1// SPDX-License-Identifier: GPL-2.0-or-later 2/* SCTP kernel implementation 3 * (C) Copyright IBM Corp. 2001, 2004 4 * Copyright (c) 1999-2000 Cisco, Inc. 5 * Copyright (c) 1999-2001 Motorola, Inc. 6 * Copyright (c) 2001-2002 Intel Corp. 7 * Copyright (c) 2002 Nokia Corp. 8 * 9 * This is part of the SCTP Linux Kernel Implementation. 10 * 11 * These are the state functions for the state machine. 12 * 13 * Please send any bug reports or fixes you make to the 14 * email address(es): 15 * lksctp developers <linux-sctp@vger.kernel.org> 16 * 17 * Written or modified by: 18 * La Monte H.P. Yarroll <piggy@acm.org> 19 * Karl Knutson <karl@athena.chicago.il.us> 20 * Mathew Kotowsky <kotowsky@sctp.org> 21 * Sridhar Samudrala <samudrala@us.ibm.com> 22 * Jon Grimm <jgrimm@us.ibm.com> 23 * Hui Huang <hui.huang@nokia.com> 24 * Dajiang Zhang <dajiang.zhang@nokia.com> 25 * Daisy Chang <daisyc@us.ibm.com> 26 * Ardelle Fan <ardelle.fan@intel.com> 27 * Ryan Layer <rmlayer@us.ibm.com> 28 * Kevin Gao <kevin.gao@intel.com> 29 */ 30 31#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 32 33#include <linux/types.h> 34#include <linux/kernel.h> 35#include <linux/ip.h> 36#include <linux/ipv6.h> 37#include <linux/net.h> 38#include <linux/inet.h> 39#include <linux/slab.h> 40#include <net/sock.h> 41#include <net/inet_ecn.h> 42#include <linux/skbuff.h> 43#include <net/sctp/sctp.h> 44#include <net/sctp/sm.h> 45#include <net/sctp/structs.h> 46 47#define CREATE_TRACE_POINTS 48#include <trace/events/sctp.h> 49 50static struct sctp_packet *sctp_abort_pkt_new( 51 struct net *net, 52 const struct sctp_endpoint *ep, 53 const struct sctp_association *asoc, 54 struct sctp_chunk *chunk, 55 const void *payload, size_t paylen); 56static int sctp_eat_data(const struct sctp_association *asoc, 57 struct sctp_chunk *chunk, 58 struct sctp_cmd_seq *commands); 59static struct sctp_packet *sctp_ootb_pkt_new( 60 struct net *net, 61 const struct sctp_association *asoc, 62 const struct sctp_chunk *chunk); 63static void sctp_send_stale_cookie_err(struct net *net, 64 const struct sctp_endpoint *ep, 65 const struct sctp_association *asoc, 66 const struct sctp_chunk *chunk, 67 struct sctp_cmd_seq *commands, 68 struct sctp_chunk *err_chunk); 69static enum sctp_disposition sctp_sf_do_5_2_6_stale( 70 struct net *net, 71 const struct sctp_endpoint *ep, 72 const struct sctp_association *asoc, 73 const union sctp_subtype type, 74 void *arg, 75 struct sctp_cmd_seq *commands); 76static enum sctp_disposition sctp_sf_shut_8_4_5( 77 struct net *net, 78 const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const union sctp_subtype type, 81 void *arg, 82 struct sctp_cmd_seq *commands); 83static enum sctp_disposition sctp_sf_tabort_8_4_8( 84 struct net *net, 85 const struct sctp_endpoint *ep, 86 const struct sctp_association *asoc, 87 const union sctp_subtype type, 88 void *arg, 89 struct sctp_cmd_seq *commands); 90static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 91 92static enum sctp_disposition sctp_stop_t1_and_abort( 93 struct net *net, 94 struct sctp_cmd_seq *commands, 95 __be16 error, int sk_err, 96 const struct sctp_association *asoc, 97 struct sctp_transport *transport); 98 99static enum sctp_disposition sctp_sf_abort_violation( 100 struct net *net, 101 const struct sctp_endpoint *ep, 102 const struct sctp_association *asoc, 103 void *arg, 104 struct sctp_cmd_seq *commands, 105 const __u8 *payload, 106 const size_t paylen); 107 108static enum sctp_disposition sctp_sf_violation_chunklen( 109 struct net *net, 110 const struct sctp_endpoint *ep, 111 const struct sctp_association *asoc, 112 const union sctp_subtype type, 113 void *arg, 114 struct sctp_cmd_seq *commands); 115 116static enum sctp_disposition sctp_sf_violation_paramlen( 117 struct net *net, 118 const struct sctp_endpoint *ep, 119 const struct sctp_association *asoc, 120 const union sctp_subtype type, 121 void *arg, void *ext, 122 struct sctp_cmd_seq *commands); 123 124static enum sctp_disposition sctp_sf_violation_ctsn( 125 struct net *net, 126 const struct sctp_endpoint *ep, 127 const struct sctp_association *asoc, 128 const union sctp_subtype type, 129 void *arg, 130 struct sctp_cmd_seq *commands); 131 132static enum sctp_disposition sctp_sf_violation_chunk( 133 struct net *net, 134 const struct sctp_endpoint *ep, 135 const struct sctp_association *asoc, 136 const union sctp_subtype type, 137 void *arg, 138 struct sctp_cmd_seq *commands); 139 140static enum sctp_ierror sctp_sf_authenticate( 141 const struct sctp_association *asoc, 142 struct sctp_chunk *chunk); 143 144static enum sctp_disposition __sctp_sf_do_9_1_abort( 145 struct net *net, 146 const struct sctp_endpoint *ep, 147 const struct sctp_association *asoc, 148 const union sctp_subtype type, 149 void *arg, 150 struct sctp_cmd_seq *commands); 151 152static enum sctp_disposition 153__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 154 const struct sctp_association *asoc, 155 const union sctp_subtype type, void *arg, 156 struct sctp_cmd_seq *commands); 157 158/* Small helper function that checks if the chunk length 159 * is of the appropriate length. The 'required_length' argument 160 * is set to be the size of a specific chunk we are testing. 161 * Return Values: true = Valid length 162 * false = Invalid length 163 * 164 */ 165static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, 166 __u16 required_length) 167{ 168 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 169 170 /* Previously already marked? */ 171 if (unlikely(chunk->pdiscard)) 172 return false; 173 if (unlikely(chunk_length < required_length)) 174 return false; 175 176 return true; 177} 178 179/* Check for format error in an ABORT chunk */ 180static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) 181{ 182 struct sctp_errhdr *err; 183 184 sctp_walk_errors(err, chunk->chunk_hdr); 185 186 return (void *)err == (void *)chunk->chunk_end; 187} 188 189/********************************************************** 190 * These are the state functions for handling chunk events. 191 **********************************************************/ 192 193/* 194 * Process the final SHUTDOWN COMPLETE. 195 * 196 * Section: 4 (C) (diagram), 9.2 197 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 198 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 199 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 200 * should stop the T2-shutdown timer and remove all knowledge of the 201 * association (and thus the association enters the CLOSED state). 202 * 203 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 204 * C) Rules for packet carrying SHUTDOWN COMPLETE: 205 * ... 206 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 207 * if the Verification Tag field of the packet matches its own tag and 208 * the T bit is not set 209 * OR 210 * it is set to its peer's tag and the T bit is set in the Chunk 211 * Flags. 212 * Otherwise, the receiver MUST silently discard the packet 213 * and take no further action. An endpoint MUST ignore the 214 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 215 * 216 * Inputs 217 * (endpoint, asoc, chunk) 218 * 219 * Outputs 220 * (asoc, reply_msg, msg_up, timers, counters) 221 * 222 * The return value is the disposition of the chunk. 223 */ 224enum sctp_disposition sctp_sf_do_4_C(struct net *net, 225 const struct sctp_endpoint *ep, 226 const struct sctp_association *asoc, 227 const union sctp_subtype type, 228 void *arg, struct sctp_cmd_seq *commands) 229{ 230 struct sctp_chunk *chunk = arg; 231 struct sctp_ulpevent *ev; 232 233 if (!sctp_vtag_verify_either(chunk, asoc)) 234 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 235 236 /* RFC 2960 6.10 Bundling 237 * 238 * An endpoint MUST NOT bundle INIT, INIT ACK or 239 * SHUTDOWN COMPLETE with any other chunks. 240 */ 241 if (!chunk->singleton) 242 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 243 244 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 245 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 246 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 247 commands); 248 249 /* RFC 2960 10.2 SCTP-to-ULP 250 * 251 * H) SHUTDOWN COMPLETE notification 252 * 253 * When SCTP completes the shutdown procedures (section 9.2) this 254 * notification is passed to the upper layer. 255 */ 256 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 257 0, 0, 0, NULL, GFP_ATOMIC); 258 if (ev) 259 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 260 SCTP_ULPEVENT(ev)); 261 262 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 263 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 264 * not the chunk should be discarded. If the endpoint is in 265 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 266 * T2-shutdown timer and remove all knowledge of the 267 * association (and thus the association enters the CLOSED 268 * state). 269 */ 270 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 271 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 272 273 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 274 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 275 276 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 277 SCTP_STATE(SCTP_STATE_CLOSED)); 278 279 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 280 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 281 282 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 283 284 return SCTP_DISPOSITION_DELETE_TCB; 285} 286 287/* 288 * Respond to a normal INIT chunk. 289 * We are the side that is being asked for an association. 290 * 291 * Section: 5.1 Normal Establishment of an Association, B 292 * B) "Z" shall respond immediately with an INIT ACK chunk. The 293 * destination IP address of the INIT ACK MUST be set to the source 294 * IP address of the INIT to which this INIT ACK is responding. In 295 * the response, besides filling in other parameters, "Z" must set the 296 * Verification Tag field to Tag_A, and also provide its own 297 * Verification Tag (Tag_Z) in the Initiate Tag field. 298 * 299 * Verification Tag: Must be 0. 300 * 301 * Inputs 302 * (endpoint, asoc, chunk) 303 * 304 * Outputs 305 * (asoc, reply_msg, msg_up, timers, counters) 306 * 307 * The return value is the disposition of the chunk. 308 */ 309enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, 310 const struct sctp_endpoint *ep, 311 const struct sctp_association *asoc, 312 const union sctp_subtype type, 313 void *arg, 314 struct sctp_cmd_seq *commands) 315{ 316 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 317 struct sctp_unrecognized_param *unk_param; 318 struct sctp_association *new_asoc; 319 struct sctp_packet *packet; 320 int len; 321 322 /* Update socket peer label if first association. */ 323 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 324 chunk->skb)) 325 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 326 327 /* 6.10 Bundling 328 * An endpoint MUST NOT bundle INIT, INIT ACK or 329 * SHUTDOWN COMPLETE with any other chunks. 330 * 331 * IG Section 2.11.2 332 * Furthermore, we require that the receiver of an INIT chunk MUST 333 * enforce these rules by silently discarding an arriving packet 334 * with an INIT chunk that is bundled with other chunks. 335 */ 336 if (!chunk->singleton) 337 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 338 339 /* Make sure that the INIT chunk has a valid length. 340 * Normally, this would cause an ABORT with a Protocol Violation 341 * error, but since we don't have an association, we'll 342 * just discard the packet. 343 */ 344 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 345 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 346 347 /* If the packet is an OOTB packet which is temporarily on the 348 * control endpoint, respond with an ABORT. 349 */ 350 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 351 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 352 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 353 } 354 355 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 356 * Tag. 357 */ 358 if (chunk->sctp_hdr->vtag != 0) 359 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 360 361 /* If the INIT is coming toward a closing socket, we'll send back 362 * and ABORT. Essentially, this catches the race of INIT being 363 * backloged to the socket at the same time as the user isses close(). 364 * Since the socket and all its associations are going away, we 365 * can treat this OOTB 366 */ 367 if (sctp_sstate(ep->base.sk, CLOSING)) 368 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 369 370 /* Verify the INIT chunk before processing it. */ 371 err_chunk = NULL; 372 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 373 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 374 &err_chunk)) { 375 /* This chunk contains fatal error. It is to be discarded. 376 * Send an ABORT, with causes if there is any. 377 */ 378 if (err_chunk) { 379 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 380 (__u8 *)(err_chunk->chunk_hdr) + 381 sizeof(struct sctp_chunkhdr), 382 ntohs(err_chunk->chunk_hdr->length) - 383 sizeof(struct sctp_chunkhdr)); 384 385 sctp_chunk_free(err_chunk); 386 387 if (packet) { 388 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 389 SCTP_PACKET(packet)); 390 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 391 return SCTP_DISPOSITION_CONSUME; 392 } else { 393 return SCTP_DISPOSITION_NOMEM; 394 } 395 } else { 396 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 397 commands); 398 } 399 } 400 401 /* Grab the INIT header. */ 402 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 403 404 /* Tag the variable length parameters. */ 405 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 406 407 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 408 if (!new_asoc) 409 goto nomem; 410 411 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 412 sctp_scope(sctp_source(chunk)), 413 GFP_ATOMIC) < 0) 414 goto nomem_init; 415 416 /* The call, sctp_process_init(), can fail on memory allocation. */ 417 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 418 (struct sctp_init_chunk *)chunk->chunk_hdr, 419 GFP_ATOMIC)) 420 goto nomem_init; 421 422 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 423 424 /* If there are errors need to be reported for unknown parameters, 425 * make sure to reserve enough room in the INIT ACK for them. 426 */ 427 len = 0; 428 if (err_chunk) 429 len = ntohs(err_chunk->chunk_hdr->length) - 430 sizeof(struct sctp_chunkhdr); 431 432 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 433 if (!repl) 434 goto nomem_init; 435 436 /* If there are errors need to be reported for unknown parameters, 437 * include them in the outgoing INIT ACK as "Unrecognized parameter" 438 * parameter. 439 */ 440 if (err_chunk) { 441 /* Get the "Unrecognized parameter" parameter(s) out of the 442 * ERROR chunk generated by sctp_verify_init(). Since the 443 * error cause code for "unknown parameter" and the 444 * "Unrecognized parameter" type is the same, we can 445 * construct the parameters in INIT ACK by copying the 446 * ERROR causes over. 447 */ 448 unk_param = (struct sctp_unrecognized_param *) 449 ((__u8 *)(err_chunk->chunk_hdr) + 450 sizeof(struct sctp_chunkhdr)); 451 /* Replace the cause code with the "Unrecognized parameter" 452 * parameter type. 453 */ 454 sctp_addto_chunk(repl, len, unk_param); 455 sctp_chunk_free(err_chunk); 456 } 457 458 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 459 460 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 461 462 /* 463 * Note: After sending out INIT ACK with the State Cookie parameter, 464 * "Z" MUST NOT allocate any resources, nor keep any states for the 465 * new association. Otherwise, "Z" will be vulnerable to resource 466 * attacks. 467 */ 468 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 469 470 return SCTP_DISPOSITION_DELETE_TCB; 471 472nomem_init: 473 sctp_association_free(new_asoc); 474nomem: 475 if (err_chunk) 476 sctp_chunk_free(err_chunk); 477 return SCTP_DISPOSITION_NOMEM; 478} 479 480/* 481 * Respond to a normal INIT ACK chunk. 482 * We are the side that is initiating the association. 483 * 484 * Section: 5.1 Normal Establishment of an Association, C 485 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 486 * timer and leave COOKIE-WAIT state. "A" shall then send the State 487 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 488 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 489 * 490 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 491 * DATA chunks, but it MUST be the first chunk in the packet and 492 * until the COOKIE ACK is returned the sender MUST NOT send any 493 * other packets to the peer. 494 * 495 * Verification Tag: 3.3.3 496 * If the value of the Initiate Tag in a received INIT ACK chunk is 497 * found to be 0, the receiver MUST treat it as an error and close the 498 * association by transmitting an ABORT. 499 * 500 * Inputs 501 * (endpoint, asoc, chunk) 502 * 503 * Outputs 504 * (asoc, reply_msg, msg_up, timers, counters) 505 * 506 * The return value is the disposition of the chunk. 507 */ 508enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, 509 const struct sctp_endpoint *ep, 510 const struct sctp_association *asoc, 511 const union sctp_subtype type, 512 void *arg, 513 struct sctp_cmd_seq *commands) 514{ 515 struct sctp_init_chunk *initchunk; 516 struct sctp_chunk *chunk = arg; 517 struct sctp_chunk *err_chunk; 518 struct sctp_packet *packet; 519 520 if (!sctp_vtag_verify(chunk, asoc)) 521 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 522 523 /* 6.10 Bundling 524 * An endpoint MUST NOT bundle INIT, INIT ACK or 525 * SHUTDOWN COMPLETE with any other chunks. 526 */ 527 if (!chunk->singleton) 528 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 529 530 /* Make sure that the INIT-ACK chunk has a valid length */ 531 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) 532 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 533 commands); 534 /* Grab the INIT header. */ 535 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 536 537 /* Verify the INIT chunk before processing it. */ 538 err_chunk = NULL; 539 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 540 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 541 &err_chunk)) { 542 543 enum sctp_error error = SCTP_ERROR_NO_RESOURCE; 544 545 /* This chunk contains fatal error. It is to be discarded. 546 * Send an ABORT, with causes. If there are no causes, 547 * then there wasn't enough memory. Just terminate 548 * the association. 549 */ 550 if (err_chunk) { 551 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 552 (__u8 *)(err_chunk->chunk_hdr) + 553 sizeof(struct sctp_chunkhdr), 554 ntohs(err_chunk->chunk_hdr->length) - 555 sizeof(struct sctp_chunkhdr)); 556 557 sctp_chunk_free(err_chunk); 558 559 if (packet) { 560 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 561 SCTP_PACKET(packet)); 562 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 563 error = SCTP_ERROR_INV_PARAM; 564 } 565 } 566 567 /* SCTP-AUTH, Section 6.3: 568 * It should be noted that if the receiver wants to tear 569 * down an association in an authenticated way only, the 570 * handling of malformed packets should not result in 571 * tearing down the association. 572 * 573 * This means that if we only want to abort associations 574 * in an authenticated way (i.e AUTH+ABORT), then we 575 * can't destroy this association just because the packet 576 * was malformed. 577 */ 578 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 579 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 580 581 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 582 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 583 asoc, chunk->transport); 584 } 585 586 /* Tag the variable length parameters. Note that we never 587 * convert the parameters in an INIT chunk. 588 */ 589 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 590 591 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; 592 593 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 594 SCTP_PEER_INIT(initchunk)); 595 596 /* Reset init error count upon receipt of INIT-ACK. */ 597 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 598 599 /* 5.1 C) "A" shall stop the T1-init timer and leave 600 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 601 * timer, and enter the COOKIE-ECHOED state. 602 */ 603 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 604 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 605 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 606 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 607 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 608 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 609 610 /* SCTP-AUTH: genereate the assocition shared keys so that 611 * we can potentially signe the COOKIE-ECHO. 612 */ 613 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 614 615 /* 5.1 C) "A" shall then send the State Cookie received in the 616 * INIT ACK chunk in a COOKIE ECHO chunk, ... 617 */ 618 /* If there is any errors to report, send the ERROR chunk generated 619 * for unknown parameters as well. 620 */ 621 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 622 SCTP_CHUNK(err_chunk)); 623 624 return SCTP_DISPOSITION_CONSUME; 625} 626 627static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk, 628 const struct sctp_association *asoc) 629{ 630 struct sctp_chunk auth; 631 632 if (!chunk->auth_chunk) 633 return true; 634 635 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 636 * is supposed to be authenticated and we have to do delayed 637 * authentication. We've just recreated the association using 638 * the information in the cookie and now it's much easier to 639 * do the authentication. 640 */ 641 642 /* Make sure that we and the peer are AUTH capable */ 643 if (!net->sctp.auth_enable || !asoc->peer.auth_capable) 644 return false; 645 646 /* set-up our fake chunk so that we can process it */ 647 auth.skb = chunk->auth_chunk; 648 auth.asoc = chunk->asoc; 649 auth.sctp_hdr = chunk->sctp_hdr; 650 auth.chunk_hdr = (struct sctp_chunkhdr *) 651 skb_push(chunk->auth_chunk, 652 sizeof(struct sctp_chunkhdr)); 653 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); 654 auth.transport = chunk->transport; 655 656 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR; 657} 658 659/* 660 * Respond to a normal COOKIE ECHO chunk. 661 * We are the side that is being asked for an association. 662 * 663 * Section: 5.1 Normal Establishment of an Association, D 664 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 665 * with a COOKIE ACK chunk after building a TCB and moving to 666 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 667 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 668 * chunk MUST be the first chunk in the packet. 669 * 670 * IMPLEMENTATION NOTE: An implementation may choose to send the 671 * Communication Up notification to the SCTP user upon reception 672 * of a valid COOKIE ECHO chunk. 673 * 674 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 675 * D) Rules for packet carrying a COOKIE ECHO 676 * 677 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 678 * Initial Tag received in the INIT ACK. 679 * 680 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 681 * 682 * Inputs 683 * (endpoint, asoc, chunk) 684 * 685 * Outputs 686 * (asoc, reply_msg, msg_up, timers, counters) 687 * 688 * The return value is the disposition of the chunk. 689 */ 690enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 691 const struct sctp_endpoint *ep, 692 const struct sctp_association *asoc, 693 const union sctp_subtype type, 694 void *arg, 695 struct sctp_cmd_seq *commands) 696{ 697 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; 698 struct sctp_association *new_asoc; 699 struct sctp_init_chunk *peer_init; 700 struct sctp_chunk *chunk = arg; 701 struct sctp_chunk *err_chk_p; 702 struct sctp_chunk *repl; 703 struct sock *sk; 704 int error = 0; 705 706 if (asoc && !sctp_vtag_verify(chunk, asoc)) 707 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 708 709 /* If the packet is an OOTB packet which is temporarily on the 710 * control endpoint, respond with an ABORT. 711 */ 712 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 713 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 714 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 715 } 716 717 /* Make sure that the COOKIE_ECHO chunk has a valid length. 718 * In this case, we check that we have enough for at least a 719 * chunk header. More detailed verification is done 720 * in sctp_unpack_cookie(). 721 */ 722 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 723 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 724 commands); 725 726 /* If the endpoint is not listening or if the number of associations 727 * on the TCP-style socket exceed the max backlog, respond with an 728 * ABORT. 729 */ 730 sk = ep->base.sk; 731 if (!sctp_sstate(sk, LISTENING) || 732 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 733 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 734 735 /* "Decode" the chunk. We have no optional parameters so we 736 * are in good shape. 737 */ 738 chunk->subh.cookie_hdr = 739 (struct sctp_signed_cookie *)chunk->skb->data; 740 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 741 sizeof(struct sctp_chunkhdr))) 742 goto nomem; 743 744 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 745 * "Z" will reply with a COOKIE ACK chunk after building a TCB 746 * and moving to the ESTABLISHED state. 747 */ 748 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 749 &err_chk_p); 750 751 /* FIXME: 752 * If the re-build failed, what is the proper error path 753 * from here? 754 * 755 * [We should abort the association. --piggy] 756 */ 757 if (!new_asoc) { 758 /* FIXME: Several errors are possible. A bad cookie should 759 * be silently discarded, but think about logging it too. 760 */ 761 switch (error) { 762 case -SCTP_IERROR_NOMEM: 763 goto nomem; 764 765 case -SCTP_IERROR_STALE_COOKIE: 766 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 767 err_chk_p); 768 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 769 770 case -SCTP_IERROR_BAD_SIG: 771 default: 772 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 773 } 774 } 775 776 777 /* Delay state machine commands until later. 778 * 779 * Re-build the bind address for the association is done in 780 * the sctp_unpack_cookie() already. 781 */ 782 /* This is a brand-new association, so these are not yet side 783 * effects--it is safe to run them here. 784 */ 785 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 786 787 if (!sctp_process_init(new_asoc, chunk, 788 &chunk->subh.cookie_hdr->c.peer_addr, 789 peer_init, GFP_ATOMIC)) 790 goto nomem_init; 791 792 /* SCTP-AUTH: Now that we've populate required fields in 793 * sctp_process_init, set up the assocaition shared keys as 794 * necessary so that we can potentially authenticate the ACK 795 */ 796 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 797 if (error) 798 goto nomem_init; 799 800 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) { 801 sctp_association_free(new_asoc); 802 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 803 } 804 805 repl = sctp_make_cookie_ack(new_asoc, chunk); 806 if (!repl) 807 goto nomem_init; 808 809 /* RFC 2960 5.1 Normal Establishment of an Association 810 * 811 * D) IMPLEMENTATION NOTE: An implementation may choose to 812 * send the Communication Up notification to the SCTP user 813 * upon reception of a valid COOKIE ECHO chunk. 814 */ 815 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 816 new_asoc->c.sinit_num_ostreams, 817 new_asoc->c.sinit_max_instreams, 818 NULL, GFP_ATOMIC); 819 if (!ev) 820 goto nomem_ev; 821 822 /* Sockets API Draft Section 5.3.1.6 823 * When a peer sends a Adaptation Layer Indication parameter , SCTP 824 * delivers this notification to inform the application that of the 825 * peers requested adaptation layer. 826 */ 827 if (new_asoc->peer.adaptation_ind) { 828 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 829 GFP_ATOMIC); 830 if (!ai_ev) 831 goto nomem_aiev; 832 } 833 834 if (!new_asoc->peer.auth_capable) { 835 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, 836 SCTP_AUTH_NO_AUTH, 837 GFP_ATOMIC); 838 if (!auth_ev) 839 goto nomem_authev; 840 } 841 842 /* Add all the state machine commands now since we've created 843 * everything. This way we don't introduce memory corruptions 844 * during side-effect processing and correclty count established 845 * associations. 846 */ 847 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 848 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 849 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 850 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 851 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 852 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 853 854 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 855 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 856 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 857 858 /* This will send the COOKIE ACK */ 859 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 860 861 /* Queue the ASSOC_CHANGE event */ 862 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 863 864 /* Send up the Adaptation Layer Indication event */ 865 if (ai_ev) 866 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 867 SCTP_ULPEVENT(ai_ev)); 868 869 if (auth_ev) 870 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 871 SCTP_ULPEVENT(auth_ev)); 872 873 return SCTP_DISPOSITION_CONSUME; 874 875nomem_authev: 876 sctp_ulpevent_free(ai_ev); 877nomem_aiev: 878 sctp_ulpevent_free(ev); 879nomem_ev: 880 sctp_chunk_free(repl); 881nomem_init: 882 sctp_association_free(new_asoc); 883nomem: 884 return SCTP_DISPOSITION_NOMEM; 885} 886 887/* 888 * Respond to a normal COOKIE ACK chunk. 889 * We are the side that is asking for an association. 890 * 891 * RFC 2960 5.1 Normal Establishment of an Association 892 * 893 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 894 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 895 * timer. It may also notify its ULP about the successful 896 * establishment of the association with a Communication Up 897 * notification (see Section 10). 898 * 899 * Verification Tag: 900 * Inputs 901 * (endpoint, asoc, chunk) 902 * 903 * Outputs 904 * (asoc, reply_msg, msg_up, timers, counters) 905 * 906 * The return value is the disposition of the chunk. 907 */ 908enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 909 const struct sctp_endpoint *ep, 910 const struct sctp_association *asoc, 911 const union sctp_subtype type, 912 void *arg, 913 struct sctp_cmd_seq *commands) 914{ 915 struct sctp_chunk *chunk = arg; 916 struct sctp_ulpevent *ev; 917 918 if (!sctp_vtag_verify(chunk, asoc)) 919 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 920 921 /* Verify that the chunk length for the COOKIE-ACK is OK. 922 * If we don't do this, any bundled chunks may be junked. 923 */ 924 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 925 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 926 commands); 927 928 /* Reset init error count upon receipt of COOKIE-ACK, 929 * to avoid problems with the managemement of this 930 * counter in stale cookie situations when a transition back 931 * from the COOKIE-ECHOED state to the COOKIE-WAIT 932 * state is performed. 933 */ 934 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 935 936 /* Set peer label for connection. */ 937 security_inet_conn_established(ep->base.sk, chunk->skb); 938 939 /* RFC 2960 5.1 Normal Establishment of an Association 940 * 941 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 942 * from the COOKIE-ECHOED state to the ESTABLISHED state, 943 * stopping the T1-cookie timer. 944 */ 945 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 946 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 947 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 948 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 949 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 950 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 951 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 952 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 953 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 954 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 955 956 /* It may also notify its ULP about the successful 957 * establishment of the association with a Communication Up 958 * notification (see Section 10). 959 */ 960 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 961 0, asoc->c.sinit_num_ostreams, 962 asoc->c.sinit_max_instreams, 963 NULL, GFP_ATOMIC); 964 965 if (!ev) 966 goto nomem; 967 968 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 969 970 /* Sockets API Draft Section 5.3.1.6 971 * When a peer sends a Adaptation Layer Indication parameter , SCTP 972 * delivers this notification to inform the application that of the 973 * peers requested adaptation layer. 974 */ 975 if (asoc->peer.adaptation_ind) { 976 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 977 if (!ev) 978 goto nomem; 979 980 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 981 SCTP_ULPEVENT(ev)); 982 } 983 984 if (!asoc->peer.auth_capable) { 985 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, 986 GFP_ATOMIC); 987 if (!ev) 988 goto nomem; 989 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 990 SCTP_ULPEVENT(ev)); 991 } 992 993 return SCTP_DISPOSITION_CONSUME; 994nomem: 995 return SCTP_DISPOSITION_NOMEM; 996} 997 998/* Generate and sendout a heartbeat packet. */ 999static enum sctp_disposition sctp_sf_heartbeat( 1000 const struct sctp_endpoint *ep, 1001 const struct sctp_association *asoc, 1002 const union sctp_subtype type, 1003 void *arg, 1004 struct sctp_cmd_seq *commands) 1005{ 1006 struct sctp_transport *transport = (struct sctp_transport *) arg; 1007 struct sctp_chunk *reply; 1008 1009 /* Send a heartbeat to our peer. */ 1010 reply = sctp_make_heartbeat(asoc, transport); 1011 if (!reply) 1012 return SCTP_DISPOSITION_NOMEM; 1013 1014 /* Set rto_pending indicating that an RTT measurement 1015 * is started with this heartbeat chunk. 1016 */ 1017 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 1018 SCTP_TRANSPORT(transport)); 1019 1020 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1021 return SCTP_DISPOSITION_CONSUME; 1022} 1023 1024/* Generate a HEARTBEAT packet on the given transport. */ 1025enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, 1026 const struct sctp_endpoint *ep, 1027 const struct sctp_association *asoc, 1028 const union sctp_subtype type, 1029 void *arg, 1030 struct sctp_cmd_seq *commands) 1031{ 1032 struct sctp_transport *transport = (struct sctp_transport *) arg; 1033 1034 if (asoc->overall_error_count >= asoc->max_retrans) { 1035 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1036 SCTP_ERROR(ETIMEDOUT)); 1037 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1038 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1039 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1040 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1041 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1042 return SCTP_DISPOSITION_DELETE_TCB; 1043 } 1044 1045 /* Section 3.3.5. 1046 * The Sender-specific Heartbeat Info field should normally include 1047 * information about the sender's current time when this HEARTBEAT 1048 * chunk is sent and the destination transport address to which this 1049 * HEARTBEAT is sent (see Section 8.3). 1050 */ 1051 1052 if (transport->param_flags & SPP_HB_ENABLE) { 1053 if (SCTP_DISPOSITION_NOMEM == 1054 sctp_sf_heartbeat(ep, asoc, type, arg, 1055 commands)) 1056 return SCTP_DISPOSITION_NOMEM; 1057 1058 /* Set transport error counter and association error counter 1059 * when sending heartbeat. 1060 */ 1061 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1062 SCTP_TRANSPORT(transport)); 1063 } 1064 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1065 SCTP_TRANSPORT(transport)); 1066 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1067 SCTP_TRANSPORT(transport)); 1068 1069 return SCTP_DISPOSITION_CONSUME; 1070} 1071 1072/* resend asoc strreset_chunk. */ 1073enum sctp_disposition sctp_sf_send_reconf(struct net *net, 1074 const struct sctp_endpoint *ep, 1075 const struct sctp_association *asoc, 1076 const union sctp_subtype type, 1077 void *arg, 1078 struct sctp_cmd_seq *commands) 1079{ 1080 struct sctp_transport *transport = arg; 1081 1082 if (asoc->overall_error_count >= asoc->max_retrans) { 1083 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1084 SCTP_ERROR(ETIMEDOUT)); 1085 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1086 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1087 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1088 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1089 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1090 return SCTP_DISPOSITION_DELETE_TCB; 1091 } 1092 1093 sctp_chunk_hold(asoc->strreset_chunk); 1094 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1095 SCTP_CHUNK(asoc->strreset_chunk)); 1096 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 1097 1098 return SCTP_DISPOSITION_CONSUME; 1099} 1100 1101/* 1102 * Process an heartbeat request. 1103 * 1104 * Section: 8.3 Path Heartbeat 1105 * The receiver of the HEARTBEAT should immediately respond with a 1106 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1107 * from the received HEARTBEAT chunk. 1108 * 1109 * Verification Tag: 8.5 Verification Tag [Normal verification] 1110 * When receiving an SCTP packet, the endpoint MUST ensure that the 1111 * value in the Verification Tag field of the received SCTP packet 1112 * matches its own Tag. If the received Verification Tag value does not 1113 * match the receiver's own tag value, the receiver shall silently 1114 * discard the packet and shall not process it any further except for 1115 * those cases listed in Section 8.5.1 below. 1116 * 1117 * Inputs 1118 * (endpoint, asoc, chunk) 1119 * 1120 * Outputs 1121 * (asoc, reply_msg, msg_up, timers, counters) 1122 * 1123 * The return value is the disposition of the chunk. 1124 */ 1125enum sctp_disposition sctp_sf_beat_8_3(struct net *net, 1126 const struct sctp_endpoint *ep, 1127 const struct sctp_association *asoc, 1128 const union sctp_subtype type, 1129 void *arg, struct sctp_cmd_seq *commands) 1130{ 1131 struct sctp_paramhdr *param_hdr; 1132 struct sctp_chunk *chunk = arg; 1133 struct sctp_chunk *reply; 1134 size_t paylen = 0; 1135 1136 if (!sctp_vtag_verify(chunk, asoc)) 1137 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1138 1139 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1140 if (!sctp_chunk_length_valid(chunk, 1141 sizeof(struct sctp_heartbeat_chunk))) 1142 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1143 commands); 1144 1145 /* 8.3 The receiver of the HEARTBEAT should immediately 1146 * respond with a HEARTBEAT ACK that contains the Heartbeat 1147 * Information field copied from the received HEARTBEAT chunk. 1148 */ 1149 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; 1150 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; 1151 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); 1152 1153 if (ntohs(param_hdr->length) > paylen) 1154 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1155 param_hdr, commands); 1156 1157 if (!pskb_pull(chunk->skb, paylen)) 1158 goto nomem; 1159 1160 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1161 if (!reply) 1162 goto nomem; 1163 1164 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1165 return SCTP_DISPOSITION_CONSUME; 1166 1167nomem: 1168 return SCTP_DISPOSITION_NOMEM; 1169} 1170 1171/* 1172 * Process the returning HEARTBEAT ACK. 1173 * 1174 * Section: 8.3 Path Heartbeat 1175 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1176 * should clear the error counter of the destination transport 1177 * address to which the HEARTBEAT was sent, and mark the destination 1178 * transport address as active if it is not so marked. The endpoint may 1179 * optionally report to the upper layer when an inactive destination 1180 * address is marked as active due to the reception of the latest 1181 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1182 * clear the association overall error count as well (as defined 1183 * in section 8.1). 1184 * 1185 * The receiver of the HEARTBEAT ACK should also perform an RTT 1186 * measurement for that destination transport address using the time 1187 * value carried in the HEARTBEAT ACK chunk. 1188 * 1189 * Verification Tag: 8.5 Verification Tag [Normal verification] 1190 * 1191 * Inputs 1192 * (endpoint, asoc, chunk) 1193 * 1194 * Outputs 1195 * (asoc, reply_msg, msg_up, timers, counters) 1196 * 1197 * The return value is the disposition of the chunk. 1198 */ 1199enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, 1200 const struct sctp_endpoint *ep, 1201 const struct sctp_association *asoc, 1202 const union sctp_subtype type, 1203 void *arg, 1204 struct sctp_cmd_seq *commands) 1205{ 1206 struct sctp_sender_hb_info *hbinfo; 1207 struct sctp_chunk *chunk = arg; 1208 struct sctp_transport *link; 1209 unsigned long max_interval; 1210 union sctp_addr from_addr; 1211 1212 if (!sctp_vtag_verify(chunk, asoc)) 1213 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1214 1215 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1216 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + 1217 sizeof(*hbinfo))) 1218 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1219 commands); 1220 1221 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; 1222 /* Make sure that the length of the parameter is what we expect */ 1223 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) 1224 return SCTP_DISPOSITION_DISCARD; 1225 1226 from_addr = hbinfo->daddr; 1227 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1228 1229 /* This should never happen, but lets log it if so. */ 1230 if (unlikely(!link)) { 1231 if (from_addr.sa.sa_family == AF_INET6) { 1232 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1233 __func__, 1234 asoc, 1235 &from_addr.v6.sin6_addr); 1236 } else { 1237 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1238 __func__, 1239 asoc, 1240 &from_addr.v4.sin_addr.s_addr); 1241 } 1242 return SCTP_DISPOSITION_DISCARD; 1243 } 1244 1245 /* Validate the 64-bit random nonce. */ 1246 if (hbinfo->hb_nonce != link->hb_nonce) 1247 return SCTP_DISPOSITION_DISCARD; 1248 1249 max_interval = link->hbinterval + link->rto; 1250 1251 /* Check if the timestamp looks valid. */ 1252 if (time_after(hbinfo->sent_at, jiffies) || 1253 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1254 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1255 "for transport:%p\n", __func__, link); 1256 1257 return SCTP_DISPOSITION_DISCARD; 1258 } 1259 1260 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1261 * the HEARTBEAT should clear the error counter of the 1262 * destination transport address to which the HEARTBEAT was 1263 * sent and mark the destination transport address as active if 1264 * it is not so marked. 1265 */ 1266 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1267 1268 return SCTP_DISPOSITION_CONSUME; 1269} 1270 1271/* Helper function to send out an abort for the restart 1272 * condition. 1273 */ 1274static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1275 struct sctp_chunk *init, 1276 struct sctp_cmd_seq *commands) 1277{ 1278 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1279 union sctp_addr_param *addrparm; 1280 struct sctp_errhdr *errhdr; 1281 char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; 1282 struct sctp_endpoint *ep; 1283 struct sctp_packet *pkt; 1284 int len; 1285 1286 /* Build the error on the stack. We are way to malloc crazy 1287 * throughout the code today. 1288 */ 1289 errhdr = (struct sctp_errhdr *)buffer; 1290 addrparm = (union sctp_addr_param *)errhdr->variable; 1291 1292 /* Copy into a parm format. */ 1293 len = af->to_addr_param(ssa, addrparm); 1294 len += sizeof(*errhdr); 1295 1296 errhdr->cause = SCTP_ERROR_RESTART; 1297 errhdr->length = htons(len); 1298 1299 /* Assign to the control socket. */ 1300 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1301 1302 /* Association is NULL since this may be a restart attack and we 1303 * want to send back the attacker's vtag. 1304 */ 1305 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1306 1307 if (!pkt) 1308 goto out; 1309 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1310 1311 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1312 1313 /* Discard the rest of the inbound packet. */ 1314 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1315 1316out: 1317 /* Even if there is no memory, treat as a failure so 1318 * the packet will get dropped. 1319 */ 1320 return 0; 1321} 1322 1323static bool list_has_sctp_addr(const struct list_head *list, 1324 union sctp_addr *ipaddr) 1325{ 1326 struct sctp_transport *addr; 1327 1328 list_for_each_entry(addr, list, transports) { 1329 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1330 return true; 1331 } 1332 1333 return false; 1334} 1335/* A restart is occurring, check to make sure no new addresses 1336 * are being added as we may be under a takeover attack. 1337 */ 1338static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1339 const struct sctp_association *asoc, 1340 struct sctp_chunk *init, 1341 struct sctp_cmd_seq *commands) 1342{ 1343 struct net *net = new_asoc->base.net; 1344 struct sctp_transport *new_addr; 1345 int ret = 1; 1346 1347 /* Implementor's Guide - Section 5.2.2 1348 * ... 1349 * Before responding the endpoint MUST check to see if the 1350 * unexpected INIT adds new addresses to the association. If new 1351 * addresses are added to the association, the endpoint MUST respond 1352 * with an ABORT.. 1353 */ 1354 1355 /* Search through all current addresses and make sure 1356 * we aren't adding any new ones. 1357 */ 1358 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1359 transports) { 1360 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1361 &new_addr->ipaddr)) { 1362 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1363 commands); 1364 ret = 0; 1365 break; 1366 } 1367 } 1368 1369 /* Return success if all addresses were found. */ 1370 return ret; 1371} 1372 1373/* Populate the verification/tie tags based on overlapping INIT 1374 * scenario. 1375 * 1376 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1377 */ 1378static void sctp_tietags_populate(struct sctp_association *new_asoc, 1379 const struct sctp_association *asoc) 1380{ 1381 switch (asoc->state) { 1382 1383 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1384 1385 case SCTP_STATE_COOKIE_WAIT: 1386 new_asoc->c.my_vtag = asoc->c.my_vtag; 1387 new_asoc->c.my_ttag = asoc->c.my_vtag; 1388 new_asoc->c.peer_ttag = 0; 1389 break; 1390 1391 case SCTP_STATE_COOKIE_ECHOED: 1392 new_asoc->c.my_vtag = asoc->c.my_vtag; 1393 new_asoc->c.my_ttag = asoc->c.my_vtag; 1394 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1395 break; 1396 1397 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1398 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1399 */ 1400 default: 1401 new_asoc->c.my_ttag = asoc->c.my_vtag; 1402 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1403 break; 1404 } 1405 1406 /* Other parameters for the endpoint SHOULD be copied from the 1407 * existing parameters of the association (e.g. number of 1408 * outbound streams) into the INIT ACK and cookie. 1409 */ 1410 new_asoc->rwnd = asoc->rwnd; 1411 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1412 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1413 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1414} 1415 1416/* 1417 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1418 * handling action. 1419 * 1420 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1421 * 1422 * Returns value representing action to be taken. These action values 1423 * correspond to Action/Description values in RFC 2960, Table 2. 1424 */ 1425static char sctp_tietags_compare(struct sctp_association *new_asoc, 1426 const struct sctp_association *asoc) 1427{ 1428 /* In this case, the peer may have restarted. */ 1429 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1430 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1431 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1432 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1433 return 'A'; 1434 1435 /* Collision case B. */ 1436 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1437 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1438 (0 == asoc->c.peer_vtag))) { 1439 return 'B'; 1440 } 1441 1442 /* Collision case D. */ 1443 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1444 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1445 return 'D'; 1446 1447 /* Collision case C. */ 1448 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1449 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1450 (0 == new_asoc->c.my_ttag) && 1451 (0 == new_asoc->c.peer_ttag)) 1452 return 'C'; 1453 1454 /* No match to any of the special cases; discard this packet. */ 1455 return 'E'; 1456} 1457 1458/* Common helper routine for both duplicate and simulataneous INIT 1459 * chunk handling. 1460 */ 1461static enum sctp_disposition sctp_sf_do_unexpected_init( 1462 struct net *net, 1463 const struct sctp_endpoint *ep, 1464 const struct sctp_association *asoc, 1465 const union sctp_subtype type, 1466 void *arg, 1467 struct sctp_cmd_seq *commands) 1468{ 1469 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 1470 struct sctp_unrecognized_param *unk_param; 1471 struct sctp_association *new_asoc; 1472 enum sctp_disposition retval; 1473 struct sctp_packet *packet; 1474 int len; 1475 1476 /* Update socket peer label if first association. */ 1477 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 1478 chunk->skb)) 1479 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1480 1481 /* 6.10 Bundling 1482 * An endpoint MUST NOT bundle INIT, INIT ACK or 1483 * SHUTDOWN COMPLETE with any other chunks. 1484 * 1485 * IG Section 2.11.2 1486 * Furthermore, we require that the receiver of an INIT chunk MUST 1487 * enforce these rules by silently discarding an arriving packet 1488 * with an INIT chunk that is bundled with other chunks. 1489 */ 1490 if (!chunk->singleton) 1491 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1492 1493 /* Make sure that the INIT chunk has a valid length. */ 1494 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 1495 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1496 1497 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1498 * Tag. 1499 */ 1500 if (chunk->sctp_hdr->vtag != 0) 1501 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1502 1503 /* Grab the INIT header. */ 1504 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 1505 1506 /* Tag the variable length parameters. */ 1507 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 1508 1509 /* Verify the INIT chunk before processing it. */ 1510 err_chunk = NULL; 1511 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1512 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 1513 &err_chunk)) { 1514 /* This chunk contains fatal error. It is to be discarded. 1515 * Send an ABORT, with causes if there is any. 1516 */ 1517 if (err_chunk) { 1518 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1519 (__u8 *)(err_chunk->chunk_hdr) + 1520 sizeof(struct sctp_chunkhdr), 1521 ntohs(err_chunk->chunk_hdr->length) - 1522 sizeof(struct sctp_chunkhdr)); 1523 1524 if (packet) { 1525 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1526 SCTP_PACKET(packet)); 1527 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1528 retval = SCTP_DISPOSITION_CONSUME; 1529 } else { 1530 retval = SCTP_DISPOSITION_NOMEM; 1531 } 1532 goto cleanup; 1533 } else { 1534 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1535 commands); 1536 } 1537 } 1538 1539 /* 1540 * Other parameters for the endpoint SHOULD be copied from the 1541 * existing parameters of the association (e.g. number of 1542 * outbound streams) into the INIT ACK and cookie. 1543 * FIXME: We are copying parameters from the endpoint not the 1544 * association. 1545 */ 1546 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1547 if (!new_asoc) 1548 goto nomem; 1549 1550 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1551 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1552 goto nomem; 1553 1554 /* In the outbound INIT ACK the endpoint MUST copy its current 1555 * Verification Tag and Peers Verification tag into a reserved 1556 * place (local tie-tag and per tie-tag) within the state cookie. 1557 */ 1558 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1559 (struct sctp_init_chunk *)chunk->chunk_hdr, 1560 GFP_ATOMIC)) 1561 goto nomem; 1562 1563 /* Make sure no new addresses are being added during the 1564 * restart. Do not do this check for COOKIE-WAIT state, 1565 * since there are no peer addresses to check against. 1566 * Upon return an ABORT will have been sent if needed. 1567 */ 1568 if (!sctp_state(asoc, COOKIE_WAIT)) { 1569 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1570 commands)) { 1571 retval = SCTP_DISPOSITION_CONSUME; 1572 goto nomem_retval; 1573 } 1574 } 1575 1576 sctp_tietags_populate(new_asoc, asoc); 1577 1578 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1579 1580 /* If there are errors need to be reported for unknown parameters, 1581 * make sure to reserve enough room in the INIT ACK for them. 1582 */ 1583 len = 0; 1584 if (err_chunk) { 1585 len = ntohs(err_chunk->chunk_hdr->length) - 1586 sizeof(struct sctp_chunkhdr); 1587 } 1588 1589 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1590 if (!repl) 1591 goto nomem; 1592 1593 /* If there are errors need to be reported for unknown parameters, 1594 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1595 * parameter. 1596 */ 1597 if (err_chunk) { 1598 /* Get the "Unrecognized parameter" parameter(s) out of the 1599 * ERROR chunk generated by sctp_verify_init(). Since the 1600 * error cause code for "unknown parameter" and the 1601 * "Unrecognized parameter" type is the same, we can 1602 * construct the parameters in INIT ACK by copying the 1603 * ERROR causes over. 1604 */ 1605 unk_param = (struct sctp_unrecognized_param *) 1606 ((__u8 *)(err_chunk->chunk_hdr) + 1607 sizeof(struct sctp_chunkhdr)); 1608 /* Replace the cause code with the "Unrecognized parameter" 1609 * parameter type. 1610 */ 1611 sctp_addto_chunk(repl, len, unk_param); 1612 } 1613 1614 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1615 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1616 1617 /* 1618 * Note: After sending out INIT ACK with the State Cookie parameter, 1619 * "Z" MUST NOT allocate any resources for this new association. 1620 * Otherwise, "Z" will be vulnerable to resource attacks. 1621 */ 1622 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1623 retval = SCTP_DISPOSITION_CONSUME; 1624 1625 return retval; 1626 1627nomem: 1628 retval = SCTP_DISPOSITION_NOMEM; 1629nomem_retval: 1630 if (new_asoc) 1631 sctp_association_free(new_asoc); 1632cleanup: 1633 if (err_chunk) 1634 sctp_chunk_free(err_chunk); 1635 return retval; 1636} 1637 1638/* 1639 * Handle simultaneous INIT. 1640 * This means we started an INIT and then we got an INIT request from 1641 * our peer. 1642 * 1643 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1644 * This usually indicates an initialization collision, i.e., each 1645 * endpoint is attempting, at about the same time, to establish an 1646 * association with the other endpoint. 1647 * 1648 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1649 * endpoint MUST respond with an INIT ACK using the same parameters it 1650 * sent in its original INIT chunk (including its Verification Tag, 1651 * unchanged). These original parameters are combined with those from the 1652 * newly received INIT chunk. The endpoint shall also generate a State 1653 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1654 * INIT to calculate the State Cookie. 1655 * 1656 * After that, the endpoint MUST NOT change its state, the T1-init 1657 * timer shall be left running and the corresponding TCB MUST NOT be 1658 * destroyed. The normal procedures for handling State Cookies when 1659 * a TCB exists will resolve the duplicate INITs to a single association. 1660 * 1661 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1662 * its Tie-Tags with the Tag information of itself and its peer (see 1663 * section 5.2.2 for a description of the Tie-Tags). 1664 * 1665 * Verification Tag: Not explicit, but an INIT can not have a valid 1666 * verification tag, so we skip the check. 1667 * 1668 * Inputs 1669 * (endpoint, asoc, chunk) 1670 * 1671 * Outputs 1672 * (asoc, reply_msg, msg_up, timers, counters) 1673 * 1674 * The return value is the disposition of the chunk. 1675 */ 1676enum sctp_disposition sctp_sf_do_5_2_1_siminit( 1677 struct net *net, 1678 const struct sctp_endpoint *ep, 1679 const struct sctp_association *asoc, 1680 const union sctp_subtype type, 1681 void *arg, 1682 struct sctp_cmd_seq *commands) 1683{ 1684 /* Call helper to do the real work for both simulataneous and 1685 * duplicate INIT chunk handling. 1686 */ 1687 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1688} 1689 1690/* 1691 * Handle duplicated INIT messages. These are usually delayed 1692 * restransmissions. 1693 * 1694 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1695 * COOKIE-ECHOED and COOKIE-WAIT 1696 * 1697 * Unless otherwise stated, upon reception of an unexpected INIT for 1698 * this association, the endpoint shall generate an INIT ACK with a 1699 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1700 * current Verification Tag and peer's Verification Tag into a reserved 1701 * place within the state cookie. We shall refer to these locations as 1702 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1703 * containing this INIT ACK MUST carry a Verification Tag value equal to 1704 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1705 * MUST contain a new Initiation Tag (randomly generated see Section 1706 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1707 * existing parameters of the association (e.g. number of outbound 1708 * streams) into the INIT ACK and cookie. 1709 * 1710 * After sending out the INIT ACK, the endpoint shall take no further 1711 * actions, i.e., the existing association, including its current state, 1712 * and the corresponding TCB MUST NOT be changed. 1713 * 1714 * Note: Only when a TCB exists and the association is not in a COOKIE- 1715 * WAIT state are the Tie-Tags populated. For a normal association INIT 1716 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1717 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1718 * State Cookie are populated as specified in section 5.2.1. 1719 * 1720 * Verification Tag: Not specified, but an INIT has no way of knowing 1721 * what the verification tag could be, so we ignore it. 1722 * 1723 * Inputs 1724 * (endpoint, asoc, chunk) 1725 * 1726 * Outputs 1727 * (asoc, reply_msg, msg_up, timers, counters) 1728 * 1729 * The return value is the disposition of the chunk. 1730 */ 1731enum sctp_disposition sctp_sf_do_5_2_2_dupinit( 1732 struct net *net, 1733 const struct sctp_endpoint *ep, 1734 const struct sctp_association *asoc, 1735 const union sctp_subtype type, 1736 void *arg, 1737 struct sctp_cmd_seq *commands) 1738{ 1739 /* Call helper to do the real work for both simulataneous and 1740 * duplicate INIT chunk handling. 1741 */ 1742 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1743} 1744 1745 1746/* 1747 * Unexpected INIT-ACK handler. 1748 * 1749 * Section 5.2.3 1750 * If an INIT ACK received by an endpoint in any state other than the 1751 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1752 * An unexpected INIT ACK usually indicates the processing of an old or 1753 * duplicated INIT chunk. 1754*/ 1755enum sctp_disposition sctp_sf_do_5_2_3_initack( 1756 struct net *net, 1757 const struct sctp_endpoint *ep, 1758 const struct sctp_association *asoc, 1759 const union sctp_subtype type, 1760 void *arg, 1761 struct sctp_cmd_seq *commands) 1762{ 1763 /* Per the above section, we'll discard the chunk if we have an 1764 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1765 */ 1766 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1767 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1768 else 1769 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1770} 1771 1772/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1773 * 1774 * Section 5.2.4 1775 * A) In this case, the peer may have restarted. 1776 */ 1777static enum sctp_disposition sctp_sf_do_dupcook_a( 1778 struct net *net, 1779 const struct sctp_endpoint *ep, 1780 const struct sctp_association *asoc, 1781 struct sctp_chunk *chunk, 1782 struct sctp_cmd_seq *commands, 1783 struct sctp_association *new_asoc) 1784{ 1785 struct sctp_init_chunk *peer_init; 1786 enum sctp_disposition disposition; 1787 struct sctp_ulpevent *ev; 1788 struct sctp_chunk *repl; 1789 struct sctp_chunk *err; 1790 1791 /* new_asoc is a brand-new association, so these are not yet 1792 * side effects--it is safe to run them here. 1793 */ 1794 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1795 1796 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1797 GFP_ATOMIC)) 1798 goto nomem; 1799 1800 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1801 goto nomem; 1802 1803 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 1804 return SCTP_DISPOSITION_DISCARD; 1805 1806 /* Make sure no new addresses are being added during the 1807 * restart. Though this is a pretty complicated attack 1808 * since you'd have to get inside the cookie. 1809 */ 1810 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) 1811 return SCTP_DISPOSITION_CONSUME; 1812 1813 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1814 * the peer has restarted (Action A), it MUST NOT setup a new 1815 * association but instead resend the SHUTDOWN ACK and send an ERROR 1816 * chunk with a "Cookie Received while Shutting Down" error cause to 1817 * its peer. 1818 */ 1819 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1820 disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, 1821 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1822 chunk, commands); 1823 if (SCTP_DISPOSITION_NOMEM == disposition) 1824 goto nomem; 1825 1826 err = sctp_make_op_error(asoc, chunk, 1827 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1828 NULL, 0, 0); 1829 if (err) 1830 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1831 SCTP_CHUNK(err)); 1832 1833 return SCTP_DISPOSITION_CONSUME; 1834 } 1835 1836 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1837 * data. Consider the optional choice of resending of this data. 1838 */ 1839 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1840 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1841 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1842 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1843 1844 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1845 * and ASCONF-ACK cache. 1846 */ 1847 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1848 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1849 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1850 1851 /* Update the content of current association. */ 1852 if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) { 1853 struct sctp_chunk *abort; 1854 1855 abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); 1856 if (abort) { 1857 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 1858 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 1859 } 1860 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); 1861 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1862 SCTP_PERR(SCTP_ERROR_RSRC_LOW)); 1863 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1864 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1865 goto nomem; 1866 } 1867 1868 repl = sctp_make_cookie_ack(asoc, chunk); 1869 if (!repl) 1870 goto nomem; 1871 1872 /* Report association restart to upper layer. */ 1873 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1874 asoc->c.sinit_num_ostreams, 1875 asoc->c.sinit_max_instreams, 1876 NULL, GFP_ATOMIC); 1877 if (!ev) 1878 goto nomem_ev; 1879 1880 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1881 if ((sctp_state(asoc, SHUTDOWN_PENDING) || 1882 sctp_state(asoc, SHUTDOWN_SENT)) && 1883 (sctp_sstate(asoc->base.sk, CLOSING) || 1884 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1885 /* If the socket has been closed by user, don't 1886 * transition to ESTABLISHED. Instead trigger SHUTDOWN 1887 * bundled with COOKIE_ACK. 1888 */ 1889 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1890 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1891 SCTP_ST_CHUNK(0), repl, 1892 commands); 1893 } else { 1894 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1895 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1896 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1897 } 1898 return SCTP_DISPOSITION_CONSUME; 1899 1900nomem_ev: 1901 sctp_chunk_free(repl); 1902nomem: 1903 return SCTP_DISPOSITION_NOMEM; 1904} 1905 1906/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1907 * 1908 * Section 5.2.4 1909 * B) In this case, both sides may be attempting to start an association 1910 * at about the same time but the peer endpoint started its INIT 1911 * after responding to the local endpoint's INIT 1912 */ 1913/* This case represents an initialization collision. */ 1914static enum sctp_disposition sctp_sf_do_dupcook_b( 1915 struct net *net, 1916 const struct sctp_endpoint *ep, 1917 const struct sctp_association *asoc, 1918 struct sctp_chunk *chunk, 1919 struct sctp_cmd_seq *commands, 1920 struct sctp_association *new_asoc) 1921{ 1922 struct sctp_init_chunk *peer_init; 1923 struct sctp_chunk *repl; 1924 1925 /* new_asoc is a brand-new association, so these are not yet 1926 * side effects--it is safe to run them here. 1927 */ 1928 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1929 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1930 GFP_ATOMIC)) 1931 goto nomem; 1932 1933 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1934 goto nomem; 1935 1936 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 1937 return SCTP_DISPOSITION_DISCARD; 1938 1939 /* Update the content of current association. */ 1940 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1941 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1942 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1943 if (asoc->state < SCTP_STATE_ESTABLISHED) 1944 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 1945 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1946 1947 repl = sctp_make_cookie_ack(new_asoc, chunk); 1948 if (!repl) 1949 goto nomem; 1950 1951 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1952 1953 /* RFC 2960 5.1 Normal Establishment of an Association 1954 * 1955 * D) IMPLEMENTATION NOTE: An implementation may choose to 1956 * send the Communication Up notification to the SCTP user 1957 * upon reception of a valid COOKIE ECHO chunk. 1958 * 1959 * Sadly, this needs to be implemented as a side-effect, because 1960 * we are not guaranteed to have set the association id of the real 1961 * association and so these notifications need to be delayed until 1962 * the association id is allocated. 1963 */ 1964 1965 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1966 1967 /* Sockets API Draft Section 5.3.1.6 1968 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1969 * delivers this notification to inform the application that of the 1970 * peers requested adaptation layer. 1971 * 1972 * This also needs to be done as a side effect for the same reason as 1973 * above. 1974 */ 1975 if (asoc->peer.adaptation_ind) 1976 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1977 1978 if (!asoc->peer.auth_capable) 1979 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); 1980 1981 return SCTP_DISPOSITION_CONSUME; 1982 1983nomem: 1984 return SCTP_DISPOSITION_NOMEM; 1985} 1986 1987/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1988 * 1989 * Section 5.2.4 1990 * C) In this case, the local endpoint's cookie has arrived late. 1991 * Before it arrived, the local endpoint sent an INIT and received an 1992 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1993 * but a new tag of its own. 1994 */ 1995/* This case represents an initialization collision. */ 1996static enum sctp_disposition sctp_sf_do_dupcook_c( 1997 struct net *net, 1998 const struct sctp_endpoint *ep, 1999 const struct sctp_association *asoc, 2000 struct sctp_chunk *chunk, 2001 struct sctp_cmd_seq *commands, 2002 struct sctp_association *new_asoc) 2003{ 2004 /* The cookie should be silently discarded. 2005 * The endpoint SHOULD NOT change states and should leave 2006 * any timers running. 2007 */ 2008 return SCTP_DISPOSITION_DISCARD; 2009} 2010 2011/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 2012 * 2013 * Section 5.2.4 2014 * 2015 * D) When both local and remote tags match the endpoint should always 2016 * enter the ESTABLISHED state, if it has not already done so. 2017 */ 2018/* This case represents an initialization collision. */ 2019static enum sctp_disposition sctp_sf_do_dupcook_d( 2020 struct net *net, 2021 const struct sctp_endpoint *ep, 2022 const struct sctp_association *asoc, 2023 struct sctp_chunk *chunk, 2024 struct sctp_cmd_seq *commands, 2025 struct sctp_association *new_asoc) 2026{ 2027 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; 2028 struct sctp_chunk *repl; 2029 2030 /* Clarification from Implementor's Guide: 2031 * D) When both local and remote tags match the endpoint should 2032 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 2033 * It should stop any cookie timer that may be running and send 2034 * a COOKIE ACK. 2035 */ 2036 2037 if (!sctp_auth_chunk_verify(net, chunk, asoc)) 2038 return SCTP_DISPOSITION_DISCARD; 2039 2040 /* Don't accidentally move back into established state. */ 2041 if (asoc->state < SCTP_STATE_ESTABLISHED) { 2042 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2043 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2044 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2045 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2046 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2047 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 2048 SCTP_NULL()); 2049 2050 /* RFC 2960 5.1 Normal Establishment of an Association 2051 * 2052 * D) IMPLEMENTATION NOTE: An implementation may choose 2053 * to send the Communication Up notification to the 2054 * SCTP user upon reception of a valid COOKIE 2055 * ECHO chunk. 2056 */ 2057 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 2058 SCTP_COMM_UP, 0, 2059 asoc->c.sinit_num_ostreams, 2060 asoc->c.sinit_max_instreams, 2061 NULL, GFP_ATOMIC); 2062 if (!ev) 2063 goto nomem; 2064 2065 /* Sockets API Draft Section 5.3.1.6 2066 * When a peer sends a Adaptation Layer Indication parameter, 2067 * SCTP delivers this notification to inform the application 2068 * that of the peers requested adaptation layer. 2069 */ 2070 if (asoc->peer.adaptation_ind) { 2071 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 2072 GFP_ATOMIC); 2073 if (!ai_ev) 2074 goto nomem; 2075 2076 } 2077 2078 if (!asoc->peer.auth_capable) { 2079 auth_ev = sctp_ulpevent_make_authkey(asoc, 0, 2080 SCTP_AUTH_NO_AUTH, 2081 GFP_ATOMIC); 2082 if (!auth_ev) 2083 goto nomem; 2084 } 2085 } 2086 2087 repl = sctp_make_cookie_ack(asoc, chunk); 2088 if (!repl) 2089 goto nomem; 2090 2091 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2092 2093 if (ev) 2094 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2095 SCTP_ULPEVENT(ev)); 2096 if (ai_ev) 2097 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2098 SCTP_ULPEVENT(ai_ev)); 2099 if (auth_ev) 2100 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2101 SCTP_ULPEVENT(auth_ev)); 2102 2103 return SCTP_DISPOSITION_CONSUME; 2104 2105nomem: 2106 if (auth_ev) 2107 sctp_ulpevent_free(auth_ev); 2108 if (ai_ev) 2109 sctp_ulpevent_free(ai_ev); 2110 if (ev) 2111 sctp_ulpevent_free(ev); 2112 return SCTP_DISPOSITION_NOMEM; 2113} 2114 2115/* 2116 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 2117 * chunk was retransmitted and then delayed in the network. 2118 * 2119 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 2120 * 2121 * Verification Tag: None. Do cookie validation. 2122 * 2123 * Inputs 2124 * (endpoint, asoc, chunk) 2125 * 2126 * Outputs 2127 * (asoc, reply_msg, msg_up, timers, counters) 2128 * 2129 * The return value is the disposition of the chunk. 2130 */ 2131enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 2132 struct net *net, 2133 const struct sctp_endpoint *ep, 2134 const struct sctp_association *asoc, 2135 const union sctp_subtype type, 2136 void *arg, 2137 struct sctp_cmd_seq *commands) 2138{ 2139 struct sctp_association *new_asoc; 2140 struct sctp_chunk *chunk = arg; 2141 enum sctp_disposition retval; 2142 struct sctp_chunk *err_chk_p; 2143 int error = 0; 2144 char action; 2145 2146 /* Make sure that the chunk has a valid length from the protocol 2147 * perspective. In this case check to make sure we have at least 2148 * enough for the chunk header. Cookie length verification is 2149 * done later. 2150 */ 2151 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { 2152 if (!sctp_vtag_verify(chunk, asoc)) 2153 asoc = NULL; 2154 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); 2155 } 2156 2157 /* "Decode" the chunk. We have no optional parameters so we 2158 * are in good shape. 2159 */ 2160 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2161 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2162 sizeof(struct sctp_chunkhdr))) 2163 goto nomem; 2164 2165 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2166 * of a duplicate COOKIE ECHO match the Verification Tags of the 2167 * current association, consider the State Cookie valid even if 2168 * the lifespan is exceeded. 2169 */ 2170 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2171 &err_chk_p); 2172 2173 /* FIXME: 2174 * If the re-build failed, what is the proper error path 2175 * from here? 2176 * 2177 * [We should abort the association. --piggy] 2178 */ 2179 if (!new_asoc) { 2180 /* FIXME: Several errors are possible. A bad cookie should 2181 * be silently discarded, but think about logging it too. 2182 */ 2183 switch (error) { 2184 case -SCTP_IERROR_NOMEM: 2185 goto nomem; 2186 2187 case -SCTP_IERROR_STALE_COOKIE: 2188 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2189 err_chk_p); 2190 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2191 case -SCTP_IERROR_BAD_SIG: 2192 default: 2193 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2194 } 2195 } 2196 2197 /* Update socket peer label if first association. */ 2198 if (security_sctp_assoc_request((struct sctp_endpoint *)ep, 2199 chunk->skb)) { 2200 sctp_association_free(new_asoc); 2201 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2202 } 2203 2204 /* Set temp so that it won't be added into hashtable */ 2205 new_asoc->temp = 1; 2206 2207 /* Compare the tie_tag in cookie with the verification tag of 2208 * current association. 2209 */ 2210 action = sctp_tietags_compare(new_asoc, asoc); 2211 2212 switch (action) { 2213 case 'A': /* Association restart. */ 2214 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2215 new_asoc); 2216 break; 2217 2218 case 'B': /* Collision case B. */ 2219 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2220 new_asoc); 2221 break; 2222 2223 case 'C': /* Collision case C. */ 2224 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2225 new_asoc); 2226 break; 2227 2228 case 'D': /* Collision case D. */ 2229 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2230 new_asoc); 2231 break; 2232 2233 default: /* Discard packet for all others. */ 2234 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2235 break; 2236 } 2237 2238 /* Delete the tempory new association. */ 2239 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2240 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2241 2242 /* Restore association pointer to provide SCTP command interpeter 2243 * with a valid context in case it needs to manipulate 2244 * the queues */ 2245 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2246 SCTP_ASOC((struct sctp_association *)asoc)); 2247 2248 return retval; 2249 2250nomem: 2251 return SCTP_DISPOSITION_NOMEM; 2252} 2253 2254/* 2255 * Process an ABORT. (SHUTDOWN-PENDING state) 2256 * 2257 * See sctp_sf_do_9_1_abort(). 2258 */ 2259enum sctp_disposition sctp_sf_shutdown_pending_abort( 2260 struct net *net, 2261 const struct sctp_endpoint *ep, 2262 const struct sctp_association *asoc, 2263 const union sctp_subtype type, 2264 void *arg, 2265 struct sctp_cmd_seq *commands) 2266{ 2267 struct sctp_chunk *chunk = arg; 2268 2269 if (!sctp_vtag_verify_either(chunk, asoc)) 2270 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2271 2272 /* Make sure that the ABORT chunk has a valid length. 2273 * Since this is an ABORT chunk, we have to discard it 2274 * because of the following text: 2275 * RFC 2960, Section 3.3.7 2276 * If an endpoint receives an ABORT with a format error or for an 2277 * association that doesn't exist, it MUST silently discard it. 2278 * Because the length is "invalid", we can't really discard just 2279 * as we do not know its true length. So, to be safe, discard the 2280 * packet. 2281 */ 2282 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2283 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2284 2285 /* ADD-IP: Special case for ABORT chunks 2286 * F4) One special consideration is that ABORT Chunks arriving 2287 * destined to the IP address being deleted MUST be 2288 * ignored (see Section 5.3.1 for further details). 2289 */ 2290 if (SCTP_ADDR_DEL == 2291 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2292 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2293 2294 if (!sctp_err_chunk_valid(chunk)) 2295 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2296 2297 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2298} 2299 2300/* 2301 * Process an ABORT. (SHUTDOWN-SENT state) 2302 * 2303 * See sctp_sf_do_9_1_abort(). 2304 */ 2305enum sctp_disposition sctp_sf_shutdown_sent_abort( 2306 struct net *net, 2307 const struct sctp_endpoint *ep, 2308 const struct sctp_association *asoc, 2309 const union sctp_subtype type, 2310 void *arg, 2311 struct sctp_cmd_seq *commands) 2312{ 2313 struct sctp_chunk *chunk = arg; 2314 2315 if (!sctp_vtag_verify_either(chunk, asoc)) 2316 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2317 2318 /* Make sure that the ABORT chunk has a valid length. 2319 * Since this is an ABORT chunk, we have to discard it 2320 * because of the following text: 2321 * RFC 2960, Section 3.3.7 2322 * If an endpoint receives an ABORT with a format error or for an 2323 * association that doesn't exist, it MUST silently discard it. 2324 * Because the length is "invalid", we can't really discard just 2325 * as we do not know its true length. So, to be safe, discard the 2326 * packet. 2327 */ 2328 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2329 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2330 2331 /* ADD-IP: Special case for ABORT chunks 2332 * F4) One special consideration is that ABORT Chunks arriving 2333 * destined to the IP address being deleted MUST be 2334 * ignored (see Section 5.3.1 for further details). 2335 */ 2336 if (SCTP_ADDR_DEL == 2337 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2338 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2339 2340 if (!sctp_err_chunk_valid(chunk)) 2341 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2342 2343 /* Stop the T2-shutdown timer. */ 2344 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2345 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2346 2347 /* Stop the T5-shutdown guard timer. */ 2348 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2349 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2350 2351 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2352} 2353 2354/* 2355 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2356 * 2357 * See sctp_sf_do_9_1_abort(). 2358 */ 2359enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( 2360 struct net *net, 2361 const struct sctp_endpoint *ep, 2362 const struct sctp_association *asoc, 2363 const union sctp_subtype type, 2364 void *arg, 2365 struct sctp_cmd_seq *commands) 2366{ 2367 /* The same T2 timer, so we should be able to use 2368 * common function with the SHUTDOWN-SENT state. 2369 */ 2370 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2371} 2372 2373/* 2374 * Handle an Error received in COOKIE_ECHOED state. 2375 * 2376 * Only handle the error type of stale COOKIE Error, the other errors will 2377 * be ignored. 2378 * 2379 * Inputs 2380 * (endpoint, asoc, chunk) 2381 * 2382 * Outputs 2383 * (asoc, reply_msg, msg_up, timers, counters) 2384 * 2385 * The return value is the disposition of the chunk. 2386 */ 2387enum sctp_disposition sctp_sf_cookie_echoed_err( 2388 struct net *net, 2389 const struct sctp_endpoint *ep, 2390 const struct sctp_association *asoc, 2391 const union sctp_subtype type, 2392 void *arg, 2393 struct sctp_cmd_seq *commands) 2394{ 2395 struct sctp_chunk *chunk = arg; 2396 struct sctp_errhdr *err; 2397 2398 if (!sctp_vtag_verify(chunk, asoc)) 2399 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2400 2401 /* Make sure that the ERROR chunk has a valid length. 2402 * The parameter walking depends on this as well. 2403 */ 2404 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 2405 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2406 commands); 2407 2408 /* Process the error here */ 2409 /* FUTURE FIXME: When PR-SCTP related and other optional 2410 * parms are emitted, this will have to change to handle multiple 2411 * errors. 2412 */ 2413 sctp_walk_errors(err, chunk->chunk_hdr) { 2414 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2415 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2416 arg, commands); 2417 } 2418 2419 /* It is possible to have malformed error causes, and that 2420 * will cause us to end the walk early. However, since 2421 * we are discarding the packet, there should be no adverse 2422 * affects. 2423 */ 2424 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2425} 2426 2427/* 2428 * Handle a Stale COOKIE Error 2429 * 2430 * Section: 5.2.6 Handle Stale COOKIE Error 2431 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2432 * one of the following three alternatives. 2433 * ... 2434 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2435 * Preservative parameter requesting an extension to the lifetime of 2436 * the State Cookie. When calculating the time extension, an 2437 * implementation SHOULD use the RTT information measured based on the 2438 * previous COOKIE ECHO / ERROR exchange, and should add no more 2439 * than 1 second beyond the measured RTT, due to long State Cookie 2440 * lifetimes making the endpoint more subject to a replay attack. 2441 * 2442 * Verification Tag: Not explicit, but safe to ignore. 2443 * 2444 * Inputs 2445 * (endpoint, asoc, chunk) 2446 * 2447 * Outputs 2448 * (asoc, reply_msg, msg_up, timers, counters) 2449 * 2450 * The return value is the disposition of the chunk. 2451 */ 2452static enum sctp_disposition sctp_sf_do_5_2_6_stale( 2453 struct net *net, 2454 const struct sctp_endpoint *ep, 2455 const struct sctp_association *asoc, 2456 const union sctp_subtype type, 2457 void *arg, 2458 struct sctp_cmd_seq *commands) 2459{ 2460 int attempts = asoc->init_err_counter + 1; 2461 struct sctp_chunk *chunk = arg, *reply; 2462 struct sctp_cookie_preserve_param bht; 2463 struct sctp_bind_addr *bp; 2464 struct sctp_errhdr *err; 2465 u32 stale; 2466 2467 if (attempts > asoc->max_init_attempts) { 2468 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2469 SCTP_ERROR(ETIMEDOUT)); 2470 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2471 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2472 return SCTP_DISPOSITION_DELETE_TCB; 2473 } 2474 2475 err = (struct sctp_errhdr *)(chunk->skb->data); 2476 2477 /* When calculating the time extension, an implementation 2478 * SHOULD use the RTT information measured based on the 2479 * previous COOKIE ECHO / ERROR exchange, and should add no 2480 * more than 1 second beyond the measured RTT, due to long 2481 * State Cookie lifetimes making the endpoint more subject to 2482 * a replay attack. 2483 * Measure of Staleness's unit is usec. (1/1000000 sec) 2484 * Suggested Cookie Life-span Increment's unit is msec. 2485 * (1/1000 sec) 2486 * In general, if you use the suggested cookie life, the value 2487 * found in the field of measure of staleness should be doubled 2488 * to give ample time to retransmit the new cookie and thus 2489 * yield a higher probability of success on the reattempt. 2490 */ 2491 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); 2492 stale = (stale * 2) / 1000; 2493 2494 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2495 bht.param_hdr.length = htons(sizeof(bht)); 2496 bht.lifespan_increment = htonl(stale); 2497 2498 /* Build that new INIT chunk. */ 2499 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2500 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2501 if (!reply) 2502 goto nomem; 2503 2504 sctp_addto_chunk(reply, sizeof(bht), &bht); 2505 2506 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2507 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2508 2509 /* Stop pending T3-rtx and heartbeat timers */ 2510 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2511 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2512 2513 /* Delete non-primary peer ip addresses since we are transitioning 2514 * back to the COOKIE-WAIT state 2515 */ 2516 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2517 2518 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2519 * resend 2520 */ 2521 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2522 SCTP_TRANSPORT(asoc->peer.primary_path)); 2523 2524 /* Cast away the const modifier, as we want to just 2525 * rerun it through as a sideffect. 2526 */ 2527 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2528 2529 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2530 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2531 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2532 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2533 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2534 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2535 2536 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2537 2538 return SCTP_DISPOSITION_CONSUME; 2539 2540nomem: 2541 return SCTP_DISPOSITION_NOMEM; 2542} 2543 2544/* 2545 * Process an ABORT. 2546 * 2547 * Section: 9.1 2548 * After checking the Verification Tag, the receiving endpoint shall 2549 * remove the association from its record, and shall report the 2550 * termination to its upper layer. 2551 * 2552 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2553 * B) Rules for packet carrying ABORT: 2554 * 2555 * - The endpoint shall always fill in the Verification Tag field of the 2556 * outbound packet with the destination endpoint's tag value if it 2557 * is known. 2558 * 2559 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2560 * MUST follow the procedure described in Section 8.4. 2561 * 2562 * - The receiver MUST accept the packet if the Verification Tag 2563 * matches either its own tag, OR the tag of its peer. Otherwise, the 2564 * receiver MUST silently discard the packet and take no further 2565 * action. 2566 * 2567 * Inputs 2568 * (endpoint, asoc, chunk) 2569 * 2570 * Outputs 2571 * (asoc, reply_msg, msg_up, timers, counters) 2572 * 2573 * The return value is the disposition of the chunk. 2574 */ 2575enum sctp_disposition sctp_sf_do_9_1_abort( 2576 struct net *net, 2577 const struct sctp_endpoint *ep, 2578 const struct sctp_association *asoc, 2579 const union sctp_subtype type, 2580 void *arg, 2581 struct sctp_cmd_seq *commands) 2582{ 2583 struct sctp_chunk *chunk = arg; 2584 2585 if (!sctp_vtag_verify_either(chunk, asoc)) 2586 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2587 2588 /* Make sure that the ABORT chunk has a valid length. 2589 * Since this is an ABORT chunk, we have to discard it 2590 * because of the following text: 2591 * RFC 2960, Section 3.3.7 2592 * If an endpoint receives an ABORT with a format error or for an 2593 * association that doesn't exist, it MUST silently discard it. 2594 * Because the length is "invalid", we can't really discard just 2595 * as we do not know its true length. So, to be safe, discard the 2596 * packet. 2597 */ 2598 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2599 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2600 2601 /* ADD-IP: Special case for ABORT chunks 2602 * F4) One special consideration is that ABORT Chunks arriving 2603 * destined to the IP address being deleted MUST be 2604 * ignored (see Section 5.3.1 for further details). 2605 */ 2606 if (SCTP_ADDR_DEL == 2607 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2608 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2609 2610 if (!sctp_err_chunk_valid(chunk)) 2611 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2612 2613 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2614} 2615 2616static enum sctp_disposition __sctp_sf_do_9_1_abort( 2617 struct net *net, 2618 const struct sctp_endpoint *ep, 2619 const struct sctp_association *asoc, 2620 const union sctp_subtype type, 2621 void *arg, 2622 struct sctp_cmd_seq *commands) 2623{ 2624 __be16 error = SCTP_ERROR_NO_ERROR; 2625 struct sctp_chunk *chunk = arg; 2626 unsigned int len; 2627 2628 /* See if we have an error cause code in the chunk. */ 2629 len = ntohs(chunk->chunk_hdr->length); 2630 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2631 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2632 2633 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2634 /* ASSOC_FAILED will DELETE_TCB. */ 2635 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2636 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2637 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2638 2639 return SCTP_DISPOSITION_ABORT; 2640} 2641 2642/* 2643 * Process an ABORT. (COOKIE-WAIT state) 2644 * 2645 * See sctp_sf_do_9_1_abort() above. 2646 */ 2647enum sctp_disposition sctp_sf_cookie_wait_abort( 2648 struct net *net, 2649 const struct sctp_endpoint *ep, 2650 const struct sctp_association *asoc, 2651 const union sctp_subtype type, 2652 void *arg, 2653 struct sctp_cmd_seq *commands) 2654{ 2655 __be16 error = SCTP_ERROR_NO_ERROR; 2656 struct sctp_chunk *chunk = arg; 2657 unsigned int len; 2658 2659 if (!sctp_vtag_verify_either(chunk, asoc)) 2660 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2661 2662 /* Make sure that the ABORT chunk has a valid length. 2663 * Since this is an ABORT chunk, we have to discard it 2664 * because of the following text: 2665 * RFC 2960, Section 3.3.7 2666 * If an endpoint receives an ABORT with a format error or for an 2667 * association that doesn't exist, it MUST silently discard it. 2668 * Because the length is "invalid", we can't really discard just 2669 * as we do not know its true length. So, to be safe, discard the 2670 * packet. 2671 */ 2672 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2673 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2674 2675 /* See if we have an error cause code in the chunk. */ 2676 len = ntohs(chunk->chunk_hdr->length); 2677 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2678 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2679 2680 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2681 chunk->transport); 2682} 2683 2684/* 2685 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2686 */ 2687enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( 2688 struct net *net, 2689 const struct sctp_endpoint *ep, 2690 const struct sctp_association *asoc, 2691 const union sctp_subtype type, 2692 void *arg, 2693 struct sctp_cmd_seq *commands) 2694{ 2695 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2696 ENOPROTOOPT, asoc, 2697 (struct sctp_transport *)arg); 2698} 2699 2700/* 2701 * Process an ABORT. (COOKIE-ECHOED state) 2702 */ 2703enum sctp_disposition sctp_sf_cookie_echoed_abort( 2704 struct net *net, 2705 const struct sctp_endpoint *ep, 2706 const struct sctp_association *asoc, 2707 const union sctp_subtype type, 2708 void *arg, 2709 struct sctp_cmd_seq *commands) 2710{ 2711 /* There is a single T1 timer, so we should be able to use 2712 * common function with the COOKIE-WAIT state. 2713 */ 2714 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2715} 2716 2717/* 2718 * Stop T1 timer and abort association with "INIT failed". 2719 * 2720 * This is common code called by several sctp_sf_*_abort() functions above. 2721 */ 2722static enum sctp_disposition sctp_stop_t1_and_abort( 2723 struct net *net, 2724 struct sctp_cmd_seq *commands, 2725 __be16 error, int sk_err, 2726 const struct sctp_association *asoc, 2727 struct sctp_transport *transport) 2728{ 2729 pr_debug("%s: ABORT received (INIT)\n", __func__); 2730 2731 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2732 SCTP_STATE(SCTP_STATE_CLOSED)); 2733 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2734 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2735 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2736 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2737 /* CMD_INIT_FAILED will DELETE_TCB. */ 2738 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2739 SCTP_PERR(error)); 2740 2741 return SCTP_DISPOSITION_ABORT; 2742} 2743 2744/* 2745 * sctp_sf_do_9_2_shut 2746 * 2747 * Section: 9.2 2748 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2749 * - enter the SHUTDOWN-RECEIVED state, 2750 * 2751 * - stop accepting new data from its SCTP user 2752 * 2753 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2754 * that all its outstanding DATA chunks have been received by the 2755 * SHUTDOWN sender. 2756 * 2757 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2758 * send a SHUTDOWN in response to a ULP request. And should discard 2759 * subsequent SHUTDOWN chunks. 2760 * 2761 * If there are still outstanding DATA chunks left, the SHUTDOWN 2762 * receiver shall continue to follow normal data transmission 2763 * procedures defined in Section 6 until all outstanding DATA chunks 2764 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2765 * new data from its SCTP user. 2766 * 2767 * Verification Tag: 8.5 Verification Tag [Normal verification] 2768 * 2769 * Inputs 2770 * (endpoint, asoc, chunk) 2771 * 2772 * Outputs 2773 * (asoc, reply_msg, msg_up, timers, counters) 2774 * 2775 * The return value is the disposition of the chunk. 2776 */ 2777enum sctp_disposition sctp_sf_do_9_2_shutdown( 2778 struct net *net, 2779 const struct sctp_endpoint *ep, 2780 const struct sctp_association *asoc, 2781 const union sctp_subtype type, 2782 void *arg, 2783 struct sctp_cmd_seq *commands) 2784{ 2785 enum sctp_disposition disposition; 2786 struct sctp_chunk *chunk = arg; 2787 struct sctp_shutdownhdr *sdh; 2788 struct sctp_ulpevent *ev; 2789 __u32 ctsn; 2790 2791 if (!sctp_vtag_verify(chunk, asoc)) 2792 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2793 2794 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2795 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2796 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2797 commands); 2798 2799 /* Convert the elaborate header. */ 2800 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2801 skb_pull(chunk->skb, sizeof(*sdh)); 2802 chunk->subh.shutdown_hdr = sdh; 2803 ctsn = ntohl(sdh->cum_tsn_ack); 2804 2805 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2806 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2807 asoc->ctsn_ack_point); 2808 2809 return SCTP_DISPOSITION_DISCARD; 2810 } 2811 2812 /* If Cumulative TSN Ack beyond the max tsn currently 2813 * send, terminating the association and respond to the 2814 * sender with an ABORT. 2815 */ 2816 if (!TSN_lt(ctsn, asoc->next_tsn)) 2817 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2818 2819 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2820 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2821 * inform the application that it should cease sending data. 2822 */ 2823 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2824 if (!ev) { 2825 disposition = SCTP_DISPOSITION_NOMEM; 2826 goto out; 2827 } 2828 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2829 2830 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2831 * - enter the SHUTDOWN-RECEIVED state, 2832 * - stop accepting new data from its SCTP user 2833 * 2834 * [This is implicit in the new state.] 2835 */ 2836 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2837 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2838 disposition = SCTP_DISPOSITION_CONSUME; 2839 2840 if (sctp_outq_is_empty(&asoc->outqueue)) { 2841 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2842 arg, commands); 2843 } 2844 2845 if (SCTP_DISPOSITION_NOMEM == disposition) 2846 goto out; 2847 2848 /* - verify, by checking the Cumulative TSN Ack field of the 2849 * chunk, that all its outstanding DATA chunks have been 2850 * received by the SHUTDOWN sender. 2851 */ 2852 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2853 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2854 2855out: 2856 return disposition; 2857} 2858 2859/* 2860 * sctp_sf_do_9_2_shut_ctsn 2861 * 2862 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2863 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2864 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2865 * MUST be processed. 2866 */ 2867enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( 2868 struct net *net, 2869 const struct sctp_endpoint *ep, 2870 const struct sctp_association *asoc, 2871 const union sctp_subtype type, 2872 void *arg, 2873 struct sctp_cmd_seq *commands) 2874{ 2875 struct sctp_chunk *chunk = arg; 2876 struct sctp_shutdownhdr *sdh; 2877 __u32 ctsn; 2878 2879 if (!sctp_vtag_verify(chunk, asoc)) 2880 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2881 2882 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2883 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2884 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2885 commands); 2886 2887 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2888 ctsn = ntohl(sdh->cum_tsn_ack); 2889 2890 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2891 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2892 asoc->ctsn_ack_point); 2893 2894 return SCTP_DISPOSITION_DISCARD; 2895 } 2896 2897 /* If Cumulative TSN Ack beyond the max tsn currently 2898 * send, terminating the association and respond to the 2899 * sender with an ABORT. 2900 */ 2901 if (!TSN_lt(ctsn, asoc->next_tsn)) 2902 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2903 2904 /* verify, by checking the Cumulative TSN Ack field of the 2905 * chunk, that all its outstanding DATA chunks have been 2906 * received by the SHUTDOWN sender. 2907 */ 2908 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2909 SCTP_BE32(sdh->cum_tsn_ack)); 2910 2911 return SCTP_DISPOSITION_CONSUME; 2912} 2913 2914/* RFC 2960 9.2 2915 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2916 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2917 * transport addresses (either in the IP addresses or in the INIT chunk) 2918 * that belong to this association, it should discard the INIT chunk and 2919 * retransmit the SHUTDOWN ACK chunk. 2920 */ 2921static enum sctp_disposition 2922__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 2923 const struct sctp_association *asoc, 2924 const union sctp_subtype type, void *arg, 2925 struct sctp_cmd_seq *commands) 2926{ 2927 struct sctp_chunk *chunk = arg; 2928 struct sctp_chunk *reply; 2929 2930 /* Make sure that the chunk has a valid length */ 2931 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2932 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2933 commands); 2934 2935 /* Since we are not going to really process this INIT, there 2936 * is no point in verifying chunk boundries. Just generate 2937 * the SHUTDOWN ACK. 2938 */ 2939 reply = sctp_make_shutdown_ack(asoc, chunk); 2940 if (NULL == reply) 2941 goto nomem; 2942 2943 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2944 * the T2-SHUTDOWN timer. 2945 */ 2946 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2947 2948 /* and restart the T2-shutdown timer. */ 2949 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2950 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2951 2952 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2953 2954 return SCTP_DISPOSITION_CONSUME; 2955nomem: 2956 return SCTP_DISPOSITION_NOMEM; 2957} 2958 2959enum sctp_disposition 2960sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 2961 const struct sctp_association *asoc, 2962 const union sctp_subtype type, void *arg, 2963 struct sctp_cmd_seq *commands) 2964{ 2965 struct sctp_chunk *chunk = arg; 2966 2967 if (!chunk->singleton) 2968 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2969 2970 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 2971 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2972 2973 if (chunk->sctp_hdr->vtag != 0) 2974 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 2975 2976 return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); 2977} 2978 2979/* 2980 * sctp_sf_do_ecn_cwr 2981 * 2982 * Section: Appendix A: Explicit Congestion Notification 2983 * 2984 * CWR: 2985 * 2986 * RFC 2481 details a specific bit for a sender to send in the header of 2987 * its next outbound TCP segment to indicate to its peer that it has 2988 * reduced its congestion window. This is termed the CWR bit. For 2989 * SCTP the same indication is made by including the CWR chunk. 2990 * This chunk contains one data element, i.e. the TSN number that 2991 * was sent in the ECNE chunk. This element represents the lowest 2992 * TSN number in the datagram that was originally marked with the 2993 * CE bit. 2994 * 2995 * Verification Tag: 8.5 Verification Tag [Normal verification] 2996 * Inputs 2997 * (endpoint, asoc, chunk) 2998 * 2999 * Outputs 3000 * (asoc, reply_msg, msg_up, timers, counters) 3001 * 3002 * The return value is the disposition of the chunk. 3003 */ 3004enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, 3005 const struct sctp_endpoint *ep, 3006 const struct sctp_association *asoc, 3007 const union sctp_subtype type, 3008 void *arg, 3009 struct sctp_cmd_seq *commands) 3010{ 3011 struct sctp_chunk *chunk = arg; 3012 struct sctp_cwrhdr *cwr; 3013 u32 lowest_tsn; 3014 3015 if (!sctp_vtag_verify(chunk, asoc)) 3016 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3017 3018 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3019 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3020 commands); 3021 3022 cwr = (struct sctp_cwrhdr *)chunk->skb->data; 3023 skb_pull(chunk->skb, sizeof(*cwr)); 3024 3025 lowest_tsn = ntohl(cwr->lowest_tsn); 3026 3027 /* Does this CWR ack the last sent congestion notification? */ 3028 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 3029 /* Stop sending ECNE. */ 3030 sctp_add_cmd_sf(commands, 3031 SCTP_CMD_ECN_CWR, 3032 SCTP_U32(lowest_tsn)); 3033 } 3034 return SCTP_DISPOSITION_CONSUME; 3035} 3036 3037/* 3038 * sctp_sf_do_ecne 3039 * 3040 * Section: Appendix A: Explicit Congestion Notification 3041 * 3042 * ECN-Echo 3043 * 3044 * RFC 2481 details a specific bit for a receiver to send back in its 3045 * TCP acknowledgements to notify the sender of the Congestion 3046 * Experienced (CE) bit having arrived from the network. For SCTP this 3047 * same indication is made by including the ECNE chunk. This chunk 3048 * contains one data element, i.e. the lowest TSN associated with the IP 3049 * datagram marked with the CE bit..... 3050 * 3051 * Verification Tag: 8.5 Verification Tag [Normal verification] 3052 * Inputs 3053 * (endpoint, asoc, chunk) 3054 * 3055 * Outputs 3056 * (asoc, reply_msg, msg_up, timers, counters) 3057 * 3058 * The return value is the disposition of the chunk. 3059 */ 3060enum sctp_disposition sctp_sf_do_ecne(struct net *net, 3061 const struct sctp_endpoint *ep, 3062 const struct sctp_association *asoc, 3063 const union sctp_subtype type, 3064 void *arg, struct sctp_cmd_seq *commands) 3065{ 3066 struct sctp_chunk *chunk = arg; 3067 struct sctp_ecnehdr *ecne; 3068 3069 if (!sctp_vtag_verify(chunk, asoc)) 3070 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3071 3072 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3073 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3074 commands); 3075 3076 ecne = (struct sctp_ecnehdr *)chunk->skb->data; 3077 skb_pull(chunk->skb, sizeof(*ecne)); 3078 3079 /* If this is a newer ECNE than the last CWR packet we sent out */ 3080 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 3081 SCTP_U32(ntohl(ecne->lowest_tsn))); 3082 3083 return SCTP_DISPOSITION_CONSUME; 3084} 3085 3086/* 3087 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 3088 * 3089 * The SCTP endpoint MUST always acknowledge the reception of each valid 3090 * DATA chunk. 3091 * 3092 * The guidelines on delayed acknowledgement algorithm specified in 3093 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 3094 * acknowledgement SHOULD be generated for at least every second packet 3095 * (not every second DATA chunk) received, and SHOULD be generated within 3096 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 3097 * situations it may be beneficial for an SCTP transmitter to be more 3098 * conservative than the algorithms detailed in this document allow. 3099 * However, an SCTP transmitter MUST NOT be more aggressive than the 3100 * following algorithms allow. 3101 * 3102 * A SCTP receiver MUST NOT generate more than one SACK for every 3103 * incoming packet, other than to update the offered window as the 3104 * receiving application consumes new data. 3105 * 3106 * Verification Tag: 8.5 Verification Tag [Normal verification] 3107 * 3108 * Inputs 3109 * (endpoint, asoc, chunk) 3110 * 3111 * Outputs 3112 * (asoc, reply_msg, msg_up, timers, counters) 3113 * 3114 * The return value is the disposition of the chunk. 3115 */ 3116enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, 3117 const struct sctp_endpoint *ep, 3118 const struct sctp_association *asoc, 3119 const union sctp_subtype type, 3120 void *arg, 3121 struct sctp_cmd_seq *commands) 3122{ 3123 union sctp_arg force = SCTP_NOFORCE(); 3124 struct sctp_chunk *chunk = arg; 3125 int error; 3126 3127 if (!sctp_vtag_verify(chunk, asoc)) { 3128 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3129 SCTP_NULL()); 3130 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3131 } 3132 3133 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3134 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3135 commands); 3136 3137 error = sctp_eat_data(asoc, chunk, commands); 3138 switch (error) { 3139 case SCTP_IERROR_NO_ERROR: 3140 break; 3141 case SCTP_IERROR_HIGH_TSN: 3142 case SCTP_IERROR_BAD_STREAM: 3143 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3144 goto discard_noforce; 3145 case SCTP_IERROR_DUP_TSN: 3146 case SCTP_IERROR_IGNORE_TSN: 3147 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3148 goto discard_force; 3149 case SCTP_IERROR_NO_DATA: 3150 return SCTP_DISPOSITION_ABORT; 3151 case SCTP_IERROR_PROTO_VIOLATION: 3152 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3153 (u8 *)chunk->subh.data_hdr, 3154 sctp_datahdr_len(&asoc->stream)); 3155 default: 3156 BUG(); 3157 } 3158 3159 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 3160 force = SCTP_FORCE(); 3161 3162 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3163 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3164 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3165 } 3166 3167 /* If this is the last chunk in a packet, we need to count it 3168 * toward sack generation. Note that we need to SACK every 3169 * OTHER packet containing data chunks, EVEN IF WE DISCARD 3170 * THEM. We elect to NOT generate SACK's if the chunk fails 3171 * the verification tag test. 3172 * 3173 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3174 * 3175 * The SCTP endpoint MUST always acknowledge the reception of 3176 * each valid DATA chunk. 3177 * 3178 * The guidelines on delayed acknowledgement algorithm 3179 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3180 * Specifically, an acknowledgement SHOULD be generated for at 3181 * least every second packet (not every second DATA chunk) 3182 * received, and SHOULD be generated within 200 ms of the 3183 * arrival of any unacknowledged DATA chunk. In some 3184 * situations it may be beneficial for an SCTP transmitter to 3185 * be more conservative than the algorithms detailed in this 3186 * document allow. However, an SCTP transmitter MUST NOT be 3187 * more aggressive than the following algorithms allow. 3188 */ 3189 if (chunk->end_of_packet) 3190 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3191 3192 return SCTP_DISPOSITION_CONSUME; 3193 3194discard_force: 3195 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3196 * 3197 * When a packet arrives with duplicate DATA chunk(s) and with 3198 * no new DATA chunk(s), the endpoint MUST immediately send a 3199 * SACK with no delay. If a packet arrives with duplicate 3200 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3201 * MAY immediately send a SACK. Normally receipt of duplicate 3202 * DATA chunks will occur when the original SACK chunk was lost 3203 * and the peer's RTO has expired. The duplicate TSN number(s) 3204 * SHOULD be reported in the SACK as duplicate. 3205 */ 3206 /* In our case, we split the MAY SACK advice up whether or not 3207 * the last chunk is a duplicate.' 3208 */ 3209 if (chunk->end_of_packet) 3210 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3211 return SCTP_DISPOSITION_DISCARD; 3212 3213discard_noforce: 3214 if (chunk->end_of_packet) 3215 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3216 3217 return SCTP_DISPOSITION_DISCARD; 3218} 3219 3220/* 3221 * sctp_sf_eat_data_fast_4_4 3222 * 3223 * Section: 4 (4) 3224 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3225 * DATA chunks without delay. 3226 * 3227 * Verification Tag: 8.5 Verification Tag [Normal verification] 3228 * Inputs 3229 * (endpoint, asoc, chunk) 3230 * 3231 * Outputs 3232 * (asoc, reply_msg, msg_up, timers, counters) 3233 * 3234 * The return value is the disposition of the chunk. 3235 */ 3236enum sctp_disposition sctp_sf_eat_data_fast_4_4( 3237 struct net *net, 3238 const struct sctp_endpoint *ep, 3239 const struct sctp_association *asoc, 3240 const union sctp_subtype type, 3241 void *arg, 3242 struct sctp_cmd_seq *commands) 3243{ 3244 struct sctp_chunk *chunk = arg; 3245 int error; 3246 3247 if (!sctp_vtag_verify(chunk, asoc)) { 3248 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3249 SCTP_NULL()); 3250 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3251 } 3252 3253 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3254 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3255 commands); 3256 3257 error = sctp_eat_data(asoc, chunk, commands); 3258 switch (error) { 3259 case SCTP_IERROR_NO_ERROR: 3260 case SCTP_IERROR_HIGH_TSN: 3261 case SCTP_IERROR_DUP_TSN: 3262 case SCTP_IERROR_IGNORE_TSN: 3263 case SCTP_IERROR_BAD_STREAM: 3264 break; 3265 case SCTP_IERROR_NO_DATA: 3266 return SCTP_DISPOSITION_ABORT; 3267 case SCTP_IERROR_PROTO_VIOLATION: 3268 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3269 (u8 *)chunk->subh.data_hdr, 3270 sctp_datahdr_len(&asoc->stream)); 3271 default: 3272 BUG(); 3273 } 3274 3275 /* Go a head and force a SACK, since we are shutting down. */ 3276 3277 /* Implementor's Guide. 3278 * 3279 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3280 * respond to each received packet containing one or more DATA chunk(s) 3281 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3282 */ 3283 if (chunk->end_of_packet) { 3284 /* We must delay the chunk creation since the cumulative 3285 * TSN has not been updated yet. 3286 */ 3287 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3288 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3289 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3290 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3291 } 3292 3293 return SCTP_DISPOSITION_CONSUME; 3294} 3295 3296/* 3297 * Section: 6.2 Processing a Received SACK 3298 * D) Any time a SACK arrives, the endpoint performs the following: 3299 * 3300 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3301 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3302 * increasing, a SACK whose Cumulative TSN Ack is less than the 3303 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3304 * 3305 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3306 * of bytes still outstanding after processing the Cumulative TSN Ack 3307 * and the Gap Ack Blocks. 3308 * 3309 * iii) If the SACK is missing a TSN that was previously 3310 * acknowledged via a Gap Ack Block (e.g., the data receiver 3311 * reneged on the data), then mark the corresponding DATA chunk 3312 * as available for retransmit: Mark it as missing for fast 3313 * retransmit as described in Section 7.2.4 and if no retransmit 3314 * timer is running for the destination address to which the DATA 3315 * chunk was originally transmitted, then T3-rtx is started for 3316 * that destination address. 3317 * 3318 * Verification Tag: 8.5 Verification Tag [Normal verification] 3319 * 3320 * Inputs 3321 * (endpoint, asoc, chunk) 3322 * 3323 * Outputs 3324 * (asoc, reply_msg, msg_up, timers, counters) 3325 * 3326 * The return value is the disposition of the chunk. 3327 */ 3328enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net, 3329 const struct sctp_endpoint *ep, 3330 const struct sctp_association *asoc, 3331 const union sctp_subtype type, 3332 void *arg, 3333 struct sctp_cmd_seq *commands) 3334{ 3335 struct sctp_chunk *chunk = arg; 3336 struct sctp_sackhdr *sackh; 3337 __u32 ctsn; 3338 3339 if (!sctp_vtag_verify(chunk, asoc)) 3340 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3341 3342 /* Make sure that the SACK chunk has a valid length. */ 3343 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk))) 3344 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3345 commands); 3346 3347 /* Pull the SACK chunk from the data buffer */ 3348 sackh = sctp_sm_pull_sack(chunk); 3349 /* Was this a bogus SACK? */ 3350 if (!sackh) 3351 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3352 chunk->subh.sack_hdr = sackh; 3353 ctsn = ntohl(sackh->cum_tsn_ack); 3354 3355 /* If Cumulative TSN Ack beyond the max tsn currently 3356 * send, terminating the association and respond to the 3357 * sender with an ABORT. 3358 */ 3359 if (TSN_lte(asoc->next_tsn, ctsn)) 3360 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3361 3362 trace_sctp_probe(ep, asoc, chunk); 3363 3364 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3365 * Ack Point, then drop the SACK. Since Cumulative TSN 3366 * Ack is monotonically increasing, a SACK whose 3367 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3368 * Point indicates an out-of-order SACK. 3369 */ 3370 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3371 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3372 asoc->ctsn_ack_point); 3373 3374 return SCTP_DISPOSITION_DISCARD; 3375 } 3376 3377 /* Return this SACK for further processing. */ 3378 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3379 3380 /* Note: We do the rest of the work on the PROCESS_SACK 3381 * sideeffect. 3382 */ 3383 return SCTP_DISPOSITION_CONSUME; 3384} 3385 3386/* 3387 * Generate an ABORT in response to a packet. 3388 * 3389 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3390 * 3391 * 8) The receiver should respond to the sender of the OOTB packet with 3392 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3393 * MUST fill in the Verification Tag field of the outbound packet 3394 * with the value found in the Verification Tag field of the OOTB 3395 * packet and set the T-bit in the Chunk Flags to indicate that the 3396 * Verification Tag is reflected. After sending this ABORT, the 3397 * receiver of the OOTB packet shall discard the OOTB packet and take 3398 * no further action. 3399 * 3400 * Verification Tag: 3401 * 3402 * The return value is the disposition of the chunk. 3403*/ 3404static enum sctp_disposition sctp_sf_tabort_8_4_8( 3405 struct net *net, 3406 const struct sctp_endpoint *ep, 3407 const struct sctp_association *asoc, 3408 const union sctp_subtype type, 3409 void *arg, 3410 struct sctp_cmd_seq *commands) 3411{ 3412 struct sctp_packet *packet = NULL; 3413 struct sctp_chunk *chunk = arg; 3414 struct sctp_chunk *abort; 3415 3416 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3417 if (!packet) 3418 return SCTP_DISPOSITION_NOMEM; 3419 3420 /* Make an ABORT. The T bit will be set if the asoc 3421 * is NULL. 3422 */ 3423 abort = sctp_make_abort(asoc, chunk, 0); 3424 if (!abort) { 3425 sctp_ootb_pkt_free(packet); 3426 return SCTP_DISPOSITION_NOMEM; 3427 } 3428 3429 /* Reflect vtag if T-Bit is set */ 3430 if (sctp_test_T_bit(abort)) 3431 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3432 3433 /* Set the skb to the belonging sock for accounting. */ 3434 abort->skb->sk = ep->base.sk; 3435 3436 sctp_packet_append_chunk(packet, abort); 3437 3438 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3439 SCTP_PACKET(packet)); 3440 3441 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3442 3443 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3444 return SCTP_DISPOSITION_CONSUME; 3445} 3446 3447/* 3448 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3449 * event as ULP notification for each cause included in the chunk. 3450 * 3451 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3452 * 3453 * The return value is the disposition of the chunk. 3454*/ 3455enum sctp_disposition sctp_sf_operr_notify(struct net *net, 3456 const struct sctp_endpoint *ep, 3457 const struct sctp_association *asoc, 3458 const union sctp_subtype type, 3459 void *arg, 3460 struct sctp_cmd_seq *commands) 3461{ 3462 struct sctp_chunk *chunk = arg; 3463 struct sctp_errhdr *err; 3464 3465 if (!sctp_vtag_verify(chunk, asoc)) 3466 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3467 3468 /* Make sure that the ERROR chunk has a valid length. */ 3469 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 3470 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3471 commands); 3472 sctp_walk_errors(err, chunk->chunk_hdr); 3473 if ((void *)err != (void *)chunk->chunk_end) 3474 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3475 (void *)err, commands); 3476 3477 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3478 SCTP_CHUNK(chunk)); 3479 3480 return SCTP_DISPOSITION_CONSUME; 3481} 3482 3483/* 3484 * Process an inbound SHUTDOWN ACK. 3485 * 3486 * From Section 9.2: 3487 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3488 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3489 * peer, and remove all record of the association. 3490 * 3491 * The return value is the disposition. 3492 */ 3493enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, 3494 const struct sctp_endpoint *ep, 3495 const struct sctp_association *asoc, 3496 const union sctp_subtype type, 3497 void *arg, 3498 struct sctp_cmd_seq *commands) 3499{ 3500 struct sctp_chunk *chunk = arg; 3501 struct sctp_chunk *reply; 3502 struct sctp_ulpevent *ev; 3503 3504 if (!sctp_vtag_verify(chunk, asoc)) 3505 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3506 3507 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3508 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3509 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3510 commands); 3511 /* 10.2 H) SHUTDOWN COMPLETE notification 3512 * 3513 * When SCTP completes the shutdown procedures (section 9.2) this 3514 * notification is passed to the upper layer. 3515 */ 3516 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3517 0, 0, 0, NULL, GFP_ATOMIC); 3518 if (!ev) 3519 goto nomem; 3520 3521 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3522 reply = sctp_make_shutdown_complete(asoc, chunk); 3523 if (!reply) 3524 goto nomem_chunk; 3525 3526 /* Do all the commands now (after allocation), so that we 3527 * have consistent state if memory allocation failes 3528 */ 3529 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3530 3531 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3532 * stop the T2-shutdown timer, 3533 */ 3534 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3535 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3536 3537 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3538 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3539 3540 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3541 SCTP_STATE(SCTP_STATE_CLOSED)); 3542 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3543 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3544 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3545 3546 /* ...and remove all record of the association. */ 3547 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3548 return SCTP_DISPOSITION_DELETE_TCB; 3549 3550nomem_chunk: 3551 sctp_ulpevent_free(ev); 3552nomem: 3553 return SCTP_DISPOSITION_NOMEM; 3554} 3555 3556/* 3557 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3558 * 3559 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3560 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3561 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3562 * packet must fill in the Verification Tag field of the outbound 3563 * packet with the Verification Tag received in the SHUTDOWN ACK and 3564 * set the T-bit in the Chunk Flags to indicate that the Verification 3565 * Tag is reflected. 3566 * 3567 * 8) The receiver should respond to the sender of the OOTB packet with 3568 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3569 * MUST fill in the Verification Tag field of the outbound packet 3570 * with the value found in the Verification Tag field of the OOTB 3571 * packet and set the T-bit in the Chunk Flags to indicate that the 3572 * Verification Tag is reflected. After sending this ABORT, the 3573 * receiver of the OOTB packet shall discard the OOTB packet and take 3574 * no further action. 3575 */ 3576enum sctp_disposition sctp_sf_ootb(struct net *net, 3577 const struct sctp_endpoint *ep, 3578 const struct sctp_association *asoc, 3579 const union sctp_subtype type, 3580 void *arg, struct sctp_cmd_seq *commands) 3581{ 3582 struct sctp_chunk *chunk = arg; 3583 struct sk_buff *skb = chunk->skb; 3584 struct sctp_chunkhdr *ch; 3585 struct sctp_errhdr *err; 3586 int ootb_cookie_ack = 0; 3587 int ootb_shut_ack = 0; 3588 __u8 *ch_end; 3589 3590 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3591 3592 if (asoc && !sctp_vtag_verify(chunk, asoc)) 3593 asoc = NULL; 3594 3595 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; 3596 do { 3597 /* Report violation if the chunk is less then minimal */ 3598 if (ntohs(ch->length) < sizeof(*ch)) 3599 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3600 commands); 3601 3602 /* Report violation if chunk len overflows */ 3603 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); 3604 if (ch_end > skb_tail_pointer(skb)) 3605 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3606 commands); 3607 3608 /* Now that we know we at least have a chunk header, 3609 * do things that are type appropriate. 3610 */ 3611 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3612 ootb_shut_ack = 1; 3613 3614 /* RFC 2960, Section 3.3.7 3615 * Moreover, under any circumstances, an endpoint that 3616 * receives an ABORT MUST NOT respond to that ABORT by 3617 * sending an ABORT of its own. 3618 */ 3619 if (SCTP_CID_ABORT == ch->type) 3620 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3621 3622 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3623 * or a COOKIE ACK the SCTP Packet should be silently 3624 * discarded. 3625 */ 3626 3627 if (SCTP_CID_COOKIE_ACK == ch->type) 3628 ootb_cookie_ack = 1; 3629 3630 if (SCTP_CID_ERROR == ch->type) { 3631 sctp_walk_errors(err, ch) { 3632 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3633 ootb_cookie_ack = 1; 3634 break; 3635 } 3636 } 3637 } 3638 3639 ch = (struct sctp_chunkhdr *)ch_end; 3640 } while (ch_end < skb_tail_pointer(skb)); 3641 3642 if (ootb_shut_ack) 3643 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3644 else if (ootb_cookie_ack) 3645 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3646 else 3647 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3648} 3649 3650/* 3651 * Handle an "Out of the blue" SHUTDOWN ACK. 3652 * 3653 * Section: 8.4 5, sctpimpguide 2.41. 3654 * 3655 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3656 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3657 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3658 * packet must fill in the Verification Tag field of the outbound 3659 * packet with the Verification Tag received in the SHUTDOWN ACK and 3660 * set the T-bit in the Chunk Flags to indicate that the Verification 3661 * Tag is reflected. 3662 * 3663 * Inputs 3664 * (endpoint, asoc, type, arg, commands) 3665 * 3666 * Outputs 3667 * (enum sctp_disposition) 3668 * 3669 * The return value is the disposition of the chunk. 3670 */ 3671static enum sctp_disposition sctp_sf_shut_8_4_5( 3672 struct net *net, 3673 const struct sctp_endpoint *ep, 3674 const struct sctp_association *asoc, 3675 const union sctp_subtype type, 3676 void *arg, 3677 struct sctp_cmd_seq *commands) 3678{ 3679 struct sctp_packet *packet = NULL; 3680 struct sctp_chunk *chunk = arg; 3681 struct sctp_chunk *shut; 3682 3683 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3684 if (!packet) 3685 return SCTP_DISPOSITION_NOMEM; 3686 3687 /* Make an SHUTDOWN_COMPLETE. 3688 * The T bit will be set if the asoc is NULL. 3689 */ 3690 shut = sctp_make_shutdown_complete(asoc, chunk); 3691 if (!shut) { 3692 sctp_ootb_pkt_free(packet); 3693 return SCTP_DISPOSITION_NOMEM; 3694 } 3695 3696 /* Reflect vtag if T-Bit is set */ 3697 if (sctp_test_T_bit(shut)) 3698 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3699 3700 /* Set the skb to the belonging sock for accounting. */ 3701 shut->skb->sk = ep->base.sk; 3702 3703 sctp_packet_append_chunk(packet, shut); 3704 3705 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3706 SCTP_PACKET(packet)); 3707 3708 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3709 3710 /* We need to discard the rest of the packet to prevent 3711 * potential bomming attacks from additional bundled chunks. 3712 * This is documented in SCTP Threats ID. 3713 */ 3714 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3715} 3716 3717/* 3718 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3719 * 3720 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3721 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3722 * procedures in section 8.4 SHOULD be followed, in other words it 3723 * should be treated as an Out Of The Blue packet. 3724 * [This means that we do NOT check the Verification Tag on these 3725 * chunks. --piggy ] 3726 * 3727 */ 3728enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, 3729 const struct sctp_endpoint *ep, 3730 const struct sctp_association *asoc, 3731 const union sctp_subtype type, 3732 void *arg, 3733 struct sctp_cmd_seq *commands) 3734{ 3735 struct sctp_chunk *chunk = arg; 3736 3737 if (!sctp_vtag_verify(chunk, asoc)) 3738 asoc = NULL; 3739 3740 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3741 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3742 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3743 commands); 3744 3745 /* Although we do have an association in this case, it corresponds 3746 * to a restarted association. So the packet is treated as an OOTB 3747 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3748 * called with a NULL association. 3749 */ 3750 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3751 3752 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3753} 3754 3755/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3756enum sctp_disposition sctp_sf_do_asconf(struct net *net, 3757 const struct sctp_endpoint *ep, 3758 const struct sctp_association *asoc, 3759 const union sctp_subtype type, 3760 void *arg, 3761 struct sctp_cmd_seq *commands) 3762{ 3763 struct sctp_paramhdr *err_param = NULL; 3764 struct sctp_chunk *asconf_ack = NULL; 3765 struct sctp_chunk *chunk = arg; 3766 struct sctp_addiphdr *hdr; 3767 __u32 serial; 3768 3769 if (!sctp_vtag_verify(chunk, asoc)) { 3770 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3771 SCTP_NULL()); 3772 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3773 } 3774 3775 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3776 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) 3777 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3778 commands); 3779 3780 /* ADD-IP: Section 4.1.1 3781 * This chunk MUST be sent in an authenticated way by using 3782 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3783 * is received unauthenticated it MUST be silently discarded as 3784 * described in [I-D.ietf-tsvwg-sctp-auth]. 3785 */ 3786 if (!asoc->peer.asconf_capable || 3787 (!net->sctp.addip_noauth && !chunk->auth)) 3788 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3789 3790 hdr = (struct sctp_addiphdr *)chunk->skb->data; 3791 serial = ntohl(hdr->serial); 3792 3793 /* Verify the ASCONF chunk before processing it. */ 3794 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3795 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3796 (void *)err_param, commands); 3797 3798 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3799 * the endpoint stored in a new association variable 3800 * 'Peer-Serial-Number'. 3801 */ 3802 if (serial == asoc->peer.addip_serial + 1) { 3803 /* If this is the first instance of ASCONF in the packet, 3804 * we can clean our old ASCONF-ACKs. 3805 */ 3806 if (!chunk->has_asconf) 3807 sctp_assoc_clean_asconf_ack_cache(asoc); 3808 3809 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3810 * expected, process the ASCONF as described below and after 3811 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3812 * the response packet and cache a copy of it (in the event it 3813 * later needs to be retransmitted). 3814 * 3815 * Essentially, do V1-V5. 3816 */ 3817 asconf_ack = sctp_process_asconf((struct sctp_association *) 3818 asoc, chunk); 3819 if (!asconf_ack) 3820 return SCTP_DISPOSITION_NOMEM; 3821 } else if (serial < asoc->peer.addip_serial + 1) { 3822 /* ADDIP 5.2 E2) 3823 * If the value found in the Sequence Number is less than the 3824 * ('Peer- Sequence-Number' + 1), simply skip to the next 3825 * ASCONF, and include in the outbound response packet 3826 * any previously cached ASCONF-ACK response that was 3827 * sent and saved that matches the Sequence Number of the 3828 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3829 * Chunk exists. This will occur when an older ASCONF 3830 * arrives out of order. In such a case, the receiver 3831 * should skip the ASCONF Chunk and not include ASCONF-ACK 3832 * Chunk for that chunk. 3833 */ 3834 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3835 if (!asconf_ack) 3836 return SCTP_DISPOSITION_DISCARD; 3837 3838 /* Reset the transport so that we select the correct one 3839 * this time around. This is to make sure that we don't 3840 * accidentally use a stale transport that's been removed. 3841 */ 3842 asconf_ack->transport = NULL; 3843 } else { 3844 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3845 * it must be either a stale packet or from an attacker. 3846 */ 3847 return SCTP_DISPOSITION_DISCARD; 3848 } 3849 3850 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3851 * containing the ASCONF-ACK Chunks MUST be the source address of 3852 * the SCTP packet that held the ASCONF Chunks. 3853 * 3854 * To do this properly, we'll set the destination address of the chunk 3855 * and at the transmit time, will try look up the transport to use. 3856 * Since ASCONFs may be bundled, the correct transport may not be 3857 * created until we process the entire packet, thus this workaround. 3858 */ 3859 asconf_ack->dest = chunk->source; 3860 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3861 if (asoc->new_transport) { 3862 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3863 ((struct sctp_association *)asoc)->new_transport = NULL; 3864 } 3865 3866 return SCTP_DISPOSITION_CONSUME; 3867} 3868 3869static enum sctp_disposition sctp_send_next_asconf( 3870 struct net *net, 3871 const struct sctp_endpoint *ep, 3872 struct sctp_association *asoc, 3873 const union sctp_subtype type, 3874 struct sctp_cmd_seq *commands) 3875{ 3876 struct sctp_chunk *asconf; 3877 struct list_head *entry; 3878 3879 if (list_empty(&asoc->addip_chunk_list)) 3880 return SCTP_DISPOSITION_CONSUME; 3881 3882 entry = asoc->addip_chunk_list.next; 3883 asconf = list_entry(entry, struct sctp_chunk, list); 3884 3885 list_del_init(entry); 3886 sctp_chunk_hold(asconf); 3887 asoc->addip_last_asconf = asconf; 3888 3889 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands); 3890} 3891 3892/* 3893 * ADDIP Section 4.3 General rules for address manipulation 3894 * When building TLV parameters for the ASCONF Chunk that will add or 3895 * delete IP addresses the D0 to D13 rules should be applied: 3896 */ 3897enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, 3898 const struct sctp_endpoint *ep, 3899 const struct sctp_association *asoc, 3900 const union sctp_subtype type, 3901 void *arg, 3902 struct sctp_cmd_seq *commands) 3903{ 3904 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3905 struct sctp_paramhdr *err_param = NULL; 3906 struct sctp_chunk *asconf_ack = arg; 3907 struct sctp_addiphdr *addip_hdr; 3908 __u32 sent_serial, rcvd_serial; 3909 struct sctp_chunk *abort; 3910 3911 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3912 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3913 SCTP_NULL()); 3914 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3915 } 3916 3917 /* Make sure that the ADDIP chunk has a valid length. */ 3918 if (!sctp_chunk_length_valid(asconf_ack, 3919 sizeof(struct sctp_addip_chunk))) 3920 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3921 commands); 3922 3923 /* ADD-IP, Section 4.1.2: 3924 * This chunk MUST be sent in an authenticated way by using 3925 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3926 * is received unauthenticated it MUST be silently discarded as 3927 * described in [I-D.ietf-tsvwg-sctp-auth]. 3928 */ 3929 if (!asoc->peer.asconf_capable || 3930 (!net->sctp.addip_noauth && !asconf_ack->auth)) 3931 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3932 3933 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; 3934 rcvd_serial = ntohl(addip_hdr->serial); 3935 3936 /* Verify the ASCONF-ACK chunk before processing it. */ 3937 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 3938 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3939 (void *)err_param, commands); 3940 3941 if (last_asconf) { 3942 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr; 3943 sent_serial = ntohl(addip_hdr->serial); 3944 } else { 3945 sent_serial = asoc->addip_serial - 1; 3946 } 3947 3948 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3949 * equal to the next serial number to be used but no ASCONF chunk is 3950 * outstanding the endpoint MUST ABORT the association. Note that a 3951 * sequence number is greater than if it is no more than 2^^31-1 3952 * larger than the current sequence number (using serial arithmetic). 3953 */ 3954 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3955 !(asoc->addip_last_asconf)) { 3956 abort = sctp_make_abort(asoc, asconf_ack, 3957 sizeof(struct sctp_errhdr)); 3958 if (abort) { 3959 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 3960 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3961 SCTP_CHUNK(abort)); 3962 } 3963 /* We are going to ABORT, so we might as well stop 3964 * processing the rest of the chunks in the packet. 3965 */ 3966 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3967 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3968 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3969 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3970 SCTP_ERROR(ECONNABORTED)); 3971 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3972 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3973 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 3974 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3975 return SCTP_DISPOSITION_ABORT; 3976 } 3977 3978 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3979 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3980 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3981 3982 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3983 asconf_ack)) 3984 return sctp_send_next_asconf(net, ep, 3985 (struct sctp_association *)asoc, 3986 type, commands); 3987 3988 abort = sctp_make_abort(asoc, asconf_ack, 3989 sizeof(struct sctp_errhdr)); 3990 if (abort) { 3991 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 3992 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3993 SCTP_CHUNK(abort)); 3994 } 3995 /* We are going to ABORT, so we might as well stop 3996 * processing the rest of the chunks in the packet. 3997 */ 3998 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3999 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4000 SCTP_ERROR(ECONNABORTED)); 4001 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4002 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 4003 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4004 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4005 return SCTP_DISPOSITION_ABORT; 4006 } 4007 4008 return SCTP_DISPOSITION_DISCARD; 4009} 4010 4011/* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */ 4012enum sctp_disposition sctp_sf_do_reconf(struct net *net, 4013 const struct sctp_endpoint *ep, 4014 const struct sctp_association *asoc, 4015 const union sctp_subtype type, 4016 void *arg, 4017 struct sctp_cmd_seq *commands) 4018{ 4019 struct sctp_paramhdr *err_param = NULL; 4020 struct sctp_chunk *chunk = arg; 4021 struct sctp_reconf_chunk *hdr; 4022 union sctp_params param; 4023 4024 if (!sctp_vtag_verify(chunk, asoc)) { 4025 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4026 SCTP_NULL()); 4027 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4028 } 4029 4030 /* Make sure that the RECONF chunk has a valid length. */ 4031 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr))) 4032 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4033 commands); 4034 4035 if (!sctp_verify_reconf(asoc, chunk, &err_param)) 4036 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 4037 (void *)err_param, commands); 4038 4039 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr; 4040 sctp_walk_params(param, hdr, params) { 4041 struct sctp_chunk *reply = NULL; 4042 struct sctp_ulpevent *ev = NULL; 4043 4044 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST) 4045 reply = sctp_process_strreset_outreq( 4046 (struct sctp_association *)asoc, param, &ev); 4047 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST) 4048 reply = sctp_process_strreset_inreq( 4049 (struct sctp_association *)asoc, param, &ev); 4050 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST) 4051 reply = sctp_process_strreset_tsnreq( 4052 (struct sctp_association *)asoc, param, &ev); 4053 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) 4054 reply = sctp_process_strreset_addstrm_out( 4055 (struct sctp_association *)asoc, param, &ev); 4056 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS) 4057 reply = sctp_process_strreset_addstrm_in( 4058 (struct sctp_association *)asoc, param, &ev); 4059 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE) 4060 reply = sctp_process_strreset_resp( 4061 (struct sctp_association *)asoc, param, &ev); 4062 4063 if (ev) 4064 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4065 SCTP_ULPEVENT(ev)); 4066 4067 if (reply) 4068 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4069 SCTP_CHUNK(reply)); 4070 } 4071 4072 return SCTP_DISPOSITION_CONSUME; 4073} 4074 4075/* 4076 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 4077 * 4078 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 4079 * its cumulative TSN point to the value carried in the FORWARD TSN 4080 * chunk, and then MUST further advance its cumulative TSN point locally 4081 * if possible. 4082 * After the above processing, the data receiver MUST stop reporting any 4083 * missing TSNs earlier than or equal to the new cumulative TSN point. 4084 * 4085 * Verification Tag: 8.5 Verification Tag [Normal verification] 4086 * 4087 * The return value is the disposition of the chunk. 4088 */ 4089enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net, 4090 const struct sctp_endpoint *ep, 4091 const struct sctp_association *asoc, 4092 const union sctp_subtype type, 4093 void *arg, 4094 struct sctp_cmd_seq *commands) 4095{ 4096 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4097 struct sctp_chunk *chunk = arg; 4098 __u16 len; 4099 __u32 tsn; 4100 4101 if (!sctp_vtag_verify(chunk, asoc)) { 4102 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4103 SCTP_NULL()); 4104 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4105 } 4106 4107 if (!asoc->peer.prsctp_capable) 4108 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4109 4110 /* Make sure that the FORWARD_TSN chunk has valid length. */ 4111 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4112 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4113 commands); 4114 4115 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4116 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4117 len = ntohs(chunk->chunk_hdr->length); 4118 len -= sizeof(struct sctp_chunkhdr); 4119 skb_pull(chunk->skb, len); 4120 4121 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4122 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4123 4124 /* The TSN is too high--silently discard the chunk and count on it 4125 * getting retransmitted later. 4126 */ 4127 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4128 goto discard_noforce; 4129 4130 if (!asoc->stream.si->validate_ftsn(chunk)) 4131 goto discard_noforce; 4132 4133 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4134 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4135 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4136 SCTP_CHUNK(chunk)); 4137 4138 /* Count this as receiving DATA. */ 4139 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 4140 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4141 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4142 } 4143 4144 /* FIXME: For now send a SACK, but DATA processing may 4145 * send another. 4146 */ 4147 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 4148 4149 return SCTP_DISPOSITION_CONSUME; 4150 4151discard_noforce: 4152 return SCTP_DISPOSITION_DISCARD; 4153} 4154 4155enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( 4156 struct net *net, 4157 const struct sctp_endpoint *ep, 4158 const struct sctp_association *asoc, 4159 const union sctp_subtype type, 4160 void *arg, 4161 struct sctp_cmd_seq *commands) 4162{ 4163 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4164 struct sctp_chunk *chunk = arg; 4165 __u16 len; 4166 __u32 tsn; 4167 4168 if (!sctp_vtag_verify(chunk, asoc)) { 4169 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4170 SCTP_NULL()); 4171 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4172 } 4173 4174 if (!asoc->peer.prsctp_capable) 4175 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4176 4177 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 4178 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4179 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4180 commands); 4181 4182 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4183 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4184 len = ntohs(chunk->chunk_hdr->length); 4185 len -= sizeof(struct sctp_chunkhdr); 4186 skb_pull(chunk->skb, len); 4187 4188 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4189 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4190 4191 /* The TSN is too high--silently discard the chunk and count on it 4192 * getting retransmitted later. 4193 */ 4194 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4195 goto gen_shutdown; 4196 4197 if (!asoc->stream.si->validate_ftsn(chunk)) 4198 goto gen_shutdown; 4199 4200 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4201 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4202 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4203 SCTP_CHUNK(chunk)); 4204 4205 /* Go a head and force a SACK, since we are shutting down. */ 4206gen_shutdown: 4207 /* Implementor's Guide. 4208 * 4209 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 4210 * respond to each received packet containing one or more DATA chunk(s) 4211 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 4212 */ 4213 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 4214 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4215 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4216 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4217 4218 return SCTP_DISPOSITION_CONSUME; 4219} 4220 4221/* 4222 * SCTP-AUTH Section 6.3 Receiving authenticated chukns 4223 * 4224 * The receiver MUST use the HMAC algorithm indicated in the HMAC 4225 * Identifier field. If this algorithm was not specified by the 4226 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 4227 * during association setup, the AUTH chunk and all chunks after it MUST 4228 * be discarded and an ERROR chunk SHOULD be sent with the error cause 4229 * defined in Section 4.1. 4230 * 4231 * If an endpoint with no shared key receives a Shared Key Identifier 4232 * other than 0, it MUST silently discard all authenticated chunks. If 4233 * the endpoint has at least one endpoint pair shared key for the peer, 4234 * it MUST use the key specified by the Shared Key Identifier if a 4235 * key has been configured for that Shared Key Identifier. If no 4236 * endpoint pair shared key has been configured for that Shared Key 4237 * Identifier, all authenticated chunks MUST be silently discarded. 4238 * 4239 * Verification Tag: 8.5 Verification Tag [Normal verification] 4240 * 4241 * The return value is the disposition of the chunk. 4242 */ 4243static enum sctp_ierror sctp_sf_authenticate( 4244 const struct sctp_association *asoc, 4245 struct sctp_chunk *chunk) 4246{ 4247 struct sctp_shared_key *sh_key = NULL; 4248 struct sctp_authhdr *auth_hdr; 4249 __u8 *save_digest, *digest; 4250 struct sctp_hmac *hmac; 4251 unsigned int sig_len; 4252 __u16 key_id; 4253 4254 /* Pull in the auth header, so we can do some more verification */ 4255 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4256 chunk->subh.auth_hdr = auth_hdr; 4257 skb_pull(chunk->skb, sizeof(*auth_hdr)); 4258 4259 /* Make sure that we support the HMAC algorithm from the auth 4260 * chunk. 4261 */ 4262 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4263 return SCTP_IERROR_AUTH_BAD_HMAC; 4264 4265 /* Make sure that the provided shared key identifier has been 4266 * configured 4267 */ 4268 key_id = ntohs(auth_hdr->shkey_id); 4269 if (key_id != asoc->active_key_id) { 4270 sh_key = sctp_auth_get_shkey(asoc, key_id); 4271 if (!sh_key) 4272 return SCTP_IERROR_AUTH_BAD_KEYID; 4273 } 4274 4275 /* Make sure that the length of the signature matches what 4276 * we expect. 4277 */ 4278 sig_len = ntohs(chunk->chunk_hdr->length) - 4279 sizeof(struct sctp_auth_chunk); 4280 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4281 if (sig_len != hmac->hmac_len) 4282 return SCTP_IERROR_PROTO_VIOLATION; 4283 4284 /* Now that we've done validation checks, we can compute and 4285 * verify the hmac. The steps involved are: 4286 * 1. Save the digest from the chunk. 4287 * 2. Zero out the digest in the chunk. 4288 * 3. Compute the new digest 4289 * 4. Compare saved and new digests. 4290 */ 4291 digest = auth_hdr->hmac; 4292 skb_pull(chunk->skb, sig_len); 4293 4294 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4295 if (!save_digest) 4296 goto nomem; 4297 4298 memset(digest, 0, sig_len); 4299 4300 sctp_auth_calculate_hmac(asoc, chunk->skb, 4301 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4302 sh_key, GFP_ATOMIC); 4303 4304 /* Discard the packet if the digests do not match */ 4305 if (memcmp(save_digest, digest, sig_len)) { 4306 kfree(save_digest); 4307 return SCTP_IERROR_BAD_SIG; 4308 } 4309 4310 kfree(save_digest); 4311 chunk->auth = 1; 4312 4313 return SCTP_IERROR_NO_ERROR; 4314nomem: 4315 return SCTP_IERROR_NOMEM; 4316} 4317 4318enum sctp_disposition sctp_sf_eat_auth(struct net *net, 4319 const struct sctp_endpoint *ep, 4320 const struct sctp_association *asoc, 4321 const union sctp_subtype type, 4322 void *arg, struct sctp_cmd_seq *commands) 4323{ 4324 struct sctp_chunk *chunk = arg; 4325 struct sctp_authhdr *auth_hdr; 4326 struct sctp_chunk *err_chunk; 4327 enum sctp_ierror error; 4328 4329 /* Make sure that the peer has AUTH capable */ 4330 if (!asoc->peer.auth_capable) 4331 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4332 4333 if (!sctp_vtag_verify(chunk, asoc)) { 4334 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4335 SCTP_NULL()); 4336 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4337 } 4338 4339 /* Make sure that the AUTH chunk has valid length. */ 4340 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4341 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4342 commands); 4343 4344 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4345 error = sctp_sf_authenticate(asoc, chunk); 4346 switch (error) { 4347 case SCTP_IERROR_AUTH_BAD_HMAC: 4348 /* Generate the ERROR chunk and discard the rest 4349 * of the packet 4350 */ 4351 err_chunk = sctp_make_op_error(asoc, chunk, 4352 SCTP_ERROR_UNSUP_HMAC, 4353 &auth_hdr->hmac_id, 4354 sizeof(__u16), 0); 4355 if (err_chunk) { 4356 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4357 SCTP_CHUNK(err_chunk)); 4358 } 4359 fallthrough; 4360 case SCTP_IERROR_AUTH_BAD_KEYID: 4361 case SCTP_IERROR_BAD_SIG: 4362 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4363 4364 case SCTP_IERROR_PROTO_VIOLATION: 4365 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4366 commands); 4367 4368 case SCTP_IERROR_NOMEM: 4369 return SCTP_DISPOSITION_NOMEM; 4370 4371 default: /* Prevent gcc warnings */ 4372 break; 4373 } 4374 4375 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4376 struct sctp_ulpevent *ev; 4377 4378 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4379 SCTP_AUTH_NEW_KEY, GFP_ATOMIC); 4380 4381 if (!ev) 4382 return SCTP_DISPOSITION_NOMEM; 4383 4384 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4385 SCTP_ULPEVENT(ev)); 4386 } 4387 4388 return SCTP_DISPOSITION_CONSUME; 4389} 4390 4391/* 4392 * Process an unknown chunk. 4393 * 4394 * Section: 3.2. Also, 2.1 in the implementor's guide. 4395 * 4396 * Chunk Types are encoded such that the highest-order two bits specify 4397 * the action that must be taken if the processing endpoint does not 4398 * recognize the Chunk Type. 4399 * 4400 * 00 - Stop processing this SCTP packet and discard it, do not process 4401 * any further chunks within it. 4402 * 4403 * 01 - Stop processing this SCTP packet and discard it, do not process 4404 * any further chunks within it, and report the unrecognized 4405 * chunk in an 'Unrecognized Chunk Type'. 4406 * 4407 * 10 - Skip this chunk and continue processing. 4408 * 4409 * 11 - Skip this chunk and continue processing, but report in an ERROR 4410 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4411 * 4412 * The return value is the disposition of the chunk. 4413 */ 4414enum sctp_disposition sctp_sf_unk_chunk(struct net *net, 4415 const struct sctp_endpoint *ep, 4416 const struct sctp_association *asoc, 4417 const union sctp_subtype type, 4418 void *arg, 4419 struct sctp_cmd_seq *commands) 4420{ 4421 struct sctp_chunk *unk_chunk = arg; 4422 struct sctp_chunk *err_chunk; 4423 struct sctp_chunkhdr *hdr; 4424 4425 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4426 4427 if (!sctp_vtag_verify(unk_chunk, asoc)) 4428 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4429 4430 /* Make sure that the chunk has a valid length. 4431 * Since we don't know the chunk type, we use a general 4432 * chunkhdr structure to make a comparison. 4433 */ 4434 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr))) 4435 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4436 commands); 4437 4438 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4439 case SCTP_CID_ACTION_DISCARD: 4440 /* Discard the packet. */ 4441 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4442 case SCTP_CID_ACTION_DISCARD_ERR: 4443 /* Generate an ERROR chunk as response. */ 4444 hdr = unk_chunk->chunk_hdr; 4445 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4446 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4447 SCTP_PAD4(ntohs(hdr->length)), 4448 0); 4449 if (err_chunk) { 4450 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4451 SCTP_CHUNK(err_chunk)); 4452 } 4453 4454 /* Discard the packet. */ 4455 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4456 return SCTP_DISPOSITION_CONSUME; 4457 case SCTP_CID_ACTION_SKIP: 4458 /* Skip the chunk. */ 4459 return SCTP_DISPOSITION_DISCARD; 4460 case SCTP_CID_ACTION_SKIP_ERR: 4461 /* Generate an ERROR chunk as response. */ 4462 hdr = unk_chunk->chunk_hdr; 4463 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4464 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4465 SCTP_PAD4(ntohs(hdr->length)), 4466 0); 4467 if (err_chunk) { 4468 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4469 SCTP_CHUNK(err_chunk)); 4470 } 4471 /* Skip the chunk. */ 4472 return SCTP_DISPOSITION_CONSUME; 4473 default: 4474 break; 4475 } 4476 4477 return SCTP_DISPOSITION_DISCARD; 4478} 4479 4480/* 4481 * Discard the chunk. 4482 * 4483 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4484 * [Too numerous to mention...] 4485 * Verification Tag: No verification needed. 4486 * Inputs 4487 * (endpoint, asoc, chunk) 4488 * 4489 * Outputs 4490 * (asoc, reply_msg, msg_up, timers, counters) 4491 * 4492 * The return value is the disposition of the chunk. 4493 */ 4494enum sctp_disposition sctp_sf_discard_chunk(struct net *net, 4495 const struct sctp_endpoint *ep, 4496 const struct sctp_association *asoc, 4497 const union sctp_subtype type, 4498 void *arg, 4499 struct sctp_cmd_seq *commands) 4500{ 4501 struct sctp_chunk *chunk = arg; 4502 4503 if (asoc && !sctp_vtag_verify(chunk, asoc)) 4504 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4505 4506 /* Make sure that the chunk has a valid length. 4507 * Since we don't know the chunk type, we use a general 4508 * chunkhdr structure to make a comparison. 4509 */ 4510 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4511 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4512 commands); 4513 4514 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4515 4516 return SCTP_DISPOSITION_DISCARD; 4517} 4518 4519/* 4520 * Discard the whole packet. 4521 * 4522 * Section: 8.4 2) 4523 * 4524 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4525 * silently discard the OOTB packet and take no further action. 4526 * 4527 * Verification Tag: No verification necessary 4528 * 4529 * Inputs 4530 * (endpoint, asoc, chunk) 4531 * 4532 * Outputs 4533 * (asoc, reply_msg, msg_up, timers, counters) 4534 * 4535 * The return value is the disposition of the chunk. 4536 */ 4537enum sctp_disposition sctp_sf_pdiscard(struct net *net, 4538 const struct sctp_endpoint *ep, 4539 const struct sctp_association *asoc, 4540 const union sctp_subtype type, 4541 void *arg, struct sctp_cmd_seq *commands) 4542{ 4543 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4544 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4545 4546 return SCTP_DISPOSITION_CONSUME; 4547} 4548 4549 4550/* 4551 * The other end is violating protocol. 4552 * 4553 * Section: Not specified 4554 * Verification Tag: Not specified 4555 * Inputs 4556 * (endpoint, asoc, chunk) 4557 * 4558 * Outputs 4559 * (asoc, reply_msg, msg_up, timers, counters) 4560 * 4561 * We simply tag the chunk as a violation. The state machine will log 4562 * the violation and continue. 4563 */ 4564enum sctp_disposition sctp_sf_violation(struct net *net, 4565 const struct sctp_endpoint *ep, 4566 const struct sctp_association *asoc, 4567 const union sctp_subtype type, 4568 void *arg, 4569 struct sctp_cmd_seq *commands) 4570{ 4571 struct sctp_chunk *chunk = arg; 4572 4573 if (!sctp_vtag_verify(chunk, asoc)) 4574 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4575 4576 /* Make sure that the chunk has a valid length. */ 4577 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4578 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4579 commands); 4580 4581 return SCTP_DISPOSITION_VIOLATION; 4582} 4583 4584/* 4585 * Common function to handle a protocol violation. 4586 */ 4587static enum sctp_disposition sctp_sf_abort_violation( 4588 struct net *net, 4589 const struct sctp_endpoint *ep, 4590 const struct sctp_association *asoc, 4591 void *arg, 4592 struct sctp_cmd_seq *commands, 4593 const __u8 *payload, 4594 const size_t paylen) 4595{ 4596 struct sctp_packet *packet = NULL; 4597 struct sctp_chunk *chunk = arg; 4598 struct sctp_chunk *abort = NULL; 4599 4600 /* SCTP-AUTH, Section 6.3: 4601 * It should be noted that if the receiver wants to tear 4602 * down an association in an authenticated way only, the 4603 * handling of malformed packets should not result in 4604 * tearing down the association. 4605 * 4606 * This means that if we only want to abort associations 4607 * in an authenticated way (i.e AUTH+ABORT), then we 4608 * can't destroy this association just because the packet 4609 * was malformed. 4610 */ 4611 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4612 goto discard; 4613 4614 /* Make the abort chunk. */ 4615 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4616 if (!abort) 4617 goto nomem; 4618 4619 if (asoc) { 4620 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4621 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4622 !asoc->peer.i.init_tag) { 4623 struct sctp_initack_chunk *initack; 4624 4625 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 4626 if (!sctp_chunk_length_valid(chunk, sizeof(*initack))) 4627 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4628 else { 4629 unsigned int inittag; 4630 4631 inittag = ntohl(initack->init_hdr.init_tag); 4632 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4633 SCTP_U32(inittag)); 4634 } 4635 } 4636 4637 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4638 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4639 4640 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4641 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4642 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4643 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4644 SCTP_ERROR(ECONNREFUSED)); 4645 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4646 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4647 } else { 4648 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4649 SCTP_ERROR(ECONNABORTED)); 4650 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4651 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4652 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4653 } 4654 } else { 4655 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4656 4657 if (!packet) 4658 goto nomem_pkt; 4659 4660 if (sctp_test_T_bit(abort)) 4661 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4662 4663 abort->skb->sk = ep->base.sk; 4664 4665 sctp_packet_append_chunk(packet, abort); 4666 4667 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4668 SCTP_PACKET(packet)); 4669 4670 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4671 } 4672 4673 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4674 4675discard: 4676 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4677 return SCTP_DISPOSITION_ABORT; 4678 4679nomem_pkt: 4680 sctp_chunk_free(abort); 4681nomem: 4682 return SCTP_DISPOSITION_NOMEM; 4683} 4684 4685/* 4686 * Handle a protocol violation when the chunk length is invalid. 4687 * "Invalid" length is identified as smaller than the minimal length a 4688 * given chunk can be. For example, a SACK chunk has invalid length 4689 * if its length is set to be smaller than the size of struct sctp_sack_chunk. 4690 * 4691 * We inform the other end by sending an ABORT with a Protocol Violation 4692 * error code. 4693 * 4694 * Section: Not specified 4695 * Verification Tag: Nothing to do 4696 * Inputs 4697 * (endpoint, asoc, chunk) 4698 * 4699 * Outputs 4700 * (reply_msg, msg_up, counters) 4701 * 4702 * Generate an ABORT chunk and terminate the association. 4703 */ 4704static enum sctp_disposition sctp_sf_violation_chunklen( 4705 struct net *net, 4706 const struct sctp_endpoint *ep, 4707 const struct sctp_association *asoc, 4708 const union sctp_subtype type, 4709 void *arg, 4710 struct sctp_cmd_seq *commands) 4711{ 4712 static const char err_str[] = "The following chunk had invalid length:"; 4713 4714 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4715 sizeof(err_str)); 4716} 4717 4718/* 4719 * Handle a protocol violation when the parameter length is invalid. 4720 * If the length is smaller than the minimum length of a given parameter, 4721 * or accumulated length in multi parameters exceeds the end of the chunk, 4722 * the length is considered as invalid. 4723 */ 4724static enum sctp_disposition sctp_sf_violation_paramlen( 4725 struct net *net, 4726 const struct sctp_endpoint *ep, 4727 const struct sctp_association *asoc, 4728 const union sctp_subtype type, 4729 void *arg, void *ext, 4730 struct sctp_cmd_seq *commands) 4731{ 4732 struct sctp_paramhdr *param = ext; 4733 struct sctp_chunk *abort = NULL; 4734 struct sctp_chunk *chunk = arg; 4735 4736 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4737 goto discard; 4738 4739 /* Make the abort chunk. */ 4740 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4741 if (!abort) 4742 goto nomem; 4743 4744 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4745 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4746 4747 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4748 SCTP_ERROR(ECONNABORTED)); 4749 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4750 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4751 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4752 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4753 4754discard: 4755 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4756 return SCTP_DISPOSITION_ABORT; 4757nomem: 4758 return SCTP_DISPOSITION_NOMEM; 4759} 4760 4761/* Handle a protocol violation when the peer trying to advance the 4762 * cumulative tsn ack to a point beyond the max tsn currently sent. 4763 * 4764 * We inform the other end by sending an ABORT with a Protocol Violation 4765 * error code. 4766 */ 4767static enum sctp_disposition sctp_sf_violation_ctsn( 4768 struct net *net, 4769 const struct sctp_endpoint *ep, 4770 const struct sctp_association *asoc, 4771 const union sctp_subtype type, 4772 void *arg, 4773 struct sctp_cmd_seq *commands) 4774{ 4775 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4776 4777 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4778 sizeof(err_str)); 4779} 4780 4781/* Handle protocol violation of an invalid chunk bundling. For example, 4782 * when we have an association and we receive bundled INIT-ACK, or 4783 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4784 * statement from the specs. Additionally, there might be an attacker 4785 * on the path and we may not want to continue this communication. 4786 */ 4787static enum sctp_disposition sctp_sf_violation_chunk( 4788 struct net *net, 4789 const struct sctp_endpoint *ep, 4790 const struct sctp_association *asoc, 4791 const union sctp_subtype type, 4792 void *arg, 4793 struct sctp_cmd_seq *commands) 4794{ 4795 static const char err_str[] = "The following chunk violates protocol:"; 4796 4797 if (!asoc) 4798 return sctp_sf_violation(net, ep, asoc, type, arg, commands); 4799 4800 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4801 sizeof(err_str)); 4802} 4803/*************************************************************************** 4804 * These are the state functions for handling primitive (Section 10) events. 4805 ***************************************************************************/ 4806/* 4807 * sctp_sf_do_prm_asoc 4808 * 4809 * Section: 10.1 ULP-to-SCTP 4810 * B) Associate 4811 * 4812 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4813 * outbound stream count) 4814 * -> association id [,destination transport addr list] [,outbound stream 4815 * count] 4816 * 4817 * This primitive allows the upper layer to initiate an association to a 4818 * specific peer endpoint. 4819 * 4820 * The peer endpoint shall be specified by one of the transport addresses 4821 * which defines the endpoint (see Section 1.4). If the local SCTP 4822 * instance has not been initialized, the ASSOCIATE is considered an 4823 * error. 4824 * [This is not relevant for the kernel implementation since we do all 4825 * initialization at boot time. It we hadn't initialized we wouldn't 4826 * get anywhere near this code.] 4827 * 4828 * An association id, which is a local handle to the SCTP association, 4829 * will be returned on successful establishment of the association. If 4830 * SCTP is not able to open an SCTP association with the peer endpoint, 4831 * an error is returned. 4832 * [In the kernel implementation, the struct sctp_association needs to 4833 * be created BEFORE causing this primitive to run.] 4834 * 4835 * Other association parameters may be returned, including the 4836 * complete destination transport addresses of the peer as well as the 4837 * outbound stream count of the local endpoint. One of the transport 4838 * address from the returned destination addresses will be selected by 4839 * the local endpoint as default primary path for sending SCTP packets 4840 * to this peer. The returned "destination transport addr list" can 4841 * be used by the ULP to change the default primary path or to force 4842 * sending a packet to a specific transport address. [All of this 4843 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4844 * function.] 4845 * 4846 * Mandatory attributes: 4847 * 4848 * o local SCTP instance name - obtained from the INITIALIZE operation. 4849 * [This is the argument asoc.] 4850 * o destination transport addr - specified as one of the transport 4851 * addresses of the peer endpoint with which the association is to be 4852 * established. 4853 * [This is asoc->peer.active_path.] 4854 * o outbound stream count - the number of outbound streams the ULP 4855 * would like to open towards this peer endpoint. 4856 * [BUG: This is not currently implemented.] 4857 * Optional attributes: 4858 * 4859 * None. 4860 * 4861 * The return value is a disposition. 4862 */ 4863enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net, 4864 const struct sctp_endpoint *ep, 4865 const struct sctp_association *asoc, 4866 const union sctp_subtype type, 4867 void *arg, 4868 struct sctp_cmd_seq *commands) 4869{ 4870 struct sctp_association *my_asoc; 4871 struct sctp_chunk *repl; 4872 4873 /* The comment below says that we enter COOKIE-WAIT AFTER 4874 * sending the INIT, but that doesn't actually work in our 4875 * implementation... 4876 */ 4877 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4878 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4879 4880 /* RFC 2960 5.1 Normal Establishment of an Association 4881 * 4882 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4883 * must provide its Verification Tag (Tag_A) in the Initiate 4884 * Tag field. Tag_A SHOULD be a random number in the range of 4885 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4886 */ 4887 4888 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4889 if (!repl) 4890 goto nomem; 4891 4892 /* Choose transport for INIT. */ 4893 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4894 SCTP_CHUNK(repl)); 4895 4896 /* Cast away the const modifier, as we want to just 4897 * rerun it through as a sideffect. 4898 */ 4899 my_asoc = (struct sctp_association *)asoc; 4900 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 4901 4902 /* After sending the INIT, "A" starts the T1-init timer and 4903 * enters the COOKIE-WAIT state. 4904 */ 4905 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4906 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4907 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4908 return SCTP_DISPOSITION_CONSUME; 4909 4910nomem: 4911 return SCTP_DISPOSITION_NOMEM; 4912} 4913 4914/* 4915 * Process the SEND primitive. 4916 * 4917 * Section: 10.1 ULP-to-SCTP 4918 * E) Send 4919 * 4920 * Format: SEND(association id, buffer address, byte count [,context] 4921 * [,stream id] [,life time] [,destination transport address] 4922 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 4923 * -> result 4924 * 4925 * This is the main method to send user data via SCTP. 4926 * 4927 * Mandatory attributes: 4928 * 4929 * o association id - local handle to the SCTP association 4930 * 4931 * o buffer address - the location where the user message to be 4932 * transmitted is stored; 4933 * 4934 * o byte count - The size of the user data in number of bytes; 4935 * 4936 * Optional attributes: 4937 * 4938 * o context - an optional 32 bit integer that will be carried in the 4939 * sending failure notification to the ULP if the transportation of 4940 * this User Message fails. 4941 * 4942 * o stream id - to indicate which stream to send the data on. If not 4943 * specified, stream 0 will be used. 4944 * 4945 * o life time - specifies the life time of the user data. The user data 4946 * will not be sent by SCTP after the life time expires. This 4947 * parameter can be used to avoid efforts to transmit stale 4948 * user messages. SCTP notifies the ULP if the data cannot be 4949 * initiated to transport (i.e. sent to the destination via SCTP's 4950 * send primitive) within the life time variable. However, the 4951 * user data will be transmitted if SCTP has attempted to transmit a 4952 * chunk before the life time expired. 4953 * 4954 * o destination transport address - specified as one of the destination 4955 * transport addresses of the peer endpoint to which this packet 4956 * should be sent. Whenever possible, SCTP should use this destination 4957 * transport address for sending the packets, instead of the current 4958 * primary path. 4959 * 4960 * o unorder flag - this flag, if present, indicates that the user 4961 * would like the data delivered in an unordered fashion to the peer 4962 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 4963 * message). 4964 * 4965 * o no-bundle flag - instructs SCTP not to bundle this user data with 4966 * other outbound DATA chunks. SCTP MAY still bundle even when 4967 * this flag is present, when faced with network congestion. 4968 * 4969 * o payload protocol-id - A 32 bit unsigned integer that is to be 4970 * passed to the peer indicating the type of payload protocol data 4971 * being transmitted. This value is passed as opaque data by SCTP. 4972 * 4973 * The return value is the disposition. 4974 */ 4975enum sctp_disposition sctp_sf_do_prm_send(struct net *net, 4976 const struct sctp_endpoint *ep, 4977 const struct sctp_association *asoc, 4978 const union sctp_subtype type, 4979 void *arg, 4980 struct sctp_cmd_seq *commands) 4981{ 4982 struct sctp_datamsg *msg = arg; 4983 4984 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 4985 return SCTP_DISPOSITION_CONSUME; 4986} 4987 4988/* 4989 * Process the SHUTDOWN primitive. 4990 * 4991 * Section: 10.1: 4992 * C) Shutdown 4993 * 4994 * Format: SHUTDOWN(association id) 4995 * -> result 4996 * 4997 * Gracefully closes an association. Any locally queued user data 4998 * will be delivered to the peer. The association will be terminated only 4999 * after the peer acknowledges all the SCTP packets sent. A success code 5000 * will be returned on successful termination of the association. If 5001 * attempting to terminate the association results in a failure, an error 5002 * code shall be returned. 5003 * 5004 * Mandatory attributes: 5005 * 5006 * o association id - local handle to the SCTP association 5007 * 5008 * Optional attributes: 5009 * 5010 * None. 5011 * 5012 * The return value is the disposition. 5013 */ 5014enum sctp_disposition sctp_sf_do_9_2_prm_shutdown( 5015 struct net *net, 5016 const struct sctp_endpoint *ep, 5017 const struct sctp_association *asoc, 5018 const union sctp_subtype type, 5019 void *arg, 5020 struct sctp_cmd_seq *commands) 5021{ 5022 enum sctp_disposition disposition; 5023 5024 /* From 9.2 Shutdown of an Association 5025 * Upon receipt of the SHUTDOWN primitive from its upper 5026 * layer, the endpoint enters SHUTDOWN-PENDING state and 5027 * remains there until all outstanding data has been 5028 * acknowledged by its peer. The endpoint accepts no new data 5029 * from its upper layer, but retransmits data to the far end 5030 * if necessary to fill gaps. 5031 */ 5032 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5033 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5034 5035 disposition = SCTP_DISPOSITION_CONSUME; 5036 if (sctp_outq_is_empty(&asoc->outqueue)) { 5037 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 5038 arg, commands); 5039 } 5040 5041 return disposition; 5042} 5043 5044/* 5045 * Process the ABORT primitive. 5046 * 5047 * Section: 10.1: 5048 * C) Abort 5049 * 5050 * Format: Abort(association id [, cause code]) 5051 * -> result 5052 * 5053 * Ungracefully closes an association. Any locally queued user data 5054 * will be discarded and an ABORT chunk is sent to the peer. A success code 5055 * will be returned on successful abortion of the association. If 5056 * attempting to abort the association results in a failure, an error 5057 * code shall be returned. 5058 * 5059 * Mandatory attributes: 5060 * 5061 * o association id - local handle to the SCTP association 5062 * 5063 * Optional attributes: 5064 * 5065 * o cause code - reason of the abort to be passed to the peer 5066 * 5067 * None. 5068 * 5069 * The return value is the disposition. 5070 */ 5071enum sctp_disposition sctp_sf_do_9_1_prm_abort( 5072 struct net *net, 5073 const struct sctp_endpoint *ep, 5074 const struct sctp_association *asoc, 5075 const union sctp_subtype type, 5076 void *arg, 5077 struct sctp_cmd_seq *commands) 5078{ 5079 /* From 9.1 Abort of an Association 5080 * Upon receipt of the ABORT primitive from its upper 5081 * layer, the endpoint enters CLOSED state and 5082 * discard all outstanding data has been 5083 * acknowledged by its peer. The endpoint accepts no new data 5084 * from its upper layer, but retransmits data to the far end 5085 * if necessary to fill gaps. 5086 */ 5087 struct sctp_chunk *abort = arg; 5088 5089 if (abort) 5090 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5091 5092 /* Even if we can't send the ABORT due to low memory delete the 5093 * TCB. This is a departure from our typical NOMEM handling. 5094 */ 5095 5096 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5097 SCTP_ERROR(ECONNABORTED)); 5098 /* Delete the established association. */ 5099 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5100 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5101 5102 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5103 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5104 5105 return SCTP_DISPOSITION_ABORT; 5106} 5107 5108/* We tried an illegal operation on an association which is closed. */ 5109enum sctp_disposition sctp_sf_error_closed(struct net *net, 5110 const struct sctp_endpoint *ep, 5111 const struct sctp_association *asoc, 5112 const union sctp_subtype type, 5113 void *arg, 5114 struct sctp_cmd_seq *commands) 5115{ 5116 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 5117 return SCTP_DISPOSITION_CONSUME; 5118} 5119 5120/* We tried an illegal operation on an association which is shutting 5121 * down. 5122 */ 5123enum sctp_disposition sctp_sf_error_shutdown( 5124 struct net *net, 5125 const struct sctp_endpoint *ep, 5126 const struct sctp_association *asoc, 5127 const union sctp_subtype type, 5128 void *arg, 5129 struct sctp_cmd_seq *commands) 5130{ 5131 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 5132 SCTP_ERROR(-ESHUTDOWN)); 5133 return SCTP_DISPOSITION_CONSUME; 5134} 5135 5136/* 5137 * sctp_cookie_wait_prm_shutdown 5138 * 5139 * Section: 4 Note: 2 5140 * Verification Tag: 5141 * Inputs 5142 * (endpoint, asoc) 5143 * 5144 * The RFC does not explicitly address this issue, but is the route through the 5145 * state table when someone issues a shutdown while in COOKIE_WAIT state. 5146 * 5147 * Outputs 5148 * (timers) 5149 */ 5150enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( 5151 struct net *net, 5152 const struct sctp_endpoint *ep, 5153 const struct sctp_association *asoc, 5154 const union sctp_subtype type, 5155 void *arg, 5156 struct sctp_cmd_seq *commands) 5157{ 5158 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5159 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5160 5161 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5162 SCTP_STATE(SCTP_STATE_CLOSED)); 5163 5164 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 5165 5166 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 5167 5168 return SCTP_DISPOSITION_DELETE_TCB; 5169} 5170 5171/* 5172 * sctp_cookie_echoed_prm_shutdown 5173 * 5174 * Section: 4 Note: 2 5175 * Verification Tag: 5176 * Inputs 5177 * (endpoint, asoc) 5178 * 5179 * The RFC does not explcitly address this issue, but is the route through the 5180 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 5181 * 5182 * Outputs 5183 * (timers) 5184 */ 5185enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown( 5186 struct net *net, 5187 const struct sctp_endpoint *ep, 5188 const struct sctp_association *asoc, 5189 const union sctp_subtype type, 5190 void *arg, 5191 struct sctp_cmd_seq *commands) 5192{ 5193 /* There is a single T1 timer, so we should be able to use 5194 * common function with the COOKIE-WAIT state. 5195 */ 5196 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 5197} 5198 5199/* 5200 * sctp_sf_cookie_wait_prm_abort 5201 * 5202 * Section: 4 Note: 2 5203 * Verification Tag: 5204 * Inputs 5205 * (endpoint, asoc) 5206 * 5207 * The RFC does not explicitly address this issue, but is the route through the 5208 * state table when someone issues an abort while in COOKIE_WAIT state. 5209 * 5210 * Outputs 5211 * (timers) 5212 */ 5213enum sctp_disposition sctp_sf_cookie_wait_prm_abort( 5214 struct net *net, 5215 const struct sctp_endpoint *ep, 5216 const struct sctp_association *asoc, 5217 const union sctp_subtype type, 5218 void *arg, 5219 struct sctp_cmd_seq *commands) 5220{ 5221 struct sctp_chunk *abort = arg; 5222 5223 /* Stop T1-init timer */ 5224 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5225 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5226 5227 if (abort) 5228 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5229 5230 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5231 SCTP_STATE(SCTP_STATE_CLOSED)); 5232 5233 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5234 5235 /* Even if we can't send the ABORT due to low memory delete the 5236 * TCB. This is a departure from our typical NOMEM handling. 5237 */ 5238 5239 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5240 SCTP_ERROR(ECONNREFUSED)); 5241 /* Delete the established association. */ 5242 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5243 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5244 5245 return SCTP_DISPOSITION_ABORT; 5246} 5247 5248/* 5249 * sctp_sf_cookie_echoed_prm_abort 5250 * 5251 * Section: 4 Note: 3 5252 * Verification Tag: 5253 * Inputs 5254 * (endpoint, asoc) 5255 * 5256 * The RFC does not explcitly address this issue, but is the route through the 5257 * state table when someone issues an abort while in COOKIE_ECHOED state. 5258 * 5259 * Outputs 5260 * (timers) 5261 */ 5262enum sctp_disposition sctp_sf_cookie_echoed_prm_abort( 5263 struct net *net, 5264 const struct sctp_endpoint *ep, 5265 const struct sctp_association *asoc, 5266 const union sctp_subtype type, 5267 void *arg, 5268 struct sctp_cmd_seq *commands) 5269{ 5270 /* There is a single T1 timer, so we should be able to use 5271 * common function with the COOKIE-WAIT state. 5272 */ 5273 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5274} 5275 5276/* 5277 * sctp_sf_shutdown_pending_prm_abort 5278 * 5279 * Inputs 5280 * (endpoint, asoc) 5281 * 5282 * The RFC does not explicitly address this issue, but is the route through the 5283 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5284 * 5285 * Outputs 5286 * (timers) 5287 */ 5288enum sctp_disposition sctp_sf_shutdown_pending_prm_abort( 5289 struct net *net, 5290 const struct sctp_endpoint *ep, 5291 const struct sctp_association *asoc, 5292 const union sctp_subtype type, 5293 void *arg, 5294 struct sctp_cmd_seq *commands) 5295{ 5296 /* Stop the T5-shutdown guard timer. */ 5297 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5298 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5299 5300 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5301} 5302 5303/* 5304 * sctp_sf_shutdown_sent_prm_abort 5305 * 5306 * Inputs 5307 * (endpoint, asoc) 5308 * 5309 * The RFC does not explicitly address this issue, but is the route through the 5310 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5311 * 5312 * Outputs 5313 * (timers) 5314 */ 5315enum sctp_disposition sctp_sf_shutdown_sent_prm_abort( 5316 struct net *net, 5317 const struct sctp_endpoint *ep, 5318 const struct sctp_association *asoc, 5319 const union sctp_subtype type, 5320 void *arg, 5321 struct sctp_cmd_seq *commands) 5322{ 5323 /* Stop the T2-shutdown timer. */ 5324 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5325 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5326 5327 /* Stop the T5-shutdown guard timer. */ 5328 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5329 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5330 5331 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5332} 5333 5334/* 5335 * sctp_sf_cookie_echoed_prm_abort 5336 * 5337 * Inputs 5338 * (endpoint, asoc) 5339 * 5340 * The RFC does not explcitly address this issue, but is the route through the 5341 * state table when someone issues an abort while in COOKIE_ECHOED state. 5342 * 5343 * Outputs 5344 * (timers) 5345 */ 5346enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort( 5347 struct net *net, 5348 const struct sctp_endpoint *ep, 5349 const struct sctp_association *asoc, 5350 const union sctp_subtype type, 5351 void *arg, 5352 struct sctp_cmd_seq *commands) 5353{ 5354 /* The same T2 timer, so we should be able to use 5355 * common function with the SHUTDOWN-SENT state. 5356 */ 5357 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5358} 5359 5360/* 5361 * Process the REQUESTHEARTBEAT primitive 5362 * 5363 * 10.1 ULP-to-SCTP 5364 * J) Request Heartbeat 5365 * 5366 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5367 * 5368 * -> result 5369 * 5370 * Instructs the local endpoint to perform a HeartBeat on the specified 5371 * destination transport address of the given association. The returned 5372 * result should indicate whether the transmission of the HEARTBEAT 5373 * chunk to the destination address is successful. 5374 * 5375 * Mandatory attributes: 5376 * 5377 * o association id - local handle to the SCTP association 5378 * 5379 * o destination transport address - the transport address of the 5380 * association on which a heartbeat should be issued. 5381 */ 5382enum sctp_disposition sctp_sf_do_prm_requestheartbeat( 5383 struct net *net, 5384 const struct sctp_endpoint *ep, 5385 const struct sctp_association *asoc, 5386 const union sctp_subtype type, 5387 void *arg, 5388 struct sctp_cmd_seq *commands) 5389{ 5390 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5391 (struct sctp_transport *)arg, commands)) 5392 return SCTP_DISPOSITION_NOMEM; 5393 5394 /* 5395 * RFC 2960 (bis), section 8.3 5396 * 5397 * D) Request an on-demand HEARTBEAT on a specific destination 5398 * transport address of a given association. 5399 * 5400 * The endpoint should increment the respective error counter of 5401 * the destination transport address each time a HEARTBEAT is sent 5402 * to that address and not acknowledged within one RTO. 5403 * 5404 */ 5405 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5406 SCTP_TRANSPORT(arg)); 5407 return SCTP_DISPOSITION_CONSUME; 5408} 5409 5410/* 5411 * ADDIP Section 4.1 ASCONF Chunk Procedures 5412 * When an endpoint has an ASCONF signaled change to be sent to the 5413 * remote endpoint it should do A1 to A9 5414 */ 5415enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net, 5416 const struct sctp_endpoint *ep, 5417 const struct sctp_association *asoc, 5418 const union sctp_subtype type, 5419 void *arg, 5420 struct sctp_cmd_seq *commands) 5421{ 5422 struct sctp_chunk *chunk = arg; 5423 5424 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5425 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5426 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5427 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5428 return SCTP_DISPOSITION_CONSUME; 5429} 5430 5431/* RE-CONFIG Section 5.1 RECONF Chunk Procedures */ 5432enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net, 5433 const struct sctp_endpoint *ep, 5434 const struct sctp_association *asoc, 5435 const union sctp_subtype type, 5436 void *arg, 5437 struct sctp_cmd_seq *commands) 5438{ 5439 struct sctp_chunk *chunk = arg; 5440 5441 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5442 return SCTP_DISPOSITION_CONSUME; 5443} 5444 5445/* 5446 * Ignore the primitive event 5447 * 5448 * The return value is the disposition of the primitive. 5449 */ 5450enum sctp_disposition sctp_sf_ignore_primitive( 5451 struct net *net, 5452 const struct sctp_endpoint *ep, 5453 const struct sctp_association *asoc, 5454 const union sctp_subtype type, 5455 void *arg, 5456 struct sctp_cmd_seq *commands) 5457{ 5458 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5459 type.primitive); 5460 5461 return SCTP_DISPOSITION_DISCARD; 5462} 5463 5464/*************************************************************************** 5465 * These are the state functions for the OTHER events. 5466 ***************************************************************************/ 5467 5468/* 5469 * When the SCTP stack has no more user data to send or retransmit, this 5470 * notification is given to the user. Also, at the time when a user app 5471 * subscribes to this event, if there is no data to be sent or 5472 * retransmit, the stack will immediately send up this notification. 5473 */ 5474enum sctp_disposition sctp_sf_do_no_pending_tsn( 5475 struct net *net, 5476 const struct sctp_endpoint *ep, 5477 const struct sctp_association *asoc, 5478 const union sctp_subtype type, 5479 void *arg, 5480 struct sctp_cmd_seq *commands) 5481{ 5482 struct sctp_ulpevent *event; 5483 5484 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5485 if (!event) 5486 return SCTP_DISPOSITION_NOMEM; 5487 5488 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5489 5490 return SCTP_DISPOSITION_CONSUME; 5491} 5492 5493/* 5494 * Start the shutdown negotiation. 5495 * 5496 * From Section 9.2: 5497 * Once all its outstanding data has been acknowledged, the endpoint 5498 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5499 * TSN Ack field the last sequential TSN it has received from the peer. 5500 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5501 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5502 * with the updated last sequential TSN received from its peer. 5503 * 5504 * The return value is the disposition. 5505 */ 5506enum sctp_disposition sctp_sf_do_9_2_start_shutdown( 5507 struct net *net, 5508 const struct sctp_endpoint *ep, 5509 const struct sctp_association *asoc, 5510 const union sctp_subtype type, 5511 void *arg, 5512 struct sctp_cmd_seq *commands) 5513{ 5514 struct sctp_chunk *reply; 5515 5516 /* Once all its outstanding data has been acknowledged, the 5517 * endpoint shall send a SHUTDOWN chunk to its peer including 5518 * in the Cumulative TSN Ack field the last sequential TSN it 5519 * has received from the peer. 5520 */ 5521 reply = sctp_make_shutdown(asoc, arg); 5522 if (!reply) 5523 goto nomem; 5524 5525 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5526 * T2-shutdown timer. 5527 */ 5528 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5529 5530 /* It shall then start the T2-shutdown timer */ 5531 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5532 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5533 5534 /* RFC 4960 Section 9.2 5535 * The sender of the SHUTDOWN MAY also start an overall guard timer 5536 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5537 */ 5538 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5539 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5540 5541 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5542 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5543 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5544 5545 /* and enter the SHUTDOWN-SENT state. */ 5546 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5547 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5548 5549 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5550 * 5551 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5552 * or SHUTDOWN-ACK. 5553 */ 5554 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5555 5556 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5557 5558 return SCTP_DISPOSITION_CONSUME; 5559 5560nomem: 5561 return SCTP_DISPOSITION_NOMEM; 5562} 5563 5564/* 5565 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5566 * 5567 * From Section 9.2: 5568 * 5569 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5570 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5571 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5572 * endpoint must re-send the SHUTDOWN ACK. 5573 * 5574 * The return value is the disposition. 5575 */ 5576enum sctp_disposition sctp_sf_do_9_2_shutdown_ack( 5577 struct net *net, 5578 const struct sctp_endpoint *ep, 5579 const struct sctp_association *asoc, 5580 const union sctp_subtype type, 5581 void *arg, 5582 struct sctp_cmd_seq *commands) 5583{ 5584 struct sctp_chunk *chunk = arg; 5585 struct sctp_chunk *reply; 5586 5587 /* There are 2 ways of getting here: 5588 * 1) called in response to a SHUTDOWN chunk 5589 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5590 * 5591 * For the case (2), the arg parameter is set to NULL. We need 5592 * to check that we have a chunk before accessing it's fields. 5593 */ 5594 if (chunk) { 5595 if (!sctp_vtag_verify(chunk, asoc)) 5596 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 5597 commands); 5598 5599 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5600 if (!sctp_chunk_length_valid( 5601 chunk, sizeof(struct sctp_shutdown_chunk))) 5602 return sctp_sf_violation_chunklen(net, ep, asoc, type, 5603 arg, commands); 5604 } 5605 5606 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5607 * shall send a SHUTDOWN ACK ... 5608 */ 5609 reply = sctp_make_shutdown_ack(asoc, chunk); 5610 if (!reply) 5611 goto nomem; 5612 5613 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5614 * the T2-shutdown timer. 5615 */ 5616 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5617 5618 /* and start/restart a T2-shutdown timer of its own, */ 5619 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5620 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5621 5622 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5623 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5624 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5625 5626 /* Enter the SHUTDOWN-ACK-SENT state. */ 5627 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5628 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5629 5630 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5631 * 5632 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5633 * or SHUTDOWN-ACK. 5634 */ 5635 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5636 5637 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5638 5639 return SCTP_DISPOSITION_CONSUME; 5640 5641nomem: 5642 return SCTP_DISPOSITION_NOMEM; 5643} 5644 5645/* 5646 * Ignore the event defined as other 5647 * 5648 * The return value is the disposition of the event. 5649 */ 5650enum sctp_disposition sctp_sf_ignore_other(struct net *net, 5651 const struct sctp_endpoint *ep, 5652 const struct sctp_association *asoc, 5653 const union sctp_subtype type, 5654 void *arg, 5655 struct sctp_cmd_seq *commands) 5656{ 5657 pr_debug("%s: the event other type:%d is ignored\n", 5658 __func__, type.other); 5659 5660 return SCTP_DISPOSITION_DISCARD; 5661} 5662 5663/************************************************************ 5664 * These are the state functions for handling timeout events. 5665 ************************************************************/ 5666 5667/* 5668 * RTX Timeout 5669 * 5670 * Section: 6.3.3 Handle T3-rtx Expiration 5671 * 5672 * Whenever the retransmission timer T3-rtx expires for a destination 5673 * address, do the following: 5674 * [See below] 5675 * 5676 * The return value is the disposition of the chunk. 5677 */ 5678enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net, 5679 const struct sctp_endpoint *ep, 5680 const struct sctp_association *asoc, 5681 const union sctp_subtype type, 5682 void *arg, 5683 struct sctp_cmd_seq *commands) 5684{ 5685 struct sctp_transport *transport = arg; 5686 5687 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5688 5689 if (asoc->overall_error_count >= asoc->max_retrans) { 5690 if (asoc->peer.zero_window_announced && 5691 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5692 /* 5693 * We are here likely because the receiver had its rwnd 5694 * closed for a while and we have not been able to 5695 * transmit the locally queued data within the maximum 5696 * retransmission attempts limit. Start the T5 5697 * shutdown guard timer to give the receiver one last 5698 * chance and some additional time to recover before 5699 * aborting. 5700 */ 5701 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5702 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5703 } else { 5704 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5705 SCTP_ERROR(ETIMEDOUT)); 5706 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5707 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5708 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5709 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5710 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5711 return SCTP_DISPOSITION_DELETE_TCB; 5712 } 5713 } 5714 5715 /* E1) For the destination address for which the timer 5716 * expires, adjust its ssthresh with rules defined in Section 5717 * 7.2.3 and set the cwnd <- MTU. 5718 */ 5719 5720 /* E2) For the destination address for which the timer 5721 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5722 * maximum value discussed in rule C7 above (RTO.max) may be 5723 * used to provide an upper bound to this doubling operation. 5724 */ 5725 5726 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5727 * outstanding DATA chunks for the address for which the 5728 * T3-rtx has expired will fit into a single packet, subject 5729 * to the MTU constraint for the path corresponding to the 5730 * destination transport address to which the retransmission 5731 * is being sent (this may be different from the address for 5732 * which the timer expires [see Section 6.4]). Call this 5733 * value K. Bundle and retransmit those K DATA chunks in a 5734 * single packet to the destination endpoint. 5735 * 5736 * Note: Any DATA chunks that were sent to the address for 5737 * which the T3-rtx timer expired but did not fit in one MTU 5738 * (rule E3 above), should be marked for retransmission and 5739 * sent as soon as cwnd allows (normally when a SACK arrives). 5740 */ 5741 5742 /* Do some failure management (Section 8.2). */ 5743 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5744 5745 /* NB: Rules E4 and F1 are implicit in R1. */ 5746 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5747 5748 return SCTP_DISPOSITION_CONSUME; 5749} 5750 5751/* 5752 * Generate delayed SACK on timeout 5753 * 5754 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5755 * 5756 * The guidelines on delayed acknowledgement algorithm specified in 5757 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5758 * acknowledgement SHOULD be generated for at least every second packet 5759 * (not every second DATA chunk) received, and SHOULD be generated 5760 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5761 * some situations it may be beneficial for an SCTP transmitter to be 5762 * more conservative than the algorithms detailed in this document 5763 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5764 * the following algorithms allow. 5765 */ 5766enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net, 5767 const struct sctp_endpoint *ep, 5768 const struct sctp_association *asoc, 5769 const union sctp_subtype type, 5770 void *arg, 5771 struct sctp_cmd_seq *commands) 5772{ 5773 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5774 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5775 return SCTP_DISPOSITION_CONSUME; 5776} 5777 5778/* 5779 * sctp_sf_t1_init_timer_expire 5780 * 5781 * Section: 4 Note: 2 5782 * Verification Tag: 5783 * Inputs 5784 * (endpoint, asoc) 5785 * 5786 * RFC 2960 Section 4 Notes 5787 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5788 * and re-start the T1-init timer without changing state. This MUST 5789 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5790 * endpoint MUST abort the initialization process and report the 5791 * error to SCTP user. 5792 * 5793 * Outputs 5794 * (timers, events) 5795 * 5796 */ 5797enum sctp_disposition sctp_sf_t1_init_timer_expire( 5798 struct net *net, 5799 const struct sctp_endpoint *ep, 5800 const struct sctp_association *asoc, 5801 const union sctp_subtype type, 5802 void *arg, 5803 struct sctp_cmd_seq *commands) 5804{ 5805 int attempts = asoc->init_err_counter + 1; 5806 struct sctp_chunk *repl = NULL; 5807 struct sctp_bind_addr *bp; 5808 5809 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5810 5811 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5812 5813 if (attempts <= asoc->max_init_attempts) { 5814 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5815 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5816 if (!repl) 5817 return SCTP_DISPOSITION_NOMEM; 5818 5819 /* Choose transport for INIT. */ 5820 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5821 SCTP_CHUNK(repl)); 5822 5823 /* Issue a sideeffect to do the needed accounting. */ 5824 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5825 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5826 5827 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5828 } else { 5829 pr_debug("%s: giving up on INIT, attempts:%d " 5830 "max_init_attempts:%d\n", __func__, attempts, 5831 asoc->max_init_attempts); 5832 5833 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5834 SCTP_ERROR(ETIMEDOUT)); 5835 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5836 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5837 return SCTP_DISPOSITION_DELETE_TCB; 5838 } 5839 5840 return SCTP_DISPOSITION_CONSUME; 5841} 5842 5843/* 5844 * sctp_sf_t1_cookie_timer_expire 5845 * 5846 * Section: 4 Note: 2 5847 * Verification Tag: 5848 * Inputs 5849 * (endpoint, asoc) 5850 * 5851 * RFC 2960 Section 4 Notes 5852 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5853 * COOKIE ECHO and re-start the T1-cookie timer without changing 5854 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5855 * After that, the endpoint MUST abort the initialization process and 5856 * report the error to SCTP user. 5857 * 5858 * Outputs 5859 * (timers, events) 5860 * 5861 */ 5862enum sctp_disposition sctp_sf_t1_cookie_timer_expire( 5863 struct net *net, 5864 const struct sctp_endpoint *ep, 5865 const struct sctp_association *asoc, 5866 const union sctp_subtype type, 5867 void *arg, 5868 struct sctp_cmd_seq *commands) 5869{ 5870 int attempts = asoc->init_err_counter + 1; 5871 struct sctp_chunk *repl = NULL; 5872 5873 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5874 5875 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5876 5877 if (attempts <= asoc->max_init_attempts) { 5878 repl = sctp_make_cookie_echo(asoc, NULL); 5879 if (!repl) 5880 return SCTP_DISPOSITION_NOMEM; 5881 5882 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5883 SCTP_CHUNK(repl)); 5884 /* Issue a sideeffect to do the needed accounting. */ 5885 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5886 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5887 5888 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5889 } else { 5890 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5891 SCTP_ERROR(ETIMEDOUT)); 5892 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5893 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5894 return SCTP_DISPOSITION_DELETE_TCB; 5895 } 5896 5897 return SCTP_DISPOSITION_CONSUME; 5898} 5899 5900/* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 5901 * with the updated last sequential TSN received from its peer. 5902 * 5903 * An endpoint should limit the number of retransmissions of the 5904 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 5905 * If this threshold is exceeded the endpoint should destroy the TCB and 5906 * MUST report the peer endpoint unreachable to the upper layer (and 5907 * thus the association enters the CLOSED state). The reception of any 5908 * packet from its peer (i.e. as the peer sends all of its queued DATA 5909 * chunks) should clear the endpoint's retransmission count and restart 5910 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 5911 * all of its queued DATA chunks that have not yet been sent. 5912 */ 5913enum sctp_disposition sctp_sf_t2_timer_expire( 5914 struct net *net, 5915 const struct sctp_endpoint *ep, 5916 const struct sctp_association *asoc, 5917 const union sctp_subtype type, 5918 void *arg, 5919 struct sctp_cmd_seq *commands) 5920{ 5921 struct sctp_chunk *reply = NULL; 5922 5923 pr_debug("%s: timer T2 expired\n", __func__); 5924 5925 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 5926 5927 ((struct sctp_association *)asoc)->shutdown_retries++; 5928 5929 if (asoc->overall_error_count >= asoc->max_retrans) { 5930 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5931 SCTP_ERROR(ETIMEDOUT)); 5932 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5933 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5934 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5935 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5936 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5937 return SCTP_DISPOSITION_DELETE_TCB; 5938 } 5939 5940 switch (asoc->state) { 5941 case SCTP_STATE_SHUTDOWN_SENT: 5942 reply = sctp_make_shutdown(asoc, NULL); 5943 break; 5944 5945 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5946 reply = sctp_make_shutdown_ack(asoc, NULL); 5947 break; 5948 5949 default: 5950 BUG(); 5951 break; 5952 } 5953 5954 if (!reply) 5955 goto nomem; 5956 5957 /* Do some failure management (Section 8.2). 5958 * If we remove the transport an SHUTDOWN was last sent to, don't 5959 * do failure management. 5960 */ 5961 if (asoc->shutdown_last_sent_to) 5962 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5963 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5964 5965 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5966 * the T2-shutdown timer. 5967 */ 5968 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5969 5970 /* Restart the T2-shutdown timer. */ 5971 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5972 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5973 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5974 return SCTP_DISPOSITION_CONSUME; 5975 5976nomem: 5977 return SCTP_DISPOSITION_NOMEM; 5978} 5979 5980/* 5981 * ADDIP Section 4.1 ASCONF CHunk Procedures 5982 * If the T4 RTO timer expires the endpoint should do B1 to B5 5983 */ 5984enum sctp_disposition sctp_sf_t4_timer_expire( 5985 struct net *net, 5986 const struct sctp_endpoint *ep, 5987 const struct sctp_association *asoc, 5988 const union sctp_subtype type, 5989 void *arg, 5990 struct sctp_cmd_seq *commands) 5991{ 5992 struct sctp_chunk *chunk = asoc->addip_last_asconf; 5993 struct sctp_transport *transport = chunk->transport; 5994 5995 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 5996 5997 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 5998 * detection on the appropriate destination address as defined in 5999 * RFC2960 [5] section 8.1 and 8.2. 6000 */ 6001 if (transport) 6002 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 6003 SCTP_TRANSPORT(transport)); 6004 6005 /* Reconfig T4 timer and transport. */ 6006 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 6007 6008 /* ADDIP 4.1 B2) Increment the association error counters and perform 6009 * endpoint failure detection on the association as defined in 6010 * RFC2960 [5] section 8.1 and 8.2. 6011 * association error counter is incremented in SCTP_CMD_STRIKE. 6012 */ 6013 if (asoc->overall_error_count >= asoc->max_retrans) { 6014 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 6015 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6016 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6017 SCTP_ERROR(ETIMEDOUT)); 6018 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6019 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6020 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6021 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6022 return SCTP_DISPOSITION_ABORT; 6023 } 6024 6025 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 6026 * the ASCONF chunk was sent by doubling the RTO timer value. 6027 * This is done in SCTP_CMD_STRIKE. 6028 */ 6029 6030 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 6031 * choose an alternate destination address (please refer to RFC2960 6032 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 6033 * chunk, it MUST be the same (including its serial number) as the last 6034 * ASCONF sent. 6035 */ 6036 sctp_chunk_hold(asoc->addip_last_asconf); 6037 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6038 SCTP_CHUNK(asoc->addip_last_asconf)); 6039 6040 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 6041 * destination is selected, then the RTO used will be that of the new 6042 * destination address. 6043 */ 6044 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 6045 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6046 6047 return SCTP_DISPOSITION_CONSUME; 6048} 6049 6050/* sctpimpguide-05 Section 2.12.2 6051 * The sender of the SHUTDOWN MAY also start an overall guard timer 6052 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 6053 * At the expiration of this timer the sender SHOULD abort the association 6054 * by sending an ABORT chunk. 6055 */ 6056enum sctp_disposition sctp_sf_t5_timer_expire( 6057 struct net *net, 6058 const struct sctp_endpoint *ep, 6059 const struct sctp_association *asoc, 6060 const union sctp_subtype type, 6061 void *arg, 6062 struct sctp_cmd_seq *commands) 6063{ 6064 struct sctp_chunk *reply = NULL; 6065 6066 pr_debug("%s: timer T5 expired\n", __func__); 6067 6068 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 6069 6070 reply = sctp_make_abort(asoc, NULL, 0); 6071 if (!reply) 6072 goto nomem; 6073 6074 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6075 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6076 SCTP_ERROR(ETIMEDOUT)); 6077 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6078 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6079 6080 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6081 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6082 6083 return SCTP_DISPOSITION_DELETE_TCB; 6084nomem: 6085 return SCTP_DISPOSITION_NOMEM; 6086} 6087 6088/* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 6089 * the association is automatically closed by starting the shutdown process. 6090 * The work that needs to be done is same as when SHUTDOWN is initiated by 6091 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 6092 */ 6093enum sctp_disposition sctp_sf_autoclose_timer_expire( 6094 struct net *net, 6095 const struct sctp_endpoint *ep, 6096 const struct sctp_association *asoc, 6097 const union sctp_subtype type, 6098 void *arg, 6099 struct sctp_cmd_seq *commands) 6100{ 6101 enum sctp_disposition disposition; 6102 6103 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 6104 6105 /* From 9.2 Shutdown of an Association 6106 * Upon receipt of the SHUTDOWN primitive from its upper 6107 * layer, the endpoint enters SHUTDOWN-PENDING state and 6108 * remains there until all outstanding data has been 6109 * acknowledged by its peer. The endpoint accepts no new data 6110 * from its upper layer, but retransmits data to the far end 6111 * if necessary to fill gaps. 6112 */ 6113 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 6114 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 6115 6116 disposition = SCTP_DISPOSITION_CONSUME; 6117 if (sctp_outq_is_empty(&asoc->outqueue)) { 6118 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 6119 NULL, commands); 6120 } 6121 6122 return disposition; 6123} 6124 6125/***************************************************************************** 6126 * These are sa state functions which could apply to all types of events. 6127 ****************************************************************************/ 6128 6129/* 6130 * This table entry is not implemented. 6131 * 6132 * Inputs 6133 * (endpoint, asoc, chunk) 6134 * 6135 * The return value is the disposition of the chunk. 6136 */ 6137enum sctp_disposition sctp_sf_not_impl(struct net *net, 6138 const struct sctp_endpoint *ep, 6139 const struct sctp_association *asoc, 6140 const union sctp_subtype type, 6141 void *arg, struct sctp_cmd_seq *commands) 6142{ 6143 return SCTP_DISPOSITION_NOT_IMPL; 6144} 6145 6146/* 6147 * This table entry represents a bug. 6148 * 6149 * Inputs 6150 * (endpoint, asoc, chunk) 6151 * 6152 * The return value is the disposition of the chunk. 6153 */ 6154enum sctp_disposition sctp_sf_bug(struct net *net, 6155 const struct sctp_endpoint *ep, 6156 const struct sctp_association *asoc, 6157 const union sctp_subtype type, 6158 void *arg, struct sctp_cmd_seq *commands) 6159{ 6160 return SCTP_DISPOSITION_BUG; 6161} 6162 6163/* 6164 * This table entry represents the firing of a timer in the wrong state. 6165 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 6166 * when the association is in the wrong state. This event should 6167 * be ignored, so as to prevent any rearming of the timer. 6168 * 6169 * Inputs 6170 * (endpoint, asoc, chunk) 6171 * 6172 * The return value is the disposition of the chunk. 6173 */ 6174enum sctp_disposition sctp_sf_timer_ignore(struct net *net, 6175 const struct sctp_endpoint *ep, 6176 const struct sctp_association *asoc, 6177 const union sctp_subtype type, 6178 void *arg, 6179 struct sctp_cmd_seq *commands) 6180{ 6181 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 6182 6183 return SCTP_DISPOSITION_CONSUME; 6184} 6185 6186/******************************************************************** 6187 * 2nd Level Abstractions 6188 ********************************************************************/ 6189 6190/* Pull the SACK chunk based on the SACK header. */ 6191static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 6192{ 6193 struct sctp_sackhdr *sack; 6194 __u16 num_dup_tsns; 6195 unsigned int len; 6196 __u16 num_blocks; 6197 6198 /* Protect ourselves from reading too far into 6199 * the skb from a bogus sender. 6200 */ 6201 sack = (struct sctp_sackhdr *) chunk->skb->data; 6202 6203 num_blocks = ntohs(sack->num_gap_ack_blocks); 6204 num_dup_tsns = ntohs(sack->num_dup_tsns); 6205 len = sizeof(struct sctp_sackhdr); 6206 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 6207 if (len > chunk->skb->len) 6208 return NULL; 6209 6210 skb_pull(chunk->skb, len); 6211 6212 return sack; 6213} 6214 6215/* Create an ABORT packet to be sent as a response, with the specified 6216 * error causes. 6217 */ 6218static struct sctp_packet *sctp_abort_pkt_new( 6219 struct net *net, 6220 const struct sctp_endpoint *ep, 6221 const struct sctp_association *asoc, 6222 struct sctp_chunk *chunk, 6223 const void *payload, size_t paylen) 6224{ 6225 struct sctp_packet *packet; 6226 struct sctp_chunk *abort; 6227 6228 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6229 6230 if (packet) { 6231 /* Make an ABORT. 6232 * The T bit will be set if the asoc is NULL. 6233 */ 6234 abort = sctp_make_abort(asoc, chunk, paylen); 6235 if (!abort) { 6236 sctp_ootb_pkt_free(packet); 6237 return NULL; 6238 } 6239 6240 /* Reflect vtag if T-Bit is set */ 6241 if (sctp_test_T_bit(abort)) 6242 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 6243 6244 /* Add specified error causes, i.e., payload, to the 6245 * end of the chunk. 6246 */ 6247 sctp_addto_chunk(abort, paylen, payload); 6248 6249 /* Set the skb to the belonging sock for accounting. */ 6250 abort->skb->sk = ep->base.sk; 6251 6252 sctp_packet_append_chunk(packet, abort); 6253 6254 } 6255 6256 return packet; 6257} 6258 6259/* Allocate a packet for responding in the OOTB conditions. */ 6260static struct sctp_packet *sctp_ootb_pkt_new( 6261 struct net *net, 6262 const struct sctp_association *asoc, 6263 const struct sctp_chunk *chunk) 6264{ 6265 struct sctp_transport *transport; 6266 struct sctp_packet *packet; 6267 __u16 sport, dport; 6268 __u32 vtag; 6269 6270 /* Get the source and destination port from the inbound packet. */ 6271 sport = ntohs(chunk->sctp_hdr->dest); 6272 dport = ntohs(chunk->sctp_hdr->source); 6273 6274 /* The V-tag is going to be the same as the inbound packet if no 6275 * association exists, otherwise, use the peer's vtag. 6276 */ 6277 if (asoc) { 6278 /* Special case the INIT-ACK as there is no peer's vtag 6279 * yet. 6280 */ 6281 switch (chunk->chunk_hdr->type) { 6282 case SCTP_CID_INIT: 6283 case SCTP_CID_INIT_ACK: 6284 { 6285 struct sctp_initack_chunk *initack; 6286 6287 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 6288 vtag = ntohl(initack->init_hdr.init_tag); 6289 break; 6290 } 6291 default: 6292 vtag = asoc->peer.i.init_tag; 6293 break; 6294 } 6295 } else { 6296 /* Special case the INIT and stale COOKIE_ECHO as there is no 6297 * vtag yet. 6298 */ 6299 switch (chunk->chunk_hdr->type) { 6300 case SCTP_CID_INIT: 6301 { 6302 struct sctp_init_chunk *init; 6303 6304 init = (struct sctp_init_chunk *)chunk->chunk_hdr; 6305 vtag = ntohl(init->init_hdr.init_tag); 6306 break; 6307 } 6308 default: 6309 vtag = ntohl(chunk->sctp_hdr->vtag); 6310 break; 6311 } 6312 } 6313 6314 /* Make a transport for the bucket, Eliza... */ 6315 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6316 if (!transport) 6317 goto nomem; 6318 6319 /* Cache a route for the transport with the chunk's destination as 6320 * the source address. 6321 */ 6322 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6323 sctp_sk(net->sctp.ctl_sock)); 6324 6325 packet = &transport->packet; 6326 sctp_packet_init(packet, transport, sport, dport); 6327 sctp_packet_config(packet, vtag, 0); 6328 6329 return packet; 6330 6331nomem: 6332 return NULL; 6333} 6334 6335/* Free the packet allocated earlier for responding in the OOTB condition. */ 6336void sctp_ootb_pkt_free(struct sctp_packet *packet) 6337{ 6338 sctp_transport_free(packet->transport); 6339} 6340 6341/* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6342static void sctp_send_stale_cookie_err(struct net *net, 6343 const struct sctp_endpoint *ep, 6344 const struct sctp_association *asoc, 6345 const struct sctp_chunk *chunk, 6346 struct sctp_cmd_seq *commands, 6347 struct sctp_chunk *err_chunk) 6348{ 6349 struct sctp_packet *packet; 6350 6351 if (err_chunk) { 6352 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6353 if (packet) { 6354 struct sctp_signed_cookie *cookie; 6355 6356 /* Override the OOTB vtag from the cookie. */ 6357 cookie = chunk->subh.cookie_hdr; 6358 packet->vtag = cookie->c.peer_vtag; 6359 6360 /* Set the skb to the belonging sock for accounting. */ 6361 err_chunk->skb->sk = ep->base.sk; 6362 sctp_packet_append_chunk(packet, err_chunk); 6363 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6364 SCTP_PACKET(packet)); 6365 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6366 } else 6367 sctp_chunk_free (err_chunk); 6368 } 6369} 6370 6371 6372/* Process a data chunk */ 6373static int sctp_eat_data(const struct sctp_association *asoc, 6374 struct sctp_chunk *chunk, 6375 struct sctp_cmd_seq *commands) 6376{ 6377 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6378 struct sock *sk = asoc->base.sk; 6379 struct net *net = sock_net(sk); 6380 struct sctp_datahdr *data_hdr; 6381 struct sctp_chunk *err; 6382 enum sctp_verb deliver; 6383 size_t datalen; 6384 __u32 tsn; 6385 int tmp; 6386 6387 data_hdr = (struct sctp_datahdr *)chunk->skb->data; 6388 chunk->subh.data_hdr = data_hdr; 6389 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream)); 6390 6391 tsn = ntohl(data_hdr->tsn); 6392 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6393 6394 /* ASSERT: Now skb->data is really the user data. */ 6395 6396 /* Process ECN based congestion. 6397 * 6398 * Since the chunk structure is reused for all chunks within 6399 * a packet, we use ecn_ce_done to track if we've already 6400 * done CE processing for this packet. 6401 * 6402 * We need to do ECN processing even if we plan to discard the 6403 * chunk later. 6404 */ 6405 6406 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) { 6407 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af; 6408 chunk->ecn_ce_done = 1; 6409 6410 if (af->is_ce(sctp_gso_headskb(chunk->skb))) { 6411 /* Do real work as sideffect. */ 6412 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6413 SCTP_U32(tsn)); 6414 } 6415 } 6416 6417 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6418 if (tmp < 0) { 6419 /* The TSN is too high--silently discard the chunk and 6420 * count on it getting retransmitted later. 6421 */ 6422 if (chunk->asoc) 6423 chunk->asoc->stats.outofseqtsns++; 6424 return SCTP_IERROR_HIGH_TSN; 6425 } else if (tmp > 0) { 6426 /* This is a duplicate. Record it. */ 6427 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6428 return SCTP_IERROR_DUP_TSN; 6429 } 6430 6431 /* This is a new TSN. */ 6432 6433 /* Discard if there is no room in the receive window. 6434 * Actually, allow a little bit of overflow (up to a MTU). 6435 */ 6436 datalen = ntohs(chunk->chunk_hdr->length); 6437 datalen -= sctp_datachk_len(&asoc->stream); 6438 6439 deliver = SCTP_CMD_CHUNK_ULP; 6440 6441 /* Think about partial delivery. */ 6442 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6443 6444 /* Even if we don't accept this chunk there is 6445 * memory pressure. 6446 */ 6447 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6448 } 6449 6450 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6451 * seems a bit troublesome in that frag_point varies based on 6452 * PMTU. In cases, such as loopback, this might be a rather 6453 * large spill over. 6454 */ 6455 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6456 (datalen > asoc->rwnd + asoc->frag_point))) { 6457 6458 /* If this is the next TSN, consider reneging to make 6459 * room. Note: Playing nice with a confused sender. A 6460 * malicious sender can still eat up all our buffer 6461 * space and in the future we may want to detect and 6462 * do more drastic reneging. 6463 */ 6464 if (sctp_tsnmap_has_gap(map) && 6465 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6466 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6467 deliver = SCTP_CMD_RENEGE; 6468 } else { 6469 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6470 __func__, tsn, datalen, asoc->rwnd); 6471 6472 return SCTP_IERROR_IGNORE_TSN; 6473 } 6474 } 6475 6476 /* 6477 * Also try to renege to limit our memory usage in the event that 6478 * we are under memory pressure 6479 * If we can't renege, don't worry about it, the sk_rmem_schedule 6480 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6481 * memory usage too much 6482 */ 6483 if (sk_under_memory_pressure(sk)) { 6484 if (sctp_tsnmap_has_gap(map) && 6485 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6486 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6487 __func__, tsn); 6488 deliver = SCTP_CMD_RENEGE; 6489 } else { 6490 sk_mem_reclaim(sk); 6491 } 6492 } 6493 6494 /* 6495 * Section 3.3.10.9 No User Data (9) 6496 * 6497 * Cause of error 6498 * --------------- 6499 * No User Data: This error cause is returned to the originator of a 6500 * DATA chunk if a received DATA chunk has no user data. 6501 */ 6502 if (unlikely(0 == datalen)) { 6503 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6504 if (err) { 6505 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6506 SCTP_CHUNK(err)); 6507 } 6508 /* We are going to ABORT, so we might as well stop 6509 * processing the rest of the chunks in the packet. 6510 */ 6511 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6512 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6513 SCTP_ERROR(ECONNABORTED)); 6514 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6515 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6516 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6517 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6518 return SCTP_IERROR_NO_DATA; 6519 } 6520 6521 chunk->data_accepted = 1; 6522 6523 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6524 * if we renege and the chunk arrives again. 6525 */ 6526 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6527 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6528 if (chunk->asoc) 6529 chunk->asoc->stats.iuodchunks++; 6530 } else { 6531 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6532 if (chunk->asoc) 6533 chunk->asoc->stats.iodchunks++; 6534 } 6535 6536 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6537 * 6538 * If an endpoint receive a DATA chunk with an invalid stream 6539 * identifier, it shall acknowledge the reception of the DATA chunk 6540 * following the normal procedure, immediately send an ERROR chunk 6541 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6542 * and discard the DATA chunk. 6543 */ 6544 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) { 6545 /* Mark tsn as received even though we drop it */ 6546 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6547 6548 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6549 &data_hdr->stream, 6550 sizeof(data_hdr->stream), 6551 sizeof(u16)); 6552 if (err) 6553 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6554 SCTP_CHUNK(err)); 6555 return SCTP_IERROR_BAD_STREAM; 6556 } 6557 6558 /* Check to see if the SSN is possible for this TSN. 6559 * The biggest gap we can record is 4K wide. Since SSNs wrap 6560 * at an unsigned short, there is no way that an SSN can 6561 * wrap and for a valid TSN. We can simply check if the current 6562 * SSN is smaller then the next expected one. If it is, it wrapped 6563 * and is invalid. 6564 */ 6565 if (!asoc->stream.si->validate_data(chunk)) 6566 return SCTP_IERROR_PROTO_VIOLATION; 6567 6568 /* Send the data up to the user. Note: Schedule the 6569 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6570 * chunk needs the updated rwnd. 6571 */ 6572 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6573 6574 return SCTP_IERROR_NO_ERROR; 6575} 6576