1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, write to 26 * the Free Software Foundation, 59 Temple Place - Suite 330, 27 * Boston, MA 02111-1307, USA. 28 * 29 * Please send any bug reports or fixes you make to the 30 * email address(es): 31 * lksctp developers <lksctp-developers@lists.sourceforge.net> 32 * 33 * Or submit a bug report through the following website: 34 * http://www.sf.net/projects/lksctp 35 * 36 * Written or modified by: 37 * La Monte H.P. Yarroll <piggy@acm.org> 38 * Karl Knutson <karl@athena.chicago.il.us> 39 * Mathew Kotowsky <kotowsky@sctp.org> 40 * Sridhar Samudrala <samudrala@us.ibm.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Dajiang Zhang <dajiang.zhang@nokia.com> 44 * Daisy Chang <daisyc@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * Ryan Layer <rmlayer@us.ibm.com> 47 * Kevin Gao <kevin.gao@intel.com> 48 * 49 * Any bugs reported given to us we will try to fix... any fixes shared will 50 * be incorporated into the next SCTP release. 51 */ 52 53 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 54 55 #include <linux/types.h> 56 #include <linux/kernel.h> 57 #include <linux/ip.h> 58 #include <linux/ipv6.h> 59 #include <linux/net.h> 60 #include <linux/inet.h> 61 #include <linux/slab.h> 62 #include <net/sock.h> 63 #include <net/inet_ecn.h> 64 #include <linux/skbuff.h> 65 #include <net/sctp/sctp.h> 66 #include <net/sctp/sm.h> 67 #include <net/sctp/structs.h> 68 69 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 70 const struct sctp_association *asoc, 71 struct sctp_chunk *chunk, 72 const void *payload, 73 size_t paylen); 74 static int sctp_eat_data(const struct sctp_association *asoc, 75 struct sctp_chunk *chunk, 76 sctp_cmd_seq_t *commands); 77 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 78 const struct sctp_chunk *chunk); 79 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 80 const struct sctp_association *asoc, 81 const struct sctp_chunk *chunk, 82 sctp_cmd_seq_t *commands, 83 struct sctp_chunk *err_chunk); 84 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 85 const struct sctp_association *asoc, 86 const sctp_subtype_t type, 87 void *arg, 88 sctp_cmd_seq_t *commands); 89 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 90 const struct sctp_association *asoc, 91 const sctp_subtype_t type, 92 void *arg, 93 sctp_cmd_seq_t *commands); 94 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 95 const struct sctp_association *asoc, 96 const sctp_subtype_t type, 97 void *arg, 98 sctp_cmd_seq_t *commands); 99 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 100 101 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 102 __be16 error, int sk_err, 103 const struct sctp_association *asoc, 104 struct sctp_transport *transport); 105 106 static sctp_disposition_t sctp_sf_abort_violation( 107 const struct sctp_endpoint *ep, 108 const struct sctp_association *asoc, 109 void *arg, 110 sctp_cmd_seq_t *commands, 111 const __u8 *payload, 112 const size_t paylen); 113 114 static sctp_disposition_t sctp_sf_violation_chunklen( 115 const struct sctp_endpoint *ep, 116 const struct sctp_association *asoc, 117 const sctp_subtype_t type, 118 void *arg, 119 sctp_cmd_seq_t *commands); 120 121 static sctp_disposition_t sctp_sf_violation_paramlen( 122 const struct sctp_endpoint *ep, 123 const struct sctp_association *asoc, 124 const sctp_subtype_t type, 125 void *arg, void *ext, 126 sctp_cmd_seq_t *commands); 127 128 static sctp_disposition_t sctp_sf_violation_ctsn( 129 const struct sctp_endpoint *ep, 130 const struct sctp_association *asoc, 131 const sctp_subtype_t type, 132 void *arg, 133 sctp_cmd_seq_t *commands); 134 135 static sctp_disposition_t sctp_sf_violation_chunk( 136 const struct sctp_endpoint *ep, 137 const struct sctp_association *asoc, 138 const sctp_subtype_t type, 139 void *arg, 140 sctp_cmd_seq_t *commands); 141 142 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 143 const struct sctp_association *asoc, 144 const sctp_subtype_t type, 145 struct sctp_chunk *chunk); 146 147 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 148 const struct sctp_association *asoc, 149 const sctp_subtype_t type, 150 void *arg, 151 sctp_cmd_seq_t *commands); 152 153 /* Small helper function that checks if the chunk length 154 * is of the appropriate length. The 'required_length' argument 155 * is set to be the size of a specific chunk we are testing. 156 * Return Values: 1 = Valid length 157 * 0 = Invalid length 158 * 159 */ 160 static inline int 161 sctp_chunk_length_valid(struct sctp_chunk *chunk, 162 __u16 required_length) 163 { 164 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 165 166 if (unlikely(chunk_length < required_length)) 167 return 0; 168 169 return 1; 170 } 171 172 /********************************************************** 173 * These are the state functions for handling chunk events. 174 **********************************************************/ 175 176 /* 177 * Process the final SHUTDOWN COMPLETE. 178 * 179 * Section: 4 (C) (diagram), 9.2 180 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 181 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 182 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 183 * should stop the T2-shutdown timer and remove all knowledge of the 184 * association (and thus the association enters the CLOSED state). 185 * 186 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 187 * C) Rules for packet carrying SHUTDOWN COMPLETE: 188 * ... 189 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 190 * if the Verification Tag field of the packet matches its own tag and 191 * the T bit is not set 192 * OR 193 * it is set to its peer's tag and the T bit is set in the Chunk 194 * Flags. 195 * Otherwise, the receiver MUST silently discard the packet 196 * and take no further action. An endpoint MUST ignore the 197 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 198 * 199 * Inputs 200 * (endpoint, asoc, chunk) 201 * 202 * Outputs 203 * (asoc, reply_msg, msg_up, timers, counters) 204 * 205 * The return value is the disposition of the chunk. 206 */ 207 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 208 const struct sctp_association *asoc, 209 const sctp_subtype_t type, 210 void *arg, 211 sctp_cmd_seq_t *commands) 212 { 213 struct sctp_chunk *chunk = arg; 214 struct sctp_ulpevent *ev; 215 216 if (!sctp_vtag_verify_either(chunk, asoc)) 217 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 218 219 /* RFC 2960 6.10 Bundling 220 * 221 * An endpoint MUST NOT bundle INIT, INIT ACK or 222 * SHUTDOWN COMPLETE with any other chunks. 223 */ 224 if (!chunk->singleton) 225 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 226 227 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 228 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 229 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 230 commands); 231 232 /* RFC 2960 10.2 SCTP-to-ULP 233 * 234 * H) SHUTDOWN COMPLETE notification 235 * 236 * When SCTP completes the shutdown procedures (section 9.2) this 237 * notification is passed to the upper layer. 238 */ 239 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 240 0, 0, 0, NULL, GFP_ATOMIC); 241 if (ev) 242 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 243 SCTP_ULPEVENT(ev)); 244 245 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 246 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 247 * not the chunk should be discarded. If the endpoint is in 248 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 249 * T2-shutdown timer and remove all knowledge of the 250 * association (and thus the association enters the CLOSED 251 * state). 252 */ 253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 254 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 255 256 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 257 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 258 259 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 260 SCTP_STATE(SCTP_STATE_CLOSED)); 261 262 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 263 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 264 265 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 266 267 return SCTP_DISPOSITION_DELETE_TCB; 268 } 269 270 /* 271 * Respond to a normal INIT chunk. 272 * We are the side that is being asked for an association. 273 * 274 * Section: 5.1 Normal Establishment of an Association, B 275 * B) "Z" shall respond immediately with an INIT ACK chunk. The 276 * destination IP address of the INIT ACK MUST be set to the source 277 * IP address of the INIT to which this INIT ACK is responding. In 278 * the response, besides filling in other parameters, "Z" must set the 279 * Verification Tag field to Tag_A, and also provide its own 280 * Verification Tag (Tag_Z) in the Initiate Tag field. 281 * 282 * Verification Tag: Must be 0. 283 * 284 * Inputs 285 * (endpoint, asoc, chunk) 286 * 287 * Outputs 288 * (asoc, reply_msg, msg_up, timers, counters) 289 * 290 * The return value is the disposition of the chunk. 291 */ 292 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 293 const struct sctp_association *asoc, 294 const sctp_subtype_t type, 295 void *arg, 296 sctp_cmd_seq_t *commands) 297 { 298 struct sctp_chunk *chunk = arg; 299 struct sctp_chunk *repl; 300 struct sctp_association *new_asoc; 301 struct sctp_chunk *err_chunk; 302 struct sctp_packet *packet; 303 sctp_unrecognized_param_t *unk_param; 304 int len; 305 306 /* 6.10 Bundling 307 * An endpoint MUST NOT bundle INIT, INIT ACK or 308 * SHUTDOWN COMPLETE with any other chunks. 309 * 310 * IG Section 2.11.2 311 * Furthermore, we require that the receiver of an INIT chunk MUST 312 * enforce these rules by silently discarding an arriving packet 313 * with an INIT chunk that is bundled with other chunks. 314 */ 315 if (!chunk->singleton) 316 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 317 318 /* If the packet is an OOTB packet which is temporarily on the 319 * control endpoint, respond with an ABORT. 320 */ 321 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) { 322 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 323 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 324 } 325 326 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 327 * Tag. 328 */ 329 if (chunk->sctp_hdr->vtag != 0) 330 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 331 332 /* Make sure that the INIT chunk has a valid length. 333 * Normally, this would cause an ABORT with a Protocol Violation 334 * error, but since we don't have an association, we'll 335 * just discard the packet. 336 */ 337 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 338 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 339 340 /* If the INIT is coming toward a closing socket, we'll send back 341 * and ABORT. Essentially, this catches the race of INIT being 342 * backloged to the socket at the same time as the user isses close(). 343 * Since the socket and all its associations are going away, we 344 * can treat this OOTB 345 */ 346 if (sctp_sstate(ep->base.sk, CLOSING)) 347 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 348 349 /* Verify the INIT chunk before processing it. */ 350 err_chunk = NULL; 351 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 352 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 353 &err_chunk)) { 354 /* This chunk contains fatal error. It is to be discarded. 355 * Send an ABORT, with causes if there is any. 356 */ 357 if (err_chunk) { 358 packet = sctp_abort_pkt_new(ep, asoc, arg, 359 (__u8 *)(err_chunk->chunk_hdr) + 360 sizeof(sctp_chunkhdr_t), 361 ntohs(err_chunk->chunk_hdr->length) - 362 sizeof(sctp_chunkhdr_t)); 363 364 sctp_chunk_free(err_chunk); 365 366 if (packet) { 367 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 368 SCTP_PACKET(packet)); 369 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 370 return SCTP_DISPOSITION_CONSUME; 371 } else { 372 return SCTP_DISPOSITION_NOMEM; 373 } 374 } else { 375 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 376 commands); 377 } 378 } 379 380 /* Grab the INIT header. */ 381 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 382 383 /* Tag the variable length parameters. */ 384 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 385 386 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 387 if (!new_asoc) 388 goto nomem; 389 390 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 391 sctp_scope(sctp_source(chunk)), 392 GFP_ATOMIC) < 0) 393 goto nomem_init; 394 395 /* The call, sctp_process_init(), can fail on memory allocation. */ 396 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 397 sctp_source(chunk), 398 (sctp_init_chunk_t *)chunk->chunk_hdr, 399 GFP_ATOMIC)) 400 goto nomem_init; 401 402 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 403 404 /* If there are errors need to be reported for unknown parameters, 405 * make sure to reserve enough room in the INIT ACK for them. 406 */ 407 len = 0; 408 if (err_chunk) 409 len = ntohs(err_chunk->chunk_hdr->length) - 410 sizeof(sctp_chunkhdr_t); 411 412 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 413 if (!repl) 414 goto nomem_init; 415 416 /* If there are errors need to be reported for unknown parameters, 417 * include them in the outgoing INIT ACK as "Unrecognized parameter" 418 * parameter. 419 */ 420 if (err_chunk) { 421 /* Get the "Unrecognized parameter" parameter(s) out of the 422 * ERROR chunk generated by sctp_verify_init(). Since the 423 * error cause code for "unknown parameter" and the 424 * "Unrecognized parameter" type is the same, we can 425 * construct the parameters in INIT ACK by copying the 426 * ERROR causes over. 427 */ 428 unk_param = (sctp_unrecognized_param_t *) 429 ((__u8 *)(err_chunk->chunk_hdr) + 430 sizeof(sctp_chunkhdr_t)); 431 /* Replace the cause code with the "Unrecognized parameter" 432 * parameter type. 433 */ 434 sctp_addto_chunk(repl, len, unk_param); 435 sctp_chunk_free(err_chunk); 436 } 437 438 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 439 440 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 441 442 /* 443 * Note: After sending out INIT ACK with the State Cookie parameter, 444 * "Z" MUST NOT allocate any resources, nor keep any states for the 445 * new association. Otherwise, "Z" will be vulnerable to resource 446 * attacks. 447 */ 448 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 449 450 return SCTP_DISPOSITION_DELETE_TCB; 451 452 nomem_init: 453 sctp_association_free(new_asoc); 454 nomem: 455 if (err_chunk) 456 sctp_chunk_free(err_chunk); 457 return SCTP_DISPOSITION_NOMEM; 458 } 459 460 /* 461 * Respond to a normal INIT ACK chunk. 462 * We are the side that is initiating the association. 463 * 464 * Section: 5.1 Normal Establishment of an Association, C 465 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 466 * timer and leave COOKIE-WAIT state. "A" shall then send the State 467 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 468 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 469 * 470 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 471 * DATA chunks, but it MUST be the first chunk in the packet and 472 * until the COOKIE ACK is returned the sender MUST NOT send any 473 * other packets to the peer. 474 * 475 * Verification Tag: 3.3.3 476 * If the value of the Initiate Tag in a received INIT ACK chunk is 477 * found to be 0, the receiver MUST treat it as an error and close the 478 * association by transmitting an ABORT. 479 * 480 * Inputs 481 * (endpoint, asoc, chunk) 482 * 483 * Outputs 484 * (asoc, reply_msg, msg_up, timers, counters) 485 * 486 * The return value is the disposition of the chunk. 487 */ 488 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 489 const struct sctp_association *asoc, 490 const sctp_subtype_t type, 491 void *arg, 492 sctp_cmd_seq_t *commands) 493 { 494 struct sctp_chunk *chunk = arg; 495 sctp_init_chunk_t *initchunk; 496 struct sctp_chunk *err_chunk; 497 struct sctp_packet *packet; 498 499 if (!sctp_vtag_verify(chunk, asoc)) 500 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 501 502 /* 6.10 Bundling 503 * An endpoint MUST NOT bundle INIT, INIT ACK or 504 * SHUTDOWN COMPLETE with any other chunks. 505 */ 506 if (!chunk->singleton) 507 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 508 509 /* Make sure that the INIT-ACK chunk has a valid length */ 510 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 511 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 512 commands); 513 /* Grab the INIT header. */ 514 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 515 516 /* Verify the INIT chunk before processing it. */ 517 err_chunk = NULL; 518 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 519 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 520 &err_chunk)) { 521 522 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 523 524 /* This chunk contains fatal error. It is to be discarded. 525 * Send an ABORT, with causes. If there are no causes, 526 * then there wasn't enough memory. Just terminate 527 * the association. 528 */ 529 if (err_chunk) { 530 packet = sctp_abort_pkt_new(ep, asoc, arg, 531 (__u8 *)(err_chunk->chunk_hdr) + 532 sizeof(sctp_chunkhdr_t), 533 ntohs(err_chunk->chunk_hdr->length) - 534 sizeof(sctp_chunkhdr_t)); 535 536 sctp_chunk_free(err_chunk); 537 538 if (packet) { 539 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 540 SCTP_PACKET(packet)); 541 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 542 error = SCTP_ERROR_INV_PARAM; 543 } 544 } 545 546 /* SCTP-AUTH, Section 6.3: 547 * It should be noted that if the receiver wants to tear 548 * down an association in an authenticated way only, the 549 * handling of malformed packets should not result in 550 * tearing down the association. 551 * 552 * This means that if we only want to abort associations 553 * in an authenticated way (i.e AUTH+ABORT), then we 554 * can't destroy this association just becuase the packet 555 * was malformed. 556 */ 557 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 558 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 559 560 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 561 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 562 asoc, chunk->transport); 563 } 564 565 /* Tag the variable length parameters. Note that we never 566 * convert the parameters in an INIT chunk. 567 */ 568 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 569 570 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 571 572 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 573 SCTP_PEER_INIT(initchunk)); 574 575 /* Reset init error count upon receipt of INIT-ACK. */ 576 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 577 578 /* 5.1 C) "A" shall stop the T1-init timer and leave 579 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 580 * timer, and enter the COOKIE-ECHOED state. 581 */ 582 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 583 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 584 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 585 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 586 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 587 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 588 589 /* SCTP-AUTH: genereate the assocition shared keys so that 590 * we can potentially signe the COOKIE-ECHO. 591 */ 592 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 593 594 /* 5.1 C) "A" shall then send the State Cookie received in the 595 * INIT ACK chunk in a COOKIE ECHO chunk, ... 596 */ 597 /* If there is any errors to report, send the ERROR chunk generated 598 * for unknown parameters as well. 599 */ 600 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 601 SCTP_CHUNK(err_chunk)); 602 603 return SCTP_DISPOSITION_CONSUME; 604 } 605 606 /* 607 * Respond to a normal COOKIE ECHO chunk. 608 * We are the side that is being asked for an association. 609 * 610 * Section: 5.1 Normal Establishment of an Association, D 611 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 612 * with a COOKIE ACK chunk after building a TCB and moving to 613 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 614 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 615 * chunk MUST be the first chunk in the packet. 616 * 617 * IMPLEMENTATION NOTE: An implementation may choose to send the 618 * Communication Up notification to the SCTP user upon reception 619 * of a valid COOKIE ECHO chunk. 620 * 621 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 622 * D) Rules for packet carrying a COOKIE ECHO 623 * 624 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 625 * Initial Tag received in the INIT ACK. 626 * 627 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 628 * 629 * Inputs 630 * (endpoint, asoc, chunk) 631 * 632 * Outputs 633 * (asoc, reply_msg, msg_up, timers, counters) 634 * 635 * The return value is the disposition of the chunk. 636 */ 637 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 638 const struct sctp_association *asoc, 639 const sctp_subtype_t type, void *arg, 640 sctp_cmd_seq_t *commands) 641 { 642 struct sctp_chunk *chunk = arg; 643 struct sctp_association *new_asoc; 644 sctp_init_chunk_t *peer_init; 645 struct sctp_chunk *repl; 646 struct sctp_ulpevent *ev, *ai_ev = NULL; 647 int error = 0; 648 struct sctp_chunk *err_chk_p; 649 struct sock *sk; 650 651 /* If the packet is an OOTB packet which is temporarily on the 652 * control endpoint, respond with an ABORT. 653 */ 654 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) { 655 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 656 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 657 } 658 659 /* Make sure that the COOKIE_ECHO chunk has a valid length. 660 * In this case, we check that we have enough for at least a 661 * chunk header. More detailed verification is done 662 * in sctp_unpack_cookie(). 663 */ 664 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 665 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 666 667 /* If the endpoint is not listening or if the number of associations 668 * on the TCP-style socket exceed the max backlog, respond with an 669 * ABORT. 670 */ 671 sk = ep->base.sk; 672 if (!sctp_sstate(sk, LISTENING) || 673 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 674 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 675 676 /* "Decode" the chunk. We have no optional parameters so we 677 * are in good shape. 678 */ 679 chunk->subh.cookie_hdr = 680 (struct sctp_signed_cookie *)chunk->skb->data; 681 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 682 sizeof(sctp_chunkhdr_t))) 683 goto nomem; 684 685 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 686 * "Z" will reply with a COOKIE ACK chunk after building a TCB 687 * and moving to the ESTABLISHED state. 688 */ 689 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 690 &err_chk_p); 691 692 /* FIXME: 693 * If the re-build failed, what is the proper error path 694 * from here? 695 * 696 * [We should abort the association. --piggy] 697 */ 698 if (!new_asoc) { 699 /* FIXME: Several errors are possible. A bad cookie should 700 * be silently discarded, but think about logging it too. 701 */ 702 switch (error) { 703 case -SCTP_IERROR_NOMEM: 704 goto nomem; 705 706 case -SCTP_IERROR_STALE_COOKIE: 707 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 708 err_chk_p); 709 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 710 711 case -SCTP_IERROR_BAD_SIG: 712 default: 713 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 714 } 715 } 716 717 718 /* Delay state machine commands until later. 719 * 720 * Re-build the bind address for the association is done in 721 * the sctp_unpack_cookie() already. 722 */ 723 /* This is a brand-new association, so these are not yet side 724 * effects--it is safe to run them here. 725 */ 726 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 727 728 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 729 &chunk->subh.cookie_hdr->c.peer_addr, 730 peer_init, GFP_ATOMIC)) 731 goto nomem_init; 732 733 /* SCTP-AUTH: Now that we've populate required fields in 734 * sctp_process_init, set up the assocaition shared keys as 735 * necessary so that we can potentially authenticate the ACK 736 */ 737 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 738 if (error) 739 goto nomem_init; 740 741 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 742 * is supposed to be authenticated and we have to do delayed 743 * authentication. We've just recreated the association using 744 * the information in the cookie and now it's much easier to 745 * do the authentication. 746 */ 747 if (chunk->auth_chunk) { 748 struct sctp_chunk auth; 749 sctp_ierror_t ret; 750 751 /* set-up our fake chunk so that we can process it */ 752 auth.skb = chunk->auth_chunk; 753 auth.asoc = chunk->asoc; 754 auth.sctp_hdr = chunk->sctp_hdr; 755 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 756 sizeof(sctp_chunkhdr_t)); 757 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 758 auth.transport = chunk->transport; 759 760 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth); 761 762 /* We can now safely free the auth_chunk clone */ 763 kfree_skb(chunk->auth_chunk); 764 765 if (ret != SCTP_IERROR_NO_ERROR) { 766 sctp_association_free(new_asoc); 767 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 768 } 769 } 770 771 repl = sctp_make_cookie_ack(new_asoc, chunk); 772 if (!repl) 773 goto nomem_init; 774 775 /* RFC 2960 5.1 Normal Establishment of an Association 776 * 777 * D) IMPLEMENTATION NOTE: An implementation may choose to 778 * send the Communication Up notification to the SCTP user 779 * upon reception of a valid COOKIE ECHO chunk. 780 */ 781 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 782 new_asoc->c.sinit_num_ostreams, 783 new_asoc->c.sinit_max_instreams, 784 NULL, GFP_ATOMIC); 785 if (!ev) 786 goto nomem_ev; 787 788 /* Sockets API Draft Section 5.3.1.6 789 * When a peer sends a Adaptation Layer Indication parameter , SCTP 790 * delivers this notification to inform the application that of the 791 * peers requested adaptation layer. 792 */ 793 if (new_asoc->peer.adaptation_ind) { 794 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 795 GFP_ATOMIC); 796 if (!ai_ev) 797 goto nomem_aiev; 798 } 799 800 /* Add all the state machine commands now since we've created 801 * everything. This way we don't introduce memory corruptions 802 * during side-effect processing and correclty count established 803 * associations. 804 */ 805 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 806 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 807 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 808 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 809 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 810 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 811 812 if (new_asoc->autoclose) 813 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 814 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 815 816 /* This will send the COOKIE ACK */ 817 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 818 819 /* Queue the ASSOC_CHANGE event */ 820 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 821 822 /* Send up the Adaptation Layer Indication event */ 823 if (ai_ev) 824 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 825 SCTP_ULPEVENT(ai_ev)); 826 827 return SCTP_DISPOSITION_CONSUME; 828 829 nomem_aiev: 830 sctp_ulpevent_free(ev); 831 nomem_ev: 832 sctp_chunk_free(repl); 833 nomem_init: 834 sctp_association_free(new_asoc); 835 nomem: 836 return SCTP_DISPOSITION_NOMEM; 837 } 838 839 /* 840 * Respond to a normal COOKIE ACK chunk. 841 * We are the side that is being asked for an association. 842 * 843 * RFC 2960 5.1 Normal Establishment of an Association 844 * 845 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 846 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 847 * timer. It may also notify its ULP about the successful 848 * establishment of the association with a Communication Up 849 * notification (see Section 10). 850 * 851 * Verification Tag: 852 * Inputs 853 * (endpoint, asoc, chunk) 854 * 855 * Outputs 856 * (asoc, reply_msg, msg_up, timers, counters) 857 * 858 * The return value is the disposition of the chunk. 859 */ 860 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 861 const struct sctp_association *asoc, 862 const sctp_subtype_t type, void *arg, 863 sctp_cmd_seq_t *commands) 864 { 865 struct sctp_chunk *chunk = arg; 866 struct sctp_ulpevent *ev; 867 868 if (!sctp_vtag_verify(chunk, asoc)) 869 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 870 871 /* Verify that the chunk length for the COOKIE-ACK is OK. 872 * If we don't do this, any bundled chunks may be junked. 873 */ 874 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 875 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 876 commands); 877 878 /* Reset init error count upon receipt of COOKIE-ACK, 879 * to avoid problems with the managemement of this 880 * counter in stale cookie situations when a transition back 881 * from the COOKIE-ECHOED state to the COOKIE-WAIT 882 * state is performed. 883 */ 884 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 885 886 /* RFC 2960 5.1 Normal Establishment of an Association 887 * 888 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 889 * from the COOKIE-ECHOED state to the ESTABLISHED state, 890 * stopping the T1-cookie timer. 891 */ 892 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 893 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 894 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 895 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 896 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 897 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 898 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 899 if (asoc->autoclose) 900 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 901 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 902 903 /* It may also notify its ULP about the successful 904 * establishment of the association with a Communication Up 905 * notification (see Section 10). 906 */ 907 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 908 0, asoc->c.sinit_num_ostreams, 909 asoc->c.sinit_max_instreams, 910 NULL, GFP_ATOMIC); 911 912 if (!ev) 913 goto nomem; 914 915 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 916 917 /* Sockets API Draft Section 5.3.1.6 918 * When a peer sends a Adaptation Layer Indication parameter , SCTP 919 * delivers this notification to inform the application that of the 920 * peers requested adaptation layer. 921 */ 922 if (asoc->peer.adaptation_ind) { 923 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 924 if (!ev) 925 goto nomem; 926 927 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 928 SCTP_ULPEVENT(ev)); 929 } 930 931 return SCTP_DISPOSITION_CONSUME; 932 nomem: 933 return SCTP_DISPOSITION_NOMEM; 934 } 935 936 /* Generate and sendout a heartbeat packet. */ 937 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 938 const struct sctp_association *asoc, 939 const sctp_subtype_t type, 940 void *arg, 941 sctp_cmd_seq_t *commands) 942 { 943 struct sctp_transport *transport = (struct sctp_transport *) arg; 944 struct sctp_chunk *reply; 945 sctp_sender_hb_info_t hbinfo; 946 size_t paylen = 0; 947 948 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 949 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 950 hbinfo.daddr = transport->ipaddr; 951 hbinfo.sent_at = jiffies; 952 hbinfo.hb_nonce = transport->hb_nonce; 953 954 /* Send a heartbeat to our peer. */ 955 paylen = sizeof(sctp_sender_hb_info_t); 956 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 957 if (!reply) 958 return SCTP_DISPOSITION_NOMEM; 959 960 /* Set rto_pending indicating that an RTT measurement 961 * is started with this heartbeat chunk. 962 */ 963 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 964 SCTP_TRANSPORT(transport)); 965 966 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 967 return SCTP_DISPOSITION_CONSUME; 968 } 969 970 /* Generate a HEARTBEAT packet on the given transport. */ 971 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 972 const struct sctp_association *asoc, 973 const sctp_subtype_t type, 974 void *arg, 975 sctp_cmd_seq_t *commands) 976 { 977 struct sctp_transport *transport = (struct sctp_transport *) arg; 978 979 if (asoc->overall_error_count >= asoc->max_retrans) { 980 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 981 SCTP_ERROR(ETIMEDOUT)); 982 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 983 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 984 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 985 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 986 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 987 return SCTP_DISPOSITION_DELETE_TCB; 988 } 989 990 /* Section 3.3.5. 991 * The Sender-specific Heartbeat Info field should normally include 992 * information about the sender's current time when this HEARTBEAT 993 * chunk is sent and the destination transport address to which this 994 * HEARTBEAT is sent (see Section 8.3). 995 */ 996 997 if (transport->param_flags & SPP_HB_ENABLE) { 998 if (SCTP_DISPOSITION_NOMEM == 999 sctp_sf_heartbeat(ep, asoc, type, arg, 1000 commands)) 1001 return SCTP_DISPOSITION_NOMEM; 1002 1003 /* Set transport error counter and association error counter 1004 * when sending heartbeat. 1005 */ 1006 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1007 SCTP_TRANSPORT(transport)); 1008 } 1009 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1010 SCTP_TRANSPORT(transport)); 1011 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1012 SCTP_TRANSPORT(transport)); 1013 1014 return SCTP_DISPOSITION_CONSUME; 1015 } 1016 1017 /* 1018 * Process an heartbeat request. 1019 * 1020 * Section: 8.3 Path Heartbeat 1021 * The receiver of the HEARTBEAT should immediately respond with a 1022 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1023 * from the received HEARTBEAT chunk. 1024 * 1025 * Verification Tag: 8.5 Verification Tag [Normal verification] 1026 * When receiving an SCTP packet, the endpoint MUST ensure that the 1027 * value in the Verification Tag field of the received SCTP packet 1028 * matches its own Tag. If the received Verification Tag value does not 1029 * match the receiver's own tag value, the receiver shall silently 1030 * discard the packet and shall not process it any further except for 1031 * those cases listed in Section 8.5.1 below. 1032 * 1033 * Inputs 1034 * (endpoint, asoc, chunk) 1035 * 1036 * Outputs 1037 * (asoc, reply_msg, msg_up, timers, counters) 1038 * 1039 * The return value is the disposition of the chunk. 1040 */ 1041 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 1042 const struct sctp_association *asoc, 1043 const sctp_subtype_t type, 1044 void *arg, 1045 sctp_cmd_seq_t *commands) 1046 { 1047 struct sctp_chunk *chunk = arg; 1048 struct sctp_chunk *reply; 1049 size_t paylen = 0; 1050 1051 if (!sctp_vtag_verify(chunk, asoc)) 1052 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1053 1054 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1055 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1056 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1057 commands); 1058 1059 /* 8.3 The receiver of the HEARTBEAT should immediately 1060 * respond with a HEARTBEAT ACK that contains the Heartbeat 1061 * Information field copied from the received HEARTBEAT chunk. 1062 */ 1063 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1064 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1065 if (!pskb_pull(chunk->skb, paylen)) 1066 goto nomem; 1067 1068 reply = sctp_make_heartbeat_ack(asoc, chunk, 1069 chunk->subh.hb_hdr, paylen); 1070 if (!reply) 1071 goto nomem; 1072 1073 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1074 return SCTP_DISPOSITION_CONSUME; 1075 1076 nomem: 1077 return SCTP_DISPOSITION_NOMEM; 1078 } 1079 1080 /* 1081 * Process the returning HEARTBEAT ACK. 1082 * 1083 * Section: 8.3 Path Heartbeat 1084 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1085 * should clear the error counter of the destination transport 1086 * address to which the HEARTBEAT was sent, and mark the destination 1087 * transport address as active if it is not so marked. The endpoint may 1088 * optionally report to the upper layer when an inactive destination 1089 * address is marked as active due to the reception of the latest 1090 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1091 * clear the association overall error count as well (as defined 1092 * in section 8.1). 1093 * 1094 * The receiver of the HEARTBEAT ACK should also perform an RTT 1095 * measurement for that destination transport address using the time 1096 * value carried in the HEARTBEAT ACK chunk. 1097 * 1098 * Verification Tag: 8.5 Verification Tag [Normal verification] 1099 * 1100 * Inputs 1101 * (endpoint, asoc, chunk) 1102 * 1103 * Outputs 1104 * (asoc, reply_msg, msg_up, timers, counters) 1105 * 1106 * The return value is the disposition of the chunk. 1107 */ 1108 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1109 const struct sctp_association *asoc, 1110 const sctp_subtype_t type, 1111 void *arg, 1112 sctp_cmd_seq_t *commands) 1113 { 1114 struct sctp_chunk *chunk = arg; 1115 union sctp_addr from_addr; 1116 struct sctp_transport *link; 1117 sctp_sender_hb_info_t *hbinfo; 1118 unsigned long max_interval; 1119 1120 if (!sctp_vtag_verify(chunk, asoc)) 1121 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1122 1123 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1124 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) + 1125 sizeof(sctp_sender_hb_info_t))) 1126 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1127 commands); 1128 1129 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1130 /* Make sure that the length of the parameter is what we expect */ 1131 if (ntohs(hbinfo->param_hdr.length) != 1132 sizeof(sctp_sender_hb_info_t)) { 1133 return SCTP_DISPOSITION_DISCARD; 1134 } 1135 1136 from_addr = hbinfo->daddr; 1137 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1138 1139 /* This should never happen, but lets log it if so. */ 1140 if (unlikely(!link)) { 1141 if (from_addr.sa.sa_family == AF_INET6) { 1142 if (net_ratelimit()) 1143 pr_warn("%s association %p could not find address %pI6\n", 1144 __func__, 1145 asoc, 1146 &from_addr.v6.sin6_addr); 1147 } else { 1148 if (net_ratelimit()) 1149 pr_warn("%s association %p could not find address %pI4\n", 1150 __func__, 1151 asoc, 1152 &from_addr.v4.sin_addr.s_addr); 1153 } 1154 return SCTP_DISPOSITION_DISCARD; 1155 } 1156 1157 /* Validate the 64-bit random nonce. */ 1158 if (hbinfo->hb_nonce != link->hb_nonce) 1159 return SCTP_DISPOSITION_DISCARD; 1160 1161 max_interval = link->hbinterval + link->rto; 1162 1163 /* Check if the timestamp looks valid. */ 1164 if (time_after(hbinfo->sent_at, jiffies) || 1165 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1166 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp " 1167 "received for transport: %p\n", 1168 __func__, link); 1169 return SCTP_DISPOSITION_DISCARD; 1170 } 1171 1172 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1173 * the HEARTBEAT should clear the error counter of the 1174 * destination transport address to which the HEARTBEAT was 1175 * sent and mark the destination transport address as active if 1176 * it is not so marked. 1177 */ 1178 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1179 1180 return SCTP_DISPOSITION_CONSUME; 1181 } 1182 1183 /* Helper function to send out an abort for the restart 1184 * condition. 1185 */ 1186 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1187 struct sctp_chunk *init, 1188 sctp_cmd_seq_t *commands) 1189 { 1190 int len; 1191 struct sctp_packet *pkt; 1192 union sctp_addr_param *addrparm; 1193 struct sctp_errhdr *errhdr; 1194 struct sctp_endpoint *ep; 1195 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1196 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1197 1198 /* Build the error on the stack. We are way to malloc crazy 1199 * throughout the code today. 1200 */ 1201 errhdr = (struct sctp_errhdr *)buffer; 1202 addrparm = (union sctp_addr_param *)errhdr->variable; 1203 1204 /* Copy into a parm format. */ 1205 len = af->to_addr_param(ssa, addrparm); 1206 len += sizeof(sctp_errhdr_t); 1207 1208 errhdr->cause = SCTP_ERROR_RESTART; 1209 errhdr->length = htons(len); 1210 1211 /* Assign to the control socket. */ 1212 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1213 1214 /* Association is NULL since this may be a restart attack and we 1215 * want to send back the attacker's vtag. 1216 */ 1217 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1218 1219 if (!pkt) 1220 goto out; 1221 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1222 1223 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1224 1225 /* Discard the rest of the inbound packet. */ 1226 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1227 1228 out: 1229 /* Even if there is no memory, treat as a failure so 1230 * the packet will get dropped. 1231 */ 1232 return 0; 1233 } 1234 1235 static bool list_has_sctp_addr(const struct list_head *list, 1236 union sctp_addr *ipaddr) 1237 { 1238 struct sctp_transport *addr; 1239 1240 list_for_each_entry(addr, list, transports) { 1241 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1242 return true; 1243 } 1244 1245 return false; 1246 } 1247 /* A restart is occurring, check to make sure no new addresses 1248 * are being added as we may be under a takeover attack. 1249 */ 1250 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1251 const struct sctp_association *asoc, 1252 struct sctp_chunk *init, 1253 sctp_cmd_seq_t *commands) 1254 { 1255 struct sctp_transport *new_addr; 1256 int ret = 1; 1257 1258 /* Implementor's Guide - Section 5.2.2 1259 * ... 1260 * Before responding the endpoint MUST check to see if the 1261 * unexpected INIT adds new addresses to the association. If new 1262 * addresses are added to the association, the endpoint MUST respond 1263 * with an ABORT.. 1264 */ 1265 1266 /* Search through all current addresses and make sure 1267 * we aren't adding any new ones. 1268 */ 1269 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1270 transports) { 1271 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1272 &new_addr->ipaddr)) { 1273 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, 1274 commands); 1275 ret = 0; 1276 break; 1277 } 1278 } 1279 1280 /* Return success if all addresses were found. */ 1281 return ret; 1282 } 1283 1284 /* Populate the verification/tie tags based on overlapping INIT 1285 * scenario. 1286 * 1287 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1288 */ 1289 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1290 const struct sctp_association *asoc) 1291 { 1292 switch (asoc->state) { 1293 1294 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1295 1296 case SCTP_STATE_COOKIE_WAIT: 1297 new_asoc->c.my_vtag = asoc->c.my_vtag; 1298 new_asoc->c.my_ttag = asoc->c.my_vtag; 1299 new_asoc->c.peer_ttag = 0; 1300 break; 1301 1302 case SCTP_STATE_COOKIE_ECHOED: 1303 new_asoc->c.my_vtag = asoc->c.my_vtag; 1304 new_asoc->c.my_ttag = asoc->c.my_vtag; 1305 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1306 break; 1307 1308 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1309 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1310 */ 1311 default: 1312 new_asoc->c.my_ttag = asoc->c.my_vtag; 1313 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1314 break; 1315 } 1316 1317 /* Other parameters for the endpoint SHOULD be copied from the 1318 * existing parameters of the association (e.g. number of 1319 * outbound streams) into the INIT ACK and cookie. 1320 */ 1321 new_asoc->rwnd = asoc->rwnd; 1322 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1323 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1324 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1325 } 1326 1327 /* 1328 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1329 * handling action. 1330 * 1331 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1332 * 1333 * Returns value representing action to be taken. These action values 1334 * correspond to Action/Description values in RFC 2960, Table 2. 1335 */ 1336 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1337 const struct sctp_association *asoc) 1338 { 1339 /* In this case, the peer may have restarted. */ 1340 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1341 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1342 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1343 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1344 return 'A'; 1345 1346 /* Collision case B. */ 1347 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1348 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1349 (0 == asoc->c.peer_vtag))) { 1350 return 'B'; 1351 } 1352 1353 /* Collision case D. */ 1354 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1355 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1356 return 'D'; 1357 1358 /* Collision case C. */ 1359 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1360 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1361 (0 == new_asoc->c.my_ttag) && 1362 (0 == new_asoc->c.peer_ttag)) 1363 return 'C'; 1364 1365 /* No match to any of the special cases; discard this packet. */ 1366 return 'E'; 1367 } 1368 1369 /* Common helper routine for both duplicate and simulataneous INIT 1370 * chunk handling. 1371 */ 1372 static sctp_disposition_t sctp_sf_do_unexpected_init( 1373 const struct sctp_endpoint *ep, 1374 const struct sctp_association *asoc, 1375 const sctp_subtype_t type, 1376 void *arg, sctp_cmd_seq_t *commands) 1377 { 1378 sctp_disposition_t retval; 1379 struct sctp_chunk *chunk = arg; 1380 struct sctp_chunk *repl; 1381 struct sctp_association *new_asoc; 1382 struct sctp_chunk *err_chunk; 1383 struct sctp_packet *packet; 1384 sctp_unrecognized_param_t *unk_param; 1385 int len; 1386 1387 /* 6.10 Bundling 1388 * An endpoint MUST NOT bundle INIT, INIT ACK or 1389 * SHUTDOWN COMPLETE with any other chunks. 1390 * 1391 * IG Section 2.11.2 1392 * Furthermore, we require that the receiver of an INIT chunk MUST 1393 * enforce these rules by silently discarding an arriving packet 1394 * with an INIT chunk that is bundled with other chunks. 1395 */ 1396 if (!chunk->singleton) 1397 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1398 1399 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1400 * Tag. 1401 */ 1402 if (chunk->sctp_hdr->vtag != 0) 1403 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1404 1405 /* Make sure that the INIT chunk has a valid length. 1406 * In this case, we generate a protocol violation since we have 1407 * an association established. 1408 */ 1409 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1410 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1411 commands); 1412 /* Grab the INIT header. */ 1413 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1414 1415 /* Tag the variable length parameters. */ 1416 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1417 1418 /* Verify the INIT chunk before processing it. */ 1419 err_chunk = NULL; 1420 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1421 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1422 &err_chunk)) { 1423 /* This chunk contains fatal error. It is to be discarded. 1424 * Send an ABORT, with causes if there is any. 1425 */ 1426 if (err_chunk) { 1427 packet = sctp_abort_pkt_new(ep, asoc, arg, 1428 (__u8 *)(err_chunk->chunk_hdr) + 1429 sizeof(sctp_chunkhdr_t), 1430 ntohs(err_chunk->chunk_hdr->length) - 1431 sizeof(sctp_chunkhdr_t)); 1432 1433 if (packet) { 1434 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1435 SCTP_PACKET(packet)); 1436 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1437 retval = SCTP_DISPOSITION_CONSUME; 1438 } else { 1439 retval = SCTP_DISPOSITION_NOMEM; 1440 } 1441 goto cleanup; 1442 } else { 1443 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1444 commands); 1445 } 1446 } 1447 1448 /* 1449 * Other parameters for the endpoint SHOULD be copied from the 1450 * existing parameters of the association (e.g. number of 1451 * outbound streams) into the INIT ACK and cookie. 1452 * FIXME: We are copying parameters from the endpoint not the 1453 * association. 1454 */ 1455 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1456 if (!new_asoc) 1457 goto nomem; 1458 1459 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1460 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1461 goto nomem; 1462 1463 /* In the outbound INIT ACK the endpoint MUST copy its current 1464 * Verification Tag and Peers Verification tag into a reserved 1465 * place (local tie-tag and per tie-tag) within the state cookie. 1466 */ 1467 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1468 sctp_source(chunk), 1469 (sctp_init_chunk_t *)chunk->chunk_hdr, 1470 GFP_ATOMIC)) 1471 goto nomem; 1472 1473 /* Make sure no new addresses are being added during the 1474 * restart. Do not do this check for COOKIE-WAIT state, 1475 * since there are no peer addresses to check against. 1476 * Upon return an ABORT will have been sent if needed. 1477 */ 1478 if (!sctp_state(asoc, COOKIE_WAIT)) { 1479 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1480 commands)) { 1481 retval = SCTP_DISPOSITION_CONSUME; 1482 goto nomem_retval; 1483 } 1484 } 1485 1486 sctp_tietags_populate(new_asoc, asoc); 1487 1488 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1489 1490 /* If there are errors need to be reported for unknown parameters, 1491 * make sure to reserve enough room in the INIT ACK for them. 1492 */ 1493 len = 0; 1494 if (err_chunk) { 1495 len = ntohs(err_chunk->chunk_hdr->length) - 1496 sizeof(sctp_chunkhdr_t); 1497 } 1498 1499 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1500 if (!repl) 1501 goto nomem; 1502 1503 /* If there are errors need to be reported for unknown parameters, 1504 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1505 * parameter. 1506 */ 1507 if (err_chunk) { 1508 /* Get the "Unrecognized parameter" parameter(s) out of the 1509 * ERROR chunk generated by sctp_verify_init(). Since the 1510 * error cause code for "unknown parameter" and the 1511 * "Unrecognized parameter" type is the same, we can 1512 * construct the parameters in INIT ACK by copying the 1513 * ERROR causes over. 1514 */ 1515 unk_param = (sctp_unrecognized_param_t *) 1516 ((__u8 *)(err_chunk->chunk_hdr) + 1517 sizeof(sctp_chunkhdr_t)); 1518 /* Replace the cause code with the "Unrecognized parameter" 1519 * parameter type. 1520 */ 1521 sctp_addto_chunk(repl, len, unk_param); 1522 } 1523 1524 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1525 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1526 1527 /* 1528 * Note: After sending out INIT ACK with the State Cookie parameter, 1529 * "Z" MUST NOT allocate any resources for this new association. 1530 * Otherwise, "Z" will be vulnerable to resource attacks. 1531 */ 1532 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1533 retval = SCTP_DISPOSITION_CONSUME; 1534 1535 return retval; 1536 1537 nomem: 1538 retval = SCTP_DISPOSITION_NOMEM; 1539 nomem_retval: 1540 if (new_asoc) 1541 sctp_association_free(new_asoc); 1542 cleanup: 1543 if (err_chunk) 1544 sctp_chunk_free(err_chunk); 1545 return retval; 1546 } 1547 1548 /* 1549 * Handle simultanous INIT. 1550 * This means we started an INIT and then we got an INIT request from 1551 * our peer. 1552 * 1553 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1554 * This usually indicates an initialization collision, i.e., each 1555 * endpoint is attempting, at about the same time, to establish an 1556 * association with the other endpoint. 1557 * 1558 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1559 * endpoint MUST respond with an INIT ACK using the same parameters it 1560 * sent in its original INIT chunk (including its Verification Tag, 1561 * unchanged). These original parameters are combined with those from the 1562 * newly received INIT chunk. The endpoint shall also generate a State 1563 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1564 * INIT to calculate the State Cookie. 1565 * 1566 * After that, the endpoint MUST NOT change its state, the T1-init 1567 * timer shall be left running and the corresponding TCB MUST NOT be 1568 * destroyed. The normal procedures for handling State Cookies when 1569 * a TCB exists will resolve the duplicate INITs to a single association. 1570 * 1571 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1572 * its Tie-Tags with the Tag information of itself and its peer (see 1573 * section 5.2.2 for a description of the Tie-Tags). 1574 * 1575 * Verification Tag: Not explicit, but an INIT can not have a valid 1576 * verification tag, so we skip the check. 1577 * 1578 * Inputs 1579 * (endpoint, asoc, chunk) 1580 * 1581 * Outputs 1582 * (asoc, reply_msg, msg_up, timers, counters) 1583 * 1584 * The return value is the disposition of the chunk. 1585 */ 1586 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1587 const struct sctp_association *asoc, 1588 const sctp_subtype_t type, 1589 void *arg, 1590 sctp_cmd_seq_t *commands) 1591 { 1592 /* Call helper to do the real work for both simulataneous and 1593 * duplicate INIT chunk handling. 1594 */ 1595 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1596 } 1597 1598 /* 1599 * Handle duplicated INIT messages. These are usually delayed 1600 * restransmissions. 1601 * 1602 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1603 * COOKIE-ECHOED and COOKIE-WAIT 1604 * 1605 * Unless otherwise stated, upon reception of an unexpected INIT for 1606 * this association, the endpoint shall generate an INIT ACK with a 1607 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1608 * current Verification Tag and peer's Verification Tag into a reserved 1609 * place within the state cookie. We shall refer to these locations as 1610 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1611 * containing this INIT ACK MUST carry a Verification Tag value equal to 1612 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1613 * MUST contain a new Initiation Tag (randomly generated see Section 1614 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1615 * existing parameters of the association (e.g. number of outbound 1616 * streams) into the INIT ACK and cookie. 1617 * 1618 * After sending out the INIT ACK, the endpoint shall take no further 1619 * actions, i.e., the existing association, including its current state, 1620 * and the corresponding TCB MUST NOT be changed. 1621 * 1622 * Note: Only when a TCB exists and the association is not in a COOKIE- 1623 * WAIT state are the Tie-Tags populated. For a normal association INIT 1624 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1625 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1626 * State Cookie are populated as specified in section 5.2.1. 1627 * 1628 * Verification Tag: Not specified, but an INIT has no way of knowing 1629 * what the verification tag could be, so we ignore it. 1630 * 1631 * Inputs 1632 * (endpoint, asoc, chunk) 1633 * 1634 * Outputs 1635 * (asoc, reply_msg, msg_up, timers, counters) 1636 * 1637 * The return value is the disposition of the chunk. 1638 */ 1639 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1640 const struct sctp_association *asoc, 1641 const sctp_subtype_t type, 1642 void *arg, 1643 sctp_cmd_seq_t *commands) 1644 { 1645 /* Call helper to do the real work for both simulataneous and 1646 * duplicate INIT chunk handling. 1647 */ 1648 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1649 } 1650 1651 1652 /* 1653 * Unexpected INIT-ACK handler. 1654 * 1655 * Section 5.2.3 1656 * If an INIT ACK received by an endpoint in any state other than the 1657 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1658 * An unexpected INIT ACK usually indicates the processing of an old or 1659 * duplicated INIT chunk. 1660 */ 1661 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1662 const struct sctp_association *asoc, 1663 const sctp_subtype_t type, 1664 void *arg, sctp_cmd_seq_t *commands) 1665 { 1666 /* Per the above section, we'll discard the chunk if we have an 1667 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1668 */ 1669 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1670 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1671 else 1672 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1673 } 1674 1675 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1676 * 1677 * Section 5.2.4 1678 * A) In this case, the peer may have restarted. 1679 */ 1680 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1681 const struct sctp_association *asoc, 1682 struct sctp_chunk *chunk, 1683 sctp_cmd_seq_t *commands, 1684 struct sctp_association *new_asoc) 1685 { 1686 sctp_init_chunk_t *peer_init; 1687 struct sctp_ulpevent *ev; 1688 struct sctp_chunk *repl; 1689 struct sctp_chunk *err; 1690 sctp_disposition_t disposition; 1691 1692 /* new_asoc is a brand-new association, so these are not yet 1693 * side effects--it is safe to run them here. 1694 */ 1695 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1696 1697 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1698 sctp_source(chunk), peer_init, 1699 GFP_ATOMIC)) 1700 goto nomem; 1701 1702 /* Make sure no new addresses are being added during the 1703 * restart. Though this is a pretty complicated attack 1704 * since you'd have to get inside the cookie. 1705 */ 1706 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1707 return SCTP_DISPOSITION_CONSUME; 1708 } 1709 1710 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1711 * the peer has restarted (Action A), it MUST NOT setup a new 1712 * association but instead resend the SHUTDOWN ACK and send an ERROR 1713 * chunk with a "Cookie Received while Shutting Down" error cause to 1714 * its peer. 1715 */ 1716 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1717 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1718 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1719 chunk, commands); 1720 if (SCTP_DISPOSITION_NOMEM == disposition) 1721 goto nomem; 1722 1723 err = sctp_make_op_error(asoc, chunk, 1724 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1725 NULL, 0, 0); 1726 if (err) 1727 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1728 SCTP_CHUNK(err)); 1729 1730 return SCTP_DISPOSITION_CONSUME; 1731 } 1732 1733 /* For now, fail any unsent/unacked data. Consider the optional 1734 * choice of resending of this data. 1735 */ 1736 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1737 1738 repl = sctp_make_cookie_ack(new_asoc, chunk); 1739 if (!repl) 1740 goto nomem; 1741 1742 /* Report association restart to upper layer. */ 1743 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1744 new_asoc->c.sinit_num_ostreams, 1745 new_asoc->c.sinit_max_instreams, 1746 NULL, GFP_ATOMIC); 1747 if (!ev) 1748 goto nomem_ev; 1749 1750 /* Update the content of current association. */ 1751 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1752 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1753 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1754 return SCTP_DISPOSITION_CONSUME; 1755 1756 nomem_ev: 1757 sctp_chunk_free(repl); 1758 nomem: 1759 return SCTP_DISPOSITION_NOMEM; 1760 } 1761 1762 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1763 * 1764 * Section 5.2.4 1765 * B) In this case, both sides may be attempting to start an association 1766 * at about the same time but the peer endpoint started its INIT 1767 * after responding to the local endpoint's INIT 1768 */ 1769 /* This case represents an initialization collision. */ 1770 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1771 const struct sctp_association *asoc, 1772 struct sctp_chunk *chunk, 1773 sctp_cmd_seq_t *commands, 1774 struct sctp_association *new_asoc) 1775 { 1776 sctp_init_chunk_t *peer_init; 1777 struct sctp_chunk *repl; 1778 1779 /* new_asoc is a brand-new association, so these are not yet 1780 * side effects--it is safe to run them here. 1781 */ 1782 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1783 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1784 sctp_source(chunk), peer_init, 1785 GFP_ATOMIC)) 1786 goto nomem; 1787 1788 /* Update the content of current association. */ 1789 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1790 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1791 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1792 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1793 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1794 1795 repl = sctp_make_cookie_ack(new_asoc, chunk); 1796 if (!repl) 1797 goto nomem; 1798 1799 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1800 1801 /* RFC 2960 5.1 Normal Establishment of an Association 1802 * 1803 * D) IMPLEMENTATION NOTE: An implementation may choose to 1804 * send the Communication Up notification to the SCTP user 1805 * upon reception of a valid COOKIE ECHO chunk. 1806 * 1807 * Sadly, this needs to be implemented as a side-effect, because 1808 * we are not guaranteed to have set the association id of the real 1809 * association and so these notifications need to be delayed until 1810 * the association id is allocated. 1811 */ 1812 1813 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1814 1815 /* Sockets API Draft Section 5.3.1.6 1816 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1817 * delivers this notification to inform the application that of the 1818 * peers requested adaptation layer. 1819 * 1820 * This also needs to be done as a side effect for the same reason as 1821 * above. 1822 */ 1823 if (asoc->peer.adaptation_ind) 1824 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1825 1826 return SCTP_DISPOSITION_CONSUME; 1827 1828 nomem: 1829 return SCTP_DISPOSITION_NOMEM; 1830 } 1831 1832 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1833 * 1834 * Section 5.2.4 1835 * C) In this case, the local endpoint's cookie has arrived late. 1836 * Before it arrived, the local endpoint sent an INIT and received an 1837 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1838 * but a new tag of its own. 1839 */ 1840 /* This case represents an initialization collision. */ 1841 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1842 const struct sctp_association *asoc, 1843 struct sctp_chunk *chunk, 1844 sctp_cmd_seq_t *commands, 1845 struct sctp_association *new_asoc) 1846 { 1847 /* The cookie should be silently discarded. 1848 * The endpoint SHOULD NOT change states and should leave 1849 * any timers running. 1850 */ 1851 return SCTP_DISPOSITION_DISCARD; 1852 } 1853 1854 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1855 * 1856 * Section 5.2.4 1857 * 1858 * D) When both local and remote tags match the endpoint should always 1859 * enter the ESTABLISHED state, if it has not already done so. 1860 */ 1861 /* This case represents an initialization collision. */ 1862 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1863 const struct sctp_association *asoc, 1864 struct sctp_chunk *chunk, 1865 sctp_cmd_seq_t *commands, 1866 struct sctp_association *new_asoc) 1867 { 1868 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1869 struct sctp_chunk *repl; 1870 1871 /* Clarification from Implementor's Guide: 1872 * D) When both local and remote tags match the endpoint should 1873 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1874 * It should stop any cookie timer that may be running and send 1875 * a COOKIE ACK. 1876 */ 1877 1878 /* Don't accidentally move back into established state. */ 1879 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1880 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1881 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1882 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1883 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1884 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1885 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1886 SCTP_NULL()); 1887 1888 /* RFC 2960 5.1 Normal Establishment of an Association 1889 * 1890 * D) IMPLEMENTATION NOTE: An implementation may choose 1891 * to send the Communication Up notification to the 1892 * SCTP user upon reception of a valid COOKIE 1893 * ECHO chunk. 1894 */ 1895 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1896 SCTP_COMM_UP, 0, 1897 asoc->c.sinit_num_ostreams, 1898 asoc->c.sinit_max_instreams, 1899 NULL, GFP_ATOMIC); 1900 if (!ev) 1901 goto nomem; 1902 1903 /* Sockets API Draft Section 5.3.1.6 1904 * When a peer sends a Adaptation Layer Indication parameter, 1905 * SCTP delivers this notification to inform the application 1906 * that of the peers requested adaptation layer. 1907 */ 1908 if (asoc->peer.adaptation_ind) { 1909 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1910 GFP_ATOMIC); 1911 if (!ai_ev) 1912 goto nomem; 1913 1914 } 1915 } 1916 1917 repl = sctp_make_cookie_ack(new_asoc, chunk); 1918 if (!repl) 1919 goto nomem; 1920 1921 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1922 1923 if (ev) 1924 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1925 SCTP_ULPEVENT(ev)); 1926 if (ai_ev) 1927 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1928 SCTP_ULPEVENT(ai_ev)); 1929 1930 return SCTP_DISPOSITION_CONSUME; 1931 1932 nomem: 1933 if (ai_ev) 1934 sctp_ulpevent_free(ai_ev); 1935 if (ev) 1936 sctp_ulpevent_free(ev); 1937 return SCTP_DISPOSITION_NOMEM; 1938 } 1939 1940 /* 1941 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1942 * chunk was retransmitted and then delayed in the network. 1943 * 1944 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1945 * 1946 * Verification Tag: None. Do cookie validation. 1947 * 1948 * Inputs 1949 * (endpoint, asoc, chunk) 1950 * 1951 * Outputs 1952 * (asoc, reply_msg, msg_up, timers, counters) 1953 * 1954 * The return value is the disposition of the chunk. 1955 */ 1956 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1957 const struct sctp_association *asoc, 1958 const sctp_subtype_t type, 1959 void *arg, 1960 sctp_cmd_seq_t *commands) 1961 { 1962 sctp_disposition_t retval; 1963 struct sctp_chunk *chunk = arg; 1964 struct sctp_association *new_asoc; 1965 int error = 0; 1966 char action; 1967 struct sctp_chunk *err_chk_p; 1968 1969 /* Make sure that the chunk has a valid length from the protocol 1970 * perspective. In this case check to make sure we have at least 1971 * enough for the chunk header. Cookie length verification is 1972 * done later. 1973 */ 1974 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1975 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1976 commands); 1977 1978 /* "Decode" the chunk. We have no optional parameters so we 1979 * are in good shape. 1980 */ 1981 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1982 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1983 sizeof(sctp_chunkhdr_t))) 1984 goto nomem; 1985 1986 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1987 * of a duplicate COOKIE ECHO match the Verification Tags of the 1988 * current association, consider the State Cookie valid even if 1989 * the lifespan is exceeded. 1990 */ 1991 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1992 &err_chk_p); 1993 1994 /* FIXME: 1995 * If the re-build failed, what is the proper error path 1996 * from here? 1997 * 1998 * [We should abort the association. --piggy] 1999 */ 2000 if (!new_asoc) { 2001 /* FIXME: Several errors are possible. A bad cookie should 2002 * be silently discarded, but think about logging it too. 2003 */ 2004 switch (error) { 2005 case -SCTP_IERROR_NOMEM: 2006 goto nomem; 2007 2008 case -SCTP_IERROR_STALE_COOKIE: 2009 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 2010 err_chk_p); 2011 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2012 case -SCTP_IERROR_BAD_SIG: 2013 default: 2014 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2015 } 2016 } 2017 2018 /* Compare the tie_tag in cookie with the verification tag of 2019 * current association. 2020 */ 2021 action = sctp_tietags_compare(new_asoc, asoc); 2022 2023 switch (action) { 2024 case 'A': /* Association restart. */ 2025 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 2026 new_asoc); 2027 break; 2028 2029 case 'B': /* Collision case B. */ 2030 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 2031 new_asoc); 2032 break; 2033 2034 case 'C': /* Collision case C. */ 2035 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 2036 new_asoc); 2037 break; 2038 2039 case 'D': /* Collision case D. */ 2040 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 2041 new_asoc); 2042 break; 2043 2044 default: /* Discard packet for all others. */ 2045 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2046 break; 2047 } 2048 2049 /* Delete the tempory new association. */ 2050 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 2051 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2052 2053 return retval; 2054 2055 nomem: 2056 return SCTP_DISPOSITION_NOMEM; 2057 } 2058 2059 /* 2060 * Process an ABORT. (SHUTDOWN-PENDING state) 2061 * 2062 * See sctp_sf_do_9_1_abort(). 2063 */ 2064 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2065 const struct sctp_endpoint *ep, 2066 const struct sctp_association *asoc, 2067 const sctp_subtype_t type, 2068 void *arg, 2069 sctp_cmd_seq_t *commands) 2070 { 2071 struct sctp_chunk *chunk = arg; 2072 2073 if (!sctp_vtag_verify_either(chunk, asoc)) 2074 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2075 2076 /* Make sure that the ABORT chunk has a valid length. 2077 * Since this is an ABORT chunk, we have to discard it 2078 * because of the following text: 2079 * RFC 2960, Section 3.3.7 2080 * If an endpoint receives an ABORT with a format error or for an 2081 * association that doesn't exist, it MUST silently discard it. 2082 * Becasue the length is "invalid", we can't really discard just 2083 * as we do not know its true length. So, to be safe, discard the 2084 * packet. 2085 */ 2086 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2087 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2088 2089 /* ADD-IP: Special case for ABORT chunks 2090 * F4) One special consideration is that ABORT Chunks arriving 2091 * destined to the IP address being deleted MUST be 2092 * ignored (see Section 5.3.1 for further details). 2093 */ 2094 if (SCTP_ADDR_DEL == 2095 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2096 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2097 2098 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2099 } 2100 2101 /* 2102 * Process an ABORT. (SHUTDOWN-SENT state) 2103 * 2104 * See sctp_sf_do_9_1_abort(). 2105 */ 2106 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 2107 const struct sctp_association *asoc, 2108 const sctp_subtype_t type, 2109 void *arg, 2110 sctp_cmd_seq_t *commands) 2111 { 2112 struct sctp_chunk *chunk = arg; 2113 2114 if (!sctp_vtag_verify_either(chunk, asoc)) 2115 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2116 2117 /* Make sure that the ABORT chunk has a valid length. 2118 * Since this is an ABORT chunk, we have to discard it 2119 * because of the following text: 2120 * RFC 2960, Section 3.3.7 2121 * If an endpoint receives an ABORT with a format error or for an 2122 * association that doesn't exist, it MUST silently discard it. 2123 * Becasue the length is "invalid", we can't really discard just 2124 * as we do not know its true length. So, to be safe, discard the 2125 * packet. 2126 */ 2127 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2128 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2129 2130 /* ADD-IP: Special case for ABORT chunks 2131 * F4) One special consideration is that ABORT Chunks arriving 2132 * destined to the IP address being deleted MUST be 2133 * ignored (see Section 5.3.1 for further details). 2134 */ 2135 if (SCTP_ADDR_DEL == 2136 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2137 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2138 2139 /* Stop the T2-shutdown timer. */ 2140 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2141 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2142 2143 /* Stop the T5-shutdown guard timer. */ 2144 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2145 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2146 2147 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2148 } 2149 2150 /* 2151 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2152 * 2153 * See sctp_sf_do_9_1_abort(). 2154 */ 2155 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2156 const struct sctp_endpoint *ep, 2157 const struct sctp_association *asoc, 2158 const sctp_subtype_t type, 2159 void *arg, 2160 sctp_cmd_seq_t *commands) 2161 { 2162 /* The same T2 timer, so we should be able to use 2163 * common function with the SHUTDOWN-SENT state. 2164 */ 2165 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2166 } 2167 2168 /* 2169 * Handle an Error received in COOKIE_ECHOED state. 2170 * 2171 * Only handle the error type of stale COOKIE Error, the other errors will 2172 * be ignored. 2173 * 2174 * Inputs 2175 * (endpoint, asoc, chunk) 2176 * 2177 * Outputs 2178 * (asoc, reply_msg, msg_up, timers, counters) 2179 * 2180 * The return value is the disposition of the chunk. 2181 */ 2182 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2183 const struct sctp_association *asoc, 2184 const sctp_subtype_t type, 2185 void *arg, 2186 sctp_cmd_seq_t *commands) 2187 { 2188 struct sctp_chunk *chunk = arg; 2189 sctp_errhdr_t *err; 2190 2191 if (!sctp_vtag_verify(chunk, asoc)) 2192 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2193 2194 /* Make sure that the ERROR chunk has a valid length. 2195 * The parameter walking depends on this as well. 2196 */ 2197 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2198 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2199 commands); 2200 2201 /* Process the error here */ 2202 /* FUTURE FIXME: When PR-SCTP related and other optional 2203 * parms are emitted, this will have to change to handle multiple 2204 * errors. 2205 */ 2206 sctp_walk_errors(err, chunk->chunk_hdr) { 2207 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2208 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2209 arg, commands); 2210 } 2211 2212 /* It is possible to have malformed error causes, and that 2213 * will cause us to end the walk early. However, since 2214 * we are discarding the packet, there should be no adverse 2215 * affects. 2216 */ 2217 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2218 } 2219 2220 /* 2221 * Handle a Stale COOKIE Error 2222 * 2223 * Section: 5.2.6 Handle Stale COOKIE Error 2224 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2225 * one of the following three alternatives. 2226 * ... 2227 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2228 * Preservative parameter requesting an extension to the lifetime of 2229 * the State Cookie. When calculating the time extension, an 2230 * implementation SHOULD use the RTT information measured based on the 2231 * previous COOKIE ECHO / ERROR exchange, and should add no more 2232 * than 1 second beyond the measured RTT, due to long State Cookie 2233 * lifetimes making the endpoint more subject to a replay attack. 2234 * 2235 * Verification Tag: Not explicit, but safe to ignore. 2236 * 2237 * Inputs 2238 * (endpoint, asoc, chunk) 2239 * 2240 * Outputs 2241 * (asoc, reply_msg, msg_up, timers, counters) 2242 * 2243 * The return value is the disposition of the chunk. 2244 */ 2245 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2246 const struct sctp_association *asoc, 2247 const sctp_subtype_t type, 2248 void *arg, 2249 sctp_cmd_seq_t *commands) 2250 { 2251 struct sctp_chunk *chunk = arg; 2252 time_t stale; 2253 sctp_cookie_preserve_param_t bht; 2254 sctp_errhdr_t *err; 2255 struct sctp_chunk *reply; 2256 struct sctp_bind_addr *bp; 2257 int attempts = asoc->init_err_counter + 1; 2258 2259 if (attempts > asoc->max_init_attempts) { 2260 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2261 SCTP_ERROR(ETIMEDOUT)); 2262 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2263 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2264 return SCTP_DISPOSITION_DELETE_TCB; 2265 } 2266 2267 err = (sctp_errhdr_t *)(chunk->skb->data); 2268 2269 /* When calculating the time extension, an implementation 2270 * SHOULD use the RTT information measured based on the 2271 * previous COOKIE ECHO / ERROR exchange, and should add no 2272 * more than 1 second beyond the measured RTT, due to long 2273 * State Cookie lifetimes making the endpoint more subject to 2274 * a replay attack. 2275 * Measure of Staleness's unit is usec. (1/1000000 sec) 2276 * Suggested Cookie Life-span Increment's unit is msec. 2277 * (1/1000 sec) 2278 * In general, if you use the suggested cookie life, the value 2279 * found in the field of measure of staleness should be doubled 2280 * to give ample time to retransmit the new cookie and thus 2281 * yield a higher probability of success on the reattempt. 2282 */ 2283 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2284 stale = (stale * 2) / 1000; 2285 2286 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2287 bht.param_hdr.length = htons(sizeof(bht)); 2288 bht.lifespan_increment = htonl(stale); 2289 2290 /* Build that new INIT chunk. */ 2291 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2292 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2293 if (!reply) 2294 goto nomem; 2295 2296 sctp_addto_chunk(reply, sizeof(bht), &bht); 2297 2298 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2299 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2300 2301 /* Stop pending T3-rtx and heartbeat timers */ 2302 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2303 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2304 2305 /* Delete non-primary peer ip addresses since we are transitioning 2306 * back to the COOKIE-WAIT state 2307 */ 2308 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2309 2310 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2311 * resend 2312 */ 2313 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2314 SCTP_TRANSPORT(asoc->peer.primary_path)); 2315 2316 /* Cast away the const modifier, as we want to just 2317 * rerun it through as a sideffect. 2318 */ 2319 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2320 2321 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2322 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2323 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2324 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2325 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2326 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2327 2328 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2329 2330 return SCTP_DISPOSITION_CONSUME; 2331 2332 nomem: 2333 return SCTP_DISPOSITION_NOMEM; 2334 } 2335 2336 /* 2337 * Process an ABORT. 2338 * 2339 * Section: 9.1 2340 * After checking the Verification Tag, the receiving endpoint shall 2341 * remove the association from its record, and shall report the 2342 * termination to its upper layer. 2343 * 2344 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2345 * B) Rules for packet carrying ABORT: 2346 * 2347 * - The endpoint shall always fill in the Verification Tag field of the 2348 * outbound packet with the destination endpoint's tag value if it 2349 * is known. 2350 * 2351 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2352 * MUST follow the procedure described in Section 8.4. 2353 * 2354 * - The receiver MUST accept the packet if the Verification Tag 2355 * matches either its own tag, OR the tag of its peer. Otherwise, the 2356 * receiver MUST silently discard the packet and take no further 2357 * action. 2358 * 2359 * Inputs 2360 * (endpoint, asoc, chunk) 2361 * 2362 * Outputs 2363 * (asoc, reply_msg, msg_up, timers, counters) 2364 * 2365 * The return value is the disposition of the chunk. 2366 */ 2367 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2368 const struct sctp_association *asoc, 2369 const sctp_subtype_t type, 2370 void *arg, 2371 sctp_cmd_seq_t *commands) 2372 { 2373 struct sctp_chunk *chunk = arg; 2374 2375 if (!sctp_vtag_verify_either(chunk, asoc)) 2376 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2377 2378 /* Make sure that the ABORT chunk has a valid length. 2379 * Since this is an ABORT chunk, we have to discard it 2380 * because of the following text: 2381 * RFC 2960, Section 3.3.7 2382 * If an endpoint receives an ABORT with a format error or for an 2383 * association that doesn't exist, it MUST silently discard it. 2384 * Becasue the length is "invalid", we can't really discard just 2385 * as we do not know its true length. So, to be safe, discard the 2386 * packet. 2387 */ 2388 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2389 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2390 2391 /* ADD-IP: Special case for ABORT chunks 2392 * F4) One special consideration is that ABORT Chunks arriving 2393 * destined to the IP address being deleted MUST be 2394 * ignored (see Section 5.3.1 for further details). 2395 */ 2396 if (SCTP_ADDR_DEL == 2397 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2398 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2399 2400 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2401 } 2402 2403 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2404 const struct sctp_association *asoc, 2405 const sctp_subtype_t type, 2406 void *arg, 2407 sctp_cmd_seq_t *commands) 2408 { 2409 struct sctp_chunk *chunk = arg; 2410 unsigned len; 2411 __be16 error = SCTP_ERROR_NO_ERROR; 2412 2413 /* See if we have an error cause code in the chunk. */ 2414 len = ntohs(chunk->chunk_hdr->length); 2415 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2416 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2417 2418 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2419 /* ASSOC_FAILED will DELETE_TCB. */ 2420 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2421 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2422 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2423 2424 return SCTP_DISPOSITION_ABORT; 2425 } 2426 2427 /* 2428 * Process an ABORT. (COOKIE-WAIT state) 2429 * 2430 * See sctp_sf_do_9_1_abort() above. 2431 */ 2432 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2433 const struct sctp_association *asoc, 2434 const sctp_subtype_t type, 2435 void *arg, 2436 sctp_cmd_seq_t *commands) 2437 { 2438 struct sctp_chunk *chunk = arg; 2439 unsigned len; 2440 __be16 error = SCTP_ERROR_NO_ERROR; 2441 2442 if (!sctp_vtag_verify_either(chunk, asoc)) 2443 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2444 2445 /* Make sure that the ABORT chunk has a valid length. 2446 * Since this is an ABORT chunk, we have to discard it 2447 * because of the following text: 2448 * RFC 2960, Section 3.3.7 2449 * If an endpoint receives an ABORT with a format error or for an 2450 * association that doesn't exist, it MUST silently discard it. 2451 * Becasue the length is "invalid", we can't really discard just 2452 * as we do not know its true length. So, to be safe, discard the 2453 * packet. 2454 */ 2455 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2456 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2457 2458 /* See if we have an error cause code in the chunk. */ 2459 len = ntohs(chunk->chunk_hdr->length); 2460 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2461 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2462 2463 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2464 chunk->transport); 2465 } 2466 2467 /* 2468 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2469 */ 2470 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2471 const struct sctp_association *asoc, 2472 const sctp_subtype_t type, 2473 void *arg, 2474 sctp_cmd_seq_t *commands) 2475 { 2476 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2477 ENOPROTOOPT, asoc, 2478 (struct sctp_transport *)arg); 2479 } 2480 2481 /* 2482 * Process an ABORT. (COOKIE-ECHOED state) 2483 */ 2484 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2485 const struct sctp_association *asoc, 2486 const sctp_subtype_t type, 2487 void *arg, 2488 sctp_cmd_seq_t *commands) 2489 { 2490 /* There is a single T1 timer, so we should be able to use 2491 * common function with the COOKIE-WAIT state. 2492 */ 2493 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2494 } 2495 2496 /* 2497 * Stop T1 timer and abort association with "INIT failed". 2498 * 2499 * This is common code called by several sctp_sf_*_abort() functions above. 2500 */ 2501 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2502 __be16 error, int sk_err, 2503 const struct sctp_association *asoc, 2504 struct sctp_transport *transport) 2505 { 2506 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2507 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2508 SCTP_STATE(SCTP_STATE_CLOSED)); 2509 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2510 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2511 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2512 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2513 /* CMD_INIT_FAILED will DELETE_TCB. */ 2514 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2515 SCTP_PERR(error)); 2516 return SCTP_DISPOSITION_ABORT; 2517 } 2518 2519 /* 2520 * sctp_sf_do_9_2_shut 2521 * 2522 * Section: 9.2 2523 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2524 * - enter the SHUTDOWN-RECEIVED state, 2525 * 2526 * - stop accepting new data from its SCTP user 2527 * 2528 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2529 * that all its outstanding DATA chunks have been received by the 2530 * SHUTDOWN sender. 2531 * 2532 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2533 * send a SHUTDOWN in response to a ULP request. And should discard 2534 * subsequent SHUTDOWN chunks. 2535 * 2536 * If there are still outstanding DATA chunks left, the SHUTDOWN 2537 * receiver shall continue to follow normal data transmission 2538 * procedures defined in Section 6 until all outstanding DATA chunks 2539 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2540 * new data from its SCTP user. 2541 * 2542 * Verification Tag: 8.5 Verification Tag [Normal verification] 2543 * 2544 * Inputs 2545 * (endpoint, asoc, chunk) 2546 * 2547 * Outputs 2548 * (asoc, reply_msg, msg_up, timers, counters) 2549 * 2550 * The return value is the disposition of the chunk. 2551 */ 2552 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2553 const struct sctp_association *asoc, 2554 const sctp_subtype_t type, 2555 void *arg, 2556 sctp_cmd_seq_t *commands) 2557 { 2558 struct sctp_chunk *chunk = arg; 2559 sctp_shutdownhdr_t *sdh; 2560 sctp_disposition_t disposition; 2561 struct sctp_ulpevent *ev; 2562 __u32 ctsn; 2563 2564 if (!sctp_vtag_verify(chunk, asoc)) 2565 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2566 2567 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2568 if (!sctp_chunk_length_valid(chunk, 2569 sizeof(struct sctp_shutdown_chunk_t))) 2570 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2571 commands); 2572 2573 /* Convert the elaborate header. */ 2574 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2575 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2576 chunk->subh.shutdown_hdr = sdh; 2577 ctsn = ntohl(sdh->cum_tsn_ack); 2578 2579 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2580 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2581 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2582 return SCTP_DISPOSITION_DISCARD; 2583 } 2584 2585 /* If Cumulative TSN Ack beyond the max tsn currently 2586 * send, terminating the association and respond to the 2587 * sender with an ABORT. 2588 */ 2589 if (!TSN_lt(ctsn, asoc->next_tsn)) 2590 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 2591 2592 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2593 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2594 * inform the application that it should cease sending data. 2595 */ 2596 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2597 if (!ev) { 2598 disposition = SCTP_DISPOSITION_NOMEM; 2599 goto out; 2600 } 2601 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2602 2603 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2604 * - enter the SHUTDOWN-RECEIVED state, 2605 * - stop accepting new data from its SCTP user 2606 * 2607 * [This is implicit in the new state.] 2608 */ 2609 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2610 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2611 disposition = SCTP_DISPOSITION_CONSUME; 2612 2613 if (sctp_outq_is_empty(&asoc->outqueue)) { 2614 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2615 arg, commands); 2616 } 2617 2618 if (SCTP_DISPOSITION_NOMEM == disposition) 2619 goto out; 2620 2621 /* - verify, by checking the Cumulative TSN Ack field of the 2622 * chunk, that all its outstanding DATA chunks have been 2623 * received by the SHUTDOWN sender. 2624 */ 2625 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2626 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2627 2628 out: 2629 return disposition; 2630 } 2631 2632 /* 2633 * sctp_sf_do_9_2_shut_ctsn 2634 * 2635 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2636 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2637 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2638 * MUST be processed. 2639 */ 2640 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep, 2641 const struct sctp_association *asoc, 2642 const sctp_subtype_t type, 2643 void *arg, 2644 sctp_cmd_seq_t *commands) 2645 { 2646 struct sctp_chunk *chunk = arg; 2647 sctp_shutdownhdr_t *sdh; 2648 __u32 ctsn; 2649 2650 if (!sctp_vtag_verify(chunk, asoc)) 2651 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2652 2653 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2654 if (!sctp_chunk_length_valid(chunk, 2655 sizeof(struct sctp_shutdown_chunk_t))) 2656 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2657 commands); 2658 2659 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2660 ctsn = ntohl(sdh->cum_tsn_ack); 2661 2662 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2663 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2664 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2665 return SCTP_DISPOSITION_DISCARD; 2666 } 2667 2668 /* If Cumulative TSN Ack beyond the max tsn currently 2669 * send, terminating the association and respond to the 2670 * sender with an ABORT. 2671 */ 2672 if (!TSN_lt(ctsn, asoc->next_tsn)) 2673 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 2674 2675 /* verify, by checking the Cumulative TSN Ack field of the 2676 * chunk, that all its outstanding DATA chunks have been 2677 * received by the SHUTDOWN sender. 2678 */ 2679 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2680 SCTP_BE32(sdh->cum_tsn_ack)); 2681 2682 return SCTP_DISPOSITION_CONSUME; 2683 } 2684 2685 /* RFC 2960 9.2 2686 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2687 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2688 * transport addresses (either in the IP addresses or in the INIT chunk) 2689 * that belong to this association, it should discard the INIT chunk and 2690 * retransmit the SHUTDOWN ACK chunk. 2691 */ 2692 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2693 const struct sctp_association *asoc, 2694 const sctp_subtype_t type, 2695 void *arg, 2696 sctp_cmd_seq_t *commands) 2697 { 2698 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2699 struct sctp_chunk *reply; 2700 2701 /* Make sure that the chunk has a valid length */ 2702 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2703 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2704 commands); 2705 2706 /* Since we are not going to really process this INIT, there 2707 * is no point in verifying chunk boundries. Just generate 2708 * the SHUTDOWN ACK. 2709 */ 2710 reply = sctp_make_shutdown_ack(asoc, chunk); 2711 if (NULL == reply) 2712 goto nomem; 2713 2714 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2715 * the T2-SHUTDOWN timer. 2716 */ 2717 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2718 2719 /* and restart the T2-shutdown timer. */ 2720 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2721 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2722 2723 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2724 2725 return SCTP_DISPOSITION_CONSUME; 2726 nomem: 2727 return SCTP_DISPOSITION_NOMEM; 2728 } 2729 2730 /* 2731 * sctp_sf_do_ecn_cwr 2732 * 2733 * Section: Appendix A: Explicit Congestion Notification 2734 * 2735 * CWR: 2736 * 2737 * RFC 2481 details a specific bit for a sender to send in the header of 2738 * its next outbound TCP segment to indicate to its peer that it has 2739 * reduced its congestion window. This is termed the CWR bit. For 2740 * SCTP the same indication is made by including the CWR chunk. 2741 * This chunk contains one data element, i.e. the TSN number that 2742 * was sent in the ECNE chunk. This element represents the lowest 2743 * TSN number in the datagram that was originally marked with the 2744 * CE bit. 2745 * 2746 * Verification Tag: 8.5 Verification Tag [Normal verification] 2747 * Inputs 2748 * (endpoint, asoc, chunk) 2749 * 2750 * Outputs 2751 * (asoc, reply_msg, msg_up, timers, counters) 2752 * 2753 * The return value is the disposition of the chunk. 2754 */ 2755 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2756 const struct sctp_association *asoc, 2757 const sctp_subtype_t type, 2758 void *arg, 2759 sctp_cmd_seq_t *commands) 2760 { 2761 sctp_cwrhdr_t *cwr; 2762 struct sctp_chunk *chunk = arg; 2763 u32 lowest_tsn; 2764 2765 if (!sctp_vtag_verify(chunk, asoc)) 2766 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2767 2768 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2769 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2770 commands); 2771 2772 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2773 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2774 2775 lowest_tsn = ntohl(cwr->lowest_tsn); 2776 2777 /* Does this CWR ack the last sent congestion notification? */ 2778 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2779 /* Stop sending ECNE. */ 2780 sctp_add_cmd_sf(commands, 2781 SCTP_CMD_ECN_CWR, 2782 SCTP_U32(lowest_tsn)); 2783 } 2784 return SCTP_DISPOSITION_CONSUME; 2785 } 2786 2787 /* 2788 * sctp_sf_do_ecne 2789 * 2790 * Section: Appendix A: Explicit Congestion Notification 2791 * 2792 * ECN-Echo 2793 * 2794 * RFC 2481 details a specific bit for a receiver to send back in its 2795 * TCP acknowledgements to notify the sender of the Congestion 2796 * Experienced (CE) bit having arrived from the network. For SCTP this 2797 * same indication is made by including the ECNE chunk. This chunk 2798 * contains one data element, i.e. the lowest TSN associated with the IP 2799 * datagram marked with the CE bit..... 2800 * 2801 * Verification Tag: 8.5 Verification Tag [Normal verification] 2802 * Inputs 2803 * (endpoint, asoc, chunk) 2804 * 2805 * Outputs 2806 * (asoc, reply_msg, msg_up, timers, counters) 2807 * 2808 * The return value is the disposition of the chunk. 2809 */ 2810 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2811 const struct sctp_association *asoc, 2812 const sctp_subtype_t type, 2813 void *arg, 2814 sctp_cmd_seq_t *commands) 2815 { 2816 sctp_ecnehdr_t *ecne; 2817 struct sctp_chunk *chunk = arg; 2818 2819 if (!sctp_vtag_verify(chunk, asoc)) 2820 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2821 2822 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2823 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2824 commands); 2825 2826 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2827 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2828 2829 /* If this is a newer ECNE than the last CWR packet we sent out */ 2830 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2831 SCTP_U32(ntohl(ecne->lowest_tsn))); 2832 2833 return SCTP_DISPOSITION_CONSUME; 2834 } 2835 2836 /* 2837 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2838 * 2839 * The SCTP endpoint MUST always acknowledge the reception of each valid 2840 * DATA chunk. 2841 * 2842 * The guidelines on delayed acknowledgement algorithm specified in 2843 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2844 * acknowledgement SHOULD be generated for at least every second packet 2845 * (not every second DATA chunk) received, and SHOULD be generated within 2846 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2847 * situations it may be beneficial for an SCTP transmitter to be more 2848 * conservative than the algorithms detailed in this document allow. 2849 * However, an SCTP transmitter MUST NOT be more aggressive than the 2850 * following algorithms allow. 2851 * 2852 * A SCTP receiver MUST NOT generate more than one SACK for every 2853 * incoming packet, other than to update the offered window as the 2854 * receiving application consumes new data. 2855 * 2856 * Verification Tag: 8.5 Verification Tag [Normal verification] 2857 * 2858 * Inputs 2859 * (endpoint, asoc, chunk) 2860 * 2861 * Outputs 2862 * (asoc, reply_msg, msg_up, timers, counters) 2863 * 2864 * The return value is the disposition of the chunk. 2865 */ 2866 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2867 const struct sctp_association *asoc, 2868 const sctp_subtype_t type, 2869 void *arg, 2870 sctp_cmd_seq_t *commands) 2871 { 2872 struct sctp_chunk *chunk = arg; 2873 sctp_arg_t force = SCTP_NOFORCE(); 2874 int error; 2875 2876 if (!sctp_vtag_verify(chunk, asoc)) { 2877 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2878 SCTP_NULL()); 2879 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2880 } 2881 2882 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2883 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2884 commands); 2885 2886 error = sctp_eat_data(asoc, chunk, commands ); 2887 switch (error) { 2888 case SCTP_IERROR_NO_ERROR: 2889 break; 2890 case SCTP_IERROR_HIGH_TSN: 2891 case SCTP_IERROR_BAD_STREAM: 2892 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2893 goto discard_noforce; 2894 case SCTP_IERROR_DUP_TSN: 2895 case SCTP_IERROR_IGNORE_TSN: 2896 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2897 goto discard_force; 2898 case SCTP_IERROR_NO_DATA: 2899 goto consume; 2900 case SCTP_IERROR_PROTO_VIOLATION: 2901 return sctp_sf_abort_violation(ep, asoc, chunk, commands, 2902 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 2903 default: 2904 BUG(); 2905 } 2906 2907 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 2908 force = SCTP_FORCE(); 2909 2910 if (asoc->autoclose) { 2911 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2912 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2913 } 2914 2915 /* If this is the last chunk in a packet, we need to count it 2916 * toward sack generation. Note that we need to SACK every 2917 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2918 * THEM. We elect to NOT generate SACK's if the chunk fails 2919 * the verification tag test. 2920 * 2921 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2922 * 2923 * The SCTP endpoint MUST always acknowledge the reception of 2924 * each valid DATA chunk. 2925 * 2926 * The guidelines on delayed acknowledgement algorithm 2927 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2928 * Specifically, an acknowledgement SHOULD be generated for at 2929 * least every second packet (not every second DATA chunk) 2930 * received, and SHOULD be generated within 200 ms of the 2931 * arrival of any unacknowledged DATA chunk. In some 2932 * situations it may be beneficial for an SCTP transmitter to 2933 * be more conservative than the algorithms detailed in this 2934 * document allow. However, an SCTP transmitter MUST NOT be 2935 * more aggressive than the following algorithms allow. 2936 */ 2937 if (chunk->end_of_packet) 2938 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 2939 2940 return SCTP_DISPOSITION_CONSUME; 2941 2942 discard_force: 2943 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2944 * 2945 * When a packet arrives with duplicate DATA chunk(s) and with 2946 * no new DATA chunk(s), the endpoint MUST immediately send a 2947 * SACK with no delay. If a packet arrives with duplicate 2948 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2949 * MAY immediately send a SACK. Normally receipt of duplicate 2950 * DATA chunks will occur when the original SACK chunk was lost 2951 * and the peer's RTO has expired. The duplicate TSN number(s) 2952 * SHOULD be reported in the SACK as duplicate. 2953 */ 2954 /* In our case, we split the MAY SACK advice up whether or not 2955 * the last chunk is a duplicate.' 2956 */ 2957 if (chunk->end_of_packet) 2958 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2959 return SCTP_DISPOSITION_DISCARD; 2960 2961 discard_noforce: 2962 if (chunk->end_of_packet) 2963 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 2964 2965 return SCTP_DISPOSITION_DISCARD; 2966 consume: 2967 return SCTP_DISPOSITION_CONSUME; 2968 2969 } 2970 2971 /* 2972 * sctp_sf_eat_data_fast_4_4 2973 * 2974 * Section: 4 (4) 2975 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2976 * DATA chunks without delay. 2977 * 2978 * Verification Tag: 8.5 Verification Tag [Normal verification] 2979 * Inputs 2980 * (endpoint, asoc, chunk) 2981 * 2982 * Outputs 2983 * (asoc, reply_msg, msg_up, timers, counters) 2984 * 2985 * The return value is the disposition of the chunk. 2986 */ 2987 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2988 const struct sctp_association *asoc, 2989 const sctp_subtype_t type, 2990 void *arg, 2991 sctp_cmd_seq_t *commands) 2992 { 2993 struct sctp_chunk *chunk = arg; 2994 int error; 2995 2996 if (!sctp_vtag_verify(chunk, asoc)) { 2997 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2998 SCTP_NULL()); 2999 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3000 } 3001 3002 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 3003 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3004 commands); 3005 3006 error = sctp_eat_data(asoc, chunk, commands ); 3007 switch (error) { 3008 case SCTP_IERROR_NO_ERROR: 3009 case SCTP_IERROR_HIGH_TSN: 3010 case SCTP_IERROR_DUP_TSN: 3011 case SCTP_IERROR_IGNORE_TSN: 3012 case SCTP_IERROR_BAD_STREAM: 3013 break; 3014 case SCTP_IERROR_NO_DATA: 3015 goto consume; 3016 case SCTP_IERROR_PROTO_VIOLATION: 3017 return sctp_sf_abort_violation(ep, asoc, chunk, commands, 3018 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t)); 3019 default: 3020 BUG(); 3021 } 3022 3023 /* Go a head and force a SACK, since we are shutting down. */ 3024 3025 /* Implementor's Guide. 3026 * 3027 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3028 * respond to each received packet containing one or more DATA chunk(s) 3029 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3030 */ 3031 if (chunk->end_of_packet) { 3032 /* We must delay the chunk creation since the cumulative 3033 * TSN has not been updated yet. 3034 */ 3035 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3036 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3037 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3038 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3039 } 3040 3041 consume: 3042 return SCTP_DISPOSITION_CONSUME; 3043 } 3044 3045 /* 3046 * Section: 6.2 Processing a Received SACK 3047 * D) Any time a SACK arrives, the endpoint performs the following: 3048 * 3049 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3050 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3051 * increasing, a SACK whose Cumulative TSN Ack is less than the 3052 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3053 * 3054 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3055 * of bytes still outstanding after processing the Cumulative TSN Ack 3056 * and the Gap Ack Blocks. 3057 * 3058 * iii) If the SACK is missing a TSN that was previously 3059 * acknowledged via a Gap Ack Block (e.g., the data receiver 3060 * reneged on the data), then mark the corresponding DATA chunk 3061 * as available for retransmit: Mark it as missing for fast 3062 * retransmit as described in Section 7.2.4 and if no retransmit 3063 * timer is running for the destination address to which the DATA 3064 * chunk was originally transmitted, then T3-rtx is started for 3065 * that destination address. 3066 * 3067 * Verification Tag: 8.5 Verification Tag [Normal verification] 3068 * 3069 * Inputs 3070 * (endpoint, asoc, chunk) 3071 * 3072 * Outputs 3073 * (asoc, reply_msg, msg_up, timers, counters) 3074 * 3075 * The return value is the disposition of the chunk. 3076 */ 3077 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 3078 const struct sctp_association *asoc, 3079 const sctp_subtype_t type, 3080 void *arg, 3081 sctp_cmd_seq_t *commands) 3082 { 3083 struct sctp_chunk *chunk = arg; 3084 sctp_sackhdr_t *sackh; 3085 __u32 ctsn; 3086 3087 if (!sctp_vtag_verify(chunk, asoc)) 3088 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3089 3090 /* Make sure that the SACK chunk has a valid length. */ 3091 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 3092 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3093 commands); 3094 3095 /* Pull the SACK chunk from the data buffer */ 3096 sackh = sctp_sm_pull_sack(chunk); 3097 /* Was this a bogus SACK? */ 3098 if (!sackh) 3099 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3100 chunk->subh.sack_hdr = sackh; 3101 ctsn = ntohl(sackh->cum_tsn_ack); 3102 3103 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3104 * Ack Point, then drop the SACK. Since Cumulative TSN 3105 * Ack is monotonically increasing, a SACK whose 3106 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3107 * Point indicates an out-of-order SACK. 3108 */ 3109 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3110 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 3111 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 3112 return SCTP_DISPOSITION_DISCARD; 3113 } 3114 3115 /* If Cumulative TSN Ack beyond the max tsn currently 3116 * send, terminating the association and respond to the 3117 * sender with an ABORT. 3118 */ 3119 if (!TSN_lt(ctsn, asoc->next_tsn)) 3120 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 3121 3122 /* Return this SACK for further processing. */ 3123 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 3124 3125 /* Note: We do the rest of the work on the PROCESS_SACK 3126 * sideeffect. 3127 */ 3128 return SCTP_DISPOSITION_CONSUME; 3129 } 3130 3131 /* 3132 * Generate an ABORT in response to a packet. 3133 * 3134 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3135 * 3136 * 8) The receiver should respond to the sender of the OOTB packet with 3137 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3138 * MUST fill in the Verification Tag field of the outbound packet 3139 * with the value found in the Verification Tag field of the OOTB 3140 * packet and set the T-bit in the Chunk Flags to indicate that the 3141 * Verification Tag is reflected. After sending this ABORT, the 3142 * receiver of the OOTB packet shall discard the OOTB packet and take 3143 * no further action. 3144 * 3145 * Verification Tag: 3146 * 3147 * The return value is the disposition of the chunk. 3148 */ 3149 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 3150 const struct sctp_association *asoc, 3151 const sctp_subtype_t type, 3152 void *arg, 3153 sctp_cmd_seq_t *commands) 3154 { 3155 struct sctp_packet *packet = NULL; 3156 struct sctp_chunk *chunk = arg; 3157 struct sctp_chunk *abort; 3158 3159 packet = sctp_ootb_pkt_new(asoc, chunk); 3160 3161 if (packet) { 3162 /* Make an ABORT. The T bit will be set if the asoc 3163 * is NULL. 3164 */ 3165 abort = sctp_make_abort(asoc, chunk, 0); 3166 if (!abort) { 3167 sctp_ootb_pkt_free(packet); 3168 return SCTP_DISPOSITION_NOMEM; 3169 } 3170 3171 /* Reflect vtag if T-Bit is set */ 3172 if (sctp_test_T_bit(abort)) 3173 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3174 3175 /* Set the skb to the belonging sock for accounting. */ 3176 abort->skb->sk = ep->base.sk; 3177 3178 sctp_packet_append_chunk(packet, abort); 3179 3180 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3181 SCTP_PACKET(packet)); 3182 3183 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3184 3185 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3186 return SCTP_DISPOSITION_CONSUME; 3187 } 3188 3189 return SCTP_DISPOSITION_NOMEM; 3190 } 3191 3192 /* 3193 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3194 * event as ULP notification for each cause included in the chunk. 3195 * 3196 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3197 * 3198 * The return value is the disposition of the chunk. 3199 */ 3200 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 3201 const struct sctp_association *asoc, 3202 const sctp_subtype_t type, 3203 void *arg, 3204 sctp_cmd_seq_t *commands) 3205 { 3206 struct sctp_chunk *chunk = arg; 3207 3208 if (!sctp_vtag_verify(chunk, asoc)) 3209 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3210 3211 /* Make sure that the ERROR chunk has a valid length. */ 3212 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3213 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3214 commands); 3215 3216 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3217 SCTP_CHUNK(chunk)); 3218 3219 return SCTP_DISPOSITION_CONSUME; 3220 } 3221 3222 /* 3223 * Process an inbound SHUTDOWN ACK. 3224 * 3225 * From Section 9.2: 3226 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3227 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3228 * peer, and remove all record of the association. 3229 * 3230 * The return value is the disposition. 3231 */ 3232 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3233 const struct sctp_association *asoc, 3234 const sctp_subtype_t type, 3235 void *arg, 3236 sctp_cmd_seq_t *commands) 3237 { 3238 struct sctp_chunk *chunk = arg; 3239 struct sctp_chunk *reply; 3240 struct sctp_ulpevent *ev; 3241 3242 if (!sctp_vtag_verify(chunk, asoc)) 3243 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3244 3245 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3246 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3247 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3248 commands); 3249 /* 10.2 H) SHUTDOWN COMPLETE notification 3250 * 3251 * When SCTP completes the shutdown procedures (section 9.2) this 3252 * notification is passed to the upper layer. 3253 */ 3254 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3255 0, 0, 0, NULL, GFP_ATOMIC); 3256 if (!ev) 3257 goto nomem; 3258 3259 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3260 reply = sctp_make_shutdown_complete(asoc, chunk); 3261 if (!reply) 3262 goto nomem_chunk; 3263 3264 /* Do all the commands now (after allocation), so that we 3265 * have consistent state if memory allocation failes 3266 */ 3267 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3268 3269 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3270 * stop the T2-shutdown timer, 3271 */ 3272 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3273 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3274 3275 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3276 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3277 3278 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3279 SCTP_STATE(SCTP_STATE_CLOSED)); 3280 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3281 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3282 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3283 3284 /* ...and remove all record of the association. */ 3285 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3286 return SCTP_DISPOSITION_DELETE_TCB; 3287 3288 nomem_chunk: 3289 sctp_ulpevent_free(ev); 3290 nomem: 3291 return SCTP_DISPOSITION_NOMEM; 3292 } 3293 3294 /* 3295 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3296 * 3297 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3298 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3299 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3300 * packet must fill in the Verification Tag field of the outbound 3301 * packet with the Verification Tag received in the SHUTDOWN ACK and 3302 * set the T-bit in the Chunk Flags to indicate that the Verification 3303 * Tag is reflected. 3304 * 3305 * 8) The receiver should respond to the sender of the OOTB packet with 3306 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3307 * MUST fill in the Verification Tag field of the outbound packet 3308 * with the value found in the Verification Tag field of the OOTB 3309 * packet and set the T-bit in the Chunk Flags to indicate that the 3310 * Verification Tag is reflected. After sending this ABORT, the 3311 * receiver of the OOTB packet shall discard the OOTB packet and take 3312 * no further action. 3313 */ 3314 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3315 const struct sctp_association *asoc, 3316 const sctp_subtype_t type, 3317 void *arg, 3318 sctp_cmd_seq_t *commands) 3319 { 3320 struct sctp_chunk *chunk = arg; 3321 struct sk_buff *skb = chunk->skb; 3322 sctp_chunkhdr_t *ch; 3323 __u8 *ch_end; 3324 int ootb_shut_ack = 0; 3325 3326 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3327 3328 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3329 do { 3330 /* Report violation if the chunk is less then minimal */ 3331 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3332 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3333 commands); 3334 3335 /* Now that we know we at least have a chunk header, 3336 * do things that are type appropriate. 3337 */ 3338 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3339 ootb_shut_ack = 1; 3340 3341 /* RFC 2960, Section 3.3.7 3342 * Moreover, under any circumstances, an endpoint that 3343 * receives an ABORT MUST NOT respond to that ABORT by 3344 * sending an ABORT of its own. 3345 */ 3346 if (SCTP_CID_ABORT == ch->type) 3347 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3348 3349 /* Report violation if chunk len overflows */ 3350 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3351 if (ch_end > skb_tail_pointer(skb)) 3352 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3353 commands); 3354 3355 ch = (sctp_chunkhdr_t *) ch_end; 3356 } while (ch_end < skb_tail_pointer(skb)); 3357 3358 if (ootb_shut_ack) 3359 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3360 else 3361 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3362 } 3363 3364 /* 3365 * Handle an "Out of the blue" SHUTDOWN ACK. 3366 * 3367 * Section: 8.4 5, sctpimpguide 2.41. 3368 * 3369 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3370 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3371 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3372 * packet must fill in the Verification Tag field of the outbound 3373 * packet with the Verification Tag received in the SHUTDOWN ACK and 3374 * set the T-bit in the Chunk Flags to indicate that the Verification 3375 * Tag is reflected. 3376 * 3377 * Inputs 3378 * (endpoint, asoc, type, arg, commands) 3379 * 3380 * Outputs 3381 * (sctp_disposition_t) 3382 * 3383 * The return value is the disposition of the chunk. 3384 */ 3385 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3386 const struct sctp_association *asoc, 3387 const sctp_subtype_t type, 3388 void *arg, 3389 sctp_cmd_seq_t *commands) 3390 { 3391 struct sctp_packet *packet = NULL; 3392 struct sctp_chunk *chunk = arg; 3393 struct sctp_chunk *shut; 3394 3395 packet = sctp_ootb_pkt_new(asoc, chunk); 3396 3397 if (packet) { 3398 /* Make an SHUTDOWN_COMPLETE. 3399 * The T bit will be set if the asoc is NULL. 3400 */ 3401 shut = sctp_make_shutdown_complete(asoc, chunk); 3402 if (!shut) { 3403 sctp_ootb_pkt_free(packet); 3404 return SCTP_DISPOSITION_NOMEM; 3405 } 3406 3407 /* Reflect vtag if T-Bit is set */ 3408 if (sctp_test_T_bit(shut)) 3409 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3410 3411 /* Set the skb to the belonging sock for accounting. */ 3412 shut->skb->sk = ep->base.sk; 3413 3414 sctp_packet_append_chunk(packet, shut); 3415 3416 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3417 SCTP_PACKET(packet)); 3418 3419 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3420 3421 /* If the chunk length is invalid, we don't want to process 3422 * the reset of the packet. 3423 */ 3424 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3425 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3426 3427 /* We need to discard the rest of the packet to prevent 3428 * potential bomming attacks from additional bundled chunks. 3429 * This is documented in SCTP Threats ID. 3430 */ 3431 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3432 } 3433 3434 return SCTP_DISPOSITION_NOMEM; 3435 } 3436 3437 /* 3438 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3439 * 3440 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3441 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3442 * procedures in section 8.4 SHOULD be followed, in other words it 3443 * should be treated as an Out Of The Blue packet. 3444 * [This means that we do NOT check the Verification Tag on these 3445 * chunks. --piggy ] 3446 * 3447 */ 3448 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3449 const struct sctp_association *asoc, 3450 const sctp_subtype_t type, 3451 void *arg, 3452 sctp_cmd_seq_t *commands) 3453 { 3454 struct sctp_chunk *chunk = arg; 3455 3456 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3457 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3458 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3459 commands); 3460 3461 /* Although we do have an association in this case, it corresponds 3462 * to a restarted association. So the packet is treated as an OOTB 3463 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3464 * called with a NULL association. 3465 */ 3466 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3467 3468 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3469 } 3470 3471 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3472 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3473 const struct sctp_association *asoc, 3474 const sctp_subtype_t type, void *arg, 3475 sctp_cmd_seq_t *commands) 3476 { 3477 struct sctp_chunk *chunk = arg; 3478 struct sctp_chunk *asconf_ack = NULL; 3479 struct sctp_paramhdr *err_param = NULL; 3480 sctp_addiphdr_t *hdr; 3481 union sctp_addr_param *addr_param; 3482 __u32 serial; 3483 int length; 3484 3485 if (!sctp_vtag_verify(chunk, asoc)) { 3486 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3487 SCTP_NULL()); 3488 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3489 } 3490 3491 /* ADD-IP: Section 4.1.1 3492 * This chunk MUST be sent in an authenticated way by using 3493 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3494 * is received unauthenticated it MUST be silently discarded as 3495 * described in [I-D.ietf-tsvwg-sctp-auth]. 3496 */ 3497 if (!sctp_addip_noauth && !chunk->auth) 3498 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3499 3500 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3501 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3502 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3503 commands); 3504 3505 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3506 serial = ntohl(hdr->serial); 3507 3508 addr_param = (union sctp_addr_param *)hdr->params; 3509 length = ntohs(addr_param->p.length); 3510 if (length < sizeof(sctp_paramhdr_t)) 3511 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3512 (void *)addr_param, commands); 3513 3514 /* Verify the ASCONF chunk before processing it. */ 3515 if (!sctp_verify_asconf(asoc, 3516 (sctp_paramhdr_t *)((void *)addr_param + length), 3517 (void *)chunk->chunk_end, 3518 &err_param)) 3519 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3520 (void *)err_param, commands); 3521 3522 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3523 * the endpoint stored in a new association variable 3524 * 'Peer-Serial-Number'. 3525 */ 3526 if (serial == asoc->peer.addip_serial + 1) { 3527 /* If this is the first instance of ASCONF in the packet, 3528 * we can clean our old ASCONF-ACKs. 3529 */ 3530 if (!chunk->has_asconf) 3531 sctp_assoc_clean_asconf_ack_cache(asoc); 3532 3533 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3534 * expected, process the ASCONF as described below and after 3535 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3536 * the response packet and cache a copy of it (in the event it 3537 * later needs to be retransmitted). 3538 * 3539 * Essentially, do V1-V5. 3540 */ 3541 asconf_ack = sctp_process_asconf((struct sctp_association *) 3542 asoc, chunk); 3543 if (!asconf_ack) 3544 return SCTP_DISPOSITION_NOMEM; 3545 } else if (serial < asoc->peer.addip_serial + 1) { 3546 /* ADDIP 5.2 E2) 3547 * If the value found in the Sequence Number is less than the 3548 * ('Peer- Sequence-Number' + 1), simply skip to the next 3549 * ASCONF, and include in the outbound response packet 3550 * any previously cached ASCONF-ACK response that was 3551 * sent and saved that matches the Sequence Number of the 3552 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3553 * Chunk exists. This will occur when an older ASCONF 3554 * arrives out of order. In such a case, the receiver 3555 * should skip the ASCONF Chunk and not include ASCONF-ACK 3556 * Chunk for that chunk. 3557 */ 3558 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3559 if (!asconf_ack) 3560 return SCTP_DISPOSITION_DISCARD; 3561 3562 /* Reset the transport so that we select the correct one 3563 * this time around. This is to make sure that we don't 3564 * accidentally use a stale transport that's been removed. 3565 */ 3566 asconf_ack->transport = NULL; 3567 } else { 3568 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3569 * it must be either a stale packet or from an attacker. 3570 */ 3571 return SCTP_DISPOSITION_DISCARD; 3572 } 3573 3574 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3575 * containing the ASCONF-ACK Chunks MUST be the source address of 3576 * the SCTP packet that held the ASCONF Chunks. 3577 * 3578 * To do this properly, we'll set the destination address of the chunk 3579 * and at the transmit time, will try look up the transport to use. 3580 * Since ASCONFs may be bundled, the correct transport may not be 3581 * created until we process the entire packet, thus this workaround. 3582 */ 3583 asconf_ack->dest = chunk->source; 3584 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3585 3586 return SCTP_DISPOSITION_CONSUME; 3587 } 3588 3589 /* 3590 * ADDIP Section 4.3 General rules for address manipulation 3591 * When building TLV parameters for the ASCONF Chunk that will add or 3592 * delete IP addresses the D0 to D13 rules should be applied: 3593 */ 3594 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3595 const struct sctp_association *asoc, 3596 const sctp_subtype_t type, void *arg, 3597 sctp_cmd_seq_t *commands) 3598 { 3599 struct sctp_chunk *asconf_ack = arg; 3600 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3601 struct sctp_chunk *abort; 3602 struct sctp_paramhdr *err_param = NULL; 3603 sctp_addiphdr_t *addip_hdr; 3604 __u32 sent_serial, rcvd_serial; 3605 3606 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3607 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3608 SCTP_NULL()); 3609 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3610 } 3611 3612 /* ADD-IP, Section 4.1.2: 3613 * This chunk MUST be sent in an authenticated way by using 3614 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3615 * is received unauthenticated it MUST be silently discarded as 3616 * described in [I-D.ietf-tsvwg-sctp-auth]. 3617 */ 3618 if (!sctp_addip_noauth && !asconf_ack->auth) 3619 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3620 3621 /* Make sure that the ADDIP chunk has a valid length. */ 3622 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3623 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3624 commands); 3625 3626 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3627 rcvd_serial = ntohl(addip_hdr->serial); 3628 3629 /* Verify the ASCONF-ACK chunk before processing it. */ 3630 if (!sctp_verify_asconf(asoc, 3631 (sctp_paramhdr_t *)addip_hdr->params, 3632 (void *)asconf_ack->chunk_end, 3633 &err_param)) 3634 return sctp_sf_violation_paramlen(ep, asoc, type, arg, 3635 (void *)err_param, commands); 3636 3637 if (last_asconf) { 3638 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3639 sent_serial = ntohl(addip_hdr->serial); 3640 } else { 3641 sent_serial = asoc->addip_serial - 1; 3642 } 3643 3644 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3645 * equal to the next serial number to be used but no ASCONF chunk is 3646 * outstanding the endpoint MUST ABORT the association. Note that a 3647 * sequence number is greater than if it is no more than 2^^31-1 3648 * larger than the current sequence number (using serial arithmetic). 3649 */ 3650 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3651 !(asoc->addip_last_asconf)) { 3652 abort = sctp_make_abort(asoc, asconf_ack, 3653 sizeof(sctp_errhdr_t)); 3654 if (abort) { 3655 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3656 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3657 SCTP_CHUNK(abort)); 3658 } 3659 /* We are going to ABORT, so we might as well stop 3660 * processing the rest of the chunks in the packet. 3661 */ 3662 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3663 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3664 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3665 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3666 SCTP_ERROR(ECONNABORTED)); 3667 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3668 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3669 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3670 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3671 return SCTP_DISPOSITION_ABORT; 3672 } 3673 3674 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3675 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3676 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3677 3678 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3679 asconf_ack)) { 3680 /* Successfully processed ASCONF_ACK. We can 3681 * release the next asconf if we have one. 3682 */ 3683 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3684 SCTP_NULL()); 3685 return SCTP_DISPOSITION_CONSUME; 3686 } 3687 3688 abort = sctp_make_abort(asoc, asconf_ack, 3689 sizeof(sctp_errhdr_t)); 3690 if (abort) { 3691 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3692 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3693 SCTP_CHUNK(abort)); 3694 } 3695 /* We are going to ABORT, so we might as well stop 3696 * processing the rest of the chunks in the packet. 3697 */ 3698 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3699 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3700 SCTP_ERROR(ECONNABORTED)); 3701 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3702 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3703 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3704 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3705 return SCTP_DISPOSITION_ABORT; 3706 } 3707 3708 return SCTP_DISPOSITION_DISCARD; 3709 } 3710 3711 /* 3712 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3713 * 3714 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3715 * its cumulative TSN point to the value carried in the FORWARD TSN 3716 * chunk, and then MUST further advance its cumulative TSN point locally 3717 * if possible. 3718 * After the above processing, the data receiver MUST stop reporting any 3719 * missing TSNs earlier than or equal to the new cumulative TSN point. 3720 * 3721 * Verification Tag: 8.5 Verification Tag [Normal verification] 3722 * 3723 * The return value is the disposition of the chunk. 3724 */ 3725 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3726 const struct sctp_association *asoc, 3727 const sctp_subtype_t type, 3728 void *arg, 3729 sctp_cmd_seq_t *commands) 3730 { 3731 struct sctp_chunk *chunk = arg; 3732 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3733 struct sctp_fwdtsn_skip *skip; 3734 __u16 len; 3735 __u32 tsn; 3736 3737 if (!sctp_vtag_verify(chunk, asoc)) { 3738 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3739 SCTP_NULL()); 3740 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3741 } 3742 3743 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3744 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3745 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3746 commands); 3747 3748 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3749 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3750 len = ntohs(chunk->chunk_hdr->length); 3751 len -= sizeof(struct sctp_chunkhdr); 3752 skb_pull(chunk->skb, len); 3753 3754 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3755 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3756 3757 /* The TSN is too high--silently discard the chunk and count on it 3758 * getting retransmitted later. 3759 */ 3760 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3761 goto discard_noforce; 3762 3763 /* Silently discard the chunk if stream-id is not valid */ 3764 sctp_walk_fwdtsn(skip, chunk) { 3765 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3766 goto discard_noforce; 3767 } 3768 3769 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3770 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3771 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3772 SCTP_CHUNK(chunk)); 3773 3774 /* Count this as receiving DATA. */ 3775 if (asoc->autoclose) { 3776 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3777 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3778 } 3779 3780 /* FIXME: For now send a SACK, but DATA processing may 3781 * send another. 3782 */ 3783 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3784 3785 return SCTP_DISPOSITION_CONSUME; 3786 3787 discard_noforce: 3788 return SCTP_DISPOSITION_DISCARD; 3789 } 3790 3791 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3792 const struct sctp_endpoint *ep, 3793 const struct sctp_association *asoc, 3794 const sctp_subtype_t type, 3795 void *arg, 3796 sctp_cmd_seq_t *commands) 3797 { 3798 struct sctp_chunk *chunk = arg; 3799 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3800 struct sctp_fwdtsn_skip *skip; 3801 __u16 len; 3802 __u32 tsn; 3803 3804 if (!sctp_vtag_verify(chunk, asoc)) { 3805 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3806 SCTP_NULL()); 3807 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3808 } 3809 3810 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3811 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3812 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3813 commands); 3814 3815 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3816 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3817 len = ntohs(chunk->chunk_hdr->length); 3818 len -= sizeof(struct sctp_chunkhdr); 3819 skb_pull(chunk->skb, len); 3820 3821 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3822 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3823 3824 /* The TSN is too high--silently discard the chunk and count on it 3825 * getting retransmitted later. 3826 */ 3827 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3828 goto gen_shutdown; 3829 3830 /* Silently discard the chunk if stream-id is not valid */ 3831 sctp_walk_fwdtsn(skip, chunk) { 3832 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams) 3833 goto gen_shutdown; 3834 } 3835 3836 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3837 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3838 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3839 SCTP_CHUNK(chunk)); 3840 3841 /* Go a head and force a SACK, since we are shutting down. */ 3842 gen_shutdown: 3843 /* Implementor's Guide. 3844 * 3845 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3846 * respond to each received packet containing one or more DATA chunk(s) 3847 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3848 */ 3849 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3850 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3851 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3852 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3853 3854 return SCTP_DISPOSITION_CONSUME; 3855 } 3856 3857 /* 3858 * SCTP-AUTH Section 6.3 Receving authenticated chukns 3859 * 3860 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3861 * Identifier field. If this algorithm was not specified by the 3862 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3863 * during association setup, the AUTH chunk and all chunks after it MUST 3864 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3865 * defined in Section 4.1. 3866 * 3867 * If an endpoint with no shared key receives a Shared Key Identifier 3868 * other than 0, it MUST silently discard all authenticated chunks. If 3869 * the endpoint has at least one endpoint pair shared key for the peer, 3870 * it MUST use the key specified by the Shared Key Identifier if a 3871 * key has been configured for that Shared Key Identifier. If no 3872 * endpoint pair shared key has been configured for that Shared Key 3873 * Identifier, all authenticated chunks MUST be silently discarded. 3874 * 3875 * Verification Tag: 8.5 Verification Tag [Normal verification] 3876 * 3877 * The return value is the disposition of the chunk. 3878 */ 3879 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 3880 const struct sctp_association *asoc, 3881 const sctp_subtype_t type, 3882 struct sctp_chunk *chunk) 3883 { 3884 struct sctp_authhdr *auth_hdr; 3885 struct sctp_hmac *hmac; 3886 unsigned int sig_len; 3887 __u16 key_id; 3888 __u8 *save_digest; 3889 __u8 *digest; 3890 3891 /* Pull in the auth header, so we can do some more verification */ 3892 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3893 chunk->subh.auth_hdr = auth_hdr; 3894 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 3895 3896 /* Make sure that we suport the HMAC algorithm from the auth 3897 * chunk. 3898 */ 3899 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 3900 return SCTP_IERROR_AUTH_BAD_HMAC; 3901 3902 /* Make sure that the provided shared key identifier has been 3903 * configured 3904 */ 3905 key_id = ntohs(auth_hdr->shkey_id); 3906 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 3907 return SCTP_IERROR_AUTH_BAD_KEYID; 3908 3909 3910 /* Make sure that the length of the signature matches what 3911 * we expect. 3912 */ 3913 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 3914 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 3915 if (sig_len != hmac->hmac_len) 3916 return SCTP_IERROR_PROTO_VIOLATION; 3917 3918 /* Now that we've done validation checks, we can compute and 3919 * verify the hmac. The steps involved are: 3920 * 1. Save the digest from the chunk. 3921 * 2. Zero out the digest in the chunk. 3922 * 3. Compute the new digest 3923 * 4. Compare saved and new digests. 3924 */ 3925 digest = auth_hdr->hmac; 3926 skb_pull(chunk->skb, sig_len); 3927 3928 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 3929 if (!save_digest) 3930 goto nomem; 3931 3932 memset(digest, 0, sig_len); 3933 3934 sctp_auth_calculate_hmac(asoc, chunk->skb, 3935 (struct sctp_auth_chunk *)chunk->chunk_hdr, 3936 GFP_ATOMIC); 3937 3938 /* Discard the packet if the digests do not match */ 3939 if (memcmp(save_digest, digest, sig_len)) { 3940 kfree(save_digest); 3941 return SCTP_IERROR_BAD_SIG; 3942 } 3943 3944 kfree(save_digest); 3945 chunk->auth = 1; 3946 3947 return SCTP_IERROR_NO_ERROR; 3948 nomem: 3949 return SCTP_IERROR_NOMEM; 3950 } 3951 3952 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep, 3953 const struct sctp_association *asoc, 3954 const sctp_subtype_t type, 3955 void *arg, 3956 sctp_cmd_seq_t *commands) 3957 { 3958 struct sctp_authhdr *auth_hdr; 3959 struct sctp_chunk *chunk = arg; 3960 struct sctp_chunk *err_chunk; 3961 sctp_ierror_t error; 3962 3963 /* Make sure that the peer has AUTH capable */ 3964 if (!asoc->peer.auth_capable) 3965 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands); 3966 3967 if (!sctp_vtag_verify(chunk, asoc)) { 3968 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3969 SCTP_NULL()); 3970 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3971 } 3972 3973 /* Make sure that the AUTH chunk has valid length. */ 3974 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 3975 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3976 commands); 3977 3978 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3979 error = sctp_sf_authenticate(ep, asoc, type, chunk); 3980 switch (error) { 3981 case SCTP_IERROR_AUTH_BAD_HMAC: 3982 /* Generate the ERROR chunk and discard the rest 3983 * of the packet 3984 */ 3985 err_chunk = sctp_make_op_error(asoc, chunk, 3986 SCTP_ERROR_UNSUP_HMAC, 3987 &auth_hdr->hmac_id, 3988 sizeof(__u16), 0); 3989 if (err_chunk) { 3990 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3991 SCTP_CHUNK(err_chunk)); 3992 } 3993 /* Fall Through */ 3994 case SCTP_IERROR_AUTH_BAD_KEYID: 3995 case SCTP_IERROR_BAD_SIG: 3996 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3997 break; 3998 case SCTP_IERROR_PROTO_VIOLATION: 3999 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4000 commands); 4001 break; 4002 case SCTP_IERROR_NOMEM: 4003 return SCTP_DISPOSITION_NOMEM; 4004 default: 4005 break; 4006 } 4007 4008 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4009 struct sctp_ulpevent *ev; 4010 4011 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4012 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 4013 4014 if (!ev) 4015 return -ENOMEM; 4016 4017 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4018 SCTP_ULPEVENT(ev)); 4019 } 4020 4021 return SCTP_DISPOSITION_CONSUME; 4022 } 4023 4024 /* 4025 * Process an unknown chunk. 4026 * 4027 * Section: 3.2. Also, 2.1 in the implementor's guide. 4028 * 4029 * Chunk Types are encoded such that the highest-order two bits specify 4030 * the action that must be taken if the processing endpoint does not 4031 * recognize the Chunk Type. 4032 * 4033 * 00 - Stop processing this SCTP packet and discard it, do not process 4034 * any further chunks within it. 4035 * 4036 * 01 - Stop processing this SCTP packet and discard it, do not process 4037 * any further chunks within it, and report the unrecognized 4038 * chunk in an 'Unrecognized Chunk Type'. 4039 * 4040 * 10 - Skip this chunk and continue processing. 4041 * 4042 * 11 - Skip this chunk and continue processing, but report in an ERROR 4043 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4044 * 4045 * The return value is the disposition of the chunk. 4046 */ 4047 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 4048 const struct sctp_association *asoc, 4049 const sctp_subtype_t type, 4050 void *arg, 4051 sctp_cmd_seq_t *commands) 4052 { 4053 struct sctp_chunk *unk_chunk = arg; 4054 struct sctp_chunk *err_chunk; 4055 sctp_chunkhdr_t *hdr; 4056 4057 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 4058 4059 if (!sctp_vtag_verify(unk_chunk, asoc)) 4060 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4061 4062 /* Make sure that the chunk has a valid length. 4063 * Since we don't know the chunk type, we use a general 4064 * chunkhdr structure to make a comparison. 4065 */ 4066 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 4067 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4068 commands); 4069 4070 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4071 case SCTP_CID_ACTION_DISCARD: 4072 /* Discard the packet. */ 4073 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4074 break; 4075 case SCTP_CID_ACTION_DISCARD_ERR: 4076 /* Generate an ERROR chunk as response. */ 4077 hdr = unk_chunk->chunk_hdr; 4078 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4079 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4080 WORD_ROUND(ntohs(hdr->length)), 4081 0); 4082 if (err_chunk) { 4083 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4084 SCTP_CHUNK(err_chunk)); 4085 } 4086 4087 /* Discard the packet. */ 4088 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4089 return SCTP_DISPOSITION_CONSUME; 4090 break; 4091 case SCTP_CID_ACTION_SKIP: 4092 /* Skip the chunk. */ 4093 return SCTP_DISPOSITION_DISCARD; 4094 break; 4095 case SCTP_CID_ACTION_SKIP_ERR: 4096 /* Generate an ERROR chunk as response. */ 4097 hdr = unk_chunk->chunk_hdr; 4098 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4099 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4100 WORD_ROUND(ntohs(hdr->length)), 4101 0); 4102 if (err_chunk) { 4103 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4104 SCTP_CHUNK(err_chunk)); 4105 } 4106 /* Skip the chunk. */ 4107 return SCTP_DISPOSITION_CONSUME; 4108 break; 4109 default: 4110 break; 4111 } 4112 4113 return SCTP_DISPOSITION_DISCARD; 4114 } 4115 4116 /* 4117 * Discard the chunk. 4118 * 4119 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4120 * [Too numerous to mention...] 4121 * Verification Tag: No verification needed. 4122 * Inputs 4123 * (endpoint, asoc, chunk) 4124 * 4125 * Outputs 4126 * (asoc, reply_msg, msg_up, timers, counters) 4127 * 4128 * The return value is the disposition of the chunk. 4129 */ 4130 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 4131 const struct sctp_association *asoc, 4132 const sctp_subtype_t type, 4133 void *arg, 4134 sctp_cmd_seq_t *commands) 4135 { 4136 struct sctp_chunk *chunk = arg; 4137 4138 /* Make sure that the chunk has a valid length. 4139 * Since we don't know the chunk type, we use a general 4140 * chunkhdr structure to make a comparison. 4141 */ 4142 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4143 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4144 commands); 4145 4146 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 4147 return SCTP_DISPOSITION_DISCARD; 4148 } 4149 4150 /* 4151 * Discard the whole packet. 4152 * 4153 * Section: 8.4 2) 4154 * 4155 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4156 * silently discard the OOTB packet and take no further action. 4157 * 4158 * Verification Tag: No verification necessary 4159 * 4160 * Inputs 4161 * (endpoint, asoc, chunk) 4162 * 4163 * Outputs 4164 * (asoc, reply_msg, msg_up, timers, counters) 4165 * 4166 * The return value is the disposition of the chunk. 4167 */ 4168 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 4169 const struct sctp_association *asoc, 4170 const sctp_subtype_t type, 4171 void *arg, 4172 sctp_cmd_seq_t *commands) 4173 { 4174 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 4175 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4176 4177 return SCTP_DISPOSITION_CONSUME; 4178 } 4179 4180 4181 /* 4182 * The other end is violating protocol. 4183 * 4184 * Section: Not specified 4185 * Verification Tag: Not specified 4186 * Inputs 4187 * (endpoint, asoc, chunk) 4188 * 4189 * Outputs 4190 * (asoc, reply_msg, msg_up, timers, counters) 4191 * 4192 * We simply tag the chunk as a violation. The state machine will log 4193 * the violation and continue. 4194 */ 4195 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 4196 const struct sctp_association *asoc, 4197 const sctp_subtype_t type, 4198 void *arg, 4199 sctp_cmd_seq_t *commands) 4200 { 4201 struct sctp_chunk *chunk = arg; 4202 4203 /* Make sure that the chunk has a valid length. */ 4204 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4205 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4206 commands); 4207 4208 return SCTP_DISPOSITION_VIOLATION; 4209 } 4210 4211 /* 4212 * Common function to handle a protocol violation. 4213 */ 4214 static sctp_disposition_t sctp_sf_abort_violation( 4215 const struct sctp_endpoint *ep, 4216 const struct sctp_association *asoc, 4217 void *arg, 4218 sctp_cmd_seq_t *commands, 4219 const __u8 *payload, 4220 const size_t paylen) 4221 { 4222 struct sctp_packet *packet = NULL; 4223 struct sctp_chunk *chunk = arg; 4224 struct sctp_chunk *abort = NULL; 4225 4226 /* SCTP-AUTH, Section 6.3: 4227 * It should be noted that if the receiver wants to tear 4228 * down an association in an authenticated way only, the 4229 * handling of malformed packets should not result in 4230 * tearing down the association. 4231 * 4232 * This means that if we only want to abort associations 4233 * in an authenticated way (i.e AUTH+ABORT), then we 4234 * can't destroy this association just becuase the packet 4235 * was malformed. 4236 */ 4237 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4238 goto discard; 4239 4240 /* Make the abort chunk. */ 4241 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4242 if (!abort) 4243 goto nomem; 4244 4245 if (asoc) { 4246 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4247 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4248 !asoc->peer.i.init_tag) { 4249 sctp_initack_chunk_t *initack; 4250 4251 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 4252 if (!sctp_chunk_length_valid(chunk, 4253 sizeof(sctp_initack_chunk_t))) 4254 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4255 else { 4256 unsigned int inittag; 4257 4258 inittag = ntohl(initack->init_hdr.init_tag); 4259 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4260 SCTP_U32(inittag)); 4261 } 4262 } 4263 4264 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4265 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4266 4267 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4268 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4269 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4270 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4271 SCTP_ERROR(ECONNREFUSED)); 4272 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4273 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4274 } else { 4275 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4276 SCTP_ERROR(ECONNABORTED)); 4277 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4278 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4279 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4280 } 4281 } else { 4282 packet = sctp_ootb_pkt_new(asoc, chunk); 4283 4284 if (!packet) 4285 goto nomem_pkt; 4286 4287 if (sctp_test_T_bit(abort)) 4288 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4289 4290 abort->skb->sk = ep->base.sk; 4291 4292 sctp_packet_append_chunk(packet, abort); 4293 4294 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4295 SCTP_PACKET(packet)); 4296 4297 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4298 } 4299 4300 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4301 4302 discard: 4303 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4304 return SCTP_DISPOSITION_ABORT; 4305 4306 nomem_pkt: 4307 sctp_chunk_free(abort); 4308 nomem: 4309 return SCTP_DISPOSITION_NOMEM; 4310 } 4311 4312 /* 4313 * Handle a protocol violation when the chunk length is invalid. 4314 * "Invalid" length is identified as smaller than the minimal length a 4315 * given chunk can be. For example, a SACK chunk has invalid length 4316 * if its length is set to be smaller than the size of sctp_sack_chunk_t. 4317 * 4318 * We inform the other end by sending an ABORT with a Protocol Violation 4319 * error code. 4320 * 4321 * Section: Not specified 4322 * Verification Tag: Nothing to do 4323 * Inputs 4324 * (endpoint, asoc, chunk) 4325 * 4326 * Outputs 4327 * (reply_msg, msg_up, counters) 4328 * 4329 * Generate an ABORT chunk and terminate the association. 4330 */ 4331 static sctp_disposition_t sctp_sf_violation_chunklen( 4332 const struct sctp_endpoint *ep, 4333 const struct sctp_association *asoc, 4334 const sctp_subtype_t type, 4335 void *arg, 4336 sctp_cmd_seq_t *commands) 4337 { 4338 static const char err_str[]="The following chunk had invalid length:"; 4339 4340 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4341 sizeof(err_str)); 4342 } 4343 4344 /* 4345 * Handle a protocol violation when the parameter length is invalid. 4346 * "Invalid" length is identified as smaller than the minimal length a 4347 * given parameter can be. 4348 */ 4349 static sctp_disposition_t sctp_sf_violation_paramlen( 4350 const struct sctp_endpoint *ep, 4351 const struct sctp_association *asoc, 4352 const sctp_subtype_t type, 4353 void *arg, void *ext, 4354 sctp_cmd_seq_t *commands) 4355 { 4356 struct sctp_chunk *chunk = arg; 4357 struct sctp_paramhdr *param = ext; 4358 struct sctp_chunk *abort = NULL; 4359 4360 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4361 goto discard; 4362 4363 /* Make the abort chunk. */ 4364 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4365 if (!abort) 4366 goto nomem; 4367 4368 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4369 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4370 4371 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4372 SCTP_ERROR(ECONNABORTED)); 4373 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4374 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4375 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4376 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4377 4378 discard: 4379 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4380 return SCTP_DISPOSITION_ABORT; 4381 nomem: 4382 return SCTP_DISPOSITION_NOMEM; 4383 } 4384 4385 /* Handle a protocol violation when the peer trying to advance the 4386 * cumulative tsn ack to a point beyond the max tsn currently sent. 4387 * 4388 * We inform the other end by sending an ABORT with a Protocol Violation 4389 * error code. 4390 */ 4391 static sctp_disposition_t sctp_sf_violation_ctsn( 4392 const struct sctp_endpoint *ep, 4393 const struct sctp_association *asoc, 4394 const sctp_subtype_t type, 4395 void *arg, 4396 sctp_cmd_seq_t *commands) 4397 { 4398 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:"; 4399 4400 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4401 sizeof(err_str)); 4402 } 4403 4404 /* Handle protocol violation of an invalid chunk bundling. For example, 4405 * when we have an association and we recieve bundled INIT-ACK, or 4406 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4407 * statement from the specs. Additinally, there might be an attacker 4408 * on the path and we may not want to continue this communication. 4409 */ 4410 static sctp_disposition_t sctp_sf_violation_chunk( 4411 const struct sctp_endpoint *ep, 4412 const struct sctp_association *asoc, 4413 const sctp_subtype_t type, 4414 void *arg, 4415 sctp_cmd_seq_t *commands) 4416 { 4417 static const char err_str[]="The following chunk violates protocol:"; 4418 4419 if (!asoc) 4420 return sctp_sf_violation(ep, asoc, type, arg, commands); 4421 4422 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4423 sizeof(err_str)); 4424 } 4425 /*************************************************************************** 4426 * These are the state functions for handling primitive (Section 10) events. 4427 ***************************************************************************/ 4428 /* 4429 * sctp_sf_do_prm_asoc 4430 * 4431 * Section: 10.1 ULP-to-SCTP 4432 * B) Associate 4433 * 4434 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4435 * outbound stream count) 4436 * -> association id [,destination transport addr list] [,outbound stream 4437 * count] 4438 * 4439 * This primitive allows the upper layer to initiate an association to a 4440 * specific peer endpoint. 4441 * 4442 * The peer endpoint shall be specified by one of the transport addresses 4443 * which defines the endpoint (see Section 1.4). If the local SCTP 4444 * instance has not been initialized, the ASSOCIATE is considered an 4445 * error. 4446 * [This is not relevant for the kernel implementation since we do all 4447 * initialization at boot time. It we hadn't initialized we wouldn't 4448 * get anywhere near this code.] 4449 * 4450 * An association id, which is a local handle to the SCTP association, 4451 * will be returned on successful establishment of the association. If 4452 * SCTP is not able to open an SCTP association with the peer endpoint, 4453 * an error is returned. 4454 * [In the kernel implementation, the struct sctp_association needs to 4455 * be created BEFORE causing this primitive to run.] 4456 * 4457 * Other association parameters may be returned, including the 4458 * complete destination transport addresses of the peer as well as the 4459 * outbound stream count of the local endpoint. One of the transport 4460 * address from the returned destination addresses will be selected by 4461 * the local endpoint as default primary path for sending SCTP packets 4462 * to this peer. The returned "destination transport addr list" can 4463 * be used by the ULP to change the default primary path or to force 4464 * sending a packet to a specific transport address. [All of this 4465 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4466 * function.] 4467 * 4468 * Mandatory attributes: 4469 * 4470 * o local SCTP instance name - obtained from the INITIALIZE operation. 4471 * [This is the argument asoc.] 4472 * o destination transport addr - specified as one of the transport 4473 * addresses of the peer endpoint with which the association is to be 4474 * established. 4475 * [This is asoc->peer.active_path.] 4476 * o outbound stream count - the number of outbound streams the ULP 4477 * would like to open towards this peer endpoint. 4478 * [BUG: This is not currently implemented.] 4479 * Optional attributes: 4480 * 4481 * None. 4482 * 4483 * The return value is a disposition. 4484 */ 4485 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 4486 const struct sctp_association *asoc, 4487 const sctp_subtype_t type, 4488 void *arg, 4489 sctp_cmd_seq_t *commands) 4490 { 4491 struct sctp_chunk *repl; 4492 struct sctp_association* my_asoc; 4493 4494 /* The comment below says that we enter COOKIE-WAIT AFTER 4495 * sending the INIT, but that doesn't actually work in our 4496 * implementation... 4497 */ 4498 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4499 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4500 4501 /* RFC 2960 5.1 Normal Establishment of an Association 4502 * 4503 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4504 * must provide its Verification Tag (Tag_A) in the Initiate 4505 * Tag field. Tag_A SHOULD be a random number in the range of 4506 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4507 */ 4508 4509 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4510 if (!repl) 4511 goto nomem; 4512 4513 /* Cast away the const modifier, as we want to just 4514 * rerun it through as a sideffect. 4515 */ 4516 my_asoc = (struct sctp_association *)asoc; 4517 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4518 4519 /* Choose transport for INIT. */ 4520 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4521 SCTP_CHUNK(repl)); 4522 4523 /* After sending the INIT, "A" starts the T1-init timer and 4524 * enters the COOKIE-WAIT state. 4525 */ 4526 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4527 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4528 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4529 return SCTP_DISPOSITION_CONSUME; 4530 4531 nomem: 4532 return SCTP_DISPOSITION_NOMEM; 4533 } 4534 4535 /* 4536 * Process the SEND primitive. 4537 * 4538 * Section: 10.1 ULP-to-SCTP 4539 * E) Send 4540 * 4541 * Format: SEND(association id, buffer address, byte count [,context] 4542 * [,stream id] [,life time] [,destination transport address] 4543 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4544 * -> result 4545 * 4546 * This is the main method to send user data via SCTP. 4547 * 4548 * Mandatory attributes: 4549 * 4550 * o association id - local handle to the SCTP association 4551 * 4552 * o buffer address - the location where the user message to be 4553 * transmitted is stored; 4554 * 4555 * o byte count - The size of the user data in number of bytes; 4556 * 4557 * Optional attributes: 4558 * 4559 * o context - an optional 32 bit integer that will be carried in the 4560 * sending failure notification to the ULP if the transportation of 4561 * this User Message fails. 4562 * 4563 * o stream id - to indicate which stream to send the data on. If not 4564 * specified, stream 0 will be used. 4565 * 4566 * o life time - specifies the life time of the user data. The user data 4567 * will not be sent by SCTP after the life time expires. This 4568 * parameter can be used to avoid efforts to transmit stale 4569 * user messages. SCTP notifies the ULP if the data cannot be 4570 * initiated to transport (i.e. sent to the destination via SCTP's 4571 * send primitive) within the life time variable. However, the 4572 * user data will be transmitted if SCTP has attempted to transmit a 4573 * chunk before the life time expired. 4574 * 4575 * o destination transport address - specified as one of the destination 4576 * transport addresses of the peer endpoint to which this packet 4577 * should be sent. Whenever possible, SCTP should use this destination 4578 * transport address for sending the packets, instead of the current 4579 * primary path. 4580 * 4581 * o unorder flag - this flag, if present, indicates that the user 4582 * would like the data delivered in an unordered fashion to the peer 4583 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4584 * message). 4585 * 4586 * o no-bundle flag - instructs SCTP not to bundle this user data with 4587 * other outbound DATA chunks. SCTP MAY still bundle even when 4588 * this flag is present, when faced with network congestion. 4589 * 4590 * o payload protocol-id - A 32 bit unsigned integer that is to be 4591 * passed to the peer indicating the type of payload protocol data 4592 * being transmitted. This value is passed as opaque data by SCTP. 4593 * 4594 * The return value is the disposition. 4595 */ 4596 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 4597 const struct sctp_association *asoc, 4598 const sctp_subtype_t type, 4599 void *arg, 4600 sctp_cmd_seq_t *commands) 4601 { 4602 struct sctp_datamsg *msg = arg; 4603 4604 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4605 return SCTP_DISPOSITION_CONSUME; 4606 } 4607 4608 /* 4609 * Process the SHUTDOWN primitive. 4610 * 4611 * Section: 10.1: 4612 * C) Shutdown 4613 * 4614 * Format: SHUTDOWN(association id) 4615 * -> result 4616 * 4617 * Gracefully closes an association. Any locally queued user data 4618 * will be delivered to the peer. The association will be terminated only 4619 * after the peer acknowledges all the SCTP packets sent. A success code 4620 * will be returned on successful termination of the association. If 4621 * attempting to terminate the association results in a failure, an error 4622 * code shall be returned. 4623 * 4624 * Mandatory attributes: 4625 * 4626 * o association id - local handle to the SCTP association 4627 * 4628 * Optional attributes: 4629 * 4630 * None. 4631 * 4632 * The return value is the disposition. 4633 */ 4634 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4635 const struct sctp_endpoint *ep, 4636 const struct sctp_association *asoc, 4637 const sctp_subtype_t type, 4638 void *arg, 4639 sctp_cmd_seq_t *commands) 4640 { 4641 int disposition; 4642 4643 /* From 9.2 Shutdown of an Association 4644 * Upon receipt of the SHUTDOWN primitive from its upper 4645 * layer, the endpoint enters SHUTDOWN-PENDING state and 4646 * remains there until all outstanding data has been 4647 * acknowledged by its peer. The endpoint accepts no new data 4648 * from its upper layer, but retransmits data to the far end 4649 * if necessary to fill gaps. 4650 */ 4651 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4652 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4653 4654 disposition = SCTP_DISPOSITION_CONSUME; 4655 if (sctp_outq_is_empty(&asoc->outqueue)) { 4656 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4657 arg, commands); 4658 } 4659 return disposition; 4660 } 4661 4662 /* 4663 * Process the ABORT primitive. 4664 * 4665 * Section: 10.1: 4666 * C) Abort 4667 * 4668 * Format: Abort(association id [, cause code]) 4669 * -> result 4670 * 4671 * Ungracefully closes an association. Any locally queued user data 4672 * will be discarded and an ABORT chunk is sent to the peer. A success code 4673 * will be returned on successful abortion of the association. If 4674 * attempting to abort the association results in a failure, an error 4675 * code shall be returned. 4676 * 4677 * Mandatory attributes: 4678 * 4679 * o association id - local handle to the SCTP association 4680 * 4681 * Optional attributes: 4682 * 4683 * o cause code - reason of the abort to be passed to the peer 4684 * 4685 * None. 4686 * 4687 * The return value is the disposition. 4688 */ 4689 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4690 const struct sctp_endpoint *ep, 4691 const struct sctp_association *asoc, 4692 const sctp_subtype_t type, 4693 void *arg, 4694 sctp_cmd_seq_t *commands) 4695 { 4696 /* From 9.1 Abort of an Association 4697 * Upon receipt of the ABORT primitive from its upper 4698 * layer, the endpoint enters CLOSED state and 4699 * discard all outstanding data has been 4700 * acknowledged by its peer. The endpoint accepts no new data 4701 * from its upper layer, but retransmits data to the far end 4702 * if necessary to fill gaps. 4703 */ 4704 struct sctp_chunk *abort = arg; 4705 sctp_disposition_t retval; 4706 4707 retval = SCTP_DISPOSITION_CONSUME; 4708 4709 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4710 4711 /* Even if we can't send the ABORT due to low memory delete the 4712 * TCB. This is a departure from our typical NOMEM handling. 4713 */ 4714 4715 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4716 SCTP_ERROR(ECONNABORTED)); 4717 /* Delete the established association. */ 4718 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4719 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4720 4721 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4722 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4723 4724 return retval; 4725 } 4726 4727 /* We tried an illegal operation on an association which is closed. */ 4728 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4729 const struct sctp_association *asoc, 4730 const sctp_subtype_t type, 4731 void *arg, 4732 sctp_cmd_seq_t *commands) 4733 { 4734 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4735 return SCTP_DISPOSITION_CONSUME; 4736 } 4737 4738 /* We tried an illegal operation on an association which is shutting 4739 * down. 4740 */ 4741 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4742 const struct sctp_association *asoc, 4743 const sctp_subtype_t type, 4744 void *arg, 4745 sctp_cmd_seq_t *commands) 4746 { 4747 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4748 SCTP_ERROR(-ESHUTDOWN)); 4749 return SCTP_DISPOSITION_CONSUME; 4750 } 4751 4752 /* 4753 * sctp_cookie_wait_prm_shutdown 4754 * 4755 * Section: 4 Note: 2 4756 * Verification Tag: 4757 * Inputs 4758 * (endpoint, asoc) 4759 * 4760 * The RFC does not explicitly address this issue, but is the route through the 4761 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4762 * 4763 * Outputs 4764 * (timers) 4765 */ 4766 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4767 const struct sctp_endpoint *ep, 4768 const struct sctp_association *asoc, 4769 const sctp_subtype_t type, 4770 void *arg, 4771 sctp_cmd_seq_t *commands) 4772 { 4773 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4774 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4775 4776 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4777 SCTP_STATE(SCTP_STATE_CLOSED)); 4778 4779 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4780 4781 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4782 4783 return SCTP_DISPOSITION_DELETE_TCB; 4784 } 4785 4786 /* 4787 * sctp_cookie_echoed_prm_shutdown 4788 * 4789 * Section: 4 Note: 2 4790 * Verification Tag: 4791 * Inputs 4792 * (endpoint, asoc) 4793 * 4794 * The RFC does not explcitly address this issue, but is the route through the 4795 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4796 * 4797 * Outputs 4798 * (timers) 4799 */ 4800 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4801 const struct sctp_endpoint *ep, 4802 const struct sctp_association *asoc, 4803 const sctp_subtype_t type, 4804 void *arg, sctp_cmd_seq_t *commands) 4805 { 4806 /* There is a single T1 timer, so we should be able to use 4807 * common function with the COOKIE-WAIT state. 4808 */ 4809 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4810 } 4811 4812 /* 4813 * sctp_sf_cookie_wait_prm_abort 4814 * 4815 * Section: 4 Note: 2 4816 * Verification Tag: 4817 * Inputs 4818 * (endpoint, asoc) 4819 * 4820 * The RFC does not explicitly address this issue, but is the route through the 4821 * state table when someone issues an abort while in COOKIE_WAIT state. 4822 * 4823 * Outputs 4824 * (timers) 4825 */ 4826 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4827 const struct sctp_endpoint *ep, 4828 const struct sctp_association *asoc, 4829 const sctp_subtype_t type, 4830 void *arg, 4831 sctp_cmd_seq_t *commands) 4832 { 4833 struct sctp_chunk *abort = arg; 4834 sctp_disposition_t retval; 4835 4836 /* Stop T1-init timer */ 4837 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4838 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4839 retval = SCTP_DISPOSITION_CONSUME; 4840 4841 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4842 4843 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4844 SCTP_STATE(SCTP_STATE_CLOSED)); 4845 4846 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4847 4848 /* Even if we can't send the ABORT due to low memory delete the 4849 * TCB. This is a departure from our typical NOMEM handling. 4850 */ 4851 4852 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4853 SCTP_ERROR(ECONNREFUSED)); 4854 /* Delete the established association. */ 4855 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4856 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4857 4858 return retval; 4859 } 4860 4861 /* 4862 * sctp_sf_cookie_echoed_prm_abort 4863 * 4864 * Section: 4 Note: 3 4865 * Verification Tag: 4866 * Inputs 4867 * (endpoint, asoc) 4868 * 4869 * The RFC does not explcitly address this issue, but is the route through the 4870 * state table when someone issues an abort while in COOKIE_ECHOED state. 4871 * 4872 * Outputs 4873 * (timers) 4874 */ 4875 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4876 const struct sctp_endpoint *ep, 4877 const struct sctp_association *asoc, 4878 const sctp_subtype_t type, 4879 void *arg, 4880 sctp_cmd_seq_t *commands) 4881 { 4882 /* There is a single T1 timer, so we should be able to use 4883 * common function with the COOKIE-WAIT state. 4884 */ 4885 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4886 } 4887 4888 /* 4889 * sctp_sf_shutdown_pending_prm_abort 4890 * 4891 * Inputs 4892 * (endpoint, asoc) 4893 * 4894 * The RFC does not explicitly address this issue, but is the route through the 4895 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4896 * 4897 * Outputs 4898 * (timers) 4899 */ 4900 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4901 const struct sctp_endpoint *ep, 4902 const struct sctp_association *asoc, 4903 const sctp_subtype_t type, 4904 void *arg, 4905 sctp_cmd_seq_t *commands) 4906 { 4907 /* Stop the T5-shutdown guard timer. */ 4908 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4909 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4910 4911 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4912 } 4913 4914 /* 4915 * sctp_sf_shutdown_sent_prm_abort 4916 * 4917 * Inputs 4918 * (endpoint, asoc) 4919 * 4920 * The RFC does not explicitly address this issue, but is the route through the 4921 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4922 * 4923 * Outputs 4924 * (timers) 4925 */ 4926 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4927 const struct sctp_endpoint *ep, 4928 const struct sctp_association *asoc, 4929 const sctp_subtype_t type, 4930 void *arg, 4931 sctp_cmd_seq_t *commands) 4932 { 4933 /* Stop the T2-shutdown timer. */ 4934 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4935 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4936 4937 /* Stop the T5-shutdown guard timer. */ 4938 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4939 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4940 4941 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4942 } 4943 4944 /* 4945 * sctp_sf_cookie_echoed_prm_abort 4946 * 4947 * Inputs 4948 * (endpoint, asoc) 4949 * 4950 * The RFC does not explcitly address this issue, but is the route through the 4951 * state table when someone issues an abort while in COOKIE_ECHOED state. 4952 * 4953 * Outputs 4954 * (timers) 4955 */ 4956 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4957 const struct sctp_endpoint *ep, 4958 const struct sctp_association *asoc, 4959 const sctp_subtype_t type, 4960 void *arg, 4961 sctp_cmd_seq_t *commands) 4962 { 4963 /* The same T2 timer, so we should be able to use 4964 * common function with the SHUTDOWN-SENT state. 4965 */ 4966 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4967 } 4968 4969 /* 4970 * Process the REQUESTHEARTBEAT primitive 4971 * 4972 * 10.1 ULP-to-SCTP 4973 * J) Request Heartbeat 4974 * 4975 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4976 * 4977 * -> result 4978 * 4979 * Instructs the local endpoint to perform a HeartBeat on the specified 4980 * destination transport address of the given association. The returned 4981 * result should indicate whether the transmission of the HEARTBEAT 4982 * chunk to the destination address is successful. 4983 * 4984 * Mandatory attributes: 4985 * 4986 * o association id - local handle to the SCTP association 4987 * 4988 * o destination transport address - the transport address of the 4989 * association on which a heartbeat should be issued. 4990 */ 4991 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4992 const struct sctp_endpoint *ep, 4993 const struct sctp_association *asoc, 4994 const sctp_subtype_t type, 4995 void *arg, 4996 sctp_cmd_seq_t *commands) 4997 { 4998 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 4999 (struct sctp_transport *)arg, commands)) 5000 return SCTP_DISPOSITION_NOMEM; 5001 5002 /* 5003 * RFC 2960 (bis), section 8.3 5004 * 5005 * D) Request an on-demand HEARTBEAT on a specific destination 5006 * transport address of a given association. 5007 * 5008 * The endpoint should increment the respective error counter of 5009 * the destination transport address each time a HEARTBEAT is sent 5010 * to that address and not acknowledged within one RTO. 5011 * 5012 */ 5013 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5014 SCTP_TRANSPORT(arg)); 5015 return SCTP_DISPOSITION_CONSUME; 5016 } 5017 5018 /* 5019 * ADDIP Section 4.1 ASCONF Chunk Procedures 5020 * When an endpoint has an ASCONF signaled change to be sent to the 5021 * remote endpoint it should do A1 to A9 5022 */ 5023 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 5024 const struct sctp_association *asoc, 5025 const sctp_subtype_t type, 5026 void *arg, 5027 sctp_cmd_seq_t *commands) 5028 { 5029 struct sctp_chunk *chunk = arg; 5030 5031 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5032 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5033 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5034 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5035 return SCTP_DISPOSITION_CONSUME; 5036 } 5037 5038 /* 5039 * Ignore the primitive event 5040 * 5041 * The return value is the disposition of the primitive. 5042 */ 5043 sctp_disposition_t sctp_sf_ignore_primitive( 5044 const struct sctp_endpoint *ep, 5045 const struct sctp_association *asoc, 5046 const sctp_subtype_t type, 5047 void *arg, 5048 sctp_cmd_seq_t *commands) 5049 { 5050 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 5051 return SCTP_DISPOSITION_DISCARD; 5052 } 5053 5054 /*************************************************************************** 5055 * These are the state functions for the OTHER events. 5056 ***************************************************************************/ 5057 5058 /* 5059 * Start the shutdown negotiation. 5060 * 5061 * From Section 9.2: 5062 * Once all its outstanding data has been acknowledged, the endpoint 5063 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5064 * TSN Ack field the last sequential TSN it has received from the peer. 5065 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5066 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5067 * with the updated last sequential TSN received from its peer. 5068 * 5069 * The return value is the disposition. 5070 */ 5071 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 5072 const struct sctp_endpoint *ep, 5073 const struct sctp_association *asoc, 5074 const sctp_subtype_t type, 5075 void *arg, 5076 sctp_cmd_seq_t *commands) 5077 { 5078 struct sctp_chunk *reply; 5079 5080 /* Once all its outstanding data has been acknowledged, the 5081 * endpoint shall send a SHUTDOWN chunk to its peer including 5082 * in the Cumulative TSN Ack field the last sequential TSN it 5083 * has received from the peer. 5084 */ 5085 reply = sctp_make_shutdown(asoc, NULL); 5086 if (!reply) 5087 goto nomem; 5088 5089 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5090 * T2-shutdown timer. 5091 */ 5092 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5093 5094 /* It shall then start the T2-shutdown timer */ 5095 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5096 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5097 5098 /* RFC 4960 Section 9.2 5099 * The sender of the SHUTDOWN MAY also start an overall guard timer 5100 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5101 */ 5102 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5103 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5104 5105 if (asoc->autoclose) 5106 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5107 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5108 5109 /* and enter the SHUTDOWN-SENT state. */ 5110 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5111 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5112 5113 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5114 * 5115 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5116 * or SHUTDOWN-ACK. 5117 */ 5118 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5119 5120 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5121 5122 return SCTP_DISPOSITION_CONSUME; 5123 5124 nomem: 5125 return SCTP_DISPOSITION_NOMEM; 5126 } 5127 5128 /* 5129 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5130 * 5131 * From Section 9.2: 5132 * 5133 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5134 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5135 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5136 * endpoint must re-send the SHUTDOWN ACK. 5137 * 5138 * The return value is the disposition. 5139 */ 5140 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5141 const struct sctp_endpoint *ep, 5142 const struct sctp_association *asoc, 5143 const sctp_subtype_t type, 5144 void *arg, 5145 sctp_cmd_seq_t *commands) 5146 { 5147 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5148 struct sctp_chunk *reply; 5149 5150 /* There are 2 ways of getting here: 5151 * 1) called in response to a SHUTDOWN chunk 5152 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5153 * 5154 * For the case (2), the arg parameter is set to NULL. We need 5155 * to check that we have a chunk before accessing it's fields. 5156 */ 5157 if (chunk) { 5158 if (!sctp_vtag_verify(chunk, asoc)) 5159 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 5160 5161 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5162 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5163 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 5164 commands); 5165 } 5166 5167 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5168 * shall send a SHUTDOWN ACK ... 5169 */ 5170 reply = sctp_make_shutdown_ack(asoc, chunk); 5171 if (!reply) 5172 goto nomem; 5173 5174 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5175 * the T2-shutdown timer. 5176 */ 5177 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5178 5179 /* and start/restart a T2-shutdown timer of its own, */ 5180 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5181 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5182 5183 if (asoc->autoclose) 5184 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5185 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5186 5187 /* Enter the SHUTDOWN-ACK-SENT state. */ 5188 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5189 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5190 5191 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5192 * 5193 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5194 * or SHUTDOWN-ACK. 5195 */ 5196 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5197 5198 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5199 5200 return SCTP_DISPOSITION_CONSUME; 5201 5202 nomem: 5203 return SCTP_DISPOSITION_NOMEM; 5204 } 5205 5206 /* 5207 * Ignore the event defined as other 5208 * 5209 * The return value is the disposition of the event. 5210 */ 5211 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 5212 const struct sctp_association *asoc, 5213 const sctp_subtype_t type, 5214 void *arg, 5215 sctp_cmd_seq_t *commands) 5216 { 5217 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 5218 return SCTP_DISPOSITION_DISCARD; 5219 } 5220 5221 /************************************************************ 5222 * These are the state functions for handling timeout events. 5223 ************************************************************/ 5224 5225 /* 5226 * RTX Timeout 5227 * 5228 * Section: 6.3.3 Handle T3-rtx Expiration 5229 * 5230 * Whenever the retransmission timer T3-rtx expires for a destination 5231 * address, do the following: 5232 * [See below] 5233 * 5234 * The return value is the disposition of the chunk. 5235 */ 5236 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 5237 const struct sctp_association *asoc, 5238 const sctp_subtype_t type, 5239 void *arg, 5240 sctp_cmd_seq_t *commands) 5241 { 5242 struct sctp_transport *transport = arg; 5243 5244 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 5245 5246 if (asoc->overall_error_count >= asoc->max_retrans) { 5247 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5248 SCTP_ERROR(ETIMEDOUT)); 5249 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5250 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5251 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5252 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5253 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5254 return SCTP_DISPOSITION_DELETE_TCB; 5255 } 5256 5257 /* E1) For the destination address for which the timer 5258 * expires, adjust its ssthresh with rules defined in Section 5259 * 7.2.3 and set the cwnd <- MTU. 5260 */ 5261 5262 /* E2) For the destination address for which the timer 5263 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5264 * maximum value discussed in rule C7 above (RTO.max) may be 5265 * used to provide an upper bound to this doubling operation. 5266 */ 5267 5268 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5269 * outstanding DATA chunks for the address for which the 5270 * T3-rtx has expired will fit into a single packet, subject 5271 * to the MTU constraint for the path corresponding to the 5272 * destination transport address to which the retransmission 5273 * is being sent (this may be different from the address for 5274 * which the timer expires [see Section 6.4]). Call this 5275 * value K. Bundle and retransmit those K DATA chunks in a 5276 * single packet to the destination endpoint. 5277 * 5278 * Note: Any DATA chunks that were sent to the address for 5279 * which the T3-rtx timer expired but did not fit in one MTU 5280 * (rule E3 above), should be marked for retransmission and 5281 * sent as soon as cwnd allows (normally when a SACK arrives). 5282 */ 5283 5284 /* Do some failure management (Section 8.2). */ 5285 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5286 5287 /* NB: Rules E4 and F1 are implicit in R1. */ 5288 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5289 5290 return SCTP_DISPOSITION_CONSUME; 5291 } 5292 5293 /* 5294 * Generate delayed SACK on timeout 5295 * 5296 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5297 * 5298 * The guidelines on delayed acknowledgement algorithm specified in 5299 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5300 * acknowledgement SHOULD be generated for at least every second packet 5301 * (not every second DATA chunk) received, and SHOULD be generated 5302 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5303 * some situations it may be beneficial for an SCTP transmitter to be 5304 * more conservative than the algorithms detailed in this document 5305 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5306 * the following algorithms allow. 5307 */ 5308 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 5309 const struct sctp_association *asoc, 5310 const sctp_subtype_t type, 5311 void *arg, 5312 sctp_cmd_seq_t *commands) 5313 { 5314 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 5315 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5316 return SCTP_DISPOSITION_CONSUME; 5317 } 5318 5319 /* 5320 * sctp_sf_t1_init_timer_expire 5321 * 5322 * Section: 4 Note: 2 5323 * Verification Tag: 5324 * Inputs 5325 * (endpoint, asoc) 5326 * 5327 * RFC 2960 Section 4 Notes 5328 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5329 * and re-start the T1-init timer without changing state. This MUST 5330 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5331 * endpoint MUST abort the initialization process and report the 5332 * error to SCTP user. 5333 * 5334 * Outputs 5335 * (timers, events) 5336 * 5337 */ 5338 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 5339 const struct sctp_association *asoc, 5340 const sctp_subtype_t type, 5341 void *arg, 5342 sctp_cmd_seq_t *commands) 5343 { 5344 struct sctp_chunk *repl = NULL; 5345 struct sctp_bind_addr *bp; 5346 int attempts = asoc->init_err_counter + 1; 5347 5348 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 5349 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 5350 5351 if (attempts <= asoc->max_init_attempts) { 5352 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5353 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5354 if (!repl) 5355 return SCTP_DISPOSITION_NOMEM; 5356 5357 /* Choose transport for INIT. */ 5358 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5359 SCTP_CHUNK(repl)); 5360 5361 /* Issue a sideeffect to do the needed accounting. */ 5362 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5363 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5364 5365 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5366 } else { 5367 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 5368 " max_init_attempts: %d\n", 5369 attempts, asoc->max_init_attempts); 5370 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5371 SCTP_ERROR(ETIMEDOUT)); 5372 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5373 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5374 return SCTP_DISPOSITION_DELETE_TCB; 5375 } 5376 5377 return SCTP_DISPOSITION_CONSUME; 5378 } 5379 5380 /* 5381 * sctp_sf_t1_cookie_timer_expire 5382 * 5383 * Section: 4 Note: 2 5384 * Verification Tag: 5385 * Inputs 5386 * (endpoint, asoc) 5387 * 5388 * RFC 2960 Section 4 Notes 5389 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5390 * COOKIE ECHO and re-start the T1-cookie timer without changing 5391 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5392 * After that, the endpoint MUST abort the initialization process and 5393 * report the error to SCTP user. 5394 * 5395 * Outputs 5396 * (timers, events) 5397 * 5398 */ 5399 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 5400 const struct sctp_association *asoc, 5401 const sctp_subtype_t type, 5402 void *arg, 5403 sctp_cmd_seq_t *commands) 5404 { 5405 struct sctp_chunk *repl = NULL; 5406 int attempts = asoc->init_err_counter + 1; 5407 5408 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 5409 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 5410 5411 if (attempts <= asoc->max_init_attempts) { 5412 repl = sctp_make_cookie_echo(asoc, NULL); 5413 if (!repl) 5414 return SCTP_DISPOSITION_NOMEM; 5415 5416 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5417 SCTP_CHUNK(repl)); 5418 /* Issue a sideeffect to do the needed accounting. */ 5419 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5420 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5421 5422 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5423 } else { 5424 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5425 SCTP_ERROR(ETIMEDOUT)); 5426 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5427 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5428 return SCTP_DISPOSITION_DELETE_TCB; 5429 } 5430 5431 return SCTP_DISPOSITION_CONSUME; 5432 } 5433 5434 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5435 * with the updated last sequential TSN received from its peer. 5436 * 5437 * An endpoint should limit the number of retransmissions of the 5438 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5439 * If this threshold is exceeded the endpoint should destroy the TCB and 5440 * MUST report the peer endpoint unreachable to the upper layer (and 5441 * thus the association enters the CLOSED state). The reception of any 5442 * packet from its peer (i.e. as the peer sends all of its queued DATA 5443 * chunks) should clear the endpoint's retransmission count and restart 5444 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5445 * all of its queued DATA chunks that have not yet been sent. 5446 */ 5447 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 5448 const struct sctp_association *asoc, 5449 const sctp_subtype_t type, 5450 void *arg, 5451 sctp_cmd_seq_t *commands) 5452 { 5453 struct sctp_chunk *reply = NULL; 5454 5455 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 5456 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5457 5458 ((struct sctp_association *)asoc)->shutdown_retries++; 5459 5460 if (asoc->overall_error_count >= asoc->max_retrans) { 5461 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5462 SCTP_ERROR(ETIMEDOUT)); 5463 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5464 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5465 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5466 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5467 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5468 return SCTP_DISPOSITION_DELETE_TCB; 5469 } 5470 5471 switch (asoc->state) { 5472 case SCTP_STATE_SHUTDOWN_SENT: 5473 reply = sctp_make_shutdown(asoc, NULL); 5474 break; 5475 5476 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5477 reply = sctp_make_shutdown_ack(asoc, NULL); 5478 break; 5479 5480 default: 5481 BUG(); 5482 break; 5483 } 5484 5485 if (!reply) 5486 goto nomem; 5487 5488 /* Do some failure management (Section 8.2). 5489 * If we remove the transport an SHUTDOWN was last sent to, don't 5490 * do failure management. 5491 */ 5492 if (asoc->shutdown_last_sent_to) 5493 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5494 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5495 5496 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5497 * the T2-shutdown timer. 5498 */ 5499 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5500 5501 /* Restart the T2-shutdown timer. */ 5502 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5503 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5504 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5505 return SCTP_DISPOSITION_CONSUME; 5506 5507 nomem: 5508 return SCTP_DISPOSITION_NOMEM; 5509 } 5510 5511 /* 5512 * ADDIP Section 4.1 ASCONF CHunk Procedures 5513 * If the T4 RTO timer expires the endpoint should do B1 to B5 5514 */ 5515 sctp_disposition_t sctp_sf_t4_timer_expire( 5516 const struct sctp_endpoint *ep, 5517 const struct sctp_association *asoc, 5518 const sctp_subtype_t type, 5519 void *arg, 5520 sctp_cmd_seq_t *commands) 5521 { 5522 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5523 struct sctp_transport *transport = chunk->transport; 5524 5525 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 5526 5527 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5528 * detection on the appropriate destination address as defined in 5529 * RFC2960 [5] section 8.1 and 8.2. 5530 */ 5531 if (transport) 5532 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5533 SCTP_TRANSPORT(transport)); 5534 5535 /* Reconfig T4 timer and transport. */ 5536 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5537 5538 /* ADDIP 4.1 B2) Increment the association error counters and perform 5539 * endpoint failure detection on the association as defined in 5540 * RFC2960 [5] section 8.1 and 8.2. 5541 * association error counter is incremented in SCTP_CMD_STRIKE. 5542 */ 5543 if (asoc->overall_error_count >= asoc->max_retrans) { 5544 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5545 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5546 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5547 SCTP_ERROR(ETIMEDOUT)); 5548 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5549 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5550 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5551 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5552 return SCTP_DISPOSITION_ABORT; 5553 } 5554 5555 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5556 * the ASCONF chunk was sent by doubling the RTO timer value. 5557 * This is done in SCTP_CMD_STRIKE. 5558 */ 5559 5560 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5561 * choose an alternate destination address (please refer to RFC2960 5562 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5563 * chunk, it MUST be the same (including its serial number) as the last 5564 * ASCONF sent. 5565 */ 5566 sctp_chunk_hold(asoc->addip_last_asconf); 5567 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5568 SCTP_CHUNK(asoc->addip_last_asconf)); 5569 5570 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5571 * destination is selected, then the RTO used will be that of the new 5572 * destination address. 5573 */ 5574 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5575 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5576 5577 return SCTP_DISPOSITION_CONSUME; 5578 } 5579 5580 /* sctpimpguide-05 Section 2.12.2 5581 * The sender of the SHUTDOWN MAY also start an overall guard timer 5582 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5583 * At the expiration of this timer the sender SHOULD abort the association 5584 * by sending an ABORT chunk. 5585 */ 5586 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 5587 const struct sctp_association *asoc, 5588 const sctp_subtype_t type, 5589 void *arg, 5590 sctp_cmd_seq_t *commands) 5591 { 5592 struct sctp_chunk *reply = NULL; 5593 5594 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 5595 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5596 5597 reply = sctp_make_abort(asoc, NULL, 0); 5598 if (!reply) 5599 goto nomem; 5600 5601 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5602 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5603 SCTP_ERROR(ETIMEDOUT)); 5604 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5605 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5606 5607 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5608 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5609 5610 return SCTP_DISPOSITION_DELETE_TCB; 5611 nomem: 5612 return SCTP_DISPOSITION_NOMEM; 5613 } 5614 5615 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5616 * the association is automatically closed by starting the shutdown process. 5617 * The work that needs to be done is same as when SHUTDOWN is initiated by 5618 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5619 */ 5620 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5621 const struct sctp_endpoint *ep, 5622 const struct sctp_association *asoc, 5623 const sctp_subtype_t type, 5624 void *arg, 5625 sctp_cmd_seq_t *commands) 5626 { 5627 int disposition; 5628 5629 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 5630 5631 /* From 9.2 Shutdown of an Association 5632 * Upon receipt of the SHUTDOWN primitive from its upper 5633 * layer, the endpoint enters SHUTDOWN-PENDING state and 5634 * remains there until all outstanding data has been 5635 * acknowledged by its peer. The endpoint accepts no new data 5636 * from its upper layer, but retransmits data to the far end 5637 * if necessary to fill gaps. 5638 */ 5639 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5640 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5641 5642 disposition = SCTP_DISPOSITION_CONSUME; 5643 if (sctp_outq_is_empty(&asoc->outqueue)) { 5644 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 5645 arg, commands); 5646 } 5647 return disposition; 5648 } 5649 5650 /***************************************************************************** 5651 * These are sa state functions which could apply to all types of events. 5652 ****************************************************************************/ 5653 5654 /* 5655 * This table entry is not implemented. 5656 * 5657 * Inputs 5658 * (endpoint, asoc, chunk) 5659 * 5660 * The return value is the disposition of the chunk. 5661 */ 5662 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 5663 const struct sctp_association *asoc, 5664 const sctp_subtype_t type, 5665 void *arg, 5666 sctp_cmd_seq_t *commands) 5667 { 5668 return SCTP_DISPOSITION_NOT_IMPL; 5669 } 5670 5671 /* 5672 * This table entry represents a bug. 5673 * 5674 * Inputs 5675 * (endpoint, asoc, chunk) 5676 * 5677 * The return value is the disposition of the chunk. 5678 */ 5679 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 5680 const struct sctp_association *asoc, 5681 const sctp_subtype_t type, 5682 void *arg, 5683 sctp_cmd_seq_t *commands) 5684 { 5685 return SCTP_DISPOSITION_BUG; 5686 } 5687 5688 /* 5689 * This table entry represents the firing of a timer in the wrong state. 5690 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5691 * when the association is in the wrong state. This event should 5692 * be ignored, so as to prevent any rearming of the timer. 5693 * 5694 * Inputs 5695 * (endpoint, asoc, chunk) 5696 * 5697 * The return value is the disposition of the chunk. 5698 */ 5699 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 5700 const struct sctp_association *asoc, 5701 const sctp_subtype_t type, 5702 void *arg, 5703 sctp_cmd_seq_t *commands) 5704 { 5705 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5706 return SCTP_DISPOSITION_CONSUME; 5707 } 5708 5709 /******************************************************************** 5710 * 2nd Level Abstractions 5711 ********************************************************************/ 5712 5713 /* Pull the SACK chunk based on the SACK header. */ 5714 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5715 { 5716 struct sctp_sackhdr *sack; 5717 unsigned int len; 5718 __u16 num_blocks; 5719 __u16 num_dup_tsns; 5720 5721 /* Protect ourselves from reading too far into 5722 * the skb from a bogus sender. 5723 */ 5724 sack = (struct sctp_sackhdr *) chunk->skb->data; 5725 5726 num_blocks = ntohs(sack->num_gap_ack_blocks); 5727 num_dup_tsns = ntohs(sack->num_dup_tsns); 5728 len = sizeof(struct sctp_sackhdr); 5729 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5730 if (len > chunk->skb->len) 5731 return NULL; 5732 5733 skb_pull(chunk->skb, len); 5734 5735 return sack; 5736 } 5737 5738 /* Create an ABORT packet to be sent as a response, with the specified 5739 * error causes. 5740 */ 5741 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5742 const struct sctp_association *asoc, 5743 struct sctp_chunk *chunk, 5744 const void *payload, 5745 size_t paylen) 5746 { 5747 struct sctp_packet *packet; 5748 struct sctp_chunk *abort; 5749 5750 packet = sctp_ootb_pkt_new(asoc, chunk); 5751 5752 if (packet) { 5753 /* Make an ABORT. 5754 * The T bit will be set if the asoc is NULL. 5755 */ 5756 abort = sctp_make_abort(asoc, chunk, paylen); 5757 if (!abort) { 5758 sctp_ootb_pkt_free(packet); 5759 return NULL; 5760 } 5761 5762 /* Reflect vtag if T-Bit is set */ 5763 if (sctp_test_T_bit(abort)) 5764 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5765 5766 /* Add specified error causes, i.e., payload, to the 5767 * end of the chunk. 5768 */ 5769 sctp_addto_chunk(abort, paylen, payload); 5770 5771 /* Set the skb to the belonging sock for accounting. */ 5772 abort->skb->sk = ep->base.sk; 5773 5774 sctp_packet_append_chunk(packet, abort); 5775 5776 } 5777 5778 return packet; 5779 } 5780 5781 /* Allocate a packet for responding in the OOTB conditions. */ 5782 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5783 const struct sctp_chunk *chunk) 5784 { 5785 struct sctp_packet *packet; 5786 struct sctp_transport *transport; 5787 __u16 sport; 5788 __u16 dport; 5789 __u32 vtag; 5790 5791 /* Get the source and destination port from the inbound packet. */ 5792 sport = ntohs(chunk->sctp_hdr->dest); 5793 dport = ntohs(chunk->sctp_hdr->source); 5794 5795 /* The V-tag is going to be the same as the inbound packet if no 5796 * association exists, otherwise, use the peer's vtag. 5797 */ 5798 if (asoc) { 5799 /* Special case the INIT-ACK as there is no peer's vtag 5800 * yet. 5801 */ 5802 switch(chunk->chunk_hdr->type) { 5803 case SCTP_CID_INIT_ACK: 5804 { 5805 sctp_initack_chunk_t *initack; 5806 5807 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 5808 vtag = ntohl(initack->init_hdr.init_tag); 5809 break; 5810 } 5811 default: 5812 vtag = asoc->peer.i.init_tag; 5813 break; 5814 } 5815 } else { 5816 /* Special case the INIT and stale COOKIE_ECHO as there is no 5817 * vtag yet. 5818 */ 5819 switch(chunk->chunk_hdr->type) { 5820 case SCTP_CID_INIT: 5821 { 5822 sctp_init_chunk_t *init; 5823 5824 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5825 vtag = ntohl(init->init_hdr.init_tag); 5826 break; 5827 } 5828 default: 5829 vtag = ntohl(chunk->sctp_hdr->vtag); 5830 break; 5831 } 5832 } 5833 5834 /* Make a transport for the bucket, Eliza... */ 5835 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5836 if (!transport) 5837 goto nomem; 5838 5839 /* Cache a route for the transport with the chunk's destination as 5840 * the source address. 5841 */ 5842 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5843 sctp_sk(sctp_get_ctl_sock())); 5844 5845 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5846 packet = sctp_packet_config(packet, vtag, 0); 5847 5848 return packet; 5849 5850 nomem: 5851 return NULL; 5852 } 5853 5854 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5855 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5856 { 5857 sctp_transport_free(packet->transport); 5858 } 5859 5860 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5861 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5862 const struct sctp_association *asoc, 5863 const struct sctp_chunk *chunk, 5864 sctp_cmd_seq_t *commands, 5865 struct sctp_chunk *err_chunk) 5866 { 5867 struct sctp_packet *packet; 5868 5869 if (err_chunk) { 5870 packet = sctp_ootb_pkt_new(asoc, chunk); 5871 if (packet) { 5872 struct sctp_signed_cookie *cookie; 5873 5874 /* Override the OOTB vtag from the cookie. */ 5875 cookie = chunk->subh.cookie_hdr; 5876 packet->vtag = cookie->c.peer_vtag; 5877 5878 /* Set the skb to the belonging sock for accounting. */ 5879 err_chunk->skb->sk = ep->base.sk; 5880 sctp_packet_append_chunk(packet, err_chunk); 5881 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5882 SCTP_PACKET(packet)); 5883 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5884 } else 5885 sctp_chunk_free (err_chunk); 5886 } 5887 } 5888 5889 5890 /* Process a data chunk */ 5891 static int sctp_eat_data(const struct sctp_association *asoc, 5892 struct sctp_chunk *chunk, 5893 sctp_cmd_seq_t *commands) 5894 { 5895 sctp_datahdr_t *data_hdr; 5896 struct sctp_chunk *err; 5897 size_t datalen; 5898 sctp_verb_t deliver; 5899 int tmp; 5900 __u32 tsn; 5901 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5902 struct sock *sk = asoc->base.sk; 5903 u16 ssn; 5904 u16 sid; 5905 u8 ordered = 0; 5906 5907 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5908 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5909 5910 tsn = ntohl(data_hdr->tsn); 5911 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5912 5913 /* ASSERT: Now skb->data is really the user data. */ 5914 5915 /* Process ECN based congestion. 5916 * 5917 * Since the chunk structure is reused for all chunks within 5918 * a packet, we use ecn_ce_done to track if we've already 5919 * done CE processing for this packet. 5920 * 5921 * We need to do ECN processing even if we plan to discard the 5922 * chunk later. 5923 */ 5924 5925 if (!chunk->ecn_ce_done) { 5926 struct sctp_af *af; 5927 chunk->ecn_ce_done = 1; 5928 5929 af = sctp_get_af_specific( 5930 ipver2af(ip_hdr(chunk->skb)->version)); 5931 5932 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5933 /* Do real work as sideffect. */ 5934 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5935 SCTP_U32(tsn)); 5936 } 5937 } 5938 5939 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5940 if (tmp < 0) { 5941 /* The TSN is too high--silently discard the chunk and 5942 * count on it getting retransmitted later. 5943 */ 5944 return SCTP_IERROR_HIGH_TSN; 5945 } else if (tmp > 0) { 5946 /* This is a duplicate. Record it. */ 5947 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5948 return SCTP_IERROR_DUP_TSN; 5949 } 5950 5951 /* This is a new TSN. */ 5952 5953 /* Discard if there is no room in the receive window. 5954 * Actually, allow a little bit of overflow (up to a MTU). 5955 */ 5956 datalen = ntohs(chunk->chunk_hdr->length); 5957 datalen -= sizeof(sctp_data_chunk_t); 5958 5959 deliver = SCTP_CMD_CHUNK_ULP; 5960 5961 /* Think about partial delivery. */ 5962 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5963 5964 /* Even if we don't accept this chunk there is 5965 * memory pressure. 5966 */ 5967 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5968 } 5969 5970 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5971 * seems a bit troublesome in that frag_point varies based on 5972 * PMTU. In cases, such as loopback, this might be a rather 5973 * large spill over. 5974 */ 5975 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 5976 (datalen > asoc->rwnd + asoc->frag_point))) { 5977 5978 /* If this is the next TSN, consider reneging to make 5979 * room. Note: Playing nice with a confused sender. A 5980 * malicious sender can still eat up all our buffer 5981 * space and in the future we may want to detect and 5982 * do more drastic reneging. 5983 */ 5984 if (sctp_tsnmap_has_gap(map) && 5985 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5986 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5987 deliver = SCTP_CMD_RENEGE; 5988 } else { 5989 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5990 "rwnd: %d\n", tsn, datalen, 5991 asoc->rwnd); 5992 return SCTP_IERROR_IGNORE_TSN; 5993 } 5994 } 5995 5996 /* 5997 * Also try to renege to limit our memory usage in the event that 5998 * we are under memory pressure 5999 * If we can't renege, don't worry about it, the sk_rmem_schedule 6000 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6001 * memory usage too much 6002 */ 6003 if (*sk->sk_prot_creator->memory_pressure) { 6004 if (sctp_tsnmap_has_gap(map) && 6005 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6006 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn); 6007 deliver = SCTP_CMD_RENEGE; 6008 } 6009 } 6010 6011 /* 6012 * Section 3.3.10.9 No User Data (9) 6013 * 6014 * Cause of error 6015 * --------------- 6016 * No User Data: This error cause is returned to the originator of a 6017 * DATA chunk if a received DATA chunk has no user data. 6018 */ 6019 if (unlikely(0 == datalen)) { 6020 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6021 if (err) { 6022 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6023 SCTP_CHUNK(err)); 6024 } 6025 /* We are going to ABORT, so we might as well stop 6026 * processing the rest of the chunks in the packet. 6027 */ 6028 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 6029 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6030 SCTP_ERROR(ECONNABORTED)); 6031 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6032 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6033 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 6034 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 6035 return SCTP_IERROR_NO_DATA; 6036 } 6037 6038 chunk->data_accepted = 1; 6039 6040 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6041 * if we renege and the chunk arrives again. 6042 */ 6043 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 6044 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 6045 else { 6046 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 6047 ordered = 1; 6048 } 6049 6050 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6051 * 6052 * If an endpoint receive a DATA chunk with an invalid stream 6053 * identifier, it shall acknowledge the reception of the DATA chunk 6054 * following the normal procedure, immediately send an ERROR chunk 6055 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6056 * and discard the DATA chunk. 6057 */ 6058 sid = ntohs(data_hdr->stream); 6059 if (sid >= asoc->c.sinit_max_instreams) { 6060 /* Mark tsn as received even though we drop it */ 6061 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6062 6063 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6064 &data_hdr->stream, 6065 sizeof(data_hdr->stream), 6066 sizeof(u16)); 6067 if (err) 6068 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6069 SCTP_CHUNK(err)); 6070 return SCTP_IERROR_BAD_STREAM; 6071 } 6072 6073 /* Check to see if the SSN is possible for this TSN. 6074 * The biggest gap we can record is 4K wide. Since SSNs wrap 6075 * at an unsigned short, there is no way that an SSN can 6076 * wrap and for a valid TSN. We can simply check if the current 6077 * SSN is smaller then the next expected one. If it is, it wrapped 6078 * and is invalid. 6079 */ 6080 ssn = ntohs(data_hdr->ssn); 6081 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) { 6082 return SCTP_IERROR_PROTO_VIOLATION; 6083 } 6084 6085 /* Send the data up to the user. Note: Schedule the 6086 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6087 * chunk needs the updated rwnd. 6088 */ 6089 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6090 6091 return SCTP_IERROR_NO_ERROR; 6092 } 6093