1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, see 26 * <http://www.gnu.org/licenses/>. 27 * 28 * Please send any bug reports or fixes you make to the 29 * email address(es): 30 * lksctp developers <linux-sctp@vger.kernel.org> 31 * 32 * Written or modified by: 33 * La Monte H.P. Yarroll <piggy@acm.org> 34 * Karl Knutson <karl@athena.chicago.il.us> 35 * Mathew Kotowsky <kotowsky@sctp.org> 36 * Sridhar Samudrala <samudrala@us.ibm.com> 37 * Jon Grimm <jgrimm@us.ibm.com> 38 * Hui Huang <hui.huang@nokia.com> 39 * Dajiang Zhang <dajiang.zhang@nokia.com> 40 * Daisy Chang <daisyc@us.ibm.com> 41 * Ardelle Fan <ardelle.fan@intel.com> 42 * Ryan Layer <rmlayer@us.ibm.com> 43 * Kevin Gao <kevin.gao@intel.com> 44 */ 45 46 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 47 48 #include <linux/types.h> 49 #include <linux/kernel.h> 50 #include <linux/ip.h> 51 #include <linux/ipv6.h> 52 #include <linux/net.h> 53 #include <linux/inet.h> 54 #include <linux/slab.h> 55 #include <net/sock.h> 56 #include <net/inet_ecn.h> 57 #include <linux/skbuff.h> 58 #include <net/sctp/sctp.h> 59 #include <net/sctp/sm.h> 60 #include <net/sctp/structs.h> 61 62 static struct sctp_packet *sctp_abort_pkt_new(struct net *net, 63 const struct sctp_endpoint *ep, 64 const struct sctp_association *asoc, 65 struct sctp_chunk *chunk, 66 const void *payload, 67 size_t paylen); 68 static int sctp_eat_data(const struct sctp_association *asoc, 69 struct sctp_chunk *chunk, 70 sctp_cmd_seq_t *commands); 71 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net, 72 const struct sctp_association *asoc, 73 const struct sctp_chunk *chunk); 74 static void sctp_send_stale_cookie_err(struct net *net, 75 const struct sctp_endpoint *ep, 76 const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk, 78 sctp_cmd_seq_t *commands, 79 struct sctp_chunk *err_chunk); 80 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net, 81 const struct sctp_endpoint *ep, 82 const struct sctp_association *asoc, 83 const sctp_subtype_t type, 84 void *arg, 85 sctp_cmd_seq_t *commands); 86 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net, 87 const struct sctp_endpoint *ep, 88 const struct sctp_association *asoc, 89 const sctp_subtype_t type, 90 void *arg, 91 sctp_cmd_seq_t *commands); 92 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net, 93 const struct sctp_endpoint *ep, 94 const struct sctp_association *asoc, 95 const sctp_subtype_t type, 96 void *arg, 97 sctp_cmd_seq_t *commands); 98 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 99 100 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net, 101 sctp_cmd_seq_t *commands, 102 __be16 error, int sk_err, 103 const struct sctp_association *asoc, 104 struct sctp_transport *transport); 105 106 static sctp_disposition_t sctp_sf_abort_violation( 107 struct net *net, 108 const struct sctp_endpoint *ep, 109 const struct sctp_association *asoc, 110 void *arg, 111 sctp_cmd_seq_t *commands, 112 const __u8 *payload, 113 const size_t paylen); 114 115 static sctp_disposition_t sctp_sf_violation_chunklen( 116 struct net *net, 117 const struct sctp_endpoint *ep, 118 const struct sctp_association *asoc, 119 const sctp_subtype_t type, 120 void *arg, 121 sctp_cmd_seq_t *commands); 122 123 static sctp_disposition_t sctp_sf_violation_paramlen( 124 struct net *net, 125 const struct sctp_endpoint *ep, 126 const struct sctp_association *asoc, 127 const sctp_subtype_t type, 128 void *arg, void *ext, 129 sctp_cmd_seq_t *commands); 130 131 static sctp_disposition_t sctp_sf_violation_ctsn( 132 struct net *net, 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const sctp_subtype_t type, 136 void *arg, 137 sctp_cmd_seq_t *commands); 138 139 static sctp_disposition_t sctp_sf_violation_chunk( 140 struct net *net, 141 const struct sctp_endpoint *ep, 142 const struct sctp_association *asoc, 143 const sctp_subtype_t type, 144 void *arg, 145 sctp_cmd_seq_t *commands); 146 147 static sctp_ierror_t sctp_sf_authenticate(struct net *net, 148 const struct sctp_endpoint *ep, 149 const struct sctp_association *asoc, 150 const sctp_subtype_t type, 151 struct sctp_chunk *chunk); 152 153 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net, 154 const struct sctp_endpoint *ep, 155 const struct sctp_association *asoc, 156 const sctp_subtype_t type, 157 void *arg, 158 sctp_cmd_seq_t *commands); 159 160 /* Small helper function that checks if the chunk length 161 * is of the appropriate length. The 'required_length' argument 162 * is set to be the size of a specific chunk we are testing. 163 * Return Values: 1 = Valid length 164 * 0 = Invalid length 165 * 166 */ 167 static inline int 168 sctp_chunk_length_valid(struct sctp_chunk *chunk, 169 __u16 required_length) 170 { 171 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 172 173 /* Previously already marked? */ 174 if (unlikely(chunk->pdiscard)) 175 return 0; 176 if (unlikely(chunk_length < required_length)) 177 return 0; 178 179 return 1; 180 } 181 182 /********************************************************** 183 * These are the state functions for handling chunk events. 184 **********************************************************/ 185 186 /* 187 * Process the final SHUTDOWN COMPLETE. 188 * 189 * Section: 4 (C) (diagram), 9.2 190 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 191 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 192 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 193 * should stop the T2-shutdown timer and remove all knowledge of the 194 * association (and thus the association enters the CLOSED state). 195 * 196 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 197 * C) Rules for packet carrying SHUTDOWN COMPLETE: 198 * ... 199 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 200 * if the Verification Tag field of the packet matches its own tag and 201 * the T bit is not set 202 * OR 203 * it is set to its peer's tag and the T bit is set in the Chunk 204 * Flags. 205 * Otherwise, the receiver MUST silently discard the packet 206 * and take no further action. An endpoint MUST ignore the 207 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 208 * 209 * Inputs 210 * (endpoint, asoc, chunk) 211 * 212 * Outputs 213 * (asoc, reply_msg, msg_up, timers, counters) 214 * 215 * The return value is the disposition of the chunk. 216 */ 217 sctp_disposition_t sctp_sf_do_4_C(struct net *net, 218 const struct sctp_endpoint *ep, 219 const struct sctp_association *asoc, 220 const sctp_subtype_t type, 221 void *arg, 222 sctp_cmd_seq_t *commands) 223 { 224 struct sctp_chunk *chunk = arg; 225 struct sctp_ulpevent *ev; 226 227 if (!sctp_vtag_verify_either(chunk, asoc)) 228 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 229 230 /* RFC 2960 6.10 Bundling 231 * 232 * An endpoint MUST NOT bundle INIT, INIT ACK or 233 * SHUTDOWN COMPLETE with any other chunks. 234 */ 235 if (!chunk->singleton) 236 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 237 238 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 239 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 240 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 241 commands); 242 243 /* RFC 2960 10.2 SCTP-to-ULP 244 * 245 * H) SHUTDOWN COMPLETE notification 246 * 247 * When SCTP completes the shutdown procedures (section 9.2) this 248 * notification is passed to the upper layer. 249 */ 250 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 251 0, 0, 0, NULL, GFP_ATOMIC); 252 if (ev) 253 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 254 SCTP_ULPEVENT(ev)); 255 256 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 257 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 258 * not the chunk should be discarded. If the endpoint is in 259 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 260 * T2-shutdown timer and remove all knowledge of the 261 * association (and thus the association enters the CLOSED 262 * state). 263 */ 264 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 265 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 266 267 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 268 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 269 270 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 271 SCTP_STATE(SCTP_STATE_CLOSED)); 272 273 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 274 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 275 276 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 277 278 return SCTP_DISPOSITION_DELETE_TCB; 279 } 280 281 /* 282 * Respond to a normal INIT chunk. 283 * We are the side that is being asked for an association. 284 * 285 * Section: 5.1 Normal Establishment of an Association, B 286 * B) "Z" shall respond immediately with an INIT ACK chunk. The 287 * destination IP address of the INIT ACK MUST be set to the source 288 * IP address of the INIT to which this INIT ACK is responding. In 289 * the response, besides filling in other parameters, "Z" must set the 290 * Verification Tag field to Tag_A, and also provide its own 291 * Verification Tag (Tag_Z) in the Initiate Tag field. 292 * 293 * Verification Tag: Must be 0. 294 * 295 * Inputs 296 * (endpoint, asoc, chunk) 297 * 298 * Outputs 299 * (asoc, reply_msg, msg_up, timers, counters) 300 * 301 * The return value is the disposition of the chunk. 302 */ 303 sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net, 304 const struct sctp_endpoint *ep, 305 const struct sctp_association *asoc, 306 const sctp_subtype_t type, 307 void *arg, 308 sctp_cmd_seq_t *commands) 309 { 310 struct sctp_chunk *chunk = arg; 311 struct sctp_chunk *repl; 312 struct sctp_association *new_asoc; 313 struct sctp_chunk *err_chunk; 314 struct sctp_packet *packet; 315 sctp_unrecognized_param_t *unk_param; 316 int len; 317 318 /* 6.10 Bundling 319 * An endpoint MUST NOT bundle INIT, INIT ACK or 320 * SHUTDOWN COMPLETE with any other chunks. 321 * 322 * IG Section 2.11.2 323 * Furthermore, we require that the receiver of an INIT chunk MUST 324 * enforce these rules by silently discarding an arriving packet 325 * with an INIT chunk that is bundled with other chunks. 326 */ 327 if (!chunk->singleton) 328 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 329 330 /* If the packet is an OOTB packet which is temporarily on the 331 * control endpoint, respond with an ABORT. 332 */ 333 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 334 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 335 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 336 } 337 338 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 339 * Tag. 340 */ 341 if (chunk->sctp_hdr->vtag != 0) 342 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 343 344 /* Make sure that the INIT chunk has a valid length. 345 * Normally, this would cause an ABORT with a Protocol Violation 346 * error, but since we don't have an association, we'll 347 * just discard the packet. 348 */ 349 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 350 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 351 352 /* If the INIT is coming toward a closing socket, we'll send back 353 * and ABORT. Essentially, this catches the race of INIT being 354 * backloged to the socket at the same time as the user isses close(). 355 * Since the socket and all its associations are going away, we 356 * can treat this OOTB 357 */ 358 if (sctp_sstate(ep->base.sk, CLOSING)) 359 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 360 361 /* Verify the INIT chunk before processing it. */ 362 err_chunk = NULL; 363 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 364 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 365 &err_chunk)) { 366 /* This chunk contains fatal error. It is to be discarded. 367 * Send an ABORT, with causes if there is any. 368 */ 369 if (err_chunk) { 370 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 371 (__u8 *)(err_chunk->chunk_hdr) + 372 sizeof(sctp_chunkhdr_t), 373 ntohs(err_chunk->chunk_hdr->length) - 374 sizeof(sctp_chunkhdr_t)); 375 376 sctp_chunk_free(err_chunk); 377 378 if (packet) { 379 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 380 SCTP_PACKET(packet)); 381 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 382 return SCTP_DISPOSITION_CONSUME; 383 } else { 384 return SCTP_DISPOSITION_NOMEM; 385 } 386 } else { 387 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 388 commands); 389 } 390 } 391 392 /* Grab the INIT header. */ 393 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 394 395 /* Tag the variable length parameters. */ 396 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 397 398 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 399 if (!new_asoc) 400 goto nomem; 401 402 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 403 sctp_scope(sctp_source(chunk)), 404 GFP_ATOMIC) < 0) 405 goto nomem_init; 406 407 /* The call, sctp_process_init(), can fail on memory allocation. */ 408 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 409 (sctp_init_chunk_t *)chunk->chunk_hdr, 410 GFP_ATOMIC)) 411 goto nomem_init; 412 413 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 414 415 /* If there are errors need to be reported for unknown parameters, 416 * make sure to reserve enough room in the INIT ACK for them. 417 */ 418 len = 0; 419 if (err_chunk) 420 len = ntohs(err_chunk->chunk_hdr->length) - 421 sizeof(sctp_chunkhdr_t); 422 423 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 424 if (!repl) 425 goto nomem_init; 426 427 /* If there are errors need to be reported for unknown parameters, 428 * include them in the outgoing INIT ACK as "Unrecognized parameter" 429 * parameter. 430 */ 431 if (err_chunk) { 432 /* Get the "Unrecognized parameter" parameter(s) out of the 433 * ERROR chunk generated by sctp_verify_init(). Since the 434 * error cause code for "unknown parameter" and the 435 * "Unrecognized parameter" type is the same, we can 436 * construct the parameters in INIT ACK by copying the 437 * ERROR causes over. 438 */ 439 unk_param = (sctp_unrecognized_param_t *) 440 ((__u8 *)(err_chunk->chunk_hdr) + 441 sizeof(sctp_chunkhdr_t)); 442 /* Replace the cause code with the "Unrecognized parameter" 443 * parameter type. 444 */ 445 sctp_addto_chunk(repl, len, unk_param); 446 sctp_chunk_free(err_chunk); 447 } 448 449 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 450 451 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 452 453 /* 454 * Note: After sending out INIT ACK with the State Cookie parameter, 455 * "Z" MUST NOT allocate any resources, nor keep any states for the 456 * new association. Otherwise, "Z" will be vulnerable to resource 457 * attacks. 458 */ 459 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 460 461 return SCTP_DISPOSITION_DELETE_TCB; 462 463 nomem_init: 464 sctp_association_free(new_asoc); 465 nomem: 466 if (err_chunk) 467 sctp_chunk_free(err_chunk); 468 return SCTP_DISPOSITION_NOMEM; 469 } 470 471 /* 472 * Respond to a normal INIT ACK chunk. 473 * We are the side that is initiating the association. 474 * 475 * Section: 5.1 Normal Establishment of an Association, C 476 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 477 * timer and leave COOKIE-WAIT state. "A" shall then send the State 478 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 479 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 480 * 481 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 482 * DATA chunks, but it MUST be the first chunk in the packet and 483 * until the COOKIE ACK is returned the sender MUST NOT send any 484 * other packets to the peer. 485 * 486 * Verification Tag: 3.3.3 487 * If the value of the Initiate Tag in a received INIT ACK chunk is 488 * found to be 0, the receiver MUST treat it as an error and close the 489 * association by transmitting an ABORT. 490 * 491 * Inputs 492 * (endpoint, asoc, chunk) 493 * 494 * Outputs 495 * (asoc, reply_msg, msg_up, timers, counters) 496 * 497 * The return value is the disposition of the chunk. 498 */ 499 sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net, 500 const struct sctp_endpoint *ep, 501 const struct sctp_association *asoc, 502 const sctp_subtype_t type, 503 void *arg, 504 sctp_cmd_seq_t *commands) 505 { 506 struct sctp_chunk *chunk = arg; 507 sctp_init_chunk_t *initchunk; 508 struct sctp_chunk *err_chunk; 509 struct sctp_packet *packet; 510 511 if (!sctp_vtag_verify(chunk, asoc)) 512 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 513 514 /* 6.10 Bundling 515 * An endpoint MUST NOT bundle INIT, INIT ACK or 516 * SHUTDOWN COMPLETE with any other chunks. 517 */ 518 if (!chunk->singleton) 519 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 520 521 /* Make sure that the INIT-ACK chunk has a valid length */ 522 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 523 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 524 commands); 525 /* Grab the INIT header. */ 526 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 527 528 /* Verify the INIT chunk before processing it. */ 529 err_chunk = NULL; 530 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 531 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 532 &err_chunk)) { 533 534 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 535 536 /* This chunk contains fatal error. It is to be discarded. 537 * Send an ABORT, with causes. If there are no causes, 538 * then there wasn't enough memory. Just terminate 539 * the association. 540 */ 541 if (err_chunk) { 542 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 543 (__u8 *)(err_chunk->chunk_hdr) + 544 sizeof(sctp_chunkhdr_t), 545 ntohs(err_chunk->chunk_hdr->length) - 546 sizeof(sctp_chunkhdr_t)); 547 548 sctp_chunk_free(err_chunk); 549 550 if (packet) { 551 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 552 SCTP_PACKET(packet)); 553 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 554 error = SCTP_ERROR_INV_PARAM; 555 } 556 } 557 558 /* SCTP-AUTH, Section 6.3: 559 * It should be noted that if the receiver wants to tear 560 * down an association in an authenticated way only, the 561 * handling of malformed packets should not result in 562 * tearing down the association. 563 * 564 * This means that if we only want to abort associations 565 * in an authenticated way (i.e AUTH+ABORT), then we 566 * can't destroy this association just because the packet 567 * was malformed. 568 */ 569 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 570 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 571 572 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 573 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 574 asoc, chunk->transport); 575 } 576 577 /* Tag the variable length parameters. Note that we never 578 * convert the parameters in an INIT chunk. 579 */ 580 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 581 582 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 583 584 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 585 SCTP_PEER_INIT(initchunk)); 586 587 /* Reset init error count upon receipt of INIT-ACK. */ 588 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 589 590 /* 5.1 C) "A" shall stop the T1-init timer and leave 591 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 592 * timer, and enter the COOKIE-ECHOED state. 593 */ 594 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 595 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 596 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 597 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 598 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 599 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 600 601 /* SCTP-AUTH: genereate the assocition shared keys so that 602 * we can potentially signe the COOKIE-ECHO. 603 */ 604 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 605 606 /* 5.1 C) "A" shall then send the State Cookie received in the 607 * INIT ACK chunk in a COOKIE ECHO chunk, ... 608 */ 609 /* If there is any errors to report, send the ERROR chunk generated 610 * for unknown parameters as well. 611 */ 612 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 613 SCTP_CHUNK(err_chunk)); 614 615 return SCTP_DISPOSITION_CONSUME; 616 } 617 618 /* 619 * Respond to a normal COOKIE ECHO chunk. 620 * We are the side that is being asked for an association. 621 * 622 * Section: 5.1 Normal Establishment of an Association, D 623 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 624 * with a COOKIE ACK chunk after building a TCB and moving to 625 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 626 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 627 * chunk MUST be the first chunk in the packet. 628 * 629 * IMPLEMENTATION NOTE: An implementation may choose to send the 630 * Communication Up notification to the SCTP user upon reception 631 * of a valid COOKIE ECHO chunk. 632 * 633 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 634 * D) Rules for packet carrying a COOKIE ECHO 635 * 636 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 637 * Initial Tag received in the INIT ACK. 638 * 639 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 640 * 641 * Inputs 642 * (endpoint, asoc, chunk) 643 * 644 * Outputs 645 * (asoc, reply_msg, msg_up, timers, counters) 646 * 647 * The return value is the disposition of the chunk. 648 */ 649 sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net, 650 const struct sctp_endpoint *ep, 651 const struct sctp_association *asoc, 652 const sctp_subtype_t type, void *arg, 653 sctp_cmd_seq_t *commands) 654 { 655 struct sctp_chunk *chunk = arg; 656 struct sctp_association *new_asoc; 657 sctp_init_chunk_t *peer_init; 658 struct sctp_chunk *repl; 659 struct sctp_ulpevent *ev, *ai_ev = NULL; 660 int error = 0; 661 struct sctp_chunk *err_chk_p; 662 struct sock *sk; 663 664 /* If the packet is an OOTB packet which is temporarily on the 665 * control endpoint, respond with an ABORT. 666 */ 667 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 668 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 669 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 670 } 671 672 /* Make sure that the COOKIE_ECHO chunk has a valid length. 673 * In this case, we check that we have enough for at least a 674 * chunk header. More detailed verification is done 675 * in sctp_unpack_cookie(). 676 */ 677 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 678 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 679 680 /* If the endpoint is not listening or if the number of associations 681 * on the TCP-style socket exceed the max backlog, respond with an 682 * ABORT. 683 */ 684 sk = ep->base.sk; 685 if (!sctp_sstate(sk, LISTENING) || 686 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 687 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 688 689 /* "Decode" the chunk. We have no optional parameters so we 690 * are in good shape. 691 */ 692 chunk->subh.cookie_hdr = 693 (struct sctp_signed_cookie *)chunk->skb->data; 694 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 695 sizeof(sctp_chunkhdr_t))) 696 goto nomem; 697 698 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 699 * "Z" will reply with a COOKIE ACK chunk after building a TCB 700 * and moving to the ESTABLISHED state. 701 */ 702 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 703 &err_chk_p); 704 705 /* FIXME: 706 * If the re-build failed, what is the proper error path 707 * from here? 708 * 709 * [We should abort the association. --piggy] 710 */ 711 if (!new_asoc) { 712 /* FIXME: Several errors are possible. A bad cookie should 713 * be silently discarded, but think about logging it too. 714 */ 715 switch (error) { 716 case -SCTP_IERROR_NOMEM: 717 goto nomem; 718 719 case -SCTP_IERROR_STALE_COOKIE: 720 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 721 err_chk_p); 722 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 723 724 case -SCTP_IERROR_BAD_SIG: 725 default: 726 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 727 } 728 } 729 730 731 /* Delay state machine commands until later. 732 * 733 * Re-build the bind address for the association is done in 734 * the sctp_unpack_cookie() already. 735 */ 736 /* This is a brand-new association, so these are not yet side 737 * effects--it is safe to run them here. 738 */ 739 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 740 741 if (!sctp_process_init(new_asoc, chunk, 742 &chunk->subh.cookie_hdr->c.peer_addr, 743 peer_init, GFP_ATOMIC)) 744 goto nomem_init; 745 746 /* SCTP-AUTH: Now that we've populate required fields in 747 * sctp_process_init, set up the assocaition shared keys as 748 * necessary so that we can potentially authenticate the ACK 749 */ 750 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 751 if (error) 752 goto nomem_init; 753 754 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 755 * is supposed to be authenticated and we have to do delayed 756 * authentication. We've just recreated the association using 757 * the information in the cookie and now it's much easier to 758 * do the authentication. 759 */ 760 if (chunk->auth_chunk) { 761 struct sctp_chunk auth; 762 sctp_ierror_t ret; 763 764 /* Make sure that we and the peer are AUTH capable */ 765 if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { 766 sctp_association_free(new_asoc); 767 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 768 } 769 770 /* set-up our fake chunk so that we can process it */ 771 auth.skb = chunk->auth_chunk; 772 auth.asoc = chunk->asoc; 773 auth.sctp_hdr = chunk->sctp_hdr; 774 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 775 sizeof(sctp_chunkhdr_t)); 776 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 777 auth.transport = chunk->transport; 778 779 ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth); 780 if (ret != SCTP_IERROR_NO_ERROR) { 781 sctp_association_free(new_asoc); 782 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 783 } 784 } 785 786 repl = sctp_make_cookie_ack(new_asoc, chunk); 787 if (!repl) 788 goto nomem_init; 789 790 /* RFC 2960 5.1 Normal Establishment of an Association 791 * 792 * D) IMPLEMENTATION NOTE: An implementation may choose to 793 * send the Communication Up notification to the SCTP user 794 * upon reception of a valid COOKIE ECHO chunk. 795 */ 796 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 797 new_asoc->c.sinit_num_ostreams, 798 new_asoc->c.sinit_max_instreams, 799 NULL, GFP_ATOMIC); 800 if (!ev) 801 goto nomem_ev; 802 803 /* Sockets API Draft Section 5.3.1.6 804 * When a peer sends a Adaptation Layer Indication parameter , SCTP 805 * delivers this notification to inform the application that of the 806 * peers requested adaptation layer. 807 */ 808 if (new_asoc->peer.adaptation_ind) { 809 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 810 GFP_ATOMIC); 811 if (!ai_ev) 812 goto nomem_aiev; 813 } 814 815 /* Add all the state machine commands now since we've created 816 * everything. This way we don't introduce memory corruptions 817 * during side-effect processing and correclty count established 818 * associations. 819 */ 820 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 821 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 822 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 823 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 824 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 825 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 826 827 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 828 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 829 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 830 831 /* This will send the COOKIE ACK */ 832 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 833 834 /* Queue the ASSOC_CHANGE event */ 835 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 836 837 /* Send up the Adaptation Layer Indication event */ 838 if (ai_ev) 839 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 840 SCTP_ULPEVENT(ai_ev)); 841 842 return SCTP_DISPOSITION_CONSUME; 843 844 nomem_aiev: 845 sctp_ulpevent_free(ev); 846 nomem_ev: 847 sctp_chunk_free(repl); 848 nomem_init: 849 sctp_association_free(new_asoc); 850 nomem: 851 return SCTP_DISPOSITION_NOMEM; 852 } 853 854 /* 855 * Respond to a normal COOKIE ACK chunk. 856 * We are the side that is asking for an association. 857 * 858 * RFC 2960 5.1 Normal Establishment of an Association 859 * 860 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 861 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 862 * timer. It may also notify its ULP about the successful 863 * establishment of the association with a Communication Up 864 * notification (see Section 10). 865 * 866 * Verification Tag: 867 * Inputs 868 * (endpoint, asoc, chunk) 869 * 870 * Outputs 871 * (asoc, reply_msg, msg_up, timers, counters) 872 * 873 * The return value is the disposition of the chunk. 874 */ 875 sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net, 876 const struct sctp_endpoint *ep, 877 const struct sctp_association *asoc, 878 const sctp_subtype_t type, void *arg, 879 sctp_cmd_seq_t *commands) 880 { 881 struct sctp_chunk *chunk = arg; 882 struct sctp_ulpevent *ev; 883 884 if (!sctp_vtag_verify(chunk, asoc)) 885 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 886 887 /* Verify that the chunk length for the COOKIE-ACK is OK. 888 * If we don't do this, any bundled chunks may be junked. 889 */ 890 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 891 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 892 commands); 893 894 /* Reset init error count upon receipt of COOKIE-ACK, 895 * to avoid problems with the managemement of this 896 * counter in stale cookie situations when a transition back 897 * from the COOKIE-ECHOED state to the COOKIE-WAIT 898 * state is performed. 899 */ 900 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 901 902 /* RFC 2960 5.1 Normal Establishment of an Association 903 * 904 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 905 * from the COOKIE-ECHOED state to the ESTABLISHED state, 906 * stopping the T1-cookie timer. 907 */ 908 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 909 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 910 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 911 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 912 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 913 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 914 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 915 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 916 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 917 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 918 919 /* It may also notify its ULP about the successful 920 * establishment of the association with a Communication Up 921 * notification (see Section 10). 922 */ 923 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 924 0, asoc->c.sinit_num_ostreams, 925 asoc->c.sinit_max_instreams, 926 NULL, GFP_ATOMIC); 927 928 if (!ev) 929 goto nomem; 930 931 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 932 933 /* Sockets API Draft Section 5.3.1.6 934 * When a peer sends a Adaptation Layer Indication parameter , SCTP 935 * delivers this notification to inform the application that of the 936 * peers requested adaptation layer. 937 */ 938 if (asoc->peer.adaptation_ind) { 939 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 940 if (!ev) 941 goto nomem; 942 943 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 944 SCTP_ULPEVENT(ev)); 945 } 946 947 return SCTP_DISPOSITION_CONSUME; 948 nomem: 949 return SCTP_DISPOSITION_NOMEM; 950 } 951 952 /* Generate and sendout a heartbeat packet. */ 953 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 954 const struct sctp_association *asoc, 955 const sctp_subtype_t type, 956 void *arg, 957 sctp_cmd_seq_t *commands) 958 { 959 struct sctp_transport *transport = (struct sctp_transport *) arg; 960 struct sctp_chunk *reply; 961 962 /* Send a heartbeat to our peer. */ 963 reply = sctp_make_heartbeat(asoc, transport); 964 if (!reply) 965 return SCTP_DISPOSITION_NOMEM; 966 967 /* Set rto_pending indicating that an RTT measurement 968 * is started with this heartbeat chunk. 969 */ 970 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 971 SCTP_TRANSPORT(transport)); 972 973 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 974 return SCTP_DISPOSITION_CONSUME; 975 } 976 977 /* Generate a HEARTBEAT packet on the given transport. */ 978 sctp_disposition_t sctp_sf_sendbeat_8_3(struct net *net, 979 const struct sctp_endpoint *ep, 980 const struct sctp_association *asoc, 981 const sctp_subtype_t type, 982 void *arg, 983 sctp_cmd_seq_t *commands) 984 { 985 struct sctp_transport *transport = (struct sctp_transport *) arg; 986 987 if (asoc->overall_error_count >= asoc->max_retrans) { 988 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 989 SCTP_ERROR(ETIMEDOUT)); 990 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 991 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 992 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 993 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 994 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 995 return SCTP_DISPOSITION_DELETE_TCB; 996 } 997 998 /* Section 3.3.5. 999 * The Sender-specific Heartbeat Info field should normally include 1000 * information about the sender's current time when this HEARTBEAT 1001 * chunk is sent and the destination transport address to which this 1002 * HEARTBEAT is sent (see Section 8.3). 1003 */ 1004 1005 if (transport->param_flags & SPP_HB_ENABLE) { 1006 if (SCTP_DISPOSITION_NOMEM == 1007 sctp_sf_heartbeat(ep, asoc, type, arg, 1008 commands)) 1009 return SCTP_DISPOSITION_NOMEM; 1010 1011 /* Set transport error counter and association error counter 1012 * when sending heartbeat. 1013 */ 1014 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1015 SCTP_TRANSPORT(transport)); 1016 } 1017 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1018 SCTP_TRANSPORT(transport)); 1019 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1020 SCTP_TRANSPORT(transport)); 1021 1022 return SCTP_DISPOSITION_CONSUME; 1023 } 1024 1025 /* 1026 * Process an heartbeat request. 1027 * 1028 * Section: 8.3 Path Heartbeat 1029 * The receiver of the HEARTBEAT should immediately respond with a 1030 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1031 * from the received HEARTBEAT chunk. 1032 * 1033 * Verification Tag: 8.5 Verification Tag [Normal verification] 1034 * When receiving an SCTP packet, the endpoint MUST ensure that the 1035 * value in the Verification Tag field of the received SCTP packet 1036 * matches its own Tag. If the received Verification Tag value does not 1037 * match the receiver's own tag value, the receiver shall silently 1038 * discard the packet and shall not process it any further except for 1039 * those cases listed in Section 8.5.1 below. 1040 * 1041 * Inputs 1042 * (endpoint, asoc, chunk) 1043 * 1044 * Outputs 1045 * (asoc, reply_msg, msg_up, timers, counters) 1046 * 1047 * The return value is the disposition of the chunk. 1048 */ 1049 sctp_disposition_t sctp_sf_beat_8_3(struct net *net, 1050 const struct sctp_endpoint *ep, 1051 const struct sctp_association *asoc, 1052 const sctp_subtype_t type, 1053 void *arg, 1054 sctp_cmd_seq_t *commands) 1055 { 1056 sctp_paramhdr_t *param_hdr; 1057 struct sctp_chunk *chunk = arg; 1058 struct sctp_chunk *reply; 1059 size_t paylen = 0; 1060 1061 if (!sctp_vtag_verify(chunk, asoc)) 1062 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1063 1064 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1065 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1066 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1067 commands); 1068 1069 /* 8.3 The receiver of the HEARTBEAT should immediately 1070 * respond with a HEARTBEAT ACK that contains the Heartbeat 1071 * Information field copied from the received HEARTBEAT chunk. 1072 */ 1073 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1074 param_hdr = (sctp_paramhdr_t *) chunk->subh.hb_hdr; 1075 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1076 1077 if (ntohs(param_hdr->length) > paylen) 1078 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1079 param_hdr, commands); 1080 1081 if (!pskb_pull(chunk->skb, paylen)) 1082 goto nomem; 1083 1084 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1085 if (!reply) 1086 goto nomem; 1087 1088 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1089 return SCTP_DISPOSITION_CONSUME; 1090 1091 nomem: 1092 return SCTP_DISPOSITION_NOMEM; 1093 } 1094 1095 /* 1096 * Process the returning HEARTBEAT ACK. 1097 * 1098 * Section: 8.3 Path Heartbeat 1099 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1100 * should clear the error counter of the destination transport 1101 * address to which the HEARTBEAT was sent, and mark the destination 1102 * transport address as active if it is not so marked. The endpoint may 1103 * optionally report to the upper layer when an inactive destination 1104 * address is marked as active due to the reception of the latest 1105 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1106 * clear the association overall error count as well (as defined 1107 * in section 8.1). 1108 * 1109 * The receiver of the HEARTBEAT ACK should also perform an RTT 1110 * measurement for that destination transport address using the time 1111 * value carried in the HEARTBEAT ACK chunk. 1112 * 1113 * Verification Tag: 8.5 Verification Tag [Normal verification] 1114 * 1115 * Inputs 1116 * (endpoint, asoc, chunk) 1117 * 1118 * Outputs 1119 * (asoc, reply_msg, msg_up, timers, counters) 1120 * 1121 * The return value is the disposition of the chunk. 1122 */ 1123 sctp_disposition_t sctp_sf_backbeat_8_3(struct net *net, 1124 const struct sctp_endpoint *ep, 1125 const struct sctp_association *asoc, 1126 const sctp_subtype_t type, 1127 void *arg, 1128 sctp_cmd_seq_t *commands) 1129 { 1130 struct sctp_chunk *chunk = arg; 1131 union sctp_addr from_addr; 1132 struct sctp_transport *link; 1133 sctp_sender_hb_info_t *hbinfo; 1134 unsigned long max_interval; 1135 1136 if (!sctp_vtag_verify(chunk, asoc)) 1137 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1138 1139 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1140 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) + 1141 sizeof(sctp_sender_hb_info_t))) 1142 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1143 commands); 1144 1145 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1146 /* Make sure that the length of the parameter is what we expect */ 1147 if (ntohs(hbinfo->param_hdr.length) != 1148 sizeof(sctp_sender_hb_info_t)) { 1149 return SCTP_DISPOSITION_DISCARD; 1150 } 1151 1152 from_addr = hbinfo->daddr; 1153 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1154 1155 /* This should never happen, but lets log it if so. */ 1156 if (unlikely(!link)) { 1157 if (from_addr.sa.sa_family == AF_INET6) { 1158 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1159 __func__, 1160 asoc, 1161 &from_addr.v6.sin6_addr); 1162 } else { 1163 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1164 __func__, 1165 asoc, 1166 &from_addr.v4.sin_addr.s_addr); 1167 } 1168 return SCTP_DISPOSITION_DISCARD; 1169 } 1170 1171 /* Validate the 64-bit random nonce. */ 1172 if (hbinfo->hb_nonce != link->hb_nonce) 1173 return SCTP_DISPOSITION_DISCARD; 1174 1175 max_interval = link->hbinterval + link->rto; 1176 1177 /* Check if the timestamp looks valid. */ 1178 if (time_after(hbinfo->sent_at, jiffies) || 1179 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1180 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1181 "for transport:%p\n", __func__, link); 1182 1183 return SCTP_DISPOSITION_DISCARD; 1184 } 1185 1186 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1187 * the HEARTBEAT should clear the error counter of the 1188 * destination transport address to which the HEARTBEAT was 1189 * sent and mark the destination transport address as active if 1190 * it is not so marked. 1191 */ 1192 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1193 1194 return SCTP_DISPOSITION_CONSUME; 1195 } 1196 1197 /* Helper function to send out an abort for the restart 1198 * condition. 1199 */ 1200 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1201 struct sctp_chunk *init, 1202 sctp_cmd_seq_t *commands) 1203 { 1204 int len; 1205 struct sctp_packet *pkt; 1206 union sctp_addr_param *addrparm; 1207 struct sctp_errhdr *errhdr; 1208 struct sctp_endpoint *ep; 1209 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1210 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1211 1212 /* Build the error on the stack. We are way to malloc crazy 1213 * throughout the code today. 1214 */ 1215 errhdr = (struct sctp_errhdr *)buffer; 1216 addrparm = (union sctp_addr_param *)errhdr->variable; 1217 1218 /* Copy into a parm format. */ 1219 len = af->to_addr_param(ssa, addrparm); 1220 len += sizeof(sctp_errhdr_t); 1221 1222 errhdr->cause = SCTP_ERROR_RESTART; 1223 errhdr->length = htons(len); 1224 1225 /* Assign to the control socket. */ 1226 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1227 1228 /* Association is NULL since this may be a restart attack and we 1229 * want to send back the attacker's vtag. 1230 */ 1231 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1232 1233 if (!pkt) 1234 goto out; 1235 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1236 1237 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1238 1239 /* Discard the rest of the inbound packet. */ 1240 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1241 1242 out: 1243 /* Even if there is no memory, treat as a failure so 1244 * the packet will get dropped. 1245 */ 1246 return 0; 1247 } 1248 1249 static bool list_has_sctp_addr(const struct list_head *list, 1250 union sctp_addr *ipaddr) 1251 { 1252 struct sctp_transport *addr; 1253 1254 list_for_each_entry(addr, list, transports) { 1255 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1256 return true; 1257 } 1258 1259 return false; 1260 } 1261 /* A restart is occurring, check to make sure no new addresses 1262 * are being added as we may be under a takeover attack. 1263 */ 1264 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1265 const struct sctp_association *asoc, 1266 struct sctp_chunk *init, 1267 sctp_cmd_seq_t *commands) 1268 { 1269 struct net *net = sock_net(new_asoc->base.sk); 1270 struct sctp_transport *new_addr; 1271 int ret = 1; 1272 1273 /* Implementor's Guide - Section 5.2.2 1274 * ... 1275 * Before responding the endpoint MUST check to see if the 1276 * unexpected INIT adds new addresses to the association. If new 1277 * addresses are added to the association, the endpoint MUST respond 1278 * with an ABORT.. 1279 */ 1280 1281 /* Search through all current addresses and make sure 1282 * we aren't adding any new ones. 1283 */ 1284 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1285 transports) { 1286 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1287 &new_addr->ipaddr)) { 1288 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1289 commands); 1290 ret = 0; 1291 break; 1292 } 1293 } 1294 1295 /* Return success if all addresses were found. */ 1296 return ret; 1297 } 1298 1299 /* Populate the verification/tie tags based on overlapping INIT 1300 * scenario. 1301 * 1302 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1303 */ 1304 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1305 const struct sctp_association *asoc) 1306 { 1307 switch (asoc->state) { 1308 1309 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1310 1311 case SCTP_STATE_COOKIE_WAIT: 1312 new_asoc->c.my_vtag = asoc->c.my_vtag; 1313 new_asoc->c.my_ttag = asoc->c.my_vtag; 1314 new_asoc->c.peer_ttag = 0; 1315 break; 1316 1317 case SCTP_STATE_COOKIE_ECHOED: 1318 new_asoc->c.my_vtag = asoc->c.my_vtag; 1319 new_asoc->c.my_ttag = asoc->c.my_vtag; 1320 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1321 break; 1322 1323 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1324 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1325 */ 1326 default: 1327 new_asoc->c.my_ttag = asoc->c.my_vtag; 1328 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1329 break; 1330 } 1331 1332 /* Other parameters for the endpoint SHOULD be copied from the 1333 * existing parameters of the association (e.g. number of 1334 * outbound streams) into the INIT ACK and cookie. 1335 */ 1336 new_asoc->rwnd = asoc->rwnd; 1337 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1338 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1339 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1340 } 1341 1342 /* 1343 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1344 * handling action. 1345 * 1346 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1347 * 1348 * Returns value representing action to be taken. These action values 1349 * correspond to Action/Description values in RFC 2960, Table 2. 1350 */ 1351 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1352 const struct sctp_association *asoc) 1353 { 1354 /* In this case, the peer may have restarted. */ 1355 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1356 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1357 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1358 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1359 return 'A'; 1360 1361 /* Collision case B. */ 1362 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1363 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1364 (0 == asoc->c.peer_vtag))) { 1365 return 'B'; 1366 } 1367 1368 /* Collision case D. */ 1369 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1370 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1371 return 'D'; 1372 1373 /* Collision case C. */ 1374 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1375 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1376 (0 == new_asoc->c.my_ttag) && 1377 (0 == new_asoc->c.peer_ttag)) 1378 return 'C'; 1379 1380 /* No match to any of the special cases; discard this packet. */ 1381 return 'E'; 1382 } 1383 1384 /* Common helper routine for both duplicate and simulataneous INIT 1385 * chunk handling. 1386 */ 1387 static sctp_disposition_t sctp_sf_do_unexpected_init( 1388 struct net *net, 1389 const struct sctp_endpoint *ep, 1390 const struct sctp_association *asoc, 1391 const sctp_subtype_t type, 1392 void *arg, sctp_cmd_seq_t *commands) 1393 { 1394 sctp_disposition_t retval; 1395 struct sctp_chunk *chunk = arg; 1396 struct sctp_chunk *repl; 1397 struct sctp_association *new_asoc; 1398 struct sctp_chunk *err_chunk; 1399 struct sctp_packet *packet; 1400 sctp_unrecognized_param_t *unk_param; 1401 int len; 1402 1403 /* 6.10 Bundling 1404 * An endpoint MUST NOT bundle INIT, INIT ACK or 1405 * SHUTDOWN COMPLETE with any other chunks. 1406 * 1407 * IG Section 2.11.2 1408 * Furthermore, we require that the receiver of an INIT chunk MUST 1409 * enforce these rules by silently discarding an arriving packet 1410 * with an INIT chunk that is bundled with other chunks. 1411 */ 1412 if (!chunk->singleton) 1413 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1414 1415 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1416 * Tag. 1417 */ 1418 if (chunk->sctp_hdr->vtag != 0) 1419 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1420 1421 /* Make sure that the INIT chunk has a valid length. 1422 * In this case, we generate a protocol violation since we have 1423 * an association established. 1424 */ 1425 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1426 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1427 commands); 1428 /* Grab the INIT header. */ 1429 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1430 1431 /* Tag the variable length parameters. */ 1432 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1433 1434 /* Verify the INIT chunk before processing it. */ 1435 err_chunk = NULL; 1436 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1437 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1438 &err_chunk)) { 1439 /* This chunk contains fatal error. It is to be discarded. 1440 * Send an ABORT, with causes if there is any. 1441 */ 1442 if (err_chunk) { 1443 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1444 (__u8 *)(err_chunk->chunk_hdr) + 1445 sizeof(sctp_chunkhdr_t), 1446 ntohs(err_chunk->chunk_hdr->length) - 1447 sizeof(sctp_chunkhdr_t)); 1448 1449 if (packet) { 1450 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1451 SCTP_PACKET(packet)); 1452 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1453 retval = SCTP_DISPOSITION_CONSUME; 1454 } else { 1455 retval = SCTP_DISPOSITION_NOMEM; 1456 } 1457 goto cleanup; 1458 } else { 1459 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1460 commands); 1461 } 1462 } 1463 1464 /* 1465 * Other parameters for the endpoint SHOULD be copied from the 1466 * existing parameters of the association (e.g. number of 1467 * outbound streams) into the INIT ACK and cookie. 1468 * FIXME: We are copying parameters from the endpoint not the 1469 * association. 1470 */ 1471 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1472 if (!new_asoc) 1473 goto nomem; 1474 1475 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1476 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1477 goto nomem; 1478 1479 /* In the outbound INIT ACK the endpoint MUST copy its current 1480 * Verification Tag and Peers Verification tag into a reserved 1481 * place (local tie-tag and per tie-tag) within the state cookie. 1482 */ 1483 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1484 (sctp_init_chunk_t *)chunk->chunk_hdr, 1485 GFP_ATOMIC)) 1486 goto nomem; 1487 1488 /* Make sure no new addresses are being added during the 1489 * restart. Do not do this check for COOKIE-WAIT state, 1490 * since there are no peer addresses to check against. 1491 * Upon return an ABORT will have been sent if needed. 1492 */ 1493 if (!sctp_state(asoc, COOKIE_WAIT)) { 1494 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1495 commands)) { 1496 retval = SCTP_DISPOSITION_CONSUME; 1497 goto nomem_retval; 1498 } 1499 } 1500 1501 sctp_tietags_populate(new_asoc, asoc); 1502 1503 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1504 1505 /* If there are errors need to be reported for unknown parameters, 1506 * make sure to reserve enough room in the INIT ACK for them. 1507 */ 1508 len = 0; 1509 if (err_chunk) { 1510 len = ntohs(err_chunk->chunk_hdr->length) - 1511 sizeof(sctp_chunkhdr_t); 1512 } 1513 1514 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1515 if (!repl) 1516 goto nomem; 1517 1518 /* If there are errors need to be reported for unknown parameters, 1519 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1520 * parameter. 1521 */ 1522 if (err_chunk) { 1523 /* Get the "Unrecognized parameter" parameter(s) out of the 1524 * ERROR chunk generated by sctp_verify_init(). Since the 1525 * error cause code for "unknown parameter" and the 1526 * "Unrecognized parameter" type is the same, we can 1527 * construct the parameters in INIT ACK by copying the 1528 * ERROR causes over. 1529 */ 1530 unk_param = (sctp_unrecognized_param_t *) 1531 ((__u8 *)(err_chunk->chunk_hdr) + 1532 sizeof(sctp_chunkhdr_t)); 1533 /* Replace the cause code with the "Unrecognized parameter" 1534 * parameter type. 1535 */ 1536 sctp_addto_chunk(repl, len, unk_param); 1537 } 1538 1539 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1540 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1541 1542 /* 1543 * Note: After sending out INIT ACK with the State Cookie parameter, 1544 * "Z" MUST NOT allocate any resources for this new association. 1545 * Otherwise, "Z" will be vulnerable to resource attacks. 1546 */ 1547 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1548 retval = SCTP_DISPOSITION_CONSUME; 1549 1550 return retval; 1551 1552 nomem: 1553 retval = SCTP_DISPOSITION_NOMEM; 1554 nomem_retval: 1555 if (new_asoc) 1556 sctp_association_free(new_asoc); 1557 cleanup: 1558 if (err_chunk) 1559 sctp_chunk_free(err_chunk); 1560 return retval; 1561 } 1562 1563 /* 1564 * Handle simultaneous INIT. 1565 * This means we started an INIT and then we got an INIT request from 1566 * our peer. 1567 * 1568 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1569 * This usually indicates an initialization collision, i.e., each 1570 * endpoint is attempting, at about the same time, to establish an 1571 * association with the other endpoint. 1572 * 1573 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1574 * endpoint MUST respond with an INIT ACK using the same parameters it 1575 * sent in its original INIT chunk (including its Verification Tag, 1576 * unchanged). These original parameters are combined with those from the 1577 * newly received INIT chunk. The endpoint shall also generate a State 1578 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1579 * INIT to calculate the State Cookie. 1580 * 1581 * After that, the endpoint MUST NOT change its state, the T1-init 1582 * timer shall be left running and the corresponding TCB MUST NOT be 1583 * destroyed. The normal procedures for handling State Cookies when 1584 * a TCB exists will resolve the duplicate INITs to a single association. 1585 * 1586 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1587 * its Tie-Tags with the Tag information of itself and its peer (see 1588 * section 5.2.2 for a description of the Tie-Tags). 1589 * 1590 * Verification Tag: Not explicit, but an INIT can not have a valid 1591 * verification tag, so we skip the check. 1592 * 1593 * Inputs 1594 * (endpoint, asoc, chunk) 1595 * 1596 * Outputs 1597 * (asoc, reply_msg, msg_up, timers, counters) 1598 * 1599 * The return value is the disposition of the chunk. 1600 */ 1601 sctp_disposition_t sctp_sf_do_5_2_1_siminit(struct net *net, 1602 const struct sctp_endpoint *ep, 1603 const struct sctp_association *asoc, 1604 const sctp_subtype_t type, 1605 void *arg, 1606 sctp_cmd_seq_t *commands) 1607 { 1608 /* Call helper to do the real work for both simulataneous and 1609 * duplicate INIT chunk handling. 1610 */ 1611 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1612 } 1613 1614 /* 1615 * Handle duplicated INIT messages. These are usually delayed 1616 * restransmissions. 1617 * 1618 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1619 * COOKIE-ECHOED and COOKIE-WAIT 1620 * 1621 * Unless otherwise stated, upon reception of an unexpected INIT for 1622 * this association, the endpoint shall generate an INIT ACK with a 1623 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1624 * current Verification Tag and peer's Verification Tag into a reserved 1625 * place within the state cookie. We shall refer to these locations as 1626 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1627 * containing this INIT ACK MUST carry a Verification Tag value equal to 1628 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1629 * MUST contain a new Initiation Tag (randomly generated see Section 1630 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1631 * existing parameters of the association (e.g. number of outbound 1632 * streams) into the INIT ACK and cookie. 1633 * 1634 * After sending out the INIT ACK, the endpoint shall take no further 1635 * actions, i.e., the existing association, including its current state, 1636 * and the corresponding TCB MUST NOT be changed. 1637 * 1638 * Note: Only when a TCB exists and the association is not in a COOKIE- 1639 * WAIT state are the Tie-Tags populated. For a normal association INIT 1640 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1641 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1642 * State Cookie are populated as specified in section 5.2.1. 1643 * 1644 * Verification Tag: Not specified, but an INIT has no way of knowing 1645 * what the verification tag could be, so we ignore it. 1646 * 1647 * Inputs 1648 * (endpoint, asoc, chunk) 1649 * 1650 * Outputs 1651 * (asoc, reply_msg, msg_up, timers, counters) 1652 * 1653 * The return value is the disposition of the chunk. 1654 */ 1655 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(struct net *net, 1656 const struct sctp_endpoint *ep, 1657 const struct sctp_association *asoc, 1658 const sctp_subtype_t type, 1659 void *arg, 1660 sctp_cmd_seq_t *commands) 1661 { 1662 /* Call helper to do the real work for both simulataneous and 1663 * duplicate INIT chunk handling. 1664 */ 1665 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1666 } 1667 1668 1669 /* 1670 * Unexpected INIT-ACK handler. 1671 * 1672 * Section 5.2.3 1673 * If an INIT ACK received by an endpoint in any state other than the 1674 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1675 * An unexpected INIT ACK usually indicates the processing of an old or 1676 * duplicated INIT chunk. 1677 */ 1678 sctp_disposition_t sctp_sf_do_5_2_3_initack(struct net *net, 1679 const struct sctp_endpoint *ep, 1680 const struct sctp_association *asoc, 1681 const sctp_subtype_t type, 1682 void *arg, sctp_cmd_seq_t *commands) 1683 { 1684 /* Per the above section, we'll discard the chunk if we have an 1685 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1686 */ 1687 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1688 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1689 else 1690 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1691 } 1692 1693 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1694 * 1695 * Section 5.2.4 1696 * A) In this case, the peer may have restarted. 1697 */ 1698 static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net, 1699 const struct sctp_endpoint *ep, 1700 const struct sctp_association *asoc, 1701 struct sctp_chunk *chunk, 1702 sctp_cmd_seq_t *commands, 1703 struct sctp_association *new_asoc) 1704 { 1705 sctp_init_chunk_t *peer_init; 1706 struct sctp_ulpevent *ev; 1707 struct sctp_chunk *repl; 1708 struct sctp_chunk *err; 1709 sctp_disposition_t disposition; 1710 1711 /* new_asoc is a brand-new association, so these are not yet 1712 * side effects--it is safe to run them here. 1713 */ 1714 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1715 1716 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1717 GFP_ATOMIC)) 1718 goto nomem; 1719 1720 /* Make sure no new addresses are being added during the 1721 * restart. Though this is a pretty complicated attack 1722 * since you'd have to get inside the cookie. 1723 */ 1724 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1725 return SCTP_DISPOSITION_CONSUME; 1726 } 1727 1728 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1729 * the peer has restarted (Action A), it MUST NOT setup a new 1730 * association but instead resend the SHUTDOWN ACK and send an ERROR 1731 * chunk with a "Cookie Received while Shutting Down" error cause to 1732 * its peer. 1733 */ 1734 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1735 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, 1736 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1737 chunk, commands); 1738 if (SCTP_DISPOSITION_NOMEM == disposition) 1739 goto nomem; 1740 1741 err = sctp_make_op_error(asoc, chunk, 1742 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1743 NULL, 0, 0); 1744 if (err) 1745 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1746 SCTP_CHUNK(err)); 1747 1748 return SCTP_DISPOSITION_CONSUME; 1749 } 1750 1751 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1752 * data. Consider the optional choice of resending of this data. 1753 */ 1754 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1755 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1756 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1757 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1758 1759 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1760 * and ASCONF-ACK cache. 1761 */ 1762 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1763 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1764 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1765 1766 repl = sctp_make_cookie_ack(new_asoc, chunk); 1767 if (!repl) 1768 goto nomem; 1769 1770 /* Report association restart to upper layer. */ 1771 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1772 new_asoc->c.sinit_num_ostreams, 1773 new_asoc->c.sinit_max_instreams, 1774 NULL, GFP_ATOMIC); 1775 if (!ev) 1776 goto nomem_ev; 1777 1778 /* Update the content of current association. */ 1779 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1780 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1781 if (sctp_state(asoc, SHUTDOWN_PENDING) && 1782 (sctp_sstate(asoc->base.sk, CLOSING) || 1783 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1784 /* if were currently in SHUTDOWN_PENDING, but the socket 1785 * has been closed by user, don't transition to ESTABLISHED. 1786 * Instead trigger SHUTDOWN bundled with COOKIE_ACK. 1787 */ 1788 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1789 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1790 SCTP_ST_CHUNK(0), NULL, 1791 commands); 1792 } else { 1793 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1794 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1795 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1796 } 1797 return SCTP_DISPOSITION_CONSUME; 1798 1799 nomem_ev: 1800 sctp_chunk_free(repl); 1801 nomem: 1802 return SCTP_DISPOSITION_NOMEM; 1803 } 1804 1805 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1806 * 1807 * Section 5.2.4 1808 * B) In this case, both sides may be attempting to start an association 1809 * at about the same time but the peer endpoint started its INIT 1810 * after responding to the local endpoint's INIT 1811 */ 1812 /* This case represents an initialization collision. */ 1813 static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net, 1814 const struct sctp_endpoint *ep, 1815 const struct sctp_association *asoc, 1816 struct sctp_chunk *chunk, 1817 sctp_cmd_seq_t *commands, 1818 struct sctp_association *new_asoc) 1819 { 1820 sctp_init_chunk_t *peer_init; 1821 struct sctp_chunk *repl; 1822 1823 /* new_asoc is a brand-new association, so these are not yet 1824 * side effects--it is safe to run them here. 1825 */ 1826 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1827 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1828 GFP_ATOMIC)) 1829 goto nomem; 1830 1831 /* Update the content of current association. */ 1832 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1833 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1834 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1835 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1836 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1837 1838 repl = sctp_make_cookie_ack(new_asoc, chunk); 1839 if (!repl) 1840 goto nomem; 1841 1842 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1843 1844 /* RFC 2960 5.1 Normal Establishment of an Association 1845 * 1846 * D) IMPLEMENTATION NOTE: An implementation may choose to 1847 * send the Communication Up notification to the SCTP user 1848 * upon reception of a valid COOKIE ECHO chunk. 1849 * 1850 * Sadly, this needs to be implemented as a side-effect, because 1851 * we are not guaranteed to have set the association id of the real 1852 * association and so these notifications need to be delayed until 1853 * the association id is allocated. 1854 */ 1855 1856 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1857 1858 /* Sockets API Draft Section 5.3.1.6 1859 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1860 * delivers this notification to inform the application that of the 1861 * peers requested adaptation layer. 1862 * 1863 * This also needs to be done as a side effect for the same reason as 1864 * above. 1865 */ 1866 if (asoc->peer.adaptation_ind) 1867 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1868 1869 return SCTP_DISPOSITION_CONSUME; 1870 1871 nomem: 1872 return SCTP_DISPOSITION_NOMEM; 1873 } 1874 1875 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1876 * 1877 * Section 5.2.4 1878 * C) In this case, the local endpoint's cookie has arrived late. 1879 * Before it arrived, the local endpoint sent an INIT and received an 1880 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1881 * but a new tag of its own. 1882 */ 1883 /* This case represents an initialization collision. */ 1884 static sctp_disposition_t sctp_sf_do_dupcook_c(struct net *net, 1885 const struct sctp_endpoint *ep, 1886 const struct sctp_association *asoc, 1887 struct sctp_chunk *chunk, 1888 sctp_cmd_seq_t *commands, 1889 struct sctp_association *new_asoc) 1890 { 1891 /* The cookie should be silently discarded. 1892 * The endpoint SHOULD NOT change states and should leave 1893 * any timers running. 1894 */ 1895 return SCTP_DISPOSITION_DISCARD; 1896 } 1897 1898 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1899 * 1900 * Section 5.2.4 1901 * 1902 * D) When both local and remote tags match the endpoint should always 1903 * enter the ESTABLISHED state, if it has not already done so. 1904 */ 1905 /* This case represents an initialization collision. */ 1906 static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net, 1907 const struct sctp_endpoint *ep, 1908 const struct sctp_association *asoc, 1909 struct sctp_chunk *chunk, 1910 sctp_cmd_seq_t *commands, 1911 struct sctp_association *new_asoc) 1912 { 1913 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1914 struct sctp_chunk *repl; 1915 1916 /* Clarification from Implementor's Guide: 1917 * D) When both local and remote tags match the endpoint should 1918 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1919 * It should stop any cookie timer that may be running and send 1920 * a COOKIE ACK. 1921 */ 1922 1923 /* Don't accidentally move back into established state. */ 1924 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1925 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1926 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1927 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1928 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1929 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1930 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1931 SCTP_NULL()); 1932 1933 /* RFC 2960 5.1 Normal Establishment of an Association 1934 * 1935 * D) IMPLEMENTATION NOTE: An implementation may choose 1936 * to send the Communication Up notification to the 1937 * SCTP user upon reception of a valid COOKIE 1938 * ECHO chunk. 1939 */ 1940 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1941 SCTP_COMM_UP, 0, 1942 asoc->c.sinit_num_ostreams, 1943 asoc->c.sinit_max_instreams, 1944 NULL, GFP_ATOMIC); 1945 if (!ev) 1946 goto nomem; 1947 1948 /* Sockets API Draft Section 5.3.1.6 1949 * When a peer sends a Adaptation Layer Indication parameter, 1950 * SCTP delivers this notification to inform the application 1951 * that of the peers requested adaptation layer. 1952 */ 1953 if (asoc->peer.adaptation_ind) { 1954 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1955 GFP_ATOMIC); 1956 if (!ai_ev) 1957 goto nomem; 1958 1959 } 1960 } 1961 1962 repl = sctp_make_cookie_ack(new_asoc, chunk); 1963 if (!repl) 1964 goto nomem; 1965 1966 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1967 1968 if (ev) 1969 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1970 SCTP_ULPEVENT(ev)); 1971 if (ai_ev) 1972 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1973 SCTP_ULPEVENT(ai_ev)); 1974 1975 return SCTP_DISPOSITION_CONSUME; 1976 1977 nomem: 1978 if (ai_ev) 1979 sctp_ulpevent_free(ai_ev); 1980 if (ev) 1981 sctp_ulpevent_free(ev); 1982 return SCTP_DISPOSITION_NOMEM; 1983 } 1984 1985 /* 1986 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1987 * chunk was retransmitted and then delayed in the network. 1988 * 1989 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1990 * 1991 * Verification Tag: None. Do cookie validation. 1992 * 1993 * Inputs 1994 * (endpoint, asoc, chunk) 1995 * 1996 * Outputs 1997 * (asoc, reply_msg, msg_up, timers, counters) 1998 * 1999 * The return value is the disposition of the chunk. 2000 */ 2001 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net, 2002 const struct sctp_endpoint *ep, 2003 const struct sctp_association *asoc, 2004 const sctp_subtype_t type, 2005 void *arg, 2006 sctp_cmd_seq_t *commands) 2007 { 2008 sctp_disposition_t retval; 2009 struct sctp_chunk *chunk = arg; 2010 struct sctp_association *new_asoc; 2011 int error = 0; 2012 char action; 2013 struct sctp_chunk *err_chk_p; 2014 2015 /* Make sure that the chunk has a valid length from the protocol 2016 * perspective. In this case check to make sure we have at least 2017 * enough for the chunk header. Cookie length verification is 2018 * done later. 2019 */ 2020 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2021 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2022 commands); 2023 2024 /* "Decode" the chunk. We have no optional parameters so we 2025 * are in good shape. 2026 */ 2027 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2028 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2029 sizeof(sctp_chunkhdr_t))) 2030 goto nomem; 2031 2032 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2033 * of a duplicate COOKIE ECHO match the Verification Tags of the 2034 * current association, consider the State Cookie valid even if 2035 * the lifespan is exceeded. 2036 */ 2037 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2038 &err_chk_p); 2039 2040 /* FIXME: 2041 * If the re-build failed, what is the proper error path 2042 * from here? 2043 * 2044 * [We should abort the association. --piggy] 2045 */ 2046 if (!new_asoc) { 2047 /* FIXME: Several errors are possible. A bad cookie should 2048 * be silently discarded, but think about logging it too. 2049 */ 2050 switch (error) { 2051 case -SCTP_IERROR_NOMEM: 2052 goto nomem; 2053 2054 case -SCTP_IERROR_STALE_COOKIE: 2055 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2056 err_chk_p); 2057 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2058 case -SCTP_IERROR_BAD_SIG: 2059 default: 2060 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2061 } 2062 } 2063 2064 /* Compare the tie_tag in cookie with the verification tag of 2065 * current association. 2066 */ 2067 action = sctp_tietags_compare(new_asoc, asoc); 2068 2069 switch (action) { 2070 case 'A': /* Association restart. */ 2071 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2072 new_asoc); 2073 break; 2074 2075 case 'B': /* Collision case B. */ 2076 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2077 new_asoc); 2078 break; 2079 2080 case 'C': /* Collision case C. */ 2081 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2082 new_asoc); 2083 break; 2084 2085 case 'D': /* Collision case D. */ 2086 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2087 new_asoc); 2088 break; 2089 2090 default: /* Discard packet for all others. */ 2091 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2092 break; 2093 } 2094 2095 /* Delete the tempory new association. */ 2096 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2097 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2098 2099 /* Restore association pointer to provide SCTP command interpeter 2100 * with a valid context in case it needs to manipulate 2101 * the queues */ 2102 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2103 SCTP_ASOC((struct sctp_association *)asoc)); 2104 2105 return retval; 2106 2107 nomem: 2108 return SCTP_DISPOSITION_NOMEM; 2109 } 2110 2111 /* 2112 * Process an ABORT. (SHUTDOWN-PENDING state) 2113 * 2114 * See sctp_sf_do_9_1_abort(). 2115 */ 2116 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2117 struct net *net, 2118 const struct sctp_endpoint *ep, 2119 const struct sctp_association *asoc, 2120 const sctp_subtype_t type, 2121 void *arg, 2122 sctp_cmd_seq_t *commands) 2123 { 2124 struct sctp_chunk *chunk = arg; 2125 2126 if (!sctp_vtag_verify_either(chunk, asoc)) 2127 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2128 2129 /* Make sure that the ABORT chunk has a valid length. 2130 * Since this is an ABORT chunk, we have to discard it 2131 * because of the following text: 2132 * RFC 2960, Section 3.3.7 2133 * If an endpoint receives an ABORT with a format error or for an 2134 * association that doesn't exist, it MUST silently discard it. 2135 * Because the length is "invalid", we can't really discard just 2136 * as we do not know its true length. So, to be safe, discard the 2137 * packet. 2138 */ 2139 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2140 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2141 2142 /* ADD-IP: Special case for ABORT chunks 2143 * F4) One special consideration is that ABORT Chunks arriving 2144 * destined to the IP address being deleted MUST be 2145 * ignored (see Section 5.3.1 for further details). 2146 */ 2147 if (SCTP_ADDR_DEL == 2148 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2149 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2150 2151 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2152 } 2153 2154 /* 2155 * Process an ABORT. (SHUTDOWN-SENT state) 2156 * 2157 * See sctp_sf_do_9_1_abort(). 2158 */ 2159 sctp_disposition_t sctp_sf_shutdown_sent_abort(struct net *net, 2160 const struct sctp_endpoint *ep, 2161 const struct sctp_association *asoc, 2162 const sctp_subtype_t type, 2163 void *arg, 2164 sctp_cmd_seq_t *commands) 2165 { 2166 struct sctp_chunk *chunk = arg; 2167 2168 if (!sctp_vtag_verify_either(chunk, asoc)) 2169 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2170 2171 /* Make sure that the ABORT chunk has a valid length. 2172 * Since this is an ABORT chunk, we have to discard it 2173 * because of the following text: 2174 * RFC 2960, Section 3.3.7 2175 * If an endpoint receives an ABORT with a format error or for an 2176 * association that doesn't exist, it MUST silently discard it. 2177 * Because the length is "invalid", we can't really discard just 2178 * as we do not know its true length. So, to be safe, discard the 2179 * packet. 2180 */ 2181 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2182 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2183 2184 /* ADD-IP: Special case for ABORT chunks 2185 * F4) One special consideration is that ABORT Chunks arriving 2186 * destined to the IP address being deleted MUST be 2187 * ignored (see Section 5.3.1 for further details). 2188 */ 2189 if (SCTP_ADDR_DEL == 2190 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2191 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2192 2193 /* Stop the T2-shutdown timer. */ 2194 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2195 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2196 2197 /* Stop the T5-shutdown guard timer. */ 2198 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2199 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2200 2201 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2202 } 2203 2204 /* 2205 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2206 * 2207 * See sctp_sf_do_9_1_abort(). 2208 */ 2209 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2210 struct net *net, 2211 const struct sctp_endpoint *ep, 2212 const struct sctp_association *asoc, 2213 const sctp_subtype_t type, 2214 void *arg, 2215 sctp_cmd_seq_t *commands) 2216 { 2217 /* The same T2 timer, so we should be able to use 2218 * common function with the SHUTDOWN-SENT state. 2219 */ 2220 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2221 } 2222 2223 /* 2224 * Handle an Error received in COOKIE_ECHOED state. 2225 * 2226 * Only handle the error type of stale COOKIE Error, the other errors will 2227 * be ignored. 2228 * 2229 * Inputs 2230 * (endpoint, asoc, chunk) 2231 * 2232 * Outputs 2233 * (asoc, reply_msg, msg_up, timers, counters) 2234 * 2235 * The return value is the disposition of the chunk. 2236 */ 2237 sctp_disposition_t sctp_sf_cookie_echoed_err(struct net *net, 2238 const struct sctp_endpoint *ep, 2239 const struct sctp_association *asoc, 2240 const sctp_subtype_t type, 2241 void *arg, 2242 sctp_cmd_seq_t *commands) 2243 { 2244 struct sctp_chunk *chunk = arg; 2245 sctp_errhdr_t *err; 2246 2247 if (!sctp_vtag_verify(chunk, asoc)) 2248 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2249 2250 /* Make sure that the ERROR chunk has a valid length. 2251 * The parameter walking depends on this as well. 2252 */ 2253 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2254 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2255 commands); 2256 2257 /* Process the error here */ 2258 /* FUTURE FIXME: When PR-SCTP related and other optional 2259 * parms are emitted, this will have to change to handle multiple 2260 * errors. 2261 */ 2262 sctp_walk_errors(err, chunk->chunk_hdr) { 2263 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2264 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2265 arg, commands); 2266 } 2267 2268 /* It is possible to have malformed error causes, and that 2269 * will cause us to end the walk early. However, since 2270 * we are discarding the packet, there should be no adverse 2271 * affects. 2272 */ 2273 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2274 } 2275 2276 /* 2277 * Handle a Stale COOKIE Error 2278 * 2279 * Section: 5.2.6 Handle Stale COOKIE Error 2280 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2281 * one of the following three alternatives. 2282 * ... 2283 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2284 * Preservative parameter requesting an extension to the lifetime of 2285 * the State Cookie. When calculating the time extension, an 2286 * implementation SHOULD use the RTT information measured based on the 2287 * previous COOKIE ECHO / ERROR exchange, and should add no more 2288 * than 1 second beyond the measured RTT, due to long State Cookie 2289 * lifetimes making the endpoint more subject to a replay attack. 2290 * 2291 * Verification Tag: Not explicit, but safe to ignore. 2292 * 2293 * Inputs 2294 * (endpoint, asoc, chunk) 2295 * 2296 * Outputs 2297 * (asoc, reply_msg, msg_up, timers, counters) 2298 * 2299 * The return value is the disposition of the chunk. 2300 */ 2301 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net, 2302 const struct sctp_endpoint *ep, 2303 const struct sctp_association *asoc, 2304 const sctp_subtype_t type, 2305 void *arg, 2306 sctp_cmd_seq_t *commands) 2307 { 2308 struct sctp_chunk *chunk = arg; 2309 u32 stale; 2310 sctp_cookie_preserve_param_t bht; 2311 sctp_errhdr_t *err; 2312 struct sctp_chunk *reply; 2313 struct sctp_bind_addr *bp; 2314 int attempts = asoc->init_err_counter + 1; 2315 2316 if (attempts > asoc->max_init_attempts) { 2317 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2318 SCTP_ERROR(ETIMEDOUT)); 2319 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2320 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2321 return SCTP_DISPOSITION_DELETE_TCB; 2322 } 2323 2324 err = (sctp_errhdr_t *)(chunk->skb->data); 2325 2326 /* When calculating the time extension, an implementation 2327 * SHOULD use the RTT information measured based on the 2328 * previous COOKIE ECHO / ERROR exchange, and should add no 2329 * more than 1 second beyond the measured RTT, due to long 2330 * State Cookie lifetimes making the endpoint more subject to 2331 * a replay attack. 2332 * Measure of Staleness's unit is usec. (1/1000000 sec) 2333 * Suggested Cookie Life-span Increment's unit is msec. 2334 * (1/1000 sec) 2335 * In general, if you use the suggested cookie life, the value 2336 * found in the field of measure of staleness should be doubled 2337 * to give ample time to retransmit the new cookie and thus 2338 * yield a higher probability of success on the reattempt. 2339 */ 2340 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2341 stale = (stale * 2) / 1000; 2342 2343 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2344 bht.param_hdr.length = htons(sizeof(bht)); 2345 bht.lifespan_increment = htonl(stale); 2346 2347 /* Build that new INIT chunk. */ 2348 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2349 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2350 if (!reply) 2351 goto nomem; 2352 2353 sctp_addto_chunk(reply, sizeof(bht), &bht); 2354 2355 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2356 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2357 2358 /* Stop pending T3-rtx and heartbeat timers */ 2359 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2360 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2361 2362 /* Delete non-primary peer ip addresses since we are transitioning 2363 * back to the COOKIE-WAIT state 2364 */ 2365 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2366 2367 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2368 * resend 2369 */ 2370 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2371 SCTP_TRANSPORT(asoc->peer.primary_path)); 2372 2373 /* Cast away the const modifier, as we want to just 2374 * rerun it through as a sideffect. 2375 */ 2376 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2377 2378 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2379 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2380 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2381 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2382 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2383 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2384 2385 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2386 2387 return SCTP_DISPOSITION_CONSUME; 2388 2389 nomem: 2390 return SCTP_DISPOSITION_NOMEM; 2391 } 2392 2393 /* 2394 * Process an ABORT. 2395 * 2396 * Section: 9.1 2397 * After checking the Verification Tag, the receiving endpoint shall 2398 * remove the association from its record, and shall report the 2399 * termination to its upper layer. 2400 * 2401 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2402 * B) Rules for packet carrying ABORT: 2403 * 2404 * - The endpoint shall always fill in the Verification Tag field of the 2405 * outbound packet with the destination endpoint's tag value if it 2406 * is known. 2407 * 2408 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2409 * MUST follow the procedure described in Section 8.4. 2410 * 2411 * - The receiver MUST accept the packet if the Verification Tag 2412 * matches either its own tag, OR the tag of its peer. Otherwise, the 2413 * receiver MUST silently discard the packet and take no further 2414 * action. 2415 * 2416 * Inputs 2417 * (endpoint, asoc, chunk) 2418 * 2419 * Outputs 2420 * (asoc, reply_msg, msg_up, timers, counters) 2421 * 2422 * The return value is the disposition of the chunk. 2423 */ 2424 sctp_disposition_t sctp_sf_do_9_1_abort(struct net *net, 2425 const struct sctp_endpoint *ep, 2426 const struct sctp_association *asoc, 2427 const sctp_subtype_t type, 2428 void *arg, 2429 sctp_cmd_seq_t *commands) 2430 { 2431 struct sctp_chunk *chunk = arg; 2432 2433 if (!sctp_vtag_verify_either(chunk, asoc)) 2434 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2435 2436 /* Make sure that the ABORT chunk has a valid length. 2437 * Since this is an ABORT chunk, we have to discard it 2438 * because of the following text: 2439 * RFC 2960, Section 3.3.7 2440 * If an endpoint receives an ABORT with a format error or for an 2441 * association that doesn't exist, it MUST silently discard it. 2442 * Because the length is "invalid", we can't really discard just 2443 * as we do not know its true length. So, to be safe, discard the 2444 * packet. 2445 */ 2446 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2447 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2448 2449 /* ADD-IP: Special case for ABORT chunks 2450 * F4) One special consideration is that ABORT Chunks arriving 2451 * destined to the IP address being deleted MUST be 2452 * ignored (see Section 5.3.1 for further details). 2453 */ 2454 if (SCTP_ADDR_DEL == 2455 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2456 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2457 2458 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2459 } 2460 2461 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net, 2462 const struct sctp_endpoint *ep, 2463 const struct sctp_association *asoc, 2464 const sctp_subtype_t type, 2465 void *arg, 2466 sctp_cmd_seq_t *commands) 2467 { 2468 struct sctp_chunk *chunk = arg; 2469 unsigned int len; 2470 __be16 error = SCTP_ERROR_NO_ERROR; 2471 2472 /* See if we have an error cause code in the chunk. */ 2473 len = ntohs(chunk->chunk_hdr->length); 2474 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { 2475 2476 sctp_errhdr_t *err; 2477 sctp_walk_errors(err, chunk->chunk_hdr); 2478 if ((void *)err != (void *)chunk->chunk_end) 2479 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2480 2481 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2482 } 2483 2484 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2485 /* ASSOC_FAILED will DELETE_TCB. */ 2486 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2487 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2488 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2489 2490 return SCTP_DISPOSITION_ABORT; 2491 } 2492 2493 /* 2494 * Process an ABORT. (COOKIE-WAIT state) 2495 * 2496 * See sctp_sf_do_9_1_abort() above. 2497 */ 2498 sctp_disposition_t sctp_sf_cookie_wait_abort(struct net *net, 2499 const struct sctp_endpoint *ep, 2500 const struct sctp_association *asoc, 2501 const sctp_subtype_t type, 2502 void *arg, 2503 sctp_cmd_seq_t *commands) 2504 { 2505 struct sctp_chunk *chunk = arg; 2506 unsigned int len; 2507 __be16 error = SCTP_ERROR_NO_ERROR; 2508 2509 if (!sctp_vtag_verify_either(chunk, asoc)) 2510 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2511 2512 /* Make sure that the ABORT chunk has a valid length. 2513 * Since this is an ABORT chunk, we have to discard it 2514 * because of the following text: 2515 * RFC 2960, Section 3.3.7 2516 * If an endpoint receives an ABORT with a format error or for an 2517 * association that doesn't exist, it MUST silently discard it. 2518 * Because the length is "invalid", we can't really discard just 2519 * as we do not know its true length. So, to be safe, discard the 2520 * packet. 2521 */ 2522 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2523 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2524 2525 /* See if we have an error cause code in the chunk. */ 2526 len = ntohs(chunk->chunk_hdr->length); 2527 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2528 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2529 2530 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2531 chunk->transport); 2532 } 2533 2534 /* 2535 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2536 */ 2537 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(struct net *net, 2538 const struct sctp_endpoint *ep, 2539 const struct sctp_association *asoc, 2540 const sctp_subtype_t type, 2541 void *arg, 2542 sctp_cmd_seq_t *commands) 2543 { 2544 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2545 ENOPROTOOPT, asoc, 2546 (struct sctp_transport *)arg); 2547 } 2548 2549 /* 2550 * Process an ABORT. (COOKIE-ECHOED state) 2551 */ 2552 sctp_disposition_t sctp_sf_cookie_echoed_abort(struct net *net, 2553 const struct sctp_endpoint *ep, 2554 const struct sctp_association *asoc, 2555 const sctp_subtype_t type, 2556 void *arg, 2557 sctp_cmd_seq_t *commands) 2558 { 2559 /* There is a single T1 timer, so we should be able to use 2560 * common function with the COOKIE-WAIT state. 2561 */ 2562 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2563 } 2564 2565 /* 2566 * Stop T1 timer and abort association with "INIT failed". 2567 * 2568 * This is common code called by several sctp_sf_*_abort() functions above. 2569 */ 2570 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net, 2571 sctp_cmd_seq_t *commands, 2572 __be16 error, int sk_err, 2573 const struct sctp_association *asoc, 2574 struct sctp_transport *transport) 2575 { 2576 pr_debug("%s: ABORT received (INIT)\n", __func__); 2577 2578 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2579 SCTP_STATE(SCTP_STATE_CLOSED)); 2580 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2581 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2582 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2583 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2584 /* CMD_INIT_FAILED will DELETE_TCB. */ 2585 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2586 SCTP_PERR(error)); 2587 2588 return SCTP_DISPOSITION_ABORT; 2589 } 2590 2591 /* 2592 * sctp_sf_do_9_2_shut 2593 * 2594 * Section: 9.2 2595 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2596 * - enter the SHUTDOWN-RECEIVED state, 2597 * 2598 * - stop accepting new data from its SCTP user 2599 * 2600 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2601 * that all its outstanding DATA chunks have been received by the 2602 * SHUTDOWN sender. 2603 * 2604 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2605 * send a SHUTDOWN in response to a ULP request. And should discard 2606 * subsequent SHUTDOWN chunks. 2607 * 2608 * If there are still outstanding DATA chunks left, the SHUTDOWN 2609 * receiver shall continue to follow normal data transmission 2610 * procedures defined in Section 6 until all outstanding DATA chunks 2611 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2612 * new data from its SCTP user. 2613 * 2614 * Verification Tag: 8.5 Verification Tag [Normal verification] 2615 * 2616 * Inputs 2617 * (endpoint, asoc, chunk) 2618 * 2619 * Outputs 2620 * (asoc, reply_msg, msg_up, timers, counters) 2621 * 2622 * The return value is the disposition of the chunk. 2623 */ 2624 sctp_disposition_t sctp_sf_do_9_2_shutdown(struct net *net, 2625 const struct sctp_endpoint *ep, 2626 const struct sctp_association *asoc, 2627 const sctp_subtype_t type, 2628 void *arg, 2629 sctp_cmd_seq_t *commands) 2630 { 2631 struct sctp_chunk *chunk = arg; 2632 sctp_shutdownhdr_t *sdh; 2633 sctp_disposition_t disposition; 2634 struct sctp_ulpevent *ev; 2635 __u32 ctsn; 2636 2637 if (!sctp_vtag_verify(chunk, asoc)) 2638 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2639 2640 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2641 if (!sctp_chunk_length_valid(chunk, 2642 sizeof(struct sctp_shutdown_chunk_t))) 2643 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2644 commands); 2645 2646 /* Convert the elaborate header. */ 2647 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2648 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2649 chunk->subh.shutdown_hdr = sdh; 2650 ctsn = ntohl(sdh->cum_tsn_ack); 2651 2652 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2653 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2654 asoc->ctsn_ack_point); 2655 2656 return SCTP_DISPOSITION_DISCARD; 2657 } 2658 2659 /* If Cumulative TSN Ack beyond the max tsn currently 2660 * send, terminating the association and respond to the 2661 * sender with an ABORT. 2662 */ 2663 if (!TSN_lt(ctsn, asoc->next_tsn)) 2664 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2665 2666 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2667 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2668 * inform the application that it should cease sending data. 2669 */ 2670 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2671 if (!ev) { 2672 disposition = SCTP_DISPOSITION_NOMEM; 2673 goto out; 2674 } 2675 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2676 2677 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2678 * - enter the SHUTDOWN-RECEIVED state, 2679 * - stop accepting new data from its SCTP user 2680 * 2681 * [This is implicit in the new state.] 2682 */ 2683 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2684 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2685 disposition = SCTP_DISPOSITION_CONSUME; 2686 2687 if (sctp_outq_is_empty(&asoc->outqueue)) { 2688 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2689 arg, commands); 2690 } 2691 2692 if (SCTP_DISPOSITION_NOMEM == disposition) 2693 goto out; 2694 2695 /* - verify, by checking the Cumulative TSN Ack field of the 2696 * chunk, that all its outstanding DATA chunks have been 2697 * received by the SHUTDOWN sender. 2698 */ 2699 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2700 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2701 2702 out: 2703 return disposition; 2704 } 2705 2706 /* 2707 * sctp_sf_do_9_2_shut_ctsn 2708 * 2709 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2710 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2711 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2712 * MUST be processed. 2713 */ 2714 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(struct net *net, 2715 const struct sctp_endpoint *ep, 2716 const struct sctp_association *asoc, 2717 const sctp_subtype_t type, 2718 void *arg, 2719 sctp_cmd_seq_t *commands) 2720 { 2721 struct sctp_chunk *chunk = arg; 2722 sctp_shutdownhdr_t *sdh; 2723 __u32 ctsn; 2724 2725 if (!sctp_vtag_verify(chunk, asoc)) 2726 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2727 2728 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2729 if (!sctp_chunk_length_valid(chunk, 2730 sizeof(struct sctp_shutdown_chunk_t))) 2731 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2732 commands); 2733 2734 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2735 ctsn = ntohl(sdh->cum_tsn_ack); 2736 2737 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2738 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2739 asoc->ctsn_ack_point); 2740 2741 return SCTP_DISPOSITION_DISCARD; 2742 } 2743 2744 /* If Cumulative TSN Ack beyond the max tsn currently 2745 * send, terminating the association and respond to the 2746 * sender with an ABORT. 2747 */ 2748 if (!TSN_lt(ctsn, asoc->next_tsn)) 2749 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2750 2751 /* verify, by checking the Cumulative TSN Ack field of the 2752 * chunk, that all its outstanding DATA chunks have been 2753 * received by the SHUTDOWN sender. 2754 */ 2755 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2756 SCTP_BE32(sdh->cum_tsn_ack)); 2757 2758 return SCTP_DISPOSITION_CONSUME; 2759 } 2760 2761 /* RFC 2960 9.2 2762 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2763 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2764 * transport addresses (either in the IP addresses or in the INIT chunk) 2765 * that belong to this association, it should discard the INIT chunk and 2766 * retransmit the SHUTDOWN ACK chunk. 2767 */ 2768 sctp_disposition_t sctp_sf_do_9_2_reshutack(struct net *net, 2769 const struct sctp_endpoint *ep, 2770 const struct sctp_association *asoc, 2771 const sctp_subtype_t type, 2772 void *arg, 2773 sctp_cmd_seq_t *commands) 2774 { 2775 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2776 struct sctp_chunk *reply; 2777 2778 /* Make sure that the chunk has a valid length */ 2779 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2780 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2781 commands); 2782 2783 /* Since we are not going to really process this INIT, there 2784 * is no point in verifying chunk boundries. Just generate 2785 * the SHUTDOWN ACK. 2786 */ 2787 reply = sctp_make_shutdown_ack(asoc, chunk); 2788 if (NULL == reply) 2789 goto nomem; 2790 2791 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2792 * the T2-SHUTDOWN timer. 2793 */ 2794 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2795 2796 /* and restart the T2-shutdown timer. */ 2797 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2798 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2799 2800 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2801 2802 return SCTP_DISPOSITION_CONSUME; 2803 nomem: 2804 return SCTP_DISPOSITION_NOMEM; 2805 } 2806 2807 /* 2808 * sctp_sf_do_ecn_cwr 2809 * 2810 * Section: Appendix A: Explicit Congestion Notification 2811 * 2812 * CWR: 2813 * 2814 * RFC 2481 details a specific bit for a sender to send in the header of 2815 * its next outbound TCP segment to indicate to its peer that it has 2816 * reduced its congestion window. This is termed the CWR bit. For 2817 * SCTP the same indication is made by including the CWR chunk. 2818 * This chunk contains one data element, i.e. the TSN number that 2819 * was sent in the ECNE chunk. This element represents the lowest 2820 * TSN number in the datagram that was originally marked with the 2821 * CE bit. 2822 * 2823 * Verification Tag: 8.5 Verification Tag [Normal verification] 2824 * Inputs 2825 * (endpoint, asoc, chunk) 2826 * 2827 * Outputs 2828 * (asoc, reply_msg, msg_up, timers, counters) 2829 * 2830 * The return value is the disposition of the chunk. 2831 */ 2832 sctp_disposition_t sctp_sf_do_ecn_cwr(struct net *net, 2833 const struct sctp_endpoint *ep, 2834 const struct sctp_association *asoc, 2835 const sctp_subtype_t type, 2836 void *arg, 2837 sctp_cmd_seq_t *commands) 2838 { 2839 sctp_cwrhdr_t *cwr; 2840 struct sctp_chunk *chunk = arg; 2841 u32 lowest_tsn; 2842 2843 if (!sctp_vtag_verify(chunk, asoc)) 2844 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2845 2846 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2847 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2848 commands); 2849 2850 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2851 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2852 2853 lowest_tsn = ntohl(cwr->lowest_tsn); 2854 2855 /* Does this CWR ack the last sent congestion notification? */ 2856 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2857 /* Stop sending ECNE. */ 2858 sctp_add_cmd_sf(commands, 2859 SCTP_CMD_ECN_CWR, 2860 SCTP_U32(lowest_tsn)); 2861 } 2862 return SCTP_DISPOSITION_CONSUME; 2863 } 2864 2865 /* 2866 * sctp_sf_do_ecne 2867 * 2868 * Section: Appendix A: Explicit Congestion Notification 2869 * 2870 * ECN-Echo 2871 * 2872 * RFC 2481 details a specific bit for a receiver to send back in its 2873 * TCP acknowledgements to notify the sender of the Congestion 2874 * Experienced (CE) bit having arrived from the network. For SCTP this 2875 * same indication is made by including the ECNE chunk. This chunk 2876 * contains one data element, i.e. the lowest TSN associated with the IP 2877 * datagram marked with the CE bit..... 2878 * 2879 * Verification Tag: 8.5 Verification Tag [Normal verification] 2880 * Inputs 2881 * (endpoint, asoc, chunk) 2882 * 2883 * Outputs 2884 * (asoc, reply_msg, msg_up, timers, counters) 2885 * 2886 * The return value is the disposition of the chunk. 2887 */ 2888 sctp_disposition_t sctp_sf_do_ecne(struct net *net, 2889 const struct sctp_endpoint *ep, 2890 const struct sctp_association *asoc, 2891 const sctp_subtype_t type, 2892 void *arg, 2893 sctp_cmd_seq_t *commands) 2894 { 2895 sctp_ecnehdr_t *ecne; 2896 struct sctp_chunk *chunk = arg; 2897 2898 if (!sctp_vtag_verify(chunk, asoc)) 2899 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2900 2901 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2902 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2903 commands); 2904 2905 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2906 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2907 2908 /* If this is a newer ECNE than the last CWR packet we sent out */ 2909 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2910 SCTP_U32(ntohl(ecne->lowest_tsn))); 2911 2912 return SCTP_DISPOSITION_CONSUME; 2913 } 2914 2915 /* 2916 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2917 * 2918 * The SCTP endpoint MUST always acknowledge the reception of each valid 2919 * DATA chunk. 2920 * 2921 * The guidelines on delayed acknowledgement algorithm specified in 2922 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2923 * acknowledgement SHOULD be generated for at least every second packet 2924 * (not every second DATA chunk) received, and SHOULD be generated within 2925 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2926 * situations it may be beneficial for an SCTP transmitter to be more 2927 * conservative than the algorithms detailed in this document allow. 2928 * However, an SCTP transmitter MUST NOT be more aggressive than the 2929 * following algorithms allow. 2930 * 2931 * A SCTP receiver MUST NOT generate more than one SACK for every 2932 * incoming packet, other than to update the offered window as the 2933 * receiving application consumes new data. 2934 * 2935 * Verification Tag: 8.5 Verification Tag [Normal verification] 2936 * 2937 * Inputs 2938 * (endpoint, asoc, chunk) 2939 * 2940 * Outputs 2941 * (asoc, reply_msg, msg_up, timers, counters) 2942 * 2943 * The return value is the disposition of the chunk. 2944 */ 2945 sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net, 2946 const struct sctp_endpoint *ep, 2947 const struct sctp_association *asoc, 2948 const sctp_subtype_t type, 2949 void *arg, 2950 sctp_cmd_seq_t *commands) 2951 { 2952 struct sctp_chunk *chunk = arg; 2953 sctp_arg_t force = SCTP_NOFORCE(); 2954 int error; 2955 2956 if (!sctp_vtag_verify(chunk, asoc)) { 2957 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2958 SCTP_NULL()); 2959 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2960 } 2961 2962 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2963 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2964 commands); 2965 2966 error = sctp_eat_data(asoc, chunk, commands); 2967 switch (error) { 2968 case SCTP_IERROR_NO_ERROR: 2969 break; 2970 case SCTP_IERROR_HIGH_TSN: 2971 case SCTP_IERROR_BAD_STREAM: 2972 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2973 goto discard_noforce; 2974 case SCTP_IERROR_DUP_TSN: 2975 case SCTP_IERROR_IGNORE_TSN: 2976 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2977 goto discard_force; 2978 case SCTP_IERROR_NO_DATA: 2979 return SCTP_DISPOSITION_ABORT; 2980 case SCTP_IERROR_PROTO_VIOLATION: 2981 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 2982 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 2983 default: 2984 BUG(); 2985 } 2986 2987 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 2988 force = SCTP_FORCE(); 2989 2990 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 2991 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2992 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2993 } 2994 2995 /* If this is the last chunk in a packet, we need to count it 2996 * toward sack generation. Note that we need to SACK every 2997 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2998 * THEM. We elect to NOT generate SACK's if the chunk fails 2999 * the verification tag test. 3000 * 3001 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3002 * 3003 * The SCTP endpoint MUST always acknowledge the reception of 3004 * each valid DATA chunk. 3005 * 3006 * The guidelines on delayed acknowledgement algorithm 3007 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3008 * Specifically, an acknowledgement SHOULD be generated for at 3009 * least every second packet (not every second DATA chunk) 3010 * received, and SHOULD be generated within 200 ms of the 3011 * arrival of any unacknowledged DATA chunk. In some 3012 * situations it may be beneficial for an SCTP transmitter to 3013 * be more conservative than the algorithms detailed in this 3014 * document allow. However, an SCTP transmitter MUST NOT be 3015 * more aggressive than the following algorithms allow. 3016 */ 3017 if (chunk->end_of_packet) 3018 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3019 3020 return SCTP_DISPOSITION_CONSUME; 3021 3022 discard_force: 3023 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3024 * 3025 * When a packet arrives with duplicate DATA chunk(s) and with 3026 * no new DATA chunk(s), the endpoint MUST immediately send a 3027 * SACK with no delay. If a packet arrives with duplicate 3028 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3029 * MAY immediately send a SACK. Normally receipt of duplicate 3030 * DATA chunks will occur when the original SACK chunk was lost 3031 * and the peer's RTO has expired. The duplicate TSN number(s) 3032 * SHOULD be reported in the SACK as duplicate. 3033 */ 3034 /* In our case, we split the MAY SACK advice up whether or not 3035 * the last chunk is a duplicate.' 3036 */ 3037 if (chunk->end_of_packet) 3038 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3039 return SCTP_DISPOSITION_DISCARD; 3040 3041 discard_noforce: 3042 if (chunk->end_of_packet) 3043 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3044 3045 return SCTP_DISPOSITION_DISCARD; 3046 } 3047 3048 /* 3049 * sctp_sf_eat_data_fast_4_4 3050 * 3051 * Section: 4 (4) 3052 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3053 * DATA chunks without delay. 3054 * 3055 * Verification Tag: 8.5 Verification Tag [Normal verification] 3056 * Inputs 3057 * (endpoint, asoc, chunk) 3058 * 3059 * Outputs 3060 * (asoc, reply_msg, msg_up, timers, counters) 3061 * 3062 * The return value is the disposition of the chunk. 3063 */ 3064 sctp_disposition_t sctp_sf_eat_data_fast_4_4(struct net *net, 3065 const struct sctp_endpoint *ep, 3066 const struct sctp_association *asoc, 3067 const sctp_subtype_t type, 3068 void *arg, 3069 sctp_cmd_seq_t *commands) 3070 { 3071 struct sctp_chunk *chunk = arg; 3072 int error; 3073 3074 if (!sctp_vtag_verify(chunk, asoc)) { 3075 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3076 SCTP_NULL()); 3077 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3078 } 3079 3080 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 3081 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3082 commands); 3083 3084 error = sctp_eat_data(asoc, chunk, commands); 3085 switch (error) { 3086 case SCTP_IERROR_NO_ERROR: 3087 case SCTP_IERROR_HIGH_TSN: 3088 case SCTP_IERROR_DUP_TSN: 3089 case SCTP_IERROR_IGNORE_TSN: 3090 case SCTP_IERROR_BAD_STREAM: 3091 break; 3092 case SCTP_IERROR_NO_DATA: 3093 return SCTP_DISPOSITION_ABORT; 3094 case SCTP_IERROR_PROTO_VIOLATION: 3095 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3096 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 3097 default: 3098 BUG(); 3099 } 3100 3101 /* Go a head and force a SACK, since we are shutting down. */ 3102 3103 /* Implementor's Guide. 3104 * 3105 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3106 * respond to each received packet containing one or more DATA chunk(s) 3107 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3108 */ 3109 if (chunk->end_of_packet) { 3110 /* We must delay the chunk creation since the cumulative 3111 * TSN has not been updated yet. 3112 */ 3113 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3114 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3115 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3116 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3117 } 3118 3119 return SCTP_DISPOSITION_CONSUME; 3120 } 3121 3122 /* 3123 * Section: 6.2 Processing a Received SACK 3124 * D) Any time a SACK arrives, the endpoint performs the following: 3125 * 3126 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3127 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3128 * increasing, a SACK whose Cumulative TSN Ack is less than the 3129 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3130 * 3131 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3132 * of bytes still outstanding after processing the Cumulative TSN Ack 3133 * and the Gap Ack Blocks. 3134 * 3135 * iii) If the SACK is missing a TSN that was previously 3136 * acknowledged via a Gap Ack Block (e.g., the data receiver 3137 * reneged on the data), then mark the corresponding DATA chunk 3138 * as available for retransmit: Mark it as missing for fast 3139 * retransmit as described in Section 7.2.4 and if no retransmit 3140 * timer is running for the destination address to which the DATA 3141 * chunk was originally transmitted, then T3-rtx is started for 3142 * that destination address. 3143 * 3144 * Verification Tag: 8.5 Verification Tag [Normal verification] 3145 * 3146 * Inputs 3147 * (endpoint, asoc, chunk) 3148 * 3149 * Outputs 3150 * (asoc, reply_msg, msg_up, timers, counters) 3151 * 3152 * The return value is the disposition of the chunk. 3153 */ 3154 sctp_disposition_t sctp_sf_eat_sack_6_2(struct net *net, 3155 const struct sctp_endpoint *ep, 3156 const struct sctp_association *asoc, 3157 const sctp_subtype_t type, 3158 void *arg, 3159 sctp_cmd_seq_t *commands) 3160 { 3161 struct sctp_chunk *chunk = arg; 3162 sctp_sackhdr_t *sackh; 3163 __u32 ctsn; 3164 3165 if (!sctp_vtag_verify(chunk, asoc)) 3166 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3167 3168 /* Make sure that the SACK chunk has a valid length. */ 3169 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 3170 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3171 commands); 3172 3173 /* Pull the SACK chunk from the data buffer */ 3174 sackh = sctp_sm_pull_sack(chunk); 3175 /* Was this a bogus SACK? */ 3176 if (!sackh) 3177 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3178 chunk->subh.sack_hdr = sackh; 3179 ctsn = ntohl(sackh->cum_tsn_ack); 3180 3181 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3182 * Ack Point, then drop the SACK. Since Cumulative TSN 3183 * Ack is monotonically increasing, a SACK whose 3184 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3185 * Point indicates an out-of-order SACK. 3186 */ 3187 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3188 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3189 asoc->ctsn_ack_point); 3190 3191 return SCTP_DISPOSITION_DISCARD; 3192 } 3193 3194 /* If Cumulative TSN Ack beyond the max tsn currently 3195 * send, terminating the association and respond to the 3196 * sender with an ABORT. 3197 */ 3198 if (!TSN_lt(ctsn, asoc->next_tsn)) 3199 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3200 3201 /* Return this SACK for further processing. */ 3202 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3203 3204 /* Note: We do the rest of the work on the PROCESS_SACK 3205 * sideeffect. 3206 */ 3207 return SCTP_DISPOSITION_CONSUME; 3208 } 3209 3210 /* 3211 * Generate an ABORT in response to a packet. 3212 * 3213 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3214 * 3215 * 8) The receiver should respond to the sender of the OOTB packet with 3216 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3217 * MUST fill in the Verification Tag field of the outbound packet 3218 * with the value found in the Verification Tag field of the OOTB 3219 * packet and set the T-bit in the Chunk Flags to indicate that the 3220 * Verification Tag is reflected. After sending this ABORT, the 3221 * receiver of the OOTB packet shall discard the OOTB packet and take 3222 * no further action. 3223 * 3224 * Verification Tag: 3225 * 3226 * The return value is the disposition of the chunk. 3227 */ 3228 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net, 3229 const struct sctp_endpoint *ep, 3230 const struct sctp_association *asoc, 3231 const sctp_subtype_t type, 3232 void *arg, 3233 sctp_cmd_seq_t *commands) 3234 { 3235 struct sctp_packet *packet = NULL; 3236 struct sctp_chunk *chunk = arg; 3237 struct sctp_chunk *abort; 3238 3239 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3240 3241 if (packet) { 3242 /* Make an ABORT. The T bit will be set if the asoc 3243 * is NULL. 3244 */ 3245 abort = sctp_make_abort(asoc, chunk, 0); 3246 if (!abort) { 3247 sctp_ootb_pkt_free(packet); 3248 return SCTP_DISPOSITION_NOMEM; 3249 } 3250 3251 /* Reflect vtag if T-Bit is set */ 3252 if (sctp_test_T_bit(abort)) 3253 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3254 3255 /* Set the skb to the belonging sock for accounting. */ 3256 abort->skb->sk = ep->base.sk; 3257 3258 sctp_packet_append_chunk(packet, abort); 3259 3260 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3261 SCTP_PACKET(packet)); 3262 3263 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3264 3265 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3266 return SCTP_DISPOSITION_CONSUME; 3267 } 3268 3269 return SCTP_DISPOSITION_NOMEM; 3270 } 3271 3272 /* 3273 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3274 * event as ULP notification for each cause included in the chunk. 3275 * 3276 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3277 * 3278 * The return value is the disposition of the chunk. 3279 */ 3280 sctp_disposition_t sctp_sf_operr_notify(struct net *net, 3281 const struct sctp_endpoint *ep, 3282 const struct sctp_association *asoc, 3283 const sctp_subtype_t type, 3284 void *arg, 3285 sctp_cmd_seq_t *commands) 3286 { 3287 struct sctp_chunk *chunk = arg; 3288 sctp_errhdr_t *err; 3289 3290 if (!sctp_vtag_verify(chunk, asoc)) 3291 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3292 3293 /* Make sure that the ERROR chunk has a valid length. */ 3294 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3295 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3296 commands); 3297 sctp_walk_errors(err, chunk->chunk_hdr); 3298 if ((void *)err != (void *)chunk->chunk_end) 3299 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3300 (void *)err, commands); 3301 3302 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3303 SCTP_CHUNK(chunk)); 3304 3305 return SCTP_DISPOSITION_CONSUME; 3306 } 3307 3308 /* 3309 * Process an inbound SHUTDOWN ACK. 3310 * 3311 * From Section 9.2: 3312 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3313 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3314 * peer, and remove all record of the association. 3315 * 3316 * The return value is the disposition. 3317 */ 3318 sctp_disposition_t sctp_sf_do_9_2_final(struct net *net, 3319 const struct sctp_endpoint *ep, 3320 const struct sctp_association *asoc, 3321 const sctp_subtype_t type, 3322 void *arg, 3323 sctp_cmd_seq_t *commands) 3324 { 3325 struct sctp_chunk *chunk = arg; 3326 struct sctp_chunk *reply; 3327 struct sctp_ulpevent *ev; 3328 3329 if (!sctp_vtag_verify(chunk, asoc)) 3330 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3331 3332 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3333 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3334 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3335 commands); 3336 /* 10.2 H) SHUTDOWN COMPLETE notification 3337 * 3338 * When SCTP completes the shutdown procedures (section 9.2) this 3339 * notification is passed to the upper layer. 3340 */ 3341 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3342 0, 0, 0, NULL, GFP_ATOMIC); 3343 if (!ev) 3344 goto nomem; 3345 3346 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3347 reply = sctp_make_shutdown_complete(asoc, chunk); 3348 if (!reply) 3349 goto nomem_chunk; 3350 3351 /* Do all the commands now (after allocation), so that we 3352 * have consistent state if memory allocation failes 3353 */ 3354 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3355 3356 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3357 * stop the T2-shutdown timer, 3358 */ 3359 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3360 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3361 3362 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3363 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3364 3365 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3366 SCTP_STATE(SCTP_STATE_CLOSED)); 3367 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3368 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3369 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3370 3371 /* ...and remove all record of the association. */ 3372 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3373 return SCTP_DISPOSITION_DELETE_TCB; 3374 3375 nomem_chunk: 3376 sctp_ulpevent_free(ev); 3377 nomem: 3378 return SCTP_DISPOSITION_NOMEM; 3379 } 3380 3381 /* 3382 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3383 * 3384 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3385 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3386 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3387 * packet must fill in the Verification Tag field of the outbound 3388 * packet with the Verification Tag received in the SHUTDOWN ACK and 3389 * set the T-bit in the Chunk Flags to indicate that the Verification 3390 * Tag is reflected. 3391 * 3392 * 8) The receiver should respond to the sender of the OOTB packet with 3393 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3394 * MUST fill in the Verification Tag field of the outbound packet 3395 * with the value found in the Verification Tag field of the OOTB 3396 * packet and set the T-bit in the Chunk Flags to indicate that the 3397 * Verification Tag is reflected. After sending this ABORT, the 3398 * receiver of the OOTB packet shall discard the OOTB packet and take 3399 * no further action. 3400 */ 3401 sctp_disposition_t sctp_sf_ootb(struct net *net, 3402 const struct sctp_endpoint *ep, 3403 const struct sctp_association *asoc, 3404 const sctp_subtype_t type, 3405 void *arg, 3406 sctp_cmd_seq_t *commands) 3407 { 3408 struct sctp_chunk *chunk = arg; 3409 struct sk_buff *skb = chunk->skb; 3410 sctp_chunkhdr_t *ch; 3411 sctp_errhdr_t *err; 3412 __u8 *ch_end; 3413 int ootb_shut_ack = 0; 3414 int ootb_cookie_ack = 0; 3415 3416 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3417 3418 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3419 do { 3420 /* Report violation if the chunk is less then minimal */ 3421 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3422 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3423 commands); 3424 3425 /* Now that we know we at least have a chunk header, 3426 * do things that are type appropriate. 3427 */ 3428 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3429 ootb_shut_ack = 1; 3430 3431 /* RFC 2960, Section 3.3.7 3432 * Moreover, under any circumstances, an endpoint that 3433 * receives an ABORT MUST NOT respond to that ABORT by 3434 * sending an ABORT of its own. 3435 */ 3436 if (SCTP_CID_ABORT == ch->type) 3437 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3438 3439 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3440 * or a COOKIE ACK the SCTP Packet should be silently 3441 * discarded. 3442 */ 3443 3444 if (SCTP_CID_COOKIE_ACK == ch->type) 3445 ootb_cookie_ack = 1; 3446 3447 if (SCTP_CID_ERROR == ch->type) { 3448 sctp_walk_errors(err, ch) { 3449 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3450 ootb_cookie_ack = 1; 3451 break; 3452 } 3453 } 3454 } 3455 3456 /* Report violation if chunk len overflows */ 3457 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3458 if (ch_end > skb_tail_pointer(skb)) 3459 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3460 commands); 3461 3462 ch = (sctp_chunkhdr_t *) ch_end; 3463 } while (ch_end < skb_tail_pointer(skb)); 3464 3465 if (ootb_shut_ack) 3466 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3467 else if (ootb_cookie_ack) 3468 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3469 else 3470 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3471 } 3472 3473 /* 3474 * Handle an "Out of the blue" SHUTDOWN ACK. 3475 * 3476 * Section: 8.4 5, sctpimpguide 2.41. 3477 * 3478 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3479 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3480 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3481 * packet must fill in the Verification Tag field of the outbound 3482 * packet with the Verification Tag received in the SHUTDOWN ACK and 3483 * set the T-bit in the Chunk Flags to indicate that the Verification 3484 * Tag is reflected. 3485 * 3486 * Inputs 3487 * (endpoint, asoc, type, arg, commands) 3488 * 3489 * Outputs 3490 * (sctp_disposition_t) 3491 * 3492 * The return value is the disposition of the chunk. 3493 */ 3494 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net, 3495 const struct sctp_endpoint *ep, 3496 const struct sctp_association *asoc, 3497 const sctp_subtype_t type, 3498 void *arg, 3499 sctp_cmd_seq_t *commands) 3500 { 3501 struct sctp_packet *packet = NULL; 3502 struct sctp_chunk *chunk = arg; 3503 struct sctp_chunk *shut; 3504 3505 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3506 3507 if (packet) { 3508 /* Make an SHUTDOWN_COMPLETE. 3509 * The T bit will be set if the asoc is NULL. 3510 */ 3511 shut = sctp_make_shutdown_complete(asoc, chunk); 3512 if (!shut) { 3513 sctp_ootb_pkt_free(packet); 3514 return SCTP_DISPOSITION_NOMEM; 3515 } 3516 3517 /* Reflect vtag if T-Bit is set */ 3518 if (sctp_test_T_bit(shut)) 3519 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3520 3521 /* Set the skb to the belonging sock for accounting. */ 3522 shut->skb->sk = ep->base.sk; 3523 3524 sctp_packet_append_chunk(packet, shut); 3525 3526 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3527 SCTP_PACKET(packet)); 3528 3529 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3530 3531 /* If the chunk length is invalid, we don't want to process 3532 * the reset of the packet. 3533 */ 3534 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3535 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3536 3537 /* We need to discard the rest of the packet to prevent 3538 * potential bomming attacks from additional bundled chunks. 3539 * This is documented in SCTP Threats ID. 3540 */ 3541 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3542 } 3543 3544 return SCTP_DISPOSITION_NOMEM; 3545 } 3546 3547 /* 3548 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3549 * 3550 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3551 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3552 * procedures in section 8.4 SHOULD be followed, in other words it 3553 * should be treated as an Out Of The Blue packet. 3554 * [This means that we do NOT check the Verification Tag on these 3555 * chunks. --piggy ] 3556 * 3557 */ 3558 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(struct net *net, 3559 const struct sctp_endpoint *ep, 3560 const struct sctp_association *asoc, 3561 const sctp_subtype_t type, 3562 void *arg, 3563 sctp_cmd_seq_t *commands) 3564 { 3565 struct sctp_chunk *chunk = arg; 3566 3567 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3568 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3569 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3570 commands); 3571 3572 /* Although we do have an association in this case, it corresponds 3573 * to a restarted association. So the packet is treated as an OOTB 3574 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3575 * called with a NULL association. 3576 */ 3577 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3578 3579 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3580 } 3581 3582 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3583 sctp_disposition_t sctp_sf_do_asconf(struct net *net, 3584 const struct sctp_endpoint *ep, 3585 const struct sctp_association *asoc, 3586 const sctp_subtype_t type, void *arg, 3587 sctp_cmd_seq_t *commands) 3588 { 3589 struct sctp_chunk *chunk = arg; 3590 struct sctp_chunk *asconf_ack = NULL; 3591 struct sctp_paramhdr *err_param = NULL; 3592 sctp_addiphdr_t *hdr; 3593 __u32 serial; 3594 3595 if (!sctp_vtag_verify(chunk, asoc)) { 3596 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3597 SCTP_NULL()); 3598 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3599 } 3600 3601 /* ADD-IP: Section 4.1.1 3602 * This chunk MUST be sent in an authenticated way by using 3603 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3604 * is received unauthenticated it MUST be silently discarded as 3605 * described in [I-D.ietf-tsvwg-sctp-auth]. 3606 */ 3607 if (!net->sctp.addip_noauth && !chunk->auth) 3608 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 3609 3610 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3611 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3612 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3613 commands); 3614 3615 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3616 serial = ntohl(hdr->serial); 3617 3618 /* Verify the ASCONF chunk before processing it. */ 3619 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3620 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3621 (void *)err_param, commands); 3622 3623 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3624 * the endpoint stored in a new association variable 3625 * 'Peer-Serial-Number'. 3626 */ 3627 if (serial == asoc->peer.addip_serial + 1) { 3628 /* If this is the first instance of ASCONF in the packet, 3629 * we can clean our old ASCONF-ACKs. 3630 */ 3631 if (!chunk->has_asconf) 3632 sctp_assoc_clean_asconf_ack_cache(asoc); 3633 3634 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3635 * expected, process the ASCONF as described below and after 3636 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3637 * the response packet and cache a copy of it (in the event it 3638 * later needs to be retransmitted). 3639 * 3640 * Essentially, do V1-V5. 3641 */ 3642 asconf_ack = sctp_process_asconf((struct sctp_association *) 3643 asoc, chunk); 3644 if (!asconf_ack) 3645 return SCTP_DISPOSITION_NOMEM; 3646 } else if (serial < asoc->peer.addip_serial + 1) { 3647 /* ADDIP 5.2 E2) 3648 * If the value found in the Sequence Number is less than the 3649 * ('Peer- Sequence-Number' + 1), simply skip to the next 3650 * ASCONF, and include in the outbound response packet 3651 * any previously cached ASCONF-ACK response that was 3652 * sent and saved that matches the Sequence Number of the 3653 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3654 * Chunk exists. This will occur when an older ASCONF 3655 * arrives out of order. In such a case, the receiver 3656 * should skip the ASCONF Chunk and not include ASCONF-ACK 3657 * Chunk for that chunk. 3658 */ 3659 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3660 if (!asconf_ack) 3661 return SCTP_DISPOSITION_DISCARD; 3662 3663 /* Reset the transport so that we select the correct one 3664 * this time around. This is to make sure that we don't 3665 * accidentally use a stale transport that's been removed. 3666 */ 3667 asconf_ack->transport = NULL; 3668 } else { 3669 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3670 * it must be either a stale packet or from an attacker. 3671 */ 3672 return SCTP_DISPOSITION_DISCARD; 3673 } 3674 3675 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3676 * containing the ASCONF-ACK Chunks MUST be the source address of 3677 * the SCTP packet that held the ASCONF Chunks. 3678 * 3679 * To do this properly, we'll set the destination address of the chunk 3680 * and at the transmit time, will try look up the transport to use. 3681 * Since ASCONFs may be bundled, the correct transport may not be 3682 * created until we process the entire packet, thus this workaround. 3683 */ 3684 asconf_ack->dest = chunk->source; 3685 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3686 if (asoc->new_transport) { 3687 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3688 ((struct sctp_association *)asoc)->new_transport = NULL; 3689 } 3690 3691 return SCTP_DISPOSITION_CONSUME; 3692 } 3693 3694 /* 3695 * ADDIP Section 4.3 General rules for address manipulation 3696 * When building TLV parameters for the ASCONF Chunk that will add or 3697 * delete IP addresses the D0 to D13 rules should be applied: 3698 */ 3699 sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net, 3700 const struct sctp_endpoint *ep, 3701 const struct sctp_association *asoc, 3702 const sctp_subtype_t type, void *arg, 3703 sctp_cmd_seq_t *commands) 3704 { 3705 struct sctp_chunk *asconf_ack = arg; 3706 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3707 struct sctp_chunk *abort; 3708 struct sctp_paramhdr *err_param = NULL; 3709 sctp_addiphdr_t *addip_hdr; 3710 __u32 sent_serial, rcvd_serial; 3711 3712 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3713 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3714 SCTP_NULL()); 3715 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3716 } 3717 3718 /* ADD-IP, Section 4.1.2: 3719 * This chunk MUST be sent in an authenticated way by using 3720 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3721 * is received unauthenticated it MUST be silently discarded as 3722 * described in [I-D.ietf-tsvwg-sctp-auth]. 3723 */ 3724 if (!net->sctp.addip_noauth && !asconf_ack->auth) 3725 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 3726 3727 /* Make sure that the ADDIP chunk has a valid length. */ 3728 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3729 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3730 commands); 3731 3732 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3733 rcvd_serial = ntohl(addip_hdr->serial); 3734 3735 /* Verify the ASCONF-ACK chunk before processing it. */ 3736 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 3737 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3738 (void *)err_param, commands); 3739 3740 if (last_asconf) { 3741 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3742 sent_serial = ntohl(addip_hdr->serial); 3743 } else { 3744 sent_serial = asoc->addip_serial - 1; 3745 } 3746 3747 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3748 * equal to the next serial number to be used but no ASCONF chunk is 3749 * outstanding the endpoint MUST ABORT the association. Note that a 3750 * sequence number is greater than if it is no more than 2^^31-1 3751 * larger than the current sequence number (using serial arithmetic). 3752 */ 3753 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3754 !(asoc->addip_last_asconf)) { 3755 abort = sctp_make_abort(asoc, asconf_ack, 3756 sizeof(sctp_errhdr_t)); 3757 if (abort) { 3758 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3759 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3760 SCTP_CHUNK(abort)); 3761 } 3762 /* We are going to ABORT, so we might as well stop 3763 * processing the rest of the chunks in the packet. 3764 */ 3765 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3766 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3767 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3768 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3769 SCTP_ERROR(ECONNABORTED)); 3770 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3771 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3772 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3773 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3774 return SCTP_DISPOSITION_ABORT; 3775 } 3776 3777 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3778 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3779 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3780 3781 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3782 asconf_ack)) { 3783 /* Successfully processed ASCONF_ACK. We can 3784 * release the next asconf if we have one. 3785 */ 3786 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3787 SCTP_NULL()); 3788 return SCTP_DISPOSITION_CONSUME; 3789 } 3790 3791 abort = sctp_make_abort(asoc, asconf_ack, 3792 sizeof(sctp_errhdr_t)); 3793 if (abort) { 3794 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3795 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3796 SCTP_CHUNK(abort)); 3797 } 3798 /* We are going to ABORT, so we might as well stop 3799 * processing the rest of the chunks in the packet. 3800 */ 3801 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3802 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3803 SCTP_ERROR(ECONNABORTED)); 3804 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3805 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3806 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3807 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3808 return SCTP_DISPOSITION_ABORT; 3809 } 3810 3811 return SCTP_DISPOSITION_DISCARD; 3812 } 3813 3814 /* 3815 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3816 * 3817 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3818 * its cumulative TSN point to the value carried in the FORWARD TSN 3819 * chunk, and then MUST further advance its cumulative TSN point locally 3820 * if possible. 3821 * After the above processing, the data receiver MUST stop reporting any 3822 * missing TSNs earlier than or equal to the new cumulative TSN point. 3823 * 3824 * Verification Tag: 8.5 Verification Tag [Normal verification] 3825 * 3826 * The return value is the disposition of the chunk. 3827 */ 3828 sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net, 3829 const struct sctp_endpoint *ep, 3830 const struct sctp_association *asoc, 3831 const sctp_subtype_t type, 3832 void *arg, 3833 sctp_cmd_seq_t *commands) 3834 { 3835 struct sctp_chunk *chunk = arg; 3836 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3837 struct sctp_fwdtsn_skip *skip; 3838 __u16 len; 3839 __u32 tsn; 3840 3841 if (!sctp_vtag_verify(chunk, asoc)) { 3842 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3843 SCTP_NULL()); 3844 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3845 } 3846 3847 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3848 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3849 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3850 commands); 3851 3852 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3853 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3854 len = ntohs(chunk->chunk_hdr->length); 3855 len -= sizeof(struct sctp_chunkhdr); 3856 skb_pull(chunk->skb, len); 3857 3858 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3859 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 3860 3861 /* The TSN is too high--silently discard the chunk and count on it 3862 * getting retransmitted later. 3863 */ 3864 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3865 goto discard_noforce; 3866 3867 /* Silently discard the chunk if stream-id is not valid */ 3868 sctp_walk_fwdtsn(skip, chunk) { 3869 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3870 goto discard_noforce; 3871 } 3872 3873 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3874 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3875 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3876 SCTP_CHUNK(chunk)); 3877 3878 /* Count this as receiving DATA. */ 3879 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3880 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3881 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3882 } 3883 3884 /* FIXME: For now send a SACK, but DATA processing may 3885 * send another. 3886 */ 3887 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3888 3889 return SCTP_DISPOSITION_CONSUME; 3890 3891 discard_noforce: 3892 return SCTP_DISPOSITION_DISCARD; 3893 } 3894 3895 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3896 struct net *net, 3897 const struct sctp_endpoint *ep, 3898 const struct sctp_association *asoc, 3899 const sctp_subtype_t type, 3900 void *arg, 3901 sctp_cmd_seq_t *commands) 3902 { 3903 struct sctp_chunk *chunk = arg; 3904 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3905 struct sctp_fwdtsn_skip *skip; 3906 __u16 len; 3907 __u32 tsn; 3908 3909 if (!sctp_vtag_verify(chunk, asoc)) { 3910 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3911 SCTP_NULL()); 3912 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3913 } 3914 3915 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3916 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3917 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3918 commands); 3919 3920 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3921 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3922 len = ntohs(chunk->chunk_hdr->length); 3923 len -= sizeof(struct sctp_chunkhdr); 3924 skb_pull(chunk->skb, len); 3925 3926 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3927 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 3928 3929 /* The TSN is too high--silently discard the chunk and count on it 3930 * getting retransmitted later. 3931 */ 3932 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3933 goto gen_shutdown; 3934 3935 /* Silently discard the chunk if stream-id is not valid */ 3936 sctp_walk_fwdtsn(skip, chunk) { 3937 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3938 goto gen_shutdown; 3939 } 3940 3941 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3942 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3943 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3944 SCTP_CHUNK(chunk)); 3945 3946 /* Go a head and force a SACK, since we are shutting down. */ 3947 gen_shutdown: 3948 /* Implementor's Guide. 3949 * 3950 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3951 * respond to each received packet containing one or more DATA chunk(s) 3952 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3953 */ 3954 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3955 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3956 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3957 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3958 3959 return SCTP_DISPOSITION_CONSUME; 3960 } 3961 3962 /* 3963 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 3964 * 3965 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3966 * Identifier field. If this algorithm was not specified by the 3967 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3968 * during association setup, the AUTH chunk and all chunks after it MUST 3969 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3970 * defined in Section 4.1. 3971 * 3972 * If an endpoint with no shared key receives a Shared Key Identifier 3973 * other than 0, it MUST silently discard all authenticated chunks. If 3974 * the endpoint has at least one endpoint pair shared key for the peer, 3975 * it MUST use the key specified by the Shared Key Identifier if a 3976 * key has been configured for that Shared Key Identifier. If no 3977 * endpoint pair shared key has been configured for that Shared Key 3978 * Identifier, all authenticated chunks MUST be silently discarded. 3979 * 3980 * Verification Tag: 8.5 Verification Tag [Normal verification] 3981 * 3982 * The return value is the disposition of the chunk. 3983 */ 3984 static sctp_ierror_t sctp_sf_authenticate(struct net *net, 3985 const struct sctp_endpoint *ep, 3986 const struct sctp_association *asoc, 3987 const sctp_subtype_t type, 3988 struct sctp_chunk *chunk) 3989 { 3990 struct sctp_authhdr *auth_hdr; 3991 struct sctp_hmac *hmac; 3992 unsigned int sig_len; 3993 __u16 key_id; 3994 __u8 *save_digest; 3995 __u8 *digest; 3996 3997 /* Pull in the auth header, so we can do some more verification */ 3998 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3999 chunk->subh.auth_hdr = auth_hdr; 4000 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 4001 4002 /* Make sure that we support the HMAC algorithm from the auth 4003 * chunk. 4004 */ 4005 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4006 return SCTP_IERROR_AUTH_BAD_HMAC; 4007 4008 /* Make sure that the provided shared key identifier has been 4009 * configured 4010 */ 4011 key_id = ntohs(auth_hdr->shkey_id); 4012 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 4013 return SCTP_IERROR_AUTH_BAD_KEYID; 4014 4015 4016 /* Make sure that the length of the signature matches what 4017 * we expect. 4018 */ 4019 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 4020 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4021 if (sig_len != hmac->hmac_len) 4022 return SCTP_IERROR_PROTO_VIOLATION; 4023 4024 /* Now that we've done validation checks, we can compute and 4025 * verify the hmac. The steps involved are: 4026 * 1. Save the digest from the chunk. 4027 * 2. Zero out the digest in the chunk. 4028 * 3. Compute the new digest 4029 * 4. Compare saved and new digests. 4030 */ 4031 digest = auth_hdr->hmac; 4032 skb_pull(chunk->skb, sig_len); 4033 4034 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4035 if (!save_digest) 4036 goto nomem; 4037 4038 memset(digest, 0, sig_len); 4039 4040 sctp_auth_calculate_hmac(asoc, chunk->skb, 4041 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4042 GFP_ATOMIC); 4043 4044 /* Discard the packet if the digests do not match */ 4045 if (memcmp(save_digest, digest, sig_len)) { 4046 kfree(save_digest); 4047 return SCTP_IERROR_BAD_SIG; 4048 } 4049 4050 kfree(save_digest); 4051 chunk->auth = 1; 4052 4053 return SCTP_IERROR_NO_ERROR; 4054 nomem: 4055 return SCTP_IERROR_NOMEM; 4056 } 4057 4058 sctp_disposition_t sctp_sf_eat_auth(struct net *net, 4059 const struct sctp_endpoint *ep, 4060 const struct sctp_association *asoc, 4061 const sctp_subtype_t type, 4062 void *arg, 4063 sctp_cmd_seq_t *commands) 4064 { 4065 struct sctp_authhdr *auth_hdr; 4066 struct sctp_chunk *chunk = arg; 4067 struct sctp_chunk *err_chunk; 4068 sctp_ierror_t error; 4069 4070 /* Make sure that the peer has AUTH capable */ 4071 if (!asoc->peer.auth_capable) 4072 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4073 4074 if (!sctp_vtag_verify(chunk, asoc)) { 4075 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4076 SCTP_NULL()); 4077 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4078 } 4079 4080 /* Make sure that the AUTH chunk has valid length. */ 4081 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4082 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4083 commands); 4084 4085 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4086 error = sctp_sf_authenticate(net, ep, asoc, type, chunk); 4087 switch (error) { 4088 case SCTP_IERROR_AUTH_BAD_HMAC: 4089 /* Generate the ERROR chunk and discard the rest 4090 * of the packet 4091 */ 4092 err_chunk = sctp_make_op_error(asoc, chunk, 4093 SCTP_ERROR_UNSUP_HMAC, 4094 &auth_hdr->hmac_id, 4095 sizeof(__u16), 0); 4096 if (err_chunk) { 4097 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4098 SCTP_CHUNK(err_chunk)); 4099 } 4100 /* Fall Through */ 4101 case SCTP_IERROR_AUTH_BAD_KEYID: 4102 case SCTP_IERROR_BAD_SIG: 4103 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4104 4105 case SCTP_IERROR_PROTO_VIOLATION: 4106 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4107 commands); 4108 4109 case SCTP_IERROR_NOMEM: 4110 return SCTP_DISPOSITION_NOMEM; 4111 4112 default: /* Prevent gcc warnings */ 4113 break; 4114 } 4115 4116 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4117 struct sctp_ulpevent *ev; 4118 4119 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4120 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 4121 4122 if (!ev) 4123 return -ENOMEM; 4124 4125 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4126 SCTP_ULPEVENT(ev)); 4127 } 4128 4129 return SCTP_DISPOSITION_CONSUME; 4130 } 4131 4132 /* 4133 * Process an unknown chunk. 4134 * 4135 * Section: 3.2. Also, 2.1 in the implementor's guide. 4136 * 4137 * Chunk Types are encoded such that the highest-order two bits specify 4138 * the action that must be taken if the processing endpoint does not 4139 * recognize the Chunk Type. 4140 * 4141 * 00 - Stop processing this SCTP packet and discard it, do not process 4142 * any further chunks within it. 4143 * 4144 * 01 - Stop processing this SCTP packet and discard it, do not process 4145 * any further chunks within it, and report the unrecognized 4146 * chunk in an 'Unrecognized Chunk Type'. 4147 * 4148 * 10 - Skip this chunk and continue processing. 4149 * 4150 * 11 - Skip this chunk and continue processing, but report in an ERROR 4151 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4152 * 4153 * The return value is the disposition of the chunk. 4154 */ 4155 sctp_disposition_t sctp_sf_unk_chunk(struct net *net, 4156 const struct sctp_endpoint *ep, 4157 const struct sctp_association *asoc, 4158 const sctp_subtype_t type, 4159 void *arg, 4160 sctp_cmd_seq_t *commands) 4161 { 4162 struct sctp_chunk *unk_chunk = arg; 4163 struct sctp_chunk *err_chunk; 4164 sctp_chunkhdr_t *hdr; 4165 4166 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4167 4168 if (!sctp_vtag_verify(unk_chunk, asoc)) 4169 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4170 4171 /* Make sure that the chunk has a valid length. 4172 * Since we don't know the chunk type, we use a general 4173 * chunkhdr structure to make a comparison. 4174 */ 4175 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 4176 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4177 commands); 4178 4179 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4180 case SCTP_CID_ACTION_DISCARD: 4181 /* Discard the packet. */ 4182 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4183 case SCTP_CID_ACTION_DISCARD_ERR: 4184 /* Generate an ERROR chunk as response. */ 4185 hdr = unk_chunk->chunk_hdr; 4186 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4187 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4188 WORD_ROUND(ntohs(hdr->length)), 4189 0); 4190 if (err_chunk) { 4191 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4192 SCTP_CHUNK(err_chunk)); 4193 } 4194 4195 /* Discard the packet. */ 4196 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4197 return SCTP_DISPOSITION_CONSUME; 4198 case SCTP_CID_ACTION_SKIP: 4199 /* Skip the chunk. */ 4200 return SCTP_DISPOSITION_DISCARD; 4201 case SCTP_CID_ACTION_SKIP_ERR: 4202 /* Generate an ERROR chunk as response. */ 4203 hdr = unk_chunk->chunk_hdr; 4204 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4205 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4206 WORD_ROUND(ntohs(hdr->length)), 4207 0); 4208 if (err_chunk) { 4209 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4210 SCTP_CHUNK(err_chunk)); 4211 } 4212 /* Skip the chunk. */ 4213 return SCTP_DISPOSITION_CONSUME; 4214 default: 4215 break; 4216 } 4217 4218 return SCTP_DISPOSITION_DISCARD; 4219 } 4220 4221 /* 4222 * Discard the chunk. 4223 * 4224 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4225 * [Too numerous to mention...] 4226 * Verification Tag: No verification needed. 4227 * Inputs 4228 * (endpoint, asoc, chunk) 4229 * 4230 * Outputs 4231 * (asoc, reply_msg, msg_up, timers, counters) 4232 * 4233 * The return value is the disposition of the chunk. 4234 */ 4235 sctp_disposition_t sctp_sf_discard_chunk(struct net *net, 4236 const struct sctp_endpoint *ep, 4237 const struct sctp_association *asoc, 4238 const sctp_subtype_t type, 4239 void *arg, 4240 sctp_cmd_seq_t *commands) 4241 { 4242 struct sctp_chunk *chunk = arg; 4243 4244 /* Make sure that the chunk has a valid length. 4245 * Since we don't know the chunk type, we use a general 4246 * chunkhdr structure to make a comparison. 4247 */ 4248 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4249 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4250 commands); 4251 4252 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4253 4254 return SCTP_DISPOSITION_DISCARD; 4255 } 4256 4257 /* 4258 * Discard the whole packet. 4259 * 4260 * Section: 8.4 2) 4261 * 4262 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4263 * silently discard the OOTB packet and take no further action. 4264 * 4265 * Verification Tag: No verification necessary 4266 * 4267 * Inputs 4268 * (endpoint, asoc, chunk) 4269 * 4270 * Outputs 4271 * (asoc, reply_msg, msg_up, timers, counters) 4272 * 4273 * The return value is the disposition of the chunk. 4274 */ 4275 sctp_disposition_t sctp_sf_pdiscard(struct net *net, 4276 const struct sctp_endpoint *ep, 4277 const struct sctp_association *asoc, 4278 const sctp_subtype_t type, 4279 void *arg, 4280 sctp_cmd_seq_t *commands) 4281 { 4282 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4283 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4284 4285 return SCTP_DISPOSITION_CONSUME; 4286 } 4287 4288 4289 /* 4290 * The other end is violating protocol. 4291 * 4292 * Section: Not specified 4293 * Verification Tag: Not specified 4294 * Inputs 4295 * (endpoint, asoc, chunk) 4296 * 4297 * Outputs 4298 * (asoc, reply_msg, msg_up, timers, counters) 4299 * 4300 * We simply tag the chunk as a violation. The state machine will log 4301 * the violation and continue. 4302 */ 4303 sctp_disposition_t sctp_sf_violation(struct net *net, 4304 const struct sctp_endpoint *ep, 4305 const struct sctp_association *asoc, 4306 const sctp_subtype_t type, 4307 void *arg, 4308 sctp_cmd_seq_t *commands) 4309 { 4310 struct sctp_chunk *chunk = arg; 4311 4312 /* Make sure that the chunk has a valid length. */ 4313 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4314 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4315 commands); 4316 4317 return SCTP_DISPOSITION_VIOLATION; 4318 } 4319 4320 /* 4321 * Common function to handle a protocol violation. 4322 */ 4323 static sctp_disposition_t sctp_sf_abort_violation( 4324 struct net *net, 4325 const struct sctp_endpoint *ep, 4326 const struct sctp_association *asoc, 4327 void *arg, 4328 sctp_cmd_seq_t *commands, 4329 const __u8 *payload, 4330 const size_t paylen) 4331 { 4332 struct sctp_packet *packet = NULL; 4333 struct sctp_chunk *chunk = arg; 4334 struct sctp_chunk *abort = NULL; 4335 4336 /* SCTP-AUTH, Section 6.3: 4337 * It should be noted that if the receiver wants to tear 4338 * down an association in an authenticated way only, the 4339 * handling of malformed packets should not result in 4340 * tearing down the association. 4341 * 4342 * This means that if we only want to abort associations 4343 * in an authenticated way (i.e AUTH+ABORT), then we 4344 * can't destroy this association just because the packet 4345 * was malformed. 4346 */ 4347 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4348 goto discard; 4349 4350 /* Make the abort chunk. */ 4351 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4352 if (!abort) 4353 goto nomem; 4354 4355 if (asoc) { 4356 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4357 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4358 !asoc->peer.i.init_tag) { 4359 sctp_initack_chunk_t *initack; 4360 4361 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 4362 if (!sctp_chunk_length_valid(chunk, 4363 sizeof(sctp_initack_chunk_t))) 4364 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4365 else { 4366 unsigned int inittag; 4367 4368 inittag = ntohl(initack->init_hdr.init_tag); 4369 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4370 SCTP_U32(inittag)); 4371 } 4372 } 4373 4374 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4375 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4376 4377 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4378 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4379 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4380 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4381 SCTP_ERROR(ECONNREFUSED)); 4382 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4383 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4384 } else { 4385 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4386 SCTP_ERROR(ECONNABORTED)); 4387 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4388 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4389 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4390 } 4391 } else { 4392 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4393 4394 if (!packet) 4395 goto nomem_pkt; 4396 4397 if (sctp_test_T_bit(abort)) 4398 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4399 4400 abort->skb->sk = ep->base.sk; 4401 4402 sctp_packet_append_chunk(packet, abort); 4403 4404 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4405 SCTP_PACKET(packet)); 4406 4407 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4408 } 4409 4410 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4411 4412 discard: 4413 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4414 return SCTP_DISPOSITION_ABORT; 4415 4416 nomem_pkt: 4417 sctp_chunk_free(abort); 4418 nomem: 4419 return SCTP_DISPOSITION_NOMEM; 4420 } 4421 4422 /* 4423 * Handle a protocol violation when the chunk length is invalid. 4424 * "Invalid" length is identified as smaller than the minimal length a 4425 * given chunk can be. For example, a SACK chunk has invalid length 4426 * if its length is set to be smaller than the size of sctp_sack_chunk_t. 4427 * 4428 * We inform the other end by sending an ABORT with a Protocol Violation 4429 * error code. 4430 * 4431 * Section: Not specified 4432 * Verification Tag: Nothing to do 4433 * Inputs 4434 * (endpoint, asoc, chunk) 4435 * 4436 * Outputs 4437 * (reply_msg, msg_up, counters) 4438 * 4439 * Generate an ABORT chunk and terminate the association. 4440 */ 4441 static sctp_disposition_t sctp_sf_violation_chunklen( 4442 struct net *net, 4443 const struct sctp_endpoint *ep, 4444 const struct sctp_association *asoc, 4445 const sctp_subtype_t type, 4446 void *arg, 4447 sctp_cmd_seq_t *commands) 4448 { 4449 static const char err_str[] = "The following chunk had invalid length:"; 4450 4451 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4452 sizeof(err_str)); 4453 } 4454 4455 /* 4456 * Handle a protocol violation when the parameter length is invalid. 4457 * If the length is smaller than the minimum length of a given parameter, 4458 * or accumulated length in multi parameters exceeds the end of the chunk, 4459 * the length is considered as invalid. 4460 */ 4461 static sctp_disposition_t sctp_sf_violation_paramlen( 4462 struct net *net, 4463 const struct sctp_endpoint *ep, 4464 const struct sctp_association *asoc, 4465 const sctp_subtype_t type, 4466 void *arg, void *ext, 4467 sctp_cmd_seq_t *commands) 4468 { 4469 struct sctp_chunk *chunk = arg; 4470 struct sctp_paramhdr *param = ext; 4471 struct sctp_chunk *abort = NULL; 4472 4473 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4474 goto discard; 4475 4476 /* Make the abort chunk. */ 4477 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4478 if (!abort) 4479 goto nomem; 4480 4481 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4482 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4483 4484 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4485 SCTP_ERROR(ECONNABORTED)); 4486 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4487 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4488 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4489 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4490 4491 discard: 4492 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4493 return SCTP_DISPOSITION_ABORT; 4494 nomem: 4495 return SCTP_DISPOSITION_NOMEM; 4496 } 4497 4498 /* Handle a protocol violation when the peer trying to advance the 4499 * cumulative tsn ack to a point beyond the max tsn currently sent. 4500 * 4501 * We inform the other end by sending an ABORT with a Protocol Violation 4502 * error code. 4503 */ 4504 static sctp_disposition_t sctp_sf_violation_ctsn( 4505 struct net *net, 4506 const struct sctp_endpoint *ep, 4507 const struct sctp_association *asoc, 4508 const sctp_subtype_t type, 4509 void *arg, 4510 sctp_cmd_seq_t *commands) 4511 { 4512 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4513 4514 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4515 sizeof(err_str)); 4516 } 4517 4518 /* Handle protocol violation of an invalid chunk bundling. For example, 4519 * when we have an association and we receive bundled INIT-ACK, or 4520 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4521 * statement from the specs. Additionally, there might be an attacker 4522 * on the path and we may not want to continue this communication. 4523 */ 4524 static sctp_disposition_t sctp_sf_violation_chunk( 4525 struct net *net, 4526 const struct sctp_endpoint *ep, 4527 const struct sctp_association *asoc, 4528 const sctp_subtype_t type, 4529 void *arg, 4530 sctp_cmd_seq_t *commands) 4531 { 4532 static const char err_str[] = "The following chunk violates protocol:"; 4533 4534 if (!asoc) 4535 return sctp_sf_violation(net, ep, asoc, type, arg, commands); 4536 4537 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4538 sizeof(err_str)); 4539 } 4540 /*************************************************************************** 4541 * These are the state functions for handling primitive (Section 10) events. 4542 ***************************************************************************/ 4543 /* 4544 * sctp_sf_do_prm_asoc 4545 * 4546 * Section: 10.1 ULP-to-SCTP 4547 * B) Associate 4548 * 4549 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4550 * outbound stream count) 4551 * -> association id [,destination transport addr list] [,outbound stream 4552 * count] 4553 * 4554 * This primitive allows the upper layer to initiate an association to a 4555 * specific peer endpoint. 4556 * 4557 * The peer endpoint shall be specified by one of the transport addresses 4558 * which defines the endpoint (see Section 1.4). If the local SCTP 4559 * instance has not been initialized, the ASSOCIATE is considered an 4560 * error. 4561 * [This is not relevant for the kernel implementation since we do all 4562 * initialization at boot time. It we hadn't initialized we wouldn't 4563 * get anywhere near this code.] 4564 * 4565 * An association id, which is a local handle to the SCTP association, 4566 * will be returned on successful establishment of the association. If 4567 * SCTP is not able to open an SCTP association with the peer endpoint, 4568 * an error is returned. 4569 * [In the kernel implementation, the struct sctp_association needs to 4570 * be created BEFORE causing this primitive to run.] 4571 * 4572 * Other association parameters may be returned, including the 4573 * complete destination transport addresses of the peer as well as the 4574 * outbound stream count of the local endpoint. One of the transport 4575 * address from the returned destination addresses will be selected by 4576 * the local endpoint as default primary path for sending SCTP packets 4577 * to this peer. The returned "destination transport addr list" can 4578 * be used by the ULP to change the default primary path or to force 4579 * sending a packet to a specific transport address. [All of this 4580 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4581 * function.] 4582 * 4583 * Mandatory attributes: 4584 * 4585 * o local SCTP instance name - obtained from the INITIALIZE operation. 4586 * [This is the argument asoc.] 4587 * o destination transport addr - specified as one of the transport 4588 * addresses of the peer endpoint with which the association is to be 4589 * established. 4590 * [This is asoc->peer.active_path.] 4591 * o outbound stream count - the number of outbound streams the ULP 4592 * would like to open towards this peer endpoint. 4593 * [BUG: This is not currently implemented.] 4594 * Optional attributes: 4595 * 4596 * None. 4597 * 4598 * The return value is a disposition. 4599 */ 4600 sctp_disposition_t sctp_sf_do_prm_asoc(struct net *net, 4601 const struct sctp_endpoint *ep, 4602 const struct sctp_association *asoc, 4603 const sctp_subtype_t type, 4604 void *arg, 4605 sctp_cmd_seq_t *commands) 4606 { 4607 struct sctp_chunk *repl; 4608 struct sctp_association *my_asoc; 4609 4610 /* The comment below says that we enter COOKIE-WAIT AFTER 4611 * sending the INIT, but that doesn't actually work in our 4612 * implementation... 4613 */ 4614 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4615 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4616 4617 /* RFC 2960 5.1 Normal Establishment of an Association 4618 * 4619 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4620 * must provide its Verification Tag (Tag_A) in the Initiate 4621 * Tag field. Tag_A SHOULD be a random number in the range of 4622 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4623 */ 4624 4625 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4626 if (!repl) 4627 goto nomem; 4628 4629 /* Choose transport for INIT. */ 4630 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4631 SCTP_CHUNK(repl)); 4632 4633 /* Cast away the const modifier, as we want to just 4634 * rerun it through as a sideffect. 4635 */ 4636 my_asoc = (struct sctp_association *)asoc; 4637 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4638 4639 /* After sending the INIT, "A" starts the T1-init timer and 4640 * enters the COOKIE-WAIT state. 4641 */ 4642 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4643 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4644 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4645 return SCTP_DISPOSITION_CONSUME; 4646 4647 nomem: 4648 return SCTP_DISPOSITION_NOMEM; 4649 } 4650 4651 /* 4652 * Process the SEND primitive. 4653 * 4654 * Section: 10.1 ULP-to-SCTP 4655 * E) Send 4656 * 4657 * Format: SEND(association id, buffer address, byte count [,context] 4658 * [,stream id] [,life time] [,destination transport address] 4659 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4660 * -> result 4661 * 4662 * This is the main method to send user data via SCTP. 4663 * 4664 * Mandatory attributes: 4665 * 4666 * o association id - local handle to the SCTP association 4667 * 4668 * o buffer address - the location where the user message to be 4669 * transmitted is stored; 4670 * 4671 * o byte count - The size of the user data in number of bytes; 4672 * 4673 * Optional attributes: 4674 * 4675 * o context - an optional 32 bit integer that will be carried in the 4676 * sending failure notification to the ULP if the transportation of 4677 * this User Message fails. 4678 * 4679 * o stream id - to indicate which stream to send the data on. If not 4680 * specified, stream 0 will be used. 4681 * 4682 * o life time - specifies the life time of the user data. The user data 4683 * will not be sent by SCTP after the life time expires. This 4684 * parameter can be used to avoid efforts to transmit stale 4685 * user messages. SCTP notifies the ULP if the data cannot be 4686 * initiated to transport (i.e. sent to the destination via SCTP's 4687 * send primitive) within the life time variable. However, the 4688 * user data will be transmitted if SCTP has attempted to transmit a 4689 * chunk before the life time expired. 4690 * 4691 * o destination transport address - specified as one of the destination 4692 * transport addresses of the peer endpoint to which this packet 4693 * should be sent. Whenever possible, SCTP should use this destination 4694 * transport address for sending the packets, instead of the current 4695 * primary path. 4696 * 4697 * o unorder flag - this flag, if present, indicates that the user 4698 * would like the data delivered in an unordered fashion to the peer 4699 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4700 * message). 4701 * 4702 * o no-bundle flag - instructs SCTP not to bundle this user data with 4703 * other outbound DATA chunks. SCTP MAY still bundle even when 4704 * this flag is present, when faced with network congestion. 4705 * 4706 * o payload protocol-id - A 32 bit unsigned integer that is to be 4707 * passed to the peer indicating the type of payload protocol data 4708 * being transmitted. This value is passed as opaque data by SCTP. 4709 * 4710 * The return value is the disposition. 4711 */ 4712 sctp_disposition_t sctp_sf_do_prm_send(struct net *net, 4713 const struct sctp_endpoint *ep, 4714 const struct sctp_association *asoc, 4715 const sctp_subtype_t type, 4716 void *arg, 4717 sctp_cmd_seq_t *commands) 4718 { 4719 struct sctp_datamsg *msg = arg; 4720 4721 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4722 return SCTP_DISPOSITION_CONSUME; 4723 } 4724 4725 /* 4726 * Process the SHUTDOWN primitive. 4727 * 4728 * Section: 10.1: 4729 * C) Shutdown 4730 * 4731 * Format: SHUTDOWN(association id) 4732 * -> result 4733 * 4734 * Gracefully closes an association. Any locally queued user data 4735 * will be delivered to the peer. The association will be terminated only 4736 * after the peer acknowledges all the SCTP packets sent. A success code 4737 * will be returned on successful termination of the association. If 4738 * attempting to terminate the association results in a failure, an error 4739 * code shall be returned. 4740 * 4741 * Mandatory attributes: 4742 * 4743 * o association id - local handle to the SCTP association 4744 * 4745 * Optional attributes: 4746 * 4747 * None. 4748 * 4749 * The return value is the disposition. 4750 */ 4751 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4752 struct net *net, 4753 const struct sctp_endpoint *ep, 4754 const struct sctp_association *asoc, 4755 const sctp_subtype_t type, 4756 void *arg, 4757 sctp_cmd_seq_t *commands) 4758 { 4759 int disposition; 4760 4761 /* From 9.2 Shutdown of an Association 4762 * Upon receipt of the SHUTDOWN primitive from its upper 4763 * layer, the endpoint enters SHUTDOWN-PENDING state and 4764 * remains there until all outstanding data has been 4765 * acknowledged by its peer. The endpoint accepts no new data 4766 * from its upper layer, but retransmits data to the far end 4767 * if necessary to fill gaps. 4768 */ 4769 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4770 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4771 4772 disposition = SCTP_DISPOSITION_CONSUME; 4773 if (sctp_outq_is_empty(&asoc->outqueue)) { 4774 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 4775 arg, commands); 4776 } 4777 return disposition; 4778 } 4779 4780 /* 4781 * Process the ABORT primitive. 4782 * 4783 * Section: 10.1: 4784 * C) Abort 4785 * 4786 * Format: Abort(association id [, cause code]) 4787 * -> result 4788 * 4789 * Ungracefully closes an association. Any locally queued user data 4790 * will be discarded and an ABORT chunk is sent to the peer. A success code 4791 * will be returned on successful abortion of the association. If 4792 * attempting to abort the association results in a failure, an error 4793 * code shall be returned. 4794 * 4795 * Mandatory attributes: 4796 * 4797 * o association id - local handle to the SCTP association 4798 * 4799 * Optional attributes: 4800 * 4801 * o cause code - reason of the abort to be passed to the peer 4802 * 4803 * None. 4804 * 4805 * The return value is the disposition. 4806 */ 4807 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4808 struct net *net, 4809 const struct sctp_endpoint *ep, 4810 const struct sctp_association *asoc, 4811 const sctp_subtype_t type, 4812 void *arg, 4813 sctp_cmd_seq_t *commands) 4814 { 4815 /* From 9.1 Abort of an Association 4816 * Upon receipt of the ABORT primitive from its upper 4817 * layer, the endpoint enters CLOSED state and 4818 * discard all outstanding data has been 4819 * acknowledged by its peer. The endpoint accepts no new data 4820 * from its upper layer, but retransmits data to the far end 4821 * if necessary to fill gaps. 4822 */ 4823 struct sctp_chunk *abort = arg; 4824 4825 if (abort) 4826 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4827 4828 /* Even if we can't send the ABORT due to low memory delete the 4829 * TCB. This is a departure from our typical NOMEM handling. 4830 */ 4831 4832 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4833 SCTP_ERROR(ECONNABORTED)); 4834 /* Delete the established association. */ 4835 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4836 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4837 4838 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4839 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4840 4841 return SCTP_DISPOSITION_ABORT; 4842 } 4843 4844 /* We tried an illegal operation on an association which is closed. */ 4845 sctp_disposition_t sctp_sf_error_closed(struct net *net, 4846 const struct sctp_endpoint *ep, 4847 const struct sctp_association *asoc, 4848 const sctp_subtype_t type, 4849 void *arg, 4850 sctp_cmd_seq_t *commands) 4851 { 4852 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4853 return SCTP_DISPOSITION_CONSUME; 4854 } 4855 4856 /* We tried an illegal operation on an association which is shutting 4857 * down. 4858 */ 4859 sctp_disposition_t sctp_sf_error_shutdown(struct net *net, 4860 const struct sctp_endpoint *ep, 4861 const struct sctp_association *asoc, 4862 const sctp_subtype_t type, 4863 void *arg, 4864 sctp_cmd_seq_t *commands) 4865 { 4866 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4867 SCTP_ERROR(-ESHUTDOWN)); 4868 return SCTP_DISPOSITION_CONSUME; 4869 } 4870 4871 /* 4872 * sctp_cookie_wait_prm_shutdown 4873 * 4874 * Section: 4 Note: 2 4875 * Verification Tag: 4876 * Inputs 4877 * (endpoint, asoc) 4878 * 4879 * The RFC does not explicitly address this issue, but is the route through the 4880 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4881 * 4882 * Outputs 4883 * (timers) 4884 */ 4885 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4886 struct net *net, 4887 const struct sctp_endpoint *ep, 4888 const struct sctp_association *asoc, 4889 const sctp_subtype_t type, 4890 void *arg, 4891 sctp_cmd_seq_t *commands) 4892 { 4893 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4894 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4895 4896 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4897 SCTP_STATE(SCTP_STATE_CLOSED)); 4898 4899 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 4900 4901 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4902 4903 return SCTP_DISPOSITION_DELETE_TCB; 4904 } 4905 4906 /* 4907 * sctp_cookie_echoed_prm_shutdown 4908 * 4909 * Section: 4 Note: 2 4910 * Verification Tag: 4911 * Inputs 4912 * (endpoint, asoc) 4913 * 4914 * The RFC does not explcitly address this issue, but is the route through the 4915 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4916 * 4917 * Outputs 4918 * (timers) 4919 */ 4920 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4921 struct net *net, 4922 const struct sctp_endpoint *ep, 4923 const struct sctp_association *asoc, 4924 const sctp_subtype_t type, 4925 void *arg, sctp_cmd_seq_t *commands) 4926 { 4927 /* There is a single T1 timer, so we should be able to use 4928 * common function with the COOKIE-WAIT state. 4929 */ 4930 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 4931 } 4932 4933 /* 4934 * sctp_sf_cookie_wait_prm_abort 4935 * 4936 * Section: 4 Note: 2 4937 * Verification Tag: 4938 * Inputs 4939 * (endpoint, asoc) 4940 * 4941 * The RFC does not explicitly address this issue, but is the route through the 4942 * state table when someone issues an abort while in COOKIE_WAIT state. 4943 * 4944 * Outputs 4945 * (timers) 4946 */ 4947 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4948 struct net *net, 4949 const struct sctp_endpoint *ep, 4950 const struct sctp_association *asoc, 4951 const sctp_subtype_t type, 4952 void *arg, 4953 sctp_cmd_seq_t *commands) 4954 { 4955 struct sctp_chunk *abort = arg; 4956 4957 /* Stop T1-init timer */ 4958 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4959 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4960 4961 if (abort) 4962 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4963 4964 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4965 SCTP_STATE(SCTP_STATE_CLOSED)); 4966 4967 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4968 4969 /* Even if we can't send the ABORT due to low memory delete the 4970 * TCB. This is a departure from our typical NOMEM handling. 4971 */ 4972 4973 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4974 SCTP_ERROR(ECONNREFUSED)); 4975 /* Delete the established association. */ 4976 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4977 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4978 4979 return SCTP_DISPOSITION_ABORT; 4980 } 4981 4982 /* 4983 * sctp_sf_cookie_echoed_prm_abort 4984 * 4985 * Section: 4 Note: 3 4986 * Verification Tag: 4987 * Inputs 4988 * (endpoint, asoc) 4989 * 4990 * The RFC does not explcitly address this issue, but is the route through the 4991 * state table when someone issues an abort while in COOKIE_ECHOED state. 4992 * 4993 * Outputs 4994 * (timers) 4995 */ 4996 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4997 struct net *net, 4998 const struct sctp_endpoint *ep, 4999 const struct sctp_association *asoc, 5000 const sctp_subtype_t type, 5001 void *arg, 5002 sctp_cmd_seq_t *commands) 5003 { 5004 /* There is a single T1 timer, so we should be able to use 5005 * common function with the COOKIE-WAIT state. 5006 */ 5007 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5008 } 5009 5010 /* 5011 * sctp_sf_shutdown_pending_prm_abort 5012 * 5013 * Inputs 5014 * (endpoint, asoc) 5015 * 5016 * The RFC does not explicitly address this issue, but is the route through the 5017 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5018 * 5019 * Outputs 5020 * (timers) 5021 */ 5022 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 5023 struct net *net, 5024 const struct sctp_endpoint *ep, 5025 const struct sctp_association *asoc, 5026 const sctp_subtype_t type, 5027 void *arg, 5028 sctp_cmd_seq_t *commands) 5029 { 5030 /* Stop the T5-shutdown guard timer. */ 5031 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5032 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5033 5034 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5035 } 5036 5037 /* 5038 * sctp_sf_shutdown_sent_prm_abort 5039 * 5040 * Inputs 5041 * (endpoint, asoc) 5042 * 5043 * The RFC does not explicitly address this issue, but is the route through the 5044 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5045 * 5046 * Outputs 5047 * (timers) 5048 */ 5049 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 5050 struct net *net, 5051 const struct sctp_endpoint *ep, 5052 const struct sctp_association *asoc, 5053 const sctp_subtype_t type, 5054 void *arg, 5055 sctp_cmd_seq_t *commands) 5056 { 5057 /* Stop the T2-shutdown timer. */ 5058 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5059 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5060 5061 /* Stop the T5-shutdown guard timer. */ 5062 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5063 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5064 5065 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5066 } 5067 5068 /* 5069 * sctp_sf_cookie_echoed_prm_abort 5070 * 5071 * Inputs 5072 * (endpoint, asoc) 5073 * 5074 * The RFC does not explcitly address this issue, but is the route through the 5075 * state table when someone issues an abort while in COOKIE_ECHOED state. 5076 * 5077 * Outputs 5078 * (timers) 5079 */ 5080 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 5081 struct net *net, 5082 const struct sctp_endpoint *ep, 5083 const struct sctp_association *asoc, 5084 const sctp_subtype_t type, 5085 void *arg, 5086 sctp_cmd_seq_t *commands) 5087 { 5088 /* The same T2 timer, so we should be able to use 5089 * common function with the SHUTDOWN-SENT state. 5090 */ 5091 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5092 } 5093 5094 /* 5095 * Process the REQUESTHEARTBEAT primitive 5096 * 5097 * 10.1 ULP-to-SCTP 5098 * J) Request Heartbeat 5099 * 5100 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5101 * 5102 * -> result 5103 * 5104 * Instructs the local endpoint to perform a HeartBeat on the specified 5105 * destination transport address of the given association. The returned 5106 * result should indicate whether the transmission of the HEARTBEAT 5107 * chunk to the destination address is successful. 5108 * 5109 * Mandatory attributes: 5110 * 5111 * o association id - local handle to the SCTP association 5112 * 5113 * o destination transport address - the transport address of the 5114 * association on which a heartbeat should be issued. 5115 */ 5116 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 5117 struct net *net, 5118 const struct sctp_endpoint *ep, 5119 const struct sctp_association *asoc, 5120 const sctp_subtype_t type, 5121 void *arg, 5122 sctp_cmd_seq_t *commands) 5123 { 5124 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5125 (struct sctp_transport *)arg, commands)) 5126 return SCTP_DISPOSITION_NOMEM; 5127 5128 /* 5129 * RFC 2960 (bis), section 8.3 5130 * 5131 * D) Request an on-demand HEARTBEAT on a specific destination 5132 * transport address of a given association. 5133 * 5134 * The endpoint should increment the respective error counter of 5135 * the destination transport address each time a HEARTBEAT is sent 5136 * to that address and not acknowledged within one RTO. 5137 * 5138 */ 5139 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5140 SCTP_TRANSPORT(arg)); 5141 return SCTP_DISPOSITION_CONSUME; 5142 } 5143 5144 /* 5145 * ADDIP Section 4.1 ASCONF Chunk Procedures 5146 * When an endpoint has an ASCONF signaled change to be sent to the 5147 * remote endpoint it should do A1 to A9 5148 */ 5149 sctp_disposition_t sctp_sf_do_prm_asconf(struct net *net, 5150 const struct sctp_endpoint *ep, 5151 const struct sctp_association *asoc, 5152 const sctp_subtype_t type, 5153 void *arg, 5154 sctp_cmd_seq_t *commands) 5155 { 5156 struct sctp_chunk *chunk = arg; 5157 5158 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5159 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5160 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5161 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5162 return SCTP_DISPOSITION_CONSUME; 5163 } 5164 5165 /* 5166 * Ignore the primitive event 5167 * 5168 * The return value is the disposition of the primitive. 5169 */ 5170 sctp_disposition_t sctp_sf_ignore_primitive( 5171 struct net *net, 5172 const struct sctp_endpoint *ep, 5173 const struct sctp_association *asoc, 5174 const sctp_subtype_t type, 5175 void *arg, 5176 sctp_cmd_seq_t *commands) 5177 { 5178 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5179 type.primitive); 5180 5181 return SCTP_DISPOSITION_DISCARD; 5182 } 5183 5184 /*************************************************************************** 5185 * These are the state functions for the OTHER events. 5186 ***************************************************************************/ 5187 5188 /* 5189 * When the SCTP stack has no more user data to send or retransmit, this 5190 * notification is given to the user. Also, at the time when a user app 5191 * subscribes to this event, if there is no data to be sent or 5192 * retransmit, the stack will immediately send up this notification. 5193 */ 5194 sctp_disposition_t sctp_sf_do_no_pending_tsn( 5195 struct net *net, 5196 const struct sctp_endpoint *ep, 5197 const struct sctp_association *asoc, 5198 const sctp_subtype_t type, 5199 void *arg, 5200 sctp_cmd_seq_t *commands) 5201 { 5202 struct sctp_ulpevent *event; 5203 5204 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5205 if (!event) 5206 return SCTP_DISPOSITION_NOMEM; 5207 5208 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5209 5210 return SCTP_DISPOSITION_CONSUME; 5211 } 5212 5213 /* 5214 * Start the shutdown negotiation. 5215 * 5216 * From Section 9.2: 5217 * Once all its outstanding data has been acknowledged, the endpoint 5218 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5219 * TSN Ack field the last sequential TSN it has received from the peer. 5220 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5221 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5222 * with the updated last sequential TSN received from its peer. 5223 * 5224 * The return value is the disposition. 5225 */ 5226 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 5227 struct net *net, 5228 const struct sctp_endpoint *ep, 5229 const struct sctp_association *asoc, 5230 const sctp_subtype_t type, 5231 void *arg, 5232 sctp_cmd_seq_t *commands) 5233 { 5234 struct sctp_chunk *reply; 5235 5236 /* Once all its outstanding data has been acknowledged, the 5237 * endpoint shall send a SHUTDOWN chunk to its peer including 5238 * in the Cumulative TSN Ack field the last sequential TSN it 5239 * has received from the peer. 5240 */ 5241 reply = sctp_make_shutdown(asoc, NULL); 5242 if (!reply) 5243 goto nomem; 5244 5245 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5246 * T2-shutdown timer. 5247 */ 5248 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5249 5250 /* It shall then start the T2-shutdown timer */ 5251 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5252 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5253 5254 /* RFC 4960 Section 9.2 5255 * The sender of the SHUTDOWN MAY also start an overall guard timer 5256 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5257 */ 5258 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5259 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5260 5261 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5262 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5263 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5264 5265 /* and enter the SHUTDOWN-SENT state. */ 5266 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5267 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5268 5269 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5270 * 5271 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5272 * or SHUTDOWN-ACK. 5273 */ 5274 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5275 5276 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5277 5278 return SCTP_DISPOSITION_CONSUME; 5279 5280 nomem: 5281 return SCTP_DISPOSITION_NOMEM; 5282 } 5283 5284 /* 5285 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5286 * 5287 * From Section 9.2: 5288 * 5289 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5290 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5291 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5292 * endpoint must re-send the SHUTDOWN ACK. 5293 * 5294 * The return value is the disposition. 5295 */ 5296 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5297 struct net *net, 5298 const struct sctp_endpoint *ep, 5299 const struct sctp_association *asoc, 5300 const sctp_subtype_t type, 5301 void *arg, 5302 sctp_cmd_seq_t *commands) 5303 { 5304 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5305 struct sctp_chunk *reply; 5306 5307 /* There are 2 ways of getting here: 5308 * 1) called in response to a SHUTDOWN chunk 5309 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5310 * 5311 * For the case (2), the arg parameter is set to NULL. We need 5312 * to check that we have a chunk before accessing it's fields. 5313 */ 5314 if (chunk) { 5315 if (!sctp_vtag_verify(chunk, asoc)) 5316 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 5317 5318 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5319 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5320 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 5321 commands); 5322 } 5323 5324 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5325 * shall send a SHUTDOWN ACK ... 5326 */ 5327 reply = sctp_make_shutdown_ack(asoc, chunk); 5328 if (!reply) 5329 goto nomem; 5330 5331 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5332 * the T2-shutdown timer. 5333 */ 5334 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5335 5336 /* and start/restart a T2-shutdown timer of its own, */ 5337 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5338 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5339 5340 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5341 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5342 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5343 5344 /* Enter the SHUTDOWN-ACK-SENT state. */ 5345 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5346 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5347 5348 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5349 * 5350 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5351 * or SHUTDOWN-ACK. 5352 */ 5353 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5354 5355 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5356 5357 return SCTP_DISPOSITION_CONSUME; 5358 5359 nomem: 5360 return SCTP_DISPOSITION_NOMEM; 5361 } 5362 5363 /* 5364 * Ignore the event defined as other 5365 * 5366 * The return value is the disposition of the event. 5367 */ 5368 sctp_disposition_t sctp_sf_ignore_other(struct net *net, 5369 const struct sctp_endpoint *ep, 5370 const struct sctp_association *asoc, 5371 const sctp_subtype_t type, 5372 void *arg, 5373 sctp_cmd_seq_t *commands) 5374 { 5375 pr_debug("%s: the event other type:%d is ignored\n", 5376 __func__, type.other); 5377 5378 return SCTP_DISPOSITION_DISCARD; 5379 } 5380 5381 /************************************************************ 5382 * These are the state functions for handling timeout events. 5383 ************************************************************/ 5384 5385 /* 5386 * RTX Timeout 5387 * 5388 * Section: 6.3.3 Handle T3-rtx Expiration 5389 * 5390 * Whenever the retransmission timer T3-rtx expires for a destination 5391 * address, do the following: 5392 * [See below] 5393 * 5394 * The return value is the disposition of the chunk. 5395 */ 5396 sctp_disposition_t sctp_sf_do_6_3_3_rtx(struct net *net, 5397 const struct sctp_endpoint *ep, 5398 const struct sctp_association *asoc, 5399 const sctp_subtype_t type, 5400 void *arg, 5401 sctp_cmd_seq_t *commands) 5402 { 5403 struct sctp_transport *transport = arg; 5404 5405 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5406 5407 if (asoc->overall_error_count >= asoc->max_retrans) { 5408 if (asoc->peer.zero_window_announced && 5409 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5410 /* 5411 * We are here likely because the receiver had its rwnd 5412 * closed for a while and we have not been able to 5413 * transmit the locally queued data within the maximum 5414 * retransmission attempts limit. Start the T5 5415 * shutdown guard timer to give the receiver one last 5416 * chance and some additional time to recover before 5417 * aborting. 5418 */ 5419 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5420 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5421 } else { 5422 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5423 SCTP_ERROR(ETIMEDOUT)); 5424 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5425 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5426 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5427 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5428 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5429 return SCTP_DISPOSITION_DELETE_TCB; 5430 } 5431 } 5432 5433 /* E1) For the destination address for which the timer 5434 * expires, adjust its ssthresh with rules defined in Section 5435 * 7.2.3 and set the cwnd <- MTU. 5436 */ 5437 5438 /* E2) For the destination address for which the timer 5439 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5440 * maximum value discussed in rule C7 above (RTO.max) may be 5441 * used to provide an upper bound to this doubling operation. 5442 */ 5443 5444 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5445 * outstanding DATA chunks for the address for which the 5446 * T3-rtx has expired will fit into a single packet, subject 5447 * to the MTU constraint for the path corresponding to the 5448 * destination transport address to which the retransmission 5449 * is being sent (this may be different from the address for 5450 * which the timer expires [see Section 6.4]). Call this 5451 * value K. Bundle and retransmit those K DATA chunks in a 5452 * single packet to the destination endpoint. 5453 * 5454 * Note: Any DATA chunks that were sent to the address for 5455 * which the T3-rtx timer expired but did not fit in one MTU 5456 * (rule E3 above), should be marked for retransmission and 5457 * sent as soon as cwnd allows (normally when a SACK arrives). 5458 */ 5459 5460 /* Do some failure management (Section 8.2). */ 5461 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5462 5463 /* NB: Rules E4 and F1 are implicit in R1. */ 5464 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5465 5466 return SCTP_DISPOSITION_CONSUME; 5467 } 5468 5469 /* 5470 * Generate delayed SACK on timeout 5471 * 5472 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5473 * 5474 * The guidelines on delayed acknowledgement algorithm specified in 5475 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5476 * acknowledgement SHOULD be generated for at least every second packet 5477 * (not every second DATA chunk) received, and SHOULD be generated 5478 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5479 * some situations it may be beneficial for an SCTP transmitter to be 5480 * more conservative than the algorithms detailed in this document 5481 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5482 * the following algorithms allow. 5483 */ 5484 sctp_disposition_t sctp_sf_do_6_2_sack(struct net *net, 5485 const struct sctp_endpoint *ep, 5486 const struct sctp_association *asoc, 5487 const sctp_subtype_t type, 5488 void *arg, 5489 sctp_cmd_seq_t *commands) 5490 { 5491 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5492 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5493 return SCTP_DISPOSITION_CONSUME; 5494 } 5495 5496 /* 5497 * sctp_sf_t1_init_timer_expire 5498 * 5499 * Section: 4 Note: 2 5500 * Verification Tag: 5501 * Inputs 5502 * (endpoint, asoc) 5503 * 5504 * RFC 2960 Section 4 Notes 5505 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5506 * and re-start the T1-init timer without changing state. This MUST 5507 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5508 * endpoint MUST abort the initialization process and report the 5509 * error to SCTP user. 5510 * 5511 * Outputs 5512 * (timers, events) 5513 * 5514 */ 5515 sctp_disposition_t sctp_sf_t1_init_timer_expire(struct net *net, 5516 const struct sctp_endpoint *ep, 5517 const struct sctp_association *asoc, 5518 const sctp_subtype_t type, 5519 void *arg, 5520 sctp_cmd_seq_t *commands) 5521 { 5522 struct sctp_chunk *repl = NULL; 5523 struct sctp_bind_addr *bp; 5524 int attempts = asoc->init_err_counter + 1; 5525 5526 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5527 5528 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5529 5530 if (attempts <= asoc->max_init_attempts) { 5531 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5532 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5533 if (!repl) 5534 return SCTP_DISPOSITION_NOMEM; 5535 5536 /* Choose transport for INIT. */ 5537 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5538 SCTP_CHUNK(repl)); 5539 5540 /* Issue a sideeffect to do the needed accounting. */ 5541 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5542 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5543 5544 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5545 } else { 5546 pr_debug("%s: giving up on INIT, attempts:%d " 5547 "max_init_attempts:%d\n", __func__, attempts, 5548 asoc->max_init_attempts); 5549 5550 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5551 SCTP_ERROR(ETIMEDOUT)); 5552 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5553 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5554 return SCTP_DISPOSITION_DELETE_TCB; 5555 } 5556 5557 return SCTP_DISPOSITION_CONSUME; 5558 } 5559 5560 /* 5561 * sctp_sf_t1_cookie_timer_expire 5562 * 5563 * Section: 4 Note: 2 5564 * Verification Tag: 5565 * Inputs 5566 * (endpoint, asoc) 5567 * 5568 * RFC 2960 Section 4 Notes 5569 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5570 * COOKIE ECHO and re-start the T1-cookie timer without changing 5571 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5572 * After that, the endpoint MUST abort the initialization process and 5573 * report the error to SCTP user. 5574 * 5575 * Outputs 5576 * (timers, events) 5577 * 5578 */ 5579 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(struct net *net, 5580 const struct sctp_endpoint *ep, 5581 const struct sctp_association *asoc, 5582 const sctp_subtype_t type, 5583 void *arg, 5584 sctp_cmd_seq_t *commands) 5585 { 5586 struct sctp_chunk *repl = NULL; 5587 int attempts = asoc->init_err_counter + 1; 5588 5589 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5590 5591 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5592 5593 if (attempts <= asoc->max_init_attempts) { 5594 repl = sctp_make_cookie_echo(asoc, NULL); 5595 if (!repl) 5596 return SCTP_DISPOSITION_NOMEM; 5597 5598 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5599 SCTP_CHUNK(repl)); 5600 /* Issue a sideeffect to do the needed accounting. */ 5601 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5602 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5603 5604 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5605 } else { 5606 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5607 SCTP_ERROR(ETIMEDOUT)); 5608 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5609 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5610 return SCTP_DISPOSITION_DELETE_TCB; 5611 } 5612 5613 return SCTP_DISPOSITION_CONSUME; 5614 } 5615 5616 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5617 * with the updated last sequential TSN received from its peer. 5618 * 5619 * An endpoint should limit the number of retransmissions of the 5620 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5621 * If this threshold is exceeded the endpoint should destroy the TCB and 5622 * MUST report the peer endpoint unreachable to the upper layer (and 5623 * thus the association enters the CLOSED state). The reception of any 5624 * packet from its peer (i.e. as the peer sends all of its queued DATA 5625 * chunks) should clear the endpoint's retransmission count and restart 5626 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5627 * all of its queued DATA chunks that have not yet been sent. 5628 */ 5629 sctp_disposition_t sctp_sf_t2_timer_expire(struct net *net, 5630 const struct sctp_endpoint *ep, 5631 const struct sctp_association *asoc, 5632 const sctp_subtype_t type, 5633 void *arg, 5634 sctp_cmd_seq_t *commands) 5635 { 5636 struct sctp_chunk *reply = NULL; 5637 5638 pr_debug("%s: timer T2 expired\n", __func__); 5639 5640 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5641 5642 ((struct sctp_association *)asoc)->shutdown_retries++; 5643 5644 if (asoc->overall_error_count >= asoc->max_retrans) { 5645 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5646 SCTP_ERROR(ETIMEDOUT)); 5647 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5648 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5649 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5650 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5651 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5652 return SCTP_DISPOSITION_DELETE_TCB; 5653 } 5654 5655 switch (asoc->state) { 5656 case SCTP_STATE_SHUTDOWN_SENT: 5657 reply = sctp_make_shutdown(asoc, NULL); 5658 break; 5659 5660 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5661 reply = sctp_make_shutdown_ack(asoc, NULL); 5662 break; 5663 5664 default: 5665 BUG(); 5666 break; 5667 } 5668 5669 if (!reply) 5670 goto nomem; 5671 5672 /* Do some failure management (Section 8.2). 5673 * If we remove the transport an SHUTDOWN was last sent to, don't 5674 * do failure management. 5675 */ 5676 if (asoc->shutdown_last_sent_to) 5677 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5678 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5679 5680 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5681 * the T2-shutdown timer. 5682 */ 5683 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5684 5685 /* Restart the T2-shutdown timer. */ 5686 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5687 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5688 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5689 return SCTP_DISPOSITION_CONSUME; 5690 5691 nomem: 5692 return SCTP_DISPOSITION_NOMEM; 5693 } 5694 5695 /* 5696 * ADDIP Section 4.1 ASCONF CHunk Procedures 5697 * If the T4 RTO timer expires the endpoint should do B1 to B5 5698 */ 5699 sctp_disposition_t sctp_sf_t4_timer_expire( 5700 struct net *net, 5701 const struct sctp_endpoint *ep, 5702 const struct sctp_association *asoc, 5703 const sctp_subtype_t type, 5704 void *arg, 5705 sctp_cmd_seq_t *commands) 5706 { 5707 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5708 struct sctp_transport *transport = chunk->transport; 5709 5710 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 5711 5712 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5713 * detection on the appropriate destination address as defined in 5714 * RFC2960 [5] section 8.1 and 8.2. 5715 */ 5716 if (transport) 5717 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5718 SCTP_TRANSPORT(transport)); 5719 5720 /* Reconfig T4 timer and transport. */ 5721 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5722 5723 /* ADDIP 4.1 B2) Increment the association error counters and perform 5724 * endpoint failure detection on the association as defined in 5725 * RFC2960 [5] section 8.1 and 8.2. 5726 * association error counter is incremented in SCTP_CMD_STRIKE. 5727 */ 5728 if (asoc->overall_error_count >= asoc->max_retrans) { 5729 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5730 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5731 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5732 SCTP_ERROR(ETIMEDOUT)); 5733 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5734 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5735 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5736 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5737 return SCTP_DISPOSITION_ABORT; 5738 } 5739 5740 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5741 * the ASCONF chunk was sent by doubling the RTO timer value. 5742 * This is done in SCTP_CMD_STRIKE. 5743 */ 5744 5745 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5746 * choose an alternate destination address (please refer to RFC2960 5747 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5748 * chunk, it MUST be the same (including its serial number) as the last 5749 * ASCONF sent. 5750 */ 5751 sctp_chunk_hold(asoc->addip_last_asconf); 5752 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5753 SCTP_CHUNK(asoc->addip_last_asconf)); 5754 5755 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5756 * destination is selected, then the RTO used will be that of the new 5757 * destination address. 5758 */ 5759 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5760 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5761 5762 return SCTP_DISPOSITION_CONSUME; 5763 } 5764 5765 /* sctpimpguide-05 Section 2.12.2 5766 * The sender of the SHUTDOWN MAY also start an overall guard timer 5767 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5768 * At the expiration of this timer the sender SHOULD abort the association 5769 * by sending an ABORT chunk. 5770 */ 5771 sctp_disposition_t sctp_sf_t5_timer_expire(struct net *net, 5772 const struct sctp_endpoint *ep, 5773 const struct sctp_association *asoc, 5774 const sctp_subtype_t type, 5775 void *arg, 5776 sctp_cmd_seq_t *commands) 5777 { 5778 struct sctp_chunk *reply = NULL; 5779 5780 pr_debug("%s: timer T5 expired\n", __func__); 5781 5782 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5783 5784 reply = sctp_make_abort(asoc, NULL, 0); 5785 if (!reply) 5786 goto nomem; 5787 5788 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5789 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5790 SCTP_ERROR(ETIMEDOUT)); 5791 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5792 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5793 5794 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5795 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5796 5797 return SCTP_DISPOSITION_DELETE_TCB; 5798 nomem: 5799 return SCTP_DISPOSITION_NOMEM; 5800 } 5801 5802 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5803 * the association is automatically closed by starting the shutdown process. 5804 * The work that needs to be done is same as when SHUTDOWN is initiated by 5805 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5806 */ 5807 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5808 struct net *net, 5809 const struct sctp_endpoint *ep, 5810 const struct sctp_association *asoc, 5811 const sctp_subtype_t type, 5812 void *arg, 5813 sctp_cmd_seq_t *commands) 5814 { 5815 int disposition; 5816 5817 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 5818 5819 /* From 9.2 Shutdown of an Association 5820 * Upon receipt of the SHUTDOWN primitive from its upper 5821 * layer, the endpoint enters SHUTDOWN-PENDING state and 5822 * remains there until all outstanding data has been 5823 * acknowledged by its peer. The endpoint accepts no new data 5824 * from its upper layer, but retransmits data to the far end 5825 * if necessary to fill gaps. 5826 */ 5827 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5828 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5829 5830 disposition = SCTP_DISPOSITION_CONSUME; 5831 if (sctp_outq_is_empty(&asoc->outqueue)) { 5832 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 5833 arg, commands); 5834 } 5835 return disposition; 5836 } 5837 5838 /***************************************************************************** 5839 * These are sa state functions which could apply to all types of events. 5840 ****************************************************************************/ 5841 5842 /* 5843 * This table entry is not implemented. 5844 * 5845 * Inputs 5846 * (endpoint, asoc, chunk) 5847 * 5848 * The return value is the disposition of the chunk. 5849 */ 5850 sctp_disposition_t sctp_sf_not_impl(struct net *net, 5851 const struct sctp_endpoint *ep, 5852 const struct sctp_association *asoc, 5853 const sctp_subtype_t type, 5854 void *arg, 5855 sctp_cmd_seq_t *commands) 5856 { 5857 return SCTP_DISPOSITION_NOT_IMPL; 5858 } 5859 5860 /* 5861 * This table entry represents a bug. 5862 * 5863 * Inputs 5864 * (endpoint, asoc, chunk) 5865 * 5866 * The return value is the disposition of the chunk. 5867 */ 5868 sctp_disposition_t sctp_sf_bug(struct net *net, 5869 const struct sctp_endpoint *ep, 5870 const struct sctp_association *asoc, 5871 const sctp_subtype_t type, 5872 void *arg, 5873 sctp_cmd_seq_t *commands) 5874 { 5875 return SCTP_DISPOSITION_BUG; 5876 } 5877 5878 /* 5879 * This table entry represents the firing of a timer in the wrong state. 5880 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5881 * when the association is in the wrong state. This event should 5882 * be ignored, so as to prevent any rearming of the timer. 5883 * 5884 * Inputs 5885 * (endpoint, asoc, chunk) 5886 * 5887 * The return value is the disposition of the chunk. 5888 */ 5889 sctp_disposition_t sctp_sf_timer_ignore(struct net *net, 5890 const struct sctp_endpoint *ep, 5891 const struct sctp_association *asoc, 5892 const sctp_subtype_t type, 5893 void *arg, 5894 sctp_cmd_seq_t *commands) 5895 { 5896 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 5897 5898 return SCTP_DISPOSITION_CONSUME; 5899 } 5900 5901 /******************************************************************** 5902 * 2nd Level Abstractions 5903 ********************************************************************/ 5904 5905 /* Pull the SACK chunk based on the SACK header. */ 5906 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5907 { 5908 struct sctp_sackhdr *sack; 5909 unsigned int len; 5910 __u16 num_blocks; 5911 __u16 num_dup_tsns; 5912 5913 /* Protect ourselves from reading too far into 5914 * the skb from a bogus sender. 5915 */ 5916 sack = (struct sctp_sackhdr *) chunk->skb->data; 5917 5918 num_blocks = ntohs(sack->num_gap_ack_blocks); 5919 num_dup_tsns = ntohs(sack->num_dup_tsns); 5920 len = sizeof(struct sctp_sackhdr); 5921 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5922 if (len > chunk->skb->len) 5923 return NULL; 5924 5925 skb_pull(chunk->skb, len); 5926 5927 return sack; 5928 } 5929 5930 /* Create an ABORT packet to be sent as a response, with the specified 5931 * error causes. 5932 */ 5933 static struct sctp_packet *sctp_abort_pkt_new(struct net *net, 5934 const struct sctp_endpoint *ep, 5935 const struct sctp_association *asoc, 5936 struct sctp_chunk *chunk, 5937 const void *payload, 5938 size_t paylen) 5939 { 5940 struct sctp_packet *packet; 5941 struct sctp_chunk *abort; 5942 5943 packet = sctp_ootb_pkt_new(net, asoc, chunk); 5944 5945 if (packet) { 5946 /* Make an ABORT. 5947 * The T bit will be set if the asoc is NULL. 5948 */ 5949 abort = sctp_make_abort(asoc, chunk, paylen); 5950 if (!abort) { 5951 sctp_ootb_pkt_free(packet); 5952 return NULL; 5953 } 5954 5955 /* Reflect vtag if T-Bit is set */ 5956 if (sctp_test_T_bit(abort)) 5957 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5958 5959 /* Add specified error causes, i.e., payload, to the 5960 * end of the chunk. 5961 */ 5962 sctp_addto_chunk(abort, paylen, payload); 5963 5964 /* Set the skb to the belonging sock for accounting. */ 5965 abort->skb->sk = ep->base.sk; 5966 5967 sctp_packet_append_chunk(packet, abort); 5968 5969 } 5970 5971 return packet; 5972 } 5973 5974 /* Allocate a packet for responding in the OOTB conditions. */ 5975 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net, 5976 const struct sctp_association *asoc, 5977 const struct sctp_chunk *chunk) 5978 { 5979 struct sctp_packet *packet; 5980 struct sctp_transport *transport; 5981 __u16 sport; 5982 __u16 dport; 5983 __u32 vtag; 5984 5985 /* Get the source and destination port from the inbound packet. */ 5986 sport = ntohs(chunk->sctp_hdr->dest); 5987 dport = ntohs(chunk->sctp_hdr->source); 5988 5989 /* The V-tag is going to be the same as the inbound packet if no 5990 * association exists, otherwise, use the peer's vtag. 5991 */ 5992 if (asoc) { 5993 /* Special case the INIT-ACK as there is no peer's vtag 5994 * yet. 5995 */ 5996 switch (chunk->chunk_hdr->type) { 5997 case SCTP_CID_INIT_ACK: 5998 { 5999 sctp_initack_chunk_t *initack; 6000 6001 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 6002 vtag = ntohl(initack->init_hdr.init_tag); 6003 break; 6004 } 6005 default: 6006 vtag = asoc->peer.i.init_tag; 6007 break; 6008 } 6009 } else { 6010 /* Special case the INIT and stale COOKIE_ECHO as there is no 6011 * vtag yet. 6012 */ 6013 switch (chunk->chunk_hdr->type) { 6014 case SCTP_CID_INIT: 6015 { 6016 sctp_init_chunk_t *init; 6017 6018 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 6019 vtag = ntohl(init->init_hdr.init_tag); 6020 break; 6021 } 6022 default: 6023 vtag = ntohl(chunk->sctp_hdr->vtag); 6024 break; 6025 } 6026 } 6027 6028 /* Make a transport for the bucket, Eliza... */ 6029 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6030 if (!transport) 6031 goto nomem; 6032 6033 /* Cache a route for the transport with the chunk's destination as 6034 * the source address. 6035 */ 6036 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6037 sctp_sk(net->sctp.ctl_sock)); 6038 6039 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 6040 packet = sctp_packet_config(packet, vtag, 0); 6041 6042 return packet; 6043 6044 nomem: 6045 return NULL; 6046 } 6047 6048 /* Free the packet allocated earlier for responding in the OOTB condition. */ 6049 void sctp_ootb_pkt_free(struct sctp_packet *packet) 6050 { 6051 sctp_transport_free(packet->transport); 6052 } 6053 6054 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6055 static void sctp_send_stale_cookie_err(struct net *net, 6056 const struct sctp_endpoint *ep, 6057 const struct sctp_association *asoc, 6058 const struct sctp_chunk *chunk, 6059 sctp_cmd_seq_t *commands, 6060 struct sctp_chunk *err_chunk) 6061 { 6062 struct sctp_packet *packet; 6063 6064 if (err_chunk) { 6065 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6066 if (packet) { 6067 struct sctp_signed_cookie *cookie; 6068 6069 /* Override the OOTB vtag from the cookie. */ 6070 cookie = chunk->subh.cookie_hdr; 6071 packet->vtag = cookie->c.peer_vtag; 6072 6073 /* Set the skb to the belonging sock for accounting. */ 6074 err_chunk->skb->sk = ep->base.sk; 6075 sctp_packet_append_chunk(packet, err_chunk); 6076 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6077 SCTP_PACKET(packet)); 6078 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6079 } else 6080 sctp_chunk_free (err_chunk); 6081 } 6082 } 6083 6084 6085 /* Process a data chunk */ 6086 static int sctp_eat_data(const struct sctp_association *asoc, 6087 struct sctp_chunk *chunk, 6088 sctp_cmd_seq_t *commands) 6089 { 6090 sctp_datahdr_t *data_hdr; 6091 struct sctp_chunk *err; 6092 size_t datalen; 6093 sctp_verb_t deliver; 6094 int tmp; 6095 __u32 tsn; 6096 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6097 struct sock *sk = asoc->base.sk; 6098 struct net *net = sock_net(sk); 6099 u16 ssn; 6100 u16 sid; 6101 u8 ordered = 0; 6102 6103 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 6104 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 6105 6106 tsn = ntohl(data_hdr->tsn); 6107 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6108 6109 /* ASSERT: Now skb->data is really the user data. */ 6110 6111 /* Process ECN based congestion. 6112 * 6113 * Since the chunk structure is reused for all chunks within 6114 * a packet, we use ecn_ce_done to track if we've already 6115 * done CE processing for this packet. 6116 * 6117 * We need to do ECN processing even if we plan to discard the 6118 * chunk later. 6119 */ 6120 6121 if (!chunk->ecn_ce_done) { 6122 struct sctp_af *af; 6123 chunk->ecn_ce_done = 1; 6124 6125 af = sctp_get_af_specific( 6126 ipver2af(ip_hdr(chunk->skb)->version)); 6127 6128 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 6129 /* Do real work as sideffect. */ 6130 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6131 SCTP_U32(tsn)); 6132 } 6133 } 6134 6135 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6136 if (tmp < 0) { 6137 /* The TSN is too high--silently discard the chunk and 6138 * count on it getting retransmitted later. 6139 */ 6140 if (chunk->asoc) 6141 chunk->asoc->stats.outofseqtsns++; 6142 return SCTP_IERROR_HIGH_TSN; 6143 } else if (tmp > 0) { 6144 /* This is a duplicate. Record it. */ 6145 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6146 return SCTP_IERROR_DUP_TSN; 6147 } 6148 6149 /* This is a new TSN. */ 6150 6151 /* Discard if there is no room in the receive window. 6152 * Actually, allow a little bit of overflow (up to a MTU). 6153 */ 6154 datalen = ntohs(chunk->chunk_hdr->length); 6155 datalen -= sizeof(sctp_data_chunk_t); 6156 6157 deliver = SCTP_CMD_CHUNK_ULP; 6158 6159 /* Think about partial delivery. */ 6160 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6161 6162 /* Even if we don't accept this chunk there is 6163 * memory pressure. 6164 */ 6165 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6166 } 6167 6168 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6169 * seems a bit troublesome in that frag_point varies based on 6170 * PMTU. In cases, such as loopback, this might be a rather 6171 * large spill over. 6172 */ 6173 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6174 (datalen > asoc->rwnd + asoc->frag_point))) { 6175 6176 /* If this is the next TSN, consider reneging to make 6177 * room. Note: Playing nice with a confused sender. A 6178 * malicious sender can still eat up all our buffer 6179 * space and in the future we may want to detect and 6180 * do more drastic reneging. 6181 */ 6182 if (sctp_tsnmap_has_gap(map) && 6183 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6184 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6185 deliver = SCTP_CMD_RENEGE; 6186 } else { 6187 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6188 __func__, tsn, datalen, asoc->rwnd); 6189 6190 return SCTP_IERROR_IGNORE_TSN; 6191 } 6192 } 6193 6194 /* 6195 * Also try to renege to limit our memory usage in the event that 6196 * we are under memory pressure 6197 * If we can't renege, don't worry about it, the sk_rmem_schedule 6198 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6199 * memory usage too much 6200 */ 6201 if (*sk->sk_prot_creator->memory_pressure) { 6202 if (sctp_tsnmap_has_gap(map) && 6203 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6204 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6205 __func__, tsn); 6206 deliver = SCTP_CMD_RENEGE; 6207 } 6208 } 6209 6210 /* 6211 * Section 3.3.10.9 No User Data (9) 6212 * 6213 * Cause of error 6214 * --------------- 6215 * No User Data: This error cause is returned to the originator of a 6216 * DATA chunk if a received DATA chunk has no user data. 6217 */ 6218 if (unlikely(0 == datalen)) { 6219 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6220 if (err) { 6221 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6222 SCTP_CHUNK(err)); 6223 } 6224 /* We are going to ABORT, so we might as well stop 6225 * processing the rest of the chunks in the packet. 6226 */ 6227 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6228 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6229 SCTP_ERROR(ECONNABORTED)); 6230 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6231 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6232 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6233 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6234 return SCTP_IERROR_NO_DATA; 6235 } 6236 6237 chunk->data_accepted = 1; 6238 6239 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6240 * if we renege and the chunk arrives again. 6241 */ 6242 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6243 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6244 if (chunk->asoc) 6245 chunk->asoc->stats.iuodchunks++; 6246 } else { 6247 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6248 if (chunk->asoc) 6249 chunk->asoc->stats.iodchunks++; 6250 ordered = 1; 6251 } 6252 6253 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6254 * 6255 * If an endpoint receive a DATA chunk with an invalid stream 6256 * identifier, it shall acknowledge the reception of the DATA chunk 6257 * following the normal procedure, immediately send an ERROR chunk 6258 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6259 * and discard the DATA chunk. 6260 */ 6261 sid = ntohs(data_hdr->stream); 6262 if (sid >= asoc->c.sinit_max_instreams) { 6263 /* Mark tsn as received even though we drop it */ 6264 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6265 6266 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6267 &data_hdr->stream, 6268 sizeof(data_hdr->stream), 6269 sizeof(u16)); 6270 if (err) 6271 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6272 SCTP_CHUNK(err)); 6273 return SCTP_IERROR_BAD_STREAM; 6274 } 6275 6276 /* Check to see if the SSN is possible for this TSN. 6277 * The biggest gap we can record is 4K wide. Since SSNs wrap 6278 * at an unsigned short, there is no way that an SSN can 6279 * wrap and for a valid TSN. We can simply check if the current 6280 * SSN is smaller then the next expected one. If it is, it wrapped 6281 * and is invalid. 6282 */ 6283 ssn = ntohs(data_hdr->ssn); 6284 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) { 6285 return SCTP_IERROR_PROTO_VIOLATION; 6286 } 6287 6288 /* Send the data up to the user. Note: Schedule the 6289 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6290 * chunk needs the updated rwnd. 6291 */ 6292 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6293 6294 return SCTP_IERROR_NO_ERROR; 6295 } 6296