1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * net/dccp/options.c 4 * 5 * An implementation of the DCCP protocol 6 * Copyright (c) 2005 Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org> 7 * Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@ghostprotocols.net> 8 * Copyright (c) 2005 Ian McDonald <ian.mcdonald@jandi.co.nz> 9 */ 10 #include <linux/dccp.h> 11 #include <linux/module.h> 12 #include <linux/types.h> 13 #include <asm/unaligned.h> 14 #include <linux/kernel.h> 15 #include <linux/skbuff.h> 16 17 #include "ackvec.h" 18 #include "ccid.h" 19 #include "dccp.h" 20 #include "feat.h" 21 22 u64 dccp_decode_value_var(const u8 *bf, const u8 len) 23 { 24 u64 value = 0; 25 26 if (len >= DCCP_OPTVAL_MAXLEN) 27 value += ((u64)*bf++) << 40; 28 if (len > 4) 29 value += ((u64)*bf++) << 32; 30 if (len > 3) 31 value += ((u64)*bf++) << 24; 32 if (len > 2) 33 value += ((u64)*bf++) << 16; 34 if (len > 1) 35 value += ((u64)*bf++) << 8; 36 if (len > 0) 37 value += *bf; 38 39 return value; 40 } 41 42 /** 43 * dccp_parse_options - Parse DCCP options present in @skb 44 * @sk: client|server|listening dccp socket (when @dreq != NULL) 45 * @dreq: request socket to use during connection setup, or NULL 46 */ 47 int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq, 48 struct sk_buff *skb) 49 { 50 struct dccp_sock *dp = dccp_sk(sk); 51 const struct dccp_hdr *dh = dccp_hdr(skb); 52 const u8 pkt_type = DCCP_SKB_CB(skb)->dccpd_type; 53 unsigned char *options = (unsigned char *)dh + dccp_hdr_len(skb); 54 unsigned char *opt_ptr = options; 55 const unsigned char *opt_end = (unsigned char *)dh + 56 (dh->dccph_doff * 4); 57 struct dccp_options_received *opt_recv = &dp->dccps_options_received; 58 unsigned char opt, len; 59 unsigned char *uninitialized_var(value); 60 u32 elapsed_time; 61 __be32 opt_val; 62 int rc; 63 int mandatory = 0; 64 65 memset(opt_recv, 0, sizeof(*opt_recv)); 66 67 opt = len = 0; 68 while (opt_ptr != opt_end) { 69 opt = *opt_ptr++; 70 len = 0; 71 value = NULL; 72 73 /* Check if this isn't a single byte option */ 74 if (opt > DCCPO_MAX_RESERVED) { 75 if (opt_ptr == opt_end) 76 goto out_nonsensical_length; 77 78 len = *opt_ptr++; 79 if (len < 2) 80 goto out_nonsensical_length; 81 /* 82 * Remove the type and len fields, leaving 83 * just the value size 84 */ 85 len -= 2; 86 value = opt_ptr; 87 opt_ptr += len; 88 89 if (opt_ptr > opt_end) 90 goto out_nonsensical_length; 91 } 92 93 /* 94 * CCID-specific options are ignored during connection setup, as 95 * negotiation may still be in progress (see RFC 4340, 10.3). 96 * The same applies to Ack Vectors, as these depend on the CCID. 97 */ 98 if (dreq != NULL && (opt >= DCCPO_MIN_RX_CCID_SPECIFIC || 99 opt == DCCPO_ACK_VECTOR_0 || opt == DCCPO_ACK_VECTOR_1)) 100 goto ignore_option; 101 102 switch (opt) { 103 case DCCPO_PADDING: 104 break; 105 case DCCPO_MANDATORY: 106 if (mandatory) 107 goto out_invalid_option; 108 if (pkt_type != DCCP_PKT_DATA) 109 mandatory = 1; 110 break; 111 case DCCPO_NDP_COUNT: 112 if (len > 6) 113 goto out_invalid_option; 114 115 opt_recv->dccpor_ndp = dccp_decode_value_var(value, len); 116 dccp_pr_debug("%s opt: NDP count=%llu\n", dccp_role(sk), 117 (unsigned long long)opt_recv->dccpor_ndp); 118 break; 119 case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R: 120 if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */ 121 break; 122 if (len == 0) 123 goto out_invalid_option; 124 rc = dccp_feat_parse_options(sk, dreq, mandatory, opt, 125 *value, value + 1, len - 1); 126 if (rc) 127 goto out_featneg_failed; 128 break; 129 case DCCPO_TIMESTAMP: 130 if (len != 4) 131 goto out_invalid_option; 132 /* 133 * RFC 4340 13.1: "The precise time corresponding to 134 * Timestamp Value zero is not specified". We use 135 * zero to indicate absence of a meaningful timestamp. 136 */ 137 opt_val = get_unaligned((__be32 *)value); 138 if (unlikely(opt_val == 0)) { 139 DCCP_WARN("Timestamp with zero value\n"); 140 break; 141 } 142 143 if (dreq != NULL) { 144 dreq->dreq_timestamp_echo = ntohl(opt_val); 145 dreq->dreq_timestamp_time = dccp_timestamp(); 146 } else { 147 opt_recv->dccpor_timestamp = 148 dp->dccps_timestamp_echo = ntohl(opt_val); 149 dp->dccps_timestamp_time = dccp_timestamp(); 150 } 151 dccp_pr_debug("%s rx opt: TIMESTAMP=%u, ackno=%llu\n", 152 dccp_role(sk), ntohl(opt_val), 153 (unsigned long long) 154 DCCP_SKB_CB(skb)->dccpd_ack_seq); 155 /* schedule an Ack in case this sender is quiescent */ 156 inet_csk_schedule_ack(sk); 157 break; 158 case DCCPO_TIMESTAMP_ECHO: 159 if (len != 4 && len != 6 && len != 8) 160 goto out_invalid_option; 161 162 opt_val = get_unaligned((__be32 *)value); 163 opt_recv->dccpor_timestamp_echo = ntohl(opt_val); 164 165 dccp_pr_debug("%s rx opt: TIMESTAMP_ECHO=%u, len=%d, " 166 "ackno=%llu", dccp_role(sk), 167 opt_recv->dccpor_timestamp_echo, 168 len + 2, 169 (unsigned long long) 170 DCCP_SKB_CB(skb)->dccpd_ack_seq); 171 172 value += 4; 173 174 if (len == 4) { /* no elapsed time included */ 175 dccp_pr_debug_cat("\n"); 176 break; 177 } 178 179 if (len == 6) { /* 2-byte elapsed time */ 180 __be16 opt_val2 = get_unaligned((__be16 *)value); 181 elapsed_time = ntohs(opt_val2); 182 } else { /* 4-byte elapsed time */ 183 opt_val = get_unaligned((__be32 *)value); 184 elapsed_time = ntohl(opt_val); 185 } 186 187 dccp_pr_debug_cat(", ELAPSED_TIME=%u\n", elapsed_time); 188 189 /* Give precedence to the biggest ELAPSED_TIME */ 190 if (elapsed_time > opt_recv->dccpor_elapsed_time) 191 opt_recv->dccpor_elapsed_time = elapsed_time; 192 break; 193 case DCCPO_ELAPSED_TIME: 194 if (dccp_packet_without_ack(skb)) /* RFC 4340, 13.2 */ 195 break; 196 197 if (len == 2) { 198 __be16 opt_val2 = get_unaligned((__be16 *)value); 199 elapsed_time = ntohs(opt_val2); 200 } else if (len == 4) { 201 opt_val = get_unaligned((__be32 *)value); 202 elapsed_time = ntohl(opt_val); 203 } else { 204 goto out_invalid_option; 205 } 206 207 if (elapsed_time > opt_recv->dccpor_elapsed_time) 208 opt_recv->dccpor_elapsed_time = elapsed_time; 209 210 dccp_pr_debug("%s rx opt: ELAPSED_TIME=%d\n", 211 dccp_role(sk), elapsed_time); 212 break; 213 case DCCPO_MIN_RX_CCID_SPECIFIC ... DCCPO_MAX_RX_CCID_SPECIFIC: 214 if (ccid_hc_rx_parse_options(dp->dccps_hc_rx_ccid, sk, 215 pkt_type, opt, value, len)) 216 goto out_invalid_option; 217 break; 218 case DCCPO_ACK_VECTOR_0: 219 case DCCPO_ACK_VECTOR_1: 220 if (dccp_packet_without_ack(skb)) /* RFC 4340, 11.4 */ 221 break; 222 /* 223 * Ack vectors are processed by the TX CCID if it is 224 * interested. The RX CCID need not parse Ack Vectors, 225 * since it is only interested in clearing old state. 226 */ 227 /* fall through */ 228 case DCCPO_MIN_TX_CCID_SPECIFIC ... DCCPO_MAX_TX_CCID_SPECIFIC: 229 if (ccid_hc_tx_parse_options(dp->dccps_hc_tx_ccid, sk, 230 pkt_type, opt, value, len)) 231 goto out_invalid_option; 232 break; 233 default: 234 DCCP_CRIT("DCCP(%p): option %d(len=%d) not " 235 "implemented, ignoring", sk, opt, len); 236 break; 237 } 238 ignore_option: 239 if (opt != DCCPO_MANDATORY) 240 mandatory = 0; 241 } 242 243 /* mandatory was the last byte in option list -> reset connection */ 244 if (mandatory) 245 goto out_invalid_option; 246 247 out_nonsensical_length: 248 /* RFC 4340, 5.8: ignore option and all remaining option space */ 249 return 0; 250 251 out_invalid_option: 252 DCCP_INC_STATS(DCCP_MIB_INVALIDOPT); 253 rc = DCCP_RESET_CODE_OPTION_ERROR; 254 out_featneg_failed: 255 DCCP_WARN("DCCP(%p): Option %d (len=%d) error=%u\n", sk, opt, len, rc); 256 DCCP_SKB_CB(skb)->dccpd_reset_code = rc; 257 DCCP_SKB_CB(skb)->dccpd_reset_data[0] = opt; 258 DCCP_SKB_CB(skb)->dccpd_reset_data[1] = len > 0 ? value[0] : 0; 259 DCCP_SKB_CB(skb)->dccpd_reset_data[2] = len > 1 ? value[1] : 0; 260 return -1; 261 } 262 263 EXPORT_SYMBOL_GPL(dccp_parse_options); 264 265 void dccp_encode_value_var(const u64 value, u8 *to, const u8 len) 266 { 267 if (len >= DCCP_OPTVAL_MAXLEN) 268 *to++ = (value & 0xFF0000000000ull) >> 40; 269 if (len > 4) 270 *to++ = (value & 0xFF00000000ull) >> 32; 271 if (len > 3) 272 *to++ = (value & 0xFF000000) >> 24; 273 if (len > 2) 274 *to++ = (value & 0xFF0000) >> 16; 275 if (len > 1) 276 *to++ = (value & 0xFF00) >> 8; 277 if (len > 0) 278 *to++ = (value & 0xFF); 279 } 280 281 static inline u8 dccp_ndp_len(const u64 ndp) 282 { 283 if (likely(ndp <= 0xFF)) 284 return 1; 285 return likely(ndp <= USHRT_MAX) ? 2 : (ndp <= UINT_MAX ? 4 : 6); 286 } 287 288 int dccp_insert_option(struct sk_buff *skb, const unsigned char option, 289 const void *value, const unsigned char len) 290 { 291 unsigned char *to; 292 293 if (DCCP_SKB_CB(skb)->dccpd_opt_len + len + 2 > DCCP_MAX_OPT_LEN) 294 return -1; 295 296 DCCP_SKB_CB(skb)->dccpd_opt_len += len + 2; 297 298 to = skb_push(skb, len + 2); 299 *to++ = option; 300 *to++ = len + 2; 301 302 memcpy(to, value, len); 303 return 0; 304 } 305 306 EXPORT_SYMBOL_GPL(dccp_insert_option); 307 308 static int dccp_insert_option_ndp(struct sock *sk, struct sk_buff *skb) 309 { 310 struct dccp_sock *dp = dccp_sk(sk); 311 u64 ndp = dp->dccps_ndp_count; 312 313 if (dccp_non_data_packet(skb)) 314 ++dp->dccps_ndp_count; 315 else 316 dp->dccps_ndp_count = 0; 317 318 if (ndp > 0) { 319 unsigned char *ptr; 320 const int ndp_len = dccp_ndp_len(ndp); 321 const int len = ndp_len + 2; 322 323 if (DCCP_SKB_CB(skb)->dccpd_opt_len + len > DCCP_MAX_OPT_LEN) 324 return -1; 325 326 DCCP_SKB_CB(skb)->dccpd_opt_len += len; 327 328 ptr = skb_push(skb, len); 329 *ptr++ = DCCPO_NDP_COUNT; 330 *ptr++ = len; 331 dccp_encode_value_var(ndp, ptr, ndp_len); 332 } 333 334 return 0; 335 } 336 337 static inline int dccp_elapsed_time_len(const u32 elapsed_time) 338 { 339 return elapsed_time == 0 ? 0 : elapsed_time <= 0xFFFF ? 2 : 4; 340 } 341 342 static int dccp_insert_option_timestamp(struct sk_buff *skb) 343 { 344 __be32 now = htonl(dccp_timestamp()); 345 /* yes this will overflow but that is the point as we want a 346 * 10 usec 32 bit timer which mean it wraps every 11.9 hours */ 347 348 return dccp_insert_option(skb, DCCPO_TIMESTAMP, &now, sizeof(now)); 349 } 350 351 static int dccp_insert_option_timestamp_echo(struct dccp_sock *dp, 352 struct dccp_request_sock *dreq, 353 struct sk_buff *skb) 354 { 355 __be32 tstamp_echo; 356 unsigned char *to; 357 u32 elapsed_time, elapsed_time_len, len; 358 359 if (dreq != NULL) { 360 elapsed_time = dccp_timestamp() - dreq->dreq_timestamp_time; 361 tstamp_echo = htonl(dreq->dreq_timestamp_echo); 362 dreq->dreq_timestamp_echo = 0; 363 } else { 364 elapsed_time = dccp_timestamp() - dp->dccps_timestamp_time; 365 tstamp_echo = htonl(dp->dccps_timestamp_echo); 366 dp->dccps_timestamp_echo = 0; 367 } 368 369 elapsed_time_len = dccp_elapsed_time_len(elapsed_time); 370 len = 6 + elapsed_time_len; 371 372 if (DCCP_SKB_CB(skb)->dccpd_opt_len + len > DCCP_MAX_OPT_LEN) 373 return -1; 374 375 DCCP_SKB_CB(skb)->dccpd_opt_len += len; 376 377 to = skb_push(skb, len); 378 *to++ = DCCPO_TIMESTAMP_ECHO; 379 *to++ = len; 380 381 memcpy(to, &tstamp_echo, 4); 382 to += 4; 383 384 if (elapsed_time_len == 2) { 385 const __be16 var16 = htons((u16)elapsed_time); 386 memcpy(to, &var16, 2); 387 } else if (elapsed_time_len == 4) { 388 const __be32 var32 = htonl(elapsed_time); 389 memcpy(to, &var32, 4); 390 } 391 392 return 0; 393 } 394 395 static int dccp_insert_option_ackvec(struct sock *sk, struct sk_buff *skb) 396 { 397 struct dccp_sock *dp = dccp_sk(sk); 398 struct dccp_ackvec *av = dp->dccps_hc_rx_ackvec; 399 struct dccp_skb_cb *dcb = DCCP_SKB_CB(skb); 400 const u16 buflen = dccp_ackvec_buflen(av); 401 /* Figure out how many options do we need to represent the ackvec */ 402 const u8 nr_opts = DIV_ROUND_UP(buflen, DCCP_SINGLE_OPT_MAXLEN); 403 u16 len = buflen + 2 * nr_opts; 404 u8 i, nonce = 0; 405 const unsigned char *tail, *from; 406 unsigned char *to; 407 408 if (dcb->dccpd_opt_len + len > DCCP_MAX_OPT_LEN) { 409 DCCP_WARN("Lacking space for %u bytes on %s packet\n", len, 410 dccp_packet_name(dcb->dccpd_type)); 411 return -1; 412 } 413 /* 414 * Since Ack Vectors are variable-length, we can not always predict 415 * their size. To catch exception cases where the space is running out 416 * on the skb, a separate Sync is scheduled to carry the Ack Vector. 417 */ 418 if (len > DCCPAV_MIN_OPTLEN && 419 len + dcb->dccpd_opt_len + skb->len > dp->dccps_mss_cache) { 420 DCCP_WARN("No space left for Ack Vector (%u) on skb (%u+%u), " 421 "MPS=%u ==> reduce payload size?\n", len, skb->len, 422 dcb->dccpd_opt_len, dp->dccps_mss_cache); 423 dp->dccps_sync_scheduled = 1; 424 return 0; 425 } 426 dcb->dccpd_opt_len += len; 427 428 to = skb_push(skb, len); 429 len = buflen; 430 from = av->av_buf + av->av_buf_head; 431 tail = av->av_buf + DCCPAV_MAX_ACKVEC_LEN; 432 433 for (i = 0; i < nr_opts; ++i) { 434 int copylen = len; 435 436 if (len > DCCP_SINGLE_OPT_MAXLEN) 437 copylen = DCCP_SINGLE_OPT_MAXLEN; 438 439 /* 440 * RFC 4340, 12.2: Encode the Nonce Echo for this Ack Vector via 441 * its type; ack_nonce is the sum of all individual buf_nonce's. 442 */ 443 nonce ^= av->av_buf_nonce[i]; 444 445 *to++ = DCCPO_ACK_VECTOR_0 + av->av_buf_nonce[i]; 446 *to++ = copylen + 2; 447 448 /* Check if buf_head wraps */ 449 if (from + copylen > tail) { 450 const u16 tailsize = tail - from; 451 452 memcpy(to, from, tailsize); 453 to += tailsize; 454 len -= tailsize; 455 copylen -= tailsize; 456 from = av->av_buf; 457 } 458 459 memcpy(to, from, copylen); 460 from += copylen; 461 to += copylen; 462 len -= copylen; 463 } 464 /* 465 * Each sent Ack Vector is recorded in the list, as per A.2 of RFC 4340. 466 */ 467 if (dccp_ackvec_update_records(av, dcb->dccpd_seq, nonce)) 468 return -ENOBUFS; 469 return 0; 470 } 471 472 /** 473 * dccp_insert_option_mandatory - Mandatory option (5.8.2) 474 * Note that since we are using skb_push, this function needs to be called 475 * _after_ inserting the option it is supposed to influence (stack order). 476 */ 477 int dccp_insert_option_mandatory(struct sk_buff *skb) 478 { 479 if (DCCP_SKB_CB(skb)->dccpd_opt_len >= DCCP_MAX_OPT_LEN) 480 return -1; 481 482 DCCP_SKB_CB(skb)->dccpd_opt_len++; 483 *(u8 *)skb_push(skb, 1) = DCCPO_MANDATORY; 484 return 0; 485 } 486 487 /** 488 * dccp_insert_fn_opt - Insert single Feature-Negotiation option into @skb 489 * @type: %DCCPO_CHANGE_L, %DCCPO_CHANGE_R, %DCCPO_CONFIRM_L, %DCCPO_CONFIRM_R 490 * @feat: one out of %dccp_feature_numbers 491 * @val: NN value or SP array (preferred element first) to copy 492 * @len: true length of @val in bytes (excluding first element repetition) 493 * @repeat_first: whether to copy the first element of @val twice 494 * 495 * The last argument is used to construct Confirm options, where the preferred 496 * value and the preference list appear separately (RFC 4340, 6.3.1). Preference 497 * lists are kept such that the preferred entry is always first, so we only need 498 * to copy twice, and avoid the overhead of cloning into a bigger array. 499 */ 500 int dccp_insert_fn_opt(struct sk_buff *skb, u8 type, u8 feat, 501 u8 *val, u8 len, bool repeat_first) 502 { 503 u8 tot_len, *to; 504 505 /* take the `Feature' field and possible repetition into account */ 506 if (len > (DCCP_SINGLE_OPT_MAXLEN - 2)) { 507 DCCP_WARN("length %u for feature %u too large\n", len, feat); 508 return -1; 509 } 510 511 if (unlikely(val == NULL || len == 0)) 512 len = repeat_first = false; 513 tot_len = 3 + repeat_first + len; 514 515 if (DCCP_SKB_CB(skb)->dccpd_opt_len + tot_len > DCCP_MAX_OPT_LEN) { 516 DCCP_WARN("packet too small for feature %d option!\n", feat); 517 return -1; 518 } 519 DCCP_SKB_CB(skb)->dccpd_opt_len += tot_len; 520 521 to = skb_push(skb, tot_len); 522 *to++ = type; 523 *to++ = tot_len; 524 *to++ = feat; 525 526 if (repeat_first) 527 *to++ = *val; 528 if (len) 529 memcpy(to, val, len); 530 return 0; 531 } 532 533 /* The length of all options needs to be a multiple of 4 (5.8) */ 534 static void dccp_insert_option_padding(struct sk_buff *skb) 535 { 536 int padding = DCCP_SKB_CB(skb)->dccpd_opt_len % 4; 537 538 if (padding != 0) { 539 padding = 4 - padding; 540 memset(skb_push(skb, padding), 0, padding); 541 DCCP_SKB_CB(skb)->dccpd_opt_len += padding; 542 } 543 } 544 545 int dccp_insert_options(struct sock *sk, struct sk_buff *skb) 546 { 547 struct dccp_sock *dp = dccp_sk(sk); 548 549 DCCP_SKB_CB(skb)->dccpd_opt_len = 0; 550 551 if (dp->dccps_send_ndp_count && dccp_insert_option_ndp(sk, skb)) 552 return -1; 553 554 if (DCCP_SKB_CB(skb)->dccpd_type != DCCP_PKT_DATA) { 555 556 /* Feature Negotiation */ 557 if (dccp_feat_insert_opts(dp, NULL, skb)) 558 return -1; 559 560 if (DCCP_SKB_CB(skb)->dccpd_type == DCCP_PKT_REQUEST) { 561 /* 562 * Obtain RTT sample from Request/Response exchange. 563 * This is currently used for TFRC initialisation. 564 */ 565 if (dccp_insert_option_timestamp(skb)) 566 return -1; 567 568 } else if (dccp_ackvec_pending(sk) && 569 dccp_insert_option_ackvec(sk, skb)) { 570 return -1; 571 } 572 } 573 574 if (dp->dccps_hc_rx_insert_options) { 575 if (ccid_hc_rx_insert_options(dp->dccps_hc_rx_ccid, sk, skb)) 576 return -1; 577 dp->dccps_hc_rx_insert_options = 0; 578 } 579 580 if (dp->dccps_timestamp_echo != 0 && 581 dccp_insert_option_timestamp_echo(dp, NULL, skb)) 582 return -1; 583 584 dccp_insert_option_padding(skb); 585 return 0; 586 } 587 588 int dccp_insert_options_rsk(struct dccp_request_sock *dreq, struct sk_buff *skb) 589 { 590 DCCP_SKB_CB(skb)->dccpd_opt_len = 0; 591 592 if (dccp_feat_insert_opts(NULL, dreq, skb)) 593 return -1; 594 595 /* Obtain RTT sample from Response/Ack exchange (used by TFRC). */ 596 if (dccp_insert_option_timestamp(skb)) 597 return -1; 598 599 if (dreq->dreq_timestamp_echo != 0 && 600 dccp_insert_option_timestamp_echo(NULL, dreq, skb)) 601 return -1; 602 603 dccp_insert_option_padding(skb); 604 return 0; 605 } 606