1 /* SCTP kernel reference Implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This file is part of the SCTP kernel reference Implementation 9 * 10 * This is part of the SCTP Linux Kernel Reference Implementation. 11 * 12 * These are the state functions for the state machine. 13 * 14 * The SCTP reference implementation is free software; 15 * you can redistribute it and/or modify it under the terms of 16 * the GNU General Public License as published by 17 * the Free Software Foundation; either version 2, or (at your option) 18 * any later version. 19 * 20 * The SCTP reference implementation is distributed in the hope that it 21 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 22 * ************************ 23 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 24 * See the GNU General Public License for more details. 25 * 26 * You should have received a copy of the GNU General Public License 27 * along with GNU CC; see the file COPYING. If not, write to 28 * the Free Software Foundation, 59 Temple Place - Suite 330, 29 * Boston, MA 02111-1307, USA. 30 * 31 * Please send any bug reports or fixes you make to the 32 * email address(es): 33 * lksctp developers <lksctp-developers@lists.sourceforge.net> 34 * 35 * Or submit a bug report through the following website: 36 * http://www.sf.net/projects/lksctp 37 * 38 * Written or modified by: 39 * La Monte H.P. Yarroll <piggy@acm.org> 40 * Karl Knutson <karl@athena.chicago.il.us> 41 * Mathew Kotowsky <kotowsky@sctp.org> 42 * Sridhar Samudrala <samudrala@us.ibm.com> 43 * Jon Grimm <jgrimm@us.ibm.com> 44 * Hui Huang <hui.huang@nokia.com> 45 * Dajiang Zhang <dajiang.zhang@nokia.com> 46 * Daisy Chang <daisyc@us.ibm.com> 47 * Ardelle Fan <ardelle.fan@intel.com> 48 * Ryan Layer <rmlayer@us.ibm.com> 49 * Kevin Gao <kevin.gao@intel.com> 50 * 51 * Any bugs reported given to us we will try to fix... any fixes shared will 52 * be incorporated into the next SCTP release. 53 */ 54 55 #include <linux/types.h> 56 #include <linux/kernel.h> 57 #include <linux/ip.h> 58 #include <linux/ipv6.h> 59 #include <linux/net.h> 60 #include <linux/inet.h> 61 #include <net/sock.h> 62 #include <net/inet_ecn.h> 63 #include <linux/skbuff.h> 64 #include <net/sctp/sctp.h> 65 #include <net/sctp/sm.h> 66 #include <net/sctp/structs.h> 67 68 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 69 const struct sctp_association *asoc, 70 struct sctp_chunk *chunk, 71 const void *payload, 72 size_t paylen); 73 static int sctp_eat_data(const struct sctp_association *asoc, 74 struct sctp_chunk *chunk, 75 sctp_cmd_seq_t *commands); 76 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk); 78 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const struct sctp_chunk *chunk, 81 sctp_cmd_seq_t *commands, 82 struct sctp_chunk *err_chunk); 83 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 84 const struct sctp_association *asoc, 85 const sctp_subtype_t type, 86 void *arg, 87 sctp_cmd_seq_t *commands); 88 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 89 const struct sctp_association *asoc, 90 const sctp_subtype_t type, 91 void *arg, 92 sctp_cmd_seq_t *commands); 93 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 94 95 96 /* Small helper function that checks if the chunk length 97 * is of the appropriate length. The 'required_length' argument 98 * is set to be the size of a specific chunk we are testing. 99 * Return Values: 1 = Valid length 100 * 0 = Invalid length 101 * 102 */ 103 static inline int 104 sctp_chunk_length_valid(struct sctp_chunk *chunk, 105 __u16 required_length) 106 { 107 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 108 109 if (unlikely(chunk_length < required_length)) 110 return 0; 111 112 return 1; 113 } 114 115 /********************************************************** 116 * These are the state functions for handling chunk events. 117 **********************************************************/ 118 119 /* 120 * Process the final SHUTDOWN COMPLETE. 121 * 122 * Section: 4 (C) (diagram), 9.2 123 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 124 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 125 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 126 * should stop the T2-shutdown timer and remove all knowledge of the 127 * association (and thus the association enters the CLOSED state). 128 * 129 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 130 * C) Rules for packet carrying SHUTDOWN COMPLETE: 131 * ... 132 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 133 * if the Verification Tag field of the packet matches its own tag and 134 * the T bit is not set 135 * OR 136 * it is set to its peer's tag and the T bit is set in the Chunk 137 * Flags. 138 * Otherwise, the receiver MUST silently discard the packet 139 * and take no further action. An endpoint MUST ignore the 140 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 141 * 142 * Inputs 143 * (endpoint, asoc, chunk) 144 * 145 * Outputs 146 * (asoc, reply_msg, msg_up, timers, counters) 147 * 148 * The return value is the disposition of the chunk. 149 */ 150 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 151 const struct sctp_association *asoc, 152 const sctp_subtype_t type, 153 void *arg, 154 sctp_cmd_seq_t *commands) 155 { 156 struct sctp_chunk *chunk = arg; 157 struct sctp_ulpevent *ev; 158 159 /* RFC 2960 6.10 Bundling 160 * 161 * An endpoint MUST NOT bundle INIT, INIT ACK or 162 * SHUTDOWN COMPLETE with any other chunks. 163 */ 164 if (!chunk->singleton) 165 return SCTP_DISPOSITION_VIOLATION; 166 167 if (!sctp_vtag_verify_either(chunk, asoc)) 168 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 169 170 /* RFC 2960 10.2 SCTP-to-ULP 171 * 172 * H) SHUTDOWN COMPLETE notification 173 * 174 * When SCTP completes the shutdown procedures (section 9.2) this 175 * notification is passed to the upper layer. 176 */ 177 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 178 0, 0, 0, GFP_ATOMIC); 179 if (!ev) 180 goto nomem; 181 182 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 183 184 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 185 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 186 * not the chunk should be discarded. If the endpoint is in 187 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 188 * T2-shutdown timer and remove all knowledge of the 189 * association (and thus the association enters the CLOSED 190 * state). 191 */ 192 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 193 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 194 195 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 196 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 197 198 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 199 SCTP_STATE(SCTP_STATE_CLOSED)); 200 201 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 202 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 203 204 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 205 206 return SCTP_DISPOSITION_DELETE_TCB; 207 208 nomem: 209 return SCTP_DISPOSITION_NOMEM; 210 } 211 212 /* 213 * Respond to a normal INIT chunk. 214 * We are the side that is being asked for an association. 215 * 216 * Section: 5.1 Normal Establishment of an Association, B 217 * B) "Z" shall respond immediately with an INIT ACK chunk. The 218 * destination IP address of the INIT ACK MUST be set to the source 219 * IP address of the INIT to which this INIT ACK is responding. In 220 * the response, besides filling in other parameters, "Z" must set the 221 * Verification Tag field to Tag_A, and also provide its own 222 * Verification Tag (Tag_Z) in the Initiate Tag field. 223 * 224 * Verification Tag: Must be 0. 225 * 226 * Inputs 227 * (endpoint, asoc, chunk) 228 * 229 * Outputs 230 * (asoc, reply_msg, msg_up, timers, counters) 231 * 232 * The return value is the disposition of the chunk. 233 */ 234 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 235 const struct sctp_association *asoc, 236 const sctp_subtype_t type, 237 void *arg, 238 sctp_cmd_seq_t *commands) 239 { 240 struct sctp_chunk *chunk = arg; 241 struct sctp_chunk *repl; 242 struct sctp_association *new_asoc; 243 struct sctp_chunk *err_chunk; 244 struct sctp_packet *packet; 245 sctp_unrecognized_param_t *unk_param; 246 struct sock *sk; 247 int len; 248 249 /* 6.10 Bundling 250 * An endpoint MUST NOT bundle INIT, INIT ACK or 251 * SHUTDOWN COMPLETE with any other chunks. 252 * 253 * IG Section 2.11.2 254 * Furthermore, we require that the receiver of an INIT chunk MUST 255 * enforce these rules by silently discarding an arriving packet 256 * with an INIT chunk that is bundled with other chunks. 257 */ 258 if (!chunk->singleton) 259 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 260 261 /* If the packet is an OOTB packet which is temporarily on the 262 * control endpoint, respond with an ABORT. 263 */ 264 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 265 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 266 267 sk = ep->base.sk; 268 /* If the endpoint is not listening or if the number of associations 269 * on the TCP-style socket exceed the max backlog, respond with an 270 * ABORT. 271 */ 272 if (!sctp_sstate(sk, LISTENING) || 273 (sctp_style(sk, TCP) && 274 sk_acceptq_is_full(sk))) 275 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 276 277 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 278 * Tag. 279 */ 280 if (chunk->sctp_hdr->vtag != 0) 281 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 282 283 /* Make sure that the INIT chunk has a valid length. 284 * Normally, this would cause an ABORT with a Protocol Violation 285 * error, but since we don't have an association, we'll 286 * just discard the packet. 287 */ 288 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 289 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 290 291 /* Verify the INIT chunk before processing it. */ 292 err_chunk = NULL; 293 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 294 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 295 &err_chunk)) { 296 /* This chunk contains fatal error. It is to be discarded. 297 * Send an ABORT, with causes if there is any. 298 */ 299 if (err_chunk) { 300 packet = sctp_abort_pkt_new(ep, asoc, arg, 301 (__u8 *)(err_chunk->chunk_hdr) + 302 sizeof(sctp_chunkhdr_t), 303 ntohs(err_chunk->chunk_hdr->length) - 304 sizeof(sctp_chunkhdr_t)); 305 306 sctp_chunk_free(err_chunk); 307 308 if (packet) { 309 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 310 SCTP_PACKET(packet)); 311 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 312 return SCTP_DISPOSITION_CONSUME; 313 } else { 314 return SCTP_DISPOSITION_NOMEM; 315 } 316 } else { 317 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 318 commands); 319 } 320 } 321 322 /* Grab the INIT header. */ 323 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 324 325 /* Tag the variable length parameters. */ 326 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 327 328 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 329 if (!new_asoc) 330 goto nomem; 331 332 /* The call, sctp_process_init(), can fail on memory allocation. */ 333 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 334 sctp_source(chunk), 335 (sctp_init_chunk_t *)chunk->chunk_hdr, 336 GFP_ATOMIC)) 337 goto nomem_init; 338 339 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 340 341 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 342 343 /* If there are errors need to be reported for unknown parameters, 344 * make sure to reserve enough room in the INIT ACK for them. 345 */ 346 len = 0; 347 if (err_chunk) 348 len = ntohs(err_chunk->chunk_hdr->length) - 349 sizeof(sctp_chunkhdr_t); 350 351 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 352 goto nomem_ack; 353 354 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 355 if (!repl) 356 goto nomem_ack; 357 358 /* If there are errors need to be reported for unknown parameters, 359 * include them in the outgoing INIT ACK as "Unrecognized parameter" 360 * parameter. 361 */ 362 if (err_chunk) { 363 /* Get the "Unrecognized parameter" parameter(s) out of the 364 * ERROR chunk generated by sctp_verify_init(). Since the 365 * error cause code for "unknown parameter" and the 366 * "Unrecognized parameter" type is the same, we can 367 * construct the parameters in INIT ACK by copying the 368 * ERROR causes over. 369 */ 370 unk_param = (sctp_unrecognized_param_t *) 371 ((__u8 *)(err_chunk->chunk_hdr) + 372 sizeof(sctp_chunkhdr_t)); 373 /* Replace the cause code with the "Unrecognized parameter" 374 * parameter type. 375 */ 376 sctp_addto_chunk(repl, len, unk_param); 377 sctp_chunk_free(err_chunk); 378 } 379 380 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 381 382 /* 383 * Note: After sending out INIT ACK with the State Cookie parameter, 384 * "Z" MUST NOT allocate any resources, nor keep any states for the 385 * new association. Otherwise, "Z" will be vulnerable to resource 386 * attacks. 387 */ 388 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 389 390 return SCTP_DISPOSITION_DELETE_TCB; 391 392 nomem_ack: 393 if (err_chunk) 394 sctp_chunk_free(err_chunk); 395 nomem_init: 396 sctp_association_free(new_asoc); 397 nomem: 398 return SCTP_DISPOSITION_NOMEM; 399 } 400 401 /* 402 * Respond to a normal INIT ACK chunk. 403 * We are the side that is initiating the association. 404 * 405 * Section: 5.1 Normal Establishment of an Association, C 406 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 407 * timer and leave COOKIE-WAIT state. "A" shall then send the State 408 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 409 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 410 * 411 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 412 * DATA chunks, but it MUST be the first chunk in the packet and 413 * until the COOKIE ACK is returned the sender MUST NOT send any 414 * other packets to the peer. 415 * 416 * Verification Tag: 3.3.3 417 * If the value of the Initiate Tag in a received INIT ACK chunk is 418 * found to be 0, the receiver MUST treat it as an error and close the 419 * association by transmitting an ABORT. 420 * 421 * Inputs 422 * (endpoint, asoc, chunk) 423 * 424 * Outputs 425 * (asoc, reply_msg, msg_up, timers, counters) 426 * 427 * The return value is the disposition of the chunk. 428 */ 429 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 430 const struct sctp_association *asoc, 431 const sctp_subtype_t type, 432 void *arg, 433 sctp_cmd_seq_t *commands) 434 { 435 struct sctp_chunk *chunk = arg; 436 sctp_init_chunk_t *initchunk; 437 __u32 init_tag; 438 struct sctp_chunk *err_chunk; 439 struct sctp_packet *packet; 440 sctp_disposition_t ret; 441 442 if (!sctp_vtag_verify(chunk, asoc)) 443 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 444 445 /* Make sure that the INIT-ACK chunk has a valid length */ 446 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 447 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 448 commands); 449 /* 6.10 Bundling 450 * An endpoint MUST NOT bundle INIT, INIT ACK or 451 * SHUTDOWN COMPLETE with any other chunks. 452 */ 453 if (!chunk->singleton) 454 return SCTP_DISPOSITION_VIOLATION; 455 456 /* Grab the INIT header. */ 457 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 458 459 init_tag = ntohl(chunk->subh.init_hdr->init_tag); 460 461 /* Verification Tag: 3.3.3 462 * If the value of the Initiate Tag in a received INIT ACK 463 * chunk is found to be 0, the receiver MUST treat it as an 464 * error and close the association by transmitting an ABORT. 465 */ 466 if (!init_tag) { 467 struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0); 468 if (!reply) 469 goto nomem; 470 471 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 472 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 473 SCTP_STATE(SCTP_STATE_CLOSED)); 474 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 475 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 476 return SCTP_DISPOSITION_DELETE_TCB; 477 } 478 479 /* Verify the INIT chunk before processing it. */ 480 err_chunk = NULL; 481 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 482 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 483 &err_chunk)) { 484 485 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 486 487 /* This chunk contains fatal error. It is to be discarded. 488 * Send an ABORT, with causes if there is any. 489 */ 490 if (err_chunk) { 491 packet = sctp_abort_pkt_new(ep, asoc, arg, 492 (__u8 *)(err_chunk->chunk_hdr) + 493 sizeof(sctp_chunkhdr_t), 494 ntohs(err_chunk->chunk_hdr->length) - 495 sizeof(sctp_chunkhdr_t)); 496 497 sctp_chunk_free(err_chunk); 498 499 if (packet) { 500 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 501 SCTP_PACKET(packet)); 502 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 503 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 504 SCTP_STATE(SCTP_STATE_CLOSED)); 505 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, 506 SCTP_NULL()); 507 return SCTP_DISPOSITION_CONSUME; 508 } else { 509 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 510 SCTP_STATE(SCTP_STATE_CLOSED)); 511 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, 512 SCTP_NULL()); 513 return SCTP_DISPOSITION_NOMEM; 514 } 515 } else { 516 ret = sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 517 commands); 518 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 519 SCTP_STATE(SCTP_STATE_CLOSED)); 520 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, 521 SCTP_NULL()); 522 return ret; 523 } 524 } 525 526 /* Tag the variable length parameters. Note that we never 527 * convert the parameters in an INIT chunk. 528 */ 529 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 530 531 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 532 533 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 534 SCTP_PEER_INIT(initchunk)); 535 536 /* 5.1 C) "A" shall stop the T1-init timer and leave 537 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 538 * timer, and enter the COOKIE-ECHOED state. 539 */ 540 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 541 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 542 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 543 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 544 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 545 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 546 547 /* 5.1 C) "A" shall then send the State Cookie received in the 548 * INIT ACK chunk in a COOKIE ECHO chunk, ... 549 */ 550 /* If there is any errors to report, send the ERROR chunk generated 551 * for unknown parameters as well. 552 */ 553 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 554 SCTP_CHUNK(err_chunk)); 555 556 return SCTP_DISPOSITION_CONSUME; 557 558 nomem: 559 return SCTP_DISPOSITION_NOMEM; 560 } 561 562 /* 563 * Respond to a normal COOKIE ECHO chunk. 564 * We are the side that is being asked for an association. 565 * 566 * Section: 5.1 Normal Establishment of an Association, D 567 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 568 * with a COOKIE ACK chunk after building a TCB and moving to 569 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 570 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 571 * chunk MUST be the first chunk in the packet. 572 * 573 * IMPLEMENTATION NOTE: An implementation may choose to send the 574 * Communication Up notification to the SCTP user upon reception 575 * of a valid COOKIE ECHO chunk. 576 * 577 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 578 * D) Rules for packet carrying a COOKIE ECHO 579 * 580 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 581 * Initial Tag received in the INIT ACK. 582 * 583 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 584 * 585 * Inputs 586 * (endpoint, asoc, chunk) 587 * 588 * Outputs 589 * (asoc, reply_msg, msg_up, timers, counters) 590 * 591 * The return value is the disposition of the chunk. 592 */ 593 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 594 const struct sctp_association *asoc, 595 const sctp_subtype_t type, void *arg, 596 sctp_cmd_seq_t *commands) 597 { 598 struct sctp_chunk *chunk = arg; 599 struct sctp_association *new_asoc; 600 sctp_init_chunk_t *peer_init; 601 struct sctp_chunk *repl; 602 struct sctp_ulpevent *ev; 603 int error = 0; 604 struct sctp_chunk *err_chk_p; 605 606 /* If the packet is an OOTB packet which is temporarily on the 607 * control endpoint, respond with an ABORT. 608 */ 609 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 610 return sctp_sf_ootb(ep, asoc, type, arg, commands); 611 612 /* Make sure that the COOKIE_ECHO chunk has a valid length. 613 * In this case, we check that we have enough for at least a 614 * chunk header. More detailed verification is done 615 * in sctp_unpack_cookie(). 616 */ 617 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 618 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 619 620 /* "Decode" the chunk. We have no optional parameters so we 621 * are in good shape. 622 */ 623 chunk->subh.cookie_hdr = 624 (struct sctp_signed_cookie *)chunk->skb->data; 625 skb_pull(chunk->skb, 626 ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t)); 627 628 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 629 * "Z" will reply with a COOKIE ACK chunk after building a TCB 630 * and moving to the ESTABLISHED state. 631 */ 632 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 633 &err_chk_p); 634 635 /* FIXME: 636 * If the re-build failed, what is the proper error path 637 * from here? 638 * 639 * [We should abort the association. --piggy] 640 */ 641 if (!new_asoc) { 642 /* FIXME: Several errors are possible. A bad cookie should 643 * be silently discarded, but think about logging it too. 644 */ 645 switch (error) { 646 case -SCTP_IERROR_NOMEM: 647 goto nomem; 648 649 case -SCTP_IERROR_STALE_COOKIE: 650 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 651 err_chk_p); 652 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 653 654 case -SCTP_IERROR_BAD_SIG: 655 default: 656 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 657 }; 658 } 659 660 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 661 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 662 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 663 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 664 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 665 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 666 667 if (new_asoc->autoclose) 668 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 669 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 670 671 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 672 673 /* Re-build the bind address for the association is done in 674 * the sctp_unpack_cookie() already. 675 */ 676 /* This is a brand-new association, so these are not yet side 677 * effects--it is safe to run them here. 678 */ 679 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 680 681 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 682 &chunk->subh.cookie_hdr->c.peer_addr, 683 peer_init, GFP_ATOMIC)) 684 goto nomem_init; 685 686 repl = sctp_make_cookie_ack(new_asoc, chunk); 687 if (!repl) 688 goto nomem_repl; 689 690 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 691 692 /* RFC 2960 5.1 Normal Establishment of an Association 693 * 694 * D) IMPLEMENTATION NOTE: An implementation may choose to 695 * send the Communication Up notification to the SCTP user 696 * upon reception of a valid COOKIE ECHO chunk. 697 */ 698 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 699 new_asoc->c.sinit_num_ostreams, 700 new_asoc->c.sinit_max_instreams, 701 GFP_ATOMIC); 702 if (!ev) 703 goto nomem_ev; 704 705 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 706 707 /* Sockets API Draft Section 5.3.1.6 708 * When a peer sends a Adaption Layer Indication parameter , SCTP 709 * delivers this notification to inform the application that of the 710 * peers requested adaption layer. 711 */ 712 if (new_asoc->peer.adaption_ind) { 713 ev = sctp_ulpevent_make_adaption_indication(new_asoc, 714 GFP_ATOMIC); 715 if (!ev) 716 goto nomem_ev; 717 718 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 719 SCTP_ULPEVENT(ev)); 720 } 721 722 return SCTP_DISPOSITION_CONSUME; 723 724 nomem_ev: 725 sctp_chunk_free(repl); 726 nomem_repl: 727 nomem_init: 728 sctp_association_free(new_asoc); 729 nomem: 730 return SCTP_DISPOSITION_NOMEM; 731 } 732 733 /* 734 * Respond to a normal COOKIE ACK chunk. 735 * We are the side that is being asked for an association. 736 * 737 * RFC 2960 5.1 Normal Establishment of an Association 738 * 739 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 740 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 741 * timer. It may also notify its ULP about the successful 742 * establishment of the association with a Communication Up 743 * notification (see Section 10). 744 * 745 * Verification Tag: 746 * Inputs 747 * (endpoint, asoc, chunk) 748 * 749 * Outputs 750 * (asoc, reply_msg, msg_up, timers, counters) 751 * 752 * The return value is the disposition of the chunk. 753 */ 754 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 755 const struct sctp_association *asoc, 756 const sctp_subtype_t type, void *arg, 757 sctp_cmd_seq_t *commands) 758 { 759 struct sctp_chunk *chunk = arg; 760 struct sctp_ulpevent *ev; 761 762 if (!sctp_vtag_verify(chunk, asoc)) 763 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 764 765 /* Verify that the chunk length for the COOKIE-ACK is OK. 766 * If we don't do this, any bundled chunks may be junked. 767 */ 768 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 769 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 770 commands); 771 772 /* Reset init error count upon receipt of COOKIE-ACK, 773 * to avoid problems with the managemement of this 774 * counter in stale cookie situations when a transition back 775 * from the COOKIE-ECHOED state to the COOKIE-WAIT 776 * state is performed. 777 */ 778 sctp_add_cmd_sf(commands, SCTP_CMD_COUNTER_RESET, 779 SCTP_COUNTER(SCTP_COUNTER_INIT_ERROR)); 780 781 /* RFC 2960 5.1 Normal Establishment of an Association 782 * 783 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 784 * from the COOKIE-ECHOED state to the ESTABLISHED state, 785 * stopping the T1-cookie timer. 786 */ 787 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 788 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 789 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 790 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 791 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 792 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 793 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 794 if (asoc->autoclose) 795 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 796 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 797 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 798 799 /* It may also notify its ULP about the successful 800 * establishment of the association with a Communication Up 801 * notification (see Section 10). 802 */ 803 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 804 0, asoc->c.sinit_num_ostreams, 805 asoc->c.sinit_max_instreams, 806 GFP_ATOMIC); 807 808 if (!ev) 809 goto nomem; 810 811 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 812 813 /* Sockets API Draft Section 5.3.1.6 814 * When a peer sends a Adaption Layer Indication parameter , SCTP 815 * delivers this notification to inform the application that of the 816 * peers requested adaption layer. 817 */ 818 if (asoc->peer.adaption_ind) { 819 ev = sctp_ulpevent_make_adaption_indication(asoc, GFP_ATOMIC); 820 if (!ev) 821 goto nomem; 822 823 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 824 SCTP_ULPEVENT(ev)); 825 } 826 827 return SCTP_DISPOSITION_CONSUME; 828 nomem: 829 return SCTP_DISPOSITION_NOMEM; 830 } 831 832 /* Generate and sendout a heartbeat packet. */ 833 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 834 const struct sctp_association *asoc, 835 const sctp_subtype_t type, 836 void *arg, 837 sctp_cmd_seq_t *commands) 838 { 839 struct sctp_transport *transport = (struct sctp_transport *) arg; 840 struct sctp_chunk *reply; 841 sctp_sender_hb_info_t hbinfo; 842 size_t paylen = 0; 843 844 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 845 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 846 hbinfo.daddr = transport->ipaddr; 847 hbinfo.sent_at = jiffies; 848 849 /* Send a heartbeat to our peer. */ 850 paylen = sizeof(sctp_sender_hb_info_t); 851 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 852 if (!reply) 853 return SCTP_DISPOSITION_NOMEM; 854 855 /* Set rto_pending indicating that an RTT measurement 856 * is started with this heartbeat chunk. 857 */ 858 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 859 SCTP_TRANSPORT(transport)); 860 861 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 862 return SCTP_DISPOSITION_CONSUME; 863 } 864 865 /* Generate a HEARTBEAT packet on the given transport. */ 866 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 867 const struct sctp_association *asoc, 868 const sctp_subtype_t type, 869 void *arg, 870 sctp_cmd_seq_t *commands) 871 { 872 struct sctp_transport *transport = (struct sctp_transport *) arg; 873 874 if (asoc->overall_error_count > asoc->max_retrans) { 875 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 876 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 877 SCTP_U32(SCTP_ERROR_NO_ERROR)); 878 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 879 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 880 return SCTP_DISPOSITION_DELETE_TCB; 881 } 882 883 /* Section 3.3.5. 884 * The Sender-specific Heartbeat Info field should normally include 885 * information about the sender's current time when this HEARTBEAT 886 * chunk is sent and the destination transport address to which this 887 * HEARTBEAT is sent (see Section 8.3). 888 */ 889 890 if (transport->hb_allowed) { 891 if (SCTP_DISPOSITION_NOMEM == 892 sctp_sf_heartbeat(ep, asoc, type, arg, 893 commands)) 894 return SCTP_DISPOSITION_NOMEM; 895 /* Set transport error counter and association error counter 896 * when sending heartbeat. 897 */ 898 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 899 SCTP_TRANSPORT(transport)); 900 } 901 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 902 SCTP_TRANSPORT(transport)); 903 904 return SCTP_DISPOSITION_CONSUME; 905 } 906 907 /* 908 * Process an heartbeat request. 909 * 910 * Section: 8.3 Path Heartbeat 911 * The receiver of the HEARTBEAT should immediately respond with a 912 * HEARTBEAT ACK that contains the Heartbeat Information field copied 913 * from the received HEARTBEAT chunk. 914 * 915 * Verification Tag: 8.5 Verification Tag [Normal verification] 916 * When receiving an SCTP packet, the endpoint MUST ensure that the 917 * value in the Verification Tag field of the received SCTP packet 918 * matches its own Tag. If the received Verification Tag value does not 919 * match the receiver's own tag value, the receiver shall silently 920 * discard the packet and shall not process it any further except for 921 * those cases listed in Section 8.5.1 below. 922 * 923 * Inputs 924 * (endpoint, asoc, chunk) 925 * 926 * Outputs 927 * (asoc, reply_msg, msg_up, timers, counters) 928 * 929 * The return value is the disposition of the chunk. 930 */ 931 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 932 const struct sctp_association *asoc, 933 const sctp_subtype_t type, 934 void *arg, 935 sctp_cmd_seq_t *commands) 936 { 937 struct sctp_chunk *chunk = arg; 938 struct sctp_chunk *reply; 939 size_t paylen = 0; 940 941 if (!sctp_vtag_verify(chunk, asoc)) 942 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 943 944 /* Make sure that the HEARTBEAT chunk has a valid length. */ 945 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 946 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 947 commands); 948 949 /* 8.3 The receiver of the HEARTBEAT should immediately 950 * respond with a HEARTBEAT ACK that contains the Heartbeat 951 * Information field copied from the received HEARTBEAT chunk. 952 */ 953 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 954 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 955 skb_pull(chunk->skb, paylen); 956 957 reply = sctp_make_heartbeat_ack(asoc, chunk, 958 chunk->subh.hb_hdr, paylen); 959 if (!reply) 960 goto nomem; 961 962 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 963 return SCTP_DISPOSITION_CONSUME; 964 965 nomem: 966 return SCTP_DISPOSITION_NOMEM; 967 } 968 969 /* 970 * Process the returning HEARTBEAT ACK. 971 * 972 * Section: 8.3 Path Heartbeat 973 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 974 * should clear the error counter of the destination transport 975 * address to which the HEARTBEAT was sent, and mark the destination 976 * transport address as active if it is not so marked. The endpoint may 977 * optionally report to the upper layer when an inactive destination 978 * address is marked as active due to the reception of the latest 979 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 980 * clear the association overall error count as well (as defined 981 * in section 8.1). 982 * 983 * The receiver of the HEARTBEAT ACK should also perform an RTT 984 * measurement for that destination transport address using the time 985 * value carried in the HEARTBEAT ACK chunk. 986 * 987 * Verification Tag: 8.5 Verification Tag [Normal verification] 988 * 989 * Inputs 990 * (endpoint, asoc, chunk) 991 * 992 * Outputs 993 * (asoc, reply_msg, msg_up, timers, counters) 994 * 995 * The return value is the disposition of the chunk. 996 */ 997 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 998 const struct sctp_association *asoc, 999 const sctp_subtype_t type, 1000 void *arg, 1001 sctp_cmd_seq_t *commands) 1002 { 1003 struct sctp_chunk *chunk = arg; 1004 union sctp_addr from_addr; 1005 struct sctp_transport *link; 1006 sctp_sender_hb_info_t *hbinfo; 1007 unsigned long max_interval; 1008 1009 if (!sctp_vtag_verify(chunk, asoc)) 1010 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1011 1012 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1013 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1014 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1015 commands); 1016 1017 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1018 from_addr = hbinfo->daddr; 1019 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1020 1021 /* This should never happen, but lets log it if so. */ 1022 if (!link) { 1023 printk(KERN_WARNING 1024 "%s: Could not find address %d.%d.%d.%d\n", 1025 __FUNCTION__, NIPQUAD(from_addr.v4.sin_addr)); 1026 return SCTP_DISPOSITION_DISCARD; 1027 } 1028 1029 max_interval = link->hb_interval + link->rto; 1030 1031 /* Check if the timestamp looks valid. */ 1032 if (time_after(hbinfo->sent_at, jiffies) || 1033 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1034 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp" 1035 "received for transport: %p\n", 1036 __FUNCTION__, link); 1037 return SCTP_DISPOSITION_DISCARD; 1038 } 1039 1040 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1041 * the HEARTBEAT should clear the error counter of the 1042 * destination transport address to which the HEARTBEAT was 1043 * sent and mark the destination transport address as active if 1044 * it is not so marked. 1045 */ 1046 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1047 1048 return SCTP_DISPOSITION_CONSUME; 1049 } 1050 1051 /* Helper function to send out an abort for the restart 1052 * condition. 1053 */ 1054 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1055 struct sctp_chunk *init, 1056 sctp_cmd_seq_t *commands) 1057 { 1058 int len; 1059 struct sctp_packet *pkt; 1060 union sctp_addr_param *addrparm; 1061 struct sctp_errhdr *errhdr; 1062 struct sctp_endpoint *ep; 1063 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1064 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1065 1066 /* Build the error on the stack. We are way to malloc crazy 1067 * throughout the code today. 1068 */ 1069 errhdr = (struct sctp_errhdr *)buffer; 1070 addrparm = (union sctp_addr_param *)errhdr->variable; 1071 1072 /* Copy into a parm format. */ 1073 len = af->to_addr_param(ssa, addrparm); 1074 len += sizeof(sctp_errhdr_t); 1075 1076 errhdr->cause = SCTP_ERROR_RESTART; 1077 errhdr->length = htons(len); 1078 1079 /* Assign to the control socket. */ 1080 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1081 1082 /* Association is NULL since this may be a restart attack and we 1083 * want to send back the attacker's vtag. 1084 */ 1085 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1086 1087 if (!pkt) 1088 goto out; 1089 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1090 1091 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1092 1093 /* Discard the rest of the inbound packet. */ 1094 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1095 1096 out: 1097 /* Even if there is no memory, treat as a failure so 1098 * the packet will get dropped. 1099 */ 1100 return 0; 1101 } 1102 1103 /* A restart is occurring, check to make sure no new addresses 1104 * are being added as we may be under a takeover attack. 1105 */ 1106 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1107 const struct sctp_association *asoc, 1108 struct sctp_chunk *init, 1109 sctp_cmd_seq_t *commands) 1110 { 1111 struct sctp_transport *new_addr, *addr; 1112 struct list_head *pos, *pos2; 1113 int found; 1114 1115 /* Implementor's Guide - Sectin 5.2.2 1116 * ... 1117 * Before responding the endpoint MUST check to see if the 1118 * unexpected INIT adds new addresses to the association. If new 1119 * addresses are added to the association, the endpoint MUST respond 1120 * with an ABORT.. 1121 */ 1122 1123 /* Search through all current addresses and make sure 1124 * we aren't adding any new ones. 1125 */ 1126 new_addr = NULL; 1127 found = 0; 1128 1129 list_for_each(pos, &new_asoc->peer.transport_addr_list) { 1130 new_addr = list_entry(pos, struct sctp_transport, transports); 1131 found = 0; 1132 list_for_each(pos2, &asoc->peer.transport_addr_list) { 1133 addr = list_entry(pos2, struct sctp_transport, 1134 transports); 1135 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1136 &addr->ipaddr)) { 1137 found = 1; 1138 break; 1139 } 1140 } 1141 if (!found) 1142 break; 1143 } 1144 1145 /* If a new address was added, ABORT the sender. */ 1146 if (!found && new_addr) { 1147 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1148 } 1149 1150 /* Return success if all addresses were found. */ 1151 return found; 1152 } 1153 1154 /* Populate the verification/tie tags based on overlapping INIT 1155 * scenario. 1156 * 1157 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1158 */ 1159 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1160 const struct sctp_association *asoc) 1161 { 1162 switch (asoc->state) { 1163 1164 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1165 1166 case SCTP_STATE_COOKIE_WAIT: 1167 new_asoc->c.my_vtag = asoc->c.my_vtag; 1168 new_asoc->c.my_ttag = asoc->c.my_vtag; 1169 new_asoc->c.peer_ttag = 0; 1170 break; 1171 1172 case SCTP_STATE_COOKIE_ECHOED: 1173 new_asoc->c.my_vtag = asoc->c.my_vtag; 1174 new_asoc->c.my_ttag = asoc->c.my_vtag; 1175 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1176 break; 1177 1178 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1179 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1180 */ 1181 default: 1182 new_asoc->c.my_ttag = asoc->c.my_vtag; 1183 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1184 break; 1185 }; 1186 1187 /* Other parameters for the endpoint SHOULD be copied from the 1188 * existing parameters of the association (e.g. number of 1189 * outbound streams) into the INIT ACK and cookie. 1190 */ 1191 new_asoc->rwnd = asoc->rwnd; 1192 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1193 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1194 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1195 } 1196 1197 /* 1198 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1199 * handling action. 1200 * 1201 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1202 * 1203 * Returns value representing action to be taken. These action values 1204 * correspond to Action/Description values in RFC 2960, Table 2. 1205 */ 1206 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1207 const struct sctp_association *asoc) 1208 { 1209 /* In this case, the peer may have restarted. */ 1210 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1211 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1212 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1213 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1214 return 'A'; 1215 1216 /* Collision case B. */ 1217 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1218 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1219 (0 == asoc->c.peer_vtag))) { 1220 return 'B'; 1221 } 1222 1223 /* Collision case D. */ 1224 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1225 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1226 return 'D'; 1227 1228 /* Collision case C. */ 1229 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1230 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1231 (0 == new_asoc->c.my_ttag) && 1232 (0 == new_asoc->c.peer_ttag)) 1233 return 'C'; 1234 1235 /* No match to any of the special cases; discard this packet. */ 1236 return 'E'; 1237 } 1238 1239 /* Common helper routine for both duplicate and simulataneous INIT 1240 * chunk handling. 1241 */ 1242 static sctp_disposition_t sctp_sf_do_unexpected_init( 1243 const struct sctp_endpoint *ep, 1244 const struct sctp_association *asoc, 1245 const sctp_subtype_t type, 1246 void *arg, sctp_cmd_seq_t *commands) 1247 { 1248 sctp_disposition_t retval; 1249 struct sctp_chunk *chunk = arg; 1250 struct sctp_chunk *repl; 1251 struct sctp_association *new_asoc; 1252 struct sctp_chunk *err_chunk; 1253 struct sctp_packet *packet; 1254 sctp_unrecognized_param_t *unk_param; 1255 int len; 1256 1257 /* 6.10 Bundling 1258 * An endpoint MUST NOT bundle INIT, INIT ACK or 1259 * SHUTDOWN COMPLETE with any other chunks. 1260 * 1261 * IG Section 2.11.2 1262 * Furthermore, we require that the receiver of an INIT chunk MUST 1263 * enforce these rules by silently discarding an arriving packet 1264 * with an INIT chunk that is bundled with other chunks. 1265 */ 1266 if (!chunk->singleton) 1267 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1268 1269 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1270 * Tag. 1271 */ 1272 if (chunk->sctp_hdr->vtag != 0) 1273 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1274 1275 /* Make sure that the INIT chunk has a valid length. 1276 * In this case, we generate a protocol violation since we have 1277 * an association established. 1278 */ 1279 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1280 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1281 commands); 1282 /* Grab the INIT header. */ 1283 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1284 1285 /* Tag the variable length parameters. */ 1286 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1287 1288 /* Verify the INIT chunk before processing it. */ 1289 err_chunk = NULL; 1290 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1291 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1292 &err_chunk)) { 1293 /* This chunk contains fatal error. It is to be discarded. 1294 * Send an ABORT, with causes if there is any. 1295 */ 1296 if (err_chunk) { 1297 packet = sctp_abort_pkt_new(ep, asoc, arg, 1298 (__u8 *)(err_chunk->chunk_hdr) + 1299 sizeof(sctp_chunkhdr_t), 1300 ntohs(err_chunk->chunk_hdr->length) - 1301 sizeof(sctp_chunkhdr_t)); 1302 1303 if (packet) { 1304 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1305 SCTP_PACKET(packet)); 1306 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1307 retval = SCTP_DISPOSITION_CONSUME; 1308 } else { 1309 retval = SCTP_DISPOSITION_NOMEM; 1310 } 1311 goto cleanup; 1312 } else { 1313 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1314 commands); 1315 } 1316 } 1317 1318 /* 1319 * Other parameters for the endpoint SHOULD be copied from the 1320 * existing parameters of the association (e.g. number of 1321 * outbound streams) into the INIT ACK and cookie. 1322 * FIXME: We are copying parameters from the endpoint not the 1323 * association. 1324 */ 1325 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1326 if (!new_asoc) 1327 goto nomem; 1328 1329 /* In the outbound INIT ACK the endpoint MUST copy its current 1330 * Verification Tag and Peers Verification tag into a reserved 1331 * place (local tie-tag and per tie-tag) within the state cookie. 1332 */ 1333 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1334 sctp_source(chunk), 1335 (sctp_init_chunk_t *)chunk->chunk_hdr, 1336 GFP_ATOMIC)) { 1337 retval = SCTP_DISPOSITION_NOMEM; 1338 goto nomem_init; 1339 } 1340 1341 /* Make sure no new addresses are being added during the 1342 * restart. Do not do this check for COOKIE-WAIT state, 1343 * since there are no peer addresses to check against. 1344 * Upon return an ABORT will have been sent if needed. 1345 */ 1346 if (!sctp_state(asoc, COOKIE_WAIT)) { 1347 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1348 commands)) { 1349 retval = SCTP_DISPOSITION_CONSUME; 1350 goto cleanup_asoc; 1351 } 1352 } 1353 1354 sctp_tietags_populate(new_asoc, asoc); 1355 1356 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1357 1358 /* If there are errors need to be reported for unknown parameters, 1359 * make sure to reserve enough room in the INIT ACK for them. 1360 */ 1361 len = 0; 1362 if (err_chunk) { 1363 len = ntohs(err_chunk->chunk_hdr->length) - 1364 sizeof(sctp_chunkhdr_t); 1365 } 1366 1367 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1368 goto nomem; 1369 1370 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1371 if (!repl) 1372 goto nomem; 1373 1374 /* If there are errors need to be reported for unknown parameters, 1375 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1376 * parameter. 1377 */ 1378 if (err_chunk) { 1379 /* Get the "Unrecognized parameter" parameter(s) out of the 1380 * ERROR chunk generated by sctp_verify_init(). Since the 1381 * error cause code for "unknown parameter" and the 1382 * "Unrecognized parameter" type is the same, we can 1383 * construct the parameters in INIT ACK by copying the 1384 * ERROR causes over. 1385 */ 1386 unk_param = (sctp_unrecognized_param_t *) 1387 ((__u8 *)(err_chunk->chunk_hdr) + 1388 sizeof(sctp_chunkhdr_t)); 1389 /* Replace the cause code with the "Unrecognized parameter" 1390 * parameter type. 1391 */ 1392 sctp_addto_chunk(repl, len, unk_param); 1393 } 1394 1395 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1396 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1397 1398 /* 1399 * Note: After sending out INIT ACK with the State Cookie parameter, 1400 * "Z" MUST NOT allocate any resources for this new association. 1401 * Otherwise, "Z" will be vulnerable to resource attacks. 1402 */ 1403 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1404 retval = SCTP_DISPOSITION_CONSUME; 1405 1406 cleanup: 1407 if (err_chunk) 1408 sctp_chunk_free(err_chunk); 1409 return retval; 1410 nomem: 1411 retval = SCTP_DISPOSITION_NOMEM; 1412 goto cleanup; 1413 nomem_init: 1414 cleanup_asoc: 1415 sctp_association_free(new_asoc); 1416 goto cleanup; 1417 } 1418 1419 /* 1420 * Handle simultanous INIT. 1421 * This means we started an INIT and then we got an INIT request from 1422 * our peer. 1423 * 1424 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1425 * This usually indicates an initialization collision, i.e., each 1426 * endpoint is attempting, at about the same time, to establish an 1427 * association with the other endpoint. 1428 * 1429 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1430 * endpoint MUST respond with an INIT ACK using the same parameters it 1431 * sent in its original INIT chunk (including its Verification Tag, 1432 * unchanged). These original parameters are combined with those from the 1433 * newly received INIT chunk. The endpoint shall also generate a State 1434 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1435 * INIT to calculate the State Cookie. 1436 * 1437 * After that, the endpoint MUST NOT change its state, the T1-init 1438 * timer shall be left running and the corresponding TCB MUST NOT be 1439 * destroyed. The normal procedures for handling State Cookies when 1440 * a TCB exists will resolve the duplicate INITs to a single association. 1441 * 1442 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1443 * its Tie-Tags with the Tag information of itself and its peer (see 1444 * section 5.2.2 for a description of the Tie-Tags). 1445 * 1446 * Verification Tag: Not explicit, but an INIT can not have a valid 1447 * verification tag, so we skip the check. 1448 * 1449 * Inputs 1450 * (endpoint, asoc, chunk) 1451 * 1452 * Outputs 1453 * (asoc, reply_msg, msg_up, timers, counters) 1454 * 1455 * The return value is the disposition of the chunk. 1456 */ 1457 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1458 const struct sctp_association *asoc, 1459 const sctp_subtype_t type, 1460 void *arg, 1461 sctp_cmd_seq_t *commands) 1462 { 1463 /* Call helper to do the real work for both simulataneous and 1464 * duplicate INIT chunk handling. 1465 */ 1466 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1467 } 1468 1469 /* 1470 * Handle duplicated INIT messages. These are usually delayed 1471 * restransmissions. 1472 * 1473 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1474 * COOKIE-ECHOED and COOKIE-WAIT 1475 * 1476 * Unless otherwise stated, upon reception of an unexpected INIT for 1477 * this association, the endpoint shall generate an INIT ACK with a 1478 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1479 * current Verification Tag and peer's Verification Tag into a reserved 1480 * place within the state cookie. We shall refer to these locations as 1481 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1482 * containing this INIT ACK MUST carry a Verification Tag value equal to 1483 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1484 * MUST contain a new Initiation Tag (randomly generated see Section 1485 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1486 * existing parameters of the association (e.g. number of outbound 1487 * streams) into the INIT ACK and cookie. 1488 * 1489 * After sending out the INIT ACK, the endpoint shall take no further 1490 * actions, i.e., the existing association, including its current state, 1491 * and the corresponding TCB MUST NOT be changed. 1492 * 1493 * Note: Only when a TCB exists and the association is not in a COOKIE- 1494 * WAIT state are the Tie-Tags populated. For a normal association INIT 1495 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1496 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1497 * State Cookie are populated as specified in section 5.2.1. 1498 * 1499 * Verification Tag: Not specified, but an INIT has no way of knowing 1500 * what the verification tag could be, so we ignore it. 1501 * 1502 * Inputs 1503 * (endpoint, asoc, chunk) 1504 * 1505 * Outputs 1506 * (asoc, reply_msg, msg_up, timers, counters) 1507 * 1508 * The return value is the disposition of the chunk. 1509 */ 1510 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1511 const struct sctp_association *asoc, 1512 const sctp_subtype_t type, 1513 void *arg, 1514 sctp_cmd_seq_t *commands) 1515 { 1516 /* Call helper to do the real work for both simulataneous and 1517 * duplicate INIT chunk handling. 1518 */ 1519 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1520 } 1521 1522 1523 1524 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1525 * 1526 * Section 5.2.4 1527 * A) In this case, the peer may have restarted. 1528 */ 1529 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1530 const struct sctp_association *asoc, 1531 struct sctp_chunk *chunk, 1532 sctp_cmd_seq_t *commands, 1533 struct sctp_association *new_asoc) 1534 { 1535 sctp_init_chunk_t *peer_init; 1536 struct sctp_ulpevent *ev; 1537 struct sctp_chunk *repl; 1538 struct sctp_chunk *err; 1539 sctp_disposition_t disposition; 1540 1541 /* new_asoc is a brand-new association, so these are not yet 1542 * side effects--it is safe to run them here. 1543 */ 1544 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1545 1546 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1547 sctp_source(chunk), peer_init, 1548 GFP_ATOMIC)) 1549 goto nomem; 1550 1551 /* Make sure no new addresses are being added during the 1552 * restart. Though this is a pretty complicated attack 1553 * since you'd have to get inside the cookie. 1554 */ 1555 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1556 return SCTP_DISPOSITION_CONSUME; 1557 } 1558 1559 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1560 * the peer has restarted (Action A), it MUST NOT setup a new 1561 * association but instead resend the SHUTDOWN ACK and send an ERROR 1562 * chunk with a "Cookie Received while Shutting Down" error cause to 1563 * its peer. 1564 */ 1565 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1566 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1567 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1568 chunk, commands); 1569 if (SCTP_DISPOSITION_NOMEM == disposition) 1570 goto nomem; 1571 1572 err = sctp_make_op_error(asoc, chunk, 1573 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1574 NULL, 0); 1575 if (err) 1576 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1577 SCTP_CHUNK(err)); 1578 1579 return SCTP_DISPOSITION_CONSUME; 1580 } 1581 1582 /* For now, fail any unsent/unacked data. Consider the optional 1583 * choice of resending of this data. 1584 */ 1585 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1586 1587 /* Update the content of current association. */ 1588 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1589 1590 repl = sctp_make_cookie_ack(new_asoc, chunk); 1591 if (!repl) 1592 goto nomem; 1593 1594 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1595 1596 /* Report association restart to upper layer. */ 1597 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1598 new_asoc->c.sinit_num_ostreams, 1599 new_asoc->c.sinit_max_instreams, 1600 GFP_ATOMIC); 1601 if (!ev) 1602 goto nomem_ev; 1603 1604 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1605 return SCTP_DISPOSITION_CONSUME; 1606 1607 nomem_ev: 1608 sctp_chunk_free(repl); 1609 nomem: 1610 return SCTP_DISPOSITION_NOMEM; 1611 } 1612 1613 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1614 * 1615 * Section 5.2.4 1616 * B) In this case, both sides may be attempting to start an association 1617 * at about the same time but the peer endpoint started its INIT 1618 * after responding to the local endpoint's INIT 1619 */ 1620 /* This case represents an initialization collision. */ 1621 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1622 const struct sctp_association *asoc, 1623 struct sctp_chunk *chunk, 1624 sctp_cmd_seq_t *commands, 1625 struct sctp_association *new_asoc) 1626 { 1627 sctp_init_chunk_t *peer_init; 1628 struct sctp_ulpevent *ev; 1629 struct sctp_chunk *repl; 1630 1631 /* new_asoc is a brand-new association, so these are not yet 1632 * side effects--it is safe to run them here. 1633 */ 1634 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1635 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1636 sctp_source(chunk), peer_init, 1637 GFP_ATOMIC)) 1638 goto nomem; 1639 1640 /* Update the content of current association. */ 1641 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1642 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1643 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1644 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1645 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1646 1647 repl = sctp_make_cookie_ack(new_asoc, chunk); 1648 if (!repl) 1649 goto nomem; 1650 1651 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1652 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1653 1654 /* RFC 2960 5.1 Normal Establishment of an Association 1655 * 1656 * D) IMPLEMENTATION NOTE: An implementation may choose to 1657 * send the Communication Up notification to the SCTP user 1658 * upon reception of a valid COOKIE ECHO chunk. 1659 */ 1660 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 0, 1661 new_asoc->c.sinit_num_ostreams, 1662 new_asoc->c.sinit_max_instreams, 1663 GFP_ATOMIC); 1664 if (!ev) 1665 goto nomem_ev; 1666 1667 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1668 1669 /* Sockets API Draft Section 5.3.1.6 1670 * When a peer sends a Adaption Layer Indication parameter , SCTP 1671 * delivers this notification to inform the application that of the 1672 * peers requested adaption layer. 1673 */ 1674 if (asoc->peer.adaption_ind) { 1675 ev = sctp_ulpevent_make_adaption_indication(asoc, GFP_ATOMIC); 1676 if (!ev) 1677 goto nomem_ev; 1678 1679 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1680 SCTP_ULPEVENT(ev)); 1681 } 1682 1683 return SCTP_DISPOSITION_CONSUME; 1684 1685 nomem_ev: 1686 sctp_chunk_free(repl); 1687 nomem: 1688 return SCTP_DISPOSITION_NOMEM; 1689 } 1690 1691 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1692 * 1693 * Section 5.2.4 1694 * C) In this case, the local endpoint's cookie has arrived late. 1695 * Before it arrived, the local endpoint sent an INIT and received an 1696 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1697 * but a new tag of its own. 1698 */ 1699 /* This case represents an initialization collision. */ 1700 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1701 const struct sctp_association *asoc, 1702 struct sctp_chunk *chunk, 1703 sctp_cmd_seq_t *commands, 1704 struct sctp_association *new_asoc) 1705 { 1706 /* The cookie should be silently discarded. 1707 * The endpoint SHOULD NOT change states and should leave 1708 * any timers running. 1709 */ 1710 return SCTP_DISPOSITION_DISCARD; 1711 } 1712 1713 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1714 * 1715 * Section 5.2.4 1716 * 1717 * D) When both local and remote tags match the endpoint should always 1718 * enter the ESTABLISHED state, if it has not already done so. 1719 */ 1720 /* This case represents an initialization collision. */ 1721 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1722 const struct sctp_association *asoc, 1723 struct sctp_chunk *chunk, 1724 sctp_cmd_seq_t *commands, 1725 struct sctp_association *new_asoc) 1726 { 1727 struct sctp_ulpevent *ev = NULL; 1728 struct sctp_chunk *repl; 1729 1730 /* Clarification from Implementor's Guide: 1731 * D) When both local and remote tags match the endpoint should 1732 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1733 * It should stop any cookie timer that may be running and send 1734 * a COOKIE ACK. 1735 */ 1736 1737 /* Don't accidentally move back into established state. */ 1738 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1739 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1740 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1741 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1742 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1743 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1744 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1745 SCTP_NULL()); 1746 1747 /* RFC 2960 5.1 Normal Establishment of an Association 1748 * 1749 * D) IMPLEMENTATION NOTE: An implementation may choose 1750 * to send the Communication Up notification to the 1751 * SCTP user upon reception of a valid COOKIE 1752 * ECHO chunk. 1753 */ 1754 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, 1755 SCTP_COMM_UP, 0, 1756 new_asoc->c.sinit_num_ostreams, 1757 new_asoc->c.sinit_max_instreams, 1758 GFP_ATOMIC); 1759 if (!ev) 1760 goto nomem; 1761 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1762 SCTP_ULPEVENT(ev)); 1763 1764 /* Sockets API Draft Section 5.3.1.6 1765 * When a peer sends a Adaption Layer Indication parameter, 1766 * SCTP delivers this notification to inform the application 1767 * that of the peers requested adaption layer. 1768 */ 1769 if (new_asoc->peer.adaption_ind) { 1770 ev = sctp_ulpevent_make_adaption_indication(new_asoc, 1771 GFP_ATOMIC); 1772 if (!ev) 1773 goto nomem; 1774 1775 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1776 SCTP_ULPEVENT(ev)); 1777 } 1778 } 1779 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1780 1781 repl = sctp_make_cookie_ack(new_asoc, chunk); 1782 if (!repl) 1783 goto nomem; 1784 1785 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1786 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1787 1788 return SCTP_DISPOSITION_CONSUME; 1789 1790 nomem: 1791 if (ev) 1792 sctp_ulpevent_free(ev); 1793 return SCTP_DISPOSITION_NOMEM; 1794 } 1795 1796 /* 1797 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1798 * chunk was retransmitted and then delayed in the network. 1799 * 1800 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1801 * 1802 * Verification Tag: None. Do cookie validation. 1803 * 1804 * Inputs 1805 * (endpoint, asoc, chunk) 1806 * 1807 * Outputs 1808 * (asoc, reply_msg, msg_up, timers, counters) 1809 * 1810 * The return value is the disposition of the chunk. 1811 */ 1812 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1813 const struct sctp_association *asoc, 1814 const sctp_subtype_t type, 1815 void *arg, 1816 sctp_cmd_seq_t *commands) 1817 { 1818 sctp_disposition_t retval; 1819 struct sctp_chunk *chunk = arg; 1820 struct sctp_association *new_asoc; 1821 int error = 0; 1822 char action; 1823 struct sctp_chunk *err_chk_p; 1824 1825 /* Make sure that the chunk has a valid length from the protocol 1826 * perspective. In this case check to make sure we have at least 1827 * enough for the chunk header. Cookie length verification is 1828 * done later. 1829 */ 1830 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1831 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1832 commands); 1833 1834 /* "Decode" the chunk. We have no optional parameters so we 1835 * are in good shape. 1836 */ 1837 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1838 skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1839 sizeof(sctp_chunkhdr_t)); 1840 1841 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1842 * of a duplicate COOKIE ECHO match the Verification Tags of the 1843 * current association, consider the State Cookie valid even if 1844 * the lifespan is exceeded. 1845 */ 1846 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1847 &err_chk_p); 1848 1849 /* FIXME: 1850 * If the re-build failed, what is the proper error path 1851 * from here? 1852 * 1853 * [We should abort the association. --piggy] 1854 */ 1855 if (!new_asoc) { 1856 /* FIXME: Several errors are possible. A bad cookie should 1857 * be silently discarded, but think about logging it too. 1858 */ 1859 switch (error) { 1860 case -SCTP_IERROR_NOMEM: 1861 goto nomem; 1862 1863 case -SCTP_IERROR_STALE_COOKIE: 1864 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1865 err_chk_p); 1866 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1867 case -SCTP_IERROR_BAD_SIG: 1868 default: 1869 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1870 }; 1871 } 1872 1873 /* Compare the tie_tag in cookie with the verification tag of 1874 * current association. 1875 */ 1876 action = sctp_tietags_compare(new_asoc, asoc); 1877 1878 switch (action) { 1879 case 'A': /* Association restart. */ 1880 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 1881 new_asoc); 1882 break; 1883 1884 case 'B': /* Collision case B. */ 1885 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 1886 new_asoc); 1887 break; 1888 1889 case 'C': /* Collision case C. */ 1890 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 1891 new_asoc); 1892 break; 1893 1894 case 'D': /* Collision case D. */ 1895 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 1896 new_asoc); 1897 break; 1898 1899 default: /* Discard packet for all others. */ 1900 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1901 break; 1902 }; 1903 1904 /* Delete the tempory new association. */ 1905 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1906 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1907 1908 return retval; 1909 1910 nomem: 1911 return SCTP_DISPOSITION_NOMEM; 1912 } 1913 1914 /* 1915 * Process an ABORT. (SHUTDOWN-PENDING state) 1916 * 1917 * See sctp_sf_do_9_1_abort(). 1918 */ 1919 sctp_disposition_t sctp_sf_shutdown_pending_abort( 1920 const struct sctp_endpoint *ep, 1921 const struct sctp_association *asoc, 1922 const sctp_subtype_t type, 1923 void *arg, 1924 sctp_cmd_seq_t *commands) 1925 { 1926 struct sctp_chunk *chunk = arg; 1927 1928 if (!sctp_vtag_verify_either(chunk, asoc)) 1929 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1930 1931 /* Make sure that the ABORT chunk has a valid length. 1932 * Since this is an ABORT chunk, we have to discard it 1933 * because of the following text: 1934 * RFC 2960, Section 3.3.7 1935 * If an endpoint receives an ABORT with a format error or for an 1936 * association that doesn't exist, it MUST silently discard it. 1937 * Becasue the length is "invalid", we can't really discard just 1938 * as we do not know its true length. So, to be safe, discard the 1939 * packet. 1940 */ 1941 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 1942 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1943 1944 /* Stop the T5-shutdown guard timer. */ 1945 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1946 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 1947 1948 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 1949 } 1950 1951 /* 1952 * Process an ABORT. (SHUTDOWN-SENT state) 1953 * 1954 * See sctp_sf_do_9_1_abort(). 1955 */ 1956 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 1957 const struct sctp_association *asoc, 1958 const sctp_subtype_t type, 1959 void *arg, 1960 sctp_cmd_seq_t *commands) 1961 { 1962 struct sctp_chunk *chunk = arg; 1963 1964 if (!sctp_vtag_verify_either(chunk, asoc)) 1965 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1966 1967 /* Make sure that the ABORT chunk has a valid length. 1968 * Since this is an ABORT chunk, we have to discard it 1969 * because of the following text: 1970 * RFC 2960, Section 3.3.7 1971 * If an endpoint receives an ABORT with a format error or for an 1972 * association that doesn't exist, it MUST silently discard it. 1973 * Becasue the length is "invalid", we can't really discard just 1974 * as we do not know its true length. So, to be safe, discard the 1975 * packet. 1976 */ 1977 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 1978 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1979 1980 /* Stop the T2-shutdown timer. */ 1981 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1982 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 1983 1984 /* Stop the T5-shutdown guard timer. */ 1985 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1986 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 1987 1988 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 1989 } 1990 1991 /* 1992 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 1993 * 1994 * See sctp_sf_do_9_1_abort(). 1995 */ 1996 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 1997 const struct sctp_endpoint *ep, 1998 const struct sctp_association *asoc, 1999 const sctp_subtype_t type, 2000 void *arg, 2001 sctp_cmd_seq_t *commands) 2002 { 2003 /* The same T2 timer, so we should be able to use 2004 * common function with the SHUTDOWN-SENT state. 2005 */ 2006 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2007 } 2008 2009 /* 2010 * Handle an Error received in COOKIE_ECHOED state. 2011 * 2012 * Only handle the error type of stale COOKIE Error, the other errors will 2013 * be ignored. 2014 * 2015 * Inputs 2016 * (endpoint, asoc, chunk) 2017 * 2018 * Outputs 2019 * (asoc, reply_msg, msg_up, timers, counters) 2020 * 2021 * The return value is the disposition of the chunk. 2022 */ 2023 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2024 const struct sctp_association *asoc, 2025 const sctp_subtype_t type, 2026 void *arg, 2027 sctp_cmd_seq_t *commands) 2028 { 2029 struct sctp_chunk *chunk = arg; 2030 sctp_errhdr_t *err; 2031 2032 if (!sctp_vtag_verify(chunk, asoc)) 2033 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2034 2035 /* Make sure that the ERROR chunk has a valid length. 2036 * The parameter walking depends on this as well. 2037 */ 2038 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2039 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2040 commands); 2041 2042 /* Process the error here */ 2043 /* FUTURE FIXME: When PR-SCTP related and other optional 2044 * parms are emitted, this will have to change to handle multiple 2045 * errors. 2046 */ 2047 sctp_walk_errors(err, chunk->chunk_hdr) { 2048 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2049 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2050 arg, commands); 2051 } 2052 2053 /* It is possible to have malformed error causes, and that 2054 * will cause us to end the walk early. However, since 2055 * we are discarding the packet, there should be no adverse 2056 * affects. 2057 */ 2058 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2059 } 2060 2061 /* 2062 * Handle a Stale COOKIE Error 2063 * 2064 * Section: 5.2.6 Handle Stale COOKIE Error 2065 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2066 * one of the following three alternatives. 2067 * ... 2068 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2069 * Preservative parameter requesting an extension to the lifetime of 2070 * the State Cookie. When calculating the time extension, an 2071 * implementation SHOULD use the RTT information measured based on the 2072 * previous COOKIE ECHO / ERROR exchange, and should add no more 2073 * than 1 second beyond the measured RTT, due to long State Cookie 2074 * lifetimes making the endpoint more subject to a replay attack. 2075 * 2076 * Verification Tag: Not explicit, but safe to ignore. 2077 * 2078 * Inputs 2079 * (endpoint, asoc, chunk) 2080 * 2081 * Outputs 2082 * (asoc, reply_msg, msg_up, timers, counters) 2083 * 2084 * The return value is the disposition of the chunk. 2085 */ 2086 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2087 const struct sctp_association *asoc, 2088 const sctp_subtype_t type, 2089 void *arg, 2090 sctp_cmd_seq_t *commands) 2091 { 2092 struct sctp_chunk *chunk = arg; 2093 time_t stale; 2094 sctp_cookie_preserve_param_t bht; 2095 sctp_errhdr_t *err; 2096 struct sctp_chunk *reply; 2097 struct sctp_bind_addr *bp; 2098 int attempts; 2099 2100 attempts = asoc->counters[SCTP_COUNTER_INIT_ERROR] + 1; 2101 2102 if (attempts >= asoc->max_init_attempts) { 2103 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2104 SCTP_U32(SCTP_ERROR_STALE_COOKIE)); 2105 return SCTP_DISPOSITION_DELETE_TCB; 2106 } 2107 2108 err = (sctp_errhdr_t *)(chunk->skb->data); 2109 2110 /* When calculating the time extension, an implementation 2111 * SHOULD use the RTT information measured based on the 2112 * previous COOKIE ECHO / ERROR exchange, and should add no 2113 * more than 1 second beyond the measured RTT, due to long 2114 * State Cookie lifetimes making the endpoint more subject to 2115 * a replay attack. 2116 * Measure of Staleness's unit is usec. (1/1000000 sec) 2117 * Suggested Cookie Life-span Increment's unit is msec. 2118 * (1/1000 sec) 2119 * In general, if you use the suggested cookie life, the value 2120 * found in the field of measure of staleness should be doubled 2121 * to give ample time to retransmit the new cookie and thus 2122 * yield a higher probability of success on the reattempt. 2123 */ 2124 stale = ntohl(*(suseconds_t *)((u8 *)err + sizeof(sctp_errhdr_t))); 2125 stale = (stale * 2) / 1000; 2126 2127 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2128 bht.param_hdr.length = htons(sizeof(bht)); 2129 bht.lifespan_increment = htonl(stale); 2130 2131 /* Build that new INIT chunk. */ 2132 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2133 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2134 if (!reply) 2135 goto nomem; 2136 2137 sctp_addto_chunk(reply, sizeof(bht), &bht); 2138 2139 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2140 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2141 2142 /* Stop pending T3-rtx and heartbeat timers */ 2143 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2144 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2145 2146 /* Delete non-primary peer ip addresses since we are transitioning 2147 * back to the COOKIE-WAIT state 2148 */ 2149 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2150 2151 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2152 * resend 2153 */ 2154 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, 2155 SCTP_TRANSPORT(asoc->peer.primary_path)); 2156 2157 /* Cast away the const modifier, as we want to just 2158 * rerun it through as a sideffect. 2159 */ 2160 sctp_add_cmd_sf(commands, SCTP_CMD_COUNTER_INC, 2161 SCTP_COUNTER(SCTP_COUNTER_INIT_ERROR)); 2162 2163 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2164 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2165 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2166 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2167 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2168 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2169 2170 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2171 2172 return SCTP_DISPOSITION_CONSUME; 2173 2174 nomem: 2175 return SCTP_DISPOSITION_NOMEM; 2176 } 2177 2178 /* 2179 * Process an ABORT. 2180 * 2181 * Section: 9.1 2182 * After checking the Verification Tag, the receiving endpoint shall 2183 * remove the association from its record, and shall report the 2184 * termination to its upper layer. 2185 * 2186 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2187 * B) Rules for packet carrying ABORT: 2188 * 2189 * - The endpoint shall always fill in the Verification Tag field of the 2190 * outbound packet with the destination endpoint's tag value if it 2191 * is known. 2192 * 2193 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2194 * MUST follow the procedure described in Section 8.4. 2195 * 2196 * - The receiver MUST accept the packet if the Verification Tag 2197 * matches either its own tag, OR the tag of its peer. Otherwise, the 2198 * receiver MUST silently discard the packet and take no further 2199 * action. 2200 * 2201 * Inputs 2202 * (endpoint, asoc, chunk) 2203 * 2204 * Outputs 2205 * (asoc, reply_msg, msg_up, timers, counters) 2206 * 2207 * The return value is the disposition of the chunk. 2208 */ 2209 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2210 const struct sctp_association *asoc, 2211 const sctp_subtype_t type, 2212 void *arg, 2213 sctp_cmd_seq_t *commands) 2214 { 2215 struct sctp_chunk *chunk = arg; 2216 unsigned len; 2217 __u16 error = SCTP_ERROR_NO_ERROR; 2218 2219 if (!sctp_vtag_verify_either(chunk, asoc)) 2220 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2221 2222 /* Make sure that the ABORT chunk has a valid length. 2223 * Since this is an ABORT chunk, we have to discard it 2224 * because of the following text: 2225 * RFC 2960, Section 3.3.7 2226 * If an endpoint receives an ABORT with a format error or for an 2227 * association that doesn't exist, it MUST silently discard it. 2228 * Becasue the length is "invalid", we can't really discard just 2229 * as we do not know its true length. So, to be safe, discard the 2230 * packet. 2231 */ 2232 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2233 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2234 2235 /* See if we have an error cause code in the chunk. */ 2236 len = ntohs(chunk->chunk_hdr->length); 2237 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2238 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2239 2240 /* ASSOC_FAILED will DELETE_TCB. */ 2241 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_U32(error)); 2242 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2243 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2244 2245 return SCTP_DISPOSITION_ABORT; 2246 } 2247 2248 /* 2249 * Process an ABORT. (COOKIE-WAIT state) 2250 * 2251 * See sctp_sf_do_9_1_abort() above. 2252 */ 2253 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2254 const struct sctp_association *asoc, 2255 const sctp_subtype_t type, 2256 void *arg, 2257 sctp_cmd_seq_t *commands) 2258 { 2259 struct sctp_chunk *chunk = arg; 2260 unsigned len; 2261 __u16 error = SCTP_ERROR_NO_ERROR; 2262 2263 if (!sctp_vtag_verify_either(chunk, asoc)) 2264 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2265 2266 /* Make sure that the ABORT chunk has a valid length. 2267 * Since this is an ABORT chunk, we have to discard it 2268 * because of the following text: 2269 * RFC 2960, Section 3.3.7 2270 * If an endpoint receives an ABORT with a format error or for an 2271 * association that doesn't exist, it MUST silently discard it. 2272 * Becasue the length is "invalid", we can't really discard just 2273 * as we do not know its true length. So, to be safe, discard the 2274 * packet. 2275 */ 2276 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2277 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2278 2279 /* See if we have an error cause code in the chunk. */ 2280 len = ntohs(chunk->chunk_hdr->length); 2281 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2282 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2283 2284 sctp_stop_t1_and_abort(commands, error); 2285 return SCTP_DISPOSITION_ABORT; 2286 } 2287 2288 /* 2289 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2290 */ 2291 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2292 const struct sctp_association *asoc, 2293 const sctp_subtype_t type, 2294 void *arg, 2295 sctp_cmd_seq_t *commands) 2296 { 2297 sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR); 2298 return SCTP_DISPOSITION_ABORT; 2299 } 2300 2301 /* 2302 * Process an ABORT. (COOKIE-ECHOED state) 2303 */ 2304 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2305 const struct sctp_association *asoc, 2306 const sctp_subtype_t type, 2307 void *arg, 2308 sctp_cmd_seq_t *commands) 2309 { 2310 /* There is a single T1 timer, so we should be able to use 2311 * common function with the COOKIE-WAIT state. 2312 */ 2313 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2314 } 2315 2316 /* 2317 * Stop T1 timer and abort association with "INIT failed". 2318 * 2319 * This is common code called by several sctp_sf_*_abort() functions above. 2320 */ 2321 void sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, __u16 error) 2322 { 2323 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2324 SCTP_STATE(SCTP_STATE_CLOSED)); 2325 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2326 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2327 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2328 /* CMD_INIT_FAILED will DELETE_TCB. */ 2329 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2330 SCTP_U32(error)); 2331 } 2332 2333 /* 2334 * sctp_sf_do_9_2_shut 2335 * 2336 * Section: 9.2 2337 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2338 * - enter the SHUTDOWN-RECEIVED state, 2339 * 2340 * - stop accepting new data from its SCTP user 2341 * 2342 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2343 * that all its outstanding DATA chunks have been received by the 2344 * SHUTDOWN sender. 2345 * 2346 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2347 * send a SHUTDOWN in response to a ULP request. And should discard 2348 * subsequent SHUTDOWN chunks. 2349 * 2350 * If there are still outstanding DATA chunks left, the SHUTDOWN 2351 * receiver shall continue to follow normal data transmission 2352 * procedures defined in Section 6 until all outstanding DATA chunks 2353 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2354 * new data from its SCTP user. 2355 * 2356 * Verification Tag: 8.5 Verification Tag [Normal verification] 2357 * 2358 * Inputs 2359 * (endpoint, asoc, chunk) 2360 * 2361 * Outputs 2362 * (asoc, reply_msg, msg_up, timers, counters) 2363 * 2364 * The return value is the disposition of the chunk. 2365 */ 2366 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2367 const struct sctp_association *asoc, 2368 const sctp_subtype_t type, 2369 void *arg, 2370 sctp_cmd_seq_t *commands) 2371 { 2372 struct sctp_chunk *chunk = arg; 2373 sctp_shutdownhdr_t *sdh; 2374 sctp_disposition_t disposition; 2375 struct sctp_ulpevent *ev; 2376 2377 if (!sctp_vtag_verify(chunk, asoc)) 2378 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2379 2380 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2381 if (!sctp_chunk_length_valid(chunk, 2382 sizeof(struct sctp_shutdown_chunk_t))) 2383 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2384 commands); 2385 2386 /* Convert the elaborate header. */ 2387 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2388 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2389 chunk->subh.shutdown_hdr = sdh; 2390 2391 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2392 * - enter the SHUTDOWN-RECEIVED state, 2393 * - stop accepting new data from its SCTP user 2394 * 2395 * [This is implicit in the new state.] 2396 */ 2397 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2398 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2399 disposition = SCTP_DISPOSITION_CONSUME; 2400 2401 if (sctp_outq_is_empty(&asoc->outqueue)) { 2402 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2403 arg, commands); 2404 } 2405 2406 if (SCTP_DISPOSITION_NOMEM == disposition) 2407 goto out; 2408 2409 /* - verify, by checking the Cumulative TSN Ack field of the 2410 * chunk, that all its outstanding DATA chunks have been 2411 * received by the SHUTDOWN sender. 2412 */ 2413 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2414 SCTP_U32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2415 2416 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2417 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2418 * inform the application that it should cease sending data. 2419 */ 2420 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2421 if (!ev) { 2422 disposition = SCTP_DISPOSITION_NOMEM; 2423 goto out; 2424 } 2425 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2426 2427 out: 2428 return disposition; 2429 } 2430 2431 /* RFC 2960 9.2 2432 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2433 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2434 * transport addresses (either in the IP addresses or in the INIT chunk) 2435 * that belong to this association, it should discard the INIT chunk and 2436 * retransmit the SHUTDOWN ACK chunk. 2437 */ 2438 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2439 const struct sctp_association *asoc, 2440 const sctp_subtype_t type, 2441 void *arg, 2442 sctp_cmd_seq_t *commands) 2443 { 2444 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2445 struct sctp_chunk *reply; 2446 2447 /* Since we are not going to really process this INIT, there 2448 * is no point in verifying chunk boundries. Just generate 2449 * the SHUTDOWN ACK. 2450 */ 2451 reply = sctp_make_shutdown_ack(asoc, chunk); 2452 if (NULL == reply) 2453 goto nomem; 2454 2455 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2456 * the T2-SHUTDOWN timer. 2457 */ 2458 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2459 2460 /* and restart the T2-shutdown timer. */ 2461 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2462 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2463 2464 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2465 2466 return SCTP_DISPOSITION_CONSUME; 2467 nomem: 2468 return SCTP_DISPOSITION_NOMEM; 2469 } 2470 2471 /* 2472 * sctp_sf_do_ecn_cwr 2473 * 2474 * Section: Appendix A: Explicit Congestion Notification 2475 * 2476 * CWR: 2477 * 2478 * RFC 2481 details a specific bit for a sender to send in the header of 2479 * its next outbound TCP segment to indicate to its peer that it has 2480 * reduced its congestion window. This is termed the CWR bit. For 2481 * SCTP the same indication is made by including the CWR chunk. 2482 * This chunk contains one data element, i.e. the TSN number that 2483 * was sent in the ECNE chunk. This element represents the lowest 2484 * TSN number in the datagram that was originally marked with the 2485 * CE bit. 2486 * 2487 * Verification Tag: 8.5 Verification Tag [Normal verification] 2488 * Inputs 2489 * (endpoint, asoc, chunk) 2490 * 2491 * Outputs 2492 * (asoc, reply_msg, msg_up, timers, counters) 2493 * 2494 * The return value is the disposition of the chunk. 2495 */ 2496 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2497 const struct sctp_association *asoc, 2498 const sctp_subtype_t type, 2499 void *arg, 2500 sctp_cmd_seq_t *commands) 2501 { 2502 sctp_cwrhdr_t *cwr; 2503 struct sctp_chunk *chunk = arg; 2504 2505 if (!sctp_vtag_verify(chunk, asoc)) 2506 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2507 2508 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2509 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2510 commands); 2511 2512 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2513 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2514 2515 cwr->lowest_tsn = ntohl(cwr->lowest_tsn); 2516 2517 /* Does this CWR ack the last sent congestion notification? */ 2518 if (TSN_lte(asoc->last_ecne_tsn, cwr->lowest_tsn)) { 2519 /* Stop sending ECNE. */ 2520 sctp_add_cmd_sf(commands, 2521 SCTP_CMD_ECN_CWR, 2522 SCTP_U32(cwr->lowest_tsn)); 2523 } 2524 return SCTP_DISPOSITION_CONSUME; 2525 } 2526 2527 /* 2528 * sctp_sf_do_ecne 2529 * 2530 * Section: Appendix A: Explicit Congestion Notification 2531 * 2532 * ECN-Echo 2533 * 2534 * RFC 2481 details a specific bit for a receiver to send back in its 2535 * TCP acknowledgements to notify the sender of the Congestion 2536 * Experienced (CE) bit having arrived from the network. For SCTP this 2537 * same indication is made by including the ECNE chunk. This chunk 2538 * contains one data element, i.e. the lowest TSN associated with the IP 2539 * datagram marked with the CE bit..... 2540 * 2541 * Verification Tag: 8.5 Verification Tag [Normal verification] 2542 * Inputs 2543 * (endpoint, asoc, chunk) 2544 * 2545 * Outputs 2546 * (asoc, reply_msg, msg_up, timers, counters) 2547 * 2548 * The return value is the disposition of the chunk. 2549 */ 2550 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2551 const struct sctp_association *asoc, 2552 const sctp_subtype_t type, 2553 void *arg, 2554 sctp_cmd_seq_t *commands) 2555 { 2556 sctp_ecnehdr_t *ecne; 2557 struct sctp_chunk *chunk = arg; 2558 2559 if (!sctp_vtag_verify(chunk, asoc)) 2560 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2561 2562 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2563 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2564 commands); 2565 2566 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2567 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2568 2569 /* If this is a newer ECNE than the last CWR packet we sent out */ 2570 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2571 SCTP_U32(ntohl(ecne->lowest_tsn))); 2572 2573 return SCTP_DISPOSITION_CONSUME; 2574 } 2575 2576 /* 2577 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2578 * 2579 * The SCTP endpoint MUST always acknowledge the reception of each valid 2580 * DATA chunk. 2581 * 2582 * The guidelines on delayed acknowledgement algorithm specified in 2583 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2584 * acknowledgement SHOULD be generated for at least every second packet 2585 * (not every second DATA chunk) received, and SHOULD be generated within 2586 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2587 * situations it may be beneficial for an SCTP transmitter to be more 2588 * conservative than the algorithms detailed in this document allow. 2589 * However, an SCTP transmitter MUST NOT be more aggressive than the 2590 * following algorithms allow. 2591 * 2592 * A SCTP receiver MUST NOT generate more than one SACK for every 2593 * incoming packet, other than to update the offered window as the 2594 * receiving application consumes new data. 2595 * 2596 * Verification Tag: 8.5 Verification Tag [Normal verification] 2597 * 2598 * Inputs 2599 * (endpoint, asoc, chunk) 2600 * 2601 * Outputs 2602 * (asoc, reply_msg, msg_up, timers, counters) 2603 * 2604 * The return value is the disposition of the chunk. 2605 */ 2606 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2607 const struct sctp_association *asoc, 2608 const sctp_subtype_t type, 2609 void *arg, 2610 sctp_cmd_seq_t *commands) 2611 { 2612 struct sctp_chunk *chunk = arg; 2613 int error; 2614 2615 if (!sctp_vtag_verify(chunk, asoc)) { 2616 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2617 SCTP_NULL()); 2618 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2619 } 2620 2621 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2622 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2623 commands); 2624 2625 error = sctp_eat_data(asoc, chunk, commands ); 2626 switch (error) { 2627 case SCTP_IERROR_NO_ERROR: 2628 break; 2629 case SCTP_IERROR_HIGH_TSN: 2630 case SCTP_IERROR_BAD_STREAM: 2631 goto discard_noforce; 2632 case SCTP_IERROR_DUP_TSN: 2633 case SCTP_IERROR_IGNORE_TSN: 2634 goto discard_force; 2635 case SCTP_IERROR_NO_DATA: 2636 goto consume; 2637 default: 2638 BUG(); 2639 } 2640 2641 if (asoc->autoclose) { 2642 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2643 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2644 } 2645 2646 /* If this is the last chunk in a packet, we need to count it 2647 * toward sack generation. Note that we need to SACK every 2648 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2649 * THEM. We elect to NOT generate SACK's if the chunk fails 2650 * the verification tag test. 2651 * 2652 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2653 * 2654 * The SCTP endpoint MUST always acknowledge the reception of 2655 * each valid DATA chunk. 2656 * 2657 * The guidelines on delayed acknowledgement algorithm 2658 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2659 * Specifically, an acknowledgement SHOULD be generated for at 2660 * least every second packet (not every second DATA chunk) 2661 * received, and SHOULD be generated within 200 ms of the 2662 * arrival of any unacknowledged DATA chunk. In some 2663 * situations it may be beneficial for an SCTP transmitter to 2664 * be more conservative than the algorithms detailed in this 2665 * document allow. However, an SCTP transmitter MUST NOT be 2666 * more aggressive than the following algorithms allow. 2667 */ 2668 if (chunk->end_of_packet) { 2669 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2670 2671 /* Start the SACK timer. */ 2672 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2673 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 2674 } 2675 2676 return SCTP_DISPOSITION_CONSUME; 2677 2678 discard_force: 2679 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2680 * 2681 * When a packet arrives with duplicate DATA chunk(s) and with 2682 * no new DATA chunk(s), the endpoint MUST immediately send a 2683 * SACK with no delay. If a packet arrives with duplicate 2684 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2685 * MAY immediately send a SACK. Normally receipt of duplicate 2686 * DATA chunks will occur when the original SACK chunk was lost 2687 * and the peer's RTO has expired. The duplicate TSN number(s) 2688 * SHOULD be reported in the SACK as duplicate. 2689 */ 2690 /* In our case, we split the MAY SACK advice up whether or not 2691 * the last chunk is a duplicate.' 2692 */ 2693 if (chunk->end_of_packet) 2694 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2695 return SCTP_DISPOSITION_DISCARD; 2696 2697 discard_noforce: 2698 if (chunk->end_of_packet) { 2699 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2700 2701 /* Start the SACK timer. */ 2702 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2703 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 2704 } 2705 return SCTP_DISPOSITION_DISCARD; 2706 consume: 2707 return SCTP_DISPOSITION_CONSUME; 2708 2709 } 2710 2711 /* 2712 * sctp_sf_eat_data_fast_4_4 2713 * 2714 * Section: 4 (4) 2715 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2716 * DATA chunks without delay. 2717 * 2718 * Verification Tag: 8.5 Verification Tag [Normal verification] 2719 * Inputs 2720 * (endpoint, asoc, chunk) 2721 * 2722 * Outputs 2723 * (asoc, reply_msg, msg_up, timers, counters) 2724 * 2725 * The return value is the disposition of the chunk. 2726 */ 2727 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2728 const struct sctp_association *asoc, 2729 const sctp_subtype_t type, 2730 void *arg, 2731 sctp_cmd_seq_t *commands) 2732 { 2733 struct sctp_chunk *chunk = arg; 2734 int error; 2735 2736 if (!sctp_vtag_verify(chunk, asoc)) { 2737 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2738 SCTP_NULL()); 2739 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2740 } 2741 2742 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2743 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2744 commands); 2745 2746 error = sctp_eat_data(asoc, chunk, commands ); 2747 switch (error) { 2748 case SCTP_IERROR_NO_ERROR: 2749 case SCTP_IERROR_HIGH_TSN: 2750 case SCTP_IERROR_DUP_TSN: 2751 case SCTP_IERROR_IGNORE_TSN: 2752 case SCTP_IERROR_BAD_STREAM: 2753 break; 2754 case SCTP_IERROR_NO_DATA: 2755 goto consume; 2756 default: 2757 BUG(); 2758 } 2759 2760 /* Go a head and force a SACK, since we are shutting down. */ 2761 2762 /* Implementor's Guide. 2763 * 2764 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2765 * respond to each received packet containing one or more DATA chunk(s) 2766 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2767 */ 2768 if (chunk->end_of_packet) { 2769 /* We must delay the chunk creation since the cumulative 2770 * TSN has not been updated yet. 2771 */ 2772 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2773 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2774 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2775 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2776 } 2777 2778 consume: 2779 return SCTP_DISPOSITION_CONSUME; 2780 } 2781 2782 /* 2783 * Section: 6.2 Processing a Received SACK 2784 * D) Any time a SACK arrives, the endpoint performs the following: 2785 * 2786 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2787 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2788 * increasing, a SACK whose Cumulative TSN Ack is less than the 2789 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2790 * 2791 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2792 * of bytes still outstanding after processing the Cumulative TSN Ack 2793 * and the Gap Ack Blocks. 2794 * 2795 * iii) If the SACK is missing a TSN that was previously 2796 * acknowledged via a Gap Ack Block (e.g., the data receiver 2797 * reneged on the data), then mark the corresponding DATA chunk 2798 * as available for retransmit: Mark it as missing for fast 2799 * retransmit as described in Section 7.2.4 and if no retransmit 2800 * timer is running for the destination address to which the DATA 2801 * chunk was originally transmitted, then T3-rtx is started for 2802 * that destination address. 2803 * 2804 * Verification Tag: 8.5 Verification Tag [Normal verification] 2805 * 2806 * Inputs 2807 * (endpoint, asoc, chunk) 2808 * 2809 * Outputs 2810 * (asoc, reply_msg, msg_up, timers, counters) 2811 * 2812 * The return value is the disposition of the chunk. 2813 */ 2814 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2815 const struct sctp_association *asoc, 2816 const sctp_subtype_t type, 2817 void *arg, 2818 sctp_cmd_seq_t *commands) 2819 { 2820 struct sctp_chunk *chunk = arg; 2821 sctp_sackhdr_t *sackh; 2822 __u32 ctsn; 2823 2824 if (!sctp_vtag_verify(chunk, asoc)) 2825 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2826 2827 /* Make sure that the SACK chunk has a valid length. */ 2828 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 2829 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2830 commands); 2831 2832 /* Pull the SACK chunk from the data buffer */ 2833 sackh = sctp_sm_pull_sack(chunk); 2834 /* Was this a bogus SACK? */ 2835 if (!sackh) 2836 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2837 chunk->subh.sack_hdr = sackh; 2838 ctsn = ntohl(sackh->cum_tsn_ack); 2839 2840 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 2841 * Ack Point, then drop the SACK. Since Cumulative TSN 2842 * Ack is monotonically increasing, a SACK whose 2843 * Cumulative TSN Ack is less than the Cumulative TSN Ack 2844 * Point indicates an out-of-order SACK. 2845 */ 2846 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2847 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2848 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2849 return SCTP_DISPOSITION_DISCARD; 2850 } 2851 2852 /* Return this SACK for further processing. */ 2853 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 2854 2855 /* Note: We do the rest of the work on the PROCESS_SACK 2856 * sideeffect. 2857 */ 2858 return SCTP_DISPOSITION_CONSUME; 2859 } 2860 2861 /* 2862 * Generate an ABORT in response to a packet. 2863 * 2864 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 2865 * 2866 * 8) The receiver should respond to the sender of the OOTB packet with 2867 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 2868 * MUST fill in the Verification Tag field of the outbound packet 2869 * with the value found in the Verification Tag field of the OOTB 2870 * packet and set the T-bit in the Chunk Flags to indicate that the 2871 * Verification Tag is reflected. After sending this ABORT, the 2872 * receiver of the OOTB packet shall discard the OOTB packet and take 2873 * no further action. 2874 * 2875 * Verification Tag: 2876 * 2877 * The return value is the disposition of the chunk. 2878 */ 2879 sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 2880 const struct sctp_association *asoc, 2881 const sctp_subtype_t type, 2882 void *arg, 2883 sctp_cmd_seq_t *commands) 2884 { 2885 struct sctp_packet *packet = NULL; 2886 struct sctp_chunk *chunk = arg; 2887 struct sctp_chunk *abort; 2888 2889 packet = sctp_ootb_pkt_new(asoc, chunk); 2890 2891 if (packet) { 2892 /* Make an ABORT. The T bit will be set if the asoc 2893 * is NULL. 2894 */ 2895 abort = sctp_make_abort(asoc, chunk, 0); 2896 if (!abort) { 2897 sctp_ootb_pkt_free(packet); 2898 return SCTP_DISPOSITION_NOMEM; 2899 } 2900 2901 /* Reflect vtag if T-Bit is set */ 2902 if (sctp_test_T_bit(abort)) 2903 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 2904 2905 /* Set the skb to the belonging sock for accounting. */ 2906 abort->skb->sk = ep->base.sk; 2907 2908 sctp_packet_append_chunk(packet, abort); 2909 2910 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 2911 SCTP_PACKET(packet)); 2912 2913 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 2914 2915 return SCTP_DISPOSITION_CONSUME; 2916 } 2917 2918 return SCTP_DISPOSITION_NOMEM; 2919 } 2920 2921 /* 2922 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 2923 * event as ULP notification for each cause included in the chunk. 2924 * 2925 * API 5.3.1.3 - SCTP_REMOTE_ERROR 2926 * 2927 * The return value is the disposition of the chunk. 2928 */ 2929 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 2930 const struct sctp_association *asoc, 2931 const sctp_subtype_t type, 2932 void *arg, 2933 sctp_cmd_seq_t *commands) 2934 { 2935 struct sctp_chunk *chunk = arg; 2936 struct sctp_ulpevent *ev; 2937 2938 if (!sctp_vtag_verify(chunk, asoc)) 2939 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2940 2941 /* Make sure that the ERROR chunk has a valid length. */ 2942 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2943 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2944 commands); 2945 2946 while (chunk->chunk_end > chunk->skb->data) { 2947 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 2948 GFP_ATOMIC); 2949 if (!ev) 2950 goto nomem; 2951 2952 if (!sctp_add_cmd(commands, SCTP_CMD_EVENT_ULP, 2953 SCTP_ULPEVENT(ev))) { 2954 sctp_ulpevent_free(ev); 2955 goto nomem; 2956 } 2957 2958 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 2959 SCTP_CHUNK(chunk)); 2960 } 2961 return SCTP_DISPOSITION_CONSUME; 2962 2963 nomem: 2964 return SCTP_DISPOSITION_NOMEM; 2965 } 2966 2967 /* 2968 * Process an inbound SHUTDOWN ACK. 2969 * 2970 * From Section 9.2: 2971 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 2972 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 2973 * peer, and remove all record of the association. 2974 * 2975 * The return value is the disposition. 2976 */ 2977 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 2978 const struct sctp_association *asoc, 2979 const sctp_subtype_t type, 2980 void *arg, 2981 sctp_cmd_seq_t *commands) 2982 { 2983 struct sctp_chunk *chunk = arg; 2984 struct sctp_chunk *reply; 2985 struct sctp_ulpevent *ev; 2986 2987 if (!sctp_vtag_verify(chunk, asoc)) 2988 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2989 2990 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 2991 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2992 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2993 commands); 2994 2995 /* 10.2 H) SHUTDOWN COMPLETE notification 2996 * 2997 * When SCTP completes the shutdown procedures (section 9.2) this 2998 * notification is passed to the upper layer. 2999 */ 3000 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3001 0, 0, 0, GFP_ATOMIC); 3002 if (!ev) 3003 goto nomem; 3004 3005 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3006 3007 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3008 * stop the T2-shutdown timer, 3009 */ 3010 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3011 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3012 3013 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3014 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3015 3016 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3017 reply = sctp_make_shutdown_complete(asoc, chunk); 3018 if (!reply) 3019 goto nomem; 3020 3021 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3022 SCTP_STATE(SCTP_STATE_CLOSED)); 3023 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3024 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3025 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3026 3027 /* ...and remove all record of the association. */ 3028 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3029 return SCTP_DISPOSITION_DELETE_TCB; 3030 3031 nomem: 3032 return SCTP_DISPOSITION_NOMEM; 3033 } 3034 3035 /* 3036 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3037 * 3038 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3039 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3040 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3041 * packet must fill in the Verification Tag field of the outbound 3042 * packet with the Verification Tag received in the SHUTDOWN ACK and 3043 * set the T-bit in the Chunk Flags to indicate that the Verification 3044 * Tag is reflected. 3045 * 3046 * 8) The receiver should respond to the sender of the OOTB packet with 3047 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3048 * MUST fill in the Verification Tag field of the outbound packet 3049 * with the value found in the Verification Tag field of the OOTB 3050 * packet and set the T-bit in the Chunk Flags to indicate that the 3051 * Verification Tag is reflected. After sending this ABORT, the 3052 * receiver of the OOTB packet shall discard the OOTB packet and take 3053 * no further action. 3054 */ 3055 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3056 const struct sctp_association *asoc, 3057 const sctp_subtype_t type, 3058 void *arg, 3059 sctp_cmd_seq_t *commands) 3060 { 3061 struct sctp_chunk *chunk = arg; 3062 struct sk_buff *skb = chunk->skb; 3063 sctp_chunkhdr_t *ch; 3064 __u8 *ch_end; 3065 int ootb_shut_ack = 0; 3066 3067 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3068 3069 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3070 do { 3071 /* Break out if chunk length is less then minimal. */ 3072 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3073 break; 3074 3075 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3076 3077 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3078 ootb_shut_ack = 1; 3079 3080 /* RFC 2960, Section 3.3.7 3081 * Moreover, under any circumstances, an endpoint that 3082 * receives an ABORT MUST NOT respond to that ABORT by 3083 * sending an ABORT of its own. 3084 */ 3085 if (SCTP_CID_ABORT == ch->type) 3086 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3087 3088 ch = (sctp_chunkhdr_t *) ch_end; 3089 } while (ch_end < skb->tail); 3090 3091 if (ootb_shut_ack) 3092 sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3093 else 3094 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3095 3096 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3097 } 3098 3099 /* 3100 * Handle an "Out of the blue" SHUTDOWN ACK. 3101 * 3102 * Section: 8.4 5, sctpimpguide 2.41. 3103 * 3104 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3105 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3106 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3107 * packet must fill in the Verification Tag field of the outbound 3108 * packet with the Verification Tag received in the SHUTDOWN ACK and 3109 * set the T-bit in the Chunk Flags to indicate that the Verification 3110 * Tag is reflected. 3111 * 3112 * Inputs 3113 * (endpoint, asoc, type, arg, commands) 3114 * 3115 * Outputs 3116 * (sctp_disposition_t) 3117 * 3118 * The return value is the disposition of the chunk. 3119 */ 3120 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3121 const struct sctp_association *asoc, 3122 const sctp_subtype_t type, 3123 void *arg, 3124 sctp_cmd_seq_t *commands) 3125 { 3126 struct sctp_packet *packet = NULL; 3127 struct sctp_chunk *chunk = arg; 3128 struct sctp_chunk *shut; 3129 3130 packet = sctp_ootb_pkt_new(asoc, chunk); 3131 3132 if (packet) { 3133 /* Make an SHUTDOWN_COMPLETE. 3134 * The T bit will be set if the asoc is NULL. 3135 */ 3136 shut = sctp_make_shutdown_complete(asoc, chunk); 3137 if (!shut) { 3138 sctp_ootb_pkt_free(packet); 3139 return SCTP_DISPOSITION_NOMEM; 3140 } 3141 3142 /* Reflect vtag if T-Bit is set */ 3143 if (sctp_test_T_bit(shut)) 3144 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3145 3146 /* Set the skb to the belonging sock for accounting. */ 3147 shut->skb->sk = ep->base.sk; 3148 3149 sctp_packet_append_chunk(packet, shut); 3150 3151 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3152 SCTP_PACKET(packet)); 3153 3154 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3155 3156 /* If the chunk length is invalid, we don't want to process 3157 * the reset of the packet. 3158 */ 3159 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3160 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3161 3162 return SCTP_DISPOSITION_CONSUME; 3163 } 3164 3165 return SCTP_DISPOSITION_NOMEM; 3166 } 3167 3168 /* 3169 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3170 * 3171 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3172 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3173 * procedures in section 8.4 SHOULD be followed, in other words it 3174 * should be treated as an Out Of The Blue packet. 3175 * [This means that we do NOT check the Verification Tag on these 3176 * chunks. --piggy ] 3177 * 3178 */ 3179 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3180 const struct sctp_association *asoc, 3181 const sctp_subtype_t type, 3182 void *arg, 3183 sctp_cmd_seq_t *commands) 3184 { 3185 /* Although we do have an association in this case, it corresponds 3186 * to a restarted association. So the packet is treated as an OOTB 3187 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3188 * called with a NULL association. 3189 */ 3190 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3191 } 3192 3193 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3194 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3195 const struct sctp_association *asoc, 3196 const sctp_subtype_t type, void *arg, 3197 sctp_cmd_seq_t *commands) 3198 { 3199 struct sctp_chunk *chunk = arg; 3200 struct sctp_chunk *asconf_ack = NULL; 3201 sctp_addiphdr_t *hdr; 3202 __u32 serial; 3203 3204 if (!sctp_vtag_verify(chunk, asoc)) { 3205 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3206 SCTP_NULL()); 3207 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3208 } 3209 3210 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3211 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3212 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3213 commands); 3214 3215 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3216 serial = ntohl(hdr->serial); 3217 3218 /* ADDIP 4.2 C1) Compare the value of the serial number to the value 3219 * the endpoint stored in a new association variable 3220 * 'Peer-Serial-Number'. 3221 */ 3222 if (serial == asoc->peer.addip_serial + 1) { 3223 /* ADDIP 4.2 C2) If the value found in the serial number is 3224 * equal to the ('Peer-Serial-Number' + 1), the endpoint MUST 3225 * do V1-V5. 3226 */ 3227 asconf_ack = sctp_process_asconf((struct sctp_association *) 3228 asoc, chunk); 3229 if (!asconf_ack) 3230 return SCTP_DISPOSITION_NOMEM; 3231 } else if (serial == asoc->peer.addip_serial) { 3232 /* ADDIP 4.2 C3) If the value found in the serial number is 3233 * equal to the value stored in the 'Peer-Serial-Number' 3234 * IMPLEMENTATION NOTE: As an optimization a receiver may wish 3235 * to save the last ASCONF-ACK for some predetermined period of 3236 * time and instead of re-processing the ASCONF (with the same 3237 * serial number) it may just re-transmit the ASCONF-ACK. 3238 */ 3239 if (asoc->addip_last_asconf_ack) 3240 asconf_ack = asoc->addip_last_asconf_ack; 3241 else 3242 return SCTP_DISPOSITION_DISCARD; 3243 } else { 3244 /* ADDIP 4.2 C4) Otherwise, the ASCONF Chunk is discarded since 3245 * it must be either a stale packet or from an attacker. 3246 */ 3247 return SCTP_DISPOSITION_DISCARD; 3248 } 3249 3250 /* ADDIP 4.2 C5) In both cases C2 and C3 the ASCONF-ACK MUST be sent 3251 * back to the source address contained in the IP header of the ASCONF 3252 * being responded to. 3253 */ 3254 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3255 3256 return SCTP_DISPOSITION_CONSUME; 3257 } 3258 3259 /* 3260 * ADDIP Section 4.3 General rules for address manipulation 3261 * When building TLV parameters for the ASCONF Chunk that will add or 3262 * delete IP addresses the D0 to D13 rules should be applied: 3263 */ 3264 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3265 const struct sctp_association *asoc, 3266 const sctp_subtype_t type, void *arg, 3267 sctp_cmd_seq_t *commands) 3268 { 3269 struct sctp_chunk *asconf_ack = arg; 3270 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3271 struct sctp_chunk *abort; 3272 sctp_addiphdr_t *addip_hdr; 3273 __u32 sent_serial, rcvd_serial; 3274 3275 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3276 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3277 SCTP_NULL()); 3278 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3279 } 3280 3281 /* Make sure that the ADDIP chunk has a valid length. */ 3282 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3283 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3284 commands); 3285 3286 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3287 rcvd_serial = ntohl(addip_hdr->serial); 3288 3289 if (last_asconf) { 3290 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3291 sent_serial = ntohl(addip_hdr->serial); 3292 } else { 3293 sent_serial = asoc->addip_serial - 1; 3294 } 3295 3296 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3297 * equal to the next serial number to be used but no ASCONF chunk is 3298 * outstanding the endpoint MUST ABORT the association. Note that a 3299 * sequence number is greater than if it is no more than 2^^31-1 3300 * larger than the current sequence number (using serial arithmetic). 3301 */ 3302 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3303 !(asoc->addip_last_asconf)) { 3304 abort = sctp_make_abort(asoc, asconf_ack, 3305 sizeof(sctp_errhdr_t)); 3306 if (abort) { 3307 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, NULL, 0); 3308 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3309 SCTP_CHUNK(abort)); 3310 } 3311 /* We are going to ABORT, so we might as well stop 3312 * processing the rest of the chunks in the packet. 3313 */ 3314 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3315 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3316 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3317 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3318 SCTP_U32(SCTP_ERROR_ASCONF_ACK)); 3319 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3320 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3321 return SCTP_DISPOSITION_ABORT; 3322 } 3323 3324 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3325 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3326 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3327 3328 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3329 asconf_ack)) 3330 return SCTP_DISPOSITION_CONSUME; 3331 3332 abort = sctp_make_abort(asoc, asconf_ack, 3333 sizeof(sctp_errhdr_t)); 3334 if (abort) { 3335 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, NULL, 0); 3336 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3337 SCTP_CHUNK(abort)); 3338 } 3339 /* We are going to ABORT, so we might as well stop 3340 * processing the rest of the chunks in the packet. 3341 */ 3342 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3343 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3344 SCTP_U32(SCTP_ERROR_ASCONF_ACK)); 3345 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3346 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3347 return SCTP_DISPOSITION_ABORT; 3348 } 3349 3350 return SCTP_DISPOSITION_DISCARD; 3351 } 3352 3353 /* 3354 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3355 * 3356 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3357 * its cumulative TSN point to the value carried in the FORWARD TSN 3358 * chunk, and then MUST further advance its cumulative TSN point locally 3359 * if possible. 3360 * After the above processing, the data receiver MUST stop reporting any 3361 * missing TSNs earlier than or equal to the new cumulative TSN point. 3362 * 3363 * Verification Tag: 8.5 Verification Tag [Normal verification] 3364 * 3365 * The return value is the disposition of the chunk. 3366 */ 3367 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3368 const struct sctp_association *asoc, 3369 const sctp_subtype_t type, 3370 void *arg, 3371 sctp_cmd_seq_t *commands) 3372 { 3373 struct sctp_chunk *chunk = arg; 3374 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3375 __u16 len; 3376 __u32 tsn; 3377 3378 if (!sctp_vtag_verify(chunk, asoc)) { 3379 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3380 SCTP_NULL()); 3381 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3382 } 3383 3384 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3385 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3386 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3387 commands); 3388 3389 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3390 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3391 len = ntohs(chunk->chunk_hdr->length); 3392 len -= sizeof(struct sctp_chunkhdr); 3393 skb_pull(chunk->skb, len); 3394 3395 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3396 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3397 3398 /* The TSN is too high--silently discard the chunk and count on it 3399 * getting retransmitted later. 3400 */ 3401 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3402 goto discard_noforce; 3403 3404 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3405 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3406 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3407 SCTP_CHUNK(chunk)); 3408 3409 /* Count this as receiving DATA. */ 3410 if (asoc->autoclose) { 3411 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3412 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3413 } 3414 3415 /* FIXME: For now send a SACK, but DATA processing may 3416 * send another. 3417 */ 3418 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3419 /* Start the SACK timer. */ 3420 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3421 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 3422 3423 return SCTP_DISPOSITION_CONSUME; 3424 3425 discard_noforce: 3426 return SCTP_DISPOSITION_DISCARD; 3427 } 3428 3429 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3430 const struct sctp_endpoint *ep, 3431 const struct sctp_association *asoc, 3432 const sctp_subtype_t type, 3433 void *arg, 3434 sctp_cmd_seq_t *commands) 3435 { 3436 struct sctp_chunk *chunk = arg; 3437 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3438 __u16 len; 3439 __u32 tsn; 3440 3441 if (!sctp_vtag_verify(chunk, asoc)) { 3442 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3443 SCTP_NULL()); 3444 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3445 } 3446 3447 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3448 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3449 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3450 commands); 3451 3452 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3453 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3454 len = ntohs(chunk->chunk_hdr->length); 3455 len -= sizeof(struct sctp_chunkhdr); 3456 skb_pull(chunk->skb, len); 3457 3458 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3459 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3460 3461 /* The TSN is too high--silently discard the chunk and count on it 3462 * getting retransmitted later. 3463 */ 3464 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3465 goto gen_shutdown; 3466 3467 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3468 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3469 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3470 SCTP_CHUNK(chunk)); 3471 3472 /* Go a head and force a SACK, since we are shutting down. */ 3473 gen_shutdown: 3474 /* Implementor's Guide. 3475 * 3476 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3477 * respond to each received packet containing one or more DATA chunk(s) 3478 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3479 */ 3480 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3481 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3482 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3483 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3484 3485 return SCTP_DISPOSITION_CONSUME; 3486 } 3487 3488 /* 3489 * Process an unknown chunk. 3490 * 3491 * Section: 3.2. Also, 2.1 in the implementor's guide. 3492 * 3493 * Chunk Types are encoded such that the highest-order two bits specify 3494 * the action that must be taken if the processing endpoint does not 3495 * recognize the Chunk Type. 3496 * 3497 * 00 - Stop processing this SCTP packet and discard it, do not process 3498 * any further chunks within it. 3499 * 3500 * 01 - Stop processing this SCTP packet and discard it, do not process 3501 * any further chunks within it, and report the unrecognized 3502 * chunk in an 'Unrecognized Chunk Type'. 3503 * 3504 * 10 - Skip this chunk and continue processing. 3505 * 3506 * 11 - Skip this chunk and continue processing, but report in an ERROR 3507 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3508 * 3509 * The return value is the disposition of the chunk. 3510 */ 3511 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3512 const struct sctp_association *asoc, 3513 const sctp_subtype_t type, 3514 void *arg, 3515 sctp_cmd_seq_t *commands) 3516 { 3517 struct sctp_chunk *unk_chunk = arg; 3518 struct sctp_chunk *err_chunk; 3519 sctp_chunkhdr_t *hdr; 3520 3521 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3522 3523 if (!sctp_vtag_verify(unk_chunk, asoc)) 3524 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3525 3526 /* Make sure that the chunk has a valid length. 3527 * Since we don't know the chunk type, we use a general 3528 * chunkhdr structure to make a comparison. 3529 */ 3530 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3531 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3532 commands); 3533 3534 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3535 case SCTP_CID_ACTION_DISCARD: 3536 /* Discard the packet. */ 3537 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3538 break; 3539 case SCTP_CID_ACTION_DISCARD_ERR: 3540 /* Discard the packet. */ 3541 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3542 3543 /* Generate an ERROR chunk as response. */ 3544 hdr = unk_chunk->chunk_hdr; 3545 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3546 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3547 WORD_ROUND(ntohs(hdr->length))); 3548 if (err_chunk) { 3549 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3550 SCTP_CHUNK(err_chunk)); 3551 } 3552 return SCTP_DISPOSITION_CONSUME; 3553 break; 3554 case SCTP_CID_ACTION_SKIP: 3555 /* Skip the chunk. */ 3556 return SCTP_DISPOSITION_DISCARD; 3557 break; 3558 case SCTP_CID_ACTION_SKIP_ERR: 3559 /* Generate an ERROR chunk as response. */ 3560 hdr = unk_chunk->chunk_hdr; 3561 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3562 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3563 WORD_ROUND(ntohs(hdr->length))); 3564 if (err_chunk) { 3565 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3566 SCTP_CHUNK(err_chunk)); 3567 } 3568 /* Skip the chunk. */ 3569 return SCTP_DISPOSITION_CONSUME; 3570 break; 3571 default: 3572 break; 3573 } 3574 3575 return SCTP_DISPOSITION_DISCARD; 3576 } 3577 3578 /* 3579 * Discard the chunk. 3580 * 3581 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 3582 * [Too numerous to mention...] 3583 * Verification Tag: No verification needed. 3584 * Inputs 3585 * (endpoint, asoc, chunk) 3586 * 3587 * Outputs 3588 * (asoc, reply_msg, msg_up, timers, counters) 3589 * 3590 * The return value is the disposition of the chunk. 3591 */ 3592 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 3593 const struct sctp_association *asoc, 3594 const sctp_subtype_t type, 3595 void *arg, 3596 sctp_cmd_seq_t *commands) 3597 { 3598 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 3599 return SCTP_DISPOSITION_DISCARD; 3600 } 3601 3602 /* 3603 * Discard the whole packet. 3604 * 3605 * Section: 8.4 2) 3606 * 3607 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 3608 * silently discard the OOTB packet and take no further action. 3609 * 3610 * Verification Tag: No verification necessary 3611 * 3612 * Inputs 3613 * (endpoint, asoc, chunk) 3614 * 3615 * Outputs 3616 * (asoc, reply_msg, msg_up, timers, counters) 3617 * 3618 * The return value is the disposition of the chunk. 3619 */ 3620 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 3621 const struct sctp_association *asoc, 3622 const sctp_subtype_t type, 3623 void *arg, 3624 sctp_cmd_seq_t *commands) 3625 { 3626 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3627 3628 return SCTP_DISPOSITION_CONSUME; 3629 } 3630 3631 3632 /* 3633 * The other end is violating protocol. 3634 * 3635 * Section: Not specified 3636 * Verification Tag: Not specified 3637 * Inputs 3638 * (endpoint, asoc, chunk) 3639 * 3640 * Outputs 3641 * (asoc, reply_msg, msg_up, timers, counters) 3642 * 3643 * We simply tag the chunk as a violation. The state machine will log 3644 * the violation and continue. 3645 */ 3646 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 3647 const struct sctp_association *asoc, 3648 const sctp_subtype_t type, 3649 void *arg, 3650 sctp_cmd_seq_t *commands) 3651 { 3652 return SCTP_DISPOSITION_VIOLATION; 3653 } 3654 3655 3656 /* 3657 * Handle a protocol violation when the chunk length is invalid. 3658 * "Invalid" length is identified as smaller then the minimal length a 3659 * given chunk can be. For example, a SACK chunk has invalid length 3660 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 3661 * 3662 * We inform the other end by sending an ABORT with a Protocol Violation 3663 * error code. 3664 * 3665 * Section: Not specified 3666 * Verification Tag: Nothing to do 3667 * Inputs 3668 * (endpoint, asoc, chunk) 3669 * 3670 * Outputs 3671 * (reply_msg, msg_up, counters) 3672 * 3673 * Generate an ABORT chunk and terminate the association. 3674 */ 3675 sctp_disposition_t sctp_sf_violation_chunklen(const struct sctp_endpoint *ep, 3676 const struct sctp_association *asoc, 3677 const sctp_subtype_t type, 3678 void *arg, 3679 sctp_cmd_seq_t *commands) 3680 { 3681 struct sctp_chunk *chunk = arg; 3682 struct sctp_chunk *abort = NULL; 3683 char err_str[]="The following chunk had invalid length:"; 3684 3685 /* Make the abort chunk. */ 3686 abort = sctp_make_abort_violation(asoc, chunk, err_str, 3687 sizeof(err_str)); 3688 if (!abort) 3689 goto nomem; 3690 3691 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 3692 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3693 3694 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 3695 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3696 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3697 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 3698 SCTP_U32(SCTP_ERROR_PROTO_VIOLATION)); 3699 } else { 3700 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3701 SCTP_U32(SCTP_ERROR_PROTO_VIOLATION)); 3702 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3703 } 3704 3705 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3706 3707 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3708 3709 return SCTP_DISPOSITION_ABORT; 3710 3711 nomem: 3712 return SCTP_DISPOSITION_NOMEM; 3713 } 3714 3715 /*************************************************************************** 3716 * These are the state functions for handling primitive (Section 10) events. 3717 ***************************************************************************/ 3718 /* 3719 * sctp_sf_do_prm_asoc 3720 * 3721 * Section: 10.1 ULP-to-SCTP 3722 * B) Associate 3723 * 3724 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 3725 * outbound stream count) 3726 * -> association id [,destination transport addr list] [,outbound stream 3727 * count] 3728 * 3729 * This primitive allows the upper layer to initiate an association to a 3730 * specific peer endpoint. 3731 * 3732 * The peer endpoint shall be specified by one of the transport addresses 3733 * which defines the endpoint (see Section 1.4). If the local SCTP 3734 * instance has not been initialized, the ASSOCIATE is considered an 3735 * error. 3736 * [This is not relevant for the kernel implementation since we do all 3737 * initialization at boot time. It we hadn't initialized we wouldn't 3738 * get anywhere near this code.] 3739 * 3740 * An association id, which is a local handle to the SCTP association, 3741 * will be returned on successful establishment of the association. If 3742 * SCTP is not able to open an SCTP association with the peer endpoint, 3743 * an error is returned. 3744 * [In the kernel implementation, the struct sctp_association needs to 3745 * be created BEFORE causing this primitive to run.] 3746 * 3747 * Other association parameters may be returned, including the 3748 * complete destination transport addresses of the peer as well as the 3749 * outbound stream count of the local endpoint. One of the transport 3750 * address from the returned destination addresses will be selected by 3751 * the local endpoint as default primary path for sending SCTP packets 3752 * to this peer. The returned "destination transport addr list" can 3753 * be used by the ULP to change the default primary path or to force 3754 * sending a packet to a specific transport address. [All of this 3755 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 3756 * function.] 3757 * 3758 * Mandatory attributes: 3759 * 3760 * o local SCTP instance name - obtained from the INITIALIZE operation. 3761 * [This is the argument asoc.] 3762 * o destination transport addr - specified as one of the transport 3763 * addresses of the peer endpoint with which the association is to be 3764 * established. 3765 * [This is asoc->peer.active_path.] 3766 * o outbound stream count - the number of outbound streams the ULP 3767 * would like to open towards this peer endpoint. 3768 * [BUG: This is not currently implemented.] 3769 * Optional attributes: 3770 * 3771 * None. 3772 * 3773 * The return value is a disposition. 3774 */ 3775 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 3776 const struct sctp_association *asoc, 3777 const sctp_subtype_t type, 3778 void *arg, 3779 sctp_cmd_seq_t *commands) 3780 { 3781 struct sctp_chunk *repl; 3782 3783 /* The comment below says that we enter COOKIE-WAIT AFTER 3784 * sending the INIT, but that doesn't actually work in our 3785 * implementation... 3786 */ 3787 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3788 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 3789 3790 /* RFC 2960 5.1 Normal Establishment of an Association 3791 * 3792 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 3793 * must provide its Verification Tag (Tag_A) in the Initiate 3794 * Tag field. Tag_A SHOULD be a random number in the range of 3795 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 3796 */ 3797 3798 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 3799 if (!repl) 3800 goto nomem; 3801 3802 /* Cast away the const modifier, as we want to just 3803 * rerun it through as a sideffect. 3804 */ 3805 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, 3806 SCTP_ASOC((struct sctp_association *) asoc)); 3807 3808 /* After sending the INIT, "A" starts the T1-init timer and 3809 * enters the COOKIE-WAIT state. 3810 */ 3811 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3812 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3813 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 3814 return SCTP_DISPOSITION_CONSUME; 3815 3816 nomem: 3817 return SCTP_DISPOSITION_NOMEM; 3818 } 3819 3820 /* 3821 * Process the SEND primitive. 3822 * 3823 * Section: 10.1 ULP-to-SCTP 3824 * E) Send 3825 * 3826 * Format: SEND(association id, buffer address, byte count [,context] 3827 * [,stream id] [,life time] [,destination transport address] 3828 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 3829 * -> result 3830 * 3831 * This is the main method to send user data via SCTP. 3832 * 3833 * Mandatory attributes: 3834 * 3835 * o association id - local handle to the SCTP association 3836 * 3837 * o buffer address - the location where the user message to be 3838 * transmitted is stored; 3839 * 3840 * o byte count - The size of the user data in number of bytes; 3841 * 3842 * Optional attributes: 3843 * 3844 * o context - an optional 32 bit integer that will be carried in the 3845 * sending failure notification to the ULP if the transportation of 3846 * this User Message fails. 3847 * 3848 * o stream id - to indicate which stream to send the data on. If not 3849 * specified, stream 0 will be used. 3850 * 3851 * o life time - specifies the life time of the user data. The user data 3852 * will not be sent by SCTP after the life time expires. This 3853 * parameter can be used to avoid efforts to transmit stale 3854 * user messages. SCTP notifies the ULP if the data cannot be 3855 * initiated to transport (i.e. sent to the destination via SCTP's 3856 * send primitive) within the life time variable. However, the 3857 * user data will be transmitted if SCTP has attempted to transmit a 3858 * chunk before the life time expired. 3859 * 3860 * o destination transport address - specified as one of the destination 3861 * transport addresses of the peer endpoint to which this packet 3862 * should be sent. Whenever possible, SCTP should use this destination 3863 * transport address for sending the packets, instead of the current 3864 * primary path. 3865 * 3866 * o unorder flag - this flag, if present, indicates that the user 3867 * would like the data delivered in an unordered fashion to the peer 3868 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 3869 * message). 3870 * 3871 * o no-bundle flag - instructs SCTP not to bundle this user data with 3872 * other outbound DATA chunks. SCTP MAY still bundle even when 3873 * this flag is present, when faced with network congestion. 3874 * 3875 * o payload protocol-id - A 32 bit unsigned integer that is to be 3876 * passed to the peer indicating the type of payload protocol data 3877 * being transmitted. This value is passed as opaque data by SCTP. 3878 * 3879 * The return value is the disposition. 3880 */ 3881 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 3882 const struct sctp_association *asoc, 3883 const sctp_subtype_t type, 3884 void *arg, 3885 sctp_cmd_seq_t *commands) 3886 { 3887 struct sctp_chunk *chunk = arg; 3888 3889 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 3890 return SCTP_DISPOSITION_CONSUME; 3891 } 3892 3893 /* 3894 * Process the SHUTDOWN primitive. 3895 * 3896 * Section: 10.1: 3897 * C) Shutdown 3898 * 3899 * Format: SHUTDOWN(association id) 3900 * -> result 3901 * 3902 * Gracefully closes an association. Any locally queued user data 3903 * will be delivered to the peer. The association will be terminated only 3904 * after the peer acknowledges all the SCTP packets sent. A success code 3905 * will be returned on successful termination of the association. If 3906 * attempting to terminate the association results in a failure, an error 3907 * code shall be returned. 3908 * 3909 * Mandatory attributes: 3910 * 3911 * o association id - local handle to the SCTP association 3912 * 3913 * Optional attributes: 3914 * 3915 * None. 3916 * 3917 * The return value is the disposition. 3918 */ 3919 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 3920 const struct sctp_endpoint *ep, 3921 const struct sctp_association *asoc, 3922 const sctp_subtype_t type, 3923 void *arg, 3924 sctp_cmd_seq_t *commands) 3925 { 3926 int disposition; 3927 3928 /* From 9.2 Shutdown of an Association 3929 * Upon receipt of the SHUTDOWN primitive from its upper 3930 * layer, the endpoint enters SHUTDOWN-PENDING state and 3931 * remains there until all outstanding data has been 3932 * acknowledged by its peer. The endpoint accepts no new data 3933 * from its upper layer, but retransmits data to the far end 3934 * if necessary to fill gaps. 3935 */ 3936 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3937 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 3938 3939 /* sctpimpguide-05 Section 2.12.2 3940 * The sender of the SHUTDOWN MAY also start an overall guard timer 3941 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 3942 */ 3943 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3944 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3945 3946 disposition = SCTP_DISPOSITION_CONSUME; 3947 if (sctp_outq_is_empty(&asoc->outqueue)) { 3948 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 3949 arg, commands); 3950 } 3951 return disposition; 3952 } 3953 3954 /* 3955 * Process the ABORT primitive. 3956 * 3957 * Section: 10.1: 3958 * C) Abort 3959 * 3960 * Format: Abort(association id [, cause code]) 3961 * -> result 3962 * 3963 * Ungracefully closes an association. Any locally queued user data 3964 * will be discarded and an ABORT chunk is sent to the peer. A success code 3965 * will be returned on successful abortion of the association. If 3966 * attempting to abort the association results in a failure, an error 3967 * code shall be returned. 3968 * 3969 * Mandatory attributes: 3970 * 3971 * o association id - local handle to the SCTP association 3972 * 3973 * Optional attributes: 3974 * 3975 * o cause code - reason of the abort to be passed to the peer 3976 * 3977 * None. 3978 * 3979 * The return value is the disposition. 3980 */ 3981 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 3982 const struct sctp_endpoint *ep, 3983 const struct sctp_association *asoc, 3984 const sctp_subtype_t type, 3985 void *arg, 3986 sctp_cmd_seq_t *commands) 3987 { 3988 /* From 9.1 Abort of an Association 3989 * Upon receipt of the ABORT primitive from its upper 3990 * layer, the endpoint enters CLOSED state and 3991 * discard all outstanding data has been 3992 * acknowledged by its peer. The endpoint accepts no new data 3993 * from its upper layer, but retransmits data to the far end 3994 * if necessary to fill gaps. 3995 */ 3996 struct msghdr *msg = arg; 3997 struct sctp_chunk *abort; 3998 sctp_disposition_t retval; 3999 4000 retval = SCTP_DISPOSITION_CONSUME; 4001 4002 /* Generate ABORT chunk to send the peer. */ 4003 abort = sctp_make_abort_user(asoc, NULL, msg); 4004 if (!abort) 4005 retval = SCTP_DISPOSITION_NOMEM; 4006 else 4007 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4008 4009 /* Even if we can't send the ABORT due to low memory delete the 4010 * TCB. This is a departure from our typical NOMEM handling. 4011 */ 4012 4013 /* Delete the established association. */ 4014 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4015 SCTP_U32(SCTP_ERROR_USER_ABORT)); 4016 4017 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4018 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4019 4020 return retval; 4021 } 4022 4023 /* We tried an illegal operation on an association which is closed. */ 4024 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4025 const struct sctp_association *asoc, 4026 const sctp_subtype_t type, 4027 void *arg, 4028 sctp_cmd_seq_t *commands) 4029 { 4030 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4031 return SCTP_DISPOSITION_CONSUME; 4032 } 4033 4034 /* We tried an illegal operation on an association which is shutting 4035 * down. 4036 */ 4037 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4038 const struct sctp_association *asoc, 4039 const sctp_subtype_t type, 4040 void *arg, 4041 sctp_cmd_seq_t *commands) 4042 { 4043 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4044 SCTP_ERROR(-ESHUTDOWN)); 4045 return SCTP_DISPOSITION_CONSUME; 4046 } 4047 4048 /* 4049 * sctp_cookie_wait_prm_shutdown 4050 * 4051 * Section: 4 Note: 2 4052 * Verification Tag: 4053 * Inputs 4054 * (endpoint, asoc) 4055 * 4056 * The RFC does not explicitly address this issue, but is the route through the 4057 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4058 * 4059 * Outputs 4060 * (timers) 4061 */ 4062 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4063 const struct sctp_endpoint *ep, 4064 const struct sctp_association *asoc, 4065 const sctp_subtype_t type, 4066 void *arg, 4067 sctp_cmd_seq_t *commands) 4068 { 4069 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4070 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4071 4072 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4073 SCTP_STATE(SCTP_STATE_CLOSED)); 4074 4075 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4076 4077 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4078 4079 return SCTP_DISPOSITION_DELETE_TCB; 4080 } 4081 4082 /* 4083 * sctp_cookie_echoed_prm_shutdown 4084 * 4085 * Section: 4 Note: 2 4086 * Verification Tag: 4087 * Inputs 4088 * (endpoint, asoc) 4089 * 4090 * The RFC does not explcitly address this issue, but is the route through the 4091 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4092 * 4093 * Outputs 4094 * (timers) 4095 */ 4096 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4097 const struct sctp_endpoint *ep, 4098 const struct sctp_association *asoc, 4099 const sctp_subtype_t type, 4100 void *arg, sctp_cmd_seq_t *commands) 4101 { 4102 /* There is a single T1 timer, so we should be able to use 4103 * common function with the COOKIE-WAIT state. 4104 */ 4105 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4106 } 4107 4108 /* 4109 * sctp_sf_cookie_wait_prm_abort 4110 * 4111 * Section: 4 Note: 2 4112 * Verification Tag: 4113 * Inputs 4114 * (endpoint, asoc) 4115 * 4116 * The RFC does not explicitly address this issue, but is the route through the 4117 * state table when someone issues an abort while in COOKIE_WAIT state. 4118 * 4119 * Outputs 4120 * (timers) 4121 */ 4122 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4123 const struct sctp_endpoint *ep, 4124 const struct sctp_association *asoc, 4125 const sctp_subtype_t type, 4126 void *arg, 4127 sctp_cmd_seq_t *commands) 4128 { 4129 struct msghdr *msg = arg; 4130 struct sctp_chunk *abort; 4131 sctp_disposition_t retval; 4132 4133 /* Stop T1-init timer */ 4134 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4135 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4136 retval = SCTP_DISPOSITION_CONSUME; 4137 4138 /* Generate ABORT chunk to send the peer */ 4139 abort = sctp_make_abort_user(asoc, NULL, msg); 4140 if (!abort) 4141 retval = SCTP_DISPOSITION_NOMEM; 4142 else 4143 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4144 4145 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4146 SCTP_STATE(SCTP_STATE_CLOSED)); 4147 4148 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4149 4150 /* Even if we can't send the ABORT due to low memory delete the 4151 * TCB. This is a departure from our typical NOMEM handling. 4152 */ 4153 4154 /* Delete the established association. */ 4155 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4156 SCTP_U32(SCTP_ERROR_USER_ABORT)); 4157 4158 return retval; 4159 } 4160 4161 /* 4162 * sctp_sf_cookie_echoed_prm_abort 4163 * 4164 * Section: 4 Note: 3 4165 * Verification Tag: 4166 * Inputs 4167 * (endpoint, asoc) 4168 * 4169 * The RFC does not explcitly address this issue, but is the route through the 4170 * state table when someone issues an abort while in COOKIE_ECHOED state. 4171 * 4172 * Outputs 4173 * (timers) 4174 */ 4175 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4176 const struct sctp_endpoint *ep, 4177 const struct sctp_association *asoc, 4178 const sctp_subtype_t type, 4179 void *arg, 4180 sctp_cmd_seq_t *commands) 4181 { 4182 /* There is a single T1 timer, so we should be able to use 4183 * common function with the COOKIE-WAIT state. 4184 */ 4185 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4186 } 4187 4188 /* 4189 * sctp_sf_shutdown_pending_prm_abort 4190 * 4191 * Inputs 4192 * (endpoint, asoc) 4193 * 4194 * The RFC does not explicitly address this issue, but is the route through the 4195 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4196 * 4197 * Outputs 4198 * (timers) 4199 */ 4200 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4201 const struct sctp_endpoint *ep, 4202 const struct sctp_association *asoc, 4203 const sctp_subtype_t type, 4204 void *arg, 4205 sctp_cmd_seq_t *commands) 4206 { 4207 /* Stop the T5-shutdown guard timer. */ 4208 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4209 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4210 4211 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4212 } 4213 4214 /* 4215 * sctp_sf_shutdown_sent_prm_abort 4216 * 4217 * Inputs 4218 * (endpoint, asoc) 4219 * 4220 * The RFC does not explicitly address this issue, but is the route through the 4221 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4222 * 4223 * Outputs 4224 * (timers) 4225 */ 4226 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4227 const struct sctp_endpoint *ep, 4228 const struct sctp_association *asoc, 4229 const sctp_subtype_t type, 4230 void *arg, 4231 sctp_cmd_seq_t *commands) 4232 { 4233 /* Stop the T2-shutdown timer. */ 4234 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4235 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4236 4237 /* Stop the T5-shutdown guard timer. */ 4238 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4239 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4240 4241 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4242 } 4243 4244 /* 4245 * sctp_sf_cookie_echoed_prm_abort 4246 * 4247 * Inputs 4248 * (endpoint, asoc) 4249 * 4250 * The RFC does not explcitly address this issue, but is the route through the 4251 * state table when someone issues an abort while in COOKIE_ECHOED state. 4252 * 4253 * Outputs 4254 * (timers) 4255 */ 4256 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4257 const struct sctp_endpoint *ep, 4258 const struct sctp_association *asoc, 4259 const sctp_subtype_t type, 4260 void *arg, 4261 sctp_cmd_seq_t *commands) 4262 { 4263 /* The same T2 timer, so we should be able to use 4264 * common function with the SHUTDOWN-SENT state. 4265 */ 4266 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4267 } 4268 4269 /* 4270 * Process the REQUESTHEARTBEAT primitive 4271 * 4272 * 10.1 ULP-to-SCTP 4273 * J) Request Heartbeat 4274 * 4275 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4276 * 4277 * -> result 4278 * 4279 * Instructs the local endpoint to perform a HeartBeat on the specified 4280 * destination transport address of the given association. The returned 4281 * result should indicate whether the transmission of the HEARTBEAT 4282 * chunk to the destination address is successful. 4283 * 4284 * Mandatory attributes: 4285 * 4286 * o association id - local handle to the SCTP association 4287 * 4288 * o destination transport address - the transport address of the 4289 * association on which a heartbeat should be issued. 4290 */ 4291 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4292 const struct sctp_endpoint *ep, 4293 const struct sctp_association *asoc, 4294 const sctp_subtype_t type, 4295 void *arg, 4296 sctp_cmd_seq_t *commands) 4297 { 4298 return sctp_sf_heartbeat(ep, asoc, type, (struct sctp_transport *)arg, 4299 commands); 4300 } 4301 4302 /* 4303 * ADDIP Section 4.1 ASCONF Chunk Procedures 4304 * When an endpoint has an ASCONF signaled change to be sent to the 4305 * remote endpoint it should do A1 to A9 4306 */ 4307 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4308 const struct sctp_association *asoc, 4309 const sctp_subtype_t type, 4310 void *arg, 4311 sctp_cmd_seq_t *commands) 4312 { 4313 struct sctp_chunk *chunk = arg; 4314 4315 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4316 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4317 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4318 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4319 return SCTP_DISPOSITION_CONSUME; 4320 } 4321 4322 /* 4323 * Ignore the primitive event 4324 * 4325 * The return value is the disposition of the primitive. 4326 */ 4327 sctp_disposition_t sctp_sf_ignore_primitive( 4328 const struct sctp_endpoint *ep, 4329 const struct sctp_association *asoc, 4330 const sctp_subtype_t type, 4331 void *arg, 4332 sctp_cmd_seq_t *commands) 4333 { 4334 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4335 return SCTP_DISPOSITION_DISCARD; 4336 } 4337 4338 /*************************************************************************** 4339 * These are the state functions for the OTHER events. 4340 ***************************************************************************/ 4341 4342 /* 4343 * Start the shutdown negotiation. 4344 * 4345 * From Section 9.2: 4346 * Once all its outstanding data has been acknowledged, the endpoint 4347 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4348 * TSN Ack field the last sequential TSN it has received from the peer. 4349 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4350 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4351 * with the updated last sequential TSN received from its peer. 4352 * 4353 * The return value is the disposition. 4354 */ 4355 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4356 const struct sctp_endpoint *ep, 4357 const struct sctp_association *asoc, 4358 const sctp_subtype_t type, 4359 void *arg, 4360 sctp_cmd_seq_t *commands) 4361 { 4362 struct sctp_chunk *reply; 4363 4364 /* Once all its outstanding data has been acknowledged, the 4365 * endpoint shall send a SHUTDOWN chunk to its peer including 4366 * in the Cumulative TSN Ack field the last sequential TSN it 4367 * has received from the peer. 4368 */ 4369 reply = sctp_make_shutdown(asoc, NULL); 4370 if (!reply) 4371 goto nomem; 4372 4373 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4374 * T2-shutdown timer. 4375 */ 4376 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4377 4378 /* It shall then start the T2-shutdown timer */ 4379 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4380 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4381 4382 if (asoc->autoclose) 4383 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4384 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4385 4386 /* and enter the SHUTDOWN-SENT state. */ 4387 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4388 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4389 4390 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4391 * 4392 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4393 * or SHUTDOWN-ACK. 4394 */ 4395 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4396 4397 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4398 4399 return SCTP_DISPOSITION_CONSUME; 4400 4401 nomem: 4402 return SCTP_DISPOSITION_NOMEM; 4403 } 4404 4405 /* 4406 * Generate a SHUTDOWN ACK now that everything is SACK'd. 4407 * 4408 * From Section 9.2: 4409 * 4410 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4411 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 4412 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 4413 * endpoint must re-send the SHUTDOWN ACK. 4414 * 4415 * The return value is the disposition. 4416 */ 4417 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 4418 const struct sctp_endpoint *ep, 4419 const struct sctp_association *asoc, 4420 const sctp_subtype_t type, 4421 void *arg, 4422 sctp_cmd_seq_t *commands) 4423 { 4424 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 4425 struct sctp_chunk *reply; 4426 4427 /* There are 2 ways of getting here: 4428 * 1) called in response to a SHUTDOWN chunk 4429 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 4430 * 4431 * For the case (2), the arg parameter is set to NULL. We need 4432 * to check that we have a chunk before accessing it's fields. 4433 */ 4434 if (chunk) { 4435 if (!sctp_vtag_verify(chunk, asoc)) 4436 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4437 4438 /* Make sure that the SHUTDOWN chunk has a valid length. */ 4439 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 4440 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4441 commands); 4442 } 4443 4444 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4445 * shall send a SHUTDOWN ACK ... 4446 */ 4447 reply = sctp_make_shutdown_ack(asoc, chunk); 4448 if (!reply) 4449 goto nomem; 4450 4451 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 4452 * the T2-shutdown timer. 4453 */ 4454 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4455 4456 /* and start/restart a T2-shutdown timer of its own, */ 4457 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4458 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4459 4460 if (asoc->autoclose) 4461 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4462 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4463 4464 /* Enter the SHUTDOWN-ACK-SENT state. */ 4465 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4466 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 4467 4468 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4469 * 4470 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4471 * or SHUTDOWN-ACK. 4472 */ 4473 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4474 4475 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4476 4477 return SCTP_DISPOSITION_CONSUME; 4478 4479 nomem: 4480 return SCTP_DISPOSITION_NOMEM; 4481 } 4482 4483 /* 4484 * Ignore the event defined as other 4485 * 4486 * The return value is the disposition of the event. 4487 */ 4488 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 4489 const struct sctp_association *asoc, 4490 const sctp_subtype_t type, 4491 void *arg, 4492 sctp_cmd_seq_t *commands) 4493 { 4494 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 4495 return SCTP_DISPOSITION_DISCARD; 4496 } 4497 4498 /************************************************************ 4499 * These are the state functions for handling timeout events. 4500 ************************************************************/ 4501 4502 /* 4503 * RTX Timeout 4504 * 4505 * Section: 6.3.3 Handle T3-rtx Expiration 4506 * 4507 * Whenever the retransmission timer T3-rtx expires for a destination 4508 * address, do the following: 4509 * [See below] 4510 * 4511 * The return value is the disposition of the chunk. 4512 */ 4513 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 4514 const struct sctp_association *asoc, 4515 const sctp_subtype_t type, 4516 void *arg, 4517 sctp_cmd_seq_t *commands) 4518 { 4519 struct sctp_transport *transport = arg; 4520 4521 if (asoc->overall_error_count >= asoc->max_retrans) { 4522 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4523 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4524 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4525 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4526 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4527 return SCTP_DISPOSITION_DELETE_TCB; 4528 } 4529 4530 /* E1) For the destination address for which the timer 4531 * expires, adjust its ssthresh with rules defined in Section 4532 * 7.2.3 and set the cwnd <- MTU. 4533 */ 4534 4535 /* E2) For the destination address for which the timer 4536 * expires, set RTO <- RTO * 2 ("back off the timer"). The 4537 * maximum value discussed in rule C7 above (RTO.max) may be 4538 * used to provide an upper bound to this doubling operation. 4539 */ 4540 4541 /* E3) Determine how many of the earliest (i.e., lowest TSN) 4542 * outstanding DATA chunks for the address for which the 4543 * T3-rtx has expired will fit into a single packet, subject 4544 * to the MTU constraint for the path corresponding to the 4545 * destination transport address to which the retransmission 4546 * is being sent (this may be different from the address for 4547 * which the timer expires [see Section 6.4]). Call this 4548 * value K. Bundle and retransmit those K DATA chunks in a 4549 * single packet to the destination endpoint. 4550 * 4551 * Note: Any DATA chunks that were sent to the address for 4552 * which the T3-rtx timer expired but did not fit in one MTU 4553 * (rule E3 above), should be marked for retransmission and 4554 * sent as soon as cwnd allows (normally when a SACK arrives). 4555 */ 4556 4557 /* NB: Rules E4 and F1 are implicit in R1. */ 4558 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 4559 4560 /* Do some failure management (Section 8.2). */ 4561 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4562 4563 return SCTP_DISPOSITION_CONSUME; 4564 } 4565 4566 /* 4567 * Generate delayed SACK on timeout 4568 * 4569 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 4570 * 4571 * The guidelines on delayed acknowledgement algorithm specified in 4572 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 4573 * acknowledgement SHOULD be generated for at least every second packet 4574 * (not every second DATA chunk) received, and SHOULD be generated 4575 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 4576 * some situations it may be beneficial for an SCTP transmitter to be 4577 * more conservative than the algorithms detailed in this document 4578 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 4579 * the following algorithms allow. 4580 */ 4581 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 4582 const struct sctp_association *asoc, 4583 const sctp_subtype_t type, 4584 void *arg, 4585 sctp_cmd_seq_t *commands) 4586 { 4587 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4588 return SCTP_DISPOSITION_CONSUME; 4589 } 4590 4591 /* 4592 * sctp_sf_t1_timer_expire 4593 * 4594 * Section: 4 Note: 2 4595 * Verification Tag: 4596 * Inputs 4597 * (endpoint, asoc) 4598 * 4599 * RFC 2960 Section 4 Notes 4600 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 4601 * and re-start the T1-init timer without changing state. This MUST 4602 * be repeated up to 'Max.Init.Retransmits' times. After that, the 4603 * endpoint MUST abort the initialization process and report the 4604 * error to SCTP user. 4605 * 4606 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 4607 * COOKIE ECHO and re-start the T1-cookie timer without changing 4608 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 4609 * After that, the endpoint MUST abort the initialization process and 4610 * report the error to SCTP user. 4611 * 4612 * Outputs 4613 * (timers, events) 4614 * 4615 */ 4616 sctp_disposition_t sctp_sf_t1_timer_expire(const struct sctp_endpoint *ep, 4617 const struct sctp_association *asoc, 4618 const sctp_subtype_t type, 4619 void *arg, 4620 sctp_cmd_seq_t *commands) 4621 { 4622 struct sctp_chunk *repl; 4623 struct sctp_bind_addr *bp; 4624 sctp_event_timeout_t timer = (sctp_event_timeout_t) arg; 4625 int timeout; 4626 int attempts; 4627 4628 timeout = asoc->timeouts[timer]; 4629 attempts = asoc->counters[SCTP_COUNTER_INIT_ERROR] + 1; 4630 repl = NULL; 4631 4632 SCTP_DEBUG_PRINTK("Timer T1 expired.\n"); 4633 4634 if (attempts < asoc->max_init_attempts) { 4635 switch (timer) { 4636 case SCTP_EVENT_TIMEOUT_T1_INIT: 4637 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 4638 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 4639 break; 4640 4641 case SCTP_EVENT_TIMEOUT_T1_COOKIE: 4642 repl = sctp_make_cookie_echo(asoc, NULL); 4643 break; 4644 4645 default: 4646 BUG(); 4647 break; 4648 }; 4649 4650 if (!repl) 4651 goto nomem; 4652 4653 /* Issue a sideeffect to do the needed accounting. */ 4654 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 4655 SCTP_TO(timer)); 4656 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4657 } else { 4658 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4659 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4660 return SCTP_DISPOSITION_DELETE_TCB; 4661 } 4662 4663 return SCTP_DISPOSITION_CONSUME; 4664 4665 nomem: 4666 return SCTP_DISPOSITION_NOMEM; 4667 } 4668 4669 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 4670 * with the updated last sequential TSN received from its peer. 4671 * 4672 * An endpoint should limit the number of retransmissions of the 4673 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 4674 * If this threshold is exceeded the endpoint should destroy the TCB and 4675 * MUST report the peer endpoint unreachable to the upper layer (and 4676 * thus the association enters the CLOSED state). The reception of any 4677 * packet from its peer (i.e. as the peer sends all of its queued DATA 4678 * chunks) should clear the endpoint's retransmission count and restart 4679 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 4680 * all of its queued DATA chunks that have not yet been sent. 4681 */ 4682 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 4683 const struct sctp_association *asoc, 4684 const sctp_subtype_t type, 4685 void *arg, 4686 sctp_cmd_seq_t *commands) 4687 { 4688 struct sctp_chunk *reply = NULL; 4689 4690 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 4691 if (asoc->overall_error_count >= asoc->max_retrans) { 4692 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4693 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4694 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4695 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4696 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4697 return SCTP_DISPOSITION_DELETE_TCB; 4698 } 4699 4700 switch (asoc->state) { 4701 case SCTP_STATE_SHUTDOWN_SENT: 4702 reply = sctp_make_shutdown(asoc, NULL); 4703 break; 4704 4705 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4706 reply = sctp_make_shutdown_ack(asoc, NULL); 4707 break; 4708 4709 default: 4710 BUG(); 4711 break; 4712 }; 4713 4714 if (!reply) 4715 goto nomem; 4716 4717 /* Do some failure management (Section 8.2). */ 4718 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 4719 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 4720 4721 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 4722 * the T2-shutdown timer. 4723 */ 4724 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4725 4726 /* Restart the T2-shutdown timer. */ 4727 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4728 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4729 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4730 return SCTP_DISPOSITION_CONSUME; 4731 4732 nomem: 4733 return SCTP_DISPOSITION_NOMEM; 4734 } 4735 4736 /* 4737 * ADDIP Section 4.1 ASCONF CHunk Procedures 4738 * If the T4 RTO timer expires the endpoint should do B1 to B5 4739 */ 4740 sctp_disposition_t sctp_sf_t4_timer_expire( 4741 const struct sctp_endpoint *ep, 4742 const struct sctp_association *asoc, 4743 const sctp_subtype_t type, 4744 void *arg, 4745 sctp_cmd_seq_t *commands) 4746 { 4747 struct sctp_chunk *chunk = asoc->addip_last_asconf; 4748 struct sctp_transport *transport = chunk->transport; 4749 4750 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 4751 * detection on the appropriate destination address as defined in 4752 * RFC2960 [5] section 8.1 and 8.2. 4753 */ 4754 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4755 4756 /* Reconfig T4 timer and transport. */ 4757 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4758 4759 /* ADDIP 4.1 B2) Increment the association error counters and perform 4760 * endpoint failure detection on the association as defined in 4761 * RFC2960 [5] section 8.1 and 8.2. 4762 * association error counter is incremented in SCTP_CMD_STRIKE. 4763 */ 4764 if (asoc->overall_error_count >= asoc->max_retrans) { 4765 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4766 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4767 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4768 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4769 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4770 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 4771 return SCTP_DISPOSITION_ABORT; 4772 } 4773 4774 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 4775 * the ASCONF chunk was sent by doubling the RTO timer value. 4776 * This is done in SCTP_CMD_STRIKE. 4777 */ 4778 4779 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 4780 * choose an alternate destination address (please refer to RFC2960 4781 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 4782 * chunk, it MUST be the same (including its serial number) as the last 4783 * ASCONF sent. 4784 */ 4785 sctp_chunk_hold(asoc->addip_last_asconf); 4786 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4787 SCTP_CHUNK(asoc->addip_last_asconf)); 4788 4789 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 4790 * destination is selected, then the RTO used will be that of the new 4791 * destination address. 4792 */ 4793 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4794 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4795 4796 return SCTP_DISPOSITION_CONSUME; 4797 } 4798 4799 /* sctpimpguide-05 Section 2.12.2 4800 * The sender of the SHUTDOWN MAY also start an overall guard timer 4801 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4802 * At the expiration of this timer the sender SHOULD abort the association 4803 * by sending an ABORT chunk. 4804 */ 4805 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 4806 const struct sctp_association *asoc, 4807 const sctp_subtype_t type, 4808 void *arg, 4809 sctp_cmd_seq_t *commands) 4810 { 4811 struct sctp_chunk *reply = NULL; 4812 4813 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 4814 4815 reply = sctp_make_abort(asoc, NULL, 0); 4816 if (!reply) 4817 goto nomem; 4818 4819 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4820 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4821 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4822 4823 return SCTP_DISPOSITION_DELETE_TCB; 4824 nomem: 4825 return SCTP_DISPOSITION_NOMEM; 4826 } 4827 4828 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 4829 * the association is automatically closed by starting the shutdown process. 4830 * The work that needs to be done is same as when SHUTDOWN is initiated by 4831 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 4832 */ 4833 sctp_disposition_t sctp_sf_autoclose_timer_expire( 4834 const struct sctp_endpoint *ep, 4835 const struct sctp_association *asoc, 4836 const sctp_subtype_t type, 4837 void *arg, 4838 sctp_cmd_seq_t *commands) 4839 { 4840 int disposition; 4841 4842 /* From 9.2 Shutdown of an Association 4843 * Upon receipt of the SHUTDOWN primitive from its upper 4844 * layer, the endpoint enters SHUTDOWN-PENDING state and 4845 * remains there until all outstanding data has been 4846 * acknowledged by its peer. The endpoint accepts no new data 4847 * from its upper layer, but retransmits data to the far end 4848 * if necessary to fill gaps. 4849 */ 4850 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4851 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4852 4853 /* sctpimpguide-05 Section 2.12.2 4854 * The sender of the SHUTDOWN MAY also start an overall guard timer 4855 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4856 */ 4857 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4858 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4859 disposition = SCTP_DISPOSITION_CONSUME; 4860 if (sctp_outq_is_empty(&asoc->outqueue)) { 4861 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4862 arg, commands); 4863 } 4864 return disposition; 4865 } 4866 4867 /***************************************************************************** 4868 * These are sa state functions which could apply to all types of events. 4869 ****************************************************************************/ 4870 4871 /* 4872 * This table entry is not implemented. 4873 * 4874 * Inputs 4875 * (endpoint, asoc, chunk) 4876 * 4877 * The return value is the disposition of the chunk. 4878 */ 4879 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 4880 const struct sctp_association *asoc, 4881 const sctp_subtype_t type, 4882 void *arg, 4883 sctp_cmd_seq_t *commands) 4884 { 4885 return SCTP_DISPOSITION_NOT_IMPL; 4886 } 4887 4888 /* 4889 * This table entry represents a bug. 4890 * 4891 * Inputs 4892 * (endpoint, asoc, chunk) 4893 * 4894 * The return value is the disposition of the chunk. 4895 */ 4896 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 4897 const struct sctp_association *asoc, 4898 const sctp_subtype_t type, 4899 void *arg, 4900 sctp_cmd_seq_t *commands) 4901 { 4902 return SCTP_DISPOSITION_BUG; 4903 } 4904 4905 /* 4906 * This table entry represents the firing of a timer in the wrong state. 4907 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 4908 * when the association is in the wrong state. This event should 4909 * be ignored, so as to prevent any rearming of the timer. 4910 * 4911 * Inputs 4912 * (endpoint, asoc, chunk) 4913 * 4914 * The return value is the disposition of the chunk. 4915 */ 4916 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 4917 const struct sctp_association *asoc, 4918 const sctp_subtype_t type, 4919 void *arg, 4920 sctp_cmd_seq_t *commands) 4921 { 4922 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 4923 return SCTP_DISPOSITION_CONSUME; 4924 } 4925 4926 /******************************************************************** 4927 * 2nd Level Abstractions 4928 ********************************************************************/ 4929 4930 /* Pull the SACK chunk based on the SACK header. */ 4931 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 4932 { 4933 struct sctp_sackhdr *sack; 4934 unsigned int len; 4935 __u16 num_blocks; 4936 __u16 num_dup_tsns; 4937 4938 /* Protect ourselves from reading too far into 4939 * the skb from a bogus sender. 4940 */ 4941 sack = (struct sctp_sackhdr *) chunk->skb->data; 4942 4943 num_blocks = ntohs(sack->num_gap_ack_blocks); 4944 num_dup_tsns = ntohs(sack->num_dup_tsns); 4945 len = sizeof(struct sctp_sackhdr); 4946 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 4947 if (len > chunk->skb->len) 4948 return NULL; 4949 4950 skb_pull(chunk->skb, len); 4951 4952 return sack; 4953 } 4954 4955 /* Create an ABORT packet to be sent as a response, with the specified 4956 * error causes. 4957 */ 4958 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 4959 const struct sctp_association *asoc, 4960 struct sctp_chunk *chunk, 4961 const void *payload, 4962 size_t paylen) 4963 { 4964 struct sctp_packet *packet; 4965 struct sctp_chunk *abort; 4966 4967 packet = sctp_ootb_pkt_new(asoc, chunk); 4968 4969 if (packet) { 4970 /* Make an ABORT. 4971 * The T bit will be set if the asoc is NULL. 4972 */ 4973 abort = sctp_make_abort(asoc, chunk, paylen); 4974 if (!abort) { 4975 sctp_ootb_pkt_free(packet); 4976 return NULL; 4977 } 4978 4979 /* Reflect vtag if T-Bit is set */ 4980 if (sctp_test_T_bit(abort)) 4981 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4982 4983 /* Add specified error causes, i.e., payload, to the 4984 * end of the chunk. 4985 */ 4986 sctp_addto_chunk(abort, paylen, payload); 4987 4988 /* Set the skb to the belonging sock for accounting. */ 4989 abort->skb->sk = ep->base.sk; 4990 4991 sctp_packet_append_chunk(packet, abort); 4992 4993 } 4994 4995 return packet; 4996 } 4997 4998 /* Allocate a packet for responding in the OOTB conditions. */ 4999 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5000 const struct sctp_chunk *chunk) 5001 { 5002 struct sctp_packet *packet; 5003 struct sctp_transport *transport; 5004 __u16 sport; 5005 __u16 dport; 5006 __u32 vtag; 5007 5008 /* Get the source and destination port from the inbound packet. */ 5009 sport = ntohs(chunk->sctp_hdr->dest); 5010 dport = ntohs(chunk->sctp_hdr->source); 5011 5012 /* The V-tag is going to be the same as the inbound packet if no 5013 * association exists, otherwise, use the peer's vtag. 5014 */ 5015 if (asoc) { 5016 vtag = asoc->peer.i.init_tag; 5017 } else { 5018 /* Special case the INIT and stale COOKIE_ECHO as there is no 5019 * vtag yet. 5020 */ 5021 switch(chunk->chunk_hdr->type) { 5022 case SCTP_CID_INIT: 5023 { 5024 sctp_init_chunk_t *init; 5025 5026 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5027 vtag = ntohl(init->init_hdr.init_tag); 5028 break; 5029 } 5030 default: 5031 vtag = ntohl(chunk->sctp_hdr->vtag); 5032 break; 5033 } 5034 } 5035 5036 /* Make a transport for the bucket, Eliza... */ 5037 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5038 if (!transport) 5039 goto nomem; 5040 5041 /* Cache a route for the transport with the chunk's destination as 5042 * the source address. 5043 */ 5044 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5045 sctp_sk(sctp_get_ctl_sock())); 5046 5047 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5048 packet = sctp_packet_config(packet, vtag, 0); 5049 5050 return packet; 5051 5052 nomem: 5053 return NULL; 5054 } 5055 5056 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5057 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5058 { 5059 sctp_transport_free(packet->transport); 5060 } 5061 5062 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5063 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5064 const struct sctp_association *asoc, 5065 const struct sctp_chunk *chunk, 5066 sctp_cmd_seq_t *commands, 5067 struct sctp_chunk *err_chunk) 5068 { 5069 struct sctp_packet *packet; 5070 5071 if (err_chunk) { 5072 packet = sctp_ootb_pkt_new(asoc, chunk); 5073 if (packet) { 5074 struct sctp_signed_cookie *cookie; 5075 5076 /* Override the OOTB vtag from the cookie. */ 5077 cookie = chunk->subh.cookie_hdr; 5078 packet->vtag = cookie->c.peer_vtag; 5079 5080 /* Set the skb to the belonging sock for accounting. */ 5081 err_chunk->skb->sk = ep->base.sk; 5082 sctp_packet_append_chunk(packet, err_chunk); 5083 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5084 SCTP_PACKET(packet)); 5085 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5086 } else 5087 sctp_chunk_free (err_chunk); 5088 } 5089 } 5090 5091 5092 /* Process a data chunk */ 5093 static int sctp_eat_data(const struct sctp_association *asoc, 5094 struct sctp_chunk *chunk, 5095 sctp_cmd_seq_t *commands) 5096 { 5097 sctp_datahdr_t *data_hdr; 5098 struct sctp_chunk *err; 5099 size_t datalen; 5100 sctp_verb_t deliver; 5101 int tmp; 5102 __u32 tsn; 5103 5104 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5105 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5106 5107 tsn = ntohl(data_hdr->tsn); 5108 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5109 5110 /* ASSERT: Now skb->data is really the user data. */ 5111 5112 /* Process ECN based congestion. 5113 * 5114 * Since the chunk structure is reused for all chunks within 5115 * a packet, we use ecn_ce_done to track if we've already 5116 * done CE processing for this packet. 5117 * 5118 * We need to do ECN processing even if we plan to discard the 5119 * chunk later. 5120 */ 5121 5122 if (!chunk->ecn_ce_done) { 5123 struct sctp_af *af; 5124 chunk->ecn_ce_done = 1; 5125 5126 af = sctp_get_af_specific( 5127 ipver2af(chunk->skb->nh.iph->version)); 5128 5129 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5130 /* Do real work as sideffect. */ 5131 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5132 SCTP_U32(tsn)); 5133 } 5134 } 5135 5136 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5137 if (tmp < 0) { 5138 /* The TSN is too high--silently discard the chunk and 5139 * count on it getting retransmitted later. 5140 */ 5141 return SCTP_IERROR_HIGH_TSN; 5142 } else if (tmp > 0) { 5143 /* This is a duplicate. Record it. */ 5144 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5145 return SCTP_IERROR_DUP_TSN; 5146 } 5147 5148 /* This is a new TSN. */ 5149 5150 /* Discard if there is no room in the receive window. 5151 * Actually, allow a little bit of overflow (up to a MTU). 5152 */ 5153 datalen = ntohs(chunk->chunk_hdr->length); 5154 datalen -= sizeof(sctp_data_chunk_t); 5155 5156 deliver = SCTP_CMD_CHUNK_ULP; 5157 5158 /* Think about partial delivery. */ 5159 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5160 5161 /* Even if we don't accept this chunk there is 5162 * memory pressure. 5163 */ 5164 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5165 } 5166 5167 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5168 * seems a bit troublesome in that frag_point varies based on 5169 * PMTU. In cases, such as loopback, this might be a rather 5170 * large spill over. 5171 */ 5172 if (!asoc->rwnd || asoc->rwnd_over || 5173 (datalen > asoc->rwnd + asoc->frag_point)) { 5174 5175 /* If this is the next TSN, consider reneging to make 5176 * room. Note: Playing nice with a confused sender. A 5177 * malicious sender can still eat up all our buffer 5178 * space and in the future we may want to detect and 5179 * do more drastic reneging. 5180 */ 5181 if (sctp_tsnmap_has_gap(&asoc->peer.tsn_map) && 5182 (sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map) + 1) == tsn) { 5183 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5184 deliver = SCTP_CMD_RENEGE; 5185 } else { 5186 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5187 "rwnd: %d\n", tsn, datalen, 5188 asoc->rwnd); 5189 return SCTP_IERROR_IGNORE_TSN; 5190 } 5191 } 5192 5193 /* 5194 * Section 3.3.10.9 No User Data (9) 5195 * 5196 * Cause of error 5197 * --------------- 5198 * No User Data: This error cause is returned to the originator of a 5199 * DATA chunk if a received DATA chunk has no user data. 5200 */ 5201 if (unlikely(0 == datalen)) { 5202 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5203 if (err) { 5204 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5205 SCTP_CHUNK(err)); 5206 } 5207 /* We are going to ABORT, so we might as well stop 5208 * processing the rest of the chunks in the packet. 5209 */ 5210 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5211 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5212 SCTP_U32(SCTP_ERROR_NO_DATA)); 5213 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5214 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5215 return SCTP_IERROR_NO_DATA; 5216 } 5217 5218 /* If definately accepting the DATA chunk, record its TSN, otherwise 5219 * wait for renege processing. 5220 */ 5221 if (SCTP_CMD_CHUNK_ULP == deliver) 5222 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5223 5224 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5225 * if we renege and the chunk arrives again. 5226 */ 5227 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5228 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5229 else 5230 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5231 5232 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5233 * 5234 * If an endpoint receive a DATA chunk with an invalid stream 5235 * identifier, it shall acknowledge the reception of the DATA chunk 5236 * following the normal procedure, immediately send an ERROR chunk 5237 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5238 * and discard the DATA chunk. 5239 */ 5240 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5241 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5242 &data_hdr->stream, 5243 sizeof(data_hdr->stream)); 5244 if (err) 5245 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5246 SCTP_CHUNK(err)); 5247 return SCTP_IERROR_BAD_STREAM; 5248 } 5249 5250 /* Send the data up to the user. Note: Schedule the 5251 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5252 * chunk needs the updated rwnd. 5253 */ 5254 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5255 5256 return SCTP_IERROR_NO_ERROR; 5257 } 5258