1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* SCTP kernel implementation 3 * (C) Copyright IBM Corp. 2001, 2004 4 * Copyright (c) 1999-2000 Cisco, Inc. 5 * Copyright (c) 1999-2001 Motorola, Inc. 6 * Copyright (c) 2001-2002 Intel Corp. 7 * Copyright (c) 2002 Nokia Corp. 8 * 9 * This is part of the SCTP Linux Kernel Implementation. 10 * 11 * These are the state functions for the state machine. 12 * 13 * Please send any bug reports or fixes you make to the 14 * email address(es): 15 * lksctp developers <linux-sctp@vger.kernel.org> 16 * 17 * Written or modified by: 18 * La Monte H.P. Yarroll <piggy@acm.org> 19 * Karl Knutson <karl@athena.chicago.il.us> 20 * Mathew Kotowsky <kotowsky@sctp.org> 21 * Sridhar Samudrala <samudrala@us.ibm.com> 22 * Jon Grimm <jgrimm@us.ibm.com> 23 * Hui Huang <hui.huang@nokia.com> 24 * Dajiang Zhang <dajiang.zhang@nokia.com> 25 * Daisy Chang <daisyc@us.ibm.com> 26 * Ardelle Fan <ardelle.fan@intel.com> 27 * Ryan Layer <rmlayer@us.ibm.com> 28 * Kevin Gao <kevin.gao@intel.com> 29 */ 30 31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 32 33 #include <linux/types.h> 34 #include <linux/kernel.h> 35 #include <linux/ip.h> 36 #include <linux/ipv6.h> 37 #include <linux/net.h> 38 #include <linux/inet.h> 39 #include <linux/slab.h> 40 #include <net/sock.h> 41 #include <net/inet_ecn.h> 42 #include <linux/skbuff.h> 43 #include <net/sctp/sctp.h> 44 #include <net/sctp/sm.h> 45 #include <net/sctp/structs.h> 46 47 #define CREATE_TRACE_POINTS 48 #include <trace/events/sctp.h> 49 50 static struct sctp_packet *sctp_abort_pkt_new( 51 struct net *net, 52 const struct sctp_endpoint *ep, 53 const struct sctp_association *asoc, 54 struct sctp_chunk *chunk, 55 const void *payload, size_t paylen); 56 static int sctp_eat_data(const struct sctp_association *asoc, 57 struct sctp_chunk *chunk, 58 struct sctp_cmd_seq *commands); 59 static struct sctp_packet *sctp_ootb_pkt_new( 60 struct net *net, 61 const struct sctp_association *asoc, 62 const struct sctp_chunk *chunk); 63 static void sctp_send_stale_cookie_err(struct net *net, 64 const struct sctp_endpoint *ep, 65 const struct sctp_association *asoc, 66 const struct sctp_chunk *chunk, 67 struct sctp_cmd_seq *commands, 68 struct sctp_chunk *err_chunk); 69 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 70 struct net *net, 71 const struct sctp_endpoint *ep, 72 const struct sctp_association *asoc, 73 const union sctp_subtype type, 74 void *arg, 75 struct sctp_cmd_seq *commands); 76 static enum sctp_disposition sctp_sf_shut_8_4_5( 77 struct net *net, 78 const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const union sctp_subtype type, 81 void *arg, 82 struct sctp_cmd_seq *commands); 83 static enum sctp_disposition sctp_sf_tabort_8_4_8( 84 struct net *net, 85 const struct sctp_endpoint *ep, 86 const struct sctp_association *asoc, 87 const union sctp_subtype type, 88 void *arg, 89 struct sctp_cmd_seq *commands); 90 static enum sctp_disposition sctp_sf_new_encap_port( 91 struct net *net, 92 const struct sctp_endpoint *ep, 93 const struct sctp_association *asoc, 94 const union sctp_subtype type, 95 void *arg, 96 struct sctp_cmd_seq *commands); 97 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 98 99 static enum sctp_disposition sctp_stop_t1_and_abort( 100 struct net *net, 101 struct sctp_cmd_seq *commands, 102 __be16 error, int sk_err, 103 const struct sctp_association *asoc, 104 struct sctp_transport *transport); 105 106 static enum sctp_disposition sctp_sf_abort_violation( 107 struct net *net, 108 const struct sctp_endpoint *ep, 109 const struct sctp_association *asoc, 110 void *arg, 111 struct sctp_cmd_seq *commands, 112 const __u8 *payload, 113 const size_t paylen); 114 115 static enum sctp_disposition sctp_sf_violation_chunklen( 116 struct net *net, 117 const struct sctp_endpoint *ep, 118 const struct sctp_association *asoc, 119 const union sctp_subtype type, 120 void *arg, 121 struct sctp_cmd_seq *commands); 122 123 static enum sctp_disposition sctp_sf_violation_paramlen( 124 struct net *net, 125 const struct sctp_endpoint *ep, 126 const struct sctp_association *asoc, 127 const union sctp_subtype type, 128 void *arg, void *ext, 129 struct sctp_cmd_seq *commands); 130 131 static enum sctp_disposition sctp_sf_violation_ctsn( 132 struct net *net, 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const union sctp_subtype type, 136 void *arg, 137 struct sctp_cmd_seq *commands); 138 139 static enum sctp_disposition sctp_sf_violation_chunk( 140 struct net *net, 141 const struct sctp_endpoint *ep, 142 const struct sctp_association *asoc, 143 const union sctp_subtype type, 144 void *arg, 145 struct sctp_cmd_seq *commands); 146 147 static enum sctp_ierror sctp_sf_authenticate( 148 const struct sctp_association *asoc, 149 struct sctp_chunk *chunk); 150 151 static enum sctp_disposition __sctp_sf_do_9_1_abort( 152 struct net *net, 153 const struct sctp_endpoint *ep, 154 const struct sctp_association *asoc, 155 const union sctp_subtype type, 156 void *arg, 157 struct sctp_cmd_seq *commands); 158 159 static enum sctp_disposition 160 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 161 const struct sctp_association *asoc, 162 const union sctp_subtype type, void *arg, 163 struct sctp_cmd_seq *commands); 164 165 /* Small helper function that checks if the chunk length 166 * is of the appropriate length. The 'required_length' argument 167 * is set to be the size of a specific chunk we are testing. 168 * Return Values: true = Valid length 169 * false = Invalid length 170 * 171 */ 172 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, 173 __u16 required_length) 174 { 175 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 176 177 /* Previously already marked? */ 178 if (unlikely(chunk->pdiscard)) 179 return false; 180 if (unlikely(chunk_length < required_length)) 181 return false; 182 183 return true; 184 } 185 186 /* Check for format error in an ABORT chunk */ 187 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) 188 { 189 struct sctp_errhdr *err; 190 191 sctp_walk_errors(err, chunk->chunk_hdr); 192 193 return (void *)err == (void *)chunk->chunk_end; 194 } 195 196 /********************************************************** 197 * These are the state functions for handling chunk events. 198 **********************************************************/ 199 200 /* 201 * Process the final SHUTDOWN COMPLETE. 202 * 203 * Section: 4 (C) (diagram), 9.2 204 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 205 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 206 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 207 * should stop the T2-shutdown timer and remove all knowledge of the 208 * association (and thus the association enters the CLOSED state). 209 * 210 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 211 * C) Rules for packet carrying SHUTDOWN COMPLETE: 212 * ... 213 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 214 * if the Verification Tag field of the packet matches its own tag and 215 * the T bit is not set 216 * OR 217 * it is set to its peer's tag and the T bit is set in the Chunk 218 * Flags. 219 * Otherwise, the receiver MUST silently discard the packet 220 * and take no further action. An endpoint MUST ignore the 221 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 222 * 223 * Inputs 224 * (endpoint, asoc, chunk) 225 * 226 * Outputs 227 * (asoc, reply_msg, msg_up, timers, counters) 228 * 229 * The return value is the disposition of the chunk. 230 */ 231 enum sctp_disposition sctp_sf_do_4_C(struct net *net, 232 const struct sctp_endpoint *ep, 233 const struct sctp_association *asoc, 234 const union sctp_subtype type, 235 void *arg, struct sctp_cmd_seq *commands) 236 { 237 struct sctp_chunk *chunk = arg; 238 struct sctp_ulpevent *ev; 239 240 if (!sctp_vtag_verify_either(chunk, asoc)) 241 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 242 243 /* RFC 2960 6.10 Bundling 244 * 245 * An endpoint MUST NOT bundle INIT, INIT ACK or 246 * SHUTDOWN COMPLETE with any other chunks. 247 */ 248 if (!chunk->singleton) 249 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 250 251 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 252 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 253 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 254 commands); 255 256 /* RFC 2960 10.2 SCTP-to-ULP 257 * 258 * H) SHUTDOWN COMPLETE notification 259 * 260 * When SCTP completes the shutdown procedures (section 9.2) this 261 * notification is passed to the upper layer. 262 */ 263 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 264 0, 0, 0, NULL, GFP_ATOMIC); 265 if (ev) 266 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 267 SCTP_ULPEVENT(ev)); 268 269 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 270 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 271 * not the chunk should be discarded. If the endpoint is in 272 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 273 * T2-shutdown timer and remove all knowledge of the 274 * association (and thus the association enters the CLOSED 275 * state). 276 */ 277 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 278 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 279 280 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 281 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 282 283 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 284 SCTP_STATE(SCTP_STATE_CLOSED)); 285 286 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 287 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 288 289 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 290 291 return SCTP_DISPOSITION_DELETE_TCB; 292 } 293 294 /* 295 * Respond to a normal INIT chunk. 296 * We are the side that is being asked for an association. 297 * 298 * Section: 5.1 Normal Establishment of an Association, B 299 * B) "Z" shall respond immediately with an INIT ACK chunk. The 300 * destination IP address of the INIT ACK MUST be set to the source 301 * IP address of the INIT to which this INIT ACK is responding. In 302 * the response, besides filling in other parameters, "Z" must set the 303 * Verification Tag field to Tag_A, and also provide its own 304 * Verification Tag (Tag_Z) in the Initiate Tag field. 305 * 306 * Verification Tag: Must be 0. 307 * 308 * Inputs 309 * (endpoint, asoc, chunk) 310 * 311 * Outputs 312 * (asoc, reply_msg, msg_up, timers, counters) 313 * 314 * The return value is the disposition of the chunk. 315 */ 316 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, 317 const struct sctp_endpoint *ep, 318 const struct sctp_association *asoc, 319 const union sctp_subtype type, 320 void *arg, 321 struct sctp_cmd_seq *commands) 322 { 323 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 324 struct sctp_unrecognized_param *unk_param; 325 struct sctp_association *new_asoc; 326 struct sctp_packet *packet; 327 int len; 328 329 /* 6.10 Bundling 330 * An endpoint MUST NOT bundle INIT, INIT ACK or 331 * SHUTDOWN COMPLETE with any other chunks. 332 * 333 * IG Section 2.11.2 334 * Furthermore, we require that the receiver of an INIT chunk MUST 335 * enforce these rules by silently discarding an arriving packet 336 * with an INIT chunk that is bundled with other chunks. 337 */ 338 if (!chunk->singleton) 339 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 340 341 /* Make sure that the INIT chunk has a valid length. 342 * Normally, this would cause an ABORT with a Protocol Violation 343 * error, but since we don't have an association, we'll 344 * just discard the packet. 345 */ 346 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 347 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 348 349 /* If the packet is an OOTB packet which is temporarily on the 350 * control endpoint, respond with an ABORT. 351 */ 352 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 353 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 354 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 355 } 356 357 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 358 * Tag. 359 */ 360 if (chunk->sctp_hdr->vtag != 0) 361 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 362 363 /* If the INIT is coming toward a closing socket, we'll send back 364 * and ABORT. Essentially, this catches the race of INIT being 365 * backloged to the socket at the same time as the user issues close(). 366 * Since the socket and all its associations are going away, we 367 * can treat this OOTB 368 */ 369 if (sctp_sstate(ep->base.sk, CLOSING)) 370 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 371 372 /* Verify the INIT chunk before processing it. */ 373 err_chunk = NULL; 374 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 375 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 376 &err_chunk)) { 377 /* This chunk contains fatal error. It is to be discarded. 378 * Send an ABORT, with causes if there is any. 379 */ 380 if (err_chunk) { 381 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 382 (__u8 *)(err_chunk->chunk_hdr) + 383 sizeof(struct sctp_chunkhdr), 384 ntohs(err_chunk->chunk_hdr->length) - 385 sizeof(struct sctp_chunkhdr)); 386 387 sctp_chunk_free(err_chunk); 388 389 if (packet) { 390 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 391 SCTP_PACKET(packet)); 392 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 393 return SCTP_DISPOSITION_CONSUME; 394 } else { 395 return SCTP_DISPOSITION_NOMEM; 396 } 397 } else { 398 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 399 commands); 400 } 401 } 402 403 /* Grab the INIT header. */ 404 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 405 406 /* Tag the variable length parameters. */ 407 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 408 409 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 410 if (!new_asoc) 411 goto nomem; 412 413 /* Update socket peer label if first association. */ 414 if (security_sctp_assoc_request(new_asoc, chunk->skb)) { 415 sctp_association_free(new_asoc); 416 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 417 } 418 419 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 420 sctp_scope(sctp_source(chunk)), 421 GFP_ATOMIC) < 0) 422 goto nomem_init; 423 424 /* The call, sctp_process_init(), can fail on memory allocation. */ 425 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 426 (struct sctp_init_chunk *)chunk->chunk_hdr, 427 GFP_ATOMIC)) 428 goto nomem_init; 429 430 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 431 432 /* If there are errors need to be reported for unknown parameters, 433 * make sure to reserve enough room in the INIT ACK for them. 434 */ 435 len = 0; 436 if (err_chunk) 437 len = ntohs(err_chunk->chunk_hdr->length) - 438 sizeof(struct sctp_chunkhdr); 439 440 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 441 if (!repl) 442 goto nomem_init; 443 444 /* If there are errors need to be reported for unknown parameters, 445 * include them in the outgoing INIT ACK as "Unrecognized parameter" 446 * parameter. 447 */ 448 if (err_chunk) { 449 /* Get the "Unrecognized parameter" parameter(s) out of the 450 * ERROR chunk generated by sctp_verify_init(). Since the 451 * error cause code for "unknown parameter" and the 452 * "Unrecognized parameter" type is the same, we can 453 * construct the parameters in INIT ACK by copying the 454 * ERROR causes over. 455 */ 456 unk_param = (struct sctp_unrecognized_param *) 457 ((__u8 *)(err_chunk->chunk_hdr) + 458 sizeof(struct sctp_chunkhdr)); 459 /* Replace the cause code with the "Unrecognized parameter" 460 * parameter type. 461 */ 462 sctp_addto_chunk(repl, len, unk_param); 463 sctp_chunk_free(err_chunk); 464 } 465 466 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 467 468 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 469 470 /* 471 * Note: After sending out INIT ACK with the State Cookie parameter, 472 * "Z" MUST NOT allocate any resources, nor keep any states for the 473 * new association. Otherwise, "Z" will be vulnerable to resource 474 * attacks. 475 */ 476 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 477 478 return SCTP_DISPOSITION_DELETE_TCB; 479 480 nomem_init: 481 sctp_association_free(new_asoc); 482 nomem: 483 if (err_chunk) 484 sctp_chunk_free(err_chunk); 485 return SCTP_DISPOSITION_NOMEM; 486 } 487 488 /* 489 * Respond to a normal INIT ACK chunk. 490 * We are the side that is initiating the association. 491 * 492 * Section: 5.1 Normal Establishment of an Association, C 493 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 494 * timer and leave COOKIE-WAIT state. "A" shall then send the State 495 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 496 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 497 * 498 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 499 * DATA chunks, but it MUST be the first chunk in the packet and 500 * until the COOKIE ACK is returned the sender MUST NOT send any 501 * other packets to the peer. 502 * 503 * Verification Tag: 3.3.3 504 * If the value of the Initiate Tag in a received INIT ACK chunk is 505 * found to be 0, the receiver MUST treat it as an error and close the 506 * association by transmitting an ABORT. 507 * 508 * Inputs 509 * (endpoint, asoc, chunk) 510 * 511 * Outputs 512 * (asoc, reply_msg, msg_up, timers, counters) 513 * 514 * The return value is the disposition of the chunk. 515 */ 516 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, 517 const struct sctp_endpoint *ep, 518 const struct sctp_association *asoc, 519 const union sctp_subtype type, 520 void *arg, 521 struct sctp_cmd_seq *commands) 522 { 523 struct sctp_init_chunk *initchunk; 524 struct sctp_chunk *chunk = arg; 525 struct sctp_chunk *err_chunk; 526 struct sctp_packet *packet; 527 528 if (!sctp_vtag_verify(chunk, asoc)) 529 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 530 531 /* 6.10 Bundling 532 * An endpoint MUST NOT bundle INIT, INIT ACK or 533 * SHUTDOWN COMPLETE with any other chunks. 534 */ 535 if (!chunk->singleton) 536 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 537 538 /* Make sure that the INIT-ACK chunk has a valid length */ 539 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) 540 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 541 commands); 542 /* Grab the INIT header. */ 543 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 544 545 /* Verify the INIT chunk before processing it. */ 546 err_chunk = NULL; 547 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 548 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 549 &err_chunk)) { 550 551 enum sctp_error error = SCTP_ERROR_NO_RESOURCE; 552 553 /* This chunk contains fatal error. It is to be discarded. 554 * Send an ABORT, with causes. If there are no causes, 555 * then there wasn't enough memory. Just terminate 556 * the association. 557 */ 558 if (err_chunk) { 559 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 560 (__u8 *)(err_chunk->chunk_hdr) + 561 sizeof(struct sctp_chunkhdr), 562 ntohs(err_chunk->chunk_hdr->length) - 563 sizeof(struct sctp_chunkhdr)); 564 565 sctp_chunk_free(err_chunk); 566 567 if (packet) { 568 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 569 SCTP_PACKET(packet)); 570 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 571 error = SCTP_ERROR_INV_PARAM; 572 } 573 } 574 575 /* SCTP-AUTH, Section 6.3: 576 * It should be noted that if the receiver wants to tear 577 * down an association in an authenticated way only, the 578 * handling of malformed packets should not result in 579 * tearing down the association. 580 * 581 * This means that if we only want to abort associations 582 * in an authenticated way (i.e AUTH+ABORT), then we 583 * can't destroy this association just because the packet 584 * was malformed. 585 */ 586 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 587 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 588 589 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 590 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 591 asoc, chunk->transport); 592 } 593 594 /* Tag the variable length parameters. Note that we never 595 * convert the parameters in an INIT chunk. 596 */ 597 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 598 599 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; 600 601 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 602 SCTP_PEER_INIT(initchunk)); 603 604 /* Reset init error count upon receipt of INIT-ACK. */ 605 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 606 607 /* 5.1 C) "A" shall stop the T1-init timer and leave 608 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 609 * timer, and enter the COOKIE-ECHOED state. 610 */ 611 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 612 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 613 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 614 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 615 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 616 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 617 618 /* SCTP-AUTH: generate the association shared keys so that 619 * we can potentially sign the COOKIE-ECHO. 620 */ 621 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 622 623 /* 5.1 C) "A" shall then send the State Cookie received in the 624 * INIT ACK chunk in a COOKIE ECHO chunk, ... 625 */ 626 /* If there is any errors to report, send the ERROR chunk generated 627 * for unknown parameters as well. 628 */ 629 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 630 SCTP_CHUNK(err_chunk)); 631 632 return SCTP_DISPOSITION_CONSUME; 633 } 634 635 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk, 636 const struct sctp_association *asoc) 637 { 638 struct sctp_chunk auth; 639 640 if (!chunk->auth_chunk) 641 return true; 642 643 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 644 * is supposed to be authenticated and we have to do delayed 645 * authentication. We've just recreated the association using 646 * the information in the cookie and now it's much easier to 647 * do the authentication. 648 */ 649 650 /* Make sure that we and the peer are AUTH capable */ 651 if (!net->sctp.auth_enable || !asoc->peer.auth_capable) 652 return false; 653 654 /* set-up our fake chunk so that we can process it */ 655 auth.skb = chunk->auth_chunk; 656 auth.asoc = chunk->asoc; 657 auth.sctp_hdr = chunk->sctp_hdr; 658 auth.chunk_hdr = (struct sctp_chunkhdr *) 659 skb_push(chunk->auth_chunk, 660 sizeof(struct sctp_chunkhdr)); 661 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); 662 auth.transport = chunk->transport; 663 664 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR; 665 } 666 667 /* 668 * Respond to a normal COOKIE ECHO chunk. 669 * We are the side that is being asked for an association. 670 * 671 * Section: 5.1 Normal Establishment of an Association, D 672 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 673 * with a COOKIE ACK chunk after building a TCB and moving to 674 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 675 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 676 * chunk MUST be the first chunk in the packet. 677 * 678 * IMPLEMENTATION NOTE: An implementation may choose to send the 679 * Communication Up notification to the SCTP user upon reception 680 * of a valid COOKIE ECHO chunk. 681 * 682 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 683 * D) Rules for packet carrying a COOKIE ECHO 684 * 685 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 686 * Initial Tag received in the INIT ACK. 687 * 688 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 689 * 690 * Inputs 691 * (endpoint, asoc, chunk) 692 * 693 * Outputs 694 * (asoc, reply_msg, msg_up, timers, counters) 695 * 696 * The return value is the disposition of the chunk. 697 */ 698 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 699 const struct sctp_endpoint *ep, 700 const struct sctp_association *asoc, 701 const union sctp_subtype type, 702 void *arg, 703 struct sctp_cmd_seq *commands) 704 { 705 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; 706 struct sctp_association *new_asoc; 707 struct sctp_init_chunk *peer_init; 708 struct sctp_chunk *chunk = arg; 709 struct sctp_chunk *err_chk_p; 710 struct sctp_chunk *repl; 711 struct sock *sk; 712 int error = 0; 713 714 if (asoc && !sctp_vtag_verify(chunk, asoc)) 715 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 716 717 /* If the packet is an OOTB packet which is temporarily on the 718 * control endpoint, respond with an ABORT. 719 */ 720 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 721 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 722 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 723 } 724 725 /* Make sure that the COOKIE_ECHO chunk has a valid length. 726 * In this case, we check that we have enough for at least a 727 * chunk header. More detailed verification is done 728 * in sctp_unpack_cookie(). 729 */ 730 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 731 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 732 commands); 733 734 /* If the endpoint is not listening or if the number of associations 735 * on the TCP-style socket exceed the max backlog, respond with an 736 * ABORT. 737 */ 738 sk = ep->base.sk; 739 if (!sctp_sstate(sk, LISTENING) || 740 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 741 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 742 743 /* "Decode" the chunk. We have no optional parameters so we 744 * are in good shape. 745 */ 746 chunk->subh.cookie_hdr = 747 (struct sctp_signed_cookie *)chunk->skb->data; 748 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 749 sizeof(struct sctp_chunkhdr))) 750 goto nomem; 751 752 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 753 * "Z" will reply with a COOKIE ACK chunk after building a TCB 754 * and moving to the ESTABLISHED state. 755 */ 756 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 757 &err_chk_p); 758 759 /* FIXME: 760 * If the re-build failed, what is the proper error path 761 * from here? 762 * 763 * [We should abort the association. --piggy] 764 */ 765 if (!new_asoc) { 766 /* FIXME: Several errors are possible. A bad cookie should 767 * be silently discarded, but think about logging it too. 768 */ 769 switch (error) { 770 case -SCTP_IERROR_NOMEM: 771 goto nomem; 772 773 case -SCTP_IERROR_STALE_COOKIE: 774 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 775 err_chk_p); 776 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 777 778 case -SCTP_IERROR_BAD_SIG: 779 default: 780 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 781 } 782 } 783 784 if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) { 785 sctp_association_free(new_asoc); 786 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 787 } 788 789 /* Delay state machine commands until later. 790 * 791 * Re-build the bind address for the association is done in 792 * the sctp_unpack_cookie() already. 793 */ 794 /* This is a brand-new association, so these are not yet side 795 * effects--it is safe to run them here. 796 */ 797 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1); 798 if (!sctp_process_init(new_asoc, chunk, 799 &chunk->subh.cookie_hdr->c.peer_addr, 800 peer_init, GFP_ATOMIC)) 801 goto nomem_init; 802 803 /* SCTP-AUTH: Now that we've populate required fields in 804 * sctp_process_init, set up the association shared keys as 805 * necessary so that we can potentially authenticate the ACK 806 */ 807 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 808 if (error) 809 goto nomem_init; 810 811 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) { 812 sctp_association_free(new_asoc); 813 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 814 } 815 816 repl = sctp_make_cookie_ack(new_asoc, chunk); 817 if (!repl) 818 goto nomem_init; 819 820 /* RFC 2960 5.1 Normal Establishment of an Association 821 * 822 * D) IMPLEMENTATION NOTE: An implementation may choose to 823 * send the Communication Up notification to the SCTP user 824 * upon reception of a valid COOKIE ECHO chunk. 825 */ 826 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 827 new_asoc->c.sinit_num_ostreams, 828 new_asoc->c.sinit_max_instreams, 829 NULL, GFP_ATOMIC); 830 if (!ev) 831 goto nomem_ev; 832 833 /* Sockets API Draft Section 5.3.1.6 834 * When a peer sends a Adaptation Layer Indication parameter , SCTP 835 * delivers this notification to inform the application that of the 836 * peers requested adaptation layer. 837 */ 838 if (new_asoc->peer.adaptation_ind) { 839 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 840 GFP_ATOMIC); 841 if (!ai_ev) 842 goto nomem_aiev; 843 } 844 845 if (!new_asoc->peer.auth_capable) { 846 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, 847 SCTP_AUTH_NO_AUTH, 848 GFP_ATOMIC); 849 if (!auth_ev) 850 goto nomem_authev; 851 } 852 853 /* Add all the state machine commands now since we've created 854 * everything. This way we don't introduce memory corruptions 855 * during side-effect processing and correctly count established 856 * associations. 857 */ 858 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 859 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 860 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 861 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 862 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 863 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 864 865 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 866 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 867 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 868 869 /* This will send the COOKIE ACK */ 870 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 871 872 /* Queue the ASSOC_CHANGE event */ 873 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 874 875 /* Send up the Adaptation Layer Indication event */ 876 if (ai_ev) 877 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 878 SCTP_ULPEVENT(ai_ev)); 879 880 if (auth_ev) 881 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 882 SCTP_ULPEVENT(auth_ev)); 883 884 return SCTP_DISPOSITION_CONSUME; 885 886 nomem_authev: 887 sctp_ulpevent_free(ai_ev); 888 nomem_aiev: 889 sctp_ulpevent_free(ev); 890 nomem_ev: 891 sctp_chunk_free(repl); 892 nomem_init: 893 sctp_association_free(new_asoc); 894 nomem: 895 return SCTP_DISPOSITION_NOMEM; 896 } 897 898 /* 899 * Respond to a normal COOKIE ACK chunk. 900 * We are the side that is asking for an association. 901 * 902 * RFC 2960 5.1 Normal Establishment of an Association 903 * 904 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 905 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 906 * timer. It may also notify its ULP about the successful 907 * establishment of the association with a Communication Up 908 * notification (see Section 10). 909 * 910 * Verification Tag: 911 * Inputs 912 * (endpoint, asoc, chunk) 913 * 914 * Outputs 915 * (asoc, reply_msg, msg_up, timers, counters) 916 * 917 * The return value is the disposition of the chunk. 918 */ 919 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 920 const struct sctp_endpoint *ep, 921 const struct sctp_association *asoc, 922 const union sctp_subtype type, 923 void *arg, 924 struct sctp_cmd_seq *commands) 925 { 926 struct sctp_chunk *chunk = arg; 927 struct sctp_ulpevent *ev; 928 929 if (!sctp_vtag_verify(chunk, asoc)) 930 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 931 932 /* Set peer label for connection. */ 933 if (security_sctp_assoc_established((struct sctp_association *)asoc, 934 chunk->head_skb ?: chunk->skb)) 935 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 936 937 /* Verify that the chunk length for the COOKIE-ACK is OK. 938 * If we don't do this, any bundled chunks may be junked. 939 */ 940 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 941 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 942 commands); 943 944 /* Reset init error count upon receipt of COOKIE-ACK, 945 * to avoid problems with the management of this 946 * counter in stale cookie situations when a transition back 947 * from the COOKIE-ECHOED state to the COOKIE-WAIT 948 * state is performed. 949 */ 950 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 951 952 /* RFC 2960 5.1 Normal Establishment of an Association 953 * 954 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 955 * from the COOKIE-ECHOED state to the ESTABLISHED state, 956 * stopping the T1-cookie timer. 957 */ 958 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 959 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 960 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 961 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 962 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 963 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 964 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 965 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 966 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 967 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 968 969 /* It may also notify its ULP about the successful 970 * establishment of the association with a Communication Up 971 * notification (see Section 10). 972 */ 973 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 974 0, asoc->c.sinit_num_ostreams, 975 asoc->c.sinit_max_instreams, 976 NULL, GFP_ATOMIC); 977 978 if (!ev) 979 goto nomem; 980 981 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 982 983 /* Sockets API Draft Section 5.3.1.6 984 * When a peer sends a Adaptation Layer Indication parameter , SCTP 985 * delivers this notification to inform the application that of the 986 * peers requested adaptation layer. 987 */ 988 if (asoc->peer.adaptation_ind) { 989 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 990 if (!ev) 991 goto nomem; 992 993 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 994 SCTP_ULPEVENT(ev)); 995 } 996 997 if (!asoc->peer.auth_capable) { 998 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, 999 GFP_ATOMIC); 1000 if (!ev) 1001 goto nomem; 1002 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1003 SCTP_ULPEVENT(ev)); 1004 } 1005 1006 return SCTP_DISPOSITION_CONSUME; 1007 nomem: 1008 return SCTP_DISPOSITION_NOMEM; 1009 } 1010 1011 /* Generate and sendout a heartbeat packet. */ 1012 static enum sctp_disposition sctp_sf_heartbeat( 1013 const struct sctp_endpoint *ep, 1014 const struct sctp_association *asoc, 1015 const union sctp_subtype type, 1016 void *arg, 1017 struct sctp_cmd_seq *commands) 1018 { 1019 struct sctp_transport *transport = (struct sctp_transport *) arg; 1020 struct sctp_chunk *reply; 1021 1022 /* Send a heartbeat to our peer. */ 1023 reply = sctp_make_heartbeat(asoc, transport, 0); 1024 if (!reply) 1025 return SCTP_DISPOSITION_NOMEM; 1026 1027 /* Set rto_pending indicating that an RTT measurement 1028 * is started with this heartbeat chunk. 1029 */ 1030 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 1031 SCTP_TRANSPORT(transport)); 1032 1033 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1034 return SCTP_DISPOSITION_CONSUME; 1035 } 1036 1037 /* Generate a HEARTBEAT packet on the given transport. */ 1038 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, 1039 const struct sctp_endpoint *ep, 1040 const struct sctp_association *asoc, 1041 const union sctp_subtype type, 1042 void *arg, 1043 struct sctp_cmd_seq *commands) 1044 { 1045 struct sctp_transport *transport = (struct sctp_transport *) arg; 1046 1047 if (asoc->overall_error_count >= asoc->max_retrans) { 1048 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1049 SCTP_ERROR(ETIMEDOUT)); 1050 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1051 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1052 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1053 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1054 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1055 return SCTP_DISPOSITION_DELETE_TCB; 1056 } 1057 1058 /* Section 3.3.5. 1059 * The Sender-specific Heartbeat Info field should normally include 1060 * information about the sender's current time when this HEARTBEAT 1061 * chunk is sent and the destination transport address to which this 1062 * HEARTBEAT is sent (see Section 8.3). 1063 */ 1064 1065 if (transport->param_flags & SPP_HB_ENABLE) { 1066 if (SCTP_DISPOSITION_NOMEM == 1067 sctp_sf_heartbeat(ep, asoc, type, arg, 1068 commands)) 1069 return SCTP_DISPOSITION_NOMEM; 1070 1071 /* Set transport error counter and association error counter 1072 * when sending heartbeat. 1073 */ 1074 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1075 SCTP_TRANSPORT(transport)); 1076 } 1077 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1078 SCTP_TRANSPORT(transport)); 1079 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1080 SCTP_TRANSPORT(transport)); 1081 1082 return SCTP_DISPOSITION_CONSUME; 1083 } 1084 1085 /* resend asoc strreset_chunk. */ 1086 enum sctp_disposition sctp_sf_send_reconf(struct net *net, 1087 const struct sctp_endpoint *ep, 1088 const struct sctp_association *asoc, 1089 const union sctp_subtype type, 1090 void *arg, 1091 struct sctp_cmd_seq *commands) 1092 { 1093 struct sctp_transport *transport = arg; 1094 1095 if (asoc->overall_error_count >= asoc->max_retrans) { 1096 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1097 SCTP_ERROR(ETIMEDOUT)); 1098 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1099 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1100 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1101 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1102 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1103 return SCTP_DISPOSITION_DELETE_TCB; 1104 } 1105 1106 sctp_chunk_hold(asoc->strreset_chunk); 1107 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1108 SCTP_CHUNK(asoc->strreset_chunk)); 1109 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 1110 1111 return SCTP_DISPOSITION_CONSUME; 1112 } 1113 1114 /* send hb chunk with padding for PLPMUTD. */ 1115 enum sctp_disposition sctp_sf_send_probe(struct net *net, 1116 const struct sctp_endpoint *ep, 1117 const struct sctp_association *asoc, 1118 const union sctp_subtype type, 1119 void *arg, 1120 struct sctp_cmd_seq *commands) 1121 { 1122 struct sctp_transport *transport = (struct sctp_transport *)arg; 1123 struct sctp_chunk *reply; 1124 1125 if (!sctp_transport_pl_enabled(transport)) 1126 return SCTP_DISPOSITION_CONSUME; 1127 1128 sctp_transport_pl_send(transport); 1129 reply = sctp_make_heartbeat(asoc, transport, transport->pl.probe_size); 1130 if (!reply) 1131 return SCTP_DISPOSITION_NOMEM; 1132 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1133 sctp_add_cmd_sf(commands, SCTP_CMD_PROBE_TIMER_UPDATE, 1134 SCTP_TRANSPORT(transport)); 1135 1136 return SCTP_DISPOSITION_CONSUME; 1137 } 1138 1139 /* 1140 * Process an heartbeat request. 1141 * 1142 * Section: 8.3 Path Heartbeat 1143 * The receiver of the HEARTBEAT should immediately respond with a 1144 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1145 * from the received HEARTBEAT chunk. 1146 * 1147 * Verification Tag: 8.5 Verification Tag [Normal verification] 1148 * When receiving an SCTP packet, the endpoint MUST ensure that the 1149 * value in the Verification Tag field of the received SCTP packet 1150 * matches its own Tag. If the received Verification Tag value does not 1151 * match the receiver's own tag value, the receiver shall silently 1152 * discard the packet and shall not process it any further except for 1153 * those cases listed in Section 8.5.1 below. 1154 * 1155 * Inputs 1156 * (endpoint, asoc, chunk) 1157 * 1158 * Outputs 1159 * (asoc, reply_msg, msg_up, timers, counters) 1160 * 1161 * The return value is the disposition of the chunk. 1162 */ 1163 enum sctp_disposition sctp_sf_beat_8_3(struct net *net, 1164 const struct sctp_endpoint *ep, 1165 const struct sctp_association *asoc, 1166 const union sctp_subtype type, 1167 void *arg, struct sctp_cmd_seq *commands) 1168 { 1169 struct sctp_paramhdr *param_hdr; 1170 struct sctp_chunk *chunk = arg; 1171 struct sctp_chunk *reply; 1172 size_t paylen = 0; 1173 1174 if (!sctp_vtag_verify(chunk, asoc)) 1175 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1176 1177 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1178 if (!sctp_chunk_length_valid(chunk, 1179 sizeof(struct sctp_heartbeat_chunk))) 1180 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1181 commands); 1182 1183 /* 8.3 The receiver of the HEARTBEAT should immediately 1184 * respond with a HEARTBEAT ACK that contains the Heartbeat 1185 * Information field copied from the received HEARTBEAT chunk. 1186 */ 1187 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; 1188 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; 1189 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); 1190 1191 if (ntohs(param_hdr->length) > paylen) 1192 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1193 param_hdr, commands); 1194 1195 if (!pskb_pull(chunk->skb, paylen)) 1196 goto nomem; 1197 1198 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1199 if (!reply) 1200 goto nomem; 1201 1202 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1203 return SCTP_DISPOSITION_CONSUME; 1204 1205 nomem: 1206 return SCTP_DISPOSITION_NOMEM; 1207 } 1208 1209 /* 1210 * Process the returning HEARTBEAT ACK. 1211 * 1212 * Section: 8.3 Path Heartbeat 1213 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1214 * should clear the error counter of the destination transport 1215 * address to which the HEARTBEAT was sent, and mark the destination 1216 * transport address as active if it is not so marked. The endpoint may 1217 * optionally report to the upper layer when an inactive destination 1218 * address is marked as active due to the reception of the latest 1219 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1220 * clear the association overall error count as well (as defined 1221 * in section 8.1). 1222 * 1223 * The receiver of the HEARTBEAT ACK should also perform an RTT 1224 * measurement for that destination transport address using the time 1225 * value carried in the HEARTBEAT ACK chunk. 1226 * 1227 * Verification Tag: 8.5 Verification Tag [Normal verification] 1228 * 1229 * Inputs 1230 * (endpoint, asoc, chunk) 1231 * 1232 * Outputs 1233 * (asoc, reply_msg, msg_up, timers, counters) 1234 * 1235 * The return value is the disposition of the chunk. 1236 */ 1237 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, 1238 const struct sctp_endpoint *ep, 1239 const struct sctp_association *asoc, 1240 const union sctp_subtype type, 1241 void *arg, 1242 struct sctp_cmd_seq *commands) 1243 { 1244 struct sctp_sender_hb_info *hbinfo; 1245 struct sctp_chunk *chunk = arg; 1246 struct sctp_transport *link; 1247 unsigned long max_interval; 1248 union sctp_addr from_addr; 1249 1250 if (!sctp_vtag_verify(chunk, asoc)) 1251 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1252 1253 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1254 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + 1255 sizeof(*hbinfo))) 1256 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1257 commands); 1258 1259 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; 1260 /* Make sure that the length of the parameter is what we expect */ 1261 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) 1262 return SCTP_DISPOSITION_DISCARD; 1263 1264 from_addr = hbinfo->daddr; 1265 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1266 1267 /* This should never happen, but lets log it if so. */ 1268 if (unlikely(!link)) { 1269 if (from_addr.sa.sa_family == AF_INET6) { 1270 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1271 __func__, 1272 asoc, 1273 &from_addr.v6.sin6_addr); 1274 } else { 1275 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1276 __func__, 1277 asoc, 1278 &from_addr.v4.sin_addr.s_addr); 1279 } 1280 return SCTP_DISPOSITION_DISCARD; 1281 } 1282 1283 /* Validate the 64-bit random nonce. */ 1284 if (hbinfo->hb_nonce != link->hb_nonce) 1285 return SCTP_DISPOSITION_DISCARD; 1286 1287 if (hbinfo->probe_size) { 1288 if (hbinfo->probe_size != link->pl.probe_size || 1289 !sctp_transport_pl_enabled(link)) 1290 return SCTP_DISPOSITION_DISCARD; 1291 1292 if (sctp_transport_pl_recv(link)) 1293 return SCTP_DISPOSITION_CONSUME; 1294 1295 return sctp_sf_send_probe(net, ep, asoc, type, link, commands); 1296 } 1297 1298 max_interval = link->hbinterval + link->rto; 1299 1300 /* Check if the timestamp looks valid. */ 1301 if (time_after(hbinfo->sent_at, jiffies) || 1302 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1303 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1304 "for transport:%p\n", __func__, link); 1305 1306 return SCTP_DISPOSITION_DISCARD; 1307 } 1308 1309 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1310 * the HEARTBEAT should clear the error counter of the 1311 * destination transport address to which the HEARTBEAT was 1312 * sent and mark the destination transport address as active if 1313 * it is not so marked. 1314 */ 1315 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1316 1317 return SCTP_DISPOSITION_CONSUME; 1318 } 1319 1320 /* Helper function to send out an abort for the restart 1321 * condition. 1322 */ 1323 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1324 struct sctp_chunk *init, 1325 struct sctp_cmd_seq *commands) 1326 { 1327 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1328 union sctp_addr_param *addrparm; 1329 struct sctp_errhdr *errhdr; 1330 char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; 1331 struct sctp_endpoint *ep; 1332 struct sctp_packet *pkt; 1333 int len; 1334 1335 /* Build the error on the stack. We are way to malloc crazy 1336 * throughout the code today. 1337 */ 1338 errhdr = (struct sctp_errhdr *)buffer; 1339 addrparm = (union sctp_addr_param *)(errhdr + 1); 1340 1341 /* Copy into a parm format. */ 1342 len = af->to_addr_param(ssa, addrparm); 1343 len += sizeof(*errhdr); 1344 1345 errhdr->cause = SCTP_ERROR_RESTART; 1346 errhdr->length = htons(len); 1347 1348 /* Assign to the control socket. */ 1349 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1350 1351 /* Association is NULL since this may be a restart attack and we 1352 * want to send back the attacker's vtag. 1353 */ 1354 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1355 1356 if (!pkt) 1357 goto out; 1358 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1359 1360 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1361 1362 /* Discard the rest of the inbound packet. */ 1363 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1364 1365 out: 1366 /* Even if there is no memory, treat as a failure so 1367 * the packet will get dropped. 1368 */ 1369 return 0; 1370 } 1371 1372 static bool list_has_sctp_addr(const struct list_head *list, 1373 union sctp_addr *ipaddr) 1374 { 1375 struct sctp_transport *addr; 1376 1377 list_for_each_entry(addr, list, transports) { 1378 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1379 return true; 1380 } 1381 1382 return false; 1383 } 1384 /* A restart is occurring, check to make sure no new addresses 1385 * are being added as we may be under a takeover attack. 1386 */ 1387 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1388 const struct sctp_association *asoc, 1389 struct sctp_chunk *init, 1390 struct sctp_cmd_seq *commands) 1391 { 1392 struct net *net = new_asoc->base.net; 1393 struct sctp_transport *new_addr; 1394 int ret = 1; 1395 1396 /* Implementor's Guide - Section 5.2.2 1397 * ... 1398 * Before responding the endpoint MUST check to see if the 1399 * unexpected INIT adds new addresses to the association. If new 1400 * addresses are added to the association, the endpoint MUST respond 1401 * with an ABORT.. 1402 */ 1403 1404 /* Search through all current addresses and make sure 1405 * we aren't adding any new ones. 1406 */ 1407 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1408 transports) { 1409 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1410 &new_addr->ipaddr)) { 1411 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1412 commands); 1413 ret = 0; 1414 break; 1415 } 1416 } 1417 1418 /* Return success if all addresses were found. */ 1419 return ret; 1420 } 1421 1422 /* Populate the verification/tie tags based on overlapping INIT 1423 * scenario. 1424 * 1425 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1426 */ 1427 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1428 const struct sctp_association *asoc) 1429 { 1430 switch (asoc->state) { 1431 1432 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1433 1434 case SCTP_STATE_COOKIE_WAIT: 1435 new_asoc->c.my_vtag = asoc->c.my_vtag; 1436 new_asoc->c.my_ttag = asoc->c.my_vtag; 1437 new_asoc->c.peer_ttag = 0; 1438 break; 1439 1440 case SCTP_STATE_COOKIE_ECHOED: 1441 new_asoc->c.my_vtag = asoc->c.my_vtag; 1442 new_asoc->c.my_ttag = asoc->c.my_vtag; 1443 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1444 break; 1445 1446 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1447 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1448 */ 1449 default: 1450 new_asoc->c.my_ttag = asoc->c.my_vtag; 1451 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1452 break; 1453 } 1454 1455 /* Other parameters for the endpoint SHOULD be copied from the 1456 * existing parameters of the association (e.g. number of 1457 * outbound streams) into the INIT ACK and cookie. 1458 */ 1459 new_asoc->rwnd = asoc->rwnd; 1460 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1461 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1462 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1463 } 1464 1465 /* 1466 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1467 * handling action. 1468 * 1469 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1470 * 1471 * Returns value representing action to be taken. These action values 1472 * correspond to Action/Description values in RFC 2960, Table 2. 1473 */ 1474 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1475 const struct sctp_association *asoc) 1476 { 1477 /* In this case, the peer may have restarted. */ 1478 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1479 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1480 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1481 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1482 return 'A'; 1483 1484 /* Collision case B. */ 1485 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1486 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1487 (0 == asoc->c.peer_vtag))) { 1488 return 'B'; 1489 } 1490 1491 /* Collision case D. */ 1492 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1493 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1494 return 'D'; 1495 1496 /* Collision case C. */ 1497 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1498 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1499 (0 == new_asoc->c.my_ttag) && 1500 (0 == new_asoc->c.peer_ttag)) 1501 return 'C'; 1502 1503 /* No match to any of the special cases; discard this packet. */ 1504 return 'E'; 1505 } 1506 1507 /* Common helper routine for both duplicate and simultaneous INIT 1508 * chunk handling. 1509 */ 1510 static enum sctp_disposition sctp_sf_do_unexpected_init( 1511 struct net *net, 1512 const struct sctp_endpoint *ep, 1513 const struct sctp_association *asoc, 1514 const union sctp_subtype type, 1515 void *arg, 1516 struct sctp_cmd_seq *commands) 1517 { 1518 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 1519 struct sctp_unrecognized_param *unk_param; 1520 struct sctp_association *new_asoc; 1521 enum sctp_disposition retval; 1522 struct sctp_packet *packet; 1523 int len; 1524 1525 /* 6.10 Bundling 1526 * An endpoint MUST NOT bundle INIT, INIT ACK or 1527 * SHUTDOWN COMPLETE with any other chunks. 1528 * 1529 * IG Section 2.11.2 1530 * Furthermore, we require that the receiver of an INIT chunk MUST 1531 * enforce these rules by silently discarding an arriving packet 1532 * with an INIT chunk that is bundled with other chunks. 1533 */ 1534 if (!chunk->singleton) 1535 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1536 1537 /* Make sure that the INIT chunk has a valid length. */ 1538 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 1539 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1540 1541 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1542 * Tag. 1543 */ 1544 if (chunk->sctp_hdr->vtag != 0) 1545 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1546 1547 if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port) 1548 return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands); 1549 1550 /* Grab the INIT header. */ 1551 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 1552 1553 /* Tag the variable length parameters. */ 1554 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 1555 1556 /* Verify the INIT chunk before processing it. */ 1557 err_chunk = NULL; 1558 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1559 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 1560 &err_chunk)) { 1561 /* This chunk contains fatal error. It is to be discarded. 1562 * Send an ABORT, with causes if there is any. 1563 */ 1564 if (err_chunk) { 1565 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1566 (__u8 *)(err_chunk->chunk_hdr) + 1567 sizeof(struct sctp_chunkhdr), 1568 ntohs(err_chunk->chunk_hdr->length) - 1569 sizeof(struct sctp_chunkhdr)); 1570 1571 if (packet) { 1572 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1573 SCTP_PACKET(packet)); 1574 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1575 retval = SCTP_DISPOSITION_CONSUME; 1576 } else { 1577 retval = SCTP_DISPOSITION_NOMEM; 1578 } 1579 goto cleanup; 1580 } else { 1581 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1582 commands); 1583 } 1584 } 1585 1586 /* 1587 * Other parameters for the endpoint SHOULD be copied from the 1588 * existing parameters of the association (e.g. number of 1589 * outbound streams) into the INIT ACK and cookie. 1590 * FIXME: We are copying parameters from the endpoint not the 1591 * association. 1592 */ 1593 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1594 if (!new_asoc) 1595 goto nomem; 1596 1597 /* Update socket peer label if first association. */ 1598 if (security_sctp_assoc_request(new_asoc, chunk->skb)) { 1599 sctp_association_free(new_asoc); 1600 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1601 } 1602 1603 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1604 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1605 goto nomem; 1606 1607 /* In the outbound INIT ACK the endpoint MUST copy its current 1608 * Verification Tag and Peers Verification tag into a reserved 1609 * place (local tie-tag and per tie-tag) within the state cookie. 1610 */ 1611 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1612 (struct sctp_init_chunk *)chunk->chunk_hdr, 1613 GFP_ATOMIC)) 1614 goto nomem; 1615 1616 /* Make sure no new addresses are being added during the 1617 * restart. Do not do this check for COOKIE-WAIT state, 1618 * since there are no peer addresses to check against. 1619 * Upon return an ABORT will have been sent if needed. 1620 */ 1621 if (!sctp_state(asoc, COOKIE_WAIT)) { 1622 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1623 commands)) { 1624 retval = SCTP_DISPOSITION_CONSUME; 1625 goto nomem_retval; 1626 } 1627 } 1628 1629 sctp_tietags_populate(new_asoc, asoc); 1630 1631 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1632 1633 /* If there are errors need to be reported for unknown parameters, 1634 * make sure to reserve enough room in the INIT ACK for them. 1635 */ 1636 len = 0; 1637 if (err_chunk) { 1638 len = ntohs(err_chunk->chunk_hdr->length) - 1639 sizeof(struct sctp_chunkhdr); 1640 } 1641 1642 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1643 if (!repl) 1644 goto nomem; 1645 1646 /* If there are errors need to be reported for unknown parameters, 1647 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1648 * parameter. 1649 */ 1650 if (err_chunk) { 1651 /* Get the "Unrecognized parameter" parameter(s) out of the 1652 * ERROR chunk generated by sctp_verify_init(). Since the 1653 * error cause code for "unknown parameter" and the 1654 * "Unrecognized parameter" type is the same, we can 1655 * construct the parameters in INIT ACK by copying the 1656 * ERROR causes over. 1657 */ 1658 unk_param = (struct sctp_unrecognized_param *) 1659 ((__u8 *)(err_chunk->chunk_hdr) + 1660 sizeof(struct sctp_chunkhdr)); 1661 /* Replace the cause code with the "Unrecognized parameter" 1662 * parameter type. 1663 */ 1664 sctp_addto_chunk(repl, len, unk_param); 1665 } 1666 1667 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1668 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1669 1670 /* 1671 * Note: After sending out INIT ACK with the State Cookie parameter, 1672 * "Z" MUST NOT allocate any resources for this new association. 1673 * Otherwise, "Z" will be vulnerable to resource attacks. 1674 */ 1675 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1676 retval = SCTP_DISPOSITION_CONSUME; 1677 1678 return retval; 1679 1680 nomem: 1681 retval = SCTP_DISPOSITION_NOMEM; 1682 nomem_retval: 1683 if (new_asoc) 1684 sctp_association_free(new_asoc); 1685 cleanup: 1686 if (err_chunk) 1687 sctp_chunk_free(err_chunk); 1688 return retval; 1689 } 1690 1691 /* 1692 * Handle simultaneous INIT. 1693 * This means we started an INIT and then we got an INIT request from 1694 * our peer. 1695 * 1696 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1697 * This usually indicates an initialization collision, i.e., each 1698 * endpoint is attempting, at about the same time, to establish an 1699 * association with the other endpoint. 1700 * 1701 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1702 * endpoint MUST respond with an INIT ACK using the same parameters it 1703 * sent in its original INIT chunk (including its Verification Tag, 1704 * unchanged). These original parameters are combined with those from the 1705 * newly received INIT chunk. The endpoint shall also generate a State 1706 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1707 * INIT to calculate the State Cookie. 1708 * 1709 * After that, the endpoint MUST NOT change its state, the T1-init 1710 * timer shall be left running and the corresponding TCB MUST NOT be 1711 * destroyed. The normal procedures for handling State Cookies when 1712 * a TCB exists will resolve the duplicate INITs to a single association. 1713 * 1714 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1715 * its Tie-Tags with the Tag information of itself and its peer (see 1716 * section 5.2.2 for a description of the Tie-Tags). 1717 * 1718 * Verification Tag: Not explicit, but an INIT can not have a valid 1719 * verification tag, so we skip the check. 1720 * 1721 * Inputs 1722 * (endpoint, asoc, chunk) 1723 * 1724 * Outputs 1725 * (asoc, reply_msg, msg_up, timers, counters) 1726 * 1727 * The return value is the disposition of the chunk. 1728 */ 1729 enum sctp_disposition sctp_sf_do_5_2_1_siminit( 1730 struct net *net, 1731 const struct sctp_endpoint *ep, 1732 const struct sctp_association *asoc, 1733 const union sctp_subtype type, 1734 void *arg, 1735 struct sctp_cmd_seq *commands) 1736 { 1737 /* Call helper to do the real work for both simultaneous and 1738 * duplicate INIT chunk handling. 1739 */ 1740 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1741 } 1742 1743 /* 1744 * Handle duplicated INIT messages. These are usually delayed 1745 * restransmissions. 1746 * 1747 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1748 * COOKIE-ECHOED and COOKIE-WAIT 1749 * 1750 * Unless otherwise stated, upon reception of an unexpected INIT for 1751 * this association, the endpoint shall generate an INIT ACK with a 1752 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1753 * current Verification Tag and peer's Verification Tag into a reserved 1754 * place within the state cookie. We shall refer to these locations as 1755 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1756 * containing this INIT ACK MUST carry a Verification Tag value equal to 1757 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1758 * MUST contain a new Initiation Tag (randomly generated see Section 1759 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1760 * existing parameters of the association (e.g. number of outbound 1761 * streams) into the INIT ACK and cookie. 1762 * 1763 * After sending out the INIT ACK, the endpoint shall take no further 1764 * actions, i.e., the existing association, including its current state, 1765 * and the corresponding TCB MUST NOT be changed. 1766 * 1767 * Note: Only when a TCB exists and the association is not in a COOKIE- 1768 * WAIT state are the Tie-Tags populated. For a normal association INIT 1769 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1770 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1771 * State Cookie are populated as specified in section 5.2.1. 1772 * 1773 * Verification Tag: Not specified, but an INIT has no way of knowing 1774 * what the verification tag could be, so we ignore it. 1775 * 1776 * Inputs 1777 * (endpoint, asoc, chunk) 1778 * 1779 * Outputs 1780 * (asoc, reply_msg, msg_up, timers, counters) 1781 * 1782 * The return value is the disposition of the chunk. 1783 */ 1784 enum sctp_disposition sctp_sf_do_5_2_2_dupinit( 1785 struct net *net, 1786 const struct sctp_endpoint *ep, 1787 const struct sctp_association *asoc, 1788 const union sctp_subtype type, 1789 void *arg, 1790 struct sctp_cmd_seq *commands) 1791 { 1792 /* Call helper to do the real work for both simultaneous and 1793 * duplicate INIT chunk handling. 1794 */ 1795 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1796 } 1797 1798 1799 /* 1800 * Unexpected INIT-ACK handler. 1801 * 1802 * Section 5.2.3 1803 * If an INIT ACK received by an endpoint in any state other than the 1804 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1805 * An unexpected INIT ACK usually indicates the processing of an old or 1806 * duplicated INIT chunk. 1807 */ 1808 enum sctp_disposition sctp_sf_do_5_2_3_initack( 1809 struct net *net, 1810 const struct sctp_endpoint *ep, 1811 const struct sctp_association *asoc, 1812 const union sctp_subtype type, 1813 void *arg, 1814 struct sctp_cmd_seq *commands) 1815 { 1816 /* Per the above section, we'll discard the chunk if we have an 1817 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1818 */ 1819 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1820 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1821 else 1822 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1823 } 1824 1825 static int sctp_sf_do_assoc_update(struct sctp_association *asoc, 1826 struct sctp_association *new, 1827 struct sctp_cmd_seq *cmds) 1828 { 1829 struct net *net = asoc->base.net; 1830 struct sctp_chunk *abort; 1831 1832 if (!sctp_assoc_update(asoc, new)) 1833 return 0; 1834 1835 abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); 1836 if (abort) { 1837 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 1838 sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 1839 } 1840 sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); 1841 sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED, 1842 SCTP_PERR(SCTP_ERROR_RSRC_LOW)); 1843 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1844 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1845 1846 return -ENOMEM; 1847 } 1848 1849 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1850 * 1851 * Section 5.2.4 1852 * A) In this case, the peer may have restarted. 1853 */ 1854 static enum sctp_disposition sctp_sf_do_dupcook_a( 1855 struct net *net, 1856 const struct sctp_endpoint *ep, 1857 const struct sctp_association *asoc, 1858 struct sctp_chunk *chunk, 1859 struct sctp_cmd_seq *commands, 1860 struct sctp_association *new_asoc) 1861 { 1862 struct sctp_init_chunk *peer_init; 1863 enum sctp_disposition disposition; 1864 struct sctp_ulpevent *ev; 1865 struct sctp_chunk *repl; 1866 struct sctp_chunk *err; 1867 1868 /* new_asoc is a brand-new association, so these are not yet 1869 * side effects--it is safe to run them here. 1870 */ 1871 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1); 1872 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1873 GFP_ATOMIC)) 1874 goto nomem; 1875 1876 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1877 goto nomem; 1878 1879 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 1880 return SCTP_DISPOSITION_DISCARD; 1881 1882 /* Make sure no new addresses are being added during the 1883 * restart. Though this is a pretty complicated attack 1884 * since you'd have to get inside the cookie. 1885 */ 1886 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) 1887 return SCTP_DISPOSITION_CONSUME; 1888 1889 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1890 * the peer has restarted (Action A), it MUST NOT setup a new 1891 * association but instead resend the SHUTDOWN ACK and send an ERROR 1892 * chunk with a "Cookie Received while Shutting Down" error cause to 1893 * its peer. 1894 */ 1895 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1896 disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, 1897 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1898 chunk, commands); 1899 if (SCTP_DISPOSITION_NOMEM == disposition) 1900 goto nomem; 1901 1902 err = sctp_make_op_error(asoc, chunk, 1903 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1904 NULL, 0, 0); 1905 if (err) 1906 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1907 SCTP_CHUNK(err)); 1908 1909 return SCTP_DISPOSITION_CONSUME; 1910 } 1911 1912 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1913 * data. Consider the optional choice of resending of this data. 1914 */ 1915 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1916 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1917 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1918 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1919 1920 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1921 * and ASCONF-ACK cache. 1922 */ 1923 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1924 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1925 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1926 1927 /* Update the content of current association. */ 1928 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) 1929 goto nomem; 1930 1931 repl = sctp_make_cookie_ack(asoc, chunk); 1932 if (!repl) 1933 goto nomem; 1934 1935 /* Report association restart to upper layer. */ 1936 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1937 asoc->c.sinit_num_ostreams, 1938 asoc->c.sinit_max_instreams, 1939 NULL, GFP_ATOMIC); 1940 if (!ev) 1941 goto nomem_ev; 1942 1943 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1944 if ((sctp_state(asoc, SHUTDOWN_PENDING) || 1945 sctp_state(asoc, SHUTDOWN_SENT)) && 1946 (sctp_sstate(asoc->base.sk, CLOSING) || 1947 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1948 /* If the socket has been closed by user, don't 1949 * transition to ESTABLISHED. Instead trigger SHUTDOWN 1950 * bundled with COOKIE_ACK. 1951 */ 1952 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1953 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1954 SCTP_ST_CHUNK(0), repl, 1955 commands); 1956 } else { 1957 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1958 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1959 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1960 } 1961 return SCTP_DISPOSITION_CONSUME; 1962 1963 nomem_ev: 1964 sctp_chunk_free(repl); 1965 nomem: 1966 return SCTP_DISPOSITION_NOMEM; 1967 } 1968 1969 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1970 * 1971 * Section 5.2.4 1972 * B) In this case, both sides may be attempting to start an association 1973 * at about the same time but the peer endpoint started its INIT 1974 * after responding to the local endpoint's INIT 1975 */ 1976 /* This case represents an initialization collision. */ 1977 static enum sctp_disposition sctp_sf_do_dupcook_b( 1978 struct net *net, 1979 const struct sctp_endpoint *ep, 1980 const struct sctp_association *asoc, 1981 struct sctp_chunk *chunk, 1982 struct sctp_cmd_seq *commands, 1983 struct sctp_association *new_asoc) 1984 { 1985 struct sctp_init_chunk *peer_init; 1986 struct sctp_chunk *repl; 1987 1988 /* new_asoc is a brand-new association, so these are not yet 1989 * side effects--it is safe to run them here. 1990 */ 1991 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1); 1992 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1993 GFP_ATOMIC)) 1994 goto nomem; 1995 1996 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1997 goto nomem; 1998 1999 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 2000 return SCTP_DISPOSITION_DISCARD; 2001 2002 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2003 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2004 if (asoc->state < SCTP_STATE_ESTABLISHED) 2005 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2006 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 2007 2008 /* Update the content of current association. */ 2009 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) 2010 goto nomem; 2011 2012 repl = sctp_make_cookie_ack(asoc, chunk); 2013 if (!repl) 2014 goto nomem; 2015 2016 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2017 2018 /* RFC 2960 5.1 Normal Establishment of an Association 2019 * 2020 * D) IMPLEMENTATION NOTE: An implementation may choose to 2021 * send the Communication Up notification to the SCTP user 2022 * upon reception of a valid COOKIE ECHO chunk. 2023 * 2024 * Sadly, this needs to be implemented as a side-effect, because 2025 * we are not guaranteed to have set the association id of the real 2026 * association and so these notifications need to be delayed until 2027 * the association id is allocated. 2028 */ 2029 2030 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 2031 2032 /* Sockets API Draft Section 5.3.1.6 2033 * When a peer sends a Adaptation Layer Indication parameter , SCTP 2034 * delivers this notification to inform the application that of the 2035 * peers requested adaptation layer. 2036 * 2037 * This also needs to be done as a side effect for the same reason as 2038 * above. 2039 */ 2040 if (asoc->peer.adaptation_ind) 2041 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 2042 2043 if (!asoc->peer.auth_capable) 2044 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); 2045 2046 return SCTP_DISPOSITION_CONSUME; 2047 2048 nomem: 2049 return SCTP_DISPOSITION_NOMEM; 2050 } 2051 2052 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 2053 * 2054 * Section 5.2.4 2055 * C) In this case, the local endpoint's cookie has arrived late. 2056 * Before it arrived, the local endpoint sent an INIT and received an 2057 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 2058 * but a new tag of its own. 2059 */ 2060 /* This case represents an initialization collision. */ 2061 static enum sctp_disposition sctp_sf_do_dupcook_c( 2062 struct net *net, 2063 const struct sctp_endpoint *ep, 2064 const struct sctp_association *asoc, 2065 struct sctp_chunk *chunk, 2066 struct sctp_cmd_seq *commands, 2067 struct sctp_association *new_asoc) 2068 { 2069 /* The cookie should be silently discarded. 2070 * The endpoint SHOULD NOT change states and should leave 2071 * any timers running. 2072 */ 2073 return SCTP_DISPOSITION_DISCARD; 2074 } 2075 2076 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 2077 * 2078 * Section 5.2.4 2079 * 2080 * D) When both local and remote tags match the endpoint should always 2081 * enter the ESTABLISHED state, if it has not already done so. 2082 */ 2083 /* This case represents an initialization collision. */ 2084 static enum sctp_disposition sctp_sf_do_dupcook_d( 2085 struct net *net, 2086 const struct sctp_endpoint *ep, 2087 const struct sctp_association *asoc, 2088 struct sctp_chunk *chunk, 2089 struct sctp_cmd_seq *commands, 2090 struct sctp_association *new_asoc) 2091 { 2092 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; 2093 struct sctp_chunk *repl; 2094 2095 /* Clarification from Implementor's Guide: 2096 * D) When both local and remote tags match the endpoint should 2097 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 2098 * It should stop any cookie timer that may be running and send 2099 * a COOKIE ACK. 2100 */ 2101 2102 if (!sctp_auth_chunk_verify(net, chunk, asoc)) 2103 return SCTP_DISPOSITION_DISCARD; 2104 2105 /* Don't accidentally move back into established state. */ 2106 if (asoc->state < SCTP_STATE_ESTABLISHED) { 2107 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2108 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2109 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2110 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2111 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2112 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 2113 SCTP_NULL()); 2114 2115 /* RFC 2960 5.1 Normal Establishment of an Association 2116 * 2117 * D) IMPLEMENTATION NOTE: An implementation may choose 2118 * to send the Communication Up notification to the 2119 * SCTP user upon reception of a valid COOKIE 2120 * ECHO chunk. 2121 */ 2122 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 2123 SCTP_COMM_UP, 0, 2124 asoc->c.sinit_num_ostreams, 2125 asoc->c.sinit_max_instreams, 2126 NULL, GFP_ATOMIC); 2127 if (!ev) 2128 goto nomem; 2129 2130 /* Sockets API Draft Section 5.3.1.6 2131 * When a peer sends a Adaptation Layer Indication parameter, 2132 * SCTP delivers this notification to inform the application 2133 * that of the peers requested adaptation layer. 2134 */ 2135 if (asoc->peer.adaptation_ind) { 2136 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 2137 GFP_ATOMIC); 2138 if (!ai_ev) 2139 goto nomem; 2140 2141 } 2142 2143 if (!asoc->peer.auth_capable) { 2144 auth_ev = sctp_ulpevent_make_authkey(asoc, 0, 2145 SCTP_AUTH_NO_AUTH, 2146 GFP_ATOMIC); 2147 if (!auth_ev) 2148 goto nomem; 2149 } 2150 } 2151 2152 repl = sctp_make_cookie_ack(asoc, chunk); 2153 if (!repl) 2154 goto nomem; 2155 2156 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2157 2158 if (ev) 2159 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2160 SCTP_ULPEVENT(ev)); 2161 if (ai_ev) 2162 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2163 SCTP_ULPEVENT(ai_ev)); 2164 if (auth_ev) 2165 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2166 SCTP_ULPEVENT(auth_ev)); 2167 2168 return SCTP_DISPOSITION_CONSUME; 2169 2170 nomem: 2171 if (auth_ev) 2172 sctp_ulpevent_free(auth_ev); 2173 if (ai_ev) 2174 sctp_ulpevent_free(ai_ev); 2175 if (ev) 2176 sctp_ulpevent_free(ev); 2177 return SCTP_DISPOSITION_NOMEM; 2178 } 2179 2180 /* 2181 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 2182 * chunk was retransmitted and then delayed in the network. 2183 * 2184 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 2185 * 2186 * Verification Tag: None. Do cookie validation. 2187 * 2188 * Inputs 2189 * (endpoint, asoc, chunk) 2190 * 2191 * Outputs 2192 * (asoc, reply_msg, msg_up, timers, counters) 2193 * 2194 * The return value is the disposition of the chunk. 2195 */ 2196 enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 2197 struct net *net, 2198 const struct sctp_endpoint *ep, 2199 const struct sctp_association *asoc, 2200 const union sctp_subtype type, 2201 void *arg, 2202 struct sctp_cmd_seq *commands) 2203 { 2204 struct sctp_association *new_asoc; 2205 struct sctp_chunk *chunk = arg; 2206 enum sctp_disposition retval; 2207 struct sctp_chunk *err_chk_p; 2208 int error = 0; 2209 char action; 2210 2211 /* Make sure that the chunk has a valid length from the protocol 2212 * perspective. In this case check to make sure we have at least 2213 * enough for the chunk header. Cookie length verification is 2214 * done later. 2215 */ 2216 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { 2217 if (!sctp_vtag_verify(chunk, asoc)) 2218 asoc = NULL; 2219 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); 2220 } 2221 2222 /* "Decode" the chunk. We have no optional parameters so we 2223 * are in good shape. 2224 */ 2225 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2226 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2227 sizeof(struct sctp_chunkhdr))) 2228 goto nomem; 2229 2230 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2231 * of a duplicate COOKIE ECHO match the Verification Tags of the 2232 * current association, consider the State Cookie valid even if 2233 * the lifespan is exceeded. 2234 */ 2235 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2236 &err_chk_p); 2237 2238 /* FIXME: 2239 * If the re-build failed, what is the proper error path 2240 * from here? 2241 * 2242 * [We should abort the association. --piggy] 2243 */ 2244 if (!new_asoc) { 2245 /* FIXME: Several errors are possible. A bad cookie should 2246 * be silently discarded, but think about logging it too. 2247 */ 2248 switch (error) { 2249 case -SCTP_IERROR_NOMEM: 2250 goto nomem; 2251 2252 case -SCTP_IERROR_STALE_COOKIE: 2253 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2254 err_chk_p); 2255 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2256 case -SCTP_IERROR_BAD_SIG: 2257 default: 2258 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2259 } 2260 } 2261 2262 /* Update socket peer label if first association. */ 2263 if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) { 2264 sctp_association_free(new_asoc); 2265 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2266 } 2267 2268 /* Set temp so that it won't be added into hashtable */ 2269 new_asoc->temp = 1; 2270 2271 /* Compare the tie_tag in cookie with the verification tag of 2272 * current association. 2273 */ 2274 action = sctp_tietags_compare(new_asoc, asoc); 2275 2276 switch (action) { 2277 case 'A': /* Association restart. */ 2278 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2279 new_asoc); 2280 break; 2281 2282 case 'B': /* Collision case B. */ 2283 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2284 new_asoc); 2285 break; 2286 2287 case 'C': /* Collision case C. */ 2288 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2289 new_asoc); 2290 break; 2291 2292 case 'D': /* Collision case D. */ 2293 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2294 new_asoc); 2295 break; 2296 2297 default: /* Discard packet for all others. */ 2298 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2299 break; 2300 } 2301 2302 /* Delete the temporary new association. */ 2303 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2304 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2305 2306 /* Restore association pointer to provide SCTP command interpreter 2307 * with a valid context in case it needs to manipulate 2308 * the queues */ 2309 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2310 SCTP_ASOC((struct sctp_association *)asoc)); 2311 2312 return retval; 2313 2314 nomem: 2315 return SCTP_DISPOSITION_NOMEM; 2316 } 2317 2318 /* 2319 * Process an ABORT. (SHUTDOWN-PENDING state) 2320 * 2321 * See sctp_sf_do_9_1_abort(). 2322 */ 2323 enum sctp_disposition sctp_sf_shutdown_pending_abort( 2324 struct net *net, 2325 const struct sctp_endpoint *ep, 2326 const struct sctp_association *asoc, 2327 const union sctp_subtype type, 2328 void *arg, 2329 struct sctp_cmd_seq *commands) 2330 { 2331 struct sctp_chunk *chunk = arg; 2332 2333 if (!sctp_vtag_verify_either(chunk, asoc)) 2334 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2335 2336 /* Make sure that the ABORT chunk has a valid length. 2337 * Since this is an ABORT chunk, we have to discard it 2338 * because of the following text: 2339 * RFC 2960, Section 3.3.7 2340 * If an endpoint receives an ABORT with a format error or for an 2341 * association that doesn't exist, it MUST silently discard it. 2342 * Because the length is "invalid", we can't really discard just 2343 * as we do not know its true length. So, to be safe, discard the 2344 * packet. 2345 */ 2346 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2347 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2348 2349 /* ADD-IP: Special case for ABORT chunks 2350 * F4) One special consideration is that ABORT Chunks arriving 2351 * destined to the IP address being deleted MUST be 2352 * ignored (see Section 5.3.1 for further details). 2353 */ 2354 if (SCTP_ADDR_DEL == 2355 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2356 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2357 2358 if (!sctp_err_chunk_valid(chunk)) 2359 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2360 2361 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2362 } 2363 2364 /* 2365 * Process an ABORT. (SHUTDOWN-SENT state) 2366 * 2367 * See sctp_sf_do_9_1_abort(). 2368 */ 2369 enum sctp_disposition sctp_sf_shutdown_sent_abort( 2370 struct net *net, 2371 const struct sctp_endpoint *ep, 2372 const struct sctp_association *asoc, 2373 const union sctp_subtype type, 2374 void *arg, 2375 struct sctp_cmd_seq *commands) 2376 { 2377 struct sctp_chunk *chunk = arg; 2378 2379 if (!sctp_vtag_verify_either(chunk, asoc)) 2380 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2381 2382 /* Make sure that the ABORT chunk has a valid length. 2383 * Since this is an ABORT chunk, we have to discard it 2384 * because of the following text: 2385 * RFC 2960, Section 3.3.7 2386 * If an endpoint receives an ABORT with a format error or for an 2387 * association that doesn't exist, it MUST silently discard it. 2388 * Because the length is "invalid", we can't really discard just 2389 * as we do not know its true length. So, to be safe, discard the 2390 * packet. 2391 */ 2392 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2393 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2394 2395 /* ADD-IP: Special case for ABORT chunks 2396 * F4) One special consideration is that ABORT Chunks arriving 2397 * destined to the IP address being deleted MUST be 2398 * ignored (see Section 5.3.1 for further details). 2399 */ 2400 if (SCTP_ADDR_DEL == 2401 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2402 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2403 2404 if (!sctp_err_chunk_valid(chunk)) 2405 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2406 2407 /* Stop the T2-shutdown timer. */ 2408 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2409 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2410 2411 /* Stop the T5-shutdown guard timer. */ 2412 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2413 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2414 2415 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2416 } 2417 2418 /* 2419 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2420 * 2421 * See sctp_sf_do_9_1_abort(). 2422 */ 2423 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( 2424 struct net *net, 2425 const struct sctp_endpoint *ep, 2426 const struct sctp_association *asoc, 2427 const union sctp_subtype type, 2428 void *arg, 2429 struct sctp_cmd_seq *commands) 2430 { 2431 /* The same T2 timer, so we should be able to use 2432 * common function with the SHUTDOWN-SENT state. 2433 */ 2434 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2435 } 2436 2437 /* 2438 * Handle an Error received in COOKIE_ECHOED state. 2439 * 2440 * Only handle the error type of stale COOKIE Error, the other errors will 2441 * be ignored. 2442 * 2443 * Inputs 2444 * (endpoint, asoc, chunk) 2445 * 2446 * Outputs 2447 * (asoc, reply_msg, msg_up, timers, counters) 2448 * 2449 * The return value is the disposition of the chunk. 2450 */ 2451 enum sctp_disposition sctp_sf_cookie_echoed_err( 2452 struct net *net, 2453 const struct sctp_endpoint *ep, 2454 const struct sctp_association *asoc, 2455 const union sctp_subtype type, 2456 void *arg, 2457 struct sctp_cmd_seq *commands) 2458 { 2459 struct sctp_chunk *chunk = arg; 2460 struct sctp_errhdr *err; 2461 2462 if (!sctp_vtag_verify(chunk, asoc)) 2463 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2464 2465 /* Make sure that the ERROR chunk has a valid length. 2466 * The parameter walking depends on this as well. 2467 */ 2468 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 2469 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2470 commands); 2471 2472 /* Process the error here */ 2473 /* FUTURE FIXME: When PR-SCTP related and other optional 2474 * parms are emitted, this will have to change to handle multiple 2475 * errors. 2476 */ 2477 sctp_walk_errors(err, chunk->chunk_hdr) { 2478 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2479 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2480 arg, commands); 2481 } 2482 2483 /* It is possible to have malformed error causes, and that 2484 * will cause us to end the walk early. However, since 2485 * we are discarding the packet, there should be no adverse 2486 * affects. 2487 */ 2488 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2489 } 2490 2491 /* 2492 * Handle a Stale COOKIE Error 2493 * 2494 * Section: 5.2.6 Handle Stale COOKIE Error 2495 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2496 * one of the following three alternatives. 2497 * ... 2498 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2499 * Preservative parameter requesting an extension to the lifetime of 2500 * the State Cookie. When calculating the time extension, an 2501 * implementation SHOULD use the RTT information measured based on the 2502 * previous COOKIE ECHO / ERROR exchange, and should add no more 2503 * than 1 second beyond the measured RTT, due to long State Cookie 2504 * lifetimes making the endpoint more subject to a replay attack. 2505 * 2506 * Verification Tag: Not explicit, but safe to ignore. 2507 * 2508 * Inputs 2509 * (endpoint, asoc, chunk) 2510 * 2511 * Outputs 2512 * (asoc, reply_msg, msg_up, timers, counters) 2513 * 2514 * The return value is the disposition of the chunk. 2515 */ 2516 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 2517 struct net *net, 2518 const struct sctp_endpoint *ep, 2519 const struct sctp_association *asoc, 2520 const union sctp_subtype type, 2521 void *arg, 2522 struct sctp_cmd_seq *commands) 2523 { 2524 int attempts = asoc->init_err_counter + 1; 2525 struct sctp_chunk *chunk = arg, *reply; 2526 struct sctp_cookie_preserve_param bht; 2527 struct sctp_bind_addr *bp; 2528 struct sctp_errhdr *err; 2529 u32 stale; 2530 2531 if (attempts > asoc->max_init_attempts) { 2532 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2533 SCTP_ERROR(ETIMEDOUT)); 2534 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2535 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2536 return SCTP_DISPOSITION_DELETE_TCB; 2537 } 2538 2539 err = (struct sctp_errhdr *)(chunk->skb->data); 2540 2541 /* When calculating the time extension, an implementation 2542 * SHOULD use the RTT information measured based on the 2543 * previous COOKIE ECHO / ERROR exchange, and should add no 2544 * more than 1 second beyond the measured RTT, due to long 2545 * State Cookie lifetimes making the endpoint more subject to 2546 * a replay attack. 2547 * Measure of Staleness's unit is usec. (1/1000000 sec) 2548 * Suggested Cookie Life-span Increment's unit is msec. 2549 * (1/1000 sec) 2550 * In general, if you use the suggested cookie life, the value 2551 * found in the field of measure of staleness should be doubled 2552 * to give ample time to retransmit the new cookie and thus 2553 * yield a higher probability of success on the reattempt. 2554 */ 2555 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); 2556 stale = (stale * 2) / 1000; 2557 2558 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2559 bht.param_hdr.length = htons(sizeof(bht)); 2560 bht.lifespan_increment = htonl(stale); 2561 2562 /* Build that new INIT chunk. */ 2563 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2564 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2565 if (!reply) 2566 goto nomem; 2567 2568 sctp_addto_chunk(reply, sizeof(bht), &bht); 2569 2570 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2571 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2572 2573 /* Stop pending T3-rtx and heartbeat timers */ 2574 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2575 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2576 2577 /* Delete non-primary peer ip addresses since we are transitioning 2578 * back to the COOKIE-WAIT state 2579 */ 2580 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2581 2582 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2583 * resend 2584 */ 2585 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2586 SCTP_TRANSPORT(asoc->peer.primary_path)); 2587 2588 /* Cast away the const modifier, as we want to just 2589 * rerun it through as a sideffect. 2590 */ 2591 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2592 2593 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2594 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2595 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2596 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2597 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2598 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2599 2600 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2601 2602 return SCTP_DISPOSITION_CONSUME; 2603 2604 nomem: 2605 return SCTP_DISPOSITION_NOMEM; 2606 } 2607 2608 /* 2609 * Process an ABORT. 2610 * 2611 * Section: 9.1 2612 * After checking the Verification Tag, the receiving endpoint shall 2613 * remove the association from its record, and shall report the 2614 * termination to its upper layer. 2615 * 2616 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2617 * B) Rules for packet carrying ABORT: 2618 * 2619 * - The endpoint shall always fill in the Verification Tag field of the 2620 * outbound packet with the destination endpoint's tag value if it 2621 * is known. 2622 * 2623 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2624 * MUST follow the procedure described in Section 8.4. 2625 * 2626 * - The receiver MUST accept the packet if the Verification Tag 2627 * matches either its own tag, OR the tag of its peer. Otherwise, the 2628 * receiver MUST silently discard the packet and take no further 2629 * action. 2630 * 2631 * Inputs 2632 * (endpoint, asoc, chunk) 2633 * 2634 * Outputs 2635 * (asoc, reply_msg, msg_up, timers, counters) 2636 * 2637 * The return value is the disposition of the chunk. 2638 */ 2639 enum sctp_disposition sctp_sf_do_9_1_abort( 2640 struct net *net, 2641 const struct sctp_endpoint *ep, 2642 const struct sctp_association *asoc, 2643 const union sctp_subtype type, 2644 void *arg, 2645 struct sctp_cmd_seq *commands) 2646 { 2647 struct sctp_chunk *chunk = arg; 2648 2649 if (!sctp_vtag_verify_either(chunk, asoc)) 2650 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2651 2652 /* Make sure that the ABORT chunk has a valid length. 2653 * Since this is an ABORT chunk, we have to discard it 2654 * because of the following text: 2655 * RFC 2960, Section 3.3.7 2656 * If an endpoint receives an ABORT with a format error or for an 2657 * association that doesn't exist, it MUST silently discard it. 2658 * Because the length is "invalid", we can't really discard just 2659 * as we do not know its true length. So, to be safe, discard the 2660 * packet. 2661 */ 2662 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2663 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2664 2665 /* ADD-IP: Special case for ABORT chunks 2666 * F4) One special consideration is that ABORT Chunks arriving 2667 * destined to the IP address being deleted MUST be 2668 * ignored (see Section 5.3.1 for further details). 2669 */ 2670 if (SCTP_ADDR_DEL == 2671 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2672 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2673 2674 if (!sctp_err_chunk_valid(chunk)) 2675 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2676 2677 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2678 } 2679 2680 static enum sctp_disposition __sctp_sf_do_9_1_abort( 2681 struct net *net, 2682 const struct sctp_endpoint *ep, 2683 const struct sctp_association *asoc, 2684 const union sctp_subtype type, 2685 void *arg, 2686 struct sctp_cmd_seq *commands) 2687 { 2688 __be16 error = SCTP_ERROR_NO_ERROR; 2689 struct sctp_chunk *chunk = arg; 2690 unsigned int len; 2691 2692 /* See if we have an error cause code in the chunk. */ 2693 len = ntohs(chunk->chunk_hdr->length); 2694 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2695 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2696 2697 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2698 /* ASSOC_FAILED will DELETE_TCB. */ 2699 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2700 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2701 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2702 2703 return SCTP_DISPOSITION_ABORT; 2704 } 2705 2706 /* 2707 * Process an ABORT. (COOKIE-WAIT state) 2708 * 2709 * See sctp_sf_do_9_1_abort() above. 2710 */ 2711 enum sctp_disposition sctp_sf_cookie_wait_abort( 2712 struct net *net, 2713 const struct sctp_endpoint *ep, 2714 const struct sctp_association *asoc, 2715 const union sctp_subtype type, 2716 void *arg, 2717 struct sctp_cmd_seq *commands) 2718 { 2719 __be16 error = SCTP_ERROR_NO_ERROR; 2720 struct sctp_chunk *chunk = arg; 2721 unsigned int len; 2722 2723 if (!sctp_vtag_verify_either(chunk, asoc)) 2724 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2725 2726 /* Make sure that the ABORT chunk has a valid length. 2727 * Since this is an ABORT chunk, we have to discard it 2728 * because of the following text: 2729 * RFC 2960, Section 3.3.7 2730 * If an endpoint receives an ABORT with a format error or for an 2731 * association that doesn't exist, it MUST silently discard it. 2732 * Because the length is "invalid", we can't really discard just 2733 * as we do not know its true length. So, to be safe, discard the 2734 * packet. 2735 */ 2736 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2737 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2738 2739 /* See if we have an error cause code in the chunk. */ 2740 len = ntohs(chunk->chunk_hdr->length); 2741 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2742 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2743 2744 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2745 chunk->transport); 2746 } 2747 2748 /* 2749 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2750 */ 2751 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( 2752 struct net *net, 2753 const struct sctp_endpoint *ep, 2754 const struct sctp_association *asoc, 2755 const union sctp_subtype type, 2756 void *arg, 2757 struct sctp_cmd_seq *commands) 2758 { 2759 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2760 ENOPROTOOPT, asoc, 2761 (struct sctp_transport *)arg); 2762 } 2763 2764 /* 2765 * Process an ABORT. (COOKIE-ECHOED state) 2766 */ 2767 enum sctp_disposition sctp_sf_cookie_echoed_abort( 2768 struct net *net, 2769 const struct sctp_endpoint *ep, 2770 const struct sctp_association *asoc, 2771 const union sctp_subtype type, 2772 void *arg, 2773 struct sctp_cmd_seq *commands) 2774 { 2775 /* There is a single T1 timer, so we should be able to use 2776 * common function with the COOKIE-WAIT state. 2777 */ 2778 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2779 } 2780 2781 /* 2782 * Stop T1 timer and abort association with "INIT failed". 2783 * 2784 * This is common code called by several sctp_sf_*_abort() functions above. 2785 */ 2786 static enum sctp_disposition sctp_stop_t1_and_abort( 2787 struct net *net, 2788 struct sctp_cmd_seq *commands, 2789 __be16 error, int sk_err, 2790 const struct sctp_association *asoc, 2791 struct sctp_transport *transport) 2792 { 2793 pr_debug("%s: ABORT received (INIT)\n", __func__); 2794 2795 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2796 SCTP_STATE(SCTP_STATE_CLOSED)); 2797 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2798 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2799 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2800 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2801 /* CMD_INIT_FAILED will DELETE_TCB. */ 2802 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2803 SCTP_PERR(error)); 2804 2805 return SCTP_DISPOSITION_ABORT; 2806 } 2807 2808 /* 2809 * sctp_sf_do_9_2_shut 2810 * 2811 * Section: 9.2 2812 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2813 * - enter the SHUTDOWN-RECEIVED state, 2814 * 2815 * - stop accepting new data from its SCTP user 2816 * 2817 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2818 * that all its outstanding DATA chunks have been received by the 2819 * SHUTDOWN sender. 2820 * 2821 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2822 * send a SHUTDOWN in response to a ULP request. And should discard 2823 * subsequent SHUTDOWN chunks. 2824 * 2825 * If there are still outstanding DATA chunks left, the SHUTDOWN 2826 * receiver shall continue to follow normal data transmission 2827 * procedures defined in Section 6 until all outstanding DATA chunks 2828 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2829 * new data from its SCTP user. 2830 * 2831 * Verification Tag: 8.5 Verification Tag [Normal verification] 2832 * 2833 * Inputs 2834 * (endpoint, asoc, chunk) 2835 * 2836 * Outputs 2837 * (asoc, reply_msg, msg_up, timers, counters) 2838 * 2839 * The return value is the disposition of the chunk. 2840 */ 2841 enum sctp_disposition sctp_sf_do_9_2_shutdown( 2842 struct net *net, 2843 const struct sctp_endpoint *ep, 2844 const struct sctp_association *asoc, 2845 const union sctp_subtype type, 2846 void *arg, 2847 struct sctp_cmd_seq *commands) 2848 { 2849 enum sctp_disposition disposition; 2850 struct sctp_chunk *chunk = arg; 2851 struct sctp_shutdownhdr *sdh; 2852 struct sctp_ulpevent *ev; 2853 __u32 ctsn; 2854 2855 if (!sctp_vtag_verify(chunk, asoc)) 2856 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2857 2858 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2859 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2860 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2861 commands); 2862 2863 /* Convert the elaborate header. */ 2864 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2865 skb_pull(chunk->skb, sizeof(*sdh)); 2866 chunk->subh.shutdown_hdr = sdh; 2867 ctsn = ntohl(sdh->cum_tsn_ack); 2868 2869 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2870 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2871 asoc->ctsn_ack_point); 2872 2873 return SCTP_DISPOSITION_DISCARD; 2874 } 2875 2876 /* If Cumulative TSN Ack beyond the max tsn currently 2877 * send, terminating the association and respond to the 2878 * sender with an ABORT. 2879 */ 2880 if (!TSN_lt(ctsn, asoc->next_tsn)) 2881 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2882 2883 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2884 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2885 * inform the application that it should cease sending data. 2886 */ 2887 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2888 if (!ev) { 2889 disposition = SCTP_DISPOSITION_NOMEM; 2890 goto out; 2891 } 2892 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2893 2894 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2895 * - enter the SHUTDOWN-RECEIVED state, 2896 * - stop accepting new data from its SCTP user 2897 * 2898 * [This is implicit in the new state.] 2899 */ 2900 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2901 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2902 disposition = SCTP_DISPOSITION_CONSUME; 2903 2904 if (sctp_outq_is_empty(&asoc->outqueue)) { 2905 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2906 arg, commands); 2907 } 2908 2909 if (SCTP_DISPOSITION_NOMEM == disposition) 2910 goto out; 2911 2912 /* - verify, by checking the Cumulative TSN Ack field of the 2913 * chunk, that all its outstanding DATA chunks have been 2914 * received by the SHUTDOWN sender. 2915 */ 2916 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2917 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2918 2919 out: 2920 return disposition; 2921 } 2922 2923 /* 2924 * sctp_sf_do_9_2_shut_ctsn 2925 * 2926 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2927 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2928 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2929 * MUST be processed. 2930 */ 2931 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( 2932 struct net *net, 2933 const struct sctp_endpoint *ep, 2934 const struct sctp_association *asoc, 2935 const union sctp_subtype type, 2936 void *arg, 2937 struct sctp_cmd_seq *commands) 2938 { 2939 struct sctp_chunk *chunk = arg; 2940 struct sctp_shutdownhdr *sdh; 2941 __u32 ctsn; 2942 2943 if (!sctp_vtag_verify(chunk, asoc)) 2944 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2945 2946 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2947 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2948 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2949 commands); 2950 2951 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2952 ctsn = ntohl(sdh->cum_tsn_ack); 2953 2954 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2955 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2956 asoc->ctsn_ack_point); 2957 2958 return SCTP_DISPOSITION_DISCARD; 2959 } 2960 2961 /* If Cumulative TSN Ack beyond the max tsn currently 2962 * send, terminating the association and respond to the 2963 * sender with an ABORT. 2964 */ 2965 if (!TSN_lt(ctsn, asoc->next_tsn)) 2966 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2967 2968 /* verify, by checking the Cumulative TSN Ack field of the 2969 * chunk, that all its outstanding DATA chunks have been 2970 * received by the SHUTDOWN sender. 2971 */ 2972 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2973 SCTP_BE32(sdh->cum_tsn_ack)); 2974 2975 return SCTP_DISPOSITION_CONSUME; 2976 } 2977 2978 /* RFC 2960 9.2 2979 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2980 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2981 * transport addresses (either in the IP addresses or in the INIT chunk) 2982 * that belong to this association, it should discard the INIT chunk and 2983 * retransmit the SHUTDOWN ACK chunk. 2984 */ 2985 static enum sctp_disposition 2986 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 2987 const struct sctp_association *asoc, 2988 const union sctp_subtype type, void *arg, 2989 struct sctp_cmd_seq *commands) 2990 { 2991 struct sctp_chunk *chunk = arg; 2992 struct sctp_chunk *reply; 2993 2994 /* Make sure that the chunk has a valid length */ 2995 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2996 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2997 commands); 2998 2999 /* Since we are not going to really process this INIT, there 3000 * is no point in verifying chunk boundaries. Just generate 3001 * the SHUTDOWN ACK. 3002 */ 3003 reply = sctp_make_shutdown_ack(asoc, chunk); 3004 if (NULL == reply) 3005 goto nomem; 3006 3007 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 3008 * the T2-SHUTDOWN timer. 3009 */ 3010 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 3011 3012 /* and restart the T2-shutdown timer. */ 3013 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3014 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3015 3016 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3017 3018 return SCTP_DISPOSITION_CONSUME; 3019 nomem: 3020 return SCTP_DISPOSITION_NOMEM; 3021 } 3022 3023 enum sctp_disposition 3024 sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 3025 const struct sctp_association *asoc, 3026 const union sctp_subtype type, void *arg, 3027 struct sctp_cmd_seq *commands) 3028 { 3029 struct sctp_chunk *chunk = arg; 3030 3031 if (!chunk->singleton) 3032 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3033 3034 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 3035 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3036 3037 if (chunk->sctp_hdr->vtag != 0) 3038 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3039 3040 return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); 3041 } 3042 3043 /* 3044 * sctp_sf_do_ecn_cwr 3045 * 3046 * Section: Appendix A: Explicit Congestion Notification 3047 * 3048 * CWR: 3049 * 3050 * RFC 2481 details a specific bit for a sender to send in the header of 3051 * its next outbound TCP segment to indicate to its peer that it has 3052 * reduced its congestion window. This is termed the CWR bit. For 3053 * SCTP the same indication is made by including the CWR chunk. 3054 * This chunk contains one data element, i.e. the TSN number that 3055 * was sent in the ECNE chunk. This element represents the lowest 3056 * TSN number in the datagram that was originally marked with the 3057 * CE bit. 3058 * 3059 * Verification Tag: 8.5 Verification Tag [Normal verification] 3060 * Inputs 3061 * (endpoint, asoc, chunk) 3062 * 3063 * Outputs 3064 * (asoc, reply_msg, msg_up, timers, counters) 3065 * 3066 * The return value is the disposition of the chunk. 3067 */ 3068 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, 3069 const struct sctp_endpoint *ep, 3070 const struct sctp_association *asoc, 3071 const union sctp_subtype type, 3072 void *arg, 3073 struct sctp_cmd_seq *commands) 3074 { 3075 struct sctp_chunk *chunk = arg; 3076 struct sctp_cwrhdr *cwr; 3077 u32 lowest_tsn; 3078 3079 if (!sctp_vtag_verify(chunk, asoc)) 3080 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3081 3082 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3083 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3084 commands); 3085 3086 cwr = (struct sctp_cwrhdr *)chunk->skb->data; 3087 skb_pull(chunk->skb, sizeof(*cwr)); 3088 3089 lowest_tsn = ntohl(cwr->lowest_tsn); 3090 3091 /* Does this CWR ack the last sent congestion notification? */ 3092 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 3093 /* Stop sending ECNE. */ 3094 sctp_add_cmd_sf(commands, 3095 SCTP_CMD_ECN_CWR, 3096 SCTP_U32(lowest_tsn)); 3097 } 3098 return SCTP_DISPOSITION_CONSUME; 3099 } 3100 3101 /* 3102 * sctp_sf_do_ecne 3103 * 3104 * Section: Appendix A: Explicit Congestion Notification 3105 * 3106 * ECN-Echo 3107 * 3108 * RFC 2481 details a specific bit for a receiver to send back in its 3109 * TCP acknowledgements to notify the sender of the Congestion 3110 * Experienced (CE) bit having arrived from the network. For SCTP this 3111 * same indication is made by including the ECNE chunk. This chunk 3112 * contains one data element, i.e. the lowest TSN associated with the IP 3113 * datagram marked with the CE bit..... 3114 * 3115 * Verification Tag: 8.5 Verification Tag [Normal verification] 3116 * Inputs 3117 * (endpoint, asoc, chunk) 3118 * 3119 * Outputs 3120 * (asoc, reply_msg, msg_up, timers, counters) 3121 * 3122 * The return value is the disposition of the chunk. 3123 */ 3124 enum sctp_disposition sctp_sf_do_ecne(struct net *net, 3125 const struct sctp_endpoint *ep, 3126 const struct sctp_association *asoc, 3127 const union sctp_subtype type, 3128 void *arg, struct sctp_cmd_seq *commands) 3129 { 3130 struct sctp_chunk *chunk = arg; 3131 struct sctp_ecnehdr *ecne; 3132 3133 if (!sctp_vtag_verify(chunk, asoc)) 3134 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3135 3136 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3137 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3138 commands); 3139 3140 ecne = (struct sctp_ecnehdr *)chunk->skb->data; 3141 skb_pull(chunk->skb, sizeof(*ecne)); 3142 3143 /* If this is a newer ECNE than the last CWR packet we sent out */ 3144 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 3145 SCTP_U32(ntohl(ecne->lowest_tsn))); 3146 3147 return SCTP_DISPOSITION_CONSUME; 3148 } 3149 3150 /* 3151 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 3152 * 3153 * The SCTP endpoint MUST always acknowledge the reception of each valid 3154 * DATA chunk. 3155 * 3156 * The guidelines on delayed acknowledgement algorithm specified in 3157 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 3158 * acknowledgement SHOULD be generated for at least every second packet 3159 * (not every second DATA chunk) received, and SHOULD be generated within 3160 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 3161 * situations it may be beneficial for an SCTP transmitter to be more 3162 * conservative than the algorithms detailed in this document allow. 3163 * However, an SCTP transmitter MUST NOT be more aggressive than the 3164 * following algorithms allow. 3165 * 3166 * A SCTP receiver MUST NOT generate more than one SACK for every 3167 * incoming packet, other than to update the offered window as the 3168 * receiving application consumes new data. 3169 * 3170 * Verification Tag: 8.5 Verification Tag [Normal verification] 3171 * 3172 * Inputs 3173 * (endpoint, asoc, chunk) 3174 * 3175 * Outputs 3176 * (asoc, reply_msg, msg_up, timers, counters) 3177 * 3178 * The return value is the disposition of the chunk. 3179 */ 3180 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, 3181 const struct sctp_endpoint *ep, 3182 const struct sctp_association *asoc, 3183 const union sctp_subtype type, 3184 void *arg, 3185 struct sctp_cmd_seq *commands) 3186 { 3187 union sctp_arg force = SCTP_NOFORCE(); 3188 struct sctp_chunk *chunk = arg; 3189 int error; 3190 3191 if (!sctp_vtag_verify(chunk, asoc)) { 3192 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3193 SCTP_NULL()); 3194 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3195 } 3196 3197 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3198 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3199 commands); 3200 3201 error = sctp_eat_data(asoc, chunk, commands); 3202 switch (error) { 3203 case SCTP_IERROR_NO_ERROR: 3204 break; 3205 case SCTP_IERROR_HIGH_TSN: 3206 case SCTP_IERROR_BAD_STREAM: 3207 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3208 goto discard_noforce; 3209 case SCTP_IERROR_DUP_TSN: 3210 case SCTP_IERROR_IGNORE_TSN: 3211 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3212 goto discard_force; 3213 case SCTP_IERROR_NO_DATA: 3214 return SCTP_DISPOSITION_ABORT; 3215 case SCTP_IERROR_PROTO_VIOLATION: 3216 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3217 (u8 *)chunk->subh.data_hdr, 3218 sctp_datahdr_len(&asoc->stream)); 3219 default: 3220 BUG(); 3221 } 3222 3223 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 3224 force = SCTP_FORCE(); 3225 3226 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3227 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3228 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3229 } 3230 3231 /* If this is the last chunk in a packet, we need to count it 3232 * toward sack generation. Note that we need to SACK every 3233 * OTHER packet containing data chunks, EVEN IF WE DISCARD 3234 * THEM. We elect to NOT generate SACK's if the chunk fails 3235 * the verification tag test. 3236 * 3237 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3238 * 3239 * The SCTP endpoint MUST always acknowledge the reception of 3240 * each valid DATA chunk. 3241 * 3242 * The guidelines on delayed acknowledgement algorithm 3243 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3244 * Specifically, an acknowledgement SHOULD be generated for at 3245 * least every second packet (not every second DATA chunk) 3246 * received, and SHOULD be generated within 200 ms of the 3247 * arrival of any unacknowledged DATA chunk. In some 3248 * situations it may be beneficial for an SCTP transmitter to 3249 * be more conservative than the algorithms detailed in this 3250 * document allow. However, an SCTP transmitter MUST NOT be 3251 * more aggressive than the following algorithms allow. 3252 */ 3253 if (chunk->end_of_packet) 3254 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3255 3256 return SCTP_DISPOSITION_CONSUME; 3257 3258 discard_force: 3259 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3260 * 3261 * When a packet arrives with duplicate DATA chunk(s) and with 3262 * no new DATA chunk(s), the endpoint MUST immediately send a 3263 * SACK with no delay. If a packet arrives with duplicate 3264 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3265 * MAY immediately send a SACK. Normally receipt of duplicate 3266 * DATA chunks will occur when the original SACK chunk was lost 3267 * and the peer's RTO has expired. The duplicate TSN number(s) 3268 * SHOULD be reported in the SACK as duplicate. 3269 */ 3270 /* In our case, we split the MAY SACK advice up whether or not 3271 * the last chunk is a duplicate.' 3272 */ 3273 if (chunk->end_of_packet) 3274 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3275 return SCTP_DISPOSITION_DISCARD; 3276 3277 discard_noforce: 3278 if (chunk->end_of_packet) 3279 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3280 3281 return SCTP_DISPOSITION_DISCARD; 3282 } 3283 3284 /* 3285 * sctp_sf_eat_data_fast_4_4 3286 * 3287 * Section: 4 (4) 3288 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3289 * DATA chunks without delay. 3290 * 3291 * Verification Tag: 8.5 Verification Tag [Normal verification] 3292 * Inputs 3293 * (endpoint, asoc, chunk) 3294 * 3295 * Outputs 3296 * (asoc, reply_msg, msg_up, timers, counters) 3297 * 3298 * The return value is the disposition of the chunk. 3299 */ 3300 enum sctp_disposition sctp_sf_eat_data_fast_4_4( 3301 struct net *net, 3302 const struct sctp_endpoint *ep, 3303 const struct sctp_association *asoc, 3304 const union sctp_subtype type, 3305 void *arg, 3306 struct sctp_cmd_seq *commands) 3307 { 3308 struct sctp_chunk *chunk = arg; 3309 int error; 3310 3311 if (!sctp_vtag_verify(chunk, asoc)) { 3312 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3313 SCTP_NULL()); 3314 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3315 } 3316 3317 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3318 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3319 commands); 3320 3321 error = sctp_eat_data(asoc, chunk, commands); 3322 switch (error) { 3323 case SCTP_IERROR_NO_ERROR: 3324 case SCTP_IERROR_HIGH_TSN: 3325 case SCTP_IERROR_DUP_TSN: 3326 case SCTP_IERROR_IGNORE_TSN: 3327 case SCTP_IERROR_BAD_STREAM: 3328 break; 3329 case SCTP_IERROR_NO_DATA: 3330 return SCTP_DISPOSITION_ABORT; 3331 case SCTP_IERROR_PROTO_VIOLATION: 3332 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3333 (u8 *)chunk->subh.data_hdr, 3334 sctp_datahdr_len(&asoc->stream)); 3335 default: 3336 BUG(); 3337 } 3338 3339 /* Go a head and force a SACK, since we are shutting down. */ 3340 3341 /* Implementor's Guide. 3342 * 3343 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3344 * respond to each received packet containing one or more DATA chunk(s) 3345 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3346 */ 3347 if (chunk->end_of_packet) { 3348 /* We must delay the chunk creation since the cumulative 3349 * TSN has not been updated yet. 3350 */ 3351 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3352 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3353 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3354 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3355 } 3356 3357 return SCTP_DISPOSITION_CONSUME; 3358 } 3359 3360 /* 3361 * Section: 6.2 Processing a Received SACK 3362 * D) Any time a SACK arrives, the endpoint performs the following: 3363 * 3364 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3365 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3366 * increasing, a SACK whose Cumulative TSN Ack is less than the 3367 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3368 * 3369 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3370 * of bytes still outstanding after processing the Cumulative TSN Ack 3371 * and the Gap Ack Blocks. 3372 * 3373 * iii) If the SACK is missing a TSN that was previously 3374 * acknowledged via a Gap Ack Block (e.g., the data receiver 3375 * reneged on the data), then mark the corresponding DATA chunk 3376 * as available for retransmit: Mark it as missing for fast 3377 * retransmit as described in Section 7.2.4 and if no retransmit 3378 * timer is running for the destination address to which the DATA 3379 * chunk was originally transmitted, then T3-rtx is started for 3380 * that destination address. 3381 * 3382 * Verification Tag: 8.5 Verification Tag [Normal verification] 3383 * 3384 * Inputs 3385 * (endpoint, asoc, chunk) 3386 * 3387 * Outputs 3388 * (asoc, reply_msg, msg_up, timers, counters) 3389 * 3390 * The return value is the disposition of the chunk. 3391 */ 3392 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net, 3393 const struct sctp_endpoint *ep, 3394 const struct sctp_association *asoc, 3395 const union sctp_subtype type, 3396 void *arg, 3397 struct sctp_cmd_seq *commands) 3398 { 3399 struct sctp_chunk *chunk = arg; 3400 struct sctp_sackhdr *sackh; 3401 __u32 ctsn; 3402 3403 if (!sctp_vtag_verify(chunk, asoc)) 3404 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3405 3406 /* Make sure that the SACK chunk has a valid length. */ 3407 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk))) 3408 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3409 commands); 3410 3411 /* Pull the SACK chunk from the data buffer */ 3412 sackh = sctp_sm_pull_sack(chunk); 3413 /* Was this a bogus SACK? */ 3414 if (!sackh) 3415 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3416 chunk->subh.sack_hdr = sackh; 3417 ctsn = ntohl(sackh->cum_tsn_ack); 3418 3419 /* If Cumulative TSN Ack beyond the max tsn currently 3420 * send, terminating the association and respond to the 3421 * sender with an ABORT. 3422 */ 3423 if (TSN_lte(asoc->next_tsn, ctsn)) 3424 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3425 3426 trace_sctp_probe(ep, asoc, chunk); 3427 3428 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3429 * Ack Point, then drop the SACK. Since Cumulative TSN 3430 * Ack is monotonically increasing, a SACK whose 3431 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3432 * Point indicates an out-of-order SACK. 3433 */ 3434 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3435 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3436 asoc->ctsn_ack_point); 3437 3438 return SCTP_DISPOSITION_DISCARD; 3439 } 3440 3441 /* Return this SACK for further processing. */ 3442 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3443 3444 /* Note: We do the rest of the work on the PROCESS_SACK 3445 * sideeffect. 3446 */ 3447 return SCTP_DISPOSITION_CONSUME; 3448 } 3449 3450 /* 3451 * Generate an ABORT in response to a packet. 3452 * 3453 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3454 * 3455 * 8) The receiver should respond to the sender of the OOTB packet with 3456 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3457 * MUST fill in the Verification Tag field of the outbound packet 3458 * with the value found in the Verification Tag field of the OOTB 3459 * packet and set the T-bit in the Chunk Flags to indicate that the 3460 * Verification Tag is reflected. After sending this ABORT, the 3461 * receiver of the OOTB packet shall discard the OOTB packet and take 3462 * no further action. 3463 * 3464 * Verification Tag: 3465 * 3466 * The return value is the disposition of the chunk. 3467 */ 3468 static enum sctp_disposition sctp_sf_tabort_8_4_8( 3469 struct net *net, 3470 const struct sctp_endpoint *ep, 3471 const struct sctp_association *asoc, 3472 const union sctp_subtype type, 3473 void *arg, 3474 struct sctp_cmd_seq *commands) 3475 { 3476 struct sctp_packet *packet = NULL; 3477 struct sctp_chunk *chunk = arg; 3478 struct sctp_chunk *abort; 3479 3480 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3481 if (!packet) 3482 return SCTP_DISPOSITION_NOMEM; 3483 3484 /* Make an ABORT. The T bit will be set if the asoc 3485 * is NULL. 3486 */ 3487 abort = sctp_make_abort(asoc, chunk, 0); 3488 if (!abort) { 3489 sctp_ootb_pkt_free(packet); 3490 return SCTP_DISPOSITION_NOMEM; 3491 } 3492 3493 /* Reflect vtag if T-Bit is set */ 3494 if (sctp_test_T_bit(abort)) 3495 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3496 3497 /* Set the skb to the belonging sock for accounting. */ 3498 abort->skb->sk = ep->base.sk; 3499 3500 sctp_packet_append_chunk(packet, abort); 3501 3502 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet)); 3503 3504 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3505 3506 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3507 return SCTP_DISPOSITION_CONSUME; 3508 } 3509 3510 /* Handling of SCTP Packets Containing an INIT Chunk Matching an 3511 * Existing Associations when the UDP encap port is incorrect. 3512 * 3513 * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03. 3514 */ 3515 static enum sctp_disposition sctp_sf_new_encap_port( 3516 struct net *net, 3517 const struct sctp_endpoint *ep, 3518 const struct sctp_association *asoc, 3519 const union sctp_subtype type, 3520 void *arg, 3521 struct sctp_cmd_seq *commands) 3522 { 3523 struct sctp_packet *packet = NULL; 3524 struct sctp_chunk *chunk = arg; 3525 struct sctp_chunk *abort; 3526 3527 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3528 if (!packet) 3529 return SCTP_DISPOSITION_NOMEM; 3530 3531 abort = sctp_make_new_encap_port(asoc, chunk); 3532 if (!abort) { 3533 sctp_ootb_pkt_free(packet); 3534 return SCTP_DISPOSITION_NOMEM; 3535 } 3536 3537 abort->skb->sk = ep->base.sk; 3538 3539 sctp_packet_append_chunk(packet, abort); 3540 3541 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3542 SCTP_PACKET(packet)); 3543 3544 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3545 3546 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3547 return SCTP_DISPOSITION_CONSUME; 3548 } 3549 3550 /* 3551 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3552 * event as ULP notification for each cause included in the chunk. 3553 * 3554 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3555 * 3556 * The return value is the disposition of the chunk. 3557 */ 3558 enum sctp_disposition sctp_sf_operr_notify(struct net *net, 3559 const struct sctp_endpoint *ep, 3560 const struct sctp_association *asoc, 3561 const union sctp_subtype type, 3562 void *arg, 3563 struct sctp_cmd_seq *commands) 3564 { 3565 struct sctp_chunk *chunk = arg; 3566 struct sctp_errhdr *err; 3567 3568 if (!sctp_vtag_verify(chunk, asoc)) 3569 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3570 3571 /* Make sure that the ERROR chunk has a valid length. */ 3572 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 3573 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3574 commands); 3575 sctp_walk_errors(err, chunk->chunk_hdr); 3576 if ((void *)err != (void *)chunk->chunk_end) 3577 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3578 (void *)err, commands); 3579 3580 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3581 SCTP_CHUNK(chunk)); 3582 3583 return SCTP_DISPOSITION_CONSUME; 3584 } 3585 3586 /* 3587 * Process an inbound SHUTDOWN ACK. 3588 * 3589 * From Section 9.2: 3590 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3591 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3592 * peer, and remove all record of the association. 3593 * 3594 * The return value is the disposition. 3595 */ 3596 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, 3597 const struct sctp_endpoint *ep, 3598 const struct sctp_association *asoc, 3599 const union sctp_subtype type, 3600 void *arg, 3601 struct sctp_cmd_seq *commands) 3602 { 3603 struct sctp_chunk *chunk = arg; 3604 struct sctp_chunk *reply; 3605 struct sctp_ulpevent *ev; 3606 3607 if (!sctp_vtag_verify(chunk, asoc)) 3608 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3609 3610 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3611 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3612 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3613 commands); 3614 /* 10.2 H) SHUTDOWN COMPLETE notification 3615 * 3616 * When SCTP completes the shutdown procedures (section 9.2) this 3617 * notification is passed to the upper layer. 3618 */ 3619 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3620 0, 0, 0, NULL, GFP_ATOMIC); 3621 if (!ev) 3622 goto nomem; 3623 3624 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3625 reply = sctp_make_shutdown_complete(asoc, chunk); 3626 if (!reply) 3627 goto nomem_chunk; 3628 3629 /* Do all the commands now (after allocation), so that we 3630 * have consistent state if memory allocation fails 3631 */ 3632 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3633 3634 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3635 * stop the T2-shutdown timer, 3636 */ 3637 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3638 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3639 3640 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3641 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3642 3643 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3644 SCTP_STATE(SCTP_STATE_CLOSED)); 3645 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3646 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3647 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3648 3649 /* ...and remove all record of the association. */ 3650 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3651 return SCTP_DISPOSITION_DELETE_TCB; 3652 3653 nomem_chunk: 3654 sctp_ulpevent_free(ev); 3655 nomem: 3656 return SCTP_DISPOSITION_NOMEM; 3657 } 3658 3659 /* 3660 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3661 * 3662 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3663 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3664 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3665 * packet must fill in the Verification Tag field of the outbound 3666 * packet with the Verification Tag received in the SHUTDOWN ACK and 3667 * set the T-bit in the Chunk Flags to indicate that the Verification 3668 * Tag is reflected. 3669 * 3670 * 8) The receiver should respond to the sender of the OOTB packet with 3671 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3672 * MUST fill in the Verification Tag field of the outbound packet 3673 * with the value found in the Verification Tag field of the OOTB 3674 * packet and set the T-bit in the Chunk Flags to indicate that the 3675 * Verification Tag is reflected. After sending this ABORT, the 3676 * receiver of the OOTB packet shall discard the OOTB packet and take 3677 * no further action. 3678 */ 3679 enum sctp_disposition sctp_sf_ootb(struct net *net, 3680 const struct sctp_endpoint *ep, 3681 const struct sctp_association *asoc, 3682 const union sctp_subtype type, 3683 void *arg, struct sctp_cmd_seq *commands) 3684 { 3685 struct sctp_chunk *chunk = arg; 3686 struct sk_buff *skb = chunk->skb; 3687 struct sctp_chunkhdr *ch; 3688 struct sctp_errhdr *err; 3689 int ootb_cookie_ack = 0; 3690 int ootb_shut_ack = 0; 3691 __u8 *ch_end; 3692 3693 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3694 3695 if (asoc && !sctp_vtag_verify(chunk, asoc)) 3696 asoc = NULL; 3697 3698 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; 3699 do { 3700 /* Report violation if the chunk is less then minimal */ 3701 if (ntohs(ch->length) < sizeof(*ch)) 3702 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3703 commands); 3704 3705 /* Report violation if chunk len overflows */ 3706 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); 3707 if (ch_end > skb_tail_pointer(skb)) 3708 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3709 commands); 3710 3711 /* Now that we know we at least have a chunk header, 3712 * do things that are type appropriate. 3713 */ 3714 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3715 ootb_shut_ack = 1; 3716 3717 /* RFC 2960, Section 3.3.7 3718 * Moreover, under any circumstances, an endpoint that 3719 * receives an ABORT MUST NOT respond to that ABORT by 3720 * sending an ABORT of its own. 3721 */ 3722 if (SCTP_CID_ABORT == ch->type) 3723 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3724 3725 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3726 * or a COOKIE ACK the SCTP Packet should be silently 3727 * discarded. 3728 */ 3729 3730 if (SCTP_CID_COOKIE_ACK == ch->type) 3731 ootb_cookie_ack = 1; 3732 3733 if (SCTP_CID_ERROR == ch->type) { 3734 sctp_walk_errors(err, ch) { 3735 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3736 ootb_cookie_ack = 1; 3737 break; 3738 } 3739 } 3740 } 3741 3742 ch = (struct sctp_chunkhdr *)ch_end; 3743 } while (ch_end < skb_tail_pointer(skb)); 3744 3745 if (ootb_shut_ack) 3746 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3747 else if (ootb_cookie_ack) 3748 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3749 else 3750 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3751 } 3752 3753 /* 3754 * Handle an "Out of the blue" SHUTDOWN ACK. 3755 * 3756 * Section: 8.4 5, sctpimpguide 2.41. 3757 * 3758 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3759 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3760 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3761 * packet must fill in the Verification Tag field of the outbound 3762 * packet with the Verification Tag received in the SHUTDOWN ACK and 3763 * set the T-bit in the Chunk Flags to indicate that the Verification 3764 * Tag is reflected. 3765 * 3766 * Inputs 3767 * (endpoint, asoc, type, arg, commands) 3768 * 3769 * Outputs 3770 * (enum sctp_disposition) 3771 * 3772 * The return value is the disposition of the chunk. 3773 */ 3774 static enum sctp_disposition sctp_sf_shut_8_4_5( 3775 struct net *net, 3776 const struct sctp_endpoint *ep, 3777 const struct sctp_association *asoc, 3778 const union sctp_subtype type, 3779 void *arg, 3780 struct sctp_cmd_seq *commands) 3781 { 3782 struct sctp_packet *packet = NULL; 3783 struct sctp_chunk *chunk = arg; 3784 struct sctp_chunk *shut; 3785 3786 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3787 if (!packet) 3788 return SCTP_DISPOSITION_NOMEM; 3789 3790 /* Make an SHUTDOWN_COMPLETE. 3791 * The T bit will be set if the asoc is NULL. 3792 */ 3793 shut = sctp_make_shutdown_complete(asoc, chunk); 3794 if (!shut) { 3795 sctp_ootb_pkt_free(packet); 3796 return SCTP_DISPOSITION_NOMEM; 3797 } 3798 3799 /* Reflect vtag if T-Bit is set */ 3800 if (sctp_test_T_bit(shut)) 3801 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3802 3803 /* Set the skb to the belonging sock for accounting. */ 3804 shut->skb->sk = ep->base.sk; 3805 3806 sctp_packet_append_chunk(packet, shut); 3807 3808 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3809 SCTP_PACKET(packet)); 3810 3811 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3812 3813 /* We need to discard the rest of the packet to prevent 3814 * potential boomming attacks from additional bundled chunks. 3815 * This is documented in SCTP Threats ID. 3816 */ 3817 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3818 } 3819 3820 /* 3821 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3822 * 3823 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3824 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3825 * procedures in section 8.4 SHOULD be followed, in other words it 3826 * should be treated as an Out Of The Blue packet. 3827 * [This means that we do NOT check the Verification Tag on these 3828 * chunks. --piggy ] 3829 * 3830 */ 3831 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, 3832 const struct sctp_endpoint *ep, 3833 const struct sctp_association *asoc, 3834 const union sctp_subtype type, 3835 void *arg, 3836 struct sctp_cmd_seq *commands) 3837 { 3838 struct sctp_chunk *chunk = arg; 3839 3840 if (!sctp_vtag_verify(chunk, asoc)) 3841 asoc = NULL; 3842 3843 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3844 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3845 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3846 commands); 3847 3848 /* Although we do have an association in this case, it corresponds 3849 * to a restarted association. So the packet is treated as an OOTB 3850 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3851 * called with a NULL association. 3852 */ 3853 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3854 3855 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3856 } 3857 3858 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3859 enum sctp_disposition sctp_sf_do_asconf(struct net *net, 3860 const struct sctp_endpoint *ep, 3861 const struct sctp_association *asoc, 3862 const union sctp_subtype type, 3863 void *arg, 3864 struct sctp_cmd_seq *commands) 3865 { 3866 struct sctp_paramhdr *err_param = NULL; 3867 struct sctp_chunk *asconf_ack = NULL; 3868 struct sctp_chunk *chunk = arg; 3869 struct sctp_addiphdr *hdr; 3870 __u32 serial; 3871 3872 if (!sctp_vtag_verify(chunk, asoc)) { 3873 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3874 SCTP_NULL()); 3875 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3876 } 3877 3878 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3879 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) 3880 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3881 commands); 3882 3883 /* ADD-IP: Section 4.1.1 3884 * This chunk MUST be sent in an authenticated way by using 3885 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3886 * is received unauthenticated it MUST be silently discarded as 3887 * described in [I-D.ietf-tsvwg-sctp-auth]. 3888 */ 3889 if (!asoc->peer.asconf_capable || 3890 (!net->sctp.addip_noauth && !chunk->auth)) 3891 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3892 3893 hdr = (struct sctp_addiphdr *)chunk->skb->data; 3894 serial = ntohl(hdr->serial); 3895 3896 /* Verify the ASCONF chunk before processing it. */ 3897 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3898 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3899 (void *)err_param, commands); 3900 3901 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3902 * the endpoint stored in a new association variable 3903 * 'Peer-Serial-Number'. 3904 */ 3905 if (serial == asoc->peer.addip_serial + 1) { 3906 /* If this is the first instance of ASCONF in the packet, 3907 * we can clean our old ASCONF-ACKs. 3908 */ 3909 if (!chunk->has_asconf) 3910 sctp_assoc_clean_asconf_ack_cache(asoc); 3911 3912 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3913 * expected, process the ASCONF as described below and after 3914 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3915 * the response packet and cache a copy of it (in the event it 3916 * later needs to be retransmitted). 3917 * 3918 * Essentially, do V1-V5. 3919 */ 3920 asconf_ack = sctp_process_asconf((struct sctp_association *) 3921 asoc, chunk); 3922 if (!asconf_ack) 3923 return SCTP_DISPOSITION_NOMEM; 3924 } else if (serial < asoc->peer.addip_serial + 1) { 3925 /* ADDIP 5.2 E2) 3926 * If the value found in the Sequence Number is less than the 3927 * ('Peer- Sequence-Number' + 1), simply skip to the next 3928 * ASCONF, and include in the outbound response packet 3929 * any previously cached ASCONF-ACK response that was 3930 * sent and saved that matches the Sequence Number of the 3931 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3932 * Chunk exists. This will occur when an older ASCONF 3933 * arrives out of order. In such a case, the receiver 3934 * should skip the ASCONF Chunk and not include ASCONF-ACK 3935 * Chunk for that chunk. 3936 */ 3937 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3938 if (!asconf_ack) 3939 return SCTP_DISPOSITION_DISCARD; 3940 3941 /* Reset the transport so that we select the correct one 3942 * this time around. This is to make sure that we don't 3943 * accidentally use a stale transport that's been removed. 3944 */ 3945 asconf_ack->transport = NULL; 3946 } else { 3947 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3948 * it must be either a stale packet or from an attacker. 3949 */ 3950 return SCTP_DISPOSITION_DISCARD; 3951 } 3952 3953 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3954 * containing the ASCONF-ACK Chunks MUST be the source address of 3955 * the SCTP packet that held the ASCONF Chunks. 3956 * 3957 * To do this properly, we'll set the destination address of the chunk 3958 * and at the transmit time, will try look up the transport to use. 3959 * Since ASCONFs may be bundled, the correct transport may not be 3960 * created until we process the entire packet, thus this workaround. 3961 */ 3962 asconf_ack->dest = chunk->source; 3963 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3964 if (asoc->new_transport) { 3965 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3966 ((struct sctp_association *)asoc)->new_transport = NULL; 3967 } 3968 3969 return SCTP_DISPOSITION_CONSUME; 3970 } 3971 3972 static enum sctp_disposition sctp_send_next_asconf( 3973 struct net *net, 3974 const struct sctp_endpoint *ep, 3975 struct sctp_association *asoc, 3976 const union sctp_subtype type, 3977 struct sctp_cmd_seq *commands) 3978 { 3979 struct sctp_chunk *asconf; 3980 struct list_head *entry; 3981 3982 if (list_empty(&asoc->addip_chunk_list)) 3983 return SCTP_DISPOSITION_CONSUME; 3984 3985 entry = asoc->addip_chunk_list.next; 3986 asconf = list_entry(entry, struct sctp_chunk, list); 3987 3988 list_del_init(entry); 3989 sctp_chunk_hold(asconf); 3990 asoc->addip_last_asconf = asconf; 3991 3992 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands); 3993 } 3994 3995 /* 3996 * ADDIP Section 4.3 General rules for address manipulation 3997 * When building TLV parameters for the ASCONF Chunk that will add or 3998 * delete IP addresses the D0 to D13 rules should be applied: 3999 */ 4000 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, 4001 const struct sctp_endpoint *ep, 4002 const struct sctp_association *asoc, 4003 const union sctp_subtype type, 4004 void *arg, 4005 struct sctp_cmd_seq *commands) 4006 { 4007 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 4008 struct sctp_paramhdr *err_param = NULL; 4009 struct sctp_chunk *asconf_ack = arg; 4010 struct sctp_addiphdr *addip_hdr; 4011 __u32 sent_serial, rcvd_serial; 4012 struct sctp_chunk *abort; 4013 4014 if (!sctp_vtag_verify(asconf_ack, asoc)) { 4015 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4016 SCTP_NULL()); 4017 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4018 } 4019 4020 /* Make sure that the ADDIP chunk has a valid length. */ 4021 if (!sctp_chunk_length_valid(asconf_ack, 4022 sizeof(struct sctp_addip_chunk))) 4023 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4024 commands); 4025 4026 /* ADD-IP, Section 4.1.2: 4027 * This chunk MUST be sent in an authenticated way by using 4028 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 4029 * is received unauthenticated it MUST be silently discarded as 4030 * described in [I-D.ietf-tsvwg-sctp-auth]. 4031 */ 4032 if (!asoc->peer.asconf_capable || 4033 (!net->sctp.addip_noauth && !asconf_ack->auth)) 4034 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4035 4036 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; 4037 rcvd_serial = ntohl(addip_hdr->serial); 4038 4039 /* Verify the ASCONF-ACK chunk before processing it. */ 4040 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 4041 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 4042 (void *)err_param, commands); 4043 4044 if (last_asconf) { 4045 addip_hdr = last_asconf->subh.addip_hdr; 4046 sent_serial = ntohl(addip_hdr->serial); 4047 } else { 4048 sent_serial = asoc->addip_serial - 1; 4049 } 4050 4051 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 4052 * equal to the next serial number to be used but no ASCONF chunk is 4053 * outstanding the endpoint MUST ABORT the association. Note that a 4054 * sequence number is greater than if it is no more than 2^^31-1 4055 * larger than the current sequence number (using serial arithmetic). 4056 */ 4057 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 4058 !(asoc->addip_last_asconf)) { 4059 abort = sctp_make_abort(asoc, asconf_ack, 4060 sizeof(struct sctp_errhdr)); 4061 if (abort) { 4062 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 4063 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4064 SCTP_CHUNK(abort)); 4065 } 4066 /* We are going to ABORT, so we might as well stop 4067 * processing the rest of the chunks in the packet. 4068 */ 4069 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4070 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4071 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4072 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4073 SCTP_ERROR(ECONNABORTED)); 4074 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4075 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 4076 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4077 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4078 return SCTP_DISPOSITION_ABORT; 4079 } 4080 4081 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 4082 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4083 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4084 4085 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 4086 asconf_ack)) 4087 return sctp_send_next_asconf(net, ep, 4088 (struct sctp_association *)asoc, 4089 type, commands); 4090 4091 abort = sctp_make_abort(asoc, asconf_ack, 4092 sizeof(struct sctp_errhdr)); 4093 if (abort) { 4094 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 4095 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4096 SCTP_CHUNK(abort)); 4097 } 4098 /* We are going to ABORT, so we might as well stop 4099 * processing the rest of the chunks in the packet. 4100 */ 4101 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4102 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4103 SCTP_ERROR(ECONNABORTED)); 4104 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4105 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 4106 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4107 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4108 return SCTP_DISPOSITION_ABORT; 4109 } 4110 4111 return SCTP_DISPOSITION_DISCARD; 4112 } 4113 4114 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */ 4115 enum sctp_disposition sctp_sf_do_reconf(struct net *net, 4116 const struct sctp_endpoint *ep, 4117 const struct sctp_association *asoc, 4118 const union sctp_subtype type, 4119 void *arg, 4120 struct sctp_cmd_seq *commands) 4121 { 4122 struct sctp_paramhdr *err_param = NULL; 4123 struct sctp_chunk *chunk = arg; 4124 struct sctp_reconf_chunk *hdr; 4125 union sctp_params param; 4126 4127 if (!sctp_vtag_verify(chunk, asoc)) { 4128 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4129 SCTP_NULL()); 4130 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4131 } 4132 4133 /* Make sure that the RECONF chunk has a valid length. */ 4134 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr))) 4135 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4136 commands); 4137 4138 if (!sctp_verify_reconf(asoc, chunk, &err_param)) 4139 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 4140 (void *)err_param, commands); 4141 4142 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr; 4143 sctp_walk_params(param, hdr) { 4144 struct sctp_chunk *reply = NULL; 4145 struct sctp_ulpevent *ev = NULL; 4146 4147 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST) 4148 reply = sctp_process_strreset_outreq( 4149 (struct sctp_association *)asoc, param, &ev); 4150 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST) 4151 reply = sctp_process_strreset_inreq( 4152 (struct sctp_association *)asoc, param, &ev); 4153 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST) 4154 reply = sctp_process_strreset_tsnreq( 4155 (struct sctp_association *)asoc, param, &ev); 4156 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) 4157 reply = sctp_process_strreset_addstrm_out( 4158 (struct sctp_association *)asoc, param, &ev); 4159 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS) 4160 reply = sctp_process_strreset_addstrm_in( 4161 (struct sctp_association *)asoc, param, &ev); 4162 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE) 4163 reply = sctp_process_strreset_resp( 4164 (struct sctp_association *)asoc, param, &ev); 4165 4166 if (ev) 4167 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4168 SCTP_ULPEVENT(ev)); 4169 4170 if (reply) 4171 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4172 SCTP_CHUNK(reply)); 4173 } 4174 4175 return SCTP_DISPOSITION_CONSUME; 4176 } 4177 4178 /* 4179 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 4180 * 4181 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 4182 * its cumulative TSN point to the value carried in the FORWARD TSN 4183 * chunk, and then MUST further advance its cumulative TSN point locally 4184 * if possible. 4185 * After the above processing, the data receiver MUST stop reporting any 4186 * missing TSNs earlier than or equal to the new cumulative TSN point. 4187 * 4188 * Verification Tag: 8.5 Verification Tag [Normal verification] 4189 * 4190 * The return value is the disposition of the chunk. 4191 */ 4192 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net, 4193 const struct sctp_endpoint *ep, 4194 const struct sctp_association *asoc, 4195 const union sctp_subtype type, 4196 void *arg, 4197 struct sctp_cmd_seq *commands) 4198 { 4199 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4200 struct sctp_chunk *chunk = arg; 4201 __u16 len; 4202 __u32 tsn; 4203 4204 if (!sctp_vtag_verify(chunk, asoc)) { 4205 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4206 SCTP_NULL()); 4207 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4208 } 4209 4210 if (!asoc->peer.prsctp_capable) 4211 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4212 4213 /* Make sure that the FORWARD_TSN chunk has valid length. */ 4214 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4215 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4216 commands); 4217 4218 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4219 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4220 len = ntohs(chunk->chunk_hdr->length); 4221 len -= sizeof(struct sctp_chunkhdr); 4222 skb_pull(chunk->skb, len); 4223 4224 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4225 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4226 4227 /* The TSN is too high--silently discard the chunk and count on it 4228 * getting retransmitted later. 4229 */ 4230 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4231 goto discard_noforce; 4232 4233 if (!asoc->stream.si->validate_ftsn(chunk)) 4234 goto discard_noforce; 4235 4236 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4237 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4238 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4239 SCTP_CHUNK(chunk)); 4240 4241 /* Count this as receiving DATA. */ 4242 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 4243 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4244 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4245 } 4246 4247 /* FIXME: For now send a SACK, but DATA processing may 4248 * send another. 4249 */ 4250 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 4251 4252 return SCTP_DISPOSITION_CONSUME; 4253 4254 discard_noforce: 4255 return SCTP_DISPOSITION_DISCARD; 4256 } 4257 4258 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( 4259 struct net *net, 4260 const struct sctp_endpoint *ep, 4261 const struct sctp_association *asoc, 4262 const union sctp_subtype type, 4263 void *arg, 4264 struct sctp_cmd_seq *commands) 4265 { 4266 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4267 struct sctp_chunk *chunk = arg; 4268 __u16 len; 4269 __u32 tsn; 4270 4271 if (!sctp_vtag_verify(chunk, asoc)) { 4272 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4273 SCTP_NULL()); 4274 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4275 } 4276 4277 if (!asoc->peer.prsctp_capable) 4278 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4279 4280 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 4281 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4282 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4283 commands); 4284 4285 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4286 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4287 len = ntohs(chunk->chunk_hdr->length); 4288 len -= sizeof(struct sctp_chunkhdr); 4289 skb_pull(chunk->skb, len); 4290 4291 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4292 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4293 4294 /* The TSN is too high--silently discard the chunk and count on it 4295 * getting retransmitted later. 4296 */ 4297 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4298 goto gen_shutdown; 4299 4300 if (!asoc->stream.si->validate_ftsn(chunk)) 4301 goto gen_shutdown; 4302 4303 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4304 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4305 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4306 SCTP_CHUNK(chunk)); 4307 4308 /* Go a head and force a SACK, since we are shutting down. */ 4309 gen_shutdown: 4310 /* Implementor's Guide. 4311 * 4312 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 4313 * respond to each received packet containing one or more DATA chunk(s) 4314 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 4315 */ 4316 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 4317 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4318 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4319 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4320 4321 return SCTP_DISPOSITION_CONSUME; 4322 } 4323 4324 /* 4325 * SCTP-AUTH Section 6.3 Receiving authenticated chunks 4326 * 4327 * The receiver MUST use the HMAC algorithm indicated in the HMAC 4328 * Identifier field. If this algorithm was not specified by the 4329 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 4330 * during association setup, the AUTH chunk and all chunks after it MUST 4331 * be discarded and an ERROR chunk SHOULD be sent with the error cause 4332 * defined in Section 4.1. 4333 * 4334 * If an endpoint with no shared key receives a Shared Key Identifier 4335 * other than 0, it MUST silently discard all authenticated chunks. If 4336 * the endpoint has at least one endpoint pair shared key for the peer, 4337 * it MUST use the key specified by the Shared Key Identifier if a 4338 * key has been configured for that Shared Key Identifier. If no 4339 * endpoint pair shared key has been configured for that Shared Key 4340 * Identifier, all authenticated chunks MUST be silently discarded. 4341 * 4342 * Verification Tag: 8.5 Verification Tag [Normal verification] 4343 * 4344 * The return value is the disposition of the chunk. 4345 */ 4346 static enum sctp_ierror sctp_sf_authenticate( 4347 const struct sctp_association *asoc, 4348 struct sctp_chunk *chunk) 4349 { 4350 struct sctp_shared_key *sh_key = NULL; 4351 struct sctp_authhdr *auth_hdr; 4352 __u8 *save_digest, *digest; 4353 struct sctp_hmac *hmac; 4354 unsigned int sig_len; 4355 __u16 key_id; 4356 4357 /* Pull in the auth header, so we can do some more verification */ 4358 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4359 chunk->subh.auth_hdr = auth_hdr; 4360 skb_pull(chunk->skb, sizeof(*auth_hdr)); 4361 4362 /* Make sure that we support the HMAC algorithm from the auth 4363 * chunk. 4364 */ 4365 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4366 return SCTP_IERROR_AUTH_BAD_HMAC; 4367 4368 /* Make sure that the provided shared key identifier has been 4369 * configured 4370 */ 4371 key_id = ntohs(auth_hdr->shkey_id); 4372 if (key_id != asoc->active_key_id) { 4373 sh_key = sctp_auth_get_shkey(asoc, key_id); 4374 if (!sh_key) 4375 return SCTP_IERROR_AUTH_BAD_KEYID; 4376 } 4377 4378 /* Make sure that the length of the signature matches what 4379 * we expect. 4380 */ 4381 sig_len = ntohs(chunk->chunk_hdr->length) - 4382 sizeof(struct sctp_auth_chunk); 4383 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4384 if (sig_len != hmac->hmac_len) 4385 return SCTP_IERROR_PROTO_VIOLATION; 4386 4387 /* Now that we've done validation checks, we can compute and 4388 * verify the hmac. The steps involved are: 4389 * 1. Save the digest from the chunk. 4390 * 2. Zero out the digest in the chunk. 4391 * 3. Compute the new digest 4392 * 4. Compare saved and new digests. 4393 */ 4394 digest = (u8 *)(auth_hdr + 1); 4395 skb_pull(chunk->skb, sig_len); 4396 4397 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4398 if (!save_digest) 4399 goto nomem; 4400 4401 memset(digest, 0, sig_len); 4402 4403 sctp_auth_calculate_hmac(asoc, chunk->skb, 4404 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4405 sh_key, GFP_ATOMIC); 4406 4407 /* Discard the packet if the digests do not match */ 4408 if (memcmp(save_digest, digest, sig_len)) { 4409 kfree(save_digest); 4410 return SCTP_IERROR_BAD_SIG; 4411 } 4412 4413 kfree(save_digest); 4414 chunk->auth = 1; 4415 4416 return SCTP_IERROR_NO_ERROR; 4417 nomem: 4418 return SCTP_IERROR_NOMEM; 4419 } 4420 4421 enum sctp_disposition sctp_sf_eat_auth(struct net *net, 4422 const struct sctp_endpoint *ep, 4423 const struct sctp_association *asoc, 4424 const union sctp_subtype type, 4425 void *arg, struct sctp_cmd_seq *commands) 4426 { 4427 struct sctp_chunk *chunk = arg; 4428 struct sctp_authhdr *auth_hdr; 4429 struct sctp_chunk *err_chunk; 4430 enum sctp_ierror error; 4431 4432 /* Make sure that the peer has AUTH capable */ 4433 if (!asoc->peer.auth_capable) 4434 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4435 4436 if (!sctp_vtag_verify(chunk, asoc)) { 4437 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4438 SCTP_NULL()); 4439 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4440 } 4441 4442 /* Make sure that the AUTH chunk has valid length. */ 4443 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4444 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4445 commands); 4446 4447 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4448 error = sctp_sf_authenticate(asoc, chunk); 4449 switch (error) { 4450 case SCTP_IERROR_AUTH_BAD_HMAC: 4451 /* Generate the ERROR chunk and discard the rest 4452 * of the packet 4453 */ 4454 err_chunk = sctp_make_op_error(asoc, chunk, 4455 SCTP_ERROR_UNSUP_HMAC, 4456 &auth_hdr->hmac_id, 4457 sizeof(__u16), 0); 4458 if (err_chunk) { 4459 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4460 SCTP_CHUNK(err_chunk)); 4461 } 4462 fallthrough; 4463 case SCTP_IERROR_AUTH_BAD_KEYID: 4464 case SCTP_IERROR_BAD_SIG: 4465 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4466 4467 case SCTP_IERROR_PROTO_VIOLATION: 4468 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4469 commands); 4470 4471 case SCTP_IERROR_NOMEM: 4472 return SCTP_DISPOSITION_NOMEM; 4473 4474 default: /* Prevent gcc warnings */ 4475 break; 4476 } 4477 4478 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4479 struct sctp_ulpevent *ev; 4480 4481 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4482 SCTP_AUTH_NEW_KEY, GFP_ATOMIC); 4483 4484 if (!ev) 4485 return -ENOMEM; 4486 4487 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4488 SCTP_ULPEVENT(ev)); 4489 } 4490 4491 return SCTP_DISPOSITION_CONSUME; 4492 } 4493 4494 /* 4495 * Process an unknown chunk. 4496 * 4497 * Section: 3.2. Also, 2.1 in the implementor's guide. 4498 * 4499 * Chunk Types are encoded such that the highest-order two bits specify 4500 * the action that must be taken if the processing endpoint does not 4501 * recognize the Chunk Type. 4502 * 4503 * 00 - Stop processing this SCTP packet and discard it, do not process 4504 * any further chunks within it. 4505 * 4506 * 01 - Stop processing this SCTP packet and discard it, do not process 4507 * any further chunks within it, and report the unrecognized 4508 * chunk in an 'Unrecognized Chunk Type'. 4509 * 4510 * 10 - Skip this chunk and continue processing. 4511 * 4512 * 11 - Skip this chunk and continue processing, but report in an ERROR 4513 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4514 * 4515 * The return value is the disposition of the chunk. 4516 */ 4517 enum sctp_disposition sctp_sf_unk_chunk(struct net *net, 4518 const struct sctp_endpoint *ep, 4519 const struct sctp_association *asoc, 4520 const union sctp_subtype type, 4521 void *arg, 4522 struct sctp_cmd_seq *commands) 4523 { 4524 struct sctp_chunk *unk_chunk = arg; 4525 struct sctp_chunk *err_chunk; 4526 struct sctp_chunkhdr *hdr; 4527 4528 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4529 4530 if (!sctp_vtag_verify(unk_chunk, asoc)) 4531 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4532 4533 /* Make sure that the chunk has a valid length. 4534 * Since we don't know the chunk type, we use a general 4535 * chunkhdr structure to make a comparison. 4536 */ 4537 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr))) 4538 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4539 commands); 4540 4541 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4542 case SCTP_CID_ACTION_DISCARD: 4543 /* Discard the packet. */ 4544 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4545 case SCTP_CID_ACTION_DISCARD_ERR: 4546 /* Generate an ERROR chunk as response. */ 4547 hdr = unk_chunk->chunk_hdr; 4548 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4549 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4550 SCTP_PAD4(ntohs(hdr->length)), 4551 0); 4552 if (err_chunk) { 4553 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4554 SCTP_CHUNK(err_chunk)); 4555 } 4556 4557 /* Discard the packet. */ 4558 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4559 return SCTP_DISPOSITION_CONSUME; 4560 case SCTP_CID_ACTION_SKIP: 4561 /* Skip the chunk. */ 4562 return SCTP_DISPOSITION_DISCARD; 4563 case SCTP_CID_ACTION_SKIP_ERR: 4564 /* Generate an ERROR chunk as response. */ 4565 hdr = unk_chunk->chunk_hdr; 4566 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4567 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4568 SCTP_PAD4(ntohs(hdr->length)), 4569 0); 4570 if (err_chunk) { 4571 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4572 SCTP_CHUNK(err_chunk)); 4573 } 4574 /* Skip the chunk. */ 4575 return SCTP_DISPOSITION_CONSUME; 4576 default: 4577 break; 4578 } 4579 4580 return SCTP_DISPOSITION_DISCARD; 4581 } 4582 4583 /* 4584 * Discard the chunk. 4585 * 4586 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4587 * [Too numerous to mention...] 4588 * Verification Tag: No verification needed. 4589 * Inputs 4590 * (endpoint, asoc, chunk) 4591 * 4592 * Outputs 4593 * (asoc, reply_msg, msg_up, timers, counters) 4594 * 4595 * The return value is the disposition of the chunk. 4596 */ 4597 enum sctp_disposition sctp_sf_discard_chunk(struct net *net, 4598 const struct sctp_endpoint *ep, 4599 const struct sctp_association *asoc, 4600 const union sctp_subtype type, 4601 void *arg, 4602 struct sctp_cmd_seq *commands) 4603 { 4604 struct sctp_chunk *chunk = arg; 4605 4606 if (asoc && !sctp_vtag_verify(chunk, asoc)) 4607 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4608 4609 /* Make sure that the chunk has a valid length. 4610 * Since we don't know the chunk type, we use a general 4611 * chunkhdr structure to make a comparison. 4612 */ 4613 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4614 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4615 commands); 4616 4617 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4618 4619 return SCTP_DISPOSITION_DISCARD; 4620 } 4621 4622 /* 4623 * Discard the whole packet. 4624 * 4625 * Section: 8.4 2) 4626 * 4627 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4628 * silently discard the OOTB packet and take no further action. 4629 * 4630 * Verification Tag: No verification necessary 4631 * 4632 * Inputs 4633 * (endpoint, asoc, chunk) 4634 * 4635 * Outputs 4636 * (asoc, reply_msg, msg_up, timers, counters) 4637 * 4638 * The return value is the disposition of the chunk. 4639 */ 4640 enum sctp_disposition sctp_sf_pdiscard(struct net *net, 4641 const struct sctp_endpoint *ep, 4642 const struct sctp_association *asoc, 4643 const union sctp_subtype type, 4644 void *arg, struct sctp_cmd_seq *commands) 4645 { 4646 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4647 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4648 4649 return SCTP_DISPOSITION_CONSUME; 4650 } 4651 4652 4653 /* 4654 * The other end is violating protocol. 4655 * 4656 * Section: Not specified 4657 * Verification Tag: Not specified 4658 * Inputs 4659 * (endpoint, asoc, chunk) 4660 * 4661 * Outputs 4662 * (asoc, reply_msg, msg_up, timers, counters) 4663 * 4664 * We simply tag the chunk as a violation. The state machine will log 4665 * the violation and continue. 4666 */ 4667 enum sctp_disposition sctp_sf_violation(struct net *net, 4668 const struct sctp_endpoint *ep, 4669 const struct sctp_association *asoc, 4670 const union sctp_subtype type, 4671 void *arg, 4672 struct sctp_cmd_seq *commands) 4673 { 4674 struct sctp_chunk *chunk = arg; 4675 4676 if (!sctp_vtag_verify(chunk, asoc)) 4677 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4678 4679 /* Make sure that the chunk has a valid length. */ 4680 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4681 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4682 commands); 4683 4684 return SCTP_DISPOSITION_VIOLATION; 4685 } 4686 4687 /* 4688 * Common function to handle a protocol violation. 4689 */ 4690 static enum sctp_disposition sctp_sf_abort_violation( 4691 struct net *net, 4692 const struct sctp_endpoint *ep, 4693 const struct sctp_association *asoc, 4694 void *arg, 4695 struct sctp_cmd_seq *commands, 4696 const __u8 *payload, 4697 const size_t paylen) 4698 { 4699 struct sctp_packet *packet = NULL; 4700 struct sctp_chunk *chunk = arg; 4701 struct sctp_chunk *abort = NULL; 4702 4703 /* SCTP-AUTH, Section 6.3: 4704 * It should be noted that if the receiver wants to tear 4705 * down an association in an authenticated way only, the 4706 * handling of malformed packets should not result in 4707 * tearing down the association. 4708 * 4709 * This means that if we only want to abort associations 4710 * in an authenticated way (i.e AUTH+ABORT), then we 4711 * can't destroy this association just because the packet 4712 * was malformed. 4713 */ 4714 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4715 goto discard; 4716 4717 /* Make the abort chunk. */ 4718 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4719 if (!abort) 4720 goto nomem; 4721 4722 if (asoc) { 4723 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4724 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4725 !asoc->peer.i.init_tag) { 4726 struct sctp_initack_chunk *initack; 4727 4728 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 4729 if (!sctp_chunk_length_valid(chunk, sizeof(*initack))) 4730 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4731 else { 4732 unsigned int inittag; 4733 4734 inittag = ntohl(initack->init_hdr.init_tag); 4735 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4736 SCTP_U32(inittag)); 4737 } 4738 } 4739 4740 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4741 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4742 4743 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4744 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4745 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4746 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4747 SCTP_ERROR(ECONNREFUSED)); 4748 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4749 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4750 } else { 4751 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4752 SCTP_ERROR(ECONNABORTED)); 4753 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4754 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4755 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4756 } 4757 } else { 4758 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4759 4760 if (!packet) 4761 goto nomem_pkt; 4762 4763 if (sctp_test_T_bit(abort)) 4764 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4765 4766 abort->skb->sk = ep->base.sk; 4767 4768 sctp_packet_append_chunk(packet, abort); 4769 4770 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4771 SCTP_PACKET(packet)); 4772 4773 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4774 } 4775 4776 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4777 4778 discard: 4779 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4780 return SCTP_DISPOSITION_ABORT; 4781 4782 nomem_pkt: 4783 sctp_chunk_free(abort); 4784 nomem: 4785 return SCTP_DISPOSITION_NOMEM; 4786 } 4787 4788 /* 4789 * Handle a protocol violation when the chunk length is invalid. 4790 * "Invalid" length is identified as smaller than the minimal length a 4791 * given chunk can be. For example, a SACK chunk has invalid length 4792 * if its length is set to be smaller than the size of struct sctp_sack_chunk. 4793 * 4794 * We inform the other end by sending an ABORT with a Protocol Violation 4795 * error code. 4796 * 4797 * Section: Not specified 4798 * Verification Tag: Nothing to do 4799 * Inputs 4800 * (endpoint, asoc, chunk) 4801 * 4802 * Outputs 4803 * (reply_msg, msg_up, counters) 4804 * 4805 * Generate an ABORT chunk and terminate the association. 4806 */ 4807 static enum sctp_disposition sctp_sf_violation_chunklen( 4808 struct net *net, 4809 const struct sctp_endpoint *ep, 4810 const struct sctp_association *asoc, 4811 const union sctp_subtype type, 4812 void *arg, 4813 struct sctp_cmd_seq *commands) 4814 { 4815 static const char err_str[] = "The following chunk had invalid length:"; 4816 4817 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4818 sizeof(err_str)); 4819 } 4820 4821 /* 4822 * Handle a protocol violation when the parameter length is invalid. 4823 * If the length is smaller than the minimum length of a given parameter, 4824 * or accumulated length in multi parameters exceeds the end of the chunk, 4825 * the length is considered as invalid. 4826 */ 4827 static enum sctp_disposition sctp_sf_violation_paramlen( 4828 struct net *net, 4829 const struct sctp_endpoint *ep, 4830 const struct sctp_association *asoc, 4831 const union sctp_subtype type, 4832 void *arg, void *ext, 4833 struct sctp_cmd_seq *commands) 4834 { 4835 struct sctp_paramhdr *param = ext; 4836 struct sctp_chunk *abort = NULL; 4837 struct sctp_chunk *chunk = arg; 4838 4839 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4840 goto discard; 4841 4842 /* Make the abort chunk. */ 4843 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4844 if (!abort) 4845 goto nomem; 4846 4847 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4848 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4849 4850 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4851 SCTP_ERROR(ECONNABORTED)); 4852 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4853 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4854 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4855 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4856 4857 discard: 4858 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4859 return SCTP_DISPOSITION_ABORT; 4860 nomem: 4861 return SCTP_DISPOSITION_NOMEM; 4862 } 4863 4864 /* Handle a protocol violation when the peer trying to advance the 4865 * cumulative tsn ack to a point beyond the max tsn currently sent. 4866 * 4867 * We inform the other end by sending an ABORT with a Protocol Violation 4868 * error code. 4869 */ 4870 static enum sctp_disposition sctp_sf_violation_ctsn( 4871 struct net *net, 4872 const struct sctp_endpoint *ep, 4873 const struct sctp_association *asoc, 4874 const union sctp_subtype type, 4875 void *arg, 4876 struct sctp_cmd_seq *commands) 4877 { 4878 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4879 4880 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4881 sizeof(err_str)); 4882 } 4883 4884 /* Handle protocol violation of an invalid chunk bundling. For example, 4885 * when we have an association and we receive bundled INIT-ACK, or 4886 * SHUTDOWN-COMPLETE, our peer is clearly violating the "MUST NOT bundle" 4887 * statement from the specs. Additionally, there might be an attacker 4888 * on the path and we may not want to continue this communication. 4889 */ 4890 static enum sctp_disposition sctp_sf_violation_chunk( 4891 struct net *net, 4892 const struct sctp_endpoint *ep, 4893 const struct sctp_association *asoc, 4894 const union sctp_subtype type, 4895 void *arg, 4896 struct sctp_cmd_seq *commands) 4897 { 4898 static const char err_str[] = "The following chunk violates protocol:"; 4899 4900 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4901 sizeof(err_str)); 4902 } 4903 /*************************************************************************** 4904 * These are the state functions for handling primitive (Section 10) events. 4905 ***************************************************************************/ 4906 /* 4907 * sctp_sf_do_prm_asoc 4908 * 4909 * Section: 10.1 ULP-to-SCTP 4910 * B) Associate 4911 * 4912 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4913 * outbound stream count) 4914 * -> association id [,destination transport addr list] [,outbound stream 4915 * count] 4916 * 4917 * This primitive allows the upper layer to initiate an association to a 4918 * specific peer endpoint. 4919 * 4920 * The peer endpoint shall be specified by one of the transport addresses 4921 * which defines the endpoint (see Section 1.4). If the local SCTP 4922 * instance has not been initialized, the ASSOCIATE is considered an 4923 * error. 4924 * [This is not relevant for the kernel implementation since we do all 4925 * initialization at boot time. It we hadn't initialized we wouldn't 4926 * get anywhere near this code.] 4927 * 4928 * An association id, which is a local handle to the SCTP association, 4929 * will be returned on successful establishment of the association. If 4930 * SCTP is not able to open an SCTP association with the peer endpoint, 4931 * an error is returned. 4932 * [In the kernel implementation, the struct sctp_association needs to 4933 * be created BEFORE causing this primitive to run.] 4934 * 4935 * Other association parameters may be returned, including the 4936 * complete destination transport addresses of the peer as well as the 4937 * outbound stream count of the local endpoint. One of the transport 4938 * address from the returned destination addresses will be selected by 4939 * the local endpoint as default primary path for sending SCTP packets 4940 * to this peer. The returned "destination transport addr list" can 4941 * be used by the ULP to change the default primary path or to force 4942 * sending a packet to a specific transport address. [All of this 4943 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4944 * function.] 4945 * 4946 * Mandatory attributes: 4947 * 4948 * o local SCTP instance name - obtained from the INITIALIZE operation. 4949 * [This is the argument asoc.] 4950 * o destination transport addr - specified as one of the transport 4951 * addresses of the peer endpoint with which the association is to be 4952 * established. 4953 * [This is asoc->peer.active_path.] 4954 * o outbound stream count - the number of outbound streams the ULP 4955 * would like to open towards this peer endpoint. 4956 * [BUG: This is not currently implemented.] 4957 * Optional attributes: 4958 * 4959 * None. 4960 * 4961 * The return value is a disposition. 4962 */ 4963 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net, 4964 const struct sctp_endpoint *ep, 4965 const struct sctp_association *asoc, 4966 const union sctp_subtype type, 4967 void *arg, 4968 struct sctp_cmd_seq *commands) 4969 { 4970 struct sctp_association *my_asoc; 4971 struct sctp_chunk *repl; 4972 4973 /* The comment below says that we enter COOKIE-WAIT AFTER 4974 * sending the INIT, but that doesn't actually work in our 4975 * implementation... 4976 */ 4977 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4978 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4979 4980 /* RFC 2960 5.1 Normal Establishment of an Association 4981 * 4982 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4983 * must provide its Verification Tag (Tag_A) in the Initiate 4984 * Tag field. Tag_A SHOULD be a random number in the range of 4985 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4986 */ 4987 4988 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4989 if (!repl) 4990 goto nomem; 4991 4992 /* Choose transport for INIT. */ 4993 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4994 SCTP_CHUNK(repl)); 4995 4996 /* Cast away the const modifier, as we want to just 4997 * rerun it through as a sideffect. 4998 */ 4999 my_asoc = (struct sctp_association *)asoc; 5000 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 5001 5002 /* After sending the INIT, "A" starts the T1-init timer and 5003 * enters the COOKIE-WAIT state. 5004 */ 5005 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5006 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5007 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5008 return SCTP_DISPOSITION_CONSUME; 5009 5010 nomem: 5011 return SCTP_DISPOSITION_NOMEM; 5012 } 5013 5014 /* 5015 * Process the SEND primitive. 5016 * 5017 * Section: 10.1 ULP-to-SCTP 5018 * E) Send 5019 * 5020 * Format: SEND(association id, buffer address, byte count [,context] 5021 * [,stream id] [,life time] [,destination transport address] 5022 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 5023 * -> result 5024 * 5025 * This is the main method to send user data via SCTP. 5026 * 5027 * Mandatory attributes: 5028 * 5029 * o association id - local handle to the SCTP association 5030 * 5031 * o buffer address - the location where the user message to be 5032 * transmitted is stored; 5033 * 5034 * o byte count - The size of the user data in number of bytes; 5035 * 5036 * Optional attributes: 5037 * 5038 * o context - an optional 32 bit integer that will be carried in the 5039 * sending failure notification to the ULP if the transportation of 5040 * this User Message fails. 5041 * 5042 * o stream id - to indicate which stream to send the data on. If not 5043 * specified, stream 0 will be used. 5044 * 5045 * o life time - specifies the life time of the user data. The user data 5046 * will not be sent by SCTP after the life time expires. This 5047 * parameter can be used to avoid efforts to transmit stale 5048 * user messages. SCTP notifies the ULP if the data cannot be 5049 * initiated to transport (i.e. sent to the destination via SCTP's 5050 * send primitive) within the life time variable. However, the 5051 * user data will be transmitted if SCTP has attempted to transmit a 5052 * chunk before the life time expired. 5053 * 5054 * o destination transport address - specified as one of the destination 5055 * transport addresses of the peer endpoint to which this packet 5056 * should be sent. Whenever possible, SCTP should use this destination 5057 * transport address for sending the packets, instead of the current 5058 * primary path. 5059 * 5060 * o unorder flag - this flag, if present, indicates that the user 5061 * would like the data delivered in an unordered fashion to the peer 5062 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 5063 * message). 5064 * 5065 * o no-bundle flag - instructs SCTP not to bundle this user data with 5066 * other outbound DATA chunks. SCTP MAY still bundle even when 5067 * this flag is present, when faced with network congestion. 5068 * 5069 * o payload protocol-id - A 32 bit unsigned integer that is to be 5070 * passed to the peer indicating the type of payload protocol data 5071 * being transmitted. This value is passed as opaque data by SCTP. 5072 * 5073 * The return value is the disposition. 5074 */ 5075 enum sctp_disposition sctp_sf_do_prm_send(struct net *net, 5076 const struct sctp_endpoint *ep, 5077 const struct sctp_association *asoc, 5078 const union sctp_subtype type, 5079 void *arg, 5080 struct sctp_cmd_seq *commands) 5081 { 5082 struct sctp_datamsg *msg = arg; 5083 5084 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 5085 return SCTP_DISPOSITION_CONSUME; 5086 } 5087 5088 /* 5089 * Process the SHUTDOWN primitive. 5090 * 5091 * Section: 10.1: 5092 * C) Shutdown 5093 * 5094 * Format: SHUTDOWN(association id) 5095 * -> result 5096 * 5097 * Gracefully closes an association. Any locally queued user data 5098 * will be delivered to the peer. The association will be terminated only 5099 * after the peer acknowledges all the SCTP packets sent. A success code 5100 * will be returned on successful termination of the association. If 5101 * attempting to terminate the association results in a failure, an error 5102 * code shall be returned. 5103 * 5104 * Mandatory attributes: 5105 * 5106 * o association id - local handle to the SCTP association 5107 * 5108 * Optional attributes: 5109 * 5110 * None. 5111 * 5112 * The return value is the disposition. 5113 */ 5114 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown( 5115 struct net *net, 5116 const struct sctp_endpoint *ep, 5117 const struct sctp_association *asoc, 5118 const union sctp_subtype type, 5119 void *arg, 5120 struct sctp_cmd_seq *commands) 5121 { 5122 enum sctp_disposition disposition; 5123 5124 /* From 9.2 Shutdown of an Association 5125 * Upon receipt of the SHUTDOWN primitive from its upper 5126 * layer, the endpoint enters SHUTDOWN-PENDING state and 5127 * remains there until all outstanding data has been 5128 * acknowledged by its peer. The endpoint accepts no new data 5129 * from its upper layer, but retransmits data to the far end 5130 * if necessary to fill gaps. 5131 */ 5132 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5133 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5134 5135 disposition = SCTP_DISPOSITION_CONSUME; 5136 if (sctp_outq_is_empty(&asoc->outqueue)) { 5137 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 5138 arg, commands); 5139 } 5140 5141 return disposition; 5142 } 5143 5144 /* 5145 * Process the ABORT primitive. 5146 * 5147 * Section: 10.1: 5148 * C) Abort 5149 * 5150 * Format: Abort(association id [, cause code]) 5151 * -> result 5152 * 5153 * Ungracefully closes an association. Any locally queued user data 5154 * will be discarded and an ABORT chunk is sent to the peer. A success code 5155 * will be returned on successful abortion of the association. If 5156 * attempting to abort the association results in a failure, an error 5157 * code shall be returned. 5158 * 5159 * Mandatory attributes: 5160 * 5161 * o association id - local handle to the SCTP association 5162 * 5163 * Optional attributes: 5164 * 5165 * o cause code - reason of the abort to be passed to the peer 5166 * 5167 * None. 5168 * 5169 * The return value is the disposition. 5170 */ 5171 enum sctp_disposition sctp_sf_do_9_1_prm_abort( 5172 struct net *net, 5173 const struct sctp_endpoint *ep, 5174 const struct sctp_association *asoc, 5175 const union sctp_subtype type, 5176 void *arg, 5177 struct sctp_cmd_seq *commands) 5178 { 5179 /* From 9.1 Abort of an Association 5180 * Upon receipt of the ABORT primitive from its upper 5181 * layer, the endpoint enters CLOSED state and 5182 * discard all outstanding data has been 5183 * acknowledged by its peer. The endpoint accepts no new data 5184 * from its upper layer, but retransmits data to the far end 5185 * if necessary to fill gaps. 5186 */ 5187 struct sctp_chunk *abort = arg; 5188 5189 if (abort) 5190 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5191 5192 /* Even if we can't send the ABORT due to low memory delete the 5193 * TCB. This is a departure from our typical NOMEM handling. 5194 */ 5195 5196 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5197 SCTP_ERROR(ECONNABORTED)); 5198 /* Delete the established association. */ 5199 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5200 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5201 5202 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5203 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5204 5205 return SCTP_DISPOSITION_ABORT; 5206 } 5207 5208 /* We tried an illegal operation on an association which is closed. */ 5209 enum sctp_disposition sctp_sf_error_closed(struct net *net, 5210 const struct sctp_endpoint *ep, 5211 const struct sctp_association *asoc, 5212 const union sctp_subtype type, 5213 void *arg, 5214 struct sctp_cmd_seq *commands) 5215 { 5216 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 5217 return SCTP_DISPOSITION_CONSUME; 5218 } 5219 5220 /* We tried an illegal operation on an association which is shutting 5221 * down. 5222 */ 5223 enum sctp_disposition sctp_sf_error_shutdown( 5224 struct net *net, 5225 const struct sctp_endpoint *ep, 5226 const struct sctp_association *asoc, 5227 const union sctp_subtype type, 5228 void *arg, 5229 struct sctp_cmd_seq *commands) 5230 { 5231 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 5232 SCTP_ERROR(-ESHUTDOWN)); 5233 return SCTP_DISPOSITION_CONSUME; 5234 } 5235 5236 /* 5237 * sctp_cookie_wait_prm_shutdown 5238 * 5239 * Section: 4 Note: 2 5240 * Verification Tag: 5241 * Inputs 5242 * (endpoint, asoc) 5243 * 5244 * The RFC does not explicitly address this issue, but is the route through the 5245 * state table when someone issues a shutdown while in COOKIE_WAIT state. 5246 * 5247 * Outputs 5248 * (timers) 5249 */ 5250 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( 5251 struct net *net, 5252 const struct sctp_endpoint *ep, 5253 const struct sctp_association *asoc, 5254 const union sctp_subtype type, 5255 void *arg, 5256 struct sctp_cmd_seq *commands) 5257 { 5258 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5259 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5260 5261 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5262 SCTP_STATE(SCTP_STATE_CLOSED)); 5263 5264 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 5265 5266 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 5267 5268 return SCTP_DISPOSITION_DELETE_TCB; 5269 } 5270 5271 /* 5272 * sctp_cookie_echoed_prm_shutdown 5273 * 5274 * Section: 4 Note: 2 5275 * Verification Tag: 5276 * Inputs 5277 * (endpoint, asoc) 5278 * 5279 * The RFC does not explicitly address this issue, but is the route through the 5280 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 5281 * 5282 * Outputs 5283 * (timers) 5284 */ 5285 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown( 5286 struct net *net, 5287 const struct sctp_endpoint *ep, 5288 const struct sctp_association *asoc, 5289 const union sctp_subtype type, 5290 void *arg, 5291 struct sctp_cmd_seq *commands) 5292 { 5293 /* There is a single T1 timer, so we should be able to use 5294 * common function with the COOKIE-WAIT state. 5295 */ 5296 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 5297 } 5298 5299 /* 5300 * sctp_sf_cookie_wait_prm_abort 5301 * 5302 * Section: 4 Note: 2 5303 * Verification Tag: 5304 * Inputs 5305 * (endpoint, asoc) 5306 * 5307 * The RFC does not explicitly address this issue, but is the route through the 5308 * state table when someone issues an abort while in COOKIE_WAIT state. 5309 * 5310 * Outputs 5311 * (timers) 5312 */ 5313 enum sctp_disposition sctp_sf_cookie_wait_prm_abort( 5314 struct net *net, 5315 const struct sctp_endpoint *ep, 5316 const struct sctp_association *asoc, 5317 const union sctp_subtype type, 5318 void *arg, 5319 struct sctp_cmd_seq *commands) 5320 { 5321 struct sctp_chunk *abort = arg; 5322 5323 /* Stop T1-init timer */ 5324 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5325 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5326 5327 if (abort) 5328 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5329 5330 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5331 SCTP_STATE(SCTP_STATE_CLOSED)); 5332 5333 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5334 5335 /* Even if we can't send the ABORT due to low memory delete the 5336 * TCB. This is a departure from our typical NOMEM handling. 5337 */ 5338 5339 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5340 SCTP_ERROR(ECONNREFUSED)); 5341 /* Delete the established association. */ 5342 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5343 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5344 5345 return SCTP_DISPOSITION_ABORT; 5346 } 5347 5348 /* 5349 * sctp_sf_cookie_echoed_prm_abort 5350 * 5351 * Section: 4 Note: 3 5352 * Verification Tag: 5353 * Inputs 5354 * (endpoint, asoc) 5355 * 5356 * The RFC does not explcitly address this issue, but is the route through the 5357 * state table when someone issues an abort while in COOKIE_ECHOED state. 5358 * 5359 * Outputs 5360 * (timers) 5361 */ 5362 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort( 5363 struct net *net, 5364 const struct sctp_endpoint *ep, 5365 const struct sctp_association *asoc, 5366 const union sctp_subtype type, 5367 void *arg, 5368 struct sctp_cmd_seq *commands) 5369 { 5370 /* There is a single T1 timer, so we should be able to use 5371 * common function with the COOKIE-WAIT state. 5372 */ 5373 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5374 } 5375 5376 /* 5377 * sctp_sf_shutdown_pending_prm_abort 5378 * 5379 * Inputs 5380 * (endpoint, asoc) 5381 * 5382 * The RFC does not explicitly address this issue, but is the route through the 5383 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5384 * 5385 * Outputs 5386 * (timers) 5387 */ 5388 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort( 5389 struct net *net, 5390 const struct sctp_endpoint *ep, 5391 const struct sctp_association *asoc, 5392 const union sctp_subtype type, 5393 void *arg, 5394 struct sctp_cmd_seq *commands) 5395 { 5396 /* Stop the T5-shutdown guard timer. */ 5397 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5398 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5399 5400 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5401 } 5402 5403 /* 5404 * sctp_sf_shutdown_sent_prm_abort 5405 * 5406 * Inputs 5407 * (endpoint, asoc) 5408 * 5409 * The RFC does not explicitly address this issue, but is the route through the 5410 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5411 * 5412 * Outputs 5413 * (timers) 5414 */ 5415 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort( 5416 struct net *net, 5417 const struct sctp_endpoint *ep, 5418 const struct sctp_association *asoc, 5419 const union sctp_subtype type, 5420 void *arg, 5421 struct sctp_cmd_seq *commands) 5422 { 5423 /* Stop the T2-shutdown timer. */ 5424 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5425 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5426 5427 /* Stop the T5-shutdown guard timer. */ 5428 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5429 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5430 5431 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5432 } 5433 5434 /* 5435 * sctp_sf_cookie_echoed_prm_abort 5436 * 5437 * Inputs 5438 * (endpoint, asoc) 5439 * 5440 * The RFC does not explcitly address this issue, but is the route through the 5441 * state table when someone issues an abort while in COOKIE_ECHOED state. 5442 * 5443 * Outputs 5444 * (timers) 5445 */ 5446 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort( 5447 struct net *net, 5448 const struct sctp_endpoint *ep, 5449 const struct sctp_association *asoc, 5450 const union sctp_subtype type, 5451 void *arg, 5452 struct sctp_cmd_seq *commands) 5453 { 5454 /* The same T2 timer, so we should be able to use 5455 * common function with the SHUTDOWN-SENT state. 5456 */ 5457 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5458 } 5459 5460 /* 5461 * Process the REQUESTHEARTBEAT primitive 5462 * 5463 * 10.1 ULP-to-SCTP 5464 * J) Request Heartbeat 5465 * 5466 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5467 * 5468 * -> result 5469 * 5470 * Instructs the local endpoint to perform a HeartBeat on the specified 5471 * destination transport address of the given association. The returned 5472 * result should indicate whether the transmission of the HEARTBEAT 5473 * chunk to the destination address is successful. 5474 * 5475 * Mandatory attributes: 5476 * 5477 * o association id - local handle to the SCTP association 5478 * 5479 * o destination transport address - the transport address of the 5480 * association on which a heartbeat should be issued. 5481 */ 5482 enum sctp_disposition sctp_sf_do_prm_requestheartbeat( 5483 struct net *net, 5484 const struct sctp_endpoint *ep, 5485 const struct sctp_association *asoc, 5486 const union sctp_subtype type, 5487 void *arg, 5488 struct sctp_cmd_seq *commands) 5489 { 5490 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5491 (struct sctp_transport *)arg, commands)) 5492 return SCTP_DISPOSITION_NOMEM; 5493 5494 /* 5495 * RFC 2960 (bis), section 8.3 5496 * 5497 * D) Request an on-demand HEARTBEAT on a specific destination 5498 * transport address of a given association. 5499 * 5500 * The endpoint should increment the respective error counter of 5501 * the destination transport address each time a HEARTBEAT is sent 5502 * to that address and not acknowledged within one RTO. 5503 * 5504 */ 5505 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5506 SCTP_TRANSPORT(arg)); 5507 return SCTP_DISPOSITION_CONSUME; 5508 } 5509 5510 /* 5511 * ADDIP Section 4.1 ASCONF Chunk Procedures 5512 * When an endpoint has an ASCONF signaled change to be sent to the 5513 * remote endpoint it should do A1 to A9 5514 */ 5515 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net, 5516 const struct sctp_endpoint *ep, 5517 const struct sctp_association *asoc, 5518 const union sctp_subtype type, 5519 void *arg, 5520 struct sctp_cmd_seq *commands) 5521 { 5522 struct sctp_chunk *chunk = arg; 5523 5524 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5525 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5526 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5527 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5528 return SCTP_DISPOSITION_CONSUME; 5529 } 5530 5531 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */ 5532 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net, 5533 const struct sctp_endpoint *ep, 5534 const struct sctp_association *asoc, 5535 const union sctp_subtype type, 5536 void *arg, 5537 struct sctp_cmd_seq *commands) 5538 { 5539 struct sctp_chunk *chunk = arg; 5540 5541 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5542 return SCTP_DISPOSITION_CONSUME; 5543 } 5544 5545 /* 5546 * Ignore the primitive event 5547 * 5548 * The return value is the disposition of the primitive. 5549 */ 5550 enum sctp_disposition sctp_sf_ignore_primitive( 5551 struct net *net, 5552 const struct sctp_endpoint *ep, 5553 const struct sctp_association *asoc, 5554 const union sctp_subtype type, 5555 void *arg, 5556 struct sctp_cmd_seq *commands) 5557 { 5558 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5559 type.primitive); 5560 5561 return SCTP_DISPOSITION_DISCARD; 5562 } 5563 5564 /*************************************************************************** 5565 * These are the state functions for the OTHER events. 5566 ***************************************************************************/ 5567 5568 /* 5569 * When the SCTP stack has no more user data to send or retransmit, this 5570 * notification is given to the user. Also, at the time when a user app 5571 * subscribes to this event, if there is no data to be sent or 5572 * retransmit, the stack will immediately send up this notification. 5573 */ 5574 enum sctp_disposition sctp_sf_do_no_pending_tsn( 5575 struct net *net, 5576 const struct sctp_endpoint *ep, 5577 const struct sctp_association *asoc, 5578 const union sctp_subtype type, 5579 void *arg, 5580 struct sctp_cmd_seq *commands) 5581 { 5582 struct sctp_ulpevent *event; 5583 5584 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5585 if (!event) 5586 return SCTP_DISPOSITION_NOMEM; 5587 5588 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5589 5590 return SCTP_DISPOSITION_CONSUME; 5591 } 5592 5593 /* 5594 * Start the shutdown negotiation. 5595 * 5596 * From Section 9.2: 5597 * Once all its outstanding data has been acknowledged, the endpoint 5598 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5599 * TSN Ack field the last sequential TSN it has received from the peer. 5600 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5601 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5602 * with the updated last sequential TSN received from its peer. 5603 * 5604 * The return value is the disposition. 5605 */ 5606 enum sctp_disposition sctp_sf_do_9_2_start_shutdown( 5607 struct net *net, 5608 const struct sctp_endpoint *ep, 5609 const struct sctp_association *asoc, 5610 const union sctp_subtype type, 5611 void *arg, 5612 struct sctp_cmd_seq *commands) 5613 { 5614 struct sctp_chunk *reply; 5615 5616 /* Once all its outstanding data has been acknowledged, the 5617 * endpoint shall send a SHUTDOWN chunk to its peer including 5618 * in the Cumulative TSN Ack field the last sequential TSN it 5619 * has received from the peer. 5620 */ 5621 reply = sctp_make_shutdown(asoc, arg); 5622 if (!reply) 5623 goto nomem; 5624 5625 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5626 * T2-shutdown timer. 5627 */ 5628 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5629 5630 /* It shall then start the T2-shutdown timer */ 5631 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5632 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5633 5634 /* RFC 4960 Section 9.2 5635 * The sender of the SHUTDOWN MAY also start an overall guard timer 5636 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5637 */ 5638 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5639 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5640 5641 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5642 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5643 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5644 5645 /* and enter the SHUTDOWN-SENT state. */ 5646 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5647 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5648 5649 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5650 * 5651 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5652 * or SHUTDOWN-ACK. 5653 */ 5654 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5655 5656 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5657 5658 return SCTP_DISPOSITION_CONSUME; 5659 5660 nomem: 5661 return SCTP_DISPOSITION_NOMEM; 5662 } 5663 5664 /* 5665 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5666 * 5667 * From Section 9.2: 5668 * 5669 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5670 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5671 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5672 * endpoint must re-send the SHUTDOWN ACK. 5673 * 5674 * The return value is the disposition. 5675 */ 5676 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack( 5677 struct net *net, 5678 const struct sctp_endpoint *ep, 5679 const struct sctp_association *asoc, 5680 const union sctp_subtype type, 5681 void *arg, 5682 struct sctp_cmd_seq *commands) 5683 { 5684 struct sctp_chunk *chunk = arg; 5685 struct sctp_chunk *reply; 5686 5687 /* There are 2 ways of getting here: 5688 * 1) called in response to a SHUTDOWN chunk 5689 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5690 * 5691 * For the case (2), the arg parameter is set to NULL. We need 5692 * to check that we have a chunk before accessing it's fields. 5693 */ 5694 if (chunk) { 5695 if (!sctp_vtag_verify(chunk, asoc)) 5696 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 5697 commands); 5698 5699 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5700 if (!sctp_chunk_length_valid( 5701 chunk, sizeof(struct sctp_shutdown_chunk))) 5702 return sctp_sf_violation_chunklen(net, ep, asoc, type, 5703 arg, commands); 5704 } 5705 5706 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5707 * shall send a SHUTDOWN ACK ... 5708 */ 5709 reply = sctp_make_shutdown_ack(asoc, chunk); 5710 if (!reply) 5711 goto nomem; 5712 5713 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5714 * the T2-shutdown timer. 5715 */ 5716 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5717 5718 /* and start/restart a T2-shutdown timer of its own, */ 5719 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5720 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5721 5722 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5723 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5724 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5725 5726 /* Enter the SHUTDOWN-ACK-SENT state. */ 5727 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5728 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5729 5730 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5731 * 5732 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5733 * or SHUTDOWN-ACK. 5734 */ 5735 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5736 5737 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5738 5739 return SCTP_DISPOSITION_CONSUME; 5740 5741 nomem: 5742 return SCTP_DISPOSITION_NOMEM; 5743 } 5744 5745 /* 5746 * Ignore the event defined as other 5747 * 5748 * The return value is the disposition of the event. 5749 */ 5750 enum sctp_disposition sctp_sf_ignore_other(struct net *net, 5751 const struct sctp_endpoint *ep, 5752 const struct sctp_association *asoc, 5753 const union sctp_subtype type, 5754 void *arg, 5755 struct sctp_cmd_seq *commands) 5756 { 5757 pr_debug("%s: the event other type:%d is ignored\n", 5758 __func__, type.other); 5759 5760 return SCTP_DISPOSITION_DISCARD; 5761 } 5762 5763 /************************************************************ 5764 * These are the state functions for handling timeout events. 5765 ************************************************************/ 5766 5767 /* 5768 * RTX Timeout 5769 * 5770 * Section: 6.3.3 Handle T3-rtx Expiration 5771 * 5772 * Whenever the retransmission timer T3-rtx expires for a destination 5773 * address, do the following: 5774 * [See below] 5775 * 5776 * The return value is the disposition of the chunk. 5777 */ 5778 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net, 5779 const struct sctp_endpoint *ep, 5780 const struct sctp_association *asoc, 5781 const union sctp_subtype type, 5782 void *arg, 5783 struct sctp_cmd_seq *commands) 5784 { 5785 struct sctp_transport *transport = arg; 5786 5787 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5788 5789 if (asoc->overall_error_count >= asoc->max_retrans) { 5790 if (asoc->peer.zero_window_announced && 5791 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5792 /* 5793 * We are here likely because the receiver had its rwnd 5794 * closed for a while and we have not been able to 5795 * transmit the locally queued data within the maximum 5796 * retransmission attempts limit. Start the T5 5797 * shutdown guard timer to give the receiver one last 5798 * chance and some additional time to recover before 5799 * aborting. 5800 */ 5801 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5802 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5803 } else { 5804 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5805 SCTP_ERROR(ETIMEDOUT)); 5806 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5807 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5808 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5809 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5810 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5811 return SCTP_DISPOSITION_DELETE_TCB; 5812 } 5813 } 5814 5815 /* E1) For the destination address for which the timer 5816 * expires, adjust its ssthresh with rules defined in Section 5817 * 7.2.3 and set the cwnd <- MTU. 5818 */ 5819 5820 /* E2) For the destination address for which the timer 5821 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5822 * maximum value discussed in rule C7 above (RTO.max) may be 5823 * used to provide an upper bound to this doubling operation. 5824 */ 5825 5826 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5827 * outstanding DATA chunks for the address for which the 5828 * T3-rtx has expired will fit into a single packet, subject 5829 * to the MTU constraint for the path corresponding to the 5830 * destination transport address to which the retransmission 5831 * is being sent (this may be different from the address for 5832 * which the timer expires [see Section 6.4]). Call this 5833 * value K. Bundle and retransmit those K DATA chunks in a 5834 * single packet to the destination endpoint. 5835 * 5836 * Note: Any DATA chunks that were sent to the address for 5837 * which the T3-rtx timer expired but did not fit in one MTU 5838 * (rule E3 above), should be marked for retransmission and 5839 * sent as soon as cwnd allows (normally when a SACK arrives). 5840 */ 5841 5842 /* Do some failure management (Section 8.2). */ 5843 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5844 5845 /* NB: Rules E4 and F1 are implicit in R1. */ 5846 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5847 5848 return SCTP_DISPOSITION_CONSUME; 5849 } 5850 5851 /* 5852 * Generate delayed SACK on timeout 5853 * 5854 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5855 * 5856 * The guidelines on delayed acknowledgement algorithm specified in 5857 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5858 * acknowledgement SHOULD be generated for at least every second packet 5859 * (not every second DATA chunk) received, and SHOULD be generated 5860 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5861 * some situations it may be beneficial for an SCTP transmitter to be 5862 * more conservative than the algorithms detailed in this document 5863 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5864 * the following algorithms allow. 5865 */ 5866 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net, 5867 const struct sctp_endpoint *ep, 5868 const struct sctp_association *asoc, 5869 const union sctp_subtype type, 5870 void *arg, 5871 struct sctp_cmd_seq *commands) 5872 { 5873 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5874 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5875 return SCTP_DISPOSITION_CONSUME; 5876 } 5877 5878 /* 5879 * sctp_sf_t1_init_timer_expire 5880 * 5881 * Section: 4 Note: 2 5882 * Verification Tag: 5883 * Inputs 5884 * (endpoint, asoc) 5885 * 5886 * RFC 2960 Section 4 Notes 5887 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5888 * and re-start the T1-init timer without changing state. This MUST 5889 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5890 * endpoint MUST abort the initialization process and report the 5891 * error to SCTP user. 5892 * 5893 * Outputs 5894 * (timers, events) 5895 * 5896 */ 5897 enum sctp_disposition sctp_sf_t1_init_timer_expire( 5898 struct net *net, 5899 const struct sctp_endpoint *ep, 5900 const struct sctp_association *asoc, 5901 const union sctp_subtype type, 5902 void *arg, 5903 struct sctp_cmd_seq *commands) 5904 { 5905 int attempts = asoc->init_err_counter + 1; 5906 struct sctp_chunk *repl = NULL; 5907 struct sctp_bind_addr *bp; 5908 5909 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5910 5911 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5912 5913 if (attempts <= asoc->max_init_attempts) { 5914 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5915 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5916 if (!repl) 5917 return SCTP_DISPOSITION_NOMEM; 5918 5919 /* Choose transport for INIT. */ 5920 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5921 SCTP_CHUNK(repl)); 5922 5923 /* Issue a sideeffect to do the needed accounting. */ 5924 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5925 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5926 5927 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5928 } else { 5929 pr_debug("%s: giving up on INIT, attempts:%d " 5930 "max_init_attempts:%d\n", __func__, attempts, 5931 asoc->max_init_attempts); 5932 5933 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5934 SCTP_ERROR(ETIMEDOUT)); 5935 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5936 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5937 return SCTP_DISPOSITION_DELETE_TCB; 5938 } 5939 5940 return SCTP_DISPOSITION_CONSUME; 5941 } 5942 5943 /* 5944 * sctp_sf_t1_cookie_timer_expire 5945 * 5946 * Section: 4 Note: 2 5947 * Verification Tag: 5948 * Inputs 5949 * (endpoint, asoc) 5950 * 5951 * RFC 2960 Section 4 Notes 5952 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5953 * COOKIE ECHO and re-start the T1-cookie timer without changing 5954 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5955 * After that, the endpoint MUST abort the initialization process and 5956 * report the error to SCTP user. 5957 * 5958 * Outputs 5959 * (timers, events) 5960 * 5961 */ 5962 enum sctp_disposition sctp_sf_t1_cookie_timer_expire( 5963 struct net *net, 5964 const struct sctp_endpoint *ep, 5965 const struct sctp_association *asoc, 5966 const union sctp_subtype type, 5967 void *arg, 5968 struct sctp_cmd_seq *commands) 5969 { 5970 int attempts = asoc->init_err_counter + 1; 5971 struct sctp_chunk *repl = NULL; 5972 5973 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5974 5975 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5976 5977 if (attempts <= asoc->max_init_attempts) { 5978 repl = sctp_make_cookie_echo(asoc, NULL); 5979 if (!repl) 5980 return SCTP_DISPOSITION_NOMEM; 5981 5982 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5983 SCTP_CHUNK(repl)); 5984 /* Issue a sideeffect to do the needed accounting. */ 5985 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5986 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5987 5988 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5989 } else { 5990 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5991 SCTP_ERROR(ETIMEDOUT)); 5992 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5993 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5994 return SCTP_DISPOSITION_DELETE_TCB; 5995 } 5996 5997 return SCTP_DISPOSITION_CONSUME; 5998 } 5999 6000 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 6001 * with the updated last sequential TSN received from its peer. 6002 * 6003 * An endpoint should limit the number of retransmission of the 6004 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 6005 * If this threshold is exceeded the endpoint should destroy the TCB and 6006 * MUST report the peer endpoint unreachable to the upper layer (and 6007 * thus the association enters the CLOSED state). The reception of any 6008 * packet from its peer (i.e. as the peer sends all of its queued DATA 6009 * chunks) should clear the endpoint's retransmission count and restart 6010 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 6011 * all of its queued DATA chunks that have not yet been sent. 6012 */ 6013 enum sctp_disposition sctp_sf_t2_timer_expire( 6014 struct net *net, 6015 const struct sctp_endpoint *ep, 6016 const struct sctp_association *asoc, 6017 const union sctp_subtype type, 6018 void *arg, 6019 struct sctp_cmd_seq *commands) 6020 { 6021 struct sctp_chunk *reply = NULL; 6022 6023 pr_debug("%s: timer T2 expired\n", __func__); 6024 6025 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 6026 6027 ((struct sctp_association *)asoc)->shutdown_retries++; 6028 6029 if (asoc->overall_error_count >= asoc->max_retrans) { 6030 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6031 SCTP_ERROR(ETIMEDOUT)); 6032 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 6033 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6034 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6035 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6036 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6037 return SCTP_DISPOSITION_DELETE_TCB; 6038 } 6039 6040 switch (asoc->state) { 6041 case SCTP_STATE_SHUTDOWN_SENT: 6042 reply = sctp_make_shutdown(asoc, NULL); 6043 break; 6044 6045 case SCTP_STATE_SHUTDOWN_ACK_SENT: 6046 reply = sctp_make_shutdown_ack(asoc, NULL); 6047 break; 6048 6049 default: 6050 BUG(); 6051 break; 6052 } 6053 6054 if (!reply) 6055 goto nomem; 6056 6057 /* Do some failure management (Section 8.2). 6058 * If we remove the transport an SHUTDOWN was last sent to, don't 6059 * do failure management. 6060 */ 6061 if (asoc->shutdown_last_sent_to) 6062 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 6063 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 6064 6065 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 6066 * the T2-shutdown timer. 6067 */ 6068 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 6069 6070 /* Restart the T2-shutdown timer. */ 6071 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 6072 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 6073 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6074 return SCTP_DISPOSITION_CONSUME; 6075 6076 nomem: 6077 return SCTP_DISPOSITION_NOMEM; 6078 } 6079 6080 /* 6081 * ADDIP Section 4.1 ASCONF Chunk Procedures 6082 * If the T4 RTO timer expires the endpoint should do B1 to B5 6083 */ 6084 enum sctp_disposition sctp_sf_t4_timer_expire( 6085 struct net *net, 6086 const struct sctp_endpoint *ep, 6087 const struct sctp_association *asoc, 6088 const union sctp_subtype type, 6089 void *arg, 6090 struct sctp_cmd_seq *commands) 6091 { 6092 struct sctp_chunk *chunk = asoc->addip_last_asconf; 6093 struct sctp_transport *transport = chunk->transport; 6094 6095 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 6096 6097 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 6098 * detection on the appropriate destination address as defined in 6099 * RFC2960 [5] section 8.1 and 8.2. 6100 */ 6101 if (transport) 6102 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 6103 SCTP_TRANSPORT(transport)); 6104 6105 /* Reconfig T4 timer and transport. */ 6106 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 6107 6108 /* ADDIP 4.1 B2) Increment the association error counters and perform 6109 * endpoint failure detection on the association as defined in 6110 * RFC2960 [5] section 8.1 and 8.2. 6111 * association error counter is incremented in SCTP_CMD_STRIKE. 6112 */ 6113 if (asoc->overall_error_count >= asoc->max_retrans) { 6114 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 6115 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6116 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6117 SCTP_ERROR(ETIMEDOUT)); 6118 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6119 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6120 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6121 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6122 return SCTP_DISPOSITION_ABORT; 6123 } 6124 6125 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 6126 * the ASCONF chunk was sent by doubling the RTO timer value. 6127 * This is done in SCTP_CMD_STRIKE. 6128 */ 6129 6130 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 6131 * choose an alternate destination address (please refer to RFC2960 6132 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 6133 * chunk, it MUST be the same (including its serial number) as the last 6134 * ASCONF sent. 6135 */ 6136 sctp_chunk_hold(asoc->addip_last_asconf); 6137 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6138 SCTP_CHUNK(asoc->addip_last_asconf)); 6139 6140 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 6141 * destination is selected, then the RTO used will be that of the new 6142 * destination address. 6143 */ 6144 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 6145 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6146 6147 return SCTP_DISPOSITION_CONSUME; 6148 } 6149 6150 /* sctpimpguide-05 Section 2.12.2 6151 * The sender of the SHUTDOWN MAY also start an overall guard timer 6152 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 6153 * At the expiration of this timer the sender SHOULD abort the association 6154 * by sending an ABORT chunk. 6155 */ 6156 enum sctp_disposition sctp_sf_t5_timer_expire( 6157 struct net *net, 6158 const struct sctp_endpoint *ep, 6159 const struct sctp_association *asoc, 6160 const union sctp_subtype type, 6161 void *arg, 6162 struct sctp_cmd_seq *commands) 6163 { 6164 struct sctp_chunk *reply = NULL; 6165 6166 pr_debug("%s: timer T5 expired\n", __func__); 6167 6168 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 6169 6170 reply = sctp_make_abort(asoc, NULL, 0); 6171 if (!reply) 6172 goto nomem; 6173 6174 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6175 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6176 SCTP_ERROR(ETIMEDOUT)); 6177 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6178 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6179 6180 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6181 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6182 6183 return SCTP_DISPOSITION_DELETE_TCB; 6184 nomem: 6185 return SCTP_DISPOSITION_NOMEM; 6186 } 6187 6188 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 6189 * the association is automatically closed by starting the shutdown process. 6190 * The work that needs to be done is same as when SHUTDOWN is initiated by 6191 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 6192 */ 6193 enum sctp_disposition sctp_sf_autoclose_timer_expire( 6194 struct net *net, 6195 const struct sctp_endpoint *ep, 6196 const struct sctp_association *asoc, 6197 const union sctp_subtype type, 6198 void *arg, 6199 struct sctp_cmd_seq *commands) 6200 { 6201 enum sctp_disposition disposition; 6202 6203 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 6204 6205 /* From 9.2 Shutdown of an Association 6206 * Upon receipt of the SHUTDOWN primitive from its upper 6207 * layer, the endpoint enters SHUTDOWN-PENDING state and 6208 * remains there until all outstanding data has been 6209 * acknowledged by its peer. The endpoint accepts no new data 6210 * from its upper layer, but retransmits data to the far end 6211 * if necessary to fill gaps. 6212 */ 6213 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 6214 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 6215 6216 disposition = SCTP_DISPOSITION_CONSUME; 6217 if (sctp_outq_is_empty(&asoc->outqueue)) { 6218 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 6219 NULL, commands); 6220 } 6221 6222 return disposition; 6223 } 6224 6225 /***************************************************************************** 6226 * These are sa state functions which could apply to all types of events. 6227 ****************************************************************************/ 6228 6229 /* 6230 * This table entry is not implemented. 6231 * 6232 * Inputs 6233 * (endpoint, asoc, chunk) 6234 * 6235 * The return value is the disposition of the chunk. 6236 */ 6237 enum sctp_disposition sctp_sf_not_impl(struct net *net, 6238 const struct sctp_endpoint *ep, 6239 const struct sctp_association *asoc, 6240 const union sctp_subtype type, 6241 void *arg, struct sctp_cmd_seq *commands) 6242 { 6243 return SCTP_DISPOSITION_NOT_IMPL; 6244 } 6245 6246 /* 6247 * This table entry represents a bug. 6248 * 6249 * Inputs 6250 * (endpoint, asoc, chunk) 6251 * 6252 * The return value is the disposition of the chunk. 6253 */ 6254 enum sctp_disposition sctp_sf_bug(struct net *net, 6255 const struct sctp_endpoint *ep, 6256 const struct sctp_association *asoc, 6257 const union sctp_subtype type, 6258 void *arg, struct sctp_cmd_seq *commands) 6259 { 6260 return SCTP_DISPOSITION_BUG; 6261 } 6262 6263 /* 6264 * This table entry represents the firing of a timer in the wrong state. 6265 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 6266 * when the association is in the wrong state. This event should 6267 * be ignored, so as to prevent any rearming of the timer. 6268 * 6269 * Inputs 6270 * (endpoint, asoc, chunk) 6271 * 6272 * The return value is the disposition of the chunk. 6273 */ 6274 enum sctp_disposition sctp_sf_timer_ignore(struct net *net, 6275 const struct sctp_endpoint *ep, 6276 const struct sctp_association *asoc, 6277 const union sctp_subtype type, 6278 void *arg, 6279 struct sctp_cmd_seq *commands) 6280 { 6281 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 6282 6283 return SCTP_DISPOSITION_CONSUME; 6284 } 6285 6286 /******************************************************************** 6287 * 2nd Level Abstractions 6288 ********************************************************************/ 6289 6290 /* Pull the SACK chunk based on the SACK header. */ 6291 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 6292 { 6293 struct sctp_sackhdr *sack; 6294 __u16 num_dup_tsns; 6295 unsigned int len; 6296 __u16 num_blocks; 6297 6298 /* Protect ourselves from reading too far into 6299 * the skb from a bogus sender. 6300 */ 6301 sack = (struct sctp_sackhdr *) chunk->skb->data; 6302 6303 num_blocks = ntohs(sack->num_gap_ack_blocks); 6304 num_dup_tsns = ntohs(sack->num_dup_tsns); 6305 len = sizeof(struct sctp_sackhdr); 6306 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 6307 if (len > chunk->skb->len) 6308 return NULL; 6309 6310 skb_pull(chunk->skb, len); 6311 6312 return sack; 6313 } 6314 6315 /* Create an ABORT packet to be sent as a response, with the specified 6316 * error causes. 6317 */ 6318 static struct sctp_packet *sctp_abort_pkt_new( 6319 struct net *net, 6320 const struct sctp_endpoint *ep, 6321 const struct sctp_association *asoc, 6322 struct sctp_chunk *chunk, 6323 const void *payload, size_t paylen) 6324 { 6325 struct sctp_packet *packet; 6326 struct sctp_chunk *abort; 6327 6328 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6329 6330 if (packet) { 6331 /* Make an ABORT. 6332 * The T bit will be set if the asoc is NULL. 6333 */ 6334 abort = sctp_make_abort(asoc, chunk, paylen); 6335 if (!abort) { 6336 sctp_ootb_pkt_free(packet); 6337 return NULL; 6338 } 6339 6340 /* Reflect vtag if T-Bit is set */ 6341 if (sctp_test_T_bit(abort)) 6342 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 6343 6344 /* Add specified error causes, i.e., payload, to the 6345 * end of the chunk. 6346 */ 6347 sctp_addto_chunk(abort, paylen, payload); 6348 6349 /* Set the skb to the belonging sock for accounting. */ 6350 abort->skb->sk = ep->base.sk; 6351 6352 sctp_packet_append_chunk(packet, abort); 6353 6354 } 6355 6356 return packet; 6357 } 6358 6359 /* Allocate a packet for responding in the OOTB conditions. */ 6360 static struct sctp_packet *sctp_ootb_pkt_new( 6361 struct net *net, 6362 const struct sctp_association *asoc, 6363 const struct sctp_chunk *chunk) 6364 { 6365 struct sctp_transport *transport; 6366 struct sctp_packet *packet; 6367 __u16 sport, dport; 6368 __u32 vtag; 6369 6370 /* Get the source and destination port from the inbound packet. */ 6371 sport = ntohs(chunk->sctp_hdr->dest); 6372 dport = ntohs(chunk->sctp_hdr->source); 6373 6374 /* The V-tag is going to be the same as the inbound packet if no 6375 * association exists, otherwise, use the peer's vtag. 6376 */ 6377 if (asoc) { 6378 /* Special case the INIT-ACK as there is no peer's vtag 6379 * yet. 6380 */ 6381 switch (chunk->chunk_hdr->type) { 6382 case SCTP_CID_INIT: 6383 case SCTP_CID_INIT_ACK: 6384 { 6385 struct sctp_initack_chunk *initack; 6386 6387 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 6388 vtag = ntohl(initack->init_hdr.init_tag); 6389 break; 6390 } 6391 default: 6392 vtag = asoc->peer.i.init_tag; 6393 break; 6394 } 6395 } else { 6396 /* Special case the INIT and stale COOKIE_ECHO as there is no 6397 * vtag yet. 6398 */ 6399 switch (chunk->chunk_hdr->type) { 6400 case SCTP_CID_INIT: 6401 { 6402 struct sctp_init_chunk *init; 6403 6404 init = (struct sctp_init_chunk *)chunk->chunk_hdr; 6405 vtag = ntohl(init->init_hdr.init_tag); 6406 break; 6407 } 6408 default: 6409 vtag = ntohl(chunk->sctp_hdr->vtag); 6410 break; 6411 } 6412 } 6413 6414 /* Make a transport for the bucket, Eliza... */ 6415 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6416 if (!transport) 6417 goto nomem; 6418 6419 transport->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port; 6420 6421 /* Cache a route for the transport with the chunk's destination as 6422 * the source address. 6423 */ 6424 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6425 sctp_sk(net->sctp.ctl_sock)); 6426 6427 packet = &transport->packet; 6428 sctp_packet_init(packet, transport, sport, dport); 6429 sctp_packet_config(packet, vtag, 0); 6430 6431 return packet; 6432 6433 nomem: 6434 return NULL; 6435 } 6436 6437 /* Free the packet allocated earlier for responding in the OOTB condition. */ 6438 void sctp_ootb_pkt_free(struct sctp_packet *packet) 6439 { 6440 sctp_transport_free(packet->transport); 6441 } 6442 6443 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6444 static void sctp_send_stale_cookie_err(struct net *net, 6445 const struct sctp_endpoint *ep, 6446 const struct sctp_association *asoc, 6447 const struct sctp_chunk *chunk, 6448 struct sctp_cmd_seq *commands, 6449 struct sctp_chunk *err_chunk) 6450 { 6451 struct sctp_packet *packet; 6452 6453 if (err_chunk) { 6454 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6455 if (packet) { 6456 struct sctp_signed_cookie *cookie; 6457 6458 /* Override the OOTB vtag from the cookie. */ 6459 cookie = chunk->subh.cookie_hdr; 6460 packet->vtag = cookie->c.peer_vtag; 6461 6462 /* Set the skb to the belonging sock for accounting. */ 6463 err_chunk->skb->sk = ep->base.sk; 6464 sctp_packet_append_chunk(packet, err_chunk); 6465 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6466 SCTP_PACKET(packet)); 6467 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6468 } else 6469 sctp_chunk_free (err_chunk); 6470 } 6471 } 6472 6473 6474 /* Process a data chunk */ 6475 static int sctp_eat_data(const struct sctp_association *asoc, 6476 struct sctp_chunk *chunk, 6477 struct sctp_cmd_seq *commands) 6478 { 6479 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6480 struct sock *sk = asoc->base.sk; 6481 struct net *net = sock_net(sk); 6482 struct sctp_datahdr *data_hdr; 6483 struct sctp_chunk *err; 6484 enum sctp_verb deliver; 6485 size_t datalen; 6486 __u32 tsn; 6487 int tmp; 6488 6489 data_hdr = (struct sctp_datahdr *)chunk->skb->data; 6490 chunk->subh.data_hdr = data_hdr; 6491 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream)); 6492 6493 tsn = ntohl(data_hdr->tsn); 6494 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6495 6496 /* ASSERT: Now skb->data is really the user data. */ 6497 6498 /* Process ECN based congestion. 6499 * 6500 * Since the chunk structure is reused for all chunks within 6501 * a packet, we use ecn_ce_done to track if we've already 6502 * done CE processing for this packet. 6503 * 6504 * We need to do ECN processing even if we plan to discard the 6505 * chunk later. 6506 */ 6507 6508 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) { 6509 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af; 6510 chunk->ecn_ce_done = 1; 6511 6512 if (af->is_ce(sctp_gso_headskb(chunk->skb))) { 6513 /* Do real work as side effect. */ 6514 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6515 SCTP_U32(tsn)); 6516 } 6517 } 6518 6519 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6520 if (tmp < 0) { 6521 /* The TSN is too high--silently discard the chunk and 6522 * count on it getting retransmitted later. 6523 */ 6524 if (chunk->asoc) 6525 chunk->asoc->stats.outofseqtsns++; 6526 return SCTP_IERROR_HIGH_TSN; 6527 } else if (tmp > 0) { 6528 /* This is a duplicate. Record it. */ 6529 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6530 return SCTP_IERROR_DUP_TSN; 6531 } 6532 6533 /* This is a new TSN. */ 6534 6535 /* Discard if there is no room in the receive window. 6536 * Actually, allow a little bit of overflow (up to a MTU). 6537 */ 6538 datalen = ntohs(chunk->chunk_hdr->length); 6539 datalen -= sctp_datachk_len(&asoc->stream); 6540 6541 deliver = SCTP_CMD_CHUNK_ULP; 6542 6543 /* Think about partial delivery. */ 6544 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6545 6546 /* Even if we don't accept this chunk there is 6547 * memory pressure. 6548 */ 6549 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6550 } 6551 6552 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6553 * seems a bit troublesome in that frag_point varies based on 6554 * PMTU. In cases, such as loopback, this might be a rather 6555 * large spill over. 6556 */ 6557 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6558 (datalen > asoc->rwnd + asoc->frag_point))) { 6559 6560 /* If this is the next TSN, consider reneging to make 6561 * room. Note: Playing nice with a confused sender. A 6562 * malicious sender can still eat up all our buffer 6563 * space and in the future we may want to detect and 6564 * do more drastic reneging. 6565 */ 6566 if (sctp_tsnmap_has_gap(map) && 6567 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6568 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6569 deliver = SCTP_CMD_RENEGE; 6570 } else { 6571 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6572 __func__, tsn, datalen, asoc->rwnd); 6573 6574 return SCTP_IERROR_IGNORE_TSN; 6575 } 6576 } 6577 6578 /* 6579 * Also try to renege to limit our memory usage in the event that 6580 * we are under memory pressure 6581 * If we can't renege, don't worry about it, the sk_rmem_schedule 6582 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6583 * memory usage too much 6584 */ 6585 if (sk_under_memory_pressure(sk)) { 6586 if (sctp_tsnmap_has_gap(map) && 6587 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6588 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6589 __func__, tsn); 6590 deliver = SCTP_CMD_RENEGE; 6591 } 6592 } 6593 6594 /* 6595 * Section 3.3.10.9 No User Data (9) 6596 * 6597 * Cause of error 6598 * --------------- 6599 * No User Data: This error cause is returned to the originator of a 6600 * DATA chunk if a received DATA chunk has no user data. 6601 */ 6602 if (unlikely(0 == datalen)) { 6603 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6604 if (err) { 6605 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6606 SCTP_CHUNK(err)); 6607 } 6608 /* We are going to ABORT, so we might as well stop 6609 * processing the rest of the chunks in the packet. 6610 */ 6611 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6612 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6613 SCTP_ERROR(ECONNABORTED)); 6614 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6615 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6616 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6617 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6618 return SCTP_IERROR_NO_DATA; 6619 } 6620 6621 chunk->data_accepted = 1; 6622 6623 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6624 * if we renege and the chunk arrives again. 6625 */ 6626 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6627 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6628 if (chunk->asoc) 6629 chunk->asoc->stats.iuodchunks++; 6630 } else { 6631 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6632 if (chunk->asoc) 6633 chunk->asoc->stats.iodchunks++; 6634 } 6635 6636 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6637 * 6638 * If an endpoint receive a DATA chunk with an invalid stream 6639 * identifier, it shall acknowledge the reception of the DATA chunk 6640 * following the normal procedure, immediately send an ERROR chunk 6641 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6642 * and discard the DATA chunk. 6643 */ 6644 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) { 6645 /* Mark tsn as received even though we drop it */ 6646 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6647 6648 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6649 &data_hdr->stream, 6650 sizeof(data_hdr->stream), 6651 sizeof(u16)); 6652 if (err) 6653 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6654 SCTP_CHUNK(err)); 6655 return SCTP_IERROR_BAD_STREAM; 6656 } 6657 6658 /* Check to see if the SSN is possible for this TSN. 6659 * The biggest gap we can record is 4K wide. Since SSNs wrap 6660 * at an unsigned short, there is no way that an SSN can 6661 * wrap and for a valid TSN. We can simply check if the current 6662 * SSN is smaller then the next expected one. If it is, it wrapped 6663 * and is invalid. 6664 */ 6665 if (!asoc->stream.si->validate_data(chunk)) 6666 return SCTP_IERROR_PROTO_VIOLATION; 6667 6668 /* Send the data up to the user. Note: Schedule the 6669 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6670 * chunk needs the updated rwnd. 6671 */ 6672 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6673 6674 return SCTP_IERROR_NO_ERROR; 6675 } 6676