1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, see 26 * <http://www.gnu.org/licenses/>. 27 * 28 * Please send any bug reports or fixes you make to the 29 * email address(es): 30 * lksctp developers <linux-sctp@vger.kernel.org> 31 * 32 * Written or modified by: 33 * La Monte H.P. Yarroll <piggy@acm.org> 34 * Karl Knutson <karl@athena.chicago.il.us> 35 * Mathew Kotowsky <kotowsky@sctp.org> 36 * Sridhar Samudrala <samudrala@us.ibm.com> 37 * Jon Grimm <jgrimm@us.ibm.com> 38 * Hui Huang <hui.huang@nokia.com> 39 * Dajiang Zhang <dajiang.zhang@nokia.com> 40 * Daisy Chang <daisyc@us.ibm.com> 41 * Ardelle Fan <ardelle.fan@intel.com> 42 * Ryan Layer <rmlayer@us.ibm.com> 43 * Kevin Gao <kevin.gao@intel.com> 44 */ 45 46 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 47 48 #include <linux/types.h> 49 #include <linux/kernel.h> 50 #include <linux/ip.h> 51 #include <linux/ipv6.h> 52 #include <linux/net.h> 53 #include <linux/inet.h> 54 #include <linux/slab.h> 55 #include <net/sock.h> 56 #include <net/inet_ecn.h> 57 #include <linux/skbuff.h> 58 #include <net/sctp/sctp.h> 59 #include <net/sctp/sm.h> 60 #include <net/sctp/structs.h> 61 62 static struct sctp_packet *sctp_abort_pkt_new(struct net *net, 63 const struct sctp_endpoint *ep, 64 const struct sctp_association *asoc, 65 struct sctp_chunk *chunk, 66 const void *payload, 67 size_t paylen); 68 static int sctp_eat_data(const struct sctp_association *asoc, 69 struct sctp_chunk *chunk, 70 sctp_cmd_seq_t *commands); 71 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net, 72 const struct sctp_association *asoc, 73 const struct sctp_chunk *chunk); 74 static void sctp_send_stale_cookie_err(struct net *net, 75 const struct sctp_endpoint *ep, 76 const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk, 78 sctp_cmd_seq_t *commands, 79 struct sctp_chunk *err_chunk); 80 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net, 81 const struct sctp_endpoint *ep, 82 const struct sctp_association *asoc, 83 const sctp_subtype_t type, 84 void *arg, 85 sctp_cmd_seq_t *commands); 86 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net, 87 const struct sctp_endpoint *ep, 88 const struct sctp_association *asoc, 89 const sctp_subtype_t type, 90 void *arg, 91 sctp_cmd_seq_t *commands); 92 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net, 93 const struct sctp_endpoint *ep, 94 const struct sctp_association *asoc, 95 const sctp_subtype_t type, 96 void *arg, 97 sctp_cmd_seq_t *commands); 98 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 99 100 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net, 101 sctp_cmd_seq_t *commands, 102 __be16 error, int sk_err, 103 const struct sctp_association *asoc, 104 struct sctp_transport *transport); 105 106 static sctp_disposition_t sctp_sf_abort_violation( 107 struct net *net, 108 const struct sctp_endpoint *ep, 109 const struct sctp_association *asoc, 110 void *arg, 111 sctp_cmd_seq_t *commands, 112 const __u8 *payload, 113 const size_t paylen); 114 115 static sctp_disposition_t sctp_sf_violation_chunklen( 116 struct net *net, 117 const struct sctp_endpoint *ep, 118 const struct sctp_association *asoc, 119 const sctp_subtype_t type, 120 void *arg, 121 sctp_cmd_seq_t *commands); 122 123 static sctp_disposition_t sctp_sf_violation_paramlen( 124 struct net *net, 125 const struct sctp_endpoint *ep, 126 const struct sctp_association *asoc, 127 const sctp_subtype_t type, 128 void *arg, void *ext, 129 sctp_cmd_seq_t *commands); 130 131 static sctp_disposition_t sctp_sf_violation_ctsn( 132 struct net *net, 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const sctp_subtype_t type, 136 void *arg, 137 sctp_cmd_seq_t *commands); 138 139 static sctp_disposition_t sctp_sf_violation_chunk( 140 struct net *net, 141 const struct sctp_endpoint *ep, 142 const struct sctp_association *asoc, 143 const sctp_subtype_t type, 144 void *arg, 145 sctp_cmd_seq_t *commands); 146 147 static sctp_ierror_t sctp_sf_authenticate(struct net *net, 148 const struct sctp_endpoint *ep, 149 const struct sctp_association *asoc, 150 const sctp_subtype_t type, 151 struct sctp_chunk *chunk); 152 153 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net, 154 const struct sctp_endpoint *ep, 155 const struct sctp_association *asoc, 156 const sctp_subtype_t type, 157 void *arg, 158 sctp_cmd_seq_t *commands); 159 160 /* Small helper function that checks if the chunk length 161 * is of the appropriate length. The 'required_length' argument 162 * is set to be the size of a specific chunk we are testing. 163 * Return Values: 1 = Valid length 164 * 0 = Invalid length 165 * 166 */ 167 static inline int 168 sctp_chunk_length_valid(struct sctp_chunk *chunk, 169 __u16 required_length) 170 { 171 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 172 173 /* Previously already marked? */ 174 if (unlikely(chunk->pdiscard)) 175 return 0; 176 if (unlikely(chunk_length < required_length)) 177 return 0; 178 179 return 1; 180 } 181 182 /********************************************************** 183 * These are the state functions for handling chunk events. 184 **********************************************************/ 185 186 /* 187 * Process the final SHUTDOWN COMPLETE. 188 * 189 * Section: 4 (C) (diagram), 9.2 190 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 191 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 192 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 193 * should stop the T2-shutdown timer and remove all knowledge of the 194 * association (and thus the association enters the CLOSED state). 195 * 196 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 197 * C) Rules for packet carrying SHUTDOWN COMPLETE: 198 * ... 199 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 200 * if the Verification Tag field of the packet matches its own tag and 201 * the T bit is not set 202 * OR 203 * it is set to its peer's tag and the T bit is set in the Chunk 204 * Flags. 205 * Otherwise, the receiver MUST silently discard the packet 206 * and take no further action. An endpoint MUST ignore the 207 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 208 * 209 * Inputs 210 * (endpoint, asoc, chunk) 211 * 212 * Outputs 213 * (asoc, reply_msg, msg_up, timers, counters) 214 * 215 * The return value is the disposition of the chunk. 216 */ 217 sctp_disposition_t sctp_sf_do_4_C(struct net *net, 218 const struct sctp_endpoint *ep, 219 const struct sctp_association *asoc, 220 const sctp_subtype_t type, 221 void *arg, 222 sctp_cmd_seq_t *commands) 223 { 224 struct sctp_chunk *chunk = arg; 225 struct sctp_ulpevent *ev; 226 227 if (!sctp_vtag_verify_either(chunk, asoc)) 228 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 229 230 /* RFC 2960 6.10 Bundling 231 * 232 * An endpoint MUST NOT bundle INIT, INIT ACK or 233 * SHUTDOWN COMPLETE with any other chunks. 234 */ 235 if (!chunk->singleton) 236 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 237 238 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 239 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 240 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 241 commands); 242 243 /* RFC 2960 10.2 SCTP-to-ULP 244 * 245 * H) SHUTDOWN COMPLETE notification 246 * 247 * When SCTP completes the shutdown procedures (section 9.2) this 248 * notification is passed to the upper layer. 249 */ 250 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 251 0, 0, 0, NULL, GFP_ATOMIC); 252 if (ev) 253 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 254 SCTP_ULPEVENT(ev)); 255 256 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 257 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 258 * not the chunk should be discarded. If the endpoint is in 259 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 260 * T2-shutdown timer and remove all knowledge of the 261 * association (and thus the association enters the CLOSED 262 * state). 263 */ 264 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 265 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 266 267 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 268 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 269 270 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 271 SCTP_STATE(SCTP_STATE_CLOSED)); 272 273 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 274 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 275 276 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 277 278 return SCTP_DISPOSITION_DELETE_TCB; 279 } 280 281 /* 282 * Respond to a normal INIT chunk. 283 * We are the side that is being asked for an association. 284 * 285 * Section: 5.1 Normal Establishment of an Association, B 286 * B) "Z" shall respond immediately with an INIT ACK chunk. The 287 * destination IP address of the INIT ACK MUST be set to the source 288 * IP address of the INIT to which this INIT ACK is responding. In 289 * the response, besides filling in other parameters, "Z" must set the 290 * Verification Tag field to Tag_A, and also provide its own 291 * Verification Tag (Tag_Z) in the Initiate Tag field. 292 * 293 * Verification Tag: Must be 0. 294 * 295 * Inputs 296 * (endpoint, asoc, chunk) 297 * 298 * Outputs 299 * (asoc, reply_msg, msg_up, timers, counters) 300 * 301 * The return value is the disposition of the chunk. 302 */ 303 sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net, 304 const struct sctp_endpoint *ep, 305 const struct sctp_association *asoc, 306 const sctp_subtype_t type, 307 void *arg, 308 sctp_cmd_seq_t *commands) 309 { 310 struct sctp_chunk *chunk = arg; 311 struct sctp_chunk *repl; 312 struct sctp_association *new_asoc; 313 struct sctp_chunk *err_chunk; 314 struct sctp_packet *packet; 315 sctp_unrecognized_param_t *unk_param; 316 int len; 317 318 /* 6.10 Bundling 319 * An endpoint MUST NOT bundle INIT, INIT ACK or 320 * SHUTDOWN COMPLETE with any other chunks. 321 * 322 * IG Section 2.11.2 323 * Furthermore, we require that the receiver of an INIT chunk MUST 324 * enforce these rules by silently discarding an arriving packet 325 * with an INIT chunk that is bundled with other chunks. 326 */ 327 if (!chunk->singleton) 328 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 329 330 /* If the packet is an OOTB packet which is temporarily on the 331 * control endpoint, respond with an ABORT. 332 */ 333 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 334 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 335 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 336 } 337 338 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 339 * Tag. 340 */ 341 if (chunk->sctp_hdr->vtag != 0) 342 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 343 344 /* Make sure that the INIT chunk has a valid length. 345 * Normally, this would cause an ABORT with a Protocol Violation 346 * error, but since we don't have an association, we'll 347 * just discard the packet. 348 */ 349 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 350 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 351 352 /* If the INIT is coming toward a closing socket, we'll send back 353 * and ABORT. Essentially, this catches the race of INIT being 354 * backloged to the socket at the same time as the user isses close(). 355 * Since the socket and all its associations are going away, we 356 * can treat this OOTB 357 */ 358 if (sctp_sstate(ep->base.sk, CLOSING)) 359 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 360 361 /* Verify the INIT chunk before processing it. */ 362 err_chunk = NULL; 363 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 364 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 365 &err_chunk)) { 366 /* This chunk contains fatal error. It is to be discarded. 367 * Send an ABORT, with causes if there is any. 368 */ 369 if (err_chunk) { 370 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 371 (__u8 *)(err_chunk->chunk_hdr) + 372 sizeof(sctp_chunkhdr_t), 373 ntohs(err_chunk->chunk_hdr->length) - 374 sizeof(sctp_chunkhdr_t)); 375 376 sctp_chunk_free(err_chunk); 377 378 if (packet) { 379 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 380 SCTP_PACKET(packet)); 381 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 382 return SCTP_DISPOSITION_CONSUME; 383 } else { 384 return SCTP_DISPOSITION_NOMEM; 385 } 386 } else { 387 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 388 commands); 389 } 390 } 391 392 /* Grab the INIT header. */ 393 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 394 395 /* Tag the variable length parameters. */ 396 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 397 398 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 399 if (!new_asoc) 400 goto nomem; 401 402 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 403 sctp_scope(sctp_source(chunk)), 404 GFP_ATOMIC) < 0) 405 goto nomem_init; 406 407 /* The call, sctp_process_init(), can fail on memory allocation. */ 408 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 409 (sctp_init_chunk_t *)chunk->chunk_hdr, 410 GFP_ATOMIC)) 411 goto nomem_init; 412 413 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 414 415 /* If there are errors need to be reported for unknown parameters, 416 * make sure to reserve enough room in the INIT ACK for them. 417 */ 418 len = 0; 419 if (err_chunk) 420 len = ntohs(err_chunk->chunk_hdr->length) - 421 sizeof(sctp_chunkhdr_t); 422 423 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 424 if (!repl) 425 goto nomem_init; 426 427 /* If there are errors need to be reported for unknown parameters, 428 * include them in the outgoing INIT ACK as "Unrecognized parameter" 429 * parameter. 430 */ 431 if (err_chunk) { 432 /* Get the "Unrecognized parameter" parameter(s) out of the 433 * ERROR chunk generated by sctp_verify_init(). Since the 434 * error cause code for "unknown parameter" and the 435 * "Unrecognized parameter" type is the same, we can 436 * construct the parameters in INIT ACK by copying the 437 * ERROR causes over. 438 */ 439 unk_param = (sctp_unrecognized_param_t *) 440 ((__u8 *)(err_chunk->chunk_hdr) + 441 sizeof(sctp_chunkhdr_t)); 442 /* Replace the cause code with the "Unrecognized parameter" 443 * parameter type. 444 */ 445 sctp_addto_chunk(repl, len, unk_param); 446 sctp_chunk_free(err_chunk); 447 } 448 449 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 450 451 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 452 453 /* 454 * Note: After sending out INIT ACK with the State Cookie parameter, 455 * "Z" MUST NOT allocate any resources, nor keep any states for the 456 * new association. Otherwise, "Z" will be vulnerable to resource 457 * attacks. 458 */ 459 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 460 461 return SCTP_DISPOSITION_DELETE_TCB; 462 463 nomem_init: 464 sctp_association_free(new_asoc); 465 nomem: 466 if (err_chunk) 467 sctp_chunk_free(err_chunk); 468 return SCTP_DISPOSITION_NOMEM; 469 } 470 471 /* 472 * Respond to a normal INIT ACK chunk. 473 * We are the side that is initiating the association. 474 * 475 * Section: 5.1 Normal Establishment of an Association, C 476 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 477 * timer and leave COOKIE-WAIT state. "A" shall then send the State 478 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 479 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 480 * 481 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 482 * DATA chunks, but it MUST be the first chunk in the packet and 483 * until the COOKIE ACK is returned the sender MUST NOT send any 484 * other packets to the peer. 485 * 486 * Verification Tag: 3.3.3 487 * If the value of the Initiate Tag in a received INIT ACK chunk is 488 * found to be 0, the receiver MUST treat it as an error and close the 489 * association by transmitting an ABORT. 490 * 491 * Inputs 492 * (endpoint, asoc, chunk) 493 * 494 * Outputs 495 * (asoc, reply_msg, msg_up, timers, counters) 496 * 497 * The return value is the disposition of the chunk. 498 */ 499 sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net, 500 const struct sctp_endpoint *ep, 501 const struct sctp_association *asoc, 502 const sctp_subtype_t type, 503 void *arg, 504 sctp_cmd_seq_t *commands) 505 { 506 struct sctp_chunk *chunk = arg; 507 sctp_init_chunk_t *initchunk; 508 struct sctp_chunk *err_chunk; 509 struct sctp_packet *packet; 510 511 if (!sctp_vtag_verify(chunk, asoc)) 512 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 513 514 /* 6.10 Bundling 515 * An endpoint MUST NOT bundle INIT, INIT ACK or 516 * SHUTDOWN COMPLETE with any other chunks. 517 */ 518 if (!chunk->singleton) 519 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 520 521 /* Make sure that the INIT-ACK chunk has a valid length */ 522 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 523 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 524 commands); 525 /* Grab the INIT header. */ 526 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 527 528 /* Verify the INIT chunk before processing it. */ 529 err_chunk = NULL; 530 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 531 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 532 &err_chunk)) { 533 534 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 535 536 /* This chunk contains fatal error. It is to be discarded. 537 * Send an ABORT, with causes. If there are no causes, 538 * then there wasn't enough memory. Just terminate 539 * the association. 540 */ 541 if (err_chunk) { 542 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 543 (__u8 *)(err_chunk->chunk_hdr) + 544 sizeof(sctp_chunkhdr_t), 545 ntohs(err_chunk->chunk_hdr->length) - 546 sizeof(sctp_chunkhdr_t)); 547 548 sctp_chunk_free(err_chunk); 549 550 if (packet) { 551 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 552 SCTP_PACKET(packet)); 553 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 554 error = SCTP_ERROR_INV_PARAM; 555 } 556 } 557 558 /* SCTP-AUTH, Section 6.3: 559 * It should be noted that if the receiver wants to tear 560 * down an association in an authenticated way only, the 561 * handling of malformed packets should not result in 562 * tearing down the association. 563 * 564 * This means that if we only want to abort associations 565 * in an authenticated way (i.e AUTH+ABORT), then we 566 * can't destroy this association just because the packet 567 * was malformed. 568 */ 569 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 570 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 571 572 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 573 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 574 asoc, chunk->transport); 575 } 576 577 /* Tag the variable length parameters. Note that we never 578 * convert the parameters in an INIT chunk. 579 */ 580 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 581 582 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 583 584 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 585 SCTP_PEER_INIT(initchunk)); 586 587 /* Reset init error count upon receipt of INIT-ACK. */ 588 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 589 590 /* 5.1 C) "A" shall stop the T1-init timer and leave 591 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 592 * timer, and enter the COOKIE-ECHOED state. 593 */ 594 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 595 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 596 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 597 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 598 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 599 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 600 601 /* SCTP-AUTH: genereate the assocition shared keys so that 602 * we can potentially signe the COOKIE-ECHO. 603 */ 604 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 605 606 /* 5.1 C) "A" shall then send the State Cookie received in the 607 * INIT ACK chunk in a COOKIE ECHO chunk, ... 608 */ 609 /* If there is any errors to report, send the ERROR chunk generated 610 * for unknown parameters as well. 611 */ 612 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 613 SCTP_CHUNK(err_chunk)); 614 615 return SCTP_DISPOSITION_CONSUME; 616 } 617 618 /* 619 * Respond to a normal COOKIE ECHO chunk. 620 * We are the side that is being asked for an association. 621 * 622 * Section: 5.1 Normal Establishment of an Association, D 623 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 624 * with a COOKIE ACK chunk after building a TCB and moving to 625 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 626 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 627 * chunk MUST be the first chunk in the packet. 628 * 629 * IMPLEMENTATION NOTE: An implementation may choose to send the 630 * Communication Up notification to the SCTP user upon reception 631 * of a valid COOKIE ECHO chunk. 632 * 633 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 634 * D) Rules for packet carrying a COOKIE ECHO 635 * 636 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 637 * Initial Tag received in the INIT ACK. 638 * 639 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 640 * 641 * Inputs 642 * (endpoint, asoc, chunk) 643 * 644 * Outputs 645 * (asoc, reply_msg, msg_up, timers, counters) 646 * 647 * The return value is the disposition of the chunk. 648 */ 649 sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net, 650 const struct sctp_endpoint *ep, 651 const struct sctp_association *asoc, 652 const sctp_subtype_t type, void *arg, 653 sctp_cmd_seq_t *commands) 654 { 655 struct sctp_chunk *chunk = arg; 656 struct sctp_association *new_asoc; 657 sctp_init_chunk_t *peer_init; 658 struct sctp_chunk *repl; 659 struct sctp_ulpevent *ev, *ai_ev = NULL; 660 int error = 0; 661 struct sctp_chunk *err_chk_p; 662 struct sock *sk; 663 664 /* If the packet is an OOTB packet which is temporarily on the 665 * control endpoint, respond with an ABORT. 666 */ 667 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 668 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 669 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 670 } 671 672 /* Make sure that the COOKIE_ECHO chunk has a valid length. 673 * In this case, we check that we have enough for at least a 674 * chunk header. More detailed verification is done 675 * in sctp_unpack_cookie(). 676 */ 677 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 678 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 679 680 /* If the endpoint is not listening or if the number of associations 681 * on the TCP-style socket exceed the max backlog, respond with an 682 * ABORT. 683 */ 684 sk = ep->base.sk; 685 if (!sctp_sstate(sk, LISTENING) || 686 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 687 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 688 689 /* "Decode" the chunk. We have no optional parameters so we 690 * are in good shape. 691 */ 692 chunk->subh.cookie_hdr = 693 (struct sctp_signed_cookie *)chunk->skb->data; 694 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 695 sizeof(sctp_chunkhdr_t))) 696 goto nomem; 697 698 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 699 * "Z" will reply with a COOKIE ACK chunk after building a TCB 700 * and moving to the ESTABLISHED state. 701 */ 702 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 703 &err_chk_p); 704 705 /* FIXME: 706 * If the re-build failed, what is the proper error path 707 * from here? 708 * 709 * [We should abort the association. --piggy] 710 */ 711 if (!new_asoc) { 712 /* FIXME: Several errors are possible. A bad cookie should 713 * be silently discarded, but think about logging it too. 714 */ 715 switch (error) { 716 case -SCTP_IERROR_NOMEM: 717 goto nomem; 718 719 case -SCTP_IERROR_STALE_COOKIE: 720 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 721 err_chk_p); 722 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 723 724 case -SCTP_IERROR_BAD_SIG: 725 default: 726 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 727 } 728 } 729 730 731 /* Delay state machine commands until later. 732 * 733 * Re-build the bind address for the association is done in 734 * the sctp_unpack_cookie() already. 735 */ 736 /* This is a brand-new association, so these are not yet side 737 * effects--it is safe to run them here. 738 */ 739 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 740 741 if (!sctp_process_init(new_asoc, chunk, 742 &chunk->subh.cookie_hdr->c.peer_addr, 743 peer_init, GFP_ATOMIC)) 744 goto nomem_init; 745 746 /* SCTP-AUTH: Now that we've populate required fields in 747 * sctp_process_init, set up the assocaition shared keys as 748 * necessary so that we can potentially authenticate the ACK 749 */ 750 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 751 if (error) 752 goto nomem_init; 753 754 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 755 * is supposed to be authenticated and we have to do delayed 756 * authentication. We've just recreated the association using 757 * the information in the cookie and now it's much easier to 758 * do the authentication. 759 */ 760 if (chunk->auth_chunk) { 761 struct sctp_chunk auth; 762 sctp_ierror_t ret; 763 764 /* Make sure that we and the peer are AUTH capable */ 765 if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { 766 sctp_association_free(new_asoc); 767 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 768 } 769 770 /* set-up our fake chunk so that we can process it */ 771 auth.skb = chunk->auth_chunk; 772 auth.asoc = chunk->asoc; 773 auth.sctp_hdr = chunk->sctp_hdr; 774 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 775 sizeof(sctp_chunkhdr_t)); 776 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 777 auth.transport = chunk->transport; 778 779 ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth); 780 if (ret != SCTP_IERROR_NO_ERROR) { 781 sctp_association_free(new_asoc); 782 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 783 } 784 } 785 786 repl = sctp_make_cookie_ack(new_asoc, chunk); 787 if (!repl) 788 goto nomem_init; 789 790 /* RFC 2960 5.1 Normal Establishment of an Association 791 * 792 * D) IMPLEMENTATION NOTE: An implementation may choose to 793 * send the Communication Up notification to the SCTP user 794 * upon reception of a valid COOKIE ECHO chunk. 795 */ 796 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 797 new_asoc->c.sinit_num_ostreams, 798 new_asoc->c.sinit_max_instreams, 799 NULL, GFP_ATOMIC); 800 if (!ev) 801 goto nomem_ev; 802 803 /* Sockets API Draft Section 5.3.1.6 804 * When a peer sends a Adaptation Layer Indication parameter , SCTP 805 * delivers this notification to inform the application that of the 806 * peers requested adaptation layer. 807 */ 808 if (new_asoc->peer.adaptation_ind) { 809 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 810 GFP_ATOMIC); 811 if (!ai_ev) 812 goto nomem_aiev; 813 } 814 815 /* Add all the state machine commands now since we've created 816 * everything. This way we don't introduce memory corruptions 817 * during side-effect processing and correclty count established 818 * associations. 819 */ 820 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 821 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 822 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 823 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 824 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 825 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 826 827 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 828 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 829 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 830 831 /* This will send the COOKIE ACK */ 832 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 833 834 /* Queue the ASSOC_CHANGE event */ 835 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 836 837 /* Send up the Adaptation Layer Indication event */ 838 if (ai_ev) 839 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 840 SCTP_ULPEVENT(ai_ev)); 841 842 return SCTP_DISPOSITION_CONSUME; 843 844 nomem_aiev: 845 sctp_ulpevent_free(ev); 846 nomem_ev: 847 sctp_chunk_free(repl); 848 nomem_init: 849 sctp_association_free(new_asoc); 850 nomem: 851 return SCTP_DISPOSITION_NOMEM; 852 } 853 854 /* 855 * Respond to a normal COOKIE ACK chunk. 856 * We are the side that is asking for an association. 857 * 858 * RFC 2960 5.1 Normal Establishment of an Association 859 * 860 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 861 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 862 * timer. It may also notify its ULP about the successful 863 * establishment of the association with a Communication Up 864 * notification (see Section 10). 865 * 866 * Verification Tag: 867 * Inputs 868 * (endpoint, asoc, chunk) 869 * 870 * Outputs 871 * (asoc, reply_msg, msg_up, timers, counters) 872 * 873 * The return value is the disposition of the chunk. 874 */ 875 sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net, 876 const struct sctp_endpoint *ep, 877 const struct sctp_association *asoc, 878 const sctp_subtype_t type, void *arg, 879 sctp_cmd_seq_t *commands) 880 { 881 struct sctp_chunk *chunk = arg; 882 struct sctp_ulpevent *ev; 883 884 if (!sctp_vtag_verify(chunk, asoc)) 885 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 886 887 /* Verify that the chunk length for the COOKIE-ACK is OK. 888 * If we don't do this, any bundled chunks may be junked. 889 */ 890 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 891 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 892 commands); 893 894 /* Reset init error count upon receipt of COOKIE-ACK, 895 * to avoid problems with the managemement of this 896 * counter in stale cookie situations when a transition back 897 * from the COOKIE-ECHOED state to the COOKIE-WAIT 898 * state is performed. 899 */ 900 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 901 902 /* RFC 2960 5.1 Normal Establishment of an Association 903 * 904 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 905 * from the COOKIE-ECHOED state to the ESTABLISHED state, 906 * stopping the T1-cookie timer. 907 */ 908 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 909 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 910 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 911 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 912 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 913 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 914 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 915 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 916 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 917 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 918 919 /* It may also notify its ULP about the successful 920 * establishment of the association with a Communication Up 921 * notification (see Section 10). 922 */ 923 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 924 0, asoc->c.sinit_num_ostreams, 925 asoc->c.sinit_max_instreams, 926 NULL, GFP_ATOMIC); 927 928 if (!ev) 929 goto nomem; 930 931 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 932 933 /* Sockets API Draft Section 5.3.1.6 934 * When a peer sends a Adaptation Layer Indication parameter , SCTP 935 * delivers this notification to inform the application that of the 936 * peers requested adaptation layer. 937 */ 938 if (asoc->peer.adaptation_ind) { 939 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 940 if (!ev) 941 goto nomem; 942 943 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 944 SCTP_ULPEVENT(ev)); 945 } 946 947 return SCTP_DISPOSITION_CONSUME; 948 nomem: 949 return SCTP_DISPOSITION_NOMEM; 950 } 951 952 /* Generate and sendout a heartbeat packet. */ 953 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 954 const struct sctp_association *asoc, 955 const sctp_subtype_t type, 956 void *arg, 957 sctp_cmd_seq_t *commands) 958 { 959 struct sctp_transport *transport = (struct sctp_transport *) arg; 960 struct sctp_chunk *reply; 961 962 /* Send a heartbeat to our peer. */ 963 reply = sctp_make_heartbeat(asoc, transport); 964 if (!reply) 965 return SCTP_DISPOSITION_NOMEM; 966 967 /* Set rto_pending indicating that an RTT measurement 968 * is started with this heartbeat chunk. 969 */ 970 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 971 SCTP_TRANSPORT(transport)); 972 973 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 974 return SCTP_DISPOSITION_CONSUME; 975 } 976 977 /* Generate a HEARTBEAT packet on the given transport. */ 978 sctp_disposition_t sctp_sf_sendbeat_8_3(struct net *net, 979 const struct sctp_endpoint *ep, 980 const struct sctp_association *asoc, 981 const sctp_subtype_t type, 982 void *arg, 983 sctp_cmd_seq_t *commands) 984 { 985 struct sctp_transport *transport = (struct sctp_transport *) arg; 986 987 if (asoc->overall_error_count >= asoc->max_retrans) { 988 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 989 SCTP_ERROR(ETIMEDOUT)); 990 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 991 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 992 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 993 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 994 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 995 return SCTP_DISPOSITION_DELETE_TCB; 996 } 997 998 /* Section 3.3.5. 999 * The Sender-specific Heartbeat Info field should normally include 1000 * information about the sender's current time when this HEARTBEAT 1001 * chunk is sent and the destination transport address to which this 1002 * HEARTBEAT is sent (see Section 8.3). 1003 */ 1004 1005 if (transport->param_flags & SPP_HB_ENABLE) { 1006 if (SCTP_DISPOSITION_NOMEM == 1007 sctp_sf_heartbeat(ep, asoc, type, arg, 1008 commands)) 1009 return SCTP_DISPOSITION_NOMEM; 1010 1011 /* Set transport error counter and association error counter 1012 * when sending heartbeat. 1013 */ 1014 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1015 SCTP_TRANSPORT(transport)); 1016 } 1017 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1018 SCTP_TRANSPORT(transport)); 1019 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1020 SCTP_TRANSPORT(transport)); 1021 1022 return SCTP_DISPOSITION_CONSUME; 1023 } 1024 1025 /* 1026 * Process an heartbeat request. 1027 * 1028 * Section: 8.3 Path Heartbeat 1029 * The receiver of the HEARTBEAT should immediately respond with a 1030 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1031 * from the received HEARTBEAT chunk. 1032 * 1033 * Verification Tag: 8.5 Verification Tag [Normal verification] 1034 * When receiving an SCTP packet, the endpoint MUST ensure that the 1035 * value in the Verification Tag field of the received SCTP packet 1036 * matches its own Tag. If the received Verification Tag value does not 1037 * match the receiver's own tag value, the receiver shall silently 1038 * discard the packet and shall not process it any further except for 1039 * those cases listed in Section 8.5.1 below. 1040 * 1041 * Inputs 1042 * (endpoint, asoc, chunk) 1043 * 1044 * Outputs 1045 * (asoc, reply_msg, msg_up, timers, counters) 1046 * 1047 * The return value is the disposition of the chunk. 1048 */ 1049 sctp_disposition_t sctp_sf_beat_8_3(struct net *net, 1050 const struct sctp_endpoint *ep, 1051 const struct sctp_association *asoc, 1052 const sctp_subtype_t type, 1053 void *arg, 1054 sctp_cmd_seq_t *commands) 1055 { 1056 sctp_paramhdr_t *param_hdr; 1057 struct sctp_chunk *chunk = arg; 1058 struct sctp_chunk *reply; 1059 size_t paylen = 0; 1060 1061 if (!sctp_vtag_verify(chunk, asoc)) 1062 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1063 1064 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1065 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1066 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1067 commands); 1068 1069 /* 8.3 The receiver of the HEARTBEAT should immediately 1070 * respond with a HEARTBEAT ACK that contains the Heartbeat 1071 * Information field copied from the received HEARTBEAT chunk. 1072 */ 1073 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1074 param_hdr = (sctp_paramhdr_t *) chunk->subh.hb_hdr; 1075 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1076 1077 if (ntohs(param_hdr->length) > paylen) 1078 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1079 param_hdr, commands); 1080 1081 if (!pskb_pull(chunk->skb, paylen)) 1082 goto nomem; 1083 1084 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1085 if (!reply) 1086 goto nomem; 1087 1088 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1089 return SCTP_DISPOSITION_CONSUME; 1090 1091 nomem: 1092 return SCTP_DISPOSITION_NOMEM; 1093 } 1094 1095 /* 1096 * Process the returning HEARTBEAT ACK. 1097 * 1098 * Section: 8.3 Path Heartbeat 1099 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1100 * should clear the error counter of the destination transport 1101 * address to which the HEARTBEAT was sent, and mark the destination 1102 * transport address as active if it is not so marked. The endpoint may 1103 * optionally report to the upper layer when an inactive destination 1104 * address is marked as active due to the reception of the latest 1105 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1106 * clear the association overall error count as well (as defined 1107 * in section 8.1). 1108 * 1109 * The receiver of the HEARTBEAT ACK should also perform an RTT 1110 * measurement for that destination transport address using the time 1111 * value carried in the HEARTBEAT ACK chunk. 1112 * 1113 * Verification Tag: 8.5 Verification Tag [Normal verification] 1114 * 1115 * Inputs 1116 * (endpoint, asoc, chunk) 1117 * 1118 * Outputs 1119 * (asoc, reply_msg, msg_up, timers, counters) 1120 * 1121 * The return value is the disposition of the chunk. 1122 */ 1123 sctp_disposition_t sctp_sf_backbeat_8_3(struct net *net, 1124 const struct sctp_endpoint *ep, 1125 const struct sctp_association *asoc, 1126 const sctp_subtype_t type, 1127 void *arg, 1128 sctp_cmd_seq_t *commands) 1129 { 1130 struct sctp_chunk *chunk = arg; 1131 union sctp_addr from_addr; 1132 struct sctp_transport *link; 1133 sctp_sender_hb_info_t *hbinfo; 1134 unsigned long max_interval; 1135 1136 if (!sctp_vtag_verify(chunk, asoc)) 1137 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1138 1139 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1140 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) + 1141 sizeof(sctp_sender_hb_info_t))) 1142 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1143 commands); 1144 1145 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1146 /* Make sure that the length of the parameter is what we expect */ 1147 if (ntohs(hbinfo->param_hdr.length) != 1148 sizeof(sctp_sender_hb_info_t)) { 1149 return SCTP_DISPOSITION_DISCARD; 1150 } 1151 1152 from_addr = hbinfo->daddr; 1153 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1154 1155 /* This should never happen, but lets log it if so. */ 1156 if (unlikely(!link)) { 1157 if (from_addr.sa.sa_family == AF_INET6) { 1158 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1159 __func__, 1160 asoc, 1161 &from_addr.v6.sin6_addr); 1162 } else { 1163 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1164 __func__, 1165 asoc, 1166 &from_addr.v4.sin_addr.s_addr); 1167 } 1168 return SCTP_DISPOSITION_DISCARD; 1169 } 1170 1171 /* Validate the 64-bit random nonce. */ 1172 if (hbinfo->hb_nonce != link->hb_nonce) 1173 return SCTP_DISPOSITION_DISCARD; 1174 1175 max_interval = link->hbinterval + link->rto; 1176 1177 /* Check if the timestamp looks valid. */ 1178 if (time_after(hbinfo->sent_at, jiffies) || 1179 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1180 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1181 "for transport:%p\n", __func__, link); 1182 1183 return SCTP_DISPOSITION_DISCARD; 1184 } 1185 1186 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1187 * the HEARTBEAT should clear the error counter of the 1188 * destination transport address to which the HEARTBEAT was 1189 * sent and mark the destination transport address as active if 1190 * it is not so marked. 1191 */ 1192 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1193 1194 return SCTP_DISPOSITION_CONSUME; 1195 } 1196 1197 /* Helper function to send out an abort for the restart 1198 * condition. 1199 */ 1200 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1201 struct sctp_chunk *init, 1202 sctp_cmd_seq_t *commands) 1203 { 1204 int len; 1205 struct sctp_packet *pkt; 1206 union sctp_addr_param *addrparm; 1207 struct sctp_errhdr *errhdr; 1208 struct sctp_endpoint *ep; 1209 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1210 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1211 1212 /* Build the error on the stack. We are way to malloc crazy 1213 * throughout the code today. 1214 */ 1215 errhdr = (struct sctp_errhdr *)buffer; 1216 addrparm = (union sctp_addr_param *)errhdr->variable; 1217 1218 /* Copy into a parm format. */ 1219 len = af->to_addr_param(ssa, addrparm); 1220 len += sizeof(sctp_errhdr_t); 1221 1222 errhdr->cause = SCTP_ERROR_RESTART; 1223 errhdr->length = htons(len); 1224 1225 /* Assign to the control socket. */ 1226 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1227 1228 /* Association is NULL since this may be a restart attack and we 1229 * want to send back the attacker's vtag. 1230 */ 1231 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1232 1233 if (!pkt) 1234 goto out; 1235 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1236 1237 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1238 1239 /* Discard the rest of the inbound packet. */ 1240 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1241 1242 out: 1243 /* Even if there is no memory, treat as a failure so 1244 * the packet will get dropped. 1245 */ 1246 return 0; 1247 } 1248 1249 static bool list_has_sctp_addr(const struct list_head *list, 1250 union sctp_addr *ipaddr) 1251 { 1252 struct sctp_transport *addr; 1253 1254 list_for_each_entry(addr, list, transports) { 1255 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1256 return true; 1257 } 1258 1259 return false; 1260 } 1261 /* A restart is occurring, check to make sure no new addresses 1262 * are being added as we may be under a takeover attack. 1263 */ 1264 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1265 const struct sctp_association *asoc, 1266 struct sctp_chunk *init, 1267 sctp_cmd_seq_t *commands) 1268 { 1269 struct net *net = sock_net(new_asoc->base.sk); 1270 struct sctp_transport *new_addr; 1271 int ret = 1; 1272 1273 /* Implementor's Guide - Section 5.2.2 1274 * ... 1275 * Before responding the endpoint MUST check to see if the 1276 * unexpected INIT adds new addresses to the association. If new 1277 * addresses are added to the association, the endpoint MUST respond 1278 * with an ABORT.. 1279 */ 1280 1281 /* Search through all current addresses and make sure 1282 * we aren't adding any new ones. 1283 */ 1284 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1285 transports) { 1286 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1287 &new_addr->ipaddr)) { 1288 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1289 commands); 1290 ret = 0; 1291 break; 1292 } 1293 } 1294 1295 /* Return success if all addresses were found. */ 1296 return ret; 1297 } 1298 1299 /* Populate the verification/tie tags based on overlapping INIT 1300 * scenario. 1301 * 1302 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1303 */ 1304 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1305 const struct sctp_association *asoc) 1306 { 1307 switch (asoc->state) { 1308 1309 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1310 1311 case SCTP_STATE_COOKIE_WAIT: 1312 new_asoc->c.my_vtag = asoc->c.my_vtag; 1313 new_asoc->c.my_ttag = asoc->c.my_vtag; 1314 new_asoc->c.peer_ttag = 0; 1315 break; 1316 1317 case SCTP_STATE_COOKIE_ECHOED: 1318 new_asoc->c.my_vtag = asoc->c.my_vtag; 1319 new_asoc->c.my_ttag = asoc->c.my_vtag; 1320 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1321 break; 1322 1323 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1324 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1325 */ 1326 default: 1327 new_asoc->c.my_ttag = asoc->c.my_vtag; 1328 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1329 break; 1330 } 1331 1332 /* Other parameters for the endpoint SHOULD be copied from the 1333 * existing parameters of the association (e.g. number of 1334 * outbound streams) into the INIT ACK and cookie. 1335 */ 1336 new_asoc->rwnd = asoc->rwnd; 1337 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1338 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1339 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1340 } 1341 1342 /* 1343 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1344 * handling action. 1345 * 1346 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1347 * 1348 * Returns value representing action to be taken. These action values 1349 * correspond to Action/Description values in RFC 2960, Table 2. 1350 */ 1351 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1352 const struct sctp_association *asoc) 1353 { 1354 /* In this case, the peer may have restarted. */ 1355 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1356 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1357 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1358 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1359 return 'A'; 1360 1361 /* Collision case B. */ 1362 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1363 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1364 (0 == asoc->c.peer_vtag))) { 1365 return 'B'; 1366 } 1367 1368 /* Collision case D. */ 1369 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1370 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1371 return 'D'; 1372 1373 /* Collision case C. */ 1374 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1375 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1376 (0 == new_asoc->c.my_ttag) && 1377 (0 == new_asoc->c.peer_ttag)) 1378 return 'C'; 1379 1380 /* No match to any of the special cases; discard this packet. */ 1381 return 'E'; 1382 } 1383 1384 /* Common helper routine for both duplicate and simulataneous INIT 1385 * chunk handling. 1386 */ 1387 static sctp_disposition_t sctp_sf_do_unexpected_init( 1388 struct net *net, 1389 const struct sctp_endpoint *ep, 1390 const struct sctp_association *asoc, 1391 const sctp_subtype_t type, 1392 void *arg, sctp_cmd_seq_t *commands) 1393 { 1394 sctp_disposition_t retval; 1395 struct sctp_chunk *chunk = arg; 1396 struct sctp_chunk *repl; 1397 struct sctp_association *new_asoc; 1398 struct sctp_chunk *err_chunk; 1399 struct sctp_packet *packet; 1400 sctp_unrecognized_param_t *unk_param; 1401 int len; 1402 1403 /* 6.10 Bundling 1404 * An endpoint MUST NOT bundle INIT, INIT ACK or 1405 * SHUTDOWN COMPLETE with any other chunks. 1406 * 1407 * IG Section 2.11.2 1408 * Furthermore, we require that the receiver of an INIT chunk MUST 1409 * enforce these rules by silently discarding an arriving packet 1410 * with an INIT chunk that is bundled with other chunks. 1411 */ 1412 if (!chunk->singleton) 1413 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1414 1415 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1416 * Tag. 1417 */ 1418 if (chunk->sctp_hdr->vtag != 0) 1419 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1420 1421 /* Make sure that the INIT chunk has a valid length. 1422 * In this case, we generate a protocol violation since we have 1423 * an association established. 1424 */ 1425 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1426 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1427 commands); 1428 /* Grab the INIT header. */ 1429 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1430 1431 /* Tag the variable length parameters. */ 1432 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1433 1434 /* Verify the INIT chunk before processing it. */ 1435 err_chunk = NULL; 1436 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1437 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1438 &err_chunk)) { 1439 /* This chunk contains fatal error. It is to be discarded. 1440 * Send an ABORT, with causes if there is any. 1441 */ 1442 if (err_chunk) { 1443 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1444 (__u8 *)(err_chunk->chunk_hdr) + 1445 sizeof(sctp_chunkhdr_t), 1446 ntohs(err_chunk->chunk_hdr->length) - 1447 sizeof(sctp_chunkhdr_t)); 1448 1449 if (packet) { 1450 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1451 SCTP_PACKET(packet)); 1452 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1453 retval = SCTP_DISPOSITION_CONSUME; 1454 } else { 1455 retval = SCTP_DISPOSITION_NOMEM; 1456 } 1457 goto cleanup; 1458 } else { 1459 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1460 commands); 1461 } 1462 } 1463 1464 /* 1465 * Other parameters for the endpoint SHOULD be copied from the 1466 * existing parameters of the association (e.g. number of 1467 * outbound streams) into the INIT ACK and cookie. 1468 * FIXME: We are copying parameters from the endpoint not the 1469 * association. 1470 */ 1471 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1472 if (!new_asoc) 1473 goto nomem; 1474 1475 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1476 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1477 goto nomem; 1478 1479 /* In the outbound INIT ACK the endpoint MUST copy its current 1480 * Verification Tag and Peers Verification tag into a reserved 1481 * place (local tie-tag and per tie-tag) within the state cookie. 1482 */ 1483 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1484 (sctp_init_chunk_t *)chunk->chunk_hdr, 1485 GFP_ATOMIC)) 1486 goto nomem; 1487 1488 /* Make sure no new addresses are being added during the 1489 * restart. Do not do this check for COOKIE-WAIT state, 1490 * since there are no peer addresses to check against. 1491 * Upon return an ABORT will have been sent if needed. 1492 */ 1493 if (!sctp_state(asoc, COOKIE_WAIT)) { 1494 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1495 commands)) { 1496 retval = SCTP_DISPOSITION_CONSUME; 1497 goto nomem_retval; 1498 } 1499 } 1500 1501 sctp_tietags_populate(new_asoc, asoc); 1502 1503 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1504 1505 /* If there are errors need to be reported for unknown parameters, 1506 * make sure to reserve enough room in the INIT ACK for them. 1507 */ 1508 len = 0; 1509 if (err_chunk) { 1510 len = ntohs(err_chunk->chunk_hdr->length) - 1511 sizeof(sctp_chunkhdr_t); 1512 } 1513 1514 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1515 if (!repl) 1516 goto nomem; 1517 1518 /* If there are errors need to be reported for unknown parameters, 1519 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1520 * parameter. 1521 */ 1522 if (err_chunk) { 1523 /* Get the "Unrecognized parameter" parameter(s) out of the 1524 * ERROR chunk generated by sctp_verify_init(). Since the 1525 * error cause code for "unknown parameter" and the 1526 * "Unrecognized parameter" type is the same, we can 1527 * construct the parameters in INIT ACK by copying the 1528 * ERROR causes over. 1529 */ 1530 unk_param = (sctp_unrecognized_param_t *) 1531 ((__u8 *)(err_chunk->chunk_hdr) + 1532 sizeof(sctp_chunkhdr_t)); 1533 /* Replace the cause code with the "Unrecognized parameter" 1534 * parameter type. 1535 */ 1536 sctp_addto_chunk(repl, len, unk_param); 1537 } 1538 1539 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1540 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1541 1542 /* 1543 * Note: After sending out INIT ACK with the State Cookie parameter, 1544 * "Z" MUST NOT allocate any resources for this new association. 1545 * Otherwise, "Z" will be vulnerable to resource attacks. 1546 */ 1547 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1548 retval = SCTP_DISPOSITION_CONSUME; 1549 1550 return retval; 1551 1552 nomem: 1553 retval = SCTP_DISPOSITION_NOMEM; 1554 nomem_retval: 1555 if (new_asoc) 1556 sctp_association_free(new_asoc); 1557 cleanup: 1558 if (err_chunk) 1559 sctp_chunk_free(err_chunk); 1560 return retval; 1561 } 1562 1563 /* 1564 * Handle simultaneous INIT. 1565 * This means we started an INIT and then we got an INIT request from 1566 * our peer. 1567 * 1568 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1569 * This usually indicates an initialization collision, i.e., each 1570 * endpoint is attempting, at about the same time, to establish an 1571 * association with the other endpoint. 1572 * 1573 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1574 * endpoint MUST respond with an INIT ACK using the same parameters it 1575 * sent in its original INIT chunk (including its Verification Tag, 1576 * unchanged). These original parameters are combined with those from the 1577 * newly received INIT chunk. The endpoint shall also generate a State 1578 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1579 * INIT to calculate the State Cookie. 1580 * 1581 * After that, the endpoint MUST NOT change its state, the T1-init 1582 * timer shall be left running and the corresponding TCB MUST NOT be 1583 * destroyed. The normal procedures for handling State Cookies when 1584 * a TCB exists will resolve the duplicate INITs to a single association. 1585 * 1586 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1587 * its Tie-Tags with the Tag information of itself and its peer (see 1588 * section 5.2.2 for a description of the Tie-Tags). 1589 * 1590 * Verification Tag: Not explicit, but an INIT can not have a valid 1591 * verification tag, so we skip the check. 1592 * 1593 * Inputs 1594 * (endpoint, asoc, chunk) 1595 * 1596 * Outputs 1597 * (asoc, reply_msg, msg_up, timers, counters) 1598 * 1599 * The return value is the disposition of the chunk. 1600 */ 1601 sctp_disposition_t sctp_sf_do_5_2_1_siminit(struct net *net, 1602 const struct sctp_endpoint *ep, 1603 const struct sctp_association *asoc, 1604 const sctp_subtype_t type, 1605 void *arg, 1606 sctp_cmd_seq_t *commands) 1607 { 1608 /* Call helper to do the real work for both simulataneous and 1609 * duplicate INIT chunk handling. 1610 */ 1611 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1612 } 1613 1614 /* 1615 * Handle duplicated INIT messages. These are usually delayed 1616 * restransmissions. 1617 * 1618 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1619 * COOKIE-ECHOED and COOKIE-WAIT 1620 * 1621 * Unless otherwise stated, upon reception of an unexpected INIT for 1622 * this association, the endpoint shall generate an INIT ACK with a 1623 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1624 * current Verification Tag and peer's Verification Tag into a reserved 1625 * place within the state cookie. We shall refer to these locations as 1626 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1627 * containing this INIT ACK MUST carry a Verification Tag value equal to 1628 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1629 * MUST contain a new Initiation Tag (randomly generated see Section 1630 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1631 * existing parameters of the association (e.g. number of outbound 1632 * streams) into the INIT ACK and cookie. 1633 * 1634 * After sending out the INIT ACK, the endpoint shall take no further 1635 * actions, i.e., the existing association, including its current state, 1636 * and the corresponding TCB MUST NOT be changed. 1637 * 1638 * Note: Only when a TCB exists and the association is not in a COOKIE- 1639 * WAIT state are the Tie-Tags populated. For a normal association INIT 1640 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1641 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1642 * State Cookie are populated as specified in section 5.2.1. 1643 * 1644 * Verification Tag: Not specified, but an INIT has no way of knowing 1645 * what the verification tag could be, so we ignore it. 1646 * 1647 * Inputs 1648 * (endpoint, asoc, chunk) 1649 * 1650 * Outputs 1651 * (asoc, reply_msg, msg_up, timers, counters) 1652 * 1653 * The return value is the disposition of the chunk. 1654 */ 1655 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(struct net *net, 1656 const struct sctp_endpoint *ep, 1657 const struct sctp_association *asoc, 1658 const sctp_subtype_t type, 1659 void *arg, 1660 sctp_cmd_seq_t *commands) 1661 { 1662 /* Call helper to do the real work for both simulataneous and 1663 * duplicate INIT chunk handling. 1664 */ 1665 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1666 } 1667 1668 1669 /* 1670 * Unexpected INIT-ACK handler. 1671 * 1672 * Section 5.2.3 1673 * If an INIT ACK received by an endpoint in any state other than the 1674 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1675 * An unexpected INIT ACK usually indicates the processing of an old or 1676 * duplicated INIT chunk. 1677 */ 1678 sctp_disposition_t sctp_sf_do_5_2_3_initack(struct net *net, 1679 const struct sctp_endpoint *ep, 1680 const struct sctp_association *asoc, 1681 const sctp_subtype_t type, 1682 void *arg, sctp_cmd_seq_t *commands) 1683 { 1684 /* Per the above section, we'll discard the chunk if we have an 1685 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1686 */ 1687 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1688 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1689 else 1690 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1691 } 1692 1693 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1694 * 1695 * Section 5.2.4 1696 * A) In this case, the peer may have restarted. 1697 */ 1698 static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net, 1699 const struct sctp_endpoint *ep, 1700 const struct sctp_association *asoc, 1701 struct sctp_chunk *chunk, 1702 sctp_cmd_seq_t *commands, 1703 struct sctp_association *new_asoc) 1704 { 1705 sctp_init_chunk_t *peer_init; 1706 struct sctp_ulpevent *ev; 1707 struct sctp_chunk *repl; 1708 struct sctp_chunk *err; 1709 sctp_disposition_t disposition; 1710 1711 /* new_asoc is a brand-new association, so these are not yet 1712 * side effects--it is safe to run them here. 1713 */ 1714 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1715 1716 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1717 GFP_ATOMIC)) 1718 goto nomem; 1719 1720 /* Make sure no new addresses are being added during the 1721 * restart. Though this is a pretty complicated attack 1722 * since you'd have to get inside the cookie. 1723 */ 1724 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1725 return SCTP_DISPOSITION_CONSUME; 1726 } 1727 1728 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1729 * the peer has restarted (Action A), it MUST NOT setup a new 1730 * association but instead resend the SHUTDOWN ACK and send an ERROR 1731 * chunk with a "Cookie Received while Shutting Down" error cause to 1732 * its peer. 1733 */ 1734 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1735 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, 1736 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1737 chunk, commands); 1738 if (SCTP_DISPOSITION_NOMEM == disposition) 1739 goto nomem; 1740 1741 err = sctp_make_op_error(asoc, chunk, 1742 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1743 NULL, 0, 0); 1744 if (err) 1745 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1746 SCTP_CHUNK(err)); 1747 1748 return SCTP_DISPOSITION_CONSUME; 1749 } 1750 1751 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1752 * data. Consider the optional choice of resending of this data. 1753 */ 1754 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1755 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1756 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1757 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1758 1759 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1760 * and ASCONF-ACK cache. 1761 */ 1762 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1763 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1764 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1765 1766 repl = sctp_make_cookie_ack(new_asoc, chunk); 1767 if (!repl) 1768 goto nomem; 1769 1770 /* Report association restart to upper layer. */ 1771 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1772 new_asoc->c.sinit_num_ostreams, 1773 new_asoc->c.sinit_max_instreams, 1774 NULL, GFP_ATOMIC); 1775 if (!ev) 1776 goto nomem_ev; 1777 1778 /* Update the content of current association. */ 1779 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1780 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1781 if (sctp_state(asoc, SHUTDOWN_PENDING) && 1782 (sctp_sstate(asoc->base.sk, CLOSING) || 1783 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1784 /* if were currently in SHUTDOWN_PENDING, but the socket 1785 * has been closed by user, don't transition to ESTABLISHED. 1786 * Instead trigger SHUTDOWN bundled with COOKIE_ACK. 1787 */ 1788 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1789 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1790 SCTP_ST_CHUNK(0), NULL, 1791 commands); 1792 } else { 1793 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1794 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1795 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1796 } 1797 return SCTP_DISPOSITION_CONSUME; 1798 1799 nomem_ev: 1800 sctp_chunk_free(repl); 1801 nomem: 1802 return SCTP_DISPOSITION_NOMEM; 1803 } 1804 1805 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1806 * 1807 * Section 5.2.4 1808 * B) In this case, both sides may be attempting to start an association 1809 * at about the same time but the peer endpoint started its INIT 1810 * after responding to the local endpoint's INIT 1811 */ 1812 /* This case represents an initialization collision. */ 1813 static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net, 1814 const struct sctp_endpoint *ep, 1815 const struct sctp_association *asoc, 1816 struct sctp_chunk *chunk, 1817 sctp_cmd_seq_t *commands, 1818 struct sctp_association *new_asoc) 1819 { 1820 sctp_init_chunk_t *peer_init; 1821 struct sctp_chunk *repl; 1822 1823 /* new_asoc is a brand-new association, so these are not yet 1824 * side effects--it is safe to run them here. 1825 */ 1826 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1827 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1828 GFP_ATOMIC)) 1829 goto nomem; 1830 1831 /* Update the content of current association. */ 1832 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1833 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1834 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1835 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1836 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1837 1838 repl = sctp_make_cookie_ack(new_asoc, chunk); 1839 if (!repl) 1840 goto nomem; 1841 1842 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1843 1844 /* RFC 2960 5.1 Normal Establishment of an Association 1845 * 1846 * D) IMPLEMENTATION NOTE: An implementation may choose to 1847 * send the Communication Up notification to the SCTP user 1848 * upon reception of a valid COOKIE ECHO chunk. 1849 * 1850 * Sadly, this needs to be implemented as a side-effect, because 1851 * we are not guaranteed to have set the association id of the real 1852 * association and so these notifications need to be delayed until 1853 * the association id is allocated. 1854 */ 1855 1856 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1857 1858 /* Sockets API Draft Section 5.3.1.6 1859 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1860 * delivers this notification to inform the application that of the 1861 * peers requested adaptation layer. 1862 * 1863 * This also needs to be done as a side effect for the same reason as 1864 * above. 1865 */ 1866 if (asoc->peer.adaptation_ind) 1867 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1868 1869 return SCTP_DISPOSITION_CONSUME; 1870 1871 nomem: 1872 return SCTP_DISPOSITION_NOMEM; 1873 } 1874 1875 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1876 * 1877 * Section 5.2.4 1878 * C) In this case, the local endpoint's cookie has arrived late. 1879 * Before it arrived, the local endpoint sent an INIT and received an 1880 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1881 * but a new tag of its own. 1882 */ 1883 /* This case represents an initialization collision. */ 1884 static sctp_disposition_t sctp_sf_do_dupcook_c(struct net *net, 1885 const struct sctp_endpoint *ep, 1886 const struct sctp_association *asoc, 1887 struct sctp_chunk *chunk, 1888 sctp_cmd_seq_t *commands, 1889 struct sctp_association *new_asoc) 1890 { 1891 /* The cookie should be silently discarded. 1892 * The endpoint SHOULD NOT change states and should leave 1893 * any timers running. 1894 */ 1895 return SCTP_DISPOSITION_DISCARD; 1896 } 1897 1898 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1899 * 1900 * Section 5.2.4 1901 * 1902 * D) When both local and remote tags match the endpoint should always 1903 * enter the ESTABLISHED state, if it has not already done so. 1904 */ 1905 /* This case represents an initialization collision. */ 1906 static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net, 1907 const struct sctp_endpoint *ep, 1908 const struct sctp_association *asoc, 1909 struct sctp_chunk *chunk, 1910 sctp_cmd_seq_t *commands, 1911 struct sctp_association *new_asoc) 1912 { 1913 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1914 struct sctp_chunk *repl; 1915 1916 /* Clarification from Implementor's Guide: 1917 * D) When both local and remote tags match the endpoint should 1918 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1919 * It should stop any cookie timer that may be running and send 1920 * a COOKIE ACK. 1921 */ 1922 1923 /* Don't accidentally move back into established state. */ 1924 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1925 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1926 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1927 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1928 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1929 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1930 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1931 SCTP_NULL()); 1932 1933 /* RFC 2960 5.1 Normal Establishment of an Association 1934 * 1935 * D) IMPLEMENTATION NOTE: An implementation may choose 1936 * to send the Communication Up notification to the 1937 * SCTP user upon reception of a valid COOKIE 1938 * ECHO chunk. 1939 */ 1940 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1941 SCTP_COMM_UP, 0, 1942 asoc->c.sinit_num_ostreams, 1943 asoc->c.sinit_max_instreams, 1944 NULL, GFP_ATOMIC); 1945 if (!ev) 1946 goto nomem; 1947 1948 /* Sockets API Draft Section 5.3.1.6 1949 * When a peer sends a Adaptation Layer Indication parameter, 1950 * SCTP delivers this notification to inform the application 1951 * that of the peers requested adaptation layer. 1952 */ 1953 if (asoc->peer.adaptation_ind) { 1954 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1955 GFP_ATOMIC); 1956 if (!ai_ev) 1957 goto nomem; 1958 1959 } 1960 } 1961 1962 repl = sctp_make_cookie_ack(new_asoc, chunk); 1963 if (!repl) 1964 goto nomem; 1965 1966 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1967 1968 if (ev) 1969 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1970 SCTP_ULPEVENT(ev)); 1971 if (ai_ev) 1972 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1973 SCTP_ULPEVENT(ai_ev)); 1974 1975 return SCTP_DISPOSITION_CONSUME; 1976 1977 nomem: 1978 if (ai_ev) 1979 sctp_ulpevent_free(ai_ev); 1980 if (ev) 1981 sctp_ulpevent_free(ev); 1982 return SCTP_DISPOSITION_NOMEM; 1983 } 1984 1985 /* 1986 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1987 * chunk was retransmitted and then delayed in the network. 1988 * 1989 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1990 * 1991 * Verification Tag: None. Do cookie validation. 1992 * 1993 * Inputs 1994 * (endpoint, asoc, chunk) 1995 * 1996 * Outputs 1997 * (asoc, reply_msg, msg_up, timers, counters) 1998 * 1999 * The return value is the disposition of the chunk. 2000 */ 2001 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net, 2002 const struct sctp_endpoint *ep, 2003 const struct sctp_association *asoc, 2004 const sctp_subtype_t type, 2005 void *arg, 2006 sctp_cmd_seq_t *commands) 2007 { 2008 sctp_disposition_t retval; 2009 struct sctp_chunk *chunk = arg; 2010 struct sctp_association *new_asoc; 2011 int error = 0; 2012 char action; 2013 struct sctp_chunk *err_chk_p; 2014 2015 /* Make sure that the chunk has a valid length from the protocol 2016 * perspective. In this case check to make sure we have at least 2017 * enough for the chunk header. Cookie length verification is 2018 * done later. 2019 */ 2020 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2021 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2022 commands); 2023 2024 /* "Decode" the chunk. We have no optional parameters so we 2025 * are in good shape. 2026 */ 2027 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2028 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2029 sizeof(sctp_chunkhdr_t))) 2030 goto nomem; 2031 2032 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2033 * of a duplicate COOKIE ECHO match the Verification Tags of the 2034 * current association, consider the State Cookie valid even if 2035 * the lifespan is exceeded. 2036 */ 2037 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2038 &err_chk_p); 2039 2040 /* FIXME: 2041 * If the re-build failed, what is the proper error path 2042 * from here? 2043 * 2044 * [We should abort the association. --piggy] 2045 */ 2046 if (!new_asoc) { 2047 /* FIXME: Several errors are possible. A bad cookie should 2048 * be silently discarded, but think about logging it too. 2049 */ 2050 switch (error) { 2051 case -SCTP_IERROR_NOMEM: 2052 goto nomem; 2053 2054 case -SCTP_IERROR_STALE_COOKIE: 2055 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2056 err_chk_p); 2057 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2058 case -SCTP_IERROR_BAD_SIG: 2059 default: 2060 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2061 } 2062 } 2063 2064 /* Compare the tie_tag in cookie with the verification tag of 2065 * current association. 2066 */ 2067 action = sctp_tietags_compare(new_asoc, asoc); 2068 2069 switch (action) { 2070 case 'A': /* Association restart. */ 2071 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2072 new_asoc); 2073 break; 2074 2075 case 'B': /* Collision case B. */ 2076 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2077 new_asoc); 2078 break; 2079 2080 case 'C': /* Collision case C. */ 2081 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2082 new_asoc); 2083 break; 2084 2085 case 'D': /* Collision case D. */ 2086 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2087 new_asoc); 2088 break; 2089 2090 default: /* Discard packet for all others. */ 2091 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2092 break; 2093 } 2094 2095 /* Delete the tempory new association. */ 2096 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2097 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2098 2099 /* Restore association pointer to provide SCTP command interpeter 2100 * with a valid context in case it needs to manipulate 2101 * the queues */ 2102 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2103 SCTP_ASOC((struct sctp_association *)asoc)); 2104 2105 return retval; 2106 2107 nomem: 2108 return SCTP_DISPOSITION_NOMEM; 2109 } 2110 2111 /* 2112 * Process an ABORT. (SHUTDOWN-PENDING state) 2113 * 2114 * See sctp_sf_do_9_1_abort(). 2115 */ 2116 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2117 struct net *net, 2118 const struct sctp_endpoint *ep, 2119 const struct sctp_association *asoc, 2120 const sctp_subtype_t type, 2121 void *arg, 2122 sctp_cmd_seq_t *commands) 2123 { 2124 struct sctp_chunk *chunk = arg; 2125 2126 if (!sctp_vtag_verify_either(chunk, asoc)) 2127 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2128 2129 /* Make sure that the ABORT chunk has a valid length. 2130 * Since this is an ABORT chunk, we have to discard it 2131 * because of the following text: 2132 * RFC 2960, Section 3.3.7 2133 * If an endpoint receives an ABORT with a format error or for an 2134 * association that doesn't exist, it MUST silently discard it. 2135 * Because the length is "invalid", we can't really discard just 2136 * as we do not know its true length. So, to be safe, discard the 2137 * packet. 2138 */ 2139 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2140 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2141 2142 /* ADD-IP: Special case for ABORT chunks 2143 * F4) One special consideration is that ABORT Chunks arriving 2144 * destined to the IP address being deleted MUST be 2145 * ignored (see Section 5.3.1 for further details). 2146 */ 2147 if (SCTP_ADDR_DEL == 2148 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2149 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2150 2151 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2152 } 2153 2154 /* 2155 * Process an ABORT. (SHUTDOWN-SENT state) 2156 * 2157 * See sctp_sf_do_9_1_abort(). 2158 */ 2159 sctp_disposition_t sctp_sf_shutdown_sent_abort(struct net *net, 2160 const struct sctp_endpoint *ep, 2161 const struct sctp_association *asoc, 2162 const sctp_subtype_t type, 2163 void *arg, 2164 sctp_cmd_seq_t *commands) 2165 { 2166 struct sctp_chunk *chunk = arg; 2167 2168 if (!sctp_vtag_verify_either(chunk, asoc)) 2169 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2170 2171 /* Make sure that the ABORT chunk has a valid length. 2172 * Since this is an ABORT chunk, we have to discard it 2173 * because of the following text: 2174 * RFC 2960, Section 3.3.7 2175 * If an endpoint receives an ABORT with a format error or for an 2176 * association that doesn't exist, it MUST silently discard it. 2177 * Because the length is "invalid", we can't really discard just 2178 * as we do not know its true length. So, to be safe, discard the 2179 * packet. 2180 */ 2181 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2182 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2183 2184 /* ADD-IP: Special case for ABORT chunks 2185 * F4) One special consideration is that ABORT Chunks arriving 2186 * destined to the IP address being deleted MUST be 2187 * ignored (see Section 5.3.1 for further details). 2188 */ 2189 if (SCTP_ADDR_DEL == 2190 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2191 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2192 2193 /* Stop the T2-shutdown timer. */ 2194 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2195 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2196 2197 /* Stop the T5-shutdown guard timer. */ 2198 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2199 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2200 2201 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2202 } 2203 2204 /* 2205 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2206 * 2207 * See sctp_sf_do_9_1_abort(). 2208 */ 2209 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2210 struct net *net, 2211 const struct sctp_endpoint *ep, 2212 const struct sctp_association *asoc, 2213 const sctp_subtype_t type, 2214 void *arg, 2215 sctp_cmd_seq_t *commands) 2216 { 2217 /* The same T2 timer, so we should be able to use 2218 * common function with the SHUTDOWN-SENT state. 2219 */ 2220 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2221 } 2222 2223 /* 2224 * Handle an Error received in COOKIE_ECHOED state. 2225 * 2226 * Only handle the error type of stale COOKIE Error, the other errors will 2227 * be ignored. 2228 * 2229 * Inputs 2230 * (endpoint, asoc, chunk) 2231 * 2232 * Outputs 2233 * (asoc, reply_msg, msg_up, timers, counters) 2234 * 2235 * The return value is the disposition of the chunk. 2236 */ 2237 sctp_disposition_t sctp_sf_cookie_echoed_err(struct net *net, 2238 const struct sctp_endpoint *ep, 2239 const struct sctp_association *asoc, 2240 const sctp_subtype_t type, 2241 void *arg, 2242 sctp_cmd_seq_t *commands) 2243 { 2244 struct sctp_chunk *chunk = arg; 2245 sctp_errhdr_t *err; 2246 2247 if (!sctp_vtag_verify(chunk, asoc)) 2248 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2249 2250 /* Make sure that the ERROR chunk has a valid length. 2251 * The parameter walking depends on this as well. 2252 */ 2253 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2254 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2255 commands); 2256 2257 /* Process the error here */ 2258 /* FUTURE FIXME: When PR-SCTP related and other optional 2259 * parms are emitted, this will have to change to handle multiple 2260 * errors. 2261 */ 2262 sctp_walk_errors(err, chunk->chunk_hdr) { 2263 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2264 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2265 arg, commands); 2266 } 2267 2268 /* It is possible to have malformed error causes, and that 2269 * will cause us to end the walk early. However, since 2270 * we are discarding the packet, there should be no adverse 2271 * affects. 2272 */ 2273 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2274 } 2275 2276 /* 2277 * Handle a Stale COOKIE Error 2278 * 2279 * Section: 5.2.6 Handle Stale COOKIE Error 2280 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2281 * one of the following three alternatives. 2282 * ... 2283 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2284 * Preservative parameter requesting an extension to the lifetime of 2285 * the State Cookie. When calculating the time extension, an 2286 * implementation SHOULD use the RTT information measured based on the 2287 * previous COOKIE ECHO / ERROR exchange, and should add no more 2288 * than 1 second beyond the measured RTT, due to long State Cookie 2289 * lifetimes making the endpoint more subject to a replay attack. 2290 * 2291 * Verification Tag: Not explicit, but safe to ignore. 2292 * 2293 * Inputs 2294 * (endpoint, asoc, chunk) 2295 * 2296 * Outputs 2297 * (asoc, reply_msg, msg_up, timers, counters) 2298 * 2299 * The return value is the disposition of the chunk. 2300 */ 2301 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net, 2302 const struct sctp_endpoint *ep, 2303 const struct sctp_association *asoc, 2304 const sctp_subtype_t type, 2305 void *arg, 2306 sctp_cmd_seq_t *commands) 2307 { 2308 struct sctp_chunk *chunk = arg; 2309 u32 stale; 2310 sctp_cookie_preserve_param_t bht; 2311 sctp_errhdr_t *err; 2312 struct sctp_chunk *reply; 2313 struct sctp_bind_addr *bp; 2314 int attempts = asoc->init_err_counter + 1; 2315 2316 if (attempts > asoc->max_init_attempts) { 2317 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2318 SCTP_ERROR(ETIMEDOUT)); 2319 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2320 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2321 return SCTP_DISPOSITION_DELETE_TCB; 2322 } 2323 2324 err = (sctp_errhdr_t *)(chunk->skb->data); 2325 2326 /* When calculating the time extension, an implementation 2327 * SHOULD use the RTT information measured based on the 2328 * previous COOKIE ECHO / ERROR exchange, and should add no 2329 * more than 1 second beyond the measured RTT, due to long 2330 * State Cookie lifetimes making the endpoint more subject to 2331 * a replay attack. 2332 * Measure of Staleness's unit is usec. (1/1000000 sec) 2333 * Suggested Cookie Life-span Increment's unit is msec. 2334 * (1/1000 sec) 2335 * In general, if you use the suggested cookie life, the value 2336 * found in the field of measure of staleness should be doubled 2337 * to give ample time to retransmit the new cookie and thus 2338 * yield a higher probability of success on the reattempt. 2339 */ 2340 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2341 stale = (stale * 2) / 1000; 2342 2343 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2344 bht.param_hdr.length = htons(sizeof(bht)); 2345 bht.lifespan_increment = htonl(stale); 2346 2347 /* Build that new INIT chunk. */ 2348 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2349 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2350 if (!reply) 2351 goto nomem; 2352 2353 sctp_addto_chunk(reply, sizeof(bht), &bht); 2354 2355 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2356 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2357 2358 /* Stop pending T3-rtx and heartbeat timers */ 2359 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2360 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2361 2362 /* Delete non-primary peer ip addresses since we are transitioning 2363 * back to the COOKIE-WAIT state 2364 */ 2365 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2366 2367 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2368 * resend 2369 */ 2370 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2371 SCTP_TRANSPORT(asoc->peer.primary_path)); 2372 2373 /* Cast away the const modifier, as we want to just 2374 * rerun it through as a sideffect. 2375 */ 2376 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2377 2378 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2379 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2380 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2381 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2382 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2383 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2384 2385 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2386 2387 return SCTP_DISPOSITION_CONSUME; 2388 2389 nomem: 2390 return SCTP_DISPOSITION_NOMEM; 2391 } 2392 2393 /* 2394 * Process an ABORT. 2395 * 2396 * Section: 9.1 2397 * After checking the Verification Tag, the receiving endpoint shall 2398 * remove the association from its record, and shall report the 2399 * termination to its upper layer. 2400 * 2401 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2402 * B) Rules for packet carrying ABORT: 2403 * 2404 * - The endpoint shall always fill in the Verification Tag field of the 2405 * outbound packet with the destination endpoint's tag value if it 2406 * is known. 2407 * 2408 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2409 * MUST follow the procedure described in Section 8.4. 2410 * 2411 * - The receiver MUST accept the packet if the Verification Tag 2412 * matches either its own tag, OR the tag of its peer. Otherwise, the 2413 * receiver MUST silently discard the packet and take no further 2414 * action. 2415 * 2416 * Inputs 2417 * (endpoint, asoc, chunk) 2418 * 2419 * Outputs 2420 * (asoc, reply_msg, msg_up, timers, counters) 2421 * 2422 * The return value is the disposition of the chunk. 2423 */ 2424 sctp_disposition_t sctp_sf_do_9_1_abort(struct net *net, 2425 const struct sctp_endpoint *ep, 2426 const struct sctp_association *asoc, 2427 const sctp_subtype_t type, 2428 void *arg, 2429 sctp_cmd_seq_t *commands) 2430 { 2431 struct sctp_chunk *chunk = arg; 2432 2433 if (!sctp_vtag_verify_either(chunk, asoc)) 2434 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2435 2436 /* Make sure that the ABORT chunk has a valid length. 2437 * Since this is an ABORT chunk, we have to discard it 2438 * because of the following text: 2439 * RFC 2960, Section 3.3.7 2440 * If an endpoint receives an ABORT with a format error or for an 2441 * association that doesn't exist, it MUST silently discard it. 2442 * Because the length is "invalid", we can't really discard just 2443 * as we do not know its true length. So, to be safe, discard the 2444 * packet. 2445 */ 2446 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2447 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2448 2449 /* ADD-IP: Special case for ABORT chunks 2450 * F4) One special consideration is that ABORT Chunks arriving 2451 * destined to the IP address being deleted MUST be 2452 * ignored (see Section 5.3.1 for further details). 2453 */ 2454 if (SCTP_ADDR_DEL == 2455 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2456 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2457 2458 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2459 } 2460 2461 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net, 2462 const struct sctp_endpoint *ep, 2463 const struct sctp_association *asoc, 2464 const sctp_subtype_t type, 2465 void *arg, 2466 sctp_cmd_seq_t *commands) 2467 { 2468 struct sctp_chunk *chunk = arg; 2469 unsigned int len; 2470 __be16 error = SCTP_ERROR_NO_ERROR; 2471 2472 /* See if we have an error cause code in the chunk. */ 2473 len = ntohs(chunk->chunk_hdr->length); 2474 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { 2475 2476 sctp_errhdr_t *err; 2477 sctp_walk_errors(err, chunk->chunk_hdr); 2478 if ((void *)err != (void *)chunk->chunk_end) 2479 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2480 2481 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2482 } 2483 2484 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2485 /* ASSOC_FAILED will DELETE_TCB. */ 2486 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2487 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2488 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2489 2490 return SCTP_DISPOSITION_ABORT; 2491 } 2492 2493 /* 2494 * Process an ABORT. (COOKIE-WAIT state) 2495 * 2496 * See sctp_sf_do_9_1_abort() above. 2497 */ 2498 sctp_disposition_t sctp_sf_cookie_wait_abort(struct net *net, 2499 const struct sctp_endpoint *ep, 2500 const struct sctp_association *asoc, 2501 const sctp_subtype_t type, 2502 void *arg, 2503 sctp_cmd_seq_t *commands) 2504 { 2505 struct sctp_chunk *chunk = arg; 2506 unsigned int len; 2507 __be16 error = SCTP_ERROR_NO_ERROR; 2508 2509 if (!sctp_vtag_verify_either(chunk, asoc)) 2510 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2511 2512 /* Make sure that the ABORT chunk has a valid length. 2513 * Since this is an ABORT chunk, we have to discard it 2514 * because of the following text: 2515 * RFC 2960, Section 3.3.7 2516 * If an endpoint receives an ABORT with a format error or for an 2517 * association that doesn't exist, it MUST silently discard it. 2518 * Because the length is "invalid", we can't really discard just 2519 * as we do not know its true length. So, to be safe, discard the 2520 * packet. 2521 */ 2522 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2523 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2524 2525 /* See if we have an error cause code in the chunk. */ 2526 len = ntohs(chunk->chunk_hdr->length); 2527 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2528 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2529 2530 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2531 chunk->transport); 2532 } 2533 2534 /* 2535 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2536 */ 2537 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(struct net *net, 2538 const struct sctp_endpoint *ep, 2539 const struct sctp_association *asoc, 2540 const sctp_subtype_t type, 2541 void *arg, 2542 sctp_cmd_seq_t *commands) 2543 { 2544 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2545 ENOPROTOOPT, asoc, 2546 (struct sctp_transport *)arg); 2547 } 2548 2549 /* 2550 * Process an ABORT. (COOKIE-ECHOED state) 2551 */ 2552 sctp_disposition_t sctp_sf_cookie_echoed_abort(struct net *net, 2553 const struct sctp_endpoint *ep, 2554 const struct sctp_association *asoc, 2555 const sctp_subtype_t type, 2556 void *arg, 2557 sctp_cmd_seq_t *commands) 2558 { 2559 /* There is a single T1 timer, so we should be able to use 2560 * common function with the COOKIE-WAIT state. 2561 */ 2562 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2563 } 2564 2565 /* 2566 * Stop T1 timer and abort association with "INIT failed". 2567 * 2568 * This is common code called by several sctp_sf_*_abort() functions above. 2569 */ 2570 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net, 2571 sctp_cmd_seq_t *commands, 2572 __be16 error, int sk_err, 2573 const struct sctp_association *asoc, 2574 struct sctp_transport *transport) 2575 { 2576 pr_debug("%s: ABORT received (INIT)\n", __func__); 2577 2578 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2579 SCTP_STATE(SCTP_STATE_CLOSED)); 2580 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2581 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2582 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2583 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2584 /* CMD_INIT_FAILED will DELETE_TCB. */ 2585 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2586 SCTP_PERR(error)); 2587 2588 return SCTP_DISPOSITION_ABORT; 2589 } 2590 2591 /* 2592 * sctp_sf_do_9_2_shut 2593 * 2594 * Section: 9.2 2595 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2596 * - enter the SHUTDOWN-RECEIVED state, 2597 * 2598 * - stop accepting new data from its SCTP user 2599 * 2600 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2601 * that all its outstanding DATA chunks have been received by the 2602 * SHUTDOWN sender. 2603 * 2604 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2605 * send a SHUTDOWN in response to a ULP request. And should discard 2606 * subsequent SHUTDOWN chunks. 2607 * 2608 * If there are still outstanding DATA chunks left, the SHUTDOWN 2609 * receiver shall continue to follow normal data transmission 2610 * procedures defined in Section 6 until all outstanding DATA chunks 2611 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2612 * new data from its SCTP user. 2613 * 2614 * Verification Tag: 8.5 Verification Tag [Normal verification] 2615 * 2616 * Inputs 2617 * (endpoint, asoc, chunk) 2618 * 2619 * Outputs 2620 * (asoc, reply_msg, msg_up, timers, counters) 2621 * 2622 * The return value is the disposition of the chunk. 2623 */ 2624 sctp_disposition_t sctp_sf_do_9_2_shutdown(struct net *net, 2625 const struct sctp_endpoint *ep, 2626 const struct sctp_association *asoc, 2627 const sctp_subtype_t type, 2628 void *arg, 2629 sctp_cmd_seq_t *commands) 2630 { 2631 struct sctp_chunk *chunk = arg; 2632 sctp_shutdownhdr_t *sdh; 2633 sctp_disposition_t disposition; 2634 struct sctp_ulpevent *ev; 2635 __u32 ctsn; 2636 2637 if (!sctp_vtag_verify(chunk, asoc)) 2638 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2639 2640 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2641 if (!sctp_chunk_length_valid(chunk, 2642 sizeof(struct sctp_shutdown_chunk_t))) 2643 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2644 commands); 2645 2646 /* Convert the elaborate header. */ 2647 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2648 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2649 chunk->subh.shutdown_hdr = sdh; 2650 ctsn = ntohl(sdh->cum_tsn_ack); 2651 2652 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2653 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2654 asoc->ctsn_ack_point); 2655 2656 return SCTP_DISPOSITION_DISCARD; 2657 } 2658 2659 /* If Cumulative TSN Ack beyond the max tsn currently 2660 * send, terminating the association and respond to the 2661 * sender with an ABORT. 2662 */ 2663 if (!TSN_lt(ctsn, asoc->next_tsn)) 2664 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2665 2666 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2667 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2668 * inform the application that it should cease sending data. 2669 */ 2670 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2671 if (!ev) { 2672 disposition = SCTP_DISPOSITION_NOMEM; 2673 goto out; 2674 } 2675 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2676 2677 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2678 * - enter the SHUTDOWN-RECEIVED state, 2679 * - stop accepting new data from its SCTP user 2680 * 2681 * [This is implicit in the new state.] 2682 */ 2683 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2684 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2685 disposition = SCTP_DISPOSITION_CONSUME; 2686 2687 if (sctp_outq_is_empty(&asoc->outqueue)) { 2688 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2689 arg, commands); 2690 } 2691 2692 if (SCTP_DISPOSITION_NOMEM == disposition) 2693 goto out; 2694 2695 /* - verify, by checking the Cumulative TSN Ack field of the 2696 * chunk, that all its outstanding DATA chunks have been 2697 * received by the SHUTDOWN sender. 2698 */ 2699 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2700 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2701 2702 out: 2703 return disposition; 2704 } 2705 2706 /* 2707 * sctp_sf_do_9_2_shut_ctsn 2708 * 2709 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2710 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2711 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2712 * MUST be processed. 2713 */ 2714 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(struct net *net, 2715 const struct sctp_endpoint *ep, 2716 const struct sctp_association *asoc, 2717 const sctp_subtype_t type, 2718 void *arg, 2719 sctp_cmd_seq_t *commands) 2720 { 2721 struct sctp_chunk *chunk = arg; 2722 sctp_shutdownhdr_t *sdh; 2723 __u32 ctsn; 2724 2725 if (!sctp_vtag_verify(chunk, asoc)) 2726 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2727 2728 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2729 if (!sctp_chunk_length_valid(chunk, 2730 sizeof(struct sctp_shutdown_chunk_t))) 2731 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2732 commands); 2733 2734 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2735 ctsn = ntohl(sdh->cum_tsn_ack); 2736 2737 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2738 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2739 asoc->ctsn_ack_point); 2740 2741 return SCTP_DISPOSITION_DISCARD; 2742 } 2743 2744 /* If Cumulative TSN Ack beyond the max tsn currently 2745 * send, terminating the association and respond to the 2746 * sender with an ABORT. 2747 */ 2748 if (!TSN_lt(ctsn, asoc->next_tsn)) 2749 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2750 2751 /* verify, by checking the Cumulative TSN Ack field of the 2752 * chunk, that all its outstanding DATA chunks have been 2753 * received by the SHUTDOWN sender. 2754 */ 2755 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2756 SCTP_BE32(sdh->cum_tsn_ack)); 2757 2758 return SCTP_DISPOSITION_CONSUME; 2759 } 2760 2761 /* RFC 2960 9.2 2762 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2763 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2764 * transport addresses (either in the IP addresses or in the INIT chunk) 2765 * that belong to this association, it should discard the INIT chunk and 2766 * retransmit the SHUTDOWN ACK chunk. 2767 */ 2768 sctp_disposition_t sctp_sf_do_9_2_reshutack(struct net *net, 2769 const struct sctp_endpoint *ep, 2770 const struct sctp_association *asoc, 2771 const sctp_subtype_t type, 2772 void *arg, 2773 sctp_cmd_seq_t *commands) 2774 { 2775 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2776 struct sctp_chunk *reply; 2777 2778 /* Make sure that the chunk has a valid length */ 2779 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2780 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2781 commands); 2782 2783 /* Since we are not going to really process this INIT, there 2784 * is no point in verifying chunk boundries. Just generate 2785 * the SHUTDOWN ACK. 2786 */ 2787 reply = sctp_make_shutdown_ack(asoc, chunk); 2788 if (NULL == reply) 2789 goto nomem; 2790 2791 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2792 * the T2-SHUTDOWN timer. 2793 */ 2794 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2795 2796 /* and restart the T2-shutdown timer. */ 2797 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2798 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2799 2800 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2801 2802 return SCTP_DISPOSITION_CONSUME; 2803 nomem: 2804 return SCTP_DISPOSITION_NOMEM; 2805 } 2806 2807 /* 2808 * sctp_sf_do_ecn_cwr 2809 * 2810 * Section: Appendix A: Explicit Congestion Notification 2811 * 2812 * CWR: 2813 * 2814 * RFC 2481 details a specific bit for a sender to send in the header of 2815 * its next outbound TCP segment to indicate to its peer that it has 2816 * reduced its congestion window. This is termed the CWR bit. For 2817 * SCTP the same indication is made by including the CWR chunk. 2818 * This chunk contains one data element, i.e. the TSN number that 2819 * was sent in the ECNE chunk. This element represents the lowest 2820 * TSN number in the datagram that was originally marked with the 2821 * CE bit. 2822 * 2823 * Verification Tag: 8.5 Verification Tag [Normal verification] 2824 * Inputs 2825 * (endpoint, asoc, chunk) 2826 * 2827 * Outputs 2828 * (asoc, reply_msg, msg_up, timers, counters) 2829 * 2830 * The return value is the disposition of the chunk. 2831 */ 2832 sctp_disposition_t sctp_sf_do_ecn_cwr(struct net *net, 2833 const struct sctp_endpoint *ep, 2834 const struct sctp_association *asoc, 2835 const sctp_subtype_t type, 2836 void *arg, 2837 sctp_cmd_seq_t *commands) 2838 { 2839 sctp_cwrhdr_t *cwr; 2840 struct sctp_chunk *chunk = arg; 2841 u32 lowest_tsn; 2842 2843 if (!sctp_vtag_verify(chunk, asoc)) 2844 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2845 2846 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2847 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2848 commands); 2849 2850 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2851 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2852 2853 lowest_tsn = ntohl(cwr->lowest_tsn); 2854 2855 /* Does this CWR ack the last sent congestion notification? */ 2856 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2857 /* Stop sending ECNE. */ 2858 sctp_add_cmd_sf(commands, 2859 SCTP_CMD_ECN_CWR, 2860 SCTP_U32(lowest_tsn)); 2861 } 2862 return SCTP_DISPOSITION_CONSUME; 2863 } 2864 2865 /* 2866 * sctp_sf_do_ecne 2867 * 2868 * Section: Appendix A: Explicit Congestion Notification 2869 * 2870 * ECN-Echo 2871 * 2872 * RFC 2481 details a specific bit for a receiver to send back in its 2873 * TCP acknowledgements to notify the sender of the Congestion 2874 * Experienced (CE) bit having arrived from the network. For SCTP this 2875 * same indication is made by including the ECNE chunk. This chunk 2876 * contains one data element, i.e. the lowest TSN associated with the IP 2877 * datagram marked with the CE bit..... 2878 * 2879 * Verification Tag: 8.5 Verification Tag [Normal verification] 2880 * Inputs 2881 * (endpoint, asoc, chunk) 2882 * 2883 * Outputs 2884 * (asoc, reply_msg, msg_up, timers, counters) 2885 * 2886 * The return value is the disposition of the chunk. 2887 */ 2888 sctp_disposition_t sctp_sf_do_ecne(struct net *net, 2889 const struct sctp_endpoint *ep, 2890 const struct sctp_association *asoc, 2891 const sctp_subtype_t type, 2892 void *arg, 2893 sctp_cmd_seq_t *commands) 2894 { 2895 sctp_ecnehdr_t *ecne; 2896 struct sctp_chunk *chunk = arg; 2897 2898 if (!sctp_vtag_verify(chunk, asoc)) 2899 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2900 2901 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2902 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2903 commands); 2904 2905 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2906 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2907 2908 /* If this is a newer ECNE than the last CWR packet we sent out */ 2909 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2910 SCTP_U32(ntohl(ecne->lowest_tsn))); 2911 2912 return SCTP_DISPOSITION_CONSUME; 2913 } 2914 2915 /* 2916 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2917 * 2918 * The SCTP endpoint MUST always acknowledge the reception of each valid 2919 * DATA chunk. 2920 * 2921 * The guidelines on delayed acknowledgement algorithm specified in 2922 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2923 * acknowledgement SHOULD be generated for at least every second packet 2924 * (not every second DATA chunk) received, and SHOULD be generated within 2925 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2926 * situations it may be beneficial for an SCTP transmitter to be more 2927 * conservative than the algorithms detailed in this document allow. 2928 * However, an SCTP transmitter MUST NOT be more aggressive than the 2929 * following algorithms allow. 2930 * 2931 * A SCTP receiver MUST NOT generate more than one SACK for every 2932 * incoming packet, other than to update the offered window as the 2933 * receiving application consumes new data. 2934 * 2935 * Verification Tag: 8.5 Verification Tag [Normal verification] 2936 * 2937 * Inputs 2938 * (endpoint, asoc, chunk) 2939 * 2940 * Outputs 2941 * (asoc, reply_msg, msg_up, timers, counters) 2942 * 2943 * The return value is the disposition of the chunk. 2944 */ 2945 sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net, 2946 const struct sctp_endpoint *ep, 2947 const struct sctp_association *asoc, 2948 const sctp_subtype_t type, 2949 void *arg, 2950 sctp_cmd_seq_t *commands) 2951 { 2952 struct sctp_chunk *chunk = arg; 2953 sctp_arg_t force = SCTP_NOFORCE(); 2954 int error; 2955 2956 if (!sctp_vtag_verify(chunk, asoc)) { 2957 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2958 SCTP_NULL()); 2959 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2960 } 2961 2962 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2963 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2964 commands); 2965 2966 error = sctp_eat_data(asoc, chunk, commands); 2967 switch (error) { 2968 case SCTP_IERROR_NO_ERROR: 2969 break; 2970 case SCTP_IERROR_HIGH_TSN: 2971 case SCTP_IERROR_BAD_STREAM: 2972 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2973 goto discard_noforce; 2974 case SCTP_IERROR_DUP_TSN: 2975 case SCTP_IERROR_IGNORE_TSN: 2976 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2977 goto discard_force; 2978 case SCTP_IERROR_NO_DATA: 2979 goto consume; 2980 case SCTP_IERROR_PROTO_VIOLATION: 2981 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 2982 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 2983 default: 2984 BUG(); 2985 } 2986 2987 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 2988 force = SCTP_FORCE(); 2989 2990 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 2991 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2992 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2993 } 2994 2995 /* If this is the last chunk in a packet, we need to count it 2996 * toward sack generation. Note that we need to SACK every 2997 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2998 * THEM. We elect to NOT generate SACK's if the chunk fails 2999 * the verification tag test. 3000 * 3001 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3002 * 3003 * The SCTP endpoint MUST always acknowledge the reception of 3004 * each valid DATA chunk. 3005 * 3006 * The guidelines on delayed acknowledgement algorithm 3007 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3008 * Specifically, an acknowledgement SHOULD be generated for at 3009 * least every second packet (not every second DATA chunk) 3010 * received, and SHOULD be generated within 200 ms of the 3011 * arrival of any unacknowledged DATA chunk. In some 3012 * situations it may be beneficial for an SCTP transmitter to 3013 * be more conservative than the algorithms detailed in this 3014 * document allow. However, an SCTP transmitter MUST NOT be 3015 * more aggressive than the following algorithms allow. 3016 */ 3017 if (chunk->end_of_packet) 3018 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3019 3020 return SCTP_DISPOSITION_CONSUME; 3021 3022 discard_force: 3023 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3024 * 3025 * When a packet arrives with duplicate DATA chunk(s) and with 3026 * no new DATA chunk(s), the endpoint MUST immediately send a 3027 * SACK with no delay. If a packet arrives with duplicate 3028 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3029 * MAY immediately send a SACK. Normally receipt of duplicate 3030 * DATA chunks will occur when the original SACK chunk was lost 3031 * and the peer's RTO has expired. The duplicate TSN number(s) 3032 * SHOULD be reported in the SACK as duplicate. 3033 */ 3034 /* In our case, we split the MAY SACK advice up whether or not 3035 * the last chunk is a duplicate.' 3036 */ 3037 if (chunk->end_of_packet) 3038 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3039 return SCTP_DISPOSITION_DISCARD; 3040 3041 discard_noforce: 3042 if (chunk->end_of_packet) 3043 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3044 3045 return SCTP_DISPOSITION_DISCARD; 3046 consume: 3047 return SCTP_DISPOSITION_CONSUME; 3048 3049 } 3050 3051 /* 3052 * sctp_sf_eat_data_fast_4_4 3053 * 3054 * Section: 4 (4) 3055 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3056 * DATA chunks without delay. 3057 * 3058 * Verification Tag: 8.5 Verification Tag [Normal verification] 3059 * Inputs 3060 * (endpoint, asoc, chunk) 3061 * 3062 * Outputs 3063 * (asoc, reply_msg, msg_up, timers, counters) 3064 * 3065 * The return value is the disposition of the chunk. 3066 */ 3067 sctp_disposition_t sctp_sf_eat_data_fast_4_4(struct net *net, 3068 const struct sctp_endpoint *ep, 3069 const struct sctp_association *asoc, 3070 const sctp_subtype_t type, 3071 void *arg, 3072 sctp_cmd_seq_t *commands) 3073 { 3074 struct sctp_chunk *chunk = arg; 3075 int error; 3076 3077 if (!sctp_vtag_verify(chunk, asoc)) { 3078 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3079 SCTP_NULL()); 3080 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3081 } 3082 3083 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 3084 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3085 commands); 3086 3087 error = sctp_eat_data(asoc, chunk, commands); 3088 switch (error) { 3089 case SCTP_IERROR_NO_ERROR: 3090 case SCTP_IERROR_HIGH_TSN: 3091 case SCTP_IERROR_DUP_TSN: 3092 case SCTP_IERROR_IGNORE_TSN: 3093 case SCTP_IERROR_BAD_STREAM: 3094 break; 3095 case SCTP_IERROR_NO_DATA: 3096 goto consume; 3097 case SCTP_IERROR_PROTO_VIOLATION: 3098 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3099 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 3100 default: 3101 BUG(); 3102 } 3103 3104 /* Go a head and force a SACK, since we are shutting down. */ 3105 3106 /* Implementor's Guide. 3107 * 3108 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3109 * respond to each received packet containing one or more DATA chunk(s) 3110 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3111 */ 3112 if (chunk->end_of_packet) { 3113 /* We must delay the chunk creation since the cumulative 3114 * TSN has not been updated yet. 3115 */ 3116 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3117 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3118 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3119 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3120 } 3121 3122 consume: 3123 return SCTP_DISPOSITION_CONSUME; 3124 } 3125 3126 /* 3127 * Section: 6.2 Processing a Received SACK 3128 * D) Any time a SACK arrives, the endpoint performs the following: 3129 * 3130 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3131 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3132 * increasing, a SACK whose Cumulative TSN Ack is less than the 3133 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3134 * 3135 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3136 * of bytes still outstanding after processing the Cumulative TSN Ack 3137 * and the Gap Ack Blocks. 3138 * 3139 * iii) If the SACK is missing a TSN that was previously 3140 * acknowledged via a Gap Ack Block (e.g., the data receiver 3141 * reneged on the data), then mark the corresponding DATA chunk 3142 * as available for retransmit: Mark it as missing for fast 3143 * retransmit as described in Section 7.2.4 and if no retransmit 3144 * timer is running for the destination address to which the DATA 3145 * chunk was originally transmitted, then T3-rtx is started for 3146 * that destination address. 3147 * 3148 * Verification Tag: 8.5 Verification Tag [Normal verification] 3149 * 3150 * Inputs 3151 * (endpoint, asoc, chunk) 3152 * 3153 * Outputs 3154 * (asoc, reply_msg, msg_up, timers, counters) 3155 * 3156 * The return value is the disposition of the chunk. 3157 */ 3158 sctp_disposition_t sctp_sf_eat_sack_6_2(struct net *net, 3159 const struct sctp_endpoint *ep, 3160 const struct sctp_association *asoc, 3161 const sctp_subtype_t type, 3162 void *arg, 3163 sctp_cmd_seq_t *commands) 3164 { 3165 struct sctp_chunk *chunk = arg; 3166 sctp_sackhdr_t *sackh; 3167 __u32 ctsn; 3168 3169 if (!sctp_vtag_verify(chunk, asoc)) 3170 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3171 3172 /* Make sure that the SACK chunk has a valid length. */ 3173 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 3174 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3175 commands); 3176 3177 /* Pull the SACK chunk from the data buffer */ 3178 sackh = sctp_sm_pull_sack(chunk); 3179 /* Was this a bogus SACK? */ 3180 if (!sackh) 3181 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3182 chunk->subh.sack_hdr = sackh; 3183 ctsn = ntohl(sackh->cum_tsn_ack); 3184 3185 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3186 * Ack Point, then drop the SACK. Since Cumulative TSN 3187 * Ack is monotonically increasing, a SACK whose 3188 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3189 * Point indicates an out-of-order SACK. 3190 */ 3191 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3192 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3193 asoc->ctsn_ack_point); 3194 3195 return SCTP_DISPOSITION_DISCARD; 3196 } 3197 3198 /* If Cumulative TSN Ack beyond the max tsn currently 3199 * send, terminating the association and respond to the 3200 * sender with an ABORT. 3201 */ 3202 if (!TSN_lt(ctsn, asoc->next_tsn)) 3203 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3204 3205 /* Return this SACK for further processing. */ 3206 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3207 3208 /* Note: We do the rest of the work on the PROCESS_SACK 3209 * sideeffect. 3210 */ 3211 return SCTP_DISPOSITION_CONSUME; 3212 } 3213 3214 /* 3215 * Generate an ABORT in response to a packet. 3216 * 3217 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3218 * 3219 * 8) The receiver should respond to the sender of the OOTB packet with 3220 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3221 * MUST fill in the Verification Tag field of the outbound packet 3222 * with the value found in the Verification Tag field of the OOTB 3223 * packet and set the T-bit in the Chunk Flags to indicate that the 3224 * Verification Tag is reflected. After sending this ABORT, the 3225 * receiver of the OOTB packet shall discard the OOTB packet and take 3226 * no further action. 3227 * 3228 * Verification Tag: 3229 * 3230 * The return value is the disposition of the chunk. 3231 */ 3232 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net, 3233 const struct sctp_endpoint *ep, 3234 const struct sctp_association *asoc, 3235 const sctp_subtype_t type, 3236 void *arg, 3237 sctp_cmd_seq_t *commands) 3238 { 3239 struct sctp_packet *packet = NULL; 3240 struct sctp_chunk *chunk = arg; 3241 struct sctp_chunk *abort; 3242 3243 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3244 3245 if (packet) { 3246 /* Make an ABORT. The T bit will be set if the asoc 3247 * is NULL. 3248 */ 3249 abort = sctp_make_abort(asoc, chunk, 0); 3250 if (!abort) { 3251 sctp_ootb_pkt_free(packet); 3252 return SCTP_DISPOSITION_NOMEM; 3253 } 3254 3255 /* Reflect vtag if T-Bit is set */ 3256 if (sctp_test_T_bit(abort)) 3257 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3258 3259 /* Set the skb to the belonging sock for accounting. */ 3260 abort->skb->sk = ep->base.sk; 3261 3262 sctp_packet_append_chunk(packet, abort); 3263 3264 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3265 SCTP_PACKET(packet)); 3266 3267 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3268 3269 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3270 return SCTP_DISPOSITION_CONSUME; 3271 } 3272 3273 return SCTP_DISPOSITION_NOMEM; 3274 } 3275 3276 /* 3277 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3278 * event as ULP notification for each cause included in the chunk. 3279 * 3280 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3281 * 3282 * The return value is the disposition of the chunk. 3283 */ 3284 sctp_disposition_t sctp_sf_operr_notify(struct net *net, 3285 const struct sctp_endpoint *ep, 3286 const struct sctp_association *asoc, 3287 const sctp_subtype_t type, 3288 void *arg, 3289 sctp_cmd_seq_t *commands) 3290 { 3291 struct sctp_chunk *chunk = arg; 3292 sctp_errhdr_t *err; 3293 3294 if (!sctp_vtag_verify(chunk, asoc)) 3295 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3296 3297 /* Make sure that the ERROR chunk has a valid length. */ 3298 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3299 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3300 commands); 3301 sctp_walk_errors(err, chunk->chunk_hdr); 3302 if ((void *)err != (void *)chunk->chunk_end) 3303 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3304 (void *)err, commands); 3305 3306 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3307 SCTP_CHUNK(chunk)); 3308 3309 return SCTP_DISPOSITION_CONSUME; 3310 } 3311 3312 /* 3313 * Process an inbound SHUTDOWN ACK. 3314 * 3315 * From Section 9.2: 3316 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3317 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3318 * peer, and remove all record of the association. 3319 * 3320 * The return value is the disposition. 3321 */ 3322 sctp_disposition_t sctp_sf_do_9_2_final(struct net *net, 3323 const struct sctp_endpoint *ep, 3324 const struct sctp_association *asoc, 3325 const sctp_subtype_t type, 3326 void *arg, 3327 sctp_cmd_seq_t *commands) 3328 { 3329 struct sctp_chunk *chunk = arg; 3330 struct sctp_chunk *reply; 3331 struct sctp_ulpevent *ev; 3332 3333 if (!sctp_vtag_verify(chunk, asoc)) 3334 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3335 3336 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3337 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3338 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3339 commands); 3340 /* 10.2 H) SHUTDOWN COMPLETE notification 3341 * 3342 * When SCTP completes the shutdown procedures (section 9.2) this 3343 * notification is passed to the upper layer. 3344 */ 3345 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3346 0, 0, 0, NULL, GFP_ATOMIC); 3347 if (!ev) 3348 goto nomem; 3349 3350 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3351 reply = sctp_make_shutdown_complete(asoc, chunk); 3352 if (!reply) 3353 goto nomem_chunk; 3354 3355 /* Do all the commands now (after allocation), so that we 3356 * have consistent state if memory allocation failes 3357 */ 3358 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3359 3360 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3361 * stop the T2-shutdown timer, 3362 */ 3363 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3364 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3365 3366 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3367 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3368 3369 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3370 SCTP_STATE(SCTP_STATE_CLOSED)); 3371 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3372 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3373 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3374 3375 /* ...and remove all record of the association. */ 3376 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3377 return SCTP_DISPOSITION_DELETE_TCB; 3378 3379 nomem_chunk: 3380 sctp_ulpevent_free(ev); 3381 nomem: 3382 return SCTP_DISPOSITION_NOMEM; 3383 } 3384 3385 /* 3386 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3387 * 3388 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3389 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3390 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3391 * packet must fill in the Verification Tag field of the outbound 3392 * packet with the Verification Tag received in the SHUTDOWN ACK and 3393 * set the T-bit in the Chunk Flags to indicate that the Verification 3394 * Tag is reflected. 3395 * 3396 * 8) The receiver should respond to the sender of the OOTB packet with 3397 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3398 * MUST fill in the Verification Tag field of the outbound packet 3399 * with the value found in the Verification Tag field of the OOTB 3400 * packet and set the T-bit in the Chunk Flags to indicate that the 3401 * Verification Tag is reflected. After sending this ABORT, the 3402 * receiver of the OOTB packet shall discard the OOTB packet and take 3403 * no further action. 3404 */ 3405 sctp_disposition_t sctp_sf_ootb(struct net *net, 3406 const struct sctp_endpoint *ep, 3407 const struct sctp_association *asoc, 3408 const sctp_subtype_t type, 3409 void *arg, 3410 sctp_cmd_seq_t *commands) 3411 { 3412 struct sctp_chunk *chunk = arg; 3413 struct sk_buff *skb = chunk->skb; 3414 sctp_chunkhdr_t *ch; 3415 sctp_errhdr_t *err; 3416 __u8 *ch_end; 3417 int ootb_shut_ack = 0; 3418 int ootb_cookie_ack = 0; 3419 3420 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3421 3422 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3423 do { 3424 /* Report violation if the chunk is less then minimal */ 3425 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3426 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3427 commands); 3428 3429 /* Now that we know we at least have a chunk header, 3430 * do things that are type appropriate. 3431 */ 3432 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3433 ootb_shut_ack = 1; 3434 3435 /* RFC 2960, Section 3.3.7 3436 * Moreover, under any circumstances, an endpoint that 3437 * receives an ABORT MUST NOT respond to that ABORT by 3438 * sending an ABORT of its own. 3439 */ 3440 if (SCTP_CID_ABORT == ch->type) 3441 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3442 3443 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3444 * or a COOKIE ACK the SCTP Packet should be silently 3445 * discarded. 3446 */ 3447 3448 if (SCTP_CID_COOKIE_ACK == ch->type) 3449 ootb_cookie_ack = 1; 3450 3451 if (SCTP_CID_ERROR == ch->type) { 3452 sctp_walk_errors(err, ch) { 3453 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3454 ootb_cookie_ack = 1; 3455 break; 3456 } 3457 } 3458 } 3459 3460 /* Report violation if chunk len overflows */ 3461 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3462 if (ch_end > skb_tail_pointer(skb)) 3463 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3464 commands); 3465 3466 ch = (sctp_chunkhdr_t *) ch_end; 3467 } while (ch_end < skb_tail_pointer(skb)); 3468 3469 if (ootb_shut_ack) 3470 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3471 else if (ootb_cookie_ack) 3472 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3473 else 3474 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3475 } 3476 3477 /* 3478 * Handle an "Out of the blue" SHUTDOWN ACK. 3479 * 3480 * Section: 8.4 5, sctpimpguide 2.41. 3481 * 3482 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3483 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3484 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3485 * packet must fill in the Verification Tag field of the outbound 3486 * packet with the Verification Tag received in the SHUTDOWN ACK and 3487 * set the T-bit in the Chunk Flags to indicate that the Verification 3488 * Tag is reflected. 3489 * 3490 * Inputs 3491 * (endpoint, asoc, type, arg, commands) 3492 * 3493 * Outputs 3494 * (sctp_disposition_t) 3495 * 3496 * The return value is the disposition of the chunk. 3497 */ 3498 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net, 3499 const struct sctp_endpoint *ep, 3500 const struct sctp_association *asoc, 3501 const sctp_subtype_t type, 3502 void *arg, 3503 sctp_cmd_seq_t *commands) 3504 { 3505 struct sctp_packet *packet = NULL; 3506 struct sctp_chunk *chunk = arg; 3507 struct sctp_chunk *shut; 3508 3509 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3510 3511 if (packet) { 3512 /* Make an SHUTDOWN_COMPLETE. 3513 * The T bit will be set if the asoc is NULL. 3514 */ 3515 shut = sctp_make_shutdown_complete(asoc, chunk); 3516 if (!shut) { 3517 sctp_ootb_pkt_free(packet); 3518 return SCTP_DISPOSITION_NOMEM; 3519 } 3520 3521 /* Reflect vtag if T-Bit is set */ 3522 if (sctp_test_T_bit(shut)) 3523 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3524 3525 /* Set the skb to the belonging sock for accounting. */ 3526 shut->skb->sk = ep->base.sk; 3527 3528 sctp_packet_append_chunk(packet, shut); 3529 3530 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3531 SCTP_PACKET(packet)); 3532 3533 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3534 3535 /* If the chunk length is invalid, we don't want to process 3536 * the reset of the packet. 3537 */ 3538 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3539 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3540 3541 /* We need to discard the rest of the packet to prevent 3542 * potential bomming attacks from additional bundled chunks. 3543 * This is documented in SCTP Threats ID. 3544 */ 3545 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3546 } 3547 3548 return SCTP_DISPOSITION_NOMEM; 3549 } 3550 3551 /* 3552 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3553 * 3554 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3555 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3556 * procedures in section 8.4 SHOULD be followed, in other words it 3557 * should be treated as an Out Of The Blue packet. 3558 * [This means that we do NOT check the Verification Tag on these 3559 * chunks. --piggy ] 3560 * 3561 */ 3562 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(struct net *net, 3563 const struct sctp_endpoint *ep, 3564 const struct sctp_association *asoc, 3565 const sctp_subtype_t type, 3566 void *arg, 3567 sctp_cmd_seq_t *commands) 3568 { 3569 struct sctp_chunk *chunk = arg; 3570 3571 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3572 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3573 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3574 commands); 3575 3576 /* Although we do have an association in this case, it corresponds 3577 * to a restarted association. So the packet is treated as an OOTB 3578 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3579 * called with a NULL association. 3580 */ 3581 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3582 3583 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3584 } 3585 3586 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3587 sctp_disposition_t sctp_sf_do_asconf(struct net *net, 3588 const struct sctp_endpoint *ep, 3589 const struct sctp_association *asoc, 3590 const sctp_subtype_t type, void *arg, 3591 sctp_cmd_seq_t *commands) 3592 { 3593 struct sctp_chunk *chunk = arg; 3594 struct sctp_chunk *asconf_ack = NULL; 3595 struct sctp_paramhdr *err_param = NULL; 3596 sctp_addiphdr_t *hdr; 3597 __u32 serial; 3598 3599 if (!sctp_vtag_verify(chunk, asoc)) { 3600 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3601 SCTP_NULL()); 3602 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3603 } 3604 3605 /* ADD-IP: Section 4.1.1 3606 * This chunk MUST be sent in an authenticated way by using 3607 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3608 * is received unauthenticated it MUST be silently discarded as 3609 * described in [I-D.ietf-tsvwg-sctp-auth]. 3610 */ 3611 if (!net->sctp.addip_noauth && !chunk->auth) 3612 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 3613 3614 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3615 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3616 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3617 commands); 3618 3619 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3620 serial = ntohl(hdr->serial); 3621 3622 /* Verify the ASCONF chunk before processing it. */ 3623 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3624 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3625 (void *)err_param, commands); 3626 3627 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3628 * the endpoint stored in a new association variable 3629 * 'Peer-Serial-Number'. 3630 */ 3631 if (serial == asoc->peer.addip_serial + 1) { 3632 /* If this is the first instance of ASCONF in the packet, 3633 * we can clean our old ASCONF-ACKs. 3634 */ 3635 if (!chunk->has_asconf) 3636 sctp_assoc_clean_asconf_ack_cache(asoc); 3637 3638 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3639 * expected, process the ASCONF as described below and after 3640 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3641 * the response packet and cache a copy of it (in the event it 3642 * later needs to be retransmitted). 3643 * 3644 * Essentially, do V1-V5. 3645 */ 3646 asconf_ack = sctp_process_asconf((struct sctp_association *) 3647 asoc, chunk); 3648 if (!asconf_ack) 3649 return SCTP_DISPOSITION_NOMEM; 3650 } else if (serial < asoc->peer.addip_serial + 1) { 3651 /* ADDIP 5.2 E2) 3652 * If the value found in the Sequence Number is less than the 3653 * ('Peer- Sequence-Number' + 1), simply skip to the next 3654 * ASCONF, and include in the outbound response packet 3655 * any previously cached ASCONF-ACK response that was 3656 * sent and saved that matches the Sequence Number of the 3657 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3658 * Chunk exists. This will occur when an older ASCONF 3659 * arrives out of order. In such a case, the receiver 3660 * should skip the ASCONF Chunk and not include ASCONF-ACK 3661 * Chunk for that chunk. 3662 */ 3663 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3664 if (!asconf_ack) 3665 return SCTP_DISPOSITION_DISCARD; 3666 3667 /* Reset the transport so that we select the correct one 3668 * this time around. This is to make sure that we don't 3669 * accidentally use a stale transport that's been removed. 3670 */ 3671 asconf_ack->transport = NULL; 3672 } else { 3673 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3674 * it must be either a stale packet or from an attacker. 3675 */ 3676 return SCTP_DISPOSITION_DISCARD; 3677 } 3678 3679 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3680 * containing the ASCONF-ACK Chunks MUST be the source address of 3681 * the SCTP packet that held the ASCONF Chunks. 3682 * 3683 * To do this properly, we'll set the destination address of the chunk 3684 * and at the transmit time, will try look up the transport to use. 3685 * Since ASCONFs may be bundled, the correct transport may not be 3686 * created until we process the entire packet, thus this workaround. 3687 */ 3688 asconf_ack->dest = chunk->source; 3689 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3690 if (asoc->new_transport) { 3691 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3692 ((struct sctp_association *)asoc)->new_transport = NULL; 3693 } 3694 3695 return SCTP_DISPOSITION_CONSUME; 3696 } 3697 3698 /* 3699 * ADDIP Section 4.3 General rules for address manipulation 3700 * When building TLV parameters for the ASCONF Chunk that will add or 3701 * delete IP addresses the D0 to D13 rules should be applied: 3702 */ 3703 sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net, 3704 const struct sctp_endpoint *ep, 3705 const struct sctp_association *asoc, 3706 const sctp_subtype_t type, void *arg, 3707 sctp_cmd_seq_t *commands) 3708 { 3709 struct sctp_chunk *asconf_ack = arg; 3710 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3711 struct sctp_chunk *abort; 3712 struct sctp_paramhdr *err_param = NULL; 3713 sctp_addiphdr_t *addip_hdr; 3714 __u32 sent_serial, rcvd_serial; 3715 3716 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3717 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3718 SCTP_NULL()); 3719 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3720 } 3721 3722 /* ADD-IP, Section 4.1.2: 3723 * This chunk MUST be sent in an authenticated way by using 3724 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3725 * is received unauthenticated it MUST be silently discarded as 3726 * described in [I-D.ietf-tsvwg-sctp-auth]. 3727 */ 3728 if (!net->sctp.addip_noauth && !asconf_ack->auth) 3729 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 3730 3731 /* Make sure that the ADDIP chunk has a valid length. */ 3732 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3733 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3734 commands); 3735 3736 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3737 rcvd_serial = ntohl(addip_hdr->serial); 3738 3739 /* Verify the ASCONF-ACK chunk before processing it. */ 3740 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 3741 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3742 (void *)err_param, commands); 3743 3744 if (last_asconf) { 3745 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3746 sent_serial = ntohl(addip_hdr->serial); 3747 } else { 3748 sent_serial = asoc->addip_serial - 1; 3749 } 3750 3751 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3752 * equal to the next serial number to be used but no ASCONF chunk is 3753 * outstanding the endpoint MUST ABORT the association. Note that a 3754 * sequence number is greater than if it is no more than 2^^31-1 3755 * larger than the current sequence number (using serial arithmetic). 3756 */ 3757 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3758 !(asoc->addip_last_asconf)) { 3759 abort = sctp_make_abort(asoc, asconf_ack, 3760 sizeof(sctp_errhdr_t)); 3761 if (abort) { 3762 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3763 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3764 SCTP_CHUNK(abort)); 3765 } 3766 /* We are going to ABORT, so we might as well stop 3767 * processing the rest of the chunks in the packet. 3768 */ 3769 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3770 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3771 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3772 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3773 SCTP_ERROR(ECONNABORTED)); 3774 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3775 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3776 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3777 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3778 return SCTP_DISPOSITION_ABORT; 3779 } 3780 3781 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3782 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3783 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3784 3785 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3786 asconf_ack)) { 3787 /* Successfully processed ASCONF_ACK. We can 3788 * release the next asconf if we have one. 3789 */ 3790 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3791 SCTP_NULL()); 3792 return SCTP_DISPOSITION_CONSUME; 3793 } 3794 3795 abort = sctp_make_abort(asoc, asconf_ack, 3796 sizeof(sctp_errhdr_t)); 3797 if (abort) { 3798 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3799 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3800 SCTP_CHUNK(abort)); 3801 } 3802 /* We are going to ABORT, so we might as well stop 3803 * processing the rest of the chunks in the packet. 3804 */ 3805 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3806 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3807 SCTP_ERROR(ECONNABORTED)); 3808 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3809 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3810 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3811 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3812 return SCTP_DISPOSITION_ABORT; 3813 } 3814 3815 return SCTP_DISPOSITION_DISCARD; 3816 } 3817 3818 /* 3819 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3820 * 3821 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3822 * its cumulative TSN point to the value carried in the FORWARD TSN 3823 * chunk, and then MUST further advance its cumulative TSN point locally 3824 * if possible. 3825 * After the above processing, the data receiver MUST stop reporting any 3826 * missing TSNs earlier than or equal to the new cumulative TSN point. 3827 * 3828 * Verification Tag: 8.5 Verification Tag [Normal verification] 3829 * 3830 * The return value is the disposition of the chunk. 3831 */ 3832 sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net, 3833 const struct sctp_endpoint *ep, 3834 const struct sctp_association *asoc, 3835 const sctp_subtype_t type, 3836 void *arg, 3837 sctp_cmd_seq_t *commands) 3838 { 3839 struct sctp_chunk *chunk = arg; 3840 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3841 struct sctp_fwdtsn_skip *skip; 3842 __u16 len; 3843 __u32 tsn; 3844 3845 if (!sctp_vtag_verify(chunk, asoc)) { 3846 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3847 SCTP_NULL()); 3848 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3849 } 3850 3851 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3852 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3853 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3854 commands); 3855 3856 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3857 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3858 len = ntohs(chunk->chunk_hdr->length); 3859 len -= sizeof(struct sctp_chunkhdr); 3860 skb_pull(chunk->skb, len); 3861 3862 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3863 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 3864 3865 /* The TSN is too high--silently discard the chunk and count on it 3866 * getting retransmitted later. 3867 */ 3868 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3869 goto discard_noforce; 3870 3871 /* Silently discard the chunk if stream-id is not valid */ 3872 sctp_walk_fwdtsn(skip, chunk) { 3873 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3874 goto discard_noforce; 3875 } 3876 3877 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3878 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3879 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3880 SCTP_CHUNK(chunk)); 3881 3882 /* Count this as receiving DATA. */ 3883 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3884 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3885 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3886 } 3887 3888 /* FIXME: For now send a SACK, but DATA processing may 3889 * send another. 3890 */ 3891 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3892 3893 return SCTP_DISPOSITION_CONSUME; 3894 3895 discard_noforce: 3896 return SCTP_DISPOSITION_DISCARD; 3897 } 3898 3899 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3900 struct net *net, 3901 const struct sctp_endpoint *ep, 3902 const struct sctp_association *asoc, 3903 const sctp_subtype_t type, 3904 void *arg, 3905 sctp_cmd_seq_t *commands) 3906 { 3907 struct sctp_chunk *chunk = arg; 3908 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3909 struct sctp_fwdtsn_skip *skip; 3910 __u16 len; 3911 __u32 tsn; 3912 3913 if (!sctp_vtag_verify(chunk, asoc)) { 3914 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3915 SCTP_NULL()); 3916 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3917 } 3918 3919 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3920 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3921 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3922 commands); 3923 3924 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3925 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3926 len = ntohs(chunk->chunk_hdr->length); 3927 len -= sizeof(struct sctp_chunkhdr); 3928 skb_pull(chunk->skb, len); 3929 3930 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3931 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 3932 3933 /* The TSN is too high--silently discard the chunk and count on it 3934 * getting retransmitted later. 3935 */ 3936 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3937 goto gen_shutdown; 3938 3939 /* Silently discard the chunk if stream-id is not valid */ 3940 sctp_walk_fwdtsn(skip, chunk) { 3941 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3942 goto gen_shutdown; 3943 } 3944 3945 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3946 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3947 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3948 SCTP_CHUNK(chunk)); 3949 3950 /* Go a head and force a SACK, since we are shutting down. */ 3951 gen_shutdown: 3952 /* Implementor's Guide. 3953 * 3954 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3955 * respond to each received packet containing one or more DATA chunk(s) 3956 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3957 */ 3958 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3959 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3960 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3961 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3962 3963 return SCTP_DISPOSITION_CONSUME; 3964 } 3965 3966 /* 3967 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 3968 * 3969 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3970 * Identifier field. If this algorithm was not specified by the 3971 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3972 * during association setup, the AUTH chunk and all chunks after it MUST 3973 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3974 * defined in Section 4.1. 3975 * 3976 * If an endpoint with no shared key receives a Shared Key Identifier 3977 * other than 0, it MUST silently discard all authenticated chunks. If 3978 * the endpoint has at least one endpoint pair shared key for the peer, 3979 * it MUST use the key specified by the Shared Key Identifier if a 3980 * key has been configured for that Shared Key Identifier. If no 3981 * endpoint pair shared key has been configured for that Shared Key 3982 * Identifier, all authenticated chunks MUST be silently discarded. 3983 * 3984 * Verification Tag: 8.5 Verification Tag [Normal verification] 3985 * 3986 * The return value is the disposition of the chunk. 3987 */ 3988 static sctp_ierror_t sctp_sf_authenticate(struct net *net, 3989 const struct sctp_endpoint *ep, 3990 const struct sctp_association *asoc, 3991 const sctp_subtype_t type, 3992 struct sctp_chunk *chunk) 3993 { 3994 struct sctp_authhdr *auth_hdr; 3995 struct sctp_hmac *hmac; 3996 unsigned int sig_len; 3997 __u16 key_id; 3998 __u8 *save_digest; 3999 __u8 *digest; 4000 4001 /* Pull in the auth header, so we can do some more verification */ 4002 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4003 chunk->subh.auth_hdr = auth_hdr; 4004 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 4005 4006 /* Make sure that we support the HMAC algorithm from the auth 4007 * chunk. 4008 */ 4009 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4010 return SCTP_IERROR_AUTH_BAD_HMAC; 4011 4012 /* Make sure that the provided shared key identifier has been 4013 * configured 4014 */ 4015 key_id = ntohs(auth_hdr->shkey_id); 4016 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 4017 return SCTP_IERROR_AUTH_BAD_KEYID; 4018 4019 4020 /* Make sure that the length of the signature matches what 4021 * we expect. 4022 */ 4023 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 4024 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4025 if (sig_len != hmac->hmac_len) 4026 return SCTP_IERROR_PROTO_VIOLATION; 4027 4028 /* Now that we've done validation checks, we can compute and 4029 * verify the hmac. The steps involved are: 4030 * 1. Save the digest from the chunk. 4031 * 2. Zero out the digest in the chunk. 4032 * 3. Compute the new digest 4033 * 4. Compare saved and new digests. 4034 */ 4035 digest = auth_hdr->hmac; 4036 skb_pull(chunk->skb, sig_len); 4037 4038 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4039 if (!save_digest) 4040 goto nomem; 4041 4042 memset(digest, 0, sig_len); 4043 4044 sctp_auth_calculate_hmac(asoc, chunk->skb, 4045 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4046 GFP_ATOMIC); 4047 4048 /* Discard the packet if the digests do not match */ 4049 if (memcmp(save_digest, digest, sig_len)) { 4050 kfree(save_digest); 4051 return SCTP_IERROR_BAD_SIG; 4052 } 4053 4054 kfree(save_digest); 4055 chunk->auth = 1; 4056 4057 return SCTP_IERROR_NO_ERROR; 4058 nomem: 4059 return SCTP_IERROR_NOMEM; 4060 } 4061 4062 sctp_disposition_t sctp_sf_eat_auth(struct net *net, 4063 const struct sctp_endpoint *ep, 4064 const struct sctp_association *asoc, 4065 const sctp_subtype_t type, 4066 void *arg, 4067 sctp_cmd_seq_t *commands) 4068 { 4069 struct sctp_authhdr *auth_hdr; 4070 struct sctp_chunk *chunk = arg; 4071 struct sctp_chunk *err_chunk; 4072 sctp_ierror_t error; 4073 4074 /* Make sure that the peer has AUTH capable */ 4075 if (!asoc->peer.auth_capable) 4076 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4077 4078 if (!sctp_vtag_verify(chunk, asoc)) { 4079 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4080 SCTP_NULL()); 4081 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4082 } 4083 4084 /* Make sure that the AUTH chunk has valid length. */ 4085 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4086 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4087 commands); 4088 4089 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4090 error = sctp_sf_authenticate(net, ep, asoc, type, chunk); 4091 switch (error) { 4092 case SCTP_IERROR_AUTH_BAD_HMAC: 4093 /* Generate the ERROR chunk and discard the rest 4094 * of the packet 4095 */ 4096 err_chunk = sctp_make_op_error(asoc, chunk, 4097 SCTP_ERROR_UNSUP_HMAC, 4098 &auth_hdr->hmac_id, 4099 sizeof(__u16), 0); 4100 if (err_chunk) { 4101 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4102 SCTP_CHUNK(err_chunk)); 4103 } 4104 /* Fall Through */ 4105 case SCTP_IERROR_AUTH_BAD_KEYID: 4106 case SCTP_IERROR_BAD_SIG: 4107 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4108 4109 case SCTP_IERROR_PROTO_VIOLATION: 4110 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4111 commands); 4112 4113 case SCTP_IERROR_NOMEM: 4114 return SCTP_DISPOSITION_NOMEM; 4115 4116 default: /* Prevent gcc warnings */ 4117 break; 4118 } 4119 4120 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4121 struct sctp_ulpevent *ev; 4122 4123 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4124 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 4125 4126 if (!ev) 4127 return -ENOMEM; 4128 4129 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4130 SCTP_ULPEVENT(ev)); 4131 } 4132 4133 return SCTP_DISPOSITION_CONSUME; 4134 } 4135 4136 /* 4137 * Process an unknown chunk. 4138 * 4139 * Section: 3.2. Also, 2.1 in the implementor's guide. 4140 * 4141 * Chunk Types are encoded such that the highest-order two bits specify 4142 * the action that must be taken if the processing endpoint does not 4143 * recognize the Chunk Type. 4144 * 4145 * 00 - Stop processing this SCTP packet and discard it, do not process 4146 * any further chunks within it. 4147 * 4148 * 01 - Stop processing this SCTP packet and discard it, do not process 4149 * any further chunks within it, and report the unrecognized 4150 * chunk in an 'Unrecognized Chunk Type'. 4151 * 4152 * 10 - Skip this chunk and continue processing. 4153 * 4154 * 11 - Skip this chunk and continue processing, but report in an ERROR 4155 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4156 * 4157 * The return value is the disposition of the chunk. 4158 */ 4159 sctp_disposition_t sctp_sf_unk_chunk(struct net *net, 4160 const struct sctp_endpoint *ep, 4161 const struct sctp_association *asoc, 4162 const sctp_subtype_t type, 4163 void *arg, 4164 sctp_cmd_seq_t *commands) 4165 { 4166 struct sctp_chunk *unk_chunk = arg; 4167 struct sctp_chunk *err_chunk; 4168 sctp_chunkhdr_t *hdr; 4169 4170 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4171 4172 if (!sctp_vtag_verify(unk_chunk, asoc)) 4173 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4174 4175 /* Make sure that the chunk has a valid length. 4176 * Since we don't know the chunk type, we use a general 4177 * chunkhdr structure to make a comparison. 4178 */ 4179 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 4180 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4181 commands); 4182 4183 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4184 case SCTP_CID_ACTION_DISCARD: 4185 /* Discard the packet. */ 4186 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4187 case SCTP_CID_ACTION_DISCARD_ERR: 4188 /* Generate an ERROR chunk as response. */ 4189 hdr = unk_chunk->chunk_hdr; 4190 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4191 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4192 WORD_ROUND(ntohs(hdr->length)), 4193 0); 4194 if (err_chunk) { 4195 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4196 SCTP_CHUNK(err_chunk)); 4197 } 4198 4199 /* Discard the packet. */ 4200 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4201 return SCTP_DISPOSITION_CONSUME; 4202 case SCTP_CID_ACTION_SKIP: 4203 /* Skip the chunk. */ 4204 return SCTP_DISPOSITION_DISCARD; 4205 case SCTP_CID_ACTION_SKIP_ERR: 4206 /* Generate an ERROR chunk as response. */ 4207 hdr = unk_chunk->chunk_hdr; 4208 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4209 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4210 WORD_ROUND(ntohs(hdr->length)), 4211 0); 4212 if (err_chunk) { 4213 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4214 SCTP_CHUNK(err_chunk)); 4215 } 4216 /* Skip the chunk. */ 4217 return SCTP_DISPOSITION_CONSUME; 4218 default: 4219 break; 4220 } 4221 4222 return SCTP_DISPOSITION_DISCARD; 4223 } 4224 4225 /* 4226 * Discard the chunk. 4227 * 4228 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4229 * [Too numerous to mention...] 4230 * Verification Tag: No verification needed. 4231 * Inputs 4232 * (endpoint, asoc, chunk) 4233 * 4234 * Outputs 4235 * (asoc, reply_msg, msg_up, timers, counters) 4236 * 4237 * The return value is the disposition of the chunk. 4238 */ 4239 sctp_disposition_t sctp_sf_discard_chunk(struct net *net, 4240 const struct sctp_endpoint *ep, 4241 const struct sctp_association *asoc, 4242 const sctp_subtype_t type, 4243 void *arg, 4244 sctp_cmd_seq_t *commands) 4245 { 4246 struct sctp_chunk *chunk = arg; 4247 4248 /* Make sure that the chunk has a valid length. 4249 * Since we don't know the chunk type, we use a general 4250 * chunkhdr structure to make a comparison. 4251 */ 4252 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4253 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4254 commands); 4255 4256 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4257 4258 return SCTP_DISPOSITION_DISCARD; 4259 } 4260 4261 /* 4262 * Discard the whole packet. 4263 * 4264 * Section: 8.4 2) 4265 * 4266 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4267 * silently discard the OOTB packet and take no further action. 4268 * 4269 * Verification Tag: No verification necessary 4270 * 4271 * Inputs 4272 * (endpoint, asoc, chunk) 4273 * 4274 * Outputs 4275 * (asoc, reply_msg, msg_up, timers, counters) 4276 * 4277 * The return value is the disposition of the chunk. 4278 */ 4279 sctp_disposition_t sctp_sf_pdiscard(struct net *net, 4280 const struct sctp_endpoint *ep, 4281 const struct sctp_association *asoc, 4282 const sctp_subtype_t type, 4283 void *arg, 4284 sctp_cmd_seq_t *commands) 4285 { 4286 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4287 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4288 4289 return SCTP_DISPOSITION_CONSUME; 4290 } 4291 4292 4293 /* 4294 * The other end is violating protocol. 4295 * 4296 * Section: Not specified 4297 * Verification Tag: Not specified 4298 * Inputs 4299 * (endpoint, asoc, chunk) 4300 * 4301 * Outputs 4302 * (asoc, reply_msg, msg_up, timers, counters) 4303 * 4304 * We simply tag the chunk as a violation. The state machine will log 4305 * the violation and continue. 4306 */ 4307 sctp_disposition_t sctp_sf_violation(struct net *net, 4308 const struct sctp_endpoint *ep, 4309 const struct sctp_association *asoc, 4310 const sctp_subtype_t type, 4311 void *arg, 4312 sctp_cmd_seq_t *commands) 4313 { 4314 struct sctp_chunk *chunk = arg; 4315 4316 /* Make sure that the chunk has a valid length. */ 4317 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4318 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4319 commands); 4320 4321 return SCTP_DISPOSITION_VIOLATION; 4322 } 4323 4324 /* 4325 * Common function to handle a protocol violation. 4326 */ 4327 static sctp_disposition_t sctp_sf_abort_violation( 4328 struct net *net, 4329 const struct sctp_endpoint *ep, 4330 const struct sctp_association *asoc, 4331 void *arg, 4332 sctp_cmd_seq_t *commands, 4333 const __u8 *payload, 4334 const size_t paylen) 4335 { 4336 struct sctp_packet *packet = NULL; 4337 struct sctp_chunk *chunk = arg; 4338 struct sctp_chunk *abort = NULL; 4339 4340 /* SCTP-AUTH, Section 6.3: 4341 * It should be noted that if the receiver wants to tear 4342 * down an association in an authenticated way only, the 4343 * handling of malformed packets should not result in 4344 * tearing down the association. 4345 * 4346 * This means that if we only want to abort associations 4347 * in an authenticated way (i.e AUTH+ABORT), then we 4348 * can't destroy this association just because the packet 4349 * was malformed. 4350 */ 4351 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4352 goto discard; 4353 4354 /* Make the abort chunk. */ 4355 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4356 if (!abort) 4357 goto nomem; 4358 4359 if (asoc) { 4360 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4361 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4362 !asoc->peer.i.init_tag) { 4363 sctp_initack_chunk_t *initack; 4364 4365 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 4366 if (!sctp_chunk_length_valid(chunk, 4367 sizeof(sctp_initack_chunk_t))) 4368 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4369 else { 4370 unsigned int inittag; 4371 4372 inittag = ntohl(initack->init_hdr.init_tag); 4373 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4374 SCTP_U32(inittag)); 4375 } 4376 } 4377 4378 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4379 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4380 4381 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4382 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4383 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4384 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4385 SCTP_ERROR(ECONNREFUSED)); 4386 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4387 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4388 } else { 4389 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4390 SCTP_ERROR(ECONNABORTED)); 4391 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4392 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4393 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4394 } 4395 } else { 4396 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4397 4398 if (!packet) 4399 goto nomem_pkt; 4400 4401 if (sctp_test_T_bit(abort)) 4402 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4403 4404 abort->skb->sk = ep->base.sk; 4405 4406 sctp_packet_append_chunk(packet, abort); 4407 4408 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4409 SCTP_PACKET(packet)); 4410 4411 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4412 } 4413 4414 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4415 4416 discard: 4417 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4418 return SCTP_DISPOSITION_ABORT; 4419 4420 nomem_pkt: 4421 sctp_chunk_free(abort); 4422 nomem: 4423 return SCTP_DISPOSITION_NOMEM; 4424 } 4425 4426 /* 4427 * Handle a protocol violation when the chunk length is invalid. 4428 * "Invalid" length is identified as smaller than the minimal length a 4429 * given chunk can be. For example, a SACK chunk has invalid length 4430 * if its length is set to be smaller than the size of sctp_sack_chunk_t. 4431 * 4432 * We inform the other end by sending an ABORT with a Protocol Violation 4433 * error code. 4434 * 4435 * Section: Not specified 4436 * Verification Tag: Nothing to do 4437 * Inputs 4438 * (endpoint, asoc, chunk) 4439 * 4440 * Outputs 4441 * (reply_msg, msg_up, counters) 4442 * 4443 * Generate an ABORT chunk and terminate the association. 4444 */ 4445 static sctp_disposition_t sctp_sf_violation_chunklen( 4446 struct net *net, 4447 const struct sctp_endpoint *ep, 4448 const struct sctp_association *asoc, 4449 const sctp_subtype_t type, 4450 void *arg, 4451 sctp_cmd_seq_t *commands) 4452 { 4453 static const char err_str[] = "The following chunk had invalid length:"; 4454 4455 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4456 sizeof(err_str)); 4457 } 4458 4459 /* 4460 * Handle a protocol violation when the parameter length is invalid. 4461 * If the length is smaller than the minimum length of a given parameter, 4462 * or accumulated length in multi parameters exceeds the end of the chunk, 4463 * the length is considered as invalid. 4464 */ 4465 static sctp_disposition_t sctp_sf_violation_paramlen( 4466 struct net *net, 4467 const struct sctp_endpoint *ep, 4468 const struct sctp_association *asoc, 4469 const sctp_subtype_t type, 4470 void *arg, void *ext, 4471 sctp_cmd_seq_t *commands) 4472 { 4473 struct sctp_chunk *chunk = arg; 4474 struct sctp_paramhdr *param = ext; 4475 struct sctp_chunk *abort = NULL; 4476 4477 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4478 goto discard; 4479 4480 /* Make the abort chunk. */ 4481 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4482 if (!abort) 4483 goto nomem; 4484 4485 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4486 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4487 4488 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4489 SCTP_ERROR(ECONNABORTED)); 4490 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4491 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4492 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4493 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4494 4495 discard: 4496 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4497 return SCTP_DISPOSITION_ABORT; 4498 nomem: 4499 return SCTP_DISPOSITION_NOMEM; 4500 } 4501 4502 /* Handle a protocol violation when the peer trying to advance the 4503 * cumulative tsn ack to a point beyond the max tsn currently sent. 4504 * 4505 * We inform the other end by sending an ABORT with a Protocol Violation 4506 * error code. 4507 */ 4508 static sctp_disposition_t sctp_sf_violation_ctsn( 4509 struct net *net, 4510 const struct sctp_endpoint *ep, 4511 const struct sctp_association *asoc, 4512 const sctp_subtype_t type, 4513 void *arg, 4514 sctp_cmd_seq_t *commands) 4515 { 4516 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4517 4518 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4519 sizeof(err_str)); 4520 } 4521 4522 /* Handle protocol violation of an invalid chunk bundling. For example, 4523 * when we have an association and we receive bundled INIT-ACK, or 4524 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4525 * statement from the specs. Additionally, there might be an attacker 4526 * on the path and we may not want to continue this communication. 4527 */ 4528 static sctp_disposition_t sctp_sf_violation_chunk( 4529 struct net *net, 4530 const struct sctp_endpoint *ep, 4531 const struct sctp_association *asoc, 4532 const sctp_subtype_t type, 4533 void *arg, 4534 sctp_cmd_seq_t *commands) 4535 { 4536 static const char err_str[] = "The following chunk violates protocol:"; 4537 4538 if (!asoc) 4539 return sctp_sf_violation(net, ep, asoc, type, arg, commands); 4540 4541 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4542 sizeof(err_str)); 4543 } 4544 /*************************************************************************** 4545 * These are the state functions for handling primitive (Section 10) events. 4546 ***************************************************************************/ 4547 /* 4548 * sctp_sf_do_prm_asoc 4549 * 4550 * Section: 10.1 ULP-to-SCTP 4551 * B) Associate 4552 * 4553 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4554 * outbound stream count) 4555 * -> association id [,destination transport addr list] [,outbound stream 4556 * count] 4557 * 4558 * This primitive allows the upper layer to initiate an association to a 4559 * specific peer endpoint. 4560 * 4561 * The peer endpoint shall be specified by one of the transport addresses 4562 * which defines the endpoint (see Section 1.4). If the local SCTP 4563 * instance has not been initialized, the ASSOCIATE is considered an 4564 * error. 4565 * [This is not relevant for the kernel implementation since we do all 4566 * initialization at boot time. It we hadn't initialized we wouldn't 4567 * get anywhere near this code.] 4568 * 4569 * An association id, which is a local handle to the SCTP association, 4570 * will be returned on successful establishment of the association. If 4571 * SCTP is not able to open an SCTP association with the peer endpoint, 4572 * an error is returned. 4573 * [In the kernel implementation, the struct sctp_association needs to 4574 * be created BEFORE causing this primitive to run.] 4575 * 4576 * Other association parameters may be returned, including the 4577 * complete destination transport addresses of the peer as well as the 4578 * outbound stream count of the local endpoint. One of the transport 4579 * address from the returned destination addresses will be selected by 4580 * the local endpoint as default primary path for sending SCTP packets 4581 * to this peer. The returned "destination transport addr list" can 4582 * be used by the ULP to change the default primary path or to force 4583 * sending a packet to a specific transport address. [All of this 4584 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4585 * function.] 4586 * 4587 * Mandatory attributes: 4588 * 4589 * o local SCTP instance name - obtained from the INITIALIZE operation. 4590 * [This is the argument asoc.] 4591 * o destination transport addr - specified as one of the transport 4592 * addresses of the peer endpoint with which the association is to be 4593 * established. 4594 * [This is asoc->peer.active_path.] 4595 * o outbound stream count - the number of outbound streams the ULP 4596 * would like to open towards this peer endpoint. 4597 * [BUG: This is not currently implemented.] 4598 * Optional attributes: 4599 * 4600 * None. 4601 * 4602 * The return value is a disposition. 4603 */ 4604 sctp_disposition_t sctp_sf_do_prm_asoc(struct net *net, 4605 const struct sctp_endpoint *ep, 4606 const struct sctp_association *asoc, 4607 const sctp_subtype_t type, 4608 void *arg, 4609 sctp_cmd_seq_t *commands) 4610 { 4611 struct sctp_chunk *repl; 4612 struct sctp_association *my_asoc; 4613 4614 /* The comment below says that we enter COOKIE-WAIT AFTER 4615 * sending the INIT, but that doesn't actually work in our 4616 * implementation... 4617 */ 4618 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4619 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4620 4621 /* RFC 2960 5.1 Normal Establishment of an Association 4622 * 4623 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4624 * must provide its Verification Tag (Tag_A) in the Initiate 4625 * Tag field. Tag_A SHOULD be a random number in the range of 4626 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4627 */ 4628 4629 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4630 if (!repl) 4631 goto nomem; 4632 4633 /* Choose transport for INIT. */ 4634 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4635 SCTP_CHUNK(repl)); 4636 4637 /* Cast away the const modifier, as we want to just 4638 * rerun it through as a sideffect. 4639 */ 4640 my_asoc = (struct sctp_association *)asoc; 4641 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4642 4643 /* After sending the INIT, "A" starts the T1-init timer and 4644 * enters the COOKIE-WAIT state. 4645 */ 4646 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4647 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4648 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4649 return SCTP_DISPOSITION_CONSUME; 4650 4651 nomem: 4652 return SCTP_DISPOSITION_NOMEM; 4653 } 4654 4655 /* 4656 * Process the SEND primitive. 4657 * 4658 * Section: 10.1 ULP-to-SCTP 4659 * E) Send 4660 * 4661 * Format: SEND(association id, buffer address, byte count [,context] 4662 * [,stream id] [,life time] [,destination transport address] 4663 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4664 * -> result 4665 * 4666 * This is the main method to send user data via SCTP. 4667 * 4668 * Mandatory attributes: 4669 * 4670 * o association id - local handle to the SCTP association 4671 * 4672 * o buffer address - the location where the user message to be 4673 * transmitted is stored; 4674 * 4675 * o byte count - The size of the user data in number of bytes; 4676 * 4677 * Optional attributes: 4678 * 4679 * o context - an optional 32 bit integer that will be carried in the 4680 * sending failure notification to the ULP if the transportation of 4681 * this User Message fails. 4682 * 4683 * o stream id - to indicate which stream to send the data on. If not 4684 * specified, stream 0 will be used. 4685 * 4686 * o life time - specifies the life time of the user data. The user data 4687 * will not be sent by SCTP after the life time expires. This 4688 * parameter can be used to avoid efforts to transmit stale 4689 * user messages. SCTP notifies the ULP if the data cannot be 4690 * initiated to transport (i.e. sent to the destination via SCTP's 4691 * send primitive) within the life time variable. However, the 4692 * user data will be transmitted if SCTP has attempted to transmit a 4693 * chunk before the life time expired. 4694 * 4695 * o destination transport address - specified as one of the destination 4696 * transport addresses of the peer endpoint to which this packet 4697 * should be sent. Whenever possible, SCTP should use this destination 4698 * transport address for sending the packets, instead of the current 4699 * primary path. 4700 * 4701 * o unorder flag - this flag, if present, indicates that the user 4702 * would like the data delivered in an unordered fashion to the peer 4703 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4704 * message). 4705 * 4706 * o no-bundle flag - instructs SCTP not to bundle this user data with 4707 * other outbound DATA chunks. SCTP MAY still bundle even when 4708 * this flag is present, when faced with network congestion. 4709 * 4710 * o payload protocol-id - A 32 bit unsigned integer that is to be 4711 * passed to the peer indicating the type of payload protocol data 4712 * being transmitted. This value is passed as opaque data by SCTP. 4713 * 4714 * The return value is the disposition. 4715 */ 4716 sctp_disposition_t sctp_sf_do_prm_send(struct net *net, 4717 const struct sctp_endpoint *ep, 4718 const struct sctp_association *asoc, 4719 const sctp_subtype_t type, 4720 void *arg, 4721 sctp_cmd_seq_t *commands) 4722 { 4723 struct sctp_datamsg *msg = arg; 4724 4725 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4726 return SCTP_DISPOSITION_CONSUME; 4727 } 4728 4729 /* 4730 * Process the SHUTDOWN primitive. 4731 * 4732 * Section: 10.1: 4733 * C) Shutdown 4734 * 4735 * Format: SHUTDOWN(association id) 4736 * -> result 4737 * 4738 * Gracefully closes an association. Any locally queued user data 4739 * will be delivered to the peer. The association will be terminated only 4740 * after the peer acknowledges all the SCTP packets sent. A success code 4741 * will be returned on successful termination of the association. If 4742 * attempting to terminate the association results in a failure, an error 4743 * code shall be returned. 4744 * 4745 * Mandatory attributes: 4746 * 4747 * o association id - local handle to the SCTP association 4748 * 4749 * Optional attributes: 4750 * 4751 * None. 4752 * 4753 * The return value is the disposition. 4754 */ 4755 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4756 struct net *net, 4757 const struct sctp_endpoint *ep, 4758 const struct sctp_association *asoc, 4759 const sctp_subtype_t type, 4760 void *arg, 4761 sctp_cmd_seq_t *commands) 4762 { 4763 int disposition; 4764 4765 /* From 9.2 Shutdown of an Association 4766 * Upon receipt of the SHUTDOWN primitive from its upper 4767 * layer, the endpoint enters SHUTDOWN-PENDING state and 4768 * remains there until all outstanding data has been 4769 * acknowledged by its peer. The endpoint accepts no new data 4770 * from its upper layer, but retransmits data to the far end 4771 * if necessary to fill gaps. 4772 */ 4773 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4774 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4775 4776 disposition = SCTP_DISPOSITION_CONSUME; 4777 if (sctp_outq_is_empty(&asoc->outqueue)) { 4778 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 4779 arg, commands); 4780 } 4781 return disposition; 4782 } 4783 4784 /* 4785 * Process the ABORT primitive. 4786 * 4787 * Section: 10.1: 4788 * C) Abort 4789 * 4790 * Format: Abort(association id [, cause code]) 4791 * -> result 4792 * 4793 * Ungracefully closes an association. Any locally queued user data 4794 * will be discarded and an ABORT chunk is sent to the peer. A success code 4795 * will be returned on successful abortion of the association. If 4796 * attempting to abort the association results in a failure, an error 4797 * code shall be returned. 4798 * 4799 * Mandatory attributes: 4800 * 4801 * o association id - local handle to the SCTP association 4802 * 4803 * Optional attributes: 4804 * 4805 * o cause code - reason of the abort to be passed to the peer 4806 * 4807 * None. 4808 * 4809 * The return value is the disposition. 4810 */ 4811 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4812 struct net *net, 4813 const struct sctp_endpoint *ep, 4814 const struct sctp_association *asoc, 4815 const sctp_subtype_t type, 4816 void *arg, 4817 sctp_cmd_seq_t *commands) 4818 { 4819 /* From 9.1 Abort of an Association 4820 * Upon receipt of the ABORT primitive from its upper 4821 * layer, the endpoint enters CLOSED state and 4822 * discard all outstanding data has been 4823 * acknowledged by its peer. The endpoint accepts no new data 4824 * from its upper layer, but retransmits data to the far end 4825 * if necessary to fill gaps. 4826 */ 4827 struct sctp_chunk *abort = arg; 4828 sctp_disposition_t retval; 4829 4830 retval = SCTP_DISPOSITION_CONSUME; 4831 4832 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4833 4834 /* Even if we can't send the ABORT due to low memory delete the 4835 * TCB. This is a departure from our typical NOMEM handling. 4836 */ 4837 4838 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4839 SCTP_ERROR(ECONNABORTED)); 4840 /* Delete the established association. */ 4841 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4842 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4843 4844 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4845 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4846 4847 return retval; 4848 } 4849 4850 /* We tried an illegal operation on an association which is closed. */ 4851 sctp_disposition_t sctp_sf_error_closed(struct net *net, 4852 const struct sctp_endpoint *ep, 4853 const struct sctp_association *asoc, 4854 const sctp_subtype_t type, 4855 void *arg, 4856 sctp_cmd_seq_t *commands) 4857 { 4858 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4859 return SCTP_DISPOSITION_CONSUME; 4860 } 4861 4862 /* We tried an illegal operation on an association which is shutting 4863 * down. 4864 */ 4865 sctp_disposition_t sctp_sf_error_shutdown(struct net *net, 4866 const struct sctp_endpoint *ep, 4867 const struct sctp_association *asoc, 4868 const sctp_subtype_t type, 4869 void *arg, 4870 sctp_cmd_seq_t *commands) 4871 { 4872 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4873 SCTP_ERROR(-ESHUTDOWN)); 4874 return SCTP_DISPOSITION_CONSUME; 4875 } 4876 4877 /* 4878 * sctp_cookie_wait_prm_shutdown 4879 * 4880 * Section: 4 Note: 2 4881 * Verification Tag: 4882 * Inputs 4883 * (endpoint, asoc) 4884 * 4885 * The RFC does not explicitly address this issue, but is the route through the 4886 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4887 * 4888 * Outputs 4889 * (timers) 4890 */ 4891 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4892 struct net *net, 4893 const struct sctp_endpoint *ep, 4894 const struct sctp_association *asoc, 4895 const sctp_subtype_t type, 4896 void *arg, 4897 sctp_cmd_seq_t *commands) 4898 { 4899 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4900 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4901 4902 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4903 SCTP_STATE(SCTP_STATE_CLOSED)); 4904 4905 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 4906 4907 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4908 4909 return SCTP_DISPOSITION_DELETE_TCB; 4910 } 4911 4912 /* 4913 * sctp_cookie_echoed_prm_shutdown 4914 * 4915 * Section: 4 Note: 2 4916 * Verification Tag: 4917 * Inputs 4918 * (endpoint, asoc) 4919 * 4920 * The RFC does not explcitly address this issue, but is the route through the 4921 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4922 * 4923 * Outputs 4924 * (timers) 4925 */ 4926 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4927 struct net *net, 4928 const struct sctp_endpoint *ep, 4929 const struct sctp_association *asoc, 4930 const sctp_subtype_t type, 4931 void *arg, sctp_cmd_seq_t *commands) 4932 { 4933 /* There is a single T1 timer, so we should be able to use 4934 * common function with the COOKIE-WAIT state. 4935 */ 4936 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 4937 } 4938 4939 /* 4940 * sctp_sf_cookie_wait_prm_abort 4941 * 4942 * Section: 4 Note: 2 4943 * Verification Tag: 4944 * Inputs 4945 * (endpoint, asoc) 4946 * 4947 * The RFC does not explicitly address this issue, but is the route through the 4948 * state table when someone issues an abort while in COOKIE_WAIT state. 4949 * 4950 * Outputs 4951 * (timers) 4952 */ 4953 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4954 struct net *net, 4955 const struct sctp_endpoint *ep, 4956 const struct sctp_association *asoc, 4957 const sctp_subtype_t type, 4958 void *arg, 4959 sctp_cmd_seq_t *commands) 4960 { 4961 struct sctp_chunk *abort = arg; 4962 sctp_disposition_t retval; 4963 4964 /* Stop T1-init timer */ 4965 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4966 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4967 retval = SCTP_DISPOSITION_CONSUME; 4968 4969 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4970 4971 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4972 SCTP_STATE(SCTP_STATE_CLOSED)); 4973 4974 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4975 4976 /* Even if we can't send the ABORT due to low memory delete the 4977 * TCB. This is a departure from our typical NOMEM handling. 4978 */ 4979 4980 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4981 SCTP_ERROR(ECONNREFUSED)); 4982 /* Delete the established association. */ 4983 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4984 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4985 4986 return retval; 4987 } 4988 4989 /* 4990 * sctp_sf_cookie_echoed_prm_abort 4991 * 4992 * Section: 4 Note: 3 4993 * Verification Tag: 4994 * Inputs 4995 * (endpoint, asoc) 4996 * 4997 * The RFC does not explcitly address this issue, but is the route through the 4998 * state table when someone issues an abort while in COOKIE_ECHOED state. 4999 * 5000 * Outputs 5001 * (timers) 5002 */ 5003 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 5004 struct net *net, 5005 const struct sctp_endpoint *ep, 5006 const struct sctp_association *asoc, 5007 const sctp_subtype_t type, 5008 void *arg, 5009 sctp_cmd_seq_t *commands) 5010 { 5011 /* There is a single T1 timer, so we should be able to use 5012 * common function with the COOKIE-WAIT state. 5013 */ 5014 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5015 } 5016 5017 /* 5018 * sctp_sf_shutdown_pending_prm_abort 5019 * 5020 * Inputs 5021 * (endpoint, asoc) 5022 * 5023 * The RFC does not explicitly address this issue, but is the route through the 5024 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5025 * 5026 * Outputs 5027 * (timers) 5028 */ 5029 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 5030 struct net *net, 5031 const struct sctp_endpoint *ep, 5032 const struct sctp_association *asoc, 5033 const sctp_subtype_t type, 5034 void *arg, 5035 sctp_cmd_seq_t *commands) 5036 { 5037 /* Stop the T5-shutdown guard timer. */ 5038 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5039 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5040 5041 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5042 } 5043 5044 /* 5045 * sctp_sf_shutdown_sent_prm_abort 5046 * 5047 * Inputs 5048 * (endpoint, asoc) 5049 * 5050 * The RFC does not explicitly address this issue, but is the route through the 5051 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5052 * 5053 * Outputs 5054 * (timers) 5055 */ 5056 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 5057 struct net *net, 5058 const struct sctp_endpoint *ep, 5059 const struct sctp_association *asoc, 5060 const sctp_subtype_t type, 5061 void *arg, 5062 sctp_cmd_seq_t *commands) 5063 { 5064 /* Stop the T2-shutdown timer. */ 5065 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5066 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5067 5068 /* Stop the T5-shutdown guard timer. */ 5069 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5070 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5071 5072 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5073 } 5074 5075 /* 5076 * sctp_sf_cookie_echoed_prm_abort 5077 * 5078 * Inputs 5079 * (endpoint, asoc) 5080 * 5081 * The RFC does not explcitly address this issue, but is the route through the 5082 * state table when someone issues an abort while in COOKIE_ECHOED state. 5083 * 5084 * Outputs 5085 * (timers) 5086 */ 5087 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 5088 struct net *net, 5089 const struct sctp_endpoint *ep, 5090 const struct sctp_association *asoc, 5091 const sctp_subtype_t type, 5092 void *arg, 5093 sctp_cmd_seq_t *commands) 5094 { 5095 /* The same T2 timer, so we should be able to use 5096 * common function with the SHUTDOWN-SENT state. 5097 */ 5098 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5099 } 5100 5101 /* 5102 * Process the REQUESTHEARTBEAT primitive 5103 * 5104 * 10.1 ULP-to-SCTP 5105 * J) Request Heartbeat 5106 * 5107 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5108 * 5109 * -> result 5110 * 5111 * Instructs the local endpoint to perform a HeartBeat on the specified 5112 * destination transport address of the given association. The returned 5113 * result should indicate whether the transmission of the HEARTBEAT 5114 * chunk to the destination address is successful. 5115 * 5116 * Mandatory attributes: 5117 * 5118 * o association id - local handle to the SCTP association 5119 * 5120 * o destination transport address - the transport address of the 5121 * association on which a heartbeat should be issued. 5122 */ 5123 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 5124 struct net *net, 5125 const struct sctp_endpoint *ep, 5126 const struct sctp_association *asoc, 5127 const sctp_subtype_t type, 5128 void *arg, 5129 sctp_cmd_seq_t *commands) 5130 { 5131 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5132 (struct sctp_transport *)arg, commands)) 5133 return SCTP_DISPOSITION_NOMEM; 5134 5135 /* 5136 * RFC 2960 (bis), section 8.3 5137 * 5138 * D) Request an on-demand HEARTBEAT on a specific destination 5139 * transport address of a given association. 5140 * 5141 * The endpoint should increment the respective error counter of 5142 * the destination transport address each time a HEARTBEAT is sent 5143 * to that address and not acknowledged within one RTO. 5144 * 5145 */ 5146 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5147 SCTP_TRANSPORT(arg)); 5148 return SCTP_DISPOSITION_CONSUME; 5149 } 5150 5151 /* 5152 * ADDIP Section 4.1 ASCONF Chunk Procedures 5153 * When an endpoint has an ASCONF signaled change to be sent to the 5154 * remote endpoint it should do A1 to A9 5155 */ 5156 sctp_disposition_t sctp_sf_do_prm_asconf(struct net *net, 5157 const struct sctp_endpoint *ep, 5158 const struct sctp_association *asoc, 5159 const sctp_subtype_t type, 5160 void *arg, 5161 sctp_cmd_seq_t *commands) 5162 { 5163 struct sctp_chunk *chunk = arg; 5164 5165 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5166 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5167 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5168 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5169 return SCTP_DISPOSITION_CONSUME; 5170 } 5171 5172 /* 5173 * Ignore the primitive event 5174 * 5175 * The return value is the disposition of the primitive. 5176 */ 5177 sctp_disposition_t sctp_sf_ignore_primitive( 5178 struct net *net, 5179 const struct sctp_endpoint *ep, 5180 const struct sctp_association *asoc, 5181 const sctp_subtype_t type, 5182 void *arg, 5183 sctp_cmd_seq_t *commands) 5184 { 5185 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5186 type.primitive); 5187 5188 return SCTP_DISPOSITION_DISCARD; 5189 } 5190 5191 /*************************************************************************** 5192 * These are the state functions for the OTHER events. 5193 ***************************************************************************/ 5194 5195 /* 5196 * When the SCTP stack has no more user data to send or retransmit, this 5197 * notification is given to the user. Also, at the time when a user app 5198 * subscribes to this event, if there is no data to be sent or 5199 * retransmit, the stack will immediately send up this notification. 5200 */ 5201 sctp_disposition_t sctp_sf_do_no_pending_tsn( 5202 struct net *net, 5203 const struct sctp_endpoint *ep, 5204 const struct sctp_association *asoc, 5205 const sctp_subtype_t type, 5206 void *arg, 5207 sctp_cmd_seq_t *commands) 5208 { 5209 struct sctp_ulpevent *event; 5210 5211 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5212 if (!event) 5213 return SCTP_DISPOSITION_NOMEM; 5214 5215 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5216 5217 return SCTP_DISPOSITION_CONSUME; 5218 } 5219 5220 /* 5221 * Start the shutdown negotiation. 5222 * 5223 * From Section 9.2: 5224 * Once all its outstanding data has been acknowledged, the endpoint 5225 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5226 * TSN Ack field the last sequential TSN it has received from the peer. 5227 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5228 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5229 * with the updated last sequential TSN received from its peer. 5230 * 5231 * The return value is the disposition. 5232 */ 5233 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 5234 struct net *net, 5235 const struct sctp_endpoint *ep, 5236 const struct sctp_association *asoc, 5237 const sctp_subtype_t type, 5238 void *arg, 5239 sctp_cmd_seq_t *commands) 5240 { 5241 struct sctp_chunk *reply; 5242 5243 /* Once all its outstanding data has been acknowledged, the 5244 * endpoint shall send a SHUTDOWN chunk to its peer including 5245 * in the Cumulative TSN Ack field the last sequential TSN it 5246 * has received from the peer. 5247 */ 5248 reply = sctp_make_shutdown(asoc, NULL); 5249 if (!reply) 5250 goto nomem; 5251 5252 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5253 * T2-shutdown timer. 5254 */ 5255 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5256 5257 /* It shall then start the T2-shutdown timer */ 5258 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5259 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5260 5261 /* RFC 4960 Section 9.2 5262 * The sender of the SHUTDOWN MAY also start an overall guard timer 5263 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5264 */ 5265 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5266 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5267 5268 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5269 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5270 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5271 5272 /* and enter the SHUTDOWN-SENT state. */ 5273 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5274 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5275 5276 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5277 * 5278 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5279 * or SHUTDOWN-ACK. 5280 */ 5281 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5282 5283 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5284 5285 return SCTP_DISPOSITION_CONSUME; 5286 5287 nomem: 5288 return SCTP_DISPOSITION_NOMEM; 5289 } 5290 5291 /* 5292 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5293 * 5294 * From Section 9.2: 5295 * 5296 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5297 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5298 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5299 * endpoint must re-send the SHUTDOWN ACK. 5300 * 5301 * The return value is the disposition. 5302 */ 5303 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5304 struct net *net, 5305 const struct sctp_endpoint *ep, 5306 const struct sctp_association *asoc, 5307 const sctp_subtype_t type, 5308 void *arg, 5309 sctp_cmd_seq_t *commands) 5310 { 5311 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5312 struct sctp_chunk *reply; 5313 5314 /* There are 2 ways of getting here: 5315 * 1) called in response to a SHUTDOWN chunk 5316 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5317 * 5318 * For the case (2), the arg parameter is set to NULL. We need 5319 * to check that we have a chunk before accessing it's fields. 5320 */ 5321 if (chunk) { 5322 if (!sctp_vtag_verify(chunk, asoc)) 5323 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 5324 5325 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5326 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5327 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 5328 commands); 5329 } 5330 5331 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5332 * shall send a SHUTDOWN ACK ... 5333 */ 5334 reply = sctp_make_shutdown_ack(asoc, chunk); 5335 if (!reply) 5336 goto nomem; 5337 5338 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5339 * the T2-shutdown timer. 5340 */ 5341 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5342 5343 /* and start/restart a T2-shutdown timer of its own, */ 5344 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5345 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5346 5347 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5348 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5349 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5350 5351 /* Enter the SHUTDOWN-ACK-SENT state. */ 5352 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5353 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5354 5355 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5356 * 5357 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5358 * or SHUTDOWN-ACK. 5359 */ 5360 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5361 5362 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5363 5364 return SCTP_DISPOSITION_CONSUME; 5365 5366 nomem: 5367 return SCTP_DISPOSITION_NOMEM; 5368 } 5369 5370 /* 5371 * Ignore the event defined as other 5372 * 5373 * The return value is the disposition of the event. 5374 */ 5375 sctp_disposition_t sctp_sf_ignore_other(struct net *net, 5376 const struct sctp_endpoint *ep, 5377 const struct sctp_association *asoc, 5378 const sctp_subtype_t type, 5379 void *arg, 5380 sctp_cmd_seq_t *commands) 5381 { 5382 pr_debug("%s: the event other type:%d is ignored\n", 5383 __func__, type.other); 5384 5385 return SCTP_DISPOSITION_DISCARD; 5386 } 5387 5388 /************************************************************ 5389 * These are the state functions for handling timeout events. 5390 ************************************************************/ 5391 5392 /* 5393 * RTX Timeout 5394 * 5395 * Section: 6.3.3 Handle T3-rtx Expiration 5396 * 5397 * Whenever the retransmission timer T3-rtx expires for a destination 5398 * address, do the following: 5399 * [See below] 5400 * 5401 * The return value is the disposition of the chunk. 5402 */ 5403 sctp_disposition_t sctp_sf_do_6_3_3_rtx(struct net *net, 5404 const struct sctp_endpoint *ep, 5405 const struct sctp_association *asoc, 5406 const sctp_subtype_t type, 5407 void *arg, 5408 sctp_cmd_seq_t *commands) 5409 { 5410 struct sctp_transport *transport = arg; 5411 5412 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5413 5414 if (asoc->overall_error_count >= asoc->max_retrans) { 5415 if (asoc->peer.zero_window_announced && 5416 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5417 /* 5418 * We are here likely because the receiver had its rwnd 5419 * closed for a while and we have not been able to 5420 * transmit the locally queued data within the maximum 5421 * retransmission attempts limit. Start the T5 5422 * shutdown guard timer to give the receiver one last 5423 * chance and some additional time to recover before 5424 * aborting. 5425 */ 5426 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5427 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5428 } else { 5429 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5430 SCTP_ERROR(ETIMEDOUT)); 5431 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5432 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5433 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5434 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5435 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5436 return SCTP_DISPOSITION_DELETE_TCB; 5437 } 5438 } 5439 5440 /* E1) For the destination address for which the timer 5441 * expires, adjust its ssthresh with rules defined in Section 5442 * 7.2.3 and set the cwnd <- MTU. 5443 */ 5444 5445 /* E2) For the destination address for which the timer 5446 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5447 * maximum value discussed in rule C7 above (RTO.max) may be 5448 * used to provide an upper bound to this doubling operation. 5449 */ 5450 5451 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5452 * outstanding DATA chunks for the address for which the 5453 * T3-rtx has expired will fit into a single packet, subject 5454 * to the MTU constraint for the path corresponding to the 5455 * destination transport address to which the retransmission 5456 * is being sent (this may be different from the address for 5457 * which the timer expires [see Section 6.4]). Call this 5458 * value K. Bundle and retransmit those K DATA chunks in a 5459 * single packet to the destination endpoint. 5460 * 5461 * Note: Any DATA chunks that were sent to the address for 5462 * which the T3-rtx timer expired but did not fit in one MTU 5463 * (rule E3 above), should be marked for retransmission and 5464 * sent as soon as cwnd allows (normally when a SACK arrives). 5465 */ 5466 5467 /* Do some failure management (Section 8.2). */ 5468 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5469 5470 /* NB: Rules E4 and F1 are implicit in R1. */ 5471 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5472 5473 return SCTP_DISPOSITION_CONSUME; 5474 } 5475 5476 /* 5477 * Generate delayed SACK on timeout 5478 * 5479 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5480 * 5481 * The guidelines on delayed acknowledgement algorithm specified in 5482 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5483 * acknowledgement SHOULD be generated for at least every second packet 5484 * (not every second DATA chunk) received, and SHOULD be generated 5485 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5486 * some situations it may be beneficial for an SCTP transmitter to be 5487 * more conservative than the algorithms detailed in this document 5488 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5489 * the following algorithms allow. 5490 */ 5491 sctp_disposition_t sctp_sf_do_6_2_sack(struct net *net, 5492 const struct sctp_endpoint *ep, 5493 const struct sctp_association *asoc, 5494 const sctp_subtype_t type, 5495 void *arg, 5496 sctp_cmd_seq_t *commands) 5497 { 5498 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5499 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5500 return SCTP_DISPOSITION_CONSUME; 5501 } 5502 5503 /* 5504 * sctp_sf_t1_init_timer_expire 5505 * 5506 * Section: 4 Note: 2 5507 * Verification Tag: 5508 * Inputs 5509 * (endpoint, asoc) 5510 * 5511 * RFC 2960 Section 4 Notes 5512 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5513 * and re-start the T1-init timer without changing state. This MUST 5514 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5515 * endpoint MUST abort the initialization process and report the 5516 * error to SCTP user. 5517 * 5518 * Outputs 5519 * (timers, events) 5520 * 5521 */ 5522 sctp_disposition_t sctp_sf_t1_init_timer_expire(struct net *net, 5523 const struct sctp_endpoint *ep, 5524 const struct sctp_association *asoc, 5525 const sctp_subtype_t type, 5526 void *arg, 5527 sctp_cmd_seq_t *commands) 5528 { 5529 struct sctp_chunk *repl = NULL; 5530 struct sctp_bind_addr *bp; 5531 int attempts = asoc->init_err_counter + 1; 5532 5533 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5534 5535 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5536 5537 if (attempts <= asoc->max_init_attempts) { 5538 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5539 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5540 if (!repl) 5541 return SCTP_DISPOSITION_NOMEM; 5542 5543 /* Choose transport for INIT. */ 5544 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5545 SCTP_CHUNK(repl)); 5546 5547 /* Issue a sideeffect to do the needed accounting. */ 5548 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5549 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5550 5551 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5552 } else { 5553 pr_debug("%s: giving up on INIT, attempts:%d " 5554 "max_init_attempts:%d\n", __func__, attempts, 5555 asoc->max_init_attempts); 5556 5557 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5558 SCTP_ERROR(ETIMEDOUT)); 5559 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5560 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5561 return SCTP_DISPOSITION_DELETE_TCB; 5562 } 5563 5564 return SCTP_DISPOSITION_CONSUME; 5565 } 5566 5567 /* 5568 * sctp_sf_t1_cookie_timer_expire 5569 * 5570 * Section: 4 Note: 2 5571 * Verification Tag: 5572 * Inputs 5573 * (endpoint, asoc) 5574 * 5575 * RFC 2960 Section 4 Notes 5576 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5577 * COOKIE ECHO and re-start the T1-cookie timer without changing 5578 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5579 * After that, the endpoint MUST abort the initialization process and 5580 * report the error to SCTP user. 5581 * 5582 * Outputs 5583 * (timers, events) 5584 * 5585 */ 5586 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(struct net *net, 5587 const struct sctp_endpoint *ep, 5588 const struct sctp_association *asoc, 5589 const sctp_subtype_t type, 5590 void *arg, 5591 sctp_cmd_seq_t *commands) 5592 { 5593 struct sctp_chunk *repl = NULL; 5594 int attempts = asoc->init_err_counter + 1; 5595 5596 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5597 5598 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5599 5600 if (attempts <= asoc->max_init_attempts) { 5601 repl = sctp_make_cookie_echo(asoc, NULL); 5602 if (!repl) 5603 return SCTP_DISPOSITION_NOMEM; 5604 5605 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5606 SCTP_CHUNK(repl)); 5607 /* Issue a sideeffect to do the needed accounting. */ 5608 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5609 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5610 5611 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5612 } else { 5613 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5614 SCTP_ERROR(ETIMEDOUT)); 5615 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5616 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5617 return SCTP_DISPOSITION_DELETE_TCB; 5618 } 5619 5620 return SCTP_DISPOSITION_CONSUME; 5621 } 5622 5623 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5624 * with the updated last sequential TSN received from its peer. 5625 * 5626 * An endpoint should limit the number of retransmissions of the 5627 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5628 * If this threshold is exceeded the endpoint should destroy the TCB and 5629 * MUST report the peer endpoint unreachable to the upper layer (and 5630 * thus the association enters the CLOSED state). The reception of any 5631 * packet from its peer (i.e. as the peer sends all of its queued DATA 5632 * chunks) should clear the endpoint's retransmission count and restart 5633 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5634 * all of its queued DATA chunks that have not yet been sent. 5635 */ 5636 sctp_disposition_t sctp_sf_t2_timer_expire(struct net *net, 5637 const struct sctp_endpoint *ep, 5638 const struct sctp_association *asoc, 5639 const sctp_subtype_t type, 5640 void *arg, 5641 sctp_cmd_seq_t *commands) 5642 { 5643 struct sctp_chunk *reply = NULL; 5644 5645 pr_debug("%s: timer T2 expired\n", __func__); 5646 5647 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5648 5649 ((struct sctp_association *)asoc)->shutdown_retries++; 5650 5651 if (asoc->overall_error_count >= asoc->max_retrans) { 5652 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5653 SCTP_ERROR(ETIMEDOUT)); 5654 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5655 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5656 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5657 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5658 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5659 return SCTP_DISPOSITION_DELETE_TCB; 5660 } 5661 5662 switch (asoc->state) { 5663 case SCTP_STATE_SHUTDOWN_SENT: 5664 reply = sctp_make_shutdown(asoc, NULL); 5665 break; 5666 5667 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5668 reply = sctp_make_shutdown_ack(asoc, NULL); 5669 break; 5670 5671 default: 5672 BUG(); 5673 break; 5674 } 5675 5676 if (!reply) 5677 goto nomem; 5678 5679 /* Do some failure management (Section 8.2). 5680 * If we remove the transport an SHUTDOWN was last sent to, don't 5681 * do failure management. 5682 */ 5683 if (asoc->shutdown_last_sent_to) 5684 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5685 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5686 5687 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5688 * the T2-shutdown timer. 5689 */ 5690 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5691 5692 /* Restart the T2-shutdown timer. */ 5693 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5694 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5695 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5696 return SCTP_DISPOSITION_CONSUME; 5697 5698 nomem: 5699 return SCTP_DISPOSITION_NOMEM; 5700 } 5701 5702 /* 5703 * ADDIP Section 4.1 ASCONF CHunk Procedures 5704 * If the T4 RTO timer expires the endpoint should do B1 to B5 5705 */ 5706 sctp_disposition_t sctp_sf_t4_timer_expire( 5707 struct net *net, 5708 const struct sctp_endpoint *ep, 5709 const struct sctp_association *asoc, 5710 const sctp_subtype_t type, 5711 void *arg, 5712 sctp_cmd_seq_t *commands) 5713 { 5714 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5715 struct sctp_transport *transport = chunk->transport; 5716 5717 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 5718 5719 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5720 * detection on the appropriate destination address as defined in 5721 * RFC2960 [5] section 8.1 and 8.2. 5722 */ 5723 if (transport) 5724 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5725 SCTP_TRANSPORT(transport)); 5726 5727 /* Reconfig T4 timer and transport. */ 5728 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5729 5730 /* ADDIP 4.1 B2) Increment the association error counters and perform 5731 * endpoint failure detection on the association as defined in 5732 * RFC2960 [5] section 8.1 and 8.2. 5733 * association error counter is incremented in SCTP_CMD_STRIKE. 5734 */ 5735 if (asoc->overall_error_count >= asoc->max_retrans) { 5736 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5737 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5738 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5739 SCTP_ERROR(ETIMEDOUT)); 5740 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5741 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5742 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5743 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5744 return SCTP_DISPOSITION_ABORT; 5745 } 5746 5747 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5748 * the ASCONF chunk was sent by doubling the RTO timer value. 5749 * This is done in SCTP_CMD_STRIKE. 5750 */ 5751 5752 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5753 * choose an alternate destination address (please refer to RFC2960 5754 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5755 * chunk, it MUST be the same (including its serial number) as the last 5756 * ASCONF sent. 5757 */ 5758 sctp_chunk_hold(asoc->addip_last_asconf); 5759 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5760 SCTP_CHUNK(asoc->addip_last_asconf)); 5761 5762 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5763 * destination is selected, then the RTO used will be that of the new 5764 * destination address. 5765 */ 5766 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5767 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5768 5769 return SCTP_DISPOSITION_CONSUME; 5770 } 5771 5772 /* sctpimpguide-05 Section 2.12.2 5773 * The sender of the SHUTDOWN MAY also start an overall guard timer 5774 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5775 * At the expiration of this timer the sender SHOULD abort the association 5776 * by sending an ABORT chunk. 5777 */ 5778 sctp_disposition_t sctp_sf_t5_timer_expire(struct net *net, 5779 const struct sctp_endpoint *ep, 5780 const struct sctp_association *asoc, 5781 const sctp_subtype_t type, 5782 void *arg, 5783 sctp_cmd_seq_t *commands) 5784 { 5785 struct sctp_chunk *reply = NULL; 5786 5787 pr_debug("%s: timer T5 expired\n", __func__); 5788 5789 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5790 5791 reply = sctp_make_abort(asoc, NULL, 0); 5792 if (!reply) 5793 goto nomem; 5794 5795 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5796 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5797 SCTP_ERROR(ETIMEDOUT)); 5798 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5799 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5800 5801 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5802 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5803 5804 return SCTP_DISPOSITION_DELETE_TCB; 5805 nomem: 5806 return SCTP_DISPOSITION_NOMEM; 5807 } 5808 5809 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5810 * the association is automatically closed by starting the shutdown process. 5811 * The work that needs to be done is same as when SHUTDOWN is initiated by 5812 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5813 */ 5814 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5815 struct net *net, 5816 const struct sctp_endpoint *ep, 5817 const struct sctp_association *asoc, 5818 const sctp_subtype_t type, 5819 void *arg, 5820 sctp_cmd_seq_t *commands) 5821 { 5822 int disposition; 5823 5824 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 5825 5826 /* From 9.2 Shutdown of an Association 5827 * Upon receipt of the SHUTDOWN primitive from its upper 5828 * layer, the endpoint enters SHUTDOWN-PENDING state and 5829 * remains there until all outstanding data has been 5830 * acknowledged by its peer. The endpoint accepts no new data 5831 * from its upper layer, but retransmits data to the far end 5832 * if necessary to fill gaps. 5833 */ 5834 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5835 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5836 5837 disposition = SCTP_DISPOSITION_CONSUME; 5838 if (sctp_outq_is_empty(&asoc->outqueue)) { 5839 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 5840 arg, commands); 5841 } 5842 return disposition; 5843 } 5844 5845 /***************************************************************************** 5846 * These are sa state functions which could apply to all types of events. 5847 ****************************************************************************/ 5848 5849 /* 5850 * This table entry is not implemented. 5851 * 5852 * Inputs 5853 * (endpoint, asoc, chunk) 5854 * 5855 * The return value is the disposition of the chunk. 5856 */ 5857 sctp_disposition_t sctp_sf_not_impl(struct net *net, 5858 const struct sctp_endpoint *ep, 5859 const struct sctp_association *asoc, 5860 const sctp_subtype_t type, 5861 void *arg, 5862 sctp_cmd_seq_t *commands) 5863 { 5864 return SCTP_DISPOSITION_NOT_IMPL; 5865 } 5866 5867 /* 5868 * This table entry represents a bug. 5869 * 5870 * Inputs 5871 * (endpoint, asoc, chunk) 5872 * 5873 * The return value is the disposition of the chunk. 5874 */ 5875 sctp_disposition_t sctp_sf_bug(struct net *net, 5876 const struct sctp_endpoint *ep, 5877 const struct sctp_association *asoc, 5878 const sctp_subtype_t type, 5879 void *arg, 5880 sctp_cmd_seq_t *commands) 5881 { 5882 return SCTP_DISPOSITION_BUG; 5883 } 5884 5885 /* 5886 * This table entry represents the firing of a timer in the wrong state. 5887 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5888 * when the association is in the wrong state. This event should 5889 * be ignored, so as to prevent any rearming of the timer. 5890 * 5891 * Inputs 5892 * (endpoint, asoc, chunk) 5893 * 5894 * The return value is the disposition of the chunk. 5895 */ 5896 sctp_disposition_t sctp_sf_timer_ignore(struct net *net, 5897 const struct sctp_endpoint *ep, 5898 const struct sctp_association *asoc, 5899 const sctp_subtype_t type, 5900 void *arg, 5901 sctp_cmd_seq_t *commands) 5902 { 5903 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 5904 5905 return SCTP_DISPOSITION_CONSUME; 5906 } 5907 5908 /******************************************************************** 5909 * 2nd Level Abstractions 5910 ********************************************************************/ 5911 5912 /* Pull the SACK chunk based on the SACK header. */ 5913 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5914 { 5915 struct sctp_sackhdr *sack; 5916 unsigned int len; 5917 __u16 num_blocks; 5918 __u16 num_dup_tsns; 5919 5920 /* Protect ourselves from reading too far into 5921 * the skb from a bogus sender. 5922 */ 5923 sack = (struct sctp_sackhdr *) chunk->skb->data; 5924 5925 num_blocks = ntohs(sack->num_gap_ack_blocks); 5926 num_dup_tsns = ntohs(sack->num_dup_tsns); 5927 len = sizeof(struct sctp_sackhdr); 5928 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5929 if (len > chunk->skb->len) 5930 return NULL; 5931 5932 skb_pull(chunk->skb, len); 5933 5934 return sack; 5935 } 5936 5937 /* Create an ABORT packet to be sent as a response, with the specified 5938 * error causes. 5939 */ 5940 static struct sctp_packet *sctp_abort_pkt_new(struct net *net, 5941 const struct sctp_endpoint *ep, 5942 const struct sctp_association *asoc, 5943 struct sctp_chunk *chunk, 5944 const void *payload, 5945 size_t paylen) 5946 { 5947 struct sctp_packet *packet; 5948 struct sctp_chunk *abort; 5949 5950 packet = sctp_ootb_pkt_new(net, asoc, chunk); 5951 5952 if (packet) { 5953 /* Make an ABORT. 5954 * The T bit will be set if the asoc is NULL. 5955 */ 5956 abort = sctp_make_abort(asoc, chunk, paylen); 5957 if (!abort) { 5958 sctp_ootb_pkt_free(packet); 5959 return NULL; 5960 } 5961 5962 /* Reflect vtag if T-Bit is set */ 5963 if (sctp_test_T_bit(abort)) 5964 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5965 5966 /* Add specified error causes, i.e., payload, to the 5967 * end of the chunk. 5968 */ 5969 sctp_addto_chunk(abort, paylen, payload); 5970 5971 /* Set the skb to the belonging sock for accounting. */ 5972 abort->skb->sk = ep->base.sk; 5973 5974 sctp_packet_append_chunk(packet, abort); 5975 5976 } 5977 5978 return packet; 5979 } 5980 5981 /* Allocate a packet for responding in the OOTB conditions. */ 5982 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net, 5983 const struct sctp_association *asoc, 5984 const struct sctp_chunk *chunk) 5985 { 5986 struct sctp_packet *packet; 5987 struct sctp_transport *transport; 5988 __u16 sport; 5989 __u16 dport; 5990 __u32 vtag; 5991 5992 /* Get the source and destination port from the inbound packet. */ 5993 sport = ntohs(chunk->sctp_hdr->dest); 5994 dport = ntohs(chunk->sctp_hdr->source); 5995 5996 /* The V-tag is going to be the same as the inbound packet if no 5997 * association exists, otherwise, use the peer's vtag. 5998 */ 5999 if (asoc) { 6000 /* Special case the INIT-ACK as there is no peer's vtag 6001 * yet. 6002 */ 6003 switch (chunk->chunk_hdr->type) { 6004 case SCTP_CID_INIT_ACK: 6005 { 6006 sctp_initack_chunk_t *initack; 6007 6008 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 6009 vtag = ntohl(initack->init_hdr.init_tag); 6010 break; 6011 } 6012 default: 6013 vtag = asoc->peer.i.init_tag; 6014 break; 6015 } 6016 } else { 6017 /* Special case the INIT and stale COOKIE_ECHO as there is no 6018 * vtag yet. 6019 */ 6020 switch (chunk->chunk_hdr->type) { 6021 case SCTP_CID_INIT: 6022 { 6023 sctp_init_chunk_t *init; 6024 6025 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 6026 vtag = ntohl(init->init_hdr.init_tag); 6027 break; 6028 } 6029 default: 6030 vtag = ntohl(chunk->sctp_hdr->vtag); 6031 break; 6032 } 6033 } 6034 6035 /* Make a transport for the bucket, Eliza... */ 6036 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6037 if (!transport) 6038 goto nomem; 6039 6040 /* Cache a route for the transport with the chunk's destination as 6041 * the source address. 6042 */ 6043 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6044 sctp_sk(net->sctp.ctl_sock)); 6045 6046 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 6047 packet = sctp_packet_config(packet, vtag, 0); 6048 6049 return packet; 6050 6051 nomem: 6052 return NULL; 6053 } 6054 6055 /* Free the packet allocated earlier for responding in the OOTB condition. */ 6056 void sctp_ootb_pkt_free(struct sctp_packet *packet) 6057 { 6058 sctp_transport_free(packet->transport); 6059 } 6060 6061 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6062 static void sctp_send_stale_cookie_err(struct net *net, 6063 const struct sctp_endpoint *ep, 6064 const struct sctp_association *asoc, 6065 const struct sctp_chunk *chunk, 6066 sctp_cmd_seq_t *commands, 6067 struct sctp_chunk *err_chunk) 6068 { 6069 struct sctp_packet *packet; 6070 6071 if (err_chunk) { 6072 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6073 if (packet) { 6074 struct sctp_signed_cookie *cookie; 6075 6076 /* Override the OOTB vtag from the cookie. */ 6077 cookie = chunk->subh.cookie_hdr; 6078 packet->vtag = cookie->c.peer_vtag; 6079 6080 /* Set the skb to the belonging sock for accounting. */ 6081 err_chunk->skb->sk = ep->base.sk; 6082 sctp_packet_append_chunk(packet, err_chunk); 6083 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6084 SCTP_PACKET(packet)); 6085 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6086 } else 6087 sctp_chunk_free (err_chunk); 6088 } 6089 } 6090 6091 6092 /* Process a data chunk */ 6093 static int sctp_eat_data(const struct sctp_association *asoc, 6094 struct sctp_chunk *chunk, 6095 sctp_cmd_seq_t *commands) 6096 { 6097 sctp_datahdr_t *data_hdr; 6098 struct sctp_chunk *err; 6099 size_t datalen; 6100 sctp_verb_t deliver; 6101 int tmp; 6102 __u32 tsn; 6103 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6104 struct sock *sk = asoc->base.sk; 6105 struct net *net = sock_net(sk); 6106 u16 ssn; 6107 u16 sid; 6108 u8 ordered = 0; 6109 6110 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 6111 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 6112 6113 tsn = ntohl(data_hdr->tsn); 6114 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6115 6116 /* ASSERT: Now skb->data is really the user data. */ 6117 6118 /* Process ECN based congestion. 6119 * 6120 * Since the chunk structure is reused for all chunks within 6121 * a packet, we use ecn_ce_done to track if we've already 6122 * done CE processing for this packet. 6123 * 6124 * We need to do ECN processing even if we plan to discard the 6125 * chunk later. 6126 */ 6127 6128 if (!chunk->ecn_ce_done) { 6129 struct sctp_af *af; 6130 chunk->ecn_ce_done = 1; 6131 6132 af = sctp_get_af_specific( 6133 ipver2af(ip_hdr(chunk->skb)->version)); 6134 6135 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 6136 /* Do real work as sideffect. */ 6137 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6138 SCTP_U32(tsn)); 6139 } 6140 } 6141 6142 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6143 if (tmp < 0) { 6144 /* The TSN is too high--silently discard the chunk and 6145 * count on it getting retransmitted later. 6146 */ 6147 if (chunk->asoc) 6148 chunk->asoc->stats.outofseqtsns++; 6149 return SCTP_IERROR_HIGH_TSN; 6150 } else if (tmp > 0) { 6151 /* This is a duplicate. Record it. */ 6152 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6153 return SCTP_IERROR_DUP_TSN; 6154 } 6155 6156 /* This is a new TSN. */ 6157 6158 /* Discard if there is no room in the receive window. 6159 * Actually, allow a little bit of overflow (up to a MTU). 6160 */ 6161 datalen = ntohs(chunk->chunk_hdr->length); 6162 datalen -= sizeof(sctp_data_chunk_t); 6163 6164 deliver = SCTP_CMD_CHUNK_ULP; 6165 6166 /* Think about partial delivery. */ 6167 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6168 6169 /* Even if we don't accept this chunk there is 6170 * memory pressure. 6171 */ 6172 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6173 } 6174 6175 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6176 * seems a bit troublesome in that frag_point varies based on 6177 * PMTU. In cases, such as loopback, this might be a rather 6178 * large spill over. 6179 */ 6180 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6181 (datalen > asoc->rwnd + asoc->frag_point))) { 6182 6183 /* If this is the next TSN, consider reneging to make 6184 * room. Note: Playing nice with a confused sender. A 6185 * malicious sender can still eat up all our buffer 6186 * space and in the future we may want to detect and 6187 * do more drastic reneging. 6188 */ 6189 if (sctp_tsnmap_has_gap(map) && 6190 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6191 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6192 deliver = SCTP_CMD_RENEGE; 6193 } else { 6194 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6195 __func__, tsn, datalen, asoc->rwnd); 6196 6197 return SCTP_IERROR_IGNORE_TSN; 6198 } 6199 } 6200 6201 /* 6202 * Also try to renege to limit our memory usage in the event that 6203 * we are under memory pressure 6204 * If we can't renege, don't worry about it, the sk_rmem_schedule 6205 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6206 * memory usage too much 6207 */ 6208 if (*sk->sk_prot_creator->memory_pressure) { 6209 if (sctp_tsnmap_has_gap(map) && 6210 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6211 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6212 __func__, tsn); 6213 deliver = SCTP_CMD_RENEGE; 6214 } 6215 } 6216 6217 /* 6218 * Section 3.3.10.9 No User Data (9) 6219 * 6220 * Cause of error 6221 * --------------- 6222 * No User Data: This error cause is returned to the originator of a 6223 * DATA chunk if a received DATA chunk has no user data. 6224 */ 6225 if (unlikely(0 == datalen)) { 6226 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6227 if (err) { 6228 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6229 SCTP_CHUNK(err)); 6230 } 6231 /* We are going to ABORT, so we might as well stop 6232 * processing the rest of the chunks in the packet. 6233 */ 6234 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6235 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6236 SCTP_ERROR(ECONNABORTED)); 6237 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6238 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6239 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6240 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6241 return SCTP_IERROR_NO_DATA; 6242 } 6243 6244 chunk->data_accepted = 1; 6245 6246 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6247 * if we renege and the chunk arrives again. 6248 */ 6249 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6250 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6251 if (chunk->asoc) 6252 chunk->asoc->stats.iuodchunks++; 6253 } else { 6254 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6255 if (chunk->asoc) 6256 chunk->asoc->stats.iodchunks++; 6257 ordered = 1; 6258 } 6259 6260 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6261 * 6262 * If an endpoint receive a DATA chunk with an invalid stream 6263 * identifier, it shall acknowledge the reception of the DATA chunk 6264 * following the normal procedure, immediately send an ERROR chunk 6265 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6266 * and discard the DATA chunk. 6267 */ 6268 sid = ntohs(data_hdr->stream); 6269 if (sid >= asoc->c.sinit_max_instreams) { 6270 /* Mark tsn as received even though we drop it */ 6271 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6272 6273 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6274 &data_hdr->stream, 6275 sizeof(data_hdr->stream), 6276 sizeof(u16)); 6277 if (err) 6278 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6279 SCTP_CHUNK(err)); 6280 return SCTP_IERROR_BAD_STREAM; 6281 } 6282 6283 /* Check to see if the SSN is possible for this TSN. 6284 * The biggest gap we can record is 4K wide. Since SSNs wrap 6285 * at an unsigned short, there is no way that an SSN can 6286 * wrap and for a valid TSN. We can simply check if the current 6287 * SSN is smaller then the next expected one. If it is, it wrapped 6288 * and is invalid. 6289 */ 6290 ssn = ntohs(data_hdr->ssn); 6291 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) { 6292 return SCTP_IERROR_PROTO_VIOLATION; 6293 } 6294 6295 /* Send the data up to the user. Note: Schedule the 6296 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6297 * chunk needs the updated rwnd. 6298 */ 6299 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6300 6301 return SCTP_IERROR_NO_ERROR; 6302 } 6303