1 /* SCTP kernel implementation 2 * Copyright (c) 1999-2000 Cisco, Inc. 3 * Copyright (c) 1999-2001 Motorola, Inc. 4 * Copyright (c) 2001-2003 International Business Machines, Corp. 5 * Copyright (c) 2001 Intel Corp. 6 * Copyright (c) 2001 Nokia, Inc. 7 * Copyright (c) 2001 La Monte H.P. Yarroll 8 * 9 * This file is part of the SCTP kernel implementation 10 * 11 * These functions handle all input from the IP layer into SCTP. 12 * 13 * This SCTP implementation is free software; 14 * you can redistribute it and/or modify it under the terms of 15 * the GNU General Public License as published by 16 * the Free Software Foundation; either version 2, or (at your option) 17 * any later version. 18 * 19 * This SCTP implementation is distributed in the hope that it 20 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 21 * ************************ 22 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 23 * See the GNU General Public License for more details. 24 * 25 * You should have received a copy of the GNU General Public License 26 * along with GNU CC; see the file COPYING. If not, write to 27 * the Free Software Foundation, 59 Temple Place - Suite 330, 28 * Boston, MA 02111-1307, USA. 29 * 30 * Please send any bug reports or fixes you make to the 31 * email address(es): 32 * lksctp developers <lksctp-developers@lists.sourceforge.net> 33 * 34 * Or submit a bug report through the following website: 35 * http://www.sf.net/projects/lksctp 36 * 37 * Written or modified by: 38 * La Monte H.P. Yarroll <piggy@acm.org> 39 * Karl Knutson <karl@athena.chicago.il.us> 40 * Xingang Guo <xingang.guo@intel.com> 41 * Jon Grimm <jgrimm@us.ibm.com> 42 * Hui Huang <hui.huang@nokia.com> 43 * Daisy Chang <daisyc@us.ibm.com> 44 * Sridhar Samudrala <sri@us.ibm.com> 45 * Ardelle Fan <ardelle.fan@intel.com> 46 * 47 * Any bugs reported given to us we will try to fix... any fixes shared will 48 * be incorporated into the next SCTP release. 49 */ 50 51 #include <linux/types.h> 52 #include <linux/list.h> /* For struct list_head */ 53 #include <linux/socket.h> 54 #include <linux/ip.h> 55 #include <linux/time.h> /* For struct timeval */ 56 #include <net/ip.h> 57 #include <net/icmp.h> 58 #include <net/snmp.h> 59 #include <net/sock.h> 60 #include <net/xfrm.h> 61 #include <net/sctp/sctp.h> 62 #include <net/sctp/sm.h> 63 #include <net/sctp/checksum.h> 64 #include <net/net_namespace.h> 65 66 /* Forward declarations for internal helpers. */ 67 static int sctp_rcv_ootb(struct sk_buff *); 68 static struct sctp_association *__sctp_rcv_lookup(struct sk_buff *skb, 69 const union sctp_addr *laddr, 70 const union sctp_addr *paddr, 71 struct sctp_transport **transportp); 72 static struct sctp_endpoint *__sctp_rcv_lookup_endpoint(const union sctp_addr *laddr); 73 static struct sctp_association *__sctp_lookup_association( 74 const union sctp_addr *local, 75 const union sctp_addr *peer, 76 struct sctp_transport **pt); 77 78 static void sctp_add_backlog(struct sock *sk, struct sk_buff *skb); 79 80 81 /* Calculate the SCTP checksum of an SCTP packet. */ 82 static inline int sctp_rcv_checksum(struct sk_buff *skb) 83 { 84 struct sctphdr *sh = sctp_hdr(skb); 85 __le32 cmp = sh->checksum; 86 struct sk_buff *list; 87 __le32 val; 88 __u32 tmp = sctp_start_cksum((__u8 *)sh, skb_headlen(skb)); 89 90 skb_walk_frags(skb, list) 91 tmp = sctp_update_cksum((__u8 *)list->data, skb_headlen(list), 92 tmp); 93 94 val = sctp_end_cksum(tmp); 95 96 if (val != cmp) { 97 /* CRC failure, dump it. */ 98 SCTP_INC_STATS_BH(SCTP_MIB_CHECKSUMERRORS); 99 return -1; 100 } 101 return 0; 102 } 103 104 struct sctp_input_cb { 105 union { 106 struct inet_skb_parm h4; 107 #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) 108 struct inet6_skb_parm h6; 109 #endif 110 } header; 111 struct sctp_chunk *chunk; 112 }; 113 #define SCTP_INPUT_CB(__skb) ((struct sctp_input_cb *)&((__skb)->cb[0])) 114 115 /* 116 * This is the routine which IP calls when receiving an SCTP packet. 117 */ 118 int sctp_rcv(struct sk_buff *skb) 119 { 120 struct sock *sk; 121 struct sctp_association *asoc; 122 struct sctp_endpoint *ep = NULL; 123 struct sctp_ep_common *rcvr; 124 struct sctp_transport *transport = NULL; 125 struct sctp_chunk *chunk; 126 struct sctphdr *sh; 127 union sctp_addr src; 128 union sctp_addr dest; 129 int family; 130 struct sctp_af *af; 131 132 if (skb->pkt_type!=PACKET_HOST) 133 goto discard_it; 134 135 SCTP_INC_STATS_BH(SCTP_MIB_INSCTPPACKS); 136 137 if (skb_linearize(skb)) 138 goto discard_it; 139 140 sh = sctp_hdr(skb); 141 142 /* Pull up the IP and SCTP headers. */ 143 __skb_pull(skb, skb_transport_offset(skb)); 144 if (skb->len < sizeof(struct sctphdr)) 145 goto discard_it; 146 if (!sctp_checksum_disable && !skb_csum_unnecessary(skb) && 147 sctp_rcv_checksum(skb) < 0) 148 goto discard_it; 149 150 skb_pull(skb, sizeof(struct sctphdr)); 151 152 /* Make sure we at least have chunk headers worth of data left. */ 153 if (skb->len < sizeof(struct sctp_chunkhdr)) 154 goto discard_it; 155 156 family = ipver2af(ip_hdr(skb)->version); 157 af = sctp_get_af_specific(family); 158 if (unlikely(!af)) 159 goto discard_it; 160 161 /* Initialize local addresses for lookups. */ 162 af->from_skb(&src, skb, 1); 163 af->from_skb(&dest, skb, 0); 164 165 /* If the packet is to or from a non-unicast address, 166 * silently discard the packet. 167 * 168 * This is not clearly defined in the RFC except in section 169 * 8.4 - OOTB handling. However, based on the book "Stream Control 170 * Transmission Protocol" 2.1, "It is important to note that the 171 * IP address of an SCTP transport address must be a routable 172 * unicast address. In other words, IP multicast addresses and 173 * IP broadcast addresses cannot be used in an SCTP transport 174 * address." 175 */ 176 if (!af->addr_valid(&src, NULL, skb) || 177 !af->addr_valid(&dest, NULL, skb)) 178 goto discard_it; 179 180 asoc = __sctp_rcv_lookup(skb, &src, &dest, &transport); 181 182 if (!asoc) 183 ep = __sctp_rcv_lookup_endpoint(&dest); 184 185 /* Retrieve the common input handling substructure. */ 186 rcvr = asoc ? &asoc->base : &ep->base; 187 sk = rcvr->sk; 188 189 /* 190 * If a frame arrives on an interface and the receiving socket is 191 * bound to another interface, via SO_BINDTODEVICE, treat it as OOTB 192 */ 193 if (sk->sk_bound_dev_if && (sk->sk_bound_dev_if != af->skb_iif(skb))) 194 { 195 if (asoc) { 196 sctp_association_put(asoc); 197 asoc = NULL; 198 } else { 199 sctp_endpoint_put(ep); 200 ep = NULL; 201 } 202 sk = sctp_get_ctl_sock(); 203 ep = sctp_sk(sk)->ep; 204 sctp_endpoint_hold(ep); 205 rcvr = &ep->base; 206 } 207 208 /* 209 * RFC 2960, 8.4 - Handle "Out of the blue" Packets. 210 * An SCTP packet is called an "out of the blue" (OOTB) 211 * packet if it is correctly formed, i.e., passed the 212 * receiver's checksum check, but the receiver is not 213 * able to identify the association to which this 214 * packet belongs. 215 */ 216 if (!asoc) { 217 if (sctp_rcv_ootb(skb)) { 218 SCTP_INC_STATS_BH(SCTP_MIB_OUTOFBLUES); 219 goto discard_release; 220 } 221 } 222 223 if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb, family)) 224 goto discard_release; 225 nf_reset(skb); 226 227 if (sk_filter(sk, skb)) 228 goto discard_release; 229 230 /* Create an SCTP packet structure. */ 231 chunk = sctp_chunkify(skb, asoc, sk); 232 if (!chunk) 233 goto discard_release; 234 SCTP_INPUT_CB(skb)->chunk = chunk; 235 236 /* Remember what endpoint is to handle this packet. */ 237 chunk->rcvr = rcvr; 238 239 /* Remember the SCTP header. */ 240 chunk->sctp_hdr = sh; 241 242 /* Set the source and destination addresses of the incoming chunk. */ 243 sctp_init_addrs(chunk, &src, &dest); 244 245 /* Remember where we came from. */ 246 chunk->transport = transport; 247 248 /* Acquire access to the sock lock. Note: We are safe from other 249 * bottom halves on this lock, but a user may be in the lock too, 250 * so check if it is busy. 251 */ 252 sctp_bh_lock_sock(sk); 253 254 if (sk != rcvr->sk) { 255 /* Our cached sk is different from the rcvr->sk. This is 256 * because migrate()/accept() may have moved the association 257 * to a new socket and released all the sockets. So now we 258 * are holding a lock on the old socket while the user may 259 * be doing something with the new socket. Switch our veiw 260 * of the current sk. 261 */ 262 sctp_bh_unlock_sock(sk); 263 sk = rcvr->sk; 264 sctp_bh_lock_sock(sk); 265 } 266 267 if (sock_owned_by_user(sk)) { 268 SCTP_INC_STATS_BH(SCTP_MIB_IN_PKT_BACKLOG); 269 sctp_add_backlog(sk, skb); 270 } else { 271 SCTP_INC_STATS_BH(SCTP_MIB_IN_PKT_SOFTIRQ); 272 sctp_inq_push(&chunk->rcvr->inqueue, chunk); 273 } 274 275 sctp_bh_unlock_sock(sk); 276 277 /* Release the asoc/ep ref we took in the lookup calls. */ 278 if (asoc) 279 sctp_association_put(asoc); 280 else 281 sctp_endpoint_put(ep); 282 283 return 0; 284 285 discard_it: 286 SCTP_INC_STATS_BH(SCTP_MIB_IN_PKT_DISCARDS); 287 kfree_skb(skb); 288 return 0; 289 290 discard_release: 291 /* Release the asoc/ep ref we took in the lookup calls. */ 292 if (asoc) 293 sctp_association_put(asoc); 294 else 295 sctp_endpoint_put(ep); 296 297 goto discard_it; 298 } 299 300 /* Process the backlog queue of the socket. Every skb on 301 * the backlog holds a ref on an association or endpoint. 302 * We hold this ref throughout the state machine to make 303 * sure that the structure we need is still around. 304 */ 305 int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb) 306 { 307 struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk; 308 struct sctp_inq *inqueue = &chunk->rcvr->inqueue; 309 struct sctp_ep_common *rcvr = NULL; 310 int backloged = 0; 311 312 rcvr = chunk->rcvr; 313 314 /* If the rcvr is dead then the association or endpoint 315 * has been deleted and we can safely drop the chunk 316 * and refs that we are holding. 317 */ 318 if (rcvr->dead) { 319 sctp_chunk_free(chunk); 320 goto done; 321 } 322 323 if (unlikely(rcvr->sk != sk)) { 324 /* In this case, the association moved from one socket to 325 * another. We are currently sitting on the backlog of the 326 * old socket, so we need to move. 327 * However, since we are here in the process context we 328 * need to take make sure that the user doesn't own 329 * the new socket when we process the packet. 330 * If the new socket is user-owned, queue the chunk to the 331 * backlog of the new socket without dropping any refs. 332 * Otherwise, we can safely push the chunk on the inqueue. 333 */ 334 335 sk = rcvr->sk; 336 sctp_bh_lock_sock(sk); 337 338 if (sock_owned_by_user(sk)) { 339 sk_add_backlog(sk, skb); 340 backloged = 1; 341 } else 342 sctp_inq_push(inqueue, chunk); 343 344 sctp_bh_unlock_sock(sk); 345 346 /* If the chunk was backloged again, don't drop refs */ 347 if (backloged) 348 return 0; 349 } else { 350 sctp_inq_push(inqueue, chunk); 351 } 352 353 done: 354 /* Release the refs we took in sctp_add_backlog */ 355 if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type) 356 sctp_association_put(sctp_assoc(rcvr)); 357 else if (SCTP_EP_TYPE_SOCKET == rcvr->type) 358 sctp_endpoint_put(sctp_ep(rcvr)); 359 else 360 BUG(); 361 362 return 0; 363 } 364 365 static void sctp_add_backlog(struct sock *sk, struct sk_buff *skb) 366 { 367 struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk; 368 struct sctp_ep_common *rcvr = chunk->rcvr; 369 370 /* Hold the assoc/ep while hanging on the backlog queue. 371 * This way, we know structures we need will not disappear from us 372 */ 373 if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type) 374 sctp_association_hold(sctp_assoc(rcvr)); 375 else if (SCTP_EP_TYPE_SOCKET == rcvr->type) 376 sctp_endpoint_hold(sctp_ep(rcvr)); 377 else 378 BUG(); 379 380 sk_add_backlog(sk, skb); 381 } 382 383 /* Handle icmp frag needed error. */ 384 void sctp_icmp_frag_needed(struct sock *sk, struct sctp_association *asoc, 385 struct sctp_transport *t, __u32 pmtu) 386 { 387 if (!t || (t->pathmtu <= pmtu)) 388 return; 389 390 if (sock_owned_by_user(sk)) { 391 asoc->pmtu_pending = 1; 392 t->pmtu_pending = 1; 393 return; 394 } 395 396 if (t->param_flags & SPP_PMTUD_ENABLE) { 397 /* Update transports view of the MTU */ 398 sctp_transport_update_pmtu(t, pmtu); 399 400 /* Update association pmtu. */ 401 sctp_assoc_sync_pmtu(asoc); 402 } 403 404 /* Retransmit with the new pmtu setting. 405 * Normally, if PMTU discovery is disabled, an ICMP Fragmentation 406 * Needed will never be sent, but if a message was sent before 407 * PMTU discovery was disabled that was larger than the PMTU, it 408 * would not be fragmented, so it must be re-transmitted fragmented. 409 */ 410 sctp_retransmit(&asoc->outqueue, t, SCTP_RTXR_PMTUD); 411 } 412 413 /* 414 * SCTP Implementer's Guide, 2.37 ICMP handling procedures 415 * 416 * ICMP8) If the ICMP code is a "Unrecognized next header type encountered" 417 * or a "Protocol Unreachable" treat this message as an abort 418 * with the T bit set. 419 * 420 * This function sends an event to the state machine, which will abort the 421 * association. 422 * 423 */ 424 void sctp_icmp_proto_unreachable(struct sock *sk, 425 struct sctp_association *asoc, 426 struct sctp_transport *t) 427 { 428 SCTP_DEBUG_PRINTK("%s\n", __func__); 429 430 sctp_do_sm(SCTP_EVENT_T_OTHER, 431 SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH), 432 asoc->state, asoc->ep, asoc, t, 433 GFP_ATOMIC); 434 435 } 436 437 /* Common lookup code for icmp/icmpv6 error handler. */ 438 struct sock *sctp_err_lookup(int family, struct sk_buff *skb, 439 struct sctphdr *sctphdr, 440 struct sctp_association **app, 441 struct sctp_transport **tpp) 442 { 443 union sctp_addr saddr; 444 union sctp_addr daddr; 445 struct sctp_af *af; 446 struct sock *sk = NULL; 447 struct sctp_association *asoc; 448 struct sctp_transport *transport = NULL; 449 struct sctp_init_chunk *chunkhdr; 450 __u32 vtag = ntohl(sctphdr->vtag); 451 int len = skb->len - ((void *)sctphdr - (void *)skb->data); 452 453 *app = NULL; *tpp = NULL; 454 455 af = sctp_get_af_specific(family); 456 if (unlikely(!af)) { 457 return NULL; 458 } 459 460 /* Initialize local addresses for lookups. */ 461 af->from_skb(&saddr, skb, 1); 462 af->from_skb(&daddr, skb, 0); 463 464 /* Look for an association that matches the incoming ICMP error 465 * packet. 466 */ 467 asoc = __sctp_lookup_association(&saddr, &daddr, &transport); 468 if (!asoc) 469 return NULL; 470 471 sk = asoc->base.sk; 472 473 /* RFC 4960, Appendix C. ICMP Handling 474 * 475 * ICMP6) An implementation MUST validate that the Verification Tag 476 * contained in the ICMP message matches the Verification Tag of 477 * the peer. If the Verification Tag is not 0 and does NOT 478 * match, discard the ICMP message. If it is 0 and the ICMP 479 * message contains enough bytes to verify that the chunk type is 480 * an INIT chunk and that the Initiate Tag matches the tag of the 481 * peer, continue with ICMP7. If the ICMP message is too short 482 * or the chunk type or the Initiate Tag does not match, silently 483 * discard the packet. 484 */ 485 if (vtag == 0) { 486 chunkhdr = (struct sctp_init_chunk *)((void *)sctphdr 487 + sizeof(struct sctphdr)); 488 if (len < sizeof(struct sctphdr) + sizeof(sctp_chunkhdr_t) 489 + sizeof(__be32) || 490 chunkhdr->chunk_hdr.type != SCTP_CID_INIT || 491 ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) { 492 goto out; 493 } 494 } else if (vtag != asoc->c.peer_vtag) { 495 goto out; 496 } 497 498 sctp_bh_lock_sock(sk); 499 500 /* If too many ICMPs get dropped on busy 501 * servers this needs to be solved differently. 502 */ 503 if (sock_owned_by_user(sk)) 504 NET_INC_STATS_BH(&init_net, LINUX_MIB_LOCKDROPPEDICMPS); 505 506 *app = asoc; 507 *tpp = transport; 508 return sk; 509 510 out: 511 if (asoc) 512 sctp_association_put(asoc); 513 return NULL; 514 } 515 516 /* Common cleanup code for icmp/icmpv6 error handler. */ 517 void sctp_err_finish(struct sock *sk, struct sctp_association *asoc) 518 { 519 sctp_bh_unlock_sock(sk); 520 if (asoc) 521 sctp_association_put(asoc); 522 } 523 524 /* 525 * This routine is called by the ICMP module when it gets some 526 * sort of error condition. If err < 0 then the socket should 527 * be closed and the error returned to the user. If err > 0 528 * it's just the icmp type << 8 | icmp code. After adjustment 529 * header points to the first 8 bytes of the sctp header. We need 530 * to find the appropriate port. 531 * 532 * The locking strategy used here is very "optimistic". When 533 * someone else accesses the socket the ICMP is just dropped 534 * and for some paths there is no check at all. 535 * A more general error queue to queue errors for later handling 536 * is probably better. 537 * 538 */ 539 void sctp_v4_err(struct sk_buff *skb, __u32 info) 540 { 541 struct iphdr *iph = (struct iphdr *)skb->data; 542 const int ihlen = iph->ihl * 4; 543 const int type = icmp_hdr(skb)->type; 544 const int code = icmp_hdr(skb)->code; 545 struct sock *sk; 546 struct sctp_association *asoc = NULL; 547 struct sctp_transport *transport; 548 struct inet_sock *inet; 549 sk_buff_data_t saveip, savesctp; 550 int err; 551 552 if (skb->len < ihlen + 8) { 553 ICMP_INC_STATS_BH(&init_net, ICMP_MIB_INERRORS); 554 return; 555 } 556 557 /* Fix up skb to look at the embedded net header. */ 558 saveip = skb->network_header; 559 savesctp = skb->transport_header; 560 skb_reset_network_header(skb); 561 skb_set_transport_header(skb, ihlen); 562 sk = sctp_err_lookup(AF_INET, skb, sctp_hdr(skb), &asoc, &transport); 563 /* Put back, the original values. */ 564 skb->network_header = saveip; 565 skb->transport_header = savesctp; 566 if (!sk) { 567 ICMP_INC_STATS_BH(&init_net, ICMP_MIB_INERRORS); 568 return; 569 } 570 /* Warning: The sock lock is held. Remember to call 571 * sctp_err_finish! 572 */ 573 574 switch (type) { 575 case ICMP_PARAMETERPROB: 576 err = EPROTO; 577 break; 578 case ICMP_DEST_UNREACH: 579 if (code > NR_ICMP_UNREACH) 580 goto out_unlock; 581 582 /* PMTU discovery (RFC1191) */ 583 if (ICMP_FRAG_NEEDED == code) { 584 sctp_icmp_frag_needed(sk, asoc, transport, info); 585 goto out_unlock; 586 } 587 else { 588 if (ICMP_PROT_UNREACH == code) { 589 sctp_icmp_proto_unreachable(sk, asoc, 590 transport); 591 goto out_unlock; 592 } 593 } 594 err = icmp_err_convert[code].errno; 595 break; 596 case ICMP_TIME_EXCEEDED: 597 /* Ignore any time exceeded errors due to fragment reassembly 598 * timeouts. 599 */ 600 if (ICMP_EXC_FRAGTIME == code) 601 goto out_unlock; 602 603 err = EHOSTUNREACH; 604 break; 605 default: 606 goto out_unlock; 607 } 608 609 inet = inet_sk(sk); 610 if (!sock_owned_by_user(sk) && inet->recverr) { 611 sk->sk_err = err; 612 sk->sk_error_report(sk); 613 } else { /* Only an error on timeout */ 614 sk->sk_err_soft = err; 615 } 616 617 out_unlock: 618 sctp_err_finish(sk, asoc); 619 } 620 621 /* 622 * RFC 2960, 8.4 - Handle "Out of the blue" Packets. 623 * 624 * This function scans all the chunks in the OOTB packet to determine if 625 * the packet should be discarded right away. If a response might be needed 626 * for this packet, or, if further processing is possible, the packet will 627 * be queued to a proper inqueue for the next phase of handling. 628 * 629 * Output: 630 * Return 0 - If further processing is needed. 631 * Return 1 - If the packet can be discarded right away. 632 */ 633 static int sctp_rcv_ootb(struct sk_buff *skb) 634 { 635 sctp_chunkhdr_t *ch; 636 __u8 *ch_end; 637 sctp_errhdr_t *err; 638 639 ch = (sctp_chunkhdr_t *) skb->data; 640 641 /* Scan through all the chunks in the packet. */ 642 do { 643 /* Break out if chunk length is less then minimal. */ 644 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 645 break; 646 647 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 648 if (ch_end > skb_tail_pointer(skb)) 649 break; 650 651 /* RFC 8.4, 2) If the OOTB packet contains an ABORT chunk, the 652 * receiver MUST silently discard the OOTB packet and take no 653 * further action. 654 */ 655 if (SCTP_CID_ABORT == ch->type) 656 goto discard; 657 658 /* RFC 8.4, 6) If the packet contains a SHUTDOWN COMPLETE 659 * chunk, the receiver should silently discard the packet 660 * and take no further action. 661 */ 662 if (SCTP_CID_SHUTDOWN_COMPLETE == ch->type) 663 goto discard; 664 665 /* RFC 4460, 2.11.2 666 * This will discard packets with INIT chunk bundled as 667 * subsequent chunks in the packet. When INIT is first, 668 * the normal INIT processing will discard the chunk. 669 */ 670 if (SCTP_CID_INIT == ch->type && (void *)ch != skb->data) 671 goto discard; 672 673 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 674 * or a COOKIE ACK the SCTP Packet should be silently 675 * discarded. 676 */ 677 if (SCTP_CID_COOKIE_ACK == ch->type) 678 goto discard; 679 680 if (SCTP_CID_ERROR == ch->type) { 681 sctp_walk_errors(err, ch) { 682 if (SCTP_ERROR_STALE_COOKIE == err->cause) 683 goto discard; 684 } 685 } 686 687 ch = (sctp_chunkhdr_t *) ch_end; 688 } while (ch_end < skb_tail_pointer(skb)); 689 690 return 0; 691 692 discard: 693 return 1; 694 } 695 696 /* Insert endpoint into the hash table. */ 697 static void __sctp_hash_endpoint(struct sctp_endpoint *ep) 698 { 699 struct sctp_ep_common *epb; 700 struct sctp_hashbucket *head; 701 702 epb = &ep->base; 703 704 epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); 705 head = &sctp_ep_hashtable[epb->hashent]; 706 707 sctp_write_lock(&head->lock); 708 hlist_add_head(&epb->node, &head->chain); 709 sctp_write_unlock(&head->lock); 710 } 711 712 /* Add an endpoint to the hash. Local BH-safe. */ 713 void sctp_hash_endpoint(struct sctp_endpoint *ep) 714 { 715 sctp_local_bh_disable(); 716 __sctp_hash_endpoint(ep); 717 sctp_local_bh_enable(); 718 } 719 720 /* Remove endpoint from the hash table. */ 721 static void __sctp_unhash_endpoint(struct sctp_endpoint *ep) 722 { 723 struct sctp_hashbucket *head; 724 struct sctp_ep_common *epb; 725 726 epb = &ep->base; 727 728 if (hlist_unhashed(&epb->node)) 729 return; 730 731 epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); 732 733 head = &sctp_ep_hashtable[epb->hashent]; 734 735 sctp_write_lock(&head->lock); 736 __hlist_del(&epb->node); 737 sctp_write_unlock(&head->lock); 738 } 739 740 /* Remove endpoint from the hash. Local BH-safe. */ 741 void sctp_unhash_endpoint(struct sctp_endpoint *ep) 742 { 743 sctp_local_bh_disable(); 744 __sctp_unhash_endpoint(ep); 745 sctp_local_bh_enable(); 746 } 747 748 /* Look up an endpoint. */ 749 static struct sctp_endpoint *__sctp_rcv_lookup_endpoint(const union sctp_addr *laddr) 750 { 751 struct sctp_hashbucket *head; 752 struct sctp_ep_common *epb; 753 struct sctp_endpoint *ep; 754 struct hlist_node *node; 755 int hash; 756 757 hash = sctp_ep_hashfn(ntohs(laddr->v4.sin_port)); 758 head = &sctp_ep_hashtable[hash]; 759 read_lock(&head->lock); 760 sctp_for_each_hentry(epb, node, &head->chain) { 761 ep = sctp_ep(epb); 762 if (sctp_endpoint_is_match(ep, laddr)) 763 goto hit; 764 } 765 766 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 767 768 hit: 769 sctp_endpoint_hold(ep); 770 read_unlock(&head->lock); 771 return ep; 772 } 773 774 /* Insert association into the hash table. */ 775 static void __sctp_hash_established(struct sctp_association *asoc) 776 { 777 struct sctp_ep_common *epb; 778 struct sctp_hashbucket *head; 779 780 epb = &asoc->base; 781 782 /* Calculate which chain this entry will belong to. */ 783 epb->hashent = sctp_assoc_hashfn(epb->bind_addr.port, asoc->peer.port); 784 785 head = &sctp_assoc_hashtable[epb->hashent]; 786 787 sctp_write_lock(&head->lock); 788 hlist_add_head(&epb->node, &head->chain); 789 sctp_write_unlock(&head->lock); 790 } 791 792 /* Add an association to the hash. Local BH-safe. */ 793 void sctp_hash_established(struct sctp_association *asoc) 794 { 795 if (asoc->temp) 796 return; 797 798 sctp_local_bh_disable(); 799 __sctp_hash_established(asoc); 800 sctp_local_bh_enable(); 801 } 802 803 /* Remove association from the hash table. */ 804 static void __sctp_unhash_established(struct sctp_association *asoc) 805 { 806 struct sctp_hashbucket *head; 807 struct sctp_ep_common *epb; 808 809 epb = &asoc->base; 810 811 epb->hashent = sctp_assoc_hashfn(epb->bind_addr.port, 812 asoc->peer.port); 813 814 head = &sctp_assoc_hashtable[epb->hashent]; 815 816 sctp_write_lock(&head->lock); 817 __hlist_del(&epb->node); 818 sctp_write_unlock(&head->lock); 819 } 820 821 /* Remove association from the hash table. Local BH-safe. */ 822 void sctp_unhash_established(struct sctp_association *asoc) 823 { 824 if (asoc->temp) 825 return; 826 827 sctp_local_bh_disable(); 828 __sctp_unhash_established(asoc); 829 sctp_local_bh_enable(); 830 } 831 832 /* Look up an association. */ 833 static struct sctp_association *__sctp_lookup_association( 834 const union sctp_addr *local, 835 const union sctp_addr *peer, 836 struct sctp_transport **pt) 837 { 838 struct sctp_hashbucket *head; 839 struct sctp_ep_common *epb; 840 struct sctp_association *asoc; 841 struct sctp_transport *transport; 842 struct hlist_node *node; 843 int hash; 844 845 /* Optimize here for direct hit, only listening connections can 846 * have wildcards anyways. 847 */ 848 hash = sctp_assoc_hashfn(ntohs(local->v4.sin_port), ntohs(peer->v4.sin_port)); 849 head = &sctp_assoc_hashtable[hash]; 850 read_lock(&head->lock); 851 sctp_for_each_hentry(epb, node, &head->chain) { 852 asoc = sctp_assoc(epb); 853 transport = sctp_assoc_is_match(asoc, local, peer); 854 if (transport) 855 goto hit; 856 } 857 858 read_unlock(&head->lock); 859 860 return NULL; 861 862 hit: 863 *pt = transport; 864 sctp_association_hold(asoc); 865 read_unlock(&head->lock); 866 return asoc; 867 } 868 869 /* Look up an association. BH-safe. */ 870 SCTP_STATIC 871 struct sctp_association *sctp_lookup_association(const union sctp_addr *laddr, 872 const union sctp_addr *paddr, 873 struct sctp_transport **transportp) 874 { 875 struct sctp_association *asoc; 876 877 sctp_local_bh_disable(); 878 asoc = __sctp_lookup_association(laddr, paddr, transportp); 879 sctp_local_bh_enable(); 880 881 return asoc; 882 } 883 884 /* Is there an association matching the given local and peer addresses? */ 885 int sctp_has_association(const union sctp_addr *laddr, 886 const union sctp_addr *paddr) 887 { 888 struct sctp_association *asoc; 889 struct sctp_transport *transport; 890 891 if ((asoc = sctp_lookup_association(laddr, paddr, &transport))) { 892 sctp_association_put(asoc); 893 return 1; 894 } 895 896 return 0; 897 } 898 899 /* 900 * SCTP Implementors Guide, 2.18 Handling of address 901 * parameters within the INIT or INIT-ACK. 902 * 903 * D) When searching for a matching TCB upon reception of an INIT 904 * or INIT-ACK chunk the receiver SHOULD use not only the 905 * source address of the packet (containing the INIT or 906 * INIT-ACK) but the receiver SHOULD also use all valid 907 * address parameters contained within the chunk. 908 * 909 * 2.18.3 Solution description 910 * 911 * This new text clearly specifies to an implementor the need 912 * to look within the INIT or INIT-ACK. Any implementation that 913 * does not do this, may not be able to establish associations 914 * in certain circumstances. 915 * 916 */ 917 static struct sctp_association *__sctp_rcv_init_lookup(struct sk_buff *skb, 918 const union sctp_addr *laddr, struct sctp_transport **transportp) 919 { 920 struct sctp_association *asoc; 921 union sctp_addr addr; 922 union sctp_addr *paddr = &addr; 923 struct sctphdr *sh = sctp_hdr(skb); 924 sctp_chunkhdr_t *ch; 925 union sctp_params params; 926 sctp_init_chunk_t *init; 927 struct sctp_transport *transport; 928 struct sctp_af *af; 929 930 ch = (sctp_chunkhdr_t *) skb->data; 931 932 /* 933 * This code will NOT touch anything inside the chunk--it is 934 * strictly READ-ONLY. 935 * 936 * RFC 2960 3 SCTP packet Format 937 * 938 * Multiple chunks can be bundled into one SCTP packet up to 939 * the MTU size, except for the INIT, INIT ACK, and SHUTDOWN 940 * COMPLETE chunks. These chunks MUST NOT be bundled with any 941 * other chunk in a packet. See Section 6.10 for more details 942 * on chunk bundling. 943 */ 944 945 /* Find the start of the TLVs and the end of the chunk. This is 946 * the region we search for address parameters. 947 */ 948 init = (sctp_init_chunk_t *)skb->data; 949 950 /* Walk the parameters looking for embedded addresses. */ 951 sctp_walk_params(params, init, init_hdr.params) { 952 953 /* Note: Ignoring hostname addresses. */ 954 af = sctp_get_af_specific(param_type2af(params.p->type)); 955 if (!af) 956 continue; 957 958 af->from_addr_param(paddr, params.addr, sh->source, 0); 959 960 asoc = __sctp_lookup_association(laddr, paddr, &transport); 961 if (asoc) 962 return asoc; 963 } 964 965 return NULL; 966 } 967 968 /* ADD-IP, Section 5.2 969 * When an endpoint receives an ASCONF Chunk from the remote peer 970 * special procedures may be needed to identify the association the 971 * ASCONF Chunk is associated with. To properly find the association 972 * the following procedures SHOULD be followed: 973 * 974 * D2) If the association is not found, use the address found in the 975 * Address Parameter TLV combined with the port number found in the 976 * SCTP common header. If found proceed to rule D4. 977 * 978 * D2-ext) If more than one ASCONF Chunks are packed together, use the 979 * address found in the ASCONF Address Parameter TLV of each of the 980 * subsequent ASCONF Chunks. If found, proceed to rule D4. 981 */ 982 static struct sctp_association *__sctp_rcv_asconf_lookup( 983 sctp_chunkhdr_t *ch, 984 const union sctp_addr *laddr, 985 __be16 peer_port, 986 struct sctp_transport **transportp) 987 { 988 sctp_addip_chunk_t *asconf = (struct sctp_addip_chunk *)ch; 989 struct sctp_af *af; 990 union sctp_addr_param *param; 991 union sctp_addr paddr; 992 993 /* Skip over the ADDIP header and find the Address parameter */ 994 param = (union sctp_addr_param *)(asconf + 1); 995 996 af = sctp_get_af_specific(param_type2af(param->v4.param_hdr.type)); 997 if (unlikely(!af)) 998 return NULL; 999 1000 af->from_addr_param(&paddr, param, peer_port, 0); 1001 1002 return __sctp_lookup_association(laddr, &paddr, transportp); 1003 } 1004 1005 1006 /* SCTP-AUTH, Section 6.3: 1007 * If the receiver does not find a STCB for a packet containing an AUTH 1008 * chunk as the first chunk and not a COOKIE-ECHO chunk as the second 1009 * chunk, it MUST use the chunks after the AUTH chunk to look up an existing 1010 * association. 1011 * 1012 * This means that any chunks that can help us identify the association need 1013 * to be looked at to find this assocation. 1014 */ 1015 static struct sctp_association *__sctp_rcv_walk_lookup(struct sk_buff *skb, 1016 const union sctp_addr *laddr, 1017 struct sctp_transport **transportp) 1018 { 1019 struct sctp_association *asoc = NULL; 1020 sctp_chunkhdr_t *ch; 1021 int have_auth = 0; 1022 unsigned int chunk_num = 1; 1023 __u8 *ch_end; 1024 1025 /* Walk through the chunks looking for AUTH or ASCONF chunks 1026 * to help us find the association. 1027 */ 1028 ch = (sctp_chunkhdr_t *) skb->data; 1029 do { 1030 /* Break out if chunk length is less then minimal. */ 1031 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 1032 break; 1033 1034 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 1035 if (ch_end > skb_tail_pointer(skb)) 1036 break; 1037 1038 switch(ch->type) { 1039 case SCTP_CID_AUTH: 1040 have_auth = chunk_num; 1041 break; 1042 1043 case SCTP_CID_COOKIE_ECHO: 1044 /* If a packet arrives containing an AUTH chunk as 1045 * a first chunk, a COOKIE-ECHO chunk as the second 1046 * chunk, and possibly more chunks after them, and 1047 * the receiver does not have an STCB for that 1048 * packet, then authentication is based on 1049 * the contents of the COOKIE- ECHO chunk. 1050 */ 1051 if (have_auth == 1 && chunk_num == 2) 1052 return NULL; 1053 break; 1054 1055 case SCTP_CID_ASCONF: 1056 if (have_auth || sctp_addip_noauth) 1057 asoc = __sctp_rcv_asconf_lookup(ch, laddr, 1058 sctp_hdr(skb)->source, 1059 transportp); 1060 default: 1061 break; 1062 } 1063 1064 if (asoc) 1065 break; 1066 1067 ch = (sctp_chunkhdr_t *) ch_end; 1068 chunk_num++; 1069 } while (ch_end < skb_tail_pointer(skb)); 1070 1071 return asoc; 1072 } 1073 1074 /* 1075 * There are circumstances when we need to look inside the SCTP packet 1076 * for information to help us find the association. Examples 1077 * include looking inside of INIT/INIT-ACK chunks or after the AUTH 1078 * chunks. 1079 */ 1080 static struct sctp_association *__sctp_rcv_lookup_harder(struct sk_buff *skb, 1081 const union sctp_addr *laddr, 1082 struct sctp_transport **transportp) 1083 { 1084 sctp_chunkhdr_t *ch; 1085 1086 ch = (sctp_chunkhdr_t *) skb->data; 1087 1088 /* The code below will attempt to walk the chunk and extract 1089 * parameter information. Before we do that, we need to verify 1090 * that the chunk length doesn't cause overflow. Otherwise, we'll 1091 * walk off the end. 1092 */ 1093 if (WORD_ROUND(ntohs(ch->length)) > skb->len) 1094 return NULL; 1095 1096 /* If this is INIT/INIT-ACK look inside the chunk too. */ 1097 switch (ch->type) { 1098 case SCTP_CID_INIT: 1099 case SCTP_CID_INIT_ACK: 1100 return __sctp_rcv_init_lookup(skb, laddr, transportp); 1101 break; 1102 1103 default: 1104 return __sctp_rcv_walk_lookup(skb, laddr, transportp); 1105 break; 1106 } 1107 1108 1109 return NULL; 1110 } 1111 1112 /* Lookup an association for an inbound skb. */ 1113 static struct sctp_association *__sctp_rcv_lookup(struct sk_buff *skb, 1114 const union sctp_addr *paddr, 1115 const union sctp_addr *laddr, 1116 struct sctp_transport **transportp) 1117 { 1118 struct sctp_association *asoc; 1119 1120 asoc = __sctp_lookup_association(laddr, paddr, transportp); 1121 1122 /* Further lookup for INIT/INIT-ACK packets. 1123 * SCTP Implementors Guide, 2.18 Handling of address 1124 * parameters within the INIT or INIT-ACK. 1125 */ 1126 if (!asoc) 1127 asoc = __sctp_rcv_lookup_harder(skb, laddr, transportp); 1128 1129 return asoc; 1130 } 1131