1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, write to 26 * the Free Software Foundation, 59 Temple Place - Suite 330, 27 * Boston, MA 02111-1307, USA. 28 * 29 * Please send any bug reports or fixes you make to the 30 * email address(es): 31 * lksctp developers <lksctp-developers@lists.sourceforge.net> 32 * 33 * Or submit a bug report through the following website: 34 * http://www.sf.net/projects/lksctp 35 * 36 * Written or modified by: 37 * La Monte H.P. Yarroll <piggy@acm.org> 38 * Karl Knutson <karl@athena.chicago.il.us> 39 * Mathew Kotowsky <kotowsky@sctp.org> 40 * Sridhar Samudrala <samudrala@us.ibm.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Dajiang Zhang <dajiang.zhang@nokia.com> 44 * Daisy Chang <daisyc@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * Ryan Layer <rmlayer@us.ibm.com> 47 * Kevin Gao <kevin.gao@intel.com> 48 * 49 * Any bugs reported given to us we will try to fix... any fixes shared will 50 * be incorporated into the next SCTP release. 51 */ 52 53 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 54 55 #include <linux/types.h> 56 #include <linux/kernel.h> 57 #include <linux/ip.h> 58 #include <linux/ipv6.h> 59 #include <linux/net.h> 60 #include <linux/inet.h> 61 #include <linux/slab.h> 62 #include <net/sock.h> 63 #include <net/inet_ecn.h> 64 #include <linux/skbuff.h> 65 #include <net/sctp/sctp.h> 66 #include <net/sctp/sm.h> 67 #include <net/sctp/structs.h> 68 69 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 70 const struct sctp_association *asoc, 71 struct sctp_chunk *chunk, 72 const void *payload, 73 size_t paylen); 74 static int sctp_eat_data(const struct sctp_association *asoc, 75 struct sctp_chunk *chunk, 76 sctp_cmd_seq_t *commands); 77 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 78 const struct sctp_chunk *chunk); 79 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 80 const struct sctp_association *asoc, 81 const struct sctp_chunk *chunk, 82 sctp_cmd_seq_t *commands, 83 struct sctp_chunk *err_chunk); 84 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 85 const struct sctp_association *asoc, 86 const sctp_subtype_t type, 87 void *arg, 88 sctp_cmd_seq_t *commands); 89 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 90 const struct sctp_association *asoc, 91 const sctp_subtype_t type, 92 void *arg, 93 sctp_cmd_seq_t *commands); 94 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 95 const struct sctp_association *asoc, 96 const sctp_subtype_t type, 97 void *arg, 98 sctp_cmd_seq_t *commands); 99 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 100 101 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 102 __be16 error, int sk_err, 103 const struct sctp_association *asoc, 104 struct sctp_transport *transport); 105 106 static sctp_disposition_t sctp_sf_abort_violation( 107 const struct sctp_endpoint *ep, 108 const struct sctp_association *asoc, 109 void *arg, 110 sctp_cmd_seq_t *commands, 111 const __u8 *payload, 112 const size_t paylen); 113 114 static sctp_disposition_t sctp_sf_violation_chunklen( 115 const struct sctp_endpoint *ep, 116 const struct sctp_association *asoc, 117 const sctp_subtype_t type, 118 void *arg, 119 sctp_cmd_seq_t *commands); 120 121 static sctp_disposition_t sctp_sf_violation_paramlen( 122 const struct sctp_endpoint *ep, 123 const struct sctp_association *asoc, 124 const sctp_subtype_t type, 125 void *arg, void *ext, 126 sctp_cmd_seq_t *commands); 127 128 static sctp_disposition_t sctp_sf_violation_ctsn( 129 const struct sctp_endpoint *ep, 130 const struct sctp_association *asoc, 131 const sctp_subtype_t type, 132 void *arg, 133 sctp_cmd_seq_t *commands); 134 135 static sctp_disposition_t sctp_sf_violation_chunk( 136 const struct sctp_endpoint *ep, 137 const struct sctp_association *asoc, 138 const sctp_subtype_t type, 139 void *arg, 140 sctp_cmd_seq_t *commands); 141 142 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 143 const struct sctp_association *asoc, 144 const sctp_subtype_t type, 145 struct sctp_chunk *chunk); 146 147 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 148 const struct sctp_association *asoc, 149 const sctp_subtype_t type, 150 void *arg, 151 sctp_cmd_seq_t *commands); 152 153 /* Small helper function that checks if the chunk length 154 * is of the appropriate length. The 'required_length' argument 155 * is set to be the size of a specific chunk we are testing. 156 * Return Values: 1 = Valid length 157 * 0 = Invalid length 158 * 159 */ 160 static inline int 161 sctp_chunk_length_valid(struct sctp_chunk *chunk, 162 __u16 required_length) 163 { 164 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 165 166 if (unlikely(chunk_length < required_length)) 167 return 0; 168 169 return 1; 170 } 171 172 /********************************************************** 173 * These are the state functions for handling chunk events. 174 **********************************************************/ 175 176 /* 177 * Process the final SHUTDOWN COMPLETE. 178 * 179 * Section: 4 (C) (diagram), 9.2 180 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 181 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 182 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 183 * should stop the T2-shutdown timer and remove all knowledge of the 184 * association (and thus the association enters the CLOSED state). 185 * 186 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 187 * C) Rules for packet carrying SHUTDOWN COMPLETE: 188 * ... 189 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 190 * if the Verification Tag field of the packet matches its own tag and 191 * the T bit is not set 192 * OR 193 * it is set to its peer's tag and the T bit is set in the Chunk 194 * Flags. 195 * Otherwise, the receiver MUST silently discard the packet 196 * and take no further action. An endpoint MUST ignore the 197 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 198 * 199 * Inputs 200 * (endpoint, asoc, chunk) 201 * 202 * Outputs 203 * (asoc, reply_msg, msg_up, timers, counters) 204 * 205 * The return value is the disposition of the chunk. 206 */ 207 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 208 const struct sctp_association *asoc, 209 const sctp_subtype_t type, 210 void *arg, 211 sctp_cmd_seq_t *commands) 212 { 213 struct sctp_chunk *chunk = arg; 214 struct sctp_ulpevent *ev; 215 216 if (!sctp_vtag_verify_either(chunk, asoc)) 217 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 218 219 /* RFC 2960 6.10 Bundling 220 * 221 * An endpoint MUST NOT bundle INIT, INIT ACK or 222 * SHUTDOWN COMPLETE with any other chunks. 223 */ 224 if (!chunk->singleton) 225 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 226 227 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 228 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 229 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 230 commands); 231 232 /* RFC 2960 10.2 SCTP-to-ULP 233 * 234 * H) SHUTDOWN COMPLETE notification 235 * 236 * When SCTP completes the shutdown procedures (section 9.2) this 237 * notification is passed to the upper layer. 238 */ 239 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 240 0, 0, 0, NULL, GFP_ATOMIC); 241 if (ev) 242 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 243 SCTP_ULPEVENT(ev)); 244 245 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 246 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 247 * not the chunk should be discarded. If the endpoint is in 248 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 249 * T2-shutdown timer and remove all knowledge of the 250 * association (and thus the association enters the CLOSED 251 * state). 252 */ 253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 254 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 255 256 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 257 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 258 259 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 260 SCTP_STATE(SCTP_STATE_CLOSED)); 261 262 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 263 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 264 265 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 266 267 return SCTP_DISPOSITION_DELETE_TCB; 268 } 269 270 /* 271 * Respond to a normal INIT chunk. 272 * We are the side that is being asked for an association. 273 * 274 * Section: 5.1 Normal Establishment of an Association, B 275 * B) "Z" shall respond immediately with an INIT ACK chunk. The 276 * destination IP address of the INIT ACK MUST be set to the source 277 * IP address of the INIT to which this INIT ACK is responding. In 278 * the response, besides filling in other parameters, "Z" must set the 279 * Verification Tag field to Tag_A, and also provide its own 280 * Verification Tag (Tag_Z) in the Initiate Tag field. 281 * 282 * Verification Tag: Must be 0. 283 * 284 * Inputs 285 * (endpoint, asoc, chunk) 286 * 287 * Outputs 288 * (asoc, reply_msg, msg_up, timers, counters) 289 * 290 * The return value is the disposition of the chunk. 291 */ 292 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 293 const struct sctp_association *asoc, 294 const sctp_subtype_t type, 295 void *arg, 296 sctp_cmd_seq_t *commands) 297 { 298 struct sctp_chunk *chunk = arg; 299 struct sctp_chunk *repl; 300 struct sctp_association *new_asoc; 301 struct sctp_chunk *err_chunk; 302 struct sctp_packet *packet; 303 sctp_unrecognized_param_t *unk_param; 304 int len; 305 306 /* 6.10 Bundling 307 * An endpoint MUST NOT bundle INIT, INIT ACK or 308 * SHUTDOWN COMPLETE with any other chunks. 309 * 310 * IG Section 2.11.2 311 * Furthermore, we require that the receiver of an INIT chunk MUST 312 * enforce these rules by silently discarding an arriving packet 313 * with an INIT chunk that is bundled with other chunks. 314 */ 315 if (!chunk->singleton) 316 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 317 318 /* If the packet is an OOTB packet which is temporarily on the 319 * control endpoint, respond with an ABORT. 320 */ 321 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) { 322 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 323 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 324 } 325 326 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 327 * Tag. 328 */ 329 if (chunk->sctp_hdr->vtag != 0) 330 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 331 332 /* Make sure that the INIT chunk has a valid length. 333 * Normally, this would cause an ABORT with a Protocol Violation 334 * error, but since we don't have an association, we'll 335 * just discard the packet. 336 */ 337 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 338 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 339 340 /* If the INIT is coming toward a closing socket, we'll send back 341 * and ABORT. Essentially, this catches the race of INIT being 342 * backloged to the socket at the same time as the user isses close(). 343 * Since the socket and all its associations are going away, we 344 * can treat this OOTB 345 */ 346 if (sctp_sstate(ep->base.sk, CLOSING)) 347 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 348 349 /* Verify the INIT chunk before processing it. */ 350 err_chunk = NULL; 351 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 352 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 353 &err_chunk)) { 354 /* This chunk contains fatal error. It is to be discarded. 355 * Send an ABORT, with causes if there is any. 356 */ 357 if (err_chunk) { 358 packet = sctp_abort_pkt_new(ep, asoc, arg, 359 (__u8 *)(err_chunk->chunk_hdr) + 360 sizeof(sctp_chunkhdr_t), 361 ntohs(err_chunk->chunk_hdr->length) - 362 sizeof(sctp_chunkhdr_t)); 363 364 sctp_chunk_free(err_chunk); 365 366 if (packet) { 367 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 368 SCTP_PACKET(packet)); 369 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 370 return SCTP_DISPOSITION_CONSUME; 371 } else { 372 return SCTP_DISPOSITION_NOMEM; 373 } 374 } else { 375 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 376 commands); 377 } 378 } 379 380 /* Grab the INIT header. */ 381 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 382 383 /* Tag the variable length parameters. */ 384 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 385 386 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 387 if (!new_asoc) 388 goto nomem; 389 390 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 391 sctp_scope(sctp_source(chunk)), 392 GFP_ATOMIC) < 0) 393 goto nomem_init; 394 395 /* The call, sctp_process_init(), can fail on memory allocation. */ 396 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 397 (sctp_init_chunk_t *)chunk->chunk_hdr, 398 GFP_ATOMIC)) 399 goto nomem_init; 400 401 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 402 403 /* If there are errors need to be reported for unknown parameters, 404 * make sure to reserve enough room in the INIT ACK for them. 405 */ 406 len = 0; 407 if (err_chunk) 408 len = ntohs(err_chunk->chunk_hdr->length) - 409 sizeof(sctp_chunkhdr_t); 410 411 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 412 if (!repl) 413 goto nomem_init; 414 415 /* If there are errors need to be reported for unknown parameters, 416 * include them in the outgoing INIT ACK as "Unrecognized parameter" 417 * parameter. 418 */ 419 if (err_chunk) { 420 /* Get the "Unrecognized parameter" parameter(s) out of the 421 * ERROR chunk generated by sctp_verify_init(). Since the 422 * error cause code for "unknown parameter" and the 423 * "Unrecognized parameter" type is the same, we can 424 * construct the parameters in INIT ACK by copying the 425 * ERROR causes over. 426 */ 427 unk_param = (sctp_unrecognized_param_t *) 428 ((__u8 *)(err_chunk->chunk_hdr) + 429 sizeof(sctp_chunkhdr_t)); 430 /* Replace the cause code with the "Unrecognized parameter" 431 * parameter type. 432 */ 433 sctp_addto_chunk(repl, len, unk_param); 434 sctp_chunk_free(err_chunk); 435 } 436 437 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 438 439 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 440 441 /* 442 * Note: After sending out INIT ACK with the State Cookie parameter, 443 * "Z" MUST NOT allocate any resources, nor keep any states for the 444 * new association. Otherwise, "Z" will be vulnerable to resource 445 * attacks. 446 */ 447 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 448 449 return SCTP_DISPOSITION_DELETE_TCB; 450 451 nomem_init: 452 sctp_association_free(new_asoc); 453 nomem: 454 if (err_chunk) 455 sctp_chunk_free(err_chunk); 456 return SCTP_DISPOSITION_NOMEM; 457 } 458 459 /* 460 * Respond to a normal INIT ACK chunk. 461 * We are the side that is initiating the association. 462 * 463 * Section: 5.1 Normal Establishment of an Association, C 464 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 465 * timer and leave COOKIE-WAIT state. "A" shall then send the State 466 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 467 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 468 * 469 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 470 * DATA chunks, but it MUST be the first chunk in the packet and 471 * until the COOKIE ACK is returned the sender MUST NOT send any 472 * other packets to the peer. 473 * 474 * Verification Tag: 3.3.3 475 * If the value of the Initiate Tag in a received INIT ACK chunk is 476 * found to be 0, the receiver MUST treat it as an error and close the 477 * association by transmitting an ABORT. 478 * 479 * Inputs 480 * (endpoint, asoc, chunk) 481 * 482 * Outputs 483 * (asoc, reply_msg, msg_up, timers, counters) 484 * 485 * The return value is the disposition of the chunk. 486 */ 487 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 488 const struct sctp_association *asoc, 489 const sctp_subtype_t type, 490 void *arg, 491 sctp_cmd_seq_t *commands) 492 { 493 struct sctp_chunk *chunk = arg; 494 sctp_init_chunk_t *initchunk; 495 struct sctp_chunk *err_chunk; 496 struct sctp_packet *packet; 497 498 if (!sctp_vtag_verify(chunk, asoc)) 499 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 500 501 /* 6.10 Bundling 502 * An endpoint MUST NOT bundle INIT, INIT ACK or 503 * SHUTDOWN COMPLETE with any other chunks. 504 */ 505 if (!chunk->singleton) 506 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 507 508 /* Make sure that the INIT-ACK chunk has a valid length */ 509 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 510 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 511 commands); 512 /* Grab the INIT header. */ 513 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 514 515 /* Verify the INIT chunk before processing it. */ 516 err_chunk = NULL; 517 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 518 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 519 &err_chunk)) { 520 521 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 522 523 /* This chunk contains fatal error. It is to be discarded. 524 * Send an ABORT, with causes. If there are no causes, 525 * then there wasn't enough memory. Just terminate 526 * the association. 527 */ 528 if (err_chunk) { 529 packet = sctp_abort_pkt_new(ep, asoc, arg, 530 (__u8 *)(err_chunk->chunk_hdr) + 531 sizeof(sctp_chunkhdr_t), 532 ntohs(err_chunk->chunk_hdr->length) - 533 sizeof(sctp_chunkhdr_t)); 534 535 sctp_chunk_free(err_chunk); 536 537 if (packet) { 538 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 539 SCTP_PACKET(packet)); 540 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 541 error = SCTP_ERROR_INV_PARAM; 542 } 543 } 544 545 /* SCTP-AUTH, Section 6.3: 546 * It should be noted that if the receiver wants to tear 547 * down an association in an authenticated way only, the 548 * handling of malformed packets should not result in 549 * tearing down the association. 550 * 551 * This means that if we only want to abort associations 552 * in an authenticated way (i.e AUTH+ABORT), then we 553 * can't destroy this association just because the packet 554 * was malformed. 555 */ 556 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 557 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 558 559 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 560 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 561 asoc, chunk->transport); 562 } 563 564 /* Tag the variable length parameters. Note that we never 565 * convert the parameters in an INIT chunk. 566 */ 567 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 568 569 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 570 571 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 572 SCTP_PEER_INIT(initchunk)); 573 574 /* Reset init error count upon receipt of INIT-ACK. */ 575 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 576 577 /* 5.1 C) "A" shall stop the T1-init timer and leave 578 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 579 * timer, and enter the COOKIE-ECHOED state. 580 */ 581 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 582 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 583 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 584 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 585 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 586 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 587 588 /* SCTP-AUTH: genereate the assocition shared keys so that 589 * we can potentially signe the COOKIE-ECHO. 590 */ 591 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 592 593 /* 5.1 C) "A" shall then send the State Cookie received in the 594 * INIT ACK chunk in a COOKIE ECHO chunk, ... 595 */ 596 /* If there is any errors to report, send the ERROR chunk generated 597 * for unknown parameters as well. 598 */ 599 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 600 SCTP_CHUNK(err_chunk)); 601 602 return SCTP_DISPOSITION_CONSUME; 603 } 604 605 /* 606 * Respond to a normal COOKIE ECHO chunk. 607 * We are the side that is being asked for an association. 608 * 609 * Section: 5.1 Normal Establishment of an Association, D 610 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 611 * with a COOKIE ACK chunk after building a TCB and moving to 612 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 613 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 614 * chunk MUST be the first chunk in the packet. 615 * 616 * IMPLEMENTATION NOTE: An implementation may choose to send the 617 * Communication Up notification to the SCTP user upon reception 618 * of a valid COOKIE ECHO chunk. 619 * 620 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 621 * D) Rules for packet carrying a COOKIE ECHO 622 * 623 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 624 * Initial Tag received in the INIT ACK. 625 * 626 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 627 * 628 * Inputs 629 * (endpoint, asoc, chunk) 630 * 631 * Outputs 632 * (asoc, reply_msg, msg_up, timers, counters) 633 * 634 * The return value is the disposition of the chunk. 635 */ 636 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 637 const struct sctp_association *asoc, 638 const sctp_subtype_t type, void *arg, 639 sctp_cmd_seq_t *commands) 640 { 641 struct sctp_chunk *chunk = arg; 642 struct sctp_association *new_asoc; 643 sctp_init_chunk_t *peer_init; 644 struct sctp_chunk *repl; 645 struct sctp_ulpevent *ev, *ai_ev = NULL; 646 int error = 0; 647 struct sctp_chunk *err_chk_p; 648 struct sock *sk; 649 650 /* If the packet is an OOTB packet which is temporarily on the 651 * control endpoint, respond with an ABORT. 652 */ 653 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) { 654 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 655 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 656 } 657 658 /* Make sure that the COOKIE_ECHO chunk has a valid length. 659 * In this case, we check that we have enough for at least a 660 * chunk header. More detailed verification is done 661 * in sctp_unpack_cookie(). 662 */ 663 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 664 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 665 666 /* If the endpoint is not listening or if the number of associations 667 * on the TCP-style socket exceed the max backlog, respond with an 668 * ABORT. 669 */ 670 sk = ep->base.sk; 671 if (!sctp_sstate(sk, LISTENING) || 672 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 673 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 674 675 /* "Decode" the chunk. We have no optional parameters so we 676 * are in good shape. 677 */ 678 chunk->subh.cookie_hdr = 679 (struct sctp_signed_cookie *)chunk->skb->data; 680 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 681 sizeof(sctp_chunkhdr_t))) 682 goto nomem; 683 684 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 685 * "Z" will reply with a COOKIE ACK chunk after building a TCB 686 * and moving to the ESTABLISHED state. 687 */ 688 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 689 &err_chk_p); 690 691 /* FIXME: 692 * If the re-build failed, what is the proper error path 693 * from here? 694 * 695 * [We should abort the association. --piggy] 696 */ 697 if (!new_asoc) { 698 /* FIXME: Several errors are possible. A bad cookie should 699 * be silently discarded, but think about logging it too. 700 */ 701 switch (error) { 702 case -SCTP_IERROR_NOMEM: 703 goto nomem; 704 705 case -SCTP_IERROR_STALE_COOKIE: 706 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 707 err_chk_p); 708 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 709 710 case -SCTP_IERROR_BAD_SIG: 711 default: 712 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 713 } 714 } 715 716 717 /* Delay state machine commands until later. 718 * 719 * Re-build the bind address for the association is done in 720 * the sctp_unpack_cookie() already. 721 */ 722 /* This is a brand-new association, so these are not yet side 723 * effects--it is safe to run them here. 724 */ 725 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 726 727 if (!sctp_process_init(new_asoc, chunk, 728 &chunk->subh.cookie_hdr->c.peer_addr, 729 peer_init, GFP_ATOMIC)) 730 goto nomem_init; 731 732 /* SCTP-AUTH: Now that we've populate required fields in 733 * sctp_process_init, set up the assocaition shared keys as 734 * necessary so that we can potentially authenticate the ACK 735 */ 736 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 737 if (error) 738 goto nomem_init; 739 740 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 741 * is supposed to be authenticated and we have to do delayed 742 * authentication. We've just recreated the association using 743 * the information in the cookie and now it's much easier to 744 * do the authentication. 745 */ 746 if (chunk->auth_chunk) { 747 struct sctp_chunk auth; 748 sctp_ierror_t ret; 749 750 /* set-up our fake chunk so that we can process it */ 751 auth.skb = chunk->auth_chunk; 752 auth.asoc = chunk->asoc; 753 auth.sctp_hdr = chunk->sctp_hdr; 754 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 755 sizeof(sctp_chunkhdr_t)); 756 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 757 auth.transport = chunk->transport; 758 759 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth); 760 761 /* We can now safely free the auth_chunk clone */ 762 kfree_skb(chunk->auth_chunk); 763 764 if (ret != SCTP_IERROR_NO_ERROR) { 765 sctp_association_free(new_asoc); 766 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 767 } 768 } 769 770 repl = sctp_make_cookie_ack(new_asoc, chunk); 771 if (!repl) 772 goto nomem_init; 773 774 /* RFC 2960 5.1 Normal Establishment of an Association 775 * 776 * D) IMPLEMENTATION NOTE: An implementation may choose to 777 * send the Communication Up notification to the SCTP user 778 * upon reception of a valid COOKIE ECHO chunk. 779 */ 780 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 781 new_asoc->c.sinit_num_ostreams, 782 new_asoc->c.sinit_max_instreams, 783 NULL, GFP_ATOMIC); 784 if (!ev) 785 goto nomem_ev; 786 787 /* Sockets API Draft Section 5.3.1.6 788 * When a peer sends a Adaptation Layer Indication parameter , SCTP 789 * delivers this notification to inform the application that of the 790 * peers requested adaptation layer. 791 */ 792 if (new_asoc->peer.adaptation_ind) { 793 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 794 GFP_ATOMIC); 795 if (!ai_ev) 796 goto nomem_aiev; 797 } 798 799 /* Add all the state machine commands now since we've created 800 * everything. This way we don't introduce memory corruptions 801 * during side-effect processing and correclty count established 802 * associations. 803 */ 804 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 805 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 806 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 807 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 808 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 809 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 810 811 if (new_asoc->autoclose) 812 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 813 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 814 815 /* This will send the COOKIE ACK */ 816 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 817 818 /* Queue the ASSOC_CHANGE event */ 819 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 820 821 /* Send up the Adaptation Layer Indication event */ 822 if (ai_ev) 823 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 824 SCTP_ULPEVENT(ai_ev)); 825 826 return SCTP_DISPOSITION_CONSUME; 827 828 nomem_aiev: 829 sctp_ulpevent_free(ev); 830 nomem_ev: 831 sctp_chunk_free(repl); 832 nomem_init: 833 sctp_association_free(new_asoc); 834 nomem: 835 return SCTP_DISPOSITION_NOMEM; 836 } 837 838 /* 839 * Respond to a normal COOKIE ACK chunk. 840 * We are the side that is being asked for an association. 841 * 842 * RFC 2960 5.1 Normal Establishment of an Association 843 * 844 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 845 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 846 * timer. It may also notify its ULP about the successful 847 * establishment of the association with a Communication Up 848 * notification (see Section 10). 849 * 850 * Verification Tag: 851 * Inputs 852 * (endpoint, asoc, chunk) 853 * 854 * Outputs 855 * (asoc, reply_msg, msg_up, timers, counters) 856 * 857 * The return value is the disposition of the chunk. 858 */ 859 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 860 const struct sctp_association *asoc, 861 const sctp_subtype_t type, void *arg, 862 sctp_cmd_seq_t *commands) 863 { 864 struct sctp_chunk *chunk = arg; 865 struct sctp_ulpevent *ev; 866 867 if (!sctp_vtag_verify(chunk, asoc)) 868 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 869 870 /* Verify that the chunk length for the COOKIE-ACK is OK. 871 * If we don't do this, any bundled chunks may be junked. 872 */ 873 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 874 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 875 commands); 876 877 /* Reset init error count upon receipt of COOKIE-ACK, 878 * to avoid problems with the managemement of this 879 * counter in stale cookie situations when a transition back 880 * from the COOKIE-ECHOED state to the COOKIE-WAIT 881 * state is performed. 882 */ 883 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 884 885 /* RFC 2960 5.1 Normal Establishment of an Association 886 * 887 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 888 * from the COOKIE-ECHOED state to the ESTABLISHED state, 889 * stopping the T1-cookie timer. 890 */ 891 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 892 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 893 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 894 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 895 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 896 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 897 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 898 if (asoc->autoclose) 899 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 900 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 901 902 /* It may also notify its ULP about the successful 903 * establishment of the association with a Communication Up 904 * notification (see Section 10). 905 */ 906 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 907 0, asoc->c.sinit_num_ostreams, 908 asoc->c.sinit_max_instreams, 909 NULL, GFP_ATOMIC); 910 911 if (!ev) 912 goto nomem; 913 914 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 915 916 /* Sockets API Draft Section 5.3.1.6 917 * When a peer sends a Adaptation Layer Indication parameter , SCTP 918 * delivers this notification to inform the application that of the 919 * peers requested adaptation layer. 920 */ 921 if (asoc->peer.adaptation_ind) { 922 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 923 if (!ev) 924 goto nomem; 925 926 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 927 SCTP_ULPEVENT(ev)); 928 } 929 930 return SCTP_DISPOSITION_CONSUME; 931 nomem: 932 return SCTP_DISPOSITION_NOMEM; 933 } 934 935 /* Generate and sendout a heartbeat packet. */ 936 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 937 const struct sctp_association *asoc, 938 const sctp_subtype_t type, 939 void *arg, 940 sctp_cmd_seq_t *commands) 941 { 942 struct sctp_transport *transport = (struct sctp_transport *) arg; 943 struct sctp_chunk *reply; 944 945 /* Send a heartbeat to our peer. */ 946 reply = sctp_make_heartbeat(asoc, transport); 947 if (!reply) 948 return SCTP_DISPOSITION_NOMEM; 949 950 /* Set rto_pending indicating that an RTT measurement 951 * is started with this heartbeat chunk. 952 */ 953 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 954 SCTP_TRANSPORT(transport)); 955 956 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 957 return SCTP_DISPOSITION_CONSUME; 958 } 959 960 /* Generate a HEARTBEAT packet on the given transport. */ 961 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 962 const struct sctp_association *asoc, 963 const sctp_subtype_t type, 964 void *arg, 965 sctp_cmd_seq_t *commands) 966 { 967 struct sctp_transport *transport = (struct sctp_transport *) arg; 968 969 if (asoc->overall_error_count >= asoc->max_retrans) { 970 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 971 SCTP_ERROR(ETIMEDOUT)); 972 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 973 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 974 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 975 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 976 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 977 return SCTP_DISPOSITION_DELETE_TCB; 978 } 979 980 /* Section 3.3.5. 981 * The Sender-specific Heartbeat Info field should normally include 982 * information about the sender's current time when this HEARTBEAT 983 * chunk is sent and the destination transport address to which this 984 * HEARTBEAT is sent (see Section 8.3). 985 */ 986 987 if (transport->param_flags & SPP_HB_ENABLE) { 988 if (SCTP_DISPOSITION_NOMEM == 989 sctp_sf_heartbeat(ep, asoc, type, arg, 990 commands)) 991 return SCTP_DISPOSITION_NOMEM; 992 993 /* Set transport error counter and association error counter 994 * when sending heartbeat. 995 */ 996 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 997 SCTP_TRANSPORT(transport)); 998 } 999 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1000 SCTP_TRANSPORT(transport)); 1001 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1002 SCTP_TRANSPORT(transport)); 1003 1004 return SCTP_DISPOSITION_CONSUME; 1005 } 1006 1007 /* 1008 * Process an heartbeat request. 1009 * 1010 * Section: 8.3 Path Heartbeat 1011 * The receiver of the HEARTBEAT should immediately respond with a 1012 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1013 * from the received HEARTBEAT chunk. 1014 * 1015 * Verification Tag: 8.5 Verification Tag [Normal verification] 1016 * When receiving an SCTP packet, the endpoint MUST ensure that the 1017 * value in the Verification Tag field of the received SCTP packet 1018 * matches its own Tag. If the received Verification Tag value does not 1019 * match the receiver's own tag value, the receiver shall silently 1020 * discard the packet and shall not process it any further except for 1021 * those cases listed in Section 8.5.1 below. 1022 * 1023 * Inputs 1024 * (endpoint, asoc, chunk) 1025 * 1026 * Outputs 1027 * (asoc, reply_msg, msg_up, timers, counters) 1028 * 1029 * The return value is the disposition of the chunk. 1030 */ 1031 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 1032 const struct sctp_association *asoc, 1033 const sctp_subtype_t type, 1034 void *arg, 1035 sctp_cmd_seq_t *commands) 1036 { 1037 struct sctp_chunk *chunk = arg; 1038 struct sctp_chunk *reply; 1039 size_t paylen = 0; 1040 1041 if (!sctp_vtag_verify(chunk, asoc)) 1042 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1043 1044 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1045 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1046 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1047 commands); 1048 1049 /* 8.3 The receiver of the HEARTBEAT should immediately 1050 * respond with a HEARTBEAT ACK that contains the Heartbeat 1051 * Information field copied from the received HEARTBEAT chunk. 1052 */ 1053 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1054 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1055 if (!pskb_pull(chunk->skb, paylen)) 1056 goto nomem; 1057 1058 reply = sctp_make_heartbeat_ack(asoc, chunk, 1059 chunk->subh.hb_hdr, paylen); 1060 if (!reply) 1061 goto nomem; 1062 1063 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1064 return SCTP_DISPOSITION_CONSUME; 1065 1066 nomem: 1067 return SCTP_DISPOSITION_NOMEM; 1068 } 1069 1070 /* 1071 * Process the returning HEARTBEAT ACK. 1072 * 1073 * Section: 8.3 Path Heartbeat 1074 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1075 * should clear the error counter of the destination transport 1076 * address to which the HEARTBEAT was sent, and mark the destination 1077 * transport address as active if it is not so marked. The endpoint may 1078 * optionally report to the upper layer when an inactive destination 1079 * address is marked as active due to the reception of the latest 1080 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1081 * clear the association overall error count as well (as defined 1082 * in section 8.1). 1083 * 1084 * The receiver of the HEARTBEAT ACK should also perform an RTT 1085 * measurement for that destination transport address using the time 1086 * value carried in the HEARTBEAT ACK chunk. 1087 * 1088 * Verification Tag: 8.5 Verification Tag [Normal verification] 1089 * 1090 * Inputs 1091 * (endpoint, asoc, chunk) 1092 * 1093 * Outputs 1094 * (asoc, reply_msg, msg_up, timers, counters) 1095 * 1096 * The return value is the disposition of the chunk. 1097 */ 1098 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1099 const struct sctp_association *asoc, 1100 const sctp_subtype_t type, 1101 void *arg, 1102 sctp_cmd_seq_t *commands) 1103 { 1104 struct sctp_chunk *chunk = arg; 1105 union sctp_addr from_addr; 1106 struct sctp_transport *link; 1107 sctp_sender_hb_info_t *hbinfo; 1108 unsigned long max_interval; 1109 1110 if (!sctp_vtag_verify(chunk, asoc)) 1111 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1112 1113 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1114 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) + 1115 sizeof(sctp_sender_hb_info_t))) 1116 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1117 commands); 1118 1119 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1120 /* Make sure that the length of the parameter is what we expect */ 1121 if (ntohs(hbinfo->param_hdr.length) != 1122 sizeof(sctp_sender_hb_info_t)) { 1123 return SCTP_DISPOSITION_DISCARD; 1124 } 1125 1126 from_addr = hbinfo->daddr; 1127 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1128 1129 /* This should never happen, but lets log it if so. */ 1130 if (unlikely(!link)) { 1131 if (from_addr.sa.sa_family == AF_INET6) { 1132 if (net_ratelimit()) 1133 pr_warn("%s association %p could not find address %pI6\n", 1134 __func__, 1135 asoc, 1136 &from_addr.v6.sin6_addr); 1137 } else { 1138 if (net_ratelimit()) 1139 pr_warn("%s association %p could not find address %pI4\n", 1140 __func__, 1141 asoc, 1142 &from_addr.v4.sin_addr.s_addr); 1143 } 1144 return SCTP_DISPOSITION_DISCARD; 1145 } 1146 1147 /* Validate the 64-bit random nonce. */ 1148 if (hbinfo->hb_nonce != link->hb_nonce) 1149 return SCTP_DISPOSITION_DISCARD; 1150 1151 max_interval = link->hbinterval + link->rto; 1152 1153 /* Check if the timestamp looks valid. */ 1154 if (time_after(hbinfo->sent_at, jiffies) || 1155 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1156 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp " 1157 "received for transport: %p\n", 1158 __func__, link); 1159 return SCTP_DISPOSITION_DISCARD; 1160 } 1161 1162 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1163 * the HEARTBEAT should clear the error counter of the 1164 * destination transport address to which the HEARTBEAT was 1165 * sent and mark the destination transport address as active if 1166 * it is not so marked. 1167 */ 1168 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1169 1170 return SCTP_DISPOSITION_CONSUME; 1171 } 1172 1173 /* Helper function to send out an abort for the restart 1174 * condition. 1175 */ 1176 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1177 struct sctp_chunk *init, 1178 sctp_cmd_seq_t *commands) 1179 { 1180 int len; 1181 struct sctp_packet *pkt; 1182 union sctp_addr_param *addrparm; 1183 struct sctp_errhdr *errhdr; 1184 struct sctp_endpoint *ep; 1185 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1186 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1187 1188 /* Build the error on the stack. We are way to malloc crazy 1189 * throughout the code today. 1190 */ 1191 errhdr = (struct sctp_errhdr *)buffer; 1192 addrparm = (union sctp_addr_param *)errhdr->variable; 1193 1194 /* Copy into a parm format. */ 1195 len = af->to_addr_param(ssa, addrparm); 1196 len += sizeof(sctp_errhdr_t); 1197 1198 errhdr->cause = SCTP_ERROR_RESTART; 1199 errhdr->length = htons(len); 1200 1201 /* Assign to the control socket. */ 1202 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1203 1204 /* Association is NULL since this may be a restart attack and we 1205 * want to send back the attacker's vtag. 1206 */ 1207 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1208 1209 if (!pkt) 1210 goto out; 1211 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1212 1213 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1214 1215 /* Discard the rest of the inbound packet. */ 1216 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1217 1218 out: 1219 /* Even if there is no memory, treat as a failure so 1220 * the packet will get dropped. 1221 */ 1222 return 0; 1223 } 1224 1225 static bool list_has_sctp_addr(const struct list_head *list, 1226 union sctp_addr *ipaddr) 1227 { 1228 struct sctp_transport *addr; 1229 1230 list_for_each_entry(addr, list, transports) { 1231 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1232 return true; 1233 } 1234 1235 return false; 1236 } 1237 /* A restart is occurring, check to make sure no new addresses 1238 * are being added as we may be under a takeover attack. 1239 */ 1240 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1241 const struct sctp_association *asoc, 1242 struct sctp_chunk *init, 1243 sctp_cmd_seq_t *commands) 1244 { 1245 struct sctp_transport *new_addr; 1246 int ret = 1; 1247 1248 /* Implementor's Guide - Section 5.2.2 1249 * ... 1250 * Before responding the endpoint MUST check to see if the 1251 * unexpected INIT adds new addresses to the association. If new 1252 * addresses are added to the association, the endpoint MUST respond 1253 * with an ABORT.. 1254 */ 1255 1256 /* Search through all current addresses and make sure 1257 * we aren't adding any new ones. 1258 */ 1259 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1260 transports) { 1261 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1262 &new_addr->ipaddr)) { 1263 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, 1264 commands); 1265 ret = 0; 1266 break; 1267 } 1268 } 1269 1270 /* Return success if all addresses were found. */ 1271 return ret; 1272 } 1273 1274 /* Populate the verification/tie tags based on overlapping INIT 1275 * scenario. 1276 * 1277 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1278 */ 1279 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1280 const struct sctp_association *asoc) 1281 { 1282 switch (asoc->state) { 1283 1284 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1285 1286 case SCTP_STATE_COOKIE_WAIT: 1287 new_asoc->c.my_vtag = asoc->c.my_vtag; 1288 new_asoc->c.my_ttag = asoc->c.my_vtag; 1289 new_asoc->c.peer_ttag = 0; 1290 break; 1291 1292 case SCTP_STATE_COOKIE_ECHOED: 1293 new_asoc->c.my_vtag = asoc->c.my_vtag; 1294 new_asoc->c.my_ttag = asoc->c.my_vtag; 1295 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1296 break; 1297 1298 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1299 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1300 */ 1301 default: 1302 new_asoc->c.my_ttag = asoc->c.my_vtag; 1303 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1304 break; 1305 } 1306 1307 /* Other parameters for the endpoint SHOULD be copied from the 1308 * existing parameters of the association (e.g. number of 1309 * outbound streams) into the INIT ACK and cookie. 1310 */ 1311 new_asoc->rwnd = asoc->rwnd; 1312 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1313 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1314 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1315 } 1316 1317 /* 1318 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1319 * handling action. 1320 * 1321 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1322 * 1323 * Returns value representing action to be taken. These action values 1324 * correspond to Action/Description values in RFC 2960, Table 2. 1325 */ 1326 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1327 const struct sctp_association *asoc) 1328 { 1329 /* In this case, the peer may have restarted. */ 1330 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1331 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1332 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1333 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1334 return 'A'; 1335 1336 /* Collision case B. */ 1337 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1338 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1339 (0 == asoc->c.peer_vtag))) { 1340 return 'B'; 1341 } 1342 1343 /* Collision case D. */ 1344 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1345 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1346 return 'D'; 1347 1348 /* Collision case C. */ 1349 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1350 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1351 (0 == new_asoc->c.my_ttag) && 1352 (0 == new_asoc->c.peer_ttag)) 1353 return 'C'; 1354 1355 /* No match to any of the special cases; discard this packet. */ 1356 return 'E'; 1357 } 1358 1359 /* Common helper routine for both duplicate and simulataneous INIT 1360 * chunk handling. 1361 */ 1362 static sctp_disposition_t sctp_sf_do_unexpected_init( 1363 const struct sctp_endpoint *ep, 1364 const struct sctp_association *asoc, 1365 const sctp_subtype_t type, 1366 void *arg, sctp_cmd_seq_t *commands) 1367 { 1368 sctp_disposition_t retval; 1369 struct sctp_chunk *chunk = arg; 1370 struct sctp_chunk *repl; 1371 struct sctp_association *new_asoc; 1372 struct sctp_chunk *err_chunk; 1373 struct sctp_packet *packet; 1374 sctp_unrecognized_param_t *unk_param; 1375 int len; 1376 1377 /* 6.10 Bundling 1378 * An endpoint MUST NOT bundle INIT, INIT ACK or 1379 * SHUTDOWN COMPLETE with any other chunks. 1380 * 1381 * IG Section 2.11.2 1382 * Furthermore, we require that the receiver of an INIT chunk MUST 1383 * enforce these rules by silently discarding an arriving packet 1384 * with an INIT chunk that is bundled with other chunks. 1385 */ 1386 if (!chunk->singleton) 1387 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1388 1389 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1390 * Tag. 1391 */ 1392 if (chunk->sctp_hdr->vtag != 0) 1393 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1394 1395 /* Make sure that the INIT chunk has a valid length. 1396 * In this case, we generate a protocol violation since we have 1397 * an association established. 1398 */ 1399 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1400 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1401 commands); 1402 /* Grab the INIT header. */ 1403 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1404 1405 /* Tag the variable length parameters. */ 1406 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1407 1408 /* Verify the INIT chunk before processing it. */ 1409 err_chunk = NULL; 1410 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1411 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1412 &err_chunk)) { 1413 /* This chunk contains fatal error. It is to be discarded. 1414 * Send an ABORT, with causes if there is any. 1415 */ 1416 if (err_chunk) { 1417 packet = sctp_abort_pkt_new(ep, asoc, arg, 1418 (__u8 *)(err_chunk->chunk_hdr) + 1419 sizeof(sctp_chunkhdr_t), 1420 ntohs(err_chunk->chunk_hdr->length) - 1421 sizeof(sctp_chunkhdr_t)); 1422 1423 if (packet) { 1424 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1425 SCTP_PACKET(packet)); 1426 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1427 retval = SCTP_DISPOSITION_CONSUME; 1428 } else { 1429 retval = SCTP_DISPOSITION_NOMEM; 1430 } 1431 goto cleanup; 1432 } else { 1433 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1434 commands); 1435 } 1436 } 1437 1438 /* 1439 * Other parameters for the endpoint SHOULD be copied from the 1440 * existing parameters of the association (e.g. number of 1441 * outbound streams) into the INIT ACK and cookie. 1442 * FIXME: We are copying parameters from the endpoint not the 1443 * association. 1444 */ 1445 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1446 if (!new_asoc) 1447 goto nomem; 1448 1449 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1450 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1451 goto nomem; 1452 1453 /* In the outbound INIT ACK the endpoint MUST copy its current 1454 * Verification Tag and Peers Verification tag into a reserved 1455 * place (local tie-tag and per tie-tag) within the state cookie. 1456 */ 1457 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1458 (sctp_init_chunk_t *)chunk->chunk_hdr, 1459 GFP_ATOMIC)) 1460 goto nomem; 1461 1462 /* Make sure no new addresses are being added during the 1463 * restart. Do not do this check for COOKIE-WAIT state, 1464 * since there are no peer addresses to check against. 1465 * Upon return an ABORT will have been sent if needed. 1466 */ 1467 if (!sctp_state(asoc, COOKIE_WAIT)) { 1468 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1469 commands)) { 1470 retval = SCTP_DISPOSITION_CONSUME; 1471 goto nomem_retval; 1472 } 1473 } 1474 1475 sctp_tietags_populate(new_asoc, asoc); 1476 1477 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1478 1479 /* If there are errors need to be reported for unknown parameters, 1480 * make sure to reserve enough room in the INIT ACK for them. 1481 */ 1482 len = 0; 1483 if (err_chunk) { 1484 len = ntohs(err_chunk->chunk_hdr->length) - 1485 sizeof(sctp_chunkhdr_t); 1486 } 1487 1488 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1489 if (!repl) 1490 goto nomem; 1491 1492 /* If there are errors need to be reported for unknown parameters, 1493 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1494 * parameter. 1495 */ 1496 if (err_chunk) { 1497 /* Get the "Unrecognized parameter" parameter(s) out of the 1498 * ERROR chunk generated by sctp_verify_init(). Since the 1499 * error cause code for "unknown parameter" and the 1500 * "Unrecognized parameter" type is the same, we can 1501 * construct the parameters in INIT ACK by copying the 1502 * ERROR causes over. 1503 */ 1504 unk_param = (sctp_unrecognized_param_t *) 1505 ((__u8 *)(err_chunk->chunk_hdr) + 1506 sizeof(sctp_chunkhdr_t)); 1507 /* Replace the cause code with the "Unrecognized parameter" 1508 * parameter type. 1509 */ 1510 sctp_addto_chunk(repl, len, unk_param); 1511 } 1512 1513 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1514 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1515 1516 /* 1517 * Note: After sending out INIT ACK with the State Cookie parameter, 1518 * "Z" MUST NOT allocate any resources for this new association. 1519 * Otherwise, "Z" will be vulnerable to resource attacks. 1520 */ 1521 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1522 retval = SCTP_DISPOSITION_CONSUME; 1523 1524 return retval; 1525 1526 nomem: 1527 retval = SCTP_DISPOSITION_NOMEM; 1528 nomem_retval: 1529 if (new_asoc) 1530 sctp_association_free(new_asoc); 1531 cleanup: 1532 if (err_chunk) 1533 sctp_chunk_free(err_chunk); 1534 return retval; 1535 } 1536 1537 /* 1538 * Handle simultaneous INIT. 1539 * This means we started an INIT and then we got an INIT request from 1540 * our peer. 1541 * 1542 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1543 * This usually indicates an initialization collision, i.e., each 1544 * endpoint is attempting, at about the same time, to establish an 1545 * association with the other endpoint. 1546 * 1547 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1548 * endpoint MUST respond with an INIT ACK using the same parameters it 1549 * sent in its original INIT chunk (including its Verification Tag, 1550 * unchanged). These original parameters are combined with those from the 1551 * newly received INIT chunk. The endpoint shall also generate a State 1552 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1553 * INIT to calculate the State Cookie. 1554 * 1555 * After that, the endpoint MUST NOT change its state, the T1-init 1556 * timer shall be left running and the corresponding TCB MUST NOT be 1557 * destroyed. The normal procedures for handling State Cookies when 1558 * a TCB exists will resolve the duplicate INITs to a single association. 1559 * 1560 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1561 * its Tie-Tags with the Tag information of itself and its peer (see 1562 * section 5.2.2 for a description of the Tie-Tags). 1563 * 1564 * Verification Tag: Not explicit, but an INIT can not have a valid 1565 * verification tag, so we skip the check. 1566 * 1567 * Inputs 1568 * (endpoint, asoc, chunk) 1569 * 1570 * Outputs 1571 * (asoc, reply_msg, msg_up, timers, counters) 1572 * 1573 * The return value is the disposition of the chunk. 1574 */ 1575 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1576 const struct sctp_association *asoc, 1577 const sctp_subtype_t type, 1578 void *arg, 1579 sctp_cmd_seq_t *commands) 1580 { 1581 /* Call helper to do the real work for both simulataneous and 1582 * duplicate INIT chunk handling. 1583 */ 1584 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1585 } 1586 1587 /* 1588 * Handle duplicated INIT messages. These are usually delayed 1589 * restransmissions. 1590 * 1591 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1592 * COOKIE-ECHOED and COOKIE-WAIT 1593 * 1594 * Unless otherwise stated, upon reception of an unexpected INIT for 1595 * this association, the endpoint shall generate an INIT ACK with a 1596 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1597 * current Verification Tag and peer's Verification Tag into a reserved 1598 * place within the state cookie. We shall refer to these locations as 1599 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1600 * containing this INIT ACK MUST carry a Verification Tag value equal to 1601 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1602 * MUST contain a new Initiation Tag (randomly generated see Section 1603 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1604 * existing parameters of the association (e.g. number of outbound 1605 * streams) into the INIT ACK and cookie. 1606 * 1607 * After sending out the INIT ACK, the endpoint shall take no further 1608 * actions, i.e., the existing association, including its current state, 1609 * and the corresponding TCB MUST NOT be changed. 1610 * 1611 * Note: Only when a TCB exists and the association is not in a COOKIE- 1612 * WAIT state are the Tie-Tags populated. For a normal association INIT 1613 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1614 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1615 * State Cookie are populated as specified in section 5.2.1. 1616 * 1617 * Verification Tag: Not specified, but an INIT has no way of knowing 1618 * what the verification tag could be, so we ignore it. 1619 * 1620 * Inputs 1621 * (endpoint, asoc, chunk) 1622 * 1623 * Outputs 1624 * (asoc, reply_msg, msg_up, timers, counters) 1625 * 1626 * The return value is the disposition of the chunk. 1627 */ 1628 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1629 const struct sctp_association *asoc, 1630 const sctp_subtype_t type, 1631 void *arg, 1632 sctp_cmd_seq_t *commands) 1633 { 1634 /* Call helper to do the real work for both simulataneous and 1635 * duplicate INIT chunk handling. 1636 */ 1637 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1638 } 1639 1640 1641 /* 1642 * Unexpected INIT-ACK handler. 1643 * 1644 * Section 5.2.3 1645 * If an INIT ACK received by an endpoint in any state other than the 1646 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1647 * An unexpected INIT ACK usually indicates the processing of an old or 1648 * duplicated INIT chunk. 1649 */ 1650 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1651 const struct sctp_association *asoc, 1652 const sctp_subtype_t type, 1653 void *arg, sctp_cmd_seq_t *commands) 1654 { 1655 /* Per the above section, we'll discard the chunk if we have an 1656 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1657 */ 1658 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1659 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1660 else 1661 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1662 } 1663 1664 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1665 * 1666 * Section 5.2.4 1667 * A) In this case, the peer may have restarted. 1668 */ 1669 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1670 const struct sctp_association *asoc, 1671 struct sctp_chunk *chunk, 1672 sctp_cmd_seq_t *commands, 1673 struct sctp_association *new_asoc) 1674 { 1675 sctp_init_chunk_t *peer_init; 1676 struct sctp_ulpevent *ev; 1677 struct sctp_chunk *repl; 1678 struct sctp_chunk *err; 1679 sctp_disposition_t disposition; 1680 1681 /* new_asoc is a brand-new association, so these are not yet 1682 * side effects--it is safe to run them here. 1683 */ 1684 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1685 1686 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1687 GFP_ATOMIC)) 1688 goto nomem; 1689 1690 /* Make sure no new addresses are being added during the 1691 * restart. Though this is a pretty complicated attack 1692 * since you'd have to get inside the cookie. 1693 */ 1694 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1695 return SCTP_DISPOSITION_CONSUME; 1696 } 1697 1698 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1699 * the peer has restarted (Action A), it MUST NOT setup a new 1700 * association but instead resend the SHUTDOWN ACK and send an ERROR 1701 * chunk with a "Cookie Received while Shutting Down" error cause to 1702 * its peer. 1703 */ 1704 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1705 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1706 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1707 chunk, commands); 1708 if (SCTP_DISPOSITION_NOMEM == disposition) 1709 goto nomem; 1710 1711 err = sctp_make_op_error(asoc, chunk, 1712 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1713 NULL, 0, 0); 1714 if (err) 1715 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1716 SCTP_CHUNK(err)); 1717 1718 return SCTP_DISPOSITION_CONSUME; 1719 } 1720 1721 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1722 * data. Consider the optional choice of resending of this data. 1723 */ 1724 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1725 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1726 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1727 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1728 1729 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1730 * and ASCONF-ACK cache. 1731 */ 1732 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1733 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1734 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1735 1736 repl = sctp_make_cookie_ack(new_asoc, chunk); 1737 if (!repl) 1738 goto nomem; 1739 1740 /* Report association restart to upper layer. */ 1741 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1742 new_asoc->c.sinit_num_ostreams, 1743 new_asoc->c.sinit_max_instreams, 1744 NULL, GFP_ATOMIC); 1745 if (!ev) 1746 goto nomem_ev; 1747 1748 /* Update the content of current association. */ 1749 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1750 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1751 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1752 return SCTP_DISPOSITION_CONSUME; 1753 1754 nomem_ev: 1755 sctp_chunk_free(repl); 1756 nomem: 1757 return SCTP_DISPOSITION_NOMEM; 1758 } 1759 1760 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1761 * 1762 * Section 5.2.4 1763 * B) In this case, both sides may be attempting to start an association 1764 * at about the same time but the peer endpoint started its INIT 1765 * after responding to the local endpoint's INIT 1766 */ 1767 /* This case represents an initialization collision. */ 1768 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1769 const struct sctp_association *asoc, 1770 struct sctp_chunk *chunk, 1771 sctp_cmd_seq_t *commands, 1772 struct sctp_association *new_asoc) 1773 { 1774 sctp_init_chunk_t *peer_init; 1775 struct sctp_chunk *repl; 1776 1777 /* new_asoc is a brand-new association, so these are not yet 1778 * side effects--it is safe to run them here. 1779 */ 1780 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1781 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1782 GFP_ATOMIC)) 1783 goto nomem; 1784 1785 /* Update the content of current association. */ 1786 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1787 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1788 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1789 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1790 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1791 1792 repl = sctp_make_cookie_ack(new_asoc, chunk); 1793 if (!repl) 1794 goto nomem; 1795 1796 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1797 1798 /* RFC 2960 5.1 Normal Establishment of an Association 1799 * 1800 * D) IMPLEMENTATION NOTE: An implementation may choose to 1801 * send the Communication Up notification to the SCTP user 1802 * upon reception of a valid COOKIE ECHO chunk. 1803 * 1804 * Sadly, this needs to be implemented as a side-effect, because 1805 * we are not guaranteed to have set the association id of the real 1806 * association and so these notifications need to be delayed until 1807 * the association id is allocated. 1808 */ 1809 1810 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1811 1812 /* Sockets API Draft Section 5.3.1.6 1813 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1814 * delivers this notification to inform the application that of the 1815 * peers requested adaptation layer. 1816 * 1817 * This also needs to be done as a side effect for the same reason as 1818 * above. 1819 */ 1820 if (asoc->peer.adaptation_ind) 1821 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1822 1823 return SCTP_DISPOSITION_CONSUME; 1824 1825 nomem: 1826 return SCTP_DISPOSITION_NOMEM; 1827 } 1828 1829 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1830 * 1831 * Section 5.2.4 1832 * C) In this case, the local endpoint's cookie has arrived late. 1833 * Before it arrived, the local endpoint sent an INIT and received an 1834 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1835 * but a new tag of its own. 1836 */ 1837 /* This case represents an initialization collision. */ 1838 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1839 const struct sctp_association *asoc, 1840 struct sctp_chunk *chunk, 1841 sctp_cmd_seq_t *commands, 1842 struct sctp_association *new_asoc) 1843 { 1844 /* The cookie should be silently discarded. 1845 * The endpoint SHOULD NOT change states and should leave 1846 * any timers running. 1847 */ 1848 return SCTP_DISPOSITION_DISCARD; 1849 } 1850 1851 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1852 * 1853 * Section 5.2.4 1854 * 1855 * D) When both local and remote tags match the endpoint should always 1856 * enter the ESTABLISHED state, if it has not already done so. 1857 */ 1858 /* This case represents an initialization collision. */ 1859 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1860 const struct sctp_association *asoc, 1861 struct sctp_chunk *chunk, 1862 sctp_cmd_seq_t *commands, 1863 struct sctp_association *new_asoc) 1864 { 1865 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1866 struct sctp_chunk *repl; 1867 1868 /* Clarification from Implementor's Guide: 1869 * D) When both local and remote tags match the endpoint should 1870 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1871 * It should stop any cookie timer that may be running and send 1872 * a COOKIE ACK. 1873 */ 1874 1875 /* Don't accidentally move back into established state. */ 1876 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1877 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1878 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1879 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1880 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1881 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1882 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1883 SCTP_NULL()); 1884 1885 /* RFC 2960 5.1 Normal Establishment of an Association 1886 * 1887 * D) IMPLEMENTATION NOTE: An implementation may choose 1888 * to send the Communication Up notification to the 1889 * SCTP user upon reception of a valid COOKIE 1890 * ECHO chunk. 1891 */ 1892 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1893 SCTP_COMM_UP, 0, 1894 asoc->c.sinit_num_ostreams, 1895 asoc->c.sinit_max_instreams, 1896 NULL, GFP_ATOMIC); 1897 if (!ev) 1898 goto nomem; 1899 1900 /* Sockets API Draft Section 5.3.1.6 1901 * When a peer sends a Adaptation Layer Indication parameter, 1902 * SCTP delivers this notification to inform the application 1903 * that of the peers requested adaptation layer. 1904 */ 1905 if (asoc->peer.adaptation_ind) { 1906 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1907 GFP_ATOMIC); 1908 if (!ai_ev) 1909 goto nomem; 1910 1911 } 1912 } 1913 1914 repl = sctp_make_cookie_ack(new_asoc, chunk); 1915 if (!repl) 1916 goto nomem; 1917 1918 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1919 1920 if (ev) 1921 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1922 SCTP_ULPEVENT(ev)); 1923 if (ai_ev) 1924 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1925 SCTP_ULPEVENT(ai_ev)); 1926 1927 return SCTP_DISPOSITION_CONSUME; 1928 1929 nomem: 1930 if (ai_ev) 1931 sctp_ulpevent_free(ai_ev); 1932 if (ev) 1933 sctp_ulpevent_free(ev); 1934 return SCTP_DISPOSITION_NOMEM; 1935 } 1936 1937 /* 1938 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1939 * chunk was retransmitted and then delayed in the network. 1940 * 1941 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1942 * 1943 * Verification Tag: None. Do cookie validation. 1944 * 1945 * Inputs 1946 * (endpoint, asoc, chunk) 1947 * 1948 * Outputs 1949 * (asoc, reply_msg, msg_up, timers, counters) 1950 * 1951 * The return value is the disposition of the chunk. 1952 */ 1953 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1954 const struct sctp_association *asoc, 1955 const sctp_subtype_t type, 1956 void *arg, 1957 sctp_cmd_seq_t *commands) 1958 { 1959 sctp_disposition_t retval; 1960 struct sctp_chunk *chunk = arg; 1961 struct sctp_association *new_asoc; 1962 int error = 0; 1963 char action; 1964 struct sctp_chunk *err_chk_p; 1965 1966 /* Make sure that the chunk has a valid length from the protocol 1967 * perspective. In this case check to make sure we have at least 1968 * enough for the chunk header. Cookie length verification is 1969 * done later. 1970 */ 1971 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1972 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1973 commands); 1974 1975 /* "Decode" the chunk. We have no optional parameters so we 1976 * are in good shape. 1977 */ 1978 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1979 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1980 sizeof(sctp_chunkhdr_t))) 1981 goto nomem; 1982 1983 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1984 * of a duplicate COOKIE ECHO match the Verification Tags of the 1985 * current association, consider the State Cookie valid even if 1986 * the lifespan is exceeded. 1987 */ 1988 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1989 &err_chk_p); 1990 1991 /* FIXME: 1992 * If the re-build failed, what is the proper error path 1993 * from here? 1994 * 1995 * [We should abort the association. --piggy] 1996 */ 1997 if (!new_asoc) { 1998 /* FIXME: Several errors are possible. A bad cookie should 1999 * be silently discarded, but think about logging it too. 2000 */ 2001 switch (error) { 2002 case -SCTP_IERROR_NOMEM: 2003 goto nomem; 2004 2005 case -SCTP_IERROR_STALE_COOKIE: 2006 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 2007 err_chk_p); 2008 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2009 case -SCTP_IERROR_BAD_SIG: 2010 default: 2011 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2012 } 2013 } 2014 2015 /* Compare the tie_tag in cookie with the verification tag of 2016 * current association. 2017 */ 2018 action = sctp_tietags_compare(new_asoc, asoc); 2019 2020 switch (action) { 2021 case 'A': /* Association restart. */ 2022 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 2023 new_asoc); 2024 break; 2025 2026 case 'B': /* Collision case B. */ 2027 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 2028 new_asoc); 2029 break; 2030 2031 case 'C': /* Collision case C. */ 2032 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 2033 new_asoc); 2034 break; 2035 2036 case 'D': /* Collision case D. */ 2037 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 2038 new_asoc); 2039 break; 2040 2041 default: /* Discard packet for all others. */ 2042 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2043 break; 2044 } 2045 2046 /* Delete the tempory new association. */ 2047 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 2048 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2049 2050 return retval; 2051 2052 nomem: 2053 return SCTP_DISPOSITION_NOMEM; 2054 } 2055 2056 /* 2057 * Process an ABORT. (SHUTDOWN-PENDING state) 2058 * 2059 * See sctp_sf_do_9_1_abort(). 2060 */ 2061 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2062 const struct sctp_endpoint *ep, 2063 const struct sctp_association *asoc, 2064 const sctp_subtype_t type, 2065 void *arg, 2066 sctp_cmd_seq_t *commands) 2067 { 2068 struct sctp_chunk *chunk = arg; 2069 2070 if (!sctp_vtag_verify_either(chunk, asoc)) 2071 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2072 2073 /* Make sure that the ABORT chunk has a valid length. 2074 * Since this is an ABORT chunk, we have to discard it 2075 * because of the following text: 2076 * RFC 2960, Section 3.3.7 2077 * If an endpoint receives an ABORT with a format error or for an 2078 * association that doesn't exist, it MUST silently discard it. 2079 * Because the length is "invalid", we can't really discard just 2080 * as we do not know its true length. So, to be safe, discard the 2081 * packet. 2082 */ 2083 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2084 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2085 2086 /* ADD-IP: Special case for ABORT chunks 2087 * F4) One special consideration is that ABORT Chunks arriving 2088 * destined to the IP address being deleted MUST be 2089 * ignored (see Section 5.3.1 for further details). 2090 */ 2091 if (SCTP_ADDR_DEL == 2092 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2093 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2094 2095 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2096 } 2097 2098 /* 2099 * Process an ABORT. (SHUTDOWN-SENT state) 2100 * 2101 * See sctp_sf_do_9_1_abort(). 2102 */ 2103 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 2104 const struct sctp_association *asoc, 2105 const sctp_subtype_t type, 2106 void *arg, 2107 sctp_cmd_seq_t *commands) 2108 { 2109 struct sctp_chunk *chunk = arg; 2110 2111 if (!sctp_vtag_verify_either(chunk, asoc)) 2112 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2113 2114 /* Make sure that the ABORT chunk has a valid length. 2115 * Since this is an ABORT chunk, we have to discard it 2116 * because of the following text: 2117 * RFC 2960, Section 3.3.7 2118 * If an endpoint receives an ABORT with a format error or for an 2119 * association that doesn't exist, it MUST silently discard it. 2120 * Because the length is "invalid", we can't really discard just 2121 * as we do not know its true length. So, to be safe, discard the 2122 * packet. 2123 */ 2124 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2125 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2126 2127 /* ADD-IP: Special case for ABORT chunks 2128 * F4) One special consideration is that ABORT Chunks arriving 2129 * destined to the IP address being deleted MUST be 2130 * ignored (see Section 5.3.1 for further details). 2131 */ 2132 if (SCTP_ADDR_DEL == 2133 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2134 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2135 2136 /* Stop the T2-shutdown timer. */ 2137 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2138 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2139 2140 /* Stop the T5-shutdown guard timer. */ 2141 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2142 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2143 2144 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2145 } 2146 2147 /* 2148 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2149 * 2150 * See sctp_sf_do_9_1_abort(). 2151 */ 2152 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2153 const struct sctp_endpoint *ep, 2154 const struct sctp_association *asoc, 2155 const sctp_subtype_t type, 2156 void *arg, 2157 sctp_cmd_seq_t *commands) 2158 { 2159 /* The same T2 timer, so we should be able to use 2160 * common function with the SHUTDOWN-SENT state. 2161 */ 2162 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2163 } 2164 2165 /* 2166 * Handle an Error received in COOKIE_ECHOED state. 2167 * 2168 * Only handle the error type of stale COOKIE Error, the other errors will 2169 * be ignored. 2170 * 2171 * Inputs 2172 * (endpoint, asoc, chunk) 2173 * 2174 * Outputs 2175 * (asoc, reply_msg, msg_up, timers, counters) 2176 * 2177 * The return value is the disposition of the chunk. 2178 */ 2179 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2180 const struct sctp_association *asoc, 2181 const sctp_subtype_t type, 2182 void *arg, 2183 sctp_cmd_seq_t *commands) 2184 { 2185 struct sctp_chunk *chunk = arg; 2186 sctp_errhdr_t *err; 2187 2188 if (!sctp_vtag_verify(chunk, asoc)) 2189 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2190 2191 /* Make sure that the ERROR chunk has a valid length. 2192 * The parameter walking depends on this as well. 2193 */ 2194 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2195 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2196 commands); 2197 2198 /* Process the error here */ 2199 /* FUTURE FIXME: When PR-SCTP related and other optional 2200 * parms are emitted, this will have to change to handle multiple 2201 * errors. 2202 */ 2203 sctp_walk_errors(err, chunk->chunk_hdr) { 2204 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2205 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2206 arg, commands); 2207 } 2208 2209 /* It is possible to have malformed error causes, and that 2210 * will cause us to end the walk early. However, since 2211 * we are discarding the packet, there should be no adverse 2212 * affects. 2213 */ 2214 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2215 } 2216 2217 /* 2218 * Handle a Stale COOKIE Error 2219 * 2220 * Section: 5.2.6 Handle Stale COOKIE Error 2221 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2222 * one of the following three alternatives. 2223 * ... 2224 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2225 * Preservative parameter requesting an extension to the lifetime of 2226 * the State Cookie. When calculating the time extension, an 2227 * implementation SHOULD use the RTT information measured based on the 2228 * previous COOKIE ECHO / ERROR exchange, and should add no more 2229 * than 1 second beyond the measured RTT, due to long State Cookie 2230 * lifetimes making the endpoint more subject to a replay attack. 2231 * 2232 * Verification Tag: Not explicit, but safe to ignore. 2233 * 2234 * Inputs 2235 * (endpoint, asoc, chunk) 2236 * 2237 * Outputs 2238 * (asoc, reply_msg, msg_up, timers, counters) 2239 * 2240 * The return value is the disposition of the chunk. 2241 */ 2242 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2243 const struct sctp_association *asoc, 2244 const sctp_subtype_t type, 2245 void *arg, 2246 sctp_cmd_seq_t *commands) 2247 { 2248 struct sctp_chunk *chunk = arg; 2249 time_t stale; 2250 sctp_cookie_preserve_param_t bht; 2251 sctp_errhdr_t *err; 2252 struct sctp_chunk *reply; 2253 struct sctp_bind_addr *bp; 2254 int attempts = asoc->init_err_counter + 1; 2255 2256 if (attempts > asoc->max_init_attempts) { 2257 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2258 SCTP_ERROR(ETIMEDOUT)); 2259 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2260 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2261 return SCTP_DISPOSITION_DELETE_TCB; 2262 } 2263 2264 err = (sctp_errhdr_t *)(chunk->skb->data); 2265 2266 /* When calculating the time extension, an implementation 2267 * SHOULD use the RTT information measured based on the 2268 * previous COOKIE ECHO / ERROR exchange, and should add no 2269 * more than 1 second beyond the measured RTT, due to long 2270 * State Cookie lifetimes making the endpoint more subject to 2271 * a replay attack. 2272 * Measure of Staleness's unit is usec. (1/1000000 sec) 2273 * Suggested Cookie Life-span Increment's unit is msec. 2274 * (1/1000 sec) 2275 * In general, if you use the suggested cookie life, the value 2276 * found in the field of measure of staleness should be doubled 2277 * to give ample time to retransmit the new cookie and thus 2278 * yield a higher probability of success on the reattempt. 2279 */ 2280 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2281 stale = (stale * 2) / 1000; 2282 2283 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2284 bht.param_hdr.length = htons(sizeof(bht)); 2285 bht.lifespan_increment = htonl(stale); 2286 2287 /* Build that new INIT chunk. */ 2288 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2289 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2290 if (!reply) 2291 goto nomem; 2292 2293 sctp_addto_chunk(reply, sizeof(bht), &bht); 2294 2295 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2296 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2297 2298 /* Stop pending T3-rtx and heartbeat timers */ 2299 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2300 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2301 2302 /* Delete non-primary peer ip addresses since we are transitioning 2303 * back to the COOKIE-WAIT state 2304 */ 2305 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2306 2307 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2308 * resend 2309 */ 2310 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2311 SCTP_TRANSPORT(asoc->peer.primary_path)); 2312 2313 /* Cast away the const modifier, as we want to just 2314 * rerun it through as a sideffect. 2315 */ 2316 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2317 2318 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2319 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2320 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2321 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2322 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2323 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2324 2325 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2326 2327 return SCTP_DISPOSITION_CONSUME; 2328 2329 nomem: 2330 return SCTP_DISPOSITION_NOMEM; 2331 } 2332 2333 /* 2334 * Process an ABORT. 2335 * 2336 * Section: 9.1 2337 * After checking the Verification Tag, the receiving endpoint shall 2338 * remove the association from its record, and shall report the 2339 * termination to its upper layer. 2340 * 2341 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2342 * B) Rules for packet carrying ABORT: 2343 * 2344 * - The endpoint shall always fill in the Verification Tag field of the 2345 * outbound packet with the destination endpoint's tag value if it 2346 * is known. 2347 * 2348 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2349 * MUST follow the procedure described in Section 8.4. 2350 * 2351 * - The receiver MUST accept the packet if the Verification Tag 2352 * matches either its own tag, OR the tag of its peer. Otherwise, the 2353 * receiver MUST silently discard the packet and take no further 2354 * action. 2355 * 2356 * Inputs 2357 * (endpoint, asoc, chunk) 2358 * 2359 * Outputs 2360 * (asoc, reply_msg, msg_up, timers, counters) 2361 * 2362 * The return value is the disposition of the chunk. 2363 */ 2364 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2365 const struct sctp_association *asoc, 2366 const sctp_subtype_t type, 2367 void *arg, 2368 sctp_cmd_seq_t *commands) 2369 { 2370 struct sctp_chunk *chunk = arg; 2371 2372 if (!sctp_vtag_verify_either(chunk, asoc)) 2373 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2374 2375 /* Make sure that the ABORT chunk has a valid length. 2376 * Since this is an ABORT chunk, we have to discard it 2377 * because of the following text: 2378 * RFC 2960, Section 3.3.7 2379 * If an endpoint receives an ABORT with a format error or for an 2380 * association that doesn't exist, it MUST silently discard it. 2381 * Because the length is "invalid", we can't really discard just 2382 * as we do not know its true length. So, to be safe, discard the 2383 * packet. 2384 */ 2385 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2386 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2387 2388 /* ADD-IP: Special case for ABORT chunks 2389 * F4) One special consideration is that ABORT Chunks arriving 2390 * destined to the IP address being deleted MUST be 2391 * ignored (see Section 5.3.1 for further details). 2392 */ 2393 if (SCTP_ADDR_DEL == 2394 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2395 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2396 2397 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2398 } 2399 2400 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2401 const struct sctp_association *asoc, 2402 const sctp_subtype_t type, 2403 void *arg, 2404 sctp_cmd_seq_t *commands) 2405 { 2406 struct sctp_chunk *chunk = arg; 2407 unsigned len; 2408 __be16 error = SCTP_ERROR_NO_ERROR; 2409 2410 /* See if we have an error cause code in the chunk. */ 2411 len = ntohs(chunk->chunk_hdr->length); 2412 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { 2413 2414 sctp_errhdr_t *err; 2415 sctp_walk_errors(err, chunk->chunk_hdr); 2416 if ((void *)err != (void *)chunk->chunk_end) 2417 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2418 2419 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2420 } 2421 2422 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2423 /* ASSOC_FAILED will DELETE_TCB. */ 2424 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2425 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2426 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2427 2428 return SCTP_DISPOSITION_ABORT; 2429 } 2430 2431 /* 2432 * Process an ABORT. (COOKIE-WAIT state) 2433 * 2434 * See sctp_sf_do_9_1_abort() above. 2435 */ 2436 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2437 const struct sctp_association *asoc, 2438 const sctp_subtype_t type, 2439 void *arg, 2440 sctp_cmd_seq_t *commands) 2441 { 2442 struct sctp_chunk *chunk = arg; 2443 unsigned len; 2444 __be16 error = SCTP_ERROR_NO_ERROR; 2445 2446 if (!sctp_vtag_verify_either(chunk, asoc)) 2447 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2448 2449 /* Make sure that the ABORT chunk has a valid length. 2450 * Since this is an ABORT chunk, we have to discard it 2451 * because of the following text: 2452 * RFC 2960, Section 3.3.7 2453 * If an endpoint receives an ABORT with a format error or for an 2454 * association that doesn't exist, it MUST silently discard it. 2455 * Because the length is "invalid", we can't really discard just 2456 * as we do not know its true length. So, to be safe, discard the 2457 * packet. 2458 */ 2459 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2460 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2461 2462 /* See if we have an error cause code in the chunk. */ 2463 len = ntohs(chunk->chunk_hdr->length); 2464 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2465 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2466 2467 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2468 chunk->transport); 2469 } 2470 2471 /* 2472 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2473 */ 2474 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2475 const struct sctp_association *asoc, 2476 const sctp_subtype_t type, 2477 void *arg, 2478 sctp_cmd_seq_t *commands) 2479 { 2480 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2481 ENOPROTOOPT, asoc, 2482 (struct sctp_transport *)arg); 2483 } 2484 2485 /* 2486 * Process an ABORT. (COOKIE-ECHOED state) 2487 */ 2488 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2489 const struct sctp_association *asoc, 2490 const sctp_subtype_t type, 2491 void *arg, 2492 sctp_cmd_seq_t *commands) 2493 { 2494 /* There is a single T1 timer, so we should be able to use 2495 * common function with the COOKIE-WAIT state. 2496 */ 2497 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2498 } 2499 2500 /* 2501 * Stop T1 timer and abort association with "INIT failed". 2502 * 2503 * This is common code called by several sctp_sf_*_abort() functions above. 2504 */ 2505 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2506 __be16 error, int sk_err, 2507 const struct sctp_association *asoc, 2508 struct sctp_transport *transport) 2509 { 2510 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2511 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2512 SCTP_STATE(SCTP_STATE_CLOSED)); 2513 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2514 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2515 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2516 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2517 /* CMD_INIT_FAILED will DELETE_TCB. */ 2518 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2519 SCTP_PERR(error)); 2520 return SCTP_DISPOSITION_ABORT; 2521 } 2522 2523 /* 2524 * sctp_sf_do_9_2_shut 2525 * 2526 * Section: 9.2 2527 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2528 * - enter the SHUTDOWN-RECEIVED state, 2529 * 2530 * - stop accepting new data from its SCTP user 2531 * 2532 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2533 * that all its outstanding DATA chunks have been received by the 2534 * SHUTDOWN sender. 2535 * 2536 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2537 * send a SHUTDOWN in response to a ULP request. And should discard 2538 * subsequent SHUTDOWN chunks. 2539 * 2540 * If there are still outstanding DATA chunks left, the SHUTDOWN 2541 * receiver shall continue to follow normal data transmission 2542 * procedures defined in Section 6 until all outstanding DATA chunks 2543 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2544 * new data from its SCTP user. 2545 * 2546 * Verification Tag: 8.5 Verification Tag [Normal verification] 2547 * 2548 * Inputs 2549 * (endpoint, asoc, chunk) 2550 * 2551 * Outputs 2552 * (asoc, reply_msg, msg_up, timers, counters) 2553 * 2554 * The return value is the disposition of the chunk. 2555 */ 2556 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2557 const struct sctp_association *asoc, 2558 const sctp_subtype_t type, 2559 void *arg, 2560 sctp_cmd_seq_t *commands) 2561 { 2562 struct sctp_chunk *chunk = arg; 2563 sctp_shutdownhdr_t *sdh; 2564 sctp_disposition_t disposition; 2565 struct sctp_ulpevent *ev; 2566 __u32 ctsn; 2567 2568 if (!sctp_vtag_verify(chunk, asoc)) 2569 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2570 2571 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2572 if (!sctp_chunk_length_valid(chunk, 2573 sizeof(struct sctp_shutdown_chunk_t))) 2574 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2575 commands); 2576 2577 /* Convert the elaborate header. */ 2578 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2579 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2580 chunk->subh.shutdown_hdr = sdh; 2581 ctsn = ntohl(sdh->cum_tsn_ack); 2582 2583 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2584 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2585 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2586 return SCTP_DISPOSITION_DISCARD; 2587 } 2588 2589 /* If Cumulative TSN Ack beyond the max tsn currently 2590 * send, terminating the association and respond to the 2591 * sender with an ABORT. 2592 */ 2593 if (!TSN_lt(ctsn, asoc->next_tsn)) 2594 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 2595 2596 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2597 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2598 * inform the application that it should cease sending data. 2599 */ 2600 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2601 if (!ev) { 2602 disposition = SCTP_DISPOSITION_NOMEM; 2603 goto out; 2604 } 2605 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2606 2607 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2608 * - enter the SHUTDOWN-RECEIVED state, 2609 * - stop accepting new data from its SCTP user 2610 * 2611 * [This is implicit in the new state.] 2612 */ 2613 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2614 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2615 disposition = SCTP_DISPOSITION_CONSUME; 2616 2617 if (sctp_outq_is_empty(&asoc->outqueue)) { 2618 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2619 arg, commands); 2620 } 2621 2622 if (SCTP_DISPOSITION_NOMEM == disposition) 2623 goto out; 2624 2625 /* - verify, by checking the Cumulative TSN Ack field of the 2626 * chunk, that all its outstanding DATA chunks have been 2627 * received by the SHUTDOWN sender. 2628 */ 2629 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2630 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2631 2632 out: 2633 return disposition; 2634 } 2635 2636 /* 2637 * sctp_sf_do_9_2_shut_ctsn 2638 * 2639 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2640 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2641 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2642 * MUST be processed. 2643 */ 2644 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep, 2645 const struct sctp_association *asoc, 2646 const sctp_subtype_t type, 2647 void *arg, 2648 sctp_cmd_seq_t *commands) 2649 { 2650 struct sctp_chunk *chunk = arg; 2651 sctp_shutdownhdr_t *sdh; 2652 __u32 ctsn; 2653 2654 if (!sctp_vtag_verify(chunk, asoc)) 2655 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2656 2657 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2658 if (!sctp_chunk_length_valid(chunk, 2659 sizeof(struct sctp_shutdown_chunk_t))) 2660 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2661 commands); 2662 2663 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2664 ctsn = ntohl(sdh->cum_tsn_ack); 2665 2666 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2667 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2668 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2669 return SCTP_DISPOSITION_DISCARD; 2670 } 2671 2672 /* If Cumulative TSN Ack beyond the max tsn currently 2673 * send, terminating the association and respond to the 2674 * sender with an ABORT. 2675 */ 2676 if (!TSN_lt(ctsn, asoc->next_tsn)) 2677 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 2678 2679 /* verify, by checking the Cumulative TSN Ack field of the 2680 * chunk, that all its outstanding DATA chunks have been 2681 * received by the SHUTDOWN sender. 2682 */ 2683 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2684 SCTP_BE32(sdh->cum_tsn_ack)); 2685 2686 return SCTP_DISPOSITION_CONSUME; 2687 } 2688 2689 /* RFC 2960 9.2 2690 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2691 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2692 * transport addresses (either in the IP addresses or in the INIT chunk) 2693 * that belong to this association, it should discard the INIT chunk and 2694 * retransmit the SHUTDOWN ACK chunk. 2695 */ 2696 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2697 const struct sctp_association *asoc, 2698 const sctp_subtype_t type, 2699 void *arg, 2700 sctp_cmd_seq_t *commands) 2701 { 2702 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2703 struct sctp_chunk *reply; 2704 2705 /* Make sure that the chunk has a valid length */ 2706 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2707 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2708 commands); 2709 2710 /* Since we are not going to really process this INIT, there 2711 * is no point in verifying chunk boundries. Just generate 2712 * the SHUTDOWN ACK. 2713 */ 2714 reply = sctp_make_shutdown_ack(asoc, chunk); 2715 if (NULL == reply) 2716 goto nomem; 2717 2718 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2719 * the T2-SHUTDOWN timer. 2720 */ 2721 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2722 2723 /* and restart the T2-shutdown timer. */ 2724 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2725 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2726 2727 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2728 2729 return SCTP_DISPOSITION_CONSUME; 2730 nomem: 2731 return SCTP_DISPOSITION_NOMEM; 2732 } 2733 2734 /* 2735 * sctp_sf_do_ecn_cwr 2736 * 2737 * Section: Appendix A: Explicit Congestion Notification 2738 * 2739 * CWR: 2740 * 2741 * RFC 2481 details a specific bit for a sender to send in the header of 2742 * its next outbound TCP segment to indicate to its peer that it has 2743 * reduced its congestion window. This is termed the CWR bit. For 2744 * SCTP the same indication is made by including the CWR chunk. 2745 * This chunk contains one data element, i.e. the TSN number that 2746 * was sent in the ECNE chunk. This element represents the lowest 2747 * TSN number in the datagram that was originally marked with the 2748 * CE bit. 2749 * 2750 * Verification Tag: 8.5 Verification Tag [Normal verification] 2751 * Inputs 2752 * (endpoint, asoc, chunk) 2753 * 2754 * Outputs 2755 * (asoc, reply_msg, msg_up, timers, counters) 2756 * 2757 * The return value is the disposition of the chunk. 2758 */ 2759 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2760 const struct sctp_association *asoc, 2761 const sctp_subtype_t type, 2762 void *arg, 2763 sctp_cmd_seq_t *commands) 2764 { 2765 sctp_cwrhdr_t *cwr; 2766 struct sctp_chunk *chunk = arg; 2767 u32 lowest_tsn; 2768 2769 if (!sctp_vtag_verify(chunk, asoc)) 2770 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2771 2772 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2773 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2774 commands); 2775 2776 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2777 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2778 2779 lowest_tsn = ntohl(cwr->lowest_tsn); 2780 2781 /* Does this CWR ack the last sent congestion notification? */ 2782 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2783 /* Stop sending ECNE. */ 2784 sctp_add_cmd_sf(commands, 2785 SCTP_CMD_ECN_CWR, 2786 SCTP_U32(lowest_tsn)); 2787 } 2788 return SCTP_DISPOSITION_CONSUME; 2789 } 2790 2791 /* 2792 * sctp_sf_do_ecne 2793 * 2794 * Section: Appendix A: Explicit Congestion Notification 2795 * 2796 * ECN-Echo 2797 * 2798 * RFC 2481 details a specific bit for a receiver to send back in its 2799 * TCP acknowledgements to notify the sender of the Congestion 2800 * Experienced (CE) bit having arrived from the network. For SCTP this 2801 * same indication is made by including the ECNE chunk. This chunk 2802 * contains one data element, i.e. the lowest TSN associated with the IP 2803 * datagram marked with the CE bit..... 2804 * 2805 * Verification Tag: 8.5 Verification Tag [Normal verification] 2806 * Inputs 2807 * (endpoint, asoc, chunk) 2808 * 2809 * Outputs 2810 * (asoc, reply_msg, msg_up, timers, counters) 2811 * 2812 * The return value is the disposition of the chunk. 2813 */ 2814 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2815 const struct sctp_association *asoc, 2816 const sctp_subtype_t type, 2817 void *arg, 2818 sctp_cmd_seq_t *commands) 2819 { 2820 sctp_ecnehdr_t *ecne; 2821 struct sctp_chunk *chunk = arg; 2822 2823 if (!sctp_vtag_verify(chunk, asoc)) 2824 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2825 2826 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2827 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2828 commands); 2829 2830 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2831 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2832 2833 /* If this is a newer ECNE than the last CWR packet we sent out */ 2834 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2835 SCTP_U32(ntohl(ecne->lowest_tsn))); 2836 2837 return SCTP_DISPOSITION_CONSUME; 2838 } 2839 2840 /* 2841 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2842 * 2843 * The SCTP endpoint MUST always acknowledge the reception of each valid 2844 * DATA chunk. 2845 * 2846 * The guidelines on delayed acknowledgement algorithm specified in 2847 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2848 * acknowledgement SHOULD be generated for at least every second packet 2849 * (not every second DATA chunk) received, and SHOULD be generated within 2850 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2851 * situations it may be beneficial for an SCTP transmitter to be more 2852 * conservative than the algorithms detailed in this document allow. 2853 * However, an SCTP transmitter MUST NOT be more aggressive than the 2854 * following algorithms allow. 2855 * 2856 * A SCTP receiver MUST NOT generate more than one SACK for every 2857 * incoming packet, other than to update the offered window as the 2858 * receiving application consumes new data. 2859 * 2860 * Verification Tag: 8.5 Verification Tag [Normal verification] 2861 * 2862 * Inputs 2863 * (endpoint, asoc, chunk) 2864 * 2865 * Outputs 2866 * (asoc, reply_msg, msg_up, timers, counters) 2867 * 2868 * The return value is the disposition of the chunk. 2869 */ 2870 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2871 const struct sctp_association *asoc, 2872 const sctp_subtype_t type, 2873 void *arg, 2874 sctp_cmd_seq_t *commands) 2875 { 2876 struct sctp_chunk *chunk = arg; 2877 sctp_arg_t force = SCTP_NOFORCE(); 2878 int error; 2879 2880 if (!sctp_vtag_verify(chunk, asoc)) { 2881 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2882 SCTP_NULL()); 2883 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2884 } 2885 2886 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2887 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2888 commands); 2889 2890 error = sctp_eat_data(asoc, chunk, commands ); 2891 switch (error) { 2892 case SCTP_IERROR_NO_ERROR: 2893 break; 2894 case SCTP_IERROR_HIGH_TSN: 2895 case SCTP_IERROR_BAD_STREAM: 2896 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2897 goto discard_noforce; 2898 case SCTP_IERROR_DUP_TSN: 2899 case SCTP_IERROR_IGNORE_TSN: 2900 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2901 goto discard_force; 2902 case SCTP_IERROR_NO_DATA: 2903 goto consume; 2904 case SCTP_IERROR_PROTO_VIOLATION: 2905 return sctp_sf_abort_violation(ep, asoc, chunk, commands, 2906 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 2907 default: 2908 BUG(); 2909 } 2910 2911 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 2912 force = SCTP_FORCE(); 2913 2914 if (asoc->autoclose) { 2915 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2916 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2917 } 2918 2919 /* If this is the last chunk in a packet, we need to count it 2920 * toward sack generation. Note that we need to SACK every 2921 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2922 * THEM. We elect to NOT generate SACK's if the chunk fails 2923 * the verification tag test. 2924 * 2925 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2926 * 2927 * The SCTP endpoint MUST always acknowledge the reception of 2928 * each valid DATA chunk. 2929 * 2930 * The guidelines on delayed acknowledgement algorithm 2931 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2932 * Specifically, an acknowledgement SHOULD be generated for at 2933 * least every second packet (not every second DATA chunk) 2934 * received, and SHOULD be generated within 200 ms of the 2935 * arrival of any unacknowledged DATA chunk. In some 2936 * situations it may be beneficial for an SCTP transmitter to 2937 * be more conservative than the algorithms detailed in this 2938 * document allow. However, an SCTP transmitter MUST NOT be 2939 * more aggressive than the following algorithms allow. 2940 */ 2941 if (chunk->end_of_packet) 2942 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 2943 2944 return SCTP_DISPOSITION_CONSUME; 2945 2946 discard_force: 2947 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2948 * 2949 * When a packet arrives with duplicate DATA chunk(s) and with 2950 * no new DATA chunk(s), the endpoint MUST immediately send a 2951 * SACK with no delay. If a packet arrives with duplicate 2952 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2953 * MAY immediately send a SACK. Normally receipt of duplicate 2954 * DATA chunks will occur when the original SACK chunk was lost 2955 * and the peer's RTO has expired. The duplicate TSN number(s) 2956 * SHOULD be reported in the SACK as duplicate. 2957 */ 2958 /* In our case, we split the MAY SACK advice up whether or not 2959 * the last chunk is a duplicate.' 2960 */ 2961 if (chunk->end_of_packet) 2962 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2963 return SCTP_DISPOSITION_DISCARD; 2964 2965 discard_noforce: 2966 if (chunk->end_of_packet) 2967 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 2968 2969 return SCTP_DISPOSITION_DISCARD; 2970 consume: 2971 return SCTP_DISPOSITION_CONSUME; 2972 2973 } 2974 2975 /* 2976 * sctp_sf_eat_data_fast_4_4 2977 * 2978 * Section: 4 (4) 2979 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2980 * DATA chunks without delay. 2981 * 2982 * Verification Tag: 8.5 Verification Tag [Normal verification] 2983 * Inputs 2984 * (endpoint, asoc, chunk) 2985 * 2986 * Outputs 2987 * (asoc, reply_msg, msg_up, timers, counters) 2988 * 2989 * The return value is the disposition of the chunk. 2990 */ 2991 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2992 const struct sctp_association *asoc, 2993 const sctp_subtype_t type, 2994 void *arg, 2995 sctp_cmd_seq_t *commands) 2996 { 2997 struct sctp_chunk *chunk = arg; 2998 int error; 2999 3000 if (!sctp_vtag_verify(chunk, asoc)) { 3001 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3002 SCTP_NULL()); 3003 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3004 } 3005 3006 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 3007 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3008 commands); 3009 3010 error = sctp_eat_data(asoc, chunk, commands ); 3011 switch (error) { 3012 case SCTP_IERROR_NO_ERROR: 3013 case SCTP_IERROR_HIGH_TSN: 3014 case SCTP_IERROR_DUP_TSN: 3015 case SCTP_IERROR_IGNORE_TSN: 3016 case SCTP_IERROR_BAD_STREAM: 3017 break; 3018 case SCTP_IERROR_NO_DATA: 3019 goto consume; 3020 case SCTP_IERROR_PROTO_VIOLATION: 3021 return sctp_sf_abort_violation(ep, asoc, chunk, commands, 3022 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 3023 default: 3024 BUG(); 3025 } 3026 3027 /* Go a head and force a SACK, since we are shutting down. */ 3028 3029 /* Implementor's Guide. 3030 * 3031 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3032 * respond to each received packet containing one or more DATA chunk(s) 3033 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3034 */ 3035 if (chunk->end_of_packet) { 3036 /* We must delay the chunk creation since the cumulative 3037 * TSN has not been updated yet. 3038 */ 3039 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3040 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3041 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3042 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3043 } 3044 3045 consume: 3046 return SCTP_DISPOSITION_CONSUME; 3047 } 3048 3049 /* 3050 * Section: 6.2 Processing a Received SACK 3051 * D) Any time a SACK arrives, the endpoint performs the following: 3052 * 3053 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3054 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3055 * increasing, a SACK whose Cumulative TSN Ack is less than the 3056 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3057 * 3058 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3059 * of bytes still outstanding after processing the Cumulative TSN Ack 3060 * and the Gap Ack Blocks. 3061 * 3062 * iii) If the SACK is missing a TSN that was previously 3063 * acknowledged via a Gap Ack Block (e.g., the data receiver 3064 * reneged on the data), then mark the corresponding DATA chunk 3065 * as available for retransmit: Mark it as missing for fast 3066 * retransmit as described in Section 7.2.4 and if no retransmit 3067 * timer is running for the destination address to which the DATA 3068 * chunk was originally transmitted, then T3-rtx is started for 3069 * that destination address. 3070 * 3071 * Verification Tag: 8.5 Verification Tag [Normal verification] 3072 * 3073 * Inputs 3074 * (endpoint, asoc, chunk) 3075 * 3076 * Outputs 3077 * (asoc, reply_msg, msg_up, timers, counters) 3078 * 3079 * The return value is the disposition of the chunk. 3080 */ 3081 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 3082 const struct sctp_association *asoc, 3083 const sctp_subtype_t type, 3084 void *arg, 3085 sctp_cmd_seq_t *commands) 3086 { 3087 struct sctp_chunk *chunk = arg; 3088 sctp_sackhdr_t *sackh; 3089 __u32 ctsn; 3090 3091 if (!sctp_vtag_verify(chunk, asoc)) 3092 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3093 3094 /* Make sure that the SACK chunk has a valid length. */ 3095 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 3096 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3097 commands); 3098 3099 /* Pull the SACK chunk from the data buffer */ 3100 sackh = sctp_sm_pull_sack(chunk); 3101 /* Was this a bogus SACK? */ 3102 if (!sackh) 3103 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3104 chunk->subh.sack_hdr = sackh; 3105 ctsn = ntohl(sackh->cum_tsn_ack); 3106 3107 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3108 * Ack Point, then drop the SACK. Since Cumulative TSN 3109 * Ack is monotonically increasing, a SACK whose 3110 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3111 * Point indicates an out-of-order SACK. 3112 */ 3113 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3114 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 3115 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 3116 return SCTP_DISPOSITION_DISCARD; 3117 } 3118 3119 /* If Cumulative TSN Ack beyond the max tsn currently 3120 * send, terminating the association and respond to the 3121 * sender with an ABORT. 3122 */ 3123 if (!TSN_lt(ctsn, asoc->next_tsn)) 3124 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 3125 3126 /* Return this SACK for further processing. */ 3127 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 3128 3129 /* Note: We do the rest of the work on the PROCESS_SACK 3130 * sideeffect. 3131 */ 3132 return SCTP_DISPOSITION_CONSUME; 3133 } 3134 3135 /* 3136 * Generate an ABORT in response to a packet. 3137 * 3138 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3139 * 3140 * 8) The receiver should respond to the sender of the OOTB packet with 3141 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3142 * MUST fill in the Verification Tag field of the outbound packet 3143 * with the value found in the Verification Tag field of the OOTB 3144 * packet and set the T-bit in the Chunk Flags to indicate that the 3145 * Verification Tag is reflected. After sending this ABORT, the 3146 * receiver of the OOTB packet shall discard the OOTB packet and take 3147 * no further action. 3148 * 3149 * Verification Tag: 3150 * 3151 * The return value is the disposition of the chunk. 3152 */ 3153 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 3154 const struct sctp_association *asoc, 3155 const sctp_subtype_t type, 3156 void *arg, 3157 sctp_cmd_seq_t *commands) 3158 { 3159 struct sctp_packet *packet = NULL; 3160 struct sctp_chunk *chunk = arg; 3161 struct sctp_chunk *abort; 3162 3163 packet = sctp_ootb_pkt_new(asoc, chunk); 3164 3165 if (packet) { 3166 /* Make an ABORT. The T bit will be set if the asoc 3167 * is NULL. 3168 */ 3169 abort = sctp_make_abort(asoc, chunk, 0); 3170 if (!abort) { 3171 sctp_ootb_pkt_free(packet); 3172 return SCTP_DISPOSITION_NOMEM; 3173 } 3174 3175 /* Reflect vtag if T-Bit is set */ 3176 if (sctp_test_T_bit(abort)) 3177 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3178 3179 /* Set the skb to the belonging sock for accounting. */ 3180 abort->skb->sk = ep->base.sk; 3181 3182 sctp_packet_append_chunk(packet, abort); 3183 3184 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3185 SCTP_PACKET(packet)); 3186 3187 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3188 3189 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3190 return SCTP_DISPOSITION_CONSUME; 3191 } 3192 3193 return SCTP_DISPOSITION_NOMEM; 3194 } 3195 3196 /* 3197 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3198 * event as ULP notification for each cause included in the chunk. 3199 * 3200 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3201 * 3202 * The return value is the disposition of the chunk. 3203 */ 3204 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 3205 const struct sctp_association *asoc, 3206 const sctp_subtype_t type, 3207 void *arg, 3208 sctp_cmd_seq_t *commands) 3209 { 3210 struct sctp_chunk *chunk = arg; 3211 sctp_errhdr_t *err; 3212 3213 if (!sctp_vtag_verify(chunk, asoc)) 3214 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3215 3216 /* Make sure that the ERROR chunk has a valid length. */ 3217 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3218 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3219 commands); 3220 sctp_walk_errors(err, chunk->chunk_hdr); 3221 if ((void *)err != (void *)chunk->chunk_end) 3222 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3223 (void *)err, commands); 3224 3225 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3226 SCTP_CHUNK(chunk)); 3227 3228 return SCTP_DISPOSITION_CONSUME; 3229 } 3230 3231 /* 3232 * Process an inbound SHUTDOWN ACK. 3233 * 3234 * From Section 9.2: 3235 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3236 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3237 * peer, and remove all record of the association. 3238 * 3239 * The return value is the disposition. 3240 */ 3241 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3242 const struct sctp_association *asoc, 3243 const sctp_subtype_t type, 3244 void *arg, 3245 sctp_cmd_seq_t *commands) 3246 { 3247 struct sctp_chunk *chunk = arg; 3248 struct sctp_chunk *reply; 3249 struct sctp_ulpevent *ev; 3250 3251 if (!sctp_vtag_verify(chunk, asoc)) 3252 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3253 3254 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3255 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3256 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3257 commands); 3258 /* 10.2 H) SHUTDOWN COMPLETE notification 3259 * 3260 * When SCTP completes the shutdown procedures (section 9.2) this 3261 * notification is passed to the upper layer. 3262 */ 3263 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3264 0, 0, 0, NULL, GFP_ATOMIC); 3265 if (!ev) 3266 goto nomem; 3267 3268 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3269 reply = sctp_make_shutdown_complete(asoc, chunk); 3270 if (!reply) 3271 goto nomem_chunk; 3272 3273 /* Do all the commands now (after allocation), so that we 3274 * have consistent state if memory allocation failes 3275 */ 3276 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3277 3278 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3279 * stop the T2-shutdown timer, 3280 */ 3281 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3282 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3283 3284 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3285 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3286 3287 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3288 SCTP_STATE(SCTP_STATE_CLOSED)); 3289 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3290 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3291 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3292 3293 /* ...and remove all record of the association. */ 3294 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3295 return SCTP_DISPOSITION_DELETE_TCB; 3296 3297 nomem_chunk: 3298 sctp_ulpevent_free(ev); 3299 nomem: 3300 return SCTP_DISPOSITION_NOMEM; 3301 } 3302 3303 /* 3304 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3305 * 3306 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3307 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3308 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3309 * packet must fill in the Verification Tag field of the outbound 3310 * packet with the Verification Tag received in the SHUTDOWN ACK and 3311 * set the T-bit in the Chunk Flags to indicate that the Verification 3312 * Tag is reflected. 3313 * 3314 * 8) The receiver should respond to the sender of the OOTB packet with 3315 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3316 * MUST fill in the Verification Tag field of the outbound packet 3317 * with the value found in the Verification Tag field of the OOTB 3318 * packet and set the T-bit in the Chunk Flags to indicate that the 3319 * Verification Tag is reflected. After sending this ABORT, the 3320 * receiver of the OOTB packet shall discard the OOTB packet and take 3321 * no further action. 3322 */ 3323 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3324 const struct sctp_association *asoc, 3325 const sctp_subtype_t type, 3326 void *arg, 3327 sctp_cmd_seq_t *commands) 3328 { 3329 struct sctp_chunk *chunk = arg; 3330 struct sk_buff *skb = chunk->skb; 3331 sctp_chunkhdr_t *ch; 3332 sctp_errhdr_t *err; 3333 __u8 *ch_end; 3334 int ootb_shut_ack = 0; 3335 int ootb_cookie_ack = 0; 3336 3337 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3338 3339 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3340 do { 3341 /* Report violation if the chunk is less then minimal */ 3342 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3343 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3344 commands); 3345 3346 /* Now that we know we at least have a chunk header, 3347 * do things that are type appropriate. 3348 */ 3349 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3350 ootb_shut_ack = 1; 3351 3352 /* RFC 2960, Section 3.3.7 3353 * Moreover, under any circumstances, an endpoint that 3354 * receives an ABORT MUST NOT respond to that ABORT by 3355 * sending an ABORT of its own. 3356 */ 3357 if (SCTP_CID_ABORT == ch->type) 3358 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3359 3360 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3361 * or a COOKIE ACK the SCTP Packet should be silently 3362 * discarded. 3363 */ 3364 3365 if (SCTP_CID_COOKIE_ACK == ch->type) 3366 ootb_cookie_ack = 1; 3367 3368 if (SCTP_CID_ERROR == ch->type) { 3369 sctp_walk_errors(err, ch) { 3370 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3371 ootb_cookie_ack = 1; 3372 break; 3373 } 3374 } 3375 } 3376 3377 /* Report violation if chunk len overflows */ 3378 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3379 if (ch_end > skb_tail_pointer(skb)) 3380 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3381 commands); 3382 3383 ch = (sctp_chunkhdr_t *) ch_end; 3384 } while (ch_end < skb_tail_pointer(skb)); 3385 3386 if (ootb_shut_ack) 3387 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3388 else if (ootb_cookie_ack) 3389 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3390 else 3391 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3392 } 3393 3394 /* 3395 * Handle an "Out of the blue" SHUTDOWN ACK. 3396 * 3397 * Section: 8.4 5, sctpimpguide 2.41. 3398 * 3399 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3400 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3401 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3402 * packet must fill in the Verification Tag field of the outbound 3403 * packet with the Verification Tag received in the SHUTDOWN ACK and 3404 * set the T-bit in the Chunk Flags to indicate that the Verification 3405 * Tag is reflected. 3406 * 3407 * Inputs 3408 * (endpoint, asoc, type, arg, commands) 3409 * 3410 * Outputs 3411 * (sctp_disposition_t) 3412 * 3413 * The return value is the disposition of the chunk. 3414 */ 3415 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3416 const struct sctp_association *asoc, 3417 const sctp_subtype_t type, 3418 void *arg, 3419 sctp_cmd_seq_t *commands) 3420 { 3421 struct sctp_packet *packet = NULL; 3422 struct sctp_chunk *chunk = arg; 3423 struct sctp_chunk *shut; 3424 3425 packet = sctp_ootb_pkt_new(asoc, chunk); 3426 3427 if (packet) { 3428 /* Make an SHUTDOWN_COMPLETE. 3429 * The T bit will be set if the asoc is NULL. 3430 */ 3431 shut = sctp_make_shutdown_complete(asoc, chunk); 3432 if (!shut) { 3433 sctp_ootb_pkt_free(packet); 3434 return SCTP_DISPOSITION_NOMEM; 3435 } 3436 3437 /* Reflect vtag if T-Bit is set */ 3438 if (sctp_test_T_bit(shut)) 3439 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3440 3441 /* Set the skb to the belonging sock for accounting. */ 3442 shut->skb->sk = ep->base.sk; 3443 3444 sctp_packet_append_chunk(packet, shut); 3445 3446 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3447 SCTP_PACKET(packet)); 3448 3449 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3450 3451 /* If the chunk length is invalid, we don't want to process 3452 * the reset of the packet. 3453 */ 3454 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3455 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3456 3457 /* We need to discard the rest of the packet to prevent 3458 * potential bomming attacks from additional bundled chunks. 3459 * This is documented in SCTP Threats ID. 3460 */ 3461 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3462 } 3463 3464 return SCTP_DISPOSITION_NOMEM; 3465 } 3466 3467 /* 3468 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3469 * 3470 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3471 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3472 * procedures in section 8.4 SHOULD be followed, in other words it 3473 * should be treated as an Out Of The Blue packet. 3474 * [This means that we do NOT check the Verification Tag on these 3475 * chunks. --piggy ] 3476 * 3477 */ 3478 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3479 const struct sctp_association *asoc, 3480 const sctp_subtype_t type, 3481 void *arg, 3482 sctp_cmd_seq_t *commands) 3483 { 3484 struct sctp_chunk *chunk = arg; 3485 3486 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3487 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3488 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3489 commands); 3490 3491 /* Although we do have an association in this case, it corresponds 3492 * to a restarted association. So the packet is treated as an OOTB 3493 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3494 * called with a NULL association. 3495 */ 3496 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3497 3498 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3499 } 3500 3501 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3502 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3503 const struct sctp_association *asoc, 3504 const sctp_subtype_t type, void *arg, 3505 sctp_cmd_seq_t *commands) 3506 { 3507 struct sctp_chunk *chunk = arg; 3508 struct sctp_chunk *asconf_ack = NULL; 3509 struct sctp_paramhdr *err_param = NULL; 3510 sctp_addiphdr_t *hdr; 3511 union sctp_addr_param *addr_param; 3512 __u32 serial; 3513 int length; 3514 3515 if (!sctp_vtag_verify(chunk, asoc)) { 3516 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3517 SCTP_NULL()); 3518 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3519 } 3520 3521 /* ADD-IP: Section 4.1.1 3522 * This chunk MUST be sent in an authenticated way by using 3523 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3524 * is received unauthenticated it MUST be silently discarded as 3525 * described in [I-D.ietf-tsvwg-sctp-auth]. 3526 */ 3527 if (!sctp_addip_noauth && !chunk->auth) 3528 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3529 3530 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3531 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3532 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3533 commands); 3534 3535 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3536 serial = ntohl(hdr->serial); 3537 3538 addr_param = (union sctp_addr_param *)hdr->params; 3539 length = ntohs(addr_param->p.length); 3540 if (length < sizeof(sctp_paramhdr_t)) 3541 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3542 (void *)addr_param, commands); 3543 3544 /* Verify the ASCONF chunk before processing it. */ 3545 if (!sctp_verify_asconf(asoc, 3546 (sctp_paramhdr_t *)((void *)addr_param + length), 3547 (void *)chunk->chunk_end, 3548 &err_param)) 3549 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3550 (void *)err_param, commands); 3551 3552 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3553 * the endpoint stored in a new association variable 3554 * 'Peer-Serial-Number'. 3555 */ 3556 if (serial == asoc->peer.addip_serial + 1) { 3557 /* If this is the first instance of ASCONF in the packet, 3558 * we can clean our old ASCONF-ACKs. 3559 */ 3560 if (!chunk->has_asconf) 3561 sctp_assoc_clean_asconf_ack_cache(asoc); 3562 3563 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3564 * expected, process the ASCONF as described below and after 3565 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3566 * the response packet and cache a copy of it (in the event it 3567 * later needs to be retransmitted). 3568 * 3569 * Essentially, do V1-V5. 3570 */ 3571 asconf_ack = sctp_process_asconf((struct sctp_association *) 3572 asoc, chunk); 3573 if (!asconf_ack) 3574 return SCTP_DISPOSITION_NOMEM; 3575 } else if (serial < asoc->peer.addip_serial + 1) { 3576 /* ADDIP 5.2 E2) 3577 * If the value found in the Sequence Number is less than the 3578 * ('Peer- Sequence-Number' + 1), simply skip to the next 3579 * ASCONF, and include in the outbound response packet 3580 * any previously cached ASCONF-ACK response that was 3581 * sent and saved that matches the Sequence Number of the 3582 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3583 * Chunk exists. This will occur when an older ASCONF 3584 * arrives out of order. In such a case, the receiver 3585 * should skip the ASCONF Chunk and not include ASCONF-ACK 3586 * Chunk for that chunk. 3587 */ 3588 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3589 if (!asconf_ack) 3590 return SCTP_DISPOSITION_DISCARD; 3591 3592 /* Reset the transport so that we select the correct one 3593 * this time around. This is to make sure that we don't 3594 * accidentally use a stale transport that's been removed. 3595 */ 3596 asconf_ack->transport = NULL; 3597 } else { 3598 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3599 * it must be either a stale packet or from an attacker. 3600 */ 3601 return SCTP_DISPOSITION_DISCARD; 3602 } 3603 3604 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3605 * containing the ASCONF-ACK Chunks MUST be the source address of 3606 * the SCTP packet that held the ASCONF Chunks. 3607 * 3608 * To do this properly, we'll set the destination address of the chunk 3609 * and at the transmit time, will try look up the transport to use. 3610 * Since ASCONFs may be bundled, the correct transport may not be 3611 * created until we process the entire packet, thus this workaround. 3612 */ 3613 asconf_ack->dest = chunk->source; 3614 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3615 3616 return SCTP_DISPOSITION_CONSUME; 3617 } 3618 3619 /* 3620 * ADDIP Section 4.3 General rules for address manipulation 3621 * When building TLV parameters for the ASCONF Chunk that will add or 3622 * delete IP addresses the D0 to D13 rules should be applied: 3623 */ 3624 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3625 const struct sctp_association *asoc, 3626 const sctp_subtype_t type, void *arg, 3627 sctp_cmd_seq_t *commands) 3628 { 3629 struct sctp_chunk *asconf_ack = arg; 3630 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3631 struct sctp_chunk *abort; 3632 struct sctp_paramhdr *err_param = NULL; 3633 sctp_addiphdr_t *addip_hdr; 3634 __u32 sent_serial, rcvd_serial; 3635 3636 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3637 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3638 SCTP_NULL()); 3639 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3640 } 3641 3642 /* ADD-IP, Section 4.1.2: 3643 * This chunk MUST be sent in an authenticated way by using 3644 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3645 * is received unauthenticated it MUST be silently discarded as 3646 * described in [I-D.ietf-tsvwg-sctp-auth]. 3647 */ 3648 if (!sctp_addip_noauth && !asconf_ack->auth) 3649 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3650 3651 /* Make sure that the ADDIP chunk has a valid length. */ 3652 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3653 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3654 commands); 3655 3656 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3657 rcvd_serial = ntohl(addip_hdr->serial); 3658 3659 /* Verify the ASCONF-ACK chunk before processing it. */ 3660 if (!sctp_verify_asconf(asoc, 3661 (sctp_paramhdr_t *)addip_hdr->params, 3662 (void *)asconf_ack->chunk_end, 3663 &err_param)) 3664 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3665 (void *)err_param, commands); 3666 3667 if (last_asconf) { 3668 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3669 sent_serial = ntohl(addip_hdr->serial); 3670 } else { 3671 sent_serial = asoc->addip_serial - 1; 3672 } 3673 3674 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3675 * equal to the next serial number to be used but no ASCONF chunk is 3676 * outstanding the endpoint MUST ABORT the association. Note that a 3677 * sequence number is greater than if it is no more than 2^^31-1 3678 * larger than the current sequence number (using serial arithmetic). 3679 */ 3680 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3681 !(asoc->addip_last_asconf)) { 3682 abort = sctp_make_abort(asoc, asconf_ack, 3683 sizeof(sctp_errhdr_t)); 3684 if (abort) { 3685 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3686 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3687 SCTP_CHUNK(abort)); 3688 } 3689 /* We are going to ABORT, so we might as well stop 3690 * processing the rest of the chunks in the packet. 3691 */ 3692 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3693 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3694 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3695 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3696 SCTP_ERROR(ECONNABORTED)); 3697 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3698 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3699 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3700 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3701 return SCTP_DISPOSITION_ABORT; 3702 } 3703 3704 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3705 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3706 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3707 3708 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3709 asconf_ack)) { 3710 /* Successfully processed ASCONF_ACK. We can 3711 * release the next asconf if we have one. 3712 */ 3713 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3714 SCTP_NULL()); 3715 return SCTP_DISPOSITION_CONSUME; 3716 } 3717 3718 abort = sctp_make_abort(asoc, asconf_ack, 3719 sizeof(sctp_errhdr_t)); 3720 if (abort) { 3721 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3722 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3723 SCTP_CHUNK(abort)); 3724 } 3725 /* We are going to ABORT, so we might as well stop 3726 * processing the rest of the chunks in the packet. 3727 */ 3728 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3729 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3730 SCTP_ERROR(ECONNABORTED)); 3731 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3732 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3733 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3734 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3735 return SCTP_DISPOSITION_ABORT; 3736 } 3737 3738 return SCTP_DISPOSITION_DISCARD; 3739 } 3740 3741 /* 3742 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3743 * 3744 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3745 * its cumulative TSN point to the value carried in the FORWARD TSN 3746 * chunk, and then MUST further advance its cumulative TSN point locally 3747 * if possible. 3748 * After the above processing, the data receiver MUST stop reporting any 3749 * missing TSNs earlier than or equal to the new cumulative TSN point. 3750 * 3751 * Verification Tag: 8.5 Verification Tag [Normal verification] 3752 * 3753 * The return value is the disposition of the chunk. 3754 */ 3755 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3756 const struct sctp_association *asoc, 3757 const sctp_subtype_t type, 3758 void *arg, 3759 sctp_cmd_seq_t *commands) 3760 { 3761 struct sctp_chunk *chunk = arg; 3762 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3763 struct sctp_fwdtsn_skip *skip; 3764 __u16 len; 3765 __u32 tsn; 3766 3767 if (!sctp_vtag_verify(chunk, asoc)) { 3768 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3769 SCTP_NULL()); 3770 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3771 } 3772 3773 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3774 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3775 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3776 commands); 3777 3778 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3779 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3780 len = ntohs(chunk->chunk_hdr->length); 3781 len -= sizeof(struct sctp_chunkhdr); 3782 skb_pull(chunk->skb, len); 3783 3784 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3785 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3786 3787 /* The TSN is too high--silently discard the chunk and count on it 3788 * getting retransmitted later. 3789 */ 3790 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3791 goto discard_noforce; 3792 3793 /* Silently discard the chunk if stream-id is not valid */ 3794 sctp_walk_fwdtsn(skip, chunk) { 3795 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3796 goto discard_noforce; 3797 } 3798 3799 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3800 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3801 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3802 SCTP_CHUNK(chunk)); 3803 3804 /* Count this as receiving DATA. */ 3805 if (asoc->autoclose) { 3806 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3807 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3808 } 3809 3810 /* FIXME: For now send a SACK, but DATA processing may 3811 * send another. 3812 */ 3813 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3814 3815 return SCTP_DISPOSITION_CONSUME; 3816 3817 discard_noforce: 3818 return SCTP_DISPOSITION_DISCARD; 3819 } 3820 3821 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3822 const struct sctp_endpoint *ep, 3823 const struct sctp_association *asoc, 3824 const sctp_subtype_t type, 3825 void *arg, 3826 sctp_cmd_seq_t *commands) 3827 { 3828 struct sctp_chunk *chunk = arg; 3829 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3830 struct sctp_fwdtsn_skip *skip; 3831 __u16 len; 3832 __u32 tsn; 3833 3834 if (!sctp_vtag_verify(chunk, asoc)) { 3835 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3836 SCTP_NULL()); 3837 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3838 } 3839 3840 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3841 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3842 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3843 commands); 3844 3845 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3846 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3847 len = ntohs(chunk->chunk_hdr->length); 3848 len -= sizeof(struct sctp_chunkhdr); 3849 skb_pull(chunk->skb, len); 3850 3851 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3852 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3853 3854 /* The TSN is too high--silently discard the chunk and count on it 3855 * getting retransmitted later. 3856 */ 3857 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3858 goto gen_shutdown; 3859 3860 /* Silently discard the chunk if stream-id is not valid */ 3861 sctp_walk_fwdtsn(skip, chunk) { 3862 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3863 goto gen_shutdown; 3864 } 3865 3866 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3867 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3868 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3869 SCTP_CHUNK(chunk)); 3870 3871 /* Go a head and force a SACK, since we are shutting down. */ 3872 gen_shutdown: 3873 /* Implementor's Guide. 3874 * 3875 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3876 * respond to each received packet containing one or more DATA chunk(s) 3877 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3878 */ 3879 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3880 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3881 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3882 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3883 3884 return SCTP_DISPOSITION_CONSUME; 3885 } 3886 3887 /* 3888 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 3889 * 3890 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3891 * Identifier field. If this algorithm was not specified by the 3892 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3893 * during association setup, the AUTH chunk and all chunks after it MUST 3894 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3895 * defined in Section 4.1. 3896 * 3897 * If an endpoint with no shared key receives a Shared Key Identifier 3898 * other than 0, it MUST silently discard all authenticated chunks. If 3899 * the endpoint has at least one endpoint pair shared key for the peer, 3900 * it MUST use the key specified by the Shared Key Identifier if a 3901 * key has been configured for that Shared Key Identifier. If no 3902 * endpoint pair shared key has been configured for that Shared Key 3903 * Identifier, all authenticated chunks MUST be silently discarded. 3904 * 3905 * Verification Tag: 8.5 Verification Tag [Normal verification] 3906 * 3907 * The return value is the disposition of the chunk. 3908 */ 3909 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 3910 const struct sctp_association *asoc, 3911 const sctp_subtype_t type, 3912 struct sctp_chunk *chunk) 3913 { 3914 struct sctp_authhdr *auth_hdr; 3915 struct sctp_hmac *hmac; 3916 unsigned int sig_len; 3917 __u16 key_id; 3918 __u8 *save_digest; 3919 __u8 *digest; 3920 3921 /* Pull in the auth header, so we can do some more verification */ 3922 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3923 chunk->subh.auth_hdr = auth_hdr; 3924 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 3925 3926 /* Make sure that we suport the HMAC algorithm from the auth 3927 * chunk. 3928 */ 3929 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 3930 return SCTP_IERROR_AUTH_BAD_HMAC; 3931 3932 /* Make sure that the provided shared key identifier has been 3933 * configured 3934 */ 3935 key_id = ntohs(auth_hdr->shkey_id); 3936 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 3937 return SCTP_IERROR_AUTH_BAD_KEYID; 3938 3939 3940 /* Make sure that the length of the signature matches what 3941 * we expect. 3942 */ 3943 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 3944 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 3945 if (sig_len != hmac->hmac_len) 3946 return SCTP_IERROR_PROTO_VIOLATION; 3947 3948 /* Now that we've done validation checks, we can compute and 3949 * verify the hmac. The steps involved are: 3950 * 1. Save the digest from the chunk. 3951 * 2. Zero out the digest in the chunk. 3952 * 3. Compute the new digest 3953 * 4. Compare saved and new digests. 3954 */ 3955 digest = auth_hdr->hmac; 3956 skb_pull(chunk->skb, sig_len); 3957 3958 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 3959 if (!save_digest) 3960 goto nomem; 3961 3962 memset(digest, 0, sig_len); 3963 3964 sctp_auth_calculate_hmac(asoc, chunk->skb, 3965 (struct sctp_auth_chunk *)chunk->chunk_hdr, 3966 GFP_ATOMIC); 3967 3968 /* Discard the packet if the digests do not match */ 3969 if (memcmp(save_digest, digest, sig_len)) { 3970 kfree(save_digest); 3971 return SCTP_IERROR_BAD_SIG; 3972 } 3973 3974 kfree(save_digest); 3975 chunk->auth = 1; 3976 3977 return SCTP_IERROR_NO_ERROR; 3978 nomem: 3979 return SCTP_IERROR_NOMEM; 3980 } 3981 3982 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep, 3983 const struct sctp_association *asoc, 3984 const sctp_subtype_t type, 3985 void *arg, 3986 sctp_cmd_seq_t *commands) 3987 { 3988 struct sctp_authhdr *auth_hdr; 3989 struct sctp_chunk *chunk = arg; 3990 struct sctp_chunk *err_chunk; 3991 sctp_ierror_t error; 3992 3993 /* Make sure that the peer has AUTH capable */ 3994 if (!asoc->peer.auth_capable) 3995 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands); 3996 3997 if (!sctp_vtag_verify(chunk, asoc)) { 3998 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3999 SCTP_NULL()); 4000 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4001 } 4002 4003 /* Make sure that the AUTH chunk has valid length. */ 4004 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4005 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4006 commands); 4007 4008 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4009 error = sctp_sf_authenticate(ep, asoc, type, chunk); 4010 switch (error) { 4011 case SCTP_IERROR_AUTH_BAD_HMAC: 4012 /* Generate the ERROR chunk and discard the rest 4013 * of the packet 4014 */ 4015 err_chunk = sctp_make_op_error(asoc, chunk, 4016 SCTP_ERROR_UNSUP_HMAC, 4017 &auth_hdr->hmac_id, 4018 sizeof(__u16), 0); 4019 if (err_chunk) { 4020 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4021 SCTP_CHUNK(err_chunk)); 4022 } 4023 /* Fall Through */ 4024 case SCTP_IERROR_AUTH_BAD_KEYID: 4025 case SCTP_IERROR_BAD_SIG: 4026 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4027 4028 case SCTP_IERROR_PROTO_VIOLATION: 4029 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4030 commands); 4031 4032 case SCTP_IERROR_NOMEM: 4033 return SCTP_DISPOSITION_NOMEM; 4034 4035 default: /* Prevent gcc warnings */ 4036 break; 4037 } 4038 4039 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4040 struct sctp_ulpevent *ev; 4041 4042 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4043 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 4044 4045 if (!ev) 4046 return -ENOMEM; 4047 4048 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4049 SCTP_ULPEVENT(ev)); 4050 } 4051 4052 return SCTP_DISPOSITION_CONSUME; 4053 } 4054 4055 /* 4056 * Process an unknown chunk. 4057 * 4058 * Section: 3.2. Also, 2.1 in the implementor's guide. 4059 * 4060 * Chunk Types are encoded such that the highest-order two bits specify 4061 * the action that must be taken if the processing endpoint does not 4062 * recognize the Chunk Type. 4063 * 4064 * 00 - Stop processing this SCTP packet and discard it, do not process 4065 * any further chunks within it. 4066 * 4067 * 01 - Stop processing this SCTP packet and discard it, do not process 4068 * any further chunks within it, and report the unrecognized 4069 * chunk in an 'Unrecognized Chunk Type'. 4070 * 4071 * 10 - Skip this chunk and continue processing. 4072 * 4073 * 11 - Skip this chunk and continue processing, but report in an ERROR 4074 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4075 * 4076 * The return value is the disposition of the chunk. 4077 */ 4078 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 4079 const struct sctp_association *asoc, 4080 const sctp_subtype_t type, 4081 void *arg, 4082 sctp_cmd_seq_t *commands) 4083 { 4084 struct sctp_chunk *unk_chunk = arg; 4085 struct sctp_chunk *err_chunk; 4086 sctp_chunkhdr_t *hdr; 4087 4088 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 4089 4090 if (!sctp_vtag_verify(unk_chunk, asoc)) 4091 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4092 4093 /* Make sure that the chunk has a valid length. 4094 * Since we don't know the chunk type, we use a general 4095 * chunkhdr structure to make a comparison. 4096 */ 4097 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 4098 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4099 commands); 4100 4101 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4102 case SCTP_CID_ACTION_DISCARD: 4103 /* Discard the packet. */ 4104 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4105 break; 4106 case SCTP_CID_ACTION_DISCARD_ERR: 4107 /* Generate an ERROR chunk as response. */ 4108 hdr = unk_chunk->chunk_hdr; 4109 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4110 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4111 WORD_ROUND(ntohs(hdr->length)), 4112 0); 4113 if (err_chunk) { 4114 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4115 SCTP_CHUNK(err_chunk)); 4116 } 4117 4118 /* Discard the packet. */ 4119 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4120 return SCTP_DISPOSITION_CONSUME; 4121 break; 4122 case SCTP_CID_ACTION_SKIP: 4123 /* Skip the chunk. */ 4124 return SCTP_DISPOSITION_DISCARD; 4125 break; 4126 case SCTP_CID_ACTION_SKIP_ERR: 4127 /* Generate an ERROR chunk as response. */ 4128 hdr = unk_chunk->chunk_hdr; 4129 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4130 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4131 WORD_ROUND(ntohs(hdr->length)), 4132 0); 4133 if (err_chunk) { 4134 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4135 SCTP_CHUNK(err_chunk)); 4136 } 4137 /* Skip the chunk. */ 4138 return SCTP_DISPOSITION_CONSUME; 4139 break; 4140 default: 4141 break; 4142 } 4143 4144 return SCTP_DISPOSITION_DISCARD; 4145 } 4146 4147 /* 4148 * Discard the chunk. 4149 * 4150 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4151 * [Too numerous to mention...] 4152 * Verification Tag: No verification needed. 4153 * Inputs 4154 * (endpoint, asoc, chunk) 4155 * 4156 * Outputs 4157 * (asoc, reply_msg, msg_up, timers, counters) 4158 * 4159 * The return value is the disposition of the chunk. 4160 */ 4161 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 4162 const struct sctp_association *asoc, 4163 const sctp_subtype_t type, 4164 void *arg, 4165 sctp_cmd_seq_t *commands) 4166 { 4167 struct sctp_chunk *chunk = arg; 4168 4169 /* Make sure that the chunk has a valid length. 4170 * Since we don't know the chunk type, we use a general 4171 * chunkhdr structure to make a comparison. 4172 */ 4173 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4174 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4175 commands); 4176 4177 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 4178 return SCTP_DISPOSITION_DISCARD; 4179 } 4180 4181 /* 4182 * Discard the whole packet. 4183 * 4184 * Section: 8.4 2) 4185 * 4186 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4187 * silently discard the OOTB packet and take no further action. 4188 * 4189 * Verification Tag: No verification necessary 4190 * 4191 * Inputs 4192 * (endpoint, asoc, chunk) 4193 * 4194 * Outputs 4195 * (asoc, reply_msg, msg_up, timers, counters) 4196 * 4197 * The return value is the disposition of the chunk. 4198 */ 4199 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 4200 const struct sctp_association *asoc, 4201 const sctp_subtype_t type, 4202 void *arg, 4203 sctp_cmd_seq_t *commands) 4204 { 4205 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 4206 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4207 4208 return SCTP_DISPOSITION_CONSUME; 4209 } 4210 4211 4212 /* 4213 * The other end is violating protocol. 4214 * 4215 * Section: Not specified 4216 * Verification Tag: Not specified 4217 * Inputs 4218 * (endpoint, asoc, chunk) 4219 * 4220 * Outputs 4221 * (asoc, reply_msg, msg_up, timers, counters) 4222 * 4223 * We simply tag the chunk as a violation. The state machine will log 4224 * the violation and continue. 4225 */ 4226 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 4227 const struct sctp_association *asoc, 4228 const sctp_subtype_t type, 4229 void *arg, 4230 sctp_cmd_seq_t *commands) 4231 { 4232 struct sctp_chunk *chunk = arg; 4233 4234 /* Make sure that the chunk has a valid length. */ 4235 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4236 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4237 commands); 4238 4239 return SCTP_DISPOSITION_VIOLATION; 4240 } 4241 4242 /* 4243 * Common function to handle a protocol violation. 4244 */ 4245 static sctp_disposition_t sctp_sf_abort_violation( 4246 const struct sctp_endpoint *ep, 4247 const struct sctp_association *asoc, 4248 void *arg, 4249 sctp_cmd_seq_t *commands, 4250 const __u8 *payload, 4251 const size_t paylen) 4252 { 4253 struct sctp_packet *packet = NULL; 4254 struct sctp_chunk *chunk = arg; 4255 struct sctp_chunk *abort = NULL; 4256 4257 /* SCTP-AUTH, Section 6.3: 4258 * It should be noted that if the receiver wants to tear 4259 * down an association in an authenticated way only, the 4260 * handling of malformed packets should not result in 4261 * tearing down the association. 4262 * 4263 * This means that if we only want to abort associations 4264 * in an authenticated way (i.e AUTH+ABORT), then we 4265 * can't destroy this association just because the packet 4266 * was malformed. 4267 */ 4268 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4269 goto discard; 4270 4271 /* Make the abort chunk. */ 4272 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4273 if (!abort) 4274 goto nomem; 4275 4276 if (asoc) { 4277 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4278 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4279 !asoc->peer.i.init_tag) { 4280 sctp_initack_chunk_t *initack; 4281 4282 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 4283 if (!sctp_chunk_length_valid(chunk, 4284 sizeof(sctp_initack_chunk_t))) 4285 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4286 else { 4287 unsigned int inittag; 4288 4289 inittag = ntohl(initack->init_hdr.init_tag); 4290 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4291 SCTP_U32(inittag)); 4292 } 4293 } 4294 4295 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4296 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4297 4298 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4299 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4300 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4301 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4302 SCTP_ERROR(ECONNREFUSED)); 4303 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4304 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4305 } else { 4306 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4307 SCTP_ERROR(ECONNABORTED)); 4308 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4309 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4310 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4311 } 4312 } else { 4313 packet = sctp_ootb_pkt_new(asoc, chunk); 4314 4315 if (!packet) 4316 goto nomem_pkt; 4317 4318 if (sctp_test_T_bit(abort)) 4319 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4320 4321 abort->skb->sk = ep->base.sk; 4322 4323 sctp_packet_append_chunk(packet, abort); 4324 4325 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4326 SCTP_PACKET(packet)); 4327 4328 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4329 } 4330 4331 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4332 4333 discard: 4334 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4335 return SCTP_DISPOSITION_ABORT; 4336 4337 nomem_pkt: 4338 sctp_chunk_free(abort); 4339 nomem: 4340 return SCTP_DISPOSITION_NOMEM; 4341 } 4342 4343 /* 4344 * Handle a protocol violation when the chunk length is invalid. 4345 * "Invalid" length is identified as smaller than the minimal length a 4346 * given chunk can be. For example, a SACK chunk has invalid length 4347 * if its length is set to be smaller than the size of sctp_sack_chunk_t. 4348 * 4349 * We inform the other end by sending an ABORT with a Protocol Violation 4350 * error code. 4351 * 4352 * Section: Not specified 4353 * Verification Tag: Nothing to do 4354 * Inputs 4355 * (endpoint, asoc, chunk) 4356 * 4357 * Outputs 4358 * (reply_msg, msg_up, counters) 4359 * 4360 * Generate an ABORT chunk and terminate the association. 4361 */ 4362 static sctp_disposition_t sctp_sf_violation_chunklen( 4363 const struct sctp_endpoint *ep, 4364 const struct sctp_association *asoc, 4365 const sctp_subtype_t type, 4366 void *arg, 4367 sctp_cmd_seq_t *commands) 4368 { 4369 static const char err_str[]="The following chunk had invalid length:"; 4370 4371 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4372 sizeof(err_str)); 4373 } 4374 4375 /* 4376 * Handle a protocol violation when the parameter length is invalid. 4377 * If the length is smaller than the minimum length of a given parameter, 4378 * or accumulated length in multi parameters exceeds the end of the chunk, 4379 * the length is considered as invalid. 4380 */ 4381 static sctp_disposition_t sctp_sf_violation_paramlen( 4382 const struct sctp_endpoint *ep, 4383 const struct sctp_association *asoc, 4384 const sctp_subtype_t type, 4385 void *arg, void *ext, 4386 sctp_cmd_seq_t *commands) 4387 { 4388 struct sctp_chunk *chunk = arg; 4389 struct sctp_paramhdr *param = ext; 4390 struct sctp_chunk *abort = NULL; 4391 4392 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4393 goto discard; 4394 4395 /* Make the abort chunk. */ 4396 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4397 if (!abort) 4398 goto nomem; 4399 4400 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4401 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4402 4403 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4404 SCTP_ERROR(ECONNABORTED)); 4405 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4406 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4407 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4408 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4409 4410 discard: 4411 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4412 return SCTP_DISPOSITION_ABORT; 4413 nomem: 4414 return SCTP_DISPOSITION_NOMEM; 4415 } 4416 4417 /* Handle a protocol violation when the peer trying to advance the 4418 * cumulative tsn ack to a point beyond the max tsn currently sent. 4419 * 4420 * We inform the other end by sending an ABORT with a Protocol Violation 4421 * error code. 4422 */ 4423 static sctp_disposition_t sctp_sf_violation_ctsn( 4424 const struct sctp_endpoint *ep, 4425 const struct sctp_association *asoc, 4426 const sctp_subtype_t type, 4427 void *arg, 4428 sctp_cmd_seq_t *commands) 4429 { 4430 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:"; 4431 4432 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4433 sizeof(err_str)); 4434 } 4435 4436 /* Handle protocol violation of an invalid chunk bundling. For example, 4437 * when we have an association and we receive bundled INIT-ACK, or 4438 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4439 * statement from the specs. Additionally, there might be an attacker 4440 * on the path and we may not want to continue this communication. 4441 */ 4442 static sctp_disposition_t sctp_sf_violation_chunk( 4443 const struct sctp_endpoint *ep, 4444 const struct sctp_association *asoc, 4445 const sctp_subtype_t type, 4446 void *arg, 4447 sctp_cmd_seq_t *commands) 4448 { 4449 static const char err_str[]="The following chunk violates protocol:"; 4450 4451 if (!asoc) 4452 return sctp_sf_violation(ep, asoc, type, arg, commands); 4453 4454 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4455 sizeof(err_str)); 4456 } 4457 /*************************************************************************** 4458 * These are the state functions for handling primitive (Section 10) events. 4459 ***************************************************************************/ 4460 /* 4461 * sctp_sf_do_prm_asoc 4462 * 4463 * Section: 10.1 ULP-to-SCTP 4464 * B) Associate 4465 * 4466 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4467 * outbound stream count) 4468 * -> association id [,destination transport addr list] [,outbound stream 4469 * count] 4470 * 4471 * This primitive allows the upper layer to initiate an association to a 4472 * specific peer endpoint. 4473 * 4474 * The peer endpoint shall be specified by one of the transport addresses 4475 * which defines the endpoint (see Section 1.4). If the local SCTP 4476 * instance has not been initialized, the ASSOCIATE is considered an 4477 * error. 4478 * [This is not relevant for the kernel implementation since we do all 4479 * initialization at boot time. It we hadn't initialized we wouldn't 4480 * get anywhere near this code.] 4481 * 4482 * An association id, which is a local handle to the SCTP association, 4483 * will be returned on successful establishment of the association. If 4484 * SCTP is not able to open an SCTP association with the peer endpoint, 4485 * an error is returned. 4486 * [In the kernel implementation, the struct sctp_association needs to 4487 * be created BEFORE causing this primitive to run.] 4488 * 4489 * Other association parameters may be returned, including the 4490 * complete destination transport addresses of the peer as well as the 4491 * outbound stream count of the local endpoint. One of the transport 4492 * address from the returned destination addresses will be selected by 4493 * the local endpoint as default primary path for sending SCTP packets 4494 * to this peer. The returned "destination transport addr list" can 4495 * be used by the ULP to change the default primary path or to force 4496 * sending a packet to a specific transport address. [All of this 4497 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4498 * function.] 4499 * 4500 * Mandatory attributes: 4501 * 4502 * o local SCTP instance name - obtained from the INITIALIZE operation. 4503 * [This is the argument asoc.] 4504 * o destination transport addr - specified as one of the transport 4505 * addresses of the peer endpoint with which the association is to be 4506 * established. 4507 * [This is asoc->peer.active_path.] 4508 * o outbound stream count - the number of outbound streams the ULP 4509 * would like to open towards this peer endpoint. 4510 * [BUG: This is not currently implemented.] 4511 * Optional attributes: 4512 * 4513 * None. 4514 * 4515 * The return value is a disposition. 4516 */ 4517 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 4518 const struct sctp_association *asoc, 4519 const sctp_subtype_t type, 4520 void *arg, 4521 sctp_cmd_seq_t *commands) 4522 { 4523 struct sctp_chunk *repl; 4524 struct sctp_association* my_asoc; 4525 4526 /* The comment below says that we enter COOKIE-WAIT AFTER 4527 * sending the INIT, but that doesn't actually work in our 4528 * implementation... 4529 */ 4530 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4531 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4532 4533 /* RFC 2960 5.1 Normal Establishment of an Association 4534 * 4535 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4536 * must provide its Verification Tag (Tag_A) in the Initiate 4537 * Tag field. Tag_A SHOULD be a random number in the range of 4538 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4539 */ 4540 4541 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4542 if (!repl) 4543 goto nomem; 4544 4545 /* Cast away the const modifier, as we want to just 4546 * rerun it through as a sideffect. 4547 */ 4548 my_asoc = (struct sctp_association *)asoc; 4549 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4550 4551 /* Choose transport for INIT. */ 4552 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4553 SCTP_CHUNK(repl)); 4554 4555 /* After sending the INIT, "A" starts the T1-init timer and 4556 * enters the COOKIE-WAIT state. 4557 */ 4558 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4559 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4560 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4561 return SCTP_DISPOSITION_CONSUME; 4562 4563 nomem: 4564 return SCTP_DISPOSITION_NOMEM; 4565 } 4566 4567 /* 4568 * Process the SEND primitive. 4569 * 4570 * Section: 10.1 ULP-to-SCTP 4571 * E) Send 4572 * 4573 * Format: SEND(association id, buffer address, byte count [,context] 4574 * [,stream id] [,life time] [,destination transport address] 4575 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4576 * -> result 4577 * 4578 * This is the main method to send user data via SCTP. 4579 * 4580 * Mandatory attributes: 4581 * 4582 * o association id - local handle to the SCTP association 4583 * 4584 * o buffer address - the location where the user message to be 4585 * transmitted is stored; 4586 * 4587 * o byte count - The size of the user data in number of bytes; 4588 * 4589 * Optional attributes: 4590 * 4591 * o context - an optional 32 bit integer that will be carried in the 4592 * sending failure notification to the ULP if the transportation of 4593 * this User Message fails. 4594 * 4595 * o stream id - to indicate which stream to send the data on. If not 4596 * specified, stream 0 will be used. 4597 * 4598 * o life time - specifies the life time of the user data. The user data 4599 * will not be sent by SCTP after the life time expires. This 4600 * parameter can be used to avoid efforts to transmit stale 4601 * user messages. SCTP notifies the ULP if the data cannot be 4602 * initiated to transport (i.e. sent to the destination via SCTP's 4603 * send primitive) within the life time variable. However, the 4604 * user data will be transmitted if SCTP has attempted to transmit a 4605 * chunk before the life time expired. 4606 * 4607 * o destination transport address - specified as one of the destination 4608 * transport addresses of the peer endpoint to which this packet 4609 * should be sent. Whenever possible, SCTP should use this destination 4610 * transport address for sending the packets, instead of the current 4611 * primary path. 4612 * 4613 * o unorder flag - this flag, if present, indicates that the user 4614 * would like the data delivered in an unordered fashion to the peer 4615 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4616 * message). 4617 * 4618 * o no-bundle flag - instructs SCTP not to bundle this user data with 4619 * other outbound DATA chunks. SCTP MAY still bundle even when 4620 * this flag is present, when faced with network congestion. 4621 * 4622 * o payload protocol-id - A 32 bit unsigned integer that is to be 4623 * passed to the peer indicating the type of payload protocol data 4624 * being transmitted. This value is passed as opaque data by SCTP. 4625 * 4626 * The return value is the disposition. 4627 */ 4628 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 4629 const struct sctp_association *asoc, 4630 const sctp_subtype_t type, 4631 void *arg, 4632 sctp_cmd_seq_t *commands) 4633 { 4634 struct sctp_datamsg *msg = arg; 4635 4636 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4637 return SCTP_DISPOSITION_CONSUME; 4638 } 4639 4640 /* 4641 * Process the SHUTDOWN primitive. 4642 * 4643 * Section: 10.1: 4644 * C) Shutdown 4645 * 4646 * Format: SHUTDOWN(association id) 4647 * -> result 4648 * 4649 * Gracefully closes an association. Any locally queued user data 4650 * will be delivered to the peer. The association will be terminated only 4651 * after the peer acknowledges all the SCTP packets sent. A success code 4652 * will be returned on successful termination of the association. If 4653 * attempting to terminate the association results in a failure, an error 4654 * code shall be returned. 4655 * 4656 * Mandatory attributes: 4657 * 4658 * o association id - local handle to the SCTP association 4659 * 4660 * Optional attributes: 4661 * 4662 * None. 4663 * 4664 * The return value is the disposition. 4665 */ 4666 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4667 const struct sctp_endpoint *ep, 4668 const struct sctp_association *asoc, 4669 const sctp_subtype_t type, 4670 void *arg, 4671 sctp_cmd_seq_t *commands) 4672 { 4673 int disposition; 4674 4675 /* From 9.2 Shutdown of an Association 4676 * Upon receipt of the SHUTDOWN primitive from its upper 4677 * layer, the endpoint enters SHUTDOWN-PENDING state and 4678 * remains there until all outstanding data has been 4679 * acknowledged by its peer. The endpoint accepts no new data 4680 * from its upper layer, but retransmits data to the far end 4681 * if necessary to fill gaps. 4682 */ 4683 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4684 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4685 4686 disposition = SCTP_DISPOSITION_CONSUME; 4687 if (sctp_outq_is_empty(&asoc->outqueue)) { 4688 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4689 arg, commands); 4690 } 4691 return disposition; 4692 } 4693 4694 /* 4695 * Process the ABORT primitive. 4696 * 4697 * Section: 10.1: 4698 * C) Abort 4699 * 4700 * Format: Abort(association id [, cause code]) 4701 * -> result 4702 * 4703 * Ungracefully closes an association. Any locally queued user data 4704 * will be discarded and an ABORT chunk is sent to the peer. A success code 4705 * will be returned on successful abortion of the association. If 4706 * attempting to abort the association results in a failure, an error 4707 * code shall be returned. 4708 * 4709 * Mandatory attributes: 4710 * 4711 * o association id - local handle to the SCTP association 4712 * 4713 * Optional attributes: 4714 * 4715 * o cause code - reason of the abort to be passed to the peer 4716 * 4717 * None. 4718 * 4719 * The return value is the disposition. 4720 */ 4721 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4722 const struct sctp_endpoint *ep, 4723 const struct sctp_association *asoc, 4724 const sctp_subtype_t type, 4725 void *arg, 4726 sctp_cmd_seq_t *commands) 4727 { 4728 /* From 9.1 Abort of an Association 4729 * Upon receipt of the ABORT primitive from its upper 4730 * layer, the endpoint enters CLOSED state and 4731 * discard all outstanding data has been 4732 * acknowledged by its peer. The endpoint accepts no new data 4733 * from its upper layer, but retransmits data to the far end 4734 * if necessary to fill gaps. 4735 */ 4736 struct sctp_chunk *abort = arg; 4737 sctp_disposition_t retval; 4738 4739 retval = SCTP_DISPOSITION_CONSUME; 4740 4741 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4742 4743 /* Even if we can't send the ABORT due to low memory delete the 4744 * TCB. This is a departure from our typical NOMEM handling. 4745 */ 4746 4747 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4748 SCTP_ERROR(ECONNABORTED)); 4749 /* Delete the established association. */ 4750 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4751 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4752 4753 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4754 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4755 4756 return retval; 4757 } 4758 4759 /* We tried an illegal operation on an association which is closed. */ 4760 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4761 const struct sctp_association *asoc, 4762 const sctp_subtype_t type, 4763 void *arg, 4764 sctp_cmd_seq_t *commands) 4765 { 4766 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4767 return SCTP_DISPOSITION_CONSUME; 4768 } 4769 4770 /* We tried an illegal operation on an association which is shutting 4771 * down. 4772 */ 4773 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4774 const struct sctp_association *asoc, 4775 const sctp_subtype_t type, 4776 void *arg, 4777 sctp_cmd_seq_t *commands) 4778 { 4779 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4780 SCTP_ERROR(-ESHUTDOWN)); 4781 return SCTP_DISPOSITION_CONSUME; 4782 } 4783 4784 /* 4785 * sctp_cookie_wait_prm_shutdown 4786 * 4787 * Section: 4 Note: 2 4788 * Verification Tag: 4789 * Inputs 4790 * (endpoint, asoc) 4791 * 4792 * The RFC does not explicitly address this issue, but is the route through the 4793 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4794 * 4795 * Outputs 4796 * (timers) 4797 */ 4798 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4799 const struct sctp_endpoint *ep, 4800 const struct sctp_association *asoc, 4801 const sctp_subtype_t type, 4802 void *arg, 4803 sctp_cmd_seq_t *commands) 4804 { 4805 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4806 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4807 4808 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4809 SCTP_STATE(SCTP_STATE_CLOSED)); 4810 4811 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4812 4813 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4814 4815 return SCTP_DISPOSITION_DELETE_TCB; 4816 } 4817 4818 /* 4819 * sctp_cookie_echoed_prm_shutdown 4820 * 4821 * Section: 4 Note: 2 4822 * Verification Tag: 4823 * Inputs 4824 * (endpoint, asoc) 4825 * 4826 * The RFC does not explcitly address this issue, but is the route through the 4827 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4828 * 4829 * Outputs 4830 * (timers) 4831 */ 4832 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4833 const struct sctp_endpoint *ep, 4834 const struct sctp_association *asoc, 4835 const sctp_subtype_t type, 4836 void *arg, sctp_cmd_seq_t *commands) 4837 { 4838 /* There is a single T1 timer, so we should be able to use 4839 * common function with the COOKIE-WAIT state. 4840 */ 4841 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4842 } 4843 4844 /* 4845 * sctp_sf_cookie_wait_prm_abort 4846 * 4847 * Section: 4 Note: 2 4848 * Verification Tag: 4849 * Inputs 4850 * (endpoint, asoc) 4851 * 4852 * The RFC does not explicitly address this issue, but is the route through the 4853 * state table when someone issues an abort while in COOKIE_WAIT state. 4854 * 4855 * Outputs 4856 * (timers) 4857 */ 4858 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4859 const struct sctp_endpoint *ep, 4860 const struct sctp_association *asoc, 4861 const sctp_subtype_t type, 4862 void *arg, 4863 sctp_cmd_seq_t *commands) 4864 { 4865 struct sctp_chunk *abort = arg; 4866 sctp_disposition_t retval; 4867 4868 /* Stop T1-init timer */ 4869 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4870 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4871 retval = SCTP_DISPOSITION_CONSUME; 4872 4873 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4874 4875 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4876 SCTP_STATE(SCTP_STATE_CLOSED)); 4877 4878 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4879 4880 /* Even if we can't send the ABORT due to low memory delete the 4881 * TCB. This is a departure from our typical NOMEM handling. 4882 */ 4883 4884 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4885 SCTP_ERROR(ECONNREFUSED)); 4886 /* Delete the established association. */ 4887 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4888 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4889 4890 return retval; 4891 } 4892 4893 /* 4894 * sctp_sf_cookie_echoed_prm_abort 4895 * 4896 * Section: 4 Note: 3 4897 * Verification Tag: 4898 * Inputs 4899 * (endpoint, asoc) 4900 * 4901 * The RFC does not explcitly address this issue, but is the route through the 4902 * state table when someone issues an abort while in COOKIE_ECHOED state. 4903 * 4904 * Outputs 4905 * (timers) 4906 */ 4907 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4908 const struct sctp_endpoint *ep, 4909 const struct sctp_association *asoc, 4910 const sctp_subtype_t type, 4911 void *arg, 4912 sctp_cmd_seq_t *commands) 4913 { 4914 /* There is a single T1 timer, so we should be able to use 4915 * common function with the COOKIE-WAIT state. 4916 */ 4917 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4918 } 4919 4920 /* 4921 * sctp_sf_shutdown_pending_prm_abort 4922 * 4923 * Inputs 4924 * (endpoint, asoc) 4925 * 4926 * The RFC does not explicitly address this issue, but is the route through the 4927 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4928 * 4929 * Outputs 4930 * (timers) 4931 */ 4932 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4933 const struct sctp_endpoint *ep, 4934 const struct sctp_association *asoc, 4935 const sctp_subtype_t type, 4936 void *arg, 4937 sctp_cmd_seq_t *commands) 4938 { 4939 /* Stop the T5-shutdown guard timer. */ 4940 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4941 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4942 4943 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4944 } 4945 4946 /* 4947 * sctp_sf_shutdown_sent_prm_abort 4948 * 4949 * Inputs 4950 * (endpoint, asoc) 4951 * 4952 * The RFC does not explicitly address this issue, but is the route through the 4953 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4954 * 4955 * Outputs 4956 * (timers) 4957 */ 4958 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4959 const struct sctp_endpoint *ep, 4960 const struct sctp_association *asoc, 4961 const sctp_subtype_t type, 4962 void *arg, 4963 sctp_cmd_seq_t *commands) 4964 { 4965 /* Stop the T2-shutdown timer. */ 4966 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4967 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4968 4969 /* Stop the T5-shutdown guard timer. */ 4970 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4971 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4972 4973 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4974 } 4975 4976 /* 4977 * sctp_sf_cookie_echoed_prm_abort 4978 * 4979 * Inputs 4980 * (endpoint, asoc) 4981 * 4982 * The RFC does not explcitly address this issue, but is the route through the 4983 * state table when someone issues an abort while in COOKIE_ECHOED state. 4984 * 4985 * Outputs 4986 * (timers) 4987 */ 4988 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4989 const struct sctp_endpoint *ep, 4990 const struct sctp_association *asoc, 4991 const sctp_subtype_t type, 4992 void *arg, 4993 sctp_cmd_seq_t *commands) 4994 { 4995 /* The same T2 timer, so we should be able to use 4996 * common function with the SHUTDOWN-SENT state. 4997 */ 4998 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4999 } 5000 5001 /* 5002 * Process the REQUESTHEARTBEAT primitive 5003 * 5004 * 10.1 ULP-to-SCTP 5005 * J) Request Heartbeat 5006 * 5007 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5008 * 5009 * -> result 5010 * 5011 * Instructs the local endpoint to perform a HeartBeat on the specified 5012 * destination transport address of the given association. The returned 5013 * result should indicate whether the transmission of the HEARTBEAT 5014 * chunk to the destination address is successful. 5015 * 5016 * Mandatory attributes: 5017 * 5018 * o association id - local handle to the SCTP association 5019 * 5020 * o destination transport address - the transport address of the 5021 * association on which a heartbeat should be issued. 5022 */ 5023 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 5024 const struct sctp_endpoint *ep, 5025 const struct sctp_association *asoc, 5026 const sctp_subtype_t type, 5027 void *arg, 5028 sctp_cmd_seq_t *commands) 5029 { 5030 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5031 (struct sctp_transport *)arg, commands)) 5032 return SCTP_DISPOSITION_NOMEM; 5033 5034 /* 5035 * RFC 2960 (bis), section 8.3 5036 * 5037 * D) Request an on-demand HEARTBEAT on a specific destination 5038 * transport address of a given association. 5039 * 5040 * The endpoint should increment the respective error counter of 5041 * the destination transport address each time a HEARTBEAT is sent 5042 * to that address and not acknowledged within one RTO. 5043 * 5044 */ 5045 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5046 SCTP_TRANSPORT(arg)); 5047 return SCTP_DISPOSITION_CONSUME; 5048 } 5049 5050 /* 5051 * ADDIP Section 4.1 ASCONF Chunk Procedures 5052 * When an endpoint has an ASCONF signaled change to be sent to the 5053 * remote endpoint it should do A1 to A9 5054 */ 5055 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 5056 const struct sctp_association *asoc, 5057 const sctp_subtype_t type, 5058 void *arg, 5059 sctp_cmd_seq_t *commands) 5060 { 5061 struct sctp_chunk *chunk = arg; 5062 5063 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5064 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5065 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5066 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5067 return SCTP_DISPOSITION_CONSUME; 5068 } 5069 5070 /* 5071 * Ignore the primitive event 5072 * 5073 * The return value is the disposition of the primitive. 5074 */ 5075 sctp_disposition_t sctp_sf_ignore_primitive( 5076 const struct sctp_endpoint *ep, 5077 const struct sctp_association *asoc, 5078 const sctp_subtype_t type, 5079 void *arg, 5080 sctp_cmd_seq_t *commands) 5081 { 5082 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 5083 return SCTP_DISPOSITION_DISCARD; 5084 } 5085 5086 /*************************************************************************** 5087 * These are the state functions for the OTHER events. 5088 ***************************************************************************/ 5089 5090 /* 5091 * When the SCTP stack has no more user data to send or retransmit, this 5092 * notification is given to the user. Also, at the time when a user app 5093 * subscribes to this event, if there is no data to be sent or 5094 * retransmit, the stack will immediately send up this notification. 5095 */ 5096 sctp_disposition_t sctp_sf_do_no_pending_tsn( 5097 const struct sctp_endpoint *ep, 5098 const struct sctp_association *asoc, 5099 const sctp_subtype_t type, 5100 void *arg, 5101 sctp_cmd_seq_t *commands) 5102 { 5103 struct sctp_ulpevent *event; 5104 5105 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5106 if (!event) 5107 return SCTP_DISPOSITION_NOMEM; 5108 5109 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5110 5111 return SCTP_DISPOSITION_CONSUME; 5112 } 5113 5114 /* 5115 * Start the shutdown negotiation. 5116 * 5117 * From Section 9.2: 5118 * Once all its outstanding data has been acknowledged, the endpoint 5119 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5120 * TSN Ack field the last sequential TSN it has received from the peer. 5121 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5122 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5123 * with the updated last sequential TSN received from its peer. 5124 * 5125 * The return value is the disposition. 5126 */ 5127 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 5128 const struct sctp_endpoint *ep, 5129 const struct sctp_association *asoc, 5130 const sctp_subtype_t type, 5131 void *arg, 5132 sctp_cmd_seq_t *commands) 5133 { 5134 struct sctp_chunk *reply; 5135 5136 /* Once all its outstanding data has been acknowledged, the 5137 * endpoint shall send a SHUTDOWN chunk to its peer including 5138 * in the Cumulative TSN Ack field the last sequential TSN it 5139 * has received from the peer. 5140 */ 5141 reply = sctp_make_shutdown(asoc, NULL); 5142 if (!reply) 5143 goto nomem; 5144 5145 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5146 * T2-shutdown timer. 5147 */ 5148 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5149 5150 /* It shall then start the T2-shutdown timer */ 5151 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5152 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5153 5154 /* RFC 4960 Section 9.2 5155 * The sender of the SHUTDOWN MAY also start an overall guard timer 5156 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5157 */ 5158 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5159 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5160 5161 if (asoc->autoclose) 5162 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5163 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5164 5165 /* and enter the SHUTDOWN-SENT state. */ 5166 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5167 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5168 5169 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5170 * 5171 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5172 * or SHUTDOWN-ACK. 5173 */ 5174 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5175 5176 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5177 5178 return SCTP_DISPOSITION_CONSUME; 5179 5180 nomem: 5181 return SCTP_DISPOSITION_NOMEM; 5182 } 5183 5184 /* 5185 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5186 * 5187 * From Section 9.2: 5188 * 5189 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5190 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5191 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5192 * endpoint must re-send the SHUTDOWN ACK. 5193 * 5194 * The return value is the disposition. 5195 */ 5196 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5197 const struct sctp_endpoint *ep, 5198 const struct sctp_association *asoc, 5199 const sctp_subtype_t type, 5200 void *arg, 5201 sctp_cmd_seq_t *commands) 5202 { 5203 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5204 struct sctp_chunk *reply; 5205 5206 /* There are 2 ways of getting here: 5207 * 1) called in response to a SHUTDOWN chunk 5208 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5209 * 5210 * For the case (2), the arg parameter is set to NULL. We need 5211 * to check that we have a chunk before accessing it's fields. 5212 */ 5213 if (chunk) { 5214 if (!sctp_vtag_verify(chunk, asoc)) 5215 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 5216 5217 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5218 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5219 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 5220 commands); 5221 } 5222 5223 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5224 * shall send a SHUTDOWN ACK ... 5225 */ 5226 reply = sctp_make_shutdown_ack(asoc, chunk); 5227 if (!reply) 5228 goto nomem; 5229 5230 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5231 * the T2-shutdown timer. 5232 */ 5233 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5234 5235 /* and start/restart a T2-shutdown timer of its own, */ 5236 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5237 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5238 5239 if (asoc->autoclose) 5240 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5241 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5242 5243 /* Enter the SHUTDOWN-ACK-SENT state. */ 5244 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5245 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5246 5247 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5248 * 5249 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5250 * or SHUTDOWN-ACK. 5251 */ 5252 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5253 5254 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5255 5256 return SCTP_DISPOSITION_CONSUME; 5257 5258 nomem: 5259 return SCTP_DISPOSITION_NOMEM; 5260 } 5261 5262 /* 5263 * Ignore the event defined as other 5264 * 5265 * The return value is the disposition of the event. 5266 */ 5267 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 5268 const struct sctp_association *asoc, 5269 const sctp_subtype_t type, 5270 void *arg, 5271 sctp_cmd_seq_t *commands) 5272 { 5273 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 5274 return SCTP_DISPOSITION_DISCARD; 5275 } 5276 5277 /************************************************************ 5278 * These are the state functions for handling timeout events. 5279 ************************************************************/ 5280 5281 /* 5282 * RTX Timeout 5283 * 5284 * Section: 6.3.3 Handle T3-rtx Expiration 5285 * 5286 * Whenever the retransmission timer T3-rtx expires for a destination 5287 * address, do the following: 5288 * [See below] 5289 * 5290 * The return value is the disposition of the chunk. 5291 */ 5292 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 5293 const struct sctp_association *asoc, 5294 const sctp_subtype_t type, 5295 void *arg, 5296 sctp_cmd_seq_t *commands) 5297 { 5298 struct sctp_transport *transport = arg; 5299 5300 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 5301 5302 if (asoc->overall_error_count >= asoc->max_retrans) { 5303 if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5304 /* 5305 * We are here likely because the receiver had its rwnd 5306 * closed for a while and we have not been able to 5307 * transmit the locally queued data within the maximum 5308 * retransmission attempts limit. Start the T5 5309 * shutdown guard timer to give the receiver one last 5310 * chance and some additional time to recover before 5311 * aborting. 5312 */ 5313 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5314 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5315 } else { 5316 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5317 SCTP_ERROR(ETIMEDOUT)); 5318 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5319 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5320 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5321 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5322 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5323 return SCTP_DISPOSITION_DELETE_TCB; 5324 } 5325 } 5326 5327 /* E1) For the destination address for which the timer 5328 * expires, adjust its ssthresh with rules defined in Section 5329 * 7.2.3 and set the cwnd <- MTU. 5330 */ 5331 5332 /* E2) For the destination address for which the timer 5333 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5334 * maximum value discussed in rule C7 above (RTO.max) may be 5335 * used to provide an upper bound to this doubling operation. 5336 */ 5337 5338 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5339 * outstanding DATA chunks for the address for which the 5340 * T3-rtx has expired will fit into a single packet, subject 5341 * to the MTU constraint for the path corresponding to the 5342 * destination transport address to which the retransmission 5343 * is being sent (this may be different from the address for 5344 * which the timer expires [see Section 6.4]). Call this 5345 * value K. Bundle and retransmit those K DATA chunks in a 5346 * single packet to the destination endpoint. 5347 * 5348 * Note: Any DATA chunks that were sent to the address for 5349 * which the T3-rtx timer expired but did not fit in one MTU 5350 * (rule E3 above), should be marked for retransmission and 5351 * sent as soon as cwnd allows (normally when a SACK arrives). 5352 */ 5353 5354 /* Do some failure management (Section 8.2). */ 5355 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5356 5357 /* NB: Rules E4 and F1 are implicit in R1. */ 5358 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5359 5360 return SCTP_DISPOSITION_CONSUME; 5361 } 5362 5363 /* 5364 * Generate delayed SACK on timeout 5365 * 5366 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5367 * 5368 * The guidelines on delayed acknowledgement algorithm specified in 5369 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5370 * acknowledgement SHOULD be generated for at least every second packet 5371 * (not every second DATA chunk) received, and SHOULD be generated 5372 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5373 * some situations it may be beneficial for an SCTP transmitter to be 5374 * more conservative than the algorithms detailed in this document 5375 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5376 * the following algorithms allow. 5377 */ 5378 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 5379 const struct sctp_association *asoc, 5380 const sctp_subtype_t type, 5381 void *arg, 5382 sctp_cmd_seq_t *commands) 5383 { 5384 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 5385 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5386 return SCTP_DISPOSITION_CONSUME; 5387 } 5388 5389 /* 5390 * sctp_sf_t1_init_timer_expire 5391 * 5392 * Section: 4 Note: 2 5393 * Verification Tag: 5394 * Inputs 5395 * (endpoint, asoc) 5396 * 5397 * RFC 2960 Section 4 Notes 5398 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5399 * and re-start the T1-init timer without changing state. This MUST 5400 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5401 * endpoint MUST abort the initialization process and report the 5402 * error to SCTP user. 5403 * 5404 * Outputs 5405 * (timers, events) 5406 * 5407 */ 5408 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 5409 const struct sctp_association *asoc, 5410 const sctp_subtype_t type, 5411 void *arg, 5412 sctp_cmd_seq_t *commands) 5413 { 5414 struct sctp_chunk *repl = NULL; 5415 struct sctp_bind_addr *bp; 5416 int attempts = asoc->init_err_counter + 1; 5417 5418 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 5419 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 5420 5421 if (attempts <= asoc->max_init_attempts) { 5422 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5423 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5424 if (!repl) 5425 return SCTP_DISPOSITION_NOMEM; 5426 5427 /* Choose transport for INIT. */ 5428 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5429 SCTP_CHUNK(repl)); 5430 5431 /* Issue a sideeffect to do the needed accounting. */ 5432 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5433 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5434 5435 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5436 } else { 5437 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 5438 " max_init_attempts: %d\n", 5439 attempts, asoc->max_init_attempts); 5440 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5441 SCTP_ERROR(ETIMEDOUT)); 5442 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5443 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5444 return SCTP_DISPOSITION_DELETE_TCB; 5445 } 5446 5447 return SCTP_DISPOSITION_CONSUME; 5448 } 5449 5450 /* 5451 * sctp_sf_t1_cookie_timer_expire 5452 * 5453 * Section: 4 Note: 2 5454 * Verification Tag: 5455 * Inputs 5456 * (endpoint, asoc) 5457 * 5458 * RFC 2960 Section 4 Notes 5459 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5460 * COOKIE ECHO and re-start the T1-cookie timer without changing 5461 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5462 * After that, the endpoint MUST abort the initialization process and 5463 * report the error to SCTP user. 5464 * 5465 * Outputs 5466 * (timers, events) 5467 * 5468 */ 5469 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 5470 const struct sctp_association *asoc, 5471 const sctp_subtype_t type, 5472 void *arg, 5473 sctp_cmd_seq_t *commands) 5474 { 5475 struct sctp_chunk *repl = NULL; 5476 int attempts = asoc->init_err_counter + 1; 5477 5478 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 5479 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 5480 5481 if (attempts <= asoc->max_init_attempts) { 5482 repl = sctp_make_cookie_echo(asoc, NULL); 5483 if (!repl) 5484 return SCTP_DISPOSITION_NOMEM; 5485 5486 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5487 SCTP_CHUNK(repl)); 5488 /* Issue a sideeffect to do the needed accounting. */ 5489 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5490 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5491 5492 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5493 } else { 5494 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5495 SCTP_ERROR(ETIMEDOUT)); 5496 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5497 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5498 return SCTP_DISPOSITION_DELETE_TCB; 5499 } 5500 5501 return SCTP_DISPOSITION_CONSUME; 5502 } 5503 5504 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5505 * with the updated last sequential TSN received from its peer. 5506 * 5507 * An endpoint should limit the number of retransmissions of the 5508 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5509 * If this threshold is exceeded the endpoint should destroy the TCB and 5510 * MUST report the peer endpoint unreachable to the upper layer (and 5511 * thus the association enters the CLOSED state). The reception of any 5512 * packet from its peer (i.e. as the peer sends all of its queued DATA 5513 * chunks) should clear the endpoint's retransmission count and restart 5514 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5515 * all of its queued DATA chunks that have not yet been sent. 5516 */ 5517 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 5518 const struct sctp_association *asoc, 5519 const sctp_subtype_t type, 5520 void *arg, 5521 sctp_cmd_seq_t *commands) 5522 { 5523 struct sctp_chunk *reply = NULL; 5524 5525 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 5526 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5527 5528 ((struct sctp_association *)asoc)->shutdown_retries++; 5529 5530 if (asoc->overall_error_count >= asoc->max_retrans) { 5531 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5532 SCTP_ERROR(ETIMEDOUT)); 5533 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5534 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5535 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5536 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5537 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5538 return SCTP_DISPOSITION_DELETE_TCB; 5539 } 5540 5541 switch (asoc->state) { 5542 case SCTP_STATE_SHUTDOWN_SENT: 5543 reply = sctp_make_shutdown(asoc, NULL); 5544 break; 5545 5546 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5547 reply = sctp_make_shutdown_ack(asoc, NULL); 5548 break; 5549 5550 default: 5551 BUG(); 5552 break; 5553 } 5554 5555 if (!reply) 5556 goto nomem; 5557 5558 /* Do some failure management (Section 8.2). 5559 * If we remove the transport an SHUTDOWN was last sent to, don't 5560 * do failure management. 5561 */ 5562 if (asoc->shutdown_last_sent_to) 5563 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5564 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5565 5566 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5567 * the T2-shutdown timer. 5568 */ 5569 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5570 5571 /* Restart the T2-shutdown timer. */ 5572 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5573 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5574 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5575 return SCTP_DISPOSITION_CONSUME; 5576 5577 nomem: 5578 return SCTP_DISPOSITION_NOMEM; 5579 } 5580 5581 /* 5582 * ADDIP Section 4.1 ASCONF CHunk Procedures 5583 * If the T4 RTO timer expires the endpoint should do B1 to B5 5584 */ 5585 sctp_disposition_t sctp_sf_t4_timer_expire( 5586 const struct sctp_endpoint *ep, 5587 const struct sctp_association *asoc, 5588 const sctp_subtype_t type, 5589 void *arg, 5590 sctp_cmd_seq_t *commands) 5591 { 5592 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5593 struct sctp_transport *transport = chunk->transport; 5594 5595 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 5596 5597 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5598 * detection on the appropriate destination address as defined in 5599 * RFC2960 [5] section 8.1 and 8.2. 5600 */ 5601 if (transport) 5602 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5603 SCTP_TRANSPORT(transport)); 5604 5605 /* Reconfig T4 timer and transport. */ 5606 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5607 5608 /* ADDIP 4.1 B2) Increment the association error counters and perform 5609 * endpoint failure detection on the association as defined in 5610 * RFC2960 [5] section 8.1 and 8.2. 5611 * association error counter is incremented in SCTP_CMD_STRIKE. 5612 */ 5613 if (asoc->overall_error_count >= asoc->max_retrans) { 5614 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5615 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5616 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5617 SCTP_ERROR(ETIMEDOUT)); 5618 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5619 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5620 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5621 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5622 return SCTP_DISPOSITION_ABORT; 5623 } 5624 5625 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5626 * the ASCONF chunk was sent by doubling the RTO timer value. 5627 * This is done in SCTP_CMD_STRIKE. 5628 */ 5629 5630 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5631 * choose an alternate destination address (please refer to RFC2960 5632 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5633 * chunk, it MUST be the same (including its serial number) as the last 5634 * ASCONF sent. 5635 */ 5636 sctp_chunk_hold(asoc->addip_last_asconf); 5637 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5638 SCTP_CHUNK(asoc->addip_last_asconf)); 5639 5640 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5641 * destination is selected, then the RTO used will be that of the new 5642 * destination address. 5643 */ 5644 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5645 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5646 5647 return SCTP_DISPOSITION_CONSUME; 5648 } 5649 5650 /* sctpimpguide-05 Section 2.12.2 5651 * The sender of the SHUTDOWN MAY also start an overall guard timer 5652 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5653 * At the expiration of this timer the sender SHOULD abort the association 5654 * by sending an ABORT chunk. 5655 */ 5656 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 5657 const struct sctp_association *asoc, 5658 const sctp_subtype_t type, 5659 void *arg, 5660 sctp_cmd_seq_t *commands) 5661 { 5662 struct sctp_chunk *reply = NULL; 5663 5664 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 5665 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5666 5667 reply = sctp_make_abort(asoc, NULL, 0); 5668 if (!reply) 5669 goto nomem; 5670 5671 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5672 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5673 SCTP_ERROR(ETIMEDOUT)); 5674 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5675 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5676 5677 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5678 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5679 5680 return SCTP_DISPOSITION_DELETE_TCB; 5681 nomem: 5682 return SCTP_DISPOSITION_NOMEM; 5683 } 5684 5685 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5686 * the association is automatically closed by starting the shutdown process. 5687 * The work that needs to be done is same as when SHUTDOWN is initiated by 5688 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5689 */ 5690 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5691 const struct sctp_endpoint *ep, 5692 const struct sctp_association *asoc, 5693 const sctp_subtype_t type, 5694 void *arg, 5695 sctp_cmd_seq_t *commands) 5696 { 5697 int disposition; 5698 5699 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 5700 5701 /* From 9.2 Shutdown of an Association 5702 * Upon receipt of the SHUTDOWN primitive from its upper 5703 * layer, the endpoint enters SHUTDOWN-PENDING state and 5704 * remains there until all outstanding data has been 5705 * acknowledged by its peer. The endpoint accepts no new data 5706 * from its upper layer, but retransmits data to the far end 5707 * if necessary to fill gaps. 5708 */ 5709 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5710 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5711 5712 disposition = SCTP_DISPOSITION_CONSUME; 5713 if (sctp_outq_is_empty(&asoc->outqueue)) { 5714 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 5715 arg, commands); 5716 } 5717 return disposition; 5718 } 5719 5720 /***************************************************************************** 5721 * These are sa state functions which could apply to all types of events. 5722 ****************************************************************************/ 5723 5724 /* 5725 * This table entry is not implemented. 5726 * 5727 * Inputs 5728 * (endpoint, asoc, chunk) 5729 * 5730 * The return value is the disposition of the chunk. 5731 */ 5732 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 5733 const struct sctp_association *asoc, 5734 const sctp_subtype_t type, 5735 void *arg, 5736 sctp_cmd_seq_t *commands) 5737 { 5738 return SCTP_DISPOSITION_NOT_IMPL; 5739 } 5740 5741 /* 5742 * This table entry represents a bug. 5743 * 5744 * Inputs 5745 * (endpoint, asoc, chunk) 5746 * 5747 * The return value is the disposition of the chunk. 5748 */ 5749 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 5750 const struct sctp_association *asoc, 5751 const sctp_subtype_t type, 5752 void *arg, 5753 sctp_cmd_seq_t *commands) 5754 { 5755 return SCTP_DISPOSITION_BUG; 5756 } 5757 5758 /* 5759 * This table entry represents the firing of a timer in the wrong state. 5760 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5761 * when the association is in the wrong state. This event should 5762 * be ignored, so as to prevent any rearming of the timer. 5763 * 5764 * Inputs 5765 * (endpoint, asoc, chunk) 5766 * 5767 * The return value is the disposition of the chunk. 5768 */ 5769 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 5770 const struct sctp_association *asoc, 5771 const sctp_subtype_t type, 5772 void *arg, 5773 sctp_cmd_seq_t *commands) 5774 { 5775 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5776 return SCTP_DISPOSITION_CONSUME; 5777 } 5778 5779 /******************************************************************** 5780 * 2nd Level Abstractions 5781 ********************************************************************/ 5782 5783 /* Pull the SACK chunk based on the SACK header. */ 5784 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5785 { 5786 struct sctp_sackhdr *sack; 5787 unsigned int len; 5788 __u16 num_blocks; 5789 __u16 num_dup_tsns; 5790 5791 /* Protect ourselves from reading too far into 5792 * the skb from a bogus sender. 5793 */ 5794 sack = (struct sctp_sackhdr *) chunk->skb->data; 5795 5796 num_blocks = ntohs(sack->num_gap_ack_blocks); 5797 num_dup_tsns = ntohs(sack->num_dup_tsns); 5798 len = sizeof(struct sctp_sackhdr); 5799 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5800 if (len > chunk->skb->len) 5801 return NULL; 5802 5803 skb_pull(chunk->skb, len); 5804 5805 return sack; 5806 } 5807 5808 /* Create an ABORT packet to be sent as a response, with the specified 5809 * error causes. 5810 */ 5811 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5812 const struct sctp_association *asoc, 5813 struct sctp_chunk *chunk, 5814 const void *payload, 5815 size_t paylen) 5816 { 5817 struct sctp_packet *packet; 5818 struct sctp_chunk *abort; 5819 5820 packet = sctp_ootb_pkt_new(asoc, chunk); 5821 5822 if (packet) { 5823 /* Make an ABORT. 5824 * The T bit will be set if the asoc is NULL. 5825 */ 5826 abort = sctp_make_abort(asoc, chunk, paylen); 5827 if (!abort) { 5828 sctp_ootb_pkt_free(packet); 5829 return NULL; 5830 } 5831 5832 /* Reflect vtag if T-Bit is set */ 5833 if (sctp_test_T_bit(abort)) 5834 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5835 5836 /* Add specified error causes, i.e., payload, to the 5837 * end of the chunk. 5838 */ 5839 sctp_addto_chunk(abort, paylen, payload); 5840 5841 /* Set the skb to the belonging sock for accounting. */ 5842 abort->skb->sk = ep->base.sk; 5843 5844 sctp_packet_append_chunk(packet, abort); 5845 5846 } 5847 5848 return packet; 5849 } 5850 5851 /* Allocate a packet for responding in the OOTB conditions. */ 5852 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5853 const struct sctp_chunk *chunk) 5854 { 5855 struct sctp_packet *packet; 5856 struct sctp_transport *transport; 5857 __u16 sport; 5858 __u16 dport; 5859 __u32 vtag; 5860 5861 /* Get the source and destination port from the inbound packet. */ 5862 sport = ntohs(chunk->sctp_hdr->dest); 5863 dport = ntohs(chunk->sctp_hdr->source); 5864 5865 /* The V-tag is going to be the same as the inbound packet if no 5866 * association exists, otherwise, use the peer's vtag. 5867 */ 5868 if (asoc) { 5869 /* Special case the INIT-ACK as there is no peer's vtag 5870 * yet. 5871 */ 5872 switch(chunk->chunk_hdr->type) { 5873 case SCTP_CID_INIT_ACK: 5874 { 5875 sctp_initack_chunk_t *initack; 5876 5877 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 5878 vtag = ntohl(initack->init_hdr.init_tag); 5879 break; 5880 } 5881 default: 5882 vtag = asoc->peer.i.init_tag; 5883 break; 5884 } 5885 } else { 5886 /* Special case the INIT and stale COOKIE_ECHO as there is no 5887 * vtag yet. 5888 */ 5889 switch(chunk->chunk_hdr->type) { 5890 case SCTP_CID_INIT: 5891 { 5892 sctp_init_chunk_t *init; 5893 5894 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5895 vtag = ntohl(init->init_hdr.init_tag); 5896 break; 5897 } 5898 default: 5899 vtag = ntohl(chunk->sctp_hdr->vtag); 5900 break; 5901 } 5902 } 5903 5904 /* Make a transport for the bucket, Eliza... */ 5905 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5906 if (!transport) 5907 goto nomem; 5908 5909 /* Cache a route for the transport with the chunk's destination as 5910 * the source address. 5911 */ 5912 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5913 sctp_sk(sctp_get_ctl_sock())); 5914 5915 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5916 packet = sctp_packet_config(packet, vtag, 0); 5917 5918 return packet; 5919 5920 nomem: 5921 return NULL; 5922 } 5923 5924 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5925 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5926 { 5927 sctp_transport_free(packet->transport); 5928 } 5929 5930 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5931 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5932 const struct sctp_association *asoc, 5933 const struct sctp_chunk *chunk, 5934 sctp_cmd_seq_t *commands, 5935 struct sctp_chunk *err_chunk) 5936 { 5937 struct sctp_packet *packet; 5938 5939 if (err_chunk) { 5940 packet = sctp_ootb_pkt_new(asoc, chunk); 5941 if (packet) { 5942 struct sctp_signed_cookie *cookie; 5943 5944 /* Override the OOTB vtag from the cookie. */ 5945 cookie = chunk->subh.cookie_hdr; 5946 packet->vtag = cookie->c.peer_vtag; 5947 5948 /* Set the skb to the belonging sock for accounting. */ 5949 err_chunk->skb->sk = ep->base.sk; 5950 sctp_packet_append_chunk(packet, err_chunk); 5951 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5952 SCTP_PACKET(packet)); 5953 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5954 } else 5955 sctp_chunk_free (err_chunk); 5956 } 5957 } 5958 5959 5960 /* Process a data chunk */ 5961 static int sctp_eat_data(const struct sctp_association *asoc, 5962 struct sctp_chunk *chunk, 5963 sctp_cmd_seq_t *commands) 5964 { 5965 sctp_datahdr_t *data_hdr; 5966 struct sctp_chunk *err; 5967 size_t datalen; 5968 sctp_verb_t deliver; 5969 int tmp; 5970 __u32 tsn; 5971 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5972 struct sock *sk = asoc->base.sk; 5973 u16 ssn; 5974 u16 sid; 5975 u8 ordered = 0; 5976 5977 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5978 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5979 5980 tsn = ntohl(data_hdr->tsn); 5981 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5982 5983 /* ASSERT: Now skb->data is really the user data. */ 5984 5985 /* Process ECN based congestion. 5986 * 5987 * Since the chunk structure is reused for all chunks within 5988 * a packet, we use ecn_ce_done to track if we've already 5989 * done CE processing for this packet. 5990 * 5991 * We need to do ECN processing even if we plan to discard the 5992 * chunk later. 5993 */ 5994 5995 if (!chunk->ecn_ce_done) { 5996 struct sctp_af *af; 5997 chunk->ecn_ce_done = 1; 5998 5999 af = sctp_get_af_specific( 6000 ipver2af(ip_hdr(chunk->skb)->version)); 6001 6002 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 6003 /* Do real work as sideffect. */ 6004 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6005 SCTP_U32(tsn)); 6006 } 6007 } 6008 6009 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6010 if (tmp < 0) { 6011 /* The TSN is too high--silently discard the chunk and 6012 * count on it getting retransmitted later. 6013 */ 6014 return SCTP_IERROR_HIGH_TSN; 6015 } else if (tmp > 0) { 6016 /* This is a duplicate. Record it. */ 6017 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6018 return SCTP_IERROR_DUP_TSN; 6019 } 6020 6021 /* This is a new TSN. */ 6022 6023 /* Discard if there is no room in the receive window. 6024 * Actually, allow a little bit of overflow (up to a MTU). 6025 */ 6026 datalen = ntohs(chunk->chunk_hdr->length); 6027 datalen -= sizeof(sctp_data_chunk_t); 6028 6029 deliver = SCTP_CMD_CHUNK_ULP; 6030 6031 /* Think about partial delivery. */ 6032 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6033 6034 /* Even if we don't accept this chunk there is 6035 * memory pressure. 6036 */ 6037 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6038 } 6039 6040 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6041 * seems a bit troublesome in that frag_point varies based on 6042 * PMTU. In cases, such as loopback, this might be a rather 6043 * large spill over. 6044 */ 6045 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6046 (datalen > asoc->rwnd + asoc->frag_point))) { 6047 6048 /* If this is the next TSN, consider reneging to make 6049 * room. Note: Playing nice with a confused sender. A 6050 * malicious sender can still eat up all our buffer 6051 * space and in the future we may want to detect and 6052 * do more drastic reneging. 6053 */ 6054 if (sctp_tsnmap_has_gap(map) && 6055 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6056 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 6057 deliver = SCTP_CMD_RENEGE; 6058 } else { 6059 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 6060 "rwnd: %d\n", tsn, datalen, 6061 asoc->rwnd); 6062 return SCTP_IERROR_IGNORE_TSN; 6063 } 6064 } 6065 6066 /* 6067 * Also try to renege to limit our memory usage in the event that 6068 * we are under memory pressure 6069 * If we can't renege, don't worry about it, the sk_rmem_schedule 6070 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6071 * memory usage too much 6072 */ 6073 if (*sk->sk_prot_creator->memory_pressure) { 6074 if (sctp_tsnmap_has_gap(map) && 6075 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6076 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn); 6077 deliver = SCTP_CMD_RENEGE; 6078 } 6079 } 6080 6081 /* 6082 * Section 3.3.10.9 No User Data (9) 6083 * 6084 * Cause of error 6085 * --------------- 6086 * No User Data: This error cause is returned to the originator of a 6087 * DATA chunk if a received DATA chunk has no user data. 6088 */ 6089 if (unlikely(0 == datalen)) { 6090 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6091 if (err) { 6092 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6093 SCTP_CHUNK(err)); 6094 } 6095 /* We are going to ABORT, so we might as well stop 6096 * processing the rest of the chunks in the packet. 6097 */ 6098 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 6099 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6100 SCTP_ERROR(ECONNABORTED)); 6101 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6102 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6103 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 6104 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 6105 return SCTP_IERROR_NO_DATA; 6106 } 6107 6108 chunk->data_accepted = 1; 6109 6110 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6111 * if we renege and the chunk arrives again. 6112 */ 6113 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 6114 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 6115 else { 6116 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 6117 ordered = 1; 6118 } 6119 6120 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6121 * 6122 * If an endpoint receive a DATA chunk with an invalid stream 6123 * identifier, it shall acknowledge the reception of the DATA chunk 6124 * following the normal procedure, immediately send an ERROR chunk 6125 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6126 * and discard the DATA chunk. 6127 */ 6128 sid = ntohs(data_hdr->stream); 6129 if (sid >= asoc->c.sinit_max_instreams) { 6130 /* Mark tsn as received even though we drop it */ 6131 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6132 6133 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6134 &data_hdr->stream, 6135 sizeof(data_hdr->stream), 6136 sizeof(u16)); 6137 if (err) 6138 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6139 SCTP_CHUNK(err)); 6140 return SCTP_IERROR_BAD_STREAM; 6141 } 6142 6143 /* Check to see if the SSN is possible for this TSN. 6144 * The biggest gap we can record is 4K wide. Since SSNs wrap 6145 * at an unsigned short, there is no way that an SSN can 6146 * wrap and for a valid TSN. We can simply check if the current 6147 * SSN is smaller then the next expected one. If it is, it wrapped 6148 * and is invalid. 6149 */ 6150 ssn = ntohs(data_hdr->ssn); 6151 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) { 6152 return SCTP_IERROR_PROTO_VIOLATION; 6153 } 6154 6155 /* Send the data up to the user. Note: Schedule the 6156 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6157 * chunk needs the updated rwnd. 6158 */ 6159 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6160 6161 return SCTP_IERROR_NO_ERROR; 6162 } 6163