1 /* SCTP kernel implementation 2 * Copyright (c) 1999-2000 Cisco, Inc. 3 * Copyright (c) 1999-2001 Motorola, Inc. 4 * Copyright (c) 2001-2003 International Business Machines, Corp. 5 * Copyright (c) 2001 Intel Corp. 6 * Copyright (c) 2001 Nokia, Inc. 7 * Copyright (c) 2001 La Monte H.P. Yarroll 8 * 9 * This file is part of the SCTP kernel implementation 10 * 11 * These functions handle all input from the IP layer into SCTP. 12 * 13 * This SCTP implementation is free software; 14 * you can redistribute it and/or modify it under the terms of 15 * the GNU General Public License as published by 16 * the Free Software Foundation; either version 2, or (at your option) 17 * any later version. 18 * 19 * This SCTP implementation is distributed in the hope that it 20 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 21 * ************************ 22 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 23 * See the GNU General Public License for more details. 24 * 25 * You should have received a copy of the GNU General Public License 26 * along with GNU CC; see the file COPYING. If not, write to 27 * the Free Software Foundation, 59 Temple Place - Suite 330, 28 * Boston, MA 02111-1307, USA. 29 * 30 * Please send any bug reports or fixes you make to the 31 * email address(es): 32 * lksctp developers <lksctp-developers@lists.sourceforge.net> 33 * 34 * Or submit a bug report through the following website: 35 * http://www.sf.net/projects/lksctp 36 * 37 * Written or modified by: 38 * La Monte H.P. Yarroll <piggy@acm.org> 39 * Karl Knutson <karl@athena.chicago.il.us> 40 * Xingang Guo <xingang.guo@intel.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Daisy Chang <daisyc@us.ibm.com> 44 * Sridhar Samudrala <sri@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * 47 * Any bugs reported given to us we will try to fix... any fixes shared will 48 * be incorporated into the next SCTP release. 49 */ 50 51 #include <linux/types.h> 52 #include <linux/list.h> /* For struct list_head */ 53 #include <linux/socket.h> 54 #include <linux/ip.h> 55 #include <linux/time.h> /* For struct timeval */ 56 #include <linux/slab.h> 57 #include <net/ip.h> 58 #include <net/icmp.h> 59 #include <net/snmp.h> 60 #include <net/sock.h> 61 #include <net/xfrm.h> 62 #include <net/sctp/sctp.h> 63 #include <net/sctp/sm.h> 64 #include <net/sctp/checksum.h> 65 #include <net/net_namespace.h> 66 67 /* Forward declarations for internal helpers. */ 68 static int sctp_rcv_ootb(struct sk_buff *); 69 static struct sctp_association *__sctp_rcv_lookup(struct sk_buff *skb, 70 const union sctp_addr *laddr, 71 const union sctp_addr *paddr, 72 struct sctp_transport **transportp); 73 static struct sctp_endpoint *__sctp_rcv_lookup_endpoint(const union sctp_addr *laddr); 74 static struct sctp_association *__sctp_lookup_association( 75 const union sctp_addr *local, 76 const union sctp_addr *peer, 77 struct sctp_transport **pt); 78 79 static int sctp_add_backlog(struct sock *sk, struct sk_buff *skb); 80 81 82 /* Calculate the SCTP checksum of an SCTP packet. */ 83 static inline int sctp_rcv_checksum(struct sk_buff *skb) 84 { 85 struct sctphdr *sh = sctp_hdr(skb); 86 __le32 cmp = sh->checksum; 87 struct sk_buff *list; 88 __le32 val; 89 __u32 tmp = sctp_start_cksum((__u8 *)sh, skb_headlen(skb)); 90 91 skb_walk_frags(skb, list) 92 tmp = sctp_update_cksum((__u8 *)list->data, skb_headlen(list), 93 tmp); 94 95 val = sctp_end_cksum(tmp); 96 97 if (val != cmp) { 98 /* CRC failure, dump it. */ 99 SCTP_INC_STATS_BH(SCTP_MIB_CHECKSUMERRORS); 100 return -1; 101 } 102 return 0; 103 } 104 105 struct sctp_input_cb { 106 union { 107 struct inet_skb_parm h4; 108 #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) 109 struct inet6_skb_parm h6; 110 #endif 111 } header; 112 struct sctp_chunk *chunk; 113 }; 114 #define SCTP_INPUT_CB(__skb) ((struct sctp_input_cb *)&((__skb)->cb[0])) 115 116 /* 117 * This is the routine which IP calls when receiving an SCTP packet. 118 */ 119 int sctp_rcv(struct sk_buff *skb) 120 { 121 struct sock *sk; 122 struct sctp_association *asoc; 123 struct sctp_endpoint *ep = NULL; 124 struct sctp_ep_common *rcvr; 125 struct sctp_transport *transport = NULL; 126 struct sctp_chunk *chunk; 127 struct sctphdr *sh; 128 union sctp_addr src; 129 union sctp_addr dest; 130 int family; 131 struct sctp_af *af; 132 133 if (skb->pkt_type!=PACKET_HOST) 134 goto discard_it; 135 136 SCTP_INC_STATS_BH(SCTP_MIB_INSCTPPACKS); 137 138 if (skb_linearize(skb)) 139 goto discard_it; 140 141 sh = sctp_hdr(skb); 142 143 /* Pull up the IP and SCTP headers. */ 144 __skb_pull(skb, skb_transport_offset(skb)); 145 if (skb->len < sizeof(struct sctphdr)) 146 goto discard_it; 147 if (!sctp_checksum_disable && !skb_csum_unnecessary(skb) && 148 sctp_rcv_checksum(skb) < 0) 149 goto discard_it; 150 151 skb_pull(skb, sizeof(struct sctphdr)); 152 153 /* Make sure we at least have chunk headers worth of data left. */ 154 if (skb->len < sizeof(struct sctp_chunkhdr)) 155 goto discard_it; 156 157 family = ipver2af(ip_hdr(skb)->version); 158 af = sctp_get_af_specific(family); 159 if (unlikely(!af)) 160 goto discard_it; 161 162 /* Initialize local addresses for lookups. */ 163 af->from_skb(&src, skb, 1); 164 af->from_skb(&dest, skb, 0); 165 166 /* If the packet is to or from a non-unicast address, 167 * silently discard the packet. 168 * 169 * This is not clearly defined in the RFC except in section 170 * 8.4 - OOTB handling. However, based on the book "Stream Control 171 * Transmission Protocol" 2.1, "It is important to note that the 172 * IP address of an SCTP transport address must be a routable 173 * unicast address. In other words, IP multicast addresses and 174 * IP broadcast addresses cannot be used in an SCTP transport 175 * address." 176 */ 177 if (!af->addr_valid(&src, NULL, skb) || 178 !af->addr_valid(&dest, NULL, skb)) 179 goto discard_it; 180 181 asoc = __sctp_rcv_lookup(skb, &src, &dest, &transport); 182 183 if (!asoc) 184 ep = __sctp_rcv_lookup_endpoint(&dest); 185 186 /* Retrieve the common input handling substructure. */ 187 rcvr = asoc ? &asoc->base : &ep->base; 188 sk = rcvr->sk; 189 190 /* 191 * If a frame arrives on an interface and the receiving socket is 192 * bound to another interface, via SO_BINDTODEVICE, treat it as OOTB 193 */ 194 if (sk->sk_bound_dev_if && (sk->sk_bound_dev_if != af->skb_iif(skb))) 195 { 196 if (asoc) { 197 sctp_association_put(asoc); 198 asoc = NULL; 199 } else { 200 sctp_endpoint_put(ep); 201 ep = NULL; 202 } 203 sk = sctp_get_ctl_sock(); 204 ep = sctp_sk(sk)->ep; 205 sctp_endpoint_hold(ep); 206 rcvr = &ep->base; 207 } 208 209 /* 210 * RFC 2960, 8.4 - Handle "Out of the blue" Packets. 211 * An SCTP packet is called an "out of the blue" (OOTB) 212 * packet if it is correctly formed, i.e., passed the 213 * receiver's checksum check, but the receiver is not 214 * able to identify the association to which this 215 * packet belongs. 216 */ 217 if (!asoc) { 218 if (sctp_rcv_ootb(skb)) { 219 SCTP_INC_STATS_BH(SCTP_MIB_OUTOFBLUES); 220 goto discard_release; 221 } 222 } 223 224 if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb, family)) 225 goto discard_release; 226 nf_reset(skb); 227 228 if (sk_filter(sk, skb)) 229 goto discard_release; 230 231 /* Create an SCTP packet structure. */ 232 chunk = sctp_chunkify(skb, asoc, sk); 233 if (!chunk) 234 goto discard_release; 235 SCTP_INPUT_CB(skb)->chunk = chunk; 236 237 /* Remember what endpoint is to handle this packet. */ 238 chunk->rcvr = rcvr; 239 240 /* Remember the SCTP header. */ 241 chunk->sctp_hdr = sh; 242 243 /* Set the source and destination addresses of the incoming chunk. */ 244 sctp_init_addrs(chunk, &src, &dest); 245 246 /* Remember where we came from. */ 247 chunk->transport = transport; 248 249 /* Acquire access to the sock lock. Note: We are safe from other 250 * bottom halves on this lock, but a user may be in the lock too, 251 * so check if it is busy. 252 */ 253 sctp_bh_lock_sock(sk); 254 255 if (sk != rcvr->sk) { 256 /* Our cached sk is different from the rcvr->sk. This is 257 * because migrate()/accept() may have moved the association 258 * to a new socket and released all the sockets. So now we 259 * are holding a lock on the old socket while the user may 260 * be doing something with the new socket. Switch our veiw 261 * of the current sk. 262 */ 263 sctp_bh_unlock_sock(sk); 264 sk = rcvr->sk; 265 sctp_bh_lock_sock(sk); 266 } 267 268 if (sock_owned_by_user(sk)) { 269 if (sctp_add_backlog(sk, skb)) { 270 sctp_bh_unlock_sock(sk); 271 sctp_chunk_free(chunk); 272 skb = NULL; /* sctp_chunk_free already freed the skb */ 273 goto discard_release; 274 } 275 SCTP_INC_STATS_BH(SCTP_MIB_IN_PKT_BACKLOG); 276 } else { 277 SCTP_INC_STATS_BH(SCTP_MIB_IN_PKT_SOFTIRQ); 278 sctp_inq_push(&chunk->rcvr->inqueue, chunk); 279 } 280 281 sctp_bh_unlock_sock(sk); 282 283 /* Release the asoc/ep ref we took in the lookup calls. */ 284 if (asoc) 285 sctp_association_put(asoc); 286 else 287 sctp_endpoint_put(ep); 288 289 return 0; 290 291 discard_it: 292 SCTP_INC_STATS_BH(SCTP_MIB_IN_PKT_DISCARDS); 293 kfree_skb(skb); 294 return 0; 295 296 discard_release: 297 /* Release the asoc/ep ref we took in the lookup calls. */ 298 if (asoc) 299 sctp_association_put(asoc); 300 else 301 sctp_endpoint_put(ep); 302 303 goto discard_it; 304 } 305 306 /* Process the backlog queue of the socket. Every skb on 307 * the backlog holds a ref on an association or endpoint. 308 * We hold this ref throughout the state machine to make 309 * sure that the structure we need is still around. 310 */ 311 int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb) 312 { 313 struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk; 314 struct sctp_inq *inqueue = &chunk->rcvr->inqueue; 315 struct sctp_ep_common *rcvr = NULL; 316 int backloged = 0; 317 318 rcvr = chunk->rcvr; 319 320 /* If the rcvr is dead then the association or endpoint 321 * has been deleted and we can safely drop the chunk 322 * and refs that we are holding. 323 */ 324 if (rcvr->dead) { 325 sctp_chunk_free(chunk); 326 goto done; 327 } 328 329 if (unlikely(rcvr->sk != sk)) { 330 /* In this case, the association moved from one socket to 331 * another. We are currently sitting on the backlog of the 332 * old socket, so we need to move. 333 * However, since we are here in the process context we 334 * need to take make sure that the user doesn't own 335 * the new socket when we process the packet. 336 * If the new socket is user-owned, queue the chunk to the 337 * backlog of the new socket without dropping any refs. 338 * Otherwise, we can safely push the chunk on the inqueue. 339 */ 340 341 sk = rcvr->sk; 342 sctp_bh_lock_sock(sk); 343 344 if (sock_owned_by_user(sk)) { 345 if (sk_add_backlog(sk, skb)) 346 sctp_chunk_free(chunk); 347 else 348 backloged = 1; 349 } else 350 sctp_inq_push(inqueue, chunk); 351 352 sctp_bh_unlock_sock(sk); 353 354 /* If the chunk was backloged again, don't drop refs */ 355 if (backloged) 356 return 0; 357 } else { 358 sctp_inq_push(inqueue, chunk); 359 } 360 361 done: 362 /* Release the refs we took in sctp_add_backlog */ 363 if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type) 364 sctp_association_put(sctp_assoc(rcvr)); 365 else if (SCTP_EP_TYPE_SOCKET == rcvr->type) 366 sctp_endpoint_put(sctp_ep(rcvr)); 367 else 368 BUG(); 369 370 return 0; 371 } 372 373 static int sctp_add_backlog(struct sock *sk, struct sk_buff *skb) 374 { 375 struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk; 376 struct sctp_ep_common *rcvr = chunk->rcvr; 377 int ret; 378 379 ret = sk_add_backlog(sk, skb); 380 if (!ret) { 381 /* Hold the assoc/ep while hanging on the backlog queue. 382 * This way, we know structures we need will not disappear 383 * from us 384 */ 385 if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type) 386 sctp_association_hold(sctp_assoc(rcvr)); 387 else if (SCTP_EP_TYPE_SOCKET == rcvr->type) 388 sctp_endpoint_hold(sctp_ep(rcvr)); 389 else 390 BUG(); 391 } 392 return ret; 393 394 } 395 396 /* Handle icmp frag needed error. */ 397 void sctp_icmp_frag_needed(struct sock *sk, struct sctp_association *asoc, 398 struct sctp_transport *t, __u32 pmtu) 399 { 400 if (!t || (t->pathmtu <= pmtu)) 401 return; 402 403 if (sock_owned_by_user(sk)) { 404 asoc->pmtu_pending = 1; 405 t->pmtu_pending = 1; 406 return; 407 } 408 409 if (t->param_flags & SPP_PMTUD_ENABLE) { 410 /* Update transports view of the MTU */ 411 sctp_transport_update_pmtu(t, pmtu); 412 413 /* Update association pmtu. */ 414 sctp_assoc_sync_pmtu(asoc); 415 } 416 417 /* Retransmit with the new pmtu setting. 418 * Normally, if PMTU discovery is disabled, an ICMP Fragmentation 419 * Needed will never be sent, but if a message was sent before 420 * PMTU discovery was disabled that was larger than the PMTU, it 421 * would not be fragmented, so it must be re-transmitted fragmented. 422 */ 423 sctp_retransmit(&asoc->outqueue, t, SCTP_RTXR_PMTUD); 424 } 425 426 /* 427 * SCTP Implementer's Guide, 2.37 ICMP handling procedures 428 * 429 * ICMP8) If the ICMP code is a "Unrecognized next header type encountered" 430 * or a "Protocol Unreachable" treat this message as an abort 431 * with the T bit set. 432 * 433 * This function sends an event to the state machine, which will abort the 434 * association. 435 * 436 */ 437 void sctp_icmp_proto_unreachable(struct sock *sk, 438 struct sctp_association *asoc, 439 struct sctp_transport *t) 440 { 441 SCTP_DEBUG_PRINTK("%s\n", __func__); 442 443 sctp_do_sm(SCTP_EVENT_T_OTHER, 444 SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH), 445 asoc->state, asoc->ep, asoc, t, 446 GFP_ATOMIC); 447 448 } 449 450 /* Common lookup code for icmp/icmpv6 error handler. */ 451 struct sock *sctp_err_lookup(int family, struct sk_buff *skb, 452 struct sctphdr *sctphdr, 453 struct sctp_association **app, 454 struct sctp_transport **tpp) 455 { 456 union sctp_addr saddr; 457 union sctp_addr daddr; 458 struct sctp_af *af; 459 struct sock *sk = NULL; 460 struct sctp_association *asoc; 461 struct sctp_transport *transport = NULL; 462 struct sctp_init_chunk *chunkhdr; 463 __u32 vtag = ntohl(sctphdr->vtag); 464 int len = skb->len - ((void *)sctphdr - (void *)skb->data); 465 466 *app = NULL; *tpp = NULL; 467 468 af = sctp_get_af_specific(family); 469 if (unlikely(!af)) { 470 return NULL; 471 } 472 473 /* Initialize local addresses for lookups. */ 474 af->from_skb(&saddr, skb, 1); 475 af->from_skb(&daddr, skb, 0); 476 477 /* Look for an association that matches the incoming ICMP error 478 * packet. 479 */ 480 asoc = __sctp_lookup_association(&saddr, &daddr, &transport); 481 if (!asoc) 482 return NULL; 483 484 sk = asoc->base.sk; 485 486 /* RFC 4960, Appendix C. ICMP Handling 487 * 488 * ICMP6) An implementation MUST validate that the Verification Tag 489 * contained in the ICMP message matches the Verification Tag of 490 * the peer. If the Verification Tag is not 0 and does NOT 491 * match, discard the ICMP message. If it is 0 and the ICMP 492 * message contains enough bytes to verify that the chunk type is 493 * an INIT chunk and that the Initiate Tag matches the tag of the 494 * peer, continue with ICMP7. If the ICMP message is too short 495 * or the chunk type or the Initiate Tag does not match, silently 496 * discard the packet. 497 */ 498 if (vtag == 0) { 499 chunkhdr = (struct sctp_init_chunk *)((void *)sctphdr 500 + sizeof(struct sctphdr)); 501 if (len < sizeof(struct sctphdr) + sizeof(sctp_chunkhdr_t) 502 + sizeof(__be32) || 503 chunkhdr->chunk_hdr.type != SCTP_CID_INIT || 504 ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) { 505 goto out; 506 } 507 } else if (vtag != asoc->c.peer_vtag) { 508 goto out; 509 } 510 511 sctp_bh_lock_sock(sk); 512 513 /* If too many ICMPs get dropped on busy 514 * servers this needs to be solved differently. 515 */ 516 if (sock_owned_by_user(sk)) 517 NET_INC_STATS_BH(&init_net, LINUX_MIB_LOCKDROPPEDICMPS); 518 519 *app = asoc; 520 *tpp = transport; 521 return sk; 522 523 out: 524 if (asoc) 525 sctp_association_put(asoc); 526 return NULL; 527 } 528 529 /* Common cleanup code for icmp/icmpv6 error handler. */ 530 void sctp_err_finish(struct sock *sk, struct sctp_association *asoc) 531 { 532 sctp_bh_unlock_sock(sk); 533 if (asoc) 534 sctp_association_put(asoc); 535 } 536 537 /* 538 * This routine is called by the ICMP module when it gets some 539 * sort of error condition. If err < 0 then the socket should 540 * be closed and the error returned to the user. If err > 0 541 * it's just the icmp type << 8 | icmp code. After adjustment 542 * header points to the first 8 bytes of the sctp header. We need 543 * to find the appropriate port. 544 * 545 * The locking strategy used here is very "optimistic". When 546 * someone else accesses the socket the ICMP is just dropped 547 * and for some paths there is no check at all. 548 * A more general error queue to queue errors for later handling 549 * is probably better. 550 * 551 */ 552 void sctp_v4_err(struct sk_buff *skb, __u32 info) 553 { 554 struct iphdr *iph = (struct iphdr *)skb->data; 555 const int ihlen = iph->ihl * 4; 556 const int type = icmp_hdr(skb)->type; 557 const int code = icmp_hdr(skb)->code; 558 struct sock *sk; 559 struct sctp_association *asoc = NULL; 560 struct sctp_transport *transport; 561 struct inet_sock *inet; 562 sk_buff_data_t saveip, savesctp; 563 int err; 564 565 if (skb->len < ihlen + 8) { 566 ICMP_INC_STATS_BH(&init_net, ICMP_MIB_INERRORS); 567 return; 568 } 569 570 /* Fix up skb to look at the embedded net header. */ 571 saveip = skb->network_header; 572 savesctp = skb->transport_header; 573 skb_reset_network_header(skb); 574 skb_set_transport_header(skb, ihlen); 575 sk = sctp_err_lookup(AF_INET, skb, sctp_hdr(skb), &asoc, &transport); 576 /* Put back, the original values. */ 577 skb->network_header = saveip; 578 skb->transport_header = savesctp; 579 if (!sk) { 580 ICMP_INC_STATS_BH(&init_net, ICMP_MIB_INERRORS); 581 return; 582 } 583 /* Warning: The sock lock is held. Remember to call 584 * sctp_err_finish! 585 */ 586 587 switch (type) { 588 case ICMP_PARAMETERPROB: 589 err = EPROTO; 590 break; 591 case ICMP_DEST_UNREACH: 592 if (code > NR_ICMP_UNREACH) 593 goto out_unlock; 594 595 /* PMTU discovery (RFC1191) */ 596 if (ICMP_FRAG_NEEDED == code) { 597 sctp_icmp_frag_needed(sk, asoc, transport, info); 598 goto out_unlock; 599 } 600 else { 601 if (ICMP_PROT_UNREACH == code) { 602 sctp_icmp_proto_unreachable(sk, asoc, 603 transport); 604 goto out_unlock; 605 } 606 } 607 err = icmp_err_convert[code].errno; 608 break; 609 case ICMP_TIME_EXCEEDED: 610 /* Ignore any time exceeded errors due to fragment reassembly 611 * timeouts. 612 */ 613 if (ICMP_EXC_FRAGTIME == code) 614 goto out_unlock; 615 616 err = EHOSTUNREACH; 617 break; 618 default: 619 goto out_unlock; 620 } 621 622 inet = inet_sk(sk); 623 if (!sock_owned_by_user(sk) && inet->recverr) { 624 sk->sk_err = err; 625 sk->sk_error_report(sk); 626 } else { /* Only an error on timeout */ 627 sk->sk_err_soft = err; 628 } 629 630 out_unlock: 631 sctp_err_finish(sk, asoc); 632 } 633 634 /* 635 * RFC 2960, 8.4 - Handle "Out of the blue" Packets. 636 * 637 * This function scans all the chunks in the OOTB packet to determine if 638 * the packet should be discarded right away. If a response might be needed 639 * for this packet, or, if further processing is possible, the packet will 640 * be queued to a proper inqueue for the next phase of handling. 641 * 642 * Output: 643 * Return 0 - If further processing is needed. 644 * Return 1 - If the packet can be discarded right away. 645 */ 646 static int sctp_rcv_ootb(struct sk_buff *skb) 647 { 648 sctp_chunkhdr_t *ch; 649 __u8 *ch_end; 650 sctp_errhdr_t *err; 651 652 ch = (sctp_chunkhdr_t *) skb->data; 653 654 /* Scan through all the chunks in the packet. */ 655 do { 656 /* Break out if chunk length is less then minimal. */ 657 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 658 break; 659 660 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 661 if (ch_end > skb_tail_pointer(skb)) 662 break; 663 664 /* RFC 8.4, 2) If the OOTB packet contains an ABORT chunk, the 665 * receiver MUST silently discard the OOTB packet and take no 666 * further action. 667 */ 668 if (SCTP_CID_ABORT == ch->type) 669 goto discard; 670 671 /* RFC 8.4, 6) If the packet contains a SHUTDOWN COMPLETE 672 * chunk, the receiver should silently discard the packet 673 * and take no further action. 674 */ 675 if (SCTP_CID_SHUTDOWN_COMPLETE == ch->type) 676 goto discard; 677 678 /* RFC 4460, 2.11.2 679 * This will discard packets with INIT chunk bundled as 680 * subsequent chunks in the packet. When INIT is first, 681 * the normal INIT processing will discard the chunk. 682 */ 683 if (SCTP_CID_INIT == ch->type && (void *)ch != skb->data) 684 goto discard; 685 686 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 687 * or a COOKIE ACK the SCTP Packet should be silently 688 * discarded. 689 */ 690 if (SCTP_CID_COOKIE_ACK == ch->type) 691 goto discard; 692 693 if (SCTP_CID_ERROR == ch->type) { 694 sctp_walk_errors(err, ch) { 695 if (SCTP_ERROR_STALE_COOKIE == err->cause) 696 goto discard; 697 } 698 } 699 700 ch = (sctp_chunkhdr_t *) ch_end; 701 } while (ch_end < skb_tail_pointer(skb)); 702 703 return 0; 704 705 discard: 706 return 1; 707 } 708 709 /* Insert endpoint into the hash table. */ 710 static void __sctp_hash_endpoint(struct sctp_endpoint *ep) 711 { 712 struct sctp_ep_common *epb; 713 struct sctp_hashbucket *head; 714 715 epb = &ep->base; 716 717 epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); 718 head = &sctp_ep_hashtable[epb->hashent]; 719 720 sctp_write_lock(&head->lock); 721 hlist_add_head(&epb->node, &head->chain); 722 sctp_write_unlock(&head->lock); 723 } 724 725 /* Add an endpoint to the hash. Local BH-safe. */ 726 void sctp_hash_endpoint(struct sctp_endpoint *ep) 727 { 728 sctp_local_bh_disable(); 729 __sctp_hash_endpoint(ep); 730 sctp_local_bh_enable(); 731 } 732 733 /* Remove endpoint from the hash table. */ 734 static void __sctp_unhash_endpoint(struct sctp_endpoint *ep) 735 { 736 struct sctp_hashbucket *head; 737 struct sctp_ep_common *epb; 738 739 epb = &ep->base; 740 741 if (hlist_unhashed(&epb->node)) 742 return; 743 744 epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); 745 746 head = &sctp_ep_hashtable[epb->hashent]; 747 748 sctp_write_lock(&head->lock); 749 __hlist_del(&epb->node); 750 sctp_write_unlock(&head->lock); 751 } 752 753 /* Remove endpoint from the hash. Local BH-safe. */ 754 void sctp_unhash_endpoint(struct sctp_endpoint *ep) 755 { 756 sctp_local_bh_disable(); 757 __sctp_unhash_endpoint(ep); 758 sctp_local_bh_enable(); 759 } 760 761 /* Look up an endpoint. */ 762 static struct sctp_endpoint *__sctp_rcv_lookup_endpoint(const union sctp_addr *laddr) 763 { 764 struct sctp_hashbucket *head; 765 struct sctp_ep_common *epb; 766 struct sctp_endpoint *ep; 767 struct hlist_node *node; 768 int hash; 769 770 hash = sctp_ep_hashfn(ntohs(laddr->v4.sin_port)); 771 head = &sctp_ep_hashtable[hash]; 772 read_lock(&head->lock); 773 sctp_for_each_hentry(epb, node, &head->chain) { 774 ep = sctp_ep(epb); 775 if (sctp_endpoint_is_match(ep, laddr)) 776 goto hit; 777 } 778 779 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 780 781 hit: 782 sctp_endpoint_hold(ep); 783 read_unlock(&head->lock); 784 return ep; 785 } 786 787 /* Insert association into the hash table. */ 788 static void __sctp_hash_established(struct sctp_association *asoc) 789 { 790 struct sctp_ep_common *epb; 791 struct sctp_hashbucket *head; 792 793 epb = &asoc->base; 794 795 /* Calculate which chain this entry will belong to. */ 796 epb->hashent = sctp_assoc_hashfn(epb->bind_addr.port, asoc->peer.port); 797 798 head = &sctp_assoc_hashtable[epb->hashent]; 799 800 sctp_write_lock(&head->lock); 801 hlist_add_head(&epb->node, &head->chain); 802 sctp_write_unlock(&head->lock); 803 } 804 805 /* Add an association to the hash. Local BH-safe. */ 806 void sctp_hash_established(struct sctp_association *asoc) 807 { 808 if (asoc->temp) 809 return; 810 811 sctp_local_bh_disable(); 812 __sctp_hash_established(asoc); 813 sctp_local_bh_enable(); 814 } 815 816 /* Remove association from the hash table. */ 817 static void __sctp_unhash_established(struct sctp_association *asoc) 818 { 819 struct sctp_hashbucket *head; 820 struct sctp_ep_common *epb; 821 822 epb = &asoc->base; 823 824 epb->hashent = sctp_assoc_hashfn(epb->bind_addr.port, 825 asoc->peer.port); 826 827 head = &sctp_assoc_hashtable[epb->hashent]; 828 829 sctp_write_lock(&head->lock); 830 __hlist_del(&epb->node); 831 sctp_write_unlock(&head->lock); 832 } 833 834 /* Remove association from the hash table. Local BH-safe. */ 835 void sctp_unhash_established(struct sctp_association *asoc) 836 { 837 if (asoc->temp) 838 return; 839 840 sctp_local_bh_disable(); 841 __sctp_unhash_established(asoc); 842 sctp_local_bh_enable(); 843 } 844 845 /* Look up an association. */ 846 static struct sctp_association *__sctp_lookup_association( 847 const union sctp_addr *local, 848 const union sctp_addr *peer, 849 struct sctp_transport **pt) 850 { 851 struct sctp_hashbucket *head; 852 struct sctp_ep_common *epb; 853 struct sctp_association *asoc; 854 struct sctp_transport *transport; 855 struct hlist_node *node; 856 int hash; 857 858 /* Optimize here for direct hit, only listening connections can 859 * have wildcards anyways. 860 */ 861 hash = sctp_assoc_hashfn(ntohs(local->v4.sin_port), ntohs(peer->v4.sin_port)); 862 head = &sctp_assoc_hashtable[hash]; 863 read_lock(&head->lock); 864 sctp_for_each_hentry(epb, node, &head->chain) { 865 asoc = sctp_assoc(epb); 866 transport = sctp_assoc_is_match(asoc, local, peer); 867 if (transport) 868 goto hit; 869 } 870 871 read_unlock(&head->lock); 872 873 return NULL; 874 875 hit: 876 *pt = transport; 877 sctp_association_hold(asoc); 878 read_unlock(&head->lock); 879 return asoc; 880 } 881 882 /* Look up an association. BH-safe. */ 883 SCTP_STATIC 884 struct sctp_association *sctp_lookup_association(const union sctp_addr *laddr, 885 const union sctp_addr *paddr, 886 struct sctp_transport **transportp) 887 { 888 struct sctp_association *asoc; 889 890 sctp_local_bh_disable(); 891 asoc = __sctp_lookup_association(laddr, paddr, transportp); 892 sctp_local_bh_enable(); 893 894 return asoc; 895 } 896 897 /* Is there an association matching the given local and peer addresses? */ 898 int sctp_has_association(const union sctp_addr *laddr, 899 const union sctp_addr *paddr) 900 { 901 struct sctp_association *asoc; 902 struct sctp_transport *transport; 903 904 if ((asoc = sctp_lookup_association(laddr, paddr, &transport))) { 905 sctp_association_put(asoc); 906 return 1; 907 } 908 909 return 0; 910 } 911 912 /* 913 * SCTP Implementors Guide, 2.18 Handling of address 914 * parameters within the INIT or INIT-ACK. 915 * 916 * D) When searching for a matching TCB upon reception of an INIT 917 * or INIT-ACK chunk the receiver SHOULD use not only the 918 * source address of the packet (containing the INIT or 919 * INIT-ACK) but the receiver SHOULD also use all valid 920 * address parameters contained within the chunk. 921 * 922 * 2.18.3 Solution description 923 * 924 * This new text clearly specifies to an implementor the need 925 * to look within the INIT or INIT-ACK. Any implementation that 926 * does not do this, may not be able to establish associations 927 * in certain circumstances. 928 * 929 */ 930 static struct sctp_association *__sctp_rcv_init_lookup(struct sk_buff *skb, 931 const union sctp_addr *laddr, struct sctp_transport **transportp) 932 { 933 struct sctp_association *asoc; 934 union sctp_addr addr; 935 union sctp_addr *paddr = &addr; 936 struct sctphdr *sh = sctp_hdr(skb); 937 sctp_chunkhdr_t *ch; 938 union sctp_params params; 939 sctp_init_chunk_t *init; 940 struct sctp_transport *transport; 941 struct sctp_af *af; 942 943 ch = (sctp_chunkhdr_t *) skb->data; 944 945 /* 946 * This code will NOT touch anything inside the chunk--it is 947 * strictly READ-ONLY. 948 * 949 * RFC 2960 3 SCTP packet Format 950 * 951 * Multiple chunks can be bundled into one SCTP packet up to 952 * the MTU size, except for the INIT, INIT ACK, and SHUTDOWN 953 * COMPLETE chunks. These chunks MUST NOT be bundled with any 954 * other chunk in a packet. See Section 6.10 for more details 955 * on chunk bundling. 956 */ 957 958 /* Find the start of the TLVs and the end of the chunk. This is 959 * the region we search for address parameters. 960 */ 961 init = (sctp_init_chunk_t *)skb->data; 962 963 /* Walk the parameters looking for embedded addresses. */ 964 sctp_walk_params(params, init, init_hdr.params) { 965 966 /* Note: Ignoring hostname addresses. */ 967 af = sctp_get_af_specific(param_type2af(params.p->type)); 968 if (!af) 969 continue; 970 971 af->from_addr_param(paddr, params.addr, sh->source, 0); 972 973 asoc = __sctp_lookup_association(laddr, paddr, &transport); 974 if (asoc) 975 return asoc; 976 } 977 978 return NULL; 979 } 980 981 /* ADD-IP, Section 5.2 982 * When an endpoint receives an ASCONF Chunk from the remote peer 983 * special procedures may be needed to identify the association the 984 * ASCONF Chunk is associated with. To properly find the association 985 * the following procedures SHOULD be followed: 986 * 987 * D2) If the association is not found, use the address found in the 988 * Address Parameter TLV combined with the port number found in the 989 * SCTP common header. If found proceed to rule D4. 990 * 991 * D2-ext) If more than one ASCONF Chunks are packed together, use the 992 * address found in the ASCONF Address Parameter TLV of each of the 993 * subsequent ASCONF Chunks. If found, proceed to rule D4. 994 */ 995 static struct sctp_association *__sctp_rcv_asconf_lookup( 996 sctp_chunkhdr_t *ch, 997 const union sctp_addr *laddr, 998 __be16 peer_port, 999 struct sctp_transport **transportp) 1000 { 1001 sctp_addip_chunk_t *asconf = (struct sctp_addip_chunk *)ch; 1002 struct sctp_af *af; 1003 union sctp_addr_param *param; 1004 union sctp_addr paddr; 1005 1006 /* Skip over the ADDIP header and find the Address parameter */ 1007 param = (union sctp_addr_param *)(asconf + 1); 1008 1009 af = sctp_get_af_specific(param_type2af(param->v4.param_hdr.type)); 1010 if (unlikely(!af)) 1011 return NULL; 1012 1013 af->from_addr_param(&paddr, param, peer_port, 0); 1014 1015 return __sctp_lookup_association(laddr, &paddr, transportp); 1016 } 1017 1018 1019 /* SCTP-AUTH, Section 6.3: 1020 * If the receiver does not find a STCB for a packet containing an AUTH 1021 * chunk as the first chunk and not a COOKIE-ECHO chunk as the second 1022 * chunk, it MUST use the chunks after the AUTH chunk to look up an existing 1023 * association. 1024 * 1025 * This means that any chunks that can help us identify the association need 1026 * to be looked at to find this assocation. 1027 */ 1028 static struct sctp_association *__sctp_rcv_walk_lookup(struct sk_buff *skb, 1029 const union sctp_addr *laddr, 1030 struct sctp_transport **transportp) 1031 { 1032 struct sctp_association *asoc = NULL; 1033 sctp_chunkhdr_t *ch; 1034 int have_auth = 0; 1035 unsigned int chunk_num = 1; 1036 __u8 *ch_end; 1037 1038 /* Walk through the chunks looking for AUTH or ASCONF chunks 1039 * to help us find the association. 1040 */ 1041 ch = (sctp_chunkhdr_t *) skb->data; 1042 do { 1043 /* Break out if chunk length is less then minimal. */ 1044 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 1045 break; 1046 1047 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 1048 if (ch_end > skb_tail_pointer(skb)) 1049 break; 1050 1051 switch(ch->type) { 1052 case SCTP_CID_AUTH: 1053 have_auth = chunk_num; 1054 break; 1055 1056 case SCTP_CID_COOKIE_ECHO: 1057 /* If a packet arrives containing an AUTH chunk as 1058 * a first chunk, a COOKIE-ECHO chunk as the second 1059 * chunk, and possibly more chunks after them, and 1060 * the receiver does not have an STCB for that 1061 * packet, then authentication is based on 1062 * the contents of the COOKIE- ECHO chunk. 1063 */ 1064 if (have_auth == 1 && chunk_num == 2) 1065 return NULL; 1066 break; 1067 1068 case SCTP_CID_ASCONF: 1069 if (have_auth || sctp_addip_noauth) 1070 asoc = __sctp_rcv_asconf_lookup(ch, laddr, 1071 sctp_hdr(skb)->source, 1072 transportp); 1073 default: 1074 break; 1075 } 1076 1077 if (asoc) 1078 break; 1079 1080 ch = (sctp_chunkhdr_t *) ch_end; 1081 chunk_num++; 1082 } while (ch_end < skb_tail_pointer(skb)); 1083 1084 return asoc; 1085 } 1086 1087 /* 1088 * There are circumstances when we need to look inside the SCTP packet 1089 * for information to help us find the association. Examples 1090 * include looking inside of INIT/INIT-ACK chunks or after the AUTH 1091 * chunks. 1092 */ 1093 static struct sctp_association *__sctp_rcv_lookup_harder(struct sk_buff *skb, 1094 const union sctp_addr *laddr, 1095 struct sctp_transport **transportp) 1096 { 1097 sctp_chunkhdr_t *ch; 1098 1099 ch = (sctp_chunkhdr_t *) skb->data; 1100 1101 /* The code below will attempt to walk the chunk and extract 1102 * parameter information. Before we do that, we need to verify 1103 * that the chunk length doesn't cause overflow. Otherwise, we'll 1104 * walk off the end. 1105 */ 1106 if (WORD_ROUND(ntohs(ch->length)) > skb->len) 1107 return NULL; 1108 1109 /* If this is INIT/INIT-ACK look inside the chunk too. */ 1110 switch (ch->type) { 1111 case SCTP_CID_INIT: 1112 case SCTP_CID_INIT_ACK: 1113 return __sctp_rcv_init_lookup(skb, laddr, transportp); 1114 break; 1115 1116 default: 1117 return __sctp_rcv_walk_lookup(skb, laddr, transportp); 1118 break; 1119 } 1120 1121 1122 return NULL; 1123 } 1124 1125 /* Lookup an association for an inbound skb. */ 1126 static struct sctp_association *__sctp_rcv_lookup(struct sk_buff *skb, 1127 const union sctp_addr *paddr, 1128 const union sctp_addr *laddr, 1129 struct sctp_transport **transportp) 1130 { 1131 struct sctp_association *asoc; 1132 1133 asoc = __sctp_lookup_association(laddr, paddr, transportp); 1134 1135 /* Further lookup for INIT/INIT-ACK packets. 1136 * SCTP Implementors Guide, 2.18 Handling of address 1137 * parameters within the INIT or INIT-ACK. 1138 */ 1139 if (!asoc) 1140 asoc = __sctp_rcv_lookup_harder(skb, laddr, transportp); 1141 1142 return asoc; 1143 } 1144