xref: /linux/net/sctp/sm_statefuns.c (revision c532de5a67a70f8533d495f8f2aaa9a0491c3ad0)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* SCTP kernel implementation
3  * (C) Copyright IBM Corp. 2001, 2004
4  * Copyright (c) 1999-2000 Cisco, Inc.
5  * Copyright (c) 1999-2001 Motorola, Inc.
6  * Copyright (c) 2001-2002 Intel Corp.
7  * Copyright (c) 2002      Nokia Corp.
8  *
9  * This is part of the SCTP Linux Kernel Implementation.
10  *
11  * These are the state functions for the state machine.
12  *
13  * Please send any bug reports or fixes you make to the
14  * email address(es):
15  *    lksctp developers <linux-sctp@vger.kernel.org>
16  *
17  * Written or modified by:
18  *    La Monte H.P. Yarroll <piggy@acm.org>
19  *    Karl Knutson          <karl@athena.chicago.il.us>
20  *    Mathew Kotowsky       <kotowsky@sctp.org>
21  *    Sridhar Samudrala     <samudrala@us.ibm.com>
22  *    Jon Grimm             <jgrimm@us.ibm.com>
23  *    Hui Huang 	    <hui.huang@nokia.com>
24  *    Dajiang Zhang 	    <dajiang.zhang@nokia.com>
25  *    Daisy Chang	    <daisyc@us.ibm.com>
26  *    Ardelle Fan	    <ardelle.fan@intel.com>
27  *    Ryan Layer	    <rmlayer@us.ibm.com>
28  *    Kevin Gao		    <kevin.gao@intel.com>
29  */
30 
31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
32 
33 #include <linux/types.h>
34 #include <linux/kernel.h>
35 #include <linux/ip.h>
36 #include <linux/ipv6.h>
37 #include <linux/net.h>
38 #include <linux/inet.h>
39 #include <linux/slab.h>
40 #include <net/sock.h>
41 #include <net/proto_memory.h>
42 #include <net/inet_ecn.h>
43 #include <linux/skbuff.h>
44 #include <net/sctp/sctp.h>
45 #include <net/sctp/sm.h>
46 #include <net/sctp/structs.h>
47 
48 #define CREATE_TRACE_POINTS
49 #include <trace/events/sctp.h>
50 
51 static struct sctp_packet *sctp_abort_pkt_new(
52 					struct net *net,
53 					const struct sctp_endpoint *ep,
54 					const struct sctp_association *asoc,
55 					struct sctp_chunk *chunk,
56 					const void *payload, size_t paylen);
57 static int sctp_eat_data(const struct sctp_association *asoc,
58 			 struct sctp_chunk *chunk,
59 			 struct sctp_cmd_seq *commands);
60 static struct sctp_packet *sctp_ootb_pkt_new(
61 					struct net *net,
62 					const struct sctp_association *asoc,
63 					const struct sctp_chunk *chunk);
64 static void sctp_send_stale_cookie_err(struct net *net,
65 				       const struct sctp_endpoint *ep,
66 				       const struct sctp_association *asoc,
67 				       const struct sctp_chunk *chunk,
68 				       struct sctp_cmd_seq *commands,
69 				       struct sctp_chunk *err_chunk);
70 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
71 					struct net *net,
72 					const struct sctp_endpoint *ep,
73 					const struct sctp_association *asoc,
74 					const union sctp_subtype type,
75 					void *arg,
76 					struct sctp_cmd_seq *commands);
77 static enum sctp_disposition sctp_sf_shut_8_4_5(
78 					struct net *net,
79 					const struct sctp_endpoint *ep,
80 					const struct sctp_association *asoc,
81 					const union sctp_subtype type,
82 					void *arg,
83 					struct sctp_cmd_seq *commands);
84 static enum sctp_disposition sctp_sf_tabort_8_4_8(
85 					struct net *net,
86 					const struct sctp_endpoint *ep,
87 					const struct sctp_association *asoc,
88 					const union sctp_subtype type,
89 					void *arg,
90 					struct sctp_cmd_seq *commands);
91 static enum sctp_disposition sctp_sf_new_encap_port(
92 					struct net *net,
93 					const struct sctp_endpoint *ep,
94 					const struct sctp_association *asoc,
95 					const union sctp_subtype type,
96 					void *arg,
97 					struct sctp_cmd_seq *commands);
98 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
99 
100 static enum sctp_disposition sctp_stop_t1_and_abort(
101 					struct net *net,
102 					struct sctp_cmd_seq *commands,
103 					__be16 error, int sk_err,
104 					const struct sctp_association *asoc,
105 					struct sctp_transport *transport);
106 
107 static enum sctp_disposition sctp_sf_abort_violation(
108 					struct net *net,
109 					const struct sctp_endpoint *ep,
110 					const struct sctp_association *asoc,
111 					void *arg,
112 					struct sctp_cmd_seq *commands,
113 					const __u8 *payload,
114 					const size_t paylen);
115 
116 static enum sctp_disposition sctp_sf_violation_chunklen(
117 					struct net *net,
118 					const struct sctp_endpoint *ep,
119 					const struct sctp_association *asoc,
120 					const union sctp_subtype type,
121 					void *arg,
122 					struct sctp_cmd_seq *commands);
123 
124 static enum sctp_disposition sctp_sf_violation_paramlen(
125 					struct net *net,
126 					const struct sctp_endpoint *ep,
127 					const struct sctp_association *asoc,
128 					const union sctp_subtype type,
129 					void *arg, void *ext,
130 					struct sctp_cmd_seq *commands);
131 
132 static enum sctp_disposition sctp_sf_violation_ctsn(
133 					struct net *net,
134 					const struct sctp_endpoint *ep,
135 					const struct sctp_association *asoc,
136 					const union sctp_subtype type,
137 					void *arg,
138 					struct sctp_cmd_seq *commands);
139 
140 static enum sctp_disposition sctp_sf_violation_chunk(
141 					struct net *net,
142 					const struct sctp_endpoint *ep,
143 					const struct sctp_association *asoc,
144 					const union sctp_subtype type,
145 					void *arg,
146 					struct sctp_cmd_seq *commands);
147 
148 static enum sctp_ierror sctp_sf_authenticate(
149 					const struct sctp_association *asoc,
150 					struct sctp_chunk *chunk);
151 
152 static enum sctp_disposition __sctp_sf_do_9_1_abort(
153 					struct net *net,
154 					const struct sctp_endpoint *ep,
155 					const struct sctp_association *asoc,
156 					const union sctp_subtype type,
157 					void *arg,
158 					struct sctp_cmd_seq *commands);
159 
160 static enum sctp_disposition
161 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
162 			   const struct sctp_association *asoc,
163 			   const union sctp_subtype type, void *arg,
164 			   struct sctp_cmd_seq *commands);
165 
166 /* Small helper function that checks if the chunk length
167  * is of the appropriate length.  The 'required_length' argument
168  * is set to be the size of a specific chunk we are testing.
169  * Return Values:  true  = Valid length
170  * 		   false = Invalid length
171  *
172  */
173 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
174 					   __u16 required_length)
175 {
176 	__u16 chunk_length = ntohs(chunk->chunk_hdr->length);
177 
178 	/* Previously already marked? */
179 	if (unlikely(chunk->pdiscard))
180 		return false;
181 	if (unlikely(chunk_length < required_length))
182 		return false;
183 
184 	return true;
185 }
186 
187 /* Check for format error in an ABORT chunk */
188 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
189 {
190 	struct sctp_errhdr *err;
191 
192 	sctp_walk_errors(err, chunk->chunk_hdr);
193 
194 	return (void *)err == (void *)chunk->chunk_end;
195 }
196 
197 /**********************************************************
198  * These are the state functions for handling chunk events.
199  **********************************************************/
200 
201 /*
202  * Process the final SHUTDOWN COMPLETE.
203  *
204  * Section: 4 (C) (diagram), 9.2
205  * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
206  * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
207  * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
208  * should stop the T2-shutdown timer and remove all knowledge of the
209  * association (and thus the association enters the CLOSED state).
210  *
211  * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
212  * C) Rules for packet carrying SHUTDOWN COMPLETE:
213  * ...
214  * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
215  *   if the Verification Tag field of the packet matches its own tag and
216  *   the T bit is not set
217  *   OR
218  *   it is set to its peer's tag and the T bit is set in the Chunk
219  *   Flags.
220  *   Otherwise, the receiver MUST silently discard the packet
221  *   and take no further action.  An endpoint MUST ignore the
222  *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
223  *
224  * Inputs
225  * (endpoint, asoc, chunk)
226  *
227  * Outputs
228  * (asoc, reply_msg, msg_up, timers, counters)
229  *
230  * The return value is the disposition of the chunk.
231  */
232 enum sctp_disposition sctp_sf_do_4_C(struct net *net,
233 				     const struct sctp_endpoint *ep,
234 				     const struct sctp_association *asoc,
235 				     const union sctp_subtype type,
236 				     void *arg, struct sctp_cmd_seq *commands)
237 {
238 	struct sctp_chunk *chunk = arg;
239 	struct sctp_ulpevent *ev;
240 
241 	if (!sctp_vtag_verify_either(chunk, asoc))
242 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
243 
244 	/* RFC 2960 6.10 Bundling
245 	 *
246 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
247 	 * SHUTDOWN COMPLETE with any other chunks.
248 	 */
249 	if (!chunk->singleton)
250 		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
251 
252 	/* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
253 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
254 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
255 						  commands);
256 
257 	/* RFC 2960 10.2 SCTP-to-ULP
258 	 *
259 	 * H) SHUTDOWN COMPLETE notification
260 	 *
261 	 * When SCTP completes the shutdown procedures (section 9.2) this
262 	 * notification is passed to the upper layer.
263 	 */
264 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
265 					     0, 0, 0, NULL, GFP_ATOMIC);
266 	if (ev)
267 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
268 				SCTP_ULPEVENT(ev));
269 
270 	/* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
271 	 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
272 	 * not the chunk should be discarded. If the endpoint is in
273 	 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
274 	 * T2-shutdown timer and remove all knowledge of the
275 	 * association (and thus the association enters the CLOSED
276 	 * state).
277 	 */
278 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
279 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
280 
281 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
282 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
283 
284 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
285 			SCTP_STATE(SCTP_STATE_CLOSED));
286 
287 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
288 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
289 
290 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
291 
292 	return SCTP_DISPOSITION_DELETE_TCB;
293 }
294 
295 /*
296  * Respond to a normal INIT chunk.
297  * We are the side that is being asked for an association.
298  *
299  * Section: 5.1 Normal Establishment of an Association, B
300  * B) "Z" shall respond immediately with an INIT ACK chunk.  The
301  *    destination IP address of the INIT ACK MUST be set to the source
302  *    IP address of the INIT to which this INIT ACK is responding.  In
303  *    the response, besides filling in other parameters, "Z" must set the
304  *    Verification Tag field to Tag_A, and also provide its own
305  *    Verification Tag (Tag_Z) in the Initiate Tag field.
306  *
307  * Verification Tag: Must be 0.
308  *
309  * Inputs
310  * (endpoint, asoc, chunk)
311  *
312  * Outputs
313  * (asoc, reply_msg, msg_up, timers, counters)
314  *
315  * The return value is the disposition of the chunk.
316  */
317 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
318 					   const struct sctp_endpoint *ep,
319 					   const struct sctp_association *asoc,
320 					   const union sctp_subtype type,
321 					   void *arg,
322 					   struct sctp_cmd_seq *commands)
323 {
324 	struct sctp_chunk *chunk = arg, *repl, *err_chunk;
325 	struct sctp_unrecognized_param *unk_param;
326 	struct sctp_association *new_asoc;
327 	struct sctp_packet *packet;
328 	int len;
329 
330 	/* 6.10 Bundling
331 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
332 	 * SHUTDOWN COMPLETE with any other chunks.
333 	 *
334 	 * IG Section 2.11.2
335 	 * Furthermore, we require that the receiver of an INIT chunk MUST
336 	 * enforce these rules by silently discarding an arriving packet
337 	 * with an INIT chunk that is bundled with other chunks.
338 	 */
339 	if (!chunk->singleton)
340 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
341 
342 	/* Make sure that the INIT chunk has a valid length.
343 	 * Normally, this would cause an ABORT with a Protocol Violation
344 	 * error, but since we don't have an association, we'll
345 	 * just discard the packet.
346 	 */
347 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
348 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
349 
350 	/* If the packet is an OOTB packet which is temporarily on the
351 	 * control endpoint, respond with an ABORT.
352 	 */
353 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
354 		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
355 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
356 	}
357 
358 	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
359 	 * Tag.
360 	 */
361 	if (chunk->sctp_hdr->vtag != 0)
362 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
363 
364 	/* If the INIT is coming toward a closing socket, we'll send back
365 	 * and ABORT.  Essentially, this catches the race of INIT being
366 	 * backloged to the socket at the same time as the user issues close().
367 	 * Since the socket and all its associations are going away, we
368 	 * can treat this OOTB
369 	 */
370 	if (sctp_sstate(ep->base.sk, CLOSING))
371 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
372 
373 	/* Verify the INIT chunk before processing it. */
374 	err_chunk = NULL;
375 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
376 			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
377 			      &err_chunk)) {
378 		/* This chunk contains fatal error. It is to be discarded.
379 		 * Send an ABORT, with causes if there is any.
380 		 */
381 		if (err_chunk) {
382 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
383 					(__u8 *)(err_chunk->chunk_hdr) +
384 					sizeof(struct sctp_chunkhdr),
385 					ntohs(err_chunk->chunk_hdr->length) -
386 					sizeof(struct sctp_chunkhdr));
387 
388 			sctp_chunk_free(err_chunk);
389 
390 			if (packet) {
391 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
392 						SCTP_PACKET(packet));
393 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
394 				return SCTP_DISPOSITION_CONSUME;
395 			} else {
396 				return SCTP_DISPOSITION_NOMEM;
397 			}
398 		} else {
399 			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
400 						    commands);
401 		}
402 	}
403 
404 	/* Grab the INIT header.  */
405 	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
406 
407 	/* Tag the variable length parameters.  */
408 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
409 
410 	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
411 	if (!new_asoc)
412 		goto nomem;
413 
414 	/* Update socket peer label if first association. */
415 	if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
416 		sctp_association_free(new_asoc);
417 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
418 	}
419 
420 	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
421 					     sctp_scope(sctp_source(chunk)),
422 					     GFP_ATOMIC) < 0)
423 		goto nomem_init;
424 
425 	/* The call, sctp_process_init(), can fail on memory allocation.  */
426 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
427 			       (struct sctp_init_chunk *)chunk->chunk_hdr,
428 			       GFP_ATOMIC))
429 		goto nomem_init;
430 
431 	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
432 
433 	/* If there are errors need to be reported for unknown parameters,
434 	 * make sure to reserve enough room in the INIT ACK for them.
435 	 */
436 	len = 0;
437 	if (err_chunk)
438 		len = ntohs(err_chunk->chunk_hdr->length) -
439 		      sizeof(struct sctp_chunkhdr);
440 
441 	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
442 	if (!repl)
443 		goto nomem_init;
444 
445 	/* If there are errors need to be reported for unknown parameters,
446 	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
447 	 * parameter.
448 	 */
449 	if (err_chunk) {
450 		/* Get the "Unrecognized parameter" parameter(s) out of the
451 		 * ERROR chunk generated by sctp_verify_init(). Since the
452 		 * error cause code for "unknown parameter" and the
453 		 * "Unrecognized parameter" type is the same, we can
454 		 * construct the parameters in INIT ACK by copying the
455 		 * ERROR causes over.
456 		 */
457 		unk_param = (struct sctp_unrecognized_param *)
458 			    ((__u8 *)(err_chunk->chunk_hdr) +
459 			    sizeof(struct sctp_chunkhdr));
460 		/* Replace the cause code with the "Unrecognized parameter"
461 		 * parameter type.
462 		 */
463 		sctp_addto_chunk(repl, len, unk_param);
464 		sctp_chunk_free(err_chunk);
465 	}
466 
467 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
468 
469 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
470 
471 	/*
472 	 * Note:  After sending out INIT ACK with the State Cookie parameter,
473 	 * "Z" MUST NOT allocate any resources, nor keep any states for the
474 	 * new association.  Otherwise, "Z" will be vulnerable to resource
475 	 * attacks.
476 	 */
477 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
478 
479 	return SCTP_DISPOSITION_DELETE_TCB;
480 
481 nomem_init:
482 	sctp_association_free(new_asoc);
483 nomem:
484 	if (err_chunk)
485 		sctp_chunk_free(err_chunk);
486 	return SCTP_DISPOSITION_NOMEM;
487 }
488 
489 /*
490  * Respond to a normal INIT ACK chunk.
491  * We are the side that is initiating the association.
492  *
493  * Section: 5.1 Normal Establishment of an Association, C
494  * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
495  *    timer and leave COOKIE-WAIT state. "A" shall then send the State
496  *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
497  *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
498  *
499  *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
500  *    DATA chunks, but it MUST be the first chunk in the packet and
501  *    until the COOKIE ACK is returned the sender MUST NOT send any
502  *    other packets to the peer.
503  *
504  * Verification Tag: 3.3.3
505  *   If the value of the Initiate Tag in a received INIT ACK chunk is
506  *   found to be 0, the receiver MUST treat it as an error and close the
507  *   association by transmitting an ABORT.
508  *
509  * Inputs
510  * (endpoint, asoc, chunk)
511  *
512  * Outputs
513  * (asoc, reply_msg, msg_up, timers, counters)
514  *
515  * The return value is the disposition of the chunk.
516  */
517 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
518 					  const struct sctp_endpoint *ep,
519 					  const struct sctp_association *asoc,
520 					  const union sctp_subtype type,
521 					  void *arg,
522 					  struct sctp_cmd_seq *commands)
523 {
524 	struct sctp_init_chunk *initchunk;
525 	struct sctp_chunk *chunk = arg;
526 	struct sctp_chunk *err_chunk;
527 	struct sctp_packet *packet;
528 
529 	if (!sctp_vtag_verify(chunk, asoc))
530 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
531 
532 	/* 6.10 Bundling
533 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
534 	 * SHUTDOWN COMPLETE with any other chunks.
535 	 */
536 	if (!chunk->singleton)
537 		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
538 
539 	/* Make sure that the INIT-ACK chunk has a valid length */
540 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
541 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
542 						  commands);
543 	/* Grab the INIT header.  */
544 	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
545 
546 	/* Verify the INIT chunk before processing it. */
547 	err_chunk = NULL;
548 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
549 			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
550 			      &err_chunk)) {
551 
552 		enum sctp_error error = SCTP_ERROR_NO_RESOURCE;
553 
554 		/* This chunk contains fatal error. It is to be discarded.
555 		 * Send an ABORT, with causes.  If there are no causes,
556 		 * then there wasn't enough memory.  Just terminate
557 		 * the association.
558 		 */
559 		if (err_chunk) {
560 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
561 					(__u8 *)(err_chunk->chunk_hdr) +
562 					sizeof(struct sctp_chunkhdr),
563 					ntohs(err_chunk->chunk_hdr->length) -
564 					sizeof(struct sctp_chunkhdr));
565 
566 			sctp_chunk_free(err_chunk);
567 
568 			if (packet) {
569 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
570 						SCTP_PACKET(packet));
571 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
572 				error = SCTP_ERROR_INV_PARAM;
573 			}
574 		}
575 
576 		/* SCTP-AUTH, Section 6.3:
577 		 *    It should be noted that if the receiver wants to tear
578 		 *    down an association in an authenticated way only, the
579 		 *    handling of malformed packets should not result in
580 		 *    tearing down the association.
581 		 *
582 		 * This means that if we only want to abort associations
583 		 * in an authenticated way (i.e AUTH+ABORT), then we
584 		 * can't destroy this association just because the packet
585 		 * was malformed.
586 		 */
587 		if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
588 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
589 
590 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
591 		return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
592 						asoc, chunk->transport);
593 	}
594 
595 	/* Tag the variable length parameters.  Note that we never
596 	 * convert the parameters in an INIT chunk.
597 	 */
598 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
599 
600 	initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;
601 
602 	sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
603 			SCTP_PEER_INIT(initchunk));
604 
605 	/* Reset init error count upon receipt of INIT-ACK.  */
606 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
607 
608 	/* 5.1 C) "A" shall stop the T1-init timer and leave
609 	 * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
610 	 * timer, and enter the COOKIE-ECHOED state.
611 	 */
612 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
613 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
614 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
615 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
616 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
617 			SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
618 
619 	/* SCTP-AUTH: generate the association shared keys so that
620 	 * we can potentially sign the COOKIE-ECHO.
621 	 */
622 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
623 
624 	/* 5.1 C) "A" shall then send the State Cookie received in the
625 	 * INIT ACK chunk in a COOKIE ECHO chunk, ...
626 	 */
627 	/* If there is any errors to report, send the ERROR chunk generated
628 	 * for unknown parameters as well.
629 	 */
630 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
631 			SCTP_CHUNK(err_chunk));
632 
633 	return SCTP_DISPOSITION_CONSUME;
634 }
635 
636 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
637 				   const struct sctp_association *asoc)
638 {
639 	struct sctp_chunk auth;
640 
641 	if (!chunk->auth_chunk)
642 		return true;
643 
644 	/* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
645 	 * is supposed to be authenticated and we have to do delayed
646 	 * authentication.  We've just recreated the association using
647 	 * the information in the cookie and now it's much easier to
648 	 * do the authentication.
649 	 */
650 
651 	/* Make sure that we and the peer are AUTH capable */
652 	if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
653 		return false;
654 
655 	/* set-up our fake chunk so that we can process it */
656 	auth.skb = chunk->auth_chunk;
657 	auth.asoc = chunk->asoc;
658 	auth.sctp_hdr = chunk->sctp_hdr;
659 	auth.chunk_hdr = (struct sctp_chunkhdr *)
660 				skb_push(chunk->auth_chunk,
661 					 sizeof(struct sctp_chunkhdr));
662 	skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
663 	auth.transport = chunk->transport;
664 
665 	return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
666 }
667 
668 /*
669  * Respond to a normal COOKIE ECHO chunk.
670  * We are the side that is being asked for an association.
671  *
672  * Section: 5.1 Normal Establishment of an Association, D
673  * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
674  *    with a COOKIE ACK chunk after building a TCB and moving to
675  *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
676  *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
677  *    chunk MUST be the first chunk in the packet.
678  *
679  *   IMPLEMENTATION NOTE: An implementation may choose to send the
680  *   Communication Up notification to the SCTP user upon reception
681  *   of a valid COOKIE ECHO chunk.
682  *
683  * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
684  * D) Rules for packet carrying a COOKIE ECHO
685  *
686  * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
687  *   Initial Tag received in the INIT ACK.
688  *
689  * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
690  *
691  * Inputs
692  * (endpoint, asoc, chunk)
693  *
694  * Outputs
695  * (asoc, reply_msg, msg_up, timers, counters)
696  *
697  * The return value is the disposition of the chunk.
698  */
699 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
700 					 const struct sctp_endpoint *ep,
701 					 const struct sctp_association *asoc,
702 					 const union sctp_subtype type,
703 					 void *arg,
704 					 struct sctp_cmd_seq *commands)
705 {
706 	struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
707 	struct sctp_association *new_asoc;
708 	struct sctp_init_chunk *peer_init;
709 	struct sctp_chunk *chunk = arg;
710 	struct sctp_chunk *err_chk_p;
711 	struct sctp_chunk *repl;
712 	struct sock *sk;
713 	int error = 0;
714 
715 	if (asoc && !sctp_vtag_verify(chunk, asoc))
716 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
717 
718 	/* If the packet is an OOTB packet which is temporarily on the
719 	 * control endpoint, respond with an ABORT.
720 	 */
721 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
722 		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
723 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
724 	}
725 
726 	/* Make sure that the COOKIE_ECHO chunk has a valid length.
727 	 * In this case, we check that we have enough for at least a
728 	 * chunk header.  More detailed verification is done
729 	 * in sctp_unpack_cookie().
730 	 */
731 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
732 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
733 						  commands);
734 
735 	/* If the endpoint is not listening or if the number of associations
736 	 * on the TCP-style socket exceed the max backlog, respond with an
737 	 * ABORT.
738 	 */
739 	sk = ep->base.sk;
740 	if (!sctp_sstate(sk, LISTENING) ||
741 	    (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
742 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
743 
744 	/* "Decode" the chunk.  We have no optional parameters so we
745 	 * are in good shape.
746 	 */
747 	chunk->subh.cookie_hdr =
748 		(struct sctp_signed_cookie *)chunk->skb->data;
749 	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
750 					 sizeof(struct sctp_chunkhdr)))
751 		goto nomem;
752 
753 	/* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
754 	 * "Z" will reply with a COOKIE ACK chunk after building a TCB
755 	 * and moving to the ESTABLISHED state.
756 	 */
757 	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
758 				      &err_chk_p);
759 
760 	/* FIXME:
761 	 * If the re-build failed, what is the proper error path
762 	 * from here?
763 	 *
764 	 * [We should abort the association. --piggy]
765 	 */
766 	if (!new_asoc) {
767 		/* FIXME: Several errors are possible.  A bad cookie should
768 		 * be silently discarded, but think about logging it too.
769 		 */
770 		switch (error) {
771 		case -SCTP_IERROR_NOMEM:
772 			goto nomem;
773 
774 		case -SCTP_IERROR_STALE_COOKIE:
775 			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
776 						   err_chk_p);
777 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
778 
779 		case -SCTP_IERROR_BAD_SIG:
780 		default:
781 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
782 		}
783 	}
784 
785 	if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) {
786 		sctp_association_free(new_asoc);
787 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
788 	}
789 
790 	/* Delay state machine commands until later.
791 	 *
792 	 * Re-build the bind address for the association is done in
793 	 * the sctp_unpack_cookie() already.
794 	 */
795 	/* This is a brand-new association, so these are not yet side
796 	 * effects--it is safe to run them here.
797 	 */
798 	peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1);
799 	if (!sctp_process_init(new_asoc, chunk,
800 			       &chunk->subh.cookie_hdr->c.peer_addr,
801 			       peer_init, GFP_ATOMIC))
802 		goto nomem_init;
803 
804 	/* SCTP-AUTH:  Now that we've populate required fields in
805 	 * sctp_process_init, set up the association shared keys as
806 	 * necessary so that we can potentially authenticate the ACK
807 	 */
808 	error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
809 	if (error)
810 		goto nomem_init;
811 
812 	if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
813 		sctp_association_free(new_asoc);
814 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
815 	}
816 
817 	repl = sctp_make_cookie_ack(new_asoc, chunk);
818 	if (!repl)
819 		goto nomem_init;
820 
821 	/* RFC 2960 5.1 Normal Establishment of an Association
822 	 *
823 	 * D) IMPLEMENTATION NOTE: An implementation may choose to
824 	 * send the Communication Up notification to the SCTP user
825 	 * upon reception of a valid COOKIE ECHO chunk.
826 	 */
827 	ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
828 					     new_asoc->c.sinit_num_ostreams,
829 					     new_asoc->c.sinit_max_instreams,
830 					     NULL, GFP_ATOMIC);
831 	if (!ev)
832 		goto nomem_ev;
833 
834 	/* Sockets API Draft Section 5.3.1.6
835 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
836 	 * delivers this notification to inform the application that of the
837 	 * peers requested adaptation layer.
838 	 */
839 	if (new_asoc->peer.adaptation_ind) {
840 		ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
841 							    GFP_ATOMIC);
842 		if (!ai_ev)
843 			goto nomem_aiev;
844 	}
845 
846 	if (!new_asoc->peer.auth_capable) {
847 		auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
848 						     SCTP_AUTH_NO_AUTH,
849 						     GFP_ATOMIC);
850 		if (!auth_ev)
851 			goto nomem_authev;
852 	}
853 
854 	/* Add all the state machine commands now since we've created
855 	 * everything.  This way we don't introduce memory corruptions
856 	 * during side-effect processing and correctly count established
857 	 * associations.
858 	 */
859 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
860 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
861 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
862 	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
863 	SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
864 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
865 
866 	if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
867 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
868 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
869 
870 	/* This will send the COOKIE ACK */
871 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
872 
873 	/* Queue the ASSOC_CHANGE event */
874 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
875 
876 	/* Send up the Adaptation Layer Indication event */
877 	if (ai_ev)
878 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
879 				SCTP_ULPEVENT(ai_ev));
880 
881 	if (auth_ev)
882 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
883 				SCTP_ULPEVENT(auth_ev));
884 
885 	return SCTP_DISPOSITION_CONSUME;
886 
887 nomem_authev:
888 	sctp_ulpevent_free(ai_ev);
889 nomem_aiev:
890 	sctp_ulpevent_free(ev);
891 nomem_ev:
892 	sctp_chunk_free(repl);
893 nomem_init:
894 	sctp_association_free(new_asoc);
895 nomem:
896 	return SCTP_DISPOSITION_NOMEM;
897 }
898 
899 /*
900  * Respond to a normal COOKIE ACK chunk.
901  * We are the side that is asking for an association.
902  *
903  * RFC 2960 5.1 Normal Establishment of an Association
904  *
905  * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
906  *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
907  *    timer. It may also notify its ULP about the successful
908  *    establishment of the association with a Communication Up
909  *    notification (see Section 10).
910  *
911  * Verification Tag:
912  * Inputs
913  * (endpoint, asoc, chunk)
914  *
915  * Outputs
916  * (asoc, reply_msg, msg_up, timers, counters)
917  *
918  * The return value is the disposition of the chunk.
919  */
920 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
921 					 const struct sctp_endpoint *ep,
922 					 const struct sctp_association *asoc,
923 					 const union sctp_subtype type,
924 					 void *arg,
925 					 struct sctp_cmd_seq *commands)
926 {
927 	struct sctp_chunk *chunk = arg;
928 	struct sctp_ulpevent *ev;
929 
930 	if (!sctp_vtag_verify(chunk, asoc))
931 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
932 
933 	/* Set peer label for connection. */
934 	if (security_sctp_assoc_established((struct sctp_association *)asoc,
935 					    chunk->head_skb ?: chunk->skb))
936 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
937 
938 	/* Verify that the chunk length for the COOKIE-ACK is OK.
939 	 * If we don't do this, any bundled chunks may be junked.
940 	 */
941 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
942 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
943 						  commands);
944 
945 	/* Reset init error count upon receipt of COOKIE-ACK,
946 	 * to avoid problems with the management of this
947 	 * counter in stale cookie situations when a transition back
948 	 * from the COOKIE-ECHOED state to the COOKIE-WAIT
949 	 * state is performed.
950 	 */
951 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
952 
953 	/* RFC 2960 5.1 Normal Establishment of an Association
954 	 *
955 	 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
956 	 * from the COOKIE-ECHOED state to the ESTABLISHED state,
957 	 * stopping the T1-cookie timer.
958 	 */
959 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
960 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
961 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
962 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
963 	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
964 	SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
965 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
966 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
967 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
968 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
969 
970 	/* It may also notify its ULP about the successful
971 	 * establishment of the association with a Communication Up
972 	 * notification (see Section 10).
973 	 */
974 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
975 					     0, asoc->c.sinit_num_ostreams,
976 					     asoc->c.sinit_max_instreams,
977 					     NULL, GFP_ATOMIC);
978 
979 	if (!ev)
980 		goto nomem;
981 
982 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
983 
984 	/* Sockets API Draft Section 5.3.1.6
985 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
986 	 * delivers this notification to inform the application that of the
987 	 * peers requested adaptation layer.
988 	 */
989 	if (asoc->peer.adaptation_ind) {
990 		ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
991 		if (!ev)
992 			goto nomem;
993 
994 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
995 				SCTP_ULPEVENT(ev));
996 	}
997 
998 	if (!asoc->peer.auth_capable) {
999 		ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
1000 						GFP_ATOMIC);
1001 		if (!ev)
1002 			goto nomem;
1003 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1004 				SCTP_ULPEVENT(ev));
1005 	}
1006 
1007 	return SCTP_DISPOSITION_CONSUME;
1008 nomem:
1009 	return SCTP_DISPOSITION_NOMEM;
1010 }
1011 
1012 /* Generate and sendout a heartbeat packet.  */
1013 static enum sctp_disposition sctp_sf_heartbeat(
1014 					const struct sctp_endpoint *ep,
1015 					const struct sctp_association *asoc,
1016 					const union sctp_subtype type,
1017 					void *arg,
1018 					struct sctp_cmd_seq *commands)
1019 {
1020 	struct sctp_transport *transport = (struct sctp_transport *) arg;
1021 	struct sctp_chunk *reply;
1022 
1023 	/* Send a heartbeat to our peer.  */
1024 	reply = sctp_make_heartbeat(asoc, transport, 0);
1025 	if (!reply)
1026 		return SCTP_DISPOSITION_NOMEM;
1027 
1028 	/* Set rto_pending indicating that an RTT measurement
1029 	 * is started with this heartbeat chunk.
1030 	 */
1031 	sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
1032 			SCTP_TRANSPORT(transport));
1033 
1034 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1035 	return SCTP_DISPOSITION_CONSUME;
1036 }
1037 
1038 /* Generate a HEARTBEAT packet on the given transport.  */
1039 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
1040 					   const struct sctp_endpoint *ep,
1041 					   const struct sctp_association *asoc,
1042 					   const union sctp_subtype type,
1043 					   void *arg,
1044 					   struct sctp_cmd_seq *commands)
1045 {
1046 	struct sctp_transport *transport = (struct sctp_transport *) arg;
1047 
1048 	if (asoc->overall_error_count >= asoc->max_retrans) {
1049 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1050 				SCTP_ERROR(ETIMEDOUT));
1051 		/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1052 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1053 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
1054 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1055 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1056 		return SCTP_DISPOSITION_DELETE_TCB;
1057 	}
1058 
1059 	/* Section 3.3.5.
1060 	 * The Sender-specific Heartbeat Info field should normally include
1061 	 * information about the sender's current time when this HEARTBEAT
1062 	 * chunk is sent and the destination transport address to which this
1063 	 * HEARTBEAT is sent (see Section 8.3).
1064 	 */
1065 
1066 	if (transport->param_flags & SPP_HB_ENABLE) {
1067 		if (SCTP_DISPOSITION_NOMEM ==
1068 				sctp_sf_heartbeat(ep, asoc, type, arg,
1069 						  commands))
1070 			return SCTP_DISPOSITION_NOMEM;
1071 
1072 		/* Set transport error counter and association error counter
1073 		 * when sending heartbeat.
1074 		 */
1075 		sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1076 				SCTP_TRANSPORT(transport));
1077 	}
1078 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1079 			SCTP_TRANSPORT(transport));
1080 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1081 			SCTP_TRANSPORT(transport));
1082 
1083 	return SCTP_DISPOSITION_CONSUME;
1084 }
1085 
1086 /* resend asoc strreset_chunk.  */
1087 enum sctp_disposition sctp_sf_send_reconf(struct net *net,
1088 					  const struct sctp_endpoint *ep,
1089 					  const struct sctp_association *asoc,
1090 					  const union sctp_subtype type,
1091 					  void *arg,
1092 					  struct sctp_cmd_seq *commands)
1093 {
1094 	struct sctp_transport *transport = arg;
1095 
1096 	if (asoc->overall_error_count >= asoc->max_retrans) {
1097 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1098 				SCTP_ERROR(ETIMEDOUT));
1099 		/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1100 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1101 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
1102 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1103 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1104 		return SCTP_DISPOSITION_DELETE_TCB;
1105 	}
1106 
1107 	sctp_chunk_hold(asoc->strreset_chunk);
1108 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1109 			SCTP_CHUNK(asoc->strreset_chunk));
1110 	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
1111 
1112 	return SCTP_DISPOSITION_CONSUME;
1113 }
1114 
1115 /* send hb chunk with padding for PLPMUTD.  */
1116 enum sctp_disposition sctp_sf_send_probe(struct net *net,
1117 					 const struct sctp_endpoint *ep,
1118 					 const struct sctp_association *asoc,
1119 					 const union sctp_subtype type,
1120 					 void *arg,
1121 					 struct sctp_cmd_seq *commands)
1122 {
1123 	struct sctp_transport *transport = (struct sctp_transport *)arg;
1124 	struct sctp_chunk *reply;
1125 
1126 	if (!sctp_transport_pl_enabled(transport))
1127 		return SCTP_DISPOSITION_CONSUME;
1128 
1129 	sctp_transport_pl_send(transport);
1130 	reply = sctp_make_heartbeat(asoc, transport, transport->pl.probe_size);
1131 	if (!reply)
1132 		return SCTP_DISPOSITION_NOMEM;
1133 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1134 	sctp_add_cmd_sf(commands, SCTP_CMD_PROBE_TIMER_UPDATE,
1135 			SCTP_TRANSPORT(transport));
1136 
1137 	return SCTP_DISPOSITION_CONSUME;
1138 }
1139 
1140 /*
1141  * Process an heartbeat request.
1142  *
1143  * Section: 8.3 Path Heartbeat
1144  * The receiver of the HEARTBEAT should immediately respond with a
1145  * HEARTBEAT ACK that contains the Heartbeat Information field copied
1146  * from the received HEARTBEAT chunk.
1147  *
1148  * Verification Tag:  8.5 Verification Tag [Normal verification]
1149  * When receiving an SCTP packet, the endpoint MUST ensure that the
1150  * value in the Verification Tag field of the received SCTP packet
1151  * matches its own Tag. If the received Verification Tag value does not
1152  * match the receiver's own tag value, the receiver shall silently
1153  * discard the packet and shall not process it any further except for
1154  * those cases listed in Section 8.5.1 below.
1155  *
1156  * Inputs
1157  * (endpoint, asoc, chunk)
1158  *
1159  * Outputs
1160  * (asoc, reply_msg, msg_up, timers, counters)
1161  *
1162  * The return value is the disposition of the chunk.
1163  */
1164 enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
1165 				       const struct sctp_endpoint *ep,
1166 				       const struct sctp_association *asoc,
1167 				       const union sctp_subtype type,
1168 				       void *arg, struct sctp_cmd_seq *commands)
1169 {
1170 	struct sctp_paramhdr *param_hdr;
1171 	struct sctp_chunk *chunk = arg;
1172 	struct sctp_chunk *reply;
1173 	size_t paylen = 0;
1174 
1175 	if (!sctp_vtag_verify(chunk, asoc))
1176 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1177 
1178 	/* Make sure that the HEARTBEAT chunk has a valid length. */
1179 	if (!sctp_chunk_length_valid(chunk,
1180 				     sizeof(struct sctp_heartbeat_chunk)))
1181 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1182 						  commands);
1183 
1184 	/* 8.3 The receiver of the HEARTBEAT should immediately
1185 	 * respond with a HEARTBEAT ACK that contains the Heartbeat
1186 	 * Information field copied from the received HEARTBEAT chunk.
1187 	 */
1188 	chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
1189 	param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
1190 	paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);
1191 
1192 	if (ntohs(param_hdr->length) > paylen)
1193 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1194 						  param_hdr, commands);
1195 
1196 	if (!pskb_pull(chunk->skb, paylen))
1197 		goto nomem;
1198 
1199 	reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1200 	if (!reply)
1201 		goto nomem;
1202 
1203 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1204 	return SCTP_DISPOSITION_CONSUME;
1205 
1206 nomem:
1207 	return SCTP_DISPOSITION_NOMEM;
1208 }
1209 
1210 /*
1211  * Process the returning HEARTBEAT ACK.
1212  *
1213  * Section: 8.3 Path Heartbeat
1214  * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1215  * should clear the error counter of the destination transport
1216  * address to which the HEARTBEAT was sent, and mark the destination
1217  * transport address as active if it is not so marked. The endpoint may
1218  * optionally report to the upper layer when an inactive destination
1219  * address is marked as active due to the reception of the latest
1220  * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1221  * clear the association overall error count as well (as defined
1222  * in section 8.1).
1223  *
1224  * The receiver of the HEARTBEAT ACK should also perform an RTT
1225  * measurement for that destination transport address using the time
1226  * value carried in the HEARTBEAT ACK chunk.
1227  *
1228  * Verification Tag:  8.5 Verification Tag [Normal verification]
1229  *
1230  * Inputs
1231  * (endpoint, asoc, chunk)
1232  *
1233  * Outputs
1234  * (asoc, reply_msg, msg_up, timers, counters)
1235  *
1236  * The return value is the disposition of the chunk.
1237  */
1238 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
1239 					   const struct sctp_endpoint *ep,
1240 					   const struct sctp_association *asoc,
1241 					   const union sctp_subtype type,
1242 					   void *arg,
1243 					   struct sctp_cmd_seq *commands)
1244 {
1245 	struct sctp_sender_hb_info *hbinfo;
1246 	struct sctp_chunk *chunk = arg;
1247 	struct sctp_transport *link;
1248 	unsigned long max_interval;
1249 	union sctp_addr from_addr;
1250 
1251 	if (!sctp_vtag_verify(chunk, asoc))
1252 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1253 
1254 	/* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */
1255 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
1256 					    sizeof(*hbinfo)))
1257 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1258 						  commands);
1259 
1260 	hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;
1261 	/* Make sure that the length of the parameter is what we expect */
1262 	if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
1263 		return SCTP_DISPOSITION_DISCARD;
1264 
1265 	from_addr = hbinfo->daddr;
1266 	link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1267 
1268 	/* This should never happen, but lets log it if so.  */
1269 	if (unlikely(!link)) {
1270 		if (from_addr.sa.sa_family == AF_INET6) {
1271 			net_warn_ratelimited("%s association %p could not find address %pI6\n",
1272 					     __func__,
1273 					     asoc,
1274 					     &from_addr.v6.sin6_addr);
1275 		} else {
1276 			net_warn_ratelimited("%s association %p could not find address %pI4\n",
1277 					     __func__,
1278 					     asoc,
1279 					     &from_addr.v4.sin_addr.s_addr);
1280 		}
1281 		return SCTP_DISPOSITION_DISCARD;
1282 	}
1283 
1284 	/* Validate the 64-bit random nonce. */
1285 	if (hbinfo->hb_nonce != link->hb_nonce)
1286 		return SCTP_DISPOSITION_DISCARD;
1287 
1288 	if (hbinfo->probe_size) {
1289 		if (hbinfo->probe_size != link->pl.probe_size ||
1290 		    !sctp_transport_pl_enabled(link))
1291 			return SCTP_DISPOSITION_DISCARD;
1292 
1293 		if (sctp_transport_pl_recv(link))
1294 			return SCTP_DISPOSITION_CONSUME;
1295 
1296 		return sctp_sf_send_probe(net, ep, asoc, type, link, commands);
1297 	}
1298 
1299 	max_interval = link->hbinterval + link->rto;
1300 
1301 	/* Check if the timestamp looks valid.  */
1302 	if (time_after(hbinfo->sent_at, jiffies) ||
1303 	    time_after(jiffies, hbinfo->sent_at + max_interval)) {
1304 		pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1305 			 "for transport:%p\n", __func__, link);
1306 
1307 		return SCTP_DISPOSITION_DISCARD;
1308 	}
1309 
1310 	/* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1311 	 * the HEARTBEAT should clear the error counter of the
1312 	 * destination transport address to which the HEARTBEAT was
1313 	 * sent and mark the destination transport address as active if
1314 	 * it is not so marked.
1315 	 */
1316 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1317 
1318 	return SCTP_DISPOSITION_CONSUME;
1319 }
1320 
1321 /* Helper function to send out an abort for the restart
1322  * condition.
1323  */
1324 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1325 				      struct sctp_chunk *init,
1326 				      struct sctp_cmd_seq *commands)
1327 {
1328 	struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1329 	union sctp_addr_param *addrparm;
1330 	struct sctp_errhdr *errhdr;
1331 	char buffer[sizeof(*errhdr) + sizeof(*addrparm)];
1332 	struct sctp_endpoint *ep;
1333 	struct sctp_packet *pkt;
1334 	int len;
1335 
1336 	/* Build the error on the stack.   We are way to malloc crazy
1337 	 * throughout the code today.
1338 	 */
1339 	errhdr = (struct sctp_errhdr *)buffer;
1340 	addrparm = (union sctp_addr_param *)(errhdr + 1);
1341 
1342 	/* Copy into a parm format. */
1343 	len = af->to_addr_param(ssa, addrparm);
1344 	len += sizeof(*errhdr);
1345 
1346 	errhdr->cause = SCTP_ERROR_RESTART;
1347 	errhdr->length = htons(len);
1348 
1349 	/* Assign to the control socket. */
1350 	ep = sctp_sk(net->sctp.ctl_sock)->ep;
1351 
1352 	/* Association is NULL since this may be a restart attack and we
1353 	 * want to send back the attacker's vtag.
1354 	 */
1355 	pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1356 
1357 	if (!pkt)
1358 		goto out;
1359 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1360 
1361 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1362 
1363 	/* Discard the rest of the inbound packet. */
1364 	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1365 
1366 out:
1367 	/* Even if there is no memory, treat as a failure so
1368 	 * the packet will get dropped.
1369 	 */
1370 	return 0;
1371 }
1372 
1373 static bool list_has_sctp_addr(const struct list_head *list,
1374 			       union sctp_addr *ipaddr)
1375 {
1376 	struct sctp_transport *addr;
1377 
1378 	list_for_each_entry(addr, list, transports) {
1379 		if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1380 			return true;
1381 	}
1382 
1383 	return false;
1384 }
1385 /* A restart is occurring, check to make sure no new addresses
1386  * are being added as we may be under a takeover attack.
1387  */
1388 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1389 				       const struct sctp_association *asoc,
1390 				       struct sctp_chunk *init,
1391 				       struct sctp_cmd_seq *commands)
1392 {
1393 	struct net *net = new_asoc->base.net;
1394 	struct sctp_transport *new_addr;
1395 	int ret = 1;
1396 
1397 	/* Implementor's Guide - Section 5.2.2
1398 	 * ...
1399 	 * Before responding the endpoint MUST check to see if the
1400 	 * unexpected INIT adds new addresses to the association. If new
1401 	 * addresses are added to the association, the endpoint MUST respond
1402 	 * with an ABORT..
1403 	 */
1404 
1405 	/* Search through all current addresses and make sure
1406 	 * we aren't adding any new ones.
1407 	 */
1408 	list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1409 			    transports) {
1410 		if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1411 					&new_addr->ipaddr)) {
1412 			sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1413 						   commands);
1414 			ret = 0;
1415 			break;
1416 		}
1417 	}
1418 
1419 	/* Return success if all addresses were found. */
1420 	return ret;
1421 }
1422 
1423 /* Populate the verification/tie tags based on overlapping INIT
1424  * scenario.
1425  *
1426  * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1427  */
1428 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1429 				  const struct sctp_association *asoc)
1430 {
1431 	switch (asoc->state) {
1432 
1433 	/* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1434 
1435 	case SCTP_STATE_COOKIE_WAIT:
1436 		new_asoc->c.my_vtag     = asoc->c.my_vtag;
1437 		new_asoc->c.my_ttag     = asoc->c.my_vtag;
1438 		new_asoc->c.peer_ttag   = 0;
1439 		break;
1440 
1441 	case SCTP_STATE_COOKIE_ECHOED:
1442 		new_asoc->c.my_vtag     = asoc->c.my_vtag;
1443 		new_asoc->c.my_ttag     = asoc->c.my_vtag;
1444 		new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
1445 		break;
1446 
1447 	/* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1448 	 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1449 	 */
1450 	default:
1451 		new_asoc->c.my_ttag   = asoc->c.my_vtag;
1452 		new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1453 		break;
1454 	}
1455 
1456 	/* Other parameters for the endpoint SHOULD be copied from the
1457 	 * existing parameters of the association (e.g. number of
1458 	 * outbound streams) into the INIT ACK and cookie.
1459 	 */
1460 	new_asoc->rwnd                  = asoc->rwnd;
1461 	new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
1462 	new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1463 	new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
1464 }
1465 
1466 /*
1467  * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1468  * handling action.
1469  *
1470  * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1471  *
1472  * Returns value representing action to be taken.   These action values
1473  * correspond to Action/Description values in RFC 2960, Table 2.
1474  */
1475 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1476 				 const struct sctp_association *asoc)
1477 {
1478 	/* In this case, the peer may have restarted.  */
1479 	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1480 	    (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1481 	    (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1482 	    (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1483 		return 'A';
1484 
1485 	/* Collision case B. */
1486 	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1487 	    ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1488 	     (0 == asoc->c.peer_vtag))) {
1489 		return 'B';
1490 	}
1491 
1492 	/* Collision case D. */
1493 	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1494 	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1495 		return 'D';
1496 
1497 	/* Collision case C. */
1498 	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1499 	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1500 	    (0 == new_asoc->c.my_ttag) &&
1501 	    (0 == new_asoc->c.peer_ttag))
1502 		return 'C';
1503 
1504 	/* No match to any of the special cases; discard this packet. */
1505 	return 'E';
1506 }
1507 
1508 /* Common helper routine for both duplicate and simultaneous INIT
1509  * chunk handling.
1510  */
1511 static enum sctp_disposition sctp_sf_do_unexpected_init(
1512 					struct net *net,
1513 					const struct sctp_endpoint *ep,
1514 					const struct sctp_association *asoc,
1515 					const union sctp_subtype type,
1516 					void *arg,
1517 					struct sctp_cmd_seq *commands)
1518 {
1519 	struct sctp_chunk *chunk = arg, *repl, *err_chunk;
1520 	struct sctp_unrecognized_param *unk_param;
1521 	struct sctp_association *new_asoc;
1522 	enum sctp_disposition retval;
1523 	struct sctp_packet *packet;
1524 	int len;
1525 
1526 	/* 6.10 Bundling
1527 	 * An endpoint MUST NOT bundle INIT, INIT ACK or
1528 	 * SHUTDOWN COMPLETE with any other chunks.
1529 	 *
1530 	 * IG Section 2.11.2
1531 	 * Furthermore, we require that the receiver of an INIT chunk MUST
1532 	 * enforce these rules by silently discarding an arriving packet
1533 	 * with an INIT chunk that is bundled with other chunks.
1534 	 */
1535 	if (!chunk->singleton)
1536 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1537 
1538 	/* Make sure that the INIT chunk has a valid length. */
1539 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
1540 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1541 
1542 	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1543 	 * Tag.
1544 	 */
1545 	if (chunk->sctp_hdr->vtag != 0)
1546 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1547 
1548 	if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port)
1549 		return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands);
1550 
1551 	/* Grab the INIT header.  */
1552 	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
1553 
1554 	/* Tag the variable length parameters.  */
1555 	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
1556 
1557 	/* Verify the INIT chunk before processing it. */
1558 	err_chunk = NULL;
1559 	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1560 			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
1561 			      &err_chunk)) {
1562 		/* This chunk contains fatal error. It is to be discarded.
1563 		 * Send an ABORT, with causes if there is any.
1564 		 */
1565 		if (err_chunk) {
1566 			packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1567 					(__u8 *)(err_chunk->chunk_hdr) +
1568 					sizeof(struct sctp_chunkhdr),
1569 					ntohs(err_chunk->chunk_hdr->length) -
1570 					sizeof(struct sctp_chunkhdr));
1571 
1572 			if (packet) {
1573 				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1574 						SCTP_PACKET(packet));
1575 				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1576 				retval = SCTP_DISPOSITION_CONSUME;
1577 			} else {
1578 				retval = SCTP_DISPOSITION_NOMEM;
1579 			}
1580 			goto cleanup;
1581 		} else {
1582 			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1583 						    commands);
1584 		}
1585 	}
1586 
1587 	/*
1588 	 * Other parameters for the endpoint SHOULD be copied from the
1589 	 * existing parameters of the association (e.g. number of
1590 	 * outbound streams) into the INIT ACK and cookie.
1591 	 * FIXME:  We are copying parameters from the endpoint not the
1592 	 * association.
1593 	 */
1594 	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1595 	if (!new_asoc)
1596 		goto nomem;
1597 
1598 	/* Update socket peer label if first association. */
1599 	if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
1600 		sctp_association_free(new_asoc);
1601 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1602 	}
1603 
1604 	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1605 				sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1606 		goto nomem;
1607 
1608 	/* In the outbound INIT ACK the endpoint MUST copy its current
1609 	 * Verification Tag and Peers Verification tag into a reserved
1610 	 * place (local tie-tag and per tie-tag) within the state cookie.
1611 	 */
1612 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1613 			       (struct sctp_init_chunk *)chunk->chunk_hdr,
1614 			       GFP_ATOMIC))
1615 		goto nomem;
1616 
1617 	/* Make sure no new addresses are being added during the
1618 	 * restart.   Do not do this check for COOKIE-WAIT state,
1619 	 * since there are no peer addresses to check against.
1620 	 * Upon return an ABORT will have been sent if needed.
1621 	 */
1622 	if (!sctp_state(asoc, COOKIE_WAIT)) {
1623 		if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1624 						 commands)) {
1625 			retval = SCTP_DISPOSITION_CONSUME;
1626 			goto nomem_retval;
1627 		}
1628 	}
1629 
1630 	sctp_tietags_populate(new_asoc, asoc);
1631 
1632 	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
1633 
1634 	/* If there are errors need to be reported for unknown parameters,
1635 	 * make sure to reserve enough room in the INIT ACK for them.
1636 	 */
1637 	len = 0;
1638 	if (err_chunk) {
1639 		len = ntohs(err_chunk->chunk_hdr->length) -
1640 		      sizeof(struct sctp_chunkhdr);
1641 	}
1642 
1643 	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1644 	if (!repl)
1645 		goto nomem;
1646 
1647 	/* If there are errors need to be reported for unknown parameters,
1648 	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1649 	 * parameter.
1650 	 */
1651 	if (err_chunk) {
1652 		/* Get the "Unrecognized parameter" parameter(s) out of the
1653 		 * ERROR chunk generated by sctp_verify_init(). Since the
1654 		 * error cause code for "unknown parameter" and the
1655 		 * "Unrecognized parameter" type is the same, we can
1656 		 * construct the parameters in INIT ACK by copying the
1657 		 * ERROR causes over.
1658 		 */
1659 		unk_param = (struct sctp_unrecognized_param *)
1660 			    ((__u8 *)(err_chunk->chunk_hdr) +
1661 			    sizeof(struct sctp_chunkhdr));
1662 		/* Replace the cause code with the "Unrecognized parameter"
1663 		 * parameter type.
1664 		 */
1665 		sctp_addto_chunk(repl, len, unk_param);
1666 	}
1667 
1668 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1669 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1670 
1671 	/*
1672 	 * Note: After sending out INIT ACK with the State Cookie parameter,
1673 	 * "Z" MUST NOT allocate any resources for this new association.
1674 	 * Otherwise, "Z" will be vulnerable to resource attacks.
1675 	 */
1676 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1677 	retval = SCTP_DISPOSITION_CONSUME;
1678 
1679 	return retval;
1680 
1681 nomem:
1682 	retval = SCTP_DISPOSITION_NOMEM;
1683 nomem_retval:
1684 	if (new_asoc)
1685 		sctp_association_free(new_asoc);
1686 cleanup:
1687 	if (err_chunk)
1688 		sctp_chunk_free(err_chunk);
1689 	return retval;
1690 }
1691 
1692 /*
1693  * Handle simultaneous INIT.
1694  * This means we started an INIT and then we got an INIT request from
1695  * our peer.
1696  *
1697  * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1698  * This usually indicates an initialization collision, i.e., each
1699  * endpoint is attempting, at about the same time, to establish an
1700  * association with the other endpoint.
1701  *
1702  * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1703  * endpoint MUST respond with an INIT ACK using the same parameters it
1704  * sent in its original INIT chunk (including its Verification Tag,
1705  * unchanged). These original parameters are combined with those from the
1706  * newly received INIT chunk. The endpoint shall also generate a State
1707  * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1708  * INIT to calculate the State Cookie.
1709  *
1710  * After that, the endpoint MUST NOT change its state, the T1-init
1711  * timer shall be left running and the corresponding TCB MUST NOT be
1712  * destroyed. The normal procedures for handling State Cookies when
1713  * a TCB exists will resolve the duplicate INITs to a single association.
1714  *
1715  * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1716  * its Tie-Tags with the Tag information of itself and its peer (see
1717  * section 5.2.2 for a description of the Tie-Tags).
1718  *
1719  * Verification Tag: Not explicit, but an INIT can not have a valid
1720  * verification tag, so we skip the check.
1721  *
1722  * Inputs
1723  * (endpoint, asoc, chunk)
1724  *
1725  * Outputs
1726  * (asoc, reply_msg, msg_up, timers, counters)
1727  *
1728  * The return value is the disposition of the chunk.
1729  */
1730 enum sctp_disposition sctp_sf_do_5_2_1_siminit(
1731 					struct net *net,
1732 					const struct sctp_endpoint *ep,
1733 					const struct sctp_association *asoc,
1734 					const union sctp_subtype type,
1735 					void *arg,
1736 					struct sctp_cmd_seq *commands)
1737 {
1738 	/* Call helper to do the real work for both simultaneous and
1739 	 * duplicate INIT chunk handling.
1740 	 */
1741 	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1742 }
1743 
1744 /*
1745  * Handle duplicated INIT messages.  These are usually delayed
1746  * restransmissions.
1747  *
1748  * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1749  * COOKIE-ECHOED and COOKIE-WAIT
1750  *
1751  * Unless otherwise stated, upon reception of an unexpected INIT for
1752  * this association, the endpoint shall generate an INIT ACK with a
1753  * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
1754  * current Verification Tag and peer's Verification Tag into a reserved
1755  * place within the state cookie.  We shall refer to these locations as
1756  * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
1757  * containing this INIT ACK MUST carry a Verification Tag value equal to
1758  * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
1759  * MUST contain a new Initiation Tag (randomly generated see Section
1760  * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
1761  * existing parameters of the association (e.g. number of outbound
1762  * streams) into the INIT ACK and cookie.
1763  *
1764  * After sending out the INIT ACK, the endpoint shall take no further
1765  * actions, i.e., the existing association, including its current state,
1766  * and the corresponding TCB MUST NOT be changed.
1767  *
1768  * Note: Only when a TCB exists and the association is not in a COOKIE-
1769  * WAIT state are the Tie-Tags populated.  For a normal association INIT
1770  * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1771  * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
1772  * State Cookie are populated as specified in section 5.2.1.
1773  *
1774  * Verification Tag: Not specified, but an INIT has no way of knowing
1775  * what the verification tag could be, so we ignore it.
1776  *
1777  * Inputs
1778  * (endpoint, asoc, chunk)
1779  *
1780  * Outputs
1781  * (asoc, reply_msg, msg_up, timers, counters)
1782  *
1783  * The return value is the disposition of the chunk.
1784  */
1785 enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
1786 					struct net *net,
1787 					const struct sctp_endpoint *ep,
1788 					const struct sctp_association *asoc,
1789 					const union sctp_subtype type,
1790 					void *arg,
1791 					struct sctp_cmd_seq *commands)
1792 {
1793 	/* Call helper to do the real work for both simultaneous and
1794 	 * duplicate INIT chunk handling.
1795 	 */
1796 	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1797 }
1798 
1799 
1800 /*
1801  * Unexpected INIT-ACK handler.
1802  *
1803  * Section 5.2.3
1804  * If an INIT ACK received by an endpoint in any state other than the
1805  * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1806  * An unexpected INIT ACK usually indicates the processing of an old or
1807  * duplicated INIT chunk.
1808 */
1809 enum sctp_disposition sctp_sf_do_5_2_3_initack(
1810 					struct net *net,
1811 					const struct sctp_endpoint *ep,
1812 					const struct sctp_association *asoc,
1813 					const union sctp_subtype type,
1814 					void *arg,
1815 					struct sctp_cmd_seq *commands)
1816 {
1817 	/* Per the above section, we'll discard the chunk if we have an
1818 	 * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
1819 	 */
1820 	if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1821 		return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1822 	else
1823 		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1824 }
1825 
1826 static int sctp_sf_do_assoc_update(struct sctp_association *asoc,
1827 				   struct sctp_association *new,
1828 				   struct sctp_cmd_seq *cmds)
1829 {
1830 	struct net *net = asoc->base.net;
1831 	struct sctp_chunk *abort;
1832 
1833 	if (!sctp_assoc_update(asoc, new))
1834 		return 0;
1835 
1836 	abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
1837 	if (abort) {
1838 		sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
1839 		sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
1840 	}
1841 	sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
1842 	sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED,
1843 			SCTP_PERR(SCTP_ERROR_RSRC_LOW));
1844 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1845 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1846 
1847 	return -ENOMEM;
1848 }
1849 
1850 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1851  *
1852  * Section 5.2.4
1853  *  A)  In this case, the peer may have restarted.
1854  */
1855 static enum sctp_disposition sctp_sf_do_dupcook_a(
1856 					struct net *net,
1857 					const struct sctp_endpoint *ep,
1858 					const struct sctp_association *asoc,
1859 					struct sctp_chunk *chunk,
1860 					struct sctp_cmd_seq *commands,
1861 					struct sctp_association *new_asoc)
1862 {
1863 	struct sctp_init_chunk *peer_init;
1864 	enum sctp_disposition disposition;
1865 	struct sctp_ulpevent *ev;
1866 	struct sctp_chunk *repl;
1867 	struct sctp_chunk *err;
1868 
1869 	/* new_asoc is a brand-new association, so these are not yet
1870 	 * side effects--it is safe to run them here.
1871 	 */
1872 	peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1);
1873 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1874 			       GFP_ATOMIC))
1875 		goto nomem;
1876 
1877 	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1878 		goto nomem;
1879 
1880 	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1881 		return SCTP_DISPOSITION_DISCARD;
1882 
1883 	/* Make sure no new addresses are being added during the
1884 	 * restart.  Though this is a pretty complicated attack
1885 	 * since you'd have to get inside the cookie.
1886 	 */
1887 	if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
1888 		return SCTP_DISPOSITION_CONSUME;
1889 
1890 	/* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1891 	 * the peer has restarted (Action A), it MUST NOT setup a new
1892 	 * association but instead resend the SHUTDOWN ACK and send an ERROR
1893 	 * chunk with a "Cookie Received while Shutting Down" error cause to
1894 	 * its peer.
1895 	*/
1896 	if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1897 		disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc,
1898 							 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1899 							 chunk, commands);
1900 		if (SCTP_DISPOSITION_NOMEM == disposition)
1901 			goto nomem;
1902 
1903 		err = sctp_make_op_error(asoc, chunk,
1904 					 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1905 					 NULL, 0, 0);
1906 		if (err)
1907 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1908 					SCTP_CHUNK(err));
1909 
1910 		return SCTP_DISPOSITION_CONSUME;
1911 	}
1912 
1913 	/* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1914 	 * data. Consider the optional choice of resending of this data.
1915 	 */
1916 	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1917 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1918 			SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1919 	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1920 
1921 	/* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1922 	 * and ASCONF-ACK cache.
1923 	 */
1924 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1925 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1926 	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1927 
1928 	/* Update the content of current association. */
1929 	if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1930 		goto nomem;
1931 
1932 	repl = sctp_make_cookie_ack(asoc, chunk);
1933 	if (!repl)
1934 		goto nomem;
1935 
1936 	/* Report association restart to upper layer. */
1937 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1938 					     asoc->c.sinit_num_ostreams,
1939 					     asoc->c.sinit_max_instreams,
1940 					     NULL, GFP_ATOMIC);
1941 	if (!ev)
1942 		goto nomem_ev;
1943 
1944 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1945 	if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
1946 	     sctp_state(asoc, SHUTDOWN_SENT)) &&
1947 	    (sctp_sstate(asoc->base.sk, CLOSING) ||
1948 	     sock_flag(asoc->base.sk, SOCK_DEAD))) {
1949 		/* If the socket has been closed by user, don't
1950 		 * transition to ESTABLISHED. Instead trigger SHUTDOWN
1951 		 * bundled with COOKIE_ACK.
1952 		 */
1953 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1954 		return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1955 						     SCTP_ST_CHUNK(0), repl,
1956 						     commands);
1957 	} else {
1958 		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1959 				SCTP_STATE(SCTP_STATE_ESTABLISHED));
1960 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1961 	}
1962 	return SCTP_DISPOSITION_CONSUME;
1963 
1964 nomem_ev:
1965 	sctp_chunk_free(repl);
1966 nomem:
1967 	return SCTP_DISPOSITION_NOMEM;
1968 }
1969 
1970 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1971  *
1972  * Section 5.2.4
1973  *   B) In this case, both sides may be attempting to start an association
1974  *      at about the same time but the peer endpoint started its INIT
1975  *      after responding to the local endpoint's INIT
1976  */
1977 /* This case represents an initialization collision.  */
1978 static enum sctp_disposition sctp_sf_do_dupcook_b(
1979 					struct net *net,
1980 					const struct sctp_endpoint *ep,
1981 					const struct sctp_association *asoc,
1982 					struct sctp_chunk *chunk,
1983 					struct sctp_cmd_seq *commands,
1984 					struct sctp_association *new_asoc)
1985 {
1986 	struct sctp_init_chunk *peer_init;
1987 	struct sctp_chunk *repl;
1988 
1989 	/* new_asoc is a brand-new association, so these are not yet
1990 	 * side effects--it is safe to run them here.
1991 	 */
1992 	peer_init = (struct sctp_init_chunk *)(chunk->subh.cookie_hdr + 1);
1993 	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1994 			       GFP_ATOMIC))
1995 		goto nomem;
1996 
1997 	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1998 		goto nomem;
1999 
2000 	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
2001 		return SCTP_DISPOSITION_DISCARD;
2002 
2003 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2004 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
2005 	if (asoc->state < SCTP_STATE_ESTABLISHED)
2006 		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2007 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
2008 
2009 	/* Update the content of current association.  */
2010 	if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
2011 		goto nomem;
2012 
2013 	repl = sctp_make_cookie_ack(asoc, chunk);
2014 	if (!repl)
2015 		goto nomem;
2016 
2017 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2018 
2019 	/* RFC 2960 5.1 Normal Establishment of an Association
2020 	 *
2021 	 * D) IMPLEMENTATION NOTE: An implementation may choose to
2022 	 * send the Communication Up notification to the SCTP user
2023 	 * upon reception of a valid COOKIE ECHO chunk.
2024 	 *
2025 	 * Sadly, this needs to be implemented as a side-effect, because
2026 	 * we are not guaranteed to have set the association id of the real
2027 	 * association and so these notifications need to be delayed until
2028 	 * the association id is allocated.
2029 	 */
2030 
2031 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
2032 
2033 	/* Sockets API Draft Section 5.3.1.6
2034 	 * When a peer sends a Adaptation Layer Indication parameter , SCTP
2035 	 * delivers this notification to inform the application that of the
2036 	 * peers requested adaptation layer.
2037 	 *
2038 	 * This also needs to be done as a side effect for the same reason as
2039 	 * above.
2040 	 */
2041 	if (asoc->peer.adaptation_ind)
2042 		sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
2043 
2044 	if (!asoc->peer.auth_capable)
2045 		sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());
2046 
2047 	return SCTP_DISPOSITION_CONSUME;
2048 
2049 nomem:
2050 	return SCTP_DISPOSITION_NOMEM;
2051 }
2052 
2053 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
2054  *
2055  * Section 5.2.4
2056  *  C) In this case, the local endpoint's cookie has arrived late.
2057  *     Before it arrived, the local endpoint sent an INIT and received an
2058  *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
2059  *     but a new tag of its own.
2060  */
2061 /* This case represents an initialization collision.  */
2062 static enum sctp_disposition sctp_sf_do_dupcook_c(
2063 					struct net *net,
2064 					const struct sctp_endpoint *ep,
2065 					const struct sctp_association *asoc,
2066 					struct sctp_chunk *chunk,
2067 					struct sctp_cmd_seq *commands,
2068 					struct sctp_association *new_asoc)
2069 {
2070 	/* The cookie should be silently discarded.
2071 	 * The endpoint SHOULD NOT change states and should leave
2072 	 * any timers running.
2073 	 */
2074 	return SCTP_DISPOSITION_DISCARD;
2075 }
2076 
2077 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
2078  *
2079  * Section 5.2.4
2080  *
2081  * D) When both local and remote tags match the endpoint should always
2082  *    enter the ESTABLISHED state, if it has not already done so.
2083  */
2084 /* This case represents an initialization collision.  */
2085 static enum sctp_disposition sctp_sf_do_dupcook_d(
2086 					struct net *net,
2087 					const struct sctp_endpoint *ep,
2088 					const struct sctp_association *asoc,
2089 					struct sctp_chunk *chunk,
2090 					struct sctp_cmd_seq *commands,
2091 					struct sctp_association *new_asoc)
2092 {
2093 	struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;
2094 	struct sctp_chunk *repl;
2095 
2096 	/* Clarification from Implementor's Guide:
2097 	 * D) When both local and remote tags match the endpoint should
2098 	 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
2099 	 * It should stop any cookie timer that may be running and send
2100 	 * a COOKIE ACK.
2101 	 */
2102 
2103 	if (!sctp_auth_chunk_verify(net, chunk, asoc))
2104 		return SCTP_DISPOSITION_DISCARD;
2105 
2106 	/* Don't accidentally move back into established state. */
2107 	if (asoc->state < SCTP_STATE_ESTABLISHED) {
2108 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2109 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2110 		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2111 				SCTP_STATE(SCTP_STATE_ESTABLISHED));
2112 		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2113 		sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
2114 				SCTP_NULL());
2115 
2116 		/* RFC 2960 5.1 Normal Establishment of an Association
2117 		 *
2118 		 * D) IMPLEMENTATION NOTE: An implementation may choose
2119 		 * to send the Communication Up notification to the
2120 		 * SCTP user upon reception of a valid COOKIE
2121 		 * ECHO chunk.
2122 		 */
2123 		ev = sctp_ulpevent_make_assoc_change(asoc, 0,
2124 					     SCTP_COMM_UP, 0,
2125 					     asoc->c.sinit_num_ostreams,
2126 					     asoc->c.sinit_max_instreams,
2127 					     NULL, GFP_ATOMIC);
2128 		if (!ev)
2129 			goto nomem;
2130 
2131 		/* Sockets API Draft Section 5.3.1.6
2132 		 * When a peer sends a Adaptation Layer Indication parameter,
2133 		 * SCTP delivers this notification to inform the application
2134 		 * that of the peers requested adaptation layer.
2135 		 */
2136 		if (asoc->peer.adaptation_ind) {
2137 			ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
2138 								 GFP_ATOMIC);
2139 			if (!ai_ev)
2140 				goto nomem;
2141 
2142 		}
2143 
2144 		if (!asoc->peer.auth_capable) {
2145 			auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
2146 							     SCTP_AUTH_NO_AUTH,
2147 							     GFP_ATOMIC);
2148 			if (!auth_ev)
2149 				goto nomem;
2150 		}
2151 	}
2152 
2153 	repl = sctp_make_cookie_ack(asoc, chunk);
2154 	if (!repl)
2155 		goto nomem;
2156 
2157 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2158 
2159 	if (ev)
2160 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2161 				SCTP_ULPEVENT(ev));
2162 	if (ai_ev)
2163 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2164 					SCTP_ULPEVENT(ai_ev));
2165 	if (auth_ev)
2166 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2167 				SCTP_ULPEVENT(auth_ev));
2168 
2169 	return SCTP_DISPOSITION_CONSUME;
2170 
2171 nomem:
2172 	if (auth_ev)
2173 		sctp_ulpevent_free(auth_ev);
2174 	if (ai_ev)
2175 		sctp_ulpevent_free(ai_ev);
2176 	if (ev)
2177 		sctp_ulpevent_free(ev);
2178 	return SCTP_DISPOSITION_NOMEM;
2179 }
2180 
2181 /*
2182  * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
2183  * chunk was retransmitted and then delayed in the network.
2184  *
2185  * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
2186  *
2187  * Verification Tag: None.  Do cookie validation.
2188  *
2189  * Inputs
2190  * (endpoint, asoc, chunk)
2191  *
2192  * Outputs
2193  * (asoc, reply_msg, msg_up, timers, counters)
2194  *
2195  * The return value is the disposition of the chunk.
2196  */
2197 enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
2198 					struct net *net,
2199 					const struct sctp_endpoint *ep,
2200 					const struct sctp_association *asoc,
2201 					const union sctp_subtype type,
2202 					void *arg,
2203 					struct sctp_cmd_seq *commands)
2204 {
2205 	struct sctp_association *new_asoc;
2206 	struct sctp_chunk *chunk = arg;
2207 	enum sctp_disposition retval;
2208 	struct sctp_chunk *err_chk_p;
2209 	int error = 0;
2210 	char action;
2211 
2212 	/* Make sure that the chunk has a valid length from the protocol
2213 	 * perspective.  In this case check to make sure we have at least
2214 	 * enough for the chunk header.  Cookie length verification is
2215 	 * done later.
2216 	 */
2217 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) {
2218 		if (!sctp_vtag_verify(chunk, asoc))
2219 			asoc = NULL;
2220 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);
2221 	}
2222 
2223 	/* "Decode" the chunk.  We have no optional parameters so we
2224 	 * are in good shape.
2225 	 */
2226 	chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2227 	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2228 					sizeof(struct sctp_chunkhdr)))
2229 		goto nomem;
2230 
2231 	/* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2232 	 * of a duplicate COOKIE ECHO match the Verification Tags of the
2233 	 * current association, consider the State Cookie valid even if
2234 	 * the lifespan is exceeded.
2235 	 */
2236 	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2237 				      &err_chk_p);
2238 
2239 	/* FIXME:
2240 	 * If the re-build failed, what is the proper error path
2241 	 * from here?
2242 	 *
2243 	 * [We should abort the association. --piggy]
2244 	 */
2245 	if (!new_asoc) {
2246 		/* FIXME: Several errors are possible.  A bad cookie should
2247 		 * be silently discarded, but think about logging it too.
2248 		 */
2249 		switch (error) {
2250 		case -SCTP_IERROR_NOMEM:
2251 			goto nomem;
2252 
2253 		case -SCTP_IERROR_STALE_COOKIE:
2254 			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2255 						   err_chk_p);
2256 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2257 		case -SCTP_IERROR_BAD_SIG:
2258 		default:
2259 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2260 		}
2261 	}
2262 
2263 	/* Set temp so that it won't be added into hashtable */
2264 	new_asoc->temp = 1;
2265 
2266 	/* Compare the tie_tag in cookie with the verification tag of
2267 	 * current association.
2268 	 */
2269 	action = sctp_tietags_compare(new_asoc, asoc);
2270 
2271 	/* In cases C and E the association doesn't enter the ESTABLISHED
2272 	 * state, so there is no need to call security_sctp_assoc_request().
2273 	 */
2274 	switch (action) {
2275 	case 'A': /* Association restart. */
2276 	case 'B': /* Collision case B. */
2277 	case 'D': /* Collision case D. */
2278 		/* Update socket peer label if first association. */
2279 		if (security_sctp_assoc_request((struct sctp_association *)asoc,
2280 						chunk->head_skb ?: chunk->skb)) {
2281 			sctp_association_free(new_asoc);
2282 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2283 		}
2284 		break;
2285 	}
2286 
2287 	switch (action) {
2288 	case 'A': /* Association restart. */
2289 		retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2290 					      new_asoc);
2291 		break;
2292 
2293 	case 'B': /* Collision case B. */
2294 		retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2295 					      new_asoc);
2296 		break;
2297 
2298 	case 'C': /* Collision case C. */
2299 		retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2300 					      new_asoc);
2301 		break;
2302 
2303 	case 'D': /* Collision case D. */
2304 		retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2305 					      new_asoc);
2306 		break;
2307 
2308 	default: /* Discard packet for all others. */
2309 		retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2310 		break;
2311 	}
2312 
2313 	/* Delete the temporary new association. */
2314 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2315 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2316 
2317 	/* Restore association pointer to provide SCTP command interpreter
2318 	 * with a valid context in case it needs to manipulate
2319 	 * the queues */
2320 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2321 			 SCTP_ASOC((struct sctp_association *)asoc));
2322 
2323 	return retval;
2324 
2325 nomem:
2326 	return SCTP_DISPOSITION_NOMEM;
2327 }
2328 
2329 /*
2330  * Process an ABORT.  (SHUTDOWN-PENDING state)
2331  *
2332  * See sctp_sf_do_9_1_abort().
2333  */
2334 enum sctp_disposition sctp_sf_shutdown_pending_abort(
2335 					struct net *net,
2336 					const struct sctp_endpoint *ep,
2337 					const struct sctp_association *asoc,
2338 					const union sctp_subtype type,
2339 					void *arg,
2340 					struct sctp_cmd_seq *commands)
2341 {
2342 	struct sctp_chunk *chunk = arg;
2343 
2344 	if (!sctp_vtag_verify_either(chunk, asoc))
2345 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2346 
2347 	/* Make sure that the ABORT chunk has a valid length.
2348 	 * Since this is an ABORT chunk, we have to discard it
2349 	 * because of the following text:
2350 	 * RFC 2960, Section 3.3.7
2351 	 *    If an endpoint receives an ABORT with a format error or for an
2352 	 *    association that doesn't exist, it MUST silently discard it.
2353 	 * Because the length is "invalid", we can't really discard just
2354 	 * as we do not know its true length.  So, to be safe, discard the
2355 	 * packet.
2356 	 */
2357 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2358 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2359 
2360 	/* ADD-IP: Special case for ABORT chunks
2361 	 * F4)  One special consideration is that ABORT Chunks arriving
2362 	 * destined to the IP address being deleted MUST be
2363 	 * ignored (see Section 5.3.1 for further details).
2364 	 */
2365 	if (SCTP_ADDR_DEL ==
2366 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2367 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2368 
2369 	if (!sctp_err_chunk_valid(chunk))
2370 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2371 
2372 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2373 }
2374 
2375 /*
2376  * Process an ABORT.  (SHUTDOWN-SENT state)
2377  *
2378  * See sctp_sf_do_9_1_abort().
2379  */
2380 enum sctp_disposition sctp_sf_shutdown_sent_abort(
2381 					struct net *net,
2382 					const struct sctp_endpoint *ep,
2383 					const struct sctp_association *asoc,
2384 					const union sctp_subtype type,
2385 					void *arg,
2386 					struct sctp_cmd_seq *commands)
2387 {
2388 	struct sctp_chunk *chunk = arg;
2389 
2390 	if (!sctp_vtag_verify_either(chunk, asoc))
2391 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2392 
2393 	/* Make sure that the ABORT chunk has a valid length.
2394 	 * Since this is an ABORT chunk, we have to discard it
2395 	 * because of the following text:
2396 	 * RFC 2960, Section 3.3.7
2397 	 *    If an endpoint receives an ABORT with a format error or for an
2398 	 *    association that doesn't exist, it MUST silently discard it.
2399 	 * Because the length is "invalid", we can't really discard just
2400 	 * as we do not know its true length.  So, to be safe, discard the
2401 	 * packet.
2402 	 */
2403 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2404 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2405 
2406 	/* ADD-IP: Special case for ABORT chunks
2407 	 * F4)  One special consideration is that ABORT Chunks arriving
2408 	 * destined to the IP address being deleted MUST be
2409 	 * ignored (see Section 5.3.1 for further details).
2410 	 */
2411 	if (SCTP_ADDR_DEL ==
2412 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2413 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2414 
2415 	if (!sctp_err_chunk_valid(chunk))
2416 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2417 
2418 	/* Stop the T2-shutdown timer. */
2419 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2420 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2421 
2422 	/* Stop the T5-shutdown guard timer.  */
2423 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2424 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2425 
2426 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2427 }
2428 
2429 /*
2430  * Process an ABORT.  (SHUTDOWN-ACK-SENT state)
2431  *
2432  * See sctp_sf_do_9_1_abort().
2433  */
2434 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort(
2435 					struct net *net,
2436 					const struct sctp_endpoint *ep,
2437 					const struct sctp_association *asoc,
2438 					const union sctp_subtype type,
2439 					void *arg,
2440 					struct sctp_cmd_seq *commands)
2441 {
2442 	/* The same T2 timer, so we should be able to use
2443 	 * common function with the SHUTDOWN-SENT state.
2444 	 */
2445 	return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2446 }
2447 
2448 /*
2449  * Handle an Error received in COOKIE_ECHOED state.
2450  *
2451  * Only handle the error type of stale COOKIE Error, the other errors will
2452  * be ignored.
2453  *
2454  * Inputs
2455  * (endpoint, asoc, chunk)
2456  *
2457  * Outputs
2458  * (asoc, reply_msg, msg_up, timers, counters)
2459  *
2460  * The return value is the disposition of the chunk.
2461  */
2462 enum sctp_disposition sctp_sf_cookie_echoed_err(
2463 					struct net *net,
2464 					const struct sctp_endpoint *ep,
2465 					const struct sctp_association *asoc,
2466 					const union sctp_subtype type,
2467 					void *arg,
2468 					struct sctp_cmd_seq *commands)
2469 {
2470 	struct sctp_chunk *chunk = arg;
2471 	struct sctp_errhdr *err;
2472 
2473 	if (!sctp_vtag_verify(chunk, asoc))
2474 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2475 
2476 	/* Make sure that the ERROR chunk has a valid length.
2477 	 * The parameter walking depends on this as well.
2478 	 */
2479 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
2480 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2481 						  commands);
2482 
2483 	/* Process the error here */
2484 	/* FUTURE FIXME:  When PR-SCTP related and other optional
2485 	 * parms are emitted, this will have to change to handle multiple
2486 	 * errors.
2487 	 */
2488 	sctp_walk_errors(err, chunk->chunk_hdr) {
2489 		if (SCTP_ERROR_STALE_COOKIE == err->cause)
2490 			return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2491 							arg, commands);
2492 	}
2493 
2494 	/* It is possible to have malformed error causes, and that
2495 	 * will cause us to end the walk early.  However, since
2496 	 * we are discarding the packet, there should be no adverse
2497 	 * affects.
2498 	 */
2499 	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2500 }
2501 
2502 /*
2503  * Handle a Stale COOKIE Error
2504  *
2505  * Section: 5.2.6 Handle Stale COOKIE Error
2506  * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2507  * one of the following three alternatives.
2508  * ...
2509  * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2510  *    Preservative parameter requesting an extension to the lifetime of
2511  *    the State Cookie. When calculating the time extension, an
2512  *    implementation SHOULD use the RTT information measured based on the
2513  *    previous COOKIE ECHO / ERROR exchange, and should add no more
2514  *    than 1 second beyond the measured RTT, due to long State Cookie
2515  *    lifetimes making the endpoint more subject to a replay attack.
2516  *
2517  * Verification Tag:  Not explicit, but safe to ignore.
2518  *
2519  * Inputs
2520  * (endpoint, asoc, chunk)
2521  *
2522  * Outputs
2523  * (asoc, reply_msg, msg_up, timers, counters)
2524  *
2525  * The return value is the disposition of the chunk.
2526  */
2527 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
2528 					struct net *net,
2529 					const struct sctp_endpoint *ep,
2530 					const struct sctp_association *asoc,
2531 					const union sctp_subtype type,
2532 					void *arg,
2533 					struct sctp_cmd_seq *commands)
2534 {
2535 	int attempts = asoc->init_err_counter + 1;
2536 	struct sctp_chunk *chunk = arg, *reply;
2537 	struct sctp_cookie_preserve_param bht;
2538 	struct sctp_bind_addr *bp;
2539 	struct sctp_errhdr *err;
2540 	u32 stale;
2541 
2542 	if (attempts > asoc->max_init_attempts) {
2543 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2544 				SCTP_ERROR(ETIMEDOUT));
2545 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2546 				SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2547 		return SCTP_DISPOSITION_DELETE_TCB;
2548 	}
2549 
2550 	err = (struct sctp_errhdr *)(chunk->skb->data);
2551 
2552 	/* When calculating the time extension, an implementation
2553 	 * SHOULD use the RTT information measured based on the
2554 	 * previous COOKIE ECHO / ERROR exchange, and should add no
2555 	 * more than 1 second beyond the measured RTT, due to long
2556 	 * State Cookie lifetimes making the endpoint more subject to
2557 	 * a replay attack.
2558 	 * Measure of Staleness's unit is usec. (1/1000000 sec)
2559 	 * Suggested Cookie Life-span Increment's unit is msec.
2560 	 * (1/1000 sec)
2561 	 * In general, if you use the suggested cookie life, the value
2562 	 * found in the field of measure of staleness should be doubled
2563 	 * to give ample time to retransmit the new cookie and thus
2564 	 * yield a higher probability of success on the reattempt.
2565 	 */
2566 	stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));
2567 	stale = (stale * 2) / 1000;
2568 
2569 	bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2570 	bht.param_hdr.length = htons(sizeof(bht));
2571 	bht.lifespan_increment = htonl(stale);
2572 
2573 	/* Build that new INIT chunk.  */
2574 	bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2575 	reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2576 	if (!reply)
2577 		goto nomem;
2578 
2579 	sctp_addto_chunk(reply, sizeof(bht), &bht);
2580 
2581 	/* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2582 	sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2583 
2584 	/* Stop pending T3-rtx and heartbeat timers */
2585 	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2586 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2587 
2588 	/* Delete non-primary peer ip addresses since we are transitioning
2589 	 * back to the COOKIE-WAIT state
2590 	 */
2591 	sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2592 
2593 	/* If we've sent any data bundled with COOKIE-ECHO we will need to
2594 	 * resend
2595 	 */
2596 	sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2597 			SCTP_TRANSPORT(asoc->peer.primary_path));
2598 
2599 	/* Cast away the const modifier, as we want to just
2600 	 * rerun it through as a sideffect.
2601 	 */
2602 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2603 
2604 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2605 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2606 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2607 			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2608 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2609 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2610 
2611 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2612 
2613 	return SCTP_DISPOSITION_CONSUME;
2614 
2615 nomem:
2616 	return SCTP_DISPOSITION_NOMEM;
2617 }
2618 
2619 /*
2620  * Process an ABORT.
2621  *
2622  * Section: 9.1
2623  * After checking the Verification Tag, the receiving endpoint shall
2624  * remove the association from its record, and shall report the
2625  * termination to its upper layer.
2626  *
2627  * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2628  * B) Rules for packet carrying ABORT:
2629  *
2630  *  - The endpoint shall always fill in the Verification Tag field of the
2631  *    outbound packet with the destination endpoint's tag value if it
2632  *    is known.
2633  *
2634  *  - If the ABORT is sent in response to an OOTB packet, the endpoint
2635  *    MUST follow the procedure described in Section 8.4.
2636  *
2637  *  - The receiver MUST accept the packet if the Verification Tag
2638  *    matches either its own tag, OR the tag of its peer. Otherwise, the
2639  *    receiver MUST silently discard the packet and take no further
2640  *    action.
2641  *
2642  * Inputs
2643  * (endpoint, asoc, chunk)
2644  *
2645  * Outputs
2646  * (asoc, reply_msg, msg_up, timers, counters)
2647  *
2648  * The return value is the disposition of the chunk.
2649  */
2650 enum sctp_disposition sctp_sf_do_9_1_abort(
2651 					struct net *net,
2652 					const struct sctp_endpoint *ep,
2653 					const struct sctp_association *asoc,
2654 					const union sctp_subtype type,
2655 					void *arg,
2656 					struct sctp_cmd_seq *commands)
2657 {
2658 	struct sctp_chunk *chunk = arg;
2659 
2660 	if (!sctp_vtag_verify_either(chunk, asoc))
2661 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2662 
2663 	/* Make sure that the ABORT chunk has a valid length.
2664 	 * Since this is an ABORT chunk, we have to discard it
2665 	 * because of the following text:
2666 	 * RFC 2960, Section 3.3.7
2667 	 *    If an endpoint receives an ABORT with a format error or for an
2668 	 *    association that doesn't exist, it MUST silently discard it.
2669 	 * Because the length is "invalid", we can't really discard just
2670 	 * as we do not know its true length.  So, to be safe, discard the
2671 	 * packet.
2672 	 */
2673 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2674 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2675 
2676 	/* ADD-IP: Special case for ABORT chunks
2677 	 * F4)  One special consideration is that ABORT Chunks arriving
2678 	 * destined to the IP address being deleted MUST be
2679 	 * ignored (see Section 5.3.1 for further details).
2680 	 */
2681 	if (SCTP_ADDR_DEL ==
2682 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2683 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2684 
2685 	if (!sctp_err_chunk_valid(chunk))
2686 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2687 
2688 	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2689 }
2690 
2691 static enum sctp_disposition __sctp_sf_do_9_1_abort(
2692 					struct net *net,
2693 					const struct sctp_endpoint *ep,
2694 					const struct sctp_association *asoc,
2695 					const union sctp_subtype type,
2696 					void *arg,
2697 					struct sctp_cmd_seq *commands)
2698 {
2699 	__be16 error = SCTP_ERROR_NO_ERROR;
2700 	struct sctp_chunk *chunk = arg;
2701 	unsigned int len;
2702 
2703 	/* See if we have an error cause code in the chunk.  */
2704 	len = ntohs(chunk->chunk_hdr->length);
2705 	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2706 		error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2707 
2708 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2709 	/* ASSOC_FAILED will DELETE_TCB. */
2710 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2711 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2712 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2713 
2714 	return SCTP_DISPOSITION_ABORT;
2715 }
2716 
2717 /*
2718  * Process an ABORT.  (COOKIE-WAIT state)
2719  *
2720  * See sctp_sf_do_9_1_abort() above.
2721  */
2722 enum sctp_disposition sctp_sf_cookie_wait_abort(
2723 					struct net *net,
2724 					const struct sctp_endpoint *ep,
2725 					const struct sctp_association *asoc,
2726 					const union sctp_subtype type,
2727 					void *arg,
2728 					struct sctp_cmd_seq *commands)
2729 {
2730 	__be16 error = SCTP_ERROR_NO_ERROR;
2731 	struct sctp_chunk *chunk = arg;
2732 	unsigned int len;
2733 
2734 	if (!sctp_vtag_verify_either(chunk, asoc))
2735 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2736 
2737 	/* Make sure that the ABORT chunk has a valid length.
2738 	 * Since this is an ABORT chunk, we have to discard it
2739 	 * because of the following text:
2740 	 * RFC 2960, Section 3.3.7
2741 	 *    If an endpoint receives an ABORT with a format error or for an
2742 	 *    association that doesn't exist, it MUST silently discard it.
2743 	 * Because the length is "invalid", we can't really discard just
2744 	 * as we do not know its true length.  So, to be safe, discard the
2745 	 * packet.
2746 	 */
2747 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2748 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2749 
2750 	/* See if we have an error cause code in the chunk.  */
2751 	len = ntohs(chunk->chunk_hdr->length);
2752 	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2753 		error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2754 
2755 	return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2756 				      chunk->transport);
2757 }
2758 
2759 /*
2760  * Process an incoming ICMP as an ABORT.  (COOKIE-WAIT state)
2761  */
2762 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort(
2763 					struct net *net,
2764 					const struct sctp_endpoint *ep,
2765 					const struct sctp_association *asoc,
2766 					const union sctp_subtype type,
2767 					void *arg,
2768 					struct sctp_cmd_seq *commands)
2769 {
2770 	return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2771 				      ENOPROTOOPT, asoc,
2772 				      (struct sctp_transport *)arg);
2773 }
2774 
2775 /*
2776  * Process an ABORT.  (COOKIE-ECHOED state)
2777  */
2778 enum sctp_disposition sctp_sf_cookie_echoed_abort(
2779 					struct net *net,
2780 					const struct sctp_endpoint *ep,
2781 					const struct sctp_association *asoc,
2782 					const union sctp_subtype type,
2783 					void *arg,
2784 					struct sctp_cmd_seq *commands)
2785 {
2786 	/* There is a single T1 timer, so we should be able to use
2787 	 * common function with the COOKIE-WAIT state.
2788 	 */
2789 	return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2790 }
2791 
2792 /*
2793  * Stop T1 timer and abort association with "INIT failed".
2794  *
2795  * This is common code called by several sctp_sf_*_abort() functions above.
2796  */
2797 static enum sctp_disposition sctp_stop_t1_and_abort(
2798 					struct net *net,
2799 					struct sctp_cmd_seq *commands,
2800 					__be16 error, int sk_err,
2801 					const struct sctp_association *asoc,
2802 					struct sctp_transport *transport)
2803 {
2804 	pr_debug("%s: ABORT received (INIT)\n", __func__);
2805 
2806 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2807 			SCTP_STATE(SCTP_STATE_CLOSED));
2808 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2809 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2810 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2811 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2812 	/* CMD_INIT_FAILED will DELETE_TCB. */
2813 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2814 			SCTP_PERR(error));
2815 
2816 	return SCTP_DISPOSITION_ABORT;
2817 }
2818 
2819 /*
2820  * sctp_sf_do_9_2_shut
2821  *
2822  * Section: 9.2
2823  * Upon the reception of the SHUTDOWN, the peer endpoint shall
2824  *  - enter the SHUTDOWN-RECEIVED state,
2825  *
2826  *  - stop accepting new data from its SCTP user
2827  *
2828  *  - verify, by checking the Cumulative TSN Ack field of the chunk,
2829  *    that all its outstanding DATA chunks have been received by the
2830  *    SHUTDOWN sender.
2831  *
2832  * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2833  * send a SHUTDOWN in response to a ULP request. And should discard
2834  * subsequent SHUTDOWN chunks.
2835  *
2836  * If there are still outstanding DATA chunks left, the SHUTDOWN
2837  * receiver shall continue to follow normal data transmission
2838  * procedures defined in Section 6 until all outstanding DATA chunks
2839  * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2840  * new data from its SCTP user.
2841  *
2842  * Verification Tag:  8.5 Verification Tag [Normal verification]
2843  *
2844  * Inputs
2845  * (endpoint, asoc, chunk)
2846  *
2847  * Outputs
2848  * (asoc, reply_msg, msg_up, timers, counters)
2849  *
2850  * The return value is the disposition of the chunk.
2851  */
2852 enum sctp_disposition sctp_sf_do_9_2_shutdown(
2853 					struct net *net,
2854 					const struct sctp_endpoint *ep,
2855 					const struct sctp_association *asoc,
2856 					const union sctp_subtype type,
2857 					void *arg,
2858 					struct sctp_cmd_seq *commands)
2859 {
2860 	enum sctp_disposition disposition;
2861 	struct sctp_chunk *chunk = arg;
2862 	struct sctp_shutdownhdr *sdh;
2863 	struct sctp_ulpevent *ev;
2864 	__u32 ctsn;
2865 
2866 	if (!sctp_vtag_verify(chunk, asoc))
2867 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2868 
2869 	/* Make sure that the SHUTDOWN chunk has a valid length. */
2870 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2871 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2872 						  commands);
2873 
2874 	/* Convert the elaborate header.  */
2875 	sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2876 	skb_pull(chunk->skb, sizeof(*sdh));
2877 	chunk->subh.shutdown_hdr = sdh;
2878 	ctsn = ntohl(sdh->cum_tsn_ack);
2879 
2880 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2881 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2882 			 asoc->ctsn_ack_point);
2883 
2884 		return SCTP_DISPOSITION_DISCARD;
2885 	}
2886 
2887 	/* If Cumulative TSN Ack beyond the max tsn currently
2888 	 * send, terminating the association and respond to the
2889 	 * sender with an ABORT.
2890 	 */
2891 	if (!TSN_lt(ctsn, asoc->next_tsn))
2892 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2893 
2894 	/* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2895 	 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2896 	 * inform the application that it should cease sending data.
2897 	 */
2898 	ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2899 	if (!ev) {
2900 		disposition = SCTP_DISPOSITION_NOMEM;
2901 		goto out;
2902 	}
2903 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2904 
2905 	/* Upon the reception of the SHUTDOWN, the peer endpoint shall
2906 	 *  - enter the SHUTDOWN-RECEIVED state,
2907 	 *  - stop accepting new data from its SCTP user
2908 	 *
2909 	 * [This is implicit in the new state.]
2910 	 */
2911 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2912 			SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2913 	disposition = SCTP_DISPOSITION_CONSUME;
2914 
2915 	if (sctp_outq_is_empty(&asoc->outqueue)) {
2916 		disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2917 							  arg, commands);
2918 	}
2919 
2920 	if (SCTP_DISPOSITION_NOMEM == disposition)
2921 		goto out;
2922 
2923 	/*  - verify, by checking the Cumulative TSN Ack field of the
2924 	 *    chunk, that all its outstanding DATA chunks have been
2925 	 *    received by the SHUTDOWN sender.
2926 	 */
2927 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2928 			SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2929 
2930 out:
2931 	return disposition;
2932 }
2933 
2934 /*
2935  * sctp_sf_do_9_2_shut_ctsn
2936  *
2937  * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2938  * it MUST NOT send a SHUTDOWN in response to a ULP request.
2939  * The Cumulative TSN Ack of the received SHUTDOWN chunk
2940  * MUST be processed.
2941  */
2942 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
2943 					struct net *net,
2944 					const struct sctp_endpoint *ep,
2945 					const struct sctp_association *asoc,
2946 					const union sctp_subtype type,
2947 					void *arg,
2948 					struct sctp_cmd_seq *commands)
2949 {
2950 	struct sctp_chunk *chunk = arg;
2951 	struct sctp_shutdownhdr *sdh;
2952 	__u32 ctsn;
2953 
2954 	if (!sctp_vtag_verify(chunk, asoc))
2955 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2956 
2957 	/* Make sure that the SHUTDOWN chunk has a valid length. */
2958 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2959 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2960 						  commands);
2961 
2962 	sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2963 	ctsn = ntohl(sdh->cum_tsn_ack);
2964 
2965 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2966 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2967 			 asoc->ctsn_ack_point);
2968 
2969 		return SCTP_DISPOSITION_DISCARD;
2970 	}
2971 
2972 	/* If Cumulative TSN Ack beyond the max tsn currently
2973 	 * send, terminating the association and respond to the
2974 	 * sender with an ABORT.
2975 	 */
2976 	if (!TSN_lt(ctsn, asoc->next_tsn))
2977 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2978 
2979 	/* verify, by checking the Cumulative TSN Ack field of the
2980 	 * chunk, that all its outstanding DATA chunks have been
2981 	 * received by the SHUTDOWN sender.
2982 	 */
2983 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2984 			SCTP_BE32(sdh->cum_tsn_ack));
2985 
2986 	return SCTP_DISPOSITION_CONSUME;
2987 }
2988 
2989 /* RFC 2960 9.2
2990  * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2991  * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2992  * transport addresses (either in the IP addresses or in the INIT chunk)
2993  * that belong to this association, it should discard the INIT chunk and
2994  * retransmit the SHUTDOWN ACK chunk.
2995  */
2996 static enum sctp_disposition
2997 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
2998 			   const struct sctp_association *asoc,
2999 			   const union sctp_subtype type, void *arg,
3000 			   struct sctp_cmd_seq *commands)
3001 {
3002 	struct sctp_chunk *chunk = arg;
3003 	struct sctp_chunk *reply;
3004 
3005 	/* Make sure that the chunk has a valid length */
3006 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3007 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3008 						  commands);
3009 
3010 	/* Since we are not going to really process this INIT, there
3011 	 * is no point in verifying chunk boundaries.  Just generate
3012 	 * the SHUTDOWN ACK.
3013 	 */
3014 	reply = sctp_make_shutdown_ack(asoc, chunk);
3015 	if (NULL == reply)
3016 		goto nomem;
3017 
3018 	/* Set the transport for the SHUTDOWN ACK chunk and the timeout for
3019 	 * the T2-SHUTDOWN timer.
3020 	 */
3021 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
3022 
3023 	/* and restart the T2-shutdown timer. */
3024 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3025 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3026 
3027 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3028 
3029 	return SCTP_DISPOSITION_CONSUME;
3030 nomem:
3031 	return SCTP_DISPOSITION_NOMEM;
3032 }
3033 
3034 enum sctp_disposition
3035 sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
3036 			 const struct sctp_association *asoc,
3037 			 const union sctp_subtype type, void *arg,
3038 			 struct sctp_cmd_seq *commands)
3039 {
3040 	struct sctp_chunk *chunk = arg;
3041 
3042 	if (!chunk->singleton)
3043 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3044 
3045 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
3046 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3047 
3048 	if (chunk->sctp_hdr->vtag != 0)
3049 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3050 
3051 	return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands);
3052 }
3053 
3054 /*
3055  * sctp_sf_do_ecn_cwr
3056  *
3057  * Section:  Appendix A: Explicit Congestion Notification
3058  *
3059  * CWR:
3060  *
3061  * RFC 2481 details a specific bit for a sender to send in the header of
3062  * its next outbound TCP segment to indicate to its peer that it has
3063  * reduced its congestion window.  This is termed the CWR bit.  For
3064  * SCTP the same indication is made by including the CWR chunk.
3065  * This chunk contains one data element, i.e. the TSN number that
3066  * was sent in the ECNE chunk.  This element represents the lowest
3067  * TSN number in the datagram that was originally marked with the
3068  * CE bit.
3069  *
3070  * Verification Tag: 8.5 Verification Tag [Normal verification]
3071  * Inputs
3072  * (endpoint, asoc, chunk)
3073  *
3074  * Outputs
3075  * (asoc, reply_msg, msg_up, timers, counters)
3076  *
3077  * The return value is the disposition of the chunk.
3078  */
3079 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net,
3080 					 const struct sctp_endpoint *ep,
3081 					 const struct sctp_association *asoc,
3082 					 const union sctp_subtype type,
3083 					 void *arg,
3084 					 struct sctp_cmd_seq *commands)
3085 {
3086 	struct sctp_chunk *chunk = arg;
3087 	struct sctp_cwrhdr *cwr;
3088 	u32 lowest_tsn;
3089 
3090 	if (!sctp_vtag_verify(chunk, asoc))
3091 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3092 
3093 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3094 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3095 						  commands);
3096 
3097 	cwr = (struct sctp_cwrhdr *)chunk->skb->data;
3098 	skb_pull(chunk->skb, sizeof(*cwr));
3099 
3100 	lowest_tsn = ntohl(cwr->lowest_tsn);
3101 
3102 	/* Does this CWR ack the last sent congestion notification? */
3103 	if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
3104 		/* Stop sending ECNE. */
3105 		sctp_add_cmd_sf(commands,
3106 				SCTP_CMD_ECN_CWR,
3107 				SCTP_U32(lowest_tsn));
3108 	}
3109 	return SCTP_DISPOSITION_CONSUME;
3110 }
3111 
3112 /*
3113  * sctp_sf_do_ecne
3114  *
3115  * Section:  Appendix A: Explicit Congestion Notification
3116  *
3117  * ECN-Echo
3118  *
3119  * RFC 2481 details a specific bit for a receiver to send back in its
3120  * TCP acknowledgements to notify the sender of the Congestion
3121  * Experienced (CE) bit having arrived from the network.  For SCTP this
3122  * same indication is made by including the ECNE chunk.  This chunk
3123  * contains one data element, i.e. the lowest TSN associated with the IP
3124  * datagram marked with the CE bit.....
3125  *
3126  * Verification Tag: 8.5 Verification Tag [Normal verification]
3127  * Inputs
3128  * (endpoint, asoc, chunk)
3129  *
3130  * Outputs
3131  * (asoc, reply_msg, msg_up, timers, counters)
3132  *
3133  * The return value is the disposition of the chunk.
3134  */
3135 enum sctp_disposition sctp_sf_do_ecne(struct net *net,
3136 				      const struct sctp_endpoint *ep,
3137 				      const struct sctp_association *asoc,
3138 				      const union sctp_subtype type,
3139 				      void *arg, struct sctp_cmd_seq *commands)
3140 {
3141 	struct sctp_chunk *chunk = arg;
3142 	struct sctp_ecnehdr *ecne;
3143 
3144 	if (!sctp_vtag_verify(chunk, asoc))
3145 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3146 
3147 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3148 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3149 						  commands);
3150 
3151 	ecne = (struct sctp_ecnehdr *)chunk->skb->data;
3152 	skb_pull(chunk->skb, sizeof(*ecne));
3153 
3154 	/* If this is a newer ECNE than the last CWR packet we sent out */
3155 	sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
3156 			SCTP_U32(ntohl(ecne->lowest_tsn)));
3157 
3158 	return SCTP_DISPOSITION_CONSUME;
3159 }
3160 
3161 /*
3162  * Section: 6.2  Acknowledgement on Reception of DATA Chunks
3163  *
3164  * The SCTP endpoint MUST always acknowledge the reception of each valid
3165  * DATA chunk.
3166  *
3167  * The guidelines on delayed acknowledgement algorithm specified in
3168  * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
3169  * acknowledgement SHOULD be generated for at least every second packet
3170  * (not every second DATA chunk) received, and SHOULD be generated within
3171  * 200 ms of the arrival of any unacknowledged DATA chunk. In some
3172  * situations it may be beneficial for an SCTP transmitter to be more
3173  * conservative than the algorithms detailed in this document allow.
3174  * However, an SCTP transmitter MUST NOT be more aggressive than the
3175  * following algorithms allow.
3176  *
3177  * A SCTP receiver MUST NOT generate more than one SACK for every
3178  * incoming packet, other than to update the offered window as the
3179  * receiving application consumes new data.
3180  *
3181  * Verification Tag:  8.5 Verification Tag [Normal verification]
3182  *
3183  * Inputs
3184  * (endpoint, asoc, chunk)
3185  *
3186  * Outputs
3187  * (asoc, reply_msg, msg_up, timers, counters)
3188  *
3189  * The return value is the disposition of the chunk.
3190  */
3191 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net,
3192 					   const struct sctp_endpoint *ep,
3193 					   const struct sctp_association *asoc,
3194 					   const union sctp_subtype type,
3195 					   void *arg,
3196 					   struct sctp_cmd_seq *commands)
3197 {
3198 	union sctp_arg force = SCTP_NOFORCE();
3199 	struct sctp_chunk *chunk = arg;
3200 	int error;
3201 
3202 	if (!sctp_vtag_verify(chunk, asoc)) {
3203 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3204 				SCTP_NULL());
3205 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3206 	}
3207 
3208 	if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3209 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3210 						  commands);
3211 
3212 	error = sctp_eat_data(asoc, chunk, commands);
3213 	switch (error) {
3214 	case SCTP_IERROR_NO_ERROR:
3215 		break;
3216 	case SCTP_IERROR_HIGH_TSN:
3217 	case SCTP_IERROR_BAD_STREAM:
3218 		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3219 		goto discard_noforce;
3220 	case SCTP_IERROR_DUP_TSN:
3221 	case SCTP_IERROR_IGNORE_TSN:
3222 		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3223 		goto discard_force;
3224 	case SCTP_IERROR_NO_DATA:
3225 		return SCTP_DISPOSITION_ABORT;
3226 	case SCTP_IERROR_PROTO_VIOLATION:
3227 		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3228 					       (u8 *)chunk->subh.data_hdr,
3229 					       sctp_datahdr_len(&asoc->stream));
3230 	default:
3231 		BUG();
3232 	}
3233 
3234 	if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
3235 		force = SCTP_FORCE();
3236 
3237 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3238 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3239 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3240 	}
3241 
3242 	/* If this is the last chunk in a packet, we need to count it
3243 	 * toward sack generation.  Note that we need to SACK every
3244 	 * OTHER packet containing data chunks, EVEN IF WE DISCARD
3245 	 * THEM.  We elect to NOT generate SACK's if the chunk fails
3246 	 * the verification tag test.
3247 	 *
3248 	 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3249 	 *
3250 	 * The SCTP endpoint MUST always acknowledge the reception of
3251 	 * each valid DATA chunk.
3252 	 *
3253 	 * The guidelines on delayed acknowledgement algorithm
3254 	 * specified in  Section 4.2 of [RFC2581] SHOULD be followed.
3255 	 * Specifically, an acknowledgement SHOULD be generated for at
3256 	 * least every second packet (not every second DATA chunk)
3257 	 * received, and SHOULD be generated within 200 ms of the
3258 	 * arrival of any unacknowledged DATA chunk.  In some
3259 	 * situations it may be beneficial for an SCTP transmitter to
3260 	 * be more conservative than the algorithms detailed in this
3261 	 * document allow. However, an SCTP transmitter MUST NOT be
3262 	 * more aggressive than the following algorithms allow.
3263 	 */
3264 	if (chunk->end_of_packet)
3265 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3266 
3267 	return SCTP_DISPOSITION_CONSUME;
3268 
3269 discard_force:
3270 	/* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3271 	 *
3272 	 * When a packet arrives with duplicate DATA chunk(s) and with
3273 	 * no new DATA chunk(s), the endpoint MUST immediately send a
3274 	 * SACK with no delay.  If a packet arrives with duplicate
3275 	 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3276 	 * MAY immediately send a SACK.  Normally receipt of duplicate
3277 	 * DATA chunks will occur when the original SACK chunk was lost
3278 	 * and the peer's RTO has expired.  The duplicate TSN number(s)
3279 	 * SHOULD be reported in the SACK as duplicate.
3280 	 */
3281 	/* In our case, we split the MAY SACK advice up whether or not
3282 	 * the last chunk is a duplicate.'
3283 	 */
3284 	if (chunk->end_of_packet)
3285 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3286 	return SCTP_DISPOSITION_DISCARD;
3287 
3288 discard_noforce:
3289 	if (chunk->end_of_packet)
3290 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3291 
3292 	return SCTP_DISPOSITION_DISCARD;
3293 }
3294 
3295 /*
3296  * sctp_sf_eat_data_fast_4_4
3297  *
3298  * Section: 4 (4)
3299  * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3300  *    DATA chunks without delay.
3301  *
3302  * Verification Tag:  8.5 Verification Tag [Normal verification]
3303  * Inputs
3304  * (endpoint, asoc, chunk)
3305  *
3306  * Outputs
3307  * (asoc, reply_msg, msg_up, timers, counters)
3308  *
3309  * The return value is the disposition of the chunk.
3310  */
3311 enum sctp_disposition sctp_sf_eat_data_fast_4_4(
3312 					struct net *net,
3313 					const struct sctp_endpoint *ep,
3314 					const struct sctp_association *asoc,
3315 					const union sctp_subtype type,
3316 					void *arg,
3317 					struct sctp_cmd_seq *commands)
3318 {
3319 	struct sctp_chunk *chunk = arg;
3320 	int error;
3321 
3322 	if (!sctp_vtag_verify(chunk, asoc)) {
3323 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3324 				SCTP_NULL());
3325 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3326 	}
3327 
3328 	if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3329 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3330 						  commands);
3331 
3332 	error = sctp_eat_data(asoc, chunk, commands);
3333 	switch (error) {
3334 	case SCTP_IERROR_NO_ERROR:
3335 	case SCTP_IERROR_HIGH_TSN:
3336 	case SCTP_IERROR_DUP_TSN:
3337 	case SCTP_IERROR_IGNORE_TSN:
3338 	case SCTP_IERROR_BAD_STREAM:
3339 		break;
3340 	case SCTP_IERROR_NO_DATA:
3341 		return SCTP_DISPOSITION_ABORT;
3342 	case SCTP_IERROR_PROTO_VIOLATION:
3343 		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3344 					       (u8 *)chunk->subh.data_hdr,
3345 					       sctp_datahdr_len(&asoc->stream));
3346 	default:
3347 		BUG();
3348 	}
3349 
3350 	/* Go a head and force a SACK, since we are shutting down. */
3351 
3352 	/* Implementor's Guide.
3353 	 *
3354 	 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3355 	 * respond to each received packet containing one or more DATA chunk(s)
3356 	 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3357 	 */
3358 	if (chunk->end_of_packet) {
3359 		/* We must delay the chunk creation since the cumulative
3360 		 * TSN has not been updated yet.
3361 		 */
3362 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3363 		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3364 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3365 				SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3366 	}
3367 
3368 	return SCTP_DISPOSITION_CONSUME;
3369 }
3370 
3371 /*
3372  * Section: 6.2  Processing a Received SACK
3373  * D) Any time a SACK arrives, the endpoint performs the following:
3374  *
3375  *     i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3376  *     then drop the SACK.   Since Cumulative TSN Ack is monotonically
3377  *     increasing, a SACK whose Cumulative TSN Ack is less than the
3378  *     Cumulative TSN Ack Point indicates an out-of-order SACK.
3379  *
3380  *     ii) Set rwnd equal to the newly received a_rwnd minus the number
3381  *     of bytes still outstanding after processing the Cumulative TSN Ack
3382  *     and the Gap Ack Blocks.
3383  *
3384  *     iii) If the SACK is missing a TSN that was previously
3385  *     acknowledged via a Gap Ack Block (e.g., the data receiver
3386  *     reneged on the data), then mark the corresponding DATA chunk
3387  *     as available for retransmit:  Mark it as missing for fast
3388  *     retransmit as described in Section 7.2.4 and if no retransmit
3389  *     timer is running for the destination address to which the DATA
3390  *     chunk was originally transmitted, then T3-rtx is started for
3391  *     that destination address.
3392  *
3393  * Verification Tag:  8.5 Verification Tag [Normal verification]
3394  *
3395  * Inputs
3396  * (endpoint, asoc, chunk)
3397  *
3398  * Outputs
3399  * (asoc, reply_msg, msg_up, timers, counters)
3400  *
3401  * The return value is the disposition of the chunk.
3402  */
3403 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net,
3404 					   const struct sctp_endpoint *ep,
3405 					   const struct sctp_association *asoc,
3406 					   const union sctp_subtype type,
3407 					   void *arg,
3408 					   struct sctp_cmd_seq *commands)
3409 {
3410 	struct sctp_chunk *chunk = arg;
3411 	struct sctp_sackhdr *sackh;
3412 	__u32 ctsn;
3413 
3414 	if (!sctp_vtag_verify(chunk, asoc))
3415 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3416 
3417 	/* Make sure that the SACK chunk has a valid length. */
3418 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
3419 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3420 						  commands);
3421 
3422 	/* Pull the SACK chunk from the data buffer */
3423 	sackh = sctp_sm_pull_sack(chunk);
3424 	/* Was this a bogus SACK? */
3425 	if (!sackh)
3426 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3427 	chunk->subh.sack_hdr = sackh;
3428 	ctsn = ntohl(sackh->cum_tsn_ack);
3429 
3430 	/* If Cumulative TSN Ack beyond the max tsn currently
3431 	 * send, terminating the association and respond to the
3432 	 * sender with an ABORT.
3433 	 */
3434 	if (TSN_lte(asoc->next_tsn, ctsn))
3435 		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3436 
3437 	trace_sctp_probe(ep, asoc, chunk);
3438 
3439 	/* i) If Cumulative TSN Ack is less than the Cumulative TSN
3440 	 *     Ack Point, then drop the SACK.  Since Cumulative TSN
3441 	 *     Ack is monotonically increasing, a SACK whose
3442 	 *     Cumulative TSN Ack is less than the Cumulative TSN Ack
3443 	 *     Point indicates an out-of-order SACK.
3444 	 */
3445 	if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3446 		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3447 			 asoc->ctsn_ack_point);
3448 
3449 		return SCTP_DISPOSITION_DISCARD;
3450 	}
3451 
3452 	/* Return this SACK for further processing.  */
3453 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3454 
3455 	/* Note: We do the rest of the work on the PROCESS_SACK
3456 	 * sideeffect.
3457 	 */
3458 	return SCTP_DISPOSITION_CONSUME;
3459 }
3460 
3461 /*
3462  * Generate an ABORT in response to a packet.
3463  *
3464  * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3465  *
3466  * 8) The receiver should respond to the sender of the OOTB packet with
3467  *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3468  *    MUST fill in the Verification Tag field of the outbound packet
3469  *    with the value found in the Verification Tag field of the OOTB
3470  *    packet and set the T-bit in the Chunk Flags to indicate that the
3471  *    Verification Tag is reflected.  After sending this ABORT, the
3472  *    receiver of the OOTB packet shall discard the OOTB packet and take
3473  *    no further action.
3474  *
3475  * Verification Tag:
3476  *
3477  * The return value is the disposition of the chunk.
3478 */
3479 static enum sctp_disposition sctp_sf_tabort_8_4_8(
3480 					struct net *net,
3481 					const struct sctp_endpoint *ep,
3482 					const struct sctp_association *asoc,
3483 					const union sctp_subtype type,
3484 					void *arg,
3485 					struct sctp_cmd_seq *commands)
3486 {
3487 	struct sctp_packet *packet = NULL;
3488 	struct sctp_chunk *chunk = arg;
3489 	struct sctp_chunk *abort;
3490 
3491 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3492 	if (!packet)
3493 		return SCTP_DISPOSITION_NOMEM;
3494 
3495 	/* Make an ABORT. The T bit will be set if the asoc
3496 	 * is NULL.
3497 	 */
3498 	abort = sctp_make_abort(asoc, chunk, 0);
3499 	if (!abort) {
3500 		sctp_ootb_pkt_free(packet);
3501 		return SCTP_DISPOSITION_NOMEM;
3502 	}
3503 
3504 	/* Reflect vtag if T-Bit is set */
3505 	if (sctp_test_T_bit(abort))
3506 		packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3507 
3508 	/* Set the skb to the belonging sock for accounting.  */
3509 	abort->skb->sk = ep->base.sk;
3510 
3511 	sctp_packet_append_chunk(packet, abort);
3512 
3513 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet));
3514 
3515 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3516 
3517 	sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3518 	return SCTP_DISPOSITION_CONSUME;
3519 }
3520 
3521 /* Handling of SCTP Packets Containing an INIT Chunk Matching an
3522  * Existing Associations when the UDP encap port is incorrect.
3523  *
3524  * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03.
3525  */
3526 static enum sctp_disposition sctp_sf_new_encap_port(
3527 					struct net *net,
3528 					const struct sctp_endpoint *ep,
3529 					const struct sctp_association *asoc,
3530 					const union sctp_subtype type,
3531 					void *arg,
3532 					struct sctp_cmd_seq *commands)
3533 {
3534 	struct sctp_packet *packet = NULL;
3535 	struct sctp_chunk *chunk = arg;
3536 	struct sctp_chunk *abort;
3537 
3538 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3539 	if (!packet)
3540 		return SCTP_DISPOSITION_NOMEM;
3541 
3542 	abort = sctp_make_new_encap_port(asoc, chunk);
3543 	if (!abort) {
3544 		sctp_ootb_pkt_free(packet);
3545 		return SCTP_DISPOSITION_NOMEM;
3546 	}
3547 
3548 	abort->skb->sk = ep->base.sk;
3549 
3550 	sctp_packet_append_chunk(packet, abort);
3551 
3552 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3553 			SCTP_PACKET(packet));
3554 
3555 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3556 
3557 	sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3558 	return SCTP_DISPOSITION_CONSUME;
3559 }
3560 
3561 /*
3562  * Received an ERROR chunk from peer.  Generate SCTP_REMOTE_ERROR
3563  * event as ULP notification for each cause included in the chunk.
3564  *
3565  * API 5.3.1.3 - SCTP_REMOTE_ERROR
3566  *
3567  * The return value is the disposition of the chunk.
3568 */
3569 enum sctp_disposition sctp_sf_operr_notify(struct net *net,
3570 					   const struct sctp_endpoint *ep,
3571 					   const struct sctp_association *asoc,
3572 					   const union sctp_subtype type,
3573 					   void *arg,
3574 					   struct sctp_cmd_seq *commands)
3575 {
3576 	struct sctp_chunk *chunk = arg;
3577 	struct sctp_errhdr *err;
3578 
3579 	if (!sctp_vtag_verify(chunk, asoc))
3580 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3581 
3582 	/* Make sure that the ERROR chunk has a valid length. */
3583 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
3584 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3585 						  commands);
3586 	sctp_walk_errors(err, chunk->chunk_hdr);
3587 	if ((void *)err != (void *)chunk->chunk_end)
3588 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3589 						  (void *)err, commands);
3590 
3591 	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3592 			SCTP_CHUNK(chunk));
3593 
3594 	return SCTP_DISPOSITION_CONSUME;
3595 }
3596 
3597 /*
3598  * Process an inbound SHUTDOWN ACK.
3599  *
3600  * From Section 9.2:
3601  * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3602  * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3603  * peer, and remove all record of the association.
3604  *
3605  * The return value is the disposition.
3606  */
3607 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
3608 					   const struct sctp_endpoint *ep,
3609 					   const struct sctp_association *asoc,
3610 					   const union sctp_subtype type,
3611 					   void *arg,
3612 					   struct sctp_cmd_seq *commands)
3613 {
3614 	struct sctp_chunk *chunk = arg;
3615 	struct sctp_chunk *reply;
3616 	struct sctp_ulpevent *ev;
3617 
3618 	if (!sctp_vtag_verify(chunk, asoc))
3619 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3620 
3621 	/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3622 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3623 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3624 						  commands);
3625 	/* 10.2 H) SHUTDOWN COMPLETE notification
3626 	 *
3627 	 * When SCTP completes the shutdown procedures (section 9.2) this
3628 	 * notification is passed to the upper layer.
3629 	 */
3630 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3631 					     0, 0, 0, NULL, GFP_ATOMIC);
3632 	if (!ev)
3633 		goto nomem;
3634 
3635 	/* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3636 	reply = sctp_make_shutdown_complete(asoc, chunk);
3637 	if (!reply)
3638 		goto nomem_chunk;
3639 
3640 	/* Do all the commands now (after allocation), so that we
3641 	 * have consistent state if memory allocation fails
3642 	 */
3643 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3644 
3645 	/* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3646 	 * stop the T2-shutdown timer,
3647 	 */
3648 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3649 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3650 
3651 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3652 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3653 
3654 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3655 			SCTP_STATE(SCTP_STATE_CLOSED));
3656 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3657 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3658 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3659 
3660 	/* ...and remove all record of the association. */
3661 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3662 	return SCTP_DISPOSITION_DELETE_TCB;
3663 
3664 nomem_chunk:
3665 	sctp_ulpevent_free(ev);
3666 nomem:
3667 	return SCTP_DISPOSITION_NOMEM;
3668 }
3669 
3670 /*
3671  * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3672  *
3673  * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3674  *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3675  *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3676  *    packet must fill in the Verification Tag field of the outbound
3677  *    packet with the Verification Tag received in the SHUTDOWN ACK and
3678  *    set the T-bit in the Chunk Flags to indicate that the Verification
3679  *    Tag is reflected.
3680  *
3681  * 8) The receiver should respond to the sender of the OOTB packet with
3682  *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3683  *    MUST fill in the Verification Tag field of the outbound packet
3684  *    with the value found in the Verification Tag field of the OOTB
3685  *    packet and set the T-bit in the Chunk Flags to indicate that the
3686  *    Verification Tag is reflected.  After sending this ABORT, the
3687  *    receiver of the OOTB packet shall discard the OOTB packet and take
3688  *    no further action.
3689  */
3690 enum sctp_disposition sctp_sf_ootb(struct net *net,
3691 				   const struct sctp_endpoint *ep,
3692 				   const struct sctp_association *asoc,
3693 				   const union sctp_subtype type,
3694 				   void *arg, struct sctp_cmd_seq *commands)
3695 {
3696 	struct sctp_chunk *chunk = arg;
3697 	struct sk_buff *skb = chunk->skb;
3698 	struct sctp_chunkhdr *ch;
3699 	struct sctp_errhdr *err;
3700 	int ootb_cookie_ack = 0;
3701 	int ootb_shut_ack = 0;
3702 	__u8 *ch_end;
3703 
3704 	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3705 
3706 	if (asoc && !sctp_vtag_verify(chunk, asoc))
3707 		asoc = NULL;
3708 
3709 	ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
3710 	do {
3711 		/* Report violation if the chunk is less then minimal */
3712 		if (ntohs(ch->length) < sizeof(*ch))
3713 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3714 						  commands);
3715 
3716 		/* Report violation if chunk len overflows */
3717 		ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3718 		if (ch_end > skb_tail_pointer(skb))
3719 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3720 						  commands);
3721 
3722 		/* Now that we know we at least have a chunk header,
3723 		 * do things that are type appropriate.
3724 		 */
3725 		if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3726 			ootb_shut_ack = 1;
3727 
3728 		/* RFC 2960, Section 3.3.7
3729 		 *   Moreover, under any circumstances, an endpoint that
3730 		 *   receives an ABORT  MUST NOT respond to that ABORT by
3731 		 *   sending an ABORT of its own.
3732 		 */
3733 		if (SCTP_CID_ABORT == ch->type)
3734 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3735 
3736 		/* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3737 		 * or a COOKIE ACK the SCTP Packet should be silently
3738 		 * discarded.
3739 		 */
3740 
3741 		if (SCTP_CID_COOKIE_ACK == ch->type)
3742 			ootb_cookie_ack = 1;
3743 
3744 		if (SCTP_CID_ERROR == ch->type) {
3745 			sctp_walk_errors(err, ch) {
3746 				if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3747 					ootb_cookie_ack = 1;
3748 					break;
3749 				}
3750 			}
3751 		}
3752 
3753 		ch = (struct sctp_chunkhdr *)ch_end;
3754 	} while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
3755 
3756 	if (ootb_shut_ack)
3757 		return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3758 	else if (ootb_cookie_ack)
3759 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3760 	else
3761 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3762 }
3763 
3764 /*
3765  * Handle an "Out of the blue" SHUTDOWN ACK.
3766  *
3767  * Section: 8.4 5, sctpimpguide 2.41.
3768  *
3769  * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3770  *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3771  *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3772  *    packet must fill in the Verification Tag field of the outbound
3773  *    packet with the Verification Tag received in the SHUTDOWN ACK and
3774  *    set the T-bit in the Chunk Flags to indicate that the Verification
3775  *    Tag is reflected.
3776  *
3777  * Inputs
3778  * (endpoint, asoc, type, arg, commands)
3779  *
3780  * Outputs
3781  * (enum sctp_disposition)
3782  *
3783  * The return value is the disposition of the chunk.
3784  */
3785 static enum sctp_disposition sctp_sf_shut_8_4_5(
3786 					struct net *net,
3787 					const struct sctp_endpoint *ep,
3788 					const struct sctp_association *asoc,
3789 					const union sctp_subtype type,
3790 					void *arg,
3791 					struct sctp_cmd_seq *commands)
3792 {
3793 	struct sctp_packet *packet = NULL;
3794 	struct sctp_chunk *chunk = arg;
3795 	struct sctp_chunk *shut;
3796 
3797 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
3798 	if (!packet)
3799 		return SCTP_DISPOSITION_NOMEM;
3800 
3801 	/* Make an SHUTDOWN_COMPLETE.
3802 	 * The T bit will be set if the asoc is NULL.
3803 	 */
3804 	shut = sctp_make_shutdown_complete(asoc, chunk);
3805 	if (!shut) {
3806 		sctp_ootb_pkt_free(packet);
3807 		return SCTP_DISPOSITION_NOMEM;
3808 	}
3809 
3810 	/* Reflect vtag if T-Bit is set */
3811 	if (sctp_test_T_bit(shut))
3812 		packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3813 
3814 	/* Set the skb to the belonging sock for accounting.  */
3815 	shut->skb->sk = ep->base.sk;
3816 
3817 	sctp_packet_append_chunk(packet, shut);
3818 
3819 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3820 			SCTP_PACKET(packet));
3821 
3822 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3823 
3824 	/* We need to discard the rest of the packet to prevent
3825 	 * potential boomming attacks from additional bundled chunks.
3826 	 * This is documented in SCTP Threats ID.
3827 	 */
3828 	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3829 }
3830 
3831 /*
3832  * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3833  *
3834  * Verification Tag:  8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3835  *   If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3836  *   procedures in section 8.4 SHOULD be followed, in other words it
3837  *   should be treated as an Out Of The Blue packet.
3838  *   [This means that we do NOT check the Verification Tag on these
3839  *   chunks. --piggy ]
3840  *
3841  */
3842 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
3843 					    const struct sctp_endpoint *ep,
3844 					    const struct sctp_association *asoc,
3845 					    const union sctp_subtype type,
3846 					    void *arg,
3847 					    struct sctp_cmd_seq *commands)
3848 {
3849 	struct sctp_chunk *chunk = arg;
3850 
3851 	if (!sctp_vtag_verify(chunk, asoc))
3852 		asoc = NULL;
3853 
3854 	/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3855 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3856 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3857 						  commands);
3858 
3859 	/* Although we do have an association in this case, it corresponds
3860 	 * to a restarted association. So the packet is treated as an OOTB
3861 	 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3862 	 * called with a NULL association.
3863 	 */
3864 	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3865 
3866 	return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3867 }
3868 
3869 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk.  */
3870 enum sctp_disposition sctp_sf_do_asconf(struct net *net,
3871 					const struct sctp_endpoint *ep,
3872 					const struct sctp_association *asoc,
3873 					const union sctp_subtype type,
3874 					void *arg,
3875 					struct sctp_cmd_seq *commands)
3876 {
3877 	struct sctp_paramhdr *err_param = NULL;
3878 	struct sctp_chunk *asconf_ack = NULL;
3879 	struct sctp_chunk *chunk = arg;
3880 	struct sctp_addiphdr *hdr;
3881 	__u32 serial;
3882 
3883 	if (!sctp_vtag_verify(chunk, asoc)) {
3884 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3885 				SCTP_NULL());
3886 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3887 	}
3888 
3889 	/* Make sure that the ASCONF ADDIP chunk has a valid length.  */
3890 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
3891 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3892 						  commands);
3893 
3894 	/* ADD-IP: Section 4.1.1
3895 	 * This chunk MUST be sent in an authenticated way by using
3896 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3897 	 * is received unauthenticated it MUST be silently discarded as
3898 	 * described in [I-D.ietf-tsvwg-sctp-auth].
3899 	 */
3900 	if (!asoc->peer.asconf_capable ||
3901 	    (!net->sctp.addip_noauth && !chunk->auth))
3902 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3903 
3904 	hdr = (struct sctp_addiphdr *)chunk->skb->data;
3905 	serial = ntohl(hdr->serial);
3906 
3907 	/* Verify the ASCONF chunk before processing it. */
3908 	if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3909 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3910 						  (void *)err_param, commands);
3911 
3912 	/* ADDIP 5.2 E1) Compare the value of the serial number to the value
3913 	 * the endpoint stored in a new association variable
3914 	 * 'Peer-Serial-Number'.
3915 	 */
3916 	if (serial == asoc->peer.addip_serial + 1) {
3917 		/* If this is the first instance of ASCONF in the packet,
3918 		 * we can clean our old ASCONF-ACKs.
3919 		 */
3920 		if (!chunk->has_asconf)
3921 			sctp_assoc_clean_asconf_ack_cache(asoc);
3922 
3923 		/* ADDIP 5.2 E4) When the Sequence Number matches the next one
3924 		 * expected, process the ASCONF as described below and after
3925 		 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3926 		 * the response packet and cache a copy of it (in the event it
3927 		 * later needs to be retransmitted).
3928 		 *
3929 		 * Essentially, do V1-V5.
3930 		 */
3931 		asconf_ack = sctp_process_asconf((struct sctp_association *)
3932 						 asoc, chunk);
3933 		if (!asconf_ack)
3934 			return SCTP_DISPOSITION_NOMEM;
3935 	} else if (serial < asoc->peer.addip_serial + 1) {
3936 		/* ADDIP 5.2 E2)
3937 		 * If the value found in the Sequence Number is less than the
3938 		 * ('Peer- Sequence-Number' + 1), simply skip to the next
3939 		 * ASCONF, and include in the outbound response packet
3940 		 * any previously cached ASCONF-ACK response that was
3941 		 * sent and saved that matches the Sequence Number of the
3942 		 * ASCONF.  Note: It is possible that no cached ASCONF-ACK
3943 		 * Chunk exists.  This will occur when an older ASCONF
3944 		 * arrives out of order.  In such a case, the receiver
3945 		 * should skip the ASCONF Chunk and not include ASCONF-ACK
3946 		 * Chunk for that chunk.
3947 		 */
3948 		asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3949 		if (!asconf_ack)
3950 			return SCTP_DISPOSITION_DISCARD;
3951 
3952 		/* Reset the transport so that we select the correct one
3953 		 * this time around.  This is to make sure that we don't
3954 		 * accidentally use a stale transport that's been removed.
3955 		 */
3956 		asconf_ack->transport = NULL;
3957 	} else {
3958 		/* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3959 		 * it must be either a stale packet or from an attacker.
3960 		 */
3961 		return SCTP_DISPOSITION_DISCARD;
3962 	}
3963 
3964 	/* ADDIP 5.2 E6)  The destination address of the SCTP packet
3965 	 * containing the ASCONF-ACK Chunks MUST be the source address of
3966 	 * the SCTP packet that held the ASCONF Chunks.
3967 	 *
3968 	 * To do this properly, we'll set the destination address of the chunk
3969 	 * and at the transmit time, will try look up the transport to use.
3970 	 * Since ASCONFs may be bundled, the correct transport may not be
3971 	 * created until we process the entire packet, thus this workaround.
3972 	 */
3973 	asconf_ack->dest = chunk->source;
3974 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3975 	if (asoc->new_transport) {
3976 		sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3977 		((struct sctp_association *)asoc)->new_transport = NULL;
3978 	}
3979 
3980 	return SCTP_DISPOSITION_CONSUME;
3981 }
3982 
3983 static enum sctp_disposition sctp_send_next_asconf(
3984 					struct net *net,
3985 					const struct sctp_endpoint *ep,
3986 					struct sctp_association *asoc,
3987 					const union sctp_subtype type,
3988 					struct sctp_cmd_seq *commands)
3989 {
3990 	struct sctp_chunk *asconf;
3991 	struct list_head *entry;
3992 
3993 	if (list_empty(&asoc->addip_chunk_list))
3994 		return SCTP_DISPOSITION_CONSUME;
3995 
3996 	entry = asoc->addip_chunk_list.next;
3997 	asconf = list_entry(entry, struct sctp_chunk, list);
3998 
3999 	list_del_init(entry);
4000 	sctp_chunk_hold(asconf);
4001 	asoc->addip_last_asconf = asconf;
4002 
4003 	return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands);
4004 }
4005 
4006 /*
4007  * ADDIP Section 4.3 General rules for address manipulation
4008  * When building TLV parameters for the ASCONF Chunk that will add or
4009  * delete IP addresses the D0 to D13 rules should be applied:
4010  */
4011 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
4012 					    const struct sctp_endpoint *ep,
4013 					    const struct sctp_association *asoc,
4014 					    const union sctp_subtype type,
4015 					    void *arg,
4016 					    struct sctp_cmd_seq *commands)
4017 {
4018 	struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
4019 	struct sctp_paramhdr *err_param = NULL;
4020 	struct sctp_chunk *asconf_ack = arg;
4021 	struct sctp_addiphdr *addip_hdr;
4022 	__u32 sent_serial, rcvd_serial;
4023 	struct sctp_chunk *abort;
4024 
4025 	if (!sctp_vtag_verify(asconf_ack, asoc)) {
4026 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4027 				SCTP_NULL());
4028 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4029 	}
4030 
4031 	/* Make sure that the ADDIP chunk has a valid length.  */
4032 	if (!sctp_chunk_length_valid(asconf_ack,
4033 				     sizeof(struct sctp_addip_chunk)))
4034 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4035 						  commands);
4036 
4037 	/* ADD-IP, Section 4.1.2:
4038 	 * This chunk MUST be sent in an authenticated way by using
4039 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
4040 	 * is received unauthenticated it MUST be silently discarded as
4041 	 * described in [I-D.ietf-tsvwg-sctp-auth].
4042 	 */
4043 	if (!asoc->peer.asconf_capable ||
4044 	    (!net->sctp.addip_noauth && !asconf_ack->auth))
4045 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4046 
4047 	addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
4048 	rcvd_serial = ntohl(addip_hdr->serial);
4049 
4050 	/* Verify the ASCONF-ACK chunk before processing it. */
4051 	if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
4052 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4053 			   (void *)err_param, commands);
4054 
4055 	if (last_asconf) {
4056 		addip_hdr = last_asconf->subh.addip_hdr;
4057 		sent_serial = ntohl(addip_hdr->serial);
4058 	} else {
4059 		sent_serial = asoc->addip_serial - 1;
4060 	}
4061 
4062 	/* D0) If an endpoint receives an ASCONF-ACK that is greater than or
4063 	 * equal to the next serial number to be used but no ASCONF chunk is
4064 	 * outstanding the endpoint MUST ABORT the association. Note that a
4065 	 * sequence number is greater than if it is no more than 2^^31-1
4066 	 * larger than the current sequence number (using serial arithmetic).
4067 	 */
4068 	if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
4069 	    !(asoc->addip_last_asconf)) {
4070 		abort = sctp_make_abort(asoc, asconf_ack,
4071 					sizeof(struct sctp_errhdr));
4072 		if (abort) {
4073 			sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
4074 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4075 					SCTP_CHUNK(abort));
4076 		}
4077 		/* We are going to ABORT, so we might as well stop
4078 		 * processing the rest of the chunks in the packet.
4079 		 */
4080 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4081 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4082 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4083 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4084 				SCTP_ERROR(ECONNABORTED));
4085 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4086 				SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4087 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4088 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4089 		return SCTP_DISPOSITION_ABORT;
4090 	}
4091 
4092 	if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
4093 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4094 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4095 
4096 		if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
4097 					     asconf_ack))
4098 			return sctp_send_next_asconf(net, ep,
4099 					(struct sctp_association *)asoc,
4100 							type, commands);
4101 
4102 		abort = sctp_make_abort(asoc, asconf_ack,
4103 					sizeof(struct sctp_errhdr));
4104 		if (abort) {
4105 			sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
4106 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4107 					SCTP_CHUNK(abort));
4108 		}
4109 		/* We are going to ABORT, so we might as well stop
4110 		 * processing the rest of the chunks in the packet.
4111 		 */
4112 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4113 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4114 				SCTP_ERROR(ECONNABORTED));
4115 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4116 				SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4117 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4118 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4119 		return SCTP_DISPOSITION_ABORT;
4120 	}
4121 
4122 	return SCTP_DISPOSITION_DISCARD;
4123 }
4124 
4125 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */
4126 enum sctp_disposition sctp_sf_do_reconf(struct net *net,
4127 					const struct sctp_endpoint *ep,
4128 					const struct sctp_association *asoc,
4129 					const union sctp_subtype type,
4130 					void *arg,
4131 					struct sctp_cmd_seq *commands)
4132 {
4133 	struct sctp_paramhdr *err_param = NULL;
4134 	struct sctp_chunk *chunk = arg;
4135 	struct sctp_reconf_chunk *hdr;
4136 	union sctp_params param;
4137 
4138 	if (!sctp_vtag_verify(chunk, asoc)) {
4139 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4140 				SCTP_NULL());
4141 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4142 	}
4143 
4144 	/* Make sure that the RECONF chunk has a valid length.  */
4145 	if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
4146 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4147 						  commands);
4148 
4149 	if (!sctp_verify_reconf(asoc, chunk, &err_param))
4150 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4151 						  (void *)err_param, commands);
4152 
4153 	hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
4154 	sctp_walk_params(param, hdr) {
4155 		struct sctp_chunk *reply = NULL;
4156 		struct sctp_ulpevent *ev = NULL;
4157 
4158 		if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST)
4159 			reply = sctp_process_strreset_outreq(
4160 				(struct sctp_association *)asoc, param, &ev);
4161 		else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
4162 			reply = sctp_process_strreset_inreq(
4163 				(struct sctp_association *)asoc, param, &ev);
4164 		else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
4165 			reply = sctp_process_strreset_tsnreq(
4166 				(struct sctp_association *)asoc, param, &ev);
4167 		else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS)
4168 			reply = sctp_process_strreset_addstrm_out(
4169 				(struct sctp_association *)asoc, param, &ev);
4170 		else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS)
4171 			reply = sctp_process_strreset_addstrm_in(
4172 				(struct sctp_association *)asoc, param, &ev);
4173 		else if (param.p->type == SCTP_PARAM_RESET_RESPONSE)
4174 			reply = sctp_process_strreset_resp(
4175 				(struct sctp_association *)asoc, param, &ev);
4176 
4177 		if (ev)
4178 			sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4179 					SCTP_ULPEVENT(ev));
4180 
4181 		if (reply)
4182 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4183 					SCTP_CHUNK(reply));
4184 	}
4185 
4186 	return SCTP_DISPOSITION_CONSUME;
4187 }
4188 
4189 /*
4190  * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
4191  *
4192  * When a FORWARD TSN chunk arrives, the data receiver MUST first update
4193  * its cumulative TSN point to the value carried in the FORWARD TSN
4194  * chunk, and then MUST further advance its cumulative TSN point locally
4195  * if possible.
4196  * After the above processing, the data receiver MUST stop reporting any
4197  * missing TSNs earlier than or equal to the new cumulative TSN point.
4198  *
4199  * Verification Tag:  8.5 Verification Tag [Normal verification]
4200  *
4201  * The return value is the disposition of the chunk.
4202  */
4203 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net,
4204 					  const struct sctp_endpoint *ep,
4205 					  const struct sctp_association *asoc,
4206 					  const union sctp_subtype type,
4207 					  void *arg,
4208 					  struct sctp_cmd_seq *commands)
4209 {
4210 	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4211 	struct sctp_chunk *chunk = arg;
4212 	__u16 len;
4213 	__u32 tsn;
4214 
4215 	if (!sctp_vtag_verify(chunk, asoc)) {
4216 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4217 				SCTP_NULL());
4218 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4219 	}
4220 
4221 	if (!asoc->peer.prsctp_capable)
4222 		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4223 
4224 	/* Make sure that the FORWARD_TSN chunk has valid length.  */
4225 	if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4226 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4227 						  commands);
4228 
4229 	fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4230 	chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4231 	len = ntohs(chunk->chunk_hdr->length);
4232 	len -= sizeof(struct sctp_chunkhdr);
4233 	skb_pull(chunk->skb, len);
4234 
4235 	tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4236 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4237 
4238 	/* The TSN is too high--silently discard the chunk and count on it
4239 	 * getting retransmitted later.
4240 	 */
4241 	if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4242 		goto discard_noforce;
4243 
4244 	if (!asoc->stream.si->validate_ftsn(chunk))
4245 		goto discard_noforce;
4246 
4247 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4248 	if (len > sctp_ftsnhdr_len(&asoc->stream))
4249 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4250 				SCTP_CHUNK(chunk));
4251 
4252 	/* Count this as receiving DATA. */
4253 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
4254 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4255 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4256 	}
4257 
4258 	/* FIXME: For now send a SACK, but DATA processing may
4259 	 * send another.
4260 	 */
4261 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
4262 
4263 	return SCTP_DISPOSITION_CONSUME;
4264 
4265 discard_noforce:
4266 	return SCTP_DISPOSITION_DISCARD;
4267 }
4268 
4269 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
4270 					struct net *net,
4271 					const struct sctp_endpoint *ep,
4272 					const struct sctp_association *asoc,
4273 					const union sctp_subtype type,
4274 					void *arg,
4275 					struct sctp_cmd_seq *commands)
4276 {
4277 	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4278 	struct sctp_chunk *chunk = arg;
4279 	__u16 len;
4280 	__u32 tsn;
4281 
4282 	if (!sctp_vtag_verify(chunk, asoc)) {
4283 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4284 				SCTP_NULL());
4285 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4286 	}
4287 
4288 	if (!asoc->peer.prsctp_capable)
4289 		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4290 
4291 	/* Make sure that the FORWARD_TSN chunk has a valid length.  */
4292 	if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4293 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4294 						  commands);
4295 
4296 	fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4297 	chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4298 	len = ntohs(chunk->chunk_hdr->length);
4299 	len -= sizeof(struct sctp_chunkhdr);
4300 	skb_pull(chunk->skb, len);
4301 
4302 	tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4303 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4304 
4305 	/* The TSN is too high--silently discard the chunk and count on it
4306 	 * getting retransmitted later.
4307 	 */
4308 	if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4309 		goto gen_shutdown;
4310 
4311 	if (!asoc->stream.si->validate_ftsn(chunk))
4312 		goto gen_shutdown;
4313 
4314 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4315 	if (len > sctp_ftsnhdr_len(&asoc->stream))
4316 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4317 				SCTP_CHUNK(chunk));
4318 
4319 	/* Go a head and force a SACK, since we are shutting down. */
4320 gen_shutdown:
4321 	/* Implementor's Guide.
4322 	 *
4323 	 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
4324 	 * respond to each received packet containing one or more DATA chunk(s)
4325 	 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
4326 	 */
4327 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
4328 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4329 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4330 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4331 
4332 	return SCTP_DISPOSITION_CONSUME;
4333 }
4334 
4335 /*
4336  * SCTP-AUTH Section 6.3 Receiving authenticated chunks
4337  *
4338  *    The receiver MUST use the HMAC algorithm indicated in the HMAC
4339  *    Identifier field.  If this algorithm was not specified by the
4340  *    receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
4341  *    during association setup, the AUTH chunk and all chunks after it MUST
4342  *    be discarded and an ERROR chunk SHOULD be sent with the error cause
4343  *    defined in Section 4.1.
4344  *
4345  *    If an endpoint with no shared key receives a Shared Key Identifier
4346  *    other than 0, it MUST silently discard all authenticated chunks.  If
4347  *    the endpoint has at least one endpoint pair shared key for the peer,
4348  *    it MUST use the key specified by the Shared Key Identifier if a
4349  *    key has been configured for that Shared Key Identifier.  If no
4350  *    endpoint pair shared key has been configured for that Shared Key
4351  *    Identifier, all authenticated chunks MUST be silently discarded.
4352  *
4353  * Verification Tag:  8.5 Verification Tag [Normal verification]
4354  *
4355  * The return value is the disposition of the chunk.
4356  */
4357 static enum sctp_ierror sctp_sf_authenticate(
4358 					const struct sctp_association *asoc,
4359 					struct sctp_chunk *chunk)
4360 {
4361 	struct sctp_shared_key *sh_key = NULL;
4362 	struct sctp_authhdr *auth_hdr;
4363 	__u8 *save_digest, *digest;
4364 	struct sctp_hmac *hmac;
4365 	unsigned int sig_len;
4366 	__u16 key_id;
4367 
4368 	/* Pull in the auth header, so we can do some more verification */
4369 	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4370 	chunk->subh.auth_hdr = auth_hdr;
4371 	skb_pull(chunk->skb, sizeof(*auth_hdr));
4372 
4373 	/* Make sure that we support the HMAC algorithm from the auth
4374 	 * chunk.
4375 	 */
4376 	if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4377 		return SCTP_IERROR_AUTH_BAD_HMAC;
4378 
4379 	/* Make sure that the provided shared key identifier has been
4380 	 * configured
4381 	 */
4382 	key_id = ntohs(auth_hdr->shkey_id);
4383 	if (key_id != asoc->active_key_id) {
4384 		sh_key = sctp_auth_get_shkey(asoc, key_id);
4385 		if (!sh_key)
4386 			return SCTP_IERROR_AUTH_BAD_KEYID;
4387 	}
4388 
4389 	/* Make sure that the length of the signature matches what
4390 	 * we expect.
4391 	 */
4392 	sig_len = ntohs(chunk->chunk_hdr->length) -
4393 		  sizeof(struct sctp_auth_chunk);
4394 	hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4395 	if (sig_len != hmac->hmac_len)
4396 		return SCTP_IERROR_PROTO_VIOLATION;
4397 
4398 	/* Now that we've done validation checks, we can compute and
4399 	 * verify the hmac.  The steps involved are:
4400 	 *  1. Save the digest from the chunk.
4401 	 *  2. Zero out the digest in the chunk.
4402 	 *  3. Compute the new digest
4403 	 *  4. Compare saved and new digests.
4404 	 */
4405 	digest = (u8 *)(auth_hdr + 1);
4406 	skb_pull(chunk->skb, sig_len);
4407 
4408 	save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4409 	if (!save_digest)
4410 		goto nomem;
4411 
4412 	memset(digest, 0, sig_len);
4413 
4414 	sctp_auth_calculate_hmac(asoc, chunk->skb,
4415 				 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4416 				 sh_key, GFP_ATOMIC);
4417 
4418 	/* Discard the packet if the digests do not match */
4419 	if (memcmp(save_digest, digest, sig_len)) {
4420 		kfree(save_digest);
4421 		return SCTP_IERROR_BAD_SIG;
4422 	}
4423 
4424 	kfree(save_digest);
4425 	chunk->auth = 1;
4426 
4427 	return SCTP_IERROR_NO_ERROR;
4428 nomem:
4429 	return SCTP_IERROR_NOMEM;
4430 }
4431 
4432 enum sctp_disposition sctp_sf_eat_auth(struct net *net,
4433 				       const struct sctp_endpoint *ep,
4434 				       const struct sctp_association *asoc,
4435 				       const union sctp_subtype type,
4436 				       void *arg, struct sctp_cmd_seq *commands)
4437 {
4438 	struct sctp_chunk *chunk = arg;
4439 	struct sctp_authhdr *auth_hdr;
4440 	struct sctp_chunk *err_chunk;
4441 	enum sctp_ierror error;
4442 
4443 	/* Make sure that the peer has AUTH capable */
4444 	if (!asoc->peer.auth_capable)
4445 		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4446 
4447 	if (!sctp_vtag_verify(chunk, asoc)) {
4448 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4449 				SCTP_NULL());
4450 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4451 	}
4452 
4453 	/* Make sure that the AUTH chunk has valid length.  */
4454 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4455 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4456 						  commands);
4457 
4458 	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4459 	error = sctp_sf_authenticate(asoc, chunk);
4460 	switch (error) {
4461 	case SCTP_IERROR_AUTH_BAD_HMAC:
4462 		/* Generate the ERROR chunk and discard the rest
4463 		 * of the packet
4464 		 */
4465 		err_chunk = sctp_make_op_error(asoc, chunk,
4466 					       SCTP_ERROR_UNSUP_HMAC,
4467 					       &auth_hdr->hmac_id,
4468 					       sizeof(__u16), 0);
4469 		if (err_chunk) {
4470 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4471 					SCTP_CHUNK(err_chunk));
4472 		}
4473 		fallthrough;
4474 	case SCTP_IERROR_AUTH_BAD_KEYID:
4475 	case SCTP_IERROR_BAD_SIG:
4476 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4477 
4478 	case SCTP_IERROR_PROTO_VIOLATION:
4479 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4480 						  commands);
4481 
4482 	case SCTP_IERROR_NOMEM:
4483 		return SCTP_DISPOSITION_NOMEM;
4484 
4485 	default:			/* Prevent gcc warnings */
4486 		break;
4487 	}
4488 
4489 	if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4490 		struct sctp_ulpevent *ev;
4491 
4492 		ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4493 				    SCTP_AUTH_NEW_KEY, GFP_ATOMIC);
4494 
4495 		if (!ev)
4496 			return SCTP_DISPOSITION_NOMEM;
4497 
4498 		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4499 				SCTP_ULPEVENT(ev));
4500 	}
4501 
4502 	return SCTP_DISPOSITION_CONSUME;
4503 }
4504 
4505 /*
4506  * Process an unknown chunk.
4507  *
4508  * Section: 3.2. Also, 2.1 in the implementor's guide.
4509  *
4510  * Chunk Types are encoded such that the highest-order two bits specify
4511  * the action that must be taken if the processing endpoint does not
4512  * recognize the Chunk Type.
4513  *
4514  * 00 - Stop processing this SCTP packet and discard it, do not process
4515  *      any further chunks within it.
4516  *
4517  * 01 - Stop processing this SCTP packet and discard it, do not process
4518  *      any further chunks within it, and report the unrecognized
4519  *      chunk in an 'Unrecognized Chunk Type'.
4520  *
4521  * 10 - Skip this chunk and continue processing.
4522  *
4523  * 11 - Skip this chunk and continue processing, but report in an ERROR
4524  *      Chunk using the 'Unrecognized Chunk Type' cause of error.
4525  *
4526  * The return value is the disposition of the chunk.
4527  */
4528 enum sctp_disposition sctp_sf_unk_chunk(struct net *net,
4529 					const struct sctp_endpoint *ep,
4530 					const struct sctp_association *asoc,
4531 					const union sctp_subtype type,
4532 					void *arg,
4533 					struct sctp_cmd_seq *commands)
4534 {
4535 	struct sctp_chunk *unk_chunk = arg;
4536 	struct sctp_chunk *err_chunk;
4537 	struct sctp_chunkhdr *hdr;
4538 
4539 	pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);
4540 
4541 	if (!sctp_vtag_verify(unk_chunk, asoc))
4542 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4543 
4544 	/* Make sure that the chunk has a valid length.
4545 	 * Since we don't know the chunk type, we use a general
4546 	 * chunkhdr structure to make a comparison.
4547 	 */
4548 	if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr)))
4549 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4550 						  commands);
4551 
4552 	switch (type.chunk & SCTP_CID_ACTION_MASK) {
4553 	case SCTP_CID_ACTION_DISCARD:
4554 		/* Discard the packet.  */
4555 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4556 	case SCTP_CID_ACTION_DISCARD_ERR:
4557 		/* Generate an ERROR chunk as response. */
4558 		hdr = unk_chunk->chunk_hdr;
4559 		err_chunk = sctp_make_op_error(asoc, unk_chunk,
4560 					       SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4561 					       SCTP_PAD4(ntohs(hdr->length)),
4562 					       0);
4563 		if (err_chunk) {
4564 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4565 					SCTP_CHUNK(err_chunk));
4566 		}
4567 
4568 		/* Discard the packet.  */
4569 		sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4570 		return SCTP_DISPOSITION_CONSUME;
4571 	case SCTP_CID_ACTION_SKIP:
4572 		/* Skip the chunk.  */
4573 		return SCTP_DISPOSITION_DISCARD;
4574 	case SCTP_CID_ACTION_SKIP_ERR:
4575 		/* Generate an ERROR chunk as response. */
4576 		hdr = unk_chunk->chunk_hdr;
4577 		err_chunk = sctp_make_op_error(asoc, unk_chunk,
4578 					       SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4579 					       SCTP_PAD4(ntohs(hdr->length)),
4580 					       0);
4581 		if (err_chunk) {
4582 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4583 					SCTP_CHUNK(err_chunk));
4584 		}
4585 		/* Skip the chunk.  */
4586 		return SCTP_DISPOSITION_CONSUME;
4587 	default:
4588 		break;
4589 	}
4590 
4591 	return SCTP_DISPOSITION_DISCARD;
4592 }
4593 
4594 /*
4595  * Discard the chunk.
4596  *
4597  * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4598  * [Too numerous to mention...]
4599  * Verification Tag: No verification needed.
4600  * Inputs
4601  * (endpoint, asoc, chunk)
4602  *
4603  * Outputs
4604  * (asoc, reply_msg, msg_up, timers, counters)
4605  *
4606  * The return value is the disposition of the chunk.
4607  */
4608 enum sctp_disposition sctp_sf_discard_chunk(struct net *net,
4609 					    const struct sctp_endpoint *ep,
4610 					    const struct sctp_association *asoc,
4611 					    const union sctp_subtype type,
4612 					    void *arg,
4613 					    struct sctp_cmd_seq *commands)
4614 {
4615 	struct sctp_chunk *chunk = arg;
4616 
4617 	if (asoc && !sctp_vtag_verify(chunk, asoc))
4618 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4619 
4620 	/* Make sure that the chunk has a valid length.
4621 	 * Since we don't know the chunk type, we use a general
4622 	 * chunkhdr structure to make a comparison.
4623 	 */
4624 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4625 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4626 						  commands);
4627 
4628 	pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);
4629 
4630 	return SCTP_DISPOSITION_DISCARD;
4631 }
4632 
4633 /*
4634  * Discard the whole packet.
4635  *
4636  * Section: 8.4 2)
4637  *
4638  * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4639  *    silently discard the OOTB packet and take no further action.
4640  *
4641  * Verification Tag: No verification necessary
4642  *
4643  * Inputs
4644  * (endpoint, asoc, chunk)
4645  *
4646  * Outputs
4647  * (asoc, reply_msg, msg_up, timers, counters)
4648  *
4649  * The return value is the disposition of the chunk.
4650  */
4651 enum sctp_disposition sctp_sf_pdiscard(struct net *net,
4652 				       const struct sctp_endpoint *ep,
4653 				       const struct sctp_association *asoc,
4654 				       const union sctp_subtype type,
4655 				       void *arg, struct sctp_cmd_seq *commands)
4656 {
4657 	SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4658 	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4659 
4660 	return SCTP_DISPOSITION_CONSUME;
4661 }
4662 
4663 
4664 /*
4665  * The other end is violating protocol.
4666  *
4667  * Section: Not specified
4668  * Verification Tag: Not specified
4669  * Inputs
4670  * (endpoint, asoc, chunk)
4671  *
4672  * Outputs
4673  * (asoc, reply_msg, msg_up, timers, counters)
4674  *
4675  * We simply tag the chunk as a violation.  The state machine will log
4676  * the violation and continue.
4677  */
4678 enum sctp_disposition sctp_sf_violation(struct net *net,
4679 					const struct sctp_endpoint *ep,
4680 					const struct sctp_association *asoc,
4681 					const union sctp_subtype type,
4682 					void *arg,
4683 					struct sctp_cmd_seq *commands)
4684 {
4685 	struct sctp_chunk *chunk = arg;
4686 
4687 	if (!sctp_vtag_verify(chunk, asoc))
4688 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4689 
4690 	/* Make sure that the chunk has a valid length. */
4691 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4692 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4693 						  commands);
4694 
4695 	return SCTP_DISPOSITION_VIOLATION;
4696 }
4697 
4698 /*
4699  * Common function to handle a protocol violation.
4700  */
4701 static enum sctp_disposition sctp_sf_abort_violation(
4702 					struct net *net,
4703 					const struct sctp_endpoint *ep,
4704 					const struct sctp_association *asoc,
4705 					void *arg,
4706 					struct sctp_cmd_seq *commands,
4707 					const __u8 *payload,
4708 					const size_t paylen)
4709 {
4710 	struct sctp_packet *packet = NULL;
4711 	struct sctp_chunk *chunk =  arg;
4712 	struct sctp_chunk *abort = NULL;
4713 
4714 	/* SCTP-AUTH, Section 6.3:
4715 	 *    It should be noted that if the receiver wants to tear
4716 	 *    down an association in an authenticated way only, the
4717 	 *    handling of malformed packets should not result in
4718 	 *    tearing down the association.
4719 	 *
4720 	 * This means that if we only want to abort associations
4721 	 * in an authenticated way (i.e AUTH+ABORT), then we
4722 	 * can't destroy this association just because the packet
4723 	 * was malformed.
4724 	 */
4725 	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4726 		goto discard;
4727 
4728 	/* Make the abort chunk. */
4729 	abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4730 	if (!abort)
4731 		goto nomem;
4732 
4733 	if (asoc) {
4734 		/* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4735 		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4736 		    !asoc->peer.i.init_tag) {
4737 			struct sctp_initack_chunk *initack;
4738 
4739 			initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
4740 			if (!sctp_chunk_length_valid(chunk, sizeof(*initack)))
4741 				abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4742 			else {
4743 				unsigned int inittag;
4744 
4745 				inittag = ntohl(initack->init_hdr.init_tag);
4746 				sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4747 						SCTP_U32(inittag));
4748 			}
4749 		}
4750 
4751 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4752 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4753 
4754 		if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4755 			sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4756 					SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4757 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4758 					SCTP_ERROR(ECONNREFUSED));
4759 			sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4760 					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4761 		} else {
4762 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4763 					SCTP_ERROR(ECONNABORTED));
4764 			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4765 					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4766 			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4767 		}
4768 	} else {
4769 		packet = sctp_ootb_pkt_new(net, asoc, chunk);
4770 
4771 		if (!packet)
4772 			goto nomem_pkt;
4773 
4774 		if (sctp_test_T_bit(abort))
4775 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4776 
4777 		abort->skb->sk = ep->base.sk;
4778 
4779 		sctp_packet_append_chunk(packet, abort);
4780 
4781 		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4782 			SCTP_PACKET(packet));
4783 
4784 		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4785 	}
4786 
4787 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4788 
4789 discard:
4790 	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4791 	return SCTP_DISPOSITION_ABORT;
4792 
4793 nomem_pkt:
4794 	sctp_chunk_free(abort);
4795 nomem:
4796 	return SCTP_DISPOSITION_NOMEM;
4797 }
4798 
4799 /*
4800  * Handle a protocol violation when the chunk length is invalid.
4801  * "Invalid" length is identified as smaller than the minimal length a
4802  * given chunk can be.  For example, a SACK chunk has invalid length
4803  * if its length is set to be smaller than the size of struct sctp_sack_chunk.
4804  *
4805  * We inform the other end by sending an ABORT with a Protocol Violation
4806  * error code.
4807  *
4808  * Section: Not specified
4809  * Verification Tag:  Nothing to do
4810  * Inputs
4811  * (endpoint, asoc, chunk)
4812  *
4813  * Outputs
4814  * (reply_msg, msg_up, counters)
4815  *
4816  * Generate an  ABORT chunk and terminate the association.
4817  */
4818 static enum sctp_disposition sctp_sf_violation_chunklen(
4819 					struct net *net,
4820 					const struct sctp_endpoint *ep,
4821 					const struct sctp_association *asoc,
4822 					const union sctp_subtype type,
4823 					void *arg,
4824 					struct sctp_cmd_seq *commands)
4825 {
4826 	static const char err_str[] = "The following chunk had invalid length:";
4827 
4828 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4829 				       sizeof(err_str));
4830 }
4831 
4832 /*
4833  * Handle a protocol violation when the parameter length is invalid.
4834  * If the length is smaller than the minimum length of a given parameter,
4835  * or accumulated length in multi parameters exceeds the end of the chunk,
4836  * the length is considered as invalid.
4837  */
4838 static enum sctp_disposition sctp_sf_violation_paramlen(
4839 					struct net *net,
4840 					const struct sctp_endpoint *ep,
4841 					const struct sctp_association *asoc,
4842 					const union sctp_subtype type,
4843 					void *arg, void *ext,
4844 					struct sctp_cmd_seq *commands)
4845 {
4846 	struct sctp_paramhdr *param = ext;
4847 	struct sctp_chunk *abort = NULL;
4848 	struct sctp_chunk *chunk = arg;
4849 
4850 	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4851 		goto discard;
4852 
4853 	/* Make the abort chunk. */
4854 	abort = sctp_make_violation_paramlen(asoc, chunk, param);
4855 	if (!abort)
4856 		goto nomem;
4857 
4858 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4859 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4860 
4861 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4862 			SCTP_ERROR(ECONNABORTED));
4863 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4864 			SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4865 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4866 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4867 
4868 discard:
4869 	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4870 	return SCTP_DISPOSITION_ABORT;
4871 nomem:
4872 	return SCTP_DISPOSITION_NOMEM;
4873 }
4874 
4875 /* Handle a protocol violation when the peer trying to advance the
4876  * cumulative tsn ack to a point beyond the max tsn currently sent.
4877  *
4878  * We inform the other end by sending an ABORT with a Protocol Violation
4879  * error code.
4880  */
4881 static enum sctp_disposition sctp_sf_violation_ctsn(
4882 					struct net *net,
4883 					const struct sctp_endpoint *ep,
4884 					const struct sctp_association *asoc,
4885 					const union sctp_subtype type,
4886 					void *arg,
4887 					struct sctp_cmd_seq *commands)
4888 {
4889 	static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";
4890 
4891 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4892 				       sizeof(err_str));
4893 }
4894 
4895 /* Handle protocol violation of an invalid chunk bundling.  For example,
4896  * when we have an association and we receive bundled INIT-ACK, or
4897  * SHUTDOWN-COMPLETE, our peer is clearly violating the "MUST NOT bundle"
4898  * statement from the specs.  Additionally, there might be an attacker
4899  * on the path and we may not want to continue this communication.
4900  */
4901 static enum sctp_disposition sctp_sf_violation_chunk(
4902 					struct net *net,
4903 					const struct sctp_endpoint *ep,
4904 					const struct sctp_association *asoc,
4905 					const union sctp_subtype type,
4906 					void *arg,
4907 					struct sctp_cmd_seq *commands)
4908 {
4909 	static const char err_str[] = "The following chunk violates protocol:";
4910 
4911 	return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4912 				       sizeof(err_str));
4913 }
4914 /***************************************************************************
4915  * These are the state functions for handling primitive (Section 10) events.
4916  ***************************************************************************/
4917 /*
4918  * sctp_sf_do_prm_asoc
4919  *
4920  * Section: 10.1 ULP-to-SCTP
4921  * B) Associate
4922  *
4923  * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4924  * outbound stream count)
4925  * -> association id [,destination transport addr list] [,outbound stream
4926  * count]
4927  *
4928  * This primitive allows the upper layer to initiate an association to a
4929  * specific peer endpoint.
4930  *
4931  * The peer endpoint shall be specified by one of the transport addresses
4932  * which defines the endpoint (see Section 1.4).  If the local SCTP
4933  * instance has not been initialized, the ASSOCIATE is considered an
4934  * error.
4935  * [This is not relevant for the kernel implementation since we do all
4936  * initialization at boot time.  It we hadn't initialized we wouldn't
4937  * get anywhere near this code.]
4938  *
4939  * An association id, which is a local handle to the SCTP association,
4940  * will be returned on successful establishment of the association. If
4941  * SCTP is not able to open an SCTP association with the peer endpoint,
4942  * an error is returned.
4943  * [In the kernel implementation, the struct sctp_association needs to
4944  * be created BEFORE causing this primitive to run.]
4945  *
4946  * Other association parameters may be returned, including the
4947  * complete destination transport addresses of the peer as well as the
4948  * outbound stream count of the local endpoint. One of the transport
4949  * address from the returned destination addresses will be selected by
4950  * the local endpoint as default primary path for sending SCTP packets
4951  * to this peer.  The returned "destination transport addr list" can
4952  * be used by the ULP to change the default primary path or to force
4953  * sending a packet to a specific transport address.  [All of this
4954  * stuff happens when the INIT ACK arrives.  This is a NON-BLOCKING
4955  * function.]
4956  *
4957  * Mandatory attributes:
4958  *
4959  * o local SCTP instance name - obtained from the INITIALIZE operation.
4960  *   [This is the argument asoc.]
4961  * o destination transport addr - specified as one of the transport
4962  * addresses of the peer endpoint with which the association is to be
4963  * established.
4964  *  [This is asoc->peer.active_path.]
4965  * o outbound stream count - the number of outbound streams the ULP
4966  * would like to open towards this peer endpoint.
4967  * [BUG: This is not currently implemented.]
4968  * Optional attributes:
4969  *
4970  * None.
4971  *
4972  * The return value is a disposition.
4973  */
4974 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net,
4975 					  const struct sctp_endpoint *ep,
4976 					  const struct sctp_association *asoc,
4977 					  const union sctp_subtype type,
4978 					  void *arg,
4979 					  struct sctp_cmd_seq *commands)
4980 {
4981 	struct sctp_association *my_asoc;
4982 	struct sctp_chunk *repl;
4983 
4984 	/* The comment below says that we enter COOKIE-WAIT AFTER
4985 	 * sending the INIT, but that doesn't actually work in our
4986 	 * implementation...
4987 	 */
4988 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4989 			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4990 
4991 	/* RFC 2960 5.1 Normal Establishment of an Association
4992 	 *
4993 	 * A) "A" first sends an INIT chunk to "Z".  In the INIT, "A"
4994 	 * must provide its Verification Tag (Tag_A) in the Initiate
4995 	 * Tag field.  Tag_A SHOULD be a random number in the range of
4996 	 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4997 	 */
4998 
4999 	repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
5000 	if (!repl)
5001 		goto nomem;
5002 
5003 	/* Choose transport for INIT. */
5004 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5005 			SCTP_CHUNK(repl));
5006 
5007 	/* Cast away the const modifier, as we want to just
5008 	 * rerun it through as a sideffect.
5009 	 */
5010 	my_asoc = (struct sctp_association *)asoc;
5011 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
5012 
5013 	/* After sending the INIT, "A" starts the T1-init timer and
5014 	 * enters the COOKIE-WAIT state.
5015 	 */
5016 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5017 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5018 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5019 	return SCTP_DISPOSITION_CONSUME;
5020 
5021 nomem:
5022 	return SCTP_DISPOSITION_NOMEM;
5023 }
5024 
5025 /*
5026  * Process the SEND primitive.
5027  *
5028  * Section: 10.1 ULP-to-SCTP
5029  * E) Send
5030  *
5031  * Format: SEND(association id, buffer address, byte count [,context]
5032  *         [,stream id] [,life time] [,destination transport address]
5033  *         [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
5034  * -> result
5035  *
5036  * This is the main method to send user data via SCTP.
5037  *
5038  * Mandatory attributes:
5039  *
5040  *  o association id - local handle to the SCTP association
5041  *
5042  *  o buffer address - the location where the user message to be
5043  *    transmitted is stored;
5044  *
5045  *  o byte count - The size of the user data in number of bytes;
5046  *
5047  * Optional attributes:
5048  *
5049  *  o context - an optional 32 bit integer that will be carried in the
5050  *    sending failure notification to the ULP if the transportation of
5051  *    this User Message fails.
5052  *
5053  *  o stream id - to indicate which stream to send the data on. If not
5054  *    specified, stream 0 will be used.
5055  *
5056  *  o life time - specifies the life time of the user data. The user data
5057  *    will not be sent by SCTP after the life time expires. This
5058  *    parameter can be used to avoid efforts to transmit stale
5059  *    user messages. SCTP notifies the ULP if the data cannot be
5060  *    initiated to transport (i.e. sent to the destination via SCTP's
5061  *    send primitive) within the life time variable. However, the
5062  *    user data will be transmitted if SCTP has attempted to transmit a
5063  *    chunk before the life time expired.
5064  *
5065  *  o destination transport address - specified as one of the destination
5066  *    transport addresses of the peer endpoint to which this packet
5067  *    should be sent. Whenever possible, SCTP should use this destination
5068  *    transport address for sending the packets, instead of the current
5069  *    primary path.
5070  *
5071  *  o unorder flag - this flag, if present, indicates that the user
5072  *    would like the data delivered in an unordered fashion to the peer
5073  *    (i.e., the U flag is set to 1 on all DATA chunks carrying this
5074  *    message).
5075  *
5076  *  o no-bundle flag - instructs SCTP not to bundle this user data with
5077  *    other outbound DATA chunks. SCTP MAY still bundle even when
5078  *    this flag is present, when faced with network congestion.
5079  *
5080  *  o payload protocol-id - A 32 bit unsigned integer that is to be
5081  *    passed to the peer indicating the type of payload protocol data
5082  *    being transmitted. This value is passed as opaque data by SCTP.
5083  *
5084  * The return value is the disposition.
5085  */
5086 enum sctp_disposition sctp_sf_do_prm_send(struct net *net,
5087 					  const struct sctp_endpoint *ep,
5088 					  const struct sctp_association *asoc,
5089 					  const union sctp_subtype type,
5090 					  void *arg,
5091 					  struct sctp_cmd_seq *commands)
5092 {
5093 	struct sctp_datamsg *msg = arg;
5094 
5095 	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
5096 	return SCTP_DISPOSITION_CONSUME;
5097 }
5098 
5099 /*
5100  * Process the SHUTDOWN primitive.
5101  *
5102  * Section: 10.1:
5103  * C) Shutdown
5104  *
5105  * Format: SHUTDOWN(association id)
5106  * -> result
5107  *
5108  * Gracefully closes an association. Any locally queued user data
5109  * will be delivered to the peer. The association will be terminated only
5110  * after the peer acknowledges all the SCTP packets sent.  A success code
5111  * will be returned on successful termination of the association. If
5112  * attempting to terminate the association results in a failure, an error
5113  * code shall be returned.
5114  *
5115  * Mandatory attributes:
5116  *
5117  *  o association id - local handle to the SCTP association
5118  *
5119  * Optional attributes:
5120  *
5121  * None.
5122  *
5123  * The return value is the disposition.
5124  */
5125 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown(
5126 					struct net *net,
5127 					const struct sctp_endpoint *ep,
5128 					const struct sctp_association *asoc,
5129 					const union sctp_subtype type,
5130 					void *arg,
5131 					struct sctp_cmd_seq *commands)
5132 {
5133 	enum sctp_disposition disposition;
5134 
5135 	/* From 9.2 Shutdown of an Association
5136 	 * Upon receipt of the SHUTDOWN primitive from its upper
5137 	 * layer, the endpoint enters SHUTDOWN-PENDING state and
5138 	 * remains there until all outstanding data has been
5139 	 * acknowledged by its peer. The endpoint accepts no new data
5140 	 * from its upper layer, but retransmits data to the far end
5141 	 * if necessary to fill gaps.
5142 	 */
5143 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5144 			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5145 
5146 	disposition = SCTP_DISPOSITION_CONSUME;
5147 	if (sctp_outq_is_empty(&asoc->outqueue)) {
5148 		disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5149 							    arg, commands);
5150 	}
5151 
5152 	return disposition;
5153 }
5154 
5155 /*
5156  * Process the ABORT primitive.
5157  *
5158  * Section: 10.1:
5159  * C) Abort
5160  *
5161  * Format: Abort(association id [, cause code])
5162  * -> result
5163  *
5164  * Ungracefully closes an association. Any locally queued user data
5165  * will be discarded and an ABORT chunk is sent to the peer.  A success code
5166  * will be returned on successful abortion of the association. If
5167  * attempting to abort the association results in a failure, an error
5168  * code shall be returned.
5169  *
5170  * Mandatory attributes:
5171  *
5172  *  o association id - local handle to the SCTP association
5173  *
5174  * Optional attributes:
5175  *
5176  *  o cause code - reason of the abort to be passed to the peer
5177  *
5178  * None.
5179  *
5180  * The return value is the disposition.
5181  */
5182 enum sctp_disposition sctp_sf_do_9_1_prm_abort(
5183 					struct net *net,
5184 					const struct sctp_endpoint *ep,
5185 					const struct sctp_association *asoc,
5186 					const union sctp_subtype type,
5187 					void *arg,
5188 					struct sctp_cmd_seq *commands)
5189 {
5190 	/* From 9.1 Abort of an Association
5191 	 * Upon receipt of the ABORT primitive from its upper
5192 	 * layer, the endpoint enters CLOSED state and
5193 	 * discard all outstanding data has been
5194 	 * acknowledged by its peer. The endpoint accepts no new data
5195 	 * from its upper layer, but retransmits data to the far end
5196 	 * if necessary to fill gaps.
5197 	 */
5198 	struct sctp_chunk *abort = arg;
5199 
5200 	if (abort)
5201 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5202 
5203 	/* Even if we can't send the ABORT due to low memory delete the
5204 	 * TCB.  This is a departure from our typical NOMEM handling.
5205 	 */
5206 
5207 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5208 			SCTP_ERROR(ECONNABORTED));
5209 	/* Delete the established association. */
5210 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5211 			SCTP_PERR(SCTP_ERROR_USER_ABORT));
5212 
5213 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5214 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5215 
5216 	return SCTP_DISPOSITION_ABORT;
5217 }
5218 
5219 /* We tried an illegal operation on an association which is closed.  */
5220 enum sctp_disposition sctp_sf_error_closed(struct net *net,
5221 					   const struct sctp_endpoint *ep,
5222 					   const struct sctp_association *asoc,
5223 					   const union sctp_subtype type,
5224 					   void *arg,
5225 					   struct sctp_cmd_seq *commands)
5226 {
5227 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
5228 	return SCTP_DISPOSITION_CONSUME;
5229 }
5230 
5231 /* We tried an illegal operation on an association which is shutting
5232  * down.
5233  */
5234 enum sctp_disposition sctp_sf_error_shutdown(
5235 					struct net *net,
5236 					const struct sctp_endpoint *ep,
5237 					const struct sctp_association *asoc,
5238 					const union sctp_subtype type,
5239 					void *arg,
5240 					struct sctp_cmd_seq *commands)
5241 {
5242 	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
5243 			SCTP_ERROR(-ESHUTDOWN));
5244 	return SCTP_DISPOSITION_CONSUME;
5245 }
5246 
5247 /*
5248  * sctp_cookie_wait_prm_shutdown
5249  *
5250  * Section: 4 Note: 2
5251  * Verification Tag:
5252  * Inputs
5253  * (endpoint, asoc)
5254  *
5255  * The RFC does not explicitly address this issue, but is the route through the
5256  * state table when someone issues a shutdown while in COOKIE_WAIT state.
5257  *
5258  * Outputs
5259  * (timers)
5260  */
5261 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown(
5262 					struct net *net,
5263 					const struct sctp_endpoint *ep,
5264 					const struct sctp_association *asoc,
5265 					const union sctp_subtype type,
5266 					void *arg,
5267 					struct sctp_cmd_seq *commands)
5268 {
5269 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5270 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5271 
5272 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5273 			SCTP_STATE(SCTP_STATE_CLOSED));
5274 
5275 	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
5276 
5277 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
5278 
5279 	return SCTP_DISPOSITION_DELETE_TCB;
5280 }
5281 
5282 /*
5283  * sctp_cookie_echoed_prm_shutdown
5284  *
5285  * Section: 4 Note: 2
5286  * Verification Tag:
5287  * Inputs
5288  * (endpoint, asoc)
5289  *
5290  * The RFC does not explicitly address this issue, but is the route through the
5291  * state table when someone issues a shutdown while in COOKIE_ECHOED state.
5292  *
5293  * Outputs
5294  * (timers)
5295  */
5296 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown(
5297 					struct net *net,
5298 					const struct sctp_endpoint *ep,
5299 					const struct sctp_association *asoc,
5300 					const union sctp_subtype type,
5301 					void *arg,
5302 					struct sctp_cmd_seq *commands)
5303 {
5304 	/* There is a single T1 timer, so we should be able to use
5305 	 * common function with the COOKIE-WAIT state.
5306 	 */
5307 	return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
5308 }
5309 
5310 /*
5311  * sctp_sf_cookie_wait_prm_abort
5312  *
5313  * Section: 4 Note: 2
5314  * Verification Tag:
5315  * Inputs
5316  * (endpoint, asoc)
5317  *
5318  * The RFC does not explicitly address this issue, but is the route through the
5319  * state table when someone issues an abort while in COOKIE_WAIT state.
5320  *
5321  * Outputs
5322  * (timers)
5323  */
5324 enum sctp_disposition sctp_sf_cookie_wait_prm_abort(
5325 					struct net *net,
5326 					const struct sctp_endpoint *ep,
5327 					const struct sctp_association *asoc,
5328 					const union sctp_subtype type,
5329 					void *arg,
5330 					struct sctp_cmd_seq *commands)
5331 {
5332 	struct sctp_chunk *abort = arg;
5333 
5334 	/* Stop T1-init timer */
5335 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5336 			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5337 
5338 	if (abort)
5339 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5340 
5341 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5342 			SCTP_STATE(SCTP_STATE_CLOSED));
5343 
5344 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5345 
5346 	/* Even if we can't send the ABORT due to low memory delete the
5347 	 * TCB.  This is a departure from our typical NOMEM handling.
5348 	 */
5349 
5350 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5351 			SCTP_ERROR(ECONNREFUSED));
5352 	/* Delete the established association. */
5353 	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5354 			SCTP_PERR(SCTP_ERROR_USER_ABORT));
5355 
5356 	return SCTP_DISPOSITION_ABORT;
5357 }
5358 
5359 /*
5360  * sctp_sf_cookie_echoed_prm_abort
5361  *
5362  * Section: 4 Note: 3
5363  * Verification Tag:
5364  * Inputs
5365  * (endpoint, asoc)
5366  *
5367  * The RFC does not explcitly address this issue, but is the route through the
5368  * state table when someone issues an abort while in COOKIE_ECHOED state.
5369  *
5370  * Outputs
5371  * (timers)
5372  */
5373 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort(
5374 					struct net *net,
5375 					const struct sctp_endpoint *ep,
5376 					const struct sctp_association *asoc,
5377 					const union sctp_subtype type,
5378 					void *arg,
5379 					struct sctp_cmd_seq *commands)
5380 {
5381 	/* There is a single T1 timer, so we should be able to use
5382 	 * common function with the COOKIE-WAIT state.
5383 	 */
5384 	return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5385 }
5386 
5387 /*
5388  * sctp_sf_shutdown_pending_prm_abort
5389  *
5390  * Inputs
5391  * (endpoint, asoc)
5392  *
5393  * The RFC does not explicitly address this issue, but is the route through the
5394  * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5395  *
5396  * Outputs
5397  * (timers)
5398  */
5399 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort(
5400 					struct net *net,
5401 					const struct sctp_endpoint *ep,
5402 					const struct sctp_association *asoc,
5403 					const union sctp_subtype type,
5404 					void *arg,
5405 					struct sctp_cmd_seq *commands)
5406 {
5407 	/* Stop the T5-shutdown guard timer.  */
5408 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5409 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5410 
5411 	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5412 }
5413 
5414 /*
5415  * sctp_sf_shutdown_sent_prm_abort
5416  *
5417  * Inputs
5418  * (endpoint, asoc)
5419  *
5420  * The RFC does not explicitly address this issue, but is the route through the
5421  * state table when someone issues an abort while in SHUTDOWN-SENT state.
5422  *
5423  * Outputs
5424  * (timers)
5425  */
5426 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort(
5427 					struct net *net,
5428 					const struct sctp_endpoint *ep,
5429 					const struct sctp_association *asoc,
5430 					const union sctp_subtype type,
5431 					void *arg,
5432 					struct sctp_cmd_seq *commands)
5433 {
5434 	/* Stop the T2-shutdown timer.  */
5435 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5436 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5437 
5438 	/* Stop the T5-shutdown guard timer.  */
5439 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5440 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5441 
5442 	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5443 }
5444 
5445 /*
5446  * sctp_sf_cookie_echoed_prm_abort
5447  *
5448  * Inputs
5449  * (endpoint, asoc)
5450  *
5451  * The RFC does not explcitly address this issue, but is the route through the
5452  * state table when someone issues an abort while in COOKIE_ECHOED state.
5453  *
5454  * Outputs
5455  * (timers)
5456  */
5457 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort(
5458 					struct net *net,
5459 					const struct sctp_endpoint *ep,
5460 					const struct sctp_association *asoc,
5461 					const union sctp_subtype type,
5462 					void *arg,
5463 					struct sctp_cmd_seq *commands)
5464 {
5465 	/* The same T2 timer, so we should be able to use
5466 	 * common function with the SHUTDOWN-SENT state.
5467 	 */
5468 	return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5469 }
5470 
5471 /*
5472  * Process the REQUESTHEARTBEAT primitive
5473  *
5474  * 10.1 ULP-to-SCTP
5475  * J) Request Heartbeat
5476  *
5477  * Format: REQUESTHEARTBEAT(association id, destination transport address)
5478  *
5479  * -> result
5480  *
5481  * Instructs the local endpoint to perform a HeartBeat on the specified
5482  * destination transport address of the given association. The returned
5483  * result should indicate whether the transmission of the HEARTBEAT
5484  * chunk to the destination address is successful.
5485  *
5486  * Mandatory attributes:
5487  *
5488  * o association id - local handle to the SCTP association
5489  *
5490  * o destination transport address - the transport address of the
5491  *   association on which a heartbeat should be issued.
5492  */
5493 enum sctp_disposition sctp_sf_do_prm_requestheartbeat(
5494 					struct net *net,
5495 					const struct sctp_endpoint *ep,
5496 					const struct sctp_association *asoc,
5497 					const union sctp_subtype type,
5498 					void *arg,
5499 					struct sctp_cmd_seq *commands)
5500 {
5501 	if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5502 				      (struct sctp_transport *)arg, commands))
5503 		return SCTP_DISPOSITION_NOMEM;
5504 
5505 	/*
5506 	 * RFC 2960 (bis), section 8.3
5507 	 *
5508 	 *    D) Request an on-demand HEARTBEAT on a specific destination
5509 	 *    transport address of a given association.
5510 	 *
5511 	 *    The endpoint should increment the respective error  counter of
5512 	 *    the destination transport address each time a HEARTBEAT is sent
5513 	 *    to that address and not acknowledged within one RTO.
5514 	 *
5515 	 */
5516 	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5517 			SCTP_TRANSPORT(arg));
5518 	return SCTP_DISPOSITION_CONSUME;
5519 }
5520 
5521 /*
5522  * ADDIP Section 4.1 ASCONF Chunk Procedures
5523  * When an endpoint has an ASCONF signaled change to be sent to the
5524  * remote endpoint it should do A1 to A9
5525  */
5526 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net,
5527 					    const struct sctp_endpoint *ep,
5528 					    const struct sctp_association *asoc,
5529 					    const union sctp_subtype type,
5530 					    void *arg,
5531 					    struct sctp_cmd_seq *commands)
5532 {
5533 	struct sctp_chunk *chunk = arg;
5534 
5535 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5536 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5537 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5538 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5539 	return SCTP_DISPOSITION_CONSUME;
5540 }
5541 
5542 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */
5543 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net,
5544 					    const struct sctp_endpoint *ep,
5545 					    const struct sctp_association *asoc,
5546 					    const union sctp_subtype type,
5547 					    void *arg,
5548 					    struct sctp_cmd_seq *commands)
5549 {
5550 	struct sctp_chunk *chunk = arg;
5551 
5552 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5553 	return SCTP_DISPOSITION_CONSUME;
5554 }
5555 
5556 /*
5557  * Ignore the primitive event
5558  *
5559  * The return value is the disposition of the primitive.
5560  */
5561 enum sctp_disposition sctp_sf_ignore_primitive(
5562 					struct net *net,
5563 					const struct sctp_endpoint *ep,
5564 					const struct sctp_association *asoc,
5565 					const union sctp_subtype type,
5566 					void *arg,
5567 					struct sctp_cmd_seq *commands)
5568 {
5569 	pr_debug("%s: primitive type:%d is ignored\n", __func__,
5570 		 type.primitive);
5571 
5572 	return SCTP_DISPOSITION_DISCARD;
5573 }
5574 
5575 /***************************************************************************
5576  * These are the state functions for the OTHER events.
5577  ***************************************************************************/
5578 
5579 /*
5580  * When the SCTP stack has no more user data to send or retransmit, this
5581  * notification is given to the user. Also, at the time when a user app
5582  * subscribes to this event, if there is no data to be sent or
5583  * retransmit, the stack will immediately send up this notification.
5584  */
5585 enum sctp_disposition sctp_sf_do_no_pending_tsn(
5586 					struct net *net,
5587 					const struct sctp_endpoint *ep,
5588 					const struct sctp_association *asoc,
5589 					const union sctp_subtype type,
5590 					void *arg,
5591 					struct sctp_cmd_seq *commands)
5592 {
5593 	struct sctp_ulpevent *event;
5594 
5595 	event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5596 	if (!event)
5597 		return SCTP_DISPOSITION_NOMEM;
5598 
5599 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5600 
5601 	return SCTP_DISPOSITION_CONSUME;
5602 }
5603 
5604 /*
5605  * Start the shutdown negotiation.
5606  *
5607  * From Section 9.2:
5608  * Once all its outstanding data has been acknowledged, the endpoint
5609  * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5610  * TSN Ack field the last sequential TSN it has received from the peer.
5611  * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5612  * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5613  * with the updated last sequential TSN received from its peer.
5614  *
5615  * The return value is the disposition.
5616  */
5617 enum sctp_disposition sctp_sf_do_9_2_start_shutdown(
5618 					struct net *net,
5619 					const struct sctp_endpoint *ep,
5620 					const struct sctp_association *asoc,
5621 					const union sctp_subtype type,
5622 					void *arg,
5623 					struct sctp_cmd_seq *commands)
5624 {
5625 	struct sctp_chunk *reply;
5626 
5627 	/* Once all its outstanding data has been acknowledged, the
5628 	 * endpoint shall send a SHUTDOWN chunk to its peer including
5629 	 * in the Cumulative TSN Ack field the last sequential TSN it
5630 	 * has received from the peer.
5631 	 */
5632 	reply = sctp_make_shutdown(asoc, arg);
5633 	if (!reply)
5634 		goto nomem;
5635 
5636 	/* Set the transport for the SHUTDOWN chunk and the timeout for the
5637 	 * T2-shutdown timer.
5638 	 */
5639 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5640 
5641 	/* It shall then start the T2-shutdown timer */
5642 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5643 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5644 
5645 	/* RFC 4960 Section 9.2
5646 	 * The sender of the SHUTDOWN MAY also start an overall guard timer
5647 	 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5648 	 */
5649 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5650 			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5651 
5652 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5653 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5654 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5655 
5656 	/* and enter the SHUTDOWN-SENT state.  */
5657 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5658 			SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5659 
5660 	/* sctp-implguide 2.10 Issues with Heartbeating and failover
5661 	 *
5662 	 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5663 	 * or SHUTDOWN-ACK.
5664 	 */
5665 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5666 
5667 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5668 
5669 	return SCTP_DISPOSITION_CONSUME;
5670 
5671 nomem:
5672 	return SCTP_DISPOSITION_NOMEM;
5673 }
5674 
5675 /*
5676  * Generate a SHUTDOWN ACK now that everything is SACK'd.
5677  *
5678  * From Section 9.2:
5679  *
5680  * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5681  * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5682  * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5683  * endpoint must re-send the SHUTDOWN ACK.
5684  *
5685  * The return value is the disposition.
5686  */
5687 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack(
5688 					struct net *net,
5689 					const struct sctp_endpoint *ep,
5690 					const struct sctp_association *asoc,
5691 					const union sctp_subtype type,
5692 					void *arg,
5693 					struct sctp_cmd_seq *commands)
5694 {
5695 	struct sctp_chunk *chunk = arg;
5696 	struct sctp_chunk *reply;
5697 
5698 	/* There are 2 ways of getting here:
5699 	 *    1) called in response to a SHUTDOWN chunk
5700 	 *    2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5701 	 *
5702 	 * For the case (2), the arg parameter is set to NULL.  We need
5703 	 * to check that we have a chunk before accessing it's fields.
5704 	 */
5705 	if (chunk) {
5706 		if (!sctp_vtag_verify(chunk, asoc))
5707 			return sctp_sf_pdiscard(net, ep, asoc, type, arg,
5708 						commands);
5709 
5710 		/* Make sure that the SHUTDOWN chunk has a valid length. */
5711 		if (!sctp_chunk_length_valid(
5712 				chunk, sizeof(struct sctp_shutdown_chunk)))
5713 			return sctp_sf_violation_chunklen(net, ep, asoc, type,
5714 							  arg, commands);
5715 	}
5716 
5717 	/* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5718 	 * shall send a SHUTDOWN ACK ...
5719 	 */
5720 	reply = sctp_make_shutdown_ack(asoc, chunk);
5721 	if (!reply)
5722 		goto nomem;
5723 
5724 	/* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5725 	 * the T2-shutdown timer.
5726 	 */
5727 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5728 
5729 	/* and start/restart a T2-shutdown timer of its own, */
5730 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5731 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5732 
5733 	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5734 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5735 				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5736 
5737 	/* Enter the SHUTDOWN-ACK-SENT state.  */
5738 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5739 			SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5740 
5741 	/* sctp-implguide 2.10 Issues with Heartbeating and failover
5742 	 *
5743 	 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5744 	 * or SHUTDOWN-ACK.
5745 	 */
5746 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5747 
5748 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5749 
5750 	return SCTP_DISPOSITION_CONSUME;
5751 
5752 nomem:
5753 	return SCTP_DISPOSITION_NOMEM;
5754 }
5755 
5756 /*
5757  * Ignore the event defined as other
5758  *
5759  * The return value is the disposition of the event.
5760  */
5761 enum sctp_disposition sctp_sf_ignore_other(struct net *net,
5762 					   const struct sctp_endpoint *ep,
5763 					   const struct sctp_association *asoc,
5764 					   const union sctp_subtype type,
5765 					   void *arg,
5766 					   struct sctp_cmd_seq *commands)
5767 {
5768 	pr_debug("%s: the event other type:%d is ignored\n",
5769 		 __func__, type.other);
5770 
5771 	return SCTP_DISPOSITION_DISCARD;
5772 }
5773 
5774 /************************************************************
5775  * These are the state functions for handling timeout events.
5776  ************************************************************/
5777 
5778 /*
5779  * RTX Timeout
5780  *
5781  * Section: 6.3.3 Handle T3-rtx Expiration
5782  *
5783  * Whenever the retransmission timer T3-rtx expires for a destination
5784  * address, do the following:
5785  * [See below]
5786  *
5787  * The return value is the disposition of the chunk.
5788  */
5789 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net,
5790 					   const struct sctp_endpoint *ep,
5791 					   const struct sctp_association *asoc,
5792 					   const union sctp_subtype type,
5793 					   void *arg,
5794 					   struct sctp_cmd_seq *commands)
5795 {
5796 	struct sctp_transport *transport = arg;
5797 
5798 	SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5799 
5800 	if (asoc->overall_error_count >= asoc->max_retrans) {
5801 		if (asoc->peer.zero_window_announced &&
5802 		    asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5803 			/*
5804 			 * We are here likely because the receiver had its rwnd
5805 			 * closed for a while and we have not been able to
5806 			 * transmit the locally queued data within the maximum
5807 			 * retransmission attempts limit.  Start the T5
5808 			 * shutdown guard timer to give the receiver one last
5809 			 * chance and some additional time to recover before
5810 			 * aborting.
5811 			 */
5812 			sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5813 				SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5814 		} else {
5815 			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5816 					SCTP_ERROR(ETIMEDOUT));
5817 			/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5818 			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5819 					SCTP_PERR(SCTP_ERROR_NO_ERROR));
5820 			SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5821 			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5822 			return SCTP_DISPOSITION_DELETE_TCB;
5823 		}
5824 	}
5825 
5826 	/* E1) For the destination address for which the timer
5827 	 * expires, adjust its ssthresh with rules defined in Section
5828 	 * 7.2.3 and set the cwnd <- MTU.
5829 	 */
5830 
5831 	/* E2) For the destination address for which the timer
5832 	 * expires, set RTO <- RTO * 2 ("back off the timer").  The
5833 	 * maximum value discussed in rule C7 above (RTO.max) may be
5834 	 * used to provide an upper bound to this doubling operation.
5835 	 */
5836 
5837 	/* E3) Determine how many of the earliest (i.e., lowest TSN)
5838 	 * outstanding DATA chunks for the address for which the
5839 	 * T3-rtx has expired will fit into a single packet, subject
5840 	 * to the MTU constraint for the path corresponding to the
5841 	 * destination transport address to which the retransmission
5842 	 * is being sent (this may be different from the address for
5843 	 * which the timer expires [see Section 6.4]).  Call this
5844 	 * value K. Bundle and retransmit those K DATA chunks in a
5845 	 * single packet to the destination endpoint.
5846 	 *
5847 	 * Note: Any DATA chunks that were sent to the address for
5848 	 * which the T3-rtx timer expired but did not fit in one MTU
5849 	 * (rule E3 above), should be marked for retransmission and
5850 	 * sent as soon as cwnd allows (normally when a SACK arrives).
5851 	 */
5852 
5853 	/* Do some failure management (Section 8.2). */
5854 	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5855 
5856 	/* NB: Rules E4 and F1 are implicit in R1.  */
5857 	sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5858 
5859 	return SCTP_DISPOSITION_CONSUME;
5860 }
5861 
5862 /*
5863  * Generate delayed SACK on timeout
5864  *
5865  * Section: 6.2  Acknowledgement on Reception of DATA Chunks
5866  *
5867  * The guidelines on delayed acknowledgement algorithm specified in
5868  * Section 4.2 of [RFC2581] SHOULD be followed.  Specifically, an
5869  * acknowledgement SHOULD be generated for at least every second packet
5870  * (not every second DATA chunk) received, and SHOULD be generated
5871  * within 200 ms of the arrival of any unacknowledged DATA chunk.  In
5872  * some situations it may be beneficial for an SCTP transmitter to be
5873  * more conservative than the algorithms detailed in this document
5874  * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5875  * the following algorithms allow.
5876  */
5877 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net,
5878 					  const struct sctp_endpoint *ep,
5879 					  const struct sctp_association *asoc,
5880 					  const union sctp_subtype type,
5881 					  void *arg,
5882 					  struct sctp_cmd_seq *commands)
5883 {
5884 	SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5885 	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5886 	return SCTP_DISPOSITION_CONSUME;
5887 }
5888 
5889 /*
5890  * sctp_sf_t1_init_timer_expire
5891  *
5892  * Section: 4 Note: 2
5893  * Verification Tag:
5894  * Inputs
5895  * (endpoint, asoc)
5896  *
5897  *  RFC 2960 Section 4 Notes
5898  *  2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5899  *     and re-start the T1-init timer without changing state.  This MUST
5900  *     be repeated up to 'Max.Init.Retransmits' times.  After that, the
5901  *     endpoint MUST abort the initialization process and report the
5902  *     error to SCTP user.
5903  *
5904  * Outputs
5905  * (timers, events)
5906  *
5907  */
5908 enum sctp_disposition sctp_sf_t1_init_timer_expire(
5909 					struct net *net,
5910 					const struct sctp_endpoint *ep,
5911 					const struct sctp_association *asoc,
5912 					const union sctp_subtype type,
5913 					void *arg,
5914 					struct sctp_cmd_seq *commands)
5915 {
5916 	int attempts = asoc->init_err_counter + 1;
5917 	struct sctp_chunk *repl = NULL;
5918 	struct sctp_bind_addr *bp;
5919 
5920 	pr_debug("%s: timer T1 expired (INIT)\n", __func__);
5921 
5922 	SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5923 
5924 	if (attempts <= asoc->max_init_attempts) {
5925 		bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5926 		repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5927 		if (!repl)
5928 			return SCTP_DISPOSITION_NOMEM;
5929 
5930 		/* Choose transport for INIT. */
5931 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5932 				SCTP_CHUNK(repl));
5933 
5934 		/* Issue a sideeffect to do the needed accounting. */
5935 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5936 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5937 
5938 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5939 	} else {
5940 		pr_debug("%s: giving up on INIT, attempts:%d "
5941 			 "max_init_attempts:%d\n", __func__, attempts,
5942 			 asoc->max_init_attempts);
5943 
5944 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5945 				SCTP_ERROR(ETIMEDOUT));
5946 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5947 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
5948 		return SCTP_DISPOSITION_DELETE_TCB;
5949 	}
5950 
5951 	return SCTP_DISPOSITION_CONSUME;
5952 }
5953 
5954 /*
5955  * sctp_sf_t1_cookie_timer_expire
5956  *
5957  * Section: 4 Note: 2
5958  * Verification Tag:
5959  * Inputs
5960  * (endpoint, asoc)
5961  *
5962  *  RFC 2960 Section 4 Notes
5963  *  3) If the T1-cookie timer expires, the endpoint MUST retransmit
5964  *     COOKIE ECHO and re-start the T1-cookie timer without changing
5965  *     state.  This MUST be repeated up to 'Max.Init.Retransmits' times.
5966  *     After that, the endpoint MUST abort the initialization process and
5967  *     report the error to SCTP user.
5968  *
5969  * Outputs
5970  * (timers, events)
5971  *
5972  */
5973 enum sctp_disposition sctp_sf_t1_cookie_timer_expire(
5974 					struct net *net,
5975 					const struct sctp_endpoint *ep,
5976 					const struct sctp_association *asoc,
5977 					const union sctp_subtype type,
5978 					void *arg,
5979 					struct sctp_cmd_seq *commands)
5980 {
5981 	int attempts = asoc->init_err_counter + 1;
5982 	struct sctp_chunk *repl = NULL;
5983 
5984 	pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);
5985 
5986 	SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5987 
5988 	if (attempts <= asoc->max_init_attempts) {
5989 		repl = sctp_make_cookie_echo(asoc, NULL);
5990 		if (!repl)
5991 			return SCTP_DISPOSITION_NOMEM;
5992 
5993 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5994 				SCTP_CHUNK(repl));
5995 		/* Issue a sideeffect to do the needed accounting. */
5996 		sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5997 				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5998 
5999 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
6000 	} else {
6001 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6002 				SCTP_ERROR(ETIMEDOUT));
6003 		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
6004 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
6005 		return SCTP_DISPOSITION_DELETE_TCB;
6006 	}
6007 
6008 	return SCTP_DISPOSITION_CONSUME;
6009 }
6010 
6011 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
6012  * with the updated last sequential TSN received from its peer.
6013  *
6014  * An endpoint should limit the number of retransmission of the
6015  * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
6016  * If this threshold is exceeded the endpoint should destroy the TCB and
6017  * MUST report the peer endpoint unreachable to the upper layer (and
6018  * thus the association enters the CLOSED state).  The reception of any
6019  * packet from its peer (i.e. as the peer sends all of its queued DATA
6020  * chunks) should clear the endpoint's retransmission count and restart
6021  * the T2-Shutdown timer,  giving its peer ample opportunity to transmit
6022  * all of its queued DATA chunks that have not yet been sent.
6023  */
6024 enum sctp_disposition sctp_sf_t2_timer_expire(
6025 					struct net *net,
6026 					const struct sctp_endpoint *ep,
6027 					const struct sctp_association *asoc,
6028 					const union sctp_subtype type,
6029 					void *arg,
6030 					struct sctp_cmd_seq *commands)
6031 {
6032 	struct sctp_chunk *reply = NULL;
6033 
6034 	pr_debug("%s: timer T2 expired\n", __func__);
6035 
6036 	SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
6037 
6038 	((struct sctp_association *)asoc)->shutdown_retries++;
6039 
6040 	if (asoc->overall_error_count >= asoc->max_retrans) {
6041 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6042 				SCTP_ERROR(ETIMEDOUT));
6043 		/* Note:  CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
6044 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6045 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
6046 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6047 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6048 		return SCTP_DISPOSITION_DELETE_TCB;
6049 	}
6050 
6051 	switch (asoc->state) {
6052 	case SCTP_STATE_SHUTDOWN_SENT:
6053 		reply = sctp_make_shutdown(asoc, NULL);
6054 		break;
6055 
6056 	case SCTP_STATE_SHUTDOWN_ACK_SENT:
6057 		reply = sctp_make_shutdown_ack(asoc, NULL);
6058 		break;
6059 
6060 	default:
6061 		BUG();
6062 		break;
6063 	}
6064 
6065 	if (!reply)
6066 		goto nomem;
6067 
6068 	/* Do some failure management (Section 8.2).
6069 	 * If we remove the transport an SHUTDOWN was last sent to, don't
6070 	 * do failure management.
6071 	 */
6072 	if (asoc->shutdown_last_sent_to)
6073 		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
6074 				SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
6075 
6076 	/* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
6077 	 * the T2-shutdown timer.
6078 	 */
6079 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
6080 
6081 	/* Restart the T2-shutdown timer.  */
6082 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6083 			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
6084 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6085 	return SCTP_DISPOSITION_CONSUME;
6086 
6087 nomem:
6088 	return SCTP_DISPOSITION_NOMEM;
6089 }
6090 
6091 /*
6092  * ADDIP Section 4.1 ASCONF Chunk Procedures
6093  * If the T4 RTO timer expires the endpoint should do B1 to B5
6094  */
6095 enum sctp_disposition sctp_sf_t4_timer_expire(
6096 					struct net *net,
6097 					const struct sctp_endpoint *ep,
6098 					const struct sctp_association *asoc,
6099 					const union sctp_subtype type,
6100 					void *arg,
6101 					struct sctp_cmd_seq *commands)
6102 {
6103 	struct sctp_chunk *chunk = asoc->addip_last_asconf;
6104 	struct sctp_transport *transport = chunk->transport;
6105 
6106 	SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
6107 
6108 	/* ADDIP 4.1 B1) Increment the error counters and perform path failure
6109 	 * detection on the appropriate destination address as defined in
6110 	 * RFC2960 [5] section 8.1 and 8.2.
6111 	 */
6112 	if (transport)
6113 		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
6114 				SCTP_TRANSPORT(transport));
6115 
6116 	/* Reconfig T4 timer and transport. */
6117 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
6118 
6119 	/* ADDIP 4.1 B2) Increment the association error counters and perform
6120 	 * endpoint failure detection on the association as defined in
6121 	 * RFC2960 [5] section 8.1 and 8.2.
6122 	 * association error counter is incremented in SCTP_CMD_STRIKE.
6123 	 */
6124 	if (asoc->overall_error_count >= asoc->max_retrans) {
6125 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
6126 				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6127 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6128 				SCTP_ERROR(ETIMEDOUT));
6129 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6130 				SCTP_PERR(SCTP_ERROR_NO_ERROR));
6131 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6132 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6133 		return SCTP_DISPOSITION_ABORT;
6134 	}
6135 
6136 	/* ADDIP 4.1 B3) Back-off the destination address RTO value to which
6137 	 * the ASCONF chunk was sent by doubling the RTO timer value.
6138 	 * This is done in SCTP_CMD_STRIKE.
6139 	 */
6140 
6141 	/* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
6142 	 * choose an alternate destination address (please refer to RFC2960
6143 	 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
6144 	 * chunk, it MUST be the same (including its serial number) as the last
6145 	 * ASCONF sent.
6146 	 */
6147 	sctp_chunk_hold(asoc->addip_last_asconf);
6148 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6149 			SCTP_CHUNK(asoc->addip_last_asconf));
6150 
6151 	/* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
6152 	 * destination is selected, then the RTO used will be that of the new
6153 	 * destination address.
6154 	 */
6155 	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6156 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6157 
6158 	return SCTP_DISPOSITION_CONSUME;
6159 }
6160 
6161 /* sctpimpguide-05 Section 2.12.2
6162  * The sender of the SHUTDOWN MAY also start an overall guard timer
6163  * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
6164  * At the expiration of this timer the sender SHOULD abort the association
6165  * by sending an ABORT chunk.
6166  */
6167 enum sctp_disposition sctp_sf_t5_timer_expire(
6168 					struct net *net,
6169 					const struct sctp_endpoint *ep,
6170 					const struct sctp_association *asoc,
6171 					const union sctp_subtype type,
6172 					void *arg,
6173 					struct sctp_cmd_seq *commands)
6174 {
6175 	struct sctp_chunk *reply = NULL;
6176 
6177 	pr_debug("%s: timer T5 expired\n", __func__);
6178 
6179 	SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
6180 
6181 	reply = sctp_make_abort(asoc, NULL, 0);
6182 	if (!reply)
6183 		goto nomem;
6184 
6185 	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6186 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6187 			SCTP_ERROR(ETIMEDOUT));
6188 	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6189 			SCTP_PERR(SCTP_ERROR_NO_ERROR));
6190 
6191 	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6192 	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6193 
6194 	return SCTP_DISPOSITION_DELETE_TCB;
6195 nomem:
6196 	return SCTP_DISPOSITION_NOMEM;
6197 }
6198 
6199 /* Handle expiration of AUTOCLOSE timer.  When the autoclose timer expires,
6200  * the association is automatically closed by starting the shutdown process.
6201  * The work that needs to be done is same as when SHUTDOWN is initiated by
6202  * the user.  So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
6203  */
6204 enum sctp_disposition sctp_sf_autoclose_timer_expire(
6205 					struct net *net,
6206 					const struct sctp_endpoint *ep,
6207 					const struct sctp_association *asoc,
6208 					const union sctp_subtype type,
6209 					void *arg,
6210 					struct sctp_cmd_seq *commands)
6211 {
6212 	enum sctp_disposition disposition;
6213 
6214 	SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
6215 
6216 	/* From 9.2 Shutdown of an Association
6217 	 * Upon receipt of the SHUTDOWN primitive from its upper
6218 	 * layer, the endpoint enters SHUTDOWN-PENDING state and
6219 	 * remains there until all outstanding data has been
6220 	 * acknowledged by its peer. The endpoint accepts no new data
6221 	 * from its upper layer, but retransmits data to the far end
6222 	 * if necessary to fill gaps.
6223 	 */
6224 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
6225 			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
6226 
6227 	disposition = SCTP_DISPOSITION_CONSUME;
6228 	if (sctp_outq_is_empty(&asoc->outqueue)) {
6229 		disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
6230 							    NULL, commands);
6231 	}
6232 
6233 	return disposition;
6234 }
6235 
6236 /*****************************************************************************
6237  * These are sa state functions which could apply to all types of events.
6238  ****************************************************************************/
6239 
6240 /*
6241  * This table entry is not implemented.
6242  *
6243  * Inputs
6244  * (endpoint, asoc, chunk)
6245  *
6246  * The return value is the disposition of the chunk.
6247  */
6248 enum sctp_disposition sctp_sf_not_impl(struct net *net,
6249 				       const struct sctp_endpoint *ep,
6250 				       const struct sctp_association *asoc,
6251 				       const union sctp_subtype type,
6252 				       void *arg, struct sctp_cmd_seq *commands)
6253 {
6254 	return SCTP_DISPOSITION_NOT_IMPL;
6255 }
6256 
6257 /*
6258  * This table entry represents a bug.
6259  *
6260  * Inputs
6261  * (endpoint, asoc, chunk)
6262  *
6263  * The return value is the disposition of the chunk.
6264  */
6265 enum sctp_disposition sctp_sf_bug(struct net *net,
6266 				  const struct sctp_endpoint *ep,
6267 				  const struct sctp_association *asoc,
6268 				  const union sctp_subtype type,
6269 				  void *arg, struct sctp_cmd_seq *commands)
6270 {
6271 	return SCTP_DISPOSITION_BUG;
6272 }
6273 
6274 /*
6275  * This table entry represents the firing of a timer in the wrong state.
6276  * Since timer deletion cannot be guaranteed a timer 'may' end up firing
6277  * when the association is in the wrong state.   This event should
6278  * be ignored, so as to prevent any rearming of the timer.
6279  *
6280  * Inputs
6281  * (endpoint, asoc, chunk)
6282  *
6283  * The return value is the disposition of the chunk.
6284  */
6285 enum sctp_disposition sctp_sf_timer_ignore(struct net *net,
6286 					   const struct sctp_endpoint *ep,
6287 					   const struct sctp_association *asoc,
6288 					   const union sctp_subtype type,
6289 					   void *arg,
6290 					   struct sctp_cmd_seq *commands)
6291 {
6292 	pr_debug("%s: timer %d ignored\n", __func__, type.chunk);
6293 
6294 	return SCTP_DISPOSITION_CONSUME;
6295 }
6296 
6297 /********************************************************************
6298  * 2nd Level Abstractions
6299  ********************************************************************/
6300 
6301 /* Pull the SACK chunk based on the SACK header. */
6302 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
6303 {
6304 	struct sctp_sackhdr *sack;
6305 	__u16 num_dup_tsns;
6306 	unsigned int len;
6307 	__u16 num_blocks;
6308 
6309 	/* Protect ourselves from reading too far into
6310 	 * the skb from a bogus sender.
6311 	 */
6312 	sack = (struct sctp_sackhdr *) chunk->skb->data;
6313 
6314 	num_blocks = ntohs(sack->num_gap_ack_blocks);
6315 	num_dup_tsns = ntohs(sack->num_dup_tsns);
6316 	len = sizeof(struct sctp_sackhdr);
6317 	len += (num_blocks + num_dup_tsns) * sizeof(__u32);
6318 	if (len > chunk->skb->len)
6319 		return NULL;
6320 
6321 	skb_pull(chunk->skb, len);
6322 
6323 	return sack;
6324 }
6325 
6326 /* Create an ABORT packet to be sent as a response, with the specified
6327  * error causes.
6328  */
6329 static struct sctp_packet *sctp_abort_pkt_new(
6330 					struct net *net,
6331 					const struct sctp_endpoint *ep,
6332 					const struct sctp_association *asoc,
6333 					struct sctp_chunk *chunk,
6334 					const void *payload, size_t paylen)
6335 {
6336 	struct sctp_packet *packet;
6337 	struct sctp_chunk *abort;
6338 
6339 	packet = sctp_ootb_pkt_new(net, asoc, chunk);
6340 
6341 	if (packet) {
6342 		/* Make an ABORT.
6343 		 * The T bit will be set if the asoc is NULL.
6344 		 */
6345 		abort = sctp_make_abort(asoc, chunk, paylen);
6346 		if (!abort) {
6347 			sctp_ootb_pkt_free(packet);
6348 			return NULL;
6349 		}
6350 
6351 		/* Reflect vtag if T-Bit is set */
6352 		if (sctp_test_T_bit(abort))
6353 			packet->vtag = ntohl(chunk->sctp_hdr->vtag);
6354 
6355 		/* Add specified error causes, i.e., payload, to the
6356 		 * end of the chunk.
6357 		 */
6358 		sctp_addto_chunk(abort, paylen, payload);
6359 
6360 		/* Set the skb to the belonging sock for accounting.  */
6361 		abort->skb->sk = ep->base.sk;
6362 
6363 		sctp_packet_append_chunk(packet, abort);
6364 
6365 	}
6366 
6367 	return packet;
6368 }
6369 
6370 /* Allocate a packet for responding in the OOTB conditions.  */
6371 static struct sctp_packet *sctp_ootb_pkt_new(
6372 					struct net *net,
6373 					const struct sctp_association *asoc,
6374 					const struct sctp_chunk *chunk)
6375 {
6376 	struct sctp_transport *transport;
6377 	struct sctp_packet *packet;
6378 	__u16 sport, dport;
6379 	__u32 vtag;
6380 
6381 	/* Get the source and destination port from the inbound packet.  */
6382 	sport = ntohs(chunk->sctp_hdr->dest);
6383 	dport = ntohs(chunk->sctp_hdr->source);
6384 
6385 	/* The V-tag is going to be the same as the inbound packet if no
6386 	 * association exists, otherwise, use the peer's vtag.
6387 	 */
6388 	if (asoc) {
6389 		/* Special case the INIT-ACK as there is no peer's vtag
6390 		 * yet.
6391 		 */
6392 		switch (chunk->chunk_hdr->type) {
6393 		case SCTP_CID_INIT:
6394 		case SCTP_CID_INIT_ACK:
6395 		{
6396 			struct sctp_initack_chunk *initack;
6397 
6398 			initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
6399 			vtag = ntohl(initack->init_hdr.init_tag);
6400 			break;
6401 		}
6402 		default:
6403 			vtag = asoc->peer.i.init_tag;
6404 			break;
6405 		}
6406 	} else {
6407 		/* Special case the INIT and stale COOKIE_ECHO as there is no
6408 		 * vtag yet.
6409 		 */
6410 		switch (chunk->chunk_hdr->type) {
6411 		case SCTP_CID_INIT:
6412 		{
6413 			struct sctp_init_chunk *init;
6414 
6415 			init = (struct sctp_init_chunk *)chunk->chunk_hdr;
6416 			vtag = ntohl(init->init_hdr.init_tag);
6417 			break;
6418 		}
6419 		default:
6420 			vtag = ntohl(chunk->sctp_hdr->vtag);
6421 			break;
6422 		}
6423 	}
6424 
6425 	/* Make a transport for the bucket, Eliza... */
6426 	transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6427 	if (!transport)
6428 		goto nomem;
6429 
6430 	transport->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port;
6431 
6432 	/* Cache a route for the transport with the chunk's destination as
6433 	 * the source address.
6434 	 */
6435 	sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6436 			     sctp_sk(net->sctp.ctl_sock));
6437 
6438 	packet = &transport->packet;
6439 	sctp_packet_init(packet, transport, sport, dport);
6440 	sctp_packet_config(packet, vtag, 0);
6441 
6442 	return packet;
6443 
6444 nomem:
6445 	return NULL;
6446 }
6447 
6448 /* Free the packet allocated earlier for responding in the OOTB condition.  */
6449 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6450 {
6451 	sctp_transport_free(packet->transport);
6452 }
6453 
6454 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found  */
6455 static void sctp_send_stale_cookie_err(struct net *net,
6456 				       const struct sctp_endpoint *ep,
6457 				       const struct sctp_association *asoc,
6458 				       const struct sctp_chunk *chunk,
6459 				       struct sctp_cmd_seq *commands,
6460 				       struct sctp_chunk *err_chunk)
6461 {
6462 	struct sctp_packet *packet;
6463 
6464 	if (err_chunk) {
6465 		packet = sctp_ootb_pkt_new(net, asoc, chunk);
6466 		if (packet) {
6467 			struct sctp_signed_cookie *cookie;
6468 
6469 			/* Override the OOTB vtag from the cookie. */
6470 			cookie = chunk->subh.cookie_hdr;
6471 			packet->vtag = cookie->c.peer_vtag;
6472 
6473 			/* Set the skb to the belonging sock for accounting. */
6474 			err_chunk->skb->sk = ep->base.sk;
6475 			sctp_packet_append_chunk(packet, err_chunk);
6476 			sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6477 					SCTP_PACKET(packet));
6478 			SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6479 		} else
6480 			sctp_chunk_free (err_chunk);
6481 	}
6482 }
6483 
6484 
6485 /* Process a data chunk */
6486 static int sctp_eat_data(const struct sctp_association *asoc,
6487 			 struct sctp_chunk *chunk,
6488 			 struct sctp_cmd_seq *commands)
6489 {
6490 	struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6491 	struct sock *sk = asoc->base.sk;
6492 	struct net *net = sock_net(sk);
6493 	struct sctp_datahdr *data_hdr;
6494 	struct sctp_chunk *err;
6495 	enum sctp_verb deliver;
6496 	size_t datalen;
6497 	__u32 tsn;
6498 	int tmp;
6499 
6500 	data_hdr = (struct sctp_datahdr *)chunk->skb->data;
6501 	chunk->subh.data_hdr = data_hdr;
6502 	skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream));
6503 
6504 	tsn = ntohl(data_hdr->tsn);
6505 	pr_debug("%s: TSN 0x%x\n", __func__, tsn);
6506 
6507 	/* ASSERT:  Now skb->data is really the user data.  */
6508 
6509 	/* Process ECN based congestion.
6510 	 *
6511 	 * Since the chunk structure is reused for all chunks within
6512 	 * a packet, we use ecn_ce_done to track if we've already
6513 	 * done CE processing for this packet.
6514 	 *
6515 	 * We need to do ECN processing even if we plan to discard the
6516 	 * chunk later.
6517 	 */
6518 
6519 	if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) {
6520 		struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af;
6521 		chunk->ecn_ce_done = 1;
6522 
6523 		if (af->is_ce(sctp_gso_headskb(chunk->skb))) {
6524 			/* Do real work as side effect. */
6525 			sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6526 					SCTP_U32(tsn));
6527 		}
6528 	}
6529 
6530 	tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6531 	if (tmp < 0) {
6532 		/* The TSN is too high--silently discard the chunk and
6533 		 * count on it getting retransmitted later.
6534 		 */
6535 		if (chunk->asoc)
6536 			chunk->asoc->stats.outofseqtsns++;
6537 		return SCTP_IERROR_HIGH_TSN;
6538 	} else if (tmp > 0) {
6539 		/* This is a duplicate.  Record it.  */
6540 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6541 		return SCTP_IERROR_DUP_TSN;
6542 	}
6543 
6544 	/* This is a new TSN.  */
6545 
6546 	/* Discard if there is no room in the receive window.
6547 	 * Actually, allow a little bit of overflow (up to a MTU).
6548 	 */
6549 	datalen = ntohs(chunk->chunk_hdr->length);
6550 	datalen -= sctp_datachk_len(&asoc->stream);
6551 
6552 	deliver = SCTP_CMD_CHUNK_ULP;
6553 
6554 	/* Think about partial delivery. */
6555 	if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6556 
6557 		/* Even if we don't accept this chunk there is
6558 		 * memory pressure.
6559 		 */
6560 		sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6561 	}
6562 
6563 	/* Spill over rwnd a little bit.  Note: While allowed, this spill over
6564 	 * seems a bit troublesome in that frag_point varies based on
6565 	 * PMTU.  In cases, such as loopback, this might be a rather
6566 	 * large spill over.
6567 	 */
6568 	if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6569 	    (datalen > asoc->rwnd + asoc->frag_point))) {
6570 
6571 		/* If this is the next TSN, consider reneging to make
6572 		 * room.   Note: Playing nice with a confused sender.  A
6573 		 * malicious sender can still eat up all our buffer
6574 		 * space and in the future we may want to detect and
6575 		 * do more drastic reneging.
6576 		 */
6577 		if (sctp_tsnmap_has_gap(map) &&
6578 		    (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6579 			pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
6580 			deliver = SCTP_CMD_RENEGE;
6581 		} else {
6582 			pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
6583 				 __func__, tsn, datalen, asoc->rwnd);
6584 
6585 			return SCTP_IERROR_IGNORE_TSN;
6586 		}
6587 	}
6588 
6589 	/*
6590 	 * Also try to renege to limit our memory usage in the event that
6591 	 * we are under memory pressure
6592 	 * If we can't renege, don't worry about it, the sk_rmem_schedule
6593 	 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6594 	 * memory usage too much
6595 	 */
6596 	if (sk_under_memory_pressure(sk)) {
6597 		if (sctp_tsnmap_has_gap(map) &&
6598 		    (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6599 			pr_debug("%s: under pressure, reneging for tsn:%u\n",
6600 				 __func__, tsn);
6601 			deliver = SCTP_CMD_RENEGE;
6602 		}
6603 	}
6604 
6605 	/*
6606 	 * Section 3.3.10.9 No User Data (9)
6607 	 *
6608 	 * Cause of error
6609 	 * ---------------
6610 	 * No User Data:  This error cause is returned to the originator of a
6611 	 * DATA chunk if a received DATA chunk has no user data.
6612 	 */
6613 	if (unlikely(0 == datalen)) {
6614 		err = sctp_make_abort_no_data(asoc, chunk, tsn);
6615 		if (err) {
6616 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6617 					SCTP_CHUNK(err));
6618 		}
6619 		/* We are going to ABORT, so we might as well stop
6620 		 * processing the rest of the chunks in the packet.
6621 		 */
6622 		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
6623 		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6624 				SCTP_ERROR(ECONNABORTED));
6625 		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6626 				SCTP_PERR(SCTP_ERROR_NO_DATA));
6627 		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6628 		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6629 		return SCTP_IERROR_NO_DATA;
6630 	}
6631 
6632 	chunk->data_accepted = 1;
6633 
6634 	/* Note: Some chunks may get overcounted (if we drop) or overcounted
6635 	 * if we renege and the chunk arrives again.
6636 	 */
6637 	if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6638 		SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6639 		if (chunk->asoc)
6640 			chunk->asoc->stats.iuodchunks++;
6641 	} else {
6642 		SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6643 		if (chunk->asoc)
6644 			chunk->asoc->stats.iodchunks++;
6645 	}
6646 
6647 	/* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6648 	 *
6649 	 * If an endpoint receive a DATA chunk with an invalid stream
6650 	 * identifier, it shall acknowledge the reception of the DATA chunk
6651 	 * following the normal procedure, immediately send an ERROR chunk
6652 	 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6653 	 * and discard the DATA chunk.
6654 	 */
6655 	if (ntohs(data_hdr->stream) >= asoc->stream.incnt) {
6656 		/* Mark tsn as received even though we drop it */
6657 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6658 
6659 		err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6660 					 &data_hdr->stream,
6661 					 sizeof(data_hdr->stream),
6662 					 sizeof(u16));
6663 		if (err)
6664 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6665 					SCTP_CHUNK(err));
6666 		return SCTP_IERROR_BAD_STREAM;
6667 	}
6668 
6669 	/* Check to see if the SSN is possible for this TSN.
6670 	 * The biggest gap we can record is 4K wide.  Since SSNs wrap
6671 	 * at an unsigned short, there is no way that an SSN can
6672 	 * wrap and for a valid TSN.  We can simply check if the current
6673 	 * SSN is smaller then the next expected one.  If it is, it wrapped
6674 	 * and is invalid.
6675 	 */
6676 	if (!asoc->stream.si->validate_data(chunk))
6677 		return SCTP_IERROR_PROTO_VIOLATION;
6678 
6679 	/* Send the data up to the user.  Note:  Schedule  the
6680 	 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6681 	 * chunk needs the updated rwnd.
6682 	 */
6683 	sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6684 
6685 	return SCTP_IERROR_NO_ERROR;
6686 }
6687