1 /* SCTP kernel implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This is part of the SCTP Linux Kernel Implementation. 9 * 10 * These are the state functions for the state machine. 11 * 12 * This SCTP implementation is free software; 13 * you can redistribute it and/or modify it under the terms of 14 * the GNU General Public License as published by 15 * the Free Software Foundation; either version 2, or (at your option) 16 * any later version. 17 * 18 * This SCTP implementation is distributed in the hope that it 19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 20 * ************************ 21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 22 * See the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with GNU CC; see the file COPYING. If not, see 26 * <http://www.gnu.org/licenses/>. 27 * 28 * Please send any bug reports or fixes you make to the 29 * email address(es): 30 * lksctp developers <linux-sctp@vger.kernel.org> 31 * 32 * Written or modified by: 33 * La Monte H.P. Yarroll <piggy@acm.org> 34 * Karl Knutson <karl@athena.chicago.il.us> 35 * Mathew Kotowsky <kotowsky@sctp.org> 36 * Sridhar Samudrala <samudrala@us.ibm.com> 37 * Jon Grimm <jgrimm@us.ibm.com> 38 * Hui Huang <hui.huang@nokia.com> 39 * Dajiang Zhang <dajiang.zhang@nokia.com> 40 * Daisy Chang <daisyc@us.ibm.com> 41 * Ardelle Fan <ardelle.fan@intel.com> 42 * Ryan Layer <rmlayer@us.ibm.com> 43 * Kevin Gao <kevin.gao@intel.com> 44 */ 45 46 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 47 48 #include <linux/types.h> 49 #include <linux/kernel.h> 50 #include <linux/ip.h> 51 #include <linux/ipv6.h> 52 #include <linux/net.h> 53 #include <linux/inet.h> 54 #include <linux/slab.h> 55 #include <net/sock.h> 56 #include <net/inet_ecn.h> 57 #include <linux/skbuff.h> 58 #include <net/sctp/sctp.h> 59 #include <net/sctp/sm.h> 60 #include <net/sctp/structs.h> 61 62 #define CREATE_TRACE_POINTS 63 #include <trace/events/sctp.h> 64 65 static struct sctp_packet *sctp_abort_pkt_new( 66 struct net *net, 67 const struct sctp_endpoint *ep, 68 const struct sctp_association *asoc, 69 struct sctp_chunk *chunk, 70 const void *payload, size_t paylen); 71 static int sctp_eat_data(const struct sctp_association *asoc, 72 struct sctp_chunk *chunk, 73 struct sctp_cmd_seq *commands); 74 static struct sctp_packet *sctp_ootb_pkt_new( 75 struct net *net, 76 const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk); 78 static void sctp_send_stale_cookie_err(struct net *net, 79 const struct sctp_endpoint *ep, 80 const struct sctp_association *asoc, 81 const struct sctp_chunk *chunk, 82 struct sctp_cmd_seq *commands, 83 struct sctp_chunk *err_chunk); 84 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 85 struct net *net, 86 const struct sctp_endpoint *ep, 87 const struct sctp_association *asoc, 88 const union sctp_subtype type, 89 void *arg, 90 struct sctp_cmd_seq *commands); 91 static enum sctp_disposition sctp_sf_shut_8_4_5( 92 struct net *net, 93 const struct sctp_endpoint *ep, 94 const struct sctp_association *asoc, 95 const union sctp_subtype type, 96 void *arg, 97 struct sctp_cmd_seq *commands); 98 static enum sctp_disposition sctp_sf_tabort_8_4_8( 99 struct net *net, 100 const struct sctp_endpoint *ep, 101 const struct sctp_association *asoc, 102 const union sctp_subtype type, 103 void *arg, 104 struct sctp_cmd_seq *commands); 105 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 106 107 static enum sctp_disposition sctp_stop_t1_and_abort( 108 struct net *net, 109 struct sctp_cmd_seq *commands, 110 __be16 error, int sk_err, 111 const struct sctp_association *asoc, 112 struct sctp_transport *transport); 113 114 static enum sctp_disposition sctp_sf_abort_violation( 115 struct net *net, 116 const struct sctp_endpoint *ep, 117 const struct sctp_association *asoc, 118 void *arg, 119 struct sctp_cmd_seq *commands, 120 const __u8 *payload, 121 const size_t paylen); 122 123 static enum sctp_disposition sctp_sf_violation_chunklen( 124 struct net *net, 125 const struct sctp_endpoint *ep, 126 const struct sctp_association *asoc, 127 const union sctp_subtype type, 128 void *arg, 129 struct sctp_cmd_seq *commands); 130 131 static enum sctp_disposition sctp_sf_violation_paramlen( 132 struct net *net, 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const union sctp_subtype type, 136 void *arg, void *ext, 137 struct sctp_cmd_seq *commands); 138 139 static enum sctp_disposition sctp_sf_violation_ctsn( 140 struct net *net, 141 const struct sctp_endpoint *ep, 142 const struct sctp_association *asoc, 143 const union sctp_subtype type, 144 void *arg, 145 struct sctp_cmd_seq *commands); 146 147 static enum sctp_disposition sctp_sf_violation_chunk( 148 struct net *net, 149 const struct sctp_endpoint *ep, 150 const struct sctp_association *asoc, 151 const union sctp_subtype type, 152 void *arg, 153 struct sctp_cmd_seq *commands); 154 155 static enum sctp_ierror sctp_sf_authenticate( 156 struct net *net, 157 const struct sctp_endpoint *ep, 158 const struct sctp_association *asoc, 159 const union sctp_subtype type, 160 struct sctp_chunk *chunk); 161 162 static enum sctp_disposition __sctp_sf_do_9_1_abort( 163 struct net *net, 164 const struct sctp_endpoint *ep, 165 const struct sctp_association *asoc, 166 const union sctp_subtype type, 167 void *arg, 168 struct sctp_cmd_seq *commands); 169 170 /* Small helper function that checks if the chunk length 171 * is of the appropriate length. The 'required_length' argument 172 * is set to be the size of a specific chunk we are testing. 173 * Return Values: true = Valid length 174 * false = Invalid length 175 * 176 */ 177 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, 178 __u16 required_length) 179 { 180 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 181 182 /* Previously already marked? */ 183 if (unlikely(chunk->pdiscard)) 184 return false; 185 if (unlikely(chunk_length < required_length)) 186 return false; 187 188 return true; 189 } 190 191 /********************************************************** 192 * These are the state functions for handling chunk events. 193 **********************************************************/ 194 195 /* 196 * Process the final SHUTDOWN COMPLETE. 197 * 198 * Section: 4 (C) (diagram), 9.2 199 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 200 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 201 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 202 * should stop the T2-shutdown timer and remove all knowledge of the 203 * association (and thus the association enters the CLOSED state). 204 * 205 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 206 * C) Rules for packet carrying SHUTDOWN COMPLETE: 207 * ... 208 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 209 * if the Verification Tag field of the packet matches its own tag and 210 * the T bit is not set 211 * OR 212 * it is set to its peer's tag and the T bit is set in the Chunk 213 * Flags. 214 * Otherwise, the receiver MUST silently discard the packet 215 * and take no further action. An endpoint MUST ignore the 216 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 217 * 218 * Inputs 219 * (endpoint, asoc, chunk) 220 * 221 * Outputs 222 * (asoc, reply_msg, msg_up, timers, counters) 223 * 224 * The return value is the disposition of the chunk. 225 */ 226 enum sctp_disposition sctp_sf_do_4_C(struct net *net, 227 const struct sctp_endpoint *ep, 228 const struct sctp_association *asoc, 229 const union sctp_subtype type, 230 void *arg, struct sctp_cmd_seq *commands) 231 { 232 struct sctp_chunk *chunk = arg; 233 struct sctp_ulpevent *ev; 234 235 if (!sctp_vtag_verify_either(chunk, asoc)) 236 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 237 238 /* RFC 2960 6.10 Bundling 239 * 240 * An endpoint MUST NOT bundle INIT, INIT ACK or 241 * SHUTDOWN COMPLETE with any other chunks. 242 */ 243 if (!chunk->singleton) 244 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 245 246 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 247 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 248 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 249 commands); 250 251 /* RFC 2960 10.2 SCTP-to-ULP 252 * 253 * H) SHUTDOWN COMPLETE notification 254 * 255 * When SCTP completes the shutdown procedures (section 9.2) this 256 * notification is passed to the upper layer. 257 */ 258 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 259 0, 0, 0, NULL, GFP_ATOMIC); 260 if (ev) 261 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 262 SCTP_ULPEVENT(ev)); 263 264 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 265 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 266 * not the chunk should be discarded. If the endpoint is in 267 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 268 * T2-shutdown timer and remove all knowledge of the 269 * association (and thus the association enters the CLOSED 270 * state). 271 */ 272 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 273 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 274 275 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 276 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 277 278 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 279 SCTP_STATE(SCTP_STATE_CLOSED)); 280 281 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 282 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 283 284 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 285 286 return SCTP_DISPOSITION_DELETE_TCB; 287 } 288 289 /* 290 * Respond to a normal INIT chunk. 291 * We are the side that is being asked for an association. 292 * 293 * Section: 5.1 Normal Establishment of an Association, B 294 * B) "Z" shall respond immediately with an INIT ACK chunk. The 295 * destination IP address of the INIT ACK MUST be set to the source 296 * IP address of the INIT to which this INIT ACK is responding. In 297 * the response, besides filling in other parameters, "Z" must set the 298 * Verification Tag field to Tag_A, and also provide its own 299 * Verification Tag (Tag_Z) in the Initiate Tag field. 300 * 301 * Verification Tag: Must be 0. 302 * 303 * Inputs 304 * (endpoint, asoc, chunk) 305 * 306 * Outputs 307 * (asoc, reply_msg, msg_up, timers, counters) 308 * 309 * The return value is the disposition of the chunk. 310 */ 311 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, 312 const struct sctp_endpoint *ep, 313 const struct sctp_association *asoc, 314 const union sctp_subtype type, 315 void *arg, 316 struct sctp_cmd_seq *commands) 317 { 318 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 319 struct sctp_unrecognized_param *unk_param; 320 struct sctp_association *new_asoc; 321 struct sctp_packet *packet; 322 int len; 323 324 /* 6.10 Bundling 325 * An endpoint MUST NOT bundle INIT, INIT ACK or 326 * SHUTDOWN COMPLETE with any other chunks. 327 * 328 * IG Section 2.11.2 329 * Furthermore, we require that the receiver of an INIT chunk MUST 330 * enforce these rules by silently discarding an arriving packet 331 * with an INIT chunk that is bundled with other chunks. 332 */ 333 if (!chunk->singleton) 334 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 335 336 /* If the packet is an OOTB packet which is temporarily on the 337 * control endpoint, respond with an ABORT. 338 */ 339 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 340 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 341 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 342 } 343 344 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 345 * Tag. 346 */ 347 if (chunk->sctp_hdr->vtag != 0) 348 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 349 350 /* Make sure that the INIT chunk has a valid length. 351 * Normally, this would cause an ABORT with a Protocol Violation 352 * error, but since we don't have an association, we'll 353 * just discard the packet. 354 */ 355 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 356 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 357 358 /* If the INIT is coming toward a closing socket, we'll send back 359 * and ABORT. Essentially, this catches the race of INIT being 360 * backloged to the socket at the same time as the user isses close(). 361 * Since the socket and all its associations are going away, we 362 * can treat this OOTB 363 */ 364 if (sctp_sstate(ep->base.sk, CLOSING)) 365 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 366 367 /* Verify the INIT chunk before processing it. */ 368 err_chunk = NULL; 369 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 370 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 371 &err_chunk)) { 372 /* This chunk contains fatal error. It is to be discarded. 373 * Send an ABORT, with causes if there is any. 374 */ 375 if (err_chunk) { 376 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 377 (__u8 *)(err_chunk->chunk_hdr) + 378 sizeof(struct sctp_chunkhdr), 379 ntohs(err_chunk->chunk_hdr->length) - 380 sizeof(struct sctp_chunkhdr)); 381 382 sctp_chunk_free(err_chunk); 383 384 if (packet) { 385 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 386 SCTP_PACKET(packet)); 387 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 388 return SCTP_DISPOSITION_CONSUME; 389 } else { 390 return SCTP_DISPOSITION_NOMEM; 391 } 392 } else { 393 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 394 commands); 395 } 396 } 397 398 /* Grab the INIT header. */ 399 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 400 401 /* Tag the variable length parameters. */ 402 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 403 404 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 405 if (!new_asoc) 406 goto nomem; 407 408 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 409 sctp_scope(sctp_source(chunk)), 410 GFP_ATOMIC) < 0) 411 goto nomem_init; 412 413 /* The call, sctp_process_init(), can fail on memory allocation. */ 414 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 415 (struct sctp_init_chunk *)chunk->chunk_hdr, 416 GFP_ATOMIC)) 417 goto nomem_init; 418 419 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 420 421 /* If there are errors need to be reported for unknown parameters, 422 * make sure to reserve enough room in the INIT ACK for them. 423 */ 424 len = 0; 425 if (err_chunk) 426 len = ntohs(err_chunk->chunk_hdr->length) - 427 sizeof(struct sctp_chunkhdr); 428 429 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 430 if (!repl) 431 goto nomem_init; 432 433 /* If there are errors need to be reported for unknown parameters, 434 * include them in the outgoing INIT ACK as "Unrecognized parameter" 435 * parameter. 436 */ 437 if (err_chunk) { 438 /* Get the "Unrecognized parameter" parameter(s) out of the 439 * ERROR chunk generated by sctp_verify_init(). Since the 440 * error cause code for "unknown parameter" and the 441 * "Unrecognized parameter" type is the same, we can 442 * construct the parameters in INIT ACK by copying the 443 * ERROR causes over. 444 */ 445 unk_param = (struct sctp_unrecognized_param *) 446 ((__u8 *)(err_chunk->chunk_hdr) + 447 sizeof(struct sctp_chunkhdr)); 448 /* Replace the cause code with the "Unrecognized parameter" 449 * parameter type. 450 */ 451 sctp_addto_chunk(repl, len, unk_param); 452 sctp_chunk_free(err_chunk); 453 } 454 455 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 456 457 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 458 459 /* 460 * Note: After sending out INIT ACK with the State Cookie parameter, 461 * "Z" MUST NOT allocate any resources, nor keep any states for the 462 * new association. Otherwise, "Z" will be vulnerable to resource 463 * attacks. 464 */ 465 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 466 467 return SCTP_DISPOSITION_DELETE_TCB; 468 469 nomem_init: 470 sctp_association_free(new_asoc); 471 nomem: 472 if (err_chunk) 473 sctp_chunk_free(err_chunk); 474 return SCTP_DISPOSITION_NOMEM; 475 } 476 477 /* 478 * Respond to a normal INIT ACK chunk. 479 * We are the side that is initiating the association. 480 * 481 * Section: 5.1 Normal Establishment of an Association, C 482 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 483 * timer and leave COOKIE-WAIT state. "A" shall then send the State 484 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 485 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 486 * 487 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 488 * DATA chunks, but it MUST be the first chunk in the packet and 489 * until the COOKIE ACK is returned the sender MUST NOT send any 490 * other packets to the peer. 491 * 492 * Verification Tag: 3.3.3 493 * If the value of the Initiate Tag in a received INIT ACK chunk is 494 * found to be 0, the receiver MUST treat it as an error and close the 495 * association by transmitting an ABORT. 496 * 497 * Inputs 498 * (endpoint, asoc, chunk) 499 * 500 * Outputs 501 * (asoc, reply_msg, msg_up, timers, counters) 502 * 503 * The return value is the disposition of the chunk. 504 */ 505 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, 506 const struct sctp_endpoint *ep, 507 const struct sctp_association *asoc, 508 const union sctp_subtype type, 509 void *arg, 510 struct sctp_cmd_seq *commands) 511 { 512 struct sctp_init_chunk *initchunk; 513 struct sctp_chunk *chunk = arg; 514 struct sctp_chunk *err_chunk; 515 struct sctp_packet *packet; 516 517 if (!sctp_vtag_verify(chunk, asoc)) 518 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 519 520 /* 6.10 Bundling 521 * An endpoint MUST NOT bundle INIT, INIT ACK or 522 * SHUTDOWN COMPLETE with any other chunks. 523 */ 524 if (!chunk->singleton) 525 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 526 527 /* Make sure that the INIT-ACK chunk has a valid length */ 528 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) 529 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 530 commands); 531 /* Grab the INIT header. */ 532 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 533 534 /* Verify the INIT chunk before processing it. */ 535 err_chunk = NULL; 536 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 537 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 538 &err_chunk)) { 539 540 enum sctp_error error = SCTP_ERROR_NO_RESOURCE; 541 542 /* This chunk contains fatal error. It is to be discarded. 543 * Send an ABORT, with causes. If there are no causes, 544 * then there wasn't enough memory. Just terminate 545 * the association. 546 */ 547 if (err_chunk) { 548 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 549 (__u8 *)(err_chunk->chunk_hdr) + 550 sizeof(struct sctp_chunkhdr), 551 ntohs(err_chunk->chunk_hdr->length) - 552 sizeof(struct sctp_chunkhdr)); 553 554 sctp_chunk_free(err_chunk); 555 556 if (packet) { 557 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 558 SCTP_PACKET(packet)); 559 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 560 error = SCTP_ERROR_INV_PARAM; 561 } 562 } 563 564 /* SCTP-AUTH, Section 6.3: 565 * It should be noted that if the receiver wants to tear 566 * down an association in an authenticated way only, the 567 * handling of malformed packets should not result in 568 * tearing down the association. 569 * 570 * This means that if we only want to abort associations 571 * in an authenticated way (i.e AUTH+ABORT), then we 572 * can't destroy this association just because the packet 573 * was malformed. 574 */ 575 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 576 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 577 578 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 579 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 580 asoc, chunk->transport); 581 } 582 583 /* Tag the variable length parameters. Note that we never 584 * convert the parameters in an INIT chunk. 585 */ 586 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 587 588 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; 589 590 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 591 SCTP_PEER_INIT(initchunk)); 592 593 /* Reset init error count upon receipt of INIT-ACK. */ 594 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 595 596 /* 5.1 C) "A" shall stop the T1-init timer and leave 597 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 598 * timer, and enter the COOKIE-ECHOED state. 599 */ 600 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 601 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 602 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 603 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 604 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 605 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 606 607 /* SCTP-AUTH: genereate the assocition shared keys so that 608 * we can potentially signe the COOKIE-ECHO. 609 */ 610 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 611 612 /* 5.1 C) "A" shall then send the State Cookie received in the 613 * INIT ACK chunk in a COOKIE ECHO chunk, ... 614 */ 615 /* If there is any errors to report, send the ERROR chunk generated 616 * for unknown parameters as well. 617 */ 618 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 619 SCTP_CHUNK(err_chunk)); 620 621 return SCTP_DISPOSITION_CONSUME; 622 } 623 624 /* 625 * Respond to a normal COOKIE ECHO chunk. 626 * We are the side that is being asked for an association. 627 * 628 * Section: 5.1 Normal Establishment of an Association, D 629 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 630 * with a COOKIE ACK chunk after building a TCB and moving to 631 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 632 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 633 * chunk MUST be the first chunk in the packet. 634 * 635 * IMPLEMENTATION NOTE: An implementation may choose to send the 636 * Communication Up notification to the SCTP user upon reception 637 * of a valid COOKIE ECHO chunk. 638 * 639 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 640 * D) Rules for packet carrying a COOKIE ECHO 641 * 642 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 643 * Initial Tag received in the INIT ACK. 644 * 645 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 646 * 647 * Inputs 648 * (endpoint, asoc, chunk) 649 * 650 * Outputs 651 * (asoc, reply_msg, msg_up, timers, counters) 652 * 653 * The return value is the disposition of the chunk. 654 */ 655 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 656 const struct sctp_endpoint *ep, 657 const struct sctp_association *asoc, 658 const union sctp_subtype type, 659 void *arg, 660 struct sctp_cmd_seq *commands) 661 { 662 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; 663 struct sctp_association *new_asoc; 664 struct sctp_init_chunk *peer_init; 665 struct sctp_chunk *chunk = arg; 666 struct sctp_chunk *err_chk_p; 667 struct sctp_chunk *repl; 668 struct sock *sk; 669 int error = 0; 670 671 /* If the packet is an OOTB packet which is temporarily on the 672 * control endpoint, respond with an ABORT. 673 */ 674 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 675 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 676 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 677 } 678 679 /* Make sure that the COOKIE_ECHO chunk has a valid length. 680 * In this case, we check that we have enough for at least a 681 * chunk header. More detailed verification is done 682 * in sctp_unpack_cookie(). 683 */ 684 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 685 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 686 687 /* If the endpoint is not listening or if the number of associations 688 * on the TCP-style socket exceed the max backlog, respond with an 689 * ABORT. 690 */ 691 sk = ep->base.sk; 692 if (!sctp_sstate(sk, LISTENING) || 693 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 694 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 695 696 /* "Decode" the chunk. We have no optional parameters so we 697 * are in good shape. 698 */ 699 chunk->subh.cookie_hdr = 700 (struct sctp_signed_cookie *)chunk->skb->data; 701 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 702 sizeof(struct sctp_chunkhdr))) 703 goto nomem; 704 705 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 706 * "Z" will reply with a COOKIE ACK chunk after building a TCB 707 * and moving to the ESTABLISHED state. 708 */ 709 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 710 &err_chk_p); 711 712 /* FIXME: 713 * If the re-build failed, what is the proper error path 714 * from here? 715 * 716 * [We should abort the association. --piggy] 717 */ 718 if (!new_asoc) { 719 /* FIXME: Several errors are possible. A bad cookie should 720 * be silently discarded, but think about logging it too. 721 */ 722 switch (error) { 723 case -SCTP_IERROR_NOMEM: 724 goto nomem; 725 726 case -SCTP_IERROR_STALE_COOKIE: 727 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 728 err_chk_p); 729 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 730 731 case -SCTP_IERROR_BAD_SIG: 732 default: 733 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 734 } 735 } 736 737 738 /* Delay state machine commands until later. 739 * 740 * Re-build the bind address for the association is done in 741 * the sctp_unpack_cookie() already. 742 */ 743 /* This is a brand-new association, so these are not yet side 744 * effects--it is safe to run them here. 745 */ 746 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 747 748 if (!sctp_process_init(new_asoc, chunk, 749 &chunk->subh.cookie_hdr->c.peer_addr, 750 peer_init, GFP_ATOMIC)) 751 goto nomem_init; 752 753 /* SCTP-AUTH: Now that we've populate required fields in 754 * sctp_process_init, set up the assocaition shared keys as 755 * necessary so that we can potentially authenticate the ACK 756 */ 757 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 758 if (error) 759 goto nomem_init; 760 761 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 762 * is supposed to be authenticated and we have to do delayed 763 * authentication. We've just recreated the association using 764 * the information in the cookie and now it's much easier to 765 * do the authentication. 766 */ 767 if (chunk->auth_chunk) { 768 struct sctp_chunk auth; 769 enum sctp_ierror ret; 770 771 /* Make sure that we and the peer are AUTH capable */ 772 if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { 773 sctp_association_free(new_asoc); 774 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 775 } 776 777 /* set-up our fake chunk so that we can process it */ 778 auth.skb = chunk->auth_chunk; 779 auth.asoc = chunk->asoc; 780 auth.sctp_hdr = chunk->sctp_hdr; 781 auth.chunk_hdr = (struct sctp_chunkhdr *) 782 skb_push(chunk->auth_chunk, 783 sizeof(struct sctp_chunkhdr)); 784 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); 785 auth.transport = chunk->transport; 786 787 ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth); 788 if (ret != SCTP_IERROR_NO_ERROR) { 789 sctp_association_free(new_asoc); 790 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 791 } 792 } 793 794 repl = sctp_make_cookie_ack(new_asoc, chunk); 795 if (!repl) 796 goto nomem_init; 797 798 /* RFC 2960 5.1 Normal Establishment of an Association 799 * 800 * D) IMPLEMENTATION NOTE: An implementation may choose to 801 * send the Communication Up notification to the SCTP user 802 * upon reception of a valid COOKIE ECHO chunk. 803 */ 804 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 805 new_asoc->c.sinit_num_ostreams, 806 new_asoc->c.sinit_max_instreams, 807 NULL, GFP_ATOMIC); 808 if (!ev) 809 goto nomem_ev; 810 811 /* Sockets API Draft Section 5.3.1.6 812 * When a peer sends a Adaptation Layer Indication parameter , SCTP 813 * delivers this notification to inform the application that of the 814 * peers requested adaptation layer. 815 */ 816 if (new_asoc->peer.adaptation_ind) { 817 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 818 GFP_ATOMIC); 819 if (!ai_ev) 820 goto nomem_aiev; 821 } 822 823 if (!new_asoc->peer.auth_capable) { 824 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, 825 SCTP_AUTH_NO_AUTH, 826 GFP_ATOMIC); 827 if (!auth_ev) 828 goto nomem_authev; 829 } 830 831 /* Add all the state machine commands now since we've created 832 * everything. This way we don't introduce memory corruptions 833 * during side-effect processing and correclty count established 834 * associations. 835 */ 836 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 837 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 838 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 839 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 840 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 841 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 842 843 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 844 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 845 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 846 847 /* This will send the COOKIE ACK */ 848 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 849 850 /* Queue the ASSOC_CHANGE event */ 851 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 852 853 /* Send up the Adaptation Layer Indication event */ 854 if (ai_ev) 855 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 856 SCTP_ULPEVENT(ai_ev)); 857 858 if (auth_ev) 859 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 860 SCTP_ULPEVENT(auth_ev)); 861 862 return SCTP_DISPOSITION_CONSUME; 863 864 nomem_authev: 865 sctp_ulpevent_free(ai_ev); 866 nomem_aiev: 867 sctp_ulpevent_free(ev); 868 nomem_ev: 869 sctp_chunk_free(repl); 870 nomem_init: 871 sctp_association_free(new_asoc); 872 nomem: 873 return SCTP_DISPOSITION_NOMEM; 874 } 875 876 /* 877 * Respond to a normal COOKIE ACK chunk. 878 * We are the side that is asking for an association. 879 * 880 * RFC 2960 5.1 Normal Establishment of an Association 881 * 882 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 883 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 884 * timer. It may also notify its ULP about the successful 885 * establishment of the association with a Communication Up 886 * notification (see Section 10). 887 * 888 * Verification Tag: 889 * Inputs 890 * (endpoint, asoc, chunk) 891 * 892 * Outputs 893 * (asoc, reply_msg, msg_up, timers, counters) 894 * 895 * The return value is the disposition of the chunk. 896 */ 897 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 898 const struct sctp_endpoint *ep, 899 const struct sctp_association *asoc, 900 const union sctp_subtype type, 901 void *arg, 902 struct sctp_cmd_seq *commands) 903 { 904 struct sctp_chunk *chunk = arg; 905 struct sctp_ulpevent *ev; 906 907 if (!sctp_vtag_verify(chunk, asoc)) 908 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 909 910 /* Verify that the chunk length for the COOKIE-ACK is OK. 911 * If we don't do this, any bundled chunks may be junked. 912 */ 913 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 914 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 915 commands); 916 917 /* Reset init error count upon receipt of COOKIE-ACK, 918 * to avoid problems with the managemement of this 919 * counter in stale cookie situations when a transition back 920 * from the COOKIE-ECHOED state to the COOKIE-WAIT 921 * state is performed. 922 */ 923 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 924 925 /* RFC 2960 5.1 Normal Establishment of an Association 926 * 927 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 928 * from the COOKIE-ECHOED state to the ESTABLISHED state, 929 * stopping the T1-cookie timer. 930 */ 931 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 932 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 933 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 934 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 935 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 936 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 937 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 938 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 939 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 940 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 941 942 /* It may also notify its ULP about the successful 943 * establishment of the association with a Communication Up 944 * notification (see Section 10). 945 */ 946 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 947 0, asoc->c.sinit_num_ostreams, 948 asoc->c.sinit_max_instreams, 949 NULL, GFP_ATOMIC); 950 951 if (!ev) 952 goto nomem; 953 954 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 955 956 /* Sockets API Draft Section 5.3.1.6 957 * When a peer sends a Adaptation Layer Indication parameter , SCTP 958 * delivers this notification to inform the application that of the 959 * peers requested adaptation layer. 960 */ 961 if (asoc->peer.adaptation_ind) { 962 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 963 if (!ev) 964 goto nomem; 965 966 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 967 SCTP_ULPEVENT(ev)); 968 } 969 970 if (!asoc->peer.auth_capable) { 971 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, 972 GFP_ATOMIC); 973 if (!ev) 974 goto nomem; 975 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 976 SCTP_ULPEVENT(ev)); 977 } 978 979 return SCTP_DISPOSITION_CONSUME; 980 nomem: 981 return SCTP_DISPOSITION_NOMEM; 982 } 983 984 /* Generate and sendout a heartbeat packet. */ 985 static enum sctp_disposition sctp_sf_heartbeat( 986 const struct sctp_endpoint *ep, 987 const struct sctp_association *asoc, 988 const union sctp_subtype type, 989 void *arg, 990 struct sctp_cmd_seq *commands) 991 { 992 struct sctp_transport *transport = (struct sctp_transport *) arg; 993 struct sctp_chunk *reply; 994 995 /* Send a heartbeat to our peer. */ 996 reply = sctp_make_heartbeat(asoc, transport); 997 if (!reply) 998 return SCTP_DISPOSITION_NOMEM; 999 1000 /* Set rto_pending indicating that an RTT measurement 1001 * is started with this heartbeat chunk. 1002 */ 1003 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 1004 SCTP_TRANSPORT(transport)); 1005 1006 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1007 return SCTP_DISPOSITION_CONSUME; 1008 } 1009 1010 /* Generate a HEARTBEAT packet on the given transport. */ 1011 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, 1012 const struct sctp_endpoint *ep, 1013 const struct sctp_association *asoc, 1014 const union sctp_subtype type, 1015 void *arg, 1016 struct sctp_cmd_seq *commands) 1017 { 1018 struct sctp_transport *transport = (struct sctp_transport *) arg; 1019 1020 if (asoc->overall_error_count >= asoc->max_retrans) { 1021 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1022 SCTP_ERROR(ETIMEDOUT)); 1023 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1024 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1025 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1026 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1027 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1028 return SCTP_DISPOSITION_DELETE_TCB; 1029 } 1030 1031 /* Section 3.3.5. 1032 * The Sender-specific Heartbeat Info field should normally include 1033 * information about the sender's current time when this HEARTBEAT 1034 * chunk is sent and the destination transport address to which this 1035 * HEARTBEAT is sent (see Section 8.3). 1036 */ 1037 1038 if (transport->param_flags & SPP_HB_ENABLE) { 1039 if (SCTP_DISPOSITION_NOMEM == 1040 sctp_sf_heartbeat(ep, asoc, type, arg, 1041 commands)) 1042 return SCTP_DISPOSITION_NOMEM; 1043 1044 /* Set transport error counter and association error counter 1045 * when sending heartbeat. 1046 */ 1047 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1048 SCTP_TRANSPORT(transport)); 1049 } 1050 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1051 SCTP_TRANSPORT(transport)); 1052 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1053 SCTP_TRANSPORT(transport)); 1054 1055 return SCTP_DISPOSITION_CONSUME; 1056 } 1057 1058 /* resend asoc strreset_chunk. */ 1059 enum sctp_disposition sctp_sf_send_reconf(struct net *net, 1060 const struct sctp_endpoint *ep, 1061 const struct sctp_association *asoc, 1062 const union sctp_subtype type, 1063 void *arg, 1064 struct sctp_cmd_seq *commands) 1065 { 1066 struct sctp_transport *transport = arg; 1067 1068 if (asoc->overall_error_count >= asoc->max_retrans) { 1069 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1070 SCTP_ERROR(ETIMEDOUT)); 1071 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1072 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1073 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1074 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1075 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1076 return SCTP_DISPOSITION_DELETE_TCB; 1077 } 1078 1079 sctp_chunk_hold(asoc->strreset_chunk); 1080 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1081 SCTP_CHUNK(asoc->strreset_chunk)); 1082 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 1083 1084 return SCTP_DISPOSITION_CONSUME; 1085 } 1086 1087 /* 1088 * Process an heartbeat request. 1089 * 1090 * Section: 8.3 Path Heartbeat 1091 * The receiver of the HEARTBEAT should immediately respond with a 1092 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1093 * from the received HEARTBEAT chunk. 1094 * 1095 * Verification Tag: 8.5 Verification Tag [Normal verification] 1096 * When receiving an SCTP packet, the endpoint MUST ensure that the 1097 * value in the Verification Tag field of the received SCTP packet 1098 * matches its own Tag. If the received Verification Tag value does not 1099 * match the receiver's own tag value, the receiver shall silently 1100 * discard the packet and shall not process it any further except for 1101 * those cases listed in Section 8.5.1 below. 1102 * 1103 * Inputs 1104 * (endpoint, asoc, chunk) 1105 * 1106 * Outputs 1107 * (asoc, reply_msg, msg_up, timers, counters) 1108 * 1109 * The return value is the disposition of the chunk. 1110 */ 1111 enum sctp_disposition sctp_sf_beat_8_3(struct net *net, 1112 const struct sctp_endpoint *ep, 1113 const struct sctp_association *asoc, 1114 const union sctp_subtype type, 1115 void *arg, struct sctp_cmd_seq *commands) 1116 { 1117 struct sctp_paramhdr *param_hdr; 1118 struct sctp_chunk *chunk = arg; 1119 struct sctp_chunk *reply; 1120 size_t paylen = 0; 1121 1122 if (!sctp_vtag_verify(chunk, asoc)) 1123 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1124 1125 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1126 if (!sctp_chunk_length_valid(chunk, 1127 sizeof(struct sctp_heartbeat_chunk))) 1128 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1129 commands); 1130 1131 /* 8.3 The receiver of the HEARTBEAT should immediately 1132 * respond with a HEARTBEAT ACK that contains the Heartbeat 1133 * Information field copied from the received HEARTBEAT chunk. 1134 */ 1135 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; 1136 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; 1137 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); 1138 1139 if (ntohs(param_hdr->length) > paylen) 1140 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1141 param_hdr, commands); 1142 1143 if (!pskb_pull(chunk->skb, paylen)) 1144 goto nomem; 1145 1146 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1147 if (!reply) 1148 goto nomem; 1149 1150 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1151 return SCTP_DISPOSITION_CONSUME; 1152 1153 nomem: 1154 return SCTP_DISPOSITION_NOMEM; 1155 } 1156 1157 /* 1158 * Process the returning HEARTBEAT ACK. 1159 * 1160 * Section: 8.3 Path Heartbeat 1161 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1162 * should clear the error counter of the destination transport 1163 * address to which the HEARTBEAT was sent, and mark the destination 1164 * transport address as active if it is not so marked. The endpoint may 1165 * optionally report to the upper layer when an inactive destination 1166 * address is marked as active due to the reception of the latest 1167 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1168 * clear the association overall error count as well (as defined 1169 * in section 8.1). 1170 * 1171 * The receiver of the HEARTBEAT ACK should also perform an RTT 1172 * measurement for that destination transport address using the time 1173 * value carried in the HEARTBEAT ACK chunk. 1174 * 1175 * Verification Tag: 8.5 Verification Tag [Normal verification] 1176 * 1177 * Inputs 1178 * (endpoint, asoc, chunk) 1179 * 1180 * Outputs 1181 * (asoc, reply_msg, msg_up, timers, counters) 1182 * 1183 * The return value is the disposition of the chunk. 1184 */ 1185 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, 1186 const struct sctp_endpoint *ep, 1187 const struct sctp_association *asoc, 1188 const union sctp_subtype type, 1189 void *arg, 1190 struct sctp_cmd_seq *commands) 1191 { 1192 struct sctp_sender_hb_info *hbinfo; 1193 struct sctp_chunk *chunk = arg; 1194 struct sctp_transport *link; 1195 unsigned long max_interval; 1196 union sctp_addr from_addr; 1197 1198 if (!sctp_vtag_verify(chunk, asoc)) 1199 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1200 1201 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1202 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + 1203 sizeof(*hbinfo))) 1204 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1205 commands); 1206 1207 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; 1208 /* Make sure that the length of the parameter is what we expect */ 1209 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) 1210 return SCTP_DISPOSITION_DISCARD; 1211 1212 from_addr = hbinfo->daddr; 1213 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1214 1215 /* This should never happen, but lets log it if so. */ 1216 if (unlikely(!link)) { 1217 if (from_addr.sa.sa_family == AF_INET6) { 1218 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1219 __func__, 1220 asoc, 1221 &from_addr.v6.sin6_addr); 1222 } else { 1223 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1224 __func__, 1225 asoc, 1226 &from_addr.v4.sin_addr.s_addr); 1227 } 1228 return SCTP_DISPOSITION_DISCARD; 1229 } 1230 1231 /* Validate the 64-bit random nonce. */ 1232 if (hbinfo->hb_nonce != link->hb_nonce) 1233 return SCTP_DISPOSITION_DISCARD; 1234 1235 max_interval = link->hbinterval + link->rto; 1236 1237 /* Check if the timestamp looks valid. */ 1238 if (time_after(hbinfo->sent_at, jiffies) || 1239 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1240 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1241 "for transport:%p\n", __func__, link); 1242 1243 return SCTP_DISPOSITION_DISCARD; 1244 } 1245 1246 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1247 * the HEARTBEAT should clear the error counter of the 1248 * destination transport address to which the HEARTBEAT was 1249 * sent and mark the destination transport address as active if 1250 * it is not so marked. 1251 */ 1252 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1253 1254 return SCTP_DISPOSITION_CONSUME; 1255 } 1256 1257 /* Helper function to send out an abort for the restart 1258 * condition. 1259 */ 1260 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1261 struct sctp_chunk *init, 1262 struct sctp_cmd_seq *commands) 1263 { 1264 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1265 union sctp_addr_param *addrparm; 1266 struct sctp_errhdr *errhdr; 1267 char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; 1268 struct sctp_endpoint *ep; 1269 struct sctp_packet *pkt; 1270 int len; 1271 1272 /* Build the error on the stack. We are way to malloc crazy 1273 * throughout the code today. 1274 */ 1275 errhdr = (struct sctp_errhdr *)buffer; 1276 addrparm = (union sctp_addr_param *)errhdr->variable; 1277 1278 /* Copy into a parm format. */ 1279 len = af->to_addr_param(ssa, addrparm); 1280 len += sizeof(*errhdr); 1281 1282 errhdr->cause = SCTP_ERROR_RESTART; 1283 errhdr->length = htons(len); 1284 1285 /* Assign to the control socket. */ 1286 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1287 1288 /* Association is NULL since this may be a restart attack and we 1289 * want to send back the attacker's vtag. 1290 */ 1291 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1292 1293 if (!pkt) 1294 goto out; 1295 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1296 1297 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1298 1299 /* Discard the rest of the inbound packet. */ 1300 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1301 1302 out: 1303 /* Even if there is no memory, treat as a failure so 1304 * the packet will get dropped. 1305 */ 1306 return 0; 1307 } 1308 1309 static bool list_has_sctp_addr(const struct list_head *list, 1310 union sctp_addr *ipaddr) 1311 { 1312 struct sctp_transport *addr; 1313 1314 list_for_each_entry(addr, list, transports) { 1315 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1316 return true; 1317 } 1318 1319 return false; 1320 } 1321 /* A restart is occurring, check to make sure no new addresses 1322 * are being added as we may be under a takeover attack. 1323 */ 1324 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1325 const struct sctp_association *asoc, 1326 struct sctp_chunk *init, 1327 struct sctp_cmd_seq *commands) 1328 { 1329 struct net *net = sock_net(new_asoc->base.sk); 1330 struct sctp_transport *new_addr; 1331 int ret = 1; 1332 1333 /* Implementor's Guide - Section 5.2.2 1334 * ... 1335 * Before responding the endpoint MUST check to see if the 1336 * unexpected INIT adds new addresses to the association. If new 1337 * addresses are added to the association, the endpoint MUST respond 1338 * with an ABORT.. 1339 */ 1340 1341 /* Search through all current addresses and make sure 1342 * we aren't adding any new ones. 1343 */ 1344 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1345 transports) { 1346 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1347 &new_addr->ipaddr)) { 1348 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1349 commands); 1350 ret = 0; 1351 break; 1352 } 1353 } 1354 1355 /* Return success if all addresses were found. */ 1356 return ret; 1357 } 1358 1359 /* Populate the verification/tie tags based on overlapping INIT 1360 * scenario. 1361 * 1362 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1363 */ 1364 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1365 const struct sctp_association *asoc) 1366 { 1367 switch (asoc->state) { 1368 1369 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1370 1371 case SCTP_STATE_COOKIE_WAIT: 1372 new_asoc->c.my_vtag = asoc->c.my_vtag; 1373 new_asoc->c.my_ttag = asoc->c.my_vtag; 1374 new_asoc->c.peer_ttag = 0; 1375 break; 1376 1377 case SCTP_STATE_COOKIE_ECHOED: 1378 new_asoc->c.my_vtag = asoc->c.my_vtag; 1379 new_asoc->c.my_ttag = asoc->c.my_vtag; 1380 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1381 break; 1382 1383 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1384 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1385 */ 1386 default: 1387 new_asoc->c.my_ttag = asoc->c.my_vtag; 1388 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1389 break; 1390 } 1391 1392 /* Other parameters for the endpoint SHOULD be copied from the 1393 * existing parameters of the association (e.g. number of 1394 * outbound streams) into the INIT ACK and cookie. 1395 */ 1396 new_asoc->rwnd = asoc->rwnd; 1397 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1398 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1399 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1400 } 1401 1402 /* 1403 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1404 * handling action. 1405 * 1406 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1407 * 1408 * Returns value representing action to be taken. These action values 1409 * correspond to Action/Description values in RFC 2960, Table 2. 1410 */ 1411 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1412 const struct sctp_association *asoc) 1413 { 1414 /* In this case, the peer may have restarted. */ 1415 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1416 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1417 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1418 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1419 return 'A'; 1420 1421 /* Collision case B. */ 1422 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1423 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1424 (0 == asoc->c.peer_vtag))) { 1425 return 'B'; 1426 } 1427 1428 /* Collision case D. */ 1429 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1430 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1431 return 'D'; 1432 1433 /* Collision case C. */ 1434 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1435 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1436 (0 == new_asoc->c.my_ttag) && 1437 (0 == new_asoc->c.peer_ttag)) 1438 return 'C'; 1439 1440 /* No match to any of the special cases; discard this packet. */ 1441 return 'E'; 1442 } 1443 1444 /* Common helper routine for both duplicate and simulataneous INIT 1445 * chunk handling. 1446 */ 1447 static enum sctp_disposition sctp_sf_do_unexpected_init( 1448 struct net *net, 1449 const struct sctp_endpoint *ep, 1450 const struct sctp_association *asoc, 1451 const union sctp_subtype type, 1452 void *arg, 1453 struct sctp_cmd_seq *commands) 1454 { 1455 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 1456 struct sctp_unrecognized_param *unk_param; 1457 struct sctp_association *new_asoc; 1458 enum sctp_disposition retval; 1459 struct sctp_packet *packet; 1460 int len; 1461 1462 /* 6.10 Bundling 1463 * An endpoint MUST NOT bundle INIT, INIT ACK or 1464 * SHUTDOWN COMPLETE with any other chunks. 1465 * 1466 * IG Section 2.11.2 1467 * Furthermore, we require that the receiver of an INIT chunk MUST 1468 * enforce these rules by silently discarding an arriving packet 1469 * with an INIT chunk that is bundled with other chunks. 1470 */ 1471 if (!chunk->singleton) 1472 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1473 1474 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1475 * Tag. 1476 */ 1477 if (chunk->sctp_hdr->vtag != 0) 1478 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1479 1480 /* Make sure that the INIT chunk has a valid length. 1481 * In this case, we generate a protocol violation since we have 1482 * an association established. 1483 */ 1484 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 1485 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1486 commands); 1487 /* Grab the INIT header. */ 1488 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 1489 1490 /* Tag the variable length parameters. */ 1491 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 1492 1493 /* Verify the INIT chunk before processing it. */ 1494 err_chunk = NULL; 1495 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1496 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 1497 &err_chunk)) { 1498 /* This chunk contains fatal error. It is to be discarded. 1499 * Send an ABORT, with causes if there is any. 1500 */ 1501 if (err_chunk) { 1502 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1503 (__u8 *)(err_chunk->chunk_hdr) + 1504 sizeof(struct sctp_chunkhdr), 1505 ntohs(err_chunk->chunk_hdr->length) - 1506 sizeof(struct sctp_chunkhdr)); 1507 1508 if (packet) { 1509 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1510 SCTP_PACKET(packet)); 1511 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1512 retval = SCTP_DISPOSITION_CONSUME; 1513 } else { 1514 retval = SCTP_DISPOSITION_NOMEM; 1515 } 1516 goto cleanup; 1517 } else { 1518 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1519 commands); 1520 } 1521 } 1522 1523 /* 1524 * Other parameters for the endpoint SHOULD be copied from the 1525 * existing parameters of the association (e.g. number of 1526 * outbound streams) into the INIT ACK and cookie. 1527 * FIXME: We are copying parameters from the endpoint not the 1528 * association. 1529 */ 1530 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1531 if (!new_asoc) 1532 goto nomem; 1533 1534 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1535 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1536 goto nomem; 1537 1538 /* In the outbound INIT ACK the endpoint MUST copy its current 1539 * Verification Tag and Peers Verification tag into a reserved 1540 * place (local tie-tag and per tie-tag) within the state cookie. 1541 */ 1542 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1543 (struct sctp_init_chunk *)chunk->chunk_hdr, 1544 GFP_ATOMIC)) 1545 goto nomem; 1546 1547 /* Make sure no new addresses are being added during the 1548 * restart. Do not do this check for COOKIE-WAIT state, 1549 * since there are no peer addresses to check against. 1550 * Upon return an ABORT will have been sent if needed. 1551 */ 1552 if (!sctp_state(asoc, COOKIE_WAIT)) { 1553 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1554 commands)) { 1555 retval = SCTP_DISPOSITION_CONSUME; 1556 goto nomem_retval; 1557 } 1558 } 1559 1560 sctp_tietags_populate(new_asoc, asoc); 1561 1562 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1563 1564 /* If there are errors need to be reported for unknown parameters, 1565 * make sure to reserve enough room in the INIT ACK for them. 1566 */ 1567 len = 0; 1568 if (err_chunk) { 1569 len = ntohs(err_chunk->chunk_hdr->length) - 1570 sizeof(struct sctp_chunkhdr); 1571 } 1572 1573 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1574 if (!repl) 1575 goto nomem; 1576 1577 /* If there are errors need to be reported for unknown parameters, 1578 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1579 * parameter. 1580 */ 1581 if (err_chunk) { 1582 /* Get the "Unrecognized parameter" parameter(s) out of the 1583 * ERROR chunk generated by sctp_verify_init(). Since the 1584 * error cause code for "unknown parameter" and the 1585 * "Unrecognized parameter" type is the same, we can 1586 * construct the parameters in INIT ACK by copying the 1587 * ERROR causes over. 1588 */ 1589 unk_param = (struct sctp_unrecognized_param *) 1590 ((__u8 *)(err_chunk->chunk_hdr) + 1591 sizeof(struct sctp_chunkhdr)); 1592 /* Replace the cause code with the "Unrecognized parameter" 1593 * parameter type. 1594 */ 1595 sctp_addto_chunk(repl, len, unk_param); 1596 } 1597 1598 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1599 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1600 1601 /* 1602 * Note: After sending out INIT ACK with the State Cookie parameter, 1603 * "Z" MUST NOT allocate any resources for this new association. 1604 * Otherwise, "Z" will be vulnerable to resource attacks. 1605 */ 1606 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1607 retval = SCTP_DISPOSITION_CONSUME; 1608 1609 return retval; 1610 1611 nomem: 1612 retval = SCTP_DISPOSITION_NOMEM; 1613 nomem_retval: 1614 if (new_asoc) 1615 sctp_association_free(new_asoc); 1616 cleanup: 1617 if (err_chunk) 1618 sctp_chunk_free(err_chunk); 1619 return retval; 1620 } 1621 1622 /* 1623 * Handle simultaneous INIT. 1624 * This means we started an INIT and then we got an INIT request from 1625 * our peer. 1626 * 1627 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1628 * This usually indicates an initialization collision, i.e., each 1629 * endpoint is attempting, at about the same time, to establish an 1630 * association with the other endpoint. 1631 * 1632 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1633 * endpoint MUST respond with an INIT ACK using the same parameters it 1634 * sent in its original INIT chunk (including its Verification Tag, 1635 * unchanged). These original parameters are combined with those from the 1636 * newly received INIT chunk. The endpoint shall also generate a State 1637 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1638 * INIT to calculate the State Cookie. 1639 * 1640 * After that, the endpoint MUST NOT change its state, the T1-init 1641 * timer shall be left running and the corresponding TCB MUST NOT be 1642 * destroyed. The normal procedures for handling State Cookies when 1643 * a TCB exists will resolve the duplicate INITs to a single association. 1644 * 1645 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1646 * its Tie-Tags with the Tag information of itself and its peer (see 1647 * section 5.2.2 for a description of the Tie-Tags). 1648 * 1649 * Verification Tag: Not explicit, but an INIT can not have a valid 1650 * verification tag, so we skip the check. 1651 * 1652 * Inputs 1653 * (endpoint, asoc, chunk) 1654 * 1655 * Outputs 1656 * (asoc, reply_msg, msg_up, timers, counters) 1657 * 1658 * The return value is the disposition of the chunk. 1659 */ 1660 enum sctp_disposition sctp_sf_do_5_2_1_siminit( 1661 struct net *net, 1662 const struct sctp_endpoint *ep, 1663 const struct sctp_association *asoc, 1664 const union sctp_subtype type, 1665 void *arg, 1666 struct sctp_cmd_seq *commands) 1667 { 1668 /* Call helper to do the real work for both simulataneous and 1669 * duplicate INIT chunk handling. 1670 */ 1671 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1672 } 1673 1674 /* 1675 * Handle duplicated INIT messages. These are usually delayed 1676 * restransmissions. 1677 * 1678 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1679 * COOKIE-ECHOED and COOKIE-WAIT 1680 * 1681 * Unless otherwise stated, upon reception of an unexpected INIT for 1682 * this association, the endpoint shall generate an INIT ACK with a 1683 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1684 * current Verification Tag and peer's Verification Tag into a reserved 1685 * place within the state cookie. We shall refer to these locations as 1686 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1687 * containing this INIT ACK MUST carry a Verification Tag value equal to 1688 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1689 * MUST contain a new Initiation Tag (randomly generated see Section 1690 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1691 * existing parameters of the association (e.g. number of outbound 1692 * streams) into the INIT ACK and cookie. 1693 * 1694 * After sending out the INIT ACK, the endpoint shall take no further 1695 * actions, i.e., the existing association, including its current state, 1696 * and the corresponding TCB MUST NOT be changed. 1697 * 1698 * Note: Only when a TCB exists and the association is not in a COOKIE- 1699 * WAIT state are the Tie-Tags populated. For a normal association INIT 1700 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1701 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1702 * State Cookie are populated as specified in section 5.2.1. 1703 * 1704 * Verification Tag: Not specified, but an INIT has no way of knowing 1705 * what the verification tag could be, so we ignore it. 1706 * 1707 * Inputs 1708 * (endpoint, asoc, chunk) 1709 * 1710 * Outputs 1711 * (asoc, reply_msg, msg_up, timers, counters) 1712 * 1713 * The return value is the disposition of the chunk. 1714 */ 1715 enum sctp_disposition sctp_sf_do_5_2_2_dupinit( 1716 struct net *net, 1717 const struct sctp_endpoint *ep, 1718 const struct sctp_association *asoc, 1719 const union sctp_subtype type, 1720 void *arg, 1721 struct sctp_cmd_seq *commands) 1722 { 1723 /* Call helper to do the real work for both simulataneous and 1724 * duplicate INIT chunk handling. 1725 */ 1726 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1727 } 1728 1729 1730 /* 1731 * Unexpected INIT-ACK handler. 1732 * 1733 * Section 5.2.3 1734 * If an INIT ACK received by an endpoint in any state other than the 1735 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1736 * An unexpected INIT ACK usually indicates the processing of an old or 1737 * duplicated INIT chunk. 1738 */ 1739 enum sctp_disposition sctp_sf_do_5_2_3_initack( 1740 struct net *net, 1741 const struct sctp_endpoint *ep, 1742 const struct sctp_association *asoc, 1743 const union sctp_subtype type, 1744 void *arg, 1745 struct sctp_cmd_seq *commands) 1746 { 1747 /* Per the above section, we'll discard the chunk if we have an 1748 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1749 */ 1750 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1751 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1752 else 1753 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1754 } 1755 1756 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1757 * 1758 * Section 5.2.4 1759 * A) In this case, the peer may have restarted. 1760 */ 1761 static enum sctp_disposition sctp_sf_do_dupcook_a( 1762 struct net *net, 1763 const struct sctp_endpoint *ep, 1764 const struct sctp_association *asoc, 1765 struct sctp_chunk *chunk, 1766 struct sctp_cmd_seq *commands, 1767 struct sctp_association *new_asoc) 1768 { 1769 struct sctp_init_chunk *peer_init; 1770 enum sctp_disposition disposition; 1771 struct sctp_ulpevent *ev; 1772 struct sctp_chunk *repl; 1773 struct sctp_chunk *err; 1774 1775 /* new_asoc is a brand-new association, so these are not yet 1776 * side effects--it is safe to run them here. 1777 */ 1778 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1779 1780 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1781 GFP_ATOMIC)) 1782 goto nomem; 1783 1784 /* Make sure no new addresses are being added during the 1785 * restart. Though this is a pretty complicated attack 1786 * since you'd have to get inside the cookie. 1787 */ 1788 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1789 return SCTP_DISPOSITION_CONSUME; 1790 } 1791 1792 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1793 * the peer has restarted (Action A), it MUST NOT setup a new 1794 * association but instead resend the SHUTDOWN ACK and send an ERROR 1795 * chunk with a "Cookie Received while Shutting Down" error cause to 1796 * its peer. 1797 */ 1798 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1799 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, 1800 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1801 chunk, commands); 1802 if (SCTP_DISPOSITION_NOMEM == disposition) 1803 goto nomem; 1804 1805 err = sctp_make_op_error(asoc, chunk, 1806 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1807 NULL, 0, 0); 1808 if (err) 1809 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1810 SCTP_CHUNK(err)); 1811 1812 return SCTP_DISPOSITION_CONSUME; 1813 } 1814 1815 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1816 * data. Consider the optional choice of resending of this data. 1817 */ 1818 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1819 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1820 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1821 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1822 1823 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1824 * and ASCONF-ACK cache. 1825 */ 1826 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1827 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1828 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1829 1830 repl = sctp_make_cookie_ack(new_asoc, chunk); 1831 if (!repl) 1832 goto nomem; 1833 1834 /* Report association restart to upper layer. */ 1835 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1836 new_asoc->c.sinit_num_ostreams, 1837 new_asoc->c.sinit_max_instreams, 1838 NULL, GFP_ATOMIC); 1839 if (!ev) 1840 goto nomem_ev; 1841 1842 /* Update the content of current association. */ 1843 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1844 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1845 if (sctp_state(asoc, SHUTDOWN_PENDING) && 1846 (sctp_sstate(asoc->base.sk, CLOSING) || 1847 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1848 /* if were currently in SHUTDOWN_PENDING, but the socket 1849 * has been closed by user, don't transition to ESTABLISHED. 1850 * Instead trigger SHUTDOWN bundled with COOKIE_ACK. 1851 */ 1852 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1853 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1854 SCTP_ST_CHUNK(0), NULL, 1855 commands); 1856 } else { 1857 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1858 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1859 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1860 } 1861 return SCTP_DISPOSITION_CONSUME; 1862 1863 nomem_ev: 1864 sctp_chunk_free(repl); 1865 nomem: 1866 return SCTP_DISPOSITION_NOMEM; 1867 } 1868 1869 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1870 * 1871 * Section 5.2.4 1872 * B) In this case, both sides may be attempting to start an association 1873 * at about the same time but the peer endpoint started its INIT 1874 * after responding to the local endpoint's INIT 1875 */ 1876 /* This case represents an initialization collision. */ 1877 static enum sctp_disposition sctp_sf_do_dupcook_b( 1878 struct net *net, 1879 const struct sctp_endpoint *ep, 1880 const struct sctp_association *asoc, 1881 struct sctp_chunk *chunk, 1882 struct sctp_cmd_seq *commands, 1883 struct sctp_association *new_asoc) 1884 { 1885 struct sctp_init_chunk *peer_init; 1886 struct sctp_chunk *repl; 1887 1888 /* new_asoc is a brand-new association, so these are not yet 1889 * side effects--it is safe to run them here. 1890 */ 1891 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1892 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1893 GFP_ATOMIC)) 1894 goto nomem; 1895 1896 /* Update the content of current association. */ 1897 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1898 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1899 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1900 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1901 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1902 1903 repl = sctp_make_cookie_ack(new_asoc, chunk); 1904 if (!repl) 1905 goto nomem; 1906 1907 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1908 1909 /* RFC 2960 5.1 Normal Establishment of an Association 1910 * 1911 * D) IMPLEMENTATION NOTE: An implementation may choose to 1912 * send the Communication Up notification to the SCTP user 1913 * upon reception of a valid COOKIE ECHO chunk. 1914 * 1915 * Sadly, this needs to be implemented as a side-effect, because 1916 * we are not guaranteed to have set the association id of the real 1917 * association and so these notifications need to be delayed until 1918 * the association id is allocated. 1919 */ 1920 1921 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1922 1923 /* Sockets API Draft Section 5.3.1.6 1924 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1925 * delivers this notification to inform the application that of the 1926 * peers requested adaptation layer. 1927 * 1928 * This also needs to be done as a side effect for the same reason as 1929 * above. 1930 */ 1931 if (asoc->peer.adaptation_ind) 1932 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1933 1934 if (!asoc->peer.auth_capable) 1935 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); 1936 1937 return SCTP_DISPOSITION_CONSUME; 1938 1939 nomem: 1940 return SCTP_DISPOSITION_NOMEM; 1941 } 1942 1943 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1944 * 1945 * Section 5.2.4 1946 * C) In this case, the local endpoint's cookie has arrived late. 1947 * Before it arrived, the local endpoint sent an INIT and received an 1948 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1949 * but a new tag of its own. 1950 */ 1951 /* This case represents an initialization collision. */ 1952 static enum sctp_disposition sctp_sf_do_dupcook_c( 1953 struct net *net, 1954 const struct sctp_endpoint *ep, 1955 const struct sctp_association *asoc, 1956 struct sctp_chunk *chunk, 1957 struct sctp_cmd_seq *commands, 1958 struct sctp_association *new_asoc) 1959 { 1960 /* The cookie should be silently discarded. 1961 * The endpoint SHOULD NOT change states and should leave 1962 * any timers running. 1963 */ 1964 return SCTP_DISPOSITION_DISCARD; 1965 } 1966 1967 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1968 * 1969 * Section 5.2.4 1970 * 1971 * D) When both local and remote tags match the endpoint should always 1972 * enter the ESTABLISHED state, if it has not already done so. 1973 */ 1974 /* This case represents an initialization collision. */ 1975 static enum sctp_disposition sctp_sf_do_dupcook_d( 1976 struct net *net, 1977 const struct sctp_endpoint *ep, 1978 const struct sctp_association *asoc, 1979 struct sctp_chunk *chunk, 1980 struct sctp_cmd_seq *commands, 1981 struct sctp_association *new_asoc) 1982 { 1983 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; 1984 struct sctp_chunk *repl; 1985 1986 /* Clarification from Implementor's Guide: 1987 * D) When both local and remote tags match the endpoint should 1988 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1989 * It should stop any cookie timer that may be running and send 1990 * a COOKIE ACK. 1991 */ 1992 1993 /* Don't accidentally move back into established state. */ 1994 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1995 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1996 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1997 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1998 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1999 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2000 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 2001 SCTP_NULL()); 2002 2003 /* RFC 2960 5.1 Normal Establishment of an Association 2004 * 2005 * D) IMPLEMENTATION NOTE: An implementation may choose 2006 * to send the Communication Up notification to the 2007 * SCTP user upon reception of a valid COOKIE 2008 * ECHO chunk. 2009 */ 2010 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 2011 SCTP_COMM_UP, 0, 2012 asoc->c.sinit_num_ostreams, 2013 asoc->c.sinit_max_instreams, 2014 NULL, GFP_ATOMIC); 2015 if (!ev) 2016 goto nomem; 2017 2018 /* Sockets API Draft Section 5.3.1.6 2019 * When a peer sends a Adaptation Layer Indication parameter, 2020 * SCTP delivers this notification to inform the application 2021 * that of the peers requested adaptation layer. 2022 */ 2023 if (asoc->peer.adaptation_ind) { 2024 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 2025 GFP_ATOMIC); 2026 if (!ai_ev) 2027 goto nomem; 2028 2029 } 2030 2031 if (!asoc->peer.auth_capable) { 2032 auth_ev = sctp_ulpevent_make_authkey(asoc, 0, 2033 SCTP_AUTH_NO_AUTH, 2034 GFP_ATOMIC); 2035 if (!auth_ev) 2036 goto nomem; 2037 } 2038 } 2039 2040 repl = sctp_make_cookie_ack(new_asoc, chunk); 2041 if (!repl) 2042 goto nomem; 2043 2044 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2045 2046 if (ev) 2047 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2048 SCTP_ULPEVENT(ev)); 2049 if (ai_ev) 2050 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2051 SCTP_ULPEVENT(ai_ev)); 2052 if (auth_ev) 2053 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2054 SCTP_ULPEVENT(auth_ev)); 2055 2056 return SCTP_DISPOSITION_CONSUME; 2057 2058 nomem: 2059 if (auth_ev) 2060 sctp_ulpevent_free(auth_ev); 2061 if (ai_ev) 2062 sctp_ulpevent_free(ai_ev); 2063 if (ev) 2064 sctp_ulpevent_free(ev); 2065 return SCTP_DISPOSITION_NOMEM; 2066 } 2067 2068 /* 2069 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 2070 * chunk was retransmitted and then delayed in the network. 2071 * 2072 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 2073 * 2074 * Verification Tag: None. Do cookie validation. 2075 * 2076 * Inputs 2077 * (endpoint, asoc, chunk) 2078 * 2079 * Outputs 2080 * (asoc, reply_msg, msg_up, timers, counters) 2081 * 2082 * The return value is the disposition of the chunk. 2083 */ 2084 enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 2085 struct net *net, 2086 const struct sctp_endpoint *ep, 2087 const struct sctp_association *asoc, 2088 const union sctp_subtype type, 2089 void *arg, 2090 struct sctp_cmd_seq *commands) 2091 { 2092 struct sctp_association *new_asoc; 2093 struct sctp_chunk *chunk = arg; 2094 enum sctp_disposition retval; 2095 struct sctp_chunk *err_chk_p; 2096 int error = 0; 2097 char action; 2098 2099 /* Make sure that the chunk has a valid length from the protocol 2100 * perspective. In this case check to make sure we have at least 2101 * enough for the chunk header. Cookie length verification is 2102 * done later. 2103 */ 2104 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2105 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2106 commands); 2107 2108 /* "Decode" the chunk. We have no optional parameters so we 2109 * are in good shape. 2110 */ 2111 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2112 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2113 sizeof(struct sctp_chunkhdr))) 2114 goto nomem; 2115 2116 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2117 * of a duplicate COOKIE ECHO match the Verification Tags of the 2118 * current association, consider the State Cookie valid even if 2119 * the lifespan is exceeded. 2120 */ 2121 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2122 &err_chk_p); 2123 2124 /* FIXME: 2125 * If the re-build failed, what is the proper error path 2126 * from here? 2127 * 2128 * [We should abort the association. --piggy] 2129 */ 2130 if (!new_asoc) { 2131 /* FIXME: Several errors are possible. A bad cookie should 2132 * be silently discarded, but think about logging it too. 2133 */ 2134 switch (error) { 2135 case -SCTP_IERROR_NOMEM: 2136 goto nomem; 2137 2138 case -SCTP_IERROR_STALE_COOKIE: 2139 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2140 err_chk_p); 2141 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2142 case -SCTP_IERROR_BAD_SIG: 2143 default: 2144 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2145 } 2146 } 2147 2148 /* Set temp so that it won't be added into hashtable */ 2149 new_asoc->temp = 1; 2150 2151 /* Compare the tie_tag in cookie with the verification tag of 2152 * current association. 2153 */ 2154 action = sctp_tietags_compare(new_asoc, asoc); 2155 2156 switch (action) { 2157 case 'A': /* Association restart. */ 2158 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2159 new_asoc); 2160 break; 2161 2162 case 'B': /* Collision case B. */ 2163 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2164 new_asoc); 2165 break; 2166 2167 case 'C': /* Collision case C. */ 2168 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2169 new_asoc); 2170 break; 2171 2172 case 'D': /* Collision case D. */ 2173 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2174 new_asoc); 2175 break; 2176 2177 default: /* Discard packet for all others. */ 2178 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2179 break; 2180 } 2181 2182 /* Delete the tempory new association. */ 2183 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2184 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2185 2186 /* Restore association pointer to provide SCTP command interpeter 2187 * with a valid context in case it needs to manipulate 2188 * the queues */ 2189 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2190 SCTP_ASOC((struct sctp_association *)asoc)); 2191 2192 return retval; 2193 2194 nomem: 2195 return SCTP_DISPOSITION_NOMEM; 2196 } 2197 2198 /* 2199 * Process an ABORT. (SHUTDOWN-PENDING state) 2200 * 2201 * See sctp_sf_do_9_1_abort(). 2202 */ 2203 enum sctp_disposition sctp_sf_shutdown_pending_abort( 2204 struct net *net, 2205 const struct sctp_endpoint *ep, 2206 const struct sctp_association *asoc, 2207 const union sctp_subtype type, 2208 void *arg, 2209 struct sctp_cmd_seq *commands) 2210 { 2211 struct sctp_chunk *chunk = arg; 2212 2213 if (!sctp_vtag_verify_either(chunk, asoc)) 2214 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2215 2216 /* Make sure that the ABORT chunk has a valid length. 2217 * Since this is an ABORT chunk, we have to discard it 2218 * because of the following text: 2219 * RFC 2960, Section 3.3.7 2220 * If an endpoint receives an ABORT with a format error or for an 2221 * association that doesn't exist, it MUST silently discard it. 2222 * Because the length is "invalid", we can't really discard just 2223 * as we do not know its true length. So, to be safe, discard the 2224 * packet. 2225 */ 2226 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2227 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2228 2229 /* ADD-IP: Special case for ABORT chunks 2230 * F4) One special consideration is that ABORT Chunks arriving 2231 * destined to the IP address being deleted MUST be 2232 * ignored (see Section 5.3.1 for further details). 2233 */ 2234 if (SCTP_ADDR_DEL == 2235 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2236 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2237 2238 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2239 } 2240 2241 /* 2242 * Process an ABORT. (SHUTDOWN-SENT state) 2243 * 2244 * See sctp_sf_do_9_1_abort(). 2245 */ 2246 enum sctp_disposition sctp_sf_shutdown_sent_abort( 2247 struct net *net, 2248 const struct sctp_endpoint *ep, 2249 const struct sctp_association *asoc, 2250 const union sctp_subtype type, 2251 void *arg, 2252 struct sctp_cmd_seq *commands) 2253 { 2254 struct sctp_chunk *chunk = arg; 2255 2256 if (!sctp_vtag_verify_either(chunk, asoc)) 2257 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2258 2259 /* Make sure that the ABORT chunk has a valid length. 2260 * Since this is an ABORT chunk, we have to discard it 2261 * because of the following text: 2262 * RFC 2960, Section 3.3.7 2263 * If an endpoint receives an ABORT with a format error or for an 2264 * association that doesn't exist, it MUST silently discard it. 2265 * Because the length is "invalid", we can't really discard just 2266 * as we do not know its true length. So, to be safe, discard the 2267 * packet. 2268 */ 2269 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2270 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2271 2272 /* ADD-IP: Special case for ABORT chunks 2273 * F4) One special consideration is that ABORT Chunks arriving 2274 * destined to the IP address being deleted MUST be 2275 * ignored (see Section 5.3.1 for further details). 2276 */ 2277 if (SCTP_ADDR_DEL == 2278 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2279 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2280 2281 /* Stop the T2-shutdown timer. */ 2282 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2283 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2284 2285 /* Stop the T5-shutdown guard timer. */ 2286 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2287 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2288 2289 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2290 } 2291 2292 /* 2293 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2294 * 2295 * See sctp_sf_do_9_1_abort(). 2296 */ 2297 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( 2298 struct net *net, 2299 const struct sctp_endpoint *ep, 2300 const struct sctp_association *asoc, 2301 const union sctp_subtype type, 2302 void *arg, 2303 struct sctp_cmd_seq *commands) 2304 { 2305 /* The same T2 timer, so we should be able to use 2306 * common function with the SHUTDOWN-SENT state. 2307 */ 2308 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2309 } 2310 2311 /* 2312 * Handle an Error received in COOKIE_ECHOED state. 2313 * 2314 * Only handle the error type of stale COOKIE Error, the other errors will 2315 * be ignored. 2316 * 2317 * Inputs 2318 * (endpoint, asoc, chunk) 2319 * 2320 * Outputs 2321 * (asoc, reply_msg, msg_up, timers, counters) 2322 * 2323 * The return value is the disposition of the chunk. 2324 */ 2325 enum sctp_disposition sctp_sf_cookie_echoed_err( 2326 struct net *net, 2327 const struct sctp_endpoint *ep, 2328 const struct sctp_association *asoc, 2329 const union sctp_subtype type, 2330 void *arg, 2331 struct sctp_cmd_seq *commands) 2332 { 2333 struct sctp_chunk *chunk = arg; 2334 struct sctp_errhdr *err; 2335 2336 if (!sctp_vtag_verify(chunk, asoc)) 2337 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2338 2339 /* Make sure that the ERROR chunk has a valid length. 2340 * The parameter walking depends on this as well. 2341 */ 2342 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 2343 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2344 commands); 2345 2346 /* Process the error here */ 2347 /* FUTURE FIXME: When PR-SCTP related and other optional 2348 * parms are emitted, this will have to change to handle multiple 2349 * errors. 2350 */ 2351 sctp_walk_errors(err, chunk->chunk_hdr) { 2352 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2353 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2354 arg, commands); 2355 } 2356 2357 /* It is possible to have malformed error causes, and that 2358 * will cause us to end the walk early. However, since 2359 * we are discarding the packet, there should be no adverse 2360 * affects. 2361 */ 2362 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2363 } 2364 2365 /* 2366 * Handle a Stale COOKIE Error 2367 * 2368 * Section: 5.2.6 Handle Stale COOKIE Error 2369 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2370 * one of the following three alternatives. 2371 * ... 2372 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2373 * Preservative parameter requesting an extension to the lifetime of 2374 * the State Cookie. When calculating the time extension, an 2375 * implementation SHOULD use the RTT information measured based on the 2376 * previous COOKIE ECHO / ERROR exchange, and should add no more 2377 * than 1 second beyond the measured RTT, due to long State Cookie 2378 * lifetimes making the endpoint more subject to a replay attack. 2379 * 2380 * Verification Tag: Not explicit, but safe to ignore. 2381 * 2382 * Inputs 2383 * (endpoint, asoc, chunk) 2384 * 2385 * Outputs 2386 * (asoc, reply_msg, msg_up, timers, counters) 2387 * 2388 * The return value is the disposition of the chunk. 2389 */ 2390 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 2391 struct net *net, 2392 const struct sctp_endpoint *ep, 2393 const struct sctp_association *asoc, 2394 const union sctp_subtype type, 2395 void *arg, 2396 struct sctp_cmd_seq *commands) 2397 { 2398 int attempts = asoc->init_err_counter + 1; 2399 struct sctp_chunk *chunk = arg, *reply; 2400 struct sctp_cookie_preserve_param bht; 2401 struct sctp_bind_addr *bp; 2402 struct sctp_errhdr *err; 2403 u32 stale; 2404 2405 if (attempts > asoc->max_init_attempts) { 2406 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2407 SCTP_ERROR(ETIMEDOUT)); 2408 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2409 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2410 return SCTP_DISPOSITION_DELETE_TCB; 2411 } 2412 2413 err = (struct sctp_errhdr *)(chunk->skb->data); 2414 2415 /* When calculating the time extension, an implementation 2416 * SHOULD use the RTT information measured based on the 2417 * previous COOKIE ECHO / ERROR exchange, and should add no 2418 * more than 1 second beyond the measured RTT, due to long 2419 * State Cookie lifetimes making the endpoint more subject to 2420 * a replay attack. 2421 * Measure of Staleness's unit is usec. (1/1000000 sec) 2422 * Suggested Cookie Life-span Increment's unit is msec. 2423 * (1/1000 sec) 2424 * In general, if you use the suggested cookie life, the value 2425 * found in the field of measure of staleness should be doubled 2426 * to give ample time to retransmit the new cookie and thus 2427 * yield a higher probability of success on the reattempt. 2428 */ 2429 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); 2430 stale = (stale * 2) / 1000; 2431 2432 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2433 bht.param_hdr.length = htons(sizeof(bht)); 2434 bht.lifespan_increment = htonl(stale); 2435 2436 /* Build that new INIT chunk. */ 2437 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2438 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2439 if (!reply) 2440 goto nomem; 2441 2442 sctp_addto_chunk(reply, sizeof(bht), &bht); 2443 2444 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2445 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2446 2447 /* Stop pending T3-rtx and heartbeat timers */ 2448 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2449 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2450 2451 /* Delete non-primary peer ip addresses since we are transitioning 2452 * back to the COOKIE-WAIT state 2453 */ 2454 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2455 2456 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2457 * resend 2458 */ 2459 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2460 SCTP_TRANSPORT(asoc->peer.primary_path)); 2461 2462 /* Cast away the const modifier, as we want to just 2463 * rerun it through as a sideffect. 2464 */ 2465 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2466 2467 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2468 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2469 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2470 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2471 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2472 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2473 2474 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2475 2476 return SCTP_DISPOSITION_CONSUME; 2477 2478 nomem: 2479 return SCTP_DISPOSITION_NOMEM; 2480 } 2481 2482 /* 2483 * Process an ABORT. 2484 * 2485 * Section: 9.1 2486 * After checking the Verification Tag, the receiving endpoint shall 2487 * remove the association from its record, and shall report the 2488 * termination to its upper layer. 2489 * 2490 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2491 * B) Rules for packet carrying ABORT: 2492 * 2493 * - The endpoint shall always fill in the Verification Tag field of the 2494 * outbound packet with the destination endpoint's tag value if it 2495 * is known. 2496 * 2497 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2498 * MUST follow the procedure described in Section 8.4. 2499 * 2500 * - The receiver MUST accept the packet if the Verification Tag 2501 * matches either its own tag, OR the tag of its peer. Otherwise, the 2502 * receiver MUST silently discard the packet and take no further 2503 * action. 2504 * 2505 * Inputs 2506 * (endpoint, asoc, chunk) 2507 * 2508 * Outputs 2509 * (asoc, reply_msg, msg_up, timers, counters) 2510 * 2511 * The return value is the disposition of the chunk. 2512 */ 2513 enum sctp_disposition sctp_sf_do_9_1_abort( 2514 struct net *net, 2515 const struct sctp_endpoint *ep, 2516 const struct sctp_association *asoc, 2517 const union sctp_subtype type, 2518 void *arg, 2519 struct sctp_cmd_seq *commands) 2520 { 2521 struct sctp_chunk *chunk = arg; 2522 2523 if (!sctp_vtag_verify_either(chunk, asoc)) 2524 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2525 2526 /* Make sure that the ABORT chunk has a valid length. 2527 * Since this is an ABORT chunk, we have to discard it 2528 * because of the following text: 2529 * RFC 2960, Section 3.3.7 2530 * If an endpoint receives an ABORT with a format error or for an 2531 * association that doesn't exist, it MUST silently discard it. 2532 * Because the length is "invalid", we can't really discard just 2533 * as we do not know its true length. So, to be safe, discard the 2534 * packet. 2535 */ 2536 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2537 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2538 2539 /* ADD-IP: Special case for ABORT chunks 2540 * F4) One special consideration is that ABORT Chunks arriving 2541 * destined to the IP address being deleted MUST be 2542 * ignored (see Section 5.3.1 for further details). 2543 */ 2544 if (SCTP_ADDR_DEL == 2545 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2546 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2547 2548 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2549 } 2550 2551 static enum sctp_disposition __sctp_sf_do_9_1_abort( 2552 struct net *net, 2553 const struct sctp_endpoint *ep, 2554 const struct sctp_association *asoc, 2555 const union sctp_subtype type, 2556 void *arg, 2557 struct sctp_cmd_seq *commands) 2558 { 2559 __be16 error = SCTP_ERROR_NO_ERROR; 2560 struct sctp_chunk *chunk = arg; 2561 unsigned int len; 2562 2563 /* See if we have an error cause code in the chunk. */ 2564 len = ntohs(chunk->chunk_hdr->length); 2565 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { 2566 struct sctp_errhdr *err; 2567 2568 sctp_walk_errors(err, chunk->chunk_hdr); 2569 if ((void *)err != (void *)chunk->chunk_end) 2570 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 2571 commands); 2572 2573 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2574 } 2575 2576 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2577 /* ASSOC_FAILED will DELETE_TCB. */ 2578 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2579 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2580 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2581 2582 return SCTP_DISPOSITION_ABORT; 2583 } 2584 2585 /* 2586 * Process an ABORT. (COOKIE-WAIT state) 2587 * 2588 * See sctp_sf_do_9_1_abort() above. 2589 */ 2590 enum sctp_disposition sctp_sf_cookie_wait_abort( 2591 struct net *net, 2592 const struct sctp_endpoint *ep, 2593 const struct sctp_association *asoc, 2594 const union sctp_subtype type, 2595 void *arg, 2596 struct sctp_cmd_seq *commands) 2597 { 2598 __be16 error = SCTP_ERROR_NO_ERROR; 2599 struct sctp_chunk *chunk = arg; 2600 unsigned int len; 2601 2602 if (!sctp_vtag_verify_either(chunk, asoc)) 2603 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2604 2605 /* Make sure that the ABORT chunk has a valid length. 2606 * Since this is an ABORT chunk, we have to discard it 2607 * because of the following text: 2608 * RFC 2960, Section 3.3.7 2609 * If an endpoint receives an ABORT with a format error or for an 2610 * association that doesn't exist, it MUST silently discard it. 2611 * Because the length is "invalid", we can't really discard just 2612 * as we do not know its true length. So, to be safe, discard the 2613 * packet. 2614 */ 2615 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2616 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2617 2618 /* See if we have an error cause code in the chunk. */ 2619 len = ntohs(chunk->chunk_hdr->length); 2620 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2621 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2622 2623 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2624 chunk->transport); 2625 } 2626 2627 /* 2628 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2629 */ 2630 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( 2631 struct net *net, 2632 const struct sctp_endpoint *ep, 2633 const struct sctp_association *asoc, 2634 const union sctp_subtype type, 2635 void *arg, 2636 struct sctp_cmd_seq *commands) 2637 { 2638 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2639 ENOPROTOOPT, asoc, 2640 (struct sctp_transport *)arg); 2641 } 2642 2643 /* 2644 * Process an ABORT. (COOKIE-ECHOED state) 2645 */ 2646 enum sctp_disposition sctp_sf_cookie_echoed_abort( 2647 struct net *net, 2648 const struct sctp_endpoint *ep, 2649 const struct sctp_association *asoc, 2650 const union sctp_subtype type, 2651 void *arg, 2652 struct sctp_cmd_seq *commands) 2653 { 2654 /* There is a single T1 timer, so we should be able to use 2655 * common function with the COOKIE-WAIT state. 2656 */ 2657 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2658 } 2659 2660 /* 2661 * Stop T1 timer and abort association with "INIT failed". 2662 * 2663 * This is common code called by several sctp_sf_*_abort() functions above. 2664 */ 2665 static enum sctp_disposition sctp_stop_t1_and_abort( 2666 struct net *net, 2667 struct sctp_cmd_seq *commands, 2668 __be16 error, int sk_err, 2669 const struct sctp_association *asoc, 2670 struct sctp_transport *transport) 2671 { 2672 pr_debug("%s: ABORT received (INIT)\n", __func__); 2673 2674 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2675 SCTP_STATE(SCTP_STATE_CLOSED)); 2676 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2677 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2678 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2679 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2680 /* CMD_INIT_FAILED will DELETE_TCB. */ 2681 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2682 SCTP_PERR(error)); 2683 2684 return SCTP_DISPOSITION_ABORT; 2685 } 2686 2687 /* 2688 * sctp_sf_do_9_2_shut 2689 * 2690 * Section: 9.2 2691 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2692 * - enter the SHUTDOWN-RECEIVED state, 2693 * 2694 * - stop accepting new data from its SCTP user 2695 * 2696 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2697 * that all its outstanding DATA chunks have been received by the 2698 * SHUTDOWN sender. 2699 * 2700 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2701 * send a SHUTDOWN in response to a ULP request. And should discard 2702 * subsequent SHUTDOWN chunks. 2703 * 2704 * If there are still outstanding DATA chunks left, the SHUTDOWN 2705 * receiver shall continue to follow normal data transmission 2706 * procedures defined in Section 6 until all outstanding DATA chunks 2707 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2708 * new data from its SCTP user. 2709 * 2710 * Verification Tag: 8.5 Verification Tag [Normal verification] 2711 * 2712 * Inputs 2713 * (endpoint, asoc, chunk) 2714 * 2715 * Outputs 2716 * (asoc, reply_msg, msg_up, timers, counters) 2717 * 2718 * The return value is the disposition of the chunk. 2719 */ 2720 enum sctp_disposition sctp_sf_do_9_2_shutdown( 2721 struct net *net, 2722 const struct sctp_endpoint *ep, 2723 const struct sctp_association *asoc, 2724 const union sctp_subtype type, 2725 void *arg, 2726 struct sctp_cmd_seq *commands) 2727 { 2728 enum sctp_disposition disposition; 2729 struct sctp_chunk *chunk = arg; 2730 struct sctp_shutdownhdr *sdh; 2731 struct sctp_ulpevent *ev; 2732 __u32 ctsn; 2733 2734 if (!sctp_vtag_verify(chunk, asoc)) 2735 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2736 2737 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2738 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2739 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2740 commands); 2741 2742 /* Convert the elaborate header. */ 2743 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2744 skb_pull(chunk->skb, sizeof(*sdh)); 2745 chunk->subh.shutdown_hdr = sdh; 2746 ctsn = ntohl(sdh->cum_tsn_ack); 2747 2748 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2749 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2750 asoc->ctsn_ack_point); 2751 2752 return SCTP_DISPOSITION_DISCARD; 2753 } 2754 2755 /* If Cumulative TSN Ack beyond the max tsn currently 2756 * send, terminating the association and respond to the 2757 * sender with an ABORT. 2758 */ 2759 if (!TSN_lt(ctsn, asoc->next_tsn)) 2760 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2761 2762 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2763 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2764 * inform the application that it should cease sending data. 2765 */ 2766 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2767 if (!ev) { 2768 disposition = SCTP_DISPOSITION_NOMEM; 2769 goto out; 2770 } 2771 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2772 2773 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2774 * - enter the SHUTDOWN-RECEIVED state, 2775 * - stop accepting new data from its SCTP user 2776 * 2777 * [This is implicit in the new state.] 2778 */ 2779 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2780 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2781 disposition = SCTP_DISPOSITION_CONSUME; 2782 2783 if (sctp_outq_is_empty(&asoc->outqueue)) { 2784 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2785 arg, commands); 2786 } 2787 2788 if (SCTP_DISPOSITION_NOMEM == disposition) 2789 goto out; 2790 2791 /* - verify, by checking the Cumulative TSN Ack field of the 2792 * chunk, that all its outstanding DATA chunks have been 2793 * received by the SHUTDOWN sender. 2794 */ 2795 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2796 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2797 2798 out: 2799 return disposition; 2800 } 2801 2802 /* 2803 * sctp_sf_do_9_2_shut_ctsn 2804 * 2805 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2806 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2807 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2808 * MUST be processed. 2809 */ 2810 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( 2811 struct net *net, 2812 const struct sctp_endpoint *ep, 2813 const struct sctp_association *asoc, 2814 const union sctp_subtype type, 2815 void *arg, 2816 struct sctp_cmd_seq *commands) 2817 { 2818 struct sctp_chunk *chunk = arg; 2819 struct sctp_shutdownhdr *sdh; 2820 __u32 ctsn; 2821 2822 if (!sctp_vtag_verify(chunk, asoc)) 2823 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2824 2825 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2826 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2827 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2828 commands); 2829 2830 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2831 ctsn = ntohl(sdh->cum_tsn_ack); 2832 2833 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2834 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2835 asoc->ctsn_ack_point); 2836 2837 return SCTP_DISPOSITION_DISCARD; 2838 } 2839 2840 /* If Cumulative TSN Ack beyond the max tsn currently 2841 * send, terminating the association and respond to the 2842 * sender with an ABORT. 2843 */ 2844 if (!TSN_lt(ctsn, asoc->next_tsn)) 2845 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2846 2847 /* verify, by checking the Cumulative TSN Ack field of the 2848 * chunk, that all its outstanding DATA chunks have been 2849 * received by the SHUTDOWN sender. 2850 */ 2851 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2852 SCTP_BE32(sdh->cum_tsn_ack)); 2853 2854 return SCTP_DISPOSITION_CONSUME; 2855 } 2856 2857 /* RFC 2960 9.2 2858 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2859 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2860 * transport addresses (either in the IP addresses or in the INIT chunk) 2861 * that belong to this association, it should discard the INIT chunk and 2862 * retransmit the SHUTDOWN ACK chunk. 2863 */ 2864 enum sctp_disposition sctp_sf_do_9_2_reshutack( 2865 struct net *net, 2866 const struct sctp_endpoint *ep, 2867 const struct sctp_association *asoc, 2868 const union sctp_subtype type, 2869 void *arg, 2870 struct sctp_cmd_seq *commands) 2871 { 2872 struct sctp_chunk *chunk = arg; 2873 struct sctp_chunk *reply; 2874 2875 /* Make sure that the chunk has a valid length */ 2876 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2877 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2878 commands); 2879 2880 /* Since we are not going to really process this INIT, there 2881 * is no point in verifying chunk boundries. Just generate 2882 * the SHUTDOWN ACK. 2883 */ 2884 reply = sctp_make_shutdown_ack(asoc, chunk); 2885 if (NULL == reply) 2886 goto nomem; 2887 2888 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2889 * the T2-SHUTDOWN timer. 2890 */ 2891 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2892 2893 /* and restart the T2-shutdown timer. */ 2894 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2895 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2896 2897 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2898 2899 return SCTP_DISPOSITION_CONSUME; 2900 nomem: 2901 return SCTP_DISPOSITION_NOMEM; 2902 } 2903 2904 /* 2905 * sctp_sf_do_ecn_cwr 2906 * 2907 * Section: Appendix A: Explicit Congestion Notification 2908 * 2909 * CWR: 2910 * 2911 * RFC 2481 details a specific bit for a sender to send in the header of 2912 * its next outbound TCP segment to indicate to its peer that it has 2913 * reduced its congestion window. This is termed the CWR bit. For 2914 * SCTP the same indication is made by including the CWR chunk. 2915 * This chunk contains one data element, i.e. the TSN number that 2916 * was sent in the ECNE chunk. This element represents the lowest 2917 * TSN number in the datagram that was originally marked with the 2918 * CE bit. 2919 * 2920 * Verification Tag: 8.5 Verification Tag [Normal verification] 2921 * Inputs 2922 * (endpoint, asoc, chunk) 2923 * 2924 * Outputs 2925 * (asoc, reply_msg, msg_up, timers, counters) 2926 * 2927 * The return value is the disposition of the chunk. 2928 */ 2929 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, 2930 const struct sctp_endpoint *ep, 2931 const struct sctp_association *asoc, 2932 const union sctp_subtype type, 2933 void *arg, 2934 struct sctp_cmd_seq *commands) 2935 { 2936 struct sctp_chunk *chunk = arg; 2937 struct sctp_cwrhdr *cwr; 2938 u32 lowest_tsn; 2939 2940 if (!sctp_vtag_verify(chunk, asoc)) 2941 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2942 2943 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 2944 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2945 commands); 2946 2947 cwr = (struct sctp_cwrhdr *)chunk->skb->data; 2948 skb_pull(chunk->skb, sizeof(*cwr)); 2949 2950 lowest_tsn = ntohl(cwr->lowest_tsn); 2951 2952 /* Does this CWR ack the last sent congestion notification? */ 2953 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2954 /* Stop sending ECNE. */ 2955 sctp_add_cmd_sf(commands, 2956 SCTP_CMD_ECN_CWR, 2957 SCTP_U32(lowest_tsn)); 2958 } 2959 return SCTP_DISPOSITION_CONSUME; 2960 } 2961 2962 /* 2963 * sctp_sf_do_ecne 2964 * 2965 * Section: Appendix A: Explicit Congestion Notification 2966 * 2967 * ECN-Echo 2968 * 2969 * RFC 2481 details a specific bit for a receiver to send back in its 2970 * TCP acknowledgements to notify the sender of the Congestion 2971 * Experienced (CE) bit having arrived from the network. For SCTP this 2972 * same indication is made by including the ECNE chunk. This chunk 2973 * contains one data element, i.e. the lowest TSN associated with the IP 2974 * datagram marked with the CE bit..... 2975 * 2976 * Verification Tag: 8.5 Verification Tag [Normal verification] 2977 * Inputs 2978 * (endpoint, asoc, chunk) 2979 * 2980 * Outputs 2981 * (asoc, reply_msg, msg_up, timers, counters) 2982 * 2983 * The return value is the disposition of the chunk. 2984 */ 2985 enum sctp_disposition sctp_sf_do_ecne(struct net *net, 2986 const struct sctp_endpoint *ep, 2987 const struct sctp_association *asoc, 2988 const union sctp_subtype type, 2989 void *arg, struct sctp_cmd_seq *commands) 2990 { 2991 struct sctp_chunk *chunk = arg; 2992 struct sctp_ecnehdr *ecne; 2993 2994 if (!sctp_vtag_verify(chunk, asoc)) 2995 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2996 2997 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 2998 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2999 commands); 3000 3001 ecne = (struct sctp_ecnehdr *)chunk->skb->data; 3002 skb_pull(chunk->skb, sizeof(*ecne)); 3003 3004 /* If this is a newer ECNE than the last CWR packet we sent out */ 3005 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 3006 SCTP_U32(ntohl(ecne->lowest_tsn))); 3007 3008 return SCTP_DISPOSITION_CONSUME; 3009 } 3010 3011 /* 3012 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 3013 * 3014 * The SCTP endpoint MUST always acknowledge the reception of each valid 3015 * DATA chunk. 3016 * 3017 * The guidelines on delayed acknowledgement algorithm specified in 3018 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 3019 * acknowledgement SHOULD be generated for at least every second packet 3020 * (not every second DATA chunk) received, and SHOULD be generated within 3021 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 3022 * situations it may be beneficial for an SCTP transmitter to be more 3023 * conservative than the algorithms detailed in this document allow. 3024 * However, an SCTP transmitter MUST NOT be more aggressive than the 3025 * following algorithms allow. 3026 * 3027 * A SCTP receiver MUST NOT generate more than one SACK for every 3028 * incoming packet, other than to update the offered window as the 3029 * receiving application consumes new data. 3030 * 3031 * Verification Tag: 8.5 Verification Tag [Normal verification] 3032 * 3033 * Inputs 3034 * (endpoint, asoc, chunk) 3035 * 3036 * Outputs 3037 * (asoc, reply_msg, msg_up, timers, counters) 3038 * 3039 * The return value is the disposition of the chunk. 3040 */ 3041 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, 3042 const struct sctp_endpoint *ep, 3043 const struct sctp_association *asoc, 3044 const union sctp_subtype type, 3045 void *arg, 3046 struct sctp_cmd_seq *commands) 3047 { 3048 union sctp_arg force = SCTP_NOFORCE(); 3049 struct sctp_chunk *chunk = arg; 3050 int error; 3051 3052 if (!sctp_vtag_verify(chunk, asoc)) { 3053 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3054 SCTP_NULL()); 3055 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3056 } 3057 3058 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3059 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3060 commands); 3061 3062 error = sctp_eat_data(asoc, chunk, commands); 3063 switch (error) { 3064 case SCTP_IERROR_NO_ERROR: 3065 break; 3066 case SCTP_IERROR_HIGH_TSN: 3067 case SCTP_IERROR_BAD_STREAM: 3068 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3069 goto discard_noforce; 3070 case SCTP_IERROR_DUP_TSN: 3071 case SCTP_IERROR_IGNORE_TSN: 3072 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3073 goto discard_force; 3074 case SCTP_IERROR_NO_DATA: 3075 return SCTP_DISPOSITION_ABORT; 3076 case SCTP_IERROR_PROTO_VIOLATION: 3077 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3078 (u8 *)chunk->subh.data_hdr, 3079 sctp_datahdr_len(&asoc->stream)); 3080 default: 3081 BUG(); 3082 } 3083 3084 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 3085 force = SCTP_FORCE(); 3086 3087 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3088 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3089 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3090 } 3091 3092 /* If this is the last chunk in a packet, we need to count it 3093 * toward sack generation. Note that we need to SACK every 3094 * OTHER packet containing data chunks, EVEN IF WE DISCARD 3095 * THEM. We elect to NOT generate SACK's if the chunk fails 3096 * the verification tag test. 3097 * 3098 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3099 * 3100 * The SCTP endpoint MUST always acknowledge the reception of 3101 * each valid DATA chunk. 3102 * 3103 * The guidelines on delayed acknowledgement algorithm 3104 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3105 * Specifically, an acknowledgement SHOULD be generated for at 3106 * least every second packet (not every second DATA chunk) 3107 * received, and SHOULD be generated within 200 ms of the 3108 * arrival of any unacknowledged DATA chunk. In some 3109 * situations it may be beneficial for an SCTP transmitter to 3110 * be more conservative than the algorithms detailed in this 3111 * document allow. However, an SCTP transmitter MUST NOT be 3112 * more aggressive than the following algorithms allow. 3113 */ 3114 if (chunk->end_of_packet) 3115 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3116 3117 return SCTP_DISPOSITION_CONSUME; 3118 3119 discard_force: 3120 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3121 * 3122 * When a packet arrives with duplicate DATA chunk(s) and with 3123 * no new DATA chunk(s), the endpoint MUST immediately send a 3124 * SACK with no delay. If a packet arrives with duplicate 3125 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3126 * MAY immediately send a SACK. Normally receipt of duplicate 3127 * DATA chunks will occur when the original SACK chunk was lost 3128 * and the peer's RTO has expired. The duplicate TSN number(s) 3129 * SHOULD be reported in the SACK as duplicate. 3130 */ 3131 /* In our case, we split the MAY SACK advice up whether or not 3132 * the last chunk is a duplicate.' 3133 */ 3134 if (chunk->end_of_packet) 3135 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3136 return SCTP_DISPOSITION_DISCARD; 3137 3138 discard_noforce: 3139 if (chunk->end_of_packet) 3140 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3141 3142 return SCTP_DISPOSITION_DISCARD; 3143 } 3144 3145 /* 3146 * sctp_sf_eat_data_fast_4_4 3147 * 3148 * Section: 4 (4) 3149 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3150 * DATA chunks without delay. 3151 * 3152 * Verification Tag: 8.5 Verification Tag [Normal verification] 3153 * Inputs 3154 * (endpoint, asoc, chunk) 3155 * 3156 * Outputs 3157 * (asoc, reply_msg, msg_up, timers, counters) 3158 * 3159 * The return value is the disposition of the chunk. 3160 */ 3161 enum sctp_disposition sctp_sf_eat_data_fast_4_4( 3162 struct net *net, 3163 const struct sctp_endpoint *ep, 3164 const struct sctp_association *asoc, 3165 const union sctp_subtype type, 3166 void *arg, 3167 struct sctp_cmd_seq *commands) 3168 { 3169 struct sctp_chunk *chunk = arg; 3170 int error; 3171 3172 if (!sctp_vtag_verify(chunk, asoc)) { 3173 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3174 SCTP_NULL()); 3175 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3176 } 3177 3178 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3179 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3180 commands); 3181 3182 error = sctp_eat_data(asoc, chunk, commands); 3183 switch (error) { 3184 case SCTP_IERROR_NO_ERROR: 3185 case SCTP_IERROR_HIGH_TSN: 3186 case SCTP_IERROR_DUP_TSN: 3187 case SCTP_IERROR_IGNORE_TSN: 3188 case SCTP_IERROR_BAD_STREAM: 3189 break; 3190 case SCTP_IERROR_NO_DATA: 3191 return SCTP_DISPOSITION_ABORT; 3192 case SCTP_IERROR_PROTO_VIOLATION: 3193 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3194 (u8 *)chunk->subh.data_hdr, 3195 sctp_datahdr_len(&asoc->stream)); 3196 default: 3197 BUG(); 3198 } 3199 3200 /* Go a head and force a SACK, since we are shutting down. */ 3201 3202 /* Implementor's Guide. 3203 * 3204 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3205 * respond to each received packet containing one or more DATA chunk(s) 3206 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3207 */ 3208 if (chunk->end_of_packet) { 3209 /* We must delay the chunk creation since the cumulative 3210 * TSN has not been updated yet. 3211 */ 3212 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3213 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3214 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3215 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3216 } 3217 3218 return SCTP_DISPOSITION_CONSUME; 3219 } 3220 3221 /* 3222 * Section: 6.2 Processing a Received SACK 3223 * D) Any time a SACK arrives, the endpoint performs the following: 3224 * 3225 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3226 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3227 * increasing, a SACK whose Cumulative TSN Ack is less than the 3228 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3229 * 3230 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3231 * of bytes still outstanding after processing the Cumulative TSN Ack 3232 * and the Gap Ack Blocks. 3233 * 3234 * iii) If the SACK is missing a TSN that was previously 3235 * acknowledged via a Gap Ack Block (e.g., the data receiver 3236 * reneged on the data), then mark the corresponding DATA chunk 3237 * as available for retransmit: Mark it as missing for fast 3238 * retransmit as described in Section 7.2.4 and if no retransmit 3239 * timer is running for the destination address to which the DATA 3240 * chunk was originally transmitted, then T3-rtx is started for 3241 * that destination address. 3242 * 3243 * Verification Tag: 8.5 Verification Tag [Normal verification] 3244 * 3245 * Inputs 3246 * (endpoint, asoc, chunk) 3247 * 3248 * Outputs 3249 * (asoc, reply_msg, msg_up, timers, counters) 3250 * 3251 * The return value is the disposition of the chunk. 3252 */ 3253 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net, 3254 const struct sctp_endpoint *ep, 3255 const struct sctp_association *asoc, 3256 const union sctp_subtype type, 3257 void *arg, 3258 struct sctp_cmd_seq *commands) 3259 { 3260 struct sctp_chunk *chunk = arg; 3261 struct sctp_sackhdr *sackh; 3262 __u32 ctsn; 3263 3264 trace_sctp_probe(ep, asoc, chunk); 3265 3266 if (!sctp_vtag_verify(chunk, asoc)) 3267 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3268 3269 /* Make sure that the SACK chunk has a valid length. */ 3270 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk))) 3271 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3272 commands); 3273 3274 /* Pull the SACK chunk from the data buffer */ 3275 sackh = sctp_sm_pull_sack(chunk); 3276 /* Was this a bogus SACK? */ 3277 if (!sackh) 3278 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3279 chunk->subh.sack_hdr = sackh; 3280 ctsn = ntohl(sackh->cum_tsn_ack); 3281 3282 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3283 * Ack Point, then drop the SACK. Since Cumulative TSN 3284 * Ack is monotonically increasing, a SACK whose 3285 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3286 * Point indicates an out-of-order SACK. 3287 */ 3288 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3289 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3290 asoc->ctsn_ack_point); 3291 3292 return SCTP_DISPOSITION_DISCARD; 3293 } 3294 3295 /* If Cumulative TSN Ack beyond the max tsn currently 3296 * send, terminating the association and respond to the 3297 * sender with an ABORT. 3298 */ 3299 if (!TSN_lt(ctsn, asoc->next_tsn)) 3300 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3301 3302 /* Return this SACK for further processing. */ 3303 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3304 3305 /* Note: We do the rest of the work on the PROCESS_SACK 3306 * sideeffect. 3307 */ 3308 return SCTP_DISPOSITION_CONSUME; 3309 } 3310 3311 /* 3312 * Generate an ABORT in response to a packet. 3313 * 3314 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3315 * 3316 * 8) The receiver should respond to the sender of the OOTB packet with 3317 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3318 * MUST fill in the Verification Tag field of the outbound packet 3319 * with the value found in the Verification Tag field of the OOTB 3320 * packet and set the T-bit in the Chunk Flags to indicate that the 3321 * Verification Tag is reflected. After sending this ABORT, the 3322 * receiver of the OOTB packet shall discard the OOTB packet and take 3323 * no further action. 3324 * 3325 * Verification Tag: 3326 * 3327 * The return value is the disposition of the chunk. 3328 */ 3329 static enum sctp_disposition sctp_sf_tabort_8_4_8( 3330 struct net *net, 3331 const struct sctp_endpoint *ep, 3332 const struct sctp_association *asoc, 3333 const union sctp_subtype type, 3334 void *arg, 3335 struct sctp_cmd_seq *commands) 3336 { 3337 struct sctp_packet *packet = NULL; 3338 struct sctp_chunk *chunk = arg; 3339 struct sctp_chunk *abort; 3340 3341 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3342 if (!packet) 3343 return SCTP_DISPOSITION_NOMEM; 3344 3345 /* Make an ABORT. The T bit will be set if the asoc 3346 * is NULL. 3347 */ 3348 abort = sctp_make_abort(asoc, chunk, 0); 3349 if (!abort) { 3350 sctp_ootb_pkt_free(packet); 3351 return SCTP_DISPOSITION_NOMEM; 3352 } 3353 3354 /* Reflect vtag if T-Bit is set */ 3355 if (sctp_test_T_bit(abort)) 3356 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3357 3358 /* Set the skb to the belonging sock for accounting. */ 3359 abort->skb->sk = ep->base.sk; 3360 3361 sctp_packet_append_chunk(packet, abort); 3362 3363 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3364 SCTP_PACKET(packet)); 3365 3366 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3367 3368 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3369 return SCTP_DISPOSITION_CONSUME; 3370 } 3371 3372 /* 3373 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3374 * event as ULP notification for each cause included in the chunk. 3375 * 3376 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3377 * 3378 * The return value is the disposition of the chunk. 3379 */ 3380 enum sctp_disposition sctp_sf_operr_notify(struct net *net, 3381 const struct sctp_endpoint *ep, 3382 const struct sctp_association *asoc, 3383 const union sctp_subtype type, 3384 void *arg, 3385 struct sctp_cmd_seq *commands) 3386 { 3387 struct sctp_chunk *chunk = arg; 3388 struct sctp_errhdr *err; 3389 3390 if (!sctp_vtag_verify(chunk, asoc)) 3391 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3392 3393 /* Make sure that the ERROR chunk has a valid length. */ 3394 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 3395 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3396 commands); 3397 sctp_walk_errors(err, chunk->chunk_hdr); 3398 if ((void *)err != (void *)chunk->chunk_end) 3399 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3400 (void *)err, commands); 3401 3402 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3403 SCTP_CHUNK(chunk)); 3404 3405 return SCTP_DISPOSITION_CONSUME; 3406 } 3407 3408 /* 3409 * Process an inbound SHUTDOWN ACK. 3410 * 3411 * From Section 9.2: 3412 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3413 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3414 * peer, and remove all record of the association. 3415 * 3416 * The return value is the disposition. 3417 */ 3418 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, 3419 const struct sctp_endpoint *ep, 3420 const struct sctp_association *asoc, 3421 const union sctp_subtype type, 3422 void *arg, 3423 struct sctp_cmd_seq *commands) 3424 { 3425 struct sctp_chunk *chunk = arg; 3426 struct sctp_chunk *reply; 3427 struct sctp_ulpevent *ev; 3428 3429 if (!sctp_vtag_verify(chunk, asoc)) 3430 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3431 3432 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3433 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3434 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3435 commands); 3436 /* 10.2 H) SHUTDOWN COMPLETE notification 3437 * 3438 * When SCTP completes the shutdown procedures (section 9.2) this 3439 * notification is passed to the upper layer. 3440 */ 3441 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3442 0, 0, 0, NULL, GFP_ATOMIC); 3443 if (!ev) 3444 goto nomem; 3445 3446 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3447 reply = sctp_make_shutdown_complete(asoc, chunk); 3448 if (!reply) 3449 goto nomem_chunk; 3450 3451 /* Do all the commands now (after allocation), so that we 3452 * have consistent state if memory allocation failes 3453 */ 3454 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3455 3456 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3457 * stop the T2-shutdown timer, 3458 */ 3459 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3460 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3461 3462 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3463 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3464 3465 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3466 SCTP_STATE(SCTP_STATE_CLOSED)); 3467 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3468 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3469 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3470 3471 /* ...and remove all record of the association. */ 3472 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3473 return SCTP_DISPOSITION_DELETE_TCB; 3474 3475 nomem_chunk: 3476 sctp_ulpevent_free(ev); 3477 nomem: 3478 return SCTP_DISPOSITION_NOMEM; 3479 } 3480 3481 /* 3482 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3483 * 3484 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3485 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3486 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3487 * packet must fill in the Verification Tag field of the outbound 3488 * packet with the Verification Tag received in the SHUTDOWN ACK and 3489 * set the T-bit in the Chunk Flags to indicate that the Verification 3490 * Tag is reflected. 3491 * 3492 * 8) The receiver should respond to the sender of the OOTB packet with 3493 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3494 * MUST fill in the Verification Tag field of the outbound packet 3495 * with the value found in the Verification Tag field of the OOTB 3496 * packet and set the T-bit in the Chunk Flags to indicate that the 3497 * Verification Tag is reflected. After sending this ABORT, the 3498 * receiver of the OOTB packet shall discard the OOTB packet and take 3499 * no further action. 3500 */ 3501 enum sctp_disposition sctp_sf_ootb(struct net *net, 3502 const struct sctp_endpoint *ep, 3503 const struct sctp_association *asoc, 3504 const union sctp_subtype type, 3505 void *arg, struct sctp_cmd_seq *commands) 3506 { 3507 struct sctp_chunk *chunk = arg; 3508 struct sk_buff *skb = chunk->skb; 3509 struct sctp_chunkhdr *ch; 3510 struct sctp_errhdr *err; 3511 int ootb_cookie_ack = 0; 3512 int ootb_shut_ack = 0; 3513 __u8 *ch_end; 3514 3515 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3516 3517 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; 3518 do { 3519 /* Report violation if the chunk is less then minimal */ 3520 if (ntohs(ch->length) < sizeof(*ch)) 3521 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3522 commands); 3523 3524 /* Report violation if chunk len overflows */ 3525 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); 3526 if (ch_end > skb_tail_pointer(skb)) 3527 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3528 commands); 3529 3530 /* Now that we know we at least have a chunk header, 3531 * do things that are type appropriate. 3532 */ 3533 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3534 ootb_shut_ack = 1; 3535 3536 /* RFC 2960, Section 3.3.7 3537 * Moreover, under any circumstances, an endpoint that 3538 * receives an ABORT MUST NOT respond to that ABORT by 3539 * sending an ABORT of its own. 3540 */ 3541 if (SCTP_CID_ABORT == ch->type) 3542 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3543 3544 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3545 * or a COOKIE ACK the SCTP Packet should be silently 3546 * discarded. 3547 */ 3548 3549 if (SCTP_CID_COOKIE_ACK == ch->type) 3550 ootb_cookie_ack = 1; 3551 3552 if (SCTP_CID_ERROR == ch->type) { 3553 sctp_walk_errors(err, ch) { 3554 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3555 ootb_cookie_ack = 1; 3556 break; 3557 } 3558 } 3559 } 3560 3561 ch = (struct sctp_chunkhdr *)ch_end; 3562 } while (ch_end < skb_tail_pointer(skb)); 3563 3564 if (ootb_shut_ack) 3565 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3566 else if (ootb_cookie_ack) 3567 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3568 else 3569 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3570 } 3571 3572 /* 3573 * Handle an "Out of the blue" SHUTDOWN ACK. 3574 * 3575 * Section: 8.4 5, sctpimpguide 2.41. 3576 * 3577 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3578 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3579 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3580 * packet must fill in the Verification Tag field of the outbound 3581 * packet with the Verification Tag received in the SHUTDOWN ACK and 3582 * set the T-bit in the Chunk Flags to indicate that the Verification 3583 * Tag is reflected. 3584 * 3585 * Inputs 3586 * (endpoint, asoc, type, arg, commands) 3587 * 3588 * Outputs 3589 * (enum sctp_disposition) 3590 * 3591 * The return value is the disposition of the chunk. 3592 */ 3593 static enum sctp_disposition sctp_sf_shut_8_4_5( 3594 struct net *net, 3595 const struct sctp_endpoint *ep, 3596 const struct sctp_association *asoc, 3597 const union sctp_subtype type, 3598 void *arg, 3599 struct sctp_cmd_seq *commands) 3600 { 3601 struct sctp_packet *packet = NULL; 3602 struct sctp_chunk *chunk = arg; 3603 struct sctp_chunk *shut; 3604 3605 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3606 if (!packet) 3607 return SCTP_DISPOSITION_NOMEM; 3608 3609 /* Make an SHUTDOWN_COMPLETE. 3610 * The T bit will be set if the asoc is NULL. 3611 */ 3612 shut = sctp_make_shutdown_complete(asoc, chunk); 3613 if (!shut) { 3614 sctp_ootb_pkt_free(packet); 3615 return SCTP_DISPOSITION_NOMEM; 3616 } 3617 3618 /* Reflect vtag if T-Bit is set */ 3619 if (sctp_test_T_bit(shut)) 3620 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3621 3622 /* Set the skb to the belonging sock for accounting. */ 3623 shut->skb->sk = ep->base.sk; 3624 3625 sctp_packet_append_chunk(packet, shut); 3626 3627 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3628 SCTP_PACKET(packet)); 3629 3630 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3631 3632 /* If the chunk length is invalid, we don't want to process 3633 * the reset of the packet. 3634 */ 3635 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3636 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3637 3638 /* We need to discard the rest of the packet to prevent 3639 * potential bomming attacks from additional bundled chunks. 3640 * This is documented in SCTP Threats ID. 3641 */ 3642 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3643 } 3644 3645 /* 3646 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3647 * 3648 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3649 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3650 * procedures in section 8.4 SHOULD be followed, in other words it 3651 * should be treated as an Out Of The Blue packet. 3652 * [This means that we do NOT check the Verification Tag on these 3653 * chunks. --piggy ] 3654 * 3655 */ 3656 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, 3657 const struct sctp_endpoint *ep, 3658 const struct sctp_association *asoc, 3659 const union sctp_subtype type, 3660 void *arg, 3661 struct sctp_cmd_seq *commands) 3662 { 3663 struct sctp_chunk *chunk = arg; 3664 3665 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3666 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3667 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3668 commands); 3669 3670 /* Although we do have an association in this case, it corresponds 3671 * to a restarted association. So the packet is treated as an OOTB 3672 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3673 * called with a NULL association. 3674 */ 3675 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3676 3677 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3678 } 3679 3680 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3681 enum sctp_disposition sctp_sf_do_asconf(struct net *net, 3682 const struct sctp_endpoint *ep, 3683 const struct sctp_association *asoc, 3684 const union sctp_subtype type, 3685 void *arg, 3686 struct sctp_cmd_seq *commands) 3687 { 3688 struct sctp_paramhdr *err_param = NULL; 3689 struct sctp_chunk *asconf_ack = NULL; 3690 struct sctp_chunk *chunk = arg; 3691 struct sctp_addiphdr *hdr; 3692 __u32 serial; 3693 3694 if (!sctp_vtag_verify(chunk, asoc)) { 3695 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3696 SCTP_NULL()); 3697 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3698 } 3699 3700 /* ADD-IP: Section 4.1.1 3701 * This chunk MUST be sent in an authenticated way by using 3702 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3703 * is received unauthenticated it MUST be silently discarded as 3704 * described in [I-D.ietf-tsvwg-sctp-auth]. 3705 */ 3706 if (!net->sctp.addip_noauth && !chunk->auth) 3707 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, 3708 commands); 3709 3710 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3711 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) 3712 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3713 commands); 3714 3715 hdr = (struct sctp_addiphdr *)chunk->skb->data; 3716 serial = ntohl(hdr->serial); 3717 3718 /* Verify the ASCONF chunk before processing it. */ 3719 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3720 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3721 (void *)err_param, commands); 3722 3723 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3724 * the endpoint stored in a new association variable 3725 * 'Peer-Serial-Number'. 3726 */ 3727 if (serial == asoc->peer.addip_serial + 1) { 3728 /* If this is the first instance of ASCONF in the packet, 3729 * we can clean our old ASCONF-ACKs. 3730 */ 3731 if (!chunk->has_asconf) 3732 sctp_assoc_clean_asconf_ack_cache(asoc); 3733 3734 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3735 * expected, process the ASCONF as described below and after 3736 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3737 * the response packet and cache a copy of it (in the event it 3738 * later needs to be retransmitted). 3739 * 3740 * Essentially, do V1-V5. 3741 */ 3742 asconf_ack = sctp_process_asconf((struct sctp_association *) 3743 asoc, chunk); 3744 if (!asconf_ack) 3745 return SCTP_DISPOSITION_NOMEM; 3746 } else if (serial < asoc->peer.addip_serial + 1) { 3747 /* ADDIP 5.2 E2) 3748 * If the value found in the Sequence Number is less than the 3749 * ('Peer- Sequence-Number' + 1), simply skip to the next 3750 * ASCONF, and include in the outbound response packet 3751 * any previously cached ASCONF-ACK response that was 3752 * sent and saved that matches the Sequence Number of the 3753 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3754 * Chunk exists. This will occur when an older ASCONF 3755 * arrives out of order. In such a case, the receiver 3756 * should skip the ASCONF Chunk and not include ASCONF-ACK 3757 * Chunk for that chunk. 3758 */ 3759 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3760 if (!asconf_ack) 3761 return SCTP_DISPOSITION_DISCARD; 3762 3763 /* Reset the transport so that we select the correct one 3764 * this time around. This is to make sure that we don't 3765 * accidentally use a stale transport that's been removed. 3766 */ 3767 asconf_ack->transport = NULL; 3768 } else { 3769 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3770 * it must be either a stale packet or from an attacker. 3771 */ 3772 return SCTP_DISPOSITION_DISCARD; 3773 } 3774 3775 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3776 * containing the ASCONF-ACK Chunks MUST be the source address of 3777 * the SCTP packet that held the ASCONF Chunks. 3778 * 3779 * To do this properly, we'll set the destination address of the chunk 3780 * and at the transmit time, will try look up the transport to use. 3781 * Since ASCONFs may be bundled, the correct transport may not be 3782 * created until we process the entire packet, thus this workaround. 3783 */ 3784 asconf_ack->dest = chunk->source; 3785 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3786 if (asoc->new_transport) { 3787 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3788 ((struct sctp_association *)asoc)->new_transport = NULL; 3789 } 3790 3791 return SCTP_DISPOSITION_CONSUME; 3792 } 3793 3794 /* 3795 * ADDIP Section 4.3 General rules for address manipulation 3796 * When building TLV parameters for the ASCONF Chunk that will add or 3797 * delete IP addresses the D0 to D13 rules should be applied: 3798 */ 3799 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, 3800 const struct sctp_endpoint *ep, 3801 const struct sctp_association *asoc, 3802 const union sctp_subtype type, 3803 void *arg, 3804 struct sctp_cmd_seq *commands) 3805 { 3806 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3807 struct sctp_paramhdr *err_param = NULL; 3808 struct sctp_chunk *asconf_ack = arg; 3809 struct sctp_addiphdr *addip_hdr; 3810 __u32 sent_serial, rcvd_serial; 3811 struct sctp_chunk *abort; 3812 3813 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3814 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3815 SCTP_NULL()); 3816 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3817 } 3818 3819 /* ADD-IP, Section 4.1.2: 3820 * This chunk MUST be sent in an authenticated way by using 3821 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3822 * is received unauthenticated it MUST be silently discarded as 3823 * described in [I-D.ietf-tsvwg-sctp-auth]. 3824 */ 3825 if (!net->sctp.addip_noauth && !asconf_ack->auth) 3826 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, 3827 commands); 3828 3829 /* Make sure that the ADDIP chunk has a valid length. */ 3830 if (!sctp_chunk_length_valid(asconf_ack, 3831 sizeof(struct sctp_addip_chunk))) 3832 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3833 commands); 3834 3835 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; 3836 rcvd_serial = ntohl(addip_hdr->serial); 3837 3838 /* Verify the ASCONF-ACK chunk before processing it. */ 3839 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 3840 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3841 (void *)err_param, commands); 3842 3843 if (last_asconf) { 3844 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr; 3845 sent_serial = ntohl(addip_hdr->serial); 3846 } else { 3847 sent_serial = asoc->addip_serial - 1; 3848 } 3849 3850 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3851 * equal to the next serial number to be used but no ASCONF chunk is 3852 * outstanding the endpoint MUST ABORT the association. Note that a 3853 * sequence number is greater than if it is no more than 2^^31-1 3854 * larger than the current sequence number (using serial arithmetic). 3855 */ 3856 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3857 !(asoc->addip_last_asconf)) { 3858 abort = sctp_make_abort(asoc, asconf_ack, 3859 sizeof(struct sctp_errhdr)); 3860 if (abort) { 3861 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3862 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3863 SCTP_CHUNK(abort)); 3864 } 3865 /* We are going to ABORT, so we might as well stop 3866 * processing the rest of the chunks in the packet. 3867 */ 3868 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3869 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3870 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3871 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3872 SCTP_ERROR(ECONNABORTED)); 3873 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3874 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3875 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3876 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3877 return SCTP_DISPOSITION_ABORT; 3878 } 3879 3880 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3881 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3882 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3883 3884 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3885 asconf_ack)) { 3886 /* Successfully processed ASCONF_ACK. We can 3887 * release the next asconf if we have one. 3888 */ 3889 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3890 SCTP_NULL()); 3891 return SCTP_DISPOSITION_CONSUME; 3892 } 3893 3894 abort = sctp_make_abort(asoc, asconf_ack, 3895 sizeof(struct sctp_errhdr)); 3896 if (abort) { 3897 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3898 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3899 SCTP_CHUNK(abort)); 3900 } 3901 /* We are going to ABORT, so we might as well stop 3902 * processing the rest of the chunks in the packet. 3903 */ 3904 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3905 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3906 SCTP_ERROR(ECONNABORTED)); 3907 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3908 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3909 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3910 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3911 return SCTP_DISPOSITION_ABORT; 3912 } 3913 3914 return SCTP_DISPOSITION_DISCARD; 3915 } 3916 3917 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */ 3918 enum sctp_disposition sctp_sf_do_reconf(struct net *net, 3919 const struct sctp_endpoint *ep, 3920 const struct sctp_association *asoc, 3921 const union sctp_subtype type, 3922 void *arg, 3923 struct sctp_cmd_seq *commands) 3924 { 3925 struct sctp_paramhdr *err_param = NULL; 3926 struct sctp_chunk *chunk = arg; 3927 struct sctp_reconf_chunk *hdr; 3928 union sctp_params param; 3929 3930 if (!sctp_vtag_verify(chunk, asoc)) { 3931 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3932 SCTP_NULL()); 3933 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3934 } 3935 3936 /* Make sure that the RECONF chunk has a valid length. */ 3937 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr))) 3938 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3939 commands); 3940 3941 if (!sctp_verify_reconf(asoc, chunk, &err_param)) 3942 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3943 (void *)err_param, commands); 3944 3945 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr; 3946 sctp_walk_params(param, hdr, params) { 3947 struct sctp_chunk *reply = NULL; 3948 struct sctp_ulpevent *ev = NULL; 3949 3950 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST) 3951 reply = sctp_process_strreset_outreq( 3952 (struct sctp_association *)asoc, param, &ev); 3953 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST) 3954 reply = sctp_process_strreset_inreq( 3955 (struct sctp_association *)asoc, param, &ev); 3956 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST) 3957 reply = sctp_process_strreset_tsnreq( 3958 (struct sctp_association *)asoc, param, &ev); 3959 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) 3960 reply = sctp_process_strreset_addstrm_out( 3961 (struct sctp_association *)asoc, param, &ev); 3962 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS) 3963 reply = sctp_process_strreset_addstrm_in( 3964 (struct sctp_association *)asoc, param, &ev); 3965 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE) 3966 reply = sctp_process_strreset_resp( 3967 (struct sctp_association *)asoc, param, &ev); 3968 3969 if (ev) 3970 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 3971 SCTP_ULPEVENT(ev)); 3972 3973 if (reply) 3974 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3975 SCTP_CHUNK(reply)); 3976 } 3977 3978 return SCTP_DISPOSITION_CONSUME; 3979 } 3980 3981 /* 3982 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3983 * 3984 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3985 * its cumulative TSN point to the value carried in the FORWARD TSN 3986 * chunk, and then MUST further advance its cumulative TSN point locally 3987 * if possible. 3988 * After the above processing, the data receiver MUST stop reporting any 3989 * missing TSNs earlier than or equal to the new cumulative TSN point. 3990 * 3991 * Verification Tag: 8.5 Verification Tag [Normal verification] 3992 * 3993 * The return value is the disposition of the chunk. 3994 */ 3995 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net, 3996 const struct sctp_endpoint *ep, 3997 const struct sctp_association *asoc, 3998 const union sctp_subtype type, 3999 void *arg, 4000 struct sctp_cmd_seq *commands) 4001 { 4002 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4003 struct sctp_chunk *chunk = arg; 4004 __u16 len; 4005 __u32 tsn; 4006 4007 if (!sctp_vtag_verify(chunk, asoc)) { 4008 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4009 SCTP_NULL()); 4010 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4011 } 4012 4013 if (!asoc->peer.prsctp_capable) 4014 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4015 4016 /* Make sure that the FORWARD_TSN chunk has valid length. */ 4017 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4018 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4019 commands); 4020 4021 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4022 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4023 len = ntohs(chunk->chunk_hdr->length); 4024 len -= sizeof(struct sctp_chunkhdr); 4025 skb_pull(chunk->skb, len); 4026 4027 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4028 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4029 4030 /* The TSN is too high--silently discard the chunk and count on it 4031 * getting retransmitted later. 4032 */ 4033 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4034 goto discard_noforce; 4035 4036 if (!asoc->stream.si->validate_ftsn(chunk)) 4037 goto discard_noforce; 4038 4039 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4040 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4041 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4042 SCTP_CHUNK(chunk)); 4043 4044 /* Count this as receiving DATA. */ 4045 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 4046 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4047 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4048 } 4049 4050 /* FIXME: For now send a SACK, but DATA processing may 4051 * send another. 4052 */ 4053 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 4054 4055 return SCTP_DISPOSITION_CONSUME; 4056 4057 discard_noforce: 4058 return SCTP_DISPOSITION_DISCARD; 4059 } 4060 4061 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( 4062 struct net *net, 4063 const struct sctp_endpoint *ep, 4064 const struct sctp_association *asoc, 4065 const union sctp_subtype type, 4066 void *arg, 4067 struct sctp_cmd_seq *commands) 4068 { 4069 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4070 struct sctp_chunk *chunk = arg; 4071 __u16 len; 4072 __u32 tsn; 4073 4074 if (!sctp_vtag_verify(chunk, asoc)) { 4075 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4076 SCTP_NULL()); 4077 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4078 } 4079 4080 if (!asoc->peer.prsctp_capable) 4081 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4082 4083 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 4084 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4085 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4086 commands); 4087 4088 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4089 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4090 len = ntohs(chunk->chunk_hdr->length); 4091 len -= sizeof(struct sctp_chunkhdr); 4092 skb_pull(chunk->skb, len); 4093 4094 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4095 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4096 4097 /* The TSN is too high--silently discard the chunk and count on it 4098 * getting retransmitted later. 4099 */ 4100 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4101 goto gen_shutdown; 4102 4103 if (!asoc->stream.si->validate_ftsn(chunk)) 4104 goto gen_shutdown; 4105 4106 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4107 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4108 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4109 SCTP_CHUNK(chunk)); 4110 4111 /* Go a head and force a SACK, since we are shutting down. */ 4112 gen_shutdown: 4113 /* Implementor's Guide. 4114 * 4115 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 4116 * respond to each received packet containing one or more DATA chunk(s) 4117 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 4118 */ 4119 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 4120 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4121 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4122 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4123 4124 return SCTP_DISPOSITION_CONSUME; 4125 } 4126 4127 /* 4128 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 4129 * 4130 * The receiver MUST use the HMAC algorithm indicated in the HMAC 4131 * Identifier field. If this algorithm was not specified by the 4132 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 4133 * during association setup, the AUTH chunk and all chunks after it MUST 4134 * be discarded and an ERROR chunk SHOULD be sent with the error cause 4135 * defined in Section 4.1. 4136 * 4137 * If an endpoint with no shared key receives a Shared Key Identifier 4138 * other than 0, it MUST silently discard all authenticated chunks. If 4139 * the endpoint has at least one endpoint pair shared key for the peer, 4140 * it MUST use the key specified by the Shared Key Identifier if a 4141 * key has been configured for that Shared Key Identifier. If no 4142 * endpoint pair shared key has been configured for that Shared Key 4143 * Identifier, all authenticated chunks MUST be silently discarded. 4144 * 4145 * Verification Tag: 8.5 Verification Tag [Normal verification] 4146 * 4147 * The return value is the disposition of the chunk. 4148 */ 4149 static enum sctp_ierror sctp_sf_authenticate( 4150 struct net *net, 4151 const struct sctp_endpoint *ep, 4152 const struct sctp_association *asoc, 4153 const union sctp_subtype type, 4154 struct sctp_chunk *chunk) 4155 { 4156 struct sctp_shared_key *sh_key = NULL; 4157 struct sctp_authhdr *auth_hdr; 4158 __u8 *save_digest, *digest; 4159 struct sctp_hmac *hmac; 4160 unsigned int sig_len; 4161 __u16 key_id; 4162 4163 /* Pull in the auth header, so we can do some more verification */ 4164 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4165 chunk->subh.auth_hdr = auth_hdr; 4166 skb_pull(chunk->skb, sizeof(*auth_hdr)); 4167 4168 /* Make sure that we support the HMAC algorithm from the auth 4169 * chunk. 4170 */ 4171 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4172 return SCTP_IERROR_AUTH_BAD_HMAC; 4173 4174 /* Make sure that the provided shared key identifier has been 4175 * configured 4176 */ 4177 key_id = ntohs(auth_hdr->shkey_id); 4178 if (key_id != asoc->active_key_id) { 4179 sh_key = sctp_auth_get_shkey(asoc, key_id); 4180 if (!sh_key) 4181 return SCTP_IERROR_AUTH_BAD_KEYID; 4182 } 4183 4184 /* Make sure that the length of the signature matches what 4185 * we expect. 4186 */ 4187 sig_len = ntohs(chunk->chunk_hdr->length) - 4188 sizeof(struct sctp_auth_chunk); 4189 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4190 if (sig_len != hmac->hmac_len) 4191 return SCTP_IERROR_PROTO_VIOLATION; 4192 4193 /* Now that we've done validation checks, we can compute and 4194 * verify the hmac. The steps involved are: 4195 * 1. Save the digest from the chunk. 4196 * 2. Zero out the digest in the chunk. 4197 * 3. Compute the new digest 4198 * 4. Compare saved and new digests. 4199 */ 4200 digest = auth_hdr->hmac; 4201 skb_pull(chunk->skb, sig_len); 4202 4203 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4204 if (!save_digest) 4205 goto nomem; 4206 4207 memset(digest, 0, sig_len); 4208 4209 sctp_auth_calculate_hmac(asoc, chunk->skb, 4210 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4211 sh_key, GFP_ATOMIC); 4212 4213 /* Discard the packet if the digests do not match */ 4214 if (memcmp(save_digest, digest, sig_len)) { 4215 kfree(save_digest); 4216 return SCTP_IERROR_BAD_SIG; 4217 } 4218 4219 kfree(save_digest); 4220 chunk->auth = 1; 4221 4222 return SCTP_IERROR_NO_ERROR; 4223 nomem: 4224 return SCTP_IERROR_NOMEM; 4225 } 4226 4227 enum sctp_disposition sctp_sf_eat_auth(struct net *net, 4228 const struct sctp_endpoint *ep, 4229 const struct sctp_association *asoc, 4230 const union sctp_subtype type, 4231 void *arg, struct sctp_cmd_seq *commands) 4232 { 4233 struct sctp_chunk *chunk = arg; 4234 struct sctp_authhdr *auth_hdr; 4235 struct sctp_chunk *err_chunk; 4236 enum sctp_ierror error; 4237 4238 /* Make sure that the peer has AUTH capable */ 4239 if (!asoc->peer.auth_capable) 4240 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4241 4242 if (!sctp_vtag_verify(chunk, asoc)) { 4243 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4244 SCTP_NULL()); 4245 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4246 } 4247 4248 /* Make sure that the AUTH chunk has valid length. */ 4249 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4250 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4251 commands); 4252 4253 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4254 error = sctp_sf_authenticate(net, ep, asoc, type, chunk); 4255 switch (error) { 4256 case SCTP_IERROR_AUTH_BAD_HMAC: 4257 /* Generate the ERROR chunk and discard the rest 4258 * of the packet 4259 */ 4260 err_chunk = sctp_make_op_error(asoc, chunk, 4261 SCTP_ERROR_UNSUP_HMAC, 4262 &auth_hdr->hmac_id, 4263 sizeof(__u16), 0); 4264 if (err_chunk) { 4265 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4266 SCTP_CHUNK(err_chunk)); 4267 } 4268 /* Fall Through */ 4269 case SCTP_IERROR_AUTH_BAD_KEYID: 4270 case SCTP_IERROR_BAD_SIG: 4271 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4272 4273 case SCTP_IERROR_PROTO_VIOLATION: 4274 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4275 commands); 4276 4277 case SCTP_IERROR_NOMEM: 4278 return SCTP_DISPOSITION_NOMEM; 4279 4280 default: /* Prevent gcc warnings */ 4281 break; 4282 } 4283 4284 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4285 struct sctp_ulpevent *ev; 4286 4287 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4288 SCTP_AUTH_NEW_KEY, GFP_ATOMIC); 4289 4290 if (!ev) 4291 return -ENOMEM; 4292 4293 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4294 SCTP_ULPEVENT(ev)); 4295 } 4296 4297 return SCTP_DISPOSITION_CONSUME; 4298 } 4299 4300 /* 4301 * Process an unknown chunk. 4302 * 4303 * Section: 3.2. Also, 2.1 in the implementor's guide. 4304 * 4305 * Chunk Types are encoded such that the highest-order two bits specify 4306 * the action that must be taken if the processing endpoint does not 4307 * recognize the Chunk Type. 4308 * 4309 * 00 - Stop processing this SCTP packet and discard it, do not process 4310 * any further chunks within it. 4311 * 4312 * 01 - Stop processing this SCTP packet and discard it, do not process 4313 * any further chunks within it, and report the unrecognized 4314 * chunk in an 'Unrecognized Chunk Type'. 4315 * 4316 * 10 - Skip this chunk and continue processing. 4317 * 4318 * 11 - Skip this chunk and continue processing, but report in an ERROR 4319 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4320 * 4321 * The return value is the disposition of the chunk. 4322 */ 4323 enum sctp_disposition sctp_sf_unk_chunk(struct net *net, 4324 const struct sctp_endpoint *ep, 4325 const struct sctp_association *asoc, 4326 const union sctp_subtype type, 4327 void *arg, 4328 struct sctp_cmd_seq *commands) 4329 { 4330 struct sctp_chunk *unk_chunk = arg; 4331 struct sctp_chunk *err_chunk; 4332 struct sctp_chunkhdr *hdr; 4333 4334 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4335 4336 if (!sctp_vtag_verify(unk_chunk, asoc)) 4337 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4338 4339 /* Make sure that the chunk has a valid length. 4340 * Since we don't know the chunk type, we use a general 4341 * chunkhdr structure to make a comparison. 4342 */ 4343 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr))) 4344 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4345 commands); 4346 4347 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4348 case SCTP_CID_ACTION_DISCARD: 4349 /* Discard the packet. */ 4350 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4351 case SCTP_CID_ACTION_DISCARD_ERR: 4352 /* Generate an ERROR chunk as response. */ 4353 hdr = unk_chunk->chunk_hdr; 4354 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4355 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4356 SCTP_PAD4(ntohs(hdr->length)), 4357 0); 4358 if (err_chunk) { 4359 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4360 SCTP_CHUNK(err_chunk)); 4361 } 4362 4363 /* Discard the packet. */ 4364 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4365 return SCTP_DISPOSITION_CONSUME; 4366 case SCTP_CID_ACTION_SKIP: 4367 /* Skip the chunk. */ 4368 return SCTP_DISPOSITION_DISCARD; 4369 case SCTP_CID_ACTION_SKIP_ERR: 4370 /* Generate an ERROR chunk as response. */ 4371 hdr = unk_chunk->chunk_hdr; 4372 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4373 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4374 SCTP_PAD4(ntohs(hdr->length)), 4375 0); 4376 if (err_chunk) { 4377 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4378 SCTP_CHUNK(err_chunk)); 4379 } 4380 /* Skip the chunk. */ 4381 return SCTP_DISPOSITION_CONSUME; 4382 default: 4383 break; 4384 } 4385 4386 return SCTP_DISPOSITION_DISCARD; 4387 } 4388 4389 /* 4390 * Discard the chunk. 4391 * 4392 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4393 * [Too numerous to mention...] 4394 * Verification Tag: No verification needed. 4395 * Inputs 4396 * (endpoint, asoc, chunk) 4397 * 4398 * Outputs 4399 * (asoc, reply_msg, msg_up, timers, counters) 4400 * 4401 * The return value is the disposition of the chunk. 4402 */ 4403 enum sctp_disposition sctp_sf_discard_chunk(struct net *net, 4404 const struct sctp_endpoint *ep, 4405 const struct sctp_association *asoc, 4406 const union sctp_subtype type, 4407 void *arg, 4408 struct sctp_cmd_seq *commands) 4409 { 4410 struct sctp_chunk *chunk = arg; 4411 4412 /* Make sure that the chunk has a valid length. 4413 * Since we don't know the chunk type, we use a general 4414 * chunkhdr structure to make a comparison. 4415 */ 4416 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4417 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4418 commands); 4419 4420 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4421 4422 return SCTP_DISPOSITION_DISCARD; 4423 } 4424 4425 /* 4426 * Discard the whole packet. 4427 * 4428 * Section: 8.4 2) 4429 * 4430 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4431 * silently discard the OOTB packet and take no further action. 4432 * 4433 * Verification Tag: No verification necessary 4434 * 4435 * Inputs 4436 * (endpoint, asoc, chunk) 4437 * 4438 * Outputs 4439 * (asoc, reply_msg, msg_up, timers, counters) 4440 * 4441 * The return value is the disposition of the chunk. 4442 */ 4443 enum sctp_disposition sctp_sf_pdiscard(struct net *net, 4444 const struct sctp_endpoint *ep, 4445 const struct sctp_association *asoc, 4446 const union sctp_subtype type, 4447 void *arg, struct sctp_cmd_seq *commands) 4448 { 4449 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4450 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4451 4452 return SCTP_DISPOSITION_CONSUME; 4453 } 4454 4455 4456 /* 4457 * The other end is violating protocol. 4458 * 4459 * Section: Not specified 4460 * Verification Tag: Not specified 4461 * Inputs 4462 * (endpoint, asoc, chunk) 4463 * 4464 * Outputs 4465 * (asoc, reply_msg, msg_up, timers, counters) 4466 * 4467 * We simply tag the chunk as a violation. The state machine will log 4468 * the violation and continue. 4469 */ 4470 enum sctp_disposition sctp_sf_violation(struct net *net, 4471 const struct sctp_endpoint *ep, 4472 const struct sctp_association *asoc, 4473 const union sctp_subtype type, 4474 void *arg, 4475 struct sctp_cmd_seq *commands) 4476 { 4477 struct sctp_chunk *chunk = arg; 4478 4479 /* Make sure that the chunk has a valid length. */ 4480 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4481 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4482 commands); 4483 4484 return SCTP_DISPOSITION_VIOLATION; 4485 } 4486 4487 /* 4488 * Common function to handle a protocol violation. 4489 */ 4490 static enum sctp_disposition sctp_sf_abort_violation( 4491 struct net *net, 4492 const struct sctp_endpoint *ep, 4493 const struct sctp_association *asoc, 4494 void *arg, 4495 struct sctp_cmd_seq *commands, 4496 const __u8 *payload, 4497 const size_t paylen) 4498 { 4499 struct sctp_packet *packet = NULL; 4500 struct sctp_chunk *chunk = arg; 4501 struct sctp_chunk *abort = NULL; 4502 4503 /* SCTP-AUTH, Section 6.3: 4504 * It should be noted that if the receiver wants to tear 4505 * down an association in an authenticated way only, the 4506 * handling of malformed packets should not result in 4507 * tearing down the association. 4508 * 4509 * This means that if we only want to abort associations 4510 * in an authenticated way (i.e AUTH+ABORT), then we 4511 * can't destroy this association just because the packet 4512 * was malformed. 4513 */ 4514 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4515 goto discard; 4516 4517 /* Make the abort chunk. */ 4518 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4519 if (!abort) 4520 goto nomem; 4521 4522 if (asoc) { 4523 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4524 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4525 !asoc->peer.i.init_tag) { 4526 struct sctp_initack_chunk *initack; 4527 4528 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 4529 if (!sctp_chunk_length_valid(chunk, sizeof(*initack))) 4530 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4531 else { 4532 unsigned int inittag; 4533 4534 inittag = ntohl(initack->init_hdr.init_tag); 4535 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4536 SCTP_U32(inittag)); 4537 } 4538 } 4539 4540 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4541 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4542 4543 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4544 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4545 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4546 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4547 SCTP_ERROR(ECONNREFUSED)); 4548 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4549 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4550 } else { 4551 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4552 SCTP_ERROR(ECONNABORTED)); 4553 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4554 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4555 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4556 } 4557 } else { 4558 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4559 4560 if (!packet) 4561 goto nomem_pkt; 4562 4563 if (sctp_test_T_bit(abort)) 4564 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4565 4566 abort->skb->sk = ep->base.sk; 4567 4568 sctp_packet_append_chunk(packet, abort); 4569 4570 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4571 SCTP_PACKET(packet)); 4572 4573 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4574 } 4575 4576 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4577 4578 discard: 4579 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4580 return SCTP_DISPOSITION_ABORT; 4581 4582 nomem_pkt: 4583 sctp_chunk_free(abort); 4584 nomem: 4585 return SCTP_DISPOSITION_NOMEM; 4586 } 4587 4588 /* 4589 * Handle a protocol violation when the chunk length is invalid. 4590 * "Invalid" length is identified as smaller than the minimal length a 4591 * given chunk can be. For example, a SACK chunk has invalid length 4592 * if its length is set to be smaller than the size of struct sctp_sack_chunk. 4593 * 4594 * We inform the other end by sending an ABORT with a Protocol Violation 4595 * error code. 4596 * 4597 * Section: Not specified 4598 * Verification Tag: Nothing to do 4599 * Inputs 4600 * (endpoint, asoc, chunk) 4601 * 4602 * Outputs 4603 * (reply_msg, msg_up, counters) 4604 * 4605 * Generate an ABORT chunk and terminate the association. 4606 */ 4607 static enum sctp_disposition sctp_sf_violation_chunklen( 4608 struct net *net, 4609 const struct sctp_endpoint *ep, 4610 const struct sctp_association *asoc, 4611 const union sctp_subtype type, 4612 void *arg, 4613 struct sctp_cmd_seq *commands) 4614 { 4615 static const char err_str[] = "The following chunk had invalid length:"; 4616 4617 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4618 sizeof(err_str)); 4619 } 4620 4621 /* 4622 * Handle a protocol violation when the parameter length is invalid. 4623 * If the length is smaller than the minimum length of a given parameter, 4624 * or accumulated length in multi parameters exceeds the end of the chunk, 4625 * the length is considered as invalid. 4626 */ 4627 static enum sctp_disposition sctp_sf_violation_paramlen( 4628 struct net *net, 4629 const struct sctp_endpoint *ep, 4630 const struct sctp_association *asoc, 4631 const union sctp_subtype type, 4632 void *arg, void *ext, 4633 struct sctp_cmd_seq *commands) 4634 { 4635 struct sctp_paramhdr *param = ext; 4636 struct sctp_chunk *abort = NULL; 4637 struct sctp_chunk *chunk = arg; 4638 4639 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4640 goto discard; 4641 4642 /* Make the abort chunk. */ 4643 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4644 if (!abort) 4645 goto nomem; 4646 4647 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4648 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4649 4650 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4651 SCTP_ERROR(ECONNABORTED)); 4652 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4653 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4654 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4655 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4656 4657 discard: 4658 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4659 return SCTP_DISPOSITION_ABORT; 4660 nomem: 4661 return SCTP_DISPOSITION_NOMEM; 4662 } 4663 4664 /* Handle a protocol violation when the peer trying to advance the 4665 * cumulative tsn ack to a point beyond the max tsn currently sent. 4666 * 4667 * We inform the other end by sending an ABORT with a Protocol Violation 4668 * error code. 4669 */ 4670 static enum sctp_disposition sctp_sf_violation_ctsn( 4671 struct net *net, 4672 const struct sctp_endpoint *ep, 4673 const struct sctp_association *asoc, 4674 const union sctp_subtype type, 4675 void *arg, 4676 struct sctp_cmd_seq *commands) 4677 { 4678 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4679 4680 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4681 sizeof(err_str)); 4682 } 4683 4684 /* Handle protocol violation of an invalid chunk bundling. For example, 4685 * when we have an association and we receive bundled INIT-ACK, or 4686 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4687 * statement from the specs. Additionally, there might be an attacker 4688 * on the path and we may not want to continue this communication. 4689 */ 4690 static enum sctp_disposition sctp_sf_violation_chunk( 4691 struct net *net, 4692 const struct sctp_endpoint *ep, 4693 const struct sctp_association *asoc, 4694 const union sctp_subtype type, 4695 void *arg, 4696 struct sctp_cmd_seq *commands) 4697 { 4698 static const char err_str[] = "The following chunk violates protocol:"; 4699 4700 if (!asoc) 4701 return sctp_sf_violation(net, ep, asoc, type, arg, commands); 4702 4703 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4704 sizeof(err_str)); 4705 } 4706 /*************************************************************************** 4707 * These are the state functions for handling primitive (Section 10) events. 4708 ***************************************************************************/ 4709 /* 4710 * sctp_sf_do_prm_asoc 4711 * 4712 * Section: 10.1 ULP-to-SCTP 4713 * B) Associate 4714 * 4715 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4716 * outbound stream count) 4717 * -> association id [,destination transport addr list] [,outbound stream 4718 * count] 4719 * 4720 * This primitive allows the upper layer to initiate an association to a 4721 * specific peer endpoint. 4722 * 4723 * The peer endpoint shall be specified by one of the transport addresses 4724 * which defines the endpoint (see Section 1.4). If the local SCTP 4725 * instance has not been initialized, the ASSOCIATE is considered an 4726 * error. 4727 * [This is not relevant for the kernel implementation since we do all 4728 * initialization at boot time. It we hadn't initialized we wouldn't 4729 * get anywhere near this code.] 4730 * 4731 * An association id, which is a local handle to the SCTP association, 4732 * will be returned on successful establishment of the association. If 4733 * SCTP is not able to open an SCTP association with the peer endpoint, 4734 * an error is returned. 4735 * [In the kernel implementation, the struct sctp_association needs to 4736 * be created BEFORE causing this primitive to run.] 4737 * 4738 * Other association parameters may be returned, including the 4739 * complete destination transport addresses of the peer as well as the 4740 * outbound stream count of the local endpoint. One of the transport 4741 * address from the returned destination addresses will be selected by 4742 * the local endpoint as default primary path for sending SCTP packets 4743 * to this peer. The returned "destination transport addr list" can 4744 * be used by the ULP to change the default primary path or to force 4745 * sending a packet to a specific transport address. [All of this 4746 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4747 * function.] 4748 * 4749 * Mandatory attributes: 4750 * 4751 * o local SCTP instance name - obtained from the INITIALIZE operation. 4752 * [This is the argument asoc.] 4753 * o destination transport addr - specified as one of the transport 4754 * addresses of the peer endpoint with which the association is to be 4755 * established. 4756 * [This is asoc->peer.active_path.] 4757 * o outbound stream count - the number of outbound streams the ULP 4758 * would like to open towards this peer endpoint. 4759 * [BUG: This is not currently implemented.] 4760 * Optional attributes: 4761 * 4762 * None. 4763 * 4764 * The return value is a disposition. 4765 */ 4766 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net, 4767 const struct sctp_endpoint *ep, 4768 const struct sctp_association *asoc, 4769 const union sctp_subtype type, 4770 void *arg, 4771 struct sctp_cmd_seq *commands) 4772 { 4773 struct sctp_association *my_asoc; 4774 struct sctp_chunk *repl; 4775 4776 /* The comment below says that we enter COOKIE-WAIT AFTER 4777 * sending the INIT, but that doesn't actually work in our 4778 * implementation... 4779 */ 4780 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4781 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4782 4783 /* RFC 2960 5.1 Normal Establishment of an Association 4784 * 4785 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4786 * must provide its Verification Tag (Tag_A) in the Initiate 4787 * Tag field. Tag_A SHOULD be a random number in the range of 4788 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4789 */ 4790 4791 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4792 if (!repl) 4793 goto nomem; 4794 4795 /* Choose transport for INIT. */ 4796 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4797 SCTP_CHUNK(repl)); 4798 4799 /* Cast away the const modifier, as we want to just 4800 * rerun it through as a sideffect. 4801 */ 4802 my_asoc = (struct sctp_association *)asoc; 4803 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4804 4805 /* After sending the INIT, "A" starts the T1-init timer and 4806 * enters the COOKIE-WAIT state. 4807 */ 4808 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4809 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4810 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4811 return SCTP_DISPOSITION_CONSUME; 4812 4813 nomem: 4814 return SCTP_DISPOSITION_NOMEM; 4815 } 4816 4817 /* 4818 * Process the SEND primitive. 4819 * 4820 * Section: 10.1 ULP-to-SCTP 4821 * E) Send 4822 * 4823 * Format: SEND(association id, buffer address, byte count [,context] 4824 * [,stream id] [,life time] [,destination transport address] 4825 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4826 * -> result 4827 * 4828 * This is the main method to send user data via SCTP. 4829 * 4830 * Mandatory attributes: 4831 * 4832 * o association id - local handle to the SCTP association 4833 * 4834 * o buffer address - the location where the user message to be 4835 * transmitted is stored; 4836 * 4837 * o byte count - The size of the user data in number of bytes; 4838 * 4839 * Optional attributes: 4840 * 4841 * o context - an optional 32 bit integer that will be carried in the 4842 * sending failure notification to the ULP if the transportation of 4843 * this User Message fails. 4844 * 4845 * o stream id - to indicate which stream to send the data on. If not 4846 * specified, stream 0 will be used. 4847 * 4848 * o life time - specifies the life time of the user data. The user data 4849 * will not be sent by SCTP after the life time expires. This 4850 * parameter can be used to avoid efforts to transmit stale 4851 * user messages. SCTP notifies the ULP if the data cannot be 4852 * initiated to transport (i.e. sent to the destination via SCTP's 4853 * send primitive) within the life time variable. However, the 4854 * user data will be transmitted if SCTP has attempted to transmit a 4855 * chunk before the life time expired. 4856 * 4857 * o destination transport address - specified as one of the destination 4858 * transport addresses of the peer endpoint to which this packet 4859 * should be sent. Whenever possible, SCTP should use this destination 4860 * transport address for sending the packets, instead of the current 4861 * primary path. 4862 * 4863 * o unorder flag - this flag, if present, indicates that the user 4864 * would like the data delivered in an unordered fashion to the peer 4865 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4866 * message). 4867 * 4868 * o no-bundle flag - instructs SCTP not to bundle this user data with 4869 * other outbound DATA chunks. SCTP MAY still bundle even when 4870 * this flag is present, when faced with network congestion. 4871 * 4872 * o payload protocol-id - A 32 bit unsigned integer that is to be 4873 * passed to the peer indicating the type of payload protocol data 4874 * being transmitted. This value is passed as opaque data by SCTP. 4875 * 4876 * The return value is the disposition. 4877 */ 4878 enum sctp_disposition sctp_sf_do_prm_send(struct net *net, 4879 const struct sctp_endpoint *ep, 4880 const struct sctp_association *asoc, 4881 const union sctp_subtype type, 4882 void *arg, 4883 struct sctp_cmd_seq *commands) 4884 { 4885 struct sctp_datamsg *msg = arg; 4886 4887 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4888 return SCTP_DISPOSITION_CONSUME; 4889 } 4890 4891 /* 4892 * Process the SHUTDOWN primitive. 4893 * 4894 * Section: 10.1: 4895 * C) Shutdown 4896 * 4897 * Format: SHUTDOWN(association id) 4898 * -> result 4899 * 4900 * Gracefully closes an association. Any locally queued user data 4901 * will be delivered to the peer. The association will be terminated only 4902 * after the peer acknowledges all the SCTP packets sent. A success code 4903 * will be returned on successful termination of the association. If 4904 * attempting to terminate the association results in a failure, an error 4905 * code shall be returned. 4906 * 4907 * Mandatory attributes: 4908 * 4909 * o association id - local handle to the SCTP association 4910 * 4911 * Optional attributes: 4912 * 4913 * None. 4914 * 4915 * The return value is the disposition. 4916 */ 4917 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown( 4918 struct net *net, 4919 const struct sctp_endpoint *ep, 4920 const struct sctp_association *asoc, 4921 const union sctp_subtype type, 4922 void *arg, 4923 struct sctp_cmd_seq *commands) 4924 { 4925 enum sctp_disposition disposition; 4926 4927 /* From 9.2 Shutdown of an Association 4928 * Upon receipt of the SHUTDOWN primitive from its upper 4929 * layer, the endpoint enters SHUTDOWN-PENDING state and 4930 * remains there until all outstanding data has been 4931 * acknowledged by its peer. The endpoint accepts no new data 4932 * from its upper layer, but retransmits data to the far end 4933 * if necessary to fill gaps. 4934 */ 4935 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4936 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4937 4938 disposition = SCTP_DISPOSITION_CONSUME; 4939 if (sctp_outq_is_empty(&asoc->outqueue)) { 4940 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 4941 arg, commands); 4942 } 4943 4944 return disposition; 4945 } 4946 4947 /* 4948 * Process the ABORT primitive. 4949 * 4950 * Section: 10.1: 4951 * C) Abort 4952 * 4953 * Format: Abort(association id [, cause code]) 4954 * -> result 4955 * 4956 * Ungracefully closes an association. Any locally queued user data 4957 * will be discarded and an ABORT chunk is sent to the peer. A success code 4958 * will be returned on successful abortion of the association. If 4959 * attempting to abort the association results in a failure, an error 4960 * code shall be returned. 4961 * 4962 * Mandatory attributes: 4963 * 4964 * o association id - local handle to the SCTP association 4965 * 4966 * Optional attributes: 4967 * 4968 * o cause code - reason of the abort to be passed to the peer 4969 * 4970 * None. 4971 * 4972 * The return value is the disposition. 4973 */ 4974 enum sctp_disposition sctp_sf_do_9_1_prm_abort( 4975 struct net *net, 4976 const struct sctp_endpoint *ep, 4977 const struct sctp_association *asoc, 4978 const union sctp_subtype type, 4979 void *arg, 4980 struct sctp_cmd_seq *commands) 4981 { 4982 /* From 9.1 Abort of an Association 4983 * Upon receipt of the ABORT primitive from its upper 4984 * layer, the endpoint enters CLOSED state and 4985 * discard all outstanding data has been 4986 * acknowledged by its peer. The endpoint accepts no new data 4987 * from its upper layer, but retransmits data to the far end 4988 * if necessary to fill gaps. 4989 */ 4990 struct sctp_chunk *abort = arg; 4991 4992 if (abort) 4993 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4994 4995 /* Even if we can't send the ABORT due to low memory delete the 4996 * TCB. This is a departure from our typical NOMEM handling. 4997 */ 4998 4999 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5000 SCTP_ERROR(ECONNABORTED)); 5001 /* Delete the established association. */ 5002 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5003 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5004 5005 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5006 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5007 5008 return SCTP_DISPOSITION_ABORT; 5009 } 5010 5011 /* We tried an illegal operation on an association which is closed. */ 5012 enum sctp_disposition sctp_sf_error_closed(struct net *net, 5013 const struct sctp_endpoint *ep, 5014 const struct sctp_association *asoc, 5015 const union sctp_subtype type, 5016 void *arg, 5017 struct sctp_cmd_seq *commands) 5018 { 5019 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 5020 return SCTP_DISPOSITION_CONSUME; 5021 } 5022 5023 /* We tried an illegal operation on an association which is shutting 5024 * down. 5025 */ 5026 enum sctp_disposition sctp_sf_error_shutdown( 5027 struct net *net, 5028 const struct sctp_endpoint *ep, 5029 const struct sctp_association *asoc, 5030 const union sctp_subtype type, 5031 void *arg, 5032 struct sctp_cmd_seq *commands) 5033 { 5034 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 5035 SCTP_ERROR(-ESHUTDOWN)); 5036 return SCTP_DISPOSITION_CONSUME; 5037 } 5038 5039 /* 5040 * sctp_cookie_wait_prm_shutdown 5041 * 5042 * Section: 4 Note: 2 5043 * Verification Tag: 5044 * Inputs 5045 * (endpoint, asoc) 5046 * 5047 * The RFC does not explicitly address this issue, but is the route through the 5048 * state table when someone issues a shutdown while in COOKIE_WAIT state. 5049 * 5050 * Outputs 5051 * (timers) 5052 */ 5053 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( 5054 struct net *net, 5055 const struct sctp_endpoint *ep, 5056 const struct sctp_association *asoc, 5057 const union sctp_subtype type, 5058 void *arg, 5059 struct sctp_cmd_seq *commands) 5060 { 5061 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5062 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5063 5064 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5065 SCTP_STATE(SCTP_STATE_CLOSED)); 5066 5067 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 5068 5069 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 5070 5071 return SCTP_DISPOSITION_DELETE_TCB; 5072 } 5073 5074 /* 5075 * sctp_cookie_echoed_prm_shutdown 5076 * 5077 * Section: 4 Note: 2 5078 * Verification Tag: 5079 * Inputs 5080 * (endpoint, asoc) 5081 * 5082 * The RFC does not explcitly address this issue, but is the route through the 5083 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 5084 * 5085 * Outputs 5086 * (timers) 5087 */ 5088 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown( 5089 struct net *net, 5090 const struct sctp_endpoint *ep, 5091 const struct sctp_association *asoc, 5092 const union sctp_subtype type, 5093 void *arg, 5094 struct sctp_cmd_seq *commands) 5095 { 5096 /* There is a single T1 timer, so we should be able to use 5097 * common function with the COOKIE-WAIT state. 5098 */ 5099 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 5100 } 5101 5102 /* 5103 * sctp_sf_cookie_wait_prm_abort 5104 * 5105 * Section: 4 Note: 2 5106 * Verification Tag: 5107 * Inputs 5108 * (endpoint, asoc) 5109 * 5110 * The RFC does not explicitly address this issue, but is the route through the 5111 * state table when someone issues an abort while in COOKIE_WAIT state. 5112 * 5113 * Outputs 5114 * (timers) 5115 */ 5116 enum sctp_disposition sctp_sf_cookie_wait_prm_abort( 5117 struct net *net, 5118 const struct sctp_endpoint *ep, 5119 const struct sctp_association *asoc, 5120 const union sctp_subtype type, 5121 void *arg, 5122 struct sctp_cmd_seq *commands) 5123 { 5124 struct sctp_chunk *abort = arg; 5125 5126 /* Stop T1-init timer */ 5127 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5128 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5129 5130 if (abort) 5131 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5132 5133 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5134 SCTP_STATE(SCTP_STATE_CLOSED)); 5135 5136 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5137 5138 /* Even if we can't send the ABORT due to low memory delete the 5139 * TCB. This is a departure from our typical NOMEM handling. 5140 */ 5141 5142 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5143 SCTP_ERROR(ECONNREFUSED)); 5144 /* Delete the established association. */ 5145 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5146 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5147 5148 return SCTP_DISPOSITION_ABORT; 5149 } 5150 5151 /* 5152 * sctp_sf_cookie_echoed_prm_abort 5153 * 5154 * Section: 4 Note: 3 5155 * Verification Tag: 5156 * Inputs 5157 * (endpoint, asoc) 5158 * 5159 * The RFC does not explcitly address this issue, but is the route through the 5160 * state table when someone issues an abort while in COOKIE_ECHOED state. 5161 * 5162 * Outputs 5163 * (timers) 5164 */ 5165 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort( 5166 struct net *net, 5167 const struct sctp_endpoint *ep, 5168 const struct sctp_association *asoc, 5169 const union sctp_subtype type, 5170 void *arg, 5171 struct sctp_cmd_seq *commands) 5172 { 5173 /* There is a single T1 timer, so we should be able to use 5174 * common function with the COOKIE-WAIT state. 5175 */ 5176 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5177 } 5178 5179 /* 5180 * sctp_sf_shutdown_pending_prm_abort 5181 * 5182 * Inputs 5183 * (endpoint, asoc) 5184 * 5185 * The RFC does not explicitly address this issue, but is the route through the 5186 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5187 * 5188 * Outputs 5189 * (timers) 5190 */ 5191 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort( 5192 struct net *net, 5193 const struct sctp_endpoint *ep, 5194 const struct sctp_association *asoc, 5195 const union sctp_subtype type, 5196 void *arg, 5197 struct sctp_cmd_seq *commands) 5198 { 5199 /* Stop the T5-shutdown guard timer. */ 5200 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5201 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5202 5203 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5204 } 5205 5206 /* 5207 * sctp_sf_shutdown_sent_prm_abort 5208 * 5209 * Inputs 5210 * (endpoint, asoc) 5211 * 5212 * The RFC does not explicitly address this issue, but is the route through the 5213 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5214 * 5215 * Outputs 5216 * (timers) 5217 */ 5218 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort( 5219 struct net *net, 5220 const struct sctp_endpoint *ep, 5221 const struct sctp_association *asoc, 5222 const union sctp_subtype type, 5223 void *arg, 5224 struct sctp_cmd_seq *commands) 5225 { 5226 /* Stop the T2-shutdown timer. */ 5227 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5228 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5229 5230 /* Stop the T5-shutdown guard timer. */ 5231 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5232 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5233 5234 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5235 } 5236 5237 /* 5238 * sctp_sf_cookie_echoed_prm_abort 5239 * 5240 * Inputs 5241 * (endpoint, asoc) 5242 * 5243 * The RFC does not explcitly address this issue, but is the route through the 5244 * state table when someone issues an abort while in COOKIE_ECHOED state. 5245 * 5246 * Outputs 5247 * (timers) 5248 */ 5249 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort( 5250 struct net *net, 5251 const struct sctp_endpoint *ep, 5252 const struct sctp_association *asoc, 5253 const union sctp_subtype type, 5254 void *arg, 5255 struct sctp_cmd_seq *commands) 5256 { 5257 /* The same T2 timer, so we should be able to use 5258 * common function with the SHUTDOWN-SENT state. 5259 */ 5260 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5261 } 5262 5263 /* 5264 * Process the REQUESTHEARTBEAT primitive 5265 * 5266 * 10.1 ULP-to-SCTP 5267 * J) Request Heartbeat 5268 * 5269 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5270 * 5271 * -> result 5272 * 5273 * Instructs the local endpoint to perform a HeartBeat on the specified 5274 * destination transport address of the given association. The returned 5275 * result should indicate whether the transmission of the HEARTBEAT 5276 * chunk to the destination address is successful. 5277 * 5278 * Mandatory attributes: 5279 * 5280 * o association id - local handle to the SCTP association 5281 * 5282 * o destination transport address - the transport address of the 5283 * association on which a heartbeat should be issued. 5284 */ 5285 enum sctp_disposition sctp_sf_do_prm_requestheartbeat( 5286 struct net *net, 5287 const struct sctp_endpoint *ep, 5288 const struct sctp_association *asoc, 5289 const union sctp_subtype type, 5290 void *arg, 5291 struct sctp_cmd_seq *commands) 5292 { 5293 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5294 (struct sctp_transport *)arg, commands)) 5295 return SCTP_DISPOSITION_NOMEM; 5296 5297 /* 5298 * RFC 2960 (bis), section 8.3 5299 * 5300 * D) Request an on-demand HEARTBEAT on a specific destination 5301 * transport address of a given association. 5302 * 5303 * The endpoint should increment the respective error counter of 5304 * the destination transport address each time a HEARTBEAT is sent 5305 * to that address and not acknowledged within one RTO. 5306 * 5307 */ 5308 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5309 SCTP_TRANSPORT(arg)); 5310 return SCTP_DISPOSITION_CONSUME; 5311 } 5312 5313 /* 5314 * ADDIP Section 4.1 ASCONF Chunk Procedures 5315 * When an endpoint has an ASCONF signaled change to be sent to the 5316 * remote endpoint it should do A1 to A9 5317 */ 5318 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net, 5319 const struct sctp_endpoint *ep, 5320 const struct sctp_association *asoc, 5321 const union sctp_subtype type, 5322 void *arg, 5323 struct sctp_cmd_seq *commands) 5324 { 5325 struct sctp_chunk *chunk = arg; 5326 5327 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5328 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5329 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5330 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5331 return SCTP_DISPOSITION_CONSUME; 5332 } 5333 5334 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */ 5335 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net, 5336 const struct sctp_endpoint *ep, 5337 const struct sctp_association *asoc, 5338 const union sctp_subtype type, 5339 void *arg, 5340 struct sctp_cmd_seq *commands) 5341 { 5342 struct sctp_chunk *chunk = arg; 5343 5344 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5345 return SCTP_DISPOSITION_CONSUME; 5346 } 5347 5348 /* 5349 * Ignore the primitive event 5350 * 5351 * The return value is the disposition of the primitive. 5352 */ 5353 enum sctp_disposition sctp_sf_ignore_primitive( 5354 struct net *net, 5355 const struct sctp_endpoint *ep, 5356 const struct sctp_association *asoc, 5357 const union sctp_subtype type, 5358 void *arg, 5359 struct sctp_cmd_seq *commands) 5360 { 5361 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5362 type.primitive); 5363 5364 return SCTP_DISPOSITION_DISCARD; 5365 } 5366 5367 /*************************************************************************** 5368 * These are the state functions for the OTHER events. 5369 ***************************************************************************/ 5370 5371 /* 5372 * When the SCTP stack has no more user data to send or retransmit, this 5373 * notification is given to the user. Also, at the time when a user app 5374 * subscribes to this event, if there is no data to be sent or 5375 * retransmit, the stack will immediately send up this notification. 5376 */ 5377 enum sctp_disposition sctp_sf_do_no_pending_tsn( 5378 struct net *net, 5379 const struct sctp_endpoint *ep, 5380 const struct sctp_association *asoc, 5381 const union sctp_subtype type, 5382 void *arg, 5383 struct sctp_cmd_seq *commands) 5384 { 5385 struct sctp_ulpevent *event; 5386 5387 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5388 if (!event) 5389 return SCTP_DISPOSITION_NOMEM; 5390 5391 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5392 5393 return SCTP_DISPOSITION_CONSUME; 5394 } 5395 5396 /* 5397 * Start the shutdown negotiation. 5398 * 5399 * From Section 9.2: 5400 * Once all its outstanding data has been acknowledged, the endpoint 5401 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5402 * TSN Ack field the last sequential TSN it has received from the peer. 5403 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5404 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5405 * with the updated last sequential TSN received from its peer. 5406 * 5407 * The return value is the disposition. 5408 */ 5409 enum sctp_disposition sctp_sf_do_9_2_start_shutdown( 5410 struct net *net, 5411 const struct sctp_endpoint *ep, 5412 const struct sctp_association *asoc, 5413 const union sctp_subtype type, 5414 void *arg, 5415 struct sctp_cmd_seq *commands) 5416 { 5417 struct sctp_chunk *reply; 5418 5419 /* Once all its outstanding data has been acknowledged, the 5420 * endpoint shall send a SHUTDOWN chunk to its peer including 5421 * in the Cumulative TSN Ack field the last sequential TSN it 5422 * has received from the peer. 5423 */ 5424 reply = sctp_make_shutdown(asoc, NULL); 5425 if (!reply) 5426 goto nomem; 5427 5428 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5429 * T2-shutdown timer. 5430 */ 5431 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5432 5433 /* It shall then start the T2-shutdown timer */ 5434 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5435 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5436 5437 /* RFC 4960 Section 9.2 5438 * The sender of the SHUTDOWN MAY also start an overall guard timer 5439 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5440 */ 5441 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5442 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5443 5444 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5445 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5446 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5447 5448 /* and enter the SHUTDOWN-SENT state. */ 5449 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5450 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5451 5452 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5453 * 5454 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5455 * or SHUTDOWN-ACK. 5456 */ 5457 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5458 5459 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5460 5461 return SCTP_DISPOSITION_CONSUME; 5462 5463 nomem: 5464 return SCTP_DISPOSITION_NOMEM; 5465 } 5466 5467 /* 5468 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5469 * 5470 * From Section 9.2: 5471 * 5472 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5473 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5474 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5475 * endpoint must re-send the SHUTDOWN ACK. 5476 * 5477 * The return value is the disposition. 5478 */ 5479 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack( 5480 struct net *net, 5481 const struct sctp_endpoint *ep, 5482 const struct sctp_association *asoc, 5483 const union sctp_subtype type, 5484 void *arg, 5485 struct sctp_cmd_seq *commands) 5486 { 5487 struct sctp_chunk *chunk = arg; 5488 struct sctp_chunk *reply; 5489 5490 /* There are 2 ways of getting here: 5491 * 1) called in response to a SHUTDOWN chunk 5492 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5493 * 5494 * For the case (2), the arg parameter is set to NULL. We need 5495 * to check that we have a chunk before accessing it's fields. 5496 */ 5497 if (chunk) { 5498 if (!sctp_vtag_verify(chunk, asoc)) 5499 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 5500 commands); 5501 5502 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5503 if (!sctp_chunk_length_valid( 5504 chunk, sizeof(struct sctp_shutdown_chunk))) 5505 return sctp_sf_violation_chunklen(net, ep, asoc, type, 5506 arg, commands); 5507 } 5508 5509 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5510 * shall send a SHUTDOWN ACK ... 5511 */ 5512 reply = sctp_make_shutdown_ack(asoc, chunk); 5513 if (!reply) 5514 goto nomem; 5515 5516 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5517 * the T2-shutdown timer. 5518 */ 5519 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5520 5521 /* and start/restart a T2-shutdown timer of its own, */ 5522 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5523 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5524 5525 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5526 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5527 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5528 5529 /* Enter the SHUTDOWN-ACK-SENT state. */ 5530 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5531 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5532 5533 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5534 * 5535 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5536 * or SHUTDOWN-ACK. 5537 */ 5538 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5539 5540 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5541 5542 return SCTP_DISPOSITION_CONSUME; 5543 5544 nomem: 5545 return SCTP_DISPOSITION_NOMEM; 5546 } 5547 5548 /* 5549 * Ignore the event defined as other 5550 * 5551 * The return value is the disposition of the event. 5552 */ 5553 enum sctp_disposition sctp_sf_ignore_other(struct net *net, 5554 const struct sctp_endpoint *ep, 5555 const struct sctp_association *asoc, 5556 const union sctp_subtype type, 5557 void *arg, 5558 struct sctp_cmd_seq *commands) 5559 { 5560 pr_debug("%s: the event other type:%d is ignored\n", 5561 __func__, type.other); 5562 5563 return SCTP_DISPOSITION_DISCARD; 5564 } 5565 5566 /************************************************************ 5567 * These are the state functions for handling timeout events. 5568 ************************************************************/ 5569 5570 /* 5571 * RTX Timeout 5572 * 5573 * Section: 6.3.3 Handle T3-rtx Expiration 5574 * 5575 * Whenever the retransmission timer T3-rtx expires for a destination 5576 * address, do the following: 5577 * [See below] 5578 * 5579 * The return value is the disposition of the chunk. 5580 */ 5581 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net, 5582 const struct sctp_endpoint *ep, 5583 const struct sctp_association *asoc, 5584 const union sctp_subtype type, 5585 void *arg, 5586 struct sctp_cmd_seq *commands) 5587 { 5588 struct sctp_transport *transport = arg; 5589 5590 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5591 5592 if (asoc->overall_error_count >= asoc->max_retrans) { 5593 if (asoc->peer.zero_window_announced && 5594 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5595 /* 5596 * We are here likely because the receiver had its rwnd 5597 * closed for a while and we have not been able to 5598 * transmit the locally queued data within the maximum 5599 * retransmission attempts limit. Start the T5 5600 * shutdown guard timer to give the receiver one last 5601 * chance and some additional time to recover before 5602 * aborting. 5603 */ 5604 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5605 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5606 } else { 5607 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5608 SCTP_ERROR(ETIMEDOUT)); 5609 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5610 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5611 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5612 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5613 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5614 return SCTP_DISPOSITION_DELETE_TCB; 5615 } 5616 } 5617 5618 /* E1) For the destination address for which the timer 5619 * expires, adjust its ssthresh with rules defined in Section 5620 * 7.2.3 and set the cwnd <- MTU. 5621 */ 5622 5623 /* E2) For the destination address for which the timer 5624 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5625 * maximum value discussed in rule C7 above (RTO.max) may be 5626 * used to provide an upper bound to this doubling operation. 5627 */ 5628 5629 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5630 * outstanding DATA chunks for the address for which the 5631 * T3-rtx has expired will fit into a single packet, subject 5632 * to the MTU constraint for the path corresponding to the 5633 * destination transport address to which the retransmission 5634 * is being sent (this may be different from the address for 5635 * which the timer expires [see Section 6.4]). Call this 5636 * value K. Bundle and retransmit those K DATA chunks in a 5637 * single packet to the destination endpoint. 5638 * 5639 * Note: Any DATA chunks that were sent to the address for 5640 * which the T3-rtx timer expired but did not fit in one MTU 5641 * (rule E3 above), should be marked for retransmission and 5642 * sent as soon as cwnd allows (normally when a SACK arrives). 5643 */ 5644 5645 /* Do some failure management (Section 8.2). */ 5646 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5647 5648 /* NB: Rules E4 and F1 are implicit in R1. */ 5649 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5650 5651 return SCTP_DISPOSITION_CONSUME; 5652 } 5653 5654 /* 5655 * Generate delayed SACK on timeout 5656 * 5657 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5658 * 5659 * The guidelines on delayed acknowledgement algorithm specified in 5660 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5661 * acknowledgement SHOULD be generated for at least every second packet 5662 * (not every second DATA chunk) received, and SHOULD be generated 5663 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5664 * some situations it may be beneficial for an SCTP transmitter to be 5665 * more conservative than the algorithms detailed in this document 5666 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5667 * the following algorithms allow. 5668 */ 5669 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net, 5670 const struct sctp_endpoint *ep, 5671 const struct sctp_association *asoc, 5672 const union sctp_subtype type, 5673 void *arg, 5674 struct sctp_cmd_seq *commands) 5675 { 5676 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5677 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5678 return SCTP_DISPOSITION_CONSUME; 5679 } 5680 5681 /* 5682 * sctp_sf_t1_init_timer_expire 5683 * 5684 * Section: 4 Note: 2 5685 * Verification Tag: 5686 * Inputs 5687 * (endpoint, asoc) 5688 * 5689 * RFC 2960 Section 4 Notes 5690 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5691 * and re-start the T1-init timer without changing state. This MUST 5692 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5693 * endpoint MUST abort the initialization process and report the 5694 * error to SCTP user. 5695 * 5696 * Outputs 5697 * (timers, events) 5698 * 5699 */ 5700 enum sctp_disposition sctp_sf_t1_init_timer_expire( 5701 struct net *net, 5702 const struct sctp_endpoint *ep, 5703 const struct sctp_association *asoc, 5704 const union sctp_subtype type, 5705 void *arg, 5706 struct sctp_cmd_seq *commands) 5707 { 5708 int attempts = asoc->init_err_counter + 1; 5709 struct sctp_chunk *repl = NULL; 5710 struct sctp_bind_addr *bp; 5711 5712 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5713 5714 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5715 5716 if (attempts <= asoc->max_init_attempts) { 5717 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5718 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5719 if (!repl) 5720 return SCTP_DISPOSITION_NOMEM; 5721 5722 /* Choose transport for INIT. */ 5723 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5724 SCTP_CHUNK(repl)); 5725 5726 /* Issue a sideeffect to do the needed accounting. */ 5727 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5728 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5729 5730 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5731 } else { 5732 pr_debug("%s: giving up on INIT, attempts:%d " 5733 "max_init_attempts:%d\n", __func__, attempts, 5734 asoc->max_init_attempts); 5735 5736 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5737 SCTP_ERROR(ETIMEDOUT)); 5738 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5739 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5740 return SCTP_DISPOSITION_DELETE_TCB; 5741 } 5742 5743 return SCTP_DISPOSITION_CONSUME; 5744 } 5745 5746 /* 5747 * sctp_sf_t1_cookie_timer_expire 5748 * 5749 * Section: 4 Note: 2 5750 * Verification Tag: 5751 * Inputs 5752 * (endpoint, asoc) 5753 * 5754 * RFC 2960 Section 4 Notes 5755 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5756 * COOKIE ECHO and re-start the T1-cookie timer without changing 5757 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5758 * After that, the endpoint MUST abort the initialization process and 5759 * report the error to SCTP user. 5760 * 5761 * Outputs 5762 * (timers, events) 5763 * 5764 */ 5765 enum sctp_disposition sctp_sf_t1_cookie_timer_expire( 5766 struct net *net, 5767 const struct sctp_endpoint *ep, 5768 const struct sctp_association *asoc, 5769 const union sctp_subtype type, 5770 void *arg, 5771 struct sctp_cmd_seq *commands) 5772 { 5773 int attempts = asoc->init_err_counter + 1; 5774 struct sctp_chunk *repl = NULL; 5775 5776 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5777 5778 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5779 5780 if (attempts <= asoc->max_init_attempts) { 5781 repl = sctp_make_cookie_echo(asoc, NULL); 5782 if (!repl) 5783 return SCTP_DISPOSITION_NOMEM; 5784 5785 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5786 SCTP_CHUNK(repl)); 5787 /* Issue a sideeffect to do the needed accounting. */ 5788 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5789 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5790 5791 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5792 } else { 5793 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5794 SCTP_ERROR(ETIMEDOUT)); 5795 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5796 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5797 return SCTP_DISPOSITION_DELETE_TCB; 5798 } 5799 5800 return SCTP_DISPOSITION_CONSUME; 5801 } 5802 5803 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5804 * with the updated last sequential TSN received from its peer. 5805 * 5806 * An endpoint should limit the number of retransmissions of the 5807 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5808 * If this threshold is exceeded the endpoint should destroy the TCB and 5809 * MUST report the peer endpoint unreachable to the upper layer (and 5810 * thus the association enters the CLOSED state). The reception of any 5811 * packet from its peer (i.e. as the peer sends all of its queued DATA 5812 * chunks) should clear the endpoint's retransmission count and restart 5813 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5814 * all of its queued DATA chunks that have not yet been sent. 5815 */ 5816 enum sctp_disposition sctp_sf_t2_timer_expire( 5817 struct net *net, 5818 const struct sctp_endpoint *ep, 5819 const struct sctp_association *asoc, 5820 const union sctp_subtype type, 5821 void *arg, 5822 struct sctp_cmd_seq *commands) 5823 { 5824 struct sctp_chunk *reply = NULL; 5825 5826 pr_debug("%s: timer T2 expired\n", __func__); 5827 5828 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5829 5830 ((struct sctp_association *)asoc)->shutdown_retries++; 5831 5832 if (asoc->overall_error_count >= asoc->max_retrans) { 5833 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5834 SCTP_ERROR(ETIMEDOUT)); 5835 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5836 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5837 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5838 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5839 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5840 return SCTP_DISPOSITION_DELETE_TCB; 5841 } 5842 5843 switch (asoc->state) { 5844 case SCTP_STATE_SHUTDOWN_SENT: 5845 reply = sctp_make_shutdown(asoc, NULL); 5846 break; 5847 5848 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5849 reply = sctp_make_shutdown_ack(asoc, NULL); 5850 break; 5851 5852 default: 5853 BUG(); 5854 break; 5855 } 5856 5857 if (!reply) 5858 goto nomem; 5859 5860 /* Do some failure management (Section 8.2). 5861 * If we remove the transport an SHUTDOWN was last sent to, don't 5862 * do failure management. 5863 */ 5864 if (asoc->shutdown_last_sent_to) 5865 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5866 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5867 5868 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5869 * the T2-shutdown timer. 5870 */ 5871 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5872 5873 /* Restart the T2-shutdown timer. */ 5874 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5875 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5876 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5877 return SCTP_DISPOSITION_CONSUME; 5878 5879 nomem: 5880 return SCTP_DISPOSITION_NOMEM; 5881 } 5882 5883 /* 5884 * ADDIP Section 4.1 ASCONF CHunk Procedures 5885 * If the T4 RTO timer expires the endpoint should do B1 to B5 5886 */ 5887 enum sctp_disposition sctp_sf_t4_timer_expire( 5888 struct net *net, 5889 const struct sctp_endpoint *ep, 5890 const struct sctp_association *asoc, 5891 const union sctp_subtype type, 5892 void *arg, 5893 struct sctp_cmd_seq *commands) 5894 { 5895 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5896 struct sctp_transport *transport = chunk->transport; 5897 5898 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 5899 5900 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5901 * detection on the appropriate destination address as defined in 5902 * RFC2960 [5] section 8.1 and 8.2. 5903 */ 5904 if (transport) 5905 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5906 SCTP_TRANSPORT(transport)); 5907 5908 /* Reconfig T4 timer and transport. */ 5909 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5910 5911 /* ADDIP 4.1 B2) Increment the association error counters and perform 5912 * endpoint failure detection on the association as defined in 5913 * RFC2960 [5] section 8.1 and 8.2. 5914 * association error counter is incremented in SCTP_CMD_STRIKE. 5915 */ 5916 if (asoc->overall_error_count >= asoc->max_retrans) { 5917 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5918 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5919 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5920 SCTP_ERROR(ETIMEDOUT)); 5921 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5922 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5923 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5924 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5925 return SCTP_DISPOSITION_ABORT; 5926 } 5927 5928 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5929 * the ASCONF chunk was sent by doubling the RTO timer value. 5930 * This is done in SCTP_CMD_STRIKE. 5931 */ 5932 5933 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5934 * choose an alternate destination address (please refer to RFC2960 5935 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5936 * chunk, it MUST be the same (including its serial number) as the last 5937 * ASCONF sent. 5938 */ 5939 sctp_chunk_hold(asoc->addip_last_asconf); 5940 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5941 SCTP_CHUNK(asoc->addip_last_asconf)); 5942 5943 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5944 * destination is selected, then the RTO used will be that of the new 5945 * destination address. 5946 */ 5947 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5948 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5949 5950 return SCTP_DISPOSITION_CONSUME; 5951 } 5952 5953 /* sctpimpguide-05 Section 2.12.2 5954 * The sender of the SHUTDOWN MAY also start an overall guard timer 5955 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5956 * At the expiration of this timer the sender SHOULD abort the association 5957 * by sending an ABORT chunk. 5958 */ 5959 enum sctp_disposition sctp_sf_t5_timer_expire( 5960 struct net *net, 5961 const struct sctp_endpoint *ep, 5962 const struct sctp_association *asoc, 5963 const union sctp_subtype type, 5964 void *arg, 5965 struct sctp_cmd_seq *commands) 5966 { 5967 struct sctp_chunk *reply = NULL; 5968 5969 pr_debug("%s: timer T5 expired\n", __func__); 5970 5971 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 5972 5973 reply = sctp_make_abort(asoc, NULL, 0); 5974 if (!reply) 5975 goto nomem; 5976 5977 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5978 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5979 SCTP_ERROR(ETIMEDOUT)); 5980 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5981 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5982 5983 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5984 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5985 5986 return SCTP_DISPOSITION_DELETE_TCB; 5987 nomem: 5988 return SCTP_DISPOSITION_NOMEM; 5989 } 5990 5991 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 5992 * the association is automatically closed by starting the shutdown process. 5993 * The work that needs to be done is same as when SHUTDOWN is initiated by 5994 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 5995 */ 5996 enum sctp_disposition sctp_sf_autoclose_timer_expire( 5997 struct net *net, 5998 const struct sctp_endpoint *ep, 5999 const struct sctp_association *asoc, 6000 const union sctp_subtype type, 6001 void *arg, 6002 struct sctp_cmd_seq *commands) 6003 { 6004 enum sctp_disposition disposition; 6005 6006 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 6007 6008 /* From 9.2 Shutdown of an Association 6009 * Upon receipt of the SHUTDOWN primitive from its upper 6010 * layer, the endpoint enters SHUTDOWN-PENDING state and 6011 * remains there until all outstanding data has been 6012 * acknowledged by its peer. The endpoint accepts no new data 6013 * from its upper layer, but retransmits data to the far end 6014 * if necessary to fill gaps. 6015 */ 6016 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 6017 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 6018 6019 disposition = SCTP_DISPOSITION_CONSUME; 6020 if (sctp_outq_is_empty(&asoc->outqueue)) { 6021 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 6022 arg, commands); 6023 } 6024 6025 return disposition; 6026 } 6027 6028 /***************************************************************************** 6029 * These are sa state functions which could apply to all types of events. 6030 ****************************************************************************/ 6031 6032 /* 6033 * This table entry is not implemented. 6034 * 6035 * Inputs 6036 * (endpoint, asoc, chunk) 6037 * 6038 * The return value is the disposition of the chunk. 6039 */ 6040 enum sctp_disposition sctp_sf_not_impl(struct net *net, 6041 const struct sctp_endpoint *ep, 6042 const struct sctp_association *asoc, 6043 const union sctp_subtype type, 6044 void *arg, struct sctp_cmd_seq *commands) 6045 { 6046 return SCTP_DISPOSITION_NOT_IMPL; 6047 } 6048 6049 /* 6050 * This table entry represents a bug. 6051 * 6052 * Inputs 6053 * (endpoint, asoc, chunk) 6054 * 6055 * The return value is the disposition of the chunk. 6056 */ 6057 enum sctp_disposition sctp_sf_bug(struct net *net, 6058 const struct sctp_endpoint *ep, 6059 const struct sctp_association *asoc, 6060 const union sctp_subtype type, 6061 void *arg, struct sctp_cmd_seq *commands) 6062 { 6063 return SCTP_DISPOSITION_BUG; 6064 } 6065 6066 /* 6067 * This table entry represents the firing of a timer in the wrong state. 6068 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 6069 * when the association is in the wrong state. This event should 6070 * be ignored, so as to prevent any rearming of the timer. 6071 * 6072 * Inputs 6073 * (endpoint, asoc, chunk) 6074 * 6075 * The return value is the disposition of the chunk. 6076 */ 6077 enum sctp_disposition sctp_sf_timer_ignore(struct net *net, 6078 const struct sctp_endpoint *ep, 6079 const struct sctp_association *asoc, 6080 const union sctp_subtype type, 6081 void *arg, 6082 struct sctp_cmd_seq *commands) 6083 { 6084 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 6085 6086 return SCTP_DISPOSITION_CONSUME; 6087 } 6088 6089 /******************************************************************** 6090 * 2nd Level Abstractions 6091 ********************************************************************/ 6092 6093 /* Pull the SACK chunk based on the SACK header. */ 6094 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 6095 { 6096 struct sctp_sackhdr *sack; 6097 __u16 num_dup_tsns; 6098 unsigned int len; 6099 __u16 num_blocks; 6100 6101 /* Protect ourselves from reading too far into 6102 * the skb from a bogus sender. 6103 */ 6104 sack = (struct sctp_sackhdr *) chunk->skb->data; 6105 6106 num_blocks = ntohs(sack->num_gap_ack_blocks); 6107 num_dup_tsns = ntohs(sack->num_dup_tsns); 6108 len = sizeof(struct sctp_sackhdr); 6109 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 6110 if (len > chunk->skb->len) 6111 return NULL; 6112 6113 skb_pull(chunk->skb, len); 6114 6115 return sack; 6116 } 6117 6118 /* Create an ABORT packet to be sent as a response, with the specified 6119 * error causes. 6120 */ 6121 static struct sctp_packet *sctp_abort_pkt_new( 6122 struct net *net, 6123 const struct sctp_endpoint *ep, 6124 const struct sctp_association *asoc, 6125 struct sctp_chunk *chunk, 6126 const void *payload, size_t paylen) 6127 { 6128 struct sctp_packet *packet; 6129 struct sctp_chunk *abort; 6130 6131 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6132 6133 if (packet) { 6134 /* Make an ABORT. 6135 * The T bit will be set if the asoc is NULL. 6136 */ 6137 abort = sctp_make_abort(asoc, chunk, paylen); 6138 if (!abort) { 6139 sctp_ootb_pkt_free(packet); 6140 return NULL; 6141 } 6142 6143 /* Reflect vtag if T-Bit is set */ 6144 if (sctp_test_T_bit(abort)) 6145 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 6146 6147 /* Add specified error causes, i.e., payload, to the 6148 * end of the chunk. 6149 */ 6150 sctp_addto_chunk(abort, paylen, payload); 6151 6152 /* Set the skb to the belonging sock for accounting. */ 6153 abort->skb->sk = ep->base.sk; 6154 6155 sctp_packet_append_chunk(packet, abort); 6156 6157 } 6158 6159 return packet; 6160 } 6161 6162 /* Allocate a packet for responding in the OOTB conditions. */ 6163 static struct sctp_packet *sctp_ootb_pkt_new( 6164 struct net *net, 6165 const struct sctp_association *asoc, 6166 const struct sctp_chunk *chunk) 6167 { 6168 struct sctp_transport *transport; 6169 struct sctp_packet *packet; 6170 __u16 sport, dport; 6171 __u32 vtag; 6172 6173 /* Get the source and destination port from the inbound packet. */ 6174 sport = ntohs(chunk->sctp_hdr->dest); 6175 dport = ntohs(chunk->sctp_hdr->source); 6176 6177 /* The V-tag is going to be the same as the inbound packet if no 6178 * association exists, otherwise, use the peer's vtag. 6179 */ 6180 if (asoc) { 6181 /* Special case the INIT-ACK as there is no peer's vtag 6182 * yet. 6183 */ 6184 switch (chunk->chunk_hdr->type) { 6185 case SCTP_CID_INIT_ACK: 6186 { 6187 struct sctp_initack_chunk *initack; 6188 6189 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 6190 vtag = ntohl(initack->init_hdr.init_tag); 6191 break; 6192 } 6193 default: 6194 vtag = asoc->peer.i.init_tag; 6195 break; 6196 } 6197 } else { 6198 /* Special case the INIT and stale COOKIE_ECHO as there is no 6199 * vtag yet. 6200 */ 6201 switch (chunk->chunk_hdr->type) { 6202 case SCTP_CID_INIT: 6203 { 6204 struct sctp_init_chunk *init; 6205 6206 init = (struct sctp_init_chunk *)chunk->chunk_hdr; 6207 vtag = ntohl(init->init_hdr.init_tag); 6208 break; 6209 } 6210 default: 6211 vtag = ntohl(chunk->sctp_hdr->vtag); 6212 break; 6213 } 6214 } 6215 6216 /* Make a transport for the bucket, Eliza... */ 6217 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6218 if (!transport) 6219 goto nomem; 6220 6221 /* Cache a route for the transport with the chunk's destination as 6222 * the source address. 6223 */ 6224 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6225 sctp_sk(net->sctp.ctl_sock)); 6226 6227 packet = &transport->packet; 6228 sctp_packet_init(packet, transport, sport, dport); 6229 sctp_packet_config(packet, vtag, 0); 6230 6231 return packet; 6232 6233 nomem: 6234 return NULL; 6235 } 6236 6237 /* Free the packet allocated earlier for responding in the OOTB condition. */ 6238 void sctp_ootb_pkt_free(struct sctp_packet *packet) 6239 { 6240 sctp_transport_free(packet->transport); 6241 } 6242 6243 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6244 static void sctp_send_stale_cookie_err(struct net *net, 6245 const struct sctp_endpoint *ep, 6246 const struct sctp_association *asoc, 6247 const struct sctp_chunk *chunk, 6248 struct sctp_cmd_seq *commands, 6249 struct sctp_chunk *err_chunk) 6250 { 6251 struct sctp_packet *packet; 6252 6253 if (err_chunk) { 6254 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6255 if (packet) { 6256 struct sctp_signed_cookie *cookie; 6257 6258 /* Override the OOTB vtag from the cookie. */ 6259 cookie = chunk->subh.cookie_hdr; 6260 packet->vtag = cookie->c.peer_vtag; 6261 6262 /* Set the skb to the belonging sock for accounting. */ 6263 err_chunk->skb->sk = ep->base.sk; 6264 sctp_packet_append_chunk(packet, err_chunk); 6265 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6266 SCTP_PACKET(packet)); 6267 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6268 } else 6269 sctp_chunk_free (err_chunk); 6270 } 6271 } 6272 6273 6274 /* Process a data chunk */ 6275 static int sctp_eat_data(const struct sctp_association *asoc, 6276 struct sctp_chunk *chunk, 6277 struct sctp_cmd_seq *commands) 6278 { 6279 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6280 struct sock *sk = asoc->base.sk; 6281 struct net *net = sock_net(sk); 6282 struct sctp_datahdr *data_hdr; 6283 struct sctp_chunk *err; 6284 enum sctp_verb deliver; 6285 size_t datalen; 6286 __u32 tsn; 6287 int tmp; 6288 6289 data_hdr = (struct sctp_datahdr *)chunk->skb->data; 6290 chunk->subh.data_hdr = data_hdr; 6291 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream)); 6292 6293 tsn = ntohl(data_hdr->tsn); 6294 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6295 6296 /* ASSERT: Now skb->data is really the user data. */ 6297 6298 /* Process ECN based congestion. 6299 * 6300 * Since the chunk structure is reused for all chunks within 6301 * a packet, we use ecn_ce_done to track if we've already 6302 * done CE processing for this packet. 6303 * 6304 * We need to do ECN processing even if we plan to discard the 6305 * chunk later. 6306 */ 6307 6308 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) { 6309 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af; 6310 chunk->ecn_ce_done = 1; 6311 6312 if (af->is_ce(sctp_gso_headskb(chunk->skb))) { 6313 /* Do real work as sideffect. */ 6314 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6315 SCTP_U32(tsn)); 6316 } 6317 } 6318 6319 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6320 if (tmp < 0) { 6321 /* The TSN is too high--silently discard the chunk and 6322 * count on it getting retransmitted later. 6323 */ 6324 if (chunk->asoc) 6325 chunk->asoc->stats.outofseqtsns++; 6326 return SCTP_IERROR_HIGH_TSN; 6327 } else if (tmp > 0) { 6328 /* This is a duplicate. Record it. */ 6329 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6330 return SCTP_IERROR_DUP_TSN; 6331 } 6332 6333 /* This is a new TSN. */ 6334 6335 /* Discard if there is no room in the receive window. 6336 * Actually, allow a little bit of overflow (up to a MTU). 6337 */ 6338 datalen = ntohs(chunk->chunk_hdr->length); 6339 datalen -= sctp_datachk_len(&asoc->stream); 6340 6341 deliver = SCTP_CMD_CHUNK_ULP; 6342 6343 /* Think about partial delivery. */ 6344 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6345 6346 /* Even if we don't accept this chunk there is 6347 * memory pressure. 6348 */ 6349 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6350 } 6351 6352 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6353 * seems a bit troublesome in that frag_point varies based on 6354 * PMTU. In cases, such as loopback, this might be a rather 6355 * large spill over. 6356 */ 6357 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6358 (datalen > asoc->rwnd + asoc->frag_point))) { 6359 6360 /* If this is the next TSN, consider reneging to make 6361 * room. Note: Playing nice with a confused sender. A 6362 * malicious sender can still eat up all our buffer 6363 * space and in the future we may want to detect and 6364 * do more drastic reneging. 6365 */ 6366 if (sctp_tsnmap_has_gap(map) && 6367 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6368 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6369 deliver = SCTP_CMD_RENEGE; 6370 } else { 6371 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6372 __func__, tsn, datalen, asoc->rwnd); 6373 6374 return SCTP_IERROR_IGNORE_TSN; 6375 } 6376 } 6377 6378 /* 6379 * Also try to renege to limit our memory usage in the event that 6380 * we are under memory pressure 6381 * If we can't renege, don't worry about it, the sk_rmem_schedule 6382 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6383 * memory usage too much 6384 */ 6385 if (*sk->sk_prot_creator->memory_pressure) { 6386 if (sctp_tsnmap_has_gap(map) && 6387 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6388 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6389 __func__, tsn); 6390 deliver = SCTP_CMD_RENEGE; 6391 } 6392 } 6393 6394 /* 6395 * Section 3.3.10.9 No User Data (9) 6396 * 6397 * Cause of error 6398 * --------------- 6399 * No User Data: This error cause is returned to the originator of a 6400 * DATA chunk if a received DATA chunk has no user data. 6401 */ 6402 if (unlikely(0 == datalen)) { 6403 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6404 if (err) { 6405 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6406 SCTP_CHUNK(err)); 6407 } 6408 /* We are going to ABORT, so we might as well stop 6409 * processing the rest of the chunks in the packet. 6410 */ 6411 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6412 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6413 SCTP_ERROR(ECONNABORTED)); 6414 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6415 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6416 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6417 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6418 return SCTP_IERROR_NO_DATA; 6419 } 6420 6421 chunk->data_accepted = 1; 6422 6423 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6424 * if we renege and the chunk arrives again. 6425 */ 6426 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6427 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6428 if (chunk->asoc) 6429 chunk->asoc->stats.iuodchunks++; 6430 } else { 6431 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6432 if (chunk->asoc) 6433 chunk->asoc->stats.iodchunks++; 6434 } 6435 6436 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6437 * 6438 * If an endpoint receive a DATA chunk with an invalid stream 6439 * identifier, it shall acknowledge the reception of the DATA chunk 6440 * following the normal procedure, immediately send an ERROR chunk 6441 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6442 * and discard the DATA chunk. 6443 */ 6444 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) { 6445 /* Mark tsn as received even though we drop it */ 6446 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6447 6448 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6449 &data_hdr->stream, 6450 sizeof(data_hdr->stream), 6451 sizeof(u16)); 6452 if (err) 6453 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6454 SCTP_CHUNK(err)); 6455 return SCTP_IERROR_BAD_STREAM; 6456 } 6457 6458 /* Check to see if the SSN is possible for this TSN. 6459 * The biggest gap we can record is 4K wide. Since SSNs wrap 6460 * at an unsigned short, there is no way that an SSN can 6461 * wrap and for a valid TSN. We can simply check if the current 6462 * SSN is smaller then the next expected one. If it is, it wrapped 6463 * and is invalid. 6464 */ 6465 if (!asoc->stream.si->validate_data(chunk)) 6466 return SCTP_IERROR_PROTO_VIOLATION; 6467 6468 /* Send the data up to the user. Note: Schedule the 6469 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6470 * chunk needs the updated rwnd. 6471 */ 6472 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6473 6474 return SCTP_IERROR_NO_ERROR; 6475 } 6476