1 /* SCTP kernel reference Implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This file is part of the SCTP kernel reference Implementation 9 * 10 * This is part of the SCTP Linux Kernel Reference Implementation. 11 * 12 * These are the state functions for the state machine. 13 * 14 * The SCTP reference implementation is free software; 15 * you can redistribute it and/or modify it under the terms of 16 * the GNU General Public License as published by 17 * the Free Software Foundation; either version 2, or (at your option) 18 * any later version. 19 * 20 * The SCTP reference implementation is distributed in the hope that it 21 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 22 * ************************ 23 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 24 * See the GNU General Public License for more details. 25 * 26 * You should have received a copy of the GNU General Public License 27 * along with GNU CC; see the file COPYING. If not, write to 28 * the Free Software Foundation, 59 Temple Place - Suite 330, 29 * Boston, MA 02111-1307, USA. 30 * 31 * Please send any bug reports or fixes you make to the 32 * email address(es): 33 * lksctp developers <lksctp-developers@lists.sourceforge.net> 34 * 35 * Or submit a bug report through the following website: 36 * http://www.sf.net/projects/lksctp 37 * 38 * Written or modified by: 39 * La Monte H.P. Yarroll <piggy@acm.org> 40 * Karl Knutson <karl@athena.chicago.il.us> 41 * Mathew Kotowsky <kotowsky@sctp.org> 42 * Sridhar Samudrala <samudrala@us.ibm.com> 43 * Jon Grimm <jgrimm@us.ibm.com> 44 * Hui Huang <hui.huang@nokia.com> 45 * Dajiang Zhang <dajiang.zhang@nokia.com> 46 * Daisy Chang <daisyc@us.ibm.com> 47 * Ardelle Fan <ardelle.fan@intel.com> 48 * Ryan Layer <rmlayer@us.ibm.com> 49 * Kevin Gao <kevin.gao@intel.com> 50 * 51 * Any bugs reported given to us we will try to fix... any fixes shared will 52 * be incorporated into the next SCTP release. 53 */ 54 55 #include <linux/types.h> 56 #include <linux/kernel.h> 57 #include <linux/ip.h> 58 #include <linux/ipv6.h> 59 #include <linux/net.h> 60 #include <linux/inet.h> 61 #include <net/sock.h> 62 #include <net/inet_ecn.h> 63 #include <linux/skbuff.h> 64 #include <net/sctp/sctp.h> 65 #include <net/sctp/sm.h> 66 #include <net/sctp/structs.h> 67 68 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 69 const struct sctp_association *asoc, 70 struct sctp_chunk *chunk, 71 const void *payload, 72 size_t paylen); 73 static int sctp_eat_data(const struct sctp_association *asoc, 74 struct sctp_chunk *chunk, 75 sctp_cmd_seq_t *commands); 76 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk); 78 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const struct sctp_chunk *chunk, 81 sctp_cmd_seq_t *commands, 82 struct sctp_chunk *err_chunk); 83 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 84 const struct sctp_association *asoc, 85 const sctp_subtype_t type, 86 void *arg, 87 sctp_cmd_seq_t *commands); 88 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 89 const struct sctp_association *asoc, 90 const sctp_subtype_t type, 91 void *arg, 92 sctp_cmd_seq_t *commands); 93 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 94 95 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 96 __be16 error, int sk_err, 97 const struct sctp_association *asoc, 98 struct sctp_transport *transport); 99 100 static sctp_disposition_t sctp_sf_violation_chunklen( 101 const struct sctp_endpoint *ep, 102 const struct sctp_association *asoc, 103 const sctp_subtype_t type, 104 void *arg, 105 sctp_cmd_seq_t *commands); 106 107 /* Small helper function that checks if the chunk length 108 * is of the appropriate length. The 'required_length' argument 109 * is set to be the size of a specific chunk we are testing. 110 * Return Values: 1 = Valid length 111 * 0 = Invalid length 112 * 113 */ 114 static inline int 115 sctp_chunk_length_valid(struct sctp_chunk *chunk, 116 __u16 required_length) 117 { 118 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 119 120 if (unlikely(chunk_length < required_length)) 121 return 0; 122 123 return 1; 124 } 125 126 /********************************************************** 127 * These are the state functions for handling chunk events. 128 **********************************************************/ 129 130 /* 131 * Process the final SHUTDOWN COMPLETE. 132 * 133 * Section: 4 (C) (diagram), 9.2 134 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 135 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 136 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 137 * should stop the T2-shutdown timer and remove all knowledge of the 138 * association (and thus the association enters the CLOSED state). 139 * 140 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 141 * C) Rules for packet carrying SHUTDOWN COMPLETE: 142 * ... 143 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 144 * if the Verification Tag field of the packet matches its own tag and 145 * the T bit is not set 146 * OR 147 * it is set to its peer's tag and the T bit is set in the Chunk 148 * Flags. 149 * Otherwise, the receiver MUST silently discard the packet 150 * and take no further action. An endpoint MUST ignore the 151 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 152 * 153 * Inputs 154 * (endpoint, asoc, chunk) 155 * 156 * Outputs 157 * (asoc, reply_msg, msg_up, timers, counters) 158 * 159 * The return value is the disposition of the chunk. 160 */ 161 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 162 const struct sctp_association *asoc, 163 const sctp_subtype_t type, 164 void *arg, 165 sctp_cmd_seq_t *commands) 166 { 167 struct sctp_chunk *chunk = arg; 168 struct sctp_ulpevent *ev; 169 170 /* RFC 2960 6.10 Bundling 171 * 172 * An endpoint MUST NOT bundle INIT, INIT ACK or 173 * SHUTDOWN COMPLETE with any other chunks. 174 */ 175 if (!chunk->singleton) 176 return SCTP_DISPOSITION_VIOLATION; 177 178 if (!sctp_vtag_verify_either(chunk, asoc)) 179 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 180 181 /* RFC 2960 10.2 SCTP-to-ULP 182 * 183 * H) SHUTDOWN COMPLETE notification 184 * 185 * When SCTP completes the shutdown procedures (section 9.2) this 186 * notification is passed to the upper layer. 187 */ 188 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 189 0, 0, 0, GFP_ATOMIC); 190 if (ev) 191 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 192 SCTP_ULPEVENT(ev)); 193 194 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 195 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 196 * not the chunk should be discarded. If the endpoint is in 197 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 198 * T2-shutdown timer and remove all knowledge of the 199 * association (and thus the association enters the CLOSED 200 * state). 201 */ 202 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 203 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 204 205 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 206 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 207 208 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 209 SCTP_STATE(SCTP_STATE_CLOSED)); 210 211 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 212 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 213 214 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 215 216 return SCTP_DISPOSITION_DELETE_TCB; 217 } 218 219 /* 220 * Respond to a normal INIT chunk. 221 * We are the side that is being asked for an association. 222 * 223 * Section: 5.1 Normal Establishment of an Association, B 224 * B) "Z" shall respond immediately with an INIT ACK chunk. The 225 * destination IP address of the INIT ACK MUST be set to the source 226 * IP address of the INIT to which this INIT ACK is responding. In 227 * the response, besides filling in other parameters, "Z" must set the 228 * Verification Tag field to Tag_A, and also provide its own 229 * Verification Tag (Tag_Z) in the Initiate Tag field. 230 * 231 * Verification Tag: Must be 0. 232 * 233 * Inputs 234 * (endpoint, asoc, chunk) 235 * 236 * Outputs 237 * (asoc, reply_msg, msg_up, timers, counters) 238 * 239 * The return value is the disposition of the chunk. 240 */ 241 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 242 const struct sctp_association *asoc, 243 const sctp_subtype_t type, 244 void *arg, 245 sctp_cmd_seq_t *commands) 246 { 247 struct sctp_chunk *chunk = arg; 248 struct sctp_chunk *repl; 249 struct sctp_association *new_asoc; 250 struct sctp_chunk *err_chunk; 251 struct sctp_packet *packet; 252 sctp_unrecognized_param_t *unk_param; 253 struct sock *sk; 254 int len; 255 256 /* 6.10 Bundling 257 * An endpoint MUST NOT bundle INIT, INIT ACK or 258 * SHUTDOWN COMPLETE with any other chunks. 259 * 260 * IG Section 2.11.2 261 * Furthermore, we require that the receiver of an INIT chunk MUST 262 * enforce these rules by silently discarding an arriving packet 263 * with an INIT chunk that is bundled with other chunks. 264 */ 265 if (!chunk->singleton) 266 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 267 268 /* If the packet is an OOTB packet which is temporarily on the 269 * control endpoint, respond with an ABORT. 270 */ 271 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 272 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 273 274 sk = ep->base.sk; 275 /* If the endpoint is not listening or if the number of associations 276 * on the TCP-style socket exceed the max backlog, respond with an 277 * ABORT. 278 */ 279 if (!sctp_sstate(sk, LISTENING) || 280 (sctp_style(sk, TCP) && 281 sk_acceptq_is_full(sk))) 282 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 283 284 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 285 * Tag. 286 */ 287 if (chunk->sctp_hdr->vtag != 0) 288 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 289 290 /* Make sure that the INIT chunk has a valid length. 291 * Normally, this would cause an ABORT with a Protocol Violation 292 * error, but since we don't have an association, we'll 293 * just discard the packet. 294 */ 295 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 296 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 297 298 /* Verify the INIT chunk before processing it. */ 299 err_chunk = NULL; 300 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 301 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 302 &err_chunk)) { 303 /* This chunk contains fatal error. It is to be discarded. 304 * Send an ABORT, with causes if there is any. 305 */ 306 if (err_chunk) { 307 packet = sctp_abort_pkt_new(ep, asoc, arg, 308 (__u8 *)(err_chunk->chunk_hdr) + 309 sizeof(sctp_chunkhdr_t), 310 ntohs(err_chunk->chunk_hdr->length) - 311 sizeof(sctp_chunkhdr_t)); 312 313 sctp_chunk_free(err_chunk); 314 315 if (packet) { 316 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 317 SCTP_PACKET(packet)); 318 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 319 return SCTP_DISPOSITION_CONSUME; 320 } else { 321 return SCTP_DISPOSITION_NOMEM; 322 } 323 } else { 324 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 325 commands); 326 } 327 } 328 329 /* Grab the INIT header. */ 330 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 331 332 /* Tag the variable length parameters. */ 333 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 334 335 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 336 if (!new_asoc) 337 goto nomem; 338 339 /* The call, sctp_process_init(), can fail on memory allocation. */ 340 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 341 sctp_source(chunk), 342 (sctp_init_chunk_t *)chunk->chunk_hdr, 343 GFP_ATOMIC)) 344 goto nomem_init; 345 346 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 347 348 /* If there are errors need to be reported for unknown parameters, 349 * make sure to reserve enough room in the INIT ACK for them. 350 */ 351 len = 0; 352 if (err_chunk) 353 len = ntohs(err_chunk->chunk_hdr->length) - 354 sizeof(sctp_chunkhdr_t); 355 356 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 357 goto nomem_init; 358 359 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 360 if (!repl) 361 goto nomem_init; 362 363 /* If there are errors need to be reported for unknown parameters, 364 * include them in the outgoing INIT ACK as "Unrecognized parameter" 365 * parameter. 366 */ 367 if (err_chunk) { 368 /* Get the "Unrecognized parameter" parameter(s) out of the 369 * ERROR chunk generated by sctp_verify_init(). Since the 370 * error cause code for "unknown parameter" and the 371 * "Unrecognized parameter" type is the same, we can 372 * construct the parameters in INIT ACK by copying the 373 * ERROR causes over. 374 */ 375 unk_param = (sctp_unrecognized_param_t *) 376 ((__u8 *)(err_chunk->chunk_hdr) + 377 sizeof(sctp_chunkhdr_t)); 378 /* Replace the cause code with the "Unrecognized parameter" 379 * parameter type. 380 */ 381 sctp_addto_chunk(repl, len, unk_param); 382 sctp_chunk_free(err_chunk); 383 } 384 385 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 386 387 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 388 389 /* 390 * Note: After sending out INIT ACK with the State Cookie parameter, 391 * "Z" MUST NOT allocate any resources, nor keep any states for the 392 * new association. Otherwise, "Z" will be vulnerable to resource 393 * attacks. 394 */ 395 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 396 397 return SCTP_DISPOSITION_DELETE_TCB; 398 399 nomem_init: 400 sctp_association_free(new_asoc); 401 nomem: 402 if (err_chunk) 403 sctp_chunk_free(err_chunk); 404 return SCTP_DISPOSITION_NOMEM; 405 } 406 407 /* 408 * Respond to a normal INIT ACK chunk. 409 * We are the side that is initiating the association. 410 * 411 * Section: 5.1 Normal Establishment of an Association, C 412 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 413 * timer and leave COOKIE-WAIT state. "A" shall then send the State 414 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 415 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 416 * 417 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 418 * DATA chunks, but it MUST be the first chunk in the packet and 419 * until the COOKIE ACK is returned the sender MUST NOT send any 420 * other packets to the peer. 421 * 422 * Verification Tag: 3.3.3 423 * If the value of the Initiate Tag in a received INIT ACK chunk is 424 * found to be 0, the receiver MUST treat it as an error and close the 425 * association by transmitting an ABORT. 426 * 427 * Inputs 428 * (endpoint, asoc, chunk) 429 * 430 * Outputs 431 * (asoc, reply_msg, msg_up, timers, counters) 432 * 433 * The return value is the disposition of the chunk. 434 */ 435 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 436 const struct sctp_association *asoc, 437 const sctp_subtype_t type, 438 void *arg, 439 sctp_cmd_seq_t *commands) 440 { 441 struct sctp_chunk *chunk = arg; 442 sctp_init_chunk_t *initchunk; 443 struct sctp_chunk *err_chunk; 444 struct sctp_packet *packet; 445 sctp_error_t error; 446 447 if (!sctp_vtag_verify(chunk, asoc)) 448 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 449 450 /* Make sure that the INIT-ACK chunk has a valid length */ 451 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 452 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 453 commands); 454 /* 6.10 Bundling 455 * An endpoint MUST NOT bundle INIT, INIT ACK or 456 * SHUTDOWN COMPLETE with any other chunks. 457 */ 458 if (!chunk->singleton) 459 return SCTP_DISPOSITION_VIOLATION; 460 461 /* Grab the INIT header. */ 462 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 463 464 /* Verify the INIT chunk before processing it. */ 465 err_chunk = NULL; 466 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 467 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 468 &err_chunk)) { 469 470 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 471 472 /* This chunk contains fatal error. It is to be discarded. 473 * Send an ABORT, with causes if there is any. 474 */ 475 if (err_chunk) { 476 packet = sctp_abort_pkt_new(ep, asoc, arg, 477 (__u8 *)(err_chunk->chunk_hdr) + 478 sizeof(sctp_chunkhdr_t), 479 ntohs(err_chunk->chunk_hdr->length) - 480 sizeof(sctp_chunkhdr_t)); 481 482 sctp_chunk_free(err_chunk); 483 484 if (packet) { 485 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 486 SCTP_PACKET(packet)); 487 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 488 error = SCTP_ERROR_INV_PARAM; 489 } else { 490 error = SCTP_ERROR_NO_RESOURCE; 491 } 492 } else { 493 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 494 error = SCTP_ERROR_INV_PARAM; 495 } 496 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 497 asoc, chunk->transport); 498 } 499 500 /* Tag the variable length parameters. Note that we never 501 * convert the parameters in an INIT chunk. 502 */ 503 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 504 505 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 506 507 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 508 SCTP_PEER_INIT(initchunk)); 509 510 /* Reset init error count upon receipt of INIT-ACK. */ 511 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 512 513 /* 5.1 C) "A" shall stop the T1-init timer and leave 514 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 515 * timer, and enter the COOKIE-ECHOED state. 516 */ 517 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 518 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 519 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 520 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 521 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 522 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 523 524 /* 5.1 C) "A" shall then send the State Cookie received in the 525 * INIT ACK chunk in a COOKIE ECHO chunk, ... 526 */ 527 /* If there is any errors to report, send the ERROR chunk generated 528 * for unknown parameters as well. 529 */ 530 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 531 SCTP_CHUNK(err_chunk)); 532 533 return SCTP_DISPOSITION_CONSUME; 534 } 535 536 /* 537 * Respond to a normal COOKIE ECHO chunk. 538 * We are the side that is being asked for an association. 539 * 540 * Section: 5.1 Normal Establishment of an Association, D 541 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 542 * with a COOKIE ACK chunk after building a TCB and moving to 543 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 544 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 545 * chunk MUST be the first chunk in the packet. 546 * 547 * IMPLEMENTATION NOTE: An implementation may choose to send the 548 * Communication Up notification to the SCTP user upon reception 549 * of a valid COOKIE ECHO chunk. 550 * 551 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 552 * D) Rules for packet carrying a COOKIE ECHO 553 * 554 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 555 * Initial Tag received in the INIT ACK. 556 * 557 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 558 * 559 * Inputs 560 * (endpoint, asoc, chunk) 561 * 562 * Outputs 563 * (asoc, reply_msg, msg_up, timers, counters) 564 * 565 * The return value is the disposition of the chunk. 566 */ 567 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 568 const struct sctp_association *asoc, 569 const sctp_subtype_t type, void *arg, 570 sctp_cmd_seq_t *commands) 571 { 572 struct sctp_chunk *chunk = arg; 573 struct sctp_association *new_asoc; 574 sctp_init_chunk_t *peer_init; 575 struct sctp_chunk *repl; 576 struct sctp_ulpevent *ev, *ai_ev = NULL; 577 int error = 0; 578 struct sctp_chunk *err_chk_p; 579 580 /* If the packet is an OOTB packet which is temporarily on the 581 * control endpoint, respond with an ABORT. 582 */ 583 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 584 return sctp_sf_ootb(ep, asoc, type, arg, commands); 585 586 /* Make sure that the COOKIE_ECHO chunk has a valid length. 587 * In this case, we check that we have enough for at least a 588 * chunk header. More detailed verification is done 589 * in sctp_unpack_cookie(). 590 */ 591 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 592 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 593 594 /* "Decode" the chunk. We have no optional parameters so we 595 * are in good shape. 596 */ 597 chunk->subh.cookie_hdr = 598 (struct sctp_signed_cookie *)chunk->skb->data; 599 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 600 sizeof(sctp_chunkhdr_t))) 601 goto nomem; 602 603 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 604 * "Z" will reply with a COOKIE ACK chunk after building a TCB 605 * and moving to the ESTABLISHED state. 606 */ 607 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 608 &err_chk_p); 609 610 /* FIXME: 611 * If the re-build failed, what is the proper error path 612 * from here? 613 * 614 * [We should abort the association. --piggy] 615 */ 616 if (!new_asoc) { 617 /* FIXME: Several errors are possible. A bad cookie should 618 * be silently discarded, but think about logging it too. 619 */ 620 switch (error) { 621 case -SCTP_IERROR_NOMEM: 622 goto nomem; 623 624 case -SCTP_IERROR_STALE_COOKIE: 625 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 626 err_chk_p); 627 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 628 629 case -SCTP_IERROR_BAD_SIG: 630 default: 631 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 632 }; 633 } 634 635 636 /* Delay state machine commands until later. 637 * 638 * Re-build the bind address for the association is done in 639 * the sctp_unpack_cookie() already. 640 */ 641 /* This is a brand-new association, so these are not yet side 642 * effects--it is safe to run them here. 643 */ 644 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 645 646 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 647 &chunk->subh.cookie_hdr->c.peer_addr, 648 peer_init, GFP_ATOMIC)) 649 goto nomem_init; 650 651 repl = sctp_make_cookie_ack(new_asoc, chunk); 652 if (!repl) 653 goto nomem_init; 654 655 /* RFC 2960 5.1 Normal Establishment of an Association 656 * 657 * D) IMPLEMENTATION NOTE: An implementation may choose to 658 * send the Communication Up notification to the SCTP user 659 * upon reception of a valid COOKIE ECHO chunk. 660 */ 661 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 662 new_asoc->c.sinit_num_ostreams, 663 new_asoc->c.sinit_max_instreams, 664 GFP_ATOMIC); 665 if (!ev) 666 goto nomem_ev; 667 668 /* Sockets API Draft Section 5.3.1.6 669 * When a peer sends a Adaptation Layer Indication parameter , SCTP 670 * delivers this notification to inform the application that of the 671 * peers requested adaptation layer. 672 */ 673 if (new_asoc->peer.adaptation_ind) { 674 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 675 GFP_ATOMIC); 676 if (!ai_ev) 677 goto nomem_aiev; 678 } 679 680 /* Add all the state machine commands now since we've created 681 * everything. This way we don't introduce memory corruptions 682 * during side-effect processing and correclty count established 683 * associations. 684 */ 685 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 686 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 687 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 688 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 689 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 690 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 691 692 if (new_asoc->autoclose) 693 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 694 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 695 696 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 697 698 /* This will send the COOKIE ACK */ 699 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 700 701 /* Queue the ASSOC_CHANGE event */ 702 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 703 704 /* Send up the Adaptation Layer Indication event */ 705 if (ai_ev) 706 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 707 SCTP_ULPEVENT(ai_ev)); 708 709 return SCTP_DISPOSITION_CONSUME; 710 711 nomem_aiev: 712 sctp_ulpevent_free(ev); 713 nomem_ev: 714 sctp_chunk_free(repl); 715 nomem_init: 716 sctp_association_free(new_asoc); 717 nomem: 718 return SCTP_DISPOSITION_NOMEM; 719 } 720 721 /* 722 * Respond to a normal COOKIE ACK chunk. 723 * We are the side that is being asked for an association. 724 * 725 * RFC 2960 5.1 Normal Establishment of an Association 726 * 727 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 728 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 729 * timer. It may also notify its ULP about the successful 730 * establishment of the association with a Communication Up 731 * notification (see Section 10). 732 * 733 * Verification Tag: 734 * Inputs 735 * (endpoint, asoc, chunk) 736 * 737 * Outputs 738 * (asoc, reply_msg, msg_up, timers, counters) 739 * 740 * The return value is the disposition of the chunk. 741 */ 742 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 743 const struct sctp_association *asoc, 744 const sctp_subtype_t type, void *arg, 745 sctp_cmd_seq_t *commands) 746 { 747 struct sctp_chunk *chunk = arg; 748 struct sctp_ulpevent *ev; 749 750 if (!sctp_vtag_verify(chunk, asoc)) 751 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 752 753 /* Verify that the chunk length for the COOKIE-ACK is OK. 754 * If we don't do this, any bundled chunks may be junked. 755 */ 756 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 757 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 758 commands); 759 760 /* Reset init error count upon receipt of COOKIE-ACK, 761 * to avoid problems with the managemement of this 762 * counter in stale cookie situations when a transition back 763 * from the COOKIE-ECHOED state to the COOKIE-WAIT 764 * state is performed. 765 */ 766 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 767 768 /* RFC 2960 5.1 Normal Establishment of an Association 769 * 770 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 771 * from the COOKIE-ECHOED state to the ESTABLISHED state, 772 * stopping the T1-cookie timer. 773 */ 774 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 775 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 776 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 777 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 778 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 779 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 780 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 781 if (asoc->autoclose) 782 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 783 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 784 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 785 786 /* It may also notify its ULP about the successful 787 * establishment of the association with a Communication Up 788 * notification (see Section 10). 789 */ 790 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 791 0, asoc->c.sinit_num_ostreams, 792 asoc->c.sinit_max_instreams, 793 GFP_ATOMIC); 794 795 if (!ev) 796 goto nomem; 797 798 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 799 800 /* Sockets API Draft Section 5.3.1.6 801 * When a peer sends a Adaptation Layer Indication parameter , SCTP 802 * delivers this notification to inform the application that of the 803 * peers requested adaptation layer. 804 */ 805 if (asoc->peer.adaptation_ind) { 806 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 807 if (!ev) 808 goto nomem; 809 810 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 811 SCTP_ULPEVENT(ev)); 812 } 813 814 return SCTP_DISPOSITION_CONSUME; 815 nomem: 816 return SCTP_DISPOSITION_NOMEM; 817 } 818 819 /* Generate and sendout a heartbeat packet. */ 820 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 821 const struct sctp_association *asoc, 822 const sctp_subtype_t type, 823 void *arg, 824 sctp_cmd_seq_t *commands) 825 { 826 struct sctp_transport *transport = (struct sctp_transport *) arg; 827 struct sctp_chunk *reply; 828 sctp_sender_hb_info_t hbinfo; 829 size_t paylen = 0; 830 831 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 832 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 833 hbinfo.daddr = transport->ipaddr; 834 hbinfo.sent_at = jiffies; 835 hbinfo.hb_nonce = transport->hb_nonce; 836 837 /* Send a heartbeat to our peer. */ 838 paylen = sizeof(sctp_sender_hb_info_t); 839 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 840 if (!reply) 841 return SCTP_DISPOSITION_NOMEM; 842 843 /* Set rto_pending indicating that an RTT measurement 844 * is started with this heartbeat chunk. 845 */ 846 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 847 SCTP_TRANSPORT(transport)); 848 849 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 850 return SCTP_DISPOSITION_CONSUME; 851 } 852 853 /* Generate a HEARTBEAT packet on the given transport. */ 854 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 855 const struct sctp_association *asoc, 856 const sctp_subtype_t type, 857 void *arg, 858 sctp_cmd_seq_t *commands) 859 { 860 struct sctp_transport *transport = (struct sctp_transport *) arg; 861 862 if (asoc->overall_error_count >= asoc->max_retrans) { 863 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 864 SCTP_ERROR(ETIMEDOUT)); 865 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 866 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 867 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 868 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 869 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 870 return SCTP_DISPOSITION_DELETE_TCB; 871 } 872 873 /* Section 3.3.5. 874 * The Sender-specific Heartbeat Info field should normally include 875 * information about the sender's current time when this HEARTBEAT 876 * chunk is sent and the destination transport address to which this 877 * HEARTBEAT is sent (see Section 8.3). 878 */ 879 880 if (transport->param_flags & SPP_HB_ENABLE) { 881 if (SCTP_DISPOSITION_NOMEM == 882 sctp_sf_heartbeat(ep, asoc, type, arg, 883 commands)) 884 return SCTP_DISPOSITION_NOMEM; 885 /* Set transport error counter and association error counter 886 * when sending heartbeat. 887 */ 888 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 889 SCTP_TRANSPORT(transport)); 890 } 891 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 892 SCTP_TRANSPORT(transport)); 893 894 return SCTP_DISPOSITION_CONSUME; 895 } 896 897 /* 898 * Process an heartbeat request. 899 * 900 * Section: 8.3 Path Heartbeat 901 * The receiver of the HEARTBEAT should immediately respond with a 902 * HEARTBEAT ACK that contains the Heartbeat Information field copied 903 * from the received HEARTBEAT chunk. 904 * 905 * Verification Tag: 8.5 Verification Tag [Normal verification] 906 * When receiving an SCTP packet, the endpoint MUST ensure that the 907 * value in the Verification Tag field of the received SCTP packet 908 * matches its own Tag. If the received Verification Tag value does not 909 * match the receiver's own tag value, the receiver shall silently 910 * discard the packet and shall not process it any further except for 911 * those cases listed in Section 8.5.1 below. 912 * 913 * Inputs 914 * (endpoint, asoc, chunk) 915 * 916 * Outputs 917 * (asoc, reply_msg, msg_up, timers, counters) 918 * 919 * The return value is the disposition of the chunk. 920 */ 921 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 922 const struct sctp_association *asoc, 923 const sctp_subtype_t type, 924 void *arg, 925 sctp_cmd_seq_t *commands) 926 { 927 struct sctp_chunk *chunk = arg; 928 struct sctp_chunk *reply; 929 size_t paylen = 0; 930 931 if (!sctp_vtag_verify(chunk, asoc)) 932 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 933 934 /* Make sure that the HEARTBEAT chunk has a valid length. */ 935 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 936 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 937 commands); 938 939 /* 8.3 The receiver of the HEARTBEAT should immediately 940 * respond with a HEARTBEAT ACK that contains the Heartbeat 941 * Information field copied from the received HEARTBEAT chunk. 942 */ 943 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 944 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 945 if (!pskb_pull(chunk->skb, paylen)) 946 goto nomem; 947 948 reply = sctp_make_heartbeat_ack(asoc, chunk, 949 chunk->subh.hb_hdr, paylen); 950 if (!reply) 951 goto nomem; 952 953 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 954 return SCTP_DISPOSITION_CONSUME; 955 956 nomem: 957 return SCTP_DISPOSITION_NOMEM; 958 } 959 960 /* 961 * Process the returning HEARTBEAT ACK. 962 * 963 * Section: 8.3 Path Heartbeat 964 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 965 * should clear the error counter of the destination transport 966 * address to which the HEARTBEAT was sent, and mark the destination 967 * transport address as active if it is not so marked. The endpoint may 968 * optionally report to the upper layer when an inactive destination 969 * address is marked as active due to the reception of the latest 970 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 971 * clear the association overall error count as well (as defined 972 * in section 8.1). 973 * 974 * The receiver of the HEARTBEAT ACK should also perform an RTT 975 * measurement for that destination transport address using the time 976 * value carried in the HEARTBEAT ACK chunk. 977 * 978 * Verification Tag: 8.5 Verification Tag [Normal verification] 979 * 980 * Inputs 981 * (endpoint, asoc, chunk) 982 * 983 * Outputs 984 * (asoc, reply_msg, msg_up, timers, counters) 985 * 986 * The return value is the disposition of the chunk. 987 */ 988 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 989 const struct sctp_association *asoc, 990 const sctp_subtype_t type, 991 void *arg, 992 sctp_cmd_seq_t *commands) 993 { 994 struct sctp_chunk *chunk = arg; 995 union sctp_addr from_addr; 996 struct sctp_transport *link; 997 sctp_sender_hb_info_t *hbinfo; 998 unsigned long max_interval; 999 1000 if (!sctp_vtag_verify(chunk, asoc)) 1001 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1002 1003 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1004 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1005 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1006 commands); 1007 1008 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1009 /* Make sure that the length of the parameter is what we expect */ 1010 if (ntohs(hbinfo->param_hdr.length) != 1011 sizeof(sctp_sender_hb_info_t)) { 1012 return SCTP_DISPOSITION_DISCARD; 1013 } 1014 1015 from_addr = hbinfo->daddr; 1016 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1017 1018 /* This should never happen, but lets log it if so. */ 1019 if (unlikely(!link)) { 1020 if (from_addr.sa.sa_family == AF_INET6) { 1021 printk(KERN_WARNING 1022 "%s association %p could not find address " 1023 NIP6_FMT "\n", 1024 __FUNCTION__, 1025 asoc, 1026 NIP6(from_addr.v6.sin6_addr)); 1027 } else { 1028 printk(KERN_WARNING 1029 "%s association %p could not find address " 1030 NIPQUAD_FMT "\n", 1031 __FUNCTION__, 1032 asoc, 1033 NIPQUAD(from_addr.v4.sin_addr.s_addr)); 1034 } 1035 return SCTP_DISPOSITION_DISCARD; 1036 } 1037 1038 /* Validate the 64-bit random nonce. */ 1039 if (hbinfo->hb_nonce != link->hb_nonce) 1040 return SCTP_DISPOSITION_DISCARD; 1041 1042 max_interval = link->hbinterval + link->rto; 1043 1044 /* Check if the timestamp looks valid. */ 1045 if (time_after(hbinfo->sent_at, jiffies) || 1046 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1047 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp" 1048 "received for transport: %p\n", 1049 __FUNCTION__, link); 1050 return SCTP_DISPOSITION_DISCARD; 1051 } 1052 1053 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1054 * the HEARTBEAT should clear the error counter of the 1055 * destination transport address to which the HEARTBEAT was 1056 * sent and mark the destination transport address as active if 1057 * it is not so marked. 1058 */ 1059 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1060 1061 return SCTP_DISPOSITION_CONSUME; 1062 } 1063 1064 /* Helper function to send out an abort for the restart 1065 * condition. 1066 */ 1067 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1068 struct sctp_chunk *init, 1069 sctp_cmd_seq_t *commands) 1070 { 1071 int len; 1072 struct sctp_packet *pkt; 1073 union sctp_addr_param *addrparm; 1074 struct sctp_errhdr *errhdr; 1075 struct sctp_endpoint *ep; 1076 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1077 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1078 1079 /* Build the error on the stack. We are way to malloc crazy 1080 * throughout the code today. 1081 */ 1082 errhdr = (struct sctp_errhdr *)buffer; 1083 addrparm = (union sctp_addr_param *)errhdr->variable; 1084 1085 /* Copy into a parm format. */ 1086 len = af->to_addr_param(ssa, addrparm); 1087 len += sizeof(sctp_errhdr_t); 1088 1089 errhdr->cause = SCTP_ERROR_RESTART; 1090 errhdr->length = htons(len); 1091 1092 /* Assign to the control socket. */ 1093 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1094 1095 /* Association is NULL since this may be a restart attack and we 1096 * want to send back the attacker's vtag. 1097 */ 1098 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1099 1100 if (!pkt) 1101 goto out; 1102 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1103 1104 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1105 1106 /* Discard the rest of the inbound packet. */ 1107 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1108 1109 out: 1110 /* Even if there is no memory, treat as a failure so 1111 * the packet will get dropped. 1112 */ 1113 return 0; 1114 } 1115 1116 /* A restart is occurring, check to make sure no new addresses 1117 * are being added as we may be under a takeover attack. 1118 */ 1119 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1120 const struct sctp_association *asoc, 1121 struct sctp_chunk *init, 1122 sctp_cmd_seq_t *commands) 1123 { 1124 struct sctp_transport *new_addr, *addr; 1125 struct list_head *pos, *pos2; 1126 int found; 1127 1128 /* Implementor's Guide - Sectin 5.2.2 1129 * ... 1130 * Before responding the endpoint MUST check to see if the 1131 * unexpected INIT adds new addresses to the association. If new 1132 * addresses are added to the association, the endpoint MUST respond 1133 * with an ABORT.. 1134 */ 1135 1136 /* Search through all current addresses and make sure 1137 * we aren't adding any new ones. 1138 */ 1139 new_addr = NULL; 1140 found = 0; 1141 1142 list_for_each(pos, &new_asoc->peer.transport_addr_list) { 1143 new_addr = list_entry(pos, struct sctp_transport, transports); 1144 found = 0; 1145 list_for_each(pos2, &asoc->peer.transport_addr_list) { 1146 addr = list_entry(pos2, struct sctp_transport, 1147 transports); 1148 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1149 &addr->ipaddr)) { 1150 found = 1; 1151 break; 1152 } 1153 } 1154 if (!found) 1155 break; 1156 } 1157 1158 /* If a new address was added, ABORT the sender. */ 1159 if (!found && new_addr) { 1160 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1161 } 1162 1163 /* Return success if all addresses were found. */ 1164 return found; 1165 } 1166 1167 /* Populate the verification/tie tags based on overlapping INIT 1168 * scenario. 1169 * 1170 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1171 */ 1172 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1173 const struct sctp_association *asoc) 1174 { 1175 switch (asoc->state) { 1176 1177 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1178 1179 case SCTP_STATE_COOKIE_WAIT: 1180 new_asoc->c.my_vtag = asoc->c.my_vtag; 1181 new_asoc->c.my_ttag = asoc->c.my_vtag; 1182 new_asoc->c.peer_ttag = 0; 1183 break; 1184 1185 case SCTP_STATE_COOKIE_ECHOED: 1186 new_asoc->c.my_vtag = asoc->c.my_vtag; 1187 new_asoc->c.my_ttag = asoc->c.my_vtag; 1188 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1189 break; 1190 1191 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1192 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1193 */ 1194 default: 1195 new_asoc->c.my_ttag = asoc->c.my_vtag; 1196 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1197 break; 1198 }; 1199 1200 /* Other parameters for the endpoint SHOULD be copied from the 1201 * existing parameters of the association (e.g. number of 1202 * outbound streams) into the INIT ACK and cookie. 1203 */ 1204 new_asoc->rwnd = asoc->rwnd; 1205 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1206 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1207 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1208 } 1209 1210 /* 1211 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1212 * handling action. 1213 * 1214 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1215 * 1216 * Returns value representing action to be taken. These action values 1217 * correspond to Action/Description values in RFC 2960, Table 2. 1218 */ 1219 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1220 const struct sctp_association *asoc) 1221 { 1222 /* In this case, the peer may have restarted. */ 1223 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1224 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1225 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1226 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1227 return 'A'; 1228 1229 /* Collision case B. */ 1230 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1231 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1232 (0 == asoc->c.peer_vtag))) { 1233 return 'B'; 1234 } 1235 1236 /* Collision case D. */ 1237 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1238 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1239 return 'D'; 1240 1241 /* Collision case C. */ 1242 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1243 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1244 (0 == new_asoc->c.my_ttag) && 1245 (0 == new_asoc->c.peer_ttag)) 1246 return 'C'; 1247 1248 /* No match to any of the special cases; discard this packet. */ 1249 return 'E'; 1250 } 1251 1252 /* Common helper routine for both duplicate and simulataneous INIT 1253 * chunk handling. 1254 */ 1255 static sctp_disposition_t sctp_sf_do_unexpected_init( 1256 const struct sctp_endpoint *ep, 1257 const struct sctp_association *asoc, 1258 const sctp_subtype_t type, 1259 void *arg, sctp_cmd_seq_t *commands) 1260 { 1261 sctp_disposition_t retval; 1262 struct sctp_chunk *chunk = arg; 1263 struct sctp_chunk *repl; 1264 struct sctp_association *new_asoc; 1265 struct sctp_chunk *err_chunk; 1266 struct sctp_packet *packet; 1267 sctp_unrecognized_param_t *unk_param; 1268 int len; 1269 1270 /* 6.10 Bundling 1271 * An endpoint MUST NOT bundle INIT, INIT ACK or 1272 * SHUTDOWN COMPLETE with any other chunks. 1273 * 1274 * IG Section 2.11.2 1275 * Furthermore, we require that the receiver of an INIT chunk MUST 1276 * enforce these rules by silently discarding an arriving packet 1277 * with an INIT chunk that is bundled with other chunks. 1278 */ 1279 if (!chunk->singleton) 1280 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1281 1282 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1283 * Tag. 1284 */ 1285 if (chunk->sctp_hdr->vtag != 0) 1286 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1287 1288 /* Make sure that the INIT chunk has a valid length. 1289 * In this case, we generate a protocol violation since we have 1290 * an association established. 1291 */ 1292 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1293 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1294 commands); 1295 /* Grab the INIT header. */ 1296 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1297 1298 /* Tag the variable length parameters. */ 1299 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1300 1301 /* Verify the INIT chunk before processing it. */ 1302 err_chunk = NULL; 1303 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1304 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1305 &err_chunk)) { 1306 /* This chunk contains fatal error. It is to be discarded. 1307 * Send an ABORT, with causes if there is any. 1308 */ 1309 if (err_chunk) { 1310 packet = sctp_abort_pkt_new(ep, asoc, arg, 1311 (__u8 *)(err_chunk->chunk_hdr) + 1312 sizeof(sctp_chunkhdr_t), 1313 ntohs(err_chunk->chunk_hdr->length) - 1314 sizeof(sctp_chunkhdr_t)); 1315 1316 if (packet) { 1317 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1318 SCTP_PACKET(packet)); 1319 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1320 retval = SCTP_DISPOSITION_CONSUME; 1321 } else { 1322 retval = SCTP_DISPOSITION_NOMEM; 1323 } 1324 goto cleanup; 1325 } else { 1326 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1327 commands); 1328 } 1329 } 1330 1331 /* 1332 * Other parameters for the endpoint SHOULD be copied from the 1333 * existing parameters of the association (e.g. number of 1334 * outbound streams) into the INIT ACK and cookie. 1335 * FIXME: We are copying parameters from the endpoint not the 1336 * association. 1337 */ 1338 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1339 if (!new_asoc) 1340 goto nomem; 1341 1342 /* In the outbound INIT ACK the endpoint MUST copy its current 1343 * Verification Tag and Peers Verification tag into a reserved 1344 * place (local tie-tag and per tie-tag) within the state cookie. 1345 */ 1346 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1347 sctp_source(chunk), 1348 (sctp_init_chunk_t *)chunk->chunk_hdr, 1349 GFP_ATOMIC)) 1350 goto nomem; 1351 1352 /* Make sure no new addresses are being added during the 1353 * restart. Do not do this check for COOKIE-WAIT state, 1354 * since there are no peer addresses to check against. 1355 * Upon return an ABORT will have been sent if needed. 1356 */ 1357 if (!sctp_state(asoc, COOKIE_WAIT)) { 1358 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1359 commands)) { 1360 retval = SCTP_DISPOSITION_CONSUME; 1361 goto nomem_retval; 1362 } 1363 } 1364 1365 sctp_tietags_populate(new_asoc, asoc); 1366 1367 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1368 1369 /* If there are errors need to be reported for unknown parameters, 1370 * make sure to reserve enough room in the INIT ACK for them. 1371 */ 1372 len = 0; 1373 if (err_chunk) { 1374 len = ntohs(err_chunk->chunk_hdr->length) - 1375 sizeof(sctp_chunkhdr_t); 1376 } 1377 1378 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1379 goto nomem; 1380 1381 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1382 if (!repl) 1383 goto nomem; 1384 1385 /* If there are errors need to be reported for unknown parameters, 1386 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1387 * parameter. 1388 */ 1389 if (err_chunk) { 1390 /* Get the "Unrecognized parameter" parameter(s) out of the 1391 * ERROR chunk generated by sctp_verify_init(). Since the 1392 * error cause code for "unknown parameter" and the 1393 * "Unrecognized parameter" type is the same, we can 1394 * construct the parameters in INIT ACK by copying the 1395 * ERROR causes over. 1396 */ 1397 unk_param = (sctp_unrecognized_param_t *) 1398 ((__u8 *)(err_chunk->chunk_hdr) + 1399 sizeof(sctp_chunkhdr_t)); 1400 /* Replace the cause code with the "Unrecognized parameter" 1401 * parameter type. 1402 */ 1403 sctp_addto_chunk(repl, len, unk_param); 1404 } 1405 1406 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1407 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1408 1409 /* 1410 * Note: After sending out INIT ACK with the State Cookie parameter, 1411 * "Z" MUST NOT allocate any resources for this new association. 1412 * Otherwise, "Z" will be vulnerable to resource attacks. 1413 */ 1414 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1415 retval = SCTP_DISPOSITION_CONSUME; 1416 1417 return retval; 1418 1419 nomem: 1420 retval = SCTP_DISPOSITION_NOMEM; 1421 nomem_retval: 1422 if (new_asoc) 1423 sctp_association_free(new_asoc); 1424 cleanup: 1425 if (err_chunk) 1426 sctp_chunk_free(err_chunk); 1427 return retval; 1428 } 1429 1430 /* 1431 * Handle simultanous INIT. 1432 * This means we started an INIT and then we got an INIT request from 1433 * our peer. 1434 * 1435 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1436 * This usually indicates an initialization collision, i.e., each 1437 * endpoint is attempting, at about the same time, to establish an 1438 * association with the other endpoint. 1439 * 1440 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1441 * endpoint MUST respond with an INIT ACK using the same parameters it 1442 * sent in its original INIT chunk (including its Verification Tag, 1443 * unchanged). These original parameters are combined with those from the 1444 * newly received INIT chunk. The endpoint shall also generate a State 1445 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1446 * INIT to calculate the State Cookie. 1447 * 1448 * After that, the endpoint MUST NOT change its state, the T1-init 1449 * timer shall be left running and the corresponding TCB MUST NOT be 1450 * destroyed. The normal procedures for handling State Cookies when 1451 * a TCB exists will resolve the duplicate INITs to a single association. 1452 * 1453 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1454 * its Tie-Tags with the Tag information of itself and its peer (see 1455 * section 5.2.2 for a description of the Tie-Tags). 1456 * 1457 * Verification Tag: Not explicit, but an INIT can not have a valid 1458 * verification tag, so we skip the check. 1459 * 1460 * Inputs 1461 * (endpoint, asoc, chunk) 1462 * 1463 * Outputs 1464 * (asoc, reply_msg, msg_up, timers, counters) 1465 * 1466 * The return value is the disposition of the chunk. 1467 */ 1468 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1469 const struct sctp_association *asoc, 1470 const sctp_subtype_t type, 1471 void *arg, 1472 sctp_cmd_seq_t *commands) 1473 { 1474 /* Call helper to do the real work for both simulataneous and 1475 * duplicate INIT chunk handling. 1476 */ 1477 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1478 } 1479 1480 /* 1481 * Handle duplicated INIT messages. These are usually delayed 1482 * restransmissions. 1483 * 1484 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1485 * COOKIE-ECHOED and COOKIE-WAIT 1486 * 1487 * Unless otherwise stated, upon reception of an unexpected INIT for 1488 * this association, the endpoint shall generate an INIT ACK with a 1489 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1490 * current Verification Tag and peer's Verification Tag into a reserved 1491 * place within the state cookie. We shall refer to these locations as 1492 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1493 * containing this INIT ACK MUST carry a Verification Tag value equal to 1494 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1495 * MUST contain a new Initiation Tag (randomly generated see Section 1496 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1497 * existing parameters of the association (e.g. number of outbound 1498 * streams) into the INIT ACK and cookie. 1499 * 1500 * After sending out the INIT ACK, the endpoint shall take no further 1501 * actions, i.e., the existing association, including its current state, 1502 * and the corresponding TCB MUST NOT be changed. 1503 * 1504 * Note: Only when a TCB exists and the association is not in a COOKIE- 1505 * WAIT state are the Tie-Tags populated. For a normal association INIT 1506 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1507 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1508 * State Cookie are populated as specified in section 5.2.1. 1509 * 1510 * Verification Tag: Not specified, but an INIT has no way of knowing 1511 * what the verification tag could be, so we ignore it. 1512 * 1513 * Inputs 1514 * (endpoint, asoc, chunk) 1515 * 1516 * Outputs 1517 * (asoc, reply_msg, msg_up, timers, counters) 1518 * 1519 * The return value is the disposition of the chunk. 1520 */ 1521 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1522 const struct sctp_association *asoc, 1523 const sctp_subtype_t type, 1524 void *arg, 1525 sctp_cmd_seq_t *commands) 1526 { 1527 /* Call helper to do the real work for both simulataneous and 1528 * duplicate INIT chunk handling. 1529 */ 1530 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1531 } 1532 1533 1534 /* 1535 * Unexpected INIT-ACK handler. 1536 * 1537 * Section 5.2.3 1538 * If an INIT ACK received by an endpoint in any state other than the 1539 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1540 * An unexpected INIT ACK usually indicates the processing of an old or 1541 * duplicated INIT chunk. 1542 */ 1543 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1544 const struct sctp_association *asoc, 1545 const sctp_subtype_t type, 1546 void *arg, sctp_cmd_seq_t *commands) 1547 { 1548 /* Per the above section, we'll discard the chunk if we have an 1549 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1550 */ 1551 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1552 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1553 else 1554 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1555 } 1556 1557 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1558 * 1559 * Section 5.2.4 1560 * A) In this case, the peer may have restarted. 1561 */ 1562 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1563 const struct sctp_association *asoc, 1564 struct sctp_chunk *chunk, 1565 sctp_cmd_seq_t *commands, 1566 struct sctp_association *new_asoc) 1567 { 1568 sctp_init_chunk_t *peer_init; 1569 struct sctp_ulpevent *ev; 1570 struct sctp_chunk *repl; 1571 struct sctp_chunk *err; 1572 sctp_disposition_t disposition; 1573 1574 /* new_asoc is a brand-new association, so these are not yet 1575 * side effects--it is safe to run them here. 1576 */ 1577 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1578 1579 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1580 sctp_source(chunk), peer_init, 1581 GFP_ATOMIC)) 1582 goto nomem; 1583 1584 /* Make sure no new addresses are being added during the 1585 * restart. Though this is a pretty complicated attack 1586 * since you'd have to get inside the cookie. 1587 */ 1588 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1589 return SCTP_DISPOSITION_CONSUME; 1590 } 1591 1592 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1593 * the peer has restarted (Action A), it MUST NOT setup a new 1594 * association but instead resend the SHUTDOWN ACK and send an ERROR 1595 * chunk with a "Cookie Received while Shutting Down" error cause to 1596 * its peer. 1597 */ 1598 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1599 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1600 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1601 chunk, commands); 1602 if (SCTP_DISPOSITION_NOMEM == disposition) 1603 goto nomem; 1604 1605 err = sctp_make_op_error(asoc, chunk, 1606 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1607 NULL, 0); 1608 if (err) 1609 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1610 SCTP_CHUNK(err)); 1611 1612 return SCTP_DISPOSITION_CONSUME; 1613 } 1614 1615 /* For now, fail any unsent/unacked data. Consider the optional 1616 * choice of resending of this data. 1617 */ 1618 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1619 1620 repl = sctp_make_cookie_ack(new_asoc, chunk); 1621 if (!repl) 1622 goto nomem; 1623 1624 /* Report association restart to upper layer. */ 1625 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1626 new_asoc->c.sinit_num_ostreams, 1627 new_asoc->c.sinit_max_instreams, 1628 GFP_ATOMIC); 1629 if (!ev) 1630 goto nomem_ev; 1631 1632 /* Update the content of current association. */ 1633 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1634 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1635 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1636 return SCTP_DISPOSITION_CONSUME; 1637 1638 nomem_ev: 1639 sctp_chunk_free(repl); 1640 nomem: 1641 return SCTP_DISPOSITION_NOMEM; 1642 } 1643 1644 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1645 * 1646 * Section 5.2.4 1647 * B) In this case, both sides may be attempting to start an association 1648 * at about the same time but the peer endpoint started its INIT 1649 * after responding to the local endpoint's INIT 1650 */ 1651 /* This case represents an initialization collision. */ 1652 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1653 const struct sctp_association *asoc, 1654 struct sctp_chunk *chunk, 1655 sctp_cmd_seq_t *commands, 1656 struct sctp_association *new_asoc) 1657 { 1658 sctp_init_chunk_t *peer_init; 1659 struct sctp_ulpevent *ev; 1660 struct sctp_chunk *repl; 1661 1662 /* new_asoc is a brand-new association, so these are not yet 1663 * side effects--it is safe to run them here. 1664 */ 1665 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1666 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1667 sctp_source(chunk), peer_init, 1668 GFP_ATOMIC)) 1669 goto nomem; 1670 1671 /* Update the content of current association. */ 1672 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1673 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1674 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1675 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1676 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1677 1678 repl = sctp_make_cookie_ack(new_asoc, chunk); 1679 if (!repl) 1680 goto nomem; 1681 1682 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1683 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1684 1685 /* RFC 2960 5.1 Normal Establishment of an Association 1686 * 1687 * D) IMPLEMENTATION NOTE: An implementation may choose to 1688 * send the Communication Up notification to the SCTP user 1689 * upon reception of a valid COOKIE ECHO chunk. 1690 */ 1691 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 0, 1692 new_asoc->c.sinit_num_ostreams, 1693 new_asoc->c.sinit_max_instreams, 1694 GFP_ATOMIC); 1695 if (!ev) 1696 goto nomem_ev; 1697 1698 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1699 1700 /* Sockets API Draft Section 5.3.1.6 1701 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1702 * delivers this notification to inform the application that of the 1703 * peers requested adaptation layer. 1704 */ 1705 if (asoc->peer.adaptation_ind) { 1706 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 1707 if (!ev) 1708 goto nomem_ev; 1709 1710 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1711 SCTP_ULPEVENT(ev)); 1712 } 1713 1714 return SCTP_DISPOSITION_CONSUME; 1715 1716 nomem_ev: 1717 sctp_chunk_free(repl); 1718 nomem: 1719 return SCTP_DISPOSITION_NOMEM; 1720 } 1721 1722 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1723 * 1724 * Section 5.2.4 1725 * C) In this case, the local endpoint's cookie has arrived late. 1726 * Before it arrived, the local endpoint sent an INIT and received an 1727 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1728 * but a new tag of its own. 1729 */ 1730 /* This case represents an initialization collision. */ 1731 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1732 const struct sctp_association *asoc, 1733 struct sctp_chunk *chunk, 1734 sctp_cmd_seq_t *commands, 1735 struct sctp_association *new_asoc) 1736 { 1737 /* The cookie should be silently discarded. 1738 * The endpoint SHOULD NOT change states and should leave 1739 * any timers running. 1740 */ 1741 return SCTP_DISPOSITION_DISCARD; 1742 } 1743 1744 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1745 * 1746 * Section 5.2.4 1747 * 1748 * D) When both local and remote tags match the endpoint should always 1749 * enter the ESTABLISHED state, if it has not already done so. 1750 */ 1751 /* This case represents an initialization collision. */ 1752 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1753 const struct sctp_association *asoc, 1754 struct sctp_chunk *chunk, 1755 sctp_cmd_seq_t *commands, 1756 struct sctp_association *new_asoc) 1757 { 1758 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1759 struct sctp_chunk *repl; 1760 1761 /* Clarification from Implementor's Guide: 1762 * D) When both local and remote tags match the endpoint should 1763 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1764 * It should stop any cookie timer that may be running and send 1765 * a COOKIE ACK. 1766 */ 1767 1768 /* Don't accidentally move back into established state. */ 1769 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1770 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1771 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1772 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1773 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1774 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1775 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1776 SCTP_NULL()); 1777 1778 /* RFC 2960 5.1 Normal Establishment of an Association 1779 * 1780 * D) IMPLEMENTATION NOTE: An implementation may choose 1781 * to send the Communication Up notification to the 1782 * SCTP user upon reception of a valid COOKIE 1783 * ECHO chunk. 1784 */ 1785 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1786 SCTP_COMM_UP, 0, 1787 asoc->c.sinit_num_ostreams, 1788 asoc->c.sinit_max_instreams, 1789 GFP_ATOMIC); 1790 if (!ev) 1791 goto nomem; 1792 1793 /* Sockets API Draft Section 5.3.1.6 1794 * When a peer sends a Adaptation Layer Indication parameter, 1795 * SCTP delivers this notification to inform the application 1796 * that of the peers requested adaptation layer. 1797 */ 1798 if (asoc->peer.adaptation_ind) { 1799 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1800 GFP_ATOMIC); 1801 if (!ai_ev) 1802 goto nomem; 1803 1804 } 1805 } 1806 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1807 1808 repl = sctp_make_cookie_ack(new_asoc, chunk); 1809 if (!repl) 1810 goto nomem; 1811 1812 if (ev) 1813 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1814 SCTP_ULPEVENT(ev)); 1815 if (ai_ev) 1816 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1817 SCTP_ULPEVENT(ai_ev)); 1818 1819 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1820 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1821 1822 return SCTP_DISPOSITION_CONSUME; 1823 1824 nomem: 1825 if (ai_ev) 1826 sctp_ulpevent_free(ai_ev); 1827 if (ev) 1828 sctp_ulpevent_free(ev); 1829 return SCTP_DISPOSITION_NOMEM; 1830 } 1831 1832 /* 1833 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1834 * chunk was retransmitted and then delayed in the network. 1835 * 1836 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1837 * 1838 * Verification Tag: None. Do cookie validation. 1839 * 1840 * Inputs 1841 * (endpoint, asoc, chunk) 1842 * 1843 * Outputs 1844 * (asoc, reply_msg, msg_up, timers, counters) 1845 * 1846 * The return value is the disposition of the chunk. 1847 */ 1848 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1849 const struct sctp_association *asoc, 1850 const sctp_subtype_t type, 1851 void *arg, 1852 sctp_cmd_seq_t *commands) 1853 { 1854 sctp_disposition_t retval; 1855 struct sctp_chunk *chunk = arg; 1856 struct sctp_association *new_asoc; 1857 int error = 0; 1858 char action; 1859 struct sctp_chunk *err_chk_p; 1860 1861 /* Make sure that the chunk has a valid length from the protocol 1862 * perspective. In this case check to make sure we have at least 1863 * enough for the chunk header. Cookie length verification is 1864 * done later. 1865 */ 1866 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1867 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1868 commands); 1869 1870 /* "Decode" the chunk. We have no optional parameters so we 1871 * are in good shape. 1872 */ 1873 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1874 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1875 sizeof(sctp_chunkhdr_t))) 1876 goto nomem; 1877 1878 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1879 * of a duplicate COOKIE ECHO match the Verification Tags of the 1880 * current association, consider the State Cookie valid even if 1881 * the lifespan is exceeded. 1882 */ 1883 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1884 &err_chk_p); 1885 1886 /* FIXME: 1887 * If the re-build failed, what is the proper error path 1888 * from here? 1889 * 1890 * [We should abort the association. --piggy] 1891 */ 1892 if (!new_asoc) { 1893 /* FIXME: Several errors are possible. A bad cookie should 1894 * be silently discarded, but think about logging it too. 1895 */ 1896 switch (error) { 1897 case -SCTP_IERROR_NOMEM: 1898 goto nomem; 1899 1900 case -SCTP_IERROR_STALE_COOKIE: 1901 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1902 err_chk_p); 1903 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1904 case -SCTP_IERROR_BAD_SIG: 1905 default: 1906 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1907 }; 1908 } 1909 1910 /* Compare the tie_tag in cookie with the verification tag of 1911 * current association. 1912 */ 1913 action = sctp_tietags_compare(new_asoc, asoc); 1914 1915 switch (action) { 1916 case 'A': /* Association restart. */ 1917 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 1918 new_asoc); 1919 break; 1920 1921 case 'B': /* Collision case B. */ 1922 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 1923 new_asoc); 1924 break; 1925 1926 case 'C': /* Collision case C. */ 1927 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 1928 new_asoc); 1929 break; 1930 1931 case 'D': /* Collision case D. */ 1932 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 1933 new_asoc); 1934 break; 1935 1936 default: /* Discard packet for all others. */ 1937 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1938 break; 1939 }; 1940 1941 /* Delete the tempory new association. */ 1942 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1943 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1944 1945 return retval; 1946 1947 nomem: 1948 return SCTP_DISPOSITION_NOMEM; 1949 } 1950 1951 /* 1952 * Process an ABORT. (SHUTDOWN-PENDING state) 1953 * 1954 * See sctp_sf_do_9_1_abort(). 1955 */ 1956 sctp_disposition_t sctp_sf_shutdown_pending_abort( 1957 const struct sctp_endpoint *ep, 1958 const struct sctp_association *asoc, 1959 const sctp_subtype_t type, 1960 void *arg, 1961 sctp_cmd_seq_t *commands) 1962 { 1963 struct sctp_chunk *chunk = arg; 1964 1965 if (!sctp_vtag_verify_either(chunk, asoc)) 1966 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1967 1968 /* Make sure that the ABORT chunk has a valid length. 1969 * Since this is an ABORT chunk, we have to discard it 1970 * because of the following text: 1971 * RFC 2960, Section 3.3.7 1972 * If an endpoint receives an ABORT with a format error or for an 1973 * association that doesn't exist, it MUST silently discard it. 1974 * Becasue the length is "invalid", we can't really discard just 1975 * as we do not know its true length. So, to be safe, discard the 1976 * packet. 1977 */ 1978 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 1979 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1980 1981 /* Stop the T5-shutdown guard timer. */ 1982 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1983 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 1984 1985 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 1986 } 1987 1988 /* 1989 * Process an ABORT. (SHUTDOWN-SENT state) 1990 * 1991 * See sctp_sf_do_9_1_abort(). 1992 */ 1993 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 1994 const struct sctp_association *asoc, 1995 const sctp_subtype_t type, 1996 void *arg, 1997 sctp_cmd_seq_t *commands) 1998 { 1999 struct sctp_chunk *chunk = arg; 2000 2001 if (!sctp_vtag_verify_either(chunk, asoc)) 2002 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2003 2004 /* Make sure that the ABORT chunk has a valid length. 2005 * Since this is an ABORT chunk, we have to discard it 2006 * because of the following text: 2007 * RFC 2960, Section 3.3.7 2008 * If an endpoint receives an ABORT with a format error or for an 2009 * association that doesn't exist, it MUST silently discard it. 2010 * Becasue the length is "invalid", we can't really discard just 2011 * as we do not know its true length. So, to be safe, discard the 2012 * packet. 2013 */ 2014 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2015 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2016 2017 /* Stop the T2-shutdown timer. */ 2018 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2019 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2020 2021 /* Stop the T5-shutdown guard timer. */ 2022 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2023 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2024 2025 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2026 } 2027 2028 /* 2029 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2030 * 2031 * See sctp_sf_do_9_1_abort(). 2032 */ 2033 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2034 const struct sctp_endpoint *ep, 2035 const struct sctp_association *asoc, 2036 const sctp_subtype_t type, 2037 void *arg, 2038 sctp_cmd_seq_t *commands) 2039 { 2040 /* The same T2 timer, so we should be able to use 2041 * common function with the SHUTDOWN-SENT state. 2042 */ 2043 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2044 } 2045 2046 /* 2047 * Handle an Error received in COOKIE_ECHOED state. 2048 * 2049 * Only handle the error type of stale COOKIE Error, the other errors will 2050 * be ignored. 2051 * 2052 * Inputs 2053 * (endpoint, asoc, chunk) 2054 * 2055 * Outputs 2056 * (asoc, reply_msg, msg_up, timers, counters) 2057 * 2058 * The return value is the disposition of the chunk. 2059 */ 2060 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2061 const struct sctp_association *asoc, 2062 const sctp_subtype_t type, 2063 void *arg, 2064 sctp_cmd_seq_t *commands) 2065 { 2066 struct sctp_chunk *chunk = arg; 2067 sctp_errhdr_t *err; 2068 2069 if (!sctp_vtag_verify(chunk, asoc)) 2070 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2071 2072 /* Make sure that the ERROR chunk has a valid length. 2073 * The parameter walking depends on this as well. 2074 */ 2075 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2076 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2077 commands); 2078 2079 /* Process the error here */ 2080 /* FUTURE FIXME: When PR-SCTP related and other optional 2081 * parms are emitted, this will have to change to handle multiple 2082 * errors. 2083 */ 2084 sctp_walk_errors(err, chunk->chunk_hdr) { 2085 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2086 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2087 arg, commands); 2088 } 2089 2090 /* It is possible to have malformed error causes, and that 2091 * will cause us to end the walk early. However, since 2092 * we are discarding the packet, there should be no adverse 2093 * affects. 2094 */ 2095 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2096 } 2097 2098 /* 2099 * Handle a Stale COOKIE Error 2100 * 2101 * Section: 5.2.6 Handle Stale COOKIE Error 2102 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2103 * one of the following three alternatives. 2104 * ... 2105 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2106 * Preservative parameter requesting an extension to the lifetime of 2107 * the State Cookie. When calculating the time extension, an 2108 * implementation SHOULD use the RTT information measured based on the 2109 * previous COOKIE ECHO / ERROR exchange, and should add no more 2110 * than 1 second beyond the measured RTT, due to long State Cookie 2111 * lifetimes making the endpoint more subject to a replay attack. 2112 * 2113 * Verification Tag: Not explicit, but safe to ignore. 2114 * 2115 * Inputs 2116 * (endpoint, asoc, chunk) 2117 * 2118 * Outputs 2119 * (asoc, reply_msg, msg_up, timers, counters) 2120 * 2121 * The return value is the disposition of the chunk. 2122 */ 2123 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2124 const struct sctp_association *asoc, 2125 const sctp_subtype_t type, 2126 void *arg, 2127 sctp_cmd_seq_t *commands) 2128 { 2129 struct sctp_chunk *chunk = arg; 2130 time_t stale; 2131 sctp_cookie_preserve_param_t bht; 2132 sctp_errhdr_t *err; 2133 struct sctp_chunk *reply; 2134 struct sctp_bind_addr *bp; 2135 int attempts = asoc->init_err_counter + 1; 2136 2137 if (attempts > asoc->max_init_attempts) { 2138 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2139 SCTP_ERROR(ETIMEDOUT)); 2140 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2141 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2142 return SCTP_DISPOSITION_DELETE_TCB; 2143 } 2144 2145 err = (sctp_errhdr_t *)(chunk->skb->data); 2146 2147 /* When calculating the time extension, an implementation 2148 * SHOULD use the RTT information measured based on the 2149 * previous COOKIE ECHO / ERROR exchange, and should add no 2150 * more than 1 second beyond the measured RTT, due to long 2151 * State Cookie lifetimes making the endpoint more subject to 2152 * a replay attack. 2153 * Measure of Staleness's unit is usec. (1/1000000 sec) 2154 * Suggested Cookie Life-span Increment's unit is msec. 2155 * (1/1000 sec) 2156 * In general, if you use the suggested cookie life, the value 2157 * found in the field of measure of staleness should be doubled 2158 * to give ample time to retransmit the new cookie and thus 2159 * yield a higher probability of success on the reattempt. 2160 */ 2161 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2162 stale = (stale * 2) / 1000; 2163 2164 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2165 bht.param_hdr.length = htons(sizeof(bht)); 2166 bht.lifespan_increment = htonl(stale); 2167 2168 /* Build that new INIT chunk. */ 2169 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2170 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2171 if (!reply) 2172 goto nomem; 2173 2174 sctp_addto_chunk(reply, sizeof(bht), &bht); 2175 2176 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2177 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2178 2179 /* Stop pending T3-rtx and heartbeat timers */ 2180 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2181 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2182 2183 /* Delete non-primary peer ip addresses since we are transitioning 2184 * back to the COOKIE-WAIT state 2185 */ 2186 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2187 2188 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2189 * resend 2190 */ 2191 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, 2192 SCTP_TRANSPORT(asoc->peer.primary_path)); 2193 2194 /* Cast away the const modifier, as we want to just 2195 * rerun it through as a sideffect. 2196 */ 2197 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2198 2199 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2200 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2201 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2202 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2203 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2204 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2205 2206 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2207 2208 return SCTP_DISPOSITION_CONSUME; 2209 2210 nomem: 2211 return SCTP_DISPOSITION_NOMEM; 2212 } 2213 2214 /* 2215 * Process an ABORT. 2216 * 2217 * Section: 9.1 2218 * After checking the Verification Tag, the receiving endpoint shall 2219 * remove the association from its record, and shall report the 2220 * termination to its upper layer. 2221 * 2222 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2223 * B) Rules for packet carrying ABORT: 2224 * 2225 * - The endpoint shall always fill in the Verification Tag field of the 2226 * outbound packet with the destination endpoint's tag value if it 2227 * is known. 2228 * 2229 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2230 * MUST follow the procedure described in Section 8.4. 2231 * 2232 * - The receiver MUST accept the packet if the Verification Tag 2233 * matches either its own tag, OR the tag of its peer. Otherwise, the 2234 * receiver MUST silently discard the packet and take no further 2235 * action. 2236 * 2237 * Inputs 2238 * (endpoint, asoc, chunk) 2239 * 2240 * Outputs 2241 * (asoc, reply_msg, msg_up, timers, counters) 2242 * 2243 * The return value is the disposition of the chunk. 2244 */ 2245 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2246 const struct sctp_association *asoc, 2247 const sctp_subtype_t type, 2248 void *arg, 2249 sctp_cmd_seq_t *commands) 2250 { 2251 struct sctp_chunk *chunk = arg; 2252 unsigned len; 2253 __be16 error = SCTP_ERROR_NO_ERROR; 2254 2255 if (!sctp_vtag_verify_either(chunk, asoc)) 2256 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2257 2258 /* Make sure that the ABORT chunk has a valid length. 2259 * Since this is an ABORT chunk, we have to discard it 2260 * because of the following text: 2261 * RFC 2960, Section 3.3.7 2262 * If an endpoint receives an ABORT with a format error or for an 2263 * association that doesn't exist, it MUST silently discard it. 2264 * Becasue the length is "invalid", we can't really discard just 2265 * as we do not know its true length. So, to be safe, discard the 2266 * packet. 2267 */ 2268 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2269 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2270 2271 /* See if we have an error cause code in the chunk. */ 2272 len = ntohs(chunk->chunk_hdr->length); 2273 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2274 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2275 2276 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2277 /* ASSOC_FAILED will DELETE_TCB. */ 2278 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2279 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2280 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2281 2282 return SCTP_DISPOSITION_ABORT; 2283 } 2284 2285 /* 2286 * Process an ABORT. (COOKIE-WAIT state) 2287 * 2288 * See sctp_sf_do_9_1_abort() above. 2289 */ 2290 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2291 const struct sctp_association *asoc, 2292 const sctp_subtype_t type, 2293 void *arg, 2294 sctp_cmd_seq_t *commands) 2295 { 2296 struct sctp_chunk *chunk = arg; 2297 unsigned len; 2298 __be16 error = SCTP_ERROR_NO_ERROR; 2299 2300 if (!sctp_vtag_verify_either(chunk, asoc)) 2301 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2302 2303 /* Make sure that the ABORT chunk has a valid length. 2304 * Since this is an ABORT chunk, we have to discard it 2305 * because of the following text: 2306 * RFC 2960, Section 3.3.7 2307 * If an endpoint receives an ABORT with a format error or for an 2308 * association that doesn't exist, it MUST silently discard it. 2309 * Becasue the length is "invalid", we can't really discard just 2310 * as we do not know its true length. So, to be safe, discard the 2311 * packet. 2312 */ 2313 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2314 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2315 2316 /* See if we have an error cause code in the chunk. */ 2317 len = ntohs(chunk->chunk_hdr->length); 2318 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2319 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2320 2321 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2322 chunk->transport); 2323 } 2324 2325 /* 2326 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2327 */ 2328 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2329 const struct sctp_association *asoc, 2330 const sctp_subtype_t type, 2331 void *arg, 2332 sctp_cmd_seq_t *commands) 2333 { 2334 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2335 ENOPROTOOPT, asoc, 2336 (struct sctp_transport *)arg); 2337 } 2338 2339 /* 2340 * Process an ABORT. (COOKIE-ECHOED state) 2341 */ 2342 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2343 const struct sctp_association *asoc, 2344 const sctp_subtype_t type, 2345 void *arg, 2346 sctp_cmd_seq_t *commands) 2347 { 2348 /* There is a single T1 timer, so we should be able to use 2349 * common function with the COOKIE-WAIT state. 2350 */ 2351 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2352 } 2353 2354 /* 2355 * Stop T1 timer and abort association with "INIT failed". 2356 * 2357 * This is common code called by several sctp_sf_*_abort() functions above. 2358 */ 2359 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2360 __be16 error, int sk_err, 2361 const struct sctp_association *asoc, 2362 struct sctp_transport *transport) 2363 { 2364 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2365 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2366 SCTP_STATE(SCTP_STATE_CLOSED)); 2367 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2368 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2369 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2370 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2371 /* CMD_INIT_FAILED will DELETE_TCB. */ 2372 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2373 SCTP_PERR(error)); 2374 return SCTP_DISPOSITION_ABORT; 2375 } 2376 2377 /* 2378 * sctp_sf_do_9_2_shut 2379 * 2380 * Section: 9.2 2381 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2382 * - enter the SHUTDOWN-RECEIVED state, 2383 * 2384 * - stop accepting new data from its SCTP user 2385 * 2386 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2387 * that all its outstanding DATA chunks have been received by the 2388 * SHUTDOWN sender. 2389 * 2390 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2391 * send a SHUTDOWN in response to a ULP request. And should discard 2392 * subsequent SHUTDOWN chunks. 2393 * 2394 * If there are still outstanding DATA chunks left, the SHUTDOWN 2395 * receiver shall continue to follow normal data transmission 2396 * procedures defined in Section 6 until all outstanding DATA chunks 2397 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2398 * new data from its SCTP user. 2399 * 2400 * Verification Tag: 8.5 Verification Tag [Normal verification] 2401 * 2402 * Inputs 2403 * (endpoint, asoc, chunk) 2404 * 2405 * Outputs 2406 * (asoc, reply_msg, msg_up, timers, counters) 2407 * 2408 * The return value is the disposition of the chunk. 2409 */ 2410 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2411 const struct sctp_association *asoc, 2412 const sctp_subtype_t type, 2413 void *arg, 2414 sctp_cmd_seq_t *commands) 2415 { 2416 struct sctp_chunk *chunk = arg; 2417 sctp_shutdownhdr_t *sdh; 2418 sctp_disposition_t disposition; 2419 struct sctp_ulpevent *ev; 2420 2421 if (!sctp_vtag_verify(chunk, asoc)) 2422 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2423 2424 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2425 if (!sctp_chunk_length_valid(chunk, 2426 sizeof(struct sctp_shutdown_chunk_t))) 2427 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2428 commands); 2429 2430 /* Convert the elaborate header. */ 2431 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2432 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2433 chunk->subh.shutdown_hdr = sdh; 2434 2435 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2436 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2437 * inform the application that it should cease sending data. 2438 */ 2439 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2440 if (!ev) { 2441 disposition = SCTP_DISPOSITION_NOMEM; 2442 goto out; 2443 } 2444 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2445 2446 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2447 * - enter the SHUTDOWN-RECEIVED state, 2448 * - stop accepting new data from its SCTP user 2449 * 2450 * [This is implicit in the new state.] 2451 */ 2452 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2453 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2454 disposition = SCTP_DISPOSITION_CONSUME; 2455 2456 if (sctp_outq_is_empty(&asoc->outqueue)) { 2457 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2458 arg, commands); 2459 } 2460 2461 if (SCTP_DISPOSITION_NOMEM == disposition) 2462 goto out; 2463 2464 /* - verify, by checking the Cumulative TSN Ack field of the 2465 * chunk, that all its outstanding DATA chunks have been 2466 * received by the SHUTDOWN sender. 2467 */ 2468 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2469 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2470 2471 out: 2472 return disposition; 2473 } 2474 2475 /* RFC 2960 9.2 2476 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2477 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2478 * transport addresses (either in the IP addresses or in the INIT chunk) 2479 * that belong to this association, it should discard the INIT chunk and 2480 * retransmit the SHUTDOWN ACK chunk. 2481 */ 2482 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2483 const struct sctp_association *asoc, 2484 const sctp_subtype_t type, 2485 void *arg, 2486 sctp_cmd_seq_t *commands) 2487 { 2488 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2489 struct sctp_chunk *reply; 2490 2491 /* Since we are not going to really process this INIT, there 2492 * is no point in verifying chunk boundries. Just generate 2493 * the SHUTDOWN ACK. 2494 */ 2495 reply = sctp_make_shutdown_ack(asoc, chunk); 2496 if (NULL == reply) 2497 goto nomem; 2498 2499 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2500 * the T2-SHUTDOWN timer. 2501 */ 2502 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2503 2504 /* and restart the T2-shutdown timer. */ 2505 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2506 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2507 2508 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2509 2510 return SCTP_DISPOSITION_CONSUME; 2511 nomem: 2512 return SCTP_DISPOSITION_NOMEM; 2513 } 2514 2515 /* 2516 * sctp_sf_do_ecn_cwr 2517 * 2518 * Section: Appendix A: Explicit Congestion Notification 2519 * 2520 * CWR: 2521 * 2522 * RFC 2481 details a specific bit for a sender to send in the header of 2523 * its next outbound TCP segment to indicate to its peer that it has 2524 * reduced its congestion window. This is termed the CWR bit. For 2525 * SCTP the same indication is made by including the CWR chunk. 2526 * This chunk contains one data element, i.e. the TSN number that 2527 * was sent in the ECNE chunk. This element represents the lowest 2528 * TSN number in the datagram that was originally marked with the 2529 * CE bit. 2530 * 2531 * Verification Tag: 8.5 Verification Tag [Normal verification] 2532 * Inputs 2533 * (endpoint, asoc, chunk) 2534 * 2535 * Outputs 2536 * (asoc, reply_msg, msg_up, timers, counters) 2537 * 2538 * The return value is the disposition of the chunk. 2539 */ 2540 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2541 const struct sctp_association *asoc, 2542 const sctp_subtype_t type, 2543 void *arg, 2544 sctp_cmd_seq_t *commands) 2545 { 2546 sctp_cwrhdr_t *cwr; 2547 struct sctp_chunk *chunk = arg; 2548 u32 lowest_tsn; 2549 2550 if (!sctp_vtag_verify(chunk, asoc)) 2551 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2552 2553 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2554 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2555 commands); 2556 2557 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2558 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2559 2560 lowest_tsn = ntohl(cwr->lowest_tsn); 2561 2562 /* Does this CWR ack the last sent congestion notification? */ 2563 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2564 /* Stop sending ECNE. */ 2565 sctp_add_cmd_sf(commands, 2566 SCTP_CMD_ECN_CWR, 2567 SCTP_U32(lowest_tsn)); 2568 } 2569 return SCTP_DISPOSITION_CONSUME; 2570 } 2571 2572 /* 2573 * sctp_sf_do_ecne 2574 * 2575 * Section: Appendix A: Explicit Congestion Notification 2576 * 2577 * ECN-Echo 2578 * 2579 * RFC 2481 details a specific bit for a receiver to send back in its 2580 * TCP acknowledgements to notify the sender of the Congestion 2581 * Experienced (CE) bit having arrived from the network. For SCTP this 2582 * same indication is made by including the ECNE chunk. This chunk 2583 * contains one data element, i.e. the lowest TSN associated with the IP 2584 * datagram marked with the CE bit..... 2585 * 2586 * Verification Tag: 8.5 Verification Tag [Normal verification] 2587 * Inputs 2588 * (endpoint, asoc, chunk) 2589 * 2590 * Outputs 2591 * (asoc, reply_msg, msg_up, timers, counters) 2592 * 2593 * The return value is the disposition of the chunk. 2594 */ 2595 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2596 const struct sctp_association *asoc, 2597 const sctp_subtype_t type, 2598 void *arg, 2599 sctp_cmd_seq_t *commands) 2600 { 2601 sctp_ecnehdr_t *ecne; 2602 struct sctp_chunk *chunk = arg; 2603 2604 if (!sctp_vtag_verify(chunk, asoc)) 2605 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2606 2607 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2608 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2609 commands); 2610 2611 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2612 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2613 2614 /* If this is a newer ECNE than the last CWR packet we sent out */ 2615 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2616 SCTP_U32(ntohl(ecne->lowest_tsn))); 2617 2618 return SCTP_DISPOSITION_CONSUME; 2619 } 2620 2621 /* 2622 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2623 * 2624 * The SCTP endpoint MUST always acknowledge the reception of each valid 2625 * DATA chunk. 2626 * 2627 * The guidelines on delayed acknowledgement algorithm specified in 2628 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2629 * acknowledgement SHOULD be generated for at least every second packet 2630 * (not every second DATA chunk) received, and SHOULD be generated within 2631 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2632 * situations it may be beneficial for an SCTP transmitter to be more 2633 * conservative than the algorithms detailed in this document allow. 2634 * However, an SCTP transmitter MUST NOT be more aggressive than the 2635 * following algorithms allow. 2636 * 2637 * A SCTP receiver MUST NOT generate more than one SACK for every 2638 * incoming packet, other than to update the offered window as the 2639 * receiving application consumes new data. 2640 * 2641 * Verification Tag: 8.5 Verification Tag [Normal verification] 2642 * 2643 * Inputs 2644 * (endpoint, asoc, chunk) 2645 * 2646 * Outputs 2647 * (asoc, reply_msg, msg_up, timers, counters) 2648 * 2649 * The return value is the disposition of the chunk. 2650 */ 2651 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2652 const struct sctp_association *asoc, 2653 const sctp_subtype_t type, 2654 void *arg, 2655 sctp_cmd_seq_t *commands) 2656 { 2657 struct sctp_chunk *chunk = arg; 2658 int error; 2659 2660 if (!sctp_vtag_verify(chunk, asoc)) { 2661 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2662 SCTP_NULL()); 2663 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2664 } 2665 2666 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2667 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2668 commands); 2669 2670 error = sctp_eat_data(asoc, chunk, commands ); 2671 switch (error) { 2672 case SCTP_IERROR_NO_ERROR: 2673 break; 2674 case SCTP_IERROR_HIGH_TSN: 2675 case SCTP_IERROR_BAD_STREAM: 2676 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2677 goto discard_noforce; 2678 case SCTP_IERROR_DUP_TSN: 2679 case SCTP_IERROR_IGNORE_TSN: 2680 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2681 goto discard_force; 2682 case SCTP_IERROR_NO_DATA: 2683 goto consume; 2684 default: 2685 BUG(); 2686 } 2687 2688 if (asoc->autoclose) { 2689 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2690 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2691 } 2692 2693 /* If this is the last chunk in a packet, we need to count it 2694 * toward sack generation. Note that we need to SACK every 2695 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2696 * THEM. We elect to NOT generate SACK's if the chunk fails 2697 * the verification tag test. 2698 * 2699 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2700 * 2701 * The SCTP endpoint MUST always acknowledge the reception of 2702 * each valid DATA chunk. 2703 * 2704 * The guidelines on delayed acknowledgement algorithm 2705 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2706 * Specifically, an acknowledgement SHOULD be generated for at 2707 * least every second packet (not every second DATA chunk) 2708 * received, and SHOULD be generated within 200 ms of the 2709 * arrival of any unacknowledged DATA chunk. In some 2710 * situations it may be beneficial for an SCTP transmitter to 2711 * be more conservative than the algorithms detailed in this 2712 * document allow. However, an SCTP transmitter MUST NOT be 2713 * more aggressive than the following algorithms allow. 2714 */ 2715 if (chunk->end_of_packet) 2716 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2717 2718 return SCTP_DISPOSITION_CONSUME; 2719 2720 discard_force: 2721 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2722 * 2723 * When a packet arrives with duplicate DATA chunk(s) and with 2724 * no new DATA chunk(s), the endpoint MUST immediately send a 2725 * SACK with no delay. If a packet arrives with duplicate 2726 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2727 * MAY immediately send a SACK. Normally receipt of duplicate 2728 * DATA chunks will occur when the original SACK chunk was lost 2729 * and the peer's RTO has expired. The duplicate TSN number(s) 2730 * SHOULD be reported in the SACK as duplicate. 2731 */ 2732 /* In our case, we split the MAY SACK advice up whether or not 2733 * the last chunk is a duplicate.' 2734 */ 2735 if (chunk->end_of_packet) 2736 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2737 return SCTP_DISPOSITION_DISCARD; 2738 2739 discard_noforce: 2740 if (chunk->end_of_packet) 2741 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2742 2743 return SCTP_DISPOSITION_DISCARD; 2744 consume: 2745 return SCTP_DISPOSITION_CONSUME; 2746 2747 } 2748 2749 /* 2750 * sctp_sf_eat_data_fast_4_4 2751 * 2752 * Section: 4 (4) 2753 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2754 * DATA chunks without delay. 2755 * 2756 * Verification Tag: 8.5 Verification Tag [Normal verification] 2757 * Inputs 2758 * (endpoint, asoc, chunk) 2759 * 2760 * Outputs 2761 * (asoc, reply_msg, msg_up, timers, counters) 2762 * 2763 * The return value is the disposition of the chunk. 2764 */ 2765 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2766 const struct sctp_association *asoc, 2767 const sctp_subtype_t type, 2768 void *arg, 2769 sctp_cmd_seq_t *commands) 2770 { 2771 struct sctp_chunk *chunk = arg; 2772 int error; 2773 2774 if (!sctp_vtag_verify(chunk, asoc)) { 2775 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2776 SCTP_NULL()); 2777 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2778 } 2779 2780 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2781 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2782 commands); 2783 2784 error = sctp_eat_data(asoc, chunk, commands ); 2785 switch (error) { 2786 case SCTP_IERROR_NO_ERROR: 2787 case SCTP_IERROR_HIGH_TSN: 2788 case SCTP_IERROR_DUP_TSN: 2789 case SCTP_IERROR_IGNORE_TSN: 2790 case SCTP_IERROR_BAD_STREAM: 2791 break; 2792 case SCTP_IERROR_NO_DATA: 2793 goto consume; 2794 default: 2795 BUG(); 2796 } 2797 2798 /* Go a head and force a SACK, since we are shutting down. */ 2799 2800 /* Implementor's Guide. 2801 * 2802 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2803 * respond to each received packet containing one or more DATA chunk(s) 2804 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2805 */ 2806 if (chunk->end_of_packet) { 2807 /* We must delay the chunk creation since the cumulative 2808 * TSN has not been updated yet. 2809 */ 2810 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2811 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2812 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2813 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2814 } 2815 2816 consume: 2817 return SCTP_DISPOSITION_CONSUME; 2818 } 2819 2820 /* 2821 * Section: 6.2 Processing a Received SACK 2822 * D) Any time a SACK arrives, the endpoint performs the following: 2823 * 2824 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2825 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2826 * increasing, a SACK whose Cumulative TSN Ack is less than the 2827 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2828 * 2829 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2830 * of bytes still outstanding after processing the Cumulative TSN Ack 2831 * and the Gap Ack Blocks. 2832 * 2833 * iii) If the SACK is missing a TSN that was previously 2834 * acknowledged via a Gap Ack Block (e.g., the data receiver 2835 * reneged on the data), then mark the corresponding DATA chunk 2836 * as available for retransmit: Mark it as missing for fast 2837 * retransmit as described in Section 7.2.4 and if no retransmit 2838 * timer is running for the destination address to which the DATA 2839 * chunk was originally transmitted, then T3-rtx is started for 2840 * that destination address. 2841 * 2842 * Verification Tag: 8.5 Verification Tag [Normal verification] 2843 * 2844 * Inputs 2845 * (endpoint, asoc, chunk) 2846 * 2847 * Outputs 2848 * (asoc, reply_msg, msg_up, timers, counters) 2849 * 2850 * The return value is the disposition of the chunk. 2851 */ 2852 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2853 const struct sctp_association *asoc, 2854 const sctp_subtype_t type, 2855 void *arg, 2856 sctp_cmd_seq_t *commands) 2857 { 2858 struct sctp_chunk *chunk = arg; 2859 sctp_sackhdr_t *sackh; 2860 __u32 ctsn; 2861 2862 if (!sctp_vtag_verify(chunk, asoc)) 2863 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2864 2865 /* Make sure that the SACK chunk has a valid length. */ 2866 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 2867 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2868 commands); 2869 2870 /* Pull the SACK chunk from the data buffer */ 2871 sackh = sctp_sm_pull_sack(chunk); 2872 /* Was this a bogus SACK? */ 2873 if (!sackh) 2874 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2875 chunk->subh.sack_hdr = sackh; 2876 ctsn = ntohl(sackh->cum_tsn_ack); 2877 2878 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 2879 * Ack Point, then drop the SACK. Since Cumulative TSN 2880 * Ack is monotonically increasing, a SACK whose 2881 * Cumulative TSN Ack is less than the Cumulative TSN Ack 2882 * Point indicates an out-of-order SACK. 2883 */ 2884 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2885 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2886 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2887 return SCTP_DISPOSITION_DISCARD; 2888 } 2889 2890 /* Return this SACK for further processing. */ 2891 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 2892 2893 /* Note: We do the rest of the work on the PROCESS_SACK 2894 * sideeffect. 2895 */ 2896 return SCTP_DISPOSITION_CONSUME; 2897 } 2898 2899 /* 2900 * Generate an ABORT in response to a packet. 2901 * 2902 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 2903 * 2904 * 8) The receiver should respond to the sender of the OOTB packet with 2905 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 2906 * MUST fill in the Verification Tag field of the outbound packet 2907 * with the value found in the Verification Tag field of the OOTB 2908 * packet and set the T-bit in the Chunk Flags to indicate that the 2909 * Verification Tag is reflected. After sending this ABORT, the 2910 * receiver of the OOTB packet shall discard the OOTB packet and take 2911 * no further action. 2912 * 2913 * Verification Tag: 2914 * 2915 * The return value is the disposition of the chunk. 2916 */ 2917 sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 2918 const struct sctp_association *asoc, 2919 const sctp_subtype_t type, 2920 void *arg, 2921 sctp_cmd_seq_t *commands) 2922 { 2923 struct sctp_packet *packet = NULL; 2924 struct sctp_chunk *chunk = arg; 2925 struct sctp_chunk *abort; 2926 2927 packet = sctp_ootb_pkt_new(asoc, chunk); 2928 2929 if (packet) { 2930 /* Make an ABORT. The T bit will be set if the asoc 2931 * is NULL. 2932 */ 2933 abort = sctp_make_abort(asoc, chunk, 0); 2934 if (!abort) { 2935 sctp_ootb_pkt_free(packet); 2936 return SCTP_DISPOSITION_NOMEM; 2937 } 2938 2939 /* Reflect vtag if T-Bit is set */ 2940 if (sctp_test_T_bit(abort)) 2941 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 2942 2943 /* Set the skb to the belonging sock for accounting. */ 2944 abort->skb->sk = ep->base.sk; 2945 2946 sctp_packet_append_chunk(packet, abort); 2947 2948 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 2949 SCTP_PACKET(packet)); 2950 2951 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 2952 2953 return SCTP_DISPOSITION_CONSUME; 2954 } 2955 2956 return SCTP_DISPOSITION_NOMEM; 2957 } 2958 2959 /* 2960 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 2961 * event as ULP notification for each cause included in the chunk. 2962 * 2963 * API 5.3.1.3 - SCTP_REMOTE_ERROR 2964 * 2965 * The return value is the disposition of the chunk. 2966 */ 2967 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 2968 const struct sctp_association *asoc, 2969 const sctp_subtype_t type, 2970 void *arg, 2971 sctp_cmd_seq_t *commands) 2972 { 2973 struct sctp_chunk *chunk = arg; 2974 struct sctp_ulpevent *ev; 2975 2976 if (!sctp_vtag_verify(chunk, asoc)) 2977 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2978 2979 /* Make sure that the ERROR chunk has a valid length. */ 2980 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2981 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2982 commands); 2983 2984 while (chunk->chunk_end > chunk->skb->data) { 2985 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 2986 GFP_ATOMIC); 2987 if (!ev) 2988 goto nomem; 2989 2990 if (!sctp_add_cmd(commands, SCTP_CMD_EVENT_ULP, 2991 SCTP_ULPEVENT(ev))) { 2992 sctp_ulpevent_free(ev); 2993 goto nomem; 2994 } 2995 2996 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 2997 SCTP_CHUNK(chunk)); 2998 } 2999 return SCTP_DISPOSITION_CONSUME; 3000 3001 nomem: 3002 return SCTP_DISPOSITION_NOMEM; 3003 } 3004 3005 /* 3006 * Process an inbound SHUTDOWN ACK. 3007 * 3008 * From Section 9.2: 3009 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3010 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3011 * peer, and remove all record of the association. 3012 * 3013 * The return value is the disposition. 3014 */ 3015 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3016 const struct sctp_association *asoc, 3017 const sctp_subtype_t type, 3018 void *arg, 3019 sctp_cmd_seq_t *commands) 3020 { 3021 struct sctp_chunk *chunk = arg; 3022 struct sctp_chunk *reply; 3023 struct sctp_ulpevent *ev; 3024 3025 if (!sctp_vtag_verify(chunk, asoc)) 3026 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3027 3028 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3029 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3030 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3031 commands); 3032 /* 10.2 H) SHUTDOWN COMPLETE notification 3033 * 3034 * When SCTP completes the shutdown procedures (section 9.2) this 3035 * notification is passed to the upper layer. 3036 */ 3037 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3038 0, 0, 0, GFP_ATOMIC); 3039 if (!ev) 3040 goto nomem; 3041 3042 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3043 reply = sctp_make_shutdown_complete(asoc, chunk); 3044 if (!reply) 3045 goto nomem_chunk; 3046 3047 /* Do all the commands now (after allocation), so that we 3048 * have consistent state if memory allocation failes 3049 */ 3050 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3051 3052 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3053 * stop the T2-shutdown timer, 3054 */ 3055 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3056 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3057 3058 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3059 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3060 3061 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3062 SCTP_STATE(SCTP_STATE_CLOSED)); 3063 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3064 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3065 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3066 3067 /* ...and remove all record of the association. */ 3068 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3069 return SCTP_DISPOSITION_DELETE_TCB; 3070 3071 nomem_chunk: 3072 sctp_ulpevent_free(ev); 3073 nomem: 3074 return SCTP_DISPOSITION_NOMEM; 3075 } 3076 3077 /* 3078 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3079 * 3080 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3081 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3082 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3083 * packet must fill in the Verification Tag field of the outbound 3084 * packet with the Verification Tag received in the SHUTDOWN ACK and 3085 * set the T-bit in the Chunk Flags to indicate that the Verification 3086 * Tag is reflected. 3087 * 3088 * 8) The receiver should respond to the sender of the OOTB packet with 3089 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3090 * MUST fill in the Verification Tag field of the outbound packet 3091 * with the value found in the Verification Tag field of the OOTB 3092 * packet and set the T-bit in the Chunk Flags to indicate that the 3093 * Verification Tag is reflected. After sending this ABORT, the 3094 * receiver of the OOTB packet shall discard the OOTB packet and take 3095 * no further action. 3096 */ 3097 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3098 const struct sctp_association *asoc, 3099 const sctp_subtype_t type, 3100 void *arg, 3101 sctp_cmd_seq_t *commands) 3102 { 3103 struct sctp_chunk *chunk = arg; 3104 struct sk_buff *skb = chunk->skb; 3105 sctp_chunkhdr_t *ch; 3106 __u8 *ch_end; 3107 int ootb_shut_ack = 0; 3108 3109 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3110 3111 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3112 do { 3113 /* Break out if chunk length is less then minimal. */ 3114 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3115 break; 3116 3117 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3118 if (ch_end > skb->tail) 3119 break; 3120 3121 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3122 ootb_shut_ack = 1; 3123 3124 /* RFC 2960, Section 3.3.7 3125 * Moreover, under any circumstances, an endpoint that 3126 * receives an ABORT MUST NOT respond to that ABORT by 3127 * sending an ABORT of its own. 3128 */ 3129 if (SCTP_CID_ABORT == ch->type) 3130 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3131 3132 ch = (sctp_chunkhdr_t *) ch_end; 3133 } while (ch_end < skb->tail); 3134 3135 if (ootb_shut_ack) 3136 sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3137 else 3138 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3139 3140 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3141 } 3142 3143 /* 3144 * Handle an "Out of the blue" SHUTDOWN ACK. 3145 * 3146 * Section: 8.4 5, sctpimpguide 2.41. 3147 * 3148 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3149 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3150 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3151 * packet must fill in the Verification Tag field of the outbound 3152 * packet with the Verification Tag received in the SHUTDOWN ACK and 3153 * set the T-bit in the Chunk Flags to indicate that the Verification 3154 * Tag is reflected. 3155 * 3156 * Inputs 3157 * (endpoint, asoc, type, arg, commands) 3158 * 3159 * Outputs 3160 * (sctp_disposition_t) 3161 * 3162 * The return value is the disposition of the chunk. 3163 */ 3164 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3165 const struct sctp_association *asoc, 3166 const sctp_subtype_t type, 3167 void *arg, 3168 sctp_cmd_seq_t *commands) 3169 { 3170 struct sctp_packet *packet = NULL; 3171 struct sctp_chunk *chunk = arg; 3172 struct sctp_chunk *shut; 3173 3174 packet = sctp_ootb_pkt_new(asoc, chunk); 3175 3176 if (packet) { 3177 /* Make an SHUTDOWN_COMPLETE. 3178 * The T bit will be set if the asoc is NULL. 3179 */ 3180 shut = sctp_make_shutdown_complete(asoc, chunk); 3181 if (!shut) { 3182 sctp_ootb_pkt_free(packet); 3183 return SCTP_DISPOSITION_NOMEM; 3184 } 3185 3186 /* Reflect vtag if T-Bit is set */ 3187 if (sctp_test_T_bit(shut)) 3188 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3189 3190 /* Set the skb to the belonging sock for accounting. */ 3191 shut->skb->sk = ep->base.sk; 3192 3193 sctp_packet_append_chunk(packet, shut); 3194 3195 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3196 SCTP_PACKET(packet)); 3197 3198 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3199 3200 /* If the chunk length is invalid, we don't want to process 3201 * the reset of the packet. 3202 */ 3203 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3204 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3205 3206 return SCTP_DISPOSITION_CONSUME; 3207 } 3208 3209 return SCTP_DISPOSITION_NOMEM; 3210 } 3211 3212 /* 3213 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3214 * 3215 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3216 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3217 * procedures in section 8.4 SHOULD be followed, in other words it 3218 * should be treated as an Out Of The Blue packet. 3219 * [This means that we do NOT check the Verification Tag on these 3220 * chunks. --piggy ] 3221 * 3222 */ 3223 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3224 const struct sctp_association *asoc, 3225 const sctp_subtype_t type, 3226 void *arg, 3227 sctp_cmd_seq_t *commands) 3228 { 3229 /* Although we do have an association in this case, it corresponds 3230 * to a restarted association. So the packet is treated as an OOTB 3231 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3232 * called with a NULL association. 3233 */ 3234 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3235 } 3236 3237 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3238 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3239 const struct sctp_association *asoc, 3240 const sctp_subtype_t type, void *arg, 3241 sctp_cmd_seq_t *commands) 3242 { 3243 struct sctp_chunk *chunk = arg; 3244 struct sctp_chunk *asconf_ack = NULL; 3245 sctp_addiphdr_t *hdr; 3246 __u32 serial; 3247 3248 if (!sctp_vtag_verify(chunk, asoc)) { 3249 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3250 SCTP_NULL()); 3251 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3252 } 3253 3254 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3255 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3256 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3257 commands); 3258 3259 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3260 serial = ntohl(hdr->serial); 3261 3262 /* ADDIP 4.2 C1) Compare the value of the serial number to the value 3263 * the endpoint stored in a new association variable 3264 * 'Peer-Serial-Number'. 3265 */ 3266 if (serial == asoc->peer.addip_serial + 1) { 3267 /* ADDIP 4.2 C2) If the value found in the serial number is 3268 * equal to the ('Peer-Serial-Number' + 1), the endpoint MUST 3269 * do V1-V5. 3270 */ 3271 asconf_ack = sctp_process_asconf((struct sctp_association *) 3272 asoc, chunk); 3273 if (!asconf_ack) 3274 return SCTP_DISPOSITION_NOMEM; 3275 } else if (serial == asoc->peer.addip_serial) { 3276 /* ADDIP 4.2 C3) If the value found in the serial number is 3277 * equal to the value stored in the 'Peer-Serial-Number' 3278 * IMPLEMENTATION NOTE: As an optimization a receiver may wish 3279 * to save the last ASCONF-ACK for some predetermined period of 3280 * time and instead of re-processing the ASCONF (with the same 3281 * serial number) it may just re-transmit the ASCONF-ACK. 3282 */ 3283 if (asoc->addip_last_asconf_ack) 3284 asconf_ack = asoc->addip_last_asconf_ack; 3285 else 3286 return SCTP_DISPOSITION_DISCARD; 3287 } else { 3288 /* ADDIP 4.2 C4) Otherwise, the ASCONF Chunk is discarded since 3289 * it must be either a stale packet or from an attacker. 3290 */ 3291 return SCTP_DISPOSITION_DISCARD; 3292 } 3293 3294 /* ADDIP 4.2 C5) In both cases C2 and C3 the ASCONF-ACK MUST be sent 3295 * back to the source address contained in the IP header of the ASCONF 3296 * being responded to. 3297 */ 3298 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3299 3300 return SCTP_DISPOSITION_CONSUME; 3301 } 3302 3303 /* 3304 * ADDIP Section 4.3 General rules for address manipulation 3305 * When building TLV parameters for the ASCONF Chunk that will add or 3306 * delete IP addresses the D0 to D13 rules should be applied: 3307 */ 3308 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3309 const struct sctp_association *asoc, 3310 const sctp_subtype_t type, void *arg, 3311 sctp_cmd_seq_t *commands) 3312 { 3313 struct sctp_chunk *asconf_ack = arg; 3314 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3315 struct sctp_chunk *abort; 3316 sctp_addiphdr_t *addip_hdr; 3317 __u32 sent_serial, rcvd_serial; 3318 3319 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3320 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3321 SCTP_NULL()); 3322 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3323 } 3324 3325 /* Make sure that the ADDIP chunk has a valid length. */ 3326 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3327 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3328 commands); 3329 3330 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3331 rcvd_serial = ntohl(addip_hdr->serial); 3332 3333 if (last_asconf) { 3334 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3335 sent_serial = ntohl(addip_hdr->serial); 3336 } else { 3337 sent_serial = asoc->addip_serial - 1; 3338 } 3339 3340 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3341 * equal to the next serial number to be used but no ASCONF chunk is 3342 * outstanding the endpoint MUST ABORT the association. Note that a 3343 * sequence number is greater than if it is no more than 2^^31-1 3344 * larger than the current sequence number (using serial arithmetic). 3345 */ 3346 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3347 !(asoc->addip_last_asconf)) { 3348 abort = sctp_make_abort(asoc, asconf_ack, 3349 sizeof(sctp_errhdr_t)); 3350 if (abort) { 3351 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, NULL, 0); 3352 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3353 SCTP_CHUNK(abort)); 3354 } 3355 /* We are going to ABORT, so we might as well stop 3356 * processing the rest of the chunks in the packet. 3357 */ 3358 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3359 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3360 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3361 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3362 SCTP_ERROR(ECONNABORTED)); 3363 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3364 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3365 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3366 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3367 return SCTP_DISPOSITION_ABORT; 3368 } 3369 3370 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3371 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3372 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3373 3374 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3375 asconf_ack)) 3376 return SCTP_DISPOSITION_CONSUME; 3377 3378 abort = sctp_make_abort(asoc, asconf_ack, 3379 sizeof(sctp_errhdr_t)); 3380 if (abort) { 3381 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, NULL, 0); 3382 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3383 SCTP_CHUNK(abort)); 3384 } 3385 /* We are going to ABORT, so we might as well stop 3386 * processing the rest of the chunks in the packet. 3387 */ 3388 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3389 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3390 SCTP_ERROR(ECONNABORTED)); 3391 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3392 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3393 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3394 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3395 return SCTP_DISPOSITION_ABORT; 3396 } 3397 3398 return SCTP_DISPOSITION_DISCARD; 3399 } 3400 3401 /* 3402 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3403 * 3404 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3405 * its cumulative TSN point to the value carried in the FORWARD TSN 3406 * chunk, and then MUST further advance its cumulative TSN point locally 3407 * if possible. 3408 * After the above processing, the data receiver MUST stop reporting any 3409 * missing TSNs earlier than or equal to the new cumulative TSN point. 3410 * 3411 * Verification Tag: 8.5 Verification Tag [Normal verification] 3412 * 3413 * The return value is the disposition of the chunk. 3414 */ 3415 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3416 const struct sctp_association *asoc, 3417 const sctp_subtype_t type, 3418 void *arg, 3419 sctp_cmd_seq_t *commands) 3420 { 3421 struct sctp_chunk *chunk = arg; 3422 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3423 __u16 len; 3424 __u32 tsn; 3425 3426 if (!sctp_vtag_verify(chunk, asoc)) { 3427 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3428 SCTP_NULL()); 3429 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3430 } 3431 3432 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3433 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3434 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3435 commands); 3436 3437 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3438 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3439 len = ntohs(chunk->chunk_hdr->length); 3440 len -= sizeof(struct sctp_chunkhdr); 3441 skb_pull(chunk->skb, len); 3442 3443 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3444 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3445 3446 /* The TSN is too high--silently discard the chunk and count on it 3447 * getting retransmitted later. 3448 */ 3449 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3450 goto discard_noforce; 3451 3452 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3453 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3454 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3455 SCTP_CHUNK(chunk)); 3456 3457 /* Count this as receiving DATA. */ 3458 if (asoc->autoclose) { 3459 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3460 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3461 } 3462 3463 /* FIXME: For now send a SACK, but DATA processing may 3464 * send another. 3465 */ 3466 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3467 3468 return SCTP_DISPOSITION_CONSUME; 3469 3470 discard_noforce: 3471 return SCTP_DISPOSITION_DISCARD; 3472 } 3473 3474 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3475 const struct sctp_endpoint *ep, 3476 const struct sctp_association *asoc, 3477 const sctp_subtype_t type, 3478 void *arg, 3479 sctp_cmd_seq_t *commands) 3480 { 3481 struct sctp_chunk *chunk = arg; 3482 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3483 __u16 len; 3484 __u32 tsn; 3485 3486 if (!sctp_vtag_verify(chunk, asoc)) { 3487 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3488 SCTP_NULL()); 3489 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3490 } 3491 3492 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3493 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3494 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3495 commands); 3496 3497 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3498 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3499 len = ntohs(chunk->chunk_hdr->length); 3500 len -= sizeof(struct sctp_chunkhdr); 3501 skb_pull(chunk->skb, len); 3502 3503 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3504 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3505 3506 /* The TSN is too high--silently discard the chunk and count on it 3507 * getting retransmitted later. 3508 */ 3509 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3510 goto gen_shutdown; 3511 3512 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3513 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3514 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3515 SCTP_CHUNK(chunk)); 3516 3517 /* Go a head and force a SACK, since we are shutting down. */ 3518 gen_shutdown: 3519 /* Implementor's Guide. 3520 * 3521 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3522 * respond to each received packet containing one or more DATA chunk(s) 3523 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3524 */ 3525 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3526 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3527 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3528 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3529 3530 return SCTP_DISPOSITION_CONSUME; 3531 } 3532 3533 /* 3534 * Process an unknown chunk. 3535 * 3536 * Section: 3.2. Also, 2.1 in the implementor's guide. 3537 * 3538 * Chunk Types are encoded such that the highest-order two bits specify 3539 * the action that must be taken if the processing endpoint does not 3540 * recognize the Chunk Type. 3541 * 3542 * 00 - Stop processing this SCTP packet and discard it, do not process 3543 * any further chunks within it. 3544 * 3545 * 01 - Stop processing this SCTP packet and discard it, do not process 3546 * any further chunks within it, and report the unrecognized 3547 * chunk in an 'Unrecognized Chunk Type'. 3548 * 3549 * 10 - Skip this chunk and continue processing. 3550 * 3551 * 11 - Skip this chunk and continue processing, but report in an ERROR 3552 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3553 * 3554 * The return value is the disposition of the chunk. 3555 */ 3556 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3557 const struct sctp_association *asoc, 3558 const sctp_subtype_t type, 3559 void *arg, 3560 sctp_cmd_seq_t *commands) 3561 { 3562 struct sctp_chunk *unk_chunk = arg; 3563 struct sctp_chunk *err_chunk; 3564 sctp_chunkhdr_t *hdr; 3565 3566 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3567 3568 if (!sctp_vtag_verify(unk_chunk, asoc)) 3569 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3570 3571 /* Make sure that the chunk has a valid length. 3572 * Since we don't know the chunk type, we use a general 3573 * chunkhdr structure to make a comparison. 3574 */ 3575 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3576 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3577 commands); 3578 3579 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3580 case SCTP_CID_ACTION_DISCARD: 3581 /* Discard the packet. */ 3582 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3583 break; 3584 case SCTP_CID_ACTION_DISCARD_ERR: 3585 /* Discard the packet. */ 3586 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3587 3588 /* Generate an ERROR chunk as response. */ 3589 hdr = unk_chunk->chunk_hdr; 3590 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3591 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3592 WORD_ROUND(ntohs(hdr->length))); 3593 if (err_chunk) { 3594 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3595 SCTP_CHUNK(err_chunk)); 3596 } 3597 return SCTP_DISPOSITION_CONSUME; 3598 break; 3599 case SCTP_CID_ACTION_SKIP: 3600 /* Skip the chunk. */ 3601 return SCTP_DISPOSITION_DISCARD; 3602 break; 3603 case SCTP_CID_ACTION_SKIP_ERR: 3604 /* Generate an ERROR chunk as response. */ 3605 hdr = unk_chunk->chunk_hdr; 3606 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3607 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3608 WORD_ROUND(ntohs(hdr->length))); 3609 if (err_chunk) { 3610 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3611 SCTP_CHUNK(err_chunk)); 3612 } 3613 /* Skip the chunk. */ 3614 return SCTP_DISPOSITION_CONSUME; 3615 break; 3616 default: 3617 break; 3618 } 3619 3620 return SCTP_DISPOSITION_DISCARD; 3621 } 3622 3623 /* 3624 * Discard the chunk. 3625 * 3626 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 3627 * [Too numerous to mention...] 3628 * Verification Tag: No verification needed. 3629 * Inputs 3630 * (endpoint, asoc, chunk) 3631 * 3632 * Outputs 3633 * (asoc, reply_msg, msg_up, timers, counters) 3634 * 3635 * The return value is the disposition of the chunk. 3636 */ 3637 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 3638 const struct sctp_association *asoc, 3639 const sctp_subtype_t type, 3640 void *arg, 3641 sctp_cmd_seq_t *commands) 3642 { 3643 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 3644 return SCTP_DISPOSITION_DISCARD; 3645 } 3646 3647 /* 3648 * Discard the whole packet. 3649 * 3650 * Section: 8.4 2) 3651 * 3652 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 3653 * silently discard the OOTB packet and take no further action. 3654 * 3655 * Verification Tag: No verification necessary 3656 * 3657 * Inputs 3658 * (endpoint, asoc, chunk) 3659 * 3660 * Outputs 3661 * (asoc, reply_msg, msg_up, timers, counters) 3662 * 3663 * The return value is the disposition of the chunk. 3664 */ 3665 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 3666 const struct sctp_association *asoc, 3667 const sctp_subtype_t type, 3668 void *arg, 3669 sctp_cmd_seq_t *commands) 3670 { 3671 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 3672 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3673 3674 return SCTP_DISPOSITION_CONSUME; 3675 } 3676 3677 3678 /* 3679 * The other end is violating protocol. 3680 * 3681 * Section: Not specified 3682 * Verification Tag: Not specified 3683 * Inputs 3684 * (endpoint, asoc, chunk) 3685 * 3686 * Outputs 3687 * (asoc, reply_msg, msg_up, timers, counters) 3688 * 3689 * We simply tag the chunk as a violation. The state machine will log 3690 * the violation and continue. 3691 */ 3692 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 3693 const struct sctp_association *asoc, 3694 const sctp_subtype_t type, 3695 void *arg, 3696 sctp_cmd_seq_t *commands) 3697 { 3698 return SCTP_DISPOSITION_VIOLATION; 3699 } 3700 3701 3702 /* 3703 * Handle a protocol violation when the chunk length is invalid. 3704 * "Invalid" length is identified as smaller then the minimal length a 3705 * given chunk can be. For example, a SACK chunk has invalid length 3706 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 3707 * 3708 * We inform the other end by sending an ABORT with a Protocol Violation 3709 * error code. 3710 * 3711 * Section: Not specified 3712 * Verification Tag: Nothing to do 3713 * Inputs 3714 * (endpoint, asoc, chunk) 3715 * 3716 * Outputs 3717 * (reply_msg, msg_up, counters) 3718 * 3719 * Generate an ABORT chunk and terminate the association. 3720 */ 3721 static sctp_disposition_t sctp_sf_violation_chunklen( 3722 const struct sctp_endpoint *ep, 3723 const struct sctp_association *asoc, 3724 const sctp_subtype_t type, 3725 void *arg, 3726 sctp_cmd_seq_t *commands) 3727 { 3728 struct sctp_chunk *chunk = arg; 3729 struct sctp_chunk *abort = NULL; 3730 char err_str[]="The following chunk had invalid length:"; 3731 3732 /* Make the abort chunk. */ 3733 abort = sctp_make_abort_violation(asoc, chunk, err_str, 3734 sizeof(err_str)); 3735 if (!abort) 3736 goto nomem; 3737 3738 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 3739 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3740 3741 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 3742 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3743 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3744 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3745 SCTP_ERROR(ECONNREFUSED)); 3746 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 3747 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 3748 } else { 3749 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3750 SCTP_ERROR(ECONNABORTED)); 3751 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3752 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 3753 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3754 } 3755 3756 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3757 3758 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3759 3760 return SCTP_DISPOSITION_ABORT; 3761 3762 nomem: 3763 return SCTP_DISPOSITION_NOMEM; 3764 } 3765 3766 /*************************************************************************** 3767 * These are the state functions for handling primitive (Section 10) events. 3768 ***************************************************************************/ 3769 /* 3770 * sctp_sf_do_prm_asoc 3771 * 3772 * Section: 10.1 ULP-to-SCTP 3773 * B) Associate 3774 * 3775 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 3776 * outbound stream count) 3777 * -> association id [,destination transport addr list] [,outbound stream 3778 * count] 3779 * 3780 * This primitive allows the upper layer to initiate an association to a 3781 * specific peer endpoint. 3782 * 3783 * The peer endpoint shall be specified by one of the transport addresses 3784 * which defines the endpoint (see Section 1.4). If the local SCTP 3785 * instance has not been initialized, the ASSOCIATE is considered an 3786 * error. 3787 * [This is not relevant for the kernel implementation since we do all 3788 * initialization at boot time. It we hadn't initialized we wouldn't 3789 * get anywhere near this code.] 3790 * 3791 * An association id, which is a local handle to the SCTP association, 3792 * will be returned on successful establishment of the association. If 3793 * SCTP is not able to open an SCTP association with the peer endpoint, 3794 * an error is returned. 3795 * [In the kernel implementation, the struct sctp_association needs to 3796 * be created BEFORE causing this primitive to run.] 3797 * 3798 * Other association parameters may be returned, including the 3799 * complete destination transport addresses of the peer as well as the 3800 * outbound stream count of the local endpoint. One of the transport 3801 * address from the returned destination addresses will be selected by 3802 * the local endpoint as default primary path for sending SCTP packets 3803 * to this peer. The returned "destination transport addr list" can 3804 * be used by the ULP to change the default primary path or to force 3805 * sending a packet to a specific transport address. [All of this 3806 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 3807 * function.] 3808 * 3809 * Mandatory attributes: 3810 * 3811 * o local SCTP instance name - obtained from the INITIALIZE operation. 3812 * [This is the argument asoc.] 3813 * o destination transport addr - specified as one of the transport 3814 * addresses of the peer endpoint with which the association is to be 3815 * established. 3816 * [This is asoc->peer.active_path.] 3817 * o outbound stream count - the number of outbound streams the ULP 3818 * would like to open towards this peer endpoint. 3819 * [BUG: This is not currently implemented.] 3820 * Optional attributes: 3821 * 3822 * None. 3823 * 3824 * The return value is a disposition. 3825 */ 3826 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 3827 const struct sctp_association *asoc, 3828 const sctp_subtype_t type, 3829 void *arg, 3830 sctp_cmd_seq_t *commands) 3831 { 3832 struct sctp_chunk *repl; 3833 3834 /* The comment below says that we enter COOKIE-WAIT AFTER 3835 * sending the INIT, but that doesn't actually work in our 3836 * implementation... 3837 */ 3838 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3839 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 3840 3841 /* RFC 2960 5.1 Normal Establishment of an Association 3842 * 3843 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 3844 * must provide its Verification Tag (Tag_A) in the Initiate 3845 * Tag field. Tag_A SHOULD be a random number in the range of 3846 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 3847 */ 3848 3849 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 3850 if (!repl) 3851 goto nomem; 3852 3853 /* Cast away the const modifier, as we want to just 3854 * rerun it through as a sideffect. 3855 */ 3856 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, 3857 SCTP_ASOC((struct sctp_association *) asoc)); 3858 3859 /* Choose transport for INIT. */ 3860 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 3861 SCTP_CHUNK(repl)); 3862 3863 /* After sending the INIT, "A" starts the T1-init timer and 3864 * enters the COOKIE-WAIT state. 3865 */ 3866 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3867 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3868 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 3869 return SCTP_DISPOSITION_CONSUME; 3870 3871 nomem: 3872 return SCTP_DISPOSITION_NOMEM; 3873 } 3874 3875 /* 3876 * Process the SEND primitive. 3877 * 3878 * Section: 10.1 ULP-to-SCTP 3879 * E) Send 3880 * 3881 * Format: SEND(association id, buffer address, byte count [,context] 3882 * [,stream id] [,life time] [,destination transport address] 3883 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 3884 * -> result 3885 * 3886 * This is the main method to send user data via SCTP. 3887 * 3888 * Mandatory attributes: 3889 * 3890 * o association id - local handle to the SCTP association 3891 * 3892 * o buffer address - the location where the user message to be 3893 * transmitted is stored; 3894 * 3895 * o byte count - The size of the user data in number of bytes; 3896 * 3897 * Optional attributes: 3898 * 3899 * o context - an optional 32 bit integer that will be carried in the 3900 * sending failure notification to the ULP if the transportation of 3901 * this User Message fails. 3902 * 3903 * o stream id - to indicate which stream to send the data on. If not 3904 * specified, stream 0 will be used. 3905 * 3906 * o life time - specifies the life time of the user data. The user data 3907 * will not be sent by SCTP after the life time expires. This 3908 * parameter can be used to avoid efforts to transmit stale 3909 * user messages. SCTP notifies the ULP if the data cannot be 3910 * initiated to transport (i.e. sent to the destination via SCTP's 3911 * send primitive) within the life time variable. However, the 3912 * user data will be transmitted if SCTP has attempted to transmit a 3913 * chunk before the life time expired. 3914 * 3915 * o destination transport address - specified as one of the destination 3916 * transport addresses of the peer endpoint to which this packet 3917 * should be sent. Whenever possible, SCTP should use this destination 3918 * transport address for sending the packets, instead of the current 3919 * primary path. 3920 * 3921 * o unorder flag - this flag, if present, indicates that the user 3922 * would like the data delivered in an unordered fashion to the peer 3923 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 3924 * message). 3925 * 3926 * o no-bundle flag - instructs SCTP not to bundle this user data with 3927 * other outbound DATA chunks. SCTP MAY still bundle even when 3928 * this flag is present, when faced with network congestion. 3929 * 3930 * o payload protocol-id - A 32 bit unsigned integer that is to be 3931 * passed to the peer indicating the type of payload protocol data 3932 * being transmitted. This value is passed as opaque data by SCTP. 3933 * 3934 * The return value is the disposition. 3935 */ 3936 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 3937 const struct sctp_association *asoc, 3938 const sctp_subtype_t type, 3939 void *arg, 3940 sctp_cmd_seq_t *commands) 3941 { 3942 struct sctp_chunk *chunk = arg; 3943 3944 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 3945 return SCTP_DISPOSITION_CONSUME; 3946 } 3947 3948 /* 3949 * Process the SHUTDOWN primitive. 3950 * 3951 * Section: 10.1: 3952 * C) Shutdown 3953 * 3954 * Format: SHUTDOWN(association id) 3955 * -> result 3956 * 3957 * Gracefully closes an association. Any locally queued user data 3958 * will be delivered to the peer. The association will be terminated only 3959 * after the peer acknowledges all the SCTP packets sent. A success code 3960 * will be returned on successful termination of the association. If 3961 * attempting to terminate the association results in a failure, an error 3962 * code shall be returned. 3963 * 3964 * Mandatory attributes: 3965 * 3966 * o association id - local handle to the SCTP association 3967 * 3968 * Optional attributes: 3969 * 3970 * None. 3971 * 3972 * The return value is the disposition. 3973 */ 3974 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 3975 const struct sctp_endpoint *ep, 3976 const struct sctp_association *asoc, 3977 const sctp_subtype_t type, 3978 void *arg, 3979 sctp_cmd_seq_t *commands) 3980 { 3981 int disposition; 3982 3983 /* From 9.2 Shutdown of an Association 3984 * Upon receipt of the SHUTDOWN primitive from its upper 3985 * layer, the endpoint enters SHUTDOWN-PENDING state and 3986 * remains there until all outstanding data has been 3987 * acknowledged by its peer. The endpoint accepts no new data 3988 * from its upper layer, but retransmits data to the far end 3989 * if necessary to fill gaps. 3990 */ 3991 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3992 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 3993 3994 /* sctpimpguide-05 Section 2.12.2 3995 * The sender of the SHUTDOWN MAY also start an overall guard timer 3996 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 3997 */ 3998 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3999 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4000 4001 disposition = SCTP_DISPOSITION_CONSUME; 4002 if (sctp_outq_is_empty(&asoc->outqueue)) { 4003 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4004 arg, commands); 4005 } 4006 return disposition; 4007 } 4008 4009 /* 4010 * Process the ABORT primitive. 4011 * 4012 * Section: 10.1: 4013 * C) Abort 4014 * 4015 * Format: Abort(association id [, cause code]) 4016 * -> result 4017 * 4018 * Ungracefully closes an association. Any locally queued user data 4019 * will be discarded and an ABORT chunk is sent to the peer. A success code 4020 * will be returned on successful abortion of the association. If 4021 * attempting to abort the association results in a failure, an error 4022 * code shall be returned. 4023 * 4024 * Mandatory attributes: 4025 * 4026 * o association id - local handle to the SCTP association 4027 * 4028 * Optional attributes: 4029 * 4030 * o cause code - reason of the abort to be passed to the peer 4031 * 4032 * None. 4033 * 4034 * The return value is the disposition. 4035 */ 4036 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4037 const struct sctp_endpoint *ep, 4038 const struct sctp_association *asoc, 4039 const sctp_subtype_t type, 4040 void *arg, 4041 sctp_cmd_seq_t *commands) 4042 { 4043 /* From 9.1 Abort of an Association 4044 * Upon receipt of the ABORT primitive from its upper 4045 * layer, the endpoint enters CLOSED state and 4046 * discard all outstanding data has been 4047 * acknowledged by its peer. The endpoint accepts no new data 4048 * from its upper layer, but retransmits data to the far end 4049 * if necessary to fill gaps. 4050 */ 4051 struct sctp_chunk *abort = arg; 4052 sctp_disposition_t retval; 4053 4054 retval = SCTP_DISPOSITION_CONSUME; 4055 4056 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4057 4058 /* Even if we can't send the ABORT due to low memory delete the 4059 * TCB. This is a departure from our typical NOMEM handling. 4060 */ 4061 4062 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4063 SCTP_ERROR(ECONNABORTED)); 4064 /* Delete the established association. */ 4065 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4066 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4067 4068 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4069 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4070 4071 return retval; 4072 } 4073 4074 /* We tried an illegal operation on an association which is closed. */ 4075 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4076 const struct sctp_association *asoc, 4077 const sctp_subtype_t type, 4078 void *arg, 4079 sctp_cmd_seq_t *commands) 4080 { 4081 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4082 return SCTP_DISPOSITION_CONSUME; 4083 } 4084 4085 /* We tried an illegal operation on an association which is shutting 4086 * down. 4087 */ 4088 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4089 const struct sctp_association *asoc, 4090 const sctp_subtype_t type, 4091 void *arg, 4092 sctp_cmd_seq_t *commands) 4093 { 4094 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4095 SCTP_ERROR(-ESHUTDOWN)); 4096 return SCTP_DISPOSITION_CONSUME; 4097 } 4098 4099 /* 4100 * sctp_cookie_wait_prm_shutdown 4101 * 4102 * Section: 4 Note: 2 4103 * Verification Tag: 4104 * Inputs 4105 * (endpoint, asoc) 4106 * 4107 * The RFC does not explicitly address this issue, but is the route through the 4108 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4109 * 4110 * Outputs 4111 * (timers) 4112 */ 4113 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4114 const struct sctp_endpoint *ep, 4115 const struct sctp_association *asoc, 4116 const sctp_subtype_t type, 4117 void *arg, 4118 sctp_cmd_seq_t *commands) 4119 { 4120 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4121 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4122 4123 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4124 SCTP_STATE(SCTP_STATE_CLOSED)); 4125 4126 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4127 4128 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4129 4130 return SCTP_DISPOSITION_DELETE_TCB; 4131 } 4132 4133 /* 4134 * sctp_cookie_echoed_prm_shutdown 4135 * 4136 * Section: 4 Note: 2 4137 * Verification Tag: 4138 * Inputs 4139 * (endpoint, asoc) 4140 * 4141 * The RFC does not explcitly address this issue, but is the route through the 4142 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4143 * 4144 * Outputs 4145 * (timers) 4146 */ 4147 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4148 const struct sctp_endpoint *ep, 4149 const struct sctp_association *asoc, 4150 const sctp_subtype_t type, 4151 void *arg, sctp_cmd_seq_t *commands) 4152 { 4153 /* There is a single T1 timer, so we should be able to use 4154 * common function with the COOKIE-WAIT state. 4155 */ 4156 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4157 } 4158 4159 /* 4160 * sctp_sf_cookie_wait_prm_abort 4161 * 4162 * Section: 4 Note: 2 4163 * Verification Tag: 4164 * Inputs 4165 * (endpoint, asoc) 4166 * 4167 * The RFC does not explicitly address this issue, but is the route through the 4168 * state table when someone issues an abort while in COOKIE_WAIT state. 4169 * 4170 * Outputs 4171 * (timers) 4172 */ 4173 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4174 const struct sctp_endpoint *ep, 4175 const struct sctp_association *asoc, 4176 const sctp_subtype_t type, 4177 void *arg, 4178 sctp_cmd_seq_t *commands) 4179 { 4180 struct sctp_chunk *abort = arg; 4181 sctp_disposition_t retval; 4182 4183 /* Stop T1-init timer */ 4184 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4185 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4186 retval = SCTP_DISPOSITION_CONSUME; 4187 4188 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4189 4190 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4191 SCTP_STATE(SCTP_STATE_CLOSED)); 4192 4193 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4194 4195 /* Even if we can't send the ABORT due to low memory delete the 4196 * TCB. This is a departure from our typical NOMEM handling. 4197 */ 4198 4199 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4200 SCTP_ERROR(ECONNREFUSED)); 4201 /* Delete the established association. */ 4202 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4203 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4204 4205 return retval; 4206 } 4207 4208 /* 4209 * sctp_sf_cookie_echoed_prm_abort 4210 * 4211 * Section: 4 Note: 3 4212 * Verification Tag: 4213 * Inputs 4214 * (endpoint, asoc) 4215 * 4216 * The RFC does not explcitly address this issue, but is the route through the 4217 * state table when someone issues an abort while in COOKIE_ECHOED state. 4218 * 4219 * Outputs 4220 * (timers) 4221 */ 4222 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4223 const struct sctp_endpoint *ep, 4224 const struct sctp_association *asoc, 4225 const sctp_subtype_t type, 4226 void *arg, 4227 sctp_cmd_seq_t *commands) 4228 { 4229 /* There is a single T1 timer, so we should be able to use 4230 * common function with the COOKIE-WAIT state. 4231 */ 4232 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4233 } 4234 4235 /* 4236 * sctp_sf_shutdown_pending_prm_abort 4237 * 4238 * Inputs 4239 * (endpoint, asoc) 4240 * 4241 * The RFC does not explicitly address this issue, but is the route through the 4242 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4243 * 4244 * Outputs 4245 * (timers) 4246 */ 4247 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4248 const struct sctp_endpoint *ep, 4249 const struct sctp_association *asoc, 4250 const sctp_subtype_t type, 4251 void *arg, 4252 sctp_cmd_seq_t *commands) 4253 { 4254 /* Stop the T5-shutdown guard timer. */ 4255 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4256 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4257 4258 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4259 } 4260 4261 /* 4262 * sctp_sf_shutdown_sent_prm_abort 4263 * 4264 * Inputs 4265 * (endpoint, asoc) 4266 * 4267 * The RFC does not explicitly address this issue, but is the route through the 4268 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4269 * 4270 * Outputs 4271 * (timers) 4272 */ 4273 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4274 const struct sctp_endpoint *ep, 4275 const struct sctp_association *asoc, 4276 const sctp_subtype_t type, 4277 void *arg, 4278 sctp_cmd_seq_t *commands) 4279 { 4280 /* Stop the T2-shutdown timer. */ 4281 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4282 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4283 4284 /* Stop the T5-shutdown guard timer. */ 4285 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4286 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4287 4288 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4289 } 4290 4291 /* 4292 * sctp_sf_cookie_echoed_prm_abort 4293 * 4294 * Inputs 4295 * (endpoint, asoc) 4296 * 4297 * The RFC does not explcitly address this issue, but is the route through the 4298 * state table when someone issues an abort while in COOKIE_ECHOED state. 4299 * 4300 * Outputs 4301 * (timers) 4302 */ 4303 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4304 const struct sctp_endpoint *ep, 4305 const struct sctp_association *asoc, 4306 const sctp_subtype_t type, 4307 void *arg, 4308 sctp_cmd_seq_t *commands) 4309 { 4310 /* The same T2 timer, so we should be able to use 4311 * common function with the SHUTDOWN-SENT state. 4312 */ 4313 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4314 } 4315 4316 /* 4317 * Process the REQUESTHEARTBEAT primitive 4318 * 4319 * 10.1 ULP-to-SCTP 4320 * J) Request Heartbeat 4321 * 4322 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4323 * 4324 * -> result 4325 * 4326 * Instructs the local endpoint to perform a HeartBeat on the specified 4327 * destination transport address of the given association. The returned 4328 * result should indicate whether the transmission of the HEARTBEAT 4329 * chunk to the destination address is successful. 4330 * 4331 * Mandatory attributes: 4332 * 4333 * o association id - local handle to the SCTP association 4334 * 4335 * o destination transport address - the transport address of the 4336 * association on which a heartbeat should be issued. 4337 */ 4338 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4339 const struct sctp_endpoint *ep, 4340 const struct sctp_association *asoc, 4341 const sctp_subtype_t type, 4342 void *arg, 4343 sctp_cmd_seq_t *commands) 4344 { 4345 return sctp_sf_heartbeat(ep, asoc, type, (struct sctp_transport *)arg, 4346 commands); 4347 } 4348 4349 /* 4350 * ADDIP Section 4.1 ASCONF Chunk Procedures 4351 * When an endpoint has an ASCONF signaled change to be sent to the 4352 * remote endpoint it should do A1 to A9 4353 */ 4354 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4355 const struct sctp_association *asoc, 4356 const sctp_subtype_t type, 4357 void *arg, 4358 sctp_cmd_seq_t *commands) 4359 { 4360 struct sctp_chunk *chunk = arg; 4361 4362 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4363 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4364 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4365 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4366 return SCTP_DISPOSITION_CONSUME; 4367 } 4368 4369 /* 4370 * Ignore the primitive event 4371 * 4372 * The return value is the disposition of the primitive. 4373 */ 4374 sctp_disposition_t sctp_sf_ignore_primitive( 4375 const struct sctp_endpoint *ep, 4376 const struct sctp_association *asoc, 4377 const sctp_subtype_t type, 4378 void *arg, 4379 sctp_cmd_seq_t *commands) 4380 { 4381 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4382 return SCTP_DISPOSITION_DISCARD; 4383 } 4384 4385 /*************************************************************************** 4386 * These are the state functions for the OTHER events. 4387 ***************************************************************************/ 4388 4389 /* 4390 * Start the shutdown negotiation. 4391 * 4392 * From Section 9.2: 4393 * Once all its outstanding data has been acknowledged, the endpoint 4394 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4395 * TSN Ack field the last sequential TSN it has received from the peer. 4396 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4397 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4398 * with the updated last sequential TSN received from its peer. 4399 * 4400 * The return value is the disposition. 4401 */ 4402 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4403 const struct sctp_endpoint *ep, 4404 const struct sctp_association *asoc, 4405 const sctp_subtype_t type, 4406 void *arg, 4407 sctp_cmd_seq_t *commands) 4408 { 4409 struct sctp_chunk *reply; 4410 4411 /* Once all its outstanding data has been acknowledged, the 4412 * endpoint shall send a SHUTDOWN chunk to its peer including 4413 * in the Cumulative TSN Ack field the last sequential TSN it 4414 * has received from the peer. 4415 */ 4416 reply = sctp_make_shutdown(asoc, NULL); 4417 if (!reply) 4418 goto nomem; 4419 4420 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4421 * T2-shutdown timer. 4422 */ 4423 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4424 4425 /* It shall then start the T2-shutdown timer */ 4426 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4427 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4428 4429 if (asoc->autoclose) 4430 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4431 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4432 4433 /* and enter the SHUTDOWN-SENT state. */ 4434 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4435 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4436 4437 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4438 * 4439 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4440 * or SHUTDOWN-ACK. 4441 */ 4442 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4443 4444 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4445 4446 return SCTP_DISPOSITION_CONSUME; 4447 4448 nomem: 4449 return SCTP_DISPOSITION_NOMEM; 4450 } 4451 4452 /* 4453 * Generate a SHUTDOWN ACK now that everything is SACK'd. 4454 * 4455 * From Section 9.2: 4456 * 4457 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4458 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 4459 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 4460 * endpoint must re-send the SHUTDOWN ACK. 4461 * 4462 * The return value is the disposition. 4463 */ 4464 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 4465 const struct sctp_endpoint *ep, 4466 const struct sctp_association *asoc, 4467 const sctp_subtype_t type, 4468 void *arg, 4469 sctp_cmd_seq_t *commands) 4470 { 4471 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 4472 struct sctp_chunk *reply; 4473 4474 /* There are 2 ways of getting here: 4475 * 1) called in response to a SHUTDOWN chunk 4476 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 4477 * 4478 * For the case (2), the arg parameter is set to NULL. We need 4479 * to check that we have a chunk before accessing it's fields. 4480 */ 4481 if (chunk) { 4482 if (!sctp_vtag_verify(chunk, asoc)) 4483 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4484 4485 /* Make sure that the SHUTDOWN chunk has a valid length. */ 4486 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 4487 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4488 commands); 4489 } 4490 4491 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4492 * shall send a SHUTDOWN ACK ... 4493 */ 4494 reply = sctp_make_shutdown_ack(asoc, chunk); 4495 if (!reply) 4496 goto nomem; 4497 4498 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 4499 * the T2-shutdown timer. 4500 */ 4501 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4502 4503 /* and start/restart a T2-shutdown timer of its own, */ 4504 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4505 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4506 4507 if (asoc->autoclose) 4508 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4509 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4510 4511 /* Enter the SHUTDOWN-ACK-SENT state. */ 4512 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4513 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 4514 4515 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4516 * 4517 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4518 * or SHUTDOWN-ACK. 4519 */ 4520 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4521 4522 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4523 4524 return SCTP_DISPOSITION_CONSUME; 4525 4526 nomem: 4527 return SCTP_DISPOSITION_NOMEM; 4528 } 4529 4530 /* 4531 * Ignore the event defined as other 4532 * 4533 * The return value is the disposition of the event. 4534 */ 4535 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 4536 const struct sctp_association *asoc, 4537 const sctp_subtype_t type, 4538 void *arg, 4539 sctp_cmd_seq_t *commands) 4540 { 4541 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 4542 return SCTP_DISPOSITION_DISCARD; 4543 } 4544 4545 /************************************************************ 4546 * These are the state functions for handling timeout events. 4547 ************************************************************/ 4548 4549 /* 4550 * RTX Timeout 4551 * 4552 * Section: 6.3.3 Handle T3-rtx Expiration 4553 * 4554 * Whenever the retransmission timer T3-rtx expires for a destination 4555 * address, do the following: 4556 * [See below] 4557 * 4558 * The return value is the disposition of the chunk. 4559 */ 4560 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 4561 const struct sctp_association *asoc, 4562 const sctp_subtype_t type, 4563 void *arg, 4564 sctp_cmd_seq_t *commands) 4565 { 4566 struct sctp_transport *transport = arg; 4567 4568 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 4569 4570 if (asoc->overall_error_count >= asoc->max_retrans) { 4571 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4572 SCTP_ERROR(ETIMEDOUT)); 4573 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4574 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4575 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4576 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4577 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4578 return SCTP_DISPOSITION_DELETE_TCB; 4579 } 4580 4581 /* E1) For the destination address for which the timer 4582 * expires, adjust its ssthresh with rules defined in Section 4583 * 7.2.3 and set the cwnd <- MTU. 4584 */ 4585 4586 /* E2) For the destination address for which the timer 4587 * expires, set RTO <- RTO * 2 ("back off the timer"). The 4588 * maximum value discussed in rule C7 above (RTO.max) may be 4589 * used to provide an upper bound to this doubling operation. 4590 */ 4591 4592 /* E3) Determine how many of the earliest (i.e., lowest TSN) 4593 * outstanding DATA chunks for the address for which the 4594 * T3-rtx has expired will fit into a single packet, subject 4595 * to the MTU constraint for the path corresponding to the 4596 * destination transport address to which the retransmission 4597 * is being sent (this may be different from the address for 4598 * which the timer expires [see Section 6.4]). Call this 4599 * value K. Bundle and retransmit those K DATA chunks in a 4600 * single packet to the destination endpoint. 4601 * 4602 * Note: Any DATA chunks that were sent to the address for 4603 * which the T3-rtx timer expired but did not fit in one MTU 4604 * (rule E3 above), should be marked for retransmission and 4605 * sent as soon as cwnd allows (normally when a SACK arrives). 4606 */ 4607 4608 /* NB: Rules E4 and F1 are implicit in R1. */ 4609 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 4610 4611 /* Do some failure management (Section 8.2). */ 4612 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4613 4614 return SCTP_DISPOSITION_CONSUME; 4615 } 4616 4617 /* 4618 * Generate delayed SACK on timeout 4619 * 4620 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 4621 * 4622 * The guidelines on delayed acknowledgement algorithm specified in 4623 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 4624 * acknowledgement SHOULD be generated for at least every second packet 4625 * (not every second DATA chunk) received, and SHOULD be generated 4626 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 4627 * some situations it may be beneficial for an SCTP transmitter to be 4628 * more conservative than the algorithms detailed in this document 4629 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 4630 * the following algorithms allow. 4631 */ 4632 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 4633 const struct sctp_association *asoc, 4634 const sctp_subtype_t type, 4635 void *arg, 4636 sctp_cmd_seq_t *commands) 4637 { 4638 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 4639 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4640 return SCTP_DISPOSITION_CONSUME; 4641 } 4642 4643 /* 4644 * sctp_sf_t1_init_timer_expire 4645 * 4646 * Section: 4 Note: 2 4647 * Verification Tag: 4648 * Inputs 4649 * (endpoint, asoc) 4650 * 4651 * RFC 2960 Section 4 Notes 4652 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 4653 * and re-start the T1-init timer without changing state. This MUST 4654 * be repeated up to 'Max.Init.Retransmits' times. After that, the 4655 * endpoint MUST abort the initialization process and report the 4656 * error to SCTP user. 4657 * 4658 * Outputs 4659 * (timers, events) 4660 * 4661 */ 4662 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 4663 const struct sctp_association *asoc, 4664 const sctp_subtype_t type, 4665 void *arg, 4666 sctp_cmd_seq_t *commands) 4667 { 4668 struct sctp_chunk *repl = NULL; 4669 struct sctp_bind_addr *bp; 4670 int attempts = asoc->init_err_counter + 1; 4671 4672 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 4673 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 4674 4675 if (attempts <= asoc->max_init_attempts) { 4676 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 4677 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 4678 if (!repl) 4679 return SCTP_DISPOSITION_NOMEM; 4680 4681 /* Choose transport for INIT. */ 4682 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4683 SCTP_CHUNK(repl)); 4684 4685 /* Issue a sideeffect to do the needed accounting. */ 4686 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 4687 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4688 4689 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4690 } else { 4691 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 4692 " max_init_attempts: %d\n", 4693 attempts, asoc->max_init_attempts); 4694 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4695 SCTP_ERROR(ETIMEDOUT)); 4696 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4697 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4698 return SCTP_DISPOSITION_DELETE_TCB; 4699 } 4700 4701 return SCTP_DISPOSITION_CONSUME; 4702 } 4703 4704 /* 4705 * sctp_sf_t1_cookie_timer_expire 4706 * 4707 * Section: 4 Note: 2 4708 * Verification Tag: 4709 * Inputs 4710 * (endpoint, asoc) 4711 * 4712 * RFC 2960 Section 4 Notes 4713 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 4714 * COOKIE ECHO and re-start the T1-cookie timer without changing 4715 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 4716 * After that, the endpoint MUST abort the initialization process and 4717 * report the error to SCTP user. 4718 * 4719 * Outputs 4720 * (timers, events) 4721 * 4722 */ 4723 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 4724 const struct sctp_association *asoc, 4725 const sctp_subtype_t type, 4726 void *arg, 4727 sctp_cmd_seq_t *commands) 4728 { 4729 struct sctp_chunk *repl = NULL; 4730 int attempts = asoc->init_err_counter + 1; 4731 4732 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 4733 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 4734 4735 if (attempts <= asoc->max_init_attempts) { 4736 repl = sctp_make_cookie_echo(asoc, NULL); 4737 if (!repl) 4738 return SCTP_DISPOSITION_NOMEM; 4739 4740 /* Issue a sideeffect to do the needed accounting. */ 4741 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 4742 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 4743 4744 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4745 } else { 4746 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4747 SCTP_ERROR(ETIMEDOUT)); 4748 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4749 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4750 return SCTP_DISPOSITION_DELETE_TCB; 4751 } 4752 4753 return SCTP_DISPOSITION_CONSUME; 4754 } 4755 4756 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 4757 * with the updated last sequential TSN received from its peer. 4758 * 4759 * An endpoint should limit the number of retransmissions of the 4760 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 4761 * If this threshold is exceeded the endpoint should destroy the TCB and 4762 * MUST report the peer endpoint unreachable to the upper layer (and 4763 * thus the association enters the CLOSED state). The reception of any 4764 * packet from its peer (i.e. as the peer sends all of its queued DATA 4765 * chunks) should clear the endpoint's retransmission count and restart 4766 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 4767 * all of its queued DATA chunks that have not yet been sent. 4768 */ 4769 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 4770 const struct sctp_association *asoc, 4771 const sctp_subtype_t type, 4772 void *arg, 4773 sctp_cmd_seq_t *commands) 4774 { 4775 struct sctp_chunk *reply = NULL; 4776 4777 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 4778 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 4779 4780 if (asoc->overall_error_count >= asoc->max_retrans) { 4781 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4782 SCTP_ERROR(ETIMEDOUT)); 4783 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4784 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4785 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4786 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4787 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4788 return SCTP_DISPOSITION_DELETE_TCB; 4789 } 4790 4791 switch (asoc->state) { 4792 case SCTP_STATE_SHUTDOWN_SENT: 4793 reply = sctp_make_shutdown(asoc, NULL); 4794 break; 4795 4796 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4797 reply = sctp_make_shutdown_ack(asoc, NULL); 4798 break; 4799 4800 default: 4801 BUG(); 4802 break; 4803 }; 4804 4805 if (!reply) 4806 goto nomem; 4807 4808 /* Do some failure management (Section 8.2). */ 4809 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 4810 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 4811 4812 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 4813 * the T2-shutdown timer. 4814 */ 4815 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4816 4817 /* Restart the T2-shutdown timer. */ 4818 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4819 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4820 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4821 return SCTP_DISPOSITION_CONSUME; 4822 4823 nomem: 4824 return SCTP_DISPOSITION_NOMEM; 4825 } 4826 4827 /* 4828 * ADDIP Section 4.1 ASCONF CHunk Procedures 4829 * If the T4 RTO timer expires the endpoint should do B1 to B5 4830 */ 4831 sctp_disposition_t sctp_sf_t4_timer_expire( 4832 const struct sctp_endpoint *ep, 4833 const struct sctp_association *asoc, 4834 const sctp_subtype_t type, 4835 void *arg, 4836 sctp_cmd_seq_t *commands) 4837 { 4838 struct sctp_chunk *chunk = asoc->addip_last_asconf; 4839 struct sctp_transport *transport = chunk->transport; 4840 4841 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 4842 4843 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 4844 * detection on the appropriate destination address as defined in 4845 * RFC2960 [5] section 8.1 and 8.2. 4846 */ 4847 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4848 4849 /* Reconfig T4 timer and transport. */ 4850 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4851 4852 /* ADDIP 4.1 B2) Increment the association error counters and perform 4853 * endpoint failure detection on the association as defined in 4854 * RFC2960 [5] section 8.1 and 8.2. 4855 * association error counter is incremented in SCTP_CMD_STRIKE. 4856 */ 4857 if (asoc->overall_error_count >= asoc->max_retrans) { 4858 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4859 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4860 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4861 SCTP_ERROR(ETIMEDOUT)); 4862 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4863 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4864 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4865 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 4866 return SCTP_DISPOSITION_ABORT; 4867 } 4868 4869 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 4870 * the ASCONF chunk was sent by doubling the RTO timer value. 4871 * This is done in SCTP_CMD_STRIKE. 4872 */ 4873 4874 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 4875 * choose an alternate destination address (please refer to RFC2960 4876 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 4877 * chunk, it MUST be the same (including its serial number) as the last 4878 * ASCONF sent. 4879 */ 4880 sctp_chunk_hold(asoc->addip_last_asconf); 4881 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4882 SCTP_CHUNK(asoc->addip_last_asconf)); 4883 4884 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 4885 * destination is selected, then the RTO used will be that of the new 4886 * destination address. 4887 */ 4888 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4889 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4890 4891 return SCTP_DISPOSITION_CONSUME; 4892 } 4893 4894 /* sctpimpguide-05 Section 2.12.2 4895 * The sender of the SHUTDOWN MAY also start an overall guard timer 4896 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4897 * At the expiration of this timer the sender SHOULD abort the association 4898 * by sending an ABORT chunk. 4899 */ 4900 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 4901 const struct sctp_association *asoc, 4902 const sctp_subtype_t type, 4903 void *arg, 4904 sctp_cmd_seq_t *commands) 4905 { 4906 struct sctp_chunk *reply = NULL; 4907 4908 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 4909 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 4910 4911 reply = sctp_make_abort(asoc, NULL, 0); 4912 if (!reply) 4913 goto nomem; 4914 4915 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4916 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4917 SCTP_ERROR(ETIMEDOUT)); 4918 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4919 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4920 4921 return SCTP_DISPOSITION_DELETE_TCB; 4922 nomem: 4923 return SCTP_DISPOSITION_NOMEM; 4924 } 4925 4926 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 4927 * the association is automatically closed by starting the shutdown process. 4928 * The work that needs to be done is same as when SHUTDOWN is initiated by 4929 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 4930 */ 4931 sctp_disposition_t sctp_sf_autoclose_timer_expire( 4932 const struct sctp_endpoint *ep, 4933 const struct sctp_association *asoc, 4934 const sctp_subtype_t type, 4935 void *arg, 4936 sctp_cmd_seq_t *commands) 4937 { 4938 int disposition; 4939 4940 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 4941 4942 /* From 9.2 Shutdown of an Association 4943 * Upon receipt of the SHUTDOWN primitive from its upper 4944 * layer, the endpoint enters SHUTDOWN-PENDING state and 4945 * remains there until all outstanding data has been 4946 * acknowledged by its peer. The endpoint accepts no new data 4947 * from its upper layer, but retransmits data to the far end 4948 * if necessary to fill gaps. 4949 */ 4950 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4951 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4952 4953 /* sctpimpguide-05 Section 2.12.2 4954 * The sender of the SHUTDOWN MAY also start an overall guard timer 4955 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4956 */ 4957 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4958 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4959 disposition = SCTP_DISPOSITION_CONSUME; 4960 if (sctp_outq_is_empty(&asoc->outqueue)) { 4961 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4962 arg, commands); 4963 } 4964 return disposition; 4965 } 4966 4967 /***************************************************************************** 4968 * These are sa state functions which could apply to all types of events. 4969 ****************************************************************************/ 4970 4971 /* 4972 * This table entry is not implemented. 4973 * 4974 * Inputs 4975 * (endpoint, asoc, chunk) 4976 * 4977 * The return value is the disposition of the chunk. 4978 */ 4979 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 4980 const struct sctp_association *asoc, 4981 const sctp_subtype_t type, 4982 void *arg, 4983 sctp_cmd_seq_t *commands) 4984 { 4985 return SCTP_DISPOSITION_NOT_IMPL; 4986 } 4987 4988 /* 4989 * This table entry represents a bug. 4990 * 4991 * Inputs 4992 * (endpoint, asoc, chunk) 4993 * 4994 * The return value is the disposition of the chunk. 4995 */ 4996 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 4997 const struct sctp_association *asoc, 4998 const sctp_subtype_t type, 4999 void *arg, 5000 sctp_cmd_seq_t *commands) 5001 { 5002 return SCTP_DISPOSITION_BUG; 5003 } 5004 5005 /* 5006 * This table entry represents the firing of a timer in the wrong state. 5007 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 5008 * when the association is in the wrong state. This event should 5009 * be ignored, so as to prevent any rearming of the timer. 5010 * 5011 * Inputs 5012 * (endpoint, asoc, chunk) 5013 * 5014 * The return value is the disposition of the chunk. 5015 */ 5016 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 5017 const struct sctp_association *asoc, 5018 const sctp_subtype_t type, 5019 void *arg, 5020 sctp_cmd_seq_t *commands) 5021 { 5022 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5023 return SCTP_DISPOSITION_CONSUME; 5024 } 5025 5026 /******************************************************************** 5027 * 2nd Level Abstractions 5028 ********************************************************************/ 5029 5030 /* Pull the SACK chunk based on the SACK header. */ 5031 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5032 { 5033 struct sctp_sackhdr *sack; 5034 unsigned int len; 5035 __u16 num_blocks; 5036 __u16 num_dup_tsns; 5037 5038 /* Protect ourselves from reading too far into 5039 * the skb from a bogus sender. 5040 */ 5041 sack = (struct sctp_sackhdr *) chunk->skb->data; 5042 5043 num_blocks = ntohs(sack->num_gap_ack_blocks); 5044 num_dup_tsns = ntohs(sack->num_dup_tsns); 5045 len = sizeof(struct sctp_sackhdr); 5046 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5047 if (len > chunk->skb->len) 5048 return NULL; 5049 5050 skb_pull(chunk->skb, len); 5051 5052 return sack; 5053 } 5054 5055 /* Create an ABORT packet to be sent as a response, with the specified 5056 * error causes. 5057 */ 5058 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5059 const struct sctp_association *asoc, 5060 struct sctp_chunk *chunk, 5061 const void *payload, 5062 size_t paylen) 5063 { 5064 struct sctp_packet *packet; 5065 struct sctp_chunk *abort; 5066 5067 packet = sctp_ootb_pkt_new(asoc, chunk); 5068 5069 if (packet) { 5070 /* Make an ABORT. 5071 * The T bit will be set if the asoc is NULL. 5072 */ 5073 abort = sctp_make_abort(asoc, chunk, paylen); 5074 if (!abort) { 5075 sctp_ootb_pkt_free(packet); 5076 return NULL; 5077 } 5078 5079 /* Reflect vtag if T-Bit is set */ 5080 if (sctp_test_T_bit(abort)) 5081 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5082 5083 /* Add specified error causes, i.e., payload, to the 5084 * end of the chunk. 5085 */ 5086 sctp_addto_chunk(abort, paylen, payload); 5087 5088 /* Set the skb to the belonging sock for accounting. */ 5089 abort->skb->sk = ep->base.sk; 5090 5091 sctp_packet_append_chunk(packet, abort); 5092 5093 } 5094 5095 return packet; 5096 } 5097 5098 /* Allocate a packet for responding in the OOTB conditions. */ 5099 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5100 const struct sctp_chunk *chunk) 5101 { 5102 struct sctp_packet *packet; 5103 struct sctp_transport *transport; 5104 __u16 sport; 5105 __u16 dport; 5106 __u32 vtag; 5107 5108 /* Get the source and destination port from the inbound packet. */ 5109 sport = ntohs(chunk->sctp_hdr->dest); 5110 dport = ntohs(chunk->sctp_hdr->source); 5111 5112 /* The V-tag is going to be the same as the inbound packet if no 5113 * association exists, otherwise, use the peer's vtag. 5114 */ 5115 if (asoc) { 5116 vtag = asoc->peer.i.init_tag; 5117 } else { 5118 /* Special case the INIT and stale COOKIE_ECHO as there is no 5119 * vtag yet. 5120 */ 5121 switch(chunk->chunk_hdr->type) { 5122 case SCTP_CID_INIT: 5123 { 5124 sctp_init_chunk_t *init; 5125 5126 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5127 vtag = ntohl(init->init_hdr.init_tag); 5128 break; 5129 } 5130 default: 5131 vtag = ntohl(chunk->sctp_hdr->vtag); 5132 break; 5133 } 5134 } 5135 5136 /* Make a transport for the bucket, Eliza... */ 5137 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5138 if (!transport) 5139 goto nomem; 5140 5141 /* Cache a route for the transport with the chunk's destination as 5142 * the source address. 5143 */ 5144 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5145 sctp_sk(sctp_get_ctl_sock())); 5146 5147 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5148 packet = sctp_packet_config(packet, vtag, 0); 5149 5150 return packet; 5151 5152 nomem: 5153 return NULL; 5154 } 5155 5156 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5157 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5158 { 5159 sctp_transport_free(packet->transport); 5160 } 5161 5162 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5163 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5164 const struct sctp_association *asoc, 5165 const struct sctp_chunk *chunk, 5166 sctp_cmd_seq_t *commands, 5167 struct sctp_chunk *err_chunk) 5168 { 5169 struct sctp_packet *packet; 5170 5171 if (err_chunk) { 5172 packet = sctp_ootb_pkt_new(asoc, chunk); 5173 if (packet) { 5174 struct sctp_signed_cookie *cookie; 5175 5176 /* Override the OOTB vtag from the cookie. */ 5177 cookie = chunk->subh.cookie_hdr; 5178 packet->vtag = cookie->c.peer_vtag; 5179 5180 /* Set the skb to the belonging sock for accounting. */ 5181 err_chunk->skb->sk = ep->base.sk; 5182 sctp_packet_append_chunk(packet, err_chunk); 5183 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5184 SCTP_PACKET(packet)); 5185 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5186 } else 5187 sctp_chunk_free (err_chunk); 5188 } 5189 } 5190 5191 5192 /* Process a data chunk */ 5193 static int sctp_eat_data(const struct sctp_association *asoc, 5194 struct sctp_chunk *chunk, 5195 sctp_cmd_seq_t *commands) 5196 { 5197 sctp_datahdr_t *data_hdr; 5198 struct sctp_chunk *err; 5199 size_t datalen; 5200 sctp_verb_t deliver; 5201 int tmp; 5202 __u32 tsn; 5203 int account_value; 5204 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5205 struct sock *sk = asoc->base.sk; 5206 int rcvbuf_over = 0; 5207 5208 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5209 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5210 5211 tsn = ntohl(data_hdr->tsn); 5212 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5213 5214 /* ASSERT: Now skb->data is really the user data. */ 5215 5216 /* 5217 * If we are established, and we have used up our receive buffer 5218 * memory, think about droping the frame. 5219 * Note that we have an opportunity to improve performance here. 5220 * If we accept one chunk from an skbuff, we have to keep all the 5221 * memory of that skbuff around until the chunk is read into user 5222 * space. Therefore, once we accept 1 chunk we may as well accept all 5223 * remaining chunks in the skbuff. The data_accepted flag helps us do 5224 * that. 5225 */ 5226 if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) { 5227 /* 5228 * If the receive buffer policy is 1, then each 5229 * association can allocate up to sk_rcvbuf bytes 5230 * otherwise, all the associations in aggregate 5231 * may allocate up to sk_rcvbuf bytes 5232 */ 5233 if (asoc->ep->rcvbuf_policy) 5234 account_value = atomic_read(&asoc->rmem_alloc); 5235 else 5236 account_value = atomic_read(&sk->sk_rmem_alloc); 5237 if (account_value > sk->sk_rcvbuf) { 5238 /* 5239 * We need to make forward progress, even when we are 5240 * under memory pressure, so we always allow the 5241 * next tsn after the ctsn ack point to be accepted. 5242 * This lets us avoid deadlocks in which we have to 5243 * drop frames that would otherwise let us drain the 5244 * receive queue. 5245 */ 5246 if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn) 5247 return SCTP_IERROR_IGNORE_TSN; 5248 5249 /* 5250 * We're going to accept the frame but we should renege 5251 * to make space for it. This will send us down that 5252 * path later in this function. 5253 */ 5254 rcvbuf_over = 1; 5255 } 5256 } 5257 5258 /* Process ECN based congestion. 5259 * 5260 * Since the chunk structure is reused for all chunks within 5261 * a packet, we use ecn_ce_done to track if we've already 5262 * done CE processing for this packet. 5263 * 5264 * We need to do ECN processing even if we plan to discard the 5265 * chunk later. 5266 */ 5267 5268 if (!chunk->ecn_ce_done) { 5269 struct sctp_af *af; 5270 chunk->ecn_ce_done = 1; 5271 5272 af = sctp_get_af_specific( 5273 ipver2af(chunk->skb->nh.iph->version)); 5274 5275 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5276 /* Do real work as sideffect. */ 5277 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5278 SCTP_U32(tsn)); 5279 } 5280 } 5281 5282 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5283 if (tmp < 0) { 5284 /* The TSN is too high--silently discard the chunk and 5285 * count on it getting retransmitted later. 5286 */ 5287 return SCTP_IERROR_HIGH_TSN; 5288 } else if (tmp > 0) { 5289 /* This is a duplicate. Record it. */ 5290 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5291 return SCTP_IERROR_DUP_TSN; 5292 } 5293 5294 /* This is a new TSN. */ 5295 5296 /* Discard if there is no room in the receive window. 5297 * Actually, allow a little bit of overflow (up to a MTU). 5298 */ 5299 datalen = ntohs(chunk->chunk_hdr->length); 5300 datalen -= sizeof(sctp_data_chunk_t); 5301 5302 deliver = SCTP_CMD_CHUNK_ULP; 5303 5304 /* Think about partial delivery. */ 5305 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5306 5307 /* Even if we don't accept this chunk there is 5308 * memory pressure. 5309 */ 5310 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5311 } 5312 5313 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5314 * seems a bit troublesome in that frag_point varies based on 5315 * PMTU. In cases, such as loopback, this might be a rather 5316 * large spill over. 5317 * NOTE: If we have a full receive buffer here, we only renege if 5318 * our receiver can still make progress without the tsn being 5319 * received. We do this because in the event that the associations 5320 * receive queue is empty we are filling a leading gap, and since 5321 * reneging moves the gap to the end of the tsn stream, we are likely 5322 * to stall again very shortly. Avoiding the renege when we fill a 5323 * leading gap is a good heuristic for avoiding such steady state 5324 * stalls. 5325 */ 5326 if (!asoc->rwnd || asoc->rwnd_over || 5327 (datalen > asoc->rwnd + asoc->frag_point) || 5328 (rcvbuf_over && (!skb_queue_len(&sk->sk_receive_queue)))) { 5329 5330 /* If this is the next TSN, consider reneging to make 5331 * room. Note: Playing nice with a confused sender. A 5332 * malicious sender can still eat up all our buffer 5333 * space and in the future we may want to detect and 5334 * do more drastic reneging. 5335 */ 5336 if (sctp_tsnmap_has_gap(map) && 5337 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5338 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5339 deliver = SCTP_CMD_RENEGE; 5340 } else { 5341 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5342 "rwnd: %d\n", tsn, datalen, 5343 asoc->rwnd); 5344 return SCTP_IERROR_IGNORE_TSN; 5345 } 5346 } 5347 5348 /* 5349 * Section 3.3.10.9 No User Data (9) 5350 * 5351 * Cause of error 5352 * --------------- 5353 * No User Data: This error cause is returned to the originator of a 5354 * DATA chunk if a received DATA chunk has no user data. 5355 */ 5356 if (unlikely(0 == datalen)) { 5357 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5358 if (err) { 5359 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5360 SCTP_CHUNK(err)); 5361 } 5362 /* We are going to ABORT, so we might as well stop 5363 * processing the rest of the chunks in the packet. 5364 */ 5365 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5366 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5367 SCTP_ERROR(ECONNABORTED)); 5368 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5369 SCTP_PERR(SCTP_ERROR_NO_DATA)); 5370 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5371 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5372 return SCTP_IERROR_NO_DATA; 5373 } 5374 5375 /* If definately accepting the DATA chunk, record its TSN, otherwise 5376 * wait for renege processing. 5377 */ 5378 if (SCTP_CMD_CHUNK_ULP == deliver) 5379 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5380 5381 chunk->data_accepted = 1; 5382 5383 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5384 * if we renege and the chunk arrives again. 5385 */ 5386 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5387 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5388 else 5389 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5390 5391 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5392 * 5393 * If an endpoint receive a DATA chunk with an invalid stream 5394 * identifier, it shall acknowledge the reception of the DATA chunk 5395 * following the normal procedure, immediately send an ERROR chunk 5396 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5397 * and discard the DATA chunk. 5398 */ 5399 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5400 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5401 &data_hdr->stream, 5402 sizeof(data_hdr->stream)); 5403 if (err) 5404 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5405 SCTP_CHUNK(err)); 5406 return SCTP_IERROR_BAD_STREAM; 5407 } 5408 5409 /* Send the data up to the user. Note: Schedule the 5410 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5411 * chunk needs the updated rwnd. 5412 */ 5413 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5414 5415 return SCTP_IERROR_NO_ERROR; 5416 } 5417