1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, see 26 * <http://www.gnu.org/licenses/>. 27 * 28 * Please send any bug reports or fixes you make to the 29 * email address(es): 30 * lksctp developers <linux-sctp@vger.kernel.org> 31 * 32 * Written or modified by: 33 * La Monte H.P. Yarroll <piggy@acm.org> 34 * Karl Knutson <karl@athena.chicago.il.us> 35 * Mathew Kotowsky <kotowsky@sctp.org> 36 * Sridhar Samudrala <samudrala@us.ibm.com> 37 * Jon Grimm <jgrimm@us.ibm.com> 38 * Hui Huang <hui.huang@nokia.com> 39 * Dajiang Zhang <dajiang.zhang@nokia.com> 40 * Daisy Chang <daisyc@us.ibm.com> 41 * Ardelle Fan <ardelle.fan@intel.com> 42 * Ryan Layer <rmlayer@us.ibm.com> 43 * Kevin Gao <kevin.gao@intel.com> 44 */ 45 46 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 47 48 #include <linux/types.h> 49 #include <linux/kernel.h> 50 #include <linux/ip.h> 51 #include <linux/ipv6.h> 52 #include <linux/net.h> 53 #include <linux/inet.h> 54 #include <linux/slab.h> 55 #include <net/sock.h> 56 #include <net/inet_ecn.h> 57 #include <linux/skbuff.h> 58 #include <net/sctp/sctp.h> 59 #include <net/sctp/sm.h> 60 #include <net/sctp/structs.h> 61 62 #define CREATE_TRACE_POINTS 63 #include <trace/events/sctp.h> 64 65 static struct sctp_packet *sctp_abort_pkt_new( 66 struct net *net, 67 const struct sctp_endpoint *ep, 68 const struct sctp_association *asoc, 69 struct sctp_chunk *chunk, 70 const void *payload, size_t paylen); 71 static int sctp_eat_data(const struct sctp_association *asoc, 72 struct sctp_chunk *chunk, 73 struct sctp_cmd_seq *commands); 74 static struct sctp_packet *sctp_ootb_pkt_new( 75 struct net *net, 76 const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk); 78 static void sctp_send_stale_cookie_err(struct net *net, 79 const struct sctp_endpoint *ep, 80 const struct sctp_association *asoc, 81 const struct sctp_chunk *chunk, 82 struct sctp_cmd_seq *commands, 83 struct sctp_chunk *err_chunk); 84 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 85 struct net *net, 86 const struct sctp_endpoint *ep, 87 const struct sctp_association *asoc, 88 const union sctp_subtype type, 89 void *arg, 90 struct sctp_cmd_seq *commands); 91 static enum sctp_disposition sctp_sf_shut_8_4_5( 92 struct net *net, 93 const struct sctp_endpoint *ep, 94 const struct sctp_association *asoc, 95 const union sctp_subtype type, 96 void *arg, 97 struct sctp_cmd_seq *commands); 98 static enum sctp_disposition sctp_sf_tabort_8_4_8( 99 struct net *net, 100 const struct sctp_endpoint *ep, 101 const struct sctp_association *asoc, 102 const union sctp_subtype type, 103 void *arg, 104 struct sctp_cmd_seq *commands); 105 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 106 107 static enum sctp_disposition sctp_stop_t1_and_abort( 108 struct net *net, 109 struct sctp_cmd_seq *commands, 110 __be16 error, int sk_err, 111 const struct sctp_association *asoc, 112 struct sctp_transport *transport); 113 114 static enum sctp_disposition sctp_sf_abort_violation( 115 struct net *net, 116 const struct sctp_endpoint *ep, 117 const struct sctp_association *asoc, 118 void *arg, 119 struct sctp_cmd_seq *commands, 120 const __u8 *payload, 121 const size_t paylen); 122 123 static enum sctp_disposition sctp_sf_violation_chunklen( 124 struct net *net, 125 const struct sctp_endpoint *ep, 126 const struct sctp_association *asoc, 127 const union sctp_subtype type, 128 void *arg, 129 struct sctp_cmd_seq *commands); 130 131 static enum sctp_disposition sctp_sf_violation_paramlen( 132 struct net *net, 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const union sctp_subtype type, 136 void *arg, void *ext, 137 struct sctp_cmd_seq *commands); 138 139 static enum sctp_disposition sctp_sf_violation_ctsn( 140 struct net *net, 141 const struct sctp_endpoint *ep, 142 const struct sctp_association *asoc, 143 const union sctp_subtype type, 144 void *arg, 145 struct sctp_cmd_seq *commands); 146 147 static enum sctp_disposition sctp_sf_violation_chunk( 148 struct net *net, 149 const struct sctp_endpoint *ep, 150 const struct sctp_association *asoc, 151 const union sctp_subtype type, 152 void *arg, 153 struct sctp_cmd_seq *commands); 154 155 static enum sctp_ierror sctp_sf_authenticate( 156 struct net *net, 157 const struct sctp_endpoint *ep, 158 const struct sctp_association *asoc, 159 const union sctp_subtype type, 160 struct sctp_chunk *chunk); 161 162 static enum sctp_disposition __sctp_sf_do_9_1_abort( 163 struct net *net, 164 const struct sctp_endpoint *ep, 165 const struct sctp_association *asoc, 166 const union sctp_subtype type, 167 void *arg, 168 struct sctp_cmd_seq *commands); 169 170 /* Small helper function that checks if the chunk length 171 * is of the appropriate length. The 'required_length' argument 172 * is set to be the size of a specific chunk we are testing. 173 * Return Values: true = Valid length 174 * false = Invalid length 175 * 176 */ 177 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, 178 __u16 required_length) 179 { 180 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 181 182 /* Previously already marked? */ 183 if (unlikely(chunk->pdiscard)) 184 return false; 185 if (unlikely(chunk_length < required_length)) 186 return false; 187 188 return true; 189 } 190 191 /********************************************************** 192 * These are the state functions for handling chunk events. 193 **********************************************************/ 194 195 /* 196 * Process the final SHUTDOWN COMPLETE. 197 * 198 * Section: 4 (C) (diagram), 9.2 199 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 200 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 201 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 202 * should stop the T2-shutdown timer and remove all knowledge of the 203 * association (and thus the association enters the CLOSED state). 204 * 205 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 206 * C) Rules for packet carrying SHUTDOWN COMPLETE: 207 * ... 208 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 209 * if the Verification Tag field of the packet matches its own tag and 210 * the T bit is not set 211 * OR 212 * it is set to its peer's tag and the T bit is set in the Chunk 213 * Flags. 214 * Otherwise, the receiver MUST silently discard the packet 215 * and take no further action. An endpoint MUST ignore the 216 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 217 * 218 * Inputs 219 * (endpoint, asoc, chunk) 220 * 221 * Outputs 222 * (asoc, reply_msg, msg_up, timers, counters) 223 * 224 * The return value is the disposition of the chunk. 225 */ 226 enum sctp_disposition sctp_sf_do_4_C(struct net *net, 227 const struct sctp_endpoint *ep, 228 const struct sctp_association *asoc, 229 const union sctp_subtype type, 230 void *arg, struct sctp_cmd_seq *commands) 231 { 232 struct sctp_chunk *chunk = arg; 233 struct sctp_ulpevent *ev; 234 235 if (!sctp_vtag_verify_either(chunk, asoc)) 236 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 237 238 /* RFC 2960 6.10 Bundling 239 * 240 * An endpoint MUST NOT bundle INIT, INIT ACK or 241 * SHUTDOWN COMPLETE with any other chunks. 242 */ 243 if (!chunk->singleton) 244 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 245 246 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 247 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 248 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 249 commands); 250 251 /* RFC 2960 10.2 SCTP-to-ULP 252 * 253 * H) SHUTDOWN COMPLETE notification 254 * 255 * When SCTP completes the shutdown procedures (section 9.2) this 256 * notification is passed to the upper layer. 257 */ 258 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 259 0, 0, 0, NULL, GFP_ATOMIC); 260 if (ev) 261 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 262 SCTP_ULPEVENT(ev)); 263 264 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 265 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 266 * not the chunk should be discarded. If the endpoint is in 267 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 268 * T2-shutdown timer and remove all knowledge of the 269 * association (and thus the association enters the CLOSED 270 * state). 271 */ 272 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 273 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 274 275 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 276 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 277 278 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 279 SCTP_STATE(SCTP_STATE_CLOSED)); 280 281 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 282 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 283 284 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 285 286 return SCTP_DISPOSITION_DELETE_TCB; 287 } 288 289 /* 290 * Respond to a normal INIT chunk. 291 * We are the side that is being asked for an association. 292 * 293 * Section: 5.1 Normal Establishment of an Association, B 294 * B) "Z" shall respond immediately with an INIT ACK chunk. The 295 * destination IP address of the INIT ACK MUST be set to the source 296 * IP address of the INIT to which this INIT ACK is responding. In 297 * the response, besides filling in other parameters, "Z" must set the 298 * Verification Tag field to Tag_A, and also provide its own 299 * Verification Tag (Tag_Z) in the Initiate Tag field. 300 * 301 * Verification Tag: Must be 0. 302 * 303 * Inputs 304 * (endpoint, asoc, chunk) 305 * 306 * Outputs 307 * (asoc, reply_msg, msg_up, timers, counters) 308 * 309 * The return value is the disposition of the chunk. 310 */ 311 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, 312 const struct sctp_endpoint *ep, 313 const struct sctp_association *asoc, 314 const union sctp_subtype type, 315 void *arg, 316 struct sctp_cmd_seq *commands) 317 { 318 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 319 struct sctp_unrecognized_param *unk_param; 320 struct sctp_association *new_asoc; 321 struct sctp_packet *packet; 322 int len; 323 324 /* Update socket peer label if first association. */ 325 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 326 chunk->skb)) 327 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 328 329 /* 6.10 Bundling 330 * An endpoint MUST NOT bundle INIT, INIT ACK or 331 * SHUTDOWN COMPLETE with any other chunks. 332 * 333 * IG Section 2.11.2 334 * Furthermore, we require that the receiver of an INIT chunk MUST 335 * enforce these rules by silently discarding an arriving packet 336 * with an INIT chunk that is bundled with other chunks. 337 */ 338 if (!chunk->singleton) 339 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 340 341 /* If the packet is an OOTB packet which is temporarily on the 342 * control endpoint, respond with an ABORT. 343 */ 344 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 345 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 346 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 347 } 348 349 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 350 * Tag. 351 */ 352 if (chunk->sctp_hdr->vtag != 0) 353 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 354 355 /* Make sure that the INIT chunk has a valid length. 356 * Normally, this would cause an ABORT with a Protocol Violation 357 * error, but since we don't have an association, we'll 358 * just discard the packet. 359 */ 360 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 361 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 362 363 /* If the INIT is coming toward a closing socket, we'll send back 364 * and ABORT. Essentially, this catches the race of INIT being 365 * backloged to the socket at the same time as the user isses close(). 366 * Since the socket and all its associations are going away, we 367 * can treat this OOTB 368 */ 369 if (sctp_sstate(ep->base.sk, CLOSING)) 370 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 371 372 /* Verify the INIT chunk before processing it. */ 373 err_chunk = NULL; 374 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 375 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 376 &err_chunk)) { 377 /* This chunk contains fatal error. It is to be discarded. 378 * Send an ABORT, with causes if there is any. 379 */ 380 if (err_chunk) { 381 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 382 (__u8 *)(err_chunk->chunk_hdr) + 383 sizeof(struct sctp_chunkhdr), 384 ntohs(err_chunk->chunk_hdr->length) - 385 sizeof(struct sctp_chunkhdr)); 386 387 sctp_chunk_free(err_chunk); 388 389 if (packet) { 390 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 391 SCTP_PACKET(packet)); 392 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 393 return SCTP_DISPOSITION_CONSUME; 394 } else { 395 return SCTP_DISPOSITION_NOMEM; 396 } 397 } else { 398 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 399 commands); 400 } 401 } 402 403 /* Grab the INIT header. */ 404 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 405 406 /* Tag the variable length parameters. */ 407 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 408 409 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 410 if (!new_asoc) 411 goto nomem; 412 413 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 414 sctp_scope(sctp_source(chunk)), 415 GFP_ATOMIC) < 0) 416 goto nomem_init; 417 418 /* The call, sctp_process_init(), can fail on memory allocation. */ 419 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 420 (struct sctp_init_chunk *)chunk->chunk_hdr, 421 GFP_ATOMIC)) 422 goto nomem_init; 423 424 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 425 426 /* If there are errors need to be reported for unknown parameters, 427 * make sure to reserve enough room in the INIT ACK for them. 428 */ 429 len = 0; 430 if (err_chunk) 431 len = ntohs(err_chunk->chunk_hdr->length) - 432 sizeof(struct sctp_chunkhdr); 433 434 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 435 if (!repl) 436 goto nomem_init; 437 438 /* If there are errors need to be reported for unknown parameters, 439 * include them in the outgoing INIT ACK as "Unrecognized parameter" 440 * parameter. 441 */ 442 if (err_chunk) { 443 /* Get the "Unrecognized parameter" parameter(s) out of the 444 * ERROR chunk generated by sctp_verify_init(). Since the 445 * error cause code for "unknown parameter" and the 446 * "Unrecognized parameter" type is the same, we can 447 * construct the parameters in INIT ACK by copying the 448 * ERROR causes over. 449 */ 450 unk_param = (struct sctp_unrecognized_param *) 451 ((__u8 *)(err_chunk->chunk_hdr) + 452 sizeof(struct sctp_chunkhdr)); 453 /* Replace the cause code with the "Unrecognized parameter" 454 * parameter type. 455 */ 456 sctp_addto_chunk(repl, len, unk_param); 457 sctp_chunk_free(err_chunk); 458 } 459 460 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 461 462 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 463 464 /* 465 * Note: After sending out INIT ACK with the State Cookie parameter, 466 * "Z" MUST NOT allocate any resources, nor keep any states for the 467 * new association. Otherwise, "Z" will be vulnerable to resource 468 * attacks. 469 */ 470 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 471 472 return SCTP_DISPOSITION_DELETE_TCB; 473 474 nomem_init: 475 sctp_association_free(new_asoc); 476 nomem: 477 if (err_chunk) 478 sctp_chunk_free(err_chunk); 479 return SCTP_DISPOSITION_NOMEM; 480 } 481 482 /* 483 * Respond to a normal INIT ACK chunk. 484 * We are the side that is initiating the association. 485 * 486 * Section: 5.1 Normal Establishment of an Association, C 487 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 488 * timer and leave COOKIE-WAIT state. "A" shall then send the State 489 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 490 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 491 * 492 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 493 * DATA chunks, but it MUST be the first chunk in the packet and 494 * until the COOKIE ACK is returned the sender MUST NOT send any 495 * other packets to the peer. 496 * 497 * Verification Tag: 3.3.3 498 * If the value of the Initiate Tag in a received INIT ACK chunk is 499 * found to be 0, the receiver MUST treat it as an error and close the 500 * association by transmitting an ABORT. 501 * 502 * Inputs 503 * (endpoint, asoc, chunk) 504 * 505 * Outputs 506 * (asoc, reply_msg, msg_up, timers, counters) 507 * 508 * The return value is the disposition of the chunk. 509 */ 510 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, 511 const struct sctp_endpoint *ep, 512 const struct sctp_association *asoc, 513 const union sctp_subtype type, 514 void *arg, 515 struct sctp_cmd_seq *commands) 516 { 517 struct sctp_init_chunk *initchunk; 518 struct sctp_chunk *chunk = arg; 519 struct sctp_chunk *err_chunk; 520 struct sctp_packet *packet; 521 522 if (!sctp_vtag_verify(chunk, asoc)) 523 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 524 525 /* 6.10 Bundling 526 * An endpoint MUST NOT bundle INIT, INIT ACK or 527 * SHUTDOWN COMPLETE with any other chunks. 528 */ 529 if (!chunk->singleton) 530 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 531 532 /* Make sure that the INIT-ACK chunk has a valid length */ 533 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) 534 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 535 commands); 536 /* Grab the INIT header. */ 537 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 538 539 /* Verify the INIT chunk before processing it. */ 540 err_chunk = NULL; 541 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 542 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 543 &err_chunk)) { 544 545 enum sctp_error error = SCTP_ERROR_NO_RESOURCE; 546 547 /* This chunk contains fatal error. It is to be discarded. 548 * Send an ABORT, with causes. If there are no causes, 549 * then there wasn't enough memory. Just terminate 550 * the association. 551 */ 552 if (err_chunk) { 553 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 554 (__u8 *)(err_chunk->chunk_hdr) + 555 sizeof(struct sctp_chunkhdr), 556 ntohs(err_chunk->chunk_hdr->length) - 557 sizeof(struct sctp_chunkhdr)); 558 559 sctp_chunk_free(err_chunk); 560 561 if (packet) { 562 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 563 SCTP_PACKET(packet)); 564 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 565 error = SCTP_ERROR_INV_PARAM; 566 } 567 } 568 569 /* SCTP-AUTH, Section 6.3: 570 * It should be noted that if the receiver wants to tear 571 * down an association in an authenticated way only, the 572 * handling of malformed packets should not result in 573 * tearing down the association. 574 * 575 * This means that if we only want to abort associations 576 * in an authenticated way (i.e AUTH+ABORT), then we 577 * can't destroy this association just because the packet 578 * was malformed. 579 */ 580 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 581 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 582 583 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 584 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 585 asoc, chunk->transport); 586 } 587 588 /* Tag the variable length parameters. Note that we never 589 * convert the parameters in an INIT chunk. 590 */ 591 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 592 593 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; 594 595 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 596 SCTP_PEER_INIT(initchunk)); 597 598 /* Reset init error count upon receipt of INIT-ACK. */ 599 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 600 601 /* 5.1 C) "A" shall stop the T1-init timer and leave 602 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 603 * timer, and enter the COOKIE-ECHOED state. 604 */ 605 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 606 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 607 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 608 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 609 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 610 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 611 612 /* SCTP-AUTH: genereate the assocition shared keys so that 613 * we can potentially signe the COOKIE-ECHO. 614 */ 615 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 616 617 /* 5.1 C) "A" shall then send the State Cookie received in the 618 * INIT ACK chunk in a COOKIE ECHO chunk, ... 619 */ 620 /* If there is any errors to report, send the ERROR chunk generated 621 * for unknown parameters as well. 622 */ 623 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 624 SCTP_CHUNK(err_chunk)); 625 626 return SCTP_DISPOSITION_CONSUME; 627 } 628 629 /* 630 * Respond to a normal COOKIE ECHO chunk. 631 * We are the side that is being asked for an association. 632 * 633 * Section: 5.1 Normal Establishment of an Association, D 634 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 635 * with a COOKIE ACK chunk after building a TCB and moving to 636 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 637 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 638 * chunk MUST be the first chunk in the packet. 639 * 640 * IMPLEMENTATION NOTE: An implementation may choose to send the 641 * Communication Up notification to the SCTP user upon reception 642 * of a valid COOKIE ECHO chunk. 643 * 644 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 645 * D) Rules for packet carrying a COOKIE ECHO 646 * 647 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 648 * Initial Tag received in the INIT ACK. 649 * 650 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 651 * 652 * Inputs 653 * (endpoint, asoc, chunk) 654 * 655 * Outputs 656 * (asoc, reply_msg, msg_up, timers, counters) 657 * 658 * The return value is the disposition of the chunk. 659 */ 660 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 661 const struct sctp_endpoint *ep, 662 const struct sctp_association *asoc, 663 const union sctp_subtype type, 664 void *arg, 665 struct sctp_cmd_seq *commands) 666 { 667 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; 668 struct sctp_association *new_asoc; 669 struct sctp_init_chunk *peer_init; 670 struct sctp_chunk *chunk = arg; 671 struct sctp_chunk *err_chk_p; 672 struct sctp_chunk *repl; 673 struct sock *sk; 674 int error = 0; 675 676 /* If the packet is an OOTB packet which is temporarily on the 677 * control endpoint, respond with an ABORT. 678 */ 679 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 680 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 681 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 682 } 683 684 /* Make sure that the COOKIE_ECHO chunk has a valid length. 685 * In this case, we check that we have enough for at least a 686 * chunk header. More detailed verification is done 687 * in sctp_unpack_cookie(). 688 */ 689 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 690 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 691 692 /* If the endpoint is not listening or if the number of associations 693 * on the TCP-style socket exceed the max backlog, respond with an 694 * ABORT. 695 */ 696 sk = ep->base.sk; 697 if (!sctp_sstate(sk, LISTENING) || 698 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 699 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 700 701 /* "Decode" the chunk. We have no optional parameters so we 702 * are in good shape. 703 */ 704 chunk->subh.cookie_hdr = 705 (struct sctp_signed_cookie *)chunk->skb->data; 706 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 707 sizeof(struct sctp_chunkhdr))) 708 goto nomem; 709 710 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 711 * "Z" will reply with a COOKIE ACK chunk after building a TCB 712 * and moving to the ESTABLISHED state. 713 */ 714 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 715 &err_chk_p); 716 717 /* FIXME: 718 * If the re-build failed, what is the proper error path 719 * from here? 720 * 721 * [We should abort the association. --piggy] 722 */ 723 if (!new_asoc) { 724 /* FIXME: Several errors are possible. A bad cookie should 725 * be silently discarded, but think about logging it too. 726 */ 727 switch (error) { 728 case -SCTP_IERROR_NOMEM: 729 goto nomem; 730 731 case -SCTP_IERROR_STALE_COOKIE: 732 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 733 err_chk_p); 734 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 735 736 case -SCTP_IERROR_BAD_SIG: 737 default: 738 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 739 } 740 } 741 742 743 /* Delay state machine commands until later. 744 * 745 * Re-build the bind address for the association is done in 746 * the sctp_unpack_cookie() already. 747 */ 748 /* This is a brand-new association, so these are not yet side 749 * effects--it is safe to run them here. 750 */ 751 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 752 753 if (!sctp_process_init(new_asoc, chunk, 754 &chunk->subh.cookie_hdr->c.peer_addr, 755 peer_init, GFP_ATOMIC)) 756 goto nomem_init; 757 758 /* SCTP-AUTH: Now that we've populate required fields in 759 * sctp_process_init, set up the assocaition shared keys as 760 * necessary so that we can potentially authenticate the ACK 761 */ 762 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 763 if (error) 764 goto nomem_init; 765 766 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 767 * is supposed to be authenticated and we have to do delayed 768 * authentication. We've just recreated the association using 769 * the information in the cookie and now it's much easier to 770 * do the authentication. 771 */ 772 if (chunk->auth_chunk) { 773 struct sctp_chunk auth; 774 enum sctp_ierror ret; 775 776 /* Make sure that we and the peer are AUTH capable */ 777 if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { 778 sctp_association_free(new_asoc); 779 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 780 } 781 782 /* set-up our fake chunk so that we can process it */ 783 auth.skb = chunk->auth_chunk; 784 auth.asoc = chunk->asoc; 785 auth.sctp_hdr = chunk->sctp_hdr; 786 auth.chunk_hdr = (struct sctp_chunkhdr *) 787 skb_push(chunk->auth_chunk, 788 sizeof(struct sctp_chunkhdr)); 789 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); 790 auth.transport = chunk->transport; 791 792 ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth); 793 if (ret != SCTP_IERROR_NO_ERROR) { 794 sctp_association_free(new_asoc); 795 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 796 } 797 } 798 799 repl = sctp_make_cookie_ack(new_asoc, chunk); 800 if (!repl) 801 goto nomem_init; 802 803 /* RFC 2960 5.1 Normal Establishment of an Association 804 * 805 * D) IMPLEMENTATION NOTE: An implementation may choose to 806 * send the Communication Up notification to the SCTP user 807 * upon reception of a valid COOKIE ECHO chunk. 808 */ 809 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 810 new_asoc->c.sinit_num_ostreams, 811 new_asoc->c.sinit_max_instreams, 812 NULL, GFP_ATOMIC); 813 if (!ev) 814 goto nomem_ev; 815 816 /* Sockets API Draft Section 5.3.1.6 817 * When a peer sends a Adaptation Layer Indication parameter , SCTP 818 * delivers this notification to inform the application that of the 819 * peers requested adaptation layer. 820 */ 821 if (new_asoc->peer.adaptation_ind) { 822 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 823 GFP_ATOMIC); 824 if (!ai_ev) 825 goto nomem_aiev; 826 } 827 828 if (!new_asoc->peer.auth_capable) { 829 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, 830 SCTP_AUTH_NO_AUTH, 831 GFP_ATOMIC); 832 if (!auth_ev) 833 goto nomem_authev; 834 } 835 836 /* Add all the state machine commands now since we've created 837 * everything. This way we don't introduce memory corruptions 838 * during side-effect processing and correclty count established 839 * associations. 840 */ 841 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 842 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 843 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 844 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 845 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 846 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 847 848 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 849 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 850 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 851 852 /* This will send the COOKIE ACK */ 853 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 854 855 /* Queue the ASSOC_CHANGE event */ 856 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 857 858 /* Send up the Adaptation Layer Indication event */ 859 if (ai_ev) 860 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 861 SCTP_ULPEVENT(ai_ev)); 862 863 if (auth_ev) 864 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 865 SCTP_ULPEVENT(auth_ev)); 866 867 return SCTP_DISPOSITION_CONSUME; 868 869 nomem_authev: 870 sctp_ulpevent_free(ai_ev); 871 nomem_aiev: 872 sctp_ulpevent_free(ev); 873 nomem_ev: 874 sctp_chunk_free(repl); 875 nomem_init: 876 sctp_association_free(new_asoc); 877 nomem: 878 return SCTP_DISPOSITION_NOMEM; 879 } 880 881 /* 882 * Respond to a normal COOKIE ACK chunk. 883 * We are the side that is asking for an association. 884 * 885 * RFC 2960 5.1 Normal Establishment of an Association 886 * 887 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 888 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 889 * timer. It may also notify its ULP about the successful 890 * establishment of the association with a Communication Up 891 * notification (see Section 10). 892 * 893 * Verification Tag: 894 * Inputs 895 * (endpoint, asoc, chunk) 896 * 897 * Outputs 898 * (asoc, reply_msg, msg_up, timers, counters) 899 * 900 * The return value is the disposition of the chunk. 901 */ 902 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 903 const struct sctp_endpoint *ep, 904 const struct sctp_association *asoc, 905 const union sctp_subtype type, 906 void *arg, 907 struct sctp_cmd_seq *commands) 908 { 909 struct sctp_chunk *chunk = arg; 910 struct sctp_ulpevent *ev; 911 912 if (!sctp_vtag_verify(chunk, asoc)) 913 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 914 915 /* Verify that the chunk length for the COOKIE-ACK is OK. 916 * If we don't do this, any bundled chunks may be junked. 917 */ 918 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 919 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 920 commands); 921 922 /* Reset init error count upon receipt of COOKIE-ACK, 923 * to avoid problems with the managemement of this 924 * counter in stale cookie situations when a transition back 925 * from the COOKIE-ECHOED state to the COOKIE-WAIT 926 * state is performed. 927 */ 928 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 929 930 /* Set peer label for connection. */ 931 security_inet_conn_established(ep->base.sk, chunk->skb); 932 933 /* RFC 2960 5.1 Normal Establishment of an Association 934 * 935 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 936 * from the COOKIE-ECHOED state to the ESTABLISHED state, 937 * stopping the T1-cookie timer. 938 */ 939 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 940 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 941 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 942 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 943 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 944 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 945 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 946 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 947 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 948 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 949 950 /* It may also notify its ULP about the successful 951 * establishment of the association with a Communication Up 952 * notification (see Section 10). 953 */ 954 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 955 0, asoc->c.sinit_num_ostreams, 956 asoc->c.sinit_max_instreams, 957 NULL, GFP_ATOMIC); 958 959 if (!ev) 960 goto nomem; 961 962 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 963 964 /* Sockets API Draft Section 5.3.1.6 965 * When a peer sends a Adaptation Layer Indication parameter , SCTP 966 * delivers this notification to inform the application that of the 967 * peers requested adaptation layer. 968 */ 969 if (asoc->peer.adaptation_ind) { 970 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 971 if (!ev) 972 goto nomem; 973 974 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 975 SCTP_ULPEVENT(ev)); 976 } 977 978 if (!asoc->peer.auth_capable) { 979 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, 980 GFP_ATOMIC); 981 if (!ev) 982 goto nomem; 983 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 984 SCTP_ULPEVENT(ev)); 985 } 986 987 return SCTP_DISPOSITION_CONSUME; 988 nomem: 989 return SCTP_DISPOSITION_NOMEM; 990 } 991 992 /* Generate and sendout a heartbeat packet. */ 993 static enum sctp_disposition sctp_sf_heartbeat( 994 const struct sctp_endpoint *ep, 995 const struct sctp_association *asoc, 996 const union sctp_subtype type, 997 void *arg, 998 struct sctp_cmd_seq *commands) 999 { 1000 struct sctp_transport *transport = (struct sctp_transport *) arg; 1001 struct sctp_chunk *reply; 1002 1003 /* Send a heartbeat to our peer. */ 1004 reply = sctp_make_heartbeat(asoc, transport); 1005 if (!reply) 1006 return SCTP_DISPOSITION_NOMEM; 1007 1008 /* Set rto_pending indicating that an RTT measurement 1009 * is started with this heartbeat chunk. 1010 */ 1011 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 1012 SCTP_TRANSPORT(transport)); 1013 1014 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1015 return SCTP_DISPOSITION_CONSUME; 1016 } 1017 1018 /* Generate a HEARTBEAT packet on the given transport. */ 1019 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, 1020 const struct sctp_endpoint *ep, 1021 const struct sctp_association *asoc, 1022 const union sctp_subtype type, 1023 void *arg, 1024 struct sctp_cmd_seq *commands) 1025 { 1026 struct sctp_transport *transport = (struct sctp_transport *) arg; 1027 1028 if (asoc->overall_error_count >= asoc->max_retrans) { 1029 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1030 SCTP_ERROR(ETIMEDOUT)); 1031 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1032 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1033 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1034 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1035 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1036 return SCTP_DISPOSITION_DELETE_TCB; 1037 } 1038 1039 /* Section 3.3.5. 1040 * The Sender-specific Heartbeat Info field should normally include 1041 * information about the sender's current time when this HEARTBEAT 1042 * chunk is sent and the destination transport address to which this 1043 * HEARTBEAT is sent (see Section 8.3). 1044 */ 1045 1046 if (transport->param_flags & SPP_HB_ENABLE) { 1047 if (SCTP_DISPOSITION_NOMEM == 1048 sctp_sf_heartbeat(ep, asoc, type, arg, 1049 commands)) 1050 return SCTP_DISPOSITION_NOMEM; 1051 1052 /* Set transport error counter and association error counter 1053 * when sending heartbeat. 1054 */ 1055 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1056 SCTP_TRANSPORT(transport)); 1057 } 1058 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1059 SCTP_TRANSPORT(transport)); 1060 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1061 SCTP_TRANSPORT(transport)); 1062 1063 return SCTP_DISPOSITION_CONSUME; 1064 } 1065 1066 /* resend asoc strreset_chunk. */ 1067 enum sctp_disposition sctp_sf_send_reconf(struct net *net, 1068 const struct sctp_endpoint *ep, 1069 const struct sctp_association *asoc, 1070 const union sctp_subtype type, 1071 void *arg, 1072 struct sctp_cmd_seq *commands) 1073 { 1074 struct sctp_transport *transport = arg; 1075 1076 if (asoc->overall_error_count >= asoc->max_retrans) { 1077 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1078 SCTP_ERROR(ETIMEDOUT)); 1079 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1080 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1081 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1082 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1083 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1084 return SCTP_DISPOSITION_DELETE_TCB; 1085 } 1086 1087 sctp_chunk_hold(asoc->strreset_chunk); 1088 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1089 SCTP_CHUNK(asoc->strreset_chunk)); 1090 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 1091 1092 return SCTP_DISPOSITION_CONSUME; 1093 } 1094 1095 /* 1096 * Process an heartbeat request. 1097 * 1098 * Section: 8.3 Path Heartbeat 1099 * The receiver of the HEARTBEAT should immediately respond with a 1100 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1101 * from the received HEARTBEAT chunk. 1102 * 1103 * Verification Tag: 8.5 Verification Tag [Normal verification] 1104 * When receiving an SCTP packet, the endpoint MUST ensure that the 1105 * value in the Verification Tag field of the received SCTP packet 1106 * matches its own Tag. If the received Verification Tag value does not 1107 * match the receiver's own tag value, the receiver shall silently 1108 * discard the packet and shall not process it any further except for 1109 * those cases listed in Section 8.5.1 below. 1110 * 1111 * Inputs 1112 * (endpoint, asoc, chunk) 1113 * 1114 * Outputs 1115 * (asoc, reply_msg, msg_up, timers, counters) 1116 * 1117 * The return value is the disposition of the chunk. 1118 */ 1119 enum sctp_disposition sctp_sf_beat_8_3(struct net *net, 1120 const struct sctp_endpoint *ep, 1121 const struct sctp_association *asoc, 1122 const union sctp_subtype type, 1123 void *arg, struct sctp_cmd_seq *commands) 1124 { 1125 struct sctp_paramhdr *param_hdr; 1126 struct sctp_chunk *chunk = arg; 1127 struct sctp_chunk *reply; 1128 size_t paylen = 0; 1129 1130 if (!sctp_vtag_verify(chunk, asoc)) 1131 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1132 1133 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1134 if (!sctp_chunk_length_valid(chunk, 1135 sizeof(struct sctp_heartbeat_chunk))) 1136 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1137 commands); 1138 1139 /* 8.3 The receiver of the HEARTBEAT should immediately 1140 * respond with a HEARTBEAT ACK that contains the Heartbeat 1141 * Information field copied from the received HEARTBEAT chunk. 1142 */ 1143 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; 1144 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; 1145 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); 1146 1147 if (ntohs(param_hdr->length) > paylen) 1148 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1149 param_hdr, commands); 1150 1151 if (!pskb_pull(chunk->skb, paylen)) 1152 goto nomem; 1153 1154 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1155 if (!reply) 1156 goto nomem; 1157 1158 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1159 return SCTP_DISPOSITION_CONSUME; 1160 1161 nomem: 1162 return SCTP_DISPOSITION_NOMEM; 1163 } 1164 1165 /* 1166 * Process the returning HEARTBEAT ACK. 1167 * 1168 * Section: 8.3 Path Heartbeat 1169 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1170 * should clear the error counter of the destination transport 1171 * address to which the HEARTBEAT was sent, and mark the destination 1172 * transport address as active if it is not so marked. The endpoint may 1173 * optionally report to the upper layer when an inactive destination 1174 * address is marked as active due to the reception of the latest 1175 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1176 * clear the association overall error count as well (as defined 1177 * in section 8.1). 1178 * 1179 * The receiver of the HEARTBEAT ACK should also perform an RTT 1180 * measurement for that destination transport address using the time 1181 * value carried in the HEARTBEAT ACK chunk. 1182 * 1183 * Verification Tag: 8.5 Verification Tag [Normal verification] 1184 * 1185 * Inputs 1186 * (endpoint, asoc, chunk) 1187 * 1188 * Outputs 1189 * (asoc, reply_msg, msg_up, timers, counters) 1190 * 1191 * The return value is the disposition of the chunk. 1192 */ 1193 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, 1194 const struct sctp_endpoint *ep, 1195 const struct sctp_association *asoc, 1196 const union sctp_subtype type, 1197 void *arg, 1198 struct sctp_cmd_seq *commands) 1199 { 1200 struct sctp_sender_hb_info *hbinfo; 1201 struct sctp_chunk *chunk = arg; 1202 struct sctp_transport *link; 1203 unsigned long max_interval; 1204 union sctp_addr from_addr; 1205 1206 if (!sctp_vtag_verify(chunk, asoc)) 1207 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1208 1209 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1210 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + 1211 sizeof(*hbinfo))) 1212 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1213 commands); 1214 1215 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; 1216 /* Make sure that the length of the parameter is what we expect */ 1217 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) 1218 return SCTP_DISPOSITION_DISCARD; 1219 1220 from_addr = hbinfo->daddr; 1221 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1222 1223 /* This should never happen, but lets log it if so. */ 1224 if (unlikely(!link)) { 1225 if (from_addr.sa.sa_family == AF_INET6) { 1226 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1227 __func__, 1228 asoc, 1229 &from_addr.v6.sin6_addr); 1230 } else { 1231 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1232 __func__, 1233 asoc, 1234 &from_addr.v4.sin_addr.s_addr); 1235 } 1236 return SCTP_DISPOSITION_DISCARD; 1237 } 1238 1239 /* Validate the 64-bit random nonce. */ 1240 if (hbinfo->hb_nonce != link->hb_nonce) 1241 return SCTP_DISPOSITION_DISCARD; 1242 1243 max_interval = link->hbinterval + link->rto; 1244 1245 /* Check if the timestamp looks valid. */ 1246 if (time_after(hbinfo->sent_at, jiffies) || 1247 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1248 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1249 "for transport:%p\n", __func__, link); 1250 1251 return SCTP_DISPOSITION_DISCARD; 1252 } 1253 1254 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1255 * the HEARTBEAT should clear the error counter of the 1256 * destination transport address to which the HEARTBEAT was 1257 * sent and mark the destination transport address as active if 1258 * it is not so marked. 1259 */ 1260 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1261 1262 return SCTP_DISPOSITION_CONSUME; 1263 } 1264 1265 /* Helper function to send out an abort for the restart 1266 * condition. 1267 */ 1268 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1269 struct sctp_chunk *init, 1270 struct sctp_cmd_seq *commands) 1271 { 1272 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1273 union sctp_addr_param *addrparm; 1274 struct sctp_errhdr *errhdr; 1275 char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; 1276 struct sctp_endpoint *ep; 1277 struct sctp_packet *pkt; 1278 int len; 1279 1280 /* Build the error on the stack. We are way to malloc crazy 1281 * throughout the code today. 1282 */ 1283 errhdr = (struct sctp_errhdr *)buffer; 1284 addrparm = (union sctp_addr_param *)errhdr->variable; 1285 1286 /* Copy into a parm format. */ 1287 len = af->to_addr_param(ssa, addrparm); 1288 len += sizeof(*errhdr); 1289 1290 errhdr->cause = SCTP_ERROR_RESTART; 1291 errhdr->length = htons(len); 1292 1293 /* Assign to the control socket. */ 1294 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1295 1296 /* Association is NULL since this may be a restart attack and we 1297 * want to send back the attacker's vtag. 1298 */ 1299 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1300 1301 if (!pkt) 1302 goto out; 1303 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1304 1305 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1306 1307 /* Discard the rest of the inbound packet. */ 1308 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1309 1310 out: 1311 /* Even if there is no memory, treat as a failure so 1312 * the packet will get dropped. 1313 */ 1314 return 0; 1315 } 1316 1317 static bool list_has_sctp_addr(const struct list_head *list, 1318 union sctp_addr *ipaddr) 1319 { 1320 struct sctp_transport *addr; 1321 1322 list_for_each_entry(addr, list, transports) { 1323 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1324 return true; 1325 } 1326 1327 return false; 1328 } 1329 /* A restart is occurring, check to make sure no new addresses 1330 * are being added as we may be under a takeover attack. 1331 */ 1332 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1333 const struct sctp_association *asoc, 1334 struct sctp_chunk *init, 1335 struct sctp_cmd_seq *commands) 1336 { 1337 struct net *net = sock_net(new_asoc->base.sk); 1338 struct sctp_transport *new_addr; 1339 int ret = 1; 1340 1341 /* Implementor's Guide - Section 5.2.2 1342 * ... 1343 * Before responding the endpoint MUST check to see if the 1344 * unexpected INIT adds new addresses to the association. If new 1345 * addresses are added to the association, the endpoint MUST respond 1346 * with an ABORT.. 1347 */ 1348 1349 /* Search through all current addresses and make sure 1350 * we aren't adding any new ones. 1351 */ 1352 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1353 transports) { 1354 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1355 &new_addr->ipaddr)) { 1356 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1357 commands); 1358 ret = 0; 1359 break; 1360 } 1361 } 1362 1363 /* Return success if all addresses were found. */ 1364 return ret; 1365 } 1366 1367 /* Populate the verification/tie tags based on overlapping INIT 1368 * scenario. 1369 * 1370 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1371 */ 1372 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1373 const struct sctp_association *asoc) 1374 { 1375 switch (asoc->state) { 1376 1377 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1378 1379 case SCTP_STATE_COOKIE_WAIT: 1380 new_asoc->c.my_vtag = asoc->c.my_vtag; 1381 new_asoc->c.my_ttag = asoc->c.my_vtag; 1382 new_asoc->c.peer_ttag = 0; 1383 break; 1384 1385 case SCTP_STATE_COOKIE_ECHOED: 1386 new_asoc->c.my_vtag = asoc->c.my_vtag; 1387 new_asoc->c.my_ttag = asoc->c.my_vtag; 1388 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1389 break; 1390 1391 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1392 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1393 */ 1394 default: 1395 new_asoc->c.my_ttag = asoc->c.my_vtag; 1396 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1397 break; 1398 } 1399 1400 /* Other parameters for the endpoint SHOULD be copied from the 1401 * existing parameters of the association (e.g. number of 1402 * outbound streams) into the INIT ACK and cookie. 1403 */ 1404 new_asoc->rwnd = asoc->rwnd; 1405 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1406 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1407 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1408 } 1409 1410 /* 1411 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1412 * handling action. 1413 * 1414 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1415 * 1416 * Returns value representing action to be taken. These action values 1417 * correspond to Action/Description values in RFC 2960, Table 2. 1418 */ 1419 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1420 const struct sctp_association *asoc) 1421 { 1422 /* In this case, the peer may have restarted. */ 1423 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1424 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1425 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1426 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1427 return 'A'; 1428 1429 /* Collision case B. */ 1430 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1431 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1432 (0 == asoc->c.peer_vtag))) { 1433 return 'B'; 1434 } 1435 1436 /* Collision case D. */ 1437 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1438 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1439 return 'D'; 1440 1441 /* Collision case C. */ 1442 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1443 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1444 (0 == new_asoc->c.my_ttag) && 1445 (0 == new_asoc->c.peer_ttag)) 1446 return 'C'; 1447 1448 /* No match to any of the special cases; discard this packet. */ 1449 return 'E'; 1450 } 1451 1452 /* Common helper routine for both duplicate and simulataneous INIT 1453 * chunk handling. 1454 */ 1455 static enum sctp_disposition sctp_sf_do_unexpected_init( 1456 struct net *net, 1457 const struct sctp_endpoint *ep, 1458 const struct sctp_association *asoc, 1459 const union sctp_subtype type, 1460 void *arg, 1461 struct sctp_cmd_seq *commands) 1462 { 1463 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 1464 struct sctp_unrecognized_param *unk_param; 1465 struct sctp_association *new_asoc; 1466 enum sctp_disposition retval; 1467 struct sctp_packet *packet; 1468 int len; 1469 1470 /* Update socket peer label if first association. */ 1471 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 1472 chunk->skb)) 1473 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1474 1475 /* 6.10 Bundling 1476 * An endpoint MUST NOT bundle INIT, INIT ACK or 1477 * SHUTDOWN COMPLETE with any other chunks. 1478 * 1479 * IG Section 2.11.2 1480 * Furthermore, we require that the receiver of an INIT chunk MUST 1481 * enforce these rules by silently discarding an arriving packet 1482 * with an INIT chunk that is bundled with other chunks. 1483 */ 1484 if (!chunk->singleton) 1485 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1486 1487 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1488 * Tag. 1489 */ 1490 if (chunk->sctp_hdr->vtag != 0) 1491 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1492 1493 /* Make sure that the INIT chunk has a valid length. 1494 * In this case, we generate a protocol violation since we have 1495 * an association established. 1496 */ 1497 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 1498 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1499 commands); 1500 /* Grab the INIT header. */ 1501 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 1502 1503 /* Tag the variable length parameters. */ 1504 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 1505 1506 /* Verify the INIT chunk before processing it. */ 1507 err_chunk = NULL; 1508 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1509 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 1510 &err_chunk)) { 1511 /* This chunk contains fatal error. It is to be discarded. 1512 * Send an ABORT, with causes if there is any. 1513 */ 1514 if (err_chunk) { 1515 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1516 (__u8 *)(err_chunk->chunk_hdr) + 1517 sizeof(struct sctp_chunkhdr), 1518 ntohs(err_chunk->chunk_hdr->length) - 1519 sizeof(struct sctp_chunkhdr)); 1520 1521 if (packet) { 1522 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1523 SCTP_PACKET(packet)); 1524 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1525 retval = SCTP_DISPOSITION_CONSUME; 1526 } else { 1527 retval = SCTP_DISPOSITION_NOMEM; 1528 } 1529 goto cleanup; 1530 } else { 1531 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1532 commands); 1533 } 1534 } 1535 1536 /* 1537 * Other parameters for the endpoint SHOULD be copied from the 1538 * existing parameters of the association (e.g. number of 1539 * outbound streams) into the INIT ACK and cookie. 1540 * FIXME: We are copying parameters from the endpoint not the 1541 * association. 1542 */ 1543 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1544 if (!new_asoc) 1545 goto nomem; 1546 1547 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1548 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1549 goto nomem; 1550 1551 /* In the outbound INIT ACK the endpoint MUST copy its current 1552 * Verification Tag and Peers Verification tag into a reserved 1553 * place (local tie-tag and per tie-tag) within the state cookie. 1554 */ 1555 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1556 (struct sctp_init_chunk *)chunk->chunk_hdr, 1557 GFP_ATOMIC)) 1558 goto nomem; 1559 1560 /* Make sure no new addresses are being added during the 1561 * restart. Do not do this check for COOKIE-WAIT state, 1562 * since there are no peer addresses to check against. 1563 * Upon return an ABORT will have been sent if needed. 1564 */ 1565 if (!sctp_state(asoc, COOKIE_WAIT)) { 1566 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1567 commands)) { 1568 retval = SCTP_DISPOSITION_CONSUME; 1569 goto nomem_retval; 1570 } 1571 } 1572 1573 sctp_tietags_populate(new_asoc, asoc); 1574 1575 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1576 1577 /* If there are errors need to be reported for unknown parameters, 1578 * make sure to reserve enough room in the INIT ACK for them. 1579 */ 1580 len = 0; 1581 if (err_chunk) { 1582 len = ntohs(err_chunk->chunk_hdr->length) - 1583 sizeof(struct sctp_chunkhdr); 1584 } 1585 1586 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1587 if (!repl) 1588 goto nomem; 1589 1590 /* If there are errors need to be reported for unknown parameters, 1591 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1592 * parameter. 1593 */ 1594 if (err_chunk) { 1595 /* Get the "Unrecognized parameter" parameter(s) out of the 1596 * ERROR chunk generated by sctp_verify_init(). Since the 1597 * error cause code for "unknown parameter" and the 1598 * "Unrecognized parameter" type is the same, we can 1599 * construct the parameters in INIT ACK by copying the 1600 * ERROR causes over. 1601 */ 1602 unk_param = (struct sctp_unrecognized_param *) 1603 ((__u8 *)(err_chunk->chunk_hdr) + 1604 sizeof(struct sctp_chunkhdr)); 1605 /* Replace the cause code with the "Unrecognized parameter" 1606 * parameter type. 1607 */ 1608 sctp_addto_chunk(repl, len, unk_param); 1609 } 1610 1611 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1612 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1613 1614 /* 1615 * Note: After sending out INIT ACK with the State Cookie parameter, 1616 * "Z" MUST NOT allocate any resources for this new association. 1617 * Otherwise, "Z" will be vulnerable to resource attacks. 1618 */ 1619 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1620 retval = SCTP_DISPOSITION_CONSUME; 1621 1622 return retval; 1623 1624 nomem: 1625 retval = SCTP_DISPOSITION_NOMEM; 1626 nomem_retval: 1627 if (new_asoc) 1628 sctp_association_free(new_asoc); 1629 cleanup: 1630 if (err_chunk) 1631 sctp_chunk_free(err_chunk); 1632 return retval; 1633 } 1634 1635 /* 1636 * Handle simultaneous INIT. 1637 * This means we started an INIT and then we got an INIT request from 1638 * our peer. 1639 * 1640 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1641 * This usually indicates an initialization collision, i.e., each 1642 * endpoint is attempting, at about the same time, to establish an 1643 * association with the other endpoint. 1644 * 1645 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1646 * endpoint MUST respond with an INIT ACK using the same parameters it 1647 * sent in its original INIT chunk (including its Verification Tag, 1648 * unchanged). These original parameters are combined with those from the 1649 * newly received INIT chunk. The endpoint shall also generate a State 1650 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1651 * INIT to calculate the State Cookie. 1652 * 1653 * After that, the endpoint MUST NOT change its state, the T1-init 1654 * timer shall be left running and the corresponding TCB MUST NOT be 1655 * destroyed. The normal procedures for handling State Cookies when 1656 * a TCB exists will resolve the duplicate INITs to a single association. 1657 * 1658 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1659 * its Tie-Tags with the Tag information of itself and its peer (see 1660 * section 5.2.2 for a description of the Tie-Tags). 1661 * 1662 * Verification Tag: Not explicit, but an INIT can not have a valid 1663 * verification tag, so we skip the check. 1664 * 1665 * Inputs 1666 * (endpoint, asoc, chunk) 1667 * 1668 * Outputs 1669 * (asoc, reply_msg, msg_up, timers, counters) 1670 * 1671 * The return value is the disposition of the chunk. 1672 */ 1673 enum sctp_disposition sctp_sf_do_5_2_1_siminit( 1674 struct net *net, 1675 const struct sctp_endpoint *ep, 1676 const struct sctp_association *asoc, 1677 const union sctp_subtype type, 1678 void *arg, 1679 struct sctp_cmd_seq *commands) 1680 { 1681 /* Call helper to do the real work for both simulataneous and 1682 * duplicate INIT chunk handling. 1683 */ 1684 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1685 } 1686 1687 /* 1688 * Handle duplicated INIT messages. These are usually delayed 1689 * restransmissions. 1690 * 1691 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1692 * COOKIE-ECHOED and COOKIE-WAIT 1693 * 1694 * Unless otherwise stated, upon reception of an unexpected INIT for 1695 * this association, the endpoint shall generate an INIT ACK with a 1696 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1697 * current Verification Tag and peer's Verification Tag into a reserved 1698 * place within the state cookie. We shall refer to these locations as 1699 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1700 * containing this INIT ACK MUST carry a Verification Tag value equal to 1701 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1702 * MUST contain a new Initiation Tag (randomly generated see Section 1703 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1704 * existing parameters of the association (e.g. number of outbound 1705 * streams) into the INIT ACK and cookie. 1706 * 1707 * After sending out the INIT ACK, the endpoint shall take no further 1708 * actions, i.e., the existing association, including its current state, 1709 * and the corresponding TCB MUST NOT be changed. 1710 * 1711 * Note: Only when a TCB exists and the association is not in a COOKIE- 1712 * WAIT state are the Tie-Tags populated. For a normal association INIT 1713 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1714 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1715 * State Cookie are populated as specified in section 5.2.1. 1716 * 1717 * Verification Tag: Not specified, but an INIT has no way of knowing 1718 * what the verification tag could be, so we ignore it. 1719 * 1720 * Inputs 1721 * (endpoint, asoc, chunk) 1722 * 1723 * Outputs 1724 * (asoc, reply_msg, msg_up, timers, counters) 1725 * 1726 * The return value is the disposition of the chunk. 1727 */ 1728 enum sctp_disposition sctp_sf_do_5_2_2_dupinit( 1729 struct net *net, 1730 const struct sctp_endpoint *ep, 1731 const struct sctp_association *asoc, 1732 const union sctp_subtype type, 1733 void *arg, 1734 struct sctp_cmd_seq *commands) 1735 { 1736 /* Call helper to do the real work for both simulataneous and 1737 * duplicate INIT chunk handling. 1738 */ 1739 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1740 } 1741 1742 1743 /* 1744 * Unexpected INIT-ACK handler. 1745 * 1746 * Section 5.2.3 1747 * If an INIT ACK received by an endpoint in any state other than the 1748 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1749 * An unexpected INIT ACK usually indicates the processing of an old or 1750 * duplicated INIT chunk. 1751 */ 1752 enum sctp_disposition sctp_sf_do_5_2_3_initack( 1753 struct net *net, 1754 const struct sctp_endpoint *ep, 1755 const struct sctp_association *asoc, 1756 const union sctp_subtype type, 1757 void *arg, 1758 struct sctp_cmd_seq *commands) 1759 { 1760 /* Per the above section, we'll discard the chunk if we have an 1761 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1762 */ 1763 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1764 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1765 else 1766 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1767 } 1768 1769 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1770 * 1771 * Section 5.2.4 1772 * A) In this case, the peer may have restarted. 1773 */ 1774 static enum sctp_disposition sctp_sf_do_dupcook_a( 1775 struct net *net, 1776 const struct sctp_endpoint *ep, 1777 const struct sctp_association *asoc, 1778 struct sctp_chunk *chunk, 1779 struct sctp_cmd_seq *commands, 1780 struct sctp_association *new_asoc) 1781 { 1782 struct sctp_init_chunk *peer_init; 1783 enum sctp_disposition disposition; 1784 struct sctp_ulpevent *ev; 1785 struct sctp_chunk *repl; 1786 struct sctp_chunk *err; 1787 1788 /* new_asoc is a brand-new association, so these are not yet 1789 * side effects--it is safe to run them here. 1790 */ 1791 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1792 1793 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1794 GFP_ATOMIC)) 1795 goto nomem; 1796 1797 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1798 goto nomem; 1799 1800 /* Make sure no new addresses are being added during the 1801 * restart. Though this is a pretty complicated attack 1802 * since you'd have to get inside the cookie. 1803 */ 1804 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1805 return SCTP_DISPOSITION_CONSUME; 1806 } 1807 1808 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1809 * the peer has restarted (Action A), it MUST NOT setup a new 1810 * association but instead resend the SHUTDOWN ACK and send an ERROR 1811 * chunk with a "Cookie Received while Shutting Down" error cause to 1812 * its peer. 1813 */ 1814 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1815 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, 1816 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1817 chunk, commands); 1818 if (SCTP_DISPOSITION_NOMEM == disposition) 1819 goto nomem; 1820 1821 err = sctp_make_op_error(asoc, chunk, 1822 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1823 NULL, 0, 0); 1824 if (err) 1825 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1826 SCTP_CHUNK(err)); 1827 1828 return SCTP_DISPOSITION_CONSUME; 1829 } 1830 1831 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1832 * data. Consider the optional choice of resending of this data. 1833 */ 1834 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1835 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1836 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1837 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1838 1839 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1840 * and ASCONF-ACK cache. 1841 */ 1842 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1843 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1844 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1845 1846 repl = sctp_make_cookie_ack(new_asoc, chunk); 1847 if (!repl) 1848 goto nomem; 1849 1850 /* Report association restart to upper layer. */ 1851 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1852 new_asoc->c.sinit_num_ostreams, 1853 new_asoc->c.sinit_max_instreams, 1854 NULL, GFP_ATOMIC); 1855 if (!ev) 1856 goto nomem_ev; 1857 1858 /* Update the content of current association. */ 1859 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1860 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1861 if (sctp_state(asoc, SHUTDOWN_PENDING) && 1862 (sctp_sstate(asoc->base.sk, CLOSING) || 1863 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1864 /* if were currently in SHUTDOWN_PENDING, but the socket 1865 * has been closed by user, don't transition to ESTABLISHED. 1866 * Instead trigger SHUTDOWN bundled with COOKIE_ACK. 1867 */ 1868 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1869 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1870 SCTP_ST_CHUNK(0), NULL, 1871 commands); 1872 } else { 1873 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1874 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1875 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1876 } 1877 return SCTP_DISPOSITION_CONSUME; 1878 1879 nomem_ev: 1880 sctp_chunk_free(repl); 1881 nomem: 1882 return SCTP_DISPOSITION_NOMEM; 1883 } 1884 1885 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1886 * 1887 * Section 5.2.4 1888 * B) In this case, both sides may be attempting to start an association 1889 * at about the same time but the peer endpoint started its INIT 1890 * after responding to the local endpoint's INIT 1891 */ 1892 /* This case represents an initialization collision. */ 1893 static enum sctp_disposition sctp_sf_do_dupcook_b( 1894 struct net *net, 1895 const struct sctp_endpoint *ep, 1896 const struct sctp_association *asoc, 1897 struct sctp_chunk *chunk, 1898 struct sctp_cmd_seq *commands, 1899 struct sctp_association *new_asoc) 1900 { 1901 struct sctp_init_chunk *peer_init; 1902 struct sctp_chunk *repl; 1903 1904 /* new_asoc is a brand-new association, so these are not yet 1905 * side effects--it is safe to run them here. 1906 */ 1907 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1908 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1909 GFP_ATOMIC)) 1910 goto nomem; 1911 1912 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1913 goto nomem; 1914 1915 /* Update the content of current association. */ 1916 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1917 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1918 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1919 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1920 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1921 1922 repl = sctp_make_cookie_ack(new_asoc, chunk); 1923 if (!repl) 1924 goto nomem; 1925 1926 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1927 1928 /* RFC 2960 5.1 Normal Establishment of an Association 1929 * 1930 * D) IMPLEMENTATION NOTE: An implementation may choose to 1931 * send the Communication Up notification to the SCTP user 1932 * upon reception of a valid COOKIE ECHO chunk. 1933 * 1934 * Sadly, this needs to be implemented as a side-effect, because 1935 * we are not guaranteed to have set the association id of the real 1936 * association and so these notifications need to be delayed until 1937 * the association id is allocated. 1938 */ 1939 1940 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1941 1942 /* Sockets API Draft Section 5.3.1.6 1943 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1944 * delivers this notification to inform the application that of the 1945 * peers requested adaptation layer. 1946 * 1947 * This also needs to be done as a side effect for the same reason as 1948 * above. 1949 */ 1950 if (asoc->peer.adaptation_ind) 1951 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1952 1953 if (!asoc->peer.auth_capable) 1954 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); 1955 1956 return SCTP_DISPOSITION_CONSUME; 1957 1958 nomem: 1959 return SCTP_DISPOSITION_NOMEM; 1960 } 1961 1962 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1963 * 1964 * Section 5.2.4 1965 * C) In this case, the local endpoint's cookie has arrived late. 1966 * Before it arrived, the local endpoint sent an INIT and received an 1967 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1968 * but a new tag of its own. 1969 */ 1970 /* This case represents an initialization collision. */ 1971 static enum sctp_disposition sctp_sf_do_dupcook_c( 1972 struct net *net, 1973 const struct sctp_endpoint *ep, 1974 const struct sctp_association *asoc, 1975 struct sctp_chunk *chunk, 1976 struct sctp_cmd_seq *commands, 1977 struct sctp_association *new_asoc) 1978 { 1979 /* The cookie should be silently discarded. 1980 * The endpoint SHOULD NOT change states and should leave 1981 * any timers running. 1982 */ 1983 return SCTP_DISPOSITION_DISCARD; 1984 } 1985 1986 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1987 * 1988 * Section 5.2.4 1989 * 1990 * D) When both local and remote tags match the endpoint should always 1991 * enter the ESTABLISHED state, if it has not already done so. 1992 */ 1993 /* This case represents an initialization collision. */ 1994 static enum sctp_disposition sctp_sf_do_dupcook_d( 1995 struct net *net, 1996 const struct sctp_endpoint *ep, 1997 const struct sctp_association *asoc, 1998 struct sctp_chunk *chunk, 1999 struct sctp_cmd_seq *commands, 2000 struct sctp_association *new_asoc) 2001 { 2002 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; 2003 struct sctp_chunk *repl; 2004 2005 /* Clarification from Implementor's Guide: 2006 * D) When both local and remote tags match the endpoint should 2007 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 2008 * It should stop any cookie timer that may be running and send 2009 * a COOKIE ACK. 2010 */ 2011 2012 /* Don't accidentally move back into established state. */ 2013 if (asoc->state < SCTP_STATE_ESTABLISHED) { 2014 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2015 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2016 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2017 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2018 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2019 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 2020 SCTP_NULL()); 2021 2022 /* RFC 2960 5.1 Normal Establishment of an Association 2023 * 2024 * D) IMPLEMENTATION NOTE: An implementation may choose 2025 * to send the Communication Up notification to the 2026 * SCTP user upon reception of a valid COOKIE 2027 * ECHO chunk. 2028 */ 2029 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 2030 SCTP_COMM_UP, 0, 2031 asoc->c.sinit_num_ostreams, 2032 asoc->c.sinit_max_instreams, 2033 NULL, GFP_ATOMIC); 2034 if (!ev) 2035 goto nomem; 2036 2037 /* Sockets API Draft Section 5.3.1.6 2038 * When a peer sends a Adaptation Layer Indication parameter, 2039 * SCTP delivers this notification to inform the application 2040 * that of the peers requested adaptation layer. 2041 */ 2042 if (asoc->peer.adaptation_ind) { 2043 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 2044 GFP_ATOMIC); 2045 if (!ai_ev) 2046 goto nomem; 2047 2048 } 2049 2050 if (!asoc->peer.auth_capable) { 2051 auth_ev = sctp_ulpevent_make_authkey(asoc, 0, 2052 SCTP_AUTH_NO_AUTH, 2053 GFP_ATOMIC); 2054 if (!auth_ev) 2055 goto nomem; 2056 } 2057 } 2058 2059 repl = sctp_make_cookie_ack(asoc, chunk); 2060 if (!repl) 2061 goto nomem; 2062 2063 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2064 2065 if (ev) 2066 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2067 SCTP_ULPEVENT(ev)); 2068 if (ai_ev) 2069 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2070 SCTP_ULPEVENT(ai_ev)); 2071 if (auth_ev) 2072 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2073 SCTP_ULPEVENT(auth_ev)); 2074 2075 return SCTP_DISPOSITION_CONSUME; 2076 2077 nomem: 2078 if (auth_ev) 2079 sctp_ulpevent_free(auth_ev); 2080 if (ai_ev) 2081 sctp_ulpevent_free(ai_ev); 2082 if (ev) 2083 sctp_ulpevent_free(ev); 2084 return SCTP_DISPOSITION_NOMEM; 2085 } 2086 2087 /* 2088 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 2089 * chunk was retransmitted and then delayed in the network. 2090 * 2091 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 2092 * 2093 * Verification Tag: None. Do cookie validation. 2094 * 2095 * Inputs 2096 * (endpoint, asoc, chunk) 2097 * 2098 * Outputs 2099 * (asoc, reply_msg, msg_up, timers, counters) 2100 * 2101 * The return value is the disposition of the chunk. 2102 */ 2103 enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 2104 struct net *net, 2105 const struct sctp_endpoint *ep, 2106 const struct sctp_association *asoc, 2107 const union sctp_subtype type, 2108 void *arg, 2109 struct sctp_cmd_seq *commands) 2110 { 2111 struct sctp_association *new_asoc; 2112 struct sctp_chunk *chunk = arg; 2113 enum sctp_disposition retval; 2114 struct sctp_chunk *err_chk_p; 2115 int error = 0; 2116 char action; 2117 2118 /* Make sure that the chunk has a valid length from the protocol 2119 * perspective. In this case check to make sure we have at least 2120 * enough for the chunk header. Cookie length verification is 2121 * done later. 2122 */ 2123 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2124 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2125 commands); 2126 2127 /* "Decode" the chunk. We have no optional parameters so we 2128 * are in good shape. 2129 */ 2130 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2131 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2132 sizeof(struct sctp_chunkhdr))) 2133 goto nomem; 2134 2135 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2136 * of a duplicate COOKIE ECHO match the Verification Tags of the 2137 * current association, consider the State Cookie valid even if 2138 * the lifespan is exceeded. 2139 */ 2140 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2141 &err_chk_p); 2142 2143 /* FIXME: 2144 * If the re-build failed, what is the proper error path 2145 * from here? 2146 * 2147 * [We should abort the association. --piggy] 2148 */ 2149 if (!new_asoc) { 2150 /* FIXME: Several errors are possible. A bad cookie should 2151 * be silently discarded, but think about logging it too. 2152 */ 2153 switch (error) { 2154 case -SCTP_IERROR_NOMEM: 2155 goto nomem; 2156 2157 case -SCTP_IERROR_STALE_COOKIE: 2158 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2159 err_chk_p); 2160 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2161 case -SCTP_IERROR_BAD_SIG: 2162 default: 2163 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2164 } 2165 } 2166 2167 /* Update socket peer label if first association. */ 2168 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 2169 chunk->skb)) 2170 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2171 2172 /* Set temp so that it won't be added into hashtable */ 2173 new_asoc->temp = 1; 2174 2175 /* Compare the tie_tag in cookie with the verification tag of 2176 * current association. 2177 */ 2178 action = sctp_tietags_compare(new_asoc, asoc); 2179 2180 switch (action) { 2181 case 'A': /* Association restart. */ 2182 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2183 new_asoc); 2184 break; 2185 2186 case 'B': /* Collision case B. */ 2187 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2188 new_asoc); 2189 break; 2190 2191 case 'C': /* Collision case C. */ 2192 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2193 new_asoc); 2194 break; 2195 2196 case 'D': /* Collision case D. */ 2197 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2198 new_asoc); 2199 break; 2200 2201 default: /* Discard packet for all others. */ 2202 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2203 break; 2204 } 2205 2206 /* Delete the tempory new association. */ 2207 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2208 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2209 2210 /* Restore association pointer to provide SCTP command interpeter 2211 * with a valid context in case it needs to manipulate 2212 * the queues */ 2213 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2214 SCTP_ASOC((struct sctp_association *)asoc)); 2215 2216 return retval; 2217 2218 nomem: 2219 return SCTP_DISPOSITION_NOMEM; 2220 } 2221 2222 /* 2223 * Process an ABORT. (SHUTDOWN-PENDING state) 2224 * 2225 * See sctp_sf_do_9_1_abort(). 2226 */ 2227 enum sctp_disposition sctp_sf_shutdown_pending_abort( 2228 struct net *net, 2229 const struct sctp_endpoint *ep, 2230 const struct sctp_association *asoc, 2231 const union sctp_subtype type, 2232 void *arg, 2233 struct sctp_cmd_seq *commands) 2234 { 2235 struct sctp_chunk *chunk = arg; 2236 2237 if (!sctp_vtag_verify_either(chunk, asoc)) 2238 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2239 2240 /* Make sure that the ABORT chunk has a valid length. 2241 * Since this is an ABORT chunk, we have to discard it 2242 * because of the following text: 2243 * RFC 2960, Section 3.3.7 2244 * If an endpoint receives an ABORT with a format error or for an 2245 * association that doesn't exist, it MUST silently discard it. 2246 * Because the length is "invalid", we can't really discard just 2247 * as we do not know its true length. So, to be safe, discard the 2248 * packet. 2249 */ 2250 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2251 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2252 2253 /* ADD-IP: Special case for ABORT chunks 2254 * F4) One special consideration is that ABORT Chunks arriving 2255 * destined to the IP address being deleted MUST be 2256 * ignored (see Section 5.3.1 for further details). 2257 */ 2258 if (SCTP_ADDR_DEL == 2259 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2260 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2261 2262 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2263 } 2264 2265 /* 2266 * Process an ABORT. (SHUTDOWN-SENT state) 2267 * 2268 * See sctp_sf_do_9_1_abort(). 2269 */ 2270 enum sctp_disposition sctp_sf_shutdown_sent_abort( 2271 struct net *net, 2272 const struct sctp_endpoint *ep, 2273 const struct sctp_association *asoc, 2274 const union sctp_subtype type, 2275 void *arg, 2276 struct sctp_cmd_seq *commands) 2277 { 2278 struct sctp_chunk *chunk = arg; 2279 2280 if (!sctp_vtag_verify_either(chunk, asoc)) 2281 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2282 2283 /* Make sure that the ABORT chunk has a valid length. 2284 * Since this is an ABORT chunk, we have to discard it 2285 * because of the following text: 2286 * RFC 2960, Section 3.3.7 2287 * If an endpoint receives an ABORT with a format error or for an 2288 * association that doesn't exist, it MUST silently discard it. 2289 * Because the length is "invalid", we can't really discard just 2290 * as we do not know its true length. So, to be safe, discard the 2291 * packet. 2292 */ 2293 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2294 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2295 2296 /* ADD-IP: Special case for ABORT chunks 2297 * F4) One special consideration is that ABORT Chunks arriving 2298 * destined to the IP address being deleted MUST be 2299 * ignored (see Section 5.3.1 for further details). 2300 */ 2301 if (SCTP_ADDR_DEL == 2302 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2303 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2304 2305 /* Stop the T2-shutdown timer. */ 2306 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2307 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2308 2309 /* Stop the T5-shutdown guard timer. */ 2310 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2311 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2312 2313 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2314 } 2315 2316 /* 2317 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2318 * 2319 * See sctp_sf_do_9_1_abort(). 2320 */ 2321 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( 2322 struct net *net, 2323 const struct sctp_endpoint *ep, 2324 const struct sctp_association *asoc, 2325 const union sctp_subtype type, 2326 void *arg, 2327 struct sctp_cmd_seq *commands) 2328 { 2329 /* The same T2 timer, so we should be able to use 2330 * common function with the SHUTDOWN-SENT state. 2331 */ 2332 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2333 } 2334 2335 /* 2336 * Handle an Error received in COOKIE_ECHOED state. 2337 * 2338 * Only handle the error type of stale COOKIE Error, the other errors will 2339 * be ignored. 2340 * 2341 * Inputs 2342 * (endpoint, asoc, chunk) 2343 * 2344 * Outputs 2345 * (asoc, reply_msg, msg_up, timers, counters) 2346 * 2347 * The return value is the disposition of the chunk. 2348 */ 2349 enum sctp_disposition sctp_sf_cookie_echoed_err( 2350 struct net *net, 2351 const struct sctp_endpoint *ep, 2352 const struct sctp_association *asoc, 2353 const union sctp_subtype type, 2354 void *arg, 2355 struct sctp_cmd_seq *commands) 2356 { 2357 struct sctp_chunk *chunk = arg; 2358 struct sctp_errhdr *err; 2359 2360 if (!sctp_vtag_verify(chunk, asoc)) 2361 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2362 2363 /* Make sure that the ERROR chunk has a valid length. 2364 * The parameter walking depends on this as well. 2365 */ 2366 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 2367 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2368 commands); 2369 2370 /* Process the error here */ 2371 /* FUTURE FIXME: When PR-SCTP related and other optional 2372 * parms are emitted, this will have to change to handle multiple 2373 * errors. 2374 */ 2375 sctp_walk_errors(err, chunk->chunk_hdr) { 2376 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2377 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2378 arg, commands); 2379 } 2380 2381 /* It is possible to have malformed error causes, and that 2382 * will cause us to end the walk early. However, since 2383 * we are discarding the packet, there should be no adverse 2384 * affects. 2385 */ 2386 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2387 } 2388 2389 /* 2390 * Handle a Stale COOKIE Error 2391 * 2392 * Section: 5.2.6 Handle Stale COOKIE Error 2393 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2394 * one of the following three alternatives. 2395 * ... 2396 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2397 * Preservative parameter requesting an extension to the lifetime of 2398 * the State Cookie. When calculating the time extension, an 2399 * implementation SHOULD use the RTT information measured based on the 2400 * previous COOKIE ECHO / ERROR exchange, and should add no more 2401 * than 1 second beyond the measured RTT, due to long State Cookie 2402 * lifetimes making the endpoint more subject to a replay attack. 2403 * 2404 * Verification Tag: Not explicit, but safe to ignore. 2405 * 2406 * Inputs 2407 * (endpoint, asoc, chunk) 2408 * 2409 * Outputs 2410 * (asoc, reply_msg, msg_up, timers, counters) 2411 * 2412 * The return value is the disposition of the chunk. 2413 */ 2414 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 2415 struct net *net, 2416 const struct sctp_endpoint *ep, 2417 const struct sctp_association *asoc, 2418 const union sctp_subtype type, 2419 void *arg, 2420 struct sctp_cmd_seq *commands) 2421 { 2422 int attempts = asoc->init_err_counter + 1; 2423 struct sctp_chunk *chunk = arg, *reply; 2424 struct sctp_cookie_preserve_param bht; 2425 struct sctp_bind_addr *bp; 2426 struct sctp_errhdr *err; 2427 u32 stale; 2428 2429 if (attempts > asoc->max_init_attempts) { 2430 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2431 SCTP_ERROR(ETIMEDOUT)); 2432 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2433 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2434 return SCTP_DISPOSITION_DELETE_TCB; 2435 } 2436 2437 err = (struct sctp_errhdr *)(chunk->skb->data); 2438 2439 /* When calculating the time extension, an implementation 2440 * SHOULD use the RTT information measured based on the 2441 * previous COOKIE ECHO / ERROR exchange, and should add no 2442 * more than 1 second beyond the measured RTT, due to long 2443 * State Cookie lifetimes making the endpoint more subject to 2444 * a replay attack. 2445 * Measure of Staleness's unit is usec. (1/1000000 sec) 2446 * Suggested Cookie Life-span Increment's unit is msec. 2447 * (1/1000 sec) 2448 * In general, if you use the suggested cookie life, the value 2449 * found in the field of measure of staleness should be doubled 2450 * to give ample time to retransmit the new cookie and thus 2451 * yield a higher probability of success on the reattempt. 2452 */ 2453 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); 2454 stale = (stale * 2) / 1000; 2455 2456 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2457 bht.param_hdr.length = htons(sizeof(bht)); 2458 bht.lifespan_increment = htonl(stale); 2459 2460 /* Build that new INIT chunk. */ 2461 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2462 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2463 if (!reply) 2464 goto nomem; 2465 2466 sctp_addto_chunk(reply, sizeof(bht), &bht); 2467 2468 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2469 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2470 2471 /* Stop pending T3-rtx and heartbeat timers */ 2472 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2473 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2474 2475 /* Delete non-primary peer ip addresses since we are transitioning 2476 * back to the COOKIE-WAIT state 2477 */ 2478 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2479 2480 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2481 * resend 2482 */ 2483 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2484 SCTP_TRANSPORT(asoc->peer.primary_path)); 2485 2486 /* Cast away the const modifier, as we want to just 2487 * rerun it through as a sideffect. 2488 */ 2489 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2490 2491 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2492 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2493 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2494 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2495 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2496 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2497 2498 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2499 2500 return SCTP_DISPOSITION_CONSUME; 2501 2502 nomem: 2503 return SCTP_DISPOSITION_NOMEM; 2504 } 2505 2506 /* 2507 * Process an ABORT. 2508 * 2509 * Section: 9.1 2510 * After checking the Verification Tag, the receiving endpoint shall 2511 * remove the association from its record, and shall report the 2512 * termination to its upper layer. 2513 * 2514 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2515 * B) Rules for packet carrying ABORT: 2516 * 2517 * - The endpoint shall always fill in the Verification Tag field of the 2518 * outbound packet with the destination endpoint's tag value if it 2519 * is known. 2520 * 2521 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2522 * MUST follow the procedure described in Section 8.4. 2523 * 2524 * - The receiver MUST accept the packet if the Verification Tag 2525 * matches either its own tag, OR the tag of its peer. Otherwise, the 2526 * receiver MUST silently discard the packet and take no further 2527 * action. 2528 * 2529 * Inputs 2530 * (endpoint, asoc, chunk) 2531 * 2532 * Outputs 2533 * (asoc, reply_msg, msg_up, timers, counters) 2534 * 2535 * The return value is the disposition of the chunk. 2536 */ 2537 enum sctp_disposition sctp_sf_do_9_1_abort( 2538 struct net *net, 2539 const struct sctp_endpoint *ep, 2540 const struct sctp_association *asoc, 2541 const union sctp_subtype type, 2542 void *arg, 2543 struct sctp_cmd_seq *commands) 2544 { 2545 struct sctp_chunk *chunk = arg; 2546 2547 if (!sctp_vtag_verify_either(chunk, asoc)) 2548 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2549 2550 /* Make sure that the ABORT chunk has a valid length. 2551 * Since this is an ABORT chunk, we have to discard it 2552 * because of the following text: 2553 * RFC 2960, Section 3.3.7 2554 * If an endpoint receives an ABORT with a format error or for an 2555 * association that doesn't exist, it MUST silently discard it. 2556 * Because the length is "invalid", we can't really discard just 2557 * as we do not know its true length. So, to be safe, discard the 2558 * packet. 2559 */ 2560 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2561 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2562 2563 /* ADD-IP: Special case for ABORT chunks 2564 * F4) One special consideration is that ABORT Chunks arriving 2565 * destined to the IP address being deleted MUST be 2566 * ignored (see Section 5.3.1 for further details). 2567 */ 2568 if (SCTP_ADDR_DEL == 2569 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2570 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2571 2572 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2573 } 2574 2575 static enum sctp_disposition __sctp_sf_do_9_1_abort( 2576 struct net *net, 2577 const struct sctp_endpoint *ep, 2578 const struct sctp_association *asoc, 2579 const union sctp_subtype type, 2580 void *arg, 2581 struct sctp_cmd_seq *commands) 2582 { 2583 __be16 error = SCTP_ERROR_NO_ERROR; 2584 struct sctp_chunk *chunk = arg; 2585 unsigned int len; 2586 2587 /* See if we have an error cause code in the chunk. */ 2588 len = ntohs(chunk->chunk_hdr->length); 2589 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { 2590 struct sctp_errhdr *err; 2591 2592 sctp_walk_errors(err, chunk->chunk_hdr); 2593 if ((void *)err != (void *)chunk->chunk_end) 2594 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 2595 commands); 2596 2597 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2598 } 2599 2600 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2601 /* ASSOC_FAILED will DELETE_TCB. */ 2602 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2603 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2604 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2605 2606 return SCTP_DISPOSITION_ABORT; 2607 } 2608 2609 /* 2610 * Process an ABORT. (COOKIE-WAIT state) 2611 * 2612 * See sctp_sf_do_9_1_abort() above. 2613 */ 2614 enum sctp_disposition sctp_sf_cookie_wait_abort( 2615 struct net *net, 2616 const struct sctp_endpoint *ep, 2617 const struct sctp_association *asoc, 2618 const union sctp_subtype type, 2619 void *arg, 2620 struct sctp_cmd_seq *commands) 2621 { 2622 __be16 error = SCTP_ERROR_NO_ERROR; 2623 struct sctp_chunk *chunk = arg; 2624 unsigned int len; 2625 2626 if (!sctp_vtag_verify_either(chunk, asoc)) 2627 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2628 2629 /* Make sure that the ABORT chunk has a valid length. 2630 * Since this is an ABORT chunk, we have to discard it 2631 * because of the following text: 2632 * RFC 2960, Section 3.3.7 2633 * If an endpoint receives an ABORT with a format error or for an 2634 * association that doesn't exist, it MUST silently discard it. 2635 * Because the length is "invalid", we can't really discard just 2636 * as we do not know its true length. So, to be safe, discard the 2637 * packet. 2638 */ 2639 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2640 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2641 2642 /* See if we have an error cause code in the chunk. */ 2643 len = ntohs(chunk->chunk_hdr->length); 2644 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2645 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2646 2647 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2648 chunk->transport); 2649 } 2650 2651 /* 2652 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2653 */ 2654 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( 2655 struct net *net, 2656 const struct sctp_endpoint *ep, 2657 const struct sctp_association *asoc, 2658 const union sctp_subtype type, 2659 void *arg, 2660 struct sctp_cmd_seq *commands) 2661 { 2662 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2663 ENOPROTOOPT, asoc, 2664 (struct sctp_transport *)arg); 2665 } 2666 2667 /* 2668 * Process an ABORT. (COOKIE-ECHOED state) 2669 */ 2670 enum sctp_disposition sctp_sf_cookie_echoed_abort( 2671 struct net *net, 2672 const struct sctp_endpoint *ep, 2673 const struct sctp_association *asoc, 2674 const union sctp_subtype type, 2675 void *arg, 2676 struct sctp_cmd_seq *commands) 2677 { 2678 /* There is a single T1 timer, so we should be able to use 2679 * common function with the COOKIE-WAIT state. 2680 */ 2681 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2682 } 2683 2684 /* 2685 * Stop T1 timer and abort association with "INIT failed". 2686 * 2687 * This is common code called by several sctp_sf_*_abort() functions above. 2688 */ 2689 static enum sctp_disposition sctp_stop_t1_and_abort( 2690 struct net *net, 2691 struct sctp_cmd_seq *commands, 2692 __be16 error, int sk_err, 2693 const struct sctp_association *asoc, 2694 struct sctp_transport *transport) 2695 { 2696 pr_debug("%s: ABORT received (INIT)\n", __func__); 2697 2698 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2699 SCTP_STATE(SCTP_STATE_CLOSED)); 2700 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2701 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2702 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2703 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2704 /* CMD_INIT_FAILED will DELETE_TCB. */ 2705 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2706 SCTP_PERR(error)); 2707 2708 return SCTP_DISPOSITION_ABORT; 2709 } 2710 2711 /* 2712 * sctp_sf_do_9_2_shut 2713 * 2714 * Section: 9.2 2715 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2716 * - enter the SHUTDOWN-RECEIVED state, 2717 * 2718 * - stop accepting new data from its SCTP user 2719 * 2720 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2721 * that all its outstanding DATA chunks have been received by the 2722 * SHUTDOWN sender. 2723 * 2724 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2725 * send a SHUTDOWN in response to a ULP request. And should discard 2726 * subsequent SHUTDOWN chunks. 2727 * 2728 * If there are still outstanding DATA chunks left, the SHUTDOWN 2729 * receiver shall continue to follow normal data transmission 2730 * procedures defined in Section 6 until all outstanding DATA chunks 2731 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2732 * new data from its SCTP user. 2733 * 2734 * Verification Tag: 8.5 Verification Tag [Normal verification] 2735 * 2736 * Inputs 2737 * (endpoint, asoc, chunk) 2738 * 2739 * Outputs 2740 * (asoc, reply_msg, msg_up, timers, counters) 2741 * 2742 * The return value is the disposition of the chunk. 2743 */ 2744 enum sctp_disposition sctp_sf_do_9_2_shutdown( 2745 struct net *net, 2746 const struct sctp_endpoint *ep, 2747 const struct sctp_association *asoc, 2748 const union sctp_subtype type, 2749 void *arg, 2750 struct sctp_cmd_seq *commands) 2751 { 2752 enum sctp_disposition disposition; 2753 struct sctp_chunk *chunk = arg; 2754 struct sctp_shutdownhdr *sdh; 2755 struct sctp_ulpevent *ev; 2756 __u32 ctsn; 2757 2758 if (!sctp_vtag_verify(chunk, asoc)) 2759 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2760 2761 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2762 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2763 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2764 commands); 2765 2766 /* Convert the elaborate header. */ 2767 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2768 skb_pull(chunk->skb, sizeof(*sdh)); 2769 chunk->subh.shutdown_hdr = sdh; 2770 ctsn = ntohl(sdh->cum_tsn_ack); 2771 2772 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2773 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2774 asoc->ctsn_ack_point); 2775 2776 return SCTP_DISPOSITION_DISCARD; 2777 } 2778 2779 /* If Cumulative TSN Ack beyond the max tsn currently 2780 * send, terminating the association and respond to the 2781 * sender with an ABORT. 2782 */ 2783 if (!TSN_lt(ctsn, asoc->next_tsn)) 2784 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2785 2786 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2787 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2788 * inform the application that it should cease sending data. 2789 */ 2790 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2791 if (!ev) { 2792 disposition = SCTP_DISPOSITION_NOMEM; 2793 goto out; 2794 } 2795 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2796 2797 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2798 * - enter the SHUTDOWN-RECEIVED state, 2799 * - stop accepting new data from its SCTP user 2800 * 2801 * [This is implicit in the new state.] 2802 */ 2803 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2804 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2805 disposition = SCTP_DISPOSITION_CONSUME; 2806 2807 if (sctp_outq_is_empty(&asoc->outqueue)) { 2808 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2809 arg, commands); 2810 } 2811 2812 if (SCTP_DISPOSITION_NOMEM == disposition) 2813 goto out; 2814 2815 /* - verify, by checking the Cumulative TSN Ack field of the 2816 * chunk, that all its outstanding DATA chunks have been 2817 * received by the SHUTDOWN sender. 2818 */ 2819 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2820 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2821 2822 out: 2823 return disposition; 2824 } 2825 2826 /* 2827 * sctp_sf_do_9_2_shut_ctsn 2828 * 2829 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2830 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2831 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2832 * MUST be processed. 2833 */ 2834 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( 2835 struct net *net, 2836 const struct sctp_endpoint *ep, 2837 const struct sctp_association *asoc, 2838 const union sctp_subtype type, 2839 void *arg, 2840 struct sctp_cmd_seq *commands) 2841 { 2842 struct sctp_chunk *chunk = arg; 2843 struct sctp_shutdownhdr *sdh; 2844 __u32 ctsn; 2845 2846 if (!sctp_vtag_verify(chunk, asoc)) 2847 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2848 2849 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2850 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2851 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2852 commands); 2853 2854 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2855 ctsn = ntohl(sdh->cum_tsn_ack); 2856 2857 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2858 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2859 asoc->ctsn_ack_point); 2860 2861 return SCTP_DISPOSITION_DISCARD; 2862 } 2863 2864 /* If Cumulative TSN Ack beyond the max tsn currently 2865 * send, terminating the association and respond to the 2866 * sender with an ABORT. 2867 */ 2868 if (!TSN_lt(ctsn, asoc->next_tsn)) 2869 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2870 2871 /* verify, by checking the Cumulative TSN Ack field of the 2872 * chunk, that all its outstanding DATA chunks have been 2873 * received by the SHUTDOWN sender. 2874 */ 2875 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2876 SCTP_BE32(sdh->cum_tsn_ack)); 2877 2878 return SCTP_DISPOSITION_CONSUME; 2879 } 2880 2881 /* RFC 2960 9.2 2882 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2883 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2884 * transport addresses (either in the IP addresses or in the INIT chunk) 2885 * that belong to this association, it should discard the INIT chunk and 2886 * retransmit the SHUTDOWN ACK chunk. 2887 */ 2888 enum sctp_disposition sctp_sf_do_9_2_reshutack( 2889 struct net *net, 2890 const struct sctp_endpoint *ep, 2891 const struct sctp_association *asoc, 2892 const union sctp_subtype type, 2893 void *arg, 2894 struct sctp_cmd_seq *commands) 2895 { 2896 struct sctp_chunk *chunk = arg; 2897 struct sctp_chunk *reply; 2898 2899 /* Make sure that the chunk has a valid length */ 2900 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2901 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2902 commands); 2903 2904 /* Since we are not going to really process this INIT, there 2905 * is no point in verifying chunk boundries. Just generate 2906 * the SHUTDOWN ACK. 2907 */ 2908 reply = sctp_make_shutdown_ack(asoc, chunk); 2909 if (NULL == reply) 2910 goto nomem; 2911 2912 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2913 * the T2-SHUTDOWN timer. 2914 */ 2915 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2916 2917 /* and restart the T2-shutdown timer. */ 2918 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2919 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2920 2921 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2922 2923 return SCTP_DISPOSITION_CONSUME; 2924 nomem: 2925 return SCTP_DISPOSITION_NOMEM; 2926 } 2927 2928 /* 2929 * sctp_sf_do_ecn_cwr 2930 * 2931 * Section: Appendix A: Explicit Congestion Notification 2932 * 2933 * CWR: 2934 * 2935 * RFC 2481 details a specific bit for a sender to send in the header of 2936 * its next outbound TCP segment to indicate to its peer that it has 2937 * reduced its congestion window. This is termed the CWR bit. For 2938 * SCTP the same indication is made by including the CWR chunk. 2939 * This chunk contains one data element, i.e. the TSN number that 2940 * was sent in the ECNE chunk. This element represents the lowest 2941 * TSN number in the datagram that was originally marked with the 2942 * CE bit. 2943 * 2944 * Verification Tag: 8.5 Verification Tag [Normal verification] 2945 * Inputs 2946 * (endpoint, asoc, chunk) 2947 * 2948 * Outputs 2949 * (asoc, reply_msg, msg_up, timers, counters) 2950 * 2951 * The return value is the disposition of the chunk. 2952 */ 2953 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, 2954 const struct sctp_endpoint *ep, 2955 const struct sctp_association *asoc, 2956 const union sctp_subtype type, 2957 void *arg, 2958 struct sctp_cmd_seq *commands) 2959 { 2960 struct sctp_chunk *chunk = arg; 2961 struct sctp_cwrhdr *cwr; 2962 u32 lowest_tsn; 2963 2964 if (!sctp_vtag_verify(chunk, asoc)) 2965 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2966 2967 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 2968 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2969 commands); 2970 2971 cwr = (struct sctp_cwrhdr *)chunk->skb->data; 2972 skb_pull(chunk->skb, sizeof(*cwr)); 2973 2974 lowest_tsn = ntohl(cwr->lowest_tsn); 2975 2976 /* Does this CWR ack the last sent congestion notification? */ 2977 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2978 /* Stop sending ECNE. */ 2979 sctp_add_cmd_sf(commands, 2980 SCTP_CMD_ECN_CWR, 2981 SCTP_U32(lowest_tsn)); 2982 } 2983 return SCTP_DISPOSITION_CONSUME; 2984 } 2985 2986 /* 2987 * sctp_sf_do_ecne 2988 * 2989 * Section: Appendix A: Explicit Congestion Notification 2990 * 2991 * ECN-Echo 2992 * 2993 * RFC 2481 details a specific bit for a receiver to send back in its 2994 * TCP acknowledgements to notify the sender of the Congestion 2995 * Experienced (CE) bit having arrived from the network. For SCTP this 2996 * same indication is made by including the ECNE chunk. This chunk 2997 * contains one data element, i.e. the lowest TSN associated with the IP 2998 * datagram marked with the CE bit..... 2999 * 3000 * Verification Tag: 8.5 Verification Tag [Normal verification] 3001 * Inputs 3002 * (endpoint, asoc, chunk) 3003 * 3004 * Outputs 3005 * (asoc, reply_msg, msg_up, timers, counters) 3006 * 3007 * The return value is the disposition of the chunk. 3008 */ 3009 enum sctp_disposition sctp_sf_do_ecne(struct net *net, 3010 const struct sctp_endpoint *ep, 3011 const struct sctp_association *asoc, 3012 const union sctp_subtype type, 3013 void *arg, struct sctp_cmd_seq *commands) 3014 { 3015 struct sctp_chunk *chunk = arg; 3016 struct sctp_ecnehdr *ecne; 3017 3018 if (!sctp_vtag_verify(chunk, asoc)) 3019 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3020 3021 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3022 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3023 commands); 3024 3025 ecne = (struct sctp_ecnehdr *)chunk->skb->data; 3026 skb_pull(chunk->skb, sizeof(*ecne)); 3027 3028 /* If this is a newer ECNE than the last CWR packet we sent out */ 3029 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 3030 SCTP_U32(ntohl(ecne->lowest_tsn))); 3031 3032 return SCTP_DISPOSITION_CONSUME; 3033 } 3034 3035 /* 3036 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 3037 * 3038 * The SCTP endpoint MUST always acknowledge the reception of each valid 3039 * DATA chunk. 3040 * 3041 * The guidelines on delayed acknowledgement algorithm specified in 3042 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 3043 * acknowledgement SHOULD be generated for at least every second packet 3044 * (not every second DATA chunk) received, and SHOULD be generated within 3045 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 3046 * situations it may be beneficial for an SCTP transmitter to be more 3047 * conservative than the algorithms detailed in this document allow. 3048 * However, an SCTP transmitter MUST NOT be more aggressive than the 3049 * following algorithms allow. 3050 * 3051 * A SCTP receiver MUST NOT generate more than one SACK for every 3052 * incoming packet, other than to update the offered window as the 3053 * receiving application consumes new data. 3054 * 3055 * Verification Tag: 8.5 Verification Tag [Normal verification] 3056 * 3057 * Inputs 3058 * (endpoint, asoc, chunk) 3059 * 3060 * Outputs 3061 * (asoc, reply_msg, msg_up, timers, counters) 3062 * 3063 * The return value is the disposition of the chunk. 3064 */ 3065 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, 3066 const struct sctp_endpoint *ep, 3067 const struct sctp_association *asoc, 3068 const union sctp_subtype type, 3069 void *arg, 3070 struct sctp_cmd_seq *commands) 3071 { 3072 union sctp_arg force = SCTP_NOFORCE(); 3073 struct sctp_chunk *chunk = arg; 3074 int error; 3075 3076 if (!sctp_vtag_verify(chunk, asoc)) { 3077 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3078 SCTP_NULL()); 3079 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3080 } 3081 3082 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3083 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3084 commands); 3085 3086 error = sctp_eat_data(asoc, chunk, commands); 3087 switch (error) { 3088 case SCTP_IERROR_NO_ERROR: 3089 break; 3090 case SCTP_IERROR_HIGH_TSN: 3091 case SCTP_IERROR_BAD_STREAM: 3092 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3093 goto discard_noforce; 3094 case SCTP_IERROR_DUP_TSN: 3095 case SCTP_IERROR_IGNORE_TSN: 3096 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3097 goto discard_force; 3098 case SCTP_IERROR_NO_DATA: 3099 return SCTP_DISPOSITION_ABORT; 3100 case SCTP_IERROR_PROTO_VIOLATION: 3101 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3102 (u8 *)chunk->subh.data_hdr, 3103 sctp_datahdr_len(&asoc->stream)); 3104 default: 3105 BUG(); 3106 } 3107 3108 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 3109 force = SCTP_FORCE(); 3110 3111 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3112 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3113 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3114 } 3115 3116 /* If this is the last chunk in a packet, we need to count it 3117 * toward sack generation. Note that we need to SACK every 3118 * OTHER packet containing data chunks, EVEN IF WE DISCARD 3119 * THEM. We elect to NOT generate SACK's if the chunk fails 3120 * the verification tag test. 3121 * 3122 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3123 * 3124 * The SCTP endpoint MUST always acknowledge the reception of 3125 * each valid DATA chunk. 3126 * 3127 * The guidelines on delayed acknowledgement algorithm 3128 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3129 * Specifically, an acknowledgement SHOULD be generated for at 3130 * least every second packet (not every second DATA chunk) 3131 * received, and SHOULD be generated within 200 ms of the 3132 * arrival of any unacknowledged DATA chunk. In some 3133 * situations it may be beneficial for an SCTP transmitter to 3134 * be more conservative than the algorithms detailed in this 3135 * document allow. However, an SCTP transmitter MUST NOT be 3136 * more aggressive than the following algorithms allow. 3137 */ 3138 if (chunk->end_of_packet) 3139 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3140 3141 return SCTP_DISPOSITION_CONSUME; 3142 3143 discard_force: 3144 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3145 * 3146 * When a packet arrives with duplicate DATA chunk(s) and with 3147 * no new DATA chunk(s), the endpoint MUST immediately send a 3148 * SACK with no delay. If a packet arrives with duplicate 3149 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3150 * MAY immediately send a SACK. Normally receipt of duplicate 3151 * DATA chunks will occur when the original SACK chunk was lost 3152 * and the peer's RTO has expired. The duplicate TSN number(s) 3153 * SHOULD be reported in the SACK as duplicate. 3154 */ 3155 /* In our case, we split the MAY SACK advice up whether or not 3156 * the last chunk is a duplicate.' 3157 */ 3158 if (chunk->end_of_packet) 3159 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3160 return SCTP_DISPOSITION_DISCARD; 3161 3162 discard_noforce: 3163 if (chunk->end_of_packet) 3164 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3165 3166 return SCTP_DISPOSITION_DISCARD; 3167 } 3168 3169 /* 3170 * sctp_sf_eat_data_fast_4_4 3171 * 3172 * Section: 4 (4) 3173 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3174 * DATA chunks without delay. 3175 * 3176 * Verification Tag: 8.5 Verification Tag [Normal verification] 3177 * Inputs 3178 * (endpoint, asoc, chunk) 3179 * 3180 * Outputs 3181 * (asoc, reply_msg, msg_up, timers, counters) 3182 * 3183 * The return value is the disposition of the chunk. 3184 */ 3185 enum sctp_disposition sctp_sf_eat_data_fast_4_4( 3186 struct net *net, 3187 const struct sctp_endpoint *ep, 3188 const struct sctp_association *asoc, 3189 const union sctp_subtype type, 3190 void *arg, 3191 struct sctp_cmd_seq *commands) 3192 { 3193 struct sctp_chunk *chunk = arg; 3194 int error; 3195 3196 if (!sctp_vtag_verify(chunk, asoc)) { 3197 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3198 SCTP_NULL()); 3199 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3200 } 3201 3202 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3203 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3204 commands); 3205 3206 error = sctp_eat_data(asoc, chunk, commands); 3207 switch (error) { 3208 case SCTP_IERROR_NO_ERROR: 3209 case SCTP_IERROR_HIGH_TSN: 3210 case SCTP_IERROR_DUP_TSN: 3211 case SCTP_IERROR_IGNORE_TSN: 3212 case SCTP_IERROR_BAD_STREAM: 3213 break; 3214 case SCTP_IERROR_NO_DATA: 3215 return SCTP_DISPOSITION_ABORT; 3216 case SCTP_IERROR_PROTO_VIOLATION: 3217 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3218 (u8 *)chunk->subh.data_hdr, 3219 sctp_datahdr_len(&asoc->stream)); 3220 default: 3221 BUG(); 3222 } 3223 3224 /* Go a head and force a SACK, since we are shutting down. */ 3225 3226 /* Implementor's Guide. 3227 * 3228 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3229 * respond to each received packet containing one or more DATA chunk(s) 3230 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3231 */ 3232 if (chunk->end_of_packet) { 3233 /* We must delay the chunk creation since the cumulative 3234 * TSN has not been updated yet. 3235 */ 3236 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3237 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3238 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3239 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3240 } 3241 3242 return SCTP_DISPOSITION_CONSUME; 3243 } 3244 3245 /* 3246 * Section: 6.2 Processing a Received SACK 3247 * D) Any time a SACK arrives, the endpoint performs the following: 3248 * 3249 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3250 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3251 * increasing, a SACK whose Cumulative TSN Ack is less than the 3252 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3253 * 3254 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3255 * of bytes still outstanding after processing the Cumulative TSN Ack 3256 * and the Gap Ack Blocks. 3257 * 3258 * iii) If the SACK is missing a TSN that was previously 3259 * acknowledged via a Gap Ack Block (e.g., the data receiver 3260 * reneged on the data), then mark the corresponding DATA chunk 3261 * as available for retransmit: Mark it as missing for fast 3262 * retransmit as described in Section 7.2.4 and if no retransmit 3263 * timer is running for the destination address to which the DATA 3264 * chunk was originally transmitted, then T3-rtx is started for 3265 * that destination address. 3266 * 3267 * Verification Tag: 8.5 Verification Tag [Normal verification] 3268 * 3269 * Inputs 3270 * (endpoint, asoc, chunk) 3271 * 3272 * Outputs 3273 * (asoc, reply_msg, msg_up, timers, counters) 3274 * 3275 * The return value is the disposition of the chunk. 3276 */ 3277 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net, 3278 const struct sctp_endpoint *ep, 3279 const struct sctp_association *asoc, 3280 const union sctp_subtype type, 3281 void *arg, 3282 struct sctp_cmd_seq *commands) 3283 { 3284 struct sctp_chunk *chunk = arg; 3285 struct sctp_sackhdr *sackh; 3286 __u32 ctsn; 3287 3288 trace_sctp_probe(ep, asoc, chunk); 3289 3290 if (!sctp_vtag_verify(chunk, asoc)) 3291 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3292 3293 /* Make sure that the SACK chunk has a valid length. */ 3294 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk))) 3295 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3296 commands); 3297 3298 /* Pull the SACK chunk from the data buffer */ 3299 sackh = sctp_sm_pull_sack(chunk); 3300 /* Was this a bogus SACK? */ 3301 if (!sackh) 3302 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3303 chunk->subh.sack_hdr = sackh; 3304 ctsn = ntohl(sackh->cum_tsn_ack); 3305 3306 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3307 * Ack Point, then drop the SACK. Since Cumulative TSN 3308 * Ack is monotonically increasing, a SACK whose 3309 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3310 * Point indicates an out-of-order SACK. 3311 */ 3312 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3313 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3314 asoc->ctsn_ack_point); 3315 3316 return SCTP_DISPOSITION_DISCARD; 3317 } 3318 3319 /* If Cumulative TSN Ack beyond the max tsn currently 3320 * send, terminating the association and respond to the 3321 * sender with an ABORT. 3322 */ 3323 if (!TSN_lt(ctsn, asoc->next_tsn)) 3324 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3325 3326 /* Return this SACK for further processing. */ 3327 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3328 3329 /* Note: We do the rest of the work on the PROCESS_SACK 3330 * sideeffect. 3331 */ 3332 return SCTP_DISPOSITION_CONSUME; 3333 } 3334 3335 /* 3336 * Generate an ABORT in response to a packet. 3337 * 3338 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3339 * 3340 * 8) The receiver should respond to the sender of the OOTB packet with 3341 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3342 * MUST fill in the Verification Tag field of the outbound packet 3343 * with the value found in the Verification Tag field of the OOTB 3344 * packet and set the T-bit in the Chunk Flags to indicate that the 3345 * Verification Tag is reflected. After sending this ABORT, the 3346 * receiver of the OOTB packet shall discard the OOTB packet and take 3347 * no further action. 3348 * 3349 * Verification Tag: 3350 * 3351 * The return value is the disposition of the chunk. 3352 */ 3353 static enum sctp_disposition sctp_sf_tabort_8_4_8( 3354 struct net *net, 3355 const struct sctp_endpoint *ep, 3356 const struct sctp_association *asoc, 3357 const union sctp_subtype type, 3358 void *arg, 3359 struct sctp_cmd_seq *commands) 3360 { 3361 struct sctp_packet *packet = NULL; 3362 struct sctp_chunk *chunk = arg; 3363 struct sctp_chunk *abort; 3364 3365 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3366 if (!packet) 3367 return SCTP_DISPOSITION_NOMEM; 3368 3369 /* Make an ABORT. The T bit will be set if the asoc 3370 * is NULL. 3371 */ 3372 abort = sctp_make_abort(asoc, chunk, 0); 3373 if (!abort) { 3374 sctp_ootb_pkt_free(packet); 3375 return SCTP_DISPOSITION_NOMEM; 3376 } 3377 3378 /* Reflect vtag if T-Bit is set */ 3379 if (sctp_test_T_bit(abort)) 3380 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3381 3382 /* Set the skb to the belonging sock for accounting. */ 3383 abort->skb->sk = ep->base.sk; 3384 3385 sctp_packet_append_chunk(packet, abort); 3386 3387 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3388 SCTP_PACKET(packet)); 3389 3390 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3391 3392 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3393 return SCTP_DISPOSITION_CONSUME; 3394 } 3395 3396 /* 3397 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3398 * event as ULP notification for each cause included in the chunk. 3399 * 3400 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3401 * 3402 * The return value is the disposition of the chunk. 3403 */ 3404 enum sctp_disposition sctp_sf_operr_notify(struct net *net, 3405 const struct sctp_endpoint *ep, 3406 const struct sctp_association *asoc, 3407 const union sctp_subtype type, 3408 void *arg, 3409 struct sctp_cmd_seq *commands) 3410 { 3411 struct sctp_chunk *chunk = arg; 3412 struct sctp_errhdr *err; 3413 3414 if (!sctp_vtag_verify(chunk, asoc)) 3415 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3416 3417 /* Make sure that the ERROR chunk has a valid length. */ 3418 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 3419 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3420 commands); 3421 sctp_walk_errors(err, chunk->chunk_hdr); 3422 if ((void *)err != (void *)chunk->chunk_end) 3423 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3424 (void *)err, commands); 3425 3426 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3427 SCTP_CHUNK(chunk)); 3428 3429 return SCTP_DISPOSITION_CONSUME; 3430 } 3431 3432 /* 3433 * Process an inbound SHUTDOWN ACK. 3434 * 3435 * From Section 9.2: 3436 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3437 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3438 * peer, and remove all record of the association. 3439 * 3440 * The return value is the disposition. 3441 */ 3442 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, 3443 const struct sctp_endpoint *ep, 3444 const struct sctp_association *asoc, 3445 const union sctp_subtype type, 3446 void *arg, 3447 struct sctp_cmd_seq *commands) 3448 { 3449 struct sctp_chunk *chunk = arg; 3450 struct sctp_chunk *reply; 3451 struct sctp_ulpevent *ev; 3452 3453 if (!sctp_vtag_verify(chunk, asoc)) 3454 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3455 3456 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3457 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3458 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3459 commands); 3460 /* 10.2 H) SHUTDOWN COMPLETE notification 3461 * 3462 * When SCTP completes the shutdown procedures (section 9.2) this 3463 * notification is passed to the upper layer. 3464 */ 3465 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3466 0, 0, 0, NULL, GFP_ATOMIC); 3467 if (!ev) 3468 goto nomem; 3469 3470 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3471 reply = sctp_make_shutdown_complete(asoc, chunk); 3472 if (!reply) 3473 goto nomem_chunk; 3474 3475 /* Do all the commands now (after allocation), so that we 3476 * have consistent state if memory allocation failes 3477 */ 3478 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3479 3480 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3481 * stop the T2-shutdown timer, 3482 */ 3483 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3484 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3485 3486 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3487 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3488 3489 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3490 SCTP_STATE(SCTP_STATE_CLOSED)); 3491 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3492 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3493 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3494 3495 /* ...and remove all record of the association. */ 3496 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3497 return SCTP_DISPOSITION_DELETE_TCB; 3498 3499 nomem_chunk: 3500 sctp_ulpevent_free(ev); 3501 nomem: 3502 return SCTP_DISPOSITION_NOMEM; 3503 } 3504 3505 /* 3506 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3507 * 3508 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3509 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3510 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3511 * packet must fill in the Verification Tag field of the outbound 3512 * packet with the Verification Tag received in the SHUTDOWN ACK and 3513 * set the T-bit in the Chunk Flags to indicate that the Verification 3514 * Tag is reflected. 3515 * 3516 * 8) The receiver should respond to the sender of the OOTB packet with 3517 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3518 * MUST fill in the Verification Tag field of the outbound packet 3519 * with the value found in the Verification Tag field of the OOTB 3520 * packet and set the T-bit in the Chunk Flags to indicate that the 3521 * Verification Tag is reflected. After sending this ABORT, the 3522 * receiver of the OOTB packet shall discard the OOTB packet and take 3523 * no further action. 3524 */ 3525 enum sctp_disposition sctp_sf_ootb(struct net *net, 3526 const struct sctp_endpoint *ep, 3527 const struct sctp_association *asoc, 3528 const union sctp_subtype type, 3529 void *arg, struct sctp_cmd_seq *commands) 3530 { 3531 struct sctp_chunk *chunk = arg; 3532 struct sk_buff *skb = chunk->skb; 3533 struct sctp_chunkhdr *ch; 3534 struct sctp_errhdr *err; 3535 int ootb_cookie_ack = 0; 3536 int ootb_shut_ack = 0; 3537 __u8 *ch_end; 3538 3539 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3540 3541 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; 3542 do { 3543 /* Report violation if the chunk is less then minimal */ 3544 if (ntohs(ch->length) < sizeof(*ch)) 3545 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3546 commands); 3547 3548 /* Report violation if chunk len overflows */ 3549 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); 3550 if (ch_end > skb_tail_pointer(skb)) 3551 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3552 commands); 3553 3554 /* Now that we know we at least have a chunk header, 3555 * do things that are type appropriate. 3556 */ 3557 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3558 ootb_shut_ack = 1; 3559 3560 /* RFC 2960, Section 3.3.7 3561 * Moreover, under any circumstances, an endpoint that 3562 * receives an ABORT MUST NOT respond to that ABORT by 3563 * sending an ABORT of its own. 3564 */ 3565 if (SCTP_CID_ABORT == ch->type) 3566 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3567 3568 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3569 * or a COOKIE ACK the SCTP Packet should be silently 3570 * discarded. 3571 */ 3572 3573 if (SCTP_CID_COOKIE_ACK == ch->type) 3574 ootb_cookie_ack = 1; 3575 3576 if (SCTP_CID_ERROR == ch->type) { 3577 sctp_walk_errors(err, ch) { 3578 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3579 ootb_cookie_ack = 1; 3580 break; 3581 } 3582 } 3583 } 3584 3585 ch = (struct sctp_chunkhdr *)ch_end; 3586 } while (ch_end < skb_tail_pointer(skb)); 3587 3588 if (ootb_shut_ack) 3589 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3590 else if (ootb_cookie_ack) 3591 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3592 else 3593 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3594 } 3595 3596 /* 3597 * Handle an "Out of the blue" SHUTDOWN ACK. 3598 * 3599 * Section: 8.4 5, sctpimpguide 2.41. 3600 * 3601 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3602 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3603 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3604 * packet must fill in the Verification Tag field of the outbound 3605 * packet with the Verification Tag received in the SHUTDOWN ACK and 3606 * set the T-bit in the Chunk Flags to indicate that the Verification 3607 * Tag is reflected. 3608 * 3609 * Inputs 3610 * (endpoint, asoc, type, arg, commands) 3611 * 3612 * Outputs 3613 * (enum sctp_disposition) 3614 * 3615 * The return value is the disposition of the chunk. 3616 */ 3617 static enum sctp_disposition sctp_sf_shut_8_4_5( 3618 struct net *net, 3619 const struct sctp_endpoint *ep, 3620 const struct sctp_association *asoc, 3621 const union sctp_subtype type, 3622 void *arg, 3623 struct sctp_cmd_seq *commands) 3624 { 3625 struct sctp_packet *packet = NULL; 3626 struct sctp_chunk *chunk = arg; 3627 struct sctp_chunk *shut; 3628 3629 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3630 if (!packet) 3631 return SCTP_DISPOSITION_NOMEM; 3632 3633 /* Make an SHUTDOWN_COMPLETE. 3634 * The T bit will be set if the asoc is NULL. 3635 */ 3636 shut = sctp_make_shutdown_complete(asoc, chunk); 3637 if (!shut) { 3638 sctp_ootb_pkt_free(packet); 3639 return SCTP_DISPOSITION_NOMEM; 3640 } 3641 3642 /* Reflect vtag if T-Bit is set */ 3643 if (sctp_test_T_bit(shut)) 3644 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3645 3646 /* Set the skb to the belonging sock for accounting. */ 3647 shut->skb->sk = ep->base.sk; 3648 3649 sctp_packet_append_chunk(packet, shut); 3650 3651 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3652 SCTP_PACKET(packet)); 3653 3654 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3655 3656 /* If the chunk length is invalid, we don't want to process 3657 * the reset of the packet. 3658 */ 3659 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3660 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3661 3662 /* We need to discard the rest of the packet to prevent 3663 * potential bomming attacks from additional bundled chunks. 3664 * This is documented in SCTP Threats ID. 3665 */ 3666 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3667 } 3668 3669 /* 3670 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3671 * 3672 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3673 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3674 * procedures in section 8.4 SHOULD be followed, in other words it 3675 * should be treated as an Out Of The Blue packet. 3676 * [This means that we do NOT check the Verification Tag on these 3677 * chunks. --piggy ] 3678 * 3679 */ 3680 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, 3681 const struct sctp_endpoint *ep, 3682 const struct sctp_association *asoc, 3683 const union sctp_subtype type, 3684 void *arg, 3685 struct sctp_cmd_seq *commands) 3686 { 3687 struct sctp_chunk *chunk = arg; 3688 3689 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3690 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3691 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3692 commands); 3693 3694 /* Although we do have an association in this case, it corresponds 3695 * to a restarted association. So the packet is treated as an OOTB 3696 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3697 * called with a NULL association. 3698 */ 3699 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3700 3701 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3702 } 3703 3704 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3705 enum sctp_disposition sctp_sf_do_asconf(struct net *net, 3706 const struct sctp_endpoint *ep, 3707 const struct sctp_association *asoc, 3708 const union sctp_subtype type, 3709 void *arg, 3710 struct sctp_cmd_seq *commands) 3711 { 3712 struct sctp_paramhdr *err_param = NULL; 3713 struct sctp_chunk *asconf_ack = NULL; 3714 struct sctp_chunk *chunk = arg; 3715 struct sctp_addiphdr *hdr; 3716 __u32 serial; 3717 3718 if (!sctp_vtag_verify(chunk, asoc)) { 3719 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3720 SCTP_NULL()); 3721 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3722 } 3723 3724 /* ADD-IP: Section 4.1.1 3725 * This chunk MUST be sent in an authenticated way by using 3726 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3727 * is received unauthenticated it MUST be silently discarded as 3728 * described in [I-D.ietf-tsvwg-sctp-auth]. 3729 */ 3730 if (!net->sctp.addip_noauth && !chunk->auth) 3731 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, 3732 commands); 3733 3734 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3735 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) 3736 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3737 commands); 3738 3739 hdr = (struct sctp_addiphdr *)chunk->skb->data; 3740 serial = ntohl(hdr->serial); 3741 3742 /* Verify the ASCONF chunk before processing it. */ 3743 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3744 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3745 (void *)err_param, commands); 3746 3747 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3748 * the endpoint stored in a new association variable 3749 * 'Peer-Serial-Number'. 3750 */ 3751 if (serial == asoc->peer.addip_serial + 1) { 3752 /* If this is the first instance of ASCONF in the packet, 3753 * we can clean our old ASCONF-ACKs. 3754 */ 3755 if (!chunk->has_asconf) 3756 sctp_assoc_clean_asconf_ack_cache(asoc); 3757 3758 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3759 * expected, process the ASCONF as described below and after 3760 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3761 * the response packet and cache a copy of it (in the event it 3762 * later needs to be retransmitted). 3763 * 3764 * Essentially, do V1-V5. 3765 */ 3766 asconf_ack = sctp_process_asconf((struct sctp_association *) 3767 asoc, chunk); 3768 if (!asconf_ack) 3769 return SCTP_DISPOSITION_NOMEM; 3770 } else if (serial < asoc->peer.addip_serial + 1) { 3771 /* ADDIP 5.2 E2) 3772 * If the value found in the Sequence Number is less than the 3773 * ('Peer- Sequence-Number' + 1), simply skip to the next 3774 * ASCONF, and include in the outbound response packet 3775 * any previously cached ASCONF-ACK response that was 3776 * sent and saved that matches the Sequence Number of the 3777 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3778 * Chunk exists. This will occur when an older ASCONF 3779 * arrives out of order. In such a case, the receiver 3780 * should skip the ASCONF Chunk and not include ASCONF-ACK 3781 * Chunk for that chunk. 3782 */ 3783 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3784 if (!asconf_ack) 3785 return SCTP_DISPOSITION_DISCARD; 3786 3787 /* Reset the transport so that we select the correct one 3788 * this time around. This is to make sure that we don't 3789 * accidentally use a stale transport that's been removed. 3790 */ 3791 asconf_ack->transport = NULL; 3792 } else { 3793 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3794 * it must be either a stale packet or from an attacker. 3795 */ 3796 return SCTP_DISPOSITION_DISCARD; 3797 } 3798 3799 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3800 * containing the ASCONF-ACK Chunks MUST be the source address of 3801 * the SCTP packet that held the ASCONF Chunks. 3802 * 3803 * To do this properly, we'll set the destination address of the chunk 3804 * and at the transmit time, will try look up the transport to use. 3805 * Since ASCONFs may be bundled, the correct transport may not be 3806 * created until we process the entire packet, thus this workaround. 3807 */ 3808 asconf_ack->dest = chunk->source; 3809 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3810 if (asoc->new_transport) { 3811 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3812 ((struct sctp_association *)asoc)->new_transport = NULL; 3813 } 3814 3815 return SCTP_DISPOSITION_CONSUME; 3816 } 3817 3818 /* 3819 * ADDIP Section 4.3 General rules for address manipulation 3820 * When building TLV parameters for the ASCONF Chunk that will add or 3821 * delete IP addresses the D0 to D13 rules should be applied: 3822 */ 3823 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, 3824 const struct sctp_endpoint *ep, 3825 const struct sctp_association *asoc, 3826 const union sctp_subtype type, 3827 void *arg, 3828 struct sctp_cmd_seq *commands) 3829 { 3830 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3831 struct sctp_paramhdr *err_param = NULL; 3832 struct sctp_chunk *asconf_ack = arg; 3833 struct sctp_addiphdr *addip_hdr; 3834 __u32 sent_serial, rcvd_serial; 3835 struct sctp_chunk *abort; 3836 3837 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3838 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3839 SCTP_NULL()); 3840 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3841 } 3842 3843 /* ADD-IP, Section 4.1.2: 3844 * This chunk MUST be sent in an authenticated way by using 3845 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3846 * is received unauthenticated it MUST be silently discarded as 3847 * described in [I-D.ietf-tsvwg-sctp-auth]. 3848 */ 3849 if (!net->sctp.addip_noauth && !asconf_ack->auth) 3850 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, 3851 commands); 3852 3853 /* Make sure that the ADDIP chunk has a valid length. */ 3854 if (!sctp_chunk_length_valid(asconf_ack, 3855 sizeof(struct sctp_addip_chunk))) 3856 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3857 commands); 3858 3859 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; 3860 rcvd_serial = ntohl(addip_hdr->serial); 3861 3862 /* Verify the ASCONF-ACK chunk before processing it. */ 3863 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 3864 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3865 (void *)err_param, commands); 3866 3867 if (last_asconf) { 3868 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr; 3869 sent_serial = ntohl(addip_hdr->serial); 3870 } else { 3871 sent_serial = asoc->addip_serial - 1; 3872 } 3873 3874 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3875 * equal to the next serial number to be used but no ASCONF chunk is 3876 * outstanding the endpoint MUST ABORT the association. Note that a 3877 * sequence number is greater than if it is no more than 2^^31-1 3878 * larger than the current sequence number (using serial arithmetic). 3879 */ 3880 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3881 !(asoc->addip_last_asconf)) { 3882 abort = sctp_make_abort(asoc, asconf_ack, 3883 sizeof(struct sctp_errhdr)); 3884 if (abort) { 3885 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3886 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3887 SCTP_CHUNK(abort)); 3888 } 3889 /* We are going to ABORT, so we might as well stop 3890 * processing the rest of the chunks in the packet. 3891 */ 3892 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3893 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3894 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3895 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3896 SCTP_ERROR(ECONNABORTED)); 3897 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3898 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3899 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3900 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3901 return SCTP_DISPOSITION_ABORT; 3902 } 3903 3904 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3905 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3906 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3907 3908 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3909 asconf_ack)) { 3910 /* Successfully processed ASCONF_ACK. We can 3911 * release the next asconf if we have one. 3912 */ 3913 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3914 SCTP_NULL()); 3915 return SCTP_DISPOSITION_CONSUME; 3916 } 3917 3918 abort = sctp_make_abort(asoc, asconf_ack, 3919 sizeof(struct sctp_errhdr)); 3920 if (abort) { 3921 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3922 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3923 SCTP_CHUNK(abort)); 3924 } 3925 /* We are going to ABORT, so we might as well stop 3926 * processing the rest of the chunks in the packet. 3927 */ 3928 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3929 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3930 SCTP_ERROR(ECONNABORTED)); 3931 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3932 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3933 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3934 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3935 return SCTP_DISPOSITION_ABORT; 3936 } 3937 3938 return SCTP_DISPOSITION_DISCARD; 3939 } 3940 3941 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */ 3942 enum sctp_disposition sctp_sf_do_reconf(struct net *net, 3943 const struct sctp_endpoint *ep, 3944 const struct sctp_association *asoc, 3945 const union sctp_subtype type, 3946 void *arg, 3947 struct sctp_cmd_seq *commands) 3948 { 3949 struct sctp_paramhdr *err_param = NULL; 3950 struct sctp_chunk *chunk = arg; 3951 struct sctp_reconf_chunk *hdr; 3952 union sctp_params param; 3953 3954 if (!sctp_vtag_verify(chunk, asoc)) { 3955 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3956 SCTP_NULL()); 3957 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3958 } 3959 3960 /* Make sure that the RECONF chunk has a valid length. */ 3961 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr))) 3962 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3963 commands); 3964 3965 if (!sctp_verify_reconf(asoc, chunk, &err_param)) 3966 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3967 (void *)err_param, commands); 3968 3969 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr; 3970 sctp_walk_params(param, hdr, params) { 3971 struct sctp_chunk *reply = NULL; 3972 struct sctp_ulpevent *ev = NULL; 3973 3974 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST) 3975 reply = sctp_process_strreset_outreq( 3976 (struct sctp_association *)asoc, param, &ev); 3977 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST) 3978 reply = sctp_process_strreset_inreq( 3979 (struct sctp_association *)asoc, param, &ev); 3980 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST) 3981 reply = sctp_process_strreset_tsnreq( 3982 (struct sctp_association *)asoc, param, &ev); 3983 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) 3984 reply = sctp_process_strreset_addstrm_out( 3985 (struct sctp_association *)asoc, param, &ev); 3986 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS) 3987 reply = sctp_process_strreset_addstrm_in( 3988 (struct sctp_association *)asoc, param, &ev); 3989 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE) 3990 reply = sctp_process_strreset_resp( 3991 (struct sctp_association *)asoc, param, &ev); 3992 3993 if (ev) 3994 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 3995 SCTP_ULPEVENT(ev)); 3996 3997 if (reply) 3998 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3999 SCTP_CHUNK(reply)); 4000 } 4001 4002 return SCTP_DISPOSITION_CONSUME; 4003 } 4004 4005 /* 4006 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 4007 * 4008 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 4009 * its cumulative TSN point to the value carried in the FORWARD TSN 4010 * chunk, and then MUST further advance its cumulative TSN point locally 4011 * if possible. 4012 * After the above processing, the data receiver MUST stop reporting any 4013 * missing TSNs earlier than or equal to the new cumulative TSN point. 4014 * 4015 * Verification Tag: 8.5 Verification Tag [Normal verification] 4016 * 4017 * The return value is the disposition of the chunk. 4018 */ 4019 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net, 4020 const struct sctp_endpoint *ep, 4021 const struct sctp_association *asoc, 4022 const union sctp_subtype type, 4023 void *arg, 4024 struct sctp_cmd_seq *commands) 4025 { 4026 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4027 struct sctp_chunk *chunk = arg; 4028 __u16 len; 4029 __u32 tsn; 4030 4031 if (!sctp_vtag_verify(chunk, asoc)) { 4032 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4033 SCTP_NULL()); 4034 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4035 } 4036 4037 if (!asoc->peer.prsctp_capable) 4038 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4039 4040 /* Make sure that the FORWARD_TSN chunk has valid length. */ 4041 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4042 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4043 commands); 4044 4045 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4046 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4047 len = ntohs(chunk->chunk_hdr->length); 4048 len -= sizeof(struct sctp_chunkhdr); 4049 skb_pull(chunk->skb, len); 4050 4051 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4052 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4053 4054 /* The TSN is too high--silently discard the chunk and count on it 4055 * getting retransmitted later. 4056 */ 4057 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4058 goto discard_noforce; 4059 4060 if (!asoc->stream.si->validate_ftsn(chunk)) 4061 goto discard_noforce; 4062 4063 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4064 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4065 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4066 SCTP_CHUNK(chunk)); 4067 4068 /* Count this as receiving DATA. */ 4069 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 4070 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4071 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4072 } 4073 4074 /* FIXME: For now send a SACK, but DATA processing may 4075 * send another. 4076 */ 4077 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 4078 4079 return SCTP_DISPOSITION_CONSUME; 4080 4081 discard_noforce: 4082 return SCTP_DISPOSITION_DISCARD; 4083 } 4084 4085 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( 4086 struct net *net, 4087 const struct sctp_endpoint *ep, 4088 const struct sctp_association *asoc, 4089 const union sctp_subtype type, 4090 void *arg, 4091 struct sctp_cmd_seq *commands) 4092 { 4093 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4094 struct sctp_chunk *chunk = arg; 4095 __u16 len; 4096 __u32 tsn; 4097 4098 if (!sctp_vtag_verify(chunk, asoc)) { 4099 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4100 SCTP_NULL()); 4101 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4102 } 4103 4104 if (!asoc->peer.prsctp_capable) 4105 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4106 4107 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 4108 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4109 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4110 commands); 4111 4112 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4113 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4114 len = ntohs(chunk->chunk_hdr->length); 4115 len -= sizeof(struct sctp_chunkhdr); 4116 skb_pull(chunk->skb, len); 4117 4118 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4119 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4120 4121 /* The TSN is too high--silently discard the chunk and count on it 4122 * getting retransmitted later. 4123 */ 4124 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4125 goto gen_shutdown; 4126 4127 if (!asoc->stream.si->validate_ftsn(chunk)) 4128 goto gen_shutdown; 4129 4130 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4131 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4132 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4133 SCTP_CHUNK(chunk)); 4134 4135 /* Go a head and force a SACK, since we are shutting down. */ 4136 gen_shutdown: 4137 /* Implementor's Guide. 4138 * 4139 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 4140 * respond to each received packet containing one or more DATA chunk(s) 4141 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 4142 */ 4143 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 4144 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4145 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4146 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4147 4148 return SCTP_DISPOSITION_CONSUME; 4149 } 4150 4151 /* 4152 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 4153 * 4154 * The receiver MUST use the HMAC algorithm indicated in the HMAC 4155 * Identifier field. If this algorithm was not specified by the 4156 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 4157 * during association setup, the AUTH chunk and all chunks after it MUST 4158 * be discarded and an ERROR chunk SHOULD be sent with the error cause 4159 * defined in Section 4.1. 4160 * 4161 * If an endpoint with no shared key receives a Shared Key Identifier 4162 * other than 0, it MUST silently discard all authenticated chunks. If 4163 * the endpoint has at least one endpoint pair shared key for the peer, 4164 * it MUST use the key specified by the Shared Key Identifier if a 4165 * key has been configured for that Shared Key Identifier. If no 4166 * endpoint pair shared key has been configured for that Shared Key 4167 * Identifier, all authenticated chunks MUST be silently discarded. 4168 * 4169 * Verification Tag: 8.5 Verification Tag [Normal verification] 4170 * 4171 * The return value is the disposition of the chunk. 4172 */ 4173 static enum sctp_ierror sctp_sf_authenticate( 4174 struct net *net, 4175 const struct sctp_endpoint *ep, 4176 const struct sctp_association *asoc, 4177 const union sctp_subtype type, 4178 struct sctp_chunk *chunk) 4179 { 4180 struct sctp_shared_key *sh_key = NULL; 4181 struct sctp_authhdr *auth_hdr; 4182 __u8 *save_digest, *digest; 4183 struct sctp_hmac *hmac; 4184 unsigned int sig_len; 4185 __u16 key_id; 4186 4187 /* Pull in the auth header, so we can do some more verification */ 4188 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4189 chunk->subh.auth_hdr = auth_hdr; 4190 skb_pull(chunk->skb, sizeof(*auth_hdr)); 4191 4192 /* Make sure that we support the HMAC algorithm from the auth 4193 * chunk. 4194 */ 4195 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4196 return SCTP_IERROR_AUTH_BAD_HMAC; 4197 4198 /* Make sure that the provided shared key identifier has been 4199 * configured 4200 */ 4201 key_id = ntohs(auth_hdr->shkey_id); 4202 if (key_id != asoc->active_key_id) { 4203 sh_key = sctp_auth_get_shkey(asoc, key_id); 4204 if (!sh_key) 4205 return SCTP_IERROR_AUTH_BAD_KEYID; 4206 } 4207 4208 /* Make sure that the length of the signature matches what 4209 * we expect. 4210 */ 4211 sig_len = ntohs(chunk->chunk_hdr->length) - 4212 sizeof(struct sctp_auth_chunk); 4213 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4214 if (sig_len != hmac->hmac_len) 4215 return SCTP_IERROR_PROTO_VIOLATION; 4216 4217 /* Now that we've done validation checks, we can compute and 4218 * verify the hmac. The steps involved are: 4219 * 1. Save the digest from the chunk. 4220 * 2. Zero out the digest in the chunk. 4221 * 3. Compute the new digest 4222 * 4. Compare saved and new digests. 4223 */ 4224 digest = auth_hdr->hmac; 4225 skb_pull(chunk->skb, sig_len); 4226 4227 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4228 if (!save_digest) 4229 goto nomem; 4230 4231 memset(digest, 0, sig_len); 4232 4233 sctp_auth_calculate_hmac(asoc, chunk->skb, 4234 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4235 sh_key, GFP_ATOMIC); 4236 4237 /* Discard the packet if the digests do not match */ 4238 if (memcmp(save_digest, digest, sig_len)) { 4239 kfree(save_digest); 4240 return SCTP_IERROR_BAD_SIG; 4241 } 4242 4243 kfree(save_digest); 4244 chunk->auth = 1; 4245 4246 return SCTP_IERROR_NO_ERROR; 4247 nomem: 4248 return SCTP_IERROR_NOMEM; 4249 } 4250 4251 enum sctp_disposition sctp_sf_eat_auth(struct net *net, 4252 const struct sctp_endpoint *ep, 4253 const struct sctp_association *asoc, 4254 const union sctp_subtype type, 4255 void *arg, struct sctp_cmd_seq *commands) 4256 { 4257 struct sctp_chunk *chunk = arg; 4258 struct sctp_authhdr *auth_hdr; 4259 struct sctp_chunk *err_chunk; 4260 enum sctp_ierror error; 4261 4262 /* Make sure that the peer has AUTH capable */ 4263 if (!asoc->peer.auth_capable) 4264 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4265 4266 if (!sctp_vtag_verify(chunk, asoc)) { 4267 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4268 SCTP_NULL()); 4269 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4270 } 4271 4272 /* Make sure that the AUTH chunk has valid length. */ 4273 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4274 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4275 commands); 4276 4277 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4278 error = sctp_sf_authenticate(net, ep, asoc, type, chunk); 4279 switch (error) { 4280 case SCTP_IERROR_AUTH_BAD_HMAC: 4281 /* Generate the ERROR chunk and discard the rest 4282 * of the packet 4283 */ 4284 err_chunk = sctp_make_op_error(asoc, chunk, 4285 SCTP_ERROR_UNSUP_HMAC, 4286 &auth_hdr->hmac_id, 4287 sizeof(__u16), 0); 4288 if (err_chunk) { 4289 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4290 SCTP_CHUNK(err_chunk)); 4291 } 4292 /* Fall Through */ 4293 case SCTP_IERROR_AUTH_BAD_KEYID: 4294 case SCTP_IERROR_BAD_SIG: 4295 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4296 4297 case SCTP_IERROR_PROTO_VIOLATION: 4298 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4299 commands); 4300 4301 case SCTP_IERROR_NOMEM: 4302 return SCTP_DISPOSITION_NOMEM; 4303 4304 default: /* Prevent gcc warnings */ 4305 break; 4306 } 4307 4308 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4309 struct sctp_ulpevent *ev; 4310 4311 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4312 SCTP_AUTH_NEW_KEY, GFP_ATOMIC); 4313 4314 if (!ev) 4315 return -ENOMEM; 4316 4317 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4318 SCTP_ULPEVENT(ev)); 4319 } 4320 4321 return SCTP_DISPOSITION_CONSUME; 4322 } 4323 4324 /* 4325 * Process an unknown chunk. 4326 * 4327 * Section: 3.2. Also, 2.1 in the implementor's guide. 4328 * 4329 * Chunk Types are encoded such that the highest-order two bits specify 4330 * the action that must be taken if the processing endpoint does not 4331 * recognize the Chunk Type. 4332 * 4333 * 00 - Stop processing this SCTP packet and discard it, do not process 4334 * any further chunks within it. 4335 * 4336 * 01 - Stop processing this SCTP packet and discard it, do not process 4337 * any further chunks within it, and report the unrecognized 4338 * chunk in an 'Unrecognized Chunk Type'. 4339 * 4340 * 10 - Skip this chunk and continue processing. 4341 * 4342 * 11 - Skip this chunk and continue processing, but report in an ERROR 4343 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4344 * 4345 * The return value is the disposition of the chunk. 4346 */ 4347 enum sctp_disposition sctp_sf_unk_chunk(struct net *net, 4348 const struct sctp_endpoint *ep, 4349 const struct sctp_association *asoc, 4350 const union sctp_subtype type, 4351 void *arg, 4352 struct sctp_cmd_seq *commands) 4353 { 4354 struct sctp_chunk *unk_chunk = arg; 4355 struct sctp_chunk *err_chunk; 4356 struct sctp_chunkhdr *hdr; 4357 4358 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4359 4360 if (!sctp_vtag_verify(unk_chunk, asoc)) 4361 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4362 4363 /* Make sure that the chunk has a valid length. 4364 * Since we don't know the chunk type, we use a general 4365 * chunkhdr structure to make a comparison. 4366 */ 4367 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr))) 4368 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4369 commands); 4370 4371 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4372 case SCTP_CID_ACTION_DISCARD: 4373 /* Discard the packet. */ 4374 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4375 case SCTP_CID_ACTION_DISCARD_ERR: 4376 /* Generate an ERROR chunk as response. */ 4377 hdr = unk_chunk->chunk_hdr; 4378 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4379 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4380 SCTP_PAD4(ntohs(hdr->length)), 4381 0); 4382 if (err_chunk) { 4383 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4384 SCTP_CHUNK(err_chunk)); 4385 } 4386 4387 /* Discard the packet. */ 4388 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4389 return SCTP_DISPOSITION_CONSUME; 4390 case SCTP_CID_ACTION_SKIP: 4391 /* Skip the chunk. */ 4392 return SCTP_DISPOSITION_DISCARD; 4393 case SCTP_CID_ACTION_SKIP_ERR: 4394 /* Generate an ERROR chunk as response. */ 4395 hdr = unk_chunk->chunk_hdr; 4396 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4397 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4398 SCTP_PAD4(ntohs(hdr->length)), 4399 0); 4400 if (err_chunk) { 4401 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4402 SCTP_CHUNK(err_chunk)); 4403 } 4404 /* Skip the chunk. */ 4405 return SCTP_DISPOSITION_CONSUME; 4406 default: 4407 break; 4408 } 4409 4410 return SCTP_DISPOSITION_DISCARD; 4411 } 4412 4413 /* 4414 * Discard the chunk. 4415 * 4416 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4417 * [Too numerous to mention...] 4418 * Verification Tag: No verification needed. 4419 * Inputs 4420 * (endpoint, asoc, chunk) 4421 * 4422 * Outputs 4423 * (asoc, reply_msg, msg_up, timers, counters) 4424 * 4425 * The return value is the disposition of the chunk. 4426 */ 4427 enum sctp_disposition sctp_sf_discard_chunk(struct net *net, 4428 const struct sctp_endpoint *ep, 4429 const struct sctp_association *asoc, 4430 const union sctp_subtype type, 4431 void *arg, 4432 struct sctp_cmd_seq *commands) 4433 { 4434 struct sctp_chunk *chunk = arg; 4435 4436 /* Make sure that the chunk has a valid length. 4437 * Since we don't know the chunk type, we use a general 4438 * chunkhdr structure to make a comparison. 4439 */ 4440 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4441 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4442 commands); 4443 4444 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4445 4446 return SCTP_DISPOSITION_DISCARD; 4447 } 4448 4449 /* 4450 * Discard the whole packet. 4451 * 4452 * Section: 8.4 2) 4453 * 4454 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4455 * silently discard the OOTB packet and take no further action. 4456 * 4457 * Verification Tag: No verification necessary 4458 * 4459 * Inputs 4460 * (endpoint, asoc, chunk) 4461 * 4462 * Outputs 4463 * (asoc, reply_msg, msg_up, timers, counters) 4464 * 4465 * The return value is the disposition of the chunk. 4466 */ 4467 enum sctp_disposition sctp_sf_pdiscard(struct net *net, 4468 const struct sctp_endpoint *ep, 4469 const struct sctp_association *asoc, 4470 const union sctp_subtype type, 4471 void *arg, struct sctp_cmd_seq *commands) 4472 { 4473 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4474 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4475 4476 return SCTP_DISPOSITION_CONSUME; 4477 } 4478 4479 4480 /* 4481 * The other end is violating protocol. 4482 * 4483 * Section: Not specified 4484 * Verification Tag: Not specified 4485 * Inputs 4486 * (endpoint, asoc, chunk) 4487 * 4488 * Outputs 4489 * (asoc, reply_msg, msg_up, timers, counters) 4490 * 4491 * We simply tag the chunk as a violation. The state machine will log 4492 * the violation and continue. 4493 */ 4494 enum sctp_disposition sctp_sf_violation(struct net *net, 4495 const struct sctp_endpoint *ep, 4496 const struct sctp_association *asoc, 4497 const union sctp_subtype type, 4498 void *arg, 4499 struct sctp_cmd_seq *commands) 4500 { 4501 struct sctp_chunk *chunk = arg; 4502 4503 /* Make sure that the chunk has a valid length. */ 4504 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4505 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4506 commands); 4507 4508 return SCTP_DISPOSITION_VIOLATION; 4509 } 4510 4511 /* 4512 * Common function to handle a protocol violation. 4513 */ 4514 static enum sctp_disposition sctp_sf_abort_violation( 4515 struct net *net, 4516 const struct sctp_endpoint *ep, 4517 const struct sctp_association *asoc, 4518 void *arg, 4519 struct sctp_cmd_seq *commands, 4520 const __u8 *payload, 4521 const size_t paylen) 4522 { 4523 struct sctp_packet *packet = NULL; 4524 struct sctp_chunk *chunk = arg; 4525 struct sctp_chunk *abort = NULL; 4526 4527 /* SCTP-AUTH, Section 6.3: 4528 * It should be noted that if the receiver wants to tear 4529 * down an association in an authenticated way only, the 4530 * handling of malformed packets should not result in 4531 * tearing down the association. 4532 * 4533 * This means that if we only want to abort associations 4534 * in an authenticated way (i.e AUTH+ABORT), then we 4535 * can't destroy this association just because the packet 4536 * was malformed. 4537 */ 4538 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4539 goto discard; 4540 4541 /* Make the abort chunk. */ 4542 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4543 if (!abort) 4544 goto nomem; 4545 4546 if (asoc) { 4547 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4548 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4549 !asoc->peer.i.init_tag) { 4550 struct sctp_initack_chunk *initack; 4551 4552 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 4553 if (!sctp_chunk_length_valid(chunk, sizeof(*initack))) 4554 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4555 else { 4556 unsigned int inittag; 4557 4558 inittag = ntohl(initack->init_hdr.init_tag); 4559 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4560 SCTP_U32(inittag)); 4561 } 4562 } 4563 4564 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4565 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4566 4567 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4568 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4569 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4570 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4571 SCTP_ERROR(ECONNREFUSED)); 4572 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4573 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4574 } else { 4575 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4576 SCTP_ERROR(ECONNABORTED)); 4577 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4578 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4579 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4580 } 4581 } else { 4582 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4583 4584 if (!packet) 4585 goto nomem_pkt; 4586 4587 if (sctp_test_T_bit(abort)) 4588 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4589 4590 abort->skb->sk = ep->base.sk; 4591 4592 sctp_packet_append_chunk(packet, abort); 4593 4594 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4595 SCTP_PACKET(packet)); 4596 4597 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4598 } 4599 4600 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4601 4602 discard: 4603 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4604 return SCTP_DISPOSITION_ABORT; 4605 4606 nomem_pkt: 4607 sctp_chunk_free(abort); 4608 nomem: 4609 return SCTP_DISPOSITION_NOMEM; 4610 } 4611 4612 /* 4613 * Handle a protocol violation when the chunk length is invalid. 4614 * "Invalid" length is identified as smaller than the minimal length a 4615 * given chunk can be. For example, a SACK chunk has invalid length 4616 * if its length is set to be smaller than the size of struct sctp_sack_chunk. 4617 * 4618 * We inform the other end by sending an ABORT with a Protocol Violation 4619 * error code. 4620 * 4621 * Section: Not specified 4622 * Verification Tag: Nothing to do 4623 * Inputs 4624 * (endpoint, asoc, chunk) 4625 * 4626 * Outputs 4627 * (reply_msg, msg_up, counters) 4628 * 4629 * Generate an ABORT chunk and terminate the association. 4630 */ 4631 static enum sctp_disposition sctp_sf_violation_chunklen( 4632 struct net *net, 4633 const struct sctp_endpoint *ep, 4634 const struct sctp_association *asoc, 4635 const union sctp_subtype type, 4636 void *arg, 4637 struct sctp_cmd_seq *commands) 4638 { 4639 static const char err_str[] = "The following chunk had invalid length:"; 4640 4641 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4642 sizeof(err_str)); 4643 } 4644 4645 /* 4646 * Handle a protocol violation when the parameter length is invalid. 4647 * If the length is smaller than the minimum length of a given parameter, 4648 * or accumulated length in multi parameters exceeds the end of the chunk, 4649 * the length is considered as invalid. 4650 */ 4651 static enum sctp_disposition sctp_sf_violation_paramlen( 4652 struct net *net, 4653 const struct sctp_endpoint *ep, 4654 const struct sctp_association *asoc, 4655 const union sctp_subtype type, 4656 void *arg, void *ext, 4657 struct sctp_cmd_seq *commands) 4658 { 4659 struct sctp_paramhdr *param = ext; 4660 struct sctp_chunk *abort = NULL; 4661 struct sctp_chunk *chunk = arg; 4662 4663 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4664 goto discard; 4665 4666 /* Make the abort chunk. */ 4667 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4668 if (!abort) 4669 goto nomem; 4670 4671 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4672 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4673 4674 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4675 SCTP_ERROR(ECONNABORTED)); 4676 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4677 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4678 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4679 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4680 4681 discard: 4682 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4683 return SCTP_DISPOSITION_ABORT; 4684 nomem: 4685 return SCTP_DISPOSITION_NOMEM; 4686 } 4687 4688 /* Handle a protocol violation when the peer trying to advance the 4689 * cumulative tsn ack to a point beyond the max tsn currently sent. 4690 * 4691 * We inform the other end by sending an ABORT with a Protocol Violation 4692 * error code. 4693 */ 4694 static enum sctp_disposition sctp_sf_violation_ctsn( 4695 struct net *net, 4696 const struct sctp_endpoint *ep, 4697 const struct sctp_association *asoc, 4698 const union sctp_subtype type, 4699 void *arg, 4700 struct sctp_cmd_seq *commands) 4701 { 4702 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4703 4704 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4705 sizeof(err_str)); 4706 } 4707 4708 /* Handle protocol violation of an invalid chunk bundling. For example, 4709 * when we have an association and we receive bundled INIT-ACK, or 4710 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4711 * statement from the specs. Additionally, there might be an attacker 4712 * on the path and we may not want to continue this communication. 4713 */ 4714 static enum sctp_disposition sctp_sf_violation_chunk( 4715 struct net *net, 4716 const struct sctp_endpoint *ep, 4717 const struct sctp_association *asoc, 4718 const union sctp_subtype type, 4719 void *arg, 4720 struct sctp_cmd_seq *commands) 4721 { 4722 static const char err_str[] = "The following chunk violates protocol:"; 4723 4724 if (!asoc) 4725 return sctp_sf_violation(net, ep, asoc, type, arg, commands); 4726 4727 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4728 sizeof(err_str)); 4729 } 4730 /*************************************************************************** 4731 * These are the state functions for handling primitive (Section 10) events. 4732 ***************************************************************************/ 4733 /* 4734 * sctp_sf_do_prm_asoc 4735 * 4736 * Section: 10.1 ULP-to-SCTP 4737 * B) Associate 4738 * 4739 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4740 * outbound stream count) 4741 * -> association id [,destination transport addr list] [,outbound stream 4742 * count] 4743 * 4744 * This primitive allows the upper layer to initiate an association to a 4745 * specific peer endpoint. 4746 * 4747 * The peer endpoint shall be specified by one of the transport addresses 4748 * which defines the endpoint (see Section 1.4). If the local SCTP 4749 * instance has not been initialized, the ASSOCIATE is considered an 4750 * error. 4751 * [This is not relevant for the kernel implementation since we do all 4752 * initialization at boot time. It we hadn't initialized we wouldn't 4753 * get anywhere near this code.] 4754 * 4755 * An association id, which is a local handle to the SCTP association, 4756 * will be returned on successful establishment of the association. If 4757 * SCTP is not able to open an SCTP association with the peer endpoint, 4758 * an error is returned. 4759 * [In the kernel implementation, the struct sctp_association needs to 4760 * be created BEFORE causing this primitive to run.] 4761 * 4762 * Other association parameters may be returned, including the 4763 * complete destination transport addresses of the peer as well as the 4764 * outbound stream count of the local endpoint. One of the transport 4765 * address from the returned destination addresses will be selected by 4766 * the local endpoint as default primary path for sending SCTP packets 4767 * to this peer. The returned "destination transport addr list" can 4768 * be used by the ULP to change the default primary path or to force 4769 * sending a packet to a specific transport address. [All of this 4770 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4771 * function.] 4772 * 4773 * Mandatory attributes: 4774 * 4775 * o local SCTP instance name - obtained from the INITIALIZE operation. 4776 * [This is the argument asoc.] 4777 * o destination transport addr - specified as one of the transport 4778 * addresses of the peer endpoint with which the association is to be 4779 * established. 4780 * [This is asoc->peer.active_path.] 4781 * o outbound stream count - the number of outbound streams the ULP 4782 * would like to open towards this peer endpoint. 4783 * [BUG: This is not currently implemented.] 4784 * Optional attributes: 4785 * 4786 * None. 4787 * 4788 * The return value is a disposition. 4789 */ 4790 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net, 4791 const struct sctp_endpoint *ep, 4792 const struct sctp_association *asoc, 4793 const union sctp_subtype type, 4794 void *arg, 4795 struct sctp_cmd_seq *commands) 4796 { 4797 struct sctp_association *my_asoc; 4798 struct sctp_chunk *repl; 4799 4800 /* The comment below says that we enter COOKIE-WAIT AFTER 4801 * sending the INIT, but that doesn't actually work in our 4802 * implementation... 4803 */ 4804 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4805 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4806 4807 /* RFC 2960 5.1 Normal Establishment of an Association 4808 * 4809 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4810 * must provide its Verification Tag (Tag_A) in the Initiate 4811 * Tag field. Tag_A SHOULD be a random number in the range of 4812 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4813 */ 4814 4815 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4816 if (!repl) 4817 goto nomem; 4818 4819 /* Choose transport for INIT. */ 4820 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4821 SCTP_CHUNK(repl)); 4822 4823 /* Cast away the const modifier, as we want to just 4824 * rerun it through as a sideffect. 4825 */ 4826 my_asoc = (struct sctp_association *)asoc; 4827 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4828 4829 /* After sending the INIT, "A" starts the T1-init timer and 4830 * enters the COOKIE-WAIT state. 4831 */ 4832 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4833 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4834 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4835 return SCTP_DISPOSITION_CONSUME; 4836 4837 nomem: 4838 return SCTP_DISPOSITION_NOMEM; 4839 } 4840 4841 /* 4842 * Process the SEND primitive. 4843 * 4844 * Section: 10.1 ULP-to-SCTP 4845 * E) Send 4846 * 4847 * Format: SEND(association id, buffer address, byte count [,context] 4848 * [,stream id] [,life time] [,destination transport address] 4849 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4850 * -> result 4851 * 4852 * This is the main method to send user data via SCTP. 4853 * 4854 * Mandatory attributes: 4855 * 4856 * o association id - local handle to the SCTP association 4857 * 4858 * o buffer address - the location where the user message to be 4859 * transmitted is stored; 4860 * 4861 * o byte count - The size of the user data in number of bytes; 4862 * 4863 * Optional attributes: 4864 * 4865 * o context - an optional 32 bit integer that will be carried in the 4866 * sending failure notification to the ULP if the transportation of 4867 * this User Message fails. 4868 * 4869 * o stream id - to indicate which stream to send the data on. If not 4870 * specified, stream 0 will be used. 4871 * 4872 * o life time - specifies the life time of the user data. The user data 4873 * will not be sent by SCTP after the life time expires. This 4874 * parameter can be used to avoid efforts to transmit stale 4875 * user messages. SCTP notifies the ULP if the data cannot be 4876 * initiated to transport (i.e. sent to the destination via SCTP's 4877 * send primitive) within the life time variable. However, the 4878 * user data will be transmitted if SCTP has attempted to transmit a 4879 * chunk before the life time expired. 4880 * 4881 * o destination transport address - specified as one of the destination 4882 * transport addresses of the peer endpoint to which this packet 4883 * should be sent. Whenever possible, SCTP should use this destination 4884 * transport address for sending the packets, instead of the current 4885 * primary path. 4886 * 4887 * o unorder flag - this flag, if present, indicates that the user 4888 * would like the data delivered in an unordered fashion to the peer 4889 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4890 * message). 4891 * 4892 * o no-bundle flag - instructs SCTP not to bundle this user data with 4893 * other outbound DATA chunks. SCTP MAY still bundle even when 4894 * this flag is present, when faced with network congestion. 4895 * 4896 * o payload protocol-id - A 32 bit unsigned integer that is to be 4897 * passed to the peer indicating the type of payload protocol data 4898 * being transmitted. This value is passed as opaque data by SCTP. 4899 * 4900 * The return value is the disposition. 4901 */ 4902 enum sctp_disposition sctp_sf_do_prm_send(struct net *net, 4903 const struct sctp_endpoint *ep, 4904 const struct sctp_association *asoc, 4905 const union sctp_subtype type, 4906 void *arg, 4907 struct sctp_cmd_seq *commands) 4908 { 4909 struct sctp_datamsg *msg = arg; 4910 4911 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4912 return SCTP_DISPOSITION_CONSUME; 4913 } 4914 4915 /* 4916 * Process the SHUTDOWN primitive. 4917 * 4918 * Section: 10.1: 4919 * C) Shutdown 4920 * 4921 * Format: SHUTDOWN(association id) 4922 * -> result 4923 * 4924 * Gracefully closes an association. Any locally queued user data 4925 * will be delivered to the peer. The association will be terminated only 4926 * after the peer acknowledges all the SCTP packets sent. A success code 4927 * will be returned on successful termination of the association. If 4928 * attempting to terminate the association results in a failure, an error 4929 * code shall be returned. 4930 * 4931 * Mandatory attributes: 4932 * 4933 * o association id - local handle to the SCTP association 4934 * 4935 * Optional attributes: 4936 * 4937 * None. 4938 * 4939 * The return value is the disposition. 4940 */ 4941 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown( 4942 struct net *net, 4943 const struct sctp_endpoint *ep, 4944 const struct sctp_association *asoc, 4945 const union sctp_subtype type, 4946 void *arg, 4947 struct sctp_cmd_seq *commands) 4948 { 4949 enum sctp_disposition disposition; 4950 4951 /* From 9.2 Shutdown of an Association 4952 * Upon receipt of the SHUTDOWN primitive from its upper 4953 * layer, the endpoint enters SHUTDOWN-PENDING state and 4954 * remains there until all outstanding data has been 4955 * acknowledged by its peer. The endpoint accepts no new data 4956 * from its upper layer, but retransmits data to the far end 4957 * if necessary to fill gaps. 4958 */ 4959 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4960 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4961 4962 disposition = SCTP_DISPOSITION_CONSUME; 4963 if (sctp_outq_is_empty(&asoc->outqueue)) { 4964 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 4965 arg, commands); 4966 } 4967 4968 return disposition; 4969 } 4970 4971 /* 4972 * Process the ABORT primitive. 4973 * 4974 * Section: 10.1: 4975 * C) Abort 4976 * 4977 * Format: Abort(association id [, cause code]) 4978 * -> result 4979 * 4980 * Ungracefully closes an association. Any locally queued user data 4981 * will be discarded and an ABORT chunk is sent to the peer. A success code 4982 * will be returned on successful abortion of the association. If 4983 * attempting to abort the association results in a failure, an error 4984 * code shall be returned. 4985 * 4986 * Mandatory attributes: 4987 * 4988 * o association id - local handle to the SCTP association 4989 * 4990 * Optional attributes: 4991 * 4992 * o cause code - reason of the abort to be passed to the peer 4993 * 4994 * None. 4995 * 4996 * The return value is the disposition. 4997 */ 4998 enum sctp_disposition sctp_sf_do_9_1_prm_abort( 4999 struct net *net, 5000 const struct sctp_endpoint *ep, 5001 const struct sctp_association *asoc, 5002 const union sctp_subtype type, 5003 void *arg, 5004 struct sctp_cmd_seq *commands) 5005 { 5006 /* From 9.1 Abort of an Association 5007 * Upon receipt of the ABORT primitive from its upper 5008 * layer, the endpoint enters CLOSED state and 5009 * discard all outstanding data has been 5010 * acknowledged by its peer. The endpoint accepts no new data 5011 * from its upper layer, but retransmits data to the far end 5012 * if necessary to fill gaps. 5013 */ 5014 struct sctp_chunk *abort = arg; 5015 5016 if (abort) 5017 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5018 5019 /* Even if we can't send the ABORT due to low memory delete the 5020 * TCB. This is a departure from our typical NOMEM handling. 5021 */ 5022 5023 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5024 SCTP_ERROR(ECONNABORTED)); 5025 /* Delete the established association. */ 5026 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5027 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5028 5029 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5030 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5031 5032 return SCTP_DISPOSITION_ABORT; 5033 } 5034 5035 /* We tried an illegal operation on an association which is closed. */ 5036 enum sctp_disposition sctp_sf_error_closed(struct net *net, 5037 const struct sctp_endpoint *ep, 5038 const struct sctp_association *asoc, 5039 const union sctp_subtype type, 5040 void *arg, 5041 struct sctp_cmd_seq *commands) 5042 { 5043 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 5044 return SCTP_DISPOSITION_CONSUME; 5045 } 5046 5047 /* We tried an illegal operation on an association which is shutting 5048 * down. 5049 */ 5050 enum sctp_disposition sctp_sf_error_shutdown( 5051 struct net *net, 5052 const struct sctp_endpoint *ep, 5053 const struct sctp_association *asoc, 5054 const union sctp_subtype type, 5055 void *arg, 5056 struct sctp_cmd_seq *commands) 5057 { 5058 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 5059 SCTP_ERROR(-ESHUTDOWN)); 5060 return SCTP_DISPOSITION_CONSUME; 5061 } 5062 5063 /* 5064 * sctp_cookie_wait_prm_shutdown 5065 * 5066 * Section: 4 Note: 2 5067 * Verification Tag: 5068 * Inputs 5069 * (endpoint, asoc) 5070 * 5071 * The RFC does not explicitly address this issue, but is the route through the 5072 * state table when someone issues a shutdown while in COOKIE_WAIT state. 5073 * 5074 * Outputs 5075 * (timers) 5076 */ 5077 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( 5078 struct net *net, 5079 const struct sctp_endpoint *ep, 5080 const struct sctp_association *asoc, 5081 const union sctp_subtype type, 5082 void *arg, 5083 struct sctp_cmd_seq *commands) 5084 { 5085 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5086 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5087 5088 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5089 SCTP_STATE(SCTP_STATE_CLOSED)); 5090 5091 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 5092 5093 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 5094 5095 return SCTP_DISPOSITION_DELETE_TCB; 5096 } 5097 5098 /* 5099 * sctp_cookie_echoed_prm_shutdown 5100 * 5101 * Section: 4 Note: 2 5102 * Verification Tag: 5103 * Inputs 5104 * (endpoint, asoc) 5105 * 5106 * The RFC does not explcitly address this issue, but is the route through the 5107 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 5108 * 5109 * Outputs 5110 * (timers) 5111 */ 5112 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown( 5113 struct net *net, 5114 const struct sctp_endpoint *ep, 5115 const struct sctp_association *asoc, 5116 const union sctp_subtype type, 5117 void *arg, 5118 struct sctp_cmd_seq *commands) 5119 { 5120 /* There is a single T1 timer, so we should be able to use 5121 * common function with the COOKIE-WAIT state. 5122 */ 5123 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 5124 } 5125 5126 /* 5127 * sctp_sf_cookie_wait_prm_abort 5128 * 5129 * Section: 4 Note: 2 5130 * Verification Tag: 5131 * Inputs 5132 * (endpoint, asoc) 5133 * 5134 * The RFC does not explicitly address this issue, but is the route through the 5135 * state table when someone issues an abort while in COOKIE_WAIT state. 5136 * 5137 * Outputs 5138 * (timers) 5139 */ 5140 enum sctp_disposition sctp_sf_cookie_wait_prm_abort( 5141 struct net *net, 5142 const struct sctp_endpoint *ep, 5143 const struct sctp_association *asoc, 5144 const union sctp_subtype type, 5145 void *arg, 5146 struct sctp_cmd_seq *commands) 5147 { 5148 struct sctp_chunk *abort = arg; 5149 5150 /* Stop T1-init timer */ 5151 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5152 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5153 5154 if (abort) 5155 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5156 5157 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5158 SCTP_STATE(SCTP_STATE_CLOSED)); 5159 5160 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5161 5162 /* Even if we can't send the ABORT due to low memory delete the 5163 * TCB. This is a departure from our typical NOMEM handling. 5164 */ 5165 5166 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5167 SCTP_ERROR(ECONNREFUSED)); 5168 /* Delete the established association. */ 5169 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5170 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5171 5172 return SCTP_DISPOSITION_ABORT; 5173 } 5174 5175 /* 5176 * sctp_sf_cookie_echoed_prm_abort 5177 * 5178 * Section: 4 Note: 3 5179 * Verification Tag: 5180 * Inputs 5181 * (endpoint, asoc) 5182 * 5183 * The RFC does not explcitly address this issue, but is the route through the 5184 * state table when someone issues an abort while in COOKIE_ECHOED state. 5185 * 5186 * Outputs 5187 * (timers) 5188 */ 5189 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort( 5190 struct net *net, 5191 const struct sctp_endpoint *ep, 5192 const struct sctp_association *asoc, 5193 const union sctp_subtype type, 5194 void *arg, 5195 struct sctp_cmd_seq *commands) 5196 { 5197 /* There is a single T1 timer, so we should be able to use 5198 * common function with the COOKIE-WAIT state. 5199 */ 5200 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5201 } 5202 5203 /* 5204 * sctp_sf_shutdown_pending_prm_abort 5205 * 5206 * Inputs 5207 * (endpoint, asoc) 5208 * 5209 * The RFC does not explicitly address this issue, but is the route through the 5210 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5211 * 5212 * Outputs 5213 * (timers) 5214 */ 5215 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort( 5216 struct net *net, 5217 const struct sctp_endpoint *ep, 5218 const struct sctp_association *asoc, 5219 const union sctp_subtype type, 5220 void *arg, 5221 struct sctp_cmd_seq *commands) 5222 { 5223 /* Stop the T5-shutdown guard timer. */ 5224 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5225 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5226 5227 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5228 } 5229 5230 /* 5231 * sctp_sf_shutdown_sent_prm_abort 5232 * 5233 * Inputs 5234 * (endpoint, asoc) 5235 * 5236 * The RFC does not explicitly address this issue, but is the route through the 5237 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5238 * 5239 * Outputs 5240 * (timers) 5241 */ 5242 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort( 5243 struct net *net, 5244 const struct sctp_endpoint *ep, 5245 const struct sctp_association *asoc, 5246 const union sctp_subtype type, 5247 void *arg, 5248 struct sctp_cmd_seq *commands) 5249 { 5250 /* Stop the T2-shutdown timer. */ 5251 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5252 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5253 5254 /* Stop the T5-shutdown guard timer. */ 5255 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5256 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5257 5258 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5259 } 5260 5261 /* 5262 * sctp_sf_cookie_echoed_prm_abort 5263 * 5264 * Inputs 5265 * (endpoint, asoc) 5266 * 5267 * The RFC does not explcitly address this issue, but is the route through the 5268 * state table when someone issues an abort while in COOKIE_ECHOED state. 5269 * 5270 * Outputs 5271 * (timers) 5272 */ 5273 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort( 5274 struct net *net, 5275 const struct sctp_endpoint *ep, 5276 const struct sctp_association *asoc, 5277 const union sctp_subtype type, 5278 void *arg, 5279 struct sctp_cmd_seq *commands) 5280 { 5281 /* The same T2 timer, so we should be able to use 5282 * common function with the SHUTDOWN-SENT state. 5283 */ 5284 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5285 } 5286 5287 /* 5288 * Process the REQUESTHEARTBEAT primitive 5289 * 5290 * 10.1 ULP-to-SCTP 5291 * J) Request Heartbeat 5292 * 5293 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5294 * 5295 * -> result 5296 * 5297 * Instructs the local endpoint to perform a HeartBeat on the specified 5298 * destination transport address of the given association. The returned 5299 * result should indicate whether the transmission of the HEARTBEAT 5300 * chunk to the destination address is successful. 5301 * 5302 * Mandatory attributes: 5303 * 5304 * o association id - local handle to the SCTP association 5305 * 5306 * o destination transport address - the transport address of the 5307 * association on which a heartbeat should be issued. 5308 */ 5309 enum sctp_disposition sctp_sf_do_prm_requestheartbeat( 5310 struct net *net, 5311 const struct sctp_endpoint *ep, 5312 const struct sctp_association *asoc, 5313 const union sctp_subtype type, 5314 void *arg, 5315 struct sctp_cmd_seq *commands) 5316 { 5317 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5318 (struct sctp_transport *)arg, commands)) 5319 return SCTP_DISPOSITION_NOMEM; 5320 5321 /* 5322 * RFC 2960 (bis), section 8.3 5323 * 5324 * D) Request an on-demand HEARTBEAT on a specific destination 5325 * transport address of a given association. 5326 * 5327 * The endpoint should increment the respective error counter of 5328 * the destination transport address each time a HEARTBEAT is sent 5329 * to that address and not acknowledged within one RTO. 5330 * 5331 */ 5332 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5333 SCTP_TRANSPORT(arg)); 5334 return SCTP_DISPOSITION_CONSUME; 5335 } 5336 5337 /* 5338 * ADDIP Section 4.1 ASCONF Chunk Procedures 5339 * When an endpoint has an ASCONF signaled change to be sent to the 5340 * remote endpoint it should do A1 to A9 5341 */ 5342 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net, 5343 const struct sctp_endpoint *ep, 5344 const struct sctp_association *asoc, 5345 const union sctp_subtype type, 5346 void *arg, 5347 struct sctp_cmd_seq *commands) 5348 { 5349 struct sctp_chunk *chunk = arg; 5350 5351 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5352 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5353 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5354 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5355 return SCTP_DISPOSITION_CONSUME; 5356 } 5357 5358 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */ 5359 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net, 5360 const struct sctp_endpoint *ep, 5361 const struct sctp_association *asoc, 5362 const union sctp_subtype type, 5363 void *arg, 5364 struct sctp_cmd_seq *commands) 5365 { 5366 struct sctp_chunk *chunk = arg; 5367 5368 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5369 return SCTP_DISPOSITION_CONSUME; 5370 } 5371 5372 /* 5373 * Ignore the primitive event 5374 * 5375 * The return value is the disposition of the primitive. 5376 */ 5377 enum sctp_disposition sctp_sf_ignore_primitive( 5378 struct net *net, 5379 const struct sctp_endpoint *ep, 5380 const struct sctp_association *asoc, 5381 const union sctp_subtype type, 5382 void *arg, 5383 struct sctp_cmd_seq *commands) 5384 { 5385 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5386 type.primitive); 5387 5388 return SCTP_DISPOSITION_DISCARD; 5389 } 5390 5391 /*************************************************************************** 5392 * These are the state functions for the OTHER events. 5393 ***************************************************************************/ 5394 5395 /* 5396 * When the SCTP stack has no more user data to send or retransmit, this 5397 * notification is given to the user. Also, at the time when a user app 5398 * subscribes to this event, if there is no data to be sent or 5399 * retransmit, the stack will immediately send up this notification. 5400 */ 5401 enum sctp_disposition sctp_sf_do_no_pending_tsn( 5402 struct net *net, 5403 const struct sctp_endpoint *ep, 5404 const struct sctp_association *asoc, 5405 const union sctp_subtype type, 5406 void *arg, 5407 struct sctp_cmd_seq *commands) 5408 { 5409 struct sctp_ulpevent *event; 5410 5411 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5412 if (!event) 5413 return SCTP_DISPOSITION_NOMEM; 5414 5415 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5416 5417 return SCTP_DISPOSITION_CONSUME; 5418 } 5419 5420 /* 5421 * Start the shutdown negotiation. 5422 * 5423 * From Section 9.2: 5424 * Once all its outstanding data has been acknowledged, the endpoint 5425 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5426 * TSN Ack field the last sequential TSN it has received from the peer. 5427 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5428 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5429 * with the updated last sequential TSN received from its peer. 5430 * 5431 * The return value is the disposition. 5432 */ 5433 enum sctp_disposition sctp_sf_do_9_2_start_shutdown( 5434 struct net *net, 5435 const struct sctp_endpoint *ep, 5436 const struct sctp_association *asoc, 5437 const union sctp_subtype type, 5438 void *arg, 5439 struct sctp_cmd_seq *commands) 5440 { 5441 struct sctp_chunk *reply; 5442 5443 /* Once all its outstanding data has been acknowledged, the 5444 * endpoint shall send a SHUTDOWN chunk to its peer including 5445 * in the Cumulative TSN Ack field the last sequential TSN it 5446 * has received from the peer. 5447 */ 5448 reply = sctp_make_shutdown(asoc, NULL); 5449 if (!reply) 5450 goto nomem; 5451 5452 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5453 * T2-shutdown timer. 5454 */ 5455 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5456 5457 /* It shall then start the T2-shutdown timer */ 5458 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5459 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5460 5461 /* RFC 4960 Section 9.2 5462 * The sender of the SHUTDOWN MAY also start an overall guard timer 5463 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5464 */ 5465 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5466 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5467 5468 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5469 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5470 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5471 5472 /* and enter the SHUTDOWN-SENT state. */ 5473 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5474 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5475 5476 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5477 * 5478 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5479 * or SHUTDOWN-ACK. 5480 */ 5481 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5482 5483 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5484 5485 return SCTP_DISPOSITION_CONSUME; 5486 5487 nomem: 5488 return SCTP_DISPOSITION_NOMEM; 5489 } 5490 5491 /* 5492 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5493 * 5494 * From Section 9.2: 5495 * 5496 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5497 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5498 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5499 * endpoint must re-send the SHUTDOWN ACK. 5500 * 5501 * The return value is the disposition. 5502 */ 5503 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack( 5504 struct net *net, 5505 const struct sctp_endpoint *ep, 5506 const struct sctp_association *asoc, 5507 const union sctp_subtype type, 5508 void *arg, 5509 struct sctp_cmd_seq *commands) 5510 { 5511 struct sctp_chunk *chunk = arg; 5512 struct sctp_chunk *reply; 5513 5514 /* There are 2 ways of getting here: 5515 * 1) called in response to a SHUTDOWN chunk 5516 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5517 * 5518 * For the case (2), the arg parameter is set to NULL. We need 5519 * to check that we have a chunk before accessing it's fields. 5520 */ 5521 if (chunk) { 5522 if (!sctp_vtag_verify(chunk, asoc)) 5523 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 5524 commands); 5525 5526 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5527 if (!sctp_chunk_length_valid( 5528 chunk, sizeof(struct sctp_shutdown_chunk))) 5529 return sctp_sf_violation_chunklen(net, ep, asoc, type, 5530 arg, commands); 5531 } 5532 5533 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5534 * shall send a SHUTDOWN ACK ... 5535 */ 5536 reply = sctp_make_shutdown_ack(asoc, chunk); 5537 if (!reply) 5538 goto nomem; 5539 5540 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5541 * the T2-shutdown timer. 5542 */ 5543 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5544 5545 /* and start/restart a T2-shutdown timer of its own, */ 5546 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5547 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5548 5549 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5550 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5551 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5552 5553 /* Enter the SHUTDOWN-ACK-SENT state. */ 5554 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5555 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5556 5557 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5558 * 5559 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5560 * or SHUTDOWN-ACK. 5561 */ 5562 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5563 5564 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5565 5566 return SCTP_DISPOSITION_CONSUME; 5567 5568 nomem: 5569 return SCTP_DISPOSITION_NOMEM; 5570 } 5571 5572 /* 5573 * Ignore the event defined as other 5574 * 5575 * The return value is the disposition of the event. 5576 */ 5577 enum sctp_disposition sctp_sf_ignore_other(struct net *net, 5578 const struct sctp_endpoint *ep, 5579 const struct sctp_association *asoc, 5580 const union sctp_subtype type, 5581 void *arg, 5582 struct sctp_cmd_seq *commands) 5583 { 5584 pr_debug("%s: the event other type:%d is ignored\n", 5585 __func__, type.other); 5586 5587 return SCTP_DISPOSITION_DISCARD; 5588 } 5589 5590 /************************************************************ 5591 * These are the state functions for handling timeout events. 5592 ************************************************************/ 5593 5594 /* 5595 * RTX Timeout 5596 * 5597 * Section: 6.3.3 Handle T3-rtx Expiration 5598 * 5599 * Whenever the retransmission timer T3-rtx expires for a destination 5600 * address, do the following: 5601 * [See below] 5602 * 5603 * The return value is the disposition of the chunk. 5604 */ 5605 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net, 5606 const struct sctp_endpoint *ep, 5607 const struct sctp_association *asoc, 5608 const union sctp_subtype type, 5609 void *arg, 5610 struct sctp_cmd_seq *commands) 5611 { 5612 struct sctp_transport *transport = arg; 5613 5614 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5615 5616 if (asoc->overall_error_count >= asoc->max_retrans) { 5617 if (asoc->peer.zero_window_announced && 5618 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5619 /* 5620 * We are here likely because the receiver had its rwnd 5621 * closed for a while and we have not been able to 5622 * transmit the locally queued data within the maximum 5623 * retransmission attempts limit. Start the T5 5624 * shutdown guard timer to give the receiver one last 5625 * chance and some additional time to recover before 5626 * aborting. 5627 */ 5628 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5629 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5630 } else { 5631 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5632 SCTP_ERROR(ETIMEDOUT)); 5633 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5634 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5635 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5636 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5637 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5638 return SCTP_DISPOSITION_DELETE_TCB; 5639 } 5640 } 5641 5642 /* E1) For the destination address for which the timer 5643 * expires, adjust its ssthresh with rules defined in Section 5644 * 7.2.3 and set the cwnd <- MTU. 5645 */ 5646 5647 /* E2) For the destination address for which the timer 5648 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5649 * maximum value discussed in rule C7 above (RTO.max) may be 5650 * used to provide an upper bound to this doubling operation. 5651 */ 5652 5653 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5654 * outstanding DATA chunks for the address for which the 5655 * T3-rtx has expired will fit into a single packet, subject 5656 * to the MTU constraint for the path corresponding to the 5657 * destination transport address to which the retransmission 5658 * is being sent (this may be different from the address for 5659 * which the timer expires [see Section 6.4]). Call this 5660 * value K. Bundle and retransmit those K DATA chunks in a 5661 * single packet to the destination endpoint. 5662 * 5663 * Note: Any DATA chunks that were sent to the address for 5664 * which the T3-rtx timer expired but did not fit in one MTU 5665 * (rule E3 above), should be marked for retransmission and 5666 * sent as soon as cwnd allows (normally when a SACK arrives). 5667 */ 5668 5669 /* Do some failure management (Section 8.2). */ 5670 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5671 5672 /* NB: Rules E4 and F1 are implicit in R1. */ 5673 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5674 5675 return SCTP_DISPOSITION_CONSUME; 5676 } 5677 5678 /* 5679 * Generate delayed SACK on timeout 5680 * 5681 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5682 * 5683 * The guidelines on delayed acknowledgement algorithm specified in 5684 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5685 * acknowledgement SHOULD be generated for at least every second packet 5686 * (not every second DATA chunk) received, and SHOULD be generated 5687 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5688 * some situations it may be beneficial for an SCTP transmitter to be 5689 * more conservative than the algorithms detailed in this document 5690 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5691 * the following algorithms allow. 5692 */ 5693 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net, 5694 const struct sctp_endpoint *ep, 5695 const struct sctp_association *asoc, 5696 const union sctp_subtype type, 5697 void *arg, 5698 struct sctp_cmd_seq *commands) 5699 { 5700 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5701 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5702 return SCTP_DISPOSITION_CONSUME; 5703 } 5704 5705 /* 5706 * sctp_sf_t1_init_timer_expire 5707 * 5708 * Section: 4 Note: 2 5709 * Verification Tag: 5710 * Inputs 5711 * (endpoint, asoc) 5712 * 5713 * RFC 2960 Section 4 Notes 5714 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5715 * and re-start the T1-init timer without changing state. This MUST 5716 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5717 * endpoint MUST abort the initialization process and report the 5718 * error to SCTP user. 5719 * 5720 * Outputs 5721 * (timers, events) 5722 * 5723 */ 5724 enum sctp_disposition sctp_sf_t1_init_timer_expire( 5725 struct net *net, 5726 const struct sctp_endpoint *ep, 5727 const struct sctp_association *asoc, 5728 const union sctp_subtype type, 5729 void *arg, 5730 struct sctp_cmd_seq *commands) 5731 { 5732 int attempts = asoc->init_err_counter + 1; 5733 struct sctp_chunk *repl = NULL; 5734 struct sctp_bind_addr *bp; 5735 5736 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5737 5738 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5739 5740 if (attempts <= asoc->max_init_attempts) { 5741 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5742 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5743 if (!repl) 5744 return SCTP_DISPOSITION_NOMEM; 5745 5746 /* Choose transport for INIT. */ 5747 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5748 SCTP_CHUNK(repl)); 5749 5750 /* Issue a sideeffect to do the needed accounting. */ 5751 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5752 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5753 5754 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5755 } else { 5756 pr_debug("%s: giving up on INIT, attempts:%d " 5757 "max_init_attempts:%d\n", __func__, attempts, 5758 asoc->max_init_attempts); 5759 5760 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5761 SCTP_ERROR(ETIMEDOUT)); 5762 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5763 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5764 return SCTP_DISPOSITION_DELETE_TCB; 5765 } 5766 5767 return SCTP_DISPOSITION_CONSUME; 5768 } 5769 5770 /* 5771 * sctp_sf_t1_cookie_timer_expire 5772 * 5773 * Section: 4 Note: 2 5774 * Verification Tag: 5775 * Inputs 5776 * (endpoint, asoc) 5777 * 5778 * RFC 2960 Section 4 Notes 5779 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5780 * COOKIE ECHO and re-start the T1-cookie timer without changing 5781 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5782 * After that, the endpoint MUST abort the initialization process and 5783 * report the error to SCTP user. 5784 * 5785 * Outputs 5786 * (timers, events) 5787 * 5788 */ 5789 enum sctp_disposition sctp_sf_t1_cookie_timer_expire( 5790 struct net *net, 5791 const struct sctp_endpoint *ep, 5792 const struct sctp_association *asoc, 5793 const union sctp_subtype type, 5794 void *arg, 5795 struct sctp_cmd_seq *commands) 5796 { 5797 int attempts = asoc->init_err_counter + 1; 5798 struct sctp_chunk *repl = NULL; 5799 5800 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5801 5802 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5803 5804 if (attempts <= asoc->max_init_attempts) { 5805 repl = sctp_make_cookie_echo(asoc, NULL); 5806 if (!repl) 5807 return SCTP_DISPOSITION_NOMEM; 5808 5809 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5810 SCTP_CHUNK(repl)); 5811 /* Issue a sideeffect to do the needed accounting. */ 5812 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5813 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5814 5815 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5816 } else { 5817 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5818 SCTP_ERROR(ETIMEDOUT)); 5819 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5820 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5821 return SCTP_DISPOSITION_DELETE_TCB; 5822 } 5823 5824 return SCTP_DISPOSITION_CONSUME; 5825 } 5826 5827 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5828 * with the updated last sequential TSN received from its peer. 5829 * 5830 * An endpoint should limit the number of retransmissions of the 5831 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5832 * If this threshold is exceeded the endpoint should destroy the TCB and 5833 * MUST report the peer endpoint unreachable to the upper layer (and 5834 * thus the association enters the CLOSED state). The reception of any 5835 * packet from its peer (i.e. as the peer sends all of its queued DATA 5836 * chunks) should clear the endpoint's retransmission count and restart 5837 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5838 * all of its queued DATA chunks that have not yet been sent. 5839 */ 5840 enum sctp_disposition sctp_sf_t2_timer_expire( 5841 struct net *net, 5842 const struct sctp_endpoint *ep, 5843 const struct sctp_association *asoc, 5844 const union sctp_subtype type, 5845 void *arg, 5846 struct sctp_cmd_seq *commands) 5847 { 5848 struct sctp_chunk *reply = NULL; 5849 5850 pr_debug("%s: timer T2 expired\n", __func__); 5851 5852 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5853 5854 ((struct sctp_association *)asoc)->shutdown_retries++; 5855 5856 if (asoc->overall_error_count >= asoc->max_retrans) { 5857 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5858 SCTP_ERROR(ETIMEDOUT)); 5859 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5860 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5861 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5862 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5863 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5864 return SCTP_DISPOSITION_DELETE_TCB; 5865 } 5866 5867 switch (asoc->state) { 5868 case SCTP_STATE_SHUTDOWN_SENT: 5869 reply = sctp_make_shutdown(asoc, NULL); 5870 break; 5871 5872 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5873 reply = sctp_make_shutdown_ack(asoc, NULL); 5874 break; 5875 5876 default: 5877 BUG(); 5878 break; 5879 } 5880 5881 if (!reply) 5882 goto nomem; 5883 5884 /* Do some failure management (Section 8.2). 5885 * If we remove the transport an SHUTDOWN was last sent to, don't 5886 * do failure management. 5887 */ 5888 if (asoc->shutdown_last_sent_to) 5889 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5890 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5891 5892 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5893 * the T2-shutdown timer. 5894 */ 5895 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5896 5897 /* Restart the T2-shutdown timer. */ 5898 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5899 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5900 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5901 return SCTP_DISPOSITION_CONSUME; 5902 5903 nomem: 5904 return SCTP_DISPOSITION_NOMEM; 5905 } 5906 5907 /* 5908 * ADDIP Section 4.1 ASCONF CHunk Procedures 5909 * If the T4 RTO timer expires the endpoint should do B1 to B5 5910 */ 5911 enum sctp_disposition sctp_sf_t4_timer_expire( 5912 struct net *net, 5913 const struct sctp_endpoint *ep, 5914 const struct sctp_association *asoc, 5915 const union sctp_subtype type, 5916 void *arg, 5917 struct sctp_cmd_seq *commands) 5918 { 5919 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5920 struct sctp_transport *transport = chunk->transport; 5921 5922 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 5923 5924 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5925 * detection on the appropriate destination address as defined in 5926 * RFC2960 [5] section 8.1 and 8.2. 5927 */ 5928 if (transport) 5929 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5930 SCTP_TRANSPORT(transport)); 5931 5932 /* Reconfig T4 timer and transport. */ 5933 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5934 5935 /* ADDIP 4.1 B2) Increment the association error counters and perform 5936 * endpoint failure detection on the association as defined in 5937 * RFC2960 [5] section 8.1 and 8.2. 5938 * association error counter is incremented in SCTP_CMD_STRIKE. 5939 */ 5940 if (asoc->overall_error_count >= asoc->max_retrans) { 5941 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5942 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5943 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5944 SCTP_ERROR(ETIMEDOUT)); 5945 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5946 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5947 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5948 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5949 return SCTP_DISPOSITION_ABORT; 5950 } 5951 5952 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5953 * the ASCONF chunk was sent by doubling the RTO timer value. 5954 * This is done in SCTP_CMD_STRIKE. 5955 */ 5956 5957 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5958 * choose an alternate destination address (please refer to RFC2960 5959 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5960 * chunk, it MUST be the same (including its serial number) as the last 5961 * ASCONF sent. 5962 */ 5963 sctp_chunk_hold(asoc->addip_last_asconf); 5964 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5965 SCTP_CHUNK(asoc->addip_last_asconf)); 5966 5967 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5968 * destination is selected, then the RTO used will be that of the new 5969 * destination address. 5970 */ 5971 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5972 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5973 5974 return SCTP_DISPOSITION_CONSUME; 5975 } 5976 5977 /* sctpimpguide-05 Section 2.12.2 5978 * The sender of the SHUTDOWN MAY also start an overall guard timer 5979 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5980 * At the expiration of this timer the sender SHOULD abort the association 5981 * by sending an ABORT chunk. 5982 */ 5983 enum sctp_disposition sctp_sf_t5_timer_expire( 5984 struct net *net, 5985 const struct sctp_endpoint *ep, 5986 const struct sctp_association *asoc, 5987 const union sctp_subtype type, 5988 void *arg, 5989 struct sctp_cmd_seq *commands) 5990 { 5991 struct sctp_chunk *reply = NULL; 5992 5993 pr_debug("%s: timer T5 expired\n", __func__); 5994 5995 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5996 5997 reply = sctp_make_abort(asoc, NULL, 0); 5998 if (!reply) 5999 goto nomem; 6000 6001 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6002 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6003 SCTP_ERROR(ETIMEDOUT)); 6004 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6005 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6006 6007 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6008 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6009 6010 return SCTP_DISPOSITION_DELETE_TCB; 6011 nomem: 6012 return SCTP_DISPOSITION_NOMEM; 6013 } 6014 6015 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 6016 * the association is automatically closed by starting the shutdown process. 6017 * The work that needs to be done is same as when SHUTDOWN is initiated by 6018 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 6019 */ 6020 enum sctp_disposition sctp_sf_autoclose_timer_expire( 6021 struct net *net, 6022 const struct sctp_endpoint *ep, 6023 const struct sctp_association *asoc, 6024 const union sctp_subtype type, 6025 void *arg, 6026 struct sctp_cmd_seq *commands) 6027 { 6028 enum sctp_disposition disposition; 6029 6030 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 6031 6032 /* From 9.2 Shutdown of an Association 6033 * Upon receipt of the SHUTDOWN primitive from its upper 6034 * layer, the endpoint enters SHUTDOWN-PENDING state and 6035 * remains there until all outstanding data has been 6036 * acknowledged by its peer. The endpoint accepts no new data 6037 * from its upper layer, but retransmits data to the far end 6038 * if necessary to fill gaps. 6039 */ 6040 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 6041 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 6042 6043 disposition = SCTP_DISPOSITION_CONSUME; 6044 if (sctp_outq_is_empty(&asoc->outqueue)) { 6045 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 6046 arg, commands); 6047 } 6048 6049 return disposition; 6050 } 6051 6052 /***************************************************************************** 6053 * These are sa state functions which could apply to all types of events. 6054 ****************************************************************************/ 6055 6056 /* 6057 * This table entry is not implemented. 6058 * 6059 * Inputs 6060 * (endpoint, asoc, chunk) 6061 * 6062 * The return value is the disposition of the chunk. 6063 */ 6064 enum sctp_disposition sctp_sf_not_impl(struct net *net, 6065 const struct sctp_endpoint *ep, 6066 const struct sctp_association *asoc, 6067 const union sctp_subtype type, 6068 void *arg, struct sctp_cmd_seq *commands) 6069 { 6070 return SCTP_DISPOSITION_NOT_IMPL; 6071 } 6072 6073 /* 6074 * This table entry represents a bug. 6075 * 6076 * Inputs 6077 * (endpoint, asoc, chunk) 6078 * 6079 * The return value is the disposition of the chunk. 6080 */ 6081 enum sctp_disposition sctp_sf_bug(struct net *net, 6082 const struct sctp_endpoint *ep, 6083 const struct sctp_association *asoc, 6084 const union sctp_subtype type, 6085 void *arg, struct sctp_cmd_seq *commands) 6086 { 6087 return SCTP_DISPOSITION_BUG; 6088 } 6089 6090 /* 6091 * This table entry represents the firing of a timer in the wrong state. 6092 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 6093 * when the association is in the wrong state. This event should 6094 * be ignored, so as to prevent any rearming of the timer. 6095 * 6096 * Inputs 6097 * (endpoint, asoc, chunk) 6098 * 6099 * The return value is the disposition of the chunk. 6100 */ 6101 enum sctp_disposition sctp_sf_timer_ignore(struct net *net, 6102 const struct sctp_endpoint *ep, 6103 const struct sctp_association *asoc, 6104 const union sctp_subtype type, 6105 void *arg, 6106 struct sctp_cmd_seq *commands) 6107 { 6108 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 6109 6110 return SCTP_DISPOSITION_CONSUME; 6111 } 6112 6113 /******************************************************************** 6114 * 2nd Level Abstractions 6115 ********************************************************************/ 6116 6117 /* Pull the SACK chunk based on the SACK header. */ 6118 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 6119 { 6120 struct sctp_sackhdr *sack; 6121 __u16 num_dup_tsns; 6122 unsigned int len; 6123 __u16 num_blocks; 6124 6125 /* Protect ourselves from reading too far into 6126 * the skb from a bogus sender. 6127 */ 6128 sack = (struct sctp_sackhdr *) chunk->skb->data; 6129 6130 num_blocks = ntohs(sack->num_gap_ack_blocks); 6131 num_dup_tsns = ntohs(sack->num_dup_tsns); 6132 len = sizeof(struct sctp_sackhdr); 6133 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 6134 if (len > chunk->skb->len) 6135 return NULL; 6136 6137 skb_pull(chunk->skb, len); 6138 6139 return sack; 6140 } 6141 6142 /* Create an ABORT packet to be sent as a response, with the specified 6143 * error causes. 6144 */ 6145 static struct sctp_packet *sctp_abort_pkt_new( 6146 struct net *net, 6147 const struct sctp_endpoint *ep, 6148 const struct sctp_association *asoc, 6149 struct sctp_chunk *chunk, 6150 const void *payload, size_t paylen) 6151 { 6152 struct sctp_packet *packet; 6153 struct sctp_chunk *abort; 6154 6155 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6156 6157 if (packet) { 6158 /* Make an ABORT. 6159 * The T bit will be set if the asoc is NULL. 6160 */ 6161 abort = sctp_make_abort(asoc, chunk, paylen); 6162 if (!abort) { 6163 sctp_ootb_pkt_free(packet); 6164 return NULL; 6165 } 6166 6167 /* Reflect vtag if T-Bit is set */ 6168 if (sctp_test_T_bit(abort)) 6169 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 6170 6171 /* Add specified error causes, i.e., payload, to the 6172 * end of the chunk. 6173 */ 6174 sctp_addto_chunk(abort, paylen, payload); 6175 6176 /* Set the skb to the belonging sock for accounting. */ 6177 abort->skb->sk = ep->base.sk; 6178 6179 sctp_packet_append_chunk(packet, abort); 6180 6181 } 6182 6183 return packet; 6184 } 6185 6186 /* Allocate a packet for responding in the OOTB conditions. */ 6187 static struct sctp_packet *sctp_ootb_pkt_new( 6188 struct net *net, 6189 const struct sctp_association *asoc, 6190 const struct sctp_chunk *chunk) 6191 { 6192 struct sctp_transport *transport; 6193 struct sctp_packet *packet; 6194 __u16 sport, dport; 6195 __u32 vtag; 6196 6197 /* Get the source and destination port from the inbound packet. */ 6198 sport = ntohs(chunk->sctp_hdr->dest); 6199 dport = ntohs(chunk->sctp_hdr->source); 6200 6201 /* The V-tag is going to be the same as the inbound packet if no 6202 * association exists, otherwise, use the peer's vtag. 6203 */ 6204 if (asoc) { 6205 /* Special case the INIT-ACK as there is no peer's vtag 6206 * yet. 6207 */ 6208 switch (chunk->chunk_hdr->type) { 6209 case SCTP_CID_INIT_ACK: 6210 { 6211 struct sctp_initack_chunk *initack; 6212 6213 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 6214 vtag = ntohl(initack->init_hdr.init_tag); 6215 break; 6216 } 6217 default: 6218 vtag = asoc->peer.i.init_tag; 6219 break; 6220 } 6221 } else { 6222 /* Special case the INIT and stale COOKIE_ECHO as there is no 6223 * vtag yet. 6224 */ 6225 switch (chunk->chunk_hdr->type) { 6226 case SCTP_CID_INIT: 6227 { 6228 struct sctp_init_chunk *init; 6229 6230 init = (struct sctp_init_chunk *)chunk->chunk_hdr; 6231 vtag = ntohl(init->init_hdr.init_tag); 6232 break; 6233 } 6234 default: 6235 vtag = ntohl(chunk->sctp_hdr->vtag); 6236 break; 6237 } 6238 } 6239 6240 /* Make a transport for the bucket, Eliza... */ 6241 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6242 if (!transport) 6243 goto nomem; 6244 6245 /* Cache a route for the transport with the chunk's destination as 6246 * the source address. 6247 */ 6248 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6249 sctp_sk(net->sctp.ctl_sock)); 6250 6251 packet = &transport->packet; 6252 sctp_packet_init(packet, transport, sport, dport); 6253 sctp_packet_config(packet, vtag, 0); 6254 6255 return packet; 6256 6257 nomem: 6258 return NULL; 6259 } 6260 6261 /* Free the packet allocated earlier for responding in the OOTB condition. */ 6262 void sctp_ootb_pkt_free(struct sctp_packet *packet) 6263 { 6264 sctp_transport_free(packet->transport); 6265 } 6266 6267 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6268 static void sctp_send_stale_cookie_err(struct net *net, 6269 const struct sctp_endpoint *ep, 6270 const struct sctp_association *asoc, 6271 const struct sctp_chunk *chunk, 6272 struct sctp_cmd_seq *commands, 6273 struct sctp_chunk *err_chunk) 6274 { 6275 struct sctp_packet *packet; 6276 6277 if (err_chunk) { 6278 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6279 if (packet) { 6280 struct sctp_signed_cookie *cookie; 6281 6282 /* Override the OOTB vtag from the cookie. */ 6283 cookie = chunk->subh.cookie_hdr; 6284 packet->vtag = cookie->c.peer_vtag; 6285 6286 /* Set the skb to the belonging sock for accounting. */ 6287 err_chunk->skb->sk = ep->base.sk; 6288 sctp_packet_append_chunk(packet, err_chunk); 6289 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6290 SCTP_PACKET(packet)); 6291 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6292 } else 6293 sctp_chunk_free (err_chunk); 6294 } 6295 } 6296 6297 6298 /* Process a data chunk */ 6299 static int sctp_eat_data(const struct sctp_association *asoc, 6300 struct sctp_chunk *chunk, 6301 struct sctp_cmd_seq *commands) 6302 { 6303 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6304 struct sock *sk = asoc->base.sk; 6305 struct net *net = sock_net(sk); 6306 struct sctp_datahdr *data_hdr; 6307 struct sctp_chunk *err; 6308 enum sctp_verb deliver; 6309 size_t datalen; 6310 __u32 tsn; 6311 int tmp; 6312 6313 data_hdr = (struct sctp_datahdr *)chunk->skb->data; 6314 chunk->subh.data_hdr = data_hdr; 6315 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream)); 6316 6317 tsn = ntohl(data_hdr->tsn); 6318 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6319 6320 /* ASSERT: Now skb->data is really the user data. */ 6321 6322 /* Process ECN based congestion. 6323 * 6324 * Since the chunk structure is reused for all chunks within 6325 * a packet, we use ecn_ce_done to track if we've already 6326 * done CE processing for this packet. 6327 * 6328 * We need to do ECN processing even if we plan to discard the 6329 * chunk later. 6330 */ 6331 6332 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) { 6333 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af; 6334 chunk->ecn_ce_done = 1; 6335 6336 if (af->is_ce(sctp_gso_headskb(chunk->skb))) { 6337 /* Do real work as sideffect. */ 6338 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6339 SCTP_U32(tsn)); 6340 } 6341 } 6342 6343 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6344 if (tmp < 0) { 6345 /* The TSN is too high--silently discard the chunk and 6346 * count on it getting retransmitted later. 6347 */ 6348 if (chunk->asoc) 6349 chunk->asoc->stats.outofseqtsns++; 6350 return SCTP_IERROR_HIGH_TSN; 6351 } else if (tmp > 0) { 6352 /* This is a duplicate. Record it. */ 6353 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6354 return SCTP_IERROR_DUP_TSN; 6355 } 6356 6357 /* This is a new TSN. */ 6358 6359 /* Discard if there is no room in the receive window. 6360 * Actually, allow a little bit of overflow (up to a MTU). 6361 */ 6362 datalen = ntohs(chunk->chunk_hdr->length); 6363 datalen -= sctp_datachk_len(&asoc->stream); 6364 6365 deliver = SCTP_CMD_CHUNK_ULP; 6366 6367 /* Think about partial delivery. */ 6368 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6369 6370 /* Even if we don't accept this chunk there is 6371 * memory pressure. 6372 */ 6373 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6374 } 6375 6376 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6377 * seems a bit troublesome in that frag_point varies based on 6378 * PMTU. In cases, such as loopback, this might be a rather 6379 * large spill over. 6380 */ 6381 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6382 (datalen > asoc->rwnd + asoc->frag_point))) { 6383 6384 /* If this is the next TSN, consider reneging to make 6385 * room. Note: Playing nice with a confused sender. A 6386 * malicious sender can still eat up all our buffer 6387 * space and in the future we may want to detect and 6388 * do more drastic reneging. 6389 */ 6390 if (sctp_tsnmap_has_gap(map) && 6391 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6392 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6393 deliver = SCTP_CMD_RENEGE; 6394 } else { 6395 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6396 __func__, tsn, datalen, asoc->rwnd); 6397 6398 return SCTP_IERROR_IGNORE_TSN; 6399 } 6400 } 6401 6402 /* 6403 * Also try to renege to limit our memory usage in the event that 6404 * we are under memory pressure 6405 * If we can't renege, don't worry about it, the sk_rmem_schedule 6406 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6407 * memory usage too much 6408 */ 6409 if (*sk->sk_prot_creator->memory_pressure) { 6410 if (sctp_tsnmap_has_gap(map) && 6411 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6412 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6413 __func__, tsn); 6414 deliver = SCTP_CMD_RENEGE; 6415 } 6416 } 6417 6418 /* 6419 * Section 3.3.10.9 No User Data (9) 6420 * 6421 * Cause of error 6422 * --------------- 6423 * No User Data: This error cause is returned to the originator of a 6424 * DATA chunk if a received DATA chunk has no user data. 6425 */ 6426 if (unlikely(0 == datalen)) { 6427 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6428 if (err) { 6429 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6430 SCTP_CHUNK(err)); 6431 } 6432 /* We are going to ABORT, so we might as well stop 6433 * processing the rest of the chunks in the packet. 6434 */ 6435 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6436 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6437 SCTP_ERROR(ECONNABORTED)); 6438 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6439 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6440 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6441 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6442 return SCTP_IERROR_NO_DATA; 6443 } 6444 6445 chunk->data_accepted = 1; 6446 6447 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6448 * if we renege and the chunk arrives again. 6449 */ 6450 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6451 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6452 if (chunk->asoc) 6453 chunk->asoc->stats.iuodchunks++; 6454 } else { 6455 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6456 if (chunk->asoc) 6457 chunk->asoc->stats.iodchunks++; 6458 } 6459 6460 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6461 * 6462 * If an endpoint receive a DATA chunk with an invalid stream 6463 * identifier, it shall acknowledge the reception of the DATA chunk 6464 * following the normal procedure, immediately send an ERROR chunk 6465 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6466 * and discard the DATA chunk. 6467 */ 6468 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) { 6469 /* Mark tsn as received even though we drop it */ 6470 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6471 6472 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6473 &data_hdr->stream, 6474 sizeof(data_hdr->stream), 6475 sizeof(u16)); 6476 if (err) 6477 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6478 SCTP_CHUNK(err)); 6479 return SCTP_IERROR_BAD_STREAM; 6480 } 6481 6482 /* Check to see if the SSN is possible for this TSN. 6483 * The biggest gap we can record is 4K wide. Since SSNs wrap 6484 * at an unsigned short, there is no way that an SSN can 6485 * wrap and for a valid TSN. We can simply check if the current 6486 * SSN is smaller then the next expected one. If it is, it wrapped 6487 * and is invalid. 6488 */ 6489 if (!asoc->stream.si->validate_data(chunk)) 6490 return SCTP_IERROR_PROTO_VIOLATION; 6491 6492 /* Send the data up to the user. Note: Schedule the 6493 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6494 * chunk needs the updated rwnd. 6495 */ 6496 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6497 6498 return SCTP_IERROR_NO_ERROR; 6499 } 6500