1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, write to 26 * the Free Software Foundation, 59 Temple Place - Suite 330, 27 * Boston, MA 02111-1307, USA. 28 * 29 * Please send any bug reports or fixes you make to the 30 * email address(es): 31 * lksctp developers <lksctp-developers@lists.sourceforge.net> 32 * 33 * Or submit a bug report through the following website: 34 * http://www.sf.net/projects/lksctp 35 * 36 * Written or modified by: 37 * La Monte H.P. Yarroll <piggy@acm.org> 38 * Karl Knutson <karl@athena.chicago.il.us> 39 * Mathew Kotowsky <kotowsky@sctp.org> 40 * Sridhar Samudrala <samudrala@us.ibm.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Dajiang Zhang <dajiang.zhang@nokia.com> 44 * Daisy Chang <daisyc@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * Ryan Layer <rmlayer@us.ibm.com> 47 * Kevin Gao <kevin.gao@intel.com> 48 * 49 * Any bugs reported given to us we will try to fix... any fixes shared will 50 * be incorporated into the next SCTP release. 51 */ 52 53 #include <linux/types.h> 54 #include <linux/kernel.h> 55 #include <linux/ip.h> 56 #include <linux/ipv6.h> 57 #include <linux/net.h> 58 #include <linux/inet.h> 59 #include <net/sock.h> 60 #include <net/inet_ecn.h> 61 #include <linux/skbuff.h> 62 #include <net/sctp/sctp.h> 63 #include <net/sctp/sm.h> 64 #include <net/sctp/structs.h> 65 66 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 67 const struct sctp_association *asoc, 68 struct sctp_chunk *chunk, 69 const void *payload, 70 size_t paylen); 71 static int sctp_eat_data(const struct sctp_association *asoc, 72 struct sctp_chunk *chunk, 73 sctp_cmd_seq_t *commands); 74 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 75 const struct sctp_chunk *chunk); 76 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 77 const struct sctp_association *asoc, 78 const struct sctp_chunk *chunk, 79 sctp_cmd_seq_t *commands, 80 struct sctp_chunk *err_chunk); 81 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 82 const struct sctp_association *asoc, 83 const sctp_subtype_t type, 84 void *arg, 85 sctp_cmd_seq_t *commands); 86 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 87 const struct sctp_association *asoc, 88 const sctp_subtype_t type, 89 void *arg, 90 sctp_cmd_seq_t *commands); 91 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 92 const struct sctp_association *asoc, 93 const sctp_subtype_t type, 94 void *arg, 95 sctp_cmd_seq_t *commands); 96 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 97 98 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 99 __be16 error, int sk_err, 100 const struct sctp_association *asoc, 101 struct sctp_transport *transport); 102 103 static sctp_disposition_t sctp_sf_abort_violation( 104 const struct sctp_endpoint *ep, 105 const struct sctp_association *asoc, 106 void *arg, 107 sctp_cmd_seq_t *commands, 108 const __u8 *payload, 109 const size_t paylen); 110 111 static sctp_disposition_t sctp_sf_violation_chunklen( 112 const struct sctp_endpoint *ep, 113 const struct sctp_association *asoc, 114 const sctp_subtype_t type, 115 void *arg, 116 sctp_cmd_seq_t *commands); 117 118 static sctp_disposition_t sctp_sf_violation_paramlen( 119 const struct sctp_endpoint *ep, 120 const struct sctp_association *asoc, 121 const sctp_subtype_t type, 122 void *arg, 123 sctp_cmd_seq_t *commands); 124 125 static sctp_disposition_t sctp_sf_violation_ctsn( 126 const struct sctp_endpoint *ep, 127 const struct sctp_association *asoc, 128 const sctp_subtype_t type, 129 void *arg, 130 sctp_cmd_seq_t *commands); 131 132 static sctp_disposition_t sctp_sf_violation_chunk( 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const sctp_subtype_t type, 136 void *arg, 137 sctp_cmd_seq_t *commands); 138 139 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 140 const struct sctp_association *asoc, 141 const sctp_subtype_t type, 142 struct sctp_chunk *chunk); 143 144 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 145 const struct sctp_association *asoc, 146 const sctp_subtype_t type, 147 void *arg, 148 sctp_cmd_seq_t *commands); 149 150 /* Small helper function that checks if the chunk length 151 * is of the appropriate length. The 'required_length' argument 152 * is set to be the size of a specific chunk we are testing. 153 * Return Values: 1 = Valid length 154 * 0 = Invalid length 155 * 156 */ 157 static inline int 158 sctp_chunk_length_valid(struct sctp_chunk *chunk, 159 __u16 required_length) 160 { 161 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 162 163 if (unlikely(chunk_length < required_length)) 164 return 0; 165 166 return 1; 167 } 168 169 /********************************************************** 170 * These are the state functions for handling chunk events. 171 **********************************************************/ 172 173 /* 174 * Process the final SHUTDOWN COMPLETE. 175 * 176 * Section: 4 (C) (diagram), 9.2 177 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 178 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 179 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 180 * should stop the T2-shutdown timer and remove all knowledge of the 181 * association (and thus the association enters the CLOSED state). 182 * 183 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 184 * C) Rules for packet carrying SHUTDOWN COMPLETE: 185 * ... 186 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 187 * if the Verification Tag field of the packet matches its own tag and 188 * the T bit is not set 189 * OR 190 * it is set to its peer's tag and the T bit is set in the Chunk 191 * Flags. 192 * Otherwise, the receiver MUST silently discard the packet 193 * and take no further action. An endpoint MUST ignore the 194 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 195 * 196 * Inputs 197 * (endpoint, asoc, chunk) 198 * 199 * Outputs 200 * (asoc, reply_msg, msg_up, timers, counters) 201 * 202 * The return value is the disposition of the chunk. 203 */ 204 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 205 const struct sctp_association *asoc, 206 const sctp_subtype_t type, 207 void *arg, 208 sctp_cmd_seq_t *commands) 209 { 210 struct sctp_chunk *chunk = arg; 211 struct sctp_ulpevent *ev; 212 213 if (!sctp_vtag_verify_either(chunk, asoc)) 214 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 215 216 /* RFC 2960 6.10 Bundling 217 * 218 * An endpoint MUST NOT bundle INIT, INIT ACK or 219 * SHUTDOWN COMPLETE with any other chunks. 220 */ 221 if (!chunk->singleton) 222 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 223 224 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 225 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 226 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 227 commands); 228 229 /* RFC 2960 10.2 SCTP-to-ULP 230 * 231 * H) SHUTDOWN COMPLETE notification 232 * 233 * When SCTP completes the shutdown procedures (section 9.2) this 234 * notification is passed to the upper layer. 235 */ 236 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 237 0, 0, 0, NULL, GFP_ATOMIC); 238 if (ev) 239 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 240 SCTP_ULPEVENT(ev)); 241 242 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 243 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 244 * not the chunk should be discarded. If the endpoint is in 245 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 246 * T2-shutdown timer and remove all knowledge of the 247 * association (and thus the association enters the CLOSED 248 * state). 249 */ 250 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 251 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 252 253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 254 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 255 256 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 257 SCTP_STATE(SCTP_STATE_CLOSED)); 258 259 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 260 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 261 262 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 263 264 return SCTP_DISPOSITION_DELETE_TCB; 265 } 266 267 /* 268 * Respond to a normal INIT chunk. 269 * We are the side that is being asked for an association. 270 * 271 * Section: 5.1 Normal Establishment of an Association, B 272 * B) "Z" shall respond immediately with an INIT ACK chunk. The 273 * destination IP address of the INIT ACK MUST be set to the source 274 * IP address of the INIT to which this INIT ACK is responding. In 275 * the response, besides filling in other parameters, "Z" must set the 276 * Verification Tag field to Tag_A, and also provide its own 277 * Verification Tag (Tag_Z) in the Initiate Tag field. 278 * 279 * Verification Tag: Must be 0. 280 * 281 * Inputs 282 * (endpoint, asoc, chunk) 283 * 284 * Outputs 285 * (asoc, reply_msg, msg_up, timers, counters) 286 * 287 * The return value is the disposition of the chunk. 288 */ 289 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 290 const struct sctp_association *asoc, 291 const sctp_subtype_t type, 292 void *arg, 293 sctp_cmd_seq_t *commands) 294 { 295 struct sctp_chunk *chunk = arg; 296 struct sctp_chunk *repl; 297 struct sctp_association *new_asoc; 298 struct sctp_chunk *err_chunk; 299 struct sctp_packet *packet; 300 sctp_unrecognized_param_t *unk_param; 301 int len; 302 303 /* 6.10 Bundling 304 * An endpoint MUST NOT bundle INIT, INIT ACK or 305 * SHUTDOWN COMPLETE with any other chunks. 306 * 307 * IG Section 2.11.2 308 * Furthermore, we require that the receiver of an INIT chunk MUST 309 * enforce these rules by silently discarding an arriving packet 310 * with an INIT chunk that is bundled with other chunks. 311 */ 312 if (!chunk->singleton) 313 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 314 315 /* If the packet is an OOTB packet which is temporarily on the 316 * control endpoint, respond with an ABORT. 317 */ 318 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 319 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 320 321 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 322 * Tag. 323 */ 324 if (chunk->sctp_hdr->vtag != 0) 325 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 326 327 /* Make sure that the INIT chunk has a valid length. 328 * Normally, this would cause an ABORT with a Protocol Violation 329 * error, but since we don't have an association, we'll 330 * just discard the packet. 331 */ 332 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 333 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 334 335 /* Verify the INIT chunk before processing it. */ 336 err_chunk = NULL; 337 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 338 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 339 &err_chunk)) { 340 /* This chunk contains fatal error. It is to be discarded. 341 * Send an ABORT, with causes if there is any. 342 */ 343 if (err_chunk) { 344 packet = sctp_abort_pkt_new(ep, asoc, arg, 345 (__u8 *)(err_chunk->chunk_hdr) + 346 sizeof(sctp_chunkhdr_t), 347 ntohs(err_chunk->chunk_hdr->length) - 348 sizeof(sctp_chunkhdr_t)); 349 350 sctp_chunk_free(err_chunk); 351 352 if (packet) { 353 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 354 SCTP_PACKET(packet)); 355 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 356 return SCTP_DISPOSITION_CONSUME; 357 } else { 358 return SCTP_DISPOSITION_NOMEM; 359 } 360 } else { 361 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 362 commands); 363 } 364 } 365 366 /* Grab the INIT header. */ 367 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 368 369 /* Tag the variable length parameters. */ 370 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 371 372 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 373 if (!new_asoc) 374 goto nomem; 375 376 /* The call, sctp_process_init(), can fail on memory allocation. */ 377 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 378 sctp_source(chunk), 379 (sctp_init_chunk_t *)chunk->chunk_hdr, 380 GFP_ATOMIC)) 381 goto nomem_init; 382 383 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 384 385 /* If there are errors need to be reported for unknown parameters, 386 * make sure to reserve enough room in the INIT ACK for them. 387 */ 388 len = 0; 389 if (err_chunk) 390 len = ntohs(err_chunk->chunk_hdr->length) - 391 sizeof(sctp_chunkhdr_t); 392 393 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 394 goto nomem_init; 395 396 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 397 if (!repl) 398 goto nomem_init; 399 400 /* If there are errors need to be reported for unknown parameters, 401 * include them in the outgoing INIT ACK as "Unrecognized parameter" 402 * parameter. 403 */ 404 if (err_chunk) { 405 /* Get the "Unrecognized parameter" parameter(s) out of the 406 * ERROR chunk generated by sctp_verify_init(). Since the 407 * error cause code for "unknown parameter" and the 408 * "Unrecognized parameter" type is the same, we can 409 * construct the parameters in INIT ACK by copying the 410 * ERROR causes over. 411 */ 412 unk_param = (sctp_unrecognized_param_t *) 413 ((__u8 *)(err_chunk->chunk_hdr) + 414 sizeof(sctp_chunkhdr_t)); 415 /* Replace the cause code with the "Unrecognized parameter" 416 * parameter type. 417 */ 418 sctp_addto_chunk(repl, len, unk_param); 419 sctp_chunk_free(err_chunk); 420 } 421 422 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 423 424 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 425 426 /* 427 * Note: After sending out INIT ACK with the State Cookie parameter, 428 * "Z" MUST NOT allocate any resources, nor keep any states for the 429 * new association. Otherwise, "Z" will be vulnerable to resource 430 * attacks. 431 */ 432 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 433 434 return SCTP_DISPOSITION_DELETE_TCB; 435 436 nomem_init: 437 sctp_association_free(new_asoc); 438 nomem: 439 if (err_chunk) 440 sctp_chunk_free(err_chunk); 441 return SCTP_DISPOSITION_NOMEM; 442 } 443 444 /* 445 * Respond to a normal INIT ACK chunk. 446 * We are the side that is initiating the association. 447 * 448 * Section: 5.1 Normal Establishment of an Association, C 449 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 450 * timer and leave COOKIE-WAIT state. "A" shall then send the State 451 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 452 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 453 * 454 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 455 * DATA chunks, but it MUST be the first chunk in the packet and 456 * until the COOKIE ACK is returned the sender MUST NOT send any 457 * other packets to the peer. 458 * 459 * Verification Tag: 3.3.3 460 * If the value of the Initiate Tag in a received INIT ACK chunk is 461 * found to be 0, the receiver MUST treat it as an error and close the 462 * association by transmitting an ABORT. 463 * 464 * Inputs 465 * (endpoint, asoc, chunk) 466 * 467 * Outputs 468 * (asoc, reply_msg, msg_up, timers, counters) 469 * 470 * The return value is the disposition of the chunk. 471 */ 472 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 473 const struct sctp_association *asoc, 474 const sctp_subtype_t type, 475 void *arg, 476 sctp_cmd_seq_t *commands) 477 { 478 struct sctp_chunk *chunk = arg; 479 sctp_init_chunk_t *initchunk; 480 struct sctp_chunk *err_chunk; 481 struct sctp_packet *packet; 482 483 if (!sctp_vtag_verify(chunk, asoc)) 484 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 485 486 /* 6.10 Bundling 487 * An endpoint MUST NOT bundle INIT, INIT ACK or 488 * SHUTDOWN COMPLETE with any other chunks. 489 */ 490 if (!chunk->singleton) 491 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); 492 493 /* Make sure that the INIT-ACK chunk has a valid length */ 494 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 495 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 496 commands); 497 /* Grab the INIT header. */ 498 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 499 500 /* Verify the INIT chunk before processing it. */ 501 err_chunk = NULL; 502 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 503 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 504 &err_chunk)) { 505 506 sctp_error_t error = SCTP_ERROR_NO_RESOURCE; 507 508 /* This chunk contains fatal error. It is to be discarded. 509 * Send an ABORT, with causes. If there are no causes, 510 * then there wasn't enough memory. Just terminate 511 * the association. 512 */ 513 if (err_chunk) { 514 packet = sctp_abort_pkt_new(ep, asoc, arg, 515 (__u8 *)(err_chunk->chunk_hdr) + 516 sizeof(sctp_chunkhdr_t), 517 ntohs(err_chunk->chunk_hdr->length) - 518 sizeof(sctp_chunkhdr_t)); 519 520 sctp_chunk_free(err_chunk); 521 522 if (packet) { 523 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 524 SCTP_PACKET(packet)); 525 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 526 error = SCTP_ERROR_INV_PARAM; 527 } 528 } 529 530 /* SCTP-AUTH, Section 6.3: 531 * It should be noted that if the receiver wants to tear 532 * down an association in an authenticated way only, the 533 * handling of malformed packets should not result in 534 * tearing down the association. 535 * 536 * This means that if we only want to abort associations 537 * in an authenticated way (i.e AUTH+ABORT), then we 538 * can't destroy this association just becuase the packet 539 * was malformed. 540 */ 541 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 542 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 543 544 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 545 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 546 asoc, chunk->transport); 547 } 548 549 /* Tag the variable length parameters. Note that we never 550 * convert the parameters in an INIT chunk. 551 */ 552 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 553 554 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 555 556 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 557 SCTP_PEER_INIT(initchunk)); 558 559 /* Reset init error count upon receipt of INIT-ACK. */ 560 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 561 562 /* 5.1 C) "A" shall stop the T1-init timer and leave 563 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 564 * timer, and enter the COOKIE-ECHOED state. 565 */ 566 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 567 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 568 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 569 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 570 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 571 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 572 573 /* SCTP-AUTH: genereate the assocition shared keys so that 574 * we can potentially signe the COOKIE-ECHO. 575 */ 576 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 577 578 /* 5.1 C) "A" shall then send the State Cookie received in the 579 * INIT ACK chunk in a COOKIE ECHO chunk, ... 580 */ 581 /* If there is any errors to report, send the ERROR chunk generated 582 * for unknown parameters as well. 583 */ 584 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 585 SCTP_CHUNK(err_chunk)); 586 587 return SCTP_DISPOSITION_CONSUME; 588 } 589 590 /* 591 * Respond to a normal COOKIE ECHO chunk. 592 * We are the side that is being asked for an association. 593 * 594 * Section: 5.1 Normal Establishment of an Association, D 595 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 596 * with a COOKIE ACK chunk after building a TCB and moving to 597 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 598 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 599 * chunk MUST be the first chunk in the packet. 600 * 601 * IMPLEMENTATION NOTE: An implementation may choose to send the 602 * Communication Up notification to the SCTP user upon reception 603 * of a valid COOKIE ECHO chunk. 604 * 605 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 606 * D) Rules for packet carrying a COOKIE ECHO 607 * 608 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 609 * Initial Tag received in the INIT ACK. 610 * 611 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 612 * 613 * Inputs 614 * (endpoint, asoc, chunk) 615 * 616 * Outputs 617 * (asoc, reply_msg, msg_up, timers, counters) 618 * 619 * The return value is the disposition of the chunk. 620 */ 621 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 622 const struct sctp_association *asoc, 623 const sctp_subtype_t type, void *arg, 624 sctp_cmd_seq_t *commands) 625 { 626 struct sctp_chunk *chunk = arg; 627 struct sctp_association *new_asoc; 628 sctp_init_chunk_t *peer_init; 629 struct sctp_chunk *repl; 630 struct sctp_ulpevent *ev, *ai_ev = NULL; 631 int error = 0; 632 struct sctp_chunk *err_chk_p; 633 struct sock *sk; 634 635 /* If the packet is an OOTB packet which is temporarily on the 636 * control endpoint, respond with an ABORT. 637 */ 638 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 639 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 640 641 /* Make sure that the COOKIE_ECHO chunk has a valid length. 642 * In this case, we check that we have enough for at least a 643 * chunk header. More detailed verification is done 644 * in sctp_unpack_cookie(). 645 */ 646 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 647 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 648 649 /* If the endpoint is not listening or if the number of associations 650 * on the TCP-style socket exceed the max backlog, respond with an 651 * ABORT. 652 */ 653 sk = ep->base.sk; 654 if (!sctp_sstate(sk, LISTENING) || 655 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 656 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 657 658 /* "Decode" the chunk. We have no optional parameters so we 659 * are in good shape. 660 */ 661 chunk->subh.cookie_hdr = 662 (struct sctp_signed_cookie *)chunk->skb->data; 663 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 664 sizeof(sctp_chunkhdr_t))) 665 goto nomem; 666 667 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 668 * "Z" will reply with a COOKIE ACK chunk after building a TCB 669 * and moving to the ESTABLISHED state. 670 */ 671 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 672 &err_chk_p); 673 674 /* FIXME: 675 * If the re-build failed, what is the proper error path 676 * from here? 677 * 678 * [We should abort the association. --piggy] 679 */ 680 if (!new_asoc) { 681 /* FIXME: Several errors are possible. A bad cookie should 682 * be silently discarded, but think about logging it too. 683 */ 684 switch (error) { 685 case -SCTP_IERROR_NOMEM: 686 goto nomem; 687 688 case -SCTP_IERROR_STALE_COOKIE: 689 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 690 err_chk_p); 691 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 692 693 case -SCTP_IERROR_BAD_SIG: 694 default: 695 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 696 } 697 } 698 699 700 /* Delay state machine commands until later. 701 * 702 * Re-build the bind address for the association is done in 703 * the sctp_unpack_cookie() already. 704 */ 705 /* This is a brand-new association, so these are not yet side 706 * effects--it is safe to run them here. 707 */ 708 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 709 710 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 711 &chunk->subh.cookie_hdr->c.peer_addr, 712 peer_init, GFP_ATOMIC)) 713 goto nomem_init; 714 715 /* SCTP-AUTH: Now that we've populate required fields in 716 * sctp_process_init, set up the assocaition shared keys as 717 * necessary so that we can potentially authenticate the ACK 718 */ 719 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 720 if (error) 721 goto nomem_init; 722 723 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 724 * is supposed to be authenticated and we have to do delayed 725 * authentication. We've just recreated the association using 726 * the information in the cookie and now it's much easier to 727 * do the authentication. 728 */ 729 if (chunk->auth_chunk) { 730 struct sctp_chunk auth; 731 sctp_ierror_t ret; 732 733 /* set-up our fake chunk so that we can process it */ 734 auth.skb = chunk->auth_chunk; 735 auth.asoc = chunk->asoc; 736 auth.sctp_hdr = chunk->sctp_hdr; 737 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, 738 sizeof(sctp_chunkhdr_t)); 739 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); 740 auth.transport = chunk->transport; 741 742 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth); 743 744 /* We can now safely free the auth_chunk clone */ 745 kfree_skb(chunk->auth_chunk); 746 747 if (ret != SCTP_IERROR_NO_ERROR) { 748 sctp_association_free(new_asoc); 749 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 750 } 751 } 752 753 repl = sctp_make_cookie_ack(new_asoc, chunk); 754 if (!repl) 755 goto nomem_init; 756 757 /* RFC 2960 5.1 Normal Establishment of an Association 758 * 759 * D) IMPLEMENTATION NOTE: An implementation may choose to 760 * send the Communication Up notification to the SCTP user 761 * upon reception of a valid COOKIE ECHO chunk. 762 */ 763 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 764 new_asoc->c.sinit_num_ostreams, 765 new_asoc->c.sinit_max_instreams, 766 NULL, GFP_ATOMIC); 767 if (!ev) 768 goto nomem_ev; 769 770 /* Sockets API Draft Section 5.3.1.6 771 * When a peer sends a Adaptation Layer Indication parameter , SCTP 772 * delivers this notification to inform the application that of the 773 * peers requested adaptation layer. 774 */ 775 if (new_asoc->peer.adaptation_ind) { 776 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 777 GFP_ATOMIC); 778 if (!ai_ev) 779 goto nomem_aiev; 780 } 781 782 /* Add all the state machine commands now since we've created 783 * everything. This way we don't introduce memory corruptions 784 * during side-effect processing and correclty count established 785 * associations. 786 */ 787 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 788 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 789 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 790 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 791 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 792 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 793 794 if (new_asoc->autoclose) 795 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 796 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 797 798 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 799 800 /* This will send the COOKIE ACK */ 801 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 802 803 /* Queue the ASSOC_CHANGE event */ 804 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 805 806 /* Send up the Adaptation Layer Indication event */ 807 if (ai_ev) 808 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 809 SCTP_ULPEVENT(ai_ev)); 810 811 return SCTP_DISPOSITION_CONSUME; 812 813 nomem_aiev: 814 sctp_ulpevent_free(ev); 815 nomem_ev: 816 sctp_chunk_free(repl); 817 nomem_init: 818 sctp_association_free(new_asoc); 819 nomem: 820 return SCTP_DISPOSITION_NOMEM; 821 } 822 823 /* 824 * Respond to a normal COOKIE ACK chunk. 825 * We are the side that is being asked for an association. 826 * 827 * RFC 2960 5.1 Normal Establishment of an Association 828 * 829 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 830 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 831 * timer. It may also notify its ULP about the successful 832 * establishment of the association with a Communication Up 833 * notification (see Section 10). 834 * 835 * Verification Tag: 836 * Inputs 837 * (endpoint, asoc, chunk) 838 * 839 * Outputs 840 * (asoc, reply_msg, msg_up, timers, counters) 841 * 842 * The return value is the disposition of the chunk. 843 */ 844 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 845 const struct sctp_association *asoc, 846 const sctp_subtype_t type, void *arg, 847 sctp_cmd_seq_t *commands) 848 { 849 struct sctp_chunk *chunk = arg; 850 struct sctp_ulpevent *ev; 851 852 if (!sctp_vtag_verify(chunk, asoc)) 853 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 854 855 /* Verify that the chunk length for the COOKIE-ACK is OK. 856 * If we don't do this, any bundled chunks may be junked. 857 */ 858 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 859 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 860 commands); 861 862 /* Reset init error count upon receipt of COOKIE-ACK, 863 * to avoid problems with the managemement of this 864 * counter in stale cookie situations when a transition back 865 * from the COOKIE-ECHOED state to the COOKIE-WAIT 866 * state is performed. 867 */ 868 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 869 870 /* RFC 2960 5.1 Normal Establishment of an Association 871 * 872 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 873 * from the COOKIE-ECHOED state to the ESTABLISHED state, 874 * stopping the T1-cookie timer. 875 */ 876 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 877 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 878 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 879 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 880 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 881 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 882 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 883 if (asoc->autoclose) 884 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 885 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 886 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 887 888 /* It may also notify its ULP about the successful 889 * establishment of the association with a Communication Up 890 * notification (see Section 10). 891 */ 892 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 893 0, asoc->c.sinit_num_ostreams, 894 asoc->c.sinit_max_instreams, 895 NULL, GFP_ATOMIC); 896 897 if (!ev) 898 goto nomem; 899 900 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 901 902 /* Sockets API Draft Section 5.3.1.6 903 * When a peer sends a Adaptation Layer Indication parameter , SCTP 904 * delivers this notification to inform the application that of the 905 * peers requested adaptation layer. 906 */ 907 if (asoc->peer.adaptation_ind) { 908 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 909 if (!ev) 910 goto nomem; 911 912 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 913 SCTP_ULPEVENT(ev)); 914 } 915 916 return SCTP_DISPOSITION_CONSUME; 917 nomem: 918 return SCTP_DISPOSITION_NOMEM; 919 } 920 921 /* Generate and sendout a heartbeat packet. */ 922 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 923 const struct sctp_association *asoc, 924 const sctp_subtype_t type, 925 void *arg, 926 sctp_cmd_seq_t *commands) 927 { 928 struct sctp_transport *transport = (struct sctp_transport *) arg; 929 struct sctp_chunk *reply; 930 sctp_sender_hb_info_t hbinfo; 931 size_t paylen = 0; 932 933 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 934 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 935 hbinfo.daddr = transport->ipaddr; 936 hbinfo.sent_at = jiffies; 937 hbinfo.hb_nonce = transport->hb_nonce; 938 939 /* Send a heartbeat to our peer. */ 940 paylen = sizeof(sctp_sender_hb_info_t); 941 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 942 if (!reply) 943 return SCTP_DISPOSITION_NOMEM; 944 945 /* Set rto_pending indicating that an RTT measurement 946 * is started with this heartbeat chunk. 947 */ 948 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 949 SCTP_TRANSPORT(transport)); 950 951 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 952 return SCTP_DISPOSITION_CONSUME; 953 } 954 955 /* Generate a HEARTBEAT packet on the given transport. */ 956 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 957 const struct sctp_association *asoc, 958 const sctp_subtype_t type, 959 void *arg, 960 sctp_cmd_seq_t *commands) 961 { 962 struct sctp_transport *transport = (struct sctp_transport *) arg; 963 964 if (asoc->overall_error_count > asoc->max_retrans) { 965 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 966 SCTP_ERROR(ETIMEDOUT)); 967 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 968 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 969 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 970 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 971 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 972 return SCTP_DISPOSITION_DELETE_TCB; 973 } 974 975 /* Section 3.3.5. 976 * The Sender-specific Heartbeat Info field should normally include 977 * information about the sender's current time when this HEARTBEAT 978 * chunk is sent and the destination transport address to which this 979 * HEARTBEAT is sent (see Section 8.3). 980 */ 981 982 if (transport->param_flags & SPP_HB_ENABLE) { 983 if (SCTP_DISPOSITION_NOMEM == 984 sctp_sf_heartbeat(ep, asoc, type, arg, 985 commands)) 986 return SCTP_DISPOSITION_NOMEM; 987 /* Set transport error counter and association error counter 988 * when sending heartbeat. 989 */ 990 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 991 SCTP_TRANSPORT(transport)); 992 } 993 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 994 SCTP_TRANSPORT(transport)); 995 996 return SCTP_DISPOSITION_CONSUME; 997 } 998 999 /* 1000 * Process an heartbeat request. 1001 * 1002 * Section: 8.3 Path Heartbeat 1003 * The receiver of the HEARTBEAT should immediately respond with a 1004 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1005 * from the received HEARTBEAT chunk. 1006 * 1007 * Verification Tag: 8.5 Verification Tag [Normal verification] 1008 * When receiving an SCTP packet, the endpoint MUST ensure that the 1009 * value in the Verification Tag field of the received SCTP packet 1010 * matches its own Tag. If the received Verification Tag value does not 1011 * match the receiver's own tag value, the receiver shall silently 1012 * discard the packet and shall not process it any further except for 1013 * those cases listed in Section 8.5.1 below. 1014 * 1015 * Inputs 1016 * (endpoint, asoc, chunk) 1017 * 1018 * Outputs 1019 * (asoc, reply_msg, msg_up, timers, counters) 1020 * 1021 * The return value is the disposition of the chunk. 1022 */ 1023 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 1024 const struct sctp_association *asoc, 1025 const sctp_subtype_t type, 1026 void *arg, 1027 sctp_cmd_seq_t *commands) 1028 { 1029 struct sctp_chunk *chunk = arg; 1030 struct sctp_chunk *reply; 1031 size_t paylen = 0; 1032 1033 if (!sctp_vtag_verify(chunk, asoc)) 1034 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1035 1036 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1037 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1038 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1039 commands); 1040 1041 /* 8.3 The receiver of the HEARTBEAT should immediately 1042 * respond with a HEARTBEAT ACK that contains the Heartbeat 1043 * Information field copied from the received HEARTBEAT chunk. 1044 */ 1045 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 1046 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 1047 if (!pskb_pull(chunk->skb, paylen)) 1048 goto nomem; 1049 1050 reply = sctp_make_heartbeat_ack(asoc, chunk, 1051 chunk->subh.hb_hdr, paylen); 1052 if (!reply) 1053 goto nomem; 1054 1055 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1056 return SCTP_DISPOSITION_CONSUME; 1057 1058 nomem: 1059 return SCTP_DISPOSITION_NOMEM; 1060 } 1061 1062 /* 1063 * Process the returning HEARTBEAT ACK. 1064 * 1065 * Section: 8.3 Path Heartbeat 1066 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1067 * should clear the error counter of the destination transport 1068 * address to which the HEARTBEAT was sent, and mark the destination 1069 * transport address as active if it is not so marked. The endpoint may 1070 * optionally report to the upper layer when an inactive destination 1071 * address is marked as active due to the reception of the latest 1072 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1073 * clear the association overall error count as well (as defined 1074 * in section 8.1). 1075 * 1076 * The receiver of the HEARTBEAT ACK should also perform an RTT 1077 * measurement for that destination transport address using the time 1078 * value carried in the HEARTBEAT ACK chunk. 1079 * 1080 * Verification Tag: 8.5 Verification Tag [Normal verification] 1081 * 1082 * Inputs 1083 * (endpoint, asoc, chunk) 1084 * 1085 * Outputs 1086 * (asoc, reply_msg, msg_up, timers, counters) 1087 * 1088 * The return value is the disposition of the chunk. 1089 */ 1090 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1091 const struct sctp_association *asoc, 1092 const sctp_subtype_t type, 1093 void *arg, 1094 sctp_cmd_seq_t *commands) 1095 { 1096 struct sctp_chunk *chunk = arg; 1097 union sctp_addr from_addr; 1098 struct sctp_transport *link; 1099 sctp_sender_hb_info_t *hbinfo; 1100 unsigned long max_interval; 1101 1102 if (!sctp_vtag_verify(chunk, asoc)) 1103 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1104 1105 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1106 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1107 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1108 commands); 1109 1110 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1111 /* Make sure that the length of the parameter is what we expect */ 1112 if (ntohs(hbinfo->param_hdr.length) != 1113 sizeof(sctp_sender_hb_info_t)) { 1114 return SCTP_DISPOSITION_DISCARD; 1115 } 1116 1117 from_addr = hbinfo->daddr; 1118 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1119 1120 /* This should never happen, but lets log it if so. */ 1121 if (unlikely(!link)) { 1122 if (from_addr.sa.sa_family == AF_INET6) { 1123 if (net_ratelimit()) 1124 printk(KERN_WARNING 1125 "%s association %p could not find address " 1126 NIP6_FMT "\n", 1127 __func__, 1128 asoc, 1129 NIP6(from_addr.v6.sin6_addr)); 1130 } else { 1131 if (net_ratelimit()) 1132 printk(KERN_WARNING 1133 "%s association %p could not find address " 1134 NIPQUAD_FMT "\n", 1135 __func__, 1136 asoc, 1137 NIPQUAD(from_addr.v4.sin_addr.s_addr)); 1138 } 1139 return SCTP_DISPOSITION_DISCARD; 1140 } 1141 1142 /* Validate the 64-bit random nonce. */ 1143 if (hbinfo->hb_nonce != link->hb_nonce) 1144 return SCTP_DISPOSITION_DISCARD; 1145 1146 max_interval = link->hbinterval + link->rto; 1147 1148 /* Check if the timestamp looks valid. */ 1149 if (time_after(hbinfo->sent_at, jiffies) || 1150 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1151 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp " 1152 "received for transport: %p\n", 1153 __func__, link); 1154 return SCTP_DISPOSITION_DISCARD; 1155 } 1156 1157 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1158 * the HEARTBEAT should clear the error counter of the 1159 * destination transport address to which the HEARTBEAT was 1160 * sent and mark the destination transport address as active if 1161 * it is not so marked. 1162 */ 1163 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1164 1165 return SCTP_DISPOSITION_CONSUME; 1166 } 1167 1168 /* Helper function to send out an abort for the restart 1169 * condition. 1170 */ 1171 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1172 struct sctp_chunk *init, 1173 sctp_cmd_seq_t *commands) 1174 { 1175 int len; 1176 struct sctp_packet *pkt; 1177 union sctp_addr_param *addrparm; 1178 struct sctp_errhdr *errhdr; 1179 struct sctp_endpoint *ep; 1180 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1181 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1182 1183 /* Build the error on the stack. We are way to malloc crazy 1184 * throughout the code today. 1185 */ 1186 errhdr = (struct sctp_errhdr *)buffer; 1187 addrparm = (union sctp_addr_param *)errhdr->variable; 1188 1189 /* Copy into a parm format. */ 1190 len = af->to_addr_param(ssa, addrparm); 1191 len += sizeof(sctp_errhdr_t); 1192 1193 errhdr->cause = SCTP_ERROR_RESTART; 1194 errhdr->length = htons(len); 1195 1196 /* Assign to the control socket. */ 1197 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1198 1199 /* Association is NULL since this may be a restart attack and we 1200 * want to send back the attacker's vtag. 1201 */ 1202 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1203 1204 if (!pkt) 1205 goto out; 1206 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1207 1208 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1209 1210 /* Discard the rest of the inbound packet. */ 1211 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1212 1213 out: 1214 /* Even if there is no memory, treat as a failure so 1215 * the packet will get dropped. 1216 */ 1217 return 0; 1218 } 1219 1220 /* A restart is occurring, check to make sure no new addresses 1221 * are being added as we may be under a takeover attack. 1222 */ 1223 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1224 const struct sctp_association *asoc, 1225 struct sctp_chunk *init, 1226 sctp_cmd_seq_t *commands) 1227 { 1228 struct sctp_transport *new_addr, *addr; 1229 int found; 1230 1231 /* Implementor's Guide - Sectin 5.2.2 1232 * ... 1233 * Before responding the endpoint MUST check to see if the 1234 * unexpected INIT adds new addresses to the association. If new 1235 * addresses are added to the association, the endpoint MUST respond 1236 * with an ABORT.. 1237 */ 1238 1239 /* Search through all current addresses and make sure 1240 * we aren't adding any new ones. 1241 */ 1242 new_addr = NULL; 1243 found = 0; 1244 1245 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1246 transports) { 1247 found = 0; 1248 list_for_each_entry(addr, &asoc->peer.transport_addr_list, 1249 transports) { 1250 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1251 &addr->ipaddr)) { 1252 found = 1; 1253 break; 1254 } 1255 } 1256 if (!found) 1257 break; 1258 } 1259 1260 /* If a new address was added, ABORT the sender. */ 1261 if (!found && new_addr) { 1262 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1263 } 1264 1265 /* Return success if all addresses were found. */ 1266 return found; 1267 } 1268 1269 /* Populate the verification/tie tags based on overlapping INIT 1270 * scenario. 1271 * 1272 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1273 */ 1274 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1275 const struct sctp_association *asoc) 1276 { 1277 switch (asoc->state) { 1278 1279 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1280 1281 case SCTP_STATE_COOKIE_WAIT: 1282 new_asoc->c.my_vtag = asoc->c.my_vtag; 1283 new_asoc->c.my_ttag = asoc->c.my_vtag; 1284 new_asoc->c.peer_ttag = 0; 1285 break; 1286 1287 case SCTP_STATE_COOKIE_ECHOED: 1288 new_asoc->c.my_vtag = asoc->c.my_vtag; 1289 new_asoc->c.my_ttag = asoc->c.my_vtag; 1290 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1291 break; 1292 1293 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1294 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1295 */ 1296 default: 1297 new_asoc->c.my_ttag = asoc->c.my_vtag; 1298 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1299 break; 1300 } 1301 1302 /* Other parameters for the endpoint SHOULD be copied from the 1303 * existing parameters of the association (e.g. number of 1304 * outbound streams) into the INIT ACK and cookie. 1305 */ 1306 new_asoc->rwnd = asoc->rwnd; 1307 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1308 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1309 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1310 } 1311 1312 /* 1313 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1314 * handling action. 1315 * 1316 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1317 * 1318 * Returns value representing action to be taken. These action values 1319 * correspond to Action/Description values in RFC 2960, Table 2. 1320 */ 1321 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1322 const struct sctp_association *asoc) 1323 { 1324 /* In this case, the peer may have restarted. */ 1325 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1326 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1327 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1328 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1329 return 'A'; 1330 1331 /* Collision case B. */ 1332 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1333 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1334 (0 == asoc->c.peer_vtag))) { 1335 return 'B'; 1336 } 1337 1338 /* Collision case D. */ 1339 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1340 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1341 return 'D'; 1342 1343 /* Collision case C. */ 1344 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1345 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1346 (0 == new_asoc->c.my_ttag) && 1347 (0 == new_asoc->c.peer_ttag)) 1348 return 'C'; 1349 1350 /* No match to any of the special cases; discard this packet. */ 1351 return 'E'; 1352 } 1353 1354 /* Common helper routine for both duplicate and simulataneous INIT 1355 * chunk handling. 1356 */ 1357 static sctp_disposition_t sctp_sf_do_unexpected_init( 1358 const struct sctp_endpoint *ep, 1359 const struct sctp_association *asoc, 1360 const sctp_subtype_t type, 1361 void *arg, sctp_cmd_seq_t *commands) 1362 { 1363 sctp_disposition_t retval; 1364 struct sctp_chunk *chunk = arg; 1365 struct sctp_chunk *repl; 1366 struct sctp_association *new_asoc; 1367 struct sctp_chunk *err_chunk; 1368 struct sctp_packet *packet; 1369 sctp_unrecognized_param_t *unk_param; 1370 int len; 1371 1372 /* 6.10 Bundling 1373 * An endpoint MUST NOT bundle INIT, INIT ACK or 1374 * SHUTDOWN COMPLETE with any other chunks. 1375 * 1376 * IG Section 2.11.2 1377 * Furthermore, we require that the receiver of an INIT chunk MUST 1378 * enforce these rules by silently discarding an arriving packet 1379 * with an INIT chunk that is bundled with other chunks. 1380 */ 1381 if (!chunk->singleton) 1382 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1383 1384 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1385 * Tag. 1386 */ 1387 if (chunk->sctp_hdr->vtag != 0) 1388 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1389 1390 /* Make sure that the INIT chunk has a valid length. 1391 * In this case, we generate a protocol violation since we have 1392 * an association established. 1393 */ 1394 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1395 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1396 commands); 1397 /* Grab the INIT header. */ 1398 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1399 1400 /* Tag the variable length parameters. */ 1401 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1402 1403 /* Verify the INIT chunk before processing it. */ 1404 err_chunk = NULL; 1405 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1406 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1407 &err_chunk)) { 1408 /* This chunk contains fatal error. It is to be discarded. 1409 * Send an ABORT, with causes if there is any. 1410 */ 1411 if (err_chunk) { 1412 packet = sctp_abort_pkt_new(ep, asoc, arg, 1413 (__u8 *)(err_chunk->chunk_hdr) + 1414 sizeof(sctp_chunkhdr_t), 1415 ntohs(err_chunk->chunk_hdr->length) - 1416 sizeof(sctp_chunkhdr_t)); 1417 1418 if (packet) { 1419 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1420 SCTP_PACKET(packet)); 1421 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1422 retval = SCTP_DISPOSITION_CONSUME; 1423 } else { 1424 retval = SCTP_DISPOSITION_NOMEM; 1425 } 1426 goto cleanup; 1427 } else { 1428 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1429 commands); 1430 } 1431 } 1432 1433 /* 1434 * Other parameters for the endpoint SHOULD be copied from the 1435 * existing parameters of the association (e.g. number of 1436 * outbound streams) into the INIT ACK and cookie. 1437 * FIXME: We are copying parameters from the endpoint not the 1438 * association. 1439 */ 1440 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1441 if (!new_asoc) 1442 goto nomem; 1443 1444 /* In the outbound INIT ACK the endpoint MUST copy its current 1445 * Verification Tag and Peers Verification tag into a reserved 1446 * place (local tie-tag and per tie-tag) within the state cookie. 1447 */ 1448 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1449 sctp_source(chunk), 1450 (sctp_init_chunk_t *)chunk->chunk_hdr, 1451 GFP_ATOMIC)) 1452 goto nomem; 1453 1454 /* Make sure no new addresses are being added during the 1455 * restart. Do not do this check for COOKIE-WAIT state, 1456 * since there are no peer addresses to check against. 1457 * Upon return an ABORT will have been sent if needed. 1458 */ 1459 if (!sctp_state(asoc, COOKIE_WAIT)) { 1460 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1461 commands)) { 1462 retval = SCTP_DISPOSITION_CONSUME; 1463 goto nomem_retval; 1464 } 1465 } 1466 1467 sctp_tietags_populate(new_asoc, asoc); 1468 1469 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1470 1471 /* If there are errors need to be reported for unknown parameters, 1472 * make sure to reserve enough room in the INIT ACK for them. 1473 */ 1474 len = 0; 1475 if (err_chunk) { 1476 len = ntohs(err_chunk->chunk_hdr->length) - 1477 sizeof(sctp_chunkhdr_t); 1478 } 1479 1480 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1481 goto nomem; 1482 1483 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1484 if (!repl) 1485 goto nomem; 1486 1487 /* If there are errors need to be reported for unknown parameters, 1488 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1489 * parameter. 1490 */ 1491 if (err_chunk) { 1492 /* Get the "Unrecognized parameter" parameter(s) out of the 1493 * ERROR chunk generated by sctp_verify_init(). Since the 1494 * error cause code for "unknown parameter" and the 1495 * "Unrecognized parameter" type is the same, we can 1496 * construct the parameters in INIT ACK by copying the 1497 * ERROR causes over. 1498 */ 1499 unk_param = (sctp_unrecognized_param_t *) 1500 ((__u8 *)(err_chunk->chunk_hdr) + 1501 sizeof(sctp_chunkhdr_t)); 1502 /* Replace the cause code with the "Unrecognized parameter" 1503 * parameter type. 1504 */ 1505 sctp_addto_chunk(repl, len, unk_param); 1506 } 1507 1508 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1509 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1510 1511 /* 1512 * Note: After sending out INIT ACK with the State Cookie parameter, 1513 * "Z" MUST NOT allocate any resources for this new association. 1514 * Otherwise, "Z" will be vulnerable to resource attacks. 1515 */ 1516 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1517 retval = SCTP_DISPOSITION_CONSUME; 1518 1519 return retval; 1520 1521 nomem: 1522 retval = SCTP_DISPOSITION_NOMEM; 1523 nomem_retval: 1524 if (new_asoc) 1525 sctp_association_free(new_asoc); 1526 cleanup: 1527 if (err_chunk) 1528 sctp_chunk_free(err_chunk); 1529 return retval; 1530 } 1531 1532 /* 1533 * Handle simultanous INIT. 1534 * This means we started an INIT and then we got an INIT request from 1535 * our peer. 1536 * 1537 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1538 * This usually indicates an initialization collision, i.e., each 1539 * endpoint is attempting, at about the same time, to establish an 1540 * association with the other endpoint. 1541 * 1542 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1543 * endpoint MUST respond with an INIT ACK using the same parameters it 1544 * sent in its original INIT chunk (including its Verification Tag, 1545 * unchanged). These original parameters are combined with those from the 1546 * newly received INIT chunk. The endpoint shall also generate a State 1547 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1548 * INIT to calculate the State Cookie. 1549 * 1550 * After that, the endpoint MUST NOT change its state, the T1-init 1551 * timer shall be left running and the corresponding TCB MUST NOT be 1552 * destroyed. The normal procedures for handling State Cookies when 1553 * a TCB exists will resolve the duplicate INITs to a single association. 1554 * 1555 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1556 * its Tie-Tags with the Tag information of itself and its peer (see 1557 * section 5.2.2 for a description of the Tie-Tags). 1558 * 1559 * Verification Tag: Not explicit, but an INIT can not have a valid 1560 * verification tag, so we skip the check. 1561 * 1562 * Inputs 1563 * (endpoint, asoc, chunk) 1564 * 1565 * Outputs 1566 * (asoc, reply_msg, msg_up, timers, counters) 1567 * 1568 * The return value is the disposition of the chunk. 1569 */ 1570 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1571 const struct sctp_association *asoc, 1572 const sctp_subtype_t type, 1573 void *arg, 1574 sctp_cmd_seq_t *commands) 1575 { 1576 /* Call helper to do the real work for both simulataneous and 1577 * duplicate INIT chunk handling. 1578 */ 1579 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1580 } 1581 1582 /* 1583 * Handle duplicated INIT messages. These are usually delayed 1584 * restransmissions. 1585 * 1586 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1587 * COOKIE-ECHOED and COOKIE-WAIT 1588 * 1589 * Unless otherwise stated, upon reception of an unexpected INIT for 1590 * this association, the endpoint shall generate an INIT ACK with a 1591 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1592 * current Verification Tag and peer's Verification Tag into a reserved 1593 * place within the state cookie. We shall refer to these locations as 1594 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1595 * containing this INIT ACK MUST carry a Verification Tag value equal to 1596 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1597 * MUST contain a new Initiation Tag (randomly generated see Section 1598 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1599 * existing parameters of the association (e.g. number of outbound 1600 * streams) into the INIT ACK and cookie. 1601 * 1602 * After sending out the INIT ACK, the endpoint shall take no further 1603 * actions, i.e., the existing association, including its current state, 1604 * and the corresponding TCB MUST NOT be changed. 1605 * 1606 * Note: Only when a TCB exists and the association is not in a COOKIE- 1607 * WAIT state are the Tie-Tags populated. For a normal association INIT 1608 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1609 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1610 * State Cookie are populated as specified in section 5.2.1. 1611 * 1612 * Verification Tag: Not specified, but an INIT has no way of knowing 1613 * what the verification tag could be, so we ignore it. 1614 * 1615 * Inputs 1616 * (endpoint, asoc, chunk) 1617 * 1618 * Outputs 1619 * (asoc, reply_msg, msg_up, timers, counters) 1620 * 1621 * The return value is the disposition of the chunk. 1622 */ 1623 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1624 const struct sctp_association *asoc, 1625 const sctp_subtype_t type, 1626 void *arg, 1627 sctp_cmd_seq_t *commands) 1628 { 1629 /* Call helper to do the real work for both simulataneous and 1630 * duplicate INIT chunk handling. 1631 */ 1632 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1633 } 1634 1635 1636 /* 1637 * Unexpected INIT-ACK handler. 1638 * 1639 * Section 5.2.3 1640 * If an INIT ACK received by an endpoint in any state other than the 1641 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1642 * An unexpected INIT ACK usually indicates the processing of an old or 1643 * duplicated INIT chunk. 1644 */ 1645 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1646 const struct sctp_association *asoc, 1647 const sctp_subtype_t type, 1648 void *arg, sctp_cmd_seq_t *commands) 1649 { 1650 /* Per the above section, we'll discard the chunk if we have an 1651 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1652 */ 1653 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1654 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1655 else 1656 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1657 } 1658 1659 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1660 * 1661 * Section 5.2.4 1662 * A) In this case, the peer may have restarted. 1663 */ 1664 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1665 const struct sctp_association *asoc, 1666 struct sctp_chunk *chunk, 1667 sctp_cmd_seq_t *commands, 1668 struct sctp_association *new_asoc) 1669 { 1670 sctp_init_chunk_t *peer_init; 1671 struct sctp_ulpevent *ev; 1672 struct sctp_chunk *repl; 1673 struct sctp_chunk *err; 1674 sctp_disposition_t disposition; 1675 1676 /* new_asoc is a brand-new association, so these are not yet 1677 * side effects--it is safe to run them here. 1678 */ 1679 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1680 1681 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1682 sctp_source(chunk), peer_init, 1683 GFP_ATOMIC)) 1684 goto nomem; 1685 1686 /* Make sure no new addresses are being added during the 1687 * restart. Though this is a pretty complicated attack 1688 * since you'd have to get inside the cookie. 1689 */ 1690 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1691 return SCTP_DISPOSITION_CONSUME; 1692 } 1693 1694 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1695 * the peer has restarted (Action A), it MUST NOT setup a new 1696 * association but instead resend the SHUTDOWN ACK and send an ERROR 1697 * chunk with a "Cookie Received while Shutting Down" error cause to 1698 * its peer. 1699 */ 1700 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1701 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1702 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1703 chunk, commands); 1704 if (SCTP_DISPOSITION_NOMEM == disposition) 1705 goto nomem; 1706 1707 err = sctp_make_op_error(asoc, chunk, 1708 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1709 NULL, 0); 1710 if (err) 1711 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1712 SCTP_CHUNK(err)); 1713 1714 return SCTP_DISPOSITION_CONSUME; 1715 } 1716 1717 /* For now, fail any unsent/unacked data. Consider the optional 1718 * choice of resending of this data. 1719 */ 1720 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1721 1722 repl = sctp_make_cookie_ack(new_asoc, chunk); 1723 if (!repl) 1724 goto nomem; 1725 1726 /* Report association restart to upper layer. */ 1727 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1728 new_asoc->c.sinit_num_ostreams, 1729 new_asoc->c.sinit_max_instreams, 1730 NULL, GFP_ATOMIC); 1731 if (!ev) 1732 goto nomem_ev; 1733 1734 /* Update the content of current association. */ 1735 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1736 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1737 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1738 return SCTP_DISPOSITION_CONSUME; 1739 1740 nomem_ev: 1741 sctp_chunk_free(repl); 1742 nomem: 1743 return SCTP_DISPOSITION_NOMEM; 1744 } 1745 1746 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1747 * 1748 * Section 5.2.4 1749 * B) In this case, both sides may be attempting to start an association 1750 * at about the same time but the peer endpoint started its INIT 1751 * after responding to the local endpoint's INIT 1752 */ 1753 /* This case represents an initialization collision. */ 1754 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1755 const struct sctp_association *asoc, 1756 struct sctp_chunk *chunk, 1757 sctp_cmd_seq_t *commands, 1758 struct sctp_association *new_asoc) 1759 { 1760 sctp_init_chunk_t *peer_init; 1761 struct sctp_chunk *repl; 1762 1763 /* new_asoc is a brand-new association, so these are not yet 1764 * side effects--it is safe to run them here. 1765 */ 1766 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1767 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1768 sctp_source(chunk), peer_init, 1769 GFP_ATOMIC)) 1770 goto nomem; 1771 1772 /* Update the content of current association. */ 1773 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1774 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1775 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1776 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1777 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1778 1779 repl = sctp_make_cookie_ack(new_asoc, chunk); 1780 if (!repl) 1781 goto nomem; 1782 1783 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1784 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1785 1786 /* RFC 2960 5.1 Normal Establishment of an Association 1787 * 1788 * D) IMPLEMENTATION NOTE: An implementation may choose to 1789 * send the Communication Up notification to the SCTP user 1790 * upon reception of a valid COOKIE ECHO chunk. 1791 * 1792 * Sadly, this needs to be implemented as a side-effect, because 1793 * we are not guaranteed to have set the association id of the real 1794 * association and so these notifications need to be delayed until 1795 * the association id is allocated. 1796 */ 1797 1798 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1799 1800 /* Sockets API Draft Section 5.3.1.6 1801 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1802 * delivers this notification to inform the application that of the 1803 * peers requested adaptation layer. 1804 * 1805 * This also needs to be done as a side effect for the same reason as 1806 * above. 1807 */ 1808 if (asoc->peer.adaptation_ind) 1809 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1810 1811 return SCTP_DISPOSITION_CONSUME; 1812 1813 nomem: 1814 return SCTP_DISPOSITION_NOMEM; 1815 } 1816 1817 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1818 * 1819 * Section 5.2.4 1820 * C) In this case, the local endpoint's cookie has arrived late. 1821 * Before it arrived, the local endpoint sent an INIT and received an 1822 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1823 * but a new tag of its own. 1824 */ 1825 /* This case represents an initialization collision. */ 1826 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1827 const struct sctp_association *asoc, 1828 struct sctp_chunk *chunk, 1829 sctp_cmd_seq_t *commands, 1830 struct sctp_association *new_asoc) 1831 { 1832 /* The cookie should be silently discarded. 1833 * The endpoint SHOULD NOT change states and should leave 1834 * any timers running. 1835 */ 1836 return SCTP_DISPOSITION_DISCARD; 1837 } 1838 1839 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1840 * 1841 * Section 5.2.4 1842 * 1843 * D) When both local and remote tags match the endpoint should always 1844 * enter the ESTABLISHED state, if it has not already done so. 1845 */ 1846 /* This case represents an initialization collision. */ 1847 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1848 const struct sctp_association *asoc, 1849 struct sctp_chunk *chunk, 1850 sctp_cmd_seq_t *commands, 1851 struct sctp_association *new_asoc) 1852 { 1853 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1854 struct sctp_chunk *repl; 1855 1856 /* Clarification from Implementor's Guide: 1857 * D) When both local and remote tags match the endpoint should 1858 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1859 * It should stop any cookie timer that may be running and send 1860 * a COOKIE ACK. 1861 */ 1862 1863 /* Don't accidentally move back into established state. */ 1864 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1865 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1866 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1867 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1868 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1869 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1870 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1871 SCTP_NULL()); 1872 1873 /* RFC 2960 5.1 Normal Establishment of an Association 1874 * 1875 * D) IMPLEMENTATION NOTE: An implementation may choose 1876 * to send the Communication Up notification to the 1877 * SCTP user upon reception of a valid COOKIE 1878 * ECHO chunk. 1879 */ 1880 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1881 SCTP_COMM_UP, 0, 1882 asoc->c.sinit_num_ostreams, 1883 asoc->c.sinit_max_instreams, 1884 NULL, GFP_ATOMIC); 1885 if (!ev) 1886 goto nomem; 1887 1888 /* Sockets API Draft Section 5.3.1.6 1889 * When a peer sends a Adaptation Layer Indication parameter, 1890 * SCTP delivers this notification to inform the application 1891 * that of the peers requested adaptation layer. 1892 */ 1893 if (asoc->peer.adaptation_ind) { 1894 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1895 GFP_ATOMIC); 1896 if (!ai_ev) 1897 goto nomem; 1898 1899 } 1900 } 1901 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1902 1903 repl = sctp_make_cookie_ack(new_asoc, chunk); 1904 if (!repl) 1905 goto nomem; 1906 1907 if (ev) 1908 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1909 SCTP_ULPEVENT(ev)); 1910 if (ai_ev) 1911 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1912 SCTP_ULPEVENT(ai_ev)); 1913 1914 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1915 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1916 1917 return SCTP_DISPOSITION_CONSUME; 1918 1919 nomem: 1920 if (ai_ev) 1921 sctp_ulpevent_free(ai_ev); 1922 if (ev) 1923 sctp_ulpevent_free(ev); 1924 return SCTP_DISPOSITION_NOMEM; 1925 } 1926 1927 /* 1928 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1929 * chunk was retransmitted and then delayed in the network. 1930 * 1931 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1932 * 1933 * Verification Tag: None. Do cookie validation. 1934 * 1935 * Inputs 1936 * (endpoint, asoc, chunk) 1937 * 1938 * Outputs 1939 * (asoc, reply_msg, msg_up, timers, counters) 1940 * 1941 * The return value is the disposition of the chunk. 1942 */ 1943 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1944 const struct sctp_association *asoc, 1945 const sctp_subtype_t type, 1946 void *arg, 1947 sctp_cmd_seq_t *commands) 1948 { 1949 sctp_disposition_t retval; 1950 struct sctp_chunk *chunk = arg; 1951 struct sctp_association *new_asoc; 1952 int error = 0; 1953 char action; 1954 struct sctp_chunk *err_chk_p; 1955 1956 /* Make sure that the chunk has a valid length from the protocol 1957 * perspective. In this case check to make sure we have at least 1958 * enough for the chunk header. Cookie length verification is 1959 * done later. 1960 */ 1961 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1962 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1963 commands); 1964 1965 /* "Decode" the chunk. We have no optional parameters so we 1966 * are in good shape. 1967 */ 1968 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1969 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1970 sizeof(sctp_chunkhdr_t))) 1971 goto nomem; 1972 1973 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1974 * of a duplicate COOKIE ECHO match the Verification Tags of the 1975 * current association, consider the State Cookie valid even if 1976 * the lifespan is exceeded. 1977 */ 1978 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1979 &err_chk_p); 1980 1981 /* FIXME: 1982 * If the re-build failed, what is the proper error path 1983 * from here? 1984 * 1985 * [We should abort the association. --piggy] 1986 */ 1987 if (!new_asoc) { 1988 /* FIXME: Several errors are possible. A bad cookie should 1989 * be silently discarded, but think about logging it too. 1990 */ 1991 switch (error) { 1992 case -SCTP_IERROR_NOMEM: 1993 goto nomem; 1994 1995 case -SCTP_IERROR_STALE_COOKIE: 1996 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1997 err_chk_p); 1998 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1999 case -SCTP_IERROR_BAD_SIG: 2000 default: 2001 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2002 } 2003 } 2004 2005 /* Compare the tie_tag in cookie with the verification tag of 2006 * current association. 2007 */ 2008 action = sctp_tietags_compare(new_asoc, asoc); 2009 2010 switch (action) { 2011 case 'A': /* Association restart. */ 2012 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 2013 new_asoc); 2014 break; 2015 2016 case 'B': /* Collision case B. */ 2017 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 2018 new_asoc); 2019 break; 2020 2021 case 'C': /* Collision case C. */ 2022 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 2023 new_asoc); 2024 break; 2025 2026 case 'D': /* Collision case D. */ 2027 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 2028 new_asoc); 2029 break; 2030 2031 default: /* Discard packet for all others. */ 2032 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2033 break; 2034 } 2035 2036 /* Delete the tempory new association. */ 2037 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 2038 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2039 2040 return retval; 2041 2042 nomem: 2043 return SCTP_DISPOSITION_NOMEM; 2044 } 2045 2046 /* 2047 * Process an ABORT. (SHUTDOWN-PENDING state) 2048 * 2049 * See sctp_sf_do_9_1_abort(). 2050 */ 2051 sctp_disposition_t sctp_sf_shutdown_pending_abort( 2052 const struct sctp_endpoint *ep, 2053 const struct sctp_association *asoc, 2054 const sctp_subtype_t type, 2055 void *arg, 2056 sctp_cmd_seq_t *commands) 2057 { 2058 struct sctp_chunk *chunk = arg; 2059 2060 if (!sctp_vtag_verify_either(chunk, asoc)) 2061 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2062 2063 /* Make sure that the ABORT chunk has a valid length. 2064 * Since this is an ABORT chunk, we have to discard it 2065 * because of the following text: 2066 * RFC 2960, Section 3.3.7 2067 * If an endpoint receives an ABORT with a format error or for an 2068 * association that doesn't exist, it MUST silently discard it. 2069 * Becasue the length is "invalid", we can't really discard just 2070 * as we do not know its true length. So, to be safe, discard the 2071 * packet. 2072 */ 2073 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2074 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2075 2076 /* ADD-IP: Special case for ABORT chunks 2077 * F4) One special consideration is that ABORT Chunks arriving 2078 * destined to the IP address being deleted MUST be 2079 * ignored (see Section 5.3.1 for further details). 2080 */ 2081 if (SCTP_ADDR_DEL == 2082 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2083 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2084 2085 /* Stop the T5-shutdown guard timer. */ 2086 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2087 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2088 2089 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2090 } 2091 2092 /* 2093 * Process an ABORT. (SHUTDOWN-SENT state) 2094 * 2095 * See sctp_sf_do_9_1_abort(). 2096 */ 2097 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 2098 const struct sctp_association *asoc, 2099 const sctp_subtype_t type, 2100 void *arg, 2101 sctp_cmd_seq_t *commands) 2102 { 2103 struct sctp_chunk *chunk = arg; 2104 2105 if (!sctp_vtag_verify_either(chunk, asoc)) 2106 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2107 2108 /* Make sure that the ABORT chunk has a valid length. 2109 * Since this is an ABORT chunk, we have to discard it 2110 * because of the following text: 2111 * RFC 2960, Section 3.3.7 2112 * If an endpoint receives an ABORT with a format error or for an 2113 * association that doesn't exist, it MUST silently discard it. 2114 * Becasue the length is "invalid", we can't really discard just 2115 * as we do not know its true length. So, to be safe, discard the 2116 * packet. 2117 */ 2118 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2119 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2120 2121 /* ADD-IP: Special case for ABORT chunks 2122 * F4) One special consideration is that ABORT Chunks arriving 2123 * destined to the IP address being deleted MUST be 2124 * ignored (see Section 5.3.1 for further details). 2125 */ 2126 if (SCTP_ADDR_DEL == 2127 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2128 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2129 2130 /* Stop the T2-shutdown timer. */ 2131 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2132 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2133 2134 /* Stop the T5-shutdown guard timer. */ 2135 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2136 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2137 2138 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2139 } 2140 2141 /* 2142 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2143 * 2144 * See sctp_sf_do_9_1_abort(). 2145 */ 2146 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2147 const struct sctp_endpoint *ep, 2148 const struct sctp_association *asoc, 2149 const sctp_subtype_t type, 2150 void *arg, 2151 sctp_cmd_seq_t *commands) 2152 { 2153 /* The same T2 timer, so we should be able to use 2154 * common function with the SHUTDOWN-SENT state. 2155 */ 2156 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2157 } 2158 2159 /* 2160 * Handle an Error received in COOKIE_ECHOED state. 2161 * 2162 * Only handle the error type of stale COOKIE Error, the other errors will 2163 * be ignored. 2164 * 2165 * Inputs 2166 * (endpoint, asoc, chunk) 2167 * 2168 * Outputs 2169 * (asoc, reply_msg, msg_up, timers, counters) 2170 * 2171 * The return value is the disposition of the chunk. 2172 */ 2173 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2174 const struct sctp_association *asoc, 2175 const sctp_subtype_t type, 2176 void *arg, 2177 sctp_cmd_seq_t *commands) 2178 { 2179 struct sctp_chunk *chunk = arg; 2180 sctp_errhdr_t *err; 2181 2182 if (!sctp_vtag_verify(chunk, asoc)) 2183 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2184 2185 /* Make sure that the ERROR chunk has a valid length. 2186 * The parameter walking depends on this as well. 2187 */ 2188 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2189 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2190 commands); 2191 2192 /* Process the error here */ 2193 /* FUTURE FIXME: When PR-SCTP related and other optional 2194 * parms are emitted, this will have to change to handle multiple 2195 * errors. 2196 */ 2197 sctp_walk_errors(err, chunk->chunk_hdr) { 2198 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2199 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2200 arg, commands); 2201 } 2202 2203 /* It is possible to have malformed error causes, and that 2204 * will cause us to end the walk early. However, since 2205 * we are discarding the packet, there should be no adverse 2206 * affects. 2207 */ 2208 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2209 } 2210 2211 /* 2212 * Handle a Stale COOKIE Error 2213 * 2214 * Section: 5.2.6 Handle Stale COOKIE Error 2215 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2216 * one of the following three alternatives. 2217 * ... 2218 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2219 * Preservative parameter requesting an extension to the lifetime of 2220 * the State Cookie. When calculating the time extension, an 2221 * implementation SHOULD use the RTT information measured based on the 2222 * previous COOKIE ECHO / ERROR exchange, and should add no more 2223 * than 1 second beyond the measured RTT, due to long State Cookie 2224 * lifetimes making the endpoint more subject to a replay attack. 2225 * 2226 * Verification Tag: Not explicit, but safe to ignore. 2227 * 2228 * Inputs 2229 * (endpoint, asoc, chunk) 2230 * 2231 * Outputs 2232 * (asoc, reply_msg, msg_up, timers, counters) 2233 * 2234 * The return value is the disposition of the chunk. 2235 */ 2236 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2237 const struct sctp_association *asoc, 2238 const sctp_subtype_t type, 2239 void *arg, 2240 sctp_cmd_seq_t *commands) 2241 { 2242 struct sctp_chunk *chunk = arg; 2243 time_t stale; 2244 sctp_cookie_preserve_param_t bht; 2245 sctp_errhdr_t *err; 2246 struct sctp_chunk *reply; 2247 struct sctp_bind_addr *bp; 2248 int attempts = asoc->init_err_counter + 1; 2249 2250 if (attempts > asoc->max_init_attempts) { 2251 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2252 SCTP_ERROR(ETIMEDOUT)); 2253 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2254 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2255 return SCTP_DISPOSITION_DELETE_TCB; 2256 } 2257 2258 err = (sctp_errhdr_t *)(chunk->skb->data); 2259 2260 /* When calculating the time extension, an implementation 2261 * SHOULD use the RTT information measured based on the 2262 * previous COOKIE ECHO / ERROR exchange, and should add no 2263 * more than 1 second beyond the measured RTT, due to long 2264 * State Cookie lifetimes making the endpoint more subject to 2265 * a replay attack. 2266 * Measure of Staleness's unit is usec. (1/1000000 sec) 2267 * Suggested Cookie Life-span Increment's unit is msec. 2268 * (1/1000 sec) 2269 * In general, if you use the suggested cookie life, the value 2270 * found in the field of measure of staleness should be doubled 2271 * to give ample time to retransmit the new cookie and thus 2272 * yield a higher probability of success on the reattempt. 2273 */ 2274 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2275 stale = (stale * 2) / 1000; 2276 2277 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2278 bht.param_hdr.length = htons(sizeof(bht)); 2279 bht.lifespan_increment = htonl(stale); 2280 2281 /* Build that new INIT chunk. */ 2282 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2283 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2284 if (!reply) 2285 goto nomem; 2286 2287 sctp_addto_chunk(reply, sizeof(bht), &bht); 2288 2289 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2290 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2291 2292 /* Stop pending T3-rtx and heartbeat timers */ 2293 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2294 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2295 2296 /* Delete non-primary peer ip addresses since we are transitioning 2297 * back to the COOKIE-WAIT state 2298 */ 2299 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2300 2301 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2302 * resend 2303 */ 2304 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2305 SCTP_TRANSPORT(asoc->peer.primary_path)); 2306 2307 /* Cast away the const modifier, as we want to just 2308 * rerun it through as a sideffect. 2309 */ 2310 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2311 2312 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2313 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2314 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2315 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2316 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2317 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2318 2319 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2320 2321 return SCTP_DISPOSITION_CONSUME; 2322 2323 nomem: 2324 return SCTP_DISPOSITION_NOMEM; 2325 } 2326 2327 /* 2328 * Process an ABORT. 2329 * 2330 * Section: 9.1 2331 * After checking the Verification Tag, the receiving endpoint shall 2332 * remove the association from its record, and shall report the 2333 * termination to its upper layer. 2334 * 2335 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2336 * B) Rules for packet carrying ABORT: 2337 * 2338 * - The endpoint shall always fill in the Verification Tag field of the 2339 * outbound packet with the destination endpoint's tag value if it 2340 * is known. 2341 * 2342 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2343 * MUST follow the procedure described in Section 8.4. 2344 * 2345 * - The receiver MUST accept the packet if the Verification Tag 2346 * matches either its own tag, OR the tag of its peer. Otherwise, the 2347 * receiver MUST silently discard the packet and take no further 2348 * action. 2349 * 2350 * Inputs 2351 * (endpoint, asoc, chunk) 2352 * 2353 * Outputs 2354 * (asoc, reply_msg, msg_up, timers, counters) 2355 * 2356 * The return value is the disposition of the chunk. 2357 */ 2358 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2359 const struct sctp_association *asoc, 2360 const sctp_subtype_t type, 2361 void *arg, 2362 sctp_cmd_seq_t *commands) 2363 { 2364 struct sctp_chunk *chunk = arg; 2365 2366 if (!sctp_vtag_verify_either(chunk, asoc)) 2367 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2368 2369 /* Make sure that the ABORT chunk has a valid length. 2370 * Since this is an ABORT chunk, we have to discard it 2371 * because of the following text: 2372 * RFC 2960, Section 3.3.7 2373 * If an endpoint receives an ABORT with a format error or for an 2374 * association that doesn't exist, it MUST silently discard it. 2375 * Becasue the length is "invalid", we can't really discard just 2376 * as we do not know its true length. So, to be safe, discard the 2377 * packet. 2378 */ 2379 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2380 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2381 2382 /* ADD-IP: Special case for ABORT chunks 2383 * F4) One special consideration is that ABORT Chunks arriving 2384 * destined to the IP address being deleted MUST be 2385 * ignored (see Section 5.3.1 for further details). 2386 */ 2387 if (SCTP_ADDR_DEL == 2388 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2389 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 2390 2391 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2392 } 2393 2394 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2395 const struct sctp_association *asoc, 2396 const sctp_subtype_t type, 2397 void *arg, 2398 sctp_cmd_seq_t *commands) 2399 { 2400 struct sctp_chunk *chunk = arg; 2401 unsigned len; 2402 __be16 error = SCTP_ERROR_NO_ERROR; 2403 2404 /* See if we have an error cause code in the chunk. */ 2405 len = ntohs(chunk->chunk_hdr->length); 2406 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2407 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2408 2409 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2410 /* ASSOC_FAILED will DELETE_TCB. */ 2411 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2412 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2413 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2414 2415 return SCTP_DISPOSITION_ABORT; 2416 } 2417 2418 /* 2419 * Process an ABORT. (COOKIE-WAIT state) 2420 * 2421 * See sctp_sf_do_9_1_abort() above. 2422 */ 2423 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2424 const struct sctp_association *asoc, 2425 const sctp_subtype_t type, 2426 void *arg, 2427 sctp_cmd_seq_t *commands) 2428 { 2429 struct sctp_chunk *chunk = arg; 2430 unsigned len; 2431 __be16 error = SCTP_ERROR_NO_ERROR; 2432 2433 if (!sctp_vtag_verify_either(chunk, asoc)) 2434 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2435 2436 /* Make sure that the ABORT chunk has a valid length. 2437 * Since this is an ABORT chunk, we have to discard it 2438 * because of the following text: 2439 * RFC 2960, Section 3.3.7 2440 * If an endpoint receives an ABORT with a format error or for an 2441 * association that doesn't exist, it MUST silently discard it. 2442 * Becasue the length is "invalid", we can't really discard just 2443 * as we do not know its true length. So, to be safe, discard the 2444 * packet. 2445 */ 2446 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2447 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2448 2449 /* See if we have an error cause code in the chunk. */ 2450 len = ntohs(chunk->chunk_hdr->length); 2451 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2452 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2453 2454 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2455 chunk->transport); 2456 } 2457 2458 /* 2459 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2460 */ 2461 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2462 const struct sctp_association *asoc, 2463 const sctp_subtype_t type, 2464 void *arg, 2465 sctp_cmd_seq_t *commands) 2466 { 2467 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2468 ENOPROTOOPT, asoc, 2469 (struct sctp_transport *)arg); 2470 } 2471 2472 /* 2473 * Process an ABORT. (COOKIE-ECHOED state) 2474 */ 2475 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2476 const struct sctp_association *asoc, 2477 const sctp_subtype_t type, 2478 void *arg, 2479 sctp_cmd_seq_t *commands) 2480 { 2481 /* There is a single T1 timer, so we should be able to use 2482 * common function with the COOKIE-WAIT state. 2483 */ 2484 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2485 } 2486 2487 /* 2488 * Stop T1 timer and abort association with "INIT failed". 2489 * 2490 * This is common code called by several sctp_sf_*_abort() functions above. 2491 */ 2492 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2493 __be16 error, int sk_err, 2494 const struct sctp_association *asoc, 2495 struct sctp_transport *transport) 2496 { 2497 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2498 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2499 SCTP_STATE(SCTP_STATE_CLOSED)); 2500 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2501 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2502 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2503 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2504 /* CMD_INIT_FAILED will DELETE_TCB. */ 2505 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2506 SCTP_PERR(error)); 2507 return SCTP_DISPOSITION_ABORT; 2508 } 2509 2510 /* 2511 * sctp_sf_do_9_2_shut 2512 * 2513 * Section: 9.2 2514 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2515 * - enter the SHUTDOWN-RECEIVED state, 2516 * 2517 * - stop accepting new data from its SCTP user 2518 * 2519 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2520 * that all its outstanding DATA chunks have been received by the 2521 * SHUTDOWN sender. 2522 * 2523 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2524 * send a SHUTDOWN in response to a ULP request. And should discard 2525 * subsequent SHUTDOWN chunks. 2526 * 2527 * If there are still outstanding DATA chunks left, the SHUTDOWN 2528 * receiver shall continue to follow normal data transmission 2529 * procedures defined in Section 6 until all outstanding DATA chunks 2530 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2531 * new data from its SCTP user. 2532 * 2533 * Verification Tag: 8.5 Verification Tag [Normal verification] 2534 * 2535 * Inputs 2536 * (endpoint, asoc, chunk) 2537 * 2538 * Outputs 2539 * (asoc, reply_msg, msg_up, timers, counters) 2540 * 2541 * The return value is the disposition of the chunk. 2542 */ 2543 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2544 const struct sctp_association *asoc, 2545 const sctp_subtype_t type, 2546 void *arg, 2547 sctp_cmd_seq_t *commands) 2548 { 2549 struct sctp_chunk *chunk = arg; 2550 sctp_shutdownhdr_t *sdh; 2551 sctp_disposition_t disposition; 2552 struct sctp_ulpevent *ev; 2553 2554 if (!sctp_vtag_verify(chunk, asoc)) 2555 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2556 2557 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2558 if (!sctp_chunk_length_valid(chunk, 2559 sizeof(struct sctp_shutdown_chunk_t))) 2560 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2561 commands); 2562 2563 /* Convert the elaborate header. */ 2564 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2565 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2566 chunk->subh.shutdown_hdr = sdh; 2567 2568 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2569 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2570 * inform the application that it should cease sending data. 2571 */ 2572 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2573 if (!ev) { 2574 disposition = SCTP_DISPOSITION_NOMEM; 2575 goto out; 2576 } 2577 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2578 2579 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2580 * - enter the SHUTDOWN-RECEIVED state, 2581 * - stop accepting new data from its SCTP user 2582 * 2583 * [This is implicit in the new state.] 2584 */ 2585 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2586 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2587 disposition = SCTP_DISPOSITION_CONSUME; 2588 2589 if (sctp_outq_is_empty(&asoc->outqueue)) { 2590 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2591 arg, commands); 2592 } 2593 2594 if (SCTP_DISPOSITION_NOMEM == disposition) 2595 goto out; 2596 2597 /* - verify, by checking the Cumulative TSN Ack field of the 2598 * chunk, that all its outstanding DATA chunks have been 2599 * received by the SHUTDOWN sender. 2600 */ 2601 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2602 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2603 2604 out: 2605 return disposition; 2606 } 2607 2608 /* RFC 2960 9.2 2609 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2610 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2611 * transport addresses (either in the IP addresses or in the INIT chunk) 2612 * that belong to this association, it should discard the INIT chunk and 2613 * retransmit the SHUTDOWN ACK chunk. 2614 */ 2615 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2616 const struct sctp_association *asoc, 2617 const sctp_subtype_t type, 2618 void *arg, 2619 sctp_cmd_seq_t *commands) 2620 { 2621 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2622 struct sctp_chunk *reply; 2623 2624 /* Make sure that the chunk has a valid length */ 2625 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2626 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2627 commands); 2628 2629 /* Since we are not going to really process this INIT, there 2630 * is no point in verifying chunk boundries. Just generate 2631 * the SHUTDOWN ACK. 2632 */ 2633 reply = sctp_make_shutdown_ack(asoc, chunk); 2634 if (NULL == reply) 2635 goto nomem; 2636 2637 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2638 * the T2-SHUTDOWN timer. 2639 */ 2640 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2641 2642 /* and restart the T2-shutdown timer. */ 2643 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2644 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2645 2646 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2647 2648 return SCTP_DISPOSITION_CONSUME; 2649 nomem: 2650 return SCTP_DISPOSITION_NOMEM; 2651 } 2652 2653 /* 2654 * sctp_sf_do_ecn_cwr 2655 * 2656 * Section: Appendix A: Explicit Congestion Notification 2657 * 2658 * CWR: 2659 * 2660 * RFC 2481 details a specific bit for a sender to send in the header of 2661 * its next outbound TCP segment to indicate to its peer that it has 2662 * reduced its congestion window. This is termed the CWR bit. For 2663 * SCTP the same indication is made by including the CWR chunk. 2664 * This chunk contains one data element, i.e. the TSN number that 2665 * was sent in the ECNE chunk. This element represents the lowest 2666 * TSN number in the datagram that was originally marked with the 2667 * CE bit. 2668 * 2669 * Verification Tag: 8.5 Verification Tag [Normal verification] 2670 * Inputs 2671 * (endpoint, asoc, chunk) 2672 * 2673 * Outputs 2674 * (asoc, reply_msg, msg_up, timers, counters) 2675 * 2676 * The return value is the disposition of the chunk. 2677 */ 2678 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2679 const struct sctp_association *asoc, 2680 const sctp_subtype_t type, 2681 void *arg, 2682 sctp_cmd_seq_t *commands) 2683 { 2684 sctp_cwrhdr_t *cwr; 2685 struct sctp_chunk *chunk = arg; 2686 u32 lowest_tsn; 2687 2688 if (!sctp_vtag_verify(chunk, asoc)) 2689 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2690 2691 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2692 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2693 commands); 2694 2695 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2696 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2697 2698 lowest_tsn = ntohl(cwr->lowest_tsn); 2699 2700 /* Does this CWR ack the last sent congestion notification? */ 2701 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2702 /* Stop sending ECNE. */ 2703 sctp_add_cmd_sf(commands, 2704 SCTP_CMD_ECN_CWR, 2705 SCTP_U32(lowest_tsn)); 2706 } 2707 return SCTP_DISPOSITION_CONSUME; 2708 } 2709 2710 /* 2711 * sctp_sf_do_ecne 2712 * 2713 * Section: Appendix A: Explicit Congestion Notification 2714 * 2715 * ECN-Echo 2716 * 2717 * RFC 2481 details a specific bit for a receiver to send back in its 2718 * TCP acknowledgements to notify the sender of the Congestion 2719 * Experienced (CE) bit having arrived from the network. For SCTP this 2720 * same indication is made by including the ECNE chunk. This chunk 2721 * contains one data element, i.e. the lowest TSN associated with the IP 2722 * datagram marked with the CE bit..... 2723 * 2724 * Verification Tag: 8.5 Verification Tag [Normal verification] 2725 * Inputs 2726 * (endpoint, asoc, chunk) 2727 * 2728 * Outputs 2729 * (asoc, reply_msg, msg_up, timers, counters) 2730 * 2731 * The return value is the disposition of the chunk. 2732 */ 2733 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2734 const struct sctp_association *asoc, 2735 const sctp_subtype_t type, 2736 void *arg, 2737 sctp_cmd_seq_t *commands) 2738 { 2739 sctp_ecnehdr_t *ecne; 2740 struct sctp_chunk *chunk = arg; 2741 2742 if (!sctp_vtag_verify(chunk, asoc)) 2743 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2744 2745 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2746 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2747 commands); 2748 2749 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2750 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2751 2752 /* If this is a newer ECNE than the last CWR packet we sent out */ 2753 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2754 SCTP_U32(ntohl(ecne->lowest_tsn))); 2755 2756 return SCTP_DISPOSITION_CONSUME; 2757 } 2758 2759 /* 2760 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2761 * 2762 * The SCTP endpoint MUST always acknowledge the reception of each valid 2763 * DATA chunk. 2764 * 2765 * The guidelines on delayed acknowledgement algorithm specified in 2766 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2767 * acknowledgement SHOULD be generated for at least every second packet 2768 * (not every second DATA chunk) received, and SHOULD be generated within 2769 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2770 * situations it may be beneficial for an SCTP transmitter to be more 2771 * conservative than the algorithms detailed in this document allow. 2772 * However, an SCTP transmitter MUST NOT be more aggressive than the 2773 * following algorithms allow. 2774 * 2775 * A SCTP receiver MUST NOT generate more than one SACK for every 2776 * incoming packet, other than to update the offered window as the 2777 * receiving application consumes new data. 2778 * 2779 * Verification Tag: 8.5 Verification Tag [Normal verification] 2780 * 2781 * Inputs 2782 * (endpoint, asoc, chunk) 2783 * 2784 * Outputs 2785 * (asoc, reply_msg, msg_up, timers, counters) 2786 * 2787 * The return value is the disposition of the chunk. 2788 */ 2789 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2790 const struct sctp_association *asoc, 2791 const sctp_subtype_t type, 2792 void *arg, 2793 sctp_cmd_seq_t *commands) 2794 { 2795 struct sctp_chunk *chunk = arg; 2796 int error; 2797 2798 if (!sctp_vtag_verify(chunk, asoc)) { 2799 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2800 SCTP_NULL()); 2801 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2802 } 2803 2804 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2805 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2806 commands); 2807 2808 error = sctp_eat_data(asoc, chunk, commands ); 2809 switch (error) { 2810 case SCTP_IERROR_NO_ERROR: 2811 break; 2812 case SCTP_IERROR_HIGH_TSN: 2813 case SCTP_IERROR_BAD_STREAM: 2814 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2815 goto discard_noforce; 2816 case SCTP_IERROR_DUP_TSN: 2817 case SCTP_IERROR_IGNORE_TSN: 2818 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2819 goto discard_force; 2820 case SCTP_IERROR_NO_DATA: 2821 goto consume; 2822 default: 2823 BUG(); 2824 } 2825 2826 if (asoc->autoclose) { 2827 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2828 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2829 } 2830 2831 /* If this is the last chunk in a packet, we need to count it 2832 * toward sack generation. Note that we need to SACK every 2833 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2834 * THEM. We elect to NOT generate SACK's if the chunk fails 2835 * the verification tag test. 2836 * 2837 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2838 * 2839 * The SCTP endpoint MUST always acknowledge the reception of 2840 * each valid DATA chunk. 2841 * 2842 * The guidelines on delayed acknowledgement algorithm 2843 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2844 * Specifically, an acknowledgement SHOULD be generated for at 2845 * least every second packet (not every second DATA chunk) 2846 * received, and SHOULD be generated within 200 ms of the 2847 * arrival of any unacknowledged DATA chunk. In some 2848 * situations it may be beneficial for an SCTP transmitter to 2849 * be more conservative than the algorithms detailed in this 2850 * document allow. However, an SCTP transmitter MUST NOT be 2851 * more aggressive than the following algorithms allow. 2852 */ 2853 if (chunk->end_of_packet) 2854 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2855 2856 return SCTP_DISPOSITION_CONSUME; 2857 2858 discard_force: 2859 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2860 * 2861 * When a packet arrives with duplicate DATA chunk(s) and with 2862 * no new DATA chunk(s), the endpoint MUST immediately send a 2863 * SACK with no delay. If a packet arrives with duplicate 2864 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2865 * MAY immediately send a SACK. Normally receipt of duplicate 2866 * DATA chunks will occur when the original SACK chunk was lost 2867 * and the peer's RTO has expired. The duplicate TSN number(s) 2868 * SHOULD be reported in the SACK as duplicate. 2869 */ 2870 /* In our case, we split the MAY SACK advice up whether or not 2871 * the last chunk is a duplicate.' 2872 */ 2873 if (chunk->end_of_packet) 2874 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2875 return SCTP_DISPOSITION_DISCARD; 2876 2877 discard_noforce: 2878 if (chunk->end_of_packet) 2879 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2880 2881 return SCTP_DISPOSITION_DISCARD; 2882 consume: 2883 return SCTP_DISPOSITION_CONSUME; 2884 2885 } 2886 2887 /* 2888 * sctp_sf_eat_data_fast_4_4 2889 * 2890 * Section: 4 (4) 2891 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2892 * DATA chunks without delay. 2893 * 2894 * Verification Tag: 8.5 Verification Tag [Normal verification] 2895 * Inputs 2896 * (endpoint, asoc, chunk) 2897 * 2898 * Outputs 2899 * (asoc, reply_msg, msg_up, timers, counters) 2900 * 2901 * The return value is the disposition of the chunk. 2902 */ 2903 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2904 const struct sctp_association *asoc, 2905 const sctp_subtype_t type, 2906 void *arg, 2907 sctp_cmd_seq_t *commands) 2908 { 2909 struct sctp_chunk *chunk = arg; 2910 int error; 2911 2912 if (!sctp_vtag_verify(chunk, asoc)) { 2913 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2914 SCTP_NULL()); 2915 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2916 } 2917 2918 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2919 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2920 commands); 2921 2922 error = sctp_eat_data(asoc, chunk, commands ); 2923 switch (error) { 2924 case SCTP_IERROR_NO_ERROR: 2925 case SCTP_IERROR_HIGH_TSN: 2926 case SCTP_IERROR_DUP_TSN: 2927 case SCTP_IERROR_IGNORE_TSN: 2928 case SCTP_IERROR_BAD_STREAM: 2929 break; 2930 case SCTP_IERROR_NO_DATA: 2931 goto consume; 2932 default: 2933 BUG(); 2934 } 2935 2936 /* Go a head and force a SACK, since we are shutting down. */ 2937 2938 /* Implementor's Guide. 2939 * 2940 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2941 * respond to each received packet containing one or more DATA chunk(s) 2942 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2943 */ 2944 if (chunk->end_of_packet) { 2945 /* We must delay the chunk creation since the cumulative 2946 * TSN has not been updated yet. 2947 */ 2948 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2949 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2950 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2951 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2952 } 2953 2954 consume: 2955 return SCTP_DISPOSITION_CONSUME; 2956 } 2957 2958 /* 2959 * Section: 6.2 Processing a Received SACK 2960 * D) Any time a SACK arrives, the endpoint performs the following: 2961 * 2962 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2963 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2964 * increasing, a SACK whose Cumulative TSN Ack is less than the 2965 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2966 * 2967 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2968 * of bytes still outstanding after processing the Cumulative TSN Ack 2969 * and the Gap Ack Blocks. 2970 * 2971 * iii) If the SACK is missing a TSN that was previously 2972 * acknowledged via a Gap Ack Block (e.g., the data receiver 2973 * reneged on the data), then mark the corresponding DATA chunk 2974 * as available for retransmit: Mark it as missing for fast 2975 * retransmit as described in Section 7.2.4 and if no retransmit 2976 * timer is running for the destination address to which the DATA 2977 * chunk was originally transmitted, then T3-rtx is started for 2978 * that destination address. 2979 * 2980 * Verification Tag: 8.5 Verification Tag [Normal verification] 2981 * 2982 * Inputs 2983 * (endpoint, asoc, chunk) 2984 * 2985 * Outputs 2986 * (asoc, reply_msg, msg_up, timers, counters) 2987 * 2988 * The return value is the disposition of the chunk. 2989 */ 2990 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2991 const struct sctp_association *asoc, 2992 const sctp_subtype_t type, 2993 void *arg, 2994 sctp_cmd_seq_t *commands) 2995 { 2996 struct sctp_chunk *chunk = arg; 2997 sctp_sackhdr_t *sackh; 2998 __u32 ctsn; 2999 3000 if (!sctp_vtag_verify(chunk, asoc)) 3001 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3002 3003 /* Make sure that the SACK chunk has a valid length. */ 3004 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 3005 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3006 commands); 3007 3008 /* Pull the SACK chunk from the data buffer */ 3009 sackh = sctp_sm_pull_sack(chunk); 3010 /* Was this a bogus SACK? */ 3011 if (!sackh) 3012 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3013 chunk->subh.sack_hdr = sackh; 3014 ctsn = ntohl(sackh->cum_tsn_ack); 3015 3016 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3017 * Ack Point, then drop the SACK. Since Cumulative TSN 3018 * Ack is monotonically increasing, a SACK whose 3019 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3020 * Point indicates an out-of-order SACK. 3021 */ 3022 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3023 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 3024 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 3025 return SCTP_DISPOSITION_DISCARD; 3026 } 3027 3028 /* If Cumulative TSN Ack beyond the max tsn currently 3029 * send, terminating the association and respond to the 3030 * sender with an ABORT. 3031 */ 3032 if (!TSN_lt(ctsn, asoc->next_tsn)) 3033 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands); 3034 3035 /* Return this SACK for further processing. */ 3036 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 3037 3038 /* Note: We do the rest of the work on the PROCESS_SACK 3039 * sideeffect. 3040 */ 3041 return SCTP_DISPOSITION_CONSUME; 3042 } 3043 3044 /* 3045 * Generate an ABORT in response to a packet. 3046 * 3047 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3048 * 3049 * 8) The receiver should respond to the sender of the OOTB packet with 3050 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3051 * MUST fill in the Verification Tag field of the outbound packet 3052 * with the value found in the Verification Tag field of the OOTB 3053 * packet and set the T-bit in the Chunk Flags to indicate that the 3054 * Verification Tag is reflected. After sending this ABORT, the 3055 * receiver of the OOTB packet shall discard the OOTB packet and take 3056 * no further action. 3057 * 3058 * Verification Tag: 3059 * 3060 * The return value is the disposition of the chunk. 3061 */ 3062 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 3063 const struct sctp_association *asoc, 3064 const sctp_subtype_t type, 3065 void *arg, 3066 sctp_cmd_seq_t *commands) 3067 { 3068 struct sctp_packet *packet = NULL; 3069 struct sctp_chunk *chunk = arg; 3070 struct sctp_chunk *abort; 3071 3072 packet = sctp_ootb_pkt_new(asoc, chunk); 3073 3074 if (packet) { 3075 /* Make an ABORT. The T bit will be set if the asoc 3076 * is NULL. 3077 */ 3078 abort = sctp_make_abort(asoc, chunk, 0); 3079 if (!abort) { 3080 sctp_ootb_pkt_free(packet); 3081 return SCTP_DISPOSITION_NOMEM; 3082 } 3083 3084 /* Reflect vtag if T-Bit is set */ 3085 if (sctp_test_T_bit(abort)) 3086 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3087 3088 /* Set the skb to the belonging sock for accounting. */ 3089 abort->skb->sk = ep->base.sk; 3090 3091 sctp_packet_append_chunk(packet, abort); 3092 3093 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3094 SCTP_PACKET(packet)); 3095 3096 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3097 3098 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3099 return SCTP_DISPOSITION_CONSUME; 3100 } 3101 3102 return SCTP_DISPOSITION_NOMEM; 3103 } 3104 3105 /* 3106 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3107 * event as ULP notification for each cause included in the chunk. 3108 * 3109 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3110 * 3111 * The return value is the disposition of the chunk. 3112 */ 3113 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 3114 const struct sctp_association *asoc, 3115 const sctp_subtype_t type, 3116 void *arg, 3117 sctp_cmd_seq_t *commands) 3118 { 3119 struct sctp_chunk *chunk = arg; 3120 struct sctp_ulpevent *ev; 3121 3122 if (!sctp_vtag_verify(chunk, asoc)) 3123 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3124 3125 /* Make sure that the ERROR chunk has a valid length. */ 3126 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 3127 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3128 commands); 3129 3130 while (chunk->chunk_end > chunk->skb->data) { 3131 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 3132 GFP_ATOMIC); 3133 if (!ev) 3134 goto nomem; 3135 3136 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 3137 SCTP_ULPEVENT(ev)); 3138 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3139 SCTP_CHUNK(chunk)); 3140 } 3141 return SCTP_DISPOSITION_CONSUME; 3142 3143 nomem: 3144 return SCTP_DISPOSITION_NOMEM; 3145 } 3146 3147 /* 3148 * Process an inbound SHUTDOWN ACK. 3149 * 3150 * From Section 9.2: 3151 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3152 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3153 * peer, and remove all record of the association. 3154 * 3155 * The return value is the disposition. 3156 */ 3157 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3158 const struct sctp_association *asoc, 3159 const sctp_subtype_t type, 3160 void *arg, 3161 sctp_cmd_seq_t *commands) 3162 { 3163 struct sctp_chunk *chunk = arg; 3164 struct sctp_chunk *reply; 3165 struct sctp_ulpevent *ev; 3166 3167 if (!sctp_vtag_verify(chunk, asoc)) 3168 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3169 3170 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3171 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3172 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3173 commands); 3174 /* 10.2 H) SHUTDOWN COMPLETE notification 3175 * 3176 * When SCTP completes the shutdown procedures (section 9.2) this 3177 * notification is passed to the upper layer. 3178 */ 3179 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3180 0, 0, 0, NULL, GFP_ATOMIC); 3181 if (!ev) 3182 goto nomem; 3183 3184 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3185 reply = sctp_make_shutdown_complete(asoc, chunk); 3186 if (!reply) 3187 goto nomem_chunk; 3188 3189 /* Do all the commands now (after allocation), so that we 3190 * have consistent state if memory allocation failes 3191 */ 3192 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3193 3194 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3195 * stop the T2-shutdown timer, 3196 */ 3197 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3198 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3199 3200 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3201 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3202 3203 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3204 SCTP_STATE(SCTP_STATE_CLOSED)); 3205 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3206 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3207 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3208 3209 /* ...and remove all record of the association. */ 3210 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3211 return SCTP_DISPOSITION_DELETE_TCB; 3212 3213 nomem_chunk: 3214 sctp_ulpevent_free(ev); 3215 nomem: 3216 return SCTP_DISPOSITION_NOMEM; 3217 } 3218 3219 /* 3220 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3221 * 3222 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3223 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3224 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3225 * packet must fill in the Verification Tag field of the outbound 3226 * packet with the Verification Tag received in the SHUTDOWN ACK and 3227 * set the T-bit in the Chunk Flags to indicate that the Verification 3228 * Tag is reflected. 3229 * 3230 * 8) The receiver should respond to the sender of the OOTB packet with 3231 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3232 * MUST fill in the Verification Tag field of the outbound packet 3233 * with the value found in the Verification Tag field of the OOTB 3234 * packet and set the T-bit in the Chunk Flags to indicate that the 3235 * Verification Tag is reflected. After sending this ABORT, the 3236 * receiver of the OOTB packet shall discard the OOTB packet and take 3237 * no further action. 3238 */ 3239 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3240 const struct sctp_association *asoc, 3241 const sctp_subtype_t type, 3242 void *arg, 3243 sctp_cmd_seq_t *commands) 3244 { 3245 struct sctp_chunk *chunk = arg; 3246 struct sk_buff *skb = chunk->skb; 3247 sctp_chunkhdr_t *ch; 3248 __u8 *ch_end; 3249 int ootb_shut_ack = 0; 3250 3251 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3252 3253 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3254 do { 3255 /* Report violation if the chunk is less then minimal */ 3256 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3257 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3258 commands); 3259 3260 /* Now that we know we at least have a chunk header, 3261 * do things that are type appropriate. 3262 */ 3263 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3264 ootb_shut_ack = 1; 3265 3266 /* RFC 2960, Section 3.3.7 3267 * Moreover, under any circumstances, an endpoint that 3268 * receives an ABORT MUST NOT respond to that ABORT by 3269 * sending an ABORT of its own. 3270 */ 3271 if (SCTP_CID_ABORT == ch->type) 3272 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3273 3274 /* Report violation if chunk len overflows */ 3275 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3276 if (ch_end > skb_tail_pointer(skb)) 3277 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3278 commands); 3279 3280 ch = (sctp_chunkhdr_t *) ch_end; 3281 } while (ch_end < skb_tail_pointer(skb)); 3282 3283 if (ootb_shut_ack) 3284 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3285 else 3286 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3287 } 3288 3289 /* 3290 * Handle an "Out of the blue" SHUTDOWN ACK. 3291 * 3292 * Section: 8.4 5, sctpimpguide 2.41. 3293 * 3294 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3295 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3296 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3297 * packet must fill in the Verification Tag field of the outbound 3298 * packet with the Verification Tag received in the SHUTDOWN ACK and 3299 * set the T-bit in the Chunk Flags to indicate that the Verification 3300 * Tag is reflected. 3301 * 3302 * Inputs 3303 * (endpoint, asoc, type, arg, commands) 3304 * 3305 * Outputs 3306 * (sctp_disposition_t) 3307 * 3308 * The return value is the disposition of the chunk. 3309 */ 3310 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3311 const struct sctp_association *asoc, 3312 const sctp_subtype_t type, 3313 void *arg, 3314 sctp_cmd_seq_t *commands) 3315 { 3316 struct sctp_packet *packet = NULL; 3317 struct sctp_chunk *chunk = arg; 3318 struct sctp_chunk *shut; 3319 3320 packet = sctp_ootb_pkt_new(asoc, chunk); 3321 3322 if (packet) { 3323 /* Make an SHUTDOWN_COMPLETE. 3324 * The T bit will be set if the asoc is NULL. 3325 */ 3326 shut = sctp_make_shutdown_complete(asoc, chunk); 3327 if (!shut) { 3328 sctp_ootb_pkt_free(packet); 3329 return SCTP_DISPOSITION_NOMEM; 3330 } 3331 3332 /* Reflect vtag if T-Bit is set */ 3333 if (sctp_test_T_bit(shut)) 3334 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3335 3336 /* Set the skb to the belonging sock for accounting. */ 3337 shut->skb->sk = ep->base.sk; 3338 3339 sctp_packet_append_chunk(packet, shut); 3340 3341 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3342 SCTP_PACKET(packet)); 3343 3344 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3345 3346 /* If the chunk length is invalid, we don't want to process 3347 * the reset of the packet. 3348 */ 3349 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3350 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3351 3352 /* We need to discard the rest of the packet to prevent 3353 * potential bomming attacks from additional bundled chunks. 3354 * This is documented in SCTP Threats ID. 3355 */ 3356 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3357 } 3358 3359 return SCTP_DISPOSITION_NOMEM; 3360 } 3361 3362 /* 3363 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3364 * 3365 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3366 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3367 * procedures in section 8.4 SHOULD be followed, in other words it 3368 * should be treated as an Out Of The Blue packet. 3369 * [This means that we do NOT check the Verification Tag on these 3370 * chunks. --piggy ] 3371 * 3372 */ 3373 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3374 const struct sctp_association *asoc, 3375 const sctp_subtype_t type, 3376 void *arg, 3377 sctp_cmd_seq_t *commands) 3378 { 3379 struct sctp_chunk *chunk = arg; 3380 3381 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3382 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3383 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3384 commands); 3385 3386 /* Although we do have an association in this case, it corresponds 3387 * to a restarted association. So the packet is treated as an OOTB 3388 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3389 * called with a NULL association. 3390 */ 3391 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3392 } 3393 3394 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3395 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3396 const struct sctp_association *asoc, 3397 const sctp_subtype_t type, void *arg, 3398 sctp_cmd_seq_t *commands) 3399 { 3400 struct sctp_chunk *chunk = arg; 3401 struct sctp_chunk *asconf_ack = NULL; 3402 struct sctp_paramhdr *err_param = NULL; 3403 sctp_addiphdr_t *hdr; 3404 union sctp_addr_param *addr_param; 3405 __u32 serial; 3406 int length; 3407 3408 if (!sctp_vtag_verify(chunk, asoc)) { 3409 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3410 SCTP_NULL()); 3411 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3412 } 3413 3414 /* ADD-IP: Section 4.1.1 3415 * This chunk MUST be sent in an authenticated way by using 3416 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3417 * is received unauthenticated it MUST be silently discarded as 3418 * described in [I-D.ietf-tsvwg-sctp-auth]. 3419 */ 3420 if (!sctp_addip_noauth && !chunk->auth) 3421 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3422 3423 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3424 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3425 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3426 commands); 3427 3428 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3429 serial = ntohl(hdr->serial); 3430 3431 addr_param = (union sctp_addr_param *)hdr->params; 3432 length = ntohs(addr_param->p.length); 3433 if (length < sizeof(sctp_paramhdr_t)) 3434 return sctp_sf_violation_paramlen(ep, asoc, type, 3435 (void *)addr_param, commands); 3436 3437 /* Verify the ASCONF chunk before processing it. */ 3438 if (!sctp_verify_asconf(asoc, 3439 (sctp_paramhdr_t *)((void *)addr_param + length), 3440 (void *)chunk->chunk_end, 3441 &err_param)) 3442 return sctp_sf_violation_paramlen(ep, asoc, type, 3443 (void *)&err_param, commands); 3444 3445 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3446 * the endpoint stored in a new association variable 3447 * 'Peer-Serial-Number'. 3448 */ 3449 if (serial == asoc->peer.addip_serial + 1) { 3450 /* If this is the first instance of ASCONF in the packet, 3451 * we can clean our old ASCONF-ACKs. 3452 */ 3453 if (!chunk->has_asconf) 3454 sctp_assoc_clean_asconf_ack_cache(asoc); 3455 3456 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3457 * expected, process the ASCONF as described below and after 3458 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3459 * the response packet and cache a copy of it (in the event it 3460 * later needs to be retransmitted). 3461 * 3462 * Essentially, do V1-V5. 3463 */ 3464 asconf_ack = sctp_process_asconf((struct sctp_association *) 3465 asoc, chunk); 3466 if (!asconf_ack) 3467 return SCTP_DISPOSITION_NOMEM; 3468 } else if (serial < asoc->peer.addip_serial + 1) { 3469 /* ADDIP 5.2 E2) 3470 * If the value found in the Sequence Number is less than the 3471 * ('Peer- Sequence-Number' + 1), simply skip to the next 3472 * ASCONF, and include in the outbound response packet 3473 * any previously cached ASCONF-ACK response that was 3474 * sent and saved that matches the Sequence Number of the 3475 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3476 * Chunk exists. This will occur when an older ASCONF 3477 * arrives out of order. In such a case, the receiver 3478 * should skip the ASCONF Chunk and not include ASCONF-ACK 3479 * Chunk for that chunk. 3480 */ 3481 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3482 if (!asconf_ack) 3483 return SCTP_DISPOSITION_DISCARD; 3484 } else { 3485 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3486 * it must be either a stale packet or from an attacker. 3487 */ 3488 return SCTP_DISPOSITION_DISCARD; 3489 } 3490 3491 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3492 * containing the ASCONF-ACK Chunks MUST be the source address of 3493 * the SCTP packet that held the ASCONF Chunks. 3494 * 3495 * To do this properly, we'll set the destination address of the chunk 3496 * and at the transmit time, will try look up the transport to use. 3497 * Since ASCONFs may be bundled, the correct transport may not be 3498 * created untill we process the entire packet, thus this workaround. 3499 */ 3500 asconf_ack->dest = chunk->source; 3501 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3502 3503 return SCTP_DISPOSITION_CONSUME; 3504 } 3505 3506 /* 3507 * ADDIP Section 4.3 General rules for address manipulation 3508 * When building TLV parameters for the ASCONF Chunk that will add or 3509 * delete IP addresses the D0 to D13 rules should be applied: 3510 */ 3511 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3512 const struct sctp_association *asoc, 3513 const sctp_subtype_t type, void *arg, 3514 sctp_cmd_seq_t *commands) 3515 { 3516 struct sctp_chunk *asconf_ack = arg; 3517 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3518 struct sctp_chunk *abort; 3519 struct sctp_paramhdr *err_param = NULL; 3520 sctp_addiphdr_t *addip_hdr; 3521 __u32 sent_serial, rcvd_serial; 3522 3523 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3524 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3525 SCTP_NULL()); 3526 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3527 } 3528 3529 /* ADD-IP, Section 4.1.2: 3530 * This chunk MUST be sent in an authenticated way by using 3531 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3532 * is received unauthenticated it MUST be silently discarded as 3533 * described in [I-D.ietf-tsvwg-sctp-auth]. 3534 */ 3535 if (!sctp_addip_noauth && !asconf_ack->auth) 3536 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 3537 3538 /* Make sure that the ADDIP chunk has a valid length. */ 3539 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3540 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3541 commands); 3542 3543 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3544 rcvd_serial = ntohl(addip_hdr->serial); 3545 3546 /* Verify the ASCONF-ACK chunk before processing it. */ 3547 if (!sctp_verify_asconf(asoc, 3548 (sctp_paramhdr_t *)addip_hdr->params, 3549 (void *)asconf_ack->chunk_end, 3550 &err_param)) 3551 return sctp_sf_violation_paramlen(ep, asoc, type, 3552 (void *)&err_param, commands); 3553 3554 if (last_asconf) { 3555 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3556 sent_serial = ntohl(addip_hdr->serial); 3557 } else { 3558 sent_serial = asoc->addip_serial - 1; 3559 } 3560 3561 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3562 * equal to the next serial number to be used but no ASCONF chunk is 3563 * outstanding the endpoint MUST ABORT the association. Note that a 3564 * sequence number is greater than if it is no more than 2^^31-1 3565 * larger than the current sequence number (using serial arithmetic). 3566 */ 3567 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3568 !(asoc->addip_last_asconf)) { 3569 abort = sctp_make_abort(asoc, asconf_ack, 3570 sizeof(sctp_errhdr_t)); 3571 if (abort) { 3572 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3573 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3574 SCTP_CHUNK(abort)); 3575 } 3576 /* We are going to ABORT, so we might as well stop 3577 * processing the rest of the chunks in the packet. 3578 */ 3579 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3580 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3581 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3582 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3583 SCTP_ERROR(ECONNABORTED)); 3584 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3585 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3586 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3587 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3588 return SCTP_DISPOSITION_ABORT; 3589 } 3590 3591 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3592 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3593 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3594 3595 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3596 asconf_ack)) 3597 return SCTP_DISPOSITION_CONSUME; 3598 3599 abort = sctp_make_abort(asoc, asconf_ack, 3600 sizeof(sctp_errhdr_t)); 3601 if (abort) { 3602 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3603 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3604 SCTP_CHUNK(abort)); 3605 } 3606 /* We are going to ABORT, so we might as well stop 3607 * processing the rest of the chunks in the packet. 3608 */ 3609 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3610 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3611 SCTP_ERROR(ECONNABORTED)); 3612 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3613 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3614 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3615 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3616 return SCTP_DISPOSITION_ABORT; 3617 } 3618 3619 return SCTP_DISPOSITION_DISCARD; 3620 } 3621 3622 /* 3623 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3624 * 3625 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3626 * its cumulative TSN point to the value carried in the FORWARD TSN 3627 * chunk, and then MUST further advance its cumulative TSN point locally 3628 * if possible. 3629 * After the above processing, the data receiver MUST stop reporting any 3630 * missing TSNs earlier than or equal to the new cumulative TSN point. 3631 * 3632 * Verification Tag: 8.5 Verification Tag [Normal verification] 3633 * 3634 * The return value is the disposition of the chunk. 3635 */ 3636 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3637 const struct sctp_association *asoc, 3638 const sctp_subtype_t type, 3639 void *arg, 3640 sctp_cmd_seq_t *commands) 3641 { 3642 struct sctp_chunk *chunk = arg; 3643 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3644 __u16 len; 3645 __u32 tsn; 3646 3647 if (!sctp_vtag_verify(chunk, asoc)) { 3648 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3649 SCTP_NULL()); 3650 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3651 } 3652 3653 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3654 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3655 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3656 commands); 3657 3658 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3659 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3660 len = ntohs(chunk->chunk_hdr->length); 3661 len -= sizeof(struct sctp_chunkhdr); 3662 skb_pull(chunk->skb, len); 3663 3664 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3665 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3666 3667 /* The TSN is too high--silently discard the chunk and count on it 3668 * getting retransmitted later. 3669 */ 3670 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3671 goto discard_noforce; 3672 3673 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3674 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3675 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3676 SCTP_CHUNK(chunk)); 3677 3678 /* Count this as receiving DATA. */ 3679 if (asoc->autoclose) { 3680 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3681 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3682 } 3683 3684 /* FIXME: For now send a SACK, but DATA processing may 3685 * send another. 3686 */ 3687 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3688 3689 return SCTP_DISPOSITION_CONSUME; 3690 3691 discard_noforce: 3692 return SCTP_DISPOSITION_DISCARD; 3693 } 3694 3695 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3696 const struct sctp_endpoint *ep, 3697 const struct sctp_association *asoc, 3698 const sctp_subtype_t type, 3699 void *arg, 3700 sctp_cmd_seq_t *commands) 3701 { 3702 struct sctp_chunk *chunk = arg; 3703 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3704 __u16 len; 3705 __u32 tsn; 3706 3707 if (!sctp_vtag_verify(chunk, asoc)) { 3708 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3709 SCTP_NULL()); 3710 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3711 } 3712 3713 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3714 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3715 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3716 commands); 3717 3718 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3719 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3720 len = ntohs(chunk->chunk_hdr->length); 3721 len -= sizeof(struct sctp_chunkhdr); 3722 skb_pull(chunk->skb, len); 3723 3724 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3725 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn); 3726 3727 /* The TSN is too high--silently discard the chunk and count on it 3728 * getting retransmitted later. 3729 */ 3730 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3731 goto gen_shutdown; 3732 3733 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3734 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3735 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3736 SCTP_CHUNK(chunk)); 3737 3738 /* Go a head and force a SACK, since we are shutting down. */ 3739 gen_shutdown: 3740 /* Implementor's Guide. 3741 * 3742 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3743 * respond to each received packet containing one or more DATA chunk(s) 3744 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3745 */ 3746 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3747 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3748 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3749 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3750 3751 return SCTP_DISPOSITION_CONSUME; 3752 } 3753 3754 /* 3755 * SCTP-AUTH Section 6.3 Receving authenticated chukns 3756 * 3757 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3758 * Identifier field. If this algorithm was not specified by the 3759 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 3760 * during association setup, the AUTH chunk and all chunks after it MUST 3761 * be discarded and an ERROR chunk SHOULD be sent with the error cause 3762 * defined in Section 4.1. 3763 * 3764 * If an endpoint with no shared key receives a Shared Key Identifier 3765 * other than 0, it MUST silently discard all authenticated chunks. If 3766 * the endpoint has at least one endpoint pair shared key for the peer, 3767 * it MUST use the key specified by the Shared Key Identifier if a 3768 * key has been configured for that Shared Key Identifier. If no 3769 * endpoint pair shared key has been configured for that Shared Key 3770 * Identifier, all authenticated chunks MUST be silently discarded. 3771 * 3772 * Verification Tag: 8.5 Verification Tag [Normal verification] 3773 * 3774 * The return value is the disposition of the chunk. 3775 */ 3776 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep, 3777 const struct sctp_association *asoc, 3778 const sctp_subtype_t type, 3779 struct sctp_chunk *chunk) 3780 { 3781 struct sctp_authhdr *auth_hdr; 3782 struct sctp_hmac *hmac; 3783 unsigned int sig_len; 3784 __u16 key_id; 3785 __u8 *save_digest; 3786 __u8 *digest; 3787 3788 /* Pull in the auth header, so we can do some more verification */ 3789 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3790 chunk->subh.auth_hdr = auth_hdr; 3791 skb_pull(chunk->skb, sizeof(struct sctp_authhdr)); 3792 3793 /* Make sure that we suport the HMAC algorithm from the auth 3794 * chunk. 3795 */ 3796 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 3797 return SCTP_IERROR_AUTH_BAD_HMAC; 3798 3799 /* Make sure that the provided shared key identifier has been 3800 * configured 3801 */ 3802 key_id = ntohs(auth_hdr->shkey_id); 3803 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id)) 3804 return SCTP_IERROR_AUTH_BAD_KEYID; 3805 3806 3807 /* Make sure that the length of the signature matches what 3808 * we expect. 3809 */ 3810 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t); 3811 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 3812 if (sig_len != hmac->hmac_len) 3813 return SCTP_IERROR_PROTO_VIOLATION; 3814 3815 /* Now that we've done validation checks, we can compute and 3816 * verify the hmac. The steps involved are: 3817 * 1. Save the digest from the chunk. 3818 * 2. Zero out the digest in the chunk. 3819 * 3. Compute the new digest 3820 * 4. Compare saved and new digests. 3821 */ 3822 digest = auth_hdr->hmac; 3823 skb_pull(chunk->skb, sig_len); 3824 3825 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 3826 if (!save_digest) 3827 goto nomem; 3828 3829 memset(digest, 0, sig_len); 3830 3831 sctp_auth_calculate_hmac(asoc, chunk->skb, 3832 (struct sctp_auth_chunk *)chunk->chunk_hdr, 3833 GFP_ATOMIC); 3834 3835 /* Discard the packet if the digests do not match */ 3836 if (memcmp(save_digest, digest, sig_len)) { 3837 kfree(save_digest); 3838 return SCTP_IERROR_BAD_SIG; 3839 } 3840 3841 kfree(save_digest); 3842 chunk->auth = 1; 3843 3844 return SCTP_IERROR_NO_ERROR; 3845 nomem: 3846 return SCTP_IERROR_NOMEM; 3847 } 3848 3849 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep, 3850 const struct sctp_association *asoc, 3851 const sctp_subtype_t type, 3852 void *arg, 3853 sctp_cmd_seq_t *commands) 3854 { 3855 struct sctp_authhdr *auth_hdr; 3856 struct sctp_chunk *chunk = arg; 3857 struct sctp_chunk *err_chunk; 3858 sctp_ierror_t error; 3859 3860 /* Make sure that the peer has AUTH capable */ 3861 if (!asoc->peer.auth_capable) 3862 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands); 3863 3864 if (!sctp_vtag_verify(chunk, asoc)) { 3865 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3866 SCTP_NULL()); 3867 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3868 } 3869 3870 /* Make sure that the AUTH chunk has valid length. */ 3871 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 3872 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3873 commands); 3874 3875 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 3876 error = sctp_sf_authenticate(ep, asoc, type, chunk); 3877 switch (error) { 3878 case SCTP_IERROR_AUTH_BAD_HMAC: 3879 /* Generate the ERROR chunk and discard the rest 3880 * of the packet 3881 */ 3882 err_chunk = sctp_make_op_error(asoc, chunk, 3883 SCTP_ERROR_UNSUP_HMAC, 3884 &auth_hdr->hmac_id, 3885 sizeof(__u16)); 3886 if (err_chunk) { 3887 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3888 SCTP_CHUNK(err_chunk)); 3889 } 3890 /* Fall Through */ 3891 case SCTP_IERROR_AUTH_BAD_KEYID: 3892 case SCTP_IERROR_BAD_SIG: 3893 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3894 break; 3895 case SCTP_IERROR_PROTO_VIOLATION: 3896 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3897 commands); 3898 break; 3899 case SCTP_IERROR_NOMEM: 3900 return SCTP_DISPOSITION_NOMEM; 3901 default: 3902 break; 3903 } 3904 3905 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 3906 struct sctp_ulpevent *ev; 3907 3908 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 3909 SCTP_AUTH_NEWKEY, GFP_ATOMIC); 3910 3911 if (!ev) 3912 return -ENOMEM; 3913 3914 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 3915 SCTP_ULPEVENT(ev)); 3916 } 3917 3918 return SCTP_DISPOSITION_CONSUME; 3919 } 3920 3921 /* 3922 * Process an unknown chunk. 3923 * 3924 * Section: 3.2. Also, 2.1 in the implementor's guide. 3925 * 3926 * Chunk Types are encoded such that the highest-order two bits specify 3927 * the action that must be taken if the processing endpoint does not 3928 * recognize the Chunk Type. 3929 * 3930 * 00 - Stop processing this SCTP packet and discard it, do not process 3931 * any further chunks within it. 3932 * 3933 * 01 - Stop processing this SCTP packet and discard it, do not process 3934 * any further chunks within it, and report the unrecognized 3935 * chunk in an 'Unrecognized Chunk Type'. 3936 * 3937 * 10 - Skip this chunk and continue processing. 3938 * 3939 * 11 - Skip this chunk and continue processing, but report in an ERROR 3940 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3941 * 3942 * The return value is the disposition of the chunk. 3943 */ 3944 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3945 const struct sctp_association *asoc, 3946 const sctp_subtype_t type, 3947 void *arg, 3948 sctp_cmd_seq_t *commands) 3949 { 3950 struct sctp_chunk *unk_chunk = arg; 3951 struct sctp_chunk *err_chunk; 3952 sctp_chunkhdr_t *hdr; 3953 3954 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3955 3956 if (!sctp_vtag_verify(unk_chunk, asoc)) 3957 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3958 3959 /* Make sure that the chunk has a valid length. 3960 * Since we don't know the chunk type, we use a general 3961 * chunkhdr structure to make a comparison. 3962 */ 3963 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3964 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3965 commands); 3966 3967 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3968 case SCTP_CID_ACTION_DISCARD: 3969 /* Discard the packet. */ 3970 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3971 break; 3972 case SCTP_CID_ACTION_DISCARD_ERR: 3973 /* Discard the packet. */ 3974 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3975 3976 /* Generate an ERROR chunk as response. */ 3977 hdr = unk_chunk->chunk_hdr; 3978 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3979 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3980 WORD_ROUND(ntohs(hdr->length))); 3981 if (err_chunk) { 3982 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3983 SCTP_CHUNK(err_chunk)); 3984 } 3985 return SCTP_DISPOSITION_CONSUME; 3986 break; 3987 case SCTP_CID_ACTION_SKIP: 3988 /* Skip the chunk. */ 3989 return SCTP_DISPOSITION_DISCARD; 3990 break; 3991 case SCTP_CID_ACTION_SKIP_ERR: 3992 /* Generate an ERROR chunk as response. */ 3993 hdr = unk_chunk->chunk_hdr; 3994 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3995 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3996 WORD_ROUND(ntohs(hdr->length))); 3997 if (err_chunk) { 3998 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3999 SCTP_CHUNK(err_chunk)); 4000 } 4001 /* Skip the chunk. */ 4002 return SCTP_DISPOSITION_CONSUME; 4003 break; 4004 default: 4005 break; 4006 } 4007 4008 return SCTP_DISPOSITION_DISCARD; 4009 } 4010 4011 /* 4012 * Discard the chunk. 4013 * 4014 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4015 * [Too numerous to mention...] 4016 * Verification Tag: No verification needed. 4017 * Inputs 4018 * (endpoint, asoc, chunk) 4019 * 4020 * Outputs 4021 * (asoc, reply_msg, msg_up, timers, counters) 4022 * 4023 * The return value is the disposition of the chunk. 4024 */ 4025 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 4026 const struct sctp_association *asoc, 4027 const sctp_subtype_t type, 4028 void *arg, 4029 sctp_cmd_seq_t *commands) 4030 { 4031 struct sctp_chunk *chunk = arg; 4032 4033 /* Make sure that the chunk has a valid length. 4034 * Since we don't know the chunk type, we use a general 4035 * chunkhdr structure to make a comparison. 4036 */ 4037 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4038 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4039 commands); 4040 4041 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 4042 return SCTP_DISPOSITION_DISCARD; 4043 } 4044 4045 /* 4046 * Discard the whole packet. 4047 * 4048 * Section: 8.4 2) 4049 * 4050 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4051 * silently discard the OOTB packet and take no further action. 4052 * 4053 * Verification Tag: No verification necessary 4054 * 4055 * Inputs 4056 * (endpoint, asoc, chunk) 4057 * 4058 * Outputs 4059 * (asoc, reply_msg, msg_up, timers, counters) 4060 * 4061 * The return value is the disposition of the chunk. 4062 */ 4063 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 4064 const struct sctp_association *asoc, 4065 const sctp_subtype_t type, 4066 void *arg, 4067 sctp_cmd_seq_t *commands) 4068 { 4069 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 4070 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4071 4072 return SCTP_DISPOSITION_CONSUME; 4073 } 4074 4075 4076 /* 4077 * The other end is violating protocol. 4078 * 4079 * Section: Not specified 4080 * Verification Tag: Not specified 4081 * Inputs 4082 * (endpoint, asoc, chunk) 4083 * 4084 * Outputs 4085 * (asoc, reply_msg, msg_up, timers, counters) 4086 * 4087 * We simply tag the chunk as a violation. The state machine will log 4088 * the violation and continue. 4089 */ 4090 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 4091 const struct sctp_association *asoc, 4092 const sctp_subtype_t type, 4093 void *arg, 4094 sctp_cmd_seq_t *commands) 4095 { 4096 struct sctp_chunk *chunk = arg; 4097 4098 /* Make sure that the chunk has a valid length. */ 4099 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 4100 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4101 commands); 4102 4103 return SCTP_DISPOSITION_VIOLATION; 4104 } 4105 4106 /* 4107 * Common function to handle a protocol violation. 4108 */ 4109 static sctp_disposition_t sctp_sf_abort_violation( 4110 const struct sctp_endpoint *ep, 4111 const struct sctp_association *asoc, 4112 void *arg, 4113 sctp_cmd_seq_t *commands, 4114 const __u8 *payload, 4115 const size_t paylen) 4116 { 4117 struct sctp_packet *packet = NULL; 4118 struct sctp_chunk *chunk = arg; 4119 struct sctp_chunk *abort = NULL; 4120 4121 /* SCTP-AUTH, Section 6.3: 4122 * It should be noted that if the receiver wants to tear 4123 * down an association in an authenticated way only, the 4124 * handling of malformed packets should not result in 4125 * tearing down the association. 4126 * 4127 * This means that if we only want to abort associations 4128 * in an authenticated way (i.e AUTH+ABORT), then we 4129 * can't destroy this association just becuase the packet 4130 * was malformed. 4131 */ 4132 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4133 goto discard; 4134 4135 /* Make the abort chunk. */ 4136 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4137 if (!abort) 4138 goto nomem; 4139 4140 if (asoc) { 4141 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4142 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4143 !asoc->peer.i.init_tag) { 4144 sctp_initack_chunk_t *initack; 4145 4146 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 4147 if (!sctp_chunk_length_valid(chunk, 4148 sizeof(sctp_initack_chunk_t))) 4149 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4150 else { 4151 unsigned int inittag; 4152 4153 inittag = ntohl(initack->init_hdr.init_tag); 4154 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4155 SCTP_U32(inittag)); 4156 } 4157 } 4158 4159 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4160 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4161 4162 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4163 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4164 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4165 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4166 SCTP_ERROR(ECONNREFUSED)); 4167 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4168 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4169 } else { 4170 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4171 SCTP_ERROR(ECONNABORTED)); 4172 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4173 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4174 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4175 } 4176 } else { 4177 packet = sctp_ootb_pkt_new(asoc, chunk); 4178 4179 if (!packet) 4180 goto nomem_pkt; 4181 4182 if (sctp_test_T_bit(abort)) 4183 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4184 4185 abort->skb->sk = ep->base.sk; 4186 4187 sctp_packet_append_chunk(packet, abort); 4188 4189 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4190 SCTP_PACKET(packet)); 4191 4192 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 4193 } 4194 4195 discard: 4196 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4197 4198 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4199 4200 return SCTP_DISPOSITION_ABORT; 4201 4202 nomem_pkt: 4203 sctp_chunk_free(abort); 4204 nomem: 4205 return SCTP_DISPOSITION_NOMEM; 4206 } 4207 4208 /* 4209 * Handle a protocol violation when the chunk length is invalid. 4210 * "Invalid" length is identified as smaller then the minimal length a 4211 * given chunk can be. For example, a SACK chunk has invalid length 4212 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 4213 * 4214 * We inform the other end by sending an ABORT with a Protocol Violation 4215 * error code. 4216 * 4217 * Section: Not specified 4218 * Verification Tag: Nothing to do 4219 * Inputs 4220 * (endpoint, asoc, chunk) 4221 * 4222 * Outputs 4223 * (reply_msg, msg_up, counters) 4224 * 4225 * Generate an ABORT chunk and terminate the association. 4226 */ 4227 static sctp_disposition_t sctp_sf_violation_chunklen( 4228 const struct sctp_endpoint *ep, 4229 const struct sctp_association *asoc, 4230 const sctp_subtype_t type, 4231 void *arg, 4232 sctp_cmd_seq_t *commands) 4233 { 4234 static const char err_str[]="The following chunk had invalid length:"; 4235 4236 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4237 sizeof(err_str)); 4238 } 4239 4240 /* 4241 * Handle a protocol violation when the parameter length is invalid. 4242 * "Invalid" length is identified as smaller then the minimal length a 4243 * given parameter can be. 4244 */ 4245 static sctp_disposition_t sctp_sf_violation_paramlen( 4246 const struct sctp_endpoint *ep, 4247 const struct sctp_association *asoc, 4248 const sctp_subtype_t type, 4249 void *arg, 4250 sctp_cmd_seq_t *commands) { 4251 static const char err_str[] = "The following parameter had invalid length:"; 4252 4253 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4254 sizeof(err_str)); 4255 } 4256 4257 /* Handle a protocol violation when the peer trying to advance the 4258 * cumulative tsn ack to a point beyond the max tsn currently sent. 4259 * 4260 * We inform the other end by sending an ABORT with a Protocol Violation 4261 * error code. 4262 */ 4263 static sctp_disposition_t sctp_sf_violation_ctsn( 4264 const struct sctp_endpoint *ep, 4265 const struct sctp_association *asoc, 4266 const sctp_subtype_t type, 4267 void *arg, 4268 sctp_cmd_seq_t *commands) 4269 { 4270 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:"; 4271 4272 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4273 sizeof(err_str)); 4274 } 4275 4276 /* Handle protocol violation of an invalid chunk bundling. For example, 4277 * when we have an association and we recieve bundled INIT-ACK, or 4278 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4279 * statement from the specs. Additinally, there might be an attacker 4280 * on the path and we may not want to continue this communication. 4281 */ 4282 static sctp_disposition_t sctp_sf_violation_chunk( 4283 const struct sctp_endpoint *ep, 4284 const struct sctp_association *asoc, 4285 const sctp_subtype_t type, 4286 void *arg, 4287 sctp_cmd_seq_t *commands) 4288 { 4289 static const char err_str[]="The following chunk violates protocol:"; 4290 4291 if (!asoc) 4292 return sctp_sf_violation(ep, asoc, type, arg, commands); 4293 4294 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, 4295 sizeof(err_str)); 4296 } 4297 /*************************************************************************** 4298 * These are the state functions for handling primitive (Section 10) events. 4299 ***************************************************************************/ 4300 /* 4301 * sctp_sf_do_prm_asoc 4302 * 4303 * Section: 10.1 ULP-to-SCTP 4304 * B) Associate 4305 * 4306 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4307 * outbound stream count) 4308 * -> association id [,destination transport addr list] [,outbound stream 4309 * count] 4310 * 4311 * This primitive allows the upper layer to initiate an association to a 4312 * specific peer endpoint. 4313 * 4314 * The peer endpoint shall be specified by one of the transport addresses 4315 * which defines the endpoint (see Section 1.4). If the local SCTP 4316 * instance has not been initialized, the ASSOCIATE is considered an 4317 * error. 4318 * [This is not relevant for the kernel implementation since we do all 4319 * initialization at boot time. It we hadn't initialized we wouldn't 4320 * get anywhere near this code.] 4321 * 4322 * An association id, which is a local handle to the SCTP association, 4323 * will be returned on successful establishment of the association. If 4324 * SCTP is not able to open an SCTP association with the peer endpoint, 4325 * an error is returned. 4326 * [In the kernel implementation, the struct sctp_association needs to 4327 * be created BEFORE causing this primitive to run.] 4328 * 4329 * Other association parameters may be returned, including the 4330 * complete destination transport addresses of the peer as well as the 4331 * outbound stream count of the local endpoint. One of the transport 4332 * address from the returned destination addresses will be selected by 4333 * the local endpoint as default primary path for sending SCTP packets 4334 * to this peer. The returned "destination transport addr list" can 4335 * be used by the ULP to change the default primary path or to force 4336 * sending a packet to a specific transport address. [All of this 4337 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4338 * function.] 4339 * 4340 * Mandatory attributes: 4341 * 4342 * o local SCTP instance name - obtained from the INITIALIZE operation. 4343 * [This is the argument asoc.] 4344 * o destination transport addr - specified as one of the transport 4345 * addresses of the peer endpoint with which the association is to be 4346 * established. 4347 * [This is asoc->peer.active_path.] 4348 * o outbound stream count - the number of outbound streams the ULP 4349 * would like to open towards this peer endpoint. 4350 * [BUG: This is not currently implemented.] 4351 * Optional attributes: 4352 * 4353 * None. 4354 * 4355 * The return value is a disposition. 4356 */ 4357 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 4358 const struct sctp_association *asoc, 4359 const sctp_subtype_t type, 4360 void *arg, 4361 sctp_cmd_seq_t *commands) 4362 { 4363 struct sctp_chunk *repl; 4364 struct sctp_association* my_asoc; 4365 4366 /* The comment below says that we enter COOKIE-WAIT AFTER 4367 * sending the INIT, but that doesn't actually work in our 4368 * implementation... 4369 */ 4370 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4371 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4372 4373 /* RFC 2960 5.1 Normal Establishment of an Association 4374 * 4375 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4376 * must provide its Verification Tag (Tag_A) in the Initiate 4377 * Tag field. Tag_A SHOULD be a random number in the range of 4378 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4379 */ 4380 4381 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4382 if (!repl) 4383 goto nomem; 4384 4385 /* Cast away the const modifier, as we want to just 4386 * rerun it through as a sideffect. 4387 */ 4388 my_asoc = (struct sctp_association *)asoc; 4389 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4390 4391 /* Choose transport for INIT. */ 4392 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4393 SCTP_CHUNK(repl)); 4394 4395 /* After sending the INIT, "A" starts the T1-init timer and 4396 * enters the COOKIE-WAIT state. 4397 */ 4398 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4399 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4400 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4401 return SCTP_DISPOSITION_CONSUME; 4402 4403 nomem: 4404 return SCTP_DISPOSITION_NOMEM; 4405 } 4406 4407 /* 4408 * Process the SEND primitive. 4409 * 4410 * Section: 10.1 ULP-to-SCTP 4411 * E) Send 4412 * 4413 * Format: SEND(association id, buffer address, byte count [,context] 4414 * [,stream id] [,life time] [,destination transport address] 4415 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4416 * -> result 4417 * 4418 * This is the main method to send user data via SCTP. 4419 * 4420 * Mandatory attributes: 4421 * 4422 * o association id - local handle to the SCTP association 4423 * 4424 * o buffer address - the location where the user message to be 4425 * transmitted is stored; 4426 * 4427 * o byte count - The size of the user data in number of bytes; 4428 * 4429 * Optional attributes: 4430 * 4431 * o context - an optional 32 bit integer that will be carried in the 4432 * sending failure notification to the ULP if the transportation of 4433 * this User Message fails. 4434 * 4435 * o stream id - to indicate which stream to send the data on. If not 4436 * specified, stream 0 will be used. 4437 * 4438 * o life time - specifies the life time of the user data. The user data 4439 * will not be sent by SCTP after the life time expires. This 4440 * parameter can be used to avoid efforts to transmit stale 4441 * user messages. SCTP notifies the ULP if the data cannot be 4442 * initiated to transport (i.e. sent to the destination via SCTP's 4443 * send primitive) within the life time variable. However, the 4444 * user data will be transmitted if SCTP has attempted to transmit a 4445 * chunk before the life time expired. 4446 * 4447 * o destination transport address - specified as one of the destination 4448 * transport addresses of the peer endpoint to which this packet 4449 * should be sent. Whenever possible, SCTP should use this destination 4450 * transport address for sending the packets, instead of the current 4451 * primary path. 4452 * 4453 * o unorder flag - this flag, if present, indicates that the user 4454 * would like the data delivered in an unordered fashion to the peer 4455 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4456 * message). 4457 * 4458 * o no-bundle flag - instructs SCTP not to bundle this user data with 4459 * other outbound DATA chunks. SCTP MAY still bundle even when 4460 * this flag is present, when faced with network congestion. 4461 * 4462 * o payload protocol-id - A 32 bit unsigned integer that is to be 4463 * passed to the peer indicating the type of payload protocol data 4464 * being transmitted. This value is passed as opaque data by SCTP. 4465 * 4466 * The return value is the disposition. 4467 */ 4468 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 4469 const struct sctp_association *asoc, 4470 const sctp_subtype_t type, 4471 void *arg, 4472 sctp_cmd_seq_t *commands) 4473 { 4474 struct sctp_chunk *chunk = arg; 4475 4476 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4477 return SCTP_DISPOSITION_CONSUME; 4478 } 4479 4480 /* 4481 * Process the SHUTDOWN primitive. 4482 * 4483 * Section: 10.1: 4484 * C) Shutdown 4485 * 4486 * Format: SHUTDOWN(association id) 4487 * -> result 4488 * 4489 * Gracefully closes an association. Any locally queued user data 4490 * will be delivered to the peer. The association will be terminated only 4491 * after the peer acknowledges all the SCTP packets sent. A success code 4492 * will be returned on successful termination of the association. If 4493 * attempting to terminate the association results in a failure, an error 4494 * code shall be returned. 4495 * 4496 * Mandatory attributes: 4497 * 4498 * o association id - local handle to the SCTP association 4499 * 4500 * Optional attributes: 4501 * 4502 * None. 4503 * 4504 * The return value is the disposition. 4505 */ 4506 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 4507 const struct sctp_endpoint *ep, 4508 const struct sctp_association *asoc, 4509 const sctp_subtype_t type, 4510 void *arg, 4511 sctp_cmd_seq_t *commands) 4512 { 4513 int disposition; 4514 4515 /* From 9.2 Shutdown of an Association 4516 * Upon receipt of the SHUTDOWN primitive from its upper 4517 * layer, the endpoint enters SHUTDOWN-PENDING state and 4518 * remains there until all outstanding data has been 4519 * acknowledged by its peer. The endpoint accepts no new data 4520 * from its upper layer, but retransmits data to the far end 4521 * if necessary to fill gaps. 4522 */ 4523 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4524 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4525 4526 /* sctpimpguide-05 Section 2.12.2 4527 * The sender of the SHUTDOWN MAY also start an overall guard timer 4528 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4529 */ 4530 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4531 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4532 4533 disposition = SCTP_DISPOSITION_CONSUME; 4534 if (sctp_outq_is_empty(&asoc->outqueue)) { 4535 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4536 arg, commands); 4537 } 4538 return disposition; 4539 } 4540 4541 /* 4542 * Process the ABORT primitive. 4543 * 4544 * Section: 10.1: 4545 * C) Abort 4546 * 4547 * Format: Abort(association id [, cause code]) 4548 * -> result 4549 * 4550 * Ungracefully closes an association. Any locally queued user data 4551 * will be discarded and an ABORT chunk is sent to the peer. A success code 4552 * will be returned on successful abortion of the association. If 4553 * attempting to abort the association results in a failure, an error 4554 * code shall be returned. 4555 * 4556 * Mandatory attributes: 4557 * 4558 * o association id - local handle to the SCTP association 4559 * 4560 * Optional attributes: 4561 * 4562 * o cause code - reason of the abort to be passed to the peer 4563 * 4564 * None. 4565 * 4566 * The return value is the disposition. 4567 */ 4568 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4569 const struct sctp_endpoint *ep, 4570 const struct sctp_association *asoc, 4571 const sctp_subtype_t type, 4572 void *arg, 4573 sctp_cmd_seq_t *commands) 4574 { 4575 /* From 9.1 Abort of an Association 4576 * Upon receipt of the ABORT primitive from its upper 4577 * layer, the endpoint enters CLOSED state and 4578 * discard all outstanding data has been 4579 * acknowledged by its peer. The endpoint accepts no new data 4580 * from its upper layer, but retransmits data to the far end 4581 * if necessary to fill gaps. 4582 */ 4583 struct sctp_chunk *abort = arg; 4584 sctp_disposition_t retval; 4585 4586 retval = SCTP_DISPOSITION_CONSUME; 4587 4588 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4589 4590 /* Even if we can't send the ABORT due to low memory delete the 4591 * TCB. This is a departure from our typical NOMEM handling. 4592 */ 4593 4594 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4595 SCTP_ERROR(ECONNABORTED)); 4596 /* Delete the established association. */ 4597 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4598 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4599 4600 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4601 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4602 4603 return retval; 4604 } 4605 4606 /* We tried an illegal operation on an association which is closed. */ 4607 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4608 const struct sctp_association *asoc, 4609 const sctp_subtype_t type, 4610 void *arg, 4611 sctp_cmd_seq_t *commands) 4612 { 4613 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4614 return SCTP_DISPOSITION_CONSUME; 4615 } 4616 4617 /* We tried an illegal operation on an association which is shutting 4618 * down. 4619 */ 4620 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4621 const struct sctp_association *asoc, 4622 const sctp_subtype_t type, 4623 void *arg, 4624 sctp_cmd_seq_t *commands) 4625 { 4626 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4627 SCTP_ERROR(-ESHUTDOWN)); 4628 return SCTP_DISPOSITION_CONSUME; 4629 } 4630 4631 /* 4632 * sctp_cookie_wait_prm_shutdown 4633 * 4634 * Section: 4 Note: 2 4635 * Verification Tag: 4636 * Inputs 4637 * (endpoint, asoc) 4638 * 4639 * The RFC does not explicitly address this issue, but is the route through the 4640 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4641 * 4642 * Outputs 4643 * (timers) 4644 */ 4645 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4646 const struct sctp_endpoint *ep, 4647 const struct sctp_association *asoc, 4648 const sctp_subtype_t type, 4649 void *arg, 4650 sctp_cmd_seq_t *commands) 4651 { 4652 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4653 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4654 4655 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4656 SCTP_STATE(SCTP_STATE_CLOSED)); 4657 4658 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4659 4660 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4661 4662 return SCTP_DISPOSITION_DELETE_TCB; 4663 } 4664 4665 /* 4666 * sctp_cookie_echoed_prm_shutdown 4667 * 4668 * Section: 4 Note: 2 4669 * Verification Tag: 4670 * Inputs 4671 * (endpoint, asoc) 4672 * 4673 * The RFC does not explcitly address this issue, but is the route through the 4674 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4675 * 4676 * Outputs 4677 * (timers) 4678 */ 4679 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4680 const struct sctp_endpoint *ep, 4681 const struct sctp_association *asoc, 4682 const sctp_subtype_t type, 4683 void *arg, sctp_cmd_seq_t *commands) 4684 { 4685 /* There is a single T1 timer, so we should be able to use 4686 * common function with the COOKIE-WAIT state. 4687 */ 4688 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4689 } 4690 4691 /* 4692 * sctp_sf_cookie_wait_prm_abort 4693 * 4694 * Section: 4 Note: 2 4695 * Verification Tag: 4696 * Inputs 4697 * (endpoint, asoc) 4698 * 4699 * The RFC does not explicitly address this issue, but is the route through the 4700 * state table when someone issues an abort while in COOKIE_WAIT state. 4701 * 4702 * Outputs 4703 * (timers) 4704 */ 4705 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4706 const struct sctp_endpoint *ep, 4707 const struct sctp_association *asoc, 4708 const sctp_subtype_t type, 4709 void *arg, 4710 sctp_cmd_seq_t *commands) 4711 { 4712 struct sctp_chunk *abort = arg; 4713 sctp_disposition_t retval; 4714 4715 /* Stop T1-init timer */ 4716 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4717 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4718 retval = SCTP_DISPOSITION_CONSUME; 4719 4720 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4721 4722 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4723 SCTP_STATE(SCTP_STATE_CLOSED)); 4724 4725 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4726 4727 /* Even if we can't send the ABORT due to low memory delete the 4728 * TCB. This is a departure from our typical NOMEM handling. 4729 */ 4730 4731 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4732 SCTP_ERROR(ECONNREFUSED)); 4733 /* Delete the established association. */ 4734 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4735 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4736 4737 return retval; 4738 } 4739 4740 /* 4741 * sctp_sf_cookie_echoed_prm_abort 4742 * 4743 * Section: 4 Note: 3 4744 * Verification Tag: 4745 * Inputs 4746 * (endpoint, asoc) 4747 * 4748 * The RFC does not explcitly address this issue, but is the route through the 4749 * state table when someone issues an abort while in COOKIE_ECHOED state. 4750 * 4751 * Outputs 4752 * (timers) 4753 */ 4754 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4755 const struct sctp_endpoint *ep, 4756 const struct sctp_association *asoc, 4757 const sctp_subtype_t type, 4758 void *arg, 4759 sctp_cmd_seq_t *commands) 4760 { 4761 /* There is a single T1 timer, so we should be able to use 4762 * common function with the COOKIE-WAIT state. 4763 */ 4764 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4765 } 4766 4767 /* 4768 * sctp_sf_shutdown_pending_prm_abort 4769 * 4770 * Inputs 4771 * (endpoint, asoc) 4772 * 4773 * The RFC does not explicitly address this issue, but is the route through the 4774 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4775 * 4776 * Outputs 4777 * (timers) 4778 */ 4779 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4780 const struct sctp_endpoint *ep, 4781 const struct sctp_association *asoc, 4782 const sctp_subtype_t type, 4783 void *arg, 4784 sctp_cmd_seq_t *commands) 4785 { 4786 /* Stop the T5-shutdown guard timer. */ 4787 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4788 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4789 4790 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4791 } 4792 4793 /* 4794 * sctp_sf_shutdown_sent_prm_abort 4795 * 4796 * Inputs 4797 * (endpoint, asoc) 4798 * 4799 * The RFC does not explicitly address this issue, but is the route through the 4800 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4801 * 4802 * Outputs 4803 * (timers) 4804 */ 4805 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4806 const struct sctp_endpoint *ep, 4807 const struct sctp_association *asoc, 4808 const sctp_subtype_t type, 4809 void *arg, 4810 sctp_cmd_seq_t *commands) 4811 { 4812 /* Stop the T2-shutdown timer. */ 4813 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4814 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4815 4816 /* Stop the T5-shutdown guard timer. */ 4817 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4818 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4819 4820 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4821 } 4822 4823 /* 4824 * sctp_sf_cookie_echoed_prm_abort 4825 * 4826 * Inputs 4827 * (endpoint, asoc) 4828 * 4829 * The RFC does not explcitly address this issue, but is the route through the 4830 * state table when someone issues an abort while in COOKIE_ECHOED state. 4831 * 4832 * Outputs 4833 * (timers) 4834 */ 4835 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4836 const struct sctp_endpoint *ep, 4837 const struct sctp_association *asoc, 4838 const sctp_subtype_t type, 4839 void *arg, 4840 sctp_cmd_seq_t *commands) 4841 { 4842 /* The same T2 timer, so we should be able to use 4843 * common function with the SHUTDOWN-SENT state. 4844 */ 4845 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4846 } 4847 4848 /* 4849 * Process the REQUESTHEARTBEAT primitive 4850 * 4851 * 10.1 ULP-to-SCTP 4852 * J) Request Heartbeat 4853 * 4854 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4855 * 4856 * -> result 4857 * 4858 * Instructs the local endpoint to perform a HeartBeat on the specified 4859 * destination transport address of the given association. The returned 4860 * result should indicate whether the transmission of the HEARTBEAT 4861 * chunk to the destination address is successful. 4862 * 4863 * Mandatory attributes: 4864 * 4865 * o association id - local handle to the SCTP association 4866 * 4867 * o destination transport address - the transport address of the 4868 * association on which a heartbeat should be issued. 4869 */ 4870 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4871 const struct sctp_endpoint *ep, 4872 const struct sctp_association *asoc, 4873 const sctp_subtype_t type, 4874 void *arg, 4875 sctp_cmd_seq_t *commands) 4876 { 4877 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 4878 (struct sctp_transport *)arg, commands)) 4879 return SCTP_DISPOSITION_NOMEM; 4880 4881 /* 4882 * RFC 2960 (bis), section 8.3 4883 * 4884 * D) Request an on-demand HEARTBEAT on a specific destination 4885 * transport address of a given association. 4886 * 4887 * The endpoint should increment the respective error counter of 4888 * the destination transport address each time a HEARTBEAT is sent 4889 * to that address and not acknowledged within one RTO. 4890 * 4891 */ 4892 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 4893 SCTP_TRANSPORT(arg)); 4894 return SCTP_DISPOSITION_CONSUME; 4895 } 4896 4897 /* 4898 * ADDIP Section 4.1 ASCONF Chunk Procedures 4899 * When an endpoint has an ASCONF signaled change to be sent to the 4900 * remote endpoint it should do A1 to A9 4901 */ 4902 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4903 const struct sctp_association *asoc, 4904 const sctp_subtype_t type, 4905 void *arg, 4906 sctp_cmd_seq_t *commands) 4907 { 4908 struct sctp_chunk *chunk = arg; 4909 4910 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4911 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4912 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4913 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4914 return SCTP_DISPOSITION_CONSUME; 4915 } 4916 4917 /* 4918 * Ignore the primitive event 4919 * 4920 * The return value is the disposition of the primitive. 4921 */ 4922 sctp_disposition_t sctp_sf_ignore_primitive( 4923 const struct sctp_endpoint *ep, 4924 const struct sctp_association *asoc, 4925 const sctp_subtype_t type, 4926 void *arg, 4927 sctp_cmd_seq_t *commands) 4928 { 4929 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4930 return SCTP_DISPOSITION_DISCARD; 4931 } 4932 4933 /*************************************************************************** 4934 * These are the state functions for the OTHER events. 4935 ***************************************************************************/ 4936 4937 /* 4938 * Start the shutdown negotiation. 4939 * 4940 * From Section 9.2: 4941 * Once all its outstanding data has been acknowledged, the endpoint 4942 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4943 * TSN Ack field the last sequential TSN it has received from the peer. 4944 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4945 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4946 * with the updated last sequential TSN received from its peer. 4947 * 4948 * The return value is the disposition. 4949 */ 4950 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4951 const struct sctp_endpoint *ep, 4952 const struct sctp_association *asoc, 4953 const sctp_subtype_t type, 4954 void *arg, 4955 sctp_cmd_seq_t *commands) 4956 { 4957 struct sctp_chunk *reply; 4958 4959 /* Once all its outstanding data has been acknowledged, the 4960 * endpoint shall send a SHUTDOWN chunk to its peer including 4961 * in the Cumulative TSN Ack field the last sequential TSN it 4962 * has received from the peer. 4963 */ 4964 reply = sctp_make_shutdown(asoc, NULL); 4965 if (!reply) 4966 goto nomem; 4967 4968 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4969 * T2-shutdown timer. 4970 */ 4971 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4972 4973 /* It shall then start the T2-shutdown timer */ 4974 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4975 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4976 4977 if (asoc->autoclose) 4978 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4979 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4980 4981 /* and enter the SHUTDOWN-SENT state. */ 4982 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4983 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4984 4985 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4986 * 4987 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4988 * or SHUTDOWN-ACK. 4989 */ 4990 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4991 4992 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4993 4994 return SCTP_DISPOSITION_CONSUME; 4995 4996 nomem: 4997 return SCTP_DISPOSITION_NOMEM; 4998 } 4999 5000 /* 5001 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5002 * 5003 * From Section 9.2: 5004 * 5005 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5006 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5007 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5008 * endpoint must re-send the SHUTDOWN ACK. 5009 * 5010 * The return value is the disposition. 5011 */ 5012 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 5013 const struct sctp_endpoint *ep, 5014 const struct sctp_association *asoc, 5015 const sctp_subtype_t type, 5016 void *arg, 5017 sctp_cmd_seq_t *commands) 5018 { 5019 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 5020 struct sctp_chunk *reply; 5021 5022 /* There are 2 ways of getting here: 5023 * 1) called in response to a SHUTDOWN chunk 5024 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5025 * 5026 * For the case (2), the arg parameter is set to NULL. We need 5027 * to check that we have a chunk before accessing it's fields. 5028 */ 5029 if (chunk) { 5030 if (!sctp_vtag_verify(chunk, asoc)) 5031 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 5032 5033 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5034 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 5035 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 5036 commands); 5037 } 5038 5039 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5040 * shall send a SHUTDOWN ACK ... 5041 */ 5042 reply = sctp_make_shutdown_ack(asoc, chunk); 5043 if (!reply) 5044 goto nomem; 5045 5046 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5047 * the T2-shutdown timer. 5048 */ 5049 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5050 5051 /* and start/restart a T2-shutdown timer of its own, */ 5052 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5053 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5054 5055 if (asoc->autoclose) 5056 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5057 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5058 5059 /* Enter the SHUTDOWN-ACK-SENT state. */ 5060 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5061 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5062 5063 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5064 * 5065 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5066 * or SHUTDOWN-ACK. 5067 */ 5068 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5069 5070 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5071 5072 return SCTP_DISPOSITION_CONSUME; 5073 5074 nomem: 5075 return SCTP_DISPOSITION_NOMEM; 5076 } 5077 5078 /* 5079 * Ignore the event defined as other 5080 * 5081 * The return value is the disposition of the event. 5082 */ 5083 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 5084 const struct sctp_association *asoc, 5085 const sctp_subtype_t type, 5086 void *arg, 5087 sctp_cmd_seq_t *commands) 5088 { 5089 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 5090 return SCTP_DISPOSITION_DISCARD; 5091 } 5092 5093 /************************************************************ 5094 * These are the state functions for handling timeout events. 5095 ************************************************************/ 5096 5097 /* 5098 * RTX Timeout 5099 * 5100 * Section: 6.3.3 Handle T3-rtx Expiration 5101 * 5102 * Whenever the retransmission timer T3-rtx expires for a destination 5103 * address, do the following: 5104 * [See below] 5105 * 5106 * The return value is the disposition of the chunk. 5107 */ 5108 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 5109 const struct sctp_association *asoc, 5110 const sctp_subtype_t type, 5111 void *arg, 5112 sctp_cmd_seq_t *commands) 5113 { 5114 struct sctp_transport *transport = arg; 5115 5116 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 5117 5118 if (asoc->overall_error_count >= asoc->max_retrans) { 5119 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5120 SCTP_ERROR(ETIMEDOUT)); 5121 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5122 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5123 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5124 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5125 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5126 return SCTP_DISPOSITION_DELETE_TCB; 5127 } 5128 5129 /* E1) For the destination address for which the timer 5130 * expires, adjust its ssthresh with rules defined in Section 5131 * 7.2.3 and set the cwnd <- MTU. 5132 */ 5133 5134 /* E2) For the destination address for which the timer 5135 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5136 * maximum value discussed in rule C7 above (RTO.max) may be 5137 * used to provide an upper bound to this doubling operation. 5138 */ 5139 5140 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5141 * outstanding DATA chunks for the address for which the 5142 * T3-rtx has expired will fit into a single packet, subject 5143 * to the MTU constraint for the path corresponding to the 5144 * destination transport address to which the retransmission 5145 * is being sent (this may be different from the address for 5146 * which the timer expires [see Section 6.4]). Call this 5147 * value K. Bundle and retransmit those K DATA chunks in a 5148 * single packet to the destination endpoint. 5149 * 5150 * Note: Any DATA chunks that were sent to the address for 5151 * which the T3-rtx timer expired but did not fit in one MTU 5152 * (rule E3 above), should be marked for retransmission and 5153 * sent as soon as cwnd allows (normally when a SACK arrives). 5154 */ 5155 5156 /* Do some failure management (Section 8.2). */ 5157 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5158 5159 /* NB: Rules E4 and F1 are implicit in R1. */ 5160 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5161 5162 return SCTP_DISPOSITION_CONSUME; 5163 } 5164 5165 /* 5166 * Generate delayed SACK on timeout 5167 * 5168 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5169 * 5170 * The guidelines on delayed acknowledgement algorithm specified in 5171 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5172 * acknowledgement SHOULD be generated for at least every second packet 5173 * (not every second DATA chunk) received, and SHOULD be generated 5174 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5175 * some situations it may be beneficial for an SCTP transmitter to be 5176 * more conservative than the algorithms detailed in this document 5177 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5178 * the following algorithms allow. 5179 */ 5180 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 5181 const struct sctp_association *asoc, 5182 const sctp_subtype_t type, 5183 void *arg, 5184 sctp_cmd_seq_t *commands) 5185 { 5186 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 5187 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5188 return SCTP_DISPOSITION_CONSUME; 5189 } 5190 5191 /* 5192 * sctp_sf_t1_init_timer_expire 5193 * 5194 * Section: 4 Note: 2 5195 * Verification Tag: 5196 * Inputs 5197 * (endpoint, asoc) 5198 * 5199 * RFC 2960 Section 4 Notes 5200 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5201 * and re-start the T1-init timer without changing state. This MUST 5202 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5203 * endpoint MUST abort the initialization process and report the 5204 * error to SCTP user. 5205 * 5206 * Outputs 5207 * (timers, events) 5208 * 5209 */ 5210 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 5211 const struct sctp_association *asoc, 5212 const sctp_subtype_t type, 5213 void *arg, 5214 sctp_cmd_seq_t *commands) 5215 { 5216 struct sctp_chunk *repl = NULL; 5217 struct sctp_bind_addr *bp; 5218 int attempts = asoc->init_err_counter + 1; 5219 5220 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 5221 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 5222 5223 if (attempts <= asoc->max_init_attempts) { 5224 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5225 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5226 if (!repl) 5227 return SCTP_DISPOSITION_NOMEM; 5228 5229 /* Choose transport for INIT. */ 5230 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5231 SCTP_CHUNK(repl)); 5232 5233 /* Issue a sideeffect to do the needed accounting. */ 5234 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5235 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5236 5237 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5238 } else { 5239 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 5240 " max_init_attempts: %d\n", 5241 attempts, asoc->max_init_attempts); 5242 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5243 SCTP_ERROR(ETIMEDOUT)); 5244 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5245 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5246 return SCTP_DISPOSITION_DELETE_TCB; 5247 } 5248 5249 return SCTP_DISPOSITION_CONSUME; 5250 } 5251 5252 /* 5253 * sctp_sf_t1_cookie_timer_expire 5254 * 5255 * Section: 4 Note: 2 5256 * Verification Tag: 5257 * Inputs 5258 * (endpoint, asoc) 5259 * 5260 * RFC 2960 Section 4 Notes 5261 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5262 * COOKIE ECHO and re-start the T1-cookie timer without changing 5263 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5264 * After that, the endpoint MUST abort the initialization process and 5265 * report the error to SCTP user. 5266 * 5267 * Outputs 5268 * (timers, events) 5269 * 5270 */ 5271 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 5272 const struct sctp_association *asoc, 5273 const sctp_subtype_t type, 5274 void *arg, 5275 sctp_cmd_seq_t *commands) 5276 { 5277 struct sctp_chunk *repl = NULL; 5278 int attempts = asoc->init_err_counter + 1; 5279 5280 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 5281 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 5282 5283 if (attempts <= asoc->max_init_attempts) { 5284 repl = sctp_make_cookie_echo(asoc, NULL); 5285 if (!repl) 5286 return SCTP_DISPOSITION_NOMEM; 5287 5288 /* Issue a sideeffect to do the needed accounting. */ 5289 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5290 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5291 5292 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5293 } else { 5294 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5295 SCTP_ERROR(ETIMEDOUT)); 5296 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5297 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5298 return SCTP_DISPOSITION_DELETE_TCB; 5299 } 5300 5301 return SCTP_DISPOSITION_CONSUME; 5302 } 5303 5304 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5305 * with the updated last sequential TSN received from its peer. 5306 * 5307 * An endpoint should limit the number of retransmissions of the 5308 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5309 * If this threshold is exceeded the endpoint should destroy the TCB and 5310 * MUST report the peer endpoint unreachable to the upper layer (and 5311 * thus the association enters the CLOSED state). The reception of any 5312 * packet from its peer (i.e. as the peer sends all of its queued DATA 5313 * chunks) should clear the endpoint's retransmission count and restart 5314 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5315 * all of its queued DATA chunks that have not yet been sent. 5316 */ 5317 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 5318 const struct sctp_association *asoc, 5319 const sctp_subtype_t type, 5320 void *arg, 5321 sctp_cmd_seq_t *commands) 5322 { 5323 struct sctp_chunk *reply = NULL; 5324 5325 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 5326 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5327 5328 ((struct sctp_association *)asoc)->shutdown_retries++; 5329 5330 if (asoc->overall_error_count >= asoc->max_retrans) { 5331 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5332 SCTP_ERROR(ETIMEDOUT)); 5333 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5334 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5335 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5336 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5337 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5338 return SCTP_DISPOSITION_DELETE_TCB; 5339 } 5340 5341 switch (asoc->state) { 5342 case SCTP_STATE_SHUTDOWN_SENT: 5343 reply = sctp_make_shutdown(asoc, NULL); 5344 break; 5345 5346 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5347 reply = sctp_make_shutdown_ack(asoc, NULL); 5348 break; 5349 5350 default: 5351 BUG(); 5352 break; 5353 } 5354 5355 if (!reply) 5356 goto nomem; 5357 5358 /* Do some failure management (Section 8.2). */ 5359 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5360 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5361 5362 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5363 * the T2-shutdown timer. 5364 */ 5365 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5366 5367 /* Restart the T2-shutdown timer. */ 5368 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5369 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5370 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5371 return SCTP_DISPOSITION_CONSUME; 5372 5373 nomem: 5374 return SCTP_DISPOSITION_NOMEM; 5375 } 5376 5377 /* 5378 * ADDIP Section 4.1 ASCONF CHunk Procedures 5379 * If the T4 RTO timer expires the endpoint should do B1 to B5 5380 */ 5381 sctp_disposition_t sctp_sf_t4_timer_expire( 5382 const struct sctp_endpoint *ep, 5383 const struct sctp_association *asoc, 5384 const sctp_subtype_t type, 5385 void *arg, 5386 sctp_cmd_seq_t *commands) 5387 { 5388 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5389 struct sctp_transport *transport = chunk->transport; 5390 5391 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 5392 5393 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5394 * detection on the appropriate destination address as defined in 5395 * RFC2960 [5] section 8.1 and 8.2. 5396 */ 5397 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5398 5399 /* Reconfig T4 timer and transport. */ 5400 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5401 5402 /* ADDIP 4.1 B2) Increment the association error counters and perform 5403 * endpoint failure detection on the association as defined in 5404 * RFC2960 [5] section 8.1 and 8.2. 5405 * association error counter is incremented in SCTP_CMD_STRIKE. 5406 */ 5407 if (asoc->overall_error_count >= asoc->max_retrans) { 5408 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5409 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5410 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5411 SCTP_ERROR(ETIMEDOUT)); 5412 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5413 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5414 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5415 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 5416 return SCTP_DISPOSITION_ABORT; 5417 } 5418 5419 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5420 * the ASCONF chunk was sent by doubling the RTO timer value. 5421 * This is done in SCTP_CMD_STRIKE. 5422 */ 5423 5424 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5425 * choose an alternate destination address (please refer to RFC2960 5426 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5427 * chunk, it MUST be the same (including its serial number) as the last 5428 * ASCONF sent. 5429 */ 5430 sctp_chunk_hold(asoc->addip_last_asconf); 5431 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5432 SCTP_CHUNK(asoc->addip_last_asconf)); 5433 5434 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5435 * destination is selected, then the RTO used will be that of the new 5436 * destination address. 5437 */ 5438 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5439 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5440 5441 return SCTP_DISPOSITION_CONSUME; 5442 } 5443 5444 /* sctpimpguide-05 Section 2.12.2 5445 * The sender of the SHUTDOWN MAY also start an overall guard timer 5446 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5447 * At the expiration of this timer the sender SHOULD abort the association 5448 * by sending an ABORT chunk. 5449 */ 5450 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 5451 const struct sctp_association *asoc, 5452 const sctp_subtype_t type, 5453 void *arg, 5454 sctp_cmd_seq_t *commands) 5455 { 5456 struct sctp_chunk *reply = NULL; 5457 5458 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 5459 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5460 5461 reply = sctp_make_abort(asoc, NULL, 0); 5462 if (!reply) 5463 goto nomem; 5464 5465 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5466 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5467 SCTP_ERROR(ETIMEDOUT)); 5468 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5469 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5470 5471 return SCTP_DISPOSITION_DELETE_TCB; 5472 nomem: 5473 return SCTP_DISPOSITION_NOMEM; 5474 } 5475 5476 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5477 * the association is automatically closed by starting the shutdown process. 5478 * The work that needs to be done is same as when SHUTDOWN is initiated by 5479 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5480 */ 5481 sctp_disposition_t sctp_sf_autoclose_timer_expire( 5482 const struct sctp_endpoint *ep, 5483 const struct sctp_association *asoc, 5484 const sctp_subtype_t type, 5485 void *arg, 5486 sctp_cmd_seq_t *commands) 5487 { 5488 int disposition; 5489 5490 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 5491 5492 /* From 9.2 Shutdown of an Association 5493 * Upon receipt of the SHUTDOWN primitive from its upper 5494 * layer, the endpoint enters SHUTDOWN-PENDING state and 5495 * remains there until all outstanding data has been 5496 * acknowledged by its peer. The endpoint accepts no new data 5497 * from its upper layer, but retransmits data to the far end 5498 * if necessary to fill gaps. 5499 */ 5500 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5501 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5502 5503 /* sctpimpguide-05 Section 2.12.2 5504 * The sender of the SHUTDOWN MAY also start an overall guard timer 5505 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5506 */ 5507 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5508 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5509 disposition = SCTP_DISPOSITION_CONSUME; 5510 if (sctp_outq_is_empty(&asoc->outqueue)) { 5511 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 5512 arg, commands); 5513 } 5514 return disposition; 5515 } 5516 5517 /***************************************************************************** 5518 * These are sa state functions which could apply to all types of events. 5519 ****************************************************************************/ 5520 5521 /* 5522 * This table entry is not implemented. 5523 * 5524 * Inputs 5525 * (endpoint, asoc, chunk) 5526 * 5527 * The return value is the disposition of the chunk. 5528 */ 5529 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 5530 const struct sctp_association *asoc, 5531 const sctp_subtype_t type, 5532 void *arg, 5533 sctp_cmd_seq_t *commands) 5534 { 5535 return SCTP_DISPOSITION_NOT_IMPL; 5536 } 5537 5538 /* 5539 * This table entry represents a bug. 5540 * 5541 * Inputs 5542 * (endpoint, asoc, chunk) 5543 * 5544 * The return value is the disposition of the chunk. 5545 */ 5546 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 5547 const struct sctp_association *asoc, 5548 const sctp_subtype_t type, 5549 void *arg, 5550 sctp_cmd_seq_t *commands) 5551 { 5552 return SCTP_DISPOSITION_BUG; 5553 } 5554 5555 /* 5556 * This table entry represents the firing of a timer in the wrong state. 5557 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5558 * when the association is in the wrong state. This event should 5559 * be ignored, so as to prevent any rearming of the timer. 5560 * 5561 * Inputs 5562 * (endpoint, asoc, chunk) 5563 * 5564 * The return value is the disposition of the chunk. 5565 */ 5566 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 5567 const struct sctp_association *asoc, 5568 const sctp_subtype_t type, 5569 void *arg, 5570 sctp_cmd_seq_t *commands) 5571 { 5572 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5573 return SCTP_DISPOSITION_CONSUME; 5574 } 5575 5576 /******************************************************************** 5577 * 2nd Level Abstractions 5578 ********************************************************************/ 5579 5580 /* Pull the SACK chunk based on the SACK header. */ 5581 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5582 { 5583 struct sctp_sackhdr *sack; 5584 unsigned int len; 5585 __u16 num_blocks; 5586 __u16 num_dup_tsns; 5587 5588 /* Protect ourselves from reading too far into 5589 * the skb from a bogus sender. 5590 */ 5591 sack = (struct sctp_sackhdr *) chunk->skb->data; 5592 5593 num_blocks = ntohs(sack->num_gap_ack_blocks); 5594 num_dup_tsns = ntohs(sack->num_dup_tsns); 5595 len = sizeof(struct sctp_sackhdr); 5596 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5597 if (len > chunk->skb->len) 5598 return NULL; 5599 5600 skb_pull(chunk->skb, len); 5601 5602 return sack; 5603 } 5604 5605 /* Create an ABORT packet to be sent as a response, with the specified 5606 * error causes. 5607 */ 5608 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5609 const struct sctp_association *asoc, 5610 struct sctp_chunk *chunk, 5611 const void *payload, 5612 size_t paylen) 5613 { 5614 struct sctp_packet *packet; 5615 struct sctp_chunk *abort; 5616 5617 packet = sctp_ootb_pkt_new(asoc, chunk); 5618 5619 if (packet) { 5620 /* Make an ABORT. 5621 * The T bit will be set if the asoc is NULL. 5622 */ 5623 abort = sctp_make_abort(asoc, chunk, paylen); 5624 if (!abort) { 5625 sctp_ootb_pkt_free(packet); 5626 return NULL; 5627 } 5628 5629 /* Reflect vtag if T-Bit is set */ 5630 if (sctp_test_T_bit(abort)) 5631 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5632 5633 /* Add specified error causes, i.e., payload, to the 5634 * end of the chunk. 5635 */ 5636 sctp_addto_chunk(abort, paylen, payload); 5637 5638 /* Set the skb to the belonging sock for accounting. */ 5639 abort->skb->sk = ep->base.sk; 5640 5641 sctp_packet_append_chunk(packet, abort); 5642 5643 } 5644 5645 return packet; 5646 } 5647 5648 /* Allocate a packet for responding in the OOTB conditions. */ 5649 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5650 const struct sctp_chunk *chunk) 5651 { 5652 struct sctp_packet *packet; 5653 struct sctp_transport *transport; 5654 __u16 sport; 5655 __u16 dport; 5656 __u32 vtag; 5657 5658 /* Get the source and destination port from the inbound packet. */ 5659 sport = ntohs(chunk->sctp_hdr->dest); 5660 dport = ntohs(chunk->sctp_hdr->source); 5661 5662 /* The V-tag is going to be the same as the inbound packet if no 5663 * association exists, otherwise, use the peer's vtag. 5664 */ 5665 if (asoc) { 5666 /* Special case the INIT-ACK as there is no peer's vtag 5667 * yet. 5668 */ 5669 switch(chunk->chunk_hdr->type) { 5670 case SCTP_CID_INIT_ACK: 5671 { 5672 sctp_initack_chunk_t *initack; 5673 5674 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; 5675 vtag = ntohl(initack->init_hdr.init_tag); 5676 break; 5677 } 5678 default: 5679 vtag = asoc->peer.i.init_tag; 5680 break; 5681 } 5682 } else { 5683 /* Special case the INIT and stale COOKIE_ECHO as there is no 5684 * vtag yet. 5685 */ 5686 switch(chunk->chunk_hdr->type) { 5687 case SCTP_CID_INIT: 5688 { 5689 sctp_init_chunk_t *init; 5690 5691 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5692 vtag = ntohl(init->init_hdr.init_tag); 5693 break; 5694 } 5695 default: 5696 vtag = ntohl(chunk->sctp_hdr->vtag); 5697 break; 5698 } 5699 } 5700 5701 /* Make a transport for the bucket, Eliza... */ 5702 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5703 if (!transport) 5704 goto nomem; 5705 5706 /* Cache a route for the transport with the chunk's destination as 5707 * the source address. 5708 */ 5709 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5710 sctp_sk(sctp_get_ctl_sock())); 5711 5712 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5713 packet = sctp_packet_config(packet, vtag, 0); 5714 5715 return packet; 5716 5717 nomem: 5718 return NULL; 5719 } 5720 5721 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5722 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5723 { 5724 sctp_transport_free(packet->transport); 5725 } 5726 5727 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5728 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5729 const struct sctp_association *asoc, 5730 const struct sctp_chunk *chunk, 5731 sctp_cmd_seq_t *commands, 5732 struct sctp_chunk *err_chunk) 5733 { 5734 struct sctp_packet *packet; 5735 5736 if (err_chunk) { 5737 packet = sctp_ootb_pkt_new(asoc, chunk); 5738 if (packet) { 5739 struct sctp_signed_cookie *cookie; 5740 5741 /* Override the OOTB vtag from the cookie. */ 5742 cookie = chunk->subh.cookie_hdr; 5743 packet->vtag = cookie->c.peer_vtag; 5744 5745 /* Set the skb to the belonging sock for accounting. */ 5746 err_chunk->skb->sk = ep->base.sk; 5747 sctp_packet_append_chunk(packet, err_chunk); 5748 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5749 SCTP_PACKET(packet)); 5750 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5751 } else 5752 sctp_chunk_free (err_chunk); 5753 } 5754 } 5755 5756 5757 /* Process a data chunk */ 5758 static int sctp_eat_data(const struct sctp_association *asoc, 5759 struct sctp_chunk *chunk, 5760 sctp_cmd_seq_t *commands) 5761 { 5762 sctp_datahdr_t *data_hdr; 5763 struct sctp_chunk *err; 5764 size_t datalen; 5765 sctp_verb_t deliver; 5766 int tmp; 5767 __u32 tsn; 5768 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5769 struct sock *sk = asoc->base.sk; 5770 5771 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5772 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5773 5774 tsn = ntohl(data_hdr->tsn); 5775 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5776 5777 /* ASSERT: Now skb->data is really the user data. */ 5778 5779 /* Process ECN based congestion. 5780 * 5781 * Since the chunk structure is reused for all chunks within 5782 * a packet, we use ecn_ce_done to track if we've already 5783 * done CE processing for this packet. 5784 * 5785 * We need to do ECN processing even if we plan to discard the 5786 * chunk later. 5787 */ 5788 5789 if (!chunk->ecn_ce_done) { 5790 struct sctp_af *af; 5791 chunk->ecn_ce_done = 1; 5792 5793 af = sctp_get_af_specific( 5794 ipver2af(ip_hdr(chunk->skb)->version)); 5795 5796 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5797 /* Do real work as sideffect. */ 5798 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5799 SCTP_U32(tsn)); 5800 } 5801 } 5802 5803 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5804 if (tmp < 0) { 5805 /* The TSN is too high--silently discard the chunk and 5806 * count on it getting retransmitted later. 5807 */ 5808 return SCTP_IERROR_HIGH_TSN; 5809 } else if (tmp > 0) { 5810 /* This is a duplicate. Record it. */ 5811 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5812 return SCTP_IERROR_DUP_TSN; 5813 } 5814 5815 /* This is a new TSN. */ 5816 5817 /* Discard if there is no room in the receive window. 5818 * Actually, allow a little bit of overflow (up to a MTU). 5819 */ 5820 datalen = ntohs(chunk->chunk_hdr->length); 5821 datalen -= sizeof(sctp_data_chunk_t); 5822 5823 deliver = SCTP_CMD_CHUNK_ULP; 5824 5825 /* Think about partial delivery. */ 5826 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5827 5828 /* Even if we don't accept this chunk there is 5829 * memory pressure. 5830 */ 5831 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5832 } 5833 5834 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5835 * seems a bit troublesome in that frag_point varies based on 5836 * PMTU. In cases, such as loopback, this might be a rather 5837 * large spill over. 5838 */ 5839 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 5840 (datalen > asoc->rwnd + asoc->frag_point))) { 5841 5842 /* If this is the next TSN, consider reneging to make 5843 * room. Note: Playing nice with a confused sender. A 5844 * malicious sender can still eat up all our buffer 5845 * space and in the future we may want to detect and 5846 * do more drastic reneging. 5847 */ 5848 if (sctp_tsnmap_has_gap(map) && 5849 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5850 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5851 deliver = SCTP_CMD_RENEGE; 5852 } else { 5853 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5854 "rwnd: %d\n", tsn, datalen, 5855 asoc->rwnd); 5856 return SCTP_IERROR_IGNORE_TSN; 5857 } 5858 } 5859 5860 /* 5861 * Also try to renege to limit our memory usage in the event that 5862 * we are under memory pressure 5863 * If we can't renege, don't worry about it, the sk_rmem_schedule 5864 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 5865 * memory usage too much 5866 */ 5867 if (*sk->sk_prot_creator->memory_pressure) { 5868 if (sctp_tsnmap_has_gap(map) && 5869 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5870 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn); 5871 deliver = SCTP_CMD_RENEGE; 5872 } 5873 } 5874 5875 /* 5876 * Section 3.3.10.9 No User Data (9) 5877 * 5878 * Cause of error 5879 * --------------- 5880 * No User Data: This error cause is returned to the originator of a 5881 * DATA chunk if a received DATA chunk has no user data. 5882 */ 5883 if (unlikely(0 == datalen)) { 5884 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5885 if (err) { 5886 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5887 SCTP_CHUNK(err)); 5888 } 5889 /* We are going to ABORT, so we might as well stop 5890 * processing the rest of the chunks in the packet. 5891 */ 5892 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5893 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5894 SCTP_ERROR(ECONNABORTED)); 5895 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5896 SCTP_PERR(SCTP_ERROR_NO_DATA)); 5897 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5898 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5899 return SCTP_IERROR_NO_DATA; 5900 } 5901 5902 /* If definately accepting the DATA chunk, record its TSN, otherwise 5903 * wait for renege processing. 5904 */ 5905 if (SCTP_CMD_CHUNK_ULP == deliver) 5906 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5907 5908 chunk->data_accepted = 1; 5909 5910 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5911 * if we renege and the chunk arrives again. 5912 */ 5913 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5914 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5915 else 5916 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5917 5918 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5919 * 5920 * If an endpoint receive a DATA chunk with an invalid stream 5921 * identifier, it shall acknowledge the reception of the DATA chunk 5922 * following the normal procedure, immediately send an ERROR chunk 5923 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5924 * and discard the DATA chunk. 5925 */ 5926 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5927 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5928 &data_hdr->stream, 5929 sizeof(data_hdr->stream)); 5930 if (err) 5931 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5932 SCTP_CHUNK(err)); 5933 return SCTP_IERROR_BAD_STREAM; 5934 } 5935 5936 /* Send the data up to the user. Note: Schedule the 5937 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5938 * chunk needs the updated rwnd. 5939 */ 5940 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5941 5942 return SCTP_IERROR_NO_ERROR; 5943 } 5944