1 /* SCTP kernel reference Implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This file is part of the SCTP kernel reference Implementation 9 * 10 * This is part of the SCTP Linux Kernel Reference Implementation. 11 * 12 * These are the state functions for the state machine. 13 * 14 * The SCTP reference implementation is free software; 15 * you can redistribute it and/or modify it under the terms of 16 * the GNU General Public License as published by 17 * the Free Software Foundation; either version 2, or (at your option) 18 * any later version. 19 * 20 * The SCTP reference implementation is distributed in the hope that it 21 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 22 * ************************ 23 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 24 * See the GNU General Public License for more details. 25 * 26 * You should have received a copy of the GNU General Public License 27 * along with GNU CC; see the file COPYING. If not, write to 28 * the Free Software Foundation, 59 Temple Place - Suite 330, 29 * Boston, MA 02111-1307, USA. 30 * 31 * Please send any bug reports or fixes you make to the 32 * email address(es): 33 * lksctp developers <lksctp-developers@lists.sourceforge.net> 34 * 35 * Or submit a bug report through the following website: 36 * http://www.sf.net/projects/lksctp 37 * 38 * Written or modified by: 39 * La Monte H.P. Yarroll <piggy@acm.org> 40 * Karl Knutson <karl@athena.chicago.il.us> 41 * Mathew Kotowsky <kotowsky@sctp.org> 42 * Sridhar Samudrala <samudrala@us.ibm.com> 43 * Jon Grimm <jgrimm@us.ibm.com> 44 * Hui Huang <hui.huang@nokia.com> 45 * Dajiang Zhang <dajiang.zhang@nokia.com> 46 * Daisy Chang <daisyc@us.ibm.com> 47 * Ardelle Fan <ardelle.fan@intel.com> 48 * Ryan Layer <rmlayer@us.ibm.com> 49 * Kevin Gao <kevin.gao@intel.com> 50 * 51 * Any bugs reported given to us we will try to fix... any fixes shared will 52 * be incorporated into the next SCTP release. 53 */ 54 55 #include <linux/types.h> 56 #include <linux/kernel.h> 57 #include <linux/ip.h> 58 #include <linux/ipv6.h> 59 #include <linux/net.h> 60 #include <linux/inet.h> 61 #include <net/sock.h> 62 #include <net/inet_ecn.h> 63 #include <linux/skbuff.h> 64 #include <net/sctp/sctp.h> 65 #include <net/sctp/sm.h> 66 #include <net/sctp/structs.h> 67 68 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 69 const struct sctp_association *asoc, 70 struct sctp_chunk *chunk, 71 const void *payload, 72 size_t paylen); 73 static int sctp_eat_data(const struct sctp_association *asoc, 74 struct sctp_chunk *chunk, 75 sctp_cmd_seq_t *commands); 76 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk); 78 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const struct sctp_chunk *chunk, 81 sctp_cmd_seq_t *commands, 82 struct sctp_chunk *err_chunk); 83 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 84 const struct sctp_association *asoc, 85 const sctp_subtype_t type, 86 void *arg, 87 sctp_cmd_seq_t *commands); 88 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 89 const struct sctp_association *asoc, 90 const sctp_subtype_t type, 91 void *arg, 92 sctp_cmd_seq_t *commands); 93 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 94 95 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 96 __u16 error, int sk_err, 97 const struct sctp_association *asoc, 98 struct sctp_transport *transport); 99 100 static sctp_disposition_t sctp_sf_violation_chunklen( 101 const struct sctp_endpoint *ep, 102 const struct sctp_association *asoc, 103 const sctp_subtype_t type, 104 void *arg, 105 sctp_cmd_seq_t *commands); 106 107 /* Small helper function that checks if the chunk length 108 * is of the appropriate length. The 'required_length' argument 109 * is set to be the size of a specific chunk we are testing. 110 * Return Values: 1 = Valid length 111 * 0 = Invalid length 112 * 113 */ 114 static inline int 115 sctp_chunk_length_valid(struct sctp_chunk *chunk, 116 __u16 required_length) 117 { 118 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 119 120 if (unlikely(chunk_length < required_length)) 121 return 0; 122 123 return 1; 124 } 125 126 /********************************************************** 127 * These are the state functions for handling chunk events. 128 **********************************************************/ 129 130 /* 131 * Process the final SHUTDOWN COMPLETE. 132 * 133 * Section: 4 (C) (diagram), 9.2 134 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 135 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 136 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 137 * should stop the T2-shutdown timer and remove all knowledge of the 138 * association (and thus the association enters the CLOSED state). 139 * 140 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 141 * C) Rules for packet carrying SHUTDOWN COMPLETE: 142 * ... 143 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 144 * if the Verification Tag field of the packet matches its own tag and 145 * the T bit is not set 146 * OR 147 * it is set to its peer's tag and the T bit is set in the Chunk 148 * Flags. 149 * Otherwise, the receiver MUST silently discard the packet 150 * and take no further action. An endpoint MUST ignore the 151 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 152 * 153 * Inputs 154 * (endpoint, asoc, chunk) 155 * 156 * Outputs 157 * (asoc, reply_msg, msg_up, timers, counters) 158 * 159 * The return value is the disposition of the chunk. 160 */ 161 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 162 const struct sctp_association *asoc, 163 const sctp_subtype_t type, 164 void *arg, 165 sctp_cmd_seq_t *commands) 166 { 167 struct sctp_chunk *chunk = arg; 168 struct sctp_ulpevent *ev; 169 170 /* RFC 2960 6.10 Bundling 171 * 172 * An endpoint MUST NOT bundle INIT, INIT ACK or 173 * SHUTDOWN COMPLETE with any other chunks. 174 */ 175 if (!chunk->singleton) 176 return SCTP_DISPOSITION_VIOLATION; 177 178 if (!sctp_vtag_verify_either(chunk, asoc)) 179 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 180 181 /* RFC 2960 10.2 SCTP-to-ULP 182 * 183 * H) SHUTDOWN COMPLETE notification 184 * 185 * When SCTP completes the shutdown procedures (section 9.2) this 186 * notification is passed to the upper layer. 187 */ 188 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 189 0, 0, 0, GFP_ATOMIC); 190 if (!ev) 191 goto nomem; 192 193 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 194 195 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 196 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 197 * not the chunk should be discarded. If the endpoint is in 198 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 199 * T2-shutdown timer and remove all knowledge of the 200 * association (and thus the association enters the CLOSED 201 * state). 202 */ 203 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 204 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 205 206 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 207 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 208 209 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 210 SCTP_STATE(SCTP_STATE_CLOSED)); 211 212 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 213 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 214 215 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 216 217 return SCTP_DISPOSITION_DELETE_TCB; 218 219 nomem: 220 return SCTP_DISPOSITION_NOMEM; 221 } 222 223 /* 224 * Respond to a normal INIT chunk. 225 * We are the side that is being asked for an association. 226 * 227 * Section: 5.1 Normal Establishment of an Association, B 228 * B) "Z" shall respond immediately with an INIT ACK chunk. The 229 * destination IP address of the INIT ACK MUST be set to the source 230 * IP address of the INIT to which this INIT ACK is responding. In 231 * the response, besides filling in other parameters, "Z" must set the 232 * Verification Tag field to Tag_A, and also provide its own 233 * Verification Tag (Tag_Z) in the Initiate Tag field. 234 * 235 * Verification Tag: Must be 0. 236 * 237 * Inputs 238 * (endpoint, asoc, chunk) 239 * 240 * Outputs 241 * (asoc, reply_msg, msg_up, timers, counters) 242 * 243 * The return value is the disposition of the chunk. 244 */ 245 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 246 const struct sctp_association *asoc, 247 const sctp_subtype_t type, 248 void *arg, 249 sctp_cmd_seq_t *commands) 250 { 251 struct sctp_chunk *chunk = arg; 252 struct sctp_chunk *repl; 253 struct sctp_association *new_asoc; 254 struct sctp_chunk *err_chunk; 255 struct sctp_packet *packet; 256 sctp_unrecognized_param_t *unk_param; 257 struct sock *sk; 258 int len; 259 260 /* 6.10 Bundling 261 * An endpoint MUST NOT bundle INIT, INIT ACK or 262 * SHUTDOWN COMPLETE with any other chunks. 263 * 264 * IG Section 2.11.2 265 * Furthermore, we require that the receiver of an INIT chunk MUST 266 * enforce these rules by silently discarding an arriving packet 267 * with an INIT chunk that is bundled with other chunks. 268 */ 269 if (!chunk->singleton) 270 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 271 272 /* If the packet is an OOTB packet which is temporarily on the 273 * control endpoint, respond with an ABORT. 274 */ 275 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 276 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 277 278 sk = ep->base.sk; 279 /* If the endpoint is not listening or if the number of associations 280 * on the TCP-style socket exceed the max backlog, respond with an 281 * ABORT. 282 */ 283 if (!sctp_sstate(sk, LISTENING) || 284 (sctp_style(sk, TCP) && 285 sk_acceptq_is_full(sk))) 286 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 287 288 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 289 * Tag. 290 */ 291 if (chunk->sctp_hdr->vtag != 0) 292 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 293 294 /* Make sure that the INIT chunk has a valid length. 295 * Normally, this would cause an ABORT with a Protocol Violation 296 * error, but since we don't have an association, we'll 297 * just discard the packet. 298 */ 299 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 300 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 301 302 /* Verify the INIT chunk before processing it. */ 303 err_chunk = NULL; 304 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 305 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 306 &err_chunk)) { 307 /* This chunk contains fatal error. It is to be discarded. 308 * Send an ABORT, with causes if there is any. 309 */ 310 if (err_chunk) { 311 packet = sctp_abort_pkt_new(ep, asoc, arg, 312 (__u8 *)(err_chunk->chunk_hdr) + 313 sizeof(sctp_chunkhdr_t), 314 ntohs(err_chunk->chunk_hdr->length) - 315 sizeof(sctp_chunkhdr_t)); 316 317 sctp_chunk_free(err_chunk); 318 319 if (packet) { 320 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 321 SCTP_PACKET(packet)); 322 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 323 return SCTP_DISPOSITION_CONSUME; 324 } else { 325 return SCTP_DISPOSITION_NOMEM; 326 } 327 } else { 328 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 329 commands); 330 } 331 } 332 333 /* Grab the INIT header. */ 334 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 335 336 /* Tag the variable length parameters. */ 337 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 338 339 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 340 if (!new_asoc) 341 goto nomem; 342 343 /* The call, sctp_process_init(), can fail on memory allocation. */ 344 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 345 sctp_source(chunk), 346 (sctp_init_chunk_t *)chunk->chunk_hdr, 347 GFP_ATOMIC)) 348 goto nomem_init; 349 350 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 351 352 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 353 354 /* If there are errors need to be reported for unknown parameters, 355 * make sure to reserve enough room in the INIT ACK for them. 356 */ 357 len = 0; 358 if (err_chunk) 359 len = ntohs(err_chunk->chunk_hdr->length) - 360 sizeof(sctp_chunkhdr_t); 361 362 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 363 goto nomem_ack; 364 365 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 366 if (!repl) 367 goto nomem_ack; 368 369 /* If there are errors need to be reported for unknown parameters, 370 * include them in the outgoing INIT ACK as "Unrecognized parameter" 371 * parameter. 372 */ 373 if (err_chunk) { 374 /* Get the "Unrecognized parameter" parameter(s) out of the 375 * ERROR chunk generated by sctp_verify_init(). Since the 376 * error cause code for "unknown parameter" and the 377 * "Unrecognized parameter" type is the same, we can 378 * construct the parameters in INIT ACK by copying the 379 * ERROR causes over. 380 */ 381 unk_param = (sctp_unrecognized_param_t *) 382 ((__u8 *)(err_chunk->chunk_hdr) + 383 sizeof(sctp_chunkhdr_t)); 384 /* Replace the cause code with the "Unrecognized parameter" 385 * parameter type. 386 */ 387 sctp_addto_chunk(repl, len, unk_param); 388 sctp_chunk_free(err_chunk); 389 } 390 391 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 392 393 /* 394 * Note: After sending out INIT ACK with the State Cookie parameter, 395 * "Z" MUST NOT allocate any resources, nor keep any states for the 396 * new association. Otherwise, "Z" will be vulnerable to resource 397 * attacks. 398 */ 399 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 400 401 return SCTP_DISPOSITION_DELETE_TCB; 402 403 nomem_ack: 404 if (err_chunk) 405 sctp_chunk_free(err_chunk); 406 nomem_init: 407 sctp_association_free(new_asoc); 408 nomem: 409 return SCTP_DISPOSITION_NOMEM; 410 } 411 412 /* 413 * Respond to a normal INIT ACK chunk. 414 * We are the side that is initiating the association. 415 * 416 * Section: 5.1 Normal Establishment of an Association, C 417 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 418 * timer and leave COOKIE-WAIT state. "A" shall then send the State 419 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 420 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 421 * 422 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 423 * DATA chunks, but it MUST be the first chunk in the packet and 424 * until the COOKIE ACK is returned the sender MUST NOT send any 425 * other packets to the peer. 426 * 427 * Verification Tag: 3.3.3 428 * If the value of the Initiate Tag in a received INIT ACK chunk is 429 * found to be 0, the receiver MUST treat it as an error and close the 430 * association by transmitting an ABORT. 431 * 432 * Inputs 433 * (endpoint, asoc, chunk) 434 * 435 * Outputs 436 * (asoc, reply_msg, msg_up, timers, counters) 437 * 438 * The return value is the disposition of the chunk. 439 */ 440 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 441 const struct sctp_association *asoc, 442 const sctp_subtype_t type, 443 void *arg, 444 sctp_cmd_seq_t *commands) 445 { 446 struct sctp_chunk *chunk = arg; 447 sctp_init_chunk_t *initchunk; 448 __u32 init_tag; 449 struct sctp_chunk *err_chunk; 450 struct sctp_packet *packet; 451 __u16 error; 452 453 if (!sctp_vtag_verify(chunk, asoc)) 454 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 455 456 /* Make sure that the INIT-ACK chunk has a valid length */ 457 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 458 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 459 commands); 460 /* 6.10 Bundling 461 * An endpoint MUST NOT bundle INIT, INIT ACK or 462 * SHUTDOWN COMPLETE with any other chunks. 463 */ 464 if (!chunk->singleton) 465 return SCTP_DISPOSITION_VIOLATION; 466 467 /* Grab the INIT header. */ 468 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 469 470 init_tag = ntohl(chunk->subh.init_hdr->init_tag); 471 472 /* Verification Tag: 3.3.3 473 * If the value of the Initiate Tag in a received INIT ACK 474 * chunk is found to be 0, the receiver MUST treat it as an 475 * error and close the association by transmitting an ABORT. 476 */ 477 if (!init_tag) { 478 struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0); 479 if (!reply) 480 goto nomem; 481 482 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 483 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_INV_PARAM, 484 ECONNREFUSED, asoc, 485 chunk->transport); 486 } 487 488 /* Verify the INIT chunk before processing it. */ 489 err_chunk = NULL; 490 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 491 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 492 &err_chunk)) { 493 494 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 495 496 /* This chunk contains fatal error. It is to be discarded. 497 * Send an ABORT, with causes if there is any. 498 */ 499 if (err_chunk) { 500 packet = sctp_abort_pkt_new(ep, asoc, arg, 501 (__u8 *)(err_chunk->chunk_hdr) + 502 sizeof(sctp_chunkhdr_t), 503 ntohs(err_chunk->chunk_hdr->length) - 504 sizeof(sctp_chunkhdr_t)); 505 506 sctp_chunk_free(err_chunk); 507 508 if (packet) { 509 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 510 SCTP_PACKET(packet)); 511 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 512 error = SCTP_ERROR_INV_PARAM; 513 } else { 514 error = SCTP_ERROR_NO_RESOURCE; 515 } 516 } else { 517 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 518 error = SCTP_ERROR_INV_PARAM; 519 } 520 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 521 asoc, chunk->transport); 522 } 523 524 /* Tag the variable length parameters. Note that we never 525 * convert the parameters in an INIT chunk. 526 */ 527 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 528 529 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 530 531 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 532 SCTP_PEER_INIT(initchunk)); 533 534 /* Reset init error count upon receipt of INIT-ACK. */ 535 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 536 537 /* 5.1 C) "A" shall stop the T1-init timer and leave 538 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 539 * timer, and enter the COOKIE-ECHOED state. 540 */ 541 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 542 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 543 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 544 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 545 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 546 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 547 548 /* 5.1 C) "A" shall then send the State Cookie received in the 549 * INIT ACK chunk in a COOKIE ECHO chunk, ... 550 */ 551 /* If there is any errors to report, send the ERROR chunk generated 552 * for unknown parameters as well. 553 */ 554 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 555 SCTP_CHUNK(err_chunk)); 556 557 return SCTP_DISPOSITION_CONSUME; 558 559 nomem: 560 return SCTP_DISPOSITION_NOMEM; 561 } 562 563 /* 564 * Respond to a normal COOKIE ECHO chunk. 565 * We are the side that is being asked for an association. 566 * 567 * Section: 5.1 Normal Establishment of an Association, D 568 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 569 * with a COOKIE ACK chunk after building a TCB and moving to 570 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 571 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 572 * chunk MUST be the first chunk in the packet. 573 * 574 * IMPLEMENTATION NOTE: An implementation may choose to send the 575 * Communication Up notification to the SCTP user upon reception 576 * of a valid COOKIE ECHO chunk. 577 * 578 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 579 * D) Rules for packet carrying a COOKIE ECHO 580 * 581 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 582 * Initial Tag received in the INIT ACK. 583 * 584 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 585 * 586 * Inputs 587 * (endpoint, asoc, chunk) 588 * 589 * Outputs 590 * (asoc, reply_msg, msg_up, timers, counters) 591 * 592 * The return value is the disposition of the chunk. 593 */ 594 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 595 const struct sctp_association *asoc, 596 const sctp_subtype_t type, void *arg, 597 sctp_cmd_seq_t *commands) 598 { 599 struct sctp_chunk *chunk = arg; 600 struct sctp_association *new_asoc; 601 sctp_init_chunk_t *peer_init; 602 struct sctp_chunk *repl; 603 struct sctp_ulpevent *ev; 604 int error = 0; 605 struct sctp_chunk *err_chk_p; 606 607 /* If the packet is an OOTB packet which is temporarily on the 608 * control endpoint, respond with an ABORT. 609 */ 610 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 611 return sctp_sf_ootb(ep, asoc, type, arg, commands); 612 613 /* Make sure that the COOKIE_ECHO chunk has a valid length. 614 * In this case, we check that we have enough for at least a 615 * chunk header. More detailed verification is done 616 * in sctp_unpack_cookie(). 617 */ 618 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 619 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 620 621 /* "Decode" the chunk. We have no optional parameters so we 622 * are in good shape. 623 */ 624 chunk->subh.cookie_hdr = 625 (struct sctp_signed_cookie *)chunk->skb->data; 626 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 627 sizeof(sctp_chunkhdr_t))) 628 goto nomem; 629 630 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 631 * "Z" will reply with a COOKIE ACK chunk after building a TCB 632 * and moving to the ESTABLISHED state. 633 */ 634 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 635 &err_chk_p); 636 637 /* FIXME: 638 * If the re-build failed, what is the proper error path 639 * from here? 640 * 641 * [We should abort the association. --piggy] 642 */ 643 if (!new_asoc) { 644 /* FIXME: Several errors are possible. A bad cookie should 645 * be silently discarded, but think about logging it too. 646 */ 647 switch (error) { 648 case -SCTP_IERROR_NOMEM: 649 goto nomem; 650 651 case -SCTP_IERROR_STALE_COOKIE: 652 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 653 err_chk_p); 654 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 655 656 case -SCTP_IERROR_BAD_SIG: 657 default: 658 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 659 }; 660 } 661 662 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 663 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 664 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 665 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 666 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 667 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 668 669 if (new_asoc->autoclose) 670 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 671 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 672 673 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 674 675 /* Re-build the bind address for the association is done in 676 * the sctp_unpack_cookie() already. 677 */ 678 /* This is a brand-new association, so these are not yet side 679 * effects--it is safe to run them here. 680 */ 681 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 682 683 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 684 &chunk->subh.cookie_hdr->c.peer_addr, 685 peer_init, GFP_ATOMIC)) 686 goto nomem_init; 687 688 repl = sctp_make_cookie_ack(new_asoc, chunk); 689 if (!repl) 690 goto nomem_repl; 691 692 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 693 694 /* RFC 2960 5.1 Normal Establishment of an Association 695 * 696 * D) IMPLEMENTATION NOTE: An implementation may choose to 697 * send the Communication Up notification to the SCTP user 698 * upon reception of a valid COOKIE ECHO chunk. 699 */ 700 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 701 new_asoc->c.sinit_num_ostreams, 702 new_asoc->c.sinit_max_instreams, 703 GFP_ATOMIC); 704 if (!ev) 705 goto nomem_ev; 706 707 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 708 709 /* Sockets API Draft Section 5.3.1.6 710 * When a peer sends a Adaption Layer Indication parameter , SCTP 711 * delivers this notification to inform the application that of the 712 * peers requested adaption layer. 713 */ 714 if (new_asoc->peer.adaption_ind) { 715 ev = sctp_ulpevent_make_adaption_indication(new_asoc, 716 GFP_ATOMIC); 717 if (!ev) 718 goto nomem_ev; 719 720 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 721 SCTP_ULPEVENT(ev)); 722 } 723 724 return SCTP_DISPOSITION_CONSUME; 725 726 nomem_ev: 727 sctp_chunk_free(repl); 728 nomem_repl: 729 nomem_init: 730 sctp_association_free(new_asoc); 731 nomem: 732 return SCTP_DISPOSITION_NOMEM; 733 } 734 735 /* 736 * Respond to a normal COOKIE ACK chunk. 737 * We are the side that is being asked for an association. 738 * 739 * RFC 2960 5.1 Normal Establishment of an Association 740 * 741 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 742 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 743 * timer. It may also notify its ULP about the successful 744 * establishment of the association with a Communication Up 745 * notification (see Section 10). 746 * 747 * Verification Tag: 748 * Inputs 749 * (endpoint, asoc, chunk) 750 * 751 * Outputs 752 * (asoc, reply_msg, msg_up, timers, counters) 753 * 754 * The return value is the disposition of the chunk. 755 */ 756 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 757 const struct sctp_association *asoc, 758 const sctp_subtype_t type, void *arg, 759 sctp_cmd_seq_t *commands) 760 { 761 struct sctp_chunk *chunk = arg; 762 struct sctp_ulpevent *ev; 763 764 if (!sctp_vtag_verify(chunk, asoc)) 765 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 766 767 /* Verify that the chunk length for the COOKIE-ACK is OK. 768 * If we don't do this, any bundled chunks may be junked. 769 */ 770 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 771 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 772 commands); 773 774 /* Reset init error count upon receipt of COOKIE-ACK, 775 * to avoid problems with the managemement of this 776 * counter in stale cookie situations when a transition back 777 * from the COOKIE-ECHOED state to the COOKIE-WAIT 778 * state is performed. 779 */ 780 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 781 782 /* RFC 2960 5.1 Normal Establishment of an Association 783 * 784 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 785 * from the COOKIE-ECHOED state to the ESTABLISHED state, 786 * stopping the T1-cookie timer. 787 */ 788 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 789 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 790 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 791 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 792 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 793 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 794 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 795 if (asoc->autoclose) 796 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 797 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 798 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 799 800 /* It may also notify its ULP about the successful 801 * establishment of the association with a Communication Up 802 * notification (see Section 10). 803 */ 804 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 805 0, asoc->c.sinit_num_ostreams, 806 asoc->c.sinit_max_instreams, 807 GFP_ATOMIC); 808 809 if (!ev) 810 goto nomem; 811 812 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 813 814 /* Sockets API Draft Section 5.3.1.6 815 * When a peer sends a Adaption Layer Indication parameter , SCTP 816 * delivers this notification to inform the application that of the 817 * peers requested adaption layer. 818 */ 819 if (asoc->peer.adaption_ind) { 820 ev = sctp_ulpevent_make_adaption_indication(asoc, GFP_ATOMIC); 821 if (!ev) 822 goto nomem; 823 824 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 825 SCTP_ULPEVENT(ev)); 826 } 827 828 return SCTP_DISPOSITION_CONSUME; 829 nomem: 830 return SCTP_DISPOSITION_NOMEM; 831 } 832 833 /* Generate and sendout a heartbeat packet. */ 834 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 835 const struct sctp_association *asoc, 836 const sctp_subtype_t type, 837 void *arg, 838 sctp_cmd_seq_t *commands) 839 { 840 struct sctp_transport *transport = (struct sctp_transport *) arg; 841 struct sctp_chunk *reply; 842 sctp_sender_hb_info_t hbinfo; 843 size_t paylen = 0; 844 845 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 846 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 847 hbinfo.daddr = transport->ipaddr; 848 hbinfo.sent_at = jiffies; 849 850 /* Send a heartbeat to our peer. */ 851 paylen = sizeof(sctp_sender_hb_info_t); 852 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 853 if (!reply) 854 return SCTP_DISPOSITION_NOMEM; 855 856 /* Set rto_pending indicating that an RTT measurement 857 * is started with this heartbeat chunk. 858 */ 859 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 860 SCTP_TRANSPORT(transport)); 861 862 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 863 return SCTP_DISPOSITION_CONSUME; 864 } 865 866 /* Generate a HEARTBEAT packet on the given transport. */ 867 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 868 const struct sctp_association *asoc, 869 const sctp_subtype_t type, 870 void *arg, 871 sctp_cmd_seq_t *commands) 872 { 873 struct sctp_transport *transport = (struct sctp_transport *) arg; 874 875 if (asoc->overall_error_count >= asoc->max_retrans) { 876 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 877 SCTP_ERROR(ETIMEDOUT)); 878 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 879 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 880 SCTP_U32(SCTP_ERROR_NO_ERROR)); 881 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 882 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 883 return SCTP_DISPOSITION_DELETE_TCB; 884 } 885 886 /* Section 3.3.5. 887 * The Sender-specific Heartbeat Info field should normally include 888 * information about the sender's current time when this HEARTBEAT 889 * chunk is sent and the destination transport address to which this 890 * HEARTBEAT is sent (see Section 8.3). 891 */ 892 893 if (transport->param_flags & SPP_HB_ENABLE) { 894 if (SCTP_DISPOSITION_NOMEM == 895 sctp_sf_heartbeat(ep, asoc, type, arg, 896 commands)) 897 return SCTP_DISPOSITION_NOMEM; 898 /* Set transport error counter and association error counter 899 * when sending heartbeat. 900 */ 901 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 902 SCTP_TRANSPORT(transport)); 903 } 904 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 905 SCTP_TRANSPORT(transport)); 906 907 return SCTP_DISPOSITION_CONSUME; 908 } 909 910 /* 911 * Process an heartbeat request. 912 * 913 * Section: 8.3 Path Heartbeat 914 * The receiver of the HEARTBEAT should immediately respond with a 915 * HEARTBEAT ACK that contains the Heartbeat Information field copied 916 * from the received HEARTBEAT chunk. 917 * 918 * Verification Tag: 8.5 Verification Tag [Normal verification] 919 * When receiving an SCTP packet, the endpoint MUST ensure that the 920 * value in the Verification Tag field of the received SCTP packet 921 * matches its own Tag. If the received Verification Tag value does not 922 * match the receiver's own tag value, the receiver shall silently 923 * discard the packet and shall not process it any further except for 924 * those cases listed in Section 8.5.1 below. 925 * 926 * Inputs 927 * (endpoint, asoc, chunk) 928 * 929 * Outputs 930 * (asoc, reply_msg, msg_up, timers, counters) 931 * 932 * The return value is the disposition of the chunk. 933 */ 934 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 935 const struct sctp_association *asoc, 936 const sctp_subtype_t type, 937 void *arg, 938 sctp_cmd_seq_t *commands) 939 { 940 struct sctp_chunk *chunk = arg; 941 struct sctp_chunk *reply; 942 size_t paylen = 0; 943 944 if (!sctp_vtag_verify(chunk, asoc)) 945 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 946 947 /* Make sure that the HEARTBEAT chunk has a valid length. */ 948 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 949 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 950 commands); 951 952 /* 8.3 The receiver of the HEARTBEAT should immediately 953 * respond with a HEARTBEAT ACK that contains the Heartbeat 954 * Information field copied from the received HEARTBEAT chunk. 955 */ 956 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 957 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 958 if (!pskb_pull(chunk->skb, paylen)) 959 goto nomem; 960 961 reply = sctp_make_heartbeat_ack(asoc, chunk, 962 chunk->subh.hb_hdr, paylen); 963 if (!reply) 964 goto nomem; 965 966 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 967 return SCTP_DISPOSITION_CONSUME; 968 969 nomem: 970 return SCTP_DISPOSITION_NOMEM; 971 } 972 973 /* 974 * Process the returning HEARTBEAT ACK. 975 * 976 * Section: 8.3 Path Heartbeat 977 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 978 * should clear the error counter of the destination transport 979 * address to which the HEARTBEAT was sent, and mark the destination 980 * transport address as active if it is not so marked. The endpoint may 981 * optionally report to the upper layer when an inactive destination 982 * address is marked as active due to the reception of the latest 983 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 984 * clear the association overall error count as well (as defined 985 * in section 8.1). 986 * 987 * The receiver of the HEARTBEAT ACK should also perform an RTT 988 * measurement for that destination transport address using the time 989 * value carried in the HEARTBEAT ACK chunk. 990 * 991 * Verification Tag: 8.5 Verification Tag [Normal verification] 992 * 993 * Inputs 994 * (endpoint, asoc, chunk) 995 * 996 * Outputs 997 * (asoc, reply_msg, msg_up, timers, counters) 998 * 999 * The return value is the disposition of the chunk. 1000 */ 1001 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 1002 const struct sctp_association *asoc, 1003 const sctp_subtype_t type, 1004 void *arg, 1005 sctp_cmd_seq_t *commands) 1006 { 1007 struct sctp_chunk *chunk = arg; 1008 union sctp_addr from_addr; 1009 struct sctp_transport *link; 1010 sctp_sender_hb_info_t *hbinfo; 1011 unsigned long max_interval; 1012 1013 if (!sctp_vtag_verify(chunk, asoc)) 1014 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1015 1016 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1017 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 1018 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1019 commands); 1020 1021 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1022 /* Make sure that the length of the parameter is what we expect */ 1023 if (ntohs(hbinfo->param_hdr.length) != 1024 sizeof(sctp_sender_hb_info_t)) { 1025 return SCTP_DISPOSITION_DISCARD; 1026 } 1027 1028 from_addr = hbinfo->daddr; 1029 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1030 1031 /* This should never happen, but lets log it if so. */ 1032 if (unlikely(!link)) { 1033 if (from_addr.sa.sa_family == AF_INET6) { 1034 printk(KERN_WARNING 1035 "%s association %p could not find address " 1036 NIP6_FMT "\n", 1037 __FUNCTION__, 1038 asoc, 1039 NIP6(from_addr.v6.sin6_addr)); 1040 } else { 1041 printk(KERN_WARNING 1042 "%s association %p could not find address " 1043 NIPQUAD_FMT "\n", 1044 __FUNCTION__, 1045 asoc, 1046 NIPQUAD(from_addr.v4.sin_addr.s_addr)); 1047 } 1048 return SCTP_DISPOSITION_DISCARD; 1049 } 1050 1051 max_interval = link->hbinterval + link->rto; 1052 1053 /* Check if the timestamp looks valid. */ 1054 if (time_after(hbinfo->sent_at, jiffies) || 1055 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1056 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp" 1057 "received for transport: %p\n", 1058 __FUNCTION__, link); 1059 return SCTP_DISPOSITION_DISCARD; 1060 } 1061 1062 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1063 * the HEARTBEAT should clear the error counter of the 1064 * destination transport address to which the HEARTBEAT was 1065 * sent and mark the destination transport address as active if 1066 * it is not so marked. 1067 */ 1068 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1069 1070 return SCTP_DISPOSITION_CONSUME; 1071 } 1072 1073 /* Helper function to send out an abort for the restart 1074 * condition. 1075 */ 1076 static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1077 struct sctp_chunk *init, 1078 sctp_cmd_seq_t *commands) 1079 { 1080 int len; 1081 struct sctp_packet *pkt; 1082 union sctp_addr_param *addrparm; 1083 struct sctp_errhdr *errhdr; 1084 struct sctp_endpoint *ep; 1085 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1086 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1087 1088 /* Build the error on the stack. We are way to malloc crazy 1089 * throughout the code today. 1090 */ 1091 errhdr = (struct sctp_errhdr *)buffer; 1092 addrparm = (union sctp_addr_param *)errhdr->variable; 1093 1094 /* Copy into a parm format. */ 1095 len = af->to_addr_param(ssa, addrparm); 1096 len += sizeof(sctp_errhdr_t); 1097 1098 errhdr->cause = SCTP_ERROR_RESTART; 1099 errhdr->length = htons(len); 1100 1101 /* Assign to the control socket. */ 1102 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1103 1104 /* Association is NULL since this may be a restart attack and we 1105 * want to send back the attacker's vtag. 1106 */ 1107 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1108 1109 if (!pkt) 1110 goto out; 1111 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1112 1113 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1114 1115 /* Discard the rest of the inbound packet. */ 1116 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1117 1118 out: 1119 /* Even if there is no memory, treat as a failure so 1120 * the packet will get dropped. 1121 */ 1122 return 0; 1123 } 1124 1125 /* A restart is occurring, check to make sure no new addresses 1126 * are being added as we may be under a takeover attack. 1127 */ 1128 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1129 const struct sctp_association *asoc, 1130 struct sctp_chunk *init, 1131 sctp_cmd_seq_t *commands) 1132 { 1133 struct sctp_transport *new_addr, *addr; 1134 struct list_head *pos, *pos2; 1135 int found; 1136 1137 /* Implementor's Guide - Sectin 5.2.2 1138 * ... 1139 * Before responding the endpoint MUST check to see if the 1140 * unexpected INIT adds new addresses to the association. If new 1141 * addresses are added to the association, the endpoint MUST respond 1142 * with an ABORT.. 1143 */ 1144 1145 /* Search through all current addresses and make sure 1146 * we aren't adding any new ones. 1147 */ 1148 new_addr = NULL; 1149 found = 0; 1150 1151 list_for_each(pos, &new_asoc->peer.transport_addr_list) { 1152 new_addr = list_entry(pos, struct sctp_transport, transports); 1153 found = 0; 1154 list_for_each(pos2, &asoc->peer.transport_addr_list) { 1155 addr = list_entry(pos2, struct sctp_transport, 1156 transports); 1157 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1158 &addr->ipaddr)) { 1159 found = 1; 1160 break; 1161 } 1162 } 1163 if (!found) 1164 break; 1165 } 1166 1167 /* If a new address was added, ABORT the sender. */ 1168 if (!found && new_addr) { 1169 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1170 } 1171 1172 /* Return success if all addresses were found. */ 1173 return found; 1174 } 1175 1176 /* Populate the verification/tie tags based on overlapping INIT 1177 * scenario. 1178 * 1179 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1180 */ 1181 static void sctp_tietags_populate(struct sctp_association *new_asoc, 1182 const struct sctp_association *asoc) 1183 { 1184 switch (asoc->state) { 1185 1186 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1187 1188 case SCTP_STATE_COOKIE_WAIT: 1189 new_asoc->c.my_vtag = asoc->c.my_vtag; 1190 new_asoc->c.my_ttag = asoc->c.my_vtag; 1191 new_asoc->c.peer_ttag = 0; 1192 break; 1193 1194 case SCTP_STATE_COOKIE_ECHOED: 1195 new_asoc->c.my_vtag = asoc->c.my_vtag; 1196 new_asoc->c.my_ttag = asoc->c.my_vtag; 1197 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1198 break; 1199 1200 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1201 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1202 */ 1203 default: 1204 new_asoc->c.my_ttag = asoc->c.my_vtag; 1205 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1206 break; 1207 }; 1208 1209 /* Other parameters for the endpoint SHOULD be copied from the 1210 * existing parameters of the association (e.g. number of 1211 * outbound streams) into the INIT ACK and cookie. 1212 */ 1213 new_asoc->rwnd = asoc->rwnd; 1214 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1215 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1216 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1217 } 1218 1219 /* 1220 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1221 * handling action. 1222 * 1223 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1224 * 1225 * Returns value representing action to be taken. These action values 1226 * correspond to Action/Description values in RFC 2960, Table 2. 1227 */ 1228 static char sctp_tietags_compare(struct sctp_association *new_asoc, 1229 const struct sctp_association *asoc) 1230 { 1231 /* In this case, the peer may have restarted. */ 1232 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1233 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1234 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1235 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1236 return 'A'; 1237 1238 /* Collision case B. */ 1239 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1240 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1241 (0 == asoc->c.peer_vtag))) { 1242 return 'B'; 1243 } 1244 1245 /* Collision case D. */ 1246 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1247 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1248 return 'D'; 1249 1250 /* Collision case C. */ 1251 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1252 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1253 (0 == new_asoc->c.my_ttag) && 1254 (0 == new_asoc->c.peer_ttag)) 1255 return 'C'; 1256 1257 /* No match to any of the special cases; discard this packet. */ 1258 return 'E'; 1259 } 1260 1261 /* Common helper routine for both duplicate and simulataneous INIT 1262 * chunk handling. 1263 */ 1264 static sctp_disposition_t sctp_sf_do_unexpected_init( 1265 const struct sctp_endpoint *ep, 1266 const struct sctp_association *asoc, 1267 const sctp_subtype_t type, 1268 void *arg, sctp_cmd_seq_t *commands) 1269 { 1270 sctp_disposition_t retval; 1271 struct sctp_chunk *chunk = arg; 1272 struct sctp_chunk *repl; 1273 struct sctp_association *new_asoc; 1274 struct sctp_chunk *err_chunk; 1275 struct sctp_packet *packet; 1276 sctp_unrecognized_param_t *unk_param; 1277 int len; 1278 1279 /* 6.10 Bundling 1280 * An endpoint MUST NOT bundle INIT, INIT ACK or 1281 * SHUTDOWN COMPLETE with any other chunks. 1282 * 1283 * IG Section 2.11.2 1284 * Furthermore, we require that the receiver of an INIT chunk MUST 1285 * enforce these rules by silently discarding an arriving packet 1286 * with an INIT chunk that is bundled with other chunks. 1287 */ 1288 if (!chunk->singleton) 1289 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1290 1291 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1292 * Tag. 1293 */ 1294 if (chunk->sctp_hdr->vtag != 0) 1295 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1296 1297 /* Make sure that the INIT chunk has a valid length. 1298 * In this case, we generate a protocol violation since we have 1299 * an association established. 1300 */ 1301 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1302 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1303 commands); 1304 /* Grab the INIT header. */ 1305 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1306 1307 /* Tag the variable length parameters. */ 1308 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1309 1310 /* Verify the INIT chunk before processing it. */ 1311 err_chunk = NULL; 1312 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1313 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1314 &err_chunk)) { 1315 /* This chunk contains fatal error. It is to be discarded. 1316 * Send an ABORT, with causes if there is any. 1317 */ 1318 if (err_chunk) { 1319 packet = sctp_abort_pkt_new(ep, asoc, arg, 1320 (__u8 *)(err_chunk->chunk_hdr) + 1321 sizeof(sctp_chunkhdr_t), 1322 ntohs(err_chunk->chunk_hdr->length) - 1323 sizeof(sctp_chunkhdr_t)); 1324 1325 if (packet) { 1326 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1327 SCTP_PACKET(packet)); 1328 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1329 retval = SCTP_DISPOSITION_CONSUME; 1330 } else { 1331 retval = SCTP_DISPOSITION_NOMEM; 1332 } 1333 goto cleanup; 1334 } else { 1335 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1336 commands); 1337 } 1338 } 1339 1340 /* 1341 * Other parameters for the endpoint SHOULD be copied from the 1342 * existing parameters of the association (e.g. number of 1343 * outbound streams) into the INIT ACK and cookie. 1344 * FIXME: We are copying parameters from the endpoint not the 1345 * association. 1346 */ 1347 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1348 if (!new_asoc) 1349 goto nomem; 1350 1351 /* In the outbound INIT ACK the endpoint MUST copy its current 1352 * Verification Tag and Peers Verification tag into a reserved 1353 * place (local tie-tag and per tie-tag) within the state cookie. 1354 */ 1355 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1356 sctp_source(chunk), 1357 (sctp_init_chunk_t *)chunk->chunk_hdr, 1358 GFP_ATOMIC)) { 1359 retval = SCTP_DISPOSITION_NOMEM; 1360 goto nomem_init; 1361 } 1362 1363 /* Make sure no new addresses are being added during the 1364 * restart. Do not do this check for COOKIE-WAIT state, 1365 * since there are no peer addresses to check against. 1366 * Upon return an ABORT will have been sent if needed. 1367 */ 1368 if (!sctp_state(asoc, COOKIE_WAIT)) { 1369 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1370 commands)) { 1371 retval = SCTP_DISPOSITION_CONSUME; 1372 goto cleanup_asoc; 1373 } 1374 } 1375 1376 sctp_tietags_populate(new_asoc, asoc); 1377 1378 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1379 1380 /* If there are errors need to be reported for unknown parameters, 1381 * make sure to reserve enough room in the INIT ACK for them. 1382 */ 1383 len = 0; 1384 if (err_chunk) { 1385 len = ntohs(err_chunk->chunk_hdr->length) - 1386 sizeof(sctp_chunkhdr_t); 1387 } 1388 1389 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1390 goto nomem; 1391 1392 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1393 if (!repl) 1394 goto nomem; 1395 1396 /* If there are errors need to be reported for unknown parameters, 1397 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1398 * parameter. 1399 */ 1400 if (err_chunk) { 1401 /* Get the "Unrecognized parameter" parameter(s) out of the 1402 * ERROR chunk generated by sctp_verify_init(). Since the 1403 * error cause code for "unknown parameter" and the 1404 * "Unrecognized parameter" type is the same, we can 1405 * construct the parameters in INIT ACK by copying the 1406 * ERROR causes over. 1407 */ 1408 unk_param = (sctp_unrecognized_param_t *) 1409 ((__u8 *)(err_chunk->chunk_hdr) + 1410 sizeof(sctp_chunkhdr_t)); 1411 /* Replace the cause code with the "Unrecognized parameter" 1412 * parameter type. 1413 */ 1414 sctp_addto_chunk(repl, len, unk_param); 1415 } 1416 1417 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1418 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1419 1420 /* 1421 * Note: After sending out INIT ACK with the State Cookie parameter, 1422 * "Z" MUST NOT allocate any resources for this new association. 1423 * Otherwise, "Z" will be vulnerable to resource attacks. 1424 */ 1425 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1426 retval = SCTP_DISPOSITION_CONSUME; 1427 1428 cleanup: 1429 if (err_chunk) 1430 sctp_chunk_free(err_chunk); 1431 return retval; 1432 nomem: 1433 retval = SCTP_DISPOSITION_NOMEM; 1434 goto cleanup; 1435 nomem_init: 1436 cleanup_asoc: 1437 sctp_association_free(new_asoc); 1438 goto cleanup; 1439 } 1440 1441 /* 1442 * Handle simultanous INIT. 1443 * This means we started an INIT and then we got an INIT request from 1444 * our peer. 1445 * 1446 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1447 * This usually indicates an initialization collision, i.e., each 1448 * endpoint is attempting, at about the same time, to establish an 1449 * association with the other endpoint. 1450 * 1451 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1452 * endpoint MUST respond with an INIT ACK using the same parameters it 1453 * sent in its original INIT chunk (including its Verification Tag, 1454 * unchanged). These original parameters are combined with those from the 1455 * newly received INIT chunk. The endpoint shall also generate a State 1456 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1457 * INIT to calculate the State Cookie. 1458 * 1459 * After that, the endpoint MUST NOT change its state, the T1-init 1460 * timer shall be left running and the corresponding TCB MUST NOT be 1461 * destroyed. The normal procedures for handling State Cookies when 1462 * a TCB exists will resolve the duplicate INITs to a single association. 1463 * 1464 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1465 * its Tie-Tags with the Tag information of itself and its peer (see 1466 * section 5.2.2 for a description of the Tie-Tags). 1467 * 1468 * Verification Tag: Not explicit, but an INIT can not have a valid 1469 * verification tag, so we skip the check. 1470 * 1471 * Inputs 1472 * (endpoint, asoc, chunk) 1473 * 1474 * Outputs 1475 * (asoc, reply_msg, msg_up, timers, counters) 1476 * 1477 * The return value is the disposition of the chunk. 1478 */ 1479 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1480 const struct sctp_association *asoc, 1481 const sctp_subtype_t type, 1482 void *arg, 1483 sctp_cmd_seq_t *commands) 1484 { 1485 /* Call helper to do the real work for both simulataneous and 1486 * duplicate INIT chunk handling. 1487 */ 1488 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1489 } 1490 1491 /* 1492 * Handle duplicated INIT messages. These are usually delayed 1493 * restransmissions. 1494 * 1495 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1496 * COOKIE-ECHOED and COOKIE-WAIT 1497 * 1498 * Unless otherwise stated, upon reception of an unexpected INIT for 1499 * this association, the endpoint shall generate an INIT ACK with a 1500 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1501 * current Verification Tag and peer's Verification Tag into a reserved 1502 * place within the state cookie. We shall refer to these locations as 1503 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1504 * containing this INIT ACK MUST carry a Verification Tag value equal to 1505 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1506 * MUST contain a new Initiation Tag (randomly generated see Section 1507 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1508 * existing parameters of the association (e.g. number of outbound 1509 * streams) into the INIT ACK and cookie. 1510 * 1511 * After sending out the INIT ACK, the endpoint shall take no further 1512 * actions, i.e., the existing association, including its current state, 1513 * and the corresponding TCB MUST NOT be changed. 1514 * 1515 * Note: Only when a TCB exists and the association is not in a COOKIE- 1516 * WAIT state are the Tie-Tags populated. For a normal association INIT 1517 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1518 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1519 * State Cookie are populated as specified in section 5.2.1. 1520 * 1521 * Verification Tag: Not specified, but an INIT has no way of knowing 1522 * what the verification tag could be, so we ignore it. 1523 * 1524 * Inputs 1525 * (endpoint, asoc, chunk) 1526 * 1527 * Outputs 1528 * (asoc, reply_msg, msg_up, timers, counters) 1529 * 1530 * The return value is the disposition of the chunk. 1531 */ 1532 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1533 const struct sctp_association *asoc, 1534 const sctp_subtype_t type, 1535 void *arg, 1536 sctp_cmd_seq_t *commands) 1537 { 1538 /* Call helper to do the real work for both simulataneous and 1539 * duplicate INIT chunk handling. 1540 */ 1541 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1542 } 1543 1544 1545 1546 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1547 * 1548 * Section 5.2.4 1549 * A) In this case, the peer may have restarted. 1550 */ 1551 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1552 const struct sctp_association *asoc, 1553 struct sctp_chunk *chunk, 1554 sctp_cmd_seq_t *commands, 1555 struct sctp_association *new_asoc) 1556 { 1557 sctp_init_chunk_t *peer_init; 1558 struct sctp_ulpevent *ev; 1559 struct sctp_chunk *repl; 1560 struct sctp_chunk *err; 1561 sctp_disposition_t disposition; 1562 1563 /* new_asoc is a brand-new association, so these are not yet 1564 * side effects--it is safe to run them here. 1565 */ 1566 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1567 1568 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1569 sctp_source(chunk), peer_init, 1570 GFP_ATOMIC)) 1571 goto nomem; 1572 1573 /* Make sure no new addresses are being added during the 1574 * restart. Though this is a pretty complicated attack 1575 * since you'd have to get inside the cookie. 1576 */ 1577 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1578 return SCTP_DISPOSITION_CONSUME; 1579 } 1580 1581 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1582 * the peer has restarted (Action A), it MUST NOT setup a new 1583 * association but instead resend the SHUTDOWN ACK and send an ERROR 1584 * chunk with a "Cookie Received while Shutting Down" error cause to 1585 * its peer. 1586 */ 1587 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1588 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1589 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1590 chunk, commands); 1591 if (SCTP_DISPOSITION_NOMEM == disposition) 1592 goto nomem; 1593 1594 err = sctp_make_op_error(asoc, chunk, 1595 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1596 NULL, 0); 1597 if (err) 1598 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1599 SCTP_CHUNK(err)); 1600 1601 return SCTP_DISPOSITION_CONSUME; 1602 } 1603 1604 /* For now, fail any unsent/unacked data. Consider the optional 1605 * choice of resending of this data. 1606 */ 1607 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1608 1609 /* Update the content of current association. */ 1610 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1611 1612 repl = sctp_make_cookie_ack(new_asoc, chunk); 1613 if (!repl) 1614 goto nomem; 1615 1616 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1617 1618 /* Report association restart to upper layer. */ 1619 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1620 new_asoc->c.sinit_num_ostreams, 1621 new_asoc->c.sinit_max_instreams, 1622 GFP_ATOMIC); 1623 if (!ev) 1624 goto nomem_ev; 1625 1626 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1627 return SCTP_DISPOSITION_CONSUME; 1628 1629 nomem_ev: 1630 sctp_chunk_free(repl); 1631 nomem: 1632 return SCTP_DISPOSITION_NOMEM; 1633 } 1634 1635 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1636 * 1637 * Section 5.2.4 1638 * B) In this case, both sides may be attempting to start an association 1639 * at about the same time but the peer endpoint started its INIT 1640 * after responding to the local endpoint's INIT 1641 */ 1642 /* This case represents an initialization collision. */ 1643 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1644 const struct sctp_association *asoc, 1645 struct sctp_chunk *chunk, 1646 sctp_cmd_seq_t *commands, 1647 struct sctp_association *new_asoc) 1648 { 1649 sctp_init_chunk_t *peer_init; 1650 struct sctp_ulpevent *ev; 1651 struct sctp_chunk *repl; 1652 1653 /* new_asoc is a brand-new association, so these are not yet 1654 * side effects--it is safe to run them here. 1655 */ 1656 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1657 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1658 sctp_source(chunk), peer_init, 1659 GFP_ATOMIC)) 1660 goto nomem; 1661 1662 /* Update the content of current association. */ 1663 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1664 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1665 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1666 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1667 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1668 1669 repl = sctp_make_cookie_ack(new_asoc, chunk); 1670 if (!repl) 1671 goto nomem; 1672 1673 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1674 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1675 1676 /* RFC 2960 5.1 Normal Establishment of an Association 1677 * 1678 * D) IMPLEMENTATION NOTE: An implementation may choose to 1679 * send the Communication Up notification to the SCTP user 1680 * upon reception of a valid COOKIE ECHO chunk. 1681 */ 1682 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 0, 1683 new_asoc->c.sinit_num_ostreams, 1684 new_asoc->c.sinit_max_instreams, 1685 GFP_ATOMIC); 1686 if (!ev) 1687 goto nomem_ev; 1688 1689 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1690 1691 /* Sockets API Draft Section 5.3.1.6 1692 * When a peer sends a Adaption Layer Indication parameter , SCTP 1693 * delivers this notification to inform the application that of the 1694 * peers requested adaption layer. 1695 */ 1696 if (asoc->peer.adaption_ind) { 1697 ev = sctp_ulpevent_make_adaption_indication(asoc, GFP_ATOMIC); 1698 if (!ev) 1699 goto nomem_ev; 1700 1701 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1702 SCTP_ULPEVENT(ev)); 1703 } 1704 1705 return SCTP_DISPOSITION_CONSUME; 1706 1707 nomem_ev: 1708 sctp_chunk_free(repl); 1709 nomem: 1710 return SCTP_DISPOSITION_NOMEM; 1711 } 1712 1713 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1714 * 1715 * Section 5.2.4 1716 * C) In this case, the local endpoint's cookie has arrived late. 1717 * Before it arrived, the local endpoint sent an INIT and received an 1718 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1719 * but a new tag of its own. 1720 */ 1721 /* This case represents an initialization collision. */ 1722 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1723 const struct sctp_association *asoc, 1724 struct sctp_chunk *chunk, 1725 sctp_cmd_seq_t *commands, 1726 struct sctp_association *new_asoc) 1727 { 1728 /* The cookie should be silently discarded. 1729 * The endpoint SHOULD NOT change states and should leave 1730 * any timers running. 1731 */ 1732 return SCTP_DISPOSITION_DISCARD; 1733 } 1734 1735 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1736 * 1737 * Section 5.2.4 1738 * 1739 * D) When both local and remote tags match the endpoint should always 1740 * enter the ESTABLISHED state, if it has not already done so. 1741 */ 1742 /* This case represents an initialization collision. */ 1743 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1744 const struct sctp_association *asoc, 1745 struct sctp_chunk *chunk, 1746 sctp_cmd_seq_t *commands, 1747 struct sctp_association *new_asoc) 1748 { 1749 struct sctp_ulpevent *ev = NULL; 1750 struct sctp_chunk *repl; 1751 1752 /* Clarification from Implementor's Guide: 1753 * D) When both local and remote tags match the endpoint should 1754 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1755 * It should stop any cookie timer that may be running and send 1756 * a COOKIE ACK. 1757 */ 1758 1759 /* Don't accidentally move back into established state. */ 1760 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1761 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1762 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1763 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1764 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1765 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1766 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1767 SCTP_NULL()); 1768 1769 /* RFC 2960 5.1 Normal Establishment of an Association 1770 * 1771 * D) IMPLEMENTATION NOTE: An implementation may choose 1772 * to send the Communication Up notification to the 1773 * SCTP user upon reception of a valid COOKIE 1774 * ECHO chunk. 1775 */ 1776 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, 1777 SCTP_COMM_UP, 0, 1778 new_asoc->c.sinit_num_ostreams, 1779 new_asoc->c.sinit_max_instreams, 1780 GFP_ATOMIC); 1781 if (!ev) 1782 goto nomem; 1783 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1784 SCTP_ULPEVENT(ev)); 1785 1786 /* Sockets API Draft Section 5.3.1.6 1787 * When a peer sends a Adaption Layer Indication parameter, 1788 * SCTP delivers this notification to inform the application 1789 * that of the peers requested adaption layer. 1790 */ 1791 if (new_asoc->peer.adaption_ind) { 1792 ev = sctp_ulpevent_make_adaption_indication(new_asoc, 1793 GFP_ATOMIC); 1794 if (!ev) 1795 goto nomem; 1796 1797 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1798 SCTP_ULPEVENT(ev)); 1799 } 1800 } 1801 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1802 1803 repl = sctp_make_cookie_ack(new_asoc, chunk); 1804 if (!repl) 1805 goto nomem; 1806 1807 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1808 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1809 1810 return SCTP_DISPOSITION_CONSUME; 1811 1812 nomem: 1813 if (ev) 1814 sctp_ulpevent_free(ev); 1815 return SCTP_DISPOSITION_NOMEM; 1816 } 1817 1818 /* 1819 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1820 * chunk was retransmitted and then delayed in the network. 1821 * 1822 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1823 * 1824 * Verification Tag: None. Do cookie validation. 1825 * 1826 * Inputs 1827 * (endpoint, asoc, chunk) 1828 * 1829 * Outputs 1830 * (asoc, reply_msg, msg_up, timers, counters) 1831 * 1832 * The return value is the disposition of the chunk. 1833 */ 1834 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1835 const struct sctp_association *asoc, 1836 const sctp_subtype_t type, 1837 void *arg, 1838 sctp_cmd_seq_t *commands) 1839 { 1840 sctp_disposition_t retval; 1841 struct sctp_chunk *chunk = arg; 1842 struct sctp_association *new_asoc; 1843 int error = 0; 1844 char action; 1845 struct sctp_chunk *err_chk_p; 1846 1847 /* Make sure that the chunk has a valid length from the protocol 1848 * perspective. In this case check to make sure we have at least 1849 * enough for the chunk header. Cookie length verification is 1850 * done later. 1851 */ 1852 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1853 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1854 commands); 1855 1856 /* "Decode" the chunk. We have no optional parameters so we 1857 * are in good shape. 1858 */ 1859 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1860 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1861 sizeof(sctp_chunkhdr_t))) 1862 goto nomem; 1863 1864 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1865 * of a duplicate COOKIE ECHO match the Verification Tags of the 1866 * current association, consider the State Cookie valid even if 1867 * the lifespan is exceeded. 1868 */ 1869 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1870 &err_chk_p); 1871 1872 /* FIXME: 1873 * If the re-build failed, what is the proper error path 1874 * from here? 1875 * 1876 * [We should abort the association. --piggy] 1877 */ 1878 if (!new_asoc) { 1879 /* FIXME: Several errors are possible. A bad cookie should 1880 * be silently discarded, but think about logging it too. 1881 */ 1882 switch (error) { 1883 case -SCTP_IERROR_NOMEM: 1884 goto nomem; 1885 1886 case -SCTP_IERROR_STALE_COOKIE: 1887 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1888 err_chk_p); 1889 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1890 case -SCTP_IERROR_BAD_SIG: 1891 default: 1892 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1893 }; 1894 } 1895 1896 /* Compare the tie_tag in cookie with the verification tag of 1897 * current association. 1898 */ 1899 action = sctp_tietags_compare(new_asoc, asoc); 1900 1901 switch (action) { 1902 case 'A': /* Association restart. */ 1903 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 1904 new_asoc); 1905 break; 1906 1907 case 'B': /* Collision case B. */ 1908 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 1909 new_asoc); 1910 break; 1911 1912 case 'C': /* Collision case C. */ 1913 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 1914 new_asoc); 1915 break; 1916 1917 case 'D': /* Collision case D. */ 1918 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 1919 new_asoc); 1920 break; 1921 1922 default: /* Discard packet for all others. */ 1923 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1924 break; 1925 }; 1926 1927 /* Delete the tempory new association. */ 1928 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1929 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1930 1931 return retval; 1932 1933 nomem: 1934 return SCTP_DISPOSITION_NOMEM; 1935 } 1936 1937 /* 1938 * Process an ABORT. (SHUTDOWN-PENDING state) 1939 * 1940 * See sctp_sf_do_9_1_abort(). 1941 */ 1942 sctp_disposition_t sctp_sf_shutdown_pending_abort( 1943 const struct sctp_endpoint *ep, 1944 const struct sctp_association *asoc, 1945 const sctp_subtype_t type, 1946 void *arg, 1947 sctp_cmd_seq_t *commands) 1948 { 1949 struct sctp_chunk *chunk = arg; 1950 1951 if (!sctp_vtag_verify_either(chunk, asoc)) 1952 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1953 1954 /* Make sure that the ABORT chunk has a valid length. 1955 * Since this is an ABORT chunk, we have to discard it 1956 * because of the following text: 1957 * RFC 2960, Section 3.3.7 1958 * If an endpoint receives an ABORT with a format error or for an 1959 * association that doesn't exist, it MUST silently discard it. 1960 * Becasue the length is "invalid", we can't really discard just 1961 * as we do not know its true length. So, to be safe, discard the 1962 * packet. 1963 */ 1964 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 1965 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1966 1967 /* Stop the T5-shutdown guard timer. */ 1968 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1969 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 1970 1971 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 1972 } 1973 1974 /* 1975 * Process an ABORT. (SHUTDOWN-SENT state) 1976 * 1977 * See sctp_sf_do_9_1_abort(). 1978 */ 1979 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 1980 const struct sctp_association *asoc, 1981 const sctp_subtype_t type, 1982 void *arg, 1983 sctp_cmd_seq_t *commands) 1984 { 1985 struct sctp_chunk *chunk = arg; 1986 1987 if (!sctp_vtag_verify_either(chunk, asoc)) 1988 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1989 1990 /* Make sure that the ABORT chunk has a valid length. 1991 * Since this is an ABORT chunk, we have to discard it 1992 * because of the following text: 1993 * RFC 2960, Section 3.3.7 1994 * If an endpoint receives an ABORT with a format error or for an 1995 * association that doesn't exist, it MUST silently discard it. 1996 * Becasue the length is "invalid", we can't really discard just 1997 * as we do not know its true length. So, to be safe, discard the 1998 * packet. 1999 */ 2000 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2001 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2002 2003 /* Stop the T2-shutdown timer. */ 2004 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2005 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2006 2007 /* Stop the T5-shutdown guard timer. */ 2008 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2009 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2010 2011 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 2012 } 2013 2014 /* 2015 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2016 * 2017 * See sctp_sf_do_9_1_abort(). 2018 */ 2019 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2020 const struct sctp_endpoint *ep, 2021 const struct sctp_association *asoc, 2022 const sctp_subtype_t type, 2023 void *arg, 2024 sctp_cmd_seq_t *commands) 2025 { 2026 /* The same T2 timer, so we should be able to use 2027 * common function with the SHUTDOWN-SENT state. 2028 */ 2029 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2030 } 2031 2032 /* 2033 * Handle an Error received in COOKIE_ECHOED state. 2034 * 2035 * Only handle the error type of stale COOKIE Error, the other errors will 2036 * be ignored. 2037 * 2038 * Inputs 2039 * (endpoint, asoc, chunk) 2040 * 2041 * Outputs 2042 * (asoc, reply_msg, msg_up, timers, counters) 2043 * 2044 * The return value is the disposition of the chunk. 2045 */ 2046 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2047 const struct sctp_association *asoc, 2048 const sctp_subtype_t type, 2049 void *arg, 2050 sctp_cmd_seq_t *commands) 2051 { 2052 struct sctp_chunk *chunk = arg; 2053 sctp_errhdr_t *err; 2054 2055 if (!sctp_vtag_verify(chunk, asoc)) 2056 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2057 2058 /* Make sure that the ERROR chunk has a valid length. 2059 * The parameter walking depends on this as well. 2060 */ 2061 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2062 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2063 commands); 2064 2065 /* Process the error here */ 2066 /* FUTURE FIXME: When PR-SCTP related and other optional 2067 * parms are emitted, this will have to change to handle multiple 2068 * errors. 2069 */ 2070 sctp_walk_errors(err, chunk->chunk_hdr) { 2071 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2072 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2073 arg, commands); 2074 } 2075 2076 /* It is possible to have malformed error causes, and that 2077 * will cause us to end the walk early. However, since 2078 * we are discarding the packet, there should be no adverse 2079 * affects. 2080 */ 2081 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2082 } 2083 2084 /* 2085 * Handle a Stale COOKIE Error 2086 * 2087 * Section: 5.2.6 Handle Stale COOKIE Error 2088 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2089 * one of the following three alternatives. 2090 * ... 2091 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2092 * Preservative parameter requesting an extension to the lifetime of 2093 * the State Cookie. When calculating the time extension, an 2094 * implementation SHOULD use the RTT information measured based on the 2095 * previous COOKIE ECHO / ERROR exchange, and should add no more 2096 * than 1 second beyond the measured RTT, due to long State Cookie 2097 * lifetimes making the endpoint more subject to a replay attack. 2098 * 2099 * Verification Tag: Not explicit, but safe to ignore. 2100 * 2101 * Inputs 2102 * (endpoint, asoc, chunk) 2103 * 2104 * Outputs 2105 * (asoc, reply_msg, msg_up, timers, counters) 2106 * 2107 * The return value is the disposition of the chunk. 2108 */ 2109 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2110 const struct sctp_association *asoc, 2111 const sctp_subtype_t type, 2112 void *arg, 2113 sctp_cmd_seq_t *commands) 2114 { 2115 struct sctp_chunk *chunk = arg; 2116 time_t stale; 2117 sctp_cookie_preserve_param_t bht; 2118 sctp_errhdr_t *err; 2119 struct sctp_chunk *reply; 2120 struct sctp_bind_addr *bp; 2121 int attempts = asoc->init_err_counter + 1; 2122 2123 if (attempts > asoc->max_init_attempts) { 2124 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2125 SCTP_ERROR(ETIMEDOUT)); 2126 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2127 SCTP_U32(SCTP_ERROR_STALE_COOKIE)); 2128 return SCTP_DISPOSITION_DELETE_TCB; 2129 } 2130 2131 err = (sctp_errhdr_t *)(chunk->skb->data); 2132 2133 /* When calculating the time extension, an implementation 2134 * SHOULD use the RTT information measured based on the 2135 * previous COOKIE ECHO / ERROR exchange, and should add no 2136 * more than 1 second beyond the measured RTT, due to long 2137 * State Cookie lifetimes making the endpoint more subject to 2138 * a replay attack. 2139 * Measure of Staleness's unit is usec. (1/1000000 sec) 2140 * Suggested Cookie Life-span Increment's unit is msec. 2141 * (1/1000 sec) 2142 * In general, if you use the suggested cookie life, the value 2143 * found in the field of measure of staleness should be doubled 2144 * to give ample time to retransmit the new cookie and thus 2145 * yield a higher probability of success on the reattempt. 2146 */ 2147 stale = ntohl(*(suseconds_t *)((u8 *)err + sizeof(sctp_errhdr_t))); 2148 stale = (stale * 2) / 1000; 2149 2150 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2151 bht.param_hdr.length = htons(sizeof(bht)); 2152 bht.lifespan_increment = htonl(stale); 2153 2154 /* Build that new INIT chunk. */ 2155 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2156 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2157 if (!reply) 2158 goto nomem; 2159 2160 sctp_addto_chunk(reply, sizeof(bht), &bht); 2161 2162 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2163 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2164 2165 /* Stop pending T3-rtx and heartbeat timers */ 2166 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2167 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2168 2169 /* Delete non-primary peer ip addresses since we are transitioning 2170 * back to the COOKIE-WAIT state 2171 */ 2172 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2173 2174 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2175 * resend 2176 */ 2177 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, 2178 SCTP_TRANSPORT(asoc->peer.primary_path)); 2179 2180 /* Cast away the const modifier, as we want to just 2181 * rerun it through as a sideffect. 2182 */ 2183 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2184 2185 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2186 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2187 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2188 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2189 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2190 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2191 2192 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2193 2194 return SCTP_DISPOSITION_CONSUME; 2195 2196 nomem: 2197 return SCTP_DISPOSITION_NOMEM; 2198 } 2199 2200 /* 2201 * Process an ABORT. 2202 * 2203 * Section: 9.1 2204 * After checking the Verification Tag, the receiving endpoint shall 2205 * remove the association from its record, and shall report the 2206 * termination to its upper layer. 2207 * 2208 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2209 * B) Rules for packet carrying ABORT: 2210 * 2211 * - The endpoint shall always fill in the Verification Tag field of the 2212 * outbound packet with the destination endpoint's tag value if it 2213 * is known. 2214 * 2215 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2216 * MUST follow the procedure described in Section 8.4. 2217 * 2218 * - The receiver MUST accept the packet if the Verification Tag 2219 * matches either its own tag, OR the tag of its peer. Otherwise, the 2220 * receiver MUST silently discard the packet and take no further 2221 * action. 2222 * 2223 * Inputs 2224 * (endpoint, asoc, chunk) 2225 * 2226 * Outputs 2227 * (asoc, reply_msg, msg_up, timers, counters) 2228 * 2229 * The return value is the disposition of the chunk. 2230 */ 2231 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2232 const struct sctp_association *asoc, 2233 const sctp_subtype_t type, 2234 void *arg, 2235 sctp_cmd_seq_t *commands) 2236 { 2237 struct sctp_chunk *chunk = arg; 2238 unsigned len; 2239 __u16 error = SCTP_ERROR_NO_ERROR; 2240 2241 if (!sctp_vtag_verify_either(chunk, asoc)) 2242 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2243 2244 /* Make sure that the ABORT chunk has a valid length. 2245 * Since this is an ABORT chunk, we have to discard it 2246 * because of the following text: 2247 * RFC 2960, Section 3.3.7 2248 * If an endpoint receives an ABORT with a format error or for an 2249 * association that doesn't exist, it MUST silently discard it. 2250 * Becasue the length is "invalid", we can't really discard just 2251 * as we do not know its true length. So, to be safe, discard the 2252 * packet. 2253 */ 2254 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2255 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2256 2257 /* See if we have an error cause code in the chunk. */ 2258 len = ntohs(chunk->chunk_hdr->length); 2259 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2260 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2261 2262 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2263 /* ASSOC_FAILED will DELETE_TCB. */ 2264 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_U32(error)); 2265 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2266 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2267 2268 return SCTP_DISPOSITION_ABORT; 2269 } 2270 2271 /* 2272 * Process an ABORT. (COOKIE-WAIT state) 2273 * 2274 * See sctp_sf_do_9_1_abort() above. 2275 */ 2276 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2277 const struct sctp_association *asoc, 2278 const sctp_subtype_t type, 2279 void *arg, 2280 sctp_cmd_seq_t *commands) 2281 { 2282 struct sctp_chunk *chunk = arg; 2283 unsigned len; 2284 __u16 error = SCTP_ERROR_NO_ERROR; 2285 2286 if (!sctp_vtag_verify_either(chunk, asoc)) 2287 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2288 2289 /* Make sure that the ABORT chunk has a valid length. 2290 * Since this is an ABORT chunk, we have to discard it 2291 * because of the following text: 2292 * RFC 2960, Section 3.3.7 2293 * If an endpoint receives an ABORT with a format error or for an 2294 * association that doesn't exist, it MUST silently discard it. 2295 * Becasue the length is "invalid", we can't really discard just 2296 * as we do not know its true length. So, to be safe, discard the 2297 * packet. 2298 */ 2299 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2300 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2301 2302 /* See if we have an error cause code in the chunk. */ 2303 len = ntohs(chunk->chunk_hdr->length); 2304 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2305 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2306 2307 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2308 chunk->transport); 2309 } 2310 2311 /* 2312 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2313 */ 2314 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2315 const struct sctp_association *asoc, 2316 const sctp_subtype_t type, 2317 void *arg, 2318 sctp_cmd_seq_t *commands) 2319 { 2320 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2321 ENOPROTOOPT, asoc, 2322 (struct sctp_transport *)arg); 2323 } 2324 2325 /* 2326 * Process an ABORT. (COOKIE-ECHOED state) 2327 */ 2328 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2329 const struct sctp_association *asoc, 2330 const sctp_subtype_t type, 2331 void *arg, 2332 sctp_cmd_seq_t *commands) 2333 { 2334 /* There is a single T1 timer, so we should be able to use 2335 * common function with the COOKIE-WAIT state. 2336 */ 2337 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2338 } 2339 2340 /* 2341 * Stop T1 timer and abort association with "INIT failed". 2342 * 2343 * This is common code called by several sctp_sf_*_abort() functions above. 2344 */ 2345 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2346 __u16 error, int sk_err, 2347 const struct sctp_association *asoc, 2348 struct sctp_transport *transport) 2349 { 2350 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2351 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2352 SCTP_STATE(SCTP_STATE_CLOSED)); 2353 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2354 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2355 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2356 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2357 /* CMD_INIT_FAILED will DELETE_TCB. */ 2358 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2359 SCTP_U32(error)); 2360 return SCTP_DISPOSITION_ABORT; 2361 } 2362 2363 /* 2364 * sctp_sf_do_9_2_shut 2365 * 2366 * Section: 9.2 2367 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2368 * - enter the SHUTDOWN-RECEIVED state, 2369 * 2370 * - stop accepting new data from its SCTP user 2371 * 2372 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2373 * that all its outstanding DATA chunks have been received by the 2374 * SHUTDOWN sender. 2375 * 2376 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2377 * send a SHUTDOWN in response to a ULP request. And should discard 2378 * subsequent SHUTDOWN chunks. 2379 * 2380 * If there are still outstanding DATA chunks left, the SHUTDOWN 2381 * receiver shall continue to follow normal data transmission 2382 * procedures defined in Section 6 until all outstanding DATA chunks 2383 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2384 * new data from its SCTP user. 2385 * 2386 * Verification Tag: 8.5 Verification Tag [Normal verification] 2387 * 2388 * Inputs 2389 * (endpoint, asoc, chunk) 2390 * 2391 * Outputs 2392 * (asoc, reply_msg, msg_up, timers, counters) 2393 * 2394 * The return value is the disposition of the chunk. 2395 */ 2396 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2397 const struct sctp_association *asoc, 2398 const sctp_subtype_t type, 2399 void *arg, 2400 sctp_cmd_seq_t *commands) 2401 { 2402 struct sctp_chunk *chunk = arg; 2403 sctp_shutdownhdr_t *sdh; 2404 sctp_disposition_t disposition; 2405 struct sctp_ulpevent *ev; 2406 2407 if (!sctp_vtag_verify(chunk, asoc)) 2408 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2409 2410 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2411 if (!sctp_chunk_length_valid(chunk, 2412 sizeof(struct sctp_shutdown_chunk_t))) 2413 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2414 commands); 2415 2416 /* Convert the elaborate header. */ 2417 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2418 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2419 chunk->subh.shutdown_hdr = sdh; 2420 2421 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2422 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2423 * inform the application that it should cease sending data. 2424 */ 2425 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2426 if (!ev) { 2427 disposition = SCTP_DISPOSITION_NOMEM; 2428 goto out; 2429 } 2430 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2431 2432 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2433 * - enter the SHUTDOWN-RECEIVED state, 2434 * - stop accepting new data from its SCTP user 2435 * 2436 * [This is implicit in the new state.] 2437 */ 2438 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2439 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2440 disposition = SCTP_DISPOSITION_CONSUME; 2441 2442 if (sctp_outq_is_empty(&asoc->outqueue)) { 2443 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2444 arg, commands); 2445 } 2446 2447 if (SCTP_DISPOSITION_NOMEM == disposition) 2448 goto out; 2449 2450 /* - verify, by checking the Cumulative TSN Ack field of the 2451 * chunk, that all its outstanding DATA chunks have been 2452 * received by the SHUTDOWN sender. 2453 */ 2454 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2455 SCTP_U32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2456 2457 out: 2458 return disposition; 2459 } 2460 2461 /* RFC 2960 9.2 2462 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2463 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2464 * transport addresses (either in the IP addresses or in the INIT chunk) 2465 * that belong to this association, it should discard the INIT chunk and 2466 * retransmit the SHUTDOWN ACK chunk. 2467 */ 2468 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2469 const struct sctp_association *asoc, 2470 const sctp_subtype_t type, 2471 void *arg, 2472 sctp_cmd_seq_t *commands) 2473 { 2474 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2475 struct sctp_chunk *reply; 2476 2477 /* Since we are not going to really process this INIT, there 2478 * is no point in verifying chunk boundries. Just generate 2479 * the SHUTDOWN ACK. 2480 */ 2481 reply = sctp_make_shutdown_ack(asoc, chunk); 2482 if (NULL == reply) 2483 goto nomem; 2484 2485 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2486 * the T2-SHUTDOWN timer. 2487 */ 2488 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2489 2490 /* and restart the T2-shutdown timer. */ 2491 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2492 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2493 2494 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2495 2496 return SCTP_DISPOSITION_CONSUME; 2497 nomem: 2498 return SCTP_DISPOSITION_NOMEM; 2499 } 2500 2501 /* 2502 * sctp_sf_do_ecn_cwr 2503 * 2504 * Section: Appendix A: Explicit Congestion Notification 2505 * 2506 * CWR: 2507 * 2508 * RFC 2481 details a specific bit for a sender to send in the header of 2509 * its next outbound TCP segment to indicate to its peer that it has 2510 * reduced its congestion window. This is termed the CWR bit. For 2511 * SCTP the same indication is made by including the CWR chunk. 2512 * This chunk contains one data element, i.e. the TSN number that 2513 * was sent in the ECNE chunk. This element represents the lowest 2514 * TSN number in the datagram that was originally marked with the 2515 * CE bit. 2516 * 2517 * Verification Tag: 8.5 Verification Tag [Normal verification] 2518 * Inputs 2519 * (endpoint, asoc, chunk) 2520 * 2521 * Outputs 2522 * (asoc, reply_msg, msg_up, timers, counters) 2523 * 2524 * The return value is the disposition of the chunk. 2525 */ 2526 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2527 const struct sctp_association *asoc, 2528 const sctp_subtype_t type, 2529 void *arg, 2530 sctp_cmd_seq_t *commands) 2531 { 2532 sctp_cwrhdr_t *cwr; 2533 struct sctp_chunk *chunk = arg; 2534 2535 if (!sctp_vtag_verify(chunk, asoc)) 2536 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2537 2538 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2539 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2540 commands); 2541 2542 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2543 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2544 2545 cwr->lowest_tsn = ntohl(cwr->lowest_tsn); 2546 2547 /* Does this CWR ack the last sent congestion notification? */ 2548 if (TSN_lte(asoc->last_ecne_tsn, cwr->lowest_tsn)) { 2549 /* Stop sending ECNE. */ 2550 sctp_add_cmd_sf(commands, 2551 SCTP_CMD_ECN_CWR, 2552 SCTP_U32(cwr->lowest_tsn)); 2553 } 2554 return SCTP_DISPOSITION_CONSUME; 2555 } 2556 2557 /* 2558 * sctp_sf_do_ecne 2559 * 2560 * Section: Appendix A: Explicit Congestion Notification 2561 * 2562 * ECN-Echo 2563 * 2564 * RFC 2481 details a specific bit for a receiver to send back in its 2565 * TCP acknowledgements to notify the sender of the Congestion 2566 * Experienced (CE) bit having arrived from the network. For SCTP this 2567 * same indication is made by including the ECNE chunk. This chunk 2568 * contains one data element, i.e. the lowest TSN associated with the IP 2569 * datagram marked with the CE bit..... 2570 * 2571 * Verification Tag: 8.5 Verification Tag [Normal verification] 2572 * Inputs 2573 * (endpoint, asoc, chunk) 2574 * 2575 * Outputs 2576 * (asoc, reply_msg, msg_up, timers, counters) 2577 * 2578 * The return value is the disposition of the chunk. 2579 */ 2580 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2581 const struct sctp_association *asoc, 2582 const sctp_subtype_t type, 2583 void *arg, 2584 sctp_cmd_seq_t *commands) 2585 { 2586 sctp_ecnehdr_t *ecne; 2587 struct sctp_chunk *chunk = arg; 2588 2589 if (!sctp_vtag_verify(chunk, asoc)) 2590 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2591 2592 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2593 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2594 commands); 2595 2596 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2597 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2598 2599 /* If this is a newer ECNE than the last CWR packet we sent out */ 2600 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2601 SCTP_U32(ntohl(ecne->lowest_tsn))); 2602 2603 return SCTP_DISPOSITION_CONSUME; 2604 } 2605 2606 /* 2607 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2608 * 2609 * The SCTP endpoint MUST always acknowledge the reception of each valid 2610 * DATA chunk. 2611 * 2612 * The guidelines on delayed acknowledgement algorithm specified in 2613 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2614 * acknowledgement SHOULD be generated for at least every second packet 2615 * (not every second DATA chunk) received, and SHOULD be generated within 2616 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2617 * situations it may be beneficial for an SCTP transmitter to be more 2618 * conservative than the algorithms detailed in this document allow. 2619 * However, an SCTP transmitter MUST NOT be more aggressive than the 2620 * following algorithms allow. 2621 * 2622 * A SCTP receiver MUST NOT generate more than one SACK for every 2623 * incoming packet, other than to update the offered window as the 2624 * receiving application consumes new data. 2625 * 2626 * Verification Tag: 8.5 Verification Tag [Normal verification] 2627 * 2628 * Inputs 2629 * (endpoint, asoc, chunk) 2630 * 2631 * Outputs 2632 * (asoc, reply_msg, msg_up, timers, counters) 2633 * 2634 * The return value is the disposition of the chunk. 2635 */ 2636 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2637 const struct sctp_association *asoc, 2638 const sctp_subtype_t type, 2639 void *arg, 2640 sctp_cmd_seq_t *commands) 2641 { 2642 struct sctp_chunk *chunk = arg; 2643 int error; 2644 2645 if (!sctp_vtag_verify(chunk, asoc)) { 2646 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2647 SCTP_NULL()); 2648 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2649 } 2650 2651 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2652 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2653 commands); 2654 2655 error = sctp_eat_data(asoc, chunk, commands ); 2656 switch (error) { 2657 case SCTP_IERROR_NO_ERROR: 2658 break; 2659 case SCTP_IERROR_HIGH_TSN: 2660 case SCTP_IERROR_BAD_STREAM: 2661 goto discard_noforce; 2662 case SCTP_IERROR_DUP_TSN: 2663 case SCTP_IERROR_IGNORE_TSN: 2664 goto discard_force; 2665 case SCTP_IERROR_NO_DATA: 2666 goto consume; 2667 default: 2668 BUG(); 2669 } 2670 2671 if (asoc->autoclose) { 2672 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2673 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2674 } 2675 2676 /* If this is the last chunk in a packet, we need to count it 2677 * toward sack generation. Note that we need to SACK every 2678 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2679 * THEM. We elect to NOT generate SACK's if the chunk fails 2680 * the verification tag test. 2681 * 2682 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2683 * 2684 * The SCTP endpoint MUST always acknowledge the reception of 2685 * each valid DATA chunk. 2686 * 2687 * The guidelines on delayed acknowledgement algorithm 2688 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2689 * Specifically, an acknowledgement SHOULD be generated for at 2690 * least every second packet (not every second DATA chunk) 2691 * received, and SHOULD be generated within 200 ms of the 2692 * arrival of any unacknowledged DATA chunk. In some 2693 * situations it may be beneficial for an SCTP transmitter to 2694 * be more conservative than the algorithms detailed in this 2695 * document allow. However, an SCTP transmitter MUST NOT be 2696 * more aggressive than the following algorithms allow. 2697 */ 2698 if (chunk->end_of_packet) 2699 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2700 2701 return SCTP_DISPOSITION_CONSUME; 2702 2703 discard_force: 2704 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2705 * 2706 * When a packet arrives with duplicate DATA chunk(s) and with 2707 * no new DATA chunk(s), the endpoint MUST immediately send a 2708 * SACK with no delay. If a packet arrives with duplicate 2709 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2710 * MAY immediately send a SACK. Normally receipt of duplicate 2711 * DATA chunks will occur when the original SACK chunk was lost 2712 * and the peer's RTO has expired. The duplicate TSN number(s) 2713 * SHOULD be reported in the SACK as duplicate. 2714 */ 2715 /* In our case, we split the MAY SACK advice up whether or not 2716 * the last chunk is a duplicate.' 2717 */ 2718 if (chunk->end_of_packet) 2719 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2720 return SCTP_DISPOSITION_DISCARD; 2721 2722 discard_noforce: 2723 if (chunk->end_of_packet) 2724 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2725 2726 return SCTP_DISPOSITION_DISCARD; 2727 consume: 2728 return SCTP_DISPOSITION_CONSUME; 2729 2730 } 2731 2732 /* 2733 * sctp_sf_eat_data_fast_4_4 2734 * 2735 * Section: 4 (4) 2736 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2737 * DATA chunks without delay. 2738 * 2739 * Verification Tag: 8.5 Verification Tag [Normal verification] 2740 * Inputs 2741 * (endpoint, asoc, chunk) 2742 * 2743 * Outputs 2744 * (asoc, reply_msg, msg_up, timers, counters) 2745 * 2746 * The return value is the disposition of the chunk. 2747 */ 2748 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2749 const struct sctp_association *asoc, 2750 const sctp_subtype_t type, 2751 void *arg, 2752 sctp_cmd_seq_t *commands) 2753 { 2754 struct sctp_chunk *chunk = arg; 2755 int error; 2756 2757 if (!sctp_vtag_verify(chunk, asoc)) { 2758 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2759 SCTP_NULL()); 2760 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2761 } 2762 2763 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2764 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2765 commands); 2766 2767 error = sctp_eat_data(asoc, chunk, commands ); 2768 switch (error) { 2769 case SCTP_IERROR_NO_ERROR: 2770 case SCTP_IERROR_HIGH_TSN: 2771 case SCTP_IERROR_DUP_TSN: 2772 case SCTP_IERROR_IGNORE_TSN: 2773 case SCTP_IERROR_BAD_STREAM: 2774 break; 2775 case SCTP_IERROR_NO_DATA: 2776 goto consume; 2777 default: 2778 BUG(); 2779 } 2780 2781 /* Go a head and force a SACK, since we are shutting down. */ 2782 2783 /* Implementor's Guide. 2784 * 2785 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2786 * respond to each received packet containing one or more DATA chunk(s) 2787 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2788 */ 2789 if (chunk->end_of_packet) { 2790 /* We must delay the chunk creation since the cumulative 2791 * TSN has not been updated yet. 2792 */ 2793 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2794 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2795 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2796 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2797 } 2798 2799 consume: 2800 return SCTP_DISPOSITION_CONSUME; 2801 } 2802 2803 /* 2804 * Section: 6.2 Processing a Received SACK 2805 * D) Any time a SACK arrives, the endpoint performs the following: 2806 * 2807 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2808 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2809 * increasing, a SACK whose Cumulative TSN Ack is less than the 2810 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2811 * 2812 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2813 * of bytes still outstanding after processing the Cumulative TSN Ack 2814 * and the Gap Ack Blocks. 2815 * 2816 * iii) If the SACK is missing a TSN that was previously 2817 * acknowledged via a Gap Ack Block (e.g., the data receiver 2818 * reneged on the data), then mark the corresponding DATA chunk 2819 * as available for retransmit: Mark it as missing for fast 2820 * retransmit as described in Section 7.2.4 and if no retransmit 2821 * timer is running for the destination address to which the DATA 2822 * chunk was originally transmitted, then T3-rtx is started for 2823 * that destination address. 2824 * 2825 * Verification Tag: 8.5 Verification Tag [Normal verification] 2826 * 2827 * Inputs 2828 * (endpoint, asoc, chunk) 2829 * 2830 * Outputs 2831 * (asoc, reply_msg, msg_up, timers, counters) 2832 * 2833 * The return value is the disposition of the chunk. 2834 */ 2835 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2836 const struct sctp_association *asoc, 2837 const sctp_subtype_t type, 2838 void *arg, 2839 sctp_cmd_seq_t *commands) 2840 { 2841 struct sctp_chunk *chunk = arg; 2842 sctp_sackhdr_t *sackh; 2843 __u32 ctsn; 2844 2845 if (!sctp_vtag_verify(chunk, asoc)) 2846 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2847 2848 /* Make sure that the SACK chunk has a valid length. */ 2849 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 2850 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2851 commands); 2852 2853 /* Pull the SACK chunk from the data buffer */ 2854 sackh = sctp_sm_pull_sack(chunk); 2855 /* Was this a bogus SACK? */ 2856 if (!sackh) 2857 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2858 chunk->subh.sack_hdr = sackh; 2859 ctsn = ntohl(sackh->cum_tsn_ack); 2860 2861 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 2862 * Ack Point, then drop the SACK. Since Cumulative TSN 2863 * Ack is monotonically increasing, a SACK whose 2864 * Cumulative TSN Ack is less than the Cumulative TSN Ack 2865 * Point indicates an out-of-order SACK. 2866 */ 2867 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2868 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2869 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2870 return SCTP_DISPOSITION_DISCARD; 2871 } 2872 2873 /* Return this SACK for further processing. */ 2874 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 2875 2876 /* Note: We do the rest of the work on the PROCESS_SACK 2877 * sideeffect. 2878 */ 2879 return SCTP_DISPOSITION_CONSUME; 2880 } 2881 2882 /* 2883 * Generate an ABORT in response to a packet. 2884 * 2885 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 2886 * 2887 * 8) The receiver should respond to the sender of the OOTB packet with 2888 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 2889 * MUST fill in the Verification Tag field of the outbound packet 2890 * with the value found in the Verification Tag field of the OOTB 2891 * packet and set the T-bit in the Chunk Flags to indicate that the 2892 * Verification Tag is reflected. After sending this ABORT, the 2893 * receiver of the OOTB packet shall discard the OOTB packet and take 2894 * no further action. 2895 * 2896 * Verification Tag: 2897 * 2898 * The return value is the disposition of the chunk. 2899 */ 2900 sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 2901 const struct sctp_association *asoc, 2902 const sctp_subtype_t type, 2903 void *arg, 2904 sctp_cmd_seq_t *commands) 2905 { 2906 struct sctp_packet *packet = NULL; 2907 struct sctp_chunk *chunk = arg; 2908 struct sctp_chunk *abort; 2909 2910 packet = sctp_ootb_pkt_new(asoc, chunk); 2911 2912 if (packet) { 2913 /* Make an ABORT. The T bit will be set if the asoc 2914 * is NULL. 2915 */ 2916 abort = sctp_make_abort(asoc, chunk, 0); 2917 if (!abort) { 2918 sctp_ootb_pkt_free(packet); 2919 return SCTP_DISPOSITION_NOMEM; 2920 } 2921 2922 /* Reflect vtag if T-Bit is set */ 2923 if (sctp_test_T_bit(abort)) 2924 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 2925 2926 /* Set the skb to the belonging sock for accounting. */ 2927 abort->skb->sk = ep->base.sk; 2928 2929 sctp_packet_append_chunk(packet, abort); 2930 2931 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 2932 SCTP_PACKET(packet)); 2933 2934 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 2935 2936 return SCTP_DISPOSITION_CONSUME; 2937 } 2938 2939 return SCTP_DISPOSITION_NOMEM; 2940 } 2941 2942 /* 2943 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 2944 * event as ULP notification for each cause included in the chunk. 2945 * 2946 * API 5.3.1.3 - SCTP_REMOTE_ERROR 2947 * 2948 * The return value is the disposition of the chunk. 2949 */ 2950 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 2951 const struct sctp_association *asoc, 2952 const sctp_subtype_t type, 2953 void *arg, 2954 sctp_cmd_seq_t *commands) 2955 { 2956 struct sctp_chunk *chunk = arg; 2957 struct sctp_ulpevent *ev; 2958 2959 if (!sctp_vtag_verify(chunk, asoc)) 2960 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2961 2962 /* Make sure that the ERROR chunk has a valid length. */ 2963 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2964 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2965 commands); 2966 2967 while (chunk->chunk_end > chunk->skb->data) { 2968 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 2969 GFP_ATOMIC); 2970 if (!ev) 2971 goto nomem; 2972 2973 if (!sctp_add_cmd(commands, SCTP_CMD_EVENT_ULP, 2974 SCTP_ULPEVENT(ev))) { 2975 sctp_ulpevent_free(ev); 2976 goto nomem; 2977 } 2978 2979 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 2980 SCTP_CHUNK(chunk)); 2981 } 2982 return SCTP_DISPOSITION_CONSUME; 2983 2984 nomem: 2985 return SCTP_DISPOSITION_NOMEM; 2986 } 2987 2988 /* 2989 * Process an inbound SHUTDOWN ACK. 2990 * 2991 * From Section 9.2: 2992 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 2993 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 2994 * peer, and remove all record of the association. 2995 * 2996 * The return value is the disposition. 2997 */ 2998 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 2999 const struct sctp_association *asoc, 3000 const sctp_subtype_t type, 3001 void *arg, 3002 sctp_cmd_seq_t *commands) 3003 { 3004 struct sctp_chunk *chunk = arg; 3005 struct sctp_chunk *reply; 3006 struct sctp_ulpevent *ev; 3007 3008 if (!sctp_vtag_verify(chunk, asoc)) 3009 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3010 3011 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3012 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3013 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3014 commands); 3015 3016 /* 10.2 H) SHUTDOWN COMPLETE notification 3017 * 3018 * When SCTP completes the shutdown procedures (section 9.2) this 3019 * notification is passed to the upper layer. 3020 */ 3021 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3022 0, 0, 0, GFP_ATOMIC); 3023 if (!ev) 3024 goto nomem; 3025 3026 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3027 3028 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3029 * stop the T2-shutdown timer, 3030 */ 3031 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3032 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3033 3034 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3035 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3036 3037 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3038 reply = sctp_make_shutdown_complete(asoc, chunk); 3039 if (!reply) 3040 goto nomem; 3041 3042 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3043 SCTP_STATE(SCTP_STATE_CLOSED)); 3044 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3045 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3046 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3047 3048 /* ...and remove all record of the association. */ 3049 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3050 return SCTP_DISPOSITION_DELETE_TCB; 3051 3052 nomem: 3053 return SCTP_DISPOSITION_NOMEM; 3054 } 3055 3056 /* 3057 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3058 * 3059 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3060 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3061 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3062 * packet must fill in the Verification Tag field of the outbound 3063 * packet with the Verification Tag received in the SHUTDOWN ACK and 3064 * set the T-bit in the Chunk Flags to indicate that the Verification 3065 * Tag is reflected. 3066 * 3067 * 8) The receiver should respond to the sender of the OOTB packet with 3068 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3069 * MUST fill in the Verification Tag field of the outbound packet 3070 * with the value found in the Verification Tag field of the OOTB 3071 * packet and set the T-bit in the Chunk Flags to indicate that the 3072 * Verification Tag is reflected. After sending this ABORT, the 3073 * receiver of the OOTB packet shall discard the OOTB packet and take 3074 * no further action. 3075 */ 3076 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3077 const struct sctp_association *asoc, 3078 const sctp_subtype_t type, 3079 void *arg, 3080 sctp_cmd_seq_t *commands) 3081 { 3082 struct sctp_chunk *chunk = arg; 3083 struct sk_buff *skb = chunk->skb; 3084 sctp_chunkhdr_t *ch; 3085 __u8 *ch_end; 3086 int ootb_shut_ack = 0; 3087 3088 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3089 3090 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3091 do { 3092 /* Break out if chunk length is less then minimal. */ 3093 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3094 break; 3095 3096 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3097 if (ch_end > skb->tail) 3098 break; 3099 3100 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3101 ootb_shut_ack = 1; 3102 3103 /* RFC 2960, Section 3.3.7 3104 * Moreover, under any circumstances, an endpoint that 3105 * receives an ABORT MUST NOT respond to that ABORT by 3106 * sending an ABORT of its own. 3107 */ 3108 if (SCTP_CID_ABORT == ch->type) 3109 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3110 3111 ch = (sctp_chunkhdr_t *) ch_end; 3112 } while (ch_end < skb->tail); 3113 3114 if (ootb_shut_ack) 3115 sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3116 else 3117 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3118 3119 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3120 } 3121 3122 /* 3123 * Handle an "Out of the blue" SHUTDOWN ACK. 3124 * 3125 * Section: 8.4 5, sctpimpguide 2.41. 3126 * 3127 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3128 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3129 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3130 * packet must fill in the Verification Tag field of the outbound 3131 * packet with the Verification Tag received in the SHUTDOWN ACK and 3132 * set the T-bit in the Chunk Flags to indicate that the Verification 3133 * Tag is reflected. 3134 * 3135 * Inputs 3136 * (endpoint, asoc, type, arg, commands) 3137 * 3138 * Outputs 3139 * (sctp_disposition_t) 3140 * 3141 * The return value is the disposition of the chunk. 3142 */ 3143 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3144 const struct sctp_association *asoc, 3145 const sctp_subtype_t type, 3146 void *arg, 3147 sctp_cmd_seq_t *commands) 3148 { 3149 struct sctp_packet *packet = NULL; 3150 struct sctp_chunk *chunk = arg; 3151 struct sctp_chunk *shut; 3152 3153 packet = sctp_ootb_pkt_new(asoc, chunk); 3154 3155 if (packet) { 3156 /* Make an SHUTDOWN_COMPLETE. 3157 * The T bit will be set if the asoc is NULL. 3158 */ 3159 shut = sctp_make_shutdown_complete(asoc, chunk); 3160 if (!shut) { 3161 sctp_ootb_pkt_free(packet); 3162 return SCTP_DISPOSITION_NOMEM; 3163 } 3164 3165 /* Reflect vtag if T-Bit is set */ 3166 if (sctp_test_T_bit(shut)) 3167 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3168 3169 /* Set the skb to the belonging sock for accounting. */ 3170 shut->skb->sk = ep->base.sk; 3171 3172 sctp_packet_append_chunk(packet, shut); 3173 3174 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3175 SCTP_PACKET(packet)); 3176 3177 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3178 3179 /* If the chunk length is invalid, we don't want to process 3180 * the reset of the packet. 3181 */ 3182 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3183 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3184 3185 return SCTP_DISPOSITION_CONSUME; 3186 } 3187 3188 return SCTP_DISPOSITION_NOMEM; 3189 } 3190 3191 /* 3192 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3193 * 3194 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3195 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3196 * procedures in section 8.4 SHOULD be followed, in other words it 3197 * should be treated as an Out Of The Blue packet. 3198 * [This means that we do NOT check the Verification Tag on these 3199 * chunks. --piggy ] 3200 * 3201 */ 3202 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3203 const struct sctp_association *asoc, 3204 const sctp_subtype_t type, 3205 void *arg, 3206 sctp_cmd_seq_t *commands) 3207 { 3208 /* Although we do have an association in this case, it corresponds 3209 * to a restarted association. So the packet is treated as an OOTB 3210 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3211 * called with a NULL association. 3212 */ 3213 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3214 } 3215 3216 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3217 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3218 const struct sctp_association *asoc, 3219 const sctp_subtype_t type, void *arg, 3220 sctp_cmd_seq_t *commands) 3221 { 3222 struct sctp_chunk *chunk = arg; 3223 struct sctp_chunk *asconf_ack = NULL; 3224 sctp_addiphdr_t *hdr; 3225 __u32 serial; 3226 3227 if (!sctp_vtag_verify(chunk, asoc)) { 3228 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3229 SCTP_NULL()); 3230 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3231 } 3232 3233 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3234 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3235 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3236 commands); 3237 3238 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3239 serial = ntohl(hdr->serial); 3240 3241 /* ADDIP 4.2 C1) Compare the value of the serial number to the value 3242 * the endpoint stored in a new association variable 3243 * 'Peer-Serial-Number'. 3244 */ 3245 if (serial == asoc->peer.addip_serial + 1) { 3246 /* ADDIP 4.2 C2) If the value found in the serial number is 3247 * equal to the ('Peer-Serial-Number' + 1), the endpoint MUST 3248 * do V1-V5. 3249 */ 3250 asconf_ack = sctp_process_asconf((struct sctp_association *) 3251 asoc, chunk); 3252 if (!asconf_ack) 3253 return SCTP_DISPOSITION_NOMEM; 3254 } else if (serial == asoc->peer.addip_serial) { 3255 /* ADDIP 4.2 C3) If the value found in the serial number is 3256 * equal to the value stored in the 'Peer-Serial-Number' 3257 * IMPLEMENTATION NOTE: As an optimization a receiver may wish 3258 * to save the last ASCONF-ACK for some predetermined period of 3259 * time and instead of re-processing the ASCONF (with the same 3260 * serial number) it may just re-transmit the ASCONF-ACK. 3261 */ 3262 if (asoc->addip_last_asconf_ack) 3263 asconf_ack = asoc->addip_last_asconf_ack; 3264 else 3265 return SCTP_DISPOSITION_DISCARD; 3266 } else { 3267 /* ADDIP 4.2 C4) Otherwise, the ASCONF Chunk is discarded since 3268 * it must be either a stale packet or from an attacker. 3269 */ 3270 return SCTP_DISPOSITION_DISCARD; 3271 } 3272 3273 /* ADDIP 4.2 C5) In both cases C2 and C3 the ASCONF-ACK MUST be sent 3274 * back to the source address contained in the IP header of the ASCONF 3275 * being responded to. 3276 */ 3277 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3278 3279 return SCTP_DISPOSITION_CONSUME; 3280 } 3281 3282 /* 3283 * ADDIP Section 4.3 General rules for address manipulation 3284 * When building TLV parameters for the ASCONF Chunk that will add or 3285 * delete IP addresses the D0 to D13 rules should be applied: 3286 */ 3287 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3288 const struct sctp_association *asoc, 3289 const sctp_subtype_t type, void *arg, 3290 sctp_cmd_seq_t *commands) 3291 { 3292 struct sctp_chunk *asconf_ack = arg; 3293 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3294 struct sctp_chunk *abort; 3295 sctp_addiphdr_t *addip_hdr; 3296 __u32 sent_serial, rcvd_serial; 3297 3298 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3299 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3300 SCTP_NULL()); 3301 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3302 } 3303 3304 /* Make sure that the ADDIP chunk has a valid length. */ 3305 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3306 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3307 commands); 3308 3309 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3310 rcvd_serial = ntohl(addip_hdr->serial); 3311 3312 if (last_asconf) { 3313 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3314 sent_serial = ntohl(addip_hdr->serial); 3315 } else { 3316 sent_serial = asoc->addip_serial - 1; 3317 } 3318 3319 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3320 * equal to the next serial number to be used but no ASCONF chunk is 3321 * outstanding the endpoint MUST ABORT the association. Note that a 3322 * sequence number is greater than if it is no more than 2^^31-1 3323 * larger than the current sequence number (using serial arithmetic). 3324 */ 3325 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3326 !(asoc->addip_last_asconf)) { 3327 abort = sctp_make_abort(asoc, asconf_ack, 3328 sizeof(sctp_errhdr_t)); 3329 if (abort) { 3330 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, NULL, 0); 3331 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3332 SCTP_CHUNK(abort)); 3333 } 3334 /* We are going to ABORT, so we might as well stop 3335 * processing the rest of the chunks in the packet. 3336 */ 3337 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3338 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3339 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3340 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3341 SCTP_ERROR(ECONNABORTED)); 3342 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3343 SCTP_U32(SCTP_ERROR_ASCONF_ACK)); 3344 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3345 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3346 return SCTP_DISPOSITION_ABORT; 3347 } 3348 3349 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3350 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3351 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3352 3353 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3354 asconf_ack)) 3355 return SCTP_DISPOSITION_CONSUME; 3356 3357 abort = sctp_make_abort(asoc, asconf_ack, 3358 sizeof(sctp_errhdr_t)); 3359 if (abort) { 3360 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, NULL, 0); 3361 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3362 SCTP_CHUNK(abort)); 3363 } 3364 /* We are going to ABORT, so we might as well stop 3365 * processing the rest of the chunks in the packet. 3366 */ 3367 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3368 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3369 SCTP_ERROR(ECONNABORTED)); 3370 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3371 SCTP_U32(SCTP_ERROR_ASCONF_ACK)); 3372 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3373 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3374 return SCTP_DISPOSITION_ABORT; 3375 } 3376 3377 return SCTP_DISPOSITION_DISCARD; 3378 } 3379 3380 /* 3381 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3382 * 3383 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3384 * its cumulative TSN point to the value carried in the FORWARD TSN 3385 * chunk, and then MUST further advance its cumulative TSN point locally 3386 * if possible. 3387 * After the above processing, the data receiver MUST stop reporting any 3388 * missing TSNs earlier than or equal to the new cumulative TSN point. 3389 * 3390 * Verification Tag: 8.5 Verification Tag [Normal verification] 3391 * 3392 * The return value is the disposition of the chunk. 3393 */ 3394 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3395 const struct sctp_association *asoc, 3396 const sctp_subtype_t type, 3397 void *arg, 3398 sctp_cmd_seq_t *commands) 3399 { 3400 struct sctp_chunk *chunk = arg; 3401 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3402 __u16 len; 3403 __u32 tsn; 3404 3405 if (!sctp_vtag_verify(chunk, asoc)) { 3406 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3407 SCTP_NULL()); 3408 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3409 } 3410 3411 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3412 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3413 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3414 commands); 3415 3416 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3417 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3418 len = ntohs(chunk->chunk_hdr->length); 3419 len -= sizeof(struct sctp_chunkhdr); 3420 skb_pull(chunk->skb, len); 3421 3422 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3423 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3424 3425 /* The TSN is too high--silently discard the chunk and count on it 3426 * getting retransmitted later. 3427 */ 3428 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3429 goto discard_noforce; 3430 3431 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3432 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3433 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3434 SCTP_CHUNK(chunk)); 3435 3436 /* Count this as receiving DATA. */ 3437 if (asoc->autoclose) { 3438 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3439 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3440 } 3441 3442 /* FIXME: For now send a SACK, but DATA processing may 3443 * send another. 3444 */ 3445 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3446 3447 return SCTP_DISPOSITION_CONSUME; 3448 3449 discard_noforce: 3450 return SCTP_DISPOSITION_DISCARD; 3451 } 3452 3453 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3454 const struct sctp_endpoint *ep, 3455 const struct sctp_association *asoc, 3456 const sctp_subtype_t type, 3457 void *arg, 3458 sctp_cmd_seq_t *commands) 3459 { 3460 struct sctp_chunk *chunk = arg; 3461 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3462 __u16 len; 3463 __u32 tsn; 3464 3465 if (!sctp_vtag_verify(chunk, asoc)) { 3466 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3467 SCTP_NULL()); 3468 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3469 } 3470 3471 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3472 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3473 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3474 commands); 3475 3476 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3477 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3478 len = ntohs(chunk->chunk_hdr->length); 3479 len -= sizeof(struct sctp_chunkhdr); 3480 skb_pull(chunk->skb, len); 3481 3482 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3483 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3484 3485 /* The TSN is too high--silently discard the chunk and count on it 3486 * getting retransmitted later. 3487 */ 3488 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3489 goto gen_shutdown; 3490 3491 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3492 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3493 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3494 SCTP_CHUNK(chunk)); 3495 3496 /* Go a head and force a SACK, since we are shutting down. */ 3497 gen_shutdown: 3498 /* Implementor's Guide. 3499 * 3500 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3501 * respond to each received packet containing one or more DATA chunk(s) 3502 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3503 */ 3504 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3505 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3506 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3507 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3508 3509 return SCTP_DISPOSITION_CONSUME; 3510 } 3511 3512 /* 3513 * Process an unknown chunk. 3514 * 3515 * Section: 3.2. Also, 2.1 in the implementor's guide. 3516 * 3517 * Chunk Types are encoded such that the highest-order two bits specify 3518 * the action that must be taken if the processing endpoint does not 3519 * recognize the Chunk Type. 3520 * 3521 * 00 - Stop processing this SCTP packet and discard it, do not process 3522 * any further chunks within it. 3523 * 3524 * 01 - Stop processing this SCTP packet and discard it, do not process 3525 * any further chunks within it, and report the unrecognized 3526 * chunk in an 'Unrecognized Chunk Type'. 3527 * 3528 * 10 - Skip this chunk and continue processing. 3529 * 3530 * 11 - Skip this chunk and continue processing, but report in an ERROR 3531 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3532 * 3533 * The return value is the disposition of the chunk. 3534 */ 3535 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3536 const struct sctp_association *asoc, 3537 const sctp_subtype_t type, 3538 void *arg, 3539 sctp_cmd_seq_t *commands) 3540 { 3541 struct sctp_chunk *unk_chunk = arg; 3542 struct sctp_chunk *err_chunk; 3543 sctp_chunkhdr_t *hdr; 3544 3545 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3546 3547 if (!sctp_vtag_verify(unk_chunk, asoc)) 3548 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3549 3550 /* Make sure that the chunk has a valid length. 3551 * Since we don't know the chunk type, we use a general 3552 * chunkhdr structure to make a comparison. 3553 */ 3554 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3555 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3556 commands); 3557 3558 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3559 case SCTP_CID_ACTION_DISCARD: 3560 /* Discard the packet. */ 3561 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3562 break; 3563 case SCTP_CID_ACTION_DISCARD_ERR: 3564 /* Discard the packet. */ 3565 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3566 3567 /* Generate an ERROR chunk as response. */ 3568 hdr = unk_chunk->chunk_hdr; 3569 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3570 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3571 WORD_ROUND(ntohs(hdr->length))); 3572 if (err_chunk) { 3573 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3574 SCTP_CHUNK(err_chunk)); 3575 } 3576 return SCTP_DISPOSITION_CONSUME; 3577 break; 3578 case SCTP_CID_ACTION_SKIP: 3579 /* Skip the chunk. */ 3580 return SCTP_DISPOSITION_DISCARD; 3581 break; 3582 case SCTP_CID_ACTION_SKIP_ERR: 3583 /* Generate an ERROR chunk as response. */ 3584 hdr = unk_chunk->chunk_hdr; 3585 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3586 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3587 WORD_ROUND(ntohs(hdr->length))); 3588 if (err_chunk) { 3589 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3590 SCTP_CHUNK(err_chunk)); 3591 } 3592 /* Skip the chunk. */ 3593 return SCTP_DISPOSITION_CONSUME; 3594 break; 3595 default: 3596 break; 3597 } 3598 3599 return SCTP_DISPOSITION_DISCARD; 3600 } 3601 3602 /* 3603 * Discard the chunk. 3604 * 3605 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 3606 * [Too numerous to mention...] 3607 * Verification Tag: No verification needed. 3608 * Inputs 3609 * (endpoint, asoc, chunk) 3610 * 3611 * Outputs 3612 * (asoc, reply_msg, msg_up, timers, counters) 3613 * 3614 * The return value is the disposition of the chunk. 3615 */ 3616 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 3617 const struct sctp_association *asoc, 3618 const sctp_subtype_t type, 3619 void *arg, 3620 sctp_cmd_seq_t *commands) 3621 { 3622 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 3623 return SCTP_DISPOSITION_DISCARD; 3624 } 3625 3626 /* 3627 * Discard the whole packet. 3628 * 3629 * Section: 8.4 2) 3630 * 3631 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 3632 * silently discard the OOTB packet and take no further action. 3633 * 3634 * Verification Tag: No verification necessary 3635 * 3636 * Inputs 3637 * (endpoint, asoc, chunk) 3638 * 3639 * Outputs 3640 * (asoc, reply_msg, msg_up, timers, counters) 3641 * 3642 * The return value is the disposition of the chunk. 3643 */ 3644 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 3645 const struct sctp_association *asoc, 3646 const sctp_subtype_t type, 3647 void *arg, 3648 sctp_cmd_seq_t *commands) 3649 { 3650 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3651 3652 return SCTP_DISPOSITION_CONSUME; 3653 } 3654 3655 3656 /* 3657 * The other end is violating protocol. 3658 * 3659 * Section: Not specified 3660 * Verification Tag: Not specified 3661 * Inputs 3662 * (endpoint, asoc, chunk) 3663 * 3664 * Outputs 3665 * (asoc, reply_msg, msg_up, timers, counters) 3666 * 3667 * We simply tag the chunk as a violation. The state machine will log 3668 * the violation and continue. 3669 */ 3670 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 3671 const struct sctp_association *asoc, 3672 const sctp_subtype_t type, 3673 void *arg, 3674 sctp_cmd_seq_t *commands) 3675 { 3676 return SCTP_DISPOSITION_VIOLATION; 3677 } 3678 3679 3680 /* 3681 * Handle a protocol violation when the chunk length is invalid. 3682 * "Invalid" length is identified as smaller then the minimal length a 3683 * given chunk can be. For example, a SACK chunk has invalid length 3684 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 3685 * 3686 * We inform the other end by sending an ABORT with a Protocol Violation 3687 * error code. 3688 * 3689 * Section: Not specified 3690 * Verification Tag: Nothing to do 3691 * Inputs 3692 * (endpoint, asoc, chunk) 3693 * 3694 * Outputs 3695 * (reply_msg, msg_up, counters) 3696 * 3697 * Generate an ABORT chunk and terminate the association. 3698 */ 3699 static sctp_disposition_t sctp_sf_violation_chunklen( 3700 const struct sctp_endpoint *ep, 3701 const struct sctp_association *asoc, 3702 const sctp_subtype_t type, 3703 void *arg, 3704 sctp_cmd_seq_t *commands) 3705 { 3706 struct sctp_chunk *chunk = arg; 3707 struct sctp_chunk *abort = NULL; 3708 char err_str[]="The following chunk had invalid length:"; 3709 3710 /* Make the abort chunk. */ 3711 abort = sctp_make_abort_violation(asoc, chunk, err_str, 3712 sizeof(err_str)); 3713 if (!abort) 3714 goto nomem; 3715 3716 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 3717 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3718 3719 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 3720 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3721 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3722 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3723 SCTP_ERROR(ECONNREFUSED)); 3724 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 3725 SCTP_U32(SCTP_ERROR_PROTO_VIOLATION)); 3726 } else { 3727 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3728 SCTP_ERROR(ECONNABORTED)); 3729 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3730 SCTP_U32(SCTP_ERROR_PROTO_VIOLATION)); 3731 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3732 } 3733 3734 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3735 3736 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3737 3738 return SCTP_DISPOSITION_ABORT; 3739 3740 nomem: 3741 return SCTP_DISPOSITION_NOMEM; 3742 } 3743 3744 /*************************************************************************** 3745 * These are the state functions for handling primitive (Section 10) events. 3746 ***************************************************************************/ 3747 /* 3748 * sctp_sf_do_prm_asoc 3749 * 3750 * Section: 10.1 ULP-to-SCTP 3751 * B) Associate 3752 * 3753 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 3754 * outbound stream count) 3755 * -> association id [,destination transport addr list] [,outbound stream 3756 * count] 3757 * 3758 * This primitive allows the upper layer to initiate an association to a 3759 * specific peer endpoint. 3760 * 3761 * The peer endpoint shall be specified by one of the transport addresses 3762 * which defines the endpoint (see Section 1.4). If the local SCTP 3763 * instance has not been initialized, the ASSOCIATE is considered an 3764 * error. 3765 * [This is not relevant for the kernel implementation since we do all 3766 * initialization at boot time. It we hadn't initialized we wouldn't 3767 * get anywhere near this code.] 3768 * 3769 * An association id, which is a local handle to the SCTP association, 3770 * will be returned on successful establishment of the association. If 3771 * SCTP is not able to open an SCTP association with the peer endpoint, 3772 * an error is returned. 3773 * [In the kernel implementation, the struct sctp_association needs to 3774 * be created BEFORE causing this primitive to run.] 3775 * 3776 * Other association parameters may be returned, including the 3777 * complete destination transport addresses of the peer as well as the 3778 * outbound stream count of the local endpoint. One of the transport 3779 * address from the returned destination addresses will be selected by 3780 * the local endpoint as default primary path for sending SCTP packets 3781 * to this peer. The returned "destination transport addr list" can 3782 * be used by the ULP to change the default primary path or to force 3783 * sending a packet to a specific transport address. [All of this 3784 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 3785 * function.] 3786 * 3787 * Mandatory attributes: 3788 * 3789 * o local SCTP instance name - obtained from the INITIALIZE operation. 3790 * [This is the argument asoc.] 3791 * o destination transport addr - specified as one of the transport 3792 * addresses of the peer endpoint with which the association is to be 3793 * established. 3794 * [This is asoc->peer.active_path.] 3795 * o outbound stream count - the number of outbound streams the ULP 3796 * would like to open towards this peer endpoint. 3797 * [BUG: This is not currently implemented.] 3798 * Optional attributes: 3799 * 3800 * None. 3801 * 3802 * The return value is a disposition. 3803 */ 3804 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 3805 const struct sctp_association *asoc, 3806 const sctp_subtype_t type, 3807 void *arg, 3808 sctp_cmd_seq_t *commands) 3809 { 3810 struct sctp_chunk *repl; 3811 3812 /* The comment below says that we enter COOKIE-WAIT AFTER 3813 * sending the INIT, but that doesn't actually work in our 3814 * implementation... 3815 */ 3816 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3817 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 3818 3819 /* RFC 2960 5.1 Normal Establishment of an Association 3820 * 3821 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 3822 * must provide its Verification Tag (Tag_A) in the Initiate 3823 * Tag field. Tag_A SHOULD be a random number in the range of 3824 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 3825 */ 3826 3827 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 3828 if (!repl) 3829 goto nomem; 3830 3831 /* Cast away the const modifier, as we want to just 3832 * rerun it through as a sideffect. 3833 */ 3834 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, 3835 SCTP_ASOC((struct sctp_association *) asoc)); 3836 3837 /* Choose transport for INIT. */ 3838 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 3839 SCTP_CHUNK(repl)); 3840 3841 /* After sending the INIT, "A" starts the T1-init timer and 3842 * enters the COOKIE-WAIT state. 3843 */ 3844 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3845 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3846 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 3847 return SCTP_DISPOSITION_CONSUME; 3848 3849 nomem: 3850 return SCTP_DISPOSITION_NOMEM; 3851 } 3852 3853 /* 3854 * Process the SEND primitive. 3855 * 3856 * Section: 10.1 ULP-to-SCTP 3857 * E) Send 3858 * 3859 * Format: SEND(association id, buffer address, byte count [,context] 3860 * [,stream id] [,life time] [,destination transport address] 3861 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 3862 * -> result 3863 * 3864 * This is the main method to send user data via SCTP. 3865 * 3866 * Mandatory attributes: 3867 * 3868 * o association id - local handle to the SCTP association 3869 * 3870 * o buffer address - the location where the user message to be 3871 * transmitted is stored; 3872 * 3873 * o byte count - The size of the user data in number of bytes; 3874 * 3875 * Optional attributes: 3876 * 3877 * o context - an optional 32 bit integer that will be carried in the 3878 * sending failure notification to the ULP if the transportation of 3879 * this User Message fails. 3880 * 3881 * o stream id - to indicate which stream to send the data on. If not 3882 * specified, stream 0 will be used. 3883 * 3884 * o life time - specifies the life time of the user data. The user data 3885 * will not be sent by SCTP after the life time expires. This 3886 * parameter can be used to avoid efforts to transmit stale 3887 * user messages. SCTP notifies the ULP if the data cannot be 3888 * initiated to transport (i.e. sent to the destination via SCTP's 3889 * send primitive) within the life time variable. However, the 3890 * user data will be transmitted if SCTP has attempted to transmit a 3891 * chunk before the life time expired. 3892 * 3893 * o destination transport address - specified as one of the destination 3894 * transport addresses of the peer endpoint to which this packet 3895 * should be sent. Whenever possible, SCTP should use this destination 3896 * transport address for sending the packets, instead of the current 3897 * primary path. 3898 * 3899 * o unorder flag - this flag, if present, indicates that the user 3900 * would like the data delivered in an unordered fashion to the peer 3901 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 3902 * message). 3903 * 3904 * o no-bundle flag - instructs SCTP not to bundle this user data with 3905 * other outbound DATA chunks. SCTP MAY still bundle even when 3906 * this flag is present, when faced with network congestion. 3907 * 3908 * o payload protocol-id - A 32 bit unsigned integer that is to be 3909 * passed to the peer indicating the type of payload protocol data 3910 * being transmitted. This value is passed as opaque data by SCTP. 3911 * 3912 * The return value is the disposition. 3913 */ 3914 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 3915 const struct sctp_association *asoc, 3916 const sctp_subtype_t type, 3917 void *arg, 3918 sctp_cmd_seq_t *commands) 3919 { 3920 struct sctp_chunk *chunk = arg; 3921 3922 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 3923 return SCTP_DISPOSITION_CONSUME; 3924 } 3925 3926 /* 3927 * Process the SHUTDOWN primitive. 3928 * 3929 * Section: 10.1: 3930 * C) Shutdown 3931 * 3932 * Format: SHUTDOWN(association id) 3933 * -> result 3934 * 3935 * Gracefully closes an association. Any locally queued user data 3936 * will be delivered to the peer. The association will be terminated only 3937 * after the peer acknowledges all the SCTP packets sent. A success code 3938 * will be returned on successful termination of the association. If 3939 * attempting to terminate the association results in a failure, an error 3940 * code shall be returned. 3941 * 3942 * Mandatory attributes: 3943 * 3944 * o association id - local handle to the SCTP association 3945 * 3946 * Optional attributes: 3947 * 3948 * None. 3949 * 3950 * The return value is the disposition. 3951 */ 3952 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 3953 const struct sctp_endpoint *ep, 3954 const struct sctp_association *asoc, 3955 const sctp_subtype_t type, 3956 void *arg, 3957 sctp_cmd_seq_t *commands) 3958 { 3959 int disposition; 3960 3961 /* From 9.2 Shutdown of an Association 3962 * Upon receipt of the SHUTDOWN primitive from its upper 3963 * layer, the endpoint enters SHUTDOWN-PENDING state and 3964 * remains there until all outstanding data has been 3965 * acknowledged by its peer. The endpoint accepts no new data 3966 * from its upper layer, but retransmits data to the far end 3967 * if necessary to fill gaps. 3968 */ 3969 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3970 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 3971 3972 /* sctpimpguide-05 Section 2.12.2 3973 * The sender of the SHUTDOWN MAY also start an overall guard timer 3974 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 3975 */ 3976 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3977 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3978 3979 disposition = SCTP_DISPOSITION_CONSUME; 3980 if (sctp_outq_is_empty(&asoc->outqueue)) { 3981 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 3982 arg, commands); 3983 } 3984 return disposition; 3985 } 3986 3987 /* 3988 * Process the ABORT primitive. 3989 * 3990 * Section: 10.1: 3991 * C) Abort 3992 * 3993 * Format: Abort(association id [, cause code]) 3994 * -> result 3995 * 3996 * Ungracefully closes an association. Any locally queued user data 3997 * will be discarded and an ABORT chunk is sent to the peer. A success code 3998 * will be returned on successful abortion of the association. If 3999 * attempting to abort the association results in a failure, an error 4000 * code shall be returned. 4001 * 4002 * Mandatory attributes: 4003 * 4004 * o association id - local handle to the SCTP association 4005 * 4006 * Optional attributes: 4007 * 4008 * o cause code - reason of the abort to be passed to the peer 4009 * 4010 * None. 4011 * 4012 * The return value is the disposition. 4013 */ 4014 sctp_disposition_t sctp_sf_do_9_1_prm_abort( 4015 const struct sctp_endpoint *ep, 4016 const struct sctp_association *asoc, 4017 const sctp_subtype_t type, 4018 void *arg, 4019 sctp_cmd_seq_t *commands) 4020 { 4021 /* From 9.1 Abort of an Association 4022 * Upon receipt of the ABORT primitive from its upper 4023 * layer, the endpoint enters CLOSED state and 4024 * discard all outstanding data has been 4025 * acknowledged by its peer. The endpoint accepts no new data 4026 * from its upper layer, but retransmits data to the far end 4027 * if necessary to fill gaps. 4028 */ 4029 struct msghdr *msg = arg; 4030 struct sctp_chunk *abort; 4031 sctp_disposition_t retval; 4032 4033 retval = SCTP_DISPOSITION_CONSUME; 4034 4035 /* Generate ABORT chunk to send the peer. */ 4036 abort = sctp_make_abort_user(asoc, NULL, msg); 4037 if (!abort) 4038 retval = SCTP_DISPOSITION_NOMEM; 4039 else 4040 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4041 4042 /* Even if we can't send the ABORT due to low memory delete the 4043 * TCB. This is a departure from our typical NOMEM handling. 4044 */ 4045 4046 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4047 SCTP_ERROR(ECONNABORTED)); 4048 /* Delete the established association. */ 4049 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4050 SCTP_U32(SCTP_ERROR_USER_ABORT)); 4051 4052 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4053 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4054 4055 return retval; 4056 } 4057 4058 /* We tried an illegal operation on an association which is closed. */ 4059 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4060 const struct sctp_association *asoc, 4061 const sctp_subtype_t type, 4062 void *arg, 4063 sctp_cmd_seq_t *commands) 4064 { 4065 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4066 return SCTP_DISPOSITION_CONSUME; 4067 } 4068 4069 /* We tried an illegal operation on an association which is shutting 4070 * down. 4071 */ 4072 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4073 const struct sctp_association *asoc, 4074 const sctp_subtype_t type, 4075 void *arg, 4076 sctp_cmd_seq_t *commands) 4077 { 4078 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4079 SCTP_ERROR(-ESHUTDOWN)); 4080 return SCTP_DISPOSITION_CONSUME; 4081 } 4082 4083 /* 4084 * sctp_cookie_wait_prm_shutdown 4085 * 4086 * Section: 4 Note: 2 4087 * Verification Tag: 4088 * Inputs 4089 * (endpoint, asoc) 4090 * 4091 * The RFC does not explicitly address this issue, but is the route through the 4092 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4093 * 4094 * Outputs 4095 * (timers) 4096 */ 4097 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4098 const struct sctp_endpoint *ep, 4099 const struct sctp_association *asoc, 4100 const sctp_subtype_t type, 4101 void *arg, 4102 sctp_cmd_seq_t *commands) 4103 { 4104 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4105 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4106 4107 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4108 SCTP_STATE(SCTP_STATE_CLOSED)); 4109 4110 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4111 4112 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4113 4114 return SCTP_DISPOSITION_DELETE_TCB; 4115 } 4116 4117 /* 4118 * sctp_cookie_echoed_prm_shutdown 4119 * 4120 * Section: 4 Note: 2 4121 * Verification Tag: 4122 * Inputs 4123 * (endpoint, asoc) 4124 * 4125 * The RFC does not explcitly address this issue, but is the route through the 4126 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4127 * 4128 * Outputs 4129 * (timers) 4130 */ 4131 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4132 const struct sctp_endpoint *ep, 4133 const struct sctp_association *asoc, 4134 const sctp_subtype_t type, 4135 void *arg, sctp_cmd_seq_t *commands) 4136 { 4137 /* There is a single T1 timer, so we should be able to use 4138 * common function with the COOKIE-WAIT state. 4139 */ 4140 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4141 } 4142 4143 /* 4144 * sctp_sf_cookie_wait_prm_abort 4145 * 4146 * Section: 4 Note: 2 4147 * Verification Tag: 4148 * Inputs 4149 * (endpoint, asoc) 4150 * 4151 * The RFC does not explicitly address this issue, but is the route through the 4152 * state table when someone issues an abort while in COOKIE_WAIT state. 4153 * 4154 * Outputs 4155 * (timers) 4156 */ 4157 sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4158 const struct sctp_endpoint *ep, 4159 const struct sctp_association *asoc, 4160 const sctp_subtype_t type, 4161 void *arg, 4162 sctp_cmd_seq_t *commands) 4163 { 4164 struct msghdr *msg = arg; 4165 struct sctp_chunk *abort; 4166 sctp_disposition_t retval; 4167 4168 /* Stop T1-init timer */ 4169 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4170 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4171 retval = SCTP_DISPOSITION_CONSUME; 4172 4173 /* Generate ABORT chunk to send the peer */ 4174 abort = sctp_make_abort_user(asoc, NULL, msg); 4175 if (!abort) 4176 retval = SCTP_DISPOSITION_NOMEM; 4177 else 4178 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4179 4180 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4181 SCTP_STATE(SCTP_STATE_CLOSED)); 4182 4183 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4184 4185 /* Even if we can't send the ABORT due to low memory delete the 4186 * TCB. This is a departure from our typical NOMEM handling. 4187 */ 4188 4189 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4190 SCTP_ERROR(ECONNREFUSED)); 4191 /* Delete the established association. */ 4192 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4193 SCTP_U32(SCTP_ERROR_USER_ABORT)); 4194 4195 return retval; 4196 } 4197 4198 /* 4199 * sctp_sf_cookie_echoed_prm_abort 4200 * 4201 * Section: 4 Note: 3 4202 * Verification Tag: 4203 * Inputs 4204 * (endpoint, asoc) 4205 * 4206 * The RFC does not explcitly address this issue, but is the route through the 4207 * state table when someone issues an abort while in COOKIE_ECHOED state. 4208 * 4209 * Outputs 4210 * (timers) 4211 */ 4212 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4213 const struct sctp_endpoint *ep, 4214 const struct sctp_association *asoc, 4215 const sctp_subtype_t type, 4216 void *arg, 4217 sctp_cmd_seq_t *commands) 4218 { 4219 /* There is a single T1 timer, so we should be able to use 4220 * common function with the COOKIE-WAIT state. 4221 */ 4222 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4223 } 4224 4225 /* 4226 * sctp_sf_shutdown_pending_prm_abort 4227 * 4228 * Inputs 4229 * (endpoint, asoc) 4230 * 4231 * The RFC does not explicitly address this issue, but is the route through the 4232 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4233 * 4234 * Outputs 4235 * (timers) 4236 */ 4237 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4238 const struct sctp_endpoint *ep, 4239 const struct sctp_association *asoc, 4240 const sctp_subtype_t type, 4241 void *arg, 4242 sctp_cmd_seq_t *commands) 4243 { 4244 /* Stop the T5-shutdown guard timer. */ 4245 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4246 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4247 4248 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4249 } 4250 4251 /* 4252 * sctp_sf_shutdown_sent_prm_abort 4253 * 4254 * Inputs 4255 * (endpoint, asoc) 4256 * 4257 * The RFC does not explicitly address this issue, but is the route through the 4258 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4259 * 4260 * Outputs 4261 * (timers) 4262 */ 4263 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4264 const struct sctp_endpoint *ep, 4265 const struct sctp_association *asoc, 4266 const sctp_subtype_t type, 4267 void *arg, 4268 sctp_cmd_seq_t *commands) 4269 { 4270 /* Stop the T2-shutdown timer. */ 4271 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4272 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4273 4274 /* Stop the T5-shutdown guard timer. */ 4275 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4276 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4277 4278 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4279 } 4280 4281 /* 4282 * sctp_sf_cookie_echoed_prm_abort 4283 * 4284 * Inputs 4285 * (endpoint, asoc) 4286 * 4287 * The RFC does not explcitly address this issue, but is the route through the 4288 * state table when someone issues an abort while in COOKIE_ECHOED state. 4289 * 4290 * Outputs 4291 * (timers) 4292 */ 4293 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4294 const struct sctp_endpoint *ep, 4295 const struct sctp_association *asoc, 4296 const sctp_subtype_t type, 4297 void *arg, 4298 sctp_cmd_seq_t *commands) 4299 { 4300 /* The same T2 timer, so we should be able to use 4301 * common function with the SHUTDOWN-SENT state. 4302 */ 4303 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4304 } 4305 4306 /* 4307 * Process the REQUESTHEARTBEAT primitive 4308 * 4309 * 10.1 ULP-to-SCTP 4310 * J) Request Heartbeat 4311 * 4312 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4313 * 4314 * -> result 4315 * 4316 * Instructs the local endpoint to perform a HeartBeat on the specified 4317 * destination transport address of the given association. The returned 4318 * result should indicate whether the transmission of the HEARTBEAT 4319 * chunk to the destination address is successful. 4320 * 4321 * Mandatory attributes: 4322 * 4323 * o association id - local handle to the SCTP association 4324 * 4325 * o destination transport address - the transport address of the 4326 * association on which a heartbeat should be issued. 4327 */ 4328 sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4329 const struct sctp_endpoint *ep, 4330 const struct sctp_association *asoc, 4331 const sctp_subtype_t type, 4332 void *arg, 4333 sctp_cmd_seq_t *commands) 4334 { 4335 return sctp_sf_heartbeat(ep, asoc, type, (struct sctp_transport *)arg, 4336 commands); 4337 } 4338 4339 /* 4340 * ADDIP Section 4.1 ASCONF Chunk Procedures 4341 * When an endpoint has an ASCONF signaled change to be sent to the 4342 * remote endpoint it should do A1 to A9 4343 */ 4344 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4345 const struct sctp_association *asoc, 4346 const sctp_subtype_t type, 4347 void *arg, 4348 sctp_cmd_seq_t *commands) 4349 { 4350 struct sctp_chunk *chunk = arg; 4351 4352 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4353 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4354 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4355 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4356 return SCTP_DISPOSITION_CONSUME; 4357 } 4358 4359 /* 4360 * Ignore the primitive event 4361 * 4362 * The return value is the disposition of the primitive. 4363 */ 4364 sctp_disposition_t sctp_sf_ignore_primitive( 4365 const struct sctp_endpoint *ep, 4366 const struct sctp_association *asoc, 4367 const sctp_subtype_t type, 4368 void *arg, 4369 sctp_cmd_seq_t *commands) 4370 { 4371 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4372 return SCTP_DISPOSITION_DISCARD; 4373 } 4374 4375 /*************************************************************************** 4376 * These are the state functions for the OTHER events. 4377 ***************************************************************************/ 4378 4379 /* 4380 * Start the shutdown negotiation. 4381 * 4382 * From Section 9.2: 4383 * Once all its outstanding data has been acknowledged, the endpoint 4384 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4385 * TSN Ack field the last sequential TSN it has received from the peer. 4386 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4387 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4388 * with the updated last sequential TSN received from its peer. 4389 * 4390 * The return value is the disposition. 4391 */ 4392 sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4393 const struct sctp_endpoint *ep, 4394 const struct sctp_association *asoc, 4395 const sctp_subtype_t type, 4396 void *arg, 4397 sctp_cmd_seq_t *commands) 4398 { 4399 struct sctp_chunk *reply; 4400 4401 /* Once all its outstanding data has been acknowledged, the 4402 * endpoint shall send a SHUTDOWN chunk to its peer including 4403 * in the Cumulative TSN Ack field the last sequential TSN it 4404 * has received from the peer. 4405 */ 4406 reply = sctp_make_shutdown(asoc, NULL); 4407 if (!reply) 4408 goto nomem; 4409 4410 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4411 * T2-shutdown timer. 4412 */ 4413 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4414 4415 /* It shall then start the T2-shutdown timer */ 4416 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4417 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4418 4419 if (asoc->autoclose) 4420 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4421 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4422 4423 /* and enter the SHUTDOWN-SENT state. */ 4424 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4425 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4426 4427 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4428 * 4429 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4430 * or SHUTDOWN-ACK. 4431 */ 4432 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4433 4434 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4435 4436 return SCTP_DISPOSITION_CONSUME; 4437 4438 nomem: 4439 return SCTP_DISPOSITION_NOMEM; 4440 } 4441 4442 /* 4443 * Generate a SHUTDOWN ACK now that everything is SACK'd. 4444 * 4445 * From Section 9.2: 4446 * 4447 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4448 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 4449 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 4450 * endpoint must re-send the SHUTDOWN ACK. 4451 * 4452 * The return value is the disposition. 4453 */ 4454 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 4455 const struct sctp_endpoint *ep, 4456 const struct sctp_association *asoc, 4457 const sctp_subtype_t type, 4458 void *arg, 4459 sctp_cmd_seq_t *commands) 4460 { 4461 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 4462 struct sctp_chunk *reply; 4463 4464 /* There are 2 ways of getting here: 4465 * 1) called in response to a SHUTDOWN chunk 4466 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 4467 * 4468 * For the case (2), the arg parameter is set to NULL. We need 4469 * to check that we have a chunk before accessing it's fields. 4470 */ 4471 if (chunk) { 4472 if (!sctp_vtag_verify(chunk, asoc)) 4473 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4474 4475 /* Make sure that the SHUTDOWN chunk has a valid length. */ 4476 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 4477 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4478 commands); 4479 } 4480 4481 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4482 * shall send a SHUTDOWN ACK ... 4483 */ 4484 reply = sctp_make_shutdown_ack(asoc, chunk); 4485 if (!reply) 4486 goto nomem; 4487 4488 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 4489 * the T2-shutdown timer. 4490 */ 4491 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4492 4493 /* and start/restart a T2-shutdown timer of its own, */ 4494 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4495 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4496 4497 if (asoc->autoclose) 4498 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4499 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4500 4501 /* Enter the SHUTDOWN-ACK-SENT state. */ 4502 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4503 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 4504 4505 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4506 * 4507 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4508 * or SHUTDOWN-ACK. 4509 */ 4510 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4511 4512 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4513 4514 return SCTP_DISPOSITION_CONSUME; 4515 4516 nomem: 4517 return SCTP_DISPOSITION_NOMEM; 4518 } 4519 4520 /* 4521 * Ignore the event defined as other 4522 * 4523 * The return value is the disposition of the event. 4524 */ 4525 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 4526 const struct sctp_association *asoc, 4527 const sctp_subtype_t type, 4528 void *arg, 4529 sctp_cmd_seq_t *commands) 4530 { 4531 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 4532 return SCTP_DISPOSITION_DISCARD; 4533 } 4534 4535 /************************************************************ 4536 * These are the state functions for handling timeout events. 4537 ************************************************************/ 4538 4539 /* 4540 * RTX Timeout 4541 * 4542 * Section: 6.3.3 Handle T3-rtx Expiration 4543 * 4544 * Whenever the retransmission timer T3-rtx expires for a destination 4545 * address, do the following: 4546 * [See below] 4547 * 4548 * The return value is the disposition of the chunk. 4549 */ 4550 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 4551 const struct sctp_association *asoc, 4552 const sctp_subtype_t type, 4553 void *arg, 4554 sctp_cmd_seq_t *commands) 4555 { 4556 struct sctp_transport *transport = arg; 4557 4558 if (asoc->overall_error_count >= asoc->max_retrans) { 4559 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4560 SCTP_ERROR(ETIMEDOUT)); 4561 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4562 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4563 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4564 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4565 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4566 return SCTP_DISPOSITION_DELETE_TCB; 4567 } 4568 4569 /* E1) For the destination address for which the timer 4570 * expires, adjust its ssthresh with rules defined in Section 4571 * 7.2.3 and set the cwnd <- MTU. 4572 */ 4573 4574 /* E2) For the destination address for which the timer 4575 * expires, set RTO <- RTO * 2 ("back off the timer"). The 4576 * maximum value discussed in rule C7 above (RTO.max) may be 4577 * used to provide an upper bound to this doubling operation. 4578 */ 4579 4580 /* E3) Determine how many of the earliest (i.e., lowest TSN) 4581 * outstanding DATA chunks for the address for which the 4582 * T3-rtx has expired will fit into a single packet, subject 4583 * to the MTU constraint for the path corresponding to the 4584 * destination transport address to which the retransmission 4585 * is being sent (this may be different from the address for 4586 * which the timer expires [see Section 6.4]). Call this 4587 * value K. Bundle and retransmit those K DATA chunks in a 4588 * single packet to the destination endpoint. 4589 * 4590 * Note: Any DATA chunks that were sent to the address for 4591 * which the T3-rtx timer expired but did not fit in one MTU 4592 * (rule E3 above), should be marked for retransmission and 4593 * sent as soon as cwnd allows (normally when a SACK arrives). 4594 */ 4595 4596 /* NB: Rules E4 and F1 are implicit in R1. */ 4597 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 4598 4599 /* Do some failure management (Section 8.2). */ 4600 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4601 4602 return SCTP_DISPOSITION_CONSUME; 4603 } 4604 4605 /* 4606 * Generate delayed SACK on timeout 4607 * 4608 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 4609 * 4610 * The guidelines on delayed acknowledgement algorithm specified in 4611 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 4612 * acknowledgement SHOULD be generated for at least every second packet 4613 * (not every second DATA chunk) received, and SHOULD be generated 4614 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 4615 * some situations it may be beneficial for an SCTP transmitter to be 4616 * more conservative than the algorithms detailed in this document 4617 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 4618 * the following algorithms allow. 4619 */ 4620 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 4621 const struct sctp_association *asoc, 4622 const sctp_subtype_t type, 4623 void *arg, 4624 sctp_cmd_seq_t *commands) 4625 { 4626 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4627 return SCTP_DISPOSITION_CONSUME; 4628 } 4629 4630 /* 4631 * sctp_sf_t1_init_timer_expire 4632 * 4633 * Section: 4 Note: 2 4634 * Verification Tag: 4635 * Inputs 4636 * (endpoint, asoc) 4637 * 4638 * RFC 2960 Section 4 Notes 4639 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 4640 * and re-start the T1-init timer without changing state. This MUST 4641 * be repeated up to 'Max.Init.Retransmits' times. After that, the 4642 * endpoint MUST abort the initialization process and report the 4643 * error to SCTP user. 4644 * 4645 * Outputs 4646 * (timers, events) 4647 * 4648 */ 4649 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 4650 const struct sctp_association *asoc, 4651 const sctp_subtype_t type, 4652 void *arg, 4653 sctp_cmd_seq_t *commands) 4654 { 4655 struct sctp_chunk *repl = NULL; 4656 struct sctp_bind_addr *bp; 4657 int attempts = asoc->init_err_counter + 1; 4658 4659 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 4660 4661 if (attempts <= asoc->max_init_attempts) { 4662 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 4663 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 4664 if (!repl) 4665 return SCTP_DISPOSITION_NOMEM; 4666 4667 /* Choose transport for INIT. */ 4668 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4669 SCTP_CHUNK(repl)); 4670 4671 /* Issue a sideeffect to do the needed accounting. */ 4672 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 4673 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4674 4675 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4676 } else { 4677 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 4678 " max_init_attempts: %d\n", 4679 attempts, asoc->max_init_attempts); 4680 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4681 SCTP_ERROR(ETIMEDOUT)); 4682 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4683 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4684 return SCTP_DISPOSITION_DELETE_TCB; 4685 } 4686 4687 return SCTP_DISPOSITION_CONSUME; 4688 } 4689 4690 /* 4691 * sctp_sf_t1_cookie_timer_expire 4692 * 4693 * Section: 4 Note: 2 4694 * Verification Tag: 4695 * Inputs 4696 * (endpoint, asoc) 4697 * 4698 * RFC 2960 Section 4 Notes 4699 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 4700 * COOKIE ECHO and re-start the T1-cookie timer without changing 4701 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 4702 * After that, the endpoint MUST abort the initialization process and 4703 * report the error to SCTP user. 4704 * 4705 * Outputs 4706 * (timers, events) 4707 * 4708 */ 4709 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 4710 const struct sctp_association *asoc, 4711 const sctp_subtype_t type, 4712 void *arg, 4713 sctp_cmd_seq_t *commands) 4714 { 4715 struct sctp_chunk *repl = NULL; 4716 int attempts = asoc->init_err_counter + 1; 4717 4718 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 4719 4720 if (attempts <= asoc->max_init_attempts) { 4721 repl = sctp_make_cookie_echo(asoc, NULL); 4722 if (!repl) 4723 return SCTP_DISPOSITION_NOMEM; 4724 4725 /* Issue a sideeffect to do the needed accounting. */ 4726 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 4727 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 4728 4729 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4730 } else { 4731 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4732 SCTP_ERROR(ETIMEDOUT)); 4733 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4734 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4735 return SCTP_DISPOSITION_DELETE_TCB; 4736 } 4737 4738 return SCTP_DISPOSITION_CONSUME; 4739 } 4740 4741 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 4742 * with the updated last sequential TSN received from its peer. 4743 * 4744 * An endpoint should limit the number of retransmissions of the 4745 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 4746 * If this threshold is exceeded the endpoint should destroy the TCB and 4747 * MUST report the peer endpoint unreachable to the upper layer (and 4748 * thus the association enters the CLOSED state). The reception of any 4749 * packet from its peer (i.e. as the peer sends all of its queued DATA 4750 * chunks) should clear the endpoint's retransmission count and restart 4751 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 4752 * all of its queued DATA chunks that have not yet been sent. 4753 */ 4754 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 4755 const struct sctp_association *asoc, 4756 const sctp_subtype_t type, 4757 void *arg, 4758 sctp_cmd_seq_t *commands) 4759 { 4760 struct sctp_chunk *reply = NULL; 4761 4762 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 4763 if (asoc->overall_error_count >= asoc->max_retrans) { 4764 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4765 SCTP_ERROR(ETIMEDOUT)); 4766 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4767 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4768 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4769 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4770 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4771 return SCTP_DISPOSITION_DELETE_TCB; 4772 } 4773 4774 switch (asoc->state) { 4775 case SCTP_STATE_SHUTDOWN_SENT: 4776 reply = sctp_make_shutdown(asoc, NULL); 4777 break; 4778 4779 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4780 reply = sctp_make_shutdown_ack(asoc, NULL); 4781 break; 4782 4783 default: 4784 BUG(); 4785 break; 4786 }; 4787 4788 if (!reply) 4789 goto nomem; 4790 4791 /* Do some failure management (Section 8.2). */ 4792 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 4793 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 4794 4795 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 4796 * the T2-shutdown timer. 4797 */ 4798 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4799 4800 /* Restart the T2-shutdown timer. */ 4801 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4802 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4803 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4804 return SCTP_DISPOSITION_CONSUME; 4805 4806 nomem: 4807 return SCTP_DISPOSITION_NOMEM; 4808 } 4809 4810 /* 4811 * ADDIP Section 4.1 ASCONF CHunk Procedures 4812 * If the T4 RTO timer expires the endpoint should do B1 to B5 4813 */ 4814 sctp_disposition_t sctp_sf_t4_timer_expire( 4815 const struct sctp_endpoint *ep, 4816 const struct sctp_association *asoc, 4817 const sctp_subtype_t type, 4818 void *arg, 4819 sctp_cmd_seq_t *commands) 4820 { 4821 struct sctp_chunk *chunk = asoc->addip_last_asconf; 4822 struct sctp_transport *transport = chunk->transport; 4823 4824 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 4825 * detection on the appropriate destination address as defined in 4826 * RFC2960 [5] section 8.1 and 8.2. 4827 */ 4828 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4829 4830 /* Reconfig T4 timer and transport. */ 4831 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4832 4833 /* ADDIP 4.1 B2) Increment the association error counters and perform 4834 * endpoint failure detection on the association as defined in 4835 * RFC2960 [5] section 8.1 and 8.2. 4836 * association error counter is incremented in SCTP_CMD_STRIKE. 4837 */ 4838 if (asoc->overall_error_count >= asoc->max_retrans) { 4839 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4840 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4841 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4842 SCTP_ERROR(ETIMEDOUT)); 4843 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4844 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4845 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4846 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 4847 return SCTP_DISPOSITION_ABORT; 4848 } 4849 4850 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 4851 * the ASCONF chunk was sent by doubling the RTO timer value. 4852 * This is done in SCTP_CMD_STRIKE. 4853 */ 4854 4855 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 4856 * choose an alternate destination address (please refer to RFC2960 4857 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 4858 * chunk, it MUST be the same (including its serial number) as the last 4859 * ASCONF sent. 4860 */ 4861 sctp_chunk_hold(asoc->addip_last_asconf); 4862 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4863 SCTP_CHUNK(asoc->addip_last_asconf)); 4864 4865 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 4866 * destination is selected, then the RTO used will be that of the new 4867 * destination address. 4868 */ 4869 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4870 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4871 4872 return SCTP_DISPOSITION_CONSUME; 4873 } 4874 4875 /* sctpimpguide-05 Section 2.12.2 4876 * The sender of the SHUTDOWN MAY also start an overall guard timer 4877 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4878 * At the expiration of this timer the sender SHOULD abort the association 4879 * by sending an ABORT chunk. 4880 */ 4881 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 4882 const struct sctp_association *asoc, 4883 const sctp_subtype_t type, 4884 void *arg, 4885 sctp_cmd_seq_t *commands) 4886 { 4887 struct sctp_chunk *reply = NULL; 4888 4889 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 4890 4891 reply = sctp_make_abort(asoc, NULL, 0); 4892 if (!reply) 4893 goto nomem; 4894 4895 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4896 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4897 SCTP_ERROR(ETIMEDOUT)); 4898 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4899 SCTP_U32(SCTP_ERROR_NO_ERROR)); 4900 4901 return SCTP_DISPOSITION_DELETE_TCB; 4902 nomem: 4903 return SCTP_DISPOSITION_NOMEM; 4904 } 4905 4906 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 4907 * the association is automatically closed by starting the shutdown process. 4908 * The work that needs to be done is same as when SHUTDOWN is initiated by 4909 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 4910 */ 4911 sctp_disposition_t sctp_sf_autoclose_timer_expire( 4912 const struct sctp_endpoint *ep, 4913 const struct sctp_association *asoc, 4914 const sctp_subtype_t type, 4915 void *arg, 4916 sctp_cmd_seq_t *commands) 4917 { 4918 int disposition; 4919 4920 /* From 9.2 Shutdown of an Association 4921 * Upon receipt of the SHUTDOWN primitive from its upper 4922 * layer, the endpoint enters SHUTDOWN-PENDING state and 4923 * remains there until all outstanding data has been 4924 * acknowledged by its peer. The endpoint accepts no new data 4925 * from its upper layer, but retransmits data to the far end 4926 * if necessary to fill gaps. 4927 */ 4928 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4929 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4930 4931 /* sctpimpguide-05 Section 2.12.2 4932 * The sender of the SHUTDOWN MAY also start an overall guard timer 4933 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4934 */ 4935 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4936 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4937 disposition = SCTP_DISPOSITION_CONSUME; 4938 if (sctp_outq_is_empty(&asoc->outqueue)) { 4939 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4940 arg, commands); 4941 } 4942 return disposition; 4943 } 4944 4945 /***************************************************************************** 4946 * These are sa state functions which could apply to all types of events. 4947 ****************************************************************************/ 4948 4949 /* 4950 * This table entry is not implemented. 4951 * 4952 * Inputs 4953 * (endpoint, asoc, chunk) 4954 * 4955 * The return value is the disposition of the chunk. 4956 */ 4957 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 4958 const struct sctp_association *asoc, 4959 const sctp_subtype_t type, 4960 void *arg, 4961 sctp_cmd_seq_t *commands) 4962 { 4963 return SCTP_DISPOSITION_NOT_IMPL; 4964 } 4965 4966 /* 4967 * This table entry represents a bug. 4968 * 4969 * Inputs 4970 * (endpoint, asoc, chunk) 4971 * 4972 * The return value is the disposition of the chunk. 4973 */ 4974 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 4975 const struct sctp_association *asoc, 4976 const sctp_subtype_t type, 4977 void *arg, 4978 sctp_cmd_seq_t *commands) 4979 { 4980 return SCTP_DISPOSITION_BUG; 4981 } 4982 4983 /* 4984 * This table entry represents the firing of a timer in the wrong state. 4985 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 4986 * when the association is in the wrong state. This event should 4987 * be ignored, so as to prevent any rearming of the timer. 4988 * 4989 * Inputs 4990 * (endpoint, asoc, chunk) 4991 * 4992 * The return value is the disposition of the chunk. 4993 */ 4994 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 4995 const struct sctp_association *asoc, 4996 const sctp_subtype_t type, 4997 void *arg, 4998 sctp_cmd_seq_t *commands) 4999 { 5000 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5001 return SCTP_DISPOSITION_CONSUME; 5002 } 5003 5004 /******************************************************************** 5005 * 2nd Level Abstractions 5006 ********************************************************************/ 5007 5008 /* Pull the SACK chunk based on the SACK header. */ 5009 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5010 { 5011 struct sctp_sackhdr *sack; 5012 unsigned int len; 5013 __u16 num_blocks; 5014 __u16 num_dup_tsns; 5015 5016 /* Protect ourselves from reading too far into 5017 * the skb from a bogus sender. 5018 */ 5019 sack = (struct sctp_sackhdr *) chunk->skb->data; 5020 5021 num_blocks = ntohs(sack->num_gap_ack_blocks); 5022 num_dup_tsns = ntohs(sack->num_dup_tsns); 5023 len = sizeof(struct sctp_sackhdr); 5024 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5025 if (len > chunk->skb->len) 5026 return NULL; 5027 5028 skb_pull(chunk->skb, len); 5029 5030 return sack; 5031 } 5032 5033 /* Create an ABORT packet to be sent as a response, with the specified 5034 * error causes. 5035 */ 5036 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5037 const struct sctp_association *asoc, 5038 struct sctp_chunk *chunk, 5039 const void *payload, 5040 size_t paylen) 5041 { 5042 struct sctp_packet *packet; 5043 struct sctp_chunk *abort; 5044 5045 packet = sctp_ootb_pkt_new(asoc, chunk); 5046 5047 if (packet) { 5048 /* Make an ABORT. 5049 * The T bit will be set if the asoc is NULL. 5050 */ 5051 abort = sctp_make_abort(asoc, chunk, paylen); 5052 if (!abort) { 5053 sctp_ootb_pkt_free(packet); 5054 return NULL; 5055 } 5056 5057 /* Reflect vtag if T-Bit is set */ 5058 if (sctp_test_T_bit(abort)) 5059 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5060 5061 /* Add specified error causes, i.e., payload, to the 5062 * end of the chunk. 5063 */ 5064 sctp_addto_chunk(abort, paylen, payload); 5065 5066 /* Set the skb to the belonging sock for accounting. */ 5067 abort->skb->sk = ep->base.sk; 5068 5069 sctp_packet_append_chunk(packet, abort); 5070 5071 } 5072 5073 return packet; 5074 } 5075 5076 /* Allocate a packet for responding in the OOTB conditions. */ 5077 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5078 const struct sctp_chunk *chunk) 5079 { 5080 struct sctp_packet *packet; 5081 struct sctp_transport *transport; 5082 __u16 sport; 5083 __u16 dport; 5084 __u32 vtag; 5085 5086 /* Get the source and destination port from the inbound packet. */ 5087 sport = ntohs(chunk->sctp_hdr->dest); 5088 dport = ntohs(chunk->sctp_hdr->source); 5089 5090 /* The V-tag is going to be the same as the inbound packet if no 5091 * association exists, otherwise, use the peer's vtag. 5092 */ 5093 if (asoc) { 5094 vtag = asoc->peer.i.init_tag; 5095 } else { 5096 /* Special case the INIT and stale COOKIE_ECHO as there is no 5097 * vtag yet. 5098 */ 5099 switch(chunk->chunk_hdr->type) { 5100 case SCTP_CID_INIT: 5101 { 5102 sctp_init_chunk_t *init; 5103 5104 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5105 vtag = ntohl(init->init_hdr.init_tag); 5106 break; 5107 } 5108 default: 5109 vtag = ntohl(chunk->sctp_hdr->vtag); 5110 break; 5111 } 5112 } 5113 5114 /* Make a transport for the bucket, Eliza... */ 5115 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5116 if (!transport) 5117 goto nomem; 5118 5119 /* Cache a route for the transport with the chunk's destination as 5120 * the source address. 5121 */ 5122 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5123 sctp_sk(sctp_get_ctl_sock())); 5124 5125 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5126 packet = sctp_packet_config(packet, vtag, 0); 5127 5128 return packet; 5129 5130 nomem: 5131 return NULL; 5132 } 5133 5134 /* Free the packet allocated earlier for responding in the OOTB condition. */ 5135 void sctp_ootb_pkt_free(struct sctp_packet *packet) 5136 { 5137 sctp_transport_free(packet->transport); 5138 } 5139 5140 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5141 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5142 const struct sctp_association *asoc, 5143 const struct sctp_chunk *chunk, 5144 sctp_cmd_seq_t *commands, 5145 struct sctp_chunk *err_chunk) 5146 { 5147 struct sctp_packet *packet; 5148 5149 if (err_chunk) { 5150 packet = sctp_ootb_pkt_new(asoc, chunk); 5151 if (packet) { 5152 struct sctp_signed_cookie *cookie; 5153 5154 /* Override the OOTB vtag from the cookie. */ 5155 cookie = chunk->subh.cookie_hdr; 5156 packet->vtag = cookie->c.peer_vtag; 5157 5158 /* Set the skb to the belonging sock for accounting. */ 5159 err_chunk->skb->sk = ep->base.sk; 5160 sctp_packet_append_chunk(packet, err_chunk); 5161 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5162 SCTP_PACKET(packet)); 5163 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5164 } else 5165 sctp_chunk_free (err_chunk); 5166 } 5167 } 5168 5169 5170 /* Process a data chunk */ 5171 static int sctp_eat_data(const struct sctp_association *asoc, 5172 struct sctp_chunk *chunk, 5173 sctp_cmd_seq_t *commands) 5174 { 5175 sctp_datahdr_t *data_hdr; 5176 struct sctp_chunk *err; 5177 size_t datalen; 5178 sctp_verb_t deliver; 5179 int tmp; 5180 __u32 tsn; 5181 int account_value; 5182 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5183 struct sock *sk = asoc->base.sk; 5184 int rcvbuf_over = 0; 5185 5186 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5187 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5188 5189 tsn = ntohl(data_hdr->tsn); 5190 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5191 5192 /* ASSERT: Now skb->data is really the user data. */ 5193 5194 /* 5195 * If we are established, and we have used up our receive buffer 5196 * memory, think about droping the frame. 5197 * Note that we have an opportunity to improve performance here. 5198 * If we accept one chunk from an skbuff, we have to keep all the 5199 * memory of that skbuff around until the chunk is read into user 5200 * space. Therefore, once we accept 1 chunk we may as well accept all 5201 * remaining chunks in the skbuff. The data_accepted flag helps us do 5202 * that. 5203 */ 5204 if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) { 5205 /* 5206 * If the receive buffer policy is 1, then each 5207 * association can allocate up to sk_rcvbuf bytes 5208 * otherwise, all the associations in aggregate 5209 * may allocate up to sk_rcvbuf bytes 5210 */ 5211 if (asoc->ep->rcvbuf_policy) 5212 account_value = atomic_read(&asoc->rmem_alloc); 5213 else 5214 account_value = atomic_read(&sk->sk_rmem_alloc); 5215 if (account_value > sk->sk_rcvbuf) { 5216 /* 5217 * We need to make forward progress, even when we are 5218 * under memory pressure, so we always allow the 5219 * next tsn after the ctsn ack point to be accepted. 5220 * This lets us avoid deadlocks in which we have to 5221 * drop frames that would otherwise let us drain the 5222 * receive queue. 5223 */ 5224 if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn) 5225 return SCTP_IERROR_IGNORE_TSN; 5226 5227 /* 5228 * We're going to accept the frame but we should renege 5229 * to make space for it. This will send us down that 5230 * path later in this function. 5231 */ 5232 rcvbuf_over = 1; 5233 } 5234 } 5235 5236 /* Process ECN based congestion. 5237 * 5238 * Since the chunk structure is reused for all chunks within 5239 * a packet, we use ecn_ce_done to track if we've already 5240 * done CE processing for this packet. 5241 * 5242 * We need to do ECN processing even if we plan to discard the 5243 * chunk later. 5244 */ 5245 5246 if (!chunk->ecn_ce_done) { 5247 struct sctp_af *af; 5248 chunk->ecn_ce_done = 1; 5249 5250 af = sctp_get_af_specific( 5251 ipver2af(chunk->skb->nh.iph->version)); 5252 5253 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5254 /* Do real work as sideffect. */ 5255 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5256 SCTP_U32(tsn)); 5257 } 5258 } 5259 5260 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5261 if (tmp < 0) { 5262 /* The TSN is too high--silently discard the chunk and 5263 * count on it getting retransmitted later. 5264 */ 5265 return SCTP_IERROR_HIGH_TSN; 5266 } else if (tmp > 0) { 5267 /* This is a duplicate. Record it. */ 5268 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5269 return SCTP_IERROR_DUP_TSN; 5270 } 5271 5272 /* This is a new TSN. */ 5273 5274 /* Discard if there is no room in the receive window. 5275 * Actually, allow a little bit of overflow (up to a MTU). 5276 */ 5277 datalen = ntohs(chunk->chunk_hdr->length); 5278 datalen -= sizeof(sctp_data_chunk_t); 5279 5280 deliver = SCTP_CMD_CHUNK_ULP; 5281 chunk->data_accepted = 1; 5282 5283 /* Think about partial delivery. */ 5284 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5285 5286 /* Even if we don't accept this chunk there is 5287 * memory pressure. 5288 */ 5289 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5290 } 5291 5292 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5293 * seems a bit troublesome in that frag_point varies based on 5294 * PMTU. In cases, such as loopback, this might be a rather 5295 * large spill over. 5296 * NOTE: If we have a full receive buffer here, we only renege if 5297 * our receiver can still make progress without the tsn being 5298 * received. We do this because in the event that the associations 5299 * receive queue is empty we are filling a leading gap, and since 5300 * reneging moves the gap to the end of the tsn stream, we are likely 5301 * to stall again very shortly. Avoiding the renege when we fill a 5302 * leading gap is a good heuristic for avoiding such steady state 5303 * stalls. 5304 */ 5305 if (!asoc->rwnd || asoc->rwnd_over || 5306 (datalen > asoc->rwnd + asoc->frag_point) || 5307 (rcvbuf_over && (!skb_queue_len(&sk->sk_receive_queue)))) { 5308 5309 /* If this is the next TSN, consider reneging to make 5310 * room. Note: Playing nice with a confused sender. A 5311 * malicious sender can still eat up all our buffer 5312 * space and in the future we may want to detect and 5313 * do more drastic reneging. 5314 */ 5315 if (sctp_tsnmap_has_gap(map) && 5316 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5317 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5318 deliver = SCTP_CMD_RENEGE; 5319 } else { 5320 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5321 "rwnd: %d\n", tsn, datalen, 5322 asoc->rwnd); 5323 return SCTP_IERROR_IGNORE_TSN; 5324 } 5325 } 5326 5327 /* 5328 * Section 3.3.10.9 No User Data (9) 5329 * 5330 * Cause of error 5331 * --------------- 5332 * No User Data: This error cause is returned to the originator of a 5333 * DATA chunk if a received DATA chunk has no user data. 5334 */ 5335 if (unlikely(0 == datalen)) { 5336 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5337 if (err) { 5338 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5339 SCTP_CHUNK(err)); 5340 } 5341 /* We are going to ABORT, so we might as well stop 5342 * processing the rest of the chunks in the packet. 5343 */ 5344 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5345 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5346 SCTP_ERROR(ECONNABORTED)); 5347 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5348 SCTP_U32(SCTP_ERROR_NO_DATA)); 5349 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5350 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5351 return SCTP_IERROR_NO_DATA; 5352 } 5353 5354 /* If definately accepting the DATA chunk, record its TSN, otherwise 5355 * wait for renege processing. 5356 */ 5357 if (SCTP_CMD_CHUNK_ULP == deliver) 5358 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5359 5360 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5361 * if we renege and the chunk arrives again. 5362 */ 5363 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5364 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5365 else 5366 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5367 5368 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5369 * 5370 * If an endpoint receive a DATA chunk with an invalid stream 5371 * identifier, it shall acknowledge the reception of the DATA chunk 5372 * following the normal procedure, immediately send an ERROR chunk 5373 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5374 * and discard the DATA chunk. 5375 */ 5376 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5377 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5378 &data_hdr->stream, 5379 sizeof(data_hdr->stream)); 5380 if (err) 5381 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5382 SCTP_CHUNK(err)); 5383 return SCTP_IERROR_BAD_STREAM; 5384 } 5385 5386 /* Send the data up to the user. Note: Schedule the 5387 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5388 * chunk needs the updated rwnd. 5389 */ 5390 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5391 5392 return SCTP_IERROR_NO_ERROR; 5393 } 5394