/* SCTP kernel implementation1* (C) Copyright IBM Corp. 2001, 20042* Copyright (c) 1999-2000 Cisco, Inc.3* Copyright (c) 1999-2001 Motorola, Inc.4* Copyright (c) 2001-2002 Intel Corp.5* Copyright (c) 2002 Nokia Corp.6*7* This is part of the SCTP Linux Kernel Implementation.8*9* These are the state functions for the state machine.10*11* This SCTP implementation is free software;12* you can redistribute it and/or modify it under the terms of13* the GNU General Public License as published by14* the Free Software Foundation; either version 2, or (at your option)15* any later version.16*17* This SCTP implementation is distributed in the hope that it18* will be useful, but WITHOUT ANY WARRANTY; without even the implied19* ************************20* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.21* See the GNU General Public License for more details.22*23* You should have received a copy of the GNU General Public License24* along with GNU CC; see the file COPYING. If not, write to25* the Free Software Foundation, 59 Temple Place - Suite 330,26* Boston, MA 02111-1307, USA.27*28* Please send any bug reports or fixes you make to the29* email address(es):30* lksctp developers <[email protected]>31*32* Or submit a bug report through the following website:33* http://www.sf.net/projects/lksctp34*35* Written or modified by:36* La Monte H.P. Yarroll <[email protected]>37* Karl Knutson <[email protected]>38* Mathew Kotowsky <[email protected]>39* Sridhar Samudrala <[email protected]>40* Jon Grimm <[email protected]>41* Hui Huang <[email protected]>42* Dajiang Zhang <[email protected]>43* Daisy Chang <[email protected]>44* Ardelle Fan <[email protected]>45* Ryan Layer <[email protected]>46* Kevin Gao <[email protected]>47*48* Any bugs reported given to us we will try to fix... any fixes shared will49* be incorporated into the next SCTP release.50*/5152#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt5354#include <linux/types.h>55#include <linux/kernel.h>56#include <linux/ip.h>57#include <linux/ipv6.h>58#include <linux/net.h>59#include <linux/inet.h>60#include <linux/slab.h>61#include <net/sock.h>62#include <net/inet_ecn.h>63#include <linux/skbuff.h>64#include <net/sctp/sctp.h>65#include <net/sctp/sm.h>66#include <net/sctp/structs.h>6768static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,69const struct sctp_association *asoc,70struct sctp_chunk *chunk,71const void *payload,72size_t paylen);73static int sctp_eat_data(const struct sctp_association *asoc,74struct sctp_chunk *chunk,75sctp_cmd_seq_t *commands);76static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,77const struct sctp_chunk *chunk);78static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,79const struct sctp_association *asoc,80const struct sctp_chunk *chunk,81sctp_cmd_seq_t *commands,82struct sctp_chunk *err_chunk);83static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,84const struct sctp_association *asoc,85const sctp_subtype_t type,86void *arg,87sctp_cmd_seq_t *commands);88static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,89const struct sctp_association *asoc,90const sctp_subtype_t type,91void *arg,92sctp_cmd_seq_t *commands);93static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,94const struct sctp_association *asoc,95const sctp_subtype_t type,96void *arg,97sctp_cmd_seq_t *commands);98static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);99100static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,101__be16 error, int sk_err,102const struct sctp_association *asoc,103struct sctp_transport *transport);104105static sctp_disposition_t sctp_sf_abort_violation(106const struct sctp_endpoint *ep,107const struct sctp_association *asoc,108void *arg,109sctp_cmd_seq_t *commands,110const __u8 *payload,111const size_t paylen);112113static sctp_disposition_t sctp_sf_violation_chunklen(114const struct sctp_endpoint *ep,115const struct sctp_association *asoc,116const sctp_subtype_t type,117void *arg,118sctp_cmd_seq_t *commands);119120static sctp_disposition_t sctp_sf_violation_paramlen(121const struct sctp_endpoint *ep,122const struct sctp_association *asoc,123const sctp_subtype_t type,124void *arg, void *ext,125sctp_cmd_seq_t *commands);126127static sctp_disposition_t sctp_sf_violation_ctsn(128const struct sctp_endpoint *ep,129const struct sctp_association *asoc,130const sctp_subtype_t type,131void *arg,132sctp_cmd_seq_t *commands);133134static sctp_disposition_t sctp_sf_violation_chunk(135const struct sctp_endpoint *ep,136const struct sctp_association *asoc,137const sctp_subtype_t type,138void *arg,139sctp_cmd_seq_t *commands);140141static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,142const struct sctp_association *asoc,143const sctp_subtype_t type,144struct sctp_chunk *chunk);145146static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,147const struct sctp_association *asoc,148const sctp_subtype_t type,149void *arg,150sctp_cmd_seq_t *commands);151152/* Small helper function that checks if the chunk length153* is of the appropriate length. The 'required_length' argument154* is set to be the size of a specific chunk we are testing.155* Return Values: 1 = Valid length156* 0 = Invalid length157*158*/159static inline int160sctp_chunk_length_valid(struct sctp_chunk *chunk,161__u16 required_length)162{163__u16 chunk_length = ntohs(chunk->chunk_hdr->length);164165if (unlikely(chunk_length < required_length))166return 0;167168return 1;169}170171/**********************************************************172* These are the state functions for handling chunk events.173**********************************************************/174175/*176* Process the final SHUTDOWN COMPLETE.177*178* Section: 4 (C) (diagram), 9.2179* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify180* that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be181* discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint182* should stop the T2-shutdown timer and remove all knowledge of the183* association (and thus the association enters the CLOSED state).184*185* Verification Tag: 8.5.1(C), sctpimpguide 2.41.186* C) Rules for packet carrying SHUTDOWN COMPLETE:187* ...188* - The receiver of a SHUTDOWN COMPLETE shall accept the packet189* if the Verification Tag field of the packet matches its own tag and190* the T bit is not set191* OR192* it is set to its peer's tag and the T bit is set in the Chunk193* Flags.194* Otherwise, the receiver MUST silently discard the packet195* and take no further action. An endpoint MUST ignore the196* SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.197*198* Inputs199* (endpoint, asoc, chunk)200*201* Outputs202* (asoc, reply_msg, msg_up, timers, counters)203*204* The return value is the disposition of the chunk.205*/206sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,207const struct sctp_association *asoc,208const sctp_subtype_t type,209void *arg,210sctp_cmd_seq_t *commands)211{212struct sctp_chunk *chunk = arg;213struct sctp_ulpevent *ev;214215if (!sctp_vtag_verify_either(chunk, asoc))216return sctp_sf_pdiscard(ep, asoc, type, arg, commands);217218/* RFC 2960 6.10 Bundling219*220* An endpoint MUST NOT bundle INIT, INIT ACK or221* SHUTDOWN COMPLETE with any other chunks.222*/223if (!chunk->singleton)224return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);225226/* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */227if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))228return sctp_sf_violation_chunklen(ep, asoc, type, arg,229commands);230231/* RFC 2960 10.2 SCTP-to-ULP232*233* H) SHUTDOWN COMPLETE notification234*235* When SCTP completes the shutdown procedures (section 9.2) this236* notification is passed to the upper layer.237*/238ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,2390, 0, 0, NULL, GFP_ATOMIC);240if (ev)241sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,242SCTP_ULPEVENT(ev));243244/* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint245* will verify that it is in SHUTDOWN-ACK-SENT state, if it is246* not the chunk should be discarded. If the endpoint is in247* the SHUTDOWN-ACK-SENT state the endpoint should stop the248* T2-shutdown timer and remove all knowledge of the249* association (and thus the association enters the CLOSED250* state).251*/252sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,253SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));254255sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,256SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));257258sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,259SCTP_STATE(SCTP_STATE_CLOSED));260261SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);262SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);263264sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());265266return SCTP_DISPOSITION_DELETE_TCB;267}268269/*270* Respond to a normal INIT chunk.271* We are the side that is being asked for an association.272*273* Section: 5.1 Normal Establishment of an Association, B274* B) "Z" shall respond immediately with an INIT ACK chunk. The275* destination IP address of the INIT ACK MUST be set to the source276* IP address of the INIT to which this INIT ACK is responding. In277* the response, besides filling in other parameters, "Z" must set the278* Verification Tag field to Tag_A, and also provide its own279* Verification Tag (Tag_Z) in the Initiate Tag field.280*281* Verification Tag: Must be 0.282*283* Inputs284* (endpoint, asoc, chunk)285*286* Outputs287* (asoc, reply_msg, msg_up, timers, counters)288*289* The return value is the disposition of the chunk.290*/291sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,292const struct sctp_association *asoc,293const sctp_subtype_t type,294void *arg,295sctp_cmd_seq_t *commands)296{297struct sctp_chunk *chunk = arg;298struct sctp_chunk *repl;299struct sctp_association *new_asoc;300struct sctp_chunk *err_chunk;301struct sctp_packet *packet;302sctp_unrecognized_param_t *unk_param;303int len;304305/* 6.10 Bundling306* An endpoint MUST NOT bundle INIT, INIT ACK or307* SHUTDOWN COMPLETE with any other chunks.308*309* IG Section 2.11.2310* Furthermore, we require that the receiver of an INIT chunk MUST311* enforce these rules by silently discarding an arriving packet312* with an INIT chunk that is bundled with other chunks.313*/314if (!chunk->singleton)315return sctp_sf_pdiscard(ep, asoc, type, arg, commands);316317/* If the packet is an OOTB packet which is temporarily on the318* control endpoint, respond with an ABORT.319*/320if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {321SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);322return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);323}324325/* 3.1 A packet containing an INIT chunk MUST have a zero Verification326* Tag.327*/328if (chunk->sctp_hdr->vtag != 0)329return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);330331/* Make sure that the INIT chunk has a valid length.332* Normally, this would cause an ABORT with a Protocol Violation333* error, but since we don't have an association, we'll334* just discard the packet.335*/336if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))337return sctp_sf_pdiscard(ep, asoc, type, arg, commands);338339/* If the INIT is coming toward a closing socket, we'll send back340* and ABORT. Essentially, this catches the race of INIT being341* backloged to the socket at the same time as the user isses close().342* Since the socket and all its associations are going away, we343* can treat this OOTB344*/345if (sctp_sstate(ep->base.sk, CLOSING))346return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);347348/* Verify the INIT chunk before processing it. */349err_chunk = NULL;350if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,351(sctp_init_chunk_t *)chunk->chunk_hdr, chunk,352&err_chunk)) {353/* This chunk contains fatal error. It is to be discarded.354* Send an ABORT, with causes if there is any.355*/356if (err_chunk) {357packet = sctp_abort_pkt_new(ep, asoc, arg,358(__u8 *)(err_chunk->chunk_hdr) +359sizeof(sctp_chunkhdr_t),360ntohs(err_chunk->chunk_hdr->length) -361sizeof(sctp_chunkhdr_t));362363sctp_chunk_free(err_chunk);364365if (packet) {366sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,367SCTP_PACKET(packet));368SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);369return SCTP_DISPOSITION_CONSUME;370} else {371return SCTP_DISPOSITION_NOMEM;372}373} else {374return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,375commands);376}377}378379/* Grab the INIT header. */380chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;381382/* Tag the variable length parameters. */383chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));384385new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);386if (!new_asoc)387goto nomem;388389if (sctp_assoc_set_bind_addr_from_ep(new_asoc,390sctp_scope(sctp_source(chunk)),391GFP_ATOMIC) < 0)392goto nomem_init;393394/* The call, sctp_process_init(), can fail on memory allocation. */395if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),396(sctp_init_chunk_t *)chunk->chunk_hdr,397GFP_ATOMIC))398goto nomem_init;399400/* B) "Z" shall respond immediately with an INIT ACK chunk. */401402/* If there are errors need to be reported for unknown parameters,403* make sure to reserve enough room in the INIT ACK for them.404*/405len = 0;406if (err_chunk)407len = ntohs(err_chunk->chunk_hdr->length) -408sizeof(sctp_chunkhdr_t);409410repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);411if (!repl)412goto nomem_init;413414/* If there are errors need to be reported for unknown parameters,415* include them in the outgoing INIT ACK as "Unrecognized parameter"416* parameter.417*/418if (err_chunk) {419/* Get the "Unrecognized parameter" parameter(s) out of the420* ERROR chunk generated by sctp_verify_init(). Since the421* error cause code for "unknown parameter" and the422* "Unrecognized parameter" type is the same, we can423* construct the parameters in INIT ACK by copying the424* ERROR causes over.425*/426unk_param = (sctp_unrecognized_param_t *)427((__u8 *)(err_chunk->chunk_hdr) +428sizeof(sctp_chunkhdr_t));429/* Replace the cause code with the "Unrecognized parameter"430* parameter type.431*/432sctp_addto_chunk(repl, len, unk_param);433sctp_chunk_free(err_chunk);434}435436sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));437438sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));439440/*441* Note: After sending out INIT ACK with the State Cookie parameter,442* "Z" MUST NOT allocate any resources, nor keep any states for the443* new association. Otherwise, "Z" will be vulnerable to resource444* attacks.445*/446sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());447448return SCTP_DISPOSITION_DELETE_TCB;449450nomem_init:451sctp_association_free(new_asoc);452nomem:453if (err_chunk)454sctp_chunk_free(err_chunk);455return SCTP_DISPOSITION_NOMEM;456}457458/*459* Respond to a normal INIT ACK chunk.460* We are the side that is initiating the association.461*462* Section: 5.1 Normal Establishment of an Association, C463* C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init464* timer and leave COOKIE-WAIT state. "A" shall then send the State465* Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start466* the T1-cookie timer, and enter the COOKIE-ECHOED state.467*468* Note: The COOKIE ECHO chunk can be bundled with any pending outbound469* DATA chunks, but it MUST be the first chunk in the packet and470* until the COOKIE ACK is returned the sender MUST NOT send any471* other packets to the peer.472*473* Verification Tag: 3.3.3474* If the value of the Initiate Tag in a received INIT ACK chunk is475* found to be 0, the receiver MUST treat it as an error and close the476* association by transmitting an ABORT.477*478* Inputs479* (endpoint, asoc, chunk)480*481* Outputs482* (asoc, reply_msg, msg_up, timers, counters)483*484* The return value is the disposition of the chunk.485*/486sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,487const struct sctp_association *asoc,488const sctp_subtype_t type,489void *arg,490sctp_cmd_seq_t *commands)491{492struct sctp_chunk *chunk = arg;493sctp_init_chunk_t *initchunk;494struct sctp_chunk *err_chunk;495struct sctp_packet *packet;496497if (!sctp_vtag_verify(chunk, asoc))498return sctp_sf_pdiscard(ep, asoc, type, arg, commands);499500/* 6.10 Bundling501* An endpoint MUST NOT bundle INIT, INIT ACK or502* SHUTDOWN COMPLETE with any other chunks.503*/504if (!chunk->singleton)505return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);506507/* Make sure that the INIT-ACK chunk has a valid length */508if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))509return sctp_sf_violation_chunklen(ep, asoc, type, arg,510commands);511/* Grab the INIT header. */512chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;513514/* Verify the INIT chunk before processing it. */515err_chunk = NULL;516if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,517(sctp_init_chunk_t *)chunk->chunk_hdr, chunk,518&err_chunk)) {519520sctp_error_t error = SCTP_ERROR_NO_RESOURCE;521522/* This chunk contains fatal error. It is to be discarded.523* Send an ABORT, with causes. If there are no causes,524* then there wasn't enough memory. Just terminate525* the association.526*/527if (err_chunk) {528packet = sctp_abort_pkt_new(ep, asoc, arg,529(__u8 *)(err_chunk->chunk_hdr) +530sizeof(sctp_chunkhdr_t),531ntohs(err_chunk->chunk_hdr->length) -532sizeof(sctp_chunkhdr_t));533534sctp_chunk_free(err_chunk);535536if (packet) {537sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,538SCTP_PACKET(packet));539SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);540error = SCTP_ERROR_INV_PARAM;541}542}543544/* SCTP-AUTH, Section 6.3:545* It should be noted that if the receiver wants to tear546* down an association in an authenticated way only, the547* handling of malformed packets should not result in548* tearing down the association.549*550* This means that if we only want to abort associations551* in an authenticated way (i.e AUTH+ABORT), then we552* can't destroy this association just because the packet553* was malformed.554*/555if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))556return sctp_sf_pdiscard(ep, asoc, type, arg, commands);557558SCTP_INC_STATS(SCTP_MIB_ABORTEDS);559return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED,560asoc, chunk->transport);561}562563/* Tag the variable length parameters. Note that we never564* convert the parameters in an INIT chunk.565*/566chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));567568initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;569570sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,571SCTP_PEER_INIT(initchunk));572573/* Reset init error count upon receipt of INIT-ACK. */574sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());575576/* 5.1 C) "A" shall stop the T1-init timer and leave577* COOKIE-WAIT state. "A" shall then ... start the T1-cookie578* timer, and enter the COOKIE-ECHOED state.579*/580sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,581SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));582sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,583SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));584sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,585SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));586587/* SCTP-AUTH: genereate the assocition shared keys so that588* we can potentially signe the COOKIE-ECHO.589*/590sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());591592/* 5.1 C) "A" shall then send the State Cookie received in the593* INIT ACK chunk in a COOKIE ECHO chunk, ...594*/595/* If there is any errors to report, send the ERROR chunk generated596* for unknown parameters as well.597*/598sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,599SCTP_CHUNK(err_chunk));600601return SCTP_DISPOSITION_CONSUME;602}603604/*605* Respond to a normal COOKIE ECHO chunk.606* We are the side that is being asked for an association.607*608* Section: 5.1 Normal Establishment of an Association, D609* D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply610* with a COOKIE ACK chunk after building a TCB and moving to611* the ESTABLISHED state. A COOKIE ACK chunk may be bundled with612* any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK613* chunk MUST be the first chunk in the packet.614*615* IMPLEMENTATION NOTE: An implementation may choose to send the616* Communication Up notification to the SCTP user upon reception617* of a valid COOKIE ECHO chunk.618*619* Verification Tag: 8.5.1 Exceptions in Verification Tag Rules620* D) Rules for packet carrying a COOKIE ECHO621*622* - When sending a COOKIE ECHO, the endpoint MUST use the value of the623* Initial Tag received in the INIT ACK.624*625* - The receiver of a COOKIE ECHO follows the procedures in Section 5.626*627* Inputs628* (endpoint, asoc, chunk)629*630* Outputs631* (asoc, reply_msg, msg_up, timers, counters)632*633* The return value is the disposition of the chunk.634*/635sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,636const struct sctp_association *asoc,637const sctp_subtype_t type, void *arg,638sctp_cmd_seq_t *commands)639{640struct sctp_chunk *chunk = arg;641struct sctp_association *new_asoc;642sctp_init_chunk_t *peer_init;643struct sctp_chunk *repl;644struct sctp_ulpevent *ev, *ai_ev = NULL;645int error = 0;646struct sctp_chunk *err_chk_p;647struct sock *sk;648649/* If the packet is an OOTB packet which is temporarily on the650* control endpoint, respond with an ABORT.651*/652if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {653SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);654return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);655}656657/* Make sure that the COOKIE_ECHO chunk has a valid length.658* In this case, we check that we have enough for at least a659* chunk header. More detailed verification is done660* in sctp_unpack_cookie().661*/662if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))663return sctp_sf_pdiscard(ep, asoc, type, arg, commands);664665/* If the endpoint is not listening or if the number of associations666* on the TCP-style socket exceed the max backlog, respond with an667* ABORT.668*/669sk = ep->base.sk;670if (!sctp_sstate(sk, LISTENING) ||671(sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))672return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);673674/* "Decode" the chunk. We have no optional parameters so we675* are in good shape.676*/677chunk->subh.cookie_hdr =678(struct sctp_signed_cookie *)chunk->skb->data;679if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -680sizeof(sctp_chunkhdr_t)))681goto nomem;682683/* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint684* "Z" will reply with a COOKIE ACK chunk after building a TCB685* and moving to the ESTABLISHED state.686*/687new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,688&err_chk_p);689690/* FIXME:691* If the re-build failed, what is the proper error path692* from here?693*694* [We should abort the association. --piggy]695*/696if (!new_asoc) {697/* FIXME: Several errors are possible. A bad cookie should698* be silently discarded, but think about logging it too.699*/700switch (error) {701case -SCTP_IERROR_NOMEM:702goto nomem;703704case -SCTP_IERROR_STALE_COOKIE:705sctp_send_stale_cookie_err(ep, asoc, chunk, commands,706err_chk_p);707return sctp_sf_pdiscard(ep, asoc, type, arg, commands);708709case -SCTP_IERROR_BAD_SIG:710default:711return sctp_sf_pdiscard(ep, asoc, type, arg, commands);712}713}714715716/* Delay state machine commands until later.717*718* Re-build the bind address for the association is done in719* the sctp_unpack_cookie() already.720*/721/* This is a brand-new association, so these are not yet side722* effects--it is safe to run them here.723*/724peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];725726if (!sctp_process_init(new_asoc, chunk,727&chunk->subh.cookie_hdr->c.peer_addr,728peer_init, GFP_ATOMIC))729goto nomem_init;730731/* SCTP-AUTH: Now that we've populate required fields in732* sctp_process_init, set up the assocaition shared keys as733* necessary so that we can potentially authenticate the ACK734*/735error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);736if (error)737goto nomem_init;738739/* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo740* is supposed to be authenticated and we have to do delayed741* authentication. We've just recreated the association using742* the information in the cookie and now it's much easier to743* do the authentication.744*/745if (chunk->auth_chunk) {746struct sctp_chunk auth;747sctp_ierror_t ret;748749/* set-up our fake chunk so that we can process it */750auth.skb = chunk->auth_chunk;751auth.asoc = chunk->asoc;752auth.sctp_hdr = chunk->sctp_hdr;753auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,754sizeof(sctp_chunkhdr_t));755skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));756auth.transport = chunk->transport;757758ret = sctp_sf_authenticate(ep, new_asoc, type, &auth);759760/* We can now safely free the auth_chunk clone */761kfree_skb(chunk->auth_chunk);762763if (ret != SCTP_IERROR_NO_ERROR) {764sctp_association_free(new_asoc);765return sctp_sf_pdiscard(ep, asoc, type, arg, commands);766}767}768769repl = sctp_make_cookie_ack(new_asoc, chunk);770if (!repl)771goto nomem_init;772773/* RFC 2960 5.1 Normal Establishment of an Association774*775* D) IMPLEMENTATION NOTE: An implementation may choose to776* send the Communication Up notification to the SCTP user777* upon reception of a valid COOKIE ECHO chunk.778*/779ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,780new_asoc->c.sinit_num_ostreams,781new_asoc->c.sinit_max_instreams,782NULL, GFP_ATOMIC);783if (!ev)784goto nomem_ev;785786/* Sockets API Draft Section 5.3.1.6787* When a peer sends a Adaptation Layer Indication parameter , SCTP788* delivers this notification to inform the application that of the789* peers requested adaptation layer.790*/791if (new_asoc->peer.adaptation_ind) {792ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,793GFP_ATOMIC);794if (!ai_ev)795goto nomem_aiev;796}797798/* Add all the state machine commands now since we've created799* everything. This way we don't introduce memory corruptions800* during side-effect processing and correclty count established801* associations.802*/803sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));804sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,805SCTP_STATE(SCTP_STATE_ESTABLISHED));806SCTP_INC_STATS(SCTP_MIB_CURRESTAB);807SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS);808sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());809810if (new_asoc->autoclose)811sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,812SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));813814/* This will send the COOKIE ACK */815sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));816817/* Queue the ASSOC_CHANGE event */818sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));819820/* Send up the Adaptation Layer Indication event */821if (ai_ev)822sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,823SCTP_ULPEVENT(ai_ev));824825return SCTP_DISPOSITION_CONSUME;826827nomem_aiev:828sctp_ulpevent_free(ev);829nomem_ev:830sctp_chunk_free(repl);831nomem_init:832sctp_association_free(new_asoc);833nomem:834return SCTP_DISPOSITION_NOMEM;835}836837/*838* Respond to a normal COOKIE ACK chunk.839* We are the side that is being asked for an association.840*841* RFC 2960 5.1 Normal Establishment of an Association842*843* E) Upon reception of the COOKIE ACK, endpoint "A" will move from the844* COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie845* timer. It may also notify its ULP about the successful846* establishment of the association with a Communication Up847* notification (see Section 10).848*849* Verification Tag:850* Inputs851* (endpoint, asoc, chunk)852*853* Outputs854* (asoc, reply_msg, msg_up, timers, counters)855*856* The return value is the disposition of the chunk.857*/858sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,859const struct sctp_association *asoc,860const sctp_subtype_t type, void *arg,861sctp_cmd_seq_t *commands)862{863struct sctp_chunk *chunk = arg;864struct sctp_ulpevent *ev;865866if (!sctp_vtag_verify(chunk, asoc))867return sctp_sf_pdiscard(ep, asoc, type, arg, commands);868869/* Verify that the chunk length for the COOKIE-ACK is OK.870* If we don't do this, any bundled chunks may be junked.871*/872if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))873return sctp_sf_violation_chunklen(ep, asoc, type, arg,874commands);875876/* Reset init error count upon receipt of COOKIE-ACK,877* to avoid problems with the managemement of this878* counter in stale cookie situations when a transition back879* from the COOKIE-ECHOED state to the COOKIE-WAIT880* state is performed.881*/882sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());883884/* RFC 2960 5.1 Normal Establishment of an Association885*886* E) Upon reception of the COOKIE ACK, endpoint "A" will move887* from the COOKIE-ECHOED state to the ESTABLISHED state,888* stopping the T1-cookie timer.889*/890sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,891SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));892sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,893SCTP_STATE(SCTP_STATE_ESTABLISHED));894SCTP_INC_STATS(SCTP_MIB_CURRESTAB);895SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS);896sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());897if (asoc->autoclose)898sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,899SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));900901/* It may also notify its ULP about the successful902* establishment of the association with a Communication Up903* notification (see Section 10).904*/905ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,9060, asoc->c.sinit_num_ostreams,907asoc->c.sinit_max_instreams,908NULL, GFP_ATOMIC);909910if (!ev)911goto nomem;912913sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));914915/* Sockets API Draft Section 5.3.1.6916* When a peer sends a Adaptation Layer Indication parameter , SCTP917* delivers this notification to inform the application that of the918* peers requested adaptation layer.919*/920if (asoc->peer.adaptation_ind) {921ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);922if (!ev)923goto nomem;924925sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,926SCTP_ULPEVENT(ev));927}928929return SCTP_DISPOSITION_CONSUME;930nomem:931return SCTP_DISPOSITION_NOMEM;932}933934/* Generate and sendout a heartbeat packet. */935static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,936const struct sctp_association *asoc,937const sctp_subtype_t type,938void *arg,939sctp_cmd_seq_t *commands)940{941struct sctp_transport *transport = (struct sctp_transport *) arg;942struct sctp_chunk *reply;943944/* Send a heartbeat to our peer. */945reply = sctp_make_heartbeat(asoc, transport);946if (!reply)947return SCTP_DISPOSITION_NOMEM;948949/* Set rto_pending indicating that an RTT measurement950* is started with this heartbeat chunk.951*/952sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,953SCTP_TRANSPORT(transport));954955sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));956return SCTP_DISPOSITION_CONSUME;957}958959/* Generate a HEARTBEAT packet on the given transport. */960sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep,961const struct sctp_association *asoc,962const sctp_subtype_t type,963void *arg,964sctp_cmd_seq_t *commands)965{966struct sctp_transport *transport = (struct sctp_transport *) arg;967968if (asoc->overall_error_count >= asoc->max_retrans) {969sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,970SCTP_ERROR(ETIMEDOUT));971/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */972sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,973SCTP_PERR(SCTP_ERROR_NO_ERROR));974SCTP_INC_STATS(SCTP_MIB_ABORTEDS);975SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);976return SCTP_DISPOSITION_DELETE_TCB;977}978979/* Section 3.3.5.980* The Sender-specific Heartbeat Info field should normally include981* information about the sender's current time when this HEARTBEAT982* chunk is sent and the destination transport address to which this983* HEARTBEAT is sent (see Section 8.3).984*/985986if (transport->param_flags & SPP_HB_ENABLE) {987if (SCTP_DISPOSITION_NOMEM ==988sctp_sf_heartbeat(ep, asoc, type, arg,989commands))990return SCTP_DISPOSITION_NOMEM;991992/* Set transport error counter and association error counter993* when sending heartbeat.994*/995sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,996SCTP_TRANSPORT(transport));997}998sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,999SCTP_TRANSPORT(transport));1000sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,1001SCTP_TRANSPORT(transport));10021003return SCTP_DISPOSITION_CONSUME;1004}10051006/*1007* Process an heartbeat request.1008*1009* Section: 8.3 Path Heartbeat1010* The receiver of the HEARTBEAT should immediately respond with a1011* HEARTBEAT ACK that contains the Heartbeat Information field copied1012* from the received HEARTBEAT chunk.1013*1014* Verification Tag: 8.5 Verification Tag [Normal verification]1015* When receiving an SCTP packet, the endpoint MUST ensure that the1016* value in the Verification Tag field of the received SCTP packet1017* matches its own Tag. If the received Verification Tag value does not1018* match the receiver's own tag value, the receiver shall silently1019* discard the packet and shall not process it any further except for1020* those cases listed in Section 8.5.1 below.1021*1022* Inputs1023* (endpoint, asoc, chunk)1024*1025* Outputs1026* (asoc, reply_msg, msg_up, timers, counters)1027*1028* The return value is the disposition of the chunk.1029*/1030sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,1031const struct sctp_association *asoc,1032const sctp_subtype_t type,1033void *arg,1034sctp_cmd_seq_t *commands)1035{1036struct sctp_chunk *chunk = arg;1037struct sctp_chunk *reply;1038size_t paylen = 0;10391040if (!sctp_vtag_verify(chunk, asoc))1041return sctp_sf_pdiscard(ep, asoc, type, arg, commands);10421043/* Make sure that the HEARTBEAT chunk has a valid length. */1044if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))1045return sctp_sf_violation_chunklen(ep, asoc, type, arg,1046commands);10471048/* 8.3 The receiver of the HEARTBEAT should immediately1049* respond with a HEARTBEAT ACK that contains the Heartbeat1050* Information field copied from the received HEARTBEAT chunk.1051*/1052chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;1053paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);1054if (!pskb_pull(chunk->skb, paylen))1055goto nomem;10561057reply = sctp_make_heartbeat_ack(asoc, chunk,1058chunk->subh.hb_hdr, paylen);1059if (!reply)1060goto nomem;10611062sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));1063return SCTP_DISPOSITION_CONSUME;10641065nomem:1066return SCTP_DISPOSITION_NOMEM;1067}10681069/*1070* Process the returning HEARTBEAT ACK.1071*1072* Section: 8.3 Path Heartbeat1073* Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT1074* should clear the error counter of the destination transport1075* address to which the HEARTBEAT was sent, and mark the destination1076* transport address as active if it is not so marked. The endpoint may1077* optionally report to the upper layer when an inactive destination1078* address is marked as active due to the reception of the latest1079* HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also1080* clear the association overall error count as well (as defined1081* in section 8.1).1082*1083* The receiver of the HEARTBEAT ACK should also perform an RTT1084* measurement for that destination transport address using the time1085* value carried in the HEARTBEAT ACK chunk.1086*1087* Verification Tag: 8.5 Verification Tag [Normal verification]1088*1089* Inputs1090* (endpoint, asoc, chunk)1091*1092* Outputs1093* (asoc, reply_msg, msg_up, timers, counters)1094*1095* The return value is the disposition of the chunk.1096*/1097sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,1098const struct sctp_association *asoc,1099const sctp_subtype_t type,1100void *arg,1101sctp_cmd_seq_t *commands)1102{1103struct sctp_chunk *chunk = arg;1104union sctp_addr from_addr;1105struct sctp_transport *link;1106sctp_sender_hb_info_t *hbinfo;1107unsigned long max_interval;11081109if (!sctp_vtag_verify(chunk, asoc))1110return sctp_sf_pdiscard(ep, asoc, type, arg, commands);11111112/* Make sure that the HEARTBEAT-ACK chunk has a valid length. */1113if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +1114sizeof(sctp_sender_hb_info_t)))1115return sctp_sf_violation_chunklen(ep, asoc, type, arg,1116commands);11171118hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;1119/* Make sure that the length of the parameter is what we expect */1120if (ntohs(hbinfo->param_hdr.length) !=1121sizeof(sctp_sender_hb_info_t)) {1122return SCTP_DISPOSITION_DISCARD;1123}11241125from_addr = hbinfo->daddr;1126link = sctp_assoc_lookup_paddr(asoc, &from_addr);11271128/* This should never happen, but lets log it if so. */1129if (unlikely(!link)) {1130if (from_addr.sa.sa_family == AF_INET6) {1131if (net_ratelimit())1132pr_warn("%s association %p could not find address %pI6\n",1133__func__,1134asoc,1135&from_addr.v6.sin6_addr);1136} else {1137if (net_ratelimit())1138pr_warn("%s association %p could not find address %pI4\n",1139__func__,1140asoc,1141&from_addr.v4.sin_addr.s_addr);1142}1143return SCTP_DISPOSITION_DISCARD;1144}11451146/* Validate the 64-bit random nonce. */1147if (hbinfo->hb_nonce != link->hb_nonce)1148return SCTP_DISPOSITION_DISCARD;11491150max_interval = link->hbinterval + link->rto;11511152/* Check if the timestamp looks valid. */1153if (time_after(hbinfo->sent_at, jiffies) ||1154time_after(jiffies, hbinfo->sent_at + max_interval)) {1155SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp "1156"received for transport: %p\n",1157__func__, link);1158return SCTP_DISPOSITION_DISCARD;1159}11601161/* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of1162* the HEARTBEAT should clear the error counter of the1163* destination transport address to which the HEARTBEAT was1164* sent and mark the destination transport address as active if1165* it is not so marked.1166*/1167sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));11681169return SCTP_DISPOSITION_CONSUME;1170}11711172/* Helper function to send out an abort for the restart1173* condition.1174*/1175static int sctp_sf_send_restart_abort(union sctp_addr *ssa,1176struct sctp_chunk *init,1177sctp_cmd_seq_t *commands)1178{1179int len;1180struct sctp_packet *pkt;1181union sctp_addr_param *addrparm;1182struct sctp_errhdr *errhdr;1183struct sctp_endpoint *ep;1184char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];1185struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);11861187/* Build the error on the stack. We are way to malloc crazy1188* throughout the code today.1189*/1190errhdr = (struct sctp_errhdr *)buffer;1191addrparm = (union sctp_addr_param *)errhdr->variable;11921193/* Copy into a parm format. */1194len = af->to_addr_param(ssa, addrparm);1195len += sizeof(sctp_errhdr_t);11961197errhdr->cause = SCTP_ERROR_RESTART;1198errhdr->length = htons(len);11991200/* Assign to the control socket. */1201ep = sctp_sk((sctp_get_ctl_sock()))->ep;12021203/* Association is NULL since this may be a restart attack and we1204* want to send back the attacker's vtag.1205*/1206pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len);12071208if (!pkt)1209goto out;1210sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));12111212SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);12131214/* Discard the rest of the inbound packet. */1215sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());12161217out:1218/* Even if there is no memory, treat as a failure so1219* the packet will get dropped.1220*/1221return 0;1222}12231224static bool list_has_sctp_addr(const struct list_head *list,1225union sctp_addr *ipaddr)1226{1227struct sctp_transport *addr;12281229list_for_each_entry(addr, list, transports) {1230if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))1231return true;1232}12331234return false;1235}1236/* A restart is occurring, check to make sure no new addresses1237* are being added as we may be under a takeover attack.1238*/1239static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,1240const struct sctp_association *asoc,1241struct sctp_chunk *init,1242sctp_cmd_seq_t *commands)1243{1244struct sctp_transport *new_addr;1245int ret = 1;12461247/* Implementor's Guide - Section 5.2.21248* ...1249* Before responding the endpoint MUST check to see if the1250* unexpected INIT adds new addresses to the association. If new1251* addresses are added to the association, the endpoint MUST respond1252* with an ABORT..1253*/12541255/* Search through all current addresses and make sure1256* we aren't adding any new ones.1257*/1258list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,1259transports) {1260if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,1261&new_addr->ipaddr)) {1262sctp_sf_send_restart_abort(&new_addr->ipaddr, init,1263commands);1264ret = 0;1265break;1266}1267}12681269/* Return success if all addresses were found. */1270return ret;1271}12721273/* Populate the verification/tie tags based on overlapping INIT1274* scenario.1275*1276* Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.1277*/1278static void sctp_tietags_populate(struct sctp_association *new_asoc,1279const struct sctp_association *asoc)1280{1281switch (asoc->state) {12821283/* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */12841285case SCTP_STATE_COOKIE_WAIT:1286new_asoc->c.my_vtag = asoc->c.my_vtag;1287new_asoc->c.my_ttag = asoc->c.my_vtag;1288new_asoc->c.peer_ttag = 0;1289break;12901291case SCTP_STATE_COOKIE_ECHOED:1292new_asoc->c.my_vtag = asoc->c.my_vtag;1293new_asoc->c.my_ttag = asoc->c.my_vtag;1294new_asoc->c.peer_ttag = asoc->c.peer_vtag;1295break;12961297/* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,1298* COOKIE-WAIT and SHUTDOWN-ACK-SENT1299*/1300default:1301new_asoc->c.my_ttag = asoc->c.my_vtag;1302new_asoc->c.peer_ttag = asoc->c.peer_vtag;1303break;1304}13051306/* Other parameters for the endpoint SHOULD be copied from the1307* existing parameters of the association (e.g. number of1308* outbound streams) into the INIT ACK and cookie.1309*/1310new_asoc->rwnd = asoc->rwnd;1311new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;1312new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;1313new_asoc->c.initial_tsn = asoc->c.initial_tsn;1314}13151316/*1317* Compare vtag/tietag values to determine unexpected COOKIE-ECHO1318* handling action.1319*1320* RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.1321*1322* Returns value representing action to be taken. These action values1323* correspond to Action/Description values in RFC 2960, Table 2.1324*/1325static char sctp_tietags_compare(struct sctp_association *new_asoc,1326const struct sctp_association *asoc)1327{1328/* In this case, the peer may have restarted. */1329if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&1330(asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&1331(asoc->c.my_vtag == new_asoc->c.my_ttag) &&1332(asoc->c.peer_vtag == new_asoc->c.peer_ttag))1333return 'A';13341335/* Collision case B. */1336if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&1337((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||1338(0 == asoc->c.peer_vtag))) {1339return 'B';1340}13411342/* Collision case D. */1343if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&1344(asoc->c.peer_vtag == new_asoc->c.peer_vtag))1345return 'D';13461347/* Collision case C. */1348if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&1349(asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&1350(0 == new_asoc->c.my_ttag) &&1351(0 == new_asoc->c.peer_ttag))1352return 'C';13531354/* No match to any of the special cases; discard this packet. */1355return 'E';1356}13571358/* Common helper routine for both duplicate and simulataneous INIT1359* chunk handling.1360*/1361static sctp_disposition_t sctp_sf_do_unexpected_init(1362const struct sctp_endpoint *ep,1363const struct sctp_association *asoc,1364const sctp_subtype_t type,1365void *arg, sctp_cmd_seq_t *commands)1366{1367sctp_disposition_t retval;1368struct sctp_chunk *chunk = arg;1369struct sctp_chunk *repl;1370struct sctp_association *new_asoc;1371struct sctp_chunk *err_chunk;1372struct sctp_packet *packet;1373sctp_unrecognized_param_t *unk_param;1374int len;13751376/* 6.10 Bundling1377* An endpoint MUST NOT bundle INIT, INIT ACK or1378* SHUTDOWN COMPLETE with any other chunks.1379*1380* IG Section 2.11.21381* Furthermore, we require that the receiver of an INIT chunk MUST1382* enforce these rules by silently discarding an arriving packet1383* with an INIT chunk that is bundled with other chunks.1384*/1385if (!chunk->singleton)1386return sctp_sf_pdiscard(ep, asoc, type, arg, commands);13871388/* 3.1 A packet containing an INIT chunk MUST have a zero Verification1389* Tag.1390*/1391if (chunk->sctp_hdr->vtag != 0)1392return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);13931394/* Make sure that the INIT chunk has a valid length.1395* In this case, we generate a protocol violation since we have1396* an association established.1397*/1398if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))1399return sctp_sf_violation_chunklen(ep, asoc, type, arg,1400commands);1401/* Grab the INIT header. */1402chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;14031404/* Tag the variable length parameters. */1405chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));14061407/* Verify the INIT chunk before processing it. */1408err_chunk = NULL;1409if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,1410(sctp_init_chunk_t *)chunk->chunk_hdr, chunk,1411&err_chunk)) {1412/* This chunk contains fatal error. It is to be discarded.1413* Send an ABORT, with causes if there is any.1414*/1415if (err_chunk) {1416packet = sctp_abort_pkt_new(ep, asoc, arg,1417(__u8 *)(err_chunk->chunk_hdr) +1418sizeof(sctp_chunkhdr_t),1419ntohs(err_chunk->chunk_hdr->length) -1420sizeof(sctp_chunkhdr_t));14211422if (packet) {1423sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,1424SCTP_PACKET(packet));1425SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);1426retval = SCTP_DISPOSITION_CONSUME;1427} else {1428retval = SCTP_DISPOSITION_NOMEM;1429}1430goto cleanup;1431} else {1432return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,1433commands);1434}1435}14361437/*1438* Other parameters for the endpoint SHOULD be copied from the1439* existing parameters of the association (e.g. number of1440* outbound streams) into the INIT ACK and cookie.1441* FIXME: We are copying parameters from the endpoint not the1442* association.1443*/1444new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);1445if (!new_asoc)1446goto nomem;14471448if (sctp_assoc_set_bind_addr_from_ep(new_asoc,1449sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)1450goto nomem;14511452/* In the outbound INIT ACK the endpoint MUST copy its current1453* Verification Tag and Peers Verification tag into a reserved1454* place (local tie-tag and per tie-tag) within the state cookie.1455*/1456if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),1457(sctp_init_chunk_t *)chunk->chunk_hdr,1458GFP_ATOMIC))1459goto nomem;14601461/* Make sure no new addresses are being added during the1462* restart. Do not do this check for COOKIE-WAIT state,1463* since there are no peer addresses to check against.1464* Upon return an ABORT will have been sent if needed.1465*/1466if (!sctp_state(asoc, COOKIE_WAIT)) {1467if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,1468commands)) {1469retval = SCTP_DISPOSITION_CONSUME;1470goto nomem_retval;1471}1472}14731474sctp_tietags_populate(new_asoc, asoc);14751476/* B) "Z" shall respond immediately with an INIT ACK chunk. */14771478/* If there are errors need to be reported for unknown parameters,1479* make sure to reserve enough room in the INIT ACK for them.1480*/1481len = 0;1482if (err_chunk) {1483len = ntohs(err_chunk->chunk_hdr->length) -1484sizeof(sctp_chunkhdr_t);1485}14861487repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);1488if (!repl)1489goto nomem;14901491/* If there are errors need to be reported for unknown parameters,1492* include them in the outgoing INIT ACK as "Unrecognized parameter"1493* parameter.1494*/1495if (err_chunk) {1496/* Get the "Unrecognized parameter" parameter(s) out of the1497* ERROR chunk generated by sctp_verify_init(). Since the1498* error cause code for "unknown parameter" and the1499* "Unrecognized parameter" type is the same, we can1500* construct the parameters in INIT ACK by copying the1501* ERROR causes over.1502*/1503unk_param = (sctp_unrecognized_param_t *)1504((__u8 *)(err_chunk->chunk_hdr) +1505sizeof(sctp_chunkhdr_t));1506/* Replace the cause code with the "Unrecognized parameter"1507* parameter type.1508*/1509sctp_addto_chunk(repl, len, unk_param);1510}15111512sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));1513sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));15141515/*1516* Note: After sending out INIT ACK with the State Cookie parameter,1517* "Z" MUST NOT allocate any resources for this new association.1518* Otherwise, "Z" will be vulnerable to resource attacks.1519*/1520sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());1521retval = SCTP_DISPOSITION_CONSUME;15221523return retval;15241525nomem:1526retval = SCTP_DISPOSITION_NOMEM;1527nomem_retval:1528if (new_asoc)1529sctp_association_free(new_asoc);1530cleanup:1531if (err_chunk)1532sctp_chunk_free(err_chunk);1533return retval;1534}15351536/*1537* Handle simultaneous INIT.1538* This means we started an INIT and then we got an INIT request from1539* our peer.1540*1541* Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)1542* This usually indicates an initialization collision, i.e., each1543* endpoint is attempting, at about the same time, to establish an1544* association with the other endpoint.1545*1546* Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an1547* endpoint MUST respond with an INIT ACK using the same parameters it1548* sent in its original INIT chunk (including its Verification Tag,1549* unchanged). These original parameters are combined with those from the1550* newly received INIT chunk. The endpoint shall also generate a State1551* Cookie with the INIT ACK. The endpoint uses the parameters sent in its1552* INIT to calculate the State Cookie.1553*1554* After that, the endpoint MUST NOT change its state, the T1-init1555* timer shall be left running and the corresponding TCB MUST NOT be1556* destroyed. The normal procedures for handling State Cookies when1557* a TCB exists will resolve the duplicate INITs to a single association.1558*1559* For an endpoint that is in the COOKIE-ECHOED state it MUST populate1560* its Tie-Tags with the Tag information of itself and its peer (see1561* section 5.2.2 for a description of the Tie-Tags).1562*1563* Verification Tag: Not explicit, but an INIT can not have a valid1564* verification tag, so we skip the check.1565*1566* Inputs1567* (endpoint, asoc, chunk)1568*1569* Outputs1570* (asoc, reply_msg, msg_up, timers, counters)1571*1572* The return value is the disposition of the chunk.1573*/1574sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep,1575const struct sctp_association *asoc,1576const sctp_subtype_t type,1577void *arg,1578sctp_cmd_seq_t *commands)1579{1580/* Call helper to do the real work for both simulataneous and1581* duplicate INIT chunk handling.1582*/1583return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);1584}15851586/*1587* Handle duplicated INIT messages. These are usually delayed1588* restransmissions.1589*1590* Section: 5.2.2 Unexpected INIT in States Other than CLOSED,1591* COOKIE-ECHOED and COOKIE-WAIT1592*1593* Unless otherwise stated, upon reception of an unexpected INIT for1594* this association, the endpoint shall generate an INIT ACK with a1595* State Cookie. In the outbound INIT ACK the endpoint MUST copy its1596* current Verification Tag and peer's Verification Tag into a reserved1597* place within the state cookie. We shall refer to these locations as1598* the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet1599* containing this INIT ACK MUST carry a Verification Tag value equal to1600* the Initiation Tag found in the unexpected INIT. And the INIT ACK1601* MUST contain a new Initiation Tag (randomly generated see Section1602* 5.3.1). Other parameters for the endpoint SHOULD be copied from the1603* existing parameters of the association (e.g. number of outbound1604* streams) into the INIT ACK and cookie.1605*1606* After sending out the INIT ACK, the endpoint shall take no further1607* actions, i.e., the existing association, including its current state,1608* and the corresponding TCB MUST NOT be changed.1609*1610* Note: Only when a TCB exists and the association is not in a COOKIE-1611* WAIT state are the Tie-Tags populated. For a normal association INIT1612* (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be1613* set to 0 (indicating that no previous TCB existed). The INIT ACK and1614* State Cookie are populated as specified in section 5.2.1.1615*1616* Verification Tag: Not specified, but an INIT has no way of knowing1617* what the verification tag could be, so we ignore it.1618*1619* Inputs1620* (endpoint, asoc, chunk)1621*1622* Outputs1623* (asoc, reply_msg, msg_up, timers, counters)1624*1625* The return value is the disposition of the chunk.1626*/1627sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep,1628const struct sctp_association *asoc,1629const sctp_subtype_t type,1630void *arg,1631sctp_cmd_seq_t *commands)1632{1633/* Call helper to do the real work for both simulataneous and1634* duplicate INIT chunk handling.1635*/1636return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);1637}163816391640/*1641* Unexpected INIT-ACK handler.1642*1643* Section 5.2.31644* If an INIT ACK received by an endpoint in any state other than the1645* COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.1646* An unexpected INIT ACK usually indicates the processing of an old or1647* duplicated INIT chunk.1648*/1649sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep,1650const struct sctp_association *asoc,1651const sctp_subtype_t type,1652void *arg, sctp_cmd_seq_t *commands)1653{1654/* Per the above section, we'll discard the chunk if we have an1655* endpoint. If this is an OOTB INIT-ACK, treat it as such.1656*/1657if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)1658return sctp_sf_ootb(ep, asoc, type, arg, commands);1659else1660return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);1661}16621663/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')1664*1665* Section 5.2.41666* A) In this case, the peer may have restarted.1667*/1668static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,1669const struct sctp_association *asoc,1670struct sctp_chunk *chunk,1671sctp_cmd_seq_t *commands,1672struct sctp_association *new_asoc)1673{1674sctp_init_chunk_t *peer_init;1675struct sctp_ulpevent *ev;1676struct sctp_chunk *repl;1677struct sctp_chunk *err;1678sctp_disposition_t disposition;16791680/* new_asoc is a brand-new association, so these are not yet1681* side effects--it is safe to run them here.1682*/1683peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];16841685if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,1686GFP_ATOMIC))1687goto nomem;16881689/* Make sure no new addresses are being added during the1690* restart. Though this is a pretty complicated attack1691* since you'd have to get inside the cookie.1692*/1693if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {1694return SCTP_DISPOSITION_CONSUME;1695}16961697/* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes1698* the peer has restarted (Action A), it MUST NOT setup a new1699* association but instead resend the SHUTDOWN ACK and send an ERROR1700* chunk with a "Cookie Received while Shutting Down" error cause to1701* its peer.1702*/1703if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {1704disposition = sctp_sf_do_9_2_reshutack(ep, asoc,1705SCTP_ST_CHUNK(chunk->chunk_hdr->type),1706chunk, commands);1707if (SCTP_DISPOSITION_NOMEM == disposition)1708goto nomem;17091710err = sctp_make_op_error(asoc, chunk,1711SCTP_ERROR_COOKIE_IN_SHUTDOWN,1712NULL, 0, 0);1713if (err)1714sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,1715SCTP_CHUNK(err));17161717return SCTP_DISPOSITION_CONSUME;1718}17191720/* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked1721* data. Consider the optional choice of resending of this data.1722*/1723sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());1724sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,1725SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));1726sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());17271728/* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue1729* and ASCONF-ACK cache.1730*/1731sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,1732SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));1733sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());17341735repl = sctp_make_cookie_ack(new_asoc, chunk);1736if (!repl)1737goto nomem;17381739/* Report association restart to upper layer. */1740ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,1741new_asoc->c.sinit_num_ostreams,1742new_asoc->c.sinit_max_instreams,1743NULL, GFP_ATOMIC);1744if (!ev)1745goto nomem_ev;17461747/* Update the content of current association. */1748sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));1749sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));1750sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));1751return SCTP_DISPOSITION_CONSUME;17521753nomem_ev:1754sctp_chunk_free(repl);1755nomem:1756return SCTP_DISPOSITION_NOMEM;1757}17581759/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')1760*1761* Section 5.2.41762* B) In this case, both sides may be attempting to start an association1763* at about the same time but the peer endpoint started its INIT1764* after responding to the local endpoint's INIT1765*/1766/* This case represents an initialization collision. */1767static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,1768const struct sctp_association *asoc,1769struct sctp_chunk *chunk,1770sctp_cmd_seq_t *commands,1771struct sctp_association *new_asoc)1772{1773sctp_init_chunk_t *peer_init;1774struct sctp_chunk *repl;17751776/* new_asoc is a brand-new association, so these are not yet1777* side effects--it is safe to run them here.1778*/1779peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];1780if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,1781GFP_ATOMIC))1782goto nomem;17831784/* Update the content of current association. */1785sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));1786sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,1787SCTP_STATE(SCTP_STATE_ESTABLISHED));1788SCTP_INC_STATS(SCTP_MIB_CURRESTAB);1789sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());17901791repl = sctp_make_cookie_ack(new_asoc, chunk);1792if (!repl)1793goto nomem;17941795sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));17961797/* RFC 2960 5.1 Normal Establishment of an Association1798*1799* D) IMPLEMENTATION NOTE: An implementation may choose to1800* send the Communication Up notification to the SCTP user1801* upon reception of a valid COOKIE ECHO chunk.1802*1803* Sadly, this needs to be implemented as a side-effect, because1804* we are not guaranteed to have set the association id of the real1805* association and so these notifications need to be delayed until1806* the association id is allocated.1807*/18081809sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));18101811/* Sockets API Draft Section 5.3.1.61812* When a peer sends a Adaptation Layer Indication parameter , SCTP1813* delivers this notification to inform the application that of the1814* peers requested adaptation layer.1815*1816* This also needs to be done as a side effect for the same reason as1817* above.1818*/1819if (asoc->peer.adaptation_ind)1820sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());18211822return SCTP_DISPOSITION_CONSUME;18231824nomem:1825return SCTP_DISPOSITION_NOMEM;1826}18271828/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')1829*1830* Section 5.2.41831* C) In this case, the local endpoint's cookie has arrived late.1832* Before it arrived, the local endpoint sent an INIT and received an1833* INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag1834* but a new tag of its own.1835*/1836/* This case represents an initialization collision. */1837static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep,1838const struct sctp_association *asoc,1839struct sctp_chunk *chunk,1840sctp_cmd_seq_t *commands,1841struct sctp_association *new_asoc)1842{1843/* The cookie should be silently discarded.1844* The endpoint SHOULD NOT change states and should leave1845* any timers running.1846*/1847return SCTP_DISPOSITION_DISCARD;1848}18491850/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')1851*1852* Section 5.2.41853*1854* D) When both local and remote tags match the endpoint should always1855* enter the ESTABLISHED state, if it has not already done so.1856*/1857/* This case represents an initialization collision. */1858static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep,1859const struct sctp_association *asoc,1860struct sctp_chunk *chunk,1861sctp_cmd_seq_t *commands,1862struct sctp_association *new_asoc)1863{1864struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;1865struct sctp_chunk *repl;18661867/* Clarification from Implementor's Guide:1868* D) When both local and remote tags match the endpoint should1869* enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.1870* It should stop any cookie timer that may be running and send1871* a COOKIE ACK.1872*/18731874/* Don't accidentally move back into established state. */1875if (asoc->state < SCTP_STATE_ESTABLISHED) {1876sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,1877SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));1878sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,1879SCTP_STATE(SCTP_STATE_ESTABLISHED));1880SCTP_INC_STATS(SCTP_MIB_CURRESTAB);1881sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,1882SCTP_NULL());18831884/* RFC 2960 5.1 Normal Establishment of an Association1885*1886* D) IMPLEMENTATION NOTE: An implementation may choose1887* to send the Communication Up notification to the1888* SCTP user upon reception of a valid COOKIE1889* ECHO chunk.1890*/1891ev = sctp_ulpevent_make_assoc_change(asoc, 0,1892SCTP_COMM_UP, 0,1893asoc->c.sinit_num_ostreams,1894asoc->c.sinit_max_instreams,1895NULL, GFP_ATOMIC);1896if (!ev)1897goto nomem;18981899/* Sockets API Draft Section 5.3.1.61900* When a peer sends a Adaptation Layer Indication parameter,1901* SCTP delivers this notification to inform the application1902* that of the peers requested adaptation layer.1903*/1904if (asoc->peer.adaptation_ind) {1905ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,1906GFP_ATOMIC);1907if (!ai_ev)1908goto nomem;19091910}1911}19121913repl = sctp_make_cookie_ack(new_asoc, chunk);1914if (!repl)1915goto nomem;19161917sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));19181919if (ev)1920sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,1921SCTP_ULPEVENT(ev));1922if (ai_ev)1923sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,1924SCTP_ULPEVENT(ai_ev));19251926return SCTP_DISPOSITION_CONSUME;19271928nomem:1929if (ai_ev)1930sctp_ulpevent_free(ai_ev);1931if (ev)1932sctp_ulpevent_free(ev);1933return SCTP_DISPOSITION_NOMEM;1934}19351936/*1937* Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying1938* chunk was retransmitted and then delayed in the network.1939*1940* Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists1941*1942* Verification Tag: None. Do cookie validation.1943*1944* Inputs1945* (endpoint, asoc, chunk)1946*1947* Outputs1948* (asoc, reply_msg, msg_up, timers, counters)1949*1950* The return value is the disposition of the chunk.1951*/1952sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,1953const struct sctp_association *asoc,1954const sctp_subtype_t type,1955void *arg,1956sctp_cmd_seq_t *commands)1957{1958sctp_disposition_t retval;1959struct sctp_chunk *chunk = arg;1960struct sctp_association *new_asoc;1961int error = 0;1962char action;1963struct sctp_chunk *err_chk_p;19641965/* Make sure that the chunk has a valid length from the protocol1966* perspective. In this case check to make sure we have at least1967* enough for the chunk header. Cookie length verification is1968* done later.1969*/1970if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))1971return sctp_sf_violation_chunklen(ep, asoc, type, arg,1972commands);19731974/* "Decode" the chunk. We have no optional parameters so we1975* are in good shape.1976*/1977chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;1978if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -1979sizeof(sctp_chunkhdr_t)))1980goto nomem;19811982/* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie1983* of a duplicate COOKIE ECHO match the Verification Tags of the1984* current association, consider the State Cookie valid even if1985* the lifespan is exceeded.1986*/1987new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,1988&err_chk_p);19891990/* FIXME:1991* If the re-build failed, what is the proper error path1992* from here?1993*1994* [We should abort the association. --piggy]1995*/1996if (!new_asoc) {1997/* FIXME: Several errors are possible. A bad cookie should1998* be silently discarded, but think about logging it too.1999*/2000switch (error) {2001case -SCTP_IERROR_NOMEM:2002goto nomem;20032004case -SCTP_IERROR_STALE_COOKIE:2005sctp_send_stale_cookie_err(ep, asoc, chunk, commands,2006err_chk_p);2007return sctp_sf_pdiscard(ep, asoc, type, arg, commands);2008case -SCTP_IERROR_BAD_SIG:2009default:2010return sctp_sf_pdiscard(ep, asoc, type, arg, commands);2011}2012}20132014/* Compare the tie_tag in cookie with the verification tag of2015* current association.2016*/2017action = sctp_tietags_compare(new_asoc, asoc);20182019switch (action) {2020case 'A': /* Association restart. */2021retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands,2022new_asoc);2023break;20242025case 'B': /* Collision case B. */2026retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands,2027new_asoc);2028break;20292030case 'C': /* Collision case C. */2031retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands,2032new_asoc);2033break;20342035case 'D': /* Collision case D. */2036retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands,2037new_asoc);2038break;20392040default: /* Discard packet for all others. */2041retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands);2042break;2043}20442045/* Delete the tempory new association. */2046sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));2047sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());20482049return retval;20502051nomem:2052return SCTP_DISPOSITION_NOMEM;2053}20542055/*2056* Process an ABORT. (SHUTDOWN-PENDING state)2057*2058* See sctp_sf_do_9_1_abort().2059*/2060sctp_disposition_t sctp_sf_shutdown_pending_abort(2061const struct sctp_endpoint *ep,2062const struct sctp_association *asoc,2063const sctp_subtype_t type,2064void *arg,2065sctp_cmd_seq_t *commands)2066{2067struct sctp_chunk *chunk = arg;20682069if (!sctp_vtag_verify_either(chunk, asoc))2070return sctp_sf_pdiscard(ep, asoc, type, arg, commands);20712072/* Make sure that the ABORT chunk has a valid length.2073* Since this is an ABORT chunk, we have to discard it2074* because of the following text:2075* RFC 2960, Section 3.3.72076* If an endpoint receives an ABORT with a format error or for an2077* association that doesn't exist, it MUST silently discard it.2078* Because the length is "invalid", we can't really discard just2079* as we do not know its true length. So, to be safe, discard the2080* packet.2081*/2082if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))2083return sctp_sf_pdiscard(ep, asoc, type, arg, commands);20842085/* ADD-IP: Special case for ABORT chunks2086* F4) One special consideration is that ABORT Chunks arriving2087* destined to the IP address being deleted MUST be2088* ignored (see Section 5.3.1 for further details).2089*/2090if (SCTP_ADDR_DEL ==2091sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))2092return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);20932094return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);2095}20962097/*2098* Process an ABORT. (SHUTDOWN-SENT state)2099*2100* See sctp_sf_do_9_1_abort().2101*/2102sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,2103const struct sctp_association *asoc,2104const sctp_subtype_t type,2105void *arg,2106sctp_cmd_seq_t *commands)2107{2108struct sctp_chunk *chunk = arg;21092110if (!sctp_vtag_verify_either(chunk, asoc))2111return sctp_sf_pdiscard(ep, asoc, type, arg, commands);21122113/* Make sure that the ABORT chunk has a valid length.2114* Since this is an ABORT chunk, we have to discard it2115* because of the following text:2116* RFC 2960, Section 3.3.72117* If an endpoint receives an ABORT with a format error or for an2118* association that doesn't exist, it MUST silently discard it.2119* Because the length is "invalid", we can't really discard just2120* as we do not know its true length. So, to be safe, discard the2121* packet.2122*/2123if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))2124return sctp_sf_pdiscard(ep, asoc, type, arg, commands);21252126/* ADD-IP: Special case for ABORT chunks2127* F4) One special consideration is that ABORT Chunks arriving2128* destined to the IP address being deleted MUST be2129* ignored (see Section 5.3.1 for further details).2130*/2131if (SCTP_ADDR_DEL ==2132sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))2133return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);21342135/* Stop the T2-shutdown timer. */2136sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,2137SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));21382139/* Stop the T5-shutdown guard timer. */2140sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,2141SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));21422143return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);2144}21452146/*2147* Process an ABORT. (SHUTDOWN-ACK-SENT state)2148*2149* See sctp_sf_do_9_1_abort().2150*/2151sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(2152const struct sctp_endpoint *ep,2153const struct sctp_association *asoc,2154const sctp_subtype_t type,2155void *arg,2156sctp_cmd_seq_t *commands)2157{2158/* The same T2 timer, so we should be able to use2159* common function with the SHUTDOWN-SENT state.2160*/2161return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands);2162}21632164/*2165* Handle an Error received in COOKIE_ECHOED state.2166*2167* Only handle the error type of stale COOKIE Error, the other errors will2168* be ignored.2169*2170* Inputs2171* (endpoint, asoc, chunk)2172*2173* Outputs2174* (asoc, reply_msg, msg_up, timers, counters)2175*2176* The return value is the disposition of the chunk.2177*/2178sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep,2179const struct sctp_association *asoc,2180const sctp_subtype_t type,2181void *arg,2182sctp_cmd_seq_t *commands)2183{2184struct sctp_chunk *chunk = arg;2185sctp_errhdr_t *err;21862187if (!sctp_vtag_verify(chunk, asoc))2188return sctp_sf_pdiscard(ep, asoc, type, arg, commands);21892190/* Make sure that the ERROR chunk has a valid length.2191* The parameter walking depends on this as well.2192*/2193if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))2194return sctp_sf_violation_chunklen(ep, asoc, type, arg,2195commands);21962197/* Process the error here */2198/* FUTURE FIXME: When PR-SCTP related and other optional2199* parms are emitted, this will have to change to handle multiple2200* errors.2201*/2202sctp_walk_errors(err, chunk->chunk_hdr) {2203if (SCTP_ERROR_STALE_COOKIE == err->cause)2204return sctp_sf_do_5_2_6_stale(ep, asoc, type,2205arg, commands);2206}22072208/* It is possible to have malformed error causes, and that2209* will cause us to end the walk early. However, since2210* we are discarding the packet, there should be no adverse2211* affects.2212*/2213return sctp_sf_pdiscard(ep, asoc, type, arg, commands);2214}22152216/*2217* Handle a Stale COOKIE Error2218*2219* Section: 5.2.6 Handle Stale COOKIE Error2220* If the association is in the COOKIE-ECHOED state, the endpoint may elect2221* one of the following three alternatives.2222* ...2223* 3) Send a new INIT chunk to the endpoint, adding a Cookie2224* Preservative parameter requesting an extension to the lifetime of2225* the State Cookie. When calculating the time extension, an2226* implementation SHOULD use the RTT information measured based on the2227* previous COOKIE ECHO / ERROR exchange, and should add no more2228* than 1 second beyond the measured RTT, due to long State Cookie2229* lifetimes making the endpoint more subject to a replay attack.2230*2231* Verification Tag: Not explicit, but safe to ignore.2232*2233* Inputs2234* (endpoint, asoc, chunk)2235*2236* Outputs2237* (asoc, reply_msg, msg_up, timers, counters)2238*2239* The return value is the disposition of the chunk.2240*/2241static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,2242const struct sctp_association *asoc,2243const sctp_subtype_t type,2244void *arg,2245sctp_cmd_seq_t *commands)2246{2247struct sctp_chunk *chunk = arg;2248time_t stale;2249sctp_cookie_preserve_param_t bht;2250sctp_errhdr_t *err;2251struct sctp_chunk *reply;2252struct sctp_bind_addr *bp;2253int attempts = asoc->init_err_counter + 1;22542255if (attempts > asoc->max_init_attempts) {2256sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,2257SCTP_ERROR(ETIMEDOUT));2258sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,2259SCTP_PERR(SCTP_ERROR_STALE_COOKIE));2260return SCTP_DISPOSITION_DELETE_TCB;2261}22622263err = (sctp_errhdr_t *)(chunk->skb->data);22642265/* When calculating the time extension, an implementation2266* SHOULD use the RTT information measured based on the2267* previous COOKIE ECHO / ERROR exchange, and should add no2268* more than 1 second beyond the measured RTT, due to long2269* State Cookie lifetimes making the endpoint more subject to2270* a replay attack.2271* Measure of Staleness's unit is usec. (1/1000000 sec)2272* Suggested Cookie Life-span Increment's unit is msec.2273* (1/1000 sec)2274* In general, if you use the suggested cookie life, the value2275* found in the field of measure of staleness should be doubled2276* to give ample time to retransmit the new cookie and thus2277* yield a higher probability of success on the reattempt.2278*/2279stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));2280stale = (stale * 2) / 1000;22812282bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;2283bht.param_hdr.length = htons(sizeof(bht));2284bht.lifespan_increment = htonl(stale);22852286/* Build that new INIT chunk. */2287bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;2288reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));2289if (!reply)2290goto nomem;22912292sctp_addto_chunk(reply, sizeof(bht), &bht);22932294/* Clear peer's init_tag cached in assoc as we are sending a new INIT */2295sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());22962297/* Stop pending T3-rtx and heartbeat timers */2298sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());2299sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());23002301/* Delete non-primary peer ip addresses since we are transitioning2302* back to the COOKIE-WAIT state2303*/2304sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());23052306/* If we've sent any data bundled with COOKIE-ECHO we will need to2307* resend2308*/2309sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,2310SCTP_TRANSPORT(asoc->peer.primary_path));23112312/* Cast away the const modifier, as we want to just2313* rerun it through as a sideffect.2314*/2315sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());23162317sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,2318SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));2319sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,2320SCTP_STATE(SCTP_STATE_COOKIE_WAIT));2321sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,2322SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));23232324sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));23252326return SCTP_DISPOSITION_CONSUME;23272328nomem:2329return SCTP_DISPOSITION_NOMEM;2330}23312332/*2333* Process an ABORT.2334*2335* Section: 9.12336* After checking the Verification Tag, the receiving endpoint shall2337* remove the association from its record, and shall report the2338* termination to its upper layer.2339*2340* Verification Tag: 8.5.1 Exceptions in Verification Tag Rules2341* B) Rules for packet carrying ABORT:2342*2343* - The endpoint shall always fill in the Verification Tag field of the2344* outbound packet with the destination endpoint's tag value if it2345* is known.2346*2347* - If the ABORT is sent in response to an OOTB packet, the endpoint2348* MUST follow the procedure described in Section 8.4.2349*2350* - The receiver MUST accept the packet if the Verification Tag2351* matches either its own tag, OR the tag of its peer. Otherwise, the2352* receiver MUST silently discard the packet and take no further2353* action.2354*2355* Inputs2356* (endpoint, asoc, chunk)2357*2358* Outputs2359* (asoc, reply_msg, msg_up, timers, counters)2360*2361* The return value is the disposition of the chunk.2362*/2363sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,2364const struct sctp_association *asoc,2365const sctp_subtype_t type,2366void *arg,2367sctp_cmd_seq_t *commands)2368{2369struct sctp_chunk *chunk = arg;23702371if (!sctp_vtag_verify_either(chunk, asoc))2372return sctp_sf_pdiscard(ep, asoc, type, arg, commands);23732374/* Make sure that the ABORT chunk has a valid length.2375* Since this is an ABORT chunk, we have to discard it2376* because of the following text:2377* RFC 2960, Section 3.3.72378* If an endpoint receives an ABORT with a format error or for an2379* association that doesn't exist, it MUST silently discard it.2380* Because the length is "invalid", we can't really discard just2381* as we do not know its true length. So, to be safe, discard the2382* packet.2383*/2384if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))2385return sctp_sf_pdiscard(ep, asoc, type, arg, commands);23862387/* ADD-IP: Special case for ABORT chunks2388* F4) One special consideration is that ABORT Chunks arriving2389* destined to the IP address being deleted MUST be2390* ignored (see Section 5.3.1 for further details).2391*/2392if (SCTP_ADDR_DEL ==2393sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))2394return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);23952396return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);2397}23982399static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,2400const struct sctp_association *asoc,2401const sctp_subtype_t type,2402void *arg,2403sctp_cmd_seq_t *commands)2404{2405struct sctp_chunk *chunk = arg;2406unsigned len;2407__be16 error = SCTP_ERROR_NO_ERROR;24082409/* See if we have an error cause code in the chunk. */2410len = ntohs(chunk->chunk_hdr->length);2411if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {24122413sctp_errhdr_t *err;2414sctp_walk_errors(err, chunk->chunk_hdr);2415if ((void *)err != (void *)chunk->chunk_end)2416return sctp_sf_pdiscard(ep, asoc, type, arg, commands);24172418error = ((sctp_errhdr_t *)chunk->skb->data)->cause;2419}24202421sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));2422/* ASSOC_FAILED will DELETE_TCB. */2423sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));2424SCTP_INC_STATS(SCTP_MIB_ABORTEDS);2425SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);24262427return SCTP_DISPOSITION_ABORT;2428}24292430/*2431* Process an ABORT. (COOKIE-WAIT state)2432*2433* See sctp_sf_do_9_1_abort() above.2434*/2435sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,2436const struct sctp_association *asoc,2437const sctp_subtype_t type,2438void *arg,2439sctp_cmd_seq_t *commands)2440{2441struct sctp_chunk *chunk = arg;2442unsigned len;2443__be16 error = SCTP_ERROR_NO_ERROR;24442445if (!sctp_vtag_verify_either(chunk, asoc))2446return sctp_sf_pdiscard(ep, asoc, type, arg, commands);24472448/* Make sure that the ABORT chunk has a valid length.2449* Since this is an ABORT chunk, we have to discard it2450* because of the following text:2451* RFC 2960, Section 3.3.72452* If an endpoint receives an ABORT with a format error or for an2453* association that doesn't exist, it MUST silently discard it.2454* Because the length is "invalid", we can't really discard just2455* as we do not know its true length. So, to be safe, discard the2456* packet.2457*/2458if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))2459return sctp_sf_pdiscard(ep, asoc, type, arg, commands);24602461/* See if we have an error cause code in the chunk. */2462len = ntohs(chunk->chunk_hdr->length);2463if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))2464error = ((sctp_errhdr_t *)chunk->skb->data)->cause;24652466return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc,2467chunk->transport);2468}24692470/*2471* Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)2472*/2473sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep,2474const struct sctp_association *asoc,2475const sctp_subtype_t type,2476void *arg,2477sctp_cmd_seq_t *commands)2478{2479return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR,2480ENOPROTOOPT, asoc,2481(struct sctp_transport *)arg);2482}24832484/*2485* Process an ABORT. (COOKIE-ECHOED state)2486*/2487sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep,2488const struct sctp_association *asoc,2489const sctp_subtype_t type,2490void *arg,2491sctp_cmd_seq_t *commands)2492{2493/* There is a single T1 timer, so we should be able to use2494* common function with the COOKIE-WAIT state.2495*/2496return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands);2497}24982499/*2500* Stop T1 timer and abort association with "INIT failed".2501*2502* This is common code called by several sctp_sf_*_abort() functions above.2503*/2504static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,2505__be16 error, int sk_err,2506const struct sctp_association *asoc,2507struct sctp_transport *transport)2508{2509SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");2510sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,2511SCTP_STATE(SCTP_STATE_CLOSED));2512SCTP_INC_STATS(SCTP_MIB_ABORTEDS);2513sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,2514SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));2515sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));2516/* CMD_INIT_FAILED will DELETE_TCB. */2517sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,2518SCTP_PERR(error));2519return SCTP_DISPOSITION_ABORT;2520}25212522/*2523* sctp_sf_do_9_2_shut2524*2525* Section: 9.22526* Upon the reception of the SHUTDOWN, the peer endpoint shall2527* - enter the SHUTDOWN-RECEIVED state,2528*2529* - stop accepting new data from its SCTP user2530*2531* - verify, by checking the Cumulative TSN Ack field of the chunk,2532* that all its outstanding DATA chunks have been received by the2533* SHUTDOWN sender.2534*2535* Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT2536* send a SHUTDOWN in response to a ULP request. And should discard2537* subsequent SHUTDOWN chunks.2538*2539* If there are still outstanding DATA chunks left, the SHUTDOWN2540* receiver shall continue to follow normal data transmission2541* procedures defined in Section 6 until all outstanding DATA chunks2542* are acknowledged; however, the SHUTDOWN receiver MUST NOT accept2543* new data from its SCTP user.2544*2545* Verification Tag: 8.5 Verification Tag [Normal verification]2546*2547* Inputs2548* (endpoint, asoc, chunk)2549*2550* Outputs2551* (asoc, reply_msg, msg_up, timers, counters)2552*2553* The return value is the disposition of the chunk.2554*/2555sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,2556const struct sctp_association *asoc,2557const sctp_subtype_t type,2558void *arg,2559sctp_cmd_seq_t *commands)2560{2561struct sctp_chunk *chunk = arg;2562sctp_shutdownhdr_t *sdh;2563sctp_disposition_t disposition;2564struct sctp_ulpevent *ev;2565__u32 ctsn;25662567if (!sctp_vtag_verify(chunk, asoc))2568return sctp_sf_pdiscard(ep, asoc, type, arg, commands);25692570/* Make sure that the SHUTDOWN chunk has a valid length. */2571if (!sctp_chunk_length_valid(chunk,2572sizeof(struct sctp_shutdown_chunk_t)))2573return sctp_sf_violation_chunklen(ep, asoc, type, arg,2574commands);25752576/* Convert the elaborate header. */2577sdh = (sctp_shutdownhdr_t *)chunk->skb->data;2578skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));2579chunk->subh.shutdown_hdr = sdh;2580ctsn = ntohl(sdh->cum_tsn_ack);25812582if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {2583SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);2584SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);2585return SCTP_DISPOSITION_DISCARD;2586}25872588/* If Cumulative TSN Ack beyond the max tsn currently2589* send, terminating the association and respond to the2590* sender with an ABORT.2591*/2592if (!TSN_lt(ctsn, asoc->next_tsn))2593return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);25942595/* API 5.3.1.5 SCTP_SHUTDOWN_EVENT2596* When a peer sends a SHUTDOWN, SCTP delivers this notification to2597* inform the application that it should cease sending data.2598*/2599ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);2600if (!ev) {2601disposition = SCTP_DISPOSITION_NOMEM;2602goto out;2603}2604sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));26052606/* Upon the reception of the SHUTDOWN, the peer endpoint shall2607* - enter the SHUTDOWN-RECEIVED state,2608* - stop accepting new data from its SCTP user2609*2610* [This is implicit in the new state.]2611*/2612sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,2613SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));2614disposition = SCTP_DISPOSITION_CONSUME;26152616if (sctp_outq_is_empty(&asoc->outqueue)) {2617disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type,2618arg, commands);2619}26202621if (SCTP_DISPOSITION_NOMEM == disposition)2622goto out;26232624/* - verify, by checking the Cumulative TSN Ack field of the2625* chunk, that all its outstanding DATA chunks have been2626* received by the SHUTDOWN sender.2627*/2628sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,2629SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));26302631out:2632return disposition;2633}26342635/*2636* sctp_sf_do_9_2_shut_ctsn2637*2638* Once an endpoint has reached the SHUTDOWN-RECEIVED state,2639* it MUST NOT send a SHUTDOWN in response to a ULP request.2640* The Cumulative TSN Ack of the received SHUTDOWN chunk2641* MUST be processed.2642*/2643sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep,2644const struct sctp_association *asoc,2645const sctp_subtype_t type,2646void *arg,2647sctp_cmd_seq_t *commands)2648{2649struct sctp_chunk *chunk = arg;2650sctp_shutdownhdr_t *sdh;2651__u32 ctsn;26522653if (!sctp_vtag_verify(chunk, asoc))2654return sctp_sf_pdiscard(ep, asoc, type, arg, commands);26552656/* Make sure that the SHUTDOWN chunk has a valid length. */2657if (!sctp_chunk_length_valid(chunk,2658sizeof(struct sctp_shutdown_chunk_t)))2659return sctp_sf_violation_chunklen(ep, asoc, type, arg,2660commands);26612662sdh = (sctp_shutdownhdr_t *)chunk->skb->data;2663ctsn = ntohl(sdh->cum_tsn_ack);26642665if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {2666SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);2667SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);2668return SCTP_DISPOSITION_DISCARD;2669}26702671/* If Cumulative TSN Ack beyond the max tsn currently2672* send, terminating the association and respond to the2673* sender with an ABORT.2674*/2675if (!TSN_lt(ctsn, asoc->next_tsn))2676return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);26772678/* verify, by checking the Cumulative TSN Ack field of the2679* chunk, that all its outstanding DATA chunks have been2680* received by the SHUTDOWN sender.2681*/2682sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,2683SCTP_BE32(sdh->cum_tsn_ack));26842685return SCTP_DISPOSITION_CONSUME;2686}26872688/* RFC 2960 9.22689* If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk2690* (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination2691* transport addresses (either in the IP addresses or in the INIT chunk)2692* that belong to this association, it should discard the INIT chunk and2693* retransmit the SHUTDOWN ACK chunk.2694*/2695sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep,2696const struct sctp_association *asoc,2697const sctp_subtype_t type,2698void *arg,2699sctp_cmd_seq_t *commands)2700{2701struct sctp_chunk *chunk = (struct sctp_chunk *) arg;2702struct sctp_chunk *reply;27032704/* Make sure that the chunk has a valid length */2705if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))2706return sctp_sf_violation_chunklen(ep, asoc, type, arg,2707commands);27082709/* Since we are not going to really process this INIT, there2710* is no point in verifying chunk boundries. Just generate2711* the SHUTDOWN ACK.2712*/2713reply = sctp_make_shutdown_ack(asoc, chunk);2714if (NULL == reply)2715goto nomem;27162717/* Set the transport for the SHUTDOWN ACK chunk and the timeout for2718* the T2-SHUTDOWN timer.2719*/2720sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));27212722/* and restart the T2-shutdown timer. */2723sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,2724SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));27252726sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));27272728return SCTP_DISPOSITION_CONSUME;2729nomem:2730return SCTP_DISPOSITION_NOMEM;2731}27322733/*2734* sctp_sf_do_ecn_cwr2735*2736* Section: Appendix A: Explicit Congestion Notification2737*2738* CWR:2739*2740* RFC 2481 details a specific bit for a sender to send in the header of2741* its next outbound TCP segment to indicate to its peer that it has2742* reduced its congestion window. This is termed the CWR bit. For2743* SCTP the same indication is made by including the CWR chunk.2744* This chunk contains one data element, i.e. the TSN number that2745* was sent in the ECNE chunk. This element represents the lowest2746* TSN number in the datagram that was originally marked with the2747* CE bit.2748*2749* Verification Tag: 8.5 Verification Tag [Normal verification]2750* Inputs2751* (endpoint, asoc, chunk)2752*2753* Outputs2754* (asoc, reply_msg, msg_up, timers, counters)2755*2756* The return value is the disposition of the chunk.2757*/2758sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,2759const struct sctp_association *asoc,2760const sctp_subtype_t type,2761void *arg,2762sctp_cmd_seq_t *commands)2763{2764sctp_cwrhdr_t *cwr;2765struct sctp_chunk *chunk = arg;2766u32 lowest_tsn;27672768if (!sctp_vtag_verify(chunk, asoc))2769return sctp_sf_pdiscard(ep, asoc, type, arg, commands);27702771if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))2772return sctp_sf_violation_chunklen(ep, asoc, type, arg,2773commands);27742775cwr = (sctp_cwrhdr_t *) chunk->skb->data;2776skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));27772778lowest_tsn = ntohl(cwr->lowest_tsn);27792780/* Does this CWR ack the last sent congestion notification? */2781if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {2782/* Stop sending ECNE. */2783sctp_add_cmd_sf(commands,2784SCTP_CMD_ECN_CWR,2785SCTP_U32(lowest_tsn));2786}2787return SCTP_DISPOSITION_CONSUME;2788}27892790/*2791* sctp_sf_do_ecne2792*2793* Section: Appendix A: Explicit Congestion Notification2794*2795* ECN-Echo2796*2797* RFC 2481 details a specific bit for a receiver to send back in its2798* TCP acknowledgements to notify the sender of the Congestion2799* Experienced (CE) bit having arrived from the network. For SCTP this2800* same indication is made by including the ECNE chunk. This chunk2801* contains one data element, i.e. the lowest TSN associated with the IP2802* datagram marked with the CE bit.....2803*2804* Verification Tag: 8.5 Verification Tag [Normal verification]2805* Inputs2806* (endpoint, asoc, chunk)2807*2808* Outputs2809* (asoc, reply_msg, msg_up, timers, counters)2810*2811* The return value is the disposition of the chunk.2812*/2813sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,2814const struct sctp_association *asoc,2815const sctp_subtype_t type,2816void *arg,2817sctp_cmd_seq_t *commands)2818{2819sctp_ecnehdr_t *ecne;2820struct sctp_chunk *chunk = arg;28212822if (!sctp_vtag_verify(chunk, asoc))2823return sctp_sf_pdiscard(ep, asoc, type, arg, commands);28242825if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))2826return sctp_sf_violation_chunklen(ep, asoc, type, arg,2827commands);28282829ecne = (sctp_ecnehdr_t *) chunk->skb->data;2830skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));28312832/* If this is a newer ECNE than the last CWR packet we sent out */2833sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,2834SCTP_U32(ntohl(ecne->lowest_tsn)));28352836return SCTP_DISPOSITION_CONSUME;2837}28382839/*2840* Section: 6.2 Acknowledgement on Reception of DATA Chunks2841*2842* The SCTP endpoint MUST always acknowledge the reception of each valid2843* DATA chunk.2844*2845* The guidelines on delayed acknowledgement algorithm specified in2846* Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an2847* acknowledgement SHOULD be generated for at least every second packet2848* (not every second DATA chunk) received, and SHOULD be generated within2849* 200 ms of the arrival of any unacknowledged DATA chunk. In some2850* situations it may be beneficial for an SCTP transmitter to be more2851* conservative than the algorithms detailed in this document allow.2852* However, an SCTP transmitter MUST NOT be more aggressive than the2853* following algorithms allow.2854*2855* A SCTP receiver MUST NOT generate more than one SACK for every2856* incoming packet, other than to update the offered window as the2857* receiving application consumes new data.2858*2859* Verification Tag: 8.5 Verification Tag [Normal verification]2860*2861* Inputs2862* (endpoint, asoc, chunk)2863*2864* Outputs2865* (asoc, reply_msg, msg_up, timers, counters)2866*2867* The return value is the disposition of the chunk.2868*/2869sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,2870const struct sctp_association *asoc,2871const sctp_subtype_t type,2872void *arg,2873sctp_cmd_seq_t *commands)2874{2875struct sctp_chunk *chunk = arg;2876sctp_arg_t force = SCTP_NOFORCE();2877int error;28782879if (!sctp_vtag_verify(chunk, asoc)) {2880sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,2881SCTP_NULL());2882return sctp_sf_pdiscard(ep, asoc, type, arg, commands);2883}28842885if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))2886return sctp_sf_violation_chunklen(ep, asoc, type, arg,2887commands);28882889error = sctp_eat_data(asoc, chunk, commands );2890switch (error) {2891case SCTP_IERROR_NO_ERROR:2892break;2893case SCTP_IERROR_HIGH_TSN:2894case SCTP_IERROR_BAD_STREAM:2895SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);2896goto discard_noforce;2897case SCTP_IERROR_DUP_TSN:2898case SCTP_IERROR_IGNORE_TSN:2899SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);2900goto discard_force;2901case SCTP_IERROR_NO_DATA:2902goto consume;2903case SCTP_IERROR_PROTO_VIOLATION:2904return sctp_sf_abort_violation(ep, asoc, chunk, commands,2905(u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));2906default:2907BUG();2908}29092910if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)2911force = SCTP_FORCE();29122913if (asoc->autoclose) {2914sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,2915SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));2916}29172918/* If this is the last chunk in a packet, we need to count it2919* toward sack generation. Note that we need to SACK every2920* OTHER packet containing data chunks, EVEN IF WE DISCARD2921* THEM. We elect to NOT generate SACK's if the chunk fails2922* the verification tag test.2923*2924* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks2925*2926* The SCTP endpoint MUST always acknowledge the reception of2927* each valid DATA chunk.2928*2929* The guidelines on delayed acknowledgement algorithm2930* specified in Section 4.2 of [RFC2581] SHOULD be followed.2931* Specifically, an acknowledgement SHOULD be generated for at2932* least every second packet (not every second DATA chunk)2933* received, and SHOULD be generated within 200 ms of the2934* arrival of any unacknowledged DATA chunk. In some2935* situations it may be beneficial for an SCTP transmitter to2936* be more conservative than the algorithms detailed in this2937* document allow. However, an SCTP transmitter MUST NOT be2938* more aggressive than the following algorithms allow.2939*/2940if (chunk->end_of_packet)2941sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);29422943return SCTP_DISPOSITION_CONSUME;29442945discard_force:2946/* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks2947*2948* When a packet arrives with duplicate DATA chunk(s) and with2949* no new DATA chunk(s), the endpoint MUST immediately send a2950* SACK with no delay. If a packet arrives with duplicate2951* DATA chunk(s) bundled with new DATA chunks, the endpoint2952* MAY immediately send a SACK. Normally receipt of duplicate2953* DATA chunks will occur when the original SACK chunk was lost2954* and the peer's RTO has expired. The duplicate TSN number(s)2955* SHOULD be reported in the SACK as duplicate.2956*/2957/* In our case, we split the MAY SACK advice up whether or not2958* the last chunk is a duplicate.'2959*/2960if (chunk->end_of_packet)2961sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());2962return SCTP_DISPOSITION_DISCARD;29632964discard_noforce:2965if (chunk->end_of_packet)2966sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);29672968return SCTP_DISPOSITION_DISCARD;2969consume:2970return SCTP_DISPOSITION_CONSUME;29712972}29732974/*2975* sctp_sf_eat_data_fast_4_42976*2977* Section: 4 (4)2978* (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received2979* DATA chunks without delay.2980*2981* Verification Tag: 8.5 Verification Tag [Normal verification]2982* Inputs2983* (endpoint, asoc, chunk)2984*2985* Outputs2986* (asoc, reply_msg, msg_up, timers, counters)2987*2988* The return value is the disposition of the chunk.2989*/2990sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,2991const struct sctp_association *asoc,2992const sctp_subtype_t type,2993void *arg,2994sctp_cmd_seq_t *commands)2995{2996struct sctp_chunk *chunk = arg;2997int error;29982999if (!sctp_vtag_verify(chunk, asoc)) {3000sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,3001SCTP_NULL());3002return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3003}30043005if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))3006return sctp_sf_violation_chunklen(ep, asoc, type, arg,3007commands);30083009error = sctp_eat_data(asoc, chunk, commands );3010switch (error) {3011case SCTP_IERROR_NO_ERROR:3012case SCTP_IERROR_HIGH_TSN:3013case SCTP_IERROR_DUP_TSN:3014case SCTP_IERROR_IGNORE_TSN:3015case SCTP_IERROR_BAD_STREAM:3016break;3017case SCTP_IERROR_NO_DATA:3018goto consume;3019case SCTP_IERROR_PROTO_VIOLATION:3020return sctp_sf_abort_violation(ep, asoc, chunk, commands,3021(u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));3022default:3023BUG();3024}30253026/* Go a head and force a SACK, since we are shutting down. */30273028/* Implementor's Guide.3029*3030* While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately3031* respond to each received packet containing one or more DATA chunk(s)3032* with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer3033*/3034if (chunk->end_of_packet) {3035/* We must delay the chunk creation since the cumulative3036* TSN has not been updated yet.3037*/3038sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());3039sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());3040sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,3041SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));3042}30433044consume:3045return SCTP_DISPOSITION_CONSUME;3046}30473048/*3049* Section: 6.2 Processing a Received SACK3050* D) Any time a SACK arrives, the endpoint performs the following:3051*3052* i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,3053* then drop the SACK. Since Cumulative TSN Ack is monotonically3054* increasing, a SACK whose Cumulative TSN Ack is less than the3055* Cumulative TSN Ack Point indicates an out-of-order SACK.3056*3057* ii) Set rwnd equal to the newly received a_rwnd minus the number3058* of bytes still outstanding after processing the Cumulative TSN Ack3059* and the Gap Ack Blocks.3060*3061* iii) If the SACK is missing a TSN that was previously3062* acknowledged via a Gap Ack Block (e.g., the data receiver3063* reneged on the data), then mark the corresponding DATA chunk3064* as available for retransmit: Mark it as missing for fast3065* retransmit as described in Section 7.2.4 and if no retransmit3066* timer is running for the destination address to which the DATA3067* chunk was originally transmitted, then T3-rtx is started for3068* that destination address.3069*3070* Verification Tag: 8.5 Verification Tag [Normal verification]3071*3072* Inputs3073* (endpoint, asoc, chunk)3074*3075* Outputs3076* (asoc, reply_msg, msg_up, timers, counters)3077*3078* The return value is the disposition of the chunk.3079*/3080sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,3081const struct sctp_association *asoc,3082const sctp_subtype_t type,3083void *arg,3084sctp_cmd_seq_t *commands)3085{3086struct sctp_chunk *chunk = arg;3087sctp_sackhdr_t *sackh;3088__u32 ctsn;30893090if (!sctp_vtag_verify(chunk, asoc))3091return sctp_sf_pdiscard(ep, asoc, type, arg, commands);30923093/* Make sure that the SACK chunk has a valid length. */3094if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))3095return sctp_sf_violation_chunklen(ep, asoc, type, arg,3096commands);30973098/* Pull the SACK chunk from the data buffer */3099sackh = sctp_sm_pull_sack(chunk);3100/* Was this a bogus SACK? */3101if (!sackh)3102return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3103chunk->subh.sack_hdr = sackh;3104ctsn = ntohl(sackh->cum_tsn_ack);31053106/* i) If Cumulative TSN Ack is less than the Cumulative TSN3107* Ack Point, then drop the SACK. Since Cumulative TSN3108* Ack is monotonically increasing, a SACK whose3109* Cumulative TSN Ack is less than the Cumulative TSN Ack3110* Point indicates an out-of-order SACK.3111*/3112if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {3113SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);3114SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);3115return SCTP_DISPOSITION_DISCARD;3116}31173118/* If Cumulative TSN Ack beyond the max tsn currently3119* send, terminating the association and respond to the3120* sender with an ABORT.3121*/3122if (!TSN_lt(ctsn, asoc->next_tsn))3123return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);31243125/* Return this SACK for further processing. */3126sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh));31273128/* Note: We do the rest of the work on the PROCESS_SACK3129* sideeffect.3130*/3131return SCTP_DISPOSITION_CONSUME;3132}31333134/*3135* Generate an ABORT in response to a packet.3136*3137* Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.413138*3139* 8) The receiver should respond to the sender of the OOTB packet with3140* an ABORT. When sending the ABORT, the receiver of the OOTB packet3141* MUST fill in the Verification Tag field of the outbound packet3142* with the value found in the Verification Tag field of the OOTB3143* packet and set the T-bit in the Chunk Flags to indicate that the3144* Verification Tag is reflected. After sending this ABORT, the3145* receiver of the OOTB packet shall discard the OOTB packet and take3146* no further action.3147*3148* Verification Tag:3149*3150* The return value is the disposition of the chunk.3151*/3152static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,3153const struct sctp_association *asoc,3154const sctp_subtype_t type,3155void *arg,3156sctp_cmd_seq_t *commands)3157{3158struct sctp_packet *packet = NULL;3159struct sctp_chunk *chunk = arg;3160struct sctp_chunk *abort;31613162packet = sctp_ootb_pkt_new(asoc, chunk);31633164if (packet) {3165/* Make an ABORT. The T bit will be set if the asoc3166* is NULL.3167*/3168abort = sctp_make_abort(asoc, chunk, 0);3169if (!abort) {3170sctp_ootb_pkt_free(packet);3171return SCTP_DISPOSITION_NOMEM;3172}31733174/* Reflect vtag if T-Bit is set */3175if (sctp_test_T_bit(abort))3176packet->vtag = ntohl(chunk->sctp_hdr->vtag);31773178/* Set the skb to the belonging sock for accounting. */3179abort->skb->sk = ep->base.sk;31803181sctp_packet_append_chunk(packet, abort);31823183sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,3184SCTP_PACKET(packet));31853186SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);31873188sctp_sf_pdiscard(ep, asoc, type, arg, commands);3189return SCTP_DISPOSITION_CONSUME;3190}31913192return SCTP_DISPOSITION_NOMEM;3193}31943195/*3196* Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR3197* event as ULP notification for each cause included in the chunk.3198*3199* API 5.3.1.3 - SCTP_REMOTE_ERROR3200*3201* The return value is the disposition of the chunk.3202*/3203sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,3204const struct sctp_association *asoc,3205const sctp_subtype_t type,3206void *arg,3207sctp_cmd_seq_t *commands)3208{3209struct sctp_chunk *chunk = arg;3210sctp_errhdr_t *err;32113212if (!sctp_vtag_verify(chunk, asoc))3213return sctp_sf_pdiscard(ep, asoc, type, arg, commands);32143215/* Make sure that the ERROR chunk has a valid length. */3216if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))3217return sctp_sf_violation_chunklen(ep, asoc, type, arg,3218commands);3219sctp_walk_errors(err, chunk->chunk_hdr);3220if ((void *)err != (void *)chunk->chunk_end)3221return sctp_sf_violation_paramlen(ep, asoc, type, arg,3222(void *)err, commands);32233224sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,3225SCTP_CHUNK(chunk));32263227return SCTP_DISPOSITION_CONSUME;3228}32293230/*3231* Process an inbound SHUTDOWN ACK.3232*3233* From Section 9.2:3234* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall3235* stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its3236* peer, and remove all record of the association.3237*3238* The return value is the disposition.3239*/3240sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,3241const struct sctp_association *asoc,3242const sctp_subtype_t type,3243void *arg,3244sctp_cmd_seq_t *commands)3245{3246struct sctp_chunk *chunk = arg;3247struct sctp_chunk *reply;3248struct sctp_ulpevent *ev;32493250if (!sctp_vtag_verify(chunk, asoc))3251return sctp_sf_pdiscard(ep, asoc, type, arg, commands);32523253/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */3254if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))3255return sctp_sf_violation_chunklen(ep, asoc, type, arg,3256commands);3257/* 10.2 H) SHUTDOWN COMPLETE notification3258*3259* When SCTP completes the shutdown procedures (section 9.2) this3260* notification is passed to the upper layer.3261*/3262ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,32630, 0, 0, NULL, GFP_ATOMIC);3264if (!ev)3265goto nomem;32663267/* ...send a SHUTDOWN COMPLETE chunk to its peer, */3268reply = sctp_make_shutdown_complete(asoc, chunk);3269if (!reply)3270goto nomem_chunk;32713272/* Do all the commands now (after allocation), so that we3273* have consistent state if memory allocation failes3274*/3275sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));32763277/* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall3278* stop the T2-shutdown timer,3279*/3280sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,3281SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));32823283sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,3284SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));32853286sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,3287SCTP_STATE(SCTP_STATE_CLOSED));3288SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);3289SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);3290sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));32913292/* ...and remove all record of the association. */3293sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());3294return SCTP_DISPOSITION_DELETE_TCB;32953296nomem_chunk:3297sctp_ulpevent_free(ev);3298nomem:3299return SCTP_DISPOSITION_NOMEM;3300}33013302/*3303* RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.3304*3305* 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should3306* respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.3307* When sending the SHUTDOWN COMPLETE, the receiver of the OOTB3308* packet must fill in the Verification Tag field of the outbound3309* packet with the Verification Tag received in the SHUTDOWN ACK and3310* set the T-bit in the Chunk Flags to indicate that the Verification3311* Tag is reflected.3312*3313* 8) The receiver should respond to the sender of the OOTB packet with3314* an ABORT. When sending the ABORT, the receiver of the OOTB packet3315* MUST fill in the Verification Tag field of the outbound packet3316* with the value found in the Verification Tag field of the OOTB3317* packet and set the T-bit in the Chunk Flags to indicate that the3318* Verification Tag is reflected. After sending this ABORT, the3319* receiver of the OOTB packet shall discard the OOTB packet and take3320* no further action.3321*/3322sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,3323const struct sctp_association *asoc,3324const sctp_subtype_t type,3325void *arg,3326sctp_cmd_seq_t *commands)3327{3328struct sctp_chunk *chunk = arg;3329struct sk_buff *skb = chunk->skb;3330sctp_chunkhdr_t *ch;3331sctp_errhdr_t *err;3332__u8 *ch_end;3333int ootb_shut_ack = 0;3334int ootb_cookie_ack = 0;33353336SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);33373338ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;3339do {3340/* Report violation if the chunk is less then minimal */3341if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))3342return sctp_sf_violation_chunklen(ep, asoc, type, arg,3343commands);33443345/* Now that we know we at least have a chunk header,3346* do things that are type appropriate.3347*/3348if (SCTP_CID_SHUTDOWN_ACK == ch->type)3349ootb_shut_ack = 1;33503351/* RFC 2960, Section 3.3.73352* Moreover, under any circumstances, an endpoint that3353* receives an ABORT MUST NOT respond to that ABORT by3354* sending an ABORT of its own.3355*/3356if (SCTP_CID_ABORT == ch->type)3357return sctp_sf_pdiscard(ep, asoc, type, arg, commands);33583359/* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR3360* or a COOKIE ACK the SCTP Packet should be silently3361* discarded.3362*/33633364if (SCTP_CID_COOKIE_ACK == ch->type)3365ootb_cookie_ack = 1;33663367if (SCTP_CID_ERROR == ch->type) {3368sctp_walk_errors(err, ch) {3369if (SCTP_ERROR_STALE_COOKIE == err->cause) {3370ootb_cookie_ack = 1;3371break;3372}3373}3374}33753376/* Report violation if chunk len overflows */3377ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));3378if (ch_end > skb_tail_pointer(skb))3379return sctp_sf_violation_chunklen(ep, asoc, type, arg,3380commands);33813382ch = (sctp_chunkhdr_t *) ch_end;3383} while (ch_end < skb_tail_pointer(skb));33843385if (ootb_shut_ack)3386return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);3387else if (ootb_cookie_ack)3388return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3389else3390return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);3391}33923393/*3394* Handle an "Out of the blue" SHUTDOWN ACK.3395*3396* Section: 8.4 5, sctpimpguide 2.41.3397*3398* 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should3399* respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.3400* When sending the SHUTDOWN COMPLETE, the receiver of the OOTB3401* packet must fill in the Verification Tag field of the outbound3402* packet with the Verification Tag received in the SHUTDOWN ACK and3403* set the T-bit in the Chunk Flags to indicate that the Verification3404* Tag is reflected.3405*3406* Inputs3407* (endpoint, asoc, type, arg, commands)3408*3409* Outputs3410* (sctp_disposition_t)3411*3412* The return value is the disposition of the chunk.3413*/3414static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,3415const struct sctp_association *asoc,3416const sctp_subtype_t type,3417void *arg,3418sctp_cmd_seq_t *commands)3419{3420struct sctp_packet *packet = NULL;3421struct sctp_chunk *chunk = arg;3422struct sctp_chunk *shut;34233424packet = sctp_ootb_pkt_new(asoc, chunk);34253426if (packet) {3427/* Make an SHUTDOWN_COMPLETE.3428* The T bit will be set if the asoc is NULL.3429*/3430shut = sctp_make_shutdown_complete(asoc, chunk);3431if (!shut) {3432sctp_ootb_pkt_free(packet);3433return SCTP_DISPOSITION_NOMEM;3434}34353436/* Reflect vtag if T-Bit is set */3437if (sctp_test_T_bit(shut))3438packet->vtag = ntohl(chunk->sctp_hdr->vtag);34393440/* Set the skb to the belonging sock for accounting. */3441shut->skb->sk = ep->base.sk;34423443sctp_packet_append_chunk(packet, shut);34443445sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,3446SCTP_PACKET(packet));34473448SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);34493450/* If the chunk length is invalid, we don't want to process3451* the reset of the packet.3452*/3453if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))3454return sctp_sf_pdiscard(ep, asoc, type, arg, commands);34553456/* We need to discard the rest of the packet to prevent3457* potential bomming attacks from additional bundled chunks.3458* This is documented in SCTP Threats ID.3459*/3460return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3461}34623463return SCTP_DISPOSITION_NOMEM;3464}34653466/*3467* Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.3468*3469* Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK3470* If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the3471* procedures in section 8.4 SHOULD be followed, in other words it3472* should be treated as an Out Of The Blue packet.3473* [This means that we do NOT check the Verification Tag on these3474* chunks. --piggy ]3475*3476*/3477sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep,3478const struct sctp_association *asoc,3479const sctp_subtype_t type,3480void *arg,3481sctp_cmd_seq_t *commands)3482{3483struct sctp_chunk *chunk = arg;34843485/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */3486if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))3487return sctp_sf_violation_chunklen(ep, asoc, type, arg,3488commands);34893490/* Although we do have an association in this case, it corresponds3491* to a restarted association. So the packet is treated as an OOTB3492* packet and the state function that handles OOTB SHUTDOWN_ACK is3493* called with a NULL association.3494*/3495SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);34963497return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands);3498}34993500/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */3501sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep,3502const struct sctp_association *asoc,3503const sctp_subtype_t type, void *arg,3504sctp_cmd_seq_t *commands)3505{3506struct sctp_chunk *chunk = arg;3507struct sctp_chunk *asconf_ack = NULL;3508struct sctp_paramhdr *err_param = NULL;3509sctp_addiphdr_t *hdr;3510union sctp_addr_param *addr_param;3511__u32 serial;3512int length;35133514if (!sctp_vtag_verify(chunk, asoc)) {3515sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,3516SCTP_NULL());3517return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3518}35193520/* ADD-IP: Section 4.1.13521* This chunk MUST be sent in an authenticated way by using3522* the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk3523* is received unauthenticated it MUST be silently discarded as3524* described in [I-D.ietf-tsvwg-sctp-auth].3525*/3526if (!sctp_addip_noauth && !chunk->auth)3527return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);35283529/* Make sure that the ASCONF ADDIP chunk has a valid length. */3530if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))3531return sctp_sf_violation_chunklen(ep, asoc, type, arg,3532commands);35333534hdr = (sctp_addiphdr_t *)chunk->skb->data;3535serial = ntohl(hdr->serial);35363537addr_param = (union sctp_addr_param *)hdr->params;3538length = ntohs(addr_param->p.length);3539if (length < sizeof(sctp_paramhdr_t))3540return sctp_sf_violation_paramlen(ep, asoc, type, arg,3541(void *)addr_param, commands);35423543/* Verify the ASCONF chunk before processing it. */3544if (!sctp_verify_asconf(asoc,3545(sctp_paramhdr_t *)((void *)addr_param + length),3546(void *)chunk->chunk_end,3547&err_param))3548return sctp_sf_violation_paramlen(ep, asoc, type, arg,3549(void *)err_param, commands);35503551/* ADDIP 5.2 E1) Compare the value of the serial number to the value3552* the endpoint stored in a new association variable3553* 'Peer-Serial-Number'.3554*/3555if (serial == asoc->peer.addip_serial + 1) {3556/* If this is the first instance of ASCONF in the packet,3557* we can clean our old ASCONF-ACKs.3558*/3559if (!chunk->has_asconf)3560sctp_assoc_clean_asconf_ack_cache(asoc);35613562/* ADDIP 5.2 E4) When the Sequence Number matches the next one3563* expected, process the ASCONF as described below and after3564* processing the ASCONF Chunk, append an ASCONF-ACK Chunk to3565* the response packet and cache a copy of it (in the event it3566* later needs to be retransmitted).3567*3568* Essentially, do V1-V5.3569*/3570asconf_ack = sctp_process_asconf((struct sctp_association *)3571asoc, chunk);3572if (!asconf_ack)3573return SCTP_DISPOSITION_NOMEM;3574} else if (serial < asoc->peer.addip_serial + 1) {3575/* ADDIP 5.2 E2)3576* If the value found in the Sequence Number is less than the3577* ('Peer- Sequence-Number' + 1), simply skip to the next3578* ASCONF, and include in the outbound response packet3579* any previously cached ASCONF-ACK response that was3580* sent and saved that matches the Sequence Number of the3581* ASCONF. Note: It is possible that no cached ASCONF-ACK3582* Chunk exists. This will occur when an older ASCONF3583* arrives out of order. In such a case, the receiver3584* should skip the ASCONF Chunk and not include ASCONF-ACK3585* Chunk for that chunk.3586*/3587asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);3588if (!asconf_ack)3589return SCTP_DISPOSITION_DISCARD;35903591/* Reset the transport so that we select the correct one3592* this time around. This is to make sure that we don't3593* accidentally use a stale transport that's been removed.3594*/3595asconf_ack->transport = NULL;3596} else {3597/* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since3598* it must be either a stale packet or from an attacker.3599*/3600return SCTP_DISPOSITION_DISCARD;3601}36023603/* ADDIP 5.2 E6) The destination address of the SCTP packet3604* containing the ASCONF-ACK Chunks MUST be the source address of3605* the SCTP packet that held the ASCONF Chunks.3606*3607* To do this properly, we'll set the destination address of the chunk3608* and at the transmit time, will try look up the transport to use.3609* Since ASCONFs may be bundled, the correct transport may not be3610* created until we process the entire packet, thus this workaround.3611*/3612asconf_ack->dest = chunk->source;3613sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));36143615return SCTP_DISPOSITION_CONSUME;3616}36173618/*3619* ADDIP Section 4.3 General rules for address manipulation3620* When building TLV parameters for the ASCONF Chunk that will add or3621* delete IP addresses the D0 to D13 rules should be applied:3622*/3623sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,3624const struct sctp_association *asoc,3625const sctp_subtype_t type, void *arg,3626sctp_cmd_seq_t *commands)3627{3628struct sctp_chunk *asconf_ack = arg;3629struct sctp_chunk *last_asconf = asoc->addip_last_asconf;3630struct sctp_chunk *abort;3631struct sctp_paramhdr *err_param = NULL;3632sctp_addiphdr_t *addip_hdr;3633__u32 sent_serial, rcvd_serial;36343635if (!sctp_vtag_verify(asconf_ack, asoc)) {3636sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,3637SCTP_NULL());3638return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3639}36403641/* ADD-IP, Section 4.1.2:3642* This chunk MUST be sent in an authenticated way by using3643* the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk3644* is received unauthenticated it MUST be silently discarded as3645* described in [I-D.ietf-tsvwg-sctp-auth].3646*/3647if (!sctp_addip_noauth && !asconf_ack->auth)3648return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);36493650/* Make sure that the ADDIP chunk has a valid length. */3651if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))3652return sctp_sf_violation_chunklen(ep, asoc, type, arg,3653commands);36543655addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;3656rcvd_serial = ntohl(addip_hdr->serial);36573658/* Verify the ASCONF-ACK chunk before processing it. */3659if (!sctp_verify_asconf(asoc,3660(sctp_paramhdr_t *)addip_hdr->params,3661(void *)asconf_ack->chunk_end,3662&err_param))3663return sctp_sf_violation_paramlen(ep, asoc, type, arg,3664(void *)err_param, commands);36653666if (last_asconf) {3667addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;3668sent_serial = ntohl(addip_hdr->serial);3669} else {3670sent_serial = asoc->addip_serial - 1;3671}36723673/* D0) If an endpoint receives an ASCONF-ACK that is greater than or3674* equal to the next serial number to be used but no ASCONF chunk is3675* outstanding the endpoint MUST ABORT the association. Note that a3676* sequence number is greater than if it is no more than 2^^31-13677* larger than the current sequence number (using serial arithmetic).3678*/3679if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&3680!(asoc->addip_last_asconf)) {3681abort = sctp_make_abort(asoc, asconf_ack,3682sizeof(sctp_errhdr_t));3683if (abort) {3684sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);3685sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,3686SCTP_CHUNK(abort));3687}3688/* We are going to ABORT, so we might as well stop3689* processing the rest of the chunks in the packet.3690*/3691sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,3692SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));3693sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());3694sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,3695SCTP_ERROR(ECONNABORTED));3696sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,3697SCTP_PERR(SCTP_ERROR_ASCONF_ACK));3698SCTP_INC_STATS(SCTP_MIB_ABORTEDS);3699SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);3700return SCTP_DISPOSITION_ABORT;3701}37023703if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {3704sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,3705SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));37063707if (!sctp_process_asconf_ack((struct sctp_association *)asoc,3708asconf_ack)) {3709/* Successfully processed ASCONF_ACK. We can3710* release the next asconf if we have one.3711*/3712sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,3713SCTP_NULL());3714return SCTP_DISPOSITION_CONSUME;3715}37163717abort = sctp_make_abort(asoc, asconf_ack,3718sizeof(sctp_errhdr_t));3719if (abort) {3720sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);3721sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,3722SCTP_CHUNK(abort));3723}3724/* We are going to ABORT, so we might as well stop3725* processing the rest of the chunks in the packet.3726*/3727sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());3728sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,3729SCTP_ERROR(ECONNABORTED));3730sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,3731SCTP_PERR(SCTP_ERROR_ASCONF_ACK));3732SCTP_INC_STATS(SCTP_MIB_ABORTEDS);3733SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);3734return SCTP_DISPOSITION_ABORT;3735}37363737return SCTP_DISPOSITION_DISCARD;3738}37393740/*3741* PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP3742*3743* When a FORWARD TSN chunk arrives, the data receiver MUST first update3744* its cumulative TSN point to the value carried in the FORWARD TSN3745* chunk, and then MUST further advance its cumulative TSN point locally3746* if possible.3747* After the above processing, the data receiver MUST stop reporting any3748* missing TSNs earlier than or equal to the new cumulative TSN point.3749*3750* Verification Tag: 8.5 Verification Tag [Normal verification]3751*3752* The return value is the disposition of the chunk.3753*/3754sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,3755const struct sctp_association *asoc,3756const sctp_subtype_t type,3757void *arg,3758sctp_cmd_seq_t *commands)3759{3760struct sctp_chunk *chunk = arg;3761struct sctp_fwdtsn_hdr *fwdtsn_hdr;3762struct sctp_fwdtsn_skip *skip;3763__u16 len;3764__u32 tsn;37653766if (!sctp_vtag_verify(chunk, asoc)) {3767sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,3768SCTP_NULL());3769return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3770}37713772/* Make sure that the FORWARD_TSN chunk has valid length. */3773if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))3774return sctp_sf_violation_chunklen(ep, asoc, type, arg,3775commands);37763777fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;3778chunk->subh.fwdtsn_hdr = fwdtsn_hdr;3779len = ntohs(chunk->chunk_hdr->length);3780len -= sizeof(struct sctp_chunkhdr);3781skb_pull(chunk->skb, len);37823783tsn = ntohl(fwdtsn_hdr->new_cum_tsn);3784SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);37853786/* The TSN is too high--silently discard the chunk and count on it3787* getting retransmitted later.3788*/3789if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)3790goto discard_noforce;37913792/* Silently discard the chunk if stream-id is not valid */3793sctp_walk_fwdtsn(skip, chunk) {3794if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)3795goto discard_noforce;3796}37973798sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));3799if (len > sizeof(struct sctp_fwdtsn_hdr))3800sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,3801SCTP_CHUNK(chunk));38023803/* Count this as receiving DATA. */3804if (asoc->autoclose) {3805sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,3806SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));3807}38083809/* FIXME: For now send a SACK, but DATA processing may3810* send another.3811*/3812sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());38133814return SCTP_DISPOSITION_CONSUME;38153816discard_noforce:3817return SCTP_DISPOSITION_DISCARD;3818}38193820sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(3821const struct sctp_endpoint *ep,3822const struct sctp_association *asoc,3823const sctp_subtype_t type,3824void *arg,3825sctp_cmd_seq_t *commands)3826{3827struct sctp_chunk *chunk = arg;3828struct sctp_fwdtsn_hdr *fwdtsn_hdr;3829struct sctp_fwdtsn_skip *skip;3830__u16 len;3831__u32 tsn;38323833if (!sctp_vtag_verify(chunk, asoc)) {3834sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,3835SCTP_NULL());3836return sctp_sf_pdiscard(ep, asoc, type, arg, commands);3837}38383839/* Make sure that the FORWARD_TSN chunk has a valid length. */3840if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))3841return sctp_sf_violation_chunklen(ep, asoc, type, arg,3842commands);38433844fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;3845chunk->subh.fwdtsn_hdr = fwdtsn_hdr;3846len = ntohs(chunk->chunk_hdr->length);3847len -= sizeof(struct sctp_chunkhdr);3848skb_pull(chunk->skb, len);38493850tsn = ntohl(fwdtsn_hdr->new_cum_tsn);3851SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);38523853/* The TSN is too high--silently discard the chunk and count on it3854* getting retransmitted later.3855*/3856if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)3857goto gen_shutdown;38583859/* Silently discard the chunk if stream-id is not valid */3860sctp_walk_fwdtsn(skip, chunk) {3861if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)3862goto gen_shutdown;3863}38643865sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));3866if (len > sizeof(struct sctp_fwdtsn_hdr))3867sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,3868SCTP_CHUNK(chunk));38693870/* Go a head and force a SACK, since we are shutting down. */3871gen_shutdown:3872/* Implementor's Guide.3873*3874* While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately3875* respond to each received packet containing one or more DATA chunk(s)3876* with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer3877*/3878sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());3879sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());3880sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,3881SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));38823883return SCTP_DISPOSITION_CONSUME;3884}38853886/*3887* SCTP-AUTH Section 6.3 Receiving authenticated chukns3888*3889* The receiver MUST use the HMAC algorithm indicated in the HMAC3890* Identifier field. If this algorithm was not specified by the3891* receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk3892* during association setup, the AUTH chunk and all chunks after it MUST3893* be discarded and an ERROR chunk SHOULD be sent with the error cause3894* defined in Section 4.1.3895*3896* If an endpoint with no shared key receives a Shared Key Identifier3897* other than 0, it MUST silently discard all authenticated chunks. If3898* the endpoint has at least one endpoint pair shared key for the peer,3899* it MUST use the key specified by the Shared Key Identifier if a3900* key has been configured for that Shared Key Identifier. If no3901* endpoint pair shared key has been configured for that Shared Key3902* Identifier, all authenticated chunks MUST be silently discarded.3903*3904* Verification Tag: 8.5 Verification Tag [Normal verification]3905*3906* The return value is the disposition of the chunk.3907*/3908static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,3909const struct sctp_association *asoc,3910const sctp_subtype_t type,3911struct sctp_chunk *chunk)3912{3913struct sctp_authhdr *auth_hdr;3914struct sctp_hmac *hmac;3915unsigned int sig_len;3916__u16 key_id;3917__u8 *save_digest;3918__u8 *digest;39193920/* Pull in the auth header, so we can do some more verification */3921auth_hdr = (struct sctp_authhdr *)chunk->skb->data;3922chunk->subh.auth_hdr = auth_hdr;3923skb_pull(chunk->skb, sizeof(struct sctp_authhdr));39243925/* Make sure that we suport the HMAC algorithm from the auth3926* chunk.3927*/3928if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))3929return SCTP_IERROR_AUTH_BAD_HMAC;39303931/* Make sure that the provided shared key identifier has been3932* configured3933*/3934key_id = ntohs(auth_hdr->shkey_id);3935if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))3936return SCTP_IERROR_AUTH_BAD_KEYID;393739383939/* Make sure that the length of the signature matches what3940* we expect.3941*/3942sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);3943hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));3944if (sig_len != hmac->hmac_len)3945return SCTP_IERROR_PROTO_VIOLATION;39463947/* Now that we've done validation checks, we can compute and3948* verify the hmac. The steps involved are:3949* 1. Save the digest from the chunk.3950* 2. Zero out the digest in the chunk.3951* 3. Compute the new digest3952* 4. Compare saved and new digests.3953*/3954digest = auth_hdr->hmac;3955skb_pull(chunk->skb, sig_len);39563957save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);3958if (!save_digest)3959goto nomem;39603961memset(digest, 0, sig_len);39623963sctp_auth_calculate_hmac(asoc, chunk->skb,3964(struct sctp_auth_chunk *)chunk->chunk_hdr,3965GFP_ATOMIC);39663967/* Discard the packet if the digests do not match */3968if (memcmp(save_digest, digest, sig_len)) {3969kfree(save_digest);3970return SCTP_IERROR_BAD_SIG;3971}39723973kfree(save_digest);3974chunk->auth = 1;39753976return SCTP_IERROR_NO_ERROR;3977nomem:3978return SCTP_IERROR_NOMEM;3979}39803981sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep,3982const struct sctp_association *asoc,3983const sctp_subtype_t type,3984void *arg,3985sctp_cmd_seq_t *commands)3986{3987struct sctp_authhdr *auth_hdr;3988struct sctp_chunk *chunk = arg;3989struct sctp_chunk *err_chunk;3990sctp_ierror_t error;39913992/* Make sure that the peer has AUTH capable */3993if (!asoc->peer.auth_capable)3994return sctp_sf_unk_chunk(ep, asoc, type, arg, commands);39953996if (!sctp_vtag_verify(chunk, asoc)) {3997sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,3998SCTP_NULL());3999return sctp_sf_pdiscard(ep, asoc, type, arg, commands);4000}40014002/* Make sure that the AUTH chunk has valid length. */4003if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))4004return sctp_sf_violation_chunklen(ep, asoc, type, arg,4005commands);40064007auth_hdr = (struct sctp_authhdr *)chunk->skb->data;4008error = sctp_sf_authenticate(ep, asoc, type, chunk);4009switch (error) {4010case SCTP_IERROR_AUTH_BAD_HMAC:4011/* Generate the ERROR chunk and discard the rest4012* of the packet4013*/4014err_chunk = sctp_make_op_error(asoc, chunk,4015SCTP_ERROR_UNSUP_HMAC,4016&auth_hdr->hmac_id,4017sizeof(__u16), 0);4018if (err_chunk) {4019sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,4020SCTP_CHUNK(err_chunk));4021}4022/* Fall Through */4023case SCTP_IERROR_AUTH_BAD_KEYID:4024case SCTP_IERROR_BAD_SIG:4025return sctp_sf_pdiscard(ep, asoc, type, arg, commands);4026break;4027case SCTP_IERROR_PROTO_VIOLATION:4028return sctp_sf_violation_chunklen(ep, asoc, type, arg,4029commands);4030break;4031case SCTP_IERROR_NOMEM:4032return SCTP_DISPOSITION_NOMEM;4033default:4034break;4035}40364037if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {4038struct sctp_ulpevent *ev;40394040ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),4041SCTP_AUTH_NEWKEY, GFP_ATOMIC);40424043if (!ev)4044return -ENOMEM;40454046sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,4047SCTP_ULPEVENT(ev));4048}40494050return SCTP_DISPOSITION_CONSUME;4051}40524053/*4054* Process an unknown chunk.4055*4056* Section: 3.2. Also, 2.1 in the implementor's guide.4057*4058* Chunk Types are encoded such that the highest-order two bits specify4059* the action that must be taken if the processing endpoint does not4060* recognize the Chunk Type.4061*4062* 00 - Stop processing this SCTP packet and discard it, do not process4063* any further chunks within it.4064*4065* 01 - Stop processing this SCTP packet and discard it, do not process4066* any further chunks within it, and report the unrecognized4067* chunk in an 'Unrecognized Chunk Type'.4068*4069* 10 - Skip this chunk and continue processing.4070*4071* 11 - Skip this chunk and continue processing, but report in an ERROR4072* Chunk using the 'Unrecognized Chunk Type' cause of error.4073*4074* The return value is the disposition of the chunk.4075*/4076sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,4077const struct sctp_association *asoc,4078const sctp_subtype_t type,4079void *arg,4080sctp_cmd_seq_t *commands)4081{4082struct sctp_chunk *unk_chunk = arg;4083struct sctp_chunk *err_chunk;4084sctp_chunkhdr_t *hdr;40854086SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);40874088if (!sctp_vtag_verify(unk_chunk, asoc))4089return sctp_sf_pdiscard(ep, asoc, type, arg, commands);40904091/* Make sure that the chunk has a valid length.4092* Since we don't know the chunk type, we use a general4093* chunkhdr structure to make a comparison.4094*/4095if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))4096return sctp_sf_violation_chunklen(ep, asoc, type, arg,4097commands);40984099switch (type.chunk & SCTP_CID_ACTION_MASK) {4100case SCTP_CID_ACTION_DISCARD:4101/* Discard the packet. */4102return sctp_sf_pdiscard(ep, asoc, type, arg, commands);4103break;4104case SCTP_CID_ACTION_DISCARD_ERR:4105/* Generate an ERROR chunk as response. */4106hdr = unk_chunk->chunk_hdr;4107err_chunk = sctp_make_op_error(asoc, unk_chunk,4108SCTP_ERROR_UNKNOWN_CHUNK, hdr,4109WORD_ROUND(ntohs(hdr->length)),41100);4111if (err_chunk) {4112sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,4113SCTP_CHUNK(err_chunk));4114}41154116/* Discard the packet. */4117sctp_sf_pdiscard(ep, asoc, type, arg, commands);4118return SCTP_DISPOSITION_CONSUME;4119break;4120case SCTP_CID_ACTION_SKIP:4121/* Skip the chunk. */4122return SCTP_DISPOSITION_DISCARD;4123break;4124case SCTP_CID_ACTION_SKIP_ERR:4125/* Generate an ERROR chunk as response. */4126hdr = unk_chunk->chunk_hdr;4127err_chunk = sctp_make_op_error(asoc, unk_chunk,4128SCTP_ERROR_UNKNOWN_CHUNK, hdr,4129WORD_ROUND(ntohs(hdr->length)),41300);4131if (err_chunk) {4132sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,4133SCTP_CHUNK(err_chunk));4134}4135/* Skip the chunk. */4136return SCTP_DISPOSITION_CONSUME;4137break;4138default:4139break;4140}41414142return SCTP_DISPOSITION_DISCARD;4143}41444145/*4146* Discard the chunk.4147*4148* Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.24149* [Too numerous to mention...]4150* Verification Tag: No verification needed.4151* Inputs4152* (endpoint, asoc, chunk)4153*4154* Outputs4155* (asoc, reply_msg, msg_up, timers, counters)4156*4157* The return value is the disposition of the chunk.4158*/4159sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep,4160const struct sctp_association *asoc,4161const sctp_subtype_t type,4162void *arg,4163sctp_cmd_seq_t *commands)4164{4165struct sctp_chunk *chunk = arg;41664167/* Make sure that the chunk has a valid length.4168* Since we don't know the chunk type, we use a general4169* chunkhdr structure to make a comparison.4170*/4171if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))4172return sctp_sf_violation_chunklen(ep, asoc, type, arg,4173commands);41744175SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);4176return SCTP_DISPOSITION_DISCARD;4177}41784179/*4180* Discard the whole packet.4181*4182* Section: 8.4 2)4183*4184* 2) If the OOTB packet contains an ABORT chunk, the receiver MUST4185* silently discard the OOTB packet and take no further action.4186*4187* Verification Tag: No verification necessary4188*4189* Inputs4190* (endpoint, asoc, chunk)4191*4192* Outputs4193* (asoc, reply_msg, msg_up, timers, counters)4194*4195* The return value is the disposition of the chunk.4196*/4197sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep,4198const struct sctp_association *asoc,4199const sctp_subtype_t type,4200void *arg,4201sctp_cmd_seq_t *commands)4202{4203SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS);4204sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());42054206return SCTP_DISPOSITION_CONSUME;4207}420842094210/*4211* The other end is violating protocol.4212*4213* Section: Not specified4214* Verification Tag: Not specified4215* Inputs4216* (endpoint, asoc, chunk)4217*4218* Outputs4219* (asoc, reply_msg, msg_up, timers, counters)4220*4221* We simply tag the chunk as a violation. The state machine will log4222* the violation and continue.4223*/4224sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep,4225const struct sctp_association *asoc,4226const sctp_subtype_t type,4227void *arg,4228sctp_cmd_seq_t *commands)4229{4230struct sctp_chunk *chunk = arg;42314232/* Make sure that the chunk has a valid length. */4233if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))4234return sctp_sf_violation_chunklen(ep, asoc, type, arg,4235commands);42364237return SCTP_DISPOSITION_VIOLATION;4238}42394240/*4241* Common function to handle a protocol violation.4242*/4243static sctp_disposition_t sctp_sf_abort_violation(4244const struct sctp_endpoint *ep,4245const struct sctp_association *asoc,4246void *arg,4247sctp_cmd_seq_t *commands,4248const __u8 *payload,4249const size_t paylen)4250{4251struct sctp_packet *packet = NULL;4252struct sctp_chunk *chunk = arg;4253struct sctp_chunk *abort = NULL;42544255/* SCTP-AUTH, Section 6.3:4256* It should be noted that if the receiver wants to tear4257* down an association in an authenticated way only, the4258* handling of malformed packets should not result in4259* tearing down the association.4260*4261* This means that if we only want to abort associations4262* in an authenticated way (i.e AUTH+ABORT), then we4263* can't destroy this association just because the packet4264* was malformed.4265*/4266if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))4267goto discard;42684269/* Make the abort chunk. */4270abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);4271if (!abort)4272goto nomem;42734274if (asoc) {4275/* Treat INIT-ACK as a special case during COOKIE-WAIT. */4276if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&4277!asoc->peer.i.init_tag) {4278sctp_initack_chunk_t *initack;42794280initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;4281if (!sctp_chunk_length_valid(chunk,4282sizeof(sctp_initack_chunk_t)))4283abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;4284else {4285unsigned int inittag;42864287inittag = ntohl(initack->init_hdr.init_tag);4288sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,4289SCTP_U32(inittag));4290}4291}42924293sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));4294SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);42954296if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {4297sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,4298SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));4299sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,4300SCTP_ERROR(ECONNREFUSED));4301sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,4302SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));4303} else {4304sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,4305SCTP_ERROR(ECONNABORTED));4306sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,4307SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));4308SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);4309}4310} else {4311packet = sctp_ootb_pkt_new(asoc, chunk);43124313if (!packet)4314goto nomem_pkt;43154316if (sctp_test_T_bit(abort))4317packet->vtag = ntohl(chunk->sctp_hdr->vtag);43184319abort->skb->sk = ep->base.sk;43204321sctp_packet_append_chunk(packet, abort);43224323sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,4324SCTP_PACKET(packet));43254326SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);4327}43284329SCTP_INC_STATS(SCTP_MIB_ABORTEDS);43304331discard:4332sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);4333return SCTP_DISPOSITION_ABORT;43344335nomem_pkt:4336sctp_chunk_free(abort);4337nomem:4338return SCTP_DISPOSITION_NOMEM;4339}43404341/*4342* Handle a protocol violation when the chunk length is invalid.4343* "Invalid" length is identified as smaller than the minimal length a4344* given chunk can be. For example, a SACK chunk has invalid length4345* if its length is set to be smaller than the size of sctp_sack_chunk_t.4346*4347* We inform the other end by sending an ABORT with a Protocol Violation4348* error code.4349*4350* Section: Not specified4351* Verification Tag: Nothing to do4352* Inputs4353* (endpoint, asoc, chunk)4354*4355* Outputs4356* (reply_msg, msg_up, counters)4357*4358* Generate an ABORT chunk and terminate the association.4359*/4360static sctp_disposition_t sctp_sf_violation_chunklen(4361const struct sctp_endpoint *ep,4362const struct sctp_association *asoc,4363const sctp_subtype_t type,4364void *arg,4365sctp_cmd_seq_t *commands)4366{4367static const char err_str[]="The following chunk had invalid length:";43684369return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,4370sizeof(err_str));4371}43724373/*4374* Handle a protocol violation when the parameter length is invalid.4375* If the length is smaller than the minimum length of a given parameter,4376* or accumulated length in multi parameters exceeds the end of the chunk,4377* the length is considered as invalid.4378*/4379static sctp_disposition_t sctp_sf_violation_paramlen(4380const struct sctp_endpoint *ep,4381const struct sctp_association *asoc,4382const sctp_subtype_t type,4383void *arg, void *ext,4384sctp_cmd_seq_t *commands)4385{4386struct sctp_chunk *chunk = arg;4387struct sctp_paramhdr *param = ext;4388struct sctp_chunk *abort = NULL;43894390if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))4391goto discard;43924393/* Make the abort chunk. */4394abort = sctp_make_violation_paramlen(asoc, chunk, param);4395if (!abort)4396goto nomem;43974398sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));4399SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);44004401sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,4402SCTP_ERROR(ECONNABORTED));4403sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,4404SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));4405SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);4406SCTP_INC_STATS(SCTP_MIB_ABORTEDS);44074408discard:4409sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);4410return SCTP_DISPOSITION_ABORT;4411nomem:4412return SCTP_DISPOSITION_NOMEM;4413}44144415/* Handle a protocol violation when the peer trying to advance the4416* cumulative tsn ack to a point beyond the max tsn currently sent.4417*4418* We inform the other end by sending an ABORT with a Protocol Violation4419* error code.4420*/4421static sctp_disposition_t sctp_sf_violation_ctsn(4422const struct sctp_endpoint *ep,4423const struct sctp_association *asoc,4424const sctp_subtype_t type,4425void *arg,4426sctp_cmd_seq_t *commands)4427{4428static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:";44294430return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,4431sizeof(err_str));4432}44334434/* Handle protocol violation of an invalid chunk bundling. For example,4435* when we have an association and we receive bundled INIT-ACK, or4436* SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"4437* statement from the specs. Additionally, there might be an attacker4438* on the path and we may not want to continue this communication.4439*/4440static sctp_disposition_t sctp_sf_violation_chunk(4441const struct sctp_endpoint *ep,4442const struct sctp_association *asoc,4443const sctp_subtype_t type,4444void *arg,4445sctp_cmd_seq_t *commands)4446{4447static const char err_str[]="The following chunk violates protocol:";44484449if (!asoc)4450return sctp_sf_violation(ep, asoc, type, arg, commands);44514452return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,4453sizeof(err_str));4454}4455/***************************************************************************4456* These are the state functions for handling primitive (Section 10) events.4457***************************************************************************/4458/*4459* sctp_sf_do_prm_asoc4460*4461* Section: 10.1 ULP-to-SCTP4462* B) Associate4463*4464* Format: ASSOCIATE(local SCTP instance name, destination transport addr,4465* outbound stream count)4466* -> association id [,destination transport addr list] [,outbound stream4467* count]4468*4469* This primitive allows the upper layer to initiate an association to a4470* specific peer endpoint.4471*4472* The peer endpoint shall be specified by one of the transport addresses4473* which defines the endpoint (see Section 1.4). If the local SCTP4474* instance has not been initialized, the ASSOCIATE is considered an4475* error.4476* [This is not relevant for the kernel implementation since we do all4477* initialization at boot time. It we hadn't initialized we wouldn't4478* get anywhere near this code.]4479*4480* An association id, which is a local handle to the SCTP association,4481* will be returned on successful establishment of the association. If4482* SCTP is not able to open an SCTP association with the peer endpoint,4483* an error is returned.4484* [In the kernel implementation, the struct sctp_association needs to4485* be created BEFORE causing this primitive to run.]4486*4487* Other association parameters may be returned, including the4488* complete destination transport addresses of the peer as well as the4489* outbound stream count of the local endpoint. One of the transport4490* address from the returned destination addresses will be selected by4491* the local endpoint as default primary path for sending SCTP packets4492* to this peer. The returned "destination transport addr list" can4493* be used by the ULP to change the default primary path or to force4494* sending a packet to a specific transport address. [All of this4495* stuff happens when the INIT ACK arrives. This is a NON-BLOCKING4496* function.]4497*4498* Mandatory attributes:4499*4500* o local SCTP instance name - obtained from the INITIALIZE operation.4501* [This is the argument asoc.]4502* o destination transport addr - specified as one of the transport4503* addresses of the peer endpoint with which the association is to be4504* established.4505* [This is asoc->peer.active_path.]4506* o outbound stream count - the number of outbound streams the ULP4507* would like to open towards this peer endpoint.4508* [BUG: This is not currently implemented.]4509* Optional attributes:4510*4511* None.4512*4513* The return value is a disposition.4514*/4515sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep,4516const struct sctp_association *asoc,4517const sctp_subtype_t type,4518void *arg,4519sctp_cmd_seq_t *commands)4520{4521struct sctp_chunk *repl;4522struct sctp_association* my_asoc;45234524/* The comment below says that we enter COOKIE-WAIT AFTER4525* sending the INIT, but that doesn't actually work in our4526* implementation...4527*/4528sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,4529SCTP_STATE(SCTP_STATE_COOKIE_WAIT));45304531/* RFC 2960 5.1 Normal Establishment of an Association4532*4533* A) "A" first sends an INIT chunk to "Z". In the INIT, "A"4534* must provide its Verification Tag (Tag_A) in the Initiate4535* Tag field. Tag_A SHOULD be a random number in the range of4536* 1 to 4294967295 (see 5.3.1 for Tag value selection). ...4537*/45384539repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);4540if (!repl)4541goto nomem;45424543/* Cast away the const modifier, as we want to just4544* rerun it through as a sideffect.4545*/4546my_asoc = (struct sctp_association *)asoc;4547sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));45484549/* Choose transport for INIT. */4550sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,4551SCTP_CHUNK(repl));45524553/* After sending the INIT, "A" starts the T1-init timer and4554* enters the COOKIE-WAIT state.4555*/4556sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,4557SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));4558sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));4559return SCTP_DISPOSITION_CONSUME;45604561nomem:4562return SCTP_DISPOSITION_NOMEM;4563}45644565/*4566* Process the SEND primitive.4567*4568* Section: 10.1 ULP-to-SCTP4569* E) Send4570*4571* Format: SEND(association id, buffer address, byte count [,context]4572* [,stream id] [,life time] [,destination transport address]4573* [,unorder flag] [,no-bundle flag] [,payload protocol-id] )4574* -> result4575*4576* This is the main method to send user data via SCTP.4577*4578* Mandatory attributes:4579*4580* o association id - local handle to the SCTP association4581*4582* o buffer address - the location where the user message to be4583* transmitted is stored;4584*4585* o byte count - The size of the user data in number of bytes;4586*4587* Optional attributes:4588*4589* o context - an optional 32 bit integer that will be carried in the4590* sending failure notification to the ULP if the transportation of4591* this User Message fails.4592*4593* o stream id - to indicate which stream to send the data on. If not4594* specified, stream 0 will be used.4595*4596* o life time - specifies the life time of the user data. The user data4597* will not be sent by SCTP after the life time expires. This4598* parameter can be used to avoid efforts to transmit stale4599* user messages. SCTP notifies the ULP if the data cannot be4600* initiated to transport (i.e. sent to the destination via SCTP's4601* send primitive) within the life time variable. However, the4602* user data will be transmitted if SCTP has attempted to transmit a4603* chunk before the life time expired.4604*4605* o destination transport address - specified as one of the destination4606* transport addresses of the peer endpoint to which this packet4607* should be sent. Whenever possible, SCTP should use this destination4608* transport address for sending the packets, instead of the current4609* primary path.4610*4611* o unorder flag - this flag, if present, indicates that the user4612* would like the data delivered in an unordered fashion to the peer4613* (i.e., the U flag is set to 1 on all DATA chunks carrying this4614* message).4615*4616* o no-bundle flag - instructs SCTP not to bundle this user data with4617* other outbound DATA chunks. SCTP MAY still bundle even when4618* this flag is present, when faced with network congestion.4619*4620* o payload protocol-id - A 32 bit unsigned integer that is to be4621* passed to the peer indicating the type of payload protocol data4622* being transmitted. This value is passed as opaque data by SCTP.4623*4624* The return value is the disposition.4625*/4626sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep,4627const struct sctp_association *asoc,4628const sctp_subtype_t type,4629void *arg,4630sctp_cmd_seq_t *commands)4631{4632struct sctp_datamsg *msg = arg;46334634sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));4635return SCTP_DISPOSITION_CONSUME;4636}46374638/*4639* Process the SHUTDOWN primitive.4640*4641* Section: 10.1:4642* C) Shutdown4643*4644* Format: SHUTDOWN(association id)4645* -> result4646*4647* Gracefully closes an association. Any locally queued user data4648* will be delivered to the peer. The association will be terminated only4649* after the peer acknowledges all the SCTP packets sent. A success code4650* will be returned on successful termination of the association. If4651* attempting to terminate the association results in a failure, an error4652* code shall be returned.4653*4654* Mandatory attributes:4655*4656* o association id - local handle to the SCTP association4657*4658* Optional attributes:4659*4660* None.4661*4662* The return value is the disposition.4663*/4664sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(4665const struct sctp_endpoint *ep,4666const struct sctp_association *asoc,4667const sctp_subtype_t type,4668void *arg,4669sctp_cmd_seq_t *commands)4670{4671int disposition;46724673/* From 9.2 Shutdown of an Association4674* Upon receipt of the SHUTDOWN primitive from its upper4675* layer, the endpoint enters SHUTDOWN-PENDING state and4676* remains there until all outstanding data has been4677* acknowledged by its peer. The endpoint accepts no new data4678* from its upper layer, but retransmits data to the far end4679* if necessary to fill gaps.4680*/4681sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,4682SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));46834684disposition = SCTP_DISPOSITION_CONSUME;4685if (sctp_outq_is_empty(&asoc->outqueue)) {4686disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,4687arg, commands);4688}4689return disposition;4690}46914692/*4693* Process the ABORT primitive.4694*4695* Section: 10.1:4696* C) Abort4697*4698* Format: Abort(association id [, cause code])4699* -> result4700*4701* Ungracefully closes an association. Any locally queued user data4702* will be discarded and an ABORT chunk is sent to the peer. A success code4703* will be returned on successful abortion of the association. If4704* attempting to abort the association results in a failure, an error4705* code shall be returned.4706*4707* Mandatory attributes:4708*4709* o association id - local handle to the SCTP association4710*4711* Optional attributes:4712*4713* o cause code - reason of the abort to be passed to the peer4714*4715* None.4716*4717* The return value is the disposition.4718*/4719sctp_disposition_t sctp_sf_do_9_1_prm_abort(4720const struct sctp_endpoint *ep,4721const struct sctp_association *asoc,4722const sctp_subtype_t type,4723void *arg,4724sctp_cmd_seq_t *commands)4725{4726/* From 9.1 Abort of an Association4727* Upon receipt of the ABORT primitive from its upper4728* layer, the endpoint enters CLOSED state and4729* discard all outstanding data has been4730* acknowledged by its peer. The endpoint accepts no new data4731* from its upper layer, but retransmits data to the far end4732* if necessary to fill gaps.4733*/4734struct sctp_chunk *abort = arg;4735sctp_disposition_t retval;47364737retval = SCTP_DISPOSITION_CONSUME;47384739sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));47404741/* Even if we can't send the ABORT due to low memory delete the4742* TCB. This is a departure from our typical NOMEM handling.4743*/47444745sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,4746SCTP_ERROR(ECONNABORTED));4747/* Delete the established association. */4748sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,4749SCTP_PERR(SCTP_ERROR_USER_ABORT));47504751SCTP_INC_STATS(SCTP_MIB_ABORTEDS);4752SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);47534754return retval;4755}47564757/* We tried an illegal operation on an association which is closed. */4758sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep,4759const struct sctp_association *asoc,4760const sctp_subtype_t type,4761void *arg,4762sctp_cmd_seq_t *commands)4763{4764sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));4765return SCTP_DISPOSITION_CONSUME;4766}47674768/* We tried an illegal operation on an association which is shutting4769* down.4770*/4771sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep,4772const struct sctp_association *asoc,4773const sctp_subtype_t type,4774void *arg,4775sctp_cmd_seq_t *commands)4776{4777sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,4778SCTP_ERROR(-ESHUTDOWN));4779return SCTP_DISPOSITION_CONSUME;4780}47814782/*4783* sctp_cookie_wait_prm_shutdown4784*4785* Section: 4 Note: 24786* Verification Tag:4787* Inputs4788* (endpoint, asoc)4789*4790* The RFC does not explicitly address this issue, but is the route through the4791* state table when someone issues a shutdown while in COOKIE_WAIT state.4792*4793* Outputs4794* (timers)4795*/4796sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(4797const struct sctp_endpoint *ep,4798const struct sctp_association *asoc,4799const sctp_subtype_t type,4800void *arg,4801sctp_cmd_seq_t *commands)4802{4803sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,4804SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));48054806sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,4807SCTP_STATE(SCTP_STATE_CLOSED));48084809SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);48104811sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());48124813return SCTP_DISPOSITION_DELETE_TCB;4814}48154816/*4817* sctp_cookie_echoed_prm_shutdown4818*4819* Section: 4 Note: 24820* Verification Tag:4821* Inputs4822* (endpoint, asoc)4823*4824* The RFC does not explcitly address this issue, but is the route through the4825* state table when someone issues a shutdown while in COOKIE_ECHOED state.4826*4827* Outputs4828* (timers)4829*/4830sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(4831const struct sctp_endpoint *ep,4832const struct sctp_association *asoc,4833const sctp_subtype_t type,4834void *arg, sctp_cmd_seq_t *commands)4835{4836/* There is a single T1 timer, so we should be able to use4837* common function with the COOKIE-WAIT state.4838*/4839return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands);4840}48414842/*4843* sctp_sf_cookie_wait_prm_abort4844*4845* Section: 4 Note: 24846* Verification Tag:4847* Inputs4848* (endpoint, asoc)4849*4850* The RFC does not explicitly address this issue, but is the route through the4851* state table when someone issues an abort while in COOKIE_WAIT state.4852*4853* Outputs4854* (timers)4855*/4856sctp_disposition_t sctp_sf_cookie_wait_prm_abort(4857const struct sctp_endpoint *ep,4858const struct sctp_association *asoc,4859const sctp_subtype_t type,4860void *arg,4861sctp_cmd_seq_t *commands)4862{4863struct sctp_chunk *abort = arg;4864sctp_disposition_t retval;48654866/* Stop T1-init timer */4867sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,4868SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));4869retval = SCTP_DISPOSITION_CONSUME;48704871sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));48724873sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,4874SCTP_STATE(SCTP_STATE_CLOSED));48754876SCTP_INC_STATS(SCTP_MIB_ABORTEDS);48774878/* Even if we can't send the ABORT due to low memory delete the4879* TCB. This is a departure from our typical NOMEM handling.4880*/48814882sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,4883SCTP_ERROR(ECONNREFUSED));4884/* Delete the established association. */4885sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,4886SCTP_PERR(SCTP_ERROR_USER_ABORT));48874888return retval;4889}48904891/*4892* sctp_sf_cookie_echoed_prm_abort4893*4894* Section: 4 Note: 34895* Verification Tag:4896* Inputs4897* (endpoint, asoc)4898*4899* The RFC does not explcitly address this issue, but is the route through the4900* state table when someone issues an abort while in COOKIE_ECHOED state.4901*4902* Outputs4903* (timers)4904*/4905sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(4906const struct sctp_endpoint *ep,4907const struct sctp_association *asoc,4908const sctp_subtype_t type,4909void *arg,4910sctp_cmd_seq_t *commands)4911{4912/* There is a single T1 timer, so we should be able to use4913* common function with the COOKIE-WAIT state.4914*/4915return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands);4916}49174918/*4919* sctp_sf_shutdown_pending_prm_abort4920*4921* Inputs4922* (endpoint, asoc)4923*4924* The RFC does not explicitly address this issue, but is the route through the4925* state table when someone issues an abort while in SHUTDOWN-PENDING state.4926*4927* Outputs4928* (timers)4929*/4930sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(4931const struct sctp_endpoint *ep,4932const struct sctp_association *asoc,4933const sctp_subtype_t type,4934void *arg,4935sctp_cmd_seq_t *commands)4936{4937/* Stop the T5-shutdown guard timer. */4938sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,4939SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));49404941return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);4942}49434944/*4945* sctp_sf_shutdown_sent_prm_abort4946*4947* Inputs4948* (endpoint, asoc)4949*4950* The RFC does not explicitly address this issue, but is the route through the4951* state table when someone issues an abort while in SHUTDOWN-SENT state.4952*4953* Outputs4954* (timers)4955*/4956sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(4957const struct sctp_endpoint *ep,4958const struct sctp_association *asoc,4959const sctp_subtype_t type,4960void *arg,4961sctp_cmd_seq_t *commands)4962{4963/* Stop the T2-shutdown timer. */4964sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,4965SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));49664967/* Stop the T5-shutdown guard timer. */4968sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,4969SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));49704971return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);4972}49734974/*4975* sctp_sf_cookie_echoed_prm_abort4976*4977* Inputs4978* (endpoint, asoc)4979*4980* The RFC does not explcitly address this issue, but is the route through the4981* state table when someone issues an abort while in COOKIE_ECHOED state.4982*4983* Outputs4984* (timers)4985*/4986sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(4987const struct sctp_endpoint *ep,4988const struct sctp_association *asoc,4989const sctp_subtype_t type,4990void *arg,4991sctp_cmd_seq_t *commands)4992{4993/* The same T2 timer, so we should be able to use4994* common function with the SHUTDOWN-SENT state.4995*/4996return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands);4997}49984999/*5000* Process the REQUESTHEARTBEAT primitive5001*5002* 10.1 ULP-to-SCTP5003* J) Request Heartbeat5004*5005* Format: REQUESTHEARTBEAT(association id, destination transport address)5006*5007* -> result5008*5009* Instructs the local endpoint to perform a HeartBeat on the specified5010* destination transport address of the given association. The returned5011* result should indicate whether the transmission of the HEARTBEAT5012* chunk to the destination address is successful.5013*5014* Mandatory attributes:5015*5016* o association id - local handle to the SCTP association5017*5018* o destination transport address - the transport address of the5019* association on which a heartbeat should be issued.5020*/5021sctp_disposition_t sctp_sf_do_prm_requestheartbeat(5022const struct sctp_endpoint *ep,5023const struct sctp_association *asoc,5024const sctp_subtype_t type,5025void *arg,5026sctp_cmd_seq_t *commands)5027{5028if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,5029(struct sctp_transport *)arg, commands))5030return SCTP_DISPOSITION_NOMEM;50315032/*5033* RFC 2960 (bis), section 8.35034*5035* D) Request an on-demand HEARTBEAT on a specific destination5036* transport address of a given association.5037*5038* The endpoint should increment the respective error counter of5039* the destination transport address each time a HEARTBEAT is sent5040* to that address and not acknowledged within one RTO.5041*5042*/5043sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,5044SCTP_TRANSPORT(arg));5045return SCTP_DISPOSITION_CONSUME;5046}50475048/*5049* ADDIP Section 4.1 ASCONF Chunk Procedures5050* When an endpoint has an ASCONF signaled change to be sent to the5051* remote endpoint it should do A1 to A95052*/5053sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep,5054const struct sctp_association *asoc,5055const sctp_subtype_t type,5056void *arg,5057sctp_cmd_seq_t *commands)5058{5059struct sctp_chunk *chunk = arg;50605061sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));5062sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,5063SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));5064sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));5065return SCTP_DISPOSITION_CONSUME;5066}50675068/*5069* Ignore the primitive event5070*5071* The return value is the disposition of the primitive.5072*/5073sctp_disposition_t sctp_sf_ignore_primitive(5074const struct sctp_endpoint *ep,5075const struct sctp_association *asoc,5076const sctp_subtype_t type,5077void *arg,5078sctp_cmd_seq_t *commands)5079{5080SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive);5081return SCTP_DISPOSITION_DISCARD;5082}50835084/***************************************************************************5085* These are the state functions for the OTHER events.5086***************************************************************************/50875088/*5089* When the SCTP stack has no more user data to send or retransmit, this5090* notification is given to the user. Also, at the time when a user app5091* subscribes to this event, if there is no data to be sent or5092* retransmit, the stack will immediately send up this notification.5093*/5094sctp_disposition_t sctp_sf_do_no_pending_tsn(5095const struct sctp_endpoint *ep,5096const struct sctp_association *asoc,5097const sctp_subtype_t type,5098void *arg,5099sctp_cmd_seq_t *commands)5100{5101struct sctp_ulpevent *event;51025103event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);5104if (!event)5105return SCTP_DISPOSITION_NOMEM;51065107sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));51085109return SCTP_DISPOSITION_CONSUME;5110}51115112/*5113* Start the shutdown negotiation.5114*5115* From Section 9.2:5116* Once all its outstanding data has been acknowledged, the endpoint5117* shall send a SHUTDOWN chunk to its peer including in the Cumulative5118* TSN Ack field the last sequential TSN it has received from the peer.5119* It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT5120* state. If the timer expires, the endpoint must re-send the SHUTDOWN5121* with the updated last sequential TSN received from its peer.5122*5123* The return value is the disposition.5124*/5125sctp_disposition_t sctp_sf_do_9_2_start_shutdown(5126const struct sctp_endpoint *ep,5127const struct sctp_association *asoc,5128const sctp_subtype_t type,5129void *arg,5130sctp_cmd_seq_t *commands)5131{5132struct sctp_chunk *reply;51335134/* Once all its outstanding data has been acknowledged, the5135* endpoint shall send a SHUTDOWN chunk to its peer including5136* in the Cumulative TSN Ack field the last sequential TSN it5137* has received from the peer.5138*/5139reply = sctp_make_shutdown(asoc, NULL);5140if (!reply)5141goto nomem;51425143/* Set the transport for the SHUTDOWN chunk and the timeout for the5144* T2-shutdown timer.5145*/5146sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));51475148/* It shall then start the T2-shutdown timer */5149sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,5150SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));51515152/* RFC 4960 Section 9.25153* The sender of the SHUTDOWN MAY also start an overall guard timer5154* 'T5-shutdown-guard' to bound the overall time for shutdown sequence.5155*/5156sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,5157SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));51585159if (asoc->autoclose)5160sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,5161SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));51625163/* and enter the SHUTDOWN-SENT state. */5164sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,5165SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));51665167/* sctp-implguide 2.10 Issues with Heartbeating and failover5168*5169* HEARTBEAT ... is discontinued after sending either SHUTDOWN5170* or SHUTDOWN-ACK.5171*/5172sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());51735174sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));51755176return SCTP_DISPOSITION_CONSUME;51775178nomem:5179return SCTP_DISPOSITION_NOMEM;5180}51815182/*5183* Generate a SHUTDOWN ACK now that everything is SACK'd.5184*5185* From Section 9.2:5186*5187* If it has no more outstanding DATA chunks, the SHUTDOWN receiver5188* shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,5189* entering the SHUTDOWN-ACK-SENT state. If the timer expires, the5190* endpoint must re-send the SHUTDOWN ACK.5191*5192* The return value is the disposition.5193*/5194sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(5195const struct sctp_endpoint *ep,5196const struct sctp_association *asoc,5197const sctp_subtype_t type,5198void *arg,5199sctp_cmd_seq_t *commands)5200{5201struct sctp_chunk *chunk = (struct sctp_chunk *) arg;5202struct sctp_chunk *reply;52035204/* There are 2 ways of getting here:5205* 1) called in response to a SHUTDOWN chunk5206* 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.5207*5208* For the case (2), the arg parameter is set to NULL. We need5209* to check that we have a chunk before accessing it's fields.5210*/5211if (chunk) {5212if (!sctp_vtag_verify(chunk, asoc))5213return sctp_sf_pdiscard(ep, asoc, type, arg, commands);52145215/* Make sure that the SHUTDOWN chunk has a valid length. */5216if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t)))5217return sctp_sf_violation_chunklen(ep, asoc, type, arg,5218commands);5219}52205221/* If it has no more outstanding DATA chunks, the SHUTDOWN receiver5222* shall send a SHUTDOWN ACK ...5223*/5224reply = sctp_make_shutdown_ack(asoc, chunk);5225if (!reply)5226goto nomem;52275228/* Set the transport for the SHUTDOWN ACK chunk and the timeout for5229* the T2-shutdown timer.5230*/5231sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));52325233/* and start/restart a T2-shutdown timer of its own, */5234sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,5235SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));52365237if (asoc->autoclose)5238sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,5239SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));52405241/* Enter the SHUTDOWN-ACK-SENT state. */5242sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,5243SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));52445245/* sctp-implguide 2.10 Issues with Heartbeating and failover5246*5247* HEARTBEAT ... is discontinued after sending either SHUTDOWN5248* or SHUTDOWN-ACK.5249*/5250sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());52515252sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));52535254return SCTP_DISPOSITION_CONSUME;52555256nomem:5257return SCTP_DISPOSITION_NOMEM;5258}52595260/*5261* Ignore the event defined as other5262*5263* The return value is the disposition of the event.5264*/5265sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep,5266const struct sctp_association *asoc,5267const sctp_subtype_t type,5268void *arg,5269sctp_cmd_seq_t *commands)5270{5271SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other);5272return SCTP_DISPOSITION_DISCARD;5273}52745275/************************************************************5276* These are the state functions for handling timeout events.5277************************************************************/52785279/*5280* RTX Timeout5281*5282* Section: 6.3.3 Handle T3-rtx Expiration5283*5284* Whenever the retransmission timer T3-rtx expires for a destination5285* address, do the following:5286* [See below]5287*5288* The return value is the disposition of the chunk.5289*/5290sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,5291const struct sctp_association *asoc,5292const sctp_subtype_t type,5293void *arg,5294sctp_cmd_seq_t *commands)5295{5296struct sctp_transport *transport = arg;52975298SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS);52995300if (asoc->overall_error_count >= asoc->max_retrans) {5301if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {5302/*5303* We are here likely because the receiver had its rwnd5304* closed for a while and we have not been able to5305* transmit the locally queued data within the maximum5306* retransmission attempts limit. Start the T55307* shutdown guard timer to give the receiver one last5308* chance and some additional time to recover before5309* aborting.5310*/5311sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,5312SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));5313} else {5314sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,5315SCTP_ERROR(ETIMEDOUT));5316/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */5317sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,5318SCTP_PERR(SCTP_ERROR_NO_ERROR));5319SCTP_INC_STATS(SCTP_MIB_ABORTEDS);5320SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);5321return SCTP_DISPOSITION_DELETE_TCB;5322}5323}53245325/* E1) For the destination address for which the timer5326* expires, adjust its ssthresh with rules defined in Section5327* 7.2.3 and set the cwnd <- MTU.5328*/53295330/* E2) For the destination address for which the timer5331* expires, set RTO <- RTO * 2 ("back off the timer"). The5332* maximum value discussed in rule C7 above (RTO.max) may be5333* used to provide an upper bound to this doubling operation.5334*/53355336/* E3) Determine how many of the earliest (i.e., lowest TSN)5337* outstanding DATA chunks for the address for which the5338* T3-rtx has expired will fit into a single packet, subject5339* to the MTU constraint for the path corresponding to the5340* destination transport address to which the retransmission5341* is being sent (this may be different from the address for5342* which the timer expires [see Section 6.4]). Call this5343* value K. Bundle and retransmit those K DATA chunks in a5344* single packet to the destination endpoint.5345*5346* Note: Any DATA chunks that were sent to the address for5347* which the T3-rtx timer expired but did not fit in one MTU5348* (rule E3 above), should be marked for retransmission and5349* sent as soon as cwnd allows (normally when a SACK arrives).5350*/53515352/* Do some failure management (Section 8.2). */5353sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));53545355/* NB: Rules E4 and F1 are implicit in R1. */5356sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));53575358return SCTP_DISPOSITION_CONSUME;5359}53605361/*5362* Generate delayed SACK on timeout5363*5364* Section: 6.2 Acknowledgement on Reception of DATA Chunks5365*5366* The guidelines on delayed acknowledgement algorithm specified in5367* Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an5368* acknowledgement SHOULD be generated for at least every second packet5369* (not every second DATA chunk) received, and SHOULD be generated5370* within 200 ms of the arrival of any unacknowledged DATA chunk. In5371* some situations it may be beneficial for an SCTP transmitter to be5372* more conservative than the algorithms detailed in this document5373* allow. However, an SCTP transmitter MUST NOT be more aggressive than5374* the following algorithms allow.5375*/5376sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep,5377const struct sctp_association *asoc,5378const sctp_subtype_t type,5379void *arg,5380sctp_cmd_seq_t *commands)5381{5382SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS);5383sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());5384return SCTP_DISPOSITION_CONSUME;5385}53865387/*5388* sctp_sf_t1_init_timer_expire5389*5390* Section: 4 Note: 25391* Verification Tag:5392* Inputs5393* (endpoint, asoc)5394*5395* RFC 2960 Section 4 Notes5396* 2) If the T1-init timer expires, the endpoint MUST retransmit INIT5397* and re-start the T1-init timer without changing state. This MUST5398* be repeated up to 'Max.Init.Retransmits' times. After that, the5399* endpoint MUST abort the initialization process and report the5400* error to SCTP user.5401*5402* Outputs5403* (timers, events)5404*5405*/5406sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep,5407const struct sctp_association *asoc,5408const sctp_subtype_t type,5409void *arg,5410sctp_cmd_seq_t *commands)5411{5412struct sctp_chunk *repl = NULL;5413struct sctp_bind_addr *bp;5414int attempts = asoc->init_err_counter + 1;54155416SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n");5417SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS);54185419if (attempts <= asoc->max_init_attempts) {5420bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;5421repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);5422if (!repl)5423return SCTP_DISPOSITION_NOMEM;54245425/* Choose transport for INIT. */5426sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,5427SCTP_CHUNK(repl));54285429/* Issue a sideeffect to do the needed accounting. */5430sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,5431SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));54325433sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));5434} else {5435SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d"5436" max_init_attempts: %d\n",5437attempts, asoc->max_init_attempts);5438sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,5439SCTP_ERROR(ETIMEDOUT));5440sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,5441SCTP_PERR(SCTP_ERROR_NO_ERROR));5442return SCTP_DISPOSITION_DELETE_TCB;5443}54445445return SCTP_DISPOSITION_CONSUME;5446}54475448/*5449* sctp_sf_t1_cookie_timer_expire5450*5451* Section: 4 Note: 25452* Verification Tag:5453* Inputs5454* (endpoint, asoc)5455*5456* RFC 2960 Section 4 Notes5457* 3) If the T1-cookie timer expires, the endpoint MUST retransmit5458* COOKIE ECHO and re-start the T1-cookie timer without changing5459* state. This MUST be repeated up to 'Max.Init.Retransmits' times.5460* After that, the endpoint MUST abort the initialization process and5461* report the error to SCTP user.5462*5463* Outputs5464* (timers, events)5465*5466*/5467sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep,5468const struct sctp_association *asoc,5469const sctp_subtype_t type,5470void *arg,5471sctp_cmd_seq_t *commands)5472{5473struct sctp_chunk *repl = NULL;5474int attempts = asoc->init_err_counter + 1;54755476SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n");5477SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS);54785479if (attempts <= asoc->max_init_attempts) {5480repl = sctp_make_cookie_echo(asoc, NULL);5481if (!repl)5482return SCTP_DISPOSITION_NOMEM;54835484sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,5485SCTP_CHUNK(repl));5486/* Issue a sideeffect to do the needed accounting. */5487sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,5488SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));54895490sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));5491} else {5492sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,5493SCTP_ERROR(ETIMEDOUT));5494sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,5495SCTP_PERR(SCTP_ERROR_NO_ERROR));5496return SCTP_DISPOSITION_DELETE_TCB;5497}54985499return SCTP_DISPOSITION_CONSUME;5500}55015502/* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN5503* with the updated last sequential TSN received from its peer.5504*5505* An endpoint should limit the number of retransmissions of the5506* SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.5507* If this threshold is exceeded the endpoint should destroy the TCB and5508* MUST report the peer endpoint unreachable to the upper layer (and5509* thus the association enters the CLOSED state). The reception of any5510* packet from its peer (i.e. as the peer sends all of its queued DATA5511* chunks) should clear the endpoint's retransmission count and restart5512* the T2-Shutdown timer, giving its peer ample opportunity to transmit5513* all of its queued DATA chunks that have not yet been sent.5514*/5515sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep,5516const struct sctp_association *asoc,5517const sctp_subtype_t type,5518void *arg,5519sctp_cmd_seq_t *commands)5520{5521struct sctp_chunk *reply = NULL;55225523SCTP_DEBUG_PRINTK("Timer T2 expired.\n");5524SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS);55255526((struct sctp_association *)asoc)->shutdown_retries++;55275528if (asoc->overall_error_count >= asoc->max_retrans) {5529sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,5530SCTP_ERROR(ETIMEDOUT));5531/* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */5532sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,5533SCTP_PERR(SCTP_ERROR_NO_ERROR));5534SCTP_INC_STATS(SCTP_MIB_ABORTEDS);5535SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);5536return SCTP_DISPOSITION_DELETE_TCB;5537}55385539switch (asoc->state) {5540case SCTP_STATE_SHUTDOWN_SENT:5541reply = sctp_make_shutdown(asoc, NULL);5542break;55435544case SCTP_STATE_SHUTDOWN_ACK_SENT:5545reply = sctp_make_shutdown_ack(asoc, NULL);5546break;55475548default:5549BUG();5550break;5551}55525553if (!reply)5554goto nomem;55555556/* Do some failure management (Section 8.2).5557* If we remove the transport an SHUTDOWN was last sent to, don't5558* do failure management.5559*/5560if (asoc->shutdown_last_sent_to)5561sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,5562SCTP_TRANSPORT(asoc->shutdown_last_sent_to));55635564/* Set the transport for the SHUTDOWN/ACK chunk and the timeout for5565* the T2-shutdown timer.5566*/5567sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));55685569/* Restart the T2-shutdown timer. */5570sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,5571SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));5572sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));5573return SCTP_DISPOSITION_CONSUME;55745575nomem:5576return SCTP_DISPOSITION_NOMEM;5577}55785579/*5580* ADDIP Section 4.1 ASCONF CHunk Procedures5581* If the T4 RTO timer expires the endpoint should do B1 to B55582*/5583sctp_disposition_t sctp_sf_t4_timer_expire(5584const struct sctp_endpoint *ep,5585const struct sctp_association *asoc,5586const sctp_subtype_t type,5587void *arg,5588sctp_cmd_seq_t *commands)5589{5590struct sctp_chunk *chunk = asoc->addip_last_asconf;5591struct sctp_transport *transport = chunk->transport;55925593SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS);55945595/* ADDIP 4.1 B1) Increment the error counters and perform path failure5596* detection on the appropriate destination address as defined in5597* RFC2960 [5] section 8.1 and 8.2.5598*/5599if (transport)5600sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,5601SCTP_TRANSPORT(transport));56025603/* Reconfig T4 timer and transport. */5604sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));56055606/* ADDIP 4.1 B2) Increment the association error counters and perform5607* endpoint failure detection on the association as defined in5608* RFC2960 [5] section 8.1 and 8.2.5609* association error counter is incremented in SCTP_CMD_STRIKE.5610*/5611if (asoc->overall_error_count >= asoc->max_retrans) {5612sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,5613SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));5614sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,5615SCTP_ERROR(ETIMEDOUT));5616sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,5617SCTP_PERR(SCTP_ERROR_NO_ERROR));5618SCTP_INC_STATS(SCTP_MIB_ABORTEDS);5619SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);5620return SCTP_DISPOSITION_ABORT;5621}56225623/* ADDIP 4.1 B3) Back-off the destination address RTO value to which5624* the ASCONF chunk was sent by doubling the RTO timer value.5625* This is done in SCTP_CMD_STRIKE.5626*/56275628/* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible5629* choose an alternate destination address (please refer to RFC29605630* [5] section 6.4.1). An endpoint MUST NOT add new parameters to this5631* chunk, it MUST be the same (including its serial number) as the last5632* ASCONF sent.5633*/5634sctp_chunk_hold(asoc->addip_last_asconf);5635sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,5636SCTP_CHUNK(asoc->addip_last_asconf));56375638/* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different5639* destination is selected, then the RTO used will be that of the new5640* destination address.5641*/5642sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,5643SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));56445645return SCTP_DISPOSITION_CONSUME;5646}56475648/* sctpimpguide-05 Section 2.12.25649* The sender of the SHUTDOWN MAY also start an overall guard timer5650* 'T5-shutdown-guard' to bound the overall time for shutdown sequence.5651* At the expiration of this timer the sender SHOULD abort the association5652* by sending an ABORT chunk.5653*/5654sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep,5655const struct sctp_association *asoc,5656const sctp_subtype_t type,5657void *arg,5658sctp_cmd_seq_t *commands)5659{5660struct sctp_chunk *reply = NULL;56615662SCTP_DEBUG_PRINTK("Timer T5 expired.\n");5663SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);56645665reply = sctp_make_abort(asoc, NULL, 0);5666if (!reply)5667goto nomem;56685669sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));5670sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,5671SCTP_ERROR(ETIMEDOUT));5672sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,5673SCTP_PERR(SCTP_ERROR_NO_ERROR));56745675SCTP_INC_STATS(SCTP_MIB_ABORTEDS);5676SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);56775678return SCTP_DISPOSITION_DELETE_TCB;5679nomem:5680return SCTP_DISPOSITION_NOMEM;5681}56825683/* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,5684* the association is automatically closed by starting the shutdown process.5685* The work that needs to be done is same as when SHUTDOWN is initiated by5686* the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().5687*/5688sctp_disposition_t sctp_sf_autoclose_timer_expire(5689const struct sctp_endpoint *ep,5690const struct sctp_association *asoc,5691const sctp_subtype_t type,5692void *arg,5693sctp_cmd_seq_t *commands)5694{5695int disposition;56965697SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS);56985699/* From 9.2 Shutdown of an Association5700* Upon receipt of the SHUTDOWN primitive from its upper5701* layer, the endpoint enters SHUTDOWN-PENDING state and5702* remains there until all outstanding data has been5703* acknowledged by its peer. The endpoint accepts no new data5704* from its upper layer, but retransmits data to the far end5705* if necessary to fill gaps.5706*/5707sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,5708SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));57095710disposition = SCTP_DISPOSITION_CONSUME;5711if (sctp_outq_is_empty(&asoc->outqueue)) {5712disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,5713arg, commands);5714}5715return disposition;5716}57175718/*****************************************************************************5719* These are sa state functions which could apply to all types of events.5720****************************************************************************/57215722/*5723* This table entry is not implemented.5724*5725* Inputs5726* (endpoint, asoc, chunk)5727*5728* The return value is the disposition of the chunk.5729*/5730sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep,5731const struct sctp_association *asoc,5732const sctp_subtype_t type,5733void *arg,5734sctp_cmd_seq_t *commands)5735{5736return SCTP_DISPOSITION_NOT_IMPL;5737}57385739/*5740* This table entry represents a bug.5741*5742* Inputs5743* (endpoint, asoc, chunk)5744*5745* The return value is the disposition of the chunk.5746*/5747sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep,5748const struct sctp_association *asoc,5749const sctp_subtype_t type,5750void *arg,5751sctp_cmd_seq_t *commands)5752{5753return SCTP_DISPOSITION_BUG;5754}57555756/*5757* This table entry represents the firing of a timer in the wrong state.5758* Since timer deletion cannot be guaranteed a timer 'may' end up firing5759* when the association is in the wrong state. This event should5760* be ignored, so as to prevent any rearming of the timer.5761*5762* Inputs5763* (endpoint, asoc, chunk)5764*5765* The return value is the disposition of the chunk.5766*/5767sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep,5768const struct sctp_association *asoc,5769const sctp_subtype_t type,5770void *arg,5771sctp_cmd_seq_t *commands)5772{5773SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk);5774return SCTP_DISPOSITION_CONSUME;5775}57765777/********************************************************************5778* 2nd Level Abstractions5779********************************************************************/57805781/* Pull the SACK chunk based on the SACK header. */5782static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)5783{5784struct sctp_sackhdr *sack;5785unsigned int len;5786__u16 num_blocks;5787__u16 num_dup_tsns;57885789/* Protect ourselves from reading too far into5790* the skb from a bogus sender.5791*/5792sack = (struct sctp_sackhdr *) chunk->skb->data;57935794num_blocks = ntohs(sack->num_gap_ack_blocks);5795num_dup_tsns = ntohs(sack->num_dup_tsns);5796len = sizeof(struct sctp_sackhdr);5797len += (num_blocks + num_dup_tsns) * sizeof(__u32);5798if (len > chunk->skb->len)5799return NULL;58005801skb_pull(chunk->skb, len);58025803return sack;5804}58055806/* Create an ABORT packet to be sent as a response, with the specified5807* error causes.5808*/5809static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,5810const struct sctp_association *asoc,5811struct sctp_chunk *chunk,5812const void *payload,5813size_t paylen)5814{5815struct sctp_packet *packet;5816struct sctp_chunk *abort;58175818packet = sctp_ootb_pkt_new(asoc, chunk);58195820if (packet) {5821/* Make an ABORT.5822* The T bit will be set if the asoc is NULL.5823*/5824abort = sctp_make_abort(asoc, chunk, paylen);5825if (!abort) {5826sctp_ootb_pkt_free(packet);5827return NULL;5828}58295830/* Reflect vtag if T-Bit is set */5831if (sctp_test_T_bit(abort))5832packet->vtag = ntohl(chunk->sctp_hdr->vtag);58335834/* Add specified error causes, i.e., payload, to the5835* end of the chunk.5836*/5837sctp_addto_chunk(abort, paylen, payload);58385839/* Set the skb to the belonging sock for accounting. */5840abort->skb->sk = ep->base.sk;58415842sctp_packet_append_chunk(packet, abort);58435844}58455846return packet;5847}58485849/* Allocate a packet for responding in the OOTB conditions. */5850static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,5851const struct sctp_chunk *chunk)5852{5853struct sctp_packet *packet;5854struct sctp_transport *transport;5855__u16 sport;5856__u16 dport;5857__u32 vtag;58585859/* Get the source and destination port from the inbound packet. */5860sport = ntohs(chunk->sctp_hdr->dest);5861dport = ntohs(chunk->sctp_hdr->source);58625863/* The V-tag is going to be the same as the inbound packet if no5864* association exists, otherwise, use the peer's vtag.5865*/5866if (asoc) {5867/* Special case the INIT-ACK as there is no peer's vtag5868* yet.5869*/5870switch(chunk->chunk_hdr->type) {5871case SCTP_CID_INIT_ACK:5872{5873sctp_initack_chunk_t *initack;58745875initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;5876vtag = ntohl(initack->init_hdr.init_tag);5877break;5878}5879default:5880vtag = asoc->peer.i.init_tag;5881break;5882}5883} else {5884/* Special case the INIT and stale COOKIE_ECHO as there is no5885* vtag yet.5886*/5887switch(chunk->chunk_hdr->type) {5888case SCTP_CID_INIT:5889{5890sctp_init_chunk_t *init;58915892init = (sctp_init_chunk_t *)chunk->chunk_hdr;5893vtag = ntohl(init->init_hdr.init_tag);5894break;5895}5896default:5897vtag = ntohl(chunk->sctp_hdr->vtag);5898break;5899}5900}59015902/* Make a transport for the bucket, Eliza... */5903transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC);5904if (!transport)5905goto nomem;59065907/* Cache a route for the transport with the chunk's destination as5908* the source address.5909*/5910sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,5911sctp_sk(sctp_get_ctl_sock()));59125913packet = sctp_packet_init(&transport->packet, transport, sport, dport);5914packet = sctp_packet_config(packet, vtag, 0);59155916return packet;59175918nomem:5919return NULL;5920}59215922/* Free the packet allocated earlier for responding in the OOTB condition. */5923void sctp_ootb_pkt_free(struct sctp_packet *packet)5924{5925sctp_transport_free(packet->transport);5926}59275928/* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */5929static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,5930const struct sctp_association *asoc,5931const struct sctp_chunk *chunk,5932sctp_cmd_seq_t *commands,5933struct sctp_chunk *err_chunk)5934{5935struct sctp_packet *packet;59365937if (err_chunk) {5938packet = sctp_ootb_pkt_new(asoc, chunk);5939if (packet) {5940struct sctp_signed_cookie *cookie;59415942/* Override the OOTB vtag from the cookie. */5943cookie = chunk->subh.cookie_hdr;5944packet->vtag = cookie->c.peer_vtag;59455946/* Set the skb to the belonging sock for accounting. */5947err_chunk->skb->sk = ep->base.sk;5948sctp_packet_append_chunk(packet, err_chunk);5949sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,5950SCTP_PACKET(packet));5951SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);5952} else5953sctp_chunk_free (err_chunk);5954}5955}595659575958/* Process a data chunk */5959static int sctp_eat_data(const struct sctp_association *asoc,5960struct sctp_chunk *chunk,5961sctp_cmd_seq_t *commands)5962{5963sctp_datahdr_t *data_hdr;5964struct sctp_chunk *err;5965size_t datalen;5966sctp_verb_t deliver;5967int tmp;5968__u32 tsn;5969struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;5970struct sock *sk = asoc->base.sk;5971u16 ssn;5972u16 sid;5973u8 ordered = 0;59745975data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data;5976skb_pull(chunk->skb, sizeof(sctp_datahdr_t));59775978tsn = ntohl(data_hdr->tsn);5979SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn);59805981/* ASSERT: Now skb->data is really the user data. */59825983/* Process ECN based congestion.5984*5985* Since the chunk structure is reused for all chunks within5986* a packet, we use ecn_ce_done to track if we've already5987* done CE processing for this packet.5988*5989* We need to do ECN processing even if we plan to discard the5990* chunk later.5991*/59925993if (!chunk->ecn_ce_done) {5994struct sctp_af *af;5995chunk->ecn_ce_done = 1;59965997af = sctp_get_af_specific(5998ipver2af(ip_hdr(chunk->skb)->version));59996000if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) {6001/* Do real work as sideffect. */6002sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,6003SCTP_U32(tsn));6004}6005}60066007tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);6008if (tmp < 0) {6009/* The TSN is too high--silently discard the chunk and6010* count on it getting retransmitted later.6011*/6012return SCTP_IERROR_HIGH_TSN;6013} else if (tmp > 0) {6014/* This is a duplicate. Record it. */6015sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));6016return SCTP_IERROR_DUP_TSN;6017}60186019/* This is a new TSN. */60206021/* Discard if there is no room in the receive window.6022* Actually, allow a little bit of overflow (up to a MTU).6023*/6024datalen = ntohs(chunk->chunk_hdr->length);6025datalen -= sizeof(sctp_data_chunk_t);60266027deliver = SCTP_CMD_CHUNK_ULP;60286029/* Think about partial delivery. */6030if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {60316032/* Even if we don't accept this chunk there is6033* memory pressure.6034*/6035sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());6036}60376038/* Spill over rwnd a little bit. Note: While allowed, this spill over6039* seems a bit troublesome in that frag_point varies based on6040* PMTU. In cases, such as loopback, this might be a rather6041* large spill over.6042*/6043if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||6044(datalen > asoc->rwnd + asoc->frag_point))) {60456046/* If this is the next TSN, consider reneging to make6047* room. Note: Playing nice with a confused sender. A6048* malicious sender can still eat up all our buffer6049* space and in the future we may want to detect and6050* do more drastic reneging.6051*/6052if (sctp_tsnmap_has_gap(map) &&6053(sctp_tsnmap_get_ctsn(map) + 1) == tsn) {6054SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn);6055deliver = SCTP_CMD_RENEGE;6056} else {6057SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, "6058"rwnd: %d\n", tsn, datalen,6059asoc->rwnd);6060return SCTP_IERROR_IGNORE_TSN;6061}6062}60636064/*6065* Also try to renege to limit our memory usage in the event that6066* we are under memory pressure6067* If we can't renege, don't worry about it, the sk_rmem_schedule6068* in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our6069* memory usage too much6070*/6071if (*sk->sk_prot_creator->memory_pressure) {6072if (sctp_tsnmap_has_gap(map) &&6073(sctp_tsnmap_get_ctsn(map) + 1) == tsn) {6074SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn);6075deliver = SCTP_CMD_RENEGE;6076}6077}60786079/*6080* Section 3.3.10.9 No User Data (9)6081*6082* Cause of error6083* ---------------6084* No User Data: This error cause is returned to the originator of a6085* DATA chunk if a received DATA chunk has no user data.6086*/6087if (unlikely(0 == datalen)) {6088err = sctp_make_abort_no_data(asoc, chunk, tsn);6089if (err) {6090sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,6091SCTP_CHUNK(err));6092}6093/* We are going to ABORT, so we might as well stop6094* processing the rest of the chunks in the packet.6095*/6096sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());6097sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,6098SCTP_ERROR(ECONNABORTED));6099sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,6100SCTP_PERR(SCTP_ERROR_NO_DATA));6101SCTP_INC_STATS(SCTP_MIB_ABORTEDS);6102SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);6103return SCTP_IERROR_NO_DATA;6104}61056106chunk->data_accepted = 1;61076108/* Note: Some chunks may get overcounted (if we drop) or overcounted6109* if we renege and the chunk arrives again.6110*/6111if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED)6112SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS);6113else {6114SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS);6115ordered = 1;6116}61176118/* RFC 2960 6.5 Stream Identifier and Stream Sequence Number6119*6120* If an endpoint receive a DATA chunk with an invalid stream6121* identifier, it shall acknowledge the reception of the DATA chunk6122* following the normal procedure, immediately send an ERROR chunk6123* with cause set to "Invalid Stream Identifier" (See Section 3.3.10)6124* and discard the DATA chunk.6125*/6126sid = ntohs(data_hdr->stream);6127if (sid >= asoc->c.sinit_max_instreams) {6128/* Mark tsn as received even though we drop it */6129sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));61306131err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,6132&data_hdr->stream,6133sizeof(data_hdr->stream),6134sizeof(u16));6135if (err)6136sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,6137SCTP_CHUNK(err));6138return SCTP_IERROR_BAD_STREAM;6139}61406141/* Check to see if the SSN is possible for this TSN.6142* The biggest gap we can record is 4K wide. Since SSNs wrap6143* at an unsigned short, there is no way that an SSN can6144* wrap and for a valid TSN. We can simply check if the current6145* SSN is smaller then the next expected one. If it is, it wrapped6146* and is invalid.6147*/6148ssn = ntohs(data_hdr->ssn);6149if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) {6150return SCTP_IERROR_PROTO_VIOLATION;6151}61526153/* Send the data up to the user. Note: Schedule the6154* SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK6155* chunk needs the updated rwnd.6156*/6157sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));61586159return SCTP_IERROR_NO_ERROR;6160}616161626163