1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, write to 26 * the Free Software Foundation, 59 Temple Place - Suite 330, 27 * Boston, MA 02111-1307, USA. 28 * 29 * Please send any bug reports or fixes you make to the 30 * email address(es): 31 * lksctp developers <lksctp-developers@lists.sourceforge.net> 32 * 33 * Or submit a bug report through the following website: 34 * http://www.sf.net/projects/lksctp 35 * 36 * Written or modified by: 37 * La Monte H.P. Yarroll <piggy@acm.org> 38 * Karl Knutson <karl@athena.chicago.il.us> 39 * Mathew Kotowsky <kotowsky@sctp.org> 40 * Sridhar Samudrala <samudrala@us.ibm.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Dajiang Zhang <dajiang.zhang@nokia.com> 44 * Daisy Chang <daisyc@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * Ryan Layer <rmlayer@us.ibm.com> 47 * Kevin Gao <kevin.gao@intel.com> 48 * 49 * Any bugs reported given to us we will try to fix... any fixes shared will 50 * be incorporated into the next SCTP release. 51 */ 52 53 #include <linux/types.h> 54 #include <linux/kernel.h> 55 #include <linux/ip.h> 56 #include <linux/ipv6.h> 57 #include <linux/net.h> 58 #include <linux/inet.h> 59 #include <net/sock.h> 60 #include <net/inet_ecn.h> 61 #include <linux/skbuff.h> 62 #include <net/sctp/sctp.h> 63 #include <net/sctp/sm.h> 64 #include <net/sctp/structs.h> 65 66 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 67 const struct sctp_association *asoc, 68 struct sctp_chunk *chunk, 69 const void *payload, 70 size_t paylen); 71 static int sctp_eat_data(const struct sctp_association *asoc, 72 struct sctp_chunk *chunk, 73 sctp_cmd_seq_t *commands); 74 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 75 const struct sctp_chunk *chunk); 76 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 77 const struct sctp_association *asoc, 78 const struct sctp_chunk *chunk, 79 sctp_cmd_seq_t *commands, 80 struct sctp_chunk *err_chunk); 81 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 82 const struct sctp_association *asoc, 83 const sctp_subtype_t type, 84 void *arg, 85 sctp_cmd_seq_t *commands); 86 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 87 const struct sctp_association *asoc, 88 const sctp_subtype_t type, 89 void *arg, 90 sctp_cmd_seq_t *commands); 91 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 92 const struct sctp_association *asoc, 93 const sctp_subtype_t type, 94 void *arg, 95 sctp_cmd_seq_t *commands); 96 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 97 98 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 99 __be16 error, int sk_err, 100 const struct sctp_association *asoc, 101 struct sctp_transport *transport); 102 103 static sctp_disposition_t sctp_sf_abort_violation( 104 const struct sctp_endpoint *ep, 105 const struct sctp_association *asoc, 106 void *arg, 107 sctp_cmd_seq_t *commands, 108 const __u8 *payload, 109 const size_t paylen); 110 111 static sctp_disposition_t sctp_sf_violation_chunklen( 112 const struct sctp_endpoint *ep, 113 const struct sctp_association *asoc, 114 const sctp_subtype_t type, 115 void *arg, 116 sctp_cmd_seq_t *commands); 117 118 static sctp_disposition_t sctp_sf_violation_paramlen( 119 const struct sctp_endpoint *ep, 120 const struct sctp_association *asoc, 121 const sctp_subtype_t type, 122 void *arg, 123 sctp_cmd_seq_t *commands); 124 125 static sctp_disposition_t sctp_sf_violation_ctsn( 126 const struct sctp_endpoint *ep, 127 const struct sctp_association *asoc, 128 const sctp_subtype_t type, 129 void *arg, 130 sctp_cmd_seq_t *commands); 131 132 static sctp_disposition_t sctp_sf_violation_chunk( 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const sctp_subtype_t type, 136 void *arg, 137 sctp_cmd_seq_t *commands); 138 139 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 140 const struct sctp_association *asoc, 141 const sctp_subtype_t type, 142 struct sctp_chunk *chunk); 143 144 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 145 const struct sctp_association *asoc, 146 const sctp_subtype_t type, 147 void *arg, 148 sctp_cmd_seq_t *commands); 149 150 /* Small helper function that checks if the chunk length 151 * is of the appropriate length. The 'required_length' argument 152 * is set to be the size of a specific chunk we are testing. 153 * Return Values: 1 = Valid length 154 * 0 = Invalid length 155 * 156 */ 157 static inline int 158 sctp_chunk_length_valid(struct sctp_chunk *chunk, 159 __u16 required_length) 160 { 161 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 162 163 if (unlikely(chunk_length < required_length)) 164 return 0; 165 166 return 1; 167 } 168 169 /********************************************************** 170 * These are the state functions for handling chunk events. 171 **********************************************************/ 172 173 /* 174 * Process the final SHUTDOWN COMPLETE. 175 * 176 * Section: 4 (C) (diagram), 9.2 177 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 178 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 179 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 180 * should stop the T2-shutdown timer and remove all knowledge of the 181 * association (and thus the association enters the CLOSED state). 182 * 183 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 184 * C) Rules for packet carrying SHUTDOWN COMPLETE: 185 * ... 186 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 187 * if the Verification Tag field of the packet matches its own tag and 188 * the T bit is not set 189 * OR 190 * it is set to its peer's tag and the T bit is set in the Chunk 191 * Flags. 192 * Otherwise, the receiver MUST silently discard the packet 193 * and take no further action. An endpoint MUST ignore the 194 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 195 * 196 * Inputs 197 * (endpoint, asoc, chunk) 198 * 199 * Outputs 200 * (asoc, reply_msg, msg_up, timers, counters) 201 * 202 * The return value is the disposition of the chunk. 203 */ 204 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 205 const struct sctp_association *asoc, 206 const sctp_subtype_t type, 207 void *arg, 208 sctp_cmd_seq_t *commands) 209 { 210 struct sctp_chunk *chunk = arg; 211 struct sctp_ulpevent *ev; 212 213 if (!sctp_vtag_verify_either(chunk, asoc)) 214 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 215 216 /* RFC 2960 6.10 Bundling 217 * 218 * An endpoint MUST NOT bundle INIT, INIT ACK or 219 * SHUTDOWN COMPLETE with any other chunks. 220 */ 221 if (!chunk->singleton) 222 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 223 224 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 225 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 226 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 227 commands); 228 229 /* RFC 2960 10.2 SCTP-to-ULP 230 * 231 * H) SHUTDOWN COMPLETE notification 232 * 233 * When SCTP completes the shutdown procedures (section 9.2) this 234 * notification is passed to the upper layer. 235 */ 236 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 237 0, 0, 0, NULL, GFP_ATOMIC); 238 if (ev) 239 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 240 SCTP_ULPEVENT(ev)); 241 242 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 243 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 244 * not the chunk should be discarded. If the endpoint is in 245 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 246 * T2-shutdown timer and remove all knowledge of the 247 * association (and thus the association enters the CLOSED 248 * state). 249 */ 250 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 251 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 252 253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 254 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 255 256 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 257 SCTP_STATE(SCTP_STATE_CLOSED)); 258 259 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 260 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 261 262 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 263 264 return SCTP_DISPOSITION_DELETE_TCB; 265 } 266 267 /* 268 * Respond to a normal INIT chunk. 269 * We are the side that is being asked for an association. 270 * 271 * Section: 5.1 Normal Establishment of an Association, B 272 * B) "Z" shall respond immediately with an INIT ACK chunk. The 273 * destination IP address of the INIT ACK MUST be set to the source 274 * IP address of the INIT to which this INIT ACK is responding. In 275 * the response, besides filling in other parameters, "Z" must set the 276 * Verification Tag field to Tag_A, and also provide its own 277 * Verification Tag (Tag_Z) in the Initiate Tag field. 278 * 279 * Verification Tag: Must be 0. 280 * 281 * Inputs 282 * (endpoint, asoc, chunk) 283 * 284 * Outputs 285 * (asoc, reply_msg, msg_up, timers, counters) 286 * 287 * The return value is the disposition of the chunk. 288 */ 289 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 290 const struct sctp_association *asoc, 291 const sctp_subtype_t type, 292 void *arg, 293 sctp_cmd_seq_t *commands) 294 { 295 struct sctp_chunk *chunk = arg; 296 struct sctp_chunk *repl; 297 struct sctp_association *new_asoc; 298 struct sctp_chunk *err_chunk; 299 struct sctp_packet *packet; 300 sctp_unrecognized_param_t *unk_param; 301 int len; 302 303 /* 6.10 Bundling 304 * An endpoint MUST NOT bundle INIT, INIT ACK or 305 * SHUTDOWN COMPLETE with any other chunks. 306 * 307 * IG Section 2.11.2 308 * Furthermore, we require that the receiver of an INIT chunk MUST 309 * enforce these rules by silently discarding an arriving packet 310 * with an INIT chunk that is bundled with other chunks. 311 */ 312 if (!chunk->singleton) 313 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 314 315 /* If the packet is an OOTB packet which is temporarily on the 316 * control endpoint, respond with an ABORT. 317 */ 318 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 319 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 320 321 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 322 * Tag. 323 */ 324 if (chunk->sctp_hdr->vtag != 0) 325 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 326 327 /* Make sure that the INIT chunk has a valid length. 328 * Normally, this would cause an ABORT with a Protocol Violation 329 * error, but since we don't have an association, we'll 330 * just discard the packet. 331 */ 332 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 333 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 334 335 /* Verify the INIT chunk before processing it. */ 336 err_chunk = NULL; 337 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 338 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 339 &err_chunk)) { 340 /* This chunk contains fatal error. It is to be discarded. 341 * Send an ABORT, with causes if there is any. 342 */ 343 if (err_chunk) { 344 packet = sctp_abort_pkt_new(ep, asoc, arg, 345 (__u8 *)(err_chunk->chunk_hdr) + 346 sizeof(sctp_chunkhdr_t), 347 ntohs(err_chunk->chunk_hdr->length) - 348 sizeof(sctp_chunkhdr_t)); 349 350 sctp_chunk_free(err_chunk); 351 352 if (packet) { 353 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 354 SCTP_PACKET(packet)); 355 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 356 return SCTP_DISPOSITION_CONSUME; 357 } else { 358 return SCTP_DISPOSITION_NOMEM; 359 } 360 } else { 361 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 362 commands); 363 } 364 } 365 366 /* Grab the INIT header. */ 367 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 368 369 /* Tag the variable length parameters. */ 370 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 371 372 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 373 if (!new_asoc) 374 goto nomem; 375 376 /* The call, sctp_process_init(), can fail on memory allocation. */ 377 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 378 sctp_source(chunk), 379 (sctp_init_chunk_t *)chunk->chunk_hdr, 380 GFP_ATOMIC)) 381 goto nomem_init; 382 383 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 384 385 /* If there are errors need to be reported for unknown parameters, 386 * make sure to reserve enough room in the INIT ACK for them. 387 */ 388 len = 0; 389 if (err_chunk) 390 len = ntohs(err_chunk->chunk_hdr->length) - 391 sizeof(sctp_chunkhdr_t); 392 393 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 394 goto nomem_init; 395 396 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 397 if (!repl) 398 goto nomem_init; 399 400 /* If there are errors need to be reported for unknown parameters, 401 * include them in the outgoing INIT ACK as "Unrecognized parameter" 402 * parameter. 403 */ 404 if (err_chunk) { 405 /* Get the "Unrecognized parameter" parameter(s) out of the 406 * ERROR chunk generated by sctp_verify_init(). Since the 407 * error cause code for "unknown parameter" and the 408 * "Unrecognized parameter" type is the same, we can 409 * construct the parameters in INIT ACK by copying the 410 * ERROR causes over. 411 */ 412 unk_param = (sctp_unrecognized_param_t *) 413 ((__u8 *)(err_chunk->chunk_hdr) + 414 sizeof(sctp_chunkhdr_t)); 415 /* Replace the cause code with the "Unrecognized parameter" 416 * parameter type. 417 */ 418 sctp_addto_chunk(repl, len, unk_param); 419 sctp_chunk_free(err_chunk); 420 } 421 422 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 423 424 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 425 426 /* 427 * Note: After sending out INIT ACK with the State Cookie parameter, 428 * "Z" MUST NOT allocate any resources, nor keep any states for the 429 * new association. Otherwise, "Z" will be vulnerable to resource 430 * attacks. 431 */ 432 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 433 434 return SCTP_DISPOSITION_DELETE_TCB; 435 436 nomem_init: 437 sctp_association_free(new_asoc); 438 nomem: 439 if (err_chunk) 440 sctp_chunk_free(err_chunk); 441 return SCTP_DISPOSITION_NOMEM; 442 } 443 444 /* 445 * Respond to a normal INIT ACK chunk. 446 * We are the side that is initiating the association. 447 * 448 * Section: 5.1 Normal Establishment of an Association, C 449 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 450 * timer and leave COOKIE-WAIT state. "A" shall then send the State 451 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 452 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 453 * 454 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 455 * DATA chunks, but it MUST be the first chunk in the packet and 456 * until the COOKIE ACK is returned the sender MUST NOT send any 457 * other packets to the peer. 458 * 459 * Verification Tag: 3.3.3 460 * If the value of the Initiate Tag in a received INIT ACK chunk is 461 * found to be 0, the receiver MUST treat it as an error and close the 462 * association by transmitting an ABORT. 463 * 464 * Inputs 465 * (endpoint, asoc, chunk) 466 * 467 * Outputs 468 * (asoc, reply_msg, msg_up, timers, counters) 469 * 470 * The return value is the disposition of the chunk. 471 */ 472 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 473 const struct sctp_association *asoc, 474 const sctp_subtype_t type, 475 void *arg, 476 sctp_cmd_seq_t *commands) 477 { 478 struct sctp_chunk *chunk = arg; 479 sctp_init_chunk_t *initchunk; 480 struct sctp_chunk *err_chunk; 481 struct sctp_packet *packet; 482 483 if (!sctp_vtag_verify(chunk, asoc)) 484 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 485 486 /* 6.10 Bundling 487 * An endpoint MUST NOT bundle INIT, INIT ACK or 488 * SHUTDOWN COMPLETE with any other chunks. 489 */ 490 if (!chunk->singleton) 491 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 492 493 /* Make sure that the INIT-ACK chunk has a valid length */ 494 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 495 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 496 commands); 497 /* Grab the INIT header. */ 498 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 499 500 /* Verify the INIT chunk before processing it. */ 501 err_chunk = NULL; 502 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 503 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 504 &err_chunk)) { 505 506 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 507 508 /* This chunk contains fatal error. It is to be discarded. 509 * Send an ABORT, with causes. If there are no causes, 510 * then there wasn't enough memory. Just terminate 511 * the association. 512 */ 513 if (err_chunk) { 514 packet = sctp_abort_pkt_new(ep, asoc, arg, 515 (__u8 *)(err_chunk->chunk_hdr) + 516 sizeof(sctp_chunkhdr_t), 517 ntohs(err_chunk->chunk_hdr->length) - 518 sizeof(sctp_chunkhdr_t)); 519 520 sctp_chunk_free(err_chunk); 521 522 if (packet) { 523 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 524 SCTP_PACKET(packet)); 525 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 526 error = SCTP_ERROR_INV_PARAM; 527 } 528 } 529 530 /* SCTP-AUTH, Section 6.3: 531 * It should be noted that if the receiver wants to tear 532 * down an association in an authenticated way only, the 533 * handling of malformed packets should not result in 534 * tearing down the association. 535 * 536 * This means that if we only want to abort associations 537 * in an authenticated way (i.e AUTH+ABORT), then we 538 * can't destroy this association just becuase the packet 539 * was malformed. 540 */ 541 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 542 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 543 544 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 545 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 546 asoc, chunk->transport); 547 } 548 549 /* Tag the variable length parameters. Note that we never 550 * convert the parameters in an INIT chunk. 551 */ 552 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 553 554 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 555 556 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 557 SCTP_PEER_INIT(initchunk)); 558 559 /* Reset init error count upon receipt of INIT-ACK. */ 560 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 561 562 /* 5.1 C) "A" shall stop the T1-init timer and leave 563 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 564 * timer, and enter the COOKIE-ECHOED state. 565 */ 566 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 567 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 568 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 569 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 570 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 571 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 572 573 /* SCTP-AUTH: genereate the assocition shared keys so that 574 * we can potentially signe the COOKIE-ECHO. 575 */ 576 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 577 578 /* 5.1 C) "A" shall then send the State Cookie received in the 579 * INIT ACK chunk in a COOKIE ECHO chunk, ... 580 */ 581 /* If there is any errors to report, send the ERROR chunk generated 582 * for unknown parameters as well. 583 */ 584 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 585 SCTP_CHUNK(err_chunk)); 586 587 return SCTP_DISPOSITION_CONSUME; 588 } 589 590 /* 591 * Respond to a normal COOKIE ECHO chunk. 592 * We are the side that is being asked for an association. 593 * 594 * Section: 5.1 Normal Establishment of an Association, D 595 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 596 * with a COOKIE ACK chunk after building a TCB and moving to 597 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 598 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 599 * chunk MUST be the first chunk in the packet. 600 * 601 * IMPLEMENTATION NOTE: An implementation may choose to send the 602 * Communication Up notification to the SCTP user upon reception 603 * of a valid COOKIE ECHO chunk. 604 * 605 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 606 * D) Rules for packet carrying a COOKIE ECHO 607 * 608 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 609 * Initial Tag received in the INIT ACK. 610 * 611 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 612 * 613 * Inputs 614 * (endpoint, asoc, chunk) 615 * 616 * Outputs 617 * (asoc, reply_msg, msg_up, timers, counters) 618 * 619 * The return value is the disposition of the chunk. 620 */ 621 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 622 const struct sctp_association *asoc, 623 const sctp_subtype_t type, void *arg, 624 sctp_cmd_seq_t *commands) 625 { 626 struct sctp_chunk *chunk = arg; 627 struct sctp_association *new_asoc; 628 sctp_init_chunk_t *peer_init; 629 struct sctp_chunk *repl; 630 struct sctp_ulpevent *ev, *ai_ev = NULL; 631 int error = 0; 632 struct sctp_chunk *err_chk_p; 633 struct sock *sk; 634 635 /* If the packet is an OOTB packet which is temporarily on the 636 * control endpoint, respond with an ABORT. 637 */ 638 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 639 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 640 641 /* Make sure that the COOKIE_ECHO chunk has a valid length. 642 * In this case, we check that we have enough for at least a 643 * chunk header. More detailed verification is done 644 * in sctp_unpack_cookie(). 645 */ 646 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 647 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 648 649 /* If the endpoint is not listening or if the number of associations 650 * on the TCP-style socket exceed the max backlog, respond with an 651 * ABORT. 652 */ 653 sk = ep->base.sk; 654 if (!sctp_sstate(sk, LISTENING) || 655 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 656 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 657 658 /* "Decode" the chunk. We have no optional parameters so we 659 * are in good shape. 660 */ 661 chunk->subh.cookie_hdr = 662 (struct sctp_signed_cookie *)chunk->skb->data; 663 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 664 sizeof(sctp_chunkhdr_t))) 665 goto nomem; 666 667 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 668 * "Z" will reply with a COOKIE ACK chunk after building a TCB 669 * and moving to the ESTABLISHED state. 670 */ 671 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 672 &err_chk_p); 673 674 /* FIXME: 675 * If the re-build failed, what is the proper error path 676 * from here? 677 * 678 * [We should abort the association. --piggy] 679 */ 680 if (!new_asoc) { 681 /* FIXME: Several errors are possible. A bad cookie should 682 * be silently discarded, but think about logging it too. 683 */ 684 switch (error) { 685 case -SCTP_IERROR_NOMEM: 686 goto nomem; 687 688 case -SCTP_IERROR_STALE_COOKIE: 689 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 690 err_chk_p); 691 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 692 693 case -SCTP_IERROR_BAD_SIG: 694 default: 695 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 696 } 697 } 698 699 700 /* Delay state machine commands until later. 701 * 702 * Re-build the bind address for the association is done in 703 * the sctp_unpack_cookie() already. 704 */ 705 /* This is a brand-new association, so these are not yet side 706 * effects--it is safe to run them here. 707 */ 708 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 709 710 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 711 &chunk->subh.cookie_hdr->c.peer_addr, 712 peer_init, GFP_ATOMIC)) 713 goto nomem_init; 714 715 /* SCTP-AUTH: Now that we've populate required fields in 716 * sctp_process_init, set up the assocaition shared keys as 717 * necessary so that we can potentially authenticate the ACK 718 */ 719 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 720 if (error) 721 goto nomem_init; 722 723 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 724 * is supposed to be authenticated and we have to do delayed 725 * authentication. We've just recreated the association using 726 * the information in the cookie and now it's much easier to 727 * do the authentication. 728 */ 729 if (chunk->auth_chunk) { 730 struct sctp_chunk auth; 731 sctp_ierror_t ret; 732 733 /* set-up our fake chunk so that we can process it */ 734 auth.skb = chunk->auth_chunk; 735 auth.asoc = chunk->asoc; 736 auth.sctp_hdr = chunk->sctp_hdr; 737 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 738 sizeof(sctp_chunkhdr_t)); 739 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 740 auth.transport = chunk->transport; 741 742 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth); 743 744 /* We can now safely free the auth_chunk clone */ 745 kfree_skb(chunk->auth_chunk); 746 747 if (ret != SCTP_IERROR_NO_ERROR) { 748 sctp_association_free(new_asoc); 749 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 750 } 751 } 752 753 repl = sctp_make_cookie_ack(new_asoc, chunk); 754 if (!repl) 755 goto nomem_init; 756 757 /* RFC 2960 5.1 Normal Establishment of an Association 758 * 759 * D) IMPLEMENTATION NOTE: An implementation may choose to 760 * send the Communication Up notification to the SCTP user 761 * upon reception of a valid COOKIE ECHO chunk. 762 */ 763 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 764 new_asoc->c.sinit_num_ostreams, 765 new_asoc->c.sinit_max_instreams, 766 NULL, GFP_ATOMIC); 767 if (!ev) 768 goto nomem_ev; 769 770 /* Sockets API Draft Section 5.3.1.6 771 * When a peer sends a Adaptation Layer Indication parameter , SCTP 772 * delivers this notification to inform the application that of the 773 * peers requested adaptation layer. 774 */ 775 if (new_asoc->peer.adaptation_ind) { 776 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 777 GFP_ATOMIC); 778 if (!ai_ev) 779 goto nomem_aiev; 780 } 781 782 /* Add all the state machine commands now since we've created 783 * everything. This way we don't introduce memory corruptions 784 * during side-effect processing and correclty count established 785 * associations. 786 */ 787 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 788 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 789 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 790 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 791 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 792 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 793 794 if (new_asoc->autoclose) 795 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 796 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 797 798 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 799 800 /* This will send the COOKIE ACK */ 801 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 802 803 /* Queue the ASSOC_CHANGE event */ 804 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 805 806 /* Send up the Adaptation Layer Indication event */ 807 if (ai_ev) 808 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 809 SCTP_ULPEVENT(ai_ev)); 810 811 return SCTP_DISPOSITION_CONSUME; 812 813 nomem_aiev: 814 sctp_ulpevent_free(ev); 815 nomem_ev: 816 sctp_chunk_free(repl); 817 nomem_init: 818 sctp_association_free(new_asoc); 819 nomem: 820 return SCTP_DISPOSITION_NOMEM; 821 } 822 823 /* 824 * Respond to a normal COOKIE ACK chunk. 825 * We are the side that is being asked for an association. 826 * 827 * RFC 2960 5.1 Normal Establishment of an Association 828 * 829 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 830 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 831 * timer. It may also notify its ULP about the successful 832 * establishment of the association with a Communication Up 833 * notification (see Section 10). 834 * 835 * Verification Tag: 836 * Inputs 837 * (endpoint, asoc, chunk) 838 * 839 * Outputs 840 * (asoc, reply_msg, msg_up, timers, counters) 841 * 842 * The return value is the disposition of the chunk. 843 */ 844 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 845 const struct sctp_association *asoc, 846 const sctp_subtype_t type, void *arg, 847 sctp_cmd_seq_t *commands) 848 { 849 struct sctp_chunk *chunk = arg; 850 struct sctp_ulpevent *ev; 851 852 if (!sctp_vtag_verify(chunk, asoc)) 853 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 854 855 /* Verify that the chunk length for the COOKIE-ACK is OK. 856 * If we don't do this, any bundled chunks may be junked. 857 */ 858 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 859 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 860 commands); 861 862 /* Reset init error count upon receipt of COOKIE-ACK, 863 * to avoid problems with the managemement of this 864 * counter in stale cookie situations when a transition back 865 * from the COOKIE-ECHOED state to the COOKIE-WAIT 866 * state is performed. 867 */ 868 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 869 870 /* RFC 2960 5.1 Normal Establishment of an Association 871 * 872 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 873 * from the COOKIE-ECHOED state to the ESTABLISHED state, 874 * stopping the T1-cookie timer. 875 */ 876 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 877 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 878 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 879 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 880 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 881 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 882 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 883 if (asoc->autoclose) 884 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 885 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 886 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 887 888 /* It may also notify its ULP about the successful 889 * establishment of the association with a Communication Up 890 * notification (see Section 10). 891 */ 892 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 893 0, asoc->c.sinit_num_ostreams, 894 asoc->c.sinit_max_instreams, 895 NULL, GFP_ATOMIC); 896 897 if (!ev) 898 goto nomem; 899 900 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 901 902 /* Sockets API Draft Section 5.3.1.6 903 * When a peer sends a Adaptation Layer Indication parameter , SCTP 904 * delivers this notification to inform the application that of the 905 * peers requested adaptation layer. 906 */ 907 if (asoc->peer.adaptation_ind) { 908 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 909 if (!ev) 910 goto nomem; 911 912 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 913 SCTP_ULPEVENT(ev)); 914 } 915 916 return SCTP_DISPOSITION_CONSUME; 917 nomem: 918 return SCTP_DISPOSITION_NOMEM; 919 } 920 921 /* Generate and sendout a heartbeat packet. */ 922 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 923 const struct sctp_association *asoc, 924 const sctp_subtype_t type, 925 void *arg, 926 sctp_cmd_seq_t *commands) 927 { 928 struct sctp_transport *transport = (struct sctp_transport *) arg; 929 struct sctp_chunk *reply; 930 sctp_sender_hb_info_t hbinfo; 931 size_t paylen = 0; 932 933 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 934 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 935 hbinfo.daddr = transport->ipaddr; 936 hbinfo.sent_at = jiffies; 937 hbinfo.hb_nonce = transport->hb_nonce; 938 939 /* Send a heartbeat to our peer. */ 940 paylen = sizeof(sctp_sender_hb_info_t); 941 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 942 if (!reply) 943 return SCTP_DISPOSITION_NOMEM; 944 945 /* Set rto_pending indicating that an RTT measurement 946 * is started with this heartbeat chunk. 947 */ 948 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 949 SCTP_TRANSPORT(transport)); 950 951 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 952 return SCTP_DISPOSITION_CONSUME; 953 } 954 955 /* Generate a HEARTBEAT packet on the given transport. */ 956 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 957 const struct sctp_association *asoc, 958 const sctp_subtype_t type, 959 void *arg, 960 sctp_cmd_seq_t *commands) 961 { 962 struct sctp_transport *transport = (struct sctp_transport *) arg; 963 964 if (asoc->overall_error_count > asoc->max_retrans) { 965 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 966 SCTP_ERROR(ETIMEDOUT)); 967 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 968 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 969 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 970 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 971 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 972 return SCTP_DISPOSITION_DELETE_TCB; 973 } 974 975 /* Section 3.3.5. 976 * The Sender-specific Heartbeat Info field should normally include 977 * information about the sender's current time when this HEARTBEAT 978 * chunk is sent and the destination transport address to which this 979 * HEARTBEAT is sent (see Section 8.3). 980 */ 981 982 if (transport->param_flags & SPP_HB_ENABLE) { 983 if (SCTP_DISPOSITION_NOMEM == 984 sctp_sf_heartbeat(ep, asoc, type, arg, 985 commands)) 986 return SCTP_DISPOSITION_NOMEM; 987 /* Set transport error counter and association error counter 988 * when sending heartbeat. 989 */ 990 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 991 SCTP_TRANSPORT(transport)); 992 } 993 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 994 SCTP_TRANSPORT(transport)); 995 996 return SCTP_DISPOSITION_CONSUME; 997 } 998 999 /* 1000 * Process an heartbeat request. 1001 * 1002 * Section: 8.3 Path Heartbeat 1003 * The receiver of the HEARTBEAT should immediately respond with a 1004 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1005 * from the received HEARTBEAT chunk. 1006 * 1007 * Verification Tag: 8.5 Verification Tag [Normal verification] 1008 * When receiving an SCTP packet, the endpoint MUST ensure that the 1009 * value in the Verification Tag field of the received SCTP packet 1010 * matches its own Tag. If the received Verification Tag value does not 1011 * match the receiver's own tag value, the receiver shall silently 1012 * discard the packet and shall not process it any further except for 1013 * those cases listed in Section 8.5.1 below. 1014 * 1015 * Inputs 1016 * (endpoint, asoc, chunk) 1017 * 1018 * Outputs 1019 * (asoc, reply_msg, msg_up, timers, counters) 1020 * 1021 * The return value is the disposition of the chunk. 1022 */ 1023 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 1024 const struct sctp_association *asoc, 1025 const sctp_subtype_t type, 1026 void *arg, 1027 sctp_cmd_seq_t *commands) 1028 { 1029 struct sctp_chunk *chunk = arg; 1030 struct sctp_chunk *reply; 1031 size_t paylen = 0; 1032 1033 if (!sctp_vtag_verify(chunk, asoc)) 1034 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1035 1036 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1037 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1038 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1039 commands); 1040 1041 /* 8.3 The receiver of the HEARTBEAT should immediately 1042 * respond with a HEARTBEAT ACK that contains the Heartbeat 1043 * Information field copied from the received HEARTBEAT chunk. 1044 */ 1045 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1046 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1047 if (!pskb_pull(chunk->skb, paylen)) 1048 goto nomem; 1049 1050 reply = sctp_make_heartbeat_ack(asoc, chunk, 1051 chunk->subh.hb_hdr, paylen); 1052 if (!reply) 1053 goto nomem; 1054 1055 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1056 return SCTP_DISPOSITION_CONSUME; 1057 1058 nomem: 1059 return SCTP_DISPOSITION_NOMEM; 1060 } 1061 1062 /* 1063 * Process the returning HEARTBEAT ACK. 1064 * 1065 * Section: 8.3 Path Heartbeat 1066 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1067 * should clear the error counter of the destination transport 1068 * address to which the HEARTBEAT was sent, and mark the destination 1069 * transport address as active if it is not so marked. The endpoint may 1070 * optionally report to the upper layer when an inactive destination 1071 * address is marked as active due to the reception of the latest 1072 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1073 * clear the association overall error count as well (as defined 1074 * in section 8.1). 1075 * 1076 * The receiver of the HEARTBEAT ACK should also perform an RTT 1077 * measurement for that destination transport address using the time 1078 * value carried in the HEARTBEAT ACK chunk. 1079 * 1080 * Verification Tag: 8.5 Verification Tag [Normal verification] 1081 * 1082 * Inputs 1083 * (endpoint, asoc, chunk) 1084 * 1085 * Outputs 1086 * (asoc, reply_msg, msg_up, timers, counters) 1087 * 1088 * The return value is the disposition of the chunk. 1089 */ 1090 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1091 const struct sctp_association *asoc, 1092 const sctp_subtype_t type, 1093 void *arg, 1094 sctp_cmd_seq_t *commands) 1095 { 1096 struct sctp_chunk *chunk = arg; 1097 union sctp_addr from_addr; 1098 struct sctp_transport *link; 1099 sctp_sender_hb_info_t *hbinfo; 1100 unsigned long max_interval; 1101 1102 if (!sctp_vtag_verify(chunk, asoc)) 1103 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1104 1105 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1106 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1107 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1108 commands); 1109 1110 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1111 /* Make sure that the length of the parameter is what we expect */ 1112 if (ntohs(hbinfo->param_hdr.length) != 1113 sizeof(sctp_sender_hb_info_t)) { 1114 return SCTP_DISPOSITION_DISCARD; 1115 } 1116 1117 from_addr = hbinfo->daddr; 1118 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1119 1120 /* This should never happen, but lets log it if so. */ 1121 if (unlikely(!link)) { 1122 if (from_addr.sa.sa_family == AF_INET6) { 1123 if (net_ratelimit()) 1124 printk(KERN_WARNING 1125 "%s association %p could not find address " 1126 NIP6_FMT "\n", 1127 __FUNCTION__, 1128 asoc, 1129 NIP6(from_addr.v6.sin6_addr)); 1130 } else { 1131 if (net_ratelimit()) 1132 printk(KERN_WARNING 1133 "%s association %p could not find address " 1134 NIPQUAD_FMT "\n", 1135 __FUNCTION__, 1136 asoc, 1137 NIPQUAD(from_addr.v4.sin_addr.s_addr)); 1138 } 1139 return SCTP_DISPOSITION_DISCARD; 1140 } 1141 1142 /* Validate the 64-bit random nonce. */ 1143 if (hbinfo->hb_nonce != link->hb_nonce) 1144 return SCTP_DISPOSITION_DISCARD; 1145 1146 max_interval = link->hbinterval + link->rto; 1147 1148 /* Check if the timestamp looks valid. */ 1149 if (time_after(hbinfo->sent_at, jiffies) || 1150 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1151 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp " 1152 "received for transport: %p\n", 1153 __FUNCTION__, link); 1154 return SCTP_DISPOSITION_DISCARD; 1155 } 1156 1157 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1158 * the HEARTBEAT should clear the error counter of the 1159 * destination transport address to which the HEARTBEAT was 1160 * sent and mark the destination transport address as active if 1161 * it is not so marked. 1162 */ 1163 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1164 1165 return SCTP_DISPOSITION_CONSUME; 1166 } 1167 1168 /* Helper function to send out an abort for the restart 1169 * condition. 1170 */ 1171 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1172 struct sctp_chunk *init, 1173 sctp_cmd_seq_t *commands) 1174 { 1175 int len; 1176 struct sctp_packet *pkt; 1177 union sctp_addr_param *addrparm; 1178 struct sctp_errhdr *errhdr; 1179 struct sctp_endpoint *ep; 1180 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1181 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1182 1183 /* Build the error on the stack. We are way to malloc crazy 1184 * throughout the code today. 1185 */ 1186 errhdr = (struct sctp_errhdr *)buffer; 1187 addrparm = (union sctp_addr_param *)errhdr->variable; 1188 1189 /* Copy into a parm format. */ 1190 len = af->to_addr_param(ssa, addrparm); 1191 len += sizeof(sctp_errhdr_t); 1192 1193 errhdr->cause = SCTP_ERROR_RESTART; 1194 errhdr->length = htons(len); 1195 1196 /* Assign to the control socket. */ 1197 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1198 1199 /* Association is NULL since this may be a restart attack and we 1200 * want to send back the attacker's vtag. 1201 */ 1202 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1203 1204 if (!pkt) 1205 goto out; 1206 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1207 1208 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1209 1210 /* Discard the rest of the inbound packet. */ 1211 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1212 1213 out: 1214 /* Even if there is no memory, treat as a failure so 1215 * the packet will get dropped. 1216 */ 1217 return 0; 1218 } 1219 1220 /* A restart is occurring, check to make sure no new addresses 1221 * are being added as we may be under a takeover attack. 1222 */ 1223 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1224 const struct sctp_association *asoc, 1225 struct sctp_chunk *init, 1226 sctp_cmd_seq_t *commands) 1227 { 1228 struct sctp_transport *new_addr, *addr; 1229 struct list_head *pos, *pos2; 1230 int found; 1231 1232 /* Implementor's Guide - Sectin 5.2.2 1233 * ... 1234 * Before responding the endpoint MUST check to see if the 1235 * unexpected INIT adds new addresses to the association. If new 1236 * addresses are added to the association, the endpoint MUST respond 1237 * with an ABORT.. 1238 */ 1239 1240 /* Search through all current addresses and make sure 1241 * we aren't adding any new ones. 1242 */ 1243 new_addr = NULL; 1244 found = 0; 1245 1246 list_for_each(pos, &new_asoc->peer.transport_addr_list) { 1247 new_addr = list_entry(pos, struct sctp_transport, transports); 1248 found = 0; 1249 list_for_each(pos2, &asoc->peer.transport_addr_list) { 1250 addr = list_entry(pos2, struct sctp_transport, 1251 transports); 1252 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1253 &addr->ipaddr)) { 1254 found = 1; 1255 break; 1256 } 1257 } 1258 if (!found) 1259 break; 1260 } 1261 1262 /* If a new address was added, ABORT the sender. */ 1263 if (!found && new_addr) { 1264 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1265 } 1266 1267 /* Return success if all addresses were found. */ 1268 return found; 1269 } 1270 1271 /* Populate the verification/tie tags based on overlapping INIT 1272 * scenario. 1273 * 1274 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1275 */ 1276 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1277 const struct sctp_association *asoc) 1278 { 1279 switch (asoc->state) { 1280 1281 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1282 1283 case SCTP_STATE_COOKIE_WAIT: 1284 new_asoc->c.my_vtag = asoc->c.my_vtag; 1285 new_asoc->c.my_ttag = asoc->c.my_vtag; 1286 new_asoc->c.peer_ttag = 0; 1287 break; 1288 1289 case SCTP_STATE_COOKIE_ECHOED: 1290 new_asoc->c.my_vtag = asoc->c.my_vtag; 1291 new_asoc->c.my_ttag = asoc->c.my_vtag; 1292 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1293 break; 1294 1295 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1296 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1297 */ 1298 default: 1299 new_asoc->c.my_ttag = asoc->c.my_vtag; 1300 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1301 break; 1302 } 1303 1304 /* Other parameters for the endpoint SHOULD be copied from the 1305 * existing parameters of the association (e.g. number of 1306 * outbound streams) into the INIT ACK and cookie. 1307 */ 1308 new_asoc->rwnd = asoc->rwnd; 1309 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1310 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1311 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1312 } 1313 1314 /* 1315 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1316 * handling action. 1317 * 1318 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1319 * 1320 * Returns value representing action to be taken. These action values 1321 * correspond to Action/Description values in RFC 2960, Table 2. 1322 */ 1323 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1324 const struct sctp_association *asoc) 1325 { 1326 /* In this case, the peer may have restarted. */ 1327 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1328 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1329 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1330 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1331 return 'A'; 1332 1333 /* Collision case B. */ 1334 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1335 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1336 (0 == asoc->c.peer_vtag))) { 1337 return 'B'; 1338 } 1339 1340 /* Collision case D. */ 1341 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1342 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1343 return 'D'; 1344 1345 /* Collision case C. */ 1346 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1347 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1348 (0 == new_asoc->c.my_ttag) && 1349 (0 == new_asoc->c.peer_ttag)) 1350 return 'C'; 1351 1352 /* No match to any of the special cases; discard this packet. */ 1353 return 'E'; 1354 } 1355 1356 /* Common helper routine for both duplicate and simulataneous INIT 1357 * chunk handling. 1358 */ 1359 static sctp_disposition_t sctp_sf_do_unexpected_init( 1360 const struct sctp_endpoint *ep, 1361 const struct sctp_association *asoc, 1362 const sctp_subtype_t type, 1363 void *arg, sctp_cmd_seq_t *commands) 1364 { 1365 sctp_disposition_t retval; 1366 struct sctp_chunk *chunk = arg; 1367 struct sctp_chunk *repl; 1368 struct sctp_association *new_asoc; 1369 struct sctp_chunk *err_chunk; 1370 struct sctp_packet *packet; 1371 sctp_unrecognized_param_t *unk_param; 1372 int len; 1373 1374 /* 6.10 Bundling 1375 * An endpoint MUST NOT bundle INIT, INIT ACK or 1376 * SHUTDOWN COMPLETE with any other chunks. 1377 * 1378 * IG Section 2.11.2 1379 * Furthermore, we require that the receiver of an INIT chunk MUST 1380 * enforce these rules by silently discarding an arriving packet 1381 * with an INIT chunk that is bundled with other chunks. 1382 */ 1383 if (!chunk->singleton) 1384 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1385 1386 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1387 * Tag. 1388 */ 1389 if (chunk->sctp_hdr->vtag != 0) 1390 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1391 1392 /* Make sure that the INIT chunk has a valid length. 1393 * In this case, we generate a protocol violation since we have 1394 * an association established. 1395 */ 1396 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1397 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1398 commands); 1399 /* Grab the INIT header. */ 1400 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1401 1402 /* Tag the variable length parameters. */ 1403 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1404 1405 /* Verify the INIT chunk before processing it. */ 1406 err_chunk = NULL; 1407 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1408 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1409 &err_chunk)) { 1410 /* This chunk contains fatal error. It is to be discarded. 1411 * Send an ABORT, with causes if there is any. 1412 */ 1413 if (err_chunk) { 1414 packet = sctp_abort_pkt_new(ep, asoc, arg, 1415 (__u8 *)(err_chunk->chunk_hdr) + 1416 sizeof(sctp_chunkhdr_t), 1417 ntohs(err_chunk->chunk_hdr->length) - 1418 sizeof(sctp_chunkhdr_t)); 1419 1420 if (packet) { 1421 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1422 SCTP_PACKET(packet)); 1423 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1424 retval = SCTP_DISPOSITION_CONSUME; 1425 } else { 1426 retval = SCTP_DISPOSITION_NOMEM; 1427 } 1428 goto cleanup; 1429 } else { 1430 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1431 commands); 1432 } 1433 } 1434 1435 /* 1436 * Other parameters for the endpoint SHOULD be copied from the 1437 * existing parameters of the association (e.g. number of 1438 * outbound streams) into the INIT ACK and cookie. 1439 * FIXME: We are copying parameters from the endpoint not the 1440 * association. 1441 */ 1442 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1443 if (!new_asoc) 1444 goto nomem; 1445 1446 /* In the outbound INIT ACK the endpoint MUST copy its current 1447 * Verification Tag and Peers Verification tag into a reserved 1448 * place (local tie-tag and per tie-tag) within the state cookie. 1449 */ 1450 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1451 sctp_source(chunk), 1452 (sctp_init_chunk_t *)chunk->chunk_hdr, 1453 GFP_ATOMIC)) 1454 goto nomem; 1455 1456 /* Make sure no new addresses are being added during the 1457 * restart. Do not do this check for COOKIE-WAIT state, 1458 * since there are no peer addresses to check against. 1459 * Upon return an ABORT will have been sent if needed. 1460 */ 1461 if (!sctp_state(asoc, COOKIE_WAIT)) { 1462 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1463 commands)) { 1464 retval = SCTP_DISPOSITION_CONSUME; 1465 goto nomem_retval; 1466 } 1467 } 1468 1469 sctp_tietags_populate(new_asoc, asoc); 1470 1471 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1472 1473 /* If there are errors need to be reported for unknown parameters, 1474 * make sure to reserve enough room in the INIT ACK for them. 1475 */ 1476 len = 0; 1477 if (err_chunk) { 1478 len = ntohs(err_chunk->chunk_hdr->length) - 1479 sizeof(sctp_chunkhdr_t); 1480 } 1481 1482 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1483 goto nomem; 1484 1485 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1486 if (!repl) 1487 goto nomem; 1488 1489 /* If there are errors need to be reported for unknown parameters, 1490 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1491 * parameter. 1492 */ 1493 if (err_chunk) { 1494 /* Get the "Unrecognized parameter" parameter(s) out of the 1495 * ERROR chunk generated by sctp_verify_init(). Since the 1496 * error cause code for "unknown parameter" and the 1497 * "Unrecognized parameter" type is the same, we can 1498 * construct the parameters in INIT ACK by copying the 1499 * ERROR causes over. 1500 */ 1501 unk_param = (sctp_unrecognized_param_t *) 1502 ((__u8 *)(err_chunk->chunk_hdr) + 1503 sizeof(sctp_chunkhdr_t)); 1504 /* Replace the cause code with the "Unrecognized parameter" 1505 * parameter type. 1506 */ 1507 sctp_addto_chunk(repl, len, unk_param); 1508 } 1509 1510 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1511 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1512 1513 /* 1514 * Note: After sending out INIT ACK with the State Cookie parameter, 1515 * "Z" MUST NOT allocate any resources for this new association. 1516 * Otherwise, "Z" will be vulnerable to resource attacks. 1517 */ 1518 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1519 retval = SCTP_DISPOSITION_CONSUME; 1520 1521 return retval; 1522 1523 nomem: 1524 retval = SCTP_DISPOSITION_NOMEM; 1525 nomem_retval: 1526 if (new_asoc) 1527 sctp_association_free(new_asoc); 1528 cleanup: 1529 if (err_chunk) 1530 sctp_chunk_free(err_chunk); 1531 return retval; 1532 } 1533 1534 /* 1535 * Handle simultanous INIT. 1536 * This means we started an INIT and then we got an INIT request from 1537 * our peer. 1538 * 1539 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1540 * This usually indicates an initialization collision, i.e., each 1541 * endpoint is attempting, at about the same time, to establish an 1542 * association with the other endpoint. 1543 * 1544 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1545 * endpoint MUST respond with an INIT ACK using the same parameters it 1546 * sent in its original INIT chunk (including its Verification Tag, 1547 * unchanged). These original parameters are combined with those from the 1548 * newly received INIT chunk. The endpoint shall also generate a State 1549 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1550 * INIT to calculate the State Cookie. 1551 * 1552 * After that, the endpoint MUST NOT change its state, the T1-init 1553 * timer shall be left running and the corresponding TCB MUST NOT be 1554 * destroyed. The normal procedures for handling State Cookies when 1555 * a TCB exists will resolve the duplicate INITs to a single association. 1556 * 1557 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1558 * its Tie-Tags with the Tag information of itself and its peer (see 1559 * section 5.2.2 for a description of the Tie-Tags). 1560 * 1561 * Verification Tag: Not explicit, but an INIT can not have a valid 1562 * verification tag, so we skip the check. 1563 * 1564 * Inputs 1565 * (endpoint, asoc, chunk) 1566 * 1567 * Outputs 1568 * (asoc, reply_msg, msg_up, timers, counters) 1569 * 1570 * The return value is the disposition of the chunk. 1571 */ 1572 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1573 const struct sctp_association *asoc, 1574 const sctp_subtype_t type, 1575 void *arg, 1576 sctp_cmd_seq_t *commands) 1577 { 1578 /* Call helper to do the real work for both simulataneous and 1579 * duplicate INIT chunk handling. 1580 */ 1581 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1582 } 1583 1584 /* 1585 * Handle duplicated INIT messages. These are usually delayed 1586 * restransmissions. 1587 * 1588 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1589 * COOKIE-ECHOED and COOKIE-WAIT 1590 * 1591 * Unless otherwise stated, upon reception of an unexpected INIT for 1592 * this association, the endpoint shall generate an INIT ACK with a 1593 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1594 * current Verification Tag and peer's Verification Tag into a reserved 1595 * place within the state cookie. We shall refer to these locations as 1596 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1597 * containing this INIT ACK MUST carry a Verification Tag value equal to 1598 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1599 * MUST contain a new Initiation Tag (randomly generated see Section 1600 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1601 * existing parameters of the association (e.g. number of outbound 1602 * streams) into the INIT ACK and cookie. 1603 * 1604 * After sending out the INIT ACK, the endpoint shall take no further 1605 * actions, i.e., the existing association, including its current state, 1606 * and the corresponding TCB MUST NOT be changed. 1607 * 1608 * Note: Only when a TCB exists and the association is not in a COOKIE- 1609 * WAIT state are the Tie-Tags populated. For a normal association INIT 1610 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1611 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1612 * State Cookie are populated as specified in section 5.2.1. 1613 * 1614 * Verification Tag: Not specified, but an INIT has no way of knowing 1615 * what the verification tag could be, so we ignore it. 1616 * 1617 * Inputs 1618 * (endpoint, asoc, chunk) 1619 * 1620 * Outputs 1621 * (asoc, reply_msg, msg_up, timers, counters) 1622 * 1623 * The return value is the disposition of the chunk. 1624 */ 1625 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1626 const struct sctp_association *asoc, 1627 const sctp_subtype_t type, 1628 void *arg, 1629 sctp_cmd_seq_t *commands) 1630 { 1631 /* Call helper to do the real work for both simulataneous and 1632 * duplicate INIT chunk handling. 1633 */ 1634 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1635 } 1636 1637 1638 /* 1639 * Unexpected INIT-ACK handler. 1640 * 1641 * Section 5.2.3 1642 * If an INIT ACK received by an endpoint in any state other than the 1643 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1644 * An unexpected INIT ACK usually indicates the processing of an old or 1645 * duplicated INIT chunk. 1646 */ 1647 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1648 const struct sctp_association *asoc, 1649 const sctp_subtype_t type, 1650 void *arg, sctp_cmd_seq_t *commands) 1651 { 1652 /* Per the above section, we'll discard the chunk if we have an 1653 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1654 */ 1655 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1656 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1657 else 1658 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1659 } 1660 1661 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1662 * 1663 * Section 5.2.4 1664 * A) In this case, the peer may have restarted. 1665 */ 1666 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1667 const struct sctp_association *asoc, 1668 struct sctp_chunk *chunk, 1669 sctp_cmd_seq_t *commands, 1670 struct sctp_association *new_asoc) 1671 { 1672 sctp_init_chunk_t *peer_init; 1673 struct sctp_ulpevent *ev; 1674 struct sctp_chunk *repl; 1675 struct sctp_chunk *err; 1676 sctp_disposition_t disposition; 1677 1678 /* new_asoc is a brand-new association, so these are not yet 1679 * side effects--it is safe to run them here. 1680 */ 1681 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1682 1683 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1684 sctp_source(chunk), peer_init, 1685 GFP_ATOMIC)) 1686 goto nomem; 1687 1688 /* Make sure no new addresses are being added during the 1689 * restart. Though this is a pretty complicated attack 1690 * since you'd have to get inside the cookie. 1691 */ 1692 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1693 return SCTP_DISPOSITION_CONSUME; 1694 } 1695 1696 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1697 * the peer has restarted (Action A), it MUST NOT setup a new 1698 * association but instead resend the SHUTDOWN ACK and send an ERROR 1699 * chunk with a "Cookie Received while Shutting Down" error cause to 1700 * its peer. 1701 */ 1702 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1703 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1704 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1705 chunk, commands); 1706 if (SCTP_DISPOSITION_NOMEM == disposition) 1707 goto nomem; 1708 1709 err = sctp_make_op_error(asoc, chunk, 1710 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1711 NULL, 0); 1712 if (err) 1713 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1714 SCTP_CHUNK(err)); 1715 1716 return SCTP_DISPOSITION_CONSUME; 1717 } 1718 1719 /* For now, fail any unsent/unacked data. Consider the optional 1720 * choice of resending of this data. 1721 */ 1722 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1723 1724 repl = sctp_make_cookie_ack(new_asoc, chunk); 1725 if (!repl) 1726 goto nomem; 1727 1728 /* Report association restart to upper layer. */ 1729 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1730 new_asoc->c.sinit_num_ostreams, 1731 new_asoc->c.sinit_max_instreams, 1732 NULL, GFP_ATOMIC); 1733 if (!ev) 1734 goto nomem_ev; 1735 1736 /* Update the content of current association. */ 1737 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1738 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1739 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1740 return SCTP_DISPOSITION_CONSUME; 1741 1742 nomem_ev: 1743 sctp_chunk_free(repl); 1744 nomem: 1745 return SCTP_DISPOSITION_NOMEM; 1746 } 1747 1748 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1749 * 1750 * Section 5.2.4 1751 * B) In this case, both sides may be attempting to start an association 1752 * at about the same time but the peer endpoint started its INIT 1753 * after responding to the local endpoint's INIT 1754 */ 1755 /* This case represents an initialization collision. */ 1756 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1757 const struct sctp_association *asoc, 1758 struct sctp_chunk *chunk, 1759 sctp_cmd_seq_t *commands, 1760 struct sctp_association *new_asoc) 1761 { 1762 sctp_init_chunk_t *peer_init; 1763 struct sctp_chunk *repl; 1764 1765 /* new_asoc is a brand-new association, so these are not yet 1766 * side effects--it is safe to run them here. 1767 */ 1768 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1769 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1770 sctp_source(chunk), peer_init, 1771 GFP_ATOMIC)) 1772 goto nomem; 1773 1774 /* Update the content of current association. */ 1775 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1776 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1777 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1778 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1779 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1780 1781 repl = sctp_make_cookie_ack(new_asoc, chunk); 1782 if (!repl) 1783 goto nomem; 1784 1785 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1786 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1787 1788 /* RFC 2960 5.1 Normal Establishment of an Association 1789 * 1790 * D) IMPLEMENTATION NOTE: An implementation may choose to 1791 * send the Communication Up notification to the SCTP user 1792 * upon reception of a valid COOKIE ECHO chunk. 1793 * 1794 * Sadly, this needs to be implemented as a side-effect, because 1795 * we are not guaranteed to have set the association id of the real 1796 * association and so these notifications need to be delayed until 1797 * the association id is allocated. 1798 */ 1799 1800 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1801 1802 /* Sockets API Draft Section 5.3.1.6 1803 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1804 * delivers this notification to inform the application that of the 1805 * peers requested adaptation layer. 1806 * 1807 * This also needs to be done as a side effect for the same reason as 1808 * above. 1809 */ 1810 if (asoc->peer.adaptation_ind) 1811 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1812 1813 return SCTP_DISPOSITION_CONSUME; 1814 1815 nomem: 1816 return SCTP_DISPOSITION_NOMEM; 1817 } 1818 1819 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1820 * 1821 * Section 5.2.4 1822 * C) In this case, the local endpoint's cookie has arrived late. 1823 * Before it arrived, the local endpoint sent an INIT and received an 1824 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1825 * but a new tag of its own. 1826 */ 1827 /* This case represents an initialization collision. */ 1828 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1829 const struct sctp_association *asoc, 1830 struct sctp_chunk *chunk, 1831 sctp_cmd_seq_t *commands, 1832 struct sctp_association *new_asoc) 1833 { 1834 /* The cookie should be silently discarded. 1835 * The endpoint SHOULD NOT change states and should leave 1836 * any timers running. 1837 */ 1838 return SCTP_DISPOSITION_DISCARD; 1839 } 1840 1841 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1842 * 1843 * Section 5.2.4 1844 * 1845 * D) When both local and remote tags match the endpoint should always 1846 * enter the ESTABLISHED state, if it has not already done so. 1847 */ 1848 /* This case represents an initialization collision. */ 1849 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1850 const struct sctp_association *asoc, 1851 struct sctp_chunk *chunk, 1852 sctp_cmd_seq_t *commands, 1853 struct sctp_association *new_asoc) 1854 { 1855 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1856 struct sctp_chunk *repl; 1857 1858 /* Clarification from Implementor's Guide: 1859 * D) When both local and remote tags match the endpoint should 1860 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1861 * It should stop any cookie timer that may be running and send 1862 * a COOKIE ACK. 1863 */ 1864 1865 /* Don't accidentally move back into established state. */ 1866 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1867 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1868 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1869 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1870 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1871 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1872 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1873 SCTP_NULL()); 1874 1875 /* RFC 2960 5.1 Normal Establishment of an Association 1876 * 1877 * D) IMPLEMENTATION NOTE: An implementation may choose 1878 * to send the Communication Up notification to the 1879 * SCTP user upon reception of a valid COOKIE 1880 * ECHO chunk. 1881 */ 1882 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1883 SCTP_COMM_UP, 0, 1884 asoc->c.sinit_num_ostreams, 1885 asoc->c.sinit_max_instreams, 1886 NULL, GFP_ATOMIC); 1887 if (!ev) 1888 goto nomem; 1889 1890 /* Sockets API Draft Section 5.3.1.6 1891 * When a peer sends a Adaptation Layer Indication parameter, 1892 * SCTP delivers this notification to inform the application 1893 * that of the peers requested adaptation layer. 1894 */ 1895 if (asoc->peer.adaptation_ind) { 1896 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1897 GFP_ATOMIC); 1898 if (!ai_ev) 1899 goto nomem; 1900 1901 } 1902 } 1903 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1904 1905 repl = sctp_make_cookie_ack(new_asoc, chunk); 1906 if (!repl) 1907 goto nomem; 1908 1909 if (ev) 1910 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1911 SCTP_ULPEVENT(ev)); 1912 if (ai_ev) 1913 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1914 SCTP_ULPEVENT(ai_ev)); 1915 1916 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1917 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1918 1919 return SCTP_DISPOSITION_CONSUME; 1920 1921 nomem: 1922 if (ai_ev) 1923 sctp_ulpevent_free(ai_ev); 1924 if (ev) 1925 sctp_ulpevent_free(ev); 1926 return SCTP_DISPOSITION_NOMEM; 1927 } 1928 1929 /* 1930 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1931 * chunk was retransmitted and then delayed in the network. 1932 * 1933 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1934 * 1935 * Verification Tag: None. Do cookie validation. 1936 * 1937 * Inputs 1938 * (endpoint, asoc, chunk) 1939 * 1940 * Outputs 1941 * (asoc, reply_msg, msg_up, timers, counters) 1942 * 1943 * The return value is the disposition of the chunk. 1944 */ 1945 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1946 const struct sctp_association *asoc, 1947 const sctp_subtype_t type, 1948 void *arg, 1949 sctp_cmd_seq_t *commands) 1950 { 1951 sctp_disposition_t retval; 1952 struct sctp_chunk *chunk = arg; 1953 struct sctp_association *new_asoc; 1954 int error = 0; 1955 char action; 1956 struct sctp_chunk *err_chk_p; 1957 1958 /* Make sure that the chunk has a valid length from the protocol 1959 * perspective. In this case check to make sure we have at least 1960 * enough for the chunk header. Cookie length verification is 1961 * done later. 1962 */ 1963 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1964 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1965 commands); 1966 1967 /* "Decode" the chunk. We have no optional parameters so we 1968 * are in good shape. 1969 */ 1970 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1971 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1972 sizeof(sctp_chunkhdr_t))) 1973 goto nomem; 1974 1975 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1976 * of a duplicate COOKIE ECHO match the Verification Tags of the 1977 * current association, consider the State Cookie valid even if 1978 * the lifespan is exceeded. 1979 */ 1980 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1981 &err_chk_p); 1982 1983 /* FIXME: 1984 * If the re-build failed, what is the proper error path 1985 * from here? 1986 * 1987 * [We should abort the association. --piggy] 1988 */ 1989 if (!new_asoc) { 1990 /* FIXME: Several errors are possible. A bad cookie should 1991 * be silently discarded, but think about logging it too. 1992 */ 1993 switch (error) { 1994 case -SCTP_IERROR_NOMEM: 1995 goto nomem; 1996 1997 case -SCTP_IERROR_STALE_COOKIE: 1998 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1999 err_chk_p); 2000 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2001 case -SCTP_IERROR_BAD_SIG: 2002 default: 2003 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2004 } 2005 } 2006 2007 /* Compare the tie_tag in cookie with the verification tag of 2008 * current association. 2009 */ 2010 action = sctp_tietags_compare(new_asoc, asoc); 2011 2012 switch (action) { 2013 case 'A': /* Association restart. */ 2014 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 2015 new_asoc); 2016 break; 2017 2018 case 'B': /* Collision case B. */ 2019 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 2020 new_asoc); 2021 break; 2022 2023 case 'C': /* Collision case C. */ 2024 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 2025 new_asoc); 2026 break; 2027 2028 case 'D': /* Collision case D. */ 2029 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 2030 new_asoc); 2031 break; 2032 2033 default: /* Discard packet for all others. */ 2034 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2035 break; 2036 } 2037 2038 /* Delete the tempory new association. */ 2039 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 2040 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2041 2042 return retval; 2043 2044 nomem: 2045 return SCTP_DISPOSITION_NOMEM; 2046 } 2047 2048 /* 2049 * Process an ABORT. (SHUTDOWN-PENDING state) 2050 * 2051 * See sctp_sf_do_9_1_abort(). 2052 */ 2053 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2054 const struct sctp_endpoint *ep, 2055 const struct sctp_association *asoc, 2056 const sctp_subtype_t type, 2057 void *arg, 2058 sctp_cmd_seq_t *commands) 2059 { 2060 struct sctp_chunk *chunk = arg; 2061 2062 if (!sctp_vtag_verify_either(chunk, asoc)) 2063 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2064 2065 /* Make sure that the ABORT chunk has a valid length. 2066 * Since this is an ABORT chunk, we have to discard it 2067 * because of the following text: 2068 * RFC 2960, Section 3.3.7 2069 * If an endpoint receives an ABORT with a format error or for an 2070 * association that doesn't exist, it MUST silently discard it. 2071 * Becasue the length is "invalid", we can't really discard just 2072 * as we do not know its true length. So, to be safe, discard the 2073 * packet. 2074 */ 2075 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2076 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2077 2078 /* ADD-IP: Special case for ABORT chunks 2079 * F4) One special consideration is that ABORT Chunks arriving 2080 * destined to the IP address being deleted MUST be 2081 * ignored (see Section 5.3.1 for further details). 2082 */ 2083 if (SCTP_ADDR_DEL == 2084 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2085 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2086 2087 /* Stop the T5-shutdown guard timer. */ 2088 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2089 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2090 2091 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2092 } 2093 2094 /* 2095 * Process an ABORT. (SHUTDOWN-SENT state) 2096 * 2097 * See sctp_sf_do_9_1_abort(). 2098 */ 2099 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 2100 const struct sctp_association *asoc, 2101 const sctp_subtype_t type, 2102 void *arg, 2103 sctp_cmd_seq_t *commands) 2104 { 2105 struct sctp_chunk *chunk = arg; 2106 2107 if (!sctp_vtag_verify_either(chunk, asoc)) 2108 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2109 2110 /* Make sure that the ABORT chunk has a valid length. 2111 * Since this is an ABORT chunk, we have to discard it 2112 * because of the following text: 2113 * RFC 2960, Section 3.3.7 2114 * If an endpoint receives an ABORT with a format error or for an 2115 * association that doesn't exist, it MUST silently discard it. 2116 * Becasue the length is "invalid", we can't really discard just 2117 * as we do not know its true length. So, to be safe, discard the 2118 * packet. 2119 */ 2120 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2121 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2122 2123 /* ADD-IP: Special case for ABORT chunks 2124 * F4) One special consideration is that ABORT Chunks arriving 2125 * destined to the IP address being deleted MUST be 2126 * ignored (see Section 5.3.1 for further details). 2127 */ 2128 if (SCTP_ADDR_DEL == 2129 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2130 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2131 2132 /* Stop the T2-shutdown timer. */ 2133 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2134 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2135 2136 /* Stop the T5-shutdown guard timer. */ 2137 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2138 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2139 2140 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2141 } 2142 2143 /* 2144 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2145 * 2146 * See sctp_sf_do_9_1_abort(). 2147 */ 2148 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2149 const struct sctp_endpoint *ep, 2150 const struct sctp_association *asoc, 2151 const sctp_subtype_t type, 2152 void *arg, 2153 sctp_cmd_seq_t *commands) 2154 { 2155 /* The same T2 timer, so we should be able to use 2156 * common function with the SHUTDOWN-SENT state. 2157 */ 2158 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2159 } 2160 2161 /* 2162 * Handle an Error received in COOKIE_ECHOED state. 2163 * 2164 * Only handle the error type of stale COOKIE Error, the other errors will 2165 * be ignored. 2166 * 2167 * Inputs 2168 * (endpoint, asoc, chunk) 2169 * 2170 * Outputs 2171 * (asoc, reply_msg, msg_up, timers, counters) 2172 * 2173 * The return value is the disposition of the chunk. 2174 */ 2175 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2176 const struct sctp_association *asoc, 2177 const sctp_subtype_t type, 2178 void *arg, 2179 sctp_cmd_seq_t *commands) 2180 { 2181 struct sctp_chunk *chunk = arg; 2182 sctp_errhdr_t *err; 2183 2184 if (!sctp_vtag_verify(chunk, asoc)) 2185 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2186 2187 /* Make sure that the ERROR chunk has a valid length. 2188 * The parameter walking depends on this as well. 2189 */ 2190 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2191 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2192 commands); 2193 2194 /* Process the error here */ 2195 /* FUTURE FIXME: When PR-SCTP related and other optional 2196 * parms are emitted, this will have to change to handle multiple 2197 * errors. 2198 */ 2199 sctp_walk_errors(err, chunk->chunk_hdr) { 2200 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2201 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2202 arg, commands); 2203 } 2204 2205 /* It is possible to have malformed error causes, and that 2206 * will cause us to end the walk early. However, since 2207 * we are discarding the packet, there should be no adverse 2208 * affects. 2209 */ 2210 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2211 } 2212 2213 /* 2214 * Handle a Stale COOKIE Error 2215 * 2216 * Section: 5.2.6 Handle Stale COOKIE Error 2217 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2218 * one of the following three alternatives. 2219 * ... 2220 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2221 * Preservative parameter requesting an extension to the lifetime of 2222 * the State Cookie. When calculating the time extension, an 2223 * implementation SHOULD use the RTT information measured based on the 2224 * previous COOKIE ECHO / ERROR exchange, and should add no more 2225 * than 1 second beyond the measured RTT, due to long State Cookie 2226 * lifetimes making the endpoint more subject to a replay attack. 2227 * 2228 * Verification Tag: Not explicit, but safe to ignore. 2229 * 2230 * Inputs 2231 * (endpoint, asoc, chunk) 2232 * 2233 * Outputs 2234 * (asoc, reply_msg, msg_up, timers, counters) 2235 * 2236 * The return value is the disposition of the chunk. 2237 */ 2238 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2239 const struct sctp_association *asoc, 2240 const sctp_subtype_t type, 2241 void *arg, 2242 sctp_cmd_seq_t *commands) 2243 { 2244 struct sctp_chunk *chunk = arg; 2245 time_t stale; 2246 sctp_cookie_preserve_param_t bht; 2247 sctp_errhdr_t *err; 2248 struct sctp_chunk *reply; 2249 struct sctp_bind_addr *bp; 2250 int attempts = asoc->init_err_counter + 1; 2251 2252 if (attempts > asoc->max_init_attempts) { 2253 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2254 SCTP_ERROR(ETIMEDOUT)); 2255 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2256 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2257 return SCTP_DISPOSITION_DELETE_TCB; 2258 } 2259 2260 err = (sctp_errhdr_t *)(chunk->skb->data); 2261 2262 /* When calculating the time extension, an implementation 2263 * SHOULD use the RTT information measured based on the 2264 * previous COOKIE ECHO / ERROR exchange, and should add no 2265 * more than 1 second beyond the measured RTT, due to long 2266 * State Cookie lifetimes making the endpoint more subject to 2267 * a replay attack. 2268 * Measure of Staleness's unit is usec. (1/1000000 sec) 2269 * Suggested Cookie Life-span Increment's unit is msec. 2270 * (1/1000 sec) 2271 * In general, if you use the suggested cookie life, the value 2272 * found in the field of measure of staleness should be doubled 2273 * to give ample time to retransmit the new cookie and thus 2274 * yield a higher probability of success on the reattempt. 2275 */ 2276 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2277 stale = (stale * 2) / 1000; 2278 2279 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2280 bht.param_hdr.length = htons(sizeof(bht)); 2281 bht.lifespan_increment = htonl(stale); 2282 2283 /* Build that new INIT chunk. */ 2284 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2285 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2286 if (!reply) 2287 goto nomem; 2288 2289 sctp_addto_chunk(reply, sizeof(bht), &bht); 2290 2291 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2292 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2293 2294 /* Stop pending T3-rtx and heartbeat timers */ 2295 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2296 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2297 2298 /* Delete non-primary peer ip addresses since we are transitioning 2299 * back to the COOKIE-WAIT state 2300 */ 2301 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2302 2303 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2304 * resend 2305 */ 2306 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2307 SCTP_TRANSPORT(asoc->peer.primary_path)); 2308 2309 /* Cast away the const modifier, as we want to just 2310 * rerun it through as a sideffect. 2311 */ 2312 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2313 2314 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2315 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2316 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2317 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2318 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2319 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2320 2321 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2322 2323 return SCTP_DISPOSITION_CONSUME; 2324 2325 nomem: 2326 return SCTP_DISPOSITION_NOMEM; 2327 } 2328 2329 /* 2330 * Process an ABORT. 2331 * 2332 * Section: 9.1 2333 * After checking the Verification Tag, the receiving endpoint shall 2334 * remove the association from its record, and shall report the 2335 * termination to its upper layer. 2336 * 2337 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2338 * B) Rules for packet carrying ABORT: 2339 * 2340 * - The endpoint shall always fill in the Verification Tag field of the 2341 * outbound packet with the destination endpoint's tag value if it 2342 * is known. 2343 * 2344 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2345 * MUST follow the procedure described in Section 8.4. 2346 * 2347 * - The receiver MUST accept the packet if the Verification Tag 2348 * matches either its own tag, OR the tag of its peer. Otherwise, the 2349 * receiver MUST silently discard the packet and take no further 2350 * action. 2351 * 2352 * Inputs 2353 * (endpoint, asoc, chunk) 2354 * 2355 * Outputs 2356 * (asoc, reply_msg, msg_up, timers, counters) 2357 * 2358 * The return value is the disposition of the chunk. 2359 */ 2360 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2361 const struct sctp_association *asoc, 2362 const sctp_subtype_t type, 2363 void *arg, 2364 sctp_cmd_seq_t *commands) 2365 { 2366 struct sctp_chunk *chunk = arg; 2367 2368 if (!sctp_vtag_verify_either(chunk, asoc)) 2369 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2370 2371 /* Make sure that the ABORT chunk has a valid length. 2372 * Since this is an ABORT chunk, we have to discard it 2373 * because of the following text: 2374 * RFC 2960, Section 3.3.7 2375 * If an endpoint receives an ABORT with a format error or for an 2376 * association that doesn't exist, it MUST silently discard it. 2377 * Becasue the length is "invalid", we can't really discard just 2378 * as we do not know its true length. So, to be safe, discard the 2379 * packet. 2380 */ 2381 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2382 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2383 2384 /* ADD-IP: Special case for ABORT chunks 2385 * F4) One special consideration is that ABORT Chunks arriving 2386 * destined to the IP address being deleted MUST be 2387 * ignored (see Section 5.3.1 for further details). 2388 */ 2389 if (SCTP_ADDR_DEL == 2390 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2391 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2392 2393 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2394 } 2395 2396 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2397 const struct sctp_association *asoc, 2398 const sctp_subtype_t type, 2399 void *arg, 2400 sctp_cmd_seq_t *commands) 2401 { 2402 struct sctp_chunk *chunk = arg; 2403 unsigned len; 2404 __be16 error = SCTP_ERROR_NO_ERROR; 2405 2406 /* See if we have an error cause code in the chunk. */ 2407 len = ntohs(chunk->chunk_hdr->length); 2408 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2409 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2410 2411 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2412 /* ASSOC_FAILED will DELETE_TCB. */ 2413 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2414 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2415 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2416 2417 return SCTP_DISPOSITION_ABORT; 2418 } 2419 2420 /* 2421 * Process an ABORT. (COOKIE-WAIT state) 2422 * 2423 * See sctp_sf_do_9_1_abort() above. 2424 */ 2425 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2426 const struct sctp_association *asoc, 2427 const sctp_subtype_t type, 2428 void *arg, 2429 sctp_cmd_seq_t *commands) 2430 { 2431 struct sctp_chunk *chunk = arg; 2432 unsigned len; 2433 __be16 error = SCTP_ERROR_NO_ERROR; 2434 2435 if (!sctp_vtag_verify_either(chunk, asoc)) 2436 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2437 2438 /* Make sure that the ABORT chunk has a valid length. 2439 * Since this is an ABORT chunk, we have to discard it 2440 * because of the following text: 2441 * RFC 2960, Section 3.3.7 2442 * If an endpoint receives an ABORT with a format error or for an 2443 * association that doesn't exist, it MUST silently discard it. 2444 * Becasue the length is "invalid", we can't really discard just 2445 * as we do not know its true length. So, to be safe, discard the 2446 * packet. 2447 */ 2448 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2449 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2450 2451 /* See if we have an error cause code in the chunk. */ 2452 len = ntohs(chunk->chunk_hdr->length); 2453 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2454 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2455 2456 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2457 chunk->transport); 2458 } 2459 2460 /* 2461 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2462 */ 2463 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2464 const struct sctp_association *asoc, 2465 const sctp_subtype_t type, 2466 void *arg, 2467 sctp_cmd_seq_t *commands) 2468 { 2469 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2470 ENOPROTOOPT, asoc, 2471 (struct sctp_transport *)arg); 2472 } 2473 2474 /* 2475 * Process an ABORT. (COOKIE-ECHOED state) 2476 */ 2477 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2478 const struct sctp_association *asoc, 2479 const sctp_subtype_t type, 2480 void *arg, 2481 sctp_cmd_seq_t *commands) 2482 { 2483 /* There is a single T1 timer, so we should be able to use 2484 * common function with the COOKIE-WAIT state. 2485 */ 2486 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2487 } 2488 2489 /* 2490 * Stop T1 timer and abort association with "INIT failed". 2491 * 2492 * This is common code called by several sctp_sf_*_abort() functions above. 2493 */ 2494 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2495 __be16 error, int sk_err, 2496 const struct sctp_association *asoc, 2497 struct sctp_transport *transport) 2498 { 2499 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2500 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2501 SCTP_STATE(SCTP_STATE_CLOSED)); 2502 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2503 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2504 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2505 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2506 /* CMD_INIT_FAILED will DELETE_TCB. */ 2507 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2508 SCTP_PERR(error)); 2509 return SCTP_DISPOSITION_ABORT; 2510 } 2511 2512 /* 2513 * sctp_sf_do_9_2_shut 2514 * 2515 * Section: 9.2 2516 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2517 * - enter the SHUTDOWN-RECEIVED state, 2518 * 2519 * - stop accepting new data from its SCTP user 2520 * 2521 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2522 * that all its outstanding DATA chunks have been received by the 2523 * SHUTDOWN sender. 2524 * 2525 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2526 * send a SHUTDOWN in response to a ULP request. And should discard 2527 * subsequent SHUTDOWN chunks. 2528 * 2529 * If there are still outstanding DATA chunks left, the SHUTDOWN 2530 * receiver shall continue to follow normal data transmission 2531 * procedures defined in Section 6 until all outstanding DATA chunks 2532 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2533 * new data from its SCTP user. 2534 * 2535 * Verification Tag: 8.5 Verification Tag [Normal verification] 2536 * 2537 * Inputs 2538 * (endpoint, asoc, chunk) 2539 * 2540 * Outputs 2541 * (asoc, reply_msg, msg_up, timers, counters) 2542 * 2543 * The return value is the disposition of the chunk. 2544 */ 2545 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2546 const struct sctp_association *asoc, 2547 const sctp_subtype_t type, 2548 void *arg, 2549 sctp_cmd_seq_t *commands) 2550 { 2551 struct sctp_chunk *chunk = arg; 2552 sctp_shutdownhdr_t *sdh; 2553 sctp_disposition_t disposition; 2554 struct sctp_ulpevent *ev; 2555 2556 if (!sctp_vtag_verify(chunk, asoc)) 2557 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2558 2559 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2560 if (!sctp_chunk_length_valid(chunk, 2561 sizeof(struct sctp_shutdown_chunk_t))) 2562 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2563 commands); 2564 2565 /* Convert the elaborate header. */ 2566 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2567 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2568 chunk->subh.shutdown_hdr = sdh; 2569 2570 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2571 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2572 * inform the application that it should cease sending data. 2573 */ 2574 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2575 if (!ev) { 2576 disposition = SCTP_DISPOSITION_NOMEM; 2577 goto out; 2578 } 2579 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2580 2581 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2582 * - enter the SHUTDOWN-RECEIVED state, 2583 * - stop accepting new data from its SCTP user 2584 * 2585 * [This is implicit in the new state.] 2586 */ 2587 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2588 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2589 disposition = SCTP_DISPOSITION_CONSUME; 2590 2591 if (sctp_outq_is_empty(&asoc->outqueue)) { 2592 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2593 arg, commands); 2594 } 2595 2596 if (SCTP_DISPOSITION_NOMEM == disposition) 2597 goto out; 2598 2599 /* - verify, by checking the Cumulative TSN Ack field of the 2600 * chunk, that all its outstanding DATA chunks have been 2601 * received by the SHUTDOWN sender. 2602 */ 2603 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2604 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2605 2606 out: 2607 return disposition; 2608 } 2609 2610 /* RFC 2960 9.2 2611 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2612 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2613 * transport addresses (either in the IP addresses or in the INIT chunk) 2614 * that belong to this association, it should discard the INIT chunk and 2615 * retransmit the SHUTDOWN ACK chunk. 2616 */ 2617 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2618 const struct sctp_association *asoc, 2619 const sctp_subtype_t type, 2620 void *arg, 2621 sctp_cmd_seq_t *commands) 2622 { 2623 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2624 struct sctp_chunk *reply; 2625 2626 /* Make sure that the chunk has a valid length */ 2627 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2628 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2629 commands); 2630 2631 /* Since we are not going to really process this INIT, there 2632 * is no point in verifying chunk boundries. Just generate 2633 * the SHUTDOWN ACK. 2634 */ 2635 reply = sctp_make_shutdown_ack(asoc, chunk); 2636 if (NULL == reply) 2637 goto nomem; 2638 2639 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2640 * the T2-SHUTDOWN timer. 2641 */ 2642 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2643 2644 /* and restart the T2-shutdown timer. */ 2645 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2646 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2647 2648 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2649 2650 return SCTP_DISPOSITION_CONSUME; 2651 nomem: 2652 return SCTP_DISPOSITION_NOMEM; 2653 } 2654 2655 /* 2656 * sctp_sf_do_ecn_cwr 2657 * 2658 * Section: Appendix A: Explicit Congestion Notification 2659 * 2660 * CWR: 2661 * 2662 * RFC 2481 details a specific bit for a sender to send in the header of 2663 * its next outbound TCP segment to indicate to its peer that it has 2664 * reduced its congestion window. This is termed the CWR bit. For 2665 * SCTP the same indication is made by including the CWR chunk. 2666 * This chunk contains one data element, i.e. the TSN number that 2667 * was sent in the ECNE chunk. This element represents the lowest 2668 * TSN number in the datagram that was originally marked with the 2669 * CE bit. 2670 * 2671 * Verification Tag: 8.5 Verification Tag [Normal verification] 2672 * Inputs 2673 * (endpoint, asoc, chunk) 2674 * 2675 * Outputs 2676 * (asoc, reply_msg, msg_up, timers, counters) 2677 * 2678 * The return value is the disposition of the chunk. 2679 */ 2680 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2681 const struct sctp_association *asoc, 2682 const sctp_subtype_t type, 2683 void *arg, 2684 sctp_cmd_seq_t *commands) 2685 { 2686 sctp_cwrhdr_t *cwr; 2687 struct sctp_chunk *chunk = arg; 2688 u32 lowest_tsn; 2689 2690 if (!sctp_vtag_verify(chunk, asoc)) 2691 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2692 2693 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2694 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2695 commands); 2696 2697 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2698 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2699 2700 lowest_tsn = ntohl(cwr->lowest_tsn); 2701 2702 /* Does this CWR ack the last sent congestion notification? */ 2703 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2704 /* Stop sending ECNE. */ 2705 sctp_add_cmd_sf(commands, 2706 SCTP_CMD_ECN_CWR, 2707 SCTP_U32(lowest_tsn)); 2708 } 2709 return SCTP_DISPOSITION_CONSUME; 2710 } 2711 2712 /* 2713 * sctp_sf_do_ecne 2714 * 2715 * Section: Appendix A: Explicit Congestion Notification 2716 * 2717 * ECN-Echo 2718 * 2719 * RFC 2481 details a specific bit for a receiver to send back in its 2720 * TCP acknowledgements to notify the sender of the Congestion 2721 * Experienced (CE) bit having arrived from the network. For SCTP this 2722 * same indication is made by including the ECNE chunk. This chunk 2723 * contains one data element, i.e. the lowest TSN associated with the IP 2724 * datagram marked with the CE bit..... 2725 * 2726 * Verification Tag: 8.5 Verification Tag [Normal verification] 2727 * Inputs 2728 * (endpoint, asoc, chunk) 2729 * 2730 * Outputs 2731 * (asoc, reply_msg, msg_up, timers, counters) 2732 * 2733 * The return value is the disposition of the chunk. 2734 */ 2735 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2736 const struct sctp_association *asoc, 2737 const sctp_subtype_t type, 2738 void *arg, 2739 sctp_cmd_seq_t *commands) 2740 { 2741 sctp_ecnehdr_t *ecne; 2742 struct sctp_chunk *chunk = arg; 2743 2744 if (!sctp_vtag_verify(chunk, asoc)) 2745 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2746 2747 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2748 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2749 commands); 2750 2751 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2752 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2753 2754 /* If this is a newer ECNE than the last CWR packet we sent out */ 2755 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2756 SCTP_U32(ntohl(ecne->lowest_tsn))); 2757 2758 return SCTP_DISPOSITION_CONSUME; 2759 } 2760 2761 /* 2762 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2763 * 2764 * The SCTP endpoint MUST always acknowledge the reception of each valid 2765 * DATA chunk. 2766 * 2767 * The guidelines on delayed acknowledgement algorithm specified in 2768 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2769 * acknowledgement SHOULD be generated for at least every second packet 2770 * (not every second DATA chunk) received, and SHOULD be generated within 2771 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2772 * situations it may be beneficial for an SCTP transmitter to be more 2773 * conservative than the algorithms detailed in this document allow. 2774 * However, an SCTP transmitter MUST NOT be more aggressive than the 2775 * following algorithms allow. 2776 * 2777 * A SCTP receiver MUST NOT generate more than one SACK for every 2778 * incoming packet, other than to update the offered window as the 2779 * receiving application consumes new data. 2780 * 2781 * Verification Tag: 8.5 Verification Tag [Normal verification] 2782 * 2783 * Inputs 2784 * (endpoint, asoc, chunk) 2785 * 2786 * Outputs 2787 * (asoc, reply_msg, msg_up, timers, counters) 2788 * 2789 * The return value is the disposition of the chunk. 2790 */ 2791 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2792 const struct sctp_association *asoc, 2793 const sctp_subtype_t type, 2794 void *arg, 2795 sctp_cmd_seq_t *commands) 2796 { 2797 struct sctp_chunk *chunk = arg; 2798 int error; 2799 2800 if (!sctp_vtag_verify(chunk, asoc)) { 2801 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2802 SCTP_NULL()); 2803 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2804 } 2805 2806 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2807 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2808 commands); 2809 2810 error = sctp_eat_data(asoc, chunk, commands ); 2811 switch (error) { 2812 case SCTP_IERROR_NO_ERROR: 2813 break; 2814 case SCTP_IERROR_HIGH_TSN: 2815 case SCTP_IERROR_BAD_STREAM: 2816 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2817 goto discard_noforce; 2818 case SCTP_IERROR_DUP_TSN: 2819 case SCTP_IERROR_IGNORE_TSN: 2820 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2821 goto discard_force; 2822 case SCTP_IERROR_NO_DATA: 2823 goto consume; 2824 default: 2825 BUG(); 2826 } 2827 2828 if (asoc->autoclose) { 2829 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2830 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2831 } 2832 2833 /* If this is the last chunk in a packet, we need to count it 2834 * toward sack generation. Note that we need to SACK every 2835 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2836 * THEM. We elect to NOT generate SACK's if the chunk fails 2837 * the verification tag test. 2838 * 2839 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2840 * 2841 * The SCTP endpoint MUST always acknowledge the reception of 2842 * each valid DATA chunk. 2843 * 2844 * The guidelines on delayed acknowledgement algorithm 2845 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2846 * Specifically, an acknowledgement SHOULD be generated for at 2847 * least every second packet (not every second DATA chunk) 2848 * received, and SHOULD be generated within 200 ms of the 2849 * arrival of any unacknowledged DATA chunk. In some 2850 * situations it may be beneficial for an SCTP transmitter to 2851 * be more conservative than the algorithms detailed in this 2852 * document allow. However, an SCTP transmitter MUST NOT be 2853 * more aggressive than the following algorithms allow. 2854 */ 2855 if (chunk->end_of_packet) 2856 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2857 2858 return SCTP_DISPOSITION_CONSUME; 2859 2860 discard_force: 2861 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2862 * 2863 * When a packet arrives with duplicate DATA chunk(s) and with 2864 * no new DATA chunk(s), the endpoint MUST immediately send a 2865 * SACK with no delay. If a packet arrives with duplicate 2866 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2867 * MAY immediately send a SACK. Normally receipt of duplicate 2868 * DATA chunks will occur when the original SACK chunk was lost 2869 * and the peer's RTO has expired. The duplicate TSN number(s) 2870 * SHOULD be reported in the SACK as duplicate. 2871 */ 2872 /* In our case, we split the MAY SACK advice up whether or not 2873 * the last chunk is a duplicate.' 2874 */ 2875 if (chunk->end_of_packet) 2876 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2877 return SCTP_DISPOSITION_DISCARD; 2878 2879 discard_noforce: 2880 if (chunk->end_of_packet) 2881 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2882 2883 return SCTP_DISPOSITION_DISCARD; 2884 consume: 2885 return SCTP_DISPOSITION_CONSUME; 2886 2887 } 2888 2889 /* 2890 * sctp_sf_eat_data_fast_4_4 2891 * 2892 * Section: 4 (4) 2893 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2894 * DATA chunks without delay. 2895 * 2896 * Verification Tag: 8.5 Verification Tag [Normal verification] 2897 * Inputs 2898 * (endpoint, asoc, chunk) 2899 * 2900 * Outputs 2901 * (asoc, reply_msg, msg_up, timers, counters) 2902 * 2903 * The return value is the disposition of the chunk. 2904 */ 2905 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2906 const struct sctp_association *asoc, 2907 const sctp_subtype_t type, 2908 void *arg, 2909 sctp_cmd_seq_t *commands) 2910 { 2911 struct sctp_chunk *chunk = arg; 2912 int error; 2913 2914 if (!sctp_vtag_verify(chunk, asoc)) { 2915 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2916 SCTP_NULL()); 2917 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2918 } 2919 2920 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2921 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2922 commands); 2923 2924 error = sctp_eat_data(asoc, chunk, commands ); 2925 switch (error) { 2926 case SCTP_IERROR_NO_ERROR: 2927 case SCTP_IERROR_HIGH_TSN: 2928 case SCTP_IERROR_DUP_TSN: 2929 case SCTP_IERROR_IGNORE_TSN: 2930 case SCTP_IERROR_BAD_STREAM: 2931 break; 2932 case SCTP_IERROR_NO_DATA: 2933 goto consume; 2934 default: 2935 BUG(); 2936 } 2937 2938 /* Go a head and force a SACK, since we are shutting down. */ 2939 2940 /* Implementor's Guide. 2941 * 2942 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2943 * respond to each received packet containing one or more DATA chunk(s) 2944 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2945 */ 2946 if (chunk->end_of_packet) { 2947 /* We must delay the chunk creation since the cumulative 2948 * TSN has not been updated yet. 2949 */ 2950 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2951 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2952 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2953 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2954 } 2955 2956 consume: 2957 return SCTP_DISPOSITION_CONSUME; 2958 } 2959 2960 /* 2961 * Section: 6.2 Processing a Received SACK 2962 * D) Any time a SACK arrives, the endpoint performs the following: 2963 * 2964 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2965 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2966 * increasing, a SACK whose Cumulative TSN Ack is less than the 2967 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2968 * 2969 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2970 * of bytes still outstanding after processing the Cumulative TSN Ack 2971 * and the Gap Ack Blocks. 2972 * 2973 * iii) If the SACK is missing a TSN that was previously 2974 * acknowledged via a Gap Ack Block (e.g., the data receiver 2975 * reneged on the data), then mark the corresponding DATA chunk 2976 * as available for retransmit: Mark it as missing for fast 2977 * retransmit as described in Section 7.2.4 and if no retransmit 2978 * timer is running for the destination address to which the DATA 2979 * chunk was originally transmitted, then T3-rtx is started for 2980 * that destination address. 2981 * 2982 * Verification Tag: 8.5 Verification Tag [Normal verification] 2983 * 2984 * Inputs 2985 * (endpoint, asoc, chunk) 2986 * 2987 * Outputs 2988 * (asoc, reply_msg, msg_up, timers, counters) 2989 * 2990 * The return value is the disposition of the chunk. 2991 */ 2992 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2993 const struct sctp_association *asoc, 2994 const sctp_subtype_t type, 2995 void *arg, 2996 sctp_cmd_seq_t *commands) 2997 { 2998 struct sctp_chunk *chunk = arg; 2999 sctp_sackhdr_t *sackh; 3000 __u32 ctsn; 3001 3002 if (!sctp_vtag_verify(chunk, asoc)) 3003 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3004 3005 /* Make sure that the SACK chunk has a valid length. */ 3006 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 3007 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3008 commands); 3009 3010 /* Pull the SACK chunk from the data buffer */ 3011 sackh = sctp_sm_pull_sack(chunk); 3012 /* Was this a bogus SACK? */ 3013 if (!sackh) 3014 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3015 chunk->subh.sack_hdr = sackh; 3016 ctsn = ntohl(sackh->cum_tsn_ack); 3017 3018 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3019 * Ack Point, then drop the SACK. Since Cumulative TSN 3020 * Ack is monotonically increasing, a SACK whose 3021 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3022 * Point indicates an out-of-order SACK. 3023 */ 3024 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3025 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 3026 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 3027 return SCTP_DISPOSITION_DISCARD; 3028 } 3029 3030 /* If Cumulative TSN Ack beyond the max tsn currently 3031 * send, terminating the association and respond to the 3032 * sender with an ABORT. 3033 */ 3034 if (!TSN_lt(ctsn, asoc->next_tsn)) 3035 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 3036 3037 /* Return this SACK for further processing. */ 3038 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 3039 3040 /* Note: We do the rest of the work on the PROCESS_SACK 3041 * sideeffect. 3042 */ 3043 return SCTP_DISPOSITION_CONSUME; 3044 } 3045 3046 /* 3047 * Generate an ABORT in response to a packet. 3048 * 3049 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3050 * 3051 * 8) The receiver should respond to the sender of the OOTB packet with 3052 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3053 * MUST fill in the Verification Tag field of the outbound packet 3054 * with the value found in the Verification Tag field of the OOTB 3055 * packet and set the T-bit in the Chunk Flags to indicate that the 3056 * Verification Tag is reflected. After sending this ABORT, the 3057 * receiver of the OOTB packet shall discard the OOTB packet and take 3058 * no further action. 3059 * 3060 * Verification Tag: 3061 * 3062 * The return value is the disposition of the chunk. 3063 */ 3064 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 3065 const struct sctp_association *asoc, 3066 const sctp_subtype_t type, 3067 void *arg, 3068 sctp_cmd_seq_t *commands) 3069 { 3070 struct sctp_packet *packet = NULL; 3071 struct sctp_chunk *chunk = arg; 3072 struct sctp_chunk *abort; 3073 3074 packet = sctp_ootb_pkt_new(asoc, chunk); 3075 3076 if (packet) { 3077 /* Make an ABORT. The T bit will be set if the asoc 3078 * is NULL. 3079 */ 3080 abort = sctp_make_abort(asoc, chunk, 0); 3081 if (!abort) { 3082 sctp_ootb_pkt_free(packet); 3083 return SCTP_DISPOSITION_NOMEM; 3084 } 3085 3086 /* Reflect vtag if T-Bit is set */ 3087 if (sctp_test_T_bit(abort)) 3088 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3089 3090 /* Set the skb to the belonging sock for accounting. */ 3091 abort->skb->sk = ep->base.sk; 3092 3093 sctp_packet_append_chunk(packet, abort); 3094 3095 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3096 SCTP_PACKET(packet)); 3097 3098 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3099 3100 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3101 return SCTP_DISPOSITION_CONSUME; 3102 } 3103 3104 return SCTP_DISPOSITION_NOMEM; 3105 } 3106 3107 /* 3108 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3109 * event as ULP notification for each cause included in the chunk. 3110 * 3111 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3112 * 3113 * The return value is the disposition of the chunk. 3114 */ 3115 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 3116 const struct sctp_association *asoc, 3117 const sctp_subtype_t type, 3118 void *arg, 3119 sctp_cmd_seq_t *commands) 3120 { 3121 struct sctp_chunk *chunk = arg; 3122 struct sctp_ulpevent *ev; 3123 3124 if (!sctp_vtag_verify(chunk, asoc)) 3125 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3126 3127 /* Make sure that the ERROR chunk has a valid length. */ 3128 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3129 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3130 commands); 3131 3132 while (chunk->chunk_end > chunk->skb->data) { 3133 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 3134 GFP_ATOMIC); 3135 if (!ev) 3136 goto nomem; 3137 3138 if (!sctp_add_cmd(commands, SCTP_CMD_EVENT_ULP, 3139 SCTP_ULPEVENT(ev))) { 3140 sctp_ulpevent_free(ev); 3141 goto nomem; 3142 } 3143 3144 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3145 SCTP_CHUNK(chunk)); 3146 } 3147 return SCTP_DISPOSITION_CONSUME; 3148 3149 nomem: 3150 return SCTP_DISPOSITION_NOMEM; 3151 } 3152 3153 /* 3154 * Process an inbound SHUTDOWN ACK. 3155 * 3156 * From Section 9.2: 3157 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3158 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3159 * peer, and remove all record of the association. 3160 * 3161 * The return value is the disposition. 3162 */ 3163 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3164 const struct sctp_association *asoc, 3165 const sctp_subtype_t type, 3166 void *arg, 3167 sctp_cmd_seq_t *commands) 3168 { 3169 struct sctp_chunk *chunk = arg; 3170 struct sctp_chunk *reply; 3171 struct sctp_ulpevent *ev; 3172 3173 if (!sctp_vtag_verify(chunk, asoc)) 3174 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3175 3176 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3177 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3178 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3179 commands); 3180 /* 10.2 H) SHUTDOWN COMPLETE notification 3181 * 3182 * When SCTP completes the shutdown procedures (section 9.2) this 3183 * notification is passed to the upper layer. 3184 */ 3185 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3186 0, 0, 0, NULL, GFP_ATOMIC); 3187 if (!ev) 3188 goto nomem; 3189 3190 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3191 reply = sctp_make_shutdown_complete(asoc, chunk); 3192 if (!reply) 3193 goto nomem_chunk; 3194 3195 /* Do all the commands now (after allocation), so that we 3196 * have consistent state if memory allocation failes 3197 */ 3198 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3199 3200 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3201 * stop the T2-shutdown timer, 3202 */ 3203 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3204 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3205 3206 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3207 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3208 3209 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3210 SCTP_STATE(SCTP_STATE_CLOSED)); 3211 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3212 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3213 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3214 3215 /* ...and remove all record of the association. */ 3216 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3217 return SCTP_DISPOSITION_DELETE_TCB; 3218 3219 nomem_chunk: 3220 sctp_ulpevent_free(ev); 3221 nomem: 3222 return SCTP_DISPOSITION_NOMEM; 3223 } 3224 3225 /* 3226 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3227 * 3228 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3229 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3230 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3231 * packet must fill in the Verification Tag field of the outbound 3232 * packet with the Verification Tag received in the SHUTDOWN ACK and 3233 * set the T-bit in the Chunk Flags to indicate that the Verification 3234 * Tag is reflected. 3235 * 3236 * 8) The receiver should respond to the sender of the OOTB packet with 3237 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3238 * MUST fill in the Verification Tag field of the outbound packet 3239 * with the value found in the Verification Tag field of the OOTB 3240 * packet and set the T-bit in the Chunk Flags to indicate that the 3241 * Verification Tag is reflected. After sending this ABORT, the 3242 * receiver of the OOTB packet shall discard the OOTB packet and take 3243 * no further action. 3244 */ 3245 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3246 const struct sctp_association *asoc, 3247 const sctp_subtype_t type, 3248 void *arg, 3249 sctp_cmd_seq_t *commands) 3250 { 3251 struct sctp_chunk *chunk = arg; 3252 struct sk_buff *skb = chunk->skb; 3253 sctp_chunkhdr_t *ch; 3254 __u8 *ch_end; 3255 int ootb_shut_ack = 0; 3256 3257 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3258 3259 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3260 do { 3261 /* Report violation if the chunk is less then minimal */ 3262 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3263 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3264 commands); 3265 3266 /* Now that we know we at least have a chunk header, 3267 * do things that are type appropriate. 3268 */ 3269 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3270 ootb_shut_ack = 1; 3271 3272 /* RFC 2960, Section 3.3.7 3273 * Moreover, under any circumstances, an endpoint that 3274 * receives an ABORT MUST NOT respond to that ABORT by 3275 * sending an ABORT of its own. 3276 */ 3277 if (SCTP_CID_ABORT == ch->type) 3278 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3279 3280 /* Report violation if chunk len overflows */ 3281 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3282 if (ch_end > skb_tail_pointer(skb)) 3283 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3284 commands); 3285 3286 ch = (sctp_chunkhdr_t *) ch_end; 3287 } while (ch_end < skb_tail_pointer(skb)); 3288 3289 if (ootb_shut_ack) 3290 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3291 else 3292 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3293 } 3294 3295 /* 3296 * Handle an "Out of the blue" SHUTDOWN ACK. 3297 * 3298 * Section: 8.4 5, sctpimpguide 2.41. 3299 * 3300 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3301 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3302 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3303 * packet must fill in the Verification Tag field of the outbound 3304 * packet with the Verification Tag received in the SHUTDOWN ACK and 3305 * set the T-bit in the Chunk Flags to indicate that the Verification 3306 * Tag is reflected. 3307 * 3308 * Inputs 3309 * (endpoint, asoc, type, arg, commands) 3310 * 3311 * Outputs 3312 * (sctp_disposition_t) 3313 * 3314 * The return value is the disposition of the chunk. 3315 */ 3316 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3317 const struct sctp_association *asoc, 3318 const sctp_subtype_t type, 3319 void *arg, 3320 sctp_cmd_seq_t *commands) 3321 { 3322 struct sctp_packet *packet = NULL; 3323 struct sctp_chunk *chunk = arg; 3324 struct sctp_chunk *shut; 3325 3326 packet = sctp_ootb_pkt_new(asoc, chunk); 3327 3328 if (packet) { 3329 /* Make an SHUTDOWN_COMPLETE. 3330 * The T bit will be set if the asoc is NULL. 3331 */ 3332 shut = sctp_make_shutdown_complete(asoc, chunk); 3333 if (!shut) { 3334 sctp_ootb_pkt_free(packet); 3335 return SCTP_DISPOSITION_NOMEM; 3336 } 3337 3338 /* Reflect vtag if T-Bit is set */ 3339 if (sctp_test_T_bit(shut)) 3340 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3341 3342 /* Set the skb to the belonging sock for accounting. */ 3343 shut->skb->sk = ep->base.sk; 3344 3345 sctp_packet_append_chunk(packet, shut); 3346 3347 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3348 SCTP_PACKET(packet)); 3349 3350 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3351 3352 /* If the chunk length is invalid, we don't want to process 3353 * the reset of the packet. 3354 */ 3355 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3356 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3357 3358 /* We need to discard the rest of the packet to prevent 3359 * potential bomming attacks from additional bundled chunks. 3360 * This is documented in SCTP Threats ID. 3361 */ 3362 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3363 } 3364 3365 return SCTP_DISPOSITION_NOMEM; 3366 } 3367 3368 /* 3369 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3370 * 3371 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3372 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3373 * procedures in section 8.4 SHOULD be followed, in other words it 3374 * should be treated as an Out Of The Blue packet. 3375 * [This means that we do NOT check the Verification Tag on these 3376 * chunks. --piggy ] 3377 * 3378 */ 3379 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3380 const struct sctp_association *asoc, 3381 const sctp_subtype_t type, 3382 void *arg, 3383 sctp_cmd_seq_t *commands) 3384 { 3385 struct sctp_chunk *chunk = arg; 3386 3387 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3388 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3389 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3390 commands); 3391 3392 /* Although we do have an association in this case, it corresponds 3393 * to a restarted association. So the packet is treated as an OOTB 3394 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3395 * called with a NULL association. 3396 */ 3397 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3398 } 3399 3400 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3401 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3402 const struct sctp_association *asoc, 3403 const sctp_subtype_t type, void *arg, 3404 sctp_cmd_seq_t *commands) 3405 { 3406 struct sctp_chunk *chunk = arg; 3407 struct sctp_chunk *asconf_ack = NULL; 3408 struct sctp_paramhdr *err_param = NULL; 3409 sctp_addiphdr_t *hdr; 3410 union sctp_addr_param *addr_param; 3411 __u32 serial; 3412 int length; 3413 3414 if (!sctp_vtag_verify(chunk, asoc)) { 3415 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3416 SCTP_NULL()); 3417 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3418 } 3419 3420 /* ADD-IP: Section 4.1.1 3421 * This chunk MUST be sent in an authenticated way by using 3422 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3423 * is received unauthenticated it MUST be silently discarded as 3424 * described in [I-D.ietf-tsvwg-sctp-auth]. 3425 */ 3426 if (!sctp_addip_noauth && !chunk->auth) 3427 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3428 3429 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3430 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3431 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3432 commands); 3433 3434 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3435 serial = ntohl(hdr->serial); 3436 3437 addr_param = (union sctp_addr_param *)hdr->params; 3438 length = ntohs(addr_param->p.length); 3439 if (length < sizeof(sctp_paramhdr_t)) 3440 return sctp_sf_violation_paramlen(ep, asoc, type, 3441 (void *)addr_param, commands); 3442 3443 /* Verify the ASCONF chunk before processing it. */ 3444 if (!sctp_verify_asconf(asoc, 3445 (sctp_paramhdr_t *)((void *)addr_param + length), 3446 (void *)chunk->chunk_end, 3447 &err_param)) 3448 return sctp_sf_violation_paramlen(ep, asoc, type, 3449 (void *)&err_param, commands); 3450 3451 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3452 * the endpoint stored in a new association variable 3453 * 'Peer-Serial-Number'. 3454 */ 3455 if (serial == asoc->peer.addip_serial + 1) { 3456 /* If this is the first instance of ASCONF in the packet, 3457 * we can clean our old ASCONF-ACKs. 3458 */ 3459 if (!chunk->has_asconf) 3460 sctp_assoc_clean_asconf_ack_cache(asoc); 3461 3462 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3463 * expected, process the ASCONF as described below and after 3464 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3465 * the response packet and cache a copy of it (in the event it 3466 * later needs to be retransmitted). 3467 * 3468 * Essentially, do V1-V5. 3469 */ 3470 asconf_ack = sctp_process_asconf((struct sctp_association *) 3471 asoc, chunk); 3472 if (!asconf_ack) 3473 return SCTP_DISPOSITION_NOMEM; 3474 } else if (serial < asoc->peer.addip_serial + 1) { 3475 /* ADDIP 5.2 E2) 3476 * If the value found in the Sequence Number is less than the 3477 * ('Peer- Sequence-Number' + 1), simply skip to the next 3478 * ASCONF, and include in the outbound response packet 3479 * any previously cached ASCONF-ACK response that was 3480 * sent and saved that matches the Sequence Number of the 3481 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3482 * Chunk exists. This will occur when an older ASCONF 3483 * arrives out of order. In such a case, the receiver 3484 * should skip the ASCONF Chunk and not include ASCONF-ACK 3485 * Chunk for that chunk. 3486 */ 3487 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3488 if (!asconf_ack) 3489 return SCTP_DISPOSITION_DISCARD; 3490 } else { 3491 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3492 * it must be either a stale packet or from an attacker. 3493 */ 3494 return SCTP_DISPOSITION_DISCARD; 3495 } 3496 3497 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3498 * containing the ASCONF-ACK Chunks MUST be the source address of 3499 * the SCTP packet that held the ASCONF Chunks. 3500 * 3501 * To do this properly, we'll set the destination address of the chunk 3502 * and at the transmit time, will try look up the transport to use. 3503 * Since ASCONFs may be bundled, the correct transport may not be 3504 * created untill we process the entire packet, thus this workaround. 3505 */ 3506 asconf_ack->dest = chunk->source; 3507 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3508 3509 return SCTP_DISPOSITION_CONSUME; 3510 } 3511 3512 /* 3513 * ADDIP Section 4.3 General rules for address manipulation 3514 * When building TLV parameters for the ASCONF Chunk that will add or 3515 * delete IP addresses the D0 to D13 rules should be applied: 3516 */ 3517 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3518 const struct sctp_association *asoc, 3519 const sctp_subtype_t type, void *arg, 3520 sctp_cmd_seq_t *commands) 3521 { 3522 struct sctp_chunk *asconf_ack = arg; 3523 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3524 struct sctp_chunk *abort; 3525 struct sctp_paramhdr *err_param = NULL; 3526 sctp_addiphdr_t *addip_hdr; 3527 __u32 sent_serial, rcvd_serial; 3528 3529 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3530 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3531 SCTP_NULL()); 3532 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3533 } 3534 3535 /* ADD-IP, Section 4.1.2: 3536 * This chunk MUST be sent in an authenticated way by using 3537 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3538 * is received unauthenticated it MUST be silently discarded as 3539 * described in [I-D.ietf-tsvwg-sctp-auth]. 3540 */ 3541 if (!sctp_addip_noauth && !asconf_ack->auth) 3542 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3543 3544 /* Make sure that the ADDIP chunk has a valid length. */ 3545 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3546 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3547 commands); 3548 3549 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3550 rcvd_serial = ntohl(addip_hdr->serial); 3551 3552 /* Verify the ASCONF-ACK chunk before processing it. */ 3553 if (!sctp_verify_asconf(asoc, 3554 (sctp_paramhdr_t *)addip_hdr->params, 3555 (void *)asconf_ack->chunk_end, 3556 &err_param)) 3557 return sctp_sf_violation_paramlen(ep, asoc, type, 3558 (void *)&err_param, commands); 3559 3560 if (last_asconf) { 3561 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3562 sent_serial = ntohl(addip_hdr->serial); 3563 } else { 3564 sent_serial = asoc->addip_serial - 1; 3565 } 3566 3567 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3568 * equal to the next serial number to be used but no ASCONF chunk is 3569 * outstanding the endpoint MUST ABORT the association. Note that a 3570 * sequence number is greater than if it is no more than 2^^31-1 3571 * larger than the current sequence number (using serial arithmetic). 3572 */ 3573 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3574 !(asoc->addip_last_asconf)) { 3575 abort = sctp_make_abort(asoc, asconf_ack, 3576 sizeof(sctp_errhdr_t)); 3577 if (abort) { 3578 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3579 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3580 SCTP_CHUNK(abort)); 3581 } 3582 /* We are going to ABORT, so we might as well stop 3583 * processing the rest of the chunks in the packet. 3584 */ 3585 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3586 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3587 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3588 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3589 SCTP_ERROR(ECONNABORTED)); 3590 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3591 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3592 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3593 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3594 return SCTP_DISPOSITION_ABORT; 3595 } 3596 3597 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3598 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3599 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3600 3601 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3602 asconf_ack)) 3603 return SCTP_DISPOSITION_CONSUME; 3604 3605 abort = sctp_make_abort(asoc, asconf_ack, 3606 sizeof(sctp_errhdr_t)); 3607 if (abort) { 3608 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3609 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3610 SCTP_CHUNK(abort)); 3611 } 3612 /* We are going to ABORT, so we might as well stop 3613 * processing the rest of the chunks in the packet. 3614 */ 3615 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3616 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3617 SCTP_ERROR(ECONNABORTED)); 3618 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3619 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3620 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3621 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3622 return SCTP_DISPOSITION_ABORT; 3623 } 3624 3625 return SCTP_DISPOSITION_DISCARD; 3626 } 3627 3628 /* 3629 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3630 * 3631 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3632 * its cumulative TSN point to the value carried in the FORWARD TSN 3633 * chunk, and then MUST further advance its cumulative TSN point locally 3634 * if possible. 3635 * After the above processing, the data receiver MUST stop reporting any 3636 * missing TSNs earlier than or equal to the new cumulative TSN point. 3637 * 3638 * Verification Tag: 8.5 Verification Tag [Normal verification] 3639 * 3640 * The return value is the disposition of the chunk. 3641 */ 3642 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3643 const struct sctp_association *asoc, 3644 const sctp_subtype_t type, 3645 void *arg, 3646 sctp_cmd_seq_t *commands) 3647 { 3648 struct sctp_chunk *chunk = arg; 3649 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3650 __u16 len; 3651 __u32 tsn; 3652 3653 if (!sctp_vtag_verify(chunk, asoc)) { 3654 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3655 SCTP_NULL()); 3656 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3657 } 3658 3659 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3660 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3661 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3662 commands); 3663 3664 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3665 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3666 len = ntohs(chunk->chunk_hdr->length); 3667 len -= sizeof(struct sctp_chunkhdr); 3668 skb_pull(chunk->skb, len); 3669 3670 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3671 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3672 3673 /* The TSN is too high--silently discard the chunk and count on it 3674 * getting retransmitted later. 3675 */ 3676 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3677 goto discard_noforce; 3678 3679 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3680 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3681 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3682 SCTP_CHUNK(chunk)); 3683 3684 /* Count this as receiving DATA. */ 3685 if (asoc->autoclose) { 3686 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3687 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3688 } 3689 3690 /* FIXME: For now send a SACK, but DATA processing may 3691 * send another. 3692 */ 3693 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3694 3695 return SCTP_DISPOSITION_CONSUME; 3696 3697 discard_noforce: 3698 return SCTP_DISPOSITION_DISCARD; 3699 } 3700 3701 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3702 const struct sctp_endpoint *ep, 3703 const struct sctp_association *asoc, 3704 const sctp_subtype_t type, 3705 void *arg, 3706 sctp_cmd_seq_t *commands) 3707 { 3708 struct sctp_chunk *chunk = arg; 3709 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3710 __u16 len; 3711 __u32 tsn; 3712 3713 if (!sctp_vtag_verify(chunk, asoc)) { 3714 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3715 SCTP_NULL()); 3716 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3717 } 3718 3719 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3720 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3721 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3722 commands); 3723 3724 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3725 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3726 len = ntohs(chunk->chunk_hdr->length); 3727 len -= sizeof(struct sctp_chunkhdr); 3728 skb_pull(chunk->skb, len); 3729 3730 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3731 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3732 3733 /* The TSN is too high--silently discard the chunk and count on it 3734 * getting retransmitted later. 3735 */ 3736 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3737 goto gen_shutdown; 3738 3739 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3740 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3741 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3742 SCTP_CHUNK(chunk)); 3743 3744 /* Go a head and force a SACK, since we are shutting down. */ 3745 gen_shutdown: 3746 /* Implementor's Guide. 3747 * 3748 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3749 * respond to each received packet containing one or more DATA chunk(s) 3750 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3751 */ 3752 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3753 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3754 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3755 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3756 3757 return SCTP_DISPOSITION_CONSUME; 3758 } 3759 3760 /* 3761 * SCTP-AUTH Section 6.3 Receving authenticated chukns 3762 * 3763 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3764 * Identifier field. If this algorithm was not specified by the 3765 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3766 * during association setup, the AUTH chunk and all chunks after it MUST 3767 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3768 * defined in Section 4.1. 3769 * 3770 * If an endpoint with no shared key receives a Shared Key Identifier 3771 * other than 0, it MUST silently discard all authenticated chunks. If 3772 * the endpoint has at least one endpoint pair shared key for the peer, 3773 * it MUST use the key specified by the Shared Key Identifier if a 3774 * key has been configured for that Shared Key Identifier. If no 3775 * endpoint pair shared key has been configured for that Shared Key 3776 * Identifier, all authenticated chunks MUST be silently discarded. 3777 * 3778 * Verification Tag: 8.5 Verification Tag [Normal verification] 3779 * 3780 * The return value is the disposition of the chunk. 3781 */ 3782 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 3783 const struct sctp_association *asoc, 3784 const sctp_subtype_t type, 3785 struct sctp_chunk *chunk) 3786 { 3787 struct sctp_authhdr *auth_hdr; 3788 struct sctp_hmac *hmac; 3789 unsigned int sig_len; 3790 __u16 key_id; 3791 __u8 *save_digest; 3792 __u8 *digest; 3793 3794 /* Pull in the auth header, so we can do some more verification */ 3795 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3796 chunk->subh.auth_hdr = auth_hdr; 3797 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 3798 3799 /* Make sure that we suport the HMAC algorithm from the auth 3800 * chunk. 3801 */ 3802 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 3803 return SCTP_IERROR_AUTH_BAD_HMAC; 3804 3805 /* Make sure that the provided shared key identifier has been 3806 * configured 3807 */ 3808 key_id = ntohs(auth_hdr->shkey_id); 3809 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 3810 return SCTP_IERROR_AUTH_BAD_KEYID; 3811 3812 3813 /* Make sure that the length of the signature matches what 3814 * we expect. 3815 */ 3816 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 3817 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 3818 if (sig_len != hmac->hmac_len) 3819 return SCTP_IERROR_PROTO_VIOLATION; 3820 3821 /* Now that we've done validation checks, we can compute and 3822 * verify the hmac. The steps involved are: 3823 * 1. Save the digest from the chunk. 3824 * 2. Zero out the digest in the chunk. 3825 * 3. Compute the new digest 3826 * 4. Compare saved and new digests. 3827 */ 3828 digest = auth_hdr->hmac; 3829 skb_pull(chunk->skb, sig_len); 3830 3831 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 3832 if (!save_digest) 3833 goto nomem; 3834 3835 memset(digest, 0, sig_len); 3836 3837 sctp_auth_calculate_hmac(asoc, chunk->skb, 3838 (struct sctp_auth_chunk *)chunk->chunk_hdr, 3839 GFP_ATOMIC); 3840 3841 /* Discard the packet if the digests do not match */ 3842 if (memcmp(save_digest, digest, sig_len)) { 3843 kfree(save_digest); 3844 return SCTP_IERROR_BAD_SIG; 3845 } 3846 3847 kfree(save_digest); 3848 chunk->auth = 1; 3849 3850 return SCTP_IERROR_NO_ERROR; 3851 nomem: 3852 return SCTP_IERROR_NOMEM; 3853 } 3854 3855 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep, 3856 const struct sctp_association *asoc, 3857 const sctp_subtype_t type, 3858 void *arg, 3859 sctp_cmd_seq_t *commands) 3860 { 3861 struct sctp_authhdr *auth_hdr; 3862 struct sctp_chunk *chunk = arg; 3863 struct sctp_chunk *err_chunk; 3864 sctp_ierror_t error; 3865 3866 /* Make sure that the peer has AUTH capable */ 3867 if (!asoc->peer.auth_capable) 3868 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands); 3869 3870 if (!sctp_vtag_verify(chunk, asoc)) { 3871 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3872 SCTP_NULL()); 3873 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3874 } 3875 3876 /* Make sure that the AUTH chunk has valid length. */ 3877 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 3878 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3879 commands); 3880 3881 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3882 error = sctp_sf_authenticate(ep, asoc, type, chunk); 3883 switch (error) { 3884 case SCTP_IERROR_AUTH_BAD_HMAC: 3885 /* Generate the ERROR chunk and discard the rest 3886 * of the packet 3887 */ 3888 err_chunk = sctp_make_op_error(asoc, chunk, 3889 SCTP_ERROR_UNSUP_HMAC, 3890 &auth_hdr->hmac_id, 3891 sizeof(__u16)); 3892 if (err_chunk) { 3893 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3894 SCTP_CHUNK(err_chunk)); 3895 } 3896 /* Fall Through */ 3897 case SCTP_IERROR_AUTH_BAD_KEYID: 3898 case SCTP_IERROR_BAD_SIG: 3899 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3900 break; 3901 case SCTP_IERROR_PROTO_VIOLATION: 3902 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3903 commands); 3904 break; 3905 case SCTP_IERROR_NOMEM: 3906 return SCTP_DISPOSITION_NOMEM; 3907 default: 3908 break; 3909 } 3910 3911 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 3912 struct sctp_ulpevent *ev; 3913 3914 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 3915 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 3916 3917 if (!ev) 3918 return -ENOMEM; 3919 3920 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 3921 SCTP_ULPEVENT(ev)); 3922 } 3923 3924 return SCTP_DISPOSITION_CONSUME; 3925 } 3926 3927 /* 3928 * Process an unknown chunk. 3929 * 3930 * Section: 3.2. Also, 2.1 in the implementor's guide. 3931 * 3932 * Chunk Types are encoded such that the highest-order two bits specify 3933 * the action that must be taken if the processing endpoint does not 3934 * recognize the Chunk Type. 3935 * 3936 * 00 - Stop processing this SCTP packet and discard it, do not process 3937 * any further chunks within it. 3938 * 3939 * 01 - Stop processing this SCTP packet and discard it, do not process 3940 * any further chunks within it, and report the unrecognized 3941 * chunk in an 'Unrecognized Chunk Type'. 3942 * 3943 * 10 - Skip this chunk and continue processing. 3944 * 3945 * 11 - Skip this chunk and continue processing, but report in an ERROR 3946 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3947 * 3948 * The return value is the disposition of the chunk. 3949 */ 3950 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3951 const struct sctp_association *asoc, 3952 const sctp_subtype_t type, 3953 void *arg, 3954 sctp_cmd_seq_t *commands) 3955 { 3956 struct sctp_chunk *unk_chunk = arg; 3957 struct sctp_chunk *err_chunk; 3958 sctp_chunkhdr_t *hdr; 3959 3960 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3961 3962 if (!sctp_vtag_verify(unk_chunk, asoc)) 3963 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3964 3965 /* Make sure that the chunk has a valid length. 3966 * Since we don't know the chunk type, we use a general 3967 * chunkhdr structure to make a comparison. 3968 */ 3969 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3970 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3971 commands); 3972 3973 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3974 case SCTP_CID_ACTION_DISCARD: 3975 /* Discard the packet. */ 3976 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3977 break; 3978 case SCTP_CID_ACTION_DISCARD_ERR: 3979 /* Discard the packet. */ 3980 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3981 3982 /* Generate an ERROR chunk as response. */ 3983 hdr = unk_chunk->chunk_hdr; 3984 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3985 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3986 WORD_ROUND(ntohs(hdr->length))); 3987 if (err_chunk) { 3988 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3989 SCTP_CHUNK(err_chunk)); 3990 } 3991 return SCTP_DISPOSITION_CONSUME; 3992 break; 3993 case SCTP_CID_ACTION_SKIP: 3994 /* Skip the chunk. */ 3995 return SCTP_DISPOSITION_DISCARD; 3996 break; 3997 case SCTP_CID_ACTION_SKIP_ERR: 3998 /* Generate an ERROR chunk as response. */ 3999 hdr = unk_chunk->chunk_hdr; 4000 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4001 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4002 WORD_ROUND(ntohs(hdr->length))); 4003 if (err_chunk) { 4004 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4005 SCTP_CHUNK(err_chunk)); 4006 } 4007 /* Skip the chunk. */ 4008 return SCTP_DISPOSITION_CONSUME; 4009 break; 4010 default: 4011 break; 4012 } 4013 4014 return SCTP_DISPOSITION_DISCARD; 4015 } 4016 4017 /* 4018 * Discard the chunk. 4019 * 4020 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4021 * [Too numerous to mention...] 4022 * Verification Tag: No verification needed. 4023 * Inputs 4024 * (endpoint, asoc, chunk) 4025 * 4026 * Outputs 4027 * (asoc, reply_msg, msg_up, timers, counters) 4028 * 4029 * The return value is the disposition of the chunk. 4030 */ 4031 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 4032 const struct sctp_association *asoc, 4033 const sctp_subtype_t type, 4034 void *arg, 4035 sctp_cmd_seq_t *commands) 4036 { 4037 struct sctp_chunk *chunk = arg; 4038 4039 /* Make sure that the chunk has a valid length. 4040 * Since we don't know the chunk type, we use a general 4041 * chunkhdr structure to make a comparison. 4042 */ 4043 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4044 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4045 commands); 4046 4047 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 4048 return SCTP_DISPOSITION_DISCARD; 4049 } 4050 4051 /* 4052 * Discard the whole packet. 4053 * 4054 * Section: 8.4 2) 4055 * 4056 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4057 * silently discard the OOTB packet and take no further action. 4058 * 4059 * Verification Tag: No verification necessary 4060 * 4061 * Inputs 4062 * (endpoint, asoc, chunk) 4063 * 4064 * Outputs 4065 * (asoc, reply_msg, msg_up, timers, counters) 4066 * 4067 * The return value is the disposition of the chunk. 4068 */ 4069 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 4070 const struct sctp_association *asoc, 4071 const sctp_subtype_t type, 4072 void *arg, 4073 sctp_cmd_seq_t *commands) 4074 { 4075 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 4076 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4077 4078 return SCTP_DISPOSITION_CONSUME; 4079 } 4080 4081 4082 /* 4083 * The other end is violating protocol. 4084 * 4085 * Section: Not specified 4086 * Verification Tag: Not specified 4087 * Inputs 4088 * (endpoint, asoc, chunk) 4089 * 4090 * Outputs 4091 * (asoc, reply_msg, msg_up, timers, counters) 4092 * 4093 * We simply tag the chunk as a violation. The state machine will log 4094 * the violation and continue. 4095 */ 4096 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 4097 const struct sctp_association *asoc, 4098 const sctp_subtype_t type, 4099 void *arg, 4100 sctp_cmd_seq_t *commands) 4101 { 4102 struct sctp_chunk *chunk = arg; 4103 4104 /* Make sure that the chunk has a valid length. */ 4105 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4106 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4107 commands); 4108 4109 return SCTP_DISPOSITION_VIOLATION; 4110 } 4111 4112 /* 4113 * Common function to handle a protocol violation. 4114 */ 4115 static sctp_disposition_t sctp_sf_abort_violation( 4116 const struct sctp_endpoint *ep, 4117 const struct sctp_association *asoc, 4118 void *arg, 4119 sctp_cmd_seq_t *commands, 4120 const __u8 *payload, 4121 const size_t paylen) 4122 { 4123 struct sctp_packet *packet = NULL; 4124 struct sctp_chunk *chunk = arg; 4125 struct sctp_chunk *abort = NULL; 4126 4127 /* SCTP-AUTH, Section 6.3: 4128 * It should be noted that if the receiver wants to tear 4129 * down an association in an authenticated way only, the 4130 * handling of malformed packets should not result in 4131 * tearing down the association. 4132 * 4133 * This means that if we only want to abort associations 4134 * in an authenticated way (i.e AUTH+ABORT), then we 4135 * can't destroy this association just becuase the packet 4136 * was malformed. 4137 */ 4138 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4139 goto discard; 4140 4141 /* Make the abort chunk. */ 4142 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4143 if (!abort) 4144 goto nomem; 4145 4146 if (asoc) { 4147 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4148 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4149 4150 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4151 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4152 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4153 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4154 SCTP_ERROR(ECONNREFUSED)); 4155 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4156 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4157 } else { 4158 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4159 SCTP_ERROR(ECONNABORTED)); 4160 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4161 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4162 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4163 } 4164 } else { 4165 packet = sctp_ootb_pkt_new(asoc, chunk); 4166 4167 if (!packet) 4168 goto nomem_pkt; 4169 4170 if (sctp_test_T_bit(abort)) 4171 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4172 4173 abort->skb->sk = ep->base.sk; 4174 4175 sctp_packet_append_chunk(packet, abort); 4176 4177 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4178 SCTP_PACKET(packet)); 4179 4180 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4181 } 4182 4183 discard: 4184 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4185 4186 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4187 4188 return SCTP_DISPOSITION_ABORT; 4189 4190 nomem_pkt: 4191 sctp_chunk_free(abort); 4192 nomem: 4193 return SCTP_DISPOSITION_NOMEM; 4194 } 4195 4196 /* 4197 * Handle a protocol violation when the chunk length is invalid. 4198 * "Invalid" length is identified as smaller then the minimal length a 4199 * given chunk can be. For example, a SACK chunk has invalid length 4200 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 4201 * 4202 * We inform the other end by sending an ABORT with a Protocol Violation 4203 * error code. 4204 * 4205 * Section: Not specified 4206 * Verification Tag: Nothing to do 4207 * Inputs 4208 * (endpoint, asoc, chunk) 4209 * 4210 * Outputs 4211 * (reply_msg, msg_up, counters) 4212 * 4213 * Generate an ABORT chunk and terminate the association. 4214 */ 4215 static sctp_disposition_t sctp_sf_violation_chunklen( 4216 const struct sctp_endpoint *ep, 4217 const struct sctp_association *asoc, 4218 const sctp_subtype_t type, 4219 void *arg, 4220 sctp_cmd_seq_t *commands) 4221 { 4222 char err_str[]="The following chunk had invalid length:"; 4223 4224 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4225 sizeof(err_str)); 4226 } 4227 4228 /* 4229 * Handle a protocol violation when the parameter length is invalid. 4230 * "Invalid" length is identified as smaller then the minimal length a 4231 * given parameter can be. 4232 */ 4233 static sctp_disposition_t sctp_sf_violation_paramlen( 4234 const struct sctp_endpoint *ep, 4235 const struct sctp_association *asoc, 4236 const sctp_subtype_t type, 4237 void *arg, 4238 sctp_cmd_seq_t *commands) { 4239 char err_str[] = "The following parameter had invalid length:"; 4240 4241 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4242 sizeof(err_str)); 4243 } 4244 4245 /* Handle a protocol violation when the peer trying to advance the 4246 * cumulative tsn ack to a point beyond the max tsn currently sent. 4247 * 4248 * We inform the other end by sending an ABORT with a Protocol Violation 4249 * error code. 4250 */ 4251 static sctp_disposition_t sctp_sf_violation_ctsn( 4252 const struct sctp_endpoint *ep, 4253 const struct sctp_association *asoc, 4254 const sctp_subtype_t type, 4255 void *arg, 4256 sctp_cmd_seq_t *commands) 4257 { 4258 char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:"; 4259 4260 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4261 sizeof(err_str)); 4262 } 4263 4264 /* Handle protocol violation of an invalid chunk bundling. For example, 4265 * when we have an association and we recieve bundled INIT-ACK, or 4266 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4267 * statement from the specs. Additinally, there might be an attacker 4268 * on the path and we may not want to continue this communication. 4269 */ 4270 static sctp_disposition_t sctp_sf_violation_chunk( 4271 const struct sctp_endpoint *ep, 4272 const struct sctp_association *asoc, 4273 const sctp_subtype_t type, 4274 void *arg, 4275 sctp_cmd_seq_t *commands) 4276 { 4277 char err_str[]="The following chunk violates protocol:"; 4278 4279 if (!asoc) 4280 return sctp_sf_violation(ep, asoc, type, arg, commands); 4281 4282 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4283 sizeof(err_str)); 4284 } 4285 /*************************************************************************** 4286 * These are the state functions for handling primitive (Section 10) events. 4287 ***************************************************************************/ 4288 /* 4289 * sctp_sf_do_prm_asoc 4290 * 4291 * Section: 10.1 ULP-to-SCTP 4292 * B) Associate 4293 * 4294 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4295 * outbound stream count) 4296 * -> association id [,destination transport addr list] [,outbound stream 4297 * count] 4298 * 4299 * This primitive allows the upper layer to initiate an association to a 4300 * specific peer endpoint. 4301 * 4302 * The peer endpoint shall be specified by one of the transport addresses 4303 * which defines the endpoint (see Section 1.4). If the local SCTP 4304 * instance has not been initialized, the ASSOCIATE is considered an 4305 * error. 4306 * [This is not relevant for the kernel implementation since we do all 4307 * initialization at boot time. It we hadn't initialized we wouldn't 4308 * get anywhere near this code.] 4309 * 4310 * An association id, which is a local handle to the SCTP association, 4311 * will be returned on successful establishment of the association. If 4312 * SCTP is not able to open an SCTP association with the peer endpoint, 4313 * an error is returned. 4314 * [In the kernel implementation, the struct sctp_association needs to 4315 * be created BEFORE causing this primitive to run.] 4316 * 4317 * Other association parameters may be returned, including the 4318 * complete destination transport addresses of the peer as well as the 4319 * outbound stream count of the local endpoint. One of the transport 4320 * address from the returned destination addresses will be selected by 4321 * the local endpoint as default primary path for sending SCTP packets 4322 * to this peer. The returned "destination transport addr list" can 4323 * be used by the ULP to change the default primary path or to force 4324 * sending a packet to a specific transport address. [All of this 4325 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4326 * function.] 4327 * 4328 * Mandatory attributes: 4329 * 4330 * o local SCTP instance name - obtained from the INITIALIZE operation. 4331 * [This is the argument asoc.] 4332 * o destination transport addr - specified as one of the transport 4333 * addresses of the peer endpoint with which the association is to be 4334 * established. 4335 * [This is asoc->peer.active_path.] 4336 * o outbound stream count - the number of outbound streams the ULP 4337 * would like to open towards this peer endpoint. 4338 * [BUG: This is not currently implemented.] 4339 * Optional attributes: 4340 * 4341 * None. 4342 * 4343 * The return value is a disposition. 4344 */ 4345 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 4346 const struct sctp_association *asoc, 4347 const sctp_subtype_t type, 4348 void *arg, 4349 sctp_cmd_seq_t *commands) 4350 { 4351 struct sctp_chunk *repl; 4352 4353 /* The comment below says that we enter COOKIE-WAIT AFTER 4354 * sending the INIT, but that doesn't actually work in our 4355 * implementation... 4356 */ 4357 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4358 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4359 4360 /* RFC 2960 5.1 Normal Establishment of an Association 4361 * 4362 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4363 * must provide its Verification Tag (Tag_A) in the Initiate 4364 * Tag field. Tag_A SHOULD be a random number in the range of 4365 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4366 */ 4367 4368 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4369 if (!repl) 4370 goto nomem; 4371 4372 /* Cast away the const modifier, as we want to just 4373 * rerun it through as a sideffect. 4374 */ 4375 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, 4376 SCTP_ASOC((struct sctp_association *) asoc)); 4377 4378 /* Choose transport for INIT. */ 4379 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4380 SCTP_CHUNK(repl)); 4381 4382 /* After sending the INIT, "A" starts the T1-init timer and 4383 * enters the COOKIE-WAIT state. 4384 */ 4385 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4386 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4387 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4388 return SCTP_DISPOSITION_CONSUME; 4389 4390 nomem: 4391 return SCTP_DISPOSITION_NOMEM; 4392 } 4393 4394 /* 4395 * Process the SEND primitive. 4396 * 4397 * Section: 10.1 ULP-to-SCTP 4398 * E) Send 4399 * 4400 * Format: SEND(association id, buffer address, byte count [,context] 4401 * [,stream id] [,life time] [,destination transport address] 4402 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4403 * -> result 4404 * 4405 * This is the main method to send user data via SCTP. 4406 * 4407 * Mandatory attributes: 4408 * 4409 * o association id - local handle to the SCTP association 4410 * 4411 * o buffer address - the location where the user message to be 4412 * transmitted is stored; 4413 * 4414 * o byte count - The size of the user data in number of bytes; 4415 * 4416 * Optional attributes: 4417 * 4418 * o context - an optional 32 bit integer that will be carried in the 4419 * sending failure notification to the ULP if the transportation of 4420 * this User Message fails. 4421 * 4422 * o stream id - to indicate which stream to send the data on. If not 4423 * specified, stream 0 will be used. 4424 * 4425 * o life time - specifies the life time of the user data. The user data 4426 * will not be sent by SCTP after the life time expires. This 4427 * parameter can be used to avoid efforts to transmit stale 4428 * user messages. SCTP notifies the ULP if the data cannot be 4429 * initiated to transport (i.e. sent to the destination via SCTP's 4430 * send primitive) within the life time variable. However, the 4431 * user data will be transmitted if SCTP has attempted to transmit a 4432 * chunk before the life time expired. 4433 * 4434 * o destination transport address - specified as one of the destination 4435 * transport addresses of the peer endpoint to which this packet 4436 * should be sent. Whenever possible, SCTP should use this destination 4437 * transport address for sending the packets, instead of the current 4438 * primary path. 4439 * 4440 * o unorder flag - this flag, if present, indicates that the user 4441 * would like the data delivered in an unordered fashion to the peer 4442 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4443 * message). 4444 * 4445 * o no-bundle flag - instructs SCTP not to bundle this user data with 4446 * other outbound DATA chunks. SCTP MAY still bundle even when 4447 * this flag is present, when faced with network congestion. 4448 * 4449 * o payload protocol-id - A 32 bit unsigned integer that is to be 4450 * passed to the peer indicating the type of payload protocol data 4451 * being transmitted. This value is passed as opaque data by SCTP. 4452 * 4453 * The return value is the disposition. 4454 */ 4455 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 4456 const struct sctp_association *asoc, 4457 const sctp_subtype_t type, 4458 void *arg, 4459 sctp_cmd_seq_t *commands) 4460 { 4461 struct sctp_chunk *chunk = arg; 4462 4463 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4464 return SCTP_DISPOSITION_CONSUME; 4465 } 4466 4467 /* 4468 * Process the SHUTDOWN primitive. 4469 * 4470 * Section: 10.1: 4471 * C) Shutdown 4472 * 4473 * Format: SHUTDOWN(association id) 4474 * -> result 4475 * 4476 * Gracefully closes an association. Any locally queued user data 4477 * will be delivered to the peer. The association will be terminated only 4478 * after the peer acknowledges all the SCTP packets sent. A success code 4479 * will be returned on successful termination of the association. If 4480 * attempting to terminate the association results in a failure, an error 4481 * code shall be returned. 4482 * 4483 * Mandatory attributes: 4484 * 4485 * o association id - local handle to the SCTP association 4486 * 4487 * Optional attributes: 4488 * 4489 * None. 4490 * 4491 * The return value is the disposition. 4492 */ 4493 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4494 const struct sctp_endpoint *ep, 4495 const struct sctp_association *asoc, 4496 const sctp_subtype_t type, 4497 void *arg, 4498 sctp_cmd_seq_t *commands) 4499 { 4500 int disposition; 4501 4502 /* From 9.2 Shutdown of an Association 4503 * Upon receipt of the SHUTDOWN primitive from its upper 4504 * layer, the endpoint enters SHUTDOWN-PENDING state and 4505 * remains there until all outstanding data has been 4506 * acknowledged by its peer. The endpoint accepts no new data 4507 * from its upper layer, but retransmits data to the far end 4508 * if necessary to fill gaps. 4509 */ 4510 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4511 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4512 4513 /* sctpimpguide-05 Section 2.12.2 4514 * The sender of the SHUTDOWN MAY also start an overall guard timer 4515 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4516 */ 4517 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4518 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4519 4520 disposition = SCTP_DISPOSITION_CONSUME; 4521 if (sctp_outq_is_empty(&asoc->outqueue)) { 4522 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4523 arg, commands); 4524 } 4525 return disposition; 4526 } 4527 4528 /* 4529 * Process the ABORT primitive. 4530 * 4531 * Section: 10.1: 4532 * C) Abort 4533 * 4534 * Format: Abort(association id [, cause code]) 4535 * -> result 4536 * 4537 * Ungracefully closes an association. Any locally queued user data 4538 * will be discarded and an ABORT chunk is sent to the peer. A success code 4539 * will be returned on successful abortion of the association. If 4540 * attempting to abort the association results in a failure, an error 4541 * code shall be returned. 4542 * 4543 * Mandatory attributes: 4544 * 4545 * o association id - local handle to the SCTP association 4546 * 4547 * Optional attributes: 4548 * 4549 * o cause code - reason of the abort to be passed to the peer 4550 * 4551 * None. 4552 * 4553 * The return value is the disposition. 4554 */ 4555 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4556 const struct sctp_endpoint *ep, 4557 const struct sctp_association *asoc, 4558 const sctp_subtype_t type, 4559 void *arg, 4560 sctp_cmd_seq_t *commands) 4561 { 4562 /* From 9.1 Abort of an Association 4563 * Upon receipt of the ABORT primitive from its upper 4564 * layer, the endpoint enters CLOSED state and 4565 * discard all outstanding data has been 4566 * acknowledged by its peer. The endpoint accepts no new data 4567 * from its upper layer, but retransmits data to the far end 4568 * if necessary to fill gaps. 4569 */ 4570 struct sctp_chunk *abort = arg; 4571 sctp_disposition_t retval; 4572 4573 retval = SCTP_DISPOSITION_CONSUME; 4574 4575 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4576 4577 /* Even if we can't send the ABORT due to low memory delete the 4578 * TCB. This is a departure from our typical NOMEM handling. 4579 */ 4580 4581 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4582 SCTP_ERROR(ECONNABORTED)); 4583 /* Delete the established association. */ 4584 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4585 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4586 4587 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4588 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4589 4590 return retval; 4591 } 4592 4593 /* We tried an illegal operation on an association which is closed. */ 4594 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4595 const struct sctp_association *asoc, 4596 const sctp_subtype_t type, 4597 void *arg, 4598 sctp_cmd_seq_t *commands) 4599 { 4600 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4601 return SCTP_DISPOSITION_CONSUME; 4602 } 4603 4604 /* We tried an illegal operation on an association which is shutting 4605 * down. 4606 */ 4607 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4608 const struct sctp_association *asoc, 4609 const sctp_subtype_t type, 4610 void *arg, 4611 sctp_cmd_seq_t *commands) 4612 { 4613 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4614 SCTP_ERROR(-ESHUTDOWN)); 4615 return SCTP_DISPOSITION_CONSUME; 4616 } 4617 4618 /* 4619 * sctp_cookie_wait_prm_shutdown 4620 * 4621 * Section: 4 Note: 2 4622 * Verification Tag: 4623 * Inputs 4624 * (endpoint, asoc) 4625 * 4626 * The RFC does not explicitly address this issue, but is the route through the 4627 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4628 * 4629 * Outputs 4630 * (timers) 4631 */ 4632 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4633 const struct sctp_endpoint *ep, 4634 const struct sctp_association *asoc, 4635 const sctp_subtype_t type, 4636 void *arg, 4637 sctp_cmd_seq_t *commands) 4638 { 4639 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4640 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4641 4642 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4643 SCTP_STATE(SCTP_STATE_CLOSED)); 4644 4645 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4646 4647 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4648 4649 return SCTP_DISPOSITION_DELETE_TCB; 4650 } 4651 4652 /* 4653 * sctp_cookie_echoed_prm_shutdown 4654 * 4655 * Section: 4 Note: 2 4656 * Verification Tag: 4657 * Inputs 4658 * (endpoint, asoc) 4659 * 4660 * The RFC does not explcitly address this issue, but is the route through the 4661 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4662 * 4663 * Outputs 4664 * (timers) 4665 */ 4666 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4667 const struct sctp_endpoint *ep, 4668 const struct sctp_association *asoc, 4669 const sctp_subtype_t type, 4670 void *arg, sctp_cmd_seq_t *commands) 4671 { 4672 /* There is a single T1 timer, so we should be able to use 4673 * common function with the COOKIE-WAIT state. 4674 */ 4675 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4676 } 4677 4678 /* 4679 * sctp_sf_cookie_wait_prm_abort 4680 * 4681 * Section: 4 Note: 2 4682 * Verification Tag: 4683 * Inputs 4684 * (endpoint, asoc) 4685 * 4686 * The RFC does not explicitly address this issue, but is the route through the 4687 * state table when someone issues an abort while in COOKIE_WAIT state. 4688 * 4689 * Outputs 4690 * (timers) 4691 */ 4692 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4693 const struct sctp_endpoint *ep, 4694 const struct sctp_association *asoc, 4695 const sctp_subtype_t type, 4696 void *arg, 4697 sctp_cmd_seq_t *commands) 4698 { 4699 struct sctp_chunk *abort = arg; 4700 sctp_disposition_t retval; 4701 4702 /* Stop T1-init timer */ 4703 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4704 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4705 retval = SCTP_DISPOSITION_CONSUME; 4706 4707 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4708 4709 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4710 SCTP_STATE(SCTP_STATE_CLOSED)); 4711 4712 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4713 4714 /* Even if we can't send the ABORT due to low memory delete the 4715 * TCB. This is a departure from our typical NOMEM handling. 4716 */ 4717 4718 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4719 SCTP_ERROR(ECONNREFUSED)); 4720 /* Delete the established association. */ 4721 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4722 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4723 4724 return retval; 4725 } 4726 4727 /* 4728 * sctp_sf_cookie_echoed_prm_abort 4729 * 4730 * Section: 4 Note: 3 4731 * Verification Tag: 4732 * Inputs 4733 * (endpoint, asoc) 4734 * 4735 * The RFC does not explcitly address this issue, but is the route through the 4736 * state table when someone issues an abort while in COOKIE_ECHOED state. 4737 * 4738 * Outputs 4739 * (timers) 4740 */ 4741 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4742 const struct sctp_endpoint *ep, 4743 const struct sctp_association *asoc, 4744 const sctp_subtype_t type, 4745 void *arg, 4746 sctp_cmd_seq_t *commands) 4747 { 4748 /* There is a single T1 timer, so we should be able to use 4749 * common function with the COOKIE-WAIT state. 4750 */ 4751 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4752 } 4753 4754 /* 4755 * sctp_sf_shutdown_pending_prm_abort 4756 * 4757 * Inputs 4758 * (endpoint, asoc) 4759 * 4760 * The RFC does not explicitly address this issue, but is the route through the 4761 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4762 * 4763 * Outputs 4764 * (timers) 4765 */ 4766 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4767 const struct sctp_endpoint *ep, 4768 const struct sctp_association *asoc, 4769 const sctp_subtype_t type, 4770 void *arg, 4771 sctp_cmd_seq_t *commands) 4772 { 4773 /* Stop the T5-shutdown guard timer. */ 4774 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4775 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4776 4777 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4778 } 4779 4780 /* 4781 * sctp_sf_shutdown_sent_prm_abort 4782 * 4783 * Inputs 4784 * (endpoint, asoc) 4785 * 4786 * The RFC does not explicitly address this issue, but is the route through the 4787 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4788 * 4789 * Outputs 4790 * (timers) 4791 */ 4792 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4793 const struct sctp_endpoint *ep, 4794 const struct sctp_association *asoc, 4795 const sctp_subtype_t type, 4796 void *arg, 4797 sctp_cmd_seq_t *commands) 4798 { 4799 /* Stop the T2-shutdown timer. */ 4800 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4801 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4802 4803 /* Stop the T5-shutdown guard timer. */ 4804 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4805 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4806 4807 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4808 } 4809 4810 /* 4811 * sctp_sf_cookie_echoed_prm_abort 4812 * 4813 * Inputs 4814 * (endpoint, asoc) 4815 * 4816 * The RFC does not explcitly address this issue, but is the route through the 4817 * state table when someone issues an abort while in COOKIE_ECHOED state. 4818 * 4819 * Outputs 4820 * (timers) 4821 */ 4822 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4823 const struct sctp_endpoint *ep, 4824 const struct sctp_association *asoc, 4825 const sctp_subtype_t type, 4826 void *arg, 4827 sctp_cmd_seq_t *commands) 4828 { 4829 /* The same T2 timer, so we should be able to use 4830 * common function with the SHUTDOWN-SENT state. 4831 */ 4832 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4833 } 4834 4835 /* 4836 * Process the REQUESTHEARTBEAT primitive 4837 * 4838 * 10.1 ULP-to-SCTP 4839 * J) Request Heartbeat 4840 * 4841 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4842 * 4843 * -> result 4844 * 4845 * Instructs the local endpoint to perform a HeartBeat on the specified 4846 * destination transport address of the given association. The returned 4847 * result should indicate whether the transmission of the HEARTBEAT 4848 * chunk to the destination address is successful. 4849 * 4850 * Mandatory attributes: 4851 * 4852 * o association id - local handle to the SCTP association 4853 * 4854 * o destination transport address - the transport address of the 4855 * association on which a heartbeat should be issued. 4856 */ 4857 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4858 const struct sctp_endpoint *ep, 4859 const struct sctp_association *asoc, 4860 const sctp_subtype_t type, 4861 void *arg, 4862 sctp_cmd_seq_t *commands) 4863 { 4864 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 4865 (struct sctp_transport *)arg, commands)) 4866 return SCTP_DISPOSITION_NOMEM; 4867 4868 /* 4869 * RFC 2960 (bis), section 8.3 4870 * 4871 * D) Request an on-demand HEARTBEAT on a specific destination 4872 * transport address of a given association. 4873 * 4874 * The endpoint should increment the respective error counter of 4875 * the destination transport address each time a HEARTBEAT is sent 4876 * to that address and not acknowledged within one RTO. 4877 * 4878 */ 4879 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 4880 SCTP_TRANSPORT(arg)); 4881 return SCTP_DISPOSITION_CONSUME; 4882 } 4883 4884 /* 4885 * ADDIP Section 4.1 ASCONF Chunk Procedures 4886 * When an endpoint has an ASCONF signaled change to be sent to the 4887 * remote endpoint it should do A1 to A9 4888 */ 4889 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4890 const struct sctp_association *asoc, 4891 const sctp_subtype_t type, 4892 void *arg, 4893 sctp_cmd_seq_t *commands) 4894 { 4895 struct sctp_chunk *chunk = arg; 4896 4897 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4898 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4899 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4900 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4901 return SCTP_DISPOSITION_CONSUME; 4902 } 4903 4904 /* 4905 * Ignore the primitive event 4906 * 4907 * The return value is the disposition of the primitive. 4908 */ 4909 sctp_disposition_t sctp_sf_ignore_primitive( 4910 const struct sctp_endpoint *ep, 4911 const struct sctp_association *asoc, 4912 const sctp_subtype_t type, 4913 void *arg, 4914 sctp_cmd_seq_t *commands) 4915 { 4916 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4917 return SCTP_DISPOSITION_DISCARD; 4918 } 4919 4920 /*************************************************************************** 4921 * These are the state functions for the OTHER events. 4922 ***************************************************************************/ 4923 4924 /* 4925 * Start the shutdown negotiation. 4926 * 4927 * From Section 9.2: 4928 * Once all its outstanding data has been acknowledged, the endpoint 4929 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4930 * TSN Ack field the last sequential TSN it has received from the peer. 4931 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4932 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4933 * with the updated last sequential TSN received from its peer. 4934 * 4935 * The return value is the disposition. 4936 */ 4937 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4938 const struct sctp_endpoint *ep, 4939 const struct sctp_association *asoc, 4940 const sctp_subtype_t type, 4941 void *arg, 4942 sctp_cmd_seq_t *commands) 4943 { 4944 struct sctp_chunk *reply; 4945 4946 /* Once all its outstanding data has been acknowledged, the 4947 * endpoint shall send a SHUTDOWN chunk to its peer including 4948 * in the Cumulative TSN Ack field the last sequential TSN it 4949 * has received from the peer. 4950 */ 4951 reply = sctp_make_shutdown(asoc, NULL); 4952 if (!reply) 4953 goto nomem; 4954 4955 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4956 * T2-shutdown timer. 4957 */ 4958 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4959 4960 /* It shall then start the T2-shutdown timer */ 4961 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4962 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4963 4964 if (asoc->autoclose) 4965 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4966 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4967 4968 /* and enter the SHUTDOWN-SENT state. */ 4969 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4970 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4971 4972 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4973 * 4974 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4975 * or SHUTDOWN-ACK. 4976 */ 4977 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4978 4979 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4980 4981 return SCTP_DISPOSITION_CONSUME; 4982 4983 nomem: 4984 return SCTP_DISPOSITION_NOMEM; 4985 } 4986 4987 /* 4988 * Generate a SHUTDOWN ACK now that everything is SACK'd. 4989 * 4990 * From Section 9.2: 4991 * 4992 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4993 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 4994 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 4995 * endpoint must re-send the SHUTDOWN ACK. 4996 * 4997 * The return value is the disposition. 4998 */ 4999 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5000 const struct sctp_endpoint *ep, 5001 const struct sctp_association *asoc, 5002 const sctp_subtype_t type, 5003 void *arg, 5004 sctp_cmd_seq_t *commands) 5005 { 5006 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5007 struct sctp_chunk *reply; 5008 5009 /* There are 2 ways of getting here: 5010 * 1) called in response to a SHUTDOWN chunk 5011 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5012 * 5013 * For the case (2), the arg parameter is set to NULL. We need 5014 * to check that we have a chunk before accessing it's fields. 5015 */ 5016 if (chunk) { 5017 if (!sctp_vtag_verify(chunk, asoc)) 5018 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 5019 5020 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5021 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5022 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 5023 commands); 5024 } 5025 5026 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5027 * shall send a SHUTDOWN ACK ... 5028 */ 5029 reply = sctp_make_shutdown_ack(asoc, chunk); 5030 if (!reply) 5031 goto nomem; 5032 5033 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5034 * the T2-shutdown timer. 5035 */ 5036 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5037 5038 /* and start/restart a T2-shutdown timer of its own, */ 5039 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5040 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5041 5042 if (asoc->autoclose) 5043 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5044 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5045 5046 /* Enter the SHUTDOWN-ACK-SENT state. */ 5047 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5048 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5049 5050 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5051 * 5052 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5053 * or SHUTDOWN-ACK. 5054 */ 5055 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5056 5057 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5058 5059 return SCTP_DISPOSITION_CONSUME; 5060 5061 nomem: 5062 return SCTP_DISPOSITION_NOMEM; 5063 } 5064 5065 /* 5066 * Ignore the event defined as other 5067 * 5068 * The return value is the disposition of the event. 5069 */ 5070 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 5071 const struct sctp_association *asoc, 5072 const sctp_subtype_t type, 5073 void *arg, 5074 sctp_cmd_seq_t *commands) 5075 { 5076 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 5077 return SCTP_DISPOSITION_DISCARD; 5078 } 5079 5080 /************************************************************ 5081 * These are the state functions for handling timeout events. 5082 ************************************************************/ 5083 5084 /* 5085 * RTX Timeout 5086 * 5087 * Section: 6.3.3 Handle T3-rtx Expiration 5088 * 5089 * Whenever the retransmission timer T3-rtx expires for a destination 5090 * address, do the following: 5091 * [See below] 5092 * 5093 * The return value is the disposition of the chunk. 5094 */ 5095 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 5096 const struct sctp_association *asoc, 5097 const sctp_subtype_t type, 5098 void *arg, 5099 sctp_cmd_seq_t *commands) 5100 { 5101 struct sctp_transport *transport = arg; 5102 5103 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 5104 5105 if (asoc->overall_error_count >= asoc->max_retrans) { 5106 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5107 SCTP_ERROR(ETIMEDOUT)); 5108 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5109 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5110 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5111 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5112 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5113 return SCTP_DISPOSITION_DELETE_TCB; 5114 } 5115 5116 /* E1) For the destination address for which the timer 5117 * expires, adjust its ssthresh with rules defined in Section 5118 * 7.2.3 and set the cwnd <- MTU. 5119 */ 5120 5121 /* E2) For the destination address for which the timer 5122 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5123 * maximum value discussed in rule C7 above (RTO.max) may be 5124 * used to provide an upper bound to this doubling operation. 5125 */ 5126 5127 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5128 * outstanding DATA chunks for the address for which the 5129 * T3-rtx has expired will fit into a single packet, subject 5130 * to the MTU constraint for the path corresponding to the 5131 * destination transport address to which the retransmission 5132 * is being sent (this may be different from the address for 5133 * which the timer expires [see Section 6.4]). Call this 5134 * value K. Bundle and retransmit those K DATA chunks in a 5135 * single packet to the destination endpoint. 5136 * 5137 * Note: Any DATA chunks that were sent to the address for 5138 * which the T3-rtx timer expired but did not fit in one MTU 5139 * (rule E3 above), should be marked for retransmission and 5140 * sent as soon as cwnd allows (normally when a SACK arrives). 5141 */ 5142 5143 /* Do some failure management (Section 8.2). */ 5144 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5145 5146 /* NB: Rules E4 and F1 are implicit in R1. */ 5147 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5148 5149 return SCTP_DISPOSITION_CONSUME; 5150 } 5151 5152 /* 5153 * Generate delayed SACK on timeout 5154 * 5155 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5156 * 5157 * The guidelines on delayed acknowledgement algorithm specified in 5158 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5159 * acknowledgement SHOULD be generated for at least every second packet 5160 * (not every second DATA chunk) received, and SHOULD be generated 5161 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5162 * some situations it may be beneficial for an SCTP transmitter to be 5163 * more conservative than the algorithms detailed in this document 5164 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5165 * the following algorithms allow. 5166 */ 5167 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 5168 const struct sctp_association *asoc, 5169 const sctp_subtype_t type, 5170 void *arg, 5171 sctp_cmd_seq_t *commands) 5172 { 5173 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 5174 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5175 return SCTP_DISPOSITION_CONSUME; 5176 } 5177 5178 /* 5179 * sctp_sf_t1_init_timer_expire 5180 * 5181 * Section: 4 Note: 2 5182 * Verification Tag: 5183 * Inputs 5184 * (endpoint, asoc) 5185 * 5186 * RFC 2960 Section 4 Notes 5187 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5188 * and re-start the T1-init timer without changing state. This MUST 5189 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5190 * endpoint MUST abort the initialization process and report the 5191 * error to SCTP user. 5192 * 5193 * Outputs 5194 * (timers, events) 5195 * 5196 */ 5197 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 5198 const struct sctp_association *asoc, 5199 const sctp_subtype_t type, 5200 void *arg, 5201 sctp_cmd_seq_t *commands) 5202 { 5203 struct sctp_chunk *repl = NULL; 5204 struct sctp_bind_addr *bp; 5205 int attempts = asoc->init_err_counter + 1; 5206 5207 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 5208 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 5209 5210 if (attempts <= asoc->max_init_attempts) { 5211 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5212 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5213 if (!repl) 5214 return SCTP_DISPOSITION_NOMEM; 5215 5216 /* Choose transport for INIT. */ 5217 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5218 SCTP_CHUNK(repl)); 5219 5220 /* Issue a sideeffect to do the needed accounting. */ 5221 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5222 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5223 5224 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5225 } else { 5226 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 5227 " max_init_attempts: %d\n", 5228 attempts, asoc->max_init_attempts); 5229 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5230 SCTP_ERROR(ETIMEDOUT)); 5231 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5232 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5233 return SCTP_DISPOSITION_DELETE_TCB; 5234 } 5235 5236 return SCTP_DISPOSITION_CONSUME; 5237 } 5238 5239 /* 5240 * sctp_sf_t1_cookie_timer_expire 5241 * 5242 * Section: 4 Note: 2 5243 * Verification Tag: 5244 * Inputs 5245 * (endpoint, asoc) 5246 * 5247 * RFC 2960 Section 4 Notes 5248 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5249 * COOKIE ECHO and re-start the T1-cookie timer without changing 5250 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5251 * After that, the endpoint MUST abort the initialization process and 5252 * report the error to SCTP user. 5253 * 5254 * Outputs 5255 * (timers, events) 5256 * 5257 */ 5258 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 5259 const struct sctp_association *asoc, 5260 const sctp_subtype_t type, 5261 void *arg, 5262 sctp_cmd_seq_t *commands) 5263 { 5264 struct sctp_chunk *repl = NULL; 5265 int attempts = asoc->init_err_counter + 1; 5266 5267 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 5268 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 5269 5270 if (attempts <= asoc->max_init_attempts) { 5271 repl = sctp_make_cookie_echo(asoc, NULL); 5272 if (!repl) 5273 return SCTP_DISPOSITION_NOMEM; 5274 5275 /* Issue a sideeffect to do the needed accounting. */ 5276 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5277 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5278 5279 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5280 } else { 5281 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5282 SCTP_ERROR(ETIMEDOUT)); 5283 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5284 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5285 return SCTP_DISPOSITION_DELETE_TCB; 5286 } 5287 5288 return SCTP_DISPOSITION_CONSUME; 5289 } 5290 5291 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5292 * with the updated last sequential TSN received from its peer. 5293 * 5294 * An endpoint should limit the number of retransmissions of the 5295 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5296 * If this threshold is exceeded the endpoint should destroy the TCB and 5297 * MUST report the peer endpoint unreachable to the upper layer (and 5298 * thus the association enters the CLOSED state). The reception of any 5299 * packet from its peer (i.e. as the peer sends all of its queued DATA 5300 * chunks) should clear the endpoint's retransmission count and restart 5301 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5302 * all of its queued DATA chunks that have not yet been sent. 5303 */ 5304 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 5305 const struct sctp_association *asoc, 5306 const sctp_subtype_t type, 5307 void *arg, 5308 sctp_cmd_seq_t *commands) 5309 { 5310 struct sctp_chunk *reply = NULL; 5311 5312 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 5313 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5314 5315 if (asoc->overall_error_count >= asoc->max_retrans) { 5316 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5317 SCTP_ERROR(ETIMEDOUT)); 5318 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5319 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5320 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5321 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5322 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5323 return SCTP_DISPOSITION_DELETE_TCB; 5324 } 5325 5326 switch (asoc->state) { 5327 case SCTP_STATE_SHUTDOWN_SENT: 5328 reply = sctp_make_shutdown(asoc, NULL); 5329 break; 5330 5331 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5332 reply = sctp_make_shutdown_ack(asoc, NULL); 5333 break; 5334 5335 default: 5336 BUG(); 5337 break; 5338 } 5339 5340 if (!reply) 5341 goto nomem; 5342 5343 /* Do some failure management (Section 8.2). */ 5344 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5345 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5346 5347 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5348 * the T2-shutdown timer. 5349 */ 5350 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5351 5352 /* Restart the T2-shutdown timer. */ 5353 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5354 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5355 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5356 return SCTP_DISPOSITION_CONSUME; 5357 5358 nomem: 5359 return SCTP_DISPOSITION_NOMEM; 5360 } 5361 5362 /* 5363 * ADDIP Section 4.1 ASCONF CHunk Procedures 5364 * If the T4 RTO timer expires the endpoint should do B1 to B5 5365 */ 5366 sctp_disposition_t sctp_sf_t4_timer_expire( 5367 const struct sctp_endpoint *ep, 5368 const struct sctp_association *asoc, 5369 const sctp_subtype_t type, 5370 void *arg, 5371 sctp_cmd_seq_t *commands) 5372 { 5373 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5374 struct sctp_transport *transport = chunk->transport; 5375 5376 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 5377 5378 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5379 * detection on the appropriate destination address as defined in 5380 * RFC2960 [5] section 8.1 and 8.2. 5381 */ 5382 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5383 5384 /* Reconfig T4 timer and transport. */ 5385 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5386 5387 /* ADDIP 4.1 B2) Increment the association error counters and perform 5388 * endpoint failure detection on the association as defined in 5389 * RFC2960 [5] section 8.1 and 8.2. 5390 * association error counter is incremented in SCTP_CMD_STRIKE. 5391 */ 5392 if (asoc->overall_error_count >= asoc->max_retrans) { 5393 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5394 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5395 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5396 SCTP_ERROR(ETIMEDOUT)); 5397 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5398 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5399 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5400 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 5401 return SCTP_DISPOSITION_ABORT; 5402 } 5403 5404 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5405 * the ASCONF chunk was sent by doubling the RTO timer value. 5406 * This is done in SCTP_CMD_STRIKE. 5407 */ 5408 5409 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5410 * choose an alternate destination address (please refer to RFC2960 5411 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5412 * chunk, it MUST be the same (including its serial number) as the last 5413 * ASCONF sent. 5414 */ 5415 sctp_chunk_hold(asoc->addip_last_asconf); 5416 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5417 SCTP_CHUNK(asoc->addip_last_asconf)); 5418 5419 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5420 * destination is selected, then the RTO used will be that of the new 5421 * destination address. 5422 */ 5423 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5424 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5425 5426 return SCTP_DISPOSITION_CONSUME; 5427 } 5428 5429 /* sctpimpguide-05 Section 2.12.2 5430 * The sender of the SHUTDOWN MAY also start an overall guard timer 5431 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5432 * At the expiration of this timer the sender SHOULD abort the association 5433 * by sending an ABORT chunk. 5434 */ 5435 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 5436 const struct sctp_association *asoc, 5437 const sctp_subtype_t type, 5438 void *arg, 5439 sctp_cmd_seq_t *commands) 5440 { 5441 struct sctp_chunk *reply = NULL; 5442 5443 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 5444 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5445 5446 reply = sctp_make_abort(asoc, NULL, 0); 5447 if (!reply) 5448 goto nomem; 5449 5450 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5451 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5452 SCTP_ERROR(ETIMEDOUT)); 5453 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5454 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5455 5456 return SCTP_DISPOSITION_DELETE_TCB; 5457 nomem: 5458 return SCTP_DISPOSITION_NOMEM; 5459 } 5460 5461 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5462 * the association is automatically closed by starting the shutdown process. 5463 * The work that needs to be done is same as when SHUTDOWN is initiated by 5464 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5465 */ 5466 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5467 const struct sctp_endpoint *ep, 5468 const struct sctp_association *asoc, 5469 const sctp_subtype_t type, 5470 void *arg, 5471 sctp_cmd_seq_t *commands) 5472 { 5473 int disposition; 5474 5475 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 5476 5477 /* From 9.2 Shutdown of an Association 5478 * Upon receipt of the SHUTDOWN primitive from its upper 5479 * layer, the endpoint enters SHUTDOWN-PENDING state and 5480 * remains there until all outstanding data has been 5481 * acknowledged by its peer. The endpoint accepts no new data 5482 * from its upper layer, but retransmits data to the far end 5483 * if necessary to fill gaps. 5484 */ 5485 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5486 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5487 5488 /* sctpimpguide-05 Section 2.12.2 5489 * The sender of the SHUTDOWN MAY also start an overall guard timer 5490 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5491 */ 5492 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5493 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5494 disposition = SCTP_DISPOSITION_CONSUME; 5495 if (sctp_outq_is_empty(&asoc->outqueue)) { 5496 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 5497 arg, commands); 5498 } 5499 return disposition; 5500 } 5501 5502 /***************************************************************************** 5503 * These are sa state functions which could apply to all types of events. 5504 ****************************************************************************/ 5505 5506 /* 5507 * This table entry is not implemented. 5508 * 5509 * Inputs 5510 * (endpoint, asoc, chunk) 5511 * 5512 * The return value is the disposition of the chunk. 5513 */ 5514 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 5515 const struct sctp_association *asoc, 5516 const sctp_subtype_t type, 5517 void *arg, 5518 sctp_cmd_seq_t *commands) 5519 { 5520 return SCTP_DISPOSITION_NOT_IMPL; 5521 } 5522 5523 /* 5524 * This table entry represents a bug. 5525 * 5526 * Inputs 5527 * (endpoint, asoc, chunk) 5528 * 5529 * The return value is the disposition of the chunk. 5530 */ 5531 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 5532 const struct sctp_association *asoc, 5533 const sctp_subtype_t type, 5534 void *arg, 5535 sctp_cmd_seq_t *commands) 5536 { 5537 return SCTP_DISPOSITION_BUG; 5538 } 5539 5540 /* 5541 * This table entry represents the firing of a timer in the wrong state. 5542 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5543 * when the association is in the wrong state. This event should 5544 * be ignored, so as to prevent any rearming of the timer. 5545 * 5546 * Inputs 5547 * (endpoint, asoc, chunk) 5548 * 5549 * The return value is the disposition of the chunk. 5550 */ 5551 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 5552 const struct sctp_association *asoc, 5553 const sctp_subtype_t type, 5554 void *arg, 5555 sctp_cmd_seq_t *commands) 5556 { 5557 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5558 return SCTP_DISPOSITION_CONSUME; 5559 } 5560 5561 /******************************************************************** 5562 * 2nd Level Abstractions 5563 ********************************************************************/ 5564 5565 /* Pull the SACK chunk based on the SACK header. */ 5566 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5567 { 5568 struct sctp_sackhdr *sack; 5569 unsigned int len; 5570 __u16 num_blocks; 5571 __u16 num_dup_tsns; 5572 5573 /* Protect ourselves from reading too far into 5574 * the skb from a bogus sender. 5575 */ 5576 sack = (struct sctp_sackhdr *) chunk->skb->data; 5577 5578 num_blocks = ntohs(sack->num_gap_ack_blocks); 5579 num_dup_tsns = ntohs(sack->num_dup_tsns); 5580 len = sizeof(struct sctp_sackhdr); 5581 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5582 if (len > chunk->skb->len) 5583 return NULL; 5584 5585 skb_pull(chunk->skb, len); 5586 5587 return sack; 5588 } 5589 5590 /* Create an ABORT packet to be sent as a response, with the specified 5591 * error causes. 5592 */ 5593 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5594 const struct sctp_association *asoc, 5595 struct sctp_chunk *chunk, 5596 const void *payload, 5597 size_t paylen) 5598 { 5599 struct sctp_packet *packet; 5600 struct sctp_chunk *abort; 5601 5602 packet = sctp_ootb_pkt_new(asoc, chunk); 5603 5604 if (packet) { 5605 /* Make an ABORT. 5606 * The T bit will be set if the asoc is NULL. 5607 */ 5608 abort = sctp_make_abort(asoc, chunk, paylen); 5609 if (!abort) { 5610 sctp_ootb_pkt_free(packet); 5611 return NULL; 5612 } 5613 5614 /* Reflect vtag if T-Bit is set */ 5615 if (sctp_test_T_bit(abort)) 5616 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5617 5618 /* Add specified error causes, i.e., payload, to the 5619 * end of the chunk. 5620 */ 5621 sctp_addto_chunk(abort, paylen, payload); 5622 5623 /* Set the skb to the belonging sock for accounting. */ 5624 abort->skb->sk = ep->base.sk; 5625 5626 sctp_packet_append_chunk(packet, abort); 5627 5628 } 5629 5630 return packet; 5631 } 5632 5633 /* Allocate a packet for responding in the OOTB conditions. */ 5634 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5635 const struct sctp_chunk *chunk) 5636 { 5637 struct sctp_packet *packet; 5638 struct sctp_transport *transport; 5639 __u16 sport; 5640 __u16 dport; 5641 __u32 vtag; 5642 5643 /* Get the source and destination port from the inbound packet. */ 5644 sport = ntohs(chunk->sctp_hdr->dest); 5645 dport = ntohs(chunk->sctp_hdr->source); 5646 5647 /* The V-tag is going to be the same as the inbound packet if no 5648 * association exists, otherwise, use the peer's vtag. 5649 */ 5650 if (asoc) { 5651 /* Special case the INIT-ACK as there is no peer's vtag 5652 * yet. 5653 */ 5654 switch(chunk->chunk_hdr->type) { 5655 case SCTP_CID_INIT_ACK: 5656 { 5657 sctp_initack_chunk_t *initack; 5658 5659 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 5660 vtag = ntohl(initack->init_hdr.init_tag); 5661 break; 5662 } 5663 default: 5664 vtag = asoc->peer.i.init_tag; 5665 break; 5666 } 5667 } else { 5668 /* Special case the INIT and stale COOKIE_ECHO as there is no 5669 * vtag yet. 5670 */ 5671 switch(chunk->chunk_hdr->type) { 5672 case SCTP_CID_INIT: 5673 { 5674 sctp_init_chunk_t *init; 5675 5676 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5677 vtag = ntohl(init->init_hdr.init_tag); 5678 break; 5679 } 5680 default: 5681 vtag = ntohl(chunk->sctp_hdr->vtag); 5682 break; 5683 } 5684 } 5685 5686 /* Make a transport for the bucket, Eliza... */ 5687 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5688 if (!transport) 5689 goto nomem; 5690 5691 /* Cache a route for the transport with the chunk's destination as 5692 * the source address. 5693 */ 5694 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5695 sctp_sk(sctp_get_ctl_sock())); 5696 5697 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5698 packet = sctp_packet_config(packet, vtag, 0); 5699 5700 return packet; 5701 5702 nomem: 5703 return NULL; 5704 } 5705 5706 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5707 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5708 { 5709 sctp_transport_free(packet->transport); 5710 } 5711 5712 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5713 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5714 const struct sctp_association *asoc, 5715 const struct sctp_chunk *chunk, 5716 sctp_cmd_seq_t *commands, 5717 struct sctp_chunk *err_chunk) 5718 { 5719 struct sctp_packet *packet; 5720 5721 if (err_chunk) { 5722 packet = sctp_ootb_pkt_new(asoc, chunk); 5723 if (packet) { 5724 struct sctp_signed_cookie *cookie; 5725 5726 /* Override the OOTB vtag from the cookie. */ 5727 cookie = chunk->subh.cookie_hdr; 5728 packet->vtag = cookie->c.peer_vtag; 5729 5730 /* Set the skb to the belonging sock for accounting. */ 5731 err_chunk->skb->sk = ep->base.sk; 5732 sctp_packet_append_chunk(packet, err_chunk); 5733 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5734 SCTP_PACKET(packet)); 5735 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5736 } else 5737 sctp_chunk_free (err_chunk); 5738 } 5739 } 5740 5741 5742 /* Process a data chunk */ 5743 static int sctp_eat_data(const struct sctp_association *asoc, 5744 struct sctp_chunk *chunk, 5745 sctp_cmd_seq_t *commands) 5746 { 5747 sctp_datahdr_t *data_hdr; 5748 struct sctp_chunk *err; 5749 size_t datalen; 5750 sctp_verb_t deliver; 5751 int tmp; 5752 __u32 tsn; 5753 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5754 struct sock *sk = asoc->base.sk; 5755 5756 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5757 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5758 5759 tsn = ntohl(data_hdr->tsn); 5760 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5761 5762 /* ASSERT: Now skb->data is really the user data. */ 5763 5764 /* Process ECN based congestion. 5765 * 5766 * Since the chunk structure is reused for all chunks within 5767 * a packet, we use ecn_ce_done to track if we've already 5768 * done CE processing for this packet. 5769 * 5770 * We need to do ECN processing even if we plan to discard the 5771 * chunk later. 5772 */ 5773 5774 if (!chunk->ecn_ce_done) { 5775 struct sctp_af *af; 5776 chunk->ecn_ce_done = 1; 5777 5778 af = sctp_get_af_specific( 5779 ipver2af(ip_hdr(chunk->skb)->version)); 5780 5781 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5782 /* Do real work as sideffect. */ 5783 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5784 SCTP_U32(tsn)); 5785 } 5786 } 5787 5788 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5789 if (tmp < 0) { 5790 /* The TSN is too high--silently discard the chunk and 5791 * count on it getting retransmitted later. 5792 */ 5793 return SCTP_IERROR_HIGH_TSN; 5794 } else if (tmp > 0) { 5795 /* This is a duplicate. Record it. */ 5796 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5797 return SCTP_IERROR_DUP_TSN; 5798 } 5799 5800 /* This is a new TSN. */ 5801 5802 /* Discard if there is no room in the receive window. 5803 * Actually, allow a little bit of overflow (up to a MTU). 5804 */ 5805 datalen = ntohs(chunk->chunk_hdr->length); 5806 datalen -= sizeof(sctp_data_chunk_t); 5807 5808 deliver = SCTP_CMD_CHUNK_ULP; 5809 5810 /* Think about partial delivery. */ 5811 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5812 5813 /* Even if we don't accept this chunk there is 5814 * memory pressure. 5815 */ 5816 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5817 } 5818 5819 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5820 * seems a bit troublesome in that frag_point varies based on 5821 * PMTU. In cases, such as loopback, this might be a rather 5822 * large spill over. 5823 */ 5824 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 5825 (datalen > asoc->rwnd + asoc->frag_point))) { 5826 5827 /* If this is the next TSN, consider reneging to make 5828 * room. Note: Playing nice with a confused sender. A 5829 * malicious sender can still eat up all our buffer 5830 * space and in the future we may want to detect and 5831 * do more drastic reneging. 5832 */ 5833 if (sctp_tsnmap_has_gap(map) && 5834 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5835 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5836 deliver = SCTP_CMD_RENEGE; 5837 } else { 5838 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5839 "rwnd: %d\n", tsn, datalen, 5840 asoc->rwnd); 5841 return SCTP_IERROR_IGNORE_TSN; 5842 } 5843 } 5844 5845 /* 5846 * Also try to renege to limit our memory usage in the event that 5847 * we are under memory pressure 5848 * If we can't renege, don't worry about it, the sk_rmem_schedule 5849 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 5850 * memory usage too much 5851 */ 5852 if (*sk->sk_prot_creator->memory_pressure) { 5853 if (sctp_tsnmap_has_gap(map) && 5854 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5855 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn); 5856 deliver = SCTP_CMD_RENEGE; 5857 } 5858 } 5859 5860 /* 5861 * Section 3.3.10.9 No User Data (9) 5862 * 5863 * Cause of error 5864 * --------------- 5865 * No User Data: This error cause is returned to the originator of a 5866 * DATA chunk if a received DATA chunk has no user data. 5867 */ 5868 if (unlikely(0 == datalen)) { 5869 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5870 if (err) { 5871 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5872 SCTP_CHUNK(err)); 5873 } 5874 /* We are going to ABORT, so we might as well stop 5875 * processing the rest of the chunks in the packet. 5876 */ 5877 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5878 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5879 SCTP_ERROR(ECONNABORTED)); 5880 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5881 SCTP_PERR(SCTP_ERROR_NO_DATA)); 5882 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5883 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5884 return SCTP_IERROR_NO_DATA; 5885 } 5886 5887 /* If definately accepting the DATA chunk, record its TSN, otherwise 5888 * wait for renege processing. 5889 */ 5890 if (SCTP_CMD_CHUNK_ULP == deliver) 5891 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5892 5893 chunk->data_accepted = 1; 5894 5895 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5896 * if we renege and the chunk arrives again. 5897 */ 5898 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5899 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5900 else 5901 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5902 5903 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5904 * 5905 * If an endpoint receive a DATA chunk with an invalid stream 5906 * identifier, it shall acknowledge the reception of the DATA chunk 5907 * following the normal procedure, immediately send an ERROR chunk 5908 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5909 * and discard the DATA chunk. 5910 */ 5911 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5912 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5913 &data_hdr->stream, 5914 sizeof(data_hdr->stream)); 5915 if (err) 5916 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5917 SCTP_CHUNK(err)); 5918 return SCTP_IERROR_BAD_STREAM; 5919 } 5920 5921 /* Send the data up to the user. Note: Schedule the 5922 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5923 * chunk needs the updated rwnd. 5924 */ 5925 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5926 5927 return SCTP_IERROR_NO_ERROR; 5928 } 5929