1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, write to 26 * the Free Software Foundation, 59 Temple Place - Suite 330, 27 * Boston, MA 02111-1307, USA. 28 * 29 * Please send any bug reports or fixes you make to the 30 * email address(es): 31 * lksctp developers <lksctp-developers@lists.sourceforge.net> 32 * 33 * Or submit a bug report through the following website: 34 * http://www.sf.net/projects/lksctp 35 * 36 * Written or modified by: 37 * La Monte H.P. Yarroll <piggy@acm.org> 38 * Karl Knutson <karl@athena.chicago.il.us> 39 * Mathew Kotowsky <kotowsky@sctp.org> 40 * Sridhar Samudrala <samudrala@us.ibm.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Dajiang Zhang <dajiang.zhang@nokia.com> 44 * Daisy Chang <daisyc@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * Ryan Layer <rmlayer@us.ibm.com> 47 * Kevin Gao <kevin.gao@intel.com> 48 * 49 * Any bugs reported given to us we will try to fix... any fixes shared will 50 * be incorporated into the next SCTP release. 51 */ 52 53 #include <linux/types.h> 54 #include <linux/kernel.h> 55 #include <linux/ip.h> 56 #include <linux/ipv6.h> 57 #include <linux/net.h> 58 #include <linux/inet.h> 59 #include <net/sock.h> 60 #include <net/inet_ecn.h> 61 #include <linux/skbuff.h> 62 #include <net/sctp/sctp.h> 63 #include <net/sctp/sm.h> 64 #include <net/sctp/structs.h> 65 66 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 67 const struct sctp_association *asoc, 68 struct sctp_chunk *chunk, 69 const void *payload, 70 size_t paylen); 71 static int sctp_eat_data(const struct sctp_association *asoc, 72 struct sctp_chunk *chunk, 73 sctp_cmd_seq_t *commands); 74 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 75 const struct sctp_chunk *chunk); 76 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 77 const struct sctp_association *asoc, 78 const struct sctp_chunk *chunk, 79 sctp_cmd_seq_t *commands, 80 struct sctp_chunk *err_chunk); 81 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 82 const struct sctp_association *asoc, 83 const sctp_subtype_t type, 84 void *arg, 85 sctp_cmd_seq_t *commands); 86 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 87 const struct sctp_association *asoc, 88 const sctp_subtype_t type, 89 void *arg, 90 sctp_cmd_seq_t *commands); 91 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 92 const struct sctp_association *asoc, 93 const sctp_subtype_t type, 94 void *arg, 95 sctp_cmd_seq_t *commands); 96 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 97 98 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 99 __be16 error, int sk_err, 100 const struct sctp_association *asoc, 101 struct sctp_transport *transport); 102 103 static sctp_disposition_t sctp_sf_abort_violation( 104 const struct sctp_endpoint *ep, 105 const struct sctp_association *asoc, 106 void *arg, 107 sctp_cmd_seq_t *commands, 108 const __u8 *payload, 109 const size_t paylen); 110 111 static sctp_disposition_t sctp_sf_violation_chunklen( 112 const struct sctp_endpoint *ep, 113 const struct sctp_association *asoc, 114 const sctp_subtype_t type, 115 void *arg, 116 sctp_cmd_seq_t *commands); 117 118 static sctp_disposition_t sctp_sf_violation_paramlen( 119 const struct sctp_endpoint *ep, 120 const struct sctp_association *asoc, 121 const sctp_subtype_t type, 122 void *arg, 123 sctp_cmd_seq_t *commands); 124 125 static sctp_disposition_t sctp_sf_violation_ctsn( 126 const struct sctp_endpoint *ep, 127 const struct sctp_association *asoc, 128 const sctp_subtype_t type, 129 void *arg, 130 sctp_cmd_seq_t *commands); 131 132 static sctp_disposition_t sctp_sf_violation_chunk( 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const sctp_subtype_t type, 136 void *arg, 137 sctp_cmd_seq_t *commands); 138 139 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 140 const struct sctp_association *asoc, 141 const sctp_subtype_t type, 142 struct sctp_chunk *chunk); 143 144 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 145 const struct sctp_association *asoc, 146 const sctp_subtype_t type, 147 void *arg, 148 sctp_cmd_seq_t *commands); 149 150 /* Small helper function that checks if the chunk length 151 * is of the appropriate length. The 'required_length' argument 152 * is set to be the size of a specific chunk we are testing. 153 * Return Values: 1 = Valid length 154 * 0 = Invalid length 155 * 156 */ 157 static inline int 158 sctp_chunk_length_valid(struct sctp_chunk *chunk, 159 __u16 required_length) 160 { 161 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 162 163 if (unlikely(chunk_length < required_length)) 164 return 0; 165 166 return 1; 167 } 168 169 /********************************************************** 170 * These are the state functions for handling chunk events. 171 **********************************************************/ 172 173 /* 174 * Process the final SHUTDOWN COMPLETE. 175 * 176 * Section: 4 (C) (diagram), 9.2 177 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 178 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 179 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 180 * should stop the T2-shutdown timer and remove all knowledge of the 181 * association (and thus the association enters the CLOSED state). 182 * 183 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 184 * C) Rules for packet carrying SHUTDOWN COMPLETE: 185 * ... 186 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 187 * if the Verification Tag field of the packet matches its own tag and 188 * the T bit is not set 189 * OR 190 * it is set to its peer's tag and the T bit is set in the Chunk 191 * Flags. 192 * Otherwise, the receiver MUST silently discard the packet 193 * and take no further action. An endpoint MUST ignore the 194 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 195 * 196 * Inputs 197 * (endpoint, asoc, chunk) 198 * 199 * Outputs 200 * (asoc, reply_msg, msg_up, timers, counters) 201 * 202 * The return value is the disposition of the chunk. 203 */ 204 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 205 const struct sctp_association *asoc, 206 const sctp_subtype_t type, 207 void *arg, 208 sctp_cmd_seq_t *commands) 209 { 210 struct sctp_chunk *chunk = arg; 211 struct sctp_ulpevent *ev; 212 213 if (!sctp_vtag_verify_either(chunk, asoc)) 214 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 215 216 /* RFC 2960 6.10 Bundling 217 * 218 * An endpoint MUST NOT bundle INIT, INIT ACK or 219 * SHUTDOWN COMPLETE with any other chunks. 220 */ 221 if (!chunk->singleton) 222 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 223 224 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 225 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 226 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 227 commands); 228 229 /* RFC 2960 10.2 SCTP-to-ULP 230 * 231 * H) SHUTDOWN COMPLETE notification 232 * 233 * When SCTP completes the shutdown procedures (section 9.2) this 234 * notification is passed to the upper layer. 235 */ 236 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 237 0, 0, 0, NULL, GFP_ATOMIC); 238 if (ev) 239 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 240 SCTP_ULPEVENT(ev)); 241 242 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 243 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 244 * not the chunk should be discarded. If the endpoint is in 245 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 246 * T2-shutdown timer and remove all knowledge of the 247 * association (and thus the association enters the CLOSED 248 * state). 249 */ 250 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 251 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 252 253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 254 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 255 256 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 257 SCTP_STATE(SCTP_STATE_CLOSED)); 258 259 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 260 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 261 262 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 263 264 return SCTP_DISPOSITION_DELETE_TCB; 265 } 266 267 /* 268 * Respond to a normal INIT chunk. 269 * We are the side that is being asked for an association. 270 * 271 * Section: 5.1 Normal Establishment of an Association, B 272 * B) "Z" shall respond immediately with an INIT ACK chunk. The 273 * destination IP address of the INIT ACK MUST be set to the source 274 * IP address of the INIT to which this INIT ACK is responding. In 275 * the response, besides filling in other parameters, "Z" must set the 276 * Verification Tag field to Tag_A, and also provide its own 277 * Verification Tag (Tag_Z) in the Initiate Tag field. 278 * 279 * Verification Tag: Must be 0. 280 * 281 * Inputs 282 * (endpoint, asoc, chunk) 283 * 284 * Outputs 285 * (asoc, reply_msg, msg_up, timers, counters) 286 * 287 * The return value is the disposition of the chunk. 288 */ 289 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 290 const struct sctp_association *asoc, 291 const sctp_subtype_t type, 292 void *arg, 293 sctp_cmd_seq_t *commands) 294 { 295 struct sctp_chunk *chunk = arg; 296 struct sctp_chunk *repl; 297 struct sctp_association *new_asoc; 298 struct sctp_chunk *err_chunk; 299 struct sctp_packet *packet; 300 sctp_unrecognized_param_t *unk_param; 301 int len; 302 303 /* 6.10 Bundling 304 * An endpoint MUST NOT bundle INIT, INIT ACK or 305 * SHUTDOWN COMPLETE with any other chunks. 306 * 307 * IG Section 2.11.2 308 * Furthermore, we require that the receiver of an INIT chunk MUST 309 * enforce these rules by silently discarding an arriving packet 310 * with an INIT chunk that is bundled with other chunks. 311 */ 312 if (!chunk->singleton) 313 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 314 315 /* If the packet is an OOTB packet which is temporarily on the 316 * control endpoint, respond with an ABORT. 317 */ 318 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 319 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 320 321 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 322 * Tag. 323 */ 324 if (chunk->sctp_hdr->vtag != 0) 325 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 326 327 /* Make sure that the INIT chunk has a valid length. 328 * Normally, this would cause an ABORT with a Protocol Violation 329 * error, but since we don't have an association, we'll 330 * just discard the packet. 331 */ 332 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 333 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 334 335 /* Verify the INIT chunk before processing it. */ 336 err_chunk = NULL; 337 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 338 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 339 &err_chunk)) { 340 /* This chunk contains fatal error. It is to be discarded. 341 * Send an ABORT, with causes if there is any. 342 */ 343 if (err_chunk) { 344 packet = sctp_abort_pkt_new(ep, asoc, arg, 345 (__u8 *)(err_chunk->chunk_hdr) + 346 sizeof(sctp_chunkhdr_t), 347 ntohs(err_chunk->chunk_hdr->length) - 348 sizeof(sctp_chunkhdr_t)); 349 350 sctp_chunk_free(err_chunk); 351 352 if (packet) { 353 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 354 SCTP_PACKET(packet)); 355 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 356 return SCTP_DISPOSITION_CONSUME; 357 } else { 358 return SCTP_DISPOSITION_NOMEM; 359 } 360 } else { 361 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 362 commands); 363 } 364 } 365 366 /* Grab the INIT header. */ 367 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 368 369 /* Tag the variable length parameters. */ 370 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 371 372 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 373 if (!new_asoc) 374 goto nomem; 375 376 /* The call, sctp_process_init(), can fail on memory allocation. */ 377 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 378 sctp_source(chunk), 379 (sctp_init_chunk_t *)chunk->chunk_hdr, 380 GFP_ATOMIC)) 381 goto nomem_init; 382 383 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 384 385 /* If there are errors need to be reported for unknown parameters, 386 * make sure to reserve enough room in the INIT ACK for them. 387 */ 388 len = 0; 389 if (err_chunk) 390 len = ntohs(err_chunk->chunk_hdr->length) - 391 sizeof(sctp_chunkhdr_t); 392 393 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 394 goto nomem_init; 395 396 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 397 if (!repl) 398 goto nomem_init; 399 400 /* If there are errors need to be reported for unknown parameters, 401 * include them in the outgoing INIT ACK as "Unrecognized parameter" 402 * parameter. 403 */ 404 if (err_chunk) { 405 /* Get the "Unrecognized parameter" parameter(s) out of the 406 * ERROR chunk generated by sctp_verify_init(). Since the 407 * error cause code for "unknown parameter" and the 408 * "Unrecognized parameter" type is the same, we can 409 * construct the parameters in INIT ACK by copying the 410 * ERROR causes over. 411 */ 412 unk_param = (sctp_unrecognized_param_t *) 413 ((__u8 *)(err_chunk->chunk_hdr) + 414 sizeof(sctp_chunkhdr_t)); 415 /* Replace the cause code with the "Unrecognized parameter" 416 * parameter type. 417 */ 418 sctp_addto_chunk(repl, len, unk_param); 419 sctp_chunk_free(err_chunk); 420 } 421 422 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 423 424 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 425 426 /* 427 * Note: After sending out INIT ACK with the State Cookie parameter, 428 * "Z" MUST NOT allocate any resources, nor keep any states for the 429 * new association. Otherwise, "Z" will be vulnerable to resource 430 * attacks. 431 */ 432 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 433 434 return SCTP_DISPOSITION_DELETE_TCB; 435 436 nomem_init: 437 sctp_association_free(new_asoc); 438 nomem: 439 if (err_chunk) 440 sctp_chunk_free(err_chunk); 441 return SCTP_DISPOSITION_NOMEM; 442 } 443 444 /* 445 * Respond to a normal INIT ACK chunk. 446 * We are the side that is initiating the association. 447 * 448 * Section: 5.1 Normal Establishment of an Association, C 449 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 450 * timer and leave COOKIE-WAIT state. "A" shall then send the State 451 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 452 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 453 * 454 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 455 * DATA chunks, but it MUST be the first chunk in the packet and 456 * until the COOKIE ACK is returned the sender MUST NOT send any 457 * other packets to the peer. 458 * 459 * Verification Tag: 3.3.3 460 * If the value of the Initiate Tag in a received INIT ACK chunk is 461 * found to be 0, the receiver MUST treat it as an error and close the 462 * association by transmitting an ABORT. 463 * 464 * Inputs 465 * (endpoint, asoc, chunk) 466 * 467 * Outputs 468 * (asoc, reply_msg, msg_up, timers, counters) 469 * 470 * The return value is the disposition of the chunk. 471 */ 472 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 473 const struct sctp_association *asoc, 474 const sctp_subtype_t type, 475 void *arg, 476 sctp_cmd_seq_t *commands) 477 { 478 struct sctp_chunk *chunk = arg; 479 sctp_init_chunk_t *initchunk; 480 struct sctp_chunk *err_chunk; 481 struct sctp_packet *packet; 482 483 if (!sctp_vtag_verify(chunk, asoc)) 484 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 485 486 /* 6.10 Bundling 487 * An endpoint MUST NOT bundle INIT, INIT ACK or 488 * SHUTDOWN COMPLETE with any other chunks. 489 */ 490 if (!chunk->singleton) 491 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 492 493 /* Make sure that the INIT-ACK chunk has a valid length */ 494 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 495 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 496 commands); 497 /* Grab the INIT header. */ 498 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 499 500 /* Verify the INIT chunk before processing it. */ 501 err_chunk = NULL; 502 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 503 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 504 &err_chunk)) { 505 506 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 507 508 /* This chunk contains fatal error. It is to be discarded. 509 * Send an ABORT, with causes. If there are no causes, 510 * then there wasn't enough memory. Just terminate 511 * the association. 512 */ 513 if (err_chunk) { 514 packet = sctp_abort_pkt_new(ep, asoc, arg, 515 (__u8 *)(err_chunk->chunk_hdr) + 516 sizeof(sctp_chunkhdr_t), 517 ntohs(err_chunk->chunk_hdr->length) - 518 sizeof(sctp_chunkhdr_t)); 519 520 sctp_chunk_free(err_chunk); 521 522 if (packet) { 523 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 524 SCTP_PACKET(packet)); 525 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 526 error = SCTP_ERROR_INV_PARAM; 527 } 528 } 529 530 /* SCTP-AUTH, Section 6.3: 531 * It should be noted that if the receiver wants to tear 532 * down an association in an authenticated way only, the 533 * handling of malformed packets should not result in 534 * tearing down the association. 535 * 536 * This means that if we only want to abort associations 537 * in an authenticated way (i.e AUTH+ABORT), then we 538 * can't destroy this association just becuase the packet 539 * was malformed. 540 */ 541 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 542 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 543 544 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 545 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 546 asoc, chunk->transport); 547 } 548 549 /* Tag the variable length parameters. Note that we never 550 * convert the parameters in an INIT chunk. 551 */ 552 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 553 554 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 555 556 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 557 SCTP_PEER_INIT(initchunk)); 558 559 /* Reset init error count upon receipt of INIT-ACK. */ 560 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 561 562 /* 5.1 C) "A" shall stop the T1-init timer and leave 563 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 564 * timer, and enter the COOKIE-ECHOED state. 565 */ 566 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 567 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 568 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 569 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 570 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 571 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 572 573 /* SCTP-AUTH: genereate the assocition shared keys so that 574 * we can potentially signe the COOKIE-ECHO. 575 */ 576 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 577 578 /* 5.1 C) "A" shall then send the State Cookie received in the 579 * INIT ACK chunk in a COOKIE ECHO chunk, ... 580 */ 581 /* If there is any errors to report, send the ERROR chunk generated 582 * for unknown parameters as well. 583 */ 584 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 585 SCTP_CHUNK(err_chunk)); 586 587 return SCTP_DISPOSITION_CONSUME; 588 } 589 590 /* 591 * Respond to a normal COOKIE ECHO chunk. 592 * We are the side that is being asked for an association. 593 * 594 * Section: 5.1 Normal Establishment of an Association, D 595 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 596 * with a COOKIE ACK chunk after building a TCB and moving to 597 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 598 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 599 * chunk MUST be the first chunk in the packet. 600 * 601 * IMPLEMENTATION NOTE: An implementation may choose to send the 602 * Communication Up notification to the SCTP user upon reception 603 * of a valid COOKIE ECHO chunk. 604 * 605 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 606 * D) Rules for packet carrying a COOKIE ECHO 607 * 608 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 609 * Initial Tag received in the INIT ACK. 610 * 611 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 612 * 613 * Inputs 614 * (endpoint, asoc, chunk) 615 * 616 * Outputs 617 * (asoc, reply_msg, msg_up, timers, counters) 618 * 619 * The return value is the disposition of the chunk. 620 */ 621 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 622 const struct sctp_association *asoc, 623 const sctp_subtype_t type, void *arg, 624 sctp_cmd_seq_t *commands) 625 { 626 struct sctp_chunk *chunk = arg; 627 struct sctp_association *new_asoc; 628 sctp_init_chunk_t *peer_init; 629 struct sctp_chunk *repl; 630 struct sctp_ulpevent *ev, *ai_ev = NULL; 631 int error = 0; 632 struct sctp_chunk *err_chk_p; 633 struct sock *sk; 634 635 /* If the packet is an OOTB packet which is temporarily on the 636 * control endpoint, respond with an ABORT. 637 */ 638 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 639 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 640 641 /* Make sure that the COOKIE_ECHO chunk has a valid length. 642 * In this case, we check that we have enough for at least a 643 * chunk header. More detailed verification is done 644 * in sctp_unpack_cookie(). 645 */ 646 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 647 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 648 649 /* If the endpoint is not listening or if the number of associations 650 * on the TCP-style socket exceed the max backlog, respond with an 651 * ABORT. 652 */ 653 sk = ep->base.sk; 654 if (!sctp_sstate(sk, LISTENING) || 655 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 656 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 657 658 /* "Decode" the chunk. We have no optional parameters so we 659 * are in good shape. 660 */ 661 chunk->subh.cookie_hdr = 662 (struct sctp_signed_cookie *)chunk->skb->data; 663 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 664 sizeof(sctp_chunkhdr_t))) 665 goto nomem; 666 667 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 668 * "Z" will reply with a COOKIE ACK chunk after building a TCB 669 * and moving to the ESTABLISHED state. 670 */ 671 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 672 &err_chk_p); 673 674 /* FIXME: 675 * If the re-build failed, what is the proper error path 676 * from here? 677 * 678 * [We should abort the association. --piggy] 679 */ 680 if (!new_asoc) { 681 /* FIXME: Several errors are possible. A bad cookie should 682 * be silently discarded, but think about logging it too. 683 */ 684 switch (error) { 685 case -SCTP_IERROR_NOMEM: 686 goto nomem; 687 688 case -SCTP_IERROR_STALE_COOKIE: 689 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 690 err_chk_p); 691 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 692 693 case -SCTP_IERROR_BAD_SIG: 694 default: 695 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 696 } 697 } 698 699 700 /* Delay state machine commands until later. 701 * 702 * Re-build the bind address for the association is done in 703 * the sctp_unpack_cookie() already. 704 */ 705 /* This is a brand-new association, so these are not yet side 706 * effects--it is safe to run them here. 707 */ 708 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 709 710 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 711 &chunk->subh.cookie_hdr->c.peer_addr, 712 peer_init, GFP_ATOMIC)) 713 goto nomem_init; 714 715 /* SCTP-AUTH: Now that we've populate required fields in 716 * sctp_process_init, set up the assocaition shared keys as 717 * necessary so that we can potentially authenticate the ACK 718 */ 719 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 720 if (error) 721 goto nomem_init; 722 723 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 724 * is supposed to be authenticated and we have to do delayed 725 * authentication. We've just recreated the association using 726 * the information in the cookie and now it's much easier to 727 * do the authentication. 728 */ 729 if (chunk->auth_chunk) { 730 struct sctp_chunk auth; 731 sctp_ierror_t ret; 732 733 /* set-up our fake chunk so that we can process it */ 734 auth.skb = chunk->auth_chunk; 735 auth.asoc = chunk->asoc; 736 auth.sctp_hdr = chunk->sctp_hdr; 737 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 738 sizeof(sctp_chunkhdr_t)); 739 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 740 auth.transport = chunk->transport; 741 742 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth); 743 744 /* We can now safely free the auth_chunk clone */ 745 kfree_skb(chunk->auth_chunk); 746 747 if (ret != SCTP_IERROR_NO_ERROR) { 748 sctp_association_free(new_asoc); 749 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 750 } 751 } 752 753 repl = sctp_make_cookie_ack(new_asoc, chunk); 754 if (!repl) 755 goto nomem_init; 756 757 /* RFC 2960 5.1 Normal Establishment of an Association 758 * 759 * D) IMPLEMENTATION NOTE: An implementation may choose to 760 * send the Communication Up notification to the SCTP user 761 * upon reception of a valid COOKIE ECHO chunk. 762 */ 763 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 764 new_asoc->c.sinit_num_ostreams, 765 new_asoc->c.sinit_max_instreams, 766 NULL, GFP_ATOMIC); 767 if (!ev) 768 goto nomem_ev; 769 770 /* Sockets API Draft Section 5.3.1.6 771 * When a peer sends a Adaptation Layer Indication parameter , SCTP 772 * delivers this notification to inform the application that of the 773 * peers requested adaptation layer. 774 */ 775 if (new_asoc->peer.adaptation_ind) { 776 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 777 GFP_ATOMIC); 778 if (!ai_ev) 779 goto nomem_aiev; 780 } 781 782 /* Add all the state machine commands now since we've created 783 * everything. This way we don't introduce memory corruptions 784 * during side-effect processing and correclty count established 785 * associations. 786 */ 787 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 788 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 789 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 790 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 791 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 792 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 793 794 if (new_asoc->autoclose) 795 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 796 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 797 798 /* This will send the COOKIE ACK */ 799 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 800 801 /* Queue the ASSOC_CHANGE event */ 802 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 803 804 /* Send up the Adaptation Layer Indication event */ 805 if (ai_ev) 806 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 807 SCTP_ULPEVENT(ai_ev)); 808 809 return SCTP_DISPOSITION_CONSUME; 810 811 nomem_aiev: 812 sctp_ulpevent_free(ev); 813 nomem_ev: 814 sctp_chunk_free(repl); 815 nomem_init: 816 sctp_association_free(new_asoc); 817 nomem: 818 return SCTP_DISPOSITION_NOMEM; 819 } 820 821 /* 822 * Respond to a normal COOKIE ACK chunk. 823 * We are the side that is being asked for an association. 824 * 825 * RFC 2960 5.1 Normal Establishment of an Association 826 * 827 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 828 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 829 * timer. It may also notify its ULP about the successful 830 * establishment of the association with a Communication Up 831 * notification (see Section 10). 832 * 833 * Verification Tag: 834 * Inputs 835 * (endpoint, asoc, chunk) 836 * 837 * Outputs 838 * (asoc, reply_msg, msg_up, timers, counters) 839 * 840 * The return value is the disposition of the chunk. 841 */ 842 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 843 const struct sctp_association *asoc, 844 const sctp_subtype_t type, void *arg, 845 sctp_cmd_seq_t *commands) 846 { 847 struct sctp_chunk *chunk = arg; 848 struct sctp_ulpevent *ev; 849 850 if (!sctp_vtag_verify(chunk, asoc)) 851 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 852 853 /* Verify that the chunk length for the COOKIE-ACK is OK. 854 * If we don't do this, any bundled chunks may be junked. 855 */ 856 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 857 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 858 commands); 859 860 /* Reset init error count upon receipt of COOKIE-ACK, 861 * to avoid problems with the managemement of this 862 * counter in stale cookie situations when a transition back 863 * from the COOKIE-ECHOED state to the COOKIE-WAIT 864 * state is performed. 865 */ 866 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 867 868 /* RFC 2960 5.1 Normal Establishment of an Association 869 * 870 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 871 * from the COOKIE-ECHOED state to the ESTABLISHED state, 872 * stopping the T1-cookie timer. 873 */ 874 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 875 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 876 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 877 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 878 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 879 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 880 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 881 if (asoc->autoclose) 882 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 883 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 884 885 /* It may also notify its ULP about the successful 886 * establishment of the association with a Communication Up 887 * notification (see Section 10). 888 */ 889 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 890 0, asoc->c.sinit_num_ostreams, 891 asoc->c.sinit_max_instreams, 892 NULL, GFP_ATOMIC); 893 894 if (!ev) 895 goto nomem; 896 897 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 898 899 /* Sockets API Draft Section 5.3.1.6 900 * When a peer sends a Adaptation Layer Indication parameter , SCTP 901 * delivers this notification to inform the application that of the 902 * peers requested adaptation layer. 903 */ 904 if (asoc->peer.adaptation_ind) { 905 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 906 if (!ev) 907 goto nomem; 908 909 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 910 SCTP_ULPEVENT(ev)); 911 } 912 913 return SCTP_DISPOSITION_CONSUME; 914 nomem: 915 return SCTP_DISPOSITION_NOMEM; 916 } 917 918 /* Generate and sendout a heartbeat packet. */ 919 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 920 const struct sctp_association *asoc, 921 const sctp_subtype_t type, 922 void *arg, 923 sctp_cmd_seq_t *commands) 924 { 925 struct sctp_transport *transport = (struct sctp_transport *) arg; 926 struct sctp_chunk *reply; 927 sctp_sender_hb_info_t hbinfo; 928 size_t paylen = 0; 929 930 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 931 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 932 hbinfo.daddr = transport->ipaddr; 933 hbinfo.sent_at = jiffies; 934 hbinfo.hb_nonce = transport->hb_nonce; 935 936 /* Send a heartbeat to our peer. */ 937 paylen = sizeof(sctp_sender_hb_info_t); 938 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 939 if (!reply) 940 return SCTP_DISPOSITION_NOMEM; 941 942 /* Set rto_pending indicating that an RTT measurement 943 * is started with this heartbeat chunk. 944 */ 945 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 946 SCTP_TRANSPORT(transport)); 947 948 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 949 return SCTP_DISPOSITION_CONSUME; 950 } 951 952 /* Generate a HEARTBEAT packet on the given transport. */ 953 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 954 const struct sctp_association *asoc, 955 const sctp_subtype_t type, 956 void *arg, 957 sctp_cmd_seq_t *commands) 958 { 959 struct sctp_transport *transport = (struct sctp_transport *) arg; 960 961 if (asoc->overall_error_count > asoc->max_retrans) { 962 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 963 SCTP_ERROR(ETIMEDOUT)); 964 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 965 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 966 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 967 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 968 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 969 return SCTP_DISPOSITION_DELETE_TCB; 970 } 971 972 /* Section 3.3.5. 973 * The Sender-specific Heartbeat Info field should normally include 974 * information about the sender's current time when this HEARTBEAT 975 * chunk is sent and the destination transport address to which this 976 * HEARTBEAT is sent (see Section 8.3). 977 */ 978 979 if (transport->param_flags & SPP_HB_ENABLE) { 980 if (SCTP_DISPOSITION_NOMEM == 981 sctp_sf_heartbeat(ep, asoc, type, arg, 982 commands)) 983 return SCTP_DISPOSITION_NOMEM; 984 /* Set transport error counter and association error counter 985 * when sending heartbeat. 986 */ 987 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 988 SCTP_TRANSPORT(transport)); 989 } 990 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 991 SCTP_TRANSPORT(transport)); 992 993 return SCTP_DISPOSITION_CONSUME; 994 } 995 996 /* 997 * Process an heartbeat request. 998 * 999 * Section: 8.3 Path Heartbeat 1000 * The receiver of the HEARTBEAT should immediately respond with a 1001 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1002 * from the received HEARTBEAT chunk. 1003 * 1004 * Verification Tag: 8.5 Verification Tag [Normal verification] 1005 * When receiving an SCTP packet, the endpoint MUST ensure that the 1006 * value in the Verification Tag field of the received SCTP packet 1007 * matches its own Tag. If the received Verification Tag value does not 1008 * match the receiver's own tag value, the receiver shall silently 1009 * discard the packet and shall not process it any further except for 1010 * those cases listed in Section 8.5.1 below. 1011 * 1012 * Inputs 1013 * (endpoint, asoc, chunk) 1014 * 1015 * Outputs 1016 * (asoc, reply_msg, msg_up, timers, counters) 1017 * 1018 * The return value is the disposition of the chunk. 1019 */ 1020 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 1021 const struct sctp_association *asoc, 1022 const sctp_subtype_t type, 1023 void *arg, 1024 sctp_cmd_seq_t *commands) 1025 { 1026 struct sctp_chunk *chunk = arg; 1027 struct sctp_chunk *reply; 1028 size_t paylen = 0; 1029 1030 if (!sctp_vtag_verify(chunk, asoc)) 1031 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1032 1033 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1034 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1035 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1036 commands); 1037 1038 /* 8.3 The receiver of the HEARTBEAT should immediately 1039 * respond with a HEARTBEAT ACK that contains the Heartbeat 1040 * Information field copied from the received HEARTBEAT chunk. 1041 */ 1042 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1043 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1044 if (!pskb_pull(chunk->skb, paylen)) 1045 goto nomem; 1046 1047 reply = sctp_make_heartbeat_ack(asoc, chunk, 1048 chunk->subh.hb_hdr, paylen); 1049 if (!reply) 1050 goto nomem; 1051 1052 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1053 return SCTP_DISPOSITION_CONSUME; 1054 1055 nomem: 1056 return SCTP_DISPOSITION_NOMEM; 1057 } 1058 1059 /* 1060 * Process the returning HEARTBEAT ACK. 1061 * 1062 * Section: 8.3 Path Heartbeat 1063 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1064 * should clear the error counter of the destination transport 1065 * address to which the HEARTBEAT was sent, and mark the destination 1066 * transport address as active if it is not so marked. The endpoint may 1067 * optionally report to the upper layer when an inactive destination 1068 * address is marked as active due to the reception of the latest 1069 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1070 * clear the association overall error count as well (as defined 1071 * in section 8.1). 1072 * 1073 * The receiver of the HEARTBEAT ACK should also perform an RTT 1074 * measurement for that destination transport address using the time 1075 * value carried in the HEARTBEAT ACK chunk. 1076 * 1077 * Verification Tag: 8.5 Verification Tag [Normal verification] 1078 * 1079 * Inputs 1080 * (endpoint, asoc, chunk) 1081 * 1082 * Outputs 1083 * (asoc, reply_msg, msg_up, timers, counters) 1084 * 1085 * The return value is the disposition of the chunk. 1086 */ 1087 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1088 const struct sctp_association *asoc, 1089 const sctp_subtype_t type, 1090 void *arg, 1091 sctp_cmd_seq_t *commands) 1092 { 1093 struct sctp_chunk *chunk = arg; 1094 union sctp_addr from_addr; 1095 struct sctp_transport *link; 1096 sctp_sender_hb_info_t *hbinfo; 1097 unsigned long max_interval; 1098 1099 if (!sctp_vtag_verify(chunk, asoc)) 1100 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1101 1102 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1103 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1104 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1105 commands); 1106 1107 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1108 /* Make sure that the length of the parameter is what we expect */ 1109 if (ntohs(hbinfo->param_hdr.length) != 1110 sizeof(sctp_sender_hb_info_t)) { 1111 return SCTP_DISPOSITION_DISCARD; 1112 } 1113 1114 from_addr = hbinfo->daddr; 1115 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1116 1117 /* This should never happen, but lets log it if so. */ 1118 if (unlikely(!link)) { 1119 if (from_addr.sa.sa_family == AF_INET6) { 1120 if (net_ratelimit()) 1121 printk(KERN_WARNING 1122 "%s association %p could not find address " 1123 NIP6_FMT "\n", 1124 __func__, 1125 asoc, 1126 NIP6(from_addr.v6.sin6_addr)); 1127 } else { 1128 if (net_ratelimit()) 1129 printk(KERN_WARNING 1130 "%s association %p could not find address " 1131 NIPQUAD_FMT "\n", 1132 __func__, 1133 asoc, 1134 NIPQUAD(from_addr.v4.sin_addr.s_addr)); 1135 } 1136 return SCTP_DISPOSITION_DISCARD; 1137 } 1138 1139 /* Validate the 64-bit random nonce. */ 1140 if (hbinfo->hb_nonce != link->hb_nonce) 1141 return SCTP_DISPOSITION_DISCARD; 1142 1143 max_interval = link->hbinterval + link->rto; 1144 1145 /* Check if the timestamp looks valid. */ 1146 if (time_after(hbinfo->sent_at, jiffies) || 1147 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1148 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp " 1149 "received for transport: %p\n", 1150 __func__, link); 1151 return SCTP_DISPOSITION_DISCARD; 1152 } 1153 1154 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1155 * the HEARTBEAT should clear the error counter of the 1156 * destination transport address to which the HEARTBEAT was 1157 * sent and mark the destination transport address as active if 1158 * it is not so marked. 1159 */ 1160 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1161 1162 return SCTP_DISPOSITION_CONSUME; 1163 } 1164 1165 /* Helper function to send out an abort for the restart 1166 * condition. 1167 */ 1168 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1169 struct sctp_chunk *init, 1170 sctp_cmd_seq_t *commands) 1171 { 1172 int len; 1173 struct sctp_packet *pkt; 1174 union sctp_addr_param *addrparm; 1175 struct sctp_errhdr *errhdr; 1176 struct sctp_endpoint *ep; 1177 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1178 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1179 1180 /* Build the error on the stack. We are way to malloc crazy 1181 * throughout the code today. 1182 */ 1183 errhdr = (struct sctp_errhdr *)buffer; 1184 addrparm = (union sctp_addr_param *)errhdr->variable; 1185 1186 /* Copy into a parm format. */ 1187 len = af->to_addr_param(ssa, addrparm); 1188 len += sizeof(sctp_errhdr_t); 1189 1190 errhdr->cause = SCTP_ERROR_RESTART; 1191 errhdr->length = htons(len); 1192 1193 /* Assign to the control socket. */ 1194 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1195 1196 /* Association is NULL since this may be a restart attack and we 1197 * want to send back the attacker's vtag. 1198 */ 1199 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1200 1201 if (!pkt) 1202 goto out; 1203 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1204 1205 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1206 1207 /* Discard the rest of the inbound packet. */ 1208 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1209 1210 out: 1211 /* Even if there is no memory, treat as a failure so 1212 * the packet will get dropped. 1213 */ 1214 return 0; 1215 } 1216 1217 /* A restart is occurring, check to make sure no new addresses 1218 * are being added as we may be under a takeover attack. 1219 */ 1220 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1221 const struct sctp_association *asoc, 1222 struct sctp_chunk *init, 1223 sctp_cmd_seq_t *commands) 1224 { 1225 struct sctp_transport *new_addr, *addr; 1226 int found; 1227 1228 /* Implementor's Guide - Sectin 5.2.2 1229 * ... 1230 * Before responding the endpoint MUST check to see if the 1231 * unexpected INIT adds new addresses to the association. If new 1232 * addresses are added to the association, the endpoint MUST respond 1233 * with an ABORT.. 1234 */ 1235 1236 /* Search through all current addresses and make sure 1237 * we aren't adding any new ones. 1238 */ 1239 new_addr = NULL; 1240 found = 0; 1241 1242 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1243 transports) { 1244 found = 0; 1245 list_for_each_entry(addr, &asoc->peer.transport_addr_list, 1246 transports) { 1247 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1248 &addr->ipaddr)) { 1249 found = 1; 1250 break; 1251 } 1252 } 1253 if (!found) 1254 break; 1255 } 1256 1257 /* If a new address was added, ABORT the sender. */ 1258 if (!found && new_addr) { 1259 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1260 } 1261 1262 /* Return success if all addresses were found. */ 1263 return found; 1264 } 1265 1266 /* Populate the verification/tie tags based on overlapping INIT 1267 * scenario. 1268 * 1269 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1270 */ 1271 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1272 const struct sctp_association *asoc) 1273 { 1274 switch (asoc->state) { 1275 1276 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1277 1278 case SCTP_STATE_COOKIE_WAIT: 1279 new_asoc->c.my_vtag = asoc->c.my_vtag; 1280 new_asoc->c.my_ttag = asoc->c.my_vtag; 1281 new_asoc->c.peer_ttag = 0; 1282 break; 1283 1284 case SCTP_STATE_COOKIE_ECHOED: 1285 new_asoc->c.my_vtag = asoc->c.my_vtag; 1286 new_asoc->c.my_ttag = asoc->c.my_vtag; 1287 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1288 break; 1289 1290 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1291 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1292 */ 1293 default: 1294 new_asoc->c.my_ttag = asoc->c.my_vtag; 1295 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1296 break; 1297 } 1298 1299 /* Other parameters for the endpoint SHOULD be copied from the 1300 * existing parameters of the association (e.g. number of 1301 * outbound streams) into the INIT ACK and cookie. 1302 */ 1303 new_asoc->rwnd = asoc->rwnd; 1304 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1305 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1306 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1307 } 1308 1309 /* 1310 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1311 * handling action. 1312 * 1313 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1314 * 1315 * Returns value representing action to be taken. These action values 1316 * correspond to Action/Description values in RFC 2960, Table 2. 1317 */ 1318 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1319 const struct sctp_association *asoc) 1320 { 1321 /* In this case, the peer may have restarted. */ 1322 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1323 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1324 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1325 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1326 return 'A'; 1327 1328 /* Collision case B. */ 1329 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1330 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1331 (0 == asoc->c.peer_vtag))) { 1332 return 'B'; 1333 } 1334 1335 /* Collision case D. */ 1336 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1337 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1338 return 'D'; 1339 1340 /* Collision case C. */ 1341 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1342 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1343 (0 == new_asoc->c.my_ttag) && 1344 (0 == new_asoc->c.peer_ttag)) 1345 return 'C'; 1346 1347 /* No match to any of the special cases; discard this packet. */ 1348 return 'E'; 1349 } 1350 1351 /* Common helper routine for both duplicate and simulataneous INIT 1352 * chunk handling. 1353 */ 1354 static sctp_disposition_t sctp_sf_do_unexpected_init( 1355 const struct sctp_endpoint *ep, 1356 const struct sctp_association *asoc, 1357 const sctp_subtype_t type, 1358 void *arg, sctp_cmd_seq_t *commands) 1359 { 1360 sctp_disposition_t retval; 1361 struct sctp_chunk *chunk = arg; 1362 struct sctp_chunk *repl; 1363 struct sctp_association *new_asoc; 1364 struct sctp_chunk *err_chunk; 1365 struct sctp_packet *packet; 1366 sctp_unrecognized_param_t *unk_param; 1367 int len; 1368 1369 /* 6.10 Bundling 1370 * An endpoint MUST NOT bundle INIT, INIT ACK or 1371 * SHUTDOWN COMPLETE with any other chunks. 1372 * 1373 * IG Section 2.11.2 1374 * Furthermore, we require that the receiver of an INIT chunk MUST 1375 * enforce these rules by silently discarding an arriving packet 1376 * with an INIT chunk that is bundled with other chunks. 1377 */ 1378 if (!chunk->singleton) 1379 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1380 1381 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1382 * Tag. 1383 */ 1384 if (chunk->sctp_hdr->vtag != 0) 1385 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1386 1387 /* Make sure that the INIT chunk has a valid length. 1388 * In this case, we generate a protocol violation since we have 1389 * an association established. 1390 */ 1391 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1392 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1393 commands); 1394 /* Grab the INIT header. */ 1395 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1396 1397 /* Tag the variable length parameters. */ 1398 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1399 1400 /* Verify the INIT chunk before processing it. */ 1401 err_chunk = NULL; 1402 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1403 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1404 &err_chunk)) { 1405 /* This chunk contains fatal error. It is to be discarded. 1406 * Send an ABORT, with causes if there is any. 1407 */ 1408 if (err_chunk) { 1409 packet = sctp_abort_pkt_new(ep, asoc, arg, 1410 (__u8 *)(err_chunk->chunk_hdr) + 1411 sizeof(sctp_chunkhdr_t), 1412 ntohs(err_chunk->chunk_hdr->length) - 1413 sizeof(sctp_chunkhdr_t)); 1414 1415 if (packet) { 1416 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1417 SCTP_PACKET(packet)); 1418 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1419 retval = SCTP_DISPOSITION_CONSUME; 1420 } else { 1421 retval = SCTP_DISPOSITION_NOMEM; 1422 } 1423 goto cleanup; 1424 } else { 1425 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1426 commands); 1427 } 1428 } 1429 1430 /* 1431 * Other parameters for the endpoint SHOULD be copied from the 1432 * existing parameters of the association (e.g. number of 1433 * outbound streams) into the INIT ACK and cookie. 1434 * FIXME: We are copying parameters from the endpoint not the 1435 * association. 1436 */ 1437 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1438 if (!new_asoc) 1439 goto nomem; 1440 1441 /* In the outbound INIT ACK the endpoint MUST copy its current 1442 * Verification Tag and Peers Verification tag into a reserved 1443 * place (local tie-tag and per tie-tag) within the state cookie. 1444 */ 1445 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1446 sctp_source(chunk), 1447 (sctp_init_chunk_t *)chunk->chunk_hdr, 1448 GFP_ATOMIC)) 1449 goto nomem; 1450 1451 /* Make sure no new addresses are being added during the 1452 * restart. Do not do this check for COOKIE-WAIT state, 1453 * since there are no peer addresses to check against. 1454 * Upon return an ABORT will have been sent if needed. 1455 */ 1456 if (!sctp_state(asoc, COOKIE_WAIT)) { 1457 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1458 commands)) { 1459 retval = SCTP_DISPOSITION_CONSUME; 1460 goto nomem_retval; 1461 } 1462 } 1463 1464 sctp_tietags_populate(new_asoc, asoc); 1465 1466 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1467 1468 /* If there are errors need to be reported for unknown parameters, 1469 * make sure to reserve enough room in the INIT ACK for them. 1470 */ 1471 len = 0; 1472 if (err_chunk) { 1473 len = ntohs(err_chunk->chunk_hdr->length) - 1474 sizeof(sctp_chunkhdr_t); 1475 } 1476 1477 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1478 goto nomem; 1479 1480 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1481 if (!repl) 1482 goto nomem; 1483 1484 /* If there are errors need to be reported for unknown parameters, 1485 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1486 * parameter. 1487 */ 1488 if (err_chunk) { 1489 /* Get the "Unrecognized parameter" parameter(s) out of the 1490 * ERROR chunk generated by sctp_verify_init(). Since the 1491 * error cause code for "unknown parameter" and the 1492 * "Unrecognized parameter" type is the same, we can 1493 * construct the parameters in INIT ACK by copying the 1494 * ERROR causes over. 1495 */ 1496 unk_param = (sctp_unrecognized_param_t *) 1497 ((__u8 *)(err_chunk->chunk_hdr) + 1498 sizeof(sctp_chunkhdr_t)); 1499 /* Replace the cause code with the "Unrecognized parameter" 1500 * parameter type. 1501 */ 1502 sctp_addto_chunk(repl, len, unk_param); 1503 } 1504 1505 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1506 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1507 1508 /* 1509 * Note: After sending out INIT ACK with the State Cookie parameter, 1510 * "Z" MUST NOT allocate any resources for this new association. 1511 * Otherwise, "Z" will be vulnerable to resource attacks. 1512 */ 1513 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1514 retval = SCTP_DISPOSITION_CONSUME; 1515 1516 return retval; 1517 1518 nomem: 1519 retval = SCTP_DISPOSITION_NOMEM; 1520 nomem_retval: 1521 if (new_asoc) 1522 sctp_association_free(new_asoc); 1523 cleanup: 1524 if (err_chunk) 1525 sctp_chunk_free(err_chunk); 1526 return retval; 1527 } 1528 1529 /* 1530 * Handle simultanous INIT. 1531 * This means we started an INIT and then we got an INIT request from 1532 * our peer. 1533 * 1534 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1535 * This usually indicates an initialization collision, i.e., each 1536 * endpoint is attempting, at about the same time, to establish an 1537 * association with the other endpoint. 1538 * 1539 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1540 * endpoint MUST respond with an INIT ACK using the same parameters it 1541 * sent in its original INIT chunk (including its Verification Tag, 1542 * unchanged). These original parameters are combined with those from the 1543 * newly received INIT chunk. The endpoint shall also generate a State 1544 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1545 * INIT to calculate the State Cookie. 1546 * 1547 * After that, the endpoint MUST NOT change its state, the T1-init 1548 * timer shall be left running and the corresponding TCB MUST NOT be 1549 * destroyed. The normal procedures for handling State Cookies when 1550 * a TCB exists will resolve the duplicate INITs to a single association. 1551 * 1552 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1553 * its Tie-Tags with the Tag information of itself and its peer (see 1554 * section 5.2.2 for a description of the Tie-Tags). 1555 * 1556 * Verification Tag: Not explicit, but an INIT can not have a valid 1557 * verification tag, so we skip the check. 1558 * 1559 * Inputs 1560 * (endpoint, asoc, chunk) 1561 * 1562 * Outputs 1563 * (asoc, reply_msg, msg_up, timers, counters) 1564 * 1565 * The return value is the disposition of the chunk. 1566 */ 1567 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1568 const struct sctp_association *asoc, 1569 const sctp_subtype_t type, 1570 void *arg, 1571 sctp_cmd_seq_t *commands) 1572 { 1573 /* Call helper to do the real work for both simulataneous and 1574 * duplicate INIT chunk handling. 1575 */ 1576 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1577 } 1578 1579 /* 1580 * Handle duplicated INIT messages. These are usually delayed 1581 * restransmissions. 1582 * 1583 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1584 * COOKIE-ECHOED and COOKIE-WAIT 1585 * 1586 * Unless otherwise stated, upon reception of an unexpected INIT for 1587 * this association, the endpoint shall generate an INIT ACK with a 1588 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1589 * current Verification Tag and peer's Verification Tag into a reserved 1590 * place within the state cookie. We shall refer to these locations as 1591 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1592 * containing this INIT ACK MUST carry a Verification Tag value equal to 1593 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1594 * MUST contain a new Initiation Tag (randomly generated see Section 1595 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1596 * existing parameters of the association (e.g. number of outbound 1597 * streams) into the INIT ACK and cookie. 1598 * 1599 * After sending out the INIT ACK, the endpoint shall take no further 1600 * actions, i.e., the existing association, including its current state, 1601 * and the corresponding TCB MUST NOT be changed. 1602 * 1603 * Note: Only when a TCB exists and the association is not in a COOKIE- 1604 * WAIT state are the Tie-Tags populated. For a normal association INIT 1605 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1606 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1607 * State Cookie are populated as specified in section 5.2.1. 1608 * 1609 * Verification Tag: Not specified, but an INIT has no way of knowing 1610 * what the verification tag could be, so we ignore it. 1611 * 1612 * Inputs 1613 * (endpoint, asoc, chunk) 1614 * 1615 * Outputs 1616 * (asoc, reply_msg, msg_up, timers, counters) 1617 * 1618 * The return value is the disposition of the chunk. 1619 */ 1620 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1621 const struct sctp_association *asoc, 1622 const sctp_subtype_t type, 1623 void *arg, 1624 sctp_cmd_seq_t *commands) 1625 { 1626 /* Call helper to do the real work for both simulataneous and 1627 * duplicate INIT chunk handling. 1628 */ 1629 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1630 } 1631 1632 1633 /* 1634 * Unexpected INIT-ACK handler. 1635 * 1636 * Section 5.2.3 1637 * If an INIT ACK received by an endpoint in any state other than the 1638 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1639 * An unexpected INIT ACK usually indicates the processing of an old or 1640 * duplicated INIT chunk. 1641 */ 1642 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1643 const struct sctp_association *asoc, 1644 const sctp_subtype_t type, 1645 void *arg, sctp_cmd_seq_t *commands) 1646 { 1647 /* Per the above section, we'll discard the chunk if we have an 1648 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1649 */ 1650 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1651 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1652 else 1653 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1654 } 1655 1656 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1657 * 1658 * Section 5.2.4 1659 * A) In this case, the peer may have restarted. 1660 */ 1661 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1662 const struct sctp_association *asoc, 1663 struct sctp_chunk *chunk, 1664 sctp_cmd_seq_t *commands, 1665 struct sctp_association *new_asoc) 1666 { 1667 sctp_init_chunk_t *peer_init; 1668 struct sctp_ulpevent *ev; 1669 struct sctp_chunk *repl; 1670 struct sctp_chunk *err; 1671 sctp_disposition_t disposition; 1672 1673 /* new_asoc is a brand-new association, so these are not yet 1674 * side effects--it is safe to run them here. 1675 */ 1676 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1677 1678 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1679 sctp_source(chunk), peer_init, 1680 GFP_ATOMIC)) 1681 goto nomem; 1682 1683 /* Make sure no new addresses are being added during the 1684 * restart. Though this is a pretty complicated attack 1685 * since you'd have to get inside the cookie. 1686 */ 1687 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1688 return SCTP_DISPOSITION_CONSUME; 1689 } 1690 1691 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1692 * the peer has restarted (Action A), it MUST NOT setup a new 1693 * association but instead resend the SHUTDOWN ACK and send an ERROR 1694 * chunk with a "Cookie Received while Shutting Down" error cause to 1695 * its peer. 1696 */ 1697 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1698 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1699 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1700 chunk, commands); 1701 if (SCTP_DISPOSITION_NOMEM == disposition) 1702 goto nomem; 1703 1704 err = sctp_make_op_error(asoc, chunk, 1705 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1706 NULL, 0); 1707 if (err) 1708 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1709 SCTP_CHUNK(err)); 1710 1711 return SCTP_DISPOSITION_CONSUME; 1712 } 1713 1714 /* For now, fail any unsent/unacked data. Consider the optional 1715 * choice of resending of this data. 1716 */ 1717 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1718 1719 repl = sctp_make_cookie_ack(new_asoc, chunk); 1720 if (!repl) 1721 goto nomem; 1722 1723 /* Report association restart to upper layer. */ 1724 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1725 new_asoc->c.sinit_num_ostreams, 1726 new_asoc->c.sinit_max_instreams, 1727 NULL, GFP_ATOMIC); 1728 if (!ev) 1729 goto nomem_ev; 1730 1731 /* Update the content of current association. */ 1732 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1733 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1734 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1735 return SCTP_DISPOSITION_CONSUME; 1736 1737 nomem_ev: 1738 sctp_chunk_free(repl); 1739 nomem: 1740 return SCTP_DISPOSITION_NOMEM; 1741 } 1742 1743 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1744 * 1745 * Section 5.2.4 1746 * B) In this case, both sides may be attempting to start an association 1747 * at about the same time but the peer endpoint started its INIT 1748 * after responding to the local endpoint's INIT 1749 */ 1750 /* This case represents an initialization collision. */ 1751 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1752 const struct sctp_association *asoc, 1753 struct sctp_chunk *chunk, 1754 sctp_cmd_seq_t *commands, 1755 struct sctp_association *new_asoc) 1756 { 1757 sctp_init_chunk_t *peer_init; 1758 struct sctp_chunk *repl; 1759 1760 /* new_asoc is a brand-new association, so these are not yet 1761 * side effects--it is safe to run them here. 1762 */ 1763 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1764 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1765 sctp_source(chunk), peer_init, 1766 GFP_ATOMIC)) 1767 goto nomem; 1768 1769 /* Update the content of current association. */ 1770 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1771 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1772 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1773 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1774 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1775 1776 repl = sctp_make_cookie_ack(new_asoc, chunk); 1777 if (!repl) 1778 goto nomem; 1779 1780 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1781 1782 /* RFC 2960 5.1 Normal Establishment of an Association 1783 * 1784 * D) IMPLEMENTATION NOTE: An implementation may choose to 1785 * send the Communication Up notification to the SCTP user 1786 * upon reception of a valid COOKIE ECHO chunk. 1787 * 1788 * Sadly, this needs to be implemented as a side-effect, because 1789 * we are not guaranteed to have set the association id of the real 1790 * association and so these notifications need to be delayed until 1791 * the association id is allocated. 1792 */ 1793 1794 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1795 1796 /* Sockets API Draft Section 5.3.1.6 1797 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1798 * delivers this notification to inform the application that of the 1799 * peers requested adaptation layer. 1800 * 1801 * This also needs to be done as a side effect for the same reason as 1802 * above. 1803 */ 1804 if (asoc->peer.adaptation_ind) 1805 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1806 1807 return SCTP_DISPOSITION_CONSUME; 1808 1809 nomem: 1810 return SCTP_DISPOSITION_NOMEM; 1811 } 1812 1813 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1814 * 1815 * Section 5.2.4 1816 * C) In this case, the local endpoint's cookie has arrived late. 1817 * Before it arrived, the local endpoint sent an INIT and received an 1818 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1819 * but a new tag of its own. 1820 */ 1821 /* This case represents an initialization collision. */ 1822 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1823 const struct sctp_association *asoc, 1824 struct sctp_chunk *chunk, 1825 sctp_cmd_seq_t *commands, 1826 struct sctp_association *new_asoc) 1827 { 1828 /* The cookie should be silently discarded. 1829 * The endpoint SHOULD NOT change states and should leave 1830 * any timers running. 1831 */ 1832 return SCTP_DISPOSITION_DISCARD; 1833 } 1834 1835 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1836 * 1837 * Section 5.2.4 1838 * 1839 * D) When both local and remote tags match the endpoint should always 1840 * enter the ESTABLISHED state, if it has not already done so. 1841 */ 1842 /* This case represents an initialization collision. */ 1843 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1844 const struct sctp_association *asoc, 1845 struct sctp_chunk *chunk, 1846 sctp_cmd_seq_t *commands, 1847 struct sctp_association *new_asoc) 1848 { 1849 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1850 struct sctp_chunk *repl; 1851 1852 /* Clarification from Implementor's Guide: 1853 * D) When both local and remote tags match the endpoint should 1854 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1855 * It should stop any cookie timer that may be running and send 1856 * a COOKIE ACK. 1857 */ 1858 1859 /* Don't accidentally move back into established state. */ 1860 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1861 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1862 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1863 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1864 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1865 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1866 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1867 SCTP_NULL()); 1868 1869 /* RFC 2960 5.1 Normal Establishment of an Association 1870 * 1871 * D) IMPLEMENTATION NOTE: An implementation may choose 1872 * to send the Communication Up notification to the 1873 * SCTP user upon reception of a valid COOKIE 1874 * ECHO chunk. 1875 */ 1876 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1877 SCTP_COMM_UP, 0, 1878 asoc->c.sinit_num_ostreams, 1879 asoc->c.sinit_max_instreams, 1880 NULL, GFP_ATOMIC); 1881 if (!ev) 1882 goto nomem; 1883 1884 /* Sockets API Draft Section 5.3.1.6 1885 * When a peer sends a Adaptation Layer Indication parameter, 1886 * SCTP delivers this notification to inform the application 1887 * that of the peers requested adaptation layer. 1888 */ 1889 if (asoc->peer.adaptation_ind) { 1890 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1891 GFP_ATOMIC); 1892 if (!ai_ev) 1893 goto nomem; 1894 1895 } 1896 } 1897 1898 repl = sctp_make_cookie_ack(new_asoc, chunk); 1899 if (!repl) 1900 goto nomem; 1901 1902 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1903 1904 if (ev) 1905 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1906 SCTP_ULPEVENT(ev)); 1907 if (ai_ev) 1908 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1909 SCTP_ULPEVENT(ai_ev)); 1910 1911 return SCTP_DISPOSITION_CONSUME; 1912 1913 nomem: 1914 if (ai_ev) 1915 sctp_ulpevent_free(ai_ev); 1916 if (ev) 1917 sctp_ulpevent_free(ev); 1918 return SCTP_DISPOSITION_NOMEM; 1919 } 1920 1921 /* 1922 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1923 * chunk was retransmitted and then delayed in the network. 1924 * 1925 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1926 * 1927 * Verification Tag: None. Do cookie validation. 1928 * 1929 * Inputs 1930 * (endpoint, asoc, chunk) 1931 * 1932 * Outputs 1933 * (asoc, reply_msg, msg_up, timers, counters) 1934 * 1935 * The return value is the disposition of the chunk. 1936 */ 1937 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1938 const struct sctp_association *asoc, 1939 const sctp_subtype_t type, 1940 void *arg, 1941 sctp_cmd_seq_t *commands) 1942 { 1943 sctp_disposition_t retval; 1944 struct sctp_chunk *chunk = arg; 1945 struct sctp_association *new_asoc; 1946 int error = 0; 1947 char action; 1948 struct sctp_chunk *err_chk_p; 1949 1950 /* Make sure that the chunk has a valid length from the protocol 1951 * perspective. In this case check to make sure we have at least 1952 * enough for the chunk header. Cookie length verification is 1953 * done later. 1954 */ 1955 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1956 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1957 commands); 1958 1959 /* "Decode" the chunk. We have no optional parameters so we 1960 * are in good shape. 1961 */ 1962 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1963 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1964 sizeof(sctp_chunkhdr_t))) 1965 goto nomem; 1966 1967 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1968 * of a duplicate COOKIE ECHO match the Verification Tags of the 1969 * current association, consider the State Cookie valid even if 1970 * the lifespan is exceeded. 1971 */ 1972 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1973 &err_chk_p); 1974 1975 /* FIXME: 1976 * If the re-build failed, what is the proper error path 1977 * from here? 1978 * 1979 * [We should abort the association. --piggy] 1980 */ 1981 if (!new_asoc) { 1982 /* FIXME: Several errors are possible. A bad cookie should 1983 * be silently discarded, but think about logging it too. 1984 */ 1985 switch (error) { 1986 case -SCTP_IERROR_NOMEM: 1987 goto nomem; 1988 1989 case -SCTP_IERROR_STALE_COOKIE: 1990 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1991 err_chk_p); 1992 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1993 case -SCTP_IERROR_BAD_SIG: 1994 default: 1995 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1996 } 1997 } 1998 1999 /* Compare the tie_tag in cookie with the verification tag of 2000 * current association. 2001 */ 2002 action = sctp_tietags_compare(new_asoc, asoc); 2003 2004 switch (action) { 2005 case 'A': /* Association restart. */ 2006 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 2007 new_asoc); 2008 break; 2009 2010 case 'B': /* Collision case B. */ 2011 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 2012 new_asoc); 2013 break; 2014 2015 case 'C': /* Collision case C. */ 2016 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 2017 new_asoc); 2018 break; 2019 2020 case 'D': /* Collision case D. */ 2021 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 2022 new_asoc); 2023 break; 2024 2025 default: /* Discard packet for all others. */ 2026 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2027 break; 2028 } 2029 2030 /* Delete the tempory new association. */ 2031 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 2032 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2033 2034 return retval; 2035 2036 nomem: 2037 return SCTP_DISPOSITION_NOMEM; 2038 } 2039 2040 /* 2041 * Process an ABORT. (SHUTDOWN-PENDING state) 2042 * 2043 * See sctp_sf_do_9_1_abort(). 2044 */ 2045 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2046 const struct sctp_endpoint *ep, 2047 const struct sctp_association *asoc, 2048 const sctp_subtype_t type, 2049 void *arg, 2050 sctp_cmd_seq_t *commands) 2051 { 2052 struct sctp_chunk *chunk = arg; 2053 2054 if (!sctp_vtag_verify_either(chunk, asoc)) 2055 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2056 2057 /* Make sure that the ABORT chunk has a valid length. 2058 * Since this is an ABORT chunk, we have to discard it 2059 * because of the following text: 2060 * RFC 2960, Section 3.3.7 2061 * If an endpoint receives an ABORT with a format error or for an 2062 * association that doesn't exist, it MUST silently discard it. 2063 * Becasue the length is "invalid", we can't really discard just 2064 * as we do not know its true length. So, to be safe, discard the 2065 * packet. 2066 */ 2067 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2068 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2069 2070 /* ADD-IP: Special case for ABORT chunks 2071 * F4) One special consideration is that ABORT Chunks arriving 2072 * destined to the IP address being deleted MUST be 2073 * ignored (see Section 5.3.1 for further details). 2074 */ 2075 if (SCTP_ADDR_DEL == 2076 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2077 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2078 2079 /* Stop the T5-shutdown guard timer. */ 2080 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2081 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2082 2083 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2084 } 2085 2086 /* 2087 * Process an ABORT. (SHUTDOWN-SENT state) 2088 * 2089 * See sctp_sf_do_9_1_abort(). 2090 */ 2091 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 2092 const struct sctp_association *asoc, 2093 const sctp_subtype_t type, 2094 void *arg, 2095 sctp_cmd_seq_t *commands) 2096 { 2097 struct sctp_chunk *chunk = arg; 2098 2099 if (!sctp_vtag_verify_either(chunk, asoc)) 2100 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2101 2102 /* Make sure that the ABORT chunk has a valid length. 2103 * Since this is an ABORT chunk, we have to discard it 2104 * because of the following text: 2105 * RFC 2960, Section 3.3.7 2106 * If an endpoint receives an ABORT with a format error or for an 2107 * association that doesn't exist, it MUST silently discard it. 2108 * Becasue the length is "invalid", we can't really discard just 2109 * as we do not know its true length. So, to be safe, discard the 2110 * packet. 2111 */ 2112 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2113 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2114 2115 /* ADD-IP: Special case for ABORT chunks 2116 * F4) One special consideration is that ABORT Chunks arriving 2117 * destined to the IP address being deleted MUST be 2118 * ignored (see Section 5.3.1 for further details). 2119 */ 2120 if (SCTP_ADDR_DEL == 2121 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2122 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2123 2124 /* Stop the T2-shutdown timer. */ 2125 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2126 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2127 2128 /* Stop the T5-shutdown guard timer. */ 2129 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2130 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2131 2132 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2133 } 2134 2135 /* 2136 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2137 * 2138 * See sctp_sf_do_9_1_abort(). 2139 */ 2140 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2141 const struct sctp_endpoint *ep, 2142 const struct sctp_association *asoc, 2143 const sctp_subtype_t type, 2144 void *arg, 2145 sctp_cmd_seq_t *commands) 2146 { 2147 /* The same T2 timer, so we should be able to use 2148 * common function with the SHUTDOWN-SENT state. 2149 */ 2150 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2151 } 2152 2153 /* 2154 * Handle an Error received in COOKIE_ECHOED state. 2155 * 2156 * Only handle the error type of stale COOKIE Error, the other errors will 2157 * be ignored. 2158 * 2159 * Inputs 2160 * (endpoint, asoc, chunk) 2161 * 2162 * Outputs 2163 * (asoc, reply_msg, msg_up, timers, counters) 2164 * 2165 * The return value is the disposition of the chunk. 2166 */ 2167 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2168 const struct sctp_association *asoc, 2169 const sctp_subtype_t type, 2170 void *arg, 2171 sctp_cmd_seq_t *commands) 2172 { 2173 struct sctp_chunk *chunk = arg; 2174 sctp_errhdr_t *err; 2175 2176 if (!sctp_vtag_verify(chunk, asoc)) 2177 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2178 2179 /* Make sure that the ERROR chunk has a valid length. 2180 * The parameter walking depends on this as well. 2181 */ 2182 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2183 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2184 commands); 2185 2186 /* Process the error here */ 2187 /* FUTURE FIXME: When PR-SCTP related and other optional 2188 * parms are emitted, this will have to change to handle multiple 2189 * errors. 2190 */ 2191 sctp_walk_errors(err, chunk->chunk_hdr) { 2192 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2193 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2194 arg, commands); 2195 } 2196 2197 /* It is possible to have malformed error causes, and that 2198 * will cause us to end the walk early. However, since 2199 * we are discarding the packet, there should be no adverse 2200 * affects. 2201 */ 2202 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2203 } 2204 2205 /* 2206 * Handle a Stale COOKIE Error 2207 * 2208 * Section: 5.2.6 Handle Stale COOKIE Error 2209 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2210 * one of the following three alternatives. 2211 * ... 2212 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2213 * Preservative parameter requesting an extension to the lifetime of 2214 * the State Cookie. When calculating the time extension, an 2215 * implementation SHOULD use the RTT information measured based on the 2216 * previous COOKIE ECHO / ERROR exchange, and should add no more 2217 * than 1 second beyond the measured RTT, due to long State Cookie 2218 * lifetimes making the endpoint more subject to a replay attack. 2219 * 2220 * Verification Tag: Not explicit, but safe to ignore. 2221 * 2222 * Inputs 2223 * (endpoint, asoc, chunk) 2224 * 2225 * Outputs 2226 * (asoc, reply_msg, msg_up, timers, counters) 2227 * 2228 * The return value is the disposition of the chunk. 2229 */ 2230 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2231 const struct sctp_association *asoc, 2232 const sctp_subtype_t type, 2233 void *arg, 2234 sctp_cmd_seq_t *commands) 2235 { 2236 struct sctp_chunk *chunk = arg; 2237 time_t stale; 2238 sctp_cookie_preserve_param_t bht; 2239 sctp_errhdr_t *err; 2240 struct sctp_chunk *reply; 2241 struct sctp_bind_addr *bp; 2242 int attempts = asoc->init_err_counter + 1; 2243 2244 if (attempts > asoc->max_init_attempts) { 2245 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2246 SCTP_ERROR(ETIMEDOUT)); 2247 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2248 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2249 return SCTP_DISPOSITION_DELETE_TCB; 2250 } 2251 2252 err = (sctp_errhdr_t *)(chunk->skb->data); 2253 2254 /* When calculating the time extension, an implementation 2255 * SHOULD use the RTT information measured based on the 2256 * previous COOKIE ECHO / ERROR exchange, and should add no 2257 * more than 1 second beyond the measured RTT, due to long 2258 * State Cookie lifetimes making the endpoint more subject to 2259 * a replay attack. 2260 * Measure of Staleness's unit is usec. (1/1000000 sec) 2261 * Suggested Cookie Life-span Increment's unit is msec. 2262 * (1/1000 sec) 2263 * In general, if you use the suggested cookie life, the value 2264 * found in the field of measure of staleness should be doubled 2265 * to give ample time to retransmit the new cookie and thus 2266 * yield a higher probability of success on the reattempt. 2267 */ 2268 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2269 stale = (stale * 2) / 1000; 2270 2271 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2272 bht.param_hdr.length = htons(sizeof(bht)); 2273 bht.lifespan_increment = htonl(stale); 2274 2275 /* Build that new INIT chunk. */ 2276 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2277 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2278 if (!reply) 2279 goto nomem; 2280 2281 sctp_addto_chunk(reply, sizeof(bht), &bht); 2282 2283 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2284 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2285 2286 /* Stop pending T3-rtx and heartbeat timers */ 2287 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2288 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2289 2290 /* Delete non-primary peer ip addresses since we are transitioning 2291 * back to the COOKIE-WAIT state 2292 */ 2293 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2294 2295 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2296 * resend 2297 */ 2298 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2299 SCTP_TRANSPORT(asoc->peer.primary_path)); 2300 2301 /* Cast away the const modifier, as we want to just 2302 * rerun it through as a sideffect. 2303 */ 2304 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2305 2306 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2307 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2308 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2309 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2310 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2311 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2312 2313 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2314 2315 return SCTP_DISPOSITION_CONSUME; 2316 2317 nomem: 2318 return SCTP_DISPOSITION_NOMEM; 2319 } 2320 2321 /* 2322 * Process an ABORT. 2323 * 2324 * Section: 9.1 2325 * After checking the Verification Tag, the receiving endpoint shall 2326 * remove the association from its record, and shall report the 2327 * termination to its upper layer. 2328 * 2329 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2330 * B) Rules for packet carrying ABORT: 2331 * 2332 * - The endpoint shall always fill in the Verification Tag field of the 2333 * outbound packet with the destination endpoint's tag value if it 2334 * is known. 2335 * 2336 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2337 * MUST follow the procedure described in Section 8.4. 2338 * 2339 * - The receiver MUST accept the packet if the Verification Tag 2340 * matches either its own tag, OR the tag of its peer. Otherwise, the 2341 * receiver MUST silently discard the packet and take no further 2342 * action. 2343 * 2344 * Inputs 2345 * (endpoint, asoc, chunk) 2346 * 2347 * Outputs 2348 * (asoc, reply_msg, msg_up, timers, counters) 2349 * 2350 * The return value is the disposition of the chunk. 2351 */ 2352 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2353 const struct sctp_association *asoc, 2354 const sctp_subtype_t type, 2355 void *arg, 2356 sctp_cmd_seq_t *commands) 2357 { 2358 struct sctp_chunk *chunk = arg; 2359 2360 if (!sctp_vtag_verify_either(chunk, asoc)) 2361 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2362 2363 /* Make sure that the ABORT chunk has a valid length. 2364 * Since this is an ABORT chunk, we have to discard it 2365 * because of the following text: 2366 * RFC 2960, Section 3.3.7 2367 * If an endpoint receives an ABORT with a format error or for an 2368 * association that doesn't exist, it MUST silently discard it. 2369 * Becasue the length is "invalid", we can't really discard just 2370 * as we do not know its true length. So, to be safe, discard the 2371 * packet. 2372 */ 2373 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2374 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2375 2376 /* ADD-IP: Special case for ABORT chunks 2377 * F4) One special consideration is that ABORT Chunks arriving 2378 * destined to the IP address being deleted MUST be 2379 * ignored (see Section 5.3.1 for further details). 2380 */ 2381 if (SCTP_ADDR_DEL == 2382 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2383 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2384 2385 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2386 } 2387 2388 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2389 const struct sctp_association *asoc, 2390 const sctp_subtype_t type, 2391 void *arg, 2392 sctp_cmd_seq_t *commands) 2393 { 2394 struct sctp_chunk *chunk = arg; 2395 unsigned len; 2396 __be16 error = SCTP_ERROR_NO_ERROR; 2397 2398 /* See if we have an error cause code in the chunk. */ 2399 len = ntohs(chunk->chunk_hdr->length); 2400 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2401 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2402 2403 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2404 /* ASSOC_FAILED will DELETE_TCB. */ 2405 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2406 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2407 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2408 2409 return SCTP_DISPOSITION_ABORT; 2410 } 2411 2412 /* 2413 * Process an ABORT. (COOKIE-WAIT state) 2414 * 2415 * See sctp_sf_do_9_1_abort() above. 2416 */ 2417 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2418 const struct sctp_association *asoc, 2419 const sctp_subtype_t type, 2420 void *arg, 2421 sctp_cmd_seq_t *commands) 2422 { 2423 struct sctp_chunk *chunk = arg; 2424 unsigned len; 2425 __be16 error = SCTP_ERROR_NO_ERROR; 2426 2427 if (!sctp_vtag_verify_either(chunk, asoc)) 2428 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2429 2430 /* Make sure that the ABORT chunk has a valid length. 2431 * Since this is an ABORT chunk, we have to discard it 2432 * because of the following text: 2433 * RFC 2960, Section 3.3.7 2434 * If an endpoint receives an ABORT with a format error or for an 2435 * association that doesn't exist, it MUST silently discard it. 2436 * Becasue the length is "invalid", we can't really discard just 2437 * as we do not know its true length. So, to be safe, discard the 2438 * packet. 2439 */ 2440 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2441 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2442 2443 /* See if we have an error cause code in the chunk. */ 2444 len = ntohs(chunk->chunk_hdr->length); 2445 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2446 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2447 2448 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2449 chunk->transport); 2450 } 2451 2452 /* 2453 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2454 */ 2455 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2456 const struct sctp_association *asoc, 2457 const sctp_subtype_t type, 2458 void *arg, 2459 sctp_cmd_seq_t *commands) 2460 { 2461 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2462 ENOPROTOOPT, asoc, 2463 (struct sctp_transport *)arg); 2464 } 2465 2466 /* 2467 * Process an ABORT. (COOKIE-ECHOED state) 2468 */ 2469 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2470 const struct sctp_association *asoc, 2471 const sctp_subtype_t type, 2472 void *arg, 2473 sctp_cmd_seq_t *commands) 2474 { 2475 /* There is a single T1 timer, so we should be able to use 2476 * common function with the COOKIE-WAIT state. 2477 */ 2478 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2479 } 2480 2481 /* 2482 * Stop T1 timer and abort association with "INIT failed". 2483 * 2484 * This is common code called by several sctp_sf_*_abort() functions above. 2485 */ 2486 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2487 __be16 error, int sk_err, 2488 const struct sctp_association *asoc, 2489 struct sctp_transport *transport) 2490 { 2491 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2492 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2493 SCTP_STATE(SCTP_STATE_CLOSED)); 2494 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2495 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2496 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2497 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2498 /* CMD_INIT_FAILED will DELETE_TCB. */ 2499 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2500 SCTP_PERR(error)); 2501 return SCTP_DISPOSITION_ABORT; 2502 } 2503 2504 /* 2505 * sctp_sf_do_9_2_shut 2506 * 2507 * Section: 9.2 2508 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2509 * - enter the SHUTDOWN-RECEIVED state, 2510 * 2511 * - stop accepting new data from its SCTP user 2512 * 2513 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2514 * that all its outstanding DATA chunks have been received by the 2515 * SHUTDOWN sender. 2516 * 2517 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2518 * send a SHUTDOWN in response to a ULP request. And should discard 2519 * subsequent SHUTDOWN chunks. 2520 * 2521 * If there are still outstanding DATA chunks left, the SHUTDOWN 2522 * receiver shall continue to follow normal data transmission 2523 * procedures defined in Section 6 until all outstanding DATA chunks 2524 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2525 * new data from its SCTP user. 2526 * 2527 * Verification Tag: 8.5 Verification Tag [Normal verification] 2528 * 2529 * Inputs 2530 * (endpoint, asoc, chunk) 2531 * 2532 * Outputs 2533 * (asoc, reply_msg, msg_up, timers, counters) 2534 * 2535 * The return value is the disposition of the chunk. 2536 */ 2537 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2538 const struct sctp_association *asoc, 2539 const sctp_subtype_t type, 2540 void *arg, 2541 sctp_cmd_seq_t *commands) 2542 { 2543 struct sctp_chunk *chunk = arg; 2544 sctp_shutdownhdr_t *sdh; 2545 sctp_disposition_t disposition; 2546 struct sctp_ulpevent *ev; 2547 2548 if (!sctp_vtag_verify(chunk, asoc)) 2549 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2550 2551 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2552 if (!sctp_chunk_length_valid(chunk, 2553 sizeof(struct sctp_shutdown_chunk_t))) 2554 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2555 commands); 2556 2557 /* Convert the elaborate header. */ 2558 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2559 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2560 chunk->subh.shutdown_hdr = sdh; 2561 2562 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2563 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2564 * inform the application that it should cease sending data. 2565 */ 2566 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2567 if (!ev) { 2568 disposition = SCTP_DISPOSITION_NOMEM; 2569 goto out; 2570 } 2571 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2572 2573 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2574 * - enter the SHUTDOWN-RECEIVED state, 2575 * - stop accepting new data from its SCTP user 2576 * 2577 * [This is implicit in the new state.] 2578 */ 2579 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2580 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2581 disposition = SCTP_DISPOSITION_CONSUME; 2582 2583 if (sctp_outq_is_empty(&asoc->outqueue)) { 2584 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2585 arg, commands); 2586 } 2587 2588 if (SCTP_DISPOSITION_NOMEM == disposition) 2589 goto out; 2590 2591 /* - verify, by checking the Cumulative TSN Ack field of the 2592 * chunk, that all its outstanding DATA chunks have been 2593 * received by the SHUTDOWN sender. 2594 */ 2595 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2596 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2597 2598 out: 2599 return disposition; 2600 } 2601 2602 /* RFC 2960 9.2 2603 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2604 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2605 * transport addresses (either in the IP addresses or in the INIT chunk) 2606 * that belong to this association, it should discard the INIT chunk and 2607 * retransmit the SHUTDOWN ACK chunk. 2608 */ 2609 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2610 const struct sctp_association *asoc, 2611 const sctp_subtype_t type, 2612 void *arg, 2613 sctp_cmd_seq_t *commands) 2614 { 2615 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2616 struct sctp_chunk *reply; 2617 2618 /* Make sure that the chunk has a valid length */ 2619 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2620 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2621 commands); 2622 2623 /* Since we are not going to really process this INIT, there 2624 * is no point in verifying chunk boundries. Just generate 2625 * the SHUTDOWN ACK. 2626 */ 2627 reply = sctp_make_shutdown_ack(asoc, chunk); 2628 if (NULL == reply) 2629 goto nomem; 2630 2631 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2632 * the T2-SHUTDOWN timer. 2633 */ 2634 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2635 2636 /* and restart the T2-shutdown timer. */ 2637 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2638 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2639 2640 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2641 2642 return SCTP_DISPOSITION_CONSUME; 2643 nomem: 2644 return SCTP_DISPOSITION_NOMEM; 2645 } 2646 2647 /* 2648 * sctp_sf_do_ecn_cwr 2649 * 2650 * Section: Appendix A: Explicit Congestion Notification 2651 * 2652 * CWR: 2653 * 2654 * RFC 2481 details a specific bit for a sender to send in the header of 2655 * its next outbound TCP segment to indicate to its peer that it has 2656 * reduced its congestion window. This is termed the CWR bit. For 2657 * SCTP the same indication is made by including the CWR chunk. 2658 * This chunk contains one data element, i.e. the TSN number that 2659 * was sent in the ECNE chunk. This element represents the lowest 2660 * TSN number in the datagram that was originally marked with the 2661 * CE bit. 2662 * 2663 * Verification Tag: 8.5 Verification Tag [Normal verification] 2664 * Inputs 2665 * (endpoint, asoc, chunk) 2666 * 2667 * Outputs 2668 * (asoc, reply_msg, msg_up, timers, counters) 2669 * 2670 * The return value is the disposition of the chunk. 2671 */ 2672 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2673 const struct sctp_association *asoc, 2674 const sctp_subtype_t type, 2675 void *arg, 2676 sctp_cmd_seq_t *commands) 2677 { 2678 sctp_cwrhdr_t *cwr; 2679 struct sctp_chunk *chunk = arg; 2680 u32 lowest_tsn; 2681 2682 if (!sctp_vtag_verify(chunk, asoc)) 2683 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2684 2685 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2686 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2687 commands); 2688 2689 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2690 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2691 2692 lowest_tsn = ntohl(cwr->lowest_tsn); 2693 2694 /* Does this CWR ack the last sent congestion notification? */ 2695 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2696 /* Stop sending ECNE. */ 2697 sctp_add_cmd_sf(commands, 2698 SCTP_CMD_ECN_CWR, 2699 SCTP_U32(lowest_tsn)); 2700 } 2701 return SCTP_DISPOSITION_CONSUME; 2702 } 2703 2704 /* 2705 * sctp_sf_do_ecne 2706 * 2707 * Section: Appendix A: Explicit Congestion Notification 2708 * 2709 * ECN-Echo 2710 * 2711 * RFC 2481 details a specific bit for a receiver to send back in its 2712 * TCP acknowledgements to notify the sender of the Congestion 2713 * Experienced (CE) bit having arrived from the network. For SCTP this 2714 * same indication is made by including the ECNE chunk. This chunk 2715 * contains one data element, i.e. the lowest TSN associated with the IP 2716 * datagram marked with the CE bit..... 2717 * 2718 * Verification Tag: 8.5 Verification Tag [Normal verification] 2719 * Inputs 2720 * (endpoint, asoc, chunk) 2721 * 2722 * Outputs 2723 * (asoc, reply_msg, msg_up, timers, counters) 2724 * 2725 * The return value is the disposition of the chunk. 2726 */ 2727 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2728 const struct sctp_association *asoc, 2729 const sctp_subtype_t type, 2730 void *arg, 2731 sctp_cmd_seq_t *commands) 2732 { 2733 sctp_ecnehdr_t *ecne; 2734 struct sctp_chunk *chunk = arg; 2735 2736 if (!sctp_vtag_verify(chunk, asoc)) 2737 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2738 2739 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2740 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2741 commands); 2742 2743 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2744 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2745 2746 /* If this is a newer ECNE than the last CWR packet we sent out */ 2747 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2748 SCTP_U32(ntohl(ecne->lowest_tsn))); 2749 2750 return SCTP_DISPOSITION_CONSUME; 2751 } 2752 2753 /* 2754 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2755 * 2756 * The SCTP endpoint MUST always acknowledge the reception of each valid 2757 * DATA chunk. 2758 * 2759 * The guidelines on delayed acknowledgement algorithm specified in 2760 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2761 * acknowledgement SHOULD be generated for at least every second packet 2762 * (not every second DATA chunk) received, and SHOULD be generated within 2763 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2764 * situations it may be beneficial for an SCTP transmitter to be more 2765 * conservative than the algorithms detailed in this document allow. 2766 * However, an SCTP transmitter MUST NOT be more aggressive than the 2767 * following algorithms allow. 2768 * 2769 * A SCTP receiver MUST NOT generate more than one SACK for every 2770 * incoming packet, other than to update the offered window as the 2771 * receiving application consumes new data. 2772 * 2773 * Verification Tag: 8.5 Verification Tag [Normal verification] 2774 * 2775 * Inputs 2776 * (endpoint, asoc, chunk) 2777 * 2778 * Outputs 2779 * (asoc, reply_msg, msg_up, timers, counters) 2780 * 2781 * The return value is the disposition of the chunk. 2782 */ 2783 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2784 const struct sctp_association *asoc, 2785 const sctp_subtype_t type, 2786 void *arg, 2787 sctp_cmd_seq_t *commands) 2788 { 2789 struct sctp_chunk *chunk = arg; 2790 int error; 2791 2792 if (!sctp_vtag_verify(chunk, asoc)) { 2793 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2794 SCTP_NULL()); 2795 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2796 } 2797 2798 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2799 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2800 commands); 2801 2802 error = sctp_eat_data(asoc, chunk, commands ); 2803 switch (error) { 2804 case SCTP_IERROR_NO_ERROR: 2805 break; 2806 case SCTP_IERROR_HIGH_TSN: 2807 case SCTP_IERROR_BAD_STREAM: 2808 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2809 goto discard_noforce; 2810 case SCTP_IERROR_DUP_TSN: 2811 case SCTP_IERROR_IGNORE_TSN: 2812 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2813 goto discard_force; 2814 case SCTP_IERROR_NO_DATA: 2815 goto consume; 2816 default: 2817 BUG(); 2818 } 2819 2820 if (asoc->autoclose) { 2821 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2822 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2823 } 2824 2825 /* If this is the last chunk in a packet, we need to count it 2826 * toward sack generation. Note that we need to SACK every 2827 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2828 * THEM. We elect to NOT generate SACK's if the chunk fails 2829 * the verification tag test. 2830 * 2831 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2832 * 2833 * The SCTP endpoint MUST always acknowledge the reception of 2834 * each valid DATA chunk. 2835 * 2836 * The guidelines on delayed acknowledgement algorithm 2837 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2838 * Specifically, an acknowledgement SHOULD be generated for at 2839 * least every second packet (not every second DATA chunk) 2840 * received, and SHOULD be generated within 200 ms of the 2841 * arrival of any unacknowledged DATA chunk. In some 2842 * situations it may be beneficial for an SCTP transmitter to 2843 * be more conservative than the algorithms detailed in this 2844 * document allow. However, an SCTP transmitter MUST NOT be 2845 * more aggressive than the following algorithms allow. 2846 */ 2847 if (chunk->end_of_packet) 2848 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2849 2850 return SCTP_DISPOSITION_CONSUME; 2851 2852 discard_force: 2853 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2854 * 2855 * When a packet arrives with duplicate DATA chunk(s) and with 2856 * no new DATA chunk(s), the endpoint MUST immediately send a 2857 * SACK with no delay. If a packet arrives with duplicate 2858 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2859 * MAY immediately send a SACK. Normally receipt of duplicate 2860 * DATA chunks will occur when the original SACK chunk was lost 2861 * and the peer's RTO has expired. The duplicate TSN number(s) 2862 * SHOULD be reported in the SACK as duplicate. 2863 */ 2864 /* In our case, we split the MAY SACK advice up whether or not 2865 * the last chunk is a duplicate.' 2866 */ 2867 if (chunk->end_of_packet) 2868 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2869 return SCTP_DISPOSITION_DISCARD; 2870 2871 discard_noforce: 2872 if (chunk->end_of_packet) 2873 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2874 2875 return SCTP_DISPOSITION_DISCARD; 2876 consume: 2877 return SCTP_DISPOSITION_CONSUME; 2878 2879 } 2880 2881 /* 2882 * sctp_sf_eat_data_fast_4_4 2883 * 2884 * Section: 4 (4) 2885 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2886 * DATA chunks without delay. 2887 * 2888 * Verification Tag: 8.5 Verification Tag [Normal verification] 2889 * Inputs 2890 * (endpoint, asoc, chunk) 2891 * 2892 * Outputs 2893 * (asoc, reply_msg, msg_up, timers, counters) 2894 * 2895 * The return value is the disposition of the chunk. 2896 */ 2897 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2898 const struct sctp_association *asoc, 2899 const sctp_subtype_t type, 2900 void *arg, 2901 sctp_cmd_seq_t *commands) 2902 { 2903 struct sctp_chunk *chunk = arg; 2904 int error; 2905 2906 if (!sctp_vtag_verify(chunk, asoc)) { 2907 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2908 SCTP_NULL()); 2909 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2910 } 2911 2912 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2913 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2914 commands); 2915 2916 error = sctp_eat_data(asoc, chunk, commands ); 2917 switch (error) { 2918 case SCTP_IERROR_NO_ERROR: 2919 case SCTP_IERROR_HIGH_TSN: 2920 case SCTP_IERROR_DUP_TSN: 2921 case SCTP_IERROR_IGNORE_TSN: 2922 case SCTP_IERROR_BAD_STREAM: 2923 break; 2924 case SCTP_IERROR_NO_DATA: 2925 goto consume; 2926 default: 2927 BUG(); 2928 } 2929 2930 /* Go a head and force a SACK, since we are shutting down. */ 2931 2932 /* Implementor's Guide. 2933 * 2934 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2935 * respond to each received packet containing one or more DATA chunk(s) 2936 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2937 */ 2938 if (chunk->end_of_packet) { 2939 /* We must delay the chunk creation since the cumulative 2940 * TSN has not been updated yet. 2941 */ 2942 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2943 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2944 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2945 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2946 } 2947 2948 consume: 2949 return SCTP_DISPOSITION_CONSUME; 2950 } 2951 2952 /* 2953 * Section: 6.2 Processing a Received SACK 2954 * D) Any time a SACK arrives, the endpoint performs the following: 2955 * 2956 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2957 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2958 * increasing, a SACK whose Cumulative TSN Ack is less than the 2959 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2960 * 2961 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2962 * of bytes still outstanding after processing the Cumulative TSN Ack 2963 * and the Gap Ack Blocks. 2964 * 2965 * iii) If the SACK is missing a TSN that was previously 2966 * acknowledged via a Gap Ack Block (e.g., the data receiver 2967 * reneged on the data), then mark the corresponding DATA chunk 2968 * as available for retransmit: Mark it as missing for fast 2969 * retransmit as described in Section 7.2.4 and if no retransmit 2970 * timer is running for the destination address to which the DATA 2971 * chunk was originally transmitted, then T3-rtx is started for 2972 * that destination address. 2973 * 2974 * Verification Tag: 8.5 Verification Tag [Normal verification] 2975 * 2976 * Inputs 2977 * (endpoint, asoc, chunk) 2978 * 2979 * Outputs 2980 * (asoc, reply_msg, msg_up, timers, counters) 2981 * 2982 * The return value is the disposition of the chunk. 2983 */ 2984 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2985 const struct sctp_association *asoc, 2986 const sctp_subtype_t type, 2987 void *arg, 2988 sctp_cmd_seq_t *commands) 2989 { 2990 struct sctp_chunk *chunk = arg; 2991 sctp_sackhdr_t *sackh; 2992 __u32 ctsn; 2993 2994 if (!sctp_vtag_verify(chunk, asoc)) 2995 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2996 2997 /* Make sure that the SACK chunk has a valid length. */ 2998 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 2999 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3000 commands); 3001 3002 /* Pull the SACK chunk from the data buffer */ 3003 sackh = sctp_sm_pull_sack(chunk); 3004 /* Was this a bogus SACK? */ 3005 if (!sackh) 3006 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3007 chunk->subh.sack_hdr = sackh; 3008 ctsn = ntohl(sackh->cum_tsn_ack); 3009 3010 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3011 * Ack Point, then drop the SACK. Since Cumulative TSN 3012 * Ack is monotonically increasing, a SACK whose 3013 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3014 * Point indicates an out-of-order SACK. 3015 */ 3016 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3017 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 3018 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 3019 return SCTP_DISPOSITION_DISCARD; 3020 } 3021 3022 /* If Cumulative TSN Ack beyond the max tsn currently 3023 * send, terminating the association and respond to the 3024 * sender with an ABORT. 3025 */ 3026 if (!TSN_lt(ctsn, asoc->next_tsn)) 3027 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 3028 3029 /* Return this SACK for further processing. */ 3030 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 3031 3032 /* Note: We do the rest of the work on the PROCESS_SACK 3033 * sideeffect. 3034 */ 3035 return SCTP_DISPOSITION_CONSUME; 3036 } 3037 3038 /* 3039 * Generate an ABORT in response to a packet. 3040 * 3041 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3042 * 3043 * 8) The receiver should respond to the sender of the OOTB packet with 3044 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3045 * MUST fill in the Verification Tag field of the outbound packet 3046 * with the value found in the Verification Tag field of the OOTB 3047 * packet and set the T-bit in the Chunk Flags to indicate that the 3048 * Verification Tag is reflected. After sending this ABORT, the 3049 * receiver of the OOTB packet shall discard the OOTB packet and take 3050 * no further action. 3051 * 3052 * Verification Tag: 3053 * 3054 * The return value is the disposition of the chunk. 3055 */ 3056 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 3057 const struct sctp_association *asoc, 3058 const sctp_subtype_t type, 3059 void *arg, 3060 sctp_cmd_seq_t *commands) 3061 { 3062 struct sctp_packet *packet = NULL; 3063 struct sctp_chunk *chunk = arg; 3064 struct sctp_chunk *abort; 3065 3066 packet = sctp_ootb_pkt_new(asoc, chunk); 3067 3068 if (packet) { 3069 /* Make an ABORT. The T bit will be set if the asoc 3070 * is NULL. 3071 */ 3072 abort = sctp_make_abort(asoc, chunk, 0); 3073 if (!abort) { 3074 sctp_ootb_pkt_free(packet); 3075 return SCTP_DISPOSITION_NOMEM; 3076 } 3077 3078 /* Reflect vtag if T-Bit is set */ 3079 if (sctp_test_T_bit(abort)) 3080 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3081 3082 /* Set the skb to the belonging sock for accounting. */ 3083 abort->skb->sk = ep->base.sk; 3084 3085 sctp_packet_append_chunk(packet, abort); 3086 3087 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3088 SCTP_PACKET(packet)); 3089 3090 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3091 3092 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3093 return SCTP_DISPOSITION_CONSUME; 3094 } 3095 3096 return SCTP_DISPOSITION_NOMEM; 3097 } 3098 3099 /* 3100 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3101 * event as ULP notification for each cause included in the chunk. 3102 * 3103 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3104 * 3105 * The return value is the disposition of the chunk. 3106 */ 3107 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 3108 const struct sctp_association *asoc, 3109 const sctp_subtype_t type, 3110 void *arg, 3111 sctp_cmd_seq_t *commands) 3112 { 3113 struct sctp_chunk *chunk = arg; 3114 struct sctp_ulpevent *ev; 3115 3116 if (!sctp_vtag_verify(chunk, asoc)) 3117 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3118 3119 /* Make sure that the ERROR chunk has a valid length. */ 3120 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3121 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3122 commands); 3123 3124 while (chunk->chunk_end > chunk->skb->data) { 3125 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 3126 GFP_ATOMIC); 3127 if (!ev) 3128 goto nomem; 3129 3130 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 3131 SCTP_ULPEVENT(ev)); 3132 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3133 SCTP_CHUNK(chunk)); 3134 } 3135 return SCTP_DISPOSITION_CONSUME; 3136 3137 nomem: 3138 return SCTP_DISPOSITION_NOMEM; 3139 } 3140 3141 /* 3142 * Process an inbound SHUTDOWN ACK. 3143 * 3144 * From Section 9.2: 3145 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3146 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3147 * peer, and remove all record of the association. 3148 * 3149 * The return value is the disposition. 3150 */ 3151 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3152 const struct sctp_association *asoc, 3153 const sctp_subtype_t type, 3154 void *arg, 3155 sctp_cmd_seq_t *commands) 3156 { 3157 struct sctp_chunk *chunk = arg; 3158 struct sctp_chunk *reply; 3159 struct sctp_ulpevent *ev; 3160 3161 if (!sctp_vtag_verify(chunk, asoc)) 3162 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3163 3164 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3165 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3166 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3167 commands); 3168 /* 10.2 H) SHUTDOWN COMPLETE notification 3169 * 3170 * When SCTP completes the shutdown procedures (section 9.2) this 3171 * notification is passed to the upper layer. 3172 */ 3173 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3174 0, 0, 0, NULL, GFP_ATOMIC); 3175 if (!ev) 3176 goto nomem; 3177 3178 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3179 reply = sctp_make_shutdown_complete(asoc, chunk); 3180 if (!reply) 3181 goto nomem_chunk; 3182 3183 /* Do all the commands now (after allocation), so that we 3184 * have consistent state if memory allocation failes 3185 */ 3186 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3187 3188 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3189 * stop the T2-shutdown timer, 3190 */ 3191 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3192 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3193 3194 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3195 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3196 3197 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3198 SCTP_STATE(SCTP_STATE_CLOSED)); 3199 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3200 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3201 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3202 3203 /* ...and remove all record of the association. */ 3204 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3205 return SCTP_DISPOSITION_DELETE_TCB; 3206 3207 nomem_chunk: 3208 sctp_ulpevent_free(ev); 3209 nomem: 3210 return SCTP_DISPOSITION_NOMEM; 3211 } 3212 3213 /* 3214 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3215 * 3216 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3217 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3218 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3219 * packet must fill in the Verification Tag field of the outbound 3220 * packet with the Verification Tag received in the SHUTDOWN ACK and 3221 * set the T-bit in the Chunk Flags to indicate that the Verification 3222 * Tag is reflected. 3223 * 3224 * 8) The receiver should respond to the sender of the OOTB packet with 3225 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3226 * MUST fill in the Verification Tag field of the outbound packet 3227 * with the value found in the Verification Tag field of the OOTB 3228 * packet and set the T-bit in the Chunk Flags to indicate that the 3229 * Verification Tag is reflected. After sending this ABORT, the 3230 * receiver of the OOTB packet shall discard the OOTB packet and take 3231 * no further action. 3232 */ 3233 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3234 const struct sctp_association *asoc, 3235 const sctp_subtype_t type, 3236 void *arg, 3237 sctp_cmd_seq_t *commands) 3238 { 3239 struct sctp_chunk *chunk = arg; 3240 struct sk_buff *skb = chunk->skb; 3241 sctp_chunkhdr_t *ch; 3242 __u8 *ch_end; 3243 int ootb_shut_ack = 0; 3244 3245 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3246 3247 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3248 do { 3249 /* Report violation if the chunk is less then minimal */ 3250 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3251 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3252 commands); 3253 3254 /* Now that we know we at least have a chunk header, 3255 * do things that are type appropriate. 3256 */ 3257 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3258 ootb_shut_ack = 1; 3259 3260 /* RFC 2960, Section 3.3.7 3261 * Moreover, under any circumstances, an endpoint that 3262 * receives an ABORT MUST NOT respond to that ABORT by 3263 * sending an ABORT of its own. 3264 */ 3265 if (SCTP_CID_ABORT == ch->type) 3266 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3267 3268 /* Report violation if chunk len overflows */ 3269 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3270 if (ch_end > skb_tail_pointer(skb)) 3271 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3272 commands); 3273 3274 ch = (sctp_chunkhdr_t *) ch_end; 3275 } while (ch_end < skb_tail_pointer(skb)); 3276 3277 if (ootb_shut_ack) 3278 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3279 else 3280 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3281 } 3282 3283 /* 3284 * Handle an "Out of the blue" SHUTDOWN ACK. 3285 * 3286 * Section: 8.4 5, sctpimpguide 2.41. 3287 * 3288 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3289 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3290 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3291 * packet must fill in the Verification Tag field of the outbound 3292 * packet with the Verification Tag received in the SHUTDOWN ACK and 3293 * set the T-bit in the Chunk Flags to indicate that the Verification 3294 * Tag is reflected. 3295 * 3296 * Inputs 3297 * (endpoint, asoc, type, arg, commands) 3298 * 3299 * Outputs 3300 * (sctp_disposition_t) 3301 * 3302 * The return value is the disposition of the chunk. 3303 */ 3304 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3305 const struct sctp_association *asoc, 3306 const sctp_subtype_t type, 3307 void *arg, 3308 sctp_cmd_seq_t *commands) 3309 { 3310 struct sctp_packet *packet = NULL; 3311 struct sctp_chunk *chunk = arg; 3312 struct sctp_chunk *shut; 3313 3314 packet = sctp_ootb_pkt_new(asoc, chunk); 3315 3316 if (packet) { 3317 /* Make an SHUTDOWN_COMPLETE. 3318 * The T bit will be set if the asoc is NULL. 3319 */ 3320 shut = sctp_make_shutdown_complete(asoc, chunk); 3321 if (!shut) { 3322 sctp_ootb_pkt_free(packet); 3323 return SCTP_DISPOSITION_NOMEM; 3324 } 3325 3326 /* Reflect vtag if T-Bit is set */ 3327 if (sctp_test_T_bit(shut)) 3328 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3329 3330 /* Set the skb to the belonging sock for accounting. */ 3331 shut->skb->sk = ep->base.sk; 3332 3333 sctp_packet_append_chunk(packet, shut); 3334 3335 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3336 SCTP_PACKET(packet)); 3337 3338 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3339 3340 /* If the chunk length is invalid, we don't want to process 3341 * the reset of the packet. 3342 */ 3343 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3344 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3345 3346 /* We need to discard the rest of the packet to prevent 3347 * potential bomming attacks from additional bundled chunks. 3348 * This is documented in SCTP Threats ID. 3349 */ 3350 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3351 } 3352 3353 return SCTP_DISPOSITION_NOMEM; 3354 } 3355 3356 /* 3357 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3358 * 3359 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3360 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3361 * procedures in section 8.4 SHOULD be followed, in other words it 3362 * should be treated as an Out Of The Blue packet. 3363 * [This means that we do NOT check the Verification Tag on these 3364 * chunks. --piggy ] 3365 * 3366 */ 3367 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3368 const struct sctp_association *asoc, 3369 const sctp_subtype_t type, 3370 void *arg, 3371 sctp_cmd_seq_t *commands) 3372 { 3373 struct sctp_chunk *chunk = arg; 3374 3375 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3376 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3377 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3378 commands); 3379 3380 /* Although we do have an association in this case, it corresponds 3381 * to a restarted association. So the packet is treated as an OOTB 3382 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3383 * called with a NULL association. 3384 */ 3385 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3386 } 3387 3388 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3389 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3390 const struct sctp_association *asoc, 3391 const sctp_subtype_t type, void *arg, 3392 sctp_cmd_seq_t *commands) 3393 { 3394 struct sctp_chunk *chunk = arg; 3395 struct sctp_chunk *asconf_ack = NULL; 3396 struct sctp_paramhdr *err_param = NULL; 3397 sctp_addiphdr_t *hdr; 3398 union sctp_addr_param *addr_param; 3399 __u32 serial; 3400 int length; 3401 3402 if (!sctp_vtag_verify(chunk, asoc)) { 3403 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3404 SCTP_NULL()); 3405 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3406 } 3407 3408 /* ADD-IP: Section 4.1.1 3409 * This chunk MUST be sent in an authenticated way by using 3410 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3411 * is received unauthenticated it MUST be silently discarded as 3412 * described in [I-D.ietf-tsvwg-sctp-auth]. 3413 */ 3414 if (!sctp_addip_noauth && !chunk->auth) 3415 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3416 3417 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3418 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3419 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3420 commands); 3421 3422 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3423 serial = ntohl(hdr->serial); 3424 3425 addr_param = (union sctp_addr_param *)hdr->params; 3426 length = ntohs(addr_param->p.length); 3427 if (length < sizeof(sctp_paramhdr_t)) 3428 return sctp_sf_violation_paramlen(ep, asoc, type, 3429 (void *)addr_param, commands); 3430 3431 /* Verify the ASCONF chunk before processing it. */ 3432 if (!sctp_verify_asconf(asoc, 3433 (sctp_paramhdr_t *)((void *)addr_param + length), 3434 (void *)chunk->chunk_end, 3435 &err_param)) 3436 return sctp_sf_violation_paramlen(ep, asoc, type, 3437 (void *)&err_param, commands); 3438 3439 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3440 * the endpoint stored in a new association variable 3441 * 'Peer-Serial-Number'. 3442 */ 3443 if (serial == asoc->peer.addip_serial + 1) { 3444 /* If this is the first instance of ASCONF in the packet, 3445 * we can clean our old ASCONF-ACKs. 3446 */ 3447 if (!chunk->has_asconf) 3448 sctp_assoc_clean_asconf_ack_cache(asoc); 3449 3450 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3451 * expected, process the ASCONF as described below and after 3452 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3453 * the response packet and cache a copy of it (in the event it 3454 * later needs to be retransmitted). 3455 * 3456 * Essentially, do V1-V5. 3457 */ 3458 asconf_ack = sctp_process_asconf((struct sctp_association *) 3459 asoc, chunk); 3460 if (!asconf_ack) 3461 return SCTP_DISPOSITION_NOMEM; 3462 } else if (serial < asoc->peer.addip_serial + 1) { 3463 /* ADDIP 5.2 E2) 3464 * If the value found in the Sequence Number is less than the 3465 * ('Peer- Sequence-Number' + 1), simply skip to the next 3466 * ASCONF, and include in the outbound response packet 3467 * any previously cached ASCONF-ACK response that was 3468 * sent and saved that matches the Sequence Number of the 3469 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3470 * Chunk exists. This will occur when an older ASCONF 3471 * arrives out of order. In such a case, the receiver 3472 * should skip the ASCONF Chunk and not include ASCONF-ACK 3473 * Chunk for that chunk. 3474 */ 3475 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3476 if (!asconf_ack) 3477 return SCTP_DISPOSITION_DISCARD; 3478 } else { 3479 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3480 * it must be either a stale packet or from an attacker. 3481 */ 3482 return SCTP_DISPOSITION_DISCARD; 3483 } 3484 3485 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3486 * containing the ASCONF-ACK Chunks MUST be the source address of 3487 * the SCTP packet that held the ASCONF Chunks. 3488 * 3489 * To do this properly, we'll set the destination address of the chunk 3490 * and at the transmit time, will try look up the transport to use. 3491 * Since ASCONFs may be bundled, the correct transport may not be 3492 * created untill we process the entire packet, thus this workaround. 3493 */ 3494 asconf_ack->dest = chunk->source; 3495 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3496 3497 return SCTP_DISPOSITION_CONSUME; 3498 } 3499 3500 /* 3501 * ADDIP Section 4.3 General rules for address manipulation 3502 * When building TLV parameters for the ASCONF Chunk that will add or 3503 * delete IP addresses the D0 to D13 rules should be applied: 3504 */ 3505 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3506 const struct sctp_association *asoc, 3507 const sctp_subtype_t type, void *arg, 3508 sctp_cmd_seq_t *commands) 3509 { 3510 struct sctp_chunk *asconf_ack = arg; 3511 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3512 struct sctp_chunk *abort; 3513 struct sctp_paramhdr *err_param = NULL; 3514 sctp_addiphdr_t *addip_hdr; 3515 __u32 sent_serial, rcvd_serial; 3516 3517 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3518 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3519 SCTP_NULL()); 3520 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3521 } 3522 3523 /* ADD-IP, Section 4.1.2: 3524 * This chunk MUST be sent in an authenticated way by using 3525 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3526 * is received unauthenticated it MUST be silently discarded as 3527 * described in [I-D.ietf-tsvwg-sctp-auth]. 3528 */ 3529 if (!sctp_addip_noauth && !asconf_ack->auth) 3530 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3531 3532 /* Make sure that the ADDIP chunk has a valid length. */ 3533 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3534 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3535 commands); 3536 3537 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3538 rcvd_serial = ntohl(addip_hdr->serial); 3539 3540 /* Verify the ASCONF-ACK chunk before processing it. */ 3541 if (!sctp_verify_asconf(asoc, 3542 (sctp_paramhdr_t *)addip_hdr->params, 3543 (void *)asconf_ack->chunk_end, 3544 &err_param)) 3545 return sctp_sf_violation_paramlen(ep, asoc, type, 3546 (void *)&err_param, commands); 3547 3548 if (last_asconf) { 3549 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3550 sent_serial = ntohl(addip_hdr->serial); 3551 } else { 3552 sent_serial = asoc->addip_serial - 1; 3553 } 3554 3555 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3556 * equal to the next serial number to be used but no ASCONF chunk is 3557 * outstanding the endpoint MUST ABORT the association. Note that a 3558 * sequence number is greater than if it is no more than 2^^31-1 3559 * larger than the current sequence number (using serial arithmetic). 3560 */ 3561 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3562 !(asoc->addip_last_asconf)) { 3563 abort = sctp_make_abort(asoc, asconf_ack, 3564 sizeof(sctp_errhdr_t)); 3565 if (abort) { 3566 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3567 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3568 SCTP_CHUNK(abort)); 3569 } 3570 /* We are going to ABORT, so we might as well stop 3571 * processing the rest of the chunks in the packet. 3572 */ 3573 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3574 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3575 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3576 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3577 SCTP_ERROR(ECONNABORTED)); 3578 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3579 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3580 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3581 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3582 return SCTP_DISPOSITION_ABORT; 3583 } 3584 3585 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3586 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3587 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3588 3589 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3590 asconf_ack)) 3591 return SCTP_DISPOSITION_CONSUME; 3592 3593 abort = sctp_make_abort(asoc, asconf_ack, 3594 sizeof(sctp_errhdr_t)); 3595 if (abort) { 3596 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3597 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3598 SCTP_CHUNK(abort)); 3599 } 3600 /* We are going to ABORT, so we might as well stop 3601 * processing the rest of the chunks in the packet. 3602 */ 3603 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3604 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3605 SCTP_ERROR(ECONNABORTED)); 3606 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3607 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3608 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3609 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3610 return SCTP_DISPOSITION_ABORT; 3611 } 3612 3613 return SCTP_DISPOSITION_DISCARD; 3614 } 3615 3616 /* 3617 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3618 * 3619 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3620 * its cumulative TSN point to the value carried in the FORWARD TSN 3621 * chunk, and then MUST further advance its cumulative TSN point locally 3622 * if possible. 3623 * After the above processing, the data receiver MUST stop reporting any 3624 * missing TSNs earlier than or equal to the new cumulative TSN point. 3625 * 3626 * Verification Tag: 8.5 Verification Tag [Normal verification] 3627 * 3628 * The return value is the disposition of the chunk. 3629 */ 3630 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3631 const struct sctp_association *asoc, 3632 const sctp_subtype_t type, 3633 void *arg, 3634 sctp_cmd_seq_t *commands) 3635 { 3636 struct sctp_chunk *chunk = arg; 3637 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3638 __u16 len; 3639 __u32 tsn; 3640 3641 if (!sctp_vtag_verify(chunk, asoc)) { 3642 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3643 SCTP_NULL()); 3644 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3645 } 3646 3647 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3648 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3649 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3650 commands); 3651 3652 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3653 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3654 len = ntohs(chunk->chunk_hdr->length); 3655 len -= sizeof(struct sctp_chunkhdr); 3656 skb_pull(chunk->skb, len); 3657 3658 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3659 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3660 3661 /* The TSN is too high--silently discard the chunk and count on it 3662 * getting retransmitted later. 3663 */ 3664 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3665 goto discard_noforce; 3666 3667 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3668 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3669 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3670 SCTP_CHUNK(chunk)); 3671 3672 /* Count this as receiving DATA. */ 3673 if (asoc->autoclose) { 3674 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3675 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3676 } 3677 3678 /* FIXME: For now send a SACK, but DATA processing may 3679 * send another. 3680 */ 3681 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3682 3683 return SCTP_DISPOSITION_CONSUME; 3684 3685 discard_noforce: 3686 return SCTP_DISPOSITION_DISCARD; 3687 } 3688 3689 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3690 const struct sctp_endpoint *ep, 3691 const struct sctp_association *asoc, 3692 const sctp_subtype_t type, 3693 void *arg, 3694 sctp_cmd_seq_t *commands) 3695 { 3696 struct sctp_chunk *chunk = arg; 3697 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3698 __u16 len; 3699 __u32 tsn; 3700 3701 if (!sctp_vtag_verify(chunk, asoc)) { 3702 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3703 SCTP_NULL()); 3704 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3705 } 3706 3707 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3708 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3709 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3710 commands); 3711 3712 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3713 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3714 len = ntohs(chunk->chunk_hdr->length); 3715 len -= sizeof(struct sctp_chunkhdr); 3716 skb_pull(chunk->skb, len); 3717 3718 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3719 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3720 3721 /* The TSN is too high--silently discard the chunk and count on it 3722 * getting retransmitted later. 3723 */ 3724 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3725 goto gen_shutdown; 3726 3727 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3728 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3729 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3730 SCTP_CHUNK(chunk)); 3731 3732 /* Go a head and force a SACK, since we are shutting down. */ 3733 gen_shutdown: 3734 /* Implementor's Guide. 3735 * 3736 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3737 * respond to each received packet containing one or more DATA chunk(s) 3738 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3739 */ 3740 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3741 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3742 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3743 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3744 3745 return SCTP_DISPOSITION_CONSUME; 3746 } 3747 3748 /* 3749 * SCTP-AUTH Section 6.3 Receving authenticated chukns 3750 * 3751 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3752 * Identifier field. If this algorithm was not specified by the 3753 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3754 * during association setup, the AUTH chunk and all chunks after it MUST 3755 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3756 * defined in Section 4.1. 3757 * 3758 * If an endpoint with no shared key receives a Shared Key Identifier 3759 * other than 0, it MUST silently discard all authenticated chunks. If 3760 * the endpoint has at least one endpoint pair shared key for the peer, 3761 * it MUST use the key specified by the Shared Key Identifier if a 3762 * key has been configured for that Shared Key Identifier. If no 3763 * endpoint pair shared key has been configured for that Shared Key 3764 * Identifier, all authenticated chunks MUST be silently discarded. 3765 * 3766 * Verification Tag: 8.5 Verification Tag [Normal verification] 3767 * 3768 * The return value is the disposition of the chunk. 3769 */ 3770 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 3771 const struct sctp_association *asoc, 3772 const sctp_subtype_t type, 3773 struct sctp_chunk *chunk) 3774 { 3775 struct sctp_authhdr *auth_hdr; 3776 struct sctp_hmac *hmac; 3777 unsigned int sig_len; 3778 __u16 key_id; 3779 __u8 *save_digest; 3780 __u8 *digest; 3781 3782 /* Pull in the auth header, so we can do some more verification */ 3783 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3784 chunk->subh.auth_hdr = auth_hdr; 3785 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 3786 3787 /* Make sure that we suport the HMAC algorithm from the auth 3788 * chunk. 3789 */ 3790 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 3791 return SCTP_IERROR_AUTH_BAD_HMAC; 3792 3793 /* Make sure that the provided shared key identifier has been 3794 * configured 3795 */ 3796 key_id = ntohs(auth_hdr->shkey_id); 3797 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 3798 return SCTP_IERROR_AUTH_BAD_KEYID; 3799 3800 3801 /* Make sure that the length of the signature matches what 3802 * we expect. 3803 */ 3804 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 3805 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 3806 if (sig_len != hmac->hmac_len) 3807 return SCTP_IERROR_PROTO_VIOLATION; 3808 3809 /* Now that we've done validation checks, we can compute and 3810 * verify the hmac. The steps involved are: 3811 * 1. Save the digest from the chunk. 3812 * 2. Zero out the digest in the chunk. 3813 * 3. Compute the new digest 3814 * 4. Compare saved and new digests. 3815 */ 3816 digest = auth_hdr->hmac; 3817 skb_pull(chunk->skb, sig_len); 3818 3819 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 3820 if (!save_digest) 3821 goto nomem; 3822 3823 memset(digest, 0, sig_len); 3824 3825 sctp_auth_calculate_hmac(asoc, chunk->skb, 3826 (struct sctp_auth_chunk *)chunk->chunk_hdr, 3827 GFP_ATOMIC); 3828 3829 /* Discard the packet if the digests do not match */ 3830 if (memcmp(save_digest, digest, sig_len)) { 3831 kfree(save_digest); 3832 return SCTP_IERROR_BAD_SIG; 3833 } 3834 3835 kfree(save_digest); 3836 chunk->auth = 1; 3837 3838 return SCTP_IERROR_NO_ERROR; 3839 nomem: 3840 return SCTP_IERROR_NOMEM; 3841 } 3842 3843 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep, 3844 const struct sctp_association *asoc, 3845 const sctp_subtype_t type, 3846 void *arg, 3847 sctp_cmd_seq_t *commands) 3848 { 3849 struct sctp_authhdr *auth_hdr; 3850 struct sctp_chunk *chunk = arg; 3851 struct sctp_chunk *err_chunk; 3852 sctp_ierror_t error; 3853 3854 /* Make sure that the peer has AUTH capable */ 3855 if (!asoc->peer.auth_capable) 3856 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands); 3857 3858 if (!sctp_vtag_verify(chunk, asoc)) { 3859 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3860 SCTP_NULL()); 3861 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3862 } 3863 3864 /* Make sure that the AUTH chunk has valid length. */ 3865 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 3866 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3867 commands); 3868 3869 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3870 error = sctp_sf_authenticate(ep, asoc, type, chunk); 3871 switch (error) { 3872 case SCTP_IERROR_AUTH_BAD_HMAC: 3873 /* Generate the ERROR chunk and discard the rest 3874 * of the packet 3875 */ 3876 err_chunk = sctp_make_op_error(asoc, chunk, 3877 SCTP_ERROR_UNSUP_HMAC, 3878 &auth_hdr->hmac_id, 3879 sizeof(__u16)); 3880 if (err_chunk) { 3881 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3882 SCTP_CHUNK(err_chunk)); 3883 } 3884 /* Fall Through */ 3885 case SCTP_IERROR_AUTH_BAD_KEYID: 3886 case SCTP_IERROR_BAD_SIG: 3887 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3888 break; 3889 case SCTP_IERROR_PROTO_VIOLATION: 3890 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3891 commands); 3892 break; 3893 case SCTP_IERROR_NOMEM: 3894 return SCTP_DISPOSITION_NOMEM; 3895 default: 3896 break; 3897 } 3898 3899 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 3900 struct sctp_ulpevent *ev; 3901 3902 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 3903 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 3904 3905 if (!ev) 3906 return -ENOMEM; 3907 3908 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 3909 SCTP_ULPEVENT(ev)); 3910 } 3911 3912 return SCTP_DISPOSITION_CONSUME; 3913 } 3914 3915 /* 3916 * Process an unknown chunk. 3917 * 3918 * Section: 3.2. Also, 2.1 in the implementor's guide. 3919 * 3920 * Chunk Types are encoded such that the highest-order two bits specify 3921 * the action that must be taken if the processing endpoint does not 3922 * recognize the Chunk Type. 3923 * 3924 * 00 - Stop processing this SCTP packet and discard it, do not process 3925 * any further chunks within it. 3926 * 3927 * 01 - Stop processing this SCTP packet and discard it, do not process 3928 * any further chunks within it, and report the unrecognized 3929 * chunk in an 'Unrecognized Chunk Type'. 3930 * 3931 * 10 - Skip this chunk and continue processing. 3932 * 3933 * 11 - Skip this chunk and continue processing, but report in an ERROR 3934 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3935 * 3936 * The return value is the disposition of the chunk. 3937 */ 3938 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3939 const struct sctp_association *asoc, 3940 const sctp_subtype_t type, 3941 void *arg, 3942 sctp_cmd_seq_t *commands) 3943 { 3944 struct sctp_chunk *unk_chunk = arg; 3945 struct sctp_chunk *err_chunk; 3946 sctp_chunkhdr_t *hdr; 3947 3948 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3949 3950 if (!sctp_vtag_verify(unk_chunk, asoc)) 3951 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3952 3953 /* Make sure that the chunk has a valid length. 3954 * Since we don't know the chunk type, we use a general 3955 * chunkhdr structure to make a comparison. 3956 */ 3957 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3958 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3959 commands); 3960 3961 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3962 case SCTP_CID_ACTION_DISCARD: 3963 /* Discard the packet. */ 3964 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3965 break; 3966 case SCTP_CID_ACTION_DISCARD_ERR: 3967 /* Generate an ERROR chunk as response. */ 3968 hdr = unk_chunk->chunk_hdr; 3969 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3970 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3971 WORD_ROUND(ntohs(hdr->length))); 3972 if (err_chunk) { 3973 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3974 SCTP_CHUNK(err_chunk)); 3975 } 3976 3977 /* Discard the packet. */ 3978 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3979 return SCTP_DISPOSITION_CONSUME; 3980 break; 3981 case SCTP_CID_ACTION_SKIP: 3982 /* Skip the chunk. */ 3983 return SCTP_DISPOSITION_DISCARD; 3984 break; 3985 case SCTP_CID_ACTION_SKIP_ERR: 3986 /* Generate an ERROR chunk as response. */ 3987 hdr = unk_chunk->chunk_hdr; 3988 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3989 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3990 WORD_ROUND(ntohs(hdr->length))); 3991 if (err_chunk) { 3992 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3993 SCTP_CHUNK(err_chunk)); 3994 } 3995 /* Skip the chunk. */ 3996 return SCTP_DISPOSITION_CONSUME; 3997 break; 3998 default: 3999 break; 4000 } 4001 4002 return SCTP_DISPOSITION_DISCARD; 4003 } 4004 4005 /* 4006 * Discard the chunk. 4007 * 4008 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4009 * [Too numerous to mention...] 4010 * Verification Tag: No verification needed. 4011 * Inputs 4012 * (endpoint, asoc, chunk) 4013 * 4014 * Outputs 4015 * (asoc, reply_msg, msg_up, timers, counters) 4016 * 4017 * The return value is the disposition of the chunk. 4018 */ 4019 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 4020 const struct sctp_association *asoc, 4021 const sctp_subtype_t type, 4022 void *arg, 4023 sctp_cmd_seq_t *commands) 4024 { 4025 struct sctp_chunk *chunk = arg; 4026 4027 /* Make sure that the chunk has a valid length. 4028 * Since we don't know the chunk type, we use a general 4029 * chunkhdr structure to make a comparison. 4030 */ 4031 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4032 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4033 commands); 4034 4035 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 4036 return SCTP_DISPOSITION_DISCARD; 4037 } 4038 4039 /* 4040 * Discard the whole packet. 4041 * 4042 * Section: 8.4 2) 4043 * 4044 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4045 * silently discard the OOTB packet and take no further action. 4046 * 4047 * Verification Tag: No verification necessary 4048 * 4049 * Inputs 4050 * (endpoint, asoc, chunk) 4051 * 4052 * Outputs 4053 * (asoc, reply_msg, msg_up, timers, counters) 4054 * 4055 * The return value is the disposition of the chunk. 4056 */ 4057 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 4058 const struct sctp_association *asoc, 4059 const sctp_subtype_t type, 4060 void *arg, 4061 sctp_cmd_seq_t *commands) 4062 { 4063 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 4064 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4065 4066 return SCTP_DISPOSITION_CONSUME; 4067 } 4068 4069 4070 /* 4071 * The other end is violating protocol. 4072 * 4073 * Section: Not specified 4074 * Verification Tag: Not specified 4075 * Inputs 4076 * (endpoint, asoc, chunk) 4077 * 4078 * Outputs 4079 * (asoc, reply_msg, msg_up, timers, counters) 4080 * 4081 * We simply tag the chunk as a violation. The state machine will log 4082 * the violation and continue. 4083 */ 4084 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 4085 const struct sctp_association *asoc, 4086 const sctp_subtype_t type, 4087 void *arg, 4088 sctp_cmd_seq_t *commands) 4089 { 4090 struct sctp_chunk *chunk = arg; 4091 4092 /* Make sure that the chunk has a valid length. */ 4093 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4094 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4095 commands); 4096 4097 return SCTP_DISPOSITION_VIOLATION; 4098 } 4099 4100 /* 4101 * Common function to handle a protocol violation. 4102 */ 4103 static sctp_disposition_t sctp_sf_abort_violation( 4104 const struct sctp_endpoint *ep, 4105 const struct sctp_association *asoc, 4106 void *arg, 4107 sctp_cmd_seq_t *commands, 4108 const __u8 *payload, 4109 const size_t paylen) 4110 { 4111 struct sctp_packet *packet = NULL; 4112 struct sctp_chunk *chunk = arg; 4113 struct sctp_chunk *abort = NULL; 4114 4115 /* SCTP-AUTH, Section 6.3: 4116 * It should be noted that if the receiver wants to tear 4117 * down an association in an authenticated way only, the 4118 * handling of malformed packets should not result in 4119 * tearing down the association. 4120 * 4121 * This means that if we only want to abort associations 4122 * in an authenticated way (i.e AUTH+ABORT), then we 4123 * can't destroy this association just becuase the packet 4124 * was malformed. 4125 */ 4126 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4127 goto discard; 4128 4129 /* Make the abort chunk. */ 4130 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4131 if (!abort) 4132 goto nomem; 4133 4134 if (asoc) { 4135 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4136 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4137 !asoc->peer.i.init_tag) { 4138 sctp_initack_chunk_t *initack; 4139 4140 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 4141 if (!sctp_chunk_length_valid(chunk, 4142 sizeof(sctp_initack_chunk_t))) 4143 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4144 else { 4145 unsigned int inittag; 4146 4147 inittag = ntohl(initack->init_hdr.init_tag); 4148 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4149 SCTP_U32(inittag)); 4150 } 4151 } 4152 4153 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4154 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4155 4156 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4157 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4158 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4159 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4160 SCTP_ERROR(ECONNREFUSED)); 4161 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4162 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4163 } else { 4164 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4165 SCTP_ERROR(ECONNABORTED)); 4166 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4167 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4168 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4169 } 4170 } else { 4171 packet = sctp_ootb_pkt_new(asoc, chunk); 4172 4173 if (!packet) 4174 goto nomem_pkt; 4175 4176 if (sctp_test_T_bit(abort)) 4177 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4178 4179 abort->skb->sk = ep->base.sk; 4180 4181 sctp_packet_append_chunk(packet, abort); 4182 4183 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4184 SCTP_PACKET(packet)); 4185 4186 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4187 } 4188 4189 discard: 4190 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4191 4192 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4193 4194 return SCTP_DISPOSITION_ABORT; 4195 4196 nomem_pkt: 4197 sctp_chunk_free(abort); 4198 nomem: 4199 return SCTP_DISPOSITION_NOMEM; 4200 } 4201 4202 /* 4203 * Handle a protocol violation when the chunk length is invalid. 4204 * "Invalid" length is identified as smaller then the minimal length a 4205 * given chunk can be. For example, a SACK chunk has invalid length 4206 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 4207 * 4208 * We inform the other end by sending an ABORT with a Protocol Violation 4209 * error code. 4210 * 4211 * Section: Not specified 4212 * Verification Tag: Nothing to do 4213 * Inputs 4214 * (endpoint, asoc, chunk) 4215 * 4216 * Outputs 4217 * (reply_msg, msg_up, counters) 4218 * 4219 * Generate an ABORT chunk and terminate the association. 4220 */ 4221 static sctp_disposition_t sctp_sf_violation_chunklen( 4222 const struct sctp_endpoint *ep, 4223 const struct sctp_association *asoc, 4224 const sctp_subtype_t type, 4225 void *arg, 4226 sctp_cmd_seq_t *commands) 4227 { 4228 static const char err_str[]="The following chunk had invalid length:"; 4229 4230 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4231 sizeof(err_str)); 4232 } 4233 4234 /* 4235 * Handle a protocol violation when the parameter length is invalid. 4236 * "Invalid" length is identified as smaller then the minimal length a 4237 * given parameter can be. 4238 */ 4239 static sctp_disposition_t sctp_sf_violation_paramlen( 4240 const struct sctp_endpoint *ep, 4241 const struct sctp_association *asoc, 4242 const sctp_subtype_t type, 4243 void *arg, 4244 sctp_cmd_seq_t *commands) { 4245 static const char err_str[] = "The following parameter had invalid length:"; 4246 4247 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4248 sizeof(err_str)); 4249 } 4250 4251 /* Handle a protocol violation when the peer trying to advance the 4252 * cumulative tsn ack to a point beyond the max tsn currently sent. 4253 * 4254 * We inform the other end by sending an ABORT with a Protocol Violation 4255 * error code. 4256 */ 4257 static sctp_disposition_t sctp_sf_violation_ctsn( 4258 const struct sctp_endpoint *ep, 4259 const struct sctp_association *asoc, 4260 const sctp_subtype_t type, 4261 void *arg, 4262 sctp_cmd_seq_t *commands) 4263 { 4264 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:"; 4265 4266 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4267 sizeof(err_str)); 4268 } 4269 4270 /* Handle protocol violation of an invalid chunk bundling. For example, 4271 * when we have an association and we recieve bundled INIT-ACK, or 4272 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4273 * statement from the specs. Additinally, there might be an attacker 4274 * on the path and we may not want to continue this communication. 4275 */ 4276 static sctp_disposition_t sctp_sf_violation_chunk( 4277 const struct sctp_endpoint *ep, 4278 const struct sctp_association *asoc, 4279 const sctp_subtype_t type, 4280 void *arg, 4281 sctp_cmd_seq_t *commands) 4282 { 4283 static const char err_str[]="The following chunk violates protocol:"; 4284 4285 if (!asoc) 4286 return sctp_sf_violation(ep, asoc, type, arg, commands); 4287 4288 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4289 sizeof(err_str)); 4290 } 4291 /*************************************************************************** 4292 * These are the state functions for handling primitive (Section 10) events. 4293 ***************************************************************************/ 4294 /* 4295 * sctp_sf_do_prm_asoc 4296 * 4297 * Section: 10.1 ULP-to-SCTP 4298 * B) Associate 4299 * 4300 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4301 * outbound stream count) 4302 * -> association id [,destination transport addr list] [,outbound stream 4303 * count] 4304 * 4305 * This primitive allows the upper layer to initiate an association to a 4306 * specific peer endpoint. 4307 * 4308 * The peer endpoint shall be specified by one of the transport addresses 4309 * which defines the endpoint (see Section 1.4). If the local SCTP 4310 * instance has not been initialized, the ASSOCIATE is considered an 4311 * error. 4312 * [This is not relevant for the kernel implementation since we do all 4313 * initialization at boot time. It we hadn't initialized we wouldn't 4314 * get anywhere near this code.] 4315 * 4316 * An association id, which is a local handle to the SCTP association, 4317 * will be returned on successful establishment of the association. If 4318 * SCTP is not able to open an SCTP association with the peer endpoint, 4319 * an error is returned. 4320 * [In the kernel implementation, the struct sctp_association needs to 4321 * be created BEFORE causing this primitive to run.] 4322 * 4323 * Other association parameters may be returned, including the 4324 * complete destination transport addresses of the peer as well as the 4325 * outbound stream count of the local endpoint. One of the transport 4326 * address from the returned destination addresses will be selected by 4327 * the local endpoint as default primary path for sending SCTP packets 4328 * to this peer. The returned "destination transport addr list" can 4329 * be used by the ULP to change the default primary path or to force 4330 * sending a packet to a specific transport address. [All of this 4331 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4332 * function.] 4333 * 4334 * Mandatory attributes: 4335 * 4336 * o local SCTP instance name - obtained from the INITIALIZE operation. 4337 * [This is the argument asoc.] 4338 * o destination transport addr - specified as one of the transport 4339 * addresses of the peer endpoint with which the association is to be 4340 * established. 4341 * [This is asoc->peer.active_path.] 4342 * o outbound stream count - the number of outbound streams the ULP 4343 * would like to open towards this peer endpoint. 4344 * [BUG: This is not currently implemented.] 4345 * Optional attributes: 4346 * 4347 * None. 4348 * 4349 * The return value is a disposition. 4350 */ 4351 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 4352 const struct sctp_association *asoc, 4353 const sctp_subtype_t type, 4354 void *arg, 4355 sctp_cmd_seq_t *commands) 4356 { 4357 struct sctp_chunk *repl; 4358 struct sctp_association* my_asoc; 4359 4360 /* The comment below says that we enter COOKIE-WAIT AFTER 4361 * sending the INIT, but that doesn't actually work in our 4362 * implementation... 4363 */ 4364 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4365 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4366 4367 /* RFC 2960 5.1 Normal Establishment of an Association 4368 * 4369 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4370 * must provide its Verification Tag (Tag_A) in the Initiate 4371 * Tag field. Tag_A SHOULD be a random number in the range of 4372 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4373 */ 4374 4375 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4376 if (!repl) 4377 goto nomem; 4378 4379 /* Cast away the const modifier, as we want to just 4380 * rerun it through as a sideffect. 4381 */ 4382 my_asoc = (struct sctp_association *)asoc; 4383 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4384 4385 /* Choose transport for INIT. */ 4386 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4387 SCTP_CHUNK(repl)); 4388 4389 /* After sending the INIT, "A" starts the T1-init timer and 4390 * enters the COOKIE-WAIT state. 4391 */ 4392 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4393 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4394 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4395 return SCTP_DISPOSITION_CONSUME; 4396 4397 nomem: 4398 return SCTP_DISPOSITION_NOMEM; 4399 } 4400 4401 /* 4402 * Process the SEND primitive. 4403 * 4404 * Section: 10.1 ULP-to-SCTP 4405 * E) Send 4406 * 4407 * Format: SEND(association id, buffer address, byte count [,context] 4408 * [,stream id] [,life time] [,destination transport address] 4409 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4410 * -> result 4411 * 4412 * This is the main method to send user data via SCTP. 4413 * 4414 * Mandatory attributes: 4415 * 4416 * o association id - local handle to the SCTP association 4417 * 4418 * o buffer address - the location where the user message to be 4419 * transmitted is stored; 4420 * 4421 * o byte count - The size of the user data in number of bytes; 4422 * 4423 * Optional attributes: 4424 * 4425 * o context - an optional 32 bit integer that will be carried in the 4426 * sending failure notification to the ULP if the transportation of 4427 * this User Message fails. 4428 * 4429 * o stream id - to indicate which stream to send the data on. If not 4430 * specified, stream 0 will be used. 4431 * 4432 * o life time - specifies the life time of the user data. The user data 4433 * will not be sent by SCTP after the life time expires. This 4434 * parameter can be used to avoid efforts to transmit stale 4435 * user messages. SCTP notifies the ULP if the data cannot be 4436 * initiated to transport (i.e. sent to the destination via SCTP's 4437 * send primitive) within the life time variable. However, the 4438 * user data will be transmitted if SCTP has attempted to transmit a 4439 * chunk before the life time expired. 4440 * 4441 * o destination transport address - specified as one of the destination 4442 * transport addresses of the peer endpoint to which this packet 4443 * should be sent. Whenever possible, SCTP should use this destination 4444 * transport address for sending the packets, instead of the current 4445 * primary path. 4446 * 4447 * o unorder flag - this flag, if present, indicates that the user 4448 * would like the data delivered in an unordered fashion to the peer 4449 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4450 * message). 4451 * 4452 * o no-bundle flag - instructs SCTP not to bundle this user data with 4453 * other outbound DATA chunks. SCTP MAY still bundle even when 4454 * this flag is present, when faced with network congestion. 4455 * 4456 * o payload protocol-id - A 32 bit unsigned integer that is to be 4457 * passed to the peer indicating the type of payload protocol data 4458 * being transmitted. This value is passed as opaque data by SCTP. 4459 * 4460 * The return value is the disposition. 4461 */ 4462 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 4463 const struct sctp_association *asoc, 4464 const sctp_subtype_t type, 4465 void *arg, 4466 sctp_cmd_seq_t *commands) 4467 { 4468 struct sctp_chunk *chunk = arg; 4469 4470 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4471 return SCTP_DISPOSITION_CONSUME; 4472 } 4473 4474 /* 4475 * Process the SHUTDOWN primitive. 4476 * 4477 * Section: 10.1: 4478 * C) Shutdown 4479 * 4480 * Format: SHUTDOWN(association id) 4481 * -> result 4482 * 4483 * Gracefully closes an association. Any locally queued user data 4484 * will be delivered to the peer. The association will be terminated only 4485 * after the peer acknowledges all the SCTP packets sent. A success code 4486 * will be returned on successful termination of the association. If 4487 * attempting to terminate the association results in a failure, an error 4488 * code shall be returned. 4489 * 4490 * Mandatory attributes: 4491 * 4492 * o association id - local handle to the SCTP association 4493 * 4494 * Optional attributes: 4495 * 4496 * None. 4497 * 4498 * The return value is the disposition. 4499 */ 4500 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4501 const struct sctp_endpoint *ep, 4502 const struct sctp_association *asoc, 4503 const sctp_subtype_t type, 4504 void *arg, 4505 sctp_cmd_seq_t *commands) 4506 { 4507 int disposition; 4508 4509 /* From 9.2 Shutdown of an Association 4510 * Upon receipt of the SHUTDOWN primitive from its upper 4511 * layer, the endpoint enters SHUTDOWN-PENDING state and 4512 * remains there until all outstanding data has been 4513 * acknowledged by its peer. The endpoint accepts no new data 4514 * from its upper layer, but retransmits data to the far end 4515 * if necessary to fill gaps. 4516 */ 4517 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4518 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4519 4520 /* sctpimpguide-05 Section 2.12.2 4521 * The sender of the SHUTDOWN MAY also start an overall guard timer 4522 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4523 */ 4524 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4525 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4526 4527 disposition = SCTP_DISPOSITION_CONSUME; 4528 if (sctp_outq_is_empty(&asoc->outqueue)) { 4529 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4530 arg, commands); 4531 } 4532 return disposition; 4533 } 4534 4535 /* 4536 * Process the ABORT primitive. 4537 * 4538 * Section: 10.1: 4539 * C) Abort 4540 * 4541 * Format: Abort(association id [, cause code]) 4542 * -> result 4543 * 4544 * Ungracefully closes an association. Any locally queued user data 4545 * will be discarded and an ABORT chunk is sent to the peer. A success code 4546 * will be returned on successful abortion of the association. If 4547 * attempting to abort the association results in a failure, an error 4548 * code shall be returned. 4549 * 4550 * Mandatory attributes: 4551 * 4552 * o association id - local handle to the SCTP association 4553 * 4554 * Optional attributes: 4555 * 4556 * o cause code - reason of the abort to be passed to the peer 4557 * 4558 * None. 4559 * 4560 * The return value is the disposition. 4561 */ 4562 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4563 const struct sctp_endpoint *ep, 4564 const struct sctp_association *asoc, 4565 const sctp_subtype_t type, 4566 void *arg, 4567 sctp_cmd_seq_t *commands) 4568 { 4569 /* From 9.1 Abort of an Association 4570 * Upon receipt of the ABORT primitive from its upper 4571 * layer, the endpoint enters CLOSED state and 4572 * discard all outstanding data has been 4573 * acknowledged by its peer. The endpoint accepts no new data 4574 * from its upper layer, but retransmits data to the far end 4575 * if necessary to fill gaps. 4576 */ 4577 struct sctp_chunk *abort = arg; 4578 sctp_disposition_t retval; 4579 4580 retval = SCTP_DISPOSITION_CONSUME; 4581 4582 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4583 4584 /* Even if we can't send the ABORT due to low memory delete the 4585 * TCB. This is a departure from our typical NOMEM handling. 4586 */ 4587 4588 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4589 SCTP_ERROR(ECONNABORTED)); 4590 /* Delete the established association. */ 4591 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4592 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4593 4594 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4595 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4596 4597 return retval; 4598 } 4599 4600 /* We tried an illegal operation on an association which is closed. */ 4601 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4602 const struct sctp_association *asoc, 4603 const sctp_subtype_t type, 4604 void *arg, 4605 sctp_cmd_seq_t *commands) 4606 { 4607 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4608 return SCTP_DISPOSITION_CONSUME; 4609 } 4610 4611 /* We tried an illegal operation on an association which is shutting 4612 * down. 4613 */ 4614 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4615 const struct sctp_association *asoc, 4616 const sctp_subtype_t type, 4617 void *arg, 4618 sctp_cmd_seq_t *commands) 4619 { 4620 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4621 SCTP_ERROR(-ESHUTDOWN)); 4622 return SCTP_DISPOSITION_CONSUME; 4623 } 4624 4625 /* 4626 * sctp_cookie_wait_prm_shutdown 4627 * 4628 * Section: 4 Note: 2 4629 * Verification Tag: 4630 * Inputs 4631 * (endpoint, asoc) 4632 * 4633 * The RFC does not explicitly address this issue, but is the route through the 4634 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4635 * 4636 * Outputs 4637 * (timers) 4638 */ 4639 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4640 const struct sctp_endpoint *ep, 4641 const struct sctp_association *asoc, 4642 const sctp_subtype_t type, 4643 void *arg, 4644 sctp_cmd_seq_t *commands) 4645 { 4646 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4647 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4648 4649 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4650 SCTP_STATE(SCTP_STATE_CLOSED)); 4651 4652 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4653 4654 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4655 4656 return SCTP_DISPOSITION_DELETE_TCB; 4657 } 4658 4659 /* 4660 * sctp_cookie_echoed_prm_shutdown 4661 * 4662 * Section: 4 Note: 2 4663 * Verification Tag: 4664 * Inputs 4665 * (endpoint, asoc) 4666 * 4667 * The RFC does not explcitly address this issue, but is the route through the 4668 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4669 * 4670 * Outputs 4671 * (timers) 4672 */ 4673 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4674 const struct sctp_endpoint *ep, 4675 const struct sctp_association *asoc, 4676 const sctp_subtype_t type, 4677 void *arg, sctp_cmd_seq_t *commands) 4678 { 4679 /* There is a single T1 timer, so we should be able to use 4680 * common function with the COOKIE-WAIT state. 4681 */ 4682 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4683 } 4684 4685 /* 4686 * sctp_sf_cookie_wait_prm_abort 4687 * 4688 * Section: 4 Note: 2 4689 * Verification Tag: 4690 * Inputs 4691 * (endpoint, asoc) 4692 * 4693 * The RFC does not explicitly address this issue, but is the route through the 4694 * state table when someone issues an abort while in COOKIE_WAIT state. 4695 * 4696 * Outputs 4697 * (timers) 4698 */ 4699 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4700 const struct sctp_endpoint *ep, 4701 const struct sctp_association *asoc, 4702 const sctp_subtype_t type, 4703 void *arg, 4704 sctp_cmd_seq_t *commands) 4705 { 4706 struct sctp_chunk *abort = arg; 4707 sctp_disposition_t retval; 4708 4709 /* Stop T1-init timer */ 4710 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4711 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4712 retval = SCTP_DISPOSITION_CONSUME; 4713 4714 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4715 4716 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4717 SCTP_STATE(SCTP_STATE_CLOSED)); 4718 4719 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4720 4721 /* Even if we can't send the ABORT due to low memory delete the 4722 * TCB. This is a departure from our typical NOMEM handling. 4723 */ 4724 4725 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4726 SCTP_ERROR(ECONNREFUSED)); 4727 /* Delete the established association. */ 4728 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4729 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4730 4731 return retval; 4732 } 4733 4734 /* 4735 * sctp_sf_cookie_echoed_prm_abort 4736 * 4737 * Section: 4 Note: 3 4738 * Verification Tag: 4739 * Inputs 4740 * (endpoint, asoc) 4741 * 4742 * The RFC does not explcitly address this issue, but is the route through the 4743 * state table when someone issues an abort while in COOKIE_ECHOED state. 4744 * 4745 * Outputs 4746 * (timers) 4747 */ 4748 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4749 const struct sctp_endpoint *ep, 4750 const struct sctp_association *asoc, 4751 const sctp_subtype_t type, 4752 void *arg, 4753 sctp_cmd_seq_t *commands) 4754 { 4755 /* There is a single T1 timer, so we should be able to use 4756 * common function with the COOKIE-WAIT state. 4757 */ 4758 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4759 } 4760 4761 /* 4762 * sctp_sf_shutdown_pending_prm_abort 4763 * 4764 * Inputs 4765 * (endpoint, asoc) 4766 * 4767 * The RFC does not explicitly address this issue, but is the route through the 4768 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4769 * 4770 * Outputs 4771 * (timers) 4772 */ 4773 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4774 const struct sctp_endpoint *ep, 4775 const struct sctp_association *asoc, 4776 const sctp_subtype_t type, 4777 void *arg, 4778 sctp_cmd_seq_t *commands) 4779 { 4780 /* Stop the T5-shutdown guard timer. */ 4781 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4782 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4783 4784 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4785 } 4786 4787 /* 4788 * sctp_sf_shutdown_sent_prm_abort 4789 * 4790 * Inputs 4791 * (endpoint, asoc) 4792 * 4793 * The RFC does not explicitly address this issue, but is the route through the 4794 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4795 * 4796 * Outputs 4797 * (timers) 4798 */ 4799 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4800 const struct sctp_endpoint *ep, 4801 const struct sctp_association *asoc, 4802 const sctp_subtype_t type, 4803 void *arg, 4804 sctp_cmd_seq_t *commands) 4805 { 4806 /* Stop the T2-shutdown timer. */ 4807 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4808 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4809 4810 /* Stop the T5-shutdown guard timer. */ 4811 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4812 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4813 4814 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4815 } 4816 4817 /* 4818 * sctp_sf_cookie_echoed_prm_abort 4819 * 4820 * Inputs 4821 * (endpoint, asoc) 4822 * 4823 * The RFC does not explcitly address this issue, but is the route through the 4824 * state table when someone issues an abort while in COOKIE_ECHOED state. 4825 * 4826 * Outputs 4827 * (timers) 4828 */ 4829 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4830 const struct sctp_endpoint *ep, 4831 const struct sctp_association *asoc, 4832 const sctp_subtype_t type, 4833 void *arg, 4834 sctp_cmd_seq_t *commands) 4835 { 4836 /* The same T2 timer, so we should be able to use 4837 * common function with the SHUTDOWN-SENT state. 4838 */ 4839 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4840 } 4841 4842 /* 4843 * Process the REQUESTHEARTBEAT primitive 4844 * 4845 * 10.1 ULP-to-SCTP 4846 * J) Request Heartbeat 4847 * 4848 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4849 * 4850 * -> result 4851 * 4852 * Instructs the local endpoint to perform a HeartBeat on the specified 4853 * destination transport address of the given association. The returned 4854 * result should indicate whether the transmission of the HEARTBEAT 4855 * chunk to the destination address is successful. 4856 * 4857 * Mandatory attributes: 4858 * 4859 * o association id - local handle to the SCTP association 4860 * 4861 * o destination transport address - the transport address of the 4862 * association on which a heartbeat should be issued. 4863 */ 4864 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4865 const struct sctp_endpoint *ep, 4866 const struct sctp_association *asoc, 4867 const sctp_subtype_t type, 4868 void *arg, 4869 sctp_cmd_seq_t *commands) 4870 { 4871 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 4872 (struct sctp_transport *)arg, commands)) 4873 return SCTP_DISPOSITION_NOMEM; 4874 4875 /* 4876 * RFC 2960 (bis), section 8.3 4877 * 4878 * D) Request an on-demand HEARTBEAT on a specific destination 4879 * transport address of a given association. 4880 * 4881 * The endpoint should increment the respective error counter of 4882 * the destination transport address each time a HEARTBEAT is sent 4883 * to that address and not acknowledged within one RTO. 4884 * 4885 */ 4886 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 4887 SCTP_TRANSPORT(arg)); 4888 return SCTP_DISPOSITION_CONSUME; 4889 } 4890 4891 /* 4892 * ADDIP Section 4.1 ASCONF Chunk Procedures 4893 * When an endpoint has an ASCONF signaled change to be sent to the 4894 * remote endpoint it should do A1 to A9 4895 */ 4896 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4897 const struct sctp_association *asoc, 4898 const sctp_subtype_t type, 4899 void *arg, 4900 sctp_cmd_seq_t *commands) 4901 { 4902 struct sctp_chunk *chunk = arg; 4903 4904 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4905 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4906 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4907 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4908 return SCTP_DISPOSITION_CONSUME; 4909 } 4910 4911 /* 4912 * Ignore the primitive event 4913 * 4914 * The return value is the disposition of the primitive. 4915 */ 4916 sctp_disposition_t sctp_sf_ignore_primitive( 4917 const struct sctp_endpoint *ep, 4918 const struct sctp_association *asoc, 4919 const sctp_subtype_t type, 4920 void *arg, 4921 sctp_cmd_seq_t *commands) 4922 { 4923 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4924 return SCTP_DISPOSITION_DISCARD; 4925 } 4926 4927 /*************************************************************************** 4928 * These are the state functions for the OTHER events. 4929 ***************************************************************************/ 4930 4931 /* 4932 * Start the shutdown negotiation. 4933 * 4934 * From Section 9.2: 4935 * Once all its outstanding data has been acknowledged, the endpoint 4936 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4937 * TSN Ack field the last sequential TSN it has received from the peer. 4938 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4939 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4940 * with the updated last sequential TSN received from its peer. 4941 * 4942 * The return value is the disposition. 4943 */ 4944 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4945 const struct sctp_endpoint *ep, 4946 const struct sctp_association *asoc, 4947 const sctp_subtype_t type, 4948 void *arg, 4949 sctp_cmd_seq_t *commands) 4950 { 4951 struct sctp_chunk *reply; 4952 4953 /* Once all its outstanding data has been acknowledged, the 4954 * endpoint shall send a SHUTDOWN chunk to its peer including 4955 * in the Cumulative TSN Ack field the last sequential TSN it 4956 * has received from the peer. 4957 */ 4958 reply = sctp_make_shutdown(asoc, NULL); 4959 if (!reply) 4960 goto nomem; 4961 4962 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4963 * T2-shutdown timer. 4964 */ 4965 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4966 4967 /* It shall then start the T2-shutdown timer */ 4968 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4969 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4970 4971 if (asoc->autoclose) 4972 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4973 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4974 4975 /* and enter the SHUTDOWN-SENT state. */ 4976 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4977 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4978 4979 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4980 * 4981 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4982 * or SHUTDOWN-ACK. 4983 */ 4984 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4985 4986 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4987 4988 return SCTP_DISPOSITION_CONSUME; 4989 4990 nomem: 4991 return SCTP_DISPOSITION_NOMEM; 4992 } 4993 4994 /* 4995 * Generate a SHUTDOWN ACK now that everything is SACK'd. 4996 * 4997 * From Section 9.2: 4998 * 4999 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5000 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5001 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5002 * endpoint must re-send the SHUTDOWN ACK. 5003 * 5004 * The return value is the disposition. 5005 */ 5006 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5007 const struct sctp_endpoint *ep, 5008 const struct sctp_association *asoc, 5009 const sctp_subtype_t type, 5010 void *arg, 5011 sctp_cmd_seq_t *commands) 5012 { 5013 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5014 struct sctp_chunk *reply; 5015 5016 /* There are 2 ways of getting here: 5017 * 1) called in response to a SHUTDOWN chunk 5018 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5019 * 5020 * For the case (2), the arg parameter is set to NULL. We need 5021 * to check that we have a chunk before accessing it's fields. 5022 */ 5023 if (chunk) { 5024 if (!sctp_vtag_verify(chunk, asoc)) 5025 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 5026 5027 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5028 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5029 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 5030 commands); 5031 } 5032 5033 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5034 * shall send a SHUTDOWN ACK ... 5035 */ 5036 reply = sctp_make_shutdown_ack(asoc, chunk); 5037 if (!reply) 5038 goto nomem; 5039 5040 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5041 * the T2-shutdown timer. 5042 */ 5043 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5044 5045 /* and start/restart a T2-shutdown timer of its own, */ 5046 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5047 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5048 5049 if (asoc->autoclose) 5050 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5051 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5052 5053 /* Enter the SHUTDOWN-ACK-SENT state. */ 5054 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5055 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5056 5057 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5058 * 5059 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5060 * or SHUTDOWN-ACK. 5061 */ 5062 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5063 5064 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5065 5066 return SCTP_DISPOSITION_CONSUME; 5067 5068 nomem: 5069 return SCTP_DISPOSITION_NOMEM; 5070 } 5071 5072 /* 5073 * Ignore the event defined as other 5074 * 5075 * The return value is the disposition of the event. 5076 */ 5077 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 5078 const struct sctp_association *asoc, 5079 const sctp_subtype_t type, 5080 void *arg, 5081 sctp_cmd_seq_t *commands) 5082 { 5083 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 5084 return SCTP_DISPOSITION_DISCARD; 5085 } 5086 5087 /************************************************************ 5088 * These are the state functions for handling timeout events. 5089 ************************************************************/ 5090 5091 /* 5092 * RTX Timeout 5093 * 5094 * Section: 6.3.3 Handle T3-rtx Expiration 5095 * 5096 * Whenever the retransmission timer T3-rtx expires for a destination 5097 * address, do the following: 5098 * [See below] 5099 * 5100 * The return value is the disposition of the chunk. 5101 */ 5102 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 5103 const struct sctp_association *asoc, 5104 const sctp_subtype_t type, 5105 void *arg, 5106 sctp_cmd_seq_t *commands) 5107 { 5108 struct sctp_transport *transport = arg; 5109 5110 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 5111 5112 if (asoc->overall_error_count >= asoc->max_retrans) { 5113 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5114 SCTP_ERROR(ETIMEDOUT)); 5115 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5116 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5117 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5118 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5119 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5120 return SCTP_DISPOSITION_DELETE_TCB; 5121 } 5122 5123 /* E1) For the destination address for which the timer 5124 * expires, adjust its ssthresh with rules defined in Section 5125 * 7.2.3 and set the cwnd <- MTU. 5126 */ 5127 5128 /* E2) For the destination address for which the timer 5129 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5130 * maximum value discussed in rule C7 above (RTO.max) may be 5131 * used to provide an upper bound to this doubling operation. 5132 */ 5133 5134 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5135 * outstanding DATA chunks for the address for which the 5136 * T3-rtx has expired will fit into a single packet, subject 5137 * to the MTU constraint for the path corresponding to the 5138 * destination transport address to which the retransmission 5139 * is being sent (this may be different from the address for 5140 * which the timer expires [see Section 6.4]). Call this 5141 * value K. Bundle and retransmit those K DATA chunks in a 5142 * single packet to the destination endpoint. 5143 * 5144 * Note: Any DATA chunks that were sent to the address for 5145 * which the T3-rtx timer expired but did not fit in one MTU 5146 * (rule E3 above), should be marked for retransmission and 5147 * sent as soon as cwnd allows (normally when a SACK arrives). 5148 */ 5149 5150 /* Do some failure management (Section 8.2). */ 5151 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5152 5153 /* NB: Rules E4 and F1 are implicit in R1. */ 5154 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5155 5156 return SCTP_DISPOSITION_CONSUME; 5157 } 5158 5159 /* 5160 * Generate delayed SACK on timeout 5161 * 5162 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5163 * 5164 * The guidelines on delayed acknowledgement algorithm specified in 5165 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5166 * acknowledgement SHOULD be generated for at least every second packet 5167 * (not every second DATA chunk) received, and SHOULD be generated 5168 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5169 * some situations it may be beneficial for an SCTP transmitter to be 5170 * more conservative than the algorithms detailed in this document 5171 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5172 * the following algorithms allow. 5173 */ 5174 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 5175 const struct sctp_association *asoc, 5176 const sctp_subtype_t type, 5177 void *arg, 5178 sctp_cmd_seq_t *commands) 5179 { 5180 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 5181 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5182 return SCTP_DISPOSITION_CONSUME; 5183 } 5184 5185 /* 5186 * sctp_sf_t1_init_timer_expire 5187 * 5188 * Section: 4 Note: 2 5189 * Verification Tag: 5190 * Inputs 5191 * (endpoint, asoc) 5192 * 5193 * RFC 2960 Section 4 Notes 5194 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5195 * and re-start the T1-init timer without changing state. This MUST 5196 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5197 * endpoint MUST abort the initialization process and report the 5198 * error to SCTP user. 5199 * 5200 * Outputs 5201 * (timers, events) 5202 * 5203 */ 5204 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 5205 const struct sctp_association *asoc, 5206 const sctp_subtype_t type, 5207 void *arg, 5208 sctp_cmd_seq_t *commands) 5209 { 5210 struct sctp_chunk *repl = NULL; 5211 struct sctp_bind_addr *bp; 5212 int attempts = asoc->init_err_counter + 1; 5213 5214 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 5215 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 5216 5217 if (attempts <= asoc->max_init_attempts) { 5218 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5219 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5220 if (!repl) 5221 return SCTP_DISPOSITION_NOMEM; 5222 5223 /* Choose transport for INIT. */ 5224 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5225 SCTP_CHUNK(repl)); 5226 5227 /* Issue a sideeffect to do the needed accounting. */ 5228 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5229 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5230 5231 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5232 } else { 5233 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 5234 " max_init_attempts: %d\n", 5235 attempts, asoc->max_init_attempts); 5236 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5237 SCTP_ERROR(ETIMEDOUT)); 5238 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5239 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5240 return SCTP_DISPOSITION_DELETE_TCB; 5241 } 5242 5243 return SCTP_DISPOSITION_CONSUME; 5244 } 5245 5246 /* 5247 * sctp_sf_t1_cookie_timer_expire 5248 * 5249 * Section: 4 Note: 2 5250 * Verification Tag: 5251 * Inputs 5252 * (endpoint, asoc) 5253 * 5254 * RFC 2960 Section 4 Notes 5255 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5256 * COOKIE ECHO and re-start the T1-cookie timer without changing 5257 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5258 * After that, the endpoint MUST abort the initialization process and 5259 * report the error to SCTP user. 5260 * 5261 * Outputs 5262 * (timers, events) 5263 * 5264 */ 5265 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 5266 const struct sctp_association *asoc, 5267 const sctp_subtype_t type, 5268 void *arg, 5269 sctp_cmd_seq_t *commands) 5270 { 5271 struct sctp_chunk *repl = NULL; 5272 int attempts = asoc->init_err_counter + 1; 5273 5274 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 5275 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 5276 5277 if (attempts <= asoc->max_init_attempts) { 5278 repl = sctp_make_cookie_echo(asoc, NULL); 5279 if (!repl) 5280 return SCTP_DISPOSITION_NOMEM; 5281 5282 /* Issue a sideeffect to do the needed accounting. */ 5283 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5284 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5285 5286 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5287 } else { 5288 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5289 SCTP_ERROR(ETIMEDOUT)); 5290 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5291 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5292 return SCTP_DISPOSITION_DELETE_TCB; 5293 } 5294 5295 return SCTP_DISPOSITION_CONSUME; 5296 } 5297 5298 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5299 * with the updated last sequential TSN received from its peer. 5300 * 5301 * An endpoint should limit the number of retransmissions of the 5302 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5303 * If this threshold is exceeded the endpoint should destroy the TCB and 5304 * MUST report the peer endpoint unreachable to the upper layer (and 5305 * thus the association enters the CLOSED state). The reception of any 5306 * packet from its peer (i.e. as the peer sends all of its queued DATA 5307 * chunks) should clear the endpoint's retransmission count and restart 5308 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5309 * all of its queued DATA chunks that have not yet been sent. 5310 */ 5311 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 5312 const struct sctp_association *asoc, 5313 const sctp_subtype_t type, 5314 void *arg, 5315 sctp_cmd_seq_t *commands) 5316 { 5317 struct sctp_chunk *reply = NULL; 5318 5319 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 5320 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5321 5322 ((struct sctp_association *)asoc)->shutdown_retries++; 5323 5324 if (asoc->overall_error_count >= asoc->max_retrans) { 5325 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5326 SCTP_ERROR(ETIMEDOUT)); 5327 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5328 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5329 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5330 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5331 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5332 return SCTP_DISPOSITION_DELETE_TCB; 5333 } 5334 5335 switch (asoc->state) { 5336 case SCTP_STATE_SHUTDOWN_SENT: 5337 reply = sctp_make_shutdown(asoc, NULL); 5338 break; 5339 5340 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5341 reply = sctp_make_shutdown_ack(asoc, NULL); 5342 break; 5343 5344 default: 5345 BUG(); 5346 break; 5347 } 5348 5349 if (!reply) 5350 goto nomem; 5351 5352 /* Do some failure management (Section 8.2). */ 5353 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5354 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5355 5356 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5357 * the T2-shutdown timer. 5358 */ 5359 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5360 5361 /* Restart the T2-shutdown timer. */ 5362 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5363 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5364 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5365 return SCTP_DISPOSITION_CONSUME; 5366 5367 nomem: 5368 return SCTP_DISPOSITION_NOMEM; 5369 } 5370 5371 /* 5372 * ADDIP Section 4.1 ASCONF CHunk Procedures 5373 * If the T4 RTO timer expires the endpoint should do B1 to B5 5374 */ 5375 sctp_disposition_t sctp_sf_t4_timer_expire( 5376 const struct sctp_endpoint *ep, 5377 const struct sctp_association *asoc, 5378 const sctp_subtype_t type, 5379 void *arg, 5380 sctp_cmd_seq_t *commands) 5381 { 5382 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5383 struct sctp_transport *transport = chunk->transport; 5384 5385 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 5386 5387 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5388 * detection on the appropriate destination address as defined in 5389 * RFC2960 [5] section 8.1 and 8.2. 5390 */ 5391 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5392 5393 /* Reconfig T4 timer and transport. */ 5394 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5395 5396 /* ADDIP 4.1 B2) Increment the association error counters and perform 5397 * endpoint failure detection on the association as defined in 5398 * RFC2960 [5] section 8.1 and 8.2. 5399 * association error counter is incremented in SCTP_CMD_STRIKE. 5400 */ 5401 if (asoc->overall_error_count >= asoc->max_retrans) { 5402 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5403 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5404 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5405 SCTP_ERROR(ETIMEDOUT)); 5406 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5407 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5408 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5409 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 5410 return SCTP_DISPOSITION_ABORT; 5411 } 5412 5413 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5414 * the ASCONF chunk was sent by doubling the RTO timer value. 5415 * This is done in SCTP_CMD_STRIKE. 5416 */ 5417 5418 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5419 * choose an alternate destination address (please refer to RFC2960 5420 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5421 * chunk, it MUST be the same (including its serial number) as the last 5422 * ASCONF sent. 5423 */ 5424 sctp_chunk_hold(asoc->addip_last_asconf); 5425 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5426 SCTP_CHUNK(asoc->addip_last_asconf)); 5427 5428 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5429 * destination is selected, then the RTO used will be that of the new 5430 * destination address. 5431 */ 5432 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5433 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5434 5435 return SCTP_DISPOSITION_CONSUME; 5436 } 5437 5438 /* sctpimpguide-05 Section 2.12.2 5439 * The sender of the SHUTDOWN MAY also start an overall guard timer 5440 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5441 * At the expiration of this timer the sender SHOULD abort the association 5442 * by sending an ABORT chunk. 5443 */ 5444 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 5445 const struct sctp_association *asoc, 5446 const sctp_subtype_t type, 5447 void *arg, 5448 sctp_cmd_seq_t *commands) 5449 { 5450 struct sctp_chunk *reply = NULL; 5451 5452 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 5453 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5454 5455 reply = sctp_make_abort(asoc, NULL, 0); 5456 if (!reply) 5457 goto nomem; 5458 5459 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5460 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5461 SCTP_ERROR(ETIMEDOUT)); 5462 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5463 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5464 5465 return SCTP_DISPOSITION_DELETE_TCB; 5466 nomem: 5467 return SCTP_DISPOSITION_NOMEM; 5468 } 5469 5470 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5471 * the association is automatically closed by starting the shutdown process. 5472 * The work that needs to be done is same as when SHUTDOWN is initiated by 5473 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5474 */ 5475 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5476 const struct sctp_endpoint *ep, 5477 const struct sctp_association *asoc, 5478 const sctp_subtype_t type, 5479 void *arg, 5480 sctp_cmd_seq_t *commands) 5481 { 5482 int disposition; 5483 5484 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 5485 5486 /* From 9.2 Shutdown of an Association 5487 * Upon receipt of the SHUTDOWN primitive from its upper 5488 * layer, the endpoint enters SHUTDOWN-PENDING state and 5489 * remains there until all outstanding data has been 5490 * acknowledged by its peer. The endpoint accepts no new data 5491 * from its upper layer, but retransmits data to the far end 5492 * if necessary to fill gaps. 5493 */ 5494 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5495 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5496 5497 /* sctpimpguide-05 Section 2.12.2 5498 * The sender of the SHUTDOWN MAY also start an overall guard timer 5499 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5500 */ 5501 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5502 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5503 disposition = SCTP_DISPOSITION_CONSUME; 5504 if (sctp_outq_is_empty(&asoc->outqueue)) { 5505 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 5506 arg, commands); 5507 } 5508 return disposition; 5509 } 5510 5511 /***************************************************************************** 5512 * These are sa state functions which could apply to all types of events. 5513 ****************************************************************************/ 5514 5515 /* 5516 * This table entry is not implemented. 5517 * 5518 * Inputs 5519 * (endpoint, asoc, chunk) 5520 * 5521 * The return value is the disposition of the chunk. 5522 */ 5523 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 5524 const struct sctp_association *asoc, 5525 const sctp_subtype_t type, 5526 void *arg, 5527 sctp_cmd_seq_t *commands) 5528 { 5529 return SCTP_DISPOSITION_NOT_IMPL; 5530 } 5531 5532 /* 5533 * This table entry represents a bug. 5534 * 5535 * Inputs 5536 * (endpoint, asoc, chunk) 5537 * 5538 * The return value is the disposition of the chunk. 5539 */ 5540 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 5541 const struct sctp_association *asoc, 5542 const sctp_subtype_t type, 5543 void *arg, 5544 sctp_cmd_seq_t *commands) 5545 { 5546 return SCTP_DISPOSITION_BUG; 5547 } 5548 5549 /* 5550 * This table entry represents the firing of a timer in the wrong state. 5551 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5552 * when the association is in the wrong state. This event should 5553 * be ignored, so as to prevent any rearming of the timer. 5554 * 5555 * Inputs 5556 * (endpoint, asoc, chunk) 5557 * 5558 * The return value is the disposition of the chunk. 5559 */ 5560 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 5561 const struct sctp_association *asoc, 5562 const sctp_subtype_t type, 5563 void *arg, 5564 sctp_cmd_seq_t *commands) 5565 { 5566 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5567 return SCTP_DISPOSITION_CONSUME; 5568 } 5569 5570 /******************************************************************** 5571 * 2nd Level Abstractions 5572 ********************************************************************/ 5573 5574 /* Pull the SACK chunk based on the SACK header. */ 5575 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5576 { 5577 struct sctp_sackhdr *sack; 5578 unsigned int len; 5579 __u16 num_blocks; 5580 __u16 num_dup_tsns; 5581 5582 /* Protect ourselves from reading too far into 5583 * the skb from a bogus sender. 5584 */ 5585 sack = (struct sctp_sackhdr *) chunk->skb->data; 5586 5587 num_blocks = ntohs(sack->num_gap_ack_blocks); 5588 num_dup_tsns = ntohs(sack->num_dup_tsns); 5589 len = sizeof(struct sctp_sackhdr); 5590 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5591 if (len > chunk->skb->len) 5592 return NULL; 5593 5594 skb_pull(chunk->skb, len); 5595 5596 return sack; 5597 } 5598 5599 /* Create an ABORT packet to be sent as a response, with the specified 5600 * error causes. 5601 */ 5602 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5603 const struct sctp_association *asoc, 5604 struct sctp_chunk *chunk, 5605 const void *payload, 5606 size_t paylen) 5607 { 5608 struct sctp_packet *packet; 5609 struct sctp_chunk *abort; 5610 5611 packet = sctp_ootb_pkt_new(asoc, chunk); 5612 5613 if (packet) { 5614 /* Make an ABORT. 5615 * The T bit will be set if the asoc is NULL. 5616 */ 5617 abort = sctp_make_abort(asoc, chunk, paylen); 5618 if (!abort) { 5619 sctp_ootb_pkt_free(packet); 5620 return NULL; 5621 } 5622 5623 /* Reflect vtag if T-Bit is set */ 5624 if (sctp_test_T_bit(abort)) 5625 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5626 5627 /* Add specified error causes, i.e., payload, to the 5628 * end of the chunk. 5629 */ 5630 sctp_addto_chunk(abort, paylen, payload); 5631 5632 /* Set the skb to the belonging sock for accounting. */ 5633 abort->skb->sk = ep->base.sk; 5634 5635 sctp_packet_append_chunk(packet, abort); 5636 5637 } 5638 5639 return packet; 5640 } 5641 5642 /* Allocate a packet for responding in the OOTB conditions. */ 5643 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5644 const struct sctp_chunk *chunk) 5645 { 5646 struct sctp_packet *packet; 5647 struct sctp_transport *transport; 5648 __u16 sport; 5649 __u16 dport; 5650 __u32 vtag; 5651 5652 /* Get the source and destination port from the inbound packet. */ 5653 sport = ntohs(chunk->sctp_hdr->dest); 5654 dport = ntohs(chunk->sctp_hdr->source); 5655 5656 /* The V-tag is going to be the same as the inbound packet if no 5657 * association exists, otherwise, use the peer's vtag. 5658 */ 5659 if (asoc) { 5660 /* Special case the INIT-ACK as there is no peer's vtag 5661 * yet. 5662 */ 5663 switch(chunk->chunk_hdr->type) { 5664 case SCTP_CID_INIT_ACK: 5665 { 5666 sctp_initack_chunk_t *initack; 5667 5668 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 5669 vtag = ntohl(initack->init_hdr.init_tag); 5670 break; 5671 } 5672 default: 5673 vtag = asoc->peer.i.init_tag; 5674 break; 5675 } 5676 } else { 5677 /* Special case the INIT and stale COOKIE_ECHO as there is no 5678 * vtag yet. 5679 */ 5680 switch(chunk->chunk_hdr->type) { 5681 case SCTP_CID_INIT: 5682 { 5683 sctp_init_chunk_t *init; 5684 5685 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5686 vtag = ntohl(init->init_hdr.init_tag); 5687 break; 5688 } 5689 default: 5690 vtag = ntohl(chunk->sctp_hdr->vtag); 5691 break; 5692 } 5693 } 5694 5695 /* Make a transport for the bucket, Eliza... */ 5696 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5697 if (!transport) 5698 goto nomem; 5699 5700 /* Cache a route for the transport with the chunk's destination as 5701 * the source address. 5702 */ 5703 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5704 sctp_sk(sctp_get_ctl_sock())); 5705 5706 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5707 packet = sctp_packet_config(packet, vtag, 0); 5708 5709 return packet; 5710 5711 nomem: 5712 return NULL; 5713 } 5714 5715 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5716 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5717 { 5718 sctp_transport_free(packet->transport); 5719 } 5720 5721 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5722 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5723 const struct sctp_association *asoc, 5724 const struct sctp_chunk *chunk, 5725 sctp_cmd_seq_t *commands, 5726 struct sctp_chunk *err_chunk) 5727 { 5728 struct sctp_packet *packet; 5729 5730 if (err_chunk) { 5731 packet = sctp_ootb_pkt_new(asoc, chunk); 5732 if (packet) { 5733 struct sctp_signed_cookie *cookie; 5734 5735 /* Override the OOTB vtag from the cookie. */ 5736 cookie = chunk->subh.cookie_hdr; 5737 packet->vtag = cookie->c.peer_vtag; 5738 5739 /* Set the skb to the belonging sock for accounting. */ 5740 err_chunk->skb->sk = ep->base.sk; 5741 sctp_packet_append_chunk(packet, err_chunk); 5742 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5743 SCTP_PACKET(packet)); 5744 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5745 } else 5746 sctp_chunk_free (err_chunk); 5747 } 5748 } 5749 5750 5751 /* Process a data chunk */ 5752 static int sctp_eat_data(const struct sctp_association *asoc, 5753 struct sctp_chunk *chunk, 5754 sctp_cmd_seq_t *commands) 5755 { 5756 sctp_datahdr_t *data_hdr; 5757 struct sctp_chunk *err; 5758 size_t datalen; 5759 sctp_verb_t deliver; 5760 int tmp; 5761 __u32 tsn; 5762 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5763 struct sock *sk = asoc->base.sk; 5764 5765 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5766 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5767 5768 tsn = ntohl(data_hdr->tsn); 5769 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5770 5771 /* ASSERT: Now skb->data is really the user data. */ 5772 5773 /* Process ECN based congestion. 5774 * 5775 * Since the chunk structure is reused for all chunks within 5776 * a packet, we use ecn_ce_done to track if we've already 5777 * done CE processing for this packet. 5778 * 5779 * We need to do ECN processing even if we plan to discard the 5780 * chunk later. 5781 */ 5782 5783 if (!chunk->ecn_ce_done) { 5784 struct sctp_af *af; 5785 chunk->ecn_ce_done = 1; 5786 5787 af = sctp_get_af_specific( 5788 ipver2af(ip_hdr(chunk->skb)->version)); 5789 5790 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5791 /* Do real work as sideffect. */ 5792 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5793 SCTP_U32(tsn)); 5794 } 5795 } 5796 5797 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5798 if (tmp < 0) { 5799 /* The TSN is too high--silently discard the chunk and 5800 * count on it getting retransmitted later. 5801 */ 5802 return SCTP_IERROR_HIGH_TSN; 5803 } else if (tmp > 0) { 5804 /* This is a duplicate. Record it. */ 5805 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5806 return SCTP_IERROR_DUP_TSN; 5807 } 5808 5809 /* This is a new TSN. */ 5810 5811 /* Discard if there is no room in the receive window. 5812 * Actually, allow a little bit of overflow (up to a MTU). 5813 */ 5814 datalen = ntohs(chunk->chunk_hdr->length); 5815 datalen -= sizeof(sctp_data_chunk_t); 5816 5817 deliver = SCTP_CMD_CHUNK_ULP; 5818 5819 /* Think about partial delivery. */ 5820 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5821 5822 /* Even if we don't accept this chunk there is 5823 * memory pressure. 5824 */ 5825 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5826 } 5827 5828 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5829 * seems a bit troublesome in that frag_point varies based on 5830 * PMTU. In cases, such as loopback, this might be a rather 5831 * large spill over. 5832 */ 5833 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 5834 (datalen > asoc->rwnd + asoc->frag_point))) { 5835 5836 /* If this is the next TSN, consider reneging to make 5837 * room. Note: Playing nice with a confused sender. A 5838 * malicious sender can still eat up all our buffer 5839 * space and in the future we may want to detect and 5840 * do more drastic reneging. 5841 */ 5842 if (sctp_tsnmap_has_gap(map) && 5843 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5844 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5845 deliver = SCTP_CMD_RENEGE; 5846 } else { 5847 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5848 "rwnd: %d\n", tsn, datalen, 5849 asoc->rwnd); 5850 return SCTP_IERROR_IGNORE_TSN; 5851 } 5852 } 5853 5854 /* 5855 * Also try to renege to limit our memory usage in the event that 5856 * we are under memory pressure 5857 * If we can't renege, don't worry about it, the sk_rmem_schedule 5858 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 5859 * memory usage too much 5860 */ 5861 if (*sk->sk_prot_creator->memory_pressure) { 5862 if (sctp_tsnmap_has_gap(map) && 5863 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5864 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn); 5865 deliver = SCTP_CMD_RENEGE; 5866 } 5867 } 5868 5869 /* 5870 * Section 3.3.10.9 No User Data (9) 5871 * 5872 * Cause of error 5873 * --------------- 5874 * No User Data: This error cause is returned to the originator of a 5875 * DATA chunk if a received DATA chunk has no user data. 5876 */ 5877 if (unlikely(0 == datalen)) { 5878 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5879 if (err) { 5880 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5881 SCTP_CHUNK(err)); 5882 } 5883 /* We are going to ABORT, so we might as well stop 5884 * processing the rest of the chunks in the packet. 5885 */ 5886 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5887 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5888 SCTP_ERROR(ECONNABORTED)); 5889 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5890 SCTP_PERR(SCTP_ERROR_NO_DATA)); 5891 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5892 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5893 return SCTP_IERROR_NO_DATA; 5894 } 5895 5896 chunk->data_accepted = 1; 5897 5898 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5899 * if we renege and the chunk arrives again. 5900 */ 5901 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5902 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5903 else 5904 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5905 5906 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5907 * 5908 * If an endpoint receive a DATA chunk with an invalid stream 5909 * identifier, it shall acknowledge the reception of the DATA chunk 5910 * following the normal procedure, immediately send an ERROR chunk 5911 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5912 * and discard the DATA chunk. 5913 */ 5914 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5915 /* Mark tsn as received even though we drop it */ 5916 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5917 5918 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5919 &data_hdr->stream, 5920 sizeof(data_hdr->stream)); 5921 if (err) 5922 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5923 SCTP_CHUNK(err)); 5924 return SCTP_IERROR_BAD_STREAM; 5925 } 5926 5927 /* Send the data up to the user. Note: Schedule the 5928 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5929 * chunk needs the updated rwnd. 5930 */ 5931 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5932 5933 return SCTP_IERROR_NO_ERROR; 5934 } 5935