projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SCTP: Clean up OOTB handling and fix infinite loop processing
[deliverable/linux.git] / net / sctp / sm_statefuns.c
1 /* SCTP kernel reference Implementation
2 * (C) Copyright IBM Corp. 2001, 2004
3 * Copyright (c) 1999-2000 Cisco, Inc.
4 * Copyright (c) 1999-2001 Motorola, Inc.
5 * Copyright (c) 2001-2002 Intel Corp.
6 * Copyright (c) 2002 Nokia Corp.
7 *
8 * This file is part of the SCTP kernel reference Implementation
9 *
10 * This is part of the SCTP Linux Kernel Reference Implementation.
11 *
12 * These are the state functions for the state machine.
13 *
14 * The SCTP reference implementation is free software;
15 * you can redistribute it and/or modify it under the terms of
16 * the GNU General Public License as published by
17 * the Free Software Foundation; either version 2, or (at your option)
18 * any later version.
19 *
20 * The SCTP reference implementation is distributed in the hope that it
21 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
22 * ************************
23 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
24 * See the GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with GNU CC; see the file COPYING. If not, write to
28 * the Free Software Foundation, 59 Temple Place - Suite 330,
29 * Boston, MA 02111-1307, USA.
30 *
31 * Please send any bug reports or fixes you make to the
32 * email address(es):
33 * lksctp developers <lksctp-developers@lists.sourceforge.net>
34 *
35 * Or submit a bug report through the following website:
36 * http://www.sf.net/projects/lksctp
37 *
38 * Written or modified by:
39 * La Monte H.P. Yarroll <piggy@acm.org>
40 * Karl Knutson <karl@athena.chicago.il.us>
41 * Mathew Kotowsky <kotowsky@sctp.org>
42 * Sridhar Samudrala <samudrala@us.ibm.com>
43 * Jon Grimm <jgrimm@us.ibm.com>
44 * Hui Huang <hui.huang@nokia.com>
45 * Dajiang Zhang <dajiang.zhang@nokia.com>
46 * Daisy Chang <daisyc@us.ibm.com>
47 * Ardelle Fan <ardelle.fan@intel.com>
48 * Ryan Layer <rmlayer@us.ibm.com>
49 * Kevin Gao <kevin.gao@intel.com>
50 *
51 * Any bugs reported given to us we will try to fix... any fixes shared will
52 * be incorporated into the next SCTP release.
53 */
54
55 #include <linux/types.h>
56 #include <linux/kernel.h>
57 #include <linux/ip.h>
58 #include <linux/ipv6.h>
59 #include <linux/net.h>
60 #include <linux/inet.h>
61 #include <net/sock.h>
62 #include <net/inet_ecn.h>
63 #include <linux/skbuff.h>
64 #include <net/sctp/sctp.h>
65 #include <net/sctp/sm.h>
66 #include <net/sctp/structs.h>
67
68 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
69 const struct sctp_association *asoc,
70 struct sctp_chunk *chunk,
71 const void *payload,
72 size_t paylen);
73 static int sctp_eat_data(const struct sctp_association *asoc,
74 struct sctp_chunk *chunk,
75 sctp_cmd_seq_t *commands);
76 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
77 const struct sctp_chunk *chunk);
78 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
79 const struct sctp_association *asoc,
80 const struct sctp_chunk *chunk,
81 sctp_cmd_seq_t *commands,
82 struct sctp_chunk *err_chunk);
83 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
84 const struct sctp_association *asoc,
85 const sctp_subtype_t type,
86 void *arg,
87 sctp_cmd_seq_t *commands);
88 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
89 const struct sctp_association *asoc,
90 const sctp_subtype_t type,
91 void *arg,
92 sctp_cmd_seq_t *commands);
93 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
94 const struct sctp_association *asoc,
95 const sctp_subtype_t type,
96 void *arg,
97 sctp_cmd_seq_t *commands);
98 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
99
100 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
101 __be16 error, int sk_err,
102 const struct sctp_association *asoc,
103 struct sctp_transport *transport);
104
105 static sctp_disposition_t sctp_sf_abort_violation(
106 const struct sctp_endpoint *ep,
107 const struct sctp_association *asoc,
108 void *arg,
109 sctp_cmd_seq_t *commands,
110 const __u8 *payload,
111 const size_t paylen);
112
113 static sctp_disposition_t sctp_sf_violation_chunklen(
114 const struct sctp_endpoint *ep,
115 const struct sctp_association *asoc,
116 const sctp_subtype_t type,
117 void *arg,
118 sctp_cmd_seq_t *commands);
119
120 static sctp_disposition_t sctp_sf_violation_ctsn(
121 const struct sctp_endpoint *ep,
122 const struct sctp_association *asoc,
123 const sctp_subtype_t type,
124 void *arg,
125 sctp_cmd_seq_t *commands);
126
127 static sctp_disposition_t sctp_sf_violation_chunk(
128 const struct sctp_endpoint *ep,
129 const struct sctp_association *asoc,
130 const sctp_subtype_t type,
131 void *arg,
132 sctp_cmd_seq_t *commands);
133
134 /* Small helper function that checks if the chunk length
135 * is of the appropriate length. The 'required_length' argument
136 * is set to be the size of a specific chunk we are testing.
137 * Return Values: 1 = Valid length
138 * 0 = Invalid length
139 *
140 */
141 static inline int
142 sctp_chunk_length_valid(struct sctp_chunk *chunk,
143 __u16 required_length)
144 {
145 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
146
147 if (unlikely(chunk_length < required_length))
148 return 0;
149
150 return 1;
151 }
152
153 /**********************************************************
154 * These are the state functions for handling chunk events.
155 **********************************************************/
156
157 /*
158 * Process the final SHUTDOWN COMPLETE.
159 *
160 * Section: 4 (C) (diagram), 9.2
161 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
162 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
163 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
164 * should stop the T2-shutdown timer and remove all knowledge of the
165 * association (and thus the association enters the CLOSED state).
166 *
167 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
168 * C) Rules for packet carrying SHUTDOWN COMPLETE:
169 * ...
170 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
171 * if the Verification Tag field of the packet matches its own tag and
172 * the T bit is not set
173 * OR
174 * it is set to its peer's tag and the T bit is set in the Chunk
175 * Flags.
176 * Otherwise, the receiver MUST silently discard the packet
177 * and take no further action. An endpoint MUST ignore the
178 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
179 *
180 * Inputs
181 * (endpoint, asoc, chunk)
182 *
183 * Outputs
184 * (asoc, reply_msg, msg_up, timers, counters)
185 *
186 * The return value is the disposition of the chunk.
187 */
188 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,
189 const struct sctp_association *asoc,
190 const sctp_subtype_t type,
191 void *arg,
192 sctp_cmd_seq_t *commands)
193 {
194 struct sctp_chunk *chunk = arg;
195 struct sctp_ulpevent *ev;
196
197 if (!sctp_vtag_verify_either(chunk, asoc))
198 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
199
200 /* RFC 2960 6.10 Bundling
201 *
202 * An endpoint MUST NOT bundle INIT, INIT ACK or
203 * SHUTDOWN COMPLETE with any other chunks.
204 */
205 if (!chunk->singleton)
206 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
207
208 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
209 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
210 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
211 commands);
212
213 /* RFC 2960 10.2 SCTP-to-ULP
214 *
215 * H) SHUTDOWN COMPLETE notification
216 *
217 * When SCTP completes the shutdown procedures (section 9.2) this
218 * notification is passed to the upper layer.
219 */
220 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
221 0, 0, 0, NULL, GFP_ATOMIC);
222 if (ev)
223 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
224 SCTP_ULPEVENT(ev));
225
226 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
227 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
228 * not the chunk should be discarded. If the endpoint is in
229 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
230 * T2-shutdown timer and remove all knowledge of the
231 * association (and thus the association enters the CLOSED
232 * state).
233 */
234 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
235 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
236
237 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
238 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
239
240 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
241 SCTP_STATE(SCTP_STATE_CLOSED));
242
243 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
244 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
245
246 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
247
248 return SCTP_DISPOSITION_DELETE_TCB;
249 }
250
251 /*
252 * Respond to a normal INIT chunk.
253 * We are the side that is being asked for an association.
254 *
255 * Section: 5.1 Normal Establishment of an Association, B
256 * B) "Z" shall respond immediately with an INIT ACK chunk. The
257 * destination IP address of the INIT ACK MUST be set to the source
258 * IP address of the INIT to which this INIT ACK is responding. In
259 * the response, besides filling in other parameters, "Z" must set the
260 * Verification Tag field to Tag_A, and also provide its own
261 * Verification Tag (Tag_Z) in the Initiate Tag field.
262 *
263 * Verification Tag: Must be 0.
264 *
265 * Inputs
266 * (endpoint, asoc, chunk)
267 *
268 * Outputs
269 * (asoc, reply_msg, msg_up, timers, counters)
270 *
271 * The return value is the disposition of the chunk.
272 */
273 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
274 const struct sctp_association *asoc,
275 const sctp_subtype_t type,
276 void *arg,
277 sctp_cmd_seq_t *commands)
278 {
279 struct sctp_chunk *chunk = arg;
280 struct sctp_chunk *repl;
281 struct sctp_association *new_asoc;
282 struct sctp_chunk *err_chunk;
283 struct sctp_packet *packet;
284 sctp_unrecognized_param_t *unk_param;
285 int len;
286
287 /* 6.10 Bundling
288 * An endpoint MUST NOT bundle INIT, INIT ACK or
289 * SHUTDOWN COMPLETE with any other chunks.
290 *
291 * IG Section 2.11.2
292 * Furthermore, we require that the receiver of an INIT chunk MUST
293 * enforce these rules by silently discarding an arriving packet
294 * with an INIT chunk that is bundled with other chunks.
295 */
296 if (!chunk->singleton)
297 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
298
299 /* If the packet is an OOTB packet which is temporarily on the
300 * control endpoint, respond with an ABORT.
301 */
302 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
303 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
304
305 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
306 * Tag.
307 */
308 if (chunk->sctp_hdr->vtag != 0)
309 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
310
311 /* Make sure that the INIT chunk has a valid length.
312 * Normally, this would cause an ABORT with a Protocol Violation
313 * error, but since we don't have an association, we'll
314 * just discard the packet.
315 */
316 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
317 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
318
319 /* Verify the INIT chunk before processing it. */
320 err_chunk = NULL;
321 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
322 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
323 &err_chunk)) {
324 /* This chunk contains fatal error. It is to be discarded.
325 * Send an ABORT, with causes if there is any.
326 */
327 if (err_chunk) {
328 packet = sctp_abort_pkt_new(ep, asoc, arg,
329 (__u8 *)(err_chunk->chunk_hdr) +
330 sizeof(sctp_chunkhdr_t),
331 ntohs(err_chunk->chunk_hdr->length) -
332 sizeof(sctp_chunkhdr_t));
333
334 sctp_chunk_free(err_chunk);
335
336 if (packet) {
337 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
338 SCTP_PACKET(packet));
339 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
340 return SCTP_DISPOSITION_CONSUME;
341 } else {
342 return SCTP_DISPOSITION_NOMEM;
343 }
344 } else {
345 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
346 commands);
347 }
348 }
349
350 /* Grab the INIT header. */
351 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
352
353 /* Tag the variable length parameters. */
354 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
355
356 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
357 if (!new_asoc)
358 goto nomem;
359
360 /* The call, sctp_process_init(), can fail on memory allocation. */
361 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
362 sctp_source(chunk),
363 (sctp_init_chunk_t *)chunk->chunk_hdr,
364 GFP_ATOMIC))
365 goto nomem_init;
366
367 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
368
369 /* If there are errors need to be reported for unknown parameters,
370 * make sure to reserve enough room in the INIT ACK for them.
371 */
372 len = 0;
373 if (err_chunk)
374 len = ntohs(err_chunk->chunk_hdr->length) -
375 sizeof(sctp_chunkhdr_t);
376
377 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0)
378 goto nomem_init;
379
380 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
381 if (!repl)
382 goto nomem_init;
383
384 /* If there are errors need to be reported for unknown parameters,
385 * include them in the outgoing INIT ACK as "Unrecognized parameter"
386 * parameter.
387 */
388 if (err_chunk) {
389 /* Get the "Unrecognized parameter" parameter(s) out of the
390 * ERROR chunk generated by sctp_verify_init(). Since the
391 * error cause code for "unknown parameter" and the
392 * "Unrecognized parameter" type is the same, we can
393 * construct the parameters in INIT ACK by copying the
394 * ERROR causes over.
395 */
396 unk_param = (sctp_unrecognized_param_t *)
397 ((__u8 *)(err_chunk->chunk_hdr) +
398 sizeof(sctp_chunkhdr_t));
399 /* Replace the cause code with the "Unrecognized parameter"
400 * parameter type.
401 */
402 sctp_addto_chunk(repl, len, unk_param);
403 sctp_chunk_free(err_chunk);
404 }
405
406 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
407
408 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
409
410 /*
411 * Note: After sending out INIT ACK with the State Cookie parameter,
412 * "Z" MUST NOT allocate any resources, nor keep any states for the
413 * new association. Otherwise, "Z" will be vulnerable to resource
414 * attacks.
415 */
416 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
417
418 return SCTP_DISPOSITION_DELETE_TCB;
419
420 nomem_init:
421 sctp_association_free(new_asoc);
422 nomem:
423 if (err_chunk)
424 sctp_chunk_free(err_chunk);
425 return SCTP_DISPOSITION_NOMEM;
426 }
427
428 /*
429 * Respond to a normal INIT ACK chunk.
430 * We are the side that is initiating the association.
431 *
432 * Section: 5.1 Normal Establishment of an Association, C
433 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
434 * timer and leave COOKIE-WAIT state. "A" shall then send the State
435 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
436 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
437 *
438 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
439 * DATA chunks, but it MUST be the first chunk in the packet and
440 * until the COOKIE ACK is returned the sender MUST NOT send any
441 * other packets to the peer.
442 *
443 * Verification Tag: 3.3.3
444 * If the value of the Initiate Tag in a received INIT ACK chunk is
445 * found to be 0, the receiver MUST treat it as an error and close the
446 * association by transmitting an ABORT.
447 *
448 * Inputs
449 * (endpoint, asoc, chunk)
450 *
451 * Outputs
452 * (asoc, reply_msg, msg_up, timers, counters)
453 *
454 * The return value is the disposition of the chunk.
455 */
456 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
457 const struct sctp_association *asoc,
458 const sctp_subtype_t type,
459 void *arg,
460 sctp_cmd_seq_t *commands)
461 {
462 struct sctp_chunk *chunk = arg;
463 sctp_init_chunk_t *initchunk;
464 struct sctp_chunk *err_chunk;
465 struct sctp_packet *packet;
466 sctp_error_t error;
467
468 if (!sctp_vtag_verify(chunk, asoc))
469 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
470
471 /* 6.10 Bundling
472 * An endpoint MUST NOT bundle INIT, INIT ACK or
473 * SHUTDOWN COMPLETE with any other chunks.
474 */
475 if (!chunk->singleton)
476 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
477
478 /* Make sure that the INIT-ACK chunk has a valid length */
479 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
480 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
481 commands);
482 /* Grab the INIT header. */
483 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
484
485 /* Verify the INIT chunk before processing it. */
486 err_chunk = NULL;
487 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
488 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
489 &err_chunk)) {
490
491 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
492
493 /* This chunk contains fatal error. It is to be discarded.
494 * Send an ABORT, with causes if there is any.
495 */
496 if (err_chunk) {
497 packet = sctp_abort_pkt_new(ep, asoc, arg,
498 (__u8 *)(err_chunk->chunk_hdr) +
499 sizeof(sctp_chunkhdr_t),
500 ntohs(err_chunk->chunk_hdr->length) -
501 sizeof(sctp_chunkhdr_t));
502
503 sctp_chunk_free(err_chunk);
504
505 if (packet) {
506 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
507 SCTP_PACKET(packet));
508 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
509 error = SCTP_ERROR_INV_PARAM;
510 } else {
511 error = SCTP_ERROR_NO_RESOURCE;
512 }
513 } else {
514 sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
515 error = SCTP_ERROR_INV_PARAM;
516 }
517 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED,
518 asoc, chunk->transport);
519 }
520
521 /* Tag the variable length parameters. Note that we never
522 * convert the parameters in an INIT chunk.
523 */
524 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
525
526 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
527
528 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
529 SCTP_PEER_INIT(initchunk));
530
531 /* Reset init error count upon receipt of INIT-ACK. */
532 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
533
534 /* 5.1 C) "A" shall stop the T1-init timer and leave
535 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
536 * timer, and enter the COOKIE-ECHOED state.
537 */
538 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
539 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
540 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
541 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
542 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
543 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
544
545 /* 5.1 C) "A" shall then send the State Cookie received in the
546 * INIT ACK chunk in a COOKIE ECHO chunk, ...
547 */
548 /* If there is any errors to report, send the ERROR chunk generated
549 * for unknown parameters as well.
550 */
551 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
552 SCTP_CHUNK(err_chunk));
553
554 return SCTP_DISPOSITION_CONSUME;
555 }
556
557 /*
558 * Respond to a normal COOKIE ECHO chunk.
559 * We are the side that is being asked for an association.
560 *
561 * Section: 5.1 Normal Establishment of an Association, D
562 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
563 * with a COOKIE ACK chunk after building a TCB and moving to
564 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
565 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
566 * chunk MUST be the first chunk in the packet.
567 *
568 * IMPLEMENTATION NOTE: An implementation may choose to send the
569 * Communication Up notification to the SCTP user upon reception
570 * of a valid COOKIE ECHO chunk.
571 *
572 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
573 * D) Rules for packet carrying a COOKIE ECHO
574 *
575 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
576 * Initial Tag received in the INIT ACK.
577 *
578 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
579 *
580 * Inputs
581 * (endpoint, asoc, chunk)
582 *
583 * Outputs
584 * (asoc, reply_msg, msg_up, timers, counters)
585 *
586 * The return value is the disposition of the chunk.
587 */
588 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
589 const struct sctp_association *asoc,
590 const sctp_subtype_t type, void *arg,
591 sctp_cmd_seq_t *commands)
592 {
593 struct sctp_chunk *chunk = arg;
594 struct sctp_association *new_asoc;
595 sctp_init_chunk_t *peer_init;
596 struct sctp_chunk *repl;
597 struct sctp_ulpevent *ev, *ai_ev = NULL;
598 int error = 0;
599 struct sctp_chunk *err_chk_p;
600 struct sock *sk;
601
602 /* If the packet is an OOTB packet which is temporarily on the
603 * control endpoint, respond with an ABORT.
604 */
605 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
606 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
607
608 /* Make sure that the COOKIE_ECHO chunk has a valid length.
609 * In this case, we check that we have enough for at least a
610 * chunk header. More detailed verification is done
611 * in sctp_unpack_cookie().
612 */
613 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
614 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
615
616 /* If the endpoint is not listening or if the number of associations
617 * on the TCP-style socket exceed the max backlog, respond with an
618 * ABORT.
619 */
620 sk = ep->base.sk;
621 if (!sctp_sstate(sk, LISTENING) ||
622 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
623 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
624
625 /* "Decode" the chunk. We have no optional parameters so we
626 * are in good shape.
627 */
628 chunk->subh.cookie_hdr =
629 (struct sctp_signed_cookie *)chunk->skb->data;
630 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
631 sizeof(sctp_chunkhdr_t)))
632 goto nomem;
633
634 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
635 * "Z" will reply with a COOKIE ACK chunk after building a TCB
636 * and moving to the ESTABLISHED state.
637 */
638 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
639 &err_chk_p);
640
641 /* FIXME:
642 * If the re-build failed, what is the proper error path
643 * from here?
644 *
645 * [We should abort the association. --piggy]
646 */
647 if (!new_asoc) {
648 /* FIXME: Several errors are possible. A bad cookie should
649 * be silently discarded, but think about logging it too.
650 */
651 switch (error) {
652 case -SCTP_IERROR_NOMEM:
653 goto nomem;
654
655 case -SCTP_IERROR_STALE_COOKIE:
656 sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
657 err_chk_p);
658 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
659
660 case -SCTP_IERROR_BAD_SIG:
661 default:
662 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
663 }
664 }
665
666
667 /* Delay state machine commands until later.
668 *
669 * Re-build the bind address for the association is done in
670 * the sctp_unpack_cookie() already.
671 */
672 /* This is a brand-new association, so these are not yet side
673 * effects--it is safe to run them here.
674 */
675 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
676
677 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
678 &chunk->subh.cookie_hdr->c.peer_addr,
679 peer_init, GFP_ATOMIC))
680 goto nomem_init;
681
682 repl = sctp_make_cookie_ack(new_asoc, chunk);
683 if (!repl)
684 goto nomem_init;
685
686 /* RFC 2960 5.1 Normal Establishment of an Association
687 *
688 * D) IMPLEMENTATION NOTE: An implementation may choose to
689 * send the Communication Up notification to the SCTP user
690 * upon reception of a valid COOKIE ECHO chunk.
691 */
692 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
693 new_asoc->c.sinit_num_ostreams,
694 new_asoc->c.sinit_max_instreams,
695 NULL, GFP_ATOMIC);
696 if (!ev)
697 goto nomem_ev;
698
699 /* Sockets API Draft Section 5.3.1.6
700 * When a peer sends a Adaptation Layer Indication parameter , SCTP
701 * delivers this notification to inform the application that of the
702 * peers requested adaptation layer.
703 */
704 if (new_asoc->peer.adaptation_ind) {
705 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
706 GFP_ATOMIC);
707 if (!ai_ev)
708 goto nomem_aiev;
709 }
710
711 /* Add all the state machine commands now since we've created
712 * everything. This way we don't introduce memory corruptions
713 * during side-effect processing and correclty count established
714 * associations.
715 */
716 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
717 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
718 SCTP_STATE(SCTP_STATE_ESTABLISHED));
719 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
720 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS);
721 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
722
723 if (new_asoc->autoclose)
724 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
725 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
726
727 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL());
728
729 /* This will send the COOKIE ACK */
730 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
731
732 /* Queue the ASSOC_CHANGE event */
733 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
734
735 /* Send up the Adaptation Layer Indication event */
736 if (ai_ev)
737 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
738 SCTP_ULPEVENT(ai_ev));
739
740 return SCTP_DISPOSITION_CONSUME;
741
742 nomem_aiev:
743 sctp_ulpevent_free(ev);
744 nomem_ev:
745 sctp_chunk_free(repl);
746 nomem_init:
747 sctp_association_free(new_asoc);
748 nomem:
749 return SCTP_DISPOSITION_NOMEM;
750 }
751
752 /*
753 * Respond to a normal COOKIE ACK chunk.
754 * We are the side that is being asked for an association.
755 *
756 * RFC 2960 5.1 Normal Establishment of an Association
757 *
758 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
759 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
760 * timer. It may also notify its ULP about the successful
761 * establishment of the association with a Communication Up
762 * notification (see Section 10).
763 *
764 * Verification Tag:
765 * Inputs
766 * (endpoint, asoc, chunk)
767 *
768 * Outputs
769 * (asoc, reply_msg, msg_up, timers, counters)
770 *
771 * The return value is the disposition of the chunk.
772 */
773 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,
774 const struct sctp_association *asoc,
775 const sctp_subtype_t type, void *arg,
776 sctp_cmd_seq_t *commands)
777 {
778 struct sctp_chunk *chunk = arg;
779 struct sctp_ulpevent *ev;
780
781 if (!sctp_vtag_verify(chunk, asoc))
782 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
783
784 /* Verify that the chunk length for the COOKIE-ACK is OK.
785 * If we don't do this, any bundled chunks may be junked.
786 */
787 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
788 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
789 commands);
790
791 /* Reset init error count upon receipt of COOKIE-ACK,
792 * to avoid problems with the managemement of this
793 * counter in stale cookie situations when a transition back
794 * from the COOKIE-ECHOED state to the COOKIE-WAIT
795 * state is performed.
796 */
797 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
798
799 /* RFC 2960 5.1 Normal Establishment of an Association
800 *
801 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
802 * from the COOKIE-ECHOED state to the ESTABLISHED state,
803 * stopping the T1-cookie timer.
804 */
805 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
806 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
807 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
808 SCTP_STATE(SCTP_STATE_ESTABLISHED));
809 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
810 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS);
811 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
812 if (asoc->autoclose)
813 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
814 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
815 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL());
816
817 /* It may also notify its ULP about the successful
818 * establishment of the association with a Communication Up
819 * notification (see Section 10).
820 */
821 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
822 0, asoc->c.sinit_num_ostreams,
823 asoc->c.sinit_max_instreams,
824 NULL, GFP_ATOMIC);
825
826 if (!ev)
827 goto nomem;
828
829 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
830
831 /* Sockets API Draft Section 5.3.1.6
832 * When a peer sends a Adaptation Layer Indication parameter , SCTP
833 * delivers this notification to inform the application that of the
834 * peers requested adaptation layer.
835 */
836 if (asoc->peer.adaptation_ind) {
837 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
838 if (!ev)
839 goto nomem;
840
841 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
842 SCTP_ULPEVENT(ev));
843 }
844
845 return SCTP_DISPOSITION_CONSUME;
846 nomem:
847 return SCTP_DISPOSITION_NOMEM;
848 }
849
850 /* Generate and sendout a heartbeat packet. */
851 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
852 const struct sctp_association *asoc,
853 const sctp_subtype_t type,
854 void *arg,
855 sctp_cmd_seq_t *commands)
856 {
857 struct sctp_transport *transport = (struct sctp_transport *) arg;
858 struct sctp_chunk *reply;
859 sctp_sender_hb_info_t hbinfo;
860 size_t paylen = 0;
861
862 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
863 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
864 hbinfo.daddr = transport->ipaddr;
865 hbinfo.sent_at = jiffies;
866 hbinfo.hb_nonce = transport->hb_nonce;
867
868 /* Send a heartbeat to our peer. */
869 paylen = sizeof(sctp_sender_hb_info_t);
870 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen);
871 if (!reply)
872 return SCTP_DISPOSITION_NOMEM;
873
874 /* Set rto_pending indicating that an RTT measurement
875 * is started with this heartbeat chunk.
876 */
877 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
878 SCTP_TRANSPORT(transport));
879
880 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
881 return SCTP_DISPOSITION_CONSUME;
882 }
883
884 /* Generate a HEARTBEAT packet on the given transport. */
885 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep,
886 const struct sctp_association *asoc,
887 const sctp_subtype_t type,
888 void *arg,
889 sctp_cmd_seq_t *commands)
890 {
891 struct sctp_transport *transport = (struct sctp_transport *) arg;
892
893 if (asoc->overall_error_count >= asoc->max_retrans) {
894 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
895 SCTP_ERROR(ETIMEDOUT));
896 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
897 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
898 SCTP_PERR(SCTP_ERROR_NO_ERROR));
899 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
900 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
901 return SCTP_DISPOSITION_DELETE_TCB;
902 }
903
904 /* Section 3.3.5.
905 * The Sender-specific Heartbeat Info field should normally include
906 * information about the sender's current time when this HEARTBEAT
907 * chunk is sent and the destination transport address to which this
908 * HEARTBEAT is sent (see Section 8.3).
909 */
910
911 if (transport->param_flags & SPP_HB_ENABLE) {
912 if (SCTP_DISPOSITION_NOMEM ==
913 sctp_sf_heartbeat(ep, asoc, type, arg,
914 commands))
915 return SCTP_DISPOSITION_NOMEM;
916 /* Set transport error counter and association error counter
917 * when sending heartbeat.
918 */
919 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET,
920 SCTP_TRANSPORT(transport));
921 }
922 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
923 SCTP_TRANSPORT(transport));
924
925 return SCTP_DISPOSITION_CONSUME;
926 }
927
928 /*
929 * Process an heartbeat request.
930 *
931 * Section: 8.3 Path Heartbeat
932 * The receiver of the HEARTBEAT should immediately respond with a
933 * HEARTBEAT ACK that contains the Heartbeat Information field copied
934 * from the received HEARTBEAT chunk.
935 *
936 * Verification Tag: 8.5 Verification Tag [Normal verification]
937 * When receiving an SCTP packet, the endpoint MUST ensure that the
938 * value in the Verification Tag field of the received SCTP packet
939 * matches its own Tag. If the received Verification Tag value does not
940 * match the receiver's own tag value, the receiver shall silently
941 * discard the packet and shall not process it any further except for
942 * those cases listed in Section 8.5.1 below.
943 *
944 * Inputs
945 * (endpoint, asoc, chunk)
946 *
947 * Outputs
948 * (asoc, reply_msg, msg_up, timers, counters)
949 *
950 * The return value is the disposition of the chunk.
951 */
952 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
953 const struct sctp_association *asoc,
954 const sctp_subtype_t type,
955 void *arg,
956 sctp_cmd_seq_t *commands)
957 {
958 struct sctp_chunk *chunk = arg;
959 struct sctp_chunk *reply;
960 size_t paylen = 0;
961
962 if (!sctp_vtag_verify(chunk, asoc))
963 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
964
965 /* Make sure that the HEARTBEAT chunk has a valid length. */
966 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
967 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
968 commands);
969
970 /* 8.3 The receiver of the HEARTBEAT should immediately
971 * respond with a HEARTBEAT ACK that contains the Heartbeat
972 * Information field copied from the received HEARTBEAT chunk.
973 */
974 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
975 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
976 if (!pskb_pull(chunk->skb, paylen))
977 goto nomem;
978
979 reply = sctp_make_heartbeat_ack(asoc, chunk,
980 chunk->subh.hb_hdr, paylen);
981 if (!reply)
982 goto nomem;
983
984 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
985 return SCTP_DISPOSITION_CONSUME;
986
987 nomem:
988 return SCTP_DISPOSITION_NOMEM;
989 }
990
991 /*
992 * Process the returning HEARTBEAT ACK.
993 *
994 * Section: 8.3 Path Heartbeat
995 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
996 * should clear the error counter of the destination transport
997 * address to which the HEARTBEAT was sent, and mark the destination
998 * transport address as active if it is not so marked. The endpoint may
999 * optionally report to the upper layer when an inactive destination
1000 * address is marked as active due to the reception of the latest
1001 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1002 * clear the association overall error count as well (as defined
1003 * in section 8.1).
1004 *
1005 * The receiver of the HEARTBEAT ACK should also perform an RTT
1006 * measurement for that destination transport address using the time
1007 * value carried in the HEARTBEAT ACK chunk.
1008 *
1009 * Verification Tag: 8.5 Verification Tag [Normal verification]
1010 *
1011 * Inputs
1012 * (endpoint, asoc, chunk)
1013 *
1014 * Outputs
1015 * (asoc, reply_msg, msg_up, timers, counters)
1016 *
1017 * The return value is the disposition of the chunk.
1018 */
1019 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
1020 const struct sctp_association *asoc,
1021 const sctp_subtype_t type,
1022 void *arg,
1023 sctp_cmd_seq_t *commands)
1024 {
1025 struct sctp_chunk *chunk = arg;
1026 union sctp_addr from_addr;
1027 struct sctp_transport *link;
1028 sctp_sender_hb_info_t *hbinfo;
1029 unsigned long max_interval;
1030
1031 if (!sctp_vtag_verify(chunk, asoc))
1032 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1033
1034 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1035 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1036 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1037 commands);
1038
1039 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1040 /* Make sure that the length of the parameter is what we expect */
1041 if (ntohs(hbinfo->param_hdr.length) !=
1042 sizeof(sctp_sender_hb_info_t)) {
1043 return SCTP_DISPOSITION_DISCARD;
1044 }
1045
1046 from_addr = hbinfo->daddr;
1047 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1048
1049 /* This should never happen, but lets log it if so. */
1050 if (unlikely(!link)) {
1051 if (from_addr.sa.sa_family == AF_INET6) {
1052 if (net_ratelimit())
1053 printk(KERN_WARNING
1054 "%s association %p could not find address "
1055 NIP6_FMT "\n",
1056 __FUNCTION__,
1057 asoc,
1058 NIP6(from_addr.v6.sin6_addr));
1059 } else {
1060 if (net_ratelimit())
1061 printk(KERN_WARNING
1062 "%s association %p could not find address "
1063 NIPQUAD_FMT "\n",
1064 __FUNCTION__,
1065 asoc,
1066 NIPQUAD(from_addr.v4.sin_addr.s_addr));
1067 }
1068 return SCTP_DISPOSITION_DISCARD;
1069 }
1070
1071 /* Validate the 64-bit random nonce. */
1072 if (hbinfo->hb_nonce != link->hb_nonce)
1073 return SCTP_DISPOSITION_DISCARD;
1074
1075 max_interval = link->hbinterval + link->rto;
1076
1077 /* Check if the timestamp looks valid. */
1078 if (time_after(hbinfo->sent_at, jiffies) ||
1079 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1080 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp"
1081 "received for transport: %p\n",
1082 __FUNCTION__, link);
1083 return SCTP_DISPOSITION_DISCARD;
1084 }
1085
1086 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1087 * the HEARTBEAT should clear the error counter of the
1088 * destination transport address to which the HEARTBEAT was
1089 * sent and mark the destination transport address as active if
1090 * it is not so marked.
1091 */
1092 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1093
1094 return SCTP_DISPOSITION_CONSUME;
1095 }
1096
1097 /* Helper function to send out an abort for the restart
1098 * condition.
1099 */
1100 static int sctp_sf_send_restart_abort(union sctp_addr *ssa,
1101 struct sctp_chunk *init,
1102 sctp_cmd_seq_t *commands)
1103 {
1104 int len;
1105 struct sctp_packet *pkt;
1106 union sctp_addr_param *addrparm;
1107 struct sctp_errhdr *errhdr;
1108 struct sctp_endpoint *ep;
1109 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1110 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1111
1112 /* Build the error on the stack. We are way to malloc crazy
1113 * throughout the code today.
1114 */
1115 errhdr = (struct sctp_errhdr *)buffer;
1116 addrparm = (union sctp_addr_param *)errhdr->variable;
1117
1118 /* Copy into a parm format. */
1119 len = af->to_addr_param(ssa, addrparm);
1120 len += sizeof(sctp_errhdr_t);
1121
1122 errhdr->cause = SCTP_ERROR_RESTART;
1123 errhdr->length = htons(len);
1124
1125 /* Assign to the control socket. */
1126 ep = sctp_sk((sctp_get_ctl_sock()))->ep;
1127
1128 /* Association is NULL since this may be a restart attack and we
1129 * want to send back the attacker's vtag.
1130 */
1131 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len);
1132
1133 if (!pkt)
1134 goto out;
1135 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1136
1137 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1138
1139 /* Discard the rest of the inbound packet. */
1140 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1141
1142 out:
1143 /* Even if there is no memory, treat as a failure so
1144 * the packet will get dropped.
1145 */
1146 return 0;
1147 }
1148
1149 /* A restart is occurring, check to make sure no new addresses
1150 * are being added as we may be under a takeover attack.
1151 */
1152 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1153 const struct sctp_association *asoc,
1154 struct sctp_chunk *init,
1155 sctp_cmd_seq_t *commands)
1156 {
1157 struct sctp_transport *new_addr, *addr;
1158 struct list_head *pos, *pos2;
1159 int found;
1160
1161 /* Implementor's Guide - Sectin 5.2.2
1162 * ...
1163 * Before responding the endpoint MUST check to see if the
1164 * unexpected INIT adds new addresses to the association. If new
1165 * addresses are added to the association, the endpoint MUST respond
1166 * with an ABORT..
1167 */
1168
1169 /* Search through all current addresses and make sure
1170 * we aren't adding any new ones.
1171 */
1172 new_addr = NULL;
1173 found = 0;
1174
1175 list_for_each(pos, &new_asoc->peer.transport_addr_list) {
1176 new_addr = list_entry(pos, struct sctp_transport, transports);
1177 found = 0;
1178 list_for_each(pos2, &asoc->peer.transport_addr_list) {
1179 addr = list_entry(pos2, struct sctp_transport,
1180 transports);
1181 if (sctp_cmp_addr_exact(&new_addr->ipaddr,
1182 &addr->ipaddr)) {
1183 found = 1;
1184 break;
1185 }
1186 }
1187 if (!found)
1188 break;
1189 }
1190
1191 /* If a new address was added, ABORT the sender. */
1192 if (!found && new_addr) {
1193 sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands);
1194 }
1195
1196 /* Return success if all addresses were found. */
1197 return found;
1198 }
1199
1200 /* Populate the verification/tie tags based on overlapping INIT
1201 * scenario.
1202 *
1203 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1204 */
1205 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1206 const struct sctp_association *asoc)
1207 {
1208 switch (asoc->state) {
1209
1210 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1211
1212 case SCTP_STATE_COOKIE_WAIT:
1213 new_asoc->c.my_vtag = asoc->c.my_vtag;
1214 new_asoc->c.my_ttag = asoc->c.my_vtag;
1215 new_asoc->c.peer_ttag = 0;
1216 break;
1217
1218 case SCTP_STATE_COOKIE_ECHOED:
1219 new_asoc->c.my_vtag = asoc->c.my_vtag;
1220 new_asoc->c.my_ttag = asoc->c.my_vtag;
1221 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1222 break;
1223
1224 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1225 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1226 */
1227 default:
1228 new_asoc->c.my_ttag = asoc->c.my_vtag;
1229 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1230 break;
1231 }
1232
1233 /* Other parameters for the endpoint SHOULD be copied from the
1234 * existing parameters of the association (e.g. number of
1235 * outbound streams) into the INIT ACK and cookie.
1236 */
1237 new_asoc->rwnd = asoc->rwnd;
1238 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1239 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1240 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1241 }
1242
1243 /*
1244 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1245 * handling action.
1246 *
1247 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1248 *
1249 * Returns value representing action to be taken. These action values
1250 * correspond to Action/Description values in RFC 2960, Table 2.
1251 */
1252 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1253 const struct sctp_association *asoc)
1254 {
1255 /* In this case, the peer may have restarted. */
1256 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1257 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1258 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1259 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1260 return 'A';
1261
1262 /* Collision case B. */
1263 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1264 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1265 (0 == asoc->c.peer_vtag))) {
1266 return 'B';
1267 }
1268
1269 /* Collision case D. */
1270 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1271 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1272 return 'D';
1273
1274 /* Collision case C. */
1275 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1276 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1277 (0 == new_asoc->c.my_ttag) &&
1278 (0 == new_asoc->c.peer_ttag))
1279 return 'C';
1280
1281 /* No match to any of the special cases; discard this packet. */
1282 return 'E';
1283 }
1284
1285 /* Common helper routine for both duplicate and simulataneous INIT
1286 * chunk handling.
1287 */
1288 static sctp_disposition_t sctp_sf_do_unexpected_init(
1289 const struct sctp_endpoint *ep,
1290 const struct sctp_association *asoc,
1291 const sctp_subtype_t type,
1292 void *arg, sctp_cmd_seq_t *commands)
1293 {
1294 sctp_disposition_t retval;
1295 struct sctp_chunk *chunk = arg;
1296 struct sctp_chunk *repl;
1297 struct sctp_association *new_asoc;
1298 struct sctp_chunk *err_chunk;
1299 struct sctp_packet *packet;
1300 sctp_unrecognized_param_t *unk_param;
1301 int len;
1302
1303 /* 6.10 Bundling
1304 * An endpoint MUST NOT bundle INIT, INIT ACK or
1305 * SHUTDOWN COMPLETE with any other chunks.
1306 *
1307 * IG Section 2.11.2
1308 * Furthermore, we require that the receiver of an INIT chunk MUST
1309 * enforce these rules by silently discarding an arriving packet
1310 * with an INIT chunk that is bundled with other chunks.
1311 */
1312 if (!chunk->singleton)
1313 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1314
1315 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1316 * Tag.
1317 */
1318 if (chunk->sctp_hdr->vtag != 0)
1319 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
1320
1321 /* Make sure that the INIT chunk has a valid length.
1322 * In this case, we generate a protocol violation since we have
1323 * an association established.
1324 */
1325 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1326 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1327 commands);
1328 /* Grab the INIT header. */
1329 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1330
1331 /* Tag the variable length parameters. */
1332 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1333
1334 /* Verify the INIT chunk before processing it. */
1335 err_chunk = NULL;
1336 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
1337 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1338 &err_chunk)) {
1339 /* This chunk contains fatal error. It is to be discarded.
1340 * Send an ABORT, with causes if there is any.
1341 */
1342 if (err_chunk) {
1343 packet = sctp_abort_pkt_new(ep, asoc, arg,
1344 (__u8 *)(err_chunk->chunk_hdr) +
1345 sizeof(sctp_chunkhdr_t),
1346 ntohs(err_chunk->chunk_hdr->length) -
1347 sizeof(sctp_chunkhdr_t));
1348
1349 if (packet) {
1350 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1351 SCTP_PACKET(packet));
1352 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1353 retval = SCTP_DISPOSITION_CONSUME;
1354 } else {
1355 retval = SCTP_DISPOSITION_NOMEM;
1356 }
1357 goto cleanup;
1358 } else {
1359 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
1360 commands);
1361 }
1362 }
1363
1364 /*
1365 * Other parameters for the endpoint SHOULD be copied from the
1366 * existing parameters of the association (e.g. number of
1367 * outbound streams) into the INIT ACK and cookie.
1368 * FIXME: We are copying parameters from the endpoint not the
1369 * association.
1370 */
1371 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1372 if (!new_asoc)
1373 goto nomem;
1374
1375 /* In the outbound INIT ACK the endpoint MUST copy its current
1376 * Verification Tag and Peers Verification tag into a reserved
1377 * place (local tie-tag and per tie-tag) within the state cookie.
1378 */
1379 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1380 sctp_source(chunk),
1381 (sctp_init_chunk_t *)chunk->chunk_hdr,
1382 GFP_ATOMIC))
1383 goto nomem;
1384
1385 /* Make sure no new addresses are being added during the
1386 * restart. Do not do this check for COOKIE-WAIT state,
1387 * since there are no peer addresses to check against.
1388 * Upon return an ABORT will have been sent if needed.
1389 */
1390 if (!sctp_state(asoc, COOKIE_WAIT)) {
1391 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1392 commands)) {
1393 retval = SCTP_DISPOSITION_CONSUME;
1394 goto nomem_retval;
1395 }
1396 }
1397
1398 sctp_tietags_populate(new_asoc, asoc);
1399
1400 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1401
1402 /* If there are errors need to be reported for unknown parameters,
1403 * make sure to reserve enough room in the INIT ACK for them.
1404 */
1405 len = 0;
1406 if (err_chunk) {
1407 len = ntohs(err_chunk->chunk_hdr->length) -
1408 sizeof(sctp_chunkhdr_t);
1409 }
1410
1411 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0)
1412 goto nomem;
1413
1414 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1415 if (!repl)
1416 goto nomem;
1417
1418 /* If there are errors need to be reported for unknown parameters,
1419 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1420 * parameter.
1421 */
1422 if (err_chunk) {
1423 /* Get the "Unrecognized parameter" parameter(s) out of the
1424 * ERROR chunk generated by sctp_verify_init(). Since the
1425 * error cause code for "unknown parameter" and the
1426 * "Unrecognized parameter" type is the same, we can
1427 * construct the parameters in INIT ACK by copying the
1428 * ERROR causes over.
1429 */
1430 unk_param = (sctp_unrecognized_param_t *)
1431 ((__u8 *)(err_chunk->chunk_hdr) +
1432 sizeof(sctp_chunkhdr_t));
1433 /* Replace the cause code with the "Unrecognized parameter"
1434 * parameter type.
1435 */
1436 sctp_addto_chunk(repl, len, unk_param);
1437 }
1438
1439 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1440 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1441
1442 /*
1443 * Note: After sending out INIT ACK with the State Cookie parameter,
1444 * "Z" MUST NOT allocate any resources for this new association.
1445 * Otherwise, "Z" will be vulnerable to resource attacks.
1446 */
1447 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1448 retval = SCTP_DISPOSITION_CONSUME;
1449
1450 return retval;
1451
1452 nomem:
1453 retval = SCTP_DISPOSITION_NOMEM;
1454 nomem_retval:
1455 if (new_asoc)
1456 sctp_association_free(new_asoc);
1457 cleanup:
1458 if (err_chunk)
1459 sctp_chunk_free(err_chunk);
1460 return retval;
1461 }
1462
1463 /*
1464 * Handle simultanous INIT.
1465 * This means we started an INIT and then we got an INIT request from
1466 * our peer.
1467 *
1468 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1469 * This usually indicates an initialization collision, i.e., each
1470 * endpoint is attempting, at about the same time, to establish an
1471 * association with the other endpoint.
1472 *
1473 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1474 * endpoint MUST respond with an INIT ACK using the same parameters it
1475 * sent in its original INIT chunk (including its Verification Tag,
1476 * unchanged). These original parameters are combined with those from the
1477 * newly received INIT chunk. The endpoint shall also generate a State
1478 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1479 * INIT to calculate the State Cookie.
1480 *
1481 * After that, the endpoint MUST NOT change its state, the T1-init
1482 * timer shall be left running and the corresponding TCB MUST NOT be
1483 * destroyed. The normal procedures for handling State Cookies when
1484 * a TCB exists will resolve the duplicate INITs to a single association.
1485 *
1486 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1487 * its Tie-Tags with the Tag information of itself and its peer (see
1488 * section 5.2.2 for a description of the Tie-Tags).
1489 *
1490 * Verification Tag: Not explicit, but an INIT can not have a valid
1491 * verification tag, so we skip the check.
1492 *
1493 * Inputs
1494 * (endpoint, asoc, chunk)
1495 *
1496 * Outputs
1497 * (asoc, reply_msg, msg_up, timers, counters)
1498 *
1499 * The return value is the disposition of the chunk.
1500 */
1501 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep,
1502 const struct sctp_association *asoc,
1503 const sctp_subtype_t type,
1504 void *arg,
1505 sctp_cmd_seq_t *commands)
1506 {
1507 /* Call helper to do the real work for both simulataneous and
1508 * duplicate INIT chunk handling.
1509 */
1510 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1511 }
1512
1513 /*
1514 * Handle duplicated INIT messages. These are usually delayed
1515 * restransmissions.
1516 *
1517 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1518 * COOKIE-ECHOED and COOKIE-WAIT
1519 *
1520 * Unless otherwise stated, upon reception of an unexpected INIT for
1521 * this association, the endpoint shall generate an INIT ACK with a
1522 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1523 * current Verification Tag and peer's Verification Tag into a reserved
1524 * place within the state cookie. We shall refer to these locations as
1525 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1526 * containing this INIT ACK MUST carry a Verification Tag value equal to
1527 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1528 * MUST contain a new Initiation Tag (randomly generated see Section
1529 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1530 * existing parameters of the association (e.g. number of outbound
1531 * streams) into the INIT ACK and cookie.
1532 *
1533 * After sending out the INIT ACK, the endpoint shall take no further
1534 * actions, i.e., the existing association, including its current state,
1535 * and the corresponding TCB MUST NOT be changed.
1536 *
1537 * Note: Only when a TCB exists and the association is not in a COOKIE-
1538 * WAIT state are the Tie-Tags populated. For a normal association INIT
1539 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1540 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1541 * State Cookie are populated as specified in section 5.2.1.
1542 *
1543 * Verification Tag: Not specified, but an INIT has no way of knowing
1544 * what the verification tag could be, so we ignore it.
1545 *
1546 * Inputs
1547 * (endpoint, asoc, chunk)
1548 *
1549 * Outputs
1550 * (asoc, reply_msg, msg_up, timers, counters)
1551 *
1552 * The return value is the disposition of the chunk.
1553 */
1554 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep,
1555 const struct sctp_association *asoc,
1556 const sctp_subtype_t type,
1557 void *arg,
1558 sctp_cmd_seq_t *commands)
1559 {
1560 /* Call helper to do the real work for both simulataneous and
1561 * duplicate INIT chunk handling.
1562 */
1563 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1564 }
1565
1566
1567 /*
1568 * Unexpected INIT-ACK handler.
1569 *
1570 * Section 5.2.3
1571 * If an INIT ACK received by an endpoint in any state other than the
1572 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1573 * An unexpected INIT ACK usually indicates the processing of an old or
1574 * duplicated INIT chunk.
1575 */
1576 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep,
1577 const struct sctp_association *asoc,
1578 const sctp_subtype_t type,
1579 void *arg, sctp_cmd_seq_t *commands)
1580 {
1581 /* Per the above section, we'll discard the chunk if we have an
1582 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1583 */
1584 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
1585 return sctp_sf_ootb(ep, asoc, type, arg, commands);
1586 else
1587 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
1588 }
1589
1590 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1591 *
1592 * Section 5.2.4
1593 * A) In this case, the peer may have restarted.
1594 */
1595 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
1596 const struct sctp_association *asoc,
1597 struct sctp_chunk *chunk,
1598 sctp_cmd_seq_t *commands,
1599 struct sctp_association *new_asoc)
1600 {
1601 sctp_init_chunk_t *peer_init;
1602 struct sctp_ulpevent *ev;
1603 struct sctp_chunk *repl;
1604 struct sctp_chunk *err;
1605 sctp_disposition_t disposition;
1606
1607 /* new_asoc is a brand-new association, so these are not yet
1608 * side effects--it is safe to run them here.
1609 */
1610 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1611
1612 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1613 sctp_source(chunk), peer_init,
1614 GFP_ATOMIC))
1615 goto nomem;
1616
1617 /* Make sure no new addresses are being added during the
1618 * restart. Though this is a pretty complicated attack
1619 * since you'd have to get inside the cookie.
1620 */
1621 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1622 return SCTP_DISPOSITION_CONSUME;
1623 }
1624
1625 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1626 * the peer has restarted (Action A), it MUST NOT setup a new
1627 * association but instead resend the SHUTDOWN ACK and send an ERROR
1628 * chunk with a "Cookie Received while Shutting Down" error cause to
1629 * its peer.
1630 */
1631 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1632 disposition = sctp_sf_do_9_2_reshutack(ep, asoc,
1633 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1634 chunk, commands);
1635 if (SCTP_DISPOSITION_NOMEM == disposition)
1636 goto nomem;
1637
1638 err = sctp_make_op_error(asoc, chunk,
1639 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1640 NULL, 0);
1641 if (err)
1642 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1643 SCTP_CHUNK(err));
1644
1645 return SCTP_DISPOSITION_CONSUME;
1646 }
1647
1648 /* For now, fail any unsent/unacked data. Consider the optional
1649 * choice of resending of this data.
1650 */
1651 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1652
1653 repl = sctp_make_cookie_ack(new_asoc, chunk);
1654 if (!repl)
1655 goto nomem;
1656
1657 /* Report association restart to upper layer. */
1658 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1659 new_asoc->c.sinit_num_ostreams,
1660 new_asoc->c.sinit_max_instreams,
1661 NULL, GFP_ATOMIC);
1662 if (!ev)
1663 goto nomem_ev;
1664
1665 /* Update the content of current association. */
1666 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1667 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1668 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1669 return SCTP_DISPOSITION_CONSUME;
1670
1671 nomem_ev:
1672 sctp_chunk_free(repl);
1673 nomem:
1674 return SCTP_DISPOSITION_NOMEM;
1675 }
1676
1677 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1678 *
1679 * Section 5.2.4
1680 * B) In this case, both sides may be attempting to start an association
1681 * at about the same time but the peer endpoint started its INIT
1682 * after responding to the local endpoint's INIT
1683 */
1684 /* This case represents an initialization collision. */
1685 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,
1686 const struct sctp_association *asoc,
1687 struct sctp_chunk *chunk,
1688 sctp_cmd_seq_t *commands,
1689 struct sctp_association *new_asoc)
1690 {
1691 sctp_init_chunk_t *peer_init;
1692 struct sctp_chunk *repl;
1693
1694 /* new_asoc is a brand-new association, so these are not yet
1695 * side effects--it is safe to run them here.
1696 */
1697 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1698 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1699 sctp_source(chunk), peer_init,
1700 GFP_ATOMIC))
1701 goto nomem;
1702
1703 /* Update the content of current association. */
1704 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1705 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1706 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1707 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1708 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1709
1710 repl = sctp_make_cookie_ack(new_asoc, chunk);
1711 if (!repl)
1712 goto nomem;
1713
1714 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1715 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL());
1716
1717 /* RFC 2960 5.1 Normal Establishment of an Association
1718 *
1719 * D) IMPLEMENTATION NOTE: An implementation may choose to
1720 * send the Communication Up notification to the SCTP user
1721 * upon reception of a valid COOKIE ECHO chunk.
1722 *
1723 * Sadly, this needs to be implemented as a side-effect, because
1724 * we are not guaranteed to have set the association id of the real
1725 * association and so these notifications need to be delayed until
1726 * the association id is allocated.
1727 */
1728
1729 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1730
1731 /* Sockets API Draft Section 5.3.1.6
1732 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1733 * delivers this notification to inform the application that of the
1734 * peers requested adaptation layer.
1735 *
1736 * This also needs to be done as a side effect for the same reason as
1737 * above.
1738 */
1739 if (asoc->peer.adaptation_ind)
1740 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1741
1742 return SCTP_DISPOSITION_CONSUME;
1743
1744 nomem:
1745 return SCTP_DISPOSITION_NOMEM;
1746 }
1747
1748 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1749 *
1750 * Section 5.2.4
1751 * C) In this case, the local endpoint's cookie has arrived late.
1752 * Before it arrived, the local endpoint sent an INIT and received an
1753 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1754 * but a new tag of its own.
1755 */
1756 /* This case represents an initialization collision. */
1757 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep,
1758 const struct sctp_association *asoc,
1759 struct sctp_chunk *chunk,
1760 sctp_cmd_seq_t *commands,
1761 struct sctp_association *new_asoc)
1762 {
1763 /* The cookie should be silently discarded.
1764 * The endpoint SHOULD NOT change states and should leave
1765 * any timers running.
1766 */
1767 return SCTP_DISPOSITION_DISCARD;
1768 }
1769
1770 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1771 *
1772 * Section 5.2.4
1773 *
1774 * D) When both local and remote tags match the endpoint should always
1775 * enter the ESTABLISHED state, if it has not already done so.
1776 */
1777 /* This case represents an initialization collision. */
1778 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep,
1779 const struct sctp_association *asoc,
1780 struct sctp_chunk *chunk,
1781 sctp_cmd_seq_t *commands,
1782 struct sctp_association *new_asoc)
1783 {
1784 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1785 struct sctp_chunk *repl;
1786
1787 /* Clarification from Implementor's Guide:
1788 * D) When both local and remote tags match the endpoint should
1789 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1790 * It should stop any cookie timer that may be running and send
1791 * a COOKIE ACK.
1792 */
1793
1794 /* Don't accidentally move back into established state. */
1795 if (asoc->state < SCTP_STATE_ESTABLISHED) {
1796 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1797 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1798 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1799 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1800 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1801 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1802 SCTP_NULL());
1803
1804 /* RFC 2960 5.1 Normal Establishment of an Association
1805 *
1806 * D) IMPLEMENTATION NOTE: An implementation may choose
1807 * to send the Communication Up notification to the
1808 * SCTP user upon reception of a valid COOKIE
1809 * ECHO chunk.
1810 */
1811 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1812 SCTP_COMM_UP, 0,
1813 asoc->c.sinit_num_ostreams,
1814 asoc->c.sinit_max_instreams,
1815 NULL, GFP_ATOMIC);
1816 if (!ev)
1817 goto nomem;
1818
1819 /* Sockets API Draft Section 5.3.1.6
1820 * When a peer sends a Adaptation Layer Indication parameter,
1821 * SCTP delivers this notification to inform the application
1822 * that of the peers requested adaptation layer.
1823 */
1824 if (asoc->peer.adaptation_ind) {
1825 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1826 GFP_ATOMIC);
1827 if (!ai_ev)
1828 goto nomem;
1829
1830 }
1831 }
1832 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL());
1833
1834 repl = sctp_make_cookie_ack(new_asoc, chunk);
1835 if (!repl)
1836 goto nomem;
1837
1838 if (ev)
1839 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1840 SCTP_ULPEVENT(ev));
1841 if (ai_ev)
1842 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1843 SCTP_ULPEVENT(ai_ev));
1844
1845 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1846 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSMIT, SCTP_NULL());
1847
1848 return SCTP_DISPOSITION_CONSUME;
1849
1850 nomem:
1851 if (ai_ev)
1852 sctp_ulpevent_free(ai_ev);
1853 if (ev)
1854 sctp_ulpevent_free(ev);
1855 return SCTP_DISPOSITION_NOMEM;
1856 }
1857
1858 /*
1859 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
1860 * chunk was retransmitted and then delayed in the network.
1861 *
1862 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1863 *
1864 * Verification Tag: None. Do cookie validation.
1865 *
1866 * Inputs
1867 * (endpoint, asoc, chunk)
1868 *
1869 * Outputs
1870 * (asoc, reply_msg, msg_up, timers, counters)
1871 *
1872 * The return value is the disposition of the chunk.
1873 */
1874 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
1875 const struct sctp_association *asoc,
1876 const sctp_subtype_t type,
1877 void *arg,
1878 sctp_cmd_seq_t *commands)
1879 {
1880 sctp_disposition_t retval;
1881 struct sctp_chunk *chunk = arg;
1882 struct sctp_association *new_asoc;
1883 int error = 0;
1884 char action;
1885 struct sctp_chunk *err_chk_p;
1886
1887 /* Make sure that the chunk has a valid length from the protocol
1888 * perspective. In this case check to make sure we have at least
1889 * enough for the chunk header. Cookie length verification is
1890 * done later.
1891 */
1892 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
1893 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1894 commands);
1895
1896 /* "Decode" the chunk. We have no optional parameters so we
1897 * are in good shape.
1898 */
1899 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
1900 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
1901 sizeof(sctp_chunkhdr_t)))
1902 goto nomem;
1903
1904 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
1905 * of a duplicate COOKIE ECHO match the Verification Tags of the
1906 * current association, consider the State Cookie valid even if
1907 * the lifespan is exceeded.
1908 */
1909 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
1910 &err_chk_p);
1911
1912 /* FIXME:
1913 * If the re-build failed, what is the proper error path
1914 * from here?
1915 *
1916 * [We should abort the association. --piggy]
1917 */
1918 if (!new_asoc) {
1919 /* FIXME: Several errors are possible. A bad cookie should
1920 * be silently discarded, but think about logging it too.
1921 */
1922 switch (error) {
1923 case -SCTP_IERROR_NOMEM:
1924 goto nomem;
1925
1926 case -SCTP_IERROR_STALE_COOKIE:
1927 sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
1928 err_chk_p);
1929 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1930 case -SCTP_IERROR_BAD_SIG:
1931 default:
1932 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1933 }
1934 }
1935
1936 /* Compare the tie_tag in cookie with the verification tag of
1937 * current association.
1938 */
1939 action = sctp_tietags_compare(new_asoc, asoc);
1940
1941 switch (action) {
1942 case 'A': /* Association restart. */
1943 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands,
1944 new_asoc);
1945 break;
1946
1947 case 'B': /* Collision case B. */
1948 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands,
1949 new_asoc);
1950 break;
1951
1952 case 'C': /* Collision case C. */
1953 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands,
1954 new_asoc);
1955 break;
1956
1957 case 'D': /* Collision case D. */
1958 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands,
1959 new_asoc);
1960 break;
1961
1962 default: /* Discard packet for all others. */
1963 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1964 break;
1965 }
1966
1967 /* Delete the tempory new association. */
1968 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1969 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1970
1971 return retval;
1972
1973 nomem:
1974 return SCTP_DISPOSITION_NOMEM;
1975 }
1976
1977 /*
1978 * Process an ABORT. (SHUTDOWN-PENDING state)
1979 *
1980 * See sctp_sf_do_9_1_abort().
1981 */
1982 sctp_disposition_t sctp_sf_shutdown_pending_abort(
1983 const struct sctp_endpoint *ep,
1984 const struct sctp_association *asoc,
1985 const sctp_subtype_t type,
1986 void *arg,
1987 sctp_cmd_seq_t *commands)
1988 {
1989 struct sctp_chunk *chunk = arg;
1990
1991 if (!sctp_vtag_verify_either(chunk, asoc))
1992 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1993
1994 /* Make sure that the ABORT chunk has a valid length.
1995 * Since this is an ABORT chunk, we have to discard it
1996 * because of the following text:
1997 * RFC 2960, Section 3.3.7
1998 * If an endpoint receives an ABORT with a format error or for an
1999 * association that doesn't exist, it MUST silently discard it.
2000 * Becasue the length is "invalid", we can't really discard just
2001 * as we do not know its true length. So, to be safe, discard the
2002 * packet.
2003 */
2004 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2005 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2006
2007 /* Stop the T5-shutdown guard timer. */
2008 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2009 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2010
2011 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2012 }
2013
2014 /*
2015 * Process an ABORT. (SHUTDOWN-SENT state)
2016 *
2017 * See sctp_sf_do_9_1_abort().
2018 */
2019 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,
2020 const struct sctp_association *asoc,
2021 const sctp_subtype_t type,
2022 void *arg,
2023 sctp_cmd_seq_t *commands)
2024 {
2025 struct sctp_chunk *chunk = arg;
2026
2027 if (!sctp_vtag_verify_either(chunk, asoc))
2028 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2029
2030 /* Make sure that the ABORT chunk has a valid length.
2031 * Since this is an ABORT chunk, we have to discard it
2032 * because of the following text:
2033 * RFC 2960, Section 3.3.7
2034 * If an endpoint receives an ABORT with a format error or for an
2035 * association that doesn't exist, it MUST silently discard it.
2036 * Becasue the length is "invalid", we can't really discard just
2037 * as we do not know its true length. So, to be safe, discard the
2038 * packet.
2039 */
2040 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2041 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2042
2043 /* Stop the T2-shutdown timer. */
2044 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2045 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2046
2047 /* Stop the T5-shutdown guard timer. */
2048 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2049 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2050
2051 return sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2052 }
2053
2054 /*
2055 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2056 *
2057 * See sctp_sf_do_9_1_abort().
2058 */
2059 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2060 const struct sctp_endpoint *ep,
2061 const struct sctp_association *asoc,
2062 const sctp_subtype_t type,
2063 void *arg,
2064 sctp_cmd_seq_t *commands)
2065 {
2066 /* The same T2 timer, so we should be able to use
2067 * common function with the SHUTDOWN-SENT state.
2068 */
2069 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands);
2070 }
2071
2072 /*
2073 * Handle an Error received in COOKIE_ECHOED state.
2074 *
2075 * Only handle the error type of stale COOKIE Error, the other errors will
2076 * be ignored.
2077 *
2078 * Inputs
2079 * (endpoint, asoc, chunk)
2080 *
2081 * Outputs
2082 * (asoc, reply_msg, msg_up, timers, counters)
2083 *
2084 * The return value is the disposition of the chunk.
2085 */
2086 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep,
2087 const struct sctp_association *asoc,
2088 const sctp_subtype_t type,
2089 void *arg,
2090 sctp_cmd_seq_t *commands)
2091 {
2092 struct sctp_chunk *chunk = arg;
2093 sctp_errhdr_t *err;
2094
2095 if (!sctp_vtag_verify(chunk, asoc))
2096 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2097
2098 /* Make sure that the ERROR chunk has a valid length.
2099 * The parameter walking depends on this as well.
2100 */
2101 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2102 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2103 commands);
2104
2105 /* Process the error here */
2106 /* FUTURE FIXME: When PR-SCTP related and other optional
2107 * parms are emitted, this will have to change to handle multiple
2108 * errors.
2109 */
2110 sctp_walk_errors(err, chunk->chunk_hdr) {
2111 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2112 return sctp_sf_do_5_2_6_stale(ep, asoc, type,
2113 arg, commands);
2114 }
2115
2116 /* It is possible to have malformed error causes, and that
2117 * will cause us to end the walk early. However, since
2118 * we are discarding the packet, there should be no adverse
2119 * affects.
2120 */
2121 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2122 }
2123
2124 /*
2125 * Handle a Stale COOKIE Error
2126 *
2127 * Section: 5.2.6 Handle Stale COOKIE Error
2128 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2129 * one of the following three alternatives.
2130 * ...
2131 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2132 * Preservative parameter requesting an extension to the lifetime of
2133 * the State Cookie. When calculating the time extension, an
2134 * implementation SHOULD use the RTT information measured based on the
2135 * previous COOKIE ECHO / ERROR exchange, and should add no more
2136 * than 1 second beyond the measured RTT, due to long State Cookie
2137 * lifetimes making the endpoint more subject to a replay attack.
2138 *
2139 * Verification Tag: Not explicit, but safe to ignore.
2140 *
2141 * Inputs
2142 * (endpoint, asoc, chunk)
2143 *
2144 * Outputs
2145 * (asoc, reply_msg, msg_up, timers, counters)
2146 *
2147 * The return value is the disposition of the chunk.
2148 */
2149 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
2150 const struct sctp_association *asoc,
2151 const sctp_subtype_t type,
2152 void *arg,
2153 sctp_cmd_seq_t *commands)
2154 {
2155 struct sctp_chunk *chunk = arg;
2156 time_t stale;
2157 sctp_cookie_preserve_param_t bht;
2158 sctp_errhdr_t *err;
2159 struct sctp_chunk *reply;
2160 struct sctp_bind_addr *bp;
2161 int attempts = asoc->init_err_counter + 1;
2162
2163 if (attempts > asoc->max_init_attempts) {
2164 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2165 SCTP_ERROR(ETIMEDOUT));
2166 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2167 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2168 return SCTP_DISPOSITION_DELETE_TCB;
2169 }
2170
2171 err = (sctp_errhdr_t *)(chunk->skb->data);
2172
2173 /* When calculating the time extension, an implementation
2174 * SHOULD use the RTT information measured based on the
2175 * previous COOKIE ECHO / ERROR exchange, and should add no
2176 * more than 1 second beyond the measured RTT, due to long
2177 * State Cookie lifetimes making the endpoint more subject to
2178 * a replay attack.
2179 * Measure of Staleness's unit is usec. (1/1000000 sec)
2180 * Suggested Cookie Life-span Increment's unit is msec.
2181 * (1/1000 sec)
2182 * In general, if you use the suggested cookie life, the value
2183 * found in the field of measure of staleness should be doubled
2184 * to give ample time to retransmit the new cookie and thus
2185 * yield a higher probability of success on the reattempt.
2186 */
2187 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2188 stale = (stale * 2) / 1000;
2189
2190 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2191 bht.param_hdr.length = htons(sizeof(bht));
2192 bht.lifespan_increment = htonl(stale);
2193
2194 /* Build that new INIT chunk. */
2195 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2196 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2197 if (!reply)
2198 goto nomem;
2199
2200 sctp_addto_chunk(reply, sizeof(bht), &bht);
2201
2202 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2203 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2204
2205 /* Stop pending T3-rtx and heartbeat timers */
2206 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2207 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2208
2209 /* Delete non-primary peer ip addresses since we are transitioning
2210 * back to the COOKIE-WAIT state
2211 */
2212 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2213
2214 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2215 * resend
2216 */
2217 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN,
2218 SCTP_TRANSPORT(asoc->peer.primary_path));
2219
2220 /* Cast away the const modifier, as we want to just
2221 * rerun it through as a sideffect.
2222 */
2223 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2224
2225 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2226 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2227 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2228 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2229 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2230 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2231
2232 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2233
2234 return SCTP_DISPOSITION_CONSUME;
2235
2236 nomem:
2237 return SCTP_DISPOSITION_NOMEM;
2238 }
2239
2240 /*
2241 * Process an ABORT.
2242 *
2243 * Section: 9.1
2244 * After checking the Verification Tag, the receiving endpoint shall
2245 * remove the association from its record, and shall report the
2246 * termination to its upper layer.
2247 *
2248 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2249 * B) Rules for packet carrying ABORT:
2250 *
2251 * - The endpoint shall always fill in the Verification Tag field of the
2252 * outbound packet with the destination endpoint's tag value if it
2253 * is known.
2254 *
2255 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2256 * MUST follow the procedure described in Section 8.4.
2257 *
2258 * - The receiver MUST accept the packet if the Verification Tag
2259 * matches either its own tag, OR the tag of its peer. Otherwise, the
2260 * receiver MUST silently discard the packet and take no further
2261 * action.
2262 *
2263 * Inputs
2264 * (endpoint, asoc, chunk)
2265 *
2266 * Outputs
2267 * (asoc, reply_msg, msg_up, timers, counters)
2268 *
2269 * The return value is the disposition of the chunk.
2270 */
2271 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2272 const struct sctp_association *asoc,
2273 const sctp_subtype_t type,
2274 void *arg,
2275 sctp_cmd_seq_t *commands)
2276 {
2277 struct sctp_chunk *chunk = arg;
2278 unsigned len;
2279 __be16 error = SCTP_ERROR_NO_ERROR;
2280
2281 if (!sctp_vtag_verify_either(chunk, asoc))
2282 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2283
2284 /* Make sure that the ABORT chunk has a valid length.
2285 * Since this is an ABORT chunk, we have to discard it
2286 * because of the following text:
2287 * RFC 2960, Section 3.3.7
2288 * If an endpoint receives an ABORT with a format error or for an
2289 * association that doesn't exist, it MUST silently discard it.
2290 * Becasue the length is "invalid", we can't really discard just
2291 * as we do not know its true length. So, to be safe, discard the
2292 * packet.
2293 */
2294 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2295 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2296
2297 /* See if we have an error cause code in the chunk. */
2298 len = ntohs(chunk->chunk_hdr->length);
2299 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2300 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2301
2302 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2303 /* ASSOC_FAILED will DELETE_TCB. */
2304 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2305 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2306 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
2307
2308 return SCTP_DISPOSITION_ABORT;
2309 }
2310
2311 /*
2312 * Process an ABORT. (COOKIE-WAIT state)
2313 *
2314 * See sctp_sf_do_9_1_abort() above.
2315 */
2316 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
2317 const struct sctp_association *asoc,
2318 const sctp_subtype_t type,
2319 void *arg,
2320 sctp_cmd_seq_t *commands)
2321 {
2322 struct sctp_chunk *chunk = arg;
2323 unsigned len;
2324 __be16 error = SCTP_ERROR_NO_ERROR;
2325
2326 if (!sctp_vtag_verify_either(chunk, asoc))
2327 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2328
2329 /* Make sure that the ABORT chunk has a valid length.
2330 * Since this is an ABORT chunk, we have to discard it
2331 * because of the following text:
2332 * RFC 2960, Section 3.3.7
2333 * If an endpoint receives an ABORT with a format error or for an
2334 * association that doesn't exist, it MUST silently discard it.
2335 * Becasue the length is "invalid", we can't really discard just
2336 * as we do not know its true length. So, to be safe, discard the
2337 * packet.
2338 */
2339 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2340 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2341
2342 /* See if we have an error cause code in the chunk. */
2343 len = ntohs(chunk->chunk_hdr->length);
2344 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2345 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2346
2347 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc,
2348 chunk->transport);
2349 }
2350
2351 /*
2352 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2353 */
2354 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep,
2355 const struct sctp_association *asoc,
2356 const sctp_subtype_t type,
2357 void *arg,
2358 sctp_cmd_seq_t *commands)
2359 {
2360 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR,
2361 ENOPROTOOPT, asoc,
2362 (struct sctp_transport *)arg);
2363 }
2364
2365 /*
2366 * Process an ABORT. (COOKIE-ECHOED state)
2367 */
2368 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep,
2369 const struct sctp_association *asoc,
2370 const sctp_subtype_t type,
2371 void *arg,
2372 sctp_cmd_seq_t *commands)
2373 {
2374 /* There is a single T1 timer, so we should be able to use
2375 * common function with the COOKIE-WAIT state.
2376 */
2377 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands);
2378 }
2379
2380 /*
2381 * Stop T1 timer and abort association with "INIT failed".
2382 *
2383 * This is common code called by several sctp_sf_*_abort() functions above.
2384 */
2385 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
2386 __be16 error, int sk_err,
2387 const struct sctp_association *asoc,
2388 struct sctp_transport *transport)
2389 {
2390 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");
2391 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2392 SCTP_STATE(SCTP_STATE_CLOSED));
2393 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2394 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2395 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2396 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2397 /* CMD_INIT_FAILED will DELETE_TCB. */
2398 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2399 SCTP_PERR(error));
2400 return SCTP_DISPOSITION_ABORT;
2401 }
2402
2403 /*
2404 * sctp_sf_do_9_2_shut
2405 *
2406 * Section: 9.2
2407 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2408 * - enter the SHUTDOWN-RECEIVED state,
2409 *
2410 * - stop accepting new data from its SCTP user
2411 *
2412 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2413 * that all its outstanding DATA chunks have been received by the
2414 * SHUTDOWN sender.
2415 *
2416 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2417 * send a SHUTDOWN in response to a ULP request. And should discard
2418 * subsequent SHUTDOWN chunks.
2419 *
2420 * If there are still outstanding DATA chunks left, the SHUTDOWN
2421 * receiver shall continue to follow normal data transmission
2422 * procedures defined in Section 6 until all outstanding DATA chunks
2423 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2424 * new data from its SCTP user.
2425 *
2426 * Verification Tag: 8.5 Verification Tag [Normal verification]
2427 *
2428 * Inputs
2429 * (endpoint, asoc, chunk)
2430 *
2431 * Outputs
2432 * (asoc, reply_msg, msg_up, timers, counters)
2433 *
2434 * The return value is the disposition of the chunk.
2435 */
2436 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
2437 const struct sctp_association *asoc,
2438 const sctp_subtype_t type,
2439 void *arg,
2440 sctp_cmd_seq_t *commands)
2441 {
2442 struct sctp_chunk *chunk = arg;
2443 sctp_shutdownhdr_t *sdh;
2444 sctp_disposition_t disposition;
2445 struct sctp_ulpevent *ev;
2446
2447 if (!sctp_vtag_verify(chunk, asoc))
2448 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2449
2450 /* Make sure that the SHUTDOWN chunk has a valid length. */
2451 if (!sctp_chunk_length_valid(chunk,
2452 sizeof(struct sctp_shutdown_chunk_t)))
2453 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2454 commands);
2455
2456 /* Convert the elaborate header. */
2457 sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2458 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2459 chunk->subh.shutdown_hdr = sdh;
2460
2461 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2462 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2463 * inform the application that it should cease sending data.
2464 */
2465 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2466 if (!ev) {
2467 disposition = SCTP_DISPOSITION_NOMEM;
2468 goto out;
2469 }
2470 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2471
2472 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2473 * - enter the SHUTDOWN-RECEIVED state,
2474 * - stop accepting new data from its SCTP user
2475 *
2476 * [This is implicit in the new state.]
2477 */
2478 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2479 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2480 disposition = SCTP_DISPOSITION_CONSUME;
2481
2482 if (sctp_outq_is_empty(&asoc->outqueue)) {
2483 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type,
2484 arg, commands);
2485 }
2486
2487 if (SCTP_DISPOSITION_NOMEM == disposition)
2488 goto out;
2489
2490 /* - verify, by checking the Cumulative TSN Ack field of the
2491 * chunk, that all its outstanding DATA chunks have been
2492 * received by the SHUTDOWN sender.
2493 */
2494 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2495 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2496
2497 out:
2498 return disposition;
2499 }
2500
2501 /* RFC 2960 9.2
2502 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2503 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2504 * transport addresses (either in the IP addresses or in the INIT chunk)
2505 * that belong to this association, it should discard the INIT chunk and
2506 * retransmit the SHUTDOWN ACK chunk.
2507 */
2508 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep,
2509 const struct sctp_association *asoc,
2510 const sctp_subtype_t type,
2511 void *arg,
2512 sctp_cmd_seq_t *commands)
2513 {
2514 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2515 struct sctp_chunk *reply;
2516
2517 /* Make sure that the chunk has a valid length */
2518 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2519 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2520 commands);
2521
2522 /* Since we are not going to really process this INIT, there
2523 * is no point in verifying chunk boundries. Just generate
2524 * the SHUTDOWN ACK.
2525 */
2526 reply = sctp_make_shutdown_ack(asoc, chunk);
2527 if (NULL == reply)
2528 goto nomem;
2529
2530 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2531 * the T2-SHUTDOWN timer.
2532 */
2533 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2534
2535 /* and restart the T2-shutdown timer. */
2536 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2537 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2538
2539 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2540
2541 return SCTP_DISPOSITION_CONSUME;
2542 nomem:
2543 return SCTP_DISPOSITION_NOMEM;
2544 }
2545
2546 /*
2547 * sctp_sf_do_ecn_cwr
2548 *
2549 * Section: Appendix A: Explicit Congestion Notification
2550 *
2551 * CWR:
2552 *
2553 * RFC 2481 details a specific bit for a sender to send in the header of
2554 * its next outbound TCP segment to indicate to its peer that it has
2555 * reduced its congestion window. This is termed the CWR bit. For
2556 * SCTP the same indication is made by including the CWR chunk.
2557 * This chunk contains one data element, i.e. the TSN number that
2558 * was sent in the ECNE chunk. This element represents the lowest
2559 * TSN number in the datagram that was originally marked with the
2560 * CE bit.
2561 *
2562 * Verification Tag: 8.5 Verification Tag [Normal verification]
2563 * Inputs
2564 * (endpoint, asoc, chunk)
2565 *
2566 * Outputs
2567 * (asoc, reply_msg, msg_up, timers, counters)
2568 *
2569 * The return value is the disposition of the chunk.
2570 */
2571 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,
2572 const struct sctp_association *asoc,
2573 const sctp_subtype_t type,
2574 void *arg,
2575 sctp_cmd_seq_t *commands)
2576 {
2577 sctp_cwrhdr_t *cwr;
2578 struct sctp_chunk *chunk = arg;
2579 u32 lowest_tsn;
2580
2581 if (!sctp_vtag_verify(chunk, asoc))
2582 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2583
2584 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2585 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2586 commands);
2587
2588 cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2589 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2590
2591 lowest_tsn = ntohl(cwr->lowest_tsn);
2592
2593 /* Does this CWR ack the last sent congestion notification? */
2594 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2595 /* Stop sending ECNE. */
2596 sctp_add_cmd_sf(commands,
2597 SCTP_CMD_ECN_CWR,
2598 SCTP_U32(lowest_tsn));
2599 }
2600 return SCTP_DISPOSITION_CONSUME;
2601 }
2602
2603 /*
2604 * sctp_sf_do_ecne
2605 *
2606 * Section: Appendix A: Explicit Congestion Notification
2607 *
2608 * ECN-Echo
2609 *
2610 * RFC 2481 details a specific bit for a receiver to send back in its
2611 * TCP acknowledgements to notify the sender of the Congestion
2612 * Experienced (CE) bit having arrived from the network. For SCTP this
2613 * same indication is made by including the ECNE chunk. This chunk
2614 * contains one data element, i.e. the lowest TSN associated with the IP
2615 * datagram marked with the CE bit.....
2616 *
2617 * Verification Tag: 8.5 Verification Tag [Normal verification]
2618 * Inputs
2619 * (endpoint, asoc, chunk)
2620 *
2621 * Outputs
2622 * (asoc, reply_msg, msg_up, timers, counters)
2623 *
2624 * The return value is the disposition of the chunk.
2625 */
2626 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,
2627 const struct sctp_association *asoc,
2628 const sctp_subtype_t type,
2629 void *arg,
2630 sctp_cmd_seq_t *commands)
2631 {
2632 sctp_ecnehdr_t *ecne;
2633 struct sctp_chunk *chunk = arg;
2634
2635 if (!sctp_vtag_verify(chunk, asoc))
2636 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2637
2638 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2639 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2640 commands);
2641
2642 ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2643 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2644
2645 /* If this is a newer ECNE than the last CWR packet we sent out */
2646 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2647 SCTP_U32(ntohl(ecne->lowest_tsn)));
2648
2649 return SCTP_DISPOSITION_CONSUME;
2650 }
2651
2652 /*
2653 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
2654 *
2655 * The SCTP endpoint MUST always acknowledge the reception of each valid
2656 * DATA chunk.
2657 *
2658 * The guidelines on delayed acknowledgement algorithm specified in
2659 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2660 * acknowledgement SHOULD be generated for at least every second packet
2661 * (not every second DATA chunk) received, and SHOULD be generated within
2662 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2663 * situations it may be beneficial for an SCTP transmitter to be more
2664 * conservative than the algorithms detailed in this document allow.
2665 * However, an SCTP transmitter MUST NOT be more aggressive than the
2666 * following algorithms allow.
2667 *
2668 * A SCTP receiver MUST NOT generate more than one SACK for every
2669 * incoming packet, other than to update the offered window as the
2670 * receiving application consumes new data.
2671 *
2672 * Verification Tag: 8.5 Verification Tag [Normal verification]
2673 *
2674 * Inputs
2675 * (endpoint, asoc, chunk)
2676 *
2677 * Outputs
2678 * (asoc, reply_msg, msg_up, timers, counters)
2679 *
2680 * The return value is the disposition of the chunk.
2681 */
2682 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,
2683 const struct sctp_association *asoc,
2684 const sctp_subtype_t type,
2685 void *arg,
2686 sctp_cmd_seq_t *commands)
2687 {
2688 struct sctp_chunk *chunk = arg;
2689 int error;
2690
2691 if (!sctp_vtag_verify(chunk, asoc)) {
2692 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2693 SCTP_NULL());
2694 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2695 }
2696
2697 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2698 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2699 commands);
2700
2701 error = sctp_eat_data(asoc, chunk, commands );
2702 switch (error) {
2703 case SCTP_IERROR_NO_ERROR:
2704 break;
2705 case SCTP_IERROR_HIGH_TSN:
2706 case SCTP_IERROR_BAD_STREAM:
2707 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2708 goto discard_noforce;
2709 case SCTP_IERROR_DUP_TSN:
2710 case SCTP_IERROR_IGNORE_TSN:
2711 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2712 goto discard_force;
2713 case SCTP_IERROR_NO_DATA:
2714 goto consume;
2715 default:
2716 BUG();
2717 }
2718
2719 if (asoc->autoclose) {
2720 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2721 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2722 }
2723
2724 /* If this is the last chunk in a packet, we need to count it
2725 * toward sack generation. Note that we need to SACK every
2726 * OTHER packet containing data chunks, EVEN IF WE DISCARD
2727 * THEM. We elect to NOT generate SACK's if the chunk fails
2728 * the verification tag test.
2729 *
2730 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2731 *
2732 * The SCTP endpoint MUST always acknowledge the reception of
2733 * each valid DATA chunk.
2734 *
2735 * The guidelines on delayed acknowledgement algorithm
2736 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
2737 * Specifically, an acknowledgement SHOULD be generated for at
2738 * least every second packet (not every second DATA chunk)
2739 * received, and SHOULD be generated within 200 ms of the
2740 * arrival of any unacknowledged DATA chunk. In some
2741 * situations it may be beneficial for an SCTP transmitter to
2742 * be more conservative than the algorithms detailed in this
2743 * document allow. However, an SCTP transmitter MUST NOT be
2744 * more aggressive than the following algorithms allow.
2745 */
2746 if (chunk->end_of_packet)
2747 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
2748
2749 return SCTP_DISPOSITION_CONSUME;
2750
2751 discard_force:
2752 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2753 *
2754 * When a packet arrives with duplicate DATA chunk(s) and with
2755 * no new DATA chunk(s), the endpoint MUST immediately send a
2756 * SACK with no delay. If a packet arrives with duplicate
2757 * DATA chunk(s) bundled with new DATA chunks, the endpoint
2758 * MAY immediately send a SACK. Normally receipt of duplicate
2759 * DATA chunks will occur when the original SACK chunk was lost
2760 * and the peer's RTO has expired. The duplicate TSN number(s)
2761 * SHOULD be reported in the SACK as duplicate.
2762 */
2763 /* In our case, we split the MAY SACK advice up whether or not
2764 * the last chunk is a duplicate.'
2765 */
2766 if (chunk->end_of_packet)
2767 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
2768 return SCTP_DISPOSITION_DISCARD;
2769
2770 discard_noforce:
2771 if (chunk->end_of_packet)
2772 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
2773
2774 return SCTP_DISPOSITION_DISCARD;
2775 consume:
2776 return SCTP_DISPOSITION_CONSUME;
2777
2778 }
2779
2780 /*
2781 * sctp_sf_eat_data_fast_4_4
2782 *
2783 * Section: 4 (4)
2784 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
2785 * DATA chunks without delay.
2786 *
2787 * Verification Tag: 8.5 Verification Tag [Normal verification]
2788 * Inputs
2789 * (endpoint, asoc, chunk)
2790 *
2791 * Outputs
2792 * (asoc, reply_msg, msg_up, timers, counters)
2793 *
2794 * The return value is the disposition of the chunk.
2795 */
2796 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,
2797 const struct sctp_association *asoc,
2798 const sctp_subtype_t type,
2799 void *arg,
2800 sctp_cmd_seq_t *commands)
2801 {
2802 struct sctp_chunk *chunk = arg;
2803 int error;
2804
2805 if (!sctp_vtag_verify(chunk, asoc)) {
2806 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2807 SCTP_NULL());
2808 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2809 }
2810
2811 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2812 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2813 commands);
2814
2815 error = sctp_eat_data(asoc, chunk, commands );
2816 switch (error) {
2817 case SCTP_IERROR_NO_ERROR:
2818 case SCTP_IERROR_HIGH_TSN:
2819 case SCTP_IERROR_DUP_TSN:
2820 case SCTP_IERROR_IGNORE_TSN:
2821 case SCTP_IERROR_BAD_STREAM:
2822 break;
2823 case SCTP_IERROR_NO_DATA:
2824 goto consume;
2825 default:
2826 BUG();
2827 }
2828
2829 /* Go a head and force a SACK, since we are shutting down. */
2830
2831 /* Implementor's Guide.
2832 *
2833 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
2834 * respond to each received packet containing one or more DATA chunk(s)
2835 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
2836 */
2837 if (chunk->end_of_packet) {
2838 /* We must delay the chunk creation since the cumulative
2839 * TSN has not been updated yet.
2840 */
2841 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
2842 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
2843 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2844 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2845 }
2846
2847 consume:
2848 return SCTP_DISPOSITION_CONSUME;
2849 }
2850
2851 /*
2852 * Section: 6.2 Processing a Received SACK
2853 * D) Any time a SACK arrives, the endpoint performs the following:
2854 *
2855 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
2856 * then drop the SACK. Since Cumulative TSN Ack is monotonically
2857 * increasing, a SACK whose Cumulative TSN Ack is less than the
2858 * Cumulative TSN Ack Point indicates an out-of-order SACK.
2859 *
2860 * ii) Set rwnd equal to the newly received a_rwnd minus the number
2861 * of bytes still outstanding after processing the Cumulative TSN Ack
2862 * and the Gap Ack Blocks.
2863 *
2864 * iii) If the SACK is missing a TSN that was previously
2865 * acknowledged via a Gap Ack Block (e.g., the data receiver
2866 * reneged on the data), then mark the corresponding DATA chunk
2867 * as available for retransmit: Mark it as missing for fast
2868 * retransmit as described in Section 7.2.4 and if no retransmit
2869 * timer is running for the destination address to which the DATA
2870 * chunk was originally transmitted, then T3-rtx is started for
2871 * that destination address.
2872 *
2873 * Verification Tag: 8.5 Verification Tag [Normal verification]
2874 *
2875 * Inputs
2876 * (endpoint, asoc, chunk)
2877 *
2878 * Outputs
2879 * (asoc, reply_msg, msg_up, timers, counters)
2880 *
2881 * The return value is the disposition of the chunk.
2882 */
2883 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
2884 const struct sctp_association *asoc,
2885 const sctp_subtype_t type,
2886 void *arg,
2887 sctp_cmd_seq_t *commands)
2888 {
2889 struct sctp_chunk *chunk = arg;
2890 sctp_sackhdr_t *sackh;
2891 __u32 ctsn;
2892
2893 if (!sctp_vtag_verify(chunk, asoc))
2894 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2895
2896 /* Make sure that the SACK chunk has a valid length. */
2897 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
2898 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2899 commands);
2900
2901 /* Pull the SACK chunk from the data buffer */
2902 sackh = sctp_sm_pull_sack(chunk);
2903 /* Was this a bogus SACK? */
2904 if (!sackh)
2905 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2906 chunk->subh.sack_hdr = sackh;
2907 ctsn = ntohl(sackh->cum_tsn_ack);
2908
2909 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
2910 * Ack Point, then drop the SACK. Since Cumulative TSN
2911 * Ack is monotonically increasing, a SACK whose
2912 * Cumulative TSN Ack is less than the Cumulative TSN Ack
2913 * Point indicates an out-of-order SACK.
2914 */
2915 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2916 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2917 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2918 return SCTP_DISPOSITION_DISCARD;
2919 }
2920
2921 /* If Cumulative TSN Ack beyond the max tsn currently
2922 * send, terminating the association and respond to the
2923 * sender with an ABORT.
2924 */
2925 if (!TSN_lt(ctsn, asoc->next_tsn))
2926 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2927
2928 /* Return this SACK for further processing. */
2929 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh));
2930
2931 /* Note: We do the rest of the work on the PROCESS_SACK
2932 * sideeffect.
2933 */
2934 return SCTP_DISPOSITION_CONSUME;
2935 }
2936
2937 /*
2938 * Generate an ABORT in response to a packet.
2939 *
2940 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
2941 *
2942 * 8) The receiver should respond to the sender of the OOTB packet with
2943 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
2944 * MUST fill in the Verification Tag field of the outbound packet
2945 * with the value found in the Verification Tag field of the OOTB
2946 * packet and set the T-bit in the Chunk Flags to indicate that the
2947 * Verification Tag is reflected. After sending this ABORT, the
2948 * receiver of the OOTB packet shall discard the OOTB packet and take
2949 * no further action.
2950 *
2951 * Verification Tag:
2952 *
2953 * The return value is the disposition of the chunk.
2954 */
2955 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
2956 const struct sctp_association *asoc,
2957 const sctp_subtype_t type,
2958 void *arg,
2959 sctp_cmd_seq_t *commands)
2960 {
2961 struct sctp_packet *packet = NULL;
2962 struct sctp_chunk *chunk = arg;
2963 struct sctp_chunk *abort;
2964
2965 packet = sctp_ootb_pkt_new(asoc, chunk);
2966
2967 if (packet) {
2968 /* Make an ABORT. The T bit will be set if the asoc
2969 * is NULL.
2970 */
2971 abort = sctp_make_abort(asoc, chunk, 0);
2972 if (!abort) {
2973 sctp_ootb_pkt_free(packet);
2974 return SCTP_DISPOSITION_NOMEM;
2975 }
2976
2977 /* Reflect vtag if T-Bit is set */
2978 if (sctp_test_T_bit(abort))
2979 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
2980
2981 /* Set the skb to the belonging sock for accounting. */
2982 abort->skb->sk = ep->base.sk;
2983
2984 sctp_packet_append_chunk(packet, abort);
2985
2986 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
2987 SCTP_PACKET(packet));
2988
2989 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
2990
2991 sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2992 return SCTP_DISPOSITION_CONSUME;
2993 }
2994
2995 return SCTP_DISPOSITION_NOMEM;
2996 }
2997
2998 /*
2999 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3000 * event as ULP notification for each cause included in the chunk.
3001 *
3002 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3003 *
3004 * The return value is the disposition of the chunk.
3005 */
3006 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
3007 const struct sctp_association *asoc,
3008 const sctp_subtype_t type,
3009 void *arg,
3010 sctp_cmd_seq_t *commands)
3011 {
3012 struct sctp_chunk *chunk = arg;
3013 struct sctp_ulpevent *ev;
3014
3015 if (!sctp_vtag_verify(chunk, asoc))
3016 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3017
3018 /* Make sure that the ERROR chunk has a valid length. */
3019 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3020 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3021 commands);
3022
3023 while (chunk->chunk_end > chunk->skb->data) {
3024 ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0,
3025 GFP_ATOMIC);
3026 if (!ev)
3027 goto nomem;
3028
3029 if (!sctp_add_cmd(commands, SCTP_CMD_EVENT_ULP,
3030 SCTP_ULPEVENT(ev))) {
3031 sctp_ulpevent_free(ev);
3032 goto nomem;
3033 }
3034
3035 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3036 SCTP_CHUNK(chunk));
3037 }
3038 return SCTP_DISPOSITION_CONSUME;
3039
3040 nomem:
3041 return SCTP_DISPOSITION_NOMEM;
3042 }
3043
3044 /*
3045 * Process an inbound SHUTDOWN ACK.
3046 *
3047 * From Section 9.2:
3048 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3049 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3050 * peer, and remove all record of the association.
3051 *
3052 * The return value is the disposition.
3053 */
3054 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,
3055 const struct sctp_association *asoc,
3056 const sctp_subtype_t type,
3057 void *arg,
3058 sctp_cmd_seq_t *commands)
3059 {
3060 struct sctp_chunk *chunk = arg;
3061 struct sctp_chunk *reply;
3062 struct sctp_ulpevent *ev;
3063
3064 if (!sctp_vtag_verify(chunk, asoc))
3065 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3066
3067 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3068 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3069 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3070 commands);
3071 /* 10.2 H) SHUTDOWN COMPLETE notification
3072 *
3073 * When SCTP completes the shutdown procedures (section 9.2) this
3074 * notification is passed to the upper layer.
3075 */
3076 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3077 0, 0, 0, NULL, GFP_ATOMIC);
3078 if (!ev)
3079 goto nomem;
3080
3081 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3082 reply = sctp_make_shutdown_complete(asoc, chunk);
3083 if (!reply)
3084 goto nomem_chunk;
3085
3086 /* Do all the commands now (after allocation), so that we
3087 * have consistent state if memory allocation failes
3088 */
3089 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3090
3091 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3092 * stop the T2-shutdown timer,
3093 */
3094 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3095 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3096
3097 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3098 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3099
3100 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3101 SCTP_STATE(SCTP_STATE_CLOSED));
3102 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
3103 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3104 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3105
3106 /* ...and remove all record of the association. */
3107 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3108 return SCTP_DISPOSITION_DELETE_TCB;
3109
3110 nomem_chunk:
3111 sctp_ulpevent_free(ev);
3112 nomem:
3113 return SCTP_DISPOSITION_NOMEM;
3114 }
3115
3116 /*
3117 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3118 *
3119 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3120 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3121 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3122 * packet must fill in the Verification Tag field of the outbound
3123 * packet with the Verification Tag received in the SHUTDOWN ACK and
3124 * set the T-bit in the Chunk Flags to indicate that the Verification
3125 * Tag is reflected.
3126 *
3127 * 8) The receiver should respond to the sender of the OOTB packet with
3128 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3129 * MUST fill in the Verification Tag field of the outbound packet
3130 * with the value found in the Verification Tag field of the OOTB
3131 * packet and set the T-bit in the Chunk Flags to indicate that the
3132 * Verification Tag is reflected. After sending this ABORT, the
3133 * receiver of the OOTB packet shall discard the OOTB packet and take
3134 * no further action.
3135 */
3136 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
3137 const struct sctp_association *asoc,
3138 const sctp_subtype_t type,
3139 void *arg,
3140 sctp_cmd_seq_t *commands)
3141 {
3142 struct sctp_chunk *chunk = arg;
3143 struct sk_buff *skb = chunk->skb;
3144 sctp_chunkhdr_t *ch;
3145 __u8 *ch_end;
3146 int ootb_shut_ack = 0;
3147
3148 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3149
3150 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3151 do {
3152 /* Report violation if the chunk is less then minimal */
3153 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3154 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3155 commands);
3156
3157 /* Now that we know we at least have a chunk header,
3158 * do things that are type appropriate.
3159 */
3160 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3161 ootb_shut_ack = 1;
3162
3163 /* RFC 2960, Section 3.3.7
3164 * Moreover, under any circumstances, an endpoint that
3165 * receives an ABORT MUST NOT respond to that ABORT by
3166 * sending an ABORT of its own.
3167 */
3168 if (SCTP_CID_ABORT == ch->type)
3169 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3170
3171 /* Report violation if chunk len overflows */
3172 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3173 if (ch_end > skb_tail_pointer(skb))
3174 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3175 commands);
3176
3177 ch = (sctp_chunkhdr_t *) ch_end;
3178 } while (ch_end < skb_tail_pointer(skb));
3179
3180 if (ootb_shut_ack)
3181 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);
3182 else
3183 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
3184 }
3185
3186 /*
3187 * Handle an "Out of the blue" SHUTDOWN ACK.
3188 *
3189 * Section: 8.4 5, sctpimpguide 2.41.
3190 *
3191 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3192 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3193 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3194 * packet must fill in the Verification Tag field of the outbound
3195 * packet with the Verification Tag received in the SHUTDOWN ACK and
3196 * set the T-bit in the Chunk Flags to indicate that the Verification
3197 * Tag is reflected.
3198 *
3199 * Inputs
3200 * (endpoint, asoc, type, arg, commands)
3201 *
3202 * Outputs
3203 * (sctp_disposition_t)
3204 *
3205 * The return value is the disposition of the chunk.
3206 */
3207 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
3208 const struct sctp_association *asoc,
3209 const sctp_subtype_t type,
3210 void *arg,
3211 sctp_cmd_seq_t *commands)
3212 {
3213 struct sctp_packet *packet = NULL;
3214 struct sctp_chunk *chunk = arg;
3215 struct sctp_chunk *shut;
3216
3217 packet = sctp_ootb_pkt_new(asoc, chunk);
3218
3219 if (packet) {
3220 /* Make an SHUTDOWN_COMPLETE.
3221 * The T bit will be set if the asoc is NULL.
3222 */
3223 shut = sctp_make_shutdown_complete(asoc, chunk);
3224 if (!shut) {
3225 sctp_ootb_pkt_free(packet);
3226 return SCTP_DISPOSITION_NOMEM;
3227 }
3228
3229 /* Reflect vtag if T-Bit is set */
3230 if (sctp_test_T_bit(shut))
3231 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3232
3233 /* Set the skb to the belonging sock for accounting. */
3234 shut->skb->sk = ep->base.sk;
3235
3236 sctp_packet_append_chunk(packet, shut);
3237
3238 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3239 SCTP_PACKET(packet));
3240
3241 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3242
3243 /* If the chunk length is invalid, we don't want to process
3244 * the reset of the packet.
3245 */
3246 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3247 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3248
3249 /* We need to discard the rest of the packet to prevent
3250 * potential bomming attacks from additional bundled chunks.
3251 * This is documented in SCTP Threats ID.
3252 */
3253 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3254 }
3255
3256 return SCTP_DISPOSITION_NOMEM;
3257 }
3258
3259 /*
3260 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3261 *
3262 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3263 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3264 * procedures in section 8.4 SHOULD be followed, in other words it
3265 * should be treated as an Out Of The Blue packet.
3266 * [This means that we do NOT check the Verification Tag on these
3267 * chunks. --piggy ]
3268 *
3269 */
3270 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep,
3271 const struct sctp_association *asoc,
3272 const sctp_subtype_t type,
3273 void *arg,
3274 sctp_cmd_seq_t *commands)
3275 {
3276 struct sctp_chunk *chunk = arg;
3277
3278 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3279 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3280 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3281 commands);
3282
3283 /* Although we do have an association in this case, it corresponds
3284 * to a restarted association. So the packet is treated as an OOTB
3285 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3286 * called with a NULL association.
3287 */
3288 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands);
3289 }
3290
3291 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
3292 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep,
3293 const struct sctp_association *asoc,
3294 const sctp_subtype_t type, void *arg,
3295 sctp_cmd_seq_t *commands)
3296 {
3297 struct sctp_chunk *chunk = arg;
3298 struct sctp_chunk *asconf_ack = NULL;
3299 sctp_addiphdr_t *hdr;
3300 __u32 serial;
3301
3302 if (!sctp_vtag_verify(chunk, asoc)) {
3303 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3304 SCTP_NULL());
3305 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3306 }
3307
3308 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3309 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3310 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3311 commands);
3312
3313 hdr = (sctp_addiphdr_t *)chunk->skb->data;
3314 serial = ntohl(hdr->serial);
3315
3316 /* ADDIP 4.2 C1) Compare the value of the serial number to the value
3317 * the endpoint stored in a new association variable
3318 * 'Peer-Serial-Number'.
3319 */
3320 if (serial == asoc->peer.addip_serial + 1) {
3321 /* ADDIP 4.2 C2) If the value found in the serial number is
3322 * equal to the ('Peer-Serial-Number' + 1), the endpoint MUST
3323 * do V1-V5.
3324 */
3325 asconf_ack = sctp_process_asconf((struct sctp_association *)
3326 asoc, chunk);
3327 if (!asconf_ack)
3328 return SCTP_DISPOSITION_NOMEM;
3329 } else if (serial == asoc->peer.addip_serial) {
3330 /* ADDIP 4.2 C3) If the value found in the serial number is
3331 * equal to the value stored in the 'Peer-Serial-Number'
3332 * IMPLEMENTATION NOTE: As an optimization a receiver may wish
3333 * to save the last ASCONF-ACK for some predetermined period of
3334 * time and instead of re-processing the ASCONF (with the same
3335 * serial number) it may just re-transmit the ASCONF-ACK.
3336 */
3337 if (asoc->addip_last_asconf_ack)
3338 asconf_ack = asoc->addip_last_asconf_ack;
3339 else
3340 return SCTP_DISPOSITION_DISCARD;
3341 } else {
3342 /* ADDIP 4.2 C4) Otherwise, the ASCONF Chunk is discarded since
3343 * it must be either a stale packet or from an attacker.
3344 */
3345 return SCTP_DISPOSITION_DISCARD;
3346 }
3347
3348 /* ADDIP 4.2 C5) In both cases C2 and C3 the ASCONF-ACK MUST be sent
3349 * back to the source address contained in the IP header of the ASCONF
3350 * being responded to.
3351 */
3352 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3353
3354 return SCTP_DISPOSITION_CONSUME;
3355 }
3356
3357 /*
3358 * ADDIP Section 4.3 General rules for address manipulation
3359 * When building TLV parameters for the ASCONF Chunk that will add or
3360 * delete IP addresses the D0 to D13 rules should be applied:
3361 */
3362 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,
3363 const struct sctp_association *asoc,
3364 const sctp_subtype_t type, void *arg,
3365 sctp_cmd_seq_t *commands)
3366 {
3367 struct sctp_chunk *asconf_ack = arg;
3368 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3369 struct sctp_chunk *abort;
3370 sctp_addiphdr_t *addip_hdr;
3371 __u32 sent_serial, rcvd_serial;
3372
3373 if (!sctp_vtag_verify(asconf_ack, asoc)) {
3374 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3375 SCTP_NULL());
3376 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3377 }
3378
3379 /* Make sure that the ADDIP chunk has a valid length. */
3380 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3381 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3382 commands);
3383
3384 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3385 rcvd_serial = ntohl(addip_hdr->serial);
3386
3387 if (last_asconf) {
3388 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3389 sent_serial = ntohl(addip_hdr->serial);
3390 } else {
3391 sent_serial = asoc->addip_serial - 1;
3392 }
3393
3394 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3395 * equal to the next serial number to be used but no ASCONF chunk is
3396 * outstanding the endpoint MUST ABORT the association. Note that a
3397 * sequence number is greater than if it is no more than 2^^31-1
3398 * larger than the current sequence number (using serial arithmetic).
3399 */
3400 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3401 !(asoc->addip_last_asconf)) {
3402 abort = sctp_make_abort(asoc, asconf_ack,
3403 sizeof(sctp_errhdr_t));
3404 if (abort) {
3405 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3406 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3407 SCTP_CHUNK(abort));
3408 }
3409 /* We are going to ABORT, so we might as well stop
3410 * processing the rest of the chunks in the packet.
3411 */
3412 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3413 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3414 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3415 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3416 SCTP_ERROR(ECONNABORTED));
3417 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3418 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3419 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3420 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3421 return SCTP_DISPOSITION_ABORT;
3422 }
3423
3424 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3425 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3426 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3427
3428 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3429 asconf_ack))
3430 return SCTP_DISPOSITION_CONSUME;
3431
3432 abort = sctp_make_abort(asoc, asconf_ack,
3433 sizeof(sctp_errhdr_t));
3434 if (abort) {
3435 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3436 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3437 SCTP_CHUNK(abort));
3438 }
3439 /* We are going to ABORT, so we might as well stop
3440 * processing the rest of the chunks in the packet.
3441 */
3442 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3443 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3444 SCTP_ERROR(ECONNABORTED));
3445 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3446 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3447 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3448 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3449 return SCTP_DISPOSITION_ABORT;
3450 }
3451
3452 return SCTP_DISPOSITION_DISCARD;
3453 }
3454
3455 /*
3456 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3457 *
3458 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3459 * its cumulative TSN point to the value carried in the FORWARD TSN
3460 * chunk, and then MUST further advance its cumulative TSN point locally
3461 * if possible.
3462 * After the above processing, the data receiver MUST stop reporting any
3463 * missing TSNs earlier than or equal to the new cumulative TSN point.
3464 *
3465 * Verification Tag: 8.5 Verification Tag [Normal verification]
3466 *
3467 * The return value is the disposition of the chunk.
3468 */
3469 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
3470 const struct sctp_association *asoc,
3471 const sctp_subtype_t type,
3472 void *arg,
3473 sctp_cmd_seq_t *commands)
3474 {
3475 struct sctp_chunk *chunk = arg;
3476 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3477 __u16 len;
3478 __u32 tsn;
3479
3480 if (!sctp_vtag_verify(chunk, asoc)) {
3481 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3482 SCTP_NULL());
3483 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3484 }
3485
3486 /* Make sure that the FORWARD_TSN chunk has valid length. */
3487 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3488 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3489 commands);
3490
3491 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3492 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3493 len = ntohs(chunk->chunk_hdr->length);
3494 len -= sizeof(struct sctp_chunkhdr);
3495 skb_pull(chunk->skb, len);
3496
3497 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3498 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn);
3499
3500 /* The TSN is too high--silently discard the chunk and count on it
3501 * getting retransmitted later.
3502 */
3503 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3504 goto discard_noforce;
3505
3506 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3507 if (len > sizeof(struct sctp_fwdtsn_hdr))
3508 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3509 SCTP_CHUNK(chunk));
3510
3511 /* Count this as receiving DATA. */
3512 if (asoc->autoclose) {
3513 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3514 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3515 }
3516
3517 /* FIXME: For now send a SACK, but DATA processing may
3518 * send another.
3519 */
3520 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3521
3522 return SCTP_DISPOSITION_CONSUME;
3523
3524 discard_noforce:
3525 return SCTP_DISPOSITION_DISCARD;
3526 }
3527
3528 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3529 const struct sctp_endpoint *ep,
3530 const struct sctp_association *asoc,
3531 const sctp_subtype_t type,
3532 void *arg,
3533 sctp_cmd_seq_t *commands)
3534 {
3535 struct sctp_chunk *chunk = arg;
3536 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3537 __u16 len;
3538 __u32 tsn;
3539
3540 if (!sctp_vtag_verify(chunk, asoc)) {
3541 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3542 SCTP_NULL());
3543 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3544 }
3545
3546 /* Make sure that the FORWARD_TSN chunk has a valid length. */
3547 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3548 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3549 commands);
3550
3551 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3552 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3553 len = ntohs(chunk->chunk_hdr->length);
3554 len -= sizeof(struct sctp_chunkhdr);
3555 skb_pull(chunk->skb, len);
3556
3557 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3558 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __FUNCTION__, tsn);
3559
3560 /* The TSN is too high--silently discard the chunk and count on it
3561 * getting retransmitted later.
3562 */
3563 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3564 goto gen_shutdown;
3565
3566 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3567 if (len > sizeof(struct sctp_fwdtsn_hdr))
3568 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3569 SCTP_CHUNK(chunk));
3570
3571 /* Go a head and force a SACK, since we are shutting down. */
3572 gen_shutdown:
3573 /* Implementor's Guide.
3574 *
3575 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3576 * respond to each received packet containing one or more DATA chunk(s)
3577 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3578 */
3579 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3580 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3581 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3582 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3583
3584 return SCTP_DISPOSITION_CONSUME;
3585 }
3586
3587 /*
3588 * Process an unknown chunk.
3589 *
3590 * Section: 3.2. Also, 2.1 in the implementor's guide.
3591 *
3592 * Chunk Types are encoded such that the highest-order two bits specify
3593 * the action that must be taken if the processing endpoint does not
3594 * recognize the Chunk Type.
3595 *
3596 * 00 - Stop processing this SCTP packet and discard it, do not process
3597 * any further chunks within it.
3598 *
3599 * 01 - Stop processing this SCTP packet and discard it, do not process
3600 * any further chunks within it, and report the unrecognized
3601 * chunk in an 'Unrecognized Chunk Type'.
3602 *
3603 * 10 - Skip this chunk and continue processing.
3604 *
3605 * 11 - Skip this chunk and continue processing, but report in an ERROR
3606 * Chunk using the 'Unrecognized Chunk Type' cause of error.
3607 *
3608 * The return value is the disposition of the chunk.
3609 */
3610 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,
3611 const struct sctp_association *asoc,
3612 const sctp_subtype_t type,
3613 void *arg,
3614 sctp_cmd_seq_t *commands)
3615 {
3616 struct sctp_chunk *unk_chunk = arg;
3617 struct sctp_chunk *err_chunk;
3618 sctp_chunkhdr_t *hdr;
3619
3620 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);
3621
3622 if (!sctp_vtag_verify(unk_chunk, asoc))
3623 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3624
3625 /* Make sure that the chunk has a valid length.
3626 * Since we don't know the chunk type, we use a general
3627 * chunkhdr structure to make a comparison.
3628 */
3629 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
3630 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3631 commands);
3632
3633 switch (type.chunk & SCTP_CID_ACTION_MASK) {
3634 case SCTP_CID_ACTION_DISCARD:
3635 /* Discard the packet. */
3636 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3637 break;
3638 case SCTP_CID_ACTION_DISCARD_ERR:
3639 /* Discard the packet. */
3640 sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3641
3642 /* Generate an ERROR chunk as response. */
3643 hdr = unk_chunk->chunk_hdr;
3644 err_chunk = sctp_make_op_error(asoc, unk_chunk,
3645 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
3646 WORD_ROUND(ntohs(hdr->length)));
3647 if (err_chunk) {
3648 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3649 SCTP_CHUNK(err_chunk));
3650 }
3651 return SCTP_DISPOSITION_CONSUME;
3652 break;
3653 case SCTP_CID_ACTION_SKIP:
3654 /* Skip the chunk. */
3655 return SCTP_DISPOSITION_DISCARD;
3656 break;
3657 case SCTP_CID_ACTION_SKIP_ERR:
3658 /* Generate an ERROR chunk as response. */
3659 hdr = unk_chunk->chunk_hdr;
3660 err_chunk = sctp_make_op_error(asoc, unk_chunk,
3661 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
3662 WORD_ROUND(ntohs(hdr->length)));
3663 if (err_chunk) {
3664 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3665 SCTP_CHUNK(err_chunk));
3666 }
3667 /* Skip the chunk. */
3668 return SCTP_DISPOSITION_CONSUME;
3669 break;
3670 default:
3671 break;
3672 }
3673
3674 return SCTP_DISPOSITION_DISCARD;
3675 }
3676
3677 /*
3678 * Discard the chunk.
3679 *
3680 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
3681 * [Too numerous to mention...]
3682 * Verification Tag: No verification needed.
3683 * Inputs
3684 * (endpoint, asoc, chunk)
3685 *
3686 * Outputs
3687 * (asoc, reply_msg, msg_up, timers, counters)
3688 *
3689 * The return value is the disposition of the chunk.
3690 */
3691 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep,
3692 const struct sctp_association *asoc,
3693 const sctp_subtype_t type,
3694 void *arg,
3695 sctp_cmd_seq_t *commands)
3696 {
3697 struct sctp_chunk *chunk = arg;
3698
3699 /* Make sure that the chunk has a valid length.
3700 * Since we don't know the chunk type, we use a general
3701 * chunkhdr structure to make a comparison.
3702 */
3703 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3704 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3705 commands);
3706
3707 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);
3708 return SCTP_DISPOSITION_DISCARD;
3709 }
3710
3711 /*
3712 * Discard the whole packet.
3713 *
3714 * Section: 8.4 2)
3715 *
3716 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
3717 * silently discard the OOTB packet and take no further action.
3718 *
3719 * Verification Tag: No verification necessary
3720 *
3721 * Inputs
3722 * (endpoint, asoc, chunk)
3723 *
3724 * Outputs
3725 * (asoc, reply_msg, msg_up, timers, counters)
3726 *
3727 * The return value is the disposition of the chunk.
3728 */
3729 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep,
3730 const struct sctp_association *asoc,
3731 const sctp_subtype_t type,
3732 void *arg,
3733 sctp_cmd_seq_t *commands)
3734 {
3735 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS);
3736 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
3737
3738 return SCTP_DISPOSITION_CONSUME;
3739 }
3740
3741
3742 /*
3743 * The other end is violating protocol.
3744 *
3745 * Section: Not specified
3746 * Verification Tag: Not specified
3747 * Inputs
3748 * (endpoint, asoc, chunk)
3749 *
3750 * Outputs
3751 * (asoc, reply_msg, msg_up, timers, counters)
3752 *
3753 * We simply tag the chunk as a violation. The state machine will log
3754 * the violation and continue.
3755 */
3756 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep,
3757 const struct sctp_association *asoc,
3758 const sctp_subtype_t type,
3759 void *arg,
3760 sctp_cmd_seq_t *commands)
3761 {
3762 struct sctp_chunk *chunk = arg;
3763
3764 /* Make sure that the chunk has a valid length. */
3765 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3766 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3767 commands);
3768
3769 return SCTP_DISPOSITION_VIOLATION;
3770 }
3771
3772 /*
3773 * Common function to handle a protocol violation.
3774 */
3775 static sctp_disposition_t sctp_sf_abort_violation(
3776 const struct sctp_endpoint *ep,
3777 const struct sctp_association *asoc,
3778 void *arg,
3779 sctp_cmd_seq_t *commands,
3780 const __u8 *payload,
3781 const size_t paylen)
3782 {
3783 struct sctp_packet *packet = NULL;
3784 struct sctp_chunk *chunk = arg;
3785 struct sctp_chunk *abort = NULL;
3786
3787 /* Make the abort chunk. */
3788 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
3789 if (!abort)
3790 goto nomem;
3791
3792 if (asoc) {
3793 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
3794 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3795
3796 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
3797 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3798 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
3799 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3800 SCTP_ERROR(ECONNREFUSED));
3801 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
3802 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
3803 } else {
3804 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3805 SCTP_ERROR(ECONNABORTED));
3806 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3807 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
3808 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3809 }
3810 } else {
3811 packet = sctp_ootb_pkt_new(asoc, chunk);
3812
3813 if (!packet)
3814 goto nomem_pkt;
3815
3816 if (sctp_test_T_bit(abort))
3817 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3818
3819 abort->skb->sk = ep->base.sk;
3820
3821 sctp_packet_append_chunk(packet, abort);
3822
3823 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3824 SCTP_PACKET(packet));
3825
3826 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3827 }
3828
3829 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
3830
3831 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3832
3833 return SCTP_DISPOSITION_ABORT;
3834
3835 nomem_pkt:
3836 sctp_chunk_free(abort);
3837 nomem:
3838 return SCTP_DISPOSITION_NOMEM;
3839 }
3840
3841 /*
3842 * Handle a protocol violation when the chunk length is invalid.
3843 * "Invalid" length is identified as smaller then the minimal length a
3844 * given chunk can be. For example, a SACK chunk has invalid length
3845 * if it's length is set to be smaller then the size of sctp_sack_chunk_t.
3846 *
3847 * We inform the other end by sending an ABORT with a Protocol Violation
3848 * error code.
3849 *
3850 * Section: Not specified
3851 * Verification Tag: Nothing to do
3852 * Inputs
3853 * (endpoint, asoc, chunk)
3854 *
3855 * Outputs
3856 * (reply_msg, msg_up, counters)
3857 *
3858 * Generate an ABORT chunk and terminate the association.
3859 */
3860 static sctp_disposition_t sctp_sf_violation_chunklen(
3861 const struct sctp_endpoint *ep,
3862 const struct sctp_association *asoc,
3863 const sctp_subtype_t type,
3864 void *arg,
3865 sctp_cmd_seq_t *commands)
3866 {
3867 char err_str[]="The following chunk had invalid length:";
3868
3869 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
3870 sizeof(err_str));
3871 }
3872
3873 /* Handle a protocol violation when the peer trying to advance the
3874 * cumulative tsn ack to a point beyond the max tsn currently sent.
3875 *
3876 * We inform the other end by sending an ABORT with a Protocol Violation
3877 * error code.
3878 */
3879 static sctp_disposition_t sctp_sf_violation_ctsn(
3880 const struct sctp_endpoint *ep,
3881 const struct sctp_association *asoc,
3882 const sctp_subtype_t type,
3883 void *arg,
3884 sctp_cmd_seq_t *commands)
3885 {
3886 char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:";
3887
3888 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
3889 sizeof(err_str));
3890 }
3891
3892 /* Handle protocol violation of an invalid chunk bundling. For example,
3893 * when we have an association and we recieve bundled INIT-ACK, or
3894 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
3895 * statement from the specs. Additinally, there might be an attacker
3896 * on the path and we may not want to continue this communication.
3897 */
3898 static sctp_disposition_t sctp_sf_violation_chunk(
3899 const struct sctp_endpoint *ep,
3900 const struct sctp_association *asoc,
3901 const sctp_subtype_t type,
3902 void *arg,
3903 sctp_cmd_seq_t *commands)
3904 {
3905 char err_str[]="The following chunk violates protocol:";
3906
3907 if (!asoc)
3908 return sctp_sf_violation(ep, asoc, type, arg, commands);
3909
3910 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
3911 sizeof(err_str));
3912 }
3913 /***************************************************************************
3914 * These are the state functions for handling primitive (Section 10) events.
3915 ***************************************************************************/
3916 /*
3917 * sctp_sf_do_prm_asoc
3918 *
3919 * Section: 10.1 ULP-to-SCTP
3920 * B) Associate
3921 *
3922 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
3923 * outbound stream count)
3924 * -> association id [,destination transport addr list] [,outbound stream
3925 * count]
3926 *
3927 * This primitive allows the upper layer to initiate an association to a
3928 * specific peer endpoint.
3929 *
3930 * The peer endpoint shall be specified by one of the transport addresses
3931 * which defines the endpoint (see Section 1.4). If the local SCTP
3932 * instance has not been initialized, the ASSOCIATE is considered an
3933 * error.
3934 * [This is not relevant for the kernel implementation since we do all
3935 * initialization at boot time. It we hadn't initialized we wouldn't
3936 * get anywhere near this code.]
3937 *
3938 * An association id, which is a local handle to the SCTP association,
3939 * will be returned on successful establishment of the association. If
3940 * SCTP is not able to open an SCTP association with the peer endpoint,
3941 * an error is returned.
3942 * [In the kernel implementation, the struct sctp_association needs to
3943 * be created BEFORE causing this primitive to run.]
3944 *
3945 * Other association parameters may be returned, including the
3946 * complete destination transport addresses of the peer as well as the
3947 * outbound stream count of the local endpoint. One of the transport
3948 * address from the returned destination addresses will be selected by
3949 * the local endpoint as default primary path for sending SCTP packets
3950 * to this peer. The returned "destination transport addr list" can
3951 * be used by the ULP to change the default primary path or to force
3952 * sending a packet to a specific transport address. [All of this
3953 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
3954 * function.]
3955 *
3956 * Mandatory attributes:
3957 *
3958 * o local SCTP instance name - obtained from the INITIALIZE operation.
3959 * [This is the argument asoc.]
3960 * o destination transport addr - specified as one of the transport
3961 * addresses of the peer endpoint with which the association is to be
3962 * established.
3963 * [This is asoc->peer.active_path.]
3964 * o outbound stream count - the number of outbound streams the ULP
3965 * would like to open towards this peer endpoint.
3966 * [BUG: This is not currently implemented.]
3967 * Optional attributes:
3968 *
3969 * None.
3970 *
3971 * The return value is a disposition.
3972 */
3973 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep,
3974 const struct sctp_association *asoc,
3975 const sctp_subtype_t type,
3976 void *arg,
3977 sctp_cmd_seq_t *commands)
3978 {
3979 struct sctp_chunk *repl;
3980
3981 /* The comment below says that we enter COOKIE-WAIT AFTER
3982 * sending the INIT, but that doesn't actually work in our
3983 * implementation...
3984 */
3985 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3986 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
3987
3988 /* RFC 2960 5.1 Normal Establishment of an Association
3989 *
3990 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
3991 * must provide its Verification Tag (Tag_A) in the Initiate
3992 * Tag field. Tag_A SHOULD be a random number in the range of
3993 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
3994 */
3995
3996 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
3997 if (!repl)
3998 goto nomem;
3999
4000 /* Cast away the const modifier, as we want to just
4001 * rerun it through as a sideffect.
4002 */
4003 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
4004 SCTP_ASOC((struct sctp_association *) asoc));
4005
4006 /* Choose transport for INIT. */
4007 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4008 SCTP_CHUNK(repl));
4009
4010 /* After sending the INIT, "A" starts the T1-init timer and
4011 * enters the COOKIE-WAIT state.
4012 */
4013 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4014 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4015 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4016 return SCTP_DISPOSITION_CONSUME;
4017
4018 nomem:
4019 return SCTP_DISPOSITION_NOMEM;
4020 }
4021
4022 /*
4023 * Process the SEND primitive.
4024 *
4025 * Section: 10.1 ULP-to-SCTP
4026 * E) Send
4027 *
4028 * Format: SEND(association id, buffer address, byte count [,context]
4029 * [,stream id] [,life time] [,destination transport address]
4030 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4031 * -> result
4032 *
4033 * This is the main method to send user data via SCTP.
4034 *
4035 * Mandatory attributes:
4036 *
4037 * o association id - local handle to the SCTP association
4038 *
4039 * o buffer address - the location where the user message to be
4040 * transmitted is stored;
4041 *
4042 * o byte count - The size of the user data in number of bytes;
4043 *
4044 * Optional attributes:
4045 *
4046 * o context - an optional 32 bit integer that will be carried in the
4047 * sending failure notification to the ULP if the transportation of
4048 * this User Message fails.
4049 *
4050 * o stream id - to indicate which stream to send the data on. If not
4051 * specified, stream 0 will be used.
4052 *
4053 * o life time - specifies the life time of the user data. The user data
4054 * will not be sent by SCTP after the life time expires. This
4055 * parameter can be used to avoid efforts to transmit stale
4056 * user messages. SCTP notifies the ULP if the data cannot be
4057 * initiated to transport (i.e. sent to the destination via SCTP's
4058 * send primitive) within the life time variable. However, the
4059 * user data will be transmitted if SCTP has attempted to transmit a
4060 * chunk before the life time expired.
4061 *
4062 * o destination transport address - specified as one of the destination
4063 * transport addresses of the peer endpoint to which this packet
4064 * should be sent. Whenever possible, SCTP should use this destination
4065 * transport address for sending the packets, instead of the current
4066 * primary path.
4067 *
4068 * o unorder flag - this flag, if present, indicates that the user
4069 * would like the data delivered in an unordered fashion to the peer
4070 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
4071 * message).
4072 *
4073 * o no-bundle flag - instructs SCTP not to bundle this user data with
4074 * other outbound DATA chunks. SCTP MAY still bundle even when
4075 * this flag is present, when faced with network congestion.
4076 *
4077 * o payload protocol-id - A 32 bit unsigned integer that is to be
4078 * passed to the peer indicating the type of payload protocol data
4079 * being transmitted. This value is passed as opaque data by SCTP.
4080 *
4081 * The return value is the disposition.
4082 */
4083 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep,
4084 const struct sctp_association *asoc,
4085 const sctp_subtype_t type,
4086 void *arg,
4087 sctp_cmd_seq_t *commands)
4088 {
4089 struct sctp_chunk *chunk = arg;
4090
4091 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
4092 return SCTP_DISPOSITION_CONSUME;
4093 }
4094
4095 /*
4096 * Process the SHUTDOWN primitive.
4097 *
4098 * Section: 10.1:
4099 * C) Shutdown
4100 *
4101 * Format: SHUTDOWN(association id)
4102 * -> result
4103 *
4104 * Gracefully closes an association. Any locally queued user data
4105 * will be delivered to the peer. The association will be terminated only
4106 * after the peer acknowledges all the SCTP packets sent. A success code
4107 * will be returned on successful termination of the association. If
4108 * attempting to terminate the association results in a failure, an error
4109 * code shall be returned.
4110 *
4111 * Mandatory attributes:
4112 *
4113 * o association id - local handle to the SCTP association
4114 *
4115 * Optional attributes:
4116 *
4117 * None.
4118 *
4119 * The return value is the disposition.
4120 */
4121 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(
4122 const struct sctp_endpoint *ep,
4123 const struct sctp_association *asoc,
4124 const sctp_subtype_t type,
4125 void *arg,
4126 sctp_cmd_seq_t *commands)
4127 {
4128 int disposition;
4129
4130 /* From 9.2 Shutdown of an Association
4131 * Upon receipt of the SHUTDOWN primitive from its upper
4132 * layer, the endpoint enters SHUTDOWN-PENDING state and
4133 * remains there until all outstanding data has been
4134 * acknowledged by its peer. The endpoint accepts no new data
4135 * from its upper layer, but retransmits data to the far end
4136 * if necessary to fill gaps.
4137 */
4138 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4139 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
4140
4141 /* sctpimpguide-05 Section 2.12.2
4142 * The sender of the SHUTDOWN MAY also start an overall guard timer
4143 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
4144 */
4145 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4146 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
4147
4148 disposition = SCTP_DISPOSITION_CONSUME;
4149 if (sctp_outq_is_empty(&asoc->outqueue)) {
4150 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,
4151 arg, commands);
4152 }
4153 return disposition;
4154 }
4155
4156 /*
4157 * Process the ABORT primitive.
4158 *
4159 * Section: 10.1:
4160 * C) Abort
4161 *
4162 * Format: Abort(association id [, cause code])
4163 * -> result
4164 *
4165 * Ungracefully closes an association. Any locally queued user data
4166 * will be discarded and an ABORT chunk is sent to the peer. A success code
4167 * will be returned on successful abortion of the association. If
4168 * attempting to abort the association results in a failure, an error
4169 * code shall be returned.
4170 *
4171 * Mandatory attributes:
4172 *
4173 * o association id - local handle to the SCTP association
4174 *
4175 * Optional attributes:
4176 *
4177 * o cause code - reason of the abort to be passed to the peer
4178 *
4179 * None.
4180 *
4181 * The return value is the disposition.
4182 */
4183 sctp_disposition_t sctp_sf_do_9_1_prm_abort(
4184 const struct sctp_endpoint *ep,
4185 const struct sctp_association *asoc,
4186 const sctp_subtype_t type,
4187 void *arg,
4188 sctp_cmd_seq_t *commands)
4189 {
4190 /* From 9.1 Abort of an Association
4191 * Upon receipt of the ABORT primitive from its upper
4192 * layer, the endpoint enters CLOSED state and
4193 * discard all outstanding data has been
4194 * acknowledged by its peer. The endpoint accepts no new data
4195 * from its upper layer, but retransmits data to the far end
4196 * if necessary to fill gaps.
4197 */
4198 struct sctp_chunk *abort = arg;
4199 sctp_disposition_t retval;
4200
4201 retval = SCTP_DISPOSITION_CONSUME;
4202
4203 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4204
4205 /* Even if we can't send the ABORT due to low memory delete the
4206 * TCB. This is a departure from our typical NOMEM handling.
4207 */
4208
4209 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4210 SCTP_ERROR(ECONNABORTED));
4211 /* Delete the established association. */
4212 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4213 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4214
4215 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4216 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4217
4218 return retval;
4219 }
4220
4221 /* We tried an illegal operation on an association which is closed. */
4222 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep,
4223 const struct sctp_association *asoc,
4224 const sctp_subtype_t type,
4225 void *arg,
4226 sctp_cmd_seq_t *commands)
4227 {
4228 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
4229 return SCTP_DISPOSITION_CONSUME;
4230 }
4231
4232 /* We tried an illegal operation on an association which is shutting
4233 * down.
4234 */
4235 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep,
4236 const struct sctp_association *asoc,
4237 const sctp_subtype_t type,
4238 void *arg,
4239 sctp_cmd_seq_t *commands)
4240 {
4241 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
4242 SCTP_ERROR(-ESHUTDOWN));
4243 return SCTP_DISPOSITION_CONSUME;
4244 }
4245
4246 /*
4247 * sctp_cookie_wait_prm_shutdown
4248 *
4249 * Section: 4 Note: 2
4250 * Verification Tag:
4251 * Inputs
4252 * (endpoint, asoc)
4253 *
4254 * The RFC does not explicitly address this issue, but is the route through the
4255 * state table when someone issues a shutdown while in COOKIE_WAIT state.
4256 *
4257 * Outputs
4258 * (timers)
4259 */
4260 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(
4261 const struct sctp_endpoint *ep,
4262 const struct sctp_association *asoc,
4263 const sctp_subtype_t type,
4264 void *arg,
4265 sctp_cmd_seq_t *commands)
4266 {
4267 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4268 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4269
4270 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4271 SCTP_STATE(SCTP_STATE_CLOSED));
4272
4273 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
4274
4275 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
4276
4277 return SCTP_DISPOSITION_DELETE_TCB;
4278 }
4279
4280 /*
4281 * sctp_cookie_echoed_prm_shutdown
4282 *
4283 * Section: 4 Note: 2
4284 * Verification Tag:
4285 * Inputs
4286 * (endpoint, asoc)
4287 *
4288 * The RFC does not explcitly address this issue, but is the route through the
4289 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
4290 *
4291 * Outputs
4292 * (timers)
4293 */
4294 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(
4295 const struct sctp_endpoint *ep,
4296 const struct sctp_association *asoc,
4297 const sctp_subtype_t type,
4298 void *arg, sctp_cmd_seq_t *commands)
4299 {
4300 /* There is a single T1 timer, so we should be able to use
4301 * common function with the COOKIE-WAIT state.
4302 */
4303 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands);
4304 }
4305
4306 /*
4307 * sctp_sf_cookie_wait_prm_abort
4308 *
4309 * Section: 4 Note: 2
4310 * Verification Tag:
4311 * Inputs
4312 * (endpoint, asoc)
4313 *
4314 * The RFC does not explicitly address this issue, but is the route through the
4315 * state table when someone issues an abort while in COOKIE_WAIT state.
4316 *
4317 * Outputs
4318 * (timers)
4319 */
4320 sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
4321 const struct sctp_endpoint *ep,
4322 const struct sctp_association *asoc,
4323 const sctp_subtype_t type,
4324 void *arg,
4325 sctp_cmd_seq_t *commands)
4326 {
4327 struct sctp_chunk *abort = arg;
4328 sctp_disposition_t retval;
4329
4330 /* Stop T1-init timer */
4331 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4332 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4333 retval = SCTP_DISPOSITION_CONSUME;
4334
4335 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4336
4337 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4338 SCTP_STATE(SCTP_STATE_CLOSED));
4339
4340 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4341
4342 /* Even if we can't send the ABORT due to low memory delete the
4343 * TCB. This is a departure from our typical NOMEM handling.
4344 */
4345
4346 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4347 SCTP_ERROR(ECONNREFUSED));
4348 /* Delete the established association. */
4349 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4350 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4351
4352 return retval;
4353 }
4354
4355 /*
4356 * sctp_sf_cookie_echoed_prm_abort
4357 *
4358 * Section: 4 Note: 3
4359 * Verification Tag:
4360 * Inputs
4361 * (endpoint, asoc)
4362 *
4363 * The RFC does not explcitly address this issue, but is the route through the
4364 * state table when someone issues an abort while in COOKIE_ECHOED state.
4365 *
4366 * Outputs
4367 * (timers)
4368 */
4369 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(
4370 const struct sctp_endpoint *ep,
4371 const struct sctp_association *asoc,
4372 const sctp_subtype_t type,
4373 void *arg,
4374 sctp_cmd_seq_t *commands)
4375 {
4376 /* There is a single T1 timer, so we should be able to use
4377 * common function with the COOKIE-WAIT state.
4378 */
4379 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands);
4380 }
4381
4382 /*
4383 * sctp_sf_shutdown_pending_prm_abort
4384 *
4385 * Inputs
4386 * (endpoint, asoc)
4387 *
4388 * The RFC does not explicitly address this issue, but is the route through the
4389 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
4390 *
4391 * Outputs
4392 * (timers)
4393 */
4394 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(
4395 const struct sctp_endpoint *ep,
4396 const struct sctp_association *asoc,
4397 const sctp_subtype_t type,
4398 void *arg,
4399 sctp_cmd_seq_t *commands)
4400 {
4401 /* Stop the T5-shutdown guard timer. */
4402 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4403 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
4404
4405 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);
4406 }
4407
4408 /*
4409 * sctp_sf_shutdown_sent_prm_abort
4410 *
4411 * Inputs
4412 * (endpoint, asoc)
4413 *
4414 * The RFC does not explicitly address this issue, but is the route through the
4415 * state table when someone issues an abort while in SHUTDOWN-SENT state.
4416 *
4417 * Outputs
4418 * (timers)
4419 */
4420 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(
4421 const struct sctp_endpoint *ep,
4422 const struct sctp_association *asoc,
4423 const sctp_subtype_t type,
4424 void *arg,
4425 sctp_cmd_seq_t *commands)
4426 {
4427 /* Stop the T2-shutdown timer. */
4428 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4429 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4430
4431 /* Stop the T5-shutdown guard timer. */
4432 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4433 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
4434
4435 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);
4436 }
4437
4438 /*
4439 * sctp_sf_cookie_echoed_prm_abort
4440 *
4441 * Inputs
4442 * (endpoint, asoc)
4443 *
4444 * The RFC does not explcitly address this issue, but is the route through the
4445 * state table when someone issues an abort while in COOKIE_ECHOED state.
4446 *
4447 * Outputs
4448 * (timers)
4449 */
4450 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(
4451 const struct sctp_endpoint *ep,
4452 const struct sctp_association *asoc,
4453 const sctp_subtype_t type,
4454 void *arg,
4455 sctp_cmd_seq_t *commands)
4456 {
4457 /* The same T2 timer, so we should be able to use
4458 * common function with the SHUTDOWN-SENT state.
4459 */
4460 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands);
4461 }
4462
4463 /*
4464 * Process the REQUESTHEARTBEAT primitive
4465 *
4466 * 10.1 ULP-to-SCTP
4467 * J) Request Heartbeat
4468 *
4469 * Format: REQUESTHEARTBEAT(association id, destination transport address)
4470 *
4471 * -> result
4472 *
4473 * Instructs the local endpoint to perform a HeartBeat on the specified
4474 * destination transport address of the given association. The returned
4475 * result should indicate whether the transmission of the HEARTBEAT
4476 * chunk to the destination address is successful.
4477 *
4478 * Mandatory attributes:
4479 *
4480 * o association id - local handle to the SCTP association
4481 *
4482 * o destination transport address - the transport address of the
4483 * association on which a heartbeat should be issued.
4484 */
4485 sctp_disposition_t sctp_sf_do_prm_requestheartbeat(
4486 const struct sctp_endpoint *ep,
4487 const struct sctp_association *asoc,
4488 const sctp_subtype_t type,
4489 void *arg,
4490 sctp_cmd_seq_t *commands)
4491 {
4492 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
4493 (struct sctp_transport *)arg, commands))
4494 return SCTP_DISPOSITION_NOMEM;
4495
4496 /*
4497 * RFC 2960 (bis), section 8.3
4498 *
4499 * D) Request an on-demand HEARTBEAT on a specific destination
4500 * transport address of a given association.
4501 *
4502 * The endpoint should increment the respective error counter of
4503 * the destination transport address each time a HEARTBEAT is sent
4504 * to that address and not acknowledged within one RTO.
4505 *
4506 */
4507 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_RESET,
4508 SCTP_TRANSPORT(arg));
4509 return SCTP_DISPOSITION_CONSUME;
4510 }
4511
4512 /*
4513 * ADDIP Section 4.1 ASCONF Chunk Procedures
4514 * When an endpoint has an ASCONF signaled change to be sent to the
4515 * remote endpoint it should do A1 to A9
4516 */
4517 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep,
4518 const struct sctp_association *asoc,
4519 const sctp_subtype_t type,
4520 void *arg,
4521 sctp_cmd_seq_t *commands)
4522 {
4523 struct sctp_chunk *chunk = arg;
4524
4525 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
4526 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4527 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4528 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
4529 return SCTP_DISPOSITION_CONSUME;
4530 }
4531
4532 /*
4533 * Ignore the primitive event
4534 *
4535 * The return value is the disposition of the primitive.
4536 */
4537 sctp_disposition_t sctp_sf_ignore_primitive(
4538 const struct sctp_endpoint *ep,
4539 const struct sctp_association *asoc,
4540 const sctp_subtype_t type,
4541 void *arg,
4542 sctp_cmd_seq_t *commands)
4543 {
4544 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive);
4545 return SCTP_DISPOSITION_DISCARD;
4546 }
4547
4548 /***************************************************************************
4549 * These are the state functions for the OTHER events.
4550 ***************************************************************************/
4551
4552 /*
4553 * Start the shutdown negotiation.
4554 *
4555 * From Section 9.2:
4556 * Once all its outstanding data has been acknowledged, the endpoint
4557 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
4558 * TSN Ack field the last sequential TSN it has received from the peer.
4559 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
4560 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
4561 * with the updated last sequential TSN received from its peer.
4562 *
4563 * The return value is the disposition.
4564 */
4565 sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
4566 const struct sctp_endpoint *ep,
4567 const struct sctp_association *asoc,
4568 const sctp_subtype_t type,
4569 void *arg,
4570 sctp_cmd_seq_t *commands)
4571 {
4572 struct sctp_chunk *reply;
4573
4574 /* Once all its outstanding data has been acknowledged, the
4575 * endpoint shall send a SHUTDOWN chunk to its peer including
4576 * in the Cumulative TSN Ack field the last sequential TSN it
4577 * has received from the peer.
4578 */
4579 reply = sctp_make_shutdown(asoc, NULL);
4580 if (!reply)
4581 goto nomem;
4582
4583 /* Set the transport for the SHUTDOWN chunk and the timeout for the
4584 * T2-shutdown timer.
4585 */
4586 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
4587
4588 /* It shall then start the T2-shutdown timer */
4589 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4590 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4591
4592 if (asoc->autoclose)
4593 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4594 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4595
4596 /* and enter the SHUTDOWN-SENT state. */
4597 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4598 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
4599
4600 /* sctp-implguide 2.10 Issues with Heartbeating and failover
4601 *
4602 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
4603 * or SHUTDOWN-ACK.
4604 */
4605 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
4606
4607 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
4608
4609 return SCTP_DISPOSITION_CONSUME;
4610
4611 nomem:
4612 return SCTP_DISPOSITION_NOMEM;
4613 }
4614
4615 /*
4616 * Generate a SHUTDOWN ACK now that everything is SACK'd.
4617 *
4618 * From Section 9.2:
4619 *
4620 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
4621 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
4622 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
4623 * endpoint must re-send the SHUTDOWN ACK.
4624 *
4625 * The return value is the disposition.
4626 */
4627 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(
4628 const struct sctp_endpoint *ep,
4629 const struct sctp_association *asoc,
4630 const sctp_subtype_t type,
4631 void *arg,
4632 sctp_cmd_seq_t *commands)
4633 {
4634 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
4635 struct sctp_chunk *reply;
4636
4637 /* There are 2 ways of getting here:
4638 * 1) called in response to a SHUTDOWN chunk
4639 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
4640 *
4641 * For the case (2), the arg parameter is set to NULL. We need
4642 * to check that we have a chunk before accessing it's fields.
4643 */
4644 if (chunk) {
4645 if (!sctp_vtag_verify(chunk, asoc))
4646 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4647
4648 /* Make sure that the SHUTDOWN chunk has a valid length. */
4649 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t)))
4650 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4651 commands);
4652 }
4653
4654 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
4655 * shall send a SHUTDOWN ACK ...
4656 */
4657 reply = sctp_make_shutdown_ack(asoc, chunk);
4658 if (!reply)
4659 goto nomem;
4660
4661 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
4662 * the T2-shutdown timer.
4663 */
4664 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
4665
4666 /* and start/restart a T2-shutdown timer of its own, */
4667 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4668 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4669
4670 if (asoc->autoclose)
4671 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4672 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4673
4674 /* Enter the SHUTDOWN-ACK-SENT state. */
4675 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4676 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
4677
4678 /* sctp-implguide 2.10 Issues with Heartbeating and failover
4679 *
4680 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
4681 * or SHUTDOWN-ACK.
4682 */
4683 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
4684
4685 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
4686
4687 return SCTP_DISPOSITION_CONSUME;
4688
4689 nomem:
4690 return SCTP_DISPOSITION_NOMEM;
4691 }
4692
4693 /*
4694 * Ignore the event defined as other
4695 *
4696 * The return value is the disposition of the event.
4697 */
4698 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep,
4699 const struct sctp_association *asoc,
4700 const sctp_subtype_t type,
4701 void *arg,
4702 sctp_cmd_seq_t *commands)
4703 {
4704 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other);
4705 return SCTP_DISPOSITION_DISCARD;
4706 }
4707
4708 /************************************************************
4709 * These are the state functions for handling timeout events.
4710 ************************************************************/
4711
4712 /*
4713 * RTX Timeout
4714 *
4715 * Section: 6.3.3 Handle T3-rtx Expiration
4716 *
4717 * Whenever the retransmission timer T3-rtx expires for a destination
4718 * address, do the following:
4719 * [See below]
4720 *
4721 * The return value is the disposition of the chunk.
4722 */
4723 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,
4724 const struct sctp_association *asoc,
4725 const sctp_subtype_t type,
4726 void *arg,
4727 sctp_cmd_seq_t *commands)
4728 {
4729 struct sctp_transport *transport = arg;
4730
4731 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS);
4732
4733 if (asoc->overall_error_count >= asoc->max_retrans) {
4734 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4735 SCTP_ERROR(ETIMEDOUT));
4736 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
4737 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4738 SCTP_PERR(SCTP_ERROR_NO_ERROR));
4739 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4740 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4741 return SCTP_DISPOSITION_DELETE_TCB;
4742 }
4743
4744 /* E1) For the destination address for which the timer
4745 * expires, adjust its ssthresh with rules defined in Section
4746 * 7.2.3 and set the cwnd <- MTU.
4747 */
4748
4749 /* E2) For the destination address for which the timer
4750 * expires, set RTO <- RTO * 2 ("back off the timer"). The
4751 * maximum value discussed in rule C7 above (RTO.max) may be
4752 * used to provide an upper bound to this doubling operation.
4753 */
4754
4755 /* E3) Determine how many of the earliest (i.e., lowest TSN)
4756 * outstanding DATA chunks for the address for which the
4757 * T3-rtx has expired will fit into a single packet, subject
4758 * to the MTU constraint for the path corresponding to the
4759 * destination transport address to which the retransmission
4760 * is being sent (this may be different from the address for
4761 * which the timer expires [see Section 6.4]). Call this
4762 * value K. Bundle and retransmit those K DATA chunks in a
4763 * single packet to the destination endpoint.
4764 *
4765 * Note: Any DATA chunks that were sent to the address for
4766 * which the T3-rtx timer expired but did not fit in one MTU
4767 * (rule E3 above), should be marked for retransmission and
4768 * sent as soon as cwnd allows (normally when a SACK arrives).
4769 */
4770
4771 /* Do some failure management (Section 8.2). */
4772 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
4773
4774 /* NB: Rules E4 and F1 are implicit in R1. */
4775 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
4776
4777 return SCTP_DISPOSITION_CONSUME;
4778 }
4779
4780 /*
4781 * Generate delayed SACK on timeout
4782 *
4783 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
4784 *
4785 * The guidelines on delayed acknowledgement algorithm specified in
4786 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
4787 * acknowledgement SHOULD be generated for at least every second packet
4788 * (not every second DATA chunk) received, and SHOULD be generated
4789 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
4790 * some situations it may be beneficial for an SCTP transmitter to be
4791 * more conservative than the algorithms detailed in this document
4792 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
4793 * the following algorithms allow.
4794 */
4795 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep,
4796 const struct sctp_association *asoc,
4797 const sctp_subtype_t type,
4798 void *arg,
4799 sctp_cmd_seq_t *commands)
4800 {
4801 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS);
4802 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4803 return SCTP_DISPOSITION_CONSUME;
4804 }
4805
4806 /*
4807 * sctp_sf_t1_init_timer_expire
4808 *
4809 * Section: 4 Note: 2
4810 * Verification Tag:
4811 * Inputs
4812 * (endpoint, asoc)
4813 *
4814 * RFC 2960 Section 4 Notes
4815 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
4816 * and re-start the T1-init timer without changing state. This MUST
4817 * be repeated up to 'Max.Init.Retransmits' times. After that, the
4818 * endpoint MUST abort the initialization process and report the
4819 * error to SCTP user.
4820 *
4821 * Outputs
4822 * (timers, events)
4823 *
4824 */
4825 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep,
4826 const struct sctp_association *asoc,
4827 const sctp_subtype_t type,
4828 void *arg,
4829 sctp_cmd_seq_t *commands)
4830 {
4831 struct sctp_chunk *repl = NULL;
4832 struct sctp_bind_addr *bp;
4833 int attempts = asoc->init_err_counter + 1;
4834
4835 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n");
4836 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS);
4837
4838 if (attempts <= asoc->max_init_attempts) {
4839 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
4840 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
4841 if (!repl)
4842 return SCTP_DISPOSITION_NOMEM;
4843
4844 /* Choose transport for INIT. */
4845 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4846 SCTP_CHUNK(repl));
4847
4848 /* Issue a sideeffect to do the needed accounting. */
4849 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
4850 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4851
4852 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4853 } else {
4854 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d"
4855 " max_init_attempts: %d\n",
4856 attempts, asoc->max_init_attempts);
4857 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4858 SCTP_ERROR(ETIMEDOUT));
4859 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4860 SCTP_PERR(SCTP_ERROR_NO_ERROR));
4861 return SCTP_DISPOSITION_DELETE_TCB;
4862 }
4863
4864 return SCTP_DISPOSITION_CONSUME;
4865 }
4866
4867 /*
4868 * sctp_sf_t1_cookie_timer_expire
4869 *
4870 * Section: 4 Note: 2
4871 * Verification Tag:
4872 * Inputs
4873 * (endpoint, asoc)
4874 *
4875 * RFC 2960 Section 4 Notes
4876 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
4877 * COOKIE ECHO and re-start the T1-cookie timer without changing
4878 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
4879 * After that, the endpoint MUST abort the initialization process and
4880 * report the error to SCTP user.
4881 *
4882 * Outputs
4883 * (timers, events)
4884 *
4885 */
4886 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep,
4887 const struct sctp_association *asoc,
4888 const sctp_subtype_t type,
4889 void *arg,
4890 sctp_cmd_seq_t *commands)
4891 {
4892 struct sctp_chunk *repl = NULL;
4893 int attempts = asoc->init_err_counter + 1;
4894
4895 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n");
4896 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS);
4897
4898 if (attempts <= asoc->max_init_attempts) {
4899 repl = sctp_make_cookie_echo(asoc, NULL);
4900 if (!repl)
4901 return SCTP_DISPOSITION_NOMEM;
4902
4903 /* Issue a sideeffect to do the needed accounting. */
4904 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
4905 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
4906
4907 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4908 } else {
4909 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4910 SCTP_ERROR(ETIMEDOUT));
4911 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4912 SCTP_PERR(SCTP_ERROR_NO_ERROR));
4913 return SCTP_DISPOSITION_DELETE_TCB;
4914 }
4915
4916 return SCTP_DISPOSITION_CONSUME;
4917 }
4918
4919 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
4920 * with the updated last sequential TSN received from its peer.
4921 *
4922 * An endpoint should limit the number of retransmissions of the
4923 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
4924 * If this threshold is exceeded the endpoint should destroy the TCB and
4925 * MUST report the peer endpoint unreachable to the upper layer (and
4926 * thus the association enters the CLOSED state). The reception of any
4927 * packet from its peer (i.e. as the peer sends all of its queued DATA
4928 * chunks) should clear the endpoint's retransmission count and restart
4929 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
4930 * all of its queued DATA chunks that have not yet been sent.
4931 */
4932 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep,
4933 const struct sctp_association *asoc,
4934 const sctp_subtype_t type,
4935 void *arg,
4936 sctp_cmd_seq_t *commands)
4937 {
4938 struct sctp_chunk *reply = NULL;
4939
4940 SCTP_DEBUG_PRINTK("Timer T2 expired.\n");
4941 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
4942
4943 if (asoc->overall_error_count >= asoc->max_retrans) {
4944 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4945 SCTP_ERROR(ETIMEDOUT));
4946 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
4947 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4948 SCTP_PERR(SCTP_ERROR_NO_ERROR));
4949 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4950 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4951 return SCTP_DISPOSITION_DELETE_TCB;
4952 }
4953
4954 switch (asoc->state) {
4955 case SCTP_STATE_SHUTDOWN_SENT:
4956 reply = sctp_make_shutdown(asoc, NULL);
4957 break;
4958
4959 case SCTP_STATE_SHUTDOWN_ACK_SENT:
4960 reply = sctp_make_shutdown_ack(asoc, NULL);
4961 break;
4962
4963 default:
4964 BUG();
4965 break;
4966 }
4967
4968 if (!reply)
4969 goto nomem;
4970
4971 /* Do some failure management (Section 8.2). */
4972 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
4973 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
4974
4975 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
4976 * the T2-shutdown timer.
4977 */
4978 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
4979
4980 /* Restart the T2-shutdown timer. */
4981 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4982 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4983 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
4984 return SCTP_DISPOSITION_CONSUME;
4985
4986 nomem:
4987 return SCTP_DISPOSITION_NOMEM;
4988 }
4989
4990 /*
4991 * ADDIP Section 4.1 ASCONF CHunk Procedures
4992 * If the T4 RTO timer expires the endpoint should do B1 to B5
4993 */
4994 sctp_disposition_t sctp_sf_t4_timer_expire(
4995 const struct sctp_endpoint *ep,
4996 const struct sctp_association *asoc,
4997 const sctp_subtype_t type,
4998 void *arg,
4999 sctp_cmd_seq_t *commands)
5000 {
5001 struct sctp_chunk *chunk = asoc->addip_last_asconf;
5002 struct sctp_transport *transport = chunk->transport;
5003
5004 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS);
5005
5006 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
5007 * detection on the appropriate destination address as defined in
5008 * RFC2960 [5] section 8.1 and 8.2.
5009 */
5010 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5011
5012 /* Reconfig T4 timer and transport. */
5013 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5014
5015 /* ADDIP 4.1 B2) Increment the association error counters and perform
5016 * endpoint failure detection on the association as defined in
5017 * RFC2960 [5] section 8.1 and 8.2.
5018 * association error counter is incremented in SCTP_CMD_STRIKE.
5019 */
5020 if (asoc->overall_error_count >= asoc->max_retrans) {
5021 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5022 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5023 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5024 SCTP_ERROR(ETIMEDOUT));
5025 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5026 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5027 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5028 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
5029 return SCTP_DISPOSITION_ABORT;
5030 }
5031
5032 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
5033 * the ASCONF chunk was sent by doubling the RTO timer value.
5034 * This is done in SCTP_CMD_STRIKE.
5035 */
5036
5037 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
5038 * choose an alternate destination address (please refer to RFC2960
5039 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
5040 * chunk, it MUST be the same (including its serial number) as the last
5041 * ASCONF sent.
5042 */
5043 sctp_chunk_hold(asoc->addip_last_asconf);
5044 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5045 SCTP_CHUNK(asoc->addip_last_asconf));
5046
5047 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
5048 * destination is selected, then the RTO used will be that of the new
5049 * destination address.
5050 */
5051 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5052 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5053
5054 return SCTP_DISPOSITION_CONSUME;
5055 }
5056
5057 /* sctpimpguide-05 Section 2.12.2
5058 * The sender of the SHUTDOWN MAY also start an overall guard timer
5059 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5060 * At the expiration of this timer the sender SHOULD abort the association
5061 * by sending an ABORT chunk.
5062 */
5063 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep,
5064 const struct sctp_association *asoc,
5065 const sctp_subtype_t type,
5066 void *arg,
5067 sctp_cmd_seq_t *commands)
5068 {
5069 struct sctp_chunk *reply = NULL;
5070
5071 SCTP_DEBUG_PRINTK("Timer T5 expired.\n");
5072 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
5073
5074 reply = sctp_make_abort(asoc, NULL, 0);
5075 if (!reply)
5076 goto nomem;
5077
5078 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5079 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5080 SCTP_ERROR(ETIMEDOUT));
5081 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5082 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5083
5084 return SCTP_DISPOSITION_DELETE_TCB;
5085 nomem:
5086 return SCTP_DISPOSITION_NOMEM;
5087 }
5088
5089 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
5090 * the association is automatically closed by starting the shutdown process.
5091 * The work that needs to be done is same as when SHUTDOWN is initiated by
5092 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
5093 */
5094 sctp_disposition_t sctp_sf_autoclose_timer_expire(
5095 const struct sctp_endpoint *ep,
5096 const struct sctp_association *asoc,
5097 const sctp_subtype_t type,
5098 void *arg,
5099 sctp_cmd_seq_t *commands)
5100 {
5101 int disposition;
5102
5103 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS);
5104
5105 /* From 9.2 Shutdown of an Association
5106 * Upon receipt of the SHUTDOWN primitive from its upper
5107 * layer, the endpoint enters SHUTDOWN-PENDING state and
5108 * remains there until all outstanding data has been
5109 * acknowledged by its peer. The endpoint accepts no new data
5110 * from its upper layer, but retransmits data to the far end
5111 * if necessary to fill gaps.
5112 */
5113 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5114 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5115
5116 /* sctpimpguide-05 Section 2.12.2
5117 * The sender of the SHUTDOWN MAY also start an overall guard timer
5118 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5119 */
5120 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5121 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5122 disposition = SCTP_DISPOSITION_CONSUME;
5123 if (sctp_outq_is_empty(&asoc->outqueue)) {
5124 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,
5125 arg, commands);
5126 }
5127 return disposition;
5128 }
5129
5130 /*****************************************************************************
5131 * These are sa state functions which could apply to all types of events.
5132 ****************************************************************************/
5133
5134 /*
5135 * This table entry is not implemented.
5136 *
5137 * Inputs
5138 * (endpoint, asoc, chunk)
5139 *
5140 * The return value is the disposition of the chunk.
5141 */
5142 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep,
5143 const struct sctp_association *asoc,
5144 const sctp_subtype_t type,
5145 void *arg,
5146 sctp_cmd_seq_t *commands)
5147 {
5148 return SCTP_DISPOSITION_NOT_IMPL;
5149 }
5150
5151 /*
5152 * This table entry represents a bug.
5153 *
5154 * Inputs
5155 * (endpoint, asoc, chunk)
5156 *
5157 * The return value is the disposition of the chunk.
5158 */
5159 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep,
5160 const struct sctp_association *asoc,
5161 const sctp_subtype_t type,
5162 void *arg,
5163 sctp_cmd_seq_t *commands)
5164 {
5165 return SCTP_DISPOSITION_BUG;
5166 }
5167
5168 /*
5169 * This table entry represents the firing of a timer in the wrong state.
5170 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
5171 * when the association is in the wrong state. This event should
5172 * be ignored, so as to prevent any rearming of the timer.
5173 *
5174 * Inputs
5175 * (endpoint, asoc, chunk)
5176 *
5177 * The return value is the disposition of the chunk.
5178 */
5179 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep,
5180 const struct sctp_association *asoc,
5181 const sctp_subtype_t type,
5182 void *arg,
5183 sctp_cmd_seq_t *commands)
5184 {
5185 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk);
5186 return SCTP_DISPOSITION_CONSUME;
5187 }
5188
5189 /********************************************************************
5190 * 2nd Level Abstractions
5191 ********************************************************************/
5192
5193 /* Pull the SACK chunk based on the SACK header. */
5194 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
5195 {
5196 struct sctp_sackhdr *sack;
5197 unsigned int len;
5198 __u16 num_blocks;
5199 __u16 num_dup_tsns;
5200
5201 /* Protect ourselves from reading too far into
5202 * the skb from a bogus sender.
5203 */
5204 sack = (struct sctp_sackhdr *) chunk->skb->data;
5205
5206 num_blocks = ntohs(sack->num_gap_ack_blocks);
5207 num_dup_tsns = ntohs(sack->num_dup_tsns);
5208 len = sizeof(struct sctp_sackhdr);
5209 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
5210 if (len > chunk->skb->len)
5211 return NULL;
5212
5213 skb_pull(chunk->skb, len);
5214
5215 return sack;
5216 }
5217
5218 /* Create an ABORT packet to be sent as a response, with the specified
5219 * error causes.
5220 */
5221 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
5222 const struct sctp_association *asoc,
5223 struct sctp_chunk *chunk,
5224 const void *payload,
5225 size_t paylen)
5226 {
5227 struct sctp_packet *packet;
5228 struct sctp_chunk *abort;
5229
5230 packet = sctp_ootb_pkt_new(asoc, chunk);
5231
5232 if (packet) {
5233 /* Make an ABORT.
5234 * The T bit will be set if the asoc is NULL.
5235 */
5236 abort = sctp_make_abort(asoc, chunk, paylen);
5237 if (!abort) {
5238 sctp_ootb_pkt_free(packet);
5239 return NULL;
5240 }
5241
5242 /* Reflect vtag if T-Bit is set */
5243 if (sctp_test_T_bit(abort))
5244 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
5245
5246 /* Add specified error causes, i.e., payload, to the
5247 * end of the chunk.
5248 */
5249 sctp_addto_chunk(abort, paylen, payload);
5250
5251 /* Set the skb to the belonging sock for accounting. */
5252 abort->skb->sk = ep->base.sk;
5253
5254 sctp_packet_append_chunk(packet, abort);
5255
5256 }
5257
5258 return packet;
5259 }
5260
5261 /* Allocate a packet for responding in the OOTB conditions. */
5262 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
5263 const struct sctp_chunk *chunk)
5264 {
5265 struct sctp_packet *packet;
5266 struct sctp_transport *transport;
5267 __u16 sport;
5268 __u16 dport;
5269 __u32 vtag;
5270
5271 /* Get the source and destination port from the inbound packet. */
5272 sport = ntohs(chunk->sctp_hdr->dest);
5273 dport = ntohs(chunk->sctp_hdr->source);
5274
5275 /* The V-tag is going to be the same as the inbound packet if no
5276 * association exists, otherwise, use the peer's vtag.
5277 */
5278 if (asoc) {
5279 /* Special case the INIT-ACK as there is no peer's vtag
5280 * yet.
5281 */
5282 switch(chunk->chunk_hdr->type) {
5283 case SCTP_CID_INIT_ACK:
5284 {
5285 sctp_initack_chunk_t *initack;
5286
5287 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
5288 vtag = ntohl(initack->init_hdr.init_tag);
5289 break;
5290 }
5291 default:
5292 vtag = asoc->peer.i.init_tag;
5293 break;
5294 }
5295 } else {
5296 /* Special case the INIT and stale COOKIE_ECHO as there is no
5297 * vtag yet.
5298 */
5299 switch(chunk->chunk_hdr->type) {
5300 case SCTP_CID_INIT:
5301 {
5302 sctp_init_chunk_t *init;
5303
5304 init = (sctp_init_chunk_t *)chunk->chunk_hdr;
5305 vtag = ntohl(init->init_hdr.init_tag);
5306 break;
5307 }
5308 default:
5309 vtag = ntohl(chunk->sctp_hdr->vtag);
5310 break;
5311 }
5312 }
5313
5314 /* Make a transport for the bucket, Eliza... */
5315 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC);
5316 if (!transport)
5317 goto nomem;
5318
5319 /* Cache a route for the transport with the chunk's destination as
5320 * the source address.
5321 */
5322 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
5323 sctp_sk(sctp_get_ctl_sock()));
5324
5325 packet = sctp_packet_init(&transport->packet, transport, sport, dport);
5326 packet = sctp_packet_config(packet, vtag, 0);
5327
5328 return packet;
5329
5330 nomem:
5331 return NULL;
5332 }
5333
5334 /* Free the packet allocated earlier for responding in the OOTB condition. */
5335 void sctp_ootb_pkt_free(struct sctp_packet *packet)
5336 {
5337 sctp_transport_free(packet->transport);
5338 }
5339
5340 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
5341 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
5342 const struct sctp_association *asoc,
5343 const struct sctp_chunk *chunk,
5344 sctp_cmd_seq_t *commands,
5345 struct sctp_chunk *err_chunk)
5346 {
5347 struct sctp_packet *packet;
5348
5349 if (err_chunk) {
5350 packet = sctp_ootb_pkt_new(asoc, chunk);
5351 if (packet) {
5352 struct sctp_signed_cookie *cookie;
5353
5354 /* Override the OOTB vtag from the cookie. */
5355 cookie = chunk->subh.cookie_hdr;
5356 packet->vtag = cookie->c.peer_vtag;
5357
5358 /* Set the skb to the belonging sock for accounting. */
5359 err_chunk->skb->sk = ep->base.sk;
5360 sctp_packet_append_chunk(packet, err_chunk);
5361 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
5362 SCTP_PACKET(packet));
5363 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
5364 } else
5365 sctp_chunk_free (err_chunk);
5366 }
5367 }
5368
5369
5370 /* Process a data chunk */
5371 static int sctp_eat_data(const struct sctp_association *asoc,
5372 struct sctp_chunk *chunk,
5373 sctp_cmd_seq_t *commands)
5374 {
5375 sctp_datahdr_t *data_hdr;
5376 struct sctp_chunk *err;
5377 size_t datalen;
5378 sctp_verb_t deliver;
5379 int tmp;
5380 __u32 tsn;
5381 int account_value;
5382 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
5383 struct sock *sk = asoc->base.sk;
5384 int rcvbuf_over = 0;
5385
5386 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data;
5387 skb_pull(chunk->skb, sizeof(sctp_datahdr_t));
5388
5389 tsn = ntohl(data_hdr->tsn);
5390 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn);
5391
5392 /* ASSERT: Now skb->data is really the user data. */
5393
5394 /*
5395 * If we are established, and we have used up our receive buffer
5396 * memory, think about droping the frame.
5397 * Note that we have an opportunity to improve performance here.
5398 * If we accept one chunk from an skbuff, we have to keep all the
5399 * memory of that skbuff around until the chunk is read into user
5400 * space. Therefore, once we accept 1 chunk we may as well accept all
5401 * remaining chunks in the skbuff. The data_accepted flag helps us do
5402 * that.
5403 */
5404 if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) {
5405 /*
5406 * If the receive buffer policy is 1, then each
5407 * association can allocate up to sk_rcvbuf bytes
5408 * otherwise, all the associations in aggregate
5409 * may allocate up to sk_rcvbuf bytes
5410 */
5411 if (asoc->ep->rcvbuf_policy)
5412 account_value = atomic_read(&asoc->rmem_alloc);
5413 else
5414 account_value = atomic_read(&sk->sk_rmem_alloc);
5415 if (account_value > sk->sk_rcvbuf) {
5416 /*
5417 * We need to make forward progress, even when we are
5418 * under memory pressure, so we always allow the
5419 * next tsn after the ctsn ack point to be accepted.
5420 * This lets us avoid deadlocks in which we have to
5421 * drop frames that would otherwise let us drain the
5422 * receive queue.
5423 */
5424 if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn)
5425 return SCTP_IERROR_IGNORE_TSN;
5426
5427 /*
5428 * We're going to accept the frame but we should renege
5429 * to make space for it. This will send us down that
5430 * path later in this function.
5431 */
5432 rcvbuf_over = 1;
5433 }
5434 }
5435
5436 /* Process ECN based congestion.
5437 *
5438 * Since the chunk structure is reused for all chunks within
5439 * a packet, we use ecn_ce_done to track if we've already
5440 * done CE processing for this packet.
5441 *
5442 * We need to do ECN processing even if we plan to discard the
5443 * chunk later.
5444 */
5445
5446 if (!chunk->ecn_ce_done) {
5447 struct sctp_af *af;
5448 chunk->ecn_ce_done = 1;
5449
5450 af = sctp_get_af_specific(
5451 ipver2af(ip_hdr(chunk->skb)->version));
5452
5453 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) {
5454 /* Do real work as sideffect. */
5455 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
5456 SCTP_U32(tsn));
5457 }
5458 }
5459
5460 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
5461 if (tmp < 0) {
5462 /* The TSN is too high--silently discard the chunk and
5463 * count on it getting retransmitted later.
5464 */
5465 return SCTP_IERROR_HIGH_TSN;
5466 } else if (tmp > 0) {
5467 /* This is a duplicate. Record it. */
5468 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
5469 return SCTP_IERROR_DUP_TSN;
5470 }
5471
5472 /* This is a new TSN. */
5473
5474 /* Discard if there is no room in the receive window.
5475 * Actually, allow a little bit of overflow (up to a MTU).
5476 */
5477 datalen = ntohs(chunk->chunk_hdr->length);
5478 datalen -= sizeof(sctp_data_chunk_t);
5479
5480 deliver = SCTP_CMD_CHUNK_ULP;
5481
5482 /* Think about partial delivery. */
5483 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
5484
5485 /* Even if we don't accept this chunk there is
5486 * memory pressure.
5487 */
5488 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
5489 }
5490
5491 /* Spill over rwnd a little bit. Note: While allowed, this spill over
5492 * seems a bit troublesome in that frag_point varies based on
5493 * PMTU. In cases, such as loopback, this might be a rather
5494 * large spill over.
5495 * NOTE: If we have a full receive buffer here, we only renege if
5496 * our receiver can still make progress without the tsn being
5497 * received. We do this because in the event that the associations
5498 * receive queue is empty we are filling a leading gap, and since
5499 * reneging moves the gap to the end of the tsn stream, we are likely
5500 * to stall again very shortly. Avoiding the renege when we fill a
5501 * leading gap is a good heuristic for avoiding such steady state
5502 * stalls.
5503 */
5504 if (!asoc->rwnd || asoc->rwnd_over ||
5505 (datalen > asoc->rwnd + asoc->frag_point) ||
5506 (rcvbuf_over && (!skb_queue_len(&sk->sk_receive_queue)))) {
5507
5508 /* If this is the next TSN, consider reneging to make
5509 * room. Note: Playing nice with a confused sender. A
5510 * malicious sender can still eat up all our buffer
5511 * space and in the future we may want to detect and
5512 * do more drastic reneging.
5513 */
5514 if (sctp_tsnmap_has_gap(map) &&
5515 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
5516 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn);
5517 deliver = SCTP_CMD_RENEGE;
5518 } else {
5519 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, "
5520 "rwnd: %d\n", tsn, datalen,
5521 asoc->rwnd);
5522 return SCTP_IERROR_IGNORE_TSN;
5523 }
5524 }
5525
5526 /*
5527 * Section 3.3.10.9 No User Data (9)
5528 *
5529 * Cause of error
5530 * ---------------
5531 * No User Data: This error cause is returned to the originator of a
5532 * DATA chunk if a received DATA chunk has no user data.
5533 */
5534 if (unlikely(0 == datalen)) {
5535 err = sctp_make_abort_no_data(asoc, chunk, tsn);
5536 if (err) {
5537 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5538 SCTP_CHUNK(err));
5539 }
5540 /* We are going to ABORT, so we might as well stop
5541 * processing the rest of the chunks in the packet.
5542 */
5543 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
5544 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5545 SCTP_ERROR(ECONNABORTED));
5546 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5547 SCTP_PERR(SCTP_ERROR_NO_DATA));
5548 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5549 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5550 return SCTP_IERROR_NO_DATA;
5551 }
5552
5553 /* If definately accepting the DATA chunk, record its TSN, otherwise
5554 * wait for renege processing.
5555 */
5556 if (SCTP_CMD_CHUNK_ULP == deliver)
5557 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
5558
5559 chunk->data_accepted = 1;
5560
5561 /* Note: Some chunks may get overcounted (if we drop) or overcounted
5562 * if we renege and the chunk arrives again.
5563 */
5564 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED)
5565 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS);
5566 else
5567 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS);
5568
5569 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
5570 *
5571 * If an endpoint receive a DATA chunk with an invalid stream
5572 * identifier, it shall acknowledge the reception of the DATA chunk
5573 * following the normal procedure, immediately send an ERROR chunk
5574 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
5575 * and discard the DATA chunk.
5576 */
5577 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) {
5578 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
5579 &data_hdr->stream,
5580 sizeof(data_hdr->stream));
5581 if (err)
5582 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5583 SCTP_CHUNK(err));
5584 return SCTP_IERROR_BAD_STREAM;
5585 }
5586
5587 /* Send the data up to the user. Note: Schedule the
5588 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
5589 * chunk needs the updated rwnd.
5590 */
5591 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
5592
5593 return SCTP_IERROR_NO_ERROR;
5594 }
Linux kernel - Deliverables
This page took 0.137758 seconds and 6 git commands to generate.