ADDIP Section 4.3 General rules for address manipulation
4007 * When building TLV parameters for the ASCONF Chunk that will add or
4008 * delete IP addresses the D0 to D13 rules should be applied:
4009 */
sctp_sf_do_asconf_ack(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4010 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
4011 const struct sctp_endpoint *ep,
4012 const struct sctp_association *asoc,
4013 const union sctp_subtype type,
4014 void *arg,
4015 struct sctp_cmd_seq *commands)
4016 {
4017 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
4018 struct sctp_paramhdr *err_param = NULL;
4019 struct sctp_chunk *asconf_ack = arg;
4020 struct sctp_addiphdr *addip_hdr;
4021 __u32 sent_serial, rcvd_serial;
4022 struct sctp_chunk *abort;
4023
4024 if (!sctp_vtag_verify(asconf_ack, asoc)) {
4025 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4026 SCTP_NULL());
4027 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4028 }
4029
4030 /* Make sure that the ADDIP chunk has a valid length. */
4031 if (!sctp_chunk_length_valid(asconf_ack,
4032 sizeof(struct sctp_addip_chunk)))
4033 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4034 commands);
4035
4036 /* ADD-IP, Section 4.1.2:
4037 * This chunk MUST be sent in an authenticated way by using
4038 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
4039 * is received unauthenticated it MUST be silently discarded as
4040 * described in [I-D.ietf-tsvwg-sctp-auth].
4041 */
4042 if (!asoc->peer.asconf_capable ||
4043 (!net->sctp.addip_noauth && !asconf_ack->auth))
4044 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4045
4046 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
4047 rcvd_serial = ntohl(addip_hdr->serial);
4048
4049 /* Verify the ASCONF-ACK chunk before processing it. */
4050 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
4051 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4052 (void *)err_param, commands);
4053
4054 if (last_asconf) {
4055 addip_hdr = last_asconf->subh.addip_hdr;
4056 sent_serial = ntohl(addip_hdr->serial);
4057 } else {
4058 sent_serial = asoc->addip_serial - 1;
4059 }
4060
4061 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
4062 * equal to the next serial number to be used but no ASCONF chunk is
4063 * outstanding the endpoint MUST ABORT the association. Note that a
4064 * sequence number is greater than if it is no more than 2^^31-1
4065 * larger than the current sequence number (using serial arithmetic).
4066 */
4067 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
4068 !(asoc->addip_last_asconf)) {
4069 abort = sctp_make_abort(asoc, asconf_ack,
4070 sizeof(struct sctp_errhdr));
4071 if (abort) {
4072 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
4073 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4074 SCTP_CHUNK(abort));
4075 }
4076 /* We are going to ABORT, so we might as well stop
4077 * processing the rest of the chunks in the packet.
4078 */
4079 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4080 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4081 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4082 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4083 SCTP_ERROR(ECONNABORTED));
4084 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4085 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4086 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4087 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4088 return SCTP_DISPOSITION_ABORT;
4089 }
4090
4091 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
4092 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4093 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4094
4095 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
4096 asconf_ack))
4097 return sctp_send_next_asconf(net, ep,
4098 (struct sctp_association *)asoc,
4099 type, commands);
4100
4101 abort = sctp_make_abort(asoc, asconf_ack,
4102 sizeof(struct sctp_errhdr));
4103 if (abort) {
4104 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
4105 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4106 SCTP_CHUNK(abort));
4107 }
4108 /* We are going to ABORT, so we might as well stop
4109 * processing the rest of the chunks in the packet.
4110 */
4111 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4112 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4113 SCTP_ERROR(ECONNABORTED));
4114 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4115 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4116 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4117 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4118 return SCTP_DISPOSITION_ABORT;
4119 }
4120
4121 return SCTP_DISPOSITION_DISCARD;
4122 }
4123
4124 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */
sctp_sf_do_reconf(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4125 enum sctp_disposition sctp_sf_do_reconf(struct net *net,
4126 const struct sctp_endpoint *ep,
4127 const struct sctp_association *asoc,
4128 const union sctp_subtype type,
4129 void *arg,
4130 struct sctp_cmd_seq *commands)
4131 {
4132 struct sctp_paramhdr *err_param = NULL;
4133 struct sctp_chunk *chunk = arg;
4134 struct sctp_reconf_chunk *hdr;
4135 union sctp_params param;
4136
4137 if (!sctp_vtag_verify(chunk, asoc)) {
4138 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4139 SCTP_NULL());
4140 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4141 }
4142
4143 /* Make sure that the RECONF chunk has a valid length. */
4144 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
4145 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4146 commands);
4147
4148 if (!sctp_verify_reconf(asoc, chunk, &err_param))
4149 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4150 (void *)err_param, commands);
4151
4152 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
4153 sctp_walk_params(param, hdr) {
4154 struct sctp_chunk *reply = NULL;
4155 struct sctp_ulpevent *ev = NULL;
4156
4157 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST)
4158 reply = sctp_process_strreset_outreq(
4159 (struct sctp_association *)asoc, param, &ev);
4160 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
4161 reply = sctp_process_strreset_inreq(
4162 (struct sctp_association *)asoc, param, &ev);
4163 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
4164 reply = sctp_process_strreset_tsnreq(
4165 (struct sctp_association *)asoc, param, &ev);
4166 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS)
4167 reply = sctp_process_strreset_addstrm_out(
4168 (struct sctp_association *)asoc, param, &ev);
4169 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS)
4170 reply = sctp_process_strreset_addstrm_in(
4171 (struct sctp_association *)asoc, param, &ev);
4172 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE)
4173 reply = sctp_process_strreset_resp(
4174 (struct sctp_association *)asoc, param, &ev);
4175
4176 if (ev)
4177 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4178 SCTP_ULPEVENT(ev));
4179
4180 if (reply)
4181 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4182 SCTP_CHUNK(reply));
4183 }
4184
4185 return SCTP_DISPOSITION_CONSUME;
4186 }
4187
4188 /*
4189 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
4190 *
4191 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
4192 * its cumulative TSN point to the value carried in the FORWARD TSN
4193 * chunk, and then MUST further advance its cumulative TSN point locally
4194 * if possible.
4195 * After the above processing, the data receiver MUST stop reporting any
4196 * missing TSNs earlier than or equal to the new cumulative TSN point.
4197 *
4198 * Verification Tag: 8.5 Verification Tag [Normal verification]
4199 *
4200 * The return value is the disposition of the chunk.
4201 */
sctp_sf_eat_fwd_tsn(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4202 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net,
4203 const struct sctp_endpoint *ep,
4204 const struct sctp_association *asoc,
4205 const union sctp_subtype type,
4206 void *arg,
4207 struct sctp_cmd_seq *commands)
4208 {
4209 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4210 struct sctp_chunk *chunk = arg;
4211 __u16 len;
4212 __u32 tsn;
4213
4214 if (!sctp_vtag_verify(chunk, asoc)) {
4215 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4216 SCTP_NULL());
4217 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4218 }
4219
4220 if (!asoc->peer.prsctp_capable)
4221 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4222
4223 /* Make sure that the FORWARD_TSN chunk has valid length. */
4224 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4225 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4226 commands);
4227
4228 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4229 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4230 len = ntohs(chunk->chunk_hdr->length);
4231 len -= sizeof(struct sctp_chunkhdr);
4232 skb_pull(chunk->skb, len);
4233
4234 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4235 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4236
4237 /* The TSN is too high--silently discard the chunk and count on it
4238 * getting retransmitted later.
4239 */
4240 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4241 goto discard_noforce;
4242
4243 if (!asoc->stream.si->validate_ftsn(chunk))
4244 goto discard_noforce;
4245
4246 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4247 if (len > sctp_ftsnhdr_len(&asoc->stream))
4248 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4249 SCTP_CHUNK(chunk));
4250
4251 /* Count this as receiving DATA. */
4252 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
4253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4254 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4255 }
4256
4257 /* FIXME: For now send a SACK, but DATA processing may
4258 * send another.
4259 */
4260 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
4261
4262 return SCTP_DISPOSITION_CONSUME;
4263
4264 discard_noforce:
4265 return SCTP_DISPOSITION_DISCARD;
4266 }
4267
sctp_sf_eat_fwd_tsn_fast(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4268 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
4269 struct net *net,
4270 const struct sctp_endpoint *ep,
4271 const struct sctp_association *asoc,
4272 const union sctp_subtype type,
4273 void *arg,
4274 struct sctp_cmd_seq *commands)
4275 {
4276 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4277 struct sctp_chunk *chunk = arg;
4278 __u16 len;
4279 __u32 tsn;
4280
4281 if (!sctp_vtag_verify(chunk, asoc)) {
4282 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4283 SCTP_NULL());
4284 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4285 }
4286
4287 if (!asoc->peer.prsctp_capable)
4288 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4289
4290 /* Make sure that the FORWARD_TSN chunk has a valid length. */
4291 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4292 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4293 commands);
4294
4295 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4296 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4297 len = ntohs(chunk->chunk_hdr->length);
4298 len -= sizeof(struct sctp_chunkhdr);
4299 skb_pull(chunk->skb, len);
4300
4301 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4302 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4303
4304 /* The TSN is too high--silently discard the chunk and count on it
4305 * getting retransmitted later.
4306 */
4307 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4308 goto gen_shutdown;
4309
4310 if (!asoc->stream.si->validate_ftsn(chunk))
4311 goto gen_shutdown;
4312
4313 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4314 if (len > sctp_ftsnhdr_len(&asoc->stream))
4315 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4316 SCTP_CHUNK(chunk));
4317
4318 /* Go a head and force a SACK, since we are shutting down. */
4319 gen_shutdown:
4320 /* Implementor's Guide.
4321 *
4322 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
4323 * respond to each received packet containing one or more DATA chunk(s)
4324 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
4325 */
4326 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
4327 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4328 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4329 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4330
4331 return SCTP_DISPOSITION_CONSUME;
4332 }
4333
4334 /*
4335 * SCTP-AUTH Section 6.3 Receiving authenticated chunks
4336 *
4337 * The receiver MUST use the HMAC algorithm indicated in the HMAC
4338 * Identifier field. If this algorithm was not specified by the
4339 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
4340 * during association setup, the AUTH chunk and all chunks after it MUST
4341 * be discarded and an ERROR chunk SHOULD be sent with the error cause
4342 * defined in Section 4.1.
4343 *
4344 * If an endpoint with no shared key receives a Shared Key Identifier
4345 * other than 0, it MUST silently discard all authenticated chunks. If
4346 * the endpoint has at least one endpoint pair shared key for the peer,
4347 * it MUST use the key specified by the Shared Key Identifier if a
4348 * key has been configured for that Shared Key Identifier. If no
4349 * endpoint pair shared key has been configured for that Shared Key
4350 * Identifier, all authenticated chunks MUST be silently discarded.
4351 *
4352 * Verification Tag: 8.5 Verification Tag [Normal verification]
4353 *
4354 * The return value is the disposition of the chunk.
4355 */
sctp_sf_authenticate(const struct sctp_association * asoc,struct sctp_chunk * chunk)4356 static enum sctp_ierror sctp_sf_authenticate(
4357 const struct sctp_association *asoc,
4358 struct sctp_chunk *chunk)
4359 {
4360 struct sctp_shared_key *sh_key = NULL;
4361 struct sctp_authhdr *auth_hdr;
4362 __u8 *save_digest, *digest;
4363 struct sctp_hmac *hmac;
4364 unsigned int sig_len;
4365 __u16 key_id;
4366
4367 /* Pull in the auth header, so we can do some more verification */
4368 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4369 chunk->subh.auth_hdr = auth_hdr;
4370 skb_pull(chunk->skb, sizeof(*auth_hdr));
4371
4372 /* Make sure that we support the HMAC algorithm from the auth
4373 * chunk.
4374 */
4375 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4376 return SCTP_IERROR_AUTH_BAD_HMAC;
4377
4378 /* Make sure that the provided shared key identifier has been
4379 * configured
4380 */
4381 key_id = ntohs(auth_hdr->shkey_id);
4382 if (key_id != asoc->active_key_id) {
4383 sh_key = sctp_auth_get_shkey(asoc, key_id);
4384 if (!sh_key)
4385 return SCTP_IERROR_AUTH_BAD_KEYID;
4386 }
4387
4388 /* Make sure that the length of the signature matches what
4389 * we expect.
4390 */
4391 sig_len = ntohs(chunk->chunk_hdr->length) -
4392 sizeof(struct sctp_auth_chunk);
4393 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4394 if (sig_len != hmac->hmac_len)
4395 return SCTP_IERROR_PROTO_VIOLATION;
4396
4397 /* Now that we've done validation checks, we can compute and
4398 * verify the hmac. The steps involved are:
4399 * 1. Save the digest from the chunk.
4400 * 2. Zero out the digest in the chunk.
4401 * 3. Compute the new digest
4402 * 4. Compare saved and new digests.
4403 */
4404 digest = (u8 *)(auth_hdr + 1);
4405 skb_pull(chunk->skb, sig_len);
4406
4407 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4408 if (!save_digest)
4409 goto nomem;
4410
4411 memset(digest, 0, sig_len);
4412
4413 sctp_auth_calculate_hmac(asoc, chunk->skb,
4414 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4415 sh_key, GFP_ATOMIC);
4416
4417 /* Discard the packet if the digests do not match */
4418 if (memcmp(save_digest, digest, sig_len)) {
4419 kfree(save_digest);
4420 return SCTP_IERROR_BAD_SIG;
4421 }
4422
4423 kfree(save_digest);
4424 chunk->auth = 1;
4425
4426 return SCTP_IERROR_NO_ERROR;
4427 nomem:
4428 return SCTP_IERROR_NOMEM;
4429 }
4430
sctp_sf_eat_auth(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4431 enum sctp_disposition sctp_sf_eat_auth(struct net *net,
4432 const struct sctp_endpoint *ep,
4433 const struct sctp_association *asoc,
4434 const union sctp_subtype type,
4435 void *arg, struct sctp_cmd_seq *commands)
4436 {
4437 struct sctp_chunk *chunk = arg;
4438 struct sctp_authhdr *auth_hdr;
4439 struct sctp_chunk *err_chunk;
4440 enum sctp_ierror error;
4441
4442 /* Make sure that the peer has AUTH capable */
4443 if (!asoc->peer.auth_capable)
4444 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4445
4446 if (!sctp_vtag_verify(chunk, asoc)) {
4447 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4448 SCTP_NULL());
4449 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4450 }
4451
4452 /* Make sure that the AUTH chunk has valid length. */
4453 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4454 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4455 commands);
4456
4457 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4458 error = sctp_sf_authenticate(asoc, chunk);
4459 switch (error) {
4460 case SCTP_IERROR_AUTH_BAD_HMAC:
4461 /* Generate the ERROR chunk and discard the rest
4462 * of the packet
4463 */
4464 err_chunk = sctp_make_op_error(asoc, chunk,
4465 SCTP_ERROR_UNSUP_HMAC,
4466 &auth_hdr->hmac_id,
4467 sizeof(__u16), 0);
4468 if (err_chunk) {
4469 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4470 SCTP_CHUNK(err_chunk));
4471 }
4472 fallthrough;
4473 case SCTP_IERROR_AUTH_BAD_KEYID:
4474 case SCTP_IERROR_BAD_SIG:
4475 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4476
4477 case SCTP_IERROR_PROTO_VIOLATION:
4478 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4479 commands);
4480
4481 case SCTP_IERROR_NOMEM:
4482 return SCTP_DISPOSITION_NOMEM;
4483
4484 default: /* Prevent gcc warnings */
4485 break;
4486 }
4487
4488 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4489 struct sctp_ulpevent *ev;
4490
4491 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4492 SCTP_AUTH_NEW_KEY, GFP_ATOMIC);
4493
4494 if (!ev)
4495 return SCTP_DISPOSITION_NOMEM;
4496
4497 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4498 SCTP_ULPEVENT(ev));
4499 }
4500
4501 return SCTP_DISPOSITION_CONSUME;
4502 }
4503
4504 /*
4505 * Process an unknown chunk.
4506 *
4507 * Section: 3.2. Also, 2.1 in the implementor's guide.
4508 *
4509 * Chunk Types are encoded such that the highest-order two bits specify
4510 * the action that must be taken if the processing endpoint does not
4511 * recognize the Chunk Type.
4512 *
4513 * 00 - Stop processing this SCTP packet and discard it, do not process
4514 * any further chunks within it.
4515 *
4516 * 01 - Stop processing this SCTP packet and discard it, do not process
4517 * any further chunks within it, and report the unrecognized
4518 * chunk in an 'Unrecognized Chunk Type'.
4519 *
4520 * 10 - Skip this chunk and continue processing.
4521 *
4522 * 11 - Skip this chunk and continue processing, but report in an ERROR
4523 * Chunk using the 'Unrecognized Chunk Type' cause of error.
4524 *
4525 * The return value is the disposition of the chunk.
4526 */
sctp_sf_unk_chunk(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4527 enum sctp_disposition sctp_sf_unk_chunk(struct net *net,
4528 const struct sctp_endpoint *ep,
4529 const struct sctp_association *asoc,
4530 const union sctp_subtype type,
4531 void *arg,
4532 struct sctp_cmd_seq *commands)
4533 {
4534 struct sctp_chunk *unk_chunk = arg;
4535 struct sctp_chunk *err_chunk;
4536 struct sctp_chunkhdr *hdr;
4537
4538 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);
4539
4540 if (!sctp_vtag_verify(unk_chunk, asoc))
4541 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4542
4543 /* Make sure that the chunk has a valid length.
4544 * Since we don't know the chunk type, we use a general
4545 * chunkhdr structure to make a comparison.
4546 */
4547 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr)))
4548 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4549 commands);
4550
4551 switch (type.chunk & SCTP_CID_ACTION_MASK) {
4552 case SCTP_CID_ACTION_DISCARD:
4553 /* Discard the packet. */
4554 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4555 case SCTP_CID_ACTION_DISCARD_ERR:
4556 /* Generate an ERROR chunk as response. */
4557 hdr = unk_chunk->chunk_hdr;
4558 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4559 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4560 SCTP_PAD4(ntohs(hdr->length)),
4561 0);
4562 if (err_chunk) {
4563 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4564 SCTP_CHUNK(err_chunk));
4565 }
4566
4567 /* Discard the packet. */
4568 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4569 return SCTP_DISPOSITION_CONSUME;
4570 case SCTP_CID_ACTION_SKIP:
4571 /* Skip the chunk. */
4572 return SCTP_DISPOSITION_DISCARD;
4573 case SCTP_CID_ACTION_SKIP_ERR:
4574 /* Generate an ERROR chunk as response. */
4575 hdr = unk_chunk->chunk_hdr;
4576 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4577 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4578 SCTP_PAD4(ntohs(hdr->length)),
4579 0);
4580 if (err_chunk) {
4581 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4582 SCTP_CHUNK(err_chunk));
4583 }
4584 /* Skip the chunk. */
4585 return SCTP_DISPOSITION_CONSUME;
4586 default:
4587 break;
4588 }
4589
4590 return SCTP_DISPOSITION_DISCARD;
4591 }
4592
4593 /*
4594 * Discard the chunk.
4595 *
4596 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4597 * [Too numerous to mention...]
4598 * Verification Tag: No verification needed.
4599 * Inputs
4600 * (endpoint, asoc, chunk)
4601 *
4602 * Outputs
4603 * (asoc, reply_msg, msg_up, timers, counters)
4604 *
4605 * The return value is the disposition of the chunk.
4606 */
sctp_sf_discard_chunk(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4607 enum sctp_disposition sctp_sf_discard_chunk(struct net *net,
4608 const struct sctp_endpoint *ep,
4609 const struct sctp_association *asoc,
4610 const union sctp_subtype type,
4611 void *arg,
4612 struct sctp_cmd_seq *commands)
4613 {
4614 struct sctp_chunk *chunk = arg;
4615
4616 if (asoc && !sctp_vtag_verify(chunk, asoc))
4617 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4618
4619 /* Make sure that the chunk has a valid length.
4620 * Since we don't know the chunk type, we use a general
4621 * chunkhdr structure to make a comparison.
4622 */
4623 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4624 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4625 commands);
4626
4627 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);
4628
4629 return SCTP_DISPOSITION_DISCARD;
4630 }
4631
4632 /*
4633 * Discard the whole packet.
4634 *
4635 * Section: 8.4 2)
4636 *
4637 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4638 * silently discard the OOTB packet and take no further action.
4639 *
4640 * Verification Tag: No verification necessary
4641 *
4642 * Inputs
4643 * (endpoint, asoc, chunk)
4644 *
4645 * Outputs
4646 * (asoc, reply_msg, msg_up, timers, counters)
4647 *
4648 * The return value is the disposition of the chunk.
4649 */
sctp_sf_pdiscard(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4650 enum sctp_disposition sctp_sf_pdiscard(struct net *net,
4651 const struct sctp_endpoint *ep,
4652 const struct sctp_association *asoc,
4653 const union sctp_subtype type,
4654 void *arg, struct sctp_cmd_seq *commands)
4655 {
4656 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4657 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4658
4659 return SCTP_DISPOSITION_CONSUME;
4660 }
4661
4662
4663 /*
4664 * The other end is violating protocol.
4665 *
4666 * Section: Not specified
4667 * Verification Tag: Not specified
4668 * Inputs
4669 * (endpoint, asoc, chunk)
4670 *
4671 * Outputs
4672 * (asoc, reply_msg, msg_up, timers, counters)
4673 *
4674 * We simply tag the chunk as a violation. The state machine will log
4675 * the violation and continue.
4676 */
sctp_sf_violation(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4677 enum sctp_disposition sctp_sf_violation(struct net *net,
4678 const struct sctp_endpoint *ep,
4679 const struct sctp_association *asoc,
4680 const union sctp_subtype type,
4681 void *arg,
4682 struct sctp_cmd_seq *commands)
4683 {
4684 struct sctp_chunk *chunk = arg;
4685
4686 if (!sctp_vtag_verify(chunk, asoc))
4687 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4688
4689 /* Make sure that the chunk has a valid length. */
4690 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4691 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4692 commands);
4693
4694 return SCTP_DISPOSITION_VIOLATION;
4695 }
4696
4697 /*
4698 * Common function to handle a protocol violation.
4699 */
sctp_sf_abort_violation(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,void * arg,struct sctp_cmd_seq * commands,const __u8 * payload,const size_t paylen)4700 static enum sctp_disposition sctp_sf_abort_violation(
4701 struct net *net,
4702 const struct sctp_endpoint *ep,
4703 const struct sctp_association *asoc,
4704 void *arg,
4705 struct sctp_cmd_seq *commands,
4706 const __u8 *payload,
4707 const size_t paylen)
4708 {
4709 struct sctp_packet *packet = NULL;
4710 struct sctp_chunk *chunk = arg;
4711 struct sctp_chunk *abort = NULL;
4712
4713 /* SCTP-AUTH, Section 6.3:
4714 * It should be noted that if the receiver wants to tear
4715 * down an association in an authenticated way only, the
4716 * handling of malformed packets should not result in
4717 * tearing down the association.
4718 *
4719 * This means that if we only want to abort associations
4720 * in an authenticated way (i.e AUTH+ABORT), then we
4721 * can't destroy this association just because the packet
4722 * was malformed.
4723 */
4724 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4725 goto discard;
4726
4727 /* Make the abort chunk. */
4728 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4729 if (!abort)
4730 goto nomem;
4731
4732 if (asoc) {
4733 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4734 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4735 !asoc->peer.i.init_tag) {
4736 struct sctp_initack_chunk *initack;
4737
4738 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
4739 if (!sctp_chunk_length_valid(chunk, sizeof(*initack)))
4740 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4741 else {
4742 unsigned int inittag;
4743
4744 inittag = ntohl(initack->init_hdr.init_tag);
4745 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4746 SCTP_U32(inittag));
4747 }
4748 }
4749
4750 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4751 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4752
4753 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4754 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4755 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4756 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4757 SCTP_ERROR(ECONNREFUSED));
4758 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4759 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4760 } else {
4761 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4762 SCTP_ERROR(ECONNABORTED));
4763 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4764 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4765 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4766 }
4767 } else {
4768 packet = sctp_ootb_pkt_new(net, asoc, chunk);
4769
4770 if (!packet)
4771 goto nomem_pkt;
4772
4773 if (sctp_test_T_bit(abort))
4774 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4775
4776 abort->skb->sk = ep->base.sk;
4777
4778 sctp_packet_append_chunk(packet, abort);
4779
4780 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4781 SCTP_PACKET(packet));
4782
4783 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4784 }
4785
4786 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4787
4788 discard:
4789 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4790 return SCTP_DISPOSITION_ABORT;
4791
4792 nomem_pkt:
4793 sctp_chunk_free(abort);
4794 nomem:
4795 return SCTP_DISPOSITION_NOMEM;
4796 }
4797
4798 /*
4799 * Handle a protocol violation when the chunk length is invalid.
4800 * "Invalid" length is identified as smaller than the minimal length a
4801 * given chunk can be. For example, a SACK chunk has invalid length
4802 * if its length is set to be smaller than the size of struct sctp_sack_chunk.
4803 *
4804 * We inform the other end by sending an ABORT with a Protocol Violation
4805 * error code.
4806 *
4807 * Section: Not specified
4808 * Verification Tag: Nothing to do
4809 * Inputs
4810 * (endpoint, asoc, chunk)
4811 *
4812 * Outputs
4813 * (reply_msg, msg_up, counters)
4814 *
4815 * Generate an ABORT chunk and terminate the association.
4816 */
sctp_sf_violation_chunklen(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4817 static enum sctp_disposition sctp_sf_violation_chunklen(
4818 struct net *net,
4819 const struct sctp_endpoint *ep,
4820 const struct sctp_association *asoc,
4821 const union sctp_subtype type,
4822 void *arg,
4823 struct sctp_cmd_seq *commands)
4824 {
4825 static const char err_str[] = "The following chunk had invalid length:";
4826
4827 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4828 sizeof(err_str));
4829 }
4830
4831 /*
4832 * Handle a protocol violation when the parameter length is invalid.
4833 * If the length is smaller than the minimum length of a given parameter,
4834 * or accumulated length in multi parameters exceeds the end of the chunk,
4835 * the length is considered as invalid.
4836 */
sctp_sf_violation_paramlen(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,void * ext,struct sctp_cmd_seq * commands)4837 static enum sctp_disposition sctp_sf_violation_paramlen(
4838 struct net *net,
4839 const struct sctp_endpoint *ep,
4840 const struct sctp_association *asoc,
4841 const union sctp_subtype type,
4842 void *arg, void *ext,
4843 struct sctp_cmd_seq *commands)
4844 {
4845 struct sctp_paramhdr *param = ext;
4846 struct sctp_chunk *abort = NULL;
4847 struct sctp_chunk *chunk = arg;
4848
4849 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4850 goto discard;
4851
4852 /* Make the abort chunk. */
4853 abort = sctp_make_violation_paramlen(asoc, chunk, param);
4854 if (!abort)
4855 goto nomem;
4856
4857 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4858 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4859
4860 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4861 SCTP_ERROR(ECONNABORTED));
4862 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4863 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4864 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4865 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4866
4867 discard:
4868 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4869 return SCTP_DISPOSITION_ABORT;
4870 nomem:
4871 return SCTP_DISPOSITION_NOMEM;
4872 }
4873
4874 /* Handle a protocol violation when the peer trying to advance the
4875 * cumulative tsn ack to a point beyond the max tsn currently sent.
4876 *
4877 * We inform the other end by sending an ABORT with a Protocol Violation
4878 * error code.
4879 */
sctp_sf_violation_ctsn(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4880 static enum sctp_disposition sctp_sf_violation_ctsn(
4881 struct net *net,
4882 const struct sctp_endpoint *ep,
4883 const struct sctp_association *asoc,
4884 const union sctp_subtype type,
4885 void *arg,
4886 struct sctp_cmd_seq *commands)
4887 {
4888 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";
4889
4890 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4891 sizeof(err_str));
4892 }
4893
4894 /* Handle protocol violation of an invalid chunk bundling. For example,
4895 * when we have an association and we receive bundled INIT-ACK, or
4896 * SHUTDOWN-COMPLETE, our peer is clearly violating the "MUST NOT bundle"
4897 * statement from the specs. Additionally, there might be an attacker
4898 * on the path and we may not want to continue this communication.
4899 */
sctp_sf_violation_chunk(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4900 static enum sctp_disposition sctp_sf_violation_chunk(
4901 struct net *net,
4902 const struct sctp_endpoint *ep,
4903 const struct sctp_association *asoc,
4904 const union sctp_subtype type,
4905 void *arg,
4906 struct sctp_cmd_seq *commands)
4907 {
4908 static const char err_str[] = "The following chunk violates protocol:";
4909
4910 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4911 sizeof(err_str));
4912 }
4913 /***************************************************************************
4914 * These are the state functions for handling primitive (Section 10) events.
4915 ***************************************************************************/
4916 /*
4917 * sctp_sf_do_prm_asoc
4918 *
4919 * Section: 10.1 ULP-to-SCTP
4920 * B) Associate
4921 *
4922 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4923 * outbound stream count)
4924 * -> association id [,destination transport addr list] [,outbound stream
4925 * count]
4926 *
4927 * This primitive allows the upper layer to initiate an association to a
4928 * specific peer endpoint.
4929 *
4930 * The peer endpoint shall be specified by one of the transport addresses
4931 * which defines the endpoint (see Section 1.4). If the local SCTP
4932 * instance has not been initialized, the ASSOCIATE is considered an
4933 * error.
4934 * [This is not relevant for the kernel implementation since we do all
4935 * initialization at boot time. It we hadn't initialized we wouldn't
4936 * get anywhere near this code.]
4937 *
4938 * An association id, which is a local handle to the SCTP association,
4939 * will be returned on successful establishment of the association. If
4940 * SCTP is not able to open an SCTP association with the peer endpoint,
4941 * an error is returned.
4942 * [In the kernel implementation, the struct sctp_association needs to
4943 * be created BEFORE causing this primitive to run.]
4944 *
4945 * Other association parameters may be returned, including the
4946 * complete destination transport addresses of the peer as well as the
4947 * outbound stream count of the local endpoint. One of the transport
4948 * address from the returned destination addresses will be selected by
4949 * the local endpoint as default primary path for sending SCTP packets
4950 * to this peer. The returned "destination transport addr list" can
4951 * be used by the ULP to change the default primary path or to force
4952 * sending a packet to a specific transport address. [All of this
4953 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
4954 * function.]
4955 *
4956 * Mandatory attributes:
4957 *
4958 * o local SCTP instance name - obtained from the INITIALIZE operation.
4959 * [This is the argument asoc.]
4960 * o destination transport addr - specified as one of the transport
4961 * addresses of the peer endpoint with which the association is to be
4962 * established.
4963 * [This is asoc->peer.active_path.]
4964 * o outbound stream count - the number of outbound streams the ULP
4965 * would like to open towards this peer endpoint.
4966 * [BUG: This is not currently implemented.]
4967 * Optional attributes:
4968 *
4969 * None.
4970 *
4971 * The return value is a disposition.
4972 */
sctp_sf_do_prm_asoc(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)4973 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net,
4974 const struct sctp_endpoint *ep,
4975 const struct sctp_association *asoc,
4976 const union sctp_subtype type,
4977 void *arg,
4978 struct sctp_cmd_seq *commands)
4979 {
4980 struct sctp_association *my_asoc;
4981 struct sctp_chunk *repl;
4982
4983 /* The comment below says that we enter COOKIE-WAIT AFTER
4984 * sending the INIT, but that doesn't actually work in our
4985 * implementation...
4986 */
4987 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4988 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4989
4990 /* RFC 2960 5.1 Normal Establishment of an Association
4991 *
4992 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
4993 * must provide its Verification Tag (Tag_A) in the Initiate
4994 * Tag field. Tag_A SHOULD be a random number in the range of
4995 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4996 */
4997
4998 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4999 if (!repl)
5000 goto nomem;
5001
5002 /* Choose transport for INIT. */
5003 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5004 SCTP_CHUNK(repl));
5005
5006 /* Cast away the const modifier, as we want to just
5007 * rerun it through as a sideffect.
5008 */
5009 my_asoc = (struct sctp_association *)asoc;
5010 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
5011
5012 /* After sending the INIT, "A" starts the T1-init timer and
5013 * enters the COOKIE-WAIT state.
5014 */
5015 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5016 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5017 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5018 return SCTP_DISPOSITION_CONSUME;
5019
5020 nomem:
5021 return SCTP_DISPOSITION_NOMEM;
5022 }
5023
5024 /*
5025 * Process the SEND primitive.
5026 *
5027 * Section: 10.1 ULP-to-SCTP
5028 * E) Send
5029 *
5030 * Format: SEND(association id, buffer address, byte count [,context]
5031 * [,stream id] [,life time] [,destination transport address]
5032 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
5033 * -> result
5034 *
5035 * This is the main method to send user data via SCTP.
5036 *
5037 * Mandatory attributes:
5038 *
5039 * o association id - local handle to the SCTP association
5040 *
5041 * o buffer address - the location where the user message to be
5042 * transmitted is stored;
5043 *
5044 * o byte count - The size of the user data in number of bytes;
5045 *
5046 * Optional attributes:
5047 *
5048 * o context - an optional 32 bit integer that will be carried in the
5049 * sending failure notification to the ULP if the transportation of
5050 * this User Message fails.
5051 *
5052 * o stream id - to indicate which stream to send the data on. If not
5053 * specified, stream 0 will be used.
5054 *
5055 * o life time - specifies the life time of the user data. The user data
5056 * will not be sent by SCTP after the life time expires. This
5057 * parameter can be used to avoid efforts to transmit stale
5058 * user messages. SCTP notifies the ULP if the data cannot be
5059 * initiated to transport (i.e. sent to the destination via SCTP's
5060 * send primitive) within the life time variable. However, the
5061 * user data will be transmitted if SCTP has attempted to transmit a
5062 * chunk before the life time expired.
5063 *
5064 * o destination transport address - specified as one of the destination
5065 * transport addresses of the peer endpoint to which this packet
5066 * should be sent. Whenever possible, SCTP should use this destination
5067 * transport address for sending the packets, instead of the current
5068 * primary path.
5069 *
5070 * o unorder flag - this flag, if present, indicates that the user
5071 * would like the data delivered in an unordered fashion to the peer
5072 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
5073 * message).
5074 *
5075 * o no-bundle flag - instructs SCTP not to bundle this user data with
5076 * other outbound DATA chunks. SCTP MAY still bundle even when
5077 * this flag is present, when faced with network congestion.
5078 *
5079 * o payload protocol-id - A 32 bit unsigned integer that is to be
5080 * passed to the peer indicating the type of payload protocol data
5081 * being transmitted. This value is passed as opaque data by SCTP.
5082 *
5083 * The return value is the disposition.
5084 */
sctp_sf_do_prm_send(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5085 enum sctp_disposition sctp_sf_do_prm_send(struct net *net,
5086 const struct sctp_endpoint *ep,
5087 const struct sctp_association *asoc,
5088 const union sctp_subtype type,
5089 void *arg,
5090 struct sctp_cmd_seq *commands)
5091 {
5092 struct sctp_datamsg *msg = arg;
5093
5094 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
5095 return SCTP_DISPOSITION_CONSUME;
5096 }
5097
5098 /*
5099 * Process the SHUTDOWN primitive.
5100 *
5101 * Section: 10.1:
5102 * C) Shutdown
5103 *
5104 * Format: SHUTDOWN(association id)
5105 * -> result
5106 *
5107 * Gracefully closes an association. Any locally queued user data
5108 * will be delivered to the peer. The association will be terminated only
5109 * after the peer acknowledges all the SCTP packets sent. A success code
5110 * will be returned on successful termination of the association. If
5111 * attempting to terminate the association results in a failure, an error
5112 * code shall be returned.
5113 *
5114 * Mandatory attributes:
5115 *
5116 * o association id - local handle to the SCTP association
5117 *
5118 * Optional attributes:
5119 *
5120 * None.
5121 *
5122 * The return value is the disposition.
5123 */
sctp_sf_do_9_2_prm_shutdown(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5124 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown(
5125 struct net *net,
5126 const struct sctp_endpoint *ep,
5127 const struct sctp_association *asoc,
5128 const union sctp_subtype type,
5129 void *arg,
5130 struct sctp_cmd_seq *commands)
5131 {
5132 enum sctp_disposition disposition;
5133
5134 /* From 9.2 Shutdown of an Association
5135 * Upon receipt of the SHUTDOWN primitive from its upper
5136 * layer, the endpoint enters SHUTDOWN-PENDING state and
5137 * remains there until all outstanding data has been
5138 * acknowledged by its peer. The endpoint accepts no new data
5139 * from its upper layer, but retransmits data to the far end
5140 * if necessary to fill gaps.
5141 */
5142 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5143 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5144
5145 disposition = SCTP_DISPOSITION_CONSUME;
5146 if (sctp_outq_is_empty(&asoc->outqueue)) {
5147 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5148 arg, commands);
5149 }
5150
5151 return disposition;
5152 }
5153
5154 /*
5155 * Process the ABORT primitive.
5156 *
5157 * Section: 10.1:
5158 * C) Abort
5159 *
5160 * Format: Abort(association id [, cause code])
5161 * -> result
5162 *
5163 * Ungracefully closes an association. Any locally queued user data
5164 * will be discarded and an ABORT chunk is sent to the peer. A success code
5165 * will be returned on successful abortion of the association. If
5166 * attempting to abort the association results in a failure, an error
5167 * code shall be returned.
5168 *
5169 * Mandatory attributes:
5170 *
5171 * o association id - local handle to the SCTP association
5172 *
5173 * Optional attributes:
5174 *
5175 * o cause code - reason of the abort to be passed to the peer
5176 *
5177 * None.
5178 *
5179 * The return value is the disposition.
5180 */
sctp_sf_do_9_1_prm_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5181 enum sctp_disposition sctp_sf_do_9_1_prm_abort(
5182 struct net *net,
5183 const struct sctp_endpoint *ep,
5184 const struct sctp_association *asoc,
5185 const union sctp_subtype type,
5186 void *arg,
5187 struct sctp_cmd_seq *commands)
5188 {
5189 /* From 9.1 Abort of an Association
5190 * Upon receipt of the ABORT primitive from its upper
5191 * layer, the endpoint enters CLOSED state and
5192 * discard all outstanding data has been
5193 * acknowledged by its peer. The endpoint accepts no new data
5194 * from its upper layer, but retransmits data to the far end
5195 * if necessary to fill gaps.
5196 */
5197 struct sctp_chunk *abort = arg;
5198
5199 if (abort)
5200 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5201
5202 /* Even if we can't send the ABORT due to low memory delete the
5203 * TCB. This is a departure from our typical NOMEM handling.
5204 */
5205
5206 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5207 SCTP_ERROR(ECONNABORTED));
5208 /* Delete the established association. */
5209 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5210 SCTP_PERR(SCTP_ERROR_USER_ABORT));
5211
5212 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5213 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5214
5215 return SCTP_DISPOSITION_ABORT;
5216 }
5217
5218 /* We tried an illegal operation on an association which is closed. */
sctp_sf_error_closed(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5219 enum sctp_disposition sctp_sf_error_closed(struct net *net,
5220 const struct sctp_endpoint *ep,
5221 const struct sctp_association *asoc,
5222 const union sctp_subtype type,
5223 void *arg,
5224 struct sctp_cmd_seq *commands)
5225 {
5226 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
5227 return SCTP_DISPOSITION_CONSUME;
5228 }
5229
5230 /* We tried an illegal operation on an association which is shutting
5231 * down.
5232 */
sctp_sf_error_shutdown(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5233 enum sctp_disposition sctp_sf_error_shutdown(
5234 struct net *net,
5235 const struct sctp_endpoint *ep,
5236 const struct sctp_association *asoc,
5237 const union sctp_subtype type,
5238 void *arg,
5239 struct sctp_cmd_seq *commands)
5240 {
5241 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
5242 SCTP_ERROR(-ESHUTDOWN));
5243 return SCTP_DISPOSITION_CONSUME;
5244 }
5245
5246 /*
5247 * sctp_cookie_wait_prm_shutdown
5248 *
5249 * Section: 4 Note: 2
5250 * Verification Tag:
5251 * Inputs
5252 * (endpoint, asoc)
5253 *
5254 * The RFC does not explicitly address this issue, but is the route through the
5255 * state table when someone issues a shutdown while in COOKIE_WAIT state.
5256 *
5257 * Outputs
5258 * (timers)
5259 */
sctp_sf_cookie_wait_prm_shutdown(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5260 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown(
5261 struct net *net,
5262 const struct sctp_endpoint *ep,
5263 const struct sctp_association *asoc,
5264 const union sctp_subtype type,
5265 void *arg,
5266 struct sctp_cmd_seq *commands)
5267 {
5268 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5269 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5270
5271 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5272 SCTP_STATE(SCTP_STATE_CLOSED));
5273
5274 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
5275
5276 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
5277
5278 return SCTP_DISPOSITION_DELETE_TCB;
5279 }
5280
5281 /*
5282 * sctp_cookie_echoed_prm_shutdown
5283 *
5284 * Section: 4 Note: 2
5285 * Verification Tag:
5286 * Inputs
5287 * (endpoint, asoc)
5288 *
5289 * The RFC does not explicitly address this issue, but is the route through the
5290 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
5291 *
5292 * Outputs
5293 * (timers)
5294 */
sctp_sf_cookie_echoed_prm_shutdown(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5295 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown(
5296 struct net *net,
5297 const struct sctp_endpoint *ep,
5298 const struct sctp_association *asoc,
5299 const union sctp_subtype type,
5300 void *arg,
5301 struct sctp_cmd_seq *commands)
5302 {
5303 /* There is a single T1 timer, so we should be able to use
5304 * common function with the COOKIE-WAIT state.
5305 */
5306 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
5307 }
5308
5309 /*
5310 * sctp_sf_cookie_wait_prm_abort
5311 *
5312 * Section: 4 Note: 2
5313 * Verification Tag:
5314 * Inputs
5315 * (endpoint, asoc)
5316 *
5317 * The RFC does not explicitly address this issue, but is the route through the
5318 * state table when someone issues an abort while in COOKIE_WAIT state.
5319 *
5320 * Outputs
5321 * (timers)
5322 */
sctp_sf_cookie_wait_prm_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5323 enum sctp_disposition sctp_sf_cookie_wait_prm_abort(
5324 struct net *net,
5325 const struct sctp_endpoint *ep,
5326 const struct sctp_association *asoc,
5327 const union sctp_subtype type,
5328 void *arg,
5329 struct sctp_cmd_seq *commands)
5330 {
5331 struct sctp_chunk *abort = arg;
5332
5333 /* Stop T1-init timer */
5334 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5335 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5336
5337 if (abort)
5338 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5339
5340 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5341 SCTP_STATE(SCTP_STATE_CLOSED));
5342
5343 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5344
5345 /* Even if we can't send the ABORT due to low memory delete the
5346 * TCB. This is a departure from our typical NOMEM handling.
5347 */
5348
5349 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5350 SCTP_ERROR(ECONNREFUSED));
5351 /* Delete the established association. */
5352 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5353 SCTP_PERR(SCTP_ERROR_USER_ABORT));
5354
5355 return SCTP_DISPOSITION_ABORT;
5356 }
5357
5358 /*
5359 * sctp_sf_cookie_echoed_prm_abort
5360 *
5361 * Section: 4 Note: 3
5362 * Verification Tag:
5363 * Inputs
5364 * (endpoint, asoc)
5365 *
5366 * The RFC does not explcitly address this issue, but is the route through the
5367 * state table when someone issues an abort while in COOKIE_ECHOED state.
5368 *
5369 * Outputs
5370 * (timers)
5371 */
sctp_sf_cookie_echoed_prm_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5372 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort(
5373 struct net *net,
5374 const struct sctp_endpoint *ep,
5375 const struct sctp_association *asoc,
5376 const union sctp_subtype type,
5377 void *arg,
5378 struct sctp_cmd_seq *commands)
5379 {
5380 /* There is a single T1 timer, so we should be able to use
5381 * common function with the COOKIE-WAIT state.
5382 */
5383 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5384 }
5385
5386 /*
5387 * sctp_sf_shutdown_pending_prm_abort
5388 *
5389 * Inputs
5390 * (endpoint, asoc)
5391 *
5392 * The RFC does not explicitly address this issue, but is the route through the
5393 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5394 *
5395 * Outputs
5396 * (timers)
5397 */
sctp_sf_shutdown_pending_prm_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5398 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort(
5399 struct net *net,
5400 const struct sctp_endpoint *ep,
5401 const struct sctp_association *asoc,
5402 const union sctp_subtype type,
5403 void *arg,
5404 struct sctp_cmd_seq *commands)
5405 {
5406 /* Stop the T5-shutdown guard timer. */
5407 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5408 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5409
5410 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5411 }
5412
5413 /*
5414 * sctp_sf_shutdown_sent_prm_abort
5415 *
5416 * Inputs
5417 * (endpoint, asoc)
5418 *
5419 * The RFC does not explicitly address this issue, but is the route through the
5420 * state table when someone issues an abort while in SHUTDOWN-SENT state.
5421 *
5422 * Outputs
5423 * (timers)
5424 */
sctp_sf_shutdown_sent_prm_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5425 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort(
5426 struct net *net,
5427 const struct sctp_endpoint *ep,
5428 const struct sctp_association *asoc,
5429 const union sctp_subtype type,
5430 void *arg,
5431 struct sctp_cmd_seq *commands)
5432 {
5433 /* Stop the T2-shutdown timer. */
5434 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5435 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5436
5437 /* Stop the T5-shutdown guard timer. */
5438 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5439 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5440
5441 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5442 }
5443
5444 /*
5445 * sctp_sf_cookie_echoed_prm_abort
5446 *
5447 * Inputs
5448 * (endpoint, asoc)
5449 *
5450 * The RFC does not explcitly address this issue, but is the route through the
5451 * state table when someone issues an abort while in COOKIE_ECHOED state.
5452 *
5453 * Outputs
5454 * (timers)
5455 */
sctp_sf_shutdown_ack_sent_prm_abort(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5456 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort(
5457 struct net *net,
5458 const struct sctp_endpoint *ep,
5459 const struct sctp_association *asoc,
5460 const union sctp_subtype type,
5461 void *arg,
5462 struct sctp_cmd_seq *commands)
5463 {
5464 /* The same T2 timer, so we should be able to use
5465 * common function with the SHUTDOWN-SENT state.
5466 */
5467 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5468 }
5469
5470 /*
5471 * Process the REQUESTHEARTBEAT primitive
5472 *
5473 * 10.1 ULP-to-SCTP
5474 * J) Request Heartbeat
5475 *
5476 * Format: REQUESTHEARTBEAT(association id, destination transport address)
5477 *
5478 * -> result
5479 *
5480 * Instructs the local endpoint to perform a HeartBeat on the specified
5481 * destination transport address of the given association. The returned
5482 * result should indicate whether the transmission of the HEARTBEAT
5483 * chunk to the destination address is successful.
5484 *
5485 * Mandatory attributes:
5486 *
5487 * o association id - local handle to the SCTP association
5488 *
5489 * o destination transport address - the transport address of the
5490 * association on which a heartbeat should be issued.
5491 */
sctp_sf_do_prm_requestheartbeat(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5492 enum sctp_disposition sctp_sf_do_prm_requestheartbeat(
5493 struct net *net,
5494 const struct sctp_endpoint *ep,
5495 const struct sctp_association *asoc,
5496 const union sctp_subtype type,
5497 void *arg,
5498 struct sctp_cmd_seq *commands)
5499 {
5500 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5501 (struct sctp_transport *)arg, commands))
5502 return SCTP_DISPOSITION_NOMEM;
5503
5504 /*
5505 * RFC 2960 (bis), section 8.3
5506 *
5507 * D) Request an on-demand HEARTBEAT on a specific destination
5508 * transport address of a given association.
5509 *
5510 * The endpoint should increment the respective error counter of
5511 * the destination transport address each time a HEARTBEAT is sent
5512 * to that address and not acknowledged within one RTO.
5513 *
5514 */
5515 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5516 SCTP_TRANSPORT(arg));
5517 return SCTP_DISPOSITION_CONSUME;
5518 }
5519
5520 /*
5521 * ADDIP Section 4.1 ASCONF Chunk Procedures
5522 * When an endpoint has an ASCONF signaled change to be sent to the
5523 * remote endpoint it should do A1 to A9
5524 */
sctp_sf_do_prm_asconf(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5525 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net,
5526 const struct sctp_endpoint *ep,
5527 const struct sctp_association *asoc,
5528 const union sctp_subtype type,
5529 void *arg,
5530 struct sctp_cmd_seq *commands)
5531 {
5532 struct sctp_chunk *chunk = arg;
5533
5534 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5535 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5536 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5537 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5538 return SCTP_DISPOSITION_CONSUME;
5539 }
5540
5541 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */
sctp_sf_do_prm_reconf(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5542 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net,
5543 const struct sctp_endpoint *ep,
5544 const struct sctp_association *asoc,
5545 const union sctp_subtype type,
5546 void *arg,
5547 struct sctp_cmd_seq *commands)
5548 {
5549 struct sctp_chunk *chunk = arg;
5550
5551 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5552 return SCTP_DISPOSITION_CONSUME;
5553 }
5554
5555 /*
5556 * Ignore the primitive event
5557 *
5558 * The return value is the disposition of the primitive.
5559 */
sctp_sf_ignore_primitive(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5560 enum sctp_disposition sctp_sf_ignore_primitive(
5561 struct net *net,
5562 const struct sctp_endpoint *ep,
5563 const struct sctp_association *asoc,
5564 const union sctp_subtype type,
5565 void *arg,
5566 struct sctp_cmd_seq *commands)
5567 {
5568 pr_debug("%s: primitive type:%d is ignored\n", __func__,
5569 type.primitive);
5570
5571 return SCTP_DISPOSITION_DISCARD;
5572 }
5573
5574 /***************************************************************************
5575 * These are the state functions for the OTHER events.
5576 ***************************************************************************/
5577
5578 /*
5579 * When the SCTP stack has no more user data to send or retransmit, this
5580 * notification is given to the user. Also, at the time when a user app
5581 * subscribes to this event, if there is no data to be sent or
5582 * retransmit, the stack will immediately send up this notification.
5583 */
sctp_sf_do_no_pending_tsn(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5584 enum sctp_disposition sctp_sf_do_no_pending_tsn(
5585 struct net *net,
5586 const struct sctp_endpoint *ep,
5587 const struct sctp_association *asoc,
5588 const union sctp_subtype type,
5589 void *arg,
5590 struct sctp_cmd_seq *commands)
5591 {
5592 struct sctp_ulpevent *event;
5593
5594 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5595 if (!event)
5596 return SCTP_DISPOSITION_NOMEM;
5597
5598 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5599
5600 return SCTP_DISPOSITION_CONSUME;
5601 }
5602
5603 /*
5604 * Start the shutdown negotiation.
5605 *
5606 * From Section 9.2:
5607 * Once all its outstanding data has been acknowledged, the endpoint
5608 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5609 * TSN Ack field the last sequential TSN it has received from the peer.
5610 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5611 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5612 * with the updated last sequential TSN received from its peer.
5613 *
5614 * The return value is the disposition.
5615 */
sctp_sf_do_9_2_start_shutdown(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5616 enum sctp_disposition sctp_sf_do_9_2_start_shutdown(
5617 struct net *net,
5618 const struct sctp_endpoint *ep,
5619 const struct sctp_association *asoc,
5620 const union sctp_subtype type,
5621 void *arg,
5622 struct sctp_cmd_seq *commands)
5623 {
5624 struct sctp_chunk *reply;
5625
5626 /* Once all its outstanding data has been acknowledged, the
5627 * endpoint shall send a SHUTDOWN chunk to its peer including
5628 * in the Cumulative TSN Ack field the last sequential TSN it
5629 * has received from the peer.
5630 */
5631 reply = sctp_make_shutdown(asoc, arg);
5632 if (!reply)
5633 goto nomem;
5634
5635 /* Set the transport for the SHUTDOWN chunk and the timeout for the
5636 * T2-shutdown timer.
5637 */
5638 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5639
5640 /* It shall then start the T2-shutdown timer */
5641 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5642 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5643
5644 /* RFC 4960 Section 9.2
5645 * The sender of the SHUTDOWN MAY also start an overall guard timer
5646 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5647 */
5648 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5649 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5650
5651 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5652 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5653 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5654
5655 /* and enter the SHUTDOWN-SENT state. */
5656 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5657 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5658
5659 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5660 *
5661 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5662 * or SHUTDOWN-ACK.
5663 */
5664 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5665
5666 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5667
5668 return SCTP_DISPOSITION_CONSUME;
5669
5670 nomem:
5671 return SCTP_DISPOSITION_NOMEM;
5672 }
5673
5674 /*
5675 * Generate a SHUTDOWN ACK now that everything is SACK'd.
5676 *
5677 * From Section 9.2:
5678 *
5679 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5680 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5681 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5682 * endpoint must re-send the SHUTDOWN ACK.
5683 *
5684 * The return value is the disposition.
5685 */
sctp_sf_do_9_2_shutdown_ack(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5686 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack(
5687 struct net *net,
5688 const struct sctp_endpoint *ep,
5689 const struct sctp_association *asoc,
5690 const union sctp_subtype type,
5691 void *arg,
5692 struct sctp_cmd_seq *commands)
5693 {
5694 struct sctp_chunk *chunk = arg;
5695 struct sctp_chunk *reply;
5696
5697 /* There are 2 ways of getting here:
5698 * 1) called in response to a SHUTDOWN chunk
5699 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5700 *
5701 * For the case (2), the arg parameter is set to NULL. We need
5702 * to check that we have a chunk before accessing it's fields.
5703 */
5704 if (chunk) {
5705 if (!sctp_vtag_verify(chunk, asoc))
5706 return sctp_sf_pdiscard(net, ep, asoc, type, arg,
5707 commands);
5708
5709 /* Make sure that the SHUTDOWN chunk has a valid length. */
5710 if (!sctp_chunk_length_valid(
5711 chunk, sizeof(struct sctp_shutdown_chunk)))
5712 return sctp_sf_violation_chunklen(net, ep, asoc, type,
5713 arg, commands);
5714 }
5715
5716 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5717 * shall send a SHUTDOWN ACK ...
5718 */
5719 reply = sctp_make_shutdown_ack(asoc, chunk);
5720 if (!reply)
5721 goto nomem;
5722
5723 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5724 * the T2-shutdown timer.
5725 */
5726 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5727
5728 /* and start/restart a T2-shutdown timer of its own, */
5729 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5730 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5731
5732 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5733 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5734 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5735
5736 /* Enter the SHUTDOWN-ACK-SENT state. */
5737 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5738 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5739
5740 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5741 *
5742 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5743 * or SHUTDOWN-ACK.
5744 */
5745 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5746
5747 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5748
5749 return SCTP_DISPOSITION_CONSUME;
5750
5751 nomem:
5752 return SCTP_DISPOSITION_NOMEM;
5753 }
5754
5755 /*
5756 * Ignore the event defined as other
5757 *
5758 * The return value is the disposition of the event.
5759 */
sctp_sf_ignore_other(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5760 enum sctp_disposition sctp_sf_ignore_other(struct net *net,
5761 const struct sctp_endpoint *ep,
5762 const struct sctp_association *asoc,
5763 const union sctp_subtype type,
5764 void *arg,
5765 struct sctp_cmd_seq *commands)
5766 {
5767 pr_debug("%s: the event other type:%d is ignored\n",
5768 __func__, type.other);
5769
5770 return SCTP_DISPOSITION_DISCARD;
5771 }
5772
5773 /************************************************************
5774 * These are the state functions for handling timeout events.
5775 ************************************************************/
5776
5777 /*
5778 * RTX Timeout
5779 *
5780 * Section: 6.3.3 Handle T3-rtx Expiration
5781 *
5782 * Whenever the retransmission timer T3-rtx expires for a destination
5783 * address, do the following:
5784 * [See below]
5785 *
5786 * The return value is the disposition of the chunk.
5787 */
sctp_sf_do_6_3_3_rtx(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5788 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net,
5789 const struct sctp_endpoint *ep,
5790 const struct sctp_association *asoc,
5791 const union sctp_subtype type,
5792 void *arg,
5793 struct sctp_cmd_seq *commands)
5794 {
5795 struct sctp_transport *transport = arg;
5796
5797 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5798
5799 if (asoc->overall_error_count >= asoc->max_retrans) {
5800 if (asoc->peer.zero_window_announced &&
5801 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5802 /*
5803 * We are here likely because the receiver had its rwnd
5804 * closed for a while and we have not been able to
5805 * transmit the locally queued data within the maximum
5806 * retransmission attempts limit. Start the T5
5807 * shutdown guard timer to give the receiver one last
5808 * chance and some additional time to recover before
5809 * aborting.
5810 */
5811 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5812 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5813 } else {
5814 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5815 SCTP_ERROR(ETIMEDOUT));
5816 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5817 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5818 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5819 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5820 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5821 return SCTP_DISPOSITION_DELETE_TCB;
5822 }
5823 }
5824
5825 /* E1) For the destination address for which the timer
5826 * expires, adjust its ssthresh with rules defined in Section
5827 * 7.2.3 and set the cwnd <- MTU.
5828 */
5829
5830 /* E2) For the destination address for which the timer
5831 * expires, set RTO <- RTO * 2 ("back off the timer"). The
5832 * maximum value discussed in rule C7 above (RTO.max) may be
5833 * used to provide an upper bound to this doubling operation.
5834 */
5835
5836 /* E3) Determine how many of the earliest (i.e., lowest TSN)
5837 * outstanding DATA chunks for the address for which the
5838 * T3-rtx has expired will fit into a single packet, subject
5839 * to the MTU constraint for the path corresponding to the
5840 * destination transport address to which the retransmission
5841 * is being sent (this may be different from the address for
5842 * which the timer expires [see Section 6.4]). Call this
5843 * value K. Bundle and retransmit those K DATA chunks in a
5844 * single packet to the destination endpoint.
5845 *
5846 * Note: Any DATA chunks that were sent to the address for
5847 * which the T3-rtx timer expired but did not fit in one MTU
5848 * (rule E3 above), should be marked for retransmission and
5849 * sent as soon as cwnd allows (normally when a SACK arrives).
5850 */
5851
5852 /* Do some failure management (Section 8.2). */
5853 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5854
5855 /* NB: Rules E4 and F1 are implicit in R1. */
5856 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5857
5858 return SCTP_DISPOSITION_CONSUME;
5859 }
5860
5861 /*
5862 * Generate delayed SACK on timeout
5863 *
5864 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
5865 *
5866 * The guidelines on delayed acknowledgement algorithm specified in
5867 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
5868 * acknowledgement SHOULD be generated for at least every second packet
5869 * (not every second DATA chunk) received, and SHOULD be generated
5870 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
5871 * some situations it may be beneficial for an SCTP transmitter to be
5872 * more conservative than the algorithms detailed in this document
5873 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5874 * the following algorithms allow.
5875 */
sctp_sf_do_6_2_sack(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5876 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net,
5877 const struct sctp_endpoint *ep,
5878 const struct sctp_association *asoc,
5879 const union sctp_subtype type,
5880 void *arg,
5881 struct sctp_cmd_seq *commands)
5882 {
5883 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5884 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5885 return SCTP_DISPOSITION_CONSUME;
5886 }
5887
5888 /*
5889 * sctp_sf_t1_init_timer_expire
5890 *
5891 * Section: 4 Note: 2
5892 * Verification Tag:
5893 * Inputs
5894 * (endpoint, asoc)
5895 *
5896 * RFC 2960 Section 4 Notes
5897 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5898 * and re-start the T1-init timer without changing state. This MUST
5899 * be repeated up to 'Max.Init.Retransmits' times. After that, the
5900 * endpoint MUST abort the initialization process and report the
5901 * error to SCTP user.
5902 *
5903 * Outputs
5904 * (timers, events)
5905 *
5906 */
sctp_sf_t1_init_timer_expire(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5907 enum sctp_disposition sctp_sf_t1_init_timer_expire(
5908 struct net *net,
5909 const struct sctp_endpoint *ep,
5910 const struct sctp_association *asoc,
5911 const union sctp_subtype type,
5912 void *arg,
5913 struct sctp_cmd_seq *commands)
5914 {
5915 int attempts = asoc->init_err_counter + 1;
5916 struct sctp_chunk *repl = NULL;
5917 struct sctp_bind_addr *bp;
5918
5919 pr_debug("%s: timer T1 expired (INIT)\n", __func__);
5920
5921 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5922
5923 if (attempts <= asoc->max_init_attempts) {
5924 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5925 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5926 if (!repl)
5927 return SCTP_DISPOSITION_NOMEM;
5928
5929 /* Choose transport for INIT. */
5930 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5931 SCTP_CHUNK(repl));
5932
5933 /* Issue a sideeffect to do the needed accounting. */
5934 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5935 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5936
5937 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5938 } else {
5939 pr_debug("%s: giving up on INIT, attempts:%d "
5940 "max_init_attempts:%d\n", __func__, attempts,
5941 asoc->max_init_attempts);
5942
5943 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5944 SCTP_ERROR(ETIMEDOUT));
5945 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5946 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5947 return SCTP_DISPOSITION_DELETE_TCB;
5948 }
5949
5950 return SCTP_DISPOSITION_CONSUME;
5951 }
5952
5953 /*
5954 * sctp_sf_t1_cookie_timer_expire
5955 *
5956 * Section: 4 Note: 2
5957 * Verification Tag:
5958 * Inputs
5959 * (endpoint, asoc)
5960 *
5961 * RFC 2960 Section 4 Notes
5962 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
5963 * COOKIE ECHO and re-start the T1-cookie timer without changing
5964 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
5965 * After that, the endpoint MUST abort the initialization process and
5966 * report the error to SCTP user.
5967 *
5968 * Outputs
5969 * (timers, events)
5970 *
5971 */
sctp_sf_t1_cookie_timer_expire(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)5972 enum sctp_disposition sctp_sf_t1_cookie_timer_expire(
5973 struct net *net,
5974 const struct sctp_endpoint *ep,
5975 const struct sctp_association *asoc,
5976 const union sctp_subtype type,
5977 void *arg,
5978 struct sctp_cmd_seq *commands)
5979 {
5980 int attempts = asoc->init_err_counter + 1;
5981 struct sctp_chunk *repl = NULL;
5982
5983 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);
5984
5985 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5986
5987 if (attempts <= asoc->max_init_attempts) {
5988 repl = sctp_make_cookie_echo(asoc, NULL);
5989 if (!repl)
5990 return SCTP_DISPOSITION_NOMEM;
5991
5992 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5993 SCTP_CHUNK(repl));
5994 /* Issue a sideeffect to do the needed accounting. */
5995 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5996 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5997
5998 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5999 } else {
6000 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6001 SCTP_ERROR(ETIMEDOUT));
6002 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
6003 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6004 return SCTP_DISPOSITION_DELETE_TCB;
6005 }
6006
6007 return SCTP_DISPOSITION_CONSUME;
6008 }
6009
6010 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
6011 * with the updated last sequential TSN received from its peer.
6012 *
6013 * An endpoint should limit the number of retransmission of the
6014 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
6015 * If this threshold is exceeded the endpoint should destroy the TCB and
6016 * MUST report the peer endpoint unreachable to the upper layer (and
6017 * thus the association enters the CLOSED state). The reception of any
6018 * packet from its peer (i.e. as the peer sends all of its queued DATA
6019 * chunks) should clear the endpoint's retransmission count and restart
6020 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
6021 * all of its queued DATA chunks that have not yet been sent.
6022 */
sctp_sf_t2_timer_expire(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)6023 enum sctp_disposition sctp_sf_t2_timer_expire(
6024 struct net *net,
6025 const struct sctp_endpoint *ep,
6026 const struct sctp_association *asoc,
6027 const union sctp_subtype type,
6028 void *arg,
6029 struct sctp_cmd_seq *commands)
6030 {
6031 struct sctp_chunk *reply = NULL;
6032
6033 pr_debug("%s: timer T2 expired\n", __func__);
6034
6035 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
6036
6037 ((struct sctp_association *)asoc)->shutdown_retries++;
6038
6039 if (asoc->overall_error_count >= asoc->max_retrans) {
6040 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6041 SCTP_ERROR(ETIMEDOUT));
6042 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
6043 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6044 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6045 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6046 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6047 return SCTP_DISPOSITION_DELETE_TCB;
6048 }
6049
6050 switch (asoc->state) {
6051 case SCTP_STATE_SHUTDOWN_SENT:
6052 reply = sctp_make_shutdown(asoc, NULL);
6053 break;
6054
6055 case SCTP_STATE_SHUTDOWN_ACK_SENT:
6056 reply = sctp_make_shutdown_ack(asoc, NULL);
6057 break;
6058
6059 default:
6060 BUG();
6061 break;
6062 }
6063
6064 if (!reply)
6065 goto nomem;
6066
6067 /* Do some failure management (Section 8.2).
6068 * If we remove the transport an SHUTDOWN was last sent to, don't
6069 * do failure management.
6070 */
6071 if (asoc->shutdown_last_sent_to)
6072 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
6073 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
6074
6075 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
6076 * the T2-shutdown timer.
6077 */
6078 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
6079
6080 /* Restart the T2-shutdown timer. */
6081 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6082 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
6083 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6084 return SCTP_DISPOSITION_CONSUME;
6085
6086 nomem:
6087 return SCTP_DISPOSITION_NOMEM;
6088 }
6089
6090 /*
6091 * ADDIP Section 4.1 ASCONF Chunk Procedures
6092 * If the T4 RTO timer expires the endpoint should do B1 to B5
6093 */
sctp_sf_t4_timer_expire(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)6094 enum sctp_disposition sctp_sf_t4_timer_expire(
6095 struct net *net,
6096 const struct sctp_endpoint *ep,
6097 const struct sctp_association *asoc,
6098 const union sctp_subtype type,
6099 void *arg,
6100 struct sctp_cmd_seq *commands)
6101 {
6102 struct sctp_chunk *chunk = asoc->addip_last_asconf;
6103 struct sctp_transport *transport = chunk->transport;
6104
6105 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
6106
6107 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
6108 * detection on the appropriate destination address as defined in
6109 * RFC2960 [5] section 8.1 and 8.2.
6110 */
6111 if (transport)
6112 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
6113 SCTP_TRANSPORT(transport));
6114
6115 /* Reconfig T4 timer and transport. */
6116 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
6117
6118 /* ADDIP 4.1 B2) Increment the association error counters and perform
6119 * endpoint failure detection on the association as defined in
6120 * RFC2960 [5] section 8.1 and 8.2.
6121 * association error counter is incremented in SCTP_CMD_STRIKE.
6122 */
6123 if (asoc->overall_error_count >= asoc->max_retrans) {
6124 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
6125 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6126 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6127 SCTP_ERROR(ETIMEDOUT));
6128 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6129 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6130 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6131 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6132 return SCTP_DISPOSITION_ABORT;
6133 }
6134
6135 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
6136 * the ASCONF chunk was sent by doubling the RTO timer value.
6137 * This is done in SCTP_CMD_STRIKE.
6138 */
6139
6140 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
6141 * choose an alternate destination address (please refer to RFC2960
6142 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
6143 * chunk, it MUST be the same (including its serial number) as the last
6144 * ASCONF sent.
6145 */
6146 sctp_chunk_hold(asoc->addip_last_asconf);
6147 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6148 SCTP_CHUNK(asoc->addip_last_asconf));
6149
6150 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
6151 * destination is selected, then the RTO used will be that of the new
6152 * destination address.
6153 */
6154 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6155 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6156
6157 return SCTP_DISPOSITION_CONSUME;
6158 }
6159
6160 /* sctpimpguide-05 Section 2.12.2
6161 * The sender of the SHUTDOWN MAY also start an overall guard timer
6162 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
6163 * At the expiration of this timer the sender SHOULD abort the association
6164 * by sending an ABORT chunk.
6165 */
sctp_sf_t5_timer_expire(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)6166 enum sctp_disposition sctp_sf_t5_timer_expire(
6167 struct net *net,
6168 const struct sctp_endpoint *ep,
6169 const struct sctp_association *asoc,
6170 const union sctp_subtype type,
6171 void *arg,
6172 struct sctp_cmd_seq *commands)
6173 {
6174 struct sctp_chunk *reply = NULL;
6175
6176 pr_debug("%s: timer T5 expired\n", __func__);
6177
6178 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
6179
6180 reply = sctp_make_abort(asoc, NULL, 0);
6181 if (!reply)
6182 goto nomem;
6183
6184 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6185 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6186 SCTP_ERROR(ETIMEDOUT));
6187 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6188 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6189
6190 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6191 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6192
6193 return SCTP_DISPOSITION_DELETE_TCB;
6194 nomem:
6195 return SCTP_DISPOSITION_NOMEM;
6196 }
6197
6198 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
6199 * the association is automatically closed by starting the shutdown process.
6200 * The work that needs to be done is same as when SHUTDOWN is initiated by
6201 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
6202 */
sctp_sf_autoclose_timer_expire(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)6203 enum sctp_disposition sctp_sf_autoclose_timer_expire(
6204 struct net *net,
6205 const struct sctp_endpoint *ep,
6206 const struct sctp_association *asoc,
6207 const union sctp_subtype type,
6208 void *arg,
6209 struct sctp_cmd_seq *commands)
6210 {
6211 enum sctp_disposition disposition;
6212
6213 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
6214
6215 /* From 9.2 Shutdown of an Association
6216 * Upon receipt of the SHUTDOWN primitive from its upper
6217 * layer, the endpoint enters SHUTDOWN-PENDING state and
6218 * remains there until all outstanding data has been
6219 * acknowledged by its peer. The endpoint accepts no new data
6220 * from its upper layer, but retransmits data to the far end
6221 * if necessary to fill gaps.
6222 */
6223 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
6224 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
6225
6226 disposition = SCTP_DISPOSITION_CONSUME;
6227 if (sctp_outq_is_empty(&asoc->outqueue)) {
6228 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
6229 NULL, commands);
6230 }
6231
6232 return disposition;
6233 }
6234
6235 /*****************************************************************************
6236 * These are sa state functions which could apply to all types of events.
6237 ****************************************************************************/
6238
6239 /*
6240 * This table entry is not implemented.
6241 *
6242 * Inputs
6243 * (endpoint, asoc, chunk)
6244 *
6245 * The return value is the disposition of the chunk.
6246 */
sctp_sf_not_impl(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)6247 enum sctp_disposition sctp_sf_not_impl(struct net *net,
6248 const struct sctp_endpoint *ep,
6249 const struct sctp_association *asoc,
6250 const union sctp_subtype type,
6251 void *arg, struct sctp_cmd_seq *commands)
6252 {
6253 return SCTP_DISPOSITION_NOT_IMPL;
6254 }
6255
6256 /*
6257 * This table entry represents a bug.
6258 *
6259 * Inputs
6260 * (endpoint, asoc, chunk)
6261 *
6262 * The return value is the disposition of the chunk.
6263 */
sctp_sf_bug(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)6264 enum sctp_disposition sctp_sf_bug(struct net *net,
6265 const struct sctp_endpoint *ep,
6266 const struct sctp_association *asoc,
6267 const union sctp_subtype type,
6268 void *arg, struct sctp_cmd_seq *commands)
6269 {
6270 return SCTP_DISPOSITION_BUG;
6271 }
6272
6273 /*
6274 * This table entry represents the firing of a timer in the wrong state.
6275 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
6276 * when the association is in the wrong state. This event should
6277 * be ignored, so as to prevent any rearming of the timer.
6278 *
6279 * Inputs
6280 * (endpoint, asoc, chunk)
6281 *
6282 * The return value is the disposition of the chunk.
6283 */
sctp_sf_timer_ignore(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const union sctp_subtype type,void * arg,struct sctp_cmd_seq * commands)6284 enum sctp_disposition sctp_sf_timer_ignore(struct net *net,
6285 const struct sctp_endpoint *ep,
6286 const struct sctp_association *asoc,
6287 const union sctp_subtype type,
6288 void *arg,
6289 struct sctp_cmd_seq *commands)
6290 {
6291 pr_debug("%s: timer %d ignored\n", __func__, type.chunk);
6292
6293 return SCTP_DISPOSITION_CONSUME;
6294 }
6295
6296 /********************************************************************
6297 * 2nd Level Abstractions
6298 ********************************************************************/
6299
6300 /* Pull the SACK chunk based on the SACK header. */
sctp_sm_pull_sack(struct sctp_chunk * chunk)6301 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
6302 {
6303 struct sctp_sackhdr *sack;
6304 __u16 num_dup_tsns;
6305 unsigned int len;
6306 __u16 num_blocks;
6307
6308 /* Protect ourselves from reading too far into
6309 * the skb from a bogus sender.
6310 */
6311 sack = (struct sctp_sackhdr *) chunk->skb->data;
6312
6313 num_blocks = ntohs(sack->num_gap_ack_blocks);
6314 num_dup_tsns = ntohs(sack->num_dup_tsns);
6315 len = sizeof(struct sctp_sackhdr);
6316 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
6317 if (len > chunk->skb->len)
6318 return NULL;
6319
6320 skb_pull(chunk->skb, len);
6321
6322 return sack;
6323 }
6324
6325 /* Create an ABORT packet to be sent as a response, with the specified
6326 * error causes.
6327 */
sctp_abort_pkt_new(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,struct sctp_chunk * chunk,const void * payload,size_t paylen)6328 static struct sctp_packet *sctp_abort_pkt_new(
6329 struct net *net,
6330 const struct sctp_endpoint *ep,
6331 const struct sctp_association *asoc,
6332 struct sctp_chunk *chunk,
6333 const void *payload, size_t paylen)
6334 {
6335 struct sctp_packet *packet;
6336 struct sctp_chunk *abort;
6337
6338 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6339
6340 if (packet) {
6341 /* Make an ABORT.
6342 * The T bit will be set if the asoc is NULL.
6343 */
6344 abort = sctp_make_abort(asoc, chunk, paylen);
6345 if (!abort) {
6346 sctp_ootb_pkt_free(packet);
6347 return NULL;
6348 }
6349
6350 /* Reflect vtag if T-Bit is set */
6351 if (sctp_test_T_bit(abort))
6352 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
6353
6354 /* Add specified error causes, i.e., payload, to the
6355 * end of the chunk.
6356 */
6357 sctp_addto_chunk(abort, paylen, payload);
6358
6359 /* Set the skb to the belonging sock for accounting. */
6360 abort->skb->sk = ep->base.sk;
6361
6362 sctp_packet_append_chunk(packet, abort);
6363
6364 }
6365
6366 return packet;
6367 }
6368
6369 /* Allocate a packet for responding in the OOTB conditions. */
sctp_ootb_pkt_new(struct net * net,const struct sctp_association * asoc,const struct sctp_chunk * chunk)6370 static struct sctp_packet *sctp_ootb_pkt_new(
6371 struct net *net,
6372 const struct sctp_association *asoc,
6373 const struct sctp_chunk *chunk)
6374 {
6375 struct sctp_transport *transport;
6376 struct sctp_packet *packet;
6377 __u16 sport, dport;
6378 __u32 vtag;
6379
6380 /* Get the source and destination port from the inbound packet. */
6381 sport = ntohs(chunk->sctp_hdr->dest);
6382 dport = ntohs(chunk->sctp_hdr->source);
6383
6384 /* The V-tag is going to be the same as the inbound packet if no
6385 * association exists, otherwise, use the peer's vtag.
6386 */
6387 if (asoc) {
6388 /* Special case the INIT-ACK as there is no peer's vtag
6389 * yet.
6390 */
6391 switch (chunk->chunk_hdr->type) {
6392 case SCTP_CID_INIT:
6393 case SCTP_CID_INIT_ACK:
6394 {
6395 struct sctp_initack_chunk *initack;
6396
6397 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
6398 vtag = ntohl(initack->init_hdr.init_tag);
6399 break;
6400 }
6401 default:
6402 vtag = asoc->peer.i.init_tag;
6403 break;
6404 }
6405 } else {
6406 /* Special case the INIT and stale COOKIE_ECHO as there is no
6407 * vtag yet.
6408 */
6409 switch (chunk->chunk_hdr->type) {
6410 case SCTP_CID_INIT:
6411 {
6412 struct sctp_init_chunk *init;
6413
6414 init = (struct sctp_init_chunk *)chunk->chunk_hdr;
6415 vtag = ntohl(init->init_hdr.init_tag);
6416 break;
6417 }
6418 default:
6419 vtag = ntohl(chunk->sctp_hdr->vtag);
6420 break;
6421 }
6422 }
6423
6424 /* Make a transport for the bucket, Eliza... */
6425 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6426 if (!transport)
6427 goto nomem;
6428
6429 transport->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port;
6430
6431 /* Cache a route for the transport with the chunk's destination as
6432 * the source address.
6433 */
6434 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6435 sctp_sk(net->sctp.ctl_sock));
6436
6437 packet = &transport->packet;
6438 sctp_packet_init(packet, transport, sport, dport);
6439 sctp_packet_config(packet, vtag, 0);
6440
6441 return packet;
6442
6443 nomem:
6444 return NULL;
6445 }
6446
6447 /* Free the packet allocated earlier for responding in the OOTB condition. */
sctp_ootb_pkt_free(struct sctp_packet * packet)6448 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6449 {
6450 sctp_transport_free(packet->transport);
6451 }
6452
6453 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
sctp_send_stale_cookie_err(struct net * net,const struct sctp_endpoint * ep,const struct sctp_association * asoc,const struct sctp_chunk * chunk,struct sctp_cmd_seq * commands,struct sctp_chunk * err_chunk)6454 static void sctp_send_stale_cookie_err(struct net *net,
6455 const struct sctp_endpoint *ep,
6456 const struct sctp_association *asoc,
6457 const struct sctp_chunk *chunk,
6458 struct sctp_cmd_seq *commands,
6459 struct sctp_chunk *err_chunk)
6460 {
6461 struct sctp_packet *packet;
6462
6463 if (err_chunk) {
6464 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6465 if (packet) {
6466 struct sctp_signed_cookie *cookie;
6467
6468 /* Override the OOTB vtag from the cookie. */
6469 cookie = chunk->subh.cookie_hdr;
6470 packet->vtag = cookie->c.peer_vtag;
6471
6472 /* Set the skb to the belonging sock for accounting. */
6473 err_chunk->skb->sk = ep->base.sk;
6474 sctp_packet_append_chunk(packet, err_chunk);
6475 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6476 SCTP_PACKET(packet));
6477 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6478 } else
6479 sctp_chunk_free (err_chunk);
6480 }
6481 }
6482
6483
6484 /* Process a data chunk */
sctp_eat_data(const struct sctp_association * asoc,struct sctp_chunk * chunk,struct sctp_cmd_seq * commands)6485 static int sctp_eat_data(const struct sctp_association *asoc,
6486 struct sctp_chunk *chunk,
6487 struct sctp_cmd_seq *commands)
6488 {
6489 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6490 struct sock *sk = asoc->base.sk;
6491 struct net *net = sock_net(sk);
6492 struct sctp_datahdr *data_hdr;
6493 struct sctp_chunk *err;
6494 enum sctp_verb deliver;
6495 size_t datalen;
6496 __u32 tsn;
6497 int tmp;
6498
6499 data_hdr = (struct sctp_datahdr *)chunk->skb->data;
6500 chunk->subh.data_hdr = data_hdr;
6501 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream));
6502
6503 tsn = ntohl(data_hdr->tsn);
6504 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
6505
6506 /* ASSERT: Now skb->data is really the user data. */
6507
6508 /* Process ECN based congestion.
6509 *
6510 * Since the chunk structure is reused for all chunks within
6511 * a packet, we use ecn_ce_done to track if we've already
6512 * done CE processing for this packet.
6513 *
6514 * We need to do ECN processing even if we plan to discard the
6515 * chunk later.
6516 */
6517
6518 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) {
6519 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af;
6520 chunk->ecn_ce_done = 1;
6521
6522 if (af->is_ce(sctp_gso_headskb(chunk->skb))) {
6523 /* Do real work as side effect. */
6524 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6525 SCTP_U32(tsn));
6526 }
6527 }
6528
6529 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6530 if (tmp < 0) {
6531 /* The TSN is too high--silently discard the chunk and
6532 * count on it getting retransmitted later.
6533 */
6534 if (chunk->asoc)
6535 chunk->asoc->stats.outofseqtsns++;
6536 return SCTP_IERROR_HIGH_TSN;
6537 } else if (tmp > 0) {
6538 /* This is a duplicate. Record it. */
6539 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6540 return SCTP_IERROR_DUP_TSN;
6541 }
6542
6543 /* This is a new TSN. */
6544
6545 /* Discard if there is no room in the receive window.
6546 * Actually, allow a little bit of overflow (up to a MTU).
6547 */
6548 datalen = ntohs(chunk->chunk_hdr->length);
6549 datalen -= sctp_datachk_len(&asoc->stream);
6550
6551 deliver = SCTP_CMD_CHUNK_ULP;
6552
6553 /* Think about partial delivery. */
6554 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6555
6556 /* Even if we don't accept this chunk there is
6557 * memory pressure.
6558 */
6559 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6560 }
6561
6562 /* Spill over rwnd a little bit. Note: While allowed, this spill over
6563 * seems a bit troublesome in that frag_point varies based on
6564 * PMTU. In cases, such as loopback, this might be a rather
6565 * large spill over.
6566 */
6567 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6568 (datalen > asoc->rwnd + asoc->frag_point))) {
6569
6570 /* If this is the next TSN, consider reneging to make
6571 * room. Note: Playing nice with a confused sender. A
6572 * malicious sender can still eat up all our buffer
6573 * space and in the future we may want to detect and
6574 * do more drastic reneging.
6575 */
6576 if (sctp_tsnmap_has_gap(map) &&
6577 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6578 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
6579 deliver = SCTP_CMD_RENEGE;
6580 } else {
6581 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
6582 __func__, tsn, datalen, asoc->rwnd);
6583
6584 return SCTP_IERROR_IGNORE_TSN;
6585 }
6586 }
6587
6588 /*
6589 * Also try to renege to limit our memory usage in the event that
6590 * we are under memory pressure
6591 * If we can't renege, don't worry about it, the sk_rmem_schedule
6592 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6593 * memory usage too much
6594 */
6595 if (sk_under_memory_pressure(sk)) {
6596 if (sctp_tsnmap_has_gap(map) &&
6597 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6598 pr_debug("%s: under pressure, reneging for tsn:%u\n",
6599 __func__, tsn);
6600 deliver = SCTP_CMD_RENEGE;
6601 }
6602 }
6603
6604 /*
6605 * Section 3.3.10.9 No User Data (9)
6606 *
6607 * Cause of error
6608 * ---------------
6609 * No User Data: This error cause is returned to the originator of a
6610 * DATA chunk if a received DATA chunk has no user data.
6611 */
6612 if (unlikely(0 == datalen)) {
6613 err = sctp_make_abort_no_data(asoc, chunk, tsn);
6614 if (err) {
6615 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6616 SCTP_CHUNK(err));
6617 }
6618 /* We are going to ABORT, so we might as well stop
6619 * processing the rest of the chunks in the packet.
6620 */
6621 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
6622 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6623 SCTP_ERROR(ECONNABORTED));
6624 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6625 SCTP_PERR(SCTP_ERROR_NO_DATA));
6626 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6627 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6628 return SCTP_IERROR_NO_DATA;
6629 }
6630
6631 chunk->data_accepted = 1;
6632
6633 /* Note: Some chunks may get overcounted (if we drop) or overcounted
6634 * if we renege and the chunk arrives again.
6635 */
6636 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6637 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6638 if (chunk->asoc)
6639 chunk->asoc->stats.iuodchunks++;
6640 } else {
6641 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6642 if (chunk->asoc)
6643 chunk->asoc->stats.iodchunks++;
6644 }
6645
6646 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6647 *
6648 * If an endpoint receive a DATA chunk with an invalid stream
6649 * identifier, it shall acknowledge the reception of the DATA chunk
6650 * following the normal procedure, immediately send an ERROR chunk
6651 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6652 * and discard the DATA chunk.
6653 */
6654 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) {
6655 /* Mark tsn as received even though we drop it */
6656 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6657
6658 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6659 &data_hdr->stream,
6660 sizeof(data_hdr->stream),
6661 sizeof(u16));
6662 if (err)
6663 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6664 SCTP_CHUNK(err));
6665 return SCTP_IERROR_BAD_STREAM;
6666 }
6667
6668 /* Check to see if the SSN is possible for this TSN.
6669 * The biggest gap we can record is 4K wide. Since SSNs wrap
6670 * at an unsigned short, there is no way that an SSN can
6671 * wrap and for a valid TSN. We can simply check if the current
6672 * SSN is smaller then the next expected one. If it is, it wrapped
6673 * and is invalid.
6674 */
6675 if (!asoc->stream.si->validate_data(chunk))
6676 return SCTP_IERROR_PROTO_VIOLATION;
6677
6678 /* Send the data up to the user. Note: Schedule the
6679 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6680 * chunk needs the updated rwnd.
6681 */
6682 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6683
6684 return SCTP_IERROR_NO_ERROR;
6685 }
6686