1 /* SCTP kernel implementation
2 * (C) Copyright IBM Corp. 2001, 2004
3 * Copyright (c) 1999-2000 Cisco, Inc.
4 * Copyright (c) 1999-2001 Motorola, Inc.
5 * Copyright (c) 2001-2002 Intel Corp.
6 * Copyright (c) 2002 Nokia Corp.
8 * This is part of the SCTP Linux Kernel Implementation.
10 * These are the state functions for the state machine.
12 * This SCTP implementation is free software;
13 * you can redistribute it and/or modify it under the terms of
14 * the GNU General Public License as published by
15 * the Free Software Foundation; either version 2, or (at your option)
18 * This SCTP implementation is distributed in the hope that it
19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
20 * ************************
21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
22 * See the GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with GNU CC; see the file COPYING. If not, see
26 * <http://www.gnu.org/licenses/>.
28 * Please send any bug reports or fixes you make to the
30 * lksctp developers <linux-sctp@vger.kernel.org>
32 * Written or modified by:
33 * La Monte H.P. Yarroll <piggy@acm.org>
34 * Karl Knutson <karl@athena.chicago.il.us>
35 * Mathew Kotowsky <kotowsky@sctp.org>
36 * Sridhar Samudrala <samudrala@us.ibm.com>
37 * Jon Grimm <jgrimm@us.ibm.com>
38 * Hui Huang <hui.huang@nokia.com>
39 * Dajiang Zhang <dajiang.zhang@nokia.com>
40 * Daisy Chang <daisyc@us.ibm.com>
41 * Ardelle Fan <ardelle.fan@intel.com>
42 * Ryan Layer <rmlayer@us.ibm.com>
43 * Kevin Gao <kevin.gao@intel.com>
46 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
48 #include <linux/types.h>
49 #include <linux/kernel.h>
51 #include <linux/ipv6.h>
52 #include <linux/net.h>
53 #include <linux/inet.h>
54 #include <linux/slab.h>
56 #include <net/inet_ecn.h>
57 #include <linux/skbuff.h>
58 #include <net/sctp/sctp.h>
59 #include <net/sctp/sm.h>
60 #include <net/sctp/structs.h>
62 static struct sctp_packet *sctp_abort_pkt_new(struct net *net,
63 const struct sctp_endpoint *ep,
64 const struct sctp_association *asoc,
65 struct sctp_chunk *chunk,
68 static int sctp_eat_data(const struct sctp_association *asoc,
69 struct sctp_chunk *chunk,
70 struct sctp_cmd_seq *commands);
71 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
72 const struct sctp_association *asoc,
73 const struct sctp_chunk *chunk);
74 static void sctp_send_stale_cookie_err(struct net *net,
75 const struct sctp_endpoint *ep,
76 const struct sctp_association *asoc,
77 const struct sctp_chunk *chunk,
78 struct sctp_cmd_seq *commands,
79 struct sctp_chunk *err_chunk);
80 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
81 const struct sctp_endpoint *ep,
82 const struct sctp_association *asoc,
83 const union sctp_subtype type,
85 struct sctp_cmd_seq *commands);
86 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
87 const struct sctp_endpoint *ep,
88 const struct sctp_association *asoc,
89 const union sctp_subtype type,
91 struct sctp_cmd_seq *commands);
92 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
93 const struct sctp_endpoint *ep,
94 const struct sctp_association *asoc,
95 const union sctp_subtype type,
97 struct sctp_cmd_seq *commands);
98 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
100 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
101 struct sctp_cmd_seq *commands,
102 __be16 error, int sk_err,
103 const struct sctp_association *asoc,
104 struct sctp_transport *transport);
106 static sctp_disposition_t sctp_sf_abort_violation(
108 const struct sctp_endpoint *ep,
109 const struct sctp_association *asoc,
111 struct sctp_cmd_seq *commands,
113 const size_t paylen);
115 static sctp_disposition_t sctp_sf_violation_chunklen(
117 const struct sctp_endpoint *ep,
118 const struct sctp_association *asoc,
119 const union sctp_subtype type,
121 struct sctp_cmd_seq *commands);
123 static sctp_disposition_t sctp_sf_violation_paramlen(
125 const struct sctp_endpoint *ep,
126 const struct sctp_association *asoc,
127 const union sctp_subtype type,
128 void *arg, void *ext,
129 struct sctp_cmd_seq *commands);
131 static sctp_disposition_t sctp_sf_violation_ctsn(
133 const struct sctp_endpoint *ep,
134 const struct sctp_association *asoc,
135 const union sctp_subtype type,
137 struct sctp_cmd_seq *commands);
139 static sctp_disposition_t sctp_sf_violation_chunk(
141 const struct sctp_endpoint *ep,
142 const struct sctp_association *asoc,
143 const union sctp_subtype type,
145 struct sctp_cmd_seq *commands);
147 static enum sctp_ierror sctp_sf_authenticate(
149 const struct sctp_endpoint *ep,
150 const struct sctp_association *asoc,
151 const union sctp_subtype type,
152 struct sctp_chunk *chunk);
154 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
155 const struct sctp_endpoint *ep,
156 const struct sctp_association *asoc,
157 const union sctp_subtype type,
159 struct sctp_cmd_seq *commands);
161 /* Small helper function that checks if the chunk length
162 * is of the appropriate length. The 'required_length' argument
163 * is set to be the size of a specific chunk we are testing.
164 * Return Values: true = Valid length
165 * false = Invalid length
169 sctp_chunk_length_valid(struct sctp_chunk *chunk, __u16 required_length)
171 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
173 /* Previously already marked? */
174 if (unlikely(chunk->pdiscard))
176 if (unlikely(chunk_length < required_length))
182 /**********************************************************
183 * These are the state functions for handling chunk events.
184 **********************************************************/
187 * Process the final SHUTDOWN COMPLETE.
189 * Section: 4 (C) (diagram), 9.2
190 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
191 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
192 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
193 * should stop the T2-shutdown timer and remove all knowledge of the
194 * association (and thus the association enters the CLOSED state).
196 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
197 * C) Rules for packet carrying SHUTDOWN COMPLETE:
199 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
200 * if the Verification Tag field of the packet matches its own tag and
201 * the T bit is not set
203 * it is set to its peer's tag and the T bit is set in the Chunk
205 * Otherwise, the receiver MUST silently discard the packet
206 * and take no further action. An endpoint MUST ignore the
207 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
210 * (endpoint, asoc, chunk)
213 * (asoc, reply_msg, msg_up, timers, counters)
215 * The return value is the disposition of the chunk.
217 sctp_disposition_t sctp_sf_do_4_C(struct net *net,
218 const struct sctp_endpoint *ep,
219 const struct sctp_association *asoc,
220 const union sctp_subtype type,
222 struct sctp_cmd_seq *commands)
224 struct sctp_chunk *chunk = arg;
225 struct sctp_ulpevent *ev;
227 if (!sctp_vtag_verify_either(chunk, asoc))
228 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
230 /* RFC 2960 6.10 Bundling
232 * An endpoint MUST NOT bundle INIT, INIT ACK or
233 * SHUTDOWN COMPLETE with any other chunks.
235 if (!chunk->singleton)
236 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
238 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
239 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
240 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
243 /* RFC 2960 10.2 SCTP-to-ULP
245 * H) SHUTDOWN COMPLETE notification
247 * When SCTP completes the shutdown procedures (section 9.2) this
248 * notification is passed to the upper layer.
250 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
251 0, 0, 0, NULL, GFP_ATOMIC);
253 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
256 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
257 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
258 * not the chunk should be discarded. If the endpoint is in
259 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
260 * T2-shutdown timer and remove all knowledge of the
261 * association (and thus the association enters the CLOSED
264 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
265 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
267 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
268 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
270 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
271 SCTP_STATE(SCTP_STATE_CLOSED));
273 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
274 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
276 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
278 return SCTP_DISPOSITION_DELETE_TCB;
282 * Respond to a normal INIT chunk.
283 * We are the side that is being asked for an association.
285 * Section: 5.1 Normal Establishment of an Association, B
286 * B) "Z" shall respond immediately with an INIT ACK chunk. The
287 * destination IP address of the INIT ACK MUST be set to the source
288 * IP address of the INIT to which this INIT ACK is responding. In
289 * the response, besides filling in other parameters, "Z" must set the
290 * Verification Tag field to Tag_A, and also provide its own
291 * Verification Tag (Tag_Z) in the Initiate Tag field.
293 * Verification Tag: Must be 0.
296 * (endpoint, asoc, chunk)
299 * (asoc, reply_msg, msg_up, timers, counters)
301 * The return value is the disposition of the chunk.
303 sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
304 const struct sctp_endpoint *ep,
305 const struct sctp_association *asoc,
306 const union sctp_subtype type,
308 struct sctp_cmd_seq *commands)
310 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
311 struct sctp_unrecognized_param *unk_param;
312 struct sctp_association *new_asoc;
313 struct sctp_packet *packet;
317 * An endpoint MUST NOT bundle INIT, INIT ACK or
318 * SHUTDOWN COMPLETE with any other chunks.
321 * Furthermore, we require that the receiver of an INIT chunk MUST
322 * enforce these rules by silently discarding an arriving packet
323 * with an INIT chunk that is bundled with other chunks.
325 if (!chunk->singleton)
326 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
328 /* If the packet is an OOTB packet which is temporarily on the
329 * control endpoint, respond with an ABORT.
331 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
332 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
333 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
336 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
339 if (chunk->sctp_hdr->vtag != 0)
340 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
342 /* Make sure that the INIT chunk has a valid length.
343 * Normally, this would cause an ABORT with a Protocol Violation
344 * error, but since we don't have an association, we'll
345 * just discard the packet.
347 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
348 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
350 /* If the INIT is coming toward a closing socket, we'll send back
351 * and ABORT. Essentially, this catches the race of INIT being
352 * backloged to the socket at the same time as the user isses close().
353 * Since the socket and all its associations are going away, we
354 * can treat this OOTB
356 if (sctp_sstate(ep->base.sk, CLOSING))
357 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
359 /* Verify the INIT chunk before processing it. */
361 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
362 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
364 /* This chunk contains fatal error. It is to be discarded.
365 * Send an ABORT, with causes if there is any.
368 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
369 (__u8 *)(err_chunk->chunk_hdr) +
370 sizeof(struct sctp_chunkhdr),
371 ntohs(err_chunk->chunk_hdr->length) -
372 sizeof(struct sctp_chunkhdr));
374 sctp_chunk_free(err_chunk);
377 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
378 SCTP_PACKET(packet));
379 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
380 return SCTP_DISPOSITION_CONSUME;
382 return SCTP_DISPOSITION_NOMEM;
385 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
390 /* Grab the INIT header. */
391 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
393 /* Tag the variable length parameters. */
394 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
396 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
400 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
401 sctp_scope(sctp_source(chunk)),
405 /* The call, sctp_process_init(), can fail on memory allocation. */
406 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
407 (struct sctp_init_chunk *)chunk->chunk_hdr,
411 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
413 /* If there are errors need to be reported for unknown parameters,
414 * make sure to reserve enough room in the INIT ACK for them.
418 len = ntohs(err_chunk->chunk_hdr->length) -
419 sizeof(struct sctp_chunkhdr);
421 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
425 /* If there are errors need to be reported for unknown parameters,
426 * include them in the outgoing INIT ACK as "Unrecognized parameter"
430 /* Get the "Unrecognized parameter" parameter(s) out of the
431 * ERROR chunk generated by sctp_verify_init(). Since the
432 * error cause code for "unknown parameter" and the
433 * "Unrecognized parameter" type is the same, we can
434 * construct the parameters in INIT ACK by copying the
437 unk_param = (struct sctp_unrecognized_param *)
438 ((__u8 *)(err_chunk->chunk_hdr) +
439 sizeof(struct sctp_chunkhdr));
440 /* Replace the cause code with the "Unrecognized parameter"
443 sctp_addto_chunk(repl, len, unk_param);
444 sctp_chunk_free(err_chunk);
447 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
449 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
452 * Note: After sending out INIT ACK with the State Cookie parameter,
453 * "Z" MUST NOT allocate any resources, nor keep any states for the
454 * new association. Otherwise, "Z" will be vulnerable to resource
457 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
459 return SCTP_DISPOSITION_DELETE_TCB;
462 sctp_association_free(new_asoc);
465 sctp_chunk_free(err_chunk);
466 return SCTP_DISPOSITION_NOMEM;
470 * Respond to a normal INIT ACK chunk.
471 * We are the side that is initiating the association.
473 * Section: 5.1 Normal Establishment of an Association, C
474 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
475 * timer and leave COOKIE-WAIT state. "A" shall then send the State
476 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
477 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
479 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
480 * DATA chunks, but it MUST be the first chunk in the packet and
481 * until the COOKIE ACK is returned the sender MUST NOT send any
482 * other packets to the peer.
484 * Verification Tag: 3.3.3
485 * If the value of the Initiate Tag in a received INIT ACK chunk is
486 * found to be 0, the receiver MUST treat it as an error and close the
487 * association by transmitting an ABORT.
490 * (endpoint, asoc, chunk)
493 * (asoc, reply_msg, msg_up, timers, counters)
495 * The return value is the disposition of the chunk.
497 sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
498 const struct sctp_endpoint *ep,
499 const struct sctp_association *asoc,
500 const union sctp_subtype type,
502 struct sctp_cmd_seq *commands)
504 struct sctp_chunk *chunk = arg;
505 struct sctp_init_chunk *initchunk;
506 struct sctp_chunk *err_chunk;
507 struct sctp_packet *packet;
509 if (!sctp_vtag_verify(chunk, asoc))
510 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
513 * An endpoint MUST NOT bundle INIT, INIT ACK or
514 * SHUTDOWN COMPLETE with any other chunks.
516 if (!chunk->singleton)
517 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
519 /* Make sure that the INIT-ACK chunk has a valid length */
520 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
521 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
523 /* Grab the INIT header. */
524 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
526 /* Verify the INIT chunk before processing it. */
528 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
529 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
532 enum sctp_error error = SCTP_ERROR_NO_RESOURCE;
534 /* This chunk contains fatal error. It is to be discarded.
535 * Send an ABORT, with causes. If there are no causes,
536 * then there wasn't enough memory. Just terminate
540 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
541 (__u8 *)(err_chunk->chunk_hdr) +
542 sizeof(struct sctp_chunkhdr),
543 ntohs(err_chunk->chunk_hdr->length) -
544 sizeof(struct sctp_chunkhdr));
546 sctp_chunk_free(err_chunk);
549 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
550 SCTP_PACKET(packet));
551 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
552 error = SCTP_ERROR_INV_PARAM;
556 /* SCTP-AUTH, Section 6.3:
557 * It should be noted that if the receiver wants to tear
558 * down an association in an authenticated way only, the
559 * handling of malformed packets should not result in
560 * tearing down the association.
562 * This means that if we only want to abort associations
563 * in an authenticated way (i.e AUTH+ABORT), then we
564 * can't destroy this association just because the packet
567 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
568 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
570 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
571 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
572 asoc, chunk->transport);
575 /* Tag the variable length parameters. Note that we never
576 * convert the parameters in an INIT chunk.
578 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
580 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;
582 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
583 SCTP_PEER_INIT(initchunk));
585 /* Reset init error count upon receipt of INIT-ACK. */
586 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
588 /* 5.1 C) "A" shall stop the T1-init timer and leave
589 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
590 * timer, and enter the COOKIE-ECHOED state.
592 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
593 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
594 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
595 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
596 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
597 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
599 /* SCTP-AUTH: genereate the assocition shared keys so that
600 * we can potentially signe the COOKIE-ECHO.
602 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
604 /* 5.1 C) "A" shall then send the State Cookie received in the
605 * INIT ACK chunk in a COOKIE ECHO chunk, ...
607 /* If there is any errors to report, send the ERROR chunk generated
608 * for unknown parameters as well.
610 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
611 SCTP_CHUNK(err_chunk));
613 return SCTP_DISPOSITION_CONSUME;
617 * Respond to a normal COOKIE ECHO chunk.
618 * We are the side that is being asked for an association.
620 * Section: 5.1 Normal Establishment of an Association, D
621 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
622 * with a COOKIE ACK chunk after building a TCB and moving to
623 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
624 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
625 * chunk MUST be the first chunk in the packet.
627 * IMPLEMENTATION NOTE: An implementation may choose to send the
628 * Communication Up notification to the SCTP user upon reception
629 * of a valid COOKIE ECHO chunk.
631 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
632 * D) Rules for packet carrying a COOKIE ECHO
634 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
635 * Initial Tag received in the INIT ACK.
637 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
640 * (endpoint, asoc, chunk)
643 * (asoc, reply_msg, msg_up, timers, counters)
645 * The return value is the disposition of the chunk.
647 sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
648 const struct sctp_endpoint *ep,
649 const struct sctp_association *asoc,
650 const union sctp_subtype type, void *arg,
651 struct sctp_cmd_seq *commands)
653 struct sctp_chunk *chunk = arg;
654 struct sctp_association *new_asoc;
655 struct sctp_init_chunk *peer_init;
656 struct sctp_chunk *repl;
657 struct sctp_ulpevent *ev, *ai_ev = NULL;
659 struct sctp_chunk *err_chk_p;
662 /* If the packet is an OOTB packet which is temporarily on the
663 * control endpoint, respond with an ABORT.
665 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
666 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
667 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
670 /* Make sure that the COOKIE_ECHO chunk has a valid length.
671 * In this case, we check that we have enough for at least a
672 * chunk header. More detailed verification is done
673 * in sctp_unpack_cookie().
675 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
676 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
678 /* If the endpoint is not listening or if the number of associations
679 * on the TCP-style socket exceed the max backlog, respond with an
683 if (!sctp_sstate(sk, LISTENING) ||
684 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
685 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
687 /* "Decode" the chunk. We have no optional parameters so we
690 chunk->subh.cookie_hdr =
691 (struct sctp_signed_cookie *)chunk->skb->data;
692 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
693 sizeof(struct sctp_chunkhdr)))
696 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
697 * "Z" will reply with a COOKIE ACK chunk after building a TCB
698 * and moving to the ESTABLISHED state.
700 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
704 * If the re-build failed, what is the proper error path
707 * [We should abort the association. --piggy]
710 /* FIXME: Several errors are possible. A bad cookie should
711 * be silently discarded, but think about logging it too.
714 case -SCTP_IERROR_NOMEM:
717 case -SCTP_IERROR_STALE_COOKIE:
718 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
720 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
722 case -SCTP_IERROR_BAD_SIG:
724 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
729 /* Delay state machine commands until later.
731 * Re-build the bind address for the association is done in
732 * the sctp_unpack_cookie() already.
734 /* This is a brand-new association, so these are not yet side
735 * effects--it is safe to run them here.
737 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
739 if (!sctp_process_init(new_asoc, chunk,
740 &chunk->subh.cookie_hdr->c.peer_addr,
741 peer_init, GFP_ATOMIC))
744 /* SCTP-AUTH: Now that we've populate required fields in
745 * sctp_process_init, set up the assocaition shared keys as
746 * necessary so that we can potentially authenticate the ACK
748 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
752 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo
753 * is supposed to be authenticated and we have to do delayed
754 * authentication. We've just recreated the association using
755 * the information in the cookie and now it's much easier to
756 * do the authentication.
758 if (chunk->auth_chunk) {
759 struct sctp_chunk auth;
760 enum sctp_ierror ret;
762 /* Make sure that we and the peer are AUTH capable */
763 if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
764 sctp_association_free(new_asoc);
765 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
768 /* set-up our fake chunk so that we can process it */
769 auth.skb = chunk->auth_chunk;
770 auth.asoc = chunk->asoc;
771 auth.sctp_hdr = chunk->sctp_hdr;
772 auth.chunk_hdr = (struct sctp_chunkhdr *)
773 skb_push(chunk->auth_chunk,
774 sizeof(struct sctp_chunkhdr));
775 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
776 auth.transport = chunk->transport;
778 ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
779 if (ret != SCTP_IERROR_NO_ERROR) {
780 sctp_association_free(new_asoc);
781 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
785 repl = sctp_make_cookie_ack(new_asoc, chunk);
789 /* RFC 2960 5.1 Normal Establishment of an Association
791 * D) IMPLEMENTATION NOTE: An implementation may choose to
792 * send the Communication Up notification to the SCTP user
793 * upon reception of a valid COOKIE ECHO chunk.
795 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
796 new_asoc->c.sinit_num_ostreams,
797 new_asoc->c.sinit_max_instreams,
802 /* Sockets API Draft Section 5.3.1.6
803 * When a peer sends a Adaptation Layer Indication parameter , SCTP
804 * delivers this notification to inform the application that of the
805 * peers requested adaptation layer.
807 if (new_asoc->peer.adaptation_ind) {
808 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
814 /* Add all the state machine commands now since we've created
815 * everything. This way we don't introduce memory corruptions
816 * during side-effect processing and correclty count established
819 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
820 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
821 SCTP_STATE(SCTP_STATE_ESTABLISHED));
822 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
823 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
824 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
826 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
827 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
828 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
830 /* This will send the COOKIE ACK */
831 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
833 /* Queue the ASSOC_CHANGE event */
834 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
836 /* Send up the Adaptation Layer Indication event */
838 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
839 SCTP_ULPEVENT(ai_ev));
841 return SCTP_DISPOSITION_CONSUME;
844 sctp_ulpevent_free(ev);
846 sctp_chunk_free(repl);
848 sctp_association_free(new_asoc);
850 return SCTP_DISPOSITION_NOMEM;
854 * Respond to a normal COOKIE ACK chunk.
855 * We are the side that is asking for an association.
857 * RFC 2960 5.1 Normal Establishment of an Association
859 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
860 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
861 * timer. It may also notify its ULP about the successful
862 * establishment of the association with a Communication Up
863 * notification (see Section 10).
867 * (endpoint, asoc, chunk)
870 * (asoc, reply_msg, msg_up, timers, counters)
872 * The return value is the disposition of the chunk.
874 sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
875 const struct sctp_endpoint *ep,
876 const struct sctp_association *asoc,
877 const union sctp_subtype type, void *arg,
878 struct sctp_cmd_seq *commands)
880 struct sctp_chunk *chunk = arg;
881 struct sctp_ulpevent *ev;
883 if (!sctp_vtag_verify(chunk, asoc))
884 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
886 /* Verify that the chunk length for the COOKIE-ACK is OK.
887 * If we don't do this, any bundled chunks may be junked.
889 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
890 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
893 /* Reset init error count upon receipt of COOKIE-ACK,
894 * to avoid problems with the managemement of this
895 * counter in stale cookie situations when a transition back
896 * from the COOKIE-ECHOED state to the COOKIE-WAIT
897 * state is performed.
899 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
901 /* RFC 2960 5.1 Normal Establishment of an Association
903 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
904 * from the COOKIE-ECHOED state to the ESTABLISHED state,
905 * stopping the T1-cookie timer.
907 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
908 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
909 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
910 SCTP_STATE(SCTP_STATE_ESTABLISHED));
911 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
912 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
913 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
914 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
915 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
916 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
918 /* It may also notify its ULP about the successful
919 * establishment of the association with a Communication Up
920 * notification (see Section 10).
922 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
923 0, asoc->c.sinit_num_ostreams,
924 asoc->c.sinit_max_instreams,
930 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
932 /* Sockets API Draft Section 5.3.1.6
933 * When a peer sends a Adaptation Layer Indication parameter , SCTP
934 * delivers this notification to inform the application that of the
935 * peers requested adaptation layer.
937 if (asoc->peer.adaptation_ind) {
938 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
942 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
946 return SCTP_DISPOSITION_CONSUME;
948 return SCTP_DISPOSITION_NOMEM;
951 /* Generate and sendout a heartbeat packet. */
952 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
953 const struct sctp_association *asoc,
954 const union sctp_subtype type,
956 struct sctp_cmd_seq *commands)
958 struct sctp_transport *transport = (struct sctp_transport *) arg;
959 struct sctp_chunk *reply;
961 /* Send a heartbeat to our peer. */
962 reply = sctp_make_heartbeat(asoc, transport);
964 return SCTP_DISPOSITION_NOMEM;
966 /* Set rto_pending indicating that an RTT measurement
967 * is started with this heartbeat chunk.
969 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
970 SCTP_TRANSPORT(transport));
972 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
973 return SCTP_DISPOSITION_CONSUME;
976 /* Generate a HEARTBEAT packet on the given transport. */
977 sctp_disposition_t sctp_sf_sendbeat_8_3(struct net *net,
978 const struct sctp_endpoint *ep,
979 const struct sctp_association *asoc,
980 const union sctp_subtype type,
982 struct sctp_cmd_seq *commands)
984 struct sctp_transport *transport = (struct sctp_transport *) arg;
986 if (asoc->overall_error_count >= asoc->max_retrans) {
987 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
988 SCTP_ERROR(ETIMEDOUT));
989 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
990 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
991 SCTP_PERR(SCTP_ERROR_NO_ERROR));
992 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
993 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
994 return SCTP_DISPOSITION_DELETE_TCB;
998 * The Sender-specific Heartbeat Info field should normally include
999 * information about the sender's current time when this HEARTBEAT
1000 * chunk is sent and the destination transport address to which this
1001 * HEARTBEAT is sent (see Section 8.3).
1004 if (transport->param_flags & SPP_HB_ENABLE) {
1005 if (SCTP_DISPOSITION_NOMEM ==
1006 sctp_sf_heartbeat(ep, asoc, type, arg,
1008 return SCTP_DISPOSITION_NOMEM;
1010 /* Set transport error counter and association error counter
1011 * when sending heartbeat.
1013 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1014 SCTP_TRANSPORT(transport));
1016 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1017 SCTP_TRANSPORT(transport));
1018 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1019 SCTP_TRANSPORT(transport));
1021 return SCTP_DISPOSITION_CONSUME;
1024 /* resend asoc strreset_chunk. */
1025 sctp_disposition_t sctp_sf_send_reconf(struct net *net,
1026 const struct sctp_endpoint *ep,
1027 const struct sctp_association *asoc,
1028 const union sctp_subtype type, void *arg,
1029 struct sctp_cmd_seq *commands)
1031 struct sctp_transport *transport = arg;
1033 if (asoc->overall_error_count >= asoc->max_retrans) {
1034 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1035 SCTP_ERROR(ETIMEDOUT));
1036 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1037 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1038 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1039 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1040 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1041 return SCTP_DISPOSITION_DELETE_TCB;
1044 sctp_chunk_hold(asoc->strreset_chunk);
1045 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1046 SCTP_CHUNK(asoc->strreset_chunk));
1047 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
1049 return SCTP_DISPOSITION_CONSUME;
1053 * Process an heartbeat request.
1055 * Section: 8.3 Path Heartbeat
1056 * The receiver of the HEARTBEAT should immediately respond with a
1057 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1058 * from the received HEARTBEAT chunk.
1060 * Verification Tag: 8.5 Verification Tag [Normal verification]
1061 * When receiving an SCTP packet, the endpoint MUST ensure that the
1062 * value in the Verification Tag field of the received SCTP packet
1063 * matches its own Tag. If the received Verification Tag value does not
1064 * match the receiver's own tag value, the receiver shall silently
1065 * discard the packet and shall not process it any further except for
1066 * those cases listed in Section 8.5.1 below.
1069 * (endpoint, asoc, chunk)
1072 * (asoc, reply_msg, msg_up, timers, counters)
1074 * The return value is the disposition of the chunk.
1076 sctp_disposition_t sctp_sf_beat_8_3(struct net *net,
1077 const struct sctp_endpoint *ep,
1078 const struct sctp_association *asoc,
1079 const union sctp_subtype type,
1081 struct sctp_cmd_seq *commands)
1083 struct sctp_paramhdr *param_hdr;
1084 struct sctp_chunk *chunk = arg;
1085 struct sctp_chunk *reply;
1088 if (!sctp_vtag_verify(chunk, asoc))
1089 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1091 /* Make sure that the HEARTBEAT chunk has a valid length. */
1092 if (!sctp_chunk_length_valid(chunk,
1093 sizeof(struct sctp_heartbeat_chunk)))
1094 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1097 /* 8.3 The receiver of the HEARTBEAT should immediately
1098 * respond with a HEARTBEAT ACK that contains the Heartbeat
1099 * Information field copied from the received HEARTBEAT chunk.
1101 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
1102 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
1103 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);
1105 if (ntohs(param_hdr->length) > paylen)
1106 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1107 param_hdr, commands);
1109 if (!pskb_pull(chunk->skb, paylen))
1112 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1116 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1117 return SCTP_DISPOSITION_CONSUME;
1120 return SCTP_DISPOSITION_NOMEM;
1124 * Process the returning HEARTBEAT ACK.
1126 * Section: 8.3 Path Heartbeat
1127 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1128 * should clear the error counter of the destination transport
1129 * address to which the HEARTBEAT was sent, and mark the destination
1130 * transport address as active if it is not so marked. The endpoint may
1131 * optionally report to the upper layer when an inactive destination
1132 * address is marked as active due to the reception of the latest
1133 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1134 * clear the association overall error count as well (as defined
1137 * The receiver of the HEARTBEAT ACK should also perform an RTT
1138 * measurement for that destination transport address using the time
1139 * value carried in the HEARTBEAT ACK chunk.
1141 * Verification Tag: 8.5 Verification Tag [Normal verification]
1144 * (endpoint, asoc, chunk)
1147 * (asoc, reply_msg, msg_up, timers, counters)
1149 * The return value is the disposition of the chunk.
1151 sctp_disposition_t sctp_sf_backbeat_8_3(struct net *net,
1152 const struct sctp_endpoint *ep,
1153 const struct sctp_association *asoc,
1154 const union sctp_subtype type,
1156 struct sctp_cmd_seq *commands)
1158 struct sctp_sender_hb_info *hbinfo;
1159 struct sctp_chunk *chunk = arg;
1160 struct sctp_transport *link;
1161 unsigned long max_interval;
1162 union sctp_addr from_addr;
1164 if (!sctp_vtag_verify(chunk, asoc))
1165 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1167 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1168 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
1170 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1173 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;
1174 /* Make sure that the length of the parameter is what we expect */
1175 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
1176 return SCTP_DISPOSITION_DISCARD;
1178 from_addr = hbinfo->daddr;
1179 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1181 /* This should never happen, but lets log it if so. */
1182 if (unlikely(!link)) {
1183 if (from_addr.sa.sa_family == AF_INET6) {
1184 net_warn_ratelimited("%s association %p could not find address %pI6\n",
1187 &from_addr.v6.sin6_addr);
1189 net_warn_ratelimited("%s association %p could not find address %pI4\n",
1192 &from_addr.v4.sin_addr.s_addr);
1194 return SCTP_DISPOSITION_DISCARD;
1197 /* Validate the 64-bit random nonce. */
1198 if (hbinfo->hb_nonce != link->hb_nonce)
1199 return SCTP_DISPOSITION_DISCARD;
1201 max_interval = link->hbinterval + link->rto;
1203 /* Check if the timestamp looks valid. */
1204 if (time_after(hbinfo->sent_at, jiffies) ||
1205 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1206 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1207 "for transport:%p\n", __func__, link);
1209 return SCTP_DISPOSITION_DISCARD;
1212 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1213 * the HEARTBEAT should clear the error counter of the
1214 * destination transport address to which the HEARTBEAT was
1215 * sent and mark the destination transport address as active if
1216 * it is not so marked.
1218 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1220 return SCTP_DISPOSITION_CONSUME;
1223 /* Helper function to send out an abort for the restart
1226 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1227 struct sctp_chunk *init,
1228 struct sctp_cmd_seq *commands)
1231 struct sctp_packet *pkt;
1232 union sctp_addr_param *addrparm;
1233 struct sctp_errhdr *errhdr;
1234 struct sctp_endpoint *ep;
1235 char buffer[sizeof(*errhdr) + sizeof(*addrparm)];
1236 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1238 /* Build the error on the stack. We are way to malloc crazy
1239 * throughout the code today.
1241 errhdr = (struct sctp_errhdr *)buffer;
1242 addrparm = (union sctp_addr_param *)errhdr->variable;
1244 /* Copy into a parm format. */
1245 len = af->to_addr_param(ssa, addrparm);
1246 len += sizeof(*errhdr);
1248 errhdr->cause = SCTP_ERROR_RESTART;
1249 errhdr->length = htons(len);
1251 /* Assign to the control socket. */
1252 ep = sctp_sk(net->sctp.ctl_sock)->ep;
1254 /* Association is NULL since this may be a restart attack and we
1255 * want to send back the attacker's vtag.
1257 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1261 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1263 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1265 /* Discard the rest of the inbound packet. */
1266 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1269 /* Even if there is no memory, treat as a failure so
1270 * the packet will get dropped.
1275 static bool list_has_sctp_addr(const struct list_head *list,
1276 union sctp_addr *ipaddr)
1278 struct sctp_transport *addr;
1280 list_for_each_entry(addr, list, transports) {
1281 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1287 /* A restart is occurring, check to make sure no new addresses
1288 * are being added as we may be under a takeover attack.
1290 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1291 const struct sctp_association *asoc,
1292 struct sctp_chunk *init,
1293 struct sctp_cmd_seq *commands)
1295 struct net *net = sock_net(new_asoc->base.sk);
1296 struct sctp_transport *new_addr;
1299 /* Implementor's Guide - Section 5.2.2
1301 * Before responding the endpoint MUST check to see if the
1302 * unexpected INIT adds new addresses to the association. If new
1303 * addresses are added to the association, the endpoint MUST respond
1307 /* Search through all current addresses and make sure
1308 * we aren't adding any new ones.
1310 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1312 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1313 &new_addr->ipaddr)) {
1314 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1321 /* Return success if all addresses were found. */
1325 /* Populate the verification/tie tags based on overlapping INIT
1328 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1330 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1331 const struct sctp_association *asoc)
1333 switch (asoc->state) {
1335 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1337 case SCTP_STATE_COOKIE_WAIT:
1338 new_asoc->c.my_vtag = asoc->c.my_vtag;
1339 new_asoc->c.my_ttag = asoc->c.my_vtag;
1340 new_asoc->c.peer_ttag = 0;
1343 case SCTP_STATE_COOKIE_ECHOED:
1344 new_asoc->c.my_vtag = asoc->c.my_vtag;
1345 new_asoc->c.my_ttag = asoc->c.my_vtag;
1346 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1349 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1350 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1353 new_asoc->c.my_ttag = asoc->c.my_vtag;
1354 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1358 /* Other parameters for the endpoint SHOULD be copied from the
1359 * existing parameters of the association (e.g. number of
1360 * outbound streams) into the INIT ACK and cookie.
1362 new_asoc->rwnd = asoc->rwnd;
1363 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1364 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1365 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1369 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1372 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1374 * Returns value representing action to be taken. These action values
1375 * correspond to Action/Description values in RFC 2960, Table 2.
1377 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1378 const struct sctp_association *asoc)
1380 /* In this case, the peer may have restarted. */
1381 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1382 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1383 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1384 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1387 /* Collision case B. */
1388 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1389 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1390 (0 == asoc->c.peer_vtag))) {
1394 /* Collision case D. */
1395 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1396 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1399 /* Collision case C. */
1400 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1401 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1402 (0 == new_asoc->c.my_ttag) &&
1403 (0 == new_asoc->c.peer_ttag))
1406 /* No match to any of the special cases; discard this packet. */
1410 /* Common helper routine for both duplicate and simulataneous INIT
1413 static sctp_disposition_t sctp_sf_do_unexpected_init(
1415 const struct sctp_endpoint *ep,
1416 const struct sctp_association *asoc,
1417 const union sctp_subtype type,
1418 void *arg, struct sctp_cmd_seq *commands)
1420 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
1421 struct sctp_unrecognized_param *unk_param;
1422 struct sctp_association *new_asoc;
1423 struct sctp_packet *packet;
1424 sctp_disposition_t retval;
1428 * An endpoint MUST NOT bundle INIT, INIT ACK or
1429 * SHUTDOWN COMPLETE with any other chunks.
1432 * Furthermore, we require that the receiver of an INIT chunk MUST
1433 * enforce these rules by silently discarding an arriving packet
1434 * with an INIT chunk that is bundled with other chunks.
1436 if (!chunk->singleton)
1437 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1439 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1442 if (chunk->sctp_hdr->vtag != 0)
1443 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1445 /* Make sure that the INIT chunk has a valid length.
1446 * In this case, we generate a protocol violation since we have
1447 * an association established.
1449 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
1450 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1452 /* Grab the INIT header. */
1453 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
1455 /* Tag the variable length parameters. */
1456 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
1458 /* Verify the INIT chunk before processing it. */
1460 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1461 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
1463 /* This chunk contains fatal error. It is to be discarded.
1464 * Send an ABORT, with causes if there is any.
1467 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1468 (__u8 *)(err_chunk->chunk_hdr) +
1469 sizeof(struct sctp_chunkhdr),
1470 ntohs(err_chunk->chunk_hdr->length) -
1471 sizeof(struct sctp_chunkhdr));
1474 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1475 SCTP_PACKET(packet));
1476 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1477 retval = SCTP_DISPOSITION_CONSUME;
1479 retval = SCTP_DISPOSITION_NOMEM;
1483 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1489 * Other parameters for the endpoint SHOULD be copied from the
1490 * existing parameters of the association (e.g. number of
1491 * outbound streams) into the INIT ACK and cookie.
1492 * FIXME: We are copying parameters from the endpoint not the
1495 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1499 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1500 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1503 /* In the outbound INIT ACK the endpoint MUST copy its current
1504 * Verification Tag and Peers Verification tag into a reserved
1505 * place (local tie-tag and per tie-tag) within the state cookie.
1507 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1508 (struct sctp_init_chunk *)chunk->chunk_hdr,
1512 /* Make sure no new addresses are being added during the
1513 * restart. Do not do this check for COOKIE-WAIT state,
1514 * since there are no peer addresses to check against.
1515 * Upon return an ABORT will have been sent if needed.
1517 if (!sctp_state(asoc, COOKIE_WAIT)) {
1518 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1520 retval = SCTP_DISPOSITION_CONSUME;
1525 sctp_tietags_populate(new_asoc, asoc);
1527 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1529 /* If there are errors need to be reported for unknown parameters,
1530 * make sure to reserve enough room in the INIT ACK for them.
1534 len = ntohs(err_chunk->chunk_hdr->length) -
1535 sizeof(struct sctp_chunkhdr);
1538 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1542 /* If there are errors need to be reported for unknown parameters,
1543 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1547 /* Get the "Unrecognized parameter" parameter(s) out of the
1548 * ERROR chunk generated by sctp_verify_init(). Since the
1549 * error cause code for "unknown parameter" and the
1550 * "Unrecognized parameter" type is the same, we can
1551 * construct the parameters in INIT ACK by copying the
1552 * ERROR causes over.
1554 unk_param = (struct sctp_unrecognized_param *)
1555 ((__u8 *)(err_chunk->chunk_hdr) +
1556 sizeof(struct sctp_chunkhdr));
1557 /* Replace the cause code with the "Unrecognized parameter"
1560 sctp_addto_chunk(repl, len, unk_param);
1563 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1564 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1567 * Note: After sending out INIT ACK with the State Cookie parameter,
1568 * "Z" MUST NOT allocate any resources for this new association.
1569 * Otherwise, "Z" will be vulnerable to resource attacks.
1571 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1572 retval = SCTP_DISPOSITION_CONSUME;
1577 retval = SCTP_DISPOSITION_NOMEM;
1580 sctp_association_free(new_asoc);
1583 sctp_chunk_free(err_chunk);
1588 * Handle simultaneous INIT.
1589 * This means we started an INIT and then we got an INIT request from
1592 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1593 * This usually indicates an initialization collision, i.e., each
1594 * endpoint is attempting, at about the same time, to establish an
1595 * association with the other endpoint.
1597 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1598 * endpoint MUST respond with an INIT ACK using the same parameters it
1599 * sent in its original INIT chunk (including its Verification Tag,
1600 * unchanged). These original parameters are combined with those from the
1601 * newly received INIT chunk. The endpoint shall also generate a State
1602 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1603 * INIT to calculate the State Cookie.
1605 * After that, the endpoint MUST NOT change its state, the T1-init
1606 * timer shall be left running and the corresponding TCB MUST NOT be
1607 * destroyed. The normal procedures for handling State Cookies when
1608 * a TCB exists will resolve the duplicate INITs to a single association.
1610 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1611 * its Tie-Tags with the Tag information of itself and its peer (see
1612 * section 5.2.2 for a description of the Tie-Tags).
1614 * Verification Tag: Not explicit, but an INIT can not have a valid
1615 * verification tag, so we skip the check.
1618 * (endpoint, asoc, chunk)
1621 * (asoc, reply_msg, msg_up, timers, counters)
1623 * The return value is the disposition of the chunk.
1625 sctp_disposition_t sctp_sf_do_5_2_1_siminit(struct net *net,
1626 const struct sctp_endpoint *ep,
1627 const struct sctp_association *asoc,
1628 const union sctp_subtype type,
1630 struct sctp_cmd_seq *commands)
1632 /* Call helper to do the real work for both simulataneous and
1633 * duplicate INIT chunk handling.
1635 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1639 * Handle duplicated INIT messages. These are usually delayed
1642 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1643 * COOKIE-ECHOED and COOKIE-WAIT
1645 * Unless otherwise stated, upon reception of an unexpected INIT for
1646 * this association, the endpoint shall generate an INIT ACK with a
1647 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1648 * current Verification Tag and peer's Verification Tag into a reserved
1649 * place within the state cookie. We shall refer to these locations as
1650 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1651 * containing this INIT ACK MUST carry a Verification Tag value equal to
1652 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1653 * MUST contain a new Initiation Tag (randomly generated see Section
1654 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1655 * existing parameters of the association (e.g. number of outbound
1656 * streams) into the INIT ACK and cookie.
1658 * After sending out the INIT ACK, the endpoint shall take no further
1659 * actions, i.e., the existing association, including its current state,
1660 * and the corresponding TCB MUST NOT be changed.
1662 * Note: Only when a TCB exists and the association is not in a COOKIE-
1663 * WAIT state are the Tie-Tags populated. For a normal association INIT
1664 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1665 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1666 * State Cookie are populated as specified in section 5.2.1.
1668 * Verification Tag: Not specified, but an INIT has no way of knowing
1669 * what the verification tag could be, so we ignore it.
1672 * (endpoint, asoc, chunk)
1675 * (asoc, reply_msg, msg_up, timers, counters)
1677 * The return value is the disposition of the chunk.
1679 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(struct net *net,
1680 const struct sctp_endpoint *ep,
1681 const struct sctp_association *asoc,
1682 const union sctp_subtype type,
1684 struct sctp_cmd_seq *commands)
1686 /* Call helper to do the real work for both simulataneous and
1687 * duplicate INIT chunk handling.
1689 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1694 * Unexpected INIT-ACK handler.
1697 * If an INIT ACK received by an endpoint in any state other than the
1698 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1699 * An unexpected INIT ACK usually indicates the processing of an old or
1700 * duplicated INIT chunk.
1702 sctp_disposition_t sctp_sf_do_5_2_3_initack(struct net *net,
1703 const struct sctp_endpoint *ep,
1704 const struct sctp_association *asoc,
1705 const union sctp_subtype type,
1707 struct sctp_cmd_seq *commands)
1709 /* Per the above section, we'll discard the chunk if we have an
1710 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1712 if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1713 return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1715 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1718 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1721 * A) In this case, the peer may have restarted.
1723 static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net,
1724 const struct sctp_endpoint *ep,
1725 const struct sctp_association *asoc,
1726 struct sctp_chunk *chunk,
1727 struct sctp_cmd_seq *commands,
1728 struct sctp_association *new_asoc)
1730 struct sctp_init_chunk *peer_init;
1731 struct sctp_ulpevent *ev;
1732 struct sctp_chunk *repl;
1733 struct sctp_chunk *err;
1734 sctp_disposition_t disposition;
1736 /* new_asoc is a brand-new association, so these are not yet
1737 * side effects--it is safe to run them here.
1739 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1741 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1745 /* Make sure no new addresses are being added during the
1746 * restart. Though this is a pretty complicated attack
1747 * since you'd have to get inside the cookie.
1749 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1750 return SCTP_DISPOSITION_CONSUME;
1753 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1754 * the peer has restarted (Action A), it MUST NOT setup a new
1755 * association but instead resend the SHUTDOWN ACK and send an ERROR
1756 * chunk with a "Cookie Received while Shutting Down" error cause to
1759 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1760 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
1761 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1763 if (SCTP_DISPOSITION_NOMEM == disposition)
1766 err = sctp_make_op_error(asoc, chunk,
1767 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1770 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1773 return SCTP_DISPOSITION_CONSUME;
1776 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1777 * data. Consider the optional choice of resending of this data.
1779 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1780 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1781 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1782 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1784 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1785 * and ASCONF-ACK cache.
1787 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1788 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1789 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1791 repl = sctp_make_cookie_ack(new_asoc, chunk);
1795 /* Report association restart to upper layer. */
1796 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1797 new_asoc->c.sinit_num_ostreams,
1798 new_asoc->c.sinit_max_instreams,
1803 /* Update the content of current association. */
1804 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1805 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1806 if (sctp_state(asoc, SHUTDOWN_PENDING) &&
1807 (sctp_sstate(asoc->base.sk, CLOSING) ||
1808 sock_flag(asoc->base.sk, SOCK_DEAD))) {
1809 /* if were currently in SHUTDOWN_PENDING, but the socket
1810 * has been closed by user, don't transition to ESTABLISHED.
1811 * Instead trigger SHUTDOWN bundled with COOKIE_ACK.
1813 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1814 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1815 SCTP_ST_CHUNK(0), NULL,
1818 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1819 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1820 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1822 return SCTP_DISPOSITION_CONSUME;
1825 sctp_chunk_free(repl);
1827 return SCTP_DISPOSITION_NOMEM;
1830 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1833 * B) In this case, both sides may be attempting to start an association
1834 * at about the same time but the peer endpoint started its INIT
1835 * after responding to the local endpoint's INIT
1837 /* This case represents an initialization collision. */
1838 static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net,
1839 const struct sctp_endpoint *ep,
1840 const struct sctp_association *asoc,
1841 struct sctp_chunk *chunk,
1842 struct sctp_cmd_seq *commands,
1843 struct sctp_association *new_asoc)
1845 struct sctp_init_chunk *peer_init;
1846 struct sctp_chunk *repl;
1848 /* new_asoc is a brand-new association, so these are not yet
1849 * side effects--it is safe to run them here.
1851 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1852 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1856 /* Update the content of current association. */
1857 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1858 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1859 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1860 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1861 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1863 repl = sctp_make_cookie_ack(new_asoc, chunk);
1867 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1869 /* RFC 2960 5.1 Normal Establishment of an Association
1871 * D) IMPLEMENTATION NOTE: An implementation may choose to
1872 * send the Communication Up notification to the SCTP user
1873 * upon reception of a valid COOKIE ECHO chunk.
1875 * Sadly, this needs to be implemented as a side-effect, because
1876 * we are not guaranteed to have set the association id of the real
1877 * association and so these notifications need to be delayed until
1878 * the association id is allocated.
1881 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1883 /* Sockets API Draft Section 5.3.1.6
1884 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1885 * delivers this notification to inform the application that of the
1886 * peers requested adaptation layer.
1888 * This also needs to be done as a side effect for the same reason as
1891 if (asoc->peer.adaptation_ind)
1892 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1894 return SCTP_DISPOSITION_CONSUME;
1897 return SCTP_DISPOSITION_NOMEM;
1900 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1903 * C) In this case, the local endpoint's cookie has arrived late.
1904 * Before it arrived, the local endpoint sent an INIT and received an
1905 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1906 * but a new tag of its own.
1908 /* This case represents an initialization collision. */
1909 static sctp_disposition_t sctp_sf_do_dupcook_c(struct net *net,
1910 const struct sctp_endpoint *ep,
1911 const struct sctp_association *asoc,
1912 struct sctp_chunk *chunk,
1913 struct sctp_cmd_seq *commands,
1914 struct sctp_association *new_asoc)
1916 /* The cookie should be silently discarded.
1917 * The endpoint SHOULD NOT change states and should leave
1918 * any timers running.
1920 return SCTP_DISPOSITION_DISCARD;
1923 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1927 * D) When both local and remote tags match the endpoint should always
1928 * enter the ESTABLISHED state, if it has not already done so.
1930 /* This case represents an initialization collision. */
1931 static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
1932 const struct sctp_endpoint *ep,
1933 const struct sctp_association *asoc,
1934 struct sctp_chunk *chunk,
1935 struct sctp_cmd_seq *commands,
1936 struct sctp_association *new_asoc)
1938 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1939 struct sctp_chunk *repl;
1941 /* Clarification from Implementor's Guide:
1942 * D) When both local and remote tags match the endpoint should
1943 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1944 * It should stop any cookie timer that may be running and send
1948 /* Don't accidentally move back into established state. */
1949 if (asoc->state < SCTP_STATE_ESTABLISHED) {
1950 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1951 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1952 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1953 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1954 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1955 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1958 /* RFC 2960 5.1 Normal Establishment of an Association
1960 * D) IMPLEMENTATION NOTE: An implementation may choose
1961 * to send the Communication Up notification to the
1962 * SCTP user upon reception of a valid COOKIE
1965 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1967 asoc->c.sinit_num_ostreams,
1968 asoc->c.sinit_max_instreams,
1973 /* Sockets API Draft Section 5.3.1.6
1974 * When a peer sends a Adaptation Layer Indication parameter,
1975 * SCTP delivers this notification to inform the application
1976 * that of the peers requested adaptation layer.
1978 if (asoc->peer.adaptation_ind) {
1979 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1987 repl = sctp_make_cookie_ack(new_asoc, chunk);
1991 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1994 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1997 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1998 SCTP_ULPEVENT(ai_ev));
2000 return SCTP_DISPOSITION_CONSUME;
2004 sctp_ulpevent_free(ai_ev);
2006 sctp_ulpevent_free(ev);
2007 return SCTP_DISPOSITION_NOMEM;
2011 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
2012 * chunk was retransmitted and then delayed in the network.
2014 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
2016 * Verification Tag: None. Do cookie validation.
2019 * (endpoint, asoc, chunk)
2022 * (asoc, reply_msg, msg_up, timers, counters)
2024 * The return value is the disposition of the chunk.
2026 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net,
2027 const struct sctp_endpoint *ep,
2028 const struct sctp_association *asoc,
2029 const union sctp_subtype type,
2031 struct sctp_cmd_seq *commands)
2033 sctp_disposition_t retval;
2034 struct sctp_chunk *chunk = arg;
2035 struct sctp_association *new_asoc;
2038 struct sctp_chunk *err_chk_p;
2040 /* Make sure that the chunk has a valid length from the protocol
2041 * perspective. In this case check to make sure we have at least
2042 * enough for the chunk header. Cookie length verification is
2045 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2046 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2049 /* "Decode" the chunk. We have no optional parameters so we
2050 * are in good shape.
2052 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2053 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2054 sizeof(struct sctp_chunkhdr)))
2057 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2058 * of a duplicate COOKIE ECHO match the Verification Tags of the
2059 * current association, consider the State Cookie valid even if
2060 * the lifespan is exceeded.
2062 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2066 * If the re-build failed, what is the proper error path
2069 * [We should abort the association. --piggy]
2072 /* FIXME: Several errors are possible. A bad cookie should
2073 * be silently discarded, but think about logging it too.
2076 case -SCTP_IERROR_NOMEM:
2079 case -SCTP_IERROR_STALE_COOKIE:
2080 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2082 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2083 case -SCTP_IERROR_BAD_SIG:
2085 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2089 /* Set temp so that it won't be added into hashtable */
2092 /* Compare the tie_tag in cookie with the verification tag of
2093 * current association.
2095 action = sctp_tietags_compare(new_asoc, asoc);
2098 case 'A': /* Association restart. */
2099 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2103 case 'B': /* Collision case B. */
2104 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2108 case 'C': /* Collision case C. */
2109 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2113 case 'D': /* Collision case D. */
2114 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2118 default: /* Discard packet for all others. */
2119 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2123 /* Delete the tempory new association. */
2124 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2125 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2127 /* Restore association pointer to provide SCTP command interpeter
2128 * with a valid context in case it needs to manipulate
2130 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2131 SCTP_ASOC((struct sctp_association *)asoc));
2136 return SCTP_DISPOSITION_NOMEM;
2140 * Process an ABORT. (SHUTDOWN-PENDING state)
2142 * See sctp_sf_do_9_1_abort().
2144 sctp_disposition_t sctp_sf_shutdown_pending_abort(
2146 const struct sctp_endpoint *ep,
2147 const struct sctp_association *asoc,
2148 const union sctp_subtype type,
2150 struct sctp_cmd_seq *commands)
2152 struct sctp_chunk *chunk = arg;
2154 if (!sctp_vtag_verify_either(chunk, asoc))
2155 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2157 /* Make sure that the ABORT chunk has a valid length.
2158 * Since this is an ABORT chunk, we have to discard it
2159 * because of the following text:
2160 * RFC 2960, Section 3.3.7
2161 * If an endpoint receives an ABORT with a format error or for an
2162 * association that doesn't exist, it MUST silently discard it.
2163 * Because the length is "invalid", we can't really discard just
2164 * as we do not know its true length. So, to be safe, discard the
2167 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2168 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2170 /* ADD-IP: Special case for ABORT chunks
2171 * F4) One special consideration is that ABORT Chunks arriving
2172 * destined to the IP address being deleted MUST be
2173 * ignored (see Section 5.3.1 for further details).
2175 if (SCTP_ADDR_DEL ==
2176 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2177 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2179 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2183 * Process an ABORT. (SHUTDOWN-SENT state)
2185 * See sctp_sf_do_9_1_abort().
2187 sctp_disposition_t sctp_sf_shutdown_sent_abort(struct net *net,
2188 const struct sctp_endpoint *ep,
2189 const struct sctp_association *asoc,
2190 const union sctp_subtype type,
2192 struct sctp_cmd_seq *commands)
2194 struct sctp_chunk *chunk = arg;
2196 if (!sctp_vtag_verify_either(chunk, asoc))
2197 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2199 /* Make sure that the ABORT chunk has a valid length.
2200 * Since this is an ABORT chunk, we have to discard it
2201 * because of the following text:
2202 * RFC 2960, Section 3.3.7
2203 * If an endpoint receives an ABORT with a format error or for an
2204 * association that doesn't exist, it MUST silently discard it.
2205 * Because the length is "invalid", we can't really discard just
2206 * as we do not know its true length. So, to be safe, discard the
2209 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2210 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2212 /* ADD-IP: Special case for ABORT chunks
2213 * F4) One special consideration is that ABORT Chunks arriving
2214 * destined to the IP address being deleted MUST be
2215 * ignored (see Section 5.3.1 for further details).
2217 if (SCTP_ADDR_DEL ==
2218 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2219 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2221 /* Stop the T2-shutdown timer. */
2222 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2223 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2225 /* Stop the T5-shutdown guard timer. */
2226 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2227 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2229 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2233 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2235 * See sctp_sf_do_9_1_abort().
2237 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2239 const struct sctp_endpoint *ep,
2240 const struct sctp_association *asoc,
2241 const union sctp_subtype type,
2243 struct sctp_cmd_seq *commands)
2245 /* The same T2 timer, so we should be able to use
2246 * common function with the SHUTDOWN-SENT state.
2248 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2252 * Handle an Error received in COOKIE_ECHOED state.
2254 * Only handle the error type of stale COOKIE Error, the other errors will
2258 * (endpoint, asoc, chunk)
2261 * (asoc, reply_msg, msg_up, timers, counters)
2263 * The return value is the disposition of the chunk.
2265 sctp_disposition_t sctp_sf_cookie_echoed_err(struct net *net,
2266 const struct sctp_endpoint *ep,
2267 const struct sctp_association *asoc,
2268 const union sctp_subtype type,
2270 struct sctp_cmd_seq *commands)
2272 struct sctp_chunk *chunk = arg;
2273 struct sctp_errhdr *err;
2275 if (!sctp_vtag_verify(chunk, asoc))
2276 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2278 /* Make sure that the ERROR chunk has a valid length.
2279 * The parameter walking depends on this as well.
2281 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
2282 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2285 /* Process the error here */
2286 /* FUTURE FIXME: When PR-SCTP related and other optional
2287 * parms are emitted, this will have to change to handle multiple
2290 sctp_walk_errors(err, chunk->chunk_hdr) {
2291 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2292 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2296 /* It is possible to have malformed error causes, and that
2297 * will cause us to end the walk early. However, since
2298 * we are discarding the packet, there should be no adverse
2301 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2305 * Handle a Stale COOKIE Error
2307 * Section: 5.2.6 Handle Stale COOKIE Error
2308 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2309 * one of the following three alternatives.
2311 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2312 * Preservative parameter requesting an extension to the lifetime of
2313 * the State Cookie. When calculating the time extension, an
2314 * implementation SHOULD use the RTT information measured based on the
2315 * previous COOKIE ECHO / ERROR exchange, and should add no more
2316 * than 1 second beyond the measured RTT, due to long State Cookie
2317 * lifetimes making the endpoint more subject to a replay attack.
2319 * Verification Tag: Not explicit, but safe to ignore.
2322 * (endpoint, asoc, chunk)
2325 * (asoc, reply_msg, msg_up, timers, counters)
2327 * The return value is the disposition of the chunk.
2329 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
2330 const struct sctp_endpoint *ep,
2331 const struct sctp_association *asoc,
2332 const union sctp_subtype type,
2334 struct sctp_cmd_seq *commands)
2336 int attempts = asoc->init_err_counter + 1;
2337 struct sctp_chunk *chunk = arg, *reply;
2338 struct sctp_cookie_preserve_param bht;
2339 struct sctp_bind_addr *bp;
2340 struct sctp_errhdr *err;
2343 if (attempts > asoc->max_init_attempts) {
2344 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2345 SCTP_ERROR(ETIMEDOUT));
2346 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2347 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2348 return SCTP_DISPOSITION_DELETE_TCB;
2351 err = (struct sctp_errhdr *)(chunk->skb->data);
2353 /* When calculating the time extension, an implementation
2354 * SHOULD use the RTT information measured based on the
2355 * previous COOKIE ECHO / ERROR exchange, and should add no
2356 * more than 1 second beyond the measured RTT, due to long
2357 * State Cookie lifetimes making the endpoint more subject to
2359 * Measure of Staleness's unit is usec. (1/1000000 sec)
2360 * Suggested Cookie Life-span Increment's unit is msec.
2362 * In general, if you use the suggested cookie life, the value
2363 * found in the field of measure of staleness should be doubled
2364 * to give ample time to retransmit the new cookie and thus
2365 * yield a higher probability of success on the reattempt.
2367 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));
2368 stale = (stale * 2) / 1000;
2370 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2371 bht.param_hdr.length = htons(sizeof(bht));
2372 bht.lifespan_increment = htonl(stale);
2374 /* Build that new INIT chunk. */
2375 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2376 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2380 sctp_addto_chunk(reply, sizeof(bht), &bht);
2382 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2383 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2385 /* Stop pending T3-rtx and heartbeat timers */
2386 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2387 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2389 /* Delete non-primary peer ip addresses since we are transitioning
2390 * back to the COOKIE-WAIT state
2392 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2394 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2397 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2398 SCTP_TRANSPORT(asoc->peer.primary_path));
2400 /* Cast away the const modifier, as we want to just
2401 * rerun it through as a sideffect.
2403 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2405 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2406 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2407 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2408 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2409 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2410 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2412 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2414 return SCTP_DISPOSITION_CONSUME;
2417 return SCTP_DISPOSITION_NOMEM;
2424 * After checking the Verification Tag, the receiving endpoint shall
2425 * remove the association from its record, and shall report the
2426 * termination to its upper layer.
2428 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2429 * B) Rules for packet carrying ABORT:
2431 * - The endpoint shall always fill in the Verification Tag field of the
2432 * outbound packet with the destination endpoint's tag value if it
2435 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2436 * MUST follow the procedure described in Section 8.4.
2438 * - The receiver MUST accept the packet if the Verification Tag
2439 * matches either its own tag, OR the tag of its peer. Otherwise, the
2440 * receiver MUST silently discard the packet and take no further
2444 * (endpoint, asoc, chunk)
2447 * (asoc, reply_msg, msg_up, timers, counters)
2449 * The return value is the disposition of the chunk.
2451 sctp_disposition_t sctp_sf_do_9_1_abort(struct net *net,
2452 const struct sctp_endpoint *ep,
2453 const struct sctp_association *asoc,
2454 const union sctp_subtype type,
2456 struct sctp_cmd_seq *commands)
2458 struct sctp_chunk *chunk = arg;
2460 if (!sctp_vtag_verify_either(chunk, asoc))
2461 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2463 /* Make sure that the ABORT chunk has a valid length.
2464 * Since this is an ABORT chunk, we have to discard it
2465 * because of the following text:
2466 * RFC 2960, Section 3.3.7
2467 * If an endpoint receives an ABORT with a format error or for an
2468 * association that doesn't exist, it MUST silently discard it.
2469 * Because the length is "invalid", we can't really discard just
2470 * as we do not know its true length. So, to be safe, discard the
2473 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2474 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2476 /* ADD-IP: Special case for ABORT chunks
2477 * F4) One special consideration is that ABORT Chunks arriving
2478 * destined to the IP address being deleted MUST be
2479 * ignored (see Section 5.3.1 for further details).
2481 if (SCTP_ADDR_DEL ==
2482 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2483 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2485 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2488 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
2489 const struct sctp_endpoint *ep,
2490 const struct sctp_association *asoc,
2491 const union sctp_subtype type,
2493 struct sctp_cmd_seq *commands)
2495 struct sctp_chunk *chunk = arg;
2497 __be16 error = SCTP_ERROR_NO_ERROR;
2499 /* See if we have an error cause code in the chunk. */
2500 len = ntohs(chunk->chunk_hdr->length);
2501 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
2502 struct sctp_errhdr *err;
2504 sctp_walk_errors(err, chunk->chunk_hdr);
2505 if ((void *)err != (void *)chunk->chunk_end)
2506 return sctp_sf_pdiscard(net, ep, asoc, type, arg,
2509 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2512 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2513 /* ASSOC_FAILED will DELETE_TCB. */
2514 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2515 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2516 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2518 return SCTP_DISPOSITION_ABORT;
2522 * Process an ABORT. (COOKIE-WAIT state)
2524 * See sctp_sf_do_9_1_abort() above.
2526 sctp_disposition_t sctp_sf_cookie_wait_abort(struct net *net,
2527 const struct sctp_endpoint *ep,
2528 const struct sctp_association *asoc,
2529 const union sctp_subtype type,
2531 struct sctp_cmd_seq *commands)
2533 struct sctp_chunk *chunk = arg;
2535 __be16 error = SCTP_ERROR_NO_ERROR;
2537 if (!sctp_vtag_verify_either(chunk, asoc))
2538 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2540 /* Make sure that the ABORT chunk has a valid length.
2541 * Since this is an ABORT chunk, we have to discard it
2542 * because of the following text:
2543 * RFC 2960, Section 3.3.7
2544 * If an endpoint receives an ABORT with a format error or for an
2545 * association that doesn't exist, it MUST silently discard it.
2546 * Because the length is "invalid", we can't really discard just
2547 * as we do not know its true length. So, to be safe, discard the
2550 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2551 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2553 /* See if we have an error cause code in the chunk. */
2554 len = ntohs(chunk->chunk_hdr->length);
2555 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2556 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2558 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2563 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2565 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(struct net *net,
2566 const struct sctp_endpoint *ep,
2567 const struct sctp_association *asoc,
2568 const union sctp_subtype type,
2570 struct sctp_cmd_seq *commands)
2572 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2574 (struct sctp_transport *)arg);
2578 * Process an ABORT. (COOKIE-ECHOED state)
2580 sctp_disposition_t sctp_sf_cookie_echoed_abort(struct net *net,
2581 const struct sctp_endpoint *ep,
2582 const struct sctp_association *asoc,
2583 const union sctp_subtype type,
2585 struct sctp_cmd_seq *commands)
2587 /* There is a single T1 timer, so we should be able to use
2588 * common function with the COOKIE-WAIT state.
2590 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2594 * Stop T1 timer and abort association with "INIT failed".
2596 * This is common code called by several sctp_sf_*_abort() functions above.
2598 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
2599 struct sctp_cmd_seq *commands,
2600 __be16 error, int sk_err,
2601 const struct sctp_association *asoc,
2602 struct sctp_transport *transport)
2604 pr_debug("%s: ABORT received (INIT)\n", __func__);
2606 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2607 SCTP_STATE(SCTP_STATE_CLOSED));
2608 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2609 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2610 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2611 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2612 /* CMD_INIT_FAILED will DELETE_TCB. */
2613 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2616 return SCTP_DISPOSITION_ABORT;
2620 * sctp_sf_do_9_2_shut
2623 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2624 * - enter the SHUTDOWN-RECEIVED state,
2626 * - stop accepting new data from its SCTP user
2628 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2629 * that all its outstanding DATA chunks have been received by the
2632 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2633 * send a SHUTDOWN in response to a ULP request. And should discard
2634 * subsequent SHUTDOWN chunks.
2636 * If there are still outstanding DATA chunks left, the SHUTDOWN
2637 * receiver shall continue to follow normal data transmission
2638 * procedures defined in Section 6 until all outstanding DATA chunks
2639 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2640 * new data from its SCTP user.
2642 * Verification Tag: 8.5 Verification Tag [Normal verification]
2645 * (endpoint, asoc, chunk)
2648 * (asoc, reply_msg, msg_up, timers, counters)
2650 * The return value is the disposition of the chunk.
2652 sctp_disposition_t sctp_sf_do_9_2_shutdown(struct net *net,
2653 const struct sctp_endpoint *ep,
2654 const struct sctp_association *asoc,
2655 const union sctp_subtype type,
2657 struct sctp_cmd_seq *commands)
2659 struct sctp_chunk *chunk = arg;
2660 sctp_disposition_t disposition;
2661 struct sctp_shutdownhdr *sdh;
2662 struct sctp_ulpevent *ev;
2665 if (!sctp_vtag_verify(chunk, asoc))
2666 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2668 /* Make sure that the SHUTDOWN chunk has a valid length. */
2669 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2670 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2673 /* Convert the elaborate header. */
2674 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2675 skb_pull(chunk->skb, sizeof(*sdh));
2676 chunk->subh.shutdown_hdr = sdh;
2677 ctsn = ntohl(sdh->cum_tsn_ack);
2679 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2680 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2681 asoc->ctsn_ack_point);
2683 return SCTP_DISPOSITION_DISCARD;
2686 /* If Cumulative TSN Ack beyond the max tsn currently
2687 * send, terminating the association and respond to the
2688 * sender with an ABORT.
2690 if (!TSN_lt(ctsn, asoc->next_tsn))
2691 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2693 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2694 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2695 * inform the application that it should cease sending data.
2697 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2699 disposition = SCTP_DISPOSITION_NOMEM;
2702 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2704 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2705 * - enter the SHUTDOWN-RECEIVED state,
2706 * - stop accepting new data from its SCTP user
2708 * [This is implicit in the new state.]
2710 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2711 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2712 disposition = SCTP_DISPOSITION_CONSUME;
2714 if (sctp_outq_is_empty(&asoc->outqueue)) {
2715 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2719 if (SCTP_DISPOSITION_NOMEM == disposition)
2722 /* - verify, by checking the Cumulative TSN Ack field of the
2723 * chunk, that all its outstanding DATA chunks have been
2724 * received by the SHUTDOWN sender.
2726 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2727 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2734 * sctp_sf_do_9_2_shut_ctsn
2736 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2737 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2738 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2739 * MUST be processed.
2741 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(struct net *net,
2742 const struct sctp_endpoint *ep,
2743 const struct sctp_association *asoc,
2744 const union sctp_subtype type,
2746 struct sctp_cmd_seq *commands)
2748 struct sctp_chunk *chunk = arg;
2749 struct sctp_shutdownhdr *sdh;
2752 if (!sctp_vtag_verify(chunk, asoc))
2753 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2755 /* Make sure that the SHUTDOWN chunk has a valid length. */
2756 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2757 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2760 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2761 ctsn = ntohl(sdh->cum_tsn_ack);
2763 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2764 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2765 asoc->ctsn_ack_point);
2767 return SCTP_DISPOSITION_DISCARD;
2770 /* If Cumulative TSN Ack beyond the max tsn currently
2771 * send, terminating the association and respond to the
2772 * sender with an ABORT.
2774 if (!TSN_lt(ctsn, asoc->next_tsn))
2775 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2777 /* verify, by checking the Cumulative TSN Ack field of the
2778 * chunk, that all its outstanding DATA chunks have been
2779 * received by the SHUTDOWN sender.
2781 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2782 SCTP_BE32(sdh->cum_tsn_ack));
2784 return SCTP_DISPOSITION_CONSUME;
2788 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2789 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2790 * transport addresses (either in the IP addresses or in the INIT chunk)
2791 * that belong to this association, it should discard the INIT chunk and
2792 * retransmit the SHUTDOWN ACK chunk.
2794 sctp_disposition_t sctp_sf_do_9_2_reshutack(struct net *net,
2795 const struct sctp_endpoint *ep,
2796 const struct sctp_association *asoc,
2797 const union sctp_subtype type,
2799 struct sctp_cmd_seq *commands)
2801 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2802 struct sctp_chunk *reply;
2804 /* Make sure that the chunk has a valid length */
2805 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2806 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2809 /* Since we are not going to really process this INIT, there
2810 * is no point in verifying chunk boundries. Just generate
2813 reply = sctp_make_shutdown_ack(asoc, chunk);
2817 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2818 * the T2-SHUTDOWN timer.
2820 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2822 /* and restart the T2-shutdown timer. */
2823 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2824 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2826 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2828 return SCTP_DISPOSITION_CONSUME;
2830 return SCTP_DISPOSITION_NOMEM;
2834 * sctp_sf_do_ecn_cwr
2836 * Section: Appendix A: Explicit Congestion Notification
2840 * RFC 2481 details a specific bit for a sender to send in the header of
2841 * its next outbound TCP segment to indicate to its peer that it has
2842 * reduced its congestion window. This is termed the CWR bit. For
2843 * SCTP the same indication is made by including the CWR chunk.
2844 * This chunk contains one data element, i.e. the TSN number that
2845 * was sent in the ECNE chunk. This element represents the lowest
2846 * TSN number in the datagram that was originally marked with the
2849 * Verification Tag: 8.5 Verification Tag [Normal verification]
2851 * (endpoint, asoc, chunk)
2854 * (asoc, reply_msg, msg_up, timers, counters)
2856 * The return value is the disposition of the chunk.
2858 sctp_disposition_t sctp_sf_do_ecn_cwr(struct net *net,
2859 const struct sctp_endpoint *ep,
2860 const struct sctp_association *asoc,
2861 const union sctp_subtype type,
2863 struct sctp_cmd_seq *commands)
2865 struct sctp_chunk *chunk = arg;
2866 struct sctp_cwrhdr *cwr;
2869 if (!sctp_vtag_verify(chunk, asoc))
2870 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2872 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
2873 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2876 cwr = (struct sctp_cwrhdr *)chunk->skb->data;
2877 skb_pull(chunk->skb, sizeof(*cwr));
2879 lowest_tsn = ntohl(cwr->lowest_tsn);
2881 /* Does this CWR ack the last sent congestion notification? */
2882 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2883 /* Stop sending ECNE. */
2884 sctp_add_cmd_sf(commands,
2886 SCTP_U32(lowest_tsn));
2888 return SCTP_DISPOSITION_CONSUME;
2894 * Section: Appendix A: Explicit Congestion Notification
2898 * RFC 2481 details a specific bit for a receiver to send back in its
2899 * TCP acknowledgements to notify the sender of the Congestion
2900 * Experienced (CE) bit having arrived from the network. For SCTP this
2901 * same indication is made by including the ECNE chunk. This chunk
2902 * contains one data element, i.e. the lowest TSN associated with the IP
2903 * datagram marked with the CE bit.....
2905 * Verification Tag: 8.5 Verification Tag [Normal verification]
2907 * (endpoint, asoc, chunk)
2910 * (asoc, reply_msg, msg_up, timers, counters)
2912 * The return value is the disposition of the chunk.
2914 sctp_disposition_t sctp_sf_do_ecne(struct net *net,
2915 const struct sctp_endpoint *ep,
2916 const struct sctp_association *asoc,
2917 const union sctp_subtype type,
2919 struct sctp_cmd_seq *commands)
2921 struct sctp_chunk *chunk = arg;
2922 struct sctp_ecnehdr *ecne;
2924 if (!sctp_vtag_verify(chunk, asoc))
2925 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2927 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
2928 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2931 ecne = (struct sctp_ecnehdr *)chunk->skb->data;
2932 skb_pull(chunk->skb, sizeof(*ecne));
2934 /* If this is a newer ECNE than the last CWR packet we sent out */
2935 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2936 SCTP_U32(ntohl(ecne->lowest_tsn)));
2938 return SCTP_DISPOSITION_CONSUME;
2942 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
2944 * The SCTP endpoint MUST always acknowledge the reception of each valid
2947 * The guidelines on delayed acknowledgement algorithm specified in
2948 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2949 * acknowledgement SHOULD be generated for at least every second packet
2950 * (not every second DATA chunk) received, and SHOULD be generated within
2951 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2952 * situations it may be beneficial for an SCTP transmitter to be more
2953 * conservative than the algorithms detailed in this document allow.
2954 * However, an SCTP transmitter MUST NOT be more aggressive than the
2955 * following algorithms allow.
2957 * A SCTP receiver MUST NOT generate more than one SACK for every
2958 * incoming packet, other than to update the offered window as the
2959 * receiving application consumes new data.
2961 * Verification Tag: 8.5 Verification Tag [Normal verification]
2964 * (endpoint, asoc, chunk)
2967 * (asoc, reply_msg, msg_up, timers, counters)
2969 * The return value is the disposition of the chunk.
2971 sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net,
2972 const struct sctp_endpoint *ep,
2973 const struct sctp_association *asoc,
2974 const union sctp_subtype type,
2976 struct sctp_cmd_seq *commands)
2978 union sctp_arg force = SCTP_NOFORCE();
2979 struct sctp_chunk *chunk = arg;
2982 if (!sctp_vtag_verify(chunk, asoc)) {
2983 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2985 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2988 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_data_chunk)))
2989 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2992 error = sctp_eat_data(asoc, chunk, commands);
2994 case SCTP_IERROR_NO_ERROR:
2996 case SCTP_IERROR_HIGH_TSN:
2997 case SCTP_IERROR_BAD_STREAM:
2998 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2999 goto discard_noforce;
3000 case SCTP_IERROR_DUP_TSN:
3001 case SCTP_IERROR_IGNORE_TSN:
3002 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3004 case SCTP_IERROR_NO_DATA:
3005 return SCTP_DISPOSITION_ABORT;
3006 case SCTP_IERROR_PROTO_VIOLATION:
3007 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3008 (u8 *)chunk->subh.data_hdr,
3009 sizeof(struct sctp_datahdr));
3014 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
3015 force = SCTP_FORCE();
3017 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3018 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3019 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3022 /* If this is the last chunk in a packet, we need to count it
3023 * toward sack generation. Note that we need to SACK every
3024 * OTHER packet containing data chunks, EVEN IF WE DISCARD
3025 * THEM. We elect to NOT generate SACK's if the chunk fails
3026 * the verification tag test.
3028 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3030 * The SCTP endpoint MUST always acknowledge the reception of
3031 * each valid DATA chunk.
3033 * The guidelines on delayed acknowledgement algorithm
3034 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
3035 * Specifically, an acknowledgement SHOULD be generated for at
3036 * least every second packet (not every second DATA chunk)
3037 * received, and SHOULD be generated within 200 ms of the
3038 * arrival of any unacknowledged DATA chunk. In some
3039 * situations it may be beneficial for an SCTP transmitter to
3040 * be more conservative than the algorithms detailed in this
3041 * document allow. However, an SCTP transmitter MUST NOT be
3042 * more aggressive than the following algorithms allow.
3044 if (chunk->end_of_packet)
3045 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3047 return SCTP_DISPOSITION_CONSUME;
3050 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3052 * When a packet arrives with duplicate DATA chunk(s) and with
3053 * no new DATA chunk(s), the endpoint MUST immediately send a
3054 * SACK with no delay. If a packet arrives with duplicate
3055 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3056 * MAY immediately send a SACK. Normally receipt of duplicate
3057 * DATA chunks will occur when the original SACK chunk was lost
3058 * and the peer's RTO has expired. The duplicate TSN number(s)
3059 * SHOULD be reported in the SACK as duplicate.
3061 /* In our case, we split the MAY SACK advice up whether or not
3062 * the last chunk is a duplicate.'
3064 if (chunk->end_of_packet)
3065 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3066 return SCTP_DISPOSITION_DISCARD;
3069 if (chunk->end_of_packet)
3070 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3072 return SCTP_DISPOSITION_DISCARD;
3076 * sctp_sf_eat_data_fast_4_4
3079 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3080 * DATA chunks without delay.
3082 * Verification Tag: 8.5 Verification Tag [Normal verification]
3084 * (endpoint, asoc, chunk)
3087 * (asoc, reply_msg, msg_up, timers, counters)
3089 * The return value is the disposition of the chunk.
3091 sctp_disposition_t sctp_sf_eat_data_fast_4_4(struct net *net,
3092 const struct sctp_endpoint *ep,
3093 const struct sctp_association *asoc,
3094 const union sctp_subtype type,
3096 struct sctp_cmd_seq *commands)
3098 struct sctp_chunk *chunk = arg;
3101 if (!sctp_vtag_verify(chunk, asoc)) {
3102 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3104 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3107 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_data_chunk)))
3108 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3111 error = sctp_eat_data(asoc, chunk, commands);
3113 case SCTP_IERROR_NO_ERROR:
3114 case SCTP_IERROR_HIGH_TSN:
3115 case SCTP_IERROR_DUP_TSN:
3116 case SCTP_IERROR_IGNORE_TSN:
3117 case SCTP_IERROR_BAD_STREAM:
3119 case SCTP_IERROR_NO_DATA:
3120 return SCTP_DISPOSITION_ABORT;
3121 case SCTP_IERROR_PROTO_VIOLATION:
3122 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3123 (u8 *)chunk->subh.data_hdr,
3124 sizeof(struct sctp_datahdr));
3129 /* Go a head and force a SACK, since we are shutting down. */
3131 /* Implementor's Guide.
3133 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3134 * respond to each received packet containing one or more DATA chunk(s)
3135 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3137 if (chunk->end_of_packet) {
3138 /* We must delay the chunk creation since the cumulative
3139 * TSN has not been updated yet.
3141 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3142 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3143 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3144 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3147 return SCTP_DISPOSITION_CONSUME;
3151 * Section: 6.2 Processing a Received SACK
3152 * D) Any time a SACK arrives, the endpoint performs the following:
3154 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3155 * then drop the SACK. Since Cumulative TSN Ack is monotonically
3156 * increasing, a SACK whose Cumulative TSN Ack is less than the
3157 * Cumulative TSN Ack Point indicates an out-of-order SACK.
3159 * ii) Set rwnd equal to the newly received a_rwnd minus the number
3160 * of bytes still outstanding after processing the Cumulative TSN Ack
3161 * and the Gap Ack Blocks.
3163 * iii) If the SACK is missing a TSN that was previously
3164 * acknowledged via a Gap Ack Block (e.g., the data receiver
3165 * reneged on the data), then mark the corresponding DATA chunk
3166 * as available for retransmit: Mark it as missing for fast
3167 * retransmit as described in Section 7.2.4 and if no retransmit
3168 * timer is running for the destination address to which the DATA
3169 * chunk was originally transmitted, then T3-rtx is started for
3170 * that destination address.
3172 * Verification Tag: 8.5 Verification Tag [Normal verification]
3175 * (endpoint, asoc, chunk)
3178 * (asoc, reply_msg, msg_up, timers, counters)
3180 * The return value is the disposition of the chunk.
3182 sctp_disposition_t sctp_sf_eat_sack_6_2(struct net *net,
3183 const struct sctp_endpoint *ep,
3184 const struct sctp_association *asoc,
3185 const union sctp_subtype type,
3187 struct sctp_cmd_seq *commands)
3189 struct sctp_chunk *chunk = arg;
3190 struct sctp_sackhdr *sackh;
3193 if (!sctp_vtag_verify(chunk, asoc))
3194 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3196 /* Make sure that the SACK chunk has a valid length. */
3197 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
3198 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3201 /* Pull the SACK chunk from the data buffer */
3202 sackh = sctp_sm_pull_sack(chunk);
3203 /* Was this a bogus SACK? */
3205 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3206 chunk->subh.sack_hdr = sackh;
3207 ctsn = ntohl(sackh->cum_tsn_ack);
3209 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3210 * Ack Point, then drop the SACK. Since Cumulative TSN
3211 * Ack is monotonically increasing, a SACK whose
3212 * Cumulative TSN Ack is less than the Cumulative TSN Ack
3213 * Point indicates an out-of-order SACK.
3215 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3216 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3217 asoc->ctsn_ack_point);
3219 return SCTP_DISPOSITION_DISCARD;
3222 /* If Cumulative TSN Ack beyond the max tsn currently
3223 * send, terminating the association and respond to the
3224 * sender with an ABORT.
3226 if (!TSN_lt(ctsn, asoc->next_tsn))
3227 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3229 /* Return this SACK for further processing. */
3230 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3232 /* Note: We do the rest of the work on the PROCESS_SACK
3235 return SCTP_DISPOSITION_CONSUME;
3239 * Generate an ABORT in response to a packet.
3241 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3243 * 8) The receiver should respond to the sender of the OOTB packet with
3244 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3245 * MUST fill in the Verification Tag field of the outbound packet
3246 * with the value found in the Verification Tag field of the OOTB
3247 * packet and set the T-bit in the Chunk Flags to indicate that the
3248 * Verification Tag is reflected. After sending this ABORT, the
3249 * receiver of the OOTB packet shall discard the OOTB packet and take
3250 * no further action.
3254 * The return value is the disposition of the chunk.
3256 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
3257 const struct sctp_endpoint *ep,
3258 const struct sctp_association *asoc,
3259 const union sctp_subtype type,
3261 struct sctp_cmd_seq *commands)
3263 struct sctp_packet *packet = NULL;
3264 struct sctp_chunk *chunk = arg;
3265 struct sctp_chunk *abort;
3267 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3269 return SCTP_DISPOSITION_NOMEM;
3271 /* Make an ABORT. The T bit will be set if the asoc
3274 abort = sctp_make_abort(asoc, chunk, 0);
3276 sctp_ootb_pkt_free(packet);
3277 return SCTP_DISPOSITION_NOMEM;
3280 /* Reflect vtag if T-Bit is set */
3281 if (sctp_test_T_bit(abort))
3282 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3284 /* Set the skb to the belonging sock for accounting. */
3285 abort->skb->sk = ep->base.sk;
3287 sctp_packet_append_chunk(packet, abort);
3289 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3290 SCTP_PACKET(packet));
3292 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3294 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3295 return SCTP_DISPOSITION_CONSUME;
3299 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3300 * event as ULP notification for each cause included in the chunk.
3302 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3304 * The return value is the disposition of the chunk.
3306 sctp_disposition_t sctp_sf_operr_notify(struct net *net,
3307 const struct sctp_endpoint *ep,
3308 const struct sctp_association *asoc,
3309 const union sctp_subtype type,
3311 struct sctp_cmd_seq *commands)
3313 struct sctp_chunk *chunk = arg;
3314 struct sctp_errhdr *err;
3316 if (!sctp_vtag_verify(chunk, asoc))
3317 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3319 /* Make sure that the ERROR chunk has a valid length. */
3320 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
3321 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3323 sctp_walk_errors(err, chunk->chunk_hdr);
3324 if ((void *)err != (void *)chunk->chunk_end)
3325 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3326 (void *)err, commands);
3328 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3331 return SCTP_DISPOSITION_CONSUME;
3335 * Process an inbound SHUTDOWN ACK.
3338 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3339 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3340 * peer, and remove all record of the association.
3342 * The return value is the disposition.
3344 sctp_disposition_t sctp_sf_do_9_2_final(struct net *net,
3345 const struct sctp_endpoint *ep,
3346 const struct sctp_association *asoc,
3347 const union sctp_subtype type,
3349 struct sctp_cmd_seq *commands)
3351 struct sctp_chunk *chunk = arg;
3352 struct sctp_chunk *reply;
3353 struct sctp_ulpevent *ev;
3355 if (!sctp_vtag_verify(chunk, asoc))
3356 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3358 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3359 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3360 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3362 /* 10.2 H) SHUTDOWN COMPLETE notification
3364 * When SCTP completes the shutdown procedures (section 9.2) this
3365 * notification is passed to the upper layer.
3367 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3368 0, 0, 0, NULL, GFP_ATOMIC);
3372 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3373 reply = sctp_make_shutdown_complete(asoc, chunk);
3377 /* Do all the commands now (after allocation), so that we
3378 * have consistent state if memory allocation failes
3380 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3382 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3383 * stop the T2-shutdown timer,
3385 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3386 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3388 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3389 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3391 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3392 SCTP_STATE(SCTP_STATE_CLOSED));
3393 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3394 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3395 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3397 /* ...and remove all record of the association. */
3398 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3399 return SCTP_DISPOSITION_DELETE_TCB;
3402 sctp_ulpevent_free(ev);
3404 return SCTP_DISPOSITION_NOMEM;
3408 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3410 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3411 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3412 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3413 * packet must fill in the Verification Tag field of the outbound
3414 * packet with the Verification Tag received in the SHUTDOWN ACK and
3415 * set the T-bit in the Chunk Flags to indicate that the Verification
3418 * 8) The receiver should respond to the sender of the OOTB packet with
3419 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3420 * MUST fill in the Verification Tag field of the outbound packet
3421 * with the value found in the Verification Tag field of the OOTB
3422 * packet and set the T-bit in the Chunk Flags to indicate that the
3423 * Verification Tag is reflected. After sending this ABORT, the
3424 * receiver of the OOTB packet shall discard the OOTB packet and take
3425 * no further action.
3427 sctp_disposition_t sctp_sf_ootb(struct net *net,
3428 const struct sctp_endpoint *ep,
3429 const struct sctp_association *asoc,
3430 const union sctp_subtype type,
3432 struct sctp_cmd_seq *commands)
3434 struct sctp_chunk *chunk = arg;
3435 struct sk_buff *skb = chunk->skb;
3436 struct sctp_chunkhdr *ch;
3437 struct sctp_errhdr *err;
3439 int ootb_shut_ack = 0;
3440 int ootb_cookie_ack = 0;
3442 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3444 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
3446 /* Report violation if the chunk is less then minimal */
3447 if (ntohs(ch->length) < sizeof(*ch))
3448 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3451 /* Report violation if chunk len overflows */
3452 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3453 if (ch_end > skb_tail_pointer(skb))
3454 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3457 /* Now that we know we at least have a chunk header,
3458 * do things that are type appropriate.
3460 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3463 /* RFC 2960, Section 3.3.7
3464 * Moreover, under any circumstances, an endpoint that
3465 * receives an ABORT MUST NOT respond to that ABORT by
3466 * sending an ABORT of its own.
3468 if (SCTP_CID_ABORT == ch->type)
3469 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3471 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3472 * or a COOKIE ACK the SCTP Packet should be silently
3476 if (SCTP_CID_COOKIE_ACK == ch->type)
3477 ootb_cookie_ack = 1;
3479 if (SCTP_CID_ERROR == ch->type) {
3480 sctp_walk_errors(err, ch) {
3481 if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3482 ootb_cookie_ack = 1;
3488 ch = (struct sctp_chunkhdr *)ch_end;
3489 } while (ch_end < skb_tail_pointer(skb));
3492 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3493 else if (ootb_cookie_ack)
3494 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3496 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3500 * Handle an "Out of the blue" SHUTDOWN ACK.
3502 * Section: 8.4 5, sctpimpguide 2.41.
3504 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3505 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3506 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3507 * packet must fill in the Verification Tag field of the outbound
3508 * packet with the Verification Tag received in the SHUTDOWN ACK and
3509 * set the T-bit in the Chunk Flags to indicate that the Verification
3513 * (endpoint, asoc, type, arg, commands)
3516 * (sctp_disposition_t)
3518 * The return value is the disposition of the chunk.
3520 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
3521 const struct sctp_endpoint *ep,
3522 const struct sctp_association *asoc,
3523 const union sctp_subtype type,
3525 struct sctp_cmd_seq *commands)
3527 struct sctp_packet *packet = NULL;
3528 struct sctp_chunk *chunk = arg;
3529 struct sctp_chunk *shut;
3531 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3533 return SCTP_DISPOSITION_NOMEM;
3535 /* Make an SHUTDOWN_COMPLETE.
3536 * The T bit will be set if the asoc is NULL.
3538 shut = sctp_make_shutdown_complete(asoc, chunk);
3540 sctp_ootb_pkt_free(packet);
3541 return SCTP_DISPOSITION_NOMEM;
3544 /* Reflect vtag if T-Bit is set */
3545 if (sctp_test_T_bit(shut))
3546 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3548 /* Set the skb to the belonging sock for accounting. */
3549 shut->skb->sk = ep->base.sk;
3551 sctp_packet_append_chunk(packet, shut);
3553 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3554 SCTP_PACKET(packet));
3556 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3558 /* If the chunk length is invalid, we don't want to process
3559 * the reset of the packet.
3561 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3562 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3564 /* We need to discard the rest of the packet to prevent
3565 * potential bomming attacks from additional bundled chunks.
3566 * This is documented in SCTP Threats ID.
3568 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3572 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3574 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3575 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3576 * procedures in section 8.4 SHOULD be followed, in other words it
3577 * should be treated as an Out Of The Blue packet.
3578 * [This means that we do NOT check the Verification Tag on these
3582 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(struct net *net,
3583 const struct sctp_endpoint *ep,
3584 const struct sctp_association *asoc,
3585 const union sctp_subtype type,
3587 struct sctp_cmd_seq *commands)
3589 struct sctp_chunk *chunk = arg;
3591 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3592 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3593 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3596 /* Although we do have an association in this case, it corresponds
3597 * to a restarted association. So the packet is treated as an OOTB
3598 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3599 * called with a NULL association.
3601 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3603 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3606 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
3607 sctp_disposition_t sctp_sf_do_asconf(struct net *net,
3608 const struct sctp_endpoint *ep,
3609 const struct sctp_association *asoc,
3610 const union sctp_subtype type, void *arg,
3611 struct sctp_cmd_seq *commands)
3613 struct sctp_chunk *chunk = arg;
3614 struct sctp_chunk *asconf_ack = NULL;
3615 struct sctp_paramhdr *err_param = NULL;
3616 struct sctp_addiphdr *hdr;
3619 if (!sctp_vtag_verify(chunk, asoc)) {
3620 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3622 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3625 /* ADD-IP: Section 4.1.1
3626 * This chunk MUST be sent in an authenticated way by using
3627 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3628 * is received unauthenticated it MUST be silently discarded as
3629 * described in [I-D.ietf-tsvwg-sctp-auth].
3631 if (!net->sctp.addip_noauth && !chunk->auth)
3632 return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
3635 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3636 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
3637 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3640 hdr = (struct sctp_addiphdr *)chunk->skb->data;
3641 serial = ntohl(hdr->serial);
3643 /* Verify the ASCONF chunk before processing it. */
3644 if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3645 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3646 (void *)err_param, commands);
3648 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3649 * the endpoint stored in a new association variable
3650 * 'Peer-Serial-Number'.
3652 if (serial == asoc->peer.addip_serial + 1) {
3653 /* If this is the first instance of ASCONF in the packet,
3654 * we can clean our old ASCONF-ACKs.
3656 if (!chunk->has_asconf)
3657 sctp_assoc_clean_asconf_ack_cache(asoc);
3659 /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3660 * expected, process the ASCONF as described below and after
3661 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3662 * the response packet and cache a copy of it (in the event it
3663 * later needs to be retransmitted).
3665 * Essentially, do V1-V5.
3667 asconf_ack = sctp_process_asconf((struct sctp_association *)
3670 return SCTP_DISPOSITION_NOMEM;
3671 } else if (serial < asoc->peer.addip_serial + 1) {
3673 * If the value found in the Sequence Number is less than the
3674 * ('Peer- Sequence-Number' + 1), simply skip to the next
3675 * ASCONF, and include in the outbound response packet
3676 * any previously cached ASCONF-ACK response that was
3677 * sent and saved that matches the Sequence Number of the
3678 * ASCONF. Note: It is possible that no cached ASCONF-ACK
3679 * Chunk exists. This will occur when an older ASCONF
3680 * arrives out of order. In such a case, the receiver
3681 * should skip the ASCONF Chunk and not include ASCONF-ACK
3682 * Chunk for that chunk.
3684 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3686 return SCTP_DISPOSITION_DISCARD;
3688 /* Reset the transport so that we select the correct one
3689 * this time around. This is to make sure that we don't
3690 * accidentally use a stale transport that's been removed.
3692 asconf_ack->transport = NULL;
3694 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3695 * it must be either a stale packet or from an attacker.
3697 return SCTP_DISPOSITION_DISCARD;
3700 /* ADDIP 5.2 E6) The destination address of the SCTP packet
3701 * containing the ASCONF-ACK Chunks MUST be the source address of
3702 * the SCTP packet that held the ASCONF Chunks.
3704 * To do this properly, we'll set the destination address of the chunk
3705 * and at the transmit time, will try look up the transport to use.
3706 * Since ASCONFs may be bundled, the correct transport may not be
3707 * created until we process the entire packet, thus this workaround.
3709 asconf_ack->dest = chunk->source;
3710 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3711 if (asoc->new_transport) {
3712 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3713 ((struct sctp_association *)asoc)->new_transport = NULL;
3716 return SCTP_DISPOSITION_CONSUME;
3720 * ADDIP Section 4.3 General rules for address manipulation
3721 * When building TLV parameters for the ASCONF Chunk that will add or
3722 * delete IP addresses the D0 to D13 rules should be applied:
3724 sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
3725 const struct sctp_endpoint *ep,
3726 const struct sctp_association *asoc,
3727 const union sctp_subtype type,
3729 struct sctp_cmd_seq *commands)
3731 struct sctp_chunk *asconf_ack = arg;
3732 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3733 struct sctp_chunk *abort;
3734 struct sctp_paramhdr *err_param = NULL;
3735 struct sctp_addiphdr *addip_hdr;
3736 __u32 sent_serial, rcvd_serial;
3738 if (!sctp_vtag_verify(asconf_ack, asoc)) {
3739 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3741 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3744 /* ADD-IP, Section 4.1.2:
3745 * This chunk MUST be sent in an authenticated way by using
3746 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3747 * is received unauthenticated it MUST be silently discarded as
3748 * described in [I-D.ietf-tsvwg-sctp-auth].
3750 if (!net->sctp.addip_noauth && !asconf_ack->auth)
3751 return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
3754 /* Make sure that the ADDIP chunk has a valid length. */
3755 if (!sctp_chunk_length_valid(asconf_ack,
3756 sizeof(struct sctp_addip_chunk)))
3757 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3760 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
3761 rcvd_serial = ntohl(addip_hdr->serial);
3763 /* Verify the ASCONF-ACK chunk before processing it. */
3764 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
3765 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3766 (void *)err_param, commands);
3769 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr;
3770 sent_serial = ntohl(addip_hdr->serial);
3772 sent_serial = asoc->addip_serial - 1;
3775 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3776 * equal to the next serial number to be used but no ASCONF chunk is
3777 * outstanding the endpoint MUST ABORT the association. Note that a
3778 * sequence number is greater than if it is no more than 2^^31-1
3779 * larger than the current sequence number (using serial arithmetic).
3781 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3782 !(asoc->addip_last_asconf)) {
3783 abort = sctp_make_abort(asoc, asconf_ack,
3784 sizeof(struct sctp_errhdr));
3786 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3787 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3790 /* We are going to ABORT, so we might as well stop
3791 * processing the rest of the chunks in the packet.
3793 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3794 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3795 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
3796 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3797 SCTP_ERROR(ECONNABORTED));
3798 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3799 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3800 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3801 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3802 return SCTP_DISPOSITION_ABORT;
3805 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3806 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3807 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3809 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3811 /* Successfully processed ASCONF_ACK. We can
3812 * release the next asconf if we have one.
3814 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
3816 return SCTP_DISPOSITION_CONSUME;
3819 abort = sctp_make_abort(asoc, asconf_ack,
3820 sizeof(struct sctp_errhdr));
3822 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3823 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3826 /* We are going to ABORT, so we might as well stop
3827 * processing the rest of the chunks in the packet.
3829 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
3830 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3831 SCTP_ERROR(ECONNABORTED));
3832 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3833 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3834 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3835 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3836 return SCTP_DISPOSITION_ABORT;
3839 return SCTP_DISPOSITION_DISCARD;
3842 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */
3843 sctp_disposition_t sctp_sf_do_reconf(struct net *net,
3844 const struct sctp_endpoint *ep,
3845 const struct sctp_association *asoc,
3846 const union sctp_subtype type, void *arg,
3847 struct sctp_cmd_seq *commands)
3849 struct sctp_paramhdr *err_param = NULL;
3850 struct sctp_chunk *chunk = arg;
3851 struct sctp_reconf_chunk *hdr;
3852 union sctp_params param;
3854 if (!sctp_vtag_verify(chunk, asoc)) {
3855 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3857 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3860 /* Make sure that the RECONF chunk has a valid length. */
3861 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
3862 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3865 if (!sctp_verify_reconf(asoc, chunk, &err_param))
3866 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3867 (void *)err_param, commands);
3869 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
3870 sctp_walk_params(param, hdr, params) {
3871 struct sctp_chunk *reply = NULL;
3872 struct sctp_ulpevent *ev = NULL;
3874 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST)
3875 reply = sctp_process_strreset_outreq(
3876 (struct sctp_association *)asoc, param, &ev);
3877 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
3878 reply = sctp_process_strreset_inreq(
3879 (struct sctp_association *)asoc, param, &ev);
3880 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
3881 reply = sctp_process_strreset_tsnreq(
3882 (struct sctp_association *)asoc, param, &ev);
3883 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS)
3884 reply = sctp_process_strreset_addstrm_out(
3885 (struct sctp_association *)asoc, param, &ev);
3886 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS)
3887 reply = sctp_process_strreset_addstrm_in(
3888 (struct sctp_association *)asoc, param, &ev);
3889 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE)
3890 reply = sctp_process_strreset_resp(
3891 (struct sctp_association *)asoc, param, &ev);
3894 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
3898 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3902 return SCTP_DISPOSITION_CONSUME;
3906 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3908 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3909 * its cumulative TSN point to the value carried in the FORWARD TSN
3910 * chunk, and then MUST further advance its cumulative TSN point locally
3912 * After the above processing, the data receiver MUST stop reporting any
3913 * missing TSNs earlier than or equal to the new cumulative TSN point.
3915 * Verification Tag: 8.5 Verification Tag [Normal verification]
3917 * The return value is the disposition of the chunk.
3919 sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net,
3920 const struct sctp_endpoint *ep,
3921 const struct sctp_association *asoc,
3922 const union sctp_subtype type,
3924 struct sctp_cmd_seq *commands)
3926 struct sctp_chunk *chunk = arg;
3927 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3928 struct sctp_fwdtsn_skip *skip;
3932 if (!sctp_vtag_verify(chunk, asoc)) {
3933 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3935 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3938 if (!asoc->peer.prsctp_capable)
3939 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
3941 /* Make sure that the FORWARD_TSN chunk has valid length. */
3942 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3943 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3946 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3947 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3948 len = ntohs(chunk->chunk_hdr->length);
3949 len -= sizeof(struct sctp_chunkhdr);
3950 skb_pull(chunk->skb, len);
3952 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3953 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
3955 /* The TSN is too high--silently discard the chunk and count on it
3956 * getting retransmitted later.
3958 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3959 goto discard_noforce;
3961 /* Silently discard the chunk if stream-id is not valid */
3962 sctp_walk_fwdtsn(skip, chunk) {
3963 if (ntohs(skip->stream) >= asoc->stream.incnt)
3964 goto discard_noforce;
3967 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3968 if (len > sizeof(struct sctp_fwdtsn_hdr))
3969 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3972 /* Count this as receiving DATA. */
3973 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3974 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3975 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3978 /* FIXME: For now send a SACK, but DATA processing may
3981 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3983 return SCTP_DISPOSITION_CONSUME;
3986 return SCTP_DISPOSITION_DISCARD;
3989 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3991 const struct sctp_endpoint *ep,
3992 const struct sctp_association *asoc,
3993 const union sctp_subtype type,
3995 struct sctp_cmd_seq *commands)
3997 struct sctp_chunk *chunk = arg;
3998 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3999 struct sctp_fwdtsn_skip *skip;
4003 if (!sctp_vtag_verify(chunk, asoc)) {
4004 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4006 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4009 if (!asoc->peer.prsctp_capable)
4010 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4012 /* Make sure that the FORWARD_TSN chunk has a valid length. */
4013 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
4014 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4017 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4018 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4019 len = ntohs(chunk->chunk_hdr->length);
4020 len -= sizeof(struct sctp_chunkhdr);
4021 skb_pull(chunk->skb, len);
4023 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4024 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4026 /* The TSN is too high--silently discard the chunk and count on it
4027 * getting retransmitted later.
4029 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4032 /* Silently discard the chunk if stream-id is not valid */
4033 sctp_walk_fwdtsn(skip, chunk) {
4034 if (ntohs(skip->stream) >= asoc->stream.incnt)
4038 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4039 if (len > sizeof(struct sctp_fwdtsn_hdr))
4040 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4043 /* Go a head and force a SACK, since we are shutting down. */
4045 /* Implementor's Guide.
4047 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
4048 * respond to each received packet containing one or more DATA chunk(s)
4049 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
4051 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
4052 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4053 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4054 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4056 return SCTP_DISPOSITION_CONSUME;
4060 * SCTP-AUTH Section 6.3 Receiving authenticated chukns
4062 * The receiver MUST use the HMAC algorithm indicated in the HMAC
4063 * Identifier field. If this algorithm was not specified by the
4064 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
4065 * during association setup, the AUTH chunk and all chunks after it MUST
4066 * be discarded and an ERROR chunk SHOULD be sent with the error cause
4067 * defined in Section 4.1.
4069 * If an endpoint with no shared key receives a Shared Key Identifier
4070 * other than 0, it MUST silently discard all authenticated chunks. If
4071 * the endpoint has at least one endpoint pair shared key for the peer,
4072 * it MUST use the key specified by the Shared Key Identifier if a
4073 * key has been configured for that Shared Key Identifier. If no
4074 * endpoint pair shared key has been configured for that Shared Key
4075 * Identifier, all authenticated chunks MUST be silently discarded.
4077 * Verification Tag: 8.5 Verification Tag [Normal verification]
4079 * The return value is the disposition of the chunk.
4081 static enum sctp_ierror sctp_sf_authenticate(
4083 const struct sctp_endpoint *ep,
4084 const struct sctp_association *asoc,
4085 const union sctp_subtype type,
4086 struct sctp_chunk *chunk)
4088 struct sctp_authhdr *auth_hdr;
4089 struct sctp_hmac *hmac;
4090 unsigned int sig_len;
4095 /* Pull in the auth header, so we can do some more verification */
4096 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4097 chunk->subh.auth_hdr = auth_hdr;
4098 skb_pull(chunk->skb, sizeof(*auth_hdr));
4100 /* Make sure that we support the HMAC algorithm from the auth
4103 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4104 return SCTP_IERROR_AUTH_BAD_HMAC;
4106 /* Make sure that the provided shared key identifier has been
4109 key_id = ntohs(auth_hdr->shkey_id);
4110 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
4111 return SCTP_IERROR_AUTH_BAD_KEYID;
4114 /* Make sure that the length of the signature matches what
4117 sig_len = ntohs(chunk->chunk_hdr->length) -
4118 sizeof(struct sctp_auth_chunk);
4119 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4120 if (sig_len != hmac->hmac_len)
4121 return SCTP_IERROR_PROTO_VIOLATION;
4123 /* Now that we've done validation checks, we can compute and
4124 * verify the hmac. The steps involved are:
4125 * 1. Save the digest from the chunk.
4126 * 2. Zero out the digest in the chunk.
4127 * 3. Compute the new digest
4128 * 4. Compare saved and new digests.
4130 digest = auth_hdr->hmac;
4131 skb_pull(chunk->skb, sig_len);
4133 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4137 memset(digest, 0, sig_len);
4139 sctp_auth_calculate_hmac(asoc, chunk->skb,
4140 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4143 /* Discard the packet if the digests do not match */
4144 if (memcmp(save_digest, digest, sig_len)) {
4146 return SCTP_IERROR_BAD_SIG;
4152 return SCTP_IERROR_NO_ERROR;
4154 return SCTP_IERROR_NOMEM;
4157 sctp_disposition_t sctp_sf_eat_auth(struct net *net,
4158 const struct sctp_endpoint *ep,
4159 const struct sctp_association *asoc,
4160 const union sctp_subtype type,
4162 struct sctp_cmd_seq *commands)
4164 struct sctp_chunk *chunk = arg;
4165 struct sctp_authhdr *auth_hdr;
4166 struct sctp_chunk *err_chunk;
4167 enum sctp_ierror error;
4169 /* Make sure that the peer has AUTH capable */
4170 if (!asoc->peer.auth_capable)
4171 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4173 if (!sctp_vtag_verify(chunk, asoc)) {
4174 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4176 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4179 /* Make sure that the AUTH chunk has valid length. */
4180 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4181 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4184 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4185 error = sctp_sf_authenticate(net, ep, asoc, type, chunk);
4187 case SCTP_IERROR_AUTH_BAD_HMAC:
4188 /* Generate the ERROR chunk and discard the rest
4191 err_chunk = sctp_make_op_error(asoc, chunk,
4192 SCTP_ERROR_UNSUP_HMAC,
4196 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4197 SCTP_CHUNK(err_chunk));
4200 case SCTP_IERROR_AUTH_BAD_KEYID:
4201 case SCTP_IERROR_BAD_SIG:
4202 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4204 case SCTP_IERROR_PROTO_VIOLATION:
4205 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4208 case SCTP_IERROR_NOMEM:
4209 return SCTP_DISPOSITION_NOMEM;
4211 default: /* Prevent gcc warnings */
4215 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4216 struct sctp_ulpevent *ev;
4218 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4219 SCTP_AUTH_NEWKEY, GFP_ATOMIC);
4224 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4228 return SCTP_DISPOSITION_CONSUME;
4232 * Process an unknown chunk.
4234 * Section: 3.2. Also, 2.1 in the implementor's guide.
4236 * Chunk Types are encoded such that the highest-order two bits specify
4237 * the action that must be taken if the processing endpoint does not
4238 * recognize the Chunk Type.
4240 * 00 - Stop processing this SCTP packet and discard it, do not process
4241 * any further chunks within it.
4243 * 01 - Stop processing this SCTP packet and discard it, do not process
4244 * any further chunks within it, and report the unrecognized
4245 * chunk in an 'Unrecognized Chunk Type'.
4247 * 10 - Skip this chunk and continue processing.
4249 * 11 - Skip this chunk and continue processing, but report in an ERROR
4250 * Chunk using the 'Unrecognized Chunk Type' cause of error.
4252 * The return value is the disposition of the chunk.
4254 sctp_disposition_t sctp_sf_unk_chunk(struct net *net,
4255 const struct sctp_endpoint *ep,
4256 const struct sctp_association *asoc,
4257 const union sctp_subtype type,
4259 struct sctp_cmd_seq *commands)
4261 struct sctp_chunk *unk_chunk = arg;
4262 struct sctp_chunk *err_chunk;
4263 struct sctp_chunkhdr *hdr;
4265 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);
4267 if (!sctp_vtag_verify(unk_chunk, asoc))
4268 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4270 /* Make sure that the chunk has a valid length.
4271 * Since we don't know the chunk type, we use a general
4272 * chunkhdr structure to make a comparison.
4274 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr)))
4275 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4278 switch (type.chunk & SCTP_CID_ACTION_MASK) {
4279 case SCTP_CID_ACTION_DISCARD:
4280 /* Discard the packet. */
4281 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4282 case SCTP_CID_ACTION_DISCARD_ERR:
4283 /* Generate an ERROR chunk as response. */
4284 hdr = unk_chunk->chunk_hdr;
4285 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4286 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4287 SCTP_PAD4(ntohs(hdr->length)),
4290 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4291 SCTP_CHUNK(err_chunk));
4294 /* Discard the packet. */
4295 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4296 return SCTP_DISPOSITION_CONSUME;
4297 case SCTP_CID_ACTION_SKIP:
4298 /* Skip the chunk. */
4299 return SCTP_DISPOSITION_DISCARD;
4300 case SCTP_CID_ACTION_SKIP_ERR:
4301 /* Generate an ERROR chunk as response. */
4302 hdr = unk_chunk->chunk_hdr;
4303 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4304 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4305 SCTP_PAD4(ntohs(hdr->length)),
4308 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4309 SCTP_CHUNK(err_chunk));
4311 /* Skip the chunk. */
4312 return SCTP_DISPOSITION_CONSUME;
4317 return SCTP_DISPOSITION_DISCARD;
4321 * Discard the chunk.
4323 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4324 * [Too numerous to mention...]
4325 * Verification Tag: No verification needed.
4327 * (endpoint, asoc, chunk)
4330 * (asoc, reply_msg, msg_up, timers, counters)
4332 * The return value is the disposition of the chunk.
4334 sctp_disposition_t sctp_sf_discard_chunk(struct net *net,
4335 const struct sctp_endpoint *ep,
4336 const struct sctp_association *asoc,
4337 const union sctp_subtype type,
4339 struct sctp_cmd_seq *commands)
4341 struct sctp_chunk *chunk = arg;
4343 /* Make sure that the chunk has a valid length.
4344 * Since we don't know the chunk type, we use a general
4345 * chunkhdr structure to make a comparison.
4347 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4348 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4351 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);
4353 return SCTP_DISPOSITION_DISCARD;
4357 * Discard the whole packet.
4361 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4362 * silently discard the OOTB packet and take no further action.
4364 * Verification Tag: No verification necessary
4367 * (endpoint, asoc, chunk)
4370 * (asoc, reply_msg, msg_up, timers, counters)
4372 * The return value is the disposition of the chunk.
4374 sctp_disposition_t sctp_sf_pdiscard(struct net *net,
4375 const struct sctp_endpoint *ep,
4376 const struct sctp_association *asoc,
4377 const union sctp_subtype type,
4379 struct sctp_cmd_seq *commands)
4381 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4382 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4384 return SCTP_DISPOSITION_CONSUME;
4389 * The other end is violating protocol.
4391 * Section: Not specified
4392 * Verification Tag: Not specified
4394 * (endpoint, asoc, chunk)
4397 * (asoc, reply_msg, msg_up, timers, counters)
4399 * We simply tag the chunk as a violation. The state machine will log
4400 * the violation and continue.
4402 sctp_disposition_t sctp_sf_violation(struct net *net,
4403 const struct sctp_endpoint *ep,
4404 const struct sctp_association *asoc,
4405 const union sctp_subtype type,
4407 struct sctp_cmd_seq *commands)
4409 struct sctp_chunk *chunk = arg;
4411 /* Make sure that the chunk has a valid length. */
4412 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4413 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4416 return SCTP_DISPOSITION_VIOLATION;
4420 * Common function to handle a protocol violation.
4422 static sctp_disposition_t sctp_sf_abort_violation(
4424 const struct sctp_endpoint *ep,
4425 const struct sctp_association *asoc,
4427 struct sctp_cmd_seq *commands,
4428 const __u8 *payload,
4429 const size_t paylen)
4431 struct sctp_packet *packet = NULL;
4432 struct sctp_chunk *chunk = arg;
4433 struct sctp_chunk *abort = NULL;
4435 /* SCTP-AUTH, Section 6.3:
4436 * It should be noted that if the receiver wants to tear
4437 * down an association in an authenticated way only, the
4438 * handling of malformed packets should not result in
4439 * tearing down the association.
4441 * This means that if we only want to abort associations
4442 * in an authenticated way (i.e AUTH+ABORT), then we
4443 * can't destroy this association just because the packet
4446 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4449 /* Make the abort chunk. */
4450 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4455 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4456 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4457 !asoc->peer.i.init_tag) {
4458 struct sctp_initack_chunk *initack;
4460 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
4461 if (!sctp_chunk_length_valid(chunk, sizeof(*initack)))
4462 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4464 unsigned int inittag;
4466 inittag = ntohl(initack->init_hdr.init_tag);
4467 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4472 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4473 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4475 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4476 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4477 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4478 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4479 SCTP_ERROR(ECONNREFUSED));
4480 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4481 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4483 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4484 SCTP_ERROR(ECONNABORTED));
4485 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4486 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4487 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4490 packet = sctp_ootb_pkt_new(net, asoc, chunk);
4495 if (sctp_test_T_bit(abort))
4496 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4498 abort->skb->sk = ep->base.sk;
4500 sctp_packet_append_chunk(packet, abort);
4502 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4503 SCTP_PACKET(packet));
4505 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4508 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4511 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4512 return SCTP_DISPOSITION_ABORT;
4515 sctp_chunk_free(abort);
4517 return SCTP_DISPOSITION_NOMEM;
4521 * Handle a protocol violation when the chunk length is invalid.
4522 * "Invalid" length is identified as smaller than the minimal length a
4523 * given chunk can be. For example, a SACK chunk has invalid length
4524 * if its length is set to be smaller than the size of struct sctp_sack_chunk.
4526 * We inform the other end by sending an ABORT with a Protocol Violation
4529 * Section: Not specified
4530 * Verification Tag: Nothing to do
4532 * (endpoint, asoc, chunk)
4535 * (reply_msg, msg_up, counters)
4537 * Generate an ABORT chunk and terminate the association.
4539 static sctp_disposition_t sctp_sf_violation_chunklen(
4541 const struct sctp_endpoint *ep,
4542 const struct sctp_association *asoc,
4543 const union sctp_subtype type,
4545 struct sctp_cmd_seq *commands)
4547 static const char err_str[] = "The following chunk had invalid length:";
4549 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4554 * Handle a protocol violation when the parameter length is invalid.
4555 * If the length is smaller than the minimum length of a given parameter,
4556 * or accumulated length in multi parameters exceeds the end of the chunk,
4557 * the length is considered as invalid.
4559 static sctp_disposition_t sctp_sf_violation_paramlen(
4561 const struct sctp_endpoint *ep,
4562 const struct sctp_association *asoc,
4563 const union sctp_subtype type,
4564 void *arg, void *ext,
4565 struct sctp_cmd_seq *commands)
4567 struct sctp_chunk *chunk = arg;
4568 struct sctp_paramhdr *param = ext;
4569 struct sctp_chunk *abort = NULL;
4571 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4574 /* Make the abort chunk. */
4575 abort = sctp_make_violation_paramlen(asoc, chunk, param);
4579 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4580 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4582 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4583 SCTP_ERROR(ECONNABORTED));
4584 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4585 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4586 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4587 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4590 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4591 return SCTP_DISPOSITION_ABORT;
4593 return SCTP_DISPOSITION_NOMEM;
4596 /* Handle a protocol violation when the peer trying to advance the
4597 * cumulative tsn ack to a point beyond the max tsn currently sent.
4599 * We inform the other end by sending an ABORT with a Protocol Violation
4602 static sctp_disposition_t sctp_sf_violation_ctsn(
4604 const struct sctp_endpoint *ep,
4605 const struct sctp_association *asoc,
4606 const union sctp_subtype type,
4608 struct sctp_cmd_seq *commands)
4610 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";
4612 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4616 /* Handle protocol violation of an invalid chunk bundling. For example,
4617 * when we have an association and we receive bundled INIT-ACK, or
4618 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4619 * statement from the specs. Additionally, there might be an attacker
4620 * on the path and we may not want to continue this communication.
4622 static sctp_disposition_t sctp_sf_violation_chunk(
4624 const struct sctp_endpoint *ep,
4625 const struct sctp_association *asoc,
4626 const union sctp_subtype type,
4628 struct sctp_cmd_seq *commands)
4630 static const char err_str[] = "The following chunk violates protocol:";
4633 return sctp_sf_violation(net, ep, asoc, type, arg, commands);
4635 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4638 /***************************************************************************
4639 * These are the state functions for handling primitive (Section 10) events.
4640 ***************************************************************************/
4642 * sctp_sf_do_prm_asoc
4644 * Section: 10.1 ULP-to-SCTP
4647 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4648 * outbound stream count)
4649 * -> association id [,destination transport addr list] [,outbound stream
4652 * This primitive allows the upper layer to initiate an association to a
4653 * specific peer endpoint.
4655 * The peer endpoint shall be specified by one of the transport addresses
4656 * which defines the endpoint (see Section 1.4). If the local SCTP
4657 * instance has not been initialized, the ASSOCIATE is considered an
4659 * [This is not relevant for the kernel implementation since we do all
4660 * initialization at boot time. It we hadn't initialized we wouldn't
4661 * get anywhere near this code.]
4663 * An association id, which is a local handle to the SCTP association,
4664 * will be returned on successful establishment of the association. If
4665 * SCTP is not able to open an SCTP association with the peer endpoint,
4666 * an error is returned.
4667 * [In the kernel implementation, the struct sctp_association needs to
4668 * be created BEFORE causing this primitive to run.]
4670 * Other association parameters may be returned, including the
4671 * complete destination transport addresses of the peer as well as the
4672 * outbound stream count of the local endpoint. One of the transport
4673 * address from the returned destination addresses will be selected by
4674 * the local endpoint as default primary path for sending SCTP packets
4675 * to this peer. The returned "destination transport addr list" can
4676 * be used by the ULP to change the default primary path or to force
4677 * sending a packet to a specific transport address. [All of this
4678 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
4681 * Mandatory attributes:
4683 * o local SCTP instance name - obtained from the INITIALIZE operation.
4684 * [This is the argument asoc.]
4685 * o destination transport addr - specified as one of the transport
4686 * addresses of the peer endpoint with which the association is to be
4688 * [This is asoc->peer.active_path.]
4689 * o outbound stream count - the number of outbound streams the ULP
4690 * would like to open towards this peer endpoint.
4691 * [BUG: This is not currently implemented.]
4692 * Optional attributes:
4696 * The return value is a disposition.
4698 sctp_disposition_t sctp_sf_do_prm_asoc(struct net *net,
4699 const struct sctp_endpoint *ep,
4700 const struct sctp_association *asoc,
4701 const union sctp_subtype type,
4703 struct sctp_cmd_seq *commands)
4705 struct sctp_chunk *repl;
4706 struct sctp_association *my_asoc;
4708 /* The comment below says that we enter COOKIE-WAIT AFTER
4709 * sending the INIT, but that doesn't actually work in our
4712 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4713 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4715 /* RFC 2960 5.1 Normal Establishment of an Association
4717 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
4718 * must provide its Verification Tag (Tag_A) in the Initiate
4719 * Tag field. Tag_A SHOULD be a random number in the range of
4720 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4723 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4727 /* Choose transport for INIT. */
4728 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4731 /* Cast away the const modifier, as we want to just
4732 * rerun it through as a sideffect.
4734 my_asoc = (struct sctp_association *)asoc;
4735 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4737 /* After sending the INIT, "A" starts the T1-init timer and
4738 * enters the COOKIE-WAIT state.
4740 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4741 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4742 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4743 return SCTP_DISPOSITION_CONSUME;
4746 return SCTP_DISPOSITION_NOMEM;
4750 * Process the SEND primitive.
4752 * Section: 10.1 ULP-to-SCTP
4755 * Format: SEND(association id, buffer address, byte count [,context]
4756 * [,stream id] [,life time] [,destination transport address]
4757 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4760 * This is the main method to send user data via SCTP.
4762 * Mandatory attributes:
4764 * o association id - local handle to the SCTP association
4766 * o buffer address - the location where the user message to be
4767 * transmitted is stored;
4769 * o byte count - The size of the user data in number of bytes;
4771 * Optional attributes:
4773 * o context - an optional 32 bit integer that will be carried in the
4774 * sending failure notification to the ULP if the transportation of
4775 * this User Message fails.
4777 * o stream id - to indicate which stream to send the data on. If not
4778 * specified, stream 0 will be used.
4780 * o life time - specifies the life time of the user data. The user data
4781 * will not be sent by SCTP after the life time expires. This
4782 * parameter can be used to avoid efforts to transmit stale
4783 * user messages. SCTP notifies the ULP if the data cannot be
4784 * initiated to transport (i.e. sent to the destination via SCTP's
4785 * send primitive) within the life time variable. However, the
4786 * user data will be transmitted if SCTP has attempted to transmit a
4787 * chunk before the life time expired.
4789 * o destination transport address - specified as one of the destination
4790 * transport addresses of the peer endpoint to which this packet
4791 * should be sent. Whenever possible, SCTP should use this destination
4792 * transport address for sending the packets, instead of the current
4795 * o unorder flag - this flag, if present, indicates that the user
4796 * would like the data delivered in an unordered fashion to the peer
4797 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
4800 * o no-bundle flag - instructs SCTP not to bundle this user data with
4801 * other outbound DATA chunks. SCTP MAY still bundle even when
4802 * this flag is present, when faced with network congestion.
4804 * o payload protocol-id - A 32 bit unsigned integer that is to be
4805 * passed to the peer indicating the type of payload protocol data
4806 * being transmitted. This value is passed as opaque data by SCTP.
4808 * The return value is the disposition.
4810 sctp_disposition_t sctp_sf_do_prm_send(struct net *net,
4811 const struct sctp_endpoint *ep,
4812 const struct sctp_association *asoc,
4813 const union sctp_subtype type,
4815 struct sctp_cmd_seq *commands)
4817 struct sctp_datamsg *msg = arg;
4819 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
4820 return SCTP_DISPOSITION_CONSUME;
4824 * Process the SHUTDOWN primitive.
4829 * Format: SHUTDOWN(association id)
4832 * Gracefully closes an association. Any locally queued user data
4833 * will be delivered to the peer. The association will be terminated only
4834 * after the peer acknowledges all the SCTP packets sent. A success code
4835 * will be returned on successful termination of the association. If
4836 * attempting to terminate the association results in a failure, an error
4837 * code shall be returned.
4839 * Mandatory attributes:
4841 * o association id - local handle to the SCTP association
4843 * Optional attributes:
4847 * The return value is the disposition.
4849 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(
4851 const struct sctp_endpoint *ep,
4852 const struct sctp_association *asoc,
4853 const union sctp_subtype type,
4855 struct sctp_cmd_seq *commands)
4859 /* From 9.2 Shutdown of an Association
4860 * Upon receipt of the SHUTDOWN primitive from its upper
4861 * layer, the endpoint enters SHUTDOWN-PENDING state and
4862 * remains there until all outstanding data has been
4863 * acknowledged by its peer. The endpoint accepts no new data
4864 * from its upper layer, but retransmits data to the far end
4865 * if necessary to fill gaps.
4867 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4868 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
4870 disposition = SCTP_DISPOSITION_CONSUME;
4871 if (sctp_outq_is_empty(&asoc->outqueue)) {
4872 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
4879 * Process the ABORT primitive.
4884 * Format: Abort(association id [, cause code])
4887 * Ungracefully closes an association. Any locally queued user data
4888 * will be discarded and an ABORT chunk is sent to the peer. A success code
4889 * will be returned on successful abortion of the association. If
4890 * attempting to abort the association results in a failure, an error
4891 * code shall be returned.
4893 * Mandatory attributes:
4895 * o association id - local handle to the SCTP association
4897 * Optional attributes:
4899 * o cause code - reason of the abort to be passed to the peer
4903 * The return value is the disposition.
4905 sctp_disposition_t sctp_sf_do_9_1_prm_abort(
4907 const struct sctp_endpoint *ep,
4908 const struct sctp_association *asoc,
4909 const union sctp_subtype type,
4911 struct sctp_cmd_seq *commands)
4913 /* From 9.1 Abort of an Association
4914 * Upon receipt of the ABORT primitive from its upper
4915 * layer, the endpoint enters CLOSED state and
4916 * discard all outstanding data has been
4917 * acknowledged by its peer. The endpoint accepts no new data
4918 * from its upper layer, but retransmits data to the far end
4919 * if necessary to fill gaps.
4921 struct sctp_chunk *abort = arg;
4924 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4926 /* Even if we can't send the ABORT due to low memory delete the
4927 * TCB. This is a departure from our typical NOMEM handling.
4930 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4931 SCTP_ERROR(ECONNABORTED));
4932 /* Delete the established association. */
4933 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4934 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4936 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4937 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4939 return SCTP_DISPOSITION_ABORT;
4942 /* We tried an illegal operation on an association which is closed. */
4943 sctp_disposition_t sctp_sf_error_closed(struct net *net,
4944 const struct sctp_endpoint *ep,
4945 const struct sctp_association *asoc,
4946 const union sctp_subtype type,
4948 struct sctp_cmd_seq *commands)
4950 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
4951 return SCTP_DISPOSITION_CONSUME;
4954 /* We tried an illegal operation on an association which is shutting
4957 sctp_disposition_t sctp_sf_error_shutdown(struct net *net,
4958 const struct sctp_endpoint *ep,
4959 const struct sctp_association *asoc,
4960 const union sctp_subtype type,
4962 struct sctp_cmd_seq *commands)
4964 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
4965 SCTP_ERROR(-ESHUTDOWN));
4966 return SCTP_DISPOSITION_CONSUME;
4970 * sctp_cookie_wait_prm_shutdown
4972 * Section: 4 Note: 2
4977 * The RFC does not explicitly address this issue, but is the route through the
4978 * state table when someone issues a shutdown while in COOKIE_WAIT state.
4983 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(
4985 const struct sctp_endpoint *ep,
4986 const struct sctp_association *asoc,
4987 const union sctp_subtype type,
4989 struct sctp_cmd_seq *commands)
4991 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4992 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4994 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4995 SCTP_STATE(SCTP_STATE_CLOSED));
4997 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
4999 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
5001 return SCTP_DISPOSITION_DELETE_TCB;
5005 * sctp_cookie_echoed_prm_shutdown
5007 * Section: 4 Note: 2
5012 * The RFC does not explcitly address this issue, but is the route through the
5013 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
5018 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(
5020 const struct sctp_endpoint *ep,
5021 const struct sctp_association *asoc,
5022 const union sctp_subtype type,
5023 void *arg, struct sctp_cmd_seq *commands)
5025 /* There is a single T1 timer, so we should be able to use
5026 * common function with the COOKIE-WAIT state.
5028 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
5032 * sctp_sf_cookie_wait_prm_abort
5034 * Section: 4 Note: 2
5039 * The RFC does not explicitly address this issue, but is the route through the
5040 * state table when someone issues an abort while in COOKIE_WAIT state.
5045 sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
5047 const struct sctp_endpoint *ep,
5048 const struct sctp_association *asoc,
5049 const union sctp_subtype type,
5051 struct sctp_cmd_seq *commands)
5053 struct sctp_chunk *abort = arg;
5055 /* Stop T1-init timer */
5056 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5057 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5060 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5062 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5063 SCTP_STATE(SCTP_STATE_CLOSED));
5065 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5067 /* Even if we can't send the ABORT due to low memory delete the
5068 * TCB. This is a departure from our typical NOMEM handling.
5071 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5072 SCTP_ERROR(ECONNREFUSED));
5073 /* Delete the established association. */
5074 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5075 SCTP_PERR(SCTP_ERROR_USER_ABORT));
5077 return SCTP_DISPOSITION_ABORT;
5081 * sctp_sf_cookie_echoed_prm_abort
5083 * Section: 4 Note: 3
5088 * The RFC does not explcitly address this issue, but is the route through the
5089 * state table when someone issues an abort while in COOKIE_ECHOED state.
5094 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(
5096 const struct sctp_endpoint *ep,
5097 const struct sctp_association *asoc,
5098 const union sctp_subtype type,
5100 struct sctp_cmd_seq *commands)
5102 /* There is a single T1 timer, so we should be able to use
5103 * common function with the COOKIE-WAIT state.
5105 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5109 * sctp_sf_shutdown_pending_prm_abort
5114 * The RFC does not explicitly address this issue, but is the route through the
5115 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5120 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(
5122 const struct sctp_endpoint *ep,
5123 const struct sctp_association *asoc,
5124 const union sctp_subtype type,
5126 struct sctp_cmd_seq *commands)
5128 /* Stop the T5-shutdown guard timer. */
5129 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5130 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5132 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5136 * sctp_sf_shutdown_sent_prm_abort
5141 * The RFC does not explicitly address this issue, but is the route through the
5142 * state table when someone issues an abort while in SHUTDOWN-SENT state.
5147 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(
5149 const struct sctp_endpoint *ep,
5150 const struct sctp_association *asoc,
5151 const union sctp_subtype type,
5153 struct sctp_cmd_seq *commands)
5155 /* Stop the T2-shutdown timer. */
5156 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5157 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5159 /* Stop the T5-shutdown guard timer. */
5160 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5161 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5163 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5167 * sctp_sf_cookie_echoed_prm_abort
5172 * The RFC does not explcitly address this issue, but is the route through the
5173 * state table when someone issues an abort while in COOKIE_ECHOED state.
5178 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(
5180 const struct sctp_endpoint *ep,
5181 const struct sctp_association *asoc,
5182 const union sctp_subtype type,
5184 struct sctp_cmd_seq *commands)
5186 /* The same T2 timer, so we should be able to use
5187 * common function with the SHUTDOWN-SENT state.
5189 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5193 * Process the REQUESTHEARTBEAT primitive
5196 * J) Request Heartbeat
5198 * Format: REQUESTHEARTBEAT(association id, destination transport address)
5202 * Instructs the local endpoint to perform a HeartBeat on the specified
5203 * destination transport address of the given association. The returned
5204 * result should indicate whether the transmission of the HEARTBEAT
5205 * chunk to the destination address is successful.
5207 * Mandatory attributes:
5209 * o association id - local handle to the SCTP association
5211 * o destination transport address - the transport address of the
5212 * association on which a heartbeat should be issued.
5214 sctp_disposition_t sctp_sf_do_prm_requestheartbeat(
5216 const struct sctp_endpoint *ep,
5217 const struct sctp_association *asoc,
5218 const union sctp_subtype type,
5220 struct sctp_cmd_seq *commands)
5222 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5223 (struct sctp_transport *)arg, commands))
5224 return SCTP_DISPOSITION_NOMEM;
5227 * RFC 2960 (bis), section 8.3
5229 * D) Request an on-demand HEARTBEAT on a specific destination
5230 * transport address of a given association.
5232 * The endpoint should increment the respective error counter of
5233 * the destination transport address each time a HEARTBEAT is sent
5234 * to that address and not acknowledged within one RTO.
5237 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5238 SCTP_TRANSPORT(arg));
5239 return SCTP_DISPOSITION_CONSUME;
5243 * ADDIP Section 4.1 ASCONF Chunk Procedures
5244 * When an endpoint has an ASCONF signaled change to be sent to the
5245 * remote endpoint it should do A1 to A9
5247 sctp_disposition_t sctp_sf_do_prm_asconf(struct net *net,
5248 const struct sctp_endpoint *ep,
5249 const struct sctp_association *asoc,
5250 const union sctp_subtype type,
5252 struct sctp_cmd_seq *commands)
5254 struct sctp_chunk *chunk = arg;
5256 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5257 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5258 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5259 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5260 return SCTP_DISPOSITION_CONSUME;
5263 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */
5264 sctp_disposition_t sctp_sf_do_prm_reconf(struct net *net,
5265 const struct sctp_endpoint *ep,
5266 const struct sctp_association *asoc,
5267 const union sctp_subtype type,
5269 struct sctp_cmd_seq *commands)
5271 struct sctp_chunk *chunk = arg;
5273 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5274 return SCTP_DISPOSITION_CONSUME;
5278 * Ignore the primitive event
5280 * The return value is the disposition of the primitive.
5282 sctp_disposition_t sctp_sf_ignore_primitive(
5284 const struct sctp_endpoint *ep,
5285 const struct sctp_association *asoc,
5286 const union sctp_subtype type,
5288 struct sctp_cmd_seq *commands)
5290 pr_debug("%s: primitive type:%d is ignored\n", __func__,
5293 return SCTP_DISPOSITION_DISCARD;
5296 /***************************************************************************
5297 * These are the state functions for the OTHER events.
5298 ***************************************************************************/
5301 * When the SCTP stack has no more user data to send or retransmit, this
5302 * notification is given to the user. Also, at the time when a user app
5303 * subscribes to this event, if there is no data to be sent or
5304 * retransmit, the stack will immediately send up this notification.
5306 sctp_disposition_t sctp_sf_do_no_pending_tsn(
5308 const struct sctp_endpoint *ep,
5309 const struct sctp_association *asoc,
5310 const union sctp_subtype type,
5312 struct sctp_cmd_seq *commands)
5314 struct sctp_ulpevent *event;
5316 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5318 return SCTP_DISPOSITION_NOMEM;
5320 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5322 return SCTP_DISPOSITION_CONSUME;
5326 * Start the shutdown negotiation.
5329 * Once all its outstanding data has been acknowledged, the endpoint
5330 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5331 * TSN Ack field the last sequential TSN it has received from the peer.
5332 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5333 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5334 * with the updated last sequential TSN received from its peer.
5336 * The return value is the disposition.
5338 sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
5340 const struct sctp_endpoint *ep,
5341 const struct sctp_association *asoc,
5342 const union sctp_subtype type,
5344 struct sctp_cmd_seq *commands)
5346 struct sctp_chunk *reply;
5348 /* Once all its outstanding data has been acknowledged, the
5349 * endpoint shall send a SHUTDOWN chunk to its peer including
5350 * in the Cumulative TSN Ack field the last sequential TSN it
5351 * has received from the peer.
5353 reply = sctp_make_shutdown(asoc, NULL);
5357 /* Set the transport for the SHUTDOWN chunk and the timeout for the
5358 * T2-shutdown timer.
5360 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5362 /* It shall then start the T2-shutdown timer */
5363 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5364 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5366 /* RFC 4960 Section 9.2
5367 * The sender of the SHUTDOWN MAY also start an overall guard timer
5368 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5370 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5371 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5373 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5374 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5375 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5377 /* and enter the SHUTDOWN-SENT state. */
5378 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5379 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5381 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5383 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5386 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5388 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5390 return SCTP_DISPOSITION_CONSUME;
5393 return SCTP_DISPOSITION_NOMEM;
5397 * Generate a SHUTDOWN ACK now that everything is SACK'd.
5401 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5402 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5403 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5404 * endpoint must re-send the SHUTDOWN ACK.
5406 * The return value is the disposition.
5408 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(
5410 const struct sctp_endpoint *ep,
5411 const struct sctp_association *asoc,
5412 const union sctp_subtype type,
5414 struct sctp_cmd_seq *commands)
5416 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
5417 struct sctp_chunk *reply;
5419 /* There are 2 ways of getting here:
5420 * 1) called in response to a SHUTDOWN chunk
5421 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5423 * For the case (2), the arg parameter is set to NULL. We need
5424 * to check that we have a chunk before accessing it's fields.
5427 if (!sctp_vtag_verify(chunk, asoc))
5428 return sctp_sf_pdiscard(net, ep, asoc, type, arg,
5431 /* Make sure that the SHUTDOWN chunk has a valid length. */
5432 if (!sctp_chunk_length_valid(
5433 chunk, sizeof(struct sctp_shutdown_chunk)))
5434 return sctp_sf_violation_chunklen(net, ep, asoc, type,
5438 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5439 * shall send a SHUTDOWN ACK ...
5441 reply = sctp_make_shutdown_ack(asoc, chunk);
5445 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5446 * the T2-shutdown timer.
5448 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5450 /* and start/restart a T2-shutdown timer of its own, */
5451 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5452 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5454 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5455 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5456 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5458 /* Enter the SHUTDOWN-ACK-SENT state. */
5459 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5460 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5462 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5464 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5467 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5469 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5471 return SCTP_DISPOSITION_CONSUME;
5474 return SCTP_DISPOSITION_NOMEM;
5478 * Ignore the event defined as other
5480 * The return value is the disposition of the event.
5482 sctp_disposition_t sctp_sf_ignore_other(struct net *net,
5483 const struct sctp_endpoint *ep,
5484 const struct sctp_association *asoc,
5485 const union sctp_subtype type,
5487 struct sctp_cmd_seq *commands)
5489 pr_debug("%s: the event other type:%d is ignored\n",
5490 __func__, type.other);
5492 return SCTP_DISPOSITION_DISCARD;
5495 /************************************************************
5496 * These are the state functions for handling timeout events.
5497 ************************************************************/
5502 * Section: 6.3.3 Handle T3-rtx Expiration
5504 * Whenever the retransmission timer T3-rtx expires for a destination
5505 * address, do the following:
5508 * The return value is the disposition of the chunk.
5510 sctp_disposition_t sctp_sf_do_6_3_3_rtx(struct net *net,
5511 const struct sctp_endpoint *ep,
5512 const struct sctp_association *asoc,
5513 const union sctp_subtype type,
5515 struct sctp_cmd_seq *commands)
5517 struct sctp_transport *transport = arg;
5519 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5521 if (asoc->overall_error_count >= asoc->max_retrans) {
5522 if (asoc->peer.zero_window_announced &&
5523 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5525 * We are here likely because the receiver had its rwnd
5526 * closed for a while and we have not been able to
5527 * transmit the locally queued data within the maximum
5528 * retransmission attempts limit. Start the T5
5529 * shutdown guard timer to give the receiver one last
5530 * chance and some additional time to recover before
5533 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5534 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5536 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5537 SCTP_ERROR(ETIMEDOUT));
5538 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5539 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5540 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5541 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5542 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5543 return SCTP_DISPOSITION_DELETE_TCB;
5547 /* E1) For the destination address for which the timer
5548 * expires, adjust its ssthresh with rules defined in Section
5549 * 7.2.3 and set the cwnd <- MTU.
5552 /* E2) For the destination address for which the timer
5553 * expires, set RTO <- RTO * 2 ("back off the timer"). The
5554 * maximum value discussed in rule C7 above (RTO.max) may be
5555 * used to provide an upper bound to this doubling operation.
5558 /* E3) Determine how many of the earliest (i.e., lowest TSN)
5559 * outstanding DATA chunks for the address for which the
5560 * T3-rtx has expired will fit into a single packet, subject
5561 * to the MTU constraint for the path corresponding to the
5562 * destination transport address to which the retransmission
5563 * is being sent (this may be different from the address for
5564 * which the timer expires [see Section 6.4]). Call this
5565 * value K. Bundle and retransmit those K DATA chunks in a
5566 * single packet to the destination endpoint.
5568 * Note: Any DATA chunks that were sent to the address for
5569 * which the T3-rtx timer expired but did not fit in one MTU
5570 * (rule E3 above), should be marked for retransmission and
5571 * sent as soon as cwnd allows (normally when a SACK arrives).
5574 /* Do some failure management (Section 8.2). */
5575 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5577 /* NB: Rules E4 and F1 are implicit in R1. */
5578 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5580 return SCTP_DISPOSITION_CONSUME;
5584 * Generate delayed SACK on timeout
5586 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
5588 * The guidelines on delayed acknowledgement algorithm specified in
5589 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
5590 * acknowledgement SHOULD be generated for at least every second packet
5591 * (not every second DATA chunk) received, and SHOULD be generated
5592 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
5593 * some situations it may be beneficial for an SCTP transmitter to be
5594 * more conservative than the algorithms detailed in this document
5595 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5596 * the following algorithms allow.
5598 sctp_disposition_t sctp_sf_do_6_2_sack(struct net *net,
5599 const struct sctp_endpoint *ep,
5600 const struct sctp_association *asoc,
5601 const union sctp_subtype type,
5603 struct sctp_cmd_seq *commands)
5605 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5606 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5607 return SCTP_DISPOSITION_CONSUME;
5611 * sctp_sf_t1_init_timer_expire
5613 * Section: 4 Note: 2
5618 * RFC 2960 Section 4 Notes
5619 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5620 * and re-start the T1-init timer without changing state. This MUST
5621 * be repeated up to 'Max.Init.Retransmits' times. After that, the
5622 * endpoint MUST abort the initialization process and report the
5623 * error to SCTP user.
5629 sctp_disposition_t sctp_sf_t1_init_timer_expire(struct net *net,
5630 const struct sctp_endpoint *ep,
5631 const struct sctp_association *asoc,
5632 const union sctp_subtype type,
5634 struct sctp_cmd_seq *commands)
5636 struct sctp_chunk *repl = NULL;
5637 struct sctp_bind_addr *bp;
5638 int attempts = asoc->init_err_counter + 1;
5640 pr_debug("%s: timer T1 expired (INIT)\n", __func__);
5642 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5644 if (attempts <= asoc->max_init_attempts) {
5645 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5646 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5648 return SCTP_DISPOSITION_NOMEM;
5650 /* Choose transport for INIT. */
5651 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5654 /* Issue a sideeffect to do the needed accounting. */
5655 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5656 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5658 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5660 pr_debug("%s: giving up on INIT, attempts:%d "
5661 "max_init_attempts:%d\n", __func__, attempts,
5662 asoc->max_init_attempts);
5664 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5665 SCTP_ERROR(ETIMEDOUT));
5666 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5667 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5668 return SCTP_DISPOSITION_DELETE_TCB;
5671 return SCTP_DISPOSITION_CONSUME;
5675 * sctp_sf_t1_cookie_timer_expire
5677 * Section: 4 Note: 2
5682 * RFC 2960 Section 4 Notes
5683 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
5684 * COOKIE ECHO and re-start the T1-cookie timer without changing
5685 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
5686 * After that, the endpoint MUST abort the initialization process and
5687 * report the error to SCTP user.
5693 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(struct net *net,
5694 const struct sctp_endpoint *ep,
5695 const struct sctp_association *asoc,
5696 const union sctp_subtype type,
5698 struct sctp_cmd_seq *commands)
5700 struct sctp_chunk *repl = NULL;
5701 int attempts = asoc->init_err_counter + 1;
5703 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);
5705 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5707 if (attempts <= asoc->max_init_attempts) {
5708 repl = sctp_make_cookie_echo(asoc, NULL);
5710 return SCTP_DISPOSITION_NOMEM;
5712 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5714 /* Issue a sideeffect to do the needed accounting. */
5715 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5716 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5718 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5720 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5721 SCTP_ERROR(ETIMEDOUT));
5722 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5723 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5724 return SCTP_DISPOSITION_DELETE_TCB;
5727 return SCTP_DISPOSITION_CONSUME;
5730 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5731 * with the updated last sequential TSN received from its peer.
5733 * An endpoint should limit the number of retransmissions of the
5734 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5735 * If this threshold is exceeded the endpoint should destroy the TCB and
5736 * MUST report the peer endpoint unreachable to the upper layer (and
5737 * thus the association enters the CLOSED state). The reception of any
5738 * packet from its peer (i.e. as the peer sends all of its queued DATA
5739 * chunks) should clear the endpoint's retransmission count and restart
5740 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
5741 * all of its queued DATA chunks that have not yet been sent.
5743 sctp_disposition_t sctp_sf_t2_timer_expire(struct net *net,
5744 const struct sctp_endpoint *ep,
5745 const struct sctp_association *asoc,
5746 const union sctp_subtype type,
5748 struct sctp_cmd_seq *commands)
5750 struct sctp_chunk *reply = NULL;
5752 pr_debug("%s: timer T2 expired\n", __func__);
5754 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5756 ((struct sctp_association *)asoc)->shutdown_retries++;
5758 if (asoc->overall_error_count >= asoc->max_retrans) {
5759 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5760 SCTP_ERROR(ETIMEDOUT));
5761 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5762 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5763 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5764 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5765 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5766 return SCTP_DISPOSITION_DELETE_TCB;
5769 switch (asoc->state) {
5770 case SCTP_STATE_SHUTDOWN_SENT:
5771 reply = sctp_make_shutdown(asoc, NULL);
5774 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5775 reply = sctp_make_shutdown_ack(asoc, NULL);
5786 /* Do some failure management (Section 8.2).
5787 * If we remove the transport an SHUTDOWN was last sent to, don't
5788 * do failure management.
5790 if (asoc->shutdown_last_sent_to)
5791 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5792 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5794 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5795 * the T2-shutdown timer.
5797 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5799 /* Restart the T2-shutdown timer. */
5800 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5801 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5802 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5803 return SCTP_DISPOSITION_CONSUME;
5806 return SCTP_DISPOSITION_NOMEM;
5810 * ADDIP Section 4.1 ASCONF CHunk Procedures
5811 * If the T4 RTO timer expires the endpoint should do B1 to B5
5813 sctp_disposition_t sctp_sf_t4_timer_expire(
5815 const struct sctp_endpoint *ep,
5816 const struct sctp_association *asoc,
5817 const union sctp_subtype type,
5819 struct sctp_cmd_seq *commands)
5821 struct sctp_chunk *chunk = asoc->addip_last_asconf;
5822 struct sctp_transport *transport = chunk->transport;
5824 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
5826 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
5827 * detection on the appropriate destination address as defined in
5828 * RFC2960 [5] section 8.1 and 8.2.
5831 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5832 SCTP_TRANSPORT(transport));
5834 /* Reconfig T4 timer and transport. */
5835 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5837 /* ADDIP 4.1 B2) Increment the association error counters and perform
5838 * endpoint failure detection on the association as defined in
5839 * RFC2960 [5] section 8.1 and 8.2.
5840 * association error counter is incremented in SCTP_CMD_STRIKE.
5842 if (asoc->overall_error_count >= asoc->max_retrans) {
5843 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5844 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5845 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5846 SCTP_ERROR(ETIMEDOUT));
5847 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5848 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5849 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5850 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5851 return SCTP_DISPOSITION_ABORT;
5854 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
5855 * the ASCONF chunk was sent by doubling the RTO timer value.
5856 * This is done in SCTP_CMD_STRIKE.
5859 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
5860 * choose an alternate destination address (please refer to RFC2960
5861 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
5862 * chunk, it MUST be the same (including its serial number) as the last
5865 sctp_chunk_hold(asoc->addip_last_asconf);
5866 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5867 SCTP_CHUNK(asoc->addip_last_asconf));
5869 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
5870 * destination is selected, then the RTO used will be that of the new
5871 * destination address.
5873 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5874 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5876 return SCTP_DISPOSITION_CONSUME;
5879 /* sctpimpguide-05 Section 2.12.2
5880 * The sender of the SHUTDOWN MAY also start an overall guard timer
5881 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5882 * At the expiration of this timer the sender SHOULD abort the association
5883 * by sending an ABORT chunk.
5885 sctp_disposition_t sctp_sf_t5_timer_expire(struct net *net,
5886 const struct sctp_endpoint *ep,
5887 const struct sctp_association *asoc,
5888 const union sctp_subtype type,
5890 struct sctp_cmd_seq *commands)
5892 struct sctp_chunk *reply = NULL;
5894 pr_debug("%s: timer T5 expired\n", __func__);
5896 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
5898 reply = sctp_make_abort(asoc, NULL, 0);
5902 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5903 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5904 SCTP_ERROR(ETIMEDOUT));
5905 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5906 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5908 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5909 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5911 return SCTP_DISPOSITION_DELETE_TCB;
5913 return SCTP_DISPOSITION_NOMEM;
5916 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
5917 * the association is automatically closed by starting the shutdown process.
5918 * The work that needs to be done is same as when SHUTDOWN is initiated by
5919 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
5921 sctp_disposition_t sctp_sf_autoclose_timer_expire(
5923 const struct sctp_endpoint *ep,
5924 const struct sctp_association *asoc,
5925 const union sctp_subtype type,
5927 struct sctp_cmd_seq *commands)
5931 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
5933 /* From 9.2 Shutdown of an Association
5934 * Upon receipt of the SHUTDOWN primitive from its upper
5935 * layer, the endpoint enters SHUTDOWN-PENDING state and
5936 * remains there until all outstanding data has been
5937 * acknowledged by its peer. The endpoint accepts no new data
5938 * from its upper layer, but retransmits data to the far end
5939 * if necessary to fill gaps.
5941 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5942 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5944 disposition = SCTP_DISPOSITION_CONSUME;
5945 if (sctp_outq_is_empty(&asoc->outqueue)) {
5946 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5952 /*****************************************************************************
5953 * These are sa state functions which could apply to all types of events.
5954 ****************************************************************************/
5957 * This table entry is not implemented.
5960 * (endpoint, asoc, chunk)
5962 * The return value is the disposition of the chunk.
5964 sctp_disposition_t sctp_sf_not_impl(struct net *net,
5965 const struct sctp_endpoint *ep,
5966 const struct sctp_association *asoc,
5967 const union sctp_subtype type,
5969 struct sctp_cmd_seq *commands)
5971 return SCTP_DISPOSITION_NOT_IMPL;
5975 * This table entry represents a bug.
5978 * (endpoint, asoc, chunk)
5980 * The return value is the disposition of the chunk.
5982 sctp_disposition_t sctp_sf_bug(struct net *net,
5983 const struct sctp_endpoint *ep,
5984 const struct sctp_association *asoc,
5985 const union sctp_subtype type,
5987 struct sctp_cmd_seq *commands)
5989 return SCTP_DISPOSITION_BUG;
5993 * This table entry represents the firing of a timer in the wrong state.
5994 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
5995 * when the association is in the wrong state. This event should
5996 * be ignored, so as to prevent any rearming of the timer.
5999 * (endpoint, asoc, chunk)
6001 * The return value is the disposition of the chunk.
6003 sctp_disposition_t sctp_sf_timer_ignore(struct net *net,
6004 const struct sctp_endpoint *ep,
6005 const struct sctp_association *asoc,
6006 const union sctp_subtype type,
6008 struct sctp_cmd_seq *commands)
6010 pr_debug("%s: timer %d ignored\n", __func__, type.chunk);
6012 return SCTP_DISPOSITION_CONSUME;
6015 /********************************************************************
6016 * 2nd Level Abstractions
6017 ********************************************************************/
6019 /* Pull the SACK chunk based on the SACK header. */
6020 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
6022 struct sctp_sackhdr *sack;
6027 /* Protect ourselves from reading too far into
6028 * the skb from a bogus sender.
6030 sack = (struct sctp_sackhdr *) chunk->skb->data;
6032 num_blocks = ntohs(sack->num_gap_ack_blocks);
6033 num_dup_tsns = ntohs(sack->num_dup_tsns);
6034 len = sizeof(struct sctp_sackhdr);
6035 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
6036 if (len > chunk->skb->len)
6039 skb_pull(chunk->skb, len);
6044 /* Create an ABORT packet to be sent as a response, with the specified
6047 static struct sctp_packet *sctp_abort_pkt_new(struct net *net,
6048 const struct sctp_endpoint *ep,
6049 const struct sctp_association *asoc,
6050 struct sctp_chunk *chunk,
6051 const void *payload,
6054 struct sctp_packet *packet;
6055 struct sctp_chunk *abort;
6057 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6061 * The T bit will be set if the asoc is NULL.
6063 abort = sctp_make_abort(asoc, chunk, paylen);
6065 sctp_ootb_pkt_free(packet);
6069 /* Reflect vtag if T-Bit is set */
6070 if (sctp_test_T_bit(abort))
6071 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
6073 /* Add specified error causes, i.e., payload, to the
6076 sctp_addto_chunk(abort, paylen, payload);
6078 /* Set the skb to the belonging sock for accounting. */
6079 abort->skb->sk = ep->base.sk;
6081 sctp_packet_append_chunk(packet, abort);
6088 /* Allocate a packet for responding in the OOTB conditions. */
6089 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
6090 const struct sctp_association *asoc,
6091 const struct sctp_chunk *chunk)
6093 struct sctp_packet *packet;
6094 struct sctp_transport *transport;
6099 /* Get the source and destination port from the inbound packet. */
6100 sport = ntohs(chunk->sctp_hdr->dest);
6101 dport = ntohs(chunk->sctp_hdr->source);
6103 /* The V-tag is going to be the same as the inbound packet if no
6104 * association exists, otherwise, use the peer's vtag.
6107 /* Special case the INIT-ACK as there is no peer's vtag
6110 switch (chunk->chunk_hdr->type) {
6111 case SCTP_CID_INIT_ACK:
6113 struct sctp_initack_chunk *initack;
6115 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
6116 vtag = ntohl(initack->init_hdr.init_tag);
6120 vtag = asoc->peer.i.init_tag;
6124 /* Special case the INIT and stale COOKIE_ECHO as there is no
6127 switch (chunk->chunk_hdr->type) {
6130 struct sctp_init_chunk *init;
6132 init = (struct sctp_init_chunk *)chunk->chunk_hdr;
6133 vtag = ntohl(init->init_hdr.init_tag);
6137 vtag = ntohl(chunk->sctp_hdr->vtag);
6142 /* Make a transport for the bucket, Eliza... */
6143 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6147 /* Cache a route for the transport with the chunk's destination as
6148 * the source address.
6150 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6151 sctp_sk(net->sctp.ctl_sock));
6153 packet = &transport->packet;
6154 sctp_packet_init(packet, transport, sport, dport);
6155 sctp_packet_config(packet, vtag, 0);
6163 /* Free the packet allocated earlier for responding in the OOTB condition. */
6164 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6166 sctp_transport_free(packet->transport);
6169 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
6170 static void sctp_send_stale_cookie_err(struct net *net,
6171 const struct sctp_endpoint *ep,
6172 const struct sctp_association *asoc,
6173 const struct sctp_chunk *chunk,
6174 struct sctp_cmd_seq *commands,
6175 struct sctp_chunk *err_chunk)
6177 struct sctp_packet *packet;
6180 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6182 struct sctp_signed_cookie *cookie;
6184 /* Override the OOTB vtag from the cookie. */
6185 cookie = chunk->subh.cookie_hdr;
6186 packet->vtag = cookie->c.peer_vtag;
6188 /* Set the skb to the belonging sock for accounting. */
6189 err_chunk->skb->sk = ep->base.sk;
6190 sctp_packet_append_chunk(packet, err_chunk);
6191 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6192 SCTP_PACKET(packet));
6193 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6195 sctp_chunk_free (err_chunk);
6200 /* Process a data chunk */
6201 static int sctp_eat_data(const struct sctp_association *asoc,
6202 struct sctp_chunk *chunk,
6203 struct sctp_cmd_seq *commands)
6205 struct sctp_datahdr *data_hdr;
6206 struct sctp_chunk *err;
6208 sctp_verb_t deliver;
6211 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6212 struct sock *sk = asoc->base.sk;
6213 struct net *net = sock_net(sk);
6218 data_hdr = (struct sctp_datahdr *)chunk->skb->data;
6219 chunk->subh.data_hdr = data_hdr;
6220 skb_pull(chunk->skb, sizeof(*data_hdr));
6222 tsn = ntohl(data_hdr->tsn);
6223 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
6225 /* ASSERT: Now skb->data is really the user data. */
6227 /* Process ECN based congestion.
6229 * Since the chunk structure is reused for all chunks within
6230 * a packet, we use ecn_ce_done to track if we've already
6231 * done CE processing for this packet.
6233 * We need to do ECN processing even if we plan to discard the
6237 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) {
6238 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af;
6239 chunk->ecn_ce_done = 1;
6241 if (af->is_ce(sctp_gso_headskb(chunk->skb))) {
6242 /* Do real work as sideffect. */
6243 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6248 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6250 /* The TSN is too high--silently discard the chunk and
6251 * count on it getting retransmitted later.
6254 chunk->asoc->stats.outofseqtsns++;
6255 return SCTP_IERROR_HIGH_TSN;
6256 } else if (tmp > 0) {
6257 /* This is a duplicate. Record it. */
6258 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6259 return SCTP_IERROR_DUP_TSN;
6262 /* This is a new TSN. */
6264 /* Discard if there is no room in the receive window.
6265 * Actually, allow a little bit of overflow (up to a MTU).
6267 datalen = ntohs(chunk->chunk_hdr->length);
6268 datalen -= sizeof(struct sctp_data_chunk);
6270 deliver = SCTP_CMD_CHUNK_ULP;
6272 /* Think about partial delivery. */
6273 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6275 /* Even if we don't accept this chunk there is
6278 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6281 /* Spill over rwnd a little bit. Note: While allowed, this spill over
6282 * seems a bit troublesome in that frag_point varies based on
6283 * PMTU. In cases, such as loopback, this might be a rather
6286 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6287 (datalen > asoc->rwnd + asoc->frag_point))) {
6289 /* If this is the next TSN, consider reneging to make
6290 * room. Note: Playing nice with a confused sender. A
6291 * malicious sender can still eat up all our buffer
6292 * space and in the future we may want to detect and
6293 * do more drastic reneging.
6295 if (sctp_tsnmap_has_gap(map) &&
6296 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6297 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
6298 deliver = SCTP_CMD_RENEGE;
6300 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
6301 __func__, tsn, datalen, asoc->rwnd);
6303 return SCTP_IERROR_IGNORE_TSN;
6308 * Also try to renege to limit our memory usage in the event that
6309 * we are under memory pressure
6310 * If we can't renege, don't worry about it, the sk_rmem_schedule
6311 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6312 * memory usage too much
6314 if (*sk->sk_prot_creator->memory_pressure) {
6315 if (sctp_tsnmap_has_gap(map) &&
6316 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6317 pr_debug("%s: under pressure, reneging for tsn:%u\n",
6319 deliver = SCTP_CMD_RENEGE;
6324 * Section 3.3.10.9 No User Data (9)
6328 * No User Data: This error cause is returned to the originator of a
6329 * DATA chunk if a received DATA chunk has no user data.
6331 if (unlikely(0 == datalen)) {
6332 err = sctp_make_abort_no_data(asoc, chunk, tsn);
6334 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6337 /* We are going to ABORT, so we might as well stop
6338 * processing the rest of the chunks in the packet.
6340 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
6341 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6342 SCTP_ERROR(ECONNABORTED));
6343 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6344 SCTP_PERR(SCTP_ERROR_NO_DATA));
6345 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6346 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6347 return SCTP_IERROR_NO_DATA;
6350 chunk->data_accepted = 1;
6352 /* Note: Some chunks may get overcounted (if we drop) or overcounted
6353 * if we renege and the chunk arrives again.
6355 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6356 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6358 chunk->asoc->stats.iuodchunks++;
6360 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6362 chunk->asoc->stats.iodchunks++;
6366 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6368 * If an endpoint receive a DATA chunk with an invalid stream
6369 * identifier, it shall acknowledge the reception of the DATA chunk
6370 * following the normal procedure, immediately send an ERROR chunk
6371 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6372 * and discard the DATA chunk.
6374 sid = ntohs(data_hdr->stream);
6375 if (sid >= asoc->stream.incnt) {
6376 /* Mark tsn as received even though we drop it */
6377 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6379 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6381 sizeof(data_hdr->stream),
6384 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6386 return SCTP_IERROR_BAD_STREAM;
6389 /* Check to see if the SSN is possible for this TSN.
6390 * The biggest gap we can record is 4K wide. Since SSNs wrap
6391 * at an unsigned short, there is no way that an SSN can
6392 * wrap and for a valid TSN. We can simply check if the current
6393 * SSN is smaller then the next expected one. If it is, it wrapped
6396 ssn = ntohs(data_hdr->ssn);
6397 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->stream, in, sid)))
6398 return SCTP_IERROR_PROTO_VIOLATION;
6400 /* Send the data up to the user. Note: Schedule the
6401 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6402 * chunk needs the updated rwnd.
6404 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6406 return SCTP_IERROR_NO_ERROR;