1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* SCTP kernel implementation 3 * (C) Copyright IBM Corp. 2001, 2004 4 * Copyright (c) 1999-2000 Cisco, Inc. 5 * Copyright (c) 1999-2001 Motorola, Inc. 6 * Copyright (c) 2001-2002 Intel Corp. 7 * Copyright (c) 2002 Nokia Corp. 8 * 9 * This is part of the SCTP Linux Kernel Implementation. 10 * 11 * These are the state functions for the state machine. 12 * 13 * Please send any bug reports or fixes you make to the 14 * email address(es): 15 * lksctp developers <linux-sctp@vger.kernel.org> 16 * 17 * Written or modified by: 18 * La Monte H.P. Yarroll <piggy@acm.org> 19 * Karl Knutson <karl@athena.chicago.il.us> 20 * Mathew Kotowsky <kotowsky@sctp.org> 21 * Sridhar Samudrala <samudrala@us.ibm.com> 22 * Jon Grimm <jgrimm@us.ibm.com> 23 * Hui Huang <hui.huang@nokia.com> 24 * Dajiang Zhang <dajiang.zhang@nokia.com> 25 * Daisy Chang <daisyc@us.ibm.com> 26 * Ardelle Fan <ardelle.fan@intel.com> 27 * Ryan Layer <rmlayer@us.ibm.com> 28 * Kevin Gao <kevin.gao@intel.com> 29 */ 30 31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 32 33 #include <linux/types.h> 34 #include <linux/kernel.h> 35 #include <linux/ip.h> 36 #include <linux/ipv6.h> 37 #include <linux/net.h> 38 #include <linux/inet.h> 39 #include <linux/slab.h> 40 #include <net/sock.h> 41 #include <net/proto_memory.h> 42 #include <net/inet_ecn.h> 43 #include <linux/skbuff.h> 44 #include <net/sctp/sctp.h> 45 #include <net/sctp/sm.h> 46 #include <net/sctp/structs.h> 47 48 #define CREATE_TRACE_POINTS 49 #include <trace/events/sctp.h> 50 51 static struct sctp_packet *sctp_abort_pkt_new( 52 struct net *net, 53 const struct sctp_endpoint *ep, 54 const struct sctp_association *asoc, 55 struct sctp_chunk *chunk, 56 const void *payload, size_t paylen); 57 static int sctp_eat_data(const struct sctp_association *asoc, 58 struct sctp_chunk *chunk, 59 struct sctp_cmd_seq *commands); 60 static struct sctp_packet *sctp_ootb_pkt_new( 61 struct net *net, 62 const struct sctp_association *asoc, 63 const struct sctp_chunk *chunk); 64 static void sctp_send_stale_cookie_err(struct net *net, 65 const struct sctp_endpoint *ep, 66 const struct sctp_association *asoc, 67 const struct sctp_chunk *chunk, 68 struct sctp_cmd_seq *commands, 69 struct sctp_chunk *err_chunk); 70 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 71 struct net *net, 72 const struct sctp_endpoint *ep, 73 const struct sctp_association *asoc, 74 const union sctp_subtype type, 75 void *arg, 76 struct sctp_cmd_seq *commands); 77 static enum sctp_disposition sctp_sf_shut_8_4_5( 78 struct net *net, 79 const struct sctp_endpoint *ep, 80 const struct sctp_association *asoc, 81 const union sctp_subtype type, 82 void *arg, 83 struct sctp_cmd_seq *commands); 84 static enum sctp_disposition sctp_sf_tabort_8_4_8( 85 struct net *net, 86 const struct sctp_endpoint *ep, 87 const struct sctp_association *asoc, 88 const union sctp_subtype type, 89 void *arg, 90 struct sctp_cmd_seq *commands); 91 static enum sctp_disposition sctp_sf_new_encap_port( 92 struct net *net, 93 const struct sctp_endpoint *ep, 94 const struct sctp_association *asoc, 95 const union sctp_subtype type, 96 void *arg, 97 struct sctp_cmd_seq *commands); 98 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 99 100 static enum sctp_disposition sctp_stop_t1_and_abort( 101 struct net *net, 102 struct sctp_cmd_seq *commands, 103 __be16 error, int sk_err, 104 const struct sctp_association *asoc, 105 struct sctp_transport *transport); 106 107 static enum sctp_disposition sctp_sf_abort_violation( 108 struct net *net, 109 const struct sctp_endpoint *ep, 110 const struct sctp_association *asoc, 111 void *arg, 112 struct sctp_cmd_seq *commands, 113 const __u8 *payload, 114 const size_t paylen); 115 116 static enum sctp_disposition sctp_sf_violation_chunklen( 117 struct net *net, 118 const struct sctp_endpoint *ep, 119 const struct sctp_association *asoc, 120 const union sctp_subtype type, 121 void *arg, 122 struct sctp_cmd_seq *commands); 123 124 static enum sctp_disposition sctp_sf_violation_paramlen( 125 struct net *net, 126 const struct sctp_endpoint *ep, 127 const struct sctp_association *asoc, 128 const union sctp_subtype type, 129 void *arg, void *ext, 130 struct sctp_cmd_seq *commands); 131 132 static enum sctp_disposition sctp_sf_violation_ctsn( 133 struct net *net, 134 const struct sctp_endpoint *ep, 135 const struct sctp_association *asoc, 136 const union sctp_subtype type, 137 void *arg, 138 struct sctp_cmd_seq *commands); 139 140 static enum sctp_disposition sctp_sf_violation_chunk( 141 struct net *net, 142 const struct sctp_endpoint *ep, 143 const struct sctp_association *asoc, 144 const union sctp_subtype type, 145 void *arg, 146 struct sctp_cmd_seq *commands); 147 148 static enum sctp_ierror sctp_sf_authenticate( 149 const struct sctp_association *asoc, 150 struct sctp_chunk *chunk); 151 152 static enum sctp_disposition __sctp_sf_do_9_1_abort( 153 struct net *net, 154 const struct sctp_endpoint *ep, 155 const struct sctp_association *asoc, 156 const union sctp_subtype type, 157 void *arg, 158 struct sctp_cmd_seq *commands); 159 160 static enum sctp_disposition 161 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 162 const struct sctp_association *asoc, 163 const union sctp_subtype type, void *arg, 164 struct sctp_cmd_seq *commands); 165 166 /* Small helper function that checks if the chunk length 167 * is of the appropriate length. The 'required_length' argument 168 * is set to be the size of a specific chunk we are testing. 169 * Return Values: true = Valid length 170 * false = Invalid length 171 * 172 */ 173 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, 174 __u16 required_length) 175 { 176 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 177 178 /* Previously already marked? */ 179 if (unlikely(chunk->pdiscard)) 180 return false; 181 if (unlikely(chunk_length < required_length)) 182 return false; 183 184 return true; 185 } 186 187 /* Check for format error in an ABORT chunk */ 188 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) 189 { 190 struct sctp_errhdr *err; 191 192 sctp_walk_errors(err, chunk->chunk_hdr); 193 194 return (void *)err == (void *)chunk->chunk_end; 195 } 196 197 /********************************************************** 198 * These are the state functions for handling chunk events. 199 **********************************************************/ 200 201 /* 202 * Process the final SHUTDOWN COMPLETE. 203 * 204 * Section: 4 (C) (diagram), 9.2 205 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 206 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 207 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 208 * should stop the T2-shutdown timer and remove all knowledge of the 209 * association (and thus the association enters the CLOSED state). 210 * 211 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 212 * C) Rules for packet carrying SHUTDOWN COMPLETE: 213 * ... 214 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 215 * if the Verification Tag field of the packet matches its own tag and 216 * the T bit is not set 217 * OR 218 * it is set to its peer's tag and the T bit is set in the Chunk 219 * Flags. 220 * Otherwise, the receiver MUST silently discard the packet 221 * and take no further action. An endpoint MUST ignore the 222 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 223 * 224 * Inputs 225 * (endpoint, asoc, chunk) 226 * 227 * Outputs 228 * (asoc, reply_msg, msg_up, timers, counters) 229 * 230 * The return value is the disposition of the chunk. 231 */ 232 enum sctp_disposition sctp_sf_do_4_C(struct net *net, 233 const struct sctp_endpoint *ep, 234 const struct sctp_association *asoc, 235 const union sctp_subtype type, 236 void *arg, struct sctp_cmd_seq *commands) 237 { 238 struct sctp_chunk *chunk = arg; 239 struct sctp_ulpevent *ev; 240 241 if (!sctp_vtag_verify_either(chunk, asoc)) 242 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 243 244 /* RFC 2960 6.10 Bundling 245 * 246 * An endpoint MUST NOT bundle INIT, INIT ACK or 247 * SHUTDOWN COMPLETE with any other chunks. 248 */ 249 if (!chunk->singleton) 250 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 251 252 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 253 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 254 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 255 commands); 256 257 /* RFC 2960 10.2 SCTP-to-ULP 258 * 259 * H) SHUTDOWN COMPLETE notification 260 * 261 * When SCTP completes the shutdown procedures (section 9.2) this 262 * notification is passed to the upper layer. 263 */ 264 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 265 0, 0, 0, NULL, GFP_ATOMIC); 266 if (ev) 267 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 268 SCTP_ULPEVENT(ev)); 269 270 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 271 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 272 * not the chunk should be discarded. If the endpoint is in 273 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 274 * T2-shutdown timer and remove all knowledge of the 275 * association (and thus the association enters the CLOSED 276 * state). 277 */ 278 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 279 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 280 281 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 282 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 283 284 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 285 SCTP_STATE(SCTP_STATE_CLOSED)); 286 287 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 288 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 289 290 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 291 292 return SCTP_DISPOSITION_DELETE_TCB; 293 } 294 295 /* 296 * Respond to a normal INIT chunk. 297 * We are the side that is being asked for an association. 298 * 299 * Section: 5.1 Normal Establishment of an Association, B 300 * B) "Z" shall respond immediately with an INIT ACK chunk. The 301 * destination IP address of the INIT ACK MUST be set to the source 302 * IP address of the INIT to which this INIT ACK is responding. In 303 * the response, besides filling in other parameters, "Z" must set the 304 * Verification Tag field to Tag_A, and also provide its own 305 * Verification Tag (Tag_Z) in the Initiate Tag field. 306 * 307 * Verification Tag: Must be 0. 308 * 309 * Inputs 310 * (endpoint, asoc, chunk) 311 * 312 * Outputs 313 * (asoc, reply_msg, msg_up, timers, counters) 314 * 315 * The return value is the disposition of the chunk. 316 */ 317 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, 318 const struct sctp_endpoint *ep, 319 const struct sctp_association *asoc, 320 const union sctp_subtype type, 321 void *arg, 322 struct sctp_cmd_seq *commands) 323 { 324 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 325 struct sctp_unrecognized_param *unk_param; 326 struct sctp_association *new_asoc; 327 struct sctp_packet *packet; 328 int len; 329 330 /* 6.10 Bundling 331 * An endpoint MUST NOT bundle INIT, INIT ACK or 332 * SHUTDOWN COMPLETE with any other chunks. 333 * 334 * IG Section 2.11.2 335 * Furthermore, we require that the receiver of an INIT chunk MUST 336 * enforce these rules by silently discarding an arriving packet 337 * with an INIT chunk that is bundled with other chunks. 338 */ 339 if (!chunk->singleton) 340 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 341 342 /* Make sure that the INIT chunk has a valid length. 343 * Normally, this would cause an ABORT with a Protocol Violation 344 * error, but since we don't have an association, we'll 345 * just discard the packet. 346 */ 347 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 348 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 349 350 /* If the packet is an OOTB packet which is temporarily on the 351 * control endpoint, respond with an ABORT. 352 */ 353 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 354 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 355 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 356 } 357 358 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 359 * Tag. 360 */ 361 if (chunk->sctp_hdr->vtag != 0) 362 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 363 364 /* If the INIT is coming toward a closing socket, we'll send back 365 * and ABORT. Essentially, this catches the race of INIT being 366 * backloged to the socket at the same time as the user issues close(). 367 * Since the socket and all its associations are going away, we 368 * can treat this OOTB 369 */ 370 if (sctp_sstate(ep->base.sk, CLOSING)) 371 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 372 373 /* Verify the INIT chunk before processing it. */ 374 err_chunk = NULL; 375 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 376 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 377 &err_chunk)) { 378 /* This chunk contains fatal error. It is to be discarded. 379 * Send an ABORT, with causes if there is any. 380 */ 381 if (err_chunk) { 382 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 383 (__u8 *)(err_chunk->chunk_hdr) + 384 sizeof(struct sctp_chunkhdr), 385 ntohs(err_chunk->chunk_hdr->length) - 386 sizeof(struct sctp_chunkhdr)); 387 388 sctp_chunk_free(err_chunk); 389 390 if (packet) { 391 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 392 SCTP_PACKET(packet)); 393 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 394 return SCTP_DISPOSITION_CONSUME; 395 } else { 396 return SCTP_DISPOSITION_NOMEM; 397 } 398 } else { 399 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 400 commands); 401 } 402 } 403 404 /* Grab the INIT header. */ 405 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 406 407 /* Tag the variable length parameters. */ 408 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 409 410 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 411 if (!new_asoc) 412 goto nomem; 413 414 /* Update socket peer label if first association. */ 415 if (security_sctp_assoc_request(new_asoc, chunk->skb)) { 416 sctp_association_free(new_asoc); 417 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 418 } 419 420 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 421 sctp_scope(sctp_source(chunk)), 422 GFP_ATOMIC) < 0) 423 goto nomem_init; 424 425 /* The call, sctp_process_init(), can fail on memory allocation. */ 426 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 427 (struct sctp_init_chunk *)chunk->chunk_hdr, 428 GFP_ATOMIC)) 429 goto nomem_init; 430 431 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 432 433 /* If there are errors need to be reported for unknown parameters, 434 * make sure to reserve enough room in the INIT ACK for them. 435 */ 436 len = 0; 437 if (err_chunk) 438 len = ntohs(err_chunk->chunk_hdr->length) - 439 sizeof(struct sctp_chunkhdr); 440 441 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 442 if (!repl) 443 goto nomem_init; 444 445 /* If there are errors need to be reported for unknown parameters, 446 * include them in the outgoing INIT ACK as "Unrecognized parameter" 447 * parameter. 448 */ 449 if (err_chunk) { 450 /* Get the "Unrecognized parameter" parameter(s) out of the 451 * ERROR chunk generated by sctp_verify_init(). Since the 452 * error cause code for "unknown parameter" and the 453 * "Unrecognized parameter" type is the same, we can 454 * construct the parameters in INIT ACK by copying the 455 * ERROR causes over. 456 */ 457 unk_param = (struct sctp_unrecognized_param *) 458 ((__u8 *)(err_chunk->chunk_hdr) + 459 sizeof(struct sctp_chunkhdr)); 460 /* Replace the cause code with the "Unrecognized parameter" 461 * parameter type. 462 */ 463 sctp_addto_chunk(repl, len, unk_param); 464 sctp_chunk_free(err_chunk); 465 } 466 467 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 468 469 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 470 471 /* 472 * Note: After sending out INIT ACK with the State Cookie parameter, 473 * "Z" MUST NOT allocate any resources, nor keep any states for the 474 * new association. Otherwise, "Z" will be vulnerable to resource 475 * attacks. 476 */ 477 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 478 479 return SCTP_DISPOSITION_DELETE_TCB; 480 481 nomem_init: 482 sctp_association_free(new_asoc); 483 nomem: 484 if (err_chunk) 485 sctp_chunk_free(err_chunk); 486 return SCTP_DISPOSITION_NOMEM; 487 } 488 489 /* 490 * Respond to a normal INIT ACK chunk. 491 * We are the side that is initiating the association. 492 * 493 * Section: 5.1 Normal Establishment of an Association, C 494 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 495 * timer and leave COOKIE-WAIT state. "A" shall then send the State 496 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 497 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 498 * 499 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 500 * DATA chunks, but it MUST be the first chunk in the packet and 501 * until the COOKIE ACK is returned the sender MUST NOT send any 502 * other packets to the peer. 503 * 504 * Verification Tag: 3.3.3 505 * If the value of the Initiate Tag in a received INIT ACK chunk is 506 * found to be 0, the receiver MUST treat it as an error and close the 507 * association by transmitting an ABORT. 508 * 509 * Inputs 510 * (endpoint, asoc, chunk) 511 * 512 * Outputs 513 * (asoc, reply_msg, msg_up, timers, counters) 514 * 515 * The return value is the disposition of the chunk. 516 */ 517 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, 518 const struct sctp_endpoint *ep, 519 const struct sctp_association *asoc, 520 const union sctp_subtype type, 521 void *arg, 522 struct sctp_cmd_seq *commands) 523 { 524 struct sctp_init_chunk *initchunk; 525 struct sctp_chunk *chunk = arg; 526 struct sctp_chunk *err_chunk; 527 struct sctp_packet *packet; 528 529 if (!sctp_vtag_verify(chunk, asoc)) 530 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 531 532 /* 6.10 Bundling 533 * An endpoint MUST NOT bundle INIT, INIT ACK or 534 * SHUTDOWN COMPLETE with any other chunks. 535 */ 536 if (!chunk->singleton) 537 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 538 539 /* Make sure that the INIT-ACK chunk has a valid length */ 540 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) 541 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 542 commands); 543 /* Grab the INIT header. */ 544 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 545 546 /* Verify the INIT chunk before processing it. */ 547 err_chunk = NULL; 548 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 549 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 550 &err_chunk)) { 551 552 enum sctp_error error = SCTP_ERROR_NO_RESOURCE; 553 554 /* This chunk contains fatal error. It is to be discarded. 555 * Send an ABORT, with causes. If there are no causes, 556 * then there wasn't enough memory. Just terminate 557 * the association. 558 */ 559 if (err_chunk) { 560 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 561 (__u8 *)(err_chunk->chunk_hdr) + 562 sizeof(struct sctp_chunkhdr), 563 ntohs(err_chunk->chunk_hdr->length) - 564 sizeof(struct sctp_chunkhdr)); 565 566 sctp_chunk_free(err_chunk); 567 568 if (packet) { 569 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 570 SCTP_PACKET(packet)); 571 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 572 error = SCTP_ERROR_INV_PARAM; 573 } 574 } 575 576 /* SCTP-AUTH, Section 6.3: 577 * It should be noted that if the receiver wants to tear 578 * down an association in an authenticated way only, the 579 * handling of malformed packets should not result in 580 * tearing down the association. 581 * 582 * This means that if we only want to abort associations 583 * in an authenticated way (i.e AUTH+ABORT), then we 584 * can't destroy this association just because the packet 585 * was malformed. 586 */ 587 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 588 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 589 590 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 591 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 592 asoc, chunk->transport); 593 } 594 595 /* Tag the variable length parameters. Note that we never 596 * convert the parameters in an INIT chunk. 597 */ 598 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 599 600 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; 601 602 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 603 SCTP_PEER_INIT(initchunk)); 604 605 /* Reset init error count upon receipt of INIT-ACK. */ 606 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 607 608 /* 5.1 C) "A" shall stop the T1-init timer and leave 609 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 610 * timer, and enter the COOKIE-ECHOED state. 611 */ 612 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 613 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 614 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 615 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 616 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 617 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 618 619 /* SCTP-AUTH: generate the association shared keys so that 620 * we can potentially sign the COOKIE-ECHO. 621 */ 622 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 623 624 /* 5.1 C) "A" shall then send the State Cookie received in the 625 * INIT ACK chunk in a COOKIE ECHO chunk, ... 626 */ 627 /* If there is any errors to report, send the ERROR chunk generated 628 * for unknown parameters as well. 629 */ 630 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 631 SCTP_CHUNK(err_chunk)); 632 633 return SCTP_DISPOSITION_CONSUME; 634 } 635 636 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk, 637 const struct sctp_association *asoc) 638 { 639 struct sctp_chunk auth; 640 641 if (!chunk->auth_chunk) 642 return true; 643 644 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 645 * is supposed to be authenticated and we have to do delayed 646 * authentication. We've just recreated the association using 647 * the information in the cookie and now it's much easier to 648 * do the authentication. 649 */ 650 651 /* Make sure that we and the peer are AUTH capable */ 652 if (!net->sctp.auth_enable || !asoc->peer.auth_capable) 653 return false; 654 655 /* set-up our fake chunk so that we can process it */ 656 auth.skb = chunk->auth_chunk; 657 auth.asoc = chunk->asoc; 658 auth.sctp_hdr = chunk->sctp_hdr; 659 auth.chunk_hdr = (struct sctp_chunkhdr *) 660 skb_push(chunk->auth_chunk, 661 sizeof(struct sctp_chunkhdr)); 662 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); 663 auth.transport = chunk->transport; 664 665 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR; 666 } 667 668 /* 669 * Respond to a normal COOKIE ECHO chunk. 670 * We are the side that is being asked for an association. 671 * 672 * Section: 5.1 Normal Establishment of an Association, D 673 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 674 * with a COOKIE ACK chunk after building a TCB and moving to 675 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 676 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 677 * chunk MUST be the first chunk in the packet. 678 * 679 * IMPLEMENTATION NOTE: An implementation may choose to send the 680 * Communication Up notification to the SCTP user upon reception 681 * of a valid COOKIE ECHO chunk. 682 * 683 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 684 * D) Rules for packet carrying a COOKIE ECHO 685 * 686 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 687 * Initial Tag received in the INIT ACK. 688 * 689 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 690 * 691 * Inputs 692 * (endpoint, asoc, chunk) 693 * 694 * Outputs 695 * (asoc, reply_msg, msg_up, timers, counters) 696 * 697 * The return value is the disposition of the chunk. 698 */ 699 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 700 const struct sctp_endpoint *ep, 701 const struct sctp_association *asoc, 702 const union sctp_subtype type, 703 void *arg, 704 struct sctp_cmd_seq *commands) 705 { 706 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; 707 struct sctp_association *new_asoc; 708 struct sctp_init_chunk *peer_init; 709 struct sctp_chunk *chunk = arg; 710 struct sctp_chunk *err_chk_p; 711 struct sctp_chunk *repl; 712 struct sock *sk; 713 int error = 0; 714 715 if (asoc && !sctp_vtag_verify(chunk, asoc)) 716 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 717 718 /* If the packet is an OOTB packet which is temporarily on the 719 * control endpoint, respond with an ABORT. 720 */ 721 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 722 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 723 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 724 } 725 726 /* Make sure that the COOKIE_ECHO chunk has a valid length. 727 * In this case, we check that we have enough for at least a 728 * chunk header. More detailed verification is done 729 * in sctp_unpack_cookie(). 730 */ 731 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 732 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 733 commands); 734 735 /* If the endpoint is not listening or if the number of associations 736 * on the TCP-style socket exceed the max backlog, respond with an 737 * ABORT. 738 */ 739 sk = ep->base.sk; 740 if (!sctp_sstate(sk, LISTENING) || 741 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 742 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 743 744 /* "Decode" the chunk. We have no optional parameters so we 745 * are in good shape. 746 */ 747 chunk->subh.cookie_hdr = 748 (struct sctp_signed_cookie *)chunk->skb->data; 749 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 750 sizeof(struct sctp_chunkhdr))) 751 goto nomem; 752 753 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 754 * "Z" will reply with a COOKIE ACK chunk after building a TCB 755 * and moving to the ESTABLISHED state. 756 */ 757 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 758 &err_chk_p); 759 760 /* FIXME: 761 * If the re-build failed, what is the proper error path 762 * from here? 763 * 764 * [We should abort the association. --piggy] 765 */ 766 if (!new_asoc) { 767 /* FIXME: Several errors are possible. A bad cookie should 768 * be silently discarded, but think about logging it too. 769 */ 770 switch (error) { 771 case -SCTP_IERROR_NOMEM: 772 goto nomem; 773 774 case -SCTP_IERROR_STALE_COOKIE: 775 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 776 err_chk_p); 777 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 778 779 case -SCTP_IERROR_BAD_SIG: 780 default: 781 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 782 } 783 } 784 785 if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) { 786 sctp_association_free(new_asoc); 787 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 788 } 789 790 /* Delay state machine commands until later. 791 * 792 * Re-build the bind address for the association is done in 793 * the sctp_unpack_cookie() already. 794 */ 795 /* This is a brand-new association, so these are not yet side 796 * effects--it is safe to run them here. 797 */ 798 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1); 799 if (!sctp_process_init(new_asoc, chunk, 800 &chunk->subh.cookie_hdr->c.peer_addr, 801 peer_init, GFP_ATOMIC)) 802 goto nomem_init; 803 804 /* SCTP-AUTH: Now that we've populate required fields in 805 * sctp_process_init, set up the association shared keys as 806 * necessary so that we can potentially authenticate the ACK 807 */ 808 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 809 if (error) 810 goto nomem_init; 811 812 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) { 813 sctp_association_free(new_asoc); 814 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 815 } 816 817 repl = sctp_make_cookie_ack(new_asoc, chunk); 818 if (!repl) 819 goto nomem_init; 820 821 /* RFC 2960 5.1 Normal Establishment of an Association 822 * 823 * D) IMPLEMENTATION NOTE: An implementation may choose to 824 * send the Communication Up notification to the SCTP user 825 * upon reception of a valid COOKIE ECHO chunk. 826 */ 827 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 828 new_asoc->c.sinit_num_ostreams, 829 new_asoc->c.sinit_max_instreams, 830 NULL, GFP_ATOMIC); 831 if (!ev) 832 goto nomem_ev; 833 834 /* Sockets API Draft Section 5.3.1.6 835 * When a peer sends a Adaptation Layer Indication parameter , SCTP 836 * delivers this notification to inform the application that of the 837 * peers requested adaptation layer. 838 */ 839 if (new_asoc->peer.adaptation_ind) { 840 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 841 GFP_ATOMIC); 842 if (!ai_ev) 843 goto nomem_aiev; 844 } 845 846 if (!new_asoc->peer.auth_capable) { 847 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, 848 SCTP_AUTH_NO_AUTH, 849 GFP_ATOMIC); 850 if (!auth_ev) 851 goto nomem_authev; 852 } 853 854 /* Add all the state machine commands now since we've created 855 * everything. This way we don't introduce memory corruptions 856 * during side-effect processing and correctly count established 857 * associations. 858 */ 859 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 860 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 861 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 862 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 863 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 864 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 865 866 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 867 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 868 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 869 870 /* This will send the COOKIE ACK */ 871 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 872 873 /* Queue the ASSOC_CHANGE event */ 874 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 875 876 /* Send up the Adaptation Layer Indication event */ 877 if (ai_ev) 878 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 879 SCTP_ULPEVENT(ai_ev)); 880 881 if (auth_ev) 882 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 883 SCTP_ULPEVENT(auth_ev)); 884 885 return SCTP_DISPOSITION_CONSUME; 886 887 nomem_authev: 888 sctp_ulpevent_free(ai_ev); 889 nomem_aiev: 890 sctp_ulpevent_free(ev); 891 nomem_ev: 892 sctp_chunk_free(repl); 893 nomem_init: 894 sctp_association_free(new_asoc); 895 nomem: 896 return SCTP_DISPOSITION_NOMEM; 897 } 898 899 /* 900 * Respond to a normal COOKIE ACK chunk. 901 * We are the side that is asking for an association. 902 * 903 * RFC 2960 5.1 Normal Establishment of an Association 904 * 905 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 906 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 907 * timer. It may also notify its ULP about the successful 908 * establishment of the association with a Communication Up 909 * notification (see Section 10). 910 * 911 * Verification Tag: 912 * Inputs 913 * (endpoint, asoc, chunk) 914 * 915 * Outputs 916 * (asoc, reply_msg, msg_up, timers, counters) 917 * 918 * The return value is the disposition of the chunk. 919 */ 920 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 921 const struct sctp_endpoint *ep, 922 const struct sctp_association *asoc, 923 const union sctp_subtype type, 924 void *arg, 925 struct sctp_cmd_seq *commands) 926 { 927 struct sctp_chunk *chunk = arg; 928 struct sctp_ulpevent *ev; 929 930 if (!sctp_vtag_verify(chunk, asoc)) 931 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 932 933 /* Set peer label for connection. */ 934 if (security_sctp_assoc_established((struct sctp_association *)asoc, 935 chunk->head_skb ?: chunk->skb)) 936 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 937 938 /* Verify that the chunk length for the COOKIE-ACK is OK. 939 * If we don't do this, any bundled chunks may be junked. 940 */ 941 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 942 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 943 commands); 944 945 /* Reset init error count upon receipt of COOKIE-ACK, 946 * to avoid problems with the management of this 947 * counter in stale cookie situations when a transition back 948 * from the COOKIE-ECHOED state to the COOKIE-WAIT 949 * state is performed. 950 */ 951 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 952 953 /* RFC 2960 5.1 Normal Establishment of an Association 954 * 955 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 956 * from the COOKIE-ECHOED state to the ESTABLISHED state, 957 * stopping the T1-cookie timer. 958 */ 959 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 960 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 961 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 962 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 963 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 964 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 965 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 966 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 967 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 968 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 969 970 /* It may also notify its ULP about the successful 971 * establishment of the association with a Communication Up 972 * notification (see Section 10). 973 */ 974 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 975 0, asoc->c.sinit_num_ostreams, 976 asoc->c.sinit_max_instreams, 977 NULL, GFP_ATOMIC); 978 979 if (!ev) 980 goto nomem; 981 982 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 983 984 /* Sockets API Draft Section 5.3.1.6 985 * When a peer sends a Adaptation Layer Indication parameter , SCTP 986 * delivers this notification to inform the application that of the 987 * peers requested adaptation layer. 988 */ 989 if (asoc->peer.adaptation_ind) { 990 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 991 if (!ev) 992 goto nomem; 993 994 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 995 SCTP_ULPEVENT(ev)); 996 } 997 998 if (!asoc->peer.auth_capable) { 999 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, 1000 GFP_ATOMIC); 1001 if (!ev) 1002 goto nomem; 1003 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1004 SCTP_ULPEVENT(ev)); 1005 } 1006 1007 return SCTP_DISPOSITION_CONSUME; 1008 nomem: 1009 return SCTP_DISPOSITION_NOMEM; 1010 } 1011 1012 /* Generate and sendout a heartbeat packet. */ 1013 static enum sctp_disposition sctp_sf_heartbeat( 1014 const struct sctp_endpoint *ep, 1015 const struct sctp_association *asoc, 1016 const union sctp_subtype type, 1017 void *arg, 1018 struct sctp_cmd_seq *commands) 1019 { 1020 struct sctp_transport *transport = (struct sctp_transport *) arg; 1021 struct sctp_chunk *reply; 1022 1023 /* Send a heartbeat to our peer. */ 1024 reply = sctp_make_heartbeat(asoc, transport, 0); 1025 if (!reply) 1026 return SCTP_DISPOSITION_NOMEM; 1027 1028 /* Set rto_pending indicating that an RTT measurement 1029 * is started with this heartbeat chunk. 1030 */ 1031 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 1032 SCTP_TRANSPORT(transport)); 1033 1034 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1035 return SCTP_DISPOSITION_CONSUME; 1036 } 1037 1038 /* Generate a HEARTBEAT packet on the given transport. */ 1039 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, 1040 const struct sctp_endpoint *ep, 1041 const struct sctp_association *asoc, 1042 const union sctp_subtype type, 1043 void *arg, 1044 struct sctp_cmd_seq *commands) 1045 { 1046 struct sctp_transport *transport = (struct sctp_transport *) arg; 1047 1048 if (asoc->overall_error_count >= asoc->max_retrans) { 1049 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1050 SCTP_ERROR(ETIMEDOUT)); 1051 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1052 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1053 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1054 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1055 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1056 return SCTP_DISPOSITION_DELETE_TCB; 1057 } 1058 1059 /* Section 3.3.5. 1060 * The Sender-specific Heartbeat Info field should normally include 1061 * information about the sender's current time when this HEARTBEAT 1062 * chunk is sent and the destination transport address to which this 1063 * HEARTBEAT is sent (see Section 8.3). 1064 */ 1065 1066 if (transport->param_flags & SPP_HB_ENABLE) { 1067 if (SCTP_DISPOSITION_NOMEM == 1068 sctp_sf_heartbeat(ep, asoc, type, arg, 1069 commands)) 1070 return SCTP_DISPOSITION_NOMEM; 1071 1072 /* Set transport error counter and association error counter 1073 * when sending heartbeat. 1074 */ 1075 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1076 SCTP_TRANSPORT(transport)); 1077 } 1078 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1079 SCTP_TRANSPORT(transport)); 1080 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1081 SCTP_TRANSPORT(transport)); 1082 1083 return SCTP_DISPOSITION_CONSUME; 1084 } 1085 1086 /* resend asoc strreset_chunk. */ 1087 enum sctp_disposition sctp_sf_send_reconf(struct net *net, 1088 const struct sctp_endpoint *ep, 1089 const struct sctp_association *asoc, 1090 const union sctp_subtype type, 1091 void *arg, 1092 struct sctp_cmd_seq *commands) 1093 { 1094 struct sctp_transport *transport = arg; 1095 1096 if (asoc->overall_error_count >= asoc->max_retrans) { 1097 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1098 SCTP_ERROR(ETIMEDOUT)); 1099 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1100 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1101 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1102 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1103 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1104 return SCTP_DISPOSITION_DELETE_TCB; 1105 } 1106 1107 sctp_chunk_hold(asoc->strreset_chunk); 1108 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1109 SCTP_CHUNK(asoc->strreset_chunk)); 1110 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 1111 1112 return SCTP_DISPOSITION_CONSUME; 1113 } 1114 1115 /* send hb chunk with padding for PLPMUTD. */ 1116 enum sctp_disposition sctp_sf_send_probe(struct net *net, 1117 const struct sctp_endpoint *ep, 1118 const struct sctp_association *asoc, 1119 const union sctp_subtype type, 1120 void *arg, 1121 struct sctp_cmd_seq *commands) 1122 { 1123 struct sctp_transport *transport = (struct sctp_transport *)arg; 1124 struct sctp_chunk *reply; 1125 1126 if (!sctp_transport_pl_enabled(transport)) 1127 return SCTP_DISPOSITION_CONSUME; 1128 1129 sctp_transport_pl_send(transport); 1130 reply = sctp_make_heartbeat(asoc, transport, transport->pl.probe_size); 1131 if (!reply) 1132 return SCTP_DISPOSITION_NOMEM; 1133 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1134 sctp_add_cmd_sf(commands, SCTP_CMD_PROBE_TIMER_UPDATE, 1135 SCTP_TRANSPORT(transport)); 1136 1137 return SCTP_DISPOSITION_CONSUME; 1138 } 1139 1140 /* 1141 * Process an heartbeat request. 1142 * 1143 * Section: 8.3 Path Heartbeat 1144 * The receiver of the HEARTBEAT should immediately respond with a 1145 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1146 * from the received HEARTBEAT chunk. 1147 * 1148 * Verification Tag: 8.5 Verification Tag [Normal verification] 1149 * When receiving an SCTP packet, the endpoint MUST ensure that the 1150 * value in the Verification Tag field of the received SCTP packet 1151 * matches its own Tag. If the received Verification Tag value does not 1152 * match the receiver's own tag value, the receiver shall silently 1153 * discard the packet and shall not process it any further except for 1154 * those cases listed in Section 8.5.1 below. 1155 * 1156 * Inputs 1157 * (endpoint, asoc, chunk) 1158 * 1159 * Outputs 1160 * (asoc, reply_msg, msg_up, timers, counters) 1161 * 1162 * The return value is the disposition of the chunk. 1163 */ 1164 enum sctp_disposition sctp_sf_beat_8_3(struct net *net, 1165 const struct sctp_endpoint *ep, 1166 const struct sctp_association *asoc, 1167 const union sctp_subtype type, 1168 void *arg, struct sctp_cmd_seq *commands) 1169 { 1170 struct sctp_paramhdr *param_hdr; 1171 struct sctp_chunk *chunk = arg; 1172 struct sctp_chunk *reply; 1173 size_t paylen = 0; 1174 1175 if (!sctp_vtag_verify(chunk, asoc)) 1176 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1177 1178 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1179 if (!sctp_chunk_length_valid(chunk, 1180 sizeof(struct sctp_heartbeat_chunk))) 1181 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1182 commands); 1183 1184 /* 8.3 The receiver of the HEARTBEAT should immediately 1185 * respond with a HEARTBEAT ACK that contains the Heartbeat 1186 * Information field copied from the received HEARTBEAT chunk. 1187 */ 1188 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; 1189 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; 1190 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); 1191 1192 if (ntohs(param_hdr->length) > paylen) 1193 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1194 param_hdr, commands); 1195 1196 if (!pskb_pull(chunk->skb, paylen)) 1197 goto nomem; 1198 1199 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1200 if (!reply) 1201 goto nomem; 1202 1203 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1204 return SCTP_DISPOSITION_CONSUME; 1205 1206 nomem: 1207 return SCTP_DISPOSITION_NOMEM; 1208 } 1209 1210 /* 1211 * Process the returning HEARTBEAT ACK. 1212 * 1213 * Section: 8.3 Path Heartbeat 1214 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1215 * should clear the error counter of the destination transport 1216 * address to which the HEARTBEAT was sent, and mark the destination 1217 * transport address as active if it is not so marked. The endpoint may 1218 * optionally report to the upper layer when an inactive destination 1219 * address is marked as active due to the reception of the latest 1220 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1221 * clear the association overall error count as well (as defined 1222 * in section 8.1). 1223 * 1224 * The receiver of the HEARTBEAT ACK should also perform an RTT 1225 * measurement for that destination transport address using the time 1226 * value carried in the HEARTBEAT ACK chunk. 1227 * 1228 * Verification Tag: 8.5 Verification Tag [Normal verification] 1229 * 1230 * Inputs 1231 * (endpoint, asoc, chunk) 1232 * 1233 * Outputs 1234 * (asoc, reply_msg, msg_up, timers, counters) 1235 * 1236 * The return value is the disposition of the chunk. 1237 */ 1238 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, 1239 const struct sctp_endpoint *ep, 1240 const struct sctp_association *asoc, 1241 const union sctp_subtype type, 1242 void *arg, 1243 struct sctp_cmd_seq *commands) 1244 { 1245 struct sctp_sender_hb_info *hbinfo; 1246 struct sctp_chunk *chunk = arg; 1247 struct sctp_transport *link; 1248 unsigned long max_interval; 1249 union sctp_addr from_addr; 1250 1251 if (!sctp_vtag_verify(chunk, asoc)) 1252 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1253 1254 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1255 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + 1256 sizeof(*hbinfo))) 1257 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1258 commands); 1259 1260 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; 1261 /* Make sure that the length of the parameter is what we expect */ 1262 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) 1263 return SCTP_DISPOSITION_DISCARD; 1264 1265 from_addr = hbinfo->daddr; 1266 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1267 1268 /* This should never happen, but lets log it if so. */ 1269 if (unlikely(!link)) { 1270 if (from_addr.sa.sa_family == AF_INET6) { 1271 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1272 __func__, 1273 asoc, 1274 &from_addr.v6.sin6_addr); 1275 } else { 1276 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1277 __func__, 1278 asoc, 1279 &from_addr.v4.sin_addr.s_addr); 1280 } 1281 return SCTP_DISPOSITION_DISCARD; 1282 } 1283 1284 /* Validate the 64-bit random nonce. */ 1285 if (hbinfo->hb_nonce != link->hb_nonce) 1286 return SCTP_DISPOSITION_DISCARD; 1287 1288 if (hbinfo->probe_size) { 1289 if (hbinfo->probe_size != link->pl.probe_size || 1290 !sctp_transport_pl_enabled(link)) 1291 return SCTP_DISPOSITION_DISCARD; 1292 1293 if (sctp_transport_pl_recv(link)) 1294 return SCTP_DISPOSITION_CONSUME; 1295 1296 return sctp_sf_send_probe(net, ep, asoc, type, link, commands); 1297 } 1298 1299 max_interval = link->hbinterval + link->rto; 1300 1301 /* Check if the timestamp looks valid. */ 1302 if (time_after(hbinfo->sent_at, jiffies) || 1303 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1304 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1305 "for transport:%p\n", __func__, link); 1306 1307 return SCTP_DISPOSITION_DISCARD; 1308 } 1309 1310 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1311 * the HEARTBEAT should clear the error counter of the 1312 * destination transport address to which the HEARTBEAT was 1313 * sent and mark the destination transport address as active if 1314 * it is not so marked. 1315 */ 1316 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1317 1318 return SCTP_DISPOSITION_CONSUME; 1319 } 1320 1321 /* Helper function to send out an abort for the restart 1322 * condition. 1323 */ 1324 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1325 struct sctp_chunk *init, 1326 struct sctp_cmd_seq *commands) 1327 { 1328 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1329 union sctp_addr_param *addrparm; 1330 struct sctp_errhdr *errhdr; 1331 char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; 1332 struct sctp_endpoint *ep; 1333 struct sctp_packet *pkt; 1334 int len; 1335 1336 /* Build the error on the stack. We are way to malloc crazy 1337 * throughout the code today. 1338 */ 1339 errhdr = (struct sctp_errhdr *)buffer; 1340 addrparm = (union sctp_addr_param *)(errhdr + 1); 1341 1342 /* Copy into a parm format. */ 1343 len = af->to_addr_param(ssa, addrparm); 1344 len += sizeof(*errhdr); 1345 1346 errhdr->cause = SCTP_ERROR_RESTART; 1347 errhdr->length = htons(len); 1348 1349 /* Assign to the control socket. */ 1350 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1351 1352 /* Association is NULL since this may be a restart attack and we 1353 * want to send back the attacker's vtag. 1354 */ 1355 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1356 1357 if (!pkt) 1358 goto out; 1359 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1360 1361 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1362 1363 /* Discard the rest of the inbound packet. */ 1364 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1365 1366 out: 1367 /* Even if there is no memory, treat as a failure so 1368 * the packet will get dropped. 1369 */ 1370 return 0; 1371 } 1372 1373 static bool list_has_sctp_addr(const struct list_head *list, 1374 union sctp_addr *ipaddr) 1375 { 1376 struct sctp_transport *addr; 1377 1378 list_for_each_entry(addr, list, transports) { 1379 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1380 return true; 1381 } 1382 1383 return false; 1384 } 1385 /* A restart is occurring, check to make sure no new addresses 1386 * are being added as we may be under a takeover attack. 1387 */ 1388 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1389 const struct sctp_association *asoc, 1390 struct sctp_chunk *init, 1391 struct sctp_cmd_seq *commands) 1392 { 1393 struct net *net = new_asoc->base.net; 1394 struct sctp_transport *new_addr; 1395 int ret = 1; 1396 1397 /* Implementor's Guide - Section 5.2.2 1398 * ... 1399 * Before responding the endpoint MUST check to see if the 1400 * unexpected INIT adds new addresses to the association. If new 1401 * addresses are added to the association, the endpoint MUST respond 1402 * with an ABORT.. 1403 */ 1404 1405 /* Search through all current addresses and make sure 1406 * we aren't adding any new ones. 1407 */ 1408 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1409 transports) { 1410 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1411 &new_addr->ipaddr)) { 1412 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1413 commands); 1414 ret = 0; 1415 break; 1416 } 1417 } 1418 1419 /* Return success if all addresses were found. */ 1420 return ret; 1421 } 1422 1423 /* Populate the verification/tie tags based on overlapping INIT 1424 * scenario. 1425 * 1426 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1427 */ 1428 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1429 const struct sctp_association *asoc) 1430 { 1431 switch (asoc->state) { 1432 1433 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1434 1435 case SCTP_STATE_COOKIE_WAIT: 1436 new_asoc->c.my_vtag = asoc->c.my_vtag; 1437 new_asoc->c.my_ttag = asoc->c.my_vtag; 1438 new_asoc->c.peer_ttag = 0; 1439 break; 1440 1441 case SCTP_STATE_COOKIE_ECHOED: 1442 new_asoc->c.my_vtag = asoc->c.my_vtag; 1443 new_asoc->c.my_ttag = asoc->c.my_vtag; 1444 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1445 break; 1446 1447 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1448 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1449 */ 1450 default: 1451 new_asoc->c.my_ttag = asoc->c.my_vtag; 1452 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1453 break; 1454 } 1455 1456 /* Other parameters for the endpoint SHOULD be copied from the 1457 * existing parameters of the association (e.g. number of 1458 * outbound streams) into the INIT ACK and cookie. 1459 */ 1460 new_asoc->rwnd = asoc->rwnd; 1461 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1462 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1463 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1464 } 1465 1466 /* 1467 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1468 * handling action. 1469 * 1470 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1471 * 1472 * Returns value representing action to be taken. These action values 1473 * correspond to Action/Description values in RFC 2960, Table 2. 1474 */ 1475 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1476 const struct sctp_association *asoc) 1477 { 1478 /* In this case, the peer may have restarted. */ 1479 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1480 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1481 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1482 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1483 return 'A'; 1484 1485 /* Collision case B. */ 1486 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1487 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1488 (0 == asoc->c.peer_vtag))) { 1489 return 'B'; 1490 } 1491 1492 /* Collision case D. */ 1493 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1494 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1495 return 'D'; 1496 1497 /* Collision case C. */ 1498 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1499 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1500 (0 == new_asoc->c.my_ttag) && 1501 (0 == new_asoc->c.peer_ttag)) 1502 return 'C'; 1503 1504 /* No match to any of the special cases; discard this packet. */ 1505 return 'E'; 1506 } 1507 1508 /* Common helper routine for both duplicate and simultaneous INIT 1509 * chunk handling. 1510 */ 1511 static enum sctp_disposition sctp_sf_do_unexpected_init( 1512 struct net *net, 1513 const struct sctp_endpoint *ep, 1514 const struct sctp_association *asoc, 1515 const union sctp_subtype type, 1516 void *arg, 1517 struct sctp_cmd_seq *commands) 1518 { 1519 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 1520 struct sctp_unrecognized_param *unk_param; 1521 struct sctp_association *new_asoc; 1522 enum sctp_disposition retval; 1523 struct sctp_packet *packet; 1524 int len; 1525 1526 /* 6.10 Bundling 1527 * An endpoint MUST NOT bundle INIT, INIT ACK or 1528 * SHUTDOWN COMPLETE with any other chunks. 1529 * 1530 * IG Section 2.11.2 1531 * Furthermore, we require that the receiver of an INIT chunk MUST 1532 * enforce these rules by silently discarding an arriving packet 1533 * with an INIT chunk that is bundled with other chunks. 1534 */ 1535 if (!chunk->singleton) 1536 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1537 1538 /* Make sure that the INIT chunk has a valid length. */ 1539 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 1540 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1541 1542 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1543 * Tag. 1544 */ 1545 if (chunk->sctp_hdr->vtag != 0) 1546 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1547 1548 if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port) 1549 return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands); 1550 1551 /* Grab the INIT header. */ 1552 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 1553 1554 /* Tag the variable length parameters. */ 1555 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 1556 1557 /* Verify the INIT chunk before processing it. */ 1558 err_chunk = NULL; 1559 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1560 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 1561 &err_chunk)) { 1562 /* This chunk contains fatal error. It is to be discarded. 1563 * Send an ABORT, with causes if there is any. 1564 */ 1565 if (err_chunk) { 1566 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1567 (__u8 *)(err_chunk->chunk_hdr) + 1568 sizeof(struct sctp_chunkhdr), 1569 ntohs(err_chunk->chunk_hdr->length) - 1570 sizeof(struct sctp_chunkhdr)); 1571 1572 if (packet) { 1573 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1574 SCTP_PACKET(packet)); 1575 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1576 retval = SCTP_DISPOSITION_CONSUME; 1577 } else { 1578 retval = SCTP_DISPOSITION_NOMEM; 1579 } 1580 goto cleanup; 1581 } else { 1582 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1583 commands); 1584 } 1585 } 1586 1587 /* 1588 * Other parameters for the endpoint SHOULD be copied from the 1589 * existing parameters of the association (e.g. number of 1590 * outbound streams) into the INIT ACK and cookie. 1591 * FIXME: We are copying parameters from the endpoint not the 1592 * association. 1593 */ 1594 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1595 if (!new_asoc) 1596 goto nomem; 1597 1598 /* Update socket peer label if first association. */ 1599 if (security_sctp_assoc_request(new_asoc, chunk->skb)) { 1600 sctp_association_free(new_asoc); 1601 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1602 } 1603 1604 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1605 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1606 goto nomem; 1607 1608 /* In the outbound INIT ACK the endpoint MUST copy its current 1609 * Verification Tag and Peers Verification tag into a reserved 1610 * place (local tie-tag and per tie-tag) within the state cookie. 1611 */ 1612 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1613 (struct sctp_init_chunk *)chunk->chunk_hdr, 1614 GFP_ATOMIC)) 1615 goto nomem; 1616 1617 /* Make sure no new addresses are being added during the 1618 * restart. Do not do this check for COOKIE-WAIT state, 1619 * since there are no peer addresses to check against. 1620 * Upon return an ABORT will have been sent if needed. 1621 */ 1622 if (!sctp_state(asoc, COOKIE_WAIT)) { 1623 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1624 commands)) { 1625 retval = SCTP_DISPOSITION_CONSUME; 1626 goto nomem_retval; 1627 } 1628 } 1629 1630 sctp_tietags_populate(new_asoc, asoc); 1631 1632 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1633 1634 /* If there are errors need to be reported for unknown parameters, 1635 * make sure to reserve enough room in the INIT ACK for them. 1636 */ 1637 len = 0; 1638 if (err_chunk) { 1639 len = ntohs(err_chunk->chunk_hdr->length) - 1640 sizeof(struct sctp_chunkhdr); 1641 } 1642 1643 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1644 if (!repl) 1645 goto nomem; 1646 1647 /* If there are errors need to be reported for unknown parameters, 1648 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1649 * parameter. 1650 */ 1651 if (err_chunk) { 1652 /* Get the "Unrecognized parameter" parameter(s) out of the 1653 * ERROR chunk generated by sctp_verify_init(). Since the 1654 * error cause code for "unknown parameter" and the 1655 * "Unrecognized parameter" type is the same, we can 1656 * construct the parameters in INIT ACK by copying the 1657 * ERROR causes over. 1658 */ 1659 unk_param = (struct sctp_unrecognized_param *) 1660 ((__u8 *)(err_chunk->chunk_hdr) + 1661 sizeof(struct sctp_chunkhdr)); 1662 /* Replace the cause code with the "Unrecognized parameter" 1663 * parameter type. 1664 */ 1665 sctp_addto_chunk(repl, len, unk_param); 1666 } 1667 1668 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1669 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1670 1671 /* 1672 * Note: After sending out INIT ACK with the State Cookie parameter, 1673 * "Z" MUST NOT allocate any resources for this new association. 1674 * Otherwise, "Z" will be vulnerable to resource attacks. 1675 */ 1676 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1677 retval = SCTP_DISPOSITION_CONSUME; 1678 1679 return retval; 1680 1681 nomem: 1682 retval = SCTP_DISPOSITION_NOMEM; 1683 nomem_retval: 1684 if (new_asoc) 1685 sctp_association_free(new_asoc); 1686 cleanup: 1687 if (err_chunk) 1688 sctp_chunk_free(err_chunk); 1689 return retval; 1690 } 1691 1692 /* 1693 * Handle simultaneous INIT. 1694 * This means we started an INIT and then we got an INIT request from 1695 * our peer. 1696 * 1697 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1698 * This usually indicates an initialization collision, i.e., each 1699 * endpoint is attempting, at about the same time, to establish an 1700 * association with the other endpoint. 1701 * 1702 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1703 * endpoint MUST respond with an INIT ACK using the same parameters it 1704 * sent in its original INIT chunk (including its Verification Tag, 1705 * unchanged). These original parameters are combined with those from the 1706 * newly received INIT chunk. The endpoint shall also generate a State 1707 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1708 * INIT to calculate the State Cookie. 1709 * 1710 * After that, the endpoint MUST NOT change its state, the T1-init 1711 * timer shall be left running and the corresponding TCB MUST NOT be 1712 * destroyed. The normal procedures for handling State Cookies when 1713 * a TCB exists will resolve the duplicate INITs to a single association. 1714 * 1715 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1716 * its Tie-Tags with the Tag information of itself and its peer (see 1717 * section 5.2.2 for a description of the Tie-Tags). 1718 * 1719 * Verification Tag: Not explicit, but an INIT can not have a valid 1720 * verification tag, so we skip the check. 1721 * 1722 * Inputs 1723 * (endpoint, asoc, chunk) 1724 * 1725 * Outputs 1726 * (asoc, reply_msg, msg_up, timers, counters) 1727 * 1728 * The return value is the disposition of the chunk. 1729 */ 1730 enum sctp_disposition sctp_sf_do_5_2_1_siminit( 1731 struct net *net, 1732 const struct sctp_endpoint *ep, 1733 const struct sctp_association *asoc, 1734 const union sctp_subtype type, 1735 void *arg, 1736 struct sctp_cmd_seq *commands) 1737 { 1738 /* Call helper to do the real work for both simultaneous and 1739 * duplicate INIT chunk handling. 1740 */ 1741 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1742 } 1743 1744 /* 1745 * Handle duplicated INIT messages. These are usually delayed 1746 * restransmissions. 1747 * 1748 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1749 * COOKIE-ECHOED and COOKIE-WAIT 1750 * 1751 * Unless otherwise stated, upon reception of an unexpected INIT for 1752 * this association, the endpoint shall generate an INIT ACK with a 1753 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1754 * current Verification Tag and peer's Verification Tag into a reserved 1755 * place within the state cookie. We shall refer to these locations as 1756 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1757 * containing this INIT ACK MUST carry a Verification Tag value equal to 1758 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1759 * MUST contain a new Initiation Tag (randomly generated see Section 1760 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1761 * existing parameters of the association (e.g. number of outbound 1762 * streams) into the INIT ACK and cookie. 1763 * 1764 * After sending out the INIT ACK, the endpoint shall take no further 1765 * actions, i.e., the existing association, including its current state, 1766 * and the corresponding TCB MUST NOT be changed. 1767 * 1768 * Note: Only when a TCB exists and the association is not in a COOKIE- 1769 * WAIT state are the Tie-Tags populated. For a normal association INIT 1770 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1771 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1772 * State Cookie are populated as specified in section 5.2.1. 1773 * 1774 * Verification Tag: Not specified, but an INIT has no way of knowing 1775 * what the verification tag could be, so we ignore it. 1776 * 1777 * Inputs 1778 * (endpoint, asoc, chunk) 1779 * 1780 * Outputs 1781 * (asoc, reply_msg, msg_up, timers, counters) 1782 * 1783 * The return value is the disposition of the chunk. 1784 */ 1785 enum sctp_disposition sctp_sf_do_5_2_2_dupinit( 1786 struct net *net, 1787 const struct sctp_endpoint *ep, 1788 const struct sctp_association *asoc, 1789 const union sctp_subtype type, 1790 void *arg, 1791 struct sctp_cmd_seq *commands) 1792 { 1793 /* Call helper to do the real work for both simultaneous and 1794 * duplicate INIT chunk handling. 1795 */ 1796 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1797 } 1798 1799 1800 /* 1801 * Unexpected INIT-ACK handler. 1802 * 1803 * Section 5.2.3 1804 * If an INIT ACK received by an endpoint in any state other than the 1805 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1806 * An unexpected INIT ACK usually indicates the processing of an old or 1807 * duplicated INIT chunk. 1808 */ 1809 enum sctp_disposition sctp_sf_do_5_2_3_initack( 1810 struct net *net, 1811 const struct sctp_endpoint *ep, 1812 const struct sctp_association *asoc, 1813 const union sctp_subtype type, 1814 void *arg, 1815 struct sctp_cmd_seq *commands) 1816 { 1817 /* Per the above section, we'll discard the chunk if we have an 1818 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1819 */ 1820 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1821 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1822 else 1823 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1824 } 1825 1826 static int sctp_sf_do_assoc_update(struct sctp_association *asoc, 1827 struct sctp_association *new, 1828 struct sctp_cmd_seq *cmds) 1829 { 1830 struct net *net = asoc->base.net; 1831 struct sctp_chunk *abort; 1832 1833 if (!sctp_assoc_update(asoc, new)) 1834 return 0; 1835 1836 abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); 1837 if (abort) { 1838 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 1839 sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 1840 } 1841 sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); 1842 sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED, 1843 SCTP_PERR(SCTP_ERROR_RSRC_LOW)); 1844 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1845 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1846 1847 return -ENOMEM; 1848 } 1849 1850 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1851 * 1852 * Section 5.2.4 1853 * A) In this case, the peer may have restarted. 1854 */ 1855 static enum sctp_disposition sctp_sf_do_dupcook_a( 1856 struct net *net, 1857 const struct sctp_endpoint *ep, 1858 const struct sctp_association *asoc, 1859 struct sctp_chunk *chunk, 1860 struct sctp_cmd_seq *commands, 1861 struct sctp_association *new_asoc) 1862 { 1863 struct sctp_init_chunk *peer_init; 1864 enum sctp_disposition disposition; 1865 struct sctp_ulpevent *ev; 1866 struct sctp_chunk *repl; 1867 struct sctp_chunk *err; 1868 1869 /* new_asoc is a brand-new association, so these are not yet 1870 * side effects--it is safe to run them here. 1871 */ 1872 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1); 1873 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1874 GFP_ATOMIC)) 1875 goto nomem; 1876 1877 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1878 goto nomem; 1879 1880 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 1881 return SCTP_DISPOSITION_DISCARD; 1882 1883 /* Make sure no new addresses are being added during the 1884 * restart. Though this is a pretty complicated attack 1885 * since you'd have to get inside the cookie. 1886 */ 1887 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) 1888 return SCTP_DISPOSITION_CONSUME; 1889 1890 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1891 * the peer has restarted (Action A), it MUST NOT setup a new 1892 * association but instead resend the SHUTDOWN ACK and send an ERROR 1893 * chunk with a "Cookie Received while Shutting Down" error cause to 1894 * its peer. 1895 */ 1896 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1897 disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, 1898 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1899 chunk, commands); 1900 if (SCTP_DISPOSITION_NOMEM == disposition) 1901 goto nomem; 1902 1903 err = sctp_make_op_error(asoc, chunk, 1904 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1905 NULL, 0, 0); 1906 if (err) 1907 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1908 SCTP_CHUNK(err)); 1909 1910 return SCTP_DISPOSITION_CONSUME; 1911 } 1912 1913 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1914 * data. Consider the optional choice of resending of this data. 1915 */ 1916 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1917 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1918 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1919 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1920 1921 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1922 * and ASCONF-ACK cache. 1923 */ 1924 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1925 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1926 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1927 1928 /* Update the content of current association. */ 1929 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) 1930 goto nomem; 1931 1932 repl = sctp_make_cookie_ack(asoc, chunk); 1933 if (!repl) 1934 goto nomem; 1935 1936 /* Report association restart to upper layer. */ 1937 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1938 asoc->c.sinit_num_ostreams, 1939 asoc->c.sinit_max_instreams, 1940 NULL, GFP_ATOMIC); 1941 if (!ev) 1942 goto nomem_ev; 1943 1944 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1945 if ((sctp_state(asoc, SHUTDOWN_PENDING) || 1946 sctp_state(asoc, SHUTDOWN_SENT)) && 1947 (sctp_sstate(asoc->base.sk, CLOSING) || 1948 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1949 /* If the socket has been closed by user, don't 1950 * transition to ESTABLISHED. Instead trigger SHUTDOWN 1951 * bundled with COOKIE_ACK. 1952 */ 1953 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1954 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1955 SCTP_ST_CHUNK(0), repl, 1956 commands); 1957 } else { 1958 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1959 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1960 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1961 } 1962 return SCTP_DISPOSITION_CONSUME; 1963 1964 nomem_ev: 1965 sctp_chunk_free(repl); 1966 nomem: 1967 return SCTP_DISPOSITION_NOMEM; 1968 } 1969 1970 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1971 * 1972 * Section 5.2.4 1973 * B) In this case, both sides may be attempting to start an association 1974 * at about the same time but the peer endpoint started its INIT 1975 * after responding to the local endpoint's INIT 1976 */ 1977 /* This case represents an initialization collision. */ 1978 static enum sctp_disposition sctp_sf_do_dupcook_b( 1979 struct net *net, 1980 const struct sctp_endpoint *ep, 1981 const struct sctp_association *asoc, 1982 struct sctp_chunk *chunk, 1983 struct sctp_cmd_seq *commands, 1984 struct sctp_association *new_asoc) 1985 { 1986 struct sctp_init_chunk *peer_init; 1987 struct sctp_chunk *repl; 1988 1989 /* new_asoc is a brand-new association, so these are not yet 1990 * side effects--it is safe to run them here. 1991 */ 1992 peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1); 1993 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1994 GFP_ATOMIC)) 1995 goto nomem; 1996 1997 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1998 goto nomem; 1999 2000 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 2001 return SCTP_DISPOSITION_DISCARD; 2002 2003 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2004 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2005 if (asoc->state < SCTP_STATE_ESTABLISHED) 2006 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2007 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 2008 2009 /* Update the content of current association. */ 2010 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) 2011 goto nomem; 2012 2013 repl = sctp_make_cookie_ack(asoc, chunk); 2014 if (!repl) 2015 goto nomem; 2016 2017 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2018 2019 /* RFC 2960 5.1 Normal Establishment of an Association 2020 * 2021 * D) IMPLEMENTATION NOTE: An implementation may choose to 2022 * send the Communication Up notification to the SCTP user 2023 * upon reception of a valid COOKIE ECHO chunk. 2024 * 2025 * Sadly, this needs to be implemented as a side-effect, because 2026 * we are not guaranteed to have set the association id of the real 2027 * association and so these notifications need to be delayed until 2028 * the association id is allocated. 2029 */ 2030 2031 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 2032 2033 /* Sockets API Draft Section 5.3.1.6 2034 * When a peer sends a Adaptation Layer Indication parameter , SCTP 2035 * delivers this notification to inform the application that of the 2036 * peers requested adaptation layer. 2037 * 2038 * This also needs to be done as a side effect for the same reason as 2039 * above. 2040 */ 2041 if (asoc->peer.adaptation_ind) 2042 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 2043 2044 if (!asoc->peer.auth_capable) 2045 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); 2046 2047 return SCTP_DISPOSITION_CONSUME; 2048 2049 nomem: 2050 return SCTP_DISPOSITION_NOMEM; 2051 } 2052 2053 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 2054 * 2055 * Section 5.2.4 2056 * C) In this case, the local endpoint's cookie has arrived late. 2057 * Before it arrived, the local endpoint sent an INIT and received an 2058 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 2059 * but a new tag of its own. 2060 */ 2061 /* This case represents an initialization collision. */ 2062 static enum sctp_disposition sctp_sf_do_dupcook_c( 2063 struct net *net, 2064 const struct sctp_endpoint *ep, 2065 const struct sctp_association *asoc, 2066 struct sctp_chunk *chunk, 2067 struct sctp_cmd_seq *commands, 2068 struct sctp_association *new_asoc) 2069 { 2070 /* The cookie should be silently discarded. 2071 * The endpoint SHOULD NOT change states and should leave 2072 * any timers running. 2073 */ 2074 return SCTP_DISPOSITION_DISCARD; 2075 } 2076 2077 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 2078 * 2079 * Section 5.2.4 2080 * 2081 * D) When both local and remote tags match the endpoint should always 2082 * enter the ESTABLISHED state, if it has not already done so. 2083 */ 2084 /* This case represents an initialization collision. */ 2085 static enum sctp_disposition sctp_sf_do_dupcook_d( 2086 struct net *net, 2087 const struct sctp_endpoint *ep, 2088 const struct sctp_association *asoc, 2089 struct sctp_chunk *chunk, 2090 struct sctp_cmd_seq *commands, 2091 struct sctp_association *new_asoc) 2092 { 2093 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; 2094 struct sctp_chunk *repl; 2095 2096 /* Clarification from Implementor's Guide: 2097 * D) When both local and remote tags match the endpoint should 2098 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 2099 * It should stop any cookie timer that may be running and send 2100 * a COOKIE ACK. 2101 */ 2102 2103 if (!sctp_auth_chunk_verify(net, chunk, asoc)) 2104 return SCTP_DISPOSITION_DISCARD; 2105 2106 /* Don't accidentally move back into established state. */ 2107 if (asoc->state < SCTP_STATE_ESTABLISHED) { 2108 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2109 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2110 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2111 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2112 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2113 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 2114 SCTP_NULL()); 2115 2116 /* RFC 2960 5.1 Normal Establishment of an Association 2117 * 2118 * D) IMPLEMENTATION NOTE: An implementation may choose 2119 * to send the Communication Up notification to the 2120 * SCTP user upon reception of a valid COOKIE 2121 * ECHO chunk. 2122 */ 2123 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 2124 SCTP_COMM_UP, 0, 2125 asoc->c.sinit_num_ostreams, 2126 asoc->c.sinit_max_instreams, 2127 NULL, GFP_ATOMIC); 2128 if (!ev) 2129 goto nomem; 2130 2131 /* Sockets API Draft Section 5.3.1.6 2132 * When a peer sends a Adaptation Layer Indication parameter, 2133 * SCTP delivers this notification to inform the application 2134 * that of the peers requested adaptation layer. 2135 */ 2136 if (asoc->peer.adaptation_ind) { 2137 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 2138 GFP_ATOMIC); 2139 if (!ai_ev) 2140 goto nomem; 2141 2142 } 2143 2144 if (!asoc->peer.auth_capable) { 2145 auth_ev = sctp_ulpevent_make_authkey(asoc, 0, 2146 SCTP_AUTH_NO_AUTH, 2147 GFP_ATOMIC); 2148 if (!auth_ev) 2149 goto nomem; 2150 } 2151 } 2152 2153 repl = sctp_make_cookie_ack(asoc, chunk); 2154 if (!repl) 2155 goto nomem; 2156 2157 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2158 2159 if (ev) 2160 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2161 SCTP_ULPEVENT(ev)); 2162 if (ai_ev) 2163 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2164 SCTP_ULPEVENT(ai_ev)); 2165 if (auth_ev) 2166 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2167 SCTP_ULPEVENT(auth_ev)); 2168 2169 return SCTP_DISPOSITION_CONSUME; 2170 2171 nomem: 2172 if (auth_ev) 2173 sctp_ulpevent_free(auth_ev); 2174 if (ai_ev) 2175 sctp_ulpevent_free(ai_ev); 2176 if (ev) 2177 sctp_ulpevent_free(ev); 2178 return SCTP_DISPOSITION_NOMEM; 2179 } 2180 2181 /* 2182 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 2183 * chunk was retransmitted and then delayed in the network. 2184 * 2185 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 2186 * 2187 * Verification Tag: None. Do cookie validation. 2188 * 2189 * Inputs 2190 * (endpoint, asoc, chunk) 2191 * 2192 * Outputs 2193 * (asoc, reply_msg, msg_up, timers, counters) 2194 * 2195 * The return value is the disposition of the chunk. 2196 */ 2197 enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 2198 struct net *net, 2199 const struct sctp_endpoint *ep, 2200 const struct sctp_association *asoc, 2201 const union sctp_subtype type, 2202 void *arg, 2203 struct sctp_cmd_seq *commands) 2204 { 2205 struct sctp_association *new_asoc; 2206 struct sctp_chunk *chunk = arg; 2207 enum sctp_disposition retval; 2208 struct sctp_chunk *err_chk_p; 2209 int error = 0; 2210 char action; 2211 2212 /* Make sure that the chunk has a valid length from the protocol 2213 * perspective. In this case check to make sure we have at least 2214 * enough for the chunk header. Cookie length verification is 2215 * done later. 2216 */ 2217 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { 2218 if (!sctp_vtag_verify(chunk, asoc)) 2219 asoc = NULL; 2220 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); 2221 } 2222 2223 /* "Decode" the chunk. We have no optional parameters so we 2224 * are in good shape. 2225 */ 2226 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2227 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2228 sizeof(struct sctp_chunkhdr))) 2229 goto nomem; 2230 2231 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2232 * of a duplicate COOKIE ECHO match the Verification Tags of the 2233 * current association, consider the State Cookie valid even if 2234 * the lifespan is exceeded. 2235 */ 2236 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2237 &err_chk_p); 2238 2239 /* FIXME: 2240 * If the re-build failed, what is the proper error path 2241 * from here? 2242 * 2243 * [We should abort the association. --piggy] 2244 */ 2245 if (!new_asoc) { 2246 /* FIXME: Several errors are possible. A bad cookie should 2247 * be silently discarded, but think about logging it too. 2248 */ 2249 switch (error) { 2250 case -SCTP_IERROR_NOMEM: 2251 goto nomem; 2252 2253 case -SCTP_IERROR_STALE_COOKIE: 2254 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2255 err_chk_p); 2256 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2257 case -SCTP_IERROR_BAD_SIG: 2258 default: 2259 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2260 } 2261 } 2262 2263 /* Set temp so that it won't be added into hashtable */ 2264 new_asoc->temp = 1; 2265 2266 /* Compare the tie_tag in cookie with the verification tag of 2267 * current association. 2268 */ 2269 action = sctp_tietags_compare(new_asoc, asoc); 2270 2271 /* In cases C and E the association doesn't enter the ESTABLISHED 2272 * state, so there is no need to call security_sctp_assoc_request(). 2273 */ 2274 switch (action) { 2275 case 'A': /* Association restart. */ 2276 case 'B': /* Collision case B. */ 2277 case 'D': /* Collision case D. */ 2278 /* Update socket peer label if first association. */ 2279 if (security_sctp_assoc_request((struct sctp_association *)asoc, 2280 chunk->head_skb ?: chunk->skb)) { 2281 sctp_association_free(new_asoc); 2282 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2283 } 2284 break; 2285 } 2286 2287 switch (action) { 2288 case 'A': /* Association restart. */ 2289 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2290 new_asoc); 2291 break; 2292 2293 case 'B': /* Collision case B. */ 2294 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2295 new_asoc); 2296 break; 2297 2298 case 'C': /* Collision case C. */ 2299 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2300 new_asoc); 2301 break; 2302 2303 case 'D': /* Collision case D. */ 2304 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2305 new_asoc); 2306 break; 2307 2308 default: /* Discard packet for all others. */ 2309 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2310 break; 2311 } 2312 2313 /* Delete the temporary new association. */ 2314 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2315 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2316 2317 /* Restore association pointer to provide SCTP command interpreter 2318 * with a valid context in case it needs to manipulate 2319 * the queues */ 2320 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2321 SCTP_ASOC((struct sctp_association *)asoc)); 2322 2323 return retval; 2324 2325 nomem: 2326 return SCTP_DISPOSITION_NOMEM; 2327 } 2328 2329 /* 2330 * Process an ABORT. (SHUTDOWN-PENDING state) 2331 * 2332 * See sctp_sf_do_9_1_abort(). 2333 */ 2334 enum sctp_disposition sctp_sf_shutdown_pending_abort( 2335 struct net *net, 2336 const struct sctp_endpoint *ep, 2337 const struct sctp_association *asoc, 2338 const union sctp_subtype type, 2339 void *arg, 2340 struct sctp_cmd_seq *commands) 2341 { 2342 struct sctp_chunk *chunk = arg; 2343 2344 if (!sctp_vtag_verify_either(chunk, asoc)) 2345 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2346 2347 /* Make sure that the ABORT chunk has a valid length. 2348 * Since this is an ABORT chunk, we have to discard it 2349 * because of the following text: 2350 * RFC 2960, Section 3.3.7 2351 * If an endpoint receives an ABORT with a format error or for an 2352 * association that doesn't exist, it MUST silently discard it. 2353 * Because the length is "invalid", we can't really discard just 2354 * as we do not know its true length. So, to be safe, discard the 2355 * packet. 2356 */ 2357 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2358 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2359 2360 /* ADD-IP: Special case for ABORT chunks 2361 * F4) One special consideration is that ABORT Chunks arriving 2362 * destined to the IP address being deleted MUST be 2363 * ignored (see Section 5.3.1 for further details). 2364 */ 2365 if (SCTP_ADDR_DEL == 2366 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2367 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2368 2369 if (!sctp_err_chunk_valid(chunk)) 2370 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2371 2372 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2373 } 2374 2375 /* 2376 * Process an ABORT. (SHUTDOWN-SENT state) 2377 * 2378 * See sctp_sf_do_9_1_abort(). 2379 */ 2380 enum sctp_disposition sctp_sf_shutdown_sent_abort( 2381 struct net *net, 2382 const struct sctp_endpoint *ep, 2383 const struct sctp_association *asoc, 2384 const union sctp_subtype type, 2385 void *arg, 2386 struct sctp_cmd_seq *commands) 2387 { 2388 struct sctp_chunk *chunk = arg; 2389 2390 if (!sctp_vtag_verify_either(chunk, asoc)) 2391 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2392 2393 /* Make sure that the ABORT chunk has a valid length. 2394 * Since this is an ABORT chunk, we have to discard it 2395 * because of the following text: 2396 * RFC 2960, Section 3.3.7 2397 * If an endpoint receives an ABORT with a format error or for an 2398 * association that doesn't exist, it MUST silently discard it. 2399 * Because the length is "invalid", we can't really discard just 2400 * as we do not know its true length. So, to be safe, discard the 2401 * packet. 2402 */ 2403 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2404 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2405 2406 /* ADD-IP: Special case for ABORT chunks 2407 * F4) One special consideration is that ABORT Chunks arriving 2408 * destined to the IP address being deleted MUST be 2409 * ignored (see Section 5.3.1 for further details). 2410 */ 2411 if (SCTP_ADDR_DEL == 2412 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2413 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2414 2415 if (!sctp_err_chunk_valid(chunk)) 2416 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2417 2418 /* Stop the T2-shutdown timer. */ 2419 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2420 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2421 2422 /* Stop the T5-shutdown guard timer. */ 2423 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2424 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2425 2426 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2427 } 2428 2429 /* 2430 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2431 * 2432 * See sctp_sf_do_9_1_abort(). 2433 */ 2434 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( 2435 struct net *net, 2436 const struct sctp_endpoint *ep, 2437 const struct sctp_association *asoc, 2438 const union sctp_subtype type, 2439 void *arg, 2440 struct sctp_cmd_seq *commands) 2441 { 2442 /* The same T2 timer, so we should be able to use 2443 * common function with the SHUTDOWN-SENT state. 2444 */ 2445 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2446 } 2447 2448 /* 2449 * Handle an Error received in COOKIE_ECHOED state. 2450 * 2451 * Only handle the error type of stale COOKIE Error, the other errors will 2452 * be ignored. 2453 * 2454 * Inputs 2455 * (endpoint, asoc, chunk) 2456 * 2457 * Outputs 2458 * (asoc, reply_msg, msg_up, timers, counters) 2459 * 2460 * The return value is the disposition of the chunk. 2461 */ 2462 enum sctp_disposition sctp_sf_cookie_echoed_err( 2463 struct net *net, 2464 const struct sctp_endpoint *ep, 2465 const struct sctp_association *asoc, 2466 const union sctp_subtype type, 2467 void *arg, 2468 struct sctp_cmd_seq *commands) 2469 { 2470 struct sctp_chunk *chunk = arg; 2471 struct sctp_errhdr *err; 2472 2473 if (!sctp_vtag_verify(chunk, asoc)) 2474 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2475 2476 /* Make sure that the ERROR chunk has a valid length. 2477 * The parameter walking depends on this as well. 2478 */ 2479 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 2480 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2481 commands); 2482 2483 /* Process the error here */ 2484 /* FUTURE FIXME: When PR-SCTP related and other optional 2485 * parms are emitted, this will have to change to handle multiple 2486 * errors. 2487 */ 2488 sctp_walk_errors(err, chunk->chunk_hdr) { 2489 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2490 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2491 arg, commands); 2492 } 2493 2494 /* It is possible to have malformed error causes, and that 2495 * will cause us to end the walk early. However, since 2496 * we are discarding the packet, there should be no adverse 2497 * affects. 2498 */ 2499 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2500 } 2501 2502 /* 2503 * Handle a Stale COOKIE Error 2504 * 2505 * Section: 5.2.6 Handle Stale COOKIE Error 2506 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2507 * one of the following three alternatives. 2508 * ... 2509 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2510 * Preservative parameter requesting an extension to the lifetime of 2511 * the State Cookie. When calculating the time extension, an 2512 * implementation SHOULD use the RTT information measured based on the 2513 * previous COOKIE ECHO / ERROR exchange, and should add no more 2514 * than 1 second beyond the measured RTT, due to long State Cookie 2515 * lifetimes making the endpoint more subject to a replay attack. 2516 * 2517 * Verification Tag: Not explicit, but safe to ignore. 2518 * 2519 * Inputs 2520 * (endpoint, asoc, chunk) 2521 * 2522 * Outputs 2523 * (asoc, reply_msg, msg_up, timers, counters) 2524 * 2525 * The return value is the disposition of the chunk. 2526 */ 2527 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 2528 struct net *net, 2529 const struct sctp_endpoint *ep, 2530 const struct sctp_association *asoc, 2531 const union sctp_subtype type, 2532 void *arg, 2533 struct sctp_cmd_seq *commands) 2534 { 2535 int attempts = asoc->init_err_counter + 1; 2536 struct sctp_chunk *chunk = arg, *reply; 2537 struct sctp_cookie_preserve_param bht; 2538 struct sctp_bind_addr *bp; 2539 struct sctp_errhdr *err; 2540 u32 stale; 2541 2542 if (attempts > asoc->max_init_attempts) { 2543 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2544 SCTP_ERROR(ETIMEDOUT)); 2545 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2546 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2547 return SCTP_DISPOSITION_DELETE_TCB; 2548 } 2549 2550 err = (struct sctp_errhdr *)(chunk->skb->data); 2551 2552 /* When calculating the time extension, an implementation 2553 * SHOULD use the RTT information measured based on the 2554 * previous COOKIE ECHO / ERROR exchange, and should add no 2555 * more than 1 second beyond the measured RTT, due to long 2556 * State Cookie lifetimes making the endpoint more subject to 2557 * a replay attack. 2558 * Measure of Staleness's unit is usec. (1/1000000 sec) 2559 * Suggested Cookie Life-span Increment's unit is msec. 2560 * (1/1000 sec) 2561 * In general, if you use the suggested cookie life, the value 2562 * found in the field of measure of staleness should be doubled 2563 * to give ample time to retransmit the new cookie and thus 2564 * yield a higher probability of success on the reattempt. 2565 */ 2566 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); 2567 stale = (stale * 2) / 1000; 2568 2569 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2570 bht.param_hdr.length = htons(sizeof(bht)); 2571 bht.lifespan_increment = htonl(stale); 2572 2573 /* Build that new INIT chunk. */ 2574 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2575 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2576 if (!reply) 2577 goto nomem; 2578 2579 sctp_addto_chunk(reply, sizeof(bht), &bht); 2580 2581 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2582 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2583 2584 /* Stop pending T3-rtx and heartbeat timers */ 2585 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2586 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2587 2588 /* Delete non-primary peer ip addresses since we are transitioning 2589 * back to the COOKIE-WAIT state 2590 */ 2591 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2592 2593 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2594 * resend 2595 */ 2596 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2597 SCTP_TRANSPORT(asoc->peer.primary_path)); 2598 2599 /* Cast away the const modifier, as we want to just 2600 * rerun it through as a sideffect. 2601 */ 2602 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2603 2604 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2605 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2606 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2607 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2608 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2609 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2610 2611 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2612 2613 return SCTP_DISPOSITION_CONSUME; 2614 2615 nomem: 2616 return SCTP_DISPOSITION_NOMEM; 2617 } 2618 2619 /* 2620 * Process an ABORT. 2621 * 2622 * Section: 9.1 2623 * After checking the Verification Tag, the receiving endpoint shall 2624 * remove the association from its record, and shall report the 2625 * termination to its upper layer. 2626 * 2627 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2628 * B) Rules for packet carrying ABORT: 2629 * 2630 * - The endpoint shall always fill in the Verification Tag field of the 2631 * outbound packet with the destination endpoint's tag value if it 2632 * is known. 2633 * 2634 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2635 * MUST follow the procedure described in Section 8.4. 2636 * 2637 * - The receiver MUST accept the packet if the Verification Tag 2638 * matches either its own tag, OR the tag of its peer. Otherwise, the 2639 * receiver MUST silently discard the packet and take no further 2640 * action. 2641 * 2642 * Inputs 2643 * (endpoint, asoc, chunk) 2644 * 2645 * Outputs 2646 * (asoc, reply_msg, msg_up, timers, counters) 2647 * 2648 * The return value is the disposition of the chunk. 2649 */ 2650 enum sctp_disposition sctp_sf_do_9_1_abort( 2651 struct net *net, 2652 const struct sctp_endpoint *ep, 2653 const struct sctp_association *asoc, 2654 const union sctp_subtype type, 2655 void *arg, 2656 struct sctp_cmd_seq *commands) 2657 { 2658 struct sctp_chunk *chunk = arg; 2659 2660 if (!sctp_vtag_verify_either(chunk, asoc)) 2661 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2662 2663 /* Make sure that the ABORT chunk has a valid length. 2664 * Since this is an ABORT chunk, we have to discard it 2665 * because of the following text: 2666 * RFC 2960, Section 3.3.7 2667 * If an endpoint receives an ABORT with a format error or for an 2668 * association that doesn't exist, it MUST silently discard it. 2669 * Because the length is "invalid", we can't really discard just 2670 * as we do not know its true length. So, to be safe, discard the 2671 * packet. 2672 */ 2673 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2674 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2675 2676 /* ADD-IP: Special case for ABORT chunks 2677 * F4) One special consideration is that ABORT Chunks arriving 2678 * destined to the IP address being deleted MUST be 2679 * ignored (see Section 5.3.1 for further details). 2680 */ 2681 if (SCTP_ADDR_DEL == 2682 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2683 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2684 2685 if (!sctp_err_chunk_valid(chunk)) 2686 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2687 2688 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2689 } 2690 2691 static enum sctp_disposition __sctp_sf_do_9_1_abort( 2692 struct net *net, 2693 const struct sctp_endpoint *ep, 2694 const struct sctp_association *asoc, 2695 const union sctp_subtype type, 2696 void *arg, 2697 struct sctp_cmd_seq *commands) 2698 { 2699 __be16 error = SCTP_ERROR_NO_ERROR; 2700 struct sctp_chunk *chunk = arg; 2701 unsigned int len; 2702 2703 /* See if we have an error cause code in the chunk. */ 2704 len = ntohs(chunk->chunk_hdr->length); 2705 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2706 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2707 2708 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2709 /* ASSOC_FAILED will DELETE_TCB. */ 2710 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2711 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2712 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2713 2714 return SCTP_DISPOSITION_ABORT; 2715 } 2716 2717 /* 2718 * Process an ABORT. (COOKIE-WAIT state) 2719 * 2720 * See sctp_sf_do_9_1_abort() above. 2721 */ 2722 enum sctp_disposition sctp_sf_cookie_wait_abort( 2723 struct net *net, 2724 const struct sctp_endpoint *ep, 2725 const struct sctp_association *asoc, 2726 const union sctp_subtype type, 2727 void *arg, 2728 struct sctp_cmd_seq *commands) 2729 { 2730 __be16 error = SCTP_ERROR_NO_ERROR; 2731 struct sctp_chunk *chunk = arg; 2732 unsigned int len; 2733 2734 if (!sctp_vtag_verify_either(chunk, asoc)) 2735 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2736 2737 /* Make sure that the ABORT chunk has a valid length. 2738 * Since this is an ABORT chunk, we have to discard it 2739 * because of the following text: 2740 * RFC 2960, Section 3.3.7 2741 * If an endpoint receives an ABORT with a format error or for an 2742 * association that doesn't exist, it MUST silently discard it. 2743 * Because the length is "invalid", we can't really discard just 2744 * as we do not know its true length. So, to be safe, discard the 2745 * packet. 2746 */ 2747 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2748 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2749 2750 /* See if we have an error cause code in the chunk. */ 2751 len = ntohs(chunk->chunk_hdr->length); 2752 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2753 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2754 2755 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2756 chunk->transport); 2757 } 2758 2759 /* 2760 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2761 */ 2762 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( 2763 struct net *net, 2764 const struct sctp_endpoint *ep, 2765 const struct sctp_association *asoc, 2766 const union sctp_subtype type, 2767 void *arg, 2768 struct sctp_cmd_seq *commands) 2769 { 2770 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2771 ENOPROTOOPT, asoc, 2772 (struct sctp_transport *)arg); 2773 } 2774 2775 /* 2776 * Process an ABORT. (COOKIE-ECHOED state) 2777 */ 2778 enum sctp_disposition sctp_sf_cookie_echoed_abort( 2779 struct net *net, 2780 const struct sctp_endpoint *ep, 2781 const struct sctp_association *asoc, 2782 const union sctp_subtype type, 2783 void *arg, 2784 struct sctp_cmd_seq *commands) 2785 { 2786 /* There is a single T1 timer, so we should be able to use 2787 * common function with the COOKIE-WAIT state. 2788 */ 2789 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2790 } 2791 2792 /* 2793 * Stop T1 timer and abort association with "INIT failed". 2794 * 2795 * This is common code called by several sctp_sf_*_abort() functions above. 2796 */ 2797 static enum sctp_disposition sctp_stop_t1_and_abort( 2798 struct net *net, 2799 struct sctp_cmd_seq *commands, 2800 __be16 error, int sk_err, 2801 const struct sctp_association *asoc, 2802 struct sctp_transport *transport) 2803 { 2804 pr_debug("%s: ABORT received (INIT)\n", __func__); 2805 2806 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2807 SCTP_STATE(SCTP_STATE_CLOSED)); 2808 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2809 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2810 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2811 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2812 /* CMD_INIT_FAILED will DELETE_TCB. */ 2813 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2814 SCTP_PERR(error)); 2815 2816 return SCTP_DISPOSITION_ABORT; 2817 } 2818 2819 /* 2820 * sctp_sf_do_9_2_shut 2821 * 2822 * Section: 9.2 2823 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2824 * - enter the SHUTDOWN-RECEIVED state, 2825 * 2826 * - stop accepting new data from its SCTP user 2827 * 2828 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2829 * that all its outstanding DATA chunks have been received by the 2830 * SHUTDOWN sender. 2831 * 2832 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2833 * send a SHUTDOWN in response to a ULP request. And should discard 2834 * subsequent SHUTDOWN chunks. 2835 * 2836 * If there are still outstanding DATA chunks left, the SHUTDOWN 2837 * receiver shall continue to follow normal data transmission 2838 * procedures defined in Section 6 until all outstanding DATA chunks 2839 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2840 * new data from its SCTP user. 2841 * 2842 * Verification Tag: 8.5 Verification Tag [Normal verification] 2843 * 2844 * Inputs 2845 * (endpoint, asoc, chunk) 2846 * 2847 * Outputs 2848 * (asoc, reply_msg, msg_up, timers, counters) 2849 * 2850 * The return value is the disposition of the chunk. 2851 */ 2852 enum sctp_disposition sctp_sf_do_9_2_shutdown( 2853 struct net *net, 2854 const struct sctp_endpoint *ep, 2855 const struct sctp_association *asoc, 2856 const union sctp_subtype type, 2857 void *arg, 2858 struct sctp_cmd_seq *commands) 2859 { 2860 enum sctp_disposition disposition; 2861 struct sctp_chunk *chunk = arg; 2862 struct sctp_shutdownhdr *sdh; 2863 struct sctp_ulpevent *ev; 2864 __u32 ctsn; 2865 2866 if (!sctp_vtag_verify(chunk, asoc)) 2867 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2868 2869 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2870 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2871 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2872 commands); 2873 2874 /* Convert the elaborate header. */ 2875 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2876 skb_pull(chunk->skb, sizeof(*sdh)); 2877 chunk->subh.shutdown_hdr = sdh; 2878 ctsn = ntohl(sdh->cum_tsn_ack); 2879 2880 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2881 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2882 asoc->ctsn_ack_point); 2883 2884 return SCTP_DISPOSITION_DISCARD; 2885 } 2886 2887 /* If Cumulative TSN Ack beyond the max tsn currently 2888 * send, terminating the association and respond to the 2889 * sender with an ABORT. 2890 */ 2891 if (!TSN_lt(ctsn, asoc->next_tsn)) 2892 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2893 2894 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2895 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2896 * inform the application that it should cease sending data. 2897 */ 2898 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2899 if (!ev) { 2900 disposition = SCTP_DISPOSITION_NOMEM; 2901 goto out; 2902 } 2903 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2904 2905 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2906 * - enter the SHUTDOWN-RECEIVED state, 2907 * - stop accepting new data from its SCTP user 2908 * 2909 * [This is implicit in the new state.] 2910 */ 2911 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2912 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2913 disposition = SCTP_DISPOSITION_CONSUME; 2914 2915 if (sctp_outq_is_empty(&asoc->outqueue)) { 2916 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2917 arg, commands); 2918 } 2919 2920 if (SCTP_DISPOSITION_NOMEM == disposition) 2921 goto out; 2922 2923 /* - verify, by checking the Cumulative TSN Ack field of the 2924 * chunk, that all its outstanding DATA chunks have been 2925 * received by the SHUTDOWN sender. 2926 */ 2927 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2928 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2929 2930 out: 2931 return disposition; 2932 } 2933 2934 /* 2935 * sctp_sf_do_9_2_shut_ctsn 2936 * 2937 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2938 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2939 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2940 * MUST be processed. 2941 */ 2942 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( 2943 struct net *net, 2944 const struct sctp_endpoint *ep, 2945 const struct sctp_association *asoc, 2946 const union sctp_subtype type, 2947 void *arg, 2948 struct sctp_cmd_seq *commands) 2949 { 2950 struct sctp_chunk *chunk = arg; 2951 struct sctp_shutdownhdr *sdh; 2952 __u32 ctsn; 2953 2954 if (!sctp_vtag_verify(chunk, asoc)) 2955 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2956 2957 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2958 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2959 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2960 commands); 2961 2962 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2963 ctsn = ntohl(sdh->cum_tsn_ack); 2964 2965 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2966 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2967 asoc->ctsn_ack_point); 2968 2969 return SCTP_DISPOSITION_DISCARD; 2970 } 2971 2972 /* If Cumulative TSN Ack beyond the max tsn currently 2973 * send, terminating the association and respond to the 2974 * sender with an ABORT. 2975 */ 2976 if (!TSN_lt(ctsn, asoc->next_tsn)) 2977 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2978 2979 /* verify, by checking the Cumulative TSN Ack field of the 2980 * chunk, that all its outstanding DATA chunks have been 2981 * received by the SHUTDOWN sender. 2982 */ 2983 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2984 SCTP_BE32(sdh->cum_tsn_ack)); 2985 2986 return SCTP_DISPOSITION_CONSUME; 2987 } 2988 2989 /* RFC 2960 9.2 2990 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2991 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2992 * transport addresses (either in the IP addresses or in the INIT chunk) 2993 * that belong to this association, it should discard the INIT chunk and 2994 * retransmit the SHUTDOWN ACK chunk. 2995 */ 2996 static enum sctp_disposition 2997 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 2998 const struct sctp_association *asoc, 2999 const union sctp_subtype type, void *arg, 3000 struct sctp_cmd_seq *commands) 3001 { 3002 struct sctp_chunk *chunk = arg; 3003 struct sctp_chunk *reply; 3004 3005 /* Make sure that the chunk has a valid length */ 3006 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3007 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3008 commands); 3009 3010 /* Since we are not going to really process this INIT, there 3011 * is no point in verifying chunk boundaries. Just generate 3012 * the SHUTDOWN ACK. 3013 */ 3014 reply = sctp_make_shutdown_ack(asoc, chunk); 3015 if (NULL == reply) 3016 goto nomem; 3017 3018 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 3019 * the T2-SHUTDOWN timer. 3020 */ 3021 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 3022 3023 /* and restart the T2-shutdown timer. */ 3024 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3025 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3026 3027 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3028 3029 return SCTP_DISPOSITION_CONSUME; 3030 nomem: 3031 return SCTP_DISPOSITION_NOMEM; 3032 } 3033 3034 enum sctp_disposition 3035 sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 3036 const struct sctp_association *asoc, 3037 const union sctp_subtype type, void *arg, 3038 struct sctp_cmd_seq *commands) 3039 { 3040 struct sctp_chunk *chunk = arg; 3041 3042 if (!chunk->singleton) 3043 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3044 3045 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 3046 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3047 3048 if (chunk->sctp_hdr->vtag != 0) 3049 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3050 3051 return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); 3052 } 3053 3054 /* 3055 * sctp_sf_do_ecn_cwr 3056 * 3057 * Section: Appendix A: Explicit Congestion Notification 3058 * 3059 * CWR: 3060 * 3061 * RFC 2481 details a specific bit for a sender to send in the header of 3062 * its next outbound TCP segment to indicate to its peer that it has 3063 * reduced its congestion window. This is termed the CWR bit. For 3064 * SCTP the same indication is made by including the CWR chunk. 3065 * This chunk contains one data element, i.e. the TSN number that 3066 * was sent in the ECNE chunk. This element represents the lowest 3067 * TSN number in the datagram that was originally marked with the 3068 * CE bit. 3069 * 3070 * Verification Tag: 8.5 Verification Tag [Normal verification] 3071 * Inputs 3072 * (endpoint, asoc, chunk) 3073 * 3074 * Outputs 3075 * (asoc, reply_msg, msg_up, timers, counters) 3076 * 3077 * The return value is the disposition of the chunk. 3078 */ 3079 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, 3080 const struct sctp_endpoint *ep, 3081 const struct sctp_association *asoc, 3082 const union sctp_subtype type, 3083 void *arg, 3084 struct sctp_cmd_seq *commands) 3085 { 3086 struct sctp_chunk *chunk = arg; 3087 struct sctp_cwrhdr *cwr; 3088 u32 lowest_tsn; 3089 3090 if (!sctp_vtag_verify(chunk, asoc)) 3091 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3092 3093 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3094 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3095 commands); 3096 3097 cwr = (struct sctp_cwrhdr *)chunk->skb->data; 3098 skb_pull(chunk->skb, sizeof(*cwr)); 3099 3100 lowest_tsn = ntohl(cwr->lowest_tsn); 3101 3102 /* Does this CWR ack the last sent congestion notification? */ 3103 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 3104 /* Stop sending ECNE. */ 3105 sctp_add_cmd_sf(commands, 3106 SCTP_CMD_ECN_CWR, 3107 SCTP_U32(lowest_tsn)); 3108 } 3109 return SCTP_DISPOSITION_CONSUME; 3110 } 3111 3112 /* 3113 * sctp_sf_do_ecne 3114 * 3115 * Section: Appendix A: Explicit Congestion Notification 3116 * 3117 * ECN-Echo 3118 * 3119 * RFC 2481 details a specific bit for a receiver to send back in its 3120 * TCP acknowledgements to notify the sender of the Congestion 3121 * Experienced (CE) bit having arrived from the network. For SCTP this 3122 * same indication is made by including the ECNE chunk. This chunk 3123 * contains one data element, i.e. the lowest TSN associated with the IP 3124 * datagram marked with the CE bit..... 3125 * 3126 * Verification Tag: 8.5 Verification Tag [Normal verification] 3127 * Inputs 3128 * (endpoint, asoc, chunk) 3129 * 3130 * Outputs 3131 * (asoc, reply_msg, msg_up, timers, counters) 3132 * 3133 * The return value is the disposition of the chunk. 3134 */ 3135 enum sctp_disposition sctp_sf_do_ecne(struct net *net, 3136 const struct sctp_endpoint *ep, 3137 const struct sctp_association *asoc, 3138 const union sctp_subtype type, 3139 void *arg, struct sctp_cmd_seq *commands) 3140 { 3141 struct sctp_chunk *chunk = arg; 3142 struct sctp_ecnehdr *ecne; 3143 3144 if (!sctp_vtag_verify(chunk, asoc)) 3145 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3146 3147 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3148 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3149 commands); 3150 3151 ecne = (struct sctp_ecnehdr *)chunk->skb->data; 3152 skb_pull(chunk->skb, sizeof(*ecne)); 3153 3154 /* If this is a newer ECNE than the last CWR packet we sent out */ 3155 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 3156 SCTP_U32(ntohl(ecne->lowest_tsn))); 3157 3158 return SCTP_DISPOSITION_CONSUME; 3159 } 3160 3161 /* 3162 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 3163 * 3164 * The SCTP endpoint MUST always acknowledge the reception of each valid 3165 * DATA chunk. 3166 * 3167 * The guidelines on delayed acknowledgement algorithm specified in 3168 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 3169 * acknowledgement SHOULD be generated for at least every second packet 3170 * (not every second DATA chunk) received, and SHOULD be generated within 3171 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 3172 * situations it may be beneficial for an SCTP transmitter to be more 3173 * conservative than the algorithms detailed in this document allow. 3174 * However, an SCTP transmitter MUST NOT be more aggressive than the 3175 * following algorithms allow. 3176 * 3177 * A SCTP receiver MUST NOT generate more than one SACK for every 3178 * incoming packet, other than to update the offered window as the 3179 * receiving application consumes new data. 3180 * 3181 * Verification Tag: 8.5 Verification Tag [Normal verification] 3182 * 3183 * Inputs 3184 * (endpoint, asoc, chunk) 3185 * 3186 * Outputs 3187 * (asoc, reply_msg, msg_up, timers, counters) 3188 * 3189 * The return value is the disposition of the chunk. 3190 */ 3191 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, 3192 const struct sctp_endpoint *ep, 3193 const struct sctp_association *asoc, 3194 const union sctp_subtype type, 3195 void *arg, 3196 struct sctp_cmd_seq *commands) 3197 { 3198 union sctp_arg force = SCTP_NOFORCE(); 3199 struct sctp_chunk *chunk = arg; 3200 int error; 3201 3202 if (!sctp_vtag_verify(chunk, asoc)) { 3203 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3204 SCTP_NULL()); 3205 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3206 } 3207 3208 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3209 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3210 commands); 3211 3212 error = sctp_eat_data(asoc, chunk, commands); 3213 switch (error) { 3214 case SCTP_IERROR_NO_ERROR: 3215 break; 3216 case SCTP_IERROR_HIGH_TSN: 3217 case SCTP_IERROR_BAD_STREAM: 3218 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3219 goto discard_noforce; 3220 case SCTP_IERROR_DUP_TSN: 3221 case SCTP_IERROR_IGNORE_TSN: 3222 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3223 goto discard_force; 3224 case SCTP_IERROR_NO_DATA: 3225 return SCTP_DISPOSITION_ABORT; 3226 case SCTP_IERROR_PROTO_VIOLATION: 3227 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3228 (u8 *)chunk->subh.data_hdr, 3229 sctp_datahdr_len(&asoc->stream)); 3230 default: 3231 BUG(); 3232 } 3233 3234 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 3235 force = SCTP_FORCE(); 3236 3237 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3238 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3239 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3240 } 3241 3242 /* If this is the last chunk in a packet, we need to count it 3243 * toward sack generation. Note that we need to SACK every 3244 * OTHER packet containing data chunks, EVEN IF WE DISCARD 3245 * THEM. We elect to NOT generate SACK's if the chunk fails 3246 * the verification tag test. 3247 * 3248 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3249 * 3250 * The SCTP endpoint MUST always acknowledge the reception of 3251 * each valid DATA chunk. 3252 * 3253 * The guidelines on delayed acknowledgement algorithm 3254 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3255 * Specifically, an acknowledgement SHOULD be generated for at 3256 * least every second packet (not every second DATA chunk) 3257 * received, and SHOULD be generated within 200 ms of the 3258 * arrival of any unacknowledged DATA chunk. In some 3259 * situations it may be beneficial for an SCTP transmitter to 3260 * be more conservative than the algorithms detailed in this 3261 * document allow. However, an SCTP transmitter MUST NOT be 3262 * more aggressive than the following algorithms allow. 3263 */ 3264 if (chunk->end_of_packet) 3265 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3266 3267 return SCTP_DISPOSITION_CONSUME; 3268 3269 discard_force: 3270 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3271 * 3272 * When a packet arrives with duplicate DATA chunk(s) and with 3273 * no new DATA chunk(s), the endpoint MUST immediately send a 3274 * SACK with no delay. If a packet arrives with duplicate 3275 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3276 * MAY immediately send a SACK. Normally receipt of duplicate 3277 * DATA chunks will occur when the original SACK chunk was lost 3278 * and the peer's RTO has expired. The duplicate TSN number(s) 3279 * SHOULD be reported in the SACK as duplicate. 3280 */ 3281 /* In our case, we split the MAY SACK advice up whether or not 3282 * the last chunk is a duplicate.' 3283 */ 3284 if (chunk->end_of_packet) 3285 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3286 return SCTP_DISPOSITION_DISCARD; 3287 3288 discard_noforce: 3289 if (chunk->end_of_packet) 3290 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3291 3292 return SCTP_DISPOSITION_DISCARD; 3293 } 3294 3295 /* 3296 * sctp_sf_eat_data_fast_4_4 3297 * 3298 * Section: 4 (4) 3299 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3300 * DATA chunks without delay. 3301 * 3302 * Verification Tag: 8.5 Verification Tag [Normal verification] 3303 * Inputs 3304 * (endpoint, asoc, chunk) 3305 * 3306 * Outputs 3307 * (asoc, reply_msg, msg_up, timers, counters) 3308 * 3309 * The return value is the disposition of the chunk. 3310 */ 3311 enum sctp_disposition sctp_sf_eat_data_fast_4_4( 3312 struct net *net, 3313 const struct sctp_endpoint *ep, 3314 const struct sctp_association *asoc, 3315 const union sctp_subtype type, 3316 void *arg, 3317 struct sctp_cmd_seq *commands) 3318 { 3319 struct sctp_chunk *chunk = arg; 3320 int error; 3321 3322 if (!sctp_vtag_verify(chunk, asoc)) { 3323 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3324 SCTP_NULL()); 3325 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3326 } 3327 3328 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3329 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3330 commands); 3331 3332 error = sctp_eat_data(asoc, chunk, commands); 3333 switch (error) { 3334 case SCTP_IERROR_NO_ERROR: 3335 case SCTP_IERROR_HIGH_TSN: 3336 case SCTP_IERROR_DUP_TSN: 3337 case SCTP_IERROR_IGNORE_TSN: 3338 case SCTP_IERROR_BAD_STREAM: 3339 break; 3340 case SCTP_IERROR_NO_DATA: 3341 return SCTP_DISPOSITION_ABORT; 3342 case SCTP_IERROR_PROTO_VIOLATION: 3343 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3344 (u8 *)chunk->subh.data_hdr, 3345 sctp_datahdr_len(&asoc->stream)); 3346 default: 3347 BUG(); 3348 } 3349 3350 /* Go a head and force a SACK, since we are shutting down. */ 3351 3352 /* Implementor's Guide. 3353 * 3354 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3355 * respond to each received packet containing one or more DATA chunk(s) 3356 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3357 */ 3358 if (chunk->end_of_packet) { 3359 /* We must delay the chunk creation since the cumulative 3360 * TSN has not been updated yet. 3361 */ 3362 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3363 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3364 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3365 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3366 } 3367 3368 return SCTP_DISPOSITION_CONSUME; 3369 } 3370 3371 /* 3372 * Section: 6.2 Processing a Received SACK 3373 * D) Any time a SACK arrives, the endpoint performs the following: 3374 * 3375 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3376 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3377 * increasing, a SACK whose Cumulative TSN Ack is less than the 3378 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3379 * 3380 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3381 * of bytes still outstanding after processing the Cumulative TSN Ack 3382 * and the Gap Ack Blocks. 3383 * 3384 * iii) If the SACK is missing a TSN that was previously 3385 * acknowledged via a Gap Ack Block (e.g., the data receiver 3386 * reneged on the data), then mark the corresponding DATA chunk 3387 * as available for retransmit: Mark it as missing for fast 3388 * retransmit as described in Section 7.2.4 and if no retransmit 3389 * timer is running for the destination address to which the DATA 3390 * chunk was originally transmitted, then T3-rtx is started for 3391 * that destination address. 3392 * 3393 * Verification Tag: 8.5 Verification Tag [Normal verification] 3394 * 3395 * Inputs 3396 * (endpoint, asoc, chunk) 3397 * 3398 * Outputs 3399 * (asoc, reply_msg, msg_up, timers, counters) 3400 * 3401 * The return value is the disposition of the chunk. 3402 */ 3403 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net, 3404 const struct sctp_endpoint *ep, 3405 const struct sctp_association *asoc, 3406 const union sctp_subtype type, 3407 void *arg, 3408 struct sctp_cmd_seq *commands) 3409 { 3410 struct sctp_chunk *chunk = arg; 3411 struct sctp_sackhdr *sackh; 3412 __u32 ctsn; 3413 3414 if (!sctp_vtag_verify(chunk, asoc)) 3415 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3416 3417 /* Make sure that the SACK chunk has a valid length. */ 3418 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk))) 3419 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3420 commands); 3421 3422 /* Pull the SACK chunk from the data buffer */ 3423 sackh = sctp_sm_pull_sack(chunk); 3424 /* Was this a bogus SACK? */ 3425 if (!sackh) 3426 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3427 chunk->subh.sack_hdr = sackh; 3428 ctsn = ntohl(sackh->cum_tsn_ack); 3429 3430 /* If Cumulative TSN Ack beyond the max tsn currently 3431 * send, terminating the association and respond to the 3432 * sender with an ABORT. 3433 */ 3434 if (TSN_lte(asoc->next_tsn, ctsn)) 3435 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3436 3437 trace_sctp_probe(ep, asoc, chunk); 3438 3439 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3440 * Ack Point, then drop the SACK. Since Cumulative TSN 3441 * Ack is monotonically increasing, a SACK whose 3442 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3443 * Point indicates an out-of-order SACK. 3444 */ 3445 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3446 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3447 asoc->ctsn_ack_point); 3448 3449 return SCTP_DISPOSITION_DISCARD; 3450 } 3451 3452 /* Return this SACK for further processing. */ 3453 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3454 3455 /* Note: We do the rest of the work on the PROCESS_SACK 3456 * sideeffect. 3457 */ 3458 return SCTP_DISPOSITION_CONSUME; 3459 } 3460 3461 /* 3462 * Generate an ABORT in response to a packet. 3463 * 3464 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3465 * 3466 * 8) The receiver should respond to the sender of the OOTB packet with 3467 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3468 * MUST fill in the Verification Tag field of the outbound packet 3469 * with the value found in the Verification Tag field of the OOTB 3470 * packet and set the T-bit in the Chunk Flags to indicate that the 3471 * Verification Tag is reflected. After sending this ABORT, the 3472 * receiver of the OOTB packet shall discard the OOTB packet and take 3473 * no further action. 3474 * 3475 * Verification Tag: 3476 * 3477 * The return value is the disposition of the chunk. 3478 */ 3479 static enum sctp_disposition sctp_sf_tabort_8_4_8( 3480 struct net *net, 3481 const struct sctp_endpoint *ep, 3482 const struct sctp_association *asoc, 3483 const union sctp_subtype type, 3484 void *arg, 3485 struct sctp_cmd_seq *commands) 3486 { 3487 struct sctp_packet *packet = NULL; 3488 struct sctp_chunk *chunk = arg; 3489 struct sctp_chunk *abort; 3490 3491 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3492 if (!packet) 3493 return SCTP_DISPOSITION_NOMEM; 3494 3495 /* Make an ABORT. The T bit will be set if the asoc 3496 * is NULL. 3497 */ 3498 abort = sctp_make_abort(asoc, chunk, 0); 3499 if (!abort) { 3500 sctp_ootb_pkt_free(packet); 3501 return SCTP_DISPOSITION_NOMEM; 3502 } 3503 3504 /* Reflect vtag if T-Bit is set */ 3505 if (sctp_test_T_bit(abort)) 3506 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3507 3508 /* Set the skb to the belonging sock for accounting. */ 3509 abort->skb->sk = ep->base.sk; 3510 3511 sctp_packet_append_chunk(packet, abort); 3512 3513 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet)); 3514 3515 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3516 3517 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3518 return SCTP_DISPOSITION_CONSUME; 3519 } 3520 3521 /* Handling of SCTP Packets Containing an INIT Chunk Matching an 3522 * Existing Associations when the UDP encap port is incorrect. 3523 * 3524 * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03. 3525 */ 3526 static enum sctp_disposition sctp_sf_new_encap_port( 3527 struct net *net, 3528 const struct sctp_endpoint *ep, 3529 const struct sctp_association *asoc, 3530 const union sctp_subtype type, 3531 void *arg, 3532 struct sctp_cmd_seq *commands) 3533 { 3534 struct sctp_packet *packet = NULL; 3535 struct sctp_chunk *chunk = arg; 3536 struct sctp_chunk *abort; 3537 3538 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3539 if (!packet) 3540 return SCTP_DISPOSITION_NOMEM; 3541 3542 abort = sctp_make_new_encap_port(asoc, chunk); 3543 if (!abort) { 3544 sctp_ootb_pkt_free(packet); 3545 return SCTP_DISPOSITION_NOMEM; 3546 } 3547 3548 abort->skb->sk = ep->base.sk; 3549 3550 sctp_packet_append_chunk(packet, abort); 3551 3552 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3553 SCTP_PACKET(packet)); 3554 3555 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3556 3557 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3558 return SCTP_DISPOSITION_CONSUME; 3559 } 3560 3561 /* 3562 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3563 * event as ULP notification for each cause included in the chunk. 3564 * 3565 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3566 * 3567 * The return value is the disposition of the chunk. 3568 */ 3569 enum sctp_disposition sctp_sf_operr_notify(struct net *net, 3570 const struct sctp_endpoint *ep, 3571 const struct sctp_association *asoc, 3572 const union sctp_subtype type, 3573 void *arg, 3574 struct sctp_cmd_seq *commands) 3575 { 3576 struct sctp_chunk *chunk = arg; 3577 struct sctp_errhdr *err; 3578 3579 if (!sctp_vtag_verify(chunk, asoc)) 3580 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3581 3582 /* Make sure that the ERROR chunk has a valid length. */ 3583 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 3584 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3585 commands); 3586 sctp_walk_errors(err, chunk->chunk_hdr); 3587 if ((void *)err != (void *)chunk->chunk_end) 3588 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3589 (void *)err, commands); 3590 3591 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3592 SCTP_CHUNK(chunk)); 3593 3594 return SCTP_DISPOSITION_CONSUME; 3595 } 3596 3597 /* 3598 * Process an inbound SHUTDOWN ACK. 3599 * 3600 * From Section 9.2: 3601 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3602 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3603 * peer, and remove all record of the association. 3604 * 3605 * The return value is the disposition. 3606 */ 3607 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, 3608 const struct sctp_endpoint *ep, 3609 const struct sctp_association *asoc, 3610 const union sctp_subtype type, 3611 void *arg, 3612 struct sctp_cmd_seq *commands) 3613 { 3614 struct sctp_chunk *chunk = arg; 3615 struct sctp_chunk *reply; 3616 struct sctp_ulpevent *ev; 3617 3618 if (!sctp_vtag_verify(chunk, asoc)) 3619 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3620 3621 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3622 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3623 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3624 commands); 3625 /* 10.2 H) SHUTDOWN COMPLETE notification 3626 * 3627 * When SCTP completes the shutdown procedures (section 9.2) this 3628 * notification is passed to the upper layer. 3629 */ 3630 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3631 0, 0, 0, NULL, GFP_ATOMIC); 3632 if (!ev) 3633 goto nomem; 3634 3635 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3636 reply = sctp_make_shutdown_complete(asoc, chunk); 3637 if (!reply) 3638 goto nomem_chunk; 3639 3640 /* Do all the commands now (after allocation), so that we 3641 * have consistent state if memory allocation fails 3642 */ 3643 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3644 3645 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3646 * stop the T2-shutdown timer, 3647 */ 3648 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3649 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3650 3651 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3652 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3653 3654 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3655 SCTP_STATE(SCTP_STATE_CLOSED)); 3656 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3657 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3658 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3659 3660 /* ...and remove all record of the association. */ 3661 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3662 return SCTP_DISPOSITION_DELETE_TCB; 3663 3664 nomem_chunk: 3665 sctp_ulpevent_free(ev); 3666 nomem: 3667 return SCTP_DISPOSITION_NOMEM; 3668 } 3669 3670 /* 3671 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3672 * 3673 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3674 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3675 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3676 * packet must fill in the Verification Tag field of the outbound 3677 * packet with the Verification Tag received in the SHUTDOWN ACK and 3678 * set the T-bit in the Chunk Flags to indicate that the Verification 3679 * Tag is reflected. 3680 * 3681 * 8) The receiver should respond to the sender of the OOTB packet with 3682 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3683 * MUST fill in the Verification Tag field of the outbound packet 3684 * with the value found in the Verification Tag field of the OOTB 3685 * packet and set the T-bit in the Chunk Flags to indicate that the 3686 * Verification Tag is reflected. After sending this ABORT, the 3687 * receiver of the OOTB packet shall discard the OOTB packet and take 3688 * no further action. 3689 */ 3690 enum sctp_disposition sctp_sf_ootb(struct net *net, 3691 const struct sctp_endpoint *ep, 3692 const struct sctp_association *asoc, 3693 const union sctp_subtype type, 3694 void *arg, struct sctp_cmd_seq *commands) 3695 { 3696 struct sctp_chunk *chunk = arg; 3697 struct sk_buff *skb = chunk->skb; 3698 struct sctp_chunkhdr *ch; 3699 struct sctp_errhdr *err; 3700 int ootb_cookie_ack = 0; 3701 int ootb_shut_ack = 0; 3702 __u8 *ch_end; 3703 3704 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3705 3706 if (asoc && !sctp_vtag_verify(chunk, asoc)) 3707 asoc = NULL; 3708 3709 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; 3710 do { 3711 /* Report violation if the chunk is less then minimal */ 3712 if (ntohs(ch->length) < sizeof(*ch)) 3713 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3714 commands); 3715 3716 /* Report violation if chunk len overflows */ 3717 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); 3718 if (ch_end > skb_tail_pointer(skb)) 3719 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3720 commands); 3721 3722 /* Now that we know we at least have a chunk header, 3723 * do things that are type appropriate. 3724 */ 3725 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3726 ootb_shut_ack = 1; 3727 3728 /* RFC 2960, Section 3.3.7 3729 * Moreover, under any circumstances, an endpoint that 3730 * receives an ABORT MUST NOT respond to that ABORT by 3731 * sending an ABORT of its own. 3732 */ 3733 if (SCTP_CID_ABORT == ch->type) 3734 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3735 3736 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3737 * or a COOKIE ACK the SCTP Packet should be silently 3738 * discarded. 3739 */ 3740 3741 if (SCTP_CID_COOKIE_ACK == ch->type) 3742 ootb_cookie_ack = 1; 3743 3744 if (SCTP_CID_ERROR == ch->type) { 3745 sctp_walk_errors(err, ch) { 3746 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3747 ootb_cookie_ack = 1; 3748 break; 3749 } 3750 } 3751 } 3752 3753 ch = (struct sctp_chunkhdr *)ch_end; 3754 } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb)); 3755 3756 if (ootb_shut_ack) 3757 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3758 else if (ootb_cookie_ack) 3759 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3760 else 3761 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3762 } 3763 3764 /* 3765 * Handle an "Out of the blue" SHUTDOWN ACK. 3766 * 3767 * Section: 8.4 5, sctpimpguide 2.41. 3768 * 3769 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3770 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3771 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3772 * packet must fill in the Verification Tag field of the outbound 3773 * packet with the Verification Tag received in the SHUTDOWN ACK and 3774 * set the T-bit in the Chunk Flags to indicate that the Verification 3775 * Tag is reflected. 3776 * 3777 * Inputs 3778 * (endpoint, asoc, type, arg, commands) 3779 * 3780 * Outputs 3781 * (enum sctp_disposition) 3782 * 3783 * The return value is the disposition of the chunk. 3784 */ 3785 static enum sctp_disposition sctp_sf_shut_8_4_5( 3786 struct net *net, 3787 const struct sctp_endpoint *ep, 3788 const struct sctp_association *asoc, 3789 const union sctp_subtype type, 3790 void *arg, 3791 struct sctp_cmd_seq *commands) 3792 { 3793 struct sctp_packet *packet = NULL; 3794 struct sctp_chunk *chunk = arg; 3795 struct sctp_chunk *shut; 3796 3797 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3798 if (!packet) 3799 return SCTP_DISPOSITION_NOMEM; 3800 3801 /* Make an SHUTDOWN_COMPLETE. 3802 * The T bit will be set if the asoc is NULL. 3803 */ 3804 shut = sctp_make_shutdown_complete(asoc, chunk); 3805 if (!shut) { 3806 sctp_ootb_pkt_free(packet); 3807 return SCTP_DISPOSITION_NOMEM; 3808 } 3809 3810 /* Reflect vtag if T-Bit is set */ 3811 if (sctp_test_T_bit(shut)) 3812 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3813 3814 /* Set the skb to the belonging sock for accounting. */ 3815 shut->skb->sk = ep->base.sk; 3816 3817 sctp_packet_append_chunk(packet, shut); 3818 3819 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3820 SCTP_PACKET(packet)); 3821 3822 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3823 3824 /* We need to discard the rest of the packet to prevent 3825 * potential boomming attacks from additional bundled chunks. 3826 * This is documented in SCTP Threats ID. 3827 */ 3828 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3829 } 3830 3831 /* 3832 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3833 * 3834 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3835 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3836 * procedures in section 8.4 SHOULD be followed, in other words it 3837 * should be treated as an Out Of The Blue packet. 3838 * [This means that we do NOT check the Verification Tag on these 3839 * chunks. --piggy ] 3840 * 3841 */ 3842 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, 3843 const struct sctp_endpoint *ep, 3844 const struct sctp_association *asoc, 3845 const union sctp_subtype type, 3846 void *arg, 3847 struct sctp_cmd_seq *commands) 3848 { 3849 struct sctp_chunk *chunk = arg; 3850 3851 if (!sctp_vtag_verify(chunk, asoc)) 3852 asoc = NULL; 3853 3854 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3855 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3856 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3857 commands); 3858 3859 /* Although we do have an association in this case, it corresponds 3860 * to a restarted association. So the packet is treated as an OOTB 3861 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3862 * called with a NULL association. 3863 */ 3864 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3865 3866 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3867 } 3868 3869 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3870 enum sctp_disposition sctp_sf_do_asconf(struct net *net, 3871 const struct sctp_endpoint *ep, 3872 const struct sctp_association *asoc, 3873 const union sctp_subtype type, 3874 void *arg, 3875 struct sctp_cmd_seq *commands) 3876 { 3877 struct sctp_paramhdr *err_param = NULL; 3878 struct sctp_chunk *asconf_ack = NULL; 3879 struct sctp_chunk *chunk = arg; 3880 struct sctp_addiphdr *hdr; 3881 __u32 serial; 3882 3883 if (!sctp_vtag_verify(chunk, asoc)) { 3884 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3885 SCTP_NULL()); 3886 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3887 } 3888 3889 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3890 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) 3891 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3892 commands); 3893 3894 /* ADD-IP: Section 4.1.1 3895 * This chunk MUST be sent in an authenticated way by using 3896 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3897 * is received unauthenticated it MUST be silently discarded as 3898 * described in [I-D.ietf-tsvwg-sctp-auth]. 3899 */ 3900 if (!asoc->peer.asconf_capable || 3901 (!net->sctp.addip_noauth && !chunk->auth)) 3902 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3903 3904 hdr = (struct sctp_addiphdr *)chunk->skb->data; 3905 serial = ntohl(hdr->serial); 3906 3907 /* Verify the ASCONF chunk before processing it. */ 3908 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3909 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3910 (void *)err_param, commands); 3911 3912 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3913 * the endpoint stored in a new association variable 3914 * 'Peer-Serial-Number'. 3915 */ 3916 if (serial == asoc->peer.addip_serial + 1) { 3917 /* If this is the first instance of ASCONF in the packet, 3918 * we can clean our old ASCONF-ACKs. 3919 */ 3920 if (!chunk->has_asconf) 3921 sctp_assoc_clean_asconf_ack_cache(asoc); 3922 3923 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3924 * expected, process the ASCONF as described below and after 3925 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3926 * the response packet and cache a copy of it (in the event it 3927 * later needs to be retransmitted). 3928 * 3929 * Essentially, do V1-V5. 3930 */ 3931 asconf_ack = sctp_process_asconf((struct sctp_association *) 3932 asoc, chunk); 3933 if (!asconf_ack) 3934 return SCTP_DISPOSITION_NOMEM; 3935 } else if (serial < asoc->peer.addip_serial + 1) { 3936 /* ADDIP 5.2 E2) 3937 * If the value found in the Sequence Number is less than the 3938 * ('Peer- Sequence-Number' + 1), simply skip to the next 3939 * ASCONF, and include in the outbound response packet 3940 * any previously cached ASCONF-ACK response that was 3941 * sent and saved that matches the Sequence Number of the 3942 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3943 * Chunk exists. This will occur when an older ASCONF 3944 * arrives out of order. In such a case, the receiver 3945 * should skip the ASCONF Chunk and not include ASCONF-ACK 3946 * Chunk for that chunk. 3947 */ 3948 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3949 if (!asconf_ack) 3950 return SCTP_DISPOSITION_DISCARD; 3951 3952 /* Reset the transport so that we select the correct one 3953 * this time around. This is to make sure that we don't 3954 * accidentally use a stale transport that's been removed. 3955 */ 3956 asconf_ack->transport = NULL; 3957 } else { 3958 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3959 * it must be either a stale packet or from an attacker. 3960 */ 3961 return SCTP_DISPOSITION_DISCARD; 3962 } 3963 3964 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3965 * containing the ASCONF-ACK Chunks MUST be the source address of 3966 * the SCTP packet that held the ASCONF Chunks. 3967 * 3968 * To do this properly, we'll set the destination address of the chunk 3969 * and at the transmit time, will try look up the transport to use. 3970 * Since ASCONFs may be bundled, the correct transport may not be 3971 * created until we process the entire packet, thus this workaround. 3972 */ 3973 asconf_ack->dest = chunk->source; 3974 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3975 if (asoc->new_transport) { 3976 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3977 ((struct sctp_association *)asoc)->new_transport = NULL; 3978 } 3979 3980 return SCTP_DISPOSITION_CONSUME; 3981 } 3982 3983 static enum sctp_disposition sctp_send_next_asconf( 3984 struct net *net, 3985 const struct sctp_endpoint *ep, 3986 struct sctp_association *asoc, 3987 const union sctp_subtype type, 3988 struct sctp_cmd_seq *commands) 3989 { 3990 struct sctp_chunk *asconf; 3991 struct list_head *entry; 3992 3993 if (list_empty(&asoc->addip_chunk_list)) 3994 return SCTP_DISPOSITION_CONSUME; 3995 3996 entry = asoc->addip_chunk_list.next; 3997 asconf = list_entry(entry, struct sctp_chunk, list); 3998 3999 list_del_init(entry); 4000 sctp_chunk_hold(asconf); 4001 asoc->addip_last_asconf = asconf; 4002 4003 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands); 4004 } 4005 4006 /* 4007 * ADDIP Section 4.3 General rules for address manipulation 4008 * When building TLV parameters for the ASCONF Chunk that will add or 4009 * delete IP addresses the D0 to D13 rules should be applied: 4010 */ 4011 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, 4012 const struct sctp_endpoint *ep, 4013 const struct sctp_association *asoc, 4014 const union sctp_subtype type, 4015 void *arg, 4016 struct sctp_cmd_seq *commands) 4017 { 4018 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 4019 struct sctp_paramhdr *err_param = NULL; 4020 struct sctp_chunk *asconf_ack = arg; 4021 struct sctp_addiphdr *addip_hdr; 4022 __u32 sent_serial, rcvd_serial; 4023 struct sctp_chunk *abort; 4024 4025 if (!sctp_vtag_verify(asconf_ack, asoc)) { 4026 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4027 SCTP_NULL()); 4028 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4029 } 4030 4031 /* Make sure that the ADDIP chunk has a valid length. */ 4032 if (!sctp_chunk_length_valid(asconf_ack, 4033 sizeof(struct sctp_addip_chunk))) 4034 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4035 commands); 4036 4037 /* ADD-IP, Section 4.1.2: 4038 * This chunk MUST be sent in an authenticated way by using 4039 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 4040 * is received unauthenticated it MUST be silently discarded as 4041 * described in [I-D.ietf-tsvwg-sctp-auth]. 4042 */ 4043 if (!asoc->peer.asconf_capable || 4044 (!net->sctp.addip_noauth && !asconf_ack->auth)) 4045 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4046 4047 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; 4048 rcvd_serial = ntohl(addip_hdr->serial); 4049 4050 /* Verify the ASCONF-ACK chunk before processing it. */ 4051 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 4052 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 4053 (void *)err_param, commands); 4054 4055 if (last_asconf) { 4056 addip_hdr = last_asconf->subh.addip_hdr; 4057 sent_serial = ntohl(addip_hdr->serial); 4058 } else { 4059 sent_serial = asoc->addip_serial - 1; 4060 } 4061 4062 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 4063 * equal to the next serial number to be used but no ASCONF chunk is 4064 * outstanding the endpoint MUST ABORT the association. Note that a 4065 * sequence number is greater than if it is no more than 2^^31-1 4066 * larger than the current sequence number (using serial arithmetic). 4067 */ 4068 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 4069 !(asoc->addip_last_asconf)) { 4070 abort = sctp_make_abort(asoc, asconf_ack, 4071 sizeof(struct sctp_errhdr)); 4072 if (abort) { 4073 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 4074 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4075 SCTP_CHUNK(abort)); 4076 } 4077 /* We are going to ABORT, so we might as well stop 4078 * processing the rest of the chunks in the packet. 4079 */ 4080 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4081 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4082 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4083 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4084 SCTP_ERROR(ECONNABORTED)); 4085 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4086 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 4087 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4088 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4089 return SCTP_DISPOSITION_ABORT; 4090 } 4091 4092 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 4093 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4094 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4095 4096 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 4097 asconf_ack)) 4098 return sctp_send_next_asconf(net, ep, 4099 (struct sctp_association *)asoc, 4100 type, commands); 4101 4102 abort = sctp_make_abort(asoc, asconf_ack, 4103 sizeof(struct sctp_errhdr)); 4104 if (abort) { 4105 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 4106 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4107 SCTP_CHUNK(abort)); 4108 } 4109 /* We are going to ABORT, so we might as well stop 4110 * processing the rest of the chunks in the packet. 4111 */ 4112 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4113 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4114 SCTP_ERROR(ECONNABORTED)); 4115 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4116 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 4117 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4118 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4119 return SCTP_DISPOSITION_ABORT; 4120 } 4121 4122 return SCTP_DISPOSITION_DISCARD; 4123 } 4124 4125 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */ 4126 enum sctp_disposition sctp_sf_do_reconf(struct net *net, 4127 const struct sctp_endpoint *ep, 4128 const struct sctp_association *asoc, 4129 const union sctp_subtype type, 4130 void *arg, 4131 struct sctp_cmd_seq *commands) 4132 { 4133 struct sctp_paramhdr *err_param = NULL; 4134 struct sctp_chunk *chunk = arg; 4135 struct sctp_reconf_chunk *hdr; 4136 union sctp_params param; 4137 4138 if (!sctp_vtag_verify(chunk, asoc)) { 4139 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4140 SCTP_NULL()); 4141 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4142 } 4143 4144 /* Make sure that the RECONF chunk has a valid length. */ 4145 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr))) 4146 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4147 commands); 4148 4149 if (!sctp_verify_reconf(asoc, chunk, &err_param)) 4150 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 4151 (void *)err_param, commands); 4152 4153 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr; 4154 sctp_walk_params(param, hdr) { 4155 struct sctp_chunk *reply = NULL; 4156 struct sctp_ulpevent *ev = NULL; 4157 4158 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST) 4159 reply = sctp_process_strreset_outreq( 4160 (struct sctp_association *)asoc, param, &ev); 4161 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST) 4162 reply = sctp_process_strreset_inreq( 4163 (struct sctp_association *)asoc, param, &ev); 4164 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST) 4165 reply = sctp_process_strreset_tsnreq( 4166 (struct sctp_association *)asoc, param, &ev); 4167 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) 4168 reply = sctp_process_strreset_addstrm_out( 4169 (struct sctp_association *)asoc, param, &ev); 4170 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS) 4171 reply = sctp_process_strreset_addstrm_in( 4172 (struct sctp_association *)asoc, param, &ev); 4173 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE) 4174 reply = sctp_process_strreset_resp( 4175 (struct sctp_association *)asoc, param, &ev); 4176 4177 if (ev) 4178 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4179 SCTP_ULPEVENT(ev)); 4180 4181 if (reply) 4182 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4183 SCTP_CHUNK(reply)); 4184 } 4185 4186 return SCTP_DISPOSITION_CONSUME; 4187 } 4188 4189 /* 4190 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 4191 * 4192 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 4193 * its cumulative TSN point to the value carried in the FORWARD TSN 4194 * chunk, and then MUST further advance its cumulative TSN point locally 4195 * if possible. 4196 * After the above processing, the data receiver MUST stop reporting any 4197 * missing TSNs earlier than or equal to the new cumulative TSN point. 4198 * 4199 * Verification Tag: 8.5 Verification Tag [Normal verification] 4200 * 4201 * The return value is the disposition of the chunk. 4202 */ 4203 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net, 4204 const struct sctp_endpoint *ep, 4205 const struct sctp_association *asoc, 4206 const union sctp_subtype type, 4207 void *arg, 4208 struct sctp_cmd_seq *commands) 4209 { 4210 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4211 struct sctp_chunk *chunk = arg; 4212 __u16 len; 4213 __u32 tsn; 4214 4215 if (!sctp_vtag_verify(chunk, asoc)) { 4216 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4217 SCTP_NULL()); 4218 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4219 } 4220 4221 if (!asoc->peer.prsctp_capable) 4222 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4223 4224 /* Make sure that the FORWARD_TSN chunk has valid length. */ 4225 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4226 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4227 commands); 4228 4229 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4230 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4231 len = ntohs(chunk->chunk_hdr->length); 4232 len -= sizeof(struct sctp_chunkhdr); 4233 skb_pull(chunk->skb, len); 4234 4235 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4236 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4237 4238 /* The TSN is too high--silently discard the chunk and count on it 4239 * getting retransmitted later. 4240 */ 4241 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4242 goto discard_noforce; 4243 4244 if (!asoc->stream.si->validate_ftsn(chunk)) 4245 goto discard_noforce; 4246 4247 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4248 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4249 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4250 SCTP_CHUNK(chunk)); 4251 4252 /* Count this as receiving DATA. */ 4253 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 4254 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4255 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4256 } 4257 4258 /* FIXME: For now send a SACK, but DATA processing may 4259 * send another. 4260 */ 4261 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 4262 4263 return SCTP_DISPOSITION_CONSUME; 4264 4265 discard_noforce: 4266 return SCTP_DISPOSITION_DISCARD; 4267 } 4268 4269 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( 4270 struct net *net, 4271 const struct sctp_endpoint *ep, 4272 const struct sctp_association *asoc, 4273 const union sctp_subtype type, 4274 void *arg, 4275 struct sctp_cmd_seq *commands) 4276 { 4277 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4278 struct sctp_chunk *chunk = arg; 4279 __u16 len; 4280 __u32 tsn; 4281 4282 if (!sctp_vtag_verify(chunk, asoc)) { 4283 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4284 SCTP_NULL()); 4285 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4286 } 4287 4288 if (!asoc->peer.prsctp_capable) 4289 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4290 4291 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 4292 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4293 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4294 commands); 4295 4296 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4297 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4298 len = ntohs(chunk->chunk_hdr->length); 4299 len -= sizeof(struct sctp_chunkhdr); 4300 skb_pull(chunk->skb, len); 4301 4302 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4303 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4304 4305 /* The TSN is too high--silently discard the chunk and count on it 4306 * getting retransmitted later. 4307 */ 4308 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4309 goto gen_shutdown; 4310 4311 if (!asoc->stream.si->validate_ftsn(chunk)) 4312 goto gen_shutdown; 4313 4314 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4315 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4316 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4317 SCTP_CHUNK(chunk)); 4318 4319 /* Go a head and force a SACK, since we are shutting down. */ 4320 gen_shutdown: 4321 /* Implementor's Guide. 4322 * 4323 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 4324 * respond to each received packet containing one or more DATA chunk(s) 4325 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 4326 */ 4327 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 4328 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4329 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4330 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4331 4332 return SCTP_DISPOSITION_CONSUME; 4333 } 4334 4335 /* 4336 * SCTP-AUTH Section 6.3 Receiving authenticated chunks 4337 * 4338 * The receiver MUST use the HMAC algorithm indicated in the HMAC 4339 * Identifier field. If this algorithm was not specified by the 4340 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 4341 * during association setup, the AUTH chunk and all chunks after it MUST 4342 * be discarded and an ERROR chunk SHOULD be sent with the error cause 4343 * defined in Section 4.1. 4344 * 4345 * If an endpoint with no shared key receives a Shared Key Identifier 4346 * other than 0, it MUST silently discard all authenticated chunks. If 4347 * the endpoint has at least one endpoint pair shared key for the peer, 4348 * it MUST use the key specified by the Shared Key Identifier if a 4349 * key has been configured for that Shared Key Identifier. If no 4350 * endpoint pair shared key has been configured for that Shared Key 4351 * Identifier, all authenticated chunks MUST be silently discarded. 4352 * 4353 * Verification Tag: 8.5 Verification Tag [Normal verification] 4354 * 4355 * The return value is the disposition of the chunk. 4356 */ 4357 static enum sctp_ierror sctp_sf_authenticate( 4358 const struct sctp_association *asoc, 4359 struct sctp_chunk *chunk) 4360 { 4361 struct sctp_shared_key *sh_key = NULL; 4362 struct sctp_authhdr *auth_hdr; 4363 __u8 *save_digest, *digest; 4364 struct sctp_hmac *hmac; 4365 unsigned int sig_len; 4366 __u16 key_id; 4367 4368 /* Pull in the auth header, so we can do some more verification */ 4369 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4370 chunk->subh.auth_hdr = auth_hdr; 4371 skb_pull(chunk->skb, sizeof(*auth_hdr)); 4372 4373 /* Make sure that we support the HMAC algorithm from the auth 4374 * chunk. 4375 */ 4376 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4377 return SCTP_IERROR_AUTH_BAD_HMAC; 4378 4379 /* Make sure that the provided shared key identifier has been 4380 * configured 4381 */ 4382 key_id = ntohs(auth_hdr->shkey_id); 4383 if (key_id != asoc->active_key_id) { 4384 sh_key = sctp_auth_get_shkey(asoc, key_id); 4385 if (!sh_key) 4386 return SCTP_IERROR_AUTH_BAD_KEYID; 4387 } 4388 4389 /* Make sure that the length of the signature matches what 4390 * we expect. 4391 */ 4392 sig_len = ntohs(chunk->chunk_hdr->length) - 4393 sizeof(struct sctp_auth_chunk); 4394 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4395 if (sig_len != hmac->hmac_len) 4396 return SCTP_IERROR_PROTO_VIOLATION; 4397 4398 /* Now that we've done validation checks, we can compute and 4399 * verify the hmac. The steps involved are: 4400 * 1. Save the digest from the chunk. 4401 * 2. Zero out the digest in the chunk. 4402 * 3. Compute the new digest 4403 * 4. Compare saved and new digests. 4404 */ 4405 digest = (u8 *)(auth_hdr + 1); 4406 skb_pull(chunk->skb, sig_len); 4407 4408 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4409 if (!save_digest) 4410 goto nomem; 4411 4412 memset(digest, 0, sig_len); 4413 4414 sctp_auth_calculate_hmac(asoc, chunk->skb, 4415 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4416 sh_key, GFP_ATOMIC); 4417 4418 /* Discard the packet if the digests do not match */ 4419 if (memcmp(save_digest, digest, sig_len)) { 4420 kfree(save_digest); 4421 return SCTP_IERROR_BAD_SIG; 4422 } 4423 4424 kfree(save_digest); 4425 chunk->auth = 1; 4426 4427 return SCTP_IERROR_NO_ERROR; 4428 nomem: 4429 return SCTP_IERROR_NOMEM; 4430 } 4431 4432 enum sctp_disposition sctp_sf_eat_auth(struct net *net, 4433 const struct sctp_endpoint *ep, 4434 const struct sctp_association *asoc, 4435 const union sctp_subtype type, 4436 void *arg, struct sctp_cmd_seq *commands) 4437 { 4438 struct sctp_chunk *chunk = arg; 4439 struct sctp_authhdr *auth_hdr; 4440 struct sctp_chunk *err_chunk; 4441 enum sctp_ierror error; 4442 4443 /* Make sure that the peer has AUTH capable */ 4444 if (!asoc->peer.auth_capable) 4445 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4446 4447 if (!sctp_vtag_verify(chunk, asoc)) { 4448 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4449 SCTP_NULL()); 4450 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4451 } 4452 4453 /* Make sure that the AUTH chunk has valid length. */ 4454 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4455 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4456 commands); 4457 4458 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4459 error = sctp_sf_authenticate(asoc, chunk); 4460 switch (error) { 4461 case SCTP_IERROR_AUTH_BAD_HMAC: 4462 /* Generate the ERROR chunk and discard the rest 4463 * of the packet 4464 */ 4465 err_chunk = sctp_make_op_error(asoc, chunk, 4466 SCTP_ERROR_UNSUP_HMAC, 4467 &auth_hdr->hmac_id, 4468 sizeof(__u16), 0); 4469 if (err_chunk) { 4470 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4471 SCTP_CHUNK(err_chunk)); 4472 } 4473 fallthrough; 4474 case SCTP_IERROR_AUTH_BAD_KEYID: 4475 case SCTP_IERROR_BAD_SIG: 4476 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4477 4478 case SCTP_IERROR_PROTO_VIOLATION: 4479 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4480 commands); 4481 4482 case SCTP_IERROR_NOMEM: 4483 return SCTP_DISPOSITION_NOMEM; 4484 4485 default: /* Prevent gcc warnings */ 4486 break; 4487 } 4488 4489 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4490 struct sctp_ulpevent *ev; 4491 4492 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4493 SCTP_AUTH_NEW_KEY, GFP_ATOMIC); 4494 4495 if (!ev) 4496 return SCTP_DISPOSITION_NOMEM; 4497 4498 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4499 SCTP_ULPEVENT(ev)); 4500 } 4501 4502 return SCTP_DISPOSITION_CONSUME; 4503 } 4504 4505 /* 4506 * Process an unknown chunk. 4507 * 4508 * Section: 3.2. Also, 2.1 in the implementor's guide. 4509 * 4510 * Chunk Types are encoded such that the highest-order two bits specify 4511 * the action that must be taken if the processing endpoint does not 4512 * recognize the Chunk Type. 4513 * 4514 * 00 - Stop processing this SCTP packet and discard it, do not process 4515 * any further chunks within it. 4516 * 4517 * 01 - Stop processing this SCTP packet and discard it, do not process 4518 * any further chunks within it, and report the unrecognized 4519 * chunk in an 'Unrecognized Chunk Type'. 4520 * 4521 * 10 - Skip this chunk and continue processing. 4522 * 4523 * 11 - Skip this chunk and continue processing, but report in an ERROR 4524 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4525 * 4526 * The return value is the disposition of the chunk. 4527 */ 4528 enum sctp_disposition sctp_sf_unk_chunk(struct net *net, 4529 const struct sctp_endpoint *ep, 4530 const struct sctp_association *asoc, 4531 const union sctp_subtype type, 4532 void *arg, 4533 struct sctp_cmd_seq *commands) 4534 { 4535 struct sctp_chunk *unk_chunk = arg; 4536 struct sctp_chunk *err_chunk; 4537 struct sctp_chunkhdr *hdr; 4538 4539 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4540 4541 if (!sctp_vtag_verify(unk_chunk, asoc)) 4542 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4543 4544 /* Make sure that the chunk has a valid length. 4545 * Since we don't know the chunk type, we use a general 4546 * chunkhdr structure to make a comparison. 4547 */ 4548 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr))) 4549 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4550 commands); 4551 4552 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4553 case SCTP_CID_ACTION_DISCARD: 4554 /* Discard the packet. */ 4555 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4556 case SCTP_CID_ACTION_DISCARD_ERR: 4557 /* Generate an ERROR chunk as response. */ 4558 hdr = unk_chunk->chunk_hdr; 4559 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4560 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4561 SCTP_PAD4(ntohs(hdr->length)), 4562 0); 4563 if (err_chunk) { 4564 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4565 SCTP_CHUNK(err_chunk)); 4566 } 4567 4568 /* Discard the packet. */ 4569 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4570 return SCTP_DISPOSITION_CONSUME; 4571 case SCTP_CID_ACTION_SKIP: 4572 /* Skip the chunk. */ 4573 return SCTP_DISPOSITION_DISCARD; 4574 case SCTP_CID_ACTION_SKIP_ERR: 4575 /* Generate an ERROR chunk as response. */ 4576 hdr = unk_chunk->chunk_hdr; 4577 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4578 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4579 SCTP_PAD4(ntohs(hdr->length)), 4580 0); 4581 if (err_chunk) { 4582 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4583 SCTP_CHUNK(err_chunk)); 4584 } 4585 /* Skip the chunk. */ 4586 return SCTP_DISPOSITION_CONSUME; 4587 default: 4588 break; 4589 } 4590 4591 return SCTP_DISPOSITION_DISCARD; 4592 } 4593 4594 /* 4595 * Discard the chunk. 4596 * 4597 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4598 * [Too numerous to mention...] 4599 * Verification Tag: No verification needed. 4600 * Inputs 4601 * (endpoint, asoc, chunk) 4602 * 4603 * Outputs 4604 * (asoc, reply_msg, msg_up, timers, counters) 4605 * 4606 * The return value is the disposition of the chunk. 4607 */ 4608 enum sctp_disposition sctp_sf_discard_chunk(struct net *net, 4609 const struct sctp_endpoint *ep, 4610 const struct sctp_association *asoc, 4611 const union sctp_subtype type, 4612 void *arg, 4613 struct sctp_cmd_seq *commands) 4614 { 4615 struct sctp_chunk *chunk = arg; 4616 4617 if (asoc && !sctp_vtag_verify(chunk, asoc)) 4618 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4619 4620 /* Make sure that the chunk has a valid length. 4621 * Since we don't know the chunk type, we use a general 4622 * chunkhdr structure to make a comparison. 4623 */ 4624 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4625 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4626 commands); 4627 4628 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4629 4630 return SCTP_DISPOSITION_DISCARD; 4631 } 4632 4633 /* 4634 * Discard the whole packet. 4635 * 4636 * Section: 8.4 2) 4637 * 4638 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4639 * silently discard the OOTB packet and take no further action. 4640 * 4641 * Verification Tag: No verification necessary 4642 * 4643 * Inputs 4644 * (endpoint, asoc, chunk) 4645 * 4646 * Outputs 4647 * (asoc, reply_msg, msg_up, timers, counters) 4648 * 4649 * The return value is the disposition of the chunk. 4650 */ 4651 enum sctp_disposition sctp_sf_pdiscard(struct net *net, 4652 const struct sctp_endpoint *ep, 4653 const struct sctp_association *asoc, 4654 const union sctp_subtype type, 4655 void *arg, struct sctp_cmd_seq *commands) 4656 { 4657 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4658 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4659 4660 return SCTP_DISPOSITION_CONSUME; 4661 } 4662 4663 4664 /* 4665 * The other end is violating protocol. 4666 * 4667 * Section: Not specified 4668 * Verification Tag: Not specified 4669 * Inputs 4670 * (endpoint, asoc, chunk) 4671 * 4672 * Outputs 4673 * (asoc, reply_msg, msg_up, timers, counters) 4674 * 4675 * We simply tag the chunk as a violation. The state machine will log 4676 * the violation and continue. 4677 */ 4678 enum sctp_disposition sctp_sf_violation(struct net *net, 4679 const struct sctp_endpoint *ep, 4680 const struct sctp_association *asoc, 4681 const union sctp_subtype type, 4682 void *arg, 4683 struct sctp_cmd_seq *commands) 4684 { 4685 struct sctp_chunk *chunk = arg; 4686 4687 if (!sctp_vtag_verify(chunk, asoc)) 4688 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4689 4690 /* Make sure that the chunk has a valid length. */ 4691 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4692 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4693 commands); 4694 4695 return SCTP_DISPOSITION_VIOLATION; 4696 } 4697 4698 /* 4699 * Common function to handle a protocol violation. 4700 */ 4701 static enum sctp_disposition sctp_sf_abort_violation( 4702 struct net *net, 4703 const struct sctp_endpoint *ep, 4704 const struct sctp_association *asoc, 4705 void *arg, 4706 struct sctp_cmd_seq *commands, 4707 const __u8 *payload, 4708 const size_t paylen) 4709 { 4710 struct sctp_packet *packet = NULL; 4711 struct sctp_chunk *chunk = arg; 4712 struct sctp_chunk *abort = NULL; 4713 4714 /* SCTP-AUTH, Section 6.3: 4715 * It should be noted that if the receiver wants to tear 4716 * down an association in an authenticated way only, the 4717 * handling of malformed packets should not result in 4718 * tearing down the association. 4719 * 4720 * This means that if we only want to abort associations 4721 * in an authenticated way (i.e AUTH+ABORT), then we 4722 * can't destroy this association just because the packet 4723 * was malformed. 4724 */ 4725 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4726 goto discard; 4727 4728 /* Make the abort chunk. */ 4729 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4730 if (!abort) 4731 goto nomem; 4732 4733 if (asoc) { 4734 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4735 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4736 !asoc->peer.i.init_tag) { 4737 struct sctp_initack_chunk *initack; 4738 4739 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 4740 if (!sctp_chunk_length_valid(chunk, sizeof(*initack))) 4741 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4742 else { 4743 unsigned int inittag; 4744 4745 inittag = ntohl(initack->init_hdr.init_tag); 4746 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4747 SCTP_U32(inittag)); 4748 } 4749 } 4750 4751 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4752 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4753 4754 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4755 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4756 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4757 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4758 SCTP_ERROR(ECONNREFUSED)); 4759 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4760 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4761 } else { 4762 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4763 SCTP_ERROR(ECONNABORTED)); 4764 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4765 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4766 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4767 } 4768 } else { 4769 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4770 4771 if (!packet) 4772 goto nomem_pkt; 4773 4774 if (sctp_test_T_bit(abort)) 4775 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4776 4777 abort->skb->sk = ep->base.sk; 4778 4779 sctp_packet_append_chunk(packet, abort); 4780 4781 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4782 SCTP_PACKET(packet)); 4783 4784 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4785 } 4786 4787 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4788 4789 discard: 4790 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4791 return SCTP_DISPOSITION_ABORT; 4792 4793 nomem_pkt: 4794 sctp_chunk_free(abort); 4795 nomem: 4796 return SCTP_DISPOSITION_NOMEM; 4797 } 4798 4799 /* 4800 * Handle a protocol violation when the chunk length is invalid. 4801 * "Invalid" length is identified as smaller than the minimal length a 4802 * given chunk can be. For example, a SACK chunk has invalid length 4803 * if its length is set to be smaller than the size of struct sctp_sack_chunk. 4804 * 4805 * We inform the other end by sending an ABORT with a Protocol Violation 4806 * error code. 4807 * 4808 * Section: Not specified 4809 * Verification Tag: Nothing to do 4810 * Inputs 4811 * (endpoint, asoc, chunk) 4812 * 4813 * Outputs 4814 * (reply_msg, msg_up, counters) 4815 * 4816 * Generate an ABORT chunk and terminate the association. 4817 */ 4818 static enum sctp_disposition sctp_sf_violation_chunklen( 4819 struct net *net, 4820 const struct sctp_endpoint *ep, 4821 const struct sctp_association *asoc, 4822 const union sctp_subtype type, 4823 void *arg, 4824 struct sctp_cmd_seq *commands) 4825 { 4826 static const char err_str[] = "The following chunk had invalid length:"; 4827 4828 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4829 sizeof(err_str)); 4830 } 4831 4832 /* 4833 * Handle a protocol violation when the parameter length is invalid. 4834 * If the length is smaller than the minimum length of a given parameter, 4835 * or accumulated length in multi parameters exceeds the end of the chunk, 4836 * the length is considered as invalid. 4837 */ 4838 static enum sctp_disposition sctp_sf_violation_paramlen( 4839 struct net *net, 4840 const struct sctp_endpoint *ep, 4841 const struct sctp_association *asoc, 4842 const union sctp_subtype type, 4843 void *arg, void *ext, 4844 struct sctp_cmd_seq *commands) 4845 { 4846 struct sctp_paramhdr *param = ext; 4847 struct sctp_chunk *abort = NULL; 4848 struct sctp_chunk *chunk = arg; 4849 4850 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4851 goto discard; 4852 4853 /* Make the abort chunk. */ 4854 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4855 if (!abort) 4856 goto nomem; 4857 4858 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4859 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4860 4861 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4862 SCTP_ERROR(ECONNABORTED)); 4863 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4864 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4865 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4866 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4867 4868 discard: 4869 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4870 return SCTP_DISPOSITION_ABORT; 4871 nomem: 4872 return SCTP_DISPOSITION_NOMEM; 4873 } 4874 4875 /* Handle a protocol violation when the peer trying to advance the 4876 * cumulative tsn ack to a point beyond the max tsn currently sent. 4877 * 4878 * We inform the other end by sending an ABORT with a Protocol Violation 4879 * error code. 4880 */ 4881 static enum sctp_disposition sctp_sf_violation_ctsn( 4882 struct net *net, 4883 const struct sctp_endpoint *ep, 4884 const struct sctp_association *asoc, 4885 const union sctp_subtype type, 4886 void *arg, 4887 struct sctp_cmd_seq *commands) 4888 { 4889 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4890 4891 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4892 sizeof(err_str)); 4893 } 4894 4895 /* Handle protocol violation of an invalid chunk bundling. For example, 4896 * when we have an association and we receive bundled INIT-ACK, or 4897 * SHUTDOWN-COMPLETE, our peer is clearly violating the "MUST NOT bundle" 4898 * statement from the specs. Additionally, there might be an attacker 4899 * on the path and we may not want to continue this communication. 4900 */ 4901 static enum sctp_disposition sctp_sf_violation_chunk( 4902 struct net *net, 4903 const struct sctp_endpoint *ep, 4904 const struct sctp_association *asoc, 4905 const union sctp_subtype type, 4906 void *arg, 4907 struct sctp_cmd_seq *commands) 4908 { 4909 static const char err_str[] = "The following chunk violates protocol:"; 4910 4911 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4912 sizeof(err_str)); 4913 } 4914 /*************************************************************************** 4915 * These are the state functions for handling primitive (Section 10) events. 4916 ***************************************************************************/ 4917 /* 4918 * sctp_sf_do_prm_asoc 4919 * 4920 * Section: 10.1 ULP-to-SCTP 4921 * B) Associate 4922 * 4923 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4924 * outbound stream count) 4925 * -> association id [,destination transport addr list] [,outbound stream 4926 * count] 4927 * 4928 * This primitive allows the upper layer to initiate an association to a 4929 * specific peer endpoint. 4930 * 4931 * The peer endpoint shall be specified by one of the transport addresses 4932 * which defines the endpoint (see Section 1.4). If the local SCTP 4933 * instance has not been initialized, the ASSOCIATE is considered an 4934 * error. 4935 * [This is not relevant for the kernel implementation since we do all 4936 * initialization at boot time. It we hadn't initialized we wouldn't 4937 * get anywhere near this code.] 4938 * 4939 * An association id, which is a local handle to the SCTP association, 4940 * will be returned on successful establishment of the association. If 4941 * SCTP is not able to open an SCTP association with the peer endpoint, 4942 * an error is returned. 4943 * [In the kernel implementation, the struct sctp_association needs to 4944 * be created BEFORE causing this primitive to run.] 4945 * 4946 * Other association parameters may be returned, including the 4947 * complete destination transport addresses of the peer as well as the 4948 * outbound stream count of the local endpoint. One of the transport 4949 * address from the returned destination addresses will be selected by 4950 * the local endpoint as default primary path for sending SCTP packets 4951 * to this peer. The returned "destination transport addr list" can 4952 * be used by the ULP to change the default primary path or to force 4953 * sending a packet to a specific transport address. [All of this 4954 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4955 * function.] 4956 * 4957 * Mandatory attributes: 4958 * 4959 * o local SCTP instance name - obtained from the INITIALIZE operation. 4960 * [This is the argument asoc.] 4961 * o destination transport addr - specified as one of the transport 4962 * addresses of the peer endpoint with which the association is to be 4963 * established. 4964 * [This is asoc->peer.active_path.] 4965 * o outbound stream count - the number of outbound streams the ULP 4966 * would like to open towards this peer endpoint. 4967 * [BUG: This is not currently implemented.] 4968 * Optional attributes: 4969 * 4970 * None. 4971 * 4972 * The return value is a disposition. 4973 */ 4974 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net, 4975 const struct sctp_endpoint *ep, 4976 const struct sctp_association *asoc, 4977 const union sctp_subtype type, 4978 void *arg, 4979 struct sctp_cmd_seq *commands) 4980 { 4981 struct sctp_association *my_asoc; 4982 struct sctp_chunk *repl; 4983 4984 /* The comment below says that we enter COOKIE-WAIT AFTER 4985 * sending the INIT, but that doesn't actually work in our 4986 * implementation... 4987 */ 4988 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4989 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4990 4991 /* RFC 2960 5.1 Normal Establishment of an Association 4992 * 4993 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4994 * must provide its Verification Tag (Tag_A) in the Initiate 4995 * Tag field. Tag_A SHOULD be a random number in the range of 4996 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4997 */ 4998 4999 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 5000 if (!repl) 5001 goto nomem; 5002 5003 /* Choose transport for INIT. */ 5004 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5005 SCTP_CHUNK(repl)); 5006 5007 /* Cast away the const modifier, as we want to just 5008 * rerun it through as a sideffect. 5009 */ 5010 my_asoc = (struct sctp_association *)asoc; 5011 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 5012 5013 /* After sending the INIT, "A" starts the T1-init timer and 5014 * enters the COOKIE-WAIT state. 5015 */ 5016 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5017 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5018 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5019 return SCTP_DISPOSITION_CONSUME; 5020 5021 nomem: 5022 return SCTP_DISPOSITION_NOMEM; 5023 } 5024 5025 /* 5026 * Process the SEND primitive. 5027 * 5028 * Section: 10.1 ULP-to-SCTP 5029 * E) Send 5030 * 5031 * Format: SEND(association id, buffer address, byte count [,context] 5032 * [,stream id] [,life time] [,destination transport address] 5033 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 5034 * -> result 5035 * 5036 * This is the main method to send user data via SCTP. 5037 * 5038 * Mandatory attributes: 5039 * 5040 * o association id - local handle to the SCTP association 5041 * 5042 * o buffer address - the location where the user message to be 5043 * transmitted is stored; 5044 * 5045 * o byte count - The size of the user data in number of bytes; 5046 * 5047 * Optional attributes: 5048 * 5049 * o context - an optional 32 bit integer that will be carried in the 5050 * sending failure notification to the ULP if the transportation of 5051 * this User Message fails. 5052 * 5053 * o stream id - to indicate which stream to send the data on. If not 5054 * specified, stream 0 will be used. 5055 * 5056 * o life time - specifies the life time of the user data. The user data 5057 * will not be sent by SCTP after the life time expires. This 5058 * parameter can be used to avoid efforts to transmit stale 5059 * user messages. SCTP notifies the ULP if the data cannot be 5060 * initiated to transport (i.e. sent to the destination via SCTP's 5061 * send primitive) within the life time variable. However, the 5062 * user data will be transmitted if SCTP has attempted to transmit a 5063 * chunk before the life time expired. 5064 * 5065 * o destination transport address - specified as one of the destination 5066 * transport addresses of the peer endpoint to which this packet 5067 * should be sent. Whenever possible, SCTP should use this destination 5068 * transport address for sending the packets, instead of the current 5069 * primary path. 5070 * 5071 * o unorder flag - this flag, if present, indicates that the user 5072 * would like the data delivered in an unordered fashion to the peer 5073 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 5074 * message). 5075 * 5076 * o no-bundle flag - instructs SCTP not to bundle this user data with 5077 * other outbound DATA chunks. SCTP MAY still bundle even when 5078 * this flag is present, when faced with network congestion. 5079 * 5080 * o payload protocol-id - A 32 bit unsigned integer that is to be 5081 * passed to the peer indicating the type of payload protocol data 5082 * being transmitted. This value is passed as opaque data by SCTP. 5083 * 5084 * The return value is the disposition. 5085 */ 5086 enum sctp_disposition sctp_sf_do_prm_send(struct net *net, 5087 const struct sctp_endpoint *ep, 5088 const struct sctp_association *asoc, 5089 const union sctp_subtype type, 5090 void *arg, 5091 struct sctp_cmd_seq *commands) 5092 { 5093 struct sctp_datamsg *msg = arg; 5094 5095 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 5096 return SCTP_DISPOSITION_CONSUME; 5097 } 5098 5099 /* 5100 * Process the SHUTDOWN primitive. 5101 * 5102 * Section: 10.1: 5103 * C) Shutdown 5104 * 5105 * Format: SHUTDOWN(association id) 5106 * -> result 5107 * 5108 * Gracefully closes an association. Any locally queued user data 5109 * will be delivered to the peer. The association will be terminated only 5110 * after the peer acknowledges all the SCTP packets sent. A success code 5111 * will be returned on successful termination of the association. If 5112 * attempting to terminate the association results in a failure, an error 5113 * code shall be returned. 5114 * 5115 * Mandatory attributes: 5116 * 5117 * o association id - local handle to the SCTP association 5118 * 5119 * Optional attributes: 5120 * 5121 * None. 5122 * 5123 * The return value is the disposition. 5124 */ 5125 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown( 5126 struct net *net, 5127 const struct sctp_endpoint *ep, 5128 const struct sctp_association *asoc, 5129 const union sctp_subtype type, 5130 void *arg, 5131 struct sctp_cmd_seq *commands) 5132 { 5133 enum sctp_disposition disposition; 5134 5135 /* From 9.2 Shutdown of an Association 5136 * Upon receipt of the SHUTDOWN primitive from its upper 5137 * layer, the endpoint enters SHUTDOWN-PENDING state and 5138 * remains there until all outstanding data has been 5139 * acknowledged by its peer. The endpoint accepts no new data 5140 * from its upper layer, but retransmits data to the far end 5141 * if necessary to fill gaps. 5142 */ 5143 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5144 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5145 5146 disposition = SCTP_DISPOSITION_CONSUME; 5147 if (sctp_outq_is_empty(&asoc->outqueue)) { 5148 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 5149 arg, commands); 5150 } 5151 5152 return disposition; 5153 } 5154 5155 /* 5156 * Process the ABORT primitive. 5157 * 5158 * Section: 10.1: 5159 * C) Abort 5160 * 5161 * Format: Abort(association id [, cause code]) 5162 * -> result 5163 * 5164 * Ungracefully closes an association. Any locally queued user data 5165 * will be discarded and an ABORT chunk is sent to the peer. A success code 5166 * will be returned on successful abortion of the association. If 5167 * attempting to abort the association results in a failure, an error 5168 * code shall be returned. 5169 * 5170 * Mandatory attributes: 5171 * 5172 * o association id - local handle to the SCTP association 5173 * 5174 * Optional attributes: 5175 * 5176 * o cause code - reason of the abort to be passed to the peer 5177 * 5178 * None. 5179 * 5180 * The return value is the disposition. 5181 */ 5182 enum sctp_disposition sctp_sf_do_9_1_prm_abort( 5183 struct net *net, 5184 const struct sctp_endpoint *ep, 5185 const struct sctp_association *asoc, 5186 const union sctp_subtype type, 5187 void *arg, 5188 struct sctp_cmd_seq *commands) 5189 { 5190 /* From 9.1 Abort of an Association 5191 * Upon receipt of the ABORT primitive from its upper 5192 * layer, the endpoint enters CLOSED state and 5193 * discard all outstanding data has been 5194 * acknowledged by its peer. The endpoint accepts no new data 5195 * from its upper layer, but retransmits data to the far end 5196 * if necessary to fill gaps. 5197 */ 5198 struct sctp_chunk *abort = arg; 5199 5200 if (abort) 5201 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5202 5203 /* Even if we can't send the ABORT due to low memory delete the 5204 * TCB. This is a departure from our typical NOMEM handling. 5205 */ 5206 5207 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5208 SCTP_ERROR(ECONNABORTED)); 5209 /* Delete the established association. */ 5210 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5211 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5212 5213 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5214 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5215 5216 return SCTP_DISPOSITION_ABORT; 5217 } 5218 5219 /* We tried an illegal operation on an association which is closed. */ 5220 enum sctp_disposition sctp_sf_error_closed(struct net *net, 5221 const struct sctp_endpoint *ep, 5222 const struct sctp_association *asoc, 5223 const union sctp_subtype type, 5224 void *arg, 5225 struct sctp_cmd_seq *commands) 5226 { 5227 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 5228 return SCTP_DISPOSITION_CONSUME; 5229 } 5230 5231 /* We tried an illegal operation on an association which is shutting 5232 * down. 5233 */ 5234 enum sctp_disposition sctp_sf_error_shutdown( 5235 struct net *net, 5236 const struct sctp_endpoint *ep, 5237 const struct sctp_association *asoc, 5238 const union sctp_subtype type, 5239 void *arg, 5240 struct sctp_cmd_seq *commands) 5241 { 5242 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 5243 SCTP_ERROR(-ESHUTDOWN)); 5244 return SCTP_DISPOSITION_CONSUME; 5245 } 5246 5247 /* 5248 * sctp_cookie_wait_prm_shutdown 5249 * 5250 * Section: 4 Note: 2 5251 * Verification Tag: 5252 * Inputs 5253 * (endpoint, asoc) 5254 * 5255 * The RFC does not explicitly address this issue, but is the route through the 5256 * state table when someone issues a shutdown while in COOKIE_WAIT state. 5257 * 5258 * Outputs 5259 * (timers) 5260 */ 5261 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( 5262 struct net *net, 5263 const struct sctp_endpoint *ep, 5264 const struct sctp_association *asoc, 5265 const union sctp_subtype type, 5266 void *arg, 5267 struct sctp_cmd_seq *commands) 5268 { 5269 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5270 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5271 5272 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5273 SCTP_STATE(SCTP_STATE_CLOSED)); 5274 5275 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 5276 5277 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 5278 5279 return SCTP_DISPOSITION_DELETE_TCB; 5280 } 5281 5282 /* 5283 * sctp_cookie_echoed_prm_shutdown 5284 * 5285 * Section: 4 Note: 2 5286 * Verification Tag: 5287 * Inputs 5288 * (endpoint, asoc) 5289 * 5290 * The RFC does not explicitly address this issue, but is the route through the 5291 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 5292 * 5293 * Outputs 5294 * (timers) 5295 */ 5296 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown( 5297 struct net *net, 5298 const struct sctp_endpoint *ep, 5299 const struct sctp_association *asoc, 5300 const union sctp_subtype type, 5301 void *arg, 5302 struct sctp_cmd_seq *commands) 5303 { 5304 /* There is a single T1 timer, so we should be able to use 5305 * common function with the COOKIE-WAIT state. 5306 */ 5307 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 5308 } 5309 5310 /* 5311 * sctp_sf_cookie_wait_prm_abort 5312 * 5313 * Section: 4 Note: 2 5314 * Verification Tag: 5315 * Inputs 5316 * (endpoint, asoc) 5317 * 5318 * The RFC does not explicitly address this issue, but is the route through the 5319 * state table when someone issues an abort while in COOKIE_WAIT state. 5320 * 5321 * Outputs 5322 * (timers) 5323 */ 5324 enum sctp_disposition sctp_sf_cookie_wait_prm_abort( 5325 struct net *net, 5326 const struct sctp_endpoint *ep, 5327 const struct sctp_association *asoc, 5328 const union sctp_subtype type, 5329 void *arg, 5330 struct sctp_cmd_seq *commands) 5331 { 5332 struct sctp_chunk *abort = arg; 5333 5334 /* Stop T1-init timer */ 5335 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5336 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5337 5338 if (abort) 5339 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5340 5341 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5342 SCTP_STATE(SCTP_STATE_CLOSED)); 5343 5344 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5345 5346 /* Even if we can't send the ABORT due to low memory delete the 5347 * TCB. This is a departure from our typical NOMEM handling. 5348 */ 5349 5350 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5351 SCTP_ERROR(ECONNREFUSED)); 5352 /* Delete the established association. */ 5353 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5354 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5355 5356 return SCTP_DISPOSITION_ABORT; 5357 } 5358 5359 /* 5360 * sctp_sf_cookie_echoed_prm_abort 5361 * 5362 * Section: 4 Note: 3 5363 * Verification Tag: 5364 * Inputs 5365 * (endpoint, asoc) 5366 * 5367 * The RFC does not explcitly address this issue, but is the route through the 5368 * state table when someone issues an abort while in COOKIE_ECHOED state. 5369 * 5370 * Outputs 5371 * (timers) 5372 */ 5373 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort( 5374 struct net *net, 5375 const struct sctp_endpoint *ep, 5376 const struct sctp_association *asoc, 5377 const union sctp_subtype type, 5378 void *arg, 5379 struct sctp_cmd_seq *commands) 5380 { 5381 /* There is a single T1 timer, so we should be able to use 5382 * common function with the COOKIE-WAIT state. 5383 */ 5384 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5385 } 5386 5387 /* 5388 * sctp_sf_shutdown_pending_prm_abort 5389 * 5390 * Inputs 5391 * (endpoint, asoc) 5392 * 5393 * The RFC does not explicitly address this issue, but is the route through the 5394 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5395 * 5396 * Outputs 5397 * (timers) 5398 */ 5399 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort( 5400 struct net *net, 5401 const struct sctp_endpoint *ep, 5402 const struct sctp_association *asoc, 5403 const union sctp_subtype type, 5404 void *arg, 5405 struct sctp_cmd_seq *commands) 5406 { 5407 /* Stop the T5-shutdown guard timer. */ 5408 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5409 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5410 5411 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5412 } 5413 5414 /* 5415 * sctp_sf_shutdown_sent_prm_abort 5416 * 5417 * Inputs 5418 * (endpoint, asoc) 5419 * 5420 * The RFC does not explicitly address this issue, but is the route through the 5421 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5422 * 5423 * Outputs 5424 * (timers) 5425 */ 5426 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort( 5427 struct net *net, 5428 const struct sctp_endpoint *ep, 5429 const struct sctp_association *asoc, 5430 const union sctp_subtype type, 5431 void *arg, 5432 struct sctp_cmd_seq *commands) 5433 { 5434 /* Stop the T2-shutdown timer. */ 5435 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5436 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5437 5438 /* Stop the T5-shutdown guard timer. */ 5439 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5440 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5441 5442 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5443 } 5444 5445 /* 5446 * sctp_sf_cookie_echoed_prm_abort 5447 * 5448 * Inputs 5449 * (endpoint, asoc) 5450 * 5451 * The RFC does not explcitly address this issue, but is the route through the 5452 * state table when someone issues an abort while in COOKIE_ECHOED state. 5453 * 5454 * Outputs 5455 * (timers) 5456 */ 5457 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort( 5458 struct net *net, 5459 const struct sctp_endpoint *ep, 5460 const struct sctp_association *asoc, 5461 const union sctp_subtype type, 5462 void *arg, 5463 struct sctp_cmd_seq *commands) 5464 { 5465 /* The same T2 timer, so we should be able to use 5466 * common function with the SHUTDOWN-SENT state. 5467 */ 5468 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5469 } 5470 5471 /* 5472 * Process the REQUESTHEARTBEAT primitive 5473 * 5474 * 10.1 ULP-to-SCTP 5475 * J) Request Heartbeat 5476 * 5477 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5478 * 5479 * -> result 5480 * 5481 * Instructs the local endpoint to perform a HeartBeat on the specified 5482 * destination transport address of the given association. The returned 5483 * result should indicate whether the transmission of the HEARTBEAT 5484 * chunk to the destination address is successful. 5485 * 5486 * Mandatory attributes: 5487 * 5488 * o association id - local handle to the SCTP association 5489 * 5490 * o destination transport address - the transport address of the 5491 * association on which a heartbeat should be issued. 5492 */ 5493 enum sctp_disposition sctp_sf_do_prm_requestheartbeat( 5494 struct net *net, 5495 const struct sctp_endpoint *ep, 5496 const struct sctp_association *asoc, 5497 const union sctp_subtype type, 5498 void *arg, 5499 struct sctp_cmd_seq *commands) 5500 { 5501 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5502 (struct sctp_transport *)arg, commands)) 5503 return SCTP_DISPOSITION_NOMEM; 5504 5505 /* 5506 * RFC 2960 (bis), section 8.3 5507 * 5508 * D) Request an on-demand HEARTBEAT on a specific destination 5509 * transport address of a given association. 5510 * 5511 * The endpoint should increment the respective error counter of 5512 * the destination transport address each time a HEARTBEAT is sent 5513 * to that address and not acknowledged within one RTO. 5514 * 5515 */ 5516 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5517 SCTP_TRANSPORT(arg)); 5518 return SCTP_DISPOSITION_CONSUME; 5519 } 5520 5521 /* 5522 * ADDIP Section 4.1 ASCONF Chunk Procedures 5523 * When an endpoint has an ASCONF signaled change to be sent to the 5524 * remote endpoint it should do A1 to A9 5525 */ 5526 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net, 5527 const struct sctp_endpoint *ep, 5528 const struct sctp_association *asoc, 5529 const union sctp_subtype type, 5530 void *arg, 5531 struct sctp_cmd_seq *commands) 5532 { 5533 struct sctp_chunk *chunk = arg; 5534 5535 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5536 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5537 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5538 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5539 return SCTP_DISPOSITION_CONSUME; 5540 } 5541 5542 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */ 5543 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net, 5544 const struct sctp_endpoint *ep, 5545 const struct sctp_association *asoc, 5546 const union sctp_subtype type, 5547 void *arg, 5548 struct sctp_cmd_seq *commands) 5549 { 5550 struct sctp_chunk *chunk = arg; 5551 5552 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5553 return SCTP_DISPOSITION_CONSUME; 5554 } 5555 5556 /* 5557 * Ignore the primitive event 5558 * 5559 * The return value is the disposition of the primitive. 5560 */ 5561 enum sctp_disposition sctp_sf_ignore_primitive( 5562 struct net *net, 5563 const struct sctp_endpoint *ep, 5564 const struct sctp_association *asoc, 5565 const union sctp_subtype type, 5566 void *arg, 5567 struct sctp_cmd_seq *commands) 5568 { 5569 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5570 type.primitive); 5571 5572 return SCTP_DISPOSITION_DISCARD; 5573 } 5574 5575 /*************************************************************************** 5576 * These are the state functions for the OTHER events. 5577 ***************************************************************************/ 5578 5579 /* 5580 * When the SCTP stack has no more user data to send or retransmit, this 5581 * notification is given to the user. Also, at the time when a user app 5582 * subscribes to this event, if there is no data to be sent or 5583 * retransmit, the stack will immediately send up this notification. 5584 */ 5585 enum sctp_disposition sctp_sf_do_no_pending_tsn( 5586 struct net *net, 5587 const struct sctp_endpoint *ep, 5588 const struct sctp_association *asoc, 5589 const union sctp_subtype type, 5590 void *arg, 5591 struct sctp_cmd_seq *commands) 5592 { 5593 struct sctp_ulpevent *event; 5594 5595 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5596 if (!event) 5597 return SCTP_DISPOSITION_NOMEM; 5598 5599 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5600 5601 return SCTP_DISPOSITION_CONSUME; 5602 } 5603 5604 /* 5605 * Start the shutdown negotiation. 5606 * 5607 * From Section 9.2: 5608 * Once all its outstanding data has been acknowledged, the endpoint 5609 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5610 * TSN Ack field the last sequential TSN it has received from the peer. 5611 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5612 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5613 * with the updated last sequential TSN received from its peer. 5614 * 5615 * The return value is the disposition. 5616 */ 5617 enum sctp_disposition sctp_sf_do_9_2_start_shutdown( 5618 struct net *net, 5619 const struct sctp_endpoint *ep, 5620 const struct sctp_association *asoc, 5621 const union sctp_subtype type, 5622 void *arg, 5623 struct sctp_cmd_seq *commands) 5624 { 5625 struct sctp_chunk *reply; 5626 5627 /* Once all its outstanding data has been acknowledged, the 5628 * endpoint shall send a SHUTDOWN chunk to its peer including 5629 * in the Cumulative TSN Ack field the last sequential TSN it 5630 * has received from the peer. 5631 */ 5632 reply = sctp_make_shutdown(asoc, arg); 5633 if (!reply) 5634 goto nomem; 5635 5636 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5637 * T2-shutdown timer. 5638 */ 5639 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5640 5641 /* It shall then start the T2-shutdown timer */ 5642 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5643 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5644 5645 /* RFC 4960 Section 9.2 5646 * The sender of the SHUTDOWN MAY also start an overall guard timer 5647 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5648 */ 5649 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5650 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5651 5652 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5653 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5654 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5655 5656 /* and enter the SHUTDOWN-SENT state. */ 5657 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5658 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5659 5660 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5661 * 5662 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5663 * or SHUTDOWN-ACK. 5664 */ 5665 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5666 5667 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5668 5669 return SCTP_DISPOSITION_CONSUME; 5670 5671 nomem: 5672 return SCTP_DISPOSITION_NOMEM; 5673 } 5674 5675 /* 5676 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5677 * 5678 * From Section 9.2: 5679 * 5680 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5681 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5682 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5683 * endpoint must re-send the SHUTDOWN ACK. 5684 * 5685 * The return value is the disposition. 5686 */ 5687 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack( 5688 struct net *net, 5689 const struct sctp_endpoint *ep, 5690 const struct sctp_association *asoc, 5691 const union sctp_subtype type, 5692 void *arg, 5693 struct sctp_cmd_seq *commands) 5694 { 5695 struct sctp_chunk *chunk = arg; 5696 struct sctp_chunk *reply; 5697 5698 /* There are 2 ways of getting here: 5699 * 1) called in response to a SHUTDOWN chunk 5700 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5701 * 5702 * For the case (2), the arg parameter is set to NULL. We need 5703 * to check that we have a chunk before accessing it's fields. 5704 */ 5705 if (chunk) { 5706 if (!sctp_vtag_verify(chunk, asoc)) 5707 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 5708 commands); 5709 5710 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5711 if (!sctp_chunk_length_valid( 5712 chunk, sizeof(struct sctp_shutdown_chunk))) 5713 return sctp_sf_violation_chunklen(net, ep, asoc, type, 5714 arg, commands); 5715 } 5716 5717 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5718 * shall send a SHUTDOWN ACK ... 5719 */ 5720 reply = sctp_make_shutdown_ack(asoc, chunk); 5721 if (!reply) 5722 goto nomem; 5723 5724 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5725 * the T2-shutdown timer. 5726 */ 5727 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5728 5729 /* and start/restart a T2-shutdown timer of its own, */ 5730 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5731 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5732 5733 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5734 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5735 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5736 5737 /* Enter the SHUTDOWN-ACK-SENT state. */ 5738 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5739 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5740 5741 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5742 * 5743 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5744 * or SHUTDOWN-ACK. 5745 */ 5746 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5747 5748 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5749 5750 return SCTP_DISPOSITION_CONSUME; 5751 5752 nomem: 5753 return SCTP_DISPOSITION_NOMEM; 5754 } 5755 5756 /* 5757 * Ignore the event defined as other 5758 * 5759 * The return value is the disposition of the event. 5760 */ 5761 enum sctp_disposition sctp_sf_ignore_other(struct net *net, 5762 const struct sctp_endpoint *ep, 5763 const struct sctp_association *asoc, 5764 const union sctp_subtype type, 5765 void *arg, 5766 struct sctp_cmd_seq *commands) 5767 { 5768 pr_debug("%s: the event other type:%d is ignored\n", 5769 __func__, type.other); 5770 5771 return SCTP_DISPOSITION_DISCARD; 5772 } 5773 5774 /************************************************************ 5775 * These are the state functions for handling timeout events. 5776 ************************************************************/ 5777 5778 /* 5779 * RTX Timeout 5780 * 5781 * Section: 6.3.3 Handle T3-rtx Expiration 5782 * 5783 * Whenever the retransmission timer T3-rtx expires for a destination 5784 * address, do the following: 5785 * [See below] 5786 * 5787 * The return value is the disposition of the chunk. 5788 */ 5789 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net, 5790 const struct sctp_endpoint *ep, 5791 const struct sctp_association *asoc, 5792 const union sctp_subtype type, 5793 void *arg, 5794 struct sctp_cmd_seq *commands) 5795 { 5796 struct sctp_transport *transport = arg; 5797 5798 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5799 5800 if (asoc->overall_error_count >= asoc->max_retrans) { 5801 if (asoc->peer.zero_window_announced && 5802 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5803 /* 5804 * We are here likely because the receiver had its rwnd 5805 * closed for a while and we have not been able to 5806 * transmit the locally queued data within the maximum 5807 * retransmission attempts limit. Start the T5 5808 * shutdown guard timer to give the receiver one last 5809 * chance and some additional time to recover before 5810 * aborting. 5811 */ 5812 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5813 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5814 } else { 5815 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5816 SCTP_ERROR(ETIMEDOUT)); 5817 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5818 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5819 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5820 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5821 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5822 return SCTP_DISPOSITION_DELETE_TCB; 5823 } 5824 } 5825 5826 /* E1) For the destination address for which the timer 5827 * expires, adjust its ssthresh with rules defined in Section 5828 * 7.2.3 and set the cwnd <- MTU. 5829 */ 5830 5831 /* E2) For the destination address for which the timer 5832 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5833 * maximum value discussed in rule C7 above (RTO.max) may be 5834 * used to provide an upper bound to this doubling operation. 5835 */ 5836 5837 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5838 * outstanding DATA chunks for the address for which the 5839 * T3-rtx has expired will fit into a single packet, subject 5840 * to the MTU constraint for the path corresponding to the 5841 * destination transport address to which the retransmission 5842 * is being sent (this may be different from the address for 5843 * which the timer expires [see Section 6.4]). Call this 5844 * value K. Bundle and retransmit those K DATA chunks in a 5845 * single packet to the destination endpoint. 5846 * 5847 * Note: Any DATA chunks that were sent to the address for 5848 * which the T3-rtx timer expired but did not fit in one MTU 5849 * (rule E3 above), should be marked for retransmission and 5850 * sent as soon as cwnd allows (normally when a SACK arrives). 5851 */ 5852 5853 /* Do some failure management (Section 8.2). */ 5854 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5855 5856 /* NB: Rules E4 and F1 are implicit in R1. */ 5857 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5858 5859 return SCTP_DISPOSITION_CONSUME; 5860 } 5861 5862 /* 5863 * Generate delayed SACK on timeout 5864 * 5865 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5866 * 5867 * The guidelines on delayed acknowledgement algorithm specified in 5868 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5869 * acknowledgement SHOULD be generated for at least every second packet 5870 * (not every second DATA chunk) received, and SHOULD be generated 5871 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5872 * some situations it may be beneficial for an SCTP transmitter to be 5873 * more conservative than the algorithms detailed in this document 5874 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5875 * the following algorithms allow. 5876 */ 5877 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net, 5878 const struct sctp_endpoint *ep, 5879 const struct sctp_association *asoc, 5880 const union sctp_subtype type, 5881 void *arg, 5882 struct sctp_cmd_seq *commands) 5883 { 5884 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5885 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5886 return SCTP_DISPOSITION_CONSUME; 5887 } 5888 5889 /* 5890 * sctp_sf_t1_init_timer_expire 5891 * 5892 * Section: 4 Note: 2 5893 * Verification Tag: 5894 * Inputs 5895 * (endpoint, asoc) 5896 * 5897 * RFC 2960 Section 4 Notes 5898 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5899 * and re-start the T1-init timer without changing state. This MUST 5900 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5901 * endpoint MUST abort the initialization process and report the 5902 * error to SCTP user. 5903 * 5904 * Outputs 5905 * (timers, events) 5906 * 5907 */ 5908 enum sctp_disposition sctp_sf_t1_init_timer_expire( 5909 struct net *net, 5910 const struct sctp_endpoint *ep, 5911 const struct sctp_association *asoc, 5912 const union sctp_subtype type, 5913 void *arg, 5914 struct sctp_cmd_seq *commands) 5915 { 5916 int attempts = asoc->init_err_counter + 1; 5917 struct sctp_chunk *repl = NULL; 5918 struct sctp_bind_addr *bp; 5919 5920 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5921 5922 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5923 5924 if (attempts <= asoc->max_init_attempts) { 5925 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5926 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5927 if (!repl) 5928 return SCTP_DISPOSITION_NOMEM; 5929 5930 /* Choose transport for INIT. */ 5931 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5932 SCTP_CHUNK(repl)); 5933 5934 /* Issue a sideeffect to do the needed accounting. */ 5935 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5936 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5937 5938 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5939 } else { 5940 pr_debug("%s: giving up on INIT, attempts:%d " 5941 "max_init_attempts:%d\n", __func__, attempts, 5942 asoc->max_init_attempts); 5943 5944 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5945 SCTP_ERROR(ETIMEDOUT)); 5946 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5947 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5948 return SCTP_DISPOSITION_DELETE_TCB; 5949 } 5950 5951 return SCTP_DISPOSITION_CONSUME; 5952 } 5953 5954 /* 5955 * sctp_sf_t1_cookie_timer_expire 5956 * 5957 * Section: 4 Note: 2 5958 * Verification Tag: 5959 * Inputs 5960 * (endpoint, asoc) 5961 * 5962 * RFC 2960 Section 4 Notes 5963 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5964 * COOKIE ECHO and re-start the T1-cookie timer without changing 5965 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5966 * After that, the endpoint MUST abort the initialization process and 5967 * report the error to SCTP user. 5968 * 5969 * Outputs 5970 * (timers, events) 5971 * 5972 */ 5973 enum sctp_disposition sctp_sf_t1_cookie_timer_expire( 5974 struct net *net, 5975 const struct sctp_endpoint *ep, 5976 const struct sctp_association *asoc, 5977 const union sctp_subtype type, 5978 void *arg, 5979 struct sctp_cmd_seq *commands) 5980 { 5981 int attempts = asoc->init_err_counter + 1; 5982 struct sctp_chunk *repl = NULL; 5983 5984 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5985 5986 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5987 5988 if (attempts <= asoc->max_init_attempts) { 5989 repl = sctp_make_cookie_echo(asoc, NULL); 5990 if (!repl) 5991 return SCTP_DISPOSITION_NOMEM; 5992 5993 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5994 SCTP_CHUNK(repl)); 5995 /* Issue a sideeffect to do the needed accounting. */ 5996 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5997 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5998 5999 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 6000 } else { 6001 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6002 SCTP_ERROR(ETIMEDOUT)); 6003 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 6004 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6005 return SCTP_DISPOSITION_DELETE_TCB; 6006 } 6007 6008 return SCTP_DISPOSITION_CONSUME; 6009 } 6010 6011 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 6012 * with the updated last sequential TSN received from its peer. 6013 * 6014 * An endpoint should limit the number of retransmission of the 6015 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 6016 * If this threshold is exceeded the endpoint should destroy the TCB and 6017 * MUST report the peer endpoint unreachable to the upper layer (and 6018 * thus the association enters the CLOSED state). The reception of any 6019 * packet from its peer (i.e. as the peer sends all of its queued DATA 6020 * chunks) should clear the endpoint's retransmission count and restart 6021 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 6022 * all of its queued DATA chunks that have not yet been sent. 6023 */ 6024 enum sctp_disposition sctp_sf_t2_timer_expire( 6025 struct net *net, 6026 const struct sctp_endpoint *ep, 6027 const struct sctp_association *asoc, 6028 const union sctp_subtype type, 6029 void *arg, 6030 struct sctp_cmd_seq *commands) 6031 { 6032 struct sctp_chunk *reply = NULL; 6033 6034 pr_debug("%s: timer T2 expired\n", __func__); 6035 6036 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 6037 6038 ((struct sctp_association *)asoc)->shutdown_retries++; 6039 6040 if (asoc->overall_error_count >= asoc->max_retrans) { 6041 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6042 SCTP_ERROR(ETIMEDOUT)); 6043 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 6044 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6045 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6046 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6047 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6048 return SCTP_DISPOSITION_DELETE_TCB; 6049 } 6050 6051 switch (asoc->state) { 6052 case SCTP_STATE_SHUTDOWN_SENT: 6053 reply = sctp_make_shutdown(asoc, NULL); 6054 break; 6055 6056 case SCTP_STATE_SHUTDOWN_ACK_SENT: 6057 reply = sctp_make_shutdown_ack(asoc, NULL); 6058 break; 6059 6060 default: 6061 BUG(); 6062 break; 6063 } 6064 6065 if (!reply) 6066 goto nomem; 6067 6068 /* Do some failure management (Section 8.2). 6069 * If we remove the transport an SHUTDOWN was last sent to, don't 6070 * do failure management. 6071 */ 6072 if (asoc->shutdown_last_sent_to) 6073 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 6074 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 6075 6076 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 6077 * the T2-shutdown timer. 6078 */ 6079 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 6080 6081 /* Restart the T2-shutdown timer. */ 6082 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 6083 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 6084 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6085 return SCTP_DISPOSITION_CONSUME; 6086 6087 nomem: 6088 return SCTP_DISPOSITION_NOMEM; 6089 } 6090 6091 /* 6092 * ADDIP Section 4.1 ASCONF Chunk Procedures 6093 * If the T4 RTO timer expires the endpoint should do B1 to B5 6094 */ 6095 enum sctp_disposition sctp_sf_t4_timer_expire( 6096 struct net *net, 6097 const struct sctp_endpoint *ep, 6098 const struct sctp_association *asoc, 6099 const union sctp_subtype type, 6100 void *arg, 6101 struct sctp_cmd_seq *commands) 6102 { 6103 struct sctp_chunk *chunk = asoc->addip_last_asconf; 6104 struct sctp_transport *transport = chunk->transport; 6105 6106 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 6107 6108 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 6109 * detection on the appropriate destination address as defined in 6110 * RFC2960 [5] section 8.1 and 8.2. 6111 */ 6112 if (transport) 6113 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 6114 SCTP_TRANSPORT(transport)); 6115 6116 /* Reconfig T4 timer and transport. */ 6117 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 6118 6119 /* ADDIP 4.1 B2) Increment the association error counters and perform 6120 * endpoint failure detection on the association as defined in 6121 * RFC2960 [5] section 8.1 and 8.2. 6122 * association error counter is incremented in SCTP_CMD_STRIKE. 6123 */ 6124 if (asoc->overall_error_count >= asoc->max_retrans) { 6125 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 6126 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6127 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6128 SCTP_ERROR(ETIMEDOUT)); 6129 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6130 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6131 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6132 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6133 return SCTP_DISPOSITION_ABORT; 6134 } 6135 6136 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 6137 * the ASCONF chunk was sent by doubling the RTO timer value. 6138 * This is done in SCTP_CMD_STRIKE. 6139 */ 6140 6141 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 6142 * choose an alternate destination address (please refer to RFC2960 6143 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 6144 * chunk, it MUST be the same (including its serial number) as the last 6145 * ASCONF sent. 6146 */ 6147 sctp_chunk_hold(asoc->addip_last_asconf); 6148 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6149 SCTP_CHUNK(asoc->addip_last_asconf)); 6150 6151 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 6152 * destination is selected, then the RTO used will be that of the new 6153 * destination address. 6154 */ 6155 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 6156 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6157 6158 return SCTP_DISPOSITION_CONSUME; 6159 } 6160 6161 /* sctpimpguide-05 Section 2.12.2 6162 * The sender of the SHUTDOWN MAY also start an overall guard timer 6163 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 6164 * At the expiration of this timer the sender SHOULD abort the association 6165 * by sending an ABORT chunk. 6166 */ 6167 enum sctp_disposition sctp_sf_t5_timer_expire( 6168 struct net *net, 6169 const struct sctp_endpoint *ep, 6170 const struct sctp_association *asoc, 6171 const union sctp_subtype type, 6172 void *arg, 6173 struct sctp_cmd_seq *commands) 6174 { 6175 struct sctp_chunk *reply = NULL; 6176 6177 pr_debug("%s: timer T5 expired\n", __func__); 6178 6179 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 6180 6181 reply = sctp_make_abort(asoc, NULL, 0); 6182 if (!reply) 6183 goto nomem; 6184 6185 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6186 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6187 SCTP_ERROR(ETIMEDOUT)); 6188 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6189 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6190 6191 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6192 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6193 6194 return SCTP_DISPOSITION_DELETE_TCB; 6195 nomem: 6196 return SCTP_DISPOSITION_NOMEM; 6197 } 6198 6199 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 6200 * the association is automatically closed by starting the shutdown process. 6201 * The work that needs to be done is same as when SHUTDOWN is initiated by 6202 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 6203 */ 6204 enum sctp_disposition sctp_sf_autoclose_timer_expire( 6205 struct net *net, 6206 const struct sctp_endpoint *ep, 6207 const struct sctp_association *asoc, 6208 const union sctp_subtype type, 6209 void *arg, 6210 struct sctp_cmd_seq *commands) 6211 { 6212 enum sctp_disposition disposition; 6213 6214 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 6215 6216 /* From 9.2 Shutdown of an Association 6217 * Upon receipt of the SHUTDOWN primitive from its upper 6218 * layer, the endpoint enters SHUTDOWN-PENDING state and 6219 * remains there until all outstanding data has been 6220 * acknowledged by its peer. The endpoint accepts no new data 6221 * from its upper layer, but retransmits data to the far end 6222 * if necessary to fill gaps. 6223 */ 6224 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 6225 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 6226 6227 disposition = SCTP_DISPOSITION_CONSUME; 6228 if (sctp_outq_is_empty(&asoc->outqueue)) { 6229 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 6230 NULL, commands); 6231 } 6232 6233 return disposition; 6234 } 6235 6236 /***************************************************************************** 6237 * These are sa state functions which could apply to all types of events. 6238 ****************************************************************************/ 6239 6240 /* 6241 * This table entry is not implemented. 6242 * 6243 * Inputs 6244 * (endpoint, asoc, chunk) 6245 * 6246 * The return value is the disposition of the chunk. 6247 */ 6248 enum sctp_disposition sctp_sf_not_impl(struct net *net, 6249 const struct sctp_endpoint *ep, 6250 const struct sctp_association *asoc, 6251 const union sctp_subtype type, 6252 void *arg, struct sctp_cmd_seq *commands) 6253 { 6254 return SCTP_DISPOSITION_NOT_IMPL; 6255 } 6256 6257 /* 6258 * This table entry represents a bug. 6259 * 6260 * Inputs 6261 * (endpoint, asoc, chunk) 6262 * 6263 * The return value is the disposition of the chunk. 6264 */ 6265 enum sctp_disposition sctp_sf_bug(struct net *net, 6266 const struct sctp_endpoint *ep, 6267 const struct sctp_association *asoc, 6268 const union sctp_subtype type, 6269 void *arg, struct sctp_cmd_seq *commands) 6270 { 6271 return SCTP_DISPOSITION_BUG; 6272 } 6273 6274 /* 6275 * This table entry represents the firing of a timer in the wrong state. 6276 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 6277 * when the association is in the wrong state. This event should 6278 * be ignored, so as to prevent any rearming of the timer. 6279 * 6280 * Inputs 6281 * (endpoint, asoc, chunk) 6282 * 6283 * The return value is the disposition of the chunk. 6284 */ 6285 enum sctp_disposition sctp_sf_timer_ignore(struct net *net, 6286 const struct sctp_endpoint *ep, 6287 const struct sctp_association *asoc, 6288 const union sctp_subtype type, 6289 void *arg, 6290 struct sctp_cmd_seq *commands) 6291 { 6292 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 6293 6294 return SCTP_DISPOSITION_CONSUME; 6295 } 6296 6297 /******************************************************************** 6298 * 2nd Level Abstractions 6299 ********************************************************************/ 6300 6301 /* Pull the SACK chunk based on the SACK header. */ 6302 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 6303 { 6304 struct sctp_sackhdr *sack; 6305 __u16 num_dup_tsns; 6306 unsigned int len; 6307 __u16 num_blocks; 6308 6309 /* Protect ourselves from reading too far into 6310 * the skb from a bogus sender. 6311 */ 6312 sack = (struct sctp_sackhdr *) chunk->skb->data; 6313 6314 num_blocks = ntohs(sack->num_gap_ack_blocks); 6315 num_dup_tsns = ntohs(sack->num_dup_tsns); 6316 len = sizeof(struct sctp_sackhdr); 6317 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 6318 if (len > chunk->skb->len) 6319 return NULL; 6320 6321 skb_pull(chunk->skb, len); 6322 6323 return sack; 6324 } 6325 6326 /* Create an ABORT packet to be sent as a response, with the specified 6327 * error causes. 6328 */ 6329 static struct sctp_packet *sctp_abort_pkt_new( 6330 struct net *net, 6331 const struct sctp_endpoint *ep, 6332 const struct sctp_association *asoc, 6333 struct sctp_chunk *chunk, 6334 const void *payload, size_t paylen) 6335 { 6336 struct sctp_packet *packet; 6337 struct sctp_chunk *abort; 6338 6339 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6340 6341 if (packet) { 6342 /* Make an ABORT. 6343 * The T bit will be set if the asoc is NULL. 6344 */ 6345 abort = sctp_make_abort(asoc, chunk, paylen); 6346 if (!abort) { 6347 sctp_ootb_pkt_free(packet); 6348 return NULL; 6349 } 6350 6351 /* Reflect vtag if T-Bit is set */ 6352 if (sctp_test_T_bit(abort)) 6353 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 6354 6355 /* Add specified error causes, i.e., payload, to the 6356 * end of the chunk. 6357 */ 6358 sctp_addto_chunk(abort, paylen, payload); 6359 6360 /* Set the skb to the belonging sock for accounting. */ 6361 abort->skb->sk = ep->base.sk; 6362 6363 sctp_packet_append_chunk(packet, abort); 6364 6365 } 6366 6367 return packet; 6368 } 6369 6370 /* Allocate a packet for responding in the OOTB conditions. */ 6371 static struct sctp_packet *sctp_ootb_pkt_new( 6372 struct net *net, 6373 const struct sctp_association *asoc, 6374 const struct sctp_chunk *chunk) 6375 { 6376 struct sctp_transport *transport; 6377 struct sctp_packet *packet; 6378 __u16 sport, dport; 6379 __u32 vtag; 6380 6381 /* Get the source and destination port from the inbound packet. */ 6382 sport = ntohs(chunk->sctp_hdr->dest); 6383 dport = ntohs(chunk->sctp_hdr->source); 6384 6385 /* The V-tag is going to be the same as the inbound packet if no 6386 * association exists, otherwise, use the peer's vtag. 6387 */ 6388 if (asoc) { 6389 /* Special case the INIT-ACK as there is no peer's vtag 6390 * yet. 6391 */ 6392 switch (chunk->chunk_hdr->type) { 6393 case SCTP_CID_INIT: 6394 case SCTP_CID_INIT_ACK: 6395 { 6396 struct sctp_initack_chunk *initack; 6397 6398 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 6399 vtag = ntohl(initack->init_hdr.init_tag); 6400 break; 6401 } 6402 default: 6403 vtag = asoc->peer.i.init_tag; 6404 break; 6405 } 6406 } else { 6407 /* Special case the INIT and stale COOKIE_ECHO as there is no 6408 * vtag yet. 6409 */ 6410 switch (chunk->chunk_hdr->type) { 6411 case SCTP_CID_INIT: 6412 { 6413 struct sctp_init_chunk *init; 6414 6415 init = (struct sctp_init_chunk *)chunk->chunk_hdr; 6416 vtag = ntohl(init->init_hdr.init_tag); 6417 break; 6418 } 6419 default: 6420 vtag = ntohl(chunk->sctp_hdr->vtag); 6421 break; 6422 } 6423 } 6424 6425 /* Make a transport for the bucket, Eliza... */ 6426 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6427 if (!transport) 6428 goto nomem; 6429 6430 transport->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port; 6431 6432 /* Cache a route for the transport with the chunk's destination as 6433 * the source address. 6434 */ 6435 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6436 sctp_sk(net->sctp.ctl_sock)); 6437 6438 packet = &transport->packet; 6439 sctp_packet_init(packet, transport, sport, dport); 6440 sctp_packet_config(packet, vtag, 0); 6441 6442 return packet; 6443 6444 nomem: 6445 return NULL; 6446 } 6447 6448 /* Free the packet allocated earlier for responding in the OOTB condition. */ 6449 void sctp_ootb_pkt_free(struct sctp_packet *packet) 6450 { 6451 sctp_transport_free(packet->transport); 6452 } 6453 6454 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6455 static void sctp_send_stale_cookie_err(struct net *net, 6456 const struct sctp_endpoint *ep, 6457 const struct sctp_association *asoc, 6458 const struct sctp_chunk *chunk, 6459 struct sctp_cmd_seq *commands, 6460 struct sctp_chunk *err_chunk) 6461 { 6462 struct sctp_packet *packet; 6463 6464 if (err_chunk) { 6465 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6466 if (packet) { 6467 struct sctp_signed_cookie *cookie; 6468 6469 /* Override the OOTB vtag from the cookie. */ 6470 cookie = chunk->subh.cookie_hdr; 6471 packet->vtag = cookie->c.peer_vtag; 6472 6473 /* Set the skb to the belonging sock for accounting. */ 6474 err_chunk->skb->sk = ep->base.sk; 6475 sctp_packet_append_chunk(packet, err_chunk); 6476 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6477 SCTP_PACKET(packet)); 6478 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6479 } else 6480 sctp_chunk_free (err_chunk); 6481 } 6482 } 6483 6484 6485 /* Process a data chunk */ 6486 static int sctp_eat_data(const struct sctp_association *asoc, 6487 struct sctp_chunk *chunk, 6488 struct sctp_cmd_seq *commands) 6489 { 6490 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6491 struct sock *sk = asoc->base.sk; 6492 struct net *net = sock_net(sk); 6493 struct sctp_datahdr *data_hdr; 6494 struct sctp_chunk *err; 6495 enum sctp_verb deliver; 6496 size_t datalen; 6497 __u32 tsn; 6498 int tmp; 6499 6500 data_hdr = (struct sctp_datahdr *)chunk->skb->data; 6501 chunk->subh.data_hdr = data_hdr; 6502 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream)); 6503 6504 tsn = ntohl(data_hdr->tsn); 6505 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6506 6507 /* ASSERT: Now skb->data is really the user data. */ 6508 6509 /* Process ECN based congestion. 6510 * 6511 * Since the chunk structure is reused for all chunks within 6512 * a packet, we use ecn_ce_done to track if we've already 6513 * done CE processing for this packet. 6514 * 6515 * We need to do ECN processing even if we plan to discard the 6516 * chunk later. 6517 */ 6518 6519 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) { 6520 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af; 6521 chunk->ecn_ce_done = 1; 6522 6523 if (af->is_ce(sctp_gso_headskb(chunk->skb))) { 6524 /* Do real work as side effect. */ 6525 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6526 SCTP_U32(tsn)); 6527 } 6528 } 6529 6530 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6531 if (tmp < 0) { 6532 /* The TSN is too high--silently discard the chunk and 6533 * count on it getting retransmitted later. 6534 */ 6535 if (chunk->asoc) 6536 chunk->asoc->stats.outofseqtsns++; 6537 return SCTP_IERROR_HIGH_TSN; 6538 } else if (tmp > 0) { 6539 /* This is a duplicate. Record it. */ 6540 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6541 return SCTP_IERROR_DUP_TSN; 6542 } 6543 6544 /* This is a new TSN. */ 6545 6546 /* Discard if there is no room in the receive window. 6547 * Actually, allow a little bit of overflow (up to a MTU). 6548 */ 6549 datalen = ntohs(chunk->chunk_hdr->length); 6550 datalen -= sctp_datachk_len(&asoc->stream); 6551 6552 deliver = SCTP_CMD_CHUNK_ULP; 6553 6554 /* Think about partial delivery. */ 6555 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6556 6557 /* Even if we don't accept this chunk there is 6558 * memory pressure. 6559 */ 6560 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6561 } 6562 6563 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6564 * seems a bit troublesome in that frag_point varies based on 6565 * PMTU. In cases, such as loopback, this might be a rather 6566 * large spill over. 6567 */ 6568 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6569 (datalen > asoc->rwnd + asoc->frag_point))) { 6570 6571 /* If this is the next TSN, consider reneging to make 6572 * room. Note: Playing nice with a confused sender. A 6573 * malicious sender can still eat up all our buffer 6574 * space and in the future we may want to detect and 6575 * do more drastic reneging. 6576 */ 6577 if (sctp_tsnmap_has_gap(map) && 6578 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6579 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6580 deliver = SCTP_CMD_RENEGE; 6581 } else { 6582 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6583 __func__, tsn, datalen, asoc->rwnd); 6584 6585 return SCTP_IERROR_IGNORE_TSN; 6586 } 6587 } 6588 6589 /* 6590 * Also try to renege to limit our memory usage in the event that 6591 * we are under memory pressure 6592 * If we can't renege, don't worry about it, the sk_rmem_schedule 6593 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6594 * memory usage too much 6595 */ 6596 if (sk_under_memory_pressure(sk)) { 6597 if (sctp_tsnmap_has_gap(map) && 6598 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6599 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6600 __func__, tsn); 6601 deliver = SCTP_CMD_RENEGE; 6602 } 6603 } 6604 6605 /* 6606 * Section 3.3.10.9 No User Data (9) 6607 * 6608 * Cause of error 6609 * --------------- 6610 * No User Data: This error cause is returned to the originator of a 6611 * DATA chunk if a received DATA chunk has no user data. 6612 */ 6613 if (unlikely(0 == datalen)) { 6614 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6615 if (err) { 6616 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6617 SCTP_CHUNK(err)); 6618 } 6619 /* We are going to ABORT, so we might as well stop 6620 * processing the rest of the chunks in the packet. 6621 */ 6622 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6623 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6624 SCTP_ERROR(ECONNABORTED)); 6625 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6626 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6627 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6628 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6629 return SCTP_IERROR_NO_DATA; 6630 } 6631 6632 chunk->data_accepted = 1; 6633 6634 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6635 * if we renege and the chunk arrives again. 6636 */ 6637 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6638 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6639 if (chunk->asoc) 6640 chunk->asoc->stats.iuodchunks++; 6641 } else { 6642 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6643 if (chunk->asoc) 6644 chunk->asoc->stats.iodchunks++; 6645 } 6646 6647 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6648 * 6649 * If an endpoint receive a DATA chunk with an invalid stream 6650 * identifier, it shall acknowledge the reception of the DATA chunk 6651 * following the normal procedure, immediately send an ERROR chunk 6652 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6653 * and discard the DATA chunk. 6654 */ 6655 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) { 6656 /* Mark tsn as received even though we drop it */ 6657 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6658 6659 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6660 &data_hdr->stream, 6661 sizeof(data_hdr->stream), 6662 sizeof(u16)); 6663 if (err) 6664 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6665 SCTP_CHUNK(err)); 6666 return SCTP_IERROR_BAD_STREAM; 6667 } 6668 6669 /* Check to see if the SSN is possible for this TSN. 6670 * The biggest gap we can record is 4K wide. Since SSNs wrap 6671 * at an unsigned short, there is no way that an SSN can 6672 * wrap and for a valid TSN. We can simply check if the current 6673 * SSN is smaller then the next expected one. If it is, it wrapped 6674 * and is invalid. 6675 */ 6676 if (!asoc->stream.si->validate_data(chunk)) 6677 return SCTP_IERROR_PROTO_VIOLATION; 6678 6679 /* Send the data up to the user. Note: Schedule the 6680 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6681 * chunk needs the updated rwnd. 6682 */ 6683 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6684 6685 return SCTP_IERROR_NO_ERROR; 6686 } 6687