1/* SCTP kernel reference Implementation 2 * (C) Copyright IBM Corp. 2001, 2004 3 * Copyright (c) 1999-2000 Cisco, Inc. 4 * Copyright (c) 1999-2001 Motorola, Inc. 5 * Copyright (c) 2001-2002 Intel Corp. 6 * Copyright (c) 2002 Nokia Corp. 7 * 8 * This file is part of the SCTP kernel reference Implementation 9 * 10 * This is part of the SCTP Linux Kernel Reference Implementation. 11 * 12 * These are the state functions for the state machine. 13 * 14 * The SCTP reference implementation is free software; 15 * you can redistribute it and/or modify it under the terms of 16 * the GNU General Public License as published by 17 * the Free Software Foundation; either version 2, or (at your option) 18 * any later version. 19 * 20 * The SCTP reference implementation is distributed in the hope that it 21 * will be useful, but WITHOUT ANY WARRANTY; without even the implied 22 * ************************ 23 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 24 * See the GNU General Public License for more details. 25 * 26 * You should have received a copy of the GNU General Public License 27 * along with GNU CC; see the file COPYING. If not, write to 28 * the Free Software Foundation, 59 Temple Place - Suite 330, 29 * Boston, MA 02111-1307, USA. 30 * 31 * Please send any bug reports or fixes you make to the 32 * email address(es): 33 * lksctp developers <lksctp-developers@lists.sourceforge.net> 34 * 35 * Or submit a bug report through the following website: 36 * http://www.sf.net/projects/lksctp 37 * 38 * Written or modified by: 39 * La Monte H.P. Yarroll <piggy@acm.org> 40 * Karl Knutson <karl@athena.chicago.il.us> 41 * Mathew Kotowsky <kotowsky@sctp.org> 42 * Sridhar Samudrala <samudrala@us.ibm.com> 43 * Jon Grimm <jgrimm@us.ibm.com> 44 * Hui Huang <hui.huang@nokia.com> 45 * Dajiang Zhang <dajiang.zhang@nokia.com> 46 * Daisy Chang <daisyc@us.ibm.com> 47 * Ardelle Fan <ardelle.fan@intel.com> 48 * Ryan Layer <rmlayer@us.ibm.com> 49 * Kevin Gao <kevin.gao@intel.com> 50 * 51 * Any bugs reported given to us we will try to fix... any fixes shared will 52 * be incorporated into the next SCTP release. 53 */ 54 55#include <linux/types.h> 56#include <linux/kernel.h> 57#include <linux/ip.h> 58#include <linux/ipv6.h> 59#include <linux/net.h> 60#include <linux/inet.h> 61#include <net/sock.h> 62#include <net/inet_ecn.h> 63#include <linux/skbuff.h> 64#include <net/sctp/sctp.h> 65#include <net/sctp/sm.h> 66#include <net/sctp/structs.h> 67 68static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 69 const struct sctp_association *asoc, 70 struct sctp_chunk *chunk, 71 const void *payload, 72 size_t paylen); 73static int sctp_eat_data(const struct sctp_association *asoc, 74 struct sctp_chunk *chunk, 75 sctp_cmd_seq_t *commands); 76static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 77 const struct sctp_chunk *chunk); 78static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const struct sctp_chunk *chunk, 81 sctp_cmd_seq_t *commands, 82 struct sctp_chunk *err_chunk); 83static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 84 const struct sctp_association *asoc, 85 const sctp_subtype_t type, 86 void *arg, 87 sctp_cmd_seq_t *commands); 88static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 89 const struct sctp_association *asoc, 90 const sctp_subtype_t type, 91 void *arg, 92 sctp_cmd_seq_t *commands); 93static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 94 95static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 96 __be16 error, int sk_err, 97 const struct sctp_association *asoc, 98 struct sctp_transport *transport); 99 100static sctp_disposition_t sctp_sf_violation_chunklen( 101 const struct sctp_endpoint *ep, 102 const struct sctp_association *asoc, 103 const sctp_subtype_t type, 104 void *arg, 105 sctp_cmd_seq_t *commands); 106 107/* Small helper function that checks if the chunk length 108 * is of the appropriate length. The 'required_length' argument 109 * is set to be the size of a specific chunk we are testing. 110 * Return Values: 1 = Valid length 111 * 0 = Invalid length 112 * 113 */ 114static inline int 115sctp_chunk_length_valid(struct sctp_chunk *chunk, 116 __u16 required_length) 117{ 118 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 119 120 if (unlikely(chunk_length < required_length)) 121 return 0; 122 123 return 1; 124} 125 126/********************************************************** 127 * These are the state functions for handling chunk events. 128 **********************************************************/ 129 130/* 131 * Process the final SHUTDOWN COMPLETE. 132 * 133 * Section: 4 (C) (diagram), 9.2 134 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 135 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 136 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 137 * should stop the T2-shutdown timer and remove all knowledge of the 138 * association (and thus the association enters the CLOSED state). 139 * 140 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 141 * C) Rules for packet carrying SHUTDOWN COMPLETE: 142 * ... 143 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 144 * if the Verification Tag field of the packet matches its own tag and 145 * the T bit is not set 146 * OR 147 * it is set to its peer's tag and the T bit is set in the Chunk 148 * Flags. 149 * Otherwise, the receiver MUST silently discard the packet 150 * and take no further action. An endpoint MUST ignore the 151 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 152 * 153 * Inputs 154 * (endpoint, asoc, chunk) 155 * 156 * Outputs 157 * (asoc, reply_msg, msg_up, timers, counters) 158 * 159 * The return value is the disposition of the chunk. 160 */ 161sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep, 162 const struct sctp_association *asoc, 163 const sctp_subtype_t type, 164 void *arg, 165 sctp_cmd_seq_t *commands) 166{ 167 struct sctp_chunk *chunk = arg; 168 struct sctp_ulpevent *ev; 169 170 /* RFC 2960 6.10 Bundling 171 * 172 * An endpoint MUST NOT bundle INIT, INIT ACK or 173 * SHUTDOWN COMPLETE with any other chunks. 174 */ 175 if (!chunk->singleton) 176 return SCTP_DISPOSITION_VIOLATION; 177 178 if (!sctp_vtag_verify_either(chunk, asoc)) 179 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 180 181 /* RFC 2960 10.2 SCTP-to-ULP 182 * 183 * H) SHUTDOWN COMPLETE notification 184 * 185 * When SCTP completes the shutdown procedures (section 9.2) this 186 * notification is passed to the upper layer. 187 */ 188 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 189 0, 0, 0, NULL, GFP_ATOMIC); 190 if (ev) 191 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 192 SCTP_ULPEVENT(ev)); 193 194 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 195 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 196 * not the chunk should be discarded. If the endpoint is in 197 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 198 * T2-shutdown timer and remove all knowledge of the 199 * association (and thus the association enters the CLOSED 200 * state). 201 */ 202 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 203 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 204 205 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 206 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 207 208 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 209 SCTP_STATE(SCTP_STATE_CLOSED)); 210 211 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 212 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 213 214 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 215 216 return SCTP_DISPOSITION_DELETE_TCB; 217} 218 219/* 220 * Respond to a normal INIT chunk. 221 * We are the side that is being asked for an association. 222 * 223 * Section: 5.1 Normal Establishment of an Association, B 224 * B) "Z" shall respond immediately with an INIT ACK chunk. The 225 * destination IP address of the INIT ACK MUST be set to the source 226 * IP address of the INIT to which this INIT ACK is responding. In 227 * the response, besides filling in other parameters, "Z" must set the 228 * Verification Tag field to Tag_A, and also provide its own 229 * Verification Tag (Tag_Z) in the Initiate Tag field. 230 * 231 * Verification Tag: Must be 0. 232 * 233 * Inputs 234 * (endpoint, asoc, chunk) 235 * 236 * Outputs 237 * (asoc, reply_msg, msg_up, timers, counters) 238 * 239 * The return value is the disposition of the chunk. 240 */ 241sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep, 242 const struct sctp_association *asoc, 243 const sctp_subtype_t type, 244 void *arg, 245 sctp_cmd_seq_t *commands) 246{ 247 struct sctp_chunk *chunk = arg; 248 struct sctp_chunk *repl; 249 struct sctp_association *new_asoc; 250 struct sctp_chunk *err_chunk; 251 struct sctp_packet *packet; 252 sctp_unrecognized_param_t *unk_param; 253 struct sock *sk; 254 int len; 255 256 /* 6.10 Bundling 257 * An endpoint MUST NOT bundle INIT, INIT ACK or 258 * SHUTDOWN COMPLETE with any other chunks. 259 * 260 * IG Section 2.11.2 261 * Furthermore, we require that the receiver of an INIT chunk MUST 262 * enforce these rules by silently discarding an arriving packet 263 * with an INIT chunk that is bundled with other chunks. 264 */ 265 if (!chunk->singleton) 266 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 267 268 /* If the packet is an OOTB packet which is temporarily on the 269 * control endpoint, respond with an ABORT. 270 */ 271 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 272 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 273 274 sk = ep->base.sk; 275 /* If the endpoint is not listening or if the number of associations 276 * on the TCP-style socket exceed the max backlog, respond with an 277 * ABORT. 278 */ 279 if (!sctp_sstate(sk, LISTENING) || 280 (sctp_style(sk, TCP) && 281 sk_acceptq_is_full(sk))) 282 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 283 284 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 285 * Tag. 286 */ 287 if (chunk->sctp_hdr->vtag != 0) 288 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 289 290 /* Make sure that the INIT chunk has a valid length. 291 * Normally, this would cause an ABORT with a Protocol Violation 292 * error, but since we don't have an association, we'll 293 * just discard the packet. 294 */ 295 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 296 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 297 298 /* Verify the INIT chunk before processing it. */ 299 err_chunk = NULL; 300 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 301 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 302 &err_chunk)) { 303 /* This chunk contains fatal error. It is to be discarded. 304 * Send an ABORT, with causes if there is any. 305 */ 306 if (err_chunk) { 307 packet = sctp_abort_pkt_new(ep, asoc, arg, 308 (__u8 *)(err_chunk->chunk_hdr) + 309 sizeof(sctp_chunkhdr_t), 310 ntohs(err_chunk->chunk_hdr->length) - 311 sizeof(sctp_chunkhdr_t)); 312 313 sctp_chunk_free(err_chunk); 314 315 if (packet) { 316 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 317 SCTP_PACKET(packet)); 318 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 319 return SCTP_DISPOSITION_CONSUME; 320 } else { 321 return SCTP_DISPOSITION_NOMEM; 322 } 323 } else { 324 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 325 commands); 326 } 327 } 328 329 /* Grab the INIT header. */ 330 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data; 331 332 /* Tag the variable length parameters. */ 333 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 334 335 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 336 if (!new_asoc) 337 goto nomem; 338 339 /* The call, sctp_process_init(), can fail on memory allocation. */ 340 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 341 sctp_source(chunk), 342 (sctp_init_chunk_t *)chunk->chunk_hdr, 343 GFP_ATOMIC)) 344 goto nomem_init; 345 346 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 347 348 /* If there are errors need to be reported for unknown parameters, 349 * make sure to reserve enough room in the INIT ACK for them. 350 */ 351 len = 0; 352 if (err_chunk) 353 len = ntohs(err_chunk->chunk_hdr->length) - 354 sizeof(sctp_chunkhdr_t); 355 356 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 357 goto nomem_init; 358 359 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 360 if (!repl) 361 goto nomem_init; 362 363 /* If there are errors need to be reported for unknown parameters, 364 * include them in the outgoing INIT ACK as "Unrecognized parameter" 365 * parameter. 366 */ 367 if (err_chunk) { 368 /* Get the "Unrecognized parameter" parameter(s) out of the 369 * ERROR chunk generated by sctp_verify_init(). Since the 370 * error cause code for "unknown parameter" and the 371 * "Unrecognized parameter" type is the same, we can 372 * construct the parameters in INIT ACK by copying the 373 * ERROR causes over. 374 */ 375 unk_param = (sctp_unrecognized_param_t *) 376 ((__u8 *)(err_chunk->chunk_hdr) + 377 sizeof(sctp_chunkhdr_t)); 378 /* Replace the cause code with the "Unrecognized parameter" 379 * parameter type. 380 */ 381 sctp_addto_chunk(repl, len, unk_param); 382 sctp_chunk_free(err_chunk); 383 } 384 385 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 386 387 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 388 389 /* 390 * Note: After sending out INIT ACK with the State Cookie parameter, 391 * "Z" MUST NOT allocate any resources, nor keep any states for the 392 * new association. Otherwise, "Z" will be vulnerable to resource 393 * attacks. 394 */ 395 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 396 397 return SCTP_DISPOSITION_DELETE_TCB; 398 399nomem_init: 400 sctp_association_free(new_asoc); 401nomem: 402 if (err_chunk) 403 sctp_chunk_free(err_chunk); 404 return SCTP_DISPOSITION_NOMEM; 405} 406 407/* 408 * Respond to a normal INIT ACK chunk. 409 * We are the side that is initiating the association. 410 * 411 * Section: 5.1 Normal Establishment of an Association, C 412 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 413 * timer and leave COOKIE-WAIT state. "A" shall then send the State 414 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 415 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 416 * 417 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 418 * DATA chunks, but it MUST be the first chunk in the packet and 419 * until the COOKIE ACK is returned the sender MUST NOT send any 420 * other packets to the peer. 421 * 422 * Verification Tag: 3.3.3 423 * If the value of the Initiate Tag in a received INIT ACK chunk is 424 * found to be 0, the receiver MUST treat it as an error and close the 425 * association by transmitting an ABORT. 426 * 427 * Inputs 428 * (endpoint, asoc, chunk) 429 * 430 * Outputs 431 * (asoc, reply_msg, msg_up, timers, counters) 432 * 433 * The return value is the disposition of the chunk. 434 */ 435sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, 436 const struct sctp_association *asoc, 437 const sctp_subtype_t type, 438 void *arg, 439 sctp_cmd_seq_t *commands) 440{ 441 struct sctp_chunk *chunk = arg; 442 sctp_init_chunk_t *initchunk; 443 struct sctp_chunk *err_chunk; 444 struct sctp_packet *packet; 445 sctp_error_t error; 446 447 if (!sctp_vtag_verify(chunk, asoc)) 448 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 449 450 /* Make sure that the INIT-ACK chunk has a valid length */ 451 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) 452 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 453 commands); 454 /* 6.10 Bundling 455 * An endpoint MUST NOT bundle INIT, INIT ACK or 456 * SHUTDOWN COMPLETE with any other chunks. 457 */ 458 if (!chunk->singleton) 459 return SCTP_DISPOSITION_VIOLATION; 460 461 /* Grab the INIT header. */ 462 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 463 464 /* Verify the INIT chunk before processing it. */ 465 err_chunk = NULL; 466 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 467 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 468 &err_chunk)) { 469 470 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 471 472 /* This chunk contains fatal error. It is to be discarded. 473 * Send an ABORT, with causes if there is any. 474 */ 475 if (err_chunk) { 476 packet = sctp_abort_pkt_new(ep, asoc, arg, 477 (__u8 *)(err_chunk->chunk_hdr) + 478 sizeof(sctp_chunkhdr_t), 479 ntohs(err_chunk->chunk_hdr->length) - 480 sizeof(sctp_chunkhdr_t)); 481 482 sctp_chunk_free(err_chunk); 483 484 if (packet) { 485 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 486 SCTP_PACKET(packet)); 487 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 488 error = SCTP_ERROR_INV_PARAM; 489 } else { 490 error = SCTP_ERROR_NO_RESOURCE; 491 } 492 } else { 493 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 494 error = SCTP_ERROR_INV_PARAM; 495 } 496 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, 497 asoc, chunk->transport); 498 } 499 500 /* Tag the variable length parameters. Note that we never 501 * convert the parameters in an INIT chunk. 502 */ 503 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 504 505 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr; 506 507 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 508 SCTP_PEER_INIT(initchunk)); 509 510 /* Reset init error count upon receipt of INIT-ACK. */ 511 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 512 513 /* 5.1 C) "A" shall stop the T1-init timer and leave 514 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 515 * timer, and enter the COOKIE-ECHOED state. 516 */ 517 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 518 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 519 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 520 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 521 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 522 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 523 524 /* 5.1 C) "A" shall then send the State Cookie received in the 525 * INIT ACK chunk in a COOKIE ECHO chunk, ... 526 */ 527 /* If there is any errors to report, send the ERROR chunk generated 528 * for unknown parameters as well. 529 */ 530 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 531 SCTP_CHUNK(err_chunk)); 532 533 return SCTP_DISPOSITION_CONSUME; 534} 535 536/* 537 * Respond to a normal COOKIE ECHO chunk. 538 * We are the side that is being asked for an association. 539 * 540 * Section: 5.1 Normal Establishment of an Association, D 541 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 542 * with a COOKIE ACK chunk after building a TCB and moving to 543 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 544 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 545 * chunk MUST be the first chunk in the packet. 546 * 547 * IMPLEMENTATION NOTE: An implementation may choose to send the 548 * Communication Up notification to the SCTP user upon reception 549 * of a valid COOKIE ECHO chunk. 550 * 551 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 552 * D) Rules for packet carrying a COOKIE ECHO 553 * 554 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 555 * Initial Tag received in the INIT ACK. 556 * 557 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 558 * 559 * Inputs 560 * (endpoint, asoc, chunk) 561 * 562 * Outputs 563 * (asoc, reply_msg, msg_up, timers, counters) 564 * 565 * The return value is the disposition of the chunk. 566 */ 567sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, 568 const struct sctp_association *asoc, 569 const sctp_subtype_t type, void *arg, 570 sctp_cmd_seq_t *commands) 571{ 572 struct sctp_chunk *chunk = arg; 573 struct sctp_association *new_asoc; 574 sctp_init_chunk_t *peer_init; 575 struct sctp_chunk *repl; 576 struct sctp_ulpevent *ev, *ai_ev = NULL; 577 int error = 0; 578 struct sctp_chunk *err_chk_p; 579 580 /* If the packet is an OOTB packet which is temporarily on the 581 * control endpoint, respond with an ABORT. 582 */ 583 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 584 return sctp_sf_ootb(ep, asoc, type, arg, commands); 585 586 /* Make sure that the COOKIE_ECHO chunk has a valid length. 587 * In this case, we check that we have enough for at least a 588 * chunk header. More detailed verification is done 589 * in sctp_unpack_cookie(). 590 */ 591 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 592 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 593 594 /* "Decode" the chunk. We have no optional parameters so we 595 * are in good shape. 596 */ 597 chunk->subh.cookie_hdr = 598 (struct sctp_signed_cookie *)chunk->skb->data; 599 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 600 sizeof(sctp_chunkhdr_t))) 601 goto nomem; 602 603 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 604 * "Z" will reply with a COOKIE ACK chunk after building a TCB 605 * and moving to the ESTABLISHED state. 606 */ 607 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 608 &err_chk_p); 609 610 if (!new_asoc) { 611 switch (error) { 612 case -SCTP_IERROR_NOMEM: 613 goto nomem; 614 615 case -SCTP_IERROR_STALE_COOKIE: 616 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 617 err_chk_p); 618 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 619 620 case -SCTP_IERROR_BAD_SIG: 621 default: 622 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 623 } 624 } 625 626 627 /* Delay state machine commands until later. 628 * 629 * Re-build the bind address for the association is done in 630 * the sctp_unpack_cookie() already. 631 */ 632 /* This is a brand-new association, so these are not yet side 633 * effects--it is safe to run them here. 634 */ 635 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 636 637 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 638 &chunk->subh.cookie_hdr->c.peer_addr, 639 peer_init, GFP_ATOMIC)) 640 goto nomem_init; 641 642 repl = sctp_make_cookie_ack(new_asoc, chunk); 643 if (!repl) 644 goto nomem_init; 645 646 /* RFC 2960 5.1 Normal Establishment of an Association 647 * 648 * D) IMPLEMENTATION NOTE: An implementation may choose to 649 * send the Communication Up notification to the SCTP user 650 * upon reception of a valid COOKIE ECHO chunk. 651 */ 652 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 653 new_asoc->c.sinit_num_ostreams, 654 new_asoc->c.sinit_max_instreams, 655 NULL, GFP_ATOMIC); 656 if (!ev) 657 goto nomem_ev; 658 659 /* Sockets API Draft Section 5.3.1.6 660 * When a peer sends a Adaptation Layer Indication parameter , SCTP 661 * delivers this notification to inform the application that of the 662 * peers requested adaptation layer. 663 */ 664 if (new_asoc->peer.adaptation_ind) { 665 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 666 GFP_ATOMIC); 667 if (!ai_ev) 668 goto nomem_aiev; 669 } 670 671 /* Add all the state machine commands now since we've created 672 * everything. This way we don't introduce memory corruptions 673 * during side-effect processing and correclty count established 674 * associations. 675 */ 676 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 677 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 678 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 679 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 680 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS); 681 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 682 683 if (new_asoc->autoclose) 684 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 685 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 686 687 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 688 689 /* This will send the COOKIE ACK */ 690 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 691 692 /* Queue the ASSOC_CHANGE event */ 693 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 694 695 /* Send up the Adaptation Layer Indication event */ 696 if (ai_ev) 697 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 698 SCTP_ULPEVENT(ai_ev)); 699 700 return SCTP_DISPOSITION_CONSUME; 701 702nomem_aiev: 703 sctp_ulpevent_free(ev); 704nomem_ev: 705 sctp_chunk_free(repl); 706nomem_init: 707 sctp_association_free(new_asoc); 708nomem: 709 return SCTP_DISPOSITION_NOMEM; 710} 711 712/* 713 * Respond to a normal COOKIE ACK chunk. 714 * We are the side that is being asked for an association. 715 * 716 * RFC 2960 5.1 Normal Establishment of an Association 717 * 718 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 719 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 720 * timer. It may also notify its ULP about the successful 721 * establishment of the association with a Communication Up 722 * notification (see Section 10). 723 * 724 * Verification Tag: 725 * Inputs 726 * (endpoint, asoc, chunk) 727 * 728 * Outputs 729 * (asoc, reply_msg, msg_up, timers, counters) 730 * 731 * The return value is the disposition of the chunk. 732 */ 733sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep, 734 const struct sctp_association *asoc, 735 const sctp_subtype_t type, void *arg, 736 sctp_cmd_seq_t *commands) 737{ 738 struct sctp_chunk *chunk = arg; 739 struct sctp_ulpevent *ev; 740 741 if (!sctp_vtag_verify(chunk, asoc)) 742 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 743 744 /* Verify that the chunk length for the COOKIE-ACK is OK. 745 * If we don't do this, any bundled chunks may be junked. 746 */ 747 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 748 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 749 commands); 750 751 /* Reset init error count upon receipt of COOKIE-ACK, 752 * to avoid problems with the managemement of this 753 * counter in stale cookie situations when a transition back 754 * from the COOKIE-ECHOED state to the COOKIE-WAIT 755 * state is performed. 756 */ 757 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 758 759 /* RFC 2960 5.1 Normal Establishment of an Association 760 * 761 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 762 * from the COOKIE-ECHOED state to the ESTABLISHED state, 763 * stopping the T1-cookie timer. 764 */ 765 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 766 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 767 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 768 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 769 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 770 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS); 771 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 772 if (asoc->autoclose) 773 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 774 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 775 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 776 777 /* It may also notify its ULP about the successful 778 * establishment of the association with a Communication Up 779 * notification (see Section 10). 780 */ 781 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 782 0, asoc->c.sinit_num_ostreams, 783 asoc->c.sinit_max_instreams, 784 NULL, GFP_ATOMIC); 785 786 if (!ev) 787 goto nomem; 788 789 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 790 791 /* Sockets API Draft Section 5.3.1.6 792 * When a peer sends a Adaptation Layer Indication parameter , SCTP 793 * delivers this notification to inform the application that of the 794 * peers requested adaptation layer. 795 */ 796 if (asoc->peer.adaptation_ind) { 797 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 798 if (!ev) 799 goto nomem; 800 801 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 802 SCTP_ULPEVENT(ev)); 803 } 804 805 return SCTP_DISPOSITION_CONSUME; 806nomem: 807 return SCTP_DISPOSITION_NOMEM; 808} 809 810/* Generate and sendout a heartbeat packet. */ 811static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep, 812 const struct sctp_association *asoc, 813 const sctp_subtype_t type, 814 void *arg, 815 sctp_cmd_seq_t *commands) 816{ 817 struct sctp_transport *transport = (struct sctp_transport *) arg; 818 struct sctp_chunk *reply; 819 sctp_sender_hb_info_t hbinfo; 820 size_t paylen = 0; 821 822 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO; 823 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t)); 824 hbinfo.daddr = transport->ipaddr; 825 hbinfo.sent_at = jiffies; 826 hbinfo.hb_nonce = transport->hb_nonce; 827 828 /* Send a heartbeat to our peer. */ 829 paylen = sizeof(sctp_sender_hb_info_t); 830 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen); 831 if (!reply) 832 return SCTP_DISPOSITION_NOMEM; 833 834 /* Set rto_pending indicating that an RTT measurement 835 * is started with this heartbeat chunk. 836 */ 837 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 838 SCTP_TRANSPORT(transport)); 839 840 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 841 return SCTP_DISPOSITION_CONSUME; 842} 843 844/* Generate a HEARTBEAT packet on the given transport. */ 845sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, 846 const struct sctp_association *asoc, 847 const sctp_subtype_t type, 848 void *arg, 849 sctp_cmd_seq_t *commands) 850{ 851 struct sctp_transport *transport = (struct sctp_transport *) arg; 852 853 if (asoc->overall_error_count >= asoc->max_retrans) { 854 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 855 SCTP_ERROR(ETIMEDOUT)); 856 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 857 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 858 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 859 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 860 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 861 return SCTP_DISPOSITION_DELETE_TCB; 862 } 863 864 /* Section 3.3.5. 865 * The Sender-specific Heartbeat Info field should normally include 866 * information about the sender's current time when this HEARTBEAT 867 * chunk is sent and the destination transport address to which this 868 * HEARTBEAT is sent (see Section 8.3). 869 */ 870 871 if (transport->param_flags & SPP_HB_ENABLE) { 872 if (SCTP_DISPOSITION_NOMEM == 873 sctp_sf_heartbeat(ep, asoc, type, arg, 874 commands)) 875 return SCTP_DISPOSITION_NOMEM; 876 /* Set transport error counter and association error counter 877 * when sending heartbeat. 878 */ 879 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 880 SCTP_TRANSPORT(transport)); 881 } 882 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 883 SCTP_TRANSPORT(transport)); 884 885 return SCTP_DISPOSITION_CONSUME; 886} 887 888/* 889 * Process an heartbeat request. 890 * 891 * Section: 8.3 Path Heartbeat 892 * The receiver of the HEARTBEAT should immediately respond with a 893 * HEARTBEAT ACK that contains the Heartbeat Information field copied 894 * from the received HEARTBEAT chunk. 895 * 896 * Verification Tag: 8.5 Verification Tag [Normal verification] 897 * When receiving an SCTP packet, the endpoint MUST ensure that the 898 * value in the Verification Tag field of the received SCTP packet 899 * matches its own Tag. If the received Verification Tag value does not 900 * match the receiver's own tag value, the receiver shall silently 901 * discard the packet and shall not process it any further except for 902 * those cases listed in Section 8.5.1 below. 903 * 904 * Inputs 905 * (endpoint, asoc, chunk) 906 * 907 * Outputs 908 * (asoc, reply_msg, msg_up, timers, counters) 909 * 910 * The return value is the disposition of the chunk. 911 */ 912sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, 913 const struct sctp_association *asoc, 914 const sctp_subtype_t type, 915 void *arg, 916 sctp_cmd_seq_t *commands) 917{ 918 struct sctp_chunk *chunk = arg; 919 struct sctp_chunk *reply; 920 size_t paylen = 0; 921 922 if (!sctp_vtag_verify(chunk, asoc)) 923 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 924 925 /* Make sure that the HEARTBEAT chunk has a valid length. */ 926 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 927 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 928 commands); 929 930 /* 8.3 The receiver of the HEARTBEAT should immediately 931 * respond with a HEARTBEAT ACK that contains the Heartbeat 932 * Information field copied from the received HEARTBEAT chunk. 933 */ 934 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 935 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 936 if (!pskb_pull(chunk->skb, paylen)) 937 goto nomem; 938 939 reply = sctp_make_heartbeat_ack(asoc, chunk, 940 chunk->subh.hb_hdr, paylen); 941 if (!reply) 942 goto nomem; 943 944 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 945 return SCTP_DISPOSITION_CONSUME; 946 947nomem: 948 return SCTP_DISPOSITION_NOMEM; 949} 950 951/* 952 * Process the returning HEARTBEAT ACK. 953 * 954 * Section: 8.3 Path Heartbeat 955 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 956 * should clear the error counter of the destination transport 957 * address to which the HEARTBEAT was sent, and mark the destination 958 * transport address as active if it is not so marked. The endpoint may 959 * optionally report to the upper layer when an inactive destination 960 * address is marked as active due to the reception of the latest 961 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 962 * clear the association overall error count as well (as defined 963 * in section 8.1). 964 * 965 * The receiver of the HEARTBEAT ACK should also perform an RTT 966 * measurement for that destination transport address using the time 967 * value carried in the HEARTBEAT ACK chunk. 968 * 969 * Verification Tag: 8.5 Verification Tag [Normal verification] 970 * 971 * Inputs 972 * (endpoint, asoc, chunk) 973 * 974 * Outputs 975 * (asoc, reply_msg, msg_up, timers, counters) 976 * 977 * The return value is the disposition of the chunk. 978 */ 979sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, 980 const struct sctp_association *asoc, 981 const sctp_subtype_t type, 982 void *arg, 983 sctp_cmd_seq_t *commands) 984{ 985 struct sctp_chunk *chunk = arg; 986 union sctp_addr from_addr; 987 struct sctp_transport *link; 988 sctp_sender_hb_info_t *hbinfo; 989 unsigned long max_interval; 990 991 if (!sctp_vtag_verify(chunk, asoc)) 992 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 993 994 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 995 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t))) 996 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 997 commands); 998 999 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; 1000 /* Make sure that the length of the parameter is what we expect */ 1001 if (ntohs(hbinfo->param_hdr.length) != 1002 sizeof(sctp_sender_hb_info_t)) { 1003 return SCTP_DISPOSITION_DISCARD; 1004 } 1005 1006 from_addr = hbinfo->daddr; 1007 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1008 1009 /* This should never happen, but lets log it if so. */ 1010 if (unlikely(!link)) { 1011 if (from_addr.sa.sa_family == AF_INET6) { 1012 printk(KERN_WARNING 1013 "%s association %p could not find address " 1014 NIP6_FMT "\n", 1015 __FUNCTION__, 1016 asoc, 1017 NIP6(from_addr.v6.sin6_addr)); 1018 } else { 1019 printk(KERN_WARNING 1020 "%s association %p could not find address " 1021 NIPQUAD_FMT "\n", 1022 __FUNCTION__, 1023 asoc, 1024 NIPQUAD(from_addr.v4.sin_addr.s_addr)); 1025 } 1026 return SCTP_DISPOSITION_DISCARD; 1027 } 1028 1029 /* Validate the 64-bit random nonce. */ 1030 if (hbinfo->hb_nonce != link->hb_nonce) 1031 return SCTP_DISPOSITION_DISCARD; 1032 1033 max_interval = link->hbinterval + link->rto; 1034 1035 /* Check if the timestamp looks valid. */ 1036 if (time_after(hbinfo->sent_at, jiffies) || 1037 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1038 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp" 1039 "received for transport: %p\n", 1040 __FUNCTION__, link); 1041 return SCTP_DISPOSITION_DISCARD; 1042 } 1043 1044 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1045 * the HEARTBEAT should clear the error counter of the 1046 * destination transport address to which the HEARTBEAT was 1047 * sent and mark the destination transport address as active if 1048 * it is not so marked. 1049 */ 1050 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1051 1052 return SCTP_DISPOSITION_CONSUME; 1053} 1054 1055/* Helper function to send out an abort for the restart 1056 * condition. 1057 */ 1058static int sctp_sf_send_restart_abort(union sctp_addr *ssa, 1059 struct sctp_chunk *init, 1060 sctp_cmd_seq_t *commands) 1061{ 1062 int len; 1063 struct sctp_packet *pkt; 1064 union sctp_addr_param *addrparm; 1065 struct sctp_errhdr *errhdr; 1066 struct sctp_endpoint *ep; 1067 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)]; 1068 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1069 1070 /* Build the error on the stack. We are way to malloc crazy 1071 * throughout the code today. 1072 */ 1073 errhdr = (struct sctp_errhdr *)buffer; 1074 addrparm = (union sctp_addr_param *)errhdr->variable; 1075 1076 /* Copy into a parm format. */ 1077 len = af->to_addr_param(ssa, addrparm); 1078 len += sizeof(sctp_errhdr_t); 1079 1080 errhdr->cause = SCTP_ERROR_RESTART; 1081 errhdr->length = htons(len); 1082 1083 /* Assign to the control socket. */ 1084 ep = sctp_sk((sctp_get_ctl_sock()))->ep; 1085 1086 /* Association is NULL since this may be a restart attack and we 1087 * want to send back the attacker's vtag. 1088 */ 1089 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len); 1090 1091 if (!pkt) 1092 goto out; 1093 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1094 1095 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1096 1097 /* Discard the rest of the inbound packet. */ 1098 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1099 1100out: 1101 /* Even if there is no memory, treat as a failure so 1102 * the packet will get dropped. 1103 */ 1104 return 0; 1105} 1106 1107/* A restart is occurring, check to make sure no new addresses 1108 * are being added as we may be under a takeover attack. 1109 */ 1110static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1111 const struct sctp_association *asoc, 1112 struct sctp_chunk *init, 1113 sctp_cmd_seq_t *commands) 1114{ 1115 struct sctp_transport *new_addr, *addr; 1116 struct list_head *pos, *pos2; 1117 int found; 1118 1119 /* Implementor's Guide - Sectin 5.2.2 1120 * ... 1121 * Before responding the endpoint MUST check to see if the 1122 * unexpected INIT adds new addresses to the association. If new 1123 * addresses are added to the association, the endpoint MUST respond 1124 * with an ABORT.. 1125 */ 1126 1127 /* Search through all current addresses and make sure 1128 * we aren't adding any new ones. 1129 */ 1130 new_addr = NULL; 1131 found = 0; 1132 1133 list_for_each(pos, &new_asoc->peer.transport_addr_list) { 1134 new_addr = list_entry(pos, struct sctp_transport, transports); 1135 found = 0; 1136 list_for_each(pos2, &asoc->peer.transport_addr_list) { 1137 addr = list_entry(pos2, struct sctp_transport, 1138 transports); 1139 if (sctp_cmp_addr_exact(&new_addr->ipaddr, 1140 &addr->ipaddr)) { 1141 found = 1; 1142 break; 1143 } 1144 } 1145 if (!found) 1146 break; 1147 } 1148 1149 /* If a new address was added, ABORT the sender. */ 1150 if (!found && new_addr) { 1151 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands); 1152 } 1153 1154 /* Return success if all addresses were found. */ 1155 return found; 1156} 1157 1158/* Populate the verification/tie tags based on overlapping INIT 1159 * scenario. 1160 * 1161 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1162 */ 1163static void sctp_tietags_populate(struct sctp_association *new_asoc, 1164 const struct sctp_association *asoc) 1165{ 1166 switch (asoc->state) { 1167 1168 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1169 1170 case SCTP_STATE_COOKIE_WAIT: 1171 new_asoc->c.my_vtag = asoc->c.my_vtag; 1172 new_asoc->c.my_ttag = asoc->c.my_vtag; 1173 new_asoc->c.peer_ttag = 0; 1174 break; 1175 1176 case SCTP_STATE_COOKIE_ECHOED: 1177 new_asoc->c.my_vtag = asoc->c.my_vtag; 1178 new_asoc->c.my_ttag = asoc->c.my_vtag; 1179 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1180 break; 1181 1182 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1183 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1184 */ 1185 default: 1186 new_asoc->c.my_ttag = asoc->c.my_vtag; 1187 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1188 break; 1189 } 1190 1191 /* Other parameters for the endpoint SHOULD be copied from the 1192 * existing parameters of the association (e.g. number of 1193 * outbound streams) into the INIT ACK and cookie. 1194 */ 1195 new_asoc->rwnd = asoc->rwnd; 1196 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1197 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1198 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1199} 1200 1201/* 1202 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1203 * handling action. 1204 * 1205 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1206 * 1207 * Returns value representing action to be taken. These action values 1208 * correspond to Action/Description values in RFC 2960, Table 2. 1209 */ 1210static char sctp_tietags_compare(struct sctp_association *new_asoc, 1211 const struct sctp_association *asoc) 1212{ 1213 /* In this case, the peer may have restarted. */ 1214 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1215 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1216 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1217 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1218 return 'A'; 1219 1220 /* Collision case B. */ 1221 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1222 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1223 (0 == asoc->c.peer_vtag))) { 1224 return 'B'; 1225 } 1226 1227 /* Collision case D. */ 1228 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1229 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1230 return 'D'; 1231 1232 /* Collision case C. */ 1233 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1234 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1235 (0 == new_asoc->c.my_ttag) && 1236 (0 == new_asoc->c.peer_ttag)) 1237 return 'C'; 1238 1239 /* No match to any of the special cases; discard this packet. */ 1240 return 'E'; 1241} 1242 1243/* Common helper routine for both duplicate and simulataneous INIT 1244 * chunk handling. 1245 */ 1246static sctp_disposition_t sctp_sf_do_unexpected_init( 1247 const struct sctp_endpoint *ep, 1248 const struct sctp_association *asoc, 1249 const sctp_subtype_t type, 1250 void *arg, sctp_cmd_seq_t *commands) 1251{ 1252 sctp_disposition_t retval; 1253 struct sctp_chunk *chunk = arg; 1254 struct sctp_chunk *repl; 1255 struct sctp_association *new_asoc; 1256 struct sctp_chunk *err_chunk; 1257 struct sctp_packet *packet; 1258 sctp_unrecognized_param_t *unk_param; 1259 int len; 1260 1261 /* 6.10 Bundling 1262 * An endpoint MUST NOT bundle INIT, INIT ACK or 1263 * SHUTDOWN COMPLETE with any other chunks. 1264 * 1265 * IG Section 2.11.2 1266 * Furthermore, we require that the receiver of an INIT chunk MUST 1267 * enforce these rules by silently discarding an arriving packet 1268 * with an INIT chunk that is bundled with other chunks. 1269 */ 1270 if (!chunk->singleton) 1271 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1272 1273 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1274 * Tag. 1275 */ 1276 if (chunk->sctp_hdr->vtag != 0) 1277 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 1278 1279 /* Make sure that the INIT chunk has a valid length. 1280 * In this case, we generate a protocol violation since we have 1281 * an association established. 1282 */ 1283 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t))) 1284 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1285 commands); 1286 /* Grab the INIT header. */ 1287 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; 1288 1289 /* Tag the variable length parameters. */ 1290 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t)); 1291 1292 /* Verify the INIT chunk before processing it. */ 1293 err_chunk = NULL; 1294 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, 1295 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk, 1296 &err_chunk)) { 1297 /* This chunk contains fatal error. It is to be discarded. 1298 * Send an ABORT, with causes if there is any. 1299 */ 1300 if (err_chunk) { 1301 packet = sctp_abort_pkt_new(ep, asoc, arg, 1302 (__u8 *)(err_chunk->chunk_hdr) + 1303 sizeof(sctp_chunkhdr_t), 1304 ntohs(err_chunk->chunk_hdr->length) - 1305 sizeof(sctp_chunkhdr_t)); 1306 1307 if (packet) { 1308 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1309 SCTP_PACKET(packet)); 1310 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 1311 retval = SCTP_DISPOSITION_CONSUME; 1312 } else { 1313 retval = SCTP_DISPOSITION_NOMEM; 1314 } 1315 goto cleanup; 1316 } else { 1317 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, 1318 commands); 1319 } 1320 } 1321 1322 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1323 if (!new_asoc) 1324 goto nomem; 1325 1326 /* In the outbound INIT ACK the endpoint MUST copy its current 1327 * Verification Tag and Peers Verification tag into a reserved 1328 * place (local tie-tag and per tie-tag) within the state cookie. 1329 */ 1330 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1331 sctp_source(chunk), 1332 (sctp_init_chunk_t *)chunk->chunk_hdr, 1333 GFP_ATOMIC)) 1334 goto nomem; 1335 1336 /* Make sure no new addresses are being added during the 1337 * restart. Do not do this check for COOKIE-WAIT state, 1338 * since there are no peer addresses to check against. 1339 * Upon return an ABORT will have been sent if needed. 1340 */ 1341 if (!sctp_state(asoc, COOKIE_WAIT)) { 1342 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1343 commands)) { 1344 retval = SCTP_DISPOSITION_CONSUME; 1345 goto nomem_retval; 1346 } 1347 } 1348 1349 sctp_tietags_populate(new_asoc, asoc); 1350 1351 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1352 1353 /* If there are errors need to be reported for unknown parameters, 1354 * make sure to reserve enough room in the INIT ACK for them. 1355 */ 1356 len = 0; 1357 if (err_chunk) { 1358 len = ntohs(err_chunk->chunk_hdr->length) - 1359 sizeof(sctp_chunkhdr_t); 1360 } 1361 1362 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0) 1363 goto nomem; 1364 1365 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1366 if (!repl) 1367 goto nomem; 1368 1369 /* If there are errors need to be reported for unknown parameters, 1370 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1371 * parameter. 1372 */ 1373 if (err_chunk) { 1374 /* Get the "Unrecognized parameter" parameter(s) out of the 1375 * ERROR chunk generated by sctp_verify_init(). Since the 1376 * error cause code for "unknown parameter" and the 1377 * "Unrecognized parameter" type is the same, we can 1378 * construct the parameters in INIT ACK by copying the 1379 * ERROR causes over. 1380 */ 1381 unk_param = (sctp_unrecognized_param_t *) 1382 ((__u8 *)(err_chunk->chunk_hdr) + 1383 sizeof(sctp_chunkhdr_t)); 1384 /* Replace the cause code with the "Unrecognized parameter" 1385 * parameter type. 1386 */ 1387 sctp_addto_chunk(repl, len, unk_param); 1388 } 1389 1390 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1391 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1392 1393 /* 1394 * Note: After sending out INIT ACK with the State Cookie parameter, 1395 * "Z" MUST NOT allocate any resources for this new association. 1396 * Otherwise, "Z" will be vulnerable to resource attacks. 1397 */ 1398 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1399 retval = SCTP_DISPOSITION_CONSUME; 1400 1401 return retval; 1402 1403nomem: 1404 retval = SCTP_DISPOSITION_NOMEM; 1405nomem_retval: 1406 if (new_asoc) 1407 sctp_association_free(new_asoc); 1408cleanup: 1409 if (err_chunk) 1410 sctp_chunk_free(err_chunk); 1411 return retval; 1412} 1413 1414/* 1415 * Handle simultanous INIT. 1416 * This means we started an INIT and then we got an INIT request from 1417 * our peer. 1418 * 1419 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1420 * This usually indicates an initialization collision, i.e., each 1421 * endpoint is attempting, at about the same time, to establish an 1422 * association with the other endpoint. 1423 * 1424 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1425 * endpoint MUST respond with an INIT ACK using the same parameters it 1426 * sent in its original INIT chunk (including its Verification Tag, 1427 * unchanged). These original parameters are combined with those from the 1428 * newly received INIT chunk. The endpoint shall also generate a State 1429 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1430 * INIT to calculate the State Cookie. 1431 * 1432 * After that, the endpoint MUST NOT change its state, the T1-init 1433 * timer shall be left running and the corresponding TCB MUST NOT be 1434 * destroyed. The normal procedures for handling State Cookies when 1435 * a TCB exists will resolve the duplicate INITs to a single association. 1436 * 1437 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1438 * its Tie-Tags with the Tag information of itself and its peer (see 1439 * section 5.2.2 for a description of the Tie-Tags). 1440 * 1441 * Verification Tag: Not explicit, but an INIT can not have a valid 1442 * verification tag, so we skip the check. 1443 * 1444 * Inputs 1445 * (endpoint, asoc, chunk) 1446 * 1447 * Outputs 1448 * (asoc, reply_msg, msg_up, timers, counters) 1449 * 1450 * The return value is the disposition of the chunk. 1451 */ 1452sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep, 1453 const struct sctp_association *asoc, 1454 const sctp_subtype_t type, 1455 void *arg, 1456 sctp_cmd_seq_t *commands) 1457{ 1458 /* Call helper to do the real work for both simulataneous and 1459 * duplicate INIT chunk handling. 1460 */ 1461 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1462} 1463 1464/* 1465 * Handle duplicated INIT messages. These are usually delayed 1466 * restransmissions. 1467 * 1468 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1469 * COOKIE-ECHOED and COOKIE-WAIT 1470 * 1471 * Unless otherwise stated, upon reception of an unexpected INIT for 1472 * this association, the endpoint shall generate an INIT ACK with a 1473 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1474 * current Verification Tag and peer's Verification Tag into a reserved 1475 * place within the state cookie. We shall refer to these locations as 1476 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1477 * containing this INIT ACK MUST carry a Verification Tag value equal to 1478 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1479 * MUST contain a new Initiation Tag (randomly generated see Section 1480 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1481 * existing parameters of the association (e.g. number of outbound 1482 * streams) into the INIT ACK and cookie. 1483 * 1484 * After sending out the INIT ACK, the endpoint shall take no further 1485 * actions, i.e., the existing association, including its current state, 1486 * and the corresponding TCB MUST NOT be changed. 1487 * 1488 * Note: Only when a TCB exists and the association is not in a COOKIE- 1489 * WAIT state are the Tie-Tags populated. For a normal association INIT 1490 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1491 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1492 * State Cookie are populated as specified in section 5.2.1. 1493 * 1494 * Verification Tag: Not specified, but an INIT has no way of knowing 1495 * what the verification tag could be, so we ignore it. 1496 * 1497 * Inputs 1498 * (endpoint, asoc, chunk) 1499 * 1500 * Outputs 1501 * (asoc, reply_msg, msg_up, timers, counters) 1502 * 1503 * The return value is the disposition of the chunk. 1504 */ 1505sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, 1506 const struct sctp_association *asoc, 1507 const sctp_subtype_t type, 1508 void *arg, 1509 sctp_cmd_seq_t *commands) 1510{ 1511 /* Call helper to do the real work for both simulataneous and 1512 * duplicate INIT chunk handling. 1513 */ 1514 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); 1515} 1516 1517 1518/* 1519 * Unexpected INIT-ACK handler. 1520 * 1521 * Section 5.2.3 1522 * If an INIT ACK received by an endpoint in any state other than the 1523 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1524 * An unexpected INIT ACK usually indicates the processing of an old or 1525 * duplicated INIT chunk. 1526*/ 1527sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, 1528 const struct sctp_association *asoc, 1529 const sctp_subtype_t type, 1530 void *arg, sctp_cmd_seq_t *commands) 1531{ 1532 /* Per the above section, we'll discard the chunk if we have an 1533 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1534 */ 1535 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) 1536 return sctp_sf_ootb(ep, asoc, type, arg, commands); 1537 else 1538 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); 1539} 1540 1541/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1542 * 1543 * Section 5.2.4 1544 * A) In this case, the peer may have restarted. 1545 */ 1546static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep, 1547 const struct sctp_association *asoc, 1548 struct sctp_chunk *chunk, 1549 sctp_cmd_seq_t *commands, 1550 struct sctp_association *new_asoc) 1551{ 1552 sctp_init_chunk_t *peer_init; 1553 struct sctp_ulpevent *ev; 1554 struct sctp_chunk *repl; 1555 struct sctp_chunk *err; 1556 sctp_disposition_t disposition; 1557 1558 /* new_asoc is a brand-new association, so these are not yet 1559 * side effects--it is safe to run them here. 1560 */ 1561 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1562 1563 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1564 sctp_source(chunk), peer_init, 1565 GFP_ATOMIC)) 1566 goto nomem; 1567 1568 /* Make sure no new addresses are being added during the 1569 * restart. Though this is a pretty complicated attack 1570 * since you'd have to get inside the cookie. 1571 */ 1572 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { 1573 return SCTP_DISPOSITION_CONSUME; 1574 } 1575 1576 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1577 * the peer has restarted (Action A), it MUST NOT setup a new 1578 * association but instead resend the SHUTDOWN ACK and send an ERROR 1579 * chunk with a "Cookie Received while Shutting Down" error cause to 1580 * its peer. 1581 */ 1582 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1583 disposition = sctp_sf_do_9_2_reshutack(ep, asoc, 1584 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1585 chunk, commands); 1586 if (SCTP_DISPOSITION_NOMEM == disposition) 1587 goto nomem; 1588 1589 err = sctp_make_op_error(asoc, chunk, 1590 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1591 NULL, 0); 1592 if (err) 1593 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1594 SCTP_CHUNK(err)); 1595 1596 return SCTP_DISPOSITION_CONSUME; 1597 } 1598 1599 /* For now, fail any unsent/unacked data. Consider the optional 1600 * choice of resending of this data. 1601 */ 1602 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1603 1604 repl = sctp_make_cookie_ack(new_asoc, chunk); 1605 if (!repl) 1606 goto nomem; 1607 1608 /* Report association restart to upper layer. */ 1609 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1610 new_asoc->c.sinit_num_ostreams, 1611 new_asoc->c.sinit_max_instreams, 1612 NULL, GFP_ATOMIC); 1613 if (!ev) 1614 goto nomem_ev; 1615 1616 /* Update the content of current association. */ 1617 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1618 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1619 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1620 return SCTP_DISPOSITION_CONSUME; 1621 1622nomem_ev: 1623 sctp_chunk_free(repl); 1624nomem: 1625 return SCTP_DISPOSITION_NOMEM; 1626} 1627 1628/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1629 * 1630 * Section 5.2.4 1631 * B) In this case, both sides may be attempting to start an association 1632 * at about the same time but the peer endpoint started its INIT 1633 * after responding to the local endpoint's INIT 1634 */ 1635/* This case represents an initialization collision. */ 1636static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep, 1637 const struct sctp_association *asoc, 1638 struct sctp_chunk *chunk, 1639 sctp_cmd_seq_t *commands, 1640 struct sctp_association *new_asoc) 1641{ 1642 sctp_init_chunk_t *peer_init; 1643 struct sctp_chunk *repl; 1644 1645 /* new_asoc is a brand-new association, so these are not yet 1646 * side effects--it is safe to run them here. 1647 */ 1648 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1649 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type, 1650 sctp_source(chunk), peer_init, 1651 GFP_ATOMIC)) 1652 goto nomem; 1653 1654 /* Update the content of current association. */ 1655 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); 1656 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1657 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1658 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1659 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 1660 1661 repl = sctp_make_cookie_ack(new_asoc, chunk); 1662 if (!repl) 1663 goto nomem; 1664 1665 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1666 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1667 1668 /* RFC 2960 5.1 Normal Establishment of an Association 1669 * 1670 * D) IMPLEMENTATION NOTE: An implementation may choose to 1671 * send the Communication Up notification to the SCTP user 1672 * upon reception of a valid COOKIE ECHO chunk. 1673 * 1674 * Sadly, this needs to be implemented as a side-effect, because 1675 * we are not guaranteed to have set the association id of the real 1676 * association and so these notifications need to be delayed until 1677 * the association id is allocated. 1678 */ 1679 1680 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 1681 1682 /* Sockets API Draft Section 5.3.1.6 1683 * When a peer sends a Adaptation Layer Indication parameter , SCTP 1684 * delivers this notification to inform the application that of the 1685 * peers requested adaptation layer. 1686 * 1687 * This also needs to be done as a side effect for the same reason as 1688 * above. 1689 */ 1690 if (asoc->peer.adaptation_ind) 1691 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 1692 1693 return SCTP_DISPOSITION_CONSUME; 1694 1695nomem: 1696 return SCTP_DISPOSITION_NOMEM; 1697} 1698 1699/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 1700 * 1701 * Section 5.2.4 1702 * C) In this case, the local endpoint's cookie has arrived late. 1703 * Before it arrived, the local endpoint sent an INIT and received an 1704 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 1705 * but a new tag of its own. 1706 */ 1707/* This case represents an initialization collision. */ 1708static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep, 1709 const struct sctp_association *asoc, 1710 struct sctp_chunk *chunk, 1711 sctp_cmd_seq_t *commands, 1712 struct sctp_association *new_asoc) 1713{ 1714 /* The cookie should be silently discarded. 1715 * The endpoint SHOULD NOT change states and should leave 1716 * any timers running. 1717 */ 1718 return SCTP_DISPOSITION_DISCARD; 1719} 1720 1721/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 1722 * 1723 * Section 5.2.4 1724 * 1725 * D) When both local and remote tags match the endpoint should always 1726 * enter the ESTABLISHED state, if it has not already done so. 1727 */ 1728/* This case represents an initialization collision. */ 1729static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep, 1730 const struct sctp_association *asoc, 1731 struct sctp_chunk *chunk, 1732 sctp_cmd_seq_t *commands, 1733 struct sctp_association *new_asoc) 1734{ 1735 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL; 1736 struct sctp_chunk *repl; 1737 1738 /* Clarification from Implementor's Guide: 1739 * D) When both local and remote tags match the endpoint should 1740 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 1741 * It should stop any cookie timer that may be running and send 1742 * a COOKIE ACK. 1743 */ 1744 1745 /* Don't accidentally move back into established state. */ 1746 if (asoc->state < SCTP_STATE_ESTABLISHED) { 1747 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1748 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 1749 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1750 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1751 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 1752 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 1753 SCTP_NULL()); 1754 1755 /* RFC 2960 5.1 Normal Establishment of an Association 1756 * 1757 * D) IMPLEMENTATION NOTE: An implementation may choose 1758 * to send the Communication Up notification to the 1759 * SCTP user upon reception of a valid COOKIE 1760 * ECHO chunk. 1761 */ 1762 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 1763 SCTP_COMM_UP, 0, 1764 asoc->c.sinit_num_ostreams, 1765 asoc->c.sinit_max_instreams, 1766 NULL, GFP_ATOMIC); 1767 if (!ev) 1768 goto nomem; 1769 1770 /* Sockets API Draft Section 5.3.1.6 1771 * When a peer sends a Adaptation Layer Indication parameter, 1772 * SCTP delivers this notification to inform the application 1773 * that of the peers requested adaptation layer. 1774 */ 1775 if (asoc->peer.adaptation_ind) { 1776 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 1777 GFP_ATOMIC); 1778 if (!ai_ev) 1779 goto nomem; 1780 1781 } 1782 } 1783 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1784 1785 repl = sctp_make_cookie_ack(new_asoc, chunk); 1786 if (!repl) 1787 goto nomem; 1788 1789 if (ev) 1790 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1791 SCTP_ULPEVENT(ev)); 1792 if (ai_ev) 1793 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1794 SCTP_ULPEVENT(ai_ev)); 1795 1796 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1797 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL()); 1798 1799 return SCTP_DISPOSITION_CONSUME; 1800 1801nomem: 1802 if (ai_ev) 1803 sctp_ulpevent_free(ai_ev); 1804 if (ev) 1805 sctp_ulpevent_free(ev); 1806 return SCTP_DISPOSITION_NOMEM; 1807} 1808 1809/* 1810 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 1811 * chunk was retransmitted and then delayed in the network. 1812 * 1813 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 1814 * 1815 * Verification Tag: None. Do cookie validation. 1816 * 1817 * Inputs 1818 * (endpoint, asoc, chunk) 1819 * 1820 * Outputs 1821 * (asoc, reply_msg, msg_up, timers, counters) 1822 * 1823 * The return value is the disposition of the chunk. 1824 */ 1825sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, 1826 const struct sctp_association *asoc, 1827 const sctp_subtype_t type, 1828 void *arg, 1829 sctp_cmd_seq_t *commands) 1830{ 1831 sctp_disposition_t retval; 1832 struct sctp_chunk *chunk = arg; 1833 struct sctp_association *new_asoc; 1834 int error = 0; 1835 char action; 1836 struct sctp_chunk *err_chk_p; 1837 1838 /* Make sure that the chunk has a valid length from the protocol 1839 * perspective. In this case check to make sure we have at least 1840 * enough for the chunk header. Cookie length verification is 1841 * done later. 1842 */ 1843 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 1844 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 1845 commands); 1846 1847 /* "Decode" the chunk. We have no optional parameters so we 1848 * are in good shape. 1849 */ 1850 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1851 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1852 sizeof(sctp_chunkhdr_t))) 1853 goto nomem; 1854 1855 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1856 * of a duplicate COOKIE ECHO match the Verification Tags of the 1857 * current association, consider the State Cookie valid even if 1858 * the lifespan is exceeded. 1859 */ 1860 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 1861 &err_chk_p); 1862 1863 if (!new_asoc) { 1864 switch (error) { 1865 case -SCTP_IERROR_NOMEM: 1866 goto nomem; 1867 1868 case -SCTP_IERROR_STALE_COOKIE: 1869 sctp_send_stale_cookie_err(ep, asoc, chunk, commands, 1870 err_chk_p); 1871 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1872 case -SCTP_IERROR_BAD_SIG: 1873 default: 1874 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1875 } 1876 } 1877 1878 /* Compare the tie_tag in cookie with the verification tag of 1879 * current association. 1880 */ 1881 action = sctp_tietags_compare(new_asoc, asoc); 1882 1883 switch (action) { 1884 case 'A': /* Association restart. */ 1885 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands, 1886 new_asoc); 1887 break; 1888 1889 case 'B': /* Collision case B. */ 1890 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands, 1891 new_asoc); 1892 break; 1893 1894 case 'C': /* Collision case C. */ 1895 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands, 1896 new_asoc); 1897 break; 1898 1899 case 'D': /* Collision case D. */ 1900 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands, 1901 new_asoc); 1902 break; 1903 1904 default: /* Discard packet for all others. */ 1905 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1906 break; 1907 } 1908 1909 /* Delete the tempory new association. */ 1910 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1911 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1912 1913 return retval; 1914 1915nomem: 1916 return SCTP_DISPOSITION_NOMEM; 1917} 1918 1919/* 1920 * Process an ABORT. (SHUTDOWN-PENDING state) 1921 * 1922 * See sctp_sf_do_9_1_abort(). 1923 */ 1924sctp_disposition_t sctp_sf_shutdown_pending_abort( 1925 const struct sctp_endpoint *ep, 1926 const struct sctp_association *asoc, 1927 const sctp_subtype_t type, 1928 void *arg, 1929 sctp_cmd_seq_t *commands) 1930{ 1931 struct sctp_chunk *chunk = arg; 1932 1933 if (!sctp_vtag_verify_either(chunk, asoc)) 1934 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1935 1936 /* Make sure that the ABORT chunk has a valid length. 1937 * Since this is an ABORT chunk, we have to discard it 1938 * because of the following text: 1939 * RFC 2960, Section 3.3.7 1940 * If an endpoint receives an ABORT with a format error or for an 1941 * association that doesn't exist, it MUST silently discard it. 1942 * Becasue the length is "invalid", we can't really discard just 1943 * as we do not know its true length. So, to be safe, discard the 1944 * packet. 1945 */ 1946 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 1947 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1948 1949 /* Stop the T5-shutdown guard timer. */ 1950 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1951 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 1952 1953 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 1954} 1955 1956/* 1957 * Process an ABORT. (SHUTDOWN-SENT state) 1958 * 1959 * See sctp_sf_do_9_1_abort(). 1960 */ 1961sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep, 1962 const struct sctp_association *asoc, 1963 const sctp_subtype_t type, 1964 void *arg, 1965 sctp_cmd_seq_t *commands) 1966{ 1967 struct sctp_chunk *chunk = arg; 1968 1969 if (!sctp_vtag_verify_either(chunk, asoc)) 1970 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1971 1972 /* Make sure that the ABORT chunk has a valid length. 1973 * Since this is an ABORT chunk, we have to discard it 1974 * because of the following text: 1975 * RFC 2960, Section 3.3.7 1976 * If an endpoint receives an ABORT with a format error or for an 1977 * association that doesn't exist, it MUST silently discard it. 1978 * Becasue the length is "invalid", we can't really discard just 1979 * as we do not know its true length. So, to be safe, discard the 1980 * packet. 1981 */ 1982 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 1983 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 1984 1985 /* Stop the T2-shutdown timer. */ 1986 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1987 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 1988 1989 /* Stop the T5-shutdown guard timer. */ 1990 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1991 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 1992 1993 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands); 1994} 1995 1996/* 1997 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 1998 * 1999 * See sctp_sf_do_9_1_abort(). 2000 */ 2001sctp_disposition_t sctp_sf_shutdown_ack_sent_abort( 2002 const struct sctp_endpoint *ep, 2003 const struct sctp_association *asoc, 2004 const sctp_subtype_t type, 2005 void *arg, 2006 sctp_cmd_seq_t *commands) 2007{ 2008 /* The same T2 timer, so we should be able to use 2009 * common function with the SHUTDOWN-SENT state. 2010 */ 2011 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands); 2012} 2013 2014/* 2015 * Handle an Error received in COOKIE_ECHOED state. 2016 * 2017 * Only handle the error type of stale COOKIE Error, the other errors will 2018 * be ignored. 2019 * 2020 * Inputs 2021 * (endpoint, asoc, chunk) 2022 * 2023 * Outputs 2024 * (asoc, reply_msg, msg_up, timers, counters) 2025 * 2026 * The return value is the disposition of the chunk. 2027 */ 2028sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep, 2029 const struct sctp_association *asoc, 2030 const sctp_subtype_t type, 2031 void *arg, 2032 sctp_cmd_seq_t *commands) 2033{ 2034 struct sctp_chunk *chunk = arg; 2035 sctp_errhdr_t *err; 2036 2037 if (!sctp_vtag_verify(chunk, asoc)) 2038 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2039 2040 /* Make sure that the ERROR chunk has a valid length. 2041 * The parameter walking depends on this as well. 2042 */ 2043 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2044 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2045 commands); 2046 2047 /* Process the error here */ 2048 sctp_walk_errors(err, chunk->chunk_hdr) { 2049 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2050 return sctp_sf_do_5_2_6_stale(ep, asoc, type, 2051 arg, commands); 2052 } 2053 2054 /* It is possible to have malformed error causes, and that 2055 * will cause us to end the walk early. However, since 2056 * we are discarding the packet, there should be no adverse 2057 * affects. 2058 */ 2059 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2060} 2061 2062/* 2063 * Handle a Stale COOKIE Error 2064 * 2065 * Section: 5.2.6 Handle Stale COOKIE Error 2066 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2067 * one of the following three alternatives. 2068 * ... 2069 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2070 * Preservative parameter requesting an extension to the lifetime of 2071 * the State Cookie. When calculating the time extension, an 2072 * implementation SHOULD use the RTT information measured based on the 2073 * previous COOKIE ECHO / ERROR exchange, and should add no more 2074 * than 1 second beyond the measured RTT, due to long State Cookie 2075 * lifetimes making the endpoint more subject to a replay attack. 2076 * 2077 * Verification Tag: Not explicit, but safe to ignore. 2078 * 2079 * Inputs 2080 * (endpoint, asoc, chunk) 2081 * 2082 * Outputs 2083 * (asoc, reply_msg, msg_up, timers, counters) 2084 * 2085 * The return value is the disposition of the chunk. 2086 */ 2087static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, 2088 const struct sctp_association *asoc, 2089 const sctp_subtype_t type, 2090 void *arg, 2091 sctp_cmd_seq_t *commands) 2092{ 2093 struct sctp_chunk *chunk = arg; 2094 time_t stale; 2095 sctp_cookie_preserve_param_t bht; 2096 sctp_errhdr_t *err; 2097 struct sctp_chunk *reply; 2098 struct sctp_bind_addr *bp; 2099 int attempts = asoc->init_err_counter + 1; 2100 2101 if (attempts > asoc->max_init_attempts) { 2102 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2103 SCTP_ERROR(ETIMEDOUT)); 2104 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2105 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2106 return SCTP_DISPOSITION_DELETE_TCB; 2107 } 2108 2109 err = (sctp_errhdr_t *)(chunk->skb->data); 2110 2111 /* When calculating the time extension, an implementation 2112 * SHOULD use the RTT information measured based on the 2113 * previous COOKIE ECHO / ERROR exchange, and should add no 2114 * more than 1 second beyond the measured RTT, due to long 2115 * State Cookie lifetimes making the endpoint more subject to 2116 * a replay attack. 2117 * Measure of Staleness's unit is usec. (1/1000000 sec) 2118 * Suggested Cookie Life-span Increment's unit is msec. 2119 * (1/1000 sec) 2120 * In general, if you use the suggested cookie life, the value 2121 * found in the field of measure of staleness should be doubled 2122 * to give ample time to retransmit the new cookie and thus 2123 * yield a higher probability of success on the reattempt. 2124 */ 2125 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t))); 2126 stale = (stale * 2) / 1000; 2127 2128 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2129 bht.param_hdr.length = htons(sizeof(bht)); 2130 bht.lifespan_increment = htonl(stale); 2131 2132 /* Build that new INIT chunk. */ 2133 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2134 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2135 if (!reply) 2136 goto nomem; 2137 2138 sctp_addto_chunk(reply, sizeof(bht), &bht); 2139 2140 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2141 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2142 2143 /* Stop pending T3-rtx and heartbeat timers */ 2144 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2145 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2146 2147 /* Delete non-primary peer ip addresses since we are transitioning 2148 * back to the COOKIE-WAIT state 2149 */ 2150 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2151 2152 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2153 * resend 2154 */ 2155 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, 2156 SCTP_TRANSPORT(asoc->peer.primary_path)); 2157 2158 /* Cast away the const modifier, as we want to just 2159 * rerun it through as a sideffect. 2160 */ 2161 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2162 2163 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2164 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2165 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2166 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2167 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2168 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2169 2170 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2171 2172 return SCTP_DISPOSITION_CONSUME; 2173 2174nomem: 2175 return SCTP_DISPOSITION_NOMEM; 2176} 2177 2178/* 2179 * Process an ABORT. 2180 * 2181 * Section: 9.1 2182 * After checking the Verification Tag, the receiving endpoint shall 2183 * remove the association from its record, and shall report the 2184 * termination to its upper layer. 2185 * 2186 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2187 * B) Rules for packet carrying ABORT: 2188 * 2189 * - The endpoint shall always fill in the Verification Tag field of the 2190 * outbound packet with the destination endpoint's tag value if it 2191 * is known. 2192 * 2193 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2194 * MUST follow the procedure described in Section 8.4. 2195 * 2196 * - The receiver MUST accept the packet if the Verification Tag 2197 * matches either its own tag, OR the tag of its peer. Otherwise, the 2198 * receiver MUST silently discard the packet and take no further 2199 * action. 2200 * 2201 * Inputs 2202 * (endpoint, asoc, chunk) 2203 * 2204 * Outputs 2205 * (asoc, reply_msg, msg_up, timers, counters) 2206 * 2207 * The return value is the disposition of the chunk. 2208 */ 2209sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, 2210 const struct sctp_association *asoc, 2211 const sctp_subtype_t type, 2212 void *arg, 2213 sctp_cmd_seq_t *commands) 2214{ 2215 struct sctp_chunk *chunk = arg; 2216 unsigned len; 2217 __be16 error = SCTP_ERROR_NO_ERROR; 2218 2219 if (!sctp_vtag_verify_either(chunk, asoc)) 2220 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2221 2222 /* Make sure that the ABORT chunk has a valid length. 2223 * Since this is an ABORT chunk, we have to discard it 2224 * because of the following text: 2225 * RFC 2960, Section 3.3.7 2226 * If an endpoint receives an ABORT with a format error or for an 2227 * association that doesn't exist, it MUST silently discard it. 2228 * Becasue the length is "invalid", we can't really discard just 2229 * as we do not know its true length. So, to be safe, discard the 2230 * packet. 2231 */ 2232 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2233 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2234 2235 /* See if we have an error cause code in the chunk. */ 2236 len = ntohs(chunk->chunk_hdr->length); 2237 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2238 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2239 2240 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2241 /* ASSOC_FAILED will DELETE_TCB. */ 2242 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2243 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2244 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 2245 2246 return SCTP_DISPOSITION_ABORT; 2247} 2248 2249/* 2250 * Process an ABORT. (COOKIE-WAIT state) 2251 * 2252 * See sctp_sf_do_9_1_abort() above. 2253 */ 2254sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep, 2255 const struct sctp_association *asoc, 2256 const sctp_subtype_t type, 2257 void *arg, 2258 sctp_cmd_seq_t *commands) 2259{ 2260 struct sctp_chunk *chunk = arg; 2261 unsigned len; 2262 __be16 error = SCTP_ERROR_NO_ERROR; 2263 2264 if (!sctp_vtag_verify_either(chunk, asoc)) 2265 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2266 2267 /* Make sure that the ABORT chunk has a valid length. 2268 * Since this is an ABORT chunk, we have to discard it 2269 * because of the following text: 2270 * RFC 2960, Section 3.3.7 2271 * If an endpoint receives an ABORT with a format error or for an 2272 * association that doesn't exist, it MUST silently discard it. 2273 * Becasue the length is "invalid", we can't really discard just 2274 * as we do not know its true length. So, to be safe, discard the 2275 * packet. 2276 */ 2277 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t))) 2278 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2279 2280 /* See if we have an error cause code in the chunk. */ 2281 len = ntohs(chunk->chunk_hdr->length); 2282 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2283 error = ((sctp_errhdr_t *)chunk->skb->data)->cause; 2284 2285 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc, 2286 chunk->transport); 2287} 2288 2289/* 2290 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2291 */ 2292sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep, 2293 const struct sctp_association *asoc, 2294 const sctp_subtype_t type, 2295 void *arg, 2296 sctp_cmd_seq_t *commands) 2297{ 2298 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, 2299 ENOPROTOOPT, asoc, 2300 (struct sctp_transport *)arg); 2301} 2302 2303/* 2304 * Process an ABORT. (COOKIE-ECHOED state) 2305 */ 2306sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep, 2307 const struct sctp_association *asoc, 2308 const sctp_subtype_t type, 2309 void *arg, 2310 sctp_cmd_seq_t *commands) 2311{ 2312 /* There is a single T1 timer, so we should be able to use 2313 * common function with the COOKIE-WAIT state. 2314 */ 2315 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands); 2316} 2317 2318/* 2319 * Stop T1 timer and abort association with "INIT failed". 2320 * 2321 * This is common code called by several sctp_sf_*_abort() functions above. 2322 */ 2323static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, 2324 __be16 error, int sk_err, 2325 const struct sctp_association *asoc, 2326 struct sctp_transport *transport) 2327{ 2328 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n"); 2329 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2330 SCTP_STATE(SCTP_STATE_CLOSED)); 2331 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 2332 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2333 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2334 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2335 /* CMD_INIT_FAILED will DELETE_TCB. */ 2336 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2337 SCTP_PERR(error)); 2338 return SCTP_DISPOSITION_ABORT; 2339} 2340 2341/* 2342 * sctp_sf_do_9_2_shut 2343 * 2344 * Section: 9.2 2345 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2346 * - enter the SHUTDOWN-RECEIVED state, 2347 * 2348 * - stop accepting new data from its SCTP user 2349 * 2350 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2351 * that all its outstanding DATA chunks have been received by the 2352 * SHUTDOWN sender. 2353 * 2354 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2355 * send a SHUTDOWN in response to a ULP request. And should discard 2356 * subsequent SHUTDOWN chunks. 2357 * 2358 * If there are still outstanding DATA chunks left, the SHUTDOWN 2359 * receiver shall continue to follow normal data transmission 2360 * procedures defined in Section 6 until all outstanding DATA chunks 2361 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2362 * new data from its SCTP user. 2363 * 2364 * Verification Tag: 8.5 Verification Tag [Normal verification] 2365 * 2366 * Inputs 2367 * (endpoint, asoc, chunk) 2368 * 2369 * Outputs 2370 * (asoc, reply_msg, msg_up, timers, counters) 2371 * 2372 * The return value is the disposition of the chunk. 2373 */ 2374sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep, 2375 const struct sctp_association *asoc, 2376 const sctp_subtype_t type, 2377 void *arg, 2378 sctp_cmd_seq_t *commands) 2379{ 2380 struct sctp_chunk *chunk = arg; 2381 sctp_shutdownhdr_t *sdh; 2382 sctp_disposition_t disposition; 2383 struct sctp_ulpevent *ev; 2384 2385 if (!sctp_vtag_verify(chunk, asoc)) 2386 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2387 2388 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2389 if (!sctp_chunk_length_valid(chunk, 2390 sizeof(struct sctp_shutdown_chunk_t))) 2391 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2392 commands); 2393 2394 /* Convert the elaborate header. */ 2395 sdh = (sctp_shutdownhdr_t *)chunk->skb->data; 2396 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t)); 2397 chunk->subh.shutdown_hdr = sdh; 2398 2399 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2400 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2401 * inform the application that it should cease sending data. 2402 */ 2403 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2404 if (!ev) { 2405 disposition = SCTP_DISPOSITION_NOMEM; 2406 goto out; 2407 } 2408 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2409 2410 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2411 * - enter the SHUTDOWN-RECEIVED state, 2412 * - stop accepting new data from its SCTP user 2413 * 2414 * [This is implicit in the new state.] 2415 */ 2416 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2417 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2418 disposition = SCTP_DISPOSITION_CONSUME; 2419 2420 if (sctp_outq_is_empty(&asoc->outqueue)) { 2421 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type, 2422 arg, commands); 2423 } 2424 2425 if (SCTP_DISPOSITION_NOMEM == disposition) 2426 goto out; 2427 2428 /* - verify, by checking the Cumulative TSN Ack field of the 2429 * chunk, that all its outstanding DATA chunks have been 2430 * received by the SHUTDOWN sender. 2431 */ 2432 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2433 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2434 2435out: 2436 return disposition; 2437} 2438 2439/* RFC 2960 9.2 2440 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2441 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2442 * transport addresses (either in the IP addresses or in the INIT chunk) 2443 * that belong to this association, it should discard the INIT chunk and 2444 * retransmit the SHUTDOWN ACK chunk. 2445 */ 2446sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep, 2447 const struct sctp_association *asoc, 2448 const sctp_subtype_t type, 2449 void *arg, 2450 sctp_cmd_seq_t *commands) 2451{ 2452 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 2453 struct sctp_chunk *reply; 2454 2455 /* Since we are not going to really process this INIT, there 2456 * is no point in verifying chunk boundries. Just generate 2457 * the SHUTDOWN ACK. 2458 */ 2459 reply = sctp_make_shutdown_ack(asoc, chunk); 2460 if (NULL == reply) 2461 goto nomem; 2462 2463 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 2464 * the T2-SHUTDOWN timer. 2465 */ 2466 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 2467 2468 /* and restart the T2-shutdown timer. */ 2469 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2470 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2471 2472 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2473 2474 return SCTP_DISPOSITION_CONSUME; 2475nomem: 2476 return SCTP_DISPOSITION_NOMEM; 2477} 2478 2479/* 2480 * sctp_sf_do_ecn_cwr 2481 * 2482 * Section: Appendix A: Explicit Congestion Notification 2483 * 2484 * CWR: 2485 * 2486 * RFC 2481 details a specific bit for a sender to send in the header of 2487 * its next outbound TCP segment to indicate to its peer that it has 2488 * reduced its congestion window. This is termed the CWR bit. For 2489 * SCTP the same indication is made by including the CWR chunk. 2490 * This chunk contains one data element, i.e. the TSN number that 2491 * was sent in the ECNE chunk. This element represents the lowest 2492 * TSN number in the datagram that was originally marked with the 2493 * CE bit. 2494 * 2495 * Verification Tag: 8.5 Verification Tag [Normal verification] 2496 * Inputs 2497 * (endpoint, asoc, chunk) 2498 * 2499 * Outputs 2500 * (asoc, reply_msg, msg_up, timers, counters) 2501 * 2502 * The return value is the disposition of the chunk. 2503 */ 2504sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep, 2505 const struct sctp_association *asoc, 2506 const sctp_subtype_t type, 2507 void *arg, 2508 sctp_cmd_seq_t *commands) 2509{ 2510 sctp_cwrhdr_t *cwr; 2511 struct sctp_chunk *chunk = arg; 2512 u32 lowest_tsn; 2513 2514 if (!sctp_vtag_verify(chunk, asoc)) 2515 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2516 2517 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2518 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2519 commands); 2520 2521 cwr = (sctp_cwrhdr_t *) chunk->skb->data; 2522 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t)); 2523 2524 lowest_tsn = ntohl(cwr->lowest_tsn); 2525 2526 /* Does this CWR ack the last sent congestion notification? */ 2527 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 2528 /* Stop sending ECNE. */ 2529 sctp_add_cmd_sf(commands, 2530 SCTP_CMD_ECN_CWR, 2531 SCTP_U32(lowest_tsn)); 2532 } 2533 return SCTP_DISPOSITION_CONSUME; 2534} 2535 2536/* 2537 * sctp_sf_do_ecne 2538 * 2539 * Section: Appendix A: Explicit Congestion Notification 2540 * 2541 * ECN-Echo 2542 * 2543 * RFC 2481 details a specific bit for a receiver to send back in its 2544 * TCP acknowledgements to notify the sender of the Congestion 2545 * Experienced (CE) bit having arrived from the network. For SCTP this 2546 * same indication is made by including the ECNE chunk. This chunk 2547 * contains one data element, i.e. the lowest TSN associated with the IP 2548 * datagram marked with the CE bit..... 2549 * 2550 * Verification Tag: 8.5 Verification Tag [Normal verification] 2551 * Inputs 2552 * (endpoint, asoc, chunk) 2553 * 2554 * Outputs 2555 * (asoc, reply_msg, msg_up, timers, counters) 2556 * 2557 * The return value is the disposition of the chunk. 2558 */ 2559sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep, 2560 const struct sctp_association *asoc, 2561 const sctp_subtype_t type, 2562 void *arg, 2563 sctp_cmd_seq_t *commands) 2564{ 2565 sctp_ecnehdr_t *ecne; 2566 struct sctp_chunk *chunk = arg; 2567 2568 if (!sctp_vtag_verify(chunk, asoc)) 2569 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2570 2571 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t))) 2572 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2573 commands); 2574 2575 ecne = (sctp_ecnehdr_t *) chunk->skb->data; 2576 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t)); 2577 2578 /* If this is a newer ECNE than the last CWR packet we sent out */ 2579 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 2580 SCTP_U32(ntohl(ecne->lowest_tsn))); 2581 2582 return SCTP_DISPOSITION_CONSUME; 2583} 2584 2585/* 2586 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 2587 * 2588 * The SCTP endpoint MUST always acknowledge the reception of each valid 2589 * DATA chunk. 2590 * 2591 * The guidelines on delayed acknowledgement algorithm specified in 2592 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 2593 * acknowledgement SHOULD be generated for at least every second packet 2594 * (not every second DATA chunk) received, and SHOULD be generated within 2595 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 2596 * situations it may be beneficial for an SCTP transmitter to be more 2597 * conservative than the algorithms detailed in this document allow. 2598 * However, an SCTP transmitter MUST NOT be more aggressive than the 2599 * following algorithms allow. 2600 * 2601 * A SCTP receiver MUST NOT generate more than one SACK for every 2602 * incoming packet, other than to update the offered window as the 2603 * receiving application consumes new data. 2604 * 2605 * Verification Tag: 8.5 Verification Tag [Normal verification] 2606 * 2607 * Inputs 2608 * (endpoint, asoc, chunk) 2609 * 2610 * Outputs 2611 * (asoc, reply_msg, msg_up, timers, counters) 2612 * 2613 * The return value is the disposition of the chunk. 2614 */ 2615sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep, 2616 const struct sctp_association *asoc, 2617 const sctp_subtype_t type, 2618 void *arg, 2619 sctp_cmd_seq_t *commands) 2620{ 2621 struct sctp_chunk *chunk = arg; 2622 int error; 2623 2624 if (!sctp_vtag_verify(chunk, asoc)) { 2625 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2626 SCTP_NULL()); 2627 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2628 } 2629 2630 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2631 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2632 commands); 2633 2634 error = sctp_eat_data(asoc, chunk, commands ); 2635 switch (error) { 2636 case SCTP_IERROR_NO_ERROR: 2637 break; 2638 case SCTP_IERROR_HIGH_TSN: 2639 case SCTP_IERROR_BAD_STREAM: 2640 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2641 goto discard_noforce; 2642 case SCTP_IERROR_DUP_TSN: 2643 case SCTP_IERROR_IGNORE_TSN: 2644 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 2645 goto discard_force; 2646 case SCTP_IERROR_NO_DATA: 2647 goto consume; 2648 default: 2649 BUG(); 2650 } 2651 2652 if (asoc->autoclose) { 2653 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2654 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 2655 } 2656 2657 /* If this is the last chunk in a packet, we need to count it 2658 * toward sack generation. Note that we need to SACK every 2659 * OTHER packet containing data chunks, EVEN IF WE DISCARD 2660 * THEM. We elect to NOT generate SACK's if the chunk fails 2661 * the verification tag test. 2662 * 2663 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2664 * 2665 * The SCTP endpoint MUST always acknowledge the reception of 2666 * each valid DATA chunk. 2667 * 2668 * The guidelines on delayed acknowledgement algorithm 2669 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 2670 * Specifically, an acknowledgement SHOULD be generated for at 2671 * least every second packet (not every second DATA chunk) 2672 * received, and SHOULD be generated within 200 ms of the 2673 * arrival of any unacknowledged DATA chunk. In some 2674 * situations it may be beneficial for an SCTP transmitter to 2675 * be more conservative than the algorithms detailed in this 2676 * document allow. However, an SCTP transmitter MUST NOT be 2677 * more aggressive than the following algorithms allow. 2678 */ 2679 if (chunk->end_of_packet) 2680 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2681 2682 return SCTP_DISPOSITION_CONSUME; 2683 2684discard_force: 2685 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 2686 * 2687 * When a packet arrives with duplicate DATA chunk(s) and with 2688 * no new DATA chunk(s), the endpoint MUST immediately send a 2689 * SACK with no delay. If a packet arrives with duplicate 2690 * DATA chunk(s) bundled with new DATA chunks, the endpoint 2691 * MAY immediately send a SACK. Normally receipt of duplicate 2692 * DATA chunks will occur when the original SACK chunk was lost 2693 * and the peer's RTO has expired. The duplicate TSN number(s) 2694 * SHOULD be reported in the SACK as duplicate. 2695 */ 2696 /* In our case, we split the MAY SACK advice up whether or not 2697 * the last chunk is a duplicate.' 2698 */ 2699 if (chunk->end_of_packet) 2700 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2701 return SCTP_DISPOSITION_DISCARD; 2702 2703discard_noforce: 2704 if (chunk->end_of_packet) 2705 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 2706 2707 return SCTP_DISPOSITION_DISCARD; 2708consume: 2709 return SCTP_DISPOSITION_CONSUME; 2710 2711} 2712 2713/* 2714 * sctp_sf_eat_data_fast_4_4 2715 * 2716 * Section: 4 (4) 2717 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 2718 * DATA chunks without delay. 2719 * 2720 * Verification Tag: 8.5 Verification Tag [Normal verification] 2721 * Inputs 2722 * (endpoint, asoc, chunk) 2723 * 2724 * Outputs 2725 * (asoc, reply_msg, msg_up, timers, counters) 2726 * 2727 * The return value is the disposition of the chunk. 2728 */ 2729sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep, 2730 const struct sctp_association *asoc, 2731 const sctp_subtype_t type, 2732 void *arg, 2733 sctp_cmd_seq_t *commands) 2734{ 2735 struct sctp_chunk *chunk = arg; 2736 int error; 2737 2738 if (!sctp_vtag_verify(chunk, asoc)) { 2739 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 2740 SCTP_NULL()); 2741 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2742 } 2743 2744 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t))) 2745 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2746 commands); 2747 2748 error = sctp_eat_data(asoc, chunk, commands ); 2749 switch (error) { 2750 case SCTP_IERROR_NO_ERROR: 2751 case SCTP_IERROR_HIGH_TSN: 2752 case SCTP_IERROR_DUP_TSN: 2753 case SCTP_IERROR_IGNORE_TSN: 2754 case SCTP_IERROR_BAD_STREAM: 2755 break; 2756 case SCTP_IERROR_NO_DATA: 2757 goto consume; 2758 default: 2759 BUG(); 2760 } 2761 2762 /* Go a head and force a SACK, since we are shutting down. */ 2763 2764 /* Implementor's Guide. 2765 * 2766 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 2767 * respond to each received packet containing one or more DATA chunk(s) 2768 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 2769 */ 2770 if (chunk->end_of_packet) { 2771 /* We must delay the chunk creation since the cumulative 2772 * TSN has not been updated yet. 2773 */ 2774 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 2775 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 2776 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 2777 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2778 } 2779 2780consume: 2781 return SCTP_DISPOSITION_CONSUME; 2782} 2783 2784/* 2785 * Section: 6.2 Processing a Received SACK 2786 * D) Any time a SACK arrives, the endpoint performs the following: 2787 * 2788 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 2789 * then drop the SACK. Since Cumulative TSN Ack is monotonically 2790 * increasing, a SACK whose Cumulative TSN Ack is less than the 2791 * Cumulative TSN Ack Point indicates an out-of-order SACK. 2792 * 2793 * ii) Set rwnd equal to the newly received a_rwnd minus the number 2794 * of bytes still outstanding after processing the Cumulative TSN Ack 2795 * and the Gap Ack Blocks. 2796 * 2797 * iii) If the SACK is missing a TSN that was previously 2798 * acknowledged via a Gap Ack Block (e.g., the data receiver 2799 * reneged on the data), then mark the corresponding DATA chunk 2800 * as available for retransmit: Mark it as missing for fast 2801 * retransmit as described in Section 7.2.4 and if no retransmit 2802 * timer is running for the destination address to which the DATA 2803 * chunk was originally transmitted, then T3-rtx is started for 2804 * that destination address. 2805 * 2806 * Verification Tag: 8.5 Verification Tag [Normal verification] 2807 * 2808 * Inputs 2809 * (endpoint, asoc, chunk) 2810 * 2811 * Outputs 2812 * (asoc, reply_msg, msg_up, timers, counters) 2813 * 2814 * The return value is the disposition of the chunk. 2815 */ 2816sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, 2817 const struct sctp_association *asoc, 2818 const sctp_subtype_t type, 2819 void *arg, 2820 sctp_cmd_seq_t *commands) 2821{ 2822 struct sctp_chunk *chunk = arg; 2823 sctp_sackhdr_t *sackh; 2824 __u32 ctsn; 2825 2826 if (!sctp_vtag_verify(chunk, asoc)) 2827 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2828 2829 /* Make sure that the SACK chunk has a valid length. */ 2830 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t))) 2831 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2832 commands); 2833 2834 /* Pull the SACK chunk from the data buffer */ 2835 sackh = sctp_sm_pull_sack(chunk); 2836 /* Was this a bogus SACK? */ 2837 if (!sackh) 2838 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2839 chunk->subh.sack_hdr = sackh; 2840 ctsn = ntohl(sackh->cum_tsn_ack); 2841 2842 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 2843 * Ack Point, then drop the SACK. Since Cumulative TSN 2844 * Ack is monotonically increasing, a SACK whose 2845 * Cumulative TSN Ack is less than the Cumulative TSN Ack 2846 * Point indicates an out-of-order SACK. 2847 */ 2848 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2849 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn); 2850 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point); 2851 return SCTP_DISPOSITION_DISCARD; 2852 } 2853 2854 /* Return this SACK for further processing. */ 2855 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh)); 2856 2857 /* Note: We do the rest of the work on the PROCESS_SACK 2858 * sideeffect. 2859 */ 2860 return SCTP_DISPOSITION_CONSUME; 2861} 2862 2863/* 2864 * Generate an ABORT in response to a packet. 2865 * 2866 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 2867 * 2868 * 8) The receiver should respond to the sender of the OOTB packet with 2869 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 2870 * MUST fill in the Verification Tag field of the outbound packet 2871 * with the value found in the Verification Tag field of the OOTB 2872 * packet and set the T-bit in the Chunk Flags to indicate that the 2873 * Verification Tag is reflected. After sending this ABORT, the 2874 * receiver of the OOTB packet shall discard the OOTB packet and take 2875 * no further action. 2876 * 2877 * Verification Tag: 2878 * 2879 * The return value is the disposition of the chunk. 2880*/ 2881sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, 2882 const struct sctp_association *asoc, 2883 const sctp_subtype_t type, 2884 void *arg, 2885 sctp_cmd_seq_t *commands) 2886{ 2887 struct sctp_packet *packet = NULL; 2888 struct sctp_chunk *chunk = arg; 2889 struct sctp_chunk *abort; 2890 2891 packet = sctp_ootb_pkt_new(asoc, chunk); 2892 2893 if (packet) { 2894 /* Make an ABORT. The T bit will be set if the asoc 2895 * is NULL. 2896 */ 2897 abort = sctp_make_abort(asoc, chunk, 0); 2898 if (!abort) { 2899 sctp_ootb_pkt_free(packet); 2900 return SCTP_DISPOSITION_NOMEM; 2901 } 2902 2903 /* Reflect vtag if T-Bit is set */ 2904 if (sctp_test_T_bit(abort)) 2905 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 2906 2907 /* Set the skb to the belonging sock for accounting. */ 2908 abort->skb->sk = ep->base.sk; 2909 2910 sctp_packet_append_chunk(packet, abort); 2911 2912 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 2913 SCTP_PACKET(packet)); 2914 2915 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 2916 2917 return SCTP_DISPOSITION_CONSUME; 2918 } 2919 2920 return SCTP_DISPOSITION_NOMEM; 2921} 2922 2923/* 2924 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 2925 * event as ULP notification for each cause included in the chunk. 2926 * 2927 * API 5.3.1.3 - SCTP_REMOTE_ERROR 2928 * 2929 * The return value is the disposition of the chunk. 2930*/ 2931sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, 2932 const struct sctp_association *asoc, 2933 const sctp_subtype_t type, 2934 void *arg, 2935 sctp_cmd_seq_t *commands) 2936{ 2937 struct sctp_chunk *chunk = arg; 2938 struct sctp_ulpevent *ev; 2939 2940 if (!sctp_vtag_verify(chunk, asoc)) 2941 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2942 2943 /* Make sure that the ERROR chunk has a valid length. */ 2944 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t))) 2945 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2946 commands); 2947 2948 while (chunk->chunk_end > chunk->skb->data) { 2949 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, 2950 GFP_ATOMIC); 2951 if (!ev) 2952 goto nomem; 2953 2954 if (!sctp_add_cmd(commands, SCTP_CMD_EVENT_ULP, 2955 SCTP_ULPEVENT(ev))) { 2956 sctp_ulpevent_free(ev); 2957 goto nomem; 2958 } 2959 2960 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 2961 SCTP_CHUNK(chunk)); 2962 } 2963 return SCTP_DISPOSITION_CONSUME; 2964 2965nomem: 2966 return SCTP_DISPOSITION_NOMEM; 2967} 2968 2969/* 2970 * Process an inbound SHUTDOWN ACK. 2971 * 2972 * From Section 9.2: 2973 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 2974 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 2975 * peer, and remove all record of the association. 2976 * 2977 * The return value is the disposition. 2978 */ 2979sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep, 2980 const struct sctp_association *asoc, 2981 const sctp_subtype_t type, 2982 void *arg, 2983 sctp_cmd_seq_t *commands) 2984{ 2985 struct sctp_chunk *chunk = arg; 2986 struct sctp_chunk *reply; 2987 struct sctp_ulpevent *ev; 2988 2989 if (!sctp_vtag_verify(chunk, asoc)) 2990 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 2991 2992 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 2993 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 2994 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 2995 commands); 2996 /* 10.2 H) SHUTDOWN COMPLETE notification 2997 * 2998 * When SCTP completes the shutdown procedures (section 9.2) this 2999 * notification is passed to the upper layer. 3000 */ 3001 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3002 0, 0, 0, NULL, GFP_ATOMIC); 3003 if (!ev) 3004 goto nomem; 3005 3006 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3007 reply = sctp_make_shutdown_complete(asoc, chunk); 3008 if (!reply) 3009 goto nomem_chunk; 3010 3011 /* Do all the commands now (after allocation), so that we 3012 * have consistent state if memory allocation failes 3013 */ 3014 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3015 3016 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3017 * stop the T2-shutdown timer, 3018 */ 3019 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3020 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3021 3022 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3023 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3024 3025 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3026 SCTP_STATE(SCTP_STATE_CLOSED)); 3027 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 3028 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3029 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3030 3031 /* ...and remove all record of the association. */ 3032 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3033 return SCTP_DISPOSITION_DELETE_TCB; 3034 3035nomem_chunk: 3036 sctp_ulpevent_free(ev); 3037nomem: 3038 return SCTP_DISPOSITION_NOMEM; 3039} 3040 3041/* 3042 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3043 * 3044 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3045 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3046 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3047 * packet must fill in the Verification Tag field of the outbound 3048 * packet with the Verification Tag received in the SHUTDOWN ACK and 3049 * set the T-bit in the Chunk Flags to indicate that the Verification 3050 * Tag is reflected. 3051 * 3052 * 8) The receiver should respond to the sender of the OOTB packet with 3053 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3054 * MUST fill in the Verification Tag field of the outbound packet 3055 * with the value found in the Verification Tag field of the OOTB 3056 * packet and set the T-bit in the Chunk Flags to indicate that the 3057 * Verification Tag is reflected. After sending this ABORT, the 3058 * receiver of the OOTB packet shall discard the OOTB packet and take 3059 * no further action. 3060 */ 3061sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, 3062 const struct sctp_association *asoc, 3063 const sctp_subtype_t type, 3064 void *arg, 3065 sctp_cmd_seq_t *commands) 3066{ 3067 struct sctp_chunk *chunk = arg; 3068 struct sk_buff *skb = chunk->skb; 3069 sctp_chunkhdr_t *ch; 3070 __u8 *ch_end; 3071 int ootb_shut_ack = 0; 3072 3073 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES); 3074 3075 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; 3076 do { 3077 /* Break out if chunk length is less then minimal. */ 3078 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) 3079 break; 3080 3081 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); 3082 if (ch_end > skb_tail_pointer(skb)) 3083 break; 3084 3085 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3086 ootb_shut_ack = 1; 3087 3088 /* RFC 2960, Section 3.3.7 3089 * Moreover, under any circumstances, an endpoint that 3090 * receives an ABORT MUST NOT respond to that ABORT by 3091 * sending an ABORT of its own. 3092 */ 3093 if (SCTP_CID_ABORT == ch->type) 3094 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3095 3096 ch = (sctp_chunkhdr_t *) ch_end; 3097 } while (ch_end < skb_tail_pointer(skb)); 3098 3099 if (ootb_shut_ack) 3100 sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); 3101 else 3102 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); 3103 3104 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3105} 3106 3107/* 3108 * Handle an "Out of the blue" SHUTDOWN ACK. 3109 * 3110 * Section: 8.4 5, sctpimpguide 2.41. 3111 * 3112 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3113 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3114 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3115 * packet must fill in the Verification Tag field of the outbound 3116 * packet with the Verification Tag received in the SHUTDOWN ACK and 3117 * set the T-bit in the Chunk Flags to indicate that the Verification 3118 * Tag is reflected. 3119 * 3120 * Inputs 3121 * (endpoint, asoc, type, arg, commands) 3122 * 3123 * Outputs 3124 * (sctp_disposition_t) 3125 * 3126 * The return value is the disposition of the chunk. 3127 */ 3128static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep, 3129 const struct sctp_association *asoc, 3130 const sctp_subtype_t type, 3131 void *arg, 3132 sctp_cmd_seq_t *commands) 3133{ 3134 struct sctp_packet *packet = NULL; 3135 struct sctp_chunk *chunk = arg; 3136 struct sctp_chunk *shut; 3137 3138 packet = sctp_ootb_pkt_new(asoc, chunk); 3139 3140 if (packet) { 3141 /* Make an SHUTDOWN_COMPLETE. 3142 * The T bit will be set if the asoc is NULL. 3143 */ 3144 shut = sctp_make_shutdown_complete(asoc, chunk); 3145 if (!shut) { 3146 sctp_ootb_pkt_free(packet); 3147 return SCTP_DISPOSITION_NOMEM; 3148 } 3149 3150 /* Reflect vtag if T-Bit is set */ 3151 if (sctp_test_T_bit(shut)) 3152 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3153 3154 /* Set the skb to the belonging sock for accounting. */ 3155 shut->skb->sk = ep->base.sk; 3156 3157 sctp_packet_append_chunk(packet, shut); 3158 3159 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3160 SCTP_PACKET(packet)); 3161 3162 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3163 3164 /* If the chunk length is invalid, we don't want to process 3165 * the reset of the packet. 3166 */ 3167 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) 3168 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3169 3170 return SCTP_DISPOSITION_CONSUME; 3171 } 3172 3173 return SCTP_DISPOSITION_NOMEM; 3174} 3175 3176/* 3177 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3178 * 3179 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3180 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3181 * procedures in section 8.4 SHOULD be followed, in other words it 3182 * should be treated as an Out Of The Blue packet. 3183 * [This means that we do NOT check the Verification Tag on these 3184 * chunks. --piggy ] 3185 * 3186 */ 3187sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep, 3188 const struct sctp_association *asoc, 3189 const sctp_subtype_t type, 3190 void *arg, 3191 sctp_cmd_seq_t *commands) 3192{ 3193 /* Although we do have an association in this case, it corresponds 3194 * to a restarted association. So the packet is treated as an OOTB 3195 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3196 * called with a NULL association. 3197 */ 3198 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands); 3199} 3200 3201/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3202sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, 3203 const struct sctp_association *asoc, 3204 const sctp_subtype_t type, void *arg, 3205 sctp_cmd_seq_t *commands) 3206{ 3207 struct sctp_chunk *chunk = arg; 3208 struct sctp_chunk *asconf_ack = NULL; 3209 sctp_addiphdr_t *hdr; 3210 __u32 serial; 3211 3212 if (!sctp_vtag_verify(chunk, asoc)) { 3213 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3214 SCTP_NULL()); 3215 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3216 } 3217 3218 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3219 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t))) 3220 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3221 commands); 3222 3223 hdr = (sctp_addiphdr_t *)chunk->skb->data; 3224 serial = ntohl(hdr->serial); 3225 3226 /* ADDIP 4.2 C1) Compare the value of the serial number to the value 3227 * the endpoint stored in a new association variable 3228 * 'Peer-Serial-Number'. 3229 */ 3230 if (serial == asoc->peer.addip_serial + 1) { 3231 /* ADDIP 4.2 C2) If the value found in the serial number is 3232 * equal to the ('Peer-Serial-Number' + 1), the endpoint MUST 3233 * do V1-V5. 3234 */ 3235 asconf_ack = sctp_process_asconf((struct sctp_association *) 3236 asoc, chunk); 3237 if (!asconf_ack) 3238 return SCTP_DISPOSITION_NOMEM; 3239 } else if (serial == asoc->peer.addip_serial) { 3240 /* ADDIP 4.2 C3) If the value found in the serial number is 3241 * equal to the value stored in the 'Peer-Serial-Number' 3242 * IMPLEMENTATION NOTE: As an optimization a receiver may wish 3243 * to save the last ASCONF-ACK for some predetermined period of 3244 * time and instead of re-processing the ASCONF (with the same 3245 * serial number) it may just re-transmit the ASCONF-ACK. 3246 */ 3247 if (asoc->addip_last_asconf_ack) 3248 asconf_ack = asoc->addip_last_asconf_ack; 3249 else 3250 return SCTP_DISPOSITION_DISCARD; 3251 } else { 3252 /* ADDIP 4.2 C4) Otherwise, the ASCONF Chunk is discarded since 3253 * it must be either a stale packet or from an attacker. 3254 */ 3255 return SCTP_DISPOSITION_DISCARD; 3256 } 3257 3258 /* ADDIP 4.2 C5) In both cases C2 and C3 the ASCONF-ACK MUST be sent 3259 * back to the source address contained in the IP header of the ASCONF 3260 * being responded to. 3261 */ 3262 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3263 3264 return SCTP_DISPOSITION_CONSUME; 3265} 3266 3267/* 3268 * ADDIP Section 4.3 General rules for address manipulation 3269 * When building TLV parameters for the ASCONF Chunk that will add or 3270 * delete IP addresses the D0 to D13 rules should be applied: 3271 */ 3272sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, 3273 const struct sctp_association *asoc, 3274 const sctp_subtype_t type, void *arg, 3275 sctp_cmd_seq_t *commands) 3276{ 3277 struct sctp_chunk *asconf_ack = arg; 3278 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 3279 struct sctp_chunk *abort; 3280 sctp_addiphdr_t *addip_hdr; 3281 __u32 sent_serial, rcvd_serial; 3282 3283 if (!sctp_vtag_verify(asconf_ack, asoc)) { 3284 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3285 SCTP_NULL()); 3286 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3287 } 3288 3289 /* Make sure that the ADDIP chunk has a valid length. */ 3290 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t))) 3291 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3292 commands); 3293 3294 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; 3295 rcvd_serial = ntohl(addip_hdr->serial); 3296 3297 if (last_asconf) { 3298 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; 3299 sent_serial = ntohl(addip_hdr->serial); 3300 } else { 3301 sent_serial = asoc->addip_serial - 1; 3302 } 3303 3304 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 3305 * equal to the next serial number to be used but no ASCONF chunk is 3306 * outstanding the endpoint MUST ABORT the association. Note that a 3307 * sequence number is greater than if it is no more than 2^^31-1 3308 * larger than the current sequence number (using serial arithmetic). 3309 */ 3310 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 3311 !(asoc->addip_last_asconf)) { 3312 abort = sctp_make_abort(asoc, asconf_ack, 3313 sizeof(sctp_errhdr_t)); 3314 if (abort) { 3315 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, NULL, 0); 3316 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3317 SCTP_CHUNK(abort)); 3318 } 3319 /* We are going to ABORT, so we might as well stop 3320 * processing the rest of the chunks in the packet. 3321 */ 3322 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3323 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3324 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3325 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3326 SCTP_ERROR(ECONNABORTED)); 3327 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3328 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3329 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3330 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3331 return SCTP_DISPOSITION_ABORT; 3332 } 3333 3334 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 3335 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3336 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3337 3338 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3339 asconf_ack)) 3340 return SCTP_DISPOSITION_CONSUME; 3341 3342 abort = sctp_make_abort(asoc, asconf_ack, 3343 sizeof(sctp_errhdr_t)); 3344 if (abort) { 3345 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, NULL, 0); 3346 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3347 SCTP_CHUNK(abort)); 3348 } 3349 /* We are going to ABORT, so we might as well stop 3350 * processing the rest of the chunks in the packet. 3351 */ 3352 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 3353 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3354 SCTP_ERROR(ECONNABORTED)); 3355 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3356 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 3357 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3358 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3359 return SCTP_DISPOSITION_ABORT; 3360 } 3361 3362 return SCTP_DISPOSITION_DISCARD; 3363} 3364 3365/* 3366 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 3367 * 3368 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 3369 * its cumulative TSN point to the value carried in the FORWARD TSN 3370 * chunk, and then MUST further advance its cumulative TSN point locally 3371 * if possible. 3372 * After the above processing, the data receiver MUST stop reporting any 3373 * missing TSNs earlier than or equal to the new cumulative TSN point. 3374 * 3375 * Verification Tag: 8.5 Verification Tag [Normal verification] 3376 * 3377 * The return value is the disposition of the chunk. 3378 */ 3379sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep, 3380 const struct sctp_association *asoc, 3381 const sctp_subtype_t type, 3382 void *arg, 3383 sctp_cmd_seq_t *commands) 3384{ 3385 struct sctp_chunk *chunk = arg; 3386 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3387 __u16 len; 3388 __u32 tsn; 3389 3390 if (!sctp_vtag_verify(chunk, asoc)) { 3391 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3392 SCTP_NULL()); 3393 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3394 } 3395 3396 /* Make sure that the FORWARD_TSN chunk has valid length. */ 3397 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3398 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3399 commands); 3400 3401 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3402 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3403 len = ntohs(chunk->chunk_hdr->length); 3404 len -= sizeof(struct sctp_chunkhdr); 3405 skb_pull(chunk->skb, len); 3406 3407 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3408 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3409 3410 /* The TSN is too high--silently discard the chunk and count on it 3411 * getting retransmitted later. 3412 */ 3413 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3414 goto discard_noforce; 3415 3416 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3417 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3418 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3419 SCTP_CHUNK(chunk)); 3420 3421 /* Count this as receiving DATA. */ 3422 if (asoc->autoclose) { 3423 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3424 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3425 } 3426 3427 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 3428 3429 return SCTP_DISPOSITION_CONSUME; 3430 3431discard_noforce: 3432 return SCTP_DISPOSITION_DISCARD; 3433} 3434 3435sctp_disposition_t sctp_sf_eat_fwd_tsn_fast( 3436 const struct sctp_endpoint *ep, 3437 const struct sctp_association *asoc, 3438 const sctp_subtype_t type, 3439 void *arg, 3440 sctp_cmd_seq_t *commands) 3441{ 3442 struct sctp_chunk *chunk = arg; 3443 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 3444 __u16 len; 3445 __u32 tsn; 3446 3447 if (!sctp_vtag_verify(chunk, asoc)) { 3448 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3449 SCTP_NULL()); 3450 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3451 } 3452 3453 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 3454 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk))) 3455 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3456 commands); 3457 3458 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 3459 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 3460 len = ntohs(chunk->chunk_hdr->length); 3461 len -= sizeof(struct sctp_chunkhdr); 3462 skb_pull(chunk->skb, len); 3463 3464 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 3465 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn); 3466 3467 /* The TSN is too high--silently discard the chunk and count on it 3468 * getting retransmitted later. 3469 */ 3470 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 3471 goto gen_shutdown; 3472 3473 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 3474 if (len > sizeof(struct sctp_fwdtsn_hdr)) 3475 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 3476 SCTP_CHUNK(chunk)); 3477 3478 /* Go a head and force a SACK, since we are shutting down. */ 3479gen_shutdown: 3480 /* Implementor's Guide. 3481 * 3482 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3483 * respond to each received packet containing one or more DATA chunk(s) 3484 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3485 */ 3486 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3487 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3488 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3489 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3490 3491 return SCTP_DISPOSITION_CONSUME; 3492} 3493 3494/* 3495 * Process an unknown chunk. 3496 * 3497 * Section: 3.2. Also, 2.1 in the implementor's guide. 3498 * 3499 * Chunk Types are encoded such that the highest-order two bits specify 3500 * the action that must be taken if the processing endpoint does not 3501 * recognize the Chunk Type. 3502 * 3503 * 00 - Stop processing this SCTP packet and discard it, do not process 3504 * any further chunks within it. 3505 * 3506 * 01 - Stop processing this SCTP packet and discard it, do not process 3507 * any further chunks within it, and report the unrecognized 3508 * chunk in an 'Unrecognized Chunk Type'. 3509 * 3510 * 10 - Skip this chunk and continue processing. 3511 * 3512 * 11 - Skip this chunk and continue processing, but report in an ERROR 3513 * Chunk using the 'Unrecognized Chunk Type' cause of error. 3514 * 3515 * The return value is the disposition of the chunk. 3516 */ 3517sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep, 3518 const struct sctp_association *asoc, 3519 const sctp_subtype_t type, 3520 void *arg, 3521 sctp_cmd_seq_t *commands) 3522{ 3523 struct sctp_chunk *unk_chunk = arg; 3524 struct sctp_chunk *err_chunk; 3525 sctp_chunkhdr_t *hdr; 3526 3527 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk); 3528 3529 if (!sctp_vtag_verify(unk_chunk, asoc)) 3530 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3531 3532 /* Make sure that the chunk has a valid length. 3533 * Since we don't know the chunk type, we use a general 3534 * chunkhdr structure to make a comparison. 3535 */ 3536 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t))) 3537 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 3538 commands); 3539 3540 switch (type.chunk & SCTP_CID_ACTION_MASK) { 3541 case SCTP_CID_ACTION_DISCARD: 3542 /* Discard the packet. */ 3543 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3544 break; 3545 case SCTP_CID_ACTION_DISCARD_ERR: 3546 /* Discard the packet. */ 3547 sctp_sf_pdiscard(ep, asoc, type, arg, commands); 3548 3549 /* Generate an ERROR chunk as response. */ 3550 hdr = unk_chunk->chunk_hdr; 3551 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3552 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3553 WORD_ROUND(ntohs(hdr->length))); 3554 if (err_chunk) { 3555 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3556 SCTP_CHUNK(err_chunk)); 3557 } 3558 return SCTP_DISPOSITION_CONSUME; 3559 break; 3560 case SCTP_CID_ACTION_SKIP: 3561 /* Skip the chunk. */ 3562 return SCTP_DISPOSITION_DISCARD; 3563 break; 3564 case SCTP_CID_ACTION_SKIP_ERR: 3565 /* Generate an ERROR chunk as response. */ 3566 hdr = unk_chunk->chunk_hdr; 3567 err_chunk = sctp_make_op_error(asoc, unk_chunk, 3568 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 3569 WORD_ROUND(ntohs(hdr->length))); 3570 if (err_chunk) { 3571 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 3572 SCTP_CHUNK(err_chunk)); 3573 } 3574 /* Skip the chunk. */ 3575 return SCTP_DISPOSITION_CONSUME; 3576 break; 3577 default: 3578 break; 3579 } 3580 3581 return SCTP_DISPOSITION_DISCARD; 3582} 3583 3584/* 3585 * Discard the chunk. 3586 * 3587 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 3588 * [Too numerous to mention...] 3589 * Verification Tag: No verification needed. 3590 * Inputs 3591 * (endpoint, asoc, chunk) 3592 * 3593 * Outputs 3594 * (asoc, reply_msg, msg_up, timers, counters) 3595 * 3596 * The return value is the disposition of the chunk. 3597 */ 3598sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep, 3599 const struct sctp_association *asoc, 3600 const sctp_subtype_t type, 3601 void *arg, 3602 sctp_cmd_seq_t *commands) 3603{ 3604 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); 3605 return SCTP_DISPOSITION_DISCARD; 3606} 3607 3608/* 3609 * Discard the whole packet. 3610 * 3611 * Section: 8.4 2) 3612 * 3613 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 3614 * silently discard the OOTB packet and take no further action. 3615 * 3616 * Verification Tag: No verification necessary 3617 * 3618 * Inputs 3619 * (endpoint, asoc, chunk) 3620 * 3621 * Outputs 3622 * (asoc, reply_msg, msg_up, timers, counters) 3623 * 3624 * The return value is the disposition of the chunk. 3625 */ 3626sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep, 3627 const struct sctp_association *asoc, 3628 const sctp_subtype_t type, 3629 void *arg, 3630 sctp_cmd_seq_t *commands) 3631{ 3632 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS); 3633 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3634 3635 return SCTP_DISPOSITION_CONSUME; 3636} 3637 3638 3639/* 3640 * The other end is violating protocol. 3641 * 3642 * Section: Not specified 3643 * Verification Tag: Not specified 3644 * Inputs 3645 * (endpoint, asoc, chunk) 3646 * 3647 * Outputs 3648 * (asoc, reply_msg, msg_up, timers, counters) 3649 * 3650 * We simply tag the chunk as a violation. The state machine will log 3651 * the violation and continue. 3652 */ 3653sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep, 3654 const struct sctp_association *asoc, 3655 const sctp_subtype_t type, 3656 void *arg, 3657 sctp_cmd_seq_t *commands) 3658{ 3659 return SCTP_DISPOSITION_VIOLATION; 3660} 3661 3662 3663/* 3664 * Handle a protocol violation when the chunk length is invalid. 3665 * "Invalid" length is identified as smaller then the minimal length a 3666 * given chunk can be. For example, a SACK chunk has invalid length 3667 * if it's length is set to be smaller then the size of sctp_sack_chunk_t. 3668 * 3669 * We inform the other end by sending an ABORT with a Protocol Violation 3670 * error code. 3671 * 3672 * Section: Not specified 3673 * Verification Tag: Nothing to do 3674 * Inputs 3675 * (endpoint, asoc, chunk) 3676 * 3677 * Outputs 3678 * (reply_msg, msg_up, counters) 3679 * 3680 * Generate an ABORT chunk and terminate the association. 3681 */ 3682static sctp_disposition_t sctp_sf_violation_chunklen( 3683 const struct sctp_endpoint *ep, 3684 const struct sctp_association *asoc, 3685 const sctp_subtype_t type, 3686 void *arg, 3687 sctp_cmd_seq_t *commands) 3688{ 3689 struct sctp_chunk *chunk = arg; 3690 struct sctp_chunk *abort = NULL; 3691 char err_str[]="The following chunk had invalid length:"; 3692 3693 /* Make the abort chunk. */ 3694 abort = sctp_make_abort_violation(asoc, chunk, err_str, 3695 sizeof(err_str)); 3696 if (!abort) 3697 goto nomem; 3698 3699 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 3700 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 3701 3702 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 3703 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3704 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3705 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3706 SCTP_ERROR(ECONNREFUSED)); 3707 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 3708 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 3709 } else { 3710 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 3711 SCTP_ERROR(ECONNABORTED)); 3712 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 3713 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 3714 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 3715 } 3716 3717 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 3718 3719 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 3720 3721 return SCTP_DISPOSITION_ABORT; 3722 3723nomem: 3724 return SCTP_DISPOSITION_NOMEM; 3725} 3726 3727/*************************************************************************** 3728 * These are the state functions for handling primitive (Section 10) events. 3729 ***************************************************************************/ 3730/* 3731 * sctp_sf_do_prm_asoc 3732 * 3733 * Section: 10.1 ULP-to-SCTP 3734 * B) Associate 3735 * 3736 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 3737 * outbound stream count) 3738 * -> association id [,destination transport addr list] [,outbound stream 3739 * count] 3740 * 3741 * This primitive allows the upper layer to initiate an association to a 3742 * specific peer endpoint. 3743 * 3744 * The peer endpoint shall be specified by one of the transport addresses 3745 * which defines the endpoint (see Section 1.4). If the local SCTP 3746 * instance has not been initialized, the ASSOCIATE is considered an 3747 * error. 3748 * [This is not relevant for the kernel implementation since we do all 3749 * initialization at boot time. It we hadn't initialized we wouldn't 3750 * get anywhere near this code.] 3751 * 3752 * An association id, which is a local handle to the SCTP association, 3753 * will be returned on successful establishment of the association. If 3754 * SCTP is not able to open an SCTP association with the peer endpoint, 3755 * an error is returned. 3756 * [In the kernel implementation, the struct sctp_association needs to 3757 * be created BEFORE causing this primitive to run.] 3758 * 3759 * Other association parameters may be returned, including the 3760 * complete destination transport addresses of the peer as well as the 3761 * outbound stream count of the local endpoint. One of the transport 3762 * address from the returned destination addresses will be selected by 3763 * the local endpoint as default primary path for sending SCTP packets 3764 * to this peer. The returned "destination transport addr list" can 3765 * be used by the ULP to change the default primary path or to force 3766 * sending a packet to a specific transport address. [All of this 3767 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 3768 * function.] 3769 * 3770 * Mandatory attributes: 3771 * 3772 * o local SCTP instance name - obtained from the INITIALIZE operation. 3773 * [This is the argument asoc.] 3774 * o destination transport addr - specified as one of the transport 3775 * addresses of the peer endpoint with which the association is to be 3776 * established. 3777 * [This is asoc->peer.active_path.] 3778 * o outbound stream count - the number of outbound streams the ULP 3779 * would like to open towards this peer endpoint. 3780 * [BUG: This is not currently implemented.] 3781 * Optional attributes: 3782 * 3783 * None. 3784 * 3785 * The return value is a disposition. 3786 */ 3787sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep, 3788 const struct sctp_association *asoc, 3789 const sctp_subtype_t type, 3790 void *arg, 3791 sctp_cmd_seq_t *commands) 3792{ 3793 struct sctp_chunk *repl; 3794 3795 /* The comment below says that we enter COOKIE-WAIT AFTER 3796 * sending the INIT, but that doesn't actually work in our 3797 * implementation... 3798 */ 3799 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3800 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 3801 3802 /* RFC 2960 5.1 Normal Establishment of an Association 3803 * 3804 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 3805 * must provide its Verification Tag (Tag_A) in the Initiate 3806 * Tag field. Tag_A SHOULD be a random number in the range of 3807 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 3808 */ 3809 3810 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 3811 if (!repl) 3812 goto nomem; 3813 3814 /* Cast away the const modifier, as we want to just 3815 * rerun it through as a sideffect. 3816 */ 3817 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, 3818 SCTP_ASOC((struct sctp_association *) asoc)); 3819 3820 /* Choose transport for INIT. */ 3821 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 3822 SCTP_CHUNK(repl)); 3823 3824 /* After sending the INIT, "A" starts the T1-init timer and 3825 * enters the COOKIE-WAIT state. 3826 */ 3827 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3828 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 3829 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 3830 return SCTP_DISPOSITION_CONSUME; 3831 3832nomem: 3833 return SCTP_DISPOSITION_NOMEM; 3834} 3835 3836/* 3837 * Process the SEND primitive. 3838 * 3839 * Section: 10.1 ULP-to-SCTP 3840 * E) Send 3841 * 3842 * Format: SEND(association id, buffer address, byte count [,context] 3843 * [,stream id] [,life time] [,destination transport address] 3844 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 3845 * -> result 3846 * 3847 * This is the main method to send user data via SCTP. 3848 * 3849 * Mandatory attributes: 3850 * 3851 * o association id - local handle to the SCTP association 3852 * 3853 * o buffer address - the location where the user message to be 3854 * transmitted is stored; 3855 * 3856 * o byte count - The size of the user data in number of bytes; 3857 * 3858 * Optional attributes: 3859 * 3860 * o context - an optional 32 bit integer that will be carried in the 3861 * sending failure notification to the ULP if the transportation of 3862 * this User Message fails. 3863 * 3864 * o stream id - to indicate which stream to send the data on. If not 3865 * specified, stream 0 will be used. 3866 * 3867 * o life time - specifies the life time of the user data. The user data 3868 * will not be sent by SCTP after the life time expires. This 3869 * parameter can be used to avoid efforts to transmit stale 3870 * user messages. SCTP notifies the ULP if the data cannot be 3871 * initiated to transport (i.e. sent to the destination via SCTP's 3872 * send primitive) within the life time variable. However, the 3873 * user data will be transmitted if SCTP has attempted to transmit a 3874 * chunk before the life time expired. 3875 * 3876 * o destination transport address - specified as one of the destination 3877 * transport addresses of the peer endpoint to which this packet 3878 * should be sent. Whenever possible, SCTP should use this destination 3879 * transport address for sending the packets, instead of the current 3880 * primary path. 3881 * 3882 * o unorder flag - this flag, if present, indicates that the user 3883 * would like the data delivered in an unordered fashion to the peer 3884 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 3885 * message). 3886 * 3887 * o no-bundle flag - instructs SCTP not to bundle this user data with 3888 * other outbound DATA chunks. SCTP MAY still bundle even when 3889 * this flag is present, when faced with network congestion. 3890 * 3891 * o payload protocol-id - A 32 bit unsigned integer that is to be 3892 * passed to the peer indicating the type of payload protocol data 3893 * being transmitted. This value is passed as opaque data by SCTP. 3894 * 3895 * The return value is the disposition. 3896 */ 3897sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep, 3898 const struct sctp_association *asoc, 3899 const sctp_subtype_t type, 3900 void *arg, 3901 sctp_cmd_seq_t *commands) 3902{ 3903 struct sctp_chunk *chunk = arg; 3904 3905 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 3906 return SCTP_DISPOSITION_CONSUME; 3907} 3908 3909/* 3910 * Process the SHUTDOWN primitive. 3911 * 3912 * Section: 10.1: 3913 * C) Shutdown 3914 * 3915 * Format: SHUTDOWN(association id) 3916 * -> result 3917 * 3918 * Gracefully closes an association. Any locally queued user data 3919 * will be delivered to the peer. The association will be terminated only 3920 * after the peer acknowledges all the SCTP packets sent. A success code 3921 * will be returned on successful termination of the association. If 3922 * attempting to terminate the association results in a failure, an error 3923 * code shall be returned. 3924 * 3925 * Mandatory attributes: 3926 * 3927 * o association id - local handle to the SCTP association 3928 * 3929 * Optional attributes: 3930 * 3931 * None. 3932 * 3933 * The return value is the disposition. 3934 */ 3935sctp_disposition_t sctp_sf_do_9_2_prm_shutdown( 3936 const struct sctp_endpoint *ep, 3937 const struct sctp_association *asoc, 3938 const sctp_subtype_t type, 3939 void *arg, 3940 sctp_cmd_seq_t *commands) 3941{ 3942 int disposition; 3943 3944 /* From 9.2 Shutdown of an Association 3945 * Upon receipt of the SHUTDOWN primitive from its upper 3946 * layer, the endpoint enters SHUTDOWN-PENDING state and 3947 * remains there until all outstanding data has been 3948 * acknowledged by its peer. The endpoint accepts no new data 3949 * from its upper layer, but retransmits data to the far end 3950 * if necessary to fill gaps. 3951 */ 3952 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3953 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 3954 3955 /* sctpimpguide-05 Section 2.12.2 3956 * The sender of the SHUTDOWN MAY also start an overall guard timer 3957 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 3958 */ 3959 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 3960 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3961 3962 disposition = SCTP_DISPOSITION_CONSUME; 3963 if (sctp_outq_is_empty(&asoc->outqueue)) { 3964 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 3965 arg, commands); 3966 } 3967 return disposition; 3968} 3969 3970/* 3971 * Process the ABORT primitive. 3972 * 3973 * Section: 10.1: 3974 * C) Abort 3975 * 3976 * Format: Abort(association id [, cause code]) 3977 * -> result 3978 * 3979 * Ungracefully closes an association. Any locally queued user data 3980 * will be discarded and an ABORT chunk is sent to the peer. A success code 3981 * will be returned on successful abortion of the association. If 3982 * attempting to abort the association results in a failure, an error 3983 * code shall be returned. 3984 * 3985 * Mandatory attributes: 3986 * 3987 * o association id - local handle to the SCTP association 3988 * 3989 * Optional attributes: 3990 * 3991 * o cause code - reason of the abort to be passed to the peer 3992 * 3993 * None. 3994 * 3995 * The return value is the disposition. 3996 */ 3997sctp_disposition_t sctp_sf_do_9_1_prm_abort( 3998 const struct sctp_endpoint *ep, 3999 const struct sctp_association *asoc, 4000 const sctp_subtype_t type, 4001 void *arg, 4002 sctp_cmd_seq_t *commands) 4003{ 4004 /* From 9.1 Abort of an Association 4005 * Upon receipt of the ABORT primitive from its upper 4006 * layer, the endpoint enters CLOSED state and 4007 * discard all outstanding data has been 4008 * acknowledged by its peer. The endpoint accepts no new data 4009 * from its upper layer, but retransmits data to the far end 4010 * if necessary to fill gaps. 4011 */ 4012 struct sctp_chunk *abort = arg; 4013 sctp_disposition_t retval; 4014 4015 retval = SCTP_DISPOSITION_CONSUME; 4016 4017 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4018 4019 /* Even if we can't send the ABORT due to low memory delete the 4020 * TCB. This is a departure from our typical NOMEM handling. 4021 */ 4022 4023 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4024 SCTP_ERROR(ECONNABORTED)); 4025 /* Delete the established association. */ 4026 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4027 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4028 4029 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4030 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4031 4032 return retval; 4033} 4034 4035/* We tried an illegal operation on an association which is closed. */ 4036sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep, 4037 const struct sctp_association *asoc, 4038 const sctp_subtype_t type, 4039 void *arg, 4040 sctp_cmd_seq_t *commands) 4041{ 4042 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 4043 return SCTP_DISPOSITION_CONSUME; 4044} 4045 4046/* We tried an illegal operation on an association which is shutting 4047 * down. 4048 */ 4049sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep, 4050 const struct sctp_association *asoc, 4051 const sctp_subtype_t type, 4052 void *arg, 4053 sctp_cmd_seq_t *commands) 4054{ 4055 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 4056 SCTP_ERROR(-ESHUTDOWN)); 4057 return SCTP_DISPOSITION_CONSUME; 4058} 4059 4060/* 4061 * sctp_cookie_wait_prm_shutdown 4062 * 4063 * Section: 4 Note: 2 4064 * Verification Tag: 4065 * Inputs 4066 * (endpoint, asoc) 4067 * 4068 * The RFC does not explicitly address this issue, but is the route through the 4069 * state table when someone issues a shutdown while in COOKIE_WAIT state. 4070 * 4071 * Outputs 4072 * (timers) 4073 */ 4074sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown( 4075 const struct sctp_endpoint *ep, 4076 const struct sctp_association *asoc, 4077 const sctp_subtype_t type, 4078 void *arg, 4079 sctp_cmd_seq_t *commands) 4080{ 4081 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4082 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4083 4084 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4085 SCTP_STATE(SCTP_STATE_CLOSED)); 4086 4087 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS); 4088 4089 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 4090 4091 return SCTP_DISPOSITION_DELETE_TCB; 4092} 4093 4094/* 4095 * sctp_cookie_echoed_prm_shutdown 4096 * 4097 * Section: 4 Note: 2 4098 * Verification Tag: 4099 * Inputs 4100 * (endpoint, asoc) 4101 * 4102 * The RFC does not explcitly address this issue, but is the route through the 4103 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 4104 * 4105 * Outputs 4106 * (timers) 4107 */ 4108sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown( 4109 const struct sctp_endpoint *ep, 4110 const struct sctp_association *asoc, 4111 const sctp_subtype_t type, 4112 void *arg, sctp_cmd_seq_t *commands) 4113{ 4114 /* There is a single T1 timer, so we should be able to use 4115 * common function with the COOKIE-WAIT state. 4116 */ 4117 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands); 4118} 4119 4120/* 4121 * sctp_sf_cookie_wait_prm_abort 4122 * 4123 * Section: 4 Note: 2 4124 * Verification Tag: 4125 * Inputs 4126 * (endpoint, asoc) 4127 * 4128 * The RFC does not explicitly address this issue, but is the route through the 4129 * state table when someone issues an abort while in COOKIE_WAIT state. 4130 * 4131 * Outputs 4132 * (timers) 4133 */ 4134sctp_disposition_t sctp_sf_cookie_wait_prm_abort( 4135 const struct sctp_endpoint *ep, 4136 const struct sctp_association *asoc, 4137 const sctp_subtype_t type, 4138 void *arg, 4139 sctp_cmd_seq_t *commands) 4140{ 4141 struct sctp_chunk *abort = arg; 4142 sctp_disposition_t retval; 4143 4144 /* Stop T1-init timer */ 4145 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4146 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4147 retval = SCTP_DISPOSITION_CONSUME; 4148 4149 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4150 4151 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4152 SCTP_STATE(SCTP_STATE_CLOSED)); 4153 4154 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4155 4156 /* Even if we can't send the ABORT due to low memory delete the 4157 * TCB. This is a departure from our typical NOMEM handling. 4158 */ 4159 4160 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4161 SCTP_ERROR(ECONNREFUSED)); 4162 /* Delete the established association. */ 4163 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4164 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 4165 4166 return retval; 4167} 4168 4169/* 4170 * sctp_sf_cookie_echoed_prm_abort 4171 * 4172 * Section: 4 Note: 3 4173 * Verification Tag: 4174 * Inputs 4175 * (endpoint, asoc) 4176 * 4177 * The RFC does not explcitly address this issue, but is the route through the 4178 * state table when someone issues an abort while in COOKIE_ECHOED state. 4179 * 4180 * Outputs 4181 * (timers) 4182 */ 4183sctp_disposition_t sctp_sf_cookie_echoed_prm_abort( 4184 const struct sctp_endpoint *ep, 4185 const struct sctp_association *asoc, 4186 const sctp_subtype_t type, 4187 void *arg, 4188 sctp_cmd_seq_t *commands) 4189{ 4190 /* There is a single T1 timer, so we should be able to use 4191 * common function with the COOKIE-WAIT state. 4192 */ 4193 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands); 4194} 4195 4196/* 4197 * sctp_sf_shutdown_pending_prm_abort 4198 * 4199 * Inputs 4200 * (endpoint, asoc) 4201 * 4202 * The RFC does not explicitly address this issue, but is the route through the 4203 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 4204 * 4205 * Outputs 4206 * (timers) 4207 */ 4208sctp_disposition_t sctp_sf_shutdown_pending_prm_abort( 4209 const struct sctp_endpoint *ep, 4210 const struct sctp_association *asoc, 4211 const sctp_subtype_t type, 4212 void *arg, 4213 sctp_cmd_seq_t *commands) 4214{ 4215 /* Stop the T5-shutdown guard timer. */ 4216 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4217 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4218 4219 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4220} 4221 4222/* 4223 * sctp_sf_shutdown_sent_prm_abort 4224 * 4225 * Inputs 4226 * (endpoint, asoc) 4227 * 4228 * The RFC does not explicitly address this issue, but is the route through the 4229 * state table when someone issues an abort while in SHUTDOWN-SENT state. 4230 * 4231 * Outputs 4232 * (timers) 4233 */ 4234sctp_disposition_t sctp_sf_shutdown_sent_prm_abort( 4235 const struct sctp_endpoint *ep, 4236 const struct sctp_association *asoc, 4237 const sctp_subtype_t type, 4238 void *arg, 4239 sctp_cmd_seq_t *commands) 4240{ 4241 /* Stop the T2-shutdown timer. */ 4242 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4243 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4244 4245 /* Stop the T5-shutdown guard timer. */ 4246 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4247 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4248 4249 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands); 4250} 4251 4252/* 4253 * sctp_sf_cookie_echoed_prm_abort 4254 * 4255 * Inputs 4256 * (endpoint, asoc) 4257 * 4258 * The RFC does not explcitly address this issue, but is the route through the 4259 * state table when someone issues an abort while in COOKIE_ECHOED state. 4260 * 4261 * Outputs 4262 * (timers) 4263 */ 4264sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort( 4265 const struct sctp_endpoint *ep, 4266 const struct sctp_association *asoc, 4267 const sctp_subtype_t type, 4268 void *arg, 4269 sctp_cmd_seq_t *commands) 4270{ 4271 /* The same T2 timer, so we should be able to use 4272 * common function with the SHUTDOWN-SENT state. 4273 */ 4274 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands); 4275} 4276 4277/* 4278 * Process the REQUESTHEARTBEAT primitive 4279 * 4280 * 10.1 ULP-to-SCTP 4281 * J) Request Heartbeat 4282 * 4283 * Format: REQUESTHEARTBEAT(association id, destination transport address) 4284 * 4285 * -> result 4286 * 4287 * Instructs the local endpoint to perform a HeartBeat on the specified 4288 * destination transport address of the given association. The returned 4289 * result should indicate whether the transmission of the HEARTBEAT 4290 * chunk to the destination address is successful. 4291 * 4292 * Mandatory attributes: 4293 * 4294 * o association id - local handle to the SCTP association 4295 * 4296 * o destination transport address - the transport address of the 4297 * association on which a heartbeat should be issued. 4298 */ 4299sctp_disposition_t sctp_sf_do_prm_requestheartbeat( 4300 const struct sctp_endpoint *ep, 4301 const struct sctp_association *asoc, 4302 const sctp_subtype_t type, 4303 void *arg, 4304 sctp_cmd_seq_t *commands) 4305{ 4306 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 4307 (struct sctp_transport *)arg, commands)) 4308 return SCTP_DISPOSITION_NOMEM; 4309 4310 /* 4311 * RFC 2960 (bis), section 8.3 4312 * 4313 * D) Request an on-demand HEARTBEAT on a specific destination 4314 * transport address of a given association. 4315 * 4316 * The endpoint should increment the respective error counter of 4317 * the destination transport address each time a HEARTBEAT is sent 4318 * to that address and not acknowledged within one RTO. 4319 * 4320 */ 4321 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET, 4322 SCTP_TRANSPORT(arg)); 4323 return SCTP_DISPOSITION_CONSUME; 4324} 4325 4326/* 4327 * ADDIP Section 4.1 ASCONF Chunk Procedures 4328 * When an endpoint has an ASCONF signaled change to be sent to the 4329 * remote endpoint it should do A1 to A9 4330 */ 4331sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep, 4332 const struct sctp_association *asoc, 4333 const sctp_subtype_t type, 4334 void *arg, 4335 sctp_cmd_seq_t *commands) 4336{ 4337 struct sctp_chunk *chunk = arg; 4338 4339 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4340 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4341 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4342 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 4343 return SCTP_DISPOSITION_CONSUME; 4344} 4345 4346/* 4347 * Ignore the primitive event 4348 * 4349 * The return value is the disposition of the primitive. 4350 */ 4351sctp_disposition_t sctp_sf_ignore_primitive( 4352 const struct sctp_endpoint *ep, 4353 const struct sctp_association *asoc, 4354 const sctp_subtype_t type, 4355 void *arg, 4356 sctp_cmd_seq_t *commands) 4357{ 4358 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive); 4359 return SCTP_DISPOSITION_DISCARD; 4360} 4361 4362/*************************************************************************** 4363 * These are the state functions for the OTHER events. 4364 ***************************************************************************/ 4365 4366/* 4367 * Start the shutdown negotiation. 4368 * 4369 * From Section 9.2: 4370 * Once all its outstanding data has been acknowledged, the endpoint 4371 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 4372 * TSN Ack field the last sequential TSN it has received from the peer. 4373 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 4374 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 4375 * with the updated last sequential TSN received from its peer. 4376 * 4377 * The return value is the disposition. 4378 */ 4379sctp_disposition_t sctp_sf_do_9_2_start_shutdown( 4380 const struct sctp_endpoint *ep, 4381 const struct sctp_association *asoc, 4382 const sctp_subtype_t type, 4383 void *arg, 4384 sctp_cmd_seq_t *commands) 4385{ 4386 struct sctp_chunk *reply; 4387 4388 /* Once all its outstanding data has been acknowledged, the 4389 * endpoint shall send a SHUTDOWN chunk to its peer including 4390 * in the Cumulative TSN Ack field the last sequential TSN it 4391 * has received from the peer. 4392 */ 4393 reply = sctp_make_shutdown(asoc, NULL); 4394 if (!reply) 4395 goto nomem; 4396 4397 /* Set the transport for the SHUTDOWN chunk and the timeout for the 4398 * T2-shutdown timer. 4399 */ 4400 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4401 4402 /* It shall then start the T2-shutdown timer */ 4403 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4404 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4405 4406 if (asoc->autoclose) 4407 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4408 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4409 4410 /* and enter the SHUTDOWN-SENT state. */ 4411 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4412 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 4413 4414 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4415 * 4416 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4417 * or SHUTDOWN-ACK. 4418 */ 4419 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4420 4421 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4422 4423 return SCTP_DISPOSITION_CONSUME; 4424 4425nomem: 4426 return SCTP_DISPOSITION_NOMEM; 4427} 4428 4429/* 4430 * Generate a SHUTDOWN ACK now that everything is SACK'd. 4431 * 4432 * From Section 9.2: 4433 * 4434 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4435 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 4436 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 4437 * endpoint must re-send the SHUTDOWN ACK. 4438 * 4439 * The return value is the disposition. 4440 */ 4441sctp_disposition_t sctp_sf_do_9_2_shutdown_ack( 4442 const struct sctp_endpoint *ep, 4443 const struct sctp_association *asoc, 4444 const sctp_subtype_t type, 4445 void *arg, 4446 sctp_cmd_seq_t *commands) 4447{ 4448 struct sctp_chunk *chunk = (struct sctp_chunk *) arg; 4449 struct sctp_chunk *reply; 4450 4451 /* There are 2 ways of getting here: 4452 * 1) called in response to a SHUTDOWN chunk 4453 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 4454 * 4455 * For the case (2), the arg parameter is set to NULL. We need 4456 * to check that we have a chunk before accessing it's fields. 4457 */ 4458 if (chunk) { 4459 if (!sctp_vtag_verify(chunk, asoc)) 4460 return sctp_sf_pdiscard(ep, asoc, type, arg, commands); 4461 4462 /* Make sure that the SHUTDOWN chunk has a valid length. */ 4463 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t))) 4464 return sctp_sf_violation_chunklen(ep, asoc, type, arg, 4465 commands); 4466 } 4467 4468 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 4469 * shall send a SHUTDOWN ACK ... 4470 */ 4471 reply = sctp_make_shutdown_ack(asoc, chunk); 4472 if (!reply) 4473 goto nomem; 4474 4475 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 4476 * the T2-shutdown timer. 4477 */ 4478 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4479 4480 /* and start/restart a T2-shutdown timer of its own, */ 4481 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4482 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4483 4484 if (asoc->autoclose) 4485 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4486 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4487 4488 /* Enter the SHUTDOWN-ACK-SENT state. */ 4489 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4490 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 4491 4492 /* sctp-implguide 2.10 Issues with Heartbeating and failover 4493 * 4494 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 4495 * or SHUTDOWN-ACK. 4496 */ 4497 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 4498 4499 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4500 4501 return SCTP_DISPOSITION_CONSUME; 4502 4503nomem: 4504 return SCTP_DISPOSITION_NOMEM; 4505} 4506 4507/* 4508 * Ignore the event defined as other 4509 * 4510 * The return value is the disposition of the event. 4511 */ 4512sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep, 4513 const struct sctp_association *asoc, 4514 const sctp_subtype_t type, 4515 void *arg, 4516 sctp_cmd_seq_t *commands) 4517{ 4518 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other); 4519 return SCTP_DISPOSITION_DISCARD; 4520} 4521 4522/************************************************************ 4523 * These are the state functions for handling timeout events. 4524 ************************************************************/ 4525 4526/* 4527 * RTX Timeout 4528 * 4529 * Section: 6.3.3 Handle T3-rtx Expiration 4530 * 4531 * Whenever the retransmission timer T3-rtx expires for a destination 4532 * address, do the following: 4533 * [See below] 4534 * 4535 * The return value is the disposition of the chunk. 4536 */ 4537sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep, 4538 const struct sctp_association *asoc, 4539 const sctp_subtype_t type, 4540 void *arg, 4541 sctp_cmd_seq_t *commands) 4542{ 4543 struct sctp_transport *transport = arg; 4544 4545 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); 4546 4547 if (asoc->overall_error_count >= asoc->max_retrans) { 4548 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4549 SCTP_ERROR(ETIMEDOUT)); 4550 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4551 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4552 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4553 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4554 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4555 return SCTP_DISPOSITION_DELETE_TCB; 4556 } 4557 4558 /* E1) For the destination address for which the timer 4559 * expires, adjust its ssthresh with rules defined in Section 4560 * 7.2.3 and set the cwnd <- MTU. 4561 */ 4562 4563 /* E2) For the destination address for which the timer 4564 * expires, set RTO <- RTO * 2 ("back off the timer"). The 4565 * maximum value discussed in rule C7 above (RTO.max) may be 4566 * used to provide an upper bound to this doubling operation. 4567 */ 4568 4569 /* E3) Determine how many of the earliest (i.e., lowest TSN) 4570 * outstanding DATA chunks for the address for which the 4571 * T3-rtx has expired will fit into a single packet, subject 4572 * to the MTU constraint for the path corresponding to the 4573 * destination transport address to which the retransmission 4574 * is being sent (this may be different from the address for 4575 * which the timer expires [see Section 6.4]). Call this 4576 * value K. Bundle and retransmit those K DATA chunks in a 4577 * single packet to the destination endpoint. 4578 * 4579 * Note: Any DATA chunks that were sent to the address for 4580 * which the T3-rtx timer expired but did not fit in one MTU 4581 * (rule E3 above), should be marked for retransmission and 4582 * sent as soon as cwnd allows (normally when a SACK arrives). 4583 */ 4584 4585 /* Do some failure management (Section 8.2). */ 4586 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4587 4588 /* NB: Rules E4 and F1 are implicit in R1. */ 4589 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 4590 4591 return SCTP_DISPOSITION_CONSUME; 4592} 4593 4594/* 4595 * Generate delayed SACK on timeout 4596 * 4597 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 4598 * 4599 * The guidelines on delayed acknowledgement algorithm specified in 4600 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 4601 * acknowledgement SHOULD be generated for at least every second packet 4602 * (not every second DATA chunk) received, and SHOULD be generated 4603 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 4604 * some situations it may be beneficial for an SCTP transmitter to be 4605 * more conservative than the algorithms detailed in this document 4606 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 4607 * the following algorithms allow. 4608 */ 4609sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep, 4610 const struct sctp_association *asoc, 4611 const sctp_subtype_t type, 4612 void *arg, 4613 sctp_cmd_seq_t *commands) 4614{ 4615 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS); 4616 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4617 return SCTP_DISPOSITION_CONSUME; 4618} 4619 4620/* 4621 * sctp_sf_t1_init_timer_expire 4622 * 4623 * Section: 4 Note: 2 4624 * Verification Tag: 4625 * Inputs 4626 * (endpoint, asoc) 4627 * 4628 * RFC 2960 Section 4 Notes 4629 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 4630 * and re-start the T1-init timer without changing state. This MUST 4631 * be repeated up to 'Max.Init.Retransmits' times. After that, the 4632 * endpoint MUST abort the initialization process and report the 4633 * error to SCTP user. 4634 * 4635 * Outputs 4636 * (timers, events) 4637 * 4638 */ 4639sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, 4640 const struct sctp_association *asoc, 4641 const sctp_subtype_t type, 4642 void *arg, 4643 sctp_cmd_seq_t *commands) 4644{ 4645 struct sctp_chunk *repl = NULL; 4646 struct sctp_bind_addr *bp; 4647 int attempts = asoc->init_err_counter + 1; 4648 4649 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); 4650 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS); 4651 4652 if (attempts <= asoc->max_init_attempts) { 4653 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 4654 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 4655 if (!repl) 4656 return SCTP_DISPOSITION_NOMEM; 4657 4658 /* Choose transport for INIT. */ 4659 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4660 SCTP_CHUNK(repl)); 4661 4662 /* Issue a sideeffect to do the needed accounting. */ 4663 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 4664 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4665 4666 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4667 } else { 4668 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d" 4669 " max_init_attempts: %d\n", 4670 attempts, asoc->max_init_attempts); 4671 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4672 SCTP_ERROR(ETIMEDOUT)); 4673 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4674 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4675 return SCTP_DISPOSITION_DELETE_TCB; 4676 } 4677 4678 return SCTP_DISPOSITION_CONSUME; 4679} 4680 4681/* 4682 * sctp_sf_t1_cookie_timer_expire 4683 * 4684 * Section: 4 Note: 2 4685 * Verification Tag: 4686 * Inputs 4687 * (endpoint, asoc) 4688 * 4689 * RFC 2960 Section 4 Notes 4690 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 4691 * COOKIE ECHO and re-start the T1-cookie timer without changing 4692 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 4693 * After that, the endpoint MUST abort the initialization process and 4694 * report the error to SCTP user. 4695 * 4696 * Outputs 4697 * (timers, events) 4698 * 4699 */ 4700sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep, 4701 const struct sctp_association *asoc, 4702 const sctp_subtype_t type, 4703 void *arg, 4704 sctp_cmd_seq_t *commands) 4705{ 4706 struct sctp_chunk *repl = NULL; 4707 int attempts = asoc->init_err_counter + 1; 4708 4709 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); 4710 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS); 4711 4712 if (attempts <= asoc->max_init_attempts) { 4713 repl = sctp_make_cookie_echo(asoc, NULL); 4714 if (!repl) 4715 return SCTP_DISPOSITION_NOMEM; 4716 4717 /* Issue a sideeffect to do the needed accounting. */ 4718 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 4719 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 4720 4721 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 4722 } else { 4723 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4724 SCTP_ERROR(ETIMEDOUT)); 4725 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4726 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4727 return SCTP_DISPOSITION_DELETE_TCB; 4728 } 4729 4730 return SCTP_DISPOSITION_CONSUME; 4731} 4732 4733/* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 4734 * with the updated last sequential TSN received from its peer. 4735 * 4736 * An endpoint should limit the number of retransmissions of the 4737 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 4738 * If this threshold is exceeded the endpoint should destroy the TCB and 4739 * MUST report the peer endpoint unreachable to the upper layer (and 4740 * thus the association enters the CLOSED state). The reception of any 4741 * packet from its peer (i.e. as the peer sends all of its queued DATA 4742 * chunks) should clear the endpoint's retransmission count and restart 4743 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 4744 * all of its queued DATA chunks that have not yet been sent. 4745 */ 4746sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 4747 const struct sctp_association *asoc, 4748 const sctp_subtype_t type, 4749 void *arg, 4750 sctp_cmd_seq_t *commands) 4751{ 4752 struct sctp_chunk *reply = NULL; 4753 4754 SCTP_DEBUG_PRINTK("Timer T2 expired.\n"); 4755 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 4756 4757 if (asoc->overall_error_count >= asoc->max_retrans) { 4758 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4759 SCTP_ERROR(ETIMEDOUT)); 4760 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 4761 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4762 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4763 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4764 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 4765 return SCTP_DISPOSITION_DELETE_TCB; 4766 } 4767 4768 switch (asoc->state) { 4769 case SCTP_STATE_SHUTDOWN_SENT: 4770 reply = sctp_make_shutdown(asoc, NULL); 4771 break; 4772 4773 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4774 reply = sctp_make_shutdown_ack(asoc, NULL); 4775 break; 4776 4777 default: 4778 BUG(); 4779 break; 4780 } 4781 4782 if (!reply) 4783 goto nomem; 4784 4785 /* Do some failure management (Section 8.2). */ 4786 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 4787 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 4788 4789 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 4790 * the T2-shutdown timer. 4791 */ 4792 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 4793 4794 /* Restart the T2-shutdown timer. */ 4795 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4796 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4797 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4798 return SCTP_DISPOSITION_CONSUME; 4799 4800nomem: 4801 return SCTP_DISPOSITION_NOMEM; 4802} 4803 4804/* 4805 * ADDIP Section 4.1 ASCONF CHunk Procedures 4806 * If the T4 RTO timer expires the endpoint should do B1 to B5 4807 */ 4808sctp_disposition_t sctp_sf_t4_timer_expire( 4809 const struct sctp_endpoint *ep, 4810 const struct sctp_association *asoc, 4811 const sctp_subtype_t type, 4812 void *arg, 4813 sctp_cmd_seq_t *commands) 4814{ 4815 struct sctp_chunk *chunk = asoc->addip_last_asconf; 4816 struct sctp_transport *transport = chunk->transport; 4817 4818 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS); 4819 4820 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 4821 * detection on the appropriate destination address as defined in 4822 * RFC2960 [5] section 8.1 and 8.2. 4823 */ 4824 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 4825 4826 /* Reconfig T4 timer and transport. */ 4827 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 4828 4829 /* ADDIP 4.1 B2) Increment the association error counters and perform 4830 * endpoint failure detection on the association as defined in 4831 * RFC2960 [5] section 8.1 and 8.2. 4832 * association error counter is incremented in SCTP_CMD_STRIKE. 4833 */ 4834 if (asoc->overall_error_count >= asoc->max_retrans) { 4835 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4836 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4837 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4838 SCTP_ERROR(ETIMEDOUT)); 4839 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4840 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4841 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 4842 SCTP_INC_STATS(SCTP_MIB_CURRESTAB); 4843 return SCTP_DISPOSITION_ABORT; 4844 } 4845 4846 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 4847 * the ASCONF chunk was sent by doubling the RTO timer value. 4848 * This is done in SCTP_CMD_STRIKE. 4849 */ 4850 4851 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 4852 * choose an alternate destination address (please refer to RFC2960 4853 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 4854 * chunk, it MUST be the same (including its serial number) as the last 4855 * ASCONF sent. 4856 */ 4857 sctp_chunk_hold(asoc->addip_last_asconf); 4858 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4859 SCTP_CHUNK(asoc->addip_last_asconf)); 4860 4861 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 4862 * destination is selected, then the RTO used will be that of the new 4863 * destination address. 4864 */ 4865 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4866 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4867 4868 return SCTP_DISPOSITION_CONSUME; 4869} 4870 4871/* sctpimpguide-05 Section 2.12.2 4872 * The sender of the SHUTDOWN MAY also start an overall guard timer 4873 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4874 * At the expiration of this timer the sender SHOULD abort the association 4875 * by sending an ABORT chunk. 4876 */ 4877sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep, 4878 const struct sctp_association *asoc, 4879 const sctp_subtype_t type, 4880 void *arg, 4881 sctp_cmd_seq_t *commands) 4882{ 4883 struct sctp_chunk *reply = NULL; 4884 4885 SCTP_DEBUG_PRINTK("Timer T5 expired.\n"); 4886 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 4887 4888 reply = sctp_make_abort(asoc, NULL, 0); 4889 if (!reply) 4890 goto nomem; 4891 4892 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 4893 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4894 SCTP_ERROR(ETIMEDOUT)); 4895 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4896 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 4897 4898 return SCTP_DISPOSITION_DELETE_TCB; 4899nomem: 4900 return SCTP_DISPOSITION_NOMEM; 4901} 4902 4903/* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 4904 * the association is automatically closed by starting the shutdown process. 4905 * The work that needs to be done is same as when SHUTDOWN is initiated by 4906 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 4907 */ 4908sctp_disposition_t sctp_sf_autoclose_timer_expire( 4909 const struct sctp_endpoint *ep, 4910 const struct sctp_association *asoc, 4911 const sctp_subtype_t type, 4912 void *arg, 4913 sctp_cmd_seq_t *commands) 4914{ 4915 int disposition; 4916 4917 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS); 4918 4919 /* From 9.2 Shutdown of an Association 4920 * Upon receipt of the SHUTDOWN primitive from its upper 4921 * layer, the endpoint enters SHUTDOWN-PENDING state and 4922 * remains there until all outstanding data has been 4923 * acknowledged by its peer. The endpoint accepts no new data 4924 * from its upper layer, but retransmits data to the far end 4925 * if necessary to fill gaps. 4926 */ 4927 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4928 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 4929 4930 /* sctpimpguide-05 Section 2.12.2 4931 * The sender of the SHUTDOWN MAY also start an overall guard timer 4932 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 4933 */ 4934 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 4935 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 4936 disposition = SCTP_DISPOSITION_CONSUME; 4937 if (sctp_outq_is_empty(&asoc->outqueue)) { 4938 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type, 4939 arg, commands); 4940 } 4941 return disposition; 4942} 4943 4944/***************************************************************************** 4945 * These are sa state functions which could apply to all types of events. 4946 ****************************************************************************/ 4947 4948/* 4949 * This table entry is not implemented. 4950 * 4951 * Inputs 4952 * (endpoint, asoc, chunk) 4953 * 4954 * The return value is the disposition of the chunk. 4955 */ 4956sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep, 4957 const struct sctp_association *asoc, 4958 const sctp_subtype_t type, 4959 void *arg, 4960 sctp_cmd_seq_t *commands) 4961{ 4962 return SCTP_DISPOSITION_NOT_IMPL; 4963} 4964 4965/* 4966 * This table entry represents a bug. 4967 * 4968 * Inputs 4969 * (endpoint, asoc, chunk) 4970 * 4971 * The return value is the disposition of the chunk. 4972 */ 4973sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep, 4974 const struct sctp_association *asoc, 4975 const sctp_subtype_t type, 4976 void *arg, 4977 sctp_cmd_seq_t *commands) 4978{ 4979 return SCTP_DISPOSITION_BUG; 4980} 4981 4982/* 4983 * This table entry represents the firing of a timer in the wrong state. 4984 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 4985 * when the association is in the wrong state. This event should 4986 * be ignored, so as to prevent any rearming of the timer. 4987 * 4988 * Inputs 4989 * (endpoint, asoc, chunk) 4990 * 4991 * The return value is the disposition of the chunk. 4992 */ 4993sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, 4994 const struct sctp_association *asoc, 4995 const sctp_subtype_t type, 4996 void *arg, 4997 sctp_cmd_seq_t *commands) 4998{ 4999 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk); 5000 return SCTP_DISPOSITION_CONSUME; 5001} 5002 5003/******************************************************************** 5004 * 2nd Level Abstractions 5005 ********************************************************************/ 5006 5007/* Pull the SACK chunk based on the SACK header. */ 5008static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 5009{ 5010 struct sctp_sackhdr *sack; 5011 unsigned int len; 5012 __u16 num_blocks; 5013 __u16 num_dup_tsns; 5014 5015 /* Protect ourselves from reading too far into 5016 * the skb from a bogus sender. 5017 */ 5018 sack = (struct sctp_sackhdr *) chunk->skb->data; 5019 5020 num_blocks = ntohs(sack->num_gap_ack_blocks); 5021 num_dup_tsns = ntohs(sack->num_dup_tsns); 5022 len = sizeof(struct sctp_sackhdr); 5023 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 5024 if (len > chunk->skb->len) 5025 return NULL; 5026 5027 skb_pull(chunk->skb, len); 5028 5029 return sack; 5030} 5031 5032/* Create an ABORT packet to be sent as a response, with the specified 5033 * error causes. 5034 */ 5035static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep, 5036 const struct sctp_association *asoc, 5037 struct sctp_chunk *chunk, 5038 const void *payload, 5039 size_t paylen) 5040{ 5041 struct sctp_packet *packet; 5042 struct sctp_chunk *abort; 5043 5044 packet = sctp_ootb_pkt_new(asoc, chunk); 5045 5046 if (packet) { 5047 /* Make an ABORT. 5048 * The T bit will be set if the asoc is NULL. 5049 */ 5050 abort = sctp_make_abort(asoc, chunk, paylen); 5051 if (!abort) { 5052 sctp_ootb_pkt_free(packet); 5053 return NULL; 5054 } 5055 5056 /* Reflect vtag if T-Bit is set */ 5057 if (sctp_test_T_bit(abort)) 5058 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 5059 5060 /* Add specified error causes, i.e., payload, to the 5061 * end of the chunk. 5062 */ 5063 sctp_addto_chunk(abort, paylen, payload); 5064 5065 /* Set the skb to the belonging sock for accounting. */ 5066 abort->skb->sk = ep->base.sk; 5067 5068 sctp_packet_append_chunk(packet, abort); 5069 5070 } 5071 5072 return packet; 5073} 5074 5075/* Allocate a packet for responding in the OOTB conditions. */ 5076static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc, 5077 const struct sctp_chunk *chunk) 5078{ 5079 struct sctp_packet *packet; 5080 struct sctp_transport *transport; 5081 __u16 sport; 5082 __u16 dport; 5083 __u32 vtag; 5084 5085 /* Get the source and destination port from the inbound packet. */ 5086 sport = ntohs(chunk->sctp_hdr->dest); 5087 dport = ntohs(chunk->sctp_hdr->source); 5088 5089 /* The V-tag is going to be the same as the inbound packet if no 5090 * association exists, otherwise, use the peer's vtag. 5091 */ 5092 if (asoc) { 5093 vtag = asoc->peer.i.init_tag; 5094 } else { 5095 /* Special case the INIT and stale COOKIE_ECHO as there is no 5096 * vtag yet. 5097 */ 5098 switch(chunk->chunk_hdr->type) { 5099 case SCTP_CID_INIT: 5100 { 5101 sctp_init_chunk_t *init; 5102 5103 init = (sctp_init_chunk_t *)chunk->chunk_hdr; 5104 vtag = ntohl(init->init_hdr.init_tag); 5105 break; 5106 } 5107 default: 5108 vtag = ntohl(chunk->sctp_hdr->vtag); 5109 break; 5110 } 5111 } 5112 5113 /* Make a transport for the bucket, Eliza... */ 5114 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC); 5115 if (!transport) 5116 goto nomem; 5117 5118 /* Cache a route for the transport with the chunk's destination as 5119 * the source address. 5120 */ 5121 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 5122 sctp_sk(sctp_get_ctl_sock())); 5123 5124 packet = sctp_packet_init(&transport->packet, transport, sport, dport); 5125 packet = sctp_packet_config(packet, vtag, 0); 5126 5127 return packet; 5128 5129nomem: 5130 return NULL; 5131} 5132 5133/* Free the packet allocated earlier for responding in the OOTB condition. */ 5134void sctp_ootb_pkt_free(struct sctp_packet *packet) 5135{ 5136 sctp_transport_free(packet->transport); 5137} 5138 5139/* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 5140static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep, 5141 const struct sctp_association *asoc, 5142 const struct sctp_chunk *chunk, 5143 sctp_cmd_seq_t *commands, 5144 struct sctp_chunk *err_chunk) 5145{ 5146 struct sctp_packet *packet; 5147 5148 if (err_chunk) { 5149 packet = sctp_ootb_pkt_new(asoc, chunk); 5150 if (packet) { 5151 struct sctp_signed_cookie *cookie; 5152 5153 /* Override the OOTB vtag from the cookie. */ 5154 cookie = chunk->subh.cookie_hdr; 5155 packet->vtag = cookie->c.peer_vtag; 5156 5157 /* Set the skb to the belonging sock for accounting. */ 5158 err_chunk->skb->sk = ep->base.sk; 5159 sctp_packet_append_chunk(packet, err_chunk); 5160 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 5161 SCTP_PACKET(packet)); 5162 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); 5163 } else 5164 sctp_chunk_free (err_chunk); 5165 } 5166} 5167 5168 5169/* Process a data chunk */ 5170static int sctp_eat_data(const struct sctp_association *asoc, 5171 struct sctp_chunk *chunk, 5172 sctp_cmd_seq_t *commands) 5173{ 5174 sctp_datahdr_t *data_hdr; 5175 struct sctp_chunk *err; 5176 size_t datalen; 5177 sctp_verb_t deliver; 5178 int tmp; 5179 __u32 tsn; 5180 int account_value; 5181 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 5182 struct sock *sk = asoc->base.sk; 5183 int rcvbuf_over = 0; 5184 5185 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; 5186 skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); 5187 5188 tsn = ntohl(data_hdr->tsn); 5189 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn); 5190 5191 /* ASSERT: Now skb->data is really the user data. */ 5192 5193 /* 5194 * If we are established, and we have used up our receive buffer 5195 * memory, think about droping the frame. 5196 * Note that we have an opportunity to improve performance here. 5197 * If we accept one chunk from an skbuff, we have to keep all the 5198 * memory of that skbuff around until the chunk is read into user 5199 * space. Therefore, once we accept 1 chunk we may as well accept all 5200 * remaining chunks in the skbuff. The data_accepted flag helps us do 5201 * that. 5202 */ 5203 if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) { 5204 /* 5205 * If the receive buffer policy is 1, then each 5206 * association can allocate up to sk_rcvbuf bytes 5207 * otherwise, all the associations in aggregate 5208 * may allocate up to sk_rcvbuf bytes 5209 */ 5210 if (asoc->ep->rcvbuf_policy) 5211 account_value = atomic_read(&asoc->rmem_alloc); 5212 else 5213 account_value = atomic_read(&sk->sk_rmem_alloc); 5214 if (account_value > sk->sk_rcvbuf) { 5215 /* 5216 * We need to make forward progress, even when we are 5217 * under memory pressure, so we always allow the 5218 * next tsn after the ctsn ack point to be accepted. 5219 * This lets us avoid deadlocks in which we have to 5220 * drop frames that would otherwise let us drain the 5221 * receive queue. 5222 */ 5223 if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn) 5224 return SCTP_IERROR_IGNORE_TSN; 5225 5226 /* 5227 * We're going to accept the frame but we should renege 5228 * to make space for it. This will send us down that 5229 * path later in this function. 5230 */ 5231 rcvbuf_over = 1; 5232 } 5233 } 5234 5235 /* Process ECN based congestion. 5236 * 5237 * Since the chunk structure is reused for all chunks within 5238 * a packet, we use ecn_ce_done to track if we've already 5239 * done CE processing for this packet. 5240 * 5241 * We need to do ECN processing even if we plan to discard the 5242 * chunk later. 5243 */ 5244 5245 if (!chunk->ecn_ce_done) { 5246 struct sctp_af *af; 5247 chunk->ecn_ce_done = 1; 5248 5249 af = sctp_get_af_specific( 5250 ipver2af(ip_hdr(chunk->skb)->version)); 5251 5252 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) { 5253 /* Do real work as sideffect. */ 5254 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 5255 SCTP_U32(tsn)); 5256 } 5257 } 5258 5259 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 5260 if (tmp < 0) { 5261 /* The TSN is too high--silently discard the chunk and 5262 * count on it getting retransmitted later. 5263 */ 5264 return SCTP_IERROR_HIGH_TSN; 5265 } else if (tmp > 0) { 5266 /* This is a duplicate. Record it. */ 5267 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 5268 return SCTP_IERROR_DUP_TSN; 5269 } 5270 5271 /* This is a new TSN. */ 5272 5273 /* Discard if there is no room in the receive window. 5274 * Actually, allow a little bit of overflow (up to a MTU). 5275 */ 5276 datalen = ntohs(chunk->chunk_hdr->length); 5277 datalen -= sizeof(sctp_data_chunk_t); 5278 5279 deliver = SCTP_CMD_CHUNK_ULP; 5280 5281 /* Think about partial delivery. */ 5282 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 5283 5284 /* Even if we don't accept this chunk there is 5285 * memory pressure. 5286 */ 5287 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 5288 } 5289 5290 /* Spill over rwnd a little bit. Note: While allowed, this spill over 5291 * seems a bit troublesome in that frag_point varies based on 5292 * PMTU. In cases, such as loopback, this might be a rather 5293 * large spill over. 5294 * NOTE: If we have a full receive buffer here, we only renege if 5295 * our receiver can still make progress without the tsn being 5296 * received. We do this because in the event that the associations 5297 * receive queue is empty we are filling a leading gap, and since 5298 * reneging moves the gap to the end of the tsn stream, we are likely 5299 * to stall again very shortly. Avoiding the renege when we fill a 5300 * leading gap is a good heuristic for avoiding such steady state 5301 * stalls. 5302 */ 5303 if (!asoc->rwnd || asoc->rwnd_over || 5304 (datalen > asoc->rwnd + asoc->frag_point) || 5305 (rcvbuf_over && (!skb_queue_len(&sk->sk_receive_queue)))) { 5306 5307 /* If this is the next TSN, consider reneging to make 5308 * room. Note: Playing nice with a confused sender. A 5309 * malicious sender can still eat up all our buffer 5310 * space and in the future we may want to detect and 5311 * do more drastic reneging. 5312 */ 5313 if (sctp_tsnmap_has_gap(map) && 5314 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 5315 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); 5316 deliver = SCTP_CMD_RENEGE; 5317 } else { 5318 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, " 5319 "rwnd: %d\n", tsn, datalen, 5320 asoc->rwnd); 5321 return SCTP_IERROR_IGNORE_TSN; 5322 } 5323 } 5324 5325 /* 5326 * Section 3.3.10.9 No User Data (9) 5327 * 5328 * Cause of error 5329 * --------------- 5330 * No User Data: This error cause is returned to the originator of a 5331 * DATA chunk if a received DATA chunk has no user data. 5332 */ 5333 if (unlikely(0 == datalen)) { 5334 err = sctp_make_abort_no_data(asoc, chunk, tsn); 5335 if (err) { 5336 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5337 SCTP_CHUNK(err)); 5338 } 5339 /* We are going to ABORT, so we might as well stop 5340 * processing the rest of the chunks in the packet. 5341 */ 5342 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL()); 5343 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5344 SCTP_ERROR(ECONNABORTED)); 5345 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5346 SCTP_PERR(SCTP_ERROR_NO_DATA)); 5347 SCTP_INC_STATS(SCTP_MIB_ABORTEDS); 5348 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); 5349 return SCTP_IERROR_NO_DATA; 5350 } 5351 5352 /* If definately accepting the DATA chunk, record its TSN, otherwise 5353 * wait for renege processing. 5354 */ 5355 if (SCTP_CMD_CHUNK_ULP == deliver) 5356 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 5357 5358 chunk->data_accepted = 1; 5359 5360 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5361 * if we renege and the chunk arrives again. 5362 */ 5363 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) 5364 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS); 5365 else 5366 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS); 5367 5368 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 5369 * 5370 * If an endpoint receive a DATA chunk with an invalid stream 5371 * identifier, it shall acknowledge the reception of the DATA chunk 5372 * following the normal procedure, immediately send an ERROR chunk 5373 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 5374 * and discard the DATA chunk. 5375 */ 5376 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5377 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5378 &data_hdr->stream, 5379 sizeof(data_hdr->stream)); 5380 if (err) 5381 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 5382 SCTP_CHUNK(err)); 5383 return SCTP_IERROR_BAD_STREAM; 5384 } 5385 5386 /* Send the data up to the user. Note: Schedule the 5387 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 5388 * chunk needs the updated rwnd. 5389 */ 5390 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 5391 5392 return SCTP_IERROR_NO_ERROR; 5393} 5394