1 /* SCTP kernel reference Implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This file is part of the SCTP kernel reference Implementation 9 * 10 * This is part of the SCTP Linux Kernel Reference Implementation. 11 * 12 * These are the state functions for the state machine. 13 * 14 * The SCTP reference implementation is free software; 15 * you can redistribute it and/or modify it under the terms of 16 * the GNU General Public License as published by 17 * the Free Software Foundation; either version 2, or (at your option) 18 * any later version. 19 * 20 * The SCTP reference implementation is distributed in the hope that it 21 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 22 * ************************ 23 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 24 * See the GNU General Public License for more details. 25 * 26 * You should have received a copy of the GNU General Public License 27 * along with GNU CC; see the file COPYING. If not, write to 28 * the Free Software Foundation, 59 Temple Place - Suite 330, 29 * Boston, MA 02111-1307, USA. 30 * 31 * Please send any bug reports or fixes you make to the 32 * email address(es): 33 * lksctp developers <lksctp-developers@lists.sourceforge.net> 34 * 35 * Or submit a bug report through the following website: 36 * http://www.sf.net/projects/lksctp 37 * 38 * Written or modified by: 39 * La Monte H.P. Yarroll <piggy@acm.org> 40 * Karl Knutson <karl@athena.chicago.il.us> 41 * Mathew Kotowsky <kotowsky@sctp.org> 42 * Sridhar Samudrala <samudrala@us.ibm.com> 43 * Jon Grimm <jgrimm@us.ibm.com> 44 * Hui Huang <hui.huang@nokia.com> 45 * Dajiang Zhang <dajiang.zhang@nokia.com> 46 * Daisy Chang <daisyc@us.ibm.com> 47 * Ardelle Fan <ardelle.fan@intel.com> 48 * Ryan Layer <rmlayer@us.ibm.com> 49 * Kevin Gao <kevin.gao@intel.com> 50 * 51 * Any bugs reported given to us we will try to fix... any fixes shared will 52 * be incorporated into the next SCTP release. 53 */ 54 55 #include <linux/types.h> 56 #include <linux/kernel.h> 57 #include <linux/ip.h> 58 #include <linux/ipv6.h> 59 #include <linux/net.h> 60 #include <linux/inet.h> 61 #include <net/sock.h> 62 #include <net/inet_ecn.h> 63 #include <linux/skbuff.h> 64 #include <net/sctp/sctp.h> 65 #include <net/sctp/sm.h> 66 #include <net/sctp/structs.h> 67 68 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 69 const struct sctp_association *asoc, 70 struct sctp_chunk *chunk, 71 const void *payload, 72 size_t paylen); 73 static int sctp_eat_data(const struct sctp_association *asoc, 74 struct sctp_chunk *chunk, 75 sctp_cmd_seq_t *commands); 76 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk); 78 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const struct sctp_chunk *chunk, 81 sctp_cmd_seq_t *commands, 82 struct sctp_chunk *err_chunk); 83 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 84 const struct sctp_association *asoc, 85 const sctp_subtype_t type, 86 void *arg, 87 sctp_cmd_seq_t *commands); 88 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 89 const struct sctp_association *asoc, 90 const sctp_subtype_t type, 91 void *arg, 92 sctp_cmd_seq_t *commands); 93 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 94 95 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 96 __u16 error, int sk_err, 97 const struct sctp_association *asoc, 98 struct sctp_transport *transport); 99 100 static sctp_disposition_t sctp_sf_violation_chunklen( 101 const struct sctp_endpoint *ep, 102 const struct sctp_association *asoc, 103 const sctp_subtype_t type, 104 void *arg, 105 sctp_cmd_seq_t *commands); 106 107 /* Small helper function that checks if the chunk length 108 * is of the appropriate length. The 'required_length' argument 109 * is set to be the size of a specific chunk we are testing. 110 * Return Values: 1 = Valid length 111 * 0 = Invalid length 112 * 113 */ 114 static inline int 115 sctp_chunk_length_valid(struct sctp_chunk *chunk, 116 __u16 required_length) 117 { 118 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 119 120 if (unlikely(chunk_length < required_length)) 121 return 0; 122 123 return 1; 124 } 125 126 /********************************************************** 127 * These are the state functions for handling chunk events. 128 **********************************************************/ 129 130 /* 131 * Process the final SHUTDOWN COMPLETE. 132 * 133 * Section: 4 (C) (diagram), 9.2 134 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 135 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 136 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 137 * should stop the T2-shutdown timer and remove all knowledge of the 138 * association (and thus the association enters the CLOSED state). 139 * 140 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 141 * C) Rules for packet carrying SHUTDOWN COMPLETE: 142 * ... 143 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 144 * if the Verification Tag field of the packet matches its own tag and 145 * the T bit is not set 146 * OR 147 * it is set to its peer's tag and the T bit is set in the Chunk 148 * Flags. 149 * Otherwise, the receiver MUST silently discard the packet 150 * and take no further action. An endpoint MUST ignore the 151 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 152 * 153 * Inputs 154 * (endpoint, asoc, chunk) 155 * 156 * Outputs 157 * (asoc, reply_msg, msg_up, timers, counters) 158 * 159 * The return value is the disposition of the chunk. 160 */ 161 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 162 const struct sctp_association *asoc, 163 const sctp_subtype_t type, 164 void *arg, 165 sctp_cmd_seq_t *commands) 166 { 167 struct sctp_chunk *chunk = arg; 168 struct sctp_ulpevent *ev; 169 170 /* RFC 2960 6.10 Bundling 171 * 172 * An endpoint MUST NOT bundle INIT, INIT ACK or 173 * SHUTDOWN COMPLETE with any other chunks. 174 */ 175 if (!chunk->singleton) 176 return SCTP_DISPOSITION_VIOLATION; 177 178 if (!sctp_vtag_verify_either(chunk, asoc)) 179 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 180 181 /* RFC 2960 10.2 SCTP-to-ULP 182 * 183 * H) SHUTDOWN COMPLETE notification 184 * 185 * When SCTP completes the shutdown procedures (section 9.2) this 186 * notification is passed to the upper layer. 187 */ 188 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 189 0, 0, 0, GFP_ATOMIC); 190 if (!ev) 191 goto nomem; 192 193 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 194 195 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 196 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 197 * not the chunk should be discarded. If the endpoint is in 198 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 199 * T2-shutdown timer and remove all knowledge of the 200 * association (and thus the association enters the CLOSED 201 * state). 202 */ 203 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 204 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 205 206 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 207 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 208 209 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 210 SCTP_STATE(SCTP_STATE_CLOSED)); 211 212 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 213 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 214 215 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 216 217 return SCTP_DISPOSITION_DELETE_TCB; 218 219 nomem: 220 return SCTP_DISPOSITION_NOMEM; 221 } 222 223 /* 224 * Respond to a normal INIT chunk. 225 * We are the side that is being asked for an association. 226 * 227 * Section: 5.1 Normal Establishment of an Association, B 228 * B) "Z" shall respond immediately with an INIT ACK chunk. The 229 * destination IP address of the INIT ACK MUST be set to the source 230 * IP address of the INIT to which this INIT ACK is responding. In 231 * the response, besides filling in other parameters, "Z" must set the 232 * Verification Tag field to Tag_A, and also provide its own 233 * Verification Tag (Tag_Z) in the Initiate Tag field. 234 * 235 * Verification Tag: Must be 0. 236 * 237 * Inputs 238 * (endpoint, asoc, chunk) 239 * 240 * Outputs 241 * (asoc, reply_msg, msg_up, timers, counters) 242 * 243 * The return value is the disposition of the chunk. 244 */ 245 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 246 const struct sctp_association *asoc, 247 const sctp_subtype_t type, 248 void *arg, 249 sctp_cmd_seq_t *commands) 250 { 251 struct sctp_chunk *chunk = arg; 252 struct sctp_chunk *repl; 253 struct sctp_association *new_asoc; 254 struct sctp_chunk *err_chunk; 255 struct sctp_packet *packet; 256 sctp_unrecognized_param_t *unk_param; 257 struct sock *sk; 258 int len; 259 260 /* 6.10 Bundling 261 * An endpoint MUST NOT bundle INIT, INIT ACK or 262 * SHUTDOWN COMPLETE with any other chunks. 263 * 264 * IG Section 2.11.2 265 * Furthermore, we require that the receiver of an INIT chunk MUST 266 * enforce these rules by silently discarding an arriving packet 267 * with an INIT chunk that is bundled with other chunks. 268 */ 269 if (!chunk->singleton) 270 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 271 272 /* If the packet is an OOTB packet which is temporarily on the 273 * control endpoint, respond with an ABORT. 274 */ 275 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 276 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 277 278 sk = ep->base.sk; 279 /* If the endpoint is not listening or if the number of associations 280 * on the TCP-style socket exceed the max backlog, respond with an 281 * ABORT. 282 */ 283 if (!sctp_sstate(sk, LISTENING) || 284 (sctp_style(sk, TCP) && 285 sk_acceptq_is_full(sk))) 286 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 287 288 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 289 * Tag. 290 */ 291 if (chunk->sctp_hdr->vtag != 0) 292 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 293 294 /* Make sure that the INIT chunk has a valid length. 295 * Normally, this would cause an ABORT with a Protocol Violation 296 * error, but since we don't have an association, we'll 297 * just discard the packet. 298 */ 299 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 300 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 301 302 /* Verify the INIT chunk before processing it. */ 303 err_chunk = NULL; 304 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 305 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 306 &err_chunk)) { 307 /* This chunk contains fatal error. It is to be discarded. 308 * Send an ABORT, with causes if there is any. 309 */ 310 if (err_chunk) { 311 packet = sctp_abort_pkt_new(ep, asoc, arg, 312 (__u8 *)(err_chunk->chunk_hdr) + 313 sizeof(sctp_chunkhdr_t), 314 ntohs(err_chunk->chunk_hdr->length) - 315 sizeof(sctp_chunkhdr_t)); 316 317 sctp_chunk_free(err_chunk); 318 319 if (packet) { 320 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 321 SCTP_PACKET(packet)); 322 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 323 return SCTP_DISPOSITION_CONSUME; 324 } else { 325 return SCTP_DISPOSITION_NOMEM; 326 } 327 } else { 328 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 329 commands); 330 } 331 } 332 333 /* Grab the INIT header. */ 334 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 335 336 /* Tag the variable length parameters. */ 337 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 338 339 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 340 if (!new_asoc) 341 goto nomem; 342 343 /* The call, sctp_process_init(), can fail on memory allocation. */ 344 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 345 sctp_source(chunk), 346 (sctp_init_chunk_t *)chunk->chunk_hdr, 347 GFP_ATOMIC)) 348 goto nomem_init; 349 350 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 351 352 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 353 354 /* If there are errors need to be reported for unknown parameters, 355 * make sure to reserve enough room in the INIT ACK for them. 356 */ 357 len = 0; 358 if (err_chunk) 359 len = ntohs(err_chunk->chunk_hdr->length) - 360 sizeof(sctp_chunkhdr_t); 361 362 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 363 goto nomem_ack; 364 365 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 366 if (!repl) 367 goto nomem_ack; 368 369 /* If there are errors need to be reported for unknown parameters, 370 * include them in the outgoing INIT ACK as "Unrecognized parameter" 371 * parameter. 372 */ 373 if (err_chunk) { 374 /* Get the "Unrecognized parameter" parameter(s) out of the 375 * ERROR chunk generated by sctp_verify_init(). Since the 376 * error cause code for "unknown parameter" and the 377 * "Unrecognized parameter" type is the same, we can 378 * construct the parameters in INIT ACK by copying the 379 * ERROR causes over. 380 */ 381 unk_param = (sctp_unrecognized_param_t *) 382 ((__u8 *)(err_chunk->chunk_hdr) + 383 sizeof(sctp_chunkhdr_t)); 384 /* Replace the cause code with the "Unrecognized parameter" 385 * parameter type. 386 */ 387 sctp_addto_chunk(repl, len, unk_param); 388 sctp_chunk_free(err_chunk); 389 } 390 391 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 392 393 /* 394 * Note: After sending out INIT ACK with the State Cookie parameter, 395 * "Z" MUST NOT allocate any resources, nor keep any states for the 396 * new association. Otherwise, "Z" will be vulnerable to resource 397 * attacks. 398 */ 399 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 400 401 return SCTP_DISPOSITION_DELETE_TCB; 402 403 nomem_ack: 404 if (err_chunk) 405 sctp_chunk_free(err_chunk); 406 nomem_init: 407 sctp_association_free(new_asoc); 408 nomem: 409 return SCTP_DISPOSITION_NOMEM; 410 } 411 412 /* 413 * Respond to a normal INIT ACK chunk. 414 * We are the side that is initiating the association. 415 * 416 * Section: 5.1 Normal Establishment of an Association, C 417 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 418 * timer and leave COOKIE-WAIT state. "A" shall then send the State 419 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 420 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 421 * 422 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 423 * DATA chunks, but it MUST be the first chunk in the packet and 424 * until the COOKIE ACK is returned the sender MUST NOT send any 425 * other packets to the peer. 426 * 427 * Verification Tag: 3.3.3 428 * If the value of the Initiate Tag in a received INIT ACK chunk is 429 * found to be 0, the receiver MUST treat it as an error and close the 430 * association by transmitting an ABORT. 431 * 432 * Inputs 433 * (endpoint, asoc, chunk) 434 * 435 * Outputs 436 * (asoc, reply_msg, msg_up, timers, counters) 437 * 438 * The return value is the disposition of the chunk. 439 */ 440 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 441 const struct sctp_association *asoc, 442 const sctp_subtype_t type, 443 void *arg, 444 sctp_cmd_seq_t *commands) 445 { 446 struct sctp_chunk *chunk = arg; 447 sctp_init_chunk_t *initchunk; 448 __u32 init_tag; 449 struct sctp_chunk *err_chunk; 450 struct sctp_packet *packet; 451 __u16 error; 452 453 if (!sctp_vtag_verify(chunk, asoc)) 454 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 455 456 /* Make sure that the INIT-ACK chunk has a valid length */ 457 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 458 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 459 commands); 460 /* 6.10 Bundling 461 * An endpoint MUST NOT bundle INIT, INIT ACK or 462 * SHUTDOWN COMPLETE with any other chunks. 463 */ 464 if (!chunk->singleton) 465 return SCTP_DISPOSITION_VIOLATION; 466 467 /* Grab the INIT header. */ 468 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 469 470 init_tag = ntohl(chunk->subh.init_hdr->init_tag); 471 472 /* Verification Tag: 3.3.3 473 * If the value of the Initiate Tag in a received INIT ACK 474 * chunk is found to be 0, the receiver MUST treat it as an 475 * error and close the association by transmitting an ABORT. 476 */ 477 if (!init_tag) { 478 struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0); 479 if (!reply) 480 goto nomem; 481 482 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 483 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_INV_PARAM, 484 ECONNREFUSED, asoc, 485 chunk->transport); 486 } 487 488 /* Verify the INIT chunk before processing it. */ 489 err_chunk = NULL; 490 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 491 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 492 &err_chunk)) { 493 494 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 495 496 /* This chunk contains fatal error. It is to be discarded. 497 * Send an ABORT, with causes if there is any. 498 */ 499 if (err_chunk) { 500 packet = sctp_abort_pkt_new(ep, asoc, arg, 501 (__u8 *)(err_chunk->chunk_hdr) + 502 sizeof(sctp_chunkhdr_t), 503 ntohs(err_chunk->chunk_hdr->length) - 504 sizeof(sctp_chunkhdr_t)); 505 506 sctp_chunk_free(err_chunk); 507 508 if (packet) { 509 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 510 SCTP_PACKET(packet)); 511 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 512 error = SCTP_ERROR_INV_PARAM; 513 } else { 514 error = SCTP_ERROR_NO_RESOURCE; 515 } 516 } else { 517 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 518 error = SCTP_ERROR_INV_PARAM; 519 } 520 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 521 asoc, chunk->transport); 522 } 523 524 /* Tag the variable length parameters. Note that we never 525 * convert the parameters in an INIT chunk. 526 */ 527 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 528 529 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 530 531 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 532 SCTP_PEER_INIT(initchunk)); 533 534 /* Reset init error count upon receipt of INIT-ACK. */ 535 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 536 537 /* 5.1 C) "A" shall stop the T1-init timer and leave 538 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 539 * timer, and enter the COOKIE-ECHOED state. 540 */ 541 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 542 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 543 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 544 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 545 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 546 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 547 548 /* 5.1 C) "A" shall then send the State Cookie received in the 549 * INIT ACK chunk in a COOKIE ECHO chunk, ... 550 */ 551 /* If there is any errors to report, send the ERROR chunk generated 552 * for unknown parameters as well. 553 */ 554 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 555 SCTP_CHUNK(err_chunk)); 556 557 return SCTP_DISPOSITION_CONSUME; 558 559 nomem: 560 return SCTP_DISPOSITION_NOMEM; 561 } 562 563 /* 564 * Respond to a normal COOKIE ECHO chunk. 565 * We are the side that is being asked for an association. 566 * 567 * Section: 5.1 Normal Establishment of an Association, D 568 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 569 * with a COOKIE ACK chunk after building a TCB and moving to 570 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 571 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 572 * chunk MUST be the first chunk in the packet. 573 * 574 * IMPLEMENTATION NOTE: An implementation may choose to send the 575 * Communication Up notification to the SCTP user upon reception 576 * of a valid COOKIE ECHO chunk. 577 * 578 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 579 * D) Rules for packet carrying a COOKIE ECHO 580 * 581 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 582 * Initial Tag received in the INIT ACK. 583 * 584 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 585 * 586 * Inputs 587 * (endpoint, asoc, chunk) 588 * 589 * Outputs 590 * (asoc, reply_msg, msg_up, timers, counters) 591 * 592 * The return value is the disposition of the chunk. 593 */ 594 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 595 const struct sctp_association *asoc, 596 const sctp_subtype_t type, void *arg, 597 sctp_cmd_seq_t *commands) 598 { 599 struct sctp_chunk *chunk = arg; 600 struct sctp_association *new_asoc; 601 sctp_init_chunk_t *peer_init; 602 struct sctp_chunk *repl; 603 struct sctp_ulpevent *ev; 604 int error = 0; 605 struct sctp_chunk *err_chk_p; 606 607 /* If the packet is an OOTB packet which is temporarily on the 608 * control endpoint, respond with an ABORT. 609 */ 610 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 611 return sctp_sf_ootb(ep, asoc, type, arg, commands); 612 613 /* Make sure that the COOKIE_ECHO chunk has a valid length. 614 * In this case, we check that we have enough for at least a 615 * chunk header. More detailed verification is done 616 * in sctp_unpack_cookie(). 617 */ 618 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 619 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 620 621 /* "Decode" the chunk. We have no optional parameters so we 622 * are in good shape. 623 */ 624 chunk->subh.cookie_hdr = 625 (struct sctp_signed_cookie *)chunk->skb->data; 626 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 627 sizeof(sctp_chunkhdr_t))) 628 goto nomem; 629 630 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 631 * "Z" will reply with a COOKIE ACK chunk after building a TCB 632 * and moving to the ESTABLISHED state. 633 */ 634 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 635 &err_chk_p); 636 637 /* FIXME: 638 * If the re-build failed, what is the proper error path 639 * from here? 640 * 641 * [We should abort the association. --piggy] 642 */ 643 if (!new_asoc) { 644 /* FIXME: Several errors are possible. A bad cookie should 645 * be silently discarded, but think about logging it too. 646 */ 647 switch (error) { 648 case -SCTP_IERROR_NOMEM: 649 goto nomem; 650 651 case -SCTP_IERROR_STALE_COOKIE: 652 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 653 err_chk_p); 654 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 655 656 case -SCTP_IERROR_BAD_SIG: 657 default: 658 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 659 }; 660 } 661 662 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 663 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 664 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 665 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 666 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 667 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 668 669 if (new_asoc->autoclose) 670 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 671 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 672 673 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 674 675 /* Re-build the bind address for the association is done in 676 * the sctp_unpack_cookie() already. 677 */ 678 /* This is a brand-new association, so these are not yet side 679 * effects--it is safe to run them here. 680 */ 681 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 682 683 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 684 &chunk->subh.cookie_hdr->c.peer_addr, 685 peer_init, GFP_ATOMIC)) 686 goto nomem_init; 687 688 repl = sctp_make_cookie_ack(new_asoc, chunk); 689 if (!repl) 690 goto nomem_repl; 691 692 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 693 694 /* RFC 2960 5.1 Normal Establishment of an Association 695 * 696 * D) IMPLEMENTATION NOTE: An implementation may choose to 697 * send the Communication Up notification to the SCTP user 698 * upon reception of a valid COOKIE ECHO chunk. 699 */ 700 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 701 new_asoc->c.sinit_num_ostreams, 702 new_asoc->c.sinit_max_instreams, 703 GFP_ATOMIC); 704 if (!ev) 705 goto nomem_ev; 706 707 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 708 709 /* Sockets API Draft Section 5.3.1.6 710 * When a peer sends a Adaption Layer Indication parameter , SCTP 711 * delivers this notification to inform the application that of the 712 * peers requested adaption layer. 713 */ 714 if (new_asoc->peer.adaption_ind) { 715 ev = sctp_ulpevent_make_adaption_indication(new_asoc, 716 GFP_ATOMIC); 717 if (!ev) 718 goto nomem_ev; 719 720 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 721 SCTP_ULPEVENT(ev)); 722 } 723 724 return SCTP_DISPOSITION_CONSUME; 725 726 nomem_ev: 727 sctp_chunk_free(repl); 728 nomem_repl: 729 nomem_init: 730 sctp_association_free(new_asoc); 731 nomem: 732 return SCTP_DISPOSITION_NOMEM; 733 } 734 735 /* 736 * Respond to a normal COOKIE ACK chunk. 737 * We are the side that is being asked for an association. 738 * 739 * RFC 2960 5.1 Normal Establishment of an Association 740 * 741 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 742 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 743 * timer. It may also notify its ULP about the successful 744 * establishment of the association with a Communication Up 745 * notification (see Section 10). 746 * 747 * Verification Tag: 748 * Inputs 749 * (endpoint, asoc, chunk) 750 * 751 * Outputs 752 * (asoc, reply_msg, msg_up, timers, counters) 753 * 754 * The return value is the disposition of the chunk. 755 */ 756 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 757 const struct sctp_association *asoc, 758 const sctp_subtype_t type, void *arg, 759 sctp_cmd_seq_t *commands) 760 { 761 struct sctp_chunk *chunk = arg; 762 struct sctp_ulpevent *ev; 763 764 if (!sctp_vtag_verify(chunk, asoc)) 765 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 766 767 /* Verify that the chunk length for the COOKIE-ACK is OK. 768 * If we don't do this, any bundled chunks may be junked. 769 */ 770 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 771 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 772 commands); 773 774 /* Reset init error count upon receipt of COOKIE-ACK, 775 * to avoid problems with the managemement of this 776 * counter in stale cookie situations when a transition back 777 * from the COOKIE-ECHOED state to the COOKIE-WAIT 778 * state is performed. 779 */ 780 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 781 782 /* RFC 2960 5.1 Normal Establishment of an Association 783 * 784 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 785 * from the COOKIE-ECHOED state to the ESTABLISHED state, 786 * stopping the T1-cookie timer. 787 */ 788 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 789 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 790 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 791 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 792 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 793 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 794 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 795 if (asoc->autoclose) 796 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 797 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 798 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 799 800 /* It may also notify its ULP about the successful 801 * establishment of the association with a Communication Up 802 * notification (see Section 10). 803 */ 804 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 805 0, asoc->c.sinit_num_ostreams, 806 asoc->c.sinit_max_instreams, 807 GFP_ATOMIC); 808 809 if (!ev) 810 goto nomem; 811 812 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 813 814 /* Sockets API Draft Section 5.3.1.6 815 * When a peer sends a Adaption Layer Indication parameter , SCTP 816 * delivers this notification to inform the application that of the 817 * peers requested adaption layer. 818 */ 819 if (asoc->peer.adaption_ind) { 820 ev = sctp_ulpevent_make_adaption_indication(asoc, GFP_ATOMIC); 821 if (!ev) 822 goto nomem; 823 824 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 825 SCTP_ULPEVENT(ev)); 826 } 827 828 return SCTP_DISPOSITION_CONSUME; 829 nomem: 830 return SCTP_DISPOSITION_NOMEM; 831 } 832 833 /* Generate and sendout a heartbeat packet. */ 834 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 835 const struct sctp_association *asoc, 836 const sctp_subtype_t type, 837 void *arg, 838 sctp_cmd_seq_t *commands) 839 { 840 struct sctp_transport *transport = (struct sctp_transport *) arg; 841 struct sctp_chunk *reply; 842 sctp_sender_hb_info_t hbinfo; 843 size_t paylen = 0; 844 845 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 846 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 847 hbinfo.daddr = transport->ipaddr; 848 hbinfo.sent_at = jiffies; 849 hbinfo.hb_nonce = transport->hb_nonce; 850 851 /* Send a heartbeat to our peer. */ 852 paylen = sizeof(sctp_sender_hb_info_t); 853 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 854 if (!reply) 855 return SCTP_DISPOSITION_NOMEM; 856 857 /* Set rto_pending indicating that an RTT measurement 858 * is started with this heartbeat chunk. 859 */ 860 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 861 SCTP_TRANSPORT(transport)); 862 863 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 864 return SCTP_DISPOSITION_CONSUME; 865 } 866 867 /* Generate a HEARTBEAT packet on the given transport. */ 868 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 869 const struct sctp_association *asoc, 870 const sctp_subtype_t type, 871 void *arg, 872 sctp_cmd_seq_t *commands) 873 { 874 struct sctp_transport *transport = (struct sctp_transport *) arg; 875 876 if (asoc->overall_error_count >= asoc->max_retrans) { 877 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 878 SCTP_ERROR(ETIMEDOUT)); 879 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 880 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 881 SCTP_U32(SCTP_ERROR_NO_ERROR)); 882 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 883 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 884 return SCTP_DISPOSITION_DELETE_TCB; 885 } 886 887 /* Section 3.3.5. 888 * The Sender-specific Heartbeat Info field should normally include 889 * information about the sender's current time when this HEARTBEAT 890 * chunk is sent and the destination transport address to which this 891 * HEARTBEAT is sent (see Section 8.3). 892 */ 893 894 if (transport->param_flags & SPP_HB_ENABLE) { 895 if (SCTP_DISPOSITION_NOMEM == 896 sctp_sf_heartbeat(ep, asoc, type, arg, 897 commands)) 898 return SCTP_DISPOSITION_NOMEM; 899 /* Set transport error counter and association error counter 900 * when sending heartbeat. 901 */ 902 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 903 SCTP_TRANSPORT(transport)); 904 } 905 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 906 SCTP_TRANSPORT(transport)); 907 908 return SCTP_DISPOSITION_CONSUME; 909 } 910 911 /* 912 * Process an heartbeat request. 913 * 914 * Section: 8.3 Path Heartbeat 915 * The receiver of the HEARTBEAT should immediately respond with a 916 * HEARTBEAT ACK that contains the Heartbeat Information field copied 917 * from the received HEARTBEAT chunk. 918 * 919 * Verification Tag: 8.5 Verification Tag [Normal verification] 920 * When receiving an SCTP packet, the endpoint MUST ensure that the 921 * value in the Verification Tag field of the received SCTP packet 922 * matches its own Tag. If the received Verification Tag value does not 923 * match the receiver's own tag value, the receiver shall silently 924 * discard the packet and shall not process it any further except for 925 * those cases listed in Section 8.5.1 below. 926 * 927 * Inputs 928 * (endpoint, asoc, chunk) 929 * 930 * Outputs 931 * (asoc, reply_msg, msg_up, timers, counters) 932 * 933 * The return value is the disposition of the chunk. 934 */ 935 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 936 const struct sctp_association *asoc, 937 const sctp_subtype_t type, 938 void *arg, 939 sctp_cmd_seq_t *commands) 940 { 941 struct sctp_chunk *chunk = arg; 942 struct sctp_chunk *reply; 943 size_t paylen = 0; 944 945 if (!sctp_vtag_verify(chunk, asoc)) 946 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 947 948 /* Make sure that the HEARTBEAT chunk has a valid length. */ 949 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 950 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 951 commands); 952 953 /* 8.3 The receiver of the HEARTBEAT should immediately 954 * respond with a HEARTBEAT ACK that contains the Heartbeat 955 * Information field copied from the received HEARTBEAT chunk. 956 */ 957 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 958 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 959 if (!pskb_pull(chunk->skb, paylen)) 960 goto nomem; 961 962 reply = sctp_make_heartbeat_ack(asoc, chunk, 963 chunk->subh.hb_hdr, paylen); 964 if (!reply) 965 goto nomem; 966 967 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 968 return SCTP_DISPOSITION_CONSUME; 969 970 nomem: 971 return SCTP_DISPOSITION_NOMEM; 972 } 973 974 /* 975 * Process the returning HEARTBEAT ACK. 976 * 977 * Section: 8.3 Path Heartbeat 978 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 979 * should clear the error counter of the destination transport 980 * address to which the HEARTBEAT was sent, and mark the destination 981 * transport address as active if it is not so marked. The endpoint may 982 * optionally report to the upper layer when an inactive destination 983 * address is marked as active due to the reception of the latest 984 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 985 * clear the association overall error count as well (as defined 986 * in section 8.1). 987 * 988 * The receiver of the HEARTBEAT ACK should also perform an RTT 989 * measurement for that destination transport address using the time 990 * value carried in the HEARTBEAT ACK chunk. 991 * 992 * Verification Tag: 8.5 Verification Tag [Normal verification] 993 * 994 * Inputs 995 * (endpoint, asoc, chunk) 996 * 997 * Outputs 998 * (asoc, reply_msg, msg_up, timers, counters) 999 * 1000 * The return value is the disposition of the chunk. 1001 */ 1002 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1003 const struct sctp_association *asoc, 1004 const sctp_subtype_t type, 1005 void *arg, 1006 sctp_cmd_seq_t *commands) 1007 { 1008 struct sctp_chunk *chunk = arg; 1009 union sctp_addr from_addr; 1010 struct sctp_transport *link; 1011 sctp_sender_hb_info_t *hbinfo; 1012 unsigned long max_interval; 1013 1014 if (!sctp_vtag_verify(chunk, asoc)) 1015 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1016 1017 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1018 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1019 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1020 commands); 1021 1022 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1023 /* Make sure that the length of the parameter is what we expect */ 1024 if (ntohs(hbinfo->param_hdr.length) != 1025 sizeof(sctp_sender_hb_info_t)) { 1026 return SCTP_DISPOSITION_DISCARD; 1027 } 1028 1029 from_addr = hbinfo->daddr; 1030 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1031 1032 /* This should never happen, but lets log it if so. */ 1033 if (unlikely(!link)) { 1034 if (from_addr.sa.sa_family == AF_INET6) { 1035 printk(KERN_WARNING 1036 "%s association %p could not find address " 1037 NIP6_FMT "\n", 1038 __FUNCTION__, 1039 asoc, 1040 NIP6(from_addr.v6.sin6_addr)); 1041 } else { 1042 printk(KERN_WARNING 1043 "%s association %p could not find address " 1044 NIPQUAD_FMT "\n", 1045 __FUNCTION__, 1046 asoc, 1047 NIPQUAD(from_addr.v4.sin_addr.s_addr)); 1048 } 1049 return SCTP_DISPOSITION_DISCARD; 1050 } 1051 1052 /* Validate the 64-bit random nonce. */ 1053 if (hbinfo->hb_nonce != link->hb_nonce) 1054 return SCTP_DISPOSITION_DISCARD; 1055 1056 max_interval = link->hbinterval + link->rto; 1057 1058 /* Check if the timestamp looks valid. */ 1059 if (time_after(hbinfo->sent_at, jiffies) || 1060 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1061 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp" 1062 "received for transport: %p\n", 1063 __FUNCTION__, link); 1064 return SCTP_DISPOSITION_DISCARD; 1065 } 1066 1067 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1068 * the HEARTBEAT should clear the error counter of the 1069 * destination transport address to which the HEARTBEAT was 1070 * sent and mark the destination transport address as active if 1071 * it is not so marked. 1072 */ 1073 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1074 1075 return SCTP_DISPOSITION_CONSUME; 1076 } 1077 1078 /* Helper function to send out an abort for the restart 1079 * condition. 1080 */ 1081 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1082 struct sctp_chunk *init, 1083 sctp_cmd_seq_t *commands) 1084 { 1085 int len; 1086 struct sctp_packet *pkt; 1087 union sctp_addr_param *addrparm; 1088 struct sctp_errhdr *errhdr; 1089 struct sctp_endpoint *ep; 1090 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1091 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1092 1093 /* Build the error on the stack. We are way to malloc crazy 1094 * throughout the code today. 1095 */ 1096 errhdr = (struct sctp_errhdr *)buffer; 1097 addrparm = (union sctp_addr_param *)errhdr->variable; 1098 1099 /* Copy into a parm format. */ 1100 len = af->to_addr_param(ssa, addrparm); 1101 len += sizeof(sctp_errhdr_t); 1102 1103 errhdr->cause = SCTP_ERROR_RESTART; 1104 errhdr->length = htons(len); 1105 1106 /* Assign to the control socket. */ 1107 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1108 1109 /* Association is NULL since this may be a restart attack and we 1110 * want to send back the attacker's vtag. 1111 */ 1112 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1113 1114 if (!pkt) 1115 goto out; 1116 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1117 1118 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1119 1120 /* Discard the rest of the inbound packet. */ 1121 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1122 1123 out: 1124 /* Even if there is no memory, treat as a failure so 1125 * the packet will get dropped. 1126 */ 1127 return 0; 1128 } 1129 1130 /* A restart is occurring, check to make sure no new addresses 1131 * are being added as we may be under a takeover attack. 1132 */ 1133 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1134 const struct sctp_association *asoc, 1135 struct sctp_chunk *init, 1136 sctp_cmd_seq_t *commands) 1137 { 1138 struct sctp_transport *new_addr, *addr; 1139 struct list_head *pos, *pos2; 1140 int found; 1141 1142 /* Implementor's Guide - Sectin 5.2.2 1143 * ... 1144 * Before responding the endpoint MUST check to see if the 1145 * unexpected INIT adds new addresses to the association. If new 1146 * addresses are added to the association, the endpoint MUST respond 1147 * with an ABORT.. 1148 */ 1149 1150 /* Search through all current addresses and make sure 1151 * we aren't adding any new ones. 1152 */ 1153 new_addr = NULL; 1154 found = 0; 1155 1156 list_for_each(pos, &new_asoc->peer.transport_addr_list) { 1157 new_addr = list_entry(pos, struct sctp_transport, transports); 1158 found = 0; 1159 list_for_each(pos2, &asoc->peer.transport_addr_list) { 1160 addr = list_entry(pos2, struct sctp_transport, 1161 transports); 1162 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1163 &addr->ipaddr)) { 1164 found = 1; 1165 break; 1166 } 1167 } 1168 if (!found) 1169 break; 1170 } 1171 1172 /* If a new address was added, ABORT the sender. */ 1173 if (!found && new_addr) { 1174 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1175 } 1176 1177 /* Return success if all addresses were found. */ 1178 return found; 1179 } 1180 1181 /* Populate the verification/tie tags based on overlapping INIT 1182 * scenario. 1183 * 1184 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1185 */ 1186 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1187 const struct sctp_association *asoc) 1188 { 1189 switch (asoc->state) { 1190 1191 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1192 1193 case SCTP_STATE_COOKIE_WAIT: 1194 new_asoc->c.my_vtag = asoc->c.my_vtag; 1195 new_asoc->c.my_ttag = asoc->c.my_vtag; 1196 new_asoc->c.peer_ttag = 0; 1197 break; 1198 1199 case SCTP_STATE_COOKIE_ECHOED: 1200 new_asoc->c.my_vtag = asoc->c.my_vtag; 1201 new_asoc->c.my_ttag = asoc->c.my_vtag; 1202 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1203 break; 1204 1205 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1206 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1207 */ 1208 default: 1209 new_asoc->c.my_ttag = asoc->c.my_vtag; 1210 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1211 break; 1212 }; 1213 1214 /* Other parameters for the endpoint SHOULD be copied from the 1215 * existing parameters of the association (e.g. number of 1216 * outbound streams) into the INIT ACK and cookie. 1217 */ 1218 new_asoc->rwnd = asoc->rwnd; 1219 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1220 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1221 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1222 } 1223 1224 /* 1225 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1226 * handling action. 1227 * 1228 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1229 * 1230 * Returns value representing action to be taken. These action values 1231 * correspond to Action/Description values in RFC 2960, Table 2. 1232 */ 1233 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1234 const struct sctp_association *asoc) 1235 { 1236 /* In this case, the peer may have restarted. */ 1237 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1238 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1239 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1240 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1241 return 'A'; 1242 1243 /* Collision case B. */ 1244 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1245 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1246 (0 == asoc->c.peer_vtag))) { 1247 return 'B'; 1248 } 1249 1250 /* Collision case D. */ 1251 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1252 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1253 return 'D'; 1254 1255 /* Collision case C. */ 1256 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1257 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1258 (0 == new_asoc->c.my_ttag) && 1259 (0 == new_asoc->c.peer_ttag)) 1260 return 'C'; 1261 1262 /* No match to any of the special cases; discard this packet. */ 1263 return 'E'; 1264 } 1265 1266 /* Common helper routine for both duplicate and simulataneous INIT 1267 * chunk handling. 1268 */ 1269 static sctp_disposition_t sctp_sf_do_unexpected_init( 1270 const struct sctp_endpoint *ep, 1271 const struct sctp_association *asoc, 1272 const sctp_subtype_t type, 1273 void *arg, sctp_cmd_seq_t *commands) 1274 { 1275 sctp_disposition_t retval; 1276 struct sctp_chunk *chunk = arg; 1277 struct sctp_chunk *repl; 1278 struct sctp_association *new_asoc; 1279 struct sctp_chunk *err_chunk; 1280 struct sctp_packet *packet; 1281 sctp_unrecognized_param_t *unk_param; 1282 int len; 1283 1284 /* 6.10 Bundling 1285 * An endpoint MUST NOT bundle INIT, INIT ACK or 1286 * SHUTDOWN COMPLETE with any other chunks. 1287 * 1288 * IG Section 2.11.2 1289 * Furthermore, we require that the receiver of an INIT chunk MUST 1290 * enforce these rules by silently discarding an arriving packet 1291 * with an INIT chunk that is bundled with other chunks. 1292 */ 1293 if (!chunk->singleton) 1294 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1295 1296 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1297 * Tag. 1298 */ 1299 if (chunk->sctp_hdr->vtag != 0) 1300 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1301 1302 /* Make sure that the INIT chunk has a valid length. 1303 * In this case, we generate a protocol violation since we have 1304 * an association established. 1305 */ 1306 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1307 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1308 commands); 1309 /* Grab the INIT header. */ 1310 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1311 1312 /* Tag the variable length parameters. */ 1313 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1314 1315 /* Verify the INIT chunk before processing it. */ 1316 err_chunk = NULL; 1317 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1318 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1319 &err_chunk)) { 1320 /* This chunk contains fatal error. It is to be discarded. 1321 * Send an ABORT, with causes if there is any. 1322 */ 1323 if (err_chunk) { 1324 packet = sctp_abort_pkt_new(ep, asoc, arg, 1325 (__u8 *)(err_chunk->chunk_hdr) + 1326 sizeof(sctp_chunkhdr_t), 1327 ntohs(err_chunk->chunk_hdr->length) - 1328 sizeof(sctp_chunkhdr_t)); 1329 1330 if (packet) { 1331 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1332 SCTP_PACKET(packet)); 1333 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1334 retval = SCTP_DISPOSITION_CONSUME; 1335 } else { 1336 retval = SCTP_DISPOSITION_NOMEM; 1337 } 1338 goto cleanup; 1339 } else { 1340 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1341 commands); 1342 } 1343 } 1344 1345 /* 1346 * Other parameters for the endpoint SHOULD be copied from the 1347 * existing parameters of the association (e.g. number of 1348 * outbound streams) into the INIT ACK and cookie. 1349 * FIXME: We are copying parameters from the endpoint not the 1350 * association. 1351 */ 1352 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1353 if (!new_asoc) 1354 goto nomem; 1355 1356 /* In the outbound INIT ACK the endpoint MUST copy its current 1357 * Verification Tag and Peers Verification tag into a reserved 1358 * place (local tie-tag and per tie-tag) within the state cookie. 1359 */ 1360 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1361 sctp_source(chunk), 1362 (sctp_init_chunk_t *)chunk->chunk_hdr, 1363 GFP_ATOMIC)) { 1364 retval = SCTP_DISPOSITION_NOMEM; 1365 goto nomem_init; 1366 } 1367 1368 /* Make sure no new addresses are being added during the 1369 * restart. Do not do this check for COOKIE-WAIT state, 1370 * since there are no peer addresses to check against. 1371 * Upon return an ABORT will have been sent if needed. 1372 */ 1373 if (!sctp_state(asoc, COOKIE_WAIT)) { 1374 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1375 commands)) { 1376 retval = SCTP_DISPOSITION_CONSUME; 1377 goto cleanup_asoc; 1378 } 1379 } 1380 1381 sctp_tietags_populate(new_asoc, asoc); 1382 1383 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1384 1385 /* If there are errors need to be reported for unknown parameters, 1386 * make sure to reserve enough room in the INIT ACK for them. 1387 */ 1388 len = 0; 1389 if (err_chunk) { 1390 len = ntohs(err_chunk->chunk_hdr->length) - 1391 sizeof(sctp_chunkhdr_t); 1392 } 1393 1394 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1395 goto nomem; 1396 1397 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1398 if (!repl) 1399 goto nomem; 1400 1401 /* If there are errors need to be reported for unknown parameters, 1402 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1403 * parameter. 1404 */ 1405 if (err_chunk) { 1406 /* Get the "Unrecognized parameter" parameter(s) out of the 1407 * ERROR chunk generated by sctp_verify_init(). Since the 1408 * error cause code for "unknown parameter" and the 1409 * "Unrecognized parameter" type is the same, we can 1410 * construct the parameters in INIT ACK by copying the 1411 * ERROR causes over. 1412 */ 1413 unk_param = (sctp_unrecognized_param_t *) 1414 ((__u8 *)(err_chunk->chunk_hdr) + 1415 sizeof(sctp_chunkhdr_t)); 1416 /* Replace the cause code with the "Unrecognized parameter" 1417 * parameter type. 1418 */ 1419 sctp_addto_chunk(repl, len, unk_param); 1420 } 1421 1422 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1423 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1424 1425 /* 1426 * Note: After sending out INIT ACK with the State Cookie parameter, 1427 * "Z" MUST NOT allocate any resources for this new association. 1428 * Otherwise, "Z" will be vulnerable to resource attacks. 1429 */ 1430 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1431 retval = SCTP_DISPOSITION_CONSUME; 1432 1433 cleanup: 1434 if (err_chunk) 1435 sctp_chunk_free(err_chunk); 1436 return retval; 1437 nomem: 1438 retval = SCTP_DISPOSITION_NOMEM; 1439 goto cleanup; 1440 nomem_init: 1441 cleanup_asoc: 1442 sctp_association_free(new_asoc); 1443 goto cleanup; 1444 } 1445 1446 /* 1447 * Handle simultanous INIT. 1448 * This means we started an INIT and then we got an INIT request from 1449 * our peer. 1450 * 1451 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1452 * This usually indicates an initialization collision, i.e., each 1453 * endpoint is attempting, at about the same time, to establish an 1454 * association with the other endpoint. 1455 * 1456 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1457 * endpoint MUST respond with an INIT ACK using the same parameters it 1458 * sent in its original INIT chunk (including its Verification Tag, 1459 * unchanged). These original parameters are combined with those from the 1460 * newly received INIT chunk. The endpoint shall also generate a State 1461 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1462 * INIT to calculate the State Cookie. 1463 * 1464 * After that, the endpoint MUST NOT change its state, the T1-init 1465 * timer shall be left running and the corresponding TCB MUST NOT be 1466 * destroyed. The normal procedures for handling State Cookies when 1467 * a TCB exists will resolve the duplicate INITs to a single association. 1468 * 1469 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1470 * its Tie-Tags with the Tag information of itself and its peer (see 1471 * section 5.2.2 for a description of the Tie-Tags). 1472 * 1473 * Verification Tag: Not explicit, but an INIT can not have a valid 1474 * verification tag, so we skip the check. 1475 * 1476 * Inputs 1477 * (endpoint, asoc, chunk) 1478 * 1479 * Outputs 1480 * (asoc, reply_msg, msg_up, timers, counters) 1481 * 1482 * The return value is the disposition of the chunk. 1483 */ 1484 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1485 const struct sctp_association *asoc, 1486 const sctp_subtype_t type, 1487 void *arg, 1488 sctp_cmd_seq_t *commands) 1489 { 1490 /* Call helper to do the real work for both simulataneous and 1491 * duplicate INIT chunk handling. 1492 */ 1493 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1494 } 1495 1496 /* 1497 * Handle duplicated INIT messages. These are usually delayed 1498 * restransmissions. 1499 * 1500 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1501 * COOKIE-ECHOED and COOKIE-WAIT 1502 * 1503 * Unless otherwise stated, upon reception of an unexpected INIT for 1504 * this association, the endpoint shall generate an INIT ACK with a 1505 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1506 * current Verification Tag and peer's Verification Tag into a reserved 1507 * place within the state cookie. We shall refer to these locations as 1508 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1509 * containing this INIT ACK MUST carry a Verification Tag value equal to 1510 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1511 * MUST contain a new Initiation Tag (randomly generated see Section 1512 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1513 * existing parameters of the association (e.g. number of outbound 1514 * streams) into the INIT ACK and cookie. 1515 * 1516 * After sending out the INIT ACK, the endpoint shall take no further 1517 * actions, i.e., the existing association, including its current state, 1518 * and the corresponding TCB MUST NOT be changed. 1519 * 1520 * Note: Only when a TCB exists and the association is not in a COOKIE- 1521 * WAIT state are the Tie-Tags populated. For a normal association INIT 1522 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1523 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1524 * State Cookie are populated as specified in section 5.2.1. 1525 * 1526 * Verification Tag: Not specified, but an INIT has no way of knowing 1527 * what the verification tag could be, so we ignore it. 1528 * 1529 * Inputs 1530 * (endpoint, asoc, chunk) 1531 * 1532 * Outputs 1533 * (asoc, reply_msg, msg_up, timers, counters) 1534 * 1535 * The return value is the disposition of the chunk. 1536 */ 1537 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1538 const struct sctp_association *asoc, 1539 const sctp_subtype_t type, 1540 void *arg, 1541 sctp_cmd_seq_t *commands) 1542 { 1543 /* Call helper to do the real work for both simulataneous and 1544 * duplicate INIT chunk handling. 1545 */ 1546 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1547 } 1548 1549 1550 1551 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1552 * 1553 * Section 5.2.4 1554 * A) In this case, the peer may have restarted. 1555 */ 1556 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1557 const struct sctp_association *asoc, 1558 struct sctp_chunk *chunk, 1559 sctp_cmd_seq_t *commands, 1560 struct sctp_association *new_asoc) 1561 { 1562 sctp_init_chunk_t *peer_init; 1563 struct sctp_ulpevent *ev; 1564 struct sctp_chunk *repl; 1565 struct sctp_chunk *err; 1566 sctp_disposition_t disposition; 1567 1568 /* new_asoc is a brand-new association, so these are not yet 1569 * side effects--it is safe to run them here. 1570 */ 1571 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1572 1573 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1574 sctp_source(chunk), peer_init, 1575 GFP_ATOMIC)) 1576 goto nomem; 1577 1578 /* Make sure no new addresses are being added during the 1579 * restart. Though this is a pretty complicated attack 1580 * since you'd have to get inside the cookie. 1581 */ 1582 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1583 return SCTP_DISPOSITION_CONSUME; 1584 } 1585 1586 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1587 * the peer has restarted (Action A), it MUST NOT setup a new 1588 * association but instead resend the SHUTDOWN ACK and send an ERROR 1589 * chunk with a "Cookie Received while Shutting Down" error cause to 1590 * its peer. 1591 */ 1592 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1593 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1594 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1595 chunk, commands); 1596 if (SCTP_DISPOSITION_NOMEM == disposition) 1597 goto nomem; 1598 1599 err = sctp_make_op_error(asoc, chunk, 1600 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1601 NULL, 0); 1602 if (err) 1603 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1604 SCTP_CHUNK(err)); 1605 1606 return SCTP_DISPOSITION_CONSUME; 1607 } 1608 1609 /* For now, fail any unsent/unacked data. Consider the optional 1610 * choice of resending of this data. 1611 */ 1612 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1613 1614 /* Update the content of current association. */ 1615 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1616 1617 repl = sctp_make_cookie_ack(new_asoc, chunk); 1618 if (!repl) 1619 goto nomem; 1620 1621 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1622 1623 /* Report association restart to upper layer. */ 1624 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1625 new_asoc->c.sinit_num_ostreams, 1626 new_asoc->c.sinit_max_instreams, 1627 GFP_ATOMIC); 1628 if (!ev) 1629 goto nomem_ev; 1630 1631 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1632 return SCTP_DISPOSITION_CONSUME; 1633 1634 nomem_ev: 1635 sctp_chunk_free(repl); 1636 nomem: 1637 return SCTP_DISPOSITION_NOMEM; 1638 } 1639 1640 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1641 * 1642 * Section 5.2.4 1643 * B) In this case, both sides may be attempting to start an association 1644 * at about the same time but the peer endpoint started its INIT 1645 * after responding to the local endpoint's INIT 1646 */ 1647 /* This case represents an initialization collision. */ 1648 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1649 const struct sctp_association *asoc, 1650 struct sctp_chunk *chunk, 1651 sctp_cmd_seq_t *commands, 1652 struct sctp_association *new_asoc) 1653 { 1654 sctp_init_chunk_t *peer_init; 1655 struct sctp_ulpevent *ev; 1656 struct sctp_chunk *repl; 1657 1658 /* new_asoc is a brand-new association, so these are not yet 1659 * side effects--it is safe to run them here. 1660 */ 1661 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1662 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1663 sctp_source(chunk), peer_init, 1664 GFP_ATOMIC)) 1665 goto nomem; 1666 1667 /* Update the content of current association. */ 1668 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1669 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1670 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1671 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1672 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1673 1674 repl = sctp_make_cookie_ack(new_asoc, chunk); 1675 if (!repl) 1676 goto nomem; 1677 1678 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1679 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1680 1681 /* RFC 2960 5.1 Normal Establishment of an Association 1682 * 1683 * D) IMPLEMENTATION NOTE: An implementation may choose to 1684 * send the Communication Up notification to the SCTP user 1685 * upon reception of a valid COOKIE ECHO chunk. 1686 */ 1687 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 0, 1688 new_asoc->c.sinit_num_ostreams, 1689 new_asoc->c.sinit_max_instreams, 1690 GFP_ATOMIC); 1691 if (!ev) 1692 goto nomem_ev; 1693 1694 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1695 1696 /* Sockets API Draft Section 5.3.1.6 1697 * When a peer sends a Adaption Layer Indication parameter , SCTP 1698 * delivers this notification to inform the application that of the 1699 * peers requested adaption layer. 1700 */ 1701 if (asoc->peer.adaption_ind) { 1702 ev = sctp_ulpevent_make_adaption_indication(asoc, GFP_ATOMIC); 1703 if (!ev) 1704 goto nomem_ev; 1705 1706 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1707 SCTP_ULPEVENT(ev)); 1708 } 1709 1710 return SCTP_DISPOSITION_CONSUME; 1711 1712 nomem_ev: 1713 sctp_chunk_free(repl); 1714 nomem: 1715 return SCTP_DISPOSITION_NOMEM; 1716 } 1717 1718 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1719 * 1720 * Section 5.2.4 1721 * C) In this case, the local endpoint's cookie has arrived late. 1722 * Before it arrived, the local endpoint sent an INIT and received an 1723 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1724 * but a new tag of its own. 1725 */ 1726 /* This case represents an initialization collision. */ 1727 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1728 const struct sctp_association *asoc, 1729 struct sctp_chunk *chunk, 1730 sctp_cmd_seq_t *commands, 1731 struct sctp_association *new_asoc) 1732 { 1733 /* The cookie should be silently discarded. 1734 * The endpoint SHOULD NOT change states and should leave 1735 * any timers running. 1736 */ 1737 return SCTP_DISPOSITION_DISCARD; 1738 } 1739 1740 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1741 * 1742 * Section 5.2.4 1743 * 1744 * D) When both local and remote tags match the endpoint should always 1745 * enter the ESTABLISHED state, if it has not already done so. 1746 */ 1747 /* This case represents an initialization collision. */ 1748 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1749 const struct sctp_association *asoc, 1750 struct sctp_chunk *chunk, 1751 sctp_cmd_seq_t *commands, 1752 struct sctp_association *new_asoc) 1753 { 1754 struct sctp_ulpevent *ev = NULL; 1755 struct sctp_chunk *repl; 1756 1757 /* Clarification from Implementor's Guide: 1758 * D) When both local and remote tags match the endpoint should 1759 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1760 * It should stop any cookie timer that may be running and send 1761 * a COOKIE ACK. 1762 */ 1763 1764 /* Don't accidentally move back into established state. */ 1765 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1766 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1767 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1768 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1769 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1770 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1771 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1772 SCTP_NULL()); 1773 1774 /* RFC 2960 5.1 Normal Establishment of an Association 1775 * 1776 * D) IMPLEMENTATION NOTE: An implementation may choose 1777 * to send the Communication Up notification to the 1778 * SCTP user upon reception of a valid COOKIE 1779 * ECHO chunk. 1780 */ 1781 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, 1782 SCTP_COMM_UP, 0, 1783 new_asoc->c.sinit_num_ostreams, 1784 new_asoc->c.sinit_max_instreams, 1785 GFP_ATOMIC); 1786 if (!ev) 1787 goto nomem; 1788 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1789 SCTP_ULPEVENT(ev)); 1790 1791 /* Sockets API Draft Section 5.3.1.6 1792 * When a peer sends a Adaption Layer Indication parameter, 1793 * SCTP delivers this notification to inform the application 1794 * that of the peers requested adaption layer. 1795 */ 1796 if (new_asoc->peer.adaption_ind) { 1797 ev = sctp_ulpevent_make_adaption_indication(new_asoc, 1798 GFP_ATOMIC); 1799 if (!ev) 1800 goto nomem; 1801 1802 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1803 SCTP_ULPEVENT(ev)); 1804 } 1805 } 1806 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1807 1808 repl = sctp_make_cookie_ack(new_asoc, chunk); 1809 if (!repl) 1810 goto nomem; 1811 1812 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1813 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1814 1815 return SCTP_DISPOSITION_CONSUME; 1816 1817 nomem: 1818 if (ev) 1819 sctp_ulpevent_free(ev); 1820 return SCTP_DISPOSITION_NOMEM; 1821 } 1822 1823 /* 1824 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1825 * chunk was retransmitted and then delayed in the network. 1826 * 1827 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1828 * 1829 * Verification Tag: None. Do cookie validation. 1830 * 1831 * Inputs 1832 * (endpoint, asoc, chunk) 1833 * 1834 * Outputs 1835 * (asoc, reply_msg, msg_up, timers, counters) 1836 * 1837 * The return value is the disposition of the chunk. 1838 */ 1839 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1840 const struct sctp_association *asoc, 1841 const sctp_subtype_t type, 1842 void *arg, 1843 sctp_cmd_seq_t *commands) 1844 { 1845 sctp_disposition_t retval; 1846 struct sctp_chunk *chunk = arg; 1847 struct sctp_association *new_asoc; 1848 int error = 0; 1849 char action; 1850 struct sctp_chunk *err_chk_p; 1851 1852 /* Make sure that the chunk has a valid length from the protocol 1853 * perspective. In this case check to make sure we have at least 1854 * enough for the chunk header. Cookie length verification is 1855 * done later. 1856 */ 1857 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1858 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1859 commands); 1860 1861 /* "Decode" the chunk. We have no optional parameters so we 1862 * are in good shape. 1863 */ 1864 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1865 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1866 sizeof(sctp_chunkhdr_t))) 1867 goto nomem; 1868 1869 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1870 * of a duplicate COOKIE ECHO match the Verification Tags of the 1871 * current association, consider the State Cookie valid even if 1872 * the lifespan is exceeded. 1873 */ 1874 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1875 &err_chk_p); 1876 1877 /* FIXME: 1878 * If the re-build failed, what is the proper error path 1879 * from here? 1880 * 1881 * [We should abort the association. --piggy] 1882 */ 1883 if (!new_asoc) { 1884 /* FIXME: Several errors are possible. A bad cookie should 1885 * be silently discarded, but think about logging it too. 1886 */ 1887 switch (error) { 1888 case -SCTP_IERROR_NOMEM: 1889 goto nomem; 1890 1891 case -SCTP_IERROR_STALE_COOKIE: 1892 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1893 err_chk_p); 1894 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1895 case -SCTP_IERROR_BAD_SIG: 1896 default: 1897 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1898 }; 1899 } 1900 1901 /* Compare the tie_tag in cookie with the verification tag of 1902 * current association. 1903 */ 1904 action = sctp_tietags_compare(new_asoc, asoc); 1905 1906 switch (action) { 1907 case 'A': /* Association restart. */ 1908 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 1909 new_asoc); 1910 break; 1911 1912 case 'B': /* Collision case B. */ 1913 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 1914 new_asoc); 1915 break; 1916 1917 case 'C': /* Collision case C. */ 1918 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 1919 new_asoc); 1920 break; 1921 1922 case 'D': /* Collision case D. */ 1923 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 1924 new_asoc); 1925 break; 1926 1927 default: /* Discard packet for all others. */ 1928 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1929 break; 1930 }; 1931 1932 /* Delete the tempory new association. */ 1933 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1934 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1935 1936 return retval; 1937 1938 nomem: 1939 return SCTP_DISPOSITION_NOMEM; 1940 } 1941 1942 /* 1943 * Process an ABORT. (SHUTDOWN-PENDING state) 1944 * 1945 * See sctp_sf_do_9_1_abort(). 1946 */ 1947 sctp_disposition_t sctp_sf_shutdown_pending_abort( 1948 const struct sctp_endpoint *ep, 1949 const struct sctp_association *asoc, 1950 const sctp_subtype_t type, 1951 void *arg, 1952 sctp_cmd_seq_t *commands) 1953 { 1954 struct sctp_chunk *chunk = arg; 1955 1956 if (!sctp_vtag_verify_either(chunk, asoc)) 1957 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1958 1959 /* Make sure that the ABORT chunk has a valid length. 1960 * Since this is an ABORT chunk, we have to discard it 1961 * because of the following text: 1962 * RFC 2960, Section 3.3.7 1963 * If an endpoint receives an ABORT with a format error or for an 1964 * association that doesn't exist, it MUST silently discard it. 1965 * Becasue the length is "invalid", we can't really discard just 1966 * as we do not know its true length. So, to be safe, discard the 1967 * packet. 1968 */ 1969 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 1970 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1971 1972 /* Stop the T5-shutdown guard timer. */ 1973 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1974 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 1975 1976 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 1977 } 1978 1979 /* 1980 * Process an ABORT. (SHUTDOWN-SENT state) 1981 * 1982 * See sctp_sf_do_9_1_abort(). 1983 */ 1984 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 1985 const struct sctp_association *asoc, 1986 const sctp_subtype_t type, 1987 void *arg, 1988 sctp_cmd_seq_t *commands) 1989 { 1990 struct sctp_chunk *chunk = arg; 1991 1992 if (!sctp_vtag_verify_either(chunk, asoc)) 1993 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1994 1995 /* Make sure that the ABORT chunk has a valid length. 1996 * Since this is an ABORT chunk, we have to discard it 1997 * because of the following text: 1998 * RFC 2960, Section 3.3.7 1999 * If an endpoint receives an ABORT with a format error or for an 2000 * association that doesn't exist, it MUST silently discard it. 2001 * Becasue the length is "invalid", we can't really discard just 2002 * as we do not know its true length. So, to be safe, discard the 2003 * packet. 2004 */ 2005 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2006 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2007 2008 /* Stop the T2-shutdown timer. */ 2009 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2010 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2011 2012 /* Stop the T5-shutdown guard timer. */ 2013 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2014 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2015 2016 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2017 } 2018 2019 /* 2020 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2021 * 2022 * See sctp_sf_do_9_1_abort(). 2023 */ 2024 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2025 const struct sctp_endpoint *ep, 2026 const struct sctp_association *asoc, 2027 const sctp_subtype_t type, 2028 void *arg, 2029 sctp_cmd_seq_t *commands) 2030 { 2031 /* The same T2 timer, so we should be able to use 2032 * common function with the SHUTDOWN-SENT state. 2033 */ 2034 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2035 } 2036 2037 /* 2038 * Handle an Error received in COOKIE_ECHOED state. 2039 * 2040 * Only handle the error type of stale COOKIE Error, the other errors will 2041 * be ignored. 2042 * 2043 * Inputs 2044 * (endpoint, asoc, chunk) 2045 * 2046 * Outputs 2047 * (asoc, reply_msg, msg_up, timers, counters) 2048 * 2049 * The return value is the disposition of the chunk. 2050 */ 2051 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2052 const struct sctp_association *asoc, 2053 const sctp_subtype_t type, 2054 void *arg, 2055 sctp_cmd_seq_t *commands) 2056 { 2057 struct sctp_chunk *chunk = arg; 2058 sctp_errhdr_t *err; 2059 2060 if (!sctp_vtag_verify(chunk, asoc)) 2061 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2062 2063 /* Make sure that the ERROR chunk has a valid length. 2064 * The parameter walking depends on this as well. 2065 */ 2066 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2067 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2068 commands); 2069 2070 /* Process the error here */ 2071 /* FUTURE FIXME: When PR-SCTP related and other optional 2072 * parms are emitted, this will have to change to handle multiple 2073 * errors. 2074 */ 2075 sctp_walk_errors(err, chunk->chunk_hdr) { 2076 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2077 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2078 arg, commands); 2079 } 2080 2081 /* It is possible to have malformed error causes, and that 2082 * will cause us to end the walk early. However, since 2083 * we are discarding the packet, there should be no adverse 2084 * affects. 2085 */ 2086 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2087 } 2088 2089 /* 2090 * Handle a Stale COOKIE Error 2091 * 2092 * Section: 5.2.6 Handle Stale COOKIE Error 2093 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2094 * one of the following three alternatives. 2095 * ... 2096 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2097 * Preservative parameter requesting an extension to the lifetime of 2098 * the State Cookie. When calculating the time extension, an 2099 * implementation SHOULD use the RTT information measured based on the 2100 * previous COOKIE ECHO / ERROR exchange, and should add no more 2101 * than 1 second beyond the measured RTT, due to long State Cookie 2102 * lifetimes making the endpoint more subject to a replay attack. 2103 * 2104 * Verification Tag: Not explicit, but safe to ignore. 2105 * 2106 * Inputs 2107 * (endpoint, asoc, chunk) 2108 * 2109 * Outputs 2110 * (asoc, reply_msg, msg_up, timers, counters) 2111 * 2112 * The return value is the disposition of the chunk. 2113 */ 2114 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2115 const struct sctp_association *asoc, 2116 const sctp_subtype_t type, 2117 void *arg, 2118 sctp_cmd_seq_t *commands) 2119 { 2120 struct sctp_chunk *chunk = arg; 2121 time_t stale; 2122 sctp_cookie_preserve_param_t bht; 2123 sctp_errhdr_t *err; 2124 struct sctp_chunk *reply; 2125 struct sctp_bind_addr *bp; 2126 int attempts = asoc->init_err_counter + 1; 2127 2128 if (attempts > asoc->max_init_attempts) { 2129 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2130 SCTP_ERROR(ETIMEDOUT)); 2131 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2132 SCTP_U32(SCTP_ERROR_STALE_COOKIE)); 2133 return SCTP_DISPOSITION_DELETE_TCB; 2134 } 2135 2136 err = (sctp_errhdr_t *)(chunk->skb->data); 2137 2138 /* When calculating the time extension, an implementation 2139 * SHOULD use the RTT information measured based on the 2140 * previous COOKIE ECHO / ERROR exchange, and should add no 2141 * more than 1 second beyond the measured RTT, due to long 2142 * State Cookie lifetimes making the endpoint more subject to 2143 * a replay attack. 2144 * Measure of Staleness's unit is usec. (1/1000000 sec) 2145 * Suggested Cookie Life-span Increment's unit is msec. 2146 * (1/1000 sec) 2147 * In general, if you use the suggested cookie life, the value 2148 * found in the field of measure of staleness should be doubled 2149 * to give ample time to retransmit the new cookie and thus 2150 * yield a higher probability of success on the reattempt. 2151 */ 2152 stale = ntohl(*(suseconds_t *)((u8 *)err + sizeof(sctp_errhdr_t))); 2153 stale = (stale * 2) / 1000; 2154 2155 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2156 bht.param_hdr.length = htons(sizeof(bht)); 2157 bht.lifespan_increment = htonl(stale); 2158 2159 /* Build that new INIT chunk. */ 2160 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2161 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2162 if (!reply) 2163 goto nomem; 2164 2165 sctp_addto_chunk(reply, sizeof(bht), &bht); 2166 2167 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2168 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2169 2170 /* Stop pending T3-rtx and heartbeat timers */ 2171 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2172 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2173 2174 /* Delete non-primary peer ip addresses since we are transitioning 2175 * back to the COOKIE-WAIT state 2176 */ 2177 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2178 2179 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2180 * resend 2181 */ 2182 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, 2183 SCTP_TRANSPORT(asoc->peer.primary_path)); 2184 2185 /* Cast away the const modifier, as we want to just 2186 * rerun it through as a sideffect. 2187 */ 2188 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2189 2190 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2191 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2192 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2193 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2194 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2195 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2196 2197 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2198 2199 return SCTP_DISPOSITION_CONSUME; 2200 2201 nomem: 2202 return SCTP_DISPOSITION_NOMEM; 2203 } 2204 2205 /* 2206 * Process an ABORT. 2207 * 2208 * Section: 9.1 2209 * After checking the Verification Tag, the receiving endpoint shall 2210 * remove the association from its record, and shall report the 2211 * termination to its upper layer. 2212 * 2213 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2214 * B) Rules for packet carrying ABORT: 2215 * 2216 * - The endpoint shall always fill in the Verification Tag field of the 2217 * outbound packet with the destination endpoint's tag value if it 2218 * is known. 2219 * 2220 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2221 * MUST follow the procedure described in Section 8.4. 2222 * 2223 * - The receiver MUST accept the packet if the Verification Tag 2224 * matches either its own tag, OR the tag of its peer. Otherwise, the 2225 * receiver MUST silently discard the packet and take no further 2226 * action. 2227 * 2228 * Inputs 2229 * (endpoint, asoc, chunk) 2230 * 2231 * Outputs 2232 * (asoc, reply_msg, msg_up, timers, counters) 2233 * 2234 * The return value is the disposition of the chunk. 2235 */ 2236 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2237 const struct sctp_association *asoc, 2238 const sctp_subtype_t type, 2239 void *arg, 2240 sctp_cmd_seq_t *commands) 2241 { 2242 struct sctp_chunk *chunk = arg; 2243 unsigned len; 2244 __u16 error = SCTP_ERROR_NO_ERROR; 2245 2246 if (!sctp_vtag_verify_either(chunk, asoc)) 2247 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2248 2249 /* Make sure that the ABORT chunk has a valid length. 2250 * Since this is an ABORT chunk, we have to discard it 2251 * because of the following text: 2252 * RFC 2960, Section 3.3.7 2253 * If an endpoint receives an ABORT with a format error or for an 2254 * association that doesn't exist, it MUST silently discard it. 2255 * Becasue the length is "invalid", we can't really discard just 2256 * as we do not know its true length. So, to be safe, discard the 2257 * packet. 2258 */ 2259 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2260 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2261 2262 /* See if we have an error cause code in the chunk. */ 2263 len = ntohs(chunk->chunk_hdr->length); 2264 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2265 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2266 2267 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2268 /* ASSOC_FAILED will DELETE_TCB. */ 2269 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_U32(error)); 2270 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2271 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2272 2273 return SCTP_DISPOSITION_ABORT; 2274 } 2275 2276 /* 2277 * Process an ABORT. (COOKIE-WAIT state) 2278 * 2279 * See sctp_sf_do_9_1_abort() above. 2280 */ 2281 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2282 const struct sctp_association *asoc, 2283 const sctp_subtype_t type, 2284 void *arg, 2285 sctp_cmd_seq_t *commands) 2286 { 2287 struct sctp_chunk *chunk = arg; 2288 unsigned len; 2289 __u16 error = SCTP_ERROR_NO_ERROR; 2290 2291 if (!sctp_vtag_verify_either(chunk, asoc)) 2292 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2293 2294 /* Make sure that the ABORT chunk has a valid length. 2295 * Since this is an ABORT chunk, we have to discard it 2296 * because of the following text: 2297 * RFC 2960, Section 3.3.7 2298 * If an endpoint receives an ABORT with a format error or for an 2299 * association that doesn't exist, it MUST silently discard it. 2300 * Becasue the length is "invalid", we can't really discard just 2301 * as we do not know its true length. So, to be safe, discard the 2302 * packet. 2303 */ 2304 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2305 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2306 2307 /* See if we have an error cause code in the chunk. */ 2308 len = ntohs(chunk->chunk_hdr->length); 2309 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2310 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2311 2312 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2313 chunk->transport); 2314 } 2315 2316 /* 2317 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2318 */ 2319 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2320 const struct sctp_association *asoc, 2321 const sctp_subtype_t type, 2322 void *arg, 2323 sctp_cmd_seq_t *commands) 2324 { 2325 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2326 ENOPROTOOPT, asoc, 2327 (struct sctp_transport *)arg); 2328 } 2329 2330 /* 2331 * Process an ABORT. (COOKIE-ECHOED state) 2332 */ 2333 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2334 const struct sctp_association *asoc, 2335 const sctp_subtype_t type, 2336 void *arg, 2337 sctp_cmd_seq_t *commands) 2338 { 2339 /* There is a single T1 timer, so we should be able to use 2340 * common function with the COOKIE-WAIT state. 2341 */ 2342 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2343 } 2344 2345 /* 2346 * Stop T1 timer and abort association with "INIT failed". 2347 * 2348 * This is common code called by several sctp_sf_*_abort() functions above. 2349 */ 2350 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2351 __u16 error, int sk_err, 2352 const struct sctp_association *asoc, 2353 struct sctp_transport *transport) 2354 { 2355 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2356 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2357 SCTP_STATE(SCTP_STATE_CLOSED)); 2358 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2359 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2360 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2361 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2362 /* CMD_INIT_FAILED will DELETE_TCB. */ 2363 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2364 SCTP_U32(error)); 2365 return SCTP_DISPOSITION_ABORT; 2366 } 2367 2368 /* 2369 * sctp_sf_do_9_2_shut 2370 * 2371 * Section: 9.2 2372 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2373 * - enter the SHUTDOWN-RECEIVED state, 2374 * 2375 * - stop accepting new data from its SCTP user 2376 * 2377 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2378 * that all its outstanding DATA chunks have been received by the 2379 * SHUTDOWN sender. 2380 * 2381 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2382 * send a SHUTDOWN in response to a ULP request. And should discard 2383 * subsequent SHUTDOWN chunks. 2384 * 2385 * If there are still outstanding DATA chunks left, the SHUTDOWN 2386 * receiver shall continue to follow normal data transmission 2387 * procedures defined in Section 6 until all outstanding DATA chunks 2388 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2389 * new data from its SCTP user. 2390 * 2391 * Verification Tag: 8.5 Verification Tag [Normal verification] 2392 * 2393 * Inputs 2394 * (endpoint, asoc, chunk) 2395 * 2396 * Outputs 2397 * (asoc, reply_msg, msg_up, timers, counters) 2398 * 2399 * The return value is the disposition of the chunk. 2400 */ 2401 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2402 const struct sctp_association *asoc, 2403 const sctp_subtype_t type, 2404 void *arg, 2405 sctp_cmd_seq_t *commands) 2406 { 2407 struct sctp_chunk *chunk = arg; 2408 sctp_shutdownhdr_t *sdh; 2409 sctp_disposition_t disposition; 2410 struct sctp_ulpevent *ev; 2411 2412 if (!sctp_vtag_verify(chunk, asoc)) 2413 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2414 2415 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2416 if (!sctp_chunk_length_valid(chunk, 2417 sizeof(struct sctp_shutdown_chunk_t))) 2418 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2419 commands); 2420 2421 /* Convert the elaborate header. */ 2422 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2423 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2424 chunk->subh.shutdown_hdr = sdh; 2425 2426 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2427 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2428 * inform the application that it should cease sending data. 2429 */ 2430 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2431 if (!ev) { 2432 disposition = SCTP_DISPOSITION_NOMEM; 2433 goto out; 2434 } 2435 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2436 2437 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2438 * - enter the SHUTDOWN-RECEIVED state, 2439 * - stop accepting new data from its SCTP user 2440 * 2441 * [This is implicit in the new state.] 2442 */ 2443 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2444 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2445 disposition = SCTP_DISPOSITION_CONSUME; 2446 2447 if (sctp_outq_is_empty(&asoc->outqueue)) { 2448 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2449 arg, commands); 2450 } 2451 2452 if (SCTP_DISPOSITION_NOMEM == disposition) 2453 goto out; 2454 2455 /* - verify, by checking the Cumulative TSN Ack field of the 2456 * chunk, that all its outstanding DATA chunks have been 2457 * received by the SHUTDOWN sender. 2458 */ 2459 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2460 SCTP_U32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2461 2462 out: 2463 return disposition; 2464 } 2465 2466 /* RFC 2960 9.2 2467 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2468 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2469 * transport addresses (either in the IP addresses or in the INIT chunk) 2470 * that belong to this association, it should discard the INIT chunk and 2471 * retransmit the SHUTDOWN ACK chunk. 2472 */ 2473 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2474 const struct sctp_association *asoc, 2475 const sctp_subtype_t type, 2476 void *arg, 2477 sctp_cmd_seq_t *commands) 2478 { 2479 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2480 struct sctp_chunk *reply; 2481 2482 /* Since we are not going to really process this INIT, there 2483 * is no point in verifying chunk boundries. Just generate 2484 * the SHUTDOWN ACK. 2485 */ 2486 reply = sctp_make_shutdown_ack(asoc, chunk); 2487 if (NULL == reply) 2488 goto nomem; 2489 2490 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2491 * the T2-SHUTDOWN timer. 2492 */ 2493 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2494 2495 /* and restart the T2-shutdown timer. */ 2496 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2497 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2498 2499 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2500 2501 return SCTP_DISPOSITION_CONSUME; 2502 nomem: 2503 return SCTP_DISPOSITION_NOMEM; 2504 } 2505 2506 /* 2507 * sctp_sf_do_ecn_cwr 2508 * 2509 * Section: Appendix A: Explicit Congestion Notification 2510 * 2511 * CWR: 2512 * 2513 * RFC 2481 details a specific bit for a sender to send in the header of 2514 * its next outbound TCP segment to indicate to its peer that it has 2515 * reduced its congestion window. This is termed the CWR bit. For 2516 * SCTP the same indication is made by including the CWR chunk. 2517 * This chunk contains one data element, i.e. the TSN number that 2518 * was sent in the ECNE chunk. This element represents the lowest 2519 * TSN number in the datagram that was originally marked with the 2520 * CE bit. 2521 * 2522 * Verification Tag: 8.5 Verification Tag [Normal verification] 2523 * Inputs 2524 * (endpoint, asoc, chunk) 2525 * 2526 * Outputs 2527 * (asoc, reply_msg, msg_up, timers, counters) 2528 * 2529 * The return value is the disposition of the chunk. 2530 */ 2531 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2532 const struct sctp_association *asoc, 2533 const sctp_subtype_t type, 2534 void *arg, 2535 sctp_cmd_seq_t *commands) 2536 { 2537 sctp_cwrhdr_t *cwr; 2538 struct sctp_chunk *chunk = arg; 2539 2540 if (!sctp_vtag_verify(chunk, asoc)) 2541 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2542 2543 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2544 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2545 commands); 2546 2547 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2548 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2549 2550 cwr->lowest_tsn = ntohl(cwr->lowest_tsn); 2551 2552 /* Does this CWR ack the last sent congestion notification? */ 2553 if (TSN_lte(asoc->last_ecne_tsn, cwr->lowest_tsn)) { 2554 /* Stop sending ECNE. */ 2555 sctp_add_cmd_sf(commands, 2556 SCTP_CMD_ECN_CWR, 2557 SCTP_U32(cwr->lowest_tsn)); 2558 } 2559 return SCTP_DISPOSITION_CONSUME; 2560 } 2561 2562 /* 2563 * sctp_sf_do_ecne 2564 * 2565 * Section: Appendix A: Explicit Congestion Notification 2566 * 2567 * ECN-Echo 2568 * 2569 * RFC 2481 details a specific bit for a receiver to send back in its 2570 * TCP acknowledgements to notify the sender of the Congestion 2571 * Experienced (CE) bit having arrived from the network. For SCTP this 2572 * same indication is made by including the ECNE chunk. This chunk 2573 * contains one data element, i.e. the lowest TSN associated with the IP 2574 * datagram marked with the CE bit..... 2575 * 2576 * Verification Tag: 8.5 Verification Tag [Normal verification] 2577 * Inputs 2578 * (endpoint, asoc, chunk) 2579 * 2580 * Outputs 2581 * (asoc, reply_msg, msg_up, timers, counters) 2582 * 2583 * The return value is the disposition of the chunk. 2584 */ 2585 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2586 const struct sctp_association *asoc, 2587 const sctp_subtype_t type, 2588 void *arg, 2589 sctp_cmd_seq_t *commands) 2590 { 2591 sctp_ecnehdr_t *ecne; 2592 struct sctp_chunk *chunk = arg; 2593 2594 if (!sctp_vtag_verify(chunk, asoc)) 2595 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2596 2597 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2598 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2599 commands); 2600 2601 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2602 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2603 2604 /* If this is a newer ECNE than the last CWR packet we sent out */ 2605 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2606 SCTP_U32(ntohl(ecne->lowest_tsn))); 2607 2608 return SCTP_DISPOSITION_CONSUME; 2609 } 2610 2611 /* 2612 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2613 * 2614 * The SCTP endpoint MUST always acknowledge the reception of each valid 2615 * DATA chunk. 2616 * 2617 * The guidelines on delayed acknowledgement algorithm specified in 2618 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2619 * acknowledgement SHOULD be generated for at least every second packet 2620 * (not every second DATA chunk) received, and SHOULD be generated within 2621 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2622 * situations it may be beneficial for an SCTP transmitter to be more 2623 * conservative than the algorithms detailed in this document allow. 2624 * However, an SCTP transmitter MUST NOT be more aggressive than the 2625 * following algorithms allow. 2626 * 2627 * A SCTP receiver MUST NOT generate more than one SACK for every 2628 * incoming packet, other than to update the offered window as the 2629 * receiving application consumes new data. 2630 * 2631 * Verification Tag: 8.5 Verification Tag [Normal verification] 2632 * 2633 * Inputs 2634 * (endpoint, asoc, chunk) 2635 * 2636 * Outputs 2637 * (asoc, reply_msg, msg_up, timers, counters) 2638 * 2639 * The return value is the disposition of the chunk. 2640 */ 2641 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2642 const struct sctp_association *asoc, 2643 const sctp_subtype_t type, 2644 void *arg, 2645 sctp_cmd_seq_t *commands) 2646 { 2647 struct sctp_chunk *chunk = arg; 2648 int error; 2649 2650 if (!sctp_vtag_verify(chunk, asoc)) { 2651 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2652 SCTP_NULL()); 2653 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2654 } 2655 2656 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2657 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2658 commands); 2659 2660 error = sctp_eat_data(asoc, chunk, commands ); 2661 switch (error) { 2662 case SCTP_IERROR_NO_ERROR: 2663 break; 2664 case SCTP_IERROR_HIGH_TSN: 2665 case SCTP_IERROR_BAD_STREAM: 2666 goto discard_noforce; 2667 case SCTP_IERROR_DUP_TSN: 2668 case SCTP_IERROR_IGNORE_TSN: 2669 goto discard_force; 2670 case SCTP_IERROR_NO_DATA: 2671 goto consume; 2672 default: 2673 BUG(); 2674 } 2675 2676 if (asoc->autoclose) { 2677 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2678 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2679 } 2680 2681 /* If this is the last chunk in a packet, we need to count it 2682 * toward sack generation. Note that we need to SACK every 2683 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2684 * THEM. We elect to NOT generate SACK's if the chunk fails 2685 * the verification tag test. 2686 * 2687 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2688 * 2689 * The SCTP endpoint MUST always acknowledge the reception of 2690 * each valid DATA chunk. 2691 * 2692 * The guidelines on delayed acknowledgement algorithm 2693 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2694 * Specifically, an acknowledgement SHOULD be generated for at 2695 * least every second packet (not every second DATA chunk) 2696 * received, and SHOULD be generated within 200 ms of the 2697 * arrival of any unacknowledged DATA chunk. In some 2698 * situations it may be beneficial for an SCTP transmitter to 2699 * be more conservative than the algorithms detailed in this 2700 * document allow. However, an SCTP transmitter MUST NOT be 2701 * more aggressive than the following algorithms allow. 2702 */ 2703 if (chunk->end_of_packet) 2704 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2705 2706 return SCTP_DISPOSITION_CONSUME; 2707 2708 discard_force: 2709 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2710 * 2711 * When a packet arrives with duplicate DATA chunk(s) and with 2712 * no new DATA chunk(s), the endpoint MUST immediately send a 2713 * SACK with no delay. If a packet arrives with duplicate 2714 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2715 * MAY immediately send a SACK. Normally receipt of duplicate 2716 * DATA chunks will occur when the original SACK chunk was lost 2717 * and the peer's RTO has expired. The duplicate TSN number(s) 2718 * SHOULD be reported in the SACK as duplicate. 2719 */ 2720 /* In our case, we split the MAY SACK advice up whether or not 2721 * the last chunk is a duplicate.' 2722 */ 2723 if (chunk->end_of_packet) 2724 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2725 return SCTP_DISPOSITION_DISCARD; 2726 2727 discard_noforce: 2728 if (chunk->end_of_packet) 2729 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2730 2731 return SCTP_DISPOSITION_DISCARD; 2732 consume: 2733 return SCTP_DISPOSITION_CONSUME; 2734 2735 } 2736 2737 /* 2738 * sctp_sf_eat_data_fast_4_4 2739 * 2740 * Section: 4 (4) 2741 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2742 * DATA chunks without delay. 2743 * 2744 * Verification Tag: 8.5 Verification Tag [Normal verification] 2745 * Inputs 2746 * (endpoint, asoc, chunk) 2747 * 2748 * Outputs 2749 * (asoc, reply_msg, msg_up, timers, counters) 2750 * 2751 * The return value is the disposition of the chunk. 2752 */ 2753 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2754 const struct sctp_association *asoc, 2755 const sctp_subtype_t type, 2756 void *arg, 2757 sctp_cmd_seq_t *commands) 2758 { 2759 struct sctp_chunk *chunk = arg; 2760 int error; 2761 2762 if (!sctp_vtag_verify(chunk, asoc)) { 2763 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2764 SCTP_NULL()); 2765 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2766 } 2767 2768 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2769 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2770 commands); 2771 2772 error = sctp_eat_data(asoc, chunk, commands ); 2773 switch (error) { 2774 case SCTP_IERROR_NO_ERROR: 2775 case SCTP_IERROR_HIGH_TSN: 2776 case SCTP_IERROR_DUP_TSN: 2777 case SCTP_IERROR_IGNORE_TSN: 2778 case SCTP_IERROR_BAD_STREAM: 2779 break; 2780 case SCTP_IERROR_NO_DATA: 2781 goto consume; 2782 default: 2783 BUG(); 2784 } 2785 2786 /* Go a head and force a SACK, since we are shutting down. */ 2787 2788 /* Implementor's Guide. 2789 * 2790 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2791 * respond to each received packet containing one or more DATA chunk(s) 2792 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2793 */ 2794 if (chunk->end_of_packet) { 2795 /* We must delay the chunk creation since the cumulative 2796 * TSN has not been updated yet. 2797 */ 2798 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2799 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2800 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2801 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2802 } 2803 2804 consume: 2805 return SCTP_DISPOSITION_CONSUME; 2806 } 2807 2808 /* 2809 * Section: 6.2 Processing a Received SACK 2810 * D) Any time a SACK arrives, the endpoint performs the following: 2811 * 2812 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2813 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2814 * increasing, a SACK whose Cumulative TSN Ack is less than the 2815 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2816 * 2817 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2818 * of bytes still outstanding after processing the Cumulative TSN Ack 2819 * and the Gap Ack Blocks. 2820 * 2821 * iii) If the SACK is missing a TSN that was previously 2822 * acknowledged via a Gap Ack Block (e.g., the data receiver 2823 * reneged on the data), then mark the corresponding DATA chunk 2824 * as available for retransmit: Mark it as missing for fast 2825 * retransmit as described in Section 7.2.4 and if no retransmit 2826 * timer is running for the destination address to which the DATA 2827 * chunk was originally transmitted, then T3-rtx is started for 2828 * that destination address. 2829 * 2830 * Verification Tag: 8.5 Verification Tag [Normal verification] 2831 * 2832 * Inputs 2833 * (endpoint, asoc, chunk) 2834 * 2835 * Outputs 2836 * (asoc, reply_msg, msg_up, timers, counters) 2837 * 2838 * The return value is the disposition of the chunk. 2839 */ 2840 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2841 const struct sctp_association *asoc, 2842 const sctp_subtype_t type, 2843 void *arg, 2844 sctp_cmd_seq_t *commands) 2845 { 2846 struct sctp_chunk *chunk = arg; 2847 sctp_sackhdr_t *sackh; 2848 __u32 ctsn; 2849 2850 if (!sctp_vtag_verify(chunk, asoc)) 2851 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2852 2853 /* Make sure that the SACK chunk has a valid length. */ 2854 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 2855 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2856 commands); 2857 2858 /* Pull the SACK chunk from the data buffer */ 2859 sackh = sctp_sm_pull_sack(chunk); 2860 /* Was this a bogus SACK? */ 2861 if (!sackh) 2862 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2863 chunk->subh.sack_hdr = sackh; 2864 ctsn = ntohl(sackh->cum_tsn_ack); 2865 2866 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 2867 * Ack Point, then drop the SACK. Since Cumulative TSN 2868 * Ack is monotonically increasing, a SACK whose 2869 * Cumulative TSN Ack is less than the Cumulative TSN Ack 2870 * Point indicates an out-of-order SACK. 2871 */ 2872 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2873 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2874 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2875 return SCTP_DISPOSITION_DISCARD; 2876 } 2877 2878 /* Return this SACK for further processing. */ 2879 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 2880 2881 /* Note: We do the rest of the work on the PROCESS_SACK 2882 * sideeffect. 2883 */ 2884 return SCTP_DISPOSITION_CONSUME; 2885 } 2886 2887 /* 2888 * Generate an ABORT in response to a packet. 2889 * 2890 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 2891 * 2892 * 8) The receiver should respond to the sender of the OOTB packet with 2893 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 2894 * MUST fill in the Verification Tag field of the outbound packet 2895 * with the value found in the Verification Tag field of the OOTB 2896 * packet and set the T-bit in the Chunk Flags to indicate that the 2897 * Verification Tag is reflected. After sending this ABORT, the 2898 * receiver of the OOTB packet shall discard the OOTB packet and take 2899 * no further action. 2900 * 2901 * Verification Tag: 2902 * 2903 * The return value is the disposition of the chunk. 2904 */ 2905 sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 2906 const struct sctp_association *asoc, 2907 const sctp_subtype_t type, 2908 void *arg, 2909 sctp_cmd_seq_t *commands) 2910 { 2911 struct sctp_packet *packet = NULL; 2912 struct sctp_chunk *chunk = arg; 2913 struct sctp_chunk *abort; 2914 2915 packet = sctp_ootb_pkt_new(asoc, chunk); 2916 2917 if (packet) { 2918 /* Make an ABORT. The T bit will be set if the asoc 2919 * is NULL. 2920 */ 2921 abort = sctp_make_abort(asoc, chunk, 0); 2922 if (!abort) { 2923 sctp_ootb_pkt_free(packet); 2924 return SCTP_DISPOSITION_NOMEM; 2925 } 2926 2927 /* Reflect vtag if T-Bit is set */ 2928 if (sctp_test_T_bit(abort)) 2929 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 2930 2931 /* Set the skb to the belonging sock for accounting. */ 2932 abort->skb->sk = ep->base.sk; 2933 2934 sctp_packet_append_chunk(packet, abort); 2935 2936 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 2937 SCTP_PACKET(packet)); 2938 2939 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 2940 2941 return SCTP_DISPOSITION_CONSUME; 2942 } 2943 2944 return SCTP_DISPOSITION_NOMEM; 2945 } 2946 2947 /* 2948 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 2949 * event as ULP notification for each cause included in the chunk. 2950 * 2951 * API 5.3.1.3 - SCTP_REMOTE_ERROR 2952 * 2953 * The return value is the disposition of the chunk. 2954 */ 2955 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 2956 const struct sctp_association *asoc, 2957 const sctp_subtype_t type, 2958 void *arg, 2959 sctp_cmd_seq_t *commands) 2960 { 2961 struct sctp_chunk *chunk = arg; 2962 struct sctp_ulpevent *ev; 2963 2964 if (!sctp_vtag_verify(chunk, asoc)) 2965 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2966 2967 /* Make sure that the ERROR chunk has a valid length. */ 2968 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2969 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2970 commands); 2971 2972 while (chunk->chunk_end > chunk->skb->data) { 2973 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 2974 GFP_ATOMIC); 2975 if (!ev) 2976 goto nomem; 2977 2978 if (!sctp_add_cmd(commands, SCTP_CMD_EVENT_ULP, 2979 SCTP_ULPEVENT(ev))) { 2980 sctp_ulpevent_free(ev); 2981 goto nomem; 2982 } 2983 2984 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 2985 SCTP_CHUNK(chunk)); 2986 } 2987 return SCTP_DISPOSITION_CONSUME; 2988 2989 nomem: 2990 return SCTP_DISPOSITION_NOMEM; 2991 } 2992 2993 /* 2994 * Process an inbound SHUTDOWN ACK. 2995 * 2996 * From Section 9.2: 2997 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 2998 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 2999 * peer, and remove all record of the association. 3000 * 3001 * The return value is the disposition. 3002 */ 3003 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 3004 const struct sctp_association *asoc, 3005 const sctp_subtype_t type, 3006 void *arg, 3007 sctp_cmd_seq_t *commands) 3008 { 3009 struct sctp_chunk *chunk = arg; 3010 struct sctp_chunk *reply; 3011 struct sctp_ulpevent *ev; 3012 3013 if (!sctp_vtag_verify(chunk, asoc)) 3014 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3015 3016 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3017 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3018 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3019 commands); 3020 3021 /* 10.2 H) SHUTDOWN COMPLETE notification 3022 * 3023 * When SCTP completes the shutdown procedures (section 9.2) this 3024 * notification is passed to the upper layer. 3025 */ 3026 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3027 0, 0, 0, GFP_ATOMIC); 3028 if (!ev) 3029 goto nomem; 3030 3031 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3032 3033 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3034 * stop the T2-shutdown timer, 3035 */ 3036 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3037 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3038 3039 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3040 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3041 3042 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3043 reply = sctp_make_shutdown_complete(asoc, chunk); 3044 if (!reply) 3045 goto nomem; 3046 3047 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3048 SCTP_STATE(SCTP_STATE_CLOSED)); 3049 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3050 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3051 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3052 3053 /* ...and remove all record of the association. */ 3054 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3055 return SCTP_DISPOSITION_DELETE_TCB; 3056 3057 nomem: 3058 return SCTP_DISPOSITION_NOMEM; 3059 } 3060 3061 /* 3062 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3063 * 3064 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3065 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3066 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3067 * packet must fill in the Verification Tag field of the outbound 3068 * packet with the Verification Tag received in the SHUTDOWN ACK and 3069 * set the T-bit in the Chunk Flags to indicate that the Verification 3070 * Tag is reflected. 3071 * 3072 * 8) The receiver should respond to the sender of the OOTB packet with 3073 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3074 * MUST fill in the Verification Tag field of the outbound packet 3075 * with the value found in the Verification Tag field of the OOTB 3076 * packet and set the T-bit in the Chunk Flags to indicate that the 3077 * Verification Tag is reflected. After sending this ABORT, the 3078 * receiver of the OOTB packet shall discard the OOTB packet and take 3079 * no further action. 3080 */ 3081 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3082 const struct sctp_association *asoc, 3083 const sctp_subtype_t type, 3084 void *arg, 3085 sctp_cmd_seq_t *commands) 3086 { 3087 struct sctp_chunk *chunk = arg; 3088 struct sk_buff *skb = chunk->skb; 3089 sctp_chunkhdr_t *ch; 3090 __u8 *ch_end; 3091 int ootb_shut_ack = 0; 3092 3093 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3094 3095 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3096 do { 3097 /* Break out if chunk length is less then minimal. */ 3098 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3099 break; 3100 3101 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3102 if (ch_end > skb->tail) 3103 break; 3104 3105 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3106 ootb_shut_ack = 1; 3107 3108 /* RFC 2960, Section 3.3.7 3109 * Moreover, under any circumstances, an endpoint that 3110 * receives an ABORT MUST NOT respond to that ABORT by 3111 * sending an ABORT of its own. 3112 */ 3113 if (SCTP_CID_ABORT == ch->type) 3114 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3115 3116 ch = (sctp_chunkhdr_t *) ch_end; 3117 } while (ch_end < skb->tail); 3118 3119 if (ootb_shut_ack) 3120 sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3121 else 3122 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3123 3124 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3125 } 3126 3127 /* 3128 * Handle an "Out of the blue" SHUTDOWN ACK. 3129 * 3130 * Section: 8.4 5, sctpimpguide 2.41. 3131 * 3132 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3133 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3134 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3135 * packet must fill in the Verification Tag field of the outbound 3136 * packet with the Verification Tag received in the SHUTDOWN ACK and 3137 * set the T-bit in the Chunk Flags to indicate that the Verification 3138 * Tag is reflected. 3139 * 3140 * Inputs 3141 * (endpoint, asoc, type, arg, commands) 3142 * 3143 * Outputs 3144 * (sctp_disposition_t) 3145 * 3146 * The return value is the disposition of the chunk. 3147 */ 3148 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3149 const struct sctp_association *asoc, 3150 const sctp_subtype_t type, 3151 void *arg, 3152 sctp_cmd_seq_t *commands) 3153 { 3154 struct sctp_packet *packet = NULL; 3155 struct sctp_chunk *chunk = arg; 3156 struct sctp_chunk *shut; 3157 3158 packet = sctp_ootb_pkt_new(asoc, chunk); 3159 3160 if (packet) { 3161 /* Make an SHUTDOWN_COMPLETE. 3162 * The T bit will be set if the asoc is NULL. 3163 */ 3164 shut = sctp_make_shutdown_complete(asoc, chunk); 3165 if (!shut) { 3166 sctp_ootb_pkt_free(packet); 3167 return SCTP_DISPOSITION_NOMEM; 3168 } 3169 3170 /* Reflect vtag if T-Bit is set */ 3171 if (sctp_test_T_bit(shut)) 3172 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3173 3174 /* Set the skb to the belonging sock for accounting. */ 3175 shut->skb->sk = ep->base.sk; 3176 3177 sctp_packet_append_chunk(packet, shut); 3178 3179 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3180 SCTP_PACKET(packet)); 3181 3182 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3183 3184 /* If the chunk length is invalid, we don't want to process 3185 * the reset of the packet. 3186 */ 3187 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3188 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3189 3190 return SCTP_DISPOSITION_CONSUME; 3191 } 3192 3193 return SCTP_DISPOSITION_NOMEM; 3194 } 3195 3196 /* 3197 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3198 * 3199 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3200 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3201 * procedures in section 8.4 SHOULD be followed, in other words it 3202 * should be treated as an Out Of The Blue packet. 3203 * [This means that we do NOT check the Verification Tag on these 3204 * chunks. --piggy ] 3205 * 3206 */ 3207 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3208 const struct sctp_association *asoc, 3209 const sctp_subtype_t type, 3210 void *arg, 3211 sctp_cmd_seq_t *commands) 3212 { 3213 /* Although we do have an association in this case, it corresponds 3214 * to a restarted association. So the packet is treated as an OOTB 3215 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3216 * called with a NULL association. 3217 */ 3218 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3219 } 3220 3221 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3222 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3223 const struct sctp_association *asoc, 3224 const sctp_subtype_t type, void *arg, 3225 sctp_cmd_seq_t *commands) 3226 { 3227 struct sctp_chunk *chunk = arg; 3228 struct sctp_chunk *asconf_ack = NULL; 3229 sctp_addiphdr_t *hdr; 3230 __u32 serial; 3231 3232 if (!sctp_vtag_verify(chunk, asoc)) { 3233 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3234 SCTP_NULL()); 3235 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3236 } 3237 3238 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3239 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3240 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3241 commands); 3242 3243 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3244 serial = ntohl(hdr->serial); 3245 3246 /* ADDIP 4.2 C1) Compare the value of the serial number to the value 3247 * the endpoint stored in a new association variable 3248 * 'Peer-Serial-Number'. 3249 */ 3250 if (serial == asoc->peer.addip_serial + 1) { 3251 /* ADDIP 4.2 C2) If the value found in the serial number is 3252 * equal to the ('Peer-Serial-Number' + 1), the endpoint MUST 3253 * do V1-V5. 3254 */ 3255 asconf_ack = sctp_process_asconf((struct sctp_association *) 3256 asoc, chunk); 3257 if (!asconf_ack) 3258 return SCTP_DISPOSITION_NOMEM; 3259 } else if (serial == asoc->peer.addip_serial) { 3260 /* ADDIP 4.2 C3) If the value found in the serial number is 3261 * equal to the value stored in the 'Peer-Serial-Number' 3262 * IMPLEMENTATION NOTE: As an optimization a receiver may wish 3263 * to save the last ASCONF-ACK for some predetermined period of 3264 * time and instead of re-processing the ASCONF (with the same 3265 * serial number) it may just re-transmit the ASCONF-ACK. 3266 */ 3267 if (asoc->addip_last_asconf_ack) 3268 asconf_ack = asoc->addip_last_asconf_ack; 3269 else 3270 return SCTP_DISPOSITION_DISCARD; 3271 } else { 3272 /* ADDIP 4.2 C4) Otherwise, the ASCONF Chunk is discarded since 3273 * it must be either a stale packet or from an attacker. 3274 */ 3275 return SCTP_DISPOSITION_DISCARD; 3276 } 3277 3278 /* ADDIP 4.2 C5) In both cases C2 and C3 the ASCONF-ACK MUST be sent 3279 * back to the source address contained in the IP header of the ASCONF 3280 * being responded to. 3281 */ 3282 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3283 3284 return SCTP_DISPOSITION_CONSUME; 3285 } 3286 3287 /* 3288 * ADDIP Section 4.3 General rules for address manipulation 3289 * When building TLV parameters for the ASCONF Chunk that will add or 3290 * delete IP addresses the D0 to D13 rules should be applied: 3291 */ 3292 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3293 const struct sctp_association *asoc, 3294 const sctp_subtype_t type, void *arg, 3295 sctp_cmd_seq_t *commands) 3296 { 3297 struct sctp_chunk *asconf_ack = arg; 3298 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3299 struct sctp_chunk *abort; 3300 sctp_addiphdr_t *addip_hdr; 3301 __u32 sent_serial, rcvd_serial; 3302 3303 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3304 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3305 SCTP_NULL()); 3306 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3307 } 3308 3309 /* Make sure that the ADDIP chunk has a valid length. */ 3310 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3311 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3312 commands); 3313 3314 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3315 rcvd_serial = ntohl(addip_hdr->serial); 3316 3317 if (last_asconf) { 3318 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3319 sent_serial = ntohl(addip_hdr->serial); 3320 } else { 3321 sent_serial = asoc->addip_serial - 1; 3322 } 3323 3324 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3325 * equal to the next serial number to be used but no ASCONF chunk is 3326 * outstanding the endpoint MUST ABORT the association. Note that a 3327 * sequence number is greater than if it is no more than 2^^31-1 3328 * larger than the current sequence number (using serial arithmetic). 3329 */ 3330 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3331 !(asoc->addip_last_asconf)) { 3332 abort = sctp_make_abort(asoc, asconf_ack, 3333 sizeof(sctp_errhdr_t)); 3334 if (abort) { 3335 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, NULL, 0); 3336 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3337 SCTP_CHUNK(abort)); 3338 } 3339 /* We are going to ABORT, so we might as well stop 3340 * processing the rest of the chunks in the packet. 3341 */ 3342 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3343 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3344 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3345 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3346 SCTP_ERROR(ECONNABORTED)); 3347 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3348 SCTP_U32(SCTP_ERROR_ASCONF_ACK)); 3349 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3350 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3351 return SCTP_DISPOSITION_ABORT; 3352 } 3353 3354 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3355 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3356 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3357 3358 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3359 asconf_ack)) 3360 return SCTP_DISPOSITION_CONSUME; 3361 3362 abort = sctp_make_abort(asoc, asconf_ack, 3363 sizeof(sctp_errhdr_t)); 3364 if (abort) { 3365 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, NULL, 0); 3366 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3367 SCTP_CHUNK(abort)); 3368 } 3369 /* We are going to ABORT, so we might as well stop 3370 * processing the rest of the chunks in the packet. 3371 */ 3372 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3373 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3374 SCTP_ERROR(ECONNABORTED)); 3375 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3376 SCTP_U32(SCTP_ERROR_ASCONF_ACK)); 3377 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3378 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3379 return SCTP_DISPOSITION_ABORT; 3380 } 3381 3382 return SCTP_DISPOSITION_DISCARD; 3383 } 3384 3385 /* 3386 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3387 * 3388 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3389 * its cumulative TSN point to the value carried in the FORWARD TSN 3390 * chunk, and then MUST further advance its cumulative TSN point locally 3391 * if possible. 3392 * After the above processing, the data receiver MUST stop reporting any 3393 * missing TSNs earlier than or equal to the new cumulative TSN point. 3394 * 3395 * Verification Tag: 8.5 Verification Tag [Normal verification] 3396 * 3397 * The return value is the disposition of the chunk. 3398 */ 3399 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3400 const struct sctp_association *asoc, 3401 const sctp_subtype_t type, 3402 void *arg, 3403 sctp_cmd_seq_t *commands) 3404 { 3405 struct sctp_chunk *chunk = arg; 3406 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3407 __u16 len; 3408 __u32 tsn; 3409 3410 if (!sctp_vtag_verify(chunk, asoc)) { 3411 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3412 SCTP_NULL()); 3413 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3414 } 3415 3416 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3417 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3418 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3419 commands); 3420 3421 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3422 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3423 len = ntohs(chunk->chunk_hdr->length); 3424 len -= sizeof(struct sctp_chunkhdr); 3425 skb_pull(chunk->skb, len); 3426 3427 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3428 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3429 3430 /* The TSN is too high--silently discard the chunk and count on it 3431 * getting retransmitted later. 3432 */ 3433 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3434 goto discard_noforce; 3435 3436 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3437 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3438 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3439 SCTP_CHUNK(chunk)); 3440 3441 /* Count this as receiving DATA. */ 3442 if (asoc->autoclose) { 3443 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3444 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3445 } 3446 3447 /* FIXME: For now send a SACK, but DATA processing may 3448 * send another. 3449 */ 3450 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3451 3452 return SCTP_DISPOSITION_CONSUME; 3453 3454 discard_noforce: 3455 return SCTP_DISPOSITION_DISCARD; 3456 } 3457 3458 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3459 const struct sctp_endpoint *ep, 3460 const struct sctp_association *asoc, 3461 const sctp_subtype_t type, 3462 void *arg, 3463 sctp_cmd_seq_t *commands) 3464 { 3465 struct sctp_chunk *chunk = arg; 3466 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3467 __u16 len; 3468 __u32 tsn; 3469 3470 if (!sctp_vtag_verify(chunk, asoc)) { 3471 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3472 SCTP_NULL()); 3473 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3474 } 3475 3476 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3477 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3478 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3479 commands); 3480 3481 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3482 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3483 len = ntohs(chunk->chunk_hdr->length); 3484 len -= sizeof(struct sctp_chunkhdr); 3485 skb_pull(chunk->skb, len); 3486 3487 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3488 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3489 3490 /* The TSN is too high--silently discard the chunk and count on it 3491 * getting retransmitted later. 3492 */ 3493 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3494 goto gen_shutdown; 3495 3496 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3497 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3498 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3499 SCTP_CHUNK(chunk)); 3500 3501 /* Go a head and force a SACK, since we are shutting down. */ 3502 gen_shutdown: 3503 /* Implementor's Guide. 3504 * 3505 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3506 * respond to each received packet containing one or more DATA chunk(s) 3507 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3508 */ 3509 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3510 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3511 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3512 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3513 3514 return SCTP_DISPOSITION_CONSUME; 3515 } 3516 3517 /* 3518 * Process an unknown chunk. 3519 * 3520 * Section: 3.2. Also, 2.1 in the implementor's guide. 3521 * 3522 * Chunk Types are encoded such that the highest-order two bits specify 3523 * the action that must be taken if the processing endpoint does not 3524 * recognize the Chunk Type. 3525 * 3526 * 00 - Stop processing this SCTP packet and discard it, do not process 3527 * any further chunks within it. 3528 * 3529 * 01 - Stop processing this SCTP packet and discard it, do not process 3530 * any further chunks within it, and report the unrecognized 3531 * chunk in an 'Unrecognized Chunk Type'. 3532 * 3533 * 10 - Skip this chunk and continue processing. 3534 * 3535 * 11 - Skip this chunk and continue processing, but report in an ERROR 3536 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3537 * 3538 * The return value is the disposition of the chunk. 3539 */ 3540 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3541 const struct sctp_association *asoc, 3542 const sctp_subtype_t type, 3543 void *arg, 3544 sctp_cmd_seq_t *commands) 3545 { 3546 struct sctp_chunk *unk_chunk = arg; 3547 struct sctp_chunk *err_chunk; 3548 sctp_chunkhdr_t *hdr; 3549 3550 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3551 3552 if (!sctp_vtag_verify(unk_chunk, asoc)) 3553 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3554 3555 /* Make sure that the chunk has a valid length. 3556 * Since we don't know the chunk type, we use a general 3557 * chunkhdr structure to make a comparison. 3558 */ 3559 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3560 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3561 commands); 3562 3563 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3564 case SCTP_CID_ACTION_DISCARD: 3565 /* Discard the packet. */ 3566 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3567 break; 3568 case SCTP_CID_ACTION_DISCARD_ERR: 3569 /* Discard the packet. */ 3570 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3571 3572 /* Generate an ERROR chunk as response. */ 3573 hdr = unk_chunk->chunk_hdr; 3574 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3575 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3576 WORD_ROUND(ntohs(hdr->length))); 3577 if (err_chunk) { 3578 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3579 SCTP_CHUNK(err_chunk)); 3580 } 3581 return SCTP_DISPOSITION_CONSUME; 3582 break; 3583 case SCTP_CID_ACTION_SKIP: 3584 /* Skip the chunk. */ 3585 return SCTP_DISPOSITION_DISCARD; 3586 break; 3587 case SCTP_CID_ACTION_SKIP_ERR: 3588 /* Generate an ERROR chunk as response. */ 3589 hdr = unk_chunk->chunk_hdr; 3590 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3591 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3592 WORD_ROUND(ntohs(hdr->length))); 3593 if (err_chunk) { 3594 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3595 SCTP_CHUNK(err_chunk)); 3596 } 3597 /* Skip the chunk. */ 3598 return SCTP_DISPOSITION_CONSUME; 3599 break; 3600 default: 3601 break; 3602 } 3603 3604 return SCTP_DISPOSITION_DISCARD; 3605 } 3606 3607 /* 3608 * Discard the chunk. 3609 * 3610 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 3611 * [Too numerous to mention...] 3612 * Verification Tag: No verification needed. 3613 * Inputs 3614 * (endpoint, asoc, chunk) 3615 * 3616 * Outputs 3617 * (asoc, reply_msg, msg_up, timers, counters) 3618 * 3619 * The return value is the disposition of the chunk. 3620 */ 3621 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 3622 const struct sctp_association *asoc, 3623 const sctp_subtype_t type, 3624 void *arg, 3625 sctp_cmd_seq_t *commands) 3626 { 3627 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 3628 return SCTP_DISPOSITION_DISCARD; 3629 } 3630 3631 /* 3632 * Discard the whole packet. 3633 * 3634 * Section: 8.4 2) 3635 * 3636 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 3637 * silently discard the OOTB packet and take no further action. 3638 * 3639 * Verification Tag: No verification necessary 3640 * 3641 * Inputs 3642 * (endpoint, asoc, chunk) 3643 * 3644 * Outputs 3645 * (asoc, reply_msg, msg_up, timers, counters) 3646 * 3647 * The return value is the disposition of the chunk. 3648 */ 3649 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 3650 const struct sctp_association *asoc, 3651 const sctp_subtype_t type, 3652 void *arg, 3653 sctp_cmd_seq_t *commands) 3654 { 3655 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3656 3657 return SCTP_DISPOSITION_CONSUME; 3658 } 3659 3660 3661 /* 3662 * The other end is violating protocol. 3663 * 3664 * Section: Not specified 3665 * Verification Tag: Not specified 3666 * Inputs 3667 * (endpoint, asoc, chunk) 3668 * 3669 * Outputs 3670 * (asoc, reply_msg, msg_up, timers, counters) 3671 * 3672 * We simply tag the chunk as a violation. The state machine will log 3673 * the violation and continue. 3674 */ 3675 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 3676 const struct sctp_association *asoc, 3677 const sctp_subtype_t type, 3678 void *arg, 3679 sctp_cmd_seq_t *commands) 3680 { 3681 return SCTP_DISPOSITION_VIOLATION; 3682 } 3683 3684 3685 /* 3686 * Handle a protocol violation when the chunk length is invalid. 3687 * "Invalid" length is identified as smaller then the minimal length a 3688 * given chunk can be. For example, a SACK chunk has invalid length 3689 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 3690 * 3691 * We inform the other end by sending an ABORT with a Protocol Violation 3692 * error code. 3693 * 3694 * Section: Not specified 3695 * Verification Tag: Nothing to do 3696 * Inputs 3697 * (endpoint, asoc, chunk) 3698 * 3699 * Outputs 3700 * (reply_msg, msg_up, counters) 3701 * 3702 * Generate an ABORT chunk and terminate the association. 3703 */ 3704 static sctp_disposition_t sctp_sf_violation_chunklen( 3705 const struct sctp_endpoint *ep, 3706 const struct sctp_association *asoc, 3707 const sctp_subtype_t type, 3708 void *arg, 3709 sctp_cmd_seq_t *commands) 3710 { 3711 struct sctp_chunk *chunk = arg; 3712 struct sctp_chunk *abort = NULL; 3713 char err_str[]="The following chunk had invalid length:"; 3714 3715 /* Make the abort chunk. */ 3716 abort = sctp_make_abort_violation(asoc, chunk, err_str, 3717 sizeof(err_str)); 3718 if (!abort) 3719 goto nomem; 3720 3721 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 3722 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3723 3724 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 3725 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3726 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3727 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3728 SCTP_ERROR(ECONNREFUSED)); 3729 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 3730 SCTP_U32(SCTP_ERROR_PROTO_VIOLATION)); 3731 } else { 3732 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3733 SCTP_ERROR(ECONNABORTED)); 3734 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3735 SCTP_U32(SCTP_ERROR_PROTO_VIOLATION)); 3736 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3737 } 3738 3739 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3740 3741 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3742 3743 return SCTP_DISPOSITION_ABORT; 3744 3745 nomem: 3746 return SCTP_DISPOSITION_NOMEM; 3747 } 3748 3749 /*************************************************************************** 3750 * These are the state functions for handling primitive (Section 10) events. 3751 ***************************************************************************/ 3752 /* 3753 * sctp_sf_do_prm_asoc 3754 * 3755 * Section: 10.1 ULP-to-SCTP 3756 * B) Associate 3757 * 3758 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 3759 * outbound stream count) 3760 * -> association id [,destination transport addr list] [,outbound stream 3761 * count] 3762 * 3763 * This primitive allows the upper layer to initiate an association to a 3764 * specific peer endpoint. 3765 * 3766 * The peer endpoint shall be specified by one of the transport addresses 3767 * which defines the endpoint (see Section 1.4). If the local SCTP 3768 * instance has not been initialized, the ASSOCIATE is considered an 3769 * error. 3770 * [This is not relevant for the kernel implementation since we do all 3771 * initialization at boot time. It we hadn't initialized we wouldn't 3772 * get anywhere near this code.] 3773 * 3774 * An association id, which is a local handle to the SCTP association, 3775 * will be returned on successful establishment of the association. If 3776 * SCTP is not able to open an SCTP association with the peer endpoint, 3777 * an error is returned. 3778 * [In the kernel implementation, the struct sctp_association needs to 3779 * be created BEFORE causing this primitive to run.] 3780 * 3781 * Other association parameters may be returned, including the 3782 * complete destination transport addresses of the peer as well as the 3783 * outbound stream count of the local endpoint. One of the transport 3784 * address from the returned destination addresses will be selected by 3785 * the local endpoint as default primary path for sending SCTP packets 3786 * to this peer. The returned "destination transport addr list" can 3787 * be used by the ULP to change the default primary path or to force 3788 * sending a packet to a specific transport address. [All of this 3789 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 3790 * function.] 3791 * 3792 * Mandatory attributes: 3793 * 3794 * o local SCTP instance name - obtained from the INITIALIZE operation. 3795 * [This is the argument asoc.] 3796 * o destination transport addr - specified as one of the transport 3797 * addresses of the peer endpoint with which the association is to be 3798 * established. 3799 * [This is asoc->peer.active_path.] 3800 * o outbound stream count - the number of outbound streams the ULP 3801 * would like to open towards this peer endpoint. 3802 * [BUG: This is not currently implemented.] 3803 * Optional attributes: 3804 * 3805 * None. 3806 * 3807 * The return value is a disposition. 3808 */ 3809 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 3810 const struct sctp_association *asoc, 3811 const sctp_subtype_t type, 3812 void *arg, 3813 sctp_cmd_seq_t *commands) 3814 { 3815 struct sctp_chunk *repl; 3816 3817 /* The comment below says that we enter COOKIE-WAIT AFTER 3818 * sending the INIT, but that doesn't actually work in our 3819 * implementation... 3820 */ 3821 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3822 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 3823 3824 /* RFC 2960 5.1 Normal Establishment of an Association 3825 * 3826 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 3827 * must provide its Verification Tag (Tag_A) in the Initiate 3828 * Tag field. Tag_A SHOULD be a random number in the range of 3829 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 3830 */ 3831 3832 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 3833 if (!repl) 3834 goto nomem; 3835 3836 /* Cast away the const modifier, as we want to just 3837 * rerun it through as a sideffect. 3838 */ 3839 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, 3840 SCTP_ASOC((struct sctp_association *) asoc)); 3841 3842 /* Choose transport for INIT. */ 3843 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 3844 SCTP_CHUNK(repl)); 3845 3846 /* After sending the INIT, "A" starts the T1-init timer and 3847 * enters the COOKIE-WAIT state. 3848 */ 3849 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3850 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3851 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 3852 return SCTP_DISPOSITION_CONSUME; 3853 3854 nomem: 3855 return SCTP_DISPOSITION_NOMEM; 3856 } 3857 3858 /* 3859 * Process the SEND primitive. 3860 * 3861 * Section: 10.1 ULP-to-SCTP 3862 * E) Send 3863 * 3864 * Format: SEND(association id, buffer address, byte count [,context] 3865 * [,stream id] [,life time] [,destination transport address] 3866 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 3867 * -> result 3868 * 3869 * This is the main method to send user data via SCTP. 3870 * 3871 * Mandatory attributes: 3872 * 3873 * o association id - local handle to the SCTP association 3874 * 3875 * o buffer address - the location where the user message to be 3876 * transmitted is stored; 3877 * 3878 * o byte count - The size of the user data in number of bytes; 3879 * 3880 * Optional attributes: 3881 * 3882 * o context - an optional 32 bit integer that will be carried in the 3883 * sending failure notification to the ULP if the transportation of 3884 * this User Message fails. 3885 * 3886 * o stream id - to indicate which stream to send the data on. If not 3887 * specified, stream 0 will be used. 3888 * 3889 * o life time - specifies the life time of the user data. The user data 3890 * will not be sent by SCTP after the life time expires. This 3891 * parameter can be used to avoid efforts to transmit stale 3892 * user messages. SCTP notifies the ULP if the data cannot be 3893 * initiated to transport (i.e. sent to the destination via SCTP's 3894 * send primitive) within the life time variable. However, the 3895 * user data will be transmitted if SCTP has attempted to transmit a 3896 * chunk before the life time expired. 3897 * 3898 * o destination transport address - specified as one of the destination 3899 * transport addresses of the peer endpoint to which this packet 3900 * should be sent. Whenever possible, SCTP should use this destination 3901 * transport address for sending the packets, instead of the current 3902 * primary path. 3903 * 3904 * o unorder flag - this flag, if present, indicates that the user 3905 * would like the data delivered in an unordered fashion to the peer 3906 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 3907 * message). 3908 * 3909 * o no-bundle flag - instructs SCTP not to bundle this user data with 3910 * other outbound DATA chunks. SCTP MAY still bundle even when 3911 * this flag is present, when faced with network congestion. 3912 * 3913 * o payload protocol-id - A 32 bit unsigned integer that is to be 3914 * passed to the peer indicating the type of payload protocol data 3915 * being transmitted. This value is passed as opaque data by SCTP. 3916 * 3917 * The return value is the disposition. 3918 */ 3919 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 3920 const struct sctp_association *asoc, 3921 const sctp_subtype_t type, 3922 void *arg, 3923 sctp_cmd_seq_t *commands) 3924 { 3925 struct sctp_chunk *chunk = arg; 3926 3927 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 3928 return SCTP_DISPOSITION_CONSUME; 3929 } 3930 3931 /* 3932 * Process the SHUTDOWN primitive. 3933 * 3934 * Section: 10.1: 3935 * C) Shutdown 3936 * 3937 * Format: SHUTDOWN(association id) 3938 * -> result 3939 * 3940 * Gracefully closes an association. Any locally queued user data 3941 * will be delivered to the peer. The association will be terminated only 3942 * after the peer acknowledges all the SCTP packets sent. A success code 3943 * will be returned on successful termination of the association. If 3944 * attempting to terminate the association results in a failure, an error 3945 * code shall be returned. 3946 * 3947 * Mandatory attributes: 3948 * 3949 * o association id - local handle to the SCTP association 3950 * 3951 * Optional attributes: 3952 * 3953 * None. 3954 * 3955 * The return value is the disposition. 3956 */ 3957 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 3958 const struct sctp_endpoint *ep, 3959 const struct sctp_association *asoc, 3960 const sctp_subtype_t type, 3961 void *arg, 3962 sctp_cmd_seq_t *commands) 3963 { 3964 int disposition; 3965 3966 /* From 9.2 Shutdown of an Association 3967 * Upon receipt of the SHUTDOWN primitive from its upper 3968 * layer, the endpoint enters SHUTDOWN-PENDING state and 3969 * remains there until all outstanding data has been 3970 * acknowledged by its peer. The endpoint accepts no new data 3971 * from its upper layer, but retransmits data to the far end 3972 * if necessary to fill gaps. 3973 */ 3974 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3975 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 3976 3977 /* sctpimpguide-05 Section 2.12.2 3978 * The sender of the SHUTDOWN MAY also start an overall guard timer 3979 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 3980 */ 3981 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3982 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3983 3984 disposition = SCTP_DISPOSITION_CONSUME; 3985 if (sctp_outq_is_empty(&asoc->outqueue)) { 3986 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 3987 arg, commands); 3988 } 3989 return disposition; 3990 } 3991 3992 /* 3993 * Process the ABORT primitive. 3994 * 3995 * Section: 10.1: 3996 * C) Abort 3997 * 3998 * Format: Abort(association id [, cause code]) 3999 * -> result 4000 * 4001 * Ungracefully closes an association. Any locally queued user data 4002 * will be discarded and an ABORT chunk is sent to the peer. A success code 4003 * will be returned on successful abortion of the association. If 4004 * attempting to abort the association results in a failure, an error 4005 * code shall be returned. 4006 * 4007 * Mandatory attributes: 4008 * 4009 * o association id - local handle to the SCTP association 4010 * 4011 * Optional attributes: 4012 * 4013 * o cause code - reason of the abort to be passed to the peer 4014 * 4015 * None. 4016 * 4017 * The return value is the disposition. 4018 */ 4019 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4020 const struct sctp_endpoint *ep, 4021 const struct sctp_association *asoc, 4022 const sctp_subtype_t type, 4023 void *arg, 4024 sctp_cmd_seq_t *commands) 4025 { 4026 /* From 9.1 Abort of an Association 4027 * Upon receipt of the ABORT primitive from its upper 4028 * layer, the endpoint enters CLOSED state and 4029 * discard all outstanding data has been 4030 * acknowledged by its peer. The endpoint accepts no new data 4031 * from its upper layer, but retransmits data to the far end 4032 * if necessary to fill gaps. 4033 */ 4034 struct sctp_chunk *abort = arg; 4035 sctp_disposition_t retval; 4036 4037 retval = SCTP_DISPOSITION_CONSUME; 4038 4039 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4040 4041 /* Even if we can't send the ABORT due to low memory delete the 4042 * TCB. This is a departure from our typical NOMEM handling. 4043 */ 4044 4045 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4046 SCTP_ERROR(ECONNABORTED)); 4047 /* Delete the established association. */ 4048 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4049 SCTP_U32(SCTP_ERROR_USER_ABORT)); 4050 4051 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4052 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4053 4054 return retval; 4055 } 4056 4057 /* We tried an illegal operation on an association which is closed. */ 4058 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4059 const struct sctp_association *asoc, 4060 const sctp_subtype_t type, 4061 void *arg, 4062 sctp_cmd_seq_t *commands) 4063 { 4064 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4065 return SCTP_DISPOSITION_CONSUME; 4066 } 4067 4068 /* We tried an illegal operation on an association which is shutting 4069 * down. 4070 */ 4071 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4072 const struct sctp_association *asoc, 4073 const sctp_subtype_t type, 4074 void *arg, 4075 sctp_cmd_seq_t *commands) 4076 { 4077 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4078 SCTP_ERROR(-ESHUTDOWN)); 4079 return SCTP_DISPOSITION_CONSUME; 4080 } 4081 4082 /* 4083 * sctp_cookie_wait_prm_shutdown 4084 * 4085 * Section: 4 Note: 2 4086 * Verification Tag: 4087 * Inputs 4088 * (endpoint, asoc) 4089 * 4090 * The RFC does not explicitly address this issue, but is the route through the 4091 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4092 * 4093 * Outputs 4094 * (timers) 4095 */ 4096 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4097 const struct sctp_endpoint *ep, 4098 const struct sctp_association *asoc, 4099 const sctp_subtype_t type, 4100 void *arg, 4101 sctp_cmd_seq_t *commands) 4102 { 4103 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4104 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4105 4106 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4107 SCTP_STATE(SCTP_STATE_CLOSED)); 4108 4109 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4110 4111 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4112 4113 return SCTP_DISPOSITION_DELETE_TCB; 4114 } 4115 4116 /* 4117 * sctp_cookie_echoed_prm_shutdown 4118 * 4119 * Section: 4 Note: 2 4120 * Verification Tag: 4121 * Inputs 4122 * (endpoint, asoc) 4123 * 4124 * The RFC does not explcitly address this issue, but is the route through the 4125 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4126 * 4127 * Outputs 4128 * (timers) 4129 */ 4130 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4131 const struct sctp_endpoint *ep, 4132 const struct sctp_association *asoc, 4133 const sctp_subtype_t type, 4134 void *arg, sctp_cmd_seq_t *commands) 4135 { 4136 /* There is a single T1 timer, so we should be able to use 4137 * common function with the COOKIE-WAIT state. 4138 */ 4139 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4140 } 4141 4142 /* 4143 * sctp_sf_cookie_wait_prm_abort 4144 * 4145 * Section: 4 Note: 2 4146 * Verification Tag: 4147 * Inputs 4148 * (endpoint, asoc) 4149 * 4150 * The RFC does not explicitly address this issue, but is the route through the 4151 * state table when someone issues an abort while in COOKIE_WAIT state. 4152 * 4153 * Outputs 4154 * (timers) 4155 */ 4156 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4157 const struct sctp_endpoint *ep, 4158 const struct sctp_association *asoc, 4159 const sctp_subtype_t type, 4160 void *arg, 4161 sctp_cmd_seq_t *commands) 4162 { 4163 struct sctp_chunk *abort = arg; 4164 sctp_disposition_t retval; 4165 4166 /* Stop T1-init timer */ 4167 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4168 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4169 retval = SCTP_DISPOSITION_CONSUME; 4170 4171 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4172 4173 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4174 SCTP_STATE(SCTP_STATE_CLOSED)); 4175 4176 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4177 4178 /* Even if we can't send the ABORT due to low memory delete the 4179 * TCB. This is a departure from our typical NOMEM handling. 4180 */ 4181 4182 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4183 SCTP_ERROR(ECONNREFUSED)); 4184 /* Delete the established association. */ 4185 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4186 SCTP_U32(SCTP_ERROR_USER_ABORT)); 4187 4188 return retval; 4189 } 4190 4191 /* 4192 * sctp_sf_cookie_echoed_prm_abort 4193 * 4194 * Section: 4 Note: 3 4195 * Verification Tag: 4196 * Inputs 4197 * (endpoint, asoc) 4198 * 4199 * The RFC does not explcitly address this issue, but is the route through the 4200 * state table when someone issues an abort while in COOKIE_ECHOED state. 4201 * 4202 * Outputs 4203 * (timers) 4204 */ 4205 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4206 const struct sctp_endpoint *ep, 4207 const struct sctp_association *asoc, 4208 const sctp_subtype_t type, 4209 void *arg, 4210 sctp_cmd_seq_t *commands) 4211 { 4212 /* There is a single T1 timer, so we should be able to use 4213 * common function with the COOKIE-WAIT state. 4214 */ 4215 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4216 } 4217 4218 /* 4219 * sctp_sf_shutdown_pending_prm_abort 4220 * 4221 * Inputs 4222 * (endpoint, asoc) 4223 * 4224 * The RFC does not explicitly address this issue, but is the route through the 4225 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4226 * 4227 * Outputs 4228 * (timers) 4229 */ 4230 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4231 const struct sctp_endpoint *ep, 4232 const struct sctp_association *asoc, 4233 const sctp_subtype_t type, 4234 void *arg, 4235 sctp_cmd_seq_t *commands) 4236 { 4237 /* Stop the T5-shutdown guard timer. */ 4238 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4239 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4240 4241 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4242 } 4243 4244 /* 4245 * sctp_sf_shutdown_sent_prm_abort 4246 * 4247 * Inputs 4248 * (endpoint, asoc) 4249 * 4250 * The RFC does not explicitly address this issue, but is the route through the 4251 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4252 * 4253 * Outputs 4254 * (timers) 4255 */ 4256 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4257 const struct sctp_endpoint *ep, 4258 const struct sctp_association *asoc, 4259 const sctp_subtype_t type, 4260 void *arg, 4261 sctp_cmd_seq_t *commands) 4262 { 4263 /* Stop the T2-shutdown timer. */ 4264 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4265 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4266 4267 /* Stop the T5-shutdown guard timer. */ 4268 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4269 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4270 4271 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4272 } 4273 4274 /* 4275 * sctp_sf_cookie_echoed_prm_abort 4276 * 4277 * Inputs 4278 * (endpoint, asoc) 4279 * 4280 * The RFC does not explcitly address this issue, but is the route through the 4281 * state table when someone issues an abort while in COOKIE_ECHOED state. 4282 * 4283 * Outputs 4284 * (timers) 4285 */ 4286 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4287 const struct sctp_endpoint *ep, 4288 const struct sctp_association *asoc, 4289 const sctp_subtype_t type, 4290 void *arg, 4291 sctp_cmd_seq_t *commands) 4292 { 4293 /* The same T2 timer, so we should be able to use 4294 * common function with the SHUTDOWN-SENT state. 4295 */ 4296 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4297 } 4298 4299 /* 4300 * Process the REQUESTHEARTBEAT primitive 4301 * 4302 * 10.1 ULP-to-SCTP 4303 * J) Request Heartbeat 4304 * 4305 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4306 * 4307 * -> result 4308 * 4309 * Instructs the local endpoint to perform a HeartBeat on the specified 4310 * destination transport address of the given association. The returned 4311 * result should indicate whether the transmission of the HEARTBEAT 4312 * chunk to the destination address is successful. 4313 * 4314 * Mandatory attributes: 4315 * 4316 * o association id - local handle to the SCTP association 4317 * 4318 * o destination transport address - the transport address of the 4319 * association on which a heartbeat should be issued. 4320 */ 4321 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4322 const struct sctp_endpoint *ep, 4323 const struct sctp_association *asoc, 4324 const sctp_subtype_t type, 4325 void *arg, 4326 sctp_cmd_seq_t *commands) 4327 { 4328 return sctp_sf_heartbeat(ep, asoc, type, (struct sctp_transport *)arg, 4329 commands); 4330 } 4331 4332 /* 4333 * ADDIP Section 4.1 ASCONF Chunk Procedures 4334 * When an endpoint has an ASCONF signaled change to be sent to the 4335 * remote endpoint it should do A1 to A9 4336 */ 4337 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4338 const struct sctp_association *asoc, 4339 const sctp_subtype_t type, 4340 void *arg, 4341 sctp_cmd_seq_t *commands) 4342 { 4343 struct sctp_chunk *chunk = arg; 4344 4345 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4346 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4347 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4348 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4349 return SCTP_DISPOSITION_CONSUME; 4350 } 4351 4352 /* 4353 * Ignore the primitive event 4354 * 4355 * The return value is the disposition of the primitive. 4356 */ 4357 sctp_disposition_t sctp_sf_ignore_primitive( 4358 const struct sctp_endpoint *ep, 4359 const struct sctp_association *asoc, 4360 const sctp_subtype_t type, 4361 void *arg, 4362 sctp_cmd_seq_t *commands) 4363 { 4364 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4365 return SCTP_DISPOSITION_DISCARD; 4366 } 4367 4368 /*************************************************************************** 4369 * These are the state functions for the OTHER events. 4370 ***************************************************************************/ 4371 4372 /* 4373 * Start the shutdown negotiation. 4374 * 4375 * From Section 9.2: 4376 * Once all its outstanding data has been acknowledged, the endpoint 4377 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4378 * TSN Ack field the last sequential TSN it has received from the peer. 4379 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4380 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4381 * with the updated last sequential TSN received from its peer. 4382 * 4383 * The return value is the disposition. 4384 */ 4385 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4386 const struct sctp_endpoint *ep, 4387 const struct sctp_association *asoc, 4388 const sctp_subtype_t type, 4389 void *arg, 4390 sctp_cmd_seq_t *commands) 4391 { 4392 struct sctp_chunk *reply; 4393 4394 /* Once all its outstanding data has been acknowledged, the 4395 * endpoint shall send a SHUTDOWN chunk to its peer including 4396 * in the Cumulative TSN Ack field the last sequential TSN it 4397 * has received from the peer. 4398 */ 4399 reply = sctp_make_shutdown(asoc, NULL); 4400 if (!reply) 4401 goto nomem; 4402 4403 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4404 * T2-shutdown timer. 4405 */ 4406 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4407 4408 /* It shall then start the T2-shutdown timer */ 4409 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4410 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4411 4412 if (asoc->autoclose) 4413 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4414 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4415 4416 /* and enter the SHUTDOWN-SENT state. */ 4417 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4418 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4419 4420 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4421 * 4422 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4423 * or SHUTDOWN-ACK. 4424 */ 4425 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4426 4427 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4428 4429 return SCTP_DISPOSITION_CONSUME; 4430 4431 nomem: 4432 return SCTP_DISPOSITION_NOMEM; 4433 } 4434 4435 /* 4436 * Generate a SHUTDOWN ACK now that everything is SACK'd. 4437 * 4438 * From Section 9.2: 4439 * 4440 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4441 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 4442 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 4443 * endpoint must re-send the SHUTDOWN ACK. 4444 * 4445 * The return value is the disposition. 4446 */ 4447 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 4448 const struct sctp_endpoint *ep, 4449 const struct sctp_association *asoc, 4450 const sctp_subtype_t type, 4451 void *arg, 4452 sctp_cmd_seq_t *commands) 4453 { 4454 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 4455 struct sctp_chunk *reply; 4456 4457 /* There are 2 ways of getting here: 4458 * 1) called in response to a SHUTDOWN chunk 4459 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 4460 * 4461 * For the case (2), the arg parameter is set to NULL. We need 4462 * to check that we have a chunk before accessing it's fields. 4463 */ 4464 if (chunk) { 4465 if (!sctp_vtag_verify(chunk, asoc)) 4466 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4467 4468 /* Make sure that the SHUTDOWN chunk has a valid length. */ 4469 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 4470 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4471 commands); 4472 } 4473 4474 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4475 * shall send a SHUTDOWN ACK ... 4476 */ 4477 reply = sctp_make_shutdown_ack(asoc, chunk); 4478 if (!reply) 4479 goto nomem; 4480 4481 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 4482 * the T2-shutdown timer. 4483 */ 4484 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4485 4486 /* and start/restart a T2-shutdown timer of its own, */ 4487 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4488 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4489 4490 if (asoc->autoclose) 4491 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4492 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4493 4494 /* Enter the SHUTDOWN-ACK-SENT state. */ 4495 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4496 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 4497 4498 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4499 * 4500 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4501 * or SHUTDOWN-ACK. 4502 */ 4503 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4504 4505 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4506 4507 return SCTP_DISPOSITION_CONSUME; 4508 4509 nomem: 4510 return SCTP_DISPOSITION_NOMEM; 4511 } 4512 4513 /* 4514 * Ignore the event defined as other 4515 * 4516 * The return value is the disposition of the event. 4517 */ 4518 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 4519 const struct sctp_association *asoc, 4520 const sctp_subtype_t type, 4521 void *arg, 4522 sctp_cmd_seq_t *commands) 4523 { 4524 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 4525 return SCTP_DISPOSITION_DISCARD; 4526 } 4527 4528 /************************************************************ 4529 * These are the state functions for handling timeout events. 4530 ************************************************************/ 4531 4532 /* 4533 * RTX Timeout 4534 * 4535 * Section: 6.3.3 Handle T3-rtx Expiration 4536 * 4537 * Whenever the retransmission timer T3-rtx expires for a destination 4538 * address, do the following: 4539 * [See below] 4540 * 4541 * The return value is the disposition of the chunk. 4542 */ 4543 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 4544 const struct sctp_association *asoc, 4545 const sctp_subtype_t type, 4546 void *arg, 4547 sctp_cmd_seq_t *commands) 4548 { 4549 struct sctp_transport *transport = arg; 4550 4551 if (asoc->overall_error_count >= asoc->max_retrans) { 4552 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4553 SCTP_ERROR(ETIMEDOUT)); 4554 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4555 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4556 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4557 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4558 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4559 return SCTP_DISPOSITION_DELETE_TCB; 4560 } 4561 4562 /* E1) For the destination address for which the timer 4563 * expires, adjust its ssthresh with rules defined in Section 4564 * 7.2.3 and set the cwnd <- MTU. 4565 */ 4566 4567 /* E2) For the destination address for which the timer 4568 * expires, set RTO <- RTO * 2 ("back off the timer"). The 4569 * maximum value discussed in rule C7 above (RTO.max) may be 4570 * used to provide an upper bound to this doubling operation. 4571 */ 4572 4573 /* E3) Determine how many of the earliest (i.e., lowest TSN) 4574 * outstanding DATA chunks for the address for which the 4575 * T3-rtx has expired will fit into a single packet, subject 4576 * to the MTU constraint for the path corresponding to the 4577 * destination transport address to which the retransmission 4578 * is being sent (this may be different from the address for 4579 * which the timer expires [see Section 6.4]). Call this 4580 * value K. Bundle and retransmit those K DATA chunks in a 4581 * single packet to the destination endpoint. 4582 * 4583 * Note: Any DATA chunks that were sent to the address for 4584 * which the T3-rtx timer expired but did not fit in one MTU 4585 * (rule E3 above), should be marked for retransmission and 4586 * sent as soon as cwnd allows (normally when a SACK arrives). 4587 */ 4588 4589 /* NB: Rules E4 and F1 are implicit in R1. */ 4590 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 4591 4592 /* Do some failure management (Section 8.2). */ 4593 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4594 4595 return SCTP_DISPOSITION_CONSUME; 4596 } 4597 4598 /* 4599 * Generate delayed SACK on timeout 4600 * 4601 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 4602 * 4603 * The guidelines on delayed acknowledgement algorithm specified in 4604 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 4605 * acknowledgement SHOULD be generated for at least every second packet 4606 * (not every second DATA chunk) received, and SHOULD be generated 4607 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 4608 * some situations it may be beneficial for an SCTP transmitter to be 4609 * more conservative than the algorithms detailed in this document 4610 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 4611 * the following algorithms allow. 4612 */ 4613 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 4614 const struct sctp_association *asoc, 4615 const sctp_subtype_t type, 4616 void *arg, 4617 sctp_cmd_seq_t *commands) 4618 { 4619 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4620 return SCTP_DISPOSITION_CONSUME; 4621 } 4622 4623 /* 4624 * sctp_sf_t1_init_timer_expire 4625 * 4626 * Section: 4 Note: 2 4627 * Verification Tag: 4628 * Inputs 4629 * (endpoint, asoc) 4630 * 4631 * RFC 2960 Section 4 Notes 4632 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 4633 * and re-start the T1-init timer without changing state. This MUST 4634 * be repeated up to 'Max.Init.Retransmits' times. After that, the 4635 * endpoint MUST abort the initialization process and report the 4636 * error to SCTP user. 4637 * 4638 * Outputs 4639 * (timers, events) 4640 * 4641 */ 4642 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 4643 const struct sctp_association *asoc, 4644 const sctp_subtype_t type, 4645 void *arg, 4646 sctp_cmd_seq_t *commands) 4647 { 4648 struct sctp_chunk *repl = NULL; 4649 struct sctp_bind_addr *bp; 4650 int attempts = asoc->init_err_counter + 1; 4651 4652 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 4653 4654 if (attempts <= asoc->max_init_attempts) { 4655 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 4656 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 4657 if (!repl) 4658 return SCTP_DISPOSITION_NOMEM; 4659 4660 /* Choose transport for INIT. */ 4661 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4662 SCTP_CHUNK(repl)); 4663 4664 /* Issue a sideeffect to do the needed accounting. */ 4665 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 4666 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4667 4668 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4669 } else { 4670 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 4671 " max_init_attempts: %d\n", 4672 attempts, asoc->max_init_attempts); 4673 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4674 SCTP_ERROR(ETIMEDOUT)); 4675 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4676 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4677 return SCTP_DISPOSITION_DELETE_TCB; 4678 } 4679 4680 return SCTP_DISPOSITION_CONSUME; 4681 } 4682 4683 /* 4684 * sctp_sf_t1_cookie_timer_expire 4685 * 4686 * Section: 4 Note: 2 4687 * Verification Tag: 4688 * Inputs 4689 * (endpoint, asoc) 4690 * 4691 * RFC 2960 Section 4 Notes 4692 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 4693 * COOKIE ECHO and re-start the T1-cookie timer without changing 4694 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 4695 * After that, the endpoint MUST abort the initialization process and 4696 * report the error to SCTP user. 4697 * 4698 * Outputs 4699 * (timers, events) 4700 * 4701 */ 4702 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 4703 const struct sctp_association *asoc, 4704 const sctp_subtype_t type, 4705 void *arg, 4706 sctp_cmd_seq_t *commands) 4707 { 4708 struct sctp_chunk *repl = NULL; 4709 int attempts = asoc->init_err_counter + 1; 4710 4711 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 4712 4713 if (attempts <= asoc->max_init_attempts) { 4714 repl = sctp_make_cookie_echo(asoc, NULL); 4715 if (!repl) 4716 return SCTP_DISPOSITION_NOMEM; 4717 4718 /* Issue a sideeffect to do the needed accounting. */ 4719 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 4720 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 4721 4722 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4723 } else { 4724 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4725 SCTP_ERROR(ETIMEDOUT)); 4726 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4727 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4728 return SCTP_DISPOSITION_DELETE_TCB; 4729 } 4730 4731 return SCTP_DISPOSITION_CONSUME; 4732 } 4733 4734 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 4735 * with the updated last sequential TSN received from its peer. 4736 * 4737 * An endpoint should limit the number of retransmissions of the 4738 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 4739 * If this threshold is exceeded the endpoint should destroy the TCB and 4740 * MUST report the peer endpoint unreachable to the upper layer (and 4741 * thus the association enters the CLOSED state). The reception of any 4742 * packet from its peer (i.e. as the peer sends all of its queued DATA 4743 * chunks) should clear the endpoint's retransmission count and restart 4744 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 4745 * all of its queued DATA chunks that have not yet been sent. 4746 */ 4747 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 4748 const struct sctp_association *asoc, 4749 const sctp_subtype_t type, 4750 void *arg, 4751 sctp_cmd_seq_t *commands) 4752 { 4753 struct sctp_chunk *reply = NULL; 4754 4755 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 4756 if (asoc->overall_error_count >= asoc->max_retrans) { 4757 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4758 SCTP_ERROR(ETIMEDOUT)); 4759 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4760 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4761 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4762 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4763 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4764 return SCTP_DISPOSITION_DELETE_TCB; 4765 } 4766 4767 switch (asoc->state) { 4768 case SCTP_STATE_SHUTDOWN_SENT: 4769 reply = sctp_make_shutdown(asoc, NULL); 4770 break; 4771 4772 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4773 reply = sctp_make_shutdown_ack(asoc, NULL); 4774 break; 4775 4776 default: 4777 BUG(); 4778 break; 4779 }; 4780 4781 if (!reply) 4782 goto nomem; 4783 4784 /* Do some failure management (Section 8.2). */ 4785 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 4786 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 4787 4788 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 4789 * the T2-shutdown timer. 4790 */ 4791 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4792 4793 /* Restart the T2-shutdown timer. */ 4794 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4795 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4796 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4797 return SCTP_DISPOSITION_CONSUME; 4798 4799 nomem: 4800 return SCTP_DISPOSITION_NOMEM; 4801 } 4802 4803 /* 4804 * ADDIP Section 4.1 ASCONF CHunk Procedures 4805 * If the T4 RTO timer expires the endpoint should do B1 to B5 4806 */ 4807 sctp_disposition_t sctp_sf_t4_timer_expire( 4808 const struct sctp_endpoint *ep, 4809 const struct sctp_association *asoc, 4810 const sctp_subtype_t type, 4811 void *arg, 4812 sctp_cmd_seq_t *commands) 4813 { 4814 struct sctp_chunk *chunk = asoc->addip_last_asconf; 4815 struct sctp_transport *transport = chunk->transport; 4816 4817 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 4818 * detection on the appropriate destination address as defined in 4819 * RFC2960 [5] section 8.1 and 8.2. 4820 */ 4821 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4822 4823 /* Reconfig T4 timer and transport. */ 4824 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4825 4826 /* ADDIP 4.1 B2) Increment the association error counters and perform 4827 * endpoint failure detection on the association as defined in 4828 * RFC2960 [5] section 8.1 and 8.2. 4829 * association error counter is incremented in SCTP_CMD_STRIKE. 4830 */ 4831 if (asoc->overall_error_count >= asoc->max_retrans) { 4832 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4833 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4834 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4835 SCTP_ERROR(ETIMEDOUT)); 4836 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4837 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4838 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4839 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 4840 return SCTP_DISPOSITION_ABORT; 4841 } 4842 4843 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 4844 * the ASCONF chunk was sent by doubling the RTO timer value. 4845 * This is done in SCTP_CMD_STRIKE. 4846 */ 4847 4848 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 4849 * choose an alternate destination address (please refer to RFC2960 4850 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 4851 * chunk, it MUST be the same (including its serial number) as the last 4852 * ASCONF sent. 4853 */ 4854 sctp_chunk_hold(asoc->addip_last_asconf); 4855 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4856 SCTP_CHUNK(asoc->addip_last_asconf)); 4857 4858 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 4859 * destination is selected, then the RTO used will be that of the new 4860 * destination address. 4861 */ 4862 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4863 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4864 4865 return SCTP_DISPOSITION_CONSUME; 4866 } 4867 4868 /* sctpimpguide-05 Section 2.12.2 4869 * The sender of the SHUTDOWN MAY also start an overall guard timer 4870 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4871 * At the expiration of this timer the sender SHOULD abort the association 4872 * by sending an ABORT chunk. 4873 */ 4874 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 4875 const struct sctp_association *asoc, 4876 const sctp_subtype_t type, 4877 void *arg, 4878 sctp_cmd_seq_t *commands) 4879 { 4880 struct sctp_chunk *reply = NULL; 4881 4882 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 4883 4884 reply = sctp_make_abort(asoc, NULL, 0); 4885 if (!reply) 4886 goto nomem; 4887 4888 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4889 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4890 SCTP_ERROR(ETIMEDOUT)); 4891 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4892 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4893 4894 return SCTP_DISPOSITION_DELETE_TCB; 4895 nomem: 4896 return SCTP_DISPOSITION_NOMEM; 4897 } 4898 4899 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 4900 * the association is automatically closed by starting the shutdown process. 4901 * The work that needs to be done is same as when SHUTDOWN is initiated by 4902 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 4903 */ 4904 sctp_disposition_t sctp_sf_autoclose_timer_expire( 4905 const struct sctp_endpoint *ep, 4906 const struct sctp_association *asoc, 4907 const sctp_subtype_t type, 4908 void *arg, 4909 sctp_cmd_seq_t *commands) 4910 { 4911 int disposition; 4912 4913 /* From 9.2 Shutdown of an Association 4914 * Upon receipt of the SHUTDOWN primitive from its upper 4915 * layer, the endpoint enters SHUTDOWN-PENDING state and 4916 * remains there until all outstanding data has been 4917 * acknowledged by its peer. The endpoint accepts no new data 4918 * from its upper layer, but retransmits data to the far end 4919 * if necessary to fill gaps. 4920 */ 4921 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4922 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4923 4924 /* sctpimpguide-05 Section 2.12.2 4925 * The sender of the SHUTDOWN MAY also start an overall guard timer 4926 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4927 */ 4928 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4929 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4930 disposition = SCTP_DISPOSITION_CONSUME; 4931 if (sctp_outq_is_empty(&asoc->outqueue)) { 4932 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4933 arg, commands); 4934 } 4935 return disposition; 4936 } 4937 4938 /***************************************************************************** 4939 * These are sa state functions which could apply to all types of events. 4940 ****************************************************************************/ 4941 4942 /* 4943 * This table entry is not implemented. 4944 * 4945 * Inputs 4946 * (endpoint, asoc, chunk) 4947 * 4948 * The return value is the disposition of the chunk. 4949 */ 4950 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 4951 const struct sctp_association *asoc, 4952 const sctp_subtype_t type, 4953 void *arg, 4954 sctp_cmd_seq_t *commands) 4955 { 4956 return SCTP_DISPOSITION_NOT_IMPL; 4957 } 4958 4959 /* 4960 * This table entry represents a bug. 4961 * 4962 * Inputs 4963 * (endpoint, asoc, chunk) 4964 * 4965 * The return value is the disposition of the chunk. 4966 */ 4967 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 4968 const struct sctp_association *asoc, 4969 const sctp_subtype_t type, 4970 void *arg, 4971 sctp_cmd_seq_t *commands) 4972 { 4973 return SCTP_DISPOSITION_BUG; 4974 } 4975 4976 /* 4977 * This table entry represents the firing of a timer in the wrong state. 4978 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 4979 * when the association is in the wrong state. This event should 4980 * be ignored, so as to prevent any rearming of the timer. 4981 * 4982 * Inputs 4983 * (endpoint, asoc, chunk) 4984 * 4985 * The return value is the disposition of the chunk. 4986 */ 4987 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 4988 const struct sctp_association *asoc, 4989 const sctp_subtype_t type, 4990 void *arg, 4991 sctp_cmd_seq_t *commands) 4992 { 4993 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 4994 return SCTP_DISPOSITION_CONSUME; 4995 } 4996 4997 /******************************************************************** 4998 * 2nd Level Abstractions 4999 ********************************************************************/ 5000 5001 /* Pull the SACK chunk based on the SACK header. */ 5002 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5003 { 5004 struct sctp_sackhdr *sack; 5005 unsigned int len; 5006 __u16 num_blocks; 5007 __u16 num_dup_tsns; 5008 5009 /* Protect ourselves from reading too far into 5010 * the skb from a bogus sender. 5011 */ 5012 sack = (struct sctp_sackhdr *) chunk->skb->data; 5013 5014 num_blocks = ntohs(sack->num_gap_ack_blocks); 5015 num_dup_tsns = ntohs(sack->num_dup_tsns); 5016 len = sizeof(struct sctp_sackhdr); 5017 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5018 if (len > chunk->skb->len) 5019 return NULL; 5020 5021 skb_pull(chunk->skb, len); 5022 5023 return sack; 5024 } 5025 5026 /* Create an ABORT packet to be sent as a response, with the specified 5027 * error causes. 5028 */ 5029 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5030 const struct sctp_association *asoc, 5031 struct sctp_chunk *chunk, 5032 const void *payload, 5033 size_t paylen) 5034 { 5035 struct sctp_packet *packet; 5036 struct sctp_chunk *abort; 5037 5038 packet = sctp_ootb_pkt_new(asoc, chunk); 5039 5040 if (packet) { 5041 /* Make an ABORT. 5042 * The T bit will be set if the asoc is NULL. 5043 */ 5044 abort = sctp_make_abort(asoc, chunk, paylen); 5045 if (!abort) { 5046 sctp_ootb_pkt_free(packet); 5047 return NULL; 5048 } 5049 5050 /* Reflect vtag if T-Bit is set */ 5051 if (sctp_test_T_bit(abort)) 5052 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5053 5054 /* Add specified error causes, i.e., payload, to the 5055 * end of the chunk. 5056 */ 5057 sctp_addto_chunk(abort, paylen, payload); 5058 5059 /* Set the skb to the belonging sock for accounting. */ 5060 abort->skb->sk = ep->base.sk; 5061 5062 sctp_packet_append_chunk(packet, abort); 5063 5064 } 5065 5066 return packet; 5067 } 5068 5069 /* Allocate a packet for responding in the OOTB conditions. */ 5070 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5071 const struct sctp_chunk *chunk) 5072 { 5073 struct sctp_packet *packet; 5074 struct sctp_transport *transport; 5075 __u16 sport; 5076 __u16 dport; 5077 __u32 vtag; 5078 5079 /* Get the source and destination port from the inbound packet. */ 5080 sport = ntohs(chunk->sctp_hdr->dest); 5081 dport = ntohs(chunk->sctp_hdr->source); 5082 5083 /* The V-tag is going to be the same as the inbound packet if no 5084 * association exists, otherwise, use the peer's vtag. 5085 */ 5086 if (asoc) { 5087 vtag = asoc->peer.i.init_tag; 5088 } else { 5089 /* Special case the INIT and stale COOKIE_ECHO as there is no 5090 * vtag yet. 5091 */ 5092 switch(chunk->chunk_hdr->type) { 5093 case SCTP_CID_INIT: 5094 { 5095 sctp_init_chunk_t *init; 5096 5097 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5098 vtag = ntohl(init->init_hdr.init_tag); 5099 break; 5100 } 5101 default: 5102 vtag = ntohl(chunk->sctp_hdr->vtag); 5103 break; 5104 } 5105 } 5106 5107 /* Make a transport for the bucket, Eliza... */ 5108 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5109 if (!transport) 5110 goto nomem; 5111 5112 /* Cache a route for the transport with the chunk's destination as 5113 * the source address. 5114 */ 5115 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5116 sctp_sk(sctp_get_ctl_sock())); 5117 5118 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5119 packet = sctp_packet_config(packet, vtag, 0); 5120 5121 return packet; 5122 5123 nomem: 5124 return NULL; 5125 } 5126 5127 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5128 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5129 { 5130 sctp_transport_free(packet->transport); 5131 } 5132 5133 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5134 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5135 const struct sctp_association *asoc, 5136 const struct sctp_chunk *chunk, 5137 sctp_cmd_seq_t *commands, 5138 struct sctp_chunk *err_chunk) 5139 { 5140 struct sctp_packet *packet; 5141 5142 if (err_chunk) { 5143 packet = sctp_ootb_pkt_new(asoc, chunk); 5144 if (packet) { 5145 struct sctp_signed_cookie *cookie; 5146 5147 /* Override the OOTB vtag from the cookie. */ 5148 cookie = chunk->subh.cookie_hdr; 5149 packet->vtag = cookie->c.peer_vtag; 5150 5151 /* Set the skb to the belonging sock for accounting. */ 5152 err_chunk->skb->sk = ep->base.sk; 5153 sctp_packet_append_chunk(packet, err_chunk); 5154 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5155 SCTP_PACKET(packet)); 5156 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5157 } else 5158 sctp_chunk_free (err_chunk); 5159 } 5160 } 5161 5162 5163 /* Process a data chunk */ 5164 static int sctp_eat_data(const struct sctp_association *asoc, 5165 struct sctp_chunk *chunk, 5166 sctp_cmd_seq_t *commands) 5167 { 5168 sctp_datahdr_t *data_hdr; 5169 struct sctp_chunk *err; 5170 size_t datalen; 5171 sctp_verb_t deliver; 5172 int tmp; 5173 __u32 tsn; 5174 int account_value; 5175 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5176 struct sock *sk = asoc->base.sk; 5177 int rcvbuf_over = 0; 5178 5179 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5180 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5181 5182 tsn = ntohl(data_hdr->tsn); 5183 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5184 5185 /* ASSERT: Now skb->data is really the user data. */ 5186 5187 /* 5188 * If we are established, and we have used up our receive buffer 5189 * memory, think about droping the frame. 5190 * Note that we have an opportunity to improve performance here. 5191 * If we accept one chunk from an skbuff, we have to keep all the 5192 * memory of that skbuff around until the chunk is read into user 5193 * space. Therefore, once we accept 1 chunk we may as well accept all 5194 * remaining chunks in the skbuff. The data_accepted flag helps us do 5195 * that. 5196 */ 5197 if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) { 5198 /* 5199 * If the receive buffer policy is 1, then each 5200 * association can allocate up to sk_rcvbuf bytes 5201 * otherwise, all the associations in aggregate 5202 * may allocate up to sk_rcvbuf bytes 5203 */ 5204 if (asoc->ep->rcvbuf_policy) 5205 account_value = atomic_read(&asoc->rmem_alloc); 5206 else 5207 account_value = atomic_read(&sk->sk_rmem_alloc); 5208 if (account_value > sk->sk_rcvbuf) { 5209 /* 5210 * We need to make forward progress, even when we are 5211 * under memory pressure, so we always allow the 5212 * next tsn after the ctsn ack point to be accepted. 5213 * This lets us avoid deadlocks in which we have to 5214 * drop frames that would otherwise let us drain the 5215 * receive queue. 5216 */ 5217 if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn) 5218 return SCTP_IERROR_IGNORE_TSN; 5219 5220 /* 5221 * We're going to accept the frame but we should renege 5222 * to make space for it. This will send us down that 5223 * path later in this function. 5224 */ 5225 rcvbuf_over = 1; 5226 } 5227 } 5228 5229 /* Process ECN based congestion. 5230 * 5231 * Since the chunk structure is reused for all chunks within 5232 * a packet, we use ecn_ce_done to track if we've already 5233 * done CE processing for this packet. 5234 * 5235 * We need to do ECN processing even if we plan to discard the 5236 * chunk later. 5237 */ 5238 5239 if (!chunk->ecn_ce_done) { 5240 struct sctp_af *af; 5241 chunk->ecn_ce_done = 1; 5242 5243 af = sctp_get_af_specific( 5244 ipver2af(chunk->skb->nh.iph->version)); 5245 5246 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5247 /* Do real work as sideffect. */ 5248 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5249 SCTP_U32(tsn)); 5250 } 5251 } 5252 5253 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5254 if (tmp < 0) { 5255 /* The TSN is too high--silently discard the chunk and 5256 * count on it getting retransmitted later. 5257 */ 5258 return SCTP_IERROR_HIGH_TSN; 5259 } else if (tmp > 0) { 5260 /* This is a duplicate. Record it. */ 5261 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5262 return SCTP_IERROR_DUP_TSN; 5263 } 5264 5265 /* This is a new TSN. */ 5266 5267 /* Discard if there is no room in the receive window. 5268 * Actually, allow a little bit of overflow (up to a MTU). 5269 */ 5270 datalen = ntohs(chunk->chunk_hdr->length); 5271 datalen -= sizeof(sctp_data_chunk_t); 5272 5273 deliver = SCTP_CMD_CHUNK_ULP; 5274 5275 /* Think about partial delivery. */ 5276 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5277 5278 /* Even if we don't accept this chunk there is 5279 * memory pressure. 5280 */ 5281 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5282 } 5283 5284 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5285 * seems a bit troublesome in that frag_point varies based on 5286 * PMTU. In cases, such as loopback, this might be a rather 5287 * large spill over. 5288 * NOTE: If we have a full receive buffer here, we only renege if 5289 * our receiver can still make progress without the tsn being 5290 * received. We do this because in the event that the associations 5291 * receive queue is empty we are filling a leading gap, and since 5292 * reneging moves the gap to the end of the tsn stream, we are likely 5293 * to stall again very shortly. Avoiding the renege when we fill a 5294 * leading gap is a good heuristic for avoiding such steady state 5295 * stalls. 5296 */ 5297 if (!asoc->rwnd || asoc->rwnd_over || 5298 (datalen > asoc->rwnd + asoc->frag_point) || 5299 (rcvbuf_over && (!skb_queue_len(&sk->sk_receive_queue)))) { 5300 5301 /* If this is the next TSN, consider reneging to make 5302 * room. Note: Playing nice with a confused sender. A 5303 * malicious sender can still eat up all our buffer 5304 * space and in the future we may want to detect and 5305 * do more drastic reneging. 5306 */ 5307 if (sctp_tsnmap_has_gap(map) && 5308 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5309 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5310 deliver = SCTP_CMD_RENEGE; 5311 } else { 5312 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5313 "rwnd: %d\n", tsn, datalen, 5314 asoc->rwnd); 5315 return SCTP_IERROR_IGNORE_TSN; 5316 } 5317 } 5318 5319 /* 5320 * Section 3.3.10.9 No User Data (9) 5321 * 5322 * Cause of error 5323 * --------------- 5324 * No User Data: This error cause is returned to the originator of a 5325 * DATA chunk if a received DATA chunk has no user data. 5326 */ 5327 if (unlikely(0 == datalen)) { 5328 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5329 if (err) { 5330 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5331 SCTP_CHUNK(err)); 5332 } 5333 /* We are going to ABORT, so we might as well stop 5334 * processing the rest of the chunks in the packet. 5335 */ 5336 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5337 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5338 SCTP_ERROR(ECONNABORTED)); 5339 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5340 SCTP_U32(SCTP_ERROR_NO_DATA)); 5341 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5342 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5343 return SCTP_IERROR_NO_DATA; 5344 } 5345 5346 /* If definately accepting the DATA chunk, record its TSN, otherwise 5347 * wait for renege processing. 5348 */ 5349 if (SCTP_CMD_CHUNK_ULP == deliver) 5350 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5351 5352 chunk->data_accepted = 1; 5353 5354 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5355 * if we renege and the chunk arrives again. 5356 */ 5357 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5358 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5359 else 5360 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5361 5362 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5363 * 5364 * If an endpoint receive a DATA chunk with an invalid stream 5365 * identifier, it shall acknowledge the reception of the DATA chunk 5366 * following the normal procedure, immediately send an ERROR chunk 5367 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5368 * and discard the DATA chunk. 5369 */ 5370 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5371 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5372 &data_hdr->stream, 5373 sizeof(data_hdr->stream)); 5374 if (err) 5375 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5376 SCTP_CHUNK(err)); 5377 return SCTP_IERROR_BAD_STREAM; 5378 } 5379 5380 /* Send the data up to the user. Note: Schedule the 5381 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5382 * chunk needs the updated rwnd. 5383 */ 5384 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5385 5386 return SCTP_IERROR_NO_ERROR; 5387 } 5388