1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, write to 26 * the Free Software Foundation, 59 Temple Place - Suite 330, 27 * Boston, MA 02111-1307, USA. 28 * 29 * Please send any bug reports or fixes you make to the 30 * email address(es): 31 * lksctp developers <lksctp-developers@lists.sourceforge.net> 32 * 33 * Or submit a bug report through the following website: 34 * http://www.sf.net/projects/lksctp 35 * 36 * Written or modified by: 37 * La Monte H.P. Yarroll <piggy@acm.org> 38 * Karl Knutson <karl@athena.chicago.il.us> 39 * Mathew Kotowsky <kotowsky@sctp.org> 40 * Sridhar Samudrala <samudrala@us.ibm.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Dajiang Zhang <dajiang.zhang@nokia.com> 44 * Daisy Chang <daisyc@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * Ryan Layer <rmlayer@us.ibm.com> 47 * Kevin Gao <kevin.gao@intel.com> 48 * 49 * Any bugs reported given to us we will try to fix... any fixes shared will 50 * be incorporated into the next SCTP release. 51 */ 52 53 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 54 55 #include <linux/types.h> 56 #include <linux/kernel.h> 57 #include <linux/ip.h> 58 #include <linux/ipv6.h> 59 #include <linux/net.h> 60 #include <linux/inet.h> 61 #include <linux/slab.h> 62 #include <net/sock.h> 63 #include <net/inet_ecn.h> 64 #include <linux/skbuff.h> 65 #include <net/sctp/sctp.h> 66 #include <net/sctp/sm.h> 67 #include <net/sctp/structs.h> 68 69 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 70 const struct sctp_association *asoc, 71 struct sctp_chunk *chunk, 72 const void *payload, 73 size_t paylen); 74 static int sctp_eat_data(const struct sctp_association *asoc, 75 struct sctp_chunk *chunk, 76 sctp_cmd_seq_t *commands); 77 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 78 const struct sctp_chunk *chunk); 79 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 80 const struct sctp_association *asoc, 81 const struct sctp_chunk *chunk, 82 sctp_cmd_seq_t *commands, 83 struct sctp_chunk *err_chunk); 84 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 85 const struct sctp_association *asoc, 86 const sctp_subtype_t type, 87 void *arg, 88 sctp_cmd_seq_t *commands); 89 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 90 const struct sctp_association *asoc, 91 const sctp_subtype_t type, 92 void *arg, 93 sctp_cmd_seq_t *commands); 94 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 95 const struct sctp_association *asoc, 96 const sctp_subtype_t type, 97 void *arg, 98 sctp_cmd_seq_t *commands); 99 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 100 101 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 102 __be16 error, int sk_err, 103 const struct sctp_association *asoc, 104 struct sctp_transport *transport); 105 106 static sctp_disposition_t sctp_sf_abort_violation( 107 const struct sctp_endpoint *ep, 108 const struct sctp_association *asoc, 109 void *arg, 110 sctp_cmd_seq_t *commands, 111 const __u8 *payload, 112 const size_t paylen); 113 114 static sctp_disposition_t sctp_sf_violation_chunklen( 115 const struct sctp_endpoint *ep, 116 const struct sctp_association *asoc, 117 const sctp_subtype_t type, 118 void *arg, 119 sctp_cmd_seq_t *commands); 120 121 static sctp_disposition_t sctp_sf_violation_paramlen( 122 const struct sctp_endpoint *ep, 123 const struct sctp_association *asoc, 124 const sctp_subtype_t type, 125 void *arg, void *ext, 126 sctp_cmd_seq_t *commands); 127 128 static sctp_disposition_t sctp_sf_violation_ctsn( 129 const struct sctp_endpoint *ep, 130 const struct sctp_association *asoc, 131 const sctp_subtype_t type, 132 void *arg, 133 sctp_cmd_seq_t *commands); 134 135 static sctp_disposition_t sctp_sf_violation_chunk( 136 const struct sctp_endpoint *ep, 137 const struct sctp_association *asoc, 138 const sctp_subtype_t type, 139 void *arg, 140 sctp_cmd_seq_t *commands); 141 142 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 143 const struct sctp_association *asoc, 144 const sctp_subtype_t type, 145 struct sctp_chunk *chunk); 146 147 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 148 const struct sctp_association *asoc, 149 const sctp_subtype_t type, 150 void *arg, 151 sctp_cmd_seq_t *commands); 152 153 /* Small helper function that checks if the chunk length 154 * is of the appropriate length. The 'required_length' argument 155 * is set to be the size of a specific chunk we are testing. 156 * Return Values: 1 = Valid length 157 * 0 = Invalid length 158 * 159 */ 160 static inline int 161 sctp_chunk_length_valid(struct sctp_chunk *chunk, 162 __u16 required_length) 163 { 164 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 165 166 if (unlikely(chunk_length < required_length)) 167 return 0; 168 169 return 1; 170 } 171 172 /********************************************************** 173 * These are the state functions for handling chunk events. 174 **********************************************************/ 175 176 /* 177 * Process the final SHUTDOWN COMPLETE. 178 * 179 * Section: 4 (C) (diagram), 9.2 180 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 181 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 182 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 183 * should stop the T2-shutdown timer and remove all knowledge of the 184 * association (and thus the association enters the CLOSED state). 185 * 186 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 187 * C) Rules for packet carrying SHUTDOWN COMPLETE: 188 * ... 189 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 190 * if the Verification Tag field of the packet matches its own tag and 191 * the T bit is not set 192 * OR 193 * it is set to its peer's tag and the T bit is set in the Chunk 194 * Flags. 195 * Otherwise, the receiver MUST silently discard the packet 196 * and take no further action. An endpoint MUST ignore the 197 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 198 * 199 * Inputs 200 * (endpoint, asoc, chunk) 201 * 202 * Outputs 203 * (asoc, reply_msg, msg_up, timers, counters) 204 * 205 * The return value is the disposition of the chunk. 206 */ 207 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 208 const struct sctp_association *asoc, 209 const sctp_subtype_t type, 210 void *arg, 211 sctp_cmd_seq_t *commands) 212 { 213 struct sctp_chunk *chunk = arg; 214 struct sctp_ulpevent *ev; 215 216 if (!sctp_vtag_verify_either(chunk, asoc)) 217 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 218 219 /* RFC 2960 6.10 Bundling 220 * 221 * An endpoint MUST NOT bundle INIT, INIT ACK or 222 * SHUTDOWN COMPLETE with any other chunks. 223 */ 224 if (!chunk->singleton) 225 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 226 227 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 228 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 229 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 230 commands); 231 232 /* RFC 2960 10.2 SCTP-to-ULP 233 * 234 * H) SHUTDOWN COMPLETE notification 235 * 236 * When SCTP completes the shutdown procedures (section 9.2) this 237 * notification is passed to the upper layer. 238 */ 239 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 240 0, 0, 0, NULL, GFP_ATOMIC); 241 if (ev) 242 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 243 SCTP_ULPEVENT(ev)); 244 245 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 246 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 247 * not the chunk should be discarded. If the endpoint is in 248 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 249 * T2-shutdown timer and remove all knowledge of the 250 * association (and thus the association enters the CLOSED 251 * state). 252 */ 253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 254 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 255 256 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 257 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 258 259 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 260 SCTP_STATE(SCTP_STATE_CLOSED)); 261 262 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 263 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 264 265 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 266 267 return SCTP_DISPOSITION_DELETE_TCB; 268 } 269 270 /* 271 * Respond to a normal INIT chunk. 272 * We are the side that is being asked for an association. 273 * 274 * Section: 5.1 Normal Establishment of an Association, B 275 * B) "Z" shall respond immediately with an INIT ACK chunk. The 276 * destination IP address of the INIT ACK MUST be set to the source 277 * IP address of the INIT to which this INIT ACK is responding. In 278 * the response, besides filling in other parameters, "Z" must set the 279 * Verification Tag field to Tag_A, and also provide its own 280 * Verification Tag (Tag_Z) in the Initiate Tag field. 281 * 282 * Verification Tag: Must be 0. 283 * 284 * Inputs 285 * (endpoint, asoc, chunk) 286 * 287 * Outputs 288 * (asoc, reply_msg, msg_up, timers, counters) 289 * 290 * The return value is the disposition of the chunk. 291 */ 292 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 293 const struct sctp_association *asoc, 294 const sctp_subtype_t type, 295 void *arg, 296 sctp_cmd_seq_t *commands) 297 { 298 struct sctp_chunk *chunk = arg; 299 struct sctp_chunk *repl; 300 struct sctp_association *new_asoc; 301 struct sctp_chunk *err_chunk; 302 struct sctp_packet *packet; 303 sctp_unrecognized_param_t *unk_param; 304 int len; 305 306 /* 6.10 Bundling 307 * An endpoint MUST NOT bundle INIT, INIT ACK or 308 * SHUTDOWN COMPLETE with any other chunks. 309 * 310 * IG Section 2.11.2 311 * Furthermore, we require that the receiver of an INIT chunk MUST 312 * enforce these rules by silently discarding an arriving packet 313 * with an INIT chunk that is bundled with other chunks. 314 */ 315 if (!chunk->singleton) 316 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 317 318 /* If the packet is an OOTB packet which is temporarily on the 319 * control endpoint, respond with an ABORT. 320 */ 321 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) { 322 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 323 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 324 } 325 326 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 327 * Tag. 328 */ 329 if (chunk->sctp_hdr->vtag != 0) 330 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 331 332 /* Make sure that the INIT chunk has a valid length. 333 * Normally, this would cause an ABORT with a Protocol Violation 334 * error, but since we don't have an association, we'll 335 * just discard the packet. 336 */ 337 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 338 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 339 340 /* If the INIT is coming toward a closing socket, we'll send back 341 * and ABORT. Essentially, this catches the race of INIT being 342 * backloged to the socket at the same time as the user isses close(). 343 * Since the socket and all its associations are going away, we 344 * can treat this OOTB 345 */ 346 if (sctp_sstate(ep->base.sk, CLOSING)) 347 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 348 349 /* Verify the INIT chunk before processing it. */ 350 err_chunk = NULL; 351 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 352 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 353 &err_chunk)) { 354 /* This chunk contains fatal error. It is to be discarded. 355 * Send an ABORT, with causes if there is any. 356 */ 357 if (err_chunk) { 358 packet = sctp_abort_pkt_new(ep, asoc, arg, 359 (__u8 *)(err_chunk->chunk_hdr) + 360 sizeof(sctp_chunkhdr_t), 361 ntohs(err_chunk->chunk_hdr->length) - 362 sizeof(sctp_chunkhdr_t)); 363 364 sctp_chunk_free(err_chunk); 365 366 if (packet) { 367 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 368 SCTP_PACKET(packet)); 369 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 370 return SCTP_DISPOSITION_CONSUME; 371 } else { 372 return SCTP_DISPOSITION_NOMEM; 373 } 374 } else { 375 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 376 commands); 377 } 378 } 379 380 /* Grab the INIT header. */ 381 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 382 383 /* Tag the variable length parameters. */ 384 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 385 386 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 387 if (!new_asoc) 388 goto nomem; 389 390 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 391 sctp_scope(sctp_source(chunk)), 392 GFP_ATOMIC) < 0) 393 goto nomem_init; 394 395 /* The call, sctp_process_init(), can fail on memory allocation. */ 396 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 397 (sctp_init_chunk_t *)chunk->chunk_hdr, 398 GFP_ATOMIC)) 399 goto nomem_init; 400 401 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 402 403 /* If there are errors need to be reported for unknown parameters, 404 * make sure to reserve enough room in the INIT ACK for them. 405 */ 406 len = 0; 407 if (err_chunk) 408 len = ntohs(err_chunk->chunk_hdr->length) - 409 sizeof(sctp_chunkhdr_t); 410 411 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 412 if (!repl) 413 goto nomem_init; 414 415 /* If there are errors need to be reported for unknown parameters, 416 * include them in the outgoing INIT ACK as "Unrecognized parameter" 417 * parameter. 418 */ 419 if (err_chunk) { 420 /* Get the "Unrecognized parameter" parameter(s) out of the 421 * ERROR chunk generated by sctp_verify_init(). Since the 422 * error cause code for "unknown parameter" and the 423 * "Unrecognized parameter" type is the same, we can 424 * construct the parameters in INIT ACK by copying the 425 * ERROR causes over. 426 */ 427 unk_param = (sctp_unrecognized_param_t *) 428 ((__u8 *)(err_chunk->chunk_hdr) + 429 sizeof(sctp_chunkhdr_t)); 430 /* Replace the cause code with the "Unrecognized parameter" 431 * parameter type. 432 */ 433 sctp_addto_chunk(repl, len, unk_param); 434 sctp_chunk_free(err_chunk); 435 } 436 437 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 438 439 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 440 441 /* 442 * Note: After sending out INIT ACK with the State Cookie parameter, 443 * "Z" MUST NOT allocate any resources, nor keep any states for the 444 * new association. Otherwise, "Z" will be vulnerable to resource 445 * attacks. 446 */ 447 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 448 449 return SCTP_DISPOSITION_DELETE_TCB; 450 451 nomem_init: 452 sctp_association_free(new_asoc); 453 nomem: 454 if (err_chunk) 455 sctp_chunk_free(err_chunk); 456 return SCTP_DISPOSITION_NOMEM; 457 } 458 459 /* 460 * Respond to a normal INIT ACK chunk. 461 * We are the side that is initiating the association. 462 * 463 * Section: 5.1 Normal Establishment of an Association, C 464 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 465 * timer and leave COOKIE-WAIT state. "A" shall then send the State 466 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 467 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 468 * 469 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 470 * DATA chunks, but it MUST be the first chunk in the packet and 471 * until the COOKIE ACK is returned the sender MUST NOT send any 472 * other packets to the peer. 473 * 474 * Verification Tag: 3.3.3 475 * If the value of the Initiate Tag in a received INIT ACK chunk is 476 * found to be 0, the receiver MUST treat it as an error and close the 477 * association by transmitting an ABORT. 478 * 479 * Inputs 480 * (endpoint, asoc, chunk) 481 * 482 * Outputs 483 * (asoc, reply_msg, msg_up, timers, counters) 484 * 485 * The return value is the disposition of the chunk. 486 */ 487 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 488 const struct sctp_association *asoc, 489 const sctp_subtype_t type, 490 void *arg, 491 sctp_cmd_seq_t *commands) 492 { 493 struct sctp_chunk *chunk = arg; 494 sctp_init_chunk_t *initchunk; 495 struct sctp_chunk *err_chunk; 496 struct sctp_packet *packet; 497 498 if (!sctp_vtag_verify(chunk, asoc)) 499 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 500 501 /* 6.10 Bundling 502 * An endpoint MUST NOT bundle INIT, INIT ACK or 503 * SHUTDOWN COMPLETE with any other chunks. 504 */ 505 if (!chunk->singleton) 506 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 507 508 /* Make sure that the INIT-ACK chunk has a valid length */ 509 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 510 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 511 commands); 512 /* Grab the INIT header. */ 513 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 514 515 /* Verify the INIT chunk before processing it. */ 516 err_chunk = NULL; 517 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 518 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 519 &err_chunk)) { 520 521 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 522 523 /* This chunk contains fatal error. It is to be discarded. 524 * Send an ABORT, with causes. If there are no causes, 525 * then there wasn't enough memory. Just terminate 526 * the association. 527 */ 528 if (err_chunk) { 529 packet = sctp_abort_pkt_new(ep, asoc, arg, 530 (__u8 *)(err_chunk->chunk_hdr) + 531 sizeof(sctp_chunkhdr_t), 532 ntohs(err_chunk->chunk_hdr->length) - 533 sizeof(sctp_chunkhdr_t)); 534 535 sctp_chunk_free(err_chunk); 536 537 if (packet) { 538 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 539 SCTP_PACKET(packet)); 540 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 541 error = SCTP_ERROR_INV_PARAM; 542 } 543 } 544 545 /* SCTP-AUTH, Section 6.3: 546 * It should be noted that if the receiver wants to tear 547 * down an association in an authenticated way only, the 548 * handling of malformed packets should not result in 549 * tearing down the association. 550 * 551 * This means that if we only want to abort associations 552 * in an authenticated way (i.e AUTH+ABORT), then we 553 * can't destroy this association just because the packet 554 * was malformed. 555 */ 556 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 557 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 558 559 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 560 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 561 asoc, chunk->transport); 562 } 563 564 /* Tag the variable length parameters. Note that we never 565 * convert the parameters in an INIT chunk. 566 */ 567 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 568 569 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 570 571 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 572 SCTP_PEER_INIT(initchunk)); 573 574 /* Reset init error count upon receipt of INIT-ACK. */ 575 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 576 577 /* 5.1 C) "A" shall stop the T1-init timer and leave 578 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 579 * timer, and enter the COOKIE-ECHOED state. 580 */ 581 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 582 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 583 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 584 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 585 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 586 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 587 588 /* SCTP-AUTH: genereate the assocition shared keys so that 589 * we can potentially signe the COOKIE-ECHO. 590 */ 591 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 592 593 /* 5.1 C) "A" shall then send the State Cookie received in the 594 * INIT ACK chunk in a COOKIE ECHO chunk, ... 595 */ 596 /* If there is any errors to report, send the ERROR chunk generated 597 * for unknown parameters as well. 598 */ 599 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 600 SCTP_CHUNK(err_chunk)); 601 602 return SCTP_DISPOSITION_CONSUME; 603 } 604 605 /* 606 * Respond to a normal COOKIE ECHO chunk. 607 * We are the side that is being asked for an association. 608 * 609 * Section: 5.1 Normal Establishment of an Association, D 610 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 611 * with a COOKIE ACK chunk after building a TCB and moving to 612 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 613 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 614 * chunk MUST be the first chunk in the packet. 615 * 616 * IMPLEMENTATION NOTE: An implementation may choose to send the 617 * Communication Up notification to the SCTP user upon reception 618 * of a valid COOKIE ECHO chunk. 619 * 620 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 621 * D) Rules for packet carrying a COOKIE ECHO 622 * 623 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 624 * Initial Tag received in the INIT ACK. 625 * 626 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 627 * 628 * Inputs 629 * (endpoint, asoc, chunk) 630 * 631 * Outputs 632 * (asoc, reply_msg, msg_up, timers, counters) 633 * 634 * The return value is the disposition of the chunk. 635 */ 636 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 637 const struct sctp_association *asoc, 638 const sctp_subtype_t type, void *arg, 639 sctp_cmd_seq_t *commands) 640 { 641 struct sctp_chunk *chunk = arg; 642 struct sctp_association *new_asoc; 643 sctp_init_chunk_t *peer_init; 644 struct sctp_chunk *repl; 645 struct sctp_ulpevent *ev, *ai_ev = NULL; 646 int error = 0; 647 struct sctp_chunk *err_chk_p; 648 struct sock *sk; 649 650 /* If the packet is an OOTB packet which is temporarily on the 651 * control endpoint, respond with an ABORT. 652 */ 653 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) { 654 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 655 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 656 } 657 658 /* Make sure that the COOKIE_ECHO chunk has a valid length. 659 * In this case, we check that we have enough for at least a 660 * chunk header. More detailed verification is done 661 * in sctp_unpack_cookie(). 662 */ 663 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 664 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 665 666 /* If the endpoint is not listening or if the number of associations 667 * on the TCP-style socket exceed the max backlog, respond with an 668 * ABORT. 669 */ 670 sk = ep->base.sk; 671 if (!sctp_sstate(sk, LISTENING) || 672 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 673 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 674 675 /* "Decode" the chunk. We have no optional parameters so we 676 * are in good shape. 677 */ 678 chunk->subh.cookie_hdr = 679 (struct sctp_signed_cookie *)chunk->skb->data; 680 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 681 sizeof(sctp_chunkhdr_t))) 682 goto nomem; 683 684 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 685 * "Z" will reply with a COOKIE ACK chunk after building a TCB 686 * and moving to the ESTABLISHED state. 687 */ 688 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 689 &err_chk_p); 690 691 /* FIXME: 692 * If the re-build failed, what is the proper error path 693 * from here? 694 * 695 * [We should abort the association. --piggy] 696 */ 697 if (!new_asoc) { 698 /* FIXME: Several errors are possible. A bad cookie should 699 * be silently discarded, but think about logging it too. 700 */ 701 switch (error) { 702 case -SCTP_IERROR_NOMEM: 703 goto nomem; 704 705 case -SCTP_IERROR_STALE_COOKIE: 706 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 707 err_chk_p); 708 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 709 710 case -SCTP_IERROR_BAD_SIG: 711 default: 712 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 713 } 714 } 715 716 717 /* Delay state machine commands until later. 718 * 719 * Re-build the bind address for the association is done in 720 * the sctp_unpack_cookie() already. 721 */ 722 /* This is a brand-new association, so these are not yet side 723 * effects--it is safe to run them here. 724 */ 725 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 726 727 if (!sctp_process_init(new_asoc, chunk, 728 &chunk->subh.cookie_hdr->c.peer_addr, 729 peer_init, GFP_ATOMIC)) 730 goto nomem_init; 731 732 /* SCTP-AUTH: Now that we've populate required fields in 733 * sctp_process_init, set up the assocaition shared keys as 734 * necessary so that we can potentially authenticate the ACK 735 */ 736 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 737 if (error) 738 goto nomem_init; 739 740 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 741 * is supposed to be authenticated and we have to do delayed 742 * authentication. We've just recreated the association using 743 * the information in the cookie and now it's much easier to 744 * do the authentication. 745 */ 746 if (chunk->auth_chunk) { 747 struct sctp_chunk auth; 748 sctp_ierror_t ret; 749 750 /* set-up our fake chunk so that we can process it */ 751 auth.skb = chunk->auth_chunk; 752 auth.asoc = chunk->asoc; 753 auth.sctp_hdr = chunk->sctp_hdr; 754 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 755 sizeof(sctp_chunkhdr_t)); 756 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 757 auth.transport = chunk->transport; 758 759 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth); 760 761 /* We can now safely free the auth_chunk clone */ 762 kfree_skb(chunk->auth_chunk); 763 764 if (ret != SCTP_IERROR_NO_ERROR) { 765 sctp_association_free(new_asoc); 766 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 767 } 768 } 769 770 repl = sctp_make_cookie_ack(new_asoc, chunk); 771 if (!repl) 772 goto nomem_init; 773 774 /* RFC 2960 5.1 Normal Establishment of an Association 775 * 776 * D) IMPLEMENTATION NOTE: An implementation may choose to 777 * send the Communication Up notification to the SCTP user 778 * upon reception of a valid COOKIE ECHO chunk. 779 */ 780 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 781 new_asoc->c.sinit_num_ostreams, 782 new_asoc->c.sinit_max_instreams, 783 NULL, GFP_ATOMIC); 784 if (!ev) 785 goto nomem_ev; 786 787 /* Sockets API Draft Section 5.3.1.6 788 * When a peer sends a Adaptation Layer Indication parameter , SCTP 789 * delivers this notification to inform the application that of the 790 * peers requested adaptation layer. 791 */ 792 if (new_asoc->peer.adaptation_ind) { 793 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 794 GFP_ATOMIC); 795 if (!ai_ev) 796 goto nomem_aiev; 797 } 798 799 /* Add all the state machine commands now since we've created 800 * everything. This way we don't introduce memory corruptions 801 * during side-effect processing and correclty count established 802 * associations. 803 */ 804 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 805 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 806 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 807 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 808 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 809 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 810 811 if (new_asoc->autoclose) 812 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 813 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 814 815 /* This will send the COOKIE ACK */ 816 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 817 818 /* Queue the ASSOC_CHANGE event */ 819 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 820 821 /* Send up the Adaptation Layer Indication event */ 822 if (ai_ev) 823 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 824 SCTP_ULPEVENT(ai_ev)); 825 826 return SCTP_DISPOSITION_CONSUME; 827 828 nomem_aiev: 829 sctp_ulpevent_free(ev); 830 nomem_ev: 831 sctp_chunk_free(repl); 832 nomem_init: 833 sctp_association_free(new_asoc); 834 nomem: 835 return SCTP_DISPOSITION_NOMEM; 836 } 837 838 /* 839 * Respond to a normal COOKIE ACK chunk. 840 * We are the side that is being asked for an association. 841 * 842 * RFC 2960 5.1 Normal Establishment of an Association 843 * 844 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 845 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 846 * timer. It may also notify its ULP about the successful 847 * establishment of the association with a Communication Up 848 * notification (see Section 10). 849 * 850 * Verification Tag: 851 * Inputs 852 * (endpoint, asoc, chunk) 853 * 854 * Outputs 855 * (asoc, reply_msg, msg_up, timers, counters) 856 * 857 * The return value is the disposition of the chunk. 858 */ 859 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 860 const struct sctp_association *asoc, 861 const sctp_subtype_t type, void *arg, 862 sctp_cmd_seq_t *commands) 863 { 864 struct sctp_chunk *chunk = arg; 865 struct sctp_ulpevent *ev; 866 867 if (!sctp_vtag_verify(chunk, asoc)) 868 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 869 870 /* Verify that the chunk length for the COOKIE-ACK is OK. 871 * If we don't do this, any bundled chunks may be junked. 872 */ 873 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 874 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 875 commands); 876 877 /* Reset init error count upon receipt of COOKIE-ACK, 878 * to avoid problems with the managemement of this 879 * counter in stale cookie situations when a transition back 880 * from the COOKIE-ECHOED state to the COOKIE-WAIT 881 * state is performed. 882 */ 883 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 884 885 /* RFC 2960 5.1 Normal Establishment of an Association 886 * 887 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 888 * from the COOKIE-ECHOED state to the ESTABLISHED state, 889 * stopping the T1-cookie timer. 890 */ 891 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 892 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 893 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 894 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 895 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 896 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 897 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 898 if (asoc->autoclose) 899 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 900 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 901 902 /* It may also notify its ULP about the successful 903 * establishment of the association with a Communication Up 904 * notification (see Section 10). 905 */ 906 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 907 0, asoc->c.sinit_num_ostreams, 908 asoc->c.sinit_max_instreams, 909 NULL, GFP_ATOMIC); 910 911 if (!ev) 912 goto nomem; 913 914 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 915 916 /* Sockets API Draft Section 5.3.1.6 917 * When a peer sends a Adaptation Layer Indication parameter , SCTP 918 * delivers this notification to inform the application that of the 919 * peers requested adaptation layer. 920 */ 921 if (asoc->peer.adaptation_ind) { 922 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 923 if (!ev) 924 goto nomem; 925 926 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 927 SCTP_ULPEVENT(ev)); 928 } 929 930 return SCTP_DISPOSITION_CONSUME; 931 nomem: 932 return SCTP_DISPOSITION_NOMEM; 933 } 934 935 /* Generate and sendout a heartbeat packet. */ 936 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 937 const struct sctp_association *asoc, 938 const sctp_subtype_t type, 939 void *arg, 940 sctp_cmd_seq_t *commands) 941 { 942 struct sctp_transport *transport = (struct sctp_transport *) arg; 943 struct sctp_chunk *reply; 944 945 /* Send a heartbeat to our peer. */ 946 reply = sctp_make_heartbeat(asoc, transport); 947 if (!reply) 948 return SCTP_DISPOSITION_NOMEM; 949 950 /* Set rto_pending indicating that an RTT measurement 951 * is started with this heartbeat chunk. 952 */ 953 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 954 SCTP_TRANSPORT(transport)); 955 956 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 957 return SCTP_DISPOSITION_CONSUME; 958 } 959 960 /* Generate a HEARTBEAT packet on the given transport. */ 961 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 962 const struct sctp_association *asoc, 963 const sctp_subtype_t type, 964 void *arg, 965 sctp_cmd_seq_t *commands) 966 { 967 struct sctp_transport *transport = (struct sctp_transport *) arg; 968 969 if (asoc->overall_error_count >= asoc->max_retrans) { 970 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 971 SCTP_ERROR(ETIMEDOUT)); 972 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 973 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 974 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 975 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 976 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 977 return SCTP_DISPOSITION_DELETE_TCB; 978 } 979 980 /* Section 3.3.5. 981 * The Sender-specific Heartbeat Info field should normally include 982 * information about the sender's current time when this HEARTBEAT 983 * chunk is sent and the destination transport address to which this 984 * HEARTBEAT is sent (see Section 8.3). 985 */ 986 987 if (transport->param_flags & SPP_HB_ENABLE) { 988 if (SCTP_DISPOSITION_NOMEM == 989 sctp_sf_heartbeat(ep, asoc, type, arg, 990 commands)) 991 return SCTP_DISPOSITION_NOMEM; 992 993 /* Set transport error counter and association error counter 994 * when sending heartbeat. 995 */ 996 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 997 SCTP_TRANSPORT(transport)); 998 } 999 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1000 SCTP_TRANSPORT(transport)); 1001 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1002 SCTP_TRANSPORT(transport)); 1003 1004 return SCTP_DISPOSITION_CONSUME; 1005 } 1006 1007 /* 1008 * Process an heartbeat request. 1009 * 1010 * Section: 8.3 Path Heartbeat 1011 * The receiver of the HEARTBEAT should immediately respond with a 1012 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1013 * from the received HEARTBEAT chunk. 1014 * 1015 * Verification Tag: 8.5 Verification Tag [Normal verification] 1016 * When receiving an SCTP packet, the endpoint MUST ensure that the 1017 * value in the Verification Tag field of the received SCTP packet 1018 * matches its own Tag. If the received Verification Tag value does not 1019 * match the receiver's own tag value, the receiver shall silently 1020 * discard the packet and shall not process it any further except for 1021 * those cases listed in Section 8.5.1 below. 1022 * 1023 * Inputs 1024 * (endpoint, asoc, chunk) 1025 * 1026 * Outputs 1027 * (asoc, reply_msg, msg_up, timers, counters) 1028 * 1029 * The return value is the disposition of the chunk. 1030 */ 1031 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 1032 const struct sctp_association *asoc, 1033 const sctp_subtype_t type, 1034 void *arg, 1035 sctp_cmd_seq_t *commands) 1036 { 1037 struct sctp_chunk *chunk = arg; 1038 struct sctp_chunk *reply; 1039 size_t paylen = 0; 1040 1041 if (!sctp_vtag_verify(chunk, asoc)) 1042 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1043 1044 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1045 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1046 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1047 commands); 1048 1049 /* 8.3 The receiver of the HEARTBEAT should immediately 1050 * respond with a HEARTBEAT ACK that contains the Heartbeat 1051 * Information field copied from the received HEARTBEAT chunk. 1052 */ 1053 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1054 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1055 if (!pskb_pull(chunk->skb, paylen)) 1056 goto nomem; 1057 1058 reply = sctp_make_heartbeat_ack(asoc, chunk, 1059 chunk->subh.hb_hdr, paylen); 1060 if (!reply) 1061 goto nomem; 1062 1063 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1064 return SCTP_DISPOSITION_CONSUME; 1065 1066 nomem: 1067 return SCTP_DISPOSITION_NOMEM; 1068 } 1069 1070 /* 1071 * Process the returning HEARTBEAT ACK. 1072 * 1073 * Section: 8.3 Path Heartbeat 1074 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1075 * should clear the error counter of the destination transport 1076 * address to which the HEARTBEAT was sent, and mark the destination 1077 * transport address as active if it is not so marked. The endpoint may 1078 * optionally report to the upper layer when an inactive destination 1079 * address is marked as active due to the reception of the latest 1080 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1081 * clear the association overall error count as well (as defined 1082 * in section 8.1). 1083 * 1084 * The receiver of the HEARTBEAT ACK should also perform an RTT 1085 * measurement for that destination transport address using the time 1086 * value carried in the HEARTBEAT ACK chunk. 1087 * 1088 * Verification Tag: 8.5 Verification Tag [Normal verification] 1089 * 1090 * Inputs 1091 * (endpoint, asoc, chunk) 1092 * 1093 * Outputs 1094 * (asoc, reply_msg, msg_up, timers, counters) 1095 * 1096 * The return value is the disposition of the chunk. 1097 */ 1098 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1099 const struct sctp_association *asoc, 1100 const sctp_subtype_t type, 1101 void *arg, 1102 sctp_cmd_seq_t *commands) 1103 { 1104 struct sctp_chunk *chunk = arg; 1105 union sctp_addr from_addr; 1106 struct sctp_transport *link; 1107 sctp_sender_hb_info_t *hbinfo; 1108 unsigned long max_interval; 1109 1110 if (!sctp_vtag_verify(chunk, asoc)) 1111 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1112 1113 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1114 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) + 1115 sizeof(sctp_sender_hb_info_t))) 1116 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1117 commands); 1118 1119 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1120 /* Make sure that the length of the parameter is what we expect */ 1121 if (ntohs(hbinfo->param_hdr.length) != 1122 sizeof(sctp_sender_hb_info_t)) { 1123 return SCTP_DISPOSITION_DISCARD; 1124 } 1125 1126 from_addr = hbinfo->daddr; 1127 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1128 1129 /* This should never happen, but lets log it if so. */ 1130 if (unlikely(!link)) { 1131 if (from_addr.sa.sa_family == AF_INET6) { 1132 if (net_ratelimit()) 1133 pr_warn("%s association %p could not find address %pI6\n", 1134 __func__, 1135 asoc, 1136 &from_addr.v6.sin6_addr); 1137 } else { 1138 if (net_ratelimit()) 1139 pr_warn("%s association %p could not find address %pI4\n", 1140 __func__, 1141 asoc, 1142 &from_addr.v4.sin_addr.s_addr); 1143 } 1144 return SCTP_DISPOSITION_DISCARD; 1145 } 1146 1147 /* Validate the 64-bit random nonce. */ 1148 if (hbinfo->hb_nonce != link->hb_nonce) 1149 return SCTP_DISPOSITION_DISCARD; 1150 1151 max_interval = link->hbinterval + link->rto; 1152 1153 /* Check if the timestamp looks valid. */ 1154 if (time_after(hbinfo->sent_at, jiffies) || 1155 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1156 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp " 1157 "received for transport: %p\n", 1158 __func__, link); 1159 return SCTP_DISPOSITION_DISCARD; 1160 } 1161 1162 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1163 * the HEARTBEAT should clear the error counter of the 1164 * destination transport address to which the HEARTBEAT was 1165 * sent and mark the destination transport address as active if 1166 * it is not so marked. 1167 */ 1168 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1169 1170 return SCTP_DISPOSITION_CONSUME; 1171 } 1172 1173 /* Helper function to send out an abort for the restart 1174 * condition. 1175 */ 1176 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1177 struct sctp_chunk *init, 1178 sctp_cmd_seq_t *commands) 1179 { 1180 int len; 1181 struct sctp_packet *pkt; 1182 union sctp_addr_param *addrparm; 1183 struct sctp_errhdr *errhdr; 1184 struct sctp_endpoint *ep; 1185 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1186 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1187 1188 /* Build the error on the stack. We are way to malloc crazy 1189 * throughout the code today. 1190 */ 1191 errhdr = (struct sctp_errhdr *)buffer; 1192 addrparm = (union sctp_addr_param *)errhdr->variable; 1193 1194 /* Copy into a parm format. */ 1195 len = af->to_addr_param(ssa, addrparm); 1196 len += sizeof(sctp_errhdr_t); 1197 1198 errhdr->cause = SCTP_ERROR_RESTART; 1199 errhdr->length = htons(len); 1200 1201 /* Assign to the control socket. */ 1202 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1203 1204 /* Association is NULL since this may be a restart attack and we 1205 * want to send back the attacker's vtag. 1206 */ 1207 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1208 1209 if (!pkt) 1210 goto out; 1211 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1212 1213 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1214 1215 /* Discard the rest of the inbound packet. */ 1216 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1217 1218 out: 1219 /* Even if there is no memory, treat as a failure so 1220 * the packet will get dropped. 1221 */ 1222 return 0; 1223 } 1224 1225 static bool list_has_sctp_addr(const struct list_head *list, 1226 union sctp_addr *ipaddr) 1227 { 1228 struct sctp_transport *addr; 1229 1230 list_for_each_entry(addr, list, transports) { 1231 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1232 return true; 1233 } 1234 1235 return false; 1236 } 1237 /* A restart is occurring, check to make sure no new addresses 1238 * are being added as we may be under a takeover attack. 1239 */ 1240 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1241 const struct sctp_association *asoc, 1242 struct sctp_chunk *init, 1243 sctp_cmd_seq_t *commands) 1244 { 1245 struct sctp_transport *new_addr; 1246 int ret = 1; 1247 1248 /* Implementor's Guide - Section 5.2.2 1249 * ... 1250 * Before responding the endpoint MUST check to see if the 1251 * unexpected INIT adds new addresses to the association. If new 1252 * addresses are added to the association, the endpoint MUST respond 1253 * with an ABORT.. 1254 */ 1255 1256 /* Search through all current addresses and make sure 1257 * we aren't adding any new ones. 1258 */ 1259 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1260 transports) { 1261 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1262 &new_addr->ipaddr)) { 1263 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, 1264 commands); 1265 ret = 0; 1266 break; 1267 } 1268 } 1269 1270 /* Return success if all addresses were found. */ 1271 return ret; 1272 } 1273 1274 /* Populate the verification/tie tags based on overlapping INIT 1275 * scenario. 1276 * 1277 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1278 */ 1279 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1280 const struct sctp_association *asoc) 1281 { 1282 switch (asoc->state) { 1283 1284 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1285 1286 case SCTP_STATE_COOKIE_WAIT: 1287 new_asoc->c.my_vtag = asoc->c.my_vtag; 1288 new_asoc->c.my_ttag = asoc->c.my_vtag; 1289 new_asoc->c.peer_ttag = 0; 1290 break; 1291 1292 case SCTP_STATE_COOKIE_ECHOED: 1293 new_asoc->c.my_vtag = asoc->c.my_vtag; 1294 new_asoc->c.my_ttag = asoc->c.my_vtag; 1295 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1296 break; 1297 1298 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1299 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1300 */ 1301 default: 1302 new_asoc->c.my_ttag = asoc->c.my_vtag; 1303 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1304 break; 1305 } 1306 1307 /* Other parameters for the endpoint SHOULD be copied from the 1308 * existing parameters of the association (e.g. number of 1309 * outbound streams) into the INIT ACK and cookie. 1310 */ 1311 new_asoc->rwnd = asoc->rwnd; 1312 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1313 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1314 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1315 } 1316 1317 /* 1318 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1319 * handling action. 1320 * 1321 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1322 * 1323 * Returns value representing action to be taken. These action values 1324 * correspond to Action/Description values in RFC 2960, Table 2. 1325 */ 1326 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1327 const struct sctp_association *asoc) 1328 { 1329 /* In this case, the peer may have restarted. */ 1330 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1331 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1332 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1333 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1334 return 'A'; 1335 1336 /* Collision case B. */ 1337 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1338 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1339 (0 == asoc->c.peer_vtag))) { 1340 return 'B'; 1341 } 1342 1343 /* Collision case D. */ 1344 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1345 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1346 return 'D'; 1347 1348 /* Collision case C. */ 1349 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1350 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1351 (0 == new_asoc->c.my_ttag) && 1352 (0 == new_asoc->c.peer_ttag)) 1353 return 'C'; 1354 1355 /* No match to any of the special cases; discard this packet. */ 1356 return 'E'; 1357 } 1358 1359 /* Common helper routine for both duplicate and simulataneous INIT 1360 * chunk handling. 1361 */ 1362 static sctp_disposition_t sctp_sf_do_unexpected_init( 1363 const struct sctp_endpoint *ep, 1364 const struct sctp_association *asoc, 1365 const sctp_subtype_t type, 1366 void *arg, sctp_cmd_seq_t *commands) 1367 { 1368 sctp_disposition_t retval; 1369 struct sctp_chunk *chunk = arg; 1370 struct sctp_chunk *repl; 1371 struct sctp_association *new_asoc; 1372 struct sctp_chunk *err_chunk; 1373 struct sctp_packet *packet; 1374 sctp_unrecognized_param_t *unk_param; 1375 int len; 1376 1377 /* 6.10 Bundling 1378 * An endpoint MUST NOT bundle INIT, INIT ACK or 1379 * SHUTDOWN COMPLETE with any other chunks. 1380 * 1381 * IG Section 2.11.2 1382 * Furthermore, we require that the receiver of an INIT chunk MUST 1383 * enforce these rules by silently discarding an arriving packet 1384 * with an INIT chunk that is bundled with other chunks. 1385 */ 1386 if (!chunk->singleton) 1387 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1388 1389 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1390 * Tag. 1391 */ 1392 if (chunk->sctp_hdr->vtag != 0) 1393 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1394 1395 /* Make sure that the INIT chunk has a valid length. 1396 * In this case, we generate a protocol violation since we have 1397 * an association established. 1398 */ 1399 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1400 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1401 commands); 1402 /* Grab the INIT header. */ 1403 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1404 1405 /* Tag the variable length parameters. */ 1406 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1407 1408 /* Verify the INIT chunk before processing it. */ 1409 err_chunk = NULL; 1410 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1411 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1412 &err_chunk)) { 1413 /* This chunk contains fatal error. It is to be discarded. 1414 * Send an ABORT, with causes if there is any. 1415 */ 1416 if (err_chunk) { 1417 packet = sctp_abort_pkt_new(ep, asoc, arg, 1418 (__u8 *)(err_chunk->chunk_hdr) + 1419 sizeof(sctp_chunkhdr_t), 1420 ntohs(err_chunk->chunk_hdr->length) - 1421 sizeof(sctp_chunkhdr_t)); 1422 1423 if (packet) { 1424 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1425 SCTP_PACKET(packet)); 1426 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1427 retval = SCTP_DISPOSITION_CONSUME; 1428 } else { 1429 retval = SCTP_DISPOSITION_NOMEM; 1430 } 1431 goto cleanup; 1432 } else { 1433 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1434 commands); 1435 } 1436 } 1437 1438 /* 1439 * Other parameters for the endpoint SHOULD be copied from the 1440 * existing parameters of the association (e.g. number of 1441 * outbound streams) into the INIT ACK and cookie. 1442 * FIXME: We are copying parameters from the endpoint not the 1443 * association. 1444 */ 1445 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1446 if (!new_asoc) 1447 goto nomem; 1448 1449 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1450 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1451 goto nomem; 1452 1453 /* In the outbound INIT ACK the endpoint MUST copy its current 1454 * Verification Tag and Peers Verification tag into a reserved 1455 * place (local tie-tag and per tie-tag) within the state cookie. 1456 */ 1457 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1458 (sctp_init_chunk_t *)chunk->chunk_hdr, 1459 GFP_ATOMIC)) 1460 goto nomem; 1461 1462 /* Make sure no new addresses are being added during the 1463 * restart. Do not do this check for COOKIE-WAIT state, 1464 * since there are no peer addresses to check against. 1465 * Upon return an ABORT will have been sent if needed. 1466 */ 1467 if (!sctp_state(asoc, COOKIE_WAIT)) { 1468 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1469 commands)) { 1470 retval = SCTP_DISPOSITION_CONSUME; 1471 goto nomem_retval; 1472 } 1473 } 1474 1475 sctp_tietags_populate(new_asoc, asoc); 1476 1477 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1478 1479 /* If there are errors need to be reported for unknown parameters, 1480 * make sure to reserve enough room in the INIT ACK for them. 1481 */ 1482 len = 0; 1483 if (err_chunk) { 1484 len = ntohs(err_chunk->chunk_hdr->length) - 1485 sizeof(sctp_chunkhdr_t); 1486 } 1487 1488 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1489 if (!repl) 1490 goto nomem; 1491 1492 /* If there are errors need to be reported for unknown parameters, 1493 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1494 * parameter. 1495 */ 1496 if (err_chunk) { 1497 /* Get the "Unrecognized parameter" parameter(s) out of the 1498 * ERROR chunk generated by sctp_verify_init(). Since the 1499 * error cause code for "unknown parameter" and the 1500 * "Unrecognized parameter" type is the same, we can 1501 * construct the parameters in INIT ACK by copying the 1502 * ERROR causes over. 1503 */ 1504 unk_param = (sctp_unrecognized_param_t *) 1505 ((__u8 *)(err_chunk->chunk_hdr) + 1506 sizeof(sctp_chunkhdr_t)); 1507 /* Replace the cause code with the "Unrecognized parameter" 1508 * parameter type. 1509 */ 1510 sctp_addto_chunk(repl, len, unk_param); 1511 } 1512 1513 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1514 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1515 1516 /* 1517 * Note: After sending out INIT ACK with the State Cookie parameter, 1518 * "Z" MUST NOT allocate any resources for this new association. 1519 * Otherwise, "Z" will be vulnerable to resource attacks. 1520 */ 1521 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1522 retval = SCTP_DISPOSITION_CONSUME; 1523 1524 return retval; 1525 1526 nomem: 1527 retval = SCTP_DISPOSITION_NOMEM; 1528 nomem_retval: 1529 if (new_asoc) 1530 sctp_association_free(new_asoc); 1531 cleanup: 1532 if (err_chunk) 1533 sctp_chunk_free(err_chunk); 1534 return retval; 1535 } 1536 1537 /* 1538 * Handle simultaneous INIT. 1539 * This means we started an INIT and then we got an INIT request from 1540 * our peer. 1541 * 1542 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1543 * This usually indicates an initialization collision, i.e., each 1544 * endpoint is attempting, at about the same time, to establish an 1545 * association with the other endpoint. 1546 * 1547 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1548 * endpoint MUST respond with an INIT ACK using the same parameters it 1549 * sent in its original INIT chunk (including its Verification Tag, 1550 * unchanged). These original parameters are combined with those from the 1551 * newly received INIT chunk. The endpoint shall also generate a State 1552 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1553 * INIT to calculate the State Cookie. 1554 * 1555 * After that, the endpoint MUST NOT change its state, the T1-init 1556 * timer shall be left running and the corresponding TCB MUST NOT be 1557 * destroyed. The normal procedures for handling State Cookies when 1558 * a TCB exists will resolve the duplicate INITs to a single association. 1559 * 1560 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1561 * its Tie-Tags with the Tag information of itself and its peer (see 1562 * section 5.2.2 for a description of the Tie-Tags). 1563 * 1564 * Verification Tag: Not explicit, but an INIT can not have a valid 1565 * verification tag, so we skip the check. 1566 * 1567 * Inputs 1568 * (endpoint, asoc, chunk) 1569 * 1570 * Outputs 1571 * (asoc, reply_msg, msg_up, timers, counters) 1572 * 1573 * The return value is the disposition of the chunk. 1574 */ 1575 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1576 const struct sctp_association *asoc, 1577 const sctp_subtype_t type, 1578 void *arg, 1579 sctp_cmd_seq_t *commands) 1580 { 1581 /* Call helper to do the real work for both simulataneous and 1582 * duplicate INIT chunk handling. 1583 */ 1584 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1585 } 1586 1587 /* 1588 * Handle duplicated INIT messages. These are usually delayed 1589 * restransmissions. 1590 * 1591 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1592 * COOKIE-ECHOED and COOKIE-WAIT 1593 * 1594 * Unless otherwise stated, upon reception of an unexpected INIT for 1595 * this association, the endpoint shall generate an INIT ACK with a 1596 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1597 * current Verification Tag and peer's Verification Tag into a reserved 1598 * place within the state cookie. We shall refer to these locations as 1599 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1600 * containing this INIT ACK MUST carry a Verification Tag value equal to 1601 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1602 * MUST contain a new Initiation Tag (randomly generated see Section 1603 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1604 * existing parameters of the association (e.g. number of outbound 1605 * streams) into the INIT ACK and cookie. 1606 * 1607 * After sending out the INIT ACK, the endpoint shall take no further 1608 * actions, i.e., the existing association, including its current state, 1609 * and the corresponding TCB MUST NOT be changed. 1610 * 1611 * Note: Only when a TCB exists and the association is not in a COOKIE- 1612 * WAIT state are the Tie-Tags populated. For a normal association INIT 1613 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1614 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1615 * State Cookie are populated as specified in section 5.2.1. 1616 * 1617 * Verification Tag: Not specified, but an INIT has no way of knowing 1618 * what the verification tag could be, so we ignore it. 1619 * 1620 * Inputs 1621 * (endpoint, asoc, chunk) 1622 * 1623 * Outputs 1624 * (asoc, reply_msg, msg_up, timers, counters) 1625 * 1626 * The return value is the disposition of the chunk. 1627 */ 1628 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1629 const struct sctp_association *asoc, 1630 const sctp_subtype_t type, 1631 void *arg, 1632 sctp_cmd_seq_t *commands) 1633 { 1634 /* Call helper to do the real work for both simulataneous and 1635 * duplicate INIT chunk handling. 1636 */ 1637 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1638 } 1639 1640 1641 /* 1642 * Unexpected INIT-ACK handler. 1643 * 1644 * Section 5.2.3 1645 * If an INIT ACK received by an endpoint in any state other than the 1646 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1647 * An unexpected INIT ACK usually indicates the processing of an old or 1648 * duplicated INIT chunk. 1649 */ 1650 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1651 const struct sctp_association *asoc, 1652 const sctp_subtype_t type, 1653 void *arg, sctp_cmd_seq_t *commands) 1654 { 1655 /* Per the above section, we'll discard the chunk if we have an 1656 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1657 */ 1658 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1659 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1660 else 1661 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1662 } 1663 1664 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1665 * 1666 * Section 5.2.4 1667 * A) In this case, the peer may have restarted. 1668 */ 1669 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1670 const struct sctp_association *asoc, 1671 struct sctp_chunk *chunk, 1672 sctp_cmd_seq_t *commands, 1673 struct sctp_association *new_asoc) 1674 { 1675 sctp_init_chunk_t *peer_init; 1676 struct sctp_ulpevent *ev; 1677 struct sctp_chunk *repl; 1678 struct sctp_chunk *err; 1679 sctp_disposition_t disposition; 1680 1681 /* new_asoc is a brand-new association, so these are not yet 1682 * side effects--it is safe to run them here. 1683 */ 1684 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1685 1686 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1687 GFP_ATOMIC)) 1688 goto nomem; 1689 1690 /* Make sure no new addresses are being added during the 1691 * restart. Though this is a pretty complicated attack 1692 * since you'd have to get inside the cookie. 1693 */ 1694 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1695 return SCTP_DISPOSITION_CONSUME; 1696 } 1697 1698 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1699 * the peer has restarted (Action A), it MUST NOT setup a new 1700 * association but instead resend the SHUTDOWN ACK and send an ERROR 1701 * chunk with a "Cookie Received while Shutting Down" error cause to 1702 * its peer. 1703 */ 1704 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1705 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1706 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1707 chunk, commands); 1708 if (SCTP_DISPOSITION_NOMEM == disposition) 1709 goto nomem; 1710 1711 err = sctp_make_op_error(asoc, chunk, 1712 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1713 NULL, 0, 0); 1714 if (err) 1715 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1716 SCTP_CHUNK(err)); 1717 1718 return SCTP_DISPOSITION_CONSUME; 1719 } 1720 1721 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1722 * data. Consider the optional choice of resending of this data. 1723 */ 1724 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1725 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1726 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1727 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1728 1729 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1730 * and ASCONF-ACK cache. 1731 */ 1732 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1733 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1734 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1735 1736 repl = sctp_make_cookie_ack(new_asoc, chunk); 1737 if (!repl) 1738 goto nomem; 1739 1740 /* Report association restart to upper layer. */ 1741 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1742 new_asoc->c.sinit_num_ostreams, 1743 new_asoc->c.sinit_max_instreams, 1744 NULL, GFP_ATOMIC); 1745 if (!ev) 1746 goto nomem_ev; 1747 1748 /* Update the content of current association. */ 1749 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1750 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1751 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1752 return SCTP_DISPOSITION_CONSUME; 1753 1754 nomem_ev: 1755 sctp_chunk_free(repl); 1756 nomem: 1757 return SCTP_DISPOSITION_NOMEM; 1758 } 1759 1760 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1761 * 1762 * Section 5.2.4 1763 * B) In this case, both sides may be attempting to start an association 1764 * at about the same time but the peer endpoint started its INIT 1765 * after responding to the local endpoint's INIT 1766 */ 1767 /* This case represents an initialization collision. */ 1768 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1769 const struct sctp_association *asoc, 1770 struct sctp_chunk *chunk, 1771 sctp_cmd_seq_t *commands, 1772 struct sctp_association *new_asoc) 1773 { 1774 sctp_init_chunk_t *peer_init; 1775 struct sctp_chunk *repl; 1776 1777 /* new_asoc is a brand-new association, so these are not yet 1778 * side effects--it is safe to run them here. 1779 */ 1780 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1781 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1782 GFP_ATOMIC)) 1783 goto nomem; 1784 1785 /* Update the content of current association. */ 1786 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1787 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1788 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1789 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1790 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1791 1792 repl = sctp_make_cookie_ack(new_asoc, chunk); 1793 if (!repl) 1794 goto nomem; 1795 1796 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1797 1798 /* RFC 2960 5.1 Normal Establishment of an Association 1799 * 1800 * D) IMPLEMENTATION NOTE: An implementation may choose to 1801 * send the Communication Up notification to the SCTP user 1802 * upon reception of a valid COOKIE ECHO chunk. 1803 * 1804 * Sadly, this needs to be implemented as a side-effect, because 1805 * we are not guaranteed to have set the association id of the real 1806 * association and so these notifications need to be delayed until 1807 * the association id is allocated. 1808 */ 1809 1810 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1811 1812 /* Sockets API Draft Section 5.3.1.6 1813 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1814 * delivers this notification to inform the application that of the 1815 * peers requested adaptation layer. 1816 * 1817 * This also needs to be done as a side effect for the same reason as 1818 * above. 1819 */ 1820 if (asoc->peer.adaptation_ind) 1821 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1822 1823 return SCTP_DISPOSITION_CONSUME; 1824 1825 nomem: 1826 return SCTP_DISPOSITION_NOMEM; 1827 } 1828 1829 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1830 * 1831 * Section 5.2.4 1832 * C) In this case, the local endpoint's cookie has arrived late. 1833 * Before it arrived, the local endpoint sent an INIT and received an 1834 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1835 * but a new tag of its own. 1836 */ 1837 /* This case represents an initialization collision. */ 1838 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1839 const struct sctp_association *asoc, 1840 struct sctp_chunk *chunk, 1841 sctp_cmd_seq_t *commands, 1842 struct sctp_association *new_asoc) 1843 { 1844 /* The cookie should be silently discarded. 1845 * The endpoint SHOULD NOT change states and should leave 1846 * any timers running. 1847 */ 1848 return SCTP_DISPOSITION_DISCARD; 1849 } 1850 1851 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1852 * 1853 * Section 5.2.4 1854 * 1855 * D) When both local and remote tags match the endpoint should always 1856 * enter the ESTABLISHED state, if it has not already done so. 1857 */ 1858 /* This case represents an initialization collision. */ 1859 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1860 const struct sctp_association *asoc, 1861 struct sctp_chunk *chunk, 1862 sctp_cmd_seq_t *commands, 1863 struct sctp_association *new_asoc) 1864 { 1865 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1866 struct sctp_chunk *repl; 1867 1868 /* Clarification from Implementor's Guide: 1869 * D) When both local and remote tags match the endpoint should 1870 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1871 * It should stop any cookie timer that may be running and send 1872 * a COOKIE ACK. 1873 */ 1874 1875 /* Don't accidentally move back into established state. */ 1876 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1877 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1878 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1879 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1880 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1881 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1882 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1883 SCTP_NULL()); 1884 1885 /* RFC 2960 5.1 Normal Establishment of an Association 1886 * 1887 * D) IMPLEMENTATION NOTE: An implementation may choose 1888 * to send the Communication Up notification to the 1889 * SCTP user upon reception of a valid COOKIE 1890 * ECHO chunk. 1891 */ 1892 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1893 SCTP_COMM_UP, 0, 1894 asoc->c.sinit_num_ostreams, 1895 asoc->c.sinit_max_instreams, 1896 NULL, GFP_ATOMIC); 1897 if (!ev) 1898 goto nomem; 1899 1900 /* Sockets API Draft Section 5.3.1.6 1901 * When a peer sends a Adaptation Layer Indication parameter, 1902 * SCTP delivers this notification to inform the application 1903 * that of the peers requested adaptation layer. 1904 */ 1905 if (asoc->peer.adaptation_ind) { 1906 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1907 GFP_ATOMIC); 1908 if (!ai_ev) 1909 goto nomem; 1910 1911 } 1912 } 1913 1914 repl = sctp_make_cookie_ack(new_asoc, chunk); 1915 if (!repl) 1916 goto nomem; 1917 1918 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1919 1920 if (ev) 1921 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1922 SCTP_ULPEVENT(ev)); 1923 if (ai_ev) 1924 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1925 SCTP_ULPEVENT(ai_ev)); 1926 1927 return SCTP_DISPOSITION_CONSUME; 1928 1929 nomem: 1930 if (ai_ev) 1931 sctp_ulpevent_free(ai_ev); 1932 if (ev) 1933 sctp_ulpevent_free(ev); 1934 return SCTP_DISPOSITION_NOMEM; 1935 } 1936 1937 /* 1938 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1939 * chunk was retransmitted and then delayed in the network. 1940 * 1941 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1942 * 1943 * Verification Tag: None. Do cookie validation. 1944 * 1945 * Inputs 1946 * (endpoint, asoc, chunk) 1947 * 1948 * Outputs 1949 * (asoc, reply_msg, msg_up, timers, counters) 1950 * 1951 * The return value is the disposition of the chunk. 1952 */ 1953 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1954 const struct sctp_association *asoc, 1955 const sctp_subtype_t type, 1956 void *arg, 1957 sctp_cmd_seq_t *commands) 1958 { 1959 sctp_disposition_t retval; 1960 struct sctp_chunk *chunk = arg; 1961 struct sctp_association *new_asoc; 1962 int error = 0; 1963 char action; 1964 struct sctp_chunk *err_chk_p; 1965 1966 /* Make sure that the chunk has a valid length from the protocol 1967 * perspective. In this case check to make sure we have at least 1968 * enough for the chunk header. Cookie length verification is 1969 * done later. 1970 */ 1971 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1972 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1973 commands); 1974 1975 /* "Decode" the chunk. We have no optional parameters so we 1976 * are in good shape. 1977 */ 1978 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1979 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1980 sizeof(sctp_chunkhdr_t))) 1981 goto nomem; 1982 1983 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1984 * of a duplicate COOKIE ECHO match the Verification Tags of the 1985 * current association, consider the State Cookie valid even if 1986 * the lifespan is exceeded. 1987 */ 1988 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1989 &err_chk_p); 1990 1991 /* FIXME: 1992 * If the re-build failed, what is the proper error path 1993 * from here? 1994 * 1995 * [We should abort the association. --piggy] 1996 */ 1997 if (!new_asoc) { 1998 /* FIXME: Several errors are possible. A bad cookie should 1999 * be silently discarded, but think about logging it too. 2000 */ 2001 switch (error) { 2002 case -SCTP_IERROR_NOMEM: 2003 goto nomem; 2004 2005 case -SCTP_IERROR_STALE_COOKIE: 2006 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 2007 err_chk_p); 2008 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2009 case -SCTP_IERROR_BAD_SIG: 2010 default: 2011 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2012 } 2013 } 2014 2015 /* Compare the tie_tag in cookie with the verification tag of 2016 * current association. 2017 */ 2018 action = sctp_tietags_compare(new_asoc, asoc); 2019 2020 switch (action) { 2021 case 'A': /* Association restart. */ 2022 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 2023 new_asoc); 2024 break; 2025 2026 case 'B': /* Collision case B. */ 2027 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 2028 new_asoc); 2029 break; 2030 2031 case 'C': /* Collision case C. */ 2032 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 2033 new_asoc); 2034 break; 2035 2036 case 'D': /* Collision case D. */ 2037 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 2038 new_asoc); 2039 break; 2040 2041 default: /* Discard packet for all others. */ 2042 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2043 break; 2044 } 2045 2046 /* Delete the tempory new association. */ 2047 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 2048 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2049 2050 /* Restore association pointer to provide SCTP command interpeter 2051 * with a valid context in case it needs to manipulate 2052 * the queues */ 2053 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2054 SCTP_ASOC((struct sctp_association *)asoc)); 2055 2056 return retval; 2057 2058 nomem: 2059 return SCTP_DISPOSITION_NOMEM; 2060 } 2061 2062 /* 2063 * Process an ABORT. (SHUTDOWN-PENDING state) 2064 * 2065 * See sctp_sf_do_9_1_abort(). 2066 */ 2067 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2068 const struct sctp_endpoint *ep, 2069 const struct sctp_association *asoc, 2070 const sctp_subtype_t type, 2071 void *arg, 2072 sctp_cmd_seq_t *commands) 2073 { 2074 struct sctp_chunk *chunk = arg; 2075 2076 if (!sctp_vtag_verify_either(chunk, asoc)) 2077 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2078 2079 /* Make sure that the ABORT chunk has a valid length. 2080 * Since this is an ABORT chunk, we have to discard it 2081 * because of the following text: 2082 * RFC 2960, Section 3.3.7 2083 * If an endpoint receives an ABORT with a format error or for an 2084 * association that doesn't exist, it MUST silently discard it. 2085 * Because the length is "invalid", we can't really discard just 2086 * as we do not know its true length. So, to be safe, discard the 2087 * packet. 2088 */ 2089 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2090 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2091 2092 /* ADD-IP: Special case for ABORT chunks 2093 * F4) One special consideration is that ABORT Chunks arriving 2094 * destined to the IP address being deleted MUST be 2095 * ignored (see Section 5.3.1 for further details). 2096 */ 2097 if (SCTP_ADDR_DEL == 2098 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2099 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2100 2101 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2102 } 2103 2104 /* 2105 * Process an ABORT. (SHUTDOWN-SENT state) 2106 * 2107 * See sctp_sf_do_9_1_abort(). 2108 */ 2109 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 2110 const struct sctp_association *asoc, 2111 const sctp_subtype_t type, 2112 void *arg, 2113 sctp_cmd_seq_t *commands) 2114 { 2115 struct sctp_chunk *chunk = arg; 2116 2117 if (!sctp_vtag_verify_either(chunk, asoc)) 2118 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2119 2120 /* Make sure that the ABORT chunk has a valid length. 2121 * Since this is an ABORT chunk, we have to discard it 2122 * because of the following text: 2123 * RFC 2960, Section 3.3.7 2124 * If an endpoint receives an ABORT with a format error or for an 2125 * association that doesn't exist, it MUST silently discard it. 2126 * Because the length is "invalid", we can't really discard just 2127 * as we do not know its true length. So, to be safe, discard the 2128 * packet. 2129 */ 2130 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2131 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2132 2133 /* ADD-IP: Special case for ABORT chunks 2134 * F4) One special consideration is that ABORT Chunks arriving 2135 * destined to the IP address being deleted MUST be 2136 * ignored (see Section 5.3.1 for further details). 2137 */ 2138 if (SCTP_ADDR_DEL == 2139 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2140 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2141 2142 /* Stop the T2-shutdown timer. */ 2143 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2144 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2145 2146 /* Stop the T5-shutdown guard timer. */ 2147 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2148 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2149 2150 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2151 } 2152 2153 /* 2154 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2155 * 2156 * See sctp_sf_do_9_1_abort(). 2157 */ 2158 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2159 const struct sctp_endpoint *ep, 2160 const struct sctp_association *asoc, 2161 const sctp_subtype_t type, 2162 void *arg, 2163 sctp_cmd_seq_t *commands) 2164 { 2165 /* The same T2 timer, so we should be able to use 2166 * common function with the SHUTDOWN-SENT state. 2167 */ 2168 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2169 } 2170 2171 /* 2172 * Handle an Error received in COOKIE_ECHOED state. 2173 * 2174 * Only handle the error type of stale COOKIE Error, the other errors will 2175 * be ignored. 2176 * 2177 * Inputs 2178 * (endpoint, asoc, chunk) 2179 * 2180 * Outputs 2181 * (asoc, reply_msg, msg_up, timers, counters) 2182 * 2183 * The return value is the disposition of the chunk. 2184 */ 2185 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2186 const struct sctp_association *asoc, 2187 const sctp_subtype_t type, 2188 void *arg, 2189 sctp_cmd_seq_t *commands) 2190 { 2191 struct sctp_chunk *chunk = arg; 2192 sctp_errhdr_t *err; 2193 2194 if (!sctp_vtag_verify(chunk, asoc)) 2195 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2196 2197 /* Make sure that the ERROR chunk has a valid length. 2198 * The parameter walking depends on this as well. 2199 */ 2200 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2201 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2202 commands); 2203 2204 /* Process the error here */ 2205 /* FUTURE FIXME: When PR-SCTP related and other optional 2206 * parms are emitted, this will have to change to handle multiple 2207 * errors. 2208 */ 2209 sctp_walk_errors(err, chunk->chunk_hdr) { 2210 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2211 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2212 arg, commands); 2213 } 2214 2215 /* It is possible to have malformed error causes, and that 2216 * will cause us to end the walk early. However, since 2217 * we are discarding the packet, there should be no adverse 2218 * affects. 2219 */ 2220 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2221 } 2222 2223 /* 2224 * Handle a Stale COOKIE Error 2225 * 2226 * Section: 5.2.6 Handle Stale COOKIE Error 2227 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2228 * one of the following three alternatives. 2229 * ... 2230 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2231 * Preservative parameter requesting an extension to the lifetime of 2232 * the State Cookie. When calculating the time extension, an 2233 * implementation SHOULD use the RTT information measured based on the 2234 * previous COOKIE ECHO / ERROR exchange, and should add no more 2235 * than 1 second beyond the measured RTT, due to long State Cookie 2236 * lifetimes making the endpoint more subject to a replay attack. 2237 * 2238 * Verification Tag: Not explicit, but safe to ignore. 2239 * 2240 * Inputs 2241 * (endpoint, asoc, chunk) 2242 * 2243 * Outputs 2244 * (asoc, reply_msg, msg_up, timers, counters) 2245 * 2246 * The return value is the disposition of the chunk. 2247 */ 2248 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2249 const struct sctp_association *asoc, 2250 const sctp_subtype_t type, 2251 void *arg, 2252 sctp_cmd_seq_t *commands) 2253 { 2254 struct sctp_chunk *chunk = arg; 2255 time_t stale; 2256 sctp_cookie_preserve_param_t bht; 2257 sctp_errhdr_t *err; 2258 struct sctp_chunk *reply; 2259 struct sctp_bind_addr *bp; 2260 int attempts = asoc->init_err_counter + 1; 2261 2262 if (attempts > asoc->max_init_attempts) { 2263 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2264 SCTP_ERROR(ETIMEDOUT)); 2265 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2266 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2267 return SCTP_DISPOSITION_DELETE_TCB; 2268 } 2269 2270 err = (sctp_errhdr_t *)(chunk->skb->data); 2271 2272 /* When calculating the time extension, an implementation 2273 * SHOULD use the RTT information measured based on the 2274 * previous COOKIE ECHO / ERROR exchange, and should add no 2275 * more than 1 second beyond the measured RTT, due to long 2276 * State Cookie lifetimes making the endpoint more subject to 2277 * a replay attack. 2278 * Measure of Staleness's unit is usec. (1/1000000 sec) 2279 * Suggested Cookie Life-span Increment's unit is msec. 2280 * (1/1000 sec) 2281 * In general, if you use the suggested cookie life, the value 2282 * found in the field of measure of staleness should be doubled 2283 * to give ample time to retransmit the new cookie and thus 2284 * yield a higher probability of success on the reattempt. 2285 */ 2286 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2287 stale = (stale * 2) / 1000; 2288 2289 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2290 bht.param_hdr.length = htons(sizeof(bht)); 2291 bht.lifespan_increment = htonl(stale); 2292 2293 /* Build that new INIT chunk. */ 2294 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2295 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2296 if (!reply) 2297 goto nomem; 2298 2299 sctp_addto_chunk(reply, sizeof(bht), &bht); 2300 2301 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2302 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2303 2304 /* Stop pending T3-rtx and heartbeat timers */ 2305 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2306 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2307 2308 /* Delete non-primary peer ip addresses since we are transitioning 2309 * back to the COOKIE-WAIT state 2310 */ 2311 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2312 2313 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2314 * resend 2315 */ 2316 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2317 SCTP_TRANSPORT(asoc->peer.primary_path)); 2318 2319 /* Cast away the const modifier, as we want to just 2320 * rerun it through as a sideffect. 2321 */ 2322 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2323 2324 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2325 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2326 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2327 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2328 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2329 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2330 2331 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2332 2333 return SCTP_DISPOSITION_CONSUME; 2334 2335 nomem: 2336 return SCTP_DISPOSITION_NOMEM; 2337 } 2338 2339 /* 2340 * Process an ABORT. 2341 * 2342 * Section: 9.1 2343 * After checking the Verification Tag, the receiving endpoint shall 2344 * remove the association from its record, and shall report the 2345 * termination to its upper layer. 2346 * 2347 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2348 * B) Rules for packet carrying ABORT: 2349 * 2350 * - The endpoint shall always fill in the Verification Tag field of the 2351 * outbound packet with the destination endpoint's tag value if it 2352 * is known. 2353 * 2354 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2355 * MUST follow the procedure described in Section 8.4. 2356 * 2357 * - The receiver MUST accept the packet if the Verification Tag 2358 * matches either its own tag, OR the tag of its peer. Otherwise, the 2359 * receiver MUST silently discard the packet and take no further 2360 * action. 2361 * 2362 * Inputs 2363 * (endpoint, asoc, chunk) 2364 * 2365 * Outputs 2366 * (asoc, reply_msg, msg_up, timers, counters) 2367 * 2368 * The return value is the disposition of the chunk. 2369 */ 2370 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2371 const struct sctp_association *asoc, 2372 const sctp_subtype_t type, 2373 void *arg, 2374 sctp_cmd_seq_t *commands) 2375 { 2376 struct sctp_chunk *chunk = arg; 2377 2378 if (!sctp_vtag_verify_either(chunk, asoc)) 2379 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2380 2381 /* Make sure that the ABORT chunk has a valid length. 2382 * Since this is an ABORT chunk, we have to discard it 2383 * because of the following text: 2384 * RFC 2960, Section 3.3.7 2385 * If an endpoint receives an ABORT with a format error or for an 2386 * association that doesn't exist, it MUST silently discard it. 2387 * Because the length is "invalid", we can't really discard just 2388 * as we do not know its true length. So, to be safe, discard the 2389 * packet. 2390 */ 2391 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2392 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2393 2394 /* ADD-IP: Special case for ABORT chunks 2395 * F4) One special consideration is that ABORT Chunks arriving 2396 * destined to the IP address being deleted MUST be 2397 * ignored (see Section 5.3.1 for further details). 2398 */ 2399 if (SCTP_ADDR_DEL == 2400 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2401 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2402 2403 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2404 } 2405 2406 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2407 const struct sctp_association *asoc, 2408 const sctp_subtype_t type, 2409 void *arg, 2410 sctp_cmd_seq_t *commands) 2411 { 2412 struct sctp_chunk *chunk = arg; 2413 unsigned len; 2414 __be16 error = SCTP_ERROR_NO_ERROR; 2415 2416 /* See if we have an error cause code in the chunk. */ 2417 len = ntohs(chunk->chunk_hdr->length); 2418 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { 2419 2420 sctp_errhdr_t *err; 2421 sctp_walk_errors(err, chunk->chunk_hdr); 2422 if ((void *)err != (void *)chunk->chunk_end) 2423 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2424 2425 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2426 } 2427 2428 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2429 /* ASSOC_FAILED will DELETE_TCB. */ 2430 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2431 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2432 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2433 2434 return SCTP_DISPOSITION_ABORT; 2435 } 2436 2437 /* 2438 * Process an ABORT. (COOKIE-WAIT state) 2439 * 2440 * See sctp_sf_do_9_1_abort() above. 2441 */ 2442 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2443 const struct sctp_association *asoc, 2444 const sctp_subtype_t type, 2445 void *arg, 2446 sctp_cmd_seq_t *commands) 2447 { 2448 struct sctp_chunk *chunk = arg; 2449 unsigned len; 2450 __be16 error = SCTP_ERROR_NO_ERROR; 2451 2452 if (!sctp_vtag_verify_either(chunk, asoc)) 2453 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2454 2455 /* Make sure that the ABORT chunk has a valid length. 2456 * Since this is an ABORT chunk, we have to discard it 2457 * because of the following text: 2458 * RFC 2960, Section 3.3.7 2459 * If an endpoint receives an ABORT with a format error or for an 2460 * association that doesn't exist, it MUST silently discard it. 2461 * Because the length is "invalid", we can't really discard just 2462 * as we do not know its true length. So, to be safe, discard the 2463 * packet. 2464 */ 2465 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2466 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2467 2468 /* See if we have an error cause code in the chunk. */ 2469 len = ntohs(chunk->chunk_hdr->length); 2470 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2471 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2472 2473 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2474 chunk->transport); 2475 } 2476 2477 /* 2478 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2479 */ 2480 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2481 const struct sctp_association *asoc, 2482 const sctp_subtype_t type, 2483 void *arg, 2484 sctp_cmd_seq_t *commands) 2485 { 2486 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2487 ENOPROTOOPT, asoc, 2488 (struct sctp_transport *)arg); 2489 } 2490 2491 /* 2492 * Process an ABORT. (COOKIE-ECHOED state) 2493 */ 2494 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2495 const struct sctp_association *asoc, 2496 const sctp_subtype_t type, 2497 void *arg, 2498 sctp_cmd_seq_t *commands) 2499 { 2500 /* There is a single T1 timer, so we should be able to use 2501 * common function with the COOKIE-WAIT state. 2502 */ 2503 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2504 } 2505 2506 /* 2507 * Stop T1 timer and abort association with "INIT failed". 2508 * 2509 * This is common code called by several sctp_sf_*_abort() functions above. 2510 */ 2511 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2512 __be16 error, int sk_err, 2513 const struct sctp_association *asoc, 2514 struct sctp_transport *transport) 2515 { 2516 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2517 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2518 SCTP_STATE(SCTP_STATE_CLOSED)); 2519 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2520 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2521 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2522 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2523 /* CMD_INIT_FAILED will DELETE_TCB. */ 2524 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2525 SCTP_PERR(error)); 2526 return SCTP_DISPOSITION_ABORT; 2527 } 2528 2529 /* 2530 * sctp_sf_do_9_2_shut 2531 * 2532 * Section: 9.2 2533 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2534 * - enter the SHUTDOWN-RECEIVED state, 2535 * 2536 * - stop accepting new data from its SCTP user 2537 * 2538 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2539 * that all its outstanding DATA chunks have been received by the 2540 * SHUTDOWN sender. 2541 * 2542 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2543 * send a SHUTDOWN in response to a ULP request. And should discard 2544 * subsequent SHUTDOWN chunks. 2545 * 2546 * If there are still outstanding DATA chunks left, the SHUTDOWN 2547 * receiver shall continue to follow normal data transmission 2548 * procedures defined in Section 6 until all outstanding DATA chunks 2549 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2550 * new data from its SCTP user. 2551 * 2552 * Verification Tag: 8.5 Verification Tag [Normal verification] 2553 * 2554 * Inputs 2555 * (endpoint, asoc, chunk) 2556 * 2557 * Outputs 2558 * (asoc, reply_msg, msg_up, timers, counters) 2559 * 2560 * The return value is the disposition of the chunk. 2561 */ 2562 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2563 const struct sctp_association *asoc, 2564 const sctp_subtype_t type, 2565 void *arg, 2566 sctp_cmd_seq_t *commands) 2567 { 2568 struct sctp_chunk *chunk = arg; 2569 sctp_shutdownhdr_t *sdh; 2570 sctp_disposition_t disposition; 2571 struct sctp_ulpevent *ev; 2572 __u32 ctsn; 2573 2574 if (!sctp_vtag_verify(chunk, asoc)) 2575 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2576 2577 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2578 if (!sctp_chunk_length_valid(chunk, 2579 sizeof(struct sctp_shutdown_chunk_t))) 2580 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2581 commands); 2582 2583 /* Convert the elaborate header. */ 2584 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2585 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2586 chunk->subh.shutdown_hdr = sdh; 2587 ctsn = ntohl(sdh->cum_tsn_ack); 2588 2589 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2590 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2591 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2592 return SCTP_DISPOSITION_DISCARD; 2593 } 2594 2595 /* If Cumulative TSN Ack beyond the max tsn currently 2596 * send, terminating the association and respond to the 2597 * sender with an ABORT. 2598 */ 2599 if (!TSN_lt(ctsn, asoc->next_tsn)) 2600 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 2601 2602 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2603 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2604 * inform the application that it should cease sending data. 2605 */ 2606 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2607 if (!ev) { 2608 disposition = SCTP_DISPOSITION_NOMEM; 2609 goto out; 2610 } 2611 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2612 2613 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2614 * - enter the SHUTDOWN-RECEIVED state, 2615 * - stop accepting new data from its SCTP user 2616 * 2617 * [This is implicit in the new state.] 2618 */ 2619 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2620 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2621 disposition = SCTP_DISPOSITION_CONSUME; 2622 2623 if (sctp_outq_is_empty(&asoc->outqueue)) { 2624 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2625 arg, commands); 2626 } 2627 2628 if (SCTP_DISPOSITION_NOMEM == disposition) 2629 goto out; 2630 2631 /* - verify, by checking the Cumulative TSN Ack field of the 2632 * chunk, that all its outstanding DATA chunks have been 2633 * received by the SHUTDOWN sender. 2634 */ 2635 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2636 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2637 2638 out: 2639 return disposition; 2640 } 2641 2642 /* 2643 * sctp_sf_do_9_2_shut_ctsn 2644 * 2645 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2646 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2647 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2648 * MUST be processed. 2649 */ 2650 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep, 2651 const struct sctp_association *asoc, 2652 const sctp_subtype_t type, 2653 void *arg, 2654 sctp_cmd_seq_t *commands) 2655 { 2656 struct sctp_chunk *chunk = arg; 2657 sctp_shutdownhdr_t *sdh; 2658 __u32 ctsn; 2659 2660 if (!sctp_vtag_verify(chunk, asoc)) 2661 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2662 2663 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2664 if (!sctp_chunk_length_valid(chunk, 2665 sizeof(struct sctp_shutdown_chunk_t))) 2666 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2667 commands); 2668 2669 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2670 ctsn = ntohl(sdh->cum_tsn_ack); 2671 2672 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2673 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2674 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2675 return SCTP_DISPOSITION_DISCARD; 2676 } 2677 2678 /* If Cumulative TSN Ack beyond the max tsn currently 2679 * send, terminating the association and respond to the 2680 * sender with an ABORT. 2681 */ 2682 if (!TSN_lt(ctsn, asoc->next_tsn)) 2683 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 2684 2685 /* verify, by checking the Cumulative TSN Ack field of the 2686 * chunk, that all its outstanding DATA chunks have been 2687 * received by the SHUTDOWN sender. 2688 */ 2689 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2690 SCTP_BE32(sdh->cum_tsn_ack)); 2691 2692 return SCTP_DISPOSITION_CONSUME; 2693 } 2694 2695 /* RFC 2960 9.2 2696 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2697 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2698 * transport addresses (either in the IP addresses or in the INIT chunk) 2699 * that belong to this association, it should discard the INIT chunk and 2700 * retransmit the SHUTDOWN ACK chunk. 2701 */ 2702 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2703 const struct sctp_association *asoc, 2704 const sctp_subtype_t type, 2705 void *arg, 2706 sctp_cmd_seq_t *commands) 2707 { 2708 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2709 struct sctp_chunk *reply; 2710 2711 /* Make sure that the chunk has a valid length */ 2712 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2713 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2714 commands); 2715 2716 /* Since we are not going to really process this INIT, there 2717 * is no point in verifying chunk boundries. Just generate 2718 * the SHUTDOWN ACK. 2719 */ 2720 reply = sctp_make_shutdown_ack(asoc, chunk); 2721 if (NULL == reply) 2722 goto nomem; 2723 2724 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2725 * the T2-SHUTDOWN timer. 2726 */ 2727 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2728 2729 /* and restart the T2-shutdown timer. */ 2730 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2731 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2732 2733 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2734 2735 return SCTP_DISPOSITION_CONSUME; 2736 nomem: 2737 return SCTP_DISPOSITION_NOMEM; 2738 } 2739 2740 /* 2741 * sctp_sf_do_ecn_cwr 2742 * 2743 * Section: Appendix A: Explicit Congestion Notification 2744 * 2745 * CWR: 2746 * 2747 * RFC 2481 details a specific bit for a sender to send in the header of 2748 * its next outbound TCP segment to indicate to its peer that it has 2749 * reduced its congestion window. This is termed the CWR bit. For 2750 * SCTP the same indication is made by including the CWR chunk. 2751 * This chunk contains one data element, i.e. the TSN number that 2752 * was sent in the ECNE chunk. This element represents the lowest 2753 * TSN number in the datagram that was originally marked with the 2754 * CE bit. 2755 * 2756 * Verification Tag: 8.5 Verification Tag [Normal verification] 2757 * Inputs 2758 * (endpoint, asoc, chunk) 2759 * 2760 * Outputs 2761 * (asoc, reply_msg, msg_up, timers, counters) 2762 * 2763 * The return value is the disposition of the chunk. 2764 */ 2765 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2766 const struct sctp_association *asoc, 2767 const sctp_subtype_t type, 2768 void *arg, 2769 sctp_cmd_seq_t *commands) 2770 { 2771 sctp_cwrhdr_t *cwr; 2772 struct sctp_chunk *chunk = arg; 2773 u32 lowest_tsn; 2774 2775 if (!sctp_vtag_verify(chunk, asoc)) 2776 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2777 2778 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2779 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2780 commands); 2781 2782 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2783 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2784 2785 lowest_tsn = ntohl(cwr->lowest_tsn); 2786 2787 /* Does this CWR ack the last sent congestion notification? */ 2788 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2789 /* Stop sending ECNE. */ 2790 sctp_add_cmd_sf(commands, 2791 SCTP_CMD_ECN_CWR, 2792 SCTP_U32(lowest_tsn)); 2793 } 2794 return SCTP_DISPOSITION_CONSUME; 2795 } 2796 2797 /* 2798 * sctp_sf_do_ecne 2799 * 2800 * Section: Appendix A: Explicit Congestion Notification 2801 * 2802 * ECN-Echo 2803 * 2804 * RFC 2481 details a specific bit for a receiver to send back in its 2805 * TCP acknowledgements to notify the sender of the Congestion 2806 * Experienced (CE) bit having arrived from the network. For SCTP this 2807 * same indication is made by including the ECNE chunk. This chunk 2808 * contains one data element, i.e. the lowest TSN associated with the IP 2809 * datagram marked with the CE bit..... 2810 * 2811 * Verification Tag: 8.5 Verification Tag [Normal verification] 2812 * Inputs 2813 * (endpoint, asoc, chunk) 2814 * 2815 * Outputs 2816 * (asoc, reply_msg, msg_up, timers, counters) 2817 * 2818 * The return value is the disposition of the chunk. 2819 */ 2820 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2821 const struct sctp_association *asoc, 2822 const sctp_subtype_t type, 2823 void *arg, 2824 sctp_cmd_seq_t *commands) 2825 { 2826 sctp_ecnehdr_t *ecne; 2827 struct sctp_chunk *chunk = arg; 2828 2829 if (!sctp_vtag_verify(chunk, asoc)) 2830 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2831 2832 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2833 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2834 commands); 2835 2836 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2837 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2838 2839 /* If this is a newer ECNE than the last CWR packet we sent out */ 2840 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2841 SCTP_U32(ntohl(ecne->lowest_tsn))); 2842 2843 return SCTP_DISPOSITION_CONSUME; 2844 } 2845 2846 /* 2847 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2848 * 2849 * The SCTP endpoint MUST always acknowledge the reception of each valid 2850 * DATA chunk. 2851 * 2852 * The guidelines on delayed acknowledgement algorithm specified in 2853 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2854 * acknowledgement SHOULD be generated for at least every second packet 2855 * (not every second DATA chunk) received, and SHOULD be generated within 2856 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2857 * situations it may be beneficial for an SCTP transmitter to be more 2858 * conservative than the algorithms detailed in this document allow. 2859 * However, an SCTP transmitter MUST NOT be more aggressive than the 2860 * following algorithms allow. 2861 * 2862 * A SCTP receiver MUST NOT generate more than one SACK for every 2863 * incoming packet, other than to update the offered window as the 2864 * receiving application consumes new data. 2865 * 2866 * Verification Tag: 8.5 Verification Tag [Normal verification] 2867 * 2868 * Inputs 2869 * (endpoint, asoc, chunk) 2870 * 2871 * Outputs 2872 * (asoc, reply_msg, msg_up, timers, counters) 2873 * 2874 * The return value is the disposition of the chunk. 2875 */ 2876 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2877 const struct sctp_association *asoc, 2878 const sctp_subtype_t type, 2879 void *arg, 2880 sctp_cmd_seq_t *commands) 2881 { 2882 struct sctp_chunk *chunk = arg; 2883 sctp_arg_t force = SCTP_NOFORCE(); 2884 int error; 2885 2886 if (!sctp_vtag_verify(chunk, asoc)) { 2887 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2888 SCTP_NULL()); 2889 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2890 } 2891 2892 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2893 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2894 commands); 2895 2896 error = sctp_eat_data(asoc, chunk, commands ); 2897 switch (error) { 2898 case SCTP_IERROR_NO_ERROR: 2899 break; 2900 case SCTP_IERROR_HIGH_TSN: 2901 case SCTP_IERROR_BAD_STREAM: 2902 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2903 goto discard_noforce; 2904 case SCTP_IERROR_DUP_TSN: 2905 case SCTP_IERROR_IGNORE_TSN: 2906 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2907 goto discard_force; 2908 case SCTP_IERROR_NO_DATA: 2909 goto consume; 2910 case SCTP_IERROR_PROTO_VIOLATION: 2911 return sctp_sf_abort_violation(ep, asoc, chunk, commands, 2912 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 2913 default: 2914 BUG(); 2915 } 2916 2917 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 2918 force = SCTP_FORCE(); 2919 2920 if (asoc->autoclose) { 2921 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2922 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2923 } 2924 2925 /* If this is the last chunk in a packet, we need to count it 2926 * toward sack generation. Note that we need to SACK every 2927 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2928 * THEM. We elect to NOT generate SACK's if the chunk fails 2929 * the verification tag test. 2930 * 2931 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2932 * 2933 * The SCTP endpoint MUST always acknowledge the reception of 2934 * each valid DATA chunk. 2935 * 2936 * The guidelines on delayed acknowledgement algorithm 2937 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2938 * Specifically, an acknowledgement SHOULD be generated for at 2939 * least every second packet (not every second DATA chunk) 2940 * received, and SHOULD be generated within 200 ms of the 2941 * arrival of any unacknowledged DATA chunk. In some 2942 * situations it may be beneficial for an SCTP transmitter to 2943 * be more conservative than the algorithms detailed in this 2944 * document allow. However, an SCTP transmitter MUST NOT be 2945 * more aggressive than the following algorithms allow. 2946 */ 2947 if (chunk->end_of_packet) 2948 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 2949 2950 return SCTP_DISPOSITION_CONSUME; 2951 2952 discard_force: 2953 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2954 * 2955 * When a packet arrives with duplicate DATA chunk(s) and with 2956 * no new DATA chunk(s), the endpoint MUST immediately send a 2957 * SACK with no delay. If a packet arrives with duplicate 2958 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2959 * MAY immediately send a SACK. Normally receipt of duplicate 2960 * DATA chunks will occur when the original SACK chunk was lost 2961 * and the peer's RTO has expired. The duplicate TSN number(s) 2962 * SHOULD be reported in the SACK as duplicate. 2963 */ 2964 /* In our case, we split the MAY SACK advice up whether or not 2965 * the last chunk is a duplicate.' 2966 */ 2967 if (chunk->end_of_packet) 2968 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2969 return SCTP_DISPOSITION_DISCARD; 2970 2971 discard_noforce: 2972 if (chunk->end_of_packet) 2973 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 2974 2975 return SCTP_DISPOSITION_DISCARD; 2976 consume: 2977 return SCTP_DISPOSITION_CONSUME; 2978 2979 } 2980 2981 /* 2982 * sctp_sf_eat_data_fast_4_4 2983 * 2984 * Section: 4 (4) 2985 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2986 * DATA chunks without delay. 2987 * 2988 * Verification Tag: 8.5 Verification Tag [Normal verification] 2989 * Inputs 2990 * (endpoint, asoc, chunk) 2991 * 2992 * Outputs 2993 * (asoc, reply_msg, msg_up, timers, counters) 2994 * 2995 * The return value is the disposition of the chunk. 2996 */ 2997 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2998 const struct sctp_association *asoc, 2999 const sctp_subtype_t type, 3000 void *arg, 3001 sctp_cmd_seq_t *commands) 3002 { 3003 struct sctp_chunk *chunk = arg; 3004 int error; 3005 3006 if (!sctp_vtag_verify(chunk, asoc)) { 3007 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3008 SCTP_NULL()); 3009 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3010 } 3011 3012 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 3013 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3014 commands); 3015 3016 error = sctp_eat_data(asoc, chunk, commands ); 3017 switch (error) { 3018 case SCTP_IERROR_NO_ERROR: 3019 case SCTP_IERROR_HIGH_TSN: 3020 case SCTP_IERROR_DUP_TSN: 3021 case SCTP_IERROR_IGNORE_TSN: 3022 case SCTP_IERROR_BAD_STREAM: 3023 break; 3024 case SCTP_IERROR_NO_DATA: 3025 goto consume; 3026 case SCTP_IERROR_PROTO_VIOLATION: 3027 return sctp_sf_abort_violation(ep, asoc, chunk, commands, 3028 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 3029 default: 3030 BUG(); 3031 } 3032 3033 /* Go a head and force a SACK, since we are shutting down. */ 3034 3035 /* Implementor's Guide. 3036 * 3037 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3038 * respond to each received packet containing one or more DATA chunk(s) 3039 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3040 */ 3041 if (chunk->end_of_packet) { 3042 /* We must delay the chunk creation since the cumulative 3043 * TSN has not been updated yet. 3044 */ 3045 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3046 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3047 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3048 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3049 } 3050 3051 consume: 3052 return SCTP_DISPOSITION_CONSUME; 3053 } 3054 3055 /* 3056 * Section: 6.2 Processing a Received SACK 3057 * D) Any time a SACK arrives, the endpoint performs the following: 3058 * 3059 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3060 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3061 * increasing, a SACK whose Cumulative TSN Ack is less than the 3062 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3063 * 3064 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3065 * of bytes still outstanding after processing the Cumulative TSN Ack 3066 * and the Gap Ack Blocks. 3067 * 3068 * iii) If the SACK is missing a TSN that was previously 3069 * acknowledged via a Gap Ack Block (e.g., the data receiver 3070 * reneged on the data), then mark the corresponding DATA chunk 3071 * as available for retransmit: Mark it as missing for fast 3072 * retransmit as described in Section 7.2.4 and if no retransmit 3073 * timer is running for the destination address to which the DATA 3074 * chunk was originally transmitted, then T3-rtx is started for 3075 * that destination address. 3076 * 3077 * Verification Tag: 8.5 Verification Tag [Normal verification] 3078 * 3079 * Inputs 3080 * (endpoint, asoc, chunk) 3081 * 3082 * Outputs 3083 * (asoc, reply_msg, msg_up, timers, counters) 3084 * 3085 * The return value is the disposition of the chunk. 3086 */ 3087 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 3088 const struct sctp_association *asoc, 3089 const sctp_subtype_t type, 3090 void *arg, 3091 sctp_cmd_seq_t *commands) 3092 { 3093 struct sctp_chunk *chunk = arg; 3094 sctp_sackhdr_t *sackh; 3095 __u32 ctsn; 3096 3097 if (!sctp_vtag_verify(chunk, asoc)) 3098 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3099 3100 /* Make sure that the SACK chunk has a valid length. */ 3101 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 3102 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3103 commands); 3104 3105 /* Pull the SACK chunk from the data buffer */ 3106 sackh = sctp_sm_pull_sack(chunk); 3107 /* Was this a bogus SACK? */ 3108 if (!sackh) 3109 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3110 chunk->subh.sack_hdr = sackh; 3111 ctsn = ntohl(sackh->cum_tsn_ack); 3112 3113 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3114 * Ack Point, then drop the SACK. Since Cumulative TSN 3115 * Ack is monotonically increasing, a SACK whose 3116 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3117 * Point indicates an out-of-order SACK. 3118 */ 3119 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3120 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 3121 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 3122 return SCTP_DISPOSITION_DISCARD; 3123 } 3124 3125 /* If Cumulative TSN Ack beyond the max tsn currently 3126 * send, terminating the association and respond to the 3127 * sender with an ABORT. 3128 */ 3129 if (!TSN_lt(ctsn, asoc->next_tsn)) 3130 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 3131 3132 /* Return this SACK for further processing. */ 3133 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 3134 3135 /* Note: We do the rest of the work on the PROCESS_SACK 3136 * sideeffect. 3137 */ 3138 return SCTP_DISPOSITION_CONSUME; 3139 } 3140 3141 /* 3142 * Generate an ABORT in response to a packet. 3143 * 3144 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3145 * 3146 * 8) The receiver should respond to the sender of the OOTB packet with 3147 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3148 * MUST fill in the Verification Tag field of the outbound packet 3149 * with the value found in the Verification Tag field of the OOTB 3150 * packet and set the T-bit in the Chunk Flags to indicate that the 3151 * Verification Tag is reflected. After sending this ABORT, the 3152 * receiver of the OOTB packet shall discard the OOTB packet and take 3153 * no further action. 3154 * 3155 * Verification Tag: 3156 * 3157 * The return value is the disposition of the chunk. 3158 */ 3159 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 3160 const struct sctp_association *asoc, 3161 const sctp_subtype_t type, 3162 void *arg, 3163 sctp_cmd_seq_t *commands) 3164 { 3165 struct sctp_packet *packet = NULL; 3166 struct sctp_chunk *chunk = arg; 3167 struct sctp_chunk *abort; 3168 3169 packet = sctp_ootb_pkt_new(asoc, chunk); 3170 3171 if (packet) { 3172 /* Make an ABORT. The T bit will be set if the asoc 3173 * is NULL. 3174 */ 3175 abort = sctp_make_abort(asoc, chunk, 0); 3176 if (!abort) { 3177 sctp_ootb_pkt_free(packet); 3178 return SCTP_DISPOSITION_NOMEM; 3179 } 3180 3181 /* Reflect vtag if T-Bit is set */ 3182 if (sctp_test_T_bit(abort)) 3183 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3184 3185 /* Set the skb to the belonging sock for accounting. */ 3186 abort->skb->sk = ep->base.sk; 3187 3188 sctp_packet_append_chunk(packet, abort); 3189 3190 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3191 SCTP_PACKET(packet)); 3192 3193 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3194 3195 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3196 return SCTP_DISPOSITION_CONSUME; 3197 } 3198 3199 return SCTP_DISPOSITION_NOMEM; 3200 } 3201 3202 /* 3203 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3204 * event as ULP notification for each cause included in the chunk. 3205 * 3206 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3207 * 3208 * The return value is the disposition of the chunk. 3209 */ 3210 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 3211 const struct sctp_association *asoc, 3212 const sctp_subtype_t type, 3213 void *arg, 3214 sctp_cmd_seq_t *commands) 3215 { 3216 struct sctp_chunk *chunk = arg; 3217 sctp_errhdr_t *err; 3218 3219 if (!sctp_vtag_verify(chunk, asoc)) 3220 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3221 3222 /* Make sure that the ERROR chunk has a valid length. */ 3223 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3224 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3225 commands); 3226 sctp_walk_errors(err, chunk->chunk_hdr); 3227 if ((void *)err != (void *)chunk->chunk_end) 3228 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3229 (void *)err, commands); 3230 3231 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3232 SCTP_CHUNK(chunk)); 3233 3234 return SCTP_DISPOSITION_CONSUME; 3235 } 3236 3237 /* 3238 * Process an inbound SHUTDOWN ACK. 3239 * 3240 * From Section 9.2: 3241 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3242 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3243 * peer, and remove all record of the association. 3244 * 3245 * The return value is the disposition. 3246 */ 3247 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3248 const struct sctp_association *asoc, 3249 const sctp_subtype_t type, 3250 void *arg, 3251 sctp_cmd_seq_t *commands) 3252 { 3253 struct sctp_chunk *chunk = arg; 3254 struct sctp_chunk *reply; 3255 struct sctp_ulpevent *ev; 3256 3257 if (!sctp_vtag_verify(chunk, asoc)) 3258 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3259 3260 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3261 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3262 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3263 commands); 3264 /* 10.2 H) SHUTDOWN COMPLETE notification 3265 * 3266 * When SCTP completes the shutdown procedures (section 9.2) this 3267 * notification is passed to the upper layer. 3268 */ 3269 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3270 0, 0, 0, NULL, GFP_ATOMIC); 3271 if (!ev) 3272 goto nomem; 3273 3274 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3275 reply = sctp_make_shutdown_complete(asoc, chunk); 3276 if (!reply) 3277 goto nomem_chunk; 3278 3279 /* Do all the commands now (after allocation), so that we 3280 * have consistent state if memory allocation failes 3281 */ 3282 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3283 3284 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3285 * stop the T2-shutdown timer, 3286 */ 3287 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3288 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3289 3290 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3291 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3292 3293 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3294 SCTP_STATE(SCTP_STATE_CLOSED)); 3295 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3296 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3297 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3298 3299 /* ...and remove all record of the association. */ 3300 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3301 return SCTP_DISPOSITION_DELETE_TCB; 3302 3303 nomem_chunk: 3304 sctp_ulpevent_free(ev); 3305 nomem: 3306 return SCTP_DISPOSITION_NOMEM; 3307 } 3308 3309 /* 3310 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3311 * 3312 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3313 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3314 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3315 * packet must fill in the Verification Tag field of the outbound 3316 * packet with the Verification Tag received in the SHUTDOWN ACK and 3317 * set the T-bit in the Chunk Flags to indicate that the Verification 3318 * Tag is reflected. 3319 * 3320 * 8) The receiver should respond to the sender of the OOTB packet with 3321 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3322 * MUST fill in the Verification Tag field of the outbound packet 3323 * with the value found in the Verification Tag field of the OOTB 3324 * packet and set the T-bit in the Chunk Flags to indicate that the 3325 * Verification Tag is reflected. After sending this ABORT, the 3326 * receiver of the OOTB packet shall discard the OOTB packet and take 3327 * no further action. 3328 */ 3329 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3330 const struct sctp_association *asoc, 3331 const sctp_subtype_t type, 3332 void *arg, 3333 sctp_cmd_seq_t *commands) 3334 { 3335 struct sctp_chunk *chunk = arg; 3336 struct sk_buff *skb = chunk->skb; 3337 sctp_chunkhdr_t *ch; 3338 sctp_errhdr_t *err; 3339 __u8 *ch_end; 3340 int ootb_shut_ack = 0; 3341 int ootb_cookie_ack = 0; 3342 3343 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3344 3345 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3346 do { 3347 /* Report violation if the chunk is less then minimal */ 3348 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3349 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3350 commands); 3351 3352 /* Now that we know we at least have a chunk header, 3353 * do things that are type appropriate. 3354 */ 3355 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3356 ootb_shut_ack = 1; 3357 3358 /* RFC 2960, Section 3.3.7 3359 * Moreover, under any circumstances, an endpoint that 3360 * receives an ABORT MUST NOT respond to that ABORT by 3361 * sending an ABORT of its own. 3362 */ 3363 if (SCTP_CID_ABORT == ch->type) 3364 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3365 3366 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3367 * or a COOKIE ACK the SCTP Packet should be silently 3368 * discarded. 3369 */ 3370 3371 if (SCTP_CID_COOKIE_ACK == ch->type) 3372 ootb_cookie_ack = 1; 3373 3374 if (SCTP_CID_ERROR == ch->type) { 3375 sctp_walk_errors(err, ch) { 3376 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3377 ootb_cookie_ack = 1; 3378 break; 3379 } 3380 } 3381 } 3382 3383 /* Report violation if chunk len overflows */ 3384 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3385 if (ch_end > skb_tail_pointer(skb)) 3386 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3387 commands); 3388 3389 ch = (sctp_chunkhdr_t *) ch_end; 3390 } while (ch_end < skb_tail_pointer(skb)); 3391 3392 if (ootb_shut_ack) 3393 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3394 else if (ootb_cookie_ack) 3395 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3396 else 3397 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3398 } 3399 3400 /* 3401 * Handle an "Out of the blue" SHUTDOWN ACK. 3402 * 3403 * Section: 8.4 5, sctpimpguide 2.41. 3404 * 3405 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3406 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3407 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3408 * packet must fill in the Verification Tag field of the outbound 3409 * packet with the Verification Tag received in the SHUTDOWN ACK and 3410 * set the T-bit in the Chunk Flags to indicate that the Verification 3411 * Tag is reflected. 3412 * 3413 * Inputs 3414 * (endpoint, asoc, type, arg, commands) 3415 * 3416 * Outputs 3417 * (sctp_disposition_t) 3418 * 3419 * The return value is the disposition of the chunk. 3420 */ 3421 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3422 const struct sctp_association *asoc, 3423 const sctp_subtype_t type, 3424 void *arg, 3425 sctp_cmd_seq_t *commands) 3426 { 3427 struct sctp_packet *packet = NULL; 3428 struct sctp_chunk *chunk = arg; 3429 struct sctp_chunk *shut; 3430 3431 packet = sctp_ootb_pkt_new(asoc, chunk); 3432 3433 if (packet) { 3434 /* Make an SHUTDOWN_COMPLETE. 3435 * The T bit will be set if the asoc is NULL. 3436 */ 3437 shut = sctp_make_shutdown_complete(asoc, chunk); 3438 if (!shut) { 3439 sctp_ootb_pkt_free(packet); 3440 return SCTP_DISPOSITION_NOMEM; 3441 } 3442 3443 /* Reflect vtag if T-Bit is set */ 3444 if (sctp_test_T_bit(shut)) 3445 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3446 3447 /* Set the skb to the belonging sock for accounting. */ 3448 shut->skb->sk = ep->base.sk; 3449 3450 sctp_packet_append_chunk(packet, shut); 3451 3452 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3453 SCTP_PACKET(packet)); 3454 3455 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3456 3457 /* If the chunk length is invalid, we don't want to process 3458 * the reset of the packet. 3459 */ 3460 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3461 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3462 3463 /* We need to discard the rest of the packet to prevent 3464 * potential bomming attacks from additional bundled chunks. 3465 * This is documented in SCTP Threats ID. 3466 */ 3467 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3468 } 3469 3470 return SCTP_DISPOSITION_NOMEM; 3471 } 3472 3473 /* 3474 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3475 * 3476 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3477 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3478 * procedures in section 8.4 SHOULD be followed, in other words it 3479 * should be treated as an Out Of The Blue packet. 3480 * [This means that we do NOT check the Verification Tag on these 3481 * chunks. --piggy ] 3482 * 3483 */ 3484 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3485 const struct sctp_association *asoc, 3486 const sctp_subtype_t type, 3487 void *arg, 3488 sctp_cmd_seq_t *commands) 3489 { 3490 struct sctp_chunk *chunk = arg; 3491 3492 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3493 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3494 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3495 commands); 3496 3497 /* Although we do have an association in this case, it corresponds 3498 * to a restarted association. So the packet is treated as an OOTB 3499 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3500 * called with a NULL association. 3501 */ 3502 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3503 3504 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3505 } 3506 3507 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3508 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3509 const struct sctp_association *asoc, 3510 const sctp_subtype_t type, void *arg, 3511 sctp_cmd_seq_t *commands) 3512 { 3513 struct sctp_chunk *chunk = arg; 3514 struct sctp_chunk *asconf_ack = NULL; 3515 struct sctp_paramhdr *err_param = NULL; 3516 sctp_addiphdr_t *hdr; 3517 union sctp_addr_param *addr_param; 3518 __u32 serial; 3519 int length; 3520 3521 if (!sctp_vtag_verify(chunk, asoc)) { 3522 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3523 SCTP_NULL()); 3524 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3525 } 3526 3527 /* ADD-IP: Section 4.1.1 3528 * This chunk MUST be sent in an authenticated way by using 3529 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3530 * is received unauthenticated it MUST be silently discarded as 3531 * described in [I-D.ietf-tsvwg-sctp-auth]. 3532 */ 3533 if (!sctp_addip_noauth && !chunk->auth) 3534 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3535 3536 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3537 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3538 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3539 commands); 3540 3541 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3542 serial = ntohl(hdr->serial); 3543 3544 addr_param = (union sctp_addr_param *)hdr->params; 3545 length = ntohs(addr_param->p.length); 3546 if (length < sizeof(sctp_paramhdr_t)) 3547 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3548 (void *)addr_param, commands); 3549 3550 /* Verify the ASCONF chunk before processing it. */ 3551 if (!sctp_verify_asconf(asoc, 3552 (sctp_paramhdr_t *)((void *)addr_param + length), 3553 (void *)chunk->chunk_end, 3554 &err_param)) 3555 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3556 (void *)err_param, commands); 3557 3558 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3559 * the endpoint stored in a new association variable 3560 * 'Peer-Serial-Number'. 3561 */ 3562 if (serial == asoc->peer.addip_serial + 1) { 3563 /* If this is the first instance of ASCONF in the packet, 3564 * we can clean our old ASCONF-ACKs. 3565 */ 3566 if (!chunk->has_asconf) 3567 sctp_assoc_clean_asconf_ack_cache(asoc); 3568 3569 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3570 * expected, process the ASCONF as described below and after 3571 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3572 * the response packet and cache a copy of it (in the event it 3573 * later needs to be retransmitted). 3574 * 3575 * Essentially, do V1-V5. 3576 */ 3577 asconf_ack = sctp_process_asconf((struct sctp_association *) 3578 asoc, chunk); 3579 if (!asconf_ack) 3580 return SCTP_DISPOSITION_NOMEM; 3581 } else if (serial < asoc->peer.addip_serial + 1) { 3582 /* ADDIP 5.2 E2) 3583 * If the value found in the Sequence Number is less than the 3584 * ('Peer- Sequence-Number' + 1), simply skip to the next 3585 * ASCONF, and include in the outbound response packet 3586 * any previously cached ASCONF-ACK response that was 3587 * sent and saved that matches the Sequence Number of the 3588 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3589 * Chunk exists. This will occur when an older ASCONF 3590 * arrives out of order. In such a case, the receiver 3591 * should skip the ASCONF Chunk and not include ASCONF-ACK 3592 * Chunk for that chunk. 3593 */ 3594 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3595 if (!asconf_ack) 3596 return SCTP_DISPOSITION_DISCARD; 3597 3598 /* Reset the transport so that we select the correct one 3599 * this time around. This is to make sure that we don't 3600 * accidentally use a stale transport that's been removed. 3601 */ 3602 asconf_ack->transport = NULL; 3603 } else { 3604 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3605 * it must be either a stale packet or from an attacker. 3606 */ 3607 return SCTP_DISPOSITION_DISCARD; 3608 } 3609 3610 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3611 * containing the ASCONF-ACK Chunks MUST be the source address of 3612 * the SCTP packet that held the ASCONF Chunks. 3613 * 3614 * To do this properly, we'll set the destination address of the chunk 3615 * and at the transmit time, will try look up the transport to use. 3616 * Since ASCONFs may be bundled, the correct transport may not be 3617 * created until we process the entire packet, thus this workaround. 3618 */ 3619 asconf_ack->dest = chunk->source; 3620 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3621 if (asoc->new_transport) { 3622 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, 3623 commands); 3624 ((struct sctp_association *)asoc)->new_transport = NULL; 3625 } 3626 3627 return SCTP_DISPOSITION_CONSUME; 3628 } 3629 3630 /* 3631 * ADDIP Section 4.3 General rules for address manipulation 3632 * When building TLV parameters for the ASCONF Chunk that will add or 3633 * delete IP addresses the D0 to D13 rules should be applied: 3634 */ 3635 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3636 const struct sctp_association *asoc, 3637 const sctp_subtype_t type, void *arg, 3638 sctp_cmd_seq_t *commands) 3639 { 3640 struct sctp_chunk *asconf_ack = arg; 3641 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3642 struct sctp_chunk *abort; 3643 struct sctp_paramhdr *err_param = NULL; 3644 sctp_addiphdr_t *addip_hdr; 3645 __u32 sent_serial, rcvd_serial; 3646 3647 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3648 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3649 SCTP_NULL()); 3650 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3651 } 3652 3653 /* ADD-IP, Section 4.1.2: 3654 * This chunk MUST be sent in an authenticated way by using 3655 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3656 * is received unauthenticated it MUST be silently discarded as 3657 * described in [I-D.ietf-tsvwg-sctp-auth]. 3658 */ 3659 if (!sctp_addip_noauth && !asconf_ack->auth) 3660 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3661 3662 /* Make sure that the ADDIP chunk has a valid length. */ 3663 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3664 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3665 commands); 3666 3667 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3668 rcvd_serial = ntohl(addip_hdr->serial); 3669 3670 /* Verify the ASCONF-ACK chunk before processing it. */ 3671 if (!sctp_verify_asconf(asoc, 3672 (sctp_paramhdr_t *)addip_hdr->params, 3673 (void *)asconf_ack->chunk_end, 3674 &err_param)) 3675 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3676 (void *)err_param, commands); 3677 3678 if (last_asconf) { 3679 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3680 sent_serial = ntohl(addip_hdr->serial); 3681 } else { 3682 sent_serial = asoc->addip_serial - 1; 3683 } 3684 3685 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3686 * equal to the next serial number to be used but no ASCONF chunk is 3687 * outstanding the endpoint MUST ABORT the association. Note that a 3688 * sequence number is greater than if it is no more than 2^^31-1 3689 * larger than the current sequence number (using serial arithmetic). 3690 */ 3691 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3692 !(asoc->addip_last_asconf)) { 3693 abort = sctp_make_abort(asoc, asconf_ack, 3694 sizeof(sctp_errhdr_t)); 3695 if (abort) { 3696 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3697 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3698 SCTP_CHUNK(abort)); 3699 } 3700 /* We are going to ABORT, so we might as well stop 3701 * processing the rest of the chunks in the packet. 3702 */ 3703 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3704 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3705 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3706 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3707 SCTP_ERROR(ECONNABORTED)); 3708 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3709 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3710 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3711 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3712 return SCTP_DISPOSITION_ABORT; 3713 } 3714 3715 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3716 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3717 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3718 3719 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3720 asconf_ack)) { 3721 /* Successfully processed ASCONF_ACK. We can 3722 * release the next asconf if we have one. 3723 */ 3724 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3725 SCTP_NULL()); 3726 return SCTP_DISPOSITION_CONSUME; 3727 } 3728 3729 abort = sctp_make_abort(asoc, asconf_ack, 3730 sizeof(sctp_errhdr_t)); 3731 if (abort) { 3732 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3733 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3734 SCTP_CHUNK(abort)); 3735 } 3736 /* We are going to ABORT, so we might as well stop 3737 * processing the rest of the chunks in the packet. 3738 */ 3739 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3740 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3741 SCTP_ERROR(ECONNABORTED)); 3742 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3743 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3744 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3745 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3746 return SCTP_DISPOSITION_ABORT; 3747 } 3748 3749 return SCTP_DISPOSITION_DISCARD; 3750 } 3751 3752 /* 3753 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3754 * 3755 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3756 * its cumulative TSN point to the value carried in the FORWARD TSN 3757 * chunk, and then MUST further advance its cumulative TSN point locally 3758 * if possible. 3759 * After the above processing, the data receiver MUST stop reporting any 3760 * missing TSNs earlier than or equal to the new cumulative TSN point. 3761 * 3762 * Verification Tag: 8.5 Verification Tag [Normal verification] 3763 * 3764 * The return value is the disposition of the chunk. 3765 */ 3766 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3767 const struct sctp_association *asoc, 3768 const sctp_subtype_t type, 3769 void *arg, 3770 sctp_cmd_seq_t *commands) 3771 { 3772 struct sctp_chunk *chunk = arg; 3773 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3774 struct sctp_fwdtsn_skip *skip; 3775 __u16 len; 3776 __u32 tsn; 3777 3778 if (!sctp_vtag_verify(chunk, asoc)) { 3779 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3780 SCTP_NULL()); 3781 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3782 } 3783 3784 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3785 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3786 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3787 commands); 3788 3789 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3790 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3791 len = ntohs(chunk->chunk_hdr->length); 3792 len -= sizeof(struct sctp_chunkhdr); 3793 skb_pull(chunk->skb, len); 3794 3795 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3796 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3797 3798 /* The TSN is too high--silently discard the chunk and count on it 3799 * getting retransmitted later. 3800 */ 3801 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3802 goto discard_noforce; 3803 3804 /* Silently discard the chunk if stream-id is not valid */ 3805 sctp_walk_fwdtsn(skip, chunk) { 3806 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3807 goto discard_noforce; 3808 } 3809 3810 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3811 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3812 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3813 SCTP_CHUNK(chunk)); 3814 3815 /* Count this as receiving DATA. */ 3816 if (asoc->autoclose) { 3817 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3818 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3819 } 3820 3821 /* FIXME: For now send a SACK, but DATA processing may 3822 * send another. 3823 */ 3824 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3825 3826 return SCTP_DISPOSITION_CONSUME; 3827 3828 discard_noforce: 3829 return SCTP_DISPOSITION_DISCARD; 3830 } 3831 3832 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3833 const struct sctp_endpoint *ep, 3834 const struct sctp_association *asoc, 3835 const sctp_subtype_t type, 3836 void *arg, 3837 sctp_cmd_seq_t *commands) 3838 { 3839 struct sctp_chunk *chunk = arg; 3840 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3841 struct sctp_fwdtsn_skip *skip; 3842 __u16 len; 3843 __u32 tsn; 3844 3845 if (!sctp_vtag_verify(chunk, asoc)) { 3846 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3847 SCTP_NULL()); 3848 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3849 } 3850 3851 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3852 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3853 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3854 commands); 3855 3856 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3857 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3858 len = ntohs(chunk->chunk_hdr->length); 3859 len -= sizeof(struct sctp_chunkhdr); 3860 skb_pull(chunk->skb, len); 3861 3862 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3863 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3864 3865 /* The TSN is too high--silently discard the chunk and count on it 3866 * getting retransmitted later. 3867 */ 3868 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3869 goto gen_shutdown; 3870 3871 /* Silently discard the chunk if stream-id is not valid */ 3872 sctp_walk_fwdtsn(skip, chunk) { 3873 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3874 goto gen_shutdown; 3875 } 3876 3877 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3878 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3879 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3880 SCTP_CHUNK(chunk)); 3881 3882 /* Go a head and force a SACK, since we are shutting down. */ 3883 gen_shutdown: 3884 /* Implementor's Guide. 3885 * 3886 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3887 * respond to each received packet containing one or more DATA chunk(s) 3888 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3889 */ 3890 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3891 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3892 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3893 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3894 3895 return SCTP_DISPOSITION_CONSUME; 3896 } 3897 3898 /* 3899 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 3900 * 3901 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3902 * Identifier field. If this algorithm was not specified by the 3903 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3904 * during association setup, the AUTH chunk and all chunks after it MUST 3905 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3906 * defined in Section 4.1. 3907 * 3908 * If an endpoint with no shared key receives a Shared Key Identifier 3909 * other than 0, it MUST silently discard all authenticated chunks. If 3910 * the endpoint has at least one endpoint pair shared key for the peer, 3911 * it MUST use the key specified by the Shared Key Identifier if a 3912 * key has been configured for that Shared Key Identifier. If no 3913 * endpoint pair shared key has been configured for that Shared Key 3914 * Identifier, all authenticated chunks MUST be silently discarded. 3915 * 3916 * Verification Tag: 8.5 Verification Tag [Normal verification] 3917 * 3918 * The return value is the disposition of the chunk. 3919 */ 3920 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 3921 const struct sctp_association *asoc, 3922 const sctp_subtype_t type, 3923 struct sctp_chunk *chunk) 3924 { 3925 struct sctp_authhdr *auth_hdr; 3926 struct sctp_hmac *hmac; 3927 unsigned int sig_len; 3928 __u16 key_id; 3929 __u8 *save_digest; 3930 __u8 *digest; 3931 3932 /* Pull in the auth header, so we can do some more verification */ 3933 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3934 chunk->subh.auth_hdr = auth_hdr; 3935 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 3936 3937 /* Make sure that we suport the HMAC algorithm from the auth 3938 * chunk. 3939 */ 3940 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 3941 return SCTP_IERROR_AUTH_BAD_HMAC; 3942 3943 /* Make sure that the provided shared key identifier has been 3944 * configured 3945 */ 3946 key_id = ntohs(auth_hdr->shkey_id); 3947 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 3948 return SCTP_IERROR_AUTH_BAD_KEYID; 3949 3950 3951 /* Make sure that the length of the signature matches what 3952 * we expect. 3953 */ 3954 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 3955 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 3956 if (sig_len != hmac->hmac_len) 3957 return SCTP_IERROR_PROTO_VIOLATION; 3958 3959 /* Now that we've done validation checks, we can compute and 3960 * verify the hmac. The steps involved are: 3961 * 1. Save the digest from the chunk. 3962 * 2. Zero out the digest in the chunk. 3963 * 3. Compute the new digest 3964 * 4. Compare saved and new digests. 3965 */ 3966 digest = auth_hdr->hmac; 3967 skb_pull(chunk->skb, sig_len); 3968 3969 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 3970 if (!save_digest) 3971 goto nomem; 3972 3973 memset(digest, 0, sig_len); 3974 3975 sctp_auth_calculate_hmac(asoc, chunk->skb, 3976 (struct sctp_auth_chunk *)chunk->chunk_hdr, 3977 GFP_ATOMIC); 3978 3979 /* Discard the packet if the digests do not match */ 3980 if (memcmp(save_digest, digest, sig_len)) { 3981 kfree(save_digest); 3982 return SCTP_IERROR_BAD_SIG; 3983 } 3984 3985 kfree(save_digest); 3986 chunk->auth = 1; 3987 3988 return SCTP_IERROR_NO_ERROR; 3989 nomem: 3990 return SCTP_IERROR_NOMEM; 3991 } 3992 3993 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep, 3994 const struct sctp_association *asoc, 3995 const sctp_subtype_t type, 3996 void *arg, 3997 sctp_cmd_seq_t *commands) 3998 { 3999 struct sctp_authhdr *auth_hdr; 4000 struct sctp_chunk *chunk = arg; 4001 struct sctp_chunk *err_chunk; 4002 sctp_ierror_t error; 4003 4004 /* Make sure that the peer has AUTH capable */ 4005 if (!asoc->peer.auth_capable) 4006 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands); 4007 4008 if (!sctp_vtag_verify(chunk, asoc)) { 4009 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4010 SCTP_NULL()); 4011 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4012 } 4013 4014 /* Make sure that the AUTH chunk has valid length. */ 4015 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4016 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4017 commands); 4018 4019 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4020 error = sctp_sf_authenticate(ep, asoc, type, chunk); 4021 switch (error) { 4022 case SCTP_IERROR_AUTH_BAD_HMAC: 4023 /* Generate the ERROR chunk and discard the rest 4024 * of the packet 4025 */ 4026 err_chunk = sctp_make_op_error(asoc, chunk, 4027 SCTP_ERROR_UNSUP_HMAC, 4028 &auth_hdr->hmac_id, 4029 sizeof(__u16), 0); 4030 if (err_chunk) { 4031 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4032 SCTP_CHUNK(err_chunk)); 4033 } 4034 /* Fall Through */ 4035 case SCTP_IERROR_AUTH_BAD_KEYID: 4036 case SCTP_IERROR_BAD_SIG: 4037 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4038 4039 case SCTP_IERROR_PROTO_VIOLATION: 4040 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4041 commands); 4042 4043 case SCTP_IERROR_NOMEM: 4044 return SCTP_DISPOSITION_NOMEM; 4045 4046 default: /* Prevent gcc warnings */ 4047 break; 4048 } 4049 4050 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4051 struct sctp_ulpevent *ev; 4052 4053 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4054 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 4055 4056 if (!ev) 4057 return -ENOMEM; 4058 4059 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4060 SCTP_ULPEVENT(ev)); 4061 } 4062 4063 return SCTP_DISPOSITION_CONSUME; 4064 } 4065 4066 /* 4067 * Process an unknown chunk. 4068 * 4069 * Section: 3.2. Also, 2.1 in the implementor's guide. 4070 * 4071 * Chunk Types are encoded such that the highest-order two bits specify 4072 * the action that must be taken if the processing endpoint does not 4073 * recognize the Chunk Type. 4074 * 4075 * 00 - Stop processing this SCTP packet and discard it, do not process 4076 * any further chunks within it. 4077 * 4078 * 01 - Stop processing this SCTP packet and discard it, do not process 4079 * any further chunks within it, and report the unrecognized 4080 * chunk in an 'Unrecognized Chunk Type'. 4081 * 4082 * 10 - Skip this chunk and continue processing. 4083 * 4084 * 11 - Skip this chunk and continue processing, but report in an ERROR 4085 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4086 * 4087 * The return value is the disposition of the chunk. 4088 */ 4089 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 4090 const struct sctp_association *asoc, 4091 const sctp_subtype_t type, 4092 void *arg, 4093 sctp_cmd_seq_t *commands) 4094 { 4095 struct sctp_chunk *unk_chunk = arg; 4096 struct sctp_chunk *err_chunk; 4097 sctp_chunkhdr_t *hdr; 4098 4099 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 4100 4101 if (!sctp_vtag_verify(unk_chunk, asoc)) 4102 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4103 4104 /* Make sure that the chunk has a valid length. 4105 * Since we don't know the chunk type, we use a general 4106 * chunkhdr structure to make a comparison. 4107 */ 4108 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 4109 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4110 commands); 4111 4112 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4113 case SCTP_CID_ACTION_DISCARD: 4114 /* Discard the packet. */ 4115 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4116 break; 4117 case SCTP_CID_ACTION_DISCARD_ERR: 4118 /* Generate an ERROR chunk as response. */ 4119 hdr = unk_chunk->chunk_hdr; 4120 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4121 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4122 WORD_ROUND(ntohs(hdr->length)), 4123 0); 4124 if (err_chunk) { 4125 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4126 SCTP_CHUNK(err_chunk)); 4127 } 4128 4129 /* Discard the packet. */ 4130 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4131 return SCTP_DISPOSITION_CONSUME; 4132 break; 4133 case SCTP_CID_ACTION_SKIP: 4134 /* Skip the chunk. */ 4135 return SCTP_DISPOSITION_DISCARD; 4136 break; 4137 case SCTP_CID_ACTION_SKIP_ERR: 4138 /* Generate an ERROR chunk as response. */ 4139 hdr = unk_chunk->chunk_hdr; 4140 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4141 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4142 WORD_ROUND(ntohs(hdr->length)), 4143 0); 4144 if (err_chunk) { 4145 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4146 SCTP_CHUNK(err_chunk)); 4147 } 4148 /* Skip the chunk. */ 4149 return SCTP_DISPOSITION_CONSUME; 4150 break; 4151 default: 4152 break; 4153 } 4154 4155 return SCTP_DISPOSITION_DISCARD; 4156 } 4157 4158 /* 4159 * Discard the chunk. 4160 * 4161 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4162 * [Too numerous to mention...] 4163 * Verification Tag: No verification needed. 4164 * Inputs 4165 * (endpoint, asoc, chunk) 4166 * 4167 * Outputs 4168 * (asoc, reply_msg, msg_up, timers, counters) 4169 * 4170 * The return value is the disposition of the chunk. 4171 */ 4172 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 4173 const struct sctp_association *asoc, 4174 const sctp_subtype_t type, 4175 void *arg, 4176 sctp_cmd_seq_t *commands) 4177 { 4178 struct sctp_chunk *chunk = arg; 4179 4180 /* Make sure that the chunk has a valid length. 4181 * Since we don't know the chunk type, we use a general 4182 * chunkhdr structure to make a comparison. 4183 */ 4184 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4185 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4186 commands); 4187 4188 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 4189 return SCTP_DISPOSITION_DISCARD; 4190 } 4191 4192 /* 4193 * Discard the whole packet. 4194 * 4195 * Section: 8.4 2) 4196 * 4197 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4198 * silently discard the OOTB packet and take no further action. 4199 * 4200 * Verification Tag: No verification necessary 4201 * 4202 * Inputs 4203 * (endpoint, asoc, chunk) 4204 * 4205 * Outputs 4206 * (asoc, reply_msg, msg_up, timers, counters) 4207 * 4208 * The return value is the disposition of the chunk. 4209 */ 4210 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 4211 const struct sctp_association *asoc, 4212 const sctp_subtype_t type, 4213 void *arg, 4214 sctp_cmd_seq_t *commands) 4215 { 4216 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 4217 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4218 4219 return SCTP_DISPOSITION_CONSUME; 4220 } 4221 4222 4223 /* 4224 * The other end is violating protocol. 4225 * 4226 * Section: Not specified 4227 * Verification Tag: Not specified 4228 * Inputs 4229 * (endpoint, asoc, chunk) 4230 * 4231 * Outputs 4232 * (asoc, reply_msg, msg_up, timers, counters) 4233 * 4234 * We simply tag the chunk as a violation. The state machine will log 4235 * the violation and continue. 4236 */ 4237 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 4238 const struct sctp_association *asoc, 4239 const sctp_subtype_t type, 4240 void *arg, 4241 sctp_cmd_seq_t *commands) 4242 { 4243 struct sctp_chunk *chunk = arg; 4244 4245 /* Make sure that the chunk has a valid length. */ 4246 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4247 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4248 commands); 4249 4250 return SCTP_DISPOSITION_VIOLATION; 4251 } 4252 4253 /* 4254 * Common function to handle a protocol violation. 4255 */ 4256 static sctp_disposition_t sctp_sf_abort_violation( 4257 const struct sctp_endpoint *ep, 4258 const struct sctp_association *asoc, 4259 void *arg, 4260 sctp_cmd_seq_t *commands, 4261 const __u8 *payload, 4262 const size_t paylen) 4263 { 4264 struct sctp_packet *packet = NULL; 4265 struct sctp_chunk *chunk = arg; 4266 struct sctp_chunk *abort = NULL; 4267 4268 /* SCTP-AUTH, Section 6.3: 4269 * It should be noted that if the receiver wants to tear 4270 * down an association in an authenticated way only, the 4271 * handling of malformed packets should not result in 4272 * tearing down the association. 4273 * 4274 * This means that if we only want to abort associations 4275 * in an authenticated way (i.e AUTH+ABORT), then we 4276 * can't destroy this association just because the packet 4277 * was malformed. 4278 */ 4279 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4280 goto discard; 4281 4282 /* Make the abort chunk. */ 4283 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4284 if (!abort) 4285 goto nomem; 4286 4287 if (asoc) { 4288 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4289 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4290 !asoc->peer.i.init_tag) { 4291 sctp_initack_chunk_t *initack; 4292 4293 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 4294 if (!sctp_chunk_length_valid(chunk, 4295 sizeof(sctp_initack_chunk_t))) 4296 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4297 else { 4298 unsigned int inittag; 4299 4300 inittag = ntohl(initack->init_hdr.init_tag); 4301 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4302 SCTP_U32(inittag)); 4303 } 4304 } 4305 4306 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4307 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4308 4309 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4310 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4311 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4312 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4313 SCTP_ERROR(ECONNREFUSED)); 4314 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4315 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4316 } else { 4317 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4318 SCTP_ERROR(ECONNABORTED)); 4319 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4320 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4321 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4322 } 4323 } else { 4324 packet = sctp_ootb_pkt_new(asoc, chunk); 4325 4326 if (!packet) 4327 goto nomem_pkt; 4328 4329 if (sctp_test_T_bit(abort)) 4330 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4331 4332 abort->skb->sk = ep->base.sk; 4333 4334 sctp_packet_append_chunk(packet, abort); 4335 4336 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4337 SCTP_PACKET(packet)); 4338 4339 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4340 } 4341 4342 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4343 4344 discard: 4345 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4346 return SCTP_DISPOSITION_ABORT; 4347 4348 nomem_pkt: 4349 sctp_chunk_free(abort); 4350 nomem: 4351 return SCTP_DISPOSITION_NOMEM; 4352 } 4353 4354 /* 4355 * Handle a protocol violation when the chunk length is invalid. 4356 * "Invalid" length is identified as smaller than the minimal length a 4357 * given chunk can be. For example, a SACK chunk has invalid length 4358 * if its length is set to be smaller than the size of sctp_sack_chunk_t. 4359 * 4360 * We inform the other end by sending an ABORT with a Protocol Violation 4361 * error code. 4362 * 4363 * Section: Not specified 4364 * Verification Tag: Nothing to do 4365 * Inputs 4366 * (endpoint, asoc, chunk) 4367 * 4368 * Outputs 4369 * (reply_msg, msg_up, counters) 4370 * 4371 * Generate an ABORT chunk and terminate the association. 4372 */ 4373 static sctp_disposition_t sctp_sf_violation_chunklen( 4374 const struct sctp_endpoint *ep, 4375 const struct sctp_association *asoc, 4376 const sctp_subtype_t type, 4377 void *arg, 4378 sctp_cmd_seq_t *commands) 4379 { 4380 static const char err_str[]="The following chunk had invalid length:"; 4381 4382 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4383 sizeof(err_str)); 4384 } 4385 4386 /* 4387 * Handle a protocol violation when the parameter length is invalid. 4388 * If the length is smaller than the minimum length of a given parameter, 4389 * or accumulated length in multi parameters exceeds the end of the chunk, 4390 * the length is considered as invalid. 4391 */ 4392 static sctp_disposition_t sctp_sf_violation_paramlen( 4393 const struct sctp_endpoint *ep, 4394 const struct sctp_association *asoc, 4395 const sctp_subtype_t type, 4396 void *arg, void *ext, 4397 sctp_cmd_seq_t *commands) 4398 { 4399 struct sctp_chunk *chunk = arg; 4400 struct sctp_paramhdr *param = ext; 4401 struct sctp_chunk *abort = NULL; 4402 4403 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4404 goto discard; 4405 4406 /* Make the abort chunk. */ 4407 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4408 if (!abort) 4409 goto nomem; 4410 4411 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4412 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4413 4414 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4415 SCTP_ERROR(ECONNABORTED)); 4416 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4417 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4418 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4419 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4420 4421 discard: 4422 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4423 return SCTP_DISPOSITION_ABORT; 4424 nomem: 4425 return SCTP_DISPOSITION_NOMEM; 4426 } 4427 4428 /* Handle a protocol violation when the peer trying to advance the 4429 * cumulative tsn ack to a point beyond the max tsn currently sent. 4430 * 4431 * We inform the other end by sending an ABORT with a Protocol Violation 4432 * error code. 4433 */ 4434 static sctp_disposition_t sctp_sf_violation_ctsn( 4435 const struct sctp_endpoint *ep, 4436 const struct sctp_association *asoc, 4437 const sctp_subtype_t type, 4438 void *arg, 4439 sctp_cmd_seq_t *commands) 4440 { 4441 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:"; 4442 4443 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4444 sizeof(err_str)); 4445 } 4446 4447 /* Handle protocol violation of an invalid chunk bundling. For example, 4448 * when we have an association and we receive bundled INIT-ACK, or 4449 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4450 * statement from the specs. Additionally, there might be an attacker 4451 * on the path and we may not want to continue this communication. 4452 */ 4453 static sctp_disposition_t sctp_sf_violation_chunk( 4454 const struct sctp_endpoint *ep, 4455 const struct sctp_association *asoc, 4456 const sctp_subtype_t type, 4457 void *arg, 4458 sctp_cmd_seq_t *commands) 4459 { 4460 static const char err_str[]="The following chunk violates protocol:"; 4461 4462 if (!asoc) 4463 return sctp_sf_violation(ep, asoc, type, arg, commands); 4464 4465 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4466 sizeof(err_str)); 4467 } 4468 /*************************************************************************** 4469 * These are the state functions for handling primitive (Section 10) events. 4470 ***************************************************************************/ 4471 /* 4472 * sctp_sf_do_prm_asoc 4473 * 4474 * Section: 10.1 ULP-to-SCTP 4475 * B) Associate 4476 * 4477 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4478 * outbound stream count) 4479 * -> association id [,destination transport addr list] [,outbound stream 4480 * count] 4481 * 4482 * This primitive allows the upper layer to initiate an association to a 4483 * specific peer endpoint. 4484 * 4485 * The peer endpoint shall be specified by one of the transport addresses 4486 * which defines the endpoint (see Section 1.4). If the local SCTP 4487 * instance has not been initialized, the ASSOCIATE is considered an 4488 * error. 4489 * [This is not relevant for the kernel implementation since we do all 4490 * initialization at boot time. It we hadn't initialized we wouldn't 4491 * get anywhere near this code.] 4492 * 4493 * An association id, which is a local handle to the SCTP association, 4494 * will be returned on successful establishment of the association. If 4495 * SCTP is not able to open an SCTP association with the peer endpoint, 4496 * an error is returned. 4497 * [In the kernel implementation, the struct sctp_association needs to 4498 * be created BEFORE causing this primitive to run.] 4499 * 4500 * Other association parameters may be returned, including the 4501 * complete destination transport addresses of the peer as well as the 4502 * outbound stream count of the local endpoint. One of the transport 4503 * address from the returned destination addresses will be selected by 4504 * the local endpoint as default primary path for sending SCTP packets 4505 * to this peer. The returned "destination transport addr list" can 4506 * be used by the ULP to change the default primary path or to force 4507 * sending a packet to a specific transport address. [All of this 4508 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4509 * function.] 4510 * 4511 * Mandatory attributes: 4512 * 4513 * o local SCTP instance name - obtained from the INITIALIZE operation. 4514 * [This is the argument asoc.] 4515 * o destination transport addr - specified as one of the transport 4516 * addresses of the peer endpoint with which the association is to be 4517 * established. 4518 * [This is asoc->peer.active_path.] 4519 * o outbound stream count - the number of outbound streams the ULP 4520 * would like to open towards this peer endpoint. 4521 * [BUG: This is not currently implemented.] 4522 * Optional attributes: 4523 * 4524 * None. 4525 * 4526 * The return value is a disposition. 4527 */ 4528 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 4529 const struct sctp_association *asoc, 4530 const sctp_subtype_t type, 4531 void *arg, 4532 sctp_cmd_seq_t *commands) 4533 { 4534 struct sctp_chunk *repl; 4535 struct sctp_association* my_asoc; 4536 4537 /* The comment below says that we enter COOKIE-WAIT AFTER 4538 * sending the INIT, but that doesn't actually work in our 4539 * implementation... 4540 */ 4541 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4542 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4543 4544 /* RFC 2960 5.1 Normal Establishment of an Association 4545 * 4546 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4547 * must provide its Verification Tag (Tag_A) in the Initiate 4548 * Tag field. Tag_A SHOULD be a random number in the range of 4549 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4550 */ 4551 4552 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4553 if (!repl) 4554 goto nomem; 4555 4556 /* Cast away the const modifier, as we want to just 4557 * rerun it through as a sideffect. 4558 */ 4559 my_asoc = (struct sctp_association *)asoc; 4560 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4561 4562 /* Choose transport for INIT. */ 4563 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4564 SCTP_CHUNK(repl)); 4565 4566 /* After sending the INIT, "A" starts the T1-init timer and 4567 * enters the COOKIE-WAIT state. 4568 */ 4569 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4570 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4571 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4572 return SCTP_DISPOSITION_CONSUME; 4573 4574 nomem: 4575 return SCTP_DISPOSITION_NOMEM; 4576 } 4577 4578 /* 4579 * Process the SEND primitive. 4580 * 4581 * Section: 10.1 ULP-to-SCTP 4582 * E) Send 4583 * 4584 * Format: SEND(association id, buffer address, byte count [,context] 4585 * [,stream id] [,life time] [,destination transport address] 4586 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4587 * -> result 4588 * 4589 * This is the main method to send user data via SCTP. 4590 * 4591 * Mandatory attributes: 4592 * 4593 * o association id - local handle to the SCTP association 4594 * 4595 * o buffer address - the location where the user message to be 4596 * transmitted is stored; 4597 * 4598 * o byte count - The size of the user data in number of bytes; 4599 * 4600 * Optional attributes: 4601 * 4602 * o context - an optional 32 bit integer that will be carried in the 4603 * sending failure notification to the ULP if the transportation of 4604 * this User Message fails. 4605 * 4606 * o stream id - to indicate which stream to send the data on. If not 4607 * specified, stream 0 will be used. 4608 * 4609 * o life time - specifies the life time of the user data. The user data 4610 * will not be sent by SCTP after the life time expires. This 4611 * parameter can be used to avoid efforts to transmit stale 4612 * user messages. SCTP notifies the ULP if the data cannot be 4613 * initiated to transport (i.e. sent to the destination via SCTP's 4614 * send primitive) within the life time variable. However, the 4615 * user data will be transmitted if SCTP has attempted to transmit a 4616 * chunk before the life time expired. 4617 * 4618 * o destination transport address - specified as one of the destination 4619 * transport addresses of the peer endpoint to which this packet 4620 * should be sent. Whenever possible, SCTP should use this destination 4621 * transport address for sending the packets, instead of the current 4622 * primary path. 4623 * 4624 * o unorder flag - this flag, if present, indicates that the user 4625 * would like the data delivered in an unordered fashion to the peer 4626 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4627 * message). 4628 * 4629 * o no-bundle flag - instructs SCTP not to bundle this user data with 4630 * other outbound DATA chunks. SCTP MAY still bundle even when 4631 * this flag is present, when faced with network congestion. 4632 * 4633 * o payload protocol-id - A 32 bit unsigned integer that is to be 4634 * passed to the peer indicating the type of payload protocol data 4635 * being transmitted. This value is passed as opaque data by SCTP. 4636 * 4637 * The return value is the disposition. 4638 */ 4639 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 4640 const struct sctp_association *asoc, 4641 const sctp_subtype_t type, 4642 void *arg, 4643 sctp_cmd_seq_t *commands) 4644 { 4645 struct sctp_datamsg *msg = arg; 4646 4647 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4648 return SCTP_DISPOSITION_CONSUME; 4649 } 4650 4651 /* 4652 * Process the SHUTDOWN primitive. 4653 * 4654 * Section: 10.1: 4655 * C) Shutdown 4656 * 4657 * Format: SHUTDOWN(association id) 4658 * -> result 4659 * 4660 * Gracefully closes an association. Any locally queued user data 4661 * will be delivered to the peer. The association will be terminated only 4662 * after the peer acknowledges all the SCTP packets sent. A success code 4663 * will be returned on successful termination of the association. If 4664 * attempting to terminate the association results in a failure, an error 4665 * code shall be returned. 4666 * 4667 * Mandatory attributes: 4668 * 4669 * o association id - local handle to the SCTP association 4670 * 4671 * Optional attributes: 4672 * 4673 * None. 4674 * 4675 * The return value is the disposition. 4676 */ 4677 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4678 const struct sctp_endpoint *ep, 4679 const struct sctp_association *asoc, 4680 const sctp_subtype_t type, 4681 void *arg, 4682 sctp_cmd_seq_t *commands) 4683 { 4684 int disposition; 4685 4686 /* From 9.2 Shutdown of an Association 4687 * Upon receipt of the SHUTDOWN primitive from its upper 4688 * layer, the endpoint enters SHUTDOWN-PENDING state and 4689 * remains there until all outstanding data has been 4690 * acknowledged by its peer. The endpoint accepts no new data 4691 * from its upper layer, but retransmits data to the far end 4692 * if necessary to fill gaps. 4693 */ 4694 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4695 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4696 4697 disposition = SCTP_DISPOSITION_CONSUME; 4698 if (sctp_outq_is_empty(&asoc->outqueue)) { 4699 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4700 arg, commands); 4701 } 4702 return disposition; 4703 } 4704 4705 /* 4706 * Process the ABORT primitive. 4707 * 4708 * Section: 10.1: 4709 * C) Abort 4710 * 4711 * Format: Abort(association id [, cause code]) 4712 * -> result 4713 * 4714 * Ungracefully closes an association. Any locally queued user data 4715 * will be discarded and an ABORT chunk is sent to the peer. A success code 4716 * will be returned on successful abortion of the association. If 4717 * attempting to abort the association results in a failure, an error 4718 * code shall be returned. 4719 * 4720 * Mandatory attributes: 4721 * 4722 * o association id - local handle to the SCTP association 4723 * 4724 * Optional attributes: 4725 * 4726 * o cause code - reason of the abort to be passed to the peer 4727 * 4728 * None. 4729 * 4730 * The return value is the disposition. 4731 */ 4732 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4733 const struct sctp_endpoint *ep, 4734 const struct sctp_association *asoc, 4735 const sctp_subtype_t type, 4736 void *arg, 4737 sctp_cmd_seq_t *commands) 4738 { 4739 /* From 9.1 Abort of an Association 4740 * Upon receipt of the ABORT primitive from its upper 4741 * layer, the endpoint enters CLOSED state and 4742 * discard all outstanding data has been 4743 * acknowledged by its peer. The endpoint accepts no new data 4744 * from its upper layer, but retransmits data to the far end 4745 * if necessary to fill gaps. 4746 */ 4747 struct sctp_chunk *abort = arg; 4748 sctp_disposition_t retval; 4749 4750 retval = SCTP_DISPOSITION_CONSUME; 4751 4752 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4753 4754 /* Even if we can't send the ABORT due to low memory delete the 4755 * TCB. This is a departure from our typical NOMEM handling. 4756 */ 4757 4758 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4759 SCTP_ERROR(ECONNABORTED)); 4760 /* Delete the established association. */ 4761 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4762 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4763 4764 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4765 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4766 4767 return retval; 4768 } 4769 4770 /* We tried an illegal operation on an association which is closed. */ 4771 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4772 const struct sctp_association *asoc, 4773 const sctp_subtype_t type, 4774 void *arg, 4775 sctp_cmd_seq_t *commands) 4776 { 4777 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4778 return SCTP_DISPOSITION_CONSUME; 4779 } 4780 4781 /* We tried an illegal operation on an association which is shutting 4782 * down. 4783 */ 4784 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4785 const struct sctp_association *asoc, 4786 const sctp_subtype_t type, 4787 void *arg, 4788 sctp_cmd_seq_t *commands) 4789 { 4790 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4791 SCTP_ERROR(-ESHUTDOWN)); 4792 return SCTP_DISPOSITION_CONSUME; 4793 } 4794 4795 /* 4796 * sctp_cookie_wait_prm_shutdown 4797 * 4798 * Section: 4 Note: 2 4799 * Verification Tag: 4800 * Inputs 4801 * (endpoint, asoc) 4802 * 4803 * The RFC does not explicitly address this issue, but is the route through the 4804 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4805 * 4806 * Outputs 4807 * (timers) 4808 */ 4809 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4810 const struct sctp_endpoint *ep, 4811 const struct sctp_association *asoc, 4812 const sctp_subtype_t type, 4813 void *arg, 4814 sctp_cmd_seq_t *commands) 4815 { 4816 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4817 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4818 4819 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4820 SCTP_STATE(SCTP_STATE_CLOSED)); 4821 4822 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4823 4824 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4825 4826 return SCTP_DISPOSITION_DELETE_TCB; 4827 } 4828 4829 /* 4830 * sctp_cookie_echoed_prm_shutdown 4831 * 4832 * Section: 4 Note: 2 4833 * Verification Tag: 4834 * Inputs 4835 * (endpoint, asoc) 4836 * 4837 * The RFC does not explcitly address this issue, but is the route through the 4838 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4839 * 4840 * Outputs 4841 * (timers) 4842 */ 4843 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4844 const struct sctp_endpoint *ep, 4845 const struct sctp_association *asoc, 4846 const sctp_subtype_t type, 4847 void *arg, sctp_cmd_seq_t *commands) 4848 { 4849 /* There is a single T1 timer, so we should be able to use 4850 * common function with the COOKIE-WAIT state. 4851 */ 4852 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4853 } 4854 4855 /* 4856 * sctp_sf_cookie_wait_prm_abort 4857 * 4858 * Section: 4 Note: 2 4859 * Verification Tag: 4860 * Inputs 4861 * (endpoint, asoc) 4862 * 4863 * The RFC does not explicitly address this issue, but is the route through the 4864 * state table when someone issues an abort while in COOKIE_WAIT state. 4865 * 4866 * Outputs 4867 * (timers) 4868 */ 4869 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4870 const struct sctp_endpoint *ep, 4871 const struct sctp_association *asoc, 4872 const sctp_subtype_t type, 4873 void *arg, 4874 sctp_cmd_seq_t *commands) 4875 { 4876 struct sctp_chunk *abort = arg; 4877 sctp_disposition_t retval; 4878 4879 /* Stop T1-init timer */ 4880 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4881 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4882 retval = SCTP_DISPOSITION_CONSUME; 4883 4884 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4885 4886 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4887 SCTP_STATE(SCTP_STATE_CLOSED)); 4888 4889 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4890 4891 /* Even if we can't send the ABORT due to low memory delete the 4892 * TCB. This is a departure from our typical NOMEM handling. 4893 */ 4894 4895 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4896 SCTP_ERROR(ECONNREFUSED)); 4897 /* Delete the established association. */ 4898 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4899 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4900 4901 return retval; 4902 } 4903 4904 /* 4905 * sctp_sf_cookie_echoed_prm_abort 4906 * 4907 * Section: 4 Note: 3 4908 * Verification Tag: 4909 * Inputs 4910 * (endpoint, asoc) 4911 * 4912 * The RFC does not explcitly address this issue, but is the route through the 4913 * state table when someone issues an abort while in COOKIE_ECHOED state. 4914 * 4915 * Outputs 4916 * (timers) 4917 */ 4918 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4919 const struct sctp_endpoint *ep, 4920 const struct sctp_association *asoc, 4921 const sctp_subtype_t type, 4922 void *arg, 4923 sctp_cmd_seq_t *commands) 4924 { 4925 /* There is a single T1 timer, so we should be able to use 4926 * common function with the COOKIE-WAIT state. 4927 */ 4928 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4929 } 4930 4931 /* 4932 * sctp_sf_shutdown_pending_prm_abort 4933 * 4934 * Inputs 4935 * (endpoint, asoc) 4936 * 4937 * The RFC does not explicitly address this issue, but is the route through the 4938 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4939 * 4940 * Outputs 4941 * (timers) 4942 */ 4943 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4944 const struct sctp_endpoint *ep, 4945 const struct sctp_association *asoc, 4946 const sctp_subtype_t type, 4947 void *arg, 4948 sctp_cmd_seq_t *commands) 4949 { 4950 /* Stop the T5-shutdown guard timer. */ 4951 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4952 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4953 4954 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4955 } 4956 4957 /* 4958 * sctp_sf_shutdown_sent_prm_abort 4959 * 4960 * Inputs 4961 * (endpoint, asoc) 4962 * 4963 * The RFC does not explicitly address this issue, but is the route through the 4964 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4965 * 4966 * Outputs 4967 * (timers) 4968 */ 4969 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4970 const struct sctp_endpoint *ep, 4971 const struct sctp_association *asoc, 4972 const sctp_subtype_t type, 4973 void *arg, 4974 sctp_cmd_seq_t *commands) 4975 { 4976 /* Stop the T2-shutdown timer. */ 4977 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4978 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4979 4980 /* Stop the T5-shutdown guard timer. */ 4981 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4982 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4983 4984 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4985 } 4986 4987 /* 4988 * sctp_sf_cookie_echoed_prm_abort 4989 * 4990 * Inputs 4991 * (endpoint, asoc) 4992 * 4993 * The RFC does not explcitly address this issue, but is the route through the 4994 * state table when someone issues an abort while in COOKIE_ECHOED state. 4995 * 4996 * Outputs 4997 * (timers) 4998 */ 4999 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 5000 const struct sctp_endpoint *ep, 5001 const struct sctp_association *asoc, 5002 const sctp_subtype_t type, 5003 void *arg, 5004 sctp_cmd_seq_t *commands) 5005 { 5006 /* The same T2 timer, so we should be able to use 5007 * common function with the SHUTDOWN-SENT state. 5008 */ 5009 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 5010 } 5011 5012 /* 5013 * Process the REQUESTHEARTBEAT primitive 5014 * 5015 * 10.1 ULP-to-SCTP 5016 * J) Request Heartbeat 5017 * 5018 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5019 * 5020 * -> result 5021 * 5022 * Instructs the local endpoint to perform a HeartBeat on the specified 5023 * destination transport address of the given association. The returned 5024 * result should indicate whether the transmission of the HEARTBEAT 5025 * chunk to the destination address is successful. 5026 * 5027 * Mandatory attributes: 5028 * 5029 * o association id - local handle to the SCTP association 5030 * 5031 * o destination transport address - the transport address of the 5032 * association on which a heartbeat should be issued. 5033 */ 5034 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 5035 const struct sctp_endpoint *ep, 5036 const struct sctp_association *asoc, 5037 const sctp_subtype_t type, 5038 void *arg, 5039 sctp_cmd_seq_t *commands) 5040 { 5041 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5042 (struct sctp_transport *)arg, commands)) 5043 return SCTP_DISPOSITION_NOMEM; 5044 5045 /* 5046 * RFC 2960 (bis), section 8.3 5047 * 5048 * D) Request an on-demand HEARTBEAT on a specific destination 5049 * transport address of a given association. 5050 * 5051 * The endpoint should increment the respective error counter of 5052 * the destination transport address each time a HEARTBEAT is sent 5053 * to that address and not acknowledged within one RTO. 5054 * 5055 */ 5056 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5057 SCTP_TRANSPORT(arg)); 5058 return SCTP_DISPOSITION_CONSUME; 5059 } 5060 5061 /* 5062 * ADDIP Section 4.1 ASCONF Chunk Procedures 5063 * When an endpoint has an ASCONF signaled change to be sent to the 5064 * remote endpoint it should do A1 to A9 5065 */ 5066 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 5067 const struct sctp_association *asoc, 5068 const sctp_subtype_t type, 5069 void *arg, 5070 sctp_cmd_seq_t *commands) 5071 { 5072 struct sctp_chunk *chunk = arg; 5073 5074 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5075 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5076 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5077 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5078 return SCTP_DISPOSITION_CONSUME; 5079 } 5080 5081 /* 5082 * Ignore the primitive event 5083 * 5084 * The return value is the disposition of the primitive. 5085 */ 5086 sctp_disposition_t sctp_sf_ignore_primitive( 5087 const struct sctp_endpoint *ep, 5088 const struct sctp_association *asoc, 5089 const sctp_subtype_t type, 5090 void *arg, 5091 sctp_cmd_seq_t *commands) 5092 { 5093 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 5094 return SCTP_DISPOSITION_DISCARD; 5095 } 5096 5097 /*************************************************************************** 5098 * These are the state functions for the OTHER events. 5099 ***************************************************************************/ 5100 5101 /* 5102 * When the SCTP stack has no more user data to send or retransmit, this 5103 * notification is given to the user. Also, at the time when a user app 5104 * subscribes to this event, if there is no data to be sent or 5105 * retransmit, the stack will immediately send up this notification. 5106 */ 5107 sctp_disposition_t sctp_sf_do_no_pending_tsn( 5108 const struct sctp_endpoint *ep, 5109 const struct sctp_association *asoc, 5110 const sctp_subtype_t type, 5111 void *arg, 5112 sctp_cmd_seq_t *commands) 5113 { 5114 struct sctp_ulpevent *event; 5115 5116 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5117 if (!event) 5118 return SCTP_DISPOSITION_NOMEM; 5119 5120 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5121 5122 return SCTP_DISPOSITION_CONSUME; 5123 } 5124 5125 /* 5126 * Start the shutdown negotiation. 5127 * 5128 * From Section 9.2: 5129 * Once all its outstanding data has been acknowledged, the endpoint 5130 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5131 * TSN Ack field the last sequential TSN it has received from the peer. 5132 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5133 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5134 * with the updated last sequential TSN received from its peer. 5135 * 5136 * The return value is the disposition. 5137 */ 5138 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 5139 const struct sctp_endpoint *ep, 5140 const struct sctp_association *asoc, 5141 const sctp_subtype_t type, 5142 void *arg, 5143 sctp_cmd_seq_t *commands) 5144 { 5145 struct sctp_chunk *reply; 5146 5147 /* Once all its outstanding data has been acknowledged, the 5148 * endpoint shall send a SHUTDOWN chunk to its peer including 5149 * in the Cumulative TSN Ack field the last sequential TSN it 5150 * has received from the peer. 5151 */ 5152 reply = sctp_make_shutdown(asoc, NULL); 5153 if (!reply) 5154 goto nomem; 5155 5156 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5157 * T2-shutdown timer. 5158 */ 5159 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5160 5161 /* It shall then start the T2-shutdown timer */ 5162 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5163 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5164 5165 /* RFC 4960 Section 9.2 5166 * The sender of the SHUTDOWN MAY also start an overall guard timer 5167 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5168 */ 5169 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5170 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5171 5172 if (asoc->autoclose) 5173 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5174 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5175 5176 /* and enter the SHUTDOWN-SENT state. */ 5177 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5178 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5179 5180 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5181 * 5182 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5183 * or SHUTDOWN-ACK. 5184 */ 5185 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5186 5187 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5188 5189 return SCTP_DISPOSITION_CONSUME; 5190 5191 nomem: 5192 return SCTP_DISPOSITION_NOMEM; 5193 } 5194 5195 /* 5196 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5197 * 5198 * From Section 9.2: 5199 * 5200 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5201 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5202 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5203 * endpoint must re-send the SHUTDOWN ACK. 5204 * 5205 * The return value is the disposition. 5206 */ 5207 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5208 const struct sctp_endpoint *ep, 5209 const struct sctp_association *asoc, 5210 const sctp_subtype_t type, 5211 void *arg, 5212 sctp_cmd_seq_t *commands) 5213 { 5214 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5215 struct sctp_chunk *reply; 5216 5217 /* There are 2 ways of getting here: 5218 * 1) called in response to a SHUTDOWN chunk 5219 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5220 * 5221 * For the case (2), the arg parameter is set to NULL. We need 5222 * to check that we have a chunk before accessing it's fields. 5223 */ 5224 if (chunk) { 5225 if (!sctp_vtag_verify(chunk, asoc)) 5226 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 5227 5228 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5229 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5230 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 5231 commands); 5232 } 5233 5234 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5235 * shall send a SHUTDOWN ACK ... 5236 */ 5237 reply = sctp_make_shutdown_ack(asoc, chunk); 5238 if (!reply) 5239 goto nomem; 5240 5241 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5242 * the T2-shutdown timer. 5243 */ 5244 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5245 5246 /* and start/restart a T2-shutdown timer of its own, */ 5247 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5248 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5249 5250 if (asoc->autoclose) 5251 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5252 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5253 5254 /* Enter the SHUTDOWN-ACK-SENT state. */ 5255 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5256 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5257 5258 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5259 * 5260 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5261 * or SHUTDOWN-ACK. 5262 */ 5263 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5264 5265 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5266 5267 return SCTP_DISPOSITION_CONSUME; 5268 5269 nomem: 5270 return SCTP_DISPOSITION_NOMEM; 5271 } 5272 5273 /* 5274 * Ignore the event defined as other 5275 * 5276 * The return value is the disposition of the event. 5277 */ 5278 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 5279 const struct sctp_association *asoc, 5280 const sctp_subtype_t type, 5281 void *arg, 5282 sctp_cmd_seq_t *commands) 5283 { 5284 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 5285 return SCTP_DISPOSITION_DISCARD; 5286 } 5287 5288 /************************************************************ 5289 * These are the state functions for handling timeout events. 5290 ************************************************************/ 5291 5292 /* 5293 * RTX Timeout 5294 * 5295 * Section: 6.3.3 Handle T3-rtx Expiration 5296 * 5297 * Whenever the retransmission timer T3-rtx expires for a destination 5298 * address, do the following: 5299 * [See below] 5300 * 5301 * The return value is the disposition of the chunk. 5302 */ 5303 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 5304 const struct sctp_association *asoc, 5305 const sctp_subtype_t type, 5306 void *arg, 5307 sctp_cmd_seq_t *commands) 5308 { 5309 struct sctp_transport *transport = arg; 5310 5311 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 5312 5313 if (asoc->overall_error_count >= asoc->max_retrans) { 5314 if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5315 /* 5316 * We are here likely because the receiver had its rwnd 5317 * closed for a while and we have not been able to 5318 * transmit the locally queued data within the maximum 5319 * retransmission attempts limit. Start the T5 5320 * shutdown guard timer to give the receiver one last 5321 * chance and some additional time to recover before 5322 * aborting. 5323 */ 5324 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5325 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5326 } else { 5327 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5328 SCTP_ERROR(ETIMEDOUT)); 5329 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5330 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5331 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5332 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5333 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5334 return SCTP_DISPOSITION_DELETE_TCB; 5335 } 5336 } 5337 5338 /* E1) For the destination address for which the timer 5339 * expires, adjust its ssthresh with rules defined in Section 5340 * 7.2.3 and set the cwnd <- MTU. 5341 */ 5342 5343 /* E2) For the destination address for which the timer 5344 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5345 * maximum value discussed in rule C7 above (RTO.max) may be 5346 * used to provide an upper bound to this doubling operation. 5347 */ 5348 5349 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5350 * outstanding DATA chunks for the address for which the 5351 * T3-rtx has expired will fit into a single packet, subject 5352 * to the MTU constraint for the path corresponding to the 5353 * destination transport address to which the retransmission 5354 * is being sent (this may be different from the address for 5355 * which the timer expires [see Section 6.4]). Call this 5356 * value K. Bundle and retransmit those K DATA chunks in a 5357 * single packet to the destination endpoint. 5358 * 5359 * Note: Any DATA chunks that were sent to the address for 5360 * which the T3-rtx timer expired but did not fit in one MTU 5361 * (rule E3 above), should be marked for retransmission and 5362 * sent as soon as cwnd allows (normally when a SACK arrives). 5363 */ 5364 5365 /* Do some failure management (Section 8.2). */ 5366 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5367 5368 /* NB: Rules E4 and F1 are implicit in R1. */ 5369 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5370 5371 return SCTP_DISPOSITION_CONSUME; 5372 } 5373 5374 /* 5375 * Generate delayed SACK on timeout 5376 * 5377 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5378 * 5379 * The guidelines on delayed acknowledgement algorithm specified in 5380 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5381 * acknowledgement SHOULD be generated for at least every second packet 5382 * (not every second DATA chunk) received, and SHOULD be generated 5383 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5384 * some situations it may be beneficial for an SCTP transmitter to be 5385 * more conservative than the algorithms detailed in this document 5386 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5387 * the following algorithms allow. 5388 */ 5389 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 5390 const struct sctp_association *asoc, 5391 const sctp_subtype_t type, 5392 void *arg, 5393 sctp_cmd_seq_t *commands) 5394 { 5395 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 5396 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5397 return SCTP_DISPOSITION_CONSUME; 5398 } 5399 5400 /* 5401 * sctp_sf_t1_init_timer_expire 5402 * 5403 * Section: 4 Note: 2 5404 * Verification Tag: 5405 * Inputs 5406 * (endpoint, asoc) 5407 * 5408 * RFC 2960 Section 4 Notes 5409 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5410 * and re-start the T1-init timer without changing state. This MUST 5411 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5412 * endpoint MUST abort the initialization process and report the 5413 * error to SCTP user. 5414 * 5415 * Outputs 5416 * (timers, events) 5417 * 5418 */ 5419 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 5420 const struct sctp_association *asoc, 5421 const sctp_subtype_t type, 5422 void *arg, 5423 sctp_cmd_seq_t *commands) 5424 { 5425 struct sctp_chunk *repl = NULL; 5426 struct sctp_bind_addr *bp; 5427 int attempts = asoc->init_err_counter + 1; 5428 5429 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 5430 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 5431 5432 if (attempts <= asoc->max_init_attempts) { 5433 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5434 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5435 if (!repl) 5436 return SCTP_DISPOSITION_NOMEM; 5437 5438 /* Choose transport for INIT. */ 5439 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5440 SCTP_CHUNK(repl)); 5441 5442 /* Issue a sideeffect to do the needed accounting. */ 5443 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5444 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5445 5446 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5447 } else { 5448 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 5449 " max_init_attempts: %d\n", 5450 attempts, asoc->max_init_attempts); 5451 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5452 SCTP_ERROR(ETIMEDOUT)); 5453 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5454 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5455 return SCTP_DISPOSITION_DELETE_TCB; 5456 } 5457 5458 return SCTP_DISPOSITION_CONSUME; 5459 } 5460 5461 /* 5462 * sctp_sf_t1_cookie_timer_expire 5463 * 5464 * Section: 4 Note: 2 5465 * Verification Tag: 5466 * Inputs 5467 * (endpoint, asoc) 5468 * 5469 * RFC 2960 Section 4 Notes 5470 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5471 * COOKIE ECHO and re-start the T1-cookie timer without changing 5472 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5473 * After that, the endpoint MUST abort the initialization process and 5474 * report the error to SCTP user. 5475 * 5476 * Outputs 5477 * (timers, events) 5478 * 5479 */ 5480 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 5481 const struct sctp_association *asoc, 5482 const sctp_subtype_t type, 5483 void *arg, 5484 sctp_cmd_seq_t *commands) 5485 { 5486 struct sctp_chunk *repl = NULL; 5487 int attempts = asoc->init_err_counter + 1; 5488 5489 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 5490 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 5491 5492 if (attempts <= asoc->max_init_attempts) { 5493 repl = sctp_make_cookie_echo(asoc, NULL); 5494 if (!repl) 5495 return SCTP_DISPOSITION_NOMEM; 5496 5497 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5498 SCTP_CHUNK(repl)); 5499 /* Issue a sideeffect to do the needed accounting. */ 5500 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5501 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5502 5503 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5504 } else { 5505 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5506 SCTP_ERROR(ETIMEDOUT)); 5507 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5508 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5509 return SCTP_DISPOSITION_DELETE_TCB; 5510 } 5511 5512 return SCTP_DISPOSITION_CONSUME; 5513 } 5514 5515 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5516 * with the updated last sequential TSN received from its peer. 5517 * 5518 * An endpoint should limit the number of retransmissions of the 5519 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5520 * If this threshold is exceeded the endpoint should destroy the TCB and 5521 * MUST report the peer endpoint unreachable to the upper layer (and 5522 * thus the association enters the CLOSED state). The reception of any 5523 * packet from its peer (i.e. as the peer sends all of its queued DATA 5524 * chunks) should clear the endpoint's retransmission count and restart 5525 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5526 * all of its queued DATA chunks that have not yet been sent. 5527 */ 5528 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 5529 const struct sctp_association *asoc, 5530 const sctp_subtype_t type, 5531 void *arg, 5532 sctp_cmd_seq_t *commands) 5533 { 5534 struct sctp_chunk *reply = NULL; 5535 5536 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 5537 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5538 5539 ((struct sctp_association *)asoc)->shutdown_retries++; 5540 5541 if (asoc->overall_error_count >= asoc->max_retrans) { 5542 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5543 SCTP_ERROR(ETIMEDOUT)); 5544 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5545 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5546 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5547 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5548 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5549 return SCTP_DISPOSITION_DELETE_TCB; 5550 } 5551 5552 switch (asoc->state) { 5553 case SCTP_STATE_SHUTDOWN_SENT: 5554 reply = sctp_make_shutdown(asoc, NULL); 5555 break; 5556 5557 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5558 reply = sctp_make_shutdown_ack(asoc, NULL); 5559 break; 5560 5561 default: 5562 BUG(); 5563 break; 5564 } 5565 5566 if (!reply) 5567 goto nomem; 5568 5569 /* Do some failure management (Section 8.2). 5570 * If we remove the transport an SHUTDOWN was last sent to, don't 5571 * do failure management. 5572 */ 5573 if (asoc->shutdown_last_sent_to) 5574 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5575 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5576 5577 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5578 * the T2-shutdown timer. 5579 */ 5580 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5581 5582 /* Restart the T2-shutdown timer. */ 5583 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5584 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5585 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5586 return SCTP_DISPOSITION_CONSUME; 5587 5588 nomem: 5589 return SCTP_DISPOSITION_NOMEM; 5590 } 5591 5592 /* 5593 * ADDIP Section 4.1 ASCONF CHunk Procedures 5594 * If the T4 RTO timer expires the endpoint should do B1 to B5 5595 */ 5596 sctp_disposition_t sctp_sf_t4_timer_expire( 5597 const struct sctp_endpoint *ep, 5598 const struct sctp_association *asoc, 5599 const sctp_subtype_t type, 5600 void *arg, 5601 sctp_cmd_seq_t *commands) 5602 { 5603 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5604 struct sctp_transport *transport = chunk->transport; 5605 5606 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 5607 5608 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5609 * detection on the appropriate destination address as defined in 5610 * RFC2960 [5] section 8.1 and 8.2. 5611 */ 5612 if (transport) 5613 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5614 SCTP_TRANSPORT(transport)); 5615 5616 /* Reconfig T4 timer and transport. */ 5617 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5618 5619 /* ADDIP 4.1 B2) Increment the association error counters and perform 5620 * endpoint failure detection on the association as defined in 5621 * RFC2960 [5] section 8.1 and 8.2. 5622 * association error counter is incremented in SCTP_CMD_STRIKE. 5623 */ 5624 if (asoc->overall_error_count >= asoc->max_retrans) { 5625 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5626 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5627 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5628 SCTP_ERROR(ETIMEDOUT)); 5629 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5630 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5631 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5632 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5633 return SCTP_DISPOSITION_ABORT; 5634 } 5635 5636 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5637 * the ASCONF chunk was sent by doubling the RTO timer value. 5638 * This is done in SCTP_CMD_STRIKE. 5639 */ 5640 5641 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5642 * choose an alternate destination address (please refer to RFC2960 5643 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5644 * chunk, it MUST be the same (including its serial number) as the last 5645 * ASCONF sent. 5646 */ 5647 sctp_chunk_hold(asoc->addip_last_asconf); 5648 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5649 SCTP_CHUNK(asoc->addip_last_asconf)); 5650 5651 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5652 * destination is selected, then the RTO used will be that of the new 5653 * destination address. 5654 */ 5655 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5656 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5657 5658 return SCTP_DISPOSITION_CONSUME; 5659 } 5660 5661 /* sctpimpguide-05 Section 2.12.2 5662 * The sender of the SHUTDOWN MAY also start an overall guard timer 5663 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5664 * At the expiration of this timer the sender SHOULD abort the association 5665 * by sending an ABORT chunk. 5666 */ 5667 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 5668 const struct sctp_association *asoc, 5669 const sctp_subtype_t type, 5670 void *arg, 5671 sctp_cmd_seq_t *commands) 5672 { 5673 struct sctp_chunk *reply = NULL; 5674 5675 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 5676 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5677 5678 reply = sctp_make_abort(asoc, NULL, 0); 5679 if (!reply) 5680 goto nomem; 5681 5682 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5683 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5684 SCTP_ERROR(ETIMEDOUT)); 5685 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5686 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5687 5688 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5689 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5690 5691 return SCTP_DISPOSITION_DELETE_TCB; 5692 nomem: 5693 return SCTP_DISPOSITION_NOMEM; 5694 } 5695 5696 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5697 * the association is automatically closed by starting the shutdown process. 5698 * The work that needs to be done is same as when SHUTDOWN is initiated by 5699 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5700 */ 5701 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5702 const struct sctp_endpoint *ep, 5703 const struct sctp_association *asoc, 5704 const sctp_subtype_t type, 5705 void *arg, 5706 sctp_cmd_seq_t *commands) 5707 { 5708 int disposition; 5709 5710 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 5711 5712 /* From 9.2 Shutdown of an Association 5713 * Upon receipt of the SHUTDOWN primitive from its upper 5714 * layer, the endpoint enters SHUTDOWN-PENDING state and 5715 * remains there until all outstanding data has been 5716 * acknowledged by its peer. The endpoint accepts no new data 5717 * from its upper layer, but retransmits data to the far end 5718 * if necessary to fill gaps. 5719 */ 5720 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5721 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5722 5723 disposition = SCTP_DISPOSITION_CONSUME; 5724 if (sctp_outq_is_empty(&asoc->outqueue)) { 5725 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 5726 arg, commands); 5727 } 5728 return disposition; 5729 } 5730 5731 /***************************************************************************** 5732 * These are sa state functions which could apply to all types of events. 5733 ****************************************************************************/ 5734 5735 /* 5736 * This table entry is not implemented. 5737 * 5738 * Inputs 5739 * (endpoint, asoc, chunk) 5740 * 5741 * The return value is the disposition of the chunk. 5742 */ 5743 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 5744 const struct sctp_association *asoc, 5745 const sctp_subtype_t type, 5746 void *arg, 5747 sctp_cmd_seq_t *commands) 5748 { 5749 return SCTP_DISPOSITION_NOT_IMPL; 5750 } 5751 5752 /* 5753 * This table entry represents a bug. 5754 * 5755 * Inputs 5756 * (endpoint, asoc, chunk) 5757 * 5758 * The return value is the disposition of the chunk. 5759 */ 5760 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 5761 const struct sctp_association *asoc, 5762 const sctp_subtype_t type, 5763 void *arg, 5764 sctp_cmd_seq_t *commands) 5765 { 5766 return SCTP_DISPOSITION_BUG; 5767 } 5768 5769 /* 5770 * This table entry represents the firing of a timer in the wrong state. 5771 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5772 * when the association is in the wrong state. This event should 5773 * be ignored, so as to prevent any rearming of the timer. 5774 * 5775 * Inputs 5776 * (endpoint, asoc, chunk) 5777 * 5778 * The return value is the disposition of the chunk. 5779 */ 5780 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 5781 const struct sctp_association *asoc, 5782 const sctp_subtype_t type, 5783 void *arg, 5784 sctp_cmd_seq_t *commands) 5785 { 5786 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5787 return SCTP_DISPOSITION_CONSUME; 5788 } 5789 5790 /******************************************************************** 5791 * 2nd Level Abstractions 5792 ********************************************************************/ 5793 5794 /* Pull the SACK chunk based on the SACK header. */ 5795 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5796 { 5797 struct sctp_sackhdr *sack; 5798 unsigned int len; 5799 __u16 num_blocks; 5800 __u16 num_dup_tsns; 5801 5802 /* Protect ourselves from reading too far into 5803 * the skb from a bogus sender. 5804 */ 5805 sack = (struct sctp_sackhdr *) chunk->skb->data; 5806 5807 num_blocks = ntohs(sack->num_gap_ack_blocks); 5808 num_dup_tsns = ntohs(sack->num_dup_tsns); 5809 len = sizeof(struct sctp_sackhdr); 5810 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5811 if (len > chunk->skb->len) 5812 return NULL; 5813 5814 skb_pull(chunk->skb, len); 5815 5816 return sack; 5817 } 5818 5819 /* Create an ABORT packet to be sent as a response, with the specified 5820 * error causes. 5821 */ 5822 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5823 const struct sctp_association *asoc, 5824 struct sctp_chunk *chunk, 5825 const void *payload, 5826 size_t paylen) 5827 { 5828 struct sctp_packet *packet; 5829 struct sctp_chunk *abort; 5830 5831 packet = sctp_ootb_pkt_new(asoc, chunk); 5832 5833 if (packet) { 5834 /* Make an ABORT. 5835 * The T bit will be set if the asoc is NULL. 5836 */ 5837 abort = sctp_make_abort(asoc, chunk, paylen); 5838 if (!abort) { 5839 sctp_ootb_pkt_free(packet); 5840 return NULL; 5841 } 5842 5843 /* Reflect vtag if T-Bit is set */ 5844 if (sctp_test_T_bit(abort)) 5845 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5846 5847 /* Add specified error causes, i.e., payload, to the 5848 * end of the chunk. 5849 */ 5850 sctp_addto_chunk(abort, paylen, payload); 5851 5852 /* Set the skb to the belonging sock for accounting. */ 5853 abort->skb->sk = ep->base.sk; 5854 5855 sctp_packet_append_chunk(packet, abort); 5856 5857 } 5858 5859 return packet; 5860 } 5861 5862 /* Allocate a packet for responding in the OOTB conditions. */ 5863 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5864 const struct sctp_chunk *chunk) 5865 { 5866 struct sctp_packet *packet; 5867 struct sctp_transport *transport; 5868 __u16 sport; 5869 __u16 dport; 5870 __u32 vtag; 5871 5872 /* Get the source and destination port from the inbound packet. */ 5873 sport = ntohs(chunk->sctp_hdr->dest); 5874 dport = ntohs(chunk->sctp_hdr->source); 5875 5876 /* The V-tag is going to be the same as the inbound packet if no 5877 * association exists, otherwise, use the peer's vtag. 5878 */ 5879 if (asoc) { 5880 /* Special case the INIT-ACK as there is no peer's vtag 5881 * yet. 5882 */ 5883 switch(chunk->chunk_hdr->type) { 5884 case SCTP_CID_INIT_ACK: 5885 { 5886 sctp_initack_chunk_t *initack; 5887 5888 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 5889 vtag = ntohl(initack->init_hdr.init_tag); 5890 break; 5891 } 5892 default: 5893 vtag = asoc->peer.i.init_tag; 5894 break; 5895 } 5896 } else { 5897 /* Special case the INIT and stale COOKIE_ECHO as there is no 5898 * vtag yet. 5899 */ 5900 switch(chunk->chunk_hdr->type) { 5901 case SCTP_CID_INIT: 5902 { 5903 sctp_init_chunk_t *init; 5904 5905 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5906 vtag = ntohl(init->init_hdr.init_tag); 5907 break; 5908 } 5909 default: 5910 vtag = ntohl(chunk->sctp_hdr->vtag); 5911 break; 5912 } 5913 } 5914 5915 /* Make a transport for the bucket, Eliza... */ 5916 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5917 if (!transport) 5918 goto nomem; 5919 5920 /* Cache a route for the transport with the chunk's destination as 5921 * the source address. 5922 */ 5923 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5924 sctp_sk(sctp_get_ctl_sock())); 5925 5926 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5927 packet = sctp_packet_config(packet, vtag, 0); 5928 5929 return packet; 5930 5931 nomem: 5932 return NULL; 5933 } 5934 5935 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5936 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5937 { 5938 sctp_transport_free(packet->transport); 5939 } 5940 5941 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5942 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5943 const struct sctp_association *asoc, 5944 const struct sctp_chunk *chunk, 5945 sctp_cmd_seq_t *commands, 5946 struct sctp_chunk *err_chunk) 5947 { 5948 struct sctp_packet *packet; 5949 5950 if (err_chunk) { 5951 packet = sctp_ootb_pkt_new(asoc, chunk); 5952 if (packet) { 5953 struct sctp_signed_cookie *cookie; 5954 5955 /* Override the OOTB vtag from the cookie. */ 5956 cookie = chunk->subh.cookie_hdr; 5957 packet->vtag = cookie->c.peer_vtag; 5958 5959 /* Set the skb to the belonging sock for accounting. */ 5960 err_chunk->skb->sk = ep->base.sk; 5961 sctp_packet_append_chunk(packet, err_chunk); 5962 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5963 SCTP_PACKET(packet)); 5964 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5965 } else 5966 sctp_chunk_free (err_chunk); 5967 } 5968 } 5969 5970 5971 /* Process a data chunk */ 5972 static int sctp_eat_data(const struct sctp_association *asoc, 5973 struct sctp_chunk *chunk, 5974 sctp_cmd_seq_t *commands) 5975 { 5976 sctp_datahdr_t *data_hdr; 5977 struct sctp_chunk *err; 5978 size_t datalen; 5979 sctp_verb_t deliver; 5980 int tmp; 5981 __u32 tsn; 5982 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5983 struct sock *sk = asoc->base.sk; 5984 u16 ssn; 5985 u16 sid; 5986 u8 ordered = 0; 5987 5988 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5989 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5990 5991 tsn = ntohl(data_hdr->tsn); 5992 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5993 5994 /* ASSERT: Now skb->data is really the user data. */ 5995 5996 /* Process ECN based congestion. 5997 * 5998 * Since the chunk structure is reused for all chunks within 5999 * a packet, we use ecn_ce_done to track if we've already 6000 * done CE processing for this packet. 6001 * 6002 * We need to do ECN processing even if we plan to discard the 6003 * chunk later. 6004 */ 6005 6006 if (!chunk->ecn_ce_done) { 6007 struct sctp_af *af; 6008 chunk->ecn_ce_done = 1; 6009 6010 af = sctp_get_af_specific( 6011 ipver2af(ip_hdr(chunk->skb)->version)); 6012 6013 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 6014 /* Do real work as sideffect. */ 6015 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6016 SCTP_U32(tsn)); 6017 } 6018 } 6019 6020 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6021 if (tmp < 0) { 6022 /* The TSN is too high--silently discard the chunk and 6023 * count on it getting retransmitted later. 6024 */ 6025 return SCTP_IERROR_HIGH_TSN; 6026 } else if (tmp > 0) { 6027 /* This is a duplicate. Record it. */ 6028 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6029 return SCTP_IERROR_DUP_TSN; 6030 } 6031 6032 /* This is a new TSN. */ 6033 6034 /* Discard if there is no room in the receive window. 6035 * Actually, allow a little bit of overflow (up to a MTU). 6036 */ 6037 datalen = ntohs(chunk->chunk_hdr->length); 6038 datalen -= sizeof(sctp_data_chunk_t); 6039 6040 deliver = SCTP_CMD_CHUNK_ULP; 6041 6042 /* Think about partial delivery. */ 6043 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6044 6045 /* Even if we don't accept this chunk there is 6046 * memory pressure. 6047 */ 6048 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6049 } 6050 6051 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6052 * seems a bit troublesome in that frag_point varies based on 6053 * PMTU. In cases, such as loopback, this might be a rather 6054 * large spill over. 6055 */ 6056 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6057 (datalen > asoc->rwnd + asoc->frag_point))) { 6058 6059 /* If this is the next TSN, consider reneging to make 6060 * room. Note: Playing nice with a confused sender. A 6061 * malicious sender can still eat up all our buffer 6062 * space and in the future we may want to detect and 6063 * do more drastic reneging. 6064 */ 6065 if (sctp_tsnmap_has_gap(map) && 6066 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6067 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 6068 deliver = SCTP_CMD_RENEGE; 6069 } else { 6070 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 6071 "rwnd: %d\n", tsn, datalen, 6072 asoc->rwnd); 6073 return SCTP_IERROR_IGNORE_TSN; 6074 } 6075 } 6076 6077 /* 6078 * Also try to renege to limit our memory usage in the event that 6079 * we are under memory pressure 6080 * If we can't renege, don't worry about it, the sk_rmem_schedule 6081 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6082 * memory usage too much 6083 */ 6084 if (*sk->sk_prot_creator->memory_pressure) { 6085 if (sctp_tsnmap_has_gap(map) && 6086 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6087 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn); 6088 deliver = SCTP_CMD_RENEGE; 6089 } 6090 } 6091 6092 /* 6093 * Section 3.3.10.9 No User Data (9) 6094 * 6095 * Cause of error 6096 * --------------- 6097 * No User Data: This error cause is returned to the originator of a 6098 * DATA chunk if a received DATA chunk has no user data. 6099 */ 6100 if (unlikely(0 == datalen)) { 6101 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6102 if (err) { 6103 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6104 SCTP_CHUNK(err)); 6105 } 6106 /* We are going to ABORT, so we might as well stop 6107 * processing the rest of the chunks in the packet. 6108 */ 6109 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 6110 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6111 SCTP_ERROR(ECONNABORTED)); 6112 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6113 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6114 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 6115 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 6116 return SCTP_IERROR_NO_DATA; 6117 } 6118 6119 chunk->data_accepted = 1; 6120 6121 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6122 * if we renege and the chunk arrives again. 6123 */ 6124 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 6125 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 6126 else { 6127 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 6128 ordered = 1; 6129 } 6130 6131 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6132 * 6133 * If an endpoint receive a DATA chunk with an invalid stream 6134 * identifier, it shall acknowledge the reception of the DATA chunk 6135 * following the normal procedure, immediately send an ERROR chunk 6136 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6137 * and discard the DATA chunk. 6138 */ 6139 sid = ntohs(data_hdr->stream); 6140 if (sid >= asoc->c.sinit_max_instreams) { 6141 /* Mark tsn as received even though we drop it */ 6142 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6143 6144 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6145 &data_hdr->stream, 6146 sizeof(data_hdr->stream), 6147 sizeof(u16)); 6148 if (err) 6149 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6150 SCTP_CHUNK(err)); 6151 return SCTP_IERROR_BAD_STREAM; 6152 } 6153 6154 /* Check to see if the SSN is possible for this TSN. 6155 * The biggest gap we can record is 4K wide. Since SSNs wrap 6156 * at an unsigned short, there is no way that an SSN can 6157 * wrap and for a valid TSN. We can simply check if the current 6158 * SSN is smaller then the next expected one. If it is, it wrapped 6159 * and is invalid. 6160 */ 6161 ssn = ntohs(data_hdr->ssn); 6162 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) { 6163 return SCTP_IERROR_PROTO_VIOLATION; 6164 } 6165 6166 /* Send the data up to the user. Note: Schedule the 6167 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6168 * chunk needs the updated rwnd. 6169 */ 6170 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6171 6172 return SCTP_IERROR_NO_ERROR; 6173 } 6174