sm_statefuns.c (213775B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* SCTP kernel implementation 3 * (C) Copyright IBM Corp. 2001, 2004 4 * Copyright (c) 1999-2000 Cisco, Inc. 5 * Copyright (c) 1999-2001 Motorola, Inc. 6 * Copyright (c) 2001-2002 Intel Corp. 7 * Copyright (c) 2002 Nokia Corp. 8 * 9 * This is part of the SCTP Linux Kernel Implementation. 10 * 11 * These are the state functions for the state machine. 12 * 13 * Please send any bug reports or fixes you make to the 14 * email address(es): 15 * lksctp developers <linux-sctp@vger.kernel.org> 16 * 17 * Written or modified by: 18 * La Monte H.P. Yarroll <piggy@acm.org> 19 * Karl Knutson <karl@athena.chicago.il.us> 20 * Mathew Kotowsky <kotowsky@sctp.org> 21 * Sridhar Samudrala <samudrala@us.ibm.com> 22 * Jon Grimm <jgrimm@us.ibm.com> 23 * Hui Huang <hui.huang@nokia.com> 24 * Dajiang Zhang <dajiang.zhang@nokia.com> 25 * Daisy Chang <daisyc@us.ibm.com> 26 * Ardelle Fan <ardelle.fan@intel.com> 27 * Ryan Layer <rmlayer@us.ibm.com> 28 * Kevin Gao <kevin.gao@intel.com> 29 */ 30 31#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 32 33#include <linux/types.h> 34#include <linux/kernel.h> 35#include <linux/ip.h> 36#include <linux/ipv6.h> 37#include <linux/net.h> 38#include <linux/inet.h> 39#include <linux/slab.h> 40#include <net/sock.h> 41#include <net/inet_ecn.h> 42#include <linux/skbuff.h> 43#include <net/sctp/sctp.h> 44#include <net/sctp/sm.h> 45#include <net/sctp/structs.h> 46 47#define CREATE_TRACE_POINTS 48#include <trace/events/sctp.h> 49 50static struct sctp_packet *sctp_abort_pkt_new( 51 struct net *net, 52 const struct sctp_endpoint *ep, 53 const struct sctp_association *asoc, 54 struct sctp_chunk *chunk, 55 const void *payload, size_t paylen); 56static int sctp_eat_data(const struct sctp_association *asoc, 57 struct sctp_chunk *chunk, 58 struct sctp_cmd_seq *commands); 59static struct sctp_packet *sctp_ootb_pkt_new( 60 struct net *net, 61 const struct sctp_association *asoc, 62 const struct sctp_chunk *chunk); 63static void sctp_send_stale_cookie_err(struct net *net, 64 const struct sctp_endpoint *ep, 65 const struct sctp_association *asoc, 66 const struct sctp_chunk *chunk, 67 struct sctp_cmd_seq *commands, 68 struct sctp_chunk *err_chunk); 69static enum sctp_disposition sctp_sf_do_5_2_6_stale( 70 struct net *net, 71 const struct sctp_endpoint *ep, 72 const struct sctp_association *asoc, 73 const union sctp_subtype type, 74 void *arg, 75 struct sctp_cmd_seq *commands); 76static enum sctp_disposition sctp_sf_shut_8_4_5( 77 struct net *net, 78 const struct sctp_endpoint *ep, 79 const struct sctp_association *asoc, 80 const union sctp_subtype type, 81 void *arg, 82 struct sctp_cmd_seq *commands); 83static enum sctp_disposition sctp_sf_tabort_8_4_8( 84 struct net *net, 85 const struct sctp_endpoint *ep, 86 const struct sctp_association *asoc, 87 const union sctp_subtype type, 88 void *arg, 89 struct sctp_cmd_seq *commands); 90static enum sctp_disposition sctp_sf_new_encap_port( 91 struct net *net, 92 const struct sctp_endpoint *ep, 93 const struct sctp_association *asoc, 94 const union sctp_subtype type, 95 void *arg, 96 struct sctp_cmd_seq *commands); 97static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); 98 99static enum sctp_disposition sctp_stop_t1_and_abort( 100 struct net *net, 101 struct sctp_cmd_seq *commands, 102 __be16 error, int sk_err, 103 const struct sctp_association *asoc, 104 struct sctp_transport *transport); 105 106static enum sctp_disposition sctp_sf_abort_violation( 107 struct net *net, 108 const struct sctp_endpoint *ep, 109 const struct sctp_association *asoc, 110 void *arg, 111 struct sctp_cmd_seq *commands, 112 const __u8 *payload, 113 const size_t paylen); 114 115static enum sctp_disposition sctp_sf_violation_chunklen( 116 struct net *net, 117 const struct sctp_endpoint *ep, 118 const struct sctp_association *asoc, 119 const union sctp_subtype type, 120 void *arg, 121 struct sctp_cmd_seq *commands); 122 123static enum sctp_disposition sctp_sf_violation_paramlen( 124 struct net *net, 125 const struct sctp_endpoint *ep, 126 const struct sctp_association *asoc, 127 const union sctp_subtype type, 128 void *arg, void *ext, 129 struct sctp_cmd_seq *commands); 130 131static enum sctp_disposition sctp_sf_violation_ctsn( 132 struct net *net, 133 const struct sctp_endpoint *ep, 134 const struct sctp_association *asoc, 135 const union sctp_subtype type, 136 void *arg, 137 struct sctp_cmd_seq *commands); 138 139static enum sctp_disposition sctp_sf_violation_chunk( 140 struct net *net, 141 const struct sctp_endpoint *ep, 142 const struct sctp_association *asoc, 143 const union sctp_subtype type, 144 void *arg, 145 struct sctp_cmd_seq *commands); 146 147static enum sctp_ierror sctp_sf_authenticate( 148 const struct sctp_association *asoc, 149 struct sctp_chunk *chunk); 150 151static enum sctp_disposition __sctp_sf_do_9_1_abort( 152 struct net *net, 153 const struct sctp_endpoint *ep, 154 const struct sctp_association *asoc, 155 const union sctp_subtype type, 156 void *arg, 157 struct sctp_cmd_seq *commands); 158 159static enum sctp_disposition 160__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 161 const struct sctp_association *asoc, 162 const union sctp_subtype type, void *arg, 163 struct sctp_cmd_seq *commands); 164 165/* Small helper function that checks if the chunk length 166 * is of the appropriate length. The 'required_length' argument 167 * is set to be the size of a specific chunk we are testing. 168 * Return Values: true = Valid length 169 * false = Invalid length 170 * 171 */ 172static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, 173 __u16 required_length) 174{ 175 __u16 chunk_length = ntohs(chunk->chunk_hdr->length); 176 177 /* Previously already marked? */ 178 if (unlikely(chunk->pdiscard)) 179 return false; 180 if (unlikely(chunk_length < required_length)) 181 return false; 182 183 return true; 184} 185 186/* Check for format error in an ABORT chunk */ 187static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) 188{ 189 struct sctp_errhdr *err; 190 191 sctp_walk_errors(err, chunk->chunk_hdr); 192 193 return (void *)err == (void *)chunk->chunk_end; 194} 195 196/********************************************************** 197 * These are the state functions for handling chunk events. 198 **********************************************************/ 199 200/* 201 * Process the final SHUTDOWN COMPLETE. 202 * 203 * Section: 4 (C) (diagram), 9.2 204 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify 205 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be 206 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint 207 * should stop the T2-shutdown timer and remove all knowledge of the 208 * association (and thus the association enters the CLOSED state). 209 * 210 * Verification Tag: 8.5.1(C), sctpimpguide 2.41. 211 * C) Rules for packet carrying SHUTDOWN COMPLETE: 212 * ... 213 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet 214 * if the Verification Tag field of the packet matches its own tag and 215 * the T bit is not set 216 * OR 217 * it is set to its peer's tag and the T bit is set in the Chunk 218 * Flags. 219 * Otherwise, the receiver MUST silently discard the packet 220 * and take no further action. An endpoint MUST ignore the 221 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. 222 * 223 * Inputs 224 * (endpoint, asoc, chunk) 225 * 226 * Outputs 227 * (asoc, reply_msg, msg_up, timers, counters) 228 * 229 * The return value is the disposition of the chunk. 230 */ 231enum sctp_disposition sctp_sf_do_4_C(struct net *net, 232 const struct sctp_endpoint *ep, 233 const struct sctp_association *asoc, 234 const union sctp_subtype type, 235 void *arg, struct sctp_cmd_seq *commands) 236{ 237 struct sctp_chunk *chunk = arg; 238 struct sctp_ulpevent *ev; 239 240 if (!sctp_vtag_verify_either(chunk, asoc)) 241 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 242 243 /* RFC 2960 6.10 Bundling 244 * 245 * An endpoint MUST NOT bundle INIT, INIT ACK or 246 * SHUTDOWN COMPLETE with any other chunks. 247 */ 248 if (!chunk->singleton) 249 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 250 251 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ 252 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 253 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 254 commands); 255 256 /* RFC 2960 10.2 SCTP-to-ULP 257 * 258 * H) SHUTDOWN COMPLETE notification 259 * 260 * When SCTP completes the shutdown procedures (section 9.2) this 261 * notification is passed to the upper layer. 262 */ 263 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 264 0, 0, 0, NULL, GFP_ATOMIC); 265 if (ev) 266 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 267 SCTP_ULPEVENT(ev)); 268 269 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint 270 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is 271 * not the chunk should be discarded. If the endpoint is in 272 * the SHUTDOWN-ACK-SENT state the endpoint should stop the 273 * T2-shutdown timer and remove all knowledge of the 274 * association (and thus the association enters the CLOSED 275 * state). 276 */ 277 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 278 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 279 280 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 281 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 282 283 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 284 SCTP_STATE(SCTP_STATE_CLOSED)); 285 286 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 287 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 288 289 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 290 291 return SCTP_DISPOSITION_DELETE_TCB; 292} 293 294/* 295 * Respond to a normal INIT chunk. 296 * We are the side that is being asked for an association. 297 * 298 * Section: 5.1 Normal Establishment of an Association, B 299 * B) "Z" shall respond immediately with an INIT ACK chunk. The 300 * destination IP address of the INIT ACK MUST be set to the source 301 * IP address of the INIT to which this INIT ACK is responding. In 302 * the response, besides filling in other parameters, "Z" must set the 303 * Verification Tag field to Tag_A, and also provide its own 304 * Verification Tag (Tag_Z) in the Initiate Tag field. 305 * 306 * Verification Tag: Must be 0. 307 * 308 * Inputs 309 * (endpoint, asoc, chunk) 310 * 311 * Outputs 312 * (asoc, reply_msg, msg_up, timers, counters) 313 * 314 * The return value is the disposition of the chunk. 315 */ 316enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, 317 const struct sctp_endpoint *ep, 318 const struct sctp_association *asoc, 319 const union sctp_subtype type, 320 void *arg, 321 struct sctp_cmd_seq *commands) 322{ 323 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 324 struct sctp_unrecognized_param *unk_param; 325 struct sctp_association *new_asoc; 326 struct sctp_packet *packet; 327 int len; 328 329 /* 6.10 Bundling 330 * An endpoint MUST NOT bundle INIT, INIT ACK or 331 * SHUTDOWN COMPLETE with any other chunks. 332 * 333 * IG Section 2.11.2 334 * Furthermore, we require that the receiver of an INIT chunk MUST 335 * enforce these rules by silently discarding an arriving packet 336 * with an INIT chunk that is bundled with other chunks. 337 */ 338 if (!chunk->singleton) 339 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 340 341 /* Make sure that the INIT chunk has a valid length. 342 * Normally, this would cause an ABORT with a Protocol Violation 343 * error, but since we don't have an association, we'll 344 * just discard the packet. 345 */ 346 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 347 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 348 349 /* If the packet is an OOTB packet which is temporarily on the 350 * control endpoint, respond with an ABORT. 351 */ 352 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 353 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 354 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 355 } 356 357 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 358 * Tag. 359 */ 360 if (chunk->sctp_hdr->vtag != 0) 361 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 362 363 /* If the INIT is coming toward a closing socket, we'll send back 364 * and ABORT. Essentially, this catches the race of INIT being 365 * backloged to the socket at the same time as the user issues close(). 366 * Since the socket and all its associations are going away, we 367 * can treat this OOTB 368 */ 369 if (sctp_sstate(ep->base.sk, CLOSING)) 370 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 371 372 /* Verify the INIT chunk before processing it. */ 373 err_chunk = NULL; 374 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 375 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 376 &err_chunk)) { 377 /* This chunk contains fatal error. It is to be discarded. 378 * Send an ABORT, with causes if there is any. 379 */ 380 if (err_chunk) { 381 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 382 (__u8 *)(err_chunk->chunk_hdr) + 383 sizeof(struct sctp_chunkhdr), 384 ntohs(err_chunk->chunk_hdr->length) - 385 sizeof(struct sctp_chunkhdr)); 386 387 sctp_chunk_free(err_chunk); 388 389 if (packet) { 390 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 391 SCTP_PACKET(packet)); 392 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 393 return SCTP_DISPOSITION_CONSUME; 394 } else { 395 return SCTP_DISPOSITION_NOMEM; 396 } 397 } else { 398 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 399 commands); 400 } 401 } 402 403 /* Grab the INIT header. */ 404 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 405 406 /* Tag the variable length parameters. */ 407 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 408 409 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 410 if (!new_asoc) 411 goto nomem; 412 413 /* Update socket peer label if first association. */ 414 if (security_sctp_assoc_request(new_asoc, chunk->skb)) { 415 sctp_association_free(new_asoc); 416 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 417 } 418 419 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 420 sctp_scope(sctp_source(chunk)), 421 GFP_ATOMIC) < 0) 422 goto nomem_init; 423 424 /* The call, sctp_process_init(), can fail on memory allocation. */ 425 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 426 (struct sctp_init_chunk *)chunk->chunk_hdr, 427 GFP_ATOMIC)) 428 goto nomem_init; 429 430 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 431 432 /* If there are errors need to be reported for unknown parameters, 433 * make sure to reserve enough room in the INIT ACK for them. 434 */ 435 len = 0; 436 if (err_chunk) 437 len = ntohs(err_chunk->chunk_hdr->length) - 438 sizeof(struct sctp_chunkhdr); 439 440 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 441 if (!repl) 442 goto nomem_init; 443 444 /* If there are errors need to be reported for unknown parameters, 445 * include them in the outgoing INIT ACK as "Unrecognized parameter" 446 * parameter. 447 */ 448 if (err_chunk) { 449 /* Get the "Unrecognized parameter" parameter(s) out of the 450 * ERROR chunk generated by sctp_verify_init(). Since the 451 * error cause code for "unknown parameter" and the 452 * "Unrecognized parameter" type is the same, we can 453 * construct the parameters in INIT ACK by copying the 454 * ERROR causes over. 455 */ 456 unk_param = (struct sctp_unrecognized_param *) 457 ((__u8 *)(err_chunk->chunk_hdr) + 458 sizeof(struct sctp_chunkhdr)); 459 /* Replace the cause code with the "Unrecognized parameter" 460 * parameter type. 461 */ 462 sctp_addto_chunk(repl, len, unk_param); 463 sctp_chunk_free(err_chunk); 464 } 465 466 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 467 468 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 469 470 /* 471 * Note: After sending out INIT ACK with the State Cookie parameter, 472 * "Z" MUST NOT allocate any resources, nor keep any states for the 473 * new association. Otherwise, "Z" will be vulnerable to resource 474 * attacks. 475 */ 476 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 477 478 return SCTP_DISPOSITION_DELETE_TCB; 479 480nomem_init: 481 sctp_association_free(new_asoc); 482nomem: 483 if (err_chunk) 484 sctp_chunk_free(err_chunk); 485 return SCTP_DISPOSITION_NOMEM; 486} 487 488/* 489 * Respond to a normal INIT ACK chunk. 490 * We are the side that is initiating the association. 491 * 492 * Section: 5.1 Normal Establishment of an Association, C 493 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init 494 * timer and leave COOKIE-WAIT state. "A" shall then send the State 495 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start 496 * the T1-cookie timer, and enter the COOKIE-ECHOED state. 497 * 498 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound 499 * DATA chunks, but it MUST be the first chunk in the packet and 500 * until the COOKIE ACK is returned the sender MUST NOT send any 501 * other packets to the peer. 502 * 503 * Verification Tag: 3.3.3 504 * If the value of the Initiate Tag in a received INIT ACK chunk is 505 * found to be 0, the receiver MUST treat it as an error and close the 506 * association by transmitting an ABORT. 507 * 508 * Inputs 509 * (endpoint, asoc, chunk) 510 * 511 * Outputs 512 * (asoc, reply_msg, msg_up, timers, counters) 513 * 514 * The return value is the disposition of the chunk. 515 */ 516enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, 517 const struct sctp_endpoint *ep, 518 const struct sctp_association *asoc, 519 const union sctp_subtype type, 520 void *arg, 521 struct sctp_cmd_seq *commands) 522{ 523 struct sctp_init_chunk *initchunk; 524 struct sctp_chunk *chunk = arg; 525 struct sctp_chunk *err_chunk; 526 struct sctp_packet *packet; 527 528 if (!sctp_vtag_verify(chunk, asoc)) 529 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 530 531 /* 6.10 Bundling 532 * An endpoint MUST NOT bundle INIT, INIT ACK or 533 * SHUTDOWN COMPLETE with any other chunks. 534 */ 535 if (!chunk->singleton) 536 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); 537 538 /* Make sure that the INIT-ACK chunk has a valid length */ 539 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) 540 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 541 commands); 542 /* Grab the INIT header. */ 543 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 544 545 /* Verify the INIT chunk before processing it. */ 546 err_chunk = NULL; 547 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 548 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 549 &err_chunk)) { 550 551 enum sctp_error error = SCTP_ERROR_NO_RESOURCE; 552 553 /* This chunk contains fatal error. It is to be discarded. 554 * Send an ABORT, with causes. If there are no causes, 555 * then there wasn't enough memory. Just terminate 556 * the association. 557 */ 558 if (err_chunk) { 559 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 560 (__u8 *)(err_chunk->chunk_hdr) + 561 sizeof(struct sctp_chunkhdr), 562 ntohs(err_chunk->chunk_hdr->length) - 563 sizeof(struct sctp_chunkhdr)); 564 565 sctp_chunk_free(err_chunk); 566 567 if (packet) { 568 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 569 SCTP_PACKET(packet)); 570 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 571 error = SCTP_ERROR_INV_PARAM; 572 } 573 } 574 575 /* SCTP-AUTH, Section 6.3: 576 * It should be noted that if the receiver wants to tear 577 * down an association in an authenticated way only, the 578 * handling of malformed packets should not result in 579 * tearing down the association. 580 * 581 * This means that if we only want to abort associations 582 * in an authenticated way (i.e AUTH+ABORT), then we 583 * can't destroy this association just because the packet 584 * was malformed. 585 */ 586 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 587 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 588 589 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 590 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, 591 asoc, chunk->transport); 592 } 593 594 /* Tag the variable length parameters. Note that we never 595 * convert the parameters in an INIT chunk. 596 */ 597 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 598 599 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; 600 601 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, 602 SCTP_PEER_INIT(initchunk)); 603 604 /* Reset init error count upon receipt of INIT-ACK. */ 605 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 606 607 /* 5.1 C) "A" shall stop the T1-init timer and leave 608 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie 609 * timer, and enter the COOKIE-ECHOED state. 610 */ 611 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 612 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 613 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 614 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 615 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 616 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); 617 618 /* SCTP-AUTH: generate the association shared keys so that 619 * we can potentially sign the COOKIE-ECHO. 620 */ 621 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); 622 623 /* 5.1 C) "A" shall then send the State Cookie received in the 624 * INIT ACK chunk in a COOKIE ECHO chunk, ... 625 */ 626 /* If there is any errors to report, send the ERROR chunk generated 627 * for unknown parameters as well. 628 */ 629 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, 630 SCTP_CHUNK(err_chunk)); 631 632 return SCTP_DISPOSITION_CONSUME; 633} 634 635static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk, 636 const struct sctp_association *asoc) 637{ 638 struct sctp_chunk auth; 639 640 if (!chunk->auth_chunk) 641 return true; 642 643 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo 644 * is supposed to be authenticated and we have to do delayed 645 * authentication. We've just recreated the association using 646 * the information in the cookie and now it's much easier to 647 * do the authentication. 648 */ 649 650 /* Make sure that we and the peer are AUTH capable */ 651 if (!net->sctp.auth_enable || !asoc->peer.auth_capable) 652 return false; 653 654 /* set-up our fake chunk so that we can process it */ 655 auth.skb = chunk->auth_chunk; 656 auth.asoc = chunk->asoc; 657 auth.sctp_hdr = chunk->sctp_hdr; 658 auth.chunk_hdr = (struct sctp_chunkhdr *) 659 skb_push(chunk->auth_chunk, 660 sizeof(struct sctp_chunkhdr)); 661 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); 662 auth.transport = chunk->transport; 663 664 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR; 665} 666 667/* 668 * Respond to a normal COOKIE ECHO chunk. 669 * We are the side that is being asked for an association. 670 * 671 * Section: 5.1 Normal Establishment of an Association, D 672 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply 673 * with a COOKIE ACK chunk after building a TCB and moving to 674 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with 675 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK 676 * chunk MUST be the first chunk in the packet. 677 * 678 * IMPLEMENTATION NOTE: An implementation may choose to send the 679 * Communication Up notification to the SCTP user upon reception 680 * of a valid COOKIE ECHO chunk. 681 * 682 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 683 * D) Rules for packet carrying a COOKIE ECHO 684 * 685 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the 686 * Initial Tag received in the INIT ACK. 687 * 688 * - The receiver of a COOKIE ECHO follows the procedures in Section 5. 689 * 690 * Inputs 691 * (endpoint, asoc, chunk) 692 * 693 * Outputs 694 * (asoc, reply_msg, msg_up, timers, counters) 695 * 696 * The return value is the disposition of the chunk. 697 */ 698enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 699 const struct sctp_endpoint *ep, 700 const struct sctp_association *asoc, 701 const union sctp_subtype type, 702 void *arg, 703 struct sctp_cmd_seq *commands) 704{ 705 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; 706 struct sctp_association *new_asoc; 707 struct sctp_init_chunk *peer_init; 708 struct sctp_chunk *chunk = arg; 709 struct sctp_chunk *err_chk_p; 710 struct sctp_chunk *repl; 711 struct sock *sk; 712 int error = 0; 713 714 if (asoc && !sctp_vtag_verify(chunk, asoc)) 715 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 716 717 /* If the packet is an OOTB packet which is temporarily on the 718 * control endpoint, respond with an ABORT. 719 */ 720 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { 721 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 722 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 723 } 724 725 /* Make sure that the COOKIE_ECHO chunk has a valid length. 726 * In this case, we check that we have enough for at least a 727 * chunk header. More detailed verification is done 728 * in sctp_unpack_cookie(). 729 */ 730 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 731 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 732 commands); 733 734 /* If the endpoint is not listening or if the number of associations 735 * on the TCP-style socket exceed the max backlog, respond with an 736 * ABORT. 737 */ 738 sk = ep->base.sk; 739 if (!sctp_sstate(sk, LISTENING) || 740 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) 741 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 742 743 /* "Decode" the chunk. We have no optional parameters so we 744 * are in good shape. 745 */ 746 chunk->subh.cookie_hdr = 747 (struct sctp_signed_cookie *)chunk->skb->data; 748 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 749 sizeof(struct sctp_chunkhdr))) 750 goto nomem; 751 752 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 753 * "Z" will reply with a COOKIE ACK chunk after building a TCB 754 * and moving to the ESTABLISHED state. 755 */ 756 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 757 &err_chk_p); 758 759 /* FIXME: 760 * If the re-build failed, what is the proper error path 761 * from here? 762 * 763 * [We should abort the association. --piggy] 764 */ 765 if (!new_asoc) { 766 /* FIXME: Several errors are possible. A bad cookie should 767 * be silently discarded, but think about logging it too. 768 */ 769 switch (error) { 770 case -SCTP_IERROR_NOMEM: 771 goto nomem; 772 773 case -SCTP_IERROR_STALE_COOKIE: 774 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 775 err_chk_p); 776 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 777 778 case -SCTP_IERROR_BAD_SIG: 779 default: 780 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 781 } 782 } 783 784 if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) { 785 sctp_association_free(new_asoc); 786 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 787 } 788 789 /* Delay state machine commands until later. 790 * 791 * Re-build the bind address for the association is done in 792 * the sctp_unpack_cookie() already. 793 */ 794 /* This is a brand-new association, so these are not yet side 795 * effects--it is safe to run them here. 796 */ 797 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 798 799 if (!sctp_process_init(new_asoc, chunk, 800 &chunk->subh.cookie_hdr->c.peer_addr, 801 peer_init, GFP_ATOMIC)) 802 goto nomem_init; 803 804 /* SCTP-AUTH: Now that we've populate required fields in 805 * sctp_process_init, set up the association shared keys as 806 * necessary so that we can potentially authenticate the ACK 807 */ 808 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); 809 if (error) 810 goto nomem_init; 811 812 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) { 813 sctp_association_free(new_asoc); 814 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 815 } 816 817 repl = sctp_make_cookie_ack(new_asoc, chunk); 818 if (!repl) 819 goto nomem_init; 820 821 /* RFC 2960 5.1 Normal Establishment of an Association 822 * 823 * D) IMPLEMENTATION NOTE: An implementation may choose to 824 * send the Communication Up notification to the SCTP user 825 * upon reception of a valid COOKIE ECHO chunk. 826 */ 827 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, 828 new_asoc->c.sinit_num_ostreams, 829 new_asoc->c.sinit_max_instreams, 830 NULL, GFP_ATOMIC); 831 if (!ev) 832 goto nomem_ev; 833 834 /* Sockets API Draft Section 5.3.1.6 835 * When a peer sends a Adaptation Layer Indication parameter , SCTP 836 * delivers this notification to inform the application that of the 837 * peers requested adaptation layer. 838 */ 839 if (new_asoc->peer.adaptation_ind) { 840 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, 841 GFP_ATOMIC); 842 if (!ai_ev) 843 goto nomem_aiev; 844 } 845 846 if (!new_asoc->peer.auth_capable) { 847 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, 848 SCTP_AUTH_NO_AUTH, 849 GFP_ATOMIC); 850 if (!auth_ev) 851 goto nomem_authev; 852 } 853 854 /* Add all the state machine commands now since we've created 855 * everything. This way we don't introduce memory corruptions 856 * during side-effect processing and correctly count established 857 * associations. 858 */ 859 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 860 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 861 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 862 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 863 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); 864 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 865 866 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 867 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 868 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 869 870 /* This will send the COOKIE ACK */ 871 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 872 873 /* Queue the ASSOC_CHANGE event */ 874 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 875 876 /* Send up the Adaptation Layer Indication event */ 877 if (ai_ev) 878 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 879 SCTP_ULPEVENT(ai_ev)); 880 881 if (auth_ev) 882 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 883 SCTP_ULPEVENT(auth_ev)); 884 885 return SCTP_DISPOSITION_CONSUME; 886 887nomem_authev: 888 sctp_ulpevent_free(ai_ev); 889nomem_aiev: 890 sctp_ulpevent_free(ev); 891nomem_ev: 892 sctp_chunk_free(repl); 893nomem_init: 894 sctp_association_free(new_asoc); 895nomem: 896 return SCTP_DISPOSITION_NOMEM; 897} 898 899/* 900 * Respond to a normal COOKIE ACK chunk. 901 * We are the side that is asking for an association. 902 * 903 * RFC 2960 5.1 Normal Establishment of an Association 904 * 905 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the 906 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie 907 * timer. It may also notify its ULP about the successful 908 * establishment of the association with a Communication Up 909 * notification (see Section 10). 910 * 911 * Verification Tag: 912 * Inputs 913 * (endpoint, asoc, chunk) 914 * 915 * Outputs 916 * (asoc, reply_msg, msg_up, timers, counters) 917 * 918 * The return value is the disposition of the chunk. 919 */ 920enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, 921 const struct sctp_endpoint *ep, 922 const struct sctp_association *asoc, 923 const union sctp_subtype type, 924 void *arg, 925 struct sctp_cmd_seq *commands) 926{ 927 struct sctp_chunk *chunk = arg; 928 struct sctp_ulpevent *ev; 929 930 if (!sctp_vtag_verify(chunk, asoc)) 931 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 932 933 /* Set peer label for connection. */ 934 if (security_sctp_assoc_established((struct sctp_association *)asoc, 935 chunk->head_skb ?: chunk->skb)) 936 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 937 938 /* Verify that the chunk length for the COOKIE-ACK is OK. 939 * If we don't do this, any bundled chunks may be junked. 940 */ 941 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 942 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 943 commands); 944 945 /* Reset init error count upon receipt of COOKIE-ACK, 946 * to avoid problems with the management of this 947 * counter in stale cookie situations when a transition back 948 * from the COOKIE-ECHOED state to the COOKIE-WAIT 949 * state is performed. 950 */ 951 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); 952 953 /* RFC 2960 5.1 Normal Establishment of an Association 954 * 955 * E) Upon reception of the COOKIE ACK, endpoint "A" will move 956 * from the COOKIE-ECHOED state to the ESTABLISHED state, 957 * stopping the T1-cookie timer. 958 */ 959 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 960 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 961 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 962 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 963 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 964 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); 965 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 966 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 967 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 968 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 969 970 /* It may also notify its ULP about the successful 971 * establishment of the association with a Communication Up 972 * notification (see Section 10). 973 */ 974 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, 975 0, asoc->c.sinit_num_ostreams, 976 asoc->c.sinit_max_instreams, 977 NULL, GFP_ATOMIC); 978 979 if (!ev) 980 goto nomem; 981 982 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 983 984 /* Sockets API Draft Section 5.3.1.6 985 * When a peer sends a Adaptation Layer Indication parameter , SCTP 986 * delivers this notification to inform the application that of the 987 * peers requested adaptation layer. 988 */ 989 if (asoc->peer.adaptation_ind) { 990 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); 991 if (!ev) 992 goto nomem; 993 994 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 995 SCTP_ULPEVENT(ev)); 996 } 997 998 if (!asoc->peer.auth_capable) { 999 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, 1000 GFP_ATOMIC); 1001 if (!ev) 1002 goto nomem; 1003 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 1004 SCTP_ULPEVENT(ev)); 1005 } 1006 1007 return SCTP_DISPOSITION_CONSUME; 1008nomem: 1009 return SCTP_DISPOSITION_NOMEM; 1010} 1011 1012/* Generate and sendout a heartbeat packet. */ 1013static enum sctp_disposition sctp_sf_heartbeat( 1014 const struct sctp_endpoint *ep, 1015 const struct sctp_association *asoc, 1016 const union sctp_subtype type, 1017 void *arg, 1018 struct sctp_cmd_seq *commands) 1019{ 1020 struct sctp_transport *transport = (struct sctp_transport *) arg; 1021 struct sctp_chunk *reply; 1022 1023 /* Send a heartbeat to our peer. */ 1024 reply = sctp_make_heartbeat(asoc, transport, 0); 1025 if (!reply) 1026 return SCTP_DISPOSITION_NOMEM; 1027 1028 /* Set rto_pending indicating that an RTT measurement 1029 * is started with this heartbeat chunk. 1030 */ 1031 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, 1032 SCTP_TRANSPORT(transport)); 1033 1034 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1035 return SCTP_DISPOSITION_CONSUME; 1036} 1037 1038/* Generate a HEARTBEAT packet on the given transport. */ 1039enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, 1040 const struct sctp_endpoint *ep, 1041 const struct sctp_association *asoc, 1042 const union sctp_subtype type, 1043 void *arg, 1044 struct sctp_cmd_seq *commands) 1045{ 1046 struct sctp_transport *transport = (struct sctp_transport *) arg; 1047 1048 if (asoc->overall_error_count >= asoc->max_retrans) { 1049 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1050 SCTP_ERROR(ETIMEDOUT)); 1051 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1052 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1053 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1054 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1055 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1056 return SCTP_DISPOSITION_DELETE_TCB; 1057 } 1058 1059 /* Section 3.3.5. 1060 * The Sender-specific Heartbeat Info field should normally include 1061 * information about the sender's current time when this HEARTBEAT 1062 * chunk is sent and the destination transport address to which this 1063 * HEARTBEAT is sent (see Section 8.3). 1064 */ 1065 1066 if (transport->param_flags & SPP_HB_ENABLE) { 1067 if (SCTP_DISPOSITION_NOMEM == 1068 sctp_sf_heartbeat(ep, asoc, type, arg, 1069 commands)) 1070 return SCTP_DISPOSITION_NOMEM; 1071 1072 /* Set transport error counter and association error counter 1073 * when sending heartbeat. 1074 */ 1075 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 1076 SCTP_TRANSPORT(transport)); 1077 } 1078 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, 1079 SCTP_TRANSPORT(transport)); 1080 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, 1081 SCTP_TRANSPORT(transport)); 1082 1083 return SCTP_DISPOSITION_CONSUME; 1084} 1085 1086/* resend asoc strreset_chunk. */ 1087enum sctp_disposition sctp_sf_send_reconf(struct net *net, 1088 const struct sctp_endpoint *ep, 1089 const struct sctp_association *asoc, 1090 const union sctp_subtype type, 1091 void *arg, 1092 struct sctp_cmd_seq *commands) 1093{ 1094 struct sctp_transport *transport = arg; 1095 1096 if (asoc->overall_error_count >= asoc->max_retrans) { 1097 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 1098 SCTP_ERROR(ETIMEDOUT)); 1099 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 1100 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 1101 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 1102 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1103 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1104 return SCTP_DISPOSITION_DELETE_TCB; 1105 } 1106 1107 sctp_chunk_hold(asoc->strreset_chunk); 1108 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1109 SCTP_CHUNK(asoc->strreset_chunk)); 1110 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 1111 1112 return SCTP_DISPOSITION_CONSUME; 1113} 1114 1115/* send hb chunk with padding for PLPMUTD. */ 1116enum sctp_disposition sctp_sf_send_probe(struct net *net, 1117 const struct sctp_endpoint *ep, 1118 const struct sctp_association *asoc, 1119 const union sctp_subtype type, 1120 void *arg, 1121 struct sctp_cmd_seq *commands) 1122{ 1123 struct sctp_transport *transport = (struct sctp_transport *)arg; 1124 struct sctp_chunk *reply; 1125 1126 if (!sctp_transport_pl_enabled(transport)) 1127 return SCTP_DISPOSITION_CONSUME; 1128 1129 sctp_transport_pl_send(transport); 1130 reply = sctp_make_heartbeat(asoc, transport, transport->pl.probe_size); 1131 if (!reply) 1132 return SCTP_DISPOSITION_NOMEM; 1133 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1134 sctp_add_cmd_sf(commands, SCTP_CMD_PROBE_TIMER_UPDATE, 1135 SCTP_TRANSPORT(transport)); 1136 1137 return SCTP_DISPOSITION_CONSUME; 1138} 1139 1140/* 1141 * Process an heartbeat request. 1142 * 1143 * Section: 8.3 Path Heartbeat 1144 * The receiver of the HEARTBEAT should immediately respond with a 1145 * HEARTBEAT ACK that contains the Heartbeat Information field copied 1146 * from the received HEARTBEAT chunk. 1147 * 1148 * Verification Tag: 8.5 Verification Tag [Normal verification] 1149 * When receiving an SCTP packet, the endpoint MUST ensure that the 1150 * value in the Verification Tag field of the received SCTP packet 1151 * matches its own Tag. If the received Verification Tag value does not 1152 * match the receiver's own tag value, the receiver shall silently 1153 * discard the packet and shall not process it any further except for 1154 * those cases listed in Section 8.5.1 below. 1155 * 1156 * Inputs 1157 * (endpoint, asoc, chunk) 1158 * 1159 * Outputs 1160 * (asoc, reply_msg, msg_up, timers, counters) 1161 * 1162 * The return value is the disposition of the chunk. 1163 */ 1164enum sctp_disposition sctp_sf_beat_8_3(struct net *net, 1165 const struct sctp_endpoint *ep, 1166 const struct sctp_association *asoc, 1167 const union sctp_subtype type, 1168 void *arg, struct sctp_cmd_seq *commands) 1169{ 1170 struct sctp_paramhdr *param_hdr; 1171 struct sctp_chunk *chunk = arg; 1172 struct sctp_chunk *reply; 1173 size_t paylen = 0; 1174 1175 if (!sctp_vtag_verify(chunk, asoc)) 1176 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1177 1178 /* Make sure that the HEARTBEAT chunk has a valid length. */ 1179 if (!sctp_chunk_length_valid(chunk, 1180 sizeof(struct sctp_heartbeat_chunk))) 1181 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1182 commands); 1183 1184 /* 8.3 The receiver of the HEARTBEAT should immediately 1185 * respond with a HEARTBEAT ACK that contains the Heartbeat 1186 * Information field copied from the received HEARTBEAT chunk. 1187 */ 1188 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; 1189 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; 1190 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); 1191 1192 if (ntohs(param_hdr->length) > paylen) 1193 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 1194 param_hdr, commands); 1195 1196 if (!pskb_pull(chunk->skb, paylen)) 1197 goto nomem; 1198 1199 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); 1200 if (!reply) 1201 goto nomem; 1202 1203 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 1204 return SCTP_DISPOSITION_CONSUME; 1205 1206nomem: 1207 return SCTP_DISPOSITION_NOMEM; 1208} 1209 1210/* 1211 * Process the returning HEARTBEAT ACK. 1212 * 1213 * Section: 8.3 Path Heartbeat 1214 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT 1215 * should clear the error counter of the destination transport 1216 * address to which the HEARTBEAT was sent, and mark the destination 1217 * transport address as active if it is not so marked. The endpoint may 1218 * optionally report to the upper layer when an inactive destination 1219 * address is marked as active due to the reception of the latest 1220 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also 1221 * clear the association overall error count as well (as defined 1222 * in section 8.1). 1223 * 1224 * The receiver of the HEARTBEAT ACK should also perform an RTT 1225 * measurement for that destination transport address using the time 1226 * value carried in the HEARTBEAT ACK chunk. 1227 * 1228 * Verification Tag: 8.5 Verification Tag [Normal verification] 1229 * 1230 * Inputs 1231 * (endpoint, asoc, chunk) 1232 * 1233 * Outputs 1234 * (asoc, reply_msg, msg_up, timers, counters) 1235 * 1236 * The return value is the disposition of the chunk. 1237 */ 1238enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, 1239 const struct sctp_endpoint *ep, 1240 const struct sctp_association *asoc, 1241 const union sctp_subtype type, 1242 void *arg, 1243 struct sctp_cmd_seq *commands) 1244{ 1245 struct sctp_sender_hb_info *hbinfo; 1246 struct sctp_chunk *chunk = arg; 1247 struct sctp_transport *link; 1248 unsigned long max_interval; 1249 union sctp_addr from_addr; 1250 1251 if (!sctp_vtag_verify(chunk, asoc)) 1252 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1253 1254 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ 1255 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + 1256 sizeof(*hbinfo))) 1257 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 1258 commands); 1259 1260 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; 1261 /* Make sure that the length of the parameter is what we expect */ 1262 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) 1263 return SCTP_DISPOSITION_DISCARD; 1264 1265 from_addr = hbinfo->daddr; 1266 link = sctp_assoc_lookup_paddr(asoc, &from_addr); 1267 1268 /* This should never happen, but lets log it if so. */ 1269 if (unlikely(!link)) { 1270 if (from_addr.sa.sa_family == AF_INET6) { 1271 net_warn_ratelimited("%s association %p could not find address %pI6\n", 1272 __func__, 1273 asoc, 1274 &from_addr.v6.sin6_addr); 1275 } else { 1276 net_warn_ratelimited("%s association %p could not find address %pI4\n", 1277 __func__, 1278 asoc, 1279 &from_addr.v4.sin_addr.s_addr); 1280 } 1281 return SCTP_DISPOSITION_DISCARD; 1282 } 1283 1284 /* Validate the 64-bit random nonce. */ 1285 if (hbinfo->hb_nonce != link->hb_nonce) 1286 return SCTP_DISPOSITION_DISCARD; 1287 1288 if (hbinfo->probe_size) { 1289 if (hbinfo->probe_size != link->pl.probe_size || 1290 !sctp_transport_pl_enabled(link)) 1291 return SCTP_DISPOSITION_DISCARD; 1292 1293 if (sctp_transport_pl_recv(link)) 1294 return SCTP_DISPOSITION_CONSUME; 1295 1296 return sctp_sf_send_probe(net, ep, asoc, type, link, commands); 1297 } 1298 1299 max_interval = link->hbinterval + link->rto; 1300 1301 /* Check if the timestamp looks valid. */ 1302 if (time_after(hbinfo->sent_at, jiffies) || 1303 time_after(jiffies, hbinfo->sent_at + max_interval)) { 1304 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " 1305 "for transport:%p\n", __func__, link); 1306 1307 return SCTP_DISPOSITION_DISCARD; 1308 } 1309 1310 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of 1311 * the HEARTBEAT should clear the error counter of the 1312 * destination transport address to which the HEARTBEAT was 1313 * sent and mark the destination transport address as active if 1314 * it is not so marked. 1315 */ 1316 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); 1317 1318 return SCTP_DISPOSITION_CONSUME; 1319} 1320 1321/* Helper function to send out an abort for the restart 1322 * condition. 1323 */ 1324static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, 1325 struct sctp_chunk *init, 1326 struct sctp_cmd_seq *commands) 1327{ 1328 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); 1329 union sctp_addr_param *addrparm; 1330 struct sctp_errhdr *errhdr; 1331 char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; 1332 struct sctp_endpoint *ep; 1333 struct sctp_packet *pkt; 1334 int len; 1335 1336 /* Build the error on the stack. We are way to malloc crazy 1337 * throughout the code today. 1338 */ 1339 errhdr = (struct sctp_errhdr *)buffer; 1340 addrparm = (union sctp_addr_param *)errhdr->variable; 1341 1342 /* Copy into a parm format. */ 1343 len = af->to_addr_param(ssa, addrparm); 1344 len += sizeof(*errhdr); 1345 1346 errhdr->cause = SCTP_ERROR_RESTART; 1347 errhdr->length = htons(len); 1348 1349 /* Assign to the control socket. */ 1350 ep = sctp_sk(net->sctp.ctl_sock)->ep; 1351 1352 /* Association is NULL since this may be a restart attack and we 1353 * want to send back the attacker's vtag. 1354 */ 1355 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); 1356 1357 if (!pkt) 1358 goto out; 1359 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); 1360 1361 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1362 1363 /* Discard the rest of the inbound packet. */ 1364 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 1365 1366out: 1367 /* Even if there is no memory, treat as a failure so 1368 * the packet will get dropped. 1369 */ 1370 return 0; 1371} 1372 1373static bool list_has_sctp_addr(const struct list_head *list, 1374 union sctp_addr *ipaddr) 1375{ 1376 struct sctp_transport *addr; 1377 1378 list_for_each_entry(addr, list, transports) { 1379 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) 1380 return true; 1381 } 1382 1383 return false; 1384} 1385/* A restart is occurring, check to make sure no new addresses 1386 * are being added as we may be under a takeover attack. 1387 */ 1388static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, 1389 const struct sctp_association *asoc, 1390 struct sctp_chunk *init, 1391 struct sctp_cmd_seq *commands) 1392{ 1393 struct net *net = new_asoc->base.net; 1394 struct sctp_transport *new_addr; 1395 int ret = 1; 1396 1397 /* Implementor's Guide - Section 5.2.2 1398 * ... 1399 * Before responding the endpoint MUST check to see if the 1400 * unexpected INIT adds new addresses to the association. If new 1401 * addresses are added to the association, the endpoint MUST respond 1402 * with an ABORT.. 1403 */ 1404 1405 /* Search through all current addresses and make sure 1406 * we aren't adding any new ones. 1407 */ 1408 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, 1409 transports) { 1410 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, 1411 &new_addr->ipaddr)) { 1412 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, 1413 commands); 1414 ret = 0; 1415 break; 1416 } 1417 } 1418 1419 /* Return success if all addresses were found. */ 1420 return ret; 1421} 1422 1423/* Populate the verification/tie tags based on overlapping INIT 1424 * scenario. 1425 * 1426 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. 1427 */ 1428static void sctp_tietags_populate(struct sctp_association *new_asoc, 1429 const struct sctp_association *asoc) 1430{ 1431 switch (asoc->state) { 1432 1433 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ 1434 1435 case SCTP_STATE_COOKIE_WAIT: 1436 new_asoc->c.my_vtag = asoc->c.my_vtag; 1437 new_asoc->c.my_ttag = asoc->c.my_vtag; 1438 new_asoc->c.peer_ttag = 0; 1439 break; 1440 1441 case SCTP_STATE_COOKIE_ECHOED: 1442 new_asoc->c.my_vtag = asoc->c.my_vtag; 1443 new_asoc->c.my_ttag = asoc->c.my_vtag; 1444 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1445 break; 1446 1447 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, 1448 * COOKIE-WAIT and SHUTDOWN-ACK-SENT 1449 */ 1450 default: 1451 new_asoc->c.my_ttag = asoc->c.my_vtag; 1452 new_asoc->c.peer_ttag = asoc->c.peer_vtag; 1453 break; 1454 } 1455 1456 /* Other parameters for the endpoint SHOULD be copied from the 1457 * existing parameters of the association (e.g. number of 1458 * outbound streams) into the INIT ACK and cookie. 1459 */ 1460 new_asoc->rwnd = asoc->rwnd; 1461 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; 1462 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; 1463 new_asoc->c.initial_tsn = asoc->c.initial_tsn; 1464} 1465 1466/* 1467 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO 1468 * handling action. 1469 * 1470 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. 1471 * 1472 * Returns value representing action to be taken. These action values 1473 * correspond to Action/Description values in RFC 2960, Table 2. 1474 */ 1475static char sctp_tietags_compare(struct sctp_association *new_asoc, 1476 const struct sctp_association *asoc) 1477{ 1478 /* In this case, the peer may have restarted. */ 1479 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1480 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && 1481 (asoc->c.my_vtag == new_asoc->c.my_ttag) && 1482 (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) 1483 return 'A'; 1484 1485 /* Collision case B. */ 1486 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1487 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || 1488 (0 == asoc->c.peer_vtag))) { 1489 return 'B'; 1490 } 1491 1492 /* Collision case D. */ 1493 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && 1494 (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) 1495 return 'D'; 1496 1497 /* Collision case C. */ 1498 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && 1499 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && 1500 (0 == new_asoc->c.my_ttag) && 1501 (0 == new_asoc->c.peer_ttag)) 1502 return 'C'; 1503 1504 /* No match to any of the special cases; discard this packet. */ 1505 return 'E'; 1506} 1507 1508/* Common helper routine for both duplicate and simultaneous INIT 1509 * chunk handling. 1510 */ 1511static enum sctp_disposition sctp_sf_do_unexpected_init( 1512 struct net *net, 1513 const struct sctp_endpoint *ep, 1514 const struct sctp_association *asoc, 1515 const union sctp_subtype type, 1516 void *arg, 1517 struct sctp_cmd_seq *commands) 1518{ 1519 struct sctp_chunk *chunk = arg, *repl, *err_chunk; 1520 struct sctp_unrecognized_param *unk_param; 1521 struct sctp_association *new_asoc; 1522 enum sctp_disposition retval; 1523 struct sctp_packet *packet; 1524 int len; 1525 1526 /* 6.10 Bundling 1527 * An endpoint MUST NOT bundle INIT, INIT ACK or 1528 * SHUTDOWN COMPLETE with any other chunks. 1529 * 1530 * IG Section 2.11.2 1531 * Furthermore, we require that the receiver of an INIT chunk MUST 1532 * enforce these rules by silently discarding an arriving packet 1533 * with an INIT chunk that is bundled with other chunks. 1534 */ 1535 if (!chunk->singleton) 1536 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1537 1538 /* Make sure that the INIT chunk has a valid length. */ 1539 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 1540 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1541 1542 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification 1543 * Tag. 1544 */ 1545 if (chunk->sctp_hdr->vtag != 0) 1546 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 1547 1548 if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port) 1549 return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands); 1550 1551 /* Grab the INIT header. */ 1552 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; 1553 1554 /* Tag the variable length parameters. */ 1555 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); 1556 1557 /* Verify the INIT chunk before processing it. */ 1558 err_chunk = NULL; 1559 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, 1560 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, 1561 &err_chunk)) { 1562 /* This chunk contains fatal error. It is to be discarded. 1563 * Send an ABORT, with causes if there is any. 1564 */ 1565 if (err_chunk) { 1566 packet = sctp_abort_pkt_new(net, ep, asoc, arg, 1567 (__u8 *)(err_chunk->chunk_hdr) + 1568 sizeof(struct sctp_chunkhdr), 1569 ntohs(err_chunk->chunk_hdr->length) - 1570 sizeof(struct sctp_chunkhdr)); 1571 1572 if (packet) { 1573 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 1574 SCTP_PACKET(packet)); 1575 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 1576 retval = SCTP_DISPOSITION_CONSUME; 1577 } else { 1578 retval = SCTP_DISPOSITION_NOMEM; 1579 } 1580 goto cleanup; 1581 } else { 1582 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, 1583 commands); 1584 } 1585 } 1586 1587 /* 1588 * Other parameters for the endpoint SHOULD be copied from the 1589 * existing parameters of the association (e.g. number of 1590 * outbound streams) into the INIT ACK and cookie. 1591 * FIXME: We are copying parameters from the endpoint not the 1592 * association. 1593 */ 1594 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); 1595 if (!new_asoc) 1596 goto nomem; 1597 1598 /* Update socket peer label if first association. */ 1599 if (security_sctp_assoc_request(new_asoc, chunk->skb)) { 1600 sctp_association_free(new_asoc); 1601 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 1602 } 1603 1604 if (sctp_assoc_set_bind_addr_from_ep(new_asoc, 1605 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) 1606 goto nomem; 1607 1608 /* In the outbound INIT ACK the endpoint MUST copy its current 1609 * Verification Tag and Peers Verification tag into a reserved 1610 * place (local tie-tag and per tie-tag) within the state cookie. 1611 */ 1612 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), 1613 (struct sctp_init_chunk *)chunk->chunk_hdr, 1614 GFP_ATOMIC)) 1615 goto nomem; 1616 1617 /* Make sure no new addresses are being added during the 1618 * restart. Do not do this check for COOKIE-WAIT state, 1619 * since there are no peer addresses to check against. 1620 * Upon return an ABORT will have been sent if needed. 1621 */ 1622 if (!sctp_state(asoc, COOKIE_WAIT)) { 1623 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, 1624 commands)) { 1625 retval = SCTP_DISPOSITION_CONSUME; 1626 goto nomem_retval; 1627 } 1628 } 1629 1630 sctp_tietags_populate(new_asoc, asoc); 1631 1632 /* B) "Z" shall respond immediately with an INIT ACK chunk. */ 1633 1634 /* If there are errors need to be reported for unknown parameters, 1635 * make sure to reserve enough room in the INIT ACK for them. 1636 */ 1637 len = 0; 1638 if (err_chunk) { 1639 len = ntohs(err_chunk->chunk_hdr->length) - 1640 sizeof(struct sctp_chunkhdr); 1641 } 1642 1643 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); 1644 if (!repl) 1645 goto nomem; 1646 1647 /* If there are errors need to be reported for unknown parameters, 1648 * include them in the outgoing INIT ACK as "Unrecognized parameter" 1649 * parameter. 1650 */ 1651 if (err_chunk) { 1652 /* Get the "Unrecognized parameter" parameter(s) out of the 1653 * ERROR chunk generated by sctp_verify_init(). Since the 1654 * error cause code for "unknown parameter" and the 1655 * "Unrecognized parameter" type is the same, we can 1656 * construct the parameters in INIT ACK by copying the 1657 * ERROR causes over. 1658 */ 1659 unk_param = (struct sctp_unrecognized_param *) 1660 ((__u8 *)(err_chunk->chunk_hdr) + 1661 sizeof(struct sctp_chunkhdr)); 1662 /* Replace the cause code with the "Unrecognized parameter" 1663 * parameter type. 1664 */ 1665 sctp_addto_chunk(repl, len, unk_param); 1666 } 1667 1668 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); 1669 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1670 1671 /* 1672 * Note: After sending out INIT ACK with the State Cookie parameter, 1673 * "Z" MUST NOT allocate any resources for this new association. 1674 * Otherwise, "Z" will be vulnerable to resource attacks. 1675 */ 1676 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 1677 retval = SCTP_DISPOSITION_CONSUME; 1678 1679 return retval; 1680 1681nomem: 1682 retval = SCTP_DISPOSITION_NOMEM; 1683nomem_retval: 1684 if (new_asoc) 1685 sctp_association_free(new_asoc); 1686cleanup: 1687 if (err_chunk) 1688 sctp_chunk_free(err_chunk); 1689 return retval; 1690} 1691 1692/* 1693 * Handle simultaneous INIT. 1694 * This means we started an INIT and then we got an INIT request from 1695 * our peer. 1696 * 1697 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) 1698 * This usually indicates an initialization collision, i.e., each 1699 * endpoint is attempting, at about the same time, to establish an 1700 * association with the other endpoint. 1701 * 1702 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an 1703 * endpoint MUST respond with an INIT ACK using the same parameters it 1704 * sent in its original INIT chunk (including its Verification Tag, 1705 * unchanged). These original parameters are combined with those from the 1706 * newly received INIT chunk. The endpoint shall also generate a State 1707 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its 1708 * INIT to calculate the State Cookie. 1709 * 1710 * After that, the endpoint MUST NOT change its state, the T1-init 1711 * timer shall be left running and the corresponding TCB MUST NOT be 1712 * destroyed. The normal procedures for handling State Cookies when 1713 * a TCB exists will resolve the duplicate INITs to a single association. 1714 * 1715 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate 1716 * its Tie-Tags with the Tag information of itself and its peer (see 1717 * section 5.2.2 for a description of the Tie-Tags). 1718 * 1719 * Verification Tag: Not explicit, but an INIT can not have a valid 1720 * verification tag, so we skip the check. 1721 * 1722 * Inputs 1723 * (endpoint, asoc, chunk) 1724 * 1725 * Outputs 1726 * (asoc, reply_msg, msg_up, timers, counters) 1727 * 1728 * The return value is the disposition of the chunk. 1729 */ 1730enum sctp_disposition sctp_sf_do_5_2_1_siminit( 1731 struct net *net, 1732 const struct sctp_endpoint *ep, 1733 const struct sctp_association *asoc, 1734 const union sctp_subtype type, 1735 void *arg, 1736 struct sctp_cmd_seq *commands) 1737{ 1738 /* Call helper to do the real work for both simultaneous and 1739 * duplicate INIT chunk handling. 1740 */ 1741 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1742} 1743 1744/* 1745 * Handle duplicated INIT messages. These are usually delayed 1746 * restransmissions. 1747 * 1748 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, 1749 * COOKIE-ECHOED and COOKIE-WAIT 1750 * 1751 * Unless otherwise stated, upon reception of an unexpected INIT for 1752 * this association, the endpoint shall generate an INIT ACK with a 1753 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its 1754 * current Verification Tag and peer's Verification Tag into a reserved 1755 * place within the state cookie. We shall refer to these locations as 1756 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet 1757 * containing this INIT ACK MUST carry a Verification Tag value equal to 1758 * the Initiation Tag found in the unexpected INIT. And the INIT ACK 1759 * MUST contain a new Initiation Tag (randomly generated see Section 1760 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the 1761 * existing parameters of the association (e.g. number of outbound 1762 * streams) into the INIT ACK and cookie. 1763 * 1764 * After sending out the INIT ACK, the endpoint shall take no further 1765 * actions, i.e., the existing association, including its current state, 1766 * and the corresponding TCB MUST NOT be changed. 1767 * 1768 * Note: Only when a TCB exists and the association is not in a COOKIE- 1769 * WAIT state are the Tie-Tags populated. For a normal association INIT 1770 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be 1771 * set to 0 (indicating that no previous TCB existed). The INIT ACK and 1772 * State Cookie are populated as specified in section 5.2.1. 1773 * 1774 * Verification Tag: Not specified, but an INIT has no way of knowing 1775 * what the verification tag could be, so we ignore it. 1776 * 1777 * Inputs 1778 * (endpoint, asoc, chunk) 1779 * 1780 * Outputs 1781 * (asoc, reply_msg, msg_up, timers, counters) 1782 * 1783 * The return value is the disposition of the chunk. 1784 */ 1785enum sctp_disposition sctp_sf_do_5_2_2_dupinit( 1786 struct net *net, 1787 const struct sctp_endpoint *ep, 1788 const struct sctp_association *asoc, 1789 const union sctp_subtype type, 1790 void *arg, 1791 struct sctp_cmd_seq *commands) 1792{ 1793 /* Call helper to do the real work for both simultaneous and 1794 * duplicate INIT chunk handling. 1795 */ 1796 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); 1797} 1798 1799 1800/* 1801 * Unexpected INIT-ACK handler. 1802 * 1803 * Section 5.2.3 1804 * If an INIT ACK received by an endpoint in any state other than the 1805 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. 1806 * An unexpected INIT ACK usually indicates the processing of an old or 1807 * duplicated INIT chunk. 1808*/ 1809enum sctp_disposition sctp_sf_do_5_2_3_initack( 1810 struct net *net, 1811 const struct sctp_endpoint *ep, 1812 const struct sctp_association *asoc, 1813 const union sctp_subtype type, 1814 void *arg, 1815 struct sctp_cmd_seq *commands) 1816{ 1817 /* Per the above section, we'll discard the chunk if we have an 1818 * endpoint. If this is an OOTB INIT-ACK, treat it as such. 1819 */ 1820 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) 1821 return sctp_sf_ootb(net, ep, asoc, type, arg, commands); 1822 else 1823 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); 1824} 1825 1826static int sctp_sf_do_assoc_update(struct sctp_association *asoc, 1827 struct sctp_association *new, 1828 struct sctp_cmd_seq *cmds) 1829{ 1830 struct net *net = asoc->base.net; 1831 struct sctp_chunk *abort; 1832 1833 if (!sctp_assoc_update(asoc, new)) 1834 return 0; 1835 1836 abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); 1837 if (abort) { 1838 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 1839 sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 1840 } 1841 sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); 1842 sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED, 1843 SCTP_PERR(SCTP_ERROR_RSRC_LOW)); 1844 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 1845 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 1846 1847 return -ENOMEM; 1848} 1849 1850/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') 1851 * 1852 * Section 5.2.4 1853 * A) In this case, the peer may have restarted. 1854 */ 1855static enum sctp_disposition sctp_sf_do_dupcook_a( 1856 struct net *net, 1857 const struct sctp_endpoint *ep, 1858 const struct sctp_association *asoc, 1859 struct sctp_chunk *chunk, 1860 struct sctp_cmd_seq *commands, 1861 struct sctp_association *new_asoc) 1862{ 1863 struct sctp_init_chunk *peer_init; 1864 enum sctp_disposition disposition; 1865 struct sctp_ulpevent *ev; 1866 struct sctp_chunk *repl; 1867 struct sctp_chunk *err; 1868 1869 /* new_asoc is a brand-new association, so these are not yet 1870 * side effects--it is safe to run them here. 1871 */ 1872 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1873 1874 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1875 GFP_ATOMIC)) 1876 goto nomem; 1877 1878 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1879 goto nomem; 1880 1881 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 1882 return SCTP_DISPOSITION_DISCARD; 1883 1884 /* Make sure no new addresses are being added during the 1885 * restart. Though this is a pretty complicated attack 1886 * since you'd have to get inside the cookie. 1887 */ 1888 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) 1889 return SCTP_DISPOSITION_CONSUME; 1890 1891 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes 1892 * the peer has restarted (Action A), it MUST NOT setup a new 1893 * association but instead resend the SHUTDOWN ACK and send an ERROR 1894 * chunk with a "Cookie Received while Shutting Down" error cause to 1895 * its peer. 1896 */ 1897 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { 1898 disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, 1899 SCTP_ST_CHUNK(chunk->chunk_hdr->type), 1900 chunk, commands); 1901 if (SCTP_DISPOSITION_NOMEM == disposition) 1902 goto nomem; 1903 1904 err = sctp_make_op_error(asoc, chunk, 1905 SCTP_ERROR_COOKIE_IN_SHUTDOWN, 1906 NULL, 0, 0); 1907 if (err) 1908 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 1909 SCTP_CHUNK(err)); 1910 1911 return SCTP_DISPOSITION_CONSUME; 1912 } 1913 1914 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked 1915 * data. Consider the optional choice of resending of this data. 1916 */ 1917 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 1918 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1919 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); 1920 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); 1921 1922 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue 1923 * and ASCONF-ACK cache. 1924 */ 1925 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 1926 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 1927 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); 1928 1929 /* Update the content of current association. */ 1930 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) 1931 goto nomem; 1932 1933 repl = sctp_make_cookie_ack(asoc, chunk); 1934 if (!repl) 1935 goto nomem; 1936 1937 /* Report association restart to upper layer. */ 1938 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, 1939 asoc->c.sinit_num_ostreams, 1940 asoc->c.sinit_max_instreams, 1941 NULL, GFP_ATOMIC); 1942 if (!ev) 1943 goto nomem_ev; 1944 1945 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 1946 if ((sctp_state(asoc, SHUTDOWN_PENDING) || 1947 sctp_state(asoc, SHUTDOWN_SENT)) && 1948 (sctp_sstate(asoc->base.sk, CLOSING) || 1949 sock_flag(asoc->base.sk, SOCK_DEAD))) { 1950 /* If the socket has been closed by user, don't 1951 * transition to ESTABLISHED. Instead trigger SHUTDOWN 1952 * bundled with COOKIE_ACK. 1953 */ 1954 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1955 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, 1956 SCTP_ST_CHUNK(0), repl, 1957 commands); 1958 } else { 1959 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 1960 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 1961 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 1962 } 1963 return SCTP_DISPOSITION_CONSUME; 1964 1965nomem_ev: 1966 sctp_chunk_free(repl); 1967nomem: 1968 return SCTP_DISPOSITION_NOMEM; 1969} 1970 1971/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') 1972 * 1973 * Section 5.2.4 1974 * B) In this case, both sides may be attempting to start an association 1975 * at about the same time but the peer endpoint started its INIT 1976 * after responding to the local endpoint's INIT 1977 */ 1978/* This case represents an initialization collision. */ 1979static enum sctp_disposition sctp_sf_do_dupcook_b( 1980 struct net *net, 1981 const struct sctp_endpoint *ep, 1982 const struct sctp_association *asoc, 1983 struct sctp_chunk *chunk, 1984 struct sctp_cmd_seq *commands, 1985 struct sctp_association *new_asoc) 1986{ 1987 struct sctp_init_chunk *peer_init; 1988 struct sctp_chunk *repl; 1989 1990 /* new_asoc is a brand-new association, so these are not yet 1991 * side effects--it is safe to run them here. 1992 */ 1993 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; 1994 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, 1995 GFP_ATOMIC)) 1996 goto nomem; 1997 1998 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) 1999 goto nomem; 2000 2001 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) 2002 return SCTP_DISPOSITION_DISCARD; 2003 2004 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2005 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2006 if (asoc->state < SCTP_STATE_ESTABLISHED) 2007 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2008 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); 2009 2010 /* Update the content of current association. */ 2011 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) 2012 goto nomem; 2013 2014 repl = sctp_make_cookie_ack(asoc, chunk); 2015 if (!repl) 2016 goto nomem; 2017 2018 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2019 2020 /* RFC 2960 5.1 Normal Establishment of an Association 2021 * 2022 * D) IMPLEMENTATION NOTE: An implementation may choose to 2023 * send the Communication Up notification to the SCTP user 2024 * upon reception of a valid COOKIE ECHO chunk. 2025 * 2026 * Sadly, this needs to be implemented as a side-effect, because 2027 * we are not guaranteed to have set the association id of the real 2028 * association and so these notifications need to be delayed until 2029 * the association id is allocated. 2030 */ 2031 2032 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); 2033 2034 /* Sockets API Draft Section 5.3.1.6 2035 * When a peer sends a Adaptation Layer Indication parameter , SCTP 2036 * delivers this notification to inform the application that of the 2037 * peers requested adaptation layer. 2038 * 2039 * This also needs to be done as a side effect for the same reason as 2040 * above. 2041 */ 2042 if (asoc->peer.adaptation_ind) 2043 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); 2044 2045 if (!asoc->peer.auth_capable) 2046 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); 2047 2048 return SCTP_DISPOSITION_CONSUME; 2049 2050nomem: 2051 return SCTP_DISPOSITION_NOMEM; 2052} 2053 2054/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') 2055 * 2056 * Section 5.2.4 2057 * C) In this case, the local endpoint's cookie has arrived late. 2058 * Before it arrived, the local endpoint sent an INIT and received an 2059 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag 2060 * but a new tag of its own. 2061 */ 2062/* This case represents an initialization collision. */ 2063static enum sctp_disposition sctp_sf_do_dupcook_c( 2064 struct net *net, 2065 const struct sctp_endpoint *ep, 2066 const struct sctp_association *asoc, 2067 struct sctp_chunk *chunk, 2068 struct sctp_cmd_seq *commands, 2069 struct sctp_association *new_asoc) 2070{ 2071 /* The cookie should be silently discarded. 2072 * The endpoint SHOULD NOT change states and should leave 2073 * any timers running. 2074 */ 2075 return SCTP_DISPOSITION_DISCARD; 2076} 2077 2078/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') 2079 * 2080 * Section 5.2.4 2081 * 2082 * D) When both local and remote tags match the endpoint should always 2083 * enter the ESTABLISHED state, if it has not already done so. 2084 */ 2085/* This case represents an initialization collision. */ 2086static enum sctp_disposition sctp_sf_do_dupcook_d( 2087 struct net *net, 2088 const struct sctp_endpoint *ep, 2089 const struct sctp_association *asoc, 2090 struct sctp_chunk *chunk, 2091 struct sctp_cmd_seq *commands, 2092 struct sctp_association *new_asoc) 2093{ 2094 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; 2095 struct sctp_chunk *repl; 2096 2097 /* Clarification from Implementor's Guide: 2098 * D) When both local and remote tags match the endpoint should 2099 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. 2100 * It should stop any cookie timer that may be running and send 2101 * a COOKIE ACK. 2102 */ 2103 2104 if (!sctp_auth_chunk_verify(net, chunk, asoc)) 2105 return SCTP_DISPOSITION_DISCARD; 2106 2107 /* Don't accidentally move back into established state. */ 2108 if (asoc->state < SCTP_STATE_ESTABLISHED) { 2109 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2110 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2111 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2112 SCTP_STATE(SCTP_STATE_ESTABLISHED)); 2113 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); 2114 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, 2115 SCTP_NULL()); 2116 2117 /* RFC 2960 5.1 Normal Establishment of an Association 2118 * 2119 * D) IMPLEMENTATION NOTE: An implementation may choose 2120 * to send the Communication Up notification to the 2121 * SCTP user upon reception of a valid COOKIE 2122 * ECHO chunk. 2123 */ 2124 ev = sctp_ulpevent_make_assoc_change(asoc, 0, 2125 SCTP_COMM_UP, 0, 2126 asoc->c.sinit_num_ostreams, 2127 asoc->c.sinit_max_instreams, 2128 NULL, GFP_ATOMIC); 2129 if (!ev) 2130 goto nomem; 2131 2132 /* Sockets API Draft Section 5.3.1.6 2133 * When a peer sends a Adaptation Layer Indication parameter, 2134 * SCTP delivers this notification to inform the application 2135 * that of the peers requested adaptation layer. 2136 */ 2137 if (asoc->peer.adaptation_ind) { 2138 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, 2139 GFP_ATOMIC); 2140 if (!ai_ev) 2141 goto nomem; 2142 2143 } 2144 2145 if (!asoc->peer.auth_capable) { 2146 auth_ev = sctp_ulpevent_make_authkey(asoc, 0, 2147 SCTP_AUTH_NO_AUTH, 2148 GFP_ATOMIC); 2149 if (!auth_ev) 2150 goto nomem; 2151 } 2152 } 2153 2154 repl = sctp_make_cookie_ack(asoc, chunk); 2155 if (!repl) 2156 goto nomem; 2157 2158 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 2159 2160 if (ev) 2161 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2162 SCTP_ULPEVENT(ev)); 2163 if (ai_ev) 2164 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2165 SCTP_ULPEVENT(ai_ev)); 2166 if (auth_ev) 2167 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 2168 SCTP_ULPEVENT(auth_ev)); 2169 2170 return SCTP_DISPOSITION_CONSUME; 2171 2172nomem: 2173 if (auth_ev) 2174 sctp_ulpevent_free(auth_ev); 2175 if (ai_ev) 2176 sctp_ulpevent_free(ai_ev); 2177 if (ev) 2178 sctp_ulpevent_free(ev); 2179 return SCTP_DISPOSITION_NOMEM; 2180} 2181 2182/* 2183 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying 2184 * chunk was retransmitted and then delayed in the network. 2185 * 2186 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists 2187 * 2188 * Verification Tag: None. Do cookie validation. 2189 * 2190 * Inputs 2191 * (endpoint, asoc, chunk) 2192 * 2193 * Outputs 2194 * (asoc, reply_msg, msg_up, timers, counters) 2195 * 2196 * The return value is the disposition of the chunk. 2197 */ 2198enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 2199 struct net *net, 2200 const struct sctp_endpoint *ep, 2201 const struct sctp_association *asoc, 2202 const union sctp_subtype type, 2203 void *arg, 2204 struct sctp_cmd_seq *commands) 2205{ 2206 struct sctp_association *new_asoc; 2207 struct sctp_chunk *chunk = arg; 2208 enum sctp_disposition retval; 2209 struct sctp_chunk *err_chk_p; 2210 int error = 0; 2211 char action; 2212 2213 /* Make sure that the chunk has a valid length from the protocol 2214 * perspective. In this case check to make sure we have at least 2215 * enough for the chunk header. Cookie length verification is 2216 * done later. 2217 */ 2218 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { 2219 if (!sctp_vtag_verify(chunk, asoc)) 2220 asoc = NULL; 2221 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); 2222 } 2223 2224 /* "Decode" the chunk. We have no optional parameters so we 2225 * are in good shape. 2226 */ 2227 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 2228 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 2229 sizeof(struct sctp_chunkhdr))) 2230 goto nomem; 2231 2232 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 2233 * of a duplicate COOKIE ECHO match the Verification Tags of the 2234 * current association, consider the State Cookie valid even if 2235 * the lifespan is exceeded. 2236 */ 2237 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, 2238 &err_chk_p); 2239 2240 /* FIXME: 2241 * If the re-build failed, what is the proper error path 2242 * from here? 2243 * 2244 * [We should abort the association. --piggy] 2245 */ 2246 if (!new_asoc) { 2247 /* FIXME: Several errors are possible. A bad cookie should 2248 * be silently discarded, but think about logging it too. 2249 */ 2250 switch (error) { 2251 case -SCTP_IERROR_NOMEM: 2252 goto nomem; 2253 2254 case -SCTP_IERROR_STALE_COOKIE: 2255 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, 2256 err_chk_p); 2257 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2258 case -SCTP_IERROR_BAD_SIG: 2259 default: 2260 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2261 } 2262 } 2263 2264 /* Update socket peer label if first association. */ 2265 if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) { 2266 sctp_association_free(new_asoc); 2267 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2268 } 2269 2270 /* Set temp so that it won't be added into hashtable */ 2271 new_asoc->temp = 1; 2272 2273 /* Compare the tie_tag in cookie with the verification tag of 2274 * current association. 2275 */ 2276 action = sctp_tietags_compare(new_asoc, asoc); 2277 2278 switch (action) { 2279 case 'A': /* Association restart. */ 2280 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, 2281 new_asoc); 2282 break; 2283 2284 case 'B': /* Collision case B. */ 2285 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, 2286 new_asoc); 2287 break; 2288 2289 case 'C': /* Collision case C. */ 2290 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, 2291 new_asoc); 2292 break; 2293 2294 case 'D': /* Collision case D. */ 2295 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, 2296 new_asoc); 2297 break; 2298 2299 default: /* Discard packet for all others. */ 2300 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2301 break; 2302 } 2303 2304 /* Delete the temporary new association. */ 2305 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); 2306 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 2307 2308 /* Restore association pointer to provide SCTP command interpreter 2309 * with a valid context in case it needs to manipulate 2310 * the queues */ 2311 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, 2312 SCTP_ASOC((struct sctp_association *)asoc)); 2313 2314 return retval; 2315 2316nomem: 2317 return SCTP_DISPOSITION_NOMEM; 2318} 2319 2320/* 2321 * Process an ABORT. (SHUTDOWN-PENDING state) 2322 * 2323 * See sctp_sf_do_9_1_abort(). 2324 */ 2325enum sctp_disposition sctp_sf_shutdown_pending_abort( 2326 struct net *net, 2327 const struct sctp_endpoint *ep, 2328 const struct sctp_association *asoc, 2329 const union sctp_subtype type, 2330 void *arg, 2331 struct sctp_cmd_seq *commands) 2332{ 2333 struct sctp_chunk *chunk = arg; 2334 2335 if (!sctp_vtag_verify_either(chunk, asoc)) 2336 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2337 2338 /* Make sure that the ABORT chunk has a valid length. 2339 * Since this is an ABORT chunk, we have to discard it 2340 * because of the following text: 2341 * RFC 2960, Section 3.3.7 2342 * If an endpoint receives an ABORT with a format error or for an 2343 * association that doesn't exist, it MUST silently discard it. 2344 * Because the length is "invalid", we can't really discard just 2345 * as we do not know its true length. So, to be safe, discard the 2346 * packet. 2347 */ 2348 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2349 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2350 2351 /* ADD-IP: Special case for ABORT chunks 2352 * F4) One special consideration is that ABORT Chunks arriving 2353 * destined to the IP address being deleted MUST be 2354 * ignored (see Section 5.3.1 for further details). 2355 */ 2356 if (SCTP_ADDR_DEL == 2357 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2358 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2359 2360 if (!sctp_err_chunk_valid(chunk)) 2361 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2362 2363 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2364} 2365 2366/* 2367 * Process an ABORT. (SHUTDOWN-SENT state) 2368 * 2369 * See sctp_sf_do_9_1_abort(). 2370 */ 2371enum sctp_disposition sctp_sf_shutdown_sent_abort( 2372 struct net *net, 2373 const struct sctp_endpoint *ep, 2374 const struct sctp_association *asoc, 2375 const union sctp_subtype type, 2376 void *arg, 2377 struct sctp_cmd_seq *commands) 2378{ 2379 struct sctp_chunk *chunk = arg; 2380 2381 if (!sctp_vtag_verify_either(chunk, asoc)) 2382 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2383 2384 /* Make sure that the ABORT chunk has a valid length. 2385 * Since this is an ABORT chunk, we have to discard it 2386 * because of the following text: 2387 * RFC 2960, Section 3.3.7 2388 * If an endpoint receives an ABORT with a format error or for an 2389 * association that doesn't exist, it MUST silently discard it. 2390 * Because the length is "invalid", we can't really discard just 2391 * as we do not know its true length. So, to be safe, discard the 2392 * packet. 2393 */ 2394 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2395 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2396 2397 /* ADD-IP: Special case for ABORT chunks 2398 * F4) One special consideration is that ABORT Chunks arriving 2399 * destined to the IP address being deleted MUST be 2400 * ignored (see Section 5.3.1 for further details). 2401 */ 2402 if (SCTP_ADDR_DEL == 2403 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2404 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2405 2406 if (!sctp_err_chunk_valid(chunk)) 2407 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2408 2409 /* Stop the T2-shutdown timer. */ 2410 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2411 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 2412 2413 /* Stop the T5-shutdown guard timer. */ 2414 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2415 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 2416 2417 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2418} 2419 2420/* 2421 * Process an ABORT. (SHUTDOWN-ACK-SENT state) 2422 * 2423 * See sctp_sf_do_9_1_abort(). 2424 */ 2425enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( 2426 struct net *net, 2427 const struct sctp_endpoint *ep, 2428 const struct sctp_association *asoc, 2429 const union sctp_subtype type, 2430 void *arg, 2431 struct sctp_cmd_seq *commands) 2432{ 2433 /* The same T2 timer, so we should be able to use 2434 * common function with the SHUTDOWN-SENT state. 2435 */ 2436 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); 2437} 2438 2439/* 2440 * Handle an Error received in COOKIE_ECHOED state. 2441 * 2442 * Only handle the error type of stale COOKIE Error, the other errors will 2443 * be ignored. 2444 * 2445 * Inputs 2446 * (endpoint, asoc, chunk) 2447 * 2448 * Outputs 2449 * (asoc, reply_msg, msg_up, timers, counters) 2450 * 2451 * The return value is the disposition of the chunk. 2452 */ 2453enum sctp_disposition sctp_sf_cookie_echoed_err( 2454 struct net *net, 2455 const struct sctp_endpoint *ep, 2456 const struct sctp_association *asoc, 2457 const union sctp_subtype type, 2458 void *arg, 2459 struct sctp_cmd_seq *commands) 2460{ 2461 struct sctp_chunk *chunk = arg; 2462 struct sctp_errhdr *err; 2463 2464 if (!sctp_vtag_verify(chunk, asoc)) 2465 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2466 2467 /* Make sure that the ERROR chunk has a valid length. 2468 * The parameter walking depends on this as well. 2469 */ 2470 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 2471 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2472 commands); 2473 2474 /* Process the error here */ 2475 /* FUTURE FIXME: When PR-SCTP related and other optional 2476 * parms are emitted, this will have to change to handle multiple 2477 * errors. 2478 */ 2479 sctp_walk_errors(err, chunk->chunk_hdr) { 2480 if (SCTP_ERROR_STALE_COOKIE == err->cause) 2481 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, 2482 arg, commands); 2483 } 2484 2485 /* It is possible to have malformed error causes, and that 2486 * will cause us to end the walk early. However, since 2487 * we are discarding the packet, there should be no adverse 2488 * affects. 2489 */ 2490 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2491} 2492 2493/* 2494 * Handle a Stale COOKIE Error 2495 * 2496 * Section: 5.2.6 Handle Stale COOKIE Error 2497 * If the association is in the COOKIE-ECHOED state, the endpoint may elect 2498 * one of the following three alternatives. 2499 * ... 2500 * 3) Send a new INIT chunk to the endpoint, adding a Cookie 2501 * Preservative parameter requesting an extension to the lifetime of 2502 * the State Cookie. When calculating the time extension, an 2503 * implementation SHOULD use the RTT information measured based on the 2504 * previous COOKIE ECHO / ERROR exchange, and should add no more 2505 * than 1 second beyond the measured RTT, due to long State Cookie 2506 * lifetimes making the endpoint more subject to a replay attack. 2507 * 2508 * Verification Tag: Not explicit, but safe to ignore. 2509 * 2510 * Inputs 2511 * (endpoint, asoc, chunk) 2512 * 2513 * Outputs 2514 * (asoc, reply_msg, msg_up, timers, counters) 2515 * 2516 * The return value is the disposition of the chunk. 2517 */ 2518static enum sctp_disposition sctp_sf_do_5_2_6_stale( 2519 struct net *net, 2520 const struct sctp_endpoint *ep, 2521 const struct sctp_association *asoc, 2522 const union sctp_subtype type, 2523 void *arg, 2524 struct sctp_cmd_seq *commands) 2525{ 2526 int attempts = asoc->init_err_counter + 1; 2527 struct sctp_chunk *chunk = arg, *reply; 2528 struct sctp_cookie_preserve_param bht; 2529 struct sctp_bind_addr *bp; 2530 struct sctp_errhdr *err; 2531 u32 stale; 2532 2533 if (attempts > asoc->max_init_attempts) { 2534 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 2535 SCTP_ERROR(ETIMEDOUT)); 2536 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2537 SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); 2538 return SCTP_DISPOSITION_DELETE_TCB; 2539 } 2540 2541 err = (struct sctp_errhdr *)(chunk->skb->data); 2542 2543 /* When calculating the time extension, an implementation 2544 * SHOULD use the RTT information measured based on the 2545 * previous COOKIE ECHO / ERROR exchange, and should add no 2546 * more than 1 second beyond the measured RTT, due to long 2547 * State Cookie lifetimes making the endpoint more subject to 2548 * a replay attack. 2549 * Measure of Staleness's unit is usec. (1/1000000 sec) 2550 * Suggested Cookie Life-span Increment's unit is msec. 2551 * (1/1000 sec) 2552 * In general, if you use the suggested cookie life, the value 2553 * found in the field of measure of staleness should be doubled 2554 * to give ample time to retransmit the new cookie and thus 2555 * yield a higher probability of success on the reattempt. 2556 */ 2557 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); 2558 stale = (stale * 2) / 1000; 2559 2560 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; 2561 bht.param_hdr.length = htons(sizeof(bht)); 2562 bht.lifespan_increment = htonl(stale); 2563 2564 /* Build that new INIT chunk. */ 2565 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 2566 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); 2567 if (!reply) 2568 goto nomem; 2569 2570 sctp_addto_chunk(reply, sizeof(bht), &bht); 2571 2572 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ 2573 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); 2574 2575 /* Stop pending T3-rtx and heartbeat timers */ 2576 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); 2577 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 2578 2579 /* Delete non-primary peer ip addresses since we are transitioning 2580 * back to the COOKIE-WAIT state 2581 */ 2582 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); 2583 2584 /* If we've sent any data bundled with COOKIE-ECHO we will need to 2585 * resend 2586 */ 2587 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, 2588 SCTP_TRANSPORT(asoc->peer.primary_path)); 2589 2590 /* Cast away the const modifier, as we want to just 2591 * rerun it through as a sideffect. 2592 */ 2593 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); 2594 2595 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2596 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 2597 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2598 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 2599 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 2600 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2601 2602 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 2603 2604 return SCTP_DISPOSITION_CONSUME; 2605 2606nomem: 2607 return SCTP_DISPOSITION_NOMEM; 2608} 2609 2610/* 2611 * Process an ABORT. 2612 * 2613 * Section: 9.1 2614 * After checking the Verification Tag, the receiving endpoint shall 2615 * remove the association from its record, and shall report the 2616 * termination to its upper layer. 2617 * 2618 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules 2619 * B) Rules for packet carrying ABORT: 2620 * 2621 * - The endpoint shall always fill in the Verification Tag field of the 2622 * outbound packet with the destination endpoint's tag value if it 2623 * is known. 2624 * 2625 * - If the ABORT is sent in response to an OOTB packet, the endpoint 2626 * MUST follow the procedure described in Section 8.4. 2627 * 2628 * - The receiver MUST accept the packet if the Verification Tag 2629 * matches either its own tag, OR the tag of its peer. Otherwise, the 2630 * receiver MUST silently discard the packet and take no further 2631 * action. 2632 * 2633 * Inputs 2634 * (endpoint, asoc, chunk) 2635 * 2636 * Outputs 2637 * (asoc, reply_msg, msg_up, timers, counters) 2638 * 2639 * The return value is the disposition of the chunk. 2640 */ 2641enum sctp_disposition sctp_sf_do_9_1_abort( 2642 struct net *net, 2643 const struct sctp_endpoint *ep, 2644 const struct sctp_association *asoc, 2645 const union sctp_subtype type, 2646 void *arg, 2647 struct sctp_cmd_seq *commands) 2648{ 2649 struct sctp_chunk *chunk = arg; 2650 2651 if (!sctp_vtag_verify_either(chunk, asoc)) 2652 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2653 2654 /* Make sure that the ABORT chunk has a valid length. 2655 * Since this is an ABORT chunk, we have to discard it 2656 * because of the following text: 2657 * RFC 2960, Section 3.3.7 2658 * If an endpoint receives an ABORT with a format error or for an 2659 * association that doesn't exist, it MUST silently discard it. 2660 * Because the length is "invalid", we can't really discard just 2661 * as we do not know its true length. So, to be safe, discard the 2662 * packet. 2663 */ 2664 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2665 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2666 2667 /* ADD-IP: Special case for ABORT chunks 2668 * F4) One special consideration is that ABORT Chunks arriving 2669 * destined to the IP address being deleted MUST be 2670 * ignored (see Section 5.3.1 for further details). 2671 */ 2672 if (SCTP_ADDR_DEL == 2673 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) 2674 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2675 2676 if (!sctp_err_chunk_valid(chunk)) 2677 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2678 2679 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); 2680} 2681 2682static enum sctp_disposition __sctp_sf_do_9_1_abort( 2683 struct net *net, 2684 const struct sctp_endpoint *ep, 2685 const struct sctp_association *asoc, 2686 const union sctp_subtype type, 2687 void *arg, 2688 struct sctp_cmd_seq *commands) 2689{ 2690 __be16 error = SCTP_ERROR_NO_ERROR; 2691 struct sctp_chunk *chunk = arg; 2692 unsigned int len; 2693 2694 /* See if we have an error cause code in the chunk. */ 2695 len = ntohs(chunk->chunk_hdr->length); 2696 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2697 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2698 2699 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); 2700 /* ASSOC_FAILED will DELETE_TCB. */ 2701 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); 2702 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2703 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 2704 2705 return SCTP_DISPOSITION_ABORT; 2706} 2707 2708/* 2709 * Process an ABORT. (COOKIE-WAIT state) 2710 * 2711 * See sctp_sf_do_9_1_abort() above. 2712 */ 2713enum sctp_disposition sctp_sf_cookie_wait_abort( 2714 struct net *net, 2715 const struct sctp_endpoint *ep, 2716 const struct sctp_association *asoc, 2717 const union sctp_subtype type, 2718 void *arg, 2719 struct sctp_cmd_seq *commands) 2720{ 2721 __be16 error = SCTP_ERROR_NO_ERROR; 2722 struct sctp_chunk *chunk = arg; 2723 unsigned int len; 2724 2725 if (!sctp_vtag_verify_either(chunk, asoc)) 2726 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2727 2728 /* Make sure that the ABORT chunk has a valid length. 2729 * Since this is an ABORT chunk, we have to discard it 2730 * because of the following text: 2731 * RFC 2960, Section 3.3.7 2732 * If an endpoint receives an ABORT with a format error or for an 2733 * association that doesn't exist, it MUST silently discard it. 2734 * Because the length is "invalid", we can't really discard just 2735 * as we do not know its true length. So, to be safe, discard the 2736 * packet. 2737 */ 2738 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) 2739 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2740 2741 /* See if we have an error cause code in the chunk. */ 2742 len = ntohs(chunk->chunk_hdr->length); 2743 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) 2744 error = ((struct sctp_errhdr *)chunk->skb->data)->cause; 2745 2746 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, 2747 chunk->transport); 2748} 2749 2750/* 2751 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) 2752 */ 2753enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( 2754 struct net *net, 2755 const struct sctp_endpoint *ep, 2756 const struct sctp_association *asoc, 2757 const union sctp_subtype type, 2758 void *arg, 2759 struct sctp_cmd_seq *commands) 2760{ 2761 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, 2762 ENOPROTOOPT, asoc, 2763 (struct sctp_transport *)arg); 2764} 2765 2766/* 2767 * Process an ABORT. (COOKIE-ECHOED state) 2768 */ 2769enum sctp_disposition sctp_sf_cookie_echoed_abort( 2770 struct net *net, 2771 const struct sctp_endpoint *ep, 2772 const struct sctp_association *asoc, 2773 const union sctp_subtype type, 2774 void *arg, 2775 struct sctp_cmd_seq *commands) 2776{ 2777 /* There is a single T1 timer, so we should be able to use 2778 * common function with the COOKIE-WAIT state. 2779 */ 2780 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); 2781} 2782 2783/* 2784 * Stop T1 timer and abort association with "INIT failed". 2785 * 2786 * This is common code called by several sctp_sf_*_abort() functions above. 2787 */ 2788static enum sctp_disposition sctp_stop_t1_and_abort( 2789 struct net *net, 2790 struct sctp_cmd_seq *commands, 2791 __be16 error, int sk_err, 2792 const struct sctp_association *asoc, 2793 struct sctp_transport *transport) 2794{ 2795 pr_debug("%s: ABORT received (INIT)\n", __func__); 2796 2797 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2798 SCTP_STATE(SCTP_STATE_CLOSED)); 2799 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 2800 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 2801 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 2802 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); 2803 /* CMD_INIT_FAILED will DELETE_TCB. */ 2804 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 2805 SCTP_PERR(error)); 2806 2807 return SCTP_DISPOSITION_ABORT; 2808} 2809 2810/* 2811 * sctp_sf_do_9_2_shut 2812 * 2813 * Section: 9.2 2814 * Upon the reception of the SHUTDOWN, the peer endpoint shall 2815 * - enter the SHUTDOWN-RECEIVED state, 2816 * 2817 * - stop accepting new data from its SCTP user 2818 * 2819 * - verify, by checking the Cumulative TSN Ack field of the chunk, 2820 * that all its outstanding DATA chunks have been received by the 2821 * SHUTDOWN sender. 2822 * 2823 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT 2824 * send a SHUTDOWN in response to a ULP request. And should discard 2825 * subsequent SHUTDOWN chunks. 2826 * 2827 * If there are still outstanding DATA chunks left, the SHUTDOWN 2828 * receiver shall continue to follow normal data transmission 2829 * procedures defined in Section 6 until all outstanding DATA chunks 2830 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept 2831 * new data from its SCTP user. 2832 * 2833 * Verification Tag: 8.5 Verification Tag [Normal verification] 2834 * 2835 * Inputs 2836 * (endpoint, asoc, chunk) 2837 * 2838 * Outputs 2839 * (asoc, reply_msg, msg_up, timers, counters) 2840 * 2841 * The return value is the disposition of the chunk. 2842 */ 2843enum sctp_disposition sctp_sf_do_9_2_shutdown( 2844 struct net *net, 2845 const struct sctp_endpoint *ep, 2846 const struct sctp_association *asoc, 2847 const union sctp_subtype type, 2848 void *arg, 2849 struct sctp_cmd_seq *commands) 2850{ 2851 enum sctp_disposition disposition; 2852 struct sctp_chunk *chunk = arg; 2853 struct sctp_shutdownhdr *sdh; 2854 struct sctp_ulpevent *ev; 2855 __u32 ctsn; 2856 2857 if (!sctp_vtag_verify(chunk, asoc)) 2858 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2859 2860 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2861 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2862 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2863 commands); 2864 2865 /* Convert the elaborate header. */ 2866 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2867 skb_pull(chunk->skb, sizeof(*sdh)); 2868 chunk->subh.shutdown_hdr = sdh; 2869 ctsn = ntohl(sdh->cum_tsn_ack); 2870 2871 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2872 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2873 asoc->ctsn_ack_point); 2874 2875 return SCTP_DISPOSITION_DISCARD; 2876 } 2877 2878 /* If Cumulative TSN Ack beyond the max tsn currently 2879 * send, terminating the association and respond to the 2880 * sender with an ABORT. 2881 */ 2882 if (!TSN_lt(ctsn, asoc->next_tsn)) 2883 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2884 2885 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT 2886 * When a peer sends a SHUTDOWN, SCTP delivers this notification to 2887 * inform the application that it should cease sending data. 2888 */ 2889 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); 2890 if (!ev) { 2891 disposition = SCTP_DISPOSITION_NOMEM; 2892 goto out; 2893 } 2894 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 2895 2896 /* Upon the reception of the SHUTDOWN, the peer endpoint shall 2897 * - enter the SHUTDOWN-RECEIVED state, 2898 * - stop accepting new data from its SCTP user 2899 * 2900 * [This is implicit in the new state.] 2901 */ 2902 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 2903 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); 2904 disposition = SCTP_DISPOSITION_CONSUME; 2905 2906 if (sctp_outq_is_empty(&asoc->outqueue)) { 2907 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, 2908 arg, commands); 2909 } 2910 2911 if (SCTP_DISPOSITION_NOMEM == disposition) 2912 goto out; 2913 2914 /* - verify, by checking the Cumulative TSN Ack field of the 2915 * chunk, that all its outstanding DATA chunks have been 2916 * received by the SHUTDOWN sender. 2917 */ 2918 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2919 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); 2920 2921out: 2922 return disposition; 2923} 2924 2925/* 2926 * sctp_sf_do_9_2_shut_ctsn 2927 * 2928 * Once an endpoint has reached the SHUTDOWN-RECEIVED state, 2929 * it MUST NOT send a SHUTDOWN in response to a ULP request. 2930 * The Cumulative TSN Ack of the received SHUTDOWN chunk 2931 * MUST be processed. 2932 */ 2933enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( 2934 struct net *net, 2935 const struct sctp_endpoint *ep, 2936 const struct sctp_association *asoc, 2937 const union sctp_subtype type, 2938 void *arg, 2939 struct sctp_cmd_seq *commands) 2940{ 2941 struct sctp_chunk *chunk = arg; 2942 struct sctp_shutdownhdr *sdh; 2943 __u32 ctsn; 2944 2945 if (!sctp_vtag_verify(chunk, asoc)) 2946 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 2947 2948 /* Make sure that the SHUTDOWN chunk has a valid length. */ 2949 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) 2950 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2951 commands); 2952 2953 sdh = (struct sctp_shutdownhdr *)chunk->skb->data; 2954 ctsn = ntohl(sdh->cum_tsn_ack); 2955 2956 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 2957 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 2958 asoc->ctsn_ack_point); 2959 2960 return SCTP_DISPOSITION_DISCARD; 2961 } 2962 2963 /* If Cumulative TSN Ack beyond the max tsn currently 2964 * send, terminating the association and respond to the 2965 * sender with an ABORT. 2966 */ 2967 if (!TSN_lt(ctsn, asoc->next_tsn)) 2968 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 2969 2970 /* verify, by checking the Cumulative TSN Ack field of the 2971 * chunk, that all its outstanding DATA chunks have been 2972 * received by the SHUTDOWN sender. 2973 */ 2974 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, 2975 SCTP_BE32(sdh->cum_tsn_ack)); 2976 2977 return SCTP_DISPOSITION_CONSUME; 2978} 2979 2980/* RFC 2960 9.2 2981 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk 2982 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination 2983 * transport addresses (either in the IP addresses or in the INIT chunk) 2984 * that belong to this association, it should discard the INIT chunk and 2985 * retransmit the SHUTDOWN ACK chunk. 2986 */ 2987static enum sctp_disposition 2988__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 2989 const struct sctp_association *asoc, 2990 const union sctp_subtype type, void *arg, 2991 struct sctp_cmd_seq *commands) 2992{ 2993 struct sctp_chunk *chunk = arg; 2994 struct sctp_chunk *reply; 2995 2996 /* Make sure that the chunk has a valid length */ 2997 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 2998 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 2999 commands); 3000 3001 /* Since we are not going to really process this INIT, there 3002 * is no point in verifying chunk boundaries. Just generate 3003 * the SHUTDOWN ACK. 3004 */ 3005 reply = sctp_make_shutdown_ack(asoc, chunk); 3006 if (NULL == reply) 3007 goto nomem; 3008 3009 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 3010 * the T2-SHUTDOWN timer. 3011 */ 3012 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 3013 3014 /* and restart the T2-shutdown timer. */ 3015 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3016 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3017 3018 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3019 3020 return SCTP_DISPOSITION_CONSUME; 3021nomem: 3022 return SCTP_DISPOSITION_NOMEM; 3023} 3024 3025enum sctp_disposition 3026sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, 3027 const struct sctp_association *asoc, 3028 const union sctp_subtype type, void *arg, 3029 struct sctp_cmd_seq *commands) 3030{ 3031 struct sctp_chunk *chunk = arg; 3032 3033 if (!chunk->singleton) 3034 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3035 3036 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) 3037 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3038 3039 if (chunk->sctp_hdr->vtag != 0) 3040 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3041 3042 return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); 3043} 3044 3045/* 3046 * sctp_sf_do_ecn_cwr 3047 * 3048 * Section: Appendix A: Explicit Congestion Notification 3049 * 3050 * CWR: 3051 * 3052 * RFC 2481 details a specific bit for a sender to send in the header of 3053 * its next outbound TCP segment to indicate to its peer that it has 3054 * reduced its congestion window. This is termed the CWR bit. For 3055 * SCTP the same indication is made by including the CWR chunk. 3056 * This chunk contains one data element, i.e. the TSN number that 3057 * was sent in the ECNE chunk. This element represents the lowest 3058 * TSN number in the datagram that was originally marked with the 3059 * CE bit. 3060 * 3061 * Verification Tag: 8.5 Verification Tag [Normal verification] 3062 * Inputs 3063 * (endpoint, asoc, chunk) 3064 * 3065 * Outputs 3066 * (asoc, reply_msg, msg_up, timers, counters) 3067 * 3068 * The return value is the disposition of the chunk. 3069 */ 3070enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, 3071 const struct sctp_endpoint *ep, 3072 const struct sctp_association *asoc, 3073 const union sctp_subtype type, 3074 void *arg, 3075 struct sctp_cmd_seq *commands) 3076{ 3077 struct sctp_chunk *chunk = arg; 3078 struct sctp_cwrhdr *cwr; 3079 u32 lowest_tsn; 3080 3081 if (!sctp_vtag_verify(chunk, asoc)) 3082 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3083 3084 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3085 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3086 commands); 3087 3088 cwr = (struct sctp_cwrhdr *)chunk->skb->data; 3089 skb_pull(chunk->skb, sizeof(*cwr)); 3090 3091 lowest_tsn = ntohl(cwr->lowest_tsn); 3092 3093 /* Does this CWR ack the last sent congestion notification? */ 3094 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { 3095 /* Stop sending ECNE. */ 3096 sctp_add_cmd_sf(commands, 3097 SCTP_CMD_ECN_CWR, 3098 SCTP_U32(lowest_tsn)); 3099 } 3100 return SCTP_DISPOSITION_CONSUME; 3101} 3102 3103/* 3104 * sctp_sf_do_ecne 3105 * 3106 * Section: Appendix A: Explicit Congestion Notification 3107 * 3108 * ECN-Echo 3109 * 3110 * RFC 2481 details a specific bit for a receiver to send back in its 3111 * TCP acknowledgements to notify the sender of the Congestion 3112 * Experienced (CE) bit having arrived from the network. For SCTP this 3113 * same indication is made by including the ECNE chunk. This chunk 3114 * contains one data element, i.e. the lowest TSN associated with the IP 3115 * datagram marked with the CE bit..... 3116 * 3117 * Verification Tag: 8.5 Verification Tag [Normal verification] 3118 * Inputs 3119 * (endpoint, asoc, chunk) 3120 * 3121 * Outputs 3122 * (asoc, reply_msg, msg_up, timers, counters) 3123 * 3124 * The return value is the disposition of the chunk. 3125 */ 3126enum sctp_disposition sctp_sf_do_ecne(struct net *net, 3127 const struct sctp_endpoint *ep, 3128 const struct sctp_association *asoc, 3129 const union sctp_subtype type, 3130 void *arg, struct sctp_cmd_seq *commands) 3131{ 3132 struct sctp_chunk *chunk = arg; 3133 struct sctp_ecnehdr *ecne; 3134 3135 if (!sctp_vtag_verify(chunk, asoc)) 3136 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3137 3138 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) 3139 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3140 commands); 3141 3142 ecne = (struct sctp_ecnehdr *)chunk->skb->data; 3143 skb_pull(chunk->skb, sizeof(*ecne)); 3144 3145 /* If this is a newer ECNE than the last CWR packet we sent out */ 3146 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, 3147 SCTP_U32(ntohl(ecne->lowest_tsn))); 3148 3149 return SCTP_DISPOSITION_CONSUME; 3150} 3151 3152/* 3153 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 3154 * 3155 * The SCTP endpoint MUST always acknowledge the reception of each valid 3156 * DATA chunk. 3157 * 3158 * The guidelines on delayed acknowledgement algorithm specified in 3159 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 3160 * acknowledgement SHOULD be generated for at least every second packet 3161 * (not every second DATA chunk) received, and SHOULD be generated within 3162 * 200 ms of the arrival of any unacknowledged DATA chunk. In some 3163 * situations it may be beneficial for an SCTP transmitter to be more 3164 * conservative than the algorithms detailed in this document allow. 3165 * However, an SCTP transmitter MUST NOT be more aggressive than the 3166 * following algorithms allow. 3167 * 3168 * A SCTP receiver MUST NOT generate more than one SACK for every 3169 * incoming packet, other than to update the offered window as the 3170 * receiving application consumes new data. 3171 * 3172 * Verification Tag: 8.5 Verification Tag [Normal verification] 3173 * 3174 * Inputs 3175 * (endpoint, asoc, chunk) 3176 * 3177 * Outputs 3178 * (asoc, reply_msg, msg_up, timers, counters) 3179 * 3180 * The return value is the disposition of the chunk. 3181 */ 3182enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, 3183 const struct sctp_endpoint *ep, 3184 const struct sctp_association *asoc, 3185 const union sctp_subtype type, 3186 void *arg, 3187 struct sctp_cmd_seq *commands) 3188{ 3189 union sctp_arg force = SCTP_NOFORCE(); 3190 struct sctp_chunk *chunk = arg; 3191 int error; 3192 3193 if (!sctp_vtag_verify(chunk, asoc)) { 3194 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3195 SCTP_NULL()); 3196 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3197 } 3198 3199 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3200 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3201 commands); 3202 3203 error = sctp_eat_data(asoc, chunk, commands); 3204 switch (error) { 3205 case SCTP_IERROR_NO_ERROR: 3206 break; 3207 case SCTP_IERROR_HIGH_TSN: 3208 case SCTP_IERROR_BAD_STREAM: 3209 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3210 goto discard_noforce; 3211 case SCTP_IERROR_DUP_TSN: 3212 case SCTP_IERROR_IGNORE_TSN: 3213 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); 3214 goto discard_force; 3215 case SCTP_IERROR_NO_DATA: 3216 return SCTP_DISPOSITION_ABORT; 3217 case SCTP_IERROR_PROTO_VIOLATION: 3218 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3219 (u8 *)chunk->subh.data_hdr, 3220 sctp_datahdr_len(&asoc->stream)); 3221 default: 3222 BUG(); 3223 } 3224 3225 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) 3226 force = SCTP_FORCE(); 3227 3228 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 3229 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3230 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 3231 } 3232 3233 /* If this is the last chunk in a packet, we need to count it 3234 * toward sack generation. Note that we need to SACK every 3235 * OTHER packet containing data chunks, EVEN IF WE DISCARD 3236 * THEM. We elect to NOT generate SACK's if the chunk fails 3237 * the verification tag test. 3238 * 3239 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3240 * 3241 * The SCTP endpoint MUST always acknowledge the reception of 3242 * each valid DATA chunk. 3243 * 3244 * The guidelines on delayed acknowledgement algorithm 3245 * specified in Section 4.2 of [RFC2581] SHOULD be followed. 3246 * Specifically, an acknowledgement SHOULD be generated for at 3247 * least every second packet (not every second DATA chunk) 3248 * received, and SHOULD be generated within 200 ms of the 3249 * arrival of any unacknowledged DATA chunk. In some 3250 * situations it may be beneficial for an SCTP transmitter to 3251 * be more conservative than the algorithms detailed in this 3252 * document allow. However, an SCTP transmitter MUST NOT be 3253 * more aggressive than the following algorithms allow. 3254 */ 3255 if (chunk->end_of_packet) 3256 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3257 3258 return SCTP_DISPOSITION_CONSUME; 3259 3260discard_force: 3261 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks 3262 * 3263 * When a packet arrives with duplicate DATA chunk(s) and with 3264 * no new DATA chunk(s), the endpoint MUST immediately send a 3265 * SACK with no delay. If a packet arrives with duplicate 3266 * DATA chunk(s) bundled with new DATA chunks, the endpoint 3267 * MAY immediately send a SACK. Normally receipt of duplicate 3268 * DATA chunks will occur when the original SACK chunk was lost 3269 * and the peer's RTO has expired. The duplicate TSN number(s) 3270 * SHOULD be reported in the SACK as duplicate. 3271 */ 3272 /* In our case, we split the MAY SACK advice up whether or not 3273 * the last chunk is a duplicate.' 3274 */ 3275 if (chunk->end_of_packet) 3276 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3277 return SCTP_DISPOSITION_DISCARD; 3278 3279discard_noforce: 3280 if (chunk->end_of_packet) 3281 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); 3282 3283 return SCTP_DISPOSITION_DISCARD; 3284} 3285 3286/* 3287 * sctp_sf_eat_data_fast_4_4 3288 * 3289 * Section: 4 (4) 3290 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received 3291 * DATA chunks without delay. 3292 * 3293 * Verification Tag: 8.5 Verification Tag [Normal verification] 3294 * Inputs 3295 * (endpoint, asoc, chunk) 3296 * 3297 * Outputs 3298 * (asoc, reply_msg, msg_up, timers, counters) 3299 * 3300 * The return value is the disposition of the chunk. 3301 */ 3302enum sctp_disposition sctp_sf_eat_data_fast_4_4( 3303 struct net *net, 3304 const struct sctp_endpoint *ep, 3305 const struct sctp_association *asoc, 3306 const union sctp_subtype type, 3307 void *arg, 3308 struct sctp_cmd_seq *commands) 3309{ 3310 struct sctp_chunk *chunk = arg; 3311 int error; 3312 3313 if (!sctp_vtag_verify(chunk, asoc)) { 3314 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3315 SCTP_NULL()); 3316 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3317 } 3318 3319 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) 3320 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3321 commands); 3322 3323 error = sctp_eat_data(asoc, chunk, commands); 3324 switch (error) { 3325 case SCTP_IERROR_NO_ERROR: 3326 case SCTP_IERROR_HIGH_TSN: 3327 case SCTP_IERROR_DUP_TSN: 3328 case SCTP_IERROR_IGNORE_TSN: 3329 case SCTP_IERROR_BAD_STREAM: 3330 break; 3331 case SCTP_IERROR_NO_DATA: 3332 return SCTP_DISPOSITION_ABORT; 3333 case SCTP_IERROR_PROTO_VIOLATION: 3334 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, 3335 (u8 *)chunk->subh.data_hdr, 3336 sctp_datahdr_len(&asoc->stream)); 3337 default: 3338 BUG(); 3339 } 3340 3341 /* Go a head and force a SACK, since we are shutting down. */ 3342 3343 /* Implementor's Guide. 3344 * 3345 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 3346 * respond to each received packet containing one or more DATA chunk(s) 3347 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 3348 */ 3349 if (chunk->end_of_packet) { 3350 /* We must delay the chunk creation since the cumulative 3351 * TSN has not been updated yet. 3352 */ 3353 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 3354 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 3355 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 3356 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3357 } 3358 3359 return SCTP_DISPOSITION_CONSUME; 3360} 3361 3362/* 3363 * Section: 6.2 Processing a Received SACK 3364 * D) Any time a SACK arrives, the endpoint performs the following: 3365 * 3366 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point, 3367 * then drop the SACK. Since Cumulative TSN Ack is monotonically 3368 * increasing, a SACK whose Cumulative TSN Ack is less than the 3369 * Cumulative TSN Ack Point indicates an out-of-order SACK. 3370 * 3371 * ii) Set rwnd equal to the newly received a_rwnd minus the number 3372 * of bytes still outstanding after processing the Cumulative TSN Ack 3373 * and the Gap Ack Blocks. 3374 * 3375 * iii) If the SACK is missing a TSN that was previously 3376 * acknowledged via a Gap Ack Block (e.g., the data receiver 3377 * reneged on the data), then mark the corresponding DATA chunk 3378 * as available for retransmit: Mark it as missing for fast 3379 * retransmit as described in Section 7.2.4 and if no retransmit 3380 * timer is running for the destination address to which the DATA 3381 * chunk was originally transmitted, then T3-rtx is started for 3382 * that destination address. 3383 * 3384 * Verification Tag: 8.5 Verification Tag [Normal verification] 3385 * 3386 * Inputs 3387 * (endpoint, asoc, chunk) 3388 * 3389 * Outputs 3390 * (asoc, reply_msg, msg_up, timers, counters) 3391 * 3392 * The return value is the disposition of the chunk. 3393 */ 3394enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net, 3395 const struct sctp_endpoint *ep, 3396 const struct sctp_association *asoc, 3397 const union sctp_subtype type, 3398 void *arg, 3399 struct sctp_cmd_seq *commands) 3400{ 3401 struct sctp_chunk *chunk = arg; 3402 struct sctp_sackhdr *sackh; 3403 __u32 ctsn; 3404 3405 if (!sctp_vtag_verify(chunk, asoc)) 3406 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3407 3408 /* Make sure that the SACK chunk has a valid length. */ 3409 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk))) 3410 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3411 commands); 3412 3413 /* Pull the SACK chunk from the data buffer */ 3414 sackh = sctp_sm_pull_sack(chunk); 3415 /* Was this a bogus SACK? */ 3416 if (!sackh) 3417 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3418 chunk->subh.sack_hdr = sackh; 3419 ctsn = ntohl(sackh->cum_tsn_ack); 3420 3421 /* If Cumulative TSN Ack beyond the max tsn currently 3422 * send, terminating the association and respond to the 3423 * sender with an ABORT. 3424 */ 3425 if (TSN_lte(asoc->next_tsn, ctsn)) 3426 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); 3427 3428 trace_sctp_probe(ep, asoc, chunk); 3429 3430 /* i) If Cumulative TSN Ack is less than the Cumulative TSN 3431 * Ack Point, then drop the SACK. Since Cumulative TSN 3432 * Ack is monotonically increasing, a SACK whose 3433 * Cumulative TSN Ack is less than the Cumulative TSN Ack 3434 * Point indicates an out-of-order SACK. 3435 */ 3436 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { 3437 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, 3438 asoc->ctsn_ack_point); 3439 3440 return SCTP_DISPOSITION_DISCARD; 3441 } 3442 3443 /* Return this SACK for further processing. */ 3444 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk)); 3445 3446 /* Note: We do the rest of the work on the PROCESS_SACK 3447 * sideeffect. 3448 */ 3449 return SCTP_DISPOSITION_CONSUME; 3450} 3451 3452/* 3453 * Generate an ABORT in response to a packet. 3454 * 3455 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41 3456 * 3457 * 8) The receiver should respond to the sender of the OOTB packet with 3458 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3459 * MUST fill in the Verification Tag field of the outbound packet 3460 * with the value found in the Verification Tag field of the OOTB 3461 * packet and set the T-bit in the Chunk Flags to indicate that the 3462 * Verification Tag is reflected. After sending this ABORT, the 3463 * receiver of the OOTB packet shall discard the OOTB packet and take 3464 * no further action. 3465 * 3466 * Verification Tag: 3467 * 3468 * The return value is the disposition of the chunk. 3469*/ 3470static enum sctp_disposition sctp_sf_tabort_8_4_8( 3471 struct net *net, 3472 const struct sctp_endpoint *ep, 3473 const struct sctp_association *asoc, 3474 const union sctp_subtype type, 3475 void *arg, 3476 struct sctp_cmd_seq *commands) 3477{ 3478 struct sctp_packet *packet = NULL; 3479 struct sctp_chunk *chunk = arg; 3480 struct sctp_chunk *abort; 3481 3482 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3483 if (!packet) 3484 return SCTP_DISPOSITION_NOMEM; 3485 3486 /* Make an ABORT. The T bit will be set if the asoc 3487 * is NULL. 3488 */ 3489 abort = sctp_make_abort(asoc, chunk, 0); 3490 if (!abort) { 3491 sctp_ootb_pkt_free(packet); 3492 return SCTP_DISPOSITION_NOMEM; 3493 } 3494 3495 /* Reflect vtag if T-Bit is set */ 3496 if (sctp_test_T_bit(abort)) 3497 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3498 3499 /* Set the skb to the belonging sock for accounting. */ 3500 abort->skb->sk = ep->base.sk; 3501 3502 sctp_packet_append_chunk(packet, abort); 3503 3504 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet)); 3505 3506 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3507 3508 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3509 return SCTP_DISPOSITION_CONSUME; 3510} 3511 3512/* Handling of SCTP Packets Containing an INIT Chunk Matching an 3513 * Existing Associations when the UDP encap port is incorrect. 3514 * 3515 * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03. 3516 */ 3517static enum sctp_disposition sctp_sf_new_encap_port( 3518 struct net *net, 3519 const struct sctp_endpoint *ep, 3520 const struct sctp_association *asoc, 3521 const union sctp_subtype type, 3522 void *arg, 3523 struct sctp_cmd_seq *commands) 3524{ 3525 struct sctp_packet *packet = NULL; 3526 struct sctp_chunk *chunk = arg; 3527 struct sctp_chunk *abort; 3528 3529 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3530 if (!packet) 3531 return SCTP_DISPOSITION_NOMEM; 3532 3533 abort = sctp_make_new_encap_port(asoc, chunk); 3534 if (!abort) { 3535 sctp_ootb_pkt_free(packet); 3536 return SCTP_DISPOSITION_NOMEM; 3537 } 3538 3539 abort->skb->sk = ep->base.sk; 3540 3541 sctp_packet_append_chunk(packet, abort); 3542 3543 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3544 SCTP_PACKET(packet)); 3545 3546 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3547 3548 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3549 return SCTP_DISPOSITION_CONSUME; 3550} 3551 3552/* 3553 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR 3554 * event as ULP notification for each cause included in the chunk. 3555 * 3556 * API 5.3.1.3 - SCTP_REMOTE_ERROR 3557 * 3558 * The return value is the disposition of the chunk. 3559*/ 3560enum sctp_disposition sctp_sf_operr_notify(struct net *net, 3561 const struct sctp_endpoint *ep, 3562 const struct sctp_association *asoc, 3563 const union sctp_subtype type, 3564 void *arg, 3565 struct sctp_cmd_seq *commands) 3566{ 3567 struct sctp_chunk *chunk = arg; 3568 struct sctp_errhdr *err; 3569 3570 if (!sctp_vtag_verify(chunk, asoc)) 3571 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3572 3573 /* Make sure that the ERROR chunk has a valid length. */ 3574 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) 3575 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3576 commands); 3577 sctp_walk_errors(err, chunk->chunk_hdr); 3578 if ((void *)err != (void *)chunk->chunk_end) 3579 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3580 (void *)err, commands); 3581 3582 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, 3583 SCTP_CHUNK(chunk)); 3584 3585 return SCTP_DISPOSITION_CONSUME; 3586} 3587 3588/* 3589 * Process an inbound SHUTDOWN ACK. 3590 * 3591 * From Section 9.2: 3592 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3593 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its 3594 * peer, and remove all record of the association. 3595 * 3596 * The return value is the disposition. 3597 */ 3598enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, 3599 const struct sctp_endpoint *ep, 3600 const struct sctp_association *asoc, 3601 const union sctp_subtype type, 3602 void *arg, 3603 struct sctp_cmd_seq *commands) 3604{ 3605 struct sctp_chunk *chunk = arg; 3606 struct sctp_chunk *reply; 3607 struct sctp_ulpevent *ev; 3608 3609 if (!sctp_vtag_verify(chunk, asoc)) 3610 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3611 3612 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3613 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3614 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3615 commands); 3616 /* 10.2 H) SHUTDOWN COMPLETE notification 3617 * 3618 * When SCTP completes the shutdown procedures (section 9.2) this 3619 * notification is passed to the upper layer. 3620 */ 3621 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, 3622 0, 0, 0, NULL, GFP_ATOMIC); 3623 if (!ev) 3624 goto nomem; 3625 3626 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */ 3627 reply = sctp_make_shutdown_complete(asoc, chunk); 3628 if (!reply) 3629 goto nomem_chunk; 3630 3631 /* Do all the commands now (after allocation), so that we 3632 * have consistent state if memory allocation fails 3633 */ 3634 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); 3635 3636 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall 3637 * stop the T2-shutdown timer, 3638 */ 3639 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3640 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 3641 3642 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 3643 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 3644 3645 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 3646 SCTP_STATE(SCTP_STATE_CLOSED)); 3647 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 3648 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 3649 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 3650 3651 /* ...and remove all record of the association. */ 3652 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 3653 return SCTP_DISPOSITION_DELETE_TCB; 3654 3655nomem_chunk: 3656 sctp_ulpevent_free(ev); 3657nomem: 3658 return SCTP_DISPOSITION_NOMEM; 3659} 3660 3661/* 3662 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41. 3663 * 3664 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3665 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3666 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3667 * packet must fill in the Verification Tag field of the outbound 3668 * packet with the Verification Tag received in the SHUTDOWN ACK and 3669 * set the T-bit in the Chunk Flags to indicate that the Verification 3670 * Tag is reflected. 3671 * 3672 * 8) The receiver should respond to the sender of the OOTB packet with 3673 * an ABORT. When sending the ABORT, the receiver of the OOTB packet 3674 * MUST fill in the Verification Tag field of the outbound packet 3675 * with the value found in the Verification Tag field of the OOTB 3676 * packet and set the T-bit in the Chunk Flags to indicate that the 3677 * Verification Tag is reflected. After sending this ABORT, the 3678 * receiver of the OOTB packet shall discard the OOTB packet and take 3679 * no further action. 3680 */ 3681enum sctp_disposition sctp_sf_ootb(struct net *net, 3682 const struct sctp_endpoint *ep, 3683 const struct sctp_association *asoc, 3684 const union sctp_subtype type, 3685 void *arg, struct sctp_cmd_seq *commands) 3686{ 3687 struct sctp_chunk *chunk = arg; 3688 struct sk_buff *skb = chunk->skb; 3689 struct sctp_chunkhdr *ch; 3690 struct sctp_errhdr *err; 3691 int ootb_cookie_ack = 0; 3692 int ootb_shut_ack = 0; 3693 __u8 *ch_end; 3694 3695 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3696 3697 if (asoc && !sctp_vtag_verify(chunk, asoc)) 3698 asoc = NULL; 3699 3700 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; 3701 do { 3702 /* Report violation if the chunk is less then minimal */ 3703 if (ntohs(ch->length) < sizeof(*ch)) 3704 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3705 commands); 3706 3707 /* Report violation if chunk len overflows */ 3708 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); 3709 if (ch_end > skb_tail_pointer(skb)) 3710 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3711 commands); 3712 3713 /* Now that we know we at least have a chunk header, 3714 * do things that are type appropriate. 3715 */ 3716 if (SCTP_CID_SHUTDOWN_ACK == ch->type) 3717 ootb_shut_ack = 1; 3718 3719 /* RFC 2960, Section 3.3.7 3720 * Moreover, under any circumstances, an endpoint that 3721 * receives an ABORT MUST NOT respond to that ABORT by 3722 * sending an ABORT of its own. 3723 */ 3724 if (SCTP_CID_ABORT == ch->type) 3725 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3726 3727 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR 3728 * or a COOKIE ACK the SCTP Packet should be silently 3729 * discarded. 3730 */ 3731 3732 if (SCTP_CID_COOKIE_ACK == ch->type) 3733 ootb_cookie_ack = 1; 3734 3735 if (SCTP_CID_ERROR == ch->type) { 3736 sctp_walk_errors(err, ch) { 3737 if (SCTP_ERROR_STALE_COOKIE == err->cause) { 3738 ootb_cookie_ack = 1; 3739 break; 3740 } 3741 } 3742 } 3743 3744 ch = (struct sctp_chunkhdr *)ch_end; 3745 } while (ch_end < skb_tail_pointer(skb)); 3746 3747 if (ootb_shut_ack) 3748 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands); 3749 else if (ootb_cookie_ack) 3750 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3751 else 3752 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); 3753} 3754 3755/* 3756 * Handle an "Out of the blue" SHUTDOWN ACK. 3757 * 3758 * Section: 8.4 5, sctpimpguide 2.41. 3759 * 3760 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should 3761 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE. 3762 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB 3763 * packet must fill in the Verification Tag field of the outbound 3764 * packet with the Verification Tag received in the SHUTDOWN ACK and 3765 * set the T-bit in the Chunk Flags to indicate that the Verification 3766 * Tag is reflected. 3767 * 3768 * Inputs 3769 * (endpoint, asoc, type, arg, commands) 3770 * 3771 * Outputs 3772 * (enum sctp_disposition) 3773 * 3774 * The return value is the disposition of the chunk. 3775 */ 3776static enum sctp_disposition sctp_sf_shut_8_4_5( 3777 struct net *net, 3778 const struct sctp_endpoint *ep, 3779 const struct sctp_association *asoc, 3780 const union sctp_subtype type, 3781 void *arg, 3782 struct sctp_cmd_seq *commands) 3783{ 3784 struct sctp_packet *packet = NULL; 3785 struct sctp_chunk *chunk = arg; 3786 struct sctp_chunk *shut; 3787 3788 packet = sctp_ootb_pkt_new(net, asoc, chunk); 3789 if (!packet) 3790 return SCTP_DISPOSITION_NOMEM; 3791 3792 /* Make an SHUTDOWN_COMPLETE. 3793 * The T bit will be set if the asoc is NULL. 3794 */ 3795 shut = sctp_make_shutdown_complete(asoc, chunk); 3796 if (!shut) { 3797 sctp_ootb_pkt_free(packet); 3798 return SCTP_DISPOSITION_NOMEM; 3799 } 3800 3801 /* Reflect vtag if T-Bit is set */ 3802 if (sctp_test_T_bit(shut)) 3803 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 3804 3805 /* Set the skb to the belonging sock for accounting. */ 3806 shut->skb->sk = ep->base.sk; 3807 3808 sctp_packet_append_chunk(packet, shut); 3809 3810 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 3811 SCTP_PACKET(packet)); 3812 3813 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 3814 3815 /* We need to discard the rest of the packet to prevent 3816 * potential boomming attacks from additional bundled chunks. 3817 * This is documented in SCTP Threats ID. 3818 */ 3819 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3820} 3821 3822/* 3823 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state. 3824 * 3825 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK 3826 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the 3827 * procedures in section 8.4 SHOULD be followed, in other words it 3828 * should be treated as an Out Of The Blue packet. 3829 * [This means that we do NOT check the Verification Tag on these 3830 * chunks. --piggy ] 3831 * 3832 */ 3833enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, 3834 const struct sctp_endpoint *ep, 3835 const struct sctp_association *asoc, 3836 const union sctp_subtype type, 3837 void *arg, 3838 struct sctp_cmd_seq *commands) 3839{ 3840 struct sctp_chunk *chunk = arg; 3841 3842 if (!sctp_vtag_verify(chunk, asoc)) 3843 asoc = NULL; 3844 3845 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ 3846 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 3847 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3848 commands); 3849 3850 /* Although we do have an association in this case, it corresponds 3851 * to a restarted association. So the packet is treated as an OOTB 3852 * packet and the state function that handles OOTB SHUTDOWN_ACK is 3853 * called with a NULL association. 3854 */ 3855 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); 3856 3857 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands); 3858} 3859 3860/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */ 3861enum sctp_disposition sctp_sf_do_asconf(struct net *net, 3862 const struct sctp_endpoint *ep, 3863 const struct sctp_association *asoc, 3864 const union sctp_subtype type, 3865 void *arg, 3866 struct sctp_cmd_seq *commands) 3867{ 3868 struct sctp_paramhdr *err_param = NULL; 3869 struct sctp_chunk *asconf_ack = NULL; 3870 struct sctp_chunk *chunk = arg; 3871 struct sctp_addiphdr *hdr; 3872 __u32 serial; 3873 3874 if (!sctp_vtag_verify(chunk, asoc)) { 3875 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 3876 SCTP_NULL()); 3877 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3878 } 3879 3880 /* Make sure that the ASCONF ADDIP chunk has a valid length. */ 3881 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) 3882 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 3883 commands); 3884 3885 /* ADD-IP: Section 4.1.1 3886 * This chunk MUST be sent in an authenticated way by using 3887 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 3888 * is received unauthenticated it MUST be silently discarded as 3889 * described in [I-D.ietf-tsvwg-sctp-auth]. 3890 */ 3891 if (!asoc->peer.asconf_capable || 3892 (!net->sctp.addip_noauth && !chunk->auth)) 3893 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 3894 3895 hdr = (struct sctp_addiphdr *)chunk->skb->data; 3896 serial = ntohl(hdr->serial); 3897 3898 /* Verify the ASCONF chunk before processing it. */ 3899 if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) 3900 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 3901 (void *)err_param, commands); 3902 3903 /* ADDIP 5.2 E1) Compare the value of the serial number to the value 3904 * the endpoint stored in a new association variable 3905 * 'Peer-Serial-Number'. 3906 */ 3907 if (serial == asoc->peer.addip_serial + 1) { 3908 /* If this is the first instance of ASCONF in the packet, 3909 * we can clean our old ASCONF-ACKs. 3910 */ 3911 if (!chunk->has_asconf) 3912 sctp_assoc_clean_asconf_ack_cache(asoc); 3913 3914 /* ADDIP 5.2 E4) When the Sequence Number matches the next one 3915 * expected, process the ASCONF as described below and after 3916 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to 3917 * the response packet and cache a copy of it (in the event it 3918 * later needs to be retransmitted). 3919 * 3920 * Essentially, do V1-V5. 3921 */ 3922 asconf_ack = sctp_process_asconf((struct sctp_association *) 3923 asoc, chunk); 3924 if (!asconf_ack) 3925 return SCTP_DISPOSITION_NOMEM; 3926 } else if (serial < asoc->peer.addip_serial + 1) { 3927 /* ADDIP 5.2 E2) 3928 * If the value found in the Sequence Number is less than the 3929 * ('Peer- Sequence-Number' + 1), simply skip to the next 3930 * ASCONF, and include in the outbound response packet 3931 * any previously cached ASCONF-ACK response that was 3932 * sent and saved that matches the Sequence Number of the 3933 * ASCONF. Note: It is possible that no cached ASCONF-ACK 3934 * Chunk exists. This will occur when an older ASCONF 3935 * arrives out of order. In such a case, the receiver 3936 * should skip the ASCONF Chunk and not include ASCONF-ACK 3937 * Chunk for that chunk. 3938 */ 3939 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial); 3940 if (!asconf_ack) 3941 return SCTP_DISPOSITION_DISCARD; 3942 3943 /* Reset the transport so that we select the correct one 3944 * this time around. This is to make sure that we don't 3945 * accidentally use a stale transport that's been removed. 3946 */ 3947 asconf_ack->transport = NULL; 3948 } else { 3949 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since 3950 * it must be either a stale packet or from an attacker. 3951 */ 3952 return SCTP_DISPOSITION_DISCARD; 3953 } 3954 3955 /* ADDIP 5.2 E6) The destination address of the SCTP packet 3956 * containing the ASCONF-ACK Chunks MUST be the source address of 3957 * the SCTP packet that held the ASCONF Chunks. 3958 * 3959 * To do this properly, we'll set the destination address of the chunk 3960 * and at the transmit time, will try look up the transport to use. 3961 * Since ASCONFs may be bundled, the correct transport may not be 3962 * created until we process the entire packet, thus this workaround. 3963 */ 3964 asconf_ack->dest = chunk->source; 3965 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack)); 3966 if (asoc->new_transport) { 3967 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands); 3968 ((struct sctp_association *)asoc)->new_transport = NULL; 3969 } 3970 3971 return SCTP_DISPOSITION_CONSUME; 3972} 3973 3974static enum sctp_disposition sctp_send_next_asconf( 3975 struct net *net, 3976 const struct sctp_endpoint *ep, 3977 struct sctp_association *asoc, 3978 const union sctp_subtype type, 3979 struct sctp_cmd_seq *commands) 3980{ 3981 struct sctp_chunk *asconf; 3982 struct list_head *entry; 3983 3984 if (list_empty(&asoc->addip_chunk_list)) 3985 return SCTP_DISPOSITION_CONSUME; 3986 3987 entry = asoc->addip_chunk_list.next; 3988 asconf = list_entry(entry, struct sctp_chunk, list); 3989 3990 list_del_init(entry); 3991 sctp_chunk_hold(asconf); 3992 asoc->addip_last_asconf = asconf; 3993 3994 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands); 3995} 3996 3997/* 3998 * ADDIP Section 4.3 General rules for address manipulation 3999 * When building TLV parameters for the ASCONF Chunk that will add or 4000 * delete IP addresses the D0 to D13 rules should be applied: 4001 */ 4002enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, 4003 const struct sctp_endpoint *ep, 4004 const struct sctp_association *asoc, 4005 const union sctp_subtype type, 4006 void *arg, 4007 struct sctp_cmd_seq *commands) 4008{ 4009 struct sctp_chunk *last_asconf = asoc->addip_last_asconf; 4010 struct sctp_paramhdr *err_param = NULL; 4011 struct sctp_chunk *asconf_ack = arg; 4012 struct sctp_addiphdr *addip_hdr; 4013 __u32 sent_serial, rcvd_serial; 4014 struct sctp_chunk *abort; 4015 4016 if (!sctp_vtag_verify(asconf_ack, asoc)) { 4017 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4018 SCTP_NULL()); 4019 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4020 } 4021 4022 /* Make sure that the ADDIP chunk has a valid length. */ 4023 if (!sctp_chunk_length_valid(asconf_ack, 4024 sizeof(struct sctp_addip_chunk))) 4025 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4026 commands); 4027 4028 /* ADD-IP, Section 4.1.2: 4029 * This chunk MUST be sent in an authenticated way by using 4030 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 4031 * is received unauthenticated it MUST be silently discarded as 4032 * described in [I-D.ietf-tsvwg-sctp-auth]. 4033 */ 4034 if (!asoc->peer.asconf_capable || 4035 (!net->sctp.addip_noauth && !asconf_ack->auth)) 4036 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4037 4038 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; 4039 rcvd_serial = ntohl(addip_hdr->serial); 4040 4041 /* Verify the ASCONF-ACK chunk before processing it. */ 4042 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) 4043 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 4044 (void *)err_param, commands); 4045 4046 if (last_asconf) { 4047 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr; 4048 sent_serial = ntohl(addip_hdr->serial); 4049 } else { 4050 sent_serial = asoc->addip_serial - 1; 4051 } 4052 4053 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or 4054 * equal to the next serial number to be used but no ASCONF chunk is 4055 * outstanding the endpoint MUST ABORT the association. Note that a 4056 * sequence number is greater than if it is no more than 2^^31-1 4057 * larger than the current sequence number (using serial arithmetic). 4058 */ 4059 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) && 4060 !(asoc->addip_last_asconf)) { 4061 abort = sctp_make_abort(asoc, asconf_ack, 4062 sizeof(struct sctp_errhdr)); 4063 if (abort) { 4064 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0); 4065 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4066 SCTP_CHUNK(abort)); 4067 } 4068 /* We are going to ABORT, so we might as well stop 4069 * processing the rest of the chunks in the packet. 4070 */ 4071 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4072 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4073 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4074 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4075 SCTP_ERROR(ECONNABORTED)); 4076 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4077 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 4078 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4079 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4080 return SCTP_DISPOSITION_ABORT; 4081 } 4082 4083 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) { 4084 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4085 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 4086 4087 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 4088 asconf_ack)) 4089 return sctp_send_next_asconf(net, ep, 4090 (struct sctp_association *)asoc, 4091 type, commands); 4092 4093 abort = sctp_make_abort(asoc, asconf_ack, 4094 sizeof(struct sctp_errhdr)); 4095 if (abort) { 4096 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); 4097 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4098 SCTP_CHUNK(abort)); 4099 } 4100 /* We are going to ABORT, so we might as well stop 4101 * processing the rest of the chunks in the packet. 4102 */ 4103 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4104 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4105 SCTP_ERROR(ECONNABORTED)); 4106 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4107 SCTP_PERR(SCTP_ERROR_ASCONF_ACK)); 4108 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4109 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4110 return SCTP_DISPOSITION_ABORT; 4111 } 4112 4113 return SCTP_DISPOSITION_DISCARD; 4114} 4115 4116/* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */ 4117enum sctp_disposition sctp_sf_do_reconf(struct net *net, 4118 const struct sctp_endpoint *ep, 4119 const struct sctp_association *asoc, 4120 const union sctp_subtype type, 4121 void *arg, 4122 struct sctp_cmd_seq *commands) 4123{ 4124 struct sctp_paramhdr *err_param = NULL; 4125 struct sctp_chunk *chunk = arg; 4126 struct sctp_reconf_chunk *hdr; 4127 union sctp_params param; 4128 4129 if (!sctp_vtag_verify(chunk, asoc)) { 4130 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4131 SCTP_NULL()); 4132 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4133 } 4134 4135 /* Make sure that the RECONF chunk has a valid length. */ 4136 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr))) 4137 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4138 commands); 4139 4140 if (!sctp_verify_reconf(asoc, chunk, &err_param)) 4141 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, 4142 (void *)err_param, commands); 4143 4144 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr; 4145 sctp_walk_params(param, hdr, params) { 4146 struct sctp_chunk *reply = NULL; 4147 struct sctp_ulpevent *ev = NULL; 4148 4149 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST) 4150 reply = sctp_process_strreset_outreq( 4151 (struct sctp_association *)asoc, param, &ev); 4152 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST) 4153 reply = sctp_process_strreset_inreq( 4154 (struct sctp_association *)asoc, param, &ev); 4155 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST) 4156 reply = sctp_process_strreset_tsnreq( 4157 (struct sctp_association *)asoc, param, &ev); 4158 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) 4159 reply = sctp_process_strreset_addstrm_out( 4160 (struct sctp_association *)asoc, param, &ev); 4161 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS) 4162 reply = sctp_process_strreset_addstrm_in( 4163 (struct sctp_association *)asoc, param, &ev); 4164 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE) 4165 reply = sctp_process_strreset_resp( 4166 (struct sctp_association *)asoc, param, &ev); 4167 4168 if (ev) 4169 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4170 SCTP_ULPEVENT(ev)); 4171 4172 if (reply) 4173 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4174 SCTP_CHUNK(reply)); 4175 } 4176 4177 return SCTP_DISPOSITION_CONSUME; 4178} 4179 4180/* 4181 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP 4182 * 4183 * When a FORWARD TSN chunk arrives, the data receiver MUST first update 4184 * its cumulative TSN point to the value carried in the FORWARD TSN 4185 * chunk, and then MUST further advance its cumulative TSN point locally 4186 * if possible. 4187 * After the above processing, the data receiver MUST stop reporting any 4188 * missing TSNs earlier than or equal to the new cumulative TSN point. 4189 * 4190 * Verification Tag: 8.5 Verification Tag [Normal verification] 4191 * 4192 * The return value is the disposition of the chunk. 4193 */ 4194enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net, 4195 const struct sctp_endpoint *ep, 4196 const struct sctp_association *asoc, 4197 const union sctp_subtype type, 4198 void *arg, 4199 struct sctp_cmd_seq *commands) 4200{ 4201 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4202 struct sctp_chunk *chunk = arg; 4203 __u16 len; 4204 __u32 tsn; 4205 4206 if (!sctp_vtag_verify(chunk, asoc)) { 4207 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4208 SCTP_NULL()); 4209 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4210 } 4211 4212 if (!asoc->peer.prsctp_capable) 4213 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4214 4215 /* Make sure that the FORWARD_TSN chunk has valid length. */ 4216 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4217 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4218 commands); 4219 4220 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4221 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4222 len = ntohs(chunk->chunk_hdr->length); 4223 len -= sizeof(struct sctp_chunkhdr); 4224 skb_pull(chunk->skb, len); 4225 4226 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4227 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4228 4229 /* The TSN is too high--silently discard the chunk and count on it 4230 * getting retransmitted later. 4231 */ 4232 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4233 goto discard_noforce; 4234 4235 if (!asoc->stream.si->validate_ftsn(chunk)) 4236 goto discard_noforce; 4237 4238 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4239 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4240 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4241 SCTP_CHUNK(chunk)); 4242 4243 /* Count this as receiving DATA. */ 4244 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { 4245 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4246 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 4247 } 4248 4249 /* FIXME: For now send a SACK, but DATA processing may 4250 * send another. 4251 */ 4252 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE()); 4253 4254 return SCTP_DISPOSITION_CONSUME; 4255 4256discard_noforce: 4257 return SCTP_DISPOSITION_DISCARD; 4258} 4259 4260enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( 4261 struct net *net, 4262 const struct sctp_endpoint *ep, 4263 const struct sctp_association *asoc, 4264 const union sctp_subtype type, 4265 void *arg, 4266 struct sctp_cmd_seq *commands) 4267{ 4268 struct sctp_fwdtsn_hdr *fwdtsn_hdr; 4269 struct sctp_chunk *chunk = arg; 4270 __u16 len; 4271 __u32 tsn; 4272 4273 if (!sctp_vtag_verify(chunk, asoc)) { 4274 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4275 SCTP_NULL()); 4276 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4277 } 4278 4279 if (!asoc->peer.prsctp_capable) 4280 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4281 4282 /* Make sure that the FORWARD_TSN chunk has a valid length. */ 4283 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream))) 4284 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4285 commands); 4286 4287 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data; 4288 chunk->subh.fwdtsn_hdr = fwdtsn_hdr; 4289 len = ntohs(chunk->chunk_hdr->length); 4290 len -= sizeof(struct sctp_chunkhdr); 4291 skb_pull(chunk->skb, len); 4292 4293 tsn = ntohl(fwdtsn_hdr->new_cum_tsn); 4294 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 4295 4296 /* The TSN is too high--silently discard the chunk and count on it 4297 * getting retransmitted later. 4298 */ 4299 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0) 4300 goto gen_shutdown; 4301 4302 if (!asoc->stream.si->validate_ftsn(chunk)) 4303 goto gen_shutdown; 4304 4305 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn)); 4306 if (len > sctp_ftsnhdr_len(&asoc->stream)) 4307 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 4308 SCTP_CHUNK(chunk)); 4309 4310 /* Go a head and force a SACK, since we are shutting down. */ 4311gen_shutdown: 4312 /* Implementor's Guide. 4313 * 4314 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately 4315 * respond to each received packet containing one or more DATA chunk(s) 4316 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer 4317 */ 4318 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL()); 4319 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 4320 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 4321 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 4322 4323 return SCTP_DISPOSITION_CONSUME; 4324} 4325 4326/* 4327 * SCTP-AUTH Section 6.3 Receiving authenticated chunks 4328 * 4329 * The receiver MUST use the HMAC algorithm indicated in the HMAC 4330 * Identifier field. If this algorithm was not specified by the 4331 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 4332 * during association setup, the AUTH chunk and all chunks after it MUST 4333 * be discarded and an ERROR chunk SHOULD be sent with the error cause 4334 * defined in Section 4.1. 4335 * 4336 * If an endpoint with no shared key receives a Shared Key Identifier 4337 * other than 0, it MUST silently discard all authenticated chunks. If 4338 * the endpoint has at least one endpoint pair shared key for the peer, 4339 * it MUST use the key specified by the Shared Key Identifier if a 4340 * key has been configured for that Shared Key Identifier. If no 4341 * endpoint pair shared key has been configured for that Shared Key 4342 * Identifier, all authenticated chunks MUST be silently discarded. 4343 * 4344 * Verification Tag: 8.5 Verification Tag [Normal verification] 4345 * 4346 * The return value is the disposition of the chunk. 4347 */ 4348static enum sctp_ierror sctp_sf_authenticate( 4349 const struct sctp_association *asoc, 4350 struct sctp_chunk *chunk) 4351{ 4352 struct sctp_shared_key *sh_key = NULL; 4353 struct sctp_authhdr *auth_hdr; 4354 __u8 *save_digest, *digest; 4355 struct sctp_hmac *hmac; 4356 unsigned int sig_len; 4357 __u16 key_id; 4358 4359 /* Pull in the auth header, so we can do some more verification */ 4360 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4361 chunk->subh.auth_hdr = auth_hdr; 4362 skb_pull(chunk->skb, sizeof(*auth_hdr)); 4363 4364 /* Make sure that we support the HMAC algorithm from the auth 4365 * chunk. 4366 */ 4367 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id)) 4368 return SCTP_IERROR_AUTH_BAD_HMAC; 4369 4370 /* Make sure that the provided shared key identifier has been 4371 * configured 4372 */ 4373 key_id = ntohs(auth_hdr->shkey_id); 4374 if (key_id != asoc->active_key_id) { 4375 sh_key = sctp_auth_get_shkey(asoc, key_id); 4376 if (!sh_key) 4377 return SCTP_IERROR_AUTH_BAD_KEYID; 4378 } 4379 4380 /* Make sure that the length of the signature matches what 4381 * we expect. 4382 */ 4383 sig_len = ntohs(chunk->chunk_hdr->length) - 4384 sizeof(struct sctp_auth_chunk); 4385 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id)); 4386 if (sig_len != hmac->hmac_len) 4387 return SCTP_IERROR_PROTO_VIOLATION; 4388 4389 /* Now that we've done validation checks, we can compute and 4390 * verify the hmac. The steps involved are: 4391 * 1. Save the digest from the chunk. 4392 * 2. Zero out the digest in the chunk. 4393 * 3. Compute the new digest 4394 * 4. Compare saved and new digests. 4395 */ 4396 digest = auth_hdr->hmac; 4397 skb_pull(chunk->skb, sig_len); 4398 4399 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC); 4400 if (!save_digest) 4401 goto nomem; 4402 4403 memset(digest, 0, sig_len); 4404 4405 sctp_auth_calculate_hmac(asoc, chunk->skb, 4406 (struct sctp_auth_chunk *)chunk->chunk_hdr, 4407 sh_key, GFP_ATOMIC); 4408 4409 /* Discard the packet if the digests do not match */ 4410 if (memcmp(save_digest, digest, sig_len)) { 4411 kfree(save_digest); 4412 return SCTP_IERROR_BAD_SIG; 4413 } 4414 4415 kfree(save_digest); 4416 chunk->auth = 1; 4417 4418 return SCTP_IERROR_NO_ERROR; 4419nomem: 4420 return SCTP_IERROR_NOMEM; 4421} 4422 4423enum sctp_disposition sctp_sf_eat_auth(struct net *net, 4424 const struct sctp_endpoint *ep, 4425 const struct sctp_association *asoc, 4426 const union sctp_subtype type, 4427 void *arg, struct sctp_cmd_seq *commands) 4428{ 4429 struct sctp_chunk *chunk = arg; 4430 struct sctp_authhdr *auth_hdr; 4431 struct sctp_chunk *err_chunk; 4432 enum sctp_ierror error; 4433 4434 /* Make sure that the peer has AUTH capable */ 4435 if (!asoc->peer.auth_capable) 4436 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands); 4437 4438 if (!sctp_vtag_verify(chunk, asoc)) { 4439 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, 4440 SCTP_NULL()); 4441 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4442 } 4443 4444 /* Make sure that the AUTH chunk has valid length. */ 4445 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk))) 4446 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4447 commands); 4448 4449 auth_hdr = (struct sctp_authhdr *)chunk->skb->data; 4450 error = sctp_sf_authenticate(asoc, chunk); 4451 switch (error) { 4452 case SCTP_IERROR_AUTH_BAD_HMAC: 4453 /* Generate the ERROR chunk and discard the rest 4454 * of the packet 4455 */ 4456 err_chunk = sctp_make_op_error(asoc, chunk, 4457 SCTP_ERROR_UNSUP_HMAC, 4458 &auth_hdr->hmac_id, 4459 sizeof(__u16), 0); 4460 if (err_chunk) { 4461 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4462 SCTP_CHUNK(err_chunk)); 4463 } 4464 fallthrough; 4465 case SCTP_IERROR_AUTH_BAD_KEYID: 4466 case SCTP_IERROR_BAD_SIG: 4467 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4468 4469 case SCTP_IERROR_PROTO_VIOLATION: 4470 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4471 commands); 4472 4473 case SCTP_IERROR_NOMEM: 4474 return SCTP_DISPOSITION_NOMEM; 4475 4476 default: /* Prevent gcc warnings */ 4477 break; 4478 } 4479 4480 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) { 4481 struct sctp_ulpevent *ev; 4482 4483 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id), 4484 SCTP_AUTH_NEW_KEY, GFP_ATOMIC); 4485 4486 if (!ev) 4487 return -ENOMEM; 4488 4489 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, 4490 SCTP_ULPEVENT(ev)); 4491 } 4492 4493 return SCTP_DISPOSITION_CONSUME; 4494} 4495 4496/* 4497 * Process an unknown chunk. 4498 * 4499 * Section: 3.2. Also, 2.1 in the implementor's guide. 4500 * 4501 * Chunk Types are encoded such that the highest-order two bits specify 4502 * the action that must be taken if the processing endpoint does not 4503 * recognize the Chunk Type. 4504 * 4505 * 00 - Stop processing this SCTP packet and discard it, do not process 4506 * any further chunks within it. 4507 * 4508 * 01 - Stop processing this SCTP packet and discard it, do not process 4509 * any further chunks within it, and report the unrecognized 4510 * chunk in an 'Unrecognized Chunk Type'. 4511 * 4512 * 10 - Skip this chunk and continue processing. 4513 * 4514 * 11 - Skip this chunk and continue processing, but report in an ERROR 4515 * Chunk using the 'Unrecognized Chunk Type' cause of error. 4516 * 4517 * The return value is the disposition of the chunk. 4518 */ 4519enum sctp_disposition sctp_sf_unk_chunk(struct net *net, 4520 const struct sctp_endpoint *ep, 4521 const struct sctp_association *asoc, 4522 const union sctp_subtype type, 4523 void *arg, 4524 struct sctp_cmd_seq *commands) 4525{ 4526 struct sctp_chunk *unk_chunk = arg; 4527 struct sctp_chunk *err_chunk; 4528 struct sctp_chunkhdr *hdr; 4529 4530 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk); 4531 4532 if (!sctp_vtag_verify(unk_chunk, asoc)) 4533 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4534 4535 /* Make sure that the chunk has a valid length. 4536 * Since we don't know the chunk type, we use a general 4537 * chunkhdr structure to make a comparison. 4538 */ 4539 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr))) 4540 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4541 commands); 4542 4543 switch (type.chunk & SCTP_CID_ACTION_MASK) { 4544 case SCTP_CID_ACTION_DISCARD: 4545 /* Discard the packet. */ 4546 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4547 case SCTP_CID_ACTION_DISCARD_ERR: 4548 /* Generate an ERROR chunk as response. */ 4549 hdr = unk_chunk->chunk_hdr; 4550 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4551 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4552 SCTP_PAD4(ntohs(hdr->length)), 4553 0); 4554 if (err_chunk) { 4555 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4556 SCTP_CHUNK(err_chunk)); 4557 } 4558 4559 /* Discard the packet. */ 4560 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4561 return SCTP_DISPOSITION_CONSUME; 4562 case SCTP_CID_ACTION_SKIP: 4563 /* Skip the chunk. */ 4564 return SCTP_DISPOSITION_DISCARD; 4565 case SCTP_CID_ACTION_SKIP_ERR: 4566 /* Generate an ERROR chunk as response. */ 4567 hdr = unk_chunk->chunk_hdr; 4568 err_chunk = sctp_make_op_error(asoc, unk_chunk, 4569 SCTP_ERROR_UNKNOWN_CHUNK, hdr, 4570 SCTP_PAD4(ntohs(hdr->length)), 4571 0); 4572 if (err_chunk) { 4573 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 4574 SCTP_CHUNK(err_chunk)); 4575 } 4576 /* Skip the chunk. */ 4577 return SCTP_DISPOSITION_CONSUME; 4578 default: 4579 break; 4580 } 4581 4582 return SCTP_DISPOSITION_DISCARD; 4583} 4584 4585/* 4586 * Discard the chunk. 4587 * 4588 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2 4589 * [Too numerous to mention...] 4590 * Verification Tag: No verification needed. 4591 * Inputs 4592 * (endpoint, asoc, chunk) 4593 * 4594 * Outputs 4595 * (asoc, reply_msg, msg_up, timers, counters) 4596 * 4597 * The return value is the disposition of the chunk. 4598 */ 4599enum sctp_disposition sctp_sf_discard_chunk(struct net *net, 4600 const struct sctp_endpoint *ep, 4601 const struct sctp_association *asoc, 4602 const union sctp_subtype type, 4603 void *arg, 4604 struct sctp_cmd_seq *commands) 4605{ 4606 struct sctp_chunk *chunk = arg; 4607 4608 if (asoc && !sctp_vtag_verify(chunk, asoc)) 4609 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4610 4611 /* Make sure that the chunk has a valid length. 4612 * Since we don't know the chunk type, we use a general 4613 * chunkhdr structure to make a comparison. 4614 */ 4615 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4616 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4617 commands); 4618 4619 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk); 4620 4621 return SCTP_DISPOSITION_DISCARD; 4622} 4623 4624/* 4625 * Discard the whole packet. 4626 * 4627 * Section: 8.4 2) 4628 * 4629 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST 4630 * silently discard the OOTB packet and take no further action. 4631 * 4632 * Verification Tag: No verification necessary 4633 * 4634 * Inputs 4635 * (endpoint, asoc, chunk) 4636 * 4637 * Outputs 4638 * (asoc, reply_msg, msg_up, timers, counters) 4639 * 4640 * The return value is the disposition of the chunk. 4641 */ 4642enum sctp_disposition sctp_sf_pdiscard(struct net *net, 4643 const struct sctp_endpoint *ep, 4644 const struct sctp_association *asoc, 4645 const union sctp_subtype type, 4646 void *arg, struct sctp_cmd_seq *commands) 4647{ 4648 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS); 4649 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 4650 4651 return SCTP_DISPOSITION_CONSUME; 4652} 4653 4654 4655/* 4656 * The other end is violating protocol. 4657 * 4658 * Section: Not specified 4659 * Verification Tag: Not specified 4660 * Inputs 4661 * (endpoint, asoc, chunk) 4662 * 4663 * Outputs 4664 * (asoc, reply_msg, msg_up, timers, counters) 4665 * 4666 * We simply tag the chunk as a violation. The state machine will log 4667 * the violation and continue. 4668 */ 4669enum sctp_disposition sctp_sf_violation(struct net *net, 4670 const struct sctp_endpoint *ep, 4671 const struct sctp_association *asoc, 4672 const union sctp_subtype type, 4673 void *arg, 4674 struct sctp_cmd_seq *commands) 4675{ 4676 struct sctp_chunk *chunk = arg; 4677 4678 if (!sctp_vtag_verify(chunk, asoc)) 4679 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); 4680 4681 /* Make sure that the chunk has a valid length. */ 4682 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) 4683 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, 4684 commands); 4685 4686 return SCTP_DISPOSITION_VIOLATION; 4687} 4688 4689/* 4690 * Common function to handle a protocol violation. 4691 */ 4692static enum sctp_disposition sctp_sf_abort_violation( 4693 struct net *net, 4694 const struct sctp_endpoint *ep, 4695 const struct sctp_association *asoc, 4696 void *arg, 4697 struct sctp_cmd_seq *commands, 4698 const __u8 *payload, 4699 const size_t paylen) 4700{ 4701 struct sctp_packet *packet = NULL; 4702 struct sctp_chunk *chunk = arg; 4703 struct sctp_chunk *abort = NULL; 4704 4705 /* SCTP-AUTH, Section 6.3: 4706 * It should be noted that if the receiver wants to tear 4707 * down an association in an authenticated way only, the 4708 * handling of malformed packets should not result in 4709 * tearing down the association. 4710 * 4711 * This means that if we only want to abort associations 4712 * in an authenticated way (i.e AUTH+ABORT), then we 4713 * can't destroy this association just because the packet 4714 * was malformed. 4715 */ 4716 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4717 goto discard; 4718 4719 /* Make the abort chunk. */ 4720 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen); 4721 if (!abort) 4722 goto nomem; 4723 4724 if (asoc) { 4725 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */ 4726 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK && 4727 !asoc->peer.i.init_tag) { 4728 struct sctp_initack_chunk *initack; 4729 4730 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 4731 if (!sctp_chunk_length_valid(chunk, sizeof(*initack))) 4732 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T; 4733 else { 4734 unsigned int inittag; 4735 4736 inittag = ntohl(initack->init_hdr.init_tag); 4737 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG, 4738 SCTP_U32(inittag)); 4739 } 4740 } 4741 4742 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4743 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4744 4745 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { 4746 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 4747 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 4748 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4749 SCTP_ERROR(ECONNREFUSED)); 4750 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 4751 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4752 } else { 4753 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4754 SCTP_ERROR(ECONNABORTED)); 4755 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4756 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4757 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4758 } 4759 } else { 4760 packet = sctp_ootb_pkt_new(net, asoc, chunk); 4761 4762 if (!packet) 4763 goto nomem_pkt; 4764 4765 if (sctp_test_T_bit(abort)) 4766 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 4767 4768 abort->skb->sk = ep->base.sk; 4769 4770 sctp_packet_append_chunk(packet, abort); 4771 4772 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 4773 SCTP_PACKET(packet)); 4774 4775 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4776 } 4777 4778 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4779 4780discard: 4781 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4782 return SCTP_DISPOSITION_ABORT; 4783 4784nomem_pkt: 4785 sctp_chunk_free(abort); 4786nomem: 4787 return SCTP_DISPOSITION_NOMEM; 4788} 4789 4790/* 4791 * Handle a protocol violation when the chunk length is invalid. 4792 * "Invalid" length is identified as smaller than the minimal length a 4793 * given chunk can be. For example, a SACK chunk has invalid length 4794 * if its length is set to be smaller than the size of struct sctp_sack_chunk. 4795 * 4796 * We inform the other end by sending an ABORT with a Protocol Violation 4797 * error code. 4798 * 4799 * Section: Not specified 4800 * Verification Tag: Nothing to do 4801 * Inputs 4802 * (endpoint, asoc, chunk) 4803 * 4804 * Outputs 4805 * (reply_msg, msg_up, counters) 4806 * 4807 * Generate an ABORT chunk and terminate the association. 4808 */ 4809static enum sctp_disposition sctp_sf_violation_chunklen( 4810 struct net *net, 4811 const struct sctp_endpoint *ep, 4812 const struct sctp_association *asoc, 4813 const union sctp_subtype type, 4814 void *arg, 4815 struct sctp_cmd_seq *commands) 4816{ 4817 static const char err_str[] = "The following chunk had invalid length:"; 4818 4819 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4820 sizeof(err_str)); 4821} 4822 4823/* 4824 * Handle a protocol violation when the parameter length is invalid. 4825 * If the length is smaller than the minimum length of a given parameter, 4826 * or accumulated length in multi parameters exceeds the end of the chunk, 4827 * the length is considered as invalid. 4828 */ 4829static enum sctp_disposition sctp_sf_violation_paramlen( 4830 struct net *net, 4831 const struct sctp_endpoint *ep, 4832 const struct sctp_association *asoc, 4833 const union sctp_subtype type, 4834 void *arg, void *ext, 4835 struct sctp_cmd_seq *commands) 4836{ 4837 struct sctp_paramhdr *param = ext; 4838 struct sctp_chunk *abort = NULL; 4839 struct sctp_chunk *chunk = arg; 4840 4841 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4842 goto discard; 4843 4844 /* Make the abort chunk. */ 4845 abort = sctp_make_violation_paramlen(asoc, chunk, param); 4846 if (!abort) 4847 goto nomem; 4848 4849 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 4850 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 4851 4852 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 4853 SCTP_ERROR(ECONNABORTED)); 4854 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 4855 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); 4856 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 4857 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 4858 4859discard: 4860 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands); 4861 return SCTP_DISPOSITION_ABORT; 4862nomem: 4863 return SCTP_DISPOSITION_NOMEM; 4864} 4865 4866/* Handle a protocol violation when the peer trying to advance the 4867 * cumulative tsn ack to a point beyond the max tsn currently sent. 4868 * 4869 * We inform the other end by sending an ABORT with a Protocol Violation 4870 * error code. 4871 */ 4872static enum sctp_disposition sctp_sf_violation_ctsn( 4873 struct net *net, 4874 const struct sctp_endpoint *ep, 4875 const struct sctp_association *asoc, 4876 const union sctp_subtype type, 4877 void *arg, 4878 struct sctp_cmd_seq *commands) 4879{ 4880 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:"; 4881 4882 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4883 sizeof(err_str)); 4884} 4885 4886/* Handle protocol violation of an invalid chunk bundling. For example, 4887 * when we have an association and we receive bundled INIT-ACK, or 4888 * SHUTDOWN-COMPLETE, our peer is clearly violating the "MUST NOT bundle" 4889 * statement from the specs. Additionally, there might be an attacker 4890 * on the path and we may not want to continue this communication. 4891 */ 4892static enum sctp_disposition sctp_sf_violation_chunk( 4893 struct net *net, 4894 const struct sctp_endpoint *ep, 4895 const struct sctp_association *asoc, 4896 const union sctp_subtype type, 4897 void *arg, 4898 struct sctp_cmd_seq *commands) 4899{ 4900 static const char err_str[] = "The following chunk violates protocol:"; 4901 4902 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str, 4903 sizeof(err_str)); 4904} 4905/*************************************************************************** 4906 * These are the state functions for handling primitive (Section 10) events. 4907 ***************************************************************************/ 4908/* 4909 * sctp_sf_do_prm_asoc 4910 * 4911 * Section: 10.1 ULP-to-SCTP 4912 * B) Associate 4913 * 4914 * Format: ASSOCIATE(local SCTP instance name, destination transport addr, 4915 * outbound stream count) 4916 * -> association id [,destination transport addr list] [,outbound stream 4917 * count] 4918 * 4919 * This primitive allows the upper layer to initiate an association to a 4920 * specific peer endpoint. 4921 * 4922 * The peer endpoint shall be specified by one of the transport addresses 4923 * which defines the endpoint (see Section 1.4). If the local SCTP 4924 * instance has not been initialized, the ASSOCIATE is considered an 4925 * error. 4926 * [This is not relevant for the kernel implementation since we do all 4927 * initialization at boot time. It we hadn't initialized we wouldn't 4928 * get anywhere near this code.] 4929 * 4930 * An association id, which is a local handle to the SCTP association, 4931 * will be returned on successful establishment of the association. If 4932 * SCTP is not able to open an SCTP association with the peer endpoint, 4933 * an error is returned. 4934 * [In the kernel implementation, the struct sctp_association needs to 4935 * be created BEFORE causing this primitive to run.] 4936 * 4937 * Other association parameters may be returned, including the 4938 * complete destination transport addresses of the peer as well as the 4939 * outbound stream count of the local endpoint. One of the transport 4940 * address from the returned destination addresses will be selected by 4941 * the local endpoint as default primary path for sending SCTP packets 4942 * to this peer. The returned "destination transport addr list" can 4943 * be used by the ULP to change the default primary path or to force 4944 * sending a packet to a specific transport address. [All of this 4945 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING 4946 * function.] 4947 * 4948 * Mandatory attributes: 4949 * 4950 * o local SCTP instance name - obtained from the INITIALIZE operation. 4951 * [This is the argument asoc.] 4952 * o destination transport addr - specified as one of the transport 4953 * addresses of the peer endpoint with which the association is to be 4954 * established. 4955 * [This is asoc->peer.active_path.] 4956 * o outbound stream count - the number of outbound streams the ULP 4957 * would like to open towards this peer endpoint. 4958 * [BUG: This is not currently implemented.] 4959 * Optional attributes: 4960 * 4961 * None. 4962 * 4963 * The return value is a disposition. 4964 */ 4965enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net, 4966 const struct sctp_endpoint *ep, 4967 const struct sctp_association *asoc, 4968 const union sctp_subtype type, 4969 void *arg, 4970 struct sctp_cmd_seq *commands) 4971{ 4972 struct sctp_association *my_asoc; 4973 struct sctp_chunk *repl; 4974 4975 /* The comment below says that we enter COOKIE-WAIT AFTER 4976 * sending the INIT, but that doesn't actually work in our 4977 * implementation... 4978 */ 4979 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 4980 SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); 4981 4982 /* RFC 2960 5.1 Normal Establishment of an Association 4983 * 4984 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A" 4985 * must provide its Verification Tag (Tag_A) in the Initiate 4986 * Tag field. Tag_A SHOULD be a random number in the range of 4987 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ... 4988 */ 4989 4990 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0); 4991 if (!repl) 4992 goto nomem; 4993 4994 /* Choose transport for INIT. */ 4995 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 4996 SCTP_CHUNK(repl)); 4997 4998 /* Cast away the const modifier, as we want to just 4999 * rerun it through as a sideffect. 5000 */ 5001 my_asoc = (struct sctp_association *)asoc; 5002 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); 5003 5004 /* After sending the INIT, "A" starts the T1-init timer and 5005 * enters the COOKIE-WAIT state. 5006 */ 5007 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5008 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5009 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5010 return SCTP_DISPOSITION_CONSUME; 5011 5012nomem: 5013 return SCTP_DISPOSITION_NOMEM; 5014} 5015 5016/* 5017 * Process the SEND primitive. 5018 * 5019 * Section: 10.1 ULP-to-SCTP 5020 * E) Send 5021 * 5022 * Format: SEND(association id, buffer address, byte count [,context] 5023 * [,stream id] [,life time] [,destination transport address] 5024 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] ) 5025 * -> result 5026 * 5027 * This is the main method to send user data via SCTP. 5028 * 5029 * Mandatory attributes: 5030 * 5031 * o association id - local handle to the SCTP association 5032 * 5033 * o buffer address - the location where the user message to be 5034 * transmitted is stored; 5035 * 5036 * o byte count - The size of the user data in number of bytes; 5037 * 5038 * Optional attributes: 5039 * 5040 * o context - an optional 32 bit integer that will be carried in the 5041 * sending failure notification to the ULP if the transportation of 5042 * this User Message fails. 5043 * 5044 * o stream id - to indicate which stream to send the data on. If not 5045 * specified, stream 0 will be used. 5046 * 5047 * o life time - specifies the life time of the user data. The user data 5048 * will not be sent by SCTP after the life time expires. This 5049 * parameter can be used to avoid efforts to transmit stale 5050 * user messages. SCTP notifies the ULP if the data cannot be 5051 * initiated to transport (i.e. sent to the destination via SCTP's 5052 * send primitive) within the life time variable. However, the 5053 * user data will be transmitted if SCTP has attempted to transmit a 5054 * chunk before the life time expired. 5055 * 5056 * o destination transport address - specified as one of the destination 5057 * transport addresses of the peer endpoint to which this packet 5058 * should be sent. Whenever possible, SCTP should use this destination 5059 * transport address for sending the packets, instead of the current 5060 * primary path. 5061 * 5062 * o unorder flag - this flag, if present, indicates that the user 5063 * would like the data delivered in an unordered fashion to the peer 5064 * (i.e., the U flag is set to 1 on all DATA chunks carrying this 5065 * message). 5066 * 5067 * o no-bundle flag - instructs SCTP not to bundle this user data with 5068 * other outbound DATA chunks. SCTP MAY still bundle even when 5069 * this flag is present, when faced with network congestion. 5070 * 5071 * o payload protocol-id - A 32 bit unsigned integer that is to be 5072 * passed to the peer indicating the type of payload protocol data 5073 * being transmitted. This value is passed as opaque data by SCTP. 5074 * 5075 * The return value is the disposition. 5076 */ 5077enum sctp_disposition sctp_sf_do_prm_send(struct net *net, 5078 const struct sctp_endpoint *ep, 5079 const struct sctp_association *asoc, 5080 const union sctp_subtype type, 5081 void *arg, 5082 struct sctp_cmd_seq *commands) 5083{ 5084 struct sctp_datamsg *msg = arg; 5085 5086 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg)); 5087 return SCTP_DISPOSITION_CONSUME; 5088} 5089 5090/* 5091 * Process the SHUTDOWN primitive. 5092 * 5093 * Section: 10.1: 5094 * C) Shutdown 5095 * 5096 * Format: SHUTDOWN(association id) 5097 * -> result 5098 * 5099 * Gracefully closes an association. Any locally queued user data 5100 * will be delivered to the peer. The association will be terminated only 5101 * after the peer acknowledges all the SCTP packets sent. A success code 5102 * will be returned on successful termination of the association. If 5103 * attempting to terminate the association results in a failure, an error 5104 * code shall be returned. 5105 * 5106 * Mandatory attributes: 5107 * 5108 * o association id - local handle to the SCTP association 5109 * 5110 * Optional attributes: 5111 * 5112 * None. 5113 * 5114 * The return value is the disposition. 5115 */ 5116enum sctp_disposition sctp_sf_do_9_2_prm_shutdown( 5117 struct net *net, 5118 const struct sctp_endpoint *ep, 5119 const struct sctp_association *asoc, 5120 const union sctp_subtype type, 5121 void *arg, 5122 struct sctp_cmd_seq *commands) 5123{ 5124 enum sctp_disposition disposition; 5125 5126 /* From 9.2 Shutdown of an Association 5127 * Upon receipt of the SHUTDOWN primitive from its upper 5128 * layer, the endpoint enters SHUTDOWN-PENDING state and 5129 * remains there until all outstanding data has been 5130 * acknowledged by its peer. The endpoint accepts no new data 5131 * from its upper layer, but retransmits data to the far end 5132 * if necessary to fill gaps. 5133 */ 5134 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5135 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 5136 5137 disposition = SCTP_DISPOSITION_CONSUME; 5138 if (sctp_outq_is_empty(&asoc->outqueue)) { 5139 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 5140 arg, commands); 5141 } 5142 5143 return disposition; 5144} 5145 5146/* 5147 * Process the ABORT primitive. 5148 * 5149 * Section: 10.1: 5150 * C) Abort 5151 * 5152 * Format: Abort(association id [, cause code]) 5153 * -> result 5154 * 5155 * Ungracefully closes an association. Any locally queued user data 5156 * will be discarded and an ABORT chunk is sent to the peer. A success code 5157 * will be returned on successful abortion of the association. If 5158 * attempting to abort the association results in a failure, an error 5159 * code shall be returned. 5160 * 5161 * Mandatory attributes: 5162 * 5163 * o association id - local handle to the SCTP association 5164 * 5165 * Optional attributes: 5166 * 5167 * o cause code - reason of the abort to be passed to the peer 5168 * 5169 * None. 5170 * 5171 * The return value is the disposition. 5172 */ 5173enum sctp_disposition sctp_sf_do_9_1_prm_abort( 5174 struct net *net, 5175 const struct sctp_endpoint *ep, 5176 const struct sctp_association *asoc, 5177 const union sctp_subtype type, 5178 void *arg, 5179 struct sctp_cmd_seq *commands) 5180{ 5181 /* From 9.1 Abort of an Association 5182 * Upon receipt of the ABORT primitive from its upper 5183 * layer, the endpoint enters CLOSED state and 5184 * discard all outstanding data has been 5185 * acknowledged by its peer. The endpoint accepts no new data 5186 * from its upper layer, but retransmits data to the far end 5187 * if necessary to fill gaps. 5188 */ 5189 struct sctp_chunk *abort = arg; 5190 5191 if (abort) 5192 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5193 5194 /* Even if we can't send the ABORT due to low memory delete the 5195 * TCB. This is a departure from our typical NOMEM handling. 5196 */ 5197 5198 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5199 SCTP_ERROR(ECONNABORTED)); 5200 /* Delete the established association. */ 5201 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5202 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5203 5204 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5205 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5206 5207 return SCTP_DISPOSITION_ABORT; 5208} 5209 5210/* We tried an illegal operation on an association which is closed. */ 5211enum sctp_disposition sctp_sf_error_closed(struct net *net, 5212 const struct sctp_endpoint *ep, 5213 const struct sctp_association *asoc, 5214 const union sctp_subtype type, 5215 void *arg, 5216 struct sctp_cmd_seq *commands) 5217{ 5218 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL)); 5219 return SCTP_DISPOSITION_CONSUME; 5220} 5221 5222/* We tried an illegal operation on an association which is shutting 5223 * down. 5224 */ 5225enum sctp_disposition sctp_sf_error_shutdown( 5226 struct net *net, 5227 const struct sctp_endpoint *ep, 5228 const struct sctp_association *asoc, 5229 const union sctp_subtype type, 5230 void *arg, 5231 struct sctp_cmd_seq *commands) 5232{ 5233 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, 5234 SCTP_ERROR(-ESHUTDOWN)); 5235 return SCTP_DISPOSITION_CONSUME; 5236} 5237 5238/* 5239 * sctp_cookie_wait_prm_shutdown 5240 * 5241 * Section: 4 Note: 2 5242 * Verification Tag: 5243 * Inputs 5244 * (endpoint, asoc) 5245 * 5246 * The RFC does not explicitly address this issue, but is the route through the 5247 * state table when someone issues a shutdown while in COOKIE_WAIT state. 5248 * 5249 * Outputs 5250 * (timers) 5251 */ 5252enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( 5253 struct net *net, 5254 const struct sctp_endpoint *ep, 5255 const struct sctp_association *asoc, 5256 const union sctp_subtype type, 5257 void *arg, 5258 struct sctp_cmd_seq *commands) 5259{ 5260 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5261 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5262 5263 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5264 SCTP_STATE(SCTP_STATE_CLOSED)); 5265 5266 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); 5267 5268 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); 5269 5270 return SCTP_DISPOSITION_DELETE_TCB; 5271} 5272 5273/* 5274 * sctp_cookie_echoed_prm_shutdown 5275 * 5276 * Section: 4 Note: 2 5277 * Verification Tag: 5278 * Inputs 5279 * (endpoint, asoc) 5280 * 5281 * The RFC does not explicitly address this issue, but is the route through the 5282 * state table when someone issues a shutdown while in COOKIE_ECHOED state. 5283 * 5284 * Outputs 5285 * (timers) 5286 */ 5287enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown( 5288 struct net *net, 5289 const struct sctp_endpoint *ep, 5290 const struct sctp_association *asoc, 5291 const union sctp_subtype type, 5292 void *arg, 5293 struct sctp_cmd_seq *commands) 5294{ 5295 /* There is a single T1 timer, so we should be able to use 5296 * common function with the COOKIE-WAIT state. 5297 */ 5298 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands); 5299} 5300 5301/* 5302 * sctp_sf_cookie_wait_prm_abort 5303 * 5304 * Section: 4 Note: 2 5305 * Verification Tag: 5306 * Inputs 5307 * (endpoint, asoc) 5308 * 5309 * The RFC does not explicitly address this issue, but is the route through the 5310 * state table when someone issues an abort while in COOKIE_WAIT state. 5311 * 5312 * Outputs 5313 * (timers) 5314 */ 5315enum sctp_disposition sctp_sf_cookie_wait_prm_abort( 5316 struct net *net, 5317 const struct sctp_endpoint *ep, 5318 const struct sctp_association *asoc, 5319 const union sctp_subtype type, 5320 void *arg, 5321 struct sctp_cmd_seq *commands) 5322{ 5323 struct sctp_chunk *abort = arg; 5324 5325 /* Stop T1-init timer */ 5326 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5327 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5328 5329 if (abort) 5330 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); 5331 5332 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5333 SCTP_STATE(SCTP_STATE_CLOSED)); 5334 5335 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5336 5337 /* Even if we can't send the ABORT due to low memory delete the 5338 * TCB. This is a departure from our typical NOMEM handling. 5339 */ 5340 5341 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5342 SCTP_ERROR(ECONNREFUSED)); 5343 /* Delete the established association. */ 5344 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5345 SCTP_PERR(SCTP_ERROR_USER_ABORT)); 5346 5347 return SCTP_DISPOSITION_ABORT; 5348} 5349 5350/* 5351 * sctp_sf_cookie_echoed_prm_abort 5352 * 5353 * Section: 4 Note: 3 5354 * Verification Tag: 5355 * Inputs 5356 * (endpoint, asoc) 5357 * 5358 * The RFC does not explcitly address this issue, but is the route through the 5359 * state table when someone issues an abort while in COOKIE_ECHOED state. 5360 * 5361 * Outputs 5362 * (timers) 5363 */ 5364enum sctp_disposition sctp_sf_cookie_echoed_prm_abort( 5365 struct net *net, 5366 const struct sctp_endpoint *ep, 5367 const struct sctp_association *asoc, 5368 const union sctp_subtype type, 5369 void *arg, 5370 struct sctp_cmd_seq *commands) 5371{ 5372 /* There is a single T1 timer, so we should be able to use 5373 * common function with the COOKIE-WAIT state. 5374 */ 5375 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands); 5376} 5377 5378/* 5379 * sctp_sf_shutdown_pending_prm_abort 5380 * 5381 * Inputs 5382 * (endpoint, asoc) 5383 * 5384 * The RFC does not explicitly address this issue, but is the route through the 5385 * state table when someone issues an abort while in SHUTDOWN-PENDING state. 5386 * 5387 * Outputs 5388 * (timers) 5389 */ 5390enum sctp_disposition sctp_sf_shutdown_pending_prm_abort( 5391 struct net *net, 5392 const struct sctp_endpoint *ep, 5393 const struct sctp_association *asoc, 5394 const union sctp_subtype type, 5395 void *arg, 5396 struct sctp_cmd_seq *commands) 5397{ 5398 /* Stop the T5-shutdown guard timer. */ 5399 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5400 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5401 5402 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5403} 5404 5405/* 5406 * sctp_sf_shutdown_sent_prm_abort 5407 * 5408 * Inputs 5409 * (endpoint, asoc) 5410 * 5411 * The RFC does not explicitly address this issue, but is the route through the 5412 * state table when someone issues an abort while in SHUTDOWN-SENT state. 5413 * 5414 * Outputs 5415 * (timers) 5416 */ 5417enum sctp_disposition sctp_sf_shutdown_sent_prm_abort( 5418 struct net *net, 5419 const struct sctp_endpoint *ep, 5420 const struct sctp_association *asoc, 5421 const union sctp_subtype type, 5422 void *arg, 5423 struct sctp_cmd_seq *commands) 5424{ 5425 /* Stop the T2-shutdown timer. */ 5426 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5427 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5428 5429 /* Stop the T5-shutdown guard timer. */ 5430 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5431 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5432 5433 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands); 5434} 5435 5436/* 5437 * sctp_sf_cookie_echoed_prm_abort 5438 * 5439 * Inputs 5440 * (endpoint, asoc) 5441 * 5442 * The RFC does not explcitly address this issue, but is the route through the 5443 * state table when someone issues an abort while in COOKIE_ECHOED state. 5444 * 5445 * Outputs 5446 * (timers) 5447 */ 5448enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort( 5449 struct net *net, 5450 const struct sctp_endpoint *ep, 5451 const struct sctp_association *asoc, 5452 const union sctp_subtype type, 5453 void *arg, 5454 struct sctp_cmd_seq *commands) 5455{ 5456 /* The same T2 timer, so we should be able to use 5457 * common function with the SHUTDOWN-SENT state. 5458 */ 5459 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands); 5460} 5461 5462/* 5463 * Process the REQUESTHEARTBEAT primitive 5464 * 5465 * 10.1 ULP-to-SCTP 5466 * J) Request Heartbeat 5467 * 5468 * Format: REQUESTHEARTBEAT(association id, destination transport address) 5469 * 5470 * -> result 5471 * 5472 * Instructs the local endpoint to perform a HeartBeat on the specified 5473 * destination transport address of the given association. The returned 5474 * result should indicate whether the transmission of the HEARTBEAT 5475 * chunk to the destination address is successful. 5476 * 5477 * Mandatory attributes: 5478 * 5479 * o association id - local handle to the SCTP association 5480 * 5481 * o destination transport address - the transport address of the 5482 * association on which a heartbeat should be issued. 5483 */ 5484enum sctp_disposition sctp_sf_do_prm_requestheartbeat( 5485 struct net *net, 5486 const struct sctp_endpoint *ep, 5487 const struct sctp_association *asoc, 5488 const union sctp_subtype type, 5489 void *arg, 5490 struct sctp_cmd_seq *commands) 5491{ 5492 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type, 5493 (struct sctp_transport *)arg, commands)) 5494 return SCTP_DISPOSITION_NOMEM; 5495 5496 /* 5497 * RFC 2960 (bis), section 8.3 5498 * 5499 * D) Request an on-demand HEARTBEAT on a specific destination 5500 * transport address of a given association. 5501 * 5502 * The endpoint should increment the respective error counter of 5503 * the destination transport address each time a HEARTBEAT is sent 5504 * to that address and not acknowledged within one RTO. 5505 * 5506 */ 5507 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, 5508 SCTP_TRANSPORT(arg)); 5509 return SCTP_DISPOSITION_CONSUME; 5510} 5511 5512/* 5513 * ADDIP Section 4.1 ASCONF Chunk Procedures 5514 * When an endpoint has an ASCONF signaled change to be sent to the 5515 * remote endpoint it should do A1 to A9 5516 */ 5517enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net, 5518 const struct sctp_endpoint *ep, 5519 const struct sctp_association *asoc, 5520 const union sctp_subtype type, 5521 void *arg, 5522 struct sctp_cmd_seq *commands) 5523{ 5524 struct sctp_chunk *chunk = arg; 5525 5526 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5527 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5528 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 5529 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5530 return SCTP_DISPOSITION_CONSUME; 5531} 5532 5533/* RE-CONFIG Section 5.1 RECONF Chunk Procedures */ 5534enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net, 5535 const struct sctp_endpoint *ep, 5536 const struct sctp_association *asoc, 5537 const union sctp_subtype type, 5538 void *arg, 5539 struct sctp_cmd_seq *commands) 5540{ 5541 struct sctp_chunk *chunk = arg; 5542 5543 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk)); 5544 return SCTP_DISPOSITION_CONSUME; 5545} 5546 5547/* 5548 * Ignore the primitive event 5549 * 5550 * The return value is the disposition of the primitive. 5551 */ 5552enum sctp_disposition sctp_sf_ignore_primitive( 5553 struct net *net, 5554 const struct sctp_endpoint *ep, 5555 const struct sctp_association *asoc, 5556 const union sctp_subtype type, 5557 void *arg, 5558 struct sctp_cmd_seq *commands) 5559{ 5560 pr_debug("%s: primitive type:%d is ignored\n", __func__, 5561 type.primitive); 5562 5563 return SCTP_DISPOSITION_DISCARD; 5564} 5565 5566/*************************************************************************** 5567 * These are the state functions for the OTHER events. 5568 ***************************************************************************/ 5569 5570/* 5571 * When the SCTP stack has no more user data to send or retransmit, this 5572 * notification is given to the user. Also, at the time when a user app 5573 * subscribes to this event, if there is no data to be sent or 5574 * retransmit, the stack will immediately send up this notification. 5575 */ 5576enum sctp_disposition sctp_sf_do_no_pending_tsn( 5577 struct net *net, 5578 const struct sctp_endpoint *ep, 5579 const struct sctp_association *asoc, 5580 const union sctp_subtype type, 5581 void *arg, 5582 struct sctp_cmd_seq *commands) 5583{ 5584 struct sctp_ulpevent *event; 5585 5586 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC); 5587 if (!event) 5588 return SCTP_DISPOSITION_NOMEM; 5589 5590 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event)); 5591 5592 return SCTP_DISPOSITION_CONSUME; 5593} 5594 5595/* 5596 * Start the shutdown negotiation. 5597 * 5598 * From Section 9.2: 5599 * Once all its outstanding data has been acknowledged, the endpoint 5600 * shall send a SHUTDOWN chunk to its peer including in the Cumulative 5601 * TSN Ack field the last sequential TSN it has received from the peer. 5602 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT 5603 * state. If the timer expires, the endpoint must re-send the SHUTDOWN 5604 * with the updated last sequential TSN received from its peer. 5605 * 5606 * The return value is the disposition. 5607 */ 5608enum sctp_disposition sctp_sf_do_9_2_start_shutdown( 5609 struct net *net, 5610 const struct sctp_endpoint *ep, 5611 const struct sctp_association *asoc, 5612 const union sctp_subtype type, 5613 void *arg, 5614 struct sctp_cmd_seq *commands) 5615{ 5616 struct sctp_chunk *reply; 5617 5618 /* Once all its outstanding data has been acknowledged, the 5619 * endpoint shall send a SHUTDOWN chunk to its peer including 5620 * in the Cumulative TSN Ack field the last sequential TSN it 5621 * has received from the peer. 5622 */ 5623 reply = sctp_make_shutdown(asoc, arg); 5624 if (!reply) 5625 goto nomem; 5626 5627 /* Set the transport for the SHUTDOWN chunk and the timeout for the 5628 * T2-shutdown timer. 5629 */ 5630 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5631 5632 /* It shall then start the T2-shutdown timer */ 5633 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, 5634 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5635 5636 /* RFC 4960 Section 9.2 5637 * The sender of the SHUTDOWN MAY also start an overall guard timer 5638 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 5639 */ 5640 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5641 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5642 5643 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5644 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5645 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5646 5647 /* and enter the SHUTDOWN-SENT state. */ 5648 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5649 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT)); 5650 5651 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5652 * 5653 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5654 * or SHUTDOWN-ACK. 5655 */ 5656 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5657 5658 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5659 5660 return SCTP_DISPOSITION_CONSUME; 5661 5662nomem: 5663 return SCTP_DISPOSITION_NOMEM; 5664} 5665 5666/* 5667 * Generate a SHUTDOWN ACK now that everything is SACK'd. 5668 * 5669 * From Section 9.2: 5670 * 5671 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5672 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own, 5673 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the 5674 * endpoint must re-send the SHUTDOWN ACK. 5675 * 5676 * The return value is the disposition. 5677 */ 5678enum sctp_disposition sctp_sf_do_9_2_shutdown_ack( 5679 struct net *net, 5680 const struct sctp_endpoint *ep, 5681 const struct sctp_association *asoc, 5682 const union sctp_subtype type, 5683 void *arg, 5684 struct sctp_cmd_seq *commands) 5685{ 5686 struct sctp_chunk *chunk = arg; 5687 struct sctp_chunk *reply; 5688 5689 /* There are 2 ways of getting here: 5690 * 1) called in response to a SHUTDOWN chunk 5691 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued. 5692 * 5693 * For the case (2), the arg parameter is set to NULL. We need 5694 * to check that we have a chunk before accessing it's fields. 5695 */ 5696 if (chunk) { 5697 if (!sctp_vtag_verify(chunk, asoc)) 5698 return sctp_sf_pdiscard(net, ep, asoc, type, arg, 5699 commands); 5700 5701 /* Make sure that the SHUTDOWN chunk has a valid length. */ 5702 if (!sctp_chunk_length_valid( 5703 chunk, sizeof(struct sctp_shutdown_chunk))) 5704 return sctp_sf_violation_chunklen(net, ep, asoc, type, 5705 arg, commands); 5706 } 5707 5708 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver 5709 * shall send a SHUTDOWN ACK ... 5710 */ 5711 reply = sctp_make_shutdown_ack(asoc, chunk); 5712 if (!reply) 5713 goto nomem; 5714 5715 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for 5716 * the T2-shutdown timer. 5717 */ 5718 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 5719 5720 /* and start/restart a T2-shutdown timer of its own, */ 5721 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 5722 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 5723 5724 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) 5725 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 5726 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); 5727 5728 /* Enter the SHUTDOWN-ACK-SENT state. */ 5729 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 5730 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT)); 5731 5732 /* sctp-implguide 2.10 Issues with Heartbeating and failover 5733 * 5734 * HEARTBEAT ... is discontinued after sending either SHUTDOWN 5735 * or SHUTDOWN-ACK. 5736 */ 5737 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); 5738 5739 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 5740 5741 return SCTP_DISPOSITION_CONSUME; 5742 5743nomem: 5744 return SCTP_DISPOSITION_NOMEM; 5745} 5746 5747/* 5748 * Ignore the event defined as other 5749 * 5750 * The return value is the disposition of the event. 5751 */ 5752enum sctp_disposition sctp_sf_ignore_other(struct net *net, 5753 const struct sctp_endpoint *ep, 5754 const struct sctp_association *asoc, 5755 const union sctp_subtype type, 5756 void *arg, 5757 struct sctp_cmd_seq *commands) 5758{ 5759 pr_debug("%s: the event other type:%d is ignored\n", 5760 __func__, type.other); 5761 5762 return SCTP_DISPOSITION_DISCARD; 5763} 5764 5765/************************************************************ 5766 * These are the state functions for handling timeout events. 5767 ************************************************************/ 5768 5769/* 5770 * RTX Timeout 5771 * 5772 * Section: 6.3.3 Handle T3-rtx Expiration 5773 * 5774 * Whenever the retransmission timer T3-rtx expires for a destination 5775 * address, do the following: 5776 * [See below] 5777 * 5778 * The return value is the disposition of the chunk. 5779 */ 5780enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net, 5781 const struct sctp_endpoint *ep, 5782 const struct sctp_association *asoc, 5783 const union sctp_subtype type, 5784 void *arg, 5785 struct sctp_cmd_seq *commands) 5786{ 5787 struct sctp_transport *transport = arg; 5788 5789 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS); 5790 5791 if (asoc->overall_error_count >= asoc->max_retrans) { 5792 if (asoc->peer.zero_window_announced && 5793 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { 5794 /* 5795 * We are here likely because the receiver had its rwnd 5796 * closed for a while and we have not been able to 5797 * transmit the locally queued data within the maximum 5798 * retransmission attempts limit. Start the T5 5799 * shutdown guard timer to give the receiver one last 5800 * chance and some additional time to recover before 5801 * aborting. 5802 */ 5803 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE, 5804 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); 5805 } else { 5806 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5807 SCTP_ERROR(ETIMEDOUT)); 5808 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 5809 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 5810 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5811 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 5812 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 5813 return SCTP_DISPOSITION_DELETE_TCB; 5814 } 5815 } 5816 5817 /* E1) For the destination address for which the timer 5818 * expires, adjust its ssthresh with rules defined in Section 5819 * 7.2.3 and set the cwnd <- MTU. 5820 */ 5821 5822 /* E2) For the destination address for which the timer 5823 * expires, set RTO <- RTO * 2 ("back off the timer"). The 5824 * maximum value discussed in rule C7 above (RTO.max) may be 5825 * used to provide an upper bound to this doubling operation. 5826 */ 5827 5828 /* E3) Determine how many of the earliest (i.e., lowest TSN) 5829 * outstanding DATA chunks for the address for which the 5830 * T3-rtx has expired will fit into a single packet, subject 5831 * to the MTU constraint for the path corresponding to the 5832 * destination transport address to which the retransmission 5833 * is being sent (this may be different from the address for 5834 * which the timer expires [see Section 6.4]). Call this 5835 * value K. Bundle and retransmit those K DATA chunks in a 5836 * single packet to the destination endpoint. 5837 * 5838 * Note: Any DATA chunks that were sent to the address for 5839 * which the T3-rtx timer expired but did not fit in one MTU 5840 * (rule E3 above), should be marked for retransmission and 5841 * sent as soon as cwnd allows (normally when a SACK arrives). 5842 */ 5843 5844 /* Do some failure management (Section 8.2). */ 5845 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5846 5847 /* NB: Rules E4 and F1 are implicit in R1. */ 5848 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport)); 5849 5850 return SCTP_DISPOSITION_CONSUME; 5851} 5852 5853/* 5854 * Generate delayed SACK on timeout 5855 * 5856 * Section: 6.2 Acknowledgement on Reception of DATA Chunks 5857 * 5858 * The guidelines on delayed acknowledgement algorithm specified in 5859 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an 5860 * acknowledgement SHOULD be generated for at least every second packet 5861 * (not every second DATA chunk) received, and SHOULD be generated 5862 * within 200 ms of the arrival of any unacknowledged DATA chunk. In 5863 * some situations it may be beneficial for an SCTP transmitter to be 5864 * more conservative than the algorithms detailed in this document 5865 * allow. However, an SCTP transmitter MUST NOT be more aggressive than 5866 * the following algorithms allow. 5867 */ 5868enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net, 5869 const struct sctp_endpoint *ep, 5870 const struct sctp_association *asoc, 5871 const union sctp_subtype type, 5872 void *arg, 5873 struct sctp_cmd_seq *commands) 5874{ 5875 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS); 5876 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE()); 5877 return SCTP_DISPOSITION_CONSUME; 5878} 5879 5880/* 5881 * sctp_sf_t1_init_timer_expire 5882 * 5883 * Section: 4 Note: 2 5884 * Verification Tag: 5885 * Inputs 5886 * (endpoint, asoc) 5887 * 5888 * RFC 2960 Section 4 Notes 5889 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT 5890 * and re-start the T1-init timer without changing state. This MUST 5891 * be repeated up to 'Max.Init.Retransmits' times. After that, the 5892 * endpoint MUST abort the initialization process and report the 5893 * error to SCTP user. 5894 * 5895 * Outputs 5896 * (timers, events) 5897 * 5898 */ 5899enum sctp_disposition sctp_sf_t1_init_timer_expire( 5900 struct net *net, 5901 const struct sctp_endpoint *ep, 5902 const struct sctp_association *asoc, 5903 const union sctp_subtype type, 5904 void *arg, 5905 struct sctp_cmd_seq *commands) 5906{ 5907 int attempts = asoc->init_err_counter + 1; 5908 struct sctp_chunk *repl = NULL; 5909 struct sctp_bind_addr *bp; 5910 5911 pr_debug("%s: timer T1 expired (INIT)\n", __func__); 5912 5913 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS); 5914 5915 if (attempts <= asoc->max_init_attempts) { 5916 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; 5917 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); 5918 if (!repl) 5919 return SCTP_DISPOSITION_NOMEM; 5920 5921 /* Choose transport for INIT. */ 5922 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5923 SCTP_CHUNK(repl)); 5924 5925 /* Issue a sideeffect to do the needed accounting. */ 5926 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART, 5927 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); 5928 5929 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5930 } else { 5931 pr_debug("%s: giving up on INIT, attempts:%d " 5932 "max_init_attempts:%d\n", __func__, attempts, 5933 asoc->max_init_attempts); 5934 5935 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5936 SCTP_ERROR(ETIMEDOUT)); 5937 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5938 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5939 return SCTP_DISPOSITION_DELETE_TCB; 5940 } 5941 5942 return SCTP_DISPOSITION_CONSUME; 5943} 5944 5945/* 5946 * sctp_sf_t1_cookie_timer_expire 5947 * 5948 * Section: 4 Note: 2 5949 * Verification Tag: 5950 * Inputs 5951 * (endpoint, asoc) 5952 * 5953 * RFC 2960 Section 4 Notes 5954 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit 5955 * COOKIE ECHO and re-start the T1-cookie timer without changing 5956 * state. This MUST be repeated up to 'Max.Init.Retransmits' times. 5957 * After that, the endpoint MUST abort the initialization process and 5958 * report the error to SCTP user. 5959 * 5960 * Outputs 5961 * (timers, events) 5962 * 5963 */ 5964enum sctp_disposition sctp_sf_t1_cookie_timer_expire( 5965 struct net *net, 5966 const struct sctp_endpoint *ep, 5967 const struct sctp_association *asoc, 5968 const union sctp_subtype type, 5969 void *arg, 5970 struct sctp_cmd_seq *commands) 5971{ 5972 int attempts = asoc->init_err_counter + 1; 5973 struct sctp_chunk *repl = NULL; 5974 5975 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__); 5976 5977 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS); 5978 5979 if (attempts <= asoc->max_init_attempts) { 5980 repl = sctp_make_cookie_echo(asoc, NULL); 5981 if (!repl) 5982 return SCTP_DISPOSITION_NOMEM; 5983 5984 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, 5985 SCTP_CHUNK(repl)); 5986 /* Issue a sideeffect to do the needed accounting. */ 5987 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART, 5988 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); 5989 5990 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); 5991 } else { 5992 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 5993 SCTP_ERROR(ETIMEDOUT)); 5994 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, 5995 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 5996 return SCTP_DISPOSITION_DELETE_TCB; 5997 } 5998 5999 return SCTP_DISPOSITION_CONSUME; 6000} 6001 6002/* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN 6003 * with the updated last sequential TSN received from its peer. 6004 * 6005 * An endpoint should limit the number of retransmission of the 6006 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. 6007 * If this threshold is exceeded the endpoint should destroy the TCB and 6008 * MUST report the peer endpoint unreachable to the upper layer (and 6009 * thus the association enters the CLOSED state). The reception of any 6010 * packet from its peer (i.e. as the peer sends all of its queued DATA 6011 * chunks) should clear the endpoint's retransmission count and restart 6012 * the T2-Shutdown timer, giving its peer ample opportunity to transmit 6013 * all of its queued DATA chunks that have not yet been sent. 6014 */ 6015enum sctp_disposition sctp_sf_t2_timer_expire( 6016 struct net *net, 6017 const struct sctp_endpoint *ep, 6018 const struct sctp_association *asoc, 6019 const union sctp_subtype type, 6020 void *arg, 6021 struct sctp_cmd_seq *commands) 6022{ 6023 struct sctp_chunk *reply = NULL; 6024 6025 pr_debug("%s: timer T2 expired\n", __func__); 6026 6027 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS); 6028 6029 ((struct sctp_association *)asoc)->shutdown_retries++; 6030 6031 if (asoc->overall_error_count >= asoc->max_retrans) { 6032 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6033 SCTP_ERROR(ETIMEDOUT)); 6034 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ 6035 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6036 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6037 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6038 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6039 return SCTP_DISPOSITION_DELETE_TCB; 6040 } 6041 6042 switch (asoc->state) { 6043 case SCTP_STATE_SHUTDOWN_SENT: 6044 reply = sctp_make_shutdown(asoc, NULL); 6045 break; 6046 6047 case SCTP_STATE_SHUTDOWN_ACK_SENT: 6048 reply = sctp_make_shutdown_ack(asoc, NULL); 6049 break; 6050 6051 default: 6052 BUG(); 6053 break; 6054 } 6055 6056 if (!reply) 6057 goto nomem; 6058 6059 /* Do some failure management (Section 8.2). 6060 * If we remove the transport an SHUTDOWN was last sent to, don't 6061 * do failure management. 6062 */ 6063 if (asoc->shutdown_last_sent_to) 6064 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 6065 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 6066 6067 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 6068 * the T2-shutdown timer. 6069 */ 6070 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); 6071 6072 /* Restart the T2-shutdown timer. */ 6073 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 6074 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); 6075 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6076 return SCTP_DISPOSITION_CONSUME; 6077 6078nomem: 6079 return SCTP_DISPOSITION_NOMEM; 6080} 6081 6082/* 6083 * ADDIP Section 4.1 ASCONF Chunk Procedures 6084 * If the T4 RTO timer expires the endpoint should do B1 to B5 6085 */ 6086enum sctp_disposition sctp_sf_t4_timer_expire( 6087 struct net *net, 6088 const struct sctp_endpoint *ep, 6089 const struct sctp_association *asoc, 6090 const union sctp_subtype type, 6091 void *arg, 6092 struct sctp_cmd_seq *commands) 6093{ 6094 struct sctp_chunk *chunk = asoc->addip_last_asconf; 6095 struct sctp_transport *transport = chunk->transport; 6096 6097 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS); 6098 6099 /* ADDIP 4.1 B1) Increment the error counters and perform path failure 6100 * detection on the appropriate destination address as defined in 6101 * RFC2960 [5] section 8.1 and 8.2. 6102 */ 6103 if (transport) 6104 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 6105 SCTP_TRANSPORT(transport)); 6106 6107 /* Reconfig T4 timer and transport. */ 6108 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 6109 6110 /* ADDIP 4.1 B2) Increment the association error counters and perform 6111 * endpoint failure detection on the association as defined in 6112 * RFC2960 [5] section 8.1 and 8.2. 6113 * association error counter is incremented in SCTP_CMD_STRIKE. 6114 */ 6115 if (asoc->overall_error_count >= asoc->max_retrans) { 6116 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, 6117 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6118 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6119 SCTP_ERROR(ETIMEDOUT)); 6120 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6121 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6122 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6123 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6124 return SCTP_DISPOSITION_ABORT; 6125 } 6126 6127 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which 6128 * the ASCONF chunk was sent by doubling the RTO timer value. 6129 * This is done in SCTP_CMD_STRIKE. 6130 */ 6131 6132 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible 6133 * choose an alternate destination address (please refer to RFC2960 6134 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this 6135 * chunk, it MUST be the same (including its serial number) as the last 6136 * ASCONF sent. 6137 */ 6138 sctp_chunk_hold(asoc->addip_last_asconf); 6139 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6140 SCTP_CHUNK(asoc->addip_last_asconf)); 6141 6142 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different 6143 * destination is selected, then the RTO used will be that of the new 6144 * destination address. 6145 */ 6146 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, 6147 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 6148 6149 return SCTP_DISPOSITION_CONSUME; 6150} 6151 6152/* sctpimpguide-05 Section 2.12.2 6153 * The sender of the SHUTDOWN MAY also start an overall guard timer 6154 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence. 6155 * At the expiration of this timer the sender SHOULD abort the association 6156 * by sending an ABORT chunk. 6157 */ 6158enum sctp_disposition sctp_sf_t5_timer_expire( 6159 struct net *net, 6160 const struct sctp_endpoint *ep, 6161 const struct sctp_association *asoc, 6162 const union sctp_subtype type, 6163 void *arg, 6164 struct sctp_cmd_seq *commands) 6165{ 6166 struct sctp_chunk *reply = NULL; 6167 6168 pr_debug("%s: timer T5 expired\n", __func__); 6169 6170 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS); 6171 6172 reply = sctp_make_abort(asoc, NULL, 0); 6173 if (!reply) 6174 goto nomem; 6175 6176 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); 6177 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6178 SCTP_ERROR(ETIMEDOUT)); 6179 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6180 SCTP_PERR(SCTP_ERROR_NO_ERROR)); 6181 6182 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6183 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6184 6185 return SCTP_DISPOSITION_DELETE_TCB; 6186nomem: 6187 return SCTP_DISPOSITION_NOMEM; 6188} 6189 6190/* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires, 6191 * the association is automatically closed by starting the shutdown process. 6192 * The work that needs to be done is same as when SHUTDOWN is initiated by 6193 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown(). 6194 */ 6195enum sctp_disposition sctp_sf_autoclose_timer_expire( 6196 struct net *net, 6197 const struct sctp_endpoint *ep, 6198 const struct sctp_association *asoc, 6199 const union sctp_subtype type, 6200 void *arg, 6201 struct sctp_cmd_seq *commands) 6202{ 6203 enum sctp_disposition disposition; 6204 6205 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS); 6206 6207 /* From 9.2 Shutdown of an Association 6208 * Upon receipt of the SHUTDOWN primitive from its upper 6209 * layer, the endpoint enters SHUTDOWN-PENDING state and 6210 * remains there until all outstanding data has been 6211 * acknowledged by its peer. The endpoint accepts no new data 6212 * from its upper layer, but retransmits data to the far end 6213 * if necessary to fill gaps. 6214 */ 6215 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, 6216 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING)); 6217 6218 disposition = SCTP_DISPOSITION_CONSUME; 6219 if (sctp_outq_is_empty(&asoc->outqueue)) { 6220 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, 6221 NULL, commands); 6222 } 6223 6224 return disposition; 6225} 6226 6227/***************************************************************************** 6228 * These are sa state functions which could apply to all types of events. 6229 ****************************************************************************/ 6230 6231/* 6232 * This table entry is not implemented. 6233 * 6234 * Inputs 6235 * (endpoint, asoc, chunk) 6236 * 6237 * The return value is the disposition of the chunk. 6238 */ 6239enum sctp_disposition sctp_sf_not_impl(struct net *net, 6240 const struct sctp_endpoint *ep, 6241 const struct sctp_association *asoc, 6242 const union sctp_subtype type, 6243 void *arg, struct sctp_cmd_seq *commands) 6244{ 6245 return SCTP_DISPOSITION_NOT_IMPL; 6246} 6247 6248/* 6249 * This table entry represents a bug. 6250 * 6251 * Inputs 6252 * (endpoint, asoc, chunk) 6253 * 6254 * The return value is the disposition of the chunk. 6255 */ 6256enum sctp_disposition sctp_sf_bug(struct net *net, 6257 const struct sctp_endpoint *ep, 6258 const struct sctp_association *asoc, 6259 const union sctp_subtype type, 6260 void *arg, struct sctp_cmd_seq *commands) 6261{ 6262 return SCTP_DISPOSITION_BUG; 6263} 6264 6265/* 6266 * This table entry represents the firing of a timer in the wrong state. 6267 * Since timer deletion cannot be guaranteed a timer 'may' end up firing 6268 * when the association is in the wrong state. This event should 6269 * be ignored, so as to prevent any rearming of the timer. 6270 * 6271 * Inputs 6272 * (endpoint, asoc, chunk) 6273 * 6274 * The return value is the disposition of the chunk. 6275 */ 6276enum sctp_disposition sctp_sf_timer_ignore(struct net *net, 6277 const struct sctp_endpoint *ep, 6278 const struct sctp_association *asoc, 6279 const union sctp_subtype type, 6280 void *arg, 6281 struct sctp_cmd_seq *commands) 6282{ 6283 pr_debug("%s: timer %d ignored\n", __func__, type.chunk); 6284 6285 return SCTP_DISPOSITION_CONSUME; 6286} 6287 6288/******************************************************************** 6289 * 2nd Level Abstractions 6290 ********************************************************************/ 6291 6292/* Pull the SACK chunk based on the SACK header. */ 6293static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk) 6294{ 6295 struct sctp_sackhdr *sack; 6296 __u16 num_dup_tsns; 6297 unsigned int len; 6298 __u16 num_blocks; 6299 6300 /* Protect ourselves from reading too far into 6301 * the skb from a bogus sender. 6302 */ 6303 sack = (struct sctp_sackhdr *) chunk->skb->data; 6304 6305 num_blocks = ntohs(sack->num_gap_ack_blocks); 6306 num_dup_tsns = ntohs(sack->num_dup_tsns); 6307 len = sizeof(struct sctp_sackhdr); 6308 len += (num_blocks + num_dup_tsns) * sizeof(__u32); 6309 if (len > chunk->skb->len) 6310 return NULL; 6311 6312 skb_pull(chunk->skb, len); 6313 6314 return sack; 6315} 6316 6317/* Create an ABORT packet to be sent as a response, with the specified 6318 * error causes. 6319 */ 6320static struct sctp_packet *sctp_abort_pkt_new( 6321 struct net *net, 6322 const struct sctp_endpoint *ep, 6323 const struct sctp_association *asoc, 6324 struct sctp_chunk *chunk, 6325 const void *payload, size_t paylen) 6326{ 6327 struct sctp_packet *packet; 6328 struct sctp_chunk *abort; 6329 6330 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6331 6332 if (packet) { 6333 /* Make an ABORT. 6334 * The T bit will be set if the asoc is NULL. 6335 */ 6336 abort = sctp_make_abort(asoc, chunk, paylen); 6337 if (!abort) { 6338 sctp_ootb_pkt_free(packet); 6339 return NULL; 6340 } 6341 6342 /* Reflect vtag if T-Bit is set */ 6343 if (sctp_test_T_bit(abort)) 6344 packet->vtag = ntohl(chunk->sctp_hdr->vtag); 6345 6346 /* Add specified error causes, i.e., payload, to the 6347 * end of the chunk. 6348 */ 6349 sctp_addto_chunk(abort, paylen, payload); 6350 6351 /* Set the skb to the belonging sock for accounting. */ 6352 abort->skb->sk = ep->base.sk; 6353 6354 sctp_packet_append_chunk(packet, abort); 6355 6356 } 6357 6358 return packet; 6359} 6360 6361/* Allocate a packet for responding in the OOTB conditions. */ 6362static struct sctp_packet *sctp_ootb_pkt_new( 6363 struct net *net, 6364 const struct sctp_association *asoc, 6365 const struct sctp_chunk *chunk) 6366{ 6367 struct sctp_transport *transport; 6368 struct sctp_packet *packet; 6369 __u16 sport, dport; 6370 __u32 vtag; 6371 6372 /* Get the source and destination port from the inbound packet. */ 6373 sport = ntohs(chunk->sctp_hdr->dest); 6374 dport = ntohs(chunk->sctp_hdr->source); 6375 6376 /* The V-tag is going to be the same as the inbound packet if no 6377 * association exists, otherwise, use the peer's vtag. 6378 */ 6379 if (asoc) { 6380 /* Special case the INIT-ACK as there is no peer's vtag 6381 * yet. 6382 */ 6383 switch (chunk->chunk_hdr->type) { 6384 case SCTP_CID_INIT: 6385 case SCTP_CID_INIT_ACK: 6386 { 6387 struct sctp_initack_chunk *initack; 6388 6389 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr; 6390 vtag = ntohl(initack->init_hdr.init_tag); 6391 break; 6392 } 6393 default: 6394 vtag = asoc->peer.i.init_tag; 6395 break; 6396 } 6397 } else { 6398 /* Special case the INIT and stale COOKIE_ECHO as there is no 6399 * vtag yet. 6400 */ 6401 switch (chunk->chunk_hdr->type) { 6402 case SCTP_CID_INIT: 6403 { 6404 struct sctp_init_chunk *init; 6405 6406 init = (struct sctp_init_chunk *)chunk->chunk_hdr; 6407 vtag = ntohl(init->init_hdr.init_tag); 6408 break; 6409 } 6410 default: 6411 vtag = ntohl(chunk->sctp_hdr->vtag); 6412 break; 6413 } 6414 } 6415 6416 /* Make a transport for the bucket, Eliza... */ 6417 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC); 6418 if (!transport) 6419 goto nomem; 6420 6421 transport->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port; 6422 6423 /* Cache a route for the transport with the chunk's destination as 6424 * the source address. 6425 */ 6426 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest, 6427 sctp_sk(net->sctp.ctl_sock)); 6428 6429 packet = &transport->packet; 6430 sctp_packet_init(packet, transport, sport, dport); 6431 sctp_packet_config(packet, vtag, 0); 6432 6433 return packet; 6434 6435nomem: 6436 return NULL; 6437} 6438 6439/* Free the packet allocated earlier for responding in the OOTB condition. */ 6440void sctp_ootb_pkt_free(struct sctp_packet *packet) 6441{ 6442 sctp_transport_free(packet->transport); 6443} 6444 6445/* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */ 6446static void sctp_send_stale_cookie_err(struct net *net, 6447 const struct sctp_endpoint *ep, 6448 const struct sctp_association *asoc, 6449 const struct sctp_chunk *chunk, 6450 struct sctp_cmd_seq *commands, 6451 struct sctp_chunk *err_chunk) 6452{ 6453 struct sctp_packet *packet; 6454 6455 if (err_chunk) { 6456 packet = sctp_ootb_pkt_new(net, asoc, chunk); 6457 if (packet) { 6458 struct sctp_signed_cookie *cookie; 6459 6460 /* Override the OOTB vtag from the cookie. */ 6461 cookie = chunk->subh.cookie_hdr; 6462 packet->vtag = cookie->c.peer_vtag; 6463 6464 /* Set the skb to the belonging sock for accounting. */ 6465 err_chunk->skb->sk = ep->base.sk; 6466 sctp_packet_append_chunk(packet, err_chunk); 6467 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, 6468 SCTP_PACKET(packet)); 6469 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); 6470 } else 6471 sctp_chunk_free (err_chunk); 6472 } 6473} 6474 6475 6476/* Process a data chunk */ 6477static int sctp_eat_data(const struct sctp_association *asoc, 6478 struct sctp_chunk *chunk, 6479 struct sctp_cmd_seq *commands) 6480{ 6481 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; 6482 struct sock *sk = asoc->base.sk; 6483 struct net *net = sock_net(sk); 6484 struct sctp_datahdr *data_hdr; 6485 struct sctp_chunk *err; 6486 enum sctp_verb deliver; 6487 size_t datalen; 6488 __u32 tsn; 6489 int tmp; 6490 6491 data_hdr = (struct sctp_datahdr *)chunk->skb->data; 6492 chunk->subh.data_hdr = data_hdr; 6493 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream)); 6494 6495 tsn = ntohl(data_hdr->tsn); 6496 pr_debug("%s: TSN 0x%x\n", __func__, tsn); 6497 6498 /* ASSERT: Now skb->data is really the user data. */ 6499 6500 /* Process ECN based congestion. 6501 * 6502 * Since the chunk structure is reused for all chunks within 6503 * a packet, we use ecn_ce_done to track if we've already 6504 * done CE processing for this packet. 6505 * 6506 * We need to do ECN processing even if we plan to discard the 6507 * chunk later. 6508 */ 6509 6510 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) { 6511 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af; 6512 chunk->ecn_ce_done = 1; 6513 6514 if (af->is_ce(sctp_gso_headskb(chunk->skb))) { 6515 /* Do real work as side effect. */ 6516 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, 6517 SCTP_U32(tsn)); 6518 } 6519 } 6520 6521 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn); 6522 if (tmp < 0) { 6523 /* The TSN is too high--silently discard the chunk and 6524 * count on it getting retransmitted later. 6525 */ 6526 if (chunk->asoc) 6527 chunk->asoc->stats.outofseqtsns++; 6528 return SCTP_IERROR_HIGH_TSN; 6529 } else if (tmp > 0) { 6530 /* This is a duplicate. Record it. */ 6531 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn)); 6532 return SCTP_IERROR_DUP_TSN; 6533 } 6534 6535 /* This is a new TSN. */ 6536 6537 /* Discard if there is no room in the receive window. 6538 * Actually, allow a little bit of overflow (up to a MTU). 6539 */ 6540 datalen = ntohs(chunk->chunk_hdr->length); 6541 datalen -= sctp_datachk_len(&asoc->stream); 6542 6543 deliver = SCTP_CMD_CHUNK_ULP; 6544 6545 /* Think about partial delivery. */ 6546 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { 6547 6548 /* Even if we don't accept this chunk there is 6549 * memory pressure. 6550 */ 6551 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL()); 6552 } 6553 6554 /* Spill over rwnd a little bit. Note: While allowed, this spill over 6555 * seems a bit troublesome in that frag_point varies based on 6556 * PMTU. In cases, such as loopback, this might be a rather 6557 * large spill over. 6558 */ 6559 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over || 6560 (datalen > asoc->rwnd + asoc->frag_point))) { 6561 6562 /* If this is the next TSN, consider reneging to make 6563 * room. Note: Playing nice with a confused sender. A 6564 * malicious sender can still eat up all our buffer 6565 * space and in the future we may want to detect and 6566 * do more drastic reneging. 6567 */ 6568 if (sctp_tsnmap_has_gap(map) && 6569 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6570 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn); 6571 deliver = SCTP_CMD_RENEGE; 6572 } else { 6573 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n", 6574 __func__, tsn, datalen, asoc->rwnd); 6575 6576 return SCTP_IERROR_IGNORE_TSN; 6577 } 6578 } 6579 6580 /* 6581 * Also try to renege to limit our memory usage in the event that 6582 * we are under memory pressure 6583 * If we can't renege, don't worry about it, the sk_rmem_schedule 6584 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our 6585 * memory usage too much 6586 */ 6587 if (sk_under_memory_pressure(sk)) { 6588 if (sctp_tsnmap_has_gap(map) && 6589 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { 6590 pr_debug("%s: under pressure, reneging for tsn:%u\n", 6591 __func__, tsn); 6592 deliver = SCTP_CMD_RENEGE; 6593 } else { 6594 sk_mem_reclaim(sk); 6595 } 6596 } 6597 6598 /* 6599 * Section 3.3.10.9 No User Data (9) 6600 * 6601 * Cause of error 6602 * --------------- 6603 * No User Data: This error cause is returned to the originator of a 6604 * DATA chunk if a received DATA chunk has no user data. 6605 */ 6606 if (unlikely(0 == datalen)) { 6607 err = sctp_make_abort_no_data(asoc, chunk, tsn); 6608 if (err) { 6609 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6610 SCTP_CHUNK(err)); 6611 } 6612 /* We are going to ABORT, so we might as well stop 6613 * processing the rest of the chunks in the packet. 6614 */ 6615 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); 6616 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, 6617 SCTP_ERROR(ECONNABORTED)); 6618 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, 6619 SCTP_PERR(SCTP_ERROR_NO_DATA)); 6620 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); 6621 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); 6622 return SCTP_IERROR_NO_DATA; 6623 } 6624 6625 chunk->data_accepted = 1; 6626 6627 /* Note: Some chunks may get overcounted (if we drop) or overcounted 6628 * if we renege and the chunk arrives again. 6629 */ 6630 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) { 6631 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS); 6632 if (chunk->asoc) 6633 chunk->asoc->stats.iuodchunks++; 6634 } else { 6635 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS); 6636 if (chunk->asoc) 6637 chunk->asoc->stats.iodchunks++; 6638 } 6639 6640 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number 6641 * 6642 * If an endpoint receive a DATA chunk with an invalid stream 6643 * identifier, it shall acknowledge the reception of the DATA chunk 6644 * following the normal procedure, immediately send an ERROR chunk 6645 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10) 6646 * and discard the DATA chunk. 6647 */ 6648 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) { 6649 /* Mark tsn as received even though we drop it */ 6650 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); 6651 6652 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 6653 &data_hdr->stream, 6654 sizeof(data_hdr->stream), 6655 sizeof(u16)); 6656 if (err) 6657 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, 6658 SCTP_CHUNK(err)); 6659 return SCTP_IERROR_BAD_STREAM; 6660 } 6661 6662 /* Check to see if the SSN is possible for this TSN. 6663 * The biggest gap we can record is 4K wide. Since SSNs wrap 6664 * at an unsigned short, there is no way that an SSN can 6665 * wrap and for a valid TSN. We can simply check if the current 6666 * SSN is smaller then the next expected one. If it is, it wrapped 6667 * and is invalid. 6668 */ 6669 if (!asoc->stream.si->validate_data(chunk)) 6670 return SCTP_IERROR_PROTO_VIOLATION; 6671 6672 /* Send the data up to the user. Note: Schedule the 6673 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK 6674 * chunk needs the updated rwnd. 6675 */ 6676 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk)); 6677 6678 return SCTP_IERROR_NO_ERROR; 6679}