1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* SCTP kernel implementation 3 * (C) Copyright IBM Corp. 2001, 2004 4 * Copyright (c) 1999-2000 Cisco, Inc. 5 * Copyright (c) 1999-2001 Motorola, Inc. 6 * Copyright (c) 2001-2002 Intel Corp. 7 * Copyright (c) 2002 Nokia Corp. 8 * 9 * This is part of the SCTP Linux Kernel Implementation. 10 * 11 * These are the state functions for the state machine. 12 * 13 * Please send any bug reports or fixes you make to the 14 * email address(es): 15 * lksctp developers <linux-sctp@vger.kernel.org> 16 * 17 * Written or modified by: 18 * La Monte H.P. Yarroll <piggy@acm.org> 19 * Karl Knutson <karl@athena.chicago.il.us> 20 * Mathew Kotowsky <kotowsky@sctp.org> 21 * Sridhar Samudrala <samudrala@us.ibm.com> 22 * Jon Grimm <jgrimm@us.ibm.com> 23 * Hui Huang <hui.huang@nokia.com> 24 * Dajiang Zhang <dajiang.zhang@nokia.com> 25 * Daisy Chang <daisyc@us.ibm.com> 26 * Ardelle Fan <ardelle.fan@intel.com> 27 * Ryan Layer <rmlayer@us.ibm.com> 28 * Kevin Gao <kevin.gao@intel.com> 29 */ 30 31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 32 33 #include <linux/types.h> 34 #include <linux/kernel.h> 35 #include <linux/ip.h> 36 #include <linux/ipv6.h> 37 #include <linux/net.h> 38 #include <linux/inet.h> 39 #include <linux/slab.h> 40 #include <net/sock.h> 41 #include <net/inet_ecn.h> 42 #include <linux/skbuff.h> 43 #include <net/sctp/sctp.h> 44 #include <net/sctp/sm.h> 45 #include <net/sctp/structs.h> 46 47 #define CREATE_TRACE_POINTS 48 #include <trace/events/sctp.h> 49 50 static struct sctp_packet *sctp_abort_pkt_new( 51 struct net *net, 52 const struct sctp_endpoint *ep, 53 const struct sctp_association *asoc, 54 struct sctp_chunk *chunk, 55 const void *payload, size_t paylen); 56 static int sctp_eat_data(const struct sctp_association *asoc, 57 struct sctp_chunk *chunk, 58 struct sctp_cmd_seq *commands); 59 static struct sctp_packet *sctp_ootb_pkt_new( 60 struct net *net, 61 const struct sctp_association *asoc, 62 const struct sctp_chunk *chunk); 63 static void sctp_send_stale_cookie_err(struct net *net, 64 const struct sctp_endpoint *ep, 65 const struct sctp_association *asoc, 66 const struct sctp_chunk *chunk, 67 struct sctp_cmd_seq *commands, 68 struct sctp_chunk *err_chunk); 69 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 70 struct net *net, 71 const struct sctp_endpoint *ep, 72 const struct sctp_association *asoc, 73 const union sctp_subtype type, 74 void *arg, 75 struct sctp_cmd_seq *commands); 76 static enum sctp_disposition sctp_sf_shut_8_4_5( 77 struct net *net, 78 const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const union sctp_subtype type, 81 void *arg, 82 struct sctp_cmd_seq *commands); 83 static enum sctp_disposition sctp_sf_tabort_8_4_8( 84 struct net *net, 85 const struct sctp_endpoint *ep, 86 const struct sctp_association *asoc, 87 const union sctp_subtype type, 88 void *arg, 89 struct sctp_cmd_seq *commands); 90 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 91 92 static enum sctp_disposition sctp_stop_t1_and_abort( 93 struct net *net, 94 struct sctp_cmd_seq *commands, 95 __be16 error, int sk_err, 96 const struct sctp_association *asoc, 97 struct sctp_transport *transport); 98 99 static enum sctp_disposition sctp_sf_abort_violation( 100 struct net *net, 101 const struct sctp_endpoint *ep, 102 const struct sctp_association *asoc, 103 void *arg, 104 struct sctp_cmd_seq *commands, 105 const __u8 *payload, 106 const size_t paylen); 107 108 static enum sctp_disposition sctp_sf_violation_chunklen( 109 struct net *net, 110 const struct sctp_endpoint *ep, 111 const struct sctp_association *asoc, 112 const union sctp_subtype type, 113 void *arg, 114 struct sctp_cmd_seq *commands); 115 116 static enum sctp_disposition sctp_sf_violation_paramlen( 117 struct net *net, 118 const struct sctp_endpoint *ep, 119 const struct sctp_association *asoc, 120 const union sctp_subtype type, 121 void *arg, void *ext, 122 struct sctp_cmd_seq *commands); 123 124 static enum sctp_disposition sctp_sf_violation_ctsn( 125 struct net *net, 126 const struct sctp_endpoint *ep, 127 const struct sctp_association *asoc, 128 const union sctp_subtype type, 129 void *arg, 130 struct sctp_cmd_seq *commands); 131 132 static enum sctp_disposition sctp_sf_violation_chunk( 133 struct net *net, 134 const struct sctp_endpoint *ep, 135 const struct sctp_association *asoc, 136 const union sctp_subtype type, 137 void *arg, 138 struct sctp_cmd_seq *commands); 139 140 static enum sctp_ierror sctp_sf_authenticate( 141 const struct sctp_association *asoc, 142 struct sctp_chunk *chunk); 143 144 static enum sctp_disposition __sctp_sf_do_9_1_abort( 145 struct net *net, 146 const struct sctp_endpoint *ep, 147 const struct sctp_association *asoc, 148 const union sctp_subtype type, 149 void *arg, 150 struct sctp_cmd_seq *commands); 151 152 /* Small helper function that checks if the chunk length 153 * is of the appropriate length. The 'required_length' argument 154 * is set to be the size of a specific chunk we are testing. 155 * Return Values: true = Valid length 156 * false = Invalid length 157 * 158 */ 159 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, 160 __u16 required_length) 161 { 162 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 163 164 /* Previously already marked? */ 165 if (unlikely(chunk->pdiscard)) 166 return false; 167 if (unlikely(chunk_length < required_length)) 168 return false; 169 170 return true; 171 } 172 173 /* Check for format error in an ABORT chunk */ 174 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) 175 { 176 struct sctp_errhdr *err; 177 178 sctp_walk_errors(err, chunk->chunk_hdr); 179 180 return (void *)err == (void *)chunk->chunk_end; 181 } 182 183 /********************************************************** 184 * These are the state functions for handling chunk events. 185 **********************************************************/ 186 187 /* 188 * Process the final SHUTDOWN COMPLETE. 189 * 190 * Section: 4 (C) (diagram), 9.2 191 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 192 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 193 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 194 * should stop the T2-shutdown timer and remove all knowledge of the 195 * association (and thus the association enters the CLOSED state). 196 * 197 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 198 * C) Rules for packet carrying SHUTDOWN COMPLETE: 199 * ... 200 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 201 * if the Verification Tag field of the packet matches its own tag and 202 * the T bit is not set 203 * OR 204 * it is set to its peer's tag and the T bit is set in the Chunk 205 * Flags. 206 * Otherwise, the receiver MUST silently discard the packet 207 * and take no further action. An endpoint MUST ignore the 208 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 209 * 210 * Inputs 211 * (endpoint, asoc, chunk) 212 * 213 * Outputs 214 * (asoc, reply_msg, msg_up, timers, counters) 215 * 216 * The return value is the disposition of the chunk. 217 */ 218 enum sctp_disposition sctp_sf_do_4_C(struct net *net, 219 const struct sctp_endpoint *ep, 220 const struct sctp_association *asoc, 221 const union sctp_subtype type, 222 void *arg, struct sctp_cmd_seq *commands) 223 { 224 struct sctp_chunk *chunk = arg; 225 struct sctp_ulpevent *ev; 226 227 if (!sctp_vtag_verify_either(chunk, asoc)) 228 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 229 230 /* RFC 2960 6.10 Bundling 231 * 232 * An endpoint MUST NOT bundle INIT, INIT ACK or 233 * SHUTDOWN COMPLETE with any other chunks. 234 */ 235 if (!chunk->singleton) 236 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 237 238 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 239 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 240 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 241 commands); 242 243 /* RFC 2960 10.2 SCTP-to-ULP 244 * 245 * H) SHUTDOWN COMPLETE notification 246 * 247 * When SCTP completes the shutdown procedures (section 9.2) this 248 * notification is passed to the upper layer. 249 */ 250 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 251 0, 0, 0, NULL, GFP_ATOMIC); 252 if (ev) 253 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 254 SCTP_ULPEVENT(ev)); 255 256 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 257 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 258 * not the chunk should be discarded. If the endpoint is in 259 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 260 * T2-shutdown timer and remove all knowledge of the 261 * association (and thus the association enters the CLOSED 262 * state). 263 */ 264 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 265 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 266 267 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 268 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 269 270 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 271 SCTP_STATE(SCTP_STATE_CLOSED)); 272 273 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 274 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 275 276 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 277 278 return SCTP_DISPOSITION_DELETE_TCB; 279 } 280 281 /* 282 * Respond to a normal INIT chunk. 283 * We are the side that is being asked for an association. 284 * 285 * Section: 5.1 Normal Establishment of an Association, B 286 * B) "Z" shall respond immediately with an INIT ACK chunk. The 287 * destination IP address of the INIT ACK MUST be set to the source 288 * IP address of the INIT to which this INIT ACK is responding. In 289 * the response, besides filling in other parameters, "Z" must set the 290 * Verification Tag field to Tag_A, and also provide its own 291 * Verification Tag (Tag_Z) in the Initiate Tag field. 292 * 293 * Verification Tag: Must be 0. 294 * 295 * Inputs 296 * (endpoint, asoc, chunk) 297 * 298 * Outputs 299 * (asoc, reply_msg, msg_up, timers, counters) 300 * 301 * The return value is the disposition of the chunk. 302 */ 303 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, 304 const struct sctp_endpoint *ep, 305 const struct sctp_association *asoc, 306 const union sctp_subtype type, 307 void *arg, 308 struct sctp_cmd_seq *commands) 309 { 310 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 311 struct sctp_unrecognized_param *unk_param; 312 struct sctp_association *new_asoc; 313 struct sctp_packet *packet; 314 int len; 315 316 /* Update socket peer label if first association. */ 317 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 318 chunk->skb)) 319 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 320 321 /* 6.10 Bundling 322 * An endpoint MUST NOT bundle INIT, INIT ACK or 323 * SHUTDOWN COMPLETE with any other chunks. 324 * 325 * IG Section 2.11.2 326 * Furthermore, we require that the receiver of an INIT chunk MUST 327 * enforce these rules by silently discarding an arriving packet 328 * with an INIT chunk that is bundled with other chunks. 329 */ 330 if (!chunk->singleton) 331 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 332 333 /* If the packet is an OOTB packet which is temporarily on the 334 * control endpoint, respond with an ABORT. 335 */ 336 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 337 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 338 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 339 } 340 341 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 342 * Tag. 343 */ 344 if (chunk->sctp_hdr->vtag != 0) 345 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 346 347 /* Make sure that the INIT chunk has a valid length. 348 * Normally, this would cause an ABORT with a Protocol Violation 349 * error, but since we don't have an association, we'll 350 * just discard the packet. 351 */ 352 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 353 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 354 355 /* If the INIT is coming toward a closing socket, we'll send back 356 * and ABORT. Essentially, this catches the race of INIT being 357 * backloged to the socket at the same time as the user isses close(). 358 * Since the socket and all its associations are going away, we 359 * can treat this OOTB 360 */ 361 if (sctp_sstate(ep->base.sk, CLOSING)) 362 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 363 364 /* Verify the INIT chunk before processing it. */ 365 err_chunk = NULL; 366 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 367 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 368 &err_chunk)) { 369 /* This chunk contains fatal error. It is to be discarded. 370 * Send an ABORT, with causes if there is any. 371 */ 372 if (err_chunk) { 373 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 374 (__u8 *)(err_chunk->chunk_hdr) + 375 sizeof(struct sctp_chunkhdr), 376 ntohs(err_chunk->chunk_hdr->length) - 377 sizeof(struct sctp_chunkhdr)); 378 379 sctp_chunk_free(err_chunk); 380 381 if (packet) { 382 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 383 SCTP_PACKET(packet)); 384 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 385 return SCTP_DISPOSITION_CONSUME; 386 } else { 387 return SCTP_DISPOSITION_NOMEM; 388 } 389 } else { 390 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 391 commands); 392 } 393 } 394 395 /* Grab the INIT header. */ 396 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 397 398 /* Tag the variable length parameters. */ 399 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 400 401 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 402 if (!new_asoc) 403 goto nomem; 404 405 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 406 sctp_scope(sctp_source(chunk)), 407 GFP_ATOMIC) < 0) 408 goto nomem_init; 409 410 /* The call, sctp_process_init(), can fail on memory allocation. */ 411 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 412 (struct sctp_init_chunk *)chunk->chunk_hdr, 413 GFP_ATOMIC)) 414 goto nomem_init; 415 416 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 417 418 /* If there are errors need to be reported for unknown parameters, 419 * make sure to reserve enough room in the INIT ACK for them. 420 */ 421 len = 0; 422 if (err_chunk) 423 len = ntohs(err_chunk->chunk_hdr->length) - 424 sizeof(struct sctp_chunkhdr); 425 426 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 427 if (!repl) 428 goto nomem_init; 429 430 /* If there are errors need to be reported for unknown parameters, 431 * include them in the outgoing INIT ACK as "Unrecognized parameter" 432 * parameter. 433 */ 434 if (err_chunk) { 435 /* Get the "Unrecognized parameter" parameter(s) out of the 436 * ERROR chunk generated by sctp_verify_init(). Since the 437 * error cause code for "unknown parameter" and the 438 * "Unrecognized parameter" type is the same, we can 439 * construct the parameters in INIT ACK by copying the 440 * ERROR causes over. 441 */ 442 unk_param = (struct sctp_unrecognized_param *) 443 ((__u8 *)(err_chunk->chunk_hdr) + 444 sizeof(struct sctp_chunkhdr)); 445 /* Replace the cause code with the "Unrecognized parameter" 446 * parameter type. 447 */ 448 sctp_addto_chunk(repl, len, unk_param); 449 sctp_chunk_free(err_chunk); 450 } 451 452 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 453 454 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 455 456 /* 457 * Note: After sending out INIT ACK with the State Cookie parameter, 458 * "Z" MUST NOT allocate any resources, nor keep any states for the 459 * new association. Otherwise, "Z" will be vulnerable to resource 460 * attacks. 461 */ 462 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 463 464 return SCTP_DISPOSITION_DELETE_TCB; 465 466 nomem_init: 467 sctp_association_free(new_asoc); 468 nomem: 469 if (err_chunk) 470 sctp_chunk_free(err_chunk); 471 return SCTP_DISPOSITION_NOMEM; 472 } 473 474 /* 475 * Respond to a normal INIT ACK chunk. 476 * We are the side that is initiating the association. 477 * 478 * Section: 5.1 Normal Establishment of an Association, C 479 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 480 * timer and leave COOKIE-WAIT state. "A" shall then send the State 481 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 482 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 483 * 484 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 485 * DATA chunks, but it MUST be the first chunk in the packet and 486 * until the COOKIE ACK is returned the sender MUST NOT send any 487 * other packets to the peer. 488 * 489 * Verification Tag: 3.3.3 490 * If the value of the Initiate Tag in a received INIT ACK chunk is 491 * found to be 0, the receiver MUST treat it as an error and close the 492 * association by transmitting an ABORT. 493 * 494 * Inputs 495 * (endpoint, asoc, chunk) 496 * 497 * Outputs 498 * (asoc, reply_msg, msg_up, timers, counters) 499 * 500 * The return value is the disposition of the chunk. 501 */ 502 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, 503 const struct sctp_endpoint *ep, 504 const struct sctp_association *asoc, 505 const union sctp_subtype type, 506 void *arg, 507 struct sctp_cmd_seq *commands) 508 { 509 struct sctp_init_chunk *initchunk; 510 struct sctp_chunk *chunk = arg; 511 struct sctp_chunk *err_chunk; 512 struct sctp_packet *packet; 513 514 if (!sctp_vtag_verify(chunk, asoc)) 515 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 516 517 /* 6.10 Bundling 518 * An endpoint MUST NOT bundle INIT, INIT ACK or 519 * SHUTDOWN COMPLETE with any other chunks. 520 */ 521 if (!chunk->singleton) 522 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 523 524 /* Make sure that the INIT-ACK chunk has a valid length */ 525 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) 526 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 527 commands); 528 /* Grab the INIT header. */ 529 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 530 531 /* Verify the INIT chunk before processing it. */ 532 err_chunk = NULL; 533 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 534 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 535 &err_chunk)) { 536 537 enum sctp_error error = SCTP_ERROR_NO_RESOURCE; 538 539 /* This chunk contains fatal error. It is to be discarded. 540 * Send an ABORT, with causes. If there are no causes, 541 * then there wasn't enough memory. Just terminate 542 * the association. 543 */ 544 if (err_chunk) { 545 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 546 (__u8 *)(err_chunk->chunk_hdr) + 547 sizeof(struct sctp_chunkhdr), 548 ntohs(err_chunk->chunk_hdr->length) - 549 sizeof(struct sctp_chunkhdr)); 550 551 sctp_chunk_free(err_chunk); 552 553 if (packet) { 554 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 555 SCTP_PACKET(packet)); 556 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 557 error = SCTP_ERROR_INV_PARAM; 558 } 559 } 560 561 /* SCTP-AUTH, Section 6.3: 562 * It should be noted that if the receiver wants to tear 563 * down an association in an authenticated way only, the 564 * handling of malformed packets should not result in 565 * tearing down the association. 566 * 567 * This means that if we only want to abort associations 568 * in an authenticated way (i.e AUTH+ABORT), then we 569 * can't destroy this association just because the packet 570 * was malformed. 571 */ 572 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 573 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 574 575 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 576 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 577 asoc, chunk->transport); 578 } 579 580 /* Tag the variable length parameters. Note that we never 581 * convert the parameters in an INIT chunk. 582 */ 583 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 584 585 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; 586 587 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 588 SCTP_PEER_INIT(initchunk)); 589 590 /* Reset init error count upon receipt of INIT-ACK. */ 591 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 592 593 /* 5.1 C) "A" shall stop the T1-init timer and leave 594 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 595 * timer, and enter the COOKIE-ECHOED state. 596 */ 597 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 598 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 599 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 600 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 601 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 602 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 603 604 /* SCTP-AUTH: genereate the assocition shared keys so that 605 * we can potentially signe the COOKIE-ECHO. 606 */ 607 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 608 609 /* 5.1 C) "A" shall then send the State Cookie received in the 610 * INIT ACK chunk in a COOKIE ECHO chunk, ... 611 */ 612 /* If there is any errors to report, send the ERROR chunk generated 613 * for unknown parameters as well. 614 */ 615 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 616 SCTP_CHUNK(err_chunk)); 617 618 return SCTP_DISPOSITION_CONSUME; 619 } 620 621 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk, 622 const struct sctp_association *asoc) 623 { 624 struct sctp_chunk auth; 625 626 if (!chunk->auth_chunk) 627 return true; 628 629 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 630 * is supposed to be authenticated and we have to do delayed 631 * authentication. We've just recreated the association using 632 * the information in the cookie and now it's much easier to 633 * do the authentication. 634 */ 635 636 /* Make sure that we and the peer are AUTH capable */ 637 if (!net->sctp.auth_enable || !asoc->peer.auth_capable) 638 return false; 639 640 /* set-up our fake chunk so that we can process it */ 641 auth.skb = chunk->auth_chunk; 642 auth.asoc = chunk->asoc; 643 auth.sctp_hdr = chunk->sctp_hdr; 644 auth.chunk_hdr = (struct sctp_chunkhdr *) 645 skb_push(chunk->auth_chunk, 646 sizeof(struct sctp_chunkhdr)); 647 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); 648 auth.transport = chunk->transport; 649 650 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR; 651 } 652 653 /* 654 * Respond to a normal COOKIE ECHO chunk. 655 * We are the side that is being asked for an association. 656 * 657 * Section: 5.1 Normal Establishment of an Association, D 658 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 659 * with a COOKIE ACK chunk after building a TCB and moving to 660 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 661 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 662 * chunk MUST be the first chunk in the packet. 663 * 664 * IMPLEMENTATION NOTE: An implementation may choose to send the 665 * Communication Up notification to the SCTP user upon reception 666 * of a valid COOKIE ECHO chunk. 667 * 668 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 669 * D) Rules for packet carrying a COOKIE ECHO 670 * 671 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 672 * Initial Tag received in the INIT ACK. 673 * 674 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 675 * 676 * Inputs 677 * (endpoint, asoc, chunk) 678 * 679 * Outputs 680 * (asoc, reply_msg, msg_up, timers, counters) 681 * 682 * The return value is the disposition of the chunk. 683 */ 684 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 685 const struct sctp_endpoint *ep, 686 const struct sctp_association *asoc, 687 const union sctp_subtype type, 688 void *arg, 689 struct sctp_cmd_seq *commands) 690 { 691 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; 692 struct sctp_association *new_asoc; 693 struct sctp_init_chunk *peer_init; 694 struct sctp_chunk *chunk = arg; 695 struct sctp_chunk *err_chk_p; 696 struct sctp_chunk *repl; 697 struct sock *sk; 698 int error = 0; 699 700 /* If the packet is an OOTB packet which is temporarily on the 701 * control endpoint, respond with an ABORT. 702 */ 703 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 704 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 705 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 706 } 707 708 /* Make sure that the COOKIE_ECHO chunk has a valid length. 709 * In this case, we check that we have enough for at least a 710 * chunk header. More detailed verification is done 711 * in sctp_unpack_cookie(). 712 */ 713 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 714 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 715 716 /* If the endpoint is not listening or if the number of associations 717 * on the TCP-style socket exceed the max backlog, respond with an 718 * ABORT. 719 */ 720 sk = ep->base.sk; 721 if (!sctp_sstate(sk, LISTENING) || 722 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 723 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 724 725 /* "Decode" the chunk. We have no optional parameters so we 726 * are in good shape. 727 */ 728 chunk->subh.cookie_hdr = 729 (struct sctp_signed_cookie *)chunk->skb->data; 730 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 731 sizeof(struct sctp_chunkhdr))) 732 goto nomem; 733 734 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 735 * "Z" will reply with a COOKIE ACK chunk after building a TCB 736 * and moving to the ESTABLISHED state. 737 */ 738 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 739 &err_chk_p); 740 741 /* FIXME: 742 * If the re-build failed, what is the proper error path 743 * from here? 744 * 745 * [We should abort the association. --piggy] 746 */ 747 if (!new_asoc) { 748 /* FIXME: Several errors are possible. A bad cookie should 749 * be silently discarded, but think about logging it too. 750 */ 751 switch (error) { 752 case -SCTP_IERROR_NOMEM: 753 goto nomem; 754 755 case -SCTP_IERROR_STALE_COOKIE: 756 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 757 err_chk_p); 758 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 759 760 case -SCTP_IERROR_BAD_SIG: 761 default: 762 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 763 } 764 } 765 766 767 /* Delay state machine commands until later. 768 * 769 * Re-build the bind address for the association is done in 770 * the sctp_unpack_cookie() already. 771 */ 772 /* This is a brand-new association, so these are not yet side 773 * effects--it is safe to run them here. 774 */ 775 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 776 777 if (!sctp_process_init(new_asoc, chunk, 778 &chunk->subh.cookie_hdr->c.peer_addr, 779 peer_init, GFP_ATOMIC)) 780 goto nomem_init; 781 782 /* SCTP-AUTH: Now that we've populate required fields in 783 * sctp_process_init, set up the assocaition shared keys as 784 * necessary so that we can potentially authenticate the ACK 785 */ 786 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 787 if (error) 788 goto nomem_init; 789 790 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) { 791 sctp_association_free(new_asoc); 792 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 793 } 794 795 repl = sctp_make_cookie_ack(new_asoc, chunk); 796 if (!repl) 797 goto nomem_init; 798 799 /* RFC 2960 5.1 Normal Establishment of an Association 800 * 801 * D) IMPLEMENTATION NOTE: An implementation may choose to 802 * send the Communication Up notification to the SCTP user 803 * upon reception of a valid COOKIE ECHO chunk. 804 */ 805 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 806 new_asoc->c.sinit_num_ostreams, 807 new_asoc->c.sinit_max_instreams, 808 NULL, GFP_ATOMIC); 809 if (!ev) 810 goto nomem_ev; 811 812 /* Sockets API Draft Section 5.3.1.6 813 * When a peer sends a Adaptation Layer Indication parameter , SCTP 814 * delivers this notification to inform the application that of the 815 * peers requested adaptation layer. 816 */ 817 if (new_asoc->peer.adaptation_ind) { 818 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 819 GFP_ATOMIC); 820 if (!ai_ev) 821 goto nomem_aiev; 822 } 823 824 if (!new_asoc->peer.auth_capable) { 825 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, 826 SCTP_AUTH_NO_AUTH, 827 GFP_ATOMIC); 828 if (!auth_ev) 829 goto nomem_authev; 830 } 831 832 /* Add all the state machine commands now since we've created 833 * everything. This way we don't introduce memory corruptions 834 * during side-effect processing and correclty count established 835 * associations. 836 */ 837 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 838 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 839 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 840 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 841 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 842 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 843 844 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 845 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 846 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 847 848 /* This will send the COOKIE ACK */ 849 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 850 851 /* Queue the ASSOC_CHANGE event */ 852 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 853 854 /* Send up the Adaptation Layer Indication event */ 855 if (ai_ev) 856 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 857 SCTP_ULPEVENT(ai_ev)); 858 859 if (auth_ev) 860 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 861 SCTP_ULPEVENT(auth_ev)); 862 863 return SCTP_DISPOSITION_CONSUME; 864 865 nomem_authev: 866 sctp_ulpevent_free(ai_ev); 867 nomem_aiev: 868 sctp_ulpevent_free(ev); 869 nomem_ev: 870 sctp_chunk_free(repl); 871 nomem_init: 872 sctp_association_free(new_asoc); 873 nomem: 874 return SCTP_DISPOSITION_NOMEM; 875 } 876 877 /* 878 * Respond to a normal COOKIE ACK chunk. 879 * We are the side that is asking for an association. 880 * 881 * RFC 2960 5.1 Normal Establishment of an Association 882 * 883 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 884 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 885 * timer. It may also notify its ULP about the successful 886 * establishment of the association with a Communication Up 887 * notification (see Section 10). 888 * 889 * Verification Tag: 890 * Inputs 891 * (endpoint, asoc, chunk) 892 * 893 * Outputs 894 * (asoc, reply_msg, msg_up, timers, counters) 895 * 896 * The return value is the disposition of the chunk. 897 */ 898 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 899 const struct sctp_endpoint *ep, 900 const struct sctp_association *asoc, 901 const union sctp_subtype type, 902 void *arg, 903 struct sctp_cmd_seq *commands) 904 { 905 struct sctp_chunk *chunk = arg; 906 struct sctp_ulpevent *ev; 907 908 if (!sctp_vtag_verify(chunk, asoc)) 909 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 910 911 /* Verify that the chunk length for the COOKIE-ACK is OK. 912 * If we don't do this, any bundled chunks may be junked. 913 */ 914 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 915 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 916 commands); 917 918 /* Reset init error count upon receipt of COOKIE-ACK, 919 * to avoid problems with the managemement of this 920 * counter in stale cookie situations when a transition back 921 * from the COOKIE-ECHOED state to the COOKIE-WAIT 922 * state is performed. 923 */ 924 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 925 926 /* Set peer label for connection. */ 927 security_inet_conn_established(ep->base.sk, chunk->skb); 928 929 /* RFC 2960 5.1 Normal Establishment of an Association 930 * 931 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 932 * from the COOKIE-ECHOED state to the ESTABLISHED state, 933 * stopping the T1-cookie timer. 934 */ 935 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 936 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 937 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 938 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 939 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 940 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 941 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 942 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 943 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 944 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 945 946 /* It may also notify its ULP about the successful 947 * establishment of the association with a Communication Up 948 * notification (see Section 10). 949 */ 950 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 951 0, asoc->c.sinit_num_ostreams, 952 asoc->c.sinit_max_instreams, 953 NULL, GFP_ATOMIC); 954 955 if (!ev) 956 goto nomem; 957 958 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 959 960 /* Sockets API Draft Section 5.3.1.6 961 * When a peer sends a Adaptation Layer Indication parameter , SCTP 962 * delivers this notification to inform the application that of the 963 * peers requested adaptation layer. 964 */ 965 if (asoc->peer.adaptation_ind) { 966 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 967 if (!ev) 968 goto nomem; 969 970 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 971 SCTP_ULPEVENT(ev)); 972 } 973 974 if (!asoc->peer.auth_capable) { 975 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, 976 GFP_ATOMIC); 977 if (!ev) 978 goto nomem; 979 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 980 SCTP_ULPEVENT(ev)); 981 } 982 983 return SCTP_DISPOSITION_CONSUME; 984 nomem: 985 return SCTP_DISPOSITION_NOMEM; 986 } 987 988 /* Generate and sendout a heartbeat packet. */ 989 static enum sctp_disposition sctp_sf_heartbeat( 990 const struct sctp_endpoint *ep, 991 const struct sctp_association *asoc, 992 const union sctp_subtype type, 993 void *arg, 994 struct sctp_cmd_seq *commands) 995 { 996 struct sctp_transport *transport = (struct sctp_transport *) arg; 997 struct sctp_chunk *reply; 998 999 /* Send a heartbeat to our peer. */ 1000 reply = sctp_make_heartbeat(asoc, transport); 1001 if (!reply) 1002 return SCTP_DISPOSITION_NOMEM; 1003 1004 /* Set rto_pending indicating that an RTT measurement 1005 * is started with this heartbeat chunk. 1006 */ 1007 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 1008 SCTP_TRANSPORT(transport)); 1009 1010 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1011 return SCTP_DISPOSITION_CONSUME; 1012 } 1013 1014 /* Generate a HEARTBEAT packet on the given transport. */ 1015 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, 1016 const struct sctp_endpoint *ep, 1017 const struct sctp_association *asoc, 1018 const union sctp_subtype type, 1019 void *arg, 1020 struct sctp_cmd_seq *commands) 1021 { 1022 struct sctp_transport *transport = (struct sctp_transport *) arg; 1023 1024 if (asoc->overall_error_count >= asoc->max_retrans) { 1025 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1026 SCTP_ERROR(ETIMEDOUT)); 1027 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1028 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1029 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1030 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1031 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1032 return SCTP_DISPOSITION_DELETE_TCB; 1033 } 1034 1035 /* Section 3.3.5. 1036 * The Sender-specific Heartbeat Info field should normally include 1037 * information about the sender's current time when this HEARTBEAT 1038 * chunk is sent and the destination transport address to which this 1039 * HEARTBEAT is sent (see Section 8.3). 1040 */ 1041 1042 if (transport->param_flags & SPP_HB_ENABLE) { 1043 if (SCTP_DISPOSITION_NOMEM == 1044 sctp_sf_heartbeat(ep, asoc, type, arg, 1045 commands)) 1046 return SCTP_DISPOSITION_NOMEM; 1047 1048 /* Set transport error counter and association error counter 1049 * when sending heartbeat. 1050 */ 1051 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1052 SCTP_TRANSPORT(transport)); 1053 } 1054 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1055 SCTP_TRANSPORT(transport)); 1056 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1057 SCTP_TRANSPORT(transport)); 1058 1059 return SCTP_DISPOSITION_CONSUME; 1060 } 1061 1062 /* resend asoc strreset_chunk. */ 1063 enum sctp_disposition sctp_sf_send_reconf(struct net *net, 1064 const struct sctp_endpoint *ep, 1065 const struct sctp_association *asoc, 1066 const union sctp_subtype type, 1067 void *arg, 1068 struct sctp_cmd_seq *commands) 1069 { 1070 struct sctp_transport *transport = arg; 1071 1072 if (asoc->overall_error_count >= asoc->max_retrans) { 1073 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1074 SCTP_ERROR(ETIMEDOUT)); 1075 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1076 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1077 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1078 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1079 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1080 return SCTP_DISPOSITION_DELETE_TCB; 1081 } 1082 1083 sctp_chunk_hold(asoc->strreset_chunk); 1084 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1085 SCTP_CHUNK(asoc->strreset_chunk)); 1086 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 1087 1088 return SCTP_DISPOSITION_CONSUME; 1089 } 1090 1091 /* 1092 * Process an heartbeat request. 1093 * 1094 * Section: 8.3 Path Heartbeat 1095 * The receiver of the HEARTBEAT should immediately respond with a 1096 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1097 * from the received HEARTBEAT chunk. 1098 * 1099 * Verification Tag: 8.5 Verification Tag [Normal verification] 1100 * When receiving an SCTP packet, the endpoint MUST ensure that the 1101 * value in the Verification Tag field of the received SCTP packet 1102 * matches its own Tag. If the received Verification Tag value does not 1103 * match the receiver's own tag value, the receiver shall silently 1104 * discard the packet and shall not process it any further except for 1105 * those cases listed in Section 8.5.1 below. 1106 * 1107 * Inputs 1108 * (endpoint, asoc, chunk) 1109 * 1110 * Outputs 1111 * (asoc, reply_msg, msg_up, timers, counters) 1112 * 1113 * The return value is the disposition of the chunk. 1114 */ 1115 enum sctp_disposition sctp_sf_beat_8_3(struct net *net, 1116 const struct sctp_endpoint *ep, 1117 const struct sctp_association *asoc, 1118 const union sctp_subtype type, 1119 void *arg, struct sctp_cmd_seq *commands) 1120 { 1121 struct sctp_paramhdr *param_hdr; 1122 struct sctp_chunk *chunk = arg; 1123 struct sctp_chunk *reply; 1124 size_t paylen = 0; 1125 1126 if (!sctp_vtag_verify(chunk, asoc)) 1127 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1128 1129 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1130 if (!sctp_chunk_length_valid(chunk, 1131 sizeof(struct sctp_heartbeat_chunk))) 1132 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1133 commands); 1134 1135 /* 8.3 The receiver of the HEARTBEAT should immediately 1136 * respond with a HEARTBEAT ACK that contains the Heartbeat 1137 * Information field copied from the received HEARTBEAT chunk. 1138 */ 1139 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; 1140 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; 1141 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); 1142 1143 if (ntohs(param_hdr->length) > paylen) 1144 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1145 param_hdr, commands); 1146 1147 if (!pskb_pull(chunk->skb, paylen)) 1148 goto nomem; 1149 1150 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1151 if (!reply) 1152 goto nomem; 1153 1154 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1155 return SCTP_DISPOSITION_CONSUME; 1156 1157 nomem: 1158 return SCTP_DISPOSITION_NOMEM; 1159 } 1160 1161 /* 1162 * Process the returning HEARTBEAT ACK. 1163 * 1164 * Section: 8.3 Path Heartbeat 1165 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1166 * should clear the error counter of the destination transport 1167 * address to which the HEARTBEAT was sent, and mark the destination 1168 * transport address as active if it is not so marked. The endpoint may 1169 * optionally report to the upper layer when an inactive destination 1170 * address is marked as active due to the reception of the latest 1171 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1172 * clear the association overall error count as well (as defined 1173 * in section 8.1). 1174 * 1175 * The receiver of the HEARTBEAT ACK should also perform an RTT 1176 * measurement for that destination transport address using the time 1177 * value carried in the HEARTBEAT ACK chunk. 1178 * 1179 * Verification Tag: 8.5 Verification Tag [Normal verification] 1180 * 1181 * Inputs 1182 * (endpoint, asoc, chunk) 1183 * 1184 * Outputs 1185 * (asoc, reply_msg, msg_up, timers, counters) 1186 * 1187 * The return value is the disposition of the chunk. 1188 */ 1189 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, 1190 const struct sctp_endpoint *ep, 1191 const struct sctp_association *asoc, 1192 const union sctp_subtype type, 1193 void *arg, 1194 struct sctp_cmd_seq *commands) 1195 { 1196 struct sctp_sender_hb_info *hbinfo; 1197 struct sctp_chunk *chunk = arg; 1198 struct sctp_transport *link; 1199 unsigned long max_interval; 1200 union sctp_addr from_addr; 1201 1202 if (!sctp_vtag_verify(chunk, asoc)) 1203 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1204 1205 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1206 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + 1207 sizeof(*hbinfo))) 1208 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1209 commands); 1210 1211 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; 1212 /* Make sure that the length of the parameter is what we expect */ 1213 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) 1214 return SCTP_DISPOSITION_DISCARD; 1215 1216 from_addr = hbinfo->daddr; 1217 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1218 1219 /* This should never happen, but lets log it if so. */ 1220 if (unlikely(!link)) { 1221 if (from_addr.sa.sa_family == AF_INET6) { 1222 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1223 __func__, 1224 asoc, 1225 &from_addr.v6.sin6_addr); 1226 } else { 1227 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1228 __func__, 1229 asoc, 1230 &from_addr.v4.sin_addr.s_addr); 1231 } 1232 return SCTP_DISPOSITION_DISCARD; 1233 } 1234 1235 /* Validate the 64-bit random nonce. */ 1236 if (hbinfo->hb_nonce != link->hb_nonce) 1237 return SCTP_DISPOSITION_DISCARD; 1238 1239 max_interval = link->hbinterval + link->rto; 1240 1241 /* Check if the timestamp looks valid. */ 1242 if (time_after(hbinfo->sent_at, jiffies) || 1243 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1244 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1245 "for transport:%p\n", __func__, link); 1246 1247 return SCTP_DISPOSITION_DISCARD; 1248 } 1249 1250 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1251 * the HEARTBEAT should clear the error counter of the 1252 * destination transport address to which the HEARTBEAT was 1253 * sent and mark the destination transport address as active if 1254 * it is not so marked. 1255 */ 1256 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1257 1258 return SCTP_DISPOSITION_CONSUME; 1259 } 1260 1261 /* Helper function to send out an abort for the restart 1262 * condition. 1263 */ 1264 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1265 struct sctp_chunk *init, 1266 struct sctp_cmd_seq *commands) 1267 { 1268 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1269 union sctp_addr_param *addrparm; 1270 struct sctp_errhdr *errhdr; 1271 char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; 1272 struct sctp_endpoint *ep; 1273 struct sctp_packet *pkt; 1274 int len; 1275 1276 /* Build the error on the stack. We are way to malloc crazy 1277 * throughout the code today. 1278 */ 1279 errhdr = (struct sctp_errhdr *)buffer; 1280 addrparm = (union sctp_addr_param *)errhdr->variable; 1281 1282 /* Copy into a parm format. */ 1283 len = af->to_addr_param(ssa, addrparm); 1284 len += sizeof(*errhdr); 1285 1286 errhdr->cause = SCTP_ERROR_RESTART; 1287 errhdr->length = htons(len); 1288 1289 /* Assign to the control socket. */ 1290 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1291 1292 /* Association is NULL since this may be a restart attack and we 1293 * want to send back the attacker's vtag. 1294 */ 1295 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1296 1297 if (!pkt) 1298 goto out; 1299 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1300 1301 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1302 1303 /* Discard the rest of the inbound packet. */ 1304 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1305 1306 out: 1307 /* Even if there is no memory, treat as a failure so 1308 * the packet will get dropped. 1309 */ 1310 return 0; 1311 } 1312 1313 static bool list_has_sctp_addr(const struct list_head *list, 1314 union sctp_addr *ipaddr) 1315 { 1316 struct sctp_transport *addr; 1317 1318 list_for_each_entry(addr, list, transports) { 1319 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1320 return true; 1321 } 1322 1323 return false; 1324 } 1325 /* A restart is occurring, check to make sure no new addresses 1326 * are being added as we may be under a takeover attack. 1327 */ 1328 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1329 const struct sctp_association *asoc, 1330 struct sctp_chunk *init, 1331 struct sctp_cmd_seq *commands) 1332 { 1333 struct net *net = new_asoc->base.net; 1334 struct sctp_transport *new_addr; 1335 int ret = 1; 1336 1337 /* Implementor's Guide - Section 5.2.2 1338 * ... 1339 * Before responding the endpoint MUST check to see if the 1340 * unexpected INIT adds new addresses to the association. If new 1341 * addresses are added to the association, the endpoint MUST respond 1342 * with an ABORT.. 1343 */ 1344 1345 /* Search through all current addresses and make sure 1346 * we aren't adding any new ones. 1347 */ 1348 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1349 transports) { 1350 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1351 &new_addr->ipaddr)) { 1352 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1353 commands); 1354 ret = 0; 1355 break; 1356 } 1357 } 1358 1359 /* Return success if all addresses were found. */ 1360 return ret; 1361 } 1362 1363 /* Populate the verification/tie tags based on overlapping INIT 1364 * scenario. 1365 * 1366 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1367 */ 1368 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1369 const struct sctp_association *asoc) 1370 { 1371 switch (asoc->state) { 1372 1373 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1374 1375 case SCTP_STATE_COOKIE_WAIT: 1376 new_asoc->c.my_vtag = asoc->c.my_vtag; 1377 new_asoc->c.my_ttag = asoc->c.my_vtag; 1378 new_asoc->c.peer_ttag = 0; 1379 break; 1380 1381 case SCTP_STATE_COOKIE_ECHOED: 1382 new_asoc->c.my_vtag = asoc->c.my_vtag; 1383 new_asoc->c.my_ttag = asoc->c.my_vtag; 1384 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1385 break; 1386 1387 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1388 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1389 */ 1390 default: 1391 new_asoc->c.my_ttag = asoc->c.my_vtag; 1392 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1393 break; 1394 } 1395 1396 /* Other parameters for the endpoint SHOULD be copied from the 1397 * existing parameters of the association (e.g. number of 1398 * outbound streams) into the INIT ACK and cookie. 1399 */ 1400 new_asoc->rwnd = asoc->rwnd; 1401 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1402 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1403 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1404 } 1405 1406 /* 1407 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1408 * handling action. 1409 * 1410 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1411 * 1412 * Returns value representing action to be taken. These action values 1413 * correspond to Action/Description values in RFC 2960, Table 2. 1414 */ 1415 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1416 const struct sctp_association *asoc) 1417 { 1418 /* In this case, the peer may have restarted. */ 1419 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1420 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1421 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1422 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1423 return 'A'; 1424 1425 /* Collision case B. */ 1426 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1427 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1428 (0 == asoc->c.peer_vtag))) { 1429 return 'B'; 1430 } 1431 1432 /* Collision case D. */ 1433 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1434 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1435 return 'D'; 1436 1437 /* Collision case C. */ 1438 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1439 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1440 (0 == new_asoc->c.my_ttag) && 1441 (0 == new_asoc->c.peer_ttag)) 1442 return 'C'; 1443 1444 /* No match to any of the special cases; discard this packet. */ 1445 return 'E'; 1446 } 1447 1448 /* Common helper routine for both duplicate and simulataneous INIT 1449 * chunk handling. 1450 */ 1451 static enum sctp_disposition sctp_sf_do_unexpected_init( 1452 struct net *net, 1453 const struct sctp_endpoint *ep, 1454 const struct sctp_association *asoc, 1455 const union sctp_subtype type, 1456 void *arg, 1457 struct sctp_cmd_seq *commands) 1458 { 1459 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 1460 struct sctp_unrecognized_param *unk_param; 1461 struct sctp_association *new_asoc; 1462 enum sctp_disposition retval; 1463 struct sctp_packet *packet; 1464 int len; 1465 1466 /* Update socket peer label if first association. */ 1467 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 1468 chunk->skb)) 1469 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1470 1471 /* 6.10 Bundling 1472 * An endpoint MUST NOT bundle INIT, INIT ACK or 1473 * SHUTDOWN COMPLETE with any other chunks. 1474 * 1475 * IG Section 2.11.2 1476 * Furthermore, we require that the receiver of an INIT chunk MUST 1477 * enforce these rules by silently discarding an arriving packet 1478 * with an INIT chunk that is bundled with other chunks. 1479 */ 1480 if (!chunk->singleton) 1481 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1482 1483 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1484 * Tag. 1485 */ 1486 if (chunk->sctp_hdr->vtag != 0) 1487 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1488 1489 /* Make sure that the INIT chunk has a valid length. 1490 * In this case, we generate a protocol violation since we have 1491 * an association established. 1492 */ 1493 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 1494 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1495 commands); 1496 /* Grab the INIT header. */ 1497 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 1498 1499 /* Tag the variable length parameters. */ 1500 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 1501 1502 /* Verify the INIT chunk before processing it. */ 1503 err_chunk = NULL; 1504 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1505 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 1506 &err_chunk)) { 1507 /* This chunk contains fatal error. It is to be discarded. 1508 * Send an ABORT, with causes if there is any. 1509 */ 1510 if (err_chunk) { 1511 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1512 (__u8 *)(err_chunk->chunk_hdr) + 1513 sizeof(struct sctp_chunkhdr), 1514 ntohs(err_chunk->chunk_hdr->length) - 1515 sizeof(struct sctp_chunkhdr)); 1516 1517 if (packet) { 1518 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1519 SCTP_PACKET(packet)); 1520 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1521 retval = SCTP_DISPOSITION_CONSUME; 1522 } else { 1523 retval = SCTP_DISPOSITION_NOMEM; 1524 } 1525 goto cleanup; 1526 } else { 1527 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1528 commands); 1529 } 1530 } 1531 1532 /* 1533 * Other parameters for the endpoint SHOULD be copied from the 1534 * existing parameters of the association (e.g. number of 1535 * outbound streams) into the INIT ACK and cookie. 1536 * FIXME: We are copying parameters from the endpoint not the 1537 * association. 1538 */ 1539 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1540 if (!new_asoc) 1541 goto nomem; 1542 1543 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1544 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1545 goto nomem; 1546 1547 /* In the outbound INIT ACK the endpoint MUST copy its current 1548 * Verification Tag and Peers Verification tag into a reserved 1549 * place (local tie-tag and per tie-tag) within the state cookie. 1550 */ 1551 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1552 (struct sctp_init_chunk *)chunk->chunk_hdr, 1553 GFP_ATOMIC)) 1554 goto nomem; 1555 1556 /* Make sure no new addresses are being added during the 1557 * restart. Do not do this check for COOKIE-WAIT state, 1558 * since there are no peer addresses to check against. 1559 * Upon return an ABORT will have been sent if needed. 1560 */ 1561 if (!sctp_state(asoc, COOKIE_WAIT)) { 1562 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1563 commands)) { 1564 retval = SCTP_DISPOSITION_CONSUME; 1565 goto nomem_retval; 1566 } 1567 } 1568 1569 sctp_tietags_populate(new_asoc, asoc); 1570 1571 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1572 1573 /* If there are errors need to be reported for unknown parameters, 1574 * make sure to reserve enough room in the INIT ACK for them. 1575 */ 1576 len = 0; 1577 if (err_chunk) { 1578 len = ntohs(err_chunk->chunk_hdr->length) - 1579 sizeof(struct sctp_chunkhdr); 1580 } 1581 1582 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1583 if (!repl) 1584 goto nomem; 1585 1586 /* If there are errors need to be reported for unknown parameters, 1587 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1588 * parameter. 1589 */ 1590 if (err_chunk) { 1591 /* Get the "Unrecognized parameter" parameter(s) out of the 1592 * ERROR chunk generated by sctp_verify_init(). Since the 1593 * error cause code for "unknown parameter" and the 1594 * "Unrecognized parameter" type is the same, we can 1595 * construct the parameters in INIT ACK by copying the 1596 * ERROR causes over. 1597 */ 1598 unk_param = (struct sctp_unrecognized_param *) 1599 ((__u8 *)(err_chunk->chunk_hdr) + 1600 sizeof(struct sctp_chunkhdr)); 1601 /* Replace the cause code with the "Unrecognized parameter" 1602 * parameter type. 1603 */ 1604 sctp_addto_chunk(repl, len, unk_param); 1605 } 1606 1607 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1608 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1609 1610 /* 1611 * Note: After sending out INIT ACK with the State Cookie parameter, 1612 * "Z" MUST NOT allocate any resources for this new association. 1613 * Otherwise, "Z" will be vulnerable to resource attacks. 1614 */ 1615 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1616 retval = SCTP_DISPOSITION_CONSUME; 1617 1618 return retval; 1619 1620 nomem: 1621 retval = SCTP_DISPOSITION_NOMEM; 1622 nomem_retval: 1623 if (new_asoc) 1624 sctp_association_free(new_asoc); 1625 cleanup: 1626 if (err_chunk) 1627 sctp_chunk_free(err_chunk); 1628 return retval; 1629 } 1630 1631 /* 1632 * Handle simultaneous INIT. 1633 * This means we started an INIT and then we got an INIT request from 1634 * our peer. 1635 * 1636 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1637 * This usually indicates an initialization collision, i.e., each 1638 * endpoint is attempting, at about the same time, to establish an 1639 * association with the other endpoint. 1640 * 1641 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1642 * endpoint MUST respond with an INIT ACK using the same parameters it 1643 * sent in its original INIT chunk (including its Verification Tag, 1644 * unchanged). These original parameters are combined with those from the 1645 * newly received INIT chunk. The endpoint shall also generate a State 1646 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1647 * INIT to calculate the State Cookie. 1648 * 1649 * After that, the endpoint MUST NOT change its state, the T1-init 1650 * timer shall be left running and the corresponding TCB MUST NOT be 1651 * destroyed. The normal procedures for handling State Cookies when 1652 * a TCB exists will resolve the duplicate INITs to a single association. 1653 * 1654 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1655 * its Tie-Tags with the Tag information of itself and its peer (see 1656 * section 5.2.2 for a description of the Tie-Tags). 1657 * 1658 * Verification Tag: Not explicit, but an INIT can not have a valid 1659 * verification tag, so we skip the check. 1660 * 1661 * Inputs 1662 * (endpoint, asoc, chunk) 1663 * 1664 * Outputs 1665 * (asoc, reply_msg, msg_up, timers, counters) 1666 * 1667 * The return value is the disposition of the chunk. 1668 */ 1669 enum sctp_disposition sctp_sf_do_5_2_1_siminit( 1670 struct net *net, 1671 const struct sctp_endpoint *ep, 1672 const struct sctp_association *asoc, 1673 const union sctp_subtype type, 1674 void *arg, 1675 struct sctp_cmd_seq *commands) 1676 { 1677 /* Call helper to do the real work for both simulataneous and 1678 * duplicate INIT chunk handling. 1679 */ 1680 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1681 } 1682 1683 /* 1684 * Handle duplicated INIT messages. These are usually delayed 1685 * restransmissions. 1686 * 1687 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1688 * COOKIE-ECHOED and COOKIE-WAIT 1689 * 1690 * Unless otherwise stated, upon reception of an unexpected INIT for 1691 * this association, the endpoint shall generate an INIT ACK with a 1692 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1693 * current Verification Tag and peer's Verification Tag into a reserved 1694 * place within the state cookie. We shall refer to these locations as 1695 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1696 * containing this INIT ACK MUST carry a Verification Tag value equal to 1697 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1698 * MUST contain a new Initiation Tag (randomly generated see Section 1699 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1700 * existing parameters of the association (e.g. number of outbound 1701 * streams) into the INIT ACK and cookie. 1702 * 1703 * After sending out the INIT ACK, the endpoint shall take no further 1704 * actions, i.e., the existing association, including its current state, 1705 * and the corresponding TCB MUST NOT be changed. 1706 * 1707 * Note: Only when a TCB exists and the association is not in a COOKIE- 1708 * WAIT state are the Tie-Tags populated. For a normal association INIT 1709 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1710 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1711 * State Cookie are populated as specified in section 5.2.1. 1712 * 1713 * Verification Tag: Not specified, but an INIT has no way of knowing 1714 * what the verification tag could be, so we ignore it. 1715 * 1716 * Inputs 1717 * (endpoint, asoc, chunk) 1718 * 1719 * Outputs 1720 * (asoc, reply_msg, msg_up, timers, counters) 1721 * 1722 * The return value is the disposition of the chunk. 1723 */ 1724 enum sctp_disposition sctp_sf_do_5_2_2_dupinit( 1725 struct net *net, 1726 const struct sctp_endpoint *ep, 1727 const struct sctp_association *asoc, 1728 const union sctp_subtype type, 1729 void *arg, 1730 struct sctp_cmd_seq *commands) 1731 { 1732 /* Call helper to do the real work for both simulataneous and 1733 * duplicate INIT chunk handling. 1734 */ 1735 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1736 } 1737 1738 1739 /* 1740 * Unexpected INIT-ACK handler. 1741 * 1742 * Section 5.2.3 1743 * If an INIT ACK received by an endpoint in any state other than the 1744 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1745 * An unexpected INIT ACK usually indicates the processing of an old or 1746 * duplicated INIT chunk. 1747 */ 1748 enum sctp_disposition sctp_sf_do_5_2_3_initack( 1749 struct net *net, 1750 const struct sctp_endpoint *ep, 1751 const struct sctp_association *asoc, 1752 const union sctp_subtype type, 1753 void *arg, 1754 struct sctp_cmd_seq *commands) 1755 { 1756 /* Per the above section, we'll discard the chunk if we have an 1757 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1758 */ 1759 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1760 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1761 else 1762 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1763 } 1764 1765 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1766 * 1767 * Section 5.2.4 1768 * A) In this case, the peer may have restarted. 1769 */ 1770 static enum sctp_disposition sctp_sf_do_dupcook_a( 1771 struct net *net, 1772 const struct sctp_endpoint *ep, 1773 const struct sctp_association *asoc, 1774 struct sctp_chunk *chunk, 1775 struct sctp_cmd_seq *commands, 1776 struct sctp_association *new_asoc) 1777 { 1778 struct sctp_init_chunk *peer_init; 1779 enum sctp_disposition disposition; 1780 struct sctp_ulpevent *ev; 1781 struct sctp_chunk *repl; 1782 struct sctp_chunk *err; 1783 1784 /* new_asoc is a brand-new association, so these are not yet 1785 * side effects--it is safe to run them here. 1786 */ 1787 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1788 1789 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1790 GFP_ATOMIC)) 1791 goto nomem; 1792 1793 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1794 goto nomem; 1795 1796 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 1797 return SCTP_DISPOSITION_DISCARD; 1798 1799 /* Make sure no new addresses are being added during the 1800 * restart. Though this is a pretty complicated attack 1801 * since you'd have to get inside the cookie. 1802 */ 1803 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) 1804 return SCTP_DISPOSITION_CONSUME; 1805 1806 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1807 * the peer has restarted (Action A), it MUST NOT setup a new 1808 * association but instead resend the SHUTDOWN ACK and send an ERROR 1809 * chunk with a "Cookie Received while Shutting Down" error cause to 1810 * its peer. 1811 */ 1812 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1813 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, 1814 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1815 chunk, commands); 1816 if (SCTP_DISPOSITION_NOMEM == disposition) 1817 goto nomem; 1818 1819 err = sctp_make_op_error(asoc, chunk, 1820 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1821 NULL, 0, 0); 1822 if (err) 1823 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1824 SCTP_CHUNK(err)); 1825 1826 return SCTP_DISPOSITION_CONSUME; 1827 } 1828 1829 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1830 * data. Consider the optional choice of resending of this data. 1831 */ 1832 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1833 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1834 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1835 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1836 1837 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1838 * and ASCONF-ACK cache. 1839 */ 1840 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1841 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1842 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1843 1844 repl = sctp_make_cookie_ack(new_asoc, chunk); 1845 if (!repl) 1846 goto nomem; 1847 1848 /* Report association restart to upper layer. */ 1849 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1850 new_asoc->c.sinit_num_ostreams, 1851 new_asoc->c.sinit_max_instreams, 1852 NULL, GFP_ATOMIC); 1853 if (!ev) 1854 goto nomem_ev; 1855 1856 /* Update the content of current association. */ 1857 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1858 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1859 if ((sctp_state(asoc, SHUTDOWN_PENDING) || 1860 sctp_state(asoc, SHUTDOWN_SENT)) && 1861 (sctp_sstate(asoc->base.sk, CLOSING) || 1862 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1863 /* If the socket has been closed by user, don't 1864 * transition to ESTABLISHED. Instead trigger SHUTDOWN 1865 * bundled with COOKIE_ACK. 1866 */ 1867 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1868 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1869 SCTP_ST_CHUNK(0), repl, 1870 commands); 1871 } else { 1872 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1873 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1874 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1875 } 1876 return SCTP_DISPOSITION_CONSUME; 1877 1878 nomem_ev: 1879 sctp_chunk_free(repl); 1880 nomem: 1881 return SCTP_DISPOSITION_NOMEM; 1882 } 1883 1884 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1885 * 1886 * Section 5.2.4 1887 * B) In this case, both sides may be attempting to start an association 1888 * at about the same time but the peer endpoint started its INIT 1889 * after responding to the local endpoint's INIT 1890 */ 1891 /* This case represents an initialization collision. */ 1892 static enum sctp_disposition sctp_sf_do_dupcook_b( 1893 struct net *net, 1894 const struct sctp_endpoint *ep, 1895 const struct sctp_association *asoc, 1896 struct sctp_chunk *chunk, 1897 struct sctp_cmd_seq *commands, 1898 struct sctp_association *new_asoc) 1899 { 1900 struct sctp_init_chunk *peer_init; 1901 struct sctp_chunk *repl; 1902 1903 /* new_asoc is a brand-new association, so these are not yet 1904 * side effects--it is safe to run them here. 1905 */ 1906 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1907 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1908 GFP_ATOMIC)) 1909 goto nomem; 1910 1911 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1912 goto nomem; 1913 1914 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 1915 return SCTP_DISPOSITION_DISCARD; 1916 1917 /* Update the content of current association. */ 1918 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1919 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1920 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1921 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1922 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1923 1924 repl = sctp_make_cookie_ack(new_asoc, chunk); 1925 if (!repl) 1926 goto nomem; 1927 1928 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1929 1930 /* RFC 2960 5.1 Normal Establishment of an Association 1931 * 1932 * D) IMPLEMENTATION NOTE: An implementation may choose to 1933 * send the Communication Up notification to the SCTP user 1934 * upon reception of a valid COOKIE ECHO chunk. 1935 * 1936 * Sadly, this needs to be implemented as a side-effect, because 1937 * we are not guaranteed to have set the association id of the real 1938 * association and so these notifications need to be delayed until 1939 * the association id is allocated. 1940 */ 1941 1942 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1943 1944 /* Sockets API Draft Section 5.3.1.6 1945 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1946 * delivers this notification to inform the application that of the 1947 * peers requested adaptation layer. 1948 * 1949 * This also needs to be done as a side effect for the same reason as 1950 * above. 1951 */ 1952 if (asoc->peer.adaptation_ind) 1953 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1954 1955 if (!asoc->peer.auth_capable) 1956 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); 1957 1958 return SCTP_DISPOSITION_CONSUME; 1959 1960 nomem: 1961 return SCTP_DISPOSITION_NOMEM; 1962 } 1963 1964 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1965 * 1966 * Section 5.2.4 1967 * C) In this case, the local endpoint's cookie has arrived late. 1968 * Before it arrived, the local endpoint sent an INIT and received an 1969 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1970 * but a new tag of its own. 1971 */ 1972 /* This case represents an initialization collision. */ 1973 static enum sctp_disposition sctp_sf_do_dupcook_c( 1974 struct net *net, 1975 const struct sctp_endpoint *ep, 1976 const struct sctp_association *asoc, 1977 struct sctp_chunk *chunk, 1978 struct sctp_cmd_seq *commands, 1979 struct sctp_association *new_asoc) 1980 { 1981 /* The cookie should be silently discarded. 1982 * The endpoint SHOULD NOT change states and should leave 1983 * any timers running. 1984 */ 1985 return SCTP_DISPOSITION_DISCARD; 1986 } 1987 1988 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1989 * 1990 * Section 5.2.4 1991 * 1992 * D) When both local and remote tags match the endpoint should always 1993 * enter the ESTABLISHED state, if it has not already done so. 1994 */ 1995 /* This case represents an initialization collision. */ 1996 static enum sctp_disposition sctp_sf_do_dupcook_d( 1997 struct net *net, 1998 const struct sctp_endpoint *ep, 1999 const struct sctp_association *asoc, 2000 struct sctp_chunk *chunk, 2001 struct sctp_cmd_seq *commands, 2002 struct sctp_association *new_asoc) 2003 { 2004 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; 2005 struct sctp_chunk *repl; 2006 2007 /* Clarification from Implementor's Guide: 2008 * D) When both local and remote tags match the endpoint should 2009 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 2010 * It should stop any cookie timer that may be running and send 2011 * a COOKIE ACK. 2012 */ 2013 2014 if (!sctp_auth_chunk_verify(net, chunk, asoc)) 2015 return SCTP_DISPOSITION_DISCARD; 2016 2017 /* Don't accidentally move back into established state. */ 2018 if (asoc->state < SCTP_STATE_ESTABLISHED) { 2019 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2020 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2021 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2022 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2023 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2024 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 2025 SCTP_NULL()); 2026 2027 /* RFC 2960 5.1 Normal Establishment of an Association 2028 * 2029 * D) IMPLEMENTATION NOTE: An implementation may choose 2030 * to send the Communication Up notification to the 2031 * SCTP user upon reception of a valid COOKIE 2032 * ECHO chunk. 2033 */ 2034 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 2035 SCTP_COMM_UP, 0, 2036 asoc->c.sinit_num_ostreams, 2037 asoc->c.sinit_max_instreams, 2038 NULL, GFP_ATOMIC); 2039 if (!ev) 2040 goto nomem; 2041 2042 /* Sockets API Draft Section 5.3.1.6 2043 * When a peer sends a Adaptation Layer Indication parameter, 2044 * SCTP delivers this notification to inform the application 2045 * that of the peers requested adaptation layer. 2046 */ 2047 if (asoc->peer.adaptation_ind) { 2048 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 2049 GFP_ATOMIC); 2050 if (!ai_ev) 2051 goto nomem; 2052 2053 } 2054 2055 if (!asoc->peer.auth_capable) { 2056 auth_ev = sctp_ulpevent_make_authkey(asoc, 0, 2057 SCTP_AUTH_NO_AUTH, 2058 GFP_ATOMIC); 2059 if (!auth_ev) 2060 goto nomem; 2061 } 2062 } 2063 2064 repl = sctp_make_cookie_ack(asoc, chunk); 2065 if (!repl) 2066 goto nomem; 2067 2068 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2069 2070 if (ev) 2071 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2072 SCTP_ULPEVENT(ev)); 2073 if (ai_ev) 2074 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2075 SCTP_ULPEVENT(ai_ev)); 2076 if (auth_ev) 2077 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2078 SCTP_ULPEVENT(auth_ev)); 2079 2080 return SCTP_DISPOSITION_CONSUME; 2081 2082 nomem: 2083 if (auth_ev) 2084 sctp_ulpevent_free(auth_ev); 2085 if (ai_ev) 2086 sctp_ulpevent_free(ai_ev); 2087 if (ev) 2088 sctp_ulpevent_free(ev); 2089 return SCTP_DISPOSITION_NOMEM; 2090 } 2091 2092 /* 2093 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 2094 * chunk was retransmitted and then delayed in the network. 2095 * 2096 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 2097 * 2098 * Verification Tag: None. Do cookie validation. 2099 * 2100 * Inputs 2101 * (endpoint, asoc, chunk) 2102 * 2103 * Outputs 2104 * (asoc, reply_msg, msg_up, timers, counters) 2105 * 2106 * The return value is the disposition of the chunk. 2107 */ 2108 enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 2109 struct net *net, 2110 const struct sctp_endpoint *ep, 2111 const struct sctp_association *asoc, 2112 const union sctp_subtype type, 2113 void *arg, 2114 struct sctp_cmd_seq *commands) 2115 { 2116 struct sctp_association *new_asoc; 2117 struct sctp_chunk *chunk = arg; 2118 enum sctp_disposition retval; 2119 struct sctp_chunk *err_chk_p; 2120 int error = 0; 2121 char action; 2122 2123 /* Make sure that the chunk has a valid length from the protocol 2124 * perspective. In this case check to make sure we have at least 2125 * enough for the chunk header. Cookie length verification is 2126 * done later. 2127 */ 2128 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2129 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2130 commands); 2131 2132 /* "Decode" the chunk. We have no optional parameters so we 2133 * are in good shape. 2134 */ 2135 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2136 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2137 sizeof(struct sctp_chunkhdr))) 2138 goto nomem; 2139 2140 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2141 * of a duplicate COOKIE ECHO match the Verification Tags of the 2142 * current association, consider the State Cookie valid even if 2143 * the lifespan is exceeded. 2144 */ 2145 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2146 &err_chk_p); 2147 2148 /* FIXME: 2149 * If the re-build failed, what is the proper error path 2150 * from here? 2151 * 2152 * [We should abort the association. --piggy] 2153 */ 2154 if (!new_asoc) { 2155 /* FIXME: Several errors are possible. A bad cookie should 2156 * be silently discarded, but think about logging it too. 2157 */ 2158 switch (error) { 2159 case -SCTP_IERROR_NOMEM: 2160 goto nomem; 2161 2162 case -SCTP_IERROR_STALE_COOKIE: 2163 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2164 err_chk_p); 2165 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2166 case -SCTP_IERROR_BAD_SIG: 2167 default: 2168 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2169 } 2170 } 2171 2172 /* Update socket peer label if first association. */ 2173 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 2174 chunk->skb)) { 2175 sctp_association_free(new_asoc); 2176 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2177 } 2178 2179 /* Set temp so that it won't be added into hashtable */ 2180 new_asoc->temp = 1; 2181 2182 /* Compare the tie_tag in cookie with the verification tag of 2183 * current association. 2184 */ 2185 action = sctp_tietags_compare(new_asoc, asoc); 2186 2187 switch (action) { 2188 case 'A': /* Association restart. */ 2189 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2190 new_asoc); 2191 break; 2192 2193 case 'B': /* Collision case B. */ 2194 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2195 new_asoc); 2196 break; 2197 2198 case 'C': /* Collision case C. */ 2199 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2200 new_asoc); 2201 break; 2202 2203 case 'D': /* Collision case D. */ 2204 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2205 new_asoc); 2206 break; 2207 2208 default: /* Discard packet for all others. */ 2209 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2210 break; 2211 } 2212 2213 /* Delete the tempory new association. */ 2214 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2215 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2216 2217 /* Restore association pointer to provide SCTP command interpeter 2218 * with a valid context in case it needs to manipulate 2219 * the queues */ 2220 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2221 SCTP_ASOC((struct sctp_association *)asoc)); 2222 2223 return retval; 2224 2225 nomem: 2226 return SCTP_DISPOSITION_NOMEM; 2227 } 2228 2229 /* 2230 * Process an ABORT. (SHUTDOWN-PENDING state) 2231 * 2232 * See sctp_sf_do_9_1_abort(). 2233 */ 2234 enum sctp_disposition sctp_sf_shutdown_pending_abort( 2235 struct net *net, 2236 const struct sctp_endpoint *ep, 2237 const struct sctp_association *asoc, 2238 const union sctp_subtype type, 2239 void *arg, 2240 struct sctp_cmd_seq *commands) 2241 { 2242 struct sctp_chunk *chunk = arg; 2243 2244 if (!sctp_vtag_verify_either(chunk, asoc)) 2245 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2246 2247 /* Make sure that the ABORT chunk has a valid length. 2248 * Since this is an ABORT chunk, we have to discard it 2249 * because of the following text: 2250 * RFC 2960, Section 3.3.7 2251 * If an endpoint receives an ABORT with a format error or for an 2252 * association that doesn't exist, it MUST silently discard it. 2253 * Because the length is "invalid", we can't really discard just 2254 * as we do not know its true length. So, to be safe, discard the 2255 * packet. 2256 */ 2257 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2258 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2259 2260 /* ADD-IP: Special case for ABORT chunks 2261 * F4) One special consideration is that ABORT Chunks arriving 2262 * destined to the IP address being deleted MUST be 2263 * ignored (see Section 5.3.1 for further details). 2264 */ 2265 if (SCTP_ADDR_DEL == 2266 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2267 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2268 2269 if (!sctp_err_chunk_valid(chunk)) 2270 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2271 2272 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2273 } 2274 2275 /* 2276 * Process an ABORT. (SHUTDOWN-SENT state) 2277 * 2278 * See sctp_sf_do_9_1_abort(). 2279 */ 2280 enum sctp_disposition sctp_sf_shutdown_sent_abort( 2281 struct net *net, 2282 const struct sctp_endpoint *ep, 2283 const struct sctp_association *asoc, 2284 const union sctp_subtype type, 2285 void *arg, 2286 struct sctp_cmd_seq *commands) 2287 { 2288 struct sctp_chunk *chunk = arg; 2289 2290 if (!sctp_vtag_verify_either(chunk, asoc)) 2291 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2292 2293 /* Make sure that the ABORT chunk has a valid length. 2294 * Since this is an ABORT chunk, we have to discard it 2295 * because of the following text: 2296 * RFC 2960, Section 3.3.7 2297 * If an endpoint receives an ABORT with a format error or for an 2298 * association that doesn't exist, it MUST silently discard it. 2299 * Because the length is "invalid", we can't really discard just 2300 * as we do not know its true length. So, to be safe, discard the 2301 * packet. 2302 */ 2303 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2304 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2305 2306 /* ADD-IP: Special case for ABORT chunks 2307 * F4) One special consideration is that ABORT Chunks arriving 2308 * destined to the IP address being deleted MUST be 2309 * ignored (see Section 5.3.1 for further details). 2310 */ 2311 if (SCTP_ADDR_DEL == 2312 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2313 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2314 2315 if (!sctp_err_chunk_valid(chunk)) 2316 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2317 2318 /* Stop the T2-shutdown timer. */ 2319 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2320 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2321 2322 /* Stop the T5-shutdown guard timer. */ 2323 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2324 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2325 2326 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2327 } 2328 2329 /* 2330 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2331 * 2332 * See sctp_sf_do_9_1_abort(). 2333 */ 2334 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( 2335 struct net *net, 2336 const struct sctp_endpoint *ep, 2337 const struct sctp_association *asoc, 2338 const union sctp_subtype type, 2339 void *arg, 2340 struct sctp_cmd_seq *commands) 2341 { 2342 /* The same T2 timer, so we should be able to use 2343 * common function with the SHUTDOWN-SENT state. 2344 */ 2345 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2346 } 2347 2348 /* 2349 * Handle an Error received in COOKIE_ECHOED state. 2350 * 2351 * Only handle the error type of stale COOKIE Error, the other errors will 2352 * be ignored. 2353 * 2354 * Inputs 2355 * (endpoint, asoc, chunk) 2356 * 2357 * Outputs 2358 * (asoc, reply_msg, msg_up, timers, counters) 2359 * 2360 * The return value is the disposition of the chunk. 2361 */ 2362 enum sctp_disposition sctp_sf_cookie_echoed_err( 2363 struct net *net, 2364 const struct sctp_endpoint *ep, 2365 const struct sctp_association *asoc, 2366 const union sctp_subtype type, 2367 void *arg, 2368 struct sctp_cmd_seq *commands) 2369 { 2370 struct sctp_chunk *chunk = arg; 2371 struct sctp_errhdr *err; 2372 2373 if (!sctp_vtag_verify(chunk, asoc)) 2374 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2375 2376 /* Make sure that the ERROR chunk has a valid length. 2377 * The parameter walking depends on this as well. 2378 */ 2379 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 2380 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2381 commands); 2382 2383 /* Process the error here */ 2384 /* FUTURE FIXME: When PR-SCTP related and other optional 2385 * parms are emitted, this will have to change to handle multiple 2386 * errors. 2387 */ 2388 sctp_walk_errors(err, chunk->chunk_hdr) { 2389 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2390 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2391 arg, commands); 2392 } 2393 2394 /* It is possible to have malformed error causes, and that 2395 * will cause us to end the walk early. However, since 2396 * we are discarding the packet, there should be no adverse 2397 * affects. 2398 */ 2399 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2400 } 2401 2402 /* 2403 * Handle a Stale COOKIE Error 2404 * 2405 * Section: 5.2.6 Handle Stale COOKIE Error 2406 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2407 * one of the following three alternatives. 2408 * ... 2409 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2410 * Preservative parameter requesting an extension to the lifetime of 2411 * the State Cookie. When calculating the time extension, an 2412 * implementation SHOULD use the RTT information measured based on the 2413 * previous COOKIE ECHO / ERROR exchange, and should add no more 2414 * than 1 second beyond the measured RTT, due to long State Cookie 2415 * lifetimes making the endpoint more subject to a replay attack. 2416 * 2417 * Verification Tag: Not explicit, but safe to ignore. 2418 * 2419 * Inputs 2420 * (endpoint, asoc, chunk) 2421 * 2422 * Outputs 2423 * (asoc, reply_msg, msg_up, timers, counters) 2424 * 2425 * The return value is the disposition of the chunk. 2426 */ 2427 static enum sctp_disposition sctp_sf_do_5_2_6_stale( 2428 struct net *net, 2429 const struct sctp_endpoint *ep, 2430 const struct sctp_association *asoc, 2431 const union sctp_subtype type, 2432 void *arg, 2433 struct sctp_cmd_seq *commands) 2434 { 2435 int attempts = asoc->init_err_counter + 1; 2436 struct sctp_chunk *chunk = arg, *reply; 2437 struct sctp_cookie_preserve_param bht; 2438 struct sctp_bind_addr *bp; 2439 struct sctp_errhdr *err; 2440 u32 stale; 2441 2442 if (attempts > asoc->max_init_attempts) { 2443 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2444 SCTP_ERROR(ETIMEDOUT)); 2445 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2446 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2447 return SCTP_DISPOSITION_DELETE_TCB; 2448 } 2449 2450 err = (struct sctp_errhdr *)(chunk->skb->data); 2451 2452 /* When calculating the time extension, an implementation 2453 * SHOULD use the RTT information measured based on the 2454 * previous COOKIE ECHO / ERROR exchange, and should add no 2455 * more than 1 second beyond the measured RTT, due to long 2456 * State Cookie lifetimes making the endpoint more subject to 2457 * a replay attack. 2458 * Measure of Staleness's unit is usec. (1/1000000 sec) 2459 * Suggested Cookie Life-span Increment's unit is msec. 2460 * (1/1000 sec) 2461 * In general, if you use the suggested cookie life, the value 2462 * found in the field of measure of staleness should be doubled 2463 * to give ample time to retransmit the new cookie and thus 2464 * yield a higher probability of success on the reattempt. 2465 */ 2466 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); 2467 stale = (stale * 2) / 1000; 2468 2469 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2470 bht.param_hdr.length = htons(sizeof(bht)); 2471 bht.lifespan_increment = htonl(stale); 2472 2473 /* Build that new INIT chunk. */ 2474 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2475 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2476 if (!reply) 2477 goto nomem; 2478 2479 sctp_addto_chunk(reply, sizeof(bht), &bht); 2480 2481 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2482 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2483 2484 /* Stop pending T3-rtx and heartbeat timers */ 2485 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2486 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2487 2488 /* Delete non-primary peer ip addresses since we are transitioning 2489 * back to the COOKIE-WAIT state 2490 */ 2491 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2492 2493 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2494 * resend 2495 */ 2496 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2497 SCTP_TRANSPORT(asoc->peer.primary_path)); 2498 2499 /* Cast away the const modifier, as we want to just 2500 * rerun it through as a sideffect. 2501 */ 2502 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2503 2504 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2505 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2506 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2507 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2508 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2509 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2510 2511 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2512 2513 return SCTP_DISPOSITION_CONSUME; 2514 2515 nomem: 2516 return SCTP_DISPOSITION_NOMEM; 2517 } 2518 2519 /* 2520 * Process an ABORT. 2521 * 2522 * Section: 9.1 2523 * After checking the Verification Tag, the receiving endpoint shall 2524 * remove the association from its record, and shall report the 2525 * termination to its upper layer. 2526 * 2527 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2528 * B) Rules for packet carrying ABORT: 2529 * 2530 * - The endpoint shall always fill in the Verification Tag field of the 2531 * outbound packet with the destination endpoint's tag value if it 2532 * is known. 2533 * 2534 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2535 * MUST follow the procedure described in Section 8.4. 2536 * 2537 * - The receiver MUST accept the packet if the Verification Tag 2538 * matches either its own tag, OR the tag of its peer. Otherwise, the 2539 * receiver MUST silently discard the packet and take no further 2540 * action. 2541 * 2542 * Inputs 2543 * (endpoint, asoc, chunk) 2544 * 2545 * Outputs 2546 * (asoc, reply_msg, msg_up, timers, counters) 2547 * 2548 * The return value is the disposition of the chunk. 2549 */ 2550 enum sctp_disposition sctp_sf_do_9_1_abort( 2551 struct net *net, 2552 const struct sctp_endpoint *ep, 2553 const struct sctp_association *asoc, 2554 const union sctp_subtype type, 2555 void *arg, 2556 struct sctp_cmd_seq *commands) 2557 { 2558 struct sctp_chunk *chunk = arg; 2559 2560 if (!sctp_vtag_verify_either(chunk, asoc)) 2561 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2562 2563 /* Make sure that the ABORT chunk has a valid length. 2564 * Since this is an ABORT chunk, we have to discard it 2565 * because of the following text: 2566 * RFC 2960, Section 3.3.7 2567 * If an endpoint receives an ABORT with a format error or for an 2568 * association that doesn't exist, it MUST silently discard it. 2569 * Because the length is "invalid", we can't really discard just 2570 * as we do not know its true length. So, to be safe, discard the 2571 * packet. 2572 */ 2573 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2574 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2575 2576 /* ADD-IP: Special case for ABORT chunks 2577 * F4) One special consideration is that ABORT Chunks arriving 2578 * destined to the IP address being deleted MUST be 2579 * ignored (see Section 5.3.1 for further details). 2580 */ 2581 if (SCTP_ADDR_DEL == 2582 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2583 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 2584 2585 if (!sctp_err_chunk_valid(chunk)) 2586 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2587 2588 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2589 } 2590 2591 static enum sctp_disposition __sctp_sf_do_9_1_abort( 2592 struct net *net, 2593 const struct sctp_endpoint *ep, 2594 const struct sctp_association *asoc, 2595 const union sctp_subtype type, 2596 void *arg, 2597 struct sctp_cmd_seq *commands) 2598 { 2599 __be16 error = SCTP_ERROR_NO_ERROR; 2600 struct sctp_chunk *chunk = arg; 2601 unsigned int len; 2602 2603 /* See if we have an error cause code in the chunk. */ 2604 len = ntohs(chunk->chunk_hdr->length); 2605 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2606 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2607 2608 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2609 /* ASSOC_FAILED will DELETE_TCB. */ 2610 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2611 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2612 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2613 2614 return SCTP_DISPOSITION_ABORT; 2615 } 2616 2617 /* 2618 * Process an ABORT. (COOKIE-WAIT state) 2619 * 2620 * See sctp_sf_do_9_1_abort() above. 2621 */ 2622 enum sctp_disposition sctp_sf_cookie_wait_abort( 2623 struct net *net, 2624 const struct sctp_endpoint *ep, 2625 const struct sctp_association *asoc, 2626 const union sctp_subtype type, 2627 void *arg, 2628 struct sctp_cmd_seq *commands) 2629 { 2630 __be16 error = SCTP_ERROR_NO_ERROR; 2631 struct sctp_chunk *chunk = arg; 2632 unsigned int len; 2633 2634 if (!sctp_vtag_verify_either(chunk, asoc)) 2635 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2636 2637 /* Make sure that the ABORT chunk has a valid length. 2638 * Since this is an ABORT chunk, we have to discard it 2639 * because of the following text: 2640 * RFC 2960, Section 3.3.7 2641 * If an endpoint receives an ABORT with a format error or for an 2642 * association that doesn't exist, it MUST silently discard it. 2643 * Because the length is "invalid", we can't really discard just 2644 * as we do not know its true length. So, to be safe, discard the 2645 * packet. 2646 */ 2647 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2648 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2649 2650 /* See if we have an error cause code in the chunk. */ 2651 len = ntohs(chunk->chunk_hdr->length); 2652 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2653 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2654 2655 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2656 chunk->transport); 2657 } 2658 2659 /* 2660 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2661 */ 2662 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( 2663 struct net *net, 2664 const struct sctp_endpoint *ep, 2665 const struct sctp_association *asoc, 2666 const union sctp_subtype type, 2667 void *arg, 2668 struct sctp_cmd_seq *commands) 2669 { 2670 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2671 ENOPROTOOPT, asoc, 2672 (struct sctp_transport *)arg); 2673 } 2674 2675 /* 2676 * Process an ABORT. (COOKIE-ECHOED state) 2677 */ 2678 enum sctp_disposition sctp_sf_cookie_echoed_abort( 2679 struct net *net, 2680 const struct sctp_endpoint *ep, 2681 const struct sctp_association *asoc, 2682 const union sctp_subtype type, 2683 void *arg, 2684 struct sctp_cmd_seq *commands) 2685 { 2686 /* There is a single T1 timer, so we should be able to use 2687 * common function with the COOKIE-WAIT state. 2688 */ 2689 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2690 } 2691 2692 /* 2693 * Stop T1 timer and abort association with "INIT failed". 2694 * 2695 * This is common code called by several sctp_sf_*_abort() functions above. 2696 */ 2697 static enum sctp_disposition sctp_stop_t1_and_abort( 2698 struct net *net, 2699 struct sctp_cmd_seq *commands, 2700 __be16 error, int sk_err, 2701 const struct sctp_association *asoc, 2702 struct sctp_transport *transport) 2703 { 2704 pr_debug("%s: ABORT received (INIT)\n", __func__); 2705 2706 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2707 SCTP_STATE(SCTP_STATE_CLOSED)); 2708 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2709 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2710 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2711 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2712 /* CMD_INIT_FAILED will DELETE_TCB. */ 2713 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2714 SCTP_PERR(error)); 2715 2716 return SCTP_DISPOSITION_ABORT; 2717 } 2718 2719 /* 2720 * sctp_sf_do_9_2_shut 2721 * 2722 * Section: 9.2 2723 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2724 * - enter the SHUTDOWN-RECEIVED state, 2725 * 2726 * - stop accepting new data from its SCTP user 2727 * 2728 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2729 * that all its outstanding DATA chunks have been received by the 2730 * SHUTDOWN sender. 2731 * 2732 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2733 * send a SHUTDOWN in response to a ULP request. And should discard 2734 * subsequent SHUTDOWN chunks. 2735 * 2736 * If there are still outstanding DATA chunks left, the SHUTDOWN 2737 * receiver shall continue to follow normal data transmission 2738 * procedures defined in Section 6 until all outstanding DATA chunks 2739 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2740 * new data from its SCTP user. 2741 * 2742 * Verification Tag: 8.5 Verification Tag [Normal verification] 2743 * 2744 * Inputs 2745 * (endpoint, asoc, chunk) 2746 * 2747 * Outputs 2748 * (asoc, reply_msg, msg_up, timers, counters) 2749 * 2750 * The return value is the disposition of the chunk. 2751 */ 2752 enum sctp_disposition sctp_sf_do_9_2_shutdown( 2753 struct net *net, 2754 const struct sctp_endpoint *ep, 2755 const struct sctp_association *asoc, 2756 const union sctp_subtype type, 2757 void *arg, 2758 struct sctp_cmd_seq *commands) 2759 { 2760 enum sctp_disposition disposition; 2761 struct sctp_chunk *chunk = arg; 2762 struct sctp_shutdownhdr *sdh; 2763 struct sctp_ulpevent *ev; 2764 __u32 ctsn; 2765 2766 if (!sctp_vtag_verify(chunk, asoc)) 2767 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2768 2769 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2770 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2771 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2772 commands); 2773 2774 /* Convert the elaborate header. */ 2775 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2776 skb_pull(chunk->skb, sizeof(*sdh)); 2777 chunk->subh.shutdown_hdr = sdh; 2778 ctsn = ntohl(sdh->cum_tsn_ack); 2779 2780 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2781 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2782 asoc->ctsn_ack_point); 2783 2784 return SCTP_DISPOSITION_DISCARD; 2785 } 2786 2787 /* If Cumulative TSN Ack beyond the max tsn currently 2788 * send, terminating the association and respond to the 2789 * sender with an ABORT. 2790 */ 2791 if (!TSN_lt(ctsn, asoc->next_tsn)) 2792 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2793 2794 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2795 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2796 * inform the application that it should cease sending data. 2797 */ 2798 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2799 if (!ev) { 2800 disposition = SCTP_DISPOSITION_NOMEM; 2801 goto out; 2802 } 2803 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2804 2805 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2806 * - enter the SHUTDOWN-RECEIVED state, 2807 * - stop accepting new data from its SCTP user 2808 * 2809 * [This is implicit in the new state.] 2810 */ 2811 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2812 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2813 disposition = SCTP_DISPOSITION_CONSUME; 2814 2815 if (sctp_outq_is_empty(&asoc->outqueue)) { 2816 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2817 arg, commands); 2818 } 2819 2820 if (SCTP_DISPOSITION_NOMEM == disposition) 2821 goto out; 2822 2823 /* - verify, by checking the Cumulative TSN Ack field of the 2824 * chunk, that all its outstanding DATA chunks have been 2825 * received by the SHUTDOWN sender. 2826 */ 2827 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2828 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2829 2830 out: 2831 return disposition; 2832 } 2833 2834 /* 2835 * sctp_sf_do_9_2_shut_ctsn 2836 * 2837 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2838 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2839 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2840 * MUST be processed. 2841 */ 2842 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( 2843 struct net *net, 2844 const struct sctp_endpoint *ep, 2845 const struct sctp_association *asoc, 2846 const union sctp_subtype type, 2847 void *arg, 2848 struct sctp_cmd_seq *commands) 2849 { 2850 struct sctp_chunk *chunk = arg; 2851 struct sctp_shutdownhdr *sdh; 2852 __u32 ctsn; 2853 2854 if (!sctp_vtag_verify(chunk, asoc)) 2855 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2856 2857 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2858 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2859 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2860 commands); 2861 2862 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2863 ctsn = ntohl(sdh->cum_tsn_ack); 2864 2865 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2866 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2867 asoc->ctsn_ack_point); 2868 2869 return SCTP_DISPOSITION_DISCARD; 2870 } 2871 2872 /* If Cumulative TSN Ack beyond the max tsn currently 2873 * send, terminating the association and respond to the 2874 * sender with an ABORT. 2875 */ 2876 if (!TSN_lt(ctsn, asoc->next_tsn)) 2877 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2878 2879 /* verify, by checking the Cumulative TSN Ack field of the 2880 * chunk, that all its outstanding DATA chunks have been 2881 * received by the SHUTDOWN sender. 2882 */ 2883 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2884 SCTP_BE32(sdh->cum_tsn_ack)); 2885 2886 return SCTP_DISPOSITION_CONSUME; 2887 } 2888 2889 /* RFC 2960 9.2 2890 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2891 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2892 * transport addresses (either in the IP addresses or in the INIT chunk) 2893 * that belong to this association, it should discard the INIT chunk and 2894 * retransmit the SHUTDOWN ACK chunk. 2895 */ 2896 enum sctp_disposition sctp_sf_do_9_2_reshutack( 2897 struct net *net, 2898 const struct sctp_endpoint *ep, 2899 const struct sctp_association *asoc, 2900 const union sctp_subtype type, 2901 void *arg, 2902 struct sctp_cmd_seq *commands) 2903 { 2904 struct sctp_chunk *chunk = arg; 2905 struct sctp_chunk *reply; 2906 2907 /* Make sure that the chunk has a valid length */ 2908 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2909 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2910 commands); 2911 2912 /* Since we are not going to really process this INIT, there 2913 * is no point in verifying chunk boundries. Just generate 2914 * the SHUTDOWN ACK. 2915 */ 2916 reply = sctp_make_shutdown_ack(asoc, chunk); 2917 if (NULL == reply) 2918 goto nomem; 2919 2920 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2921 * the T2-SHUTDOWN timer. 2922 */ 2923 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2924 2925 /* and restart the T2-shutdown timer. */ 2926 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2927 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2928 2929 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2930 2931 return SCTP_DISPOSITION_CONSUME; 2932 nomem: 2933 return SCTP_DISPOSITION_NOMEM; 2934 } 2935 2936 /* 2937 * sctp_sf_do_ecn_cwr 2938 * 2939 * Section: Appendix A: Explicit Congestion Notification 2940 * 2941 * CWR: 2942 * 2943 * RFC 2481 details a specific bit for a sender to send in the header of 2944 * its next outbound TCP segment to indicate to its peer that it has 2945 * reduced its congestion window. This is termed the CWR bit. For 2946 * SCTP the same indication is made by including the CWR chunk. 2947 * This chunk contains one data element, i.e. the TSN number that 2948 * was sent in the ECNE chunk. This element represents the lowest 2949 * TSN number in the datagram that was originally marked with the 2950 * CE bit. 2951 * 2952 * Verification Tag: 8.5 Verification Tag [Normal verification] 2953 * Inputs 2954 * (endpoint, asoc, chunk) 2955 * 2956 * Outputs 2957 * (asoc, reply_msg, msg_up, timers, counters) 2958 * 2959 * The return value is the disposition of the chunk. 2960 */ 2961 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, 2962 const struct sctp_endpoint *ep, 2963 const struct sctp_association *asoc, 2964 const union sctp_subtype type, 2965 void *arg, 2966 struct sctp_cmd_seq *commands) 2967 { 2968 struct sctp_chunk *chunk = arg; 2969 struct sctp_cwrhdr *cwr; 2970 u32 lowest_tsn; 2971 2972 if (!sctp_vtag_verify(chunk, asoc)) 2973 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2974 2975 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 2976 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2977 commands); 2978 2979 cwr = (struct sctp_cwrhdr *)chunk->skb->data; 2980 skb_pull(chunk->skb, sizeof(*cwr)); 2981 2982 lowest_tsn = ntohl(cwr->lowest_tsn); 2983 2984 /* Does this CWR ack the last sent congestion notification? */ 2985 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2986 /* Stop sending ECNE. */ 2987 sctp_add_cmd_sf(commands, 2988 SCTP_CMD_ECN_CWR, 2989 SCTP_U32(lowest_tsn)); 2990 } 2991 return SCTP_DISPOSITION_CONSUME; 2992 } 2993 2994 /* 2995 * sctp_sf_do_ecne 2996 * 2997 * Section: Appendix A: Explicit Congestion Notification 2998 * 2999 * ECN-Echo 3000 * 3001 * RFC 2481 details a specific bit for a receiver to send back in its 3002 * TCP acknowledgements to notify the sender of the Congestion 3003 * Experienced (CE) bit having arrived from the network. For SCTP this 3004 * same indication is made by including the ECNE chunk. This chunk 3005 * contains one data element, i.e. the lowest TSN associated with the IP 3006 * datagram marked with the CE bit..... 3007 * 3008 * Verification Tag: 8.5 Verification Tag [Normal verification] 3009 * Inputs 3010 * (endpoint, asoc, chunk) 3011 * 3012 * Outputs 3013 * (asoc, reply_msg, msg_up, timers, counters) 3014 * 3015 * The return value is the disposition of the chunk. 3016 */ 3017 enum sctp_disposition sctp_sf_do_ecne(struct net *net, 3018 const struct sctp_endpoint *ep, 3019 const struct sctp_association *asoc, 3020 const union sctp_subtype type, 3021 void *arg, struct sctp_cmd_seq *commands) 3022 { 3023 struct sctp_chunk *chunk = arg; 3024 struct sctp_ecnehdr *ecne; 3025 3026 if (!sctp_vtag_verify(chunk, asoc)) 3027 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3028 3029 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3030 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3031 commands); 3032 3033 ecne = (struct sctp_ecnehdr *)chunk->skb->data; 3034 skb_pull(chunk->skb, sizeof(*ecne)); 3035 3036 /* If this is a newer ECNE than the last CWR packet we sent out */ 3037 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 3038 SCTP_U32(ntohl(ecne->lowest_tsn))); 3039 3040 return SCTP_DISPOSITION_CONSUME; 3041 } 3042 3043 /* 3044 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 3045 * 3046 * The SCTP endpoint MUST always acknowledge the reception of each valid 3047 * DATA chunk. 3048 * 3049 * The guidelines on delayed acknowledgement algorithm specified in 3050 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 3051 * acknowledgement SHOULD be generated for at least every second packet 3052 * (not every second DATA chunk) received, and SHOULD be generated within 3053 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 3054 * situations it may be beneficial for an SCTP transmitter to be more 3055 * conservative than the algorithms detailed in this document allow. 3056 * However, an SCTP transmitter MUST NOT be more aggressive than the 3057 * following algorithms allow. 3058 * 3059 * A SCTP receiver MUST NOT generate more than one SACK for every 3060 * incoming packet, other than to update the offered window as the 3061 * receiving application consumes new data. 3062 * 3063 * Verification Tag: 8.5 Verification Tag [Normal verification] 3064 * 3065 * Inputs 3066 * (endpoint, asoc, chunk) 3067 * 3068 * Outputs 3069 * (asoc, reply_msg, msg_up, timers, counters) 3070 * 3071 * The return value is the disposition of the chunk. 3072 */ 3073 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, 3074 const struct sctp_endpoint *ep, 3075 const struct sctp_association *asoc, 3076 const union sctp_subtype type, 3077 void *arg, 3078 struct sctp_cmd_seq *commands) 3079 { 3080 union sctp_arg force = SCTP_NOFORCE(); 3081 struct sctp_chunk *chunk = arg; 3082 int error; 3083 3084 if (!sctp_vtag_verify(chunk, asoc)) { 3085 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3086 SCTP_NULL()); 3087 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3088 } 3089 3090 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3091 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3092 commands); 3093 3094 error = sctp_eat_data(asoc, chunk, commands); 3095 switch (error) { 3096 case SCTP_IERROR_NO_ERROR: 3097 break; 3098 case SCTP_IERROR_HIGH_TSN: 3099 case SCTP_IERROR_BAD_STREAM: 3100 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3101 goto discard_noforce; 3102 case SCTP_IERROR_DUP_TSN: 3103 case SCTP_IERROR_IGNORE_TSN: 3104 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3105 goto discard_force; 3106 case SCTP_IERROR_NO_DATA: 3107 return SCTP_DISPOSITION_ABORT; 3108 case SCTP_IERROR_PROTO_VIOLATION: 3109 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3110 (u8 *)chunk->subh.data_hdr, 3111 sctp_datahdr_len(&asoc->stream)); 3112 default: 3113 BUG(); 3114 } 3115 3116 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 3117 force = SCTP_FORCE(); 3118 3119 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3120 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3121 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3122 } 3123 3124 /* If this is the last chunk in a packet, we need to count it 3125 * toward sack generation. Note that we need to SACK every 3126 * OTHER packet containing data chunks, EVEN IF WE DISCARD 3127 * THEM. We elect to NOT generate SACK's if the chunk fails 3128 * the verification tag test. 3129 * 3130 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3131 * 3132 * The SCTP endpoint MUST always acknowledge the reception of 3133 * each valid DATA chunk. 3134 * 3135 * The guidelines on delayed acknowledgement algorithm 3136 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3137 * Specifically, an acknowledgement SHOULD be generated for at 3138 * least every second packet (not every second DATA chunk) 3139 * received, and SHOULD be generated within 200 ms of the 3140 * arrival of any unacknowledged DATA chunk. In some 3141 * situations it may be beneficial for an SCTP transmitter to 3142 * be more conservative than the algorithms detailed in this 3143 * document allow. However, an SCTP transmitter MUST NOT be 3144 * more aggressive than the following algorithms allow. 3145 */ 3146 if (chunk->end_of_packet) 3147 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3148 3149 return SCTP_DISPOSITION_CONSUME; 3150 3151 discard_force: 3152 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3153 * 3154 * When a packet arrives with duplicate DATA chunk(s) and with 3155 * no new DATA chunk(s), the endpoint MUST immediately send a 3156 * SACK with no delay. If a packet arrives with duplicate 3157 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3158 * MAY immediately send a SACK. Normally receipt of duplicate 3159 * DATA chunks will occur when the original SACK chunk was lost 3160 * and the peer's RTO has expired. The duplicate TSN number(s) 3161 * SHOULD be reported in the SACK as duplicate. 3162 */ 3163 /* In our case, we split the MAY SACK advice up whether or not 3164 * the last chunk is a duplicate.' 3165 */ 3166 if (chunk->end_of_packet) 3167 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3168 return SCTP_DISPOSITION_DISCARD; 3169 3170 discard_noforce: 3171 if (chunk->end_of_packet) 3172 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3173 3174 return SCTP_DISPOSITION_DISCARD; 3175 } 3176 3177 /* 3178 * sctp_sf_eat_data_fast_4_4 3179 * 3180 * Section: 4 (4) 3181 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3182 * DATA chunks without delay. 3183 * 3184 * Verification Tag: 8.5 Verification Tag [Normal verification] 3185 * Inputs 3186 * (endpoint, asoc, chunk) 3187 * 3188 * Outputs 3189 * (asoc, reply_msg, msg_up, timers, counters) 3190 * 3191 * The return value is the disposition of the chunk. 3192 */ 3193 enum sctp_disposition sctp_sf_eat_data_fast_4_4( 3194 struct net *net, 3195 const struct sctp_endpoint *ep, 3196 const struct sctp_association *asoc, 3197 const union sctp_subtype type, 3198 void *arg, 3199 struct sctp_cmd_seq *commands) 3200 { 3201 struct sctp_chunk *chunk = arg; 3202 int error; 3203 3204 if (!sctp_vtag_verify(chunk, asoc)) { 3205 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3206 SCTP_NULL()); 3207 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3208 } 3209 3210 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3211 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3212 commands); 3213 3214 error = sctp_eat_data(asoc, chunk, commands); 3215 switch (error) { 3216 case SCTP_IERROR_NO_ERROR: 3217 case SCTP_IERROR_HIGH_TSN: 3218 case SCTP_IERROR_DUP_TSN: 3219 case SCTP_IERROR_IGNORE_TSN: 3220 case SCTP_IERROR_BAD_STREAM: 3221 break; 3222 case SCTP_IERROR_NO_DATA: 3223 return SCTP_DISPOSITION_ABORT; 3224 case SCTP_IERROR_PROTO_VIOLATION: 3225 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3226 (u8 *)chunk->subh.data_hdr, 3227 sctp_datahdr_len(&asoc->stream)); 3228 default: 3229 BUG(); 3230 } 3231 3232 /* Go a head and force a SACK, since we are shutting down. */ 3233 3234 /* Implementor's Guide. 3235 * 3236 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3237 * respond to each received packet containing one or more DATA chunk(s) 3238 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3239 */ 3240 if (chunk->end_of_packet) { 3241 /* We must delay the chunk creation since the cumulative 3242 * TSN has not been updated yet. 3243 */ 3244 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3245 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3246 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3247 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3248 } 3249 3250 return SCTP_DISPOSITION_CONSUME; 3251 } 3252 3253 /* 3254 * Section: 6.2 Processing a Received SACK 3255 * D) Any time a SACK arrives, the endpoint performs the following: 3256 * 3257 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3258 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3259 * increasing, a SACK whose Cumulative TSN Ack is less than the 3260 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3261 * 3262 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3263 * of bytes still outstanding after processing the Cumulative TSN Ack 3264 * and the Gap Ack Blocks. 3265 * 3266 * iii) If the SACK is missing a TSN that was previously 3267 * acknowledged via a Gap Ack Block (e.g., the data receiver 3268 * reneged on the data), then mark the corresponding DATA chunk 3269 * as available for retransmit: Mark it as missing for fast 3270 * retransmit as described in Section 7.2.4 and if no retransmit 3271 * timer is running for the destination address to which the DATA 3272 * chunk was originally transmitted, then T3-rtx is started for 3273 * that destination address. 3274 * 3275 * Verification Tag: 8.5 Verification Tag [Normal verification] 3276 * 3277 * Inputs 3278 * (endpoint, asoc, chunk) 3279 * 3280 * Outputs 3281 * (asoc, reply_msg, msg_up, timers, counters) 3282 * 3283 * The return value is the disposition of the chunk. 3284 */ 3285 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net, 3286 const struct sctp_endpoint *ep, 3287 const struct sctp_association *asoc, 3288 const union sctp_subtype type, 3289 void *arg, 3290 struct sctp_cmd_seq *commands) 3291 { 3292 struct sctp_chunk *chunk = arg; 3293 struct sctp_sackhdr *sackh; 3294 __u32 ctsn; 3295 3296 if (!sctp_vtag_verify(chunk, asoc)) 3297 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3298 3299 /* Make sure that the SACK chunk has a valid length. */ 3300 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk))) 3301 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3302 commands); 3303 3304 /* Pull the SACK chunk from the data buffer */ 3305 sackh = sctp_sm_pull_sack(chunk); 3306 /* Was this a bogus SACK? */ 3307 if (!sackh) 3308 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3309 chunk->subh.sack_hdr = sackh; 3310 ctsn = ntohl(sackh->cum_tsn_ack); 3311 3312 /* If Cumulative TSN Ack beyond the max tsn currently 3313 * send, terminating the association and respond to the 3314 * sender with an ABORT. 3315 */ 3316 if (TSN_lte(asoc->next_tsn, ctsn)) 3317 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3318 3319 trace_sctp_probe(ep, asoc, chunk); 3320 3321 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3322 * Ack Point, then drop the SACK. Since Cumulative TSN 3323 * Ack is monotonically increasing, a SACK whose 3324 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3325 * Point indicates an out-of-order SACK. 3326 */ 3327 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3328 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3329 asoc->ctsn_ack_point); 3330 3331 return SCTP_DISPOSITION_DISCARD; 3332 } 3333 3334 /* Return this SACK for further processing. */ 3335 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3336 3337 /* Note: We do the rest of the work on the PROCESS_SACK 3338 * sideeffect. 3339 */ 3340 return SCTP_DISPOSITION_CONSUME; 3341 } 3342 3343 /* 3344 * Generate an ABORT in response to a packet. 3345 * 3346 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3347 * 3348 * 8) The receiver should respond to the sender of the OOTB packet with 3349 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3350 * MUST fill in the Verification Tag field of the outbound packet 3351 * with the value found in the Verification Tag field of the OOTB 3352 * packet and set the T-bit in the Chunk Flags to indicate that the 3353 * Verification Tag is reflected. After sending this ABORT, the 3354 * receiver of the OOTB packet shall discard the OOTB packet and take 3355 * no further action. 3356 * 3357 * Verification Tag: 3358 * 3359 * The return value is the disposition of the chunk. 3360 */ 3361 static enum sctp_disposition sctp_sf_tabort_8_4_8( 3362 struct net *net, 3363 const struct sctp_endpoint *ep, 3364 const struct sctp_association *asoc, 3365 const union sctp_subtype type, 3366 void *arg, 3367 struct sctp_cmd_seq *commands) 3368 { 3369 struct sctp_packet *packet = NULL; 3370 struct sctp_chunk *chunk = arg; 3371 struct sctp_chunk *abort; 3372 3373 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3374 if (!packet) 3375 return SCTP_DISPOSITION_NOMEM; 3376 3377 /* Make an ABORT. The T bit will be set if the asoc 3378 * is NULL. 3379 */ 3380 abort = sctp_make_abort(asoc, chunk, 0); 3381 if (!abort) { 3382 sctp_ootb_pkt_free(packet); 3383 return SCTP_DISPOSITION_NOMEM; 3384 } 3385 3386 /* Reflect vtag if T-Bit is set */ 3387 if (sctp_test_T_bit(abort)) 3388 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3389 3390 /* Set the skb to the belonging sock for accounting. */ 3391 abort->skb->sk = ep->base.sk; 3392 3393 sctp_packet_append_chunk(packet, abort); 3394 3395 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3396 SCTP_PACKET(packet)); 3397 3398 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3399 3400 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3401 return SCTP_DISPOSITION_CONSUME; 3402 } 3403 3404 /* 3405 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3406 * event as ULP notification for each cause included in the chunk. 3407 * 3408 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3409 * 3410 * The return value is the disposition of the chunk. 3411 */ 3412 enum sctp_disposition sctp_sf_operr_notify(struct net *net, 3413 const struct sctp_endpoint *ep, 3414 const struct sctp_association *asoc, 3415 const union sctp_subtype type, 3416 void *arg, 3417 struct sctp_cmd_seq *commands) 3418 { 3419 struct sctp_chunk *chunk = arg; 3420 struct sctp_errhdr *err; 3421 3422 if (!sctp_vtag_verify(chunk, asoc)) 3423 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3424 3425 /* Make sure that the ERROR chunk has a valid length. */ 3426 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 3427 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3428 commands); 3429 sctp_walk_errors(err, chunk->chunk_hdr); 3430 if ((void *)err != (void *)chunk->chunk_end) 3431 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3432 (void *)err, commands); 3433 3434 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3435 SCTP_CHUNK(chunk)); 3436 3437 return SCTP_DISPOSITION_CONSUME; 3438 } 3439 3440 /* 3441 * Process an inbound SHUTDOWN ACK. 3442 * 3443 * From Section 9.2: 3444 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3445 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3446 * peer, and remove all record of the association. 3447 * 3448 * The return value is the disposition. 3449 */ 3450 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, 3451 const struct sctp_endpoint *ep, 3452 const struct sctp_association *asoc, 3453 const union sctp_subtype type, 3454 void *arg, 3455 struct sctp_cmd_seq *commands) 3456 { 3457 struct sctp_chunk *chunk = arg; 3458 struct sctp_chunk *reply; 3459 struct sctp_ulpevent *ev; 3460 3461 if (!sctp_vtag_verify(chunk, asoc)) 3462 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3463 3464 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3465 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3466 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3467 commands); 3468 /* 10.2 H) SHUTDOWN COMPLETE notification 3469 * 3470 * When SCTP completes the shutdown procedures (section 9.2) this 3471 * notification is passed to the upper layer. 3472 */ 3473 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3474 0, 0, 0, NULL, GFP_ATOMIC); 3475 if (!ev) 3476 goto nomem; 3477 3478 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3479 reply = sctp_make_shutdown_complete(asoc, chunk); 3480 if (!reply) 3481 goto nomem_chunk; 3482 3483 /* Do all the commands now (after allocation), so that we 3484 * have consistent state if memory allocation failes 3485 */ 3486 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3487 3488 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3489 * stop the T2-shutdown timer, 3490 */ 3491 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3492 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3493 3494 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3495 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3496 3497 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3498 SCTP_STATE(SCTP_STATE_CLOSED)); 3499 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3500 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3501 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3502 3503 /* ...and remove all record of the association. */ 3504 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3505 return SCTP_DISPOSITION_DELETE_TCB; 3506 3507 nomem_chunk: 3508 sctp_ulpevent_free(ev); 3509 nomem: 3510 return SCTP_DISPOSITION_NOMEM; 3511 } 3512 3513 /* 3514 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3515 * 3516 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3517 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3518 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3519 * packet must fill in the Verification Tag field of the outbound 3520 * packet with the Verification Tag received in the SHUTDOWN ACK and 3521 * set the T-bit in the Chunk Flags to indicate that the Verification 3522 * Tag is reflected. 3523 * 3524 * 8) The receiver should respond to the sender of the OOTB packet with 3525 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3526 * MUST fill in the Verification Tag field of the outbound packet 3527 * with the value found in the Verification Tag field of the OOTB 3528 * packet and set the T-bit in the Chunk Flags to indicate that the 3529 * Verification Tag is reflected. After sending this ABORT, the 3530 * receiver of the OOTB packet shall discard the OOTB packet and take 3531 * no further action. 3532 */ 3533 enum sctp_disposition sctp_sf_ootb(struct net *net, 3534 const struct sctp_endpoint *ep, 3535 const struct sctp_association *asoc, 3536 const union sctp_subtype type, 3537 void *arg, struct sctp_cmd_seq *commands) 3538 { 3539 struct sctp_chunk *chunk = arg; 3540 struct sk_buff *skb = chunk->skb; 3541 struct sctp_chunkhdr *ch; 3542 struct sctp_errhdr *err; 3543 int ootb_cookie_ack = 0; 3544 int ootb_shut_ack = 0; 3545 __u8 *ch_end; 3546 3547 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3548 3549 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; 3550 do { 3551 /* Report violation if the chunk is less then minimal */ 3552 if (ntohs(ch->length) < sizeof(*ch)) 3553 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3554 commands); 3555 3556 /* Report violation if chunk len overflows */ 3557 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); 3558 if (ch_end > skb_tail_pointer(skb)) 3559 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3560 commands); 3561 3562 /* Now that we know we at least have a chunk header, 3563 * do things that are type appropriate. 3564 */ 3565 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3566 ootb_shut_ack = 1; 3567 3568 /* RFC 2960, Section 3.3.7 3569 * Moreover, under any circumstances, an endpoint that 3570 * receives an ABORT MUST NOT respond to that ABORT by 3571 * sending an ABORT of its own. 3572 */ 3573 if (SCTP_CID_ABORT == ch->type) 3574 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3575 3576 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3577 * or a COOKIE ACK the SCTP Packet should be silently 3578 * discarded. 3579 */ 3580 3581 if (SCTP_CID_COOKIE_ACK == ch->type) 3582 ootb_cookie_ack = 1; 3583 3584 if (SCTP_CID_ERROR == ch->type) { 3585 sctp_walk_errors(err, ch) { 3586 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3587 ootb_cookie_ack = 1; 3588 break; 3589 } 3590 } 3591 } 3592 3593 ch = (struct sctp_chunkhdr *)ch_end; 3594 } while (ch_end < skb_tail_pointer(skb)); 3595 3596 if (ootb_shut_ack) 3597 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3598 else if (ootb_cookie_ack) 3599 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3600 else 3601 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3602 } 3603 3604 /* 3605 * Handle an "Out of the blue" SHUTDOWN ACK. 3606 * 3607 * Section: 8.4 5, sctpimpguide 2.41. 3608 * 3609 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3610 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3611 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3612 * packet must fill in the Verification Tag field of the outbound 3613 * packet with the Verification Tag received in the SHUTDOWN ACK and 3614 * set the T-bit in the Chunk Flags to indicate that the Verification 3615 * Tag is reflected. 3616 * 3617 * Inputs 3618 * (endpoint, asoc, type, arg, commands) 3619 * 3620 * Outputs 3621 * (enum sctp_disposition) 3622 * 3623 * The return value is the disposition of the chunk. 3624 */ 3625 static enum sctp_disposition sctp_sf_shut_8_4_5( 3626 struct net *net, 3627 const struct sctp_endpoint *ep, 3628 const struct sctp_association *asoc, 3629 const union sctp_subtype type, 3630 void *arg, 3631 struct sctp_cmd_seq *commands) 3632 { 3633 struct sctp_packet *packet = NULL; 3634 struct sctp_chunk *chunk = arg; 3635 struct sctp_chunk *shut; 3636 3637 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3638 if (!packet) 3639 return SCTP_DISPOSITION_NOMEM; 3640 3641 /* Make an SHUTDOWN_COMPLETE. 3642 * The T bit will be set if the asoc is NULL. 3643 */ 3644 shut = sctp_make_shutdown_complete(asoc, chunk); 3645 if (!shut) { 3646 sctp_ootb_pkt_free(packet); 3647 return SCTP_DISPOSITION_NOMEM; 3648 } 3649 3650 /* Reflect vtag if T-Bit is set */ 3651 if (sctp_test_T_bit(shut)) 3652 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3653 3654 /* Set the skb to the belonging sock for accounting. */ 3655 shut->skb->sk = ep->base.sk; 3656 3657 sctp_packet_append_chunk(packet, shut); 3658 3659 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3660 SCTP_PACKET(packet)); 3661 3662 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3663 3664 /* If the chunk length is invalid, we don't want to process 3665 * the reset of the packet. 3666 */ 3667 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3668 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3669 3670 /* We need to discard the rest of the packet to prevent 3671 * potential bomming attacks from additional bundled chunks. 3672 * This is documented in SCTP Threats ID. 3673 */ 3674 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3675 } 3676 3677 /* 3678 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3679 * 3680 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3681 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3682 * procedures in section 8.4 SHOULD be followed, in other words it 3683 * should be treated as an Out Of The Blue packet. 3684 * [This means that we do NOT check the Verification Tag on these 3685 * chunks. --piggy ] 3686 * 3687 */ 3688 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, 3689 const struct sctp_endpoint *ep, 3690 const struct sctp_association *asoc, 3691 const union sctp_subtype type, 3692 void *arg, 3693 struct sctp_cmd_seq *commands) 3694 { 3695 struct sctp_chunk *chunk = arg; 3696 3697 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3698 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3699 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3700 commands); 3701 3702 /* Although we do have an association in this case, it corresponds 3703 * to a restarted association. So the packet is treated as an OOTB 3704 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3705 * called with a NULL association. 3706 */ 3707 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3708 3709 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3710 } 3711 3712 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3713 enum sctp_disposition sctp_sf_do_asconf(struct net *net, 3714 const struct sctp_endpoint *ep, 3715 const struct sctp_association *asoc, 3716 const union sctp_subtype type, 3717 void *arg, 3718 struct sctp_cmd_seq *commands) 3719 { 3720 struct sctp_paramhdr *err_param = NULL; 3721 struct sctp_chunk *asconf_ack = NULL; 3722 struct sctp_chunk *chunk = arg; 3723 struct sctp_addiphdr *hdr; 3724 __u32 serial; 3725 3726 if (!sctp_vtag_verify(chunk, asoc)) { 3727 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3728 SCTP_NULL()); 3729 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3730 } 3731 3732 /* ADD-IP: Section 4.1.1 3733 * This chunk MUST be sent in an authenticated way by using 3734 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3735 * is received unauthenticated it MUST be silently discarded as 3736 * described in [I-D.ietf-tsvwg-sctp-auth]. 3737 */ 3738 if (!asoc->peer.asconf_capable || 3739 (!net->sctp.addip_noauth && !chunk->auth)) 3740 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, 3741 commands); 3742 3743 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3744 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) 3745 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3746 commands); 3747 3748 hdr = (struct sctp_addiphdr *)chunk->skb->data; 3749 serial = ntohl(hdr->serial); 3750 3751 /* Verify the ASCONF chunk before processing it. */ 3752 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3753 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3754 (void *)err_param, commands); 3755 3756 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3757 * the endpoint stored in a new association variable 3758 * 'Peer-Serial-Number'. 3759 */ 3760 if (serial == asoc->peer.addip_serial + 1) { 3761 /* If this is the first instance of ASCONF in the packet, 3762 * we can clean our old ASCONF-ACKs. 3763 */ 3764 if (!chunk->has_asconf) 3765 sctp_assoc_clean_asconf_ack_cache(asoc); 3766 3767 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3768 * expected, process the ASCONF as described below and after 3769 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3770 * the response packet and cache a copy of it (in the event it 3771 * later needs to be retransmitted). 3772 * 3773 * Essentially, do V1-V5. 3774 */ 3775 asconf_ack = sctp_process_asconf((struct sctp_association *) 3776 asoc, chunk); 3777 if (!asconf_ack) 3778 return SCTP_DISPOSITION_NOMEM; 3779 } else if (serial < asoc->peer.addip_serial + 1) { 3780 /* ADDIP 5.2 E2) 3781 * If the value found in the Sequence Number is less than the 3782 * ('Peer- Sequence-Number' + 1), simply skip to the next 3783 * ASCONF, and include in the outbound response packet 3784 * any previously cached ASCONF-ACK response that was 3785 * sent and saved that matches the Sequence Number of the 3786 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3787 * Chunk exists. This will occur when an older ASCONF 3788 * arrives out of order. In such a case, the receiver 3789 * should skip the ASCONF Chunk and not include ASCONF-ACK 3790 * Chunk for that chunk. 3791 */ 3792 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3793 if (!asconf_ack) 3794 return SCTP_DISPOSITION_DISCARD; 3795 3796 /* Reset the transport so that we select the correct one 3797 * this time around. This is to make sure that we don't 3798 * accidentally use a stale transport that's been removed. 3799 */ 3800 asconf_ack->transport = NULL; 3801 } else { 3802 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3803 * it must be either a stale packet or from an attacker. 3804 */ 3805 return SCTP_DISPOSITION_DISCARD; 3806 } 3807 3808 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3809 * containing the ASCONF-ACK Chunks MUST be the source address of 3810 * the SCTP packet that held the ASCONF Chunks. 3811 * 3812 * To do this properly, we'll set the destination address of the chunk 3813 * and at the transmit time, will try look up the transport to use. 3814 * Since ASCONFs may be bundled, the correct transport may not be 3815 * created until we process the entire packet, thus this workaround. 3816 */ 3817 asconf_ack->dest = chunk->source; 3818 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3819 if (asoc->new_transport) { 3820 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3821 ((struct sctp_association *)asoc)->new_transport = NULL; 3822 } 3823 3824 return SCTP_DISPOSITION_CONSUME; 3825 } 3826 3827 static enum sctp_disposition sctp_send_next_asconf( 3828 struct net *net, 3829 const struct sctp_endpoint *ep, 3830 struct sctp_association *asoc, 3831 const union sctp_subtype type, 3832 struct sctp_cmd_seq *commands) 3833 { 3834 struct sctp_chunk *asconf; 3835 struct list_head *entry; 3836 3837 if (list_empty(&asoc->addip_chunk_list)) 3838 return SCTP_DISPOSITION_CONSUME; 3839 3840 entry = asoc->addip_chunk_list.next; 3841 asconf = list_entry(entry, struct sctp_chunk, list); 3842 3843 list_del_init(entry); 3844 sctp_chunk_hold(asconf); 3845 asoc->addip_last_asconf = asconf; 3846 3847 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands); 3848 } 3849 3850 /* 3851 * ADDIP Section 4.3 General rules for address manipulation 3852 * When building TLV parameters for the ASCONF Chunk that will add or 3853 * delete IP addresses the D0 to D13 rules should be applied: 3854 */ 3855 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, 3856 const struct sctp_endpoint *ep, 3857 const struct sctp_association *asoc, 3858 const union sctp_subtype type, 3859 void *arg, 3860 struct sctp_cmd_seq *commands) 3861 { 3862 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3863 struct sctp_paramhdr *err_param = NULL; 3864 struct sctp_chunk *asconf_ack = arg; 3865 struct sctp_addiphdr *addip_hdr; 3866 __u32 sent_serial, rcvd_serial; 3867 struct sctp_chunk *abort; 3868 3869 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3870 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3871 SCTP_NULL()); 3872 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3873 } 3874 3875 /* ADD-IP, Section 4.1.2: 3876 * This chunk MUST be sent in an authenticated way by using 3877 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3878 * is received unauthenticated it MUST be silently discarded as 3879 * described in [I-D.ietf-tsvwg-sctp-auth]. 3880 */ 3881 if (!asoc->peer.asconf_capable || 3882 (!net->sctp.addip_noauth && !asconf_ack->auth)) 3883 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, 3884 commands); 3885 3886 /* Make sure that the ADDIP chunk has a valid length. */ 3887 if (!sctp_chunk_length_valid(asconf_ack, 3888 sizeof(struct sctp_addip_chunk))) 3889 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3890 commands); 3891 3892 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; 3893 rcvd_serial = ntohl(addip_hdr->serial); 3894 3895 /* Verify the ASCONF-ACK chunk before processing it. */ 3896 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 3897 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3898 (void *)err_param, commands); 3899 3900 if (last_asconf) { 3901 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr; 3902 sent_serial = ntohl(addip_hdr->serial); 3903 } else { 3904 sent_serial = asoc->addip_serial - 1; 3905 } 3906 3907 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3908 * equal to the next serial number to be used but no ASCONF chunk is 3909 * outstanding the endpoint MUST ABORT the association. Note that a 3910 * sequence number is greater than if it is no more than 2^^31-1 3911 * larger than the current sequence number (using serial arithmetic). 3912 */ 3913 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3914 !(asoc->addip_last_asconf)) { 3915 abort = sctp_make_abort(asoc, asconf_ack, 3916 sizeof(struct sctp_errhdr)); 3917 if (abort) { 3918 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3919 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3920 SCTP_CHUNK(abort)); 3921 } 3922 /* We are going to ABORT, so we might as well stop 3923 * processing the rest of the chunks in the packet. 3924 */ 3925 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3926 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3927 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3928 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3929 SCTP_ERROR(ECONNABORTED)); 3930 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3931 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3932 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3933 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3934 return SCTP_DISPOSITION_ABORT; 3935 } 3936 3937 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3938 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3939 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3940 3941 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3942 asconf_ack)) 3943 return sctp_send_next_asconf(net, ep, 3944 (struct sctp_association *)asoc, 3945 type, commands); 3946 3947 abort = sctp_make_abort(asoc, asconf_ack, 3948 sizeof(struct sctp_errhdr)); 3949 if (abort) { 3950 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3951 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3952 SCTP_CHUNK(abort)); 3953 } 3954 /* We are going to ABORT, so we might as well stop 3955 * processing the rest of the chunks in the packet. 3956 */ 3957 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3958 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3959 SCTP_ERROR(ECONNABORTED)); 3960 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3961 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3962 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3963 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3964 return SCTP_DISPOSITION_ABORT; 3965 } 3966 3967 return SCTP_DISPOSITION_DISCARD; 3968 } 3969 3970 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */ 3971 enum sctp_disposition sctp_sf_do_reconf(struct net *net, 3972 const struct sctp_endpoint *ep, 3973 const struct sctp_association *asoc, 3974 const union sctp_subtype type, 3975 void *arg, 3976 struct sctp_cmd_seq *commands) 3977 { 3978 struct sctp_paramhdr *err_param = NULL; 3979 struct sctp_chunk *chunk = arg; 3980 struct sctp_reconf_chunk *hdr; 3981 union sctp_params param; 3982 3983 if (!sctp_vtag_verify(chunk, asoc)) { 3984 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3985 SCTP_NULL()); 3986 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3987 } 3988 3989 /* Make sure that the RECONF chunk has a valid length. */ 3990 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr))) 3991 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3992 commands); 3993 3994 if (!sctp_verify_reconf(asoc, chunk, &err_param)) 3995 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3996 (void *)err_param, commands); 3997 3998 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr; 3999 sctp_walk_params(param, hdr, params) { 4000 struct sctp_chunk *reply = NULL; 4001 struct sctp_ulpevent *ev = NULL; 4002 4003 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST) 4004 reply = sctp_process_strreset_outreq( 4005 (struct sctp_association *)asoc, param, &ev); 4006 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST) 4007 reply = sctp_process_strreset_inreq( 4008 (struct sctp_association *)asoc, param, &ev); 4009 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST) 4010 reply = sctp_process_strreset_tsnreq( 4011 (struct sctp_association *)asoc, param, &ev); 4012 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) 4013 reply = sctp_process_strreset_addstrm_out( 4014 (struct sctp_association *)asoc, param, &ev); 4015 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS) 4016 reply = sctp_process_strreset_addstrm_in( 4017 (struct sctp_association *)asoc, param, &ev); 4018 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE) 4019 reply = sctp_process_strreset_resp( 4020 (struct sctp_association *)asoc, param, &ev); 4021 4022 if (ev) 4023 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4024 SCTP_ULPEVENT(ev)); 4025 4026 if (reply) 4027 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4028 SCTP_CHUNK(reply)); 4029 } 4030 4031 return SCTP_DISPOSITION_CONSUME; 4032 } 4033 4034 /* 4035 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 4036 * 4037 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 4038 * its cumulative TSN point to the value carried in the FORWARD TSN 4039 * chunk, and then MUST further advance its cumulative TSN point locally 4040 * if possible. 4041 * After the above processing, the data receiver MUST stop reporting any 4042 * missing TSNs earlier than or equal to the new cumulative TSN point. 4043 * 4044 * Verification Tag: 8.5 Verification Tag [Normal verification] 4045 * 4046 * The return value is the disposition of the chunk. 4047 */ 4048 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net, 4049 const struct sctp_endpoint *ep, 4050 const struct sctp_association *asoc, 4051 const union sctp_subtype type, 4052 void *arg, 4053 struct sctp_cmd_seq *commands) 4054 { 4055 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4056 struct sctp_chunk *chunk = arg; 4057 __u16 len; 4058 __u32 tsn; 4059 4060 if (!sctp_vtag_verify(chunk, asoc)) { 4061 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4062 SCTP_NULL()); 4063 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4064 } 4065 4066 if (!asoc->peer.prsctp_capable) 4067 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4068 4069 /* Make sure that the FORWARD_TSN chunk has valid length. */ 4070 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4071 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4072 commands); 4073 4074 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4075 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4076 len = ntohs(chunk->chunk_hdr->length); 4077 len -= sizeof(struct sctp_chunkhdr); 4078 skb_pull(chunk->skb, len); 4079 4080 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4081 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4082 4083 /* The TSN is too high--silently discard the chunk and count on it 4084 * getting retransmitted later. 4085 */ 4086 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4087 goto discard_noforce; 4088 4089 if (!asoc->stream.si->validate_ftsn(chunk)) 4090 goto discard_noforce; 4091 4092 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4093 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4094 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4095 SCTP_CHUNK(chunk)); 4096 4097 /* Count this as receiving DATA. */ 4098 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 4099 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4100 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4101 } 4102 4103 /* FIXME: For now send a SACK, but DATA processing may 4104 * send another. 4105 */ 4106 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 4107 4108 return SCTP_DISPOSITION_CONSUME; 4109 4110 discard_noforce: 4111 return SCTP_DISPOSITION_DISCARD; 4112 } 4113 4114 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( 4115 struct net *net, 4116 const struct sctp_endpoint *ep, 4117 const struct sctp_association *asoc, 4118 const union sctp_subtype type, 4119 void *arg, 4120 struct sctp_cmd_seq *commands) 4121 { 4122 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4123 struct sctp_chunk *chunk = arg; 4124 __u16 len; 4125 __u32 tsn; 4126 4127 if (!sctp_vtag_verify(chunk, asoc)) { 4128 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4129 SCTP_NULL()); 4130 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4131 } 4132 4133 if (!asoc->peer.prsctp_capable) 4134 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4135 4136 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 4137 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4138 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4139 commands); 4140 4141 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4142 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4143 len = ntohs(chunk->chunk_hdr->length); 4144 len -= sizeof(struct sctp_chunkhdr); 4145 skb_pull(chunk->skb, len); 4146 4147 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4148 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4149 4150 /* The TSN is too high--silently discard the chunk and count on it 4151 * getting retransmitted later. 4152 */ 4153 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4154 goto gen_shutdown; 4155 4156 if (!asoc->stream.si->validate_ftsn(chunk)) 4157 goto gen_shutdown; 4158 4159 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4160 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4161 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4162 SCTP_CHUNK(chunk)); 4163 4164 /* Go a head and force a SACK, since we are shutting down. */ 4165 gen_shutdown: 4166 /* Implementor's Guide. 4167 * 4168 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 4169 * respond to each received packet containing one or more DATA chunk(s) 4170 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 4171 */ 4172 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 4173 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4174 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4175 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4176 4177 return SCTP_DISPOSITION_CONSUME; 4178 } 4179 4180 /* 4181 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 4182 * 4183 * The receiver MUST use the HMAC algorithm indicated in the HMAC 4184 * Identifier field. If this algorithm was not specified by the 4185 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 4186 * during association setup, the AUTH chunk and all chunks after it MUST 4187 * be discarded and an ERROR chunk SHOULD be sent with the error cause 4188 * defined in Section 4.1. 4189 * 4190 * If an endpoint with no shared key receives a Shared Key Identifier 4191 * other than 0, it MUST silently discard all authenticated chunks. If 4192 * the endpoint has at least one endpoint pair shared key for the peer, 4193 * it MUST use the key specified by the Shared Key Identifier if a 4194 * key has been configured for that Shared Key Identifier. If no 4195 * endpoint pair shared key has been configured for that Shared Key 4196 * Identifier, all authenticated chunks MUST be silently discarded. 4197 * 4198 * Verification Tag: 8.5 Verification Tag [Normal verification] 4199 * 4200 * The return value is the disposition of the chunk. 4201 */ 4202 static enum sctp_ierror sctp_sf_authenticate( 4203 const struct sctp_association *asoc, 4204 struct sctp_chunk *chunk) 4205 { 4206 struct sctp_shared_key *sh_key = NULL; 4207 struct sctp_authhdr *auth_hdr; 4208 __u8 *save_digest, *digest; 4209 struct sctp_hmac *hmac; 4210 unsigned int sig_len; 4211 __u16 key_id; 4212 4213 /* Pull in the auth header, so we can do some more verification */ 4214 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4215 chunk->subh.auth_hdr = auth_hdr; 4216 skb_pull(chunk->skb, sizeof(*auth_hdr)); 4217 4218 /* Make sure that we support the HMAC algorithm from the auth 4219 * chunk. 4220 */ 4221 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4222 return SCTP_IERROR_AUTH_BAD_HMAC; 4223 4224 /* Make sure that the provided shared key identifier has been 4225 * configured 4226 */ 4227 key_id = ntohs(auth_hdr->shkey_id); 4228 if (key_id != asoc->active_key_id) { 4229 sh_key = sctp_auth_get_shkey(asoc, key_id); 4230 if (!sh_key) 4231 return SCTP_IERROR_AUTH_BAD_KEYID; 4232 } 4233 4234 /* Make sure that the length of the signature matches what 4235 * we expect. 4236 */ 4237 sig_len = ntohs(chunk->chunk_hdr->length) - 4238 sizeof(struct sctp_auth_chunk); 4239 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4240 if (sig_len != hmac->hmac_len) 4241 return SCTP_IERROR_PROTO_VIOLATION; 4242 4243 /* Now that we've done validation checks, we can compute and 4244 * verify the hmac. The steps involved are: 4245 * 1. Save the digest from the chunk. 4246 * 2. Zero out the digest in the chunk. 4247 * 3. Compute the new digest 4248 * 4. Compare saved and new digests. 4249 */ 4250 digest = auth_hdr->hmac; 4251 skb_pull(chunk->skb, sig_len); 4252 4253 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4254 if (!save_digest) 4255 goto nomem; 4256 4257 memset(digest, 0, sig_len); 4258 4259 sctp_auth_calculate_hmac(asoc, chunk->skb, 4260 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4261 sh_key, GFP_ATOMIC); 4262 4263 /* Discard the packet if the digests do not match */ 4264 if (memcmp(save_digest, digest, sig_len)) { 4265 kfree(save_digest); 4266 return SCTP_IERROR_BAD_SIG; 4267 } 4268 4269 kfree(save_digest); 4270 chunk->auth = 1; 4271 4272 return SCTP_IERROR_NO_ERROR; 4273 nomem: 4274 return SCTP_IERROR_NOMEM; 4275 } 4276 4277 enum sctp_disposition sctp_sf_eat_auth(struct net *net, 4278 const struct sctp_endpoint *ep, 4279 const struct sctp_association *asoc, 4280 const union sctp_subtype type, 4281 void *arg, struct sctp_cmd_seq *commands) 4282 { 4283 struct sctp_chunk *chunk = arg; 4284 struct sctp_authhdr *auth_hdr; 4285 struct sctp_chunk *err_chunk; 4286 enum sctp_ierror error; 4287 4288 /* Make sure that the peer has AUTH capable */ 4289 if (!asoc->peer.auth_capable) 4290 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4291 4292 if (!sctp_vtag_verify(chunk, asoc)) { 4293 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4294 SCTP_NULL()); 4295 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4296 } 4297 4298 /* Make sure that the AUTH chunk has valid length. */ 4299 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4300 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4301 commands); 4302 4303 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4304 error = sctp_sf_authenticate(asoc, chunk); 4305 switch (error) { 4306 case SCTP_IERROR_AUTH_BAD_HMAC: 4307 /* Generate the ERROR chunk and discard the rest 4308 * of the packet 4309 */ 4310 err_chunk = sctp_make_op_error(asoc, chunk, 4311 SCTP_ERROR_UNSUP_HMAC, 4312 &auth_hdr->hmac_id, 4313 sizeof(__u16), 0); 4314 if (err_chunk) { 4315 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4316 SCTP_CHUNK(err_chunk)); 4317 } 4318 /* Fall Through */ 4319 case SCTP_IERROR_AUTH_BAD_KEYID: 4320 case SCTP_IERROR_BAD_SIG: 4321 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4322 4323 case SCTP_IERROR_PROTO_VIOLATION: 4324 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4325 commands); 4326 4327 case SCTP_IERROR_NOMEM: 4328 return SCTP_DISPOSITION_NOMEM; 4329 4330 default: /* Prevent gcc warnings */ 4331 break; 4332 } 4333 4334 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4335 struct sctp_ulpevent *ev; 4336 4337 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4338 SCTP_AUTH_NEW_KEY, GFP_ATOMIC); 4339 4340 if (!ev) 4341 return -ENOMEM; 4342 4343 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4344 SCTP_ULPEVENT(ev)); 4345 } 4346 4347 return SCTP_DISPOSITION_CONSUME; 4348 } 4349 4350 /* 4351 * Process an unknown chunk. 4352 * 4353 * Section: 3.2. Also, 2.1 in the implementor's guide. 4354 * 4355 * Chunk Types are encoded such that the highest-order two bits specify 4356 * the action that must be taken if the processing endpoint does not 4357 * recognize the Chunk Type. 4358 * 4359 * 00 - Stop processing this SCTP packet and discard it, do not process 4360 * any further chunks within it. 4361 * 4362 * 01 - Stop processing this SCTP packet and discard it, do not process 4363 * any further chunks within it, and report the unrecognized 4364 * chunk in an 'Unrecognized Chunk Type'. 4365 * 4366 * 10 - Skip this chunk and continue processing. 4367 * 4368 * 11 - Skip this chunk and continue processing, but report in an ERROR 4369 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4370 * 4371 * The return value is the disposition of the chunk. 4372 */ 4373 enum sctp_disposition sctp_sf_unk_chunk(struct net *net, 4374 const struct sctp_endpoint *ep, 4375 const struct sctp_association *asoc, 4376 const union sctp_subtype type, 4377 void *arg, 4378 struct sctp_cmd_seq *commands) 4379 { 4380 struct sctp_chunk *unk_chunk = arg; 4381 struct sctp_chunk *err_chunk; 4382 struct sctp_chunkhdr *hdr; 4383 4384 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4385 4386 if (!sctp_vtag_verify(unk_chunk, asoc)) 4387 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4388 4389 /* Make sure that the chunk has a valid length. 4390 * Since we don't know the chunk type, we use a general 4391 * chunkhdr structure to make a comparison. 4392 */ 4393 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr))) 4394 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4395 commands); 4396 4397 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4398 case SCTP_CID_ACTION_DISCARD: 4399 /* Discard the packet. */ 4400 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4401 case SCTP_CID_ACTION_DISCARD_ERR: 4402 /* Generate an ERROR chunk as response. */ 4403 hdr = unk_chunk->chunk_hdr; 4404 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4405 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4406 SCTP_PAD4(ntohs(hdr->length)), 4407 0); 4408 if (err_chunk) { 4409 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4410 SCTP_CHUNK(err_chunk)); 4411 } 4412 4413 /* Discard the packet. */ 4414 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4415 return SCTP_DISPOSITION_CONSUME; 4416 case SCTP_CID_ACTION_SKIP: 4417 /* Skip the chunk. */ 4418 return SCTP_DISPOSITION_DISCARD; 4419 case SCTP_CID_ACTION_SKIP_ERR: 4420 /* Generate an ERROR chunk as response. */ 4421 hdr = unk_chunk->chunk_hdr; 4422 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4423 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4424 SCTP_PAD4(ntohs(hdr->length)), 4425 0); 4426 if (err_chunk) { 4427 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4428 SCTP_CHUNK(err_chunk)); 4429 } 4430 /* Skip the chunk. */ 4431 return SCTP_DISPOSITION_CONSUME; 4432 default: 4433 break; 4434 } 4435 4436 return SCTP_DISPOSITION_DISCARD; 4437 } 4438 4439 /* 4440 * Discard the chunk. 4441 * 4442 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4443 * [Too numerous to mention...] 4444 * Verification Tag: No verification needed. 4445 * Inputs 4446 * (endpoint, asoc, chunk) 4447 * 4448 * Outputs 4449 * (asoc, reply_msg, msg_up, timers, counters) 4450 * 4451 * The return value is the disposition of the chunk. 4452 */ 4453 enum sctp_disposition sctp_sf_discard_chunk(struct net *net, 4454 const struct sctp_endpoint *ep, 4455 const struct sctp_association *asoc, 4456 const union sctp_subtype type, 4457 void *arg, 4458 struct sctp_cmd_seq *commands) 4459 { 4460 struct sctp_chunk *chunk = arg; 4461 4462 /* Make sure that the chunk has a valid length. 4463 * Since we don't know the chunk type, we use a general 4464 * chunkhdr structure to make a comparison. 4465 */ 4466 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4467 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4468 commands); 4469 4470 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4471 4472 return SCTP_DISPOSITION_DISCARD; 4473 } 4474 4475 /* 4476 * Discard the whole packet. 4477 * 4478 * Section: 8.4 2) 4479 * 4480 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4481 * silently discard the OOTB packet and take no further action. 4482 * 4483 * Verification Tag: No verification necessary 4484 * 4485 * Inputs 4486 * (endpoint, asoc, chunk) 4487 * 4488 * Outputs 4489 * (asoc, reply_msg, msg_up, timers, counters) 4490 * 4491 * The return value is the disposition of the chunk. 4492 */ 4493 enum sctp_disposition sctp_sf_pdiscard(struct net *net, 4494 const struct sctp_endpoint *ep, 4495 const struct sctp_association *asoc, 4496 const union sctp_subtype type, 4497 void *arg, struct sctp_cmd_seq *commands) 4498 { 4499 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4500 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4501 4502 return SCTP_DISPOSITION_CONSUME; 4503 } 4504 4505 4506 /* 4507 * The other end is violating protocol. 4508 * 4509 * Section: Not specified 4510 * Verification Tag: Not specified 4511 * Inputs 4512 * (endpoint, asoc, chunk) 4513 * 4514 * Outputs 4515 * (asoc, reply_msg, msg_up, timers, counters) 4516 * 4517 * We simply tag the chunk as a violation. The state machine will log 4518 * the violation and continue. 4519 */ 4520 enum sctp_disposition sctp_sf_violation(struct net *net, 4521 const struct sctp_endpoint *ep, 4522 const struct sctp_association *asoc, 4523 const union sctp_subtype type, 4524 void *arg, 4525 struct sctp_cmd_seq *commands) 4526 { 4527 struct sctp_chunk *chunk = arg; 4528 4529 /* Make sure that the chunk has a valid length. */ 4530 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4531 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4532 commands); 4533 4534 return SCTP_DISPOSITION_VIOLATION; 4535 } 4536 4537 /* 4538 * Common function to handle a protocol violation. 4539 */ 4540 static enum sctp_disposition sctp_sf_abort_violation( 4541 struct net *net, 4542 const struct sctp_endpoint *ep, 4543 const struct sctp_association *asoc, 4544 void *arg, 4545 struct sctp_cmd_seq *commands, 4546 const __u8 *payload, 4547 const size_t paylen) 4548 { 4549 struct sctp_packet *packet = NULL; 4550 struct sctp_chunk *chunk = arg; 4551 struct sctp_chunk *abort = NULL; 4552 4553 /* SCTP-AUTH, Section 6.3: 4554 * It should be noted that if the receiver wants to tear 4555 * down an association in an authenticated way only, the 4556 * handling of malformed packets should not result in 4557 * tearing down the association. 4558 * 4559 * This means that if we only want to abort associations 4560 * in an authenticated way (i.e AUTH+ABORT), then we 4561 * can't destroy this association just because the packet 4562 * was malformed. 4563 */ 4564 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4565 goto discard; 4566 4567 /* Make the abort chunk. */ 4568 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4569 if (!abort) 4570 goto nomem; 4571 4572 if (asoc) { 4573 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4574 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4575 !asoc->peer.i.init_tag) { 4576 struct sctp_initack_chunk *initack; 4577 4578 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 4579 if (!sctp_chunk_length_valid(chunk, sizeof(*initack))) 4580 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4581 else { 4582 unsigned int inittag; 4583 4584 inittag = ntohl(initack->init_hdr.init_tag); 4585 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4586 SCTP_U32(inittag)); 4587 } 4588 } 4589 4590 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4591 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4592 4593 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4594 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4595 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4596 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4597 SCTP_ERROR(ECONNREFUSED)); 4598 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4599 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4600 } else { 4601 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4602 SCTP_ERROR(ECONNABORTED)); 4603 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4604 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4605 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4606 } 4607 } else { 4608 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4609 4610 if (!packet) 4611 goto nomem_pkt; 4612 4613 if (sctp_test_T_bit(abort)) 4614 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4615 4616 abort->skb->sk = ep->base.sk; 4617 4618 sctp_packet_append_chunk(packet, abort); 4619 4620 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4621 SCTP_PACKET(packet)); 4622 4623 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4624 } 4625 4626 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4627 4628 discard: 4629 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4630 return SCTP_DISPOSITION_ABORT; 4631 4632 nomem_pkt: 4633 sctp_chunk_free(abort); 4634 nomem: 4635 return SCTP_DISPOSITION_NOMEM; 4636 } 4637 4638 /* 4639 * Handle a protocol violation when the chunk length is invalid. 4640 * "Invalid" length is identified as smaller than the minimal length a 4641 * given chunk can be. For example, a SACK chunk has invalid length 4642 * if its length is set to be smaller than the size of struct sctp_sack_chunk. 4643 * 4644 * We inform the other end by sending an ABORT with a Protocol Violation 4645 * error code. 4646 * 4647 * Section: Not specified 4648 * Verification Tag: Nothing to do 4649 * Inputs 4650 * (endpoint, asoc, chunk) 4651 * 4652 * Outputs 4653 * (reply_msg, msg_up, counters) 4654 * 4655 * Generate an ABORT chunk and terminate the association. 4656 */ 4657 static enum sctp_disposition sctp_sf_violation_chunklen( 4658 struct net *net, 4659 const struct sctp_endpoint *ep, 4660 const struct sctp_association *asoc, 4661 const union sctp_subtype type, 4662 void *arg, 4663 struct sctp_cmd_seq *commands) 4664 { 4665 static const char err_str[] = "The following chunk had invalid length:"; 4666 4667 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4668 sizeof(err_str)); 4669 } 4670 4671 /* 4672 * Handle a protocol violation when the parameter length is invalid. 4673 * If the length is smaller than the minimum length of a given parameter, 4674 * or accumulated length in multi parameters exceeds the end of the chunk, 4675 * the length is considered as invalid. 4676 */ 4677 static enum sctp_disposition sctp_sf_violation_paramlen( 4678 struct net *net, 4679 const struct sctp_endpoint *ep, 4680 const struct sctp_association *asoc, 4681 const union sctp_subtype type, 4682 void *arg, void *ext, 4683 struct sctp_cmd_seq *commands) 4684 { 4685 struct sctp_paramhdr *param = ext; 4686 struct sctp_chunk *abort = NULL; 4687 struct sctp_chunk *chunk = arg; 4688 4689 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4690 goto discard; 4691 4692 /* Make the abort chunk. */ 4693 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4694 if (!abort) 4695 goto nomem; 4696 4697 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4698 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4699 4700 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4701 SCTP_ERROR(ECONNABORTED)); 4702 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4703 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4704 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4705 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4706 4707 discard: 4708 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4709 return SCTP_DISPOSITION_ABORT; 4710 nomem: 4711 return SCTP_DISPOSITION_NOMEM; 4712 } 4713 4714 /* Handle a protocol violation when the peer trying to advance the 4715 * cumulative tsn ack to a point beyond the max tsn currently sent. 4716 * 4717 * We inform the other end by sending an ABORT with a Protocol Violation 4718 * error code. 4719 */ 4720 static enum sctp_disposition sctp_sf_violation_ctsn( 4721 struct net *net, 4722 const struct sctp_endpoint *ep, 4723 const struct sctp_association *asoc, 4724 const union sctp_subtype type, 4725 void *arg, 4726 struct sctp_cmd_seq *commands) 4727 { 4728 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4729 4730 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4731 sizeof(err_str)); 4732 } 4733 4734 /* Handle protocol violation of an invalid chunk bundling. For example, 4735 * when we have an association and we receive bundled INIT-ACK, or 4736 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4737 * statement from the specs. Additionally, there might be an attacker 4738 * on the path and we may not want to continue this communication. 4739 */ 4740 static enum sctp_disposition sctp_sf_violation_chunk( 4741 struct net *net, 4742 const struct sctp_endpoint *ep, 4743 const struct sctp_association *asoc, 4744 const union sctp_subtype type, 4745 void *arg, 4746 struct sctp_cmd_seq *commands) 4747 { 4748 static const char err_str[] = "The following chunk violates protocol:"; 4749 4750 if (!asoc) 4751 return sctp_sf_violation(net, ep, asoc, type, arg, commands); 4752 4753 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4754 sizeof(err_str)); 4755 } 4756 /*************************************************************************** 4757 * These are the state functions for handling primitive (Section 10) events. 4758 ***************************************************************************/ 4759 /* 4760 * sctp_sf_do_prm_asoc 4761 * 4762 * Section: 10.1 ULP-to-SCTP 4763 * B) Associate 4764 * 4765 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4766 * outbound stream count) 4767 * -> association id [,destination transport addr list] [,outbound stream 4768 * count] 4769 * 4770 * This primitive allows the upper layer to initiate an association to a 4771 * specific peer endpoint. 4772 * 4773 * The peer endpoint shall be specified by one of the transport addresses 4774 * which defines the endpoint (see Section 1.4). If the local SCTP 4775 * instance has not been initialized, the ASSOCIATE is considered an 4776 * error. 4777 * [This is not relevant for the kernel implementation since we do all 4778 * initialization at boot time. It we hadn't initialized we wouldn't 4779 * get anywhere near this code.] 4780 * 4781 * An association id, which is a local handle to the SCTP association, 4782 * will be returned on successful establishment of the association. If 4783 * SCTP is not able to open an SCTP association with the peer endpoint, 4784 * an error is returned. 4785 * [In the kernel implementation, the struct sctp_association needs to 4786 * be created BEFORE causing this primitive to run.] 4787 * 4788 * Other association parameters may be returned, including the 4789 * complete destination transport addresses of the peer as well as the 4790 * outbound stream count of the local endpoint. One of the transport 4791 * address from the returned destination addresses will be selected by 4792 * the local endpoint as default primary path for sending SCTP packets 4793 * to this peer. The returned "destination transport addr list" can 4794 * be used by the ULP to change the default primary path or to force 4795 * sending a packet to a specific transport address. [All of this 4796 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4797 * function.] 4798 * 4799 * Mandatory attributes: 4800 * 4801 * o local SCTP instance name - obtained from the INITIALIZE operation. 4802 * [This is the argument asoc.] 4803 * o destination transport addr - specified as one of the transport 4804 * addresses of the peer endpoint with which the association is to be 4805 * established. 4806 * [This is asoc->peer.active_path.] 4807 * o outbound stream count - the number of outbound streams the ULP 4808 * would like to open towards this peer endpoint. 4809 * [BUG: This is not currently implemented.] 4810 * Optional attributes: 4811 * 4812 * None. 4813 * 4814 * The return value is a disposition. 4815 */ 4816 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net, 4817 const struct sctp_endpoint *ep, 4818 const struct sctp_association *asoc, 4819 const union sctp_subtype type, 4820 void *arg, 4821 struct sctp_cmd_seq *commands) 4822 { 4823 struct sctp_association *my_asoc; 4824 struct sctp_chunk *repl; 4825 4826 /* The comment below says that we enter COOKIE-WAIT AFTER 4827 * sending the INIT, but that doesn't actually work in our 4828 * implementation... 4829 */ 4830 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4831 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4832 4833 /* RFC 2960 5.1 Normal Establishment of an Association 4834 * 4835 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4836 * must provide its Verification Tag (Tag_A) in the Initiate 4837 * Tag field. Tag_A SHOULD be a random number in the range of 4838 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4839 */ 4840 4841 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4842 if (!repl) 4843 goto nomem; 4844 4845 /* Choose transport for INIT. */ 4846 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4847 SCTP_CHUNK(repl)); 4848 4849 /* Cast away the const modifier, as we want to just 4850 * rerun it through as a sideffect. 4851 */ 4852 my_asoc = (struct sctp_association *)asoc; 4853 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4854 4855 /* After sending the INIT, "A" starts the T1-init timer and 4856 * enters the COOKIE-WAIT state. 4857 */ 4858 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4859 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4860 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4861 return SCTP_DISPOSITION_CONSUME; 4862 4863 nomem: 4864 return SCTP_DISPOSITION_NOMEM; 4865 } 4866 4867 /* 4868 * Process the SEND primitive. 4869 * 4870 * Section: 10.1 ULP-to-SCTP 4871 * E) Send 4872 * 4873 * Format: SEND(association id, buffer address, byte count [,context] 4874 * [,stream id] [,life time] [,destination transport address] 4875 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4876 * -> result 4877 * 4878 * This is the main method to send user data via SCTP. 4879 * 4880 * Mandatory attributes: 4881 * 4882 * o association id - local handle to the SCTP association 4883 * 4884 * o buffer address - the location where the user message to be 4885 * transmitted is stored; 4886 * 4887 * o byte count - The size of the user data in number of bytes; 4888 * 4889 * Optional attributes: 4890 * 4891 * o context - an optional 32 bit integer that will be carried in the 4892 * sending failure notification to the ULP if the transportation of 4893 * this User Message fails. 4894 * 4895 * o stream id - to indicate which stream to send the data on. If not 4896 * specified, stream 0 will be used. 4897 * 4898 * o life time - specifies the life time of the user data. The user data 4899 * will not be sent by SCTP after the life time expires. This 4900 * parameter can be used to avoid efforts to transmit stale 4901 * user messages. SCTP notifies the ULP if the data cannot be 4902 * initiated to transport (i.e. sent to the destination via SCTP's 4903 * send primitive) within the life time variable. However, the 4904 * user data will be transmitted if SCTP has attempted to transmit a 4905 * chunk before the life time expired. 4906 * 4907 * o destination transport address - specified as one of the destination 4908 * transport addresses of the peer endpoint to which this packet 4909 * should be sent. Whenever possible, SCTP should use this destination 4910 * transport address for sending the packets, instead of the current 4911 * primary path. 4912 * 4913 * o unorder flag - this flag, if present, indicates that the user 4914 * would like the data delivered in an unordered fashion to the peer 4915 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4916 * message). 4917 * 4918 * o no-bundle flag - instructs SCTP not to bundle this user data with 4919 * other outbound DATA chunks. SCTP MAY still bundle even when 4920 * this flag is present, when faced with network congestion. 4921 * 4922 * o payload protocol-id - A 32 bit unsigned integer that is to be 4923 * passed to the peer indicating the type of payload protocol data 4924 * being transmitted. This value is passed as opaque data by SCTP. 4925 * 4926 * The return value is the disposition. 4927 */ 4928 enum sctp_disposition sctp_sf_do_prm_send(struct net *net, 4929 const struct sctp_endpoint *ep, 4930 const struct sctp_association *asoc, 4931 const union sctp_subtype type, 4932 void *arg, 4933 struct sctp_cmd_seq *commands) 4934 { 4935 struct sctp_datamsg *msg = arg; 4936 4937 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4938 return SCTP_DISPOSITION_CONSUME; 4939 } 4940 4941 /* 4942 * Process the SHUTDOWN primitive. 4943 * 4944 * Section: 10.1: 4945 * C) Shutdown 4946 * 4947 * Format: SHUTDOWN(association id) 4948 * -> result 4949 * 4950 * Gracefully closes an association. Any locally queued user data 4951 * will be delivered to the peer. The association will be terminated only 4952 * after the peer acknowledges all the SCTP packets sent. A success code 4953 * will be returned on successful termination of the association. If 4954 * attempting to terminate the association results in a failure, an error 4955 * code shall be returned. 4956 * 4957 * Mandatory attributes: 4958 * 4959 * o association id - local handle to the SCTP association 4960 * 4961 * Optional attributes: 4962 * 4963 * None. 4964 * 4965 * The return value is the disposition. 4966 */ 4967 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown( 4968 struct net *net, 4969 const struct sctp_endpoint *ep, 4970 const struct sctp_association *asoc, 4971 const union sctp_subtype type, 4972 void *arg, 4973 struct sctp_cmd_seq *commands) 4974 { 4975 enum sctp_disposition disposition; 4976 4977 /* From 9.2 Shutdown of an Association 4978 * Upon receipt of the SHUTDOWN primitive from its upper 4979 * layer, the endpoint enters SHUTDOWN-PENDING state and 4980 * remains there until all outstanding data has been 4981 * acknowledged by its peer. The endpoint accepts no new data 4982 * from its upper layer, but retransmits data to the far end 4983 * if necessary to fill gaps. 4984 */ 4985 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4986 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4987 4988 disposition = SCTP_DISPOSITION_CONSUME; 4989 if (sctp_outq_is_empty(&asoc->outqueue)) { 4990 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 4991 arg, commands); 4992 } 4993 4994 return disposition; 4995 } 4996 4997 /* 4998 * Process the ABORT primitive. 4999 * 5000 * Section: 10.1: 5001 * C) Abort 5002 * 5003 * Format: Abort(association id [, cause code]) 5004 * -> result 5005 * 5006 * Ungracefully closes an association. Any locally queued user data 5007 * will be discarded and an ABORT chunk is sent to the peer. A success code 5008 * will be returned on successful abortion of the association. If 5009 * attempting to abort the association results in a failure, an error 5010 * code shall be returned. 5011 * 5012 * Mandatory attributes: 5013 * 5014 * o association id - local handle to the SCTP association 5015 * 5016 * Optional attributes: 5017 * 5018 * o cause code - reason of the abort to be passed to the peer 5019 * 5020 * None. 5021 * 5022 * The return value is the disposition. 5023 */ 5024 enum sctp_disposition sctp_sf_do_9_1_prm_abort( 5025 struct net *net, 5026 const struct sctp_endpoint *ep, 5027 const struct sctp_association *asoc, 5028 const union sctp_subtype type, 5029 void *arg, 5030 struct sctp_cmd_seq *commands) 5031 { 5032 /* From 9.1 Abort of an Association 5033 * Upon receipt of the ABORT primitive from its upper 5034 * layer, the endpoint enters CLOSED state and 5035 * discard all outstanding data has been 5036 * acknowledged by its peer. The endpoint accepts no new data 5037 * from its upper layer, but retransmits data to the far end 5038 * if necessary to fill gaps. 5039 */ 5040 struct sctp_chunk *abort = arg; 5041 5042 if (abort) 5043 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5044 5045 /* Even if we can't send the ABORT due to low memory delete the 5046 * TCB. This is a departure from our typical NOMEM handling. 5047 */ 5048 5049 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5050 SCTP_ERROR(ECONNABORTED)); 5051 /* Delete the established association. */ 5052 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5053 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5054 5055 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5056 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5057 5058 return SCTP_DISPOSITION_ABORT; 5059 } 5060 5061 /* We tried an illegal operation on an association which is closed. */ 5062 enum sctp_disposition sctp_sf_error_closed(struct net *net, 5063 const struct sctp_endpoint *ep, 5064 const struct sctp_association *asoc, 5065 const union sctp_subtype type, 5066 void *arg, 5067 struct sctp_cmd_seq *commands) 5068 { 5069 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 5070 return SCTP_DISPOSITION_CONSUME; 5071 } 5072 5073 /* We tried an illegal operation on an association which is shutting 5074 * down. 5075 */ 5076 enum sctp_disposition sctp_sf_error_shutdown( 5077 struct net *net, 5078 const struct sctp_endpoint *ep, 5079 const struct sctp_association *asoc, 5080 const union sctp_subtype type, 5081 void *arg, 5082 struct sctp_cmd_seq *commands) 5083 { 5084 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 5085 SCTP_ERROR(-ESHUTDOWN)); 5086 return SCTP_DISPOSITION_CONSUME; 5087 } 5088 5089 /* 5090 * sctp_cookie_wait_prm_shutdown 5091 * 5092 * Section: 4 Note: 2 5093 * Verification Tag: 5094 * Inputs 5095 * (endpoint, asoc) 5096 * 5097 * The RFC does not explicitly address this issue, but is the route through the 5098 * state table when someone issues a shutdown while in COOKIE_WAIT state. 5099 * 5100 * Outputs 5101 * (timers) 5102 */ 5103 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( 5104 struct net *net, 5105 const struct sctp_endpoint *ep, 5106 const struct sctp_association *asoc, 5107 const union sctp_subtype type, 5108 void *arg, 5109 struct sctp_cmd_seq *commands) 5110 { 5111 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5112 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5113 5114 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5115 SCTP_STATE(SCTP_STATE_CLOSED)); 5116 5117 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 5118 5119 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 5120 5121 return SCTP_DISPOSITION_DELETE_TCB; 5122 } 5123 5124 /* 5125 * sctp_cookie_echoed_prm_shutdown 5126 * 5127 * Section: 4 Note: 2 5128 * Verification Tag: 5129 * Inputs 5130 * (endpoint, asoc) 5131 * 5132 * The RFC does not explcitly address this issue, but is the route through the 5133 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 5134 * 5135 * Outputs 5136 * (timers) 5137 */ 5138 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown( 5139 struct net *net, 5140 const struct sctp_endpoint *ep, 5141 const struct sctp_association *asoc, 5142 const union sctp_subtype type, 5143 void *arg, 5144 struct sctp_cmd_seq *commands) 5145 { 5146 /* There is a single T1 timer, so we should be able to use 5147 * common function with the COOKIE-WAIT state. 5148 */ 5149 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 5150 } 5151 5152 /* 5153 * sctp_sf_cookie_wait_prm_abort 5154 * 5155 * Section: 4 Note: 2 5156 * Verification Tag: 5157 * Inputs 5158 * (endpoint, asoc) 5159 * 5160 * The RFC does not explicitly address this issue, but is the route through the 5161 * state table when someone issues an abort while in COOKIE_WAIT state. 5162 * 5163 * Outputs 5164 * (timers) 5165 */ 5166 enum sctp_disposition sctp_sf_cookie_wait_prm_abort( 5167 struct net *net, 5168 const struct sctp_endpoint *ep, 5169 const struct sctp_association *asoc, 5170 const union sctp_subtype type, 5171 void *arg, 5172 struct sctp_cmd_seq *commands) 5173 { 5174 struct sctp_chunk *abort = arg; 5175 5176 /* Stop T1-init timer */ 5177 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5178 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5179 5180 if (abort) 5181 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5182 5183 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5184 SCTP_STATE(SCTP_STATE_CLOSED)); 5185 5186 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5187 5188 /* Even if we can't send the ABORT due to low memory delete the 5189 * TCB. This is a departure from our typical NOMEM handling. 5190 */ 5191 5192 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5193 SCTP_ERROR(ECONNREFUSED)); 5194 /* Delete the established association. */ 5195 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5196 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5197 5198 return SCTP_DISPOSITION_ABORT; 5199 } 5200 5201 /* 5202 * sctp_sf_cookie_echoed_prm_abort 5203 * 5204 * Section: 4 Note: 3 5205 * Verification Tag: 5206 * Inputs 5207 * (endpoint, asoc) 5208 * 5209 * The RFC does not explcitly address this issue, but is the route through the 5210 * state table when someone issues an abort while in COOKIE_ECHOED state. 5211 * 5212 * Outputs 5213 * (timers) 5214 */ 5215 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort( 5216 struct net *net, 5217 const struct sctp_endpoint *ep, 5218 const struct sctp_association *asoc, 5219 const union sctp_subtype type, 5220 void *arg, 5221 struct sctp_cmd_seq *commands) 5222 { 5223 /* There is a single T1 timer, so we should be able to use 5224 * common function with the COOKIE-WAIT state. 5225 */ 5226 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5227 } 5228 5229 /* 5230 * sctp_sf_shutdown_pending_prm_abort 5231 * 5232 * Inputs 5233 * (endpoint, asoc) 5234 * 5235 * The RFC does not explicitly address this issue, but is the route through the 5236 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5237 * 5238 * Outputs 5239 * (timers) 5240 */ 5241 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort( 5242 struct net *net, 5243 const struct sctp_endpoint *ep, 5244 const struct sctp_association *asoc, 5245 const union sctp_subtype type, 5246 void *arg, 5247 struct sctp_cmd_seq *commands) 5248 { 5249 /* Stop the T5-shutdown guard timer. */ 5250 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5251 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5252 5253 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5254 } 5255 5256 /* 5257 * sctp_sf_shutdown_sent_prm_abort 5258 * 5259 * Inputs 5260 * (endpoint, asoc) 5261 * 5262 * The RFC does not explicitly address this issue, but is the route through the 5263 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5264 * 5265 * Outputs 5266 * (timers) 5267 */ 5268 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort( 5269 struct net *net, 5270 const struct sctp_endpoint *ep, 5271 const struct sctp_association *asoc, 5272 const union sctp_subtype type, 5273 void *arg, 5274 struct sctp_cmd_seq *commands) 5275 { 5276 /* Stop the T2-shutdown timer. */ 5277 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5278 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5279 5280 /* Stop the T5-shutdown guard timer. */ 5281 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5282 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5283 5284 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5285 } 5286 5287 /* 5288 * sctp_sf_cookie_echoed_prm_abort 5289 * 5290 * Inputs 5291 * (endpoint, asoc) 5292 * 5293 * The RFC does not explcitly address this issue, but is the route through the 5294 * state table when someone issues an abort while in COOKIE_ECHOED state. 5295 * 5296 * Outputs 5297 * (timers) 5298 */ 5299 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort( 5300 struct net *net, 5301 const struct sctp_endpoint *ep, 5302 const struct sctp_association *asoc, 5303 const union sctp_subtype type, 5304 void *arg, 5305 struct sctp_cmd_seq *commands) 5306 { 5307 /* The same T2 timer, so we should be able to use 5308 * common function with the SHUTDOWN-SENT state. 5309 */ 5310 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5311 } 5312 5313 /* 5314 * Process the REQUESTHEARTBEAT primitive 5315 * 5316 * 10.1 ULP-to-SCTP 5317 * J) Request Heartbeat 5318 * 5319 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5320 * 5321 * -> result 5322 * 5323 * Instructs the local endpoint to perform a HeartBeat on the specified 5324 * destination transport address of the given association. The returned 5325 * result should indicate whether the transmission of the HEARTBEAT 5326 * chunk to the destination address is successful. 5327 * 5328 * Mandatory attributes: 5329 * 5330 * o association id - local handle to the SCTP association 5331 * 5332 * o destination transport address - the transport address of the 5333 * association on which a heartbeat should be issued. 5334 */ 5335 enum sctp_disposition sctp_sf_do_prm_requestheartbeat( 5336 struct net *net, 5337 const struct sctp_endpoint *ep, 5338 const struct sctp_association *asoc, 5339 const union sctp_subtype type, 5340 void *arg, 5341 struct sctp_cmd_seq *commands) 5342 { 5343 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5344 (struct sctp_transport *)arg, commands)) 5345 return SCTP_DISPOSITION_NOMEM; 5346 5347 /* 5348 * RFC 2960 (bis), section 8.3 5349 * 5350 * D) Request an on-demand HEARTBEAT on a specific destination 5351 * transport address of a given association. 5352 * 5353 * The endpoint should increment the respective error counter of 5354 * the destination transport address each time a HEARTBEAT is sent 5355 * to that address and not acknowledged within one RTO. 5356 * 5357 */ 5358 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5359 SCTP_TRANSPORT(arg)); 5360 return SCTP_DISPOSITION_CONSUME; 5361 } 5362 5363 /* 5364 * ADDIP Section 4.1 ASCONF Chunk Procedures 5365 * When an endpoint has an ASCONF signaled change to be sent to the 5366 * remote endpoint it should do A1 to A9 5367 */ 5368 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net, 5369 const struct sctp_endpoint *ep, 5370 const struct sctp_association *asoc, 5371 const union sctp_subtype type, 5372 void *arg, 5373 struct sctp_cmd_seq *commands) 5374 { 5375 struct sctp_chunk *chunk = arg; 5376 5377 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5378 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5379 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5380 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5381 return SCTP_DISPOSITION_CONSUME; 5382 } 5383 5384 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */ 5385 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net, 5386 const struct sctp_endpoint *ep, 5387 const struct sctp_association *asoc, 5388 const union sctp_subtype type, 5389 void *arg, 5390 struct sctp_cmd_seq *commands) 5391 { 5392 struct sctp_chunk *chunk = arg; 5393 5394 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5395 return SCTP_DISPOSITION_CONSUME; 5396 } 5397 5398 /* 5399 * Ignore the primitive event 5400 * 5401 * The return value is the disposition of the primitive. 5402 */ 5403 enum sctp_disposition sctp_sf_ignore_primitive( 5404 struct net *net, 5405 const struct sctp_endpoint *ep, 5406 const struct sctp_association *asoc, 5407 const union sctp_subtype type, 5408 void *arg, 5409 struct sctp_cmd_seq *commands) 5410 { 5411 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5412 type.primitive); 5413 5414 return SCTP_DISPOSITION_DISCARD; 5415 } 5416 5417 /*************************************************************************** 5418 * These are the state functions for the OTHER events. 5419 ***************************************************************************/ 5420 5421 /* 5422 * When the SCTP stack has no more user data to send or retransmit, this 5423 * notification is given to the user. Also, at the time when a user app 5424 * subscribes to this event, if there is no data to be sent or 5425 * retransmit, the stack will immediately send up this notification. 5426 */ 5427 enum sctp_disposition sctp_sf_do_no_pending_tsn( 5428 struct net *net, 5429 const struct sctp_endpoint *ep, 5430 const struct sctp_association *asoc, 5431 const union sctp_subtype type, 5432 void *arg, 5433 struct sctp_cmd_seq *commands) 5434 { 5435 struct sctp_ulpevent *event; 5436 5437 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5438 if (!event) 5439 return SCTP_DISPOSITION_NOMEM; 5440 5441 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5442 5443 return SCTP_DISPOSITION_CONSUME; 5444 } 5445 5446 /* 5447 * Start the shutdown negotiation. 5448 * 5449 * From Section 9.2: 5450 * Once all its outstanding data has been acknowledged, the endpoint 5451 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5452 * TSN Ack field the last sequential TSN it has received from the peer. 5453 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5454 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5455 * with the updated last sequential TSN received from its peer. 5456 * 5457 * The return value is the disposition. 5458 */ 5459 enum sctp_disposition sctp_sf_do_9_2_start_shutdown( 5460 struct net *net, 5461 const struct sctp_endpoint *ep, 5462 const struct sctp_association *asoc, 5463 const union sctp_subtype type, 5464 void *arg, 5465 struct sctp_cmd_seq *commands) 5466 { 5467 struct sctp_chunk *reply; 5468 5469 /* Once all its outstanding data has been acknowledged, the 5470 * endpoint shall send a SHUTDOWN chunk to its peer including 5471 * in the Cumulative TSN Ack field the last sequential TSN it 5472 * has received from the peer. 5473 */ 5474 reply = sctp_make_shutdown(asoc, arg); 5475 if (!reply) 5476 goto nomem; 5477 5478 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5479 * T2-shutdown timer. 5480 */ 5481 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5482 5483 /* It shall then start the T2-shutdown timer */ 5484 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5485 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5486 5487 /* RFC 4960 Section 9.2 5488 * The sender of the SHUTDOWN MAY also start an overall guard timer 5489 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5490 */ 5491 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5492 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5493 5494 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5495 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5496 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5497 5498 /* and enter the SHUTDOWN-SENT state. */ 5499 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5500 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5501 5502 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5503 * 5504 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5505 * or SHUTDOWN-ACK. 5506 */ 5507 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5508 5509 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5510 5511 return SCTP_DISPOSITION_CONSUME; 5512 5513 nomem: 5514 return SCTP_DISPOSITION_NOMEM; 5515 } 5516 5517 /* 5518 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5519 * 5520 * From Section 9.2: 5521 * 5522 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5523 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5524 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5525 * endpoint must re-send the SHUTDOWN ACK. 5526 * 5527 * The return value is the disposition. 5528 */ 5529 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack( 5530 struct net *net, 5531 const struct sctp_endpoint *ep, 5532 const struct sctp_association *asoc, 5533 const union sctp_subtype type, 5534 void *arg, 5535 struct sctp_cmd_seq *commands) 5536 { 5537 struct sctp_chunk *chunk = arg; 5538 struct sctp_chunk *reply; 5539 5540 /* There are 2 ways of getting here: 5541 * 1) called in response to a SHUTDOWN chunk 5542 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5543 * 5544 * For the case (2), the arg parameter is set to NULL. We need 5545 * to check that we have a chunk before accessing it's fields. 5546 */ 5547 if (chunk) { 5548 if (!sctp_vtag_verify(chunk, asoc)) 5549 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 5550 commands); 5551 5552 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5553 if (!sctp_chunk_length_valid( 5554 chunk, sizeof(struct sctp_shutdown_chunk))) 5555 return sctp_sf_violation_chunklen(net, ep, asoc, type, 5556 arg, commands); 5557 } 5558 5559 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5560 * shall send a SHUTDOWN ACK ... 5561 */ 5562 reply = sctp_make_shutdown_ack(asoc, chunk); 5563 if (!reply) 5564 goto nomem; 5565 5566 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5567 * the T2-shutdown timer. 5568 */ 5569 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5570 5571 /* and start/restart a T2-shutdown timer of its own, */ 5572 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5573 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5574 5575 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5576 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5577 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5578 5579 /* Enter the SHUTDOWN-ACK-SENT state. */ 5580 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5581 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5582 5583 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5584 * 5585 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5586 * or SHUTDOWN-ACK. 5587 */ 5588 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5589 5590 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5591 5592 return SCTP_DISPOSITION_CONSUME; 5593 5594 nomem: 5595 return SCTP_DISPOSITION_NOMEM; 5596 } 5597 5598 /* 5599 * Ignore the event defined as other 5600 * 5601 * The return value is the disposition of the event. 5602 */ 5603 enum sctp_disposition sctp_sf_ignore_other(struct net *net, 5604 const struct sctp_endpoint *ep, 5605 const struct sctp_association *asoc, 5606 const union sctp_subtype type, 5607 void *arg, 5608 struct sctp_cmd_seq *commands) 5609 { 5610 pr_debug("%s: the event other type:%d is ignored\n", 5611 __func__, type.other); 5612 5613 return SCTP_DISPOSITION_DISCARD; 5614 } 5615 5616 /************************************************************ 5617 * These are the state functions for handling timeout events. 5618 ************************************************************/ 5619 5620 /* 5621 * RTX Timeout 5622 * 5623 * Section: 6.3.3 Handle T3-rtx Expiration 5624 * 5625 * Whenever the retransmission timer T3-rtx expires for a destination 5626 * address, do the following: 5627 * [See below] 5628 * 5629 * The return value is the disposition of the chunk. 5630 */ 5631 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net, 5632 const struct sctp_endpoint *ep, 5633 const struct sctp_association *asoc, 5634 const union sctp_subtype type, 5635 void *arg, 5636 struct sctp_cmd_seq *commands) 5637 { 5638 struct sctp_transport *transport = arg; 5639 5640 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5641 5642 if (asoc->overall_error_count >= asoc->max_retrans) { 5643 if (asoc->peer.zero_window_announced && 5644 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5645 /* 5646 * We are here likely because the receiver had its rwnd 5647 * closed for a while and we have not been able to 5648 * transmit the locally queued data within the maximum 5649 * retransmission attempts limit. Start the T5 5650 * shutdown guard timer to give the receiver one last 5651 * chance and some additional time to recover before 5652 * aborting. 5653 */ 5654 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5655 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5656 } else { 5657 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5658 SCTP_ERROR(ETIMEDOUT)); 5659 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5660 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5661 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5662 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5663 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5664 return SCTP_DISPOSITION_DELETE_TCB; 5665 } 5666 } 5667 5668 /* E1) For the destination address for which the timer 5669 * expires, adjust its ssthresh with rules defined in Section 5670 * 7.2.3 and set the cwnd <- MTU. 5671 */ 5672 5673 /* E2) For the destination address for which the timer 5674 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5675 * maximum value discussed in rule C7 above (RTO.max) may be 5676 * used to provide an upper bound to this doubling operation. 5677 */ 5678 5679 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5680 * outstanding DATA chunks for the address for which the 5681 * T3-rtx has expired will fit into a single packet, subject 5682 * to the MTU constraint for the path corresponding to the 5683 * destination transport address to which the retransmission 5684 * is being sent (this may be different from the address for 5685 * which the timer expires [see Section 6.4]). Call this 5686 * value K. Bundle and retransmit those K DATA chunks in a 5687 * single packet to the destination endpoint. 5688 * 5689 * Note: Any DATA chunks that were sent to the address for 5690 * which the T3-rtx timer expired but did not fit in one MTU 5691 * (rule E3 above), should be marked for retransmission and 5692 * sent as soon as cwnd allows (normally when a SACK arrives). 5693 */ 5694 5695 /* Do some failure management (Section 8.2). */ 5696 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5697 5698 /* NB: Rules E4 and F1 are implicit in R1. */ 5699 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5700 5701 return SCTP_DISPOSITION_CONSUME; 5702 } 5703 5704 /* 5705 * Generate delayed SACK on timeout 5706 * 5707 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5708 * 5709 * The guidelines on delayed acknowledgement algorithm specified in 5710 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5711 * acknowledgement SHOULD be generated for at least every second packet 5712 * (not every second DATA chunk) received, and SHOULD be generated 5713 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5714 * some situations it may be beneficial for an SCTP transmitter to be 5715 * more conservative than the algorithms detailed in this document 5716 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5717 * the following algorithms allow. 5718 */ 5719 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net, 5720 const struct sctp_endpoint *ep, 5721 const struct sctp_association *asoc, 5722 const union sctp_subtype type, 5723 void *arg, 5724 struct sctp_cmd_seq *commands) 5725 { 5726 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5727 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5728 return SCTP_DISPOSITION_CONSUME; 5729 } 5730 5731 /* 5732 * sctp_sf_t1_init_timer_expire 5733 * 5734 * Section: 4 Note: 2 5735 * Verification Tag: 5736 * Inputs 5737 * (endpoint, asoc) 5738 * 5739 * RFC 2960 Section 4 Notes 5740 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5741 * and re-start the T1-init timer without changing state. This MUST 5742 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5743 * endpoint MUST abort the initialization process and report the 5744 * error to SCTP user. 5745 * 5746 * Outputs 5747 * (timers, events) 5748 * 5749 */ 5750 enum sctp_disposition sctp_sf_t1_init_timer_expire( 5751 struct net *net, 5752 const struct sctp_endpoint *ep, 5753 const struct sctp_association *asoc, 5754 const union sctp_subtype type, 5755 void *arg, 5756 struct sctp_cmd_seq *commands) 5757 { 5758 int attempts = asoc->init_err_counter + 1; 5759 struct sctp_chunk *repl = NULL; 5760 struct sctp_bind_addr *bp; 5761 5762 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5763 5764 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5765 5766 if (attempts <= asoc->max_init_attempts) { 5767 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5768 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5769 if (!repl) 5770 return SCTP_DISPOSITION_NOMEM; 5771 5772 /* Choose transport for INIT. */ 5773 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5774 SCTP_CHUNK(repl)); 5775 5776 /* Issue a sideeffect to do the needed accounting. */ 5777 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5778 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5779 5780 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5781 } else { 5782 pr_debug("%s: giving up on INIT, attempts:%d " 5783 "max_init_attempts:%d\n", __func__, attempts, 5784 asoc->max_init_attempts); 5785 5786 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5787 SCTP_ERROR(ETIMEDOUT)); 5788 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5789 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5790 return SCTP_DISPOSITION_DELETE_TCB; 5791 } 5792 5793 return SCTP_DISPOSITION_CONSUME; 5794 } 5795 5796 /* 5797 * sctp_sf_t1_cookie_timer_expire 5798 * 5799 * Section: 4 Note: 2 5800 * Verification Tag: 5801 * Inputs 5802 * (endpoint, asoc) 5803 * 5804 * RFC 2960 Section 4 Notes 5805 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5806 * COOKIE ECHO and re-start the T1-cookie timer without changing 5807 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5808 * After that, the endpoint MUST abort the initialization process and 5809 * report the error to SCTP user. 5810 * 5811 * Outputs 5812 * (timers, events) 5813 * 5814 */ 5815 enum sctp_disposition sctp_sf_t1_cookie_timer_expire( 5816 struct net *net, 5817 const struct sctp_endpoint *ep, 5818 const struct sctp_association *asoc, 5819 const union sctp_subtype type, 5820 void *arg, 5821 struct sctp_cmd_seq *commands) 5822 { 5823 int attempts = asoc->init_err_counter + 1; 5824 struct sctp_chunk *repl = NULL; 5825 5826 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5827 5828 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5829 5830 if (attempts <= asoc->max_init_attempts) { 5831 repl = sctp_make_cookie_echo(asoc, NULL); 5832 if (!repl) 5833 return SCTP_DISPOSITION_NOMEM; 5834 5835 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5836 SCTP_CHUNK(repl)); 5837 /* Issue a sideeffect to do the needed accounting. */ 5838 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5839 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5840 5841 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5842 } else { 5843 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5844 SCTP_ERROR(ETIMEDOUT)); 5845 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5846 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5847 return SCTP_DISPOSITION_DELETE_TCB; 5848 } 5849 5850 return SCTP_DISPOSITION_CONSUME; 5851 } 5852 5853 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5854 * with the updated last sequential TSN received from its peer. 5855 * 5856 * An endpoint should limit the number of retransmissions of the 5857 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5858 * If this threshold is exceeded the endpoint should destroy the TCB and 5859 * MUST report the peer endpoint unreachable to the upper layer (and 5860 * thus the association enters the CLOSED state). The reception of any 5861 * packet from its peer (i.e. as the peer sends all of its queued DATA 5862 * chunks) should clear the endpoint's retransmission count and restart 5863 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5864 * all of its queued DATA chunks that have not yet been sent. 5865 */ 5866 enum sctp_disposition sctp_sf_t2_timer_expire( 5867 struct net *net, 5868 const struct sctp_endpoint *ep, 5869 const struct sctp_association *asoc, 5870 const union sctp_subtype type, 5871 void *arg, 5872 struct sctp_cmd_seq *commands) 5873 { 5874 struct sctp_chunk *reply = NULL; 5875 5876 pr_debug("%s: timer T2 expired\n", __func__); 5877 5878 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5879 5880 ((struct sctp_association *)asoc)->shutdown_retries++; 5881 5882 if (asoc->overall_error_count >= asoc->max_retrans) { 5883 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5884 SCTP_ERROR(ETIMEDOUT)); 5885 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5886 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5887 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5888 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5889 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5890 return SCTP_DISPOSITION_DELETE_TCB; 5891 } 5892 5893 switch (asoc->state) { 5894 case SCTP_STATE_SHUTDOWN_SENT: 5895 reply = sctp_make_shutdown(asoc, NULL); 5896 break; 5897 5898 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5899 reply = sctp_make_shutdown_ack(asoc, NULL); 5900 break; 5901 5902 default: 5903 BUG(); 5904 break; 5905 } 5906 5907 if (!reply) 5908 goto nomem; 5909 5910 /* Do some failure management (Section 8.2). 5911 * If we remove the transport an SHUTDOWN was last sent to, don't 5912 * do failure management. 5913 */ 5914 if (asoc->shutdown_last_sent_to) 5915 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5916 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5917 5918 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5919 * the T2-shutdown timer. 5920 */ 5921 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5922 5923 /* Restart the T2-shutdown timer. */ 5924 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5925 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5926 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5927 return SCTP_DISPOSITION_CONSUME; 5928 5929 nomem: 5930 return SCTP_DISPOSITION_NOMEM; 5931 } 5932 5933 /* 5934 * ADDIP Section 4.1 ASCONF CHunk Procedures 5935 * If the T4 RTO timer expires the endpoint should do B1 to B5 5936 */ 5937 enum sctp_disposition sctp_sf_t4_timer_expire( 5938 struct net *net, 5939 const struct sctp_endpoint *ep, 5940 const struct sctp_association *asoc, 5941 const union sctp_subtype type, 5942 void *arg, 5943 struct sctp_cmd_seq *commands) 5944 { 5945 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5946 struct sctp_transport *transport = chunk->transport; 5947 5948 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 5949 5950 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5951 * detection on the appropriate destination address as defined in 5952 * RFC2960 [5] section 8.1 and 8.2. 5953 */ 5954 if (transport) 5955 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5956 SCTP_TRANSPORT(transport)); 5957 5958 /* Reconfig T4 timer and transport. */ 5959 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5960 5961 /* ADDIP 4.1 B2) Increment the association error counters and perform 5962 * endpoint failure detection on the association as defined in 5963 * RFC2960 [5] section 8.1 and 8.2. 5964 * association error counter is incremented in SCTP_CMD_STRIKE. 5965 */ 5966 if (asoc->overall_error_count >= asoc->max_retrans) { 5967 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5968 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5969 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5970 SCTP_ERROR(ETIMEDOUT)); 5971 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5972 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5973 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5974 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5975 return SCTP_DISPOSITION_ABORT; 5976 } 5977 5978 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 5979 * the ASCONF chunk was sent by doubling the RTO timer value. 5980 * This is done in SCTP_CMD_STRIKE. 5981 */ 5982 5983 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 5984 * choose an alternate destination address (please refer to RFC2960 5985 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 5986 * chunk, it MUST be the same (including its serial number) as the last 5987 * ASCONF sent. 5988 */ 5989 sctp_chunk_hold(asoc->addip_last_asconf); 5990 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5991 SCTP_CHUNK(asoc->addip_last_asconf)); 5992 5993 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 5994 * destination is selected, then the RTO used will be that of the new 5995 * destination address. 5996 */ 5997 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5998 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5999 6000 return SCTP_DISPOSITION_CONSUME; 6001 } 6002 6003 /* sctpimpguide-05 Section 2.12.2 6004 * The sender of the SHUTDOWN MAY also start an overall guard timer 6005 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 6006 * At the expiration of this timer the sender SHOULD abort the association 6007 * by sending an ABORT chunk. 6008 */ 6009 enum sctp_disposition sctp_sf_t5_timer_expire( 6010 struct net *net, 6011 const struct sctp_endpoint *ep, 6012 const struct sctp_association *asoc, 6013 const union sctp_subtype type, 6014 void *arg, 6015 struct sctp_cmd_seq *commands) 6016 { 6017 struct sctp_chunk *reply = NULL; 6018 6019 pr_debug("%s: timer T5 expired\n", __func__); 6020 6021 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 6022 6023 reply = sctp_make_abort(asoc, NULL, 0); 6024 if (!reply) 6025 goto nomem; 6026 6027 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6028 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6029 SCTP_ERROR(ETIMEDOUT)); 6030 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6031 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6032 6033 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6034 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6035 6036 return SCTP_DISPOSITION_DELETE_TCB; 6037 nomem: 6038 return SCTP_DISPOSITION_NOMEM; 6039 } 6040 6041 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 6042 * the association is automatically closed by starting the shutdown process. 6043 * The work that needs to be done is same as when SHUTDOWN is initiated by 6044 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 6045 */ 6046 enum sctp_disposition sctp_sf_autoclose_timer_expire( 6047 struct net *net, 6048 const struct sctp_endpoint *ep, 6049 const struct sctp_association *asoc, 6050 const union sctp_subtype type, 6051 void *arg, 6052 struct sctp_cmd_seq *commands) 6053 { 6054 enum sctp_disposition disposition; 6055 6056 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 6057 6058 /* From 9.2 Shutdown of an Association 6059 * Upon receipt of the SHUTDOWN primitive from its upper 6060 * layer, the endpoint enters SHUTDOWN-PENDING state and 6061 * remains there until all outstanding data has been 6062 * acknowledged by its peer. The endpoint accepts no new data 6063 * from its upper layer, but retransmits data to the far end 6064 * if necessary to fill gaps. 6065 */ 6066 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 6067 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 6068 6069 disposition = SCTP_DISPOSITION_CONSUME; 6070 if (sctp_outq_is_empty(&asoc->outqueue)) { 6071 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 6072 NULL, commands); 6073 } 6074 6075 return disposition; 6076 } 6077 6078 /***************************************************************************** 6079 * These are sa state functions which could apply to all types of events. 6080 ****************************************************************************/ 6081 6082 /* 6083 * This table entry is not implemented. 6084 * 6085 * Inputs 6086 * (endpoint, asoc, chunk) 6087 * 6088 * The return value is the disposition of the chunk. 6089 */ 6090 enum sctp_disposition sctp_sf_not_impl(struct net *net, 6091 const struct sctp_endpoint *ep, 6092 const struct sctp_association *asoc, 6093 const union sctp_subtype type, 6094 void *arg, struct sctp_cmd_seq *commands) 6095 { 6096 return SCTP_DISPOSITION_NOT_IMPL; 6097 } 6098 6099 /* 6100 * This table entry represents a bug. 6101 * 6102 * Inputs 6103 * (endpoint, asoc, chunk) 6104 * 6105 * The return value is the disposition of the chunk. 6106 */ 6107 enum sctp_disposition sctp_sf_bug(struct net *net, 6108 const struct sctp_endpoint *ep, 6109 const struct sctp_association *asoc, 6110 const union sctp_subtype type, 6111 void *arg, struct sctp_cmd_seq *commands) 6112 { 6113 return SCTP_DISPOSITION_BUG; 6114 } 6115 6116 /* 6117 * This table entry represents the firing of a timer in the wrong state. 6118 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 6119 * when the association is in the wrong state. This event should 6120 * be ignored, so as to prevent any rearming of the timer. 6121 * 6122 * Inputs 6123 * (endpoint, asoc, chunk) 6124 * 6125 * The return value is the disposition of the chunk. 6126 */ 6127 enum sctp_disposition sctp_sf_timer_ignore(struct net *net, 6128 const struct sctp_endpoint *ep, 6129 const struct sctp_association *asoc, 6130 const union sctp_subtype type, 6131 void *arg, 6132 struct sctp_cmd_seq *commands) 6133 { 6134 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 6135 6136 return SCTP_DISPOSITION_CONSUME; 6137 } 6138 6139 /******************************************************************** 6140 * 2nd Level Abstractions 6141 ********************************************************************/ 6142 6143 /* Pull the SACK chunk based on the SACK header. */ 6144 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 6145 { 6146 struct sctp_sackhdr *sack; 6147 __u16 num_dup_tsns; 6148 unsigned int len; 6149 __u16 num_blocks; 6150 6151 /* Protect ourselves from reading too far into 6152 * the skb from a bogus sender. 6153 */ 6154 sack = (struct sctp_sackhdr *) chunk->skb->data; 6155 6156 num_blocks = ntohs(sack->num_gap_ack_blocks); 6157 num_dup_tsns = ntohs(sack->num_dup_tsns); 6158 len = sizeof(struct sctp_sackhdr); 6159 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 6160 if (len > chunk->skb->len) 6161 return NULL; 6162 6163 skb_pull(chunk->skb, len); 6164 6165 return sack; 6166 } 6167 6168 /* Create an ABORT packet to be sent as a response, with the specified 6169 * error causes. 6170 */ 6171 static struct sctp_packet *sctp_abort_pkt_new( 6172 struct net *net, 6173 const struct sctp_endpoint *ep, 6174 const struct sctp_association *asoc, 6175 struct sctp_chunk *chunk, 6176 const void *payload, size_t paylen) 6177 { 6178 struct sctp_packet *packet; 6179 struct sctp_chunk *abort; 6180 6181 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6182 6183 if (packet) { 6184 /* Make an ABORT. 6185 * The T bit will be set if the asoc is NULL. 6186 */ 6187 abort = sctp_make_abort(asoc, chunk, paylen); 6188 if (!abort) { 6189 sctp_ootb_pkt_free(packet); 6190 return NULL; 6191 } 6192 6193 /* Reflect vtag if T-Bit is set */ 6194 if (sctp_test_T_bit(abort)) 6195 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 6196 6197 /* Add specified error causes, i.e., payload, to the 6198 * end of the chunk. 6199 */ 6200 sctp_addto_chunk(abort, paylen, payload); 6201 6202 /* Set the skb to the belonging sock for accounting. */ 6203 abort->skb->sk = ep->base.sk; 6204 6205 sctp_packet_append_chunk(packet, abort); 6206 6207 } 6208 6209 return packet; 6210 } 6211 6212 /* Allocate a packet for responding in the OOTB conditions. */ 6213 static struct sctp_packet *sctp_ootb_pkt_new( 6214 struct net *net, 6215 const struct sctp_association *asoc, 6216 const struct sctp_chunk *chunk) 6217 { 6218 struct sctp_transport *transport; 6219 struct sctp_packet *packet; 6220 __u16 sport, dport; 6221 __u32 vtag; 6222 6223 /* Get the source and destination port from the inbound packet. */ 6224 sport = ntohs(chunk->sctp_hdr->dest); 6225 dport = ntohs(chunk->sctp_hdr->source); 6226 6227 /* The V-tag is going to be the same as the inbound packet if no 6228 * association exists, otherwise, use the peer's vtag. 6229 */ 6230 if (asoc) { 6231 /* Special case the INIT-ACK as there is no peer's vtag 6232 * yet. 6233 */ 6234 switch (chunk->chunk_hdr->type) { 6235 case SCTP_CID_INIT_ACK: 6236 { 6237 struct sctp_initack_chunk *initack; 6238 6239 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 6240 vtag = ntohl(initack->init_hdr.init_tag); 6241 break; 6242 } 6243 default: 6244 vtag = asoc->peer.i.init_tag; 6245 break; 6246 } 6247 } else { 6248 /* Special case the INIT and stale COOKIE_ECHO as there is no 6249 * vtag yet. 6250 */ 6251 switch (chunk->chunk_hdr->type) { 6252 case SCTP_CID_INIT: 6253 { 6254 struct sctp_init_chunk *init; 6255 6256 init = (struct sctp_init_chunk *)chunk->chunk_hdr; 6257 vtag = ntohl(init->init_hdr.init_tag); 6258 break; 6259 } 6260 default: 6261 vtag = ntohl(chunk->sctp_hdr->vtag); 6262 break; 6263 } 6264 } 6265 6266 /* Make a transport for the bucket, Eliza... */ 6267 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6268 if (!transport) 6269 goto nomem; 6270 6271 /* Cache a route for the transport with the chunk's destination as 6272 * the source address. 6273 */ 6274 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6275 sctp_sk(net->sctp.ctl_sock)); 6276 6277 packet = &transport->packet; 6278 sctp_packet_init(packet, transport, sport, dport); 6279 sctp_packet_config(packet, vtag, 0); 6280 6281 return packet; 6282 6283 nomem: 6284 return NULL; 6285 } 6286 6287 /* Free the packet allocated earlier for responding in the OOTB condition. */ 6288 void sctp_ootb_pkt_free(struct sctp_packet *packet) 6289 { 6290 sctp_transport_free(packet->transport); 6291 } 6292 6293 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6294 static void sctp_send_stale_cookie_err(struct net *net, 6295 const struct sctp_endpoint *ep, 6296 const struct sctp_association *asoc, 6297 const struct sctp_chunk *chunk, 6298 struct sctp_cmd_seq *commands, 6299 struct sctp_chunk *err_chunk) 6300 { 6301 struct sctp_packet *packet; 6302 6303 if (err_chunk) { 6304 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6305 if (packet) { 6306 struct sctp_signed_cookie *cookie; 6307 6308 /* Override the OOTB vtag from the cookie. */ 6309 cookie = chunk->subh.cookie_hdr; 6310 packet->vtag = cookie->c.peer_vtag; 6311 6312 /* Set the skb to the belonging sock for accounting. */ 6313 err_chunk->skb->sk = ep->base.sk; 6314 sctp_packet_append_chunk(packet, err_chunk); 6315 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6316 SCTP_PACKET(packet)); 6317 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6318 } else 6319 sctp_chunk_free (err_chunk); 6320 } 6321 } 6322 6323 6324 /* Process a data chunk */ 6325 static int sctp_eat_data(const struct sctp_association *asoc, 6326 struct sctp_chunk *chunk, 6327 struct sctp_cmd_seq *commands) 6328 { 6329 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6330 struct sock *sk = asoc->base.sk; 6331 struct net *net = sock_net(sk); 6332 struct sctp_datahdr *data_hdr; 6333 struct sctp_chunk *err; 6334 enum sctp_verb deliver; 6335 size_t datalen; 6336 __u32 tsn; 6337 int tmp; 6338 6339 data_hdr = (struct sctp_datahdr *)chunk->skb->data; 6340 chunk->subh.data_hdr = data_hdr; 6341 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream)); 6342 6343 tsn = ntohl(data_hdr->tsn); 6344 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6345 6346 /* ASSERT: Now skb->data is really the user data. */ 6347 6348 /* Process ECN based congestion. 6349 * 6350 * Since the chunk structure is reused for all chunks within 6351 * a packet, we use ecn_ce_done to track if we've already 6352 * done CE processing for this packet. 6353 * 6354 * We need to do ECN processing even if we plan to discard the 6355 * chunk later. 6356 */ 6357 6358 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) { 6359 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af; 6360 chunk->ecn_ce_done = 1; 6361 6362 if (af->is_ce(sctp_gso_headskb(chunk->skb))) { 6363 /* Do real work as sideffect. */ 6364 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6365 SCTP_U32(tsn)); 6366 } 6367 } 6368 6369 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6370 if (tmp < 0) { 6371 /* The TSN is too high--silently discard the chunk and 6372 * count on it getting retransmitted later. 6373 */ 6374 if (chunk->asoc) 6375 chunk->asoc->stats.outofseqtsns++; 6376 return SCTP_IERROR_HIGH_TSN; 6377 } else if (tmp > 0) { 6378 /* This is a duplicate. Record it. */ 6379 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6380 return SCTP_IERROR_DUP_TSN; 6381 } 6382 6383 /* This is a new TSN. */ 6384 6385 /* Discard if there is no room in the receive window. 6386 * Actually, allow a little bit of overflow (up to a MTU). 6387 */ 6388 datalen = ntohs(chunk->chunk_hdr->length); 6389 datalen -= sctp_datachk_len(&asoc->stream); 6390 6391 deliver = SCTP_CMD_CHUNK_ULP; 6392 6393 /* Think about partial delivery. */ 6394 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6395 6396 /* Even if we don't accept this chunk there is 6397 * memory pressure. 6398 */ 6399 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6400 } 6401 6402 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6403 * seems a bit troublesome in that frag_point varies based on 6404 * PMTU. In cases, such as loopback, this might be a rather 6405 * large spill over. 6406 */ 6407 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6408 (datalen > asoc->rwnd + asoc->frag_point))) { 6409 6410 /* If this is the next TSN, consider reneging to make 6411 * room. Note: Playing nice with a confused sender. A 6412 * malicious sender can still eat up all our buffer 6413 * space and in the future we may want to detect and 6414 * do more drastic reneging. 6415 */ 6416 if (sctp_tsnmap_has_gap(map) && 6417 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6418 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6419 deliver = SCTP_CMD_RENEGE; 6420 } else { 6421 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6422 __func__, tsn, datalen, asoc->rwnd); 6423 6424 return SCTP_IERROR_IGNORE_TSN; 6425 } 6426 } 6427 6428 /* 6429 * Also try to renege to limit our memory usage in the event that 6430 * we are under memory pressure 6431 * If we can't renege, don't worry about it, the sk_rmem_schedule 6432 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6433 * memory usage too much 6434 */ 6435 if (sk_under_memory_pressure(sk)) { 6436 if (sctp_tsnmap_has_gap(map) && 6437 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6438 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6439 __func__, tsn); 6440 deliver = SCTP_CMD_RENEGE; 6441 } else { 6442 sk_mem_reclaim(sk); 6443 } 6444 } 6445 6446 /* 6447 * Section 3.3.10.9 No User Data (9) 6448 * 6449 * Cause of error 6450 * --------------- 6451 * No User Data: This error cause is returned to the originator of a 6452 * DATA chunk if a received DATA chunk has no user data. 6453 */ 6454 if (unlikely(0 == datalen)) { 6455 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6456 if (err) { 6457 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6458 SCTP_CHUNK(err)); 6459 } 6460 /* We are going to ABORT, so we might as well stop 6461 * processing the rest of the chunks in the packet. 6462 */ 6463 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6464 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6465 SCTP_ERROR(ECONNABORTED)); 6466 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6467 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6468 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6469 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6470 return SCTP_IERROR_NO_DATA; 6471 } 6472 6473 chunk->data_accepted = 1; 6474 6475 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6476 * if we renege and the chunk arrives again. 6477 */ 6478 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6479 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6480 if (chunk->asoc) 6481 chunk->asoc->stats.iuodchunks++; 6482 } else { 6483 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6484 if (chunk->asoc) 6485 chunk->asoc->stats.iodchunks++; 6486 } 6487 6488 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6489 * 6490 * If an endpoint receive a DATA chunk with an invalid stream 6491 * identifier, it shall acknowledge the reception of the DATA chunk 6492 * following the normal procedure, immediately send an ERROR chunk 6493 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6494 * and discard the DATA chunk. 6495 */ 6496 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) { 6497 /* Mark tsn as received even though we drop it */ 6498 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6499 6500 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6501 &data_hdr->stream, 6502 sizeof(data_hdr->stream), 6503 sizeof(u16)); 6504 if (err) 6505 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6506 SCTP_CHUNK(err)); 6507 return SCTP_IERROR_BAD_STREAM; 6508 } 6509 6510 /* Check to see if the SSN is possible for this TSN. 6511 * The biggest gap we can record is 4K wide. Since SSNs wrap 6512 * at an unsigned short, there is no way that an SSN can 6513 * wrap and for a valid TSN. We can simply check if the current 6514 * SSN is smaller then the next expected one. If it is, it wrapped 6515 * and is invalid. 6516 */ 6517 if (!asoc->stream.si->validate_data(chunk)) 6518 return SCTP_IERROR_PROTO_VIOLATION; 6519 6520 /* Send the data up to the user. Note: Schedule the 6521 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6522 * chunk needs the updated rwnd. 6523 */ 6524 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6525 6526 return SCTP_IERROR_NO_ERROR; 6527 } 6528