xref: /openbmc/linux/net/sctp/sm_statefuns.c (revision c93db682)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* SCTP kernel implementation
3  * (C) Copyright IBM Corp. 2001, 2004
4  * Copyright (c) 1999-2000 Cisco, Inc.
5  * Copyright (c) 1999-2001 Motorola, Inc.
6  * Copyright (c) 2001-2002 Intel Corp.
7  * Copyright (c) 2002      Nokia Corp.
8  *
9  * This is part of the SCTP Linux Kernel Implementation.
10  *
11  * These are the state functions for the state machine.
12  *
13  * Please send any bug reports or fixes you make to the
14  * email address(es):
15  *    lksctp developers <linux-sctp@vger.kernel.org>
16  *
17  * Written or modified by:
18  *    La Monte H.P. Yarroll <piggy@acm.org>
19  *    Karl Knutson          <karl@athena.chicago.il.us>
20  *    Mathew Kotowsky       <kotowsky@sctp.org>
21  *    Sridhar Samudrala     <samudrala@us.ibm.com>
22  *    Jon Grimm             <jgrimm@us.ibm.com>
23  *    Hui Huang 	    <hui.huang@nokia.com>
24  *    Dajiang Zhang 	    <dajiang.zhang@nokia.com>
25  *    Daisy Chang	    <daisyc@us.ibm.com>
26  *    Ardelle Fan	    <ardelle.fan@intel.com>
27  *    Ryan Layer	    <rmlayer@us.ibm.com>
28  *    Kevin Gao		    <kevin.gao@intel.com>
29  */
30 
31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
32 
33 #include <linux/types.h>
34 #include <linux/kernel.h>
35 #include <linux/ip.h>
36 #include <linux/ipv6.h>
37 #include <linux/net.h>
38 #include <linux/inet.h>
39 #include <linux/slab.h>
40 #include <net/sock.h>
41 #include <net/inet_ecn.h>
42 #include <linux/skbuff.h>
43 #include <net/sctp/sctp.h>
44 #include <net/sctp/sm.h>
45 #include <net/sctp/structs.h>
46 
47 #define CREATE_TRACE_POINTS
48 #include <trace/events/sctp.h>
49 
50 static struct sctp_packet *sctp_abort_pkt_new(
51 					struct net *net,
52 					const struct sctp_endpoint *ep,
53 					const struct sctp_association *asoc,
54 					struct sctp_chunk *chunk,
55 					const void *payload, size_t paylen);
56 static int sctp_eat_data(const struct sctp_association *asoc,
57 			 struct sctp_chunk *chunk,
58 			 struct sctp_cmd_seq *commands);
59 static struct sctp_packet *sctp_ootb_pkt_new(
60 					struct net *net,
61 					const struct sctp_association *asoc,
62 					const struct sctp_chunk *chunk);
63 static void sctp_send_stale_cookie_err(struct net *net,
64 				       const struct sctp_endpoint *ep,
65 				       const struct sctp_association *asoc,
66 				       const struct sctp_chunk *chunk,
67 				       struct sctp_cmd_seq *commands,
68 				       struct sctp_chunk *err_chunk);
69 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
70 					struct net *net,
71 					const struct sctp_endpoint *ep,
72 					const struct sctp_association *asoc,
73 					const union sctp_subtype type,
74 					void *arg,
75 					struct sctp_cmd_seq *commands);
76 static enum sctp_disposition sctp_sf_shut_8_4_5(
77 					struct net *net,
78 					const struct sctp_endpoint *ep,
79 					const struct sctp_association *asoc,
80 					const union sctp_subtype type,
81 					void *arg,
82 					struct sctp_cmd_seq *commands);
83 static enum sctp_disposition sctp_sf_tabort_8_4_8(
84 					struct net *net,
85 					const struct sctp_endpoint *ep,
86 					const struct sctp_association *asoc,
87 					const union sctp_subtype type,
88 					void *arg,
89 					struct sctp_cmd_seq *commands);
90 static enum sctp_disposition sctp_sf_new_encap_port(
91 					struct net *net,
92 					const struct sctp_endpoint *ep,
93 					const struct sctp_association *asoc,
94 					const union sctp_subtype type,
95 					void *arg,
96 					struct sctp_cmd_seq *commands);
97 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
98 
99 static enum sctp_disposition sctp_stop_t1_and_abort(
100 					struct net *net,
101 					struct sctp_cmd_seq *commands,
102 					__be16 error, int sk_err,
103 					const struct sctp_association *asoc,
104 					struct sctp_transport *transport);
105 
106 static enum sctp_disposition sctp_sf_abort_violation(
107 					struct net *net,
108 					const struct sctp_endpoint *ep,
109 					const struct sctp_association *asoc,
110 					void *arg,
111 					struct sctp_cmd_seq *commands,
112 					const __u8 *payload,
113 					const size_t paylen);
114 
115 static enum sctp_disposition sctp_sf_violation_chunklen(
116 					struct net *net,
117 					const struct sctp_endpoint *ep,
118 					const struct sctp_association *asoc,
119 					const union sctp_subtype type,
120 					void *arg,
121 					struct sctp_cmd_seq *commands);
122 
123 static enum sctp_disposition sctp_sf_violation_paramlen(
124 					struct net *net,
125 					const struct sctp_endpoint *ep,
126 					const struct sctp_association *asoc,
127 					const union sctp_subtype type,
128 					void *arg, void *ext,
129 					struct sctp_cmd_seq *commands);
130 
131 static enum sctp_disposition sctp_sf_violation_ctsn(
132 					struct net *net,
133 					const struct sctp_endpoint *ep,
134 					const struct sctp_association *asoc,
135 					const union sctp_subtype type,
136 					void *arg,
137 					struct sctp_cmd_seq *commands);
138 
139 static enum sctp_disposition sctp_sf_violation_chunk(
140 					struct net *net,
141 					const struct sctp_endpoint *ep,
142 					const struct sctp_association *asoc,
143 					const union sctp_subtype type,
144 					void *arg,
145 					struct sctp_cmd_seq *commands);
146 
147 static enum sctp_ierror sctp_sf_authenticate(
148 					const struct sctp_association *asoc,
149 					struct sctp_chunk *chunk);
150 
151 static enum sctp_disposition __sctp_sf_do_9_1_abort(
152 					struct net *net,
153 					const struct sctp_endpoint *ep,
154 					const struct sctp_association *asoc,
155 					const union sctp_subtype type,
156 					void *arg,
157 					struct sctp_cmd_seq *commands);
158 
159 /* Small helper function that checks if the chunk length
160  * is of the appropriate length.  The 'required_length' argument
161  * is set to be the size of a specific chunk we are testing.
162  * Return Values:  true  = Valid length
163  * 		   false = Invalid length
164  *
165  */
166 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
167 					   __u16 required_length)
168 {
169 	__u16 chunk_length = ntohs(chunk->chunk_hdr->length);
170 
171 	/* Previously already marked? */
172 	if (unlikely(chunk->pdiscard))
173 		return false;
174 	if (unlikely(chunk_length < required_length))
175 		return false;
176 
177 	return true;
178 }
179 
180 /* Check for format error in an ABORT chunk */
181 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
182 {
183 	struct sctp_errhdr *err;
184 
185 	sctp_walk_errors(err, chunk->chunk_hdr);
186 
187 	return (void *)err == (void *)chunk->chunk_end;
188 }
189 
190 /**********************************************************
191  * These are the state functions for handling chunk events.
192  **********************************************************/
193 
194 /*
195  * Process the final SHUTDOWN COMPLETE.
196  *
197  * Section: 4 (C) (diagram), 9.2
198  * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
199  * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
200  * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
201  * should stop the T2-shutdown timer and remove all knowledge of the
202  * association (and thus the association enters the CLOSED state).
203  *
204  * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
205  * C) Rules for packet carrying SHUTDOWN COMPLETE:
206  * ...
207  * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
208  *   if the Verification Tag field of the packet matches its own tag and
209  *   the T bit is not set
210  *   OR
211  *   it is set to its peer's tag and the T bit is set in the Chunk
212  *   Flags.
213  *   Otherwise, the receiver MUST silently discard the packet
214  *   and take no further action.  An endpoint MUST ignore the
215  *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
216  *
217  * Inputs
218  * (endpoint, asoc, chunk)
219  *
220  * Outputs
221  * (asoc, reply_msg, msg_up, timers, counters)
222  *
223  * The return value is the disposition of the chunk.
224  */
225 enum sctp_disposition sctp_sf_do_4_C(struct net *net,
226 				     const struct sctp_endpoint *ep,
227 				     const struct sctp_association *asoc,
228 				     const union sctp_subtype type,
229 				     void *arg, struct sctp_cmd_seq *commands)
230 {
231 	struct sctp_chunk *chunk = arg;
232 	struct sctp_ulpevent *ev;
233 
234 	if (!sctp_vtag_verify_either(chunk, asoc))
235 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
236 
237 	/* RFC 2960 6.10 Bundling
238 	 *
239 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
240 	 * SHUTDOWN COMPLETE with any other chunks.
241 	 */
242 	if (!chunk->singleton)
243 		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
244 
245 	/* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
246 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
247 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
248 						  commands);
249 
250 	/* RFC 2960 10.2 SCTP-to-ULP
251 	 *
252 	 * H) SHUTDOWN COMPLETE notification
253 	 *
254 	 * When SCTP completes the shutdown procedures (section 9.2) this
255 	 * notification is passed to the upper layer.
256 	 */
257 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
258 					     0, 0, 0, NULL, GFP_ATOMIC);
259 	if (ev)
260 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
261 				SCTP_ULPEVENT(ev));
262 
263 	/* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
264 	 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
265 	 * not the chunk should be discarded. If the endpoint is in
266 	 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
267 	 * T2-shutdown timer and remove all knowledge of the
268 	 * association (and thus the association enters the CLOSED
269 	 * state).
270 	 */
271 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
272 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
273 
274 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
275 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
276 
277 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
278 			SCTP_STATE(SCTP_STATE_CLOSED));
279 
280 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
281 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
282 
283 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
284 
285 	return SCTP_DISPOSITION_DELETE_TCB;
286 }
287 
288 /*
289  * Respond to a normal INIT chunk.
290  * We are the side that is being asked for an association.
291  *
292  * Section: 5.1 Normal Establishment of an Association, B
293  * B) "Z" shall respond immediately with an INIT ACK chunk.  The
294  *    destination IP address of the INIT ACK MUST be set to the source
295  *    IP address of the INIT to which this INIT ACK is responding.  In
296  *    the response, besides filling in other parameters, "Z" must set the
297  *    Verification Tag field to Tag_A, and also provide its own
298  *    Verification Tag (Tag_Z) in the Initiate Tag field.
299  *
300  * Verification Tag: Must be 0.
301  *
302  * Inputs
303  * (endpoint, asoc, chunk)
304  *
305  * Outputs
306  * (asoc, reply_msg, msg_up, timers, counters)
307  *
308  * The return value is the disposition of the chunk.
309  */
310 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
311 					   const struct sctp_endpoint *ep,
312 					   const struct sctp_association *asoc,
313 					   const union sctp_subtype type,
314 					   void *arg,
315 					   struct sctp_cmd_seq *commands)
316 {
317 	struct sctp_chunk *chunk = arg, *repl, *err_chunk;
318 	struct sctp_unrecognized_param *unk_param;
319 	struct sctp_association *new_asoc;
320 	struct sctp_packet *packet;
321 	int len;
322 
323 	/* Update socket peer label if first association. */
324 	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
325 					chunk->skb))
326 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
327 
328 	/* 6.10 Bundling
329 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
330 	 * SHUTDOWN COMPLETE with any other chunks.
331 	 *
332 	 * IG Section 2.11.2
333 	 * Furthermore, we require that the receiver of an INIT chunk MUST
334 	 * enforce these rules by silently discarding an arriving packet
335 	 * with an INIT chunk that is bundled with other chunks.
336 	 */
337 	if (!chunk->singleton)
338 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
339 
340 	/* If the packet is an OOTB packet which is temporarily on the
341 	 * control endpoint, respond with an ABORT.
342 	 */
343 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
344 		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
345 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
346 	}
347 
348 	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
349 	 * Tag.
350 	 */
351 	if (chunk->sctp_hdr->vtag != 0)
352 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
353 
354 	/* Make sure that the INIT chunk has a valid length.
355 	 * Normally, this would cause an ABORT with a Protocol Violation
356 	 * error, but since we don't have an association, we'll
357 	 * just discard the packet.
358 	 */
359 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
360 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
361 
362 	/* If the INIT is coming toward a closing socket, we'll send back
363 	 * and ABORT.  Essentially, this catches the race of INIT being
364 	 * backloged to the socket at the same time as the user isses close().
365 	 * Since the socket and all its associations are going away, we
366 	 * can treat this OOTB
367 	 */
368 	if (sctp_sstate(ep->base.sk, CLOSING))
369 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
370 
371 	/* Verify the INIT chunk before processing it. */
372 	err_chunk = NULL;
373 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
374 			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
375 			      &err_chunk)) {
376 		/* This chunk contains fatal error. It is to be discarded.
377 		 * Send an ABORT, with causes if there is any.
378 		 */
379 		if (err_chunk) {
380 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
381 					(__u8 *)(err_chunk->chunk_hdr) +
382 					sizeof(struct sctp_chunkhdr),
383 					ntohs(err_chunk->chunk_hdr->length) -
384 					sizeof(struct sctp_chunkhdr));
385 
386 			sctp_chunk_free(err_chunk);
387 
388 			if (packet) {
389 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
390 						SCTP_PACKET(packet));
391 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
392 				return SCTP_DISPOSITION_CONSUME;
393 			} else {
394 				return SCTP_DISPOSITION_NOMEM;
395 			}
396 		} else {
397 			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
398 						    commands);
399 		}
400 	}
401 
402 	/* Grab the INIT header.  */
403 	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
404 
405 	/* Tag the variable length parameters.  */
406 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
407 
408 	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
409 	if (!new_asoc)
410 		goto nomem;
411 
412 	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
413 					     sctp_scope(sctp_source(chunk)),
414 					     GFP_ATOMIC) < 0)
415 		goto nomem_init;
416 
417 	/* The call, sctp_process_init(), can fail on memory allocation.  */
418 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
419 			       (struct sctp_init_chunk *)chunk->chunk_hdr,
420 			       GFP_ATOMIC))
421 		goto nomem_init;
422 
423 	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
424 
425 	/* If there are errors need to be reported for unknown parameters,
426 	 * make sure to reserve enough room in the INIT ACK for them.
427 	 */
428 	len = 0;
429 	if (err_chunk)
430 		len = ntohs(err_chunk->chunk_hdr->length) -
431 		      sizeof(struct sctp_chunkhdr);
432 
433 	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
434 	if (!repl)
435 		goto nomem_init;
436 
437 	/* If there are errors need to be reported for unknown parameters,
438 	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
439 	 * parameter.
440 	 */
441 	if (err_chunk) {
442 		/* Get the "Unrecognized parameter" parameter(s) out of the
443 		 * ERROR chunk generated by sctp_verify_init(). Since the
444 		 * error cause code for "unknown parameter" and the
445 		 * "Unrecognized parameter" type is the same, we can
446 		 * construct the parameters in INIT ACK by copying the
447 		 * ERROR causes over.
448 		 */
449 		unk_param = (struct sctp_unrecognized_param *)
450 			    ((__u8 *)(err_chunk->chunk_hdr) +
451 			    sizeof(struct sctp_chunkhdr));
452 		/* Replace the cause code with the "Unrecognized parameter"
453 		 * parameter type.
454 		 */
455 		sctp_addto_chunk(repl, len, unk_param);
456 		sctp_chunk_free(err_chunk);
457 	}
458 
459 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
460 
461 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
462 
463 	/*
464 	 * Note:  After sending out INIT ACK with the State Cookie parameter,
465 	 * "Z" MUST NOT allocate any resources, nor keep any states for the
466 	 * new association.  Otherwise, "Z" will be vulnerable to resource
467 	 * attacks.
468 	 */
469 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
470 
471 	return SCTP_DISPOSITION_DELETE_TCB;
472 
473 nomem_init:
474 	sctp_association_free(new_asoc);
475 nomem:
476 	if (err_chunk)
477 		sctp_chunk_free(err_chunk);
478 	return SCTP_DISPOSITION_NOMEM;
479 }
480 
481 /*
482  * Respond to a normal INIT ACK chunk.
483  * We are the side that is initiating the association.
484  *
485  * Section: 5.1 Normal Establishment of an Association, C
486  * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
487  *    timer and leave COOKIE-WAIT state. "A" shall then send the State
488  *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
489  *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
490  *
491  *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
492  *    DATA chunks, but it MUST be the first chunk in the packet and
493  *    until the COOKIE ACK is returned the sender MUST NOT send any
494  *    other packets to the peer.
495  *
496  * Verification Tag: 3.3.3
497  *   If the value of the Initiate Tag in a received INIT ACK chunk is
498  *   found to be 0, the receiver MUST treat it as an error and close the
499  *   association by transmitting an ABORT.
500  *
501  * Inputs
502  * (endpoint, asoc, chunk)
503  *
504  * Outputs
505  * (asoc, reply_msg, msg_up, timers, counters)
506  *
507  * The return value is the disposition of the chunk.
508  */
509 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
510 					  const struct sctp_endpoint *ep,
511 					  const struct sctp_association *asoc,
512 					  const union sctp_subtype type,
513 					  void *arg,
514 					  struct sctp_cmd_seq *commands)
515 {
516 	struct sctp_init_chunk *initchunk;
517 	struct sctp_chunk *chunk = arg;
518 	struct sctp_chunk *err_chunk;
519 	struct sctp_packet *packet;
520 
521 	if (!sctp_vtag_verify(chunk, asoc))
522 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
523 
524 	/* 6.10 Bundling
525 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
526 	 * SHUTDOWN COMPLETE with any other chunks.
527 	 */
528 	if (!chunk->singleton)
529 		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
530 
531 	/* Make sure that the INIT-ACK chunk has a valid length */
532 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
533 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
534 						  commands);
535 	/* Grab the INIT header.  */
536 	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
537 
538 	/* Verify the INIT chunk before processing it. */
539 	err_chunk = NULL;
540 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
541 			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
542 			      &err_chunk)) {
543 
544 		enum sctp_error error = SCTP_ERROR_NO_RESOURCE;
545 
546 		/* This chunk contains fatal error. It is to be discarded.
547 		 * Send an ABORT, with causes.  If there are no causes,
548 		 * then there wasn't enough memory.  Just terminate
549 		 * the association.
550 		 */
551 		if (err_chunk) {
552 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
553 					(__u8 *)(err_chunk->chunk_hdr) +
554 					sizeof(struct sctp_chunkhdr),
555 					ntohs(err_chunk->chunk_hdr->length) -
556 					sizeof(struct sctp_chunkhdr));
557 
558 			sctp_chunk_free(err_chunk);
559 
560 			if (packet) {
561 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
562 						SCTP_PACKET(packet));
563 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
564 				error = SCTP_ERROR_INV_PARAM;
565 			}
566 		}
567 
568 		/* SCTP-AUTH, Section 6.3:
569 		 *    It should be noted that if the receiver wants to tear
570 		 *    down an association in an authenticated way only, the
571 		 *    handling of malformed packets should not result in
572 		 *    tearing down the association.
573 		 *
574 		 * This means that if we only want to abort associations
575 		 * in an authenticated way (i.e AUTH+ABORT), then we
576 		 * can't destroy this association just because the packet
577 		 * was malformed.
578 		 */
579 		if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
580 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
581 
582 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
583 		return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
584 						asoc, chunk->transport);
585 	}
586 
587 	/* Tag the variable length parameters.  Note that we never
588 	 * convert the parameters in an INIT chunk.
589 	 */
590 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
591 
592 	initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;
593 
594 	sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
595 			SCTP_PEER_INIT(initchunk));
596 
597 	/* Reset init error count upon receipt of INIT-ACK.  */
598 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
599 
600 	/* 5.1 C) "A" shall stop the T1-init timer and leave
601 	 * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
602 	 * timer, and enter the COOKIE-ECHOED state.
603 	 */
604 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
605 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
606 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
607 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
608 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
609 			SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
610 
611 	/* SCTP-AUTH: genereate the assocition shared keys so that
612 	 * we can potentially signe the COOKIE-ECHO.
613 	 */
614 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
615 
616 	/* 5.1 C) "A" shall then send the State Cookie received in the
617 	 * INIT ACK chunk in a COOKIE ECHO chunk, ...
618 	 */
619 	/* If there is any errors to report, send the ERROR chunk generated
620 	 * for unknown parameters as well.
621 	 */
622 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
623 			SCTP_CHUNK(err_chunk));
624 
625 	return SCTP_DISPOSITION_CONSUME;
626 }
627 
628 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
629 				   const struct sctp_association *asoc)
630 {
631 	struct sctp_chunk auth;
632 
633 	if (!chunk->auth_chunk)
634 		return true;
635 
636 	/* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
637 	 * is supposed to be authenticated and we have to do delayed
638 	 * authentication.  We've just recreated the association using
639 	 * the information in the cookie and now it's much easier to
640 	 * do the authentication.
641 	 */
642 
643 	/* Make sure that we and the peer are AUTH capable */
644 	if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
645 		return false;
646 
647 	/* set-up our fake chunk so that we can process it */
648 	auth.skb = chunk->auth_chunk;
649 	auth.asoc = chunk->asoc;
650 	auth.sctp_hdr = chunk->sctp_hdr;
651 	auth.chunk_hdr = (struct sctp_chunkhdr *)
652 				skb_push(chunk->auth_chunk,
653 					 sizeof(struct sctp_chunkhdr));
654 	skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
655 	auth.transport = chunk->transport;
656 
657 	return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
658 }
659 
660 /*
661  * Respond to a normal COOKIE ECHO chunk.
662  * We are the side that is being asked for an association.
663  *
664  * Section: 5.1 Normal Establishment of an Association, D
665  * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
666  *    with a COOKIE ACK chunk after building a TCB and moving to
667  *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
668  *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
669  *    chunk MUST be the first chunk in the packet.
670  *
671  *   IMPLEMENTATION NOTE: An implementation may choose to send the
672  *   Communication Up notification to the SCTP user upon reception
673  *   of a valid COOKIE ECHO chunk.
674  *
675  * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
676  * D) Rules for packet carrying a COOKIE ECHO
677  *
678  * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
679  *   Initial Tag received in the INIT ACK.
680  *
681  * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
682  *
683  * Inputs
684  * (endpoint, asoc, chunk)
685  *
686  * Outputs
687  * (asoc, reply_msg, msg_up, timers, counters)
688  *
689  * The return value is the disposition of the chunk.
690  */
691 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
692 					 const struct sctp_endpoint *ep,
693 					 const struct sctp_association *asoc,
694 					 const union sctp_subtype type,
695 					 void *arg,
696 					 struct sctp_cmd_seq *commands)
697 {
698 	struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
699 	struct sctp_association *new_asoc;
700 	struct sctp_init_chunk *peer_init;
701 	struct sctp_chunk *chunk = arg;
702 	struct sctp_chunk *err_chk_p;
703 	struct sctp_chunk *repl;
704 	struct sock *sk;
705 	int error = 0;
706 
707 	/* If the packet is an OOTB packet which is temporarily on the
708 	 * control endpoint, respond with an ABORT.
709 	 */
710 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
711 		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
712 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
713 	}
714 
715 	/* Make sure that the COOKIE_ECHO chunk has a valid length.
716 	 * In this case, we check that we have enough for at least a
717 	 * chunk header.  More detailed verification is done
718 	 * in sctp_unpack_cookie().
719 	 */
720 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
721 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
722 
723 	/* If the endpoint is not listening or if the number of associations
724 	 * on the TCP-style socket exceed the max backlog, respond with an
725 	 * ABORT.
726 	 */
727 	sk = ep->base.sk;
728 	if (!sctp_sstate(sk, LISTENING) ||
729 	    (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
730 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
731 
732 	/* "Decode" the chunk.  We have no optional parameters so we
733 	 * are in good shape.
734 	 */
735 	chunk->subh.cookie_hdr =
736 		(struct sctp_signed_cookie *)chunk->skb->data;
737 	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
738 					 sizeof(struct sctp_chunkhdr)))
739 		goto nomem;
740 
741 	/* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
742 	 * "Z" will reply with a COOKIE ACK chunk after building a TCB
743 	 * and moving to the ESTABLISHED state.
744 	 */
745 	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
746 				      &err_chk_p);
747 
748 	/* FIXME:
749 	 * If the re-build failed, what is the proper error path
750 	 * from here?
751 	 *
752 	 * [We should abort the association. --piggy]
753 	 */
754 	if (!new_asoc) {
755 		/* FIXME: Several errors are possible.  A bad cookie should
756 		 * be silently discarded, but think about logging it too.
757 		 */
758 		switch (error) {
759 		case -SCTP_IERROR_NOMEM:
760 			goto nomem;
761 
762 		case -SCTP_IERROR_STALE_COOKIE:
763 			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
764 						   err_chk_p);
765 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
766 
767 		case -SCTP_IERROR_BAD_SIG:
768 		default:
769 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
770 		}
771 	}
772 
773 
774 	/* Delay state machine commands until later.
775 	 *
776 	 * Re-build the bind address for the association is done in
777 	 * the sctp_unpack_cookie() already.
778 	 */
779 	/* This is a brand-new association, so these are not yet side
780 	 * effects--it is safe to run them here.
781 	 */
782 	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
783 
784 	if (!sctp_process_init(new_asoc, chunk,
785 			       &chunk->subh.cookie_hdr->c.peer_addr,
786 			       peer_init, GFP_ATOMIC))
787 		goto nomem_init;
788 
789 	/* SCTP-AUTH:  Now that we've populate required fields in
790 	 * sctp_process_init, set up the assocaition shared keys as
791 	 * necessary so that we can potentially authenticate the ACK
792 	 */
793 	error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
794 	if (error)
795 		goto nomem_init;
796 
797 	if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
798 		sctp_association_free(new_asoc);
799 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
800 	}
801 
802 	repl = sctp_make_cookie_ack(new_asoc, chunk);
803 	if (!repl)
804 		goto nomem_init;
805 
806 	/* RFC 2960 5.1 Normal Establishment of an Association
807 	 *
808 	 * D) IMPLEMENTATION NOTE: An implementation may choose to
809 	 * send the Communication Up notification to the SCTP user
810 	 * upon reception of a valid COOKIE ECHO chunk.
811 	 */
812 	ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
813 					     new_asoc->c.sinit_num_ostreams,
814 					     new_asoc->c.sinit_max_instreams,
815 					     NULL, GFP_ATOMIC);
816 	if (!ev)
817 		goto nomem_ev;
818 
819 	/* Sockets API Draft Section 5.3.1.6
820 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
821 	 * delivers this notification to inform the application that of the
822 	 * peers requested adaptation layer.
823 	 */
824 	if (new_asoc->peer.adaptation_ind) {
825 		ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
826 							    GFP_ATOMIC);
827 		if (!ai_ev)
828 			goto nomem_aiev;
829 	}
830 
831 	if (!new_asoc->peer.auth_capable) {
832 		auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
833 						     SCTP_AUTH_NO_AUTH,
834 						     GFP_ATOMIC);
835 		if (!auth_ev)
836 			goto nomem_authev;
837 	}
838 
839 	/* Add all the state machine commands now since we've created
840 	 * everything.  This way we don't introduce memory corruptions
841 	 * during side-effect processing and correclty count established
842 	 * associations.
843 	 */
844 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
845 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
846 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
847 	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
848 	SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
849 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
850 
851 	if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
852 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
853 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
854 
855 	/* This will send the COOKIE ACK */
856 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
857 
858 	/* Queue the ASSOC_CHANGE event */
859 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
860 
861 	/* Send up the Adaptation Layer Indication event */
862 	if (ai_ev)
863 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
864 				SCTP_ULPEVENT(ai_ev));
865 
866 	if (auth_ev)
867 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
868 				SCTP_ULPEVENT(auth_ev));
869 
870 	return SCTP_DISPOSITION_CONSUME;
871 
872 nomem_authev:
873 	sctp_ulpevent_free(ai_ev);
874 nomem_aiev:
875 	sctp_ulpevent_free(ev);
876 nomem_ev:
877 	sctp_chunk_free(repl);
878 nomem_init:
879 	sctp_association_free(new_asoc);
880 nomem:
881 	return SCTP_DISPOSITION_NOMEM;
882 }
883 
884 /*
885  * Respond to a normal COOKIE ACK chunk.
886  * We are the side that is asking for an association.
887  *
888  * RFC 2960 5.1 Normal Establishment of an Association
889  *
890  * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
891  *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
892  *    timer. It may also notify its ULP about the successful
893  *    establishment of the association with a Communication Up
894  *    notification (see Section 10).
895  *
896  * Verification Tag:
897  * Inputs
898  * (endpoint, asoc, chunk)
899  *
900  * Outputs
901  * (asoc, reply_msg, msg_up, timers, counters)
902  *
903  * The return value is the disposition of the chunk.
904  */
905 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
906 					 const struct sctp_endpoint *ep,
907 					 const struct sctp_association *asoc,
908 					 const union sctp_subtype type,
909 					 void *arg,
910 					 struct sctp_cmd_seq *commands)
911 {
912 	struct sctp_chunk *chunk = arg;
913 	struct sctp_ulpevent *ev;
914 
915 	if (!sctp_vtag_verify(chunk, asoc))
916 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
917 
918 	/* Verify that the chunk length for the COOKIE-ACK is OK.
919 	 * If we don't do this, any bundled chunks may be junked.
920 	 */
921 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
922 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
923 						  commands);
924 
925 	/* Reset init error count upon receipt of COOKIE-ACK,
926 	 * to avoid problems with the managemement of this
927 	 * counter in stale cookie situations when a transition back
928 	 * from the COOKIE-ECHOED state to the COOKIE-WAIT
929 	 * state is performed.
930 	 */
931 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
932 
933 	/* Set peer label for connection. */
934 	security_inet_conn_established(ep->base.sk, chunk->skb);
935 
936 	/* RFC 2960 5.1 Normal Establishment of an Association
937 	 *
938 	 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
939 	 * from the COOKIE-ECHOED state to the ESTABLISHED state,
940 	 * stopping the T1-cookie timer.
941 	 */
942 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
943 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
944 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
945 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
946 	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
947 	SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
948 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
949 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
950 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
951 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
952 
953 	/* It may also notify its ULP about the successful
954 	 * establishment of the association with a Communication Up
955 	 * notification (see Section 10).
956 	 */
957 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
958 					     0, asoc->c.sinit_num_ostreams,
959 					     asoc->c.sinit_max_instreams,
960 					     NULL, GFP_ATOMIC);
961 
962 	if (!ev)
963 		goto nomem;
964 
965 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
966 
967 	/* Sockets API Draft Section 5.3.1.6
968 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
969 	 * delivers this notification to inform the application that of the
970 	 * peers requested adaptation layer.
971 	 */
972 	if (asoc->peer.adaptation_ind) {
973 		ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
974 		if (!ev)
975 			goto nomem;
976 
977 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
978 				SCTP_ULPEVENT(ev));
979 	}
980 
981 	if (!asoc->peer.auth_capable) {
982 		ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
983 						GFP_ATOMIC);
984 		if (!ev)
985 			goto nomem;
986 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
987 				SCTP_ULPEVENT(ev));
988 	}
989 
990 	return SCTP_DISPOSITION_CONSUME;
991 nomem:
992 	return SCTP_DISPOSITION_NOMEM;
993 }
994 
995 /* Generate and sendout a heartbeat packet.  */
996 static enum sctp_disposition sctp_sf_heartbeat(
997 					const struct sctp_endpoint *ep,
998 					const struct sctp_association *asoc,
999 					const union sctp_subtype type,
1000 					void *arg,
1001 					struct sctp_cmd_seq *commands)
1002 {
1003 	struct sctp_transport *transport = (struct sctp_transport *) arg;
1004 	struct sctp_chunk *reply;
1005 
1006 	/* Send a heartbeat to our peer.  */
1007 	reply = sctp_make_heartbeat(asoc, transport);
1008 	if (!reply)
1009 		return SCTP_DISPOSITION_NOMEM;
1010 
1011 	/* Set rto_pending indicating that an RTT measurement
1012 	 * is started with this heartbeat chunk.
1013 	 */
1014 	sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
1015 			SCTP_TRANSPORT(transport));
1016 
1017 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1018 	return SCTP_DISPOSITION_CONSUME;
1019 }
1020 
1021 /* Generate a HEARTBEAT packet on the given transport.  */
1022 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
1023 					   const struct sctp_endpoint *ep,
1024 					   const struct sctp_association *asoc,
1025 					   const union sctp_subtype type,
1026 					   void *arg,
1027 					   struct sctp_cmd_seq *commands)
1028 {
1029 	struct sctp_transport *transport = (struct sctp_transport *) arg;
1030 
1031 	if (asoc->overall_error_count >= asoc->max_retrans) {
1032 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1033 				SCTP_ERROR(ETIMEDOUT));
1034 		/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1035 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1036 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
1037 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1038 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1039 		return SCTP_DISPOSITION_DELETE_TCB;
1040 	}
1041 
1042 	/* Section 3.3.5.
1043 	 * The Sender-specific Heartbeat Info field should normally include
1044 	 * information about the sender's current time when this HEARTBEAT
1045 	 * chunk is sent and the destination transport address to which this
1046 	 * HEARTBEAT is sent (see Section 8.3).
1047 	 */
1048 
1049 	if (transport->param_flags & SPP_HB_ENABLE) {
1050 		if (SCTP_DISPOSITION_NOMEM ==
1051 				sctp_sf_heartbeat(ep, asoc, type, arg,
1052 						  commands))
1053 			return SCTP_DISPOSITION_NOMEM;
1054 
1055 		/* Set transport error counter and association error counter
1056 		 * when sending heartbeat.
1057 		 */
1058 		sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1059 				SCTP_TRANSPORT(transport));
1060 	}
1061 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1062 			SCTP_TRANSPORT(transport));
1063 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1064 			SCTP_TRANSPORT(transport));
1065 
1066 	return SCTP_DISPOSITION_CONSUME;
1067 }
1068 
1069 /* resend asoc strreset_chunk.  */
1070 enum sctp_disposition sctp_sf_send_reconf(struct net *net,
1071 					  const struct sctp_endpoint *ep,
1072 					  const struct sctp_association *asoc,
1073 					  const union sctp_subtype type,
1074 					  void *arg,
1075 					  struct sctp_cmd_seq *commands)
1076 {
1077 	struct sctp_transport *transport = arg;
1078 
1079 	if (asoc->overall_error_count >= asoc->max_retrans) {
1080 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1081 				SCTP_ERROR(ETIMEDOUT));
1082 		/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1083 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1084 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
1085 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1086 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1087 		return SCTP_DISPOSITION_DELETE_TCB;
1088 	}
1089 
1090 	sctp_chunk_hold(asoc->strreset_chunk);
1091 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1092 			SCTP_CHUNK(asoc->strreset_chunk));
1093 	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
1094 
1095 	return SCTP_DISPOSITION_CONSUME;
1096 }
1097 
1098 /*
1099  * Process an heartbeat request.
1100  *
1101  * Section: 8.3 Path Heartbeat
1102  * The receiver of the HEARTBEAT should immediately respond with a
1103  * HEARTBEAT ACK that contains the Heartbeat Information field copied
1104  * from the received HEARTBEAT chunk.
1105  *
1106  * Verification Tag:  8.5 Verification Tag [Normal verification]
1107  * When receiving an SCTP packet, the endpoint MUST ensure that the
1108  * value in the Verification Tag field of the received SCTP packet
1109  * matches its own Tag. If the received Verification Tag value does not
1110  * match the receiver's own tag value, the receiver shall silently
1111  * discard the packet and shall not process it any further except for
1112  * those cases listed in Section 8.5.1 below.
1113  *
1114  * Inputs
1115  * (endpoint, asoc, chunk)
1116  *
1117  * Outputs
1118  * (asoc, reply_msg, msg_up, timers, counters)
1119  *
1120  * The return value is the disposition of the chunk.
1121  */
1122 enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
1123 				       const struct sctp_endpoint *ep,
1124 				       const struct sctp_association *asoc,
1125 				       const union sctp_subtype type,
1126 				       void *arg, struct sctp_cmd_seq *commands)
1127 {
1128 	struct sctp_paramhdr *param_hdr;
1129 	struct sctp_chunk *chunk = arg;
1130 	struct sctp_chunk *reply;
1131 	size_t paylen = 0;
1132 
1133 	if (!sctp_vtag_verify(chunk, asoc))
1134 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1135 
1136 	/* Make sure that the HEARTBEAT chunk has a valid length. */
1137 	if (!sctp_chunk_length_valid(chunk,
1138 				     sizeof(struct sctp_heartbeat_chunk)))
1139 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1140 						  commands);
1141 
1142 	/* 8.3 The receiver of the HEARTBEAT should immediately
1143 	 * respond with a HEARTBEAT ACK that contains the Heartbeat
1144 	 * Information field copied from the received HEARTBEAT chunk.
1145 	 */
1146 	chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
1147 	param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
1148 	paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);
1149 
1150 	if (ntohs(param_hdr->length) > paylen)
1151 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1152 						  param_hdr, commands);
1153 
1154 	if (!pskb_pull(chunk->skb, paylen))
1155 		goto nomem;
1156 
1157 	reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1158 	if (!reply)
1159 		goto nomem;
1160 
1161 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1162 	return SCTP_DISPOSITION_CONSUME;
1163 
1164 nomem:
1165 	return SCTP_DISPOSITION_NOMEM;
1166 }
1167 
1168 /*
1169  * Process the returning HEARTBEAT ACK.
1170  *
1171  * Section: 8.3 Path Heartbeat
1172  * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1173  * should clear the error counter of the destination transport
1174  * address to which the HEARTBEAT was sent, and mark the destination
1175  * transport address as active if it is not so marked. The endpoint may
1176  * optionally report to the upper layer when an inactive destination
1177  * address is marked as active due to the reception of the latest
1178  * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1179  * clear the association overall error count as well (as defined
1180  * in section 8.1).
1181  *
1182  * The receiver of the HEARTBEAT ACK should also perform an RTT
1183  * measurement for that destination transport address using the time
1184  * value carried in the HEARTBEAT ACK chunk.
1185  *
1186  * Verification Tag:  8.5 Verification Tag [Normal verification]
1187  *
1188  * Inputs
1189  * (endpoint, asoc, chunk)
1190  *
1191  * Outputs
1192  * (asoc, reply_msg, msg_up, timers, counters)
1193  *
1194  * The return value is the disposition of the chunk.
1195  */
1196 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
1197 					   const struct sctp_endpoint *ep,
1198 					   const struct sctp_association *asoc,
1199 					   const union sctp_subtype type,
1200 					   void *arg,
1201 					   struct sctp_cmd_seq *commands)
1202 {
1203 	struct sctp_sender_hb_info *hbinfo;
1204 	struct sctp_chunk *chunk = arg;
1205 	struct sctp_transport *link;
1206 	unsigned long max_interval;
1207 	union sctp_addr from_addr;
1208 
1209 	if (!sctp_vtag_verify(chunk, asoc))
1210 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1211 
1212 	/* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */
1213 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
1214 					    sizeof(*hbinfo)))
1215 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1216 						  commands);
1217 
1218 	hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;
1219 	/* Make sure that the length of the parameter is what we expect */
1220 	if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
1221 		return SCTP_DISPOSITION_DISCARD;
1222 
1223 	from_addr = hbinfo->daddr;
1224 	link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1225 
1226 	/* This should never happen, but lets log it if so.  */
1227 	if (unlikely(!link)) {
1228 		if (from_addr.sa.sa_family == AF_INET6) {
1229 			net_warn_ratelimited("%s association %p could not find address %pI6\n",
1230 					     __func__,
1231 					     asoc,
1232 					     &from_addr.v6.sin6_addr);
1233 		} else {
1234 			net_warn_ratelimited("%s association %p could not find address %pI4\n",
1235 					     __func__,
1236 					     asoc,
1237 					     &from_addr.v4.sin_addr.s_addr);
1238 		}
1239 		return SCTP_DISPOSITION_DISCARD;
1240 	}
1241 
1242 	/* Validate the 64-bit random nonce. */
1243 	if (hbinfo->hb_nonce != link->hb_nonce)
1244 		return SCTP_DISPOSITION_DISCARD;
1245 
1246 	max_interval = link->hbinterval + link->rto;
1247 
1248 	/* Check if the timestamp looks valid.  */
1249 	if (time_after(hbinfo->sent_at, jiffies) ||
1250 	    time_after(jiffies, hbinfo->sent_at + max_interval)) {
1251 		pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1252 			 "for transport:%p\n", __func__, link);
1253 
1254 		return SCTP_DISPOSITION_DISCARD;
1255 	}
1256 
1257 	/* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1258 	 * the HEARTBEAT should clear the error counter of the
1259 	 * destination transport address to which the HEARTBEAT was
1260 	 * sent and mark the destination transport address as active if
1261 	 * it is not so marked.
1262 	 */
1263 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1264 
1265 	return SCTP_DISPOSITION_CONSUME;
1266 }
1267 
1268 /* Helper function to send out an abort for the restart
1269  * condition.
1270  */
1271 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1272 				      struct sctp_chunk *init,
1273 				      struct sctp_cmd_seq *commands)
1274 {
1275 	struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1276 	union sctp_addr_param *addrparm;
1277 	struct sctp_errhdr *errhdr;
1278 	char buffer[sizeof(*errhdr) + sizeof(*addrparm)];
1279 	struct sctp_endpoint *ep;
1280 	struct sctp_packet *pkt;
1281 	int len;
1282 
1283 	/* Build the error on the stack.   We are way to malloc crazy
1284 	 * throughout the code today.
1285 	 */
1286 	errhdr = (struct sctp_errhdr *)buffer;
1287 	addrparm = (union sctp_addr_param *)errhdr->variable;
1288 
1289 	/* Copy into a parm format. */
1290 	len = af->to_addr_param(ssa, addrparm);
1291 	len += sizeof(*errhdr);
1292 
1293 	errhdr->cause = SCTP_ERROR_RESTART;
1294 	errhdr->length = htons(len);
1295 
1296 	/* Assign to the control socket. */
1297 	ep = sctp_sk(net->sctp.ctl_sock)->ep;
1298 
1299 	/* Association is NULL since this may be a restart attack and we
1300 	 * want to send back the attacker's vtag.
1301 	 */
1302 	pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1303 
1304 	if (!pkt)
1305 		goto out;
1306 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1307 
1308 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1309 
1310 	/* Discard the rest of the inbound packet. */
1311 	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1312 
1313 out:
1314 	/* Even if there is no memory, treat as a failure so
1315 	 * the packet will get dropped.
1316 	 */
1317 	return 0;
1318 }
1319 
1320 static bool list_has_sctp_addr(const struct list_head *list,
1321 			       union sctp_addr *ipaddr)
1322 {
1323 	struct sctp_transport *addr;
1324 
1325 	list_for_each_entry(addr, list, transports) {
1326 		if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1327 			return true;
1328 	}
1329 
1330 	return false;
1331 }
1332 /* A restart is occurring, check to make sure no new addresses
1333  * are being added as we may be under a takeover attack.
1334  */
1335 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1336 				       const struct sctp_association *asoc,
1337 				       struct sctp_chunk *init,
1338 				       struct sctp_cmd_seq *commands)
1339 {
1340 	struct net *net = new_asoc->base.net;
1341 	struct sctp_transport *new_addr;
1342 	int ret = 1;
1343 
1344 	/* Implementor's Guide - Section 5.2.2
1345 	 * ...
1346 	 * Before responding the endpoint MUST check to see if the
1347 	 * unexpected INIT adds new addresses to the association. If new
1348 	 * addresses are added to the association, the endpoint MUST respond
1349 	 * with an ABORT..
1350 	 */
1351 
1352 	/* Search through all current addresses and make sure
1353 	 * we aren't adding any new ones.
1354 	 */
1355 	list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1356 			    transports) {
1357 		if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1358 					&new_addr->ipaddr)) {
1359 			sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1360 						   commands);
1361 			ret = 0;
1362 			break;
1363 		}
1364 	}
1365 
1366 	/* Return success if all addresses were found. */
1367 	return ret;
1368 }
1369 
1370 /* Populate the verification/tie tags based on overlapping INIT
1371  * scenario.
1372  *
1373  * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1374  */
1375 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1376 				  const struct sctp_association *asoc)
1377 {
1378 	switch (asoc->state) {
1379 
1380 	/* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1381 
1382 	case SCTP_STATE_COOKIE_WAIT:
1383 		new_asoc->c.my_vtag     = asoc->c.my_vtag;
1384 		new_asoc->c.my_ttag     = asoc->c.my_vtag;
1385 		new_asoc->c.peer_ttag   = 0;
1386 		break;
1387 
1388 	case SCTP_STATE_COOKIE_ECHOED:
1389 		new_asoc->c.my_vtag     = asoc->c.my_vtag;
1390 		new_asoc->c.my_ttag     = asoc->c.my_vtag;
1391 		new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
1392 		break;
1393 
1394 	/* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1395 	 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1396 	 */
1397 	default:
1398 		new_asoc->c.my_ttag   = asoc->c.my_vtag;
1399 		new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1400 		break;
1401 	}
1402 
1403 	/* Other parameters for the endpoint SHOULD be copied from the
1404 	 * existing parameters of the association (e.g. number of
1405 	 * outbound streams) into the INIT ACK and cookie.
1406 	 */
1407 	new_asoc->rwnd                  = asoc->rwnd;
1408 	new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
1409 	new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1410 	new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
1411 }
1412 
1413 /*
1414  * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1415  * handling action.
1416  *
1417  * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1418  *
1419  * Returns value representing action to be taken.   These action values
1420  * correspond to Action/Description values in RFC 2960, Table 2.
1421  */
1422 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1423 				 const struct sctp_association *asoc)
1424 {
1425 	/* In this case, the peer may have restarted.  */
1426 	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1427 	    (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1428 	    (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1429 	    (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1430 		return 'A';
1431 
1432 	/* Collision case B. */
1433 	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1434 	    ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1435 	     (0 == asoc->c.peer_vtag))) {
1436 		return 'B';
1437 	}
1438 
1439 	/* Collision case D. */
1440 	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1441 	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1442 		return 'D';
1443 
1444 	/* Collision case C. */
1445 	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1446 	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1447 	    (0 == new_asoc->c.my_ttag) &&
1448 	    (0 == new_asoc->c.peer_ttag))
1449 		return 'C';
1450 
1451 	/* No match to any of the special cases; discard this packet. */
1452 	return 'E';
1453 }
1454 
1455 /* Common helper routine for both duplicate and simultaneous INIT
1456  * chunk handling.
1457  */
1458 static enum sctp_disposition sctp_sf_do_unexpected_init(
1459 					struct net *net,
1460 					const struct sctp_endpoint *ep,
1461 					const struct sctp_association *asoc,
1462 					const union sctp_subtype type,
1463 					void *arg,
1464 					struct sctp_cmd_seq *commands)
1465 {
1466 	struct sctp_chunk *chunk = arg, *repl, *err_chunk;
1467 	struct sctp_unrecognized_param *unk_param;
1468 	struct sctp_association *new_asoc;
1469 	enum sctp_disposition retval;
1470 	struct sctp_packet *packet;
1471 	int len;
1472 
1473 	/* Update socket peer label if first association. */
1474 	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
1475 					chunk->skb))
1476 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1477 
1478 	/* 6.10 Bundling
1479 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
1480 	 * SHUTDOWN COMPLETE with any other chunks.
1481 	 *
1482 	 * IG Section 2.11.2
1483 	 * Furthermore, we require that the receiver of an INIT chunk MUST
1484 	 * enforce these rules by silently discarding an arriving packet
1485 	 * with an INIT chunk that is bundled with other chunks.
1486 	 */
1487 	if (!chunk->singleton)
1488 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1489 
1490 	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1491 	 * Tag.
1492 	 */
1493 	if (chunk->sctp_hdr->vtag != 0)
1494 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1495 
1496 	/* Make sure that the INIT chunk has a valid length.
1497 	 * In this case, we generate a protocol violation since we have
1498 	 * an association established.
1499 	 */
1500 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
1501 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1502 						  commands);
1503 
1504 	if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port)
1505 		return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands);
1506 
1507 	/* Grab the INIT header.  */
1508 	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
1509 
1510 	/* Tag the variable length parameters.  */
1511 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
1512 
1513 	/* Verify the INIT chunk before processing it. */
1514 	err_chunk = NULL;
1515 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1516 			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
1517 			      &err_chunk)) {
1518 		/* This chunk contains fatal error. It is to be discarded.
1519 		 * Send an ABORT, with causes if there is any.
1520 		 */
1521 		if (err_chunk) {
1522 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1523 					(__u8 *)(err_chunk->chunk_hdr) +
1524 					sizeof(struct sctp_chunkhdr),
1525 					ntohs(err_chunk->chunk_hdr->length) -
1526 					sizeof(struct sctp_chunkhdr));
1527 
1528 			if (packet) {
1529 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1530 						SCTP_PACKET(packet));
1531 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1532 				retval = SCTP_DISPOSITION_CONSUME;
1533 			} else {
1534 				retval = SCTP_DISPOSITION_NOMEM;
1535 			}
1536 			goto cleanup;
1537 		} else {
1538 			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1539 						    commands);
1540 		}
1541 	}
1542 
1543 	/*
1544 	 * Other parameters for the endpoint SHOULD be copied from the
1545 	 * existing parameters of the association (e.g. number of
1546 	 * outbound streams) into the INIT ACK and cookie.
1547 	 * FIXME:  We are copying parameters from the endpoint not the
1548 	 * association.
1549 	 */
1550 	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1551 	if (!new_asoc)
1552 		goto nomem;
1553 
1554 	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1555 				sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1556 		goto nomem;
1557 
1558 	/* In the outbound INIT ACK the endpoint MUST copy its current
1559 	 * Verification Tag and Peers Verification tag into a reserved
1560 	 * place (local tie-tag and per tie-tag) within the state cookie.
1561 	 */
1562 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1563 			       (struct sctp_init_chunk *)chunk->chunk_hdr,
1564 			       GFP_ATOMIC))
1565 		goto nomem;
1566 
1567 	/* Make sure no new addresses are being added during the
1568 	 * restart.   Do not do this check for COOKIE-WAIT state,
1569 	 * since there are no peer addresses to check against.
1570 	 * Upon return an ABORT will have been sent if needed.
1571 	 */
1572 	if (!sctp_state(asoc, COOKIE_WAIT)) {
1573 		if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1574 						 commands)) {
1575 			retval = SCTP_DISPOSITION_CONSUME;
1576 			goto nomem_retval;
1577 		}
1578 	}
1579 
1580 	sctp_tietags_populate(new_asoc, asoc);
1581 
1582 	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
1583 
1584 	/* If there are errors need to be reported for unknown parameters,
1585 	 * make sure to reserve enough room in the INIT ACK for them.
1586 	 */
1587 	len = 0;
1588 	if (err_chunk) {
1589 		len = ntohs(err_chunk->chunk_hdr->length) -
1590 		      sizeof(struct sctp_chunkhdr);
1591 	}
1592 
1593 	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1594 	if (!repl)
1595 		goto nomem;
1596 
1597 	/* If there are errors need to be reported for unknown parameters,
1598 	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1599 	 * parameter.
1600 	 */
1601 	if (err_chunk) {
1602 		/* Get the "Unrecognized parameter" parameter(s) out of the
1603 		 * ERROR chunk generated by sctp_verify_init(). Since the
1604 		 * error cause code for "unknown parameter" and the
1605 		 * "Unrecognized parameter" type is the same, we can
1606 		 * construct the parameters in INIT ACK by copying the
1607 		 * ERROR causes over.
1608 		 */
1609 		unk_param = (struct sctp_unrecognized_param *)
1610 			    ((__u8 *)(err_chunk->chunk_hdr) +
1611 			    sizeof(struct sctp_chunkhdr));
1612 		/* Replace the cause code with the "Unrecognized parameter"
1613 		 * parameter type.
1614 		 */
1615 		sctp_addto_chunk(repl, len, unk_param);
1616 	}
1617 
1618 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1619 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1620 
1621 	/*
1622 	 * Note: After sending out INIT ACK with the State Cookie parameter,
1623 	 * "Z" MUST NOT allocate any resources for this new association.
1624 	 * Otherwise, "Z" will be vulnerable to resource attacks.
1625 	 */
1626 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1627 	retval = SCTP_DISPOSITION_CONSUME;
1628 
1629 	return retval;
1630 
1631 nomem:
1632 	retval = SCTP_DISPOSITION_NOMEM;
1633 nomem_retval:
1634 	if (new_asoc)
1635 		sctp_association_free(new_asoc);
1636 cleanup:
1637 	if (err_chunk)
1638 		sctp_chunk_free(err_chunk);
1639 	return retval;
1640 }
1641 
1642 /*
1643  * Handle simultaneous INIT.
1644  * This means we started an INIT and then we got an INIT request from
1645  * our peer.
1646  *
1647  * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1648  * This usually indicates an initialization collision, i.e., each
1649  * endpoint is attempting, at about the same time, to establish an
1650  * association with the other endpoint.
1651  *
1652  * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1653  * endpoint MUST respond with an INIT ACK using the same parameters it
1654  * sent in its original INIT chunk (including its Verification Tag,
1655  * unchanged). These original parameters are combined with those from the
1656  * newly received INIT chunk. The endpoint shall also generate a State
1657  * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1658  * INIT to calculate the State Cookie.
1659  *
1660  * After that, the endpoint MUST NOT change its state, the T1-init
1661  * timer shall be left running and the corresponding TCB MUST NOT be
1662  * destroyed. The normal procedures for handling State Cookies when
1663  * a TCB exists will resolve the duplicate INITs to a single association.
1664  *
1665  * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1666  * its Tie-Tags with the Tag information of itself and its peer (see
1667  * section 5.2.2 for a description of the Tie-Tags).
1668  *
1669  * Verification Tag: Not explicit, but an INIT can not have a valid
1670  * verification tag, so we skip the check.
1671  *
1672  * Inputs
1673  * (endpoint, asoc, chunk)
1674  *
1675  * Outputs
1676  * (asoc, reply_msg, msg_up, timers, counters)
1677  *
1678  * The return value is the disposition of the chunk.
1679  */
1680 enum sctp_disposition sctp_sf_do_5_2_1_siminit(
1681 					struct net *net,
1682 					const struct sctp_endpoint *ep,
1683 					const struct sctp_association *asoc,
1684 					const union sctp_subtype type,
1685 					void *arg,
1686 					struct sctp_cmd_seq *commands)
1687 {
1688 	/* Call helper to do the real work for both simultaneous and
1689 	 * duplicate INIT chunk handling.
1690 	 */
1691 	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1692 }
1693 
1694 /*
1695  * Handle duplicated INIT messages.  These are usually delayed
1696  * restransmissions.
1697  *
1698  * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1699  * COOKIE-ECHOED and COOKIE-WAIT
1700  *
1701  * Unless otherwise stated, upon reception of an unexpected INIT for
1702  * this association, the endpoint shall generate an INIT ACK with a
1703  * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
1704  * current Verification Tag and peer's Verification Tag into a reserved
1705  * place within the state cookie.  We shall refer to these locations as
1706  * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
1707  * containing this INIT ACK MUST carry a Verification Tag value equal to
1708  * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
1709  * MUST contain a new Initiation Tag (randomly generated see Section
1710  * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
1711  * existing parameters of the association (e.g. number of outbound
1712  * streams) into the INIT ACK and cookie.
1713  *
1714  * After sending out the INIT ACK, the endpoint shall take no further
1715  * actions, i.e., the existing association, including its current state,
1716  * and the corresponding TCB MUST NOT be changed.
1717  *
1718  * Note: Only when a TCB exists and the association is not in a COOKIE-
1719  * WAIT state are the Tie-Tags populated.  For a normal association INIT
1720  * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1721  * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
1722  * State Cookie are populated as specified in section 5.2.1.
1723  *
1724  * Verification Tag: Not specified, but an INIT has no way of knowing
1725  * what the verification tag could be, so we ignore it.
1726  *
1727  * Inputs
1728  * (endpoint, asoc, chunk)
1729  *
1730  * Outputs
1731  * (asoc, reply_msg, msg_up, timers, counters)
1732  *
1733  * The return value is the disposition of the chunk.
1734  */
1735 enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
1736 					struct net *net,
1737 					const struct sctp_endpoint *ep,
1738 					const struct sctp_association *asoc,
1739 					const union sctp_subtype type,
1740 					void *arg,
1741 					struct sctp_cmd_seq *commands)
1742 {
1743 	/* Call helper to do the real work for both simultaneous and
1744 	 * duplicate INIT chunk handling.
1745 	 */
1746 	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1747 }
1748 
1749 
1750 /*
1751  * Unexpected INIT-ACK handler.
1752  *
1753  * Section 5.2.3
1754  * If an INIT ACK received by an endpoint in any state other than the
1755  * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1756  * An unexpected INIT ACK usually indicates the processing of an old or
1757  * duplicated INIT chunk.
1758 */
1759 enum sctp_disposition sctp_sf_do_5_2_3_initack(
1760 					struct net *net,
1761 					const struct sctp_endpoint *ep,
1762 					const struct sctp_association *asoc,
1763 					const union sctp_subtype type,
1764 					void *arg,
1765 					struct sctp_cmd_seq *commands)
1766 {
1767 	/* Per the above section, we'll discard the chunk if we have an
1768 	 * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
1769 	 */
1770 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1771 		return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1772 	else
1773 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1774 }
1775 
1776 static int sctp_sf_do_assoc_update(struct sctp_association *asoc,
1777 				   struct sctp_association *new,
1778 				   struct sctp_cmd_seq *cmds)
1779 {
1780 	struct net *net = asoc->base.net;
1781 	struct sctp_chunk *abort;
1782 
1783 	if (!sctp_assoc_update(asoc, new))
1784 		return 0;
1785 
1786 	abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
1787 	if (abort) {
1788 		sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
1789 		sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
1790 	}
1791 	sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
1792 	sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED,
1793 			SCTP_PERR(SCTP_ERROR_RSRC_LOW));
1794 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1795 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1796 
1797 	return -ENOMEM;
1798 }
1799 
1800 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1801  *
1802  * Section 5.2.4
1803  *  A)  In this case, the peer may have restarted.
1804  */
1805 static enum sctp_disposition sctp_sf_do_dupcook_a(
1806 					struct net *net,
1807 					const struct sctp_endpoint *ep,
1808 					const struct sctp_association *asoc,
1809 					struct sctp_chunk *chunk,
1810 					struct sctp_cmd_seq *commands,
1811 					struct sctp_association *new_asoc)
1812 {
1813 	struct sctp_init_chunk *peer_init;
1814 	enum sctp_disposition disposition;
1815 	struct sctp_ulpevent *ev;
1816 	struct sctp_chunk *repl;
1817 	struct sctp_chunk *err;
1818 
1819 	/* new_asoc is a brand-new association, so these are not yet
1820 	 * side effects--it is safe to run them here.
1821 	 */
1822 	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1823 
1824 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1825 			       GFP_ATOMIC))
1826 		goto nomem;
1827 
1828 	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1829 		goto nomem;
1830 
1831 	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1832 		return SCTP_DISPOSITION_DISCARD;
1833 
1834 	/* Make sure no new addresses are being added during the
1835 	 * restart.  Though this is a pretty complicated attack
1836 	 * since you'd have to get inside the cookie.
1837 	 */
1838 	if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
1839 		return SCTP_DISPOSITION_CONSUME;
1840 
1841 	/* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1842 	 * the peer has restarted (Action A), it MUST NOT setup a new
1843 	 * association but instead resend the SHUTDOWN ACK and send an ERROR
1844 	 * chunk with a "Cookie Received while Shutting Down" error cause to
1845 	 * its peer.
1846 	*/
1847 	if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1848 		disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
1849 				SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1850 				chunk, commands);
1851 		if (SCTP_DISPOSITION_NOMEM == disposition)
1852 			goto nomem;
1853 
1854 		err = sctp_make_op_error(asoc, chunk,
1855 					 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1856 					 NULL, 0, 0);
1857 		if (err)
1858 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1859 					SCTP_CHUNK(err));
1860 
1861 		return SCTP_DISPOSITION_CONSUME;
1862 	}
1863 
1864 	/* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1865 	 * data. Consider the optional choice of resending of this data.
1866 	 */
1867 	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1868 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1869 			SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1870 	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1871 
1872 	/* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1873 	 * and ASCONF-ACK cache.
1874 	 */
1875 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1876 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1877 	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1878 
1879 	/* Update the content of current association. */
1880 	if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1881 		goto nomem;
1882 
1883 	repl = sctp_make_cookie_ack(asoc, chunk);
1884 	if (!repl)
1885 		goto nomem;
1886 
1887 	/* Report association restart to upper layer. */
1888 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1889 					     asoc->c.sinit_num_ostreams,
1890 					     asoc->c.sinit_max_instreams,
1891 					     NULL, GFP_ATOMIC);
1892 	if (!ev)
1893 		goto nomem_ev;
1894 
1895 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1896 	if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
1897 	     sctp_state(asoc, SHUTDOWN_SENT)) &&
1898 	    (sctp_sstate(asoc->base.sk, CLOSING) ||
1899 	     sock_flag(asoc->base.sk, SOCK_DEAD))) {
1900 		/* If the socket has been closed by user, don't
1901 		 * transition to ESTABLISHED. Instead trigger SHUTDOWN
1902 		 * bundled with COOKIE_ACK.
1903 		 */
1904 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1905 		return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1906 						     SCTP_ST_CHUNK(0), repl,
1907 						     commands);
1908 	} else {
1909 		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1910 				SCTP_STATE(SCTP_STATE_ESTABLISHED));
1911 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1912 	}
1913 	return SCTP_DISPOSITION_CONSUME;
1914 
1915 nomem_ev:
1916 	sctp_chunk_free(repl);
1917 nomem:
1918 	return SCTP_DISPOSITION_NOMEM;
1919 }
1920 
1921 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1922  *
1923  * Section 5.2.4
1924  *   B) In this case, both sides may be attempting to start an association
1925  *      at about the same time but the peer endpoint started its INIT
1926  *      after responding to the local endpoint's INIT
1927  */
1928 /* This case represents an initialization collision.  */
1929 static enum sctp_disposition sctp_sf_do_dupcook_b(
1930 					struct net *net,
1931 					const struct sctp_endpoint *ep,
1932 					const struct sctp_association *asoc,
1933 					struct sctp_chunk *chunk,
1934 					struct sctp_cmd_seq *commands,
1935 					struct sctp_association *new_asoc)
1936 {
1937 	struct sctp_init_chunk *peer_init;
1938 	struct sctp_chunk *repl;
1939 
1940 	/* new_asoc is a brand-new association, so these are not yet
1941 	 * side effects--it is safe to run them here.
1942 	 */
1943 	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1944 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1945 			       GFP_ATOMIC))
1946 		goto nomem;
1947 
1948 	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1949 		goto nomem;
1950 
1951 	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1952 		return SCTP_DISPOSITION_DISCARD;
1953 
1954 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1955 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
1956 	if (asoc->state < SCTP_STATE_ESTABLISHED)
1957 		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1958 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1959 
1960 	/* Update the content of current association.  */
1961 	if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1962 		goto nomem;
1963 
1964 	repl = sctp_make_cookie_ack(asoc, chunk);
1965 	if (!repl)
1966 		goto nomem;
1967 
1968 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1969 
1970 	/* RFC 2960 5.1 Normal Establishment of an Association
1971 	 *
1972 	 * D) IMPLEMENTATION NOTE: An implementation may choose to
1973 	 * send the Communication Up notification to the SCTP user
1974 	 * upon reception of a valid COOKIE ECHO chunk.
1975 	 *
1976 	 * Sadly, this needs to be implemented as a side-effect, because
1977 	 * we are not guaranteed to have set the association id of the real
1978 	 * association and so these notifications need to be delayed until
1979 	 * the association id is allocated.
1980 	 */
1981 
1982 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1983 
1984 	/* Sockets API Draft Section 5.3.1.6
1985 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1986 	 * delivers this notification to inform the application that of the
1987 	 * peers requested adaptation layer.
1988 	 *
1989 	 * This also needs to be done as a side effect for the same reason as
1990 	 * above.
1991 	 */
1992 	if (asoc->peer.adaptation_ind)
1993 		sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1994 
1995 	if (!asoc->peer.auth_capable)
1996 		sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());
1997 
1998 	return SCTP_DISPOSITION_CONSUME;
1999 
2000 nomem:
2001 	return SCTP_DISPOSITION_NOMEM;
2002 }
2003 
2004 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
2005  *
2006  * Section 5.2.4
2007  *  C) In this case, the local endpoint's cookie has arrived late.
2008  *     Before it arrived, the local endpoint sent an INIT and received an
2009  *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
2010  *     but a new tag of its own.
2011  */
2012 /* This case represents an initialization collision.  */
2013 static enum sctp_disposition sctp_sf_do_dupcook_c(
2014 					struct net *net,
2015 					const struct sctp_endpoint *ep,
2016 					const struct sctp_association *asoc,
2017 					struct sctp_chunk *chunk,
2018 					struct sctp_cmd_seq *commands,
2019 					struct sctp_association *new_asoc)
2020 {
2021 	/* The cookie should be silently discarded.
2022 	 * The endpoint SHOULD NOT change states and should leave
2023 	 * any timers running.
2024 	 */
2025 	return SCTP_DISPOSITION_DISCARD;
2026 }
2027 
2028 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
2029  *
2030  * Section 5.2.4
2031  *
2032  * D) When both local and remote tags match the endpoint should always
2033  *    enter the ESTABLISHED state, if it has not already done so.
2034  */
2035 /* This case represents an initialization collision.  */
2036 static enum sctp_disposition sctp_sf_do_dupcook_d(
2037 					struct net *net,
2038 					const struct sctp_endpoint *ep,
2039 					const struct sctp_association *asoc,
2040 					struct sctp_chunk *chunk,
2041 					struct sctp_cmd_seq *commands,
2042 					struct sctp_association *new_asoc)
2043 {
2044 	struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;
2045 	struct sctp_chunk *repl;
2046 
2047 	/* Clarification from Implementor's Guide:
2048 	 * D) When both local and remote tags match the endpoint should
2049 	 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
2050 	 * It should stop any cookie timer that may be running and send
2051 	 * a COOKIE ACK.
2052 	 */
2053 
2054 	if (!sctp_auth_chunk_verify(net, chunk, asoc))
2055 		return SCTP_DISPOSITION_DISCARD;
2056 
2057 	/* Don't accidentally move back into established state. */
2058 	if (asoc->state < SCTP_STATE_ESTABLISHED) {
2059 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2060 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2061 		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2062 				SCTP_STATE(SCTP_STATE_ESTABLISHED));
2063 		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2064 		sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
2065 				SCTP_NULL());
2066 
2067 		/* RFC 2960 5.1 Normal Establishment of an Association
2068 		 *
2069 		 * D) IMPLEMENTATION NOTE: An implementation may choose
2070 		 * to send the Communication Up notification to the
2071 		 * SCTP user upon reception of a valid COOKIE
2072 		 * ECHO chunk.
2073 		 */
2074 		ev = sctp_ulpevent_make_assoc_change(asoc, 0,
2075 					     SCTP_COMM_UP, 0,
2076 					     asoc->c.sinit_num_ostreams,
2077 					     asoc->c.sinit_max_instreams,
2078 					     NULL, GFP_ATOMIC);
2079 		if (!ev)
2080 			goto nomem;
2081 
2082 		/* Sockets API Draft Section 5.3.1.6
2083 		 * When a peer sends a Adaptation Layer Indication parameter,
2084 		 * SCTP delivers this notification to inform the application
2085 		 * that of the peers requested adaptation layer.
2086 		 */
2087 		if (asoc->peer.adaptation_ind) {
2088 			ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
2089 								 GFP_ATOMIC);
2090 			if (!ai_ev)
2091 				goto nomem;
2092 
2093 		}
2094 
2095 		if (!asoc->peer.auth_capable) {
2096 			auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
2097 							     SCTP_AUTH_NO_AUTH,
2098 							     GFP_ATOMIC);
2099 			if (!auth_ev)
2100 				goto nomem;
2101 		}
2102 	}
2103 
2104 	repl = sctp_make_cookie_ack(asoc, chunk);
2105 	if (!repl)
2106 		goto nomem;
2107 
2108 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2109 
2110 	if (ev)
2111 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2112 				SCTP_ULPEVENT(ev));
2113 	if (ai_ev)
2114 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2115 					SCTP_ULPEVENT(ai_ev));
2116 	if (auth_ev)
2117 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2118 				SCTP_ULPEVENT(auth_ev));
2119 
2120 	return SCTP_DISPOSITION_CONSUME;
2121 
2122 nomem:
2123 	if (auth_ev)
2124 		sctp_ulpevent_free(auth_ev);
2125 	if (ai_ev)
2126 		sctp_ulpevent_free(ai_ev);
2127 	if (ev)
2128 		sctp_ulpevent_free(ev);
2129 	return SCTP_DISPOSITION_NOMEM;
2130 }
2131 
2132 /*
2133  * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
2134  * chunk was retransmitted and then delayed in the network.
2135  *
2136  * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
2137  *
2138  * Verification Tag: None.  Do cookie validation.
2139  *
2140  * Inputs
2141  * (endpoint, asoc, chunk)
2142  *
2143  * Outputs
2144  * (asoc, reply_msg, msg_up, timers, counters)
2145  *
2146  * The return value is the disposition of the chunk.
2147  */
2148 enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
2149 					struct net *net,
2150 					const struct sctp_endpoint *ep,
2151 					const struct sctp_association *asoc,
2152 					const union sctp_subtype type,
2153 					void *arg,
2154 					struct sctp_cmd_seq *commands)
2155 {
2156 	struct sctp_association *new_asoc;
2157 	struct sctp_chunk *chunk = arg;
2158 	enum sctp_disposition retval;
2159 	struct sctp_chunk *err_chk_p;
2160 	int error = 0;
2161 	char action;
2162 
2163 	/* Make sure that the chunk has a valid length from the protocol
2164 	 * perspective.  In this case check to make sure we have at least
2165 	 * enough for the chunk header.  Cookie length verification is
2166 	 * done later.
2167 	 */
2168 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2169 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2170 						  commands);
2171 
2172 	/* "Decode" the chunk.  We have no optional parameters so we
2173 	 * are in good shape.
2174 	 */
2175 	chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2176 	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2177 					sizeof(struct sctp_chunkhdr)))
2178 		goto nomem;
2179 
2180 	/* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2181 	 * of a duplicate COOKIE ECHO match the Verification Tags of the
2182 	 * current association, consider the State Cookie valid even if
2183 	 * the lifespan is exceeded.
2184 	 */
2185 	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2186 				      &err_chk_p);
2187 
2188 	/* FIXME:
2189 	 * If the re-build failed, what is the proper error path
2190 	 * from here?
2191 	 *
2192 	 * [We should abort the association. --piggy]
2193 	 */
2194 	if (!new_asoc) {
2195 		/* FIXME: Several errors are possible.  A bad cookie should
2196 		 * be silently discarded, but think about logging it too.
2197 		 */
2198 		switch (error) {
2199 		case -SCTP_IERROR_NOMEM:
2200 			goto nomem;
2201 
2202 		case -SCTP_IERROR_STALE_COOKIE:
2203 			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2204 						   err_chk_p);
2205 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2206 		case -SCTP_IERROR_BAD_SIG:
2207 		default:
2208 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2209 		}
2210 	}
2211 
2212 	/* Update socket peer label if first association. */
2213 	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
2214 					chunk->skb)) {
2215 		sctp_association_free(new_asoc);
2216 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2217 	}
2218 
2219 	/* Set temp so that it won't be added into hashtable */
2220 	new_asoc->temp = 1;
2221 
2222 	/* Compare the tie_tag in cookie with the verification tag of
2223 	 * current association.
2224 	 */
2225 	action = sctp_tietags_compare(new_asoc, asoc);
2226 
2227 	switch (action) {
2228 	case 'A': /* Association restart. */
2229 		retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2230 					      new_asoc);
2231 		break;
2232 
2233 	case 'B': /* Collision case B. */
2234 		retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2235 					      new_asoc);
2236 		break;
2237 
2238 	case 'C': /* Collision case C. */
2239 		retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2240 					      new_asoc);
2241 		break;
2242 
2243 	case 'D': /* Collision case D. */
2244 		retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2245 					      new_asoc);
2246 		break;
2247 
2248 	default: /* Discard packet for all others. */
2249 		retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2250 		break;
2251 	}
2252 
2253 	/* Delete the temporary new association. */
2254 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2255 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2256 
2257 	/* Restore association pointer to provide SCTP command interpreter
2258 	 * with a valid context in case it needs to manipulate
2259 	 * the queues */
2260 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2261 			 SCTP_ASOC((struct sctp_association *)asoc));
2262 
2263 	return retval;
2264 
2265 nomem:
2266 	return SCTP_DISPOSITION_NOMEM;
2267 }
2268 
2269 /*
2270  * Process an ABORT.  (SHUTDOWN-PENDING state)
2271  *
2272  * See sctp_sf_do_9_1_abort().
2273  */
2274 enum sctp_disposition sctp_sf_shutdown_pending_abort(
2275 					struct net *net,
2276 					const struct sctp_endpoint *ep,
2277 					const struct sctp_association *asoc,
2278 					const union sctp_subtype type,
2279 					void *arg,
2280 					struct sctp_cmd_seq *commands)
2281 {
2282 	struct sctp_chunk *chunk = arg;
2283 
2284 	if (!sctp_vtag_verify_either(chunk, asoc))
2285 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2286 
2287 	/* Make sure that the ABORT chunk has a valid length.
2288 	 * Since this is an ABORT chunk, we have to discard it
2289 	 * because of the following text:
2290 	 * RFC 2960, Section 3.3.7
2291 	 *    If an endpoint receives an ABORT with a format error or for an
2292 	 *    association that doesn't exist, it MUST silently discard it.
2293 	 * Because the length is "invalid", we can't really discard just
2294 	 * as we do not know its true length.  So, to be safe, discard the
2295 	 * packet.
2296 	 */
2297 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2298 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2299 
2300 	/* ADD-IP: Special case for ABORT chunks
2301 	 * F4)  One special consideration is that ABORT Chunks arriving
2302 	 * destined to the IP address being deleted MUST be
2303 	 * ignored (see Section 5.3.1 for further details).
2304 	 */
2305 	if (SCTP_ADDR_DEL ==
2306 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2307 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2308 
2309 	if (!sctp_err_chunk_valid(chunk))
2310 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2311 
2312 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2313 }
2314 
2315 /*
2316  * Process an ABORT.  (SHUTDOWN-SENT state)
2317  *
2318  * See sctp_sf_do_9_1_abort().
2319  */
2320 enum sctp_disposition sctp_sf_shutdown_sent_abort(
2321 					struct net *net,
2322 					const struct sctp_endpoint *ep,
2323 					const struct sctp_association *asoc,
2324 					const union sctp_subtype type,
2325 					void *arg,
2326 					struct sctp_cmd_seq *commands)
2327 {
2328 	struct sctp_chunk *chunk = arg;
2329 
2330 	if (!sctp_vtag_verify_either(chunk, asoc))
2331 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2332 
2333 	/* Make sure that the ABORT chunk has a valid length.
2334 	 * Since this is an ABORT chunk, we have to discard it
2335 	 * because of the following text:
2336 	 * RFC 2960, Section 3.3.7
2337 	 *    If an endpoint receives an ABORT with a format error or for an
2338 	 *    association that doesn't exist, it MUST silently discard it.
2339 	 * Because the length is "invalid", we can't really discard just
2340 	 * as we do not know its true length.  So, to be safe, discard the
2341 	 * packet.
2342 	 */
2343 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2344 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2345 
2346 	/* ADD-IP: Special case for ABORT chunks
2347 	 * F4)  One special consideration is that ABORT Chunks arriving
2348 	 * destined to the IP address being deleted MUST be
2349 	 * ignored (see Section 5.3.1 for further details).
2350 	 */
2351 	if (SCTP_ADDR_DEL ==
2352 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2353 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2354 
2355 	if (!sctp_err_chunk_valid(chunk))
2356 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2357 
2358 	/* Stop the T2-shutdown timer. */
2359 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2360 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2361 
2362 	/* Stop the T5-shutdown guard timer.  */
2363 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2364 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2365 
2366 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2367 }
2368 
2369 /*
2370  * Process an ABORT.  (SHUTDOWN-ACK-SENT state)
2371  *
2372  * See sctp_sf_do_9_1_abort().
2373  */
2374 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort(
2375 					struct net *net,
2376 					const struct sctp_endpoint *ep,
2377 					const struct sctp_association *asoc,
2378 					const union sctp_subtype type,
2379 					void *arg,
2380 					struct sctp_cmd_seq *commands)
2381 {
2382 	/* The same T2 timer, so we should be able to use
2383 	 * common function with the SHUTDOWN-SENT state.
2384 	 */
2385 	return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2386 }
2387 
2388 /*
2389  * Handle an Error received in COOKIE_ECHOED state.
2390  *
2391  * Only handle the error type of stale COOKIE Error, the other errors will
2392  * be ignored.
2393  *
2394  * Inputs
2395  * (endpoint, asoc, chunk)
2396  *
2397  * Outputs
2398  * (asoc, reply_msg, msg_up, timers, counters)
2399  *
2400  * The return value is the disposition of the chunk.
2401  */
2402 enum sctp_disposition sctp_sf_cookie_echoed_err(
2403 					struct net *net,
2404 					const struct sctp_endpoint *ep,
2405 					const struct sctp_association *asoc,
2406 					const union sctp_subtype type,
2407 					void *arg,
2408 					struct sctp_cmd_seq *commands)
2409 {
2410 	struct sctp_chunk *chunk = arg;
2411 	struct sctp_errhdr *err;
2412 
2413 	if (!sctp_vtag_verify(chunk, asoc))
2414 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2415 
2416 	/* Make sure that the ERROR chunk has a valid length.
2417 	 * The parameter walking depends on this as well.
2418 	 */
2419 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
2420 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2421 						  commands);
2422 
2423 	/* Process the error here */
2424 	/* FUTURE FIXME:  When PR-SCTP related and other optional
2425 	 * parms are emitted, this will have to change to handle multiple
2426 	 * errors.
2427 	 */
2428 	sctp_walk_errors(err, chunk->chunk_hdr) {
2429 		if (SCTP_ERROR_STALE_COOKIE == err->cause)
2430 			return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2431 							arg, commands);
2432 	}
2433 
2434 	/* It is possible to have malformed error causes, and that
2435 	 * will cause us to end the walk early.  However, since
2436 	 * we are discarding the packet, there should be no adverse
2437 	 * affects.
2438 	 */
2439 	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2440 }
2441 
2442 /*
2443  * Handle a Stale COOKIE Error
2444  *
2445  * Section: 5.2.6 Handle Stale COOKIE Error
2446  * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2447  * one of the following three alternatives.
2448  * ...
2449  * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2450  *    Preservative parameter requesting an extension to the lifetime of
2451  *    the State Cookie. When calculating the time extension, an
2452  *    implementation SHOULD use the RTT information measured based on the
2453  *    previous COOKIE ECHO / ERROR exchange, and should add no more
2454  *    than 1 second beyond the measured RTT, due to long State Cookie
2455  *    lifetimes making the endpoint more subject to a replay attack.
2456  *
2457  * Verification Tag:  Not explicit, but safe to ignore.
2458  *
2459  * Inputs
2460  * (endpoint, asoc, chunk)
2461  *
2462  * Outputs
2463  * (asoc, reply_msg, msg_up, timers, counters)
2464  *
2465  * The return value is the disposition of the chunk.
2466  */
2467 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
2468 					struct net *net,
2469 					const struct sctp_endpoint *ep,
2470 					const struct sctp_association *asoc,
2471 					const union sctp_subtype type,
2472 					void *arg,
2473 					struct sctp_cmd_seq *commands)
2474 {
2475 	int attempts = asoc->init_err_counter + 1;
2476 	struct sctp_chunk *chunk = arg, *reply;
2477 	struct sctp_cookie_preserve_param bht;
2478 	struct sctp_bind_addr *bp;
2479 	struct sctp_errhdr *err;
2480 	u32 stale;
2481 
2482 	if (attempts > asoc->max_init_attempts) {
2483 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2484 				SCTP_ERROR(ETIMEDOUT));
2485 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2486 				SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2487 		return SCTP_DISPOSITION_DELETE_TCB;
2488 	}
2489 
2490 	err = (struct sctp_errhdr *)(chunk->skb->data);
2491 
2492 	/* When calculating the time extension, an implementation
2493 	 * SHOULD use the RTT information measured based on the
2494 	 * previous COOKIE ECHO / ERROR exchange, and should add no
2495 	 * more than 1 second beyond the measured RTT, due to long
2496 	 * State Cookie lifetimes making the endpoint more subject to
2497 	 * a replay attack.
2498 	 * Measure of Staleness's unit is usec. (1/1000000 sec)
2499 	 * Suggested Cookie Life-span Increment's unit is msec.
2500 	 * (1/1000 sec)
2501 	 * In general, if you use the suggested cookie life, the value
2502 	 * found in the field of measure of staleness should be doubled
2503 	 * to give ample time to retransmit the new cookie and thus
2504 	 * yield a higher probability of success on the reattempt.
2505 	 */
2506 	stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));
2507 	stale = (stale * 2) / 1000;
2508 
2509 	bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2510 	bht.param_hdr.length = htons(sizeof(bht));
2511 	bht.lifespan_increment = htonl(stale);
2512 
2513 	/* Build that new INIT chunk.  */
2514 	bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2515 	reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2516 	if (!reply)
2517 		goto nomem;
2518 
2519 	sctp_addto_chunk(reply, sizeof(bht), &bht);
2520 
2521 	/* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2522 	sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2523 
2524 	/* Stop pending T3-rtx and heartbeat timers */
2525 	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2526 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2527 
2528 	/* Delete non-primary peer ip addresses since we are transitioning
2529 	 * back to the COOKIE-WAIT state
2530 	 */
2531 	sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2532 
2533 	/* If we've sent any data bundled with COOKIE-ECHO we will need to
2534 	 * resend
2535 	 */
2536 	sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2537 			SCTP_TRANSPORT(asoc->peer.primary_path));
2538 
2539 	/* Cast away the const modifier, as we want to just
2540 	 * rerun it through as a sideffect.
2541 	 */
2542 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2543 
2544 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2545 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2546 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2547 			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2548 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2549 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2550 
2551 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2552 
2553 	return SCTP_DISPOSITION_CONSUME;
2554 
2555 nomem:
2556 	return SCTP_DISPOSITION_NOMEM;
2557 }
2558 
2559 /*
2560  * Process an ABORT.
2561  *
2562  * Section: 9.1
2563  * After checking the Verification Tag, the receiving endpoint shall
2564  * remove the association from its record, and shall report the
2565  * termination to its upper layer.
2566  *
2567  * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2568  * B) Rules for packet carrying ABORT:
2569  *
2570  *  - The endpoint shall always fill in the Verification Tag field of the
2571  *    outbound packet with the destination endpoint's tag value if it
2572  *    is known.
2573  *
2574  *  - If the ABORT is sent in response to an OOTB packet, the endpoint
2575  *    MUST follow the procedure described in Section 8.4.
2576  *
2577  *  - The receiver MUST accept the packet if the Verification Tag
2578  *    matches either its own tag, OR the tag of its peer. Otherwise, the
2579  *    receiver MUST silently discard the packet and take no further
2580  *    action.
2581  *
2582  * Inputs
2583  * (endpoint, asoc, chunk)
2584  *
2585  * Outputs
2586  * (asoc, reply_msg, msg_up, timers, counters)
2587  *
2588  * The return value is the disposition of the chunk.
2589  */
2590 enum sctp_disposition sctp_sf_do_9_1_abort(
2591 					struct net *net,
2592 					const struct sctp_endpoint *ep,
2593 					const struct sctp_association *asoc,
2594 					const union sctp_subtype type,
2595 					void *arg,
2596 					struct sctp_cmd_seq *commands)
2597 {
2598 	struct sctp_chunk *chunk = arg;
2599 
2600 	if (!sctp_vtag_verify_either(chunk, asoc))
2601 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2602 
2603 	/* Make sure that the ABORT chunk has a valid length.
2604 	 * Since this is an ABORT chunk, we have to discard it
2605 	 * because of the following text:
2606 	 * RFC 2960, Section 3.3.7
2607 	 *    If an endpoint receives an ABORT with a format error or for an
2608 	 *    association that doesn't exist, it MUST silently discard it.
2609 	 * Because the length is "invalid", we can't really discard just
2610 	 * as we do not know its true length.  So, to be safe, discard the
2611 	 * packet.
2612 	 */
2613 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2614 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2615 
2616 	/* ADD-IP: Special case for ABORT chunks
2617 	 * F4)  One special consideration is that ABORT Chunks arriving
2618 	 * destined to the IP address being deleted MUST be
2619 	 * ignored (see Section 5.3.1 for further details).
2620 	 */
2621 	if (SCTP_ADDR_DEL ==
2622 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2623 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2624 
2625 	if (!sctp_err_chunk_valid(chunk))
2626 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2627 
2628 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2629 }
2630 
2631 static enum sctp_disposition __sctp_sf_do_9_1_abort(
2632 					struct net *net,
2633 					const struct sctp_endpoint *ep,
2634 					const struct sctp_association *asoc,
2635 					const union sctp_subtype type,
2636 					void *arg,
2637 					struct sctp_cmd_seq *commands)
2638 {
2639 	__be16 error = SCTP_ERROR_NO_ERROR;
2640 	struct sctp_chunk *chunk = arg;
2641 	unsigned int len;
2642 
2643 	/* See if we have an error cause code in the chunk.  */
2644 	len = ntohs(chunk->chunk_hdr->length);
2645 	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2646 		error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2647 
2648 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2649 	/* ASSOC_FAILED will DELETE_TCB. */
2650 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2651 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2652 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2653 
2654 	return SCTP_DISPOSITION_ABORT;
2655 }
2656 
2657 /*
2658  * Process an ABORT.  (COOKIE-WAIT state)
2659  *
2660  * See sctp_sf_do_9_1_abort() above.
2661  */
2662 enum sctp_disposition sctp_sf_cookie_wait_abort(
2663 					struct net *net,
2664 					const struct sctp_endpoint *ep,
2665 					const struct sctp_association *asoc,
2666 					const union sctp_subtype type,
2667 					void *arg,
2668 					struct sctp_cmd_seq *commands)
2669 {
2670 	__be16 error = SCTP_ERROR_NO_ERROR;
2671 	struct sctp_chunk *chunk = arg;
2672 	unsigned int len;
2673 
2674 	if (!sctp_vtag_verify_either(chunk, asoc))
2675 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2676 
2677 	/* Make sure that the ABORT chunk has a valid length.
2678 	 * Since this is an ABORT chunk, we have to discard it
2679 	 * because of the following text:
2680 	 * RFC 2960, Section 3.3.7
2681 	 *    If an endpoint receives an ABORT with a format error or for an
2682 	 *    association that doesn't exist, it MUST silently discard it.
2683 	 * Because the length is "invalid", we can't really discard just
2684 	 * as we do not know its true length.  So, to be safe, discard the
2685 	 * packet.
2686 	 */
2687 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2688 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2689 
2690 	/* See if we have an error cause code in the chunk.  */
2691 	len = ntohs(chunk->chunk_hdr->length);
2692 	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2693 		error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2694 
2695 	return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2696 				      chunk->transport);
2697 }
2698 
2699 /*
2700  * Process an incoming ICMP as an ABORT.  (COOKIE-WAIT state)
2701  */
2702 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort(
2703 					struct net *net,
2704 					const struct sctp_endpoint *ep,
2705 					const struct sctp_association *asoc,
2706 					const union sctp_subtype type,
2707 					void *arg,
2708 					struct sctp_cmd_seq *commands)
2709 {
2710 	return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2711 				      ENOPROTOOPT, asoc,
2712 				      (struct sctp_transport *)arg);
2713 }
2714 
2715 /*
2716  * Process an ABORT.  (COOKIE-ECHOED state)
2717  */
2718 enum sctp_disposition sctp_sf_cookie_echoed_abort(
2719 					struct net *net,
2720 					const struct sctp_endpoint *ep,
2721 					const struct sctp_association *asoc,
2722 					const union sctp_subtype type,
2723 					void *arg,
2724 					struct sctp_cmd_seq *commands)
2725 {
2726 	/* There is a single T1 timer, so we should be able to use
2727 	 * common function with the COOKIE-WAIT state.
2728 	 */
2729 	return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2730 }
2731 
2732 /*
2733  * Stop T1 timer and abort association with "INIT failed".
2734  *
2735  * This is common code called by several sctp_sf_*_abort() functions above.
2736  */
2737 static enum sctp_disposition sctp_stop_t1_and_abort(
2738 					struct net *net,
2739 					struct sctp_cmd_seq *commands,
2740 					__be16 error, int sk_err,
2741 					const struct sctp_association *asoc,
2742 					struct sctp_transport *transport)
2743 {
2744 	pr_debug("%s: ABORT received (INIT)\n", __func__);
2745 
2746 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2747 			SCTP_STATE(SCTP_STATE_CLOSED));
2748 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2749 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2750 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2751 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2752 	/* CMD_INIT_FAILED will DELETE_TCB. */
2753 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2754 			SCTP_PERR(error));
2755 
2756 	return SCTP_DISPOSITION_ABORT;
2757 }
2758 
2759 /*
2760  * sctp_sf_do_9_2_shut
2761  *
2762  * Section: 9.2
2763  * Upon the reception of the SHUTDOWN, the peer endpoint shall
2764  *  - enter the SHUTDOWN-RECEIVED state,
2765  *
2766  *  - stop accepting new data from its SCTP user
2767  *
2768  *  - verify, by checking the Cumulative TSN Ack field of the chunk,
2769  *    that all its outstanding DATA chunks have been received by the
2770  *    SHUTDOWN sender.
2771  *
2772  * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2773  * send a SHUTDOWN in response to a ULP request. And should discard
2774  * subsequent SHUTDOWN chunks.
2775  *
2776  * If there are still outstanding DATA chunks left, the SHUTDOWN
2777  * receiver shall continue to follow normal data transmission
2778  * procedures defined in Section 6 until all outstanding DATA chunks
2779  * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2780  * new data from its SCTP user.
2781  *
2782  * Verification Tag:  8.5 Verification Tag [Normal verification]
2783  *
2784  * Inputs
2785  * (endpoint, asoc, chunk)
2786  *
2787  * Outputs
2788  * (asoc, reply_msg, msg_up, timers, counters)
2789  *
2790  * The return value is the disposition of the chunk.
2791  */
2792 enum sctp_disposition sctp_sf_do_9_2_shutdown(
2793 					struct net *net,
2794 					const struct sctp_endpoint *ep,
2795 					const struct sctp_association *asoc,
2796 					const union sctp_subtype type,
2797 					void *arg,
2798 					struct sctp_cmd_seq *commands)
2799 {
2800 	enum sctp_disposition disposition;
2801 	struct sctp_chunk *chunk = arg;
2802 	struct sctp_shutdownhdr *sdh;
2803 	struct sctp_ulpevent *ev;
2804 	__u32 ctsn;
2805 
2806 	if (!sctp_vtag_verify(chunk, asoc))
2807 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2808 
2809 	/* Make sure that the SHUTDOWN chunk has a valid length. */
2810 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2811 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2812 						  commands);
2813 
2814 	/* Convert the elaborate header.  */
2815 	sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2816 	skb_pull(chunk->skb, sizeof(*sdh));
2817 	chunk->subh.shutdown_hdr = sdh;
2818 	ctsn = ntohl(sdh->cum_tsn_ack);
2819 
2820 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2821 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2822 			 asoc->ctsn_ack_point);
2823 
2824 		return SCTP_DISPOSITION_DISCARD;
2825 	}
2826 
2827 	/* If Cumulative TSN Ack beyond the max tsn currently
2828 	 * send, terminating the association and respond to the
2829 	 * sender with an ABORT.
2830 	 */
2831 	if (!TSN_lt(ctsn, asoc->next_tsn))
2832 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2833 
2834 	/* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2835 	 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2836 	 * inform the application that it should cease sending data.
2837 	 */
2838 	ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2839 	if (!ev) {
2840 		disposition = SCTP_DISPOSITION_NOMEM;
2841 		goto out;
2842 	}
2843 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2844 
2845 	/* Upon the reception of the SHUTDOWN, the peer endpoint shall
2846 	 *  - enter the SHUTDOWN-RECEIVED state,
2847 	 *  - stop accepting new data from its SCTP user
2848 	 *
2849 	 * [This is implicit in the new state.]
2850 	 */
2851 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2852 			SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2853 	disposition = SCTP_DISPOSITION_CONSUME;
2854 
2855 	if (sctp_outq_is_empty(&asoc->outqueue)) {
2856 		disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2857 							  arg, commands);
2858 	}
2859 
2860 	if (SCTP_DISPOSITION_NOMEM == disposition)
2861 		goto out;
2862 
2863 	/*  - verify, by checking the Cumulative TSN Ack field of the
2864 	 *    chunk, that all its outstanding DATA chunks have been
2865 	 *    received by the SHUTDOWN sender.
2866 	 */
2867 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2868 			SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2869 
2870 out:
2871 	return disposition;
2872 }
2873 
2874 /*
2875  * sctp_sf_do_9_2_shut_ctsn
2876  *
2877  * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2878  * it MUST NOT send a SHUTDOWN in response to a ULP request.
2879  * The Cumulative TSN Ack of the received SHUTDOWN chunk
2880  * MUST be processed.
2881  */
2882 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
2883 					struct net *net,
2884 					const struct sctp_endpoint *ep,
2885 					const struct sctp_association *asoc,
2886 					const union sctp_subtype type,
2887 					void *arg,
2888 					struct sctp_cmd_seq *commands)
2889 {
2890 	struct sctp_chunk *chunk = arg;
2891 	struct sctp_shutdownhdr *sdh;
2892 	__u32 ctsn;
2893 
2894 	if (!sctp_vtag_verify(chunk, asoc))
2895 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2896 
2897 	/* Make sure that the SHUTDOWN chunk has a valid length. */
2898 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2899 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2900 						  commands);
2901 
2902 	sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2903 	ctsn = ntohl(sdh->cum_tsn_ack);
2904 
2905 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2906 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2907 			 asoc->ctsn_ack_point);
2908 
2909 		return SCTP_DISPOSITION_DISCARD;
2910 	}
2911 
2912 	/* If Cumulative TSN Ack beyond the max tsn currently
2913 	 * send, terminating the association and respond to the
2914 	 * sender with an ABORT.
2915 	 */
2916 	if (!TSN_lt(ctsn, asoc->next_tsn))
2917 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2918 
2919 	/* verify, by checking the Cumulative TSN Ack field of the
2920 	 * chunk, that all its outstanding DATA chunks have been
2921 	 * received by the SHUTDOWN sender.
2922 	 */
2923 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2924 			SCTP_BE32(sdh->cum_tsn_ack));
2925 
2926 	return SCTP_DISPOSITION_CONSUME;
2927 }
2928 
2929 /* RFC 2960 9.2
2930  * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2931  * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2932  * transport addresses (either in the IP addresses or in the INIT chunk)
2933  * that belong to this association, it should discard the INIT chunk and
2934  * retransmit the SHUTDOWN ACK chunk.
2935  */
2936 enum sctp_disposition sctp_sf_do_9_2_reshutack(
2937 					struct net *net,
2938 					const struct sctp_endpoint *ep,
2939 					const struct sctp_association *asoc,
2940 					const union sctp_subtype type,
2941 					void *arg,
2942 					struct sctp_cmd_seq *commands)
2943 {
2944 	struct sctp_chunk *chunk = arg;
2945 	struct sctp_chunk *reply;
2946 
2947 	/* Make sure that the chunk has a valid length */
2948 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2949 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2950 						  commands);
2951 
2952 	/* Since we are not going to really process this INIT, there
2953 	 * is no point in verifying chunk boundries.  Just generate
2954 	 * the SHUTDOWN ACK.
2955 	 */
2956 	reply = sctp_make_shutdown_ack(asoc, chunk);
2957 	if (NULL == reply)
2958 		goto nomem;
2959 
2960 	/* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2961 	 * the T2-SHUTDOWN timer.
2962 	 */
2963 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2964 
2965 	/* and restart the T2-shutdown timer. */
2966 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2967 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2968 
2969 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2970 
2971 	return SCTP_DISPOSITION_CONSUME;
2972 nomem:
2973 	return SCTP_DISPOSITION_NOMEM;
2974 }
2975 
2976 /*
2977  * sctp_sf_do_ecn_cwr
2978  *
2979  * Section:  Appendix A: Explicit Congestion Notification
2980  *
2981  * CWR:
2982  *
2983  * RFC 2481 details a specific bit for a sender to send in the header of
2984  * its next outbound TCP segment to indicate to its peer that it has
2985  * reduced its congestion window.  This is termed the CWR bit.  For
2986  * SCTP the same indication is made by including the CWR chunk.
2987  * This chunk contains one data element, i.e. the TSN number that
2988  * was sent in the ECNE chunk.  This element represents the lowest
2989  * TSN number in the datagram that was originally marked with the
2990  * CE bit.
2991  *
2992  * Verification Tag: 8.5 Verification Tag [Normal verification]
2993  * Inputs
2994  * (endpoint, asoc, chunk)
2995  *
2996  * Outputs
2997  * (asoc, reply_msg, msg_up, timers, counters)
2998  *
2999  * The return value is the disposition of the chunk.
3000  */
3001 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net,
3002 					 const struct sctp_endpoint *ep,
3003 					 const struct sctp_association *asoc,
3004 					 const union sctp_subtype type,
3005 					 void *arg,
3006 					 struct sctp_cmd_seq *commands)
3007 {
3008 	struct sctp_chunk *chunk = arg;
3009 	struct sctp_cwrhdr *cwr;
3010 	u32 lowest_tsn;
3011 
3012 	if (!sctp_vtag_verify(chunk, asoc))
3013 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3014 
3015 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3016 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3017 						  commands);
3018 
3019 	cwr = (struct sctp_cwrhdr *)chunk->skb->data;
3020 	skb_pull(chunk->skb, sizeof(*cwr));
3021 
3022 	lowest_tsn = ntohl(cwr->lowest_tsn);
3023 
3024 	/* Does this CWR ack the last sent congestion notification? */
3025 	if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
3026 		/* Stop sending ECNE. */
3027 		sctp_add_cmd_sf(commands,
3028 				SCTP_CMD_ECN_CWR,
3029 				SCTP_U32(lowest_tsn));
3030 	}
3031 	return SCTP_DISPOSITION_CONSUME;
3032 }
3033 
3034 /*
3035  * sctp_sf_do_ecne
3036  *
3037  * Section:  Appendix A: Explicit Congestion Notification
3038  *
3039  * ECN-Echo
3040  *
3041  * RFC 2481 details a specific bit for a receiver to send back in its
3042  * TCP acknowledgements to notify the sender of the Congestion
3043  * Experienced (CE) bit having arrived from the network.  For SCTP this
3044  * same indication is made by including the ECNE chunk.  This chunk
3045  * contains one data element, i.e. the lowest TSN associated with the IP
3046  * datagram marked with the CE bit.....
3047  *
3048  * Verification Tag: 8.5 Verification Tag [Normal verification]
3049  * Inputs
3050  * (endpoint, asoc, chunk)
3051  *
3052  * Outputs
3053  * (asoc, reply_msg, msg_up, timers, counters)
3054  *
3055  * The return value is the disposition of the chunk.
3056  */
3057 enum sctp_disposition sctp_sf_do_ecne(struct net *net,
3058 				      const struct sctp_endpoint *ep,
3059 				      const struct sctp_association *asoc,
3060 				      const union sctp_subtype type,
3061 				      void *arg, struct sctp_cmd_seq *commands)
3062 {
3063 	struct sctp_chunk *chunk = arg;
3064 	struct sctp_ecnehdr *ecne;
3065 
3066 	if (!sctp_vtag_verify(chunk, asoc))
3067 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3068 
3069 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3070 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3071 						  commands);
3072 
3073 	ecne = (struct sctp_ecnehdr *)chunk->skb->data;
3074 	skb_pull(chunk->skb, sizeof(*ecne));
3075 
3076 	/* If this is a newer ECNE than the last CWR packet we sent out */
3077 	sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
3078 			SCTP_U32(ntohl(ecne->lowest_tsn)));
3079 
3080 	return SCTP_DISPOSITION_CONSUME;
3081 }
3082 
3083 /*
3084  * Section: 6.2  Acknowledgement on Reception of DATA Chunks
3085  *
3086  * The SCTP endpoint MUST always acknowledge the reception of each valid
3087  * DATA chunk.
3088  *
3089  * The guidelines on delayed acknowledgement algorithm specified in
3090  * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
3091  * acknowledgement SHOULD be generated for at least every second packet
3092  * (not every second DATA chunk) received, and SHOULD be generated within
3093  * 200 ms of the arrival of any unacknowledged DATA chunk. In some
3094  * situations it may be beneficial for an SCTP transmitter to be more
3095  * conservative than the algorithms detailed in this document allow.
3096  * However, an SCTP transmitter MUST NOT be more aggressive than the
3097  * following algorithms allow.
3098  *
3099  * A SCTP receiver MUST NOT generate more than one SACK for every
3100  * incoming packet, other than to update the offered window as the
3101  * receiving application consumes new data.
3102  *
3103  * Verification Tag:  8.5 Verification Tag [Normal verification]
3104  *
3105  * Inputs
3106  * (endpoint, asoc, chunk)
3107  *
3108  * Outputs
3109  * (asoc, reply_msg, msg_up, timers, counters)
3110  *
3111  * The return value is the disposition of the chunk.
3112  */
3113 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net,
3114 					   const struct sctp_endpoint *ep,
3115 					   const struct sctp_association *asoc,
3116 					   const union sctp_subtype type,
3117 					   void *arg,
3118 					   struct sctp_cmd_seq *commands)
3119 {
3120 	union sctp_arg force = SCTP_NOFORCE();
3121 	struct sctp_chunk *chunk = arg;
3122 	int error;
3123 
3124 	if (!sctp_vtag_verify(chunk, asoc)) {
3125 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3126 				SCTP_NULL());
3127 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3128 	}
3129 
3130 	if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3131 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3132 						  commands);
3133 
3134 	error = sctp_eat_data(asoc, chunk, commands);
3135 	switch (error) {
3136 	case SCTP_IERROR_NO_ERROR:
3137 		break;
3138 	case SCTP_IERROR_HIGH_TSN:
3139 	case SCTP_IERROR_BAD_STREAM:
3140 		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3141 		goto discard_noforce;
3142 	case SCTP_IERROR_DUP_TSN:
3143 	case SCTP_IERROR_IGNORE_TSN:
3144 		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3145 		goto discard_force;
3146 	case SCTP_IERROR_NO_DATA:
3147 		return SCTP_DISPOSITION_ABORT;
3148 	case SCTP_IERROR_PROTO_VIOLATION:
3149 		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3150 					       (u8 *)chunk->subh.data_hdr,
3151 					       sctp_datahdr_len(&asoc->stream));
3152 	default:
3153 		BUG();
3154 	}
3155 
3156 	if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
3157 		force = SCTP_FORCE();
3158 
3159 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3160 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3161 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3162 	}
3163 
3164 	/* If this is the last chunk in a packet, we need to count it
3165 	 * toward sack generation.  Note that we need to SACK every
3166 	 * OTHER packet containing data chunks, EVEN IF WE DISCARD
3167 	 * THEM.  We elect to NOT generate SACK's if the chunk fails
3168 	 * the verification tag test.
3169 	 *
3170 	 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3171 	 *
3172 	 * The SCTP endpoint MUST always acknowledge the reception of
3173 	 * each valid DATA chunk.
3174 	 *
3175 	 * The guidelines on delayed acknowledgement algorithm
3176 	 * specified in  Section 4.2 of [RFC2581] SHOULD be followed.
3177 	 * Specifically, an acknowledgement SHOULD be generated for at
3178 	 * least every second packet (not every second DATA chunk)
3179 	 * received, and SHOULD be generated within 200 ms of the
3180 	 * arrival of any unacknowledged DATA chunk.  In some
3181 	 * situations it may be beneficial for an SCTP transmitter to
3182 	 * be more conservative than the algorithms detailed in this
3183 	 * document allow. However, an SCTP transmitter MUST NOT be
3184 	 * more aggressive than the following algorithms allow.
3185 	 */
3186 	if (chunk->end_of_packet)
3187 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3188 
3189 	return SCTP_DISPOSITION_CONSUME;
3190 
3191 discard_force:
3192 	/* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3193 	 *
3194 	 * When a packet arrives with duplicate DATA chunk(s) and with
3195 	 * no new DATA chunk(s), the endpoint MUST immediately send a
3196 	 * SACK with no delay.  If a packet arrives with duplicate
3197 	 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3198 	 * MAY immediately send a SACK.  Normally receipt of duplicate
3199 	 * DATA chunks will occur when the original SACK chunk was lost
3200 	 * and the peer's RTO has expired.  The duplicate TSN number(s)
3201 	 * SHOULD be reported in the SACK as duplicate.
3202 	 */
3203 	/* In our case, we split the MAY SACK advice up whether or not
3204 	 * the last chunk is a duplicate.'
3205 	 */
3206 	if (chunk->end_of_packet)
3207 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3208 	return SCTP_DISPOSITION_DISCARD;
3209 
3210 discard_noforce:
3211 	if (chunk->end_of_packet)
3212 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3213 
3214 	return SCTP_DISPOSITION_DISCARD;
3215 }
3216 
3217 /*
3218  * sctp_sf_eat_data_fast_4_4
3219  *
3220  * Section: 4 (4)
3221  * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3222  *    DATA chunks without delay.
3223  *
3224  * Verification Tag:  8.5 Verification Tag [Normal verification]
3225  * Inputs
3226  * (endpoint, asoc, chunk)
3227  *
3228  * Outputs
3229  * (asoc, reply_msg, msg_up, timers, counters)
3230  *
3231  * The return value is the disposition of the chunk.
3232  */
3233 enum sctp_disposition sctp_sf_eat_data_fast_4_4(
3234 					struct net *net,
3235 					const struct sctp_endpoint *ep,
3236 					const struct sctp_association *asoc,
3237 					const union sctp_subtype type,
3238 					void *arg,
3239 					struct sctp_cmd_seq *commands)
3240 {
3241 	struct sctp_chunk *chunk = arg;
3242 	int error;
3243 
3244 	if (!sctp_vtag_verify(chunk, asoc)) {
3245 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3246 				SCTP_NULL());
3247 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3248 	}
3249 
3250 	if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3251 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3252 						  commands);
3253 
3254 	error = sctp_eat_data(asoc, chunk, commands);
3255 	switch (error) {
3256 	case SCTP_IERROR_NO_ERROR:
3257 	case SCTP_IERROR_HIGH_TSN:
3258 	case SCTP_IERROR_DUP_TSN:
3259 	case SCTP_IERROR_IGNORE_TSN:
3260 	case SCTP_IERROR_BAD_STREAM:
3261 		break;
3262 	case SCTP_IERROR_NO_DATA:
3263 		return SCTP_DISPOSITION_ABORT;
3264 	case SCTP_IERROR_PROTO_VIOLATION:
3265 		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3266 					       (u8 *)chunk->subh.data_hdr,
3267 					       sctp_datahdr_len(&asoc->stream));
3268 	default:
3269 		BUG();
3270 	}
3271 
3272 	/* Go a head and force a SACK, since we are shutting down. */
3273 
3274 	/* Implementor's Guide.
3275 	 *
3276 	 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3277 	 * respond to each received packet containing one or more DATA chunk(s)
3278 	 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3279 	 */
3280 	if (chunk->end_of_packet) {
3281 		/* We must delay the chunk creation since the cumulative
3282 		 * TSN has not been updated yet.
3283 		 */
3284 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3285 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3286 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3287 				SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3288 	}
3289 
3290 	return SCTP_DISPOSITION_CONSUME;
3291 }
3292 
3293 /*
3294  * Section: 6.2  Processing a Received SACK
3295  * D) Any time a SACK arrives, the endpoint performs the following:
3296  *
3297  *     i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3298  *     then drop the SACK.   Since Cumulative TSN Ack is monotonically
3299  *     increasing, a SACK whose Cumulative TSN Ack is less than the
3300  *     Cumulative TSN Ack Point indicates an out-of-order SACK.
3301  *
3302  *     ii) Set rwnd equal to the newly received a_rwnd minus the number
3303  *     of bytes still outstanding after processing the Cumulative TSN Ack
3304  *     and the Gap Ack Blocks.
3305  *
3306  *     iii) If the SACK is missing a TSN that was previously
3307  *     acknowledged via a Gap Ack Block (e.g., the data receiver
3308  *     reneged on the data), then mark the corresponding DATA chunk
3309  *     as available for retransmit:  Mark it as missing for fast
3310  *     retransmit as described in Section 7.2.4 and if no retransmit
3311  *     timer is running for the destination address to which the DATA
3312  *     chunk was originally transmitted, then T3-rtx is started for
3313  *     that destination address.
3314  *
3315  * Verification Tag:  8.5 Verification Tag [Normal verification]
3316  *
3317  * Inputs
3318  * (endpoint, asoc, chunk)
3319  *
3320  * Outputs
3321  * (asoc, reply_msg, msg_up, timers, counters)
3322  *
3323  * The return value is the disposition of the chunk.
3324  */
3325 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net,
3326 					   const struct sctp_endpoint *ep,
3327 					   const struct sctp_association *asoc,
3328 					   const union sctp_subtype type,
3329 					   void *arg,
3330 					   struct sctp_cmd_seq *commands)
3331 {
3332 	struct sctp_chunk *chunk = arg;
3333 	struct sctp_sackhdr *sackh;
3334 	__u32 ctsn;
3335 
3336 	if (!sctp_vtag_verify(chunk, asoc))
3337 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3338 
3339 	/* Make sure that the SACK chunk has a valid length. */
3340 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
3341 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3342 						  commands);
3343 
3344 	/* Pull the SACK chunk from the data buffer */
3345 	sackh = sctp_sm_pull_sack(chunk);
3346 	/* Was this a bogus SACK? */
3347 	if (!sackh)
3348 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3349 	chunk->subh.sack_hdr = sackh;
3350 	ctsn = ntohl(sackh->cum_tsn_ack);
3351 
3352 	/* If Cumulative TSN Ack beyond the max tsn currently
3353 	 * send, terminating the association and respond to the
3354 	 * sender with an ABORT.
3355 	 */
3356 	if (TSN_lte(asoc->next_tsn, ctsn))
3357 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3358 
3359 	trace_sctp_probe(ep, asoc, chunk);
3360 
3361 	/* i) If Cumulative TSN Ack is less than the Cumulative TSN
3362 	 *     Ack Point, then drop the SACK.  Since Cumulative TSN
3363 	 *     Ack is monotonically increasing, a SACK whose
3364 	 *     Cumulative TSN Ack is less than the Cumulative TSN Ack
3365 	 *     Point indicates an out-of-order SACK.
3366 	 */
3367 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3368 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3369 			 asoc->ctsn_ack_point);
3370 
3371 		return SCTP_DISPOSITION_DISCARD;
3372 	}
3373 
3374 	/* Return this SACK for further processing.  */
3375 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3376 
3377 	/* Note: We do the rest of the work on the PROCESS_SACK
3378 	 * sideeffect.
3379 	 */
3380 	return SCTP_DISPOSITION_CONSUME;
3381 }
3382 
3383 /*
3384  * Generate an ABORT in response to a packet.
3385  *
3386  * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3387  *
3388  * 8) The receiver should respond to the sender of the OOTB packet with
3389  *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3390  *    MUST fill in the Verification Tag field of the outbound packet
3391  *    with the value found in the Verification Tag field of the OOTB
3392  *    packet and set the T-bit in the Chunk Flags to indicate that the
3393  *    Verification Tag is reflected.  After sending this ABORT, the
3394  *    receiver of the OOTB packet shall discard the OOTB packet and take
3395  *    no further action.
3396  *
3397  * Verification Tag:
3398  *
3399  * The return value is the disposition of the chunk.
3400 */
3401 static enum sctp_disposition sctp_sf_tabort_8_4_8(
3402 					struct net *net,
3403 					const struct sctp_endpoint *ep,
3404 					const struct sctp_association *asoc,
3405 					const union sctp_subtype type,
3406 					void *arg,
3407 					struct sctp_cmd_seq *commands)
3408 {
3409 	struct sctp_packet *packet = NULL;
3410 	struct sctp_chunk *chunk = arg;
3411 	struct sctp_chunk *abort;
3412 
3413 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3414 	if (!packet)
3415 		return SCTP_DISPOSITION_NOMEM;
3416 
3417 	/* Make an ABORT. The T bit will be set if the asoc
3418 	 * is NULL.
3419 	 */
3420 	abort = sctp_make_abort(asoc, chunk, 0);
3421 	if (!abort) {
3422 		sctp_ootb_pkt_free(packet);
3423 		return SCTP_DISPOSITION_NOMEM;
3424 	}
3425 
3426 	/* Reflect vtag if T-Bit is set */
3427 	if (sctp_test_T_bit(abort))
3428 		packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3429 
3430 	/* Set the skb to the belonging sock for accounting.  */
3431 	abort->skb->sk = ep->base.sk;
3432 
3433 	sctp_packet_append_chunk(packet, abort);
3434 
3435 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet));
3436 
3437 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3438 
3439 	sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3440 	return SCTP_DISPOSITION_CONSUME;
3441 }
3442 
3443 /* Handling of SCTP Packets Containing an INIT Chunk Matching an
3444  * Existing Associations when the UDP encap port is incorrect.
3445  *
3446  * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03.
3447  */
3448 static enum sctp_disposition sctp_sf_new_encap_port(
3449 					struct net *net,
3450 					const struct sctp_endpoint *ep,
3451 					const struct sctp_association *asoc,
3452 					const union sctp_subtype type,
3453 					void *arg,
3454 					struct sctp_cmd_seq *commands)
3455 {
3456 	struct sctp_packet *packet = NULL;
3457 	struct sctp_chunk *chunk = arg;
3458 	struct sctp_chunk *abort;
3459 
3460 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3461 	if (!packet)
3462 		return SCTP_DISPOSITION_NOMEM;
3463 
3464 	abort = sctp_make_new_encap_port(asoc, chunk);
3465 	if (!abort) {
3466 		sctp_ootb_pkt_free(packet);
3467 		return SCTP_DISPOSITION_NOMEM;
3468 	}
3469 
3470 	abort->skb->sk = ep->base.sk;
3471 
3472 	sctp_packet_append_chunk(packet, abort);
3473 
3474 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3475 			SCTP_PACKET(packet));
3476 
3477 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3478 
3479 	sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3480 	return SCTP_DISPOSITION_CONSUME;
3481 }
3482 
3483 /*
3484  * Received an ERROR chunk from peer.  Generate SCTP_REMOTE_ERROR
3485  * event as ULP notification for each cause included in the chunk.
3486  *
3487  * API 5.3.1.3 - SCTP_REMOTE_ERROR
3488  *
3489  * The return value is the disposition of the chunk.
3490 */
3491 enum sctp_disposition sctp_sf_operr_notify(struct net *net,
3492 					   const struct sctp_endpoint *ep,
3493 					   const struct sctp_association *asoc,
3494 					   const union sctp_subtype type,
3495 					   void *arg,
3496 					   struct sctp_cmd_seq *commands)
3497 {
3498 	struct sctp_chunk *chunk = arg;
3499 	struct sctp_errhdr *err;
3500 
3501 	if (!sctp_vtag_verify(chunk, asoc))
3502 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3503 
3504 	/* Make sure that the ERROR chunk has a valid length. */
3505 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
3506 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3507 						  commands);
3508 	sctp_walk_errors(err, chunk->chunk_hdr);
3509 	if ((void *)err != (void *)chunk->chunk_end)
3510 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3511 						  (void *)err, commands);
3512 
3513 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3514 			SCTP_CHUNK(chunk));
3515 
3516 	return SCTP_DISPOSITION_CONSUME;
3517 }
3518 
3519 /*
3520  * Process an inbound SHUTDOWN ACK.
3521  *
3522  * From Section 9.2:
3523  * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3524  * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3525  * peer, and remove all record of the association.
3526  *
3527  * The return value is the disposition.
3528  */
3529 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
3530 					   const struct sctp_endpoint *ep,
3531 					   const struct sctp_association *asoc,
3532 					   const union sctp_subtype type,
3533 					   void *arg,
3534 					   struct sctp_cmd_seq *commands)
3535 {
3536 	struct sctp_chunk *chunk = arg;
3537 	struct sctp_chunk *reply;
3538 	struct sctp_ulpevent *ev;
3539 
3540 	if (!sctp_vtag_verify(chunk, asoc))
3541 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3542 
3543 	/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3544 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3545 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3546 						  commands);
3547 	/* 10.2 H) SHUTDOWN COMPLETE notification
3548 	 *
3549 	 * When SCTP completes the shutdown procedures (section 9.2) this
3550 	 * notification is passed to the upper layer.
3551 	 */
3552 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3553 					     0, 0, 0, NULL, GFP_ATOMIC);
3554 	if (!ev)
3555 		goto nomem;
3556 
3557 	/* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3558 	reply = sctp_make_shutdown_complete(asoc, chunk);
3559 	if (!reply)
3560 		goto nomem_chunk;
3561 
3562 	/* Do all the commands now (after allocation), so that we
3563 	 * have consistent state if memory allocation failes
3564 	 */
3565 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3566 
3567 	/* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3568 	 * stop the T2-shutdown timer,
3569 	 */
3570 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3571 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3572 
3573 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3574 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3575 
3576 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3577 			SCTP_STATE(SCTP_STATE_CLOSED));
3578 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3579 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3580 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3581 
3582 	/* ...and remove all record of the association. */
3583 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3584 	return SCTP_DISPOSITION_DELETE_TCB;
3585 
3586 nomem_chunk:
3587 	sctp_ulpevent_free(ev);
3588 nomem:
3589 	return SCTP_DISPOSITION_NOMEM;
3590 }
3591 
3592 /*
3593  * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3594  *
3595  * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3596  *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3597  *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3598  *    packet must fill in the Verification Tag field of the outbound
3599  *    packet with the Verification Tag received in the SHUTDOWN ACK and
3600  *    set the T-bit in the Chunk Flags to indicate that the Verification
3601  *    Tag is reflected.
3602  *
3603  * 8) The receiver should respond to the sender of the OOTB packet with
3604  *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3605  *    MUST fill in the Verification Tag field of the outbound packet
3606  *    with the value found in the Verification Tag field of the OOTB
3607  *    packet and set the T-bit in the Chunk Flags to indicate that the
3608  *    Verification Tag is reflected.  After sending this ABORT, the
3609  *    receiver of the OOTB packet shall discard the OOTB packet and take
3610  *    no further action.
3611  */
3612 enum sctp_disposition sctp_sf_ootb(struct net *net,
3613 				   const struct sctp_endpoint *ep,
3614 				   const struct sctp_association *asoc,
3615 				   const union sctp_subtype type,
3616 				   void *arg, struct sctp_cmd_seq *commands)
3617 {
3618 	struct sctp_chunk *chunk = arg;
3619 	struct sk_buff *skb = chunk->skb;
3620 	struct sctp_chunkhdr *ch;
3621 	struct sctp_errhdr *err;
3622 	int ootb_cookie_ack = 0;
3623 	int ootb_shut_ack = 0;
3624 	__u8 *ch_end;
3625 
3626 	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3627 
3628 	ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
3629 	do {
3630 		/* Report violation if the chunk is less then minimal */
3631 		if (ntohs(ch->length) < sizeof(*ch))
3632 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3633 						  commands);
3634 
3635 		/* Report violation if chunk len overflows */
3636 		ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3637 		if (ch_end > skb_tail_pointer(skb))
3638 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3639 						  commands);
3640 
3641 		/* Now that we know we at least have a chunk header,
3642 		 * do things that are type appropriate.
3643 		 */
3644 		if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3645 			ootb_shut_ack = 1;
3646 
3647 		/* RFC 2960, Section 3.3.7
3648 		 *   Moreover, under any circumstances, an endpoint that
3649 		 *   receives an ABORT  MUST NOT respond to that ABORT by
3650 		 *   sending an ABORT of its own.
3651 		 */
3652 		if (SCTP_CID_ABORT == ch->type)
3653 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3654 
3655 		/* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3656 		 * or a COOKIE ACK the SCTP Packet should be silently
3657 		 * discarded.
3658 		 */
3659 
3660 		if (SCTP_CID_COOKIE_ACK == ch->type)
3661 			ootb_cookie_ack = 1;
3662 
3663 		if (SCTP_CID_ERROR == ch->type) {
3664 			sctp_walk_errors(err, ch) {
3665 				if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3666 					ootb_cookie_ack = 1;
3667 					break;
3668 				}
3669 			}
3670 		}
3671 
3672 		ch = (struct sctp_chunkhdr *)ch_end;
3673 	} while (ch_end < skb_tail_pointer(skb));
3674 
3675 	if (ootb_shut_ack)
3676 		return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3677 	else if (ootb_cookie_ack)
3678 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3679 	else
3680 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3681 }
3682 
3683 /*
3684  * Handle an "Out of the blue" SHUTDOWN ACK.
3685  *
3686  * Section: 8.4 5, sctpimpguide 2.41.
3687  *
3688  * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3689  *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3690  *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3691  *    packet must fill in the Verification Tag field of the outbound
3692  *    packet with the Verification Tag received in the SHUTDOWN ACK and
3693  *    set the T-bit in the Chunk Flags to indicate that the Verification
3694  *    Tag is reflected.
3695  *
3696  * Inputs
3697  * (endpoint, asoc, type, arg, commands)
3698  *
3699  * Outputs
3700  * (enum sctp_disposition)
3701  *
3702  * The return value is the disposition of the chunk.
3703  */
3704 static enum sctp_disposition sctp_sf_shut_8_4_5(
3705 					struct net *net,
3706 					const struct sctp_endpoint *ep,
3707 					const struct sctp_association *asoc,
3708 					const union sctp_subtype type,
3709 					void *arg,
3710 					struct sctp_cmd_seq *commands)
3711 {
3712 	struct sctp_packet *packet = NULL;
3713 	struct sctp_chunk *chunk = arg;
3714 	struct sctp_chunk *shut;
3715 
3716 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3717 	if (!packet)
3718 		return SCTP_DISPOSITION_NOMEM;
3719 
3720 	/* Make an SHUTDOWN_COMPLETE.
3721 	 * The T bit will be set if the asoc is NULL.
3722 	 */
3723 	shut = sctp_make_shutdown_complete(asoc, chunk);
3724 	if (!shut) {
3725 		sctp_ootb_pkt_free(packet);
3726 		return SCTP_DISPOSITION_NOMEM;
3727 	}
3728 
3729 	/* Reflect vtag if T-Bit is set */
3730 	if (sctp_test_T_bit(shut))
3731 		packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3732 
3733 	/* Set the skb to the belonging sock for accounting.  */
3734 	shut->skb->sk = ep->base.sk;
3735 
3736 	sctp_packet_append_chunk(packet, shut);
3737 
3738 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3739 			SCTP_PACKET(packet));
3740 
3741 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3742 
3743 	/* If the chunk length is invalid, we don't want to process
3744 	 * the reset of the packet.
3745 	 */
3746 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3747 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3748 
3749 	/* We need to discard the rest of the packet to prevent
3750 	 * potential bomming attacks from additional bundled chunks.
3751 	 * This is documented in SCTP Threats ID.
3752 	 */
3753 	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3754 }
3755 
3756 /*
3757  * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3758  *
3759  * Verification Tag:  8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3760  *   If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3761  *   procedures in section 8.4 SHOULD be followed, in other words it
3762  *   should be treated as an Out Of The Blue packet.
3763  *   [This means that we do NOT check the Verification Tag on these
3764  *   chunks. --piggy ]
3765  *
3766  */
3767 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
3768 					    const struct sctp_endpoint *ep,
3769 					    const struct sctp_association *asoc,
3770 					    const union sctp_subtype type,
3771 					    void *arg,
3772 					    struct sctp_cmd_seq *commands)
3773 {
3774 	struct sctp_chunk *chunk = arg;
3775 
3776 	/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3777 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3778 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3779 						  commands);
3780 
3781 	/* Although we do have an association in this case, it corresponds
3782 	 * to a restarted association. So the packet is treated as an OOTB
3783 	 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3784 	 * called with a NULL association.
3785 	 */
3786 	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3787 
3788 	return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3789 }
3790 
3791 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk.  */
3792 enum sctp_disposition sctp_sf_do_asconf(struct net *net,
3793 					const struct sctp_endpoint *ep,
3794 					const struct sctp_association *asoc,
3795 					const union sctp_subtype type,
3796 					void *arg,
3797 					struct sctp_cmd_seq *commands)
3798 {
3799 	struct sctp_paramhdr *err_param = NULL;
3800 	struct sctp_chunk *asconf_ack = NULL;
3801 	struct sctp_chunk *chunk = arg;
3802 	struct sctp_addiphdr *hdr;
3803 	__u32 serial;
3804 
3805 	if (!sctp_vtag_verify(chunk, asoc)) {
3806 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3807 				SCTP_NULL());
3808 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3809 	}
3810 
3811 	/* ADD-IP: Section 4.1.1
3812 	 * This chunk MUST be sent in an authenticated way by using
3813 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3814 	 * is received unauthenticated it MUST be silently discarded as
3815 	 * described in [I-D.ietf-tsvwg-sctp-auth].
3816 	 */
3817 	if (!asoc->peer.asconf_capable ||
3818 	    (!net->sctp.addip_noauth && !chunk->auth))
3819 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
3820 					     commands);
3821 
3822 	/* Make sure that the ASCONF ADDIP chunk has a valid length.  */
3823 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
3824 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3825 						  commands);
3826 
3827 	hdr = (struct sctp_addiphdr *)chunk->skb->data;
3828 	serial = ntohl(hdr->serial);
3829 
3830 	/* Verify the ASCONF chunk before processing it. */
3831 	if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3832 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3833 						  (void *)err_param, commands);
3834 
3835 	/* ADDIP 5.2 E1) Compare the value of the serial number to the value
3836 	 * the endpoint stored in a new association variable
3837 	 * 'Peer-Serial-Number'.
3838 	 */
3839 	if (serial == asoc->peer.addip_serial + 1) {
3840 		/* If this is the first instance of ASCONF in the packet,
3841 		 * we can clean our old ASCONF-ACKs.
3842 		 */
3843 		if (!chunk->has_asconf)
3844 			sctp_assoc_clean_asconf_ack_cache(asoc);
3845 
3846 		/* ADDIP 5.2 E4) When the Sequence Number matches the next one
3847 		 * expected, process the ASCONF as described below and after
3848 		 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3849 		 * the response packet and cache a copy of it (in the event it
3850 		 * later needs to be retransmitted).
3851 		 *
3852 		 * Essentially, do V1-V5.
3853 		 */
3854 		asconf_ack = sctp_process_asconf((struct sctp_association *)
3855 						 asoc, chunk);
3856 		if (!asconf_ack)
3857 			return SCTP_DISPOSITION_NOMEM;
3858 	} else if (serial < asoc->peer.addip_serial + 1) {
3859 		/* ADDIP 5.2 E2)
3860 		 * If the value found in the Sequence Number is less than the
3861 		 * ('Peer- Sequence-Number' + 1), simply skip to the next
3862 		 * ASCONF, and include in the outbound response packet
3863 		 * any previously cached ASCONF-ACK response that was
3864 		 * sent and saved that matches the Sequence Number of the
3865 		 * ASCONF.  Note: It is possible that no cached ASCONF-ACK
3866 		 * Chunk exists.  This will occur when an older ASCONF
3867 		 * arrives out of order.  In such a case, the receiver
3868 		 * should skip the ASCONF Chunk and not include ASCONF-ACK
3869 		 * Chunk for that chunk.
3870 		 */
3871 		asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3872 		if (!asconf_ack)
3873 			return SCTP_DISPOSITION_DISCARD;
3874 
3875 		/* Reset the transport so that we select the correct one
3876 		 * this time around.  This is to make sure that we don't
3877 		 * accidentally use a stale transport that's been removed.
3878 		 */
3879 		asconf_ack->transport = NULL;
3880 	} else {
3881 		/* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3882 		 * it must be either a stale packet or from an attacker.
3883 		 */
3884 		return SCTP_DISPOSITION_DISCARD;
3885 	}
3886 
3887 	/* ADDIP 5.2 E6)  The destination address of the SCTP packet
3888 	 * containing the ASCONF-ACK Chunks MUST be the source address of
3889 	 * the SCTP packet that held the ASCONF Chunks.
3890 	 *
3891 	 * To do this properly, we'll set the destination address of the chunk
3892 	 * and at the transmit time, will try look up the transport to use.
3893 	 * Since ASCONFs may be bundled, the correct transport may not be
3894 	 * created until we process the entire packet, thus this workaround.
3895 	 */
3896 	asconf_ack->dest = chunk->source;
3897 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3898 	if (asoc->new_transport) {
3899 		sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3900 		((struct sctp_association *)asoc)->new_transport = NULL;
3901 	}
3902 
3903 	return SCTP_DISPOSITION_CONSUME;
3904 }
3905 
3906 static enum sctp_disposition sctp_send_next_asconf(
3907 					struct net *net,
3908 					const struct sctp_endpoint *ep,
3909 					struct sctp_association *asoc,
3910 					const union sctp_subtype type,
3911 					struct sctp_cmd_seq *commands)
3912 {
3913 	struct sctp_chunk *asconf;
3914 	struct list_head *entry;
3915 
3916 	if (list_empty(&asoc->addip_chunk_list))
3917 		return SCTP_DISPOSITION_CONSUME;
3918 
3919 	entry = asoc->addip_chunk_list.next;
3920 	asconf = list_entry(entry, struct sctp_chunk, list);
3921 
3922 	list_del_init(entry);
3923 	sctp_chunk_hold(asconf);
3924 	asoc->addip_last_asconf = asconf;
3925 
3926 	return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands);
3927 }
3928 
3929 /*
3930  * ADDIP Section 4.3 General rules for address manipulation
3931  * When building TLV parameters for the ASCONF Chunk that will add or
3932  * delete IP addresses the D0 to D13 rules should be applied:
3933  */
3934 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
3935 					    const struct sctp_endpoint *ep,
3936 					    const struct sctp_association *asoc,
3937 					    const union sctp_subtype type,
3938 					    void *arg,
3939 					    struct sctp_cmd_seq *commands)
3940 {
3941 	struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3942 	struct sctp_paramhdr *err_param = NULL;
3943 	struct sctp_chunk *asconf_ack = arg;
3944 	struct sctp_addiphdr *addip_hdr;
3945 	__u32 sent_serial, rcvd_serial;
3946 	struct sctp_chunk *abort;
3947 
3948 	if (!sctp_vtag_verify(asconf_ack, asoc)) {
3949 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3950 				SCTP_NULL());
3951 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3952 	}
3953 
3954 	/* ADD-IP, Section 4.1.2:
3955 	 * This chunk MUST be sent in an authenticated way by using
3956 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3957 	 * is received unauthenticated it MUST be silently discarded as
3958 	 * described in [I-D.ietf-tsvwg-sctp-auth].
3959 	 */
3960 	if (!asoc->peer.asconf_capable ||
3961 	    (!net->sctp.addip_noauth && !asconf_ack->auth))
3962 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
3963 					     commands);
3964 
3965 	/* Make sure that the ADDIP chunk has a valid length.  */
3966 	if (!sctp_chunk_length_valid(asconf_ack,
3967 				     sizeof(struct sctp_addip_chunk)))
3968 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3969 						  commands);
3970 
3971 	addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
3972 	rcvd_serial = ntohl(addip_hdr->serial);
3973 
3974 	/* Verify the ASCONF-ACK chunk before processing it. */
3975 	if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
3976 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3977 			   (void *)err_param, commands);
3978 
3979 	if (last_asconf) {
3980 		addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr;
3981 		sent_serial = ntohl(addip_hdr->serial);
3982 	} else {
3983 		sent_serial = asoc->addip_serial - 1;
3984 	}
3985 
3986 	/* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3987 	 * equal to the next serial number to be used but no ASCONF chunk is
3988 	 * outstanding the endpoint MUST ABORT the association. Note that a
3989 	 * sequence number is greater than if it is no more than 2^^31-1
3990 	 * larger than the current sequence number (using serial arithmetic).
3991 	 */
3992 	if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3993 	    !(asoc->addip_last_asconf)) {
3994 		abort = sctp_make_abort(asoc, asconf_ack,
3995 					sizeof(struct sctp_errhdr));
3996 		if (abort) {
3997 			sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3998 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3999 					SCTP_CHUNK(abort));
4000 		}
4001 		/* We are going to ABORT, so we might as well stop
4002 		 * processing the rest of the chunks in the packet.
4003 		 */
4004 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4005 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4006 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4007 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4008 				SCTP_ERROR(ECONNABORTED));
4009 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4010 				SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4011 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4012 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4013 		return SCTP_DISPOSITION_ABORT;
4014 	}
4015 
4016 	if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
4017 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4018 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4019 
4020 		if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
4021 					     asconf_ack))
4022 			return sctp_send_next_asconf(net, ep,
4023 					(struct sctp_association *)asoc,
4024 							type, commands);
4025 
4026 		abort = sctp_make_abort(asoc, asconf_ack,
4027 					sizeof(struct sctp_errhdr));
4028 		if (abort) {
4029 			sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
4030 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4031 					SCTP_CHUNK(abort));
4032 		}
4033 		/* We are going to ABORT, so we might as well stop
4034 		 * processing the rest of the chunks in the packet.
4035 		 */
4036 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4037 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4038 				SCTP_ERROR(ECONNABORTED));
4039 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4040 				SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4041 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4042 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4043 		return SCTP_DISPOSITION_ABORT;
4044 	}
4045 
4046 	return SCTP_DISPOSITION_DISCARD;
4047 }
4048 
4049 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */
4050 enum sctp_disposition sctp_sf_do_reconf(struct net *net,
4051 					const struct sctp_endpoint *ep,
4052 					const struct sctp_association *asoc,
4053 					const union sctp_subtype type,
4054 					void *arg,
4055 					struct sctp_cmd_seq *commands)
4056 {
4057 	struct sctp_paramhdr *err_param = NULL;
4058 	struct sctp_chunk *chunk = arg;
4059 	struct sctp_reconf_chunk *hdr;
4060 	union sctp_params param;
4061 
4062 	if (!sctp_vtag_verify(chunk, asoc)) {
4063 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4064 				SCTP_NULL());
4065 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4066 	}
4067 
4068 	/* Make sure that the RECONF chunk has a valid length.  */
4069 	if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
4070 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4071 						  commands);
4072 
4073 	if (!sctp_verify_reconf(asoc, chunk, &err_param))
4074 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4075 						  (void *)err_param, commands);
4076 
4077 	hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
4078 	sctp_walk_params(param, hdr, params) {
4079 		struct sctp_chunk *reply = NULL;
4080 		struct sctp_ulpevent *ev = NULL;
4081 
4082 		if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST)
4083 			reply = sctp_process_strreset_outreq(
4084 				(struct sctp_association *)asoc, param, &ev);
4085 		else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
4086 			reply = sctp_process_strreset_inreq(
4087 				(struct sctp_association *)asoc, param, &ev);
4088 		else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
4089 			reply = sctp_process_strreset_tsnreq(
4090 				(struct sctp_association *)asoc, param, &ev);
4091 		else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS)
4092 			reply = sctp_process_strreset_addstrm_out(
4093 				(struct sctp_association *)asoc, param, &ev);
4094 		else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS)
4095 			reply = sctp_process_strreset_addstrm_in(
4096 				(struct sctp_association *)asoc, param, &ev);
4097 		else if (param.p->type == SCTP_PARAM_RESET_RESPONSE)
4098 			reply = sctp_process_strreset_resp(
4099 				(struct sctp_association *)asoc, param, &ev);
4100 
4101 		if (ev)
4102 			sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4103 					SCTP_ULPEVENT(ev));
4104 
4105 		if (reply)
4106 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4107 					SCTP_CHUNK(reply));
4108 	}
4109 
4110 	return SCTP_DISPOSITION_CONSUME;
4111 }
4112 
4113 /*
4114  * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
4115  *
4116  * When a FORWARD TSN chunk arrives, the data receiver MUST first update
4117  * its cumulative TSN point to the value carried in the FORWARD TSN
4118  * chunk, and then MUST further advance its cumulative TSN point locally
4119  * if possible.
4120  * After the above processing, the data receiver MUST stop reporting any
4121  * missing TSNs earlier than or equal to the new cumulative TSN point.
4122  *
4123  * Verification Tag:  8.5 Verification Tag [Normal verification]
4124  *
4125  * The return value is the disposition of the chunk.
4126  */
4127 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net,
4128 					  const struct sctp_endpoint *ep,
4129 					  const struct sctp_association *asoc,
4130 					  const union sctp_subtype type,
4131 					  void *arg,
4132 					  struct sctp_cmd_seq *commands)
4133 {
4134 	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4135 	struct sctp_chunk *chunk = arg;
4136 	__u16 len;
4137 	__u32 tsn;
4138 
4139 	if (!sctp_vtag_verify(chunk, asoc)) {
4140 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4141 				SCTP_NULL());
4142 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4143 	}
4144 
4145 	if (!asoc->peer.prsctp_capable)
4146 		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4147 
4148 	/* Make sure that the FORWARD_TSN chunk has valid length.  */
4149 	if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4150 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4151 						  commands);
4152 
4153 	fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4154 	chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4155 	len = ntohs(chunk->chunk_hdr->length);
4156 	len -= sizeof(struct sctp_chunkhdr);
4157 	skb_pull(chunk->skb, len);
4158 
4159 	tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4160 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4161 
4162 	/* The TSN is too high--silently discard the chunk and count on it
4163 	 * getting retransmitted later.
4164 	 */
4165 	if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4166 		goto discard_noforce;
4167 
4168 	if (!asoc->stream.si->validate_ftsn(chunk))
4169 		goto discard_noforce;
4170 
4171 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4172 	if (len > sctp_ftsnhdr_len(&asoc->stream))
4173 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4174 				SCTP_CHUNK(chunk));
4175 
4176 	/* Count this as receiving DATA. */
4177 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
4178 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4179 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4180 	}
4181 
4182 	/* FIXME: For now send a SACK, but DATA processing may
4183 	 * send another.
4184 	 */
4185 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
4186 
4187 	return SCTP_DISPOSITION_CONSUME;
4188 
4189 discard_noforce:
4190 	return SCTP_DISPOSITION_DISCARD;
4191 }
4192 
4193 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
4194 					struct net *net,
4195 					const struct sctp_endpoint *ep,
4196 					const struct sctp_association *asoc,
4197 					const union sctp_subtype type,
4198 					void *arg,
4199 					struct sctp_cmd_seq *commands)
4200 {
4201 	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4202 	struct sctp_chunk *chunk = arg;
4203 	__u16 len;
4204 	__u32 tsn;
4205 
4206 	if (!sctp_vtag_verify(chunk, asoc)) {
4207 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4208 				SCTP_NULL());
4209 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4210 	}
4211 
4212 	if (!asoc->peer.prsctp_capable)
4213 		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4214 
4215 	/* Make sure that the FORWARD_TSN chunk has a valid length.  */
4216 	if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4217 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4218 						  commands);
4219 
4220 	fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4221 	chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4222 	len = ntohs(chunk->chunk_hdr->length);
4223 	len -= sizeof(struct sctp_chunkhdr);
4224 	skb_pull(chunk->skb, len);
4225 
4226 	tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4227 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4228 
4229 	/* The TSN is too high--silently discard the chunk and count on it
4230 	 * getting retransmitted later.
4231 	 */
4232 	if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4233 		goto gen_shutdown;
4234 
4235 	if (!asoc->stream.si->validate_ftsn(chunk))
4236 		goto gen_shutdown;
4237 
4238 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4239 	if (len > sctp_ftsnhdr_len(&asoc->stream))
4240 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4241 				SCTP_CHUNK(chunk));
4242 
4243 	/* Go a head and force a SACK, since we are shutting down. */
4244 gen_shutdown:
4245 	/* Implementor's Guide.
4246 	 *
4247 	 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
4248 	 * respond to each received packet containing one or more DATA chunk(s)
4249 	 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
4250 	 */
4251 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
4252 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4253 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4254 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4255 
4256 	return SCTP_DISPOSITION_CONSUME;
4257 }
4258 
4259 /*
4260  * SCTP-AUTH Section 6.3 Receiving authenticated chukns
4261  *
4262  *    The receiver MUST use the HMAC algorithm indicated in the HMAC
4263  *    Identifier field.  If this algorithm was not specified by the
4264  *    receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
4265  *    during association setup, the AUTH chunk and all chunks after it MUST
4266  *    be discarded and an ERROR chunk SHOULD be sent with the error cause
4267  *    defined in Section 4.1.
4268  *
4269  *    If an endpoint with no shared key receives a Shared Key Identifier
4270  *    other than 0, it MUST silently discard all authenticated chunks.  If
4271  *    the endpoint has at least one endpoint pair shared key for the peer,
4272  *    it MUST use the key specified by the Shared Key Identifier if a
4273  *    key has been configured for that Shared Key Identifier.  If no
4274  *    endpoint pair shared key has been configured for that Shared Key
4275  *    Identifier, all authenticated chunks MUST be silently discarded.
4276  *
4277  * Verification Tag:  8.5 Verification Tag [Normal verification]
4278  *
4279  * The return value is the disposition of the chunk.
4280  */
4281 static enum sctp_ierror sctp_sf_authenticate(
4282 					const struct sctp_association *asoc,
4283 					struct sctp_chunk *chunk)
4284 {
4285 	struct sctp_shared_key *sh_key = NULL;
4286 	struct sctp_authhdr *auth_hdr;
4287 	__u8 *save_digest, *digest;
4288 	struct sctp_hmac *hmac;
4289 	unsigned int sig_len;
4290 	__u16 key_id;
4291 
4292 	/* Pull in the auth header, so we can do some more verification */
4293 	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4294 	chunk->subh.auth_hdr = auth_hdr;
4295 	skb_pull(chunk->skb, sizeof(*auth_hdr));
4296 
4297 	/* Make sure that we support the HMAC algorithm from the auth
4298 	 * chunk.
4299 	 */
4300 	if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4301 		return SCTP_IERROR_AUTH_BAD_HMAC;
4302 
4303 	/* Make sure that the provided shared key identifier has been
4304 	 * configured
4305 	 */
4306 	key_id = ntohs(auth_hdr->shkey_id);
4307 	if (key_id != asoc->active_key_id) {
4308 		sh_key = sctp_auth_get_shkey(asoc, key_id);
4309 		if (!sh_key)
4310 			return SCTP_IERROR_AUTH_BAD_KEYID;
4311 	}
4312 
4313 	/* Make sure that the length of the signature matches what
4314 	 * we expect.
4315 	 */
4316 	sig_len = ntohs(chunk->chunk_hdr->length) -
4317 		  sizeof(struct sctp_auth_chunk);
4318 	hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4319 	if (sig_len != hmac->hmac_len)
4320 		return SCTP_IERROR_PROTO_VIOLATION;
4321 
4322 	/* Now that we've done validation checks, we can compute and
4323 	 * verify the hmac.  The steps involved are:
4324 	 *  1. Save the digest from the chunk.
4325 	 *  2. Zero out the digest in the chunk.
4326 	 *  3. Compute the new digest
4327 	 *  4. Compare saved and new digests.
4328 	 */
4329 	digest = auth_hdr->hmac;
4330 	skb_pull(chunk->skb, sig_len);
4331 
4332 	save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4333 	if (!save_digest)
4334 		goto nomem;
4335 
4336 	memset(digest, 0, sig_len);
4337 
4338 	sctp_auth_calculate_hmac(asoc, chunk->skb,
4339 				 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4340 				 sh_key, GFP_ATOMIC);
4341 
4342 	/* Discard the packet if the digests do not match */
4343 	if (memcmp(save_digest, digest, sig_len)) {
4344 		kfree(save_digest);
4345 		return SCTP_IERROR_BAD_SIG;
4346 	}
4347 
4348 	kfree(save_digest);
4349 	chunk->auth = 1;
4350 
4351 	return SCTP_IERROR_NO_ERROR;
4352 nomem:
4353 	return SCTP_IERROR_NOMEM;
4354 }
4355 
4356 enum sctp_disposition sctp_sf_eat_auth(struct net *net,
4357 				       const struct sctp_endpoint *ep,
4358 				       const struct sctp_association *asoc,
4359 				       const union sctp_subtype type,
4360 				       void *arg, struct sctp_cmd_seq *commands)
4361 {
4362 	struct sctp_chunk *chunk = arg;
4363 	struct sctp_authhdr *auth_hdr;
4364 	struct sctp_chunk *err_chunk;
4365 	enum sctp_ierror error;
4366 
4367 	/* Make sure that the peer has AUTH capable */
4368 	if (!asoc->peer.auth_capable)
4369 		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4370 
4371 	if (!sctp_vtag_verify(chunk, asoc)) {
4372 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4373 				SCTP_NULL());
4374 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4375 	}
4376 
4377 	/* Make sure that the AUTH chunk has valid length.  */
4378 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4379 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4380 						  commands);
4381 
4382 	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4383 	error = sctp_sf_authenticate(asoc, chunk);
4384 	switch (error) {
4385 	case SCTP_IERROR_AUTH_BAD_HMAC:
4386 		/* Generate the ERROR chunk and discard the rest
4387 		 * of the packet
4388 		 */
4389 		err_chunk = sctp_make_op_error(asoc, chunk,
4390 					       SCTP_ERROR_UNSUP_HMAC,
4391 					       &auth_hdr->hmac_id,
4392 					       sizeof(__u16), 0);
4393 		if (err_chunk) {
4394 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4395 					SCTP_CHUNK(err_chunk));
4396 		}
4397 		fallthrough;
4398 	case SCTP_IERROR_AUTH_BAD_KEYID:
4399 	case SCTP_IERROR_BAD_SIG:
4400 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4401 
4402 	case SCTP_IERROR_PROTO_VIOLATION:
4403 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4404 						  commands);
4405 
4406 	case SCTP_IERROR_NOMEM:
4407 		return SCTP_DISPOSITION_NOMEM;
4408 
4409 	default:			/* Prevent gcc warnings */
4410 		break;
4411 	}
4412 
4413 	if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4414 		struct sctp_ulpevent *ev;
4415 
4416 		ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4417 				    SCTP_AUTH_NEW_KEY, GFP_ATOMIC);
4418 
4419 		if (!ev)
4420 			return -ENOMEM;
4421 
4422 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4423 				SCTP_ULPEVENT(ev));
4424 	}
4425 
4426 	return SCTP_DISPOSITION_CONSUME;
4427 }
4428 
4429 /*
4430  * Process an unknown chunk.
4431  *
4432  * Section: 3.2. Also, 2.1 in the implementor's guide.
4433  *
4434  * Chunk Types are encoded such that the highest-order two bits specify
4435  * the action that must be taken if the processing endpoint does not
4436  * recognize the Chunk Type.
4437  *
4438  * 00 - Stop processing this SCTP packet and discard it, do not process
4439  *      any further chunks within it.
4440  *
4441  * 01 - Stop processing this SCTP packet and discard it, do not process
4442  *      any further chunks within it, and report the unrecognized
4443  *      chunk in an 'Unrecognized Chunk Type'.
4444  *
4445  * 10 - Skip this chunk and continue processing.
4446  *
4447  * 11 - Skip this chunk and continue processing, but report in an ERROR
4448  *      Chunk using the 'Unrecognized Chunk Type' cause of error.
4449  *
4450  * The return value is the disposition of the chunk.
4451  */
4452 enum sctp_disposition sctp_sf_unk_chunk(struct net *net,
4453 					const struct sctp_endpoint *ep,
4454 					const struct sctp_association *asoc,
4455 					const union sctp_subtype type,
4456 					void *arg,
4457 					struct sctp_cmd_seq *commands)
4458 {
4459 	struct sctp_chunk *unk_chunk = arg;
4460 	struct sctp_chunk *err_chunk;
4461 	struct sctp_chunkhdr *hdr;
4462 
4463 	pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);
4464 
4465 	if (!sctp_vtag_verify(unk_chunk, asoc))
4466 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4467 
4468 	/* Make sure that the chunk has a valid length.
4469 	 * Since we don't know the chunk type, we use a general
4470 	 * chunkhdr structure to make a comparison.
4471 	 */
4472 	if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr)))
4473 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4474 						  commands);
4475 
4476 	switch (type.chunk & SCTP_CID_ACTION_MASK) {
4477 	case SCTP_CID_ACTION_DISCARD:
4478 		/* Discard the packet.  */
4479 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4480 	case SCTP_CID_ACTION_DISCARD_ERR:
4481 		/* Generate an ERROR chunk as response. */
4482 		hdr = unk_chunk->chunk_hdr;
4483 		err_chunk = sctp_make_op_error(asoc, unk_chunk,
4484 					       SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4485 					       SCTP_PAD4(ntohs(hdr->length)),
4486 					       0);
4487 		if (err_chunk) {
4488 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4489 					SCTP_CHUNK(err_chunk));
4490 		}
4491 
4492 		/* Discard the packet.  */
4493 		sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4494 		return SCTP_DISPOSITION_CONSUME;
4495 	case SCTP_CID_ACTION_SKIP:
4496 		/* Skip the chunk.  */
4497 		return SCTP_DISPOSITION_DISCARD;
4498 	case SCTP_CID_ACTION_SKIP_ERR:
4499 		/* Generate an ERROR chunk as response. */
4500 		hdr = unk_chunk->chunk_hdr;
4501 		err_chunk = sctp_make_op_error(asoc, unk_chunk,
4502 					       SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4503 					       SCTP_PAD4(ntohs(hdr->length)),
4504 					       0);
4505 		if (err_chunk) {
4506 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4507 					SCTP_CHUNK(err_chunk));
4508 		}
4509 		/* Skip the chunk.  */
4510 		return SCTP_DISPOSITION_CONSUME;
4511 	default:
4512 		break;
4513 	}
4514 
4515 	return SCTP_DISPOSITION_DISCARD;
4516 }
4517 
4518 /*
4519  * Discard the chunk.
4520  *
4521  * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4522  * [Too numerous to mention...]
4523  * Verification Tag: No verification needed.
4524  * Inputs
4525  * (endpoint, asoc, chunk)
4526  *
4527  * Outputs
4528  * (asoc, reply_msg, msg_up, timers, counters)
4529  *
4530  * The return value is the disposition of the chunk.
4531  */
4532 enum sctp_disposition sctp_sf_discard_chunk(struct net *net,
4533 					    const struct sctp_endpoint *ep,
4534 					    const struct sctp_association *asoc,
4535 					    const union sctp_subtype type,
4536 					    void *arg,
4537 					    struct sctp_cmd_seq *commands)
4538 {
4539 	struct sctp_chunk *chunk = arg;
4540 
4541 	/* Make sure that the chunk has a valid length.
4542 	 * Since we don't know the chunk type, we use a general
4543 	 * chunkhdr structure to make a comparison.
4544 	 */
4545 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4546 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4547 						  commands);
4548 
4549 	pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);
4550 
4551 	return SCTP_DISPOSITION_DISCARD;
4552 }
4553 
4554 /*
4555  * Discard the whole packet.
4556  *
4557  * Section: 8.4 2)
4558  *
4559  * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4560  *    silently discard the OOTB packet and take no further action.
4561  *
4562  * Verification Tag: No verification necessary
4563  *
4564  * Inputs
4565  * (endpoint, asoc, chunk)
4566  *
4567  * Outputs
4568  * (asoc, reply_msg, msg_up, timers, counters)
4569  *
4570  * The return value is the disposition of the chunk.
4571  */
4572 enum sctp_disposition sctp_sf_pdiscard(struct net *net,
4573 				       const struct sctp_endpoint *ep,
4574 				       const struct sctp_association *asoc,
4575 				       const union sctp_subtype type,
4576 				       void *arg, struct sctp_cmd_seq *commands)
4577 {
4578 	SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4579 	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4580 
4581 	return SCTP_DISPOSITION_CONSUME;
4582 }
4583 
4584 
4585 /*
4586  * The other end is violating protocol.
4587  *
4588  * Section: Not specified
4589  * Verification Tag: Not specified
4590  * Inputs
4591  * (endpoint, asoc, chunk)
4592  *
4593  * Outputs
4594  * (asoc, reply_msg, msg_up, timers, counters)
4595  *
4596  * We simply tag the chunk as a violation.  The state machine will log
4597  * the violation and continue.
4598  */
4599 enum sctp_disposition sctp_sf_violation(struct net *net,
4600 					const struct sctp_endpoint *ep,
4601 					const struct sctp_association *asoc,
4602 					const union sctp_subtype type,
4603 					void *arg,
4604 					struct sctp_cmd_seq *commands)
4605 {
4606 	struct sctp_chunk *chunk = arg;
4607 
4608 	/* Make sure that the chunk has a valid length. */
4609 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4610 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4611 						  commands);
4612 
4613 	return SCTP_DISPOSITION_VIOLATION;
4614 }
4615 
4616 /*
4617  * Common function to handle a protocol violation.
4618  */
4619 static enum sctp_disposition sctp_sf_abort_violation(
4620 					struct net *net,
4621 					const struct sctp_endpoint *ep,
4622 					const struct sctp_association *asoc,
4623 					void *arg,
4624 					struct sctp_cmd_seq *commands,
4625 					const __u8 *payload,
4626 					const size_t paylen)
4627 {
4628 	struct sctp_packet *packet = NULL;
4629 	struct sctp_chunk *chunk =  arg;
4630 	struct sctp_chunk *abort = NULL;
4631 
4632 	/* SCTP-AUTH, Section 6.3:
4633 	 *    It should be noted that if the receiver wants to tear
4634 	 *    down an association in an authenticated way only, the
4635 	 *    handling of malformed packets should not result in
4636 	 *    tearing down the association.
4637 	 *
4638 	 * This means that if we only want to abort associations
4639 	 * in an authenticated way (i.e AUTH+ABORT), then we
4640 	 * can't destroy this association just because the packet
4641 	 * was malformed.
4642 	 */
4643 	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4644 		goto discard;
4645 
4646 	/* Make the abort chunk. */
4647 	abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4648 	if (!abort)
4649 		goto nomem;
4650 
4651 	if (asoc) {
4652 		/* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4653 		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4654 		    !asoc->peer.i.init_tag) {
4655 			struct sctp_initack_chunk *initack;
4656 
4657 			initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
4658 			if (!sctp_chunk_length_valid(chunk, sizeof(*initack)))
4659 				abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4660 			else {
4661 				unsigned int inittag;
4662 
4663 				inittag = ntohl(initack->init_hdr.init_tag);
4664 				sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4665 						SCTP_U32(inittag));
4666 			}
4667 		}
4668 
4669 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4670 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4671 
4672 		if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4673 			sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4674 					SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4675 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4676 					SCTP_ERROR(ECONNREFUSED));
4677 			sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4678 					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4679 		} else {
4680 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4681 					SCTP_ERROR(ECONNABORTED));
4682 			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4683 					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4684 			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4685 		}
4686 	} else {
4687 		packet = sctp_ootb_pkt_new(net, asoc, chunk);
4688 
4689 		if (!packet)
4690 			goto nomem_pkt;
4691 
4692 		if (sctp_test_T_bit(abort))
4693 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4694 
4695 		abort->skb->sk = ep->base.sk;
4696 
4697 		sctp_packet_append_chunk(packet, abort);
4698 
4699 		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4700 			SCTP_PACKET(packet));
4701 
4702 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4703 	}
4704 
4705 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4706 
4707 discard:
4708 	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4709 	return SCTP_DISPOSITION_ABORT;
4710 
4711 nomem_pkt:
4712 	sctp_chunk_free(abort);
4713 nomem:
4714 	return SCTP_DISPOSITION_NOMEM;
4715 }
4716 
4717 /*
4718  * Handle a protocol violation when the chunk length is invalid.
4719  * "Invalid" length is identified as smaller than the minimal length a
4720  * given chunk can be.  For example, a SACK chunk has invalid length
4721  * if its length is set to be smaller than the size of struct sctp_sack_chunk.
4722  *
4723  * We inform the other end by sending an ABORT with a Protocol Violation
4724  * error code.
4725  *
4726  * Section: Not specified
4727  * Verification Tag:  Nothing to do
4728  * Inputs
4729  * (endpoint, asoc, chunk)
4730  *
4731  * Outputs
4732  * (reply_msg, msg_up, counters)
4733  *
4734  * Generate an  ABORT chunk and terminate the association.
4735  */
4736 static enum sctp_disposition sctp_sf_violation_chunklen(
4737 					struct net *net,
4738 					const struct sctp_endpoint *ep,
4739 					const struct sctp_association *asoc,
4740 					const union sctp_subtype type,
4741 					void *arg,
4742 					struct sctp_cmd_seq *commands)
4743 {
4744 	static const char err_str[] = "The following chunk had invalid length:";
4745 
4746 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4747 				       sizeof(err_str));
4748 }
4749 
4750 /*
4751  * Handle a protocol violation when the parameter length is invalid.
4752  * If the length is smaller than the minimum length of a given parameter,
4753  * or accumulated length in multi parameters exceeds the end of the chunk,
4754  * the length is considered as invalid.
4755  */
4756 static enum sctp_disposition sctp_sf_violation_paramlen(
4757 					struct net *net,
4758 					const struct sctp_endpoint *ep,
4759 					const struct sctp_association *asoc,
4760 					const union sctp_subtype type,
4761 					void *arg, void *ext,
4762 					struct sctp_cmd_seq *commands)
4763 {
4764 	struct sctp_paramhdr *param = ext;
4765 	struct sctp_chunk *abort = NULL;
4766 	struct sctp_chunk *chunk = arg;
4767 
4768 	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4769 		goto discard;
4770 
4771 	/* Make the abort chunk. */
4772 	abort = sctp_make_violation_paramlen(asoc, chunk, param);
4773 	if (!abort)
4774 		goto nomem;
4775 
4776 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4777 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4778 
4779 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4780 			SCTP_ERROR(ECONNABORTED));
4781 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4782 			SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4783 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4784 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4785 
4786 discard:
4787 	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4788 	return SCTP_DISPOSITION_ABORT;
4789 nomem:
4790 	return SCTP_DISPOSITION_NOMEM;
4791 }
4792 
4793 /* Handle a protocol violation when the peer trying to advance the
4794  * cumulative tsn ack to a point beyond the max tsn currently sent.
4795  *
4796  * We inform the other end by sending an ABORT with a Protocol Violation
4797  * error code.
4798  */
4799 static enum sctp_disposition sctp_sf_violation_ctsn(
4800 					struct net *net,
4801 					const struct sctp_endpoint *ep,
4802 					const struct sctp_association *asoc,
4803 					const union sctp_subtype type,
4804 					void *arg,
4805 					struct sctp_cmd_seq *commands)
4806 {
4807 	static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";
4808 
4809 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4810 				       sizeof(err_str));
4811 }
4812 
4813 /* Handle protocol violation of an invalid chunk bundling.  For example,
4814  * when we have an association and we receive bundled INIT-ACK, or
4815  * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4816  * statement from the specs.  Additionally, there might be an attacker
4817  * on the path and we may not want to continue this communication.
4818  */
4819 static enum sctp_disposition sctp_sf_violation_chunk(
4820 					struct net *net,
4821 					const struct sctp_endpoint *ep,
4822 					const struct sctp_association *asoc,
4823 					const union sctp_subtype type,
4824 					void *arg,
4825 					struct sctp_cmd_seq *commands)
4826 {
4827 	static const char err_str[] = "The following chunk violates protocol:";
4828 
4829 	if (!asoc)
4830 		return sctp_sf_violation(net, ep, asoc, type, arg, commands);
4831 
4832 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4833 				       sizeof(err_str));
4834 }
4835 /***************************************************************************
4836  * These are the state functions for handling primitive (Section 10) events.
4837  ***************************************************************************/
4838 /*
4839  * sctp_sf_do_prm_asoc
4840  *
4841  * Section: 10.1 ULP-to-SCTP
4842  * B) Associate
4843  *
4844  * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4845  * outbound stream count)
4846  * -> association id [,destination transport addr list] [,outbound stream
4847  * count]
4848  *
4849  * This primitive allows the upper layer to initiate an association to a
4850  * specific peer endpoint.
4851  *
4852  * The peer endpoint shall be specified by one of the transport addresses
4853  * which defines the endpoint (see Section 1.4).  If the local SCTP
4854  * instance has not been initialized, the ASSOCIATE is considered an
4855  * error.
4856  * [This is not relevant for the kernel implementation since we do all
4857  * initialization at boot time.  It we hadn't initialized we wouldn't
4858  * get anywhere near this code.]
4859  *
4860  * An association id, which is a local handle to the SCTP association,
4861  * will be returned on successful establishment of the association. If
4862  * SCTP is not able to open an SCTP association with the peer endpoint,
4863  * an error is returned.
4864  * [In the kernel implementation, the struct sctp_association needs to
4865  * be created BEFORE causing this primitive to run.]
4866  *
4867  * Other association parameters may be returned, including the
4868  * complete destination transport addresses of the peer as well as the
4869  * outbound stream count of the local endpoint. One of the transport
4870  * address from the returned destination addresses will be selected by
4871  * the local endpoint as default primary path for sending SCTP packets
4872  * to this peer.  The returned "destination transport addr list" can
4873  * be used by the ULP to change the default primary path or to force
4874  * sending a packet to a specific transport address.  [All of this
4875  * stuff happens when the INIT ACK arrives.  This is a NON-BLOCKING
4876  * function.]
4877  *
4878  * Mandatory attributes:
4879  *
4880  * o local SCTP instance name - obtained from the INITIALIZE operation.
4881  *   [This is the argument asoc.]
4882  * o destination transport addr - specified as one of the transport
4883  * addresses of the peer endpoint with which the association is to be
4884  * established.
4885  *  [This is asoc->peer.active_path.]
4886  * o outbound stream count - the number of outbound streams the ULP
4887  * would like to open towards this peer endpoint.
4888  * [BUG: This is not currently implemented.]
4889  * Optional attributes:
4890  *
4891  * None.
4892  *
4893  * The return value is a disposition.
4894  */
4895 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net,
4896 					  const struct sctp_endpoint *ep,
4897 					  const struct sctp_association *asoc,
4898 					  const union sctp_subtype type,
4899 					  void *arg,
4900 					  struct sctp_cmd_seq *commands)
4901 {
4902 	struct sctp_association *my_asoc;
4903 	struct sctp_chunk *repl;
4904 
4905 	/* The comment below says that we enter COOKIE-WAIT AFTER
4906 	 * sending the INIT, but that doesn't actually work in our
4907 	 * implementation...
4908 	 */
4909 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4910 			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4911 
4912 	/* RFC 2960 5.1 Normal Establishment of an Association
4913 	 *
4914 	 * A) "A" first sends an INIT chunk to "Z".  In the INIT, "A"
4915 	 * must provide its Verification Tag (Tag_A) in the Initiate
4916 	 * Tag field.  Tag_A SHOULD be a random number in the range of
4917 	 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4918 	 */
4919 
4920 	repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4921 	if (!repl)
4922 		goto nomem;
4923 
4924 	/* Choose transport for INIT. */
4925 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4926 			SCTP_CHUNK(repl));
4927 
4928 	/* Cast away the const modifier, as we want to just
4929 	 * rerun it through as a sideffect.
4930 	 */
4931 	my_asoc = (struct sctp_association *)asoc;
4932 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4933 
4934 	/* After sending the INIT, "A" starts the T1-init timer and
4935 	 * enters the COOKIE-WAIT state.
4936 	 */
4937 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4938 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4939 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4940 	return SCTP_DISPOSITION_CONSUME;
4941 
4942 nomem:
4943 	return SCTP_DISPOSITION_NOMEM;
4944 }
4945 
4946 /*
4947  * Process the SEND primitive.
4948  *
4949  * Section: 10.1 ULP-to-SCTP
4950  * E) Send
4951  *
4952  * Format: SEND(association id, buffer address, byte count [,context]
4953  *         [,stream id] [,life time] [,destination transport address]
4954  *         [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4955  * -> result
4956  *
4957  * This is the main method to send user data via SCTP.
4958  *
4959  * Mandatory attributes:
4960  *
4961  *  o association id - local handle to the SCTP association
4962  *
4963  *  o buffer address - the location where the user message to be
4964  *    transmitted is stored;
4965  *
4966  *  o byte count - The size of the user data in number of bytes;
4967  *
4968  * Optional attributes:
4969  *
4970  *  o context - an optional 32 bit integer that will be carried in the
4971  *    sending failure notification to the ULP if the transportation of
4972  *    this User Message fails.
4973  *
4974  *  o stream id - to indicate which stream to send the data on. If not
4975  *    specified, stream 0 will be used.
4976  *
4977  *  o life time - specifies the life time of the user data. The user data
4978  *    will not be sent by SCTP after the life time expires. This
4979  *    parameter can be used to avoid efforts to transmit stale
4980  *    user messages. SCTP notifies the ULP if the data cannot be
4981  *    initiated to transport (i.e. sent to the destination via SCTP's
4982  *    send primitive) within the life time variable. However, the
4983  *    user data will be transmitted if SCTP has attempted to transmit a
4984  *    chunk before the life time expired.
4985  *
4986  *  o destination transport address - specified as one of the destination
4987  *    transport addresses of the peer endpoint to which this packet
4988  *    should be sent. Whenever possible, SCTP should use this destination
4989  *    transport address for sending the packets, instead of the current
4990  *    primary path.
4991  *
4992  *  o unorder flag - this flag, if present, indicates that the user
4993  *    would like the data delivered in an unordered fashion to the peer
4994  *    (i.e., the U flag is set to 1 on all DATA chunks carrying this
4995  *    message).
4996  *
4997  *  o no-bundle flag - instructs SCTP not to bundle this user data with
4998  *    other outbound DATA chunks. SCTP MAY still bundle even when
4999  *    this flag is present, when faced with network congestion.
5000  *
5001  *  o payload protocol-id - A 32 bit unsigned integer that is to be
5002  *    passed to the peer indicating the type of payload protocol data
5003  *    being transmitted. This value is passed as opaque data by SCTP.
5004  *
5005  * The return value is the disposition.
5006  */
5007 enum sctp_disposition sctp_sf_do_prm_send(struct net *net,
5008 					  const struct sctp_endpoint *ep,
5009 					  const struct sctp_association *asoc,
5010 					  const union sctp_subtype type,
5011 					  void *arg,
5012 					  struct sctp_cmd_seq *commands)
5013 {
5014 	struct sctp_datamsg *msg = arg;
5015 
5016 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
5017 	return SCTP_DISPOSITION_CONSUME;
5018 }
5019 
5020 /*
5021  * Process the SHUTDOWN primitive.
5022  *
5023  * Section: 10.1:
5024  * C) Shutdown
5025  *
5026  * Format: SHUTDOWN(association id)
5027  * -> result
5028  *
5029  * Gracefully closes an association. Any locally queued user data
5030  * will be delivered to the peer. The association will be terminated only
5031  * after the peer acknowledges all the SCTP packets sent.  A success code
5032  * will be returned on successful termination of the association. If
5033  * attempting to terminate the association results in a failure, an error
5034  * code shall be returned.
5035  *
5036  * Mandatory attributes:
5037  *
5038  *  o association id - local handle to the SCTP association
5039  *
5040  * Optional attributes:
5041  *
5042  * None.
5043  *
5044  * The return value is the disposition.
5045  */
5046 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown(
5047 					struct net *net,
5048 					const struct sctp_endpoint *ep,
5049 					const struct sctp_association *asoc,
5050 					const union sctp_subtype type,
5051 					void *arg,
5052 					struct sctp_cmd_seq *commands)
5053 {
5054 	enum sctp_disposition disposition;
5055 
5056 	/* From 9.2 Shutdown of an Association
5057 	 * Upon receipt of the SHUTDOWN primitive from its upper
5058 	 * layer, the endpoint enters SHUTDOWN-PENDING state and
5059 	 * remains there until all outstanding data has been
5060 	 * acknowledged by its peer. The endpoint accepts no new data
5061 	 * from its upper layer, but retransmits data to the far end
5062 	 * if necessary to fill gaps.
5063 	 */
5064 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5065 			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5066 
5067 	disposition = SCTP_DISPOSITION_CONSUME;
5068 	if (sctp_outq_is_empty(&asoc->outqueue)) {
5069 		disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5070 							    arg, commands);
5071 	}
5072 
5073 	return disposition;
5074 }
5075 
5076 /*
5077  * Process the ABORT primitive.
5078  *
5079  * Section: 10.1:
5080  * C) Abort
5081  *
5082  * Format: Abort(association id [, cause code])
5083  * -> result
5084  *
5085  * Ungracefully closes an association. Any locally queued user data
5086  * will be discarded and an ABORT chunk is sent to the peer.  A success code
5087  * will be returned on successful abortion of the association. If
5088  * attempting to abort the association results in a failure, an error
5089  * code shall be returned.
5090  *
5091  * Mandatory attributes:
5092  *
5093  *  o association id - local handle to the SCTP association
5094  *
5095  * Optional attributes:
5096  *
5097  *  o cause code - reason of the abort to be passed to the peer
5098  *
5099  * None.
5100  *
5101  * The return value is the disposition.
5102  */
5103 enum sctp_disposition sctp_sf_do_9_1_prm_abort(
5104 					struct net *net,
5105 					const struct sctp_endpoint *ep,
5106 					const struct sctp_association *asoc,
5107 					const union sctp_subtype type,
5108 					void *arg,
5109 					struct sctp_cmd_seq *commands)
5110 {
5111 	/* From 9.1 Abort of an Association
5112 	 * Upon receipt of the ABORT primitive from its upper
5113 	 * layer, the endpoint enters CLOSED state and
5114 	 * discard all outstanding data has been
5115 	 * acknowledged by its peer. The endpoint accepts no new data
5116 	 * from its upper layer, but retransmits data to the far end
5117 	 * if necessary to fill gaps.
5118 	 */
5119 	struct sctp_chunk *abort = arg;
5120 
5121 	if (abort)
5122 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5123 
5124 	/* Even if we can't send the ABORT due to low memory delete the
5125 	 * TCB.  This is a departure from our typical NOMEM handling.
5126 	 */
5127 
5128 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5129 			SCTP_ERROR(ECONNABORTED));
5130 	/* Delete the established association. */
5131 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5132 			SCTP_PERR(SCTP_ERROR_USER_ABORT));
5133 
5134 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5135 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5136 
5137 	return SCTP_DISPOSITION_ABORT;
5138 }
5139 
5140 /* We tried an illegal operation on an association which is closed.  */
5141 enum sctp_disposition sctp_sf_error_closed(struct net *net,
5142 					   const struct sctp_endpoint *ep,
5143 					   const struct sctp_association *asoc,
5144 					   const union sctp_subtype type,
5145 					   void *arg,
5146 					   struct sctp_cmd_seq *commands)
5147 {
5148 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
5149 	return SCTP_DISPOSITION_CONSUME;
5150 }
5151 
5152 /* We tried an illegal operation on an association which is shutting
5153  * down.
5154  */
5155 enum sctp_disposition sctp_sf_error_shutdown(
5156 					struct net *net,
5157 					const struct sctp_endpoint *ep,
5158 					const struct sctp_association *asoc,
5159 					const union sctp_subtype type,
5160 					void *arg,
5161 					struct sctp_cmd_seq *commands)
5162 {
5163 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
5164 			SCTP_ERROR(-ESHUTDOWN));
5165 	return SCTP_DISPOSITION_CONSUME;
5166 }
5167 
5168 /*
5169  * sctp_cookie_wait_prm_shutdown
5170  *
5171  * Section: 4 Note: 2
5172  * Verification Tag:
5173  * Inputs
5174  * (endpoint, asoc)
5175  *
5176  * The RFC does not explicitly address this issue, but is the route through the
5177  * state table when someone issues a shutdown while in COOKIE_WAIT state.
5178  *
5179  * Outputs
5180  * (timers)
5181  */
5182 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown(
5183 					struct net *net,
5184 					const struct sctp_endpoint *ep,
5185 					const struct sctp_association *asoc,
5186 					const union sctp_subtype type,
5187 					void *arg,
5188 					struct sctp_cmd_seq *commands)
5189 {
5190 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5191 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5192 
5193 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5194 			SCTP_STATE(SCTP_STATE_CLOSED));
5195 
5196 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
5197 
5198 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
5199 
5200 	return SCTP_DISPOSITION_DELETE_TCB;
5201 }
5202 
5203 /*
5204  * sctp_cookie_echoed_prm_shutdown
5205  *
5206  * Section: 4 Note: 2
5207  * Verification Tag:
5208  * Inputs
5209  * (endpoint, asoc)
5210  *
5211  * The RFC does not explcitly address this issue, but is the route through the
5212  * state table when someone issues a shutdown while in COOKIE_ECHOED state.
5213  *
5214  * Outputs
5215  * (timers)
5216  */
5217 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown(
5218 					struct net *net,
5219 					const struct sctp_endpoint *ep,
5220 					const struct sctp_association *asoc,
5221 					const union sctp_subtype type,
5222 					void *arg,
5223 					struct sctp_cmd_seq *commands)
5224 {
5225 	/* There is a single T1 timer, so we should be able to use
5226 	 * common function with the COOKIE-WAIT state.
5227 	 */
5228 	return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
5229 }
5230 
5231 /*
5232  * sctp_sf_cookie_wait_prm_abort
5233  *
5234  * Section: 4 Note: 2
5235  * Verification Tag:
5236  * Inputs
5237  * (endpoint, asoc)
5238  *
5239  * The RFC does not explicitly address this issue, but is the route through the
5240  * state table when someone issues an abort while in COOKIE_WAIT state.
5241  *
5242  * Outputs
5243  * (timers)
5244  */
5245 enum sctp_disposition sctp_sf_cookie_wait_prm_abort(
5246 					struct net *net,
5247 					const struct sctp_endpoint *ep,
5248 					const struct sctp_association *asoc,
5249 					const union sctp_subtype type,
5250 					void *arg,
5251 					struct sctp_cmd_seq *commands)
5252 {
5253 	struct sctp_chunk *abort = arg;
5254 
5255 	/* Stop T1-init timer */
5256 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5257 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5258 
5259 	if (abort)
5260 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5261 
5262 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5263 			SCTP_STATE(SCTP_STATE_CLOSED));
5264 
5265 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5266 
5267 	/* Even if we can't send the ABORT due to low memory delete the
5268 	 * TCB.  This is a departure from our typical NOMEM handling.
5269 	 */
5270 
5271 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5272 			SCTP_ERROR(ECONNREFUSED));
5273 	/* Delete the established association. */
5274 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5275 			SCTP_PERR(SCTP_ERROR_USER_ABORT));
5276 
5277 	return SCTP_DISPOSITION_ABORT;
5278 }
5279 
5280 /*
5281  * sctp_sf_cookie_echoed_prm_abort
5282  *
5283  * Section: 4 Note: 3
5284  * Verification Tag:
5285  * Inputs
5286  * (endpoint, asoc)
5287  *
5288  * The RFC does not explcitly address this issue, but is the route through the
5289  * state table when someone issues an abort while in COOKIE_ECHOED state.
5290  *
5291  * Outputs
5292  * (timers)
5293  */
5294 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort(
5295 					struct net *net,
5296 					const struct sctp_endpoint *ep,
5297 					const struct sctp_association *asoc,
5298 					const union sctp_subtype type,
5299 					void *arg,
5300 					struct sctp_cmd_seq *commands)
5301 {
5302 	/* There is a single T1 timer, so we should be able to use
5303 	 * common function with the COOKIE-WAIT state.
5304 	 */
5305 	return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5306 }
5307 
5308 /*
5309  * sctp_sf_shutdown_pending_prm_abort
5310  *
5311  * Inputs
5312  * (endpoint, asoc)
5313  *
5314  * The RFC does not explicitly address this issue, but is the route through the
5315  * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5316  *
5317  * Outputs
5318  * (timers)
5319  */
5320 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort(
5321 					struct net *net,
5322 					const struct sctp_endpoint *ep,
5323 					const struct sctp_association *asoc,
5324 					const union sctp_subtype type,
5325 					void *arg,
5326 					struct sctp_cmd_seq *commands)
5327 {
5328 	/* Stop the T5-shutdown guard timer.  */
5329 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5330 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5331 
5332 	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5333 }
5334 
5335 /*
5336  * sctp_sf_shutdown_sent_prm_abort
5337  *
5338  * Inputs
5339  * (endpoint, asoc)
5340  *
5341  * The RFC does not explicitly address this issue, but is the route through the
5342  * state table when someone issues an abort while in SHUTDOWN-SENT state.
5343  *
5344  * Outputs
5345  * (timers)
5346  */
5347 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort(
5348 					struct net *net,
5349 					const struct sctp_endpoint *ep,
5350 					const struct sctp_association *asoc,
5351 					const union sctp_subtype type,
5352 					void *arg,
5353 					struct sctp_cmd_seq *commands)
5354 {
5355 	/* Stop the T2-shutdown timer.  */
5356 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5357 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5358 
5359 	/* Stop the T5-shutdown guard timer.  */
5360 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5361 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5362 
5363 	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5364 }
5365 
5366 /*
5367  * sctp_sf_cookie_echoed_prm_abort
5368  *
5369  * Inputs
5370  * (endpoint, asoc)
5371  *
5372  * The RFC does not explcitly address this issue, but is the route through the
5373  * state table when someone issues an abort while in COOKIE_ECHOED state.
5374  *
5375  * Outputs
5376  * (timers)
5377  */
5378 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort(
5379 					struct net *net,
5380 					const struct sctp_endpoint *ep,
5381 					const struct sctp_association *asoc,
5382 					const union sctp_subtype type,
5383 					void *arg,
5384 					struct sctp_cmd_seq *commands)
5385 {
5386 	/* The same T2 timer, so we should be able to use
5387 	 * common function with the SHUTDOWN-SENT state.
5388 	 */
5389 	return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5390 }
5391 
5392 /*
5393  * Process the REQUESTHEARTBEAT primitive
5394  *
5395  * 10.1 ULP-to-SCTP
5396  * J) Request Heartbeat
5397  *
5398  * Format: REQUESTHEARTBEAT(association id, destination transport address)
5399  *
5400  * -> result
5401  *
5402  * Instructs the local endpoint to perform a HeartBeat on the specified
5403  * destination transport address of the given association. The returned
5404  * result should indicate whether the transmission of the HEARTBEAT
5405  * chunk to the destination address is successful.
5406  *
5407  * Mandatory attributes:
5408  *
5409  * o association id - local handle to the SCTP association
5410  *
5411  * o destination transport address - the transport address of the
5412  *   association on which a heartbeat should be issued.
5413  */
5414 enum sctp_disposition sctp_sf_do_prm_requestheartbeat(
5415 					struct net *net,
5416 					const struct sctp_endpoint *ep,
5417 					const struct sctp_association *asoc,
5418 					const union sctp_subtype type,
5419 					void *arg,
5420 					struct sctp_cmd_seq *commands)
5421 {
5422 	if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5423 				      (struct sctp_transport *)arg, commands))
5424 		return SCTP_DISPOSITION_NOMEM;
5425 
5426 	/*
5427 	 * RFC 2960 (bis), section 8.3
5428 	 *
5429 	 *    D) Request an on-demand HEARTBEAT on a specific destination
5430 	 *    transport address of a given association.
5431 	 *
5432 	 *    The endpoint should increment the respective error  counter of
5433 	 *    the destination transport address each time a HEARTBEAT is sent
5434 	 *    to that address and not acknowledged within one RTO.
5435 	 *
5436 	 */
5437 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5438 			SCTP_TRANSPORT(arg));
5439 	return SCTP_DISPOSITION_CONSUME;
5440 }
5441 
5442 /*
5443  * ADDIP Section 4.1 ASCONF Chunk Procedures
5444  * When an endpoint has an ASCONF signaled change to be sent to the
5445  * remote endpoint it should do A1 to A9
5446  */
5447 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net,
5448 					    const struct sctp_endpoint *ep,
5449 					    const struct sctp_association *asoc,
5450 					    const union sctp_subtype type,
5451 					    void *arg,
5452 					    struct sctp_cmd_seq *commands)
5453 {
5454 	struct sctp_chunk *chunk = arg;
5455 
5456 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5457 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5458 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5459 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5460 	return SCTP_DISPOSITION_CONSUME;
5461 }
5462 
5463 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */
5464 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net,
5465 					    const struct sctp_endpoint *ep,
5466 					    const struct sctp_association *asoc,
5467 					    const union sctp_subtype type,
5468 					    void *arg,
5469 					    struct sctp_cmd_seq *commands)
5470 {
5471 	struct sctp_chunk *chunk = arg;
5472 
5473 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5474 	return SCTP_DISPOSITION_CONSUME;
5475 }
5476 
5477 /*
5478  * Ignore the primitive event
5479  *
5480  * The return value is the disposition of the primitive.
5481  */
5482 enum sctp_disposition sctp_sf_ignore_primitive(
5483 					struct net *net,
5484 					const struct sctp_endpoint *ep,
5485 					const struct sctp_association *asoc,
5486 					const union sctp_subtype type,
5487 					void *arg,
5488 					struct sctp_cmd_seq *commands)
5489 {
5490 	pr_debug("%s: primitive type:%d is ignored\n", __func__,
5491 		 type.primitive);
5492 
5493 	return SCTP_DISPOSITION_DISCARD;
5494 }
5495 
5496 /***************************************************************************
5497  * These are the state functions for the OTHER events.
5498  ***************************************************************************/
5499 
5500 /*
5501  * When the SCTP stack has no more user data to send or retransmit, this
5502  * notification is given to the user. Also, at the time when a user app
5503  * subscribes to this event, if there is no data to be sent or
5504  * retransmit, the stack will immediately send up this notification.
5505  */
5506 enum sctp_disposition sctp_sf_do_no_pending_tsn(
5507 					struct net *net,
5508 					const struct sctp_endpoint *ep,
5509 					const struct sctp_association *asoc,
5510 					const union sctp_subtype type,
5511 					void *arg,
5512 					struct sctp_cmd_seq *commands)
5513 {
5514 	struct sctp_ulpevent *event;
5515 
5516 	event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5517 	if (!event)
5518 		return SCTP_DISPOSITION_NOMEM;
5519 
5520 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5521 
5522 	return SCTP_DISPOSITION_CONSUME;
5523 }
5524 
5525 /*
5526  * Start the shutdown negotiation.
5527  *
5528  * From Section 9.2:
5529  * Once all its outstanding data has been acknowledged, the endpoint
5530  * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5531  * TSN Ack field the last sequential TSN it has received from the peer.
5532  * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5533  * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5534  * with the updated last sequential TSN received from its peer.
5535  *
5536  * The return value is the disposition.
5537  */
5538 enum sctp_disposition sctp_sf_do_9_2_start_shutdown(
5539 					struct net *net,
5540 					const struct sctp_endpoint *ep,
5541 					const struct sctp_association *asoc,
5542 					const union sctp_subtype type,
5543 					void *arg,
5544 					struct sctp_cmd_seq *commands)
5545 {
5546 	struct sctp_chunk *reply;
5547 
5548 	/* Once all its outstanding data has been acknowledged, the
5549 	 * endpoint shall send a SHUTDOWN chunk to its peer including
5550 	 * in the Cumulative TSN Ack field the last sequential TSN it
5551 	 * has received from the peer.
5552 	 */
5553 	reply = sctp_make_shutdown(asoc, arg);
5554 	if (!reply)
5555 		goto nomem;
5556 
5557 	/* Set the transport for the SHUTDOWN chunk and the timeout for the
5558 	 * T2-shutdown timer.
5559 	 */
5560 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5561 
5562 	/* It shall then start the T2-shutdown timer */
5563 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5564 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5565 
5566 	/* RFC 4960 Section 9.2
5567 	 * The sender of the SHUTDOWN MAY also start an overall guard timer
5568 	 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5569 	 */
5570 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5571 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5572 
5573 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5574 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5575 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5576 
5577 	/* and enter the SHUTDOWN-SENT state.  */
5578 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5579 			SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5580 
5581 	/* sctp-implguide 2.10 Issues with Heartbeating and failover
5582 	 *
5583 	 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5584 	 * or SHUTDOWN-ACK.
5585 	 */
5586 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5587 
5588 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5589 
5590 	return SCTP_DISPOSITION_CONSUME;
5591 
5592 nomem:
5593 	return SCTP_DISPOSITION_NOMEM;
5594 }
5595 
5596 /*
5597  * Generate a SHUTDOWN ACK now that everything is SACK'd.
5598  *
5599  * From Section 9.2:
5600  *
5601  * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5602  * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5603  * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5604  * endpoint must re-send the SHUTDOWN ACK.
5605  *
5606  * The return value is the disposition.
5607  */
5608 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack(
5609 					struct net *net,
5610 					const struct sctp_endpoint *ep,
5611 					const struct sctp_association *asoc,
5612 					const union sctp_subtype type,
5613 					void *arg,
5614 					struct sctp_cmd_seq *commands)
5615 {
5616 	struct sctp_chunk *chunk = arg;
5617 	struct sctp_chunk *reply;
5618 
5619 	/* There are 2 ways of getting here:
5620 	 *    1) called in response to a SHUTDOWN chunk
5621 	 *    2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5622 	 *
5623 	 * For the case (2), the arg parameter is set to NULL.  We need
5624 	 * to check that we have a chunk before accessing it's fields.
5625 	 */
5626 	if (chunk) {
5627 		if (!sctp_vtag_verify(chunk, asoc))
5628 			return sctp_sf_pdiscard(net, ep, asoc, type, arg,
5629 						commands);
5630 
5631 		/* Make sure that the SHUTDOWN chunk has a valid length. */
5632 		if (!sctp_chunk_length_valid(
5633 				chunk, sizeof(struct sctp_shutdown_chunk)))
5634 			return sctp_sf_violation_chunklen(net, ep, asoc, type,
5635 							  arg, commands);
5636 	}
5637 
5638 	/* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5639 	 * shall send a SHUTDOWN ACK ...
5640 	 */
5641 	reply = sctp_make_shutdown_ack(asoc, chunk);
5642 	if (!reply)
5643 		goto nomem;
5644 
5645 	/* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5646 	 * the T2-shutdown timer.
5647 	 */
5648 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5649 
5650 	/* and start/restart a T2-shutdown timer of its own, */
5651 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5652 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5653 
5654 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5655 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5656 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5657 
5658 	/* Enter the SHUTDOWN-ACK-SENT state.  */
5659 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5660 			SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5661 
5662 	/* sctp-implguide 2.10 Issues with Heartbeating and failover
5663 	 *
5664 	 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5665 	 * or SHUTDOWN-ACK.
5666 	 */
5667 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5668 
5669 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5670 
5671 	return SCTP_DISPOSITION_CONSUME;
5672 
5673 nomem:
5674 	return SCTP_DISPOSITION_NOMEM;
5675 }
5676 
5677 /*
5678  * Ignore the event defined as other
5679  *
5680  * The return value is the disposition of the event.
5681  */
5682 enum sctp_disposition sctp_sf_ignore_other(struct net *net,
5683 					   const struct sctp_endpoint *ep,
5684 					   const struct sctp_association *asoc,
5685 					   const union sctp_subtype type,
5686 					   void *arg,
5687 					   struct sctp_cmd_seq *commands)
5688 {
5689 	pr_debug("%s: the event other type:%d is ignored\n",
5690 		 __func__, type.other);
5691 
5692 	return SCTP_DISPOSITION_DISCARD;
5693 }
5694 
5695 /************************************************************
5696  * These are the state functions for handling timeout events.
5697  ************************************************************/
5698 
5699 /*
5700  * RTX Timeout
5701  *
5702  * Section: 6.3.3 Handle T3-rtx Expiration
5703  *
5704  * Whenever the retransmission timer T3-rtx expires for a destination
5705  * address, do the following:
5706  * [See below]
5707  *
5708  * The return value is the disposition of the chunk.
5709  */
5710 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net,
5711 					   const struct sctp_endpoint *ep,
5712 					   const struct sctp_association *asoc,
5713 					   const union sctp_subtype type,
5714 					   void *arg,
5715 					   struct sctp_cmd_seq *commands)
5716 {
5717 	struct sctp_transport *transport = arg;
5718 
5719 	SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5720 
5721 	if (asoc->overall_error_count >= asoc->max_retrans) {
5722 		if (asoc->peer.zero_window_announced &&
5723 		    asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5724 			/*
5725 			 * We are here likely because the receiver had its rwnd
5726 			 * closed for a while and we have not been able to
5727 			 * transmit the locally queued data within the maximum
5728 			 * retransmission attempts limit.  Start the T5
5729 			 * shutdown guard timer to give the receiver one last
5730 			 * chance and some additional time to recover before
5731 			 * aborting.
5732 			 */
5733 			sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5734 				SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5735 		} else {
5736 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5737 					SCTP_ERROR(ETIMEDOUT));
5738 			/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5739 			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5740 					SCTP_PERR(SCTP_ERROR_NO_ERROR));
5741 			SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5742 			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5743 			return SCTP_DISPOSITION_DELETE_TCB;
5744 		}
5745 	}
5746 
5747 	/* E1) For the destination address for which the timer
5748 	 * expires, adjust its ssthresh with rules defined in Section
5749 	 * 7.2.3 and set the cwnd <- MTU.
5750 	 */
5751 
5752 	/* E2) For the destination address for which the timer
5753 	 * expires, set RTO <- RTO * 2 ("back off the timer").  The
5754 	 * maximum value discussed in rule C7 above (RTO.max) may be
5755 	 * used to provide an upper bound to this doubling operation.
5756 	 */
5757 
5758 	/* E3) Determine how many of the earliest (i.e., lowest TSN)
5759 	 * outstanding DATA chunks for the address for which the
5760 	 * T3-rtx has expired will fit into a single packet, subject
5761 	 * to the MTU constraint for the path corresponding to the
5762 	 * destination transport address to which the retransmission
5763 	 * is being sent (this may be different from the address for
5764 	 * which the timer expires [see Section 6.4]).  Call this
5765 	 * value K. Bundle and retransmit those K DATA chunks in a
5766 	 * single packet to the destination endpoint.
5767 	 *
5768 	 * Note: Any DATA chunks that were sent to the address for
5769 	 * which the T3-rtx timer expired but did not fit in one MTU
5770 	 * (rule E3 above), should be marked for retransmission and
5771 	 * sent as soon as cwnd allows (normally when a SACK arrives).
5772 	 */
5773 
5774 	/* Do some failure management (Section 8.2). */
5775 	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5776 
5777 	/* NB: Rules E4 and F1 are implicit in R1.  */
5778 	sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5779 
5780 	return SCTP_DISPOSITION_CONSUME;
5781 }
5782 
5783 /*
5784  * Generate delayed SACK on timeout
5785  *
5786  * Section: 6.2  Acknowledgement on Reception of DATA Chunks
5787  *
5788  * The guidelines on delayed acknowledgement algorithm specified in
5789  * Section 4.2 of [RFC2581] SHOULD be followed.  Specifically, an
5790  * acknowledgement SHOULD be generated for at least every second packet
5791  * (not every second DATA chunk) received, and SHOULD be generated
5792  * within 200 ms of the arrival of any unacknowledged DATA chunk.  In
5793  * some situations it may be beneficial for an SCTP transmitter to be
5794  * more conservative than the algorithms detailed in this document
5795  * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5796  * the following algorithms allow.
5797  */
5798 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net,
5799 					  const struct sctp_endpoint *ep,
5800 					  const struct sctp_association *asoc,
5801 					  const union sctp_subtype type,
5802 					  void *arg,
5803 					  struct sctp_cmd_seq *commands)
5804 {
5805 	SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5806 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5807 	return SCTP_DISPOSITION_CONSUME;
5808 }
5809 
5810 /*
5811  * sctp_sf_t1_init_timer_expire
5812  *
5813  * Section: 4 Note: 2
5814  * Verification Tag:
5815  * Inputs
5816  * (endpoint, asoc)
5817  *
5818  *  RFC 2960 Section 4 Notes
5819  *  2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5820  *     and re-start the T1-init timer without changing state.  This MUST
5821  *     be repeated up to 'Max.Init.Retransmits' times.  After that, the
5822  *     endpoint MUST abort the initialization process and report the
5823  *     error to SCTP user.
5824  *
5825  * Outputs
5826  * (timers, events)
5827  *
5828  */
5829 enum sctp_disposition sctp_sf_t1_init_timer_expire(
5830 					struct net *net,
5831 					const struct sctp_endpoint *ep,
5832 					const struct sctp_association *asoc,
5833 					const union sctp_subtype type,
5834 					void *arg,
5835 					struct sctp_cmd_seq *commands)
5836 {
5837 	int attempts = asoc->init_err_counter + 1;
5838 	struct sctp_chunk *repl = NULL;
5839 	struct sctp_bind_addr *bp;
5840 
5841 	pr_debug("%s: timer T1 expired (INIT)\n", __func__);
5842 
5843 	SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5844 
5845 	if (attempts <= asoc->max_init_attempts) {
5846 		bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5847 		repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5848 		if (!repl)
5849 			return SCTP_DISPOSITION_NOMEM;
5850 
5851 		/* Choose transport for INIT. */
5852 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5853 				SCTP_CHUNK(repl));
5854 
5855 		/* Issue a sideeffect to do the needed accounting. */
5856 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5857 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5858 
5859 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5860 	} else {
5861 		pr_debug("%s: giving up on INIT, attempts:%d "
5862 			 "max_init_attempts:%d\n", __func__, attempts,
5863 			 asoc->max_init_attempts);
5864 
5865 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5866 				SCTP_ERROR(ETIMEDOUT));
5867 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5868 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5869 		return SCTP_DISPOSITION_DELETE_TCB;
5870 	}
5871 
5872 	return SCTP_DISPOSITION_CONSUME;
5873 }
5874 
5875 /*
5876  * sctp_sf_t1_cookie_timer_expire
5877  *
5878  * Section: 4 Note: 2
5879  * Verification Tag:
5880  * Inputs
5881  * (endpoint, asoc)
5882  *
5883  *  RFC 2960 Section 4 Notes
5884  *  3) If the T1-cookie timer expires, the endpoint MUST retransmit
5885  *     COOKIE ECHO and re-start the T1-cookie timer without changing
5886  *     state.  This MUST be repeated up to 'Max.Init.Retransmits' times.
5887  *     After that, the endpoint MUST abort the initialization process and
5888  *     report the error to SCTP user.
5889  *
5890  * Outputs
5891  * (timers, events)
5892  *
5893  */
5894 enum sctp_disposition sctp_sf_t1_cookie_timer_expire(
5895 					struct net *net,
5896 					const struct sctp_endpoint *ep,
5897 					const struct sctp_association *asoc,
5898 					const union sctp_subtype type,
5899 					void *arg,
5900 					struct sctp_cmd_seq *commands)
5901 {
5902 	int attempts = asoc->init_err_counter + 1;
5903 	struct sctp_chunk *repl = NULL;
5904 
5905 	pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);
5906 
5907 	SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5908 
5909 	if (attempts <= asoc->max_init_attempts) {
5910 		repl = sctp_make_cookie_echo(asoc, NULL);
5911 		if (!repl)
5912 			return SCTP_DISPOSITION_NOMEM;
5913 
5914 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5915 				SCTP_CHUNK(repl));
5916 		/* Issue a sideeffect to do the needed accounting. */
5917 		sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5918 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5919 
5920 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5921 	} else {
5922 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5923 				SCTP_ERROR(ETIMEDOUT));
5924 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5925 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5926 		return SCTP_DISPOSITION_DELETE_TCB;
5927 	}
5928 
5929 	return SCTP_DISPOSITION_CONSUME;
5930 }
5931 
5932 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5933  * with the updated last sequential TSN received from its peer.
5934  *
5935  * An endpoint should limit the number of retransmissions of the
5936  * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5937  * If this threshold is exceeded the endpoint should destroy the TCB and
5938  * MUST report the peer endpoint unreachable to the upper layer (and
5939  * thus the association enters the CLOSED state).  The reception of any
5940  * packet from its peer (i.e. as the peer sends all of its queued DATA
5941  * chunks) should clear the endpoint's retransmission count and restart
5942  * the T2-Shutdown timer,  giving its peer ample opportunity to transmit
5943  * all of its queued DATA chunks that have not yet been sent.
5944  */
5945 enum sctp_disposition sctp_sf_t2_timer_expire(
5946 					struct net *net,
5947 					const struct sctp_endpoint *ep,
5948 					const struct sctp_association *asoc,
5949 					const union sctp_subtype type,
5950 					void *arg,
5951 					struct sctp_cmd_seq *commands)
5952 {
5953 	struct sctp_chunk *reply = NULL;
5954 
5955 	pr_debug("%s: timer T2 expired\n", __func__);
5956 
5957 	SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5958 
5959 	((struct sctp_association *)asoc)->shutdown_retries++;
5960 
5961 	if (asoc->overall_error_count >= asoc->max_retrans) {
5962 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5963 				SCTP_ERROR(ETIMEDOUT));
5964 		/* Note:  CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5965 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5966 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5967 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5968 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5969 		return SCTP_DISPOSITION_DELETE_TCB;
5970 	}
5971 
5972 	switch (asoc->state) {
5973 	case SCTP_STATE_SHUTDOWN_SENT:
5974 		reply = sctp_make_shutdown(asoc, NULL);
5975 		break;
5976 
5977 	case SCTP_STATE_SHUTDOWN_ACK_SENT:
5978 		reply = sctp_make_shutdown_ack(asoc, NULL);
5979 		break;
5980 
5981 	default:
5982 		BUG();
5983 		break;
5984 	}
5985 
5986 	if (!reply)
5987 		goto nomem;
5988 
5989 	/* Do some failure management (Section 8.2).
5990 	 * If we remove the transport an SHUTDOWN was last sent to, don't
5991 	 * do failure management.
5992 	 */
5993 	if (asoc->shutdown_last_sent_to)
5994 		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5995 				SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5996 
5997 	/* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5998 	 * the T2-shutdown timer.
5999 	 */
6000 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
6001 
6002 	/* Restart the T2-shutdown timer.  */
6003 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6004 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
6005 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6006 	return SCTP_DISPOSITION_CONSUME;
6007 
6008 nomem:
6009 	return SCTP_DISPOSITION_NOMEM;
6010 }
6011 
6012 /*
6013  * ADDIP Section 4.1 ASCONF CHunk Procedures
6014  * If the T4 RTO timer expires the endpoint should do B1 to B5
6015  */
6016 enum sctp_disposition sctp_sf_t4_timer_expire(
6017 					struct net *net,
6018 					const struct sctp_endpoint *ep,
6019 					const struct sctp_association *asoc,
6020 					const union sctp_subtype type,
6021 					void *arg,
6022 					struct sctp_cmd_seq *commands)
6023 {
6024 	struct sctp_chunk *chunk = asoc->addip_last_asconf;
6025 	struct sctp_transport *transport = chunk->transport;
6026 
6027 	SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
6028 
6029 	/* ADDIP 4.1 B1) Increment the error counters and perform path failure
6030 	 * detection on the appropriate destination address as defined in
6031 	 * RFC2960 [5] section 8.1 and 8.2.
6032 	 */
6033 	if (transport)
6034 		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
6035 				SCTP_TRANSPORT(transport));
6036 
6037 	/* Reconfig T4 timer and transport. */
6038 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
6039 
6040 	/* ADDIP 4.1 B2) Increment the association error counters and perform
6041 	 * endpoint failure detection on the association as defined in
6042 	 * RFC2960 [5] section 8.1 and 8.2.
6043 	 * association error counter is incremented in SCTP_CMD_STRIKE.
6044 	 */
6045 	if (asoc->overall_error_count >= asoc->max_retrans) {
6046 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
6047 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6048 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6049 				SCTP_ERROR(ETIMEDOUT));
6050 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6051 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
6052 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6053 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6054 		return SCTP_DISPOSITION_ABORT;
6055 	}
6056 
6057 	/* ADDIP 4.1 B3) Back-off the destination address RTO value to which
6058 	 * the ASCONF chunk was sent by doubling the RTO timer value.
6059 	 * This is done in SCTP_CMD_STRIKE.
6060 	 */
6061 
6062 	/* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
6063 	 * choose an alternate destination address (please refer to RFC2960
6064 	 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
6065 	 * chunk, it MUST be the same (including its serial number) as the last
6066 	 * ASCONF sent.
6067 	 */
6068 	sctp_chunk_hold(asoc->addip_last_asconf);
6069 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6070 			SCTP_CHUNK(asoc->addip_last_asconf));
6071 
6072 	/* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
6073 	 * destination is selected, then the RTO used will be that of the new
6074 	 * destination address.
6075 	 */
6076 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6077 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6078 
6079 	return SCTP_DISPOSITION_CONSUME;
6080 }
6081 
6082 /* sctpimpguide-05 Section 2.12.2
6083  * The sender of the SHUTDOWN MAY also start an overall guard timer
6084  * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
6085  * At the expiration of this timer the sender SHOULD abort the association
6086  * by sending an ABORT chunk.
6087  */
6088 enum sctp_disposition sctp_sf_t5_timer_expire(
6089 					struct net *net,
6090 					const struct sctp_endpoint *ep,
6091 					const struct sctp_association *asoc,
6092 					const union sctp_subtype type,
6093 					void *arg,
6094 					struct sctp_cmd_seq *commands)
6095 {
6096 	struct sctp_chunk *reply = NULL;
6097 
6098 	pr_debug("%s: timer T5 expired\n", __func__);
6099 
6100 	SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
6101 
6102 	reply = sctp_make_abort(asoc, NULL, 0);
6103 	if (!reply)
6104 		goto nomem;
6105 
6106 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6107 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6108 			SCTP_ERROR(ETIMEDOUT));
6109 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6110 			SCTP_PERR(SCTP_ERROR_NO_ERROR));
6111 
6112 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6113 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6114 
6115 	return SCTP_DISPOSITION_DELETE_TCB;
6116 nomem:
6117 	return SCTP_DISPOSITION_NOMEM;
6118 }
6119 
6120 /* Handle expiration of AUTOCLOSE timer.  When the autoclose timer expires,
6121  * the association is automatically closed by starting the shutdown process.
6122  * The work that needs to be done is same as when SHUTDOWN is initiated by
6123  * the user.  So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
6124  */
6125 enum sctp_disposition sctp_sf_autoclose_timer_expire(
6126 					struct net *net,
6127 					const struct sctp_endpoint *ep,
6128 					const struct sctp_association *asoc,
6129 					const union sctp_subtype type,
6130 					void *arg,
6131 					struct sctp_cmd_seq *commands)
6132 {
6133 	enum sctp_disposition disposition;
6134 
6135 	SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
6136 
6137 	/* From 9.2 Shutdown of an Association
6138 	 * Upon receipt of the SHUTDOWN primitive from its upper
6139 	 * layer, the endpoint enters SHUTDOWN-PENDING state and
6140 	 * remains there until all outstanding data has been
6141 	 * acknowledged by its peer. The endpoint accepts no new data
6142 	 * from its upper layer, but retransmits data to the far end
6143 	 * if necessary to fill gaps.
6144 	 */
6145 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
6146 			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
6147 
6148 	disposition = SCTP_DISPOSITION_CONSUME;
6149 	if (sctp_outq_is_empty(&asoc->outqueue)) {
6150 		disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
6151 							    NULL, commands);
6152 	}
6153 
6154 	return disposition;
6155 }
6156 
6157 /*****************************************************************************
6158  * These are sa state functions which could apply to all types of events.
6159  ****************************************************************************/
6160 
6161 /*
6162  * This table entry is not implemented.
6163  *
6164  * Inputs
6165  * (endpoint, asoc, chunk)
6166  *
6167  * The return value is the disposition of the chunk.
6168  */
6169 enum sctp_disposition sctp_sf_not_impl(struct net *net,
6170 				       const struct sctp_endpoint *ep,
6171 				       const struct sctp_association *asoc,
6172 				       const union sctp_subtype type,
6173 				       void *arg, struct sctp_cmd_seq *commands)
6174 {
6175 	return SCTP_DISPOSITION_NOT_IMPL;
6176 }
6177 
6178 /*
6179  * This table entry represents a bug.
6180  *
6181  * Inputs
6182  * (endpoint, asoc, chunk)
6183  *
6184  * The return value is the disposition of the chunk.
6185  */
6186 enum sctp_disposition sctp_sf_bug(struct net *net,
6187 				  const struct sctp_endpoint *ep,
6188 				  const struct sctp_association *asoc,
6189 				  const union sctp_subtype type,
6190 				  void *arg, struct sctp_cmd_seq *commands)
6191 {
6192 	return SCTP_DISPOSITION_BUG;
6193 }
6194 
6195 /*
6196  * This table entry represents the firing of a timer in the wrong state.
6197  * Since timer deletion cannot be guaranteed a timer 'may' end up firing
6198  * when the association is in the wrong state.   This event should
6199  * be ignored, so as to prevent any rearming of the timer.
6200  *
6201  * Inputs
6202  * (endpoint, asoc, chunk)
6203  *
6204  * The return value is the disposition of the chunk.
6205  */
6206 enum sctp_disposition sctp_sf_timer_ignore(struct net *net,
6207 					   const struct sctp_endpoint *ep,
6208 					   const struct sctp_association *asoc,
6209 					   const union sctp_subtype type,
6210 					   void *arg,
6211 					   struct sctp_cmd_seq *commands)
6212 {
6213 	pr_debug("%s: timer %d ignored\n", __func__, type.chunk);
6214 
6215 	return SCTP_DISPOSITION_CONSUME;
6216 }
6217 
6218 /********************************************************************
6219  * 2nd Level Abstractions
6220  ********************************************************************/
6221 
6222 /* Pull the SACK chunk based on the SACK header. */
6223 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
6224 {
6225 	struct sctp_sackhdr *sack;
6226 	__u16 num_dup_tsns;
6227 	unsigned int len;
6228 	__u16 num_blocks;
6229 
6230 	/* Protect ourselves from reading too far into
6231 	 * the skb from a bogus sender.
6232 	 */
6233 	sack = (struct sctp_sackhdr *) chunk->skb->data;
6234 
6235 	num_blocks = ntohs(sack->num_gap_ack_blocks);
6236 	num_dup_tsns = ntohs(sack->num_dup_tsns);
6237 	len = sizeof(struct sctp_sackhdr);
6238 	len += (num_blocks + num_dup_tsns) * sizeof(__u32);
6239 	if (len > chunk->skb->len)
6240 		return NULL;
6241 
6242 	skb_pull(chunk->skb, len);
6243 
6244 	return sack;
6245 }
6246 
6247 /* Create an ABORT packet to be sent as a response, with the specified
6248  * error causes.
6249  */
6250 static struct sctp_packet *sctp_abort_pkt_new(
6251 					struct net *net,
6252 					const struct sctp_endpoint *ep,
6253 					const struct sctp_association *asoc,
6254 					struct sctp_chunk *chunk,
6255 					const void *payload, size_t paylen)
6256 {
6257 	struct sctp_packet *packet;
6258 	struct sctp_chunk *abort;
6259 
6260 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
6261 
6262 	if (packet) {
6263 		/* Make an ABORT.
6264 		 * The T bit will be set if the asoc is NULL.
6265 		 */
6266 		abort = sctp_make_abort(asoc, chunk, paylen);
6267 		if (!abort) {
6268 			sctp_ootb_pkt_free(packet);
6269 			return NULL;
6270 		}
6271 
6272 		/* Reflect vtag if T-Bit is set */
6273 		if (sctp_test_T_bit(abort))
6274 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
6275 
6276 		/* Add specified error causes, i.e., payload, to the
6277 		 * end of the chunk.
6278 		 */
6279 		sctp_addto_chunk(abort, paylen, payload);
6280 
6281 		/* Set the skb to the belonging sock for accounting.  */
6282 		abort->skb->sk = ep->base.sk;
6283 
6284 		sctp_packet_append_chunk(packet, abort);
6285 
6286 	}
6287 
6288 	return packet;
6289 }
6290 
6291 /* Allocate a packet for responding in the OOTB conditions.  */
6292 static struct sctp_packet *sctp_ootb_pkt_new(
6293 					struct net *net,
6294 					const struct sctp_association *asoc,
6295 					const struct sctp_chunk *chunk)
6296 {
6297 	struct sctp_transport *transport;
6298 	struct sctp_packet *packet;
6299 	__u16 sport, dport;
6300 	__u32 vtag;
6301 
6302 	/* Get the source and destination port from the inbound packet.  */
6303 	sport = ntohs(chunk->sctp_hdr->dest);
6304 	dport = ntohs(chunk->sctp_hdr->source);
6305 
6306 	/* The V-tag is going to be the same as the inbound packet if no
6307 	 * association exists, otherwise, use the peer's vtag.
6308 	 */
6309 	if (asoc) {
6310 		/* Special case the INIT-ACK as there is no peer's vtag
6311 		 * yet.
6312 		 */
6313 		switch (chunk->chunk_hdr->type) {
6314 		case SCTP_CID_INIT_ACK:
6315 		{
6316 			struct sctp_initack_chunk *initack;
6317 
6318 			initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
6319 			vtag = ntohl(initack->init_hdr.init_tag);
6320 			break;
6321 		}
6322 		default:
6323 			vtag = asoc->peer.i.init_tag;
6324 			break;
6325 		}
6326 	} else {
6327 		/* Special case the INIT and stale COOKIE_ECHO as there is no
6328 		 * vtag yet.
6329 		 */
6330 		switch (chunk->chunk_hdr->type) {
6331 		case SCTP_CID_INIT:
6332 		{
6333 			struct sctp_init_chunk *init;
6334 
6335 			init = (struct sctp_init_chunk *)chunk->chunk_hdr;
6336 			vtag = ntohl(init->init_hdr.init_tag);
6337 			break;
6338 		}
6339 		default:
6340 			vtag = ntohl(chunk->sctp_hdr->vtag);
6341 			break;
6342 		}
6343 	}
6344 
6345 	/* Make a transport for the bucket, Eliza... */
6346 	transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6347 	if (!transport)
6348 		goto nomem;
6349 
6350 	transport->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port;
6351 
6352 	/* Cache a route for the transport with the chunk's destination as
6353 	 * the source address.
6354 	 */
6355 	sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6356 			     sctp_sk(net->sctp.ctl_sock));
6357 
6358 	packet = &transport->packet;
6359 	sctp_packet_init(packet, transport, sport, dport);
6360 	sctp_packet_config(packet, vtag, 0);
6361 
6362 	return packet;
6363 
6364 nomem:
6365 	return NULL;
6366 }
6367 
6368 /* Free the packet allocated earlier for responding in the OOTB condition.  */
6369 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6370 {
6371 	sctp_transport_free(packet->transport);
6372 }
6373 
6374 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found  */
6375 static void sctp_send_stale_cookie_err(struct net *net,
6376 				       const struct sctp_endpoint *ep,
6377 				       const struct sctp_association *asoc,
6378 				       const struct sctp_chunk *chunk,
6379 				       struct sctp_cmd_seq *commands,
6380 				       struct sctp_chunk *err_chunk)
6381 {
6382 	struct sctp_packet *packet;
6383 
6384 	if (err_chunk) {
6385 		packet = sctp_ootb_pkt_new(net, asoc, chunk);
6386 		if (packet) {
6387 			struct sctp_signed_cookie *cookie;
6388 
6389 			/* Override the OOTB vtag from the cookie. */
6390 			cookie = chunk->subh.cookie_hdr;
6391 			packet->vtag = cookie->c.peer_vtag;
6392 
6393 			/* Set the skb to the belonging sock for accounting. */
6394 			err_chunk->skb->sk = ep->base.sk;
6395 			sctp_packet_append_chunk(packet, err_chunk);
6396 			sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6397 					SCTP_PACKET(packet));
6398 			SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6399 		} else
6400 			sctp_chunk_free (err_chunk);
6401 	}
6402 }
6403 
6404 
6405 /* Process a data chunk */
6406 static int sctp_eat_data(const struct sctp_association *asoc,
6407 			 struct sctp_chunk *chunk,
6408 			 struct sctp_cmd_seq *commands)
6409 {
6410 	struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6411 	struct sock *sk = asoc->base.sk;
6412 	struct net *net = sock_net(sk);
6413 	struct sctp_datahdr *data_hdr;
6414 	struct sctp_chunk *err;
6415 	enum sctp_verb deliver;
6416 	size_t datalen;
6417 	__u32 tsn;
6418 	int tmp;
6419 
6420 	data_hdr = (struct sctp_datahdr *)chunk->skb->data;
6421 	chunk->subh.data_hdr = data_hdr;
6422 	skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream));
6423 
6424 	tsn = ntohl(data_hdr->tsn);
6425 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
6426 
6427 	/* ASSERT:  Now skb->data is really the user data.  */
6428 
6429 	/* Process ECN based congestion.
6430 	 *
6431 	 * Since the chunk structure is reused for all chunks within
6432 	 * a packet, we use ecn_ce_done to track if we've already
6433 	 * done CE processing for this packet.
6434 	 *
6435 	 * We need to do ECN processing even if we plan to discard the
6436 	 * chunk later.
6437 	 */
6438 
6439 	if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) {
6440 		struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af;
6441 		chunk->ecn_ce_done = 1;
6442 
6443 		if (af->is_ce(sctp_gso_headskb(chunk->skb))) {
6444 			/* Do real work as sideffect. */
6445 			sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6446 					SCTP_U32(tsn));
6447 		}
6448 	}
6449 
6450 	tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6451 	if (tmp < 0) {
6452 		/* The TSN is too high--silently discard the chunk and
6453 		 * count on it getting retransmitted later.
6454 		 */
6455 		if (chunk->asoc)
6456 			chunk->asoc->stats.outofseqtsns++;
6457 		return SCTP_IERROR_HIGH_TSN;
6458 	} else if (tmp > 0) {
6459 		/* This is a duplicate.  Record it.  */
6460 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6461 		return SCTP_IERROR_DUP_TSN;
6462 	}
6463 
6464 	/* This is a new TSN.  */
6465 
6466 	/* Discard if there is no room in the receive window.
6467 	 * Actually, allow a little bit of overflow (up to a MTU).
6468 	 */
6469 	datalen = ntohs(chunk->chunk_hdr->length);
6470 	datalen -= sctp_datachk_len(&asoc->stream);
6471 
6472 	deliver = SCTP_CMD_CHUNK_ULP;
6473 
6474 	/* Think about partial delivery. */
6475 	if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6476 
6477 		/* Even if we don't accept this chunk there is
6478 		 * memory pressure.
6479 		 */
6480 		sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6481 	}
6482 
6483 	/* Spill over rwnd a little bit.  Note: While allowed, this spill over
6484 	 * seems a bit troublesome in that frag_point varies based on
6485 	 * PMTU.  In cases, such as loopback, this might be a rather
6486 	 * large spill over.
6487 	 */
6488 	if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6489 	    (datalen > asoc->rwnd + asoc->frag_point))) {
6490 
6491 		/* If this is the next TSN, consider reneging to make
6492 		 * room.   Note: Playing nice with a confused sender.  A
6493 		 * malicious sender can still eat up all our buffer
6494 		 * space and in the future we may want to detect and
6495 		 * do more drastic reneging.
6496 		 */
6497 		if (sctp_tsnmap_has_gap(map) &&
6498 		    (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6499 			pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
6500 			deliver = SCTP_CMD_RENEGE;
6501 		} else {
6502 			pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
6503 				 __func__, tsn, datalen, asoc->rwnd);
6504 
6505 			return SCTP_IERROR_IGNORE_TSN;
6506 		}
6507 	}
6508 
6509 	/*
6510 	 * Also try to renege to limit our memory usage in the event that
6511 	 * we are under memory pressure
6512 	 * If we can't renege, don't worry about it, the sk_rmem_schedule
6513 	 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6514 	 * memory usage too much
6515 	 */
6516 	if (sk_under_memory_pressure(sk)) {
6517 		if (sctp_tsnmap_has_gap(map) &&
6518 		    (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6519 			pr_debug("%s: under pressure, reneging for tsn:%u\n",
6520 				 __func__, tsn);
6521 			deliver = SCTP_CMD_RENEGE;
6522 		} else {
6523 			sk_mem_reclaim(sk);
6524 		}
6525 	}
6526 
6527 	/*
6528 	 * Section 3.3.10.9 No User Data (9)
6529 	 *
6530 	 * Cause of error
6531 	 * ---------------
6532 	 * No User Data:  This error cause is returned to the originator of a
6533 	 * DATA chunk if a received DATA chunk has no user data.
6534 	 */
6535 	if (unlikely(0 == datalen)) {
6536 		err = sctp_make_abort_no_data(asoc, chunk, tsn);
6537 		if (err) {
6538 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6539 					SCTP_CHUNK(err));
6540 		}
6541 		/* We are going to ABORT, so we might as well stop
6542 		 * processing the rest of the chunks in the packet.
6543 		 */
6544 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
6545 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6546 				SCTP_ERROR(ECONNABORTED));
6547 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6548 				SCTP_PERR(SCTP_ERROR_NO_DATA));
6549 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6550 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6551 		return SCTP_IERROR_NO_DATA;
6552 	}
6553 
6554 	chunk->data_accepted = 1;
6555 
6556 	/* Note: Some chunks may get overcounted (if we drop) or overcounted
6557 	 * if we renege and the chunk arrives again.
6558 	 */
6559 	if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6560 		SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6561 		if (chunk->asoc)
6562 			chunk->asoc->stats.iuodchunks++;
6563 	} else {
6564 		SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6565 		if (chunk->asoc)
6566 			chunk->asoc->stats.iodchunks++;
6567 	}
6568 
6569 	/* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6570 	 *
6571 	 * If an endpoint receive a DATA chunk with an invalid stream
6572 	 * identifier, it shall acknowledge the reception of the DATA chunk
6573 	 * following the normal procedure, immediately send an ERROR chunk
6574 	 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6575 	 * and discard the DATA chunk.
6576 	 */
6577 	if (ntohs(data_hdr->stream) >= asoc->stream.incnt) {
6578 		/* Mark tsn as received even though we drop it */
6579 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6580 
6581 		err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6582 					 &data_hdr->stream,
6583 					 sizeof(data_hdr->stream),
6584 					 sizeof(u16));
6585 		if (err)
6586 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6587 					SCTP_CHUNK(err));
6588 		return SCTP_IERROR_BAD_STREAM;
6589 	}
6590 
6591 	/* Check to see if the SSN is possible for this TSN.
6592 	 * The biggest gap we can record is 4K wide.  Since SSNs wrap
6593 	 * at an unsigned short, there is no way that an SSN can
6594 	 * wrap and for a valid TSN.  We can simply check if the current
6595 	 * SSN is smaller then the next expected one.  If it is, it wrapped
6596 	 * and is invalid.
6597 	 */
6598 	if (!asoc->stream.si->validate_data(chunk))
6599 		return SCTP_IERROR_PROTO_VIOLATION;
6600 
6601 	/* Send the data up to the user.  Note:  Schedule  the
6602 	 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6603 	 * chunk needs the updated rwnd.
6604 	 */
6605 	sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6606 
6607 	return SCTP_IERROR_NO_ERROR;
6608 }
6609