xref: /openbmc/linux/net/sctp/sm_statefuns.c (revision 0f4630f3)
1 /* SCTP kernel implementation
2  * (C) Copyright IBM Corp. 2001, 2004
3  * Copyright (c) 1999-2000 Cisco, Inc.
4  * Copyright (c) 1999-2001 Motorola, Inc.
5  * Copyright (c) 2001-2002 Intel Corp.
6  * Copyright (c) 2002      Nokia Corp.
7  *
8  * This is part of the SCTP Linux Kernel Implementation.
9  *
10  * These are the state functions for the state machine.
11  *
12  * This SCTP implementation is free software;
13  * you can redistribute it and/or modify it under the terms of
14  * the GNU General Public License as published by
15  * the Free Software Foundation; either version 2, or (at your option)
16  * any later version.
17  *
18  * This SCTP implementation is distributed in the hope that it
19  * will be useful, but WITHOUT ANY WARRANTY; without even the implied
20  *                 ************************
21  * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
22  * See the GNU General Public License for more details.
23  *
24  * You should have received a copy of the GNU General Public License
25  * along with GNU CC; see the file COPYING.  If not, see
26  * <http://www.gnu.org/licenses/>.
27  *
28  * Please send any bug reports or fixes you make to the
29  * email address(es):
30  *    lksctp developers <linux-sctp@vger.kernel.org>
31  *
32  * Written or modified by:
33  *    La Monte H.P. Yarroll <piggy@acm.org>
34  *    Karl Knutson          <karl@athena.chicago.il.us>
35  *    Mathew Kotowsky       <kotowsky@sctp.org>
36  *    Sridhar Samudrala     <samudrala@us.ibm.com>
37  *    Jon Grimm             <jgrimm@us.ibm.com>
38  *    Hui Huang 	    <hui.huang@nokia.com>
39  *    Dajiang Zhang 	    <dajiang.zhang@nokia.com>
40  *    Daisy Chang	    <daisyc@us.ibm.com>
41  *    Ardelle Fan	    <ardelle.fan@intel.com>
42  *    Ryan Layer	    <rmlayer@us.ibm.com>
43  *    Kevin Gao		    <kevin.gao@intel.com>
44  */
45 
46 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
47 
48 #include <linux/types.h>
49 #include <linux/kernel.h>
50 #include <linux/ip.h>
51 #include <linux/ipv6.h>
52 #include <linux/net.h>
53 #include <linux/inet.h>
54 #include <linux/slab.h>
55 #include <net/sock.h>
56 #include <net/inet_ecn.h>
57 #include <linux/skbuff.h>
58 #include <net/sctp/sctp.h>
59 #include <net/sctp/sm.h>
60 #include <net/sctp/structs.h>
61 
62 static struct sctp_packet *sctp_abort_pkt_new(struct net *net,
63 				  const struct sctp_endpoint *ep,
64 				  const struct sctp_association *asoc,
65 				  struct sctp_chunk *chunk,
66 				  const void *payload,
67 				  size_t paylen);
68 static int sctp_eat_data(const struct sctp_association *asoc,
69 			 struct sctp_chunk *chunk,
70 			 sctp_cmd_seq_t *commands);
71 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
72 					     const struct sctp_association *asoc,
73 					     const struct sctp_chunk *chunk);
74 static void sctp_send_stale_cookie_err(struct net *net,
75 				       const struct sctp_endpoint *ep,
76 				       const struct sctp_association *asoc,
77 				       const struct sctp_chunk *chunk,
78 				       sctp_cmd_seq_t *commands,
79 				       struct sctp_chunk *err_chunk);
80 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
81 						 const struct sctp_endpoint *ep,
82 						 const struct sctp_association *asoc,
83 						 const sctp_subtype_t type,
84 						 void *arg,
85 						 sctp_cmd_seq_t *commands);
86 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
87 					     const struct sctp_endpoint *ep,
88 					     const struct sctp_association *asoc,
89 					     const sctp_subtype_t type,
90 					     void *arg,
91 					     sctp_cmd_seq_t *commands);
92 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
93 					const struct sctp_endpoint *ep,
94 					const struct sctp_association *asoc,
95 					const sctp_subtype_t type,
96 					void *arg,
97 					sctp_cmd_seq_t *commands);
98 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
99 
100 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
101 					   sctp_cmd_seq_t *commands,
102 					   __be16 error, int sk_err,
103 					   const struct sctp_association *asoc,
104 					   struct sctp_transport *transport);
105 
106 static sctp_disposition_t sctp_sf_abort_violation(
107 				     struct net *net,
108 				     const struct sctp_endpoint *ep,
109 				     const struct sctp_association *asoc,
110 				     void *arg,
111 				     sctp_cmd_seq_t *commands,
112 				     const __u8 *payload,
113 				     const size_t paylen);
114 
115 static sctp_disposition_t sctp_sf_violation_chunklen(
116 				     struct net *net,
117 				     const struct sctp_endpoint *ep,
118 				     const struct sctp_association *asoc,
119 				     const sctp_subtype_t type,
120 				     void *arg,
121 				     sctp_cmd_seq_t *commands);
122 
123 static sctp_disposition_t sctp_sf_violation_paramlen(
124 				     struct net *net,
125 				     const struct sctp_endpoint *ep,
126 				     const struct sctp_association *asoc,
127 				     const sctp_subtype_t type,
128 				     void *arg, void *ext,
129 				     sctp_cmd_seq_t *commands);
130 
131 static sctp_disposition_t sctp_sf_violation_ctsn(
132 				     struct net *net,
133 				     const struct sctp_endpoint *ep,
134 				     const struct sctp_association *asoc,
135 				     const sctp_subtype_t type,
136 				     void *arg,
137 				     sctp_cmd_seq_t *commands);
138 
139 static sctp_disposition_t sctp_sf_violation_chunk(
140 				     struct net *net,
141 				     const struct sctp_endpoint *ep,
142 				     const struct sctp_association *asoc,
143 				     const sctp_subtype_t type,
144 				     void *arg,
145 				     sctp_cmd_seq_t *commands);
146 
147 static sctp_ierror_t sctp_sf_authenticate(struct net *net,
148 				    const struct sctp_endpoint *ep,
149 				    const struct sctp_association *asoc,
150 				    const sctp_subtype_t type,
151 				    struct sctp_chunk *chunk);
152 
153 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
154 					const struct sctp_endpoint *ep,
155 					const struct sctp_association *asoc,
156 					const sctp_subtype_t type,
157 					void *arg,
158 					sctp_cmd_seq_t *commands);
159 
160 /* Small helper function that checks if the chunk length
161  * is of the appropriate length.  The 'required_length' argument
162  * is set to be the size of a specific chunk we are testing.
163  * Return Values:  1 = Valid length
164  * 		   0 = Invalid length
165  *
166  */
167 static inline int
168 sctp_chunk_length_valid(struct sctp_chunk *chunk,
169 			   __u16 required_length)
170 {
171 	__u16 chunk_length = ntohs(chunk->chunk_hdr->length);
172 
173 	/* Previously already marked? */
174 	if (unlikely(chunk->pdiscard))
175 		return 0;
176 	if (unlikely(chunk_length < required_length))
177 		return 0;
178 
179 	return 1;
180 }
181 
182 /**********************************************************
183  * These are the state functions for handling chunk events.
184  **********************************************************/
185 
186 /*
187  * Process the final SHUTDOWN COMPLETE.
188  *
189  * Section: 4 (C) (diagram), 9.2
190  * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
191  * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
192  * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
193  * should stop the T2-shutdown timer and remove all knowledge of the
194  * association (and thus the association enters the CLOSED state).
195  *
196  * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
197  * C) Rules for packet carrying SHUTDOWN COMPLETE:
198  * ...
199  * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
200  *   if the Verification Tag field of the packet matches its own tag and
201  *   the T bit is not set
202  *   OR
203  *   it is set to its peer's tag and the T bit is set in the Chunk
204  *   Flags.
205  *   Otherwise, the receiver MUST silently discard the packet
206  *   and take no further action.  An endpoint MUST ignore the
207  *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
208  *
209  * Inputs
210  * (endpoint, asoc, chunk)
211  *
212  * Outputs
213  * (asoc, reply_msg, msg_up, timers, counters)
214  *
215  * The return value is the disposition of the chunk.
216  */
217 sctp_disposition_t sctp_sf_do_4_C(struct net *net,
218 				  const struct sctp_endpoint *ep,
219 				  const struct sctp_association *asoc,
220 				  const sctp_subtype_t type,
221 				  void *arg,
222 				  sctp_cmd_seq_t *commands)
223 {
224 	struct sctp_chunk *chunk = arg;
225 	struct sctp_ulpevent *ev;
226 
227 	if (!sctp_vtag_verify_either(chunk, asoc))
228 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
229 
230 	/* RFC 2960 6.10 Bundling
231 	 *
232 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
233 	 * SHUTDOWN COMPLETE with any other chunks.
234 	 */
235 	if (!chunk->singleton)
236 		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
237 
238 	/* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
239 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
240 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
241 						  commands);
242 
243 	/* RFC 2960 10.2 SCTP-to-ULP
244 	 *
245 	 * H) SHUTDOWN COMPLETE notification
246 	 *
247 	 * When SCTP completes the shutdown procedures (section 9.2) this
248 	 * notification is passed to the upper layer.
249 	 */
250 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
251 					     0, 0, 0, NULL, GFP_ATOMIC);
252 	if (ev)
253 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
254 				SCTP_ULPEVENT(ev));
255 
256 	/* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
257 	 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
258 	 * not the chunk should be discarded. If the endpoint is in
259 	 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
260 	 * T2-shutdown timer and remove all knowledge of the
261 	 * association (and thus the association enters the CLOSED
262 	 * state).
263 	 */
264 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
265 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
266 
267 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
268 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
269 
270 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
271 			SCTP_STATE(SCTP_STATE_CLOSED));
272 
273 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
274 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
275 
276 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
277 
278 	return SCTP_DISPOSITION_DELETE_TCB;
279 }
280 
281 /*
282  * Respond to a normal INIT chunk.
283  * We are the side that is being asked for an association.
284  *
285  * Section: 5.1 Normal Establishment of an Association, B
286  * B) "Z" shall respond immediately with an INIT ACK chunk.  The
287  *    destination IP address of the INIT ACK MUST be set to the source
288  *    IP address of the INIT to which this INIT ACK is responding.  In
289  *    the response, besides filling in other parameters, "Z" must set the
290  *    Verification Tag field to Tag_A, and also provide its own
291  *    Verification Tag (Tag_Z) in the Initiate Tag field.
292  *
293  * Verification Tag: Must be 0.
294  *
295  * Inputs
296  * (endpoint, asoc, chunk)
297  *
298  * Outputs
299  * (asoc, reply_msg, msg_up, timers, counters)
300  *
301  * The return value is the disposition of the chunk.
302  */
303 sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
304 					const struct sctp_endpoint *ep,
305 					const struct sctp_association *asoc,
306 					const sctp_subtype_t type,
307 					void *arg,
308 					sctp_cmd_seq_t *commands)
309 {
310 	struct sctp_chunk *chunk = arg;
311 	struct sctp_chunk *repl;
312 	struct sctp_association *new_asoc;
313 	struct sctp_chunk *err_chunk;
314 	struct sctp_packet *packet;
315 	sctp_unrecognized_param_t *unk_param;
316 	int len;
317 
318 	/* 6.10 Bundling
319 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
320 	 * SHUTDOWN COMPLETE with any other chunks.
321 	 *
322 	 * IG Section 2.11.2
323 	 * Furthermore, we require that the receiver of an INIT chunk MUST
324 	 * enforce these rules by silently discarding an arriving packet
325 	 * with an INIT chunk that is bundled with other chunks.
326 	 */
327 	if (!chunk->singleton)
328 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
329 
330 	/* If the packet is an OOTB packet which is temporarily on the
331 	 * control endpoint, respond with an ABORT.
332 	 */
333 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
334 		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
335 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
336 	}
337 
338 	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
339 	 * Tag.
340 	 */
341 	if (chunk->sctp_hdr->vtag != 0)
342 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
343 
344 	/* Make sure that the INIT chunk has a valid length.
345 	 * Normally, this would cause an ABORT with a Protocol Violation
346 	 * error, but since we don't have an association, we'll
347 	 * just discard the packet.
348 	 */
349 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
350 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
351 
352 	/* If the INIT is coming toward a closing socket, we'll send back
353 	 * and ABORT.  Essentially, this catches the race of INIT being
354 	 * backloged to the socket at the same time as the user isses close().
355 	 * Since the socket and all its associations are going away, we
356 	 * can treat this OOTB
357 	 */
358 	if (sctp_sstate(ep->base.sk, CLOSING))
359 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
360 
361 	/* Verify the INIT chunk before processing it. */
362 	err_chunk = NULL;
363 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
364 			      (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
365 			      &err_chunk)) {
366 		/* This chunk contains fatal error. It is to be discarded.
367 		 * Send an ABORT, with causes if there is any.
368 		 */
369 		if (err_chunk) {
370 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
371 					(__u8 *)(err_chunk->chunk_hdr) +
372 					sizeof(sctp_chunkhdr_t),
373 					ntohs(err_chunk->chunk_hdr->length) -
374 					sizeof(sctp_chunkhdr_t));
375 
376 			sctp_chunk_free(err_chunk);
377 
378 			if (packet) {
379 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
380 						SCTP_PACKET(packet));
381 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
382 				return SCTP_DISPOSITION_CONSUME;
383 			} else {
384 				return SCTP_DISPOSITION_NOMEM;
385 			}
386 		} else {
387 			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
388 						    commands);
389 		}
390 	}
391 
392 	/* Grab the INIT header.  */
393 	chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
394 
395 	/* Tag the variable length parameters.  */
396 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
397 
398 	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
399 	if (!new_asoc)
400 		goto nomem;
401 
402 	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
403 					     sctp_scope(sctp_source(chunk)),
404 					     GFP_ATOMIC) < 0)
405 		goto nomem_init;
406 
407 	/* The call, sctp_process_init(), can fail on memory allocation.  */
408 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
409 			       (sctp_init_chunk_t *)chunk->chunk_hdr,
410 			       GFP_ATOMIC))
411 		goto nomem_init;
412 
413 	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
414 
415 	/* If there are errors need to be reported for unknown parameters,
416 	 * make sure to reserve enough room in the INIT ACK for them.
417 	 */
418 	len = 0;
419 	if (err_chunk)
420 		len = ntohs(err_chunk->chunk_hdr->length) -
421 			sizeof(sctp_chunkhdr_t);
422 
423 	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
424 	if (!repl)
425 		goto nomem_init;
426 
427 	/* If there are errors need to be reported for unknown parameters,
428 	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
429 	 * parameter.
430 	 */
431 	if (err_chunk) {
432 		/* Get the "Unrecognized parameter" parameter(s) out of the
433 		 * ERROR chunk generated by sctp_verify_init(). Since the
434 		 * error cause code for "unknown parameter" and the
435 		 * "Unrecognized parameter" type is the same, we can
436 		 * construct the parameters in INIT ACK by copying the
437 		 * ERROR causes over.
438 		 */
439 		unk_param = (sctp_unrecognized_param_t *)
440 			    ((__u8 *)(err_chunk->chunk_hdr) +
441 			    sizeof(sctp_chunkhdr_t));
442 		/* Replace the cause code with the "Unrecognized parameter"
443 		 * parameter type.
444 		 */
445 		sctp_addto_chunk(repl, len, unk_param);
446 		sctp_chunk_free(err_chunk);
447 	}
448 
449 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
450 
451 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
452 
453 	/*
454 	 * Note:  After sending out INIT ACK with the State Cookie parameter,
455 	 * "Z" MUST NOT allocate any resources, nor keep any states for the
456 	 * new association.  Otherwise, "Z" will be vulnerable to resource
457 	 * attacks.
458 	 */
459 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
460 
461 	return SCTP_DISPOSITION_DELETE_TCB;
462 
463 nomem_init:
464 	sctp_association_free(new_asoc);
465 nomem:
466 	if (err_chunk)
467 		sctp_chunk_free(err_chunk);
468 	return SCTP_DISPOSITION_NOMEM;
469 }
470 
471 /*
472  * Respond to a normal INIT ACK chunk.
473  * We are the side that is initiating the association.
474  *
475  * Section: 5.1 Normal Establishment of an Association, C
476  * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
477  *    timer and leave COOKIE-WAIT state. "A" shall then send the State
478  *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
479  *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
480  *
481  *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
482  *    DATA chunks, but it MUST be the first chunk in the packet and
483  *    until the COOKIE ACK is returned the sender MUST NOT send any
484  *    other packets to the peer.
485  *
486  * Verification Tag: 3.3.3
487  *   If the value of the Initiate Tag in a received INIT ACK chunk is
488  *   found to be 0, the receiver MUST treat it as an error and close the
489  *   association by transmitting an ABORT.
490  *
491  * Inputs
492  * (endpoint, asoc, chunk)
493  *
494  * Outputs
495  * (asoc, reply_msg, msg_up, timers, counters)
496  *
497  * The return value is the disposition of the chunk.
498  */
499 sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
500 				       const struct sctp_endpoint *ep,
501 				       const struct sctp_association *asoc,
502 				       const sctp_subtype_t type,
503 				       void *arg,
504 				       sctp_cmd_seq_t *commands)
505 {
506 	struct sctp_chunk *chunk = arg;
507 	sctp_init_chunk_t *initchunk;
508 	struct sctp_chunk *err_chunk;
509 	struct sctp_packet *packet;
510 
511 	if (!sctp_vtag_verify(chunk, asoc))
512 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
513 
514 	/* 6.10 Bundling
515 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
516 	 * SHUTDOWN COMPLETE with any other chunks.
517 	 */
518 	if (!chunk->singleton)
519 		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
520 
521 	/* Make sure that the INIT-ACK chunk has a valid length */
522 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
523 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
524 						  commands);
525 	/* Grab the INIT header.  */
526 	chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
527 
528 	/* Verify the INIT chunk before processing it. */
529 	err_chunk = NULL;
530 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
531 			      (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
532 			      &err_chunk)) {
533 
534 		sctp_error_t error = SCTP_ERROR_NO_RESOURCE;
535 
536 		/* This chunk contains fatal error. It is to be discarded.
537 		 * Send an ABORT, with causes.  If there are no causes,
538 		 * then there wasn't enough memory.  Just terminate
539 		 * the association.
540 		 */
541 		if (err_chunk) {
542 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
543 					(__u8 *)(err_chunk->chunk_hdr) +
544 					sizeof(sctp_chunkhdr_t),
545 					ntohs(err_chunk->chunk_hdr->length) -
546 					sizeof(sctp_chunkhdr_t));
547 
548 			sctp_chunk_free(err_chunk);
549 
550 			if (packet) {
551 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
552 						SCTP_PACKET(packet));
553 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
554 				error = SCTP_ERROR_INV_PARAM;
555 			}
556 		}
557 
558 		/* SCTP-AUTH, Section 6.3:
559 		 *    It should be noted that if the receiver wants to tear
560 		 *    down an association in an authenticated way only, the
561 		 *    handling of malformed packets should not result in
562 		 *    tearing down the association.
563 		 *
564 		 * This means that if we only want to abort associations
565 		 * in an authenticated way (i.e AUTH+ABORT), then we
566 		 * can't destroy this association just because the packet
567 		 * was malformed.
568 		 */
569 		if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
570 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
571 
572 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
573 		return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
574 						asoc, chunk->transport);
575 	}
576 
577 	/* Tag the variable length parameters.  Note that we never
578 	 * convert the parameters in an INIT chunk.
579 	 */
580 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
581 
582 	initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
583 
584 	sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
585 			SCTP_PEER_INIT(initchunk));
586 
587 	/* Reset init error count upon receipt of INIT-ACK.  */
588 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
589 
590 	/* 5.1 C) "A" shall stop the T1-init timer and leave
591 	 * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
592 	 * timer, and enter the COOKIE-ECHOED state.
593 	 */
594 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
595 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
596 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
597 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
598 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
599 			SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
600 
601 	/* SCTP-AUTH: genereate the assocition shared keys so that
602 	 * we can potentially signe the COOKIE-ECHO.
603 	 */
604 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
605 
606 	/* 5.1 C) "A" shall then send the State Cookie received in the
607 	 * INIT ACK chunk in a COOKIE ECHO chunk, ...
608 	 */
609 	/* If there is any errors to report, send the ERROR chunk generated
610 	 * for unknown parameters as well.
611 	 */
612 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
613 			SCTP_CHUNK(err_chunk));
614 
615 	return SCTP_DISPOSITION_CONSUME;
616 }
617 
618 /*
619  * Respond to a normal COOKIE ECHO chunk.
620  * We are the side that is being asked for an association.
621  *
622  * Section: 5.1 Normal Establishment of an Association, D
623  * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
624  *    with a COOKIE ACK chunk after building a TCB and moving to
625  *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
626  *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
627  *    chunk MUST be the first chunk in the packet.
628  *
629  *   IMPLEMENTATION NOTE: An implementation may choose to send the
630  *   Communication Up notification to the SCTP user upon reception
631  *   of a valid COOKIE ECHO chunk.
632  *
633  * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
634  * D) Rules for packet carrying a COOKIE ECHO
635  *
636  * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
637  *   Initial Tag received in the INIT ACK.
638  *
639  * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
640  *
641  * Inputs
642  * (endpoint, asoc, chunk)
643  *
644  * Outputs
645  * (asoc, reply_msg, msg_up, timers, counters)
646  *
647  * The return value is the disposition of the chunk.
648  */
649 sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
650 				      const struct sctp_endpoint *ep,
651 				      const struct sctp_association *asoc,
652 				      const sctp_subtype_t type, void *arg,
653 				      sctp_cmd_seq_t *commands)
654 {
655 	struct sctp_chunk *chunk = arg;
656 	struct sctp_association *new_asoc;
657 	sctp_init_chunk_t *peer_init;
658 	struct sctp_chunk *repl;
659 	struct sctp_ulpevent *ev, *ai_ev = NULL;
660 	int error = 0;
661 	struct sctp_chunk *err_chk_p;
662 	struct sock *sk;
663 
664 	/* If the packet is an OOTB packet which is temporarily on the
665 	 * control endpoint, respond with an ABORT.
666 	 */
667 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
668 		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
669 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
670 	}
671 
672 	/* Make sure that the COOKIE_ECHO chunk has a valid length.
673 	 * In this case, we check that we have enough for at least a
674 	 * chunk header.  More detailed verification is done
675 	 * in sctp_unpack_cookie().
676 	 */
677 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
678 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
679 
680 	/* If the endpoint is not listening or if the number of associations
681 	 * on the TCP-style socket exceed the max backlog, respond with an
682 	 * ABORT.
683 	 */
684 	sk = ep->base.sk;
685 	if (!sctp_sstate(sk, LISTENING) ||
686 	    (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
687 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
688 
689 	/* "Decode" the chunk.  We have no optional parameters so we
690 	 * are in good shape.
691 	 */
692 	chunk->subh.cookie_hdr =
693 		(struct sctp_signed_cookie *)chunk->skb->data;
694 	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
695 					 sizeof(sctp_chunkhdr_t)))
696 		goto nomem;
697 
698 	/* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
699 	 * "Z" will reply with a COOKIE ACK chunk after building a TCB
700 	 * and moving to the ESTABLISHED state.
701 	 */
702 	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
703 				      &err_chk_p);
704 
705 	/* FIXME:
706 	 * If the re-build failed, what is the proper error path
707 	 * from here?
708 	 *
709 	 * [We should abort the association. --piggy]
710 	 */
711 	if (!new_asoc) {
712 		/* FIXME: Several errors are possible.  A bad cookie should
713 		 * be silently discarded, but think about logging it too.
714 		 */
715 		switch (error) {
716 		case -SCTP_IERROR_NOMEM:
717 			goto nomem;
718 
719 		case -SCTP_IERROR_STALE_COOKIE:
720 			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
721 						   err_chk_p);
722 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
723 
724 		case -SCTP_IERROR_BAD_SIG:
725 		default:
726 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
727 		}
728 	}
729 
730 
731 	/* Delay state machine commands until later.
732 	 *
733 	 * Re-build the bind address for the association is done in
734 	 * the sctp_unpack_cookie() already.
735 	 */
736 	/* This is a brand-new association, so these are not yet side
737 	 * effects--it is safe to run them here.
738 	 */
739 	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
740 
741 	if (!sctp_process_init(new_asoc, chunk,
742 			       &chunk->subh.cookie_hdr->c.peer_addr,
743 			       peer_init, GFP_ATOMIC))
744 		goto nomem_init;
745 
746 	/* SCTP-AUTH:  Now that we've populate required fields in
747 	 * sctp_process_init, set up the assocaition shared keys as
748 	 * necessary so that we can potentially authenticate the ACK
749 	 */
750 	error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
751 	if (error)
752 		goto nomem_init;
753 
754 	/* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
755 	 * is supposed to be authenticated and we have to do delayed
756 	 * authentication.  We've just recreated the association using
757 	 * the information in the cookie and now it's much easier to
758 	 * do the authentication.
759 	 */
760 	if (chunk->auth_chunk) {
761 		struct sctp_chunk auth;
762 		sctp_ierror_t ret;
763 
764 		/* Make sure that we and the peer are AUTH capable */
765 		if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
766 			sctp_association_free(new_asoc);
767 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
768 		}
769 
770 		/* set-up our fake chunk so that we can process it */
771 		auth.skb = chunk->auth_chunk;
772 		auth.asoc = chunk->asoc;
773 		auth.sctp_hdr = chunk->sctp_hdr;
774 		auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
775 					    sizeof(sctp_chunkhdr_t));
776 		skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
777 		auth.transport = chunk->transport;
778 
779 		ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
780 		if (ret != SCTP_IERROR_NO_ERROR) {
781 			sctp_association_free(new_asoc);
782 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
783 		}
784 	}
785 
786 	repl = sctp_make_cookie_ack(new_asoc, chunk);
787 	if (!repl)
788 		goto nomem_init;
789 
790 	/* RFC 2960 5.1 Normal Establishment of an Association
791 	 *
792 	 * D) IMPLEMENTATION NOTE: An implementation may choose to
793 	 * send the Communication Up notification to the SCTP user
794 	 * upon reception of a valid COOKIE ECHO chunk.
795 	 */
796 	ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
797 					     new_asoc->c.sinit_num_ostreams,
798 					     new_asoc->c.sinit_max_instreams,
799 					     NULL, GFP_ATOMIC);
800 	if (!ev)
801 		goto nomem_ev;
802 
803 	/* Sockets API Draft Section 5.3.1.6
804 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
805 	 * delivers this notification to inform the application that of the
806 	 * peers requested adaptation layer.
807 	 */
808 	if (new_asoc->peer.adaptation_ind) {
809 		ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
810 							    GFP_ATOMIC);
811 		if (!ai_ev)
812 			goto nomem_aiev;
813 	}
814 
815 	/* Add all the state machine commands now since we've created
816 	 * everything.  This way we don't introduce memory corruptions
817 	 * during side-effect processing and correclty count established
818 	 * associations.
819 	 */
820 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
821 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
822 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
823 	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
824 	SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
825 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
826 
827 	if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
828 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
829 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
830 
831 	/* This will send the COOKIE ACK */
832 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
833 
834 	/* Queue the ASSOC_CHANGE event */
835 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
836 
837 	/* Send up the Adaptation Layer Indication event */
838 	if (ai_ev)
839 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
840 				SCTP_ULPEVENT(ai_ev));
841 
842 	return SCTP_DISPOSITION_CONSUME;
843 
844 nomem_aiev:
845 	sctp_ulpevent_free(ev);
846 nomem_ev:
847 	sctp_chunk_free(repl);
848 nomem_init:
849 	sctp_association_free(new_asoc);
850 nomem:
851 	return SCTP_DISPOSITION_NOMEM;
852 }
853 
854 /*
855  * Respond to a normal COOKIE ACK chunk.
856  * We are the side that is asking for an association.
857  *
858  * RFC 2960 5.1 Normal Establishment of an Association
859  *
860  * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
861  *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
862  *    timer. It may also notify its ULP about the successful
863  *    establishment of the association with a Communication Up
864  *    notification (see Section 10).
865  *
866  * Verification Tag:
867  * Inputs
868  * (endpoint, asoc, chunk)
869  *
870  * Outputs
871  * (asoc, reply_msg, msg_up, timers, counters)
872  *
873  * The return value is the disposition of the chunk.
874  */
875 sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
876 				      const struct sctp_endpoint *ep,
877 				      const struct sctp_association *asoc,
878 				      const sctp_subtype_t type, void *arg,
879 				      sctp_cmd_seq_t *commands)
880 {
881 	struct sctp_chunk *chunk = arg;
882 	struct sctp_ulpevent *ev;
883 
884 	if (!sctp_vtag_verify(chunk, asoc))
885 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
886 
887 	/* Verify that the chunk length for the COOKIE-ACK is OK.
888 	 * If we don't do this, any bundled chunks may be junked.
889 	 */
890 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
891 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
892 						  commands);
893 
894 	/* Reset init error count upon receipt of COOKIE-ACK,
895 	 * to avoid problems with the managemement of this
896 	 * counter in stale cookie situations when a transition back
897 	 * from the COOKIE-ECHOED state to the COOKIE-WAIT
898 	 * state is performed.
899 	 */
900 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
901 
902 	/* RFC 2960 5.1 Normal Establishment of an Association
903 	 *
904 	 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
905 	 * from the COOKIE-ECHOED state to the ESTABLISHED state,
906 	 * stopping the T1-cookie timer.
907 	 */
908 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
909 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
910 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
911 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
912 	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
913 	SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
914 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
915 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
916 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
917 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
918 
919 	/* It may also notify its ULP about the successful
920 	 * establishment of the association with a Communication Up
921 	 * notification (see Section 10).
922 	 */
923 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
924 					     0, asoc->c.sinit_num_ostreams,
925 					     asoc->c.sinit_max_instreams,
926 					     NULL, GFP_ATOMIC);
927 
928 	if (!ev)
929 		goto nomem;
930 
931 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
932 
933 	/* Sockets API Draft Section 5.3.1.6
934 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
935 	 * delivers this notification to inform the application that of the
936 	 * peers requested adaptation layer.
937 	 */
938 	if (asoc->peer.adaptation_ind) {
939 		ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
940 		if (!ev)
941 			goto nomem;
942 
943 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
944 				SCTP_ULPEVENT(ev));
945 	}
946 
947 	return SCTP_DISPOSITION_CONSUME;
948 nomem:
949 	return SCTP_DISPOSITION_NOMEM;
950 }
951 
952 /* Generate and sendout a heartbeat packet.  */
953 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
954 					    const struct sctp_association *asoc,
955 					    const sctp_subtype_t type,
956 					    void *arg,
957 					    sctp_cmd_seq_t *commands)
958 {
959 	struct sctp_transport *transport = (struct sctp_transport *) arg;
960 	struct sctp_chunk *reply;
961 
962 	/* Send a heartbeat to our peer.  */
963 	reply = sctp_make_heartbeat(asoc, transport);
964 	if (!reply)
965 		return SCTP_DISPOSITION_NOMEM;
966 
967 	/* Set rto_pending indicating that an RTT measurement
968 	 * is started with this heartbeat chunk.
969 	 */
970 	sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
971 			SCTP_TRANSPORT(transport));
972 
973 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
974 	return SCTP_DISPOSITION_CONSUME;
975 }
976 
977 /* Generate a HEARTBEAT packet on the given transport.  */
978 sctp_disposition_t sctp_sf_sendbeat_8_3(struct net *net,
979 					const struct sctp_endpoint *ep,
980 					const struct sctp_association *asoc,
981 					const sctp_subtype_t type,
982 					void *arg,
983 					sctp_cmd_seq_t *commands)
984 {
985 	struct sctp_transport *transport = (struct sctp_transport *) arg;
986 
987 	if (asoc->overall_error_count >= asoc->max_retrans) {
988 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
989 				SCTP_ERROR(ETIMEDOUT));
990 		/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
991 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
992 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
993 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
994 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
995 		return SCTP_DISPOSITION_DELETE_TCB;
996 	}
997 
998 	/* Section 3.3.5.
999 	 * The Sender-specific Heartbeat Info field should normally include
1000 	 * information about the sender's current time when this HEARTBEAT
1001 	 * chunk is sent and the destination transport address to which this
1002 	 * HEARTBEAT is sent (see Section 8.3).
1003 	 */
1004 
1005 	if (transport->param_flags & SPP_HB_ENABLE) {
1006 		if (SCTP_DISPOSITION_NOMEM ==
1007 				sctp_sf_heartbeat(ep, asoc, type, arg,
1008 						  commands))
1009 			return SCTP_DISPOSITION_NOMEM;
1010 
1011 		/* Set transport error counter and association error counter
1012 		 * when sending heartbeat.
1013 		 */
1014 		sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1015 				SCTP_TRANSPORT(transport));
1016 	}
1017 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1018 			SCTP_TRANSPORT(transport));
1019 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1020 			SCTP_TRANSPORT(transport));
1021 
1022 	return SCTP_DISPOSITION_CONSUME;
1023 }
1024 
1025 /*
1026  * Process an heartbeat request.
1027  *
1028  * Section: 8.3 Path Heartbeat
1029  * The receiver of the HEARTBEAT should immediately respond with a
1030  * HEARTBEAT ACK that contains the Heartbeat Information field copied
1031  * from the received HEARTBEAT chunk.
1032  *
1033  * Verification Tag:  8.5 Verification Tag [Normal verification]
1034  * When receiving an SCTP packet, the endpoint MUST ensure that the
1035  * value in the Verification Tag field of the received SCTP packet
1036  * matches its own Tag. If the received Verification Tag value does not
1037  * match the receiver's own tag value, the receiver shall silently
1038  * discard the packet and shall not process it any further except for
1039  * those cases listed in Section 8.5.1 below.
1040  *
1041  * Inputs
1042  * (endpoint, asoc, chunk)
1043  *
1044  * Outputs
1045  * (asoc, reply_msg, msg_up, timers, counters)
1046  *
1047  * The return value is the disposition of the chunk.
1048  */
1049 sctp_disposition_t sctp_sf_beat_8_3(struct net *net,
1050 				    const struct sctp_endpoint *ep,
1051 				    const struct sctp_association *asoc,
1052 				    const sctp_subtype_t type,
1053 				    void *arg,
1054 				    sctp_cmd_seq_t *commands)
1055 {
1056 	sctp_paramhdr_t *param_hdr;
1057 	struct sctp_chunk *chunk = arg;
1058 	struct sctp_chunk *reply;
1059 	size_t paylen = 0;
1060 
1061 	if (!sctp_vtag_verify(chunk, asoc))
1062 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1063 
1064 	/* Make sure that the HEARTBEAT chunk has a valid length. */
1065 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1066 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1067 						  commands);
1068 
1069 	/* 8.3 The receiver of the HEARTBEAT should immediately
1070 	 * respond with a HEARTBEAT ACK that contains the Heartbeat
1071 	 * Information field copied from the received HEARTBEAT chunk.
1072 	 */
1073 	chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
1074 	param_hdr = (sctp_paramhdr_t *) chunk->subh.hb_hdr;
1075 	paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
1076 
1077 	if (ntohs(param_hdr->length) > paylen)
1078 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1079 						  param_hdr, commands);
1080 
1081 	if (!pskb_pull(chunk->skb, paylen))
1082 		goto nomem;
1083 
1084 	reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1085 	if (!reply)
1086 		goto nomem;
1087 
1088 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1089 	return SCTP_DISPOSITION_CONSUME;
1090 
1091 nomem:
1092 	return SCTP_DISPOSITION_NOMEM;
1093 }
1094 
1095 /*
1096  * Process the returning HEARTBEAT ACK.
1097  *
1098  * Section: 8.3 Path Heartbeat
1099  * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1100  * should clear the error counter of the destination transport
1101  * address to which the HEARTBEAT was sent, and mark the destination
1102  * transport address as active if it is not so marked. The endpoint may
1103  * optionally report to the upper layer when an inactive destination
1104  * address is marked as active due to the reception of the latest
1105  * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1106  * clear the association overall error count as well (as defined
1107  * in section 8.1).
1108  *
1109  * The receiver of the HEARTBEAT ACK should also perform an RTT
1110  * measurement for that destination transport address using the time
1111  * value carried in the HEARTBEAT ACK chunk.
1112  *
1113  * Verification Tag:  8.5 Verification Tag [Normal verification]
1114  *
1115  * Inputs
1116  * (endpoint, asoc, chunk)
1117  *
1118  * Outputs
1119  * (asoc, reply_msg, msg_up, timers, counters)
1120  *
1121  * The return value is the disposition of the chunk.
1122  */
1123 sctp_disposition_t sctp_sf_backbeat_8_3(struct net *net,
1124 					const struct sctp_endpoint *ep,
1125 					const struct sctp_association *asoc,
1126 					const sctp_subtype_t type,
1127 					void *arg,
1128 					sctp_cmd_seq_t *commands)
1129 {
1130 	struct sctp_chunk *chunk = arg;
1131 	union sctp_addr from_addr;
1132 	struct sctp_transport *link;
1133 	sctp_sender_hb_info_t *hbinfo;
1134 	unsigned long max_interval;
1135 
1136 	if (!sctp_vtag_verify(chunk, asoc))
1137 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1138 
1139 	/* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */
1140 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +
1141 					    sizeof(sctp_sender_hb_info_t)))
1142 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1143 						  commands);
1144 
1145 	hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1146 	/* Make sure that the length of the parameter is what we expect */
1147 	if (ntohs(hbinfo->param_hdr.length) !=
1148 				    sizeof(sctp_sender_hb_info_t)) {
1149 		return SCTP_DISPOSITION_DISCARD;
1150 	}
1151 
1152 	from_addr = hbinfo->daddr;
1153 	link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1154 
1155 	/* This should never happen, but lets log it if so.  */
1156 	if (unlikely(!link)) {
1157 		if (from_addr.sa.sa_family == AF_INET6) {
1158 			net_warn_ratelimited("%s association %p could not find address %pI6\n",
1159 					     __func__,
1160 					     asoc,
1161 					     &from_addr.v6.sin6_addr);
1162 		} else {
1163 			net_warn_ratelimited("%s association %p could not find address %pI4\n",
1164 					     __func__,
1165 					     asoc,
1166 					     &from_addr.v4.sin_addr.s_addr);
1167 		}
1168 		return SCTP_DISPOSITION_DISCARD;
1169 	}
1170 
1171 	/* Validate the 64-bit random nonce. */
1172 	if (hbinfo->hb_nonce != link->hb_nonce)
1173 		return SCTP_DISPOSITION_DISCARD;
1174 
1175 	max_interval = link->hbinterval + link->rto;
1176 
1177 	/* Check if the timestamp looks valid.  */
1178 	if (time_after(hbinfo->sent_at, jiffies) ||
1179 	    time_after(jiffies, hbinfo->sent_at + max_interval)) {
1180 		pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1181 			 "for transport:%p\n", __func__, link);
1182 
1183 		return SCTP_DISPOSITION_DISCARD;
1184 	}
1185 
1186 	/* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1187 	 * the HEARTBEAT should clear the error counter of the
1188 	 * destination transport address to which the HEARTBEAT was
1189 	 * sent and mark the destination transport address as active if
1190 	 * it is not so marked.
1191 	 */
1192 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1193 
1194 	return SCTP_DISPOSITION_CONSUME;
1195 }
1196 
1197 /* Helper function to send out an abort for the restart
1198  * condition.
1199  */
1200 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1201 				      struct sctp_chunk *init,
1202 				      sctp_cmd_seq_t *commands)
1203 {
1204 	int len;
1205 	struct sctp_packet *pkt;
1206 	union sctp_addr_param *addrparm;
1207 	struct sctp_errhdr *errhdr;
1208 	struct sctp_endpoint *ep;
1209 	char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1210 	struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1211 
1212 	/* Build the error on the stack.   We are way to malloc crazy
1213 	 * throughout the code today.
1214 	 */
1215 	errhdr = (struct sctp_errhdr *)buffer;
1216 	addrparm = (union sctp_addr_param *)errhdr->variable;
1217 
1218 	/* Copy into a parm format. */
1219 	len = af->to_addr_param(ssa, addrparm);
1220 	len += sizeof(sctp_errhdr_t);
1221 
1222 	errhdr->cause = SCTP_ERROR_RESTART;
1223 	errhdr->length = htons(len);
1224 
1225 	/* Assign to the control socket. */
1226 	ep = sctp_sk(net->sctp.ctl_sock)->ep;
1227 
1228 	/* Association is NULL since this may be a restart attack and we
1229 	 * want to send back the attacker's vtag.
1230 	 */
1231 	pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1232 
1233 	if (!pkt)
1234 		goto out;
1235 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1236 
1237 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1238 
1239 	/* Discard the rest of the inbound packet. */
1240 	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1241 
1242 out:
1243 	/* Even if there is no memory, treat as a failure so
1244 	 * the packet will get dropped.
1245 	 */
1246 	return 0;
1247 }
1248 
1249 static bool list_has_sctp_addr(const struct list_head *list,
1250 			       union sctp_addr *ipaddr)
1251 {
1252 	struct sctp_transport *addr;
1253 
1254 	list_for_each_entry(addr, list, transports) {
1255 		if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1256 			return true;
1257 	}
1258 
1259 	return false;
1260 }
1261 /* A restart is occurring, check to make sure no new addresses
1262  * are being added as we may be under a takeover attack.
1263  */
1264 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1265 				       const struct sctp_association *asoc,
1266 				       struct sctp_chunk *init,
1267 				       sctp_cmd_seq_t *commands)
1268 {
1269 	struct net *net = sock_net(new_asoc->base.sk);
1270 	struct sctp_transport *new_addr;
1271 	int ret = 1;
1272 
1273 	/* Implementor's Guide - Section 5.2.2
1274 	 * ...
1275 	 * Before responding the endpoint MUST check to see if the
1276 	 * unexpected INIT adds new addresses to the association. If new
1277 	 * addresses are added to the association, the endpoint MUST respond
1278 	 * with an ABORT..
1279 	 */
1280 
1281 	/* Search through all current addresses and make sure
1282 	 * we aren't adding any new ones.
1283 	 */
1284 	list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1285 			    transports) {
1286 		if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1287 					&new_addr->ipaddr)) {
1288 			sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1289 						   commands);
1290 			ret = 0;
1291 			break;
1292 		}
1293 	}
1294 
1295 	/* Return success if all addresses were found. */
1296 	return ret;
1297 }
1298 
1299 /* Populate the verification/tie tags based on overlapping INIT
1300  * scenario.
1301  *
1302  * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1303  */
1304 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1305 				  const struct sctp_association *asoc)
1306 {
1307 	switch (asoc->state) {
1308 
1309 	/* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1310 
1311 	case SCTP_STATE_COOKIE_WAIT:
1312 		new_asoc->c.my_vtag     = asoc->c.my_vtag;
1313 		new_asoc->c.my_ttag     = asoc->c.my_vtag;
1314 		new_asoc->c.peer_ttag   = 0;
1315 		break;
1316 
1317 	case SCTP_STATE_COOKIE_ECHOED:
1318 		new_asoc->c.my_vtag     = asoc->c.my_vtag;
1319 		new_asoc->c.my_ttag     = asoc->c.my_vtag;
1320 		new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
1321 		break;
1322 
1323 	/* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1324 	 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1325 	 */
1326 	default:
1327 		new_asoc->c.my_ttag   = asoc->c.my_vtag;
1328 		new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1329 		break;
1330 	}
1331 
1332 	/* Other parameters for the endpoint SHOULD be copied from the
1333 	 * existing parameters of the association (e.g. number of
1334 	 * outbound streams) into the INIT ACK and cookie.
1335 	 */
1336 	new_asoc->rwnd                  = asoc->rwnd;
1337 	new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
1338 	new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1339 	new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
1340 }
1341 
1342 /*
1343  * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1344  * handling action.
1345  *
1346  * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1347  *
1348  * Returns value representing action to be taken.   These action values
1349  * correspond to Action/Description values in RFC 2960, Table 2.
1350  */
1351 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1352 				 const struct sctp_association *asoc)
1353 {
1354 	/* In this case, the peer may have restarted.  */
1355 	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1356 	    (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1357 	    (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1358 	    (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1359 		return 'A';
1360 
1361 	/* Collision case B. */
1362 	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1363 	    ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1364 	     (0 == asoc->c.peer_vtag))) {
1365 		return 'B';
1366 	}
1367 
1368 	/* Collision case D. */
1369 	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1370 	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1371 		return 'D';
1372 
1373 	/* Collision case C. */
1374 	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1375 	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1376 	    (0 == new_asoc->c.my_ttag) &&
1377 	    (0 == new_asoc->c.peer_ttag))
1378 		return 'C';
1379 
1380 	/* No match to any of the special cases; discard this packet. */
1381 	return 'E';
1382 }
1383 
1384 /* Common helper routine for both duplicate and simulataneous INIT
1385  * chunk handling.
1386  */
1387 static sctp_disposition_t sctp_sf_do_unexpected_init(
1388 	struct net *net,
1389 	const struct sctp_endpoint *ep,
1390 	const struct sctp_association *asoc,
1391 	const sctp_subtype_t type,
1392 	void *arg, sctp_cmd_seq_t *commands)
1393 {
1394 	sctp_disposition_t retval;
1395 	struct sctp_chunk *chunk = arg;
1396 	struct sctp_chunk *repl;
1397 	struct sctp_association *new_asoc;
1398 	struct sctp_chunk *err_chunk;
1399 	struct sctp_packet *packet;
1400 	sctp_unrecognized_param_t *unk_param;
1401 	int len;
1402 
1403 	/* 6.10 Bundling
1404 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
1405 	 * SHUTDOWN COMPLETE with any other chunks.
1406 	 *
1407 	 * IG Section 2.11.2
1408 	 * Furthermore, we require that the receiver of an INIT chunk MUST
1409 	 * enforce these rules by silently discarding an arriving packet
1410 	 * with an INIT chunk that is bundled with other chunks.
1411 	 */
1412 	if (!chunk->singleton)
1413 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1414 
1415 	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1416 	 * Tag.
1417 	 */
1418 	if (chunk->sctp_hdr->vtag != 0)
1419 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1420 
1421 	/* Make sure that the INIT chunk has a valid length.
1422 	 * In this case, we generate a protocol violation since we have
1423 	 * an association established.
1424 	 */
1425 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1426 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1427 						  commands);
1428 	/* Grab the INIT header.  */
1429 	chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1430 
1431 	/* Tag the variable length parameters.  */
1432 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1433 
1434 	/* Verify the INIT chunk before processing it. */
1435 	err_chunk = NULL;
1436 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1437 			      (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1438 			      &err_chunk)) {
1439 		/* This chunk contains fatal error. It is to be discarded.
1440 		 * Send an ABORT, with causes if there is any.
1441 		 */
1442 		if (err_chunk) {
1443 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1444 					(__u8 *)(err_chunk->chunk_hdr) +
1445 					sizeof(sctp_chunkhdr_t),
1446 					ntohs(err_chunk->chunk_hdr->length) -
1447 					sizeof(sctp_chunkhdr_t));
1448 
1449 			if (packet) {
1450 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1451 						SCTP_PACKET(packet));
1452 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1453 				retval = SCTP_DISPOSITION_CONSUME;
1454 			} else {
1455 				retval = SCTP_DISPOSITION_NOMEM;
1456 			}
1457 			goto cleanup;
1458 		} else {
1459 			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1460 						    commands);
1461 		}
1462 	}
1463 
1464 	/*
1465 	 * Other parameters for the endpoint SHOULD be copied from the
1466 	 * existing parameters of the association (e.g. number of
1467 	 * outbound streams) into the INIT ACK and cookie.
1468 	 * FIXME:  We are copying parameters from the endpoint not the
1469 	 * association.
1470 	 */
1471 	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1472 	if (!new_asoc)
1473 		goto nomem;
1474 
1475 	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1476 				sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1477 		goto nomem;
1478 
1479 	/* In the outbound INIT ACK the endpoint MUST copy its current
1480 	 * Verification Tag and Peers Verification tag into a reserved
1481 	 * place (local tie-tag and per tie-tag) within the state cookie.
1482 	 */
1483 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1484 			       (sctp_init_chunk_t *)chunk->chunk_hdr,
1485 			       GFP_ATOMIC))
1486 		goto nomem;
1487 
1488 	/* Make sure no new addresses are being added during the
1489 	 * restart.   Do not do this check for COOKIE-WAIT state,
1490 	 * since there are no peer addresses to check against.
1491 	 * Upon return an ABORT will have been sent if needed.
1492 	 */
1493 	if (!sctp_state(asoc, COOKIE_WAIT)) {
1494 		if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1495 						 commands)) {
1496 			retval = SCTP_DISPOSITION_CONSUME;
1497 			goto nomem_retval;
1498 		}
1499 	}
1500 
1501 	sctp_tietags_populate(new_asoc, asoc);
1502 
1503 	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
1504 
1505 	/* If there are errors need to be reported for unknown parameters,
1506 	 * make sure to reserve enough room in the INIT ACK for them.
1507 	 */
1508 	len = 0;
1509 	if (err_chunk) {
1510 		len = ntohs(err_chunk->chunk_hdr->length) -
1511 			sizeof(sctp_chunkhdr_t);
1512 	}
1513 
1514 	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1515 	if (!repl)
1516 		goto nomem;
1517 
1518 	/* If there are errors need to be reported for unknown parameters,
1519 	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1520 	 * parameter.
1521 	 */
1522 	if (err_chunk) {
1523 		/* Get the "Unrecognized parameter" parameter(s) out of the
1524 		 * ERROR chunk generated by sctp_verify_init(). Since the
1525 		 * error cause code for "unknown parameter" and the
1526 		 * "Unrecognized parameter" type is the same, we can
1527 		 * construct the parameters in INIT ACK by copying the
1528 		 * ERROR causes over.
1529 		 */
1530 		unk_param = (sctp_unrecognized_param_t *)
1531 			    ((__u8 *)(err_chunk->chunk_hdr) +
1532 			    sizeof(sctp_chunkhdr_t));
1533 		/* Replace the cause code with the "Unrecognized parameter"
1534 		 * parameter type.
1535 		 */
1536 		sctp_addto_chunk(repl, len, unk_param);
1537 	}
1538 
1539 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1540 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1541 
1542 	/*
1543 	 * Note: After sending out INIT ACK with the State Cookie parameter,
1544 	 * "Z" MUST NOT allocate any resources for this new association.
1545 	 * Otherwise, "Z" will be vulnerable to resource attacks.
1546 	 */
1547 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1548 	retval = SCTP_DISPOSITION_CONSUME;
1549 
1550 	return retval;
1551 
1552 nomem:
1553 	retval = SCTP_DISPOSITION_NOMEM;
1554 nomem_retval:
1555 	if (new_asoc)
1556 		sctp_association_free(new_asoc);
1557 cleanup:
1558 	if (err_chunk)
1559 		sctp_chunk_free(err_chunk);
1560 	return retval;
1561 }
1562 
1563 /*
1564  * Handle simultaneous INIT.
1565  * This means we started an INIT and then we got an INIT request from
1566  * our peer.
1567  *
1568  * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1569  * This usually indicates an initialization collision, i.e., each
1570  * endpoint is attempting, at about the same time, to establish an
1571  * association with the other endpoint.
1572  *
1573  * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1574  * endpoint MUST respond with an INIT ACK using the same parameters it
1575  * sent in its original INIT chunk (including its Verification Tag,
1576  * unchanged). These original parameters are combined with those from the
1577  * newly received INIT chunk. The endpoint shall also generate a State
1578  * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1579  * INIT to calculate the State Cookie.
1580  *
1581  * After that, the endpoint MUST NOT change its state, the T1-init
1582  * timer shall be left running and the corresponding TCB MUST NOT be
1583  * destroyed. The normal procedures for handling State Cookies when
1584  * a TCB exists will resolve the duplicate INITs to a single association.
1585  *
1586  * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1587  * its Tie-Tags with the Tag information of itself and its peer (see
1588  * section 5.2.2 for a description of the Tie-Tags).
1589  *
1590  * Verification Tag: Not explicit, but an INIT can not have a valid
1591  * verification tag, so we skip the check.
1592  *
1593  * Inputs
1594  * (endpoint, asoc, chunk)
1595  *
1596  * Outputs
1597  * (asoc, reply_msg, msg_up, timers, counters)
1598  *
1599  * The return value is the disposition of the chunk.
1600  */
1601 sctp_disposition_t sctp_sf_do_5_2_1_siminit(struct net *net,
1602 				    const struct sctp_endpoint *ep,
1603 				    const struct sctp_association *asoc,
1604 				    const sctp_subtype_t type,
1605 				    void *arg,
1606 				    sctp_cmd_seq_t *commands)
1607 {
1608 	/* Call helper to do the real work for both simulataneous and
1609 	 * duplicate INIT chunk handling.
1610 	 */
1611 	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1612 }
1613 
1614 /*
1615  * Handle duplicated INIT messages.  These are usually delayed
1616  * restransmissions.
1617  *
1618  * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1619  * COOKIE-ECHOED and COOKIE-WAIT
1620  *
1621  * Unless otherwise stated, upon reception of an unexpected INIT for
1622  * this association, the endpoint shall generate an INIT ACK with a
1623  * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
1624  * current Verification Tag and peer's Verification Tag into a reserved
1625  * place within the state cookie.  We shall refer to these locations as
1626  * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
1627  * containing this INIT ACK MUST carry a Verification Tag value equal to
1628  * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
1629  * MUST contain a new Initiation Tag (randomly generated see Section
1630  * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
1631  * existing parameters of the association (e.g. number of outbound
1632  * streams) into the INIT ACK and cookie.
1633  *
1634  * After sending out the INIT ACK, the endpoint shall take no further
1635  * actions, i.e., the existing association, including its current state,
1636  * and the corresponding TCB MUST NOT be changed.
1637  *
1638  * Note: Only when a TCB exists and the association is not in a COOKIE-
1639  * WAIT state are the Tie-Tags populated.  For a normal association INIT
1640  * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1641  * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
1642  * State Cookie are populated as specified in section 5.2.1.
1643  *
1644  * Verification Tag: Not specified, but an INIT has no way of knowing
1645  * what the verification tag could be, so we ignore it.
1646  *
1647  * Inputs
1648  * (endpoint, asoc, chunk)
1649  *
1650  * Outputs
1651  * (asoc, reply_msg, msg_up, timers, counters)
1652  *
1653  * The return value is the disposition of the chunk.
1654  */
1655 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(struct net *net,
1656 					const struct sctp_endpoint *ep,
1657 					const struct sctp_association *asoc,
1658 					const sctp_subtype_t type,
1659 					void *arg,
1660 					sctp_cmd_seq_t *commands)
1661 {
1662 	/* Call helper to do the real work for both simulataneous and
1663 	 * duplicate INIT chunk handling.
1664 	 */
1665 	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1666 }
1667 
1668 
1669 /*
1670  * Unexpected INIT-ACK handler.
1671  *
1672  * Section 5.2.3
1673  * If an INIT ACK received by an endpoint in any state other than the
1674  * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1675  * An unexpected INIT ACK usually indicates the processing of an old or
1676  * duplicated INIT chunk.
1677 */
1678 sctp_disposition_t sctp_sf_do_5_2_3_initack(struct net *net,
1679 					    const struct sctp_endpoint *ep,
1680 					    const struct sctp_association *asoc,
1681 					    const sctp_subtype_t type,
1682 					    void *arg, sctp_cmd_seq_t *commands)
1683 {
1684 	/* Per the above section, we'll discard the chunk if we have an
1685 	 * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
1686 	 */
1687 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1688 		return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1689 	else
1690 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1691 }
1692 
1693 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1694  *
1695  * Section 5.2.4
1696  *  A)  In this case, the peer may have restarted.
1697  */
1698 static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net,
1699 					const struct sctp_endpoint *ep,
1700 					const struct sctp_association *asoc,
1701 					struct sctp_chunk *chunk,
1702 					sctp_cmd_seq_t *commands,
1703 					struct sctp_association *new_asoc)
1704 {
1705 	sctp_init_chunk_t *peer_init;
1706 	struct sctp_ulpevent *ev;
1707 	struct sctp_chunk *repl;
1708 	struct sctp_chunk *err;
1709 	sctp_disposition_t disposition;
1710 
1711 	/* new_asoc is a brand-new association, so these are not yet
1712 	 * side effects--it is safe to run them here.
1713 	 */
1714 	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1715 
1716 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1717 			       GFP_ATOMIC))
1718 		goto nomem;
1719 
1720 	/* Make sure no new addresses are being added during the
1721 	 * restart.  Though this is a pretty complicated attack
1722 	 * since you'd have to get inside the cookie.
1723 	 */
1724 	if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1725 		return SCTP_DISPOSITION_CONSUME;
1726 	}
1727 
1728 	/* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1729 	 * the peer has restarted (Action A), it MUST NOT setup a new
1730 	 * association but instead resend the SHUTDOWN ACK and send an ERROR
1731 	 * chunk with a "Cookie Received while Shutting Down" error cause to
1732 	 * its peer.
1733 	*/
1734 	if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1735 		disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
1736 				SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1737 				chunk, commands);
1738 		if (SCTP_DISPOSITION_NOMEM == disposition)
1739 			goto nomem;
1740 
1741 		err = sctp_make_op_error(asoc, chunk,
1742 					 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1743 					 NULL, 0, 0);
1744 		if (err)
1745 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1746 					SCTP_CHUNK(err));
1747 
1748 		return SCTP_DISPOSITION_CONSUME;
1749 	}
1750 
1751 	/* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1752 	 * data. Consider the optional choice of resending of this data.
1753 	 */
1754 	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1755 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1756 			SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1757 	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1758 
1759 	/* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1760 	 * and ASCONF-ACK cache.
1761 	 */
1762 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1763 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1764 	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1765 
1766 	repl = sctp_make_cookie_ack(new_asoc, chunk);
1767 	if (!repl)
1768 		goto nomem;
1769 
1770 	/* Report association restart to upper layer. */
1771 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1772 					     new_asoc->c.sinit_num_ostreams,
1773 					     new_asoc->c.sinit_max_instreams,
1774 					     NULL, GFP_ATOMIC);
1775 	if (!ev)
1776 		goto nomem_ev;
1777 
1778 	/* Update the content of current association. */
1779 	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1780 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1781 	if (sctp_state(asoc, SHUTDOWN_PENDING) &&
1782 	    (sctp_sstate(asoc->base.sk, CLOSING) ||
1783 	     sock_flag(asoc->base.sk, SOCK_DEAD))) {
1784 		/* if were currently in SHUTDOWN_PENDING, but the socket
1785 		 * has been closed by user, don't transition to ESTABLISHED.
1786 		 * Instead trigger SHUTDOWN bundled with COOKIE_ACK.
1787 		 */
1788 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1789 		return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1790 						     SCTP_ST_CHUNK(0), NULL,
1791 						     commands);
1792 	} else {
1793 		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1794 				SCTP_STATE(SCTP_STATE_ESTABLISHED));
1795 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1796 	}
1797 	return SCTP_DISPOSITION_CONSUME;
1798 
1799 nomem_ev:
1800 	sctp_chunk_free(repl);
1801 nomem:
1802 	return SCTP_DISPOSITION_NOMEM;
1803 }
1804 
1805 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1806  *
1807  * Section 5.2.4
1808  *   B) In this case, both sides may be attempting to start an association
1809  *      at about the same time but the peer endpoint started its INIT
1810  *      after responding to the local endpoint's INIT
1811  */
1812 /* This case represents an initialization collision.  */
1813 static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net,
1814 					const struct sctp_endpoint *ep,
1815 					const struct sctp_association *asoc,
1816 					struct sctp_chunk *chunk,
1817 					sctp_cmd_seq_t *commands,
1818 					struct sctp_association *new_asoc)
1819 {
1820 	sctp_init_chunk_t *peer_init;
1821 	struct sctp_chunk *repl;
1822 
1823 	/* new_asoc is a brand-new association, so these are not yet
1824 	 * side effects--it is safe to run them here.
1825 	 */
1826 	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1827 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1828 			       GFP_ATOMIC))
1829 		goto nomem;
1830 
1831 	/* Update the content of current association.  */
1832 	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1833 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1834 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
1835 	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1836 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1837 
1838 	repl = sctp_make_cookie_ack(new_asoc, chunk);
1839 	if (!repl)
1840 		goto nomem;
1841 
1842 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1843 
1844 	/* RFC 2960 5.1 Normal Establishment of an Association
1845 	 *
1846 	 * D) IMPLEMENTATION NOTE: An implementation may choose to
1847 	 * send the Communication Up notification to the SCTP user
1848 	 * upon reception of a valid COOKIE ECHO chunk.
1849 	 *
1850 	 * Sadly, this needs to be implemented as a side-effect, because
1851 	 * we are not guaranteed to have set the association id of the real
1852 	 * association and so these notifications need to be delayed until
1853 	 * the association id is allocated.
1854 	 */
1855 
1856 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1857 
1858 	/* Sockets API Draft Section 5.3.1.6
1859 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1860 	 * delivers this notification to inform the application that of the
1861 	 * peers requested adaptation layer.
1862 	 *
1863 	 * This also needs to be done as a side effect for the same reason as
1864 	 * above.
1865 	 */
1866 	if (asoc->peer.adaptation_ind)
1867 		sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1868 
1869 	return SCTP_DISPOSITION_CONSUME;
1870 
1871 nomem:
1872 	return SCTP_DISPOSITION_NOMEM;
1873 }
1874 
1875 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1876  *
1877  * Section 5.2.4
1878  *  C) In this case, the local endpoint's cookie has arrived late.
1879  *     Before it arrived, the local endpoint sent an INIT and received an
1880  *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1881  *     but a new tag of its own.
1882  */
1883 /* This case represents an initialization collision.  */
1884 static sctp_disposition_t sctp_sf_do_dupcook_c(struct net *net,
1885 					const struct sctp_endpoint *ep,
1886 					const struct sctp_association *asoc,
1887 					struct sctp_chunk *chunk,
1888 					sctp_cmd_seq_t *commands,
1889 					struct sctp_association *new_asoc)
1890 {
1891 	/* The cookie should be silently discarded.
1892 	 * The endpoint SHOULD NOT change states and should leave
1893 	 * any timers running.
1894 	 */
1895 	return SCTP_DISPOSITION_DISCARD;
1896 }
1897 
1898 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1899  *
1900  * Section 5.2.4
1901  *
1902  * D) When both local and remote tags match the endpoint should always
1903  *    enter the ESTABLISHED state, if it has not already done so.
1904  */
1905 /* This case represents an initialization collision.  */
1906 static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
1907 					const struct sctp_endpoint *ep,
1908 					const struct sctp_association *asoc,
1909 					struct sctp_chunk *chunk,
1910 					sctp_cmd_seq_t *commands,
1911 					struct sctp_association *new_asoc)
1912 {
1913 	struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1914 	struct sctp_chunk *repl;
1915 
1916 	/* Clarification from Implementor's Guide:
1917 	 * D) When both local and remote tags match the endpoint should
1918 	 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1919 	 * It should stop any cookie timer that may be running and send
1920 	 * a COOKIE ACK.
1921 	 */
1922 
1923 	/* Don't accidentally move back into established state. */
1924 	if (asoc->state < SCTP_STATE_ESTABLISHED) {
1925 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1926 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1927 		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1928 				SCTP_STATE(SCTP_STATE_ESTABLISHED));
1929 		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1930 		sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1931 				SCTP_NULL());
1932 
1933 		/* RFC 2960 5.1 Normal Establishment of an Association
1934 		 *
1935 		 * D) IMPLEMENTATION NOTE: An implementation may choose
1936 		 * to send the Communication Up notification to the
1937 		 * SCTP user upon reception of a valid COOKIE
1938 		 * ECHO chunk.
1939 		 */
1940 		ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1941 					     SCTP_COMM_UP, 0,
1942 					     asoc->c.sinit_num_ostreams,
1943 					     asoc->c.sinit_max_instreams,
1944 					     NULL, GFP_ATOMIC);
1945 		if (!ev)
1946 			goto nomem;
1947 
1948 		/* Sockets API Draft Section 5.3.1.6
1949 		 * When a peer sends a Adaptation Layer Indication parameter,
1950 		 * SCTP delivers this notification to inform the application
1951 		 * that of the peers requested adaptation layer.
1952 		 */
1953 		if (asoc->peer.adaptation_ind) {
1954 			ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1955 								 GFP_ATOMIC);
1956 			if (!ai_ev)
1957 				goto nomem;
1958 
1959 		}
1960 	}
1961 
1962 	repl = sctp_make_cookie_ack(new_asoc, chunk);
1963 	if (!repl)
1964 		goto nomem;
1965 
1966 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1967 
1968 	if (ev)
1969 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1970 				SCTP_ULPEVENT(ev));
1971 	if (ai_ev)
1972 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1973 					SCTP_ULPEVENT(ai_ev));
1974 
1975 	return SCTP_DISPOSITION_CONSUME;
1976 
1977 nomem:
1978 	if (ai_ev)
1979 		sctp_ulpevent_free(ai_ev);
1980 	if (ev)
1981 		sctp_ulpevent_free(ev);
1982 	return SCTP_DISPOSITION_NOMEM;
1983 }
1984 
1985 /*
1986  * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
1987  * chunk was retransmitted and then delayed in the network.
1988  *
1989  * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1990  *
1991  * Verification Tag: None.  Do cookie validation.
1992  *
1993  * Inputs
1994  * (endpoint, asoc, chunk)
1995  *
1996  * Outputs
1997  * (asoc, reply_msg, msg_up, timers, counters)
1998  *
1999  * The return value is the disposition of the chunk.
2000  */
2001 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net,
2002 					const struct sctp_endpoint *ep,
2003 					const struct sctp_association *asoc,
2004 					const sctp_subtype_t type,
2005 					void *arg,
2006 					sctp_cmd_seq_t *commands)
2007 {
2008 	sctp_disposition_t retval;
2009 	struct sctp_chunk *chunk = arg;
2010 	struct sctp_association *new_asoc;
2011 	int error = 0;
2012 	char action;
2013 	struct sctp_chunk *err_chk_p;
2014 
2015 	/* Make sure that the chunk has a valid length from the protocol
2016 	 * perspective.  In this case check to make sure we have at least
2017 	 * enough for the chunk header.  Cookie length verification is
2018 	 * done later.
2019 	 */
2020 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2021 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2022 						  commands);
2023 
2024 	/* "Decode" the chunk.  We have no optional parameters so we
2025 	 * are in good shape.
2026 	 */
2027 	chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2028 	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2029 					sizeof(sctp_chunkhdr_t)))
2030 		goto nomem;
2031 
2032 	/* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2033 	 * of a duplicate COOKIE ECHO match the Verification Tags of the
2034 	 * current association, consider the State Cookie valid even if
2035 	 * the lifespan is exceeded.
2036 	 */
2037 	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2038 				      &err_chk_p);
2039 
2040 	/* FIXME:
2041 	 * If the re-build failed, what is the proper error path
2042 	 * from here?
2043 	 *
2044 	 * [We should abort the association. --piggy]
2045 	 */
2046 	if (!new_asoc) {
2047 		/* FIXME: Several errors are possible.  A bad cookie should
2048 		 * be silently discarded, but think about logging it too.
2049 		 */
2050 		switch (error) {
2051 		case -SCTP_IERROR_NOMEM:
2052 			goto nomem;
2053 
2054 		case -SCTP_IERROR_STALE_COOKIE:
2055 			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2056 						   err_chk_p);
2057 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2058 		case -SCTP_IERROR_BAD_SIG:
2059 		default:
2060 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2061 		}
2062 	}
2063 
2064 	/* Compare the tie_tag in cookie with the verification tag of
2065 	 * current association.
2066 	 */
2067 	action = sctp_tietags_compare(new_asoc, asoc);
2068 
2069 	switch (action) {
2070 	case 'A': /* Association restart. */
2071 		retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2072 					      new_asoc);
2073 		break;
2074 
2075 	case 'B': /* Collision case B. */
2076 		retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2077 					      new_asoc);
2078 		break;
2079 
2080 	case 'C': /* Collision case C. */
2081 		retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2082 					      new_asoc);
2083 		break;
2084 
2085 	case 'D': /* Collision case D. */
2086 		retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2087 					      new_asoc);
2088 		break;
2089 
2090 	default: /* Discard packet for all others. */
2091 		retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2092 		break;
2093 	}
2094 
2095 	/* Delete the tempory new association. */
2096 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2097 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2098 
2099 	/* Restore association pointer to provide SCTP command interpeter
2100 	 * with a valid context in case it needs to manipulate
2101 	 * the queues */
2102 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2103 			 SCTP_ASOC((struct sctp_association *)asoc));
2104 
2105 	return retval;
2106 
2107 nomem:
2108 	return SCTP_DISPOSITION_NOMEM;
2109 }
2110 
2111 /*
2112  * Process an ABORT.  (SHUTDOWN-PENDING state)
2113  *
2114  * See sctp_sf_do_9_1_abort().
2115  */
2116 sctp_disposition_t sctp_sf_shutdown_pending_abort(
2117 	struct net *net,
2118 	const struct sctp_endpoint *ep,
2119 	const struct sctp_association *asoc,
2120 	const sctp_subtype_t type,
2121 	void *arg,
2122 	sctp_cmd_seq_t *commands)
2123 {
2124 	struct sctp_chunk *chunk = arg;
2125 
2126 	if (!sctp_vtag_verify_either(chunk, asoc))
2127 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2128 
2129 	/* Make sure that the ABORT chunk has a valid length.
2130 	 * Since this is an ABORT chunk, we have to discard it
2131 	 * because of the following text:
2132 	 * RFC 2960, Section 3.3.7
2133 	 *    If an endpoint receives an ABORT with a format error or for an
2134 	 *    association that doesn't exist, it MUST silently discard it.
2135 	 * Because the length is "invalid", we can't really discard just
2136 	 * as we do not know its true length.  So, to be safe, discard the
2137 	 * packet.
2138 	 */
2139 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2140 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2141 
2142 	/* ADD-IP: Special case for ABORT chunks
2143 	 * F4)  One special consideration is that ABORT Chunks arriving
2144 	 * destined to the IP address being deleted MUST be
2145 	 * ignored (see Section 5.3.1 for further details).
2146 	 */
2147 	if (SCTP_ADDR_DEL ==
2148 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2149 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2150 
2151 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2152 }
2153 
2154 /*
2155  * Process an ABORT.  (SHUTDOWN-SENT state)
2156  *
2157  * See sctp_sf_do_9_1_abort().
2158  */
2159 sctp_disposition_t sctp_sf_shutdown_sent_abort(struct net *net,
2160 					const struct sctp_endpoint *ep,
2161 					const struct sctp_association *asoc,
2162 					const sctp_subtype_t type,
2163 					void *arg,
2164 					sctp_cmd_seq_t *commands)
2165 {
2166 	struct sctp_chunk *chunk = arg;
2167 
2168 	if (!sctp_vtag_verify_either(chunk, asoc))
2169 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2170 
2171 	/* Make sure that the ABORT chunk has a valid length.
2172 	 * Since this is an ABORT chunk, we have to discard it
2173 	 * because of the following text:
2174 	 * RFC 2960, Section 3.3.7
2175 	 *    If an endpoint receives an ABORT with a format error or for an
2176 	 *    association that doesn't exist, it MUST silently discard it.
2177 	 * Because the length is "invalid", we can't really discard just
2178 	 * as we do not know its true length.  So, to be safe, discard the
2179 	 * packet.
2180 	 */
2181 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2182 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2183 
2184 	/* ADD-IP: Special case for ABORT chunks
2185 	 * F4)  One special consideration is that ABORT Chunks arriving
2186 	 * destined to the IP address being deleted MUST be
2187 	 * ignored (see Section 5.3.1 for further details).
2188 	 */
2189 	if (SCTP_ADDR_DEL ==
2190 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2191 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2192 
2193 	/* Stop the T2-shutdown timer. */
2194 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2195 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2196 
2197 	/* Stop the T5-shutdown guard timer.  */
2198 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2199 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2200 
2201 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2202 }
2203 
2204 /*
2205  * Process an ABORT.  (SHUTDOWN-ACK-SENT state)
2206  *
2207  * See sctp_sf_do_9_1_abort().
2208  */
2209 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2210 	struct net *net,
2211 	const struct sctp_endpoint *ep,
2212 	const struct sctp_association *asoc,
2213 	const sctp_subtype_t type,
2214 	void *arg,
2215 	sctp_cmd_seq_t *commands)
2216 {
2217 	/* The same T2 timer, so we should be able to use
2218 	 * common function with the SHUTDOWN-SENT state.
2219 	 */
2220 	return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2221 }
2222 
2223 /*
2224  * Handle an Error received in COOKIE_ECHOED state.
2225  *
2226  * Only handle the error type of stale COOKIE Error, the other errors will
2227  * be ignored.
2228  *
2229  * Inputs
2230  * (endpoint, asoc, chunk)
2231  *
2232  * Outputs
2233  * (asoc, reply_msg, msg_up, timers, counters)
2234  *
2235  * The return value is the disposition of the chunk.
2236  */
2237 sctp_disposition_t sctp_sf_cookie_echoed_err(struct net *net,
2238 					const struct sctp_endpoint *ep,
2239 					const struct sctp_association *asoc,
2240 					const sctp_subtype_t type,
2241 					void *arg,
2242 					sctp_cmd_seq_t *commands)
2243 {
2244 	struct sctp_chunk *chunk = arg;
2245 	sctp_errhdr_t *err;
2246 
2247 	if (!sctp_vtag_verify(chunk, asoc))
2248 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2249 
2250 	/* Make sure that the ERROR chunk has a valid length.
2251 	 * The parameter walking depends on this as well.
2252 	 */
2253 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2254 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2255 						  commands);
2256 
2257 	/* Process the error here */
2258 	/* FUTURE FIXME:  When PR-SCTP related and other optional
2259 	 * parms are emitted, this will have to change to handle multiple
2260 	 * errors.
2261 	 */
2262 	sctp_walk_errors(err, chunk->chunk_hdr) {
2263 		if (SCTP_ERROR_STALE_COOKIE == err->cause)
2264 			return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2265 							arg, commands);
2266 	}
2267 
2268 	/* It is possible to have malformed error causes, and that
2269 	 * will cause us to end the walk early.  However, since
2270 	 * we are discarding the packet, there should be no adverse
2271 	 * affects.
2272 	 */
2273 	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2274 }
2275 
2276 /*
2277  * Handle a Stale COOKIE Error
2278  *
2279  * Section: 5.2.6 Handle Stale COOKIE Error
2280  * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2281  * one of the following three alternatives.
2282  * ...
2283  * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2284  *    Preservative parameter requesting an extension to the lifetime of
2285  *    the State Cookie. When calculating the time extension, an
2286  *    implementation SHOULD use the RTT information measured based on the
2287  *    previous COOKIE ECHO / ERROR exchange, and should add no more
2288  *    than 1 second beyond the measured RTT, due to long State Cookie
2289  *    lifetimes making the endpoint more subject to a replay attack.
2290  *
2291  * Verification Tag:  Not explicit, but safe to ignore.
2292  *
2293  * Inputs
2294  * (endpoint, asoc, chunk)
2295  *
2296  * Outputs
2297  * (asoc, reply_msg, msg_up, timers, counters)
2298  *
2299  * The return value is the disposition of the chunk.
2300  */
2301 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
2302 						 const struct sctp_endpoint *ep,
2303 						 const struct sctp_association *asoc,
2304 						 const sctp_subtype_t type,
2305 						 void *arg,
2306 						 sctp_cmd_seq_t *commands)
2307 {
2308 	struct sctp_chunk *chunk = arg;
2309 	u32 stale;
2310 	sctp_cookie_preserve_param_t bht;
2311 	sctp_errhdr_t *err;
2312 	struct sctp_chunk *reply;
2313 	struct sctp_bind_addr *bp;
2314 	int attempts = asoc->init_err_counter + 1;
2315 
2316 	if (attempts > asoc->max_init_attempts) {
2317 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2318 				SCTP_ERROR(ETIMEDOUT));
2319 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2320 				SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2321 		return SCTP_DISPOSITION_DELETE_TCB;
2322 	}
2323 
2324 	err = (sctp_errhdr_t *)(chunk->skb->data);
2325 
2326 	/* When calculating the time extension, an implementation
2327 	 * SHOULD use the RTT information measured based on the
2328 	 * previous COOKIE ECHO / ERROR exchange, and should add no
2329 	 * more than 1 second beyond the measured RTT, due to long
2330 	 * State Cookie lifetimes making the endpoint more subject to
2331 	 * a replay attack.
2332 	 * Measure of Staleness's unit is usec. (1/1000000 sec)
2333 	 * Suggested Cookie Life-span Increment's unit is msec.
2334 	 * (1/1000 sec)
2335 	 * In general, if you use the suggested cookie life, the value
2336 	 * found in the field of measure of staleness should be doubled
2337 	 * to give ample time to retransmit the new cookie and thus
2338 	 * yield a higher probability of success on the reattempt.
2339 	 */
2340 	stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2341 	stale = (stale * 2) / 1000;
2342 
2343 	bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2344 	bht.param_hdr.length = htons(sizeof(bht));
2345 	bht.lifespan_increment = htonl(stale);
2346 
2347 	/* Build that new INIT chunk.  */
2348 	bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2349 	reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2350 	if (!reply)
2351 		goto nomem;
2352 
2353 	sctp_addto_chunk(reply, sizeof(bht), &bht);
2354 
2355 	/* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2356 	sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2357 
2358 	/* Stop pending T3-rtx and heartbeat timers */
2359 	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2360 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2361 
2362 	/* Delete non-primary peer ip addresses since we are transitioning
2363 	 * back to the COOKIE-WAIT state
2364 	 */
2365 	sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2366 
2367 	/* If we've sent any data bundled with COOKIE-ECHO we will need to
2368 	 * resend
2369 	 */
2370 	sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2371 			SCTP_TRANSPORT(asoc->peer.primary_path));
2372 
2373 	/* Cast away the const modifier, as we want to just
2374 	 * rerun it through as a sideffect.
2375 	 */
2376 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2377 
2378 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2379 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2380 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2381 			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2382 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2383 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2384 
2385 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2386 
2387 	return SCTP_DISPOSITION_CONSUME;
2388 
2389 nomem:
2390 	return SCTP_DISPOSITION_NOMEM;
2391 }
2392 
2393 /*
2394  * Process an ABORT.
2395  *
2396  * Section: 9.1
2397  * After checking the Verification Tag, the receiving endpoint shall
2398  * remove the association from its record, and shall report the
2399  * termination to its upper layer.
2400  *
2401  * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2402  * B) Rules for packet carrying ABORT:
2403  *
2404  *  - The endpoint shall always fill in the Verification Tag field of the
2405  *    outbound packet with the destination endpoint's tag value if it
2406  *    is known.
2407  *
2408  *  - If the ABORT is sent in response to an OOTB packet, the endpoint
2409  *    MUST follow the procedure described in Section 8.4.
2410  *
2411  *  - The receiver MUST accept the packet if the Verification Tag
2412  *    matches either its own tag, OR the tag of its peer. Otherwise, the
2413  *    receiver MUST silently discard the packet and take no further
2414  *    action.
2415  *
2416  * Inputs
2417  * (endpoint, asoc, chunk)
2418  *
2419  * Outputs
2420  * (asoc, reply_msg, msg_up, timers, counters)
2421  *
2422  * The return value is the disposition of the chunk.
2423  */
2424 sctp_disposition_t sctp_sf_do_9_1_abort(struct net *net,
2425 					const struct sctp_endpoint *ep,
2426 					const struct sctp_association *asoc,
2427 					const sctp_subtype_t type,
2428 					void *arg,
2429 					sctp_cmd_seq_t *commands)
2430 {
2431 	struct sctp_chunk *chunk = arg;
2432 
2433 	if (!sctp_vtag_verify_either(chunk, asoc))
2434 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2435 
2436 	/* Make sure that the ABORT chunk has a valid length.
2437 	 * Since this is an ABORT chunk, we have to discard it
2438 	 * because of the following text:
2439 	 * RFC 2960, Section 3.3.7
2440 	 *    If an endpoint receives an ABORT with a format error or for an
2441 	 *    association that doesn't exist, it MUST silently discard it.
2442 	 * Because the length is "invalid", we can't really discard just
2443 	 * as we do not know its true length.  So, to be safe, discard the
2444 	 * packet.
2445 	 */
2446 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2447 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2448 
2449 	/* ADD-IP: Special case for ABORT chunks
2450 	 * F4)  One special consideration is that ABORT Chunks arriving
2451 	 * destined to the IP address being deleted MUST be
2452 	 * ignored (see Section 5.3.1 for further details).
2453 	 */
2454 	if (SCTP_ADDR_DEL ==
2455 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2456 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2457 
2458 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2459 }
2460 
2461 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
2462 					const struct sctp_endpoint *ep,
2463 					const struct sctp_association *asoc,
2464 					const sctp_subtype_t type,
2465 					void *arg,
2466 					sctp_cmd_seq_t *commands)
2467 {
2468 	struct sctp_chunk *chunk = arg;
2469 	unsigned int len;
2470 	__be16 error = SCTP_ERROR_NO_ERROR;
2471 
2472 	/* See if we have an error cause code in the chunk.  */
2473 	len = ntohs(chunk->chunk_hdr->length);
2474 	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
2475 
2476 		sctp_errhdr_t *err;
2477 		sctp_walk_errors(err, chunk->chunk_hdr);
2478 		if ((void *)err != (void *)chunk->chunk_end)
2479 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2480 
2481 		error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2482 	}
2483 
2484 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2485 	/* ASSOC_FAILED will DELETE_TCB. */
2486 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2487 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2488 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2489 
2490 	return SCTP_DISPOSITION_ABORT;
2491 }
2492 
2493 /*
2494  * Process an ABORT.  (COOKIE-WAIT state)
2495  *
2496  * See sctp_sf_do_9_1_abort() above.
2497  */
2498 sctp_disposition_t sctp_sf_cookie_wait_abort(struct net *net,
2499 				     const struct sctp_endpoint *ep,
2500 				     const struct sctp_association *asoc,
2501 				     const sctp_subtype_t type,
2502 				     void *arg,
2503 				     sctp_cmd_seq_t *commands)
2504 {
2505 	struct sctp_chunk *chunk = arg;
2506 	unsigned int len;
2507 	__be16 error = SCTP_ERROR_NO_ERROR;
2508 
2509 	if (!sctp_vtag_verify_either(chunk, asoc))
2510 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2511 
2512 	/* Make sure that the ABORT chunk has a valid length.
2513 	 * Since this is an ABORT chunk, we have to discard it
2514 	 * because of the following text:
2515 	 * RFC 2960, Section 3.3.7
2516 	 *    If an endpoint receives an ABORT with a format error or for an
2517 	 *    association that doesn't exist, it MUST silently discard it.
2518 	 * Because the length is "invalid", we can't really discard just
2519 	 * as we do not know its true length.  So, to be safe, discard the
2520 	 * packet.
2521 	 */
2522 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2523 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2524 
2525 	/* See if we have an error cause code in the chunk.  */
2526 	len = ntohs(chunk->chunk_hdr->length);
2527 	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2528 		error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2529 
2530 	return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2531 				      chunk->transport);
2532 }
2533 
2534 /*
2535  * Process an incoming ICMP as an ABORT.  (COOKIE-WAIT state)
2536  */
2537 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(struct net *net,
2538 					const struct sctp_endpoint *ep,
2539 					const struct sctp_association *asoc,
2540 					const sctp_subtype_t type,
2541 					void *arg,
2542 					sctp_cmd_seq_t *commands)
2543 {
2544 	return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2545 				      ENOPROTOOPT, asoc,
2546 				      (struct sctp_transport *)arg);
2547 }
2548 
2549 /*
2550  * Process an ABORT.  (COOKIE-ECHOED state)
2551  */
2552 sctp_disposition_t sctp_sf_cookie_echoed_abort(struct net *net,
2553 					       const struct sctp_endpoint *ep,
2554 					       const struct sctp_association *asoc,
2555 					       const sctp_subtype_t type,
2556 					       void *arg,
2557 					       sctp_cmd_seq_t *commands)
2558 {
2559 	/* There is a single T1 timer, so we should be able to use
2560 	 * common function with the COOKIE-WAIT state.
2561 	 */
2562 	return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2563 }
2564 
2565 /*
2566  * Stop T1 timer and abort association with "INIT failed".
2567  *
2568  * This is common code called by several sctp_sf_*_abort() functions above.
2569  */
2570 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
2571 					   sctp_cmd_seq_t *commands,
2572 					   __be16 error, int sk_err,
2573 					   const struct sctp_association *asoc,
2574 					   struct sctp_transport *transport)
2575 {
2576 	pr_debug("%s: ABORT received (INIT)\n", __func__);
2577 
2578 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2579 			SCTP_STATE(SCTP_STATE_CLOSED));
2580 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2581 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2582 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2583 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2584 	/* CMD_INIT_FAILED will DELETE_TCB. */
2585 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2586 			SCTP_PERR(error));
2587 
2588 	return SCTP_DISPOSITION_ABORT;
2589 }
2590 
2591 /*
2592  * sctp_sf_do_9_2_shut
2593  *
2594  * Section: 9.2
2595  * Upon the reception of the SHUTDOWN, the peer endpoint shall
2596  *  - enter the SHUTDOWN-RECEIVED state,
2597  *
2598  *  - stop accepting new data from its SCTP user
2599  *
2600  *  - verify, by checking the Cumulative TSN Ack field of the chunk,
2601  *    that all its outstanding DATA chunks have been received by the
2602  *    SHUTDOWN sender.
2603  *
2604  * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2605  * send a SHUTDOWN in response to a ULP request. And should discard
2606  * subsequent SHUTDOWN chunks.
2607  *
2608  * If there are still outstanding DATA chunks left, the SHUTDOWN
2609  * receiver shall continue to follow normal data transmission
2610  * procedures defined in Section 6 until all outstanding DATA chunks
2611  * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2612  * new data from its SCTP user.
2613  *
2614  * Verification Tag:  8.5 Verification Tag [Normal verification]
2615  *
2616  * Inputs
2617  * (endpoint, asoc, chunk)
2618  *
2619  * Outputs
2620  * (asoc, reply_msg, msg_up, timers, counters)
2621  *
2622  * The return value is the disposition of the chunk.
2623  */
2624 sctp_disposition_t sctp_sf_do_9_2_shutdown(struct net *net,
2625 					   const struct sctp_endpoint *ep,
2626 					   const struct sctp_association *asoc,
2627 					   const sctp_subtype_t type,
2628 					   void *arg,
2629 					   sctp_cmd_seq_t *commands)
2630 {
2631 	struct sctp_chunk *chunk = arg;
2632 	sctp_shutdownhdr_t *sdh;
2633 	sctp_disposition_t disposition;
2634 	struct sctp_ulpevent *ev;
2635 	__u32 ctsn;
2636 
2637 	if (!sctp_vtag_verify(chunk, asoc))
2638 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2639 
2640 	/* Make sure that the SHUTDOWN chunk has a valid length. */
2641 	if (!sctp_chunk_length_valid(chunk,
2642 				      sizeof(struct sctp_shutdown_chunk_t)))
2643 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2644 						  commands);
2645 
2646 	/* Convert the elaborate header.  */
2647 	sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2648 	skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2649 	chunk->subh.shutdown_hdr = sdh;
2650 	ctsn = ntohl(sdh->cum_tsn_ack);
2651 
2652 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2653 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2654 			 asoc->ctsn_ack_point);
2655 
2656 		return SCTP_DISPOSITION_DISCARD;
2657 	}
2658 
2659 	/* If Cumulative TSN Ack beyond the max tsn currently
2660 	 * send, terminating the association and respond to the
2661 	 * sender with an ABORT.
2662 	 */
2663 	if (!TSN_lt(ctsn, asoc->next_tsn))
2664 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2665 
2666 	/* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2667 	 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2668 	 * inform the application that it should cease sending data.
2669 	 */
2670 	ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2671 	if (!ev) {
2672 		disposition = SCTP_DISPOSITION_NOMEM;
2673 		goto out;
2674 	}
2675 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2676 
2677 	/* Upon the reception of the SHUTDOWN, the peer endpoint shall
2678 	 *  - enter the SHUTDOWN-RECEIVED state,
2679 	 *  - stop accepting new data from its SCTP user
2680 	 *
2681 	 * [This is implicit in the new state.]
2682 	 */
2683 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2684 			SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2685 	disposition = SCTP_DISPOSITION_CONSUME;
2686 
2687 	if (sctp_outq_is_empty(&asoc->outqueue)) {
2688 		disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2689 							  arg, commands);
2690 	}
2691 
2692 	if (SCTP_DISPOSITION_NOMEM == disposition)
2693 		goto out;
2694 
2695 	/*  - verify, by checking the Cumulative TSN Ack field of the
2696 	 *    chunk, that all its outstanding DATA chunks have been
2697 	 *    received by the SHUTDOWN sender.
2698 	 */
2699 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2700 			SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2701 
2702 out:
2703 	return disposition;
2704 }
2705 
2706 /*
2707  * sctp_sf_do_9_2_shut_ctsn
2708  *
2709  * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2710  * it MUST NOT send a SHUTDOWN in response to a ULP request.
2711  * The Cumulative TSN Ack of the received SHUTDOWN chunk
2712  * MUST be processed.
2713  */
2714 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(struct net *net,
2715 					   const struct sctp_endpoint *ep,
2716 					   const struct sctp_association *asoc,
2717 					   const sctp_subtype_t type,
2718 					   void *arg,
2719 					   sctp_cmd_seq_t *commands)
2720 {
2721 	struct sctp_chunk *chunk = arg;
2722 	sctp_shutdownhdr_t *sdh;
2723 	__u32 ctsn;
2724 
2725 	if (!sctp_vtag_verify(chunk, asoc))
2726 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2727 
2728 	/* Make sure that the SHUTDOWN chunk has a valid length. */
2729 	if (!sctp_chunk_length_valid(chunk,
2730 				      sizeof(struct sctp_shutdown_chunk_t)))
2731 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2732 						  commands);
2733 
2734 	sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2735 	ctsn = ntohl(sdh->cum_tsn_ack);
2736 
2737 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2738 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2739 			 asoc->ctsn_ack_point);
2740 
2741 		return SCTP_DISPOSITION_DISCARD;
2742 	}
2743 
2744 	/* If Cumulative TSN Ack beyond the max tsn currently
2745 	 * send, terminating the association and respond to the
2746 	 * sender with an ABORT.
2747 	 */
2748 	if (!TSN_lt(ctsn, asoc->next_tsn))
2749 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2750 
2751 	/* verify, by checking the Cumulative TSN Ack field of the
2752 	 * chunk, that all its outstanding DATA chunks have been
2753 	 * received by the SHUTDOWN sender.
2754 	 */
2755 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2756 			SCTP_BE32(sdh->cum_tsn_ack));
2757 
2758 	return SCTP_DISPOSITION_CONSUME;
2759 }
2760 
2761 /* RFC 2960 9.2
2762  * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2763  * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2764  * transport addresses (either in the IP addresses or in the INIT chunk)
2765  * that belong to this association, it should discard the INIT chunk and
2766  * retransmit the SHUTDOWN ACK chunk.
2767  */
2768 sctp_disposition_t sctp_sf_do_9_2_reshutack(struct net *net,
2769 				    const struct sctp_endpoint *ep,
2770 				    const struct sctp_association *asoc,
2771 				    const sctp_subtype_t type,
2772 				    void *arg,
2773 				    sctp_cmd_seq_t *commands)
2774 {
2775 	struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2776 	struct sctp_chunk *reply;
2777 
2778 	/* Make sure that the chunk has a valid length */
2779 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2780 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2781 						  commands);
2782 
2783 	/* Since we are not going to really process this INIT, there
2784 	 * is no point in verifying chunk boundries.  Just generate
2785 	 * the SHUTDOWN ACK.
2786 	 */
2787 	reply = sctp_make_shutdown_ack(asoc, chunk);
2788 	if (NULL == reply)
2789 		goto nomem;
2790 
2791 	/* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2792 	 * the T2-SHUTDOWN timer.
2793 	 */
2794 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2795 
2796 	/* and restart the T2-shutdown timer. */
2797 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2798 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2799 
2800 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2801 
2802 	return SCTP_DISPOSITION_CONSUME;
2803 nomem:
2804 	return SCTP_DISPOSITION_NOMEM;
2805 }
2806 
2807 /*
2808  * sctp_sf_do_ecn_cwr
2809  *
2810  * Section:  Appendix A: Explicit Congestion Notification
2811  *
2812  * CWR:
2813  *
2814  * RFC 2481 details a specific bit for a sender to send in the header of
2815  * its next outbound TCP segment to indicate to its peer that it has
2816  * reduced its congestion window.  This is termed the CWR bit.  For
2817  * SCTP the same indication is made by including the CWR chunk.
2818  * This chunk contains one data element, i.e. the TSN number that
2819  * was sent in the ECNE chunk.  This element represents the lowest
2820  * TSN number in the datagram that was originally marked with the
2821  * CE bit.
2822  *
2823  * Verification Tag: 8.5 Verification Tag [Normal verification]
2824  * Inputs
2825  * (endpoint, asoc, chunk)
2826  *
2827  * Outputs
2828  * (asoc, reply_msg, msg_up, timers, counters)
2829  *
2830  * The return value is the disposition of the chunk.
2831  */
2832 sctp_disposition_t sctp_sf_do_ecn_cwr(struct net *net,
2833 				      const struct sctp_endpoint *ep,
2834 				      const struct sctp_association *asoc,
2835 				      const sctp_subtype_t type,
2836 				      void *arg,
2837 				      sctp_cmd_seq_t *commands)
2838 {
2839 	sctp_cwrhdr_t *cwr;
2840 	struct sctp_chunk *chunk = arg;
2841 	u32 lowest_tsn;
2842 
2843 	if (!sctp_vtag_verify(chunk, asoc))
2844 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2845 
2846 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2847 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2848 						  commands);
2849 
2850 	cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2851 	skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2852 
2853 	lowest_tsn = ntohl(cwr->lowest_tsn);
2854 
2855 	/* Does this CWR ack the last sent congestion notification? */
2856 	if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2857 		/* Stop sending ECNE. */
2858 		sctp_add_cmd_sf(commands,
2859 				SCTP_CMD_ECN_CWR,
2860 				SCTP_U32(lowest_tsn));
2861 	}
2862 	return SCTP_DISPOSITION_CONSUME;
2863 }
2864 
2865 /*
2866  * sctp_sf_do_ecne
2867  *
2868  * Section:  Appendix A: Explicit Congestion Notification
2869  *
2870  * ECN-Echo
2871  *
2872  * RFC 2481 details a specific bit for a receiver to send back in its
2873  * TCP acknowledgements to notify the sender of the Congestion
2874  * Experienced (CE) bit having arrived from the network.  For SCTP this
2875  * same indication is made by including the ECNE chunk.  This chunk
2876  * contains one data element, i.e. the lowest TSN associated with the IP
2877  * datagram marked with the CE bit.....
2878  *
2879  * Verification Tag: 8.5 Verification Tag [Normal verification]
2880  * Inputs
2881  * (endpoint, asoc, chunk)
2882  *
2883  * Outputs
2884  * (asoc, reply_msg, msg_up, timers, counters)
2885  *
2886  * The return value is the disposition of the chunk.
2887  */
2888 sctp_disposition_t sctp_sf_do_ecne(struct net *net,
2889 				   const struct sctp_endpoint *ep,
2890 				   const struct sctp_association *asoc,
2891 				   const sctp_subtype_t type,
2892 				   void *arg,
2893 				   sctp_cmd_seq_t *commands)
2894 {
2895 	sctp_ecnehdr_t *ecne;
2896 	struct sctp_chunk *chunk = arg;
2897 
2898 	if (!sctp_vtag_verify(chunk, asoc))
2899 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2900 
2901 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2902 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2903 						  commands);
2904 
2905 	ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2906 	skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2907 
2908 	/* If this is a newer ECNE than the last CWR packet we sent out */
2909 	sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2910 			SCTP_U32(ntohl(ecne->lowest_tsn)));
2911 
2912 	return SCTP_DISPOSITION_CONSUME;
2913 }
2914 
2915 /*
2916  * Section: 6.2  Acknowledgement on Reception of DATA Chunks
2917  *
2918  * The SCTP endpoint MUST always acknowledge the reception of each valid
2919  * DATA chunk.
2920  *
2921  * The guidelines on delayed acknowledgement algorithm specified in
2922  * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2923  * acknowledgement SHOULD be generated for at least every second packet
2924  * (not every second DATA chunk) received, and SHOULD be generated within
2925  * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2926  * situations it may be beneficial for an SCTP transmitter to be more
2927  * conservative than the algorithms detailed in this document allow.
2928  * However, an SCTP transmitter MUST NOT be more aggressive than the
2929  * following algorithms allow.
2930  *
2931  * A SCTP receiver MUST NOT generate more than one SACK for every
2932  * incoming packet, other than to update the offered window as the
2933  * receiving application consumes new data.
2934  *
2935  * Verification Tag:  8.5 Verification Tag [Normal verification]
2936  *
2937  * Inputs
2938  * (endpoint, asoc, chunk)
2939  *
2940  * Outputs
2941  * (asoc, reply_msg, msg_up, timers, counters)
2942  *
2943  * The return value is the disposition of the chunk.
2944  */
2945 sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net,
2946 					const struct sctp_endpoint *ep,
2947 					const struct sctp_association *asoc,
2948 					const sctp_subtype_t type,
2949 					void *arg,
2950 					sctp_cmd_seq_t *commands)
2951 {
2952 	struct sctp_chunk *chunk = arg;
2953 	sctp_arg_t force = SCTP_NOFORCE();
2954 	int error;
2955 
2956 	if (!sctp_vtag_verify(chunk, asoc)) {
2957 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2958 				SCTP_NULL());
2959 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2960 	}
2961 
2962 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2963 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2964 						  commands);
2965 
2966 	error = sctp_eat_data(asoc, chunk, commands);
2967 	switch (error) {
2968 	case SCTP_IERROR_NO_ERROR:
2969 		break;
2970 	case SCTP_IERROR_HIGH_TSN:
2971 	case SCTP_IERROR_BAD_STREAM:
2972 		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2973 		goto discard_noforce;
2974 	case SCTP_IERROR_DUP_TSN:
2975 	case SCTP_IERROR_IGNORE_TSN:
2976 		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2977 		goto discard_force;
2978 	case SCTP_IERROR_NO_DATA:
2979 		goto consume;
2980 	case SCTP_IERROR_PROTO_VIOLATION:
2981 		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
2982 			(u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
2983 	default:
2984 		BUG();
2985 	}
2986 
2987 	if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
2988 		force = SCTP_FORCE();
2989 
2990 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
2991 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2992 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2993 	}
2994 
2995 	/* If this is the last chunk in a packet, we need to count it
2996 	 * toward sack generation.  Note that we need to SACK every
2997 	 * OTHER packet containing data chunks, EVEN IF WE DISCARD
2998 	 * THEM.  We elect to NOT generate SACK's if the chunk fails
2999 	 * the verification tag test.
3000 	 *
3001 	 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3002 	 *
3003 	 * The SCTP endpoint MUST always acknowledge the reception of
3004 	 * each valid DATA chunk.
3005 	 *
3006 	 * The guidelines on delayed acknowledgement algorithm
3007 	 * specified in  Section 4.2 of [RFC2581] SHOULD be followed.
3008 	 * Specifically, an acknowledgement SHOULD be generated for at
3009 	 * least every second packet (not every second DATA chunk)
3010 	 * received, and SHOULD be generated within 200 ms of the
3011 	 * arrival of any unacknowledged DATA chunk.  In some
3012 	 * situations it may be beneficial for an SCTP transmitter to
3013 	 * be more conservative than the algorithms detailed in this
3014 	 * document allow. However, an SCTP transmitter MUST NOT be
3015 	 * more aggressive than the following algorithms allow.
3016 	 */
3017 	if (chunk->end_of_packet)
3018 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3019 
3020 	return SCTP_DISPOSITION_CONSUME;
3021 
3022 discard_force:
3023 	/* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3024 	 *
3025 	 * When a packet arrives with duplicate DATA chunk(s) and with
3026 	 * no new DATA chunk(s), the endpoint MUST immediately send a
3027 	 * SACK with no delay.  If a packet arrives with duplicate
3028 	 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3029 	 * MAY immediately send a SACK.  Normally receipt of duplicate
3030 	 * DATA chunks will occur when the original SACK chunk was lost
3031 	 * and the peer's RTO has expired.  The duplicate TSN number(s)
3032 	 * SHOULD be reported in the SACK as duplicate.
3033 	 */
3034 	/* In our case, we split the MAY SACK advice up whether or not
3035 	 * the last chunk is a duplicate.'
3036 	 */
3037 	if (chunk->end_of_packet)
3038 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3039 	return SCTP_DISPOSITION_DISCARD;
3040 
3041 discard_noforce:
3042 	if (chunk->end_of_packet)
3043 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3044 
3045 	return SCTP_DISPOSITION_DISCARD;
3046 consume:
3047 	return SCTP_DISPOSITION_CONSUME;
3048 
3049 }
3050 
3051 /*
3052  * sctp_sf_eat_data_fast_4_4
3053  *
3054  * Section: 4 (4)
3055  * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3056  *    DATA chunks without delay.
3057  *
3058  * Verification Tag:  8.5 Verification Tag [Normal verification]
3059  * Inputs
3060  * (endpoint, asoc, chunk)
3061  *
3062  * Outputs
3063  * (asoc, reply_msg, msg_up, timers, counters)
3064  *
3065  * The return value is the disposition of the chunk.
3066  */
3067 sctp_disposition_t sctp_sf_eat_data_fast_4_4(struct net *net,
3068 				     const struct sctp_endpoint *ep,
3069 				     const struct sctp_association *asoc,
3070 				     const sctp_subtype_t type,
3071 				     void *arg,
3072 				     sctp_cmd_seq_t *commands)
3073 {
3074 	struct sctp_chunk *chunk = arg;
3075 	int error;
3076 
3077 	if (!sctp_vtag_verify(chunk, asoc)) {
3078 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3079 				SCTP_NULL());
3080 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3081 	}
3082 
3083 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
3084 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3085 						  commands);
3086 
3087 	error = sctp_eat_data(asoc, chunk, commands);
3088 	switch (error) {
3089 	case SCTP_IERROR_NO_ERROR:
3090 	case SCTP_IERROR_HIGH_TSN:
3091 	case SCTP_IERROR_DUP_TSN:
3092 	case SCTP_IERROR_IGNORE_TSN:
3093 	case SCTP_IERROR_BAD_STREAM:
3094 		break;
3095 	case SCTP_IERROR_NO_DATA:
3096 		goto consume;
3097 	case SCTP_IERROR_PROTO_VIOLATION:
3098 		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3099 			(u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
3100 	default:
3101 		BUG();
3102 	}
3103 
3104 	/* Go a head and force a SACK, since we are shutting down. */
3105 
3106 	/* Implementor's Guide.
3107 	 *
3108 	 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3109 	 * respond to each received packet containing one or more DATA chunk(s)
3110 	 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3111 	 */
3112 	if (chunk->end_of_packet) {
3113 		/* We must delay the chunk creation since the cumulative
3114 		 * TSN has not been updated yet.
3115 		 */
3116 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3117 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3118 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3119 				SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3120 	}
3121 
3122 consume:
3123 	return SCTP_DISPOSITION_CONSUME;
3124 }
3125 
3126 /*
3127  * Section: 6.2  Processing a Received SACK
3128  * D) Any time a SACK arrives, the endpoint performs the following:
3129  *
3130  *     i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3131  *     then drop the SACK.   Since Cumulative TSN Ack is monotonically
3132  *     increasing, a SACK whose Cumulative TSN Ack is less than the
3133  *     Cumulative TSN Ack Point indicates an out-of-order SACK.
3134  *
3135  *     ii) Set rwnd equal to the newly received a_rwnd minus the number
3136  *     of bytes still outstanding after processing the Cumulative TSN Ack
3137  *     and the Gap Ack Blocks.
3138  *
3139  *     iii) If the SACK is missing a TSN that was previously
3140  *     acknowledged via a Gap Ack Block (e.g., the data receiver
3141  *     reneged on the data), then mark the corresponding DATA chunk
3142  *     as available for retransmit:  Mark it as missing for fast
3143  *     retransmit as described in Section 7.2.4 and if no retransmit
3144  *     timer is running for the destination address to which the DATA
3145  *     chunk was originally transmitted, then T3-rtx is started for
3146  *     that destination address.
3147  *
3148  * Verification Tag:  8.5 Verification Tag [Normal verification]
3149  *
3150  * Inputs
3151  * (endpoint, asoc, chunk)
3152  *
3153  * Outputs
3154  * (asoc, reply_msg, msg_up, timers, counters)
3155  *
3156  * The return value is the disposition of the chunk.
3157  */
3158 sctp_disposition_t sctp_sf_eat_sack_6_2(struct net *net,
3159 					const struct sctp_endpoint *ep,
3160 					const struct sctp_association *asoc,
3161 					const sctp_subtype_t type,
3162 					void *arg,
3163 					sctp_cmd_seq_t *commands)
3164 {
3165 	struct sctp_chunk *chunk = arg;
3166 	sctp_sackhdr_t *sackh;
3167 	__u32 ctsn;
3168 
3169 	if (!sctp_vtag_verify(chunk, asoc))
3170 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3171 
3172 	/* Make sure that the SACK chunk has a valid length. */
3173 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
3174 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3175 						  commands);
3176 
3177 	/* Pull the SACK chunk from the data buffer */
3178 	sackh = sctp_sm_pull_sack(chunk);
3179 	/* Was this a bogus SACK? */
3180 	if (!sackh)
3181 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3182 	chunk->subh.sack_hdr = sackh;
3183 	ctsn = ntohl(sackh->cum_tsn_ack);
3184 
3185 	/* i) If Cumulative TSN Ack is less than the Cumulative TSN
3186 	 *     Ack Point, then drop the SACK.  Since Cumulative TSN
3187 	 *     Ack is monotonically increasing, a SACK whose
3188 	 *     Cumulative TSN Ack is less than the Cumulative TSN Ack
3189 	 *     Point indicates an out-of-order SACK.
3190 	 */
3191 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3192 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3193 			 asoc->ctsn_ack_point);
3194 
3195 		return SCTP_DISPOSITION_DISCARD;
3196 	}
3197 
3198 	/* If Cumulative TSN Ack beyond the max tsn currently
3199 	 * send, terminating the association and respond to the
3200 	 * sender with an ABORT.
3201 	 */
3202 	if (!TSN_lt(ctsn, asoc->next_tsn))
3203 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3204 
3205 	/* Return this SACK for further processing.  */
3206 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3207 
3208 	/* Note: We do the rest of the work on the PROCESS_SACK
3209 	 * sideeffect.
3210 	 */
3211 	return SCTP_DISPOSITION_CONSUME;
3212 }
3213 
3214 /*
3215  * Generate an ABORT in response to a packet.
3216  *
3217  * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3218  *
3219  * 8) The receiver should respond to the sender of the OOTB packet with
3220  *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3221  *    MUST fill in the Verification Tag field of the outbound packet
3222  *    with the value found in the Verification Tag field of the OOTB
3223  *    packet and set the T-bit in the Chunk Flags to indicate that the
3224  *    Verification Tag is reflected.  After sending this ABORT, the
3225  *    receiver of the OOTB packet shall discard the OOTB packet and take
3226  *    no further action.
3227  *
3228  * Verification Tag:
3229  *
3230  * The return value is the disposition of the chunk.
3231 */
3232 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
3233 					const struct sctp_endpoint *ep,
3234 					const struct sctp_association *asoc,
3235 					const sctp_subtype_t type,
3236 					void *arg,
3237 					sctp_cmd_seq_t *commands)
3238 {
3239 	struct sctp_packet *packet = NULL;
3240 	struct sctp_chunk *chunk = arg;
3241 	struct sctp_chunk *abort;
3242 
3243 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3244 
3245 	if (packet) {
3246 		/* Make an ABORT. The T bit will be set if the asoc
3247 		 * is NULL.
3248 		 */
3249 		abort = sctp_make_abort(asoc, chunk, 0);
3250 		if (!abort) {
3251 			sctp_ootb_pkt_free(packet);
3252 			return SCTP_DISPOSITION_NOMEM;
3253 		}
3254 
3255 		/* Reflect vtag if T-Bit is set */
3256 		if (sctp_test_T_bit(abort))
3257 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3258 
3259 		/* Set the skb to the belonging sock for accounting.  */
3260 		abort->skb->sk = ep->base.sk;
3261 
3262 		sctp_packet_append_chunk(packet, abort);
3263 
3264 		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3265 				SCTP_PACKET(packet));
3266 
3267 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3268 
3269 		sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3270 		return SCTP_DISPOSITION_CONSUME;
3271 	}
3272 
3273 	return SCTP_DISPOSITION_NOMEM;
3274 }
3275 
3276 /*
3277  * Received an ERROR chunk from peer.  Generate SCTP_REMOTE_ERROR
3278  * event as ULP notification for each cause included in the chunk.
3279  *
3280  * API 5.3.1.3 - SCTP_REMOTE_ERROR
3281  *
3282  * The return value is the disposition of the chunk.
3283 */
3284 sctp_disposition_t sctp_sf_operr_notify(struct net *net,
3285 					const struct sctp_endpoint *ep,
3286 					const struct sctp_association *asoc,
3287 					const sctp_subtype_t type,
3288 					void *arg,
3289 					sctp_cmd_seq_t *commands)
3290 {
3291 	struct sctp_chunk *chunk = arg;
3292 	sctp_errhdr_t *err;
3293 
3294 	if (!sctp_vtag_verify(chunk, asoc))
3295 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3296 
3297 	/* Make sure that the ERROR chunk has a valid length. */
3298 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3299 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3300 						  commands);
3301 	sctp_walk_errors(err, chunk->chunk_hdr);
3302 	if ((void *)err != (void *)chunk->chunk_end)
3303 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3304 						  (void *)err, commands);
3305 
3306 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3307 			SCTP_CHUNK(chunk));
3308 
3309 	return SCTP_DISPOSITION_CONSUME;
3310 }
3311 
3312 /*
3313  * Process an inbound SHUTDOWN ACK.
3314  *
3315  * From Section 9.2:
3316  * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3317  * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3318  * peer, and remove all record of the association.
3319  *
3320  * The return value is the disposition.
3321  */
3322 sctp_disposition_t sctp_sf_do_9_2_final(struct net *net,
3323 					const struct sctp_endpoint *ep,
3324 					const struct sctp_association *asoc,
3325 					const sctp_subtype_t type,
3326 					void *arg,
3327 					sctp_cmd_seq_t *commands)
3328 {
3329 	struct sctp_chunk *chunk = arg;
3330 	struct sctp_chunk *reply;
3331 	struct sctp_ulpevent *ev;
3332 
3333 	if (!sctp_vtag_verify(chunk, asoc))
3334 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3335 
3336 	/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3337 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3338 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3339 						  commands);
3340 	/* 10.2 H) SHUTDOWN COMPLETE notification
3341 	 *
3342 	 * When SCTP completes the shutdown procedures (section 9.2) this
3343 	 * notification is passed to the upper layer.
3344 	 */
3345 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3346 					     0, 0, 0, NULL, GFP_ATOMIC);
3347 	if (!ev)
3348 		goto nomem;
3349 
3350 	/* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3351 	reply = sctp_make_shutdown_complete(asoc, chunk);
3352 	if (!reply)
3353 		goto nomem_chunk;
3354 
3355 	/* Do all the commands now (after allocation), so that we
3356 	 * have consistent state if memory allocation failes
3357 	 */
3358 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3359 
3360 	/* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3361 	 * stop the T2-shutdown timer,
3362 	 */
3363 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3364 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3365 
3366 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3367 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3368 
3369 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3370 			SCTP_STATE(SCTP_STATE_CLOSED));
3371 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3372 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3373 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3374 
3375 	/* ...and remove all record of the association. */
3376 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3377 	return SCTP_DISPOSITION_DELETE_TCB;
3378 
3379 nomem_chunk:
3380 	sctp_ulpevent_free(ev);
3381 nomem:
3382 	return SCTP_DISPOSITION_NOMEM;
3383 }
3384 
3385 /*
3386  * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3387  *
3388  * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3389  *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3390  *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3391  *    packet must fill in the Verification Tag field of the outbound
3392  *    packet with the Verification Tag received in the SHUTDOWN ACK and
3393  *    set the T-bit in the Chunk Flags to indicate that the Verification
3394  *    Tag is reflected.
3395  *
3396  * 8) The receiver should respond to the sender of the OOTB packet with
3397  *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3398  *    MUST fill in the Verification Tag field of the outbound packet
3399  *    with the value found in the Verification Tag field of the OOTB
3400  *    packet and set the T-bit in the Chunk Flags to indicate that the
3401  *    Verification Tag is reflected.  After sending this ABORT, the
3402  *    receiver of the OOTB packet shall discard the OOTB packet and take
3403  *    no further action.
3404  */
3405 sctp_disposition_t sctp_sf_ootb(struct net *net,
3406 				const struct sctp_endpoint *ep,
3407 				const struct sctp_association *asoc,
3408 				const sctp_subtype_t type,
3409 				void *arg,
3410 				sctp_cmd_seq_t *commands)
3411 {
3412 	struct sctp_chunk *chunk = arg;
3413 	struct sk_buff *skb = chunk->skb;
3414 	sctp_chunkhdr_t *ch;
3415 	sctp_errhdr_t *err;
3416 	__u8 *ch_end;
3417 	int ootb_shut_ack = 0;
3418 	int ootb_cookie_ack = 0;
3419 
3420 	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3421 
3422 	ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3423 	do {
3424 		/* Report violation if the chunk is less then minimal */
3425 		if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3426 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3427 						  commands);
3428 
3429 		/* Now that we know we at least have a chunk header,
3430 		 * do things that are type appropriate.
3431 		 */
3432 		if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3433 			ootb_shut_ack = 1;
3434 
3435 		/* RFC 2960, Section 3.3.7
3436 		 *   Moreover, under any circumstances, an endpoint that
3437 		 *   receives an ABORT  MUST NOT respond to that ABORT by
3438 		 *   sending an ABORT of its own.
3439 		 */
3440 		if (SCTP_CID_ABORT == ch->type)
3441 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3442 
3443 		/* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3444 		 * or a COOKIE ACK the SCTP Packet should be silently
3445 		 * discarded.
3446 		 */
3447 
3448 		if (SCTP_CID_COOKIE_ACK == ch->type)
3449 			ootb_cookie_ack = 1;
3450 
3451 		if (SCTP_CID_ERROR == ch->type) {
3452 			sctp_walk_errors(err, ch) {
3453 				if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3454 					ootb_cookie_ack = 1;
3455 					break;
3456 				}
3457 			}
3458 		}
3459 
3460 		/* Report violation if chunk len overflows */
3461 		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3462 		if (ch_end > skb_tail_pointer(skb))
3463 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3464 						  commands);
3465 
3466 		ch = (sctp_chunkhdr_t *) ch_end;
3467 	} while (ch_end < skb_tail_pointer(skb));
3468 
3469 	if (ootb_shut_ack)
3470 		return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3471 	else if (ootb_cookie_ack)
3472 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3473 	else
3474 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3475 }
3476 
3477 /*
3478  * Handle an "Out of the blue" SHUTDOWN ACK.
3479  *
3480  * Section: 8.4 5, sctpimpguide 2.41.
3481  *
3482  * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3483  *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3484  *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3485  *    packet must fill in the Verification Tag field of the outbound
3486  *    packet with the Verification Tag received in the SHUTDOWN ACK and
3487  *    set the T-bit in the Chunk Flags to indicate that the Verification
3488  *    Tag is reflected.
3489  *
3490  * Inputs
3491  * (endpoint, asoc, type, arg, commands)
3492  *
3493  * Outputs
3494  * (sctp_disposition_t)
3495  *
3496  * The return value is the disposition of the chunk.
3497  */
3498 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
3499 					     const struct sctp_endpoint *ep,
3500 					     const struct sctp_association *asoc,
3501 					     const sctp_subtype_t type,
3502 					     void *arg,
3503 					     sctp_cmd_seq_t *commands)
3504 {
3505 	struct sctp_packet *packet = NULL;
3506 	struct sctp_chunk *chunk = arg;
3507 	struct sctp_chunk *shut;
3508 
3509 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3510 
3511 	if (packet) {
3512 		/* Make an SHUTDOWN_COMPLETE.
3513 		 * The T bit will be set if the asoc is NULL.
3514 		 */
3515 		shut = sctp_make_shutdown_complete(asoc, chunk);
3516 		if (!shut) {
3517 			sctp_ootb_pkt_free(packet);
3518 			return SCTP_DISPOSITION_NOMEM;
3519 		}
3520 
3521 		/* Reflect vtag if T-Bit is set */
3522 		if (sctp_test_T_bit(shut))
3523 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3524 
3525 		/* Set the skb to the belonging sock for accounting.  */
3526 		shut->skb->sk = ep->base.sk;
3527 
3528 		sctp_packet_append_chunk(packet, shut);
3529 
3530 		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3531 				SCTP_PACKET(packet));
3532 
3533 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3534 
3535 		/* If the chunk length is invalid, we don't want to process
3536 		 * the reset of the packet.
3537 		 */
3538 		if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3539 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3540 
3541 		/* We need to discard the rest of the packet to prevent
3542 		 * potential bomming attacks from additional bundled chunks.
3543 		 * This is documented in SCTP Threats ID.
3544 		 */
3545 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3546 	}
3547 
3548 	return SCTP_DISPOSITION_NOMEM;
3549 }
3550 
3551 /*
3552  * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3553  *
3554  * Verification Tag:  8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3555  *   If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3556  *   procedures in section 8.4 SHOULD be followed, in other words it
3557  *   should be treated as an Out Of The Blue packet.
3558  *   [This means that we do NOT check the Verification Tag on these
3559  *   chunks. --piggy ]
3560  *
3561  */
3562 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(struct net *net,
3563 				      const struct sctp_endpoint *ep,
3564 				      const struct sctp_association *asoc,
3565 				      const sctp_subtype_t type,
3566 				      void *arg,
3567 				      sctp_cmd_seq_t *commands)
3568 {
3569 	struct sctp_chunk *chunk = arg;
3570 
3571 	/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3572 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3573 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3574 						  commands);
3575 
3576 	/* Although we do have an association in this case, it corresponds
3577 	 * to a restarted association. So the packet is treated as an OOTB
3578 	 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3579 	 * called with a NULL association.
3580 	 */
3581 	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3582 
3583 	return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3584 }
3585 
3586 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk.  */
3587 sctp_disposition_t sctp_sf_do_asconf(struct net *net,
3588 				     const struct sctp_endpoint *ep,
3589 				     const struct sctp_association *asoc,
3590 				     const sctp_subtype_t type, void *arg,
3591 				     sctp_cmd_seq_t *commands)
3592 {
3593 	struct sctp_chunk	*chunk = arg;
3594 	struct sctp_chunk	*asconf_ack = NULL;
3595 	struct sctp_paramhdr	*err_param = NULL;
3596 	sctp_addiphdr_t		*hdr;
3597 	__u32			serial;
3598 
3599 	if (!sctp_vtag_verify(chunk, asoc)) {
3600 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3601 				SCTP_NULL());
3602 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3603 	}
3604 
3605 	/* ADD-IP: Section 4.1.1
3606 	 * This chunk MUST be sent in an authenticated way by using
3607 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3608 	 * is received unauthenticated it MUST be silently discarded as
3609 	 * described in [I-D.ietf-tsvwg-sctp-auth].
3610 	 */
3611 	if (!net->sctp.addip_noauth && !chunk->auth)
3612 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
3613 
3614 	/* Make sure that the ASCONF ADDIP chunk has a valid length.  */
3615 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3616 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3617 						  commands);
3618 
3619 	hdr = (sctp_addiphdr_t *)chunk->skb->data;
3620 	serial = ntohl(hdr->serial);
3621 
3622 	/* Verify the ASCONF chunk before processing it. */
3623 	if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3624 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3625 						  (void *)err_param, commands);
3626 
3627 	/* ADDIP 5.2 E1) Compare the value of the serial number to the value
3628 	 * the endpoint stored in a new association variable
3629 	 * 'Peer-Serial-Number'.
3630 	 */
3631 	if (serial == asoc->peer.addip_serial + 1) {
3632 		/* If this is the first instance of ASCONF in the packet,
3633 		 * we can clean our old ASCONF-ACKs.
3634 		 */
3635 		if (!chunk->has_asconf)
3636 			sctp_assoc_clean_asconf_ack_cache(asoc);
3637 
3638 		/* ADDIP 5.2 E4) When the Sequence Number matches the next one
3639 		 * expected, process the ASCONF as described below and after
3640 		 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3641 		 * the response packet and cache a copy of it (in the event it
3642 		 * later needs to be retransmitted).
3643 		 *
3644 		 * Essentially, do V1-V5.
3645 		 */
3646 		asconf_ack = sctp_process_asconf((struct sctp_association *)
3647 						 asoc, chunk);
3648 		if (!asconf_ack)
3649 			return SCTP_DISPOSITION_NOMEM;
3650 	} else if (serial < asoc->peer.addip_serial + 1) {
3651 		/* ADDIP 5.2 E2)
3652 		 * If the value found in the Sequence Number is less than the
3653 		 * ('Peer- Sequence-Number' + 1), simply skip to the next
3654 		 * ASCONF, and include in the outbound response packet
3655 		 * any previously cached ASCONF-ACK response that was
3656 		 * sent and saved that matches the Sequence Number of the
3657 		 * ASCONF.  Note: It is possible that no cached ASCONF-ACK
3658 		 * Chunk exists.  This will occur when an older ASCONF
3659 		 * arrives out of order.  In such a case, the receiver
3660 		 * should skip the ASCONF Chunk and not include ASCONF-ACK
3661 		 * Chunk for that chunk.
3662 		 */
3663 		asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3664 		if (!asconf_ack)
3665 			return SCTP_DISPOSITION_DISCARD;
3666 
3667 		/* Reset the transport so that we select the correct one
3668 		 * this time around.  This is to make sure that we don't
3669 		 * accidentally use a stale transport that's been removed.
3670 		 */
3671 		asconf_ack->transport = NULL;
3672 	} else {
3673 		/* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3674 		 * it must be either a stale packet or from an attacker.
3675 		 */
3676 		return SCTP_DISPOSITION_DISCARD;
3677 	}
3678 
3679 	/* ADDIP 5.2 E6)  The destination address of the SCTP packet
3680 	 * containing the ASCONF-ACK Chunks MUST be the source address of
3681 	 * the SCTP packet that held the ASCONF Chunks.
3682 	 *
3683 	 * To do this properly, we'll set the destination address of the chunk
3684 	 * and at the transmit time, will try look up the transport to use.
3685 	 * Since ASCONFs may be bundled, the correct transport may not be
3686 	 * created until we process the entire packet, thus this workaround.
3687 	 */
3688 	asconf_ack->dest = chunk->source;
3689 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3690 	if (asoc->new_transport) {
3691 		sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3692 		((struct sctp_association *)asoc)->new_transport = NULL;
3693 	}
3694 
3695 	return SCTP_DISPOSITION_CONSUME;
3696 }
3697 
3698 /*
3699  * ADDIP Section 4.3 General rules for address manipulation
3700  * When building TLV parameters for the ASCONF Chunk that will add or
3701  * delete IP addresses the D0 to D13 rules should be applied:
3702  */
3703 sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
3704 					 const struct sctp_endpoint *ep,
3705 					 const struct sctp_association *asoc,
3706 					 const sctp_subtype_t type, void *arg,
3707 					 sctp_cmd_seq_t *commands)
3708 {
3709 	struct sctp_chunk	*asconf_ack = arg;
3710 	struct sctp_chunk	*last_asconf = asoc->addip_last_asconf;
3711 	struct sctp_chunk	*abort;
3712 	struct sctp_paramhdr	*err_param = NULL;
3713 	sctp_addiphdr_t		*addip_hdr;
3714 	__u32			sent_serial, rcvd_serial;
3715 
3716 	if (!sctp_vtag_verify(asconf_ack, asoc)) {
3717 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3718 				SCTP_NULL());
3719 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3720 	}
3721 
3722 	/* ADD-IP, Section 4.1.2:
3723 	 * This chunk MUST be sent in an authenticated way by using
3724 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3725 	 * is received unauthenticated it MUST be silently discarded as
3726 	 * described in [I-D.ietf-tsvwg-sctp-auth].
3727 	 */
3728 	if (!net->sctp.addip_noauth && !asconf_ack->auth)
3729 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
3730 
3731 	/* Make sure that the ADDIP chunk has a valid length.  */
3732 	if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3733 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3734 						  commands);
3735 
3736 	addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3737 	rcvd_serial = ntohl(addip_hdr->serial);
3738 
3739 	/* Verify the ASCONF-ACK chunk before processing it. */
3740 	if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
3741 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3742 			   (void *)err_param, commands);
3743 
3744 	if (last_asconf) {
3745 		addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3746 		sent_serial = ntohl(addip_hdr->serial);
3747 	} else {
3748 		sent_serial = asoc->addip_serial - 1;
3749 	}
3750 
3751 	/* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3752 	 * equal to the next serial number to be used but no ASCONF chunk is
3753 	 * outstanding the endpoint MUST ABORT the association. Note that a
3754 	 * sequence number is greater than if it is no more than 2^^31-1
3755 	 * larger than the current sequence number (using serial arithmetic).
3756 	 */
3757 	if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3758 	    !(asoc->addip_last_asconf)) {
3759 		abort = sctp_make_abort(asoc, asconf_ack,
3760 					sizeof(sctp_errhdr_t));
3761 		if (abort) {
3762 			sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3763 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3764 					SCTP_CHUNK(abort));
3765 		}
3766 		/* We are going to ABORT, so we might as well stop
3767 		 * processing the rest of the chunks in the packet.
3768 		 */
3769 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3770 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3771 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
3772 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3773 				SCTP_ERROR(ECONNABORTED));
3774 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3775 				SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3776 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3777 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3778 		return SCTP_DISPOSITION_ABORT;
3779 	}
3780 
3781 	if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3782 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3783 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3784 
3785 		if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3786 					     asconf_ack)) {
3787 			/* Successfully processed ASCONF_ACK.  We can
3788 			 * release the next asconf if we have one.
3789 			 */
3790 			sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
3791 					SCTP_NULL());
3792 			return SCTP_DISPOSITION_CONSUME;
3793 		}
3794 
3795 		abort = sctp_make_abort(asoc, asconf_ack,
3796 					sizeof(sctp_errhdr_t));
3797 		if (abort) {
3798 			sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3799 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3800 					SCTP_CHUNK(abort));
3801 		}
3802 		/* We are going to ABORT, so we might as well stop
3803 		 * processing the rest of the chunks in the packet.
3804 		 */
3805 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
3806 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3807 				SCTP_ERROR(ECONNABORTED));
3808 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3809 				SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3810 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3811 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3812 		return SCTP_DISPOSITION_ABORT;
3813 	}
3814 
3815 	return SCTP_DISPOSITION_DISCARD;
3816 }
3817 
3818 /*
3819  * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3820  *
3821  * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3822  * its cumulative TSN point to the value carried in the FORWARD TSN
3823  * chunk, and then MUST further advance its cumulative TSN point locally
3824  * if possible.
3825  * After the above processing, the data receiver MUST stop reporting any
3826  * missing TSNs earlier than or equal to the new cumulative TSN point.
3827  *
3828  * Verification Tag:  8.5 Verification Tag [Normal verification]
3829  *
3830  * The return value is the disposition of the chunk.
3831  */
3832 sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net,
3833 				       const struct sctp_endpoint *ep,
3834 				       const struct sctp_association *asoc,
3835 				       const sctp_subtype_t type,
3836 				       void *arg,
3837 				       sctp_cmd_seq_t *commands)
3838 {
3839 	struct sctp_chunk *chunk = arg;
3840 	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3841 	struct sctp_fwdtsn_skip *skip;
3842 	__u16 len;
3843 	__u32 tsn;
3844 
3845 	if (!sctp_vtag_verify(chunk, asoc)) {
3846 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3847 				SCTP_NULL());
3848 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3849 	}
3850 
3851 	/* Make sure that the FORWARD_TSN chunk has valid length.  */
3852 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3853 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3854 						  commands);
3855 
3856 	fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3857 	chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3858 	len = ntohs(chunk->chunk_hdr->length);
3859 	len -= sizeof(struct sctp_chunkhdr);
3860 	skb_pull(chunk->skb, len);
3861 
3862 	tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3863 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
3864 
3865 	/* The TSN is too high--silently discard the chunk and count on it
3866 	 * getting retransmitted later.
3867 	 */
3868 	if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3869 		goto discard_noforce;
3870 
3871 	/* Silently discard the chunk if stream-id is not valid */
3872 	sctp_walk_fwdtsn(skip, chunk) {
3873 		if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3874 			goto discard_noforce;
3875 	}
3876 
3877 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3878 	if (len > sizeof(struct sctp_fwdtsn_hdr))
3879 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3880 				SCTP_CHUNK(chunk));
3881 
3882 	/* Count this as receiving DATA. */
3883 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3884 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3885 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3886 	}
3887 
3888 	/* FIXME: For now send a SACK, but DATA processing may
3889 	 * send another.
3890 	 */
3891 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3892 
3893 	return SCTP_DISPOSITION_CONSUME;
3894 
3895 discard_noforce:
3896 	return SCTP_DISPOSITION_DISCARD;
3897 }
3898 
3899 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3900 	struct net *net,
3901 	const struct sctp_endpoint *ep,
3902 	const struct sctp_association *asoc,
3903 	const sctp_subtype_t type,
3904 	void *arg,
3905 	sctp_cmd_seq_t *commands)
3906 {
3907 	struct sctp_chunk *chunk = arg;
3908 	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3909 	struct sctp_fwdtsn_skip *skip;
3910 	__u16 len;
3911 	__u32 tsn;
3912 
3913 	if (!sctp_vtag_verify(chunk, asoc)) {
3914 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3915 				SCTP_NULL());
3916 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3917 	}
3918 
3919 	/* Make sure that the FORWARD_TSN chunk has a valid length.  */
3920 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3921 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3922 						  commands);
3923 
3924 	fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3925 	chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3926 	len = ntohs(chunk->chunk_hdr->length);
3927 	len -= sizeof(struct sctp_chunkhdr);
3928 	skb_pull(chunk->skb, len);
3929 
3930 	tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3931 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
3932 
3933 	/* The TSN is too high--silently discard the chunk and count on it
3934 	 * getting retransmitted later.
3935 	 */
3936 	if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3937 		goto gen_shutdown;
3938 
3939 	/* Silently discard the chunk if stream-id is not valid */
3940 	sctp_walk_fwdtsn(skip, chunk) {
3941 		if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3942 			goto gen_shutdown;
3943 	}
3944 
3945 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3946 	if (len > sizeof(struct sctp_fwdtsn_hdr))
3947 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3948 				SCTP_CHUNK(chunk));
3949 
3950 	/* Go a head and force a SACK, since we are shutting down. */
3951 gen_shutdown:
3952 	/* Implementor's Guide.
3953 	 *
3954 	 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3955 	 * respond to each received packet containing one or more DATA chunk(s)
3956 	 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3957 	 */
3958 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3959 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3960 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3961 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3962 
3963 	return SCTP_DISPOSITION_CONSUME;
3964 }
3965 
3966 /*
3967  * SCTP-AUTH Section 6.3 Receiving authenticated chukns
3968  *
3969  *    The receiver MUST use the HMAC algorithm indicated in the HMAC
3970  *    Identifier field.  If this algorithm was not specified by the
3971  *    receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
3972  *    during association setup, the AUTH chunk and all chunks after it MUST
3973  *    be discarded and an ERROR chunk SHOULD be sent with the error cause
3974  *    defined in Section 4.1.
3975  *
3976  *    If an endpoint with no shared key receives a Shared Key Identifier
3977  *    other than 0, it MUST silently discard all authenticated chunks.  If
3978  *    the endpoint has at least one endpoint pair shared key for the peer,
3979  *    it MUST use the key specified by the Shared Key Identifier if a
3980  *    key has been configured for that Shared Key Identifier.  If no
3981  *    endpoint pair shared key has been configured for that Shared Key
3982  *    Identifier, all authenticated chunks MUST be silently discarded.
3983  *
3984  * Verification Tag:  8.5 Verification Tag [Normal verification]
3985  *
3986  * The return value is the disposition of the chunk.
3987  */
3988 static sctp_ierror_t sctp_sf_authenticate(struct net *net,
3989 				    const struct sctp_endpoint *ep,
3990 				    const struct sctp_association *asoc,
3991 				    const sctp_subtype_t type,
3992 				    struct sctp_chunk *chunk)
3993 {
3994 	struct sctp_authhdr *auth_hdr;
3995 	struct sctp_hmac *hmac;
3996 	unsigned int sig_len;
3997 	__u16 key_id;
3998 	__u8 *save_digest;
3999 	__u8 *digest;
4000 
4001 	/* Pull in the auth header, so we can do some more verification */
4002 	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4003 	chunk->subh.auth_hdr = auth_hdr;
4004 	skb_pull(chunk->skb, sizeof(struct sctp_authhdr));
4005 
4006 	/* Make sure that we support the HMAC algorithm from the auth
4007 	 * chunk.
4008 	 */
4009 	if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4010 		return SCTP_IERROR_AUTH_BAD_HMAC;
4011 
4012 	/* Make sure that the provided shared key identifier has been
4013 	 * configured
4014 	 */
4015 	key_id = ntohs(auth_hdr->shkey_id);
4016 	if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
4017 		return SCTP_IERROR_AUTH_BAD_KEYID;
4018 
4019 
4020 	/* Make sure that the length of the signature matches what
4021 	 * we expect.
4022 	 */
4023 	sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);
4024 	hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4025 	if (sig_len != hmac->hmac_len)
4026 		return SCTP_IERROR_PROTO_VIOLATION;
4027 
4028 	/* Now that we've done validation checks, we can compute and
4029 	 * verify the hmac.  The steps involved are:
4030 	 *  1. Save the digest from the chunk.
4031 	 *  2. Zero out the digest in the chunk.
4032 	 *  3. Compute the new digest
4033 	 *  4. Compare saved and new digests.
4034 	 */
4035 	digest = auth_hdr->hmac;
4036 	skb_pull(chunk->skb, sig_len);
4037 
4038 	save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4039 	if (!save_digest)
4040 		goto nomem;
4041 
4042 	memset(digest, 0, sig_len);
4043 
4044 	sctp_auth_calculate_hmac(asoc, chunk->skb,
4045 				(struct sctp_auth_chunk *)chunk->chunk_hdr,
4046 				GFP_ATOMIC);
4047 
4048 	/* Discard the packet if the digests do not match */
4049 	if (memcmp(save_digest, digest, sig_len)) {
4050 		kfree(save_digest);
4051 		return SCTP_IERROR_BAD_SIG;
4052 	}
4053 
4054 	kfree(save_digest);
4055 	chunk->auth = 1;
4056 
4057 	return SCTP_IERROR_NO_ERROR;
4058 nomem:
4059 	return SCTP_IERROR_NOMEM;
4060 }
4061 
4062 sctp_disposition_t sctp_sf_eat_auth(struct net *net,
4063 				    const struct sctp_endpoint *ep,
4064 				    const struct sctp_association *asoc,
4065 				    const sctp_subtype_t type,
4066 				    void *arg,
4067 				    sctp_cmd_seq_t *commands)
4068 {
4069 	struct sctp_authhdr *auth_hdr;
4070 	struct sctp_chunk *chunk = arg;
4071 	struct sctp_chunk *err_chunk;
4072 	sctp_ierror_t error;
4073 
4074 	/* Make sure that the peer has AUTH capable */
4075 	if (!asoc->peer.auth_capable)
4076 		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4077 
4078 	if (!sctp_vtag_verify(chunk, asoc)) {
4079 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4080 				SCTP_NULL());
4081 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4082 	}
4083 
4084 	/* Make sure that the AUTH chunk has valid length.  */
4085 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4086 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4087 						  commands);
4088 
4089 	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4090 	error = sctp_sf_authenticate(net, ep, asoc, type, chunk);
4091 	switch (error) {
4092 	case SCTP_IERROR_AUTH_BAD_HMAC:
4093 		/* Generate the ERROR chunk and discard the rest
4094 		 * of the packet
4095 		 */
4096 		err_chunk = sctp_make_op_error(asoc, chunk,
4097 					       SCTP_ERROR_UNSUP_HMAC,
4098 					       &auth_hdr->hmac_id,
4099 					       sizeof(__u16), 0);
4100 		if (err_chunk) {
4101 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4102 					SCTP_CHUNK(err_chunk));
4103 		}
4104 		/* Fall Through */
4105 	case SCTP_IERROR_AUTH_BAD_KEYID:
4106 	case SCTP_IERROR_BAD_SIG:
4107 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4108 
4109 	case SCTP_IERROR_PROTO_VIOLATION:
4110 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4111 						  commands);
4112 
4113 	case SCTP_IERROR_NOMEM:
4114 		return SCTP_DISPOSITION_NOMEM;
4115 
4116 	default:			/* Prevent gcc warnings */
4117 		break;
4118 	}
4119 
4120 	if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4121 		struct sctp_ulpevent *ev;
4122 
4123 		ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4124 				    SCTP_AUTH_NEWKEY, GFP_ATOMIC);
4125 
4126 		if (!ev)
4127 			return -ENOMEM;
4128 
4129 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4130 				SCTP_ULPEVENT(ev));
4131 	}
4132 
4133 	return SCTP_DISPOSITION_CONSUME;
4134 }
4135 
4136 /*
4137  * Process an unknown chunk.
4138  *
4139  * Section: 3.2. Also, 2.1 in the implementor's guide.
4140  *
4141  * Chunk Types are encoded such that the highest-order two bits specify
4142  * the action that must be taken if the processing endpoint does not
4143  * recognize the Chunk Type.
4144  *
4145  * 00 - Stop processing this SCTP packet and discard it, do not process
4146  *      any further chunks within it.
4147  *
4148  * 01 - Stop processing this SCTP packet and discard it, do not process
4149  *      any further chunks within it, and report the unrecognized
4150  *      chunk in an 'Unrecognized Chunk Type'.
4151  *
4152  * 10 - Skip this chunk and continue processing.
4153  *
4154  * 11 - Skip this chunk and continue processing, but report in an ERROR
4155  *      Chunk using the 'Unrecognized Chunk Type' cause of error.
4156  *
4157  * The return value is the disposition of the chunk.
4158  */
4159 sctp_disposition_t sctp_sf_unk_chunk(struct net *net,
4160 				     const struct sctp_endpoint *ep,
4161 				     const struct sctp_association *asoc,
4162 				     const sctp_subtype_t type,
4163 				     void *arg,
4164 				     sctp_cmd_seq_t *commands)
4165 {
4166 	struct sctp_chunk *unk_chunk = arg;
4167 	struct sctp_chunk *err_chunk;
4168 	sctp_chunkhdr_t *hdr;
4169 
4170 	pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);
4171 
4172 	if (!sctp_vtag_verify(unk_chunk, asoc))
4173 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4174 
4175 	/* Make sure that the chunk has a valid length.
4176 	 * Since we don't know the chunk type, we use a general
4177 	 * chunkhdr structure to make a comparison.
4178 	 */
4179 	if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
4180 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4181 						  commands);
4182 
4183 	switch (type.chunk & SCTP_CID_ACTION_MASK) {
4184 	case SCTP_CID_ACTION_DISCARD:
4185 		/* Discard the packet.  */
4186 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4187 	case SCTP_CID_ACTION_DISCARD_ERR:
4188 		/* Generate an ERROR chunk as response. */
4189 		hdr = unk_chunk->chunk_hdr;
4190 		err_chunk = sctp_make_op_error(asoc, unk_chunk,
4191 					       SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4192 					       WORD_ROUND(ntohs(hdr->length)),
4193 					       0);
4194 		if (err_chunk) {
4195 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4196 					SCTP_CHUNK(err_chunk));
4197 		}
4198 
4199 		/* Discard the packet.  */
4200 		sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4201 		return SCTP_DISPOSITION_CONSUME;
4202 	case SCTP_CID_ACTION_SKIP:
4203 		/* Skip the chunk.  */
4204 		return SCTP_DISPOSITION_DISCARD;
4205 	case SCTP_CID_ACTION_SKIP_ERR:
4206 		/* Generate an ERROR chunk as response. */
4207 		hdr = unk_chunk->chunk_hdr;
4208 		err_chunk = sctp_make_op_error(asoc, unk_chunk,
4209 					       SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4210 					       WORD_ROUND(ntohs(hdr->length)),
4211 					       0);
4212 		if (err_chunk) {
4213 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4214 					SCTP_CHUNK(err_chunk));
4215 		}
4216 		/* Skip the chunk.  */
4217 		return SCTP_DISPOSITION_CONSUME;
4218 	default:
4219 		break;
4220 	}
4221 
4222 	return SCTP_DISPOSITION_DISCARD;
4223 }
4224 
4225 /*
4226  * Discard the chunk.
4227  *
4228  * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4229  * [Too numerous to mention...]
4230  * Verification Tag: No verification needed.
4231  * Inputs
4232  * (endpoint, asoc, chunk)
4233  *
4234  * Outputs
4235  * (asoc, reply_msg, msg_up, timers, counters)
4236  *
4237  * The return value is the disposition of the chunk.
4238  */
4239 sctp_disposition_t sctp_sf_discard_chunk(struct net *net,
4240 					 const struct sctp_endpoint *ep,
4241 					 const struct sctp_association *asoc,
4242 					 const sctp_subtype_t type,
4243 					 void *arg,
4244 					 sctp_cmd_seq_t *commands)
4245 {
4246 	struct sctp_chunk *chunk = arg;
4247 
4248 	/* Make sure that the chunk has a valid length.
4249 	 * Since we don't know the chunk type, we use a general
4250 	 * chunkhdr structure to make a comparison.
4251 	 */
4252 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4253 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4254 						  commands);
4255 
4256 	pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);
4257 
4258 	return SCTP_DISPOSITION_DISCARD;
4259 }
4260 
4261 /*
4262  * Discard the whole packet.
4263  *
4264  * Section: 8.4 2)
4265  *
4266  * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4267  *    silently discard the OOTB packet and take no further action.
4268  *
4269  * Verification Tag: No verification necessary
4270  *
4271  * Inputs
4272  * (endpoint, asoc, chunk)
4273  *
4274  * Outputs
4275  * (asoc, reply_msg, msg_up, timers, counters)
4276  *
4277  * The return value is the disposition of the chunk.
4278  */
4279 sctp_disposition_t sctp_sf_pdiscard(struct net *net,
4280 				    const struct sctp_endpoint *ep,
4281 				    const struct sctp_association *asoc,
4282 				    const sctp_subtype_t type,
4283 				    void *arg,
4284 				    sctp_cmd_seq_t *commands)
4285 {
4286 	SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4287 	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4288 
4289 	return SCTP_DISPOSITION_CONSUME;
4290 }
4291 
4292 
4293 /*
4294  * The other end is violating protocol.
4295  *
4296  * Section: Not specified
4297  * Verification Tag: Not specified
4298  * Inputs
4299  * (endpoint, asoc, chunk)
4300  *
4301  * Outputs
4302  * (asoc, reply_msg, msg_up, timers, counters)
4303  *
4304  * We simply tag the chunk as a violation.  The state machine will log
4305  * the violation and continue.
4306  */
4307 sctp_disposition_t sctp_sf_violation(struct net *net,
4308 				     const struct sctp_endpoint *ep,
4309 				     const struct sctp_association *asoc,
4310 				     const sctp_subtype_t type,
4311 				     void *arg,
4312 				     sctp_cmd_seq_t *commands)
4313 {
4314 	struct sctp_chunk *chunk = arg;
4315 
4316 	/* Make sure that the chunk has a valid length. */
4317 	if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4318 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4319 						  commands);
4320 
4321 	return SCTP_DISPOSITION_VIOLATION;
4322 }
4323 
4324 /*
4325  * Common function to handle a protocol violation.
4326  */
4327 static sctp_disposition_t sctp_sf_abort_violation(
4328 				     struct net *net,
4329 				     const struct sctp_endpoint *ep,
4330 				     const struct sctp_association *asoc,
4331 				     void *arg,
4332 				     sctp_cmd_seq_t *commands,
4333 				     const __u8 *payload,
4334 				     const size_t paylen)
4335 {
4336 	struct sctp_packet *packet = NULL;
4337 	struct sctp_chunk *chunk =  arg;
4338 	struct sctp_chunk *abort = NULL;
4339 
4340 	/* SCTP-AUTH, Section 6.3:
4341 	 *    It should be noted that if the receiver wants to tear
4342 	 *    down an association in an authenticated way only, the
4343 	 *    handling of malformed packets should not result in
4344 	 *    tearing down the association.
4345 	 *
4346 	 * This means that if we only want to abort associations
4347 	 * in an authenticated way (i.e AUTH+ABORT), then we
4348 	 * can't destroy this association just because the packet
4349 	 * was malformed.
4350 	 */
4351 	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4352 		goto discard;
4353 
4354 	/* Make the abort chunk. */
4355 	abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4356 	if (!abort)
4357 		goto nomem;
4358 
4359 	if (asoc) {
4360 		/* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4361 		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4362 		    !asoc->peer.i.init_tag) {
4363 			sctp_initack_chunk_t *initack;
4364 
4365 			initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
4366 			if (!sctp_chunk_length_valid(chunk,
4367 						     sizeof(sctp_initack_chunk_t)))
4368 				abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4369 			else {
4370 				unsigned int inittag;
4371 
4372 				inittag = ntohl(initack->init_hdr.init_tag);
4373 				sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4374 						SCTP_U32(inittag));
4375 			}
4376 		}
4377 
4378 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4379 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4380 
4381 		if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4382 			sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4383 					SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4384 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4385 					SCTP_ERROR(ECONNREFUSED));
4386 			sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4387 					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4388 		} else {
4389 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4390 					SCTP_ERROR(ECONNABORTED));
4391 			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4392 					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4393 			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4394 		}
4395 	} else {
4396 		packet = sctp_ootb_pkt_new(net, asoc, chunk);
4397 
4398 		if (!packet)
4399 			goto nomem_pkt;
4400 
4401 		if (sctp_test_T_bit(abort))
4402 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4403 
4404 		abort->skb->sk = ep->base.sk;
4405 
4406 		sctp_packet_append_chunk(packet, abort);
4407 
4408 		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4409 			SCTP_PACKET(packet));
4410 
4411 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4412 	}
4413 
4414 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4415 
4416 discard:
4417 	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4418 	return SCTP_DISPOSITION_ABORT;
4419 
4420 nomem_pkt:
4421 	sctp_chunk_free(abort);
4422 nomem:
4423 	return SCTP_DISPOSITION_NOMEM;
4424 }
4425 
4426 /*
4427  * Handle a protocol violation when the chunk length is invalid.
4428  * "Invalid" length is identified as smaller than the minimal length a
4429  * given chunk can be.  For example, a SACK chunk has invalid length
4430  * if its length is set to be smaller than the size of sctp_sack_chunk_t.
4431  *
4432  * We inform the other end by sending an ABORT with a Protocol Violation
4433  * error code.
4434  *
4435  * Section: Not specified
4436  * Verification Tag:  Nothing to do
4437  * Inputs
4438  * (endpoint, asoc, chunk)
4439  *
4440  * Outputs
4441  * (reply_msg, msg_up, counters)
4442  *
4443  * Generate an  ABORT chunk and terminate the association.
4444  */
4445 static sctp_disposition_t sctp_sf_violation_chunklen(
4446 				     struct net *net,
4447 				     const struct sctp_endpoint *ep,
4448 				     const struct sctp_association *asoc,
4449 				     const sctp_subtype_t type,
4450 				     void *arg,
4451 				     sctp_cmd_seq_t *commands)
4452 {
4453 	static const char err_str[] = "The following chunk had invalid length:";
4454 
4455 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4456 					sizeof(err_str));
4457 }
4458 
4459 /*
4460  * Handle a protocol violation when the parameter length is invalid.
4461  * If the length is smaller than the minimum length of a given parameter,
4462  * or accumulated length in multi parameters exceeds the end of the chunk,
4463  * the length is considered as invalid.
4464  */
4465 static sctp_disposition_t sctp_sf_violation_paramlen(
4466 				     struct net *net,
4467 				     const struct sctp_endpoint *ep,
4468 				     const struct sctp_association *asoc,
4469 				     const sctp_subtype_t type,
4470 				     void *arg, void *ext,
4471 				     sctp_cmd_seq_t *commands)
4472 {
4473 	struct sctp_chunk *chunk =  arg;
4474 	struct sctp_paramhdr *param = ext;
4475 	struct sctp_chunk *abort = NULL;
4476 
4477 	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4478 		goto discard;
4479 
4480 	/* Make the abort chunk. */
4481 	abort = sctp_make_violation_paramlen(asoc, chunk, param);
4482 	if (!abort)
4483 		goto nomem;
4484 
4485 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4486 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4487 
4488 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4489 			SCTP_ERROR(ECONNABORTED));
4490 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4491 			SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4492 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4493 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4494 
4495 discard:
4496 	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4497 	return SCTP_DISPOSITION_ABORT;
4498 nomem:
4499 	return SCTP_DISPOSITION_NOMEM;
4500 }
4501 
4502 /* Handle a protocol violation when the peer trying to advance the
4503  * cumulative tsn ack to a point beyond the max tsn currently sent.
4504  *
4505  * We inform the other end by sending an ABORT with a Protocol Violation
4506  * error code.
4507  */
4508 static sctp_disposition_t sctp_sf_violation_ctsn(
4509 				     struct net *net,
4510 				     const struct sctp_endpoint *ep,
4511 				     const struct sctp_association *asoc,
4512 				     const sctp_subtype_t type,
4513 				     void *arg,
4514 				     sctp_cmd_seq_t *commands)
4515 {
4516 	static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";
4517 
4518 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4519 					sizeof(err_str));
4520 }
4521 
4522 /* Handle protocol violation of an invalid chunk bundling.  For example,
4523  * when we have an association and we receive bundled INIT-ACK, or
4524  * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4525  * statement from the specs.  Additionally, there might be an attacker
4526  * on the path and we may not want to continue this communication.
4527  */
4528 static sctp_disposition_t sctp_sf_violation_chunk(
4529 				     struct net *net,
4530 				     const struct sctp_endpoint *ep,
4531 				     const struct sctp_association *asoc,
4532 				     const sctp_subtype_t type,
4533 				     void *arg,
4534 				     sctp_cmd_seq_t *commands)
4535 {
4536 	static const char err_str[] = "The following chunk violates protocol:";
4537 
4538 	if (!asoc)
4539 		return sctp_sf_violation(net, ep, asoc, type, arg, commands);
4540 
4541 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4542 					sizeof(err_str));
4543 }
4544 /***************************************************************************
4545  * These are the state functions for handling primitive (Section 10) events.
4546  ***************************************************************************/
4547 /*
4548  * sctp_sf_do_prm_asoc
4549  *
4550  * Section: 10.1 ULP-to-SCTP
4551  * B) Associate
4552  *
4553  * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4554  * outbound stream count)
4555  * -> association id [,destination transport addr list] [,outbound stream
4556  * count]
4557  *
4558  * This primitive allows the upper layer to initiate an association to a
4559  * specific peer endpoint.
4560  *
4561  * The peer endpoint shall be specified by one of the transport addresses
4562  * which defines the endpoint (see Section 1.4).  If the local SCTP
4563  * instance has not been initialized, the ASSOCIATE is considered an
4564  * error.
4565  * [This is not relevant for the kernel implementation since we do all
4566  * initialization at boot time.  It we hadn't initialized we wouldn't
4567  * get anywhere near this code.]
4568  *
4569  * An association id, which is a local handle to the SCTP association,
4570  * will be returned on successful establishment of the association. If
4571  * SCTP is not able to open an SCTP association with the peer endpoint,
4572  * an error is returned.
4573  * [In the kernel implementation, the struct sctp_association needs to
4574  * be created BEFORE causing this primitive to run.]
4575  *
4576  * Other association parameters may be returned, including the
4577  * complete destination transport addresses of the peer as well as the
4578  * outbound stream count of the local endpoint. One of the transport
4579  * address from the returned destination addresses will be selected by
4580  * the local endpoint as default primary path for sending SCTP packets
4581  * to this peer.  The returned "destination transport addr list" can
4582  * be used by the ULP to change the default primary path or to force
4583  * sending a packet to a specific transport address.  [All of this
4584  * stuff happens when the INIT ACK arrives.  This is a NON-BLOCKING
4585  * function.]
4586  *
4587  * Mandatory attributes:
4588  *
4589  * o local SCTP instance name - obtained from the INITIALIZE operation.
4590  *   [This is the argument asoc.]
4591  * o destination transport addr - specified as one of the transport
4592  * addresses of the peer endpoint with which the association is to be
4593  * established.
4594  *  [This is asoc->peer.active_path.]
4595  * o outbound stream count - the number of outbound streams the ULP
4596  * would like to open towards this peer endpoint.
4597  * [BUG: This is not currently implemented.]
4598  * Optional attributes:
4599  *
4600  * None.
4601  *
4602  * The return value is a disposition.
4603  */
4604 sctp_disposition_t sctp_sf_do_prm_asoc(struct net *net,
4605 				       const struct sctp_endpoint *ep,
4606 				       const struct sctp_association *asoc,
4607 				       const sctp_subtype_t type,
4608 				       void *arg,
4609 				       sctp_cmd_seq_t *commands)
4610 {
4611 	struct sctp_chunk *repl;
4612 	struct sctp_association *my_asoc;
4613 
4614 	/* The comment below says that we enter COOKIE-WAIT AFTER
4615 	 * sending the INIT, but that doesn't actually work in our
4616 	 * implementation...
4617 	 */
4618 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4619 			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4620 
4621 	/* RFC 2960 5.1 Normal Establishment of an Association
4622 	 *
4623 	 * A) "A" first sends an INIT chunk to "Z".  In the INIT, "A"
4624 	 * must provide its Verification Tag (Tag_A) in the Initiate
4625 	 * Tag field.  Tag_A SHOULD be a random number in the range of
4626 	 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4627 	 */
4628 
4629 	repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4630 	if (!repl)
4631 		goto nomem;
4632 
4633 	/* Choose transport for INIT. */
4634 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4635 			SCTP_CHUNK(repl));
4636 
4637 	/* Cast away the const modifier, as we want to just
4638 	 * rerun it through as a sideffect.
4639 	 */
4640 	my_asoc = (struct sctp_association *)asoc;
4641 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4642 
4643 	/* After sending the INIT, "A" starts the T1-init timer and
4644 	 * enters the COOKIE-WAIT state.
4645 	 */
4646 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4647 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4648 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4649 	return SCTP_DISPOSITION_CONSUME;
4650 
4651 nomem:
4652 	return SCTP_DISPOSITION_NOMEM;
4653 }
4654 
4655 /*
4656  * Process the SEND primitive.
4657  *
4658  * Section: 10.1 ULP-to-SCTP
4659  * E) Send
4660  *
4661  * Format: SEND(association id, buffer address, byte count [,context]
4662  *         [,stream id] [,life time] [,destination transport address]
4663  *         [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4664  * -> result
4665  *
4666  * This is the main method to send user data via SCTP.
4667  *
4668  * Mandatory attributes:
4669  *
4670  *  o association id - local handle to the SCTP association
4671  *
4672  *  o buffer address - the location where the user message to be
4673  *    transmitted is stored;
4674  *
4675  *  o byte count - The size of the user data in number of bytes;
4676  *
4677  * Optional attributes:
4678  *
4679  *  o context - an optional 32 bit integer that will be carried in the
4680  *    sending failure notification to the ULP if the transportation of
4681  *    this User Message fails.
4682  *
4683  *  o stream id - to indicate which stream to send the data on. If not
4684  *    specified, stream 0 will be used.
4685  *
4686  *  o life time - specifies the life time of the user data. The user data
4687  *    will not be sent by SCTP after the life time expires. This
4688  *    parameter can be used to avoid efforts to transmit stale
4689  *    user messages. SCTP notifies the ULP if the data cannot be
4690  *    initiated to transport (i.e. sent to the destination via SCTP's
4691  *    send primitive) within the life time variable. However, the
4692  *    user data will be transmitted if SCTP has attempted to transmit a
4693  *    chunk before the life time expired.
4694  *
4695  *  o destination transport address - specified as one of the destination
4696  *    transport addresses of the peer endpoint to which this packet
4697  *    should be sent. Whenever possible, SCTP should use this destination
4698  *    transport address for sending the packets, instead of the current
4699  *    primary path.
4700  *
4701  *  o unorder flag - this flag, if present, indicates that the user
4702  *    would like the data delivered in an unordered fashion to the peer
4703  *    (i.e., the U flag is set to 1 on all DATA chunks carrying this
4704  *    message).
4705  *
4706  *  o no-bundle flag - instructs SCTP not to bundle this user data with
4707  *    other outbound DATA chunks. SCTP MAY still bundle even when
4708  *    this flag is present, when faced with network congestion.
4709  *
4710  *  o payload protocol-id - A 32 bit unsigned integer that is to be
4711  *    passed to the peer indicating the type of payload protocol data
4712  *    being transmitted. This value is passed as opaque data by SCTP.
4713  *
4714  * The return value is the disposition.
4715  */
4716 sctp_disposition_t sctp_sf_do_prm_send(struct net *net,
4717 				       const struct sctp_endpoint *ep,
4718 				       const struct sctp_association *asoc,
4719 				       const sctp_subtype_t type,
4720 				       void *arg,
4721 				       sctp_cmd_seq_t *commands)
4722 {
4723 	struct sctp_datamsg *msg = arg;
4724 
4725 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
4726 	return SCTP_DISPOSITION_CONSUME;
4727 }
4728 
4729 /*
4730  * Process the SHUTDOWN primitive.
4731  *
4732  * Section: 10.1:
4733  * C) Shutdown
4734  *
4735  * Format: SHUTDOWN(association id)
4736  * -> result
4737  *
4738  * Gracefully closes an association. Any locally queued user data
4739  * will be delivered to the peer. The association will be terminated only
4740  * after the peer acknowledges all the SCTP packets sent.  A success code
4741  * will be returned on successful termination of the association. If
4742  * attempting to terminate the association results in a failure, an error
4743  * code shall be returned.
4744  *
4745  * Mandatory attributes:
4746  *
4747  *  o association id - local handle to the SCTP association
4748  *
4749  * Optional attributes:
4750  *
4751  * None.
4752  *
4753  * The return value is the disposition.
4754  */
4755 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(
4756 	struct net *net,
4757 	const struct sctp_endpoint *ep,
4758 	const struct sctp_association *asoc,
4759 	const sctp_subtype_t type,
4760 	void *arg,
4761 	sctp_cmd_seq_t *commands)
4762 {
4763 	int disposition;
4764 
4765 	/* From 9.2 Shutdown of an Association
4766 	 * Upon receipt of the SHUTDOWN primitive from its upper
4767 	 * layer, the endpoint enters SHUTDOWN-PENDING state and
4768 	 * remains there until all outstanding data has been
4769 	 * acknowledged by its peer. The endpoint accepts no new data
4770 	 * from its upper layer, but retransmits data to the far end
4771 	 * if necessary to fill gaps.
4772 	 */
4773 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4774 			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
4775 
4776 	disposition = SCTP_DISPOSITION_CONSUME;
4777 	if (sctp_outq_is_empty(&asoc->outqueue)) {
4778 		disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
4779 							    arg, commands);
4780 	}
4781 	return disposition;
4782 }
4783 
4784 /*
4785  * Process the ABORT primitive.
4786  *
4787  * Section: 10.1:
4788  * C) Abort
4789  *
4790  * Format: Abort(association id [, cause code])
4791  * -> result
4792  *
4793  * Ungracefully closes an association. Any locally queued user data
4794  * will be discarded and an ABORT chunk is sent to the peer.  A success code
4795  * will be returned on successful abortion of the association. If
4796  * attempting to abort the association results in a failure, an error
4797  * code shall be returned.
4798  *
4799  * Mandatory attributes:
4800  *
4801  *  o association id - local handle to the SCTP association
4802  *
4803  * Optional attributes:
4804  *
4805  *  o cause code - reason of the abort to be passed to the peer
4806  *
4807  * None.
4808  *
4809  * The return value is the disposition.
4810  */
4811 sctp_disposition_t sctp_sf_do_9_1_prm_abort(
4812 	struct net *net,
4813 	const struct sctp_endpoint *ep,
4814 	const struct sctp_association *asoc,
4815 	const sctp_subtype_t type,
4816 	void *arg,
4817 	sctp_cmd_seq_t *commands)
4818 {
4819 	/* From 9.1 Abort of an Association
4820 	 * Upon receipt of the ABORT primitive from its upper
4821 	 * layer, the endpoint enters CLOSED state and
4822 	 * discard all outstanding data has been
4823 	 * acknowledged by its peer. The endpoint accepts no new data
4824 	 * from its upper layer, but retransmits data to the far end
4825 	 * if necessary to fill gaps.
4826 	 */
4827 	struct sctp_chunk *abort = arg;
4828 	sctp_disposition_t retval;
4829 
4830 	retval = SCTP_DISPOSITION_CONSUME;
4831 
4832 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4833 
4834 	/* Even if we can't send the ABORT due to low memory delete the
4835 	 * TCB.  This is a departure from our typical NOMEM handling.
4836 	 */
4837 
4838 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4839 			SCTP_ERROR(ECONNABORTED));
4840 	/* Delete the established association. */
4841 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4842 			SCTP_PERR(SCTP_ERROR_USER_ABORT));
4843 
4844 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4845 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4846 
4847 	return retval;
4848 }
4849 
4850 /* We tried an illegal operation on an association which is closed.  */
4851 sctp_disposition_t sctp_sf_error_closed(struct net *net,
4852 					const struct sctp_endpoint *ep,
4853 					const struct sctp_association *asoc,
4854 					const sctp_subtype_t type,
4855 					void *arg,
4856 					sctp_cmd_seq_t *commands)
4857 {
4858 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
4859 	return SCTP_DISPOSITION_CONSUME;
4860 }
4861 
4862 /* We tried an illegal operation on an association which is shutting
4863  * down.
4864  */
4865 sctp_disposition_t sctp_sf_error_shutdown(struct net *net,
4866 					  const struct sctp_endpoint *ep,
4867 					  const struct sctp_association *asoc,
4868 					  const sctp_subtype_t type,
4869 					  void *arg,
4870 					  sctp_cmd_seq_t *commands)
4871 {
4872 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
4873 			SCTP_ERROR(-ESHUTDOWN));
4874 	return SCTP_DISPOSITION_CONSUME;
4875 }
4876 
4877 /*
4878  * sctp_cookie_wait_prm_shutdown
4879  *
4880  * Section: 4 Note: 2
4881  * Verification Tag:
4882  * Inputs
4883  * (endpoint, asoc)
4884  *
4885  * The RFC does not explicitly address this issue, but is the route through the
4886  * state table when someone issues a shutdown while in COOKIE_WAIT state.
4887  *
4888  * Outputs
4889  * (timers)
4890  */
4891 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(
4892 	struct net *net,
4893 	const struct sctp_endpoint *ep,
4894 	const struct sctp_association *asoc,
4895 	const sctp_subtype_t type,
4896 	void *arg,
4897 	sctp_cmd_seq_t *commands)
4898 {
4899 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4900 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4901 
4902 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4903 			SCTP_STATE(SCTP_STATE_CLOSED));
4904 
4905 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
4906 
4907 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
4908 
4909 	return SCTP_DISPOSITION_DELETE_TCB;
4910 }
4911 
4912 /*
4913  * sctp_cookie_echoed_prm_shutdown
4914  *
4915  * Section: 4 Note: 2
4916  * Verification Tag:
4917  * Inputs
4918  * (endpoint, asoc)
4919  *
4920  * The RFC does not explcitly address this issue, but is the route through the
4921  * state table when someone issues a shutdown while in COOKIE_ECHOED state.
4922  *
4923  * Outputs
4924  * (timers)
4925  */
4926 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(
4927 	struct net *net,
4928 	const struct sctp_endpoint *ep,
4929 	const struct sctp_association *asoc,
4930 	const sctp_subtype_t type,
4931 	void *arg, sctp_cmd_seq_t *commands)
4932 {
4933 	/* There is a single T1 timer, so we should be able to use
4934 	 * common function with the COOKIE-WAIT state.
4935 	 */
4936 	return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
4937 }
4938 
4939 /*
4940  * sctp_sf_cookie_wait_prm_abort
4941  *
4942  * Section: 4 Note: 2
4943  * Verification Tag:
4944  * Inputs
4945  * (endpoint, asoc)
4946  *
4947  * The RFC does not explicitly address this issue, but is the route through the
4948  * state table when someone issues an abort while in COOKIE_WAIT state.
4949  *
4950  * Outputs
4951  * (timers)
4952  */
4953 sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
4954 	struct net *net,
4955 	const struct sctp_endpoint *ep,
4956 	const struct sctp_association *asoc,
4957 	const sctp_subtype_t type,
4958 	void *arg,
4959 	sctp_cmd_seq_t *commands)
4960 {
4961 	struct sctp_chunk *abort = arg;
4962 	sctp_disposition_t retval;
4963 
4964 	/* Stop T1-init timer */
4965 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4966 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4967 	retval = SCTP_DISPOSITION_CONSUME;
4968 
4969 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4970 
4971 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4972 			SCTP_STATE(SCTP_STATE_CLOSED));
4973 
4974 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4975 
4976 	/* Even if we can't send the ABORT due to low memory delete the
4977 	 * TCB.  This is a departure from our typical NOMEM handling.
4978 	 */
4979 
4980 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4981 			SCTP_ERROR(ECONNREFUSED));
4982 	/* Delete the established association. */
4983 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4984 			SCTP_PERR(SCTP_ERROR_USER_ABORT));
4985 
4986 	return retval;
4987 }
4988 
4989 /*
4990  * sctp_sf_cookie_echoed_prm_abort
4991  *
4992  * Section: 4 Note: 3
4993  * Verification Tag:
4994  * Inputs
4995  * (endpoint, asoc)
4996  *
4997  * The RFC does not explcitly address this issue, but is the route through the
4998  * state table when someone issues an abort while in COOKIE_ECHOED state.
4999  *
5000  * Outputs
5001  * (timers)
5002  */
5003 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(
5004 	struct net *net,
5005 	const struct sctp_endpoint *ep,
5006 	const struct sctp_association *asoc,
5007 	const sctp_subtype_t type,
5008 	void *arg,
5009 	sctp_cmd_seq_t *commands)
5010 {
5011 	/* There is a single T1 timer, so we should be able to use
5012 	 * common function with the COOKIE-WAIT state.
5013 	 */
5014 	return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5015 }
5016 
5017 /*
5018  * sctp_sf_shutdown_pending_prm_abort
5019  *
5020  * Inputs
5021  * (endpoint, asoc)
5022  *
5023  * The RFC does not explicitly address this issue, but is the route through the
5024  * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5025  *
5026  * Outputs
5027  * (timers)
5028  */
5029 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(
5030 	struct net *net,
5031 	const struct sctp_endpoint *ep,
5032 	const struct sctp_association *asoc,
5033 	const sctp_subtype_t type,
5034 	void *arg,
5035 	sctp_cmd_seq_t *commands)
5036 {
5037 	/* Stop the T5-shutdown guard timer.  */
5038 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5039 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5040 
5041 	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5042 }
5043 
5044 /*
5045  * sctp_sf_shutdown_sent_prm_abort
5046  *
5047  * Inputs
5048  * (endpoint, asoc)
5049  *
5050  * The RFC does not explicitly address this issue, but is the route through the
5051  * state table when someone issues an abort while in SHUTDOWN-SENT state.
5052  *
5053  * Outputs
5054  * (timers)
5055  */
5056 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(
5057 	struct net *net,
5058 	const struct sctp_endpoint *ep,
5059 	const struct sctp_association *asoc,
5060 	const sctp_subtype_t type,
5061 	void *arg,
5062 	sctp_cmd_seq_t *commands)
5063 {
5064 	/* Stop the T2-shutdown timer.  */
5065 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5066 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5067 
5068 	/* Stop the T5-shutdown guard timer.  */
5069 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5070 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5071 
5072 	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5073 }
5074 
5075 /*
5076  * sctp_sf_cookie_echoed_prm_abort
5077  *
5078  * Inputs
5079  * (endpoint, asoc)
5080  *
5081  * The RFC does not explcitly address this issue, but is the route through the
5082  * state table when someone issues an abort while in COOKIE_ECHOED state.
5083  *
5084  * Outputs
5085  * (timers)
5086  */
5087 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(
5088 	struct net *net,
5089 	const struct sctp_endpoint *ep,
5090 	const struct sctp_association *asoc,
5091 	const sctp_subtype_t type,
5092 	void *arg,
5093 	sctp_cmd_seq_t *commands)
5094 {
5095 	/* The same T2 timer, so we should be able to use
5096 	 * common function with the SHUTDOWN-SENT state.
5097 	 */
5098 	return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5099 }
5100 
5101 /*
5102  * Process the REQUESTHEARTBEAT primitive
5103  *
5104  * 10.1 ULP-to-SCTP
5105  * J) Request Heartbeat
5106  *
5107  * Format: REQUESTHEARTBEAT(association id, destination transport address)
5108  *
5109  * -> result
5110  *
5111  * Instructs the local endpoint to perform a HeartBeat on the specified
5112  * destination transport address of the given association. The returned
5113  * result should indicate whether the transmission of the HEARTBEAT
5114  * chunk to the destination address is successful.
5115  *
5116  * Mandatory attributes:
5117  *
5118  * o association id - local handle to the SCTP association
5119  *
5120  * o destination transport address - the transport address of the
5121  *   association on which a heartbeat should be issued.
5122  */
5123 sctp_disposition_t sctp_sf_do_prm_requestheartbeat(
5124 					struct net *net,
5125 					const struct sctp_endpoint *ep,
5126 					const struct sctp_association *asoc,
5127 					const sctp_subtype_t type,
5128 					void *arg,
5129 					sctp_cmd_seq_t *commands)
5130 {
5131 	if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5132 				      (struct sctp_transport *)arg, commands))
5133 		return SCTP_DISPOSITION_NOMEM;
5134 
5135 	/*
5136 	 * RFC 2960 (bis), section 8.3
5137 	 *
5138 	 *    D) Request an on-demand HEARTBEAT on a specific destination
5139 	 *    transport address of a given association.
5140 	 *
5141 	 *    The endpoint should increment the respective error  counter of
5142 	 *    the destination transport address each time a HEARTBEAT is sent
5143 	 *    to that address and not acknowledged within one RTO.
5144 	 *
5145 	 */
5146 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5147 			SCTP_TRANSPORT(arg));
5148 	return SCTP_DISPOSITION_CONSUME;
5149 }
5150 
5151 /*
5152  * ADDIP Section 4.1 ASCONF Chunk Procedures
5153  * When an endpoint has an ASCONF signaled change to be sent to the
5154  * remote endpoint it should do A1 to A9
5155  */
5156 sctp_disposition_t sctp_sf_do_prm_asconf(struct net *net,
5157 					const struct sctp_endpoint *ep,
5158 					const struct sctp_association *asoc,
5159 					const sctp_subtype_t type,
5160 					void *arg,
5161 					sctp_cmd_seq_t *commands)
5162 {
5163 	struct sctp_chunk *chunk = arg;
5164 
5165 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5166 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5167 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5168 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5169 	return SCTP_DISPOSITION_CONSUME;
5170 }
5171 
5172 /*
5173  * Ignore the primitive event
5174  *
5175  * The return value is the disposition of the primitive.
5176  */
5177 sctp_disposition_t sctp_sf_ignore_primitive(
5178 	struct net *net,
5179 	const struct sctp_endpoint *ep,
5180 	const struct sctp_association *asoc,
5181 	const sctp_subtype_t type,
5182 	void *arg,
5183 	sctp_cmd_seq_t *commands)
5184 {
5185 	pr_debug("%s: primitive type:%d is ignored\n", __func__,
5186 		 type.primitive);
5187 
5188 	return SCTP_DISPOSITION_DISCARD;
5189 }
5190 
5191 /***************************************************************************
5192  * These are the state functions for the OTHER events.
5193  ***************************************************************************/
5194 
5195 /*
5196  * When the SCTP stack has no more user data to send or retransmit, this
5197  * notification is given to the user. Also, at the time when a user app
5198  * subscribes to this event, if there is no data to be sent or
5199  * retransmit, the stack will immediately send up this notification.
5200  */
5201 sctp_disposition_t sctp_sf_do_no_pending_tsn(
5202 	struct net *net,
5203 	const struct sctp_endpoint *ep,
5204 	const struct sctp_association *asoc,
5205 	const sctp_subtype_t type,
5206 	void *arg,
5207 	sctp_cmd_seq_t *commands)
5208 {
5209 	struct sctp_ulpevent *event;
5210 
5211 	event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5212 	if (!event)
5213 		return SCTP_DISPOSITION_NOMEM;
5214 
5215 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5216 
5217 	return SCTP_DISPOSITION_CONSUME;
5218 }
5219 
5220 /*
5221  * Start the shutdown negotiation.
5222  *
5223  * From Section 9.2:
5224  * Once all its outstanding data has been acknowledged, the endpoint
5225  * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5226  * TSN Ack field the last sequential TSN it has received from the peer.
5227  * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5228  * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5229  * with the updated last sequential TSN received from its peer.
5230  *
5231  * The return value is the disposition.
5232  */
5233 sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
5234 	struct net *net,
5235 	const struct sctp_endpoint *ep,
5236 	const struct sctp_association *asoc,
5237 	const sctp_subtype_t type,
5238 	void *arg,
5239 	sctp_cmd_seq_t *commands)
5240 {
5241 	struct sctp_chunk *reply;
5242 
5243 	/* Once all its outstanding data has been acknowledged, the
5244 	 * endpoint shall send a SHUTDOWN chunk to its peer including
5245 	 * in the Cumulative TSN Ack field the last sequential TSN it
5246 	 * has received from the peer.
5247 	 */
5248 	reply = sctp_make_shutdown(asoc, NULL);
5249 	if (!reply)
5250 		goto nomem;
5251 
5252 	/* Set the transport for the SHUTDOWN chunk and the timeout for the
5253 	 * T2-shutdown timer.
5254 	 */
5255 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5256 
5257 	/* It shall then start the T2-shutdown timer */
5258 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5259 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5260 
5261 	/* RFC 4960 Section 9.2
5262 	 * The sender of the SHUTDOWN MAY also start an overall guard timer
5263 	 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5264 	 */
5265 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5266 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5267 
5268 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5269 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5270 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5271 
5272 	/* and enter the SHUTDOWN-SENT state.  */
5273 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5274 			SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5275 
5276 	/* sctp-implguide 2.10 Issues with Heartbeating and failover
5277 	 *
5278 	 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5279 	 * or SHUTDOWN-ACK.
5280 	 */
5281 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5282 
5283 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5284 
5285 	return SCTP_DISPOSITION_CONSUME;
5286 
5287 nomem:
5288 	return SCTP_DISPOSITION_NOMEM;
5289 }
5290 
5291 /*
5292  * Generate a SHUTDOWN ACK now that everything is SACK'd.
5293  *
5294  * From Section 9.2:
5295  *
5296  * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5297  * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5298  * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5299  * endpoint must re-send the SHUTDOWN ACK.
5300  *
5301  * The return value is the disposition.
5302  */
5303 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(
5304 	struct net *net,
5305 	const struct sctp_endpoint *ep,
5306 	const struct sctp_association *asoc,
5307 	const sctp_subtype_t type,
5308 	void *arg,
5309 	sctp_cmd_seq_t *commands)
5310 {
5311 	struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
5312 	struct sctp_chunk *reply;
5313 
5314 	/* There are 2 ways of getting here:
5315 	 *    1) called in response to a SHUTDOWN chunk
5316 	 *    2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5317 	 *
5318 	 * For the case (2), the arg parameter is set to NULL.  We need
5319 	 * to check that we have a chunk before accessing it's fields.
5320 	 */
5321 	if (chunk) {
5322 		if (!sctp_vtag_verify(chunk, asoc))
5323 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
5324 
5325 		/* Make sure that the SHUTDOWN chunk has a valid length. */
5326 		if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t)))
5327 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
5328 							  commands);
5329 	}
5330 
5331 	/* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5332 	 * shall send a SHUTDOWN ACK ...
5333 	 */
5334 	reply = sctp_make_shutdown_ack(asoc, chunk);
5335 	if (!reply)
5336 		goto nomem;
5337 
5338 	/* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5339 	 * the T2-shutdown timer.
5340 	 */
5341 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5342 
5343 	/* and start/restart a T2-shutdown timer of its own, */
5344 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5345 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5346 
5347 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5348 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5349 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5350 
5351 	/* Enter the SHUTDOWN-ACK-SENT state.  */
5352 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5353 			SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5354 
5355 	/* sctp-implguide 2.10 Issues with Heartbeating and failover
5356 	 *
5357 	 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5358 	 * or SHUTDOWN-ACK.
5359 	 */
5360 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5361 
5362 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5363 
5364 	return SCTP_DISPOSITION_CONSUME;
5365 
5366 nomem:
5367 	return SCTP_DISPOSITION_NOMEM;
5368 }
5369 
5370 /*
5371  * Ignore the event defined as other
5372  *
5373  * The return value is the disposition of the event.
5374  */
5375 sctp_disposition_t sctp_sf_ignore_other(struct net *net,
5376 					const struct sctp_endpoint *ep,
5377 					const struct sctp_association *asoc,
5378 					const sctp_subtype_t type,
5379 					void *arg,
5380 					sctp_cmd_seq_t *commands)
5381 {
5382 	pr_debug("%s: the event other type:%d is ignored\n",
5383 		 __func__, type.other);
5384 
5385 	return SCTP_DISPOSITION_DISCARD;
5386 }
5387 
5388 /************************************************************
5389  * These are the state functions for handling timeout events.
5390  ************************************************************/
5391 
5392 /*
5393  * RTX Timeout
5394  *
5395  * Section: 6.3.3 Handle T3-rtx Expiration
5396  *
5397  * Whenever the retransmission timer T3-rtx expires for a destination
5398  * address, do the following:
5399  * [See below]
5400  *
5401  * The return value is the disposition of the chunk.
5402  */
5403 sctp_disposition_t sctp_sf_do_6_3_3_rtx(struct net *net,
5404 					const struct sctp_endpoint *ep,
5405 					const struct sctp_association *asoc,
5406 					const sctp_subtype_t type,
5407 					void *arg,
5408 					sctp_cmd_seq_t *commands)
5409 {
5410 	struct sctp_transport *transport = arg;
5411 
5412 	SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5413 
5414 	if (asoc->overall_error_count >= asoc->max_retrans) {
5415 		if (asoc->peer.zero_window_announced &&
5416 		    asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5417 			/*
5418 			 * We are here likely because the receiver had its rwnd
5419 			 * closed for a while and we have not been able to
5420 			 * transmit the locally queued data within the maximum
5421 			 * retransmission attempts limit.  Start the T5
5422 			 * shutdown guard timer to give the receiver one last
5423 			 * chance and some additional time to recover before
5424 			 * aborting.
5425 			 */
5426 			sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5427 				SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5428 		} else {
5429 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5430 					SCTP_ERROR(ETIMEDOUT));
5431 			/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5432 			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5433 					SCTP_PERR(SCTP_ERROR_NO_ERROR));
5434 			SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5435 			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5436 			return SCTP_DISPOSITION_DELETE_TCB;
5437 		}
5438 	}
5439 
5440 	/* E1) For the destination address for which the timer
5441 	 * expires, adjust its ssthresh with rules defined in Section
5442 	 * 7.2.3 and set the cwnd <- MTU.
5443 	 */
5444 
5445 	/* E2) For the destination address for which the timer
5446 	 * expires, set RTO <- RTO * 2 ("back off the timer").  The
5447 	 * maximum value discussed in rule C7 above (RTO.max) may be
5448 	 * used to provide an upper bound to this doubling operation.
5449 	 */
5450 
5451 	/* E3) Determine how many of the earliest (i.e., lowest TSN)
5452 	 * outstanding DATA chunks for the address for which the
5453 	 * T3-rtx has expired will fit into a single packet, subject
5454 	 * to the MTU constraint for the path corresponding to the
5455 	 * destination transport address to which the retransmission
5456 	 * is being sent (this may be different from the address for
5457 	 * which the timer expires [see Section 6.4]).  Call this
5458 	 * value K. Bundle and retransmit those K DATA chunks in a
5459 	 * single packet to the destination endpoint.
5460 	 *
5461 	 * Note: Any DATA chunks that were sent to the address for
5462 	 * which the T3-rtx timer expired but did not fit in one MTU
5463 	 * (rule E3 above), should be marked for retransmission and
5464 	 * sent as soon as cwnd allows (normally when a SACK arrives).
5465 	 */
5466 
5467 	/* Do some failure management (Section 8.2). */
5468 	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5469 
5470 	/* NB: Rules E4 and F1 are implicit in R1.  */
5471 	sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5472 
5473 	return SCTP_DISPOSITION_CONSUME;
5474 }
5475 
5476 /*
5477  * Generate delayed SACK on timeout
5478  *
5479  * Section: 6.2  Acknowledgement on Reception of DATA Chunks
5480  *
5481  * The guidelines on delayed acknowledgement algorithm specified in
5482  * Section 4.2 of [RFC2581] SHOULD be followed.  Specifically, an
5483  * acknowledgement SHOULD be generated for at least every second packet
5484  * (not every second DATA chunk) received, and SHOULD be generated
5485  * within 200 ms of the arrival of any unacknowledged DATA chunk.  In
5486  * some situations it may be beneficial for an SCTP transmitter to be
5487  * more conservative than the algorithms detailed in this document
5488  * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5489  * the following algorithms allow.
5490  */
5491 sctp_disposition_t sctp_sf_do_6_2_sack(struct net *net,
5492 				       const struct sctp_endpoint *ep,
5493 				       const struct sctp_association *asoc,
5494 				       const sctp_subtype_t type,
5495 				       void *arg,
5496 				       sctp_cmd_seq_t *commands)
5497 {
5498 	SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5499 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5500 	return SCTP_DISPOSITION_CONSUME;
5501 }
5502 
5503 /*
5504  * sctp_sf_t1_init_timer_expire
5505  *
5506  * Section: 4 Note: 2
5507  * Verification Tag:
5508  * Inputs
5509  * (endpoint, asoc)
5510  *
5511  *  RFC 2960 Section 4 Notes
5512  *  2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5513  *     and re-start the T1-init timer without changing state.  This MUST
5514  *     be repeated up to 'Max.Init.Retransmits' times.  After that, the
5515  *     endpoint MUST abort the initialization process and report the
5516  *     error to SCTP user.
5517  *
5518  * Outputs
5519  * (timers, events)
5520  *
5521  */
5522 sctp_disposition_t sctp_sf_t1_init_timer_expire(struct net *net,
5523 					   const struct sctp_endpoint *ep,
5524 					   const struct sctp_association *asoc,
5525 					   const sctp_subtype_t type,
5526 					   void *arg,
5527 					   sctp_cmd_seq_t *commands)
5528 {
5529 	struct sctp_chunk *repl = NULL;
5530 	struct sctp_bind_addr *bp;
5531 	int attempts = asoc->init_err_counter + 1;
5532 
5533 	pr_debug("%s: timer T1 expired (INIT)\n", __func__);
5534 
5535 	SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5536 
5537 	if (attempts <= asoc->max_init_attempts) {
5538 		bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5539 		repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5540 		if (!repl)
5541 			return SCTP_DISPOSITION_NOMEM;
5542 
5543 		/* Choose transport for INIT. */
5544 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5545 				SCTP_CHUNK(repl));
5546 
5547 		/* Issue a sideeffect to do the needed accounting. */
5548 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5549 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5550 
5551 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5552 	} else {
5553 		pr_debug("%s: giving up on INIT, attempts:%d "
5554 			 "max_init_attempts:%d\n", __func__, attempts,
5555 			 asoc->max_init_attempts);
5556 
5557 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5558 				SCTP_ERROR(ETIMEDOUT));
5559 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5560 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5561 		return SCTP_DISPOSITION_DELETE_TCB;
5562 	}
5563 
5564 	return SCTP_DISPOSITION_CONSUME;
5565 }
5566 
5567 /*
5568  * sctp_sf_t1_cookie_timer_expire
5569  *
5570  * Section: 4 Note: 2
5571  * Verification Tag:
5572  * Inputs
5573  * (endpoint, asoc)
5574  *
5575  *  RFC 2960 Section 4 Notes
5576  *  3) If the T1-cookie timer expires, the endpoint MUST retransmit
5577  *     COOKIE ECHO and re-start the T1-cookie timer without changing
5578  *     state.  This MUST be repeated up to 'Max.Init.Retransmits' times.
5579  *     After that, the endpoint MUST abort the initialization process and
5580  *     report the error to SCTP user.
5581  *
5582  * Outputs
5583  * (timers, events)
5584  *
5585  */
5586 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(struct net *net,
5587 					   const struct sctp_endpoint *ep,
5588 					   const struct sctp_association *asoc,
5589 					   const sctp_subtype_t type,
5590 					   void *arg,
5591 					   sctp_cmd_seq_t *commands)
5592 {
5593 	struct sctp_chunk *repl = NULL;
5594 	int attempts = asoc->init_err_counter + 1;
5595 
5596 	pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);
5597 
5598 	SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5599 
5600 	if (attempts <= asoc->max_init_attempts) {
5601 		repl = sctp_make_cookie_echo(asoc, NULL);
5602 		if (!repl)
5603 			return SCTP_DISPOSITION_NOMEM;
5604 
5605 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5606 				SCTP_CHUNK(repl));
5607 		/* Issue a sideeffect to do the needed accounting. */
5608 		sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5609 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5610 
5611 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5612 	} else {
5613 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5614 				SCTP_ERROR(ETIMEDOUT));
5615 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5616 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5617 		return SCTP_DISPOSITION_DELETE_TCB;
5618 	}
5619 
5620 	return SCTP_DISPOSITION_CONSUME;
5621 }
5622 
5623 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5624  * with the updated last sequential TSN received from its peer.
5625  *
5626  * An endpoint should limit the number of retransmissions of the
5627  * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5628  * If this threshold is exceeded the endpoint should destroy the TCB and
5629  * MUST report the peer endpoint unreachable to the upper layer (and
5630  * thus the association enters the CLOSED state).  The reception of any
5631  * packet from its peer (i.e. as the peer sends all of its queued DATA
5632  * chunks) should clear the endpoint's retransmission count and restart
5633  * the T2-Shutdown timer,  giving its peer ample opportunity to transmit
5634  * all of its queued DATA chunks that have not yet been sent.
5635  */
5636 sctp_disposition_t sctp_sf_t2_timer_expire(struct net *net,
5637 					   const struct sctp_endpoint *ep,
5638 					   const struct sctp_association *asoc,
5639 					   const sctp_subtype_t type,
5640 					   void *arg,
5641 					   sctp_cmd_seq_t *commands)
5642 {
5643 	struct sctp_chunk *reply = NULL;
5644 
5645 	pr_debug("%s: timer T2 expired\n", __func__);
5646 
5647 	SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5648 
5649 	((struct sctp_association *)asoc)->shutdown_retries++;
5650 
5651 	if (asoc->overall_error_count >= asoc->max_retrans) {
5652 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5653 				SCTP_ERROR(ETIMEDOUT));
5654 		/* Note:  CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5655 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5656 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5657 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5658 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5659 		return SCTP_DISPOSITION_DELETE_TCB;
5660 	}
5661 
5662 	switch (asoc->state) {
5663 	case SCTP_STATE_SHUTDOWN_SENT:
5664 		reply = sctp_make_shutdown(asoc, NULL);
5665 		break;
5666 
5667 	case SCTP_STATE_SHUTDOWN_ACK_SENT:
5668 		reply = sctp_make_shutdown_ack(asoc, NULL);
5669 		break;
5670 
5671 	default:
5672 		BUG();
5673 		break;
5674 	}
5675 
5676 	if (!reply)
5677 		goto nomem;
5678 
5679 	/* Do some failure management (Section 8.2).
5680 	 * If we remove the transport an SHUTDOWN was last sent to, don't
5681 	 * do failure management.
5682 	 */
5683 	if (asoc->shutdown_last_sent_to)
5684 		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5685 				SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5686 
5687 	/* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5688 	 * the T2-shutdown timer.
5689 	 */
5690 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5691 
5692 	/* Restart the T2-shutdown timer.  */
5693 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5694 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5695 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5696 	return SCTP_DISPOSITION_CONSUME;
5697 
5698 nomem:
5699 	return SCTP_DISPOSITION_NOMEM;
5700 }
5701 
5702 /*
5703  * ADDIP Section 4.1 ASCONF CHunk Procedures
5704  * If the T4 RTO timer expires the endpoint should do B1 to B5
5705  */
5706 sctp_disposition_t sctp_sf_t4_timer_expire(
5707 	struct net *net,
5708 	const struct sctp_endpoint *ep,
5709 	const struct sctp_association *asoc,
5710 	const sctp_subtype_t type,
5711 	void *arg,
5712 	sctp_cmd_seq_t *commands)
5713 {
5714 	struct sctp_chunk *chunk = asoc->addip_last_asconf;
5715 	struct sctp_transport *transport = chunk->transport;
5716 
5717 	SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
5718 
5719 	/* ADDIP 4.1 B1) Increment the error counters and perform path failure
5720 	 * detection on the appropriate destination address as defined in
5721 	 * RFC2960 [5] section 8.1 and 8.2.
5722 	 */
5723 	if (transport)
5724 		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5725 				SCTP_TRANSPORT(transport));
5726 
5727 	/* Reconfig T4 timer and transport. */
5728 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5729 
5730 	/* ADDIP 4.1 B2) Increment the association error counters and perform
5731 	 * endpoint failure detection on the association as defined in
5732 	 * RFC2960 [5] section 8.1 and 8.2.
5733 	 * association error counter is incremented in SCTP_CMD_STRIKE.
5734 	 */
5735 	if (asoc->overall_error_count >= asoc->max_retrans) {
5736 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5737 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5738 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5739 				SCTP_ERROR(ETIMEDOUT));
5740 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5741 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5742 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5743 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5744 		return SCTP_DISPOSITION_ABORT;
5745 	}
5746 
5747 	/* ADDIP 4.1 B3) Back-off the destination address RTO value to which
5748 	 * the ASCONF chunk was sent by doubling the RTO timer value.
5749 	 * This is done in SCTP_CMD_STRIKE.
5750 	 */
5751 
5752 	/* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
5753 	 * choose an alternate destination address (please refer to RFC2960
5754 	 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
5755 	 * chunk, it MUST be the same (including its serial number) as the last
5756 	 * ASCONF sent.
5757 	 */
5758 	sctp_chunk_hold(asoc->addip_last_asconf);
5759 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5760 			SCTP_CHUNK(asoc->addip_last_asconf));
5761 
5762 	/* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
5763 	 * destination is selected, then the RTO used will be that of the new
5764 	 * destination address.
5765 	 */
5766 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5767 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5768 
5769 	return SCTP_DISPOSITION_CONSUME;
5770 }
5771 
5772 /* sctpimpguide-05 Section 2.12.2
5773  * The sender of the SHUTDOWN MAY also start an overall guard timer
5774  * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5775  * At the expiration of this timer the sender SHOULD abort the association
5776  * by sending an ABORT chunk.
5777  */
5778 sctp_disposition_t sctp_sf_t5_timer_expire(struct net *net,
5779 					   const struct sctp_endpoint *ep,
5780 					   const struct sctp_association *asoc,
5781 					   const sctp_subtype_t type,
5782 					   void *arg,
5783 					   sctp_cmd_seq_t *commands)
5784 {
5785 	struct sctp_chunk *reply = NULL;
5786 
5787 	pr_debug("%s: timer T5 expired\n", __func__);
5788 
5789 	SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
5790 
5791 	reply = sctp_make_abort(asoc, NULL, 0);
5792 	if (!reply)
5793 		goto nomem;
5794 
5795 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5796 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5797 			SCTP_ERROR(ETIMEDOUT));
5798 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5799 			SCTP_PERR(SCTP_ERROR_NO_ERROR));
5800 
5801 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5802 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5803 
5804 	return SCTP_DISPOSITION_DELETE_TCB;
5805 nomem:
5806 	return SCTP_DISPOSITION_NOMEM;
5807 }
5808 
5809 /* Handle expiration of AUTOCLOSE timer.  When the autoclose timer expires,
5810  * the association is automatically closed by starting the shutdown process.
5811  * The work that needs to be done is same as when SHUTDOWN is initiated by
5812  * the user.  So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
5813  */
5814 sctp_disposition_t sctp_sf_autoclose_timer_expire(
5815 	struct net *net,
5816 	const struct sctp_endpoint *ep,
5817 	const struct sctp_association *asoc,
5818 	const sctp_subtype_t type,
5819 	void *arg,
5820 	sctp_cmd_seq_t *commands)
5821 {
5822 	int disposition;
5823 
5824 	SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
5825 
5826 	/* From 9.2 Shutdown of an Association
5827 	 * Upon receipt of the SHUTDOWN primitive from its upper
5828 	 * layer, the endpoint enters SHUTDOWN-PENDING state and
5829 	 * remains there until all outstanding data has been
5830 	 * acknowledged by its peer. The endpoint accepts no new data
5831 	 * from its upper layer, but retransmits data to the far end
5832 	 * if necessary to fill gaps.
5833 	 */
5834 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5835 			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5836 
5837 	disposition = SCTP_DISPOSITION_CONSUME;
5838 	if (sctp_outq_is_empty(&asoc->outqueue)) {
5839 		disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5840 							    arg, commands);
5841 	}
5842 	return disposition;
5843 }
5844 
5845 /*****************************************************************************
5846  * These are sa state functions which could apply to all types of events.
5847  ****************************************************************************/
5848 
5849 /*
5850  * This table entry is not implemented.
5851  *
5852  * Inputs
5853  * (endpoint, asoc, chunk)
5854  *
5855  * The return value is the disposition of the chunk.
5856  */
5857 sctp_disposition_t sctp_sf_not_impl(struct net *net,
5858 				    const struct sctp_endpoint *ep,
5859 				    const struct sctp_association *asoc,
5860 				    const sctp_subtype_t type,
5861 				    void *arg,
5862 				    sctp_cmd_seq_t *commands)
5863 {
5864 	return SCTP_DISPOSITION_NOT_IMPL;
5865 }
5866 
5867 /*
5868  * This table entry represents a bug.
5869  *
5870  * Inputs
5871  * (endpoint, asoc, chunk)
5872  *
5873  * The return value is the disposition of the chunk.
5874  */
5875 sctp_disposition_t sctp_sf_bug(struct net *net,
5876 			       const struct sctp_endpoint *ep,
5877 			       const struct sctp_association *asoc,
5878 			       const sctp_subtype_t type,
5879 			       void *arg,
5880 			       sctp_cmd_seq_t *commands)
5881 {
5882 	return SCTP_DISPOSITION_BUG;
5883 }
5884 
5885 /*
5886  * This table entry represents the firing of a timer in the wrong state.
5887  * Since timer deletion cannot be guaranteed a timer 'may' end up firing
5888  * when the association is in the wrong state.   This event should
5889  * be ignored, so as to prevent any rearming of the timer.
5890  *
5891  * Inputs
5892  * (endpoint, asoc, chunk)
5893  *
5894  * The return value is the disposition of the chunk.
5895  */
5896 sctp_disposition_t sctp_sf_timer_ignore(struct net *net,
5897 					const struct sctp_endpoint *ep,
5898 					const struct sctp_association *asoc,
5899 					const sctp_subtype_t type,
5900 					void *arg,
5901 					sctp_cmd_seq_t *commands)
5902 {
5903 	pr_debug("%s: timer %d ignored\n", __func__, type.chunk);
5904 
5905 	return SCTP_DISPOSITION_CONSUME;
5906 }
5907 
5908 /********************************************************************
5909  * 2nd Level Abstractions
5910  ********************************************************************/
5911 
5912 /* Pull the SACK chunk based on the SACK header. */
5913 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
5914 {
5915 	struct sctp_sackhdr *sack;
5916 	unsigned int len;
5917 	__u16 num_blocks;
5918 	__u16 num_dup_tsns;
5919 
5920 	/* Protect ourselves from reading too far into
5921 	 * the skb from a bogus sender.
5922 	 */
5923 	sack = (struct sctp_sackhdr *) chunk->skb->data;
5924 
5925 	num_blocks = ntohs(sack->num_gap_ack_blocks);
5926 	num_dup_tsns = ntohs(sack->num_dup_tsns);
5927 	len = sizeof(struct sctp_sackhdr);
5928 	len += (num_blocks + num_dup_tsns) * sizeof(__u32);
5929 	if (len > chunk->skb->len)
5930 		return NULL;
5931 
5932 	skb_pull(chunk->skb, len);
5933 
5934 	return sack;
5935 }
5936 
5937 /* Create an ABORT packet to be sent as a response, with the specified
5938  * error causes.
5939  */
5940 static struct sctp_packet *sctp_abort_pkt_new(struct net *net,
5941 				  const struct sctp_endpoint *ep,
5942 				  const struct sctp_association *asoc,
5943 				  struct sctp_chunk *chunk,
5944 				  const void *payload,
5945 				  size_t paylen)
5946 {
5947 	struct sctp_packet *packet;
5948 	struct sctp_chunk *abort;
5949 
5950 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
5951 
5952 	if (packet) {
5953 		/* Make an ABORT.
5954 		 * The T bit will be set if the asoc is NULL.
5955 		 */
5956 		abort = sctp_make_abort(asoc, chunk, paylen);
5957 		if (!abort) {
5958 			sctp_ootb_pkt_free(packet);
5959 			return NULL;
5960 		}
5961 
5962 		/* Reflect vtag if T-Bit is set */
5963 		if (sctp_test_T_bit(abort))
5964 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
5965 
5966 		/* Add specified error causes, i.e., payload, to the
5967 		 * end of the chunk.
5968 		 */
5969 		sctp_addto_chunk(abort, paylen, payload);
5970 
5971 		/* Set the skb to the belonging sock for accounting.  */
5972 		abort->skb->sk = ep->base.sk;
5973 
5974 		sctp_packet_append_chunk(packet, abort);
5975 
5976 	}
5977 
5978 	return packet;
5979 }
5980 
5981 /* Allocate a packet for responding in the OOTB conditions.  */
5982 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
5983 					     const struct sctp_association *asoc,
5984 					     const struct sctp_chunk *chunk)
5985 {
5986 	struct sctp_packet *packet;
5987 	struct sctp_transport *transport;
5988 	__u16 sport;
5989 	__u16 dport;
5990 	__u32 vtag;
5991 
5992 	/* Get the source and destination port from the inbound packet.  */
5993 	sport = ntohs(chunk->sctp_hdr->dest);
5994 	dport = ntohs(chunk->sctp_hdr->source);
5995 
5996 	/* The V-tag is going to be the same as the inbound packet if no
5997 	 * association exists, otherwise, use the peer's vtag.
5998 	 */
5999 	if (asoc) {
6000 		/* Special case the INIT-ACK as there is no peer's vtag
6001 		 * yet.
6002 		 */
6003 		switch (chunk->chunk_hdr->type) {
6004 		case SCTP_CID_INIT_ACK:
6005 		{
6006 			sctp_initack_chunk_t *initack;
6007 
6008 			initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
6009 			vtag = ntohl(initack->init_hdr.init_tag);
6010 			break;
6011 		}
6012 		default:
6013 			vtag = asoc->peer.i.init_tag;
6014 			break;
6015 		}
6016 	} else {
6017 		/* Special case the INIT and stale COOKIE_ECHO as there is no
6018 		 * vtag yet.
6019 		 */
6020 		switch (chunk->chunk_hdr->type) {
6021 		case SCTP_CID_INIT:
6022 		{
6023 			sctp_init_chunk_t *init;
6024 
6025 			init = (sctp_init_chunk_t *)chunk->chunk_hdr;
6026 			vtag = ntohl(init->init_hdr.init_tag);
6027 			break;
6028 		}
6029 		default:
6030 			vtag = ntohl(chunk->sctp_hdr->vtag);
6031 			break;
6032 		}
6033 	}
6034 
6035 	/* Make a transport for the bucket, Eliza... */
6036 	transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6037 	if (!transport)
6038 		goto nomem;
6039 
6040 	/* Cache a route for the transport with the chunk's destination as
6041 	 * the source address.
6042 	 */
6043 	sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6044 			     sctp_sk(net->sctp.ctl_sock));
6045 
6046 	packet = sctp_packet_init(&transport->packet, transport, sport, dport);
6047 	packet = sctp_packet_config(packet, vtag, 0);
6048 
6049 	return packet;
6050 
6051 nomem:
6052 	return NULL;
6053 }
6054 
6055 /* Free the packet allocated earlier for responding in the OOTB condition.  */
6056 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6057 {
6058 	sctp_transport_free(packet->transport);
6059 }
6060 
6061 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found  */
6062 static void sctp_send_stale_cookie_err(struct net *net,
6063 				       const struct sctp_endpoint *ep,
6064 				       const struct sctp_association *asoc,
6065 				       const struct sctp_chunk *chunk,
6066 				       sctp_cmd_seq_t *commands,
6067 				       struct sctp_chunk *err_chunk)
6068 {
6069 	struct sctp_packet *packet;
6070 
6071 	if (err_chunk) {
6072 		packet = sctp_ootb_pkt_new(net, asoc, chunk);
6073 		if (packet) {
6074 			struct sctp_signed_cookie *cookie;
6075 
6076 			/* Override the OOTB vtag from the cookie. */
6077 			cookie = chunk->subh.cookie_hdr;
6078 			packet->vtag = cookie->c.peer_vtag;
6079 
6080 			/* Set the skb to the belonging sock for accounting. */
6081 			err_chunk->skb->sk = ep->base.sk;
6082 			sctp_packet_append_chunk(packet, err_chunk);
6083 			sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6084 					SCTP_PACKET(packet));
6085 			SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6086 		} else
6087 			sctp_chunk_free (err_chunk);
6088 	}
6089 }
6090 
6091 
6092 /* Process a data chunk */
6093 static int sctp_eat_data(const struct sctp_association *asoc,
6094 			 struct sctp_chunk *chunk,
6095 			 sctp_cmd_seq_t *commands)
6096 {
6097 	sctp_datahdr_t *data_hdr;
6098 	struct sctp_chunk *err;
6099 	size_t datalen;
6100 	sctp_verb_t deliver;
6101 	int tmp;
6102 	__u32 tsn;
6103 	struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6104 	struct sock *sk = asoc->base.sk;
6105 	struct net *net = sock_net(sk);
6106 	u16 ssn;
6107 	u16 sid;
6108 	u8 ordered = 0;
6109 
6110 	data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data;
6111 	skb_pull(chunk->skb, sizeof(sctp_datahdr_t));
6112 
6113 	tsn = ntohl(data_hdr->tsn);
6114 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
6115 
6116 	/* ASSERT:  Now skb->data is really the user data.  */
6117 
6118 	/* Process ECN based congestion.
6119 	 *
6120 	 * Since the chunk structure is reused for all chunks within
6121 	 * a packet, we use ecn_ce_done to track if we've already
6122 	 * done CE processing for this packet.
6123 	 *
6124 	 * We need to do ECN processing even if we plan to discard the
6125 	 * chunk later.
6126 	 */
6127 
6128 	if (!chunk->ecn_ce_done) {
6129 		struct sctp_af *af;
6130 		chunk->ecn_ce_done = 1;
6131 
6132 		af = sctp_get_af_specific(
6133 			ipver2af(ip_hdr(chunk->skb)->version));
6134 
6135 		if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) {
6136 			/* Do real work as sideffect. */
6137 			sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6138 					SCTP_U32(tsn));
6139 		}
6140 	}
6141 
6142 	tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6143 	if (tmp < 0) {
6144 		/* The TSN is too high--silently discard the chunk and
6145 		 * count on it getting retransmitted later.
6146 		 */
6147 		if (chunk->asoc)
6148 			chunk->asoc->stats.outofseqtsns++;
6149 		return SCTP_IERROR_HIGH_TSN;
6150 	} else if (tmp > 0) {
6151 		/* This is a duplicate.  Record it.  */
6152 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6153 		return SCTP_IERROR_DUP_TSN;
6154 	}
6155 
6156 	/* This is a new TSN.  */
6157 
6158 	/* Discard if there is no room in the receive window.
6159 	 * Actually, allow a little bit of overflow (up to a MTU).
6160 	 */
6161 	datalen = ntohs(chunk->chunk_hdr->length);
6162 	datalen -= sizeof(sctp_data_chunk_t);
6163 
6164 	deliver = SCTP_CMD_CHUNK_ULP;
6165 
6166 	/* Think about partial delivery. */
6167 	if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6168 
6169 		/* Even if we don't accept this chunk there is
6170 		 * memory pressure.
6171 		 */
6172 		sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6173 	}
6174 
6175 	/* Spill over rwnd a little bit.  Note: While allowed, this spill over
6176 	 * seems a bit troublesome in that frag_point varies based on
6177 	 * PMTU.  In cases, such as loopback, this might be a rather
6178 	 * large spill over.
6179 	 */
6180 	if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6181 	    (datalen > asoc->rwnd + asoc->frag_point))) {
6182 
6183 		/* If this is the next TSN, consider reneging to make
6184 		 * room.   Note: Playing nice with a confused sender.  A
6185 		 * malicious sender can still eat up all our buffer
6186 		 * space and in the future we may want to detect and
6187 		 * do more drastic reneging.
6188 		 */
6189 		if (sctp_tsnmap_has_gap(map) &&
6190 		    (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6191 			pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
6192 			deliver = SCTP_CMD_RENEGE;
6193 		} else {
6194 			pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
6195 				 __func__, tsn, datalen, asoc->rwnd);
6196 
6197 			return SCTP_IERROR_IGNORE_TSN;
6198 		}
6199 	}
6200 
6201 	/*
6202 	 * Also try to renege to limit our memory usage in the event that
6203 	 * we are under memory pressure
6204 	 * If we can't renege, don't worry about it, the sk_rmem_schedule
6205 	 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6206 	 * memory usage too much
6207 	 */
6208 	if (*sk->sk_prot_creator->memory_pressure) {
6209 		if (sctp_tsnmap_has_gap(map) &&
6210 		    (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6211 			pr_debug("%s: under pressure, reneging for tsn:%u\n",
6212 				 __func__, tsn);
6213 			deliver = SCTP_CMD_RENEGE;
6214 		 }
6215 	}
6216 
6217 	/*
6218 	 * Section 3.3.10.9 No User Data (9)
6219 	 *
6220 	 * Cause of error
6221 	 * ---------------
6222 	 * No User Data:  This error cause is returned to the originator of a
6223 	 * DATA chunk if a received DATA chunk has no user data.
6224 	 */
6225 	if (unlikely(0 == datalen)) {
6226 		err = sctp_make_abort_no_data(asoc, chunk, tsn);
6227 		if (err) {
6228 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6229 					SCTP_CHUNK(err));
6230 		}
6231 		/* We are going to ABORT, so we might as well stop
6232 		 * processing the rest of the chunks in the packet.
6233 		 */
6234 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
6235 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6236 				SCTP_ERROR(ECONNABORTED));
6237 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6238 				SCTP_PERR(SCTP_ERROR_NO_DATA));
6239 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6240 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6241 		return SCTP_IERROR_NO_DATA;
6242 	}
6243 
6244 	chunk->data_accepted = 1;
6245 
6246 	/* Note: Some chunks may get overcounted (if we drop) or overcounted
6247 	 * if we renege and the chunk arrives again.
6248 	 */
6249 	if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6250 		SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6251 		if (chunk->asoc)
6252 			chunk->asoc->stats.iuodchunks++;
6253 	} else {
6254 		SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6255 		if (chunk->asoc)
6256 			chunk->asoc->stats.iodchunks++;
6257 		ordered = 1;
6258 	}
6259 
6260 	/* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6261 	 *
6262 	 * If an endpoint receive a DATA chunk with an invalid stream
6263 	 * identifier, it shall acknowledge the reception of the DATA chunk
6264 	 * following the normal procedure, immediately send an ERROR chunk
6265 	 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6266 	 * and discard the DATA chunk.
6267 	 */
6268 	sid = ntohs(data_hdr->stream);
6269 	if (sid >= asoc->c.sinit_max_instreams) {
6270 		/* Mark tsn as received even though we drop it */
6271 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6272 
6273 		err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6274 					 &data_hdr->stream,
6275 					 sizeof(data_hdr->stream),
6276 					 sizeof(u16));
6277 		if (err)
6278 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6279 					SCTP_CHUNK(err));
6280 		return SCTP_IERROR_BAD_STREAM;
6281 	}
6282 
6283 	/* Check to see if the SSN is possible for this TSN.
6284 	 * The biggest gap we can record is 4K wide.  Since SSNs wrap
6285 	 * at an unsigned short, there is no way that an SSN can
6286 	 * wrap and for a valid TSN.  We can simply check if the current
6287 	 * SSN is smaller then the next expected one.  If it is, it wrapped
6288 	 * and is invalid.
6289 	 */
6290 	ssn = ntohs(data_hdr->ssn);
6291 	if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) {
6292 		return SCTP_IERROR_PROTO_VIOLATION;
6293 	}
6294 
6295 	/* Send the data up to the user.  Note:  Schedule  the
6296 	 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6297 	 * chunk needs the updated rwnd.
6298 	 */
6299 	sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6300 
6301 	return SCTP_IERROR_NO_ERROR;
6302 }
6303