1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* SCTP kernel implementation
3 * (C) Copyright IBM Corp. 2001, 2004
4 * Copyright (c) 1999-2000 Cisco, Inc.
5 * Copyright (c) 1999-2001 Motorola, Inc.
6 * Copyright (c) 2001-2002 Intel Corp.
7 * Copyright (c) 2002 Nokia Corp.
9 * This is part of the SCTP Linux Kernel Implementation.
11 * These are the state functions for the state machine.
13 * Please send any bug reports or fixes you make to the
15 * lksctp developers <linux-sctp@vger.kernel.org>
17 * Written or modified by:
18 * La Monte H.P. Yarroll <piggy@acm.org>
19 * Karl Knutson <karl@athena.chicago.il.us>
20 * Mathew Kotowsky <kotowsky@sctp.org>
21 * Sridhar Samudrala <samudrala@us.ibm.com>
22 * Jon Grimm <jgrimm@us.ibm.com>
23 * Hui Huang <hui.huang@nokia.com>
24 * Dajiang Zhang <dajiang.zhang@nokia.com>
25 * Daisy Chang <daisyc@us.ibm.com>
26 * Ardelle Fan <ardelle.fan@intel.com>
27 * Ryan Layer <rmlayer@us.ibm.com>
28 * Kevin Gao <kevin.gao@intel.com>
31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33 #include <linux/types.h>
34 #include <linux/kernel.h>
36 #include <linux/ipv6.h>
37 #include <linux/net.h>
38 #include <linux/inet.h>
39 #include <linux/slab.h>
41 #include <net/inet_ecn.h>
42 #include <linux/skbuff.h>
43 #include <net/sctp/sctp.h>
44 #include <net/sctp/sm.h>
45 #include <net/sctp/structs.h>
47 #define CREATE_TRACE_POINTS
48 #include <trace/events/sctp.h>
50 static struct sctp_packet *sctp_abort_pkt_new(
52 const struct sctp_endpoint *ep,
53 const struct sctp_association *asoc,
54 struct sctp_chunk *chunk,
55 const void *payload, size_t paylen);
56 static int sctp_eat_data(const struct sctp_association *asoc,
57 struct sctp_chunk *chunk,
58 struct sctp_cmd_seq *commands);
59 static struct sctp_packet *sctp_ootb_pkt_new(
61 const struct sctp_association *asoc,
62 const struct sctp_chunk *chunk);
63 static void sctp_send_stale_cookie_err(struct net *net,
64 const struct sctp_endpoint *ep,
65 const struct sctp_association *asoc,
66 const struct sctp_chunk *chunk,
67 struct sctp_cmd_seq *commands,
68 struct sctp_chunk *err_chunk);
69 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
71 const struct sctp_endpoint *ep,
72 const struct sctp_association *asoc,
73 const union sctp_subtype type,
75 struct sctp_cmd_seq *commands);
76 static enum sctp_disposition sctp_sf_shut_8_4_5(
78 const struct sctp_endpoint *ep,
79 const struct sctp_association *asoc,
80 const union sctp_subtype type,
82 struct sctp_cmd_seq *commands);
83 static enum sctp_disposition sctp_sf_tabort_8_4_8(
85 const struct sctp_endpoint *ep,
86 const struct sctp_association *asoc,
87 const union sctp_subtype type,
89 struct sctp_cmd_seq *commands);
90 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
92 static enum sctp_disposition sctp_stop_t1_and_abort(
94 struct sctp_cmd_seq *commands,
95 __be16 error, int sk_err,
96 const struct sctp_association *asoc,
97 struct sctp_transport *transport);
99 static enum sctp_disposition sctp_sf_abort_violation(
101 const struct sctp_endpoint *ep,
102 const struct sctp_association *asoc,
104 struct sctp_cmd_seq *commands,
106 const size_t paylen);
108 static enum sctp_disposition sctp_sf_violation_chunklen(
110 const struct sctp_endpoint *ep,
111 const struct sctp_association *asoc,
112 const union sctp_subtype type,
114 struct sctp_cmd_seq *commands);
116 static enum sctp_disposition sctp_sf_violation_paramlen(
118 const struct sctp_endpoint *ep,
119 const struct sctp_association *asoc,
120 const union sctp_subtype type,
121 void *arg, void *ext,
122 struct sctp_cmd_seq *commands);
124 static enum sctp_disposition sctp_sf_violation_ctsn(
126 const struct sctp_endpoint *ep,
127 const struct sctp_association *asoc,
128 const union sctp_subtype type,
130 struct sctp_cmd_seq *commands);
132 static enum sctp_disposition sctp_sf_violation_chunk(
134 const struct sctp_endpoint *ep,
135 const struct sctp_association *asoc,
136 const union sctp_subtype type,
138 struct sctp_cmd_seq *commands);
140 static enum sctp_ierror sctp_sf_authenticate(
141 const struct sctp_association *asoc,
142 struct sctp_chunk *chunk);
144 static enum sctp_disposition __sctp_sf_do_9_1_abort(
146 const struct sctp_endpoint *ep,
147 const struct sctp_association *asoc,
148 const union sctp_subtype type,
150 struct sctp_cmd_seq *commands);
152 static enum sctp_disposition
153 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
154 const struct sctp_association *asoc,
155 const union sctp_subtype type, void *arg,
156 struct sctp_cmd_seq *commands);
158 /* Small helper function that checks if the chunk length
159 * is of the appropriate length. The 'required_length' argument
160 * is set to be the size of a specific chunk we are testing.
161 * Return Values: true = Valid length
162 * false = Invalid length
165 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
166 __u16 required_length)
168 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
170 /* Previously already marked? */
171 if (unlikely(chunk->pdiscard))
173 if (unlikely(chunk_length < required_length))
179 /* Check for format error in an ABORT chunk */
180 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
182 struct sctp_errhdr *err;
184 sctp_walk_errors(err, chunk->chunk_hdr);
186 return (void *)err == (void *)chunk->chunk_end;
189 /**********************************************************
190 * These are the state functions for handling chunk events.
191 **********************************************************/
194 * Process the final SHUTDOWN COMPLETE.
196 * Section: 4 (C) (diagram), 9.2
197 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
198 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
199 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
200 * should stop the T2-shutdown timer and remove all knowledge of the
201 * association (and thus the association enters the CLOSED state).
203 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
204 * C) Rules for packet carrying SHUTDOWN COMPLETE:
206 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
207 * if the Verification Tag field of the packet matches its own tag and
208 * the T bit is not set
210 * it is set to its peer's tag and the T bit is set in the Chunk
212 * Otherwise, the receiver MUST silently discard the packet
213 * and take no further action. An endpoint MUST ignore the
214 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
217 * (endpoint, asoc, chunk)
220 * (asoc, reply_msg, msg_up, timers, counters)
222 * The return value is the disposition of the chunk.
224 enum sctp_disposition sctp_sf_do_4_C(struct net *net,
225 const struct sctp_endpoint *ep,
226 const struct sctp_association *asoc,
227 const union sctp_subtype type,
228 void *arg, struct sctp_cmd_seq *commands)
230 struct sctp_chunk *chunk = arg;
231 struct sctp_ulpevent *ev;
233 if (!sctp_vtag_verify_either(chunk, asoc))
234 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
236 /* RFC 2960 6.10 Bundling
238 * An endpoint MUST NOT bundle INIT, INIT ACK or
239 * SHUTDOWN COMPLETE with any other chunks.
241 if (!chunk->singleton)
242 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
244 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
245 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
246 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
249 /* RFC 2960 10.2 SCTP-to-ULP
251 * H) SHUTDOWN COMPLETE notification
253 * When SCTP completes the shutdown procedures (section 9.2) this
254 * notification is passed to the upper layer.
256 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
257 0, 0, 0, NULL, GFP_ATOMIC);
259 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
262 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
263 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
264 * not the chunk should be discarded. If the endpoint is in
265 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
266 * T2-shutdown timer and remove all knowledge of the
267 * association (and thus the association enters the CLOSED
270 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
271 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
273 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
274 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
276 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
277 SCTP_STATE(SCTP_STATE_CLOSED));
279 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
280 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
282 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
284 return SCTP_DISPOSITION_DELETE_TCB;
288 * Respond to a normal INIT chunk.
289 * We are the side that is being asked for an association.
291 * Section: 5.1 Normal Establishment of an Association, B
292 * B) "Z" shall respond immediately with an INIT ACK chunk. The
293 * destination IP address of the INIT ACK MUST be set to the source
294 * IP address of the INIT to which this INIT ACK is responding. In
295 * the response, besides filling in other parameters, "Z" must set the
296 * Verification Tag field to Tag_A, and also provide its own
297 * Verification Tag (Tag_Z) in the Initiate Tag field.
299 * Verification Tag: Must be 0.
302 * (endpoint, asoc, chunk)
305 * (asoc, reply_msg, msg_up, timers, counters)
307 * The return value is the disposition of the chunk.
309 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
310 const struct sctp_endpoint *ep,
311 const struct sctp_association *asoc,
312 const union sctp_subtype type,
314 struct sctp_cmd_seq *commands)
316 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
317 struct sctp_unrecognized_param *unk_param;
318 struct sctp_association *new_asoc;
319 struct sctp_packet *packet;
322 /* Update socket peer label if first association. */
323 if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
325 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
328 * An endpoint MUST NOT bundle INIT, INIT ACK or
329 * SHUTDOWN COMPLETE with any other chunks.
332 * Furthermore, we require that the receiver of an INIT chunk MUST
333 * enforce these rules by silently discarding an arriving packet
334 * with an INIT chunk that is bundled with other chunks.
336 if (!chunk->singleton)
337 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
339 /* Make sure that the INIT chunk has a valid length.
340 * Normally, this would cause an ABORT with a Protocol Violation
341 * error, but since we don't have an association, we'll
342 * just discard the packet.
344 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
345 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
347 /* If the packet is an OOTB packet which is temporarily on the
348 * control endpoint, respond with an ABORT.
350 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
351 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
352 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
355 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
358 if (chunk->sctp_hdr->vtag != 0)
359 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
361 /* If the INIT is coming toward a closing socket, we'll send back
362 * and ABORT. Essentially, this catches the race of INIT being
363 * backloged to the socket at the same time as the user isses close().
364 * Since the socket and all its associations are going away, we
365 * can treat this OOTB
367 if (sctp_sstate(ep->base.sk, CLOSING))
368 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
370 /* Verify the INIT chunk before processing it. */
372 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
373 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
375 /* This chunk contains fatal error. It is to be discarded.
376 * Send an ABORT, with causes if there is any.
379 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
380 (__u8 *)(err_chunk->chunk_hdr) +
381 sizeof(struct sctp_chunkhdr),
382 ntohs(err_chunk->chunk_hdr->length) -
383 sizeof(struct sctp_chunkhdr));
385 sctp_chunk_free(err_chunk);
388 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
389 SCTP_PACKET(packet));
390 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
391 return SCTP_DISPOSITION_CONSUME;
393 return SCTP_DISPOSITION_NOMEM;
396 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
401 /* Grab the INIT header. */
402 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
404 /* Tag the variable length parameters. */
405 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
407 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
411 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
412 sctp_scope(sctp_source(chunk)),
416 /* The call, sctp_process_init(), can fail on memory allocation. */
417 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
418 (struct sctp_init_chunk *)chunk->chunk_hdr,
422 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
424 /* If there are errors need to be reported for unknown parameters,
425 * make sure to reserve enough room in the INIT ACK for them.
429 len = ntohs(err_chunk->chunk_hdr->length) -
430 sizeof(struct sctp_chunkhdr);
432 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
436 /* If there are errors need to be reported for unknown parameters,
437 * include them in the outgoing INIT ACK as "Unrecognized parameter"
441 /* Get the "Unrecognized parameter" parameter(s) out of the
442 * ERROR chunk generated by sctp_verify_init(). Since the
443 * error cause code for "unknown parameter" and the
444 * "Unrecognized parameter" type is the same, we can
445 * construct the parameters in INIT ACK by copying the
448 unk_param = (struct sctp_unrecognized_param *)
449 ((__u8 *)(err_chunk->chunk_hdr) +
450 sizeof(struct sctp_chunkhdr));
451 /* Replace the cause code with the "Unrecognized parameter"
454 sctp_addto_chunk(repl, len, unk_param);
455 sctp_chunk_free(err_chunk);
458 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
460 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
463 * Note: After sending out INIT ACK with the State Cookie parameter,
464 * "Z" MUST NOT allocate any resources, nor keep any states for the
465 * new association. Otherwise, "Z" will be vulnerable to resource
468 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
470 return SCTP_DISPOSITION_DELETE_TCB;
473 sctp_association_free(new_asoc);
476 sctp_chunk_free(err_chunk);
477 return SCTP_DISPOSITION_NOMEM;
481 * Respond to a normal INIT ACK chunk.
482 * We are the side that is initiating the association.
484 * Section: 5.1 Normal Establishment of an Association, C
485 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
486 * timer and leave COOKIE-WAIT state. "A" shall then send the State
487 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
488 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
490 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
491 * DATA chunks, but it MUST be the first chunk in the packet and
492 * until the COOKIE ACK is returned the sender MUST NOT send any
493 * other packets to the peer.
495 * Verification Tag: 3.3.3
496 * If the value of the Initiate Tag in a received INIT ACK chunk is
497 * found to be 0, the receiver MUST treat it as an error and close the
498 * association by transmitting an ABORT.
501 * (endpoint, asoc, chunk)
504 * (asoc, reply_msg, msg_up, timers, counters)
506 * The return value is the disposition of the chunk.
508 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
509 const struct sctp_endpoint *ep,
510 const struct sctp_association *asoc,
511 const union sctp_subtype type,
513 struct sctp_cmd_seq *commands)
515 struct sctp_init_chunk *initchunk;
516 struct sctp_chunk *chunk = arg;
517 struct sctp_chunk *err_chunk;
518 struct sctp_packet *packet;
520 if (!sctp_vtag_verify(chunk, asoc))
521 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
524 * An endpoint MUST NOT bundle INIT, INIT ACK or
525 * SHUTDOWN COMPLETE with any other chunks.
527 if (!chunk->singleton)
528 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
530 /* Make sure that the INIT-ACK chunk has a valid length */
531 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
532 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
534 /* Grab the INIT header. */
535 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
537 /* Verify the INIT chunk before processing it. */
539 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
540 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
543 enum sctp_error error = SCTP_ERROR_NO_RESOURCE;
545 /* This chunk contains fatal error. It is to be discarded.
546 * Send an ABORT, with causes. If there are no causes,
547 * then there wasn't enough memory. Just terminate
551 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
552 (__u8 *)(err_chunk->chunk_hdr) +
553 sizeof(struct sctp_chunkhdr),
554 ntohs(err_chunk->chunk_hdr->length) -
555 sizeof(struct sctp_chunkhdr));
557 sctp_chunk_free(err_chunk);
560 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
561 SCTP_PACKET(packet));
562 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
563 error = SCTP_ERROR_INV_PARAM;
567 /* SCTP-AUTH, Section 6.3:
568 * It should be noted that if the receiver wants to tear
569 * down an association in an authenticated way only, the
570 * handling of malformed packets should not result in
571 * tearing down the association.
573 * This means that if we only want to abort associations
574 * in an authenticated way (i.e AUTH+ABORT), then we
575 * can't destroy this association just because the packet
578 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
579 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
581 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
582 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
583 asoc, chunk->transport);
586 /* Tag the variable length parameters. Note that we never
587 * convert the parameters in an INIT chunk.
589 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
591 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;
593 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
594 SCTP_PEER_INIT(initchunk));
596 /* Reset init error count upon receipt of INIT-ACK. */
597 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
599 /* 5.1 C) "A" shall stop the T1-init timer and leave
600 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
601 * timer, and enter the COOKIE-ECHOED state.
603 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
604 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
605 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
606 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
607 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
608 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
610 /* SCTP-AUTH: genereate the assocition shared keys so that
611 * we can potentially signe the COOKIE-ECHO.
613 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
615 /* 5.1 C) "A" shall then send the State Cookie received in the
616 * INIT ACK chunk in a COOKIE ECHO chunk, ...
618 /* If there is any errors to report, send the ERROR chunk generated
619 * for unknown parameters as well.
621 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
622 SCTP_CHUNK(err_chunk));
624 return SCTP_DISPOSITION_CONSUME;
627 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
628 const struct sctp_association *asoc)
630 struct sctp_chunk auth;
632 if (!chunk->auth_chunk)
635 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo
636 * is supposed to be authenticated and we have to do delayed
637 * authentication. We've just recreated the association using
638 * the information in the cookie and now it's much easier to
639 * do the authentication.
642 /* Make sure that we and the peer are AUTH capable */
643 if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
646 /* set-up our fake chunk so that we can process it */
647 auth.skb = chunk->auth_chunk;
648 auth.asoc = chunk->asoc;
649 auth.sctp_hdr = chunk->sctp_hdr;
650 auth.chunk_hdr = (struct sctp_chunkhdr *)
651 skb_push(chunk->auth_chunk,
652 sizeof(struct sctp_chunkhdr));
653 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
654 auth.transport = chunk->transport;
656 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
660 * Respond to a normal COOKIE ECHO chunk.
661 * We are the side that is being asked for an association.
663 * Section: 5.1 Normal Establishment of an Association, D
664 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
665 * with a COOKIE ACK chunk after building a TCB and moving to
666 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
667 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
668 * chunk MUST be the first chunk in the packet.
670 * IMPLEMENTATION NOTE: An implementation may choose to send the
671 * Communication Up notification to the SCTP user upon reception
672 * of a valid COOKIE ECHO chunk.
674 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
675 * D) Rules for packet carrying a COOKIE ECHO
677 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
678 * Initial Tag received in the INIT ACK.
680 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
683 * (endpoint, asoc, chunk)
686 * (asoc, reply_msg, msg_up, timers, counters)
688 * The return value is the disposition of the chunk.
690 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
691 const struct sctp_endpoint *ep,
692 const struct sctp_association *asoc,
693 const union sctp_subtype type,
695 struct sctp_cmd_seq *commands)
697 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
698 struct sctp_association *new_asoc;
699 struct sctp_init_chunk *peer_init;
700 struct sctp_chunk *chunk = arg;
701 struct sctp_chunk *err_chk_p;
702 struct sctp_chunk *repl;
706 if (asoc && !sctp_vtag_verify(chunk, asoc))
707 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
709 /* If the packet is an OOTB packet which is temporarily on the
710 * control endpoint, respond with an ABORT.
712 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
713 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
714 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
717 /* Make sure that the COOKIE_ECHO chunk has a valid length.
718 * In this case, we check that we have enough for at least a
719 * chunk header. More detailed verification is done
720 * in sctp_unpack_cookie().
722 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
723 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
726 /* If the endpoint is not listening or if the number of associations
727 * on the TCP-style socket exceed the max backlog, respond with an
731 if (!sctp_sstate(sk, LISTENING) ||
732 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
733 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
735 /* "Decode" the chunk. We have no optional parameters so we
738 chunk->subh.cookie_hdr =
739 (struct sctp_signed_cookie *)chunk->skb->data;
740 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
741 sizeof(struct sctp_chunkhdr)))
744 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
745 * "Z" will reply with a COOKIE ACK chunk after building a TCB
746 * and moving to the ESTABLISHED state.
748 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
752 * If the re-build failed, what is the proper error path
755 * [We should abort the association. --piggy]
758 /* FIXME: Several errors are possible. A bad cookie should
759 * be silently discarded, but think about logging it too.
762 case -SCTP_IERROR_NOMEM:
765 case -SCTP_IERROR_STALE_COOKIE:
766 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
768 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
770 case -SCTP_IERROR_BAD_SIG:
772 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
777 /* Delay state machine commands until later.
779 * Re-build the bind address for the association is done in
780 * the sctp_unpack_cookie() already.
782 /* This is a brand-new association, so these are not yet side
783 * effects--it is safe to run them here.
785 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
787 if (!sctp_process_init(new_asoc, chunk,
788 &chunk->subh.cookie_hdr->c.peer_addr,
789 peer_init, GFP_ATOMIC))
792 /* SCTP-AUTH: Now that we've populate required fields in
793 * sctp_process_init, set up the assocaition shared keys as
794 * necessary so that we can potentially authenticate the ACK
796 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
800 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
801 sctp_association_free(new_asoc);
802 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
805 repl = sctp_make_cookie_ack(new_asoc, chunk);
809 /* RFC 2960 5.1 Normal Establishment of an Association
811 * D) IMPLEMENTATION NOTE: An implementation may choose to
812 * send the Communication Up notification to the SCTP user
813 * upon reception of a valid COOKIE ECHO chunk.
815 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
816 new_asoc->c.sinit_num_ostreams,
817 new_asoc->c.sinit_max_instreams,
822 /* Sockets API Draft Section 5.3.1.6
823 * When a peer sends a Adaptation Layer Indication parameter , SCTP
824 * delivers this notification to inform the application that of the
825 * peers requested adaptation layer.
827 if (new_asoc->peer.adaptation_ind) {
828 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
834 if (!new_asoc->peer.auth_capable) {
835 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
842 /* Add all the state machine commands now since we've created
843 * everything. This way we don't introduce memory corruptions
844 * during side-effect processing and correclty count established
847 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
848 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
849 SCTP_STATE(SCTP_STATE_ESTABLISHED));
850 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
851 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
852 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
854 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
855 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
856 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
858 /* This will send the COOKIE ACK */
859 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
861 /* Queue the ASSOC_CHANGE event */
862 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
864 /* Send up the Adaptation Layer Indication event */
866 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
867 SCTP_ULPEVENT(ai_ev));
870 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
871 SCTP_ULPEVENT(auth_ev));
873 return SCTP_DISPOSITION_CONSUME;
876 sctp_ulpevent_free(ai_ev);
878 sctp_ulpevent_free(ev);
880 sctp_chunk_free(repl);
882 sctp_association_free(new_asoc);
884 return SCTP_DISPOSITION_NOMEM;
888 * Respond to a normal COOKIE ACK chunk.
889 * We are the side that is asking for an association.
891 * RFC 2960 5.1 Normal Establishment of an Association
893 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
894 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
895 * timer. It may also notify its ULP about the successful
896 * establishment of the association with a Communication Up
897 * notification (see Section 10).
901 * (endpoint, asoc, chunk)
904 * (asoc, reply_msg, msg_up, timers, counters)
906 * The return value is the disposition of the chunk.
908 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
909 const struct sctp_endpoint *ep,
910 const struct sctp_association *asoc,
911 const union sctp_subtype type,
913 struct sctp_cmd_seq *commands)
915 struct sctp_chunk *chunk = arg;
916 struct sctp_ulpevent *ev;
918 if (!sctp_vtag_verify(chunk, asoc))
919 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
921 /* Verify that the chunk length for the COOKIE-ACK is OK.
922 * If we don't do this, any bundled chunks may be junked.
924 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
925 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
928 /* Reset init error count upon receipt of COOKIE-ACK,
929 * to avoid problems with the managemement of this
930 * counter in stale cookie situations when a transition back
931 * from the COOKIE-ECHOED state to the COOKIE-WAIT
932 * state is performed.
934 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
936 /* Set peer label for connection. */
937 security_inet_conn_established(ep->base.sk, chunk->skb);
939 /* RFC 2960 5.1 Normal Establishment of an Association
941 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
942 * from the COOKIE-ECHOED state to the ESTABLISHED state,
943 * stopping the T1-cookie timer.
945 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
946 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
947 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
948 SCTP_STATE(SCTP_STATE_ESTABLISHED));
949 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
950 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
951 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
952 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
953 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
954 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
956 /* It may also notify its ULP about the successful
957 * establishment of the association with a Communication Up
958 * notification (see Section 10).
960 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
961 0, asoc->c.sinit_num_ostreams,
962 asoc->c.sinit_max_instreams,
968 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
970 /* Sockets API Draft Section 5.3.1.6
971 * When a peer sends a Adaptation Layer Indication parameter , SCTP
972 * delivers this notification to inform the application that of the
973 * peers requested adaptation layer.
975 if (asoc->peer.adaptation_ind) {
976 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
980 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
984 if (!asoc->peer.auth_capable) {
985 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
989 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
993 return SCTP_DISPOSITION_CONSUME;
995 return SCTP_DISPOSITION_NOMEM;
998 /* Generate and sendout a heartbeat packet. */
999 static enum sctp_disposition sctp_sf_heartbeat(
1000 const struct sctp_endpoint *ep,
1001 const struct sctp_association *asoc,
1002 const union sctp_subtype type,
1004 struct sctp_cmd_seq *commands)
1006 struct sctp_transport *transport = (struct sctp_transport *) arg;
1007 struct sctp_chunk *reply;
1009 /* Send a heartbeat to our peer. */
1010 reply = sctp_make_heartbeat(asoc, transport);
1012 return SCTP_DISPOSITION_NOMEM;
1014 /* Set rto_pending indicating that an RTT measurement
1015 * is started with this heartbeat chunk.
1017 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
1018 SCTP_TRANSPORT(transport));
1020 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1021 return SCTP_DISPOSITION_CONSUME;
1024 /* Generate a HEARTBEAT packet on the given transport. */
1025 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
1026 const struct sctp_endpoint *ep,
1027 const struct sctp_association *asoc,
1028 const union sctp_subtype type,
1030 struct sctp_cmd_seq *commands)
1032 struct sctp_transport *transport = (struct sctp_transport *) arg;
1034 if (asoc->overall_error_count >= asoc->max_retrans) {
1035 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1036 SCTP_ERROR(ETIMEDOUT));
1037 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1038 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1039 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1040 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1041 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1042 return SCTP_DISPOSITION_DELETE_TCB;
1046 * The Sender-specific Heartbeat Info field should normally include
1047 * information about the sender's current time when this HEARTBEAT
1048 * chunk is sent and the destination transport address to which this
1049 * HEARTBEAT is sent (see Section 8.3).
1052 if (transport->param_flags & SPP_HB_ENABLE) {
1053 if (SCTP_DISPOSITION_NOMEM ==
1054 sctp_sf_heartbeat(ep, asoc, type, arg,
1056 return SCTP_DISPOSITION_NOMEM;
1058 /* Set transport error counter and association error counter
1059 * when sending heartbeat.
1061 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1062 SCTP_TRANSPORT(transport));
1064 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1065 SCTP_TRANSPORT(transport));
1066 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1067 SCTP_TRANSPORT(transport));
1069 return SCTP_DISPOSITION_CONSUME;
1072 /* resend asoc strreset_chunk. */
1073 enum sctp_disposition sctp_sf_send_reconf(struct net *net,
1074 const struct sctp_endpoint *ep,
1075 const struct sctp_association *asoc,
1076 const union sctp_subtype type,
1078 struct sctp_cmd_seq *commands)
1080 struct sctp_transport *transport = arg;
1082 if (asoc->overall_error_count >= asoc->max_retrans) {
1083 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1084 SCTP_ERROR(ETIMEDOUT));
1085 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1086 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1087 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1088 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1089 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1090 return SCTP_DISPOSITION_DELETE_TCB;
1093 sctp_chunk_hold(asoc->strreset_chunk);
1094 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1095 SCTP_CHUNK(asoc->strreset_chunk));
1096 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
1098 return SCTP_DISPOSITION_CONSUME;
1102 * Process an heartbeat request.
1104 * Section: 8.3 Path Heartbeat
1105 * The receiver of the HEARTBEAT should immediately respond with a
1106 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1107 * from the received HEARTBEAT chunk.
1109 * Verification Tag: 8.5 Verification Tag [Normal verification]
1110 * When receiving an SCTP packet, the endpoint MUST ensure that the
1111 * value in the Verification Tag field of the received SCTP packet
1112 * matches its own Tag. If the received Verification Tag value does not
1113 * match the receiver's own tag value, the receiver shall silently
1114 * discard the packet and shall not process it any further except for
1115 * those cases listed in Section 8.5.1 below.
1118 * (endpoint, asoc, chunk)
1121 * (asoc, reply_msg, msg_up, timers, counters)
1123 * The return value is the disposition of the chunk.
1125 enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
1126 const struct sctp_endpoint *ep,
1127 const struct sctp_association *asoc,
1128 const union sctp_subtype type,
1129 void *arg, struct sctp_cmd_seq *commands)
1131 struct sctp_paramhdr *param_hdr;
1132 struct sctp_chunk *chunk = arg;
1133 struct sctp_chunk *reply;
1136 if (!sctp_vtag_verify(chunk, asoc))
1137 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1139 /* Make sure that the HEARTBEAT chunk has a valid length. */
1140 if (!sctp_chunk_length_valid(chunk,
1141 sizeof(struct sctp_heartbeat_chunk)))
1142 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1145 /* 8.3 The receiver of the HEARTBEAT should immediately
1146 * respond with a HEARTBEAT ACK that contains the Heartbeat
1147 * Information field copied from the received HEARTBEAT chunk.
1149 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
1150 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
1151 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);
1153 if (ntohs(param_hdr->length) > paylen)
1154 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1155 param_hdr, commands);
1157 if (!pskb_pull(chunk->skb, paylen))
1160 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1164 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1165 return SCTP_DISPOSITION_CONSUME;
1168 return SCTP_DISPOSITION_NOMEM;
1172 * Process the returning HEARTBEAT ACK.
1174 * Section: 8.3 Path Heartbeat
1175 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1176 * should clear the error counter of the destination transport
1177 * address to which the HEARTBEAT was sent, and mark the destination
1178 * transport address as active if it is not so marked. The endpoint may
1179 * optionally report to the upper layer when an inactive destination
1180 * address is marked as active due to the reception of the latest
1181 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1182 * clear the association overall error count as well (as defined
1185 * The receiver of the HEARTBEAT ACK should also perform an RTT
1186 * measurement for that destination transport address using the time
1187 * value carried in the HEARTBEAT ACK chunk.
1189 * Verification Tag: 8.5 Verification Tag [Normal verification]
1192 * (endpoint, asoc, chunk)
1195 * (asoc, reply_msg, msg_up, timers, counters)
1197 * The return value is the disposition of the chunk.
1199 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
1200 const struct sctp_endpoint *ep,
1201 const struct sctp_association *asoc,
1202 const union sctp_subtype type,
1204 struct sctp_cmd_seq *commands)
1206 struct sctp_sender_hb_info *hbinfo;
1207 struct sctp_chunk *chunk = arg;
1208 struct sctp_transport *link;
1209 unsigned long max_interval;
1210 union sctp_addr from_addr;
1212 if (!sctp_vtag_verify(chunk, asoc))
1213 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1215 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1216 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
1218 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1221 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;
1222 /* Make sure that the length of the parameter is what we expect */
1223 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
1224 return SCTP_DISPOSITION_DISCARD;
1226 from_addr = hbinfo->daddr;
1227 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1229 /* This should never happen, but lets log it if so. */
1230 if (unlikely(!link)) {
1231 if (from_addr.sa.sa_family == AF_INET6) {
1232 net_warn_ratelimited("%s association %p could not find address %pI6\n",
1235 &from_addr.v6.sin6_addr);
1237 net_warn_ratelimited("%s association %p could not find address %pI4\n",
1240 &from_addr.v4.sin_addr.s_addr);
1242 return SCTP_DISPOSITION_DISCARD;
1245 /* Validate the 64-bit random nonce. */
1246 if (hbinfo->hb_nonce != link->hb_nonce)
1247 return SCTP_DISPOSITION_DISCARD;
1249 max_interval = link->hbinterval + link->rto;
1251 /* Check if the timestamp looks valid. */
1252 if (time_after(hbinfo->sent_at, jiffies) ||
1253 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1254 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1255 "for transport:%p\n", __func__, link);
1257 return SCTP_DISPOSITION_DISCARD;
1260 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1261 * the HEARTBEAT should clear the error counter of the
1262 * destination transport address to which the HEARTBEAT was
1263 * sent and mark the destination transport address as active if
1264 * it is not so marked.
1266 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1268 return SCTP_DISPOSITION_CONSUME;
1271 /* Helper function to send out an abort for the restart
1274 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1275 struct sctp_chunk *init,
1276 struct sctp_cmd_seq *commands)
1278 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1279 union sctp_addr_param *addrparm;
1280 struct sctp_errhdr *errhdr;
1281 char buffer[sizeof(*errhdr) + sizeof(*addrparm)];
1282 struct sctp_endpoint *ep;
1283 struct sctp_packet *pkt;
1286 /* Build the error on the stack. We are way to malloc crazy
1287 * throughout the code today.
1289 errhdr = (struct sctp_errhdr *)buffer;
1290 addrparm = (union sctp_addr_param *)errhdr->variable;
1292 /* Copy into a parm format. */
1293 len = af->to_addr_param(ssa, addrparm);
1294 len += sizeof(*errhdr);
1296 errhdr->cause = SCTP_ERROR_RESTART;
1297 errhdr->length = htons(len);
1299 /* Assign to the control socket. */
1300 ep = sctp_sk(net->sctp.ctl_sock)->ep;
1302 /* Association is NULL since this may be a restart attack and we
1303 * want to send back the attacker's vtag.
1305 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1309 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1311 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1313 /* Discard the rest of the inbound packet. */
1314 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1317 /* Even if there is no memory, treat as a failure so
1318 * the packet will get dropped.
1323 static bool list_has_sctp_addr(const struct list_head *list,
1324 union sctp_addr *ipaddr)
1326 struct sctp_transport *addr;
1328 list_for_each_entry(addr, list, transports) {
1329 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1335 /* A restart is occurring, check to make sure no new addresses
1336 * are being added as we may be under a takeover attack.
1338 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1339 const struct sctp_association *asoc,
1340 struct sctp_chunk *init,
1341 struct sctp_cmd_seq *commands)
1343 struct net *net = new_asoc->base.net;
1344 struct sctp_transport *new_addr;
1347 /* Implementor's Guide - Section 5.2.2
1349 * Before responding the endpoint MUST check to see if the
1350 * unexpected INIT adds new addresses to the association. If new
1351 * addresses are added to the association, the endpoint MUST respond
1355 /* Search through all current addresses and make sure
1356 * we aren't adding any new ones.
1358 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1360 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1361 &new_addr->ipaddr)) {
1362 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1369 /* Return success if all addresses were found. */
1373 /* Populate the verification/tie tags based on overlapping INIT
1376 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1378 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1379 const struct sctp_association *asoc)
1381 switch (asoc->state) {
1383 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1385 case SCTP_STATE_COOKIE_WAIT:
1386 new_asoc->c.my_vtag = asoc->c.my_vtag;
1387 new_asoc->c.my_ttag = asoc->c.my_vtag;
1388 new_asoc->c.peer_ttag = 0;
1391 case SCTP_STATE_COOKIE_ECHOED:
1392 new_asoc->c.my_vtag = asoc->c.my_vtag;
1393 new_asoc->c.my_ttag = asoc->c.my_vtag;
1394 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1397 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1398 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1401 new_asoc->c.my_ttag = asoc->c.my_vtag;
1402 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1406 /* Other parameters for the endpoint SHOULD be copied from the
1407 * existing parameters of the association (e.g. number of
1408 * outbound streams) into the INIT ACK and cookie.
1410 new_asoc->rwnd = asoc->rwnd;
1411 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1412 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1413 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1417 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1420 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1422 * Returns value representing action to be taken. These action values
1423 * correspond to Action/Description values in RFC 2960, Table 2.
1425 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1426 const struct sctp_association *asoc)
1428 /* In this case, the peer may have restarted. */
1429 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1430 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1431 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1432 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1435 /* Collision case B. */
1436 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1437 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1438 (0 == asoc->c.peer_vtag))) {
1442 /* Collision case D. */
1443 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1444 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1447 /* Collision case C. */
1448 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1449 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1450 (0 == new_asoc->c.my_ttag) &&
1451 (0 == new_asoc->c.peer_ttag))
1454 /* No match to any of the special cases; discard this packet. */
1458 /* Common helper routine for both duplicate and simulataneous INIT
1461 static enum sctp_disposition sctp_sf_do_unexpected_init(
1463 const struct sctp_endpoint *ep,
1464 const struct sctp_association *asoc,
1465 const union sctp_subtype type,
1467 struct sctp_cmd_seq *commands)
1469 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
1470 struct sctp_unrecognized_param *unk_param;
1471 struct sctp_association *new_asoc;
1472 enum sctp_disposition retval;
1473 struct sctp_packet *packet;
1476 /* Update socket peer label if first association. */
1477 if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
1479 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1482 * An endpoint MUST NOT bundle INIT, INIT ACK or
1483 * SHUTDOWN COMPLETE with any other chunks.
1486 * Furthermore, we require that the receiver of an INIT chunk MUST
1487 * enforce these rules by silently discarding an arriving packet
1488 * with an INIT chunk that is bundled with other chunks.
1490 if (!chunk->singleton)
1491 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1493 /* Make sure that the INIT chunk has a valid length. */
1494 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
1495 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1497 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1500 if (chunk->sctp_hdr->vtag != 0)
1501 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1503 /* Grab the INIT header. */
1504 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
1506 /* Tag the variable length parameters. */
1507 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
1509 /* Verify the INIT chunk before processing it. */
1511 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1512 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
1514 /* This chunk contains fatal error. It is to be discarded.
1515 * Send an ABORT, with causes if there is any.
1518 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1519 (__u8 *)(err_chunk->chunk_hdr) +
1520 sizeof(struct sctp_chunkhdr),
1521 ntohs(err_chunk->chunk_hdr->length) -
1522 sizeof(struct sctp_chunkhdr));
1525 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1526 SCTP_PACKET(packet));
1527 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1528 retval = SCTP_DISPOSITION_CONSUME;
1530 retval = SCTP_DISPOSITION_NOMEM;
1534 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1540 * Other parameters for the endpoint SHOULD be copied from the
1541 * existing parameters of the association (e.g. number of
1542 * outbound streams) into the INIT ACK and cookie.
1543 * FIXME: We are copying parameters from the endpoint not the
1546 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1550 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1551 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1554 /* In the outbound INIT ACK the endpoint MUST copy its current
1555 * Verification Tag and Peers Verification tag into a reserved
1556 * place (local tie-tag and per tie-tag) within the state cookie.
1558 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1559 (struct sctp_init_chunk *)chunk->chunk_hdr,
1563 /* Make sure no new addresses are being added during the
1564 * restart. Do not do this check for COOKIE-WAIT state,
1565 * since there are no peer addresses to check against.
1566 * Upon return an ABORT will have been sent if needed.
1568 if (!sctp_state(asoc, COOKIE_WAIT)) {
1569 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1571 retval = SCTP_DISPOSITION_CONSUME;
1576 sctp_tietags_populate(new_asoc, asoc);
1578 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1580 /* If there are errors need to be reported for unknown parameters,
1581 * make sure to reserve enough room in the INIT ACK for them.
1585 len = ntohs(err_chunk->chunk_hdr->length) -
1586 sizeof(struct sctp_chunkhdr);
1589 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1593 /* If there are errors need to be reported for unknown parameters,
1594 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1598 /* Get the "Unrecognized parameter" parameter(s) out of the
1599 * ERROR chunk generated by sctp_verify_init(). Since the
1600 * error cause code for "unknown parameter" and the
1601 * "Unrecognized parameter" type is the same, we can
1602 * construct the parameters in INIT ACK by copying the
1603 * ERROR causes over.
1605 unk_param = (struct sctp_unrecognized_param *)
1606 ((__u8 *)(err_chunk->chunk_hdr) +
1607 sizeof(struct sctp_chunkhdr));
1608 /* Replace the cause code with the "Unrecognized parameter"
1611 sctp_addto_chunk(repl, len, unk_param);
1614 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1615 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1618 * Note: After sending out INIT ACK with the State Cookie parameter,
1619 * "Z" MUST NOT allocate any resources for this new association.
1620 * Otherwise, "Z" will be vulnerable to resource attacks.
1622 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1623 retval = SCTP_DISPOSITION_CONSUME;
1628 retval = SCTP_DISPOSITION_NOMEM;
1631 sctp_association_free(new_asoc);
1634 sctp_chunk_free(err_chunk);
1639 * Handle simultaneous INIT.
1640 * This means we started an INIT and then we got an INIT request from
1643 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1644 * This usually indicates an initialization collision, i.e., each
1645 * endpoint is attempting, at about the same time, to establish an
1646 * association with the other endpoint.
1648 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1649 * endpoint MUST respond with an INIT ACK using the same parameters it
1650 * sent in its original INIT chunk (including its Verification Tag,
1651 * unchanged). These original parameters are combined with those from the
1652 * newly received INIT chunk. The endpoint shall also generate a State
1653 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1654 * INIT to calculate the State Cookie.
1656 * After that, the endpoint MUST NOT change its state, the T1-init
1657 * timer shall be left running and the corresponding TCB MUST NOT be
1658 * destroyed. The normal procedures for handling State Cookies when
1659 * a TCB exists will resolve the duplicate INITs to a single association.
1661 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1662 * its Tie-Tags with the Tag information of itself and its peer (see
1663 * section 5.2.2 for a description of the Tie-Tags).
1665 * Verification Tag: Not explicit, but an INIT can not have a valid
1666 * verification tag, so we skip the check.
1669 * (endpoint, asoc, chunk)
1672 * (asoc, reply_msg, msg_up, timers, counters)
1674 * The return value is the disposition of the chunk.
1676 enum sctp_disposition sctp_sf_do_5_2_1_siminit(
1678 const struct sctp_endpoint *ep,
1679 const struct sctp_association *asoc,
1680 const union sctp_subtype type,
1682 struct sctp_cmd_seq *commands)
1684 /* Call helper to do the real work for both simulataneous and
1685 * duplicate INIT chunk handling.
1687 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1691 * Handle duplicated INIT messages. These are usually delayed
1694 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1695 * COOKIE-ECHOED and COOKIE-WAIT
1697 * Unless otherwise stated, upon reception of an unexpected INIT for
1698 * this association, the endpoint shall generate an INIT ACK with a
1699 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1700 * current Verification Tag and peer's Verification Tag into a reserved
1701 * place within the state cookie. We shall refer to these locations as
1702 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1703 * containing this INIT ACK MUST carry a Verification Tag value equal to
1704 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1705 * MUST contain a new Initiation Tag (randomly generated see Section
1706 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1707 * existing parameters of the association (e.g. number of outbound
1708 * streams) into the INIT ACK and cookie.
1710 * After sending out the INIT ACK, the endpoint shall take no further
1711 * actions, i.e., the existing association, including its current state,
1712 * and the corresponding TCB MUST NOT be changed.
1714 * Note: Only when a TCB exists and the association is not in a COOKIE-
1715 * WAIT state are the Tie-Tags populated. For a normal association INIT
1716 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1717 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1718 * State Cookie are populated as specified in section 5.2.1.
1720 * Verification Tag: Not specified, but an INIT has no way of knowing
1721 * what the verification tag could be, so we ignore it.
1724 * (endpoint, asoc, chunk)
1727 * (asoc, reply_msg, msg_up, timers, counters)
1729 * The return value is the disposition of the chunk.
1731 enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
1733 const struct sctp_endpoint *ep,
1734 const struct sctp_association *asoc,
1735 const union sctp_subtype type,
1737 struct sctp_cmd_seq *commands)
1739 /* Call helper to do the real work for both simulataneous and
1740 * duplicate INIT chunk handling.
1742 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1747 * Unexpected INIT-ACK handler.
1750 * If an INIT ACK received by an endpoint in any state other than the
1751 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1752 * An unexpected INIT ACK usually indicates the processing of an old or
1753 * duplicated INIT chunk.
1755 enum sctp_disposition sctp_sf_do_5_2_3_initack(
1757 const struct sctp_endpoint *ep,
1758 const struct sctp_association *asoc,
1759 const union sctp_subtype type,
1761 struct sctp_cmd_seq *commands)
1763 /* Per the above section, we'll discard the chunk if we have an
1764 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1766 if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1767 return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1769 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1772 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1775 * A) In this case, the peer may have restarted.
1777 static enum sctp_disposition sctp_sf_do_dupcook_a(
1779 const struct sctp_endpoint *ep,
1780 const struct sctp_association *asoc,
1781 struct sctp_chunk *chunk,
1782 struct sctp_cmd_seq *commands,
1783 struct sctp_association *new_asoc)
1785 struct sctp_init_chunk *peer_init;
1786 enum sctp_disposition disposition;
1787 struct sctp_ulpevent *ev;
1788 struct sctp_chunk *repl;
1789 struct sctp_chunk *err;
1791 /* new_asoc is a brand-new association, so these are not yet
1792 * side effects--it is safe to run them here.
1794 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1796 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1800 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1803 if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1804 return SCTP_DISPOSITION_DISCARD;
1806 /* Make sure no new addresses are being added during the
1807 * restart. Though this is a pretty complicated attack
1808 * since you'd have to get inside the cookie.
1810 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
1811 return SCTP_DISPOSITION_CONSUME;
1813 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1814 * the peer has restarted (Action A), it MUST NOT setup a new
1815 * association but instead resend the SHUTDOWN ACK and send an ERROR
1816 * chunk with a "Cookie Received while Shutting Down" error cause to
1819 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1820 disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc,
1821 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1823 if (SCTP_DISPOSITION_NOMEM == disposition)
1826 err = sctp_make_op_error(asoc, chunk,
1827 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1830 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1833 return SCTP_DISPOSITION_CONSUME;
1836 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1837 * data. Consider the optional choice of resending of this data.
1839 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1840 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1841 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1842 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1844 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1845 * and ASCONF-ACK cache.
1847 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1848 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1849 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1851 /* Update the content of current association. */
1852 if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) {
1853 struct sctp_chunk *abort;
1855 abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
1857 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
1858 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
1860 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
1861 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1862 SCTP_PERR(SCTP_ERROR_RSRC_LOW));
1863 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1864 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1868 repl = sctp_make_cookie_ack(asoc, chunk);
1872 /* Report association restart to upper layer. */
1873 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1874 asoc->c.sinit_num_ostreams,
1875 asoc->c.sinit_max_instreams,
1880 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1881 if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
1882 sctp_state(asoc, SHUTDOWN_SENT)) &&
1883 (sctp_sstate(asoc->base.sk, CLOSING) ||
1884 sock_flag(asoc->base.sk, SOCK_DEAD))) {
1885 /* If the socket has been closed by user, don't
1886 * transition to ESTABLISHED. Instead trigger SHUTDOWN
1887 * bundled with COOKIE_ACK.
1889 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1890 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1891 SCTP_ST_CHUNK(0), repl,
1894 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1895 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1896 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1898 return SCTP_DISPOSITION_CONSUME;
1901 sctp_chunk_free(repl);
1903 return SCTP_DISPOSITION_NOMEM;
1906 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1909 * B) In this case, both sides may be attempting to start an association
1910 * at about the same time but the peer endpoint started its INIT
1911 * after responding to the local endpoint's INIT
1913 /* This case represents an initialization collision. */
1914 static enum sctp_disposition sctp_sf_do_dupcook_b(
1916 const struct sctp_endpoint *ep,
1917 const struct sctp_association *asoc,
1918 struct sctp_chunk *chunk,
1919 struct sctp_cmd_seq *commands,
1920 struct sctp_association *new_asoc)
1922 struct sctp_init_chunk *peer_init;
1923 struct sctp_chunk *repl;
1925 /* new_asoc is a brand-new association, so these are not yet
1926 * side effects--it is safe to run them here.
1928 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1929 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1933 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1936 if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1937 return SCTP_DISPOSITION_DISCARD;
1939 /* Update the content of current association. */
1940 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1941 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1942 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1943 if (asoc->state < SCTP_STATE_ESTABLISHED)
1944 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1945 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1947 repl = sctp_make_cookie_ack(new_asoc, chunk);
1951 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1953 /* RFC 2960 5.1 Normal Establishment of an Association
1955 * D) IMPLEMENTATION NOTE: An implementation may choose to
1956 * send the Communication Up notification to the SCTP user
1957 * upon reception of a valid COOKIE ECHO chunk.
1959 * Sadly, this needs to be implemented as a side-effect, because
1960 * we are not guaranteed to have set the association id of the real
1961 * association and so these notifications need to be delayed until
1962 * the association id is allocated.
1965 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1967 /* Sockets API Draft Section 5.3.1.6
1968 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1969 * delivers this notification to inform the application that of the
1970 * peers requested adaptation layer.
1972 * This also needs to be done as a side effect for the same reason as
1975 if (asoc->peer.adaptation_ind)
1976 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1978 if (!asoc->peer.auth_capable)
1979 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());
1981 return SCTP_DISPOSITION_CONSUME;
1984 return SCTP_DISPOSITION_NOMEM;
1987 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1990 * C) In this case, the local endpoint's cookie has arrived late.
1991 * Before it arrived, the local endpoint sent an INIT and received an
1992 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1993 * but a new tag of its own.
1995 /* This case represents an initialization collision. */
1996 static enum sctp_disposition sctp_sf_do_dupcook_c(
1998 const struct sctp_endpoint *ep,
1999 const struct sctp_association *asoc,
2000 struct sctp_chunk *chunk,
2001 struct sctp_cmd_seq *commands,
2002 struct sctp_association *new_asoc)
2004 /* The cookie should be silently discarded.
2005 * The endpoint SHOULD NOT change states and should leave
2006 * any timers running.
2008 return SCTP_DISPOSITION_DISCARD;
2011 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
2015 * D) When both local and remote tags match the endpoint should always
2016 * enter the ESTABLISHED state, if it has not already done so.
2018 /* This case represents an initialization collision. */
2019 static enum sctp_disposition sctp_sf_do_dupcook_d(
2021 const struct sctp_endpoint *ep,
2022 const struct sctp_association *asoc,
2023 struct sctp_chunk *chunk,
2024 struct sctp_cmd_seq *commands,
2025 struct sctp_association *new_asoc)
2027 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;
2028 struct sctp_chunk *repl;
2030 /* Clarification from Implementor's Guide:
2031 * D) When both local and remote tags match the endpoint should
2032 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
2033 * It should stop any cookie timer that may be running and send
2037 if (!sctp_auth_chunk_verify(net, chunk, asoc))
2038 return SCTP_DISPOSITION_DISCARD;
2040 /* Don't accidentally move back into established state. */
2041 if (asoc->state < SCTP_STATE_ESTABLISHED) {
2042 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2043 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2044 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2045 SCTP_STATE(SCTP_STATE_ESTABLISHED));
2046 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2047 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
2050 /* RFC 2960 5.1 Normal Establishment of an Association
2052 * D) IMPLEMENTATION NOTE: An implementation may choose
2053 * to send the Communication Up notification to the
2054 * SCTP user upon reception of a valid COOKIE
2057 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
2059 asoc->c.sinit_num_ostreams,
2060 asoc->c.sinit_max_instreams,
2065 /* Sockets API Draft Section 5.3.1.6
2066 * When a peer sends a Adaptation Layer Indication parameter,
2067 * SCTP delivers this notification to inform the application
2068 * that of the peers requested adaptation layer.
2070 if (asoc->peer.adaptation_ind) {
2071 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
2078 if (!asoc->peer.auth_capable) {
2079 auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
2087 repl = sctp_make_cookie_ack(asoc, chunk);
2091 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2094 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2097 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2098 SCTP_ULPEVENT(ai_ev));
2100 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2101 SCTP_ULPEVENT(auth_ev));
2103 return SCTP_DISPOSITION_CONSUME;
2107 sctp_ulpevent_free(auth_ev);
2109 sctp_ulpevent_free(ai_ev);
2111 sctp_ulpevent_free(ev);
2112 return SCTP_DISPOSITION_NOMEM;
2116 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
2117 * chunk was retransmitted and then delayed in the network.
2119 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
2121 * Verification Tag: None. Do cookie validation.
2124 * (endpoint, asoc, chunk)
2127 * (asoc, reply_msg, msg_up, timers, counters)
2129 * The return value is the disposition of the chunk.
2131 enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
2133 const struct sctp_endpoint *ep,
2134 const struct sctp_association *asoc,
2135 const union sctp_subtype type,
2137 struct sctp_cmd_seq *commands)
2139 struct sctp_association *new_asoc;
2140 struct sctp_chunk *chunk = arg;
2141 enum sctp_disposition retval;
2142 struct sctp_chunk *err_chk_p;
2146 /* Make sure that the chunk has a valid length from the protocol
2147 * perspective. In this case check to make sure we have at least
2148 * enough for the chunk header. Cookie length verification is
2151 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) {
2152 if (!sctp_vtag_verify(chunk, asoc))
2154 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);
2157 /* "Decode" the chunk. We have no optional parameters so we
2158 * are in good shape.
2160 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2161 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2162 sizeof(struct sctp_chunkhdr)))
2165 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2166 * of a duplicate COOKIE ECHO match the Verification Tags of the
2167 * current association, consider the State Cookie valid even if
2168 * the lifespan is exceeded.
2170 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2174 * If the re-build failed, what is the proper error path
2177 * [We should abort the association. --piggy]
2180 /* FIXME: Several errors are possible. A bad cookie should
2181 * be silently discarded, but think about logging it too.
2184 case -SCTP_IERROR_NOMEM:
2187 case -SCTP_IERROR_STALE_COOKIE:
2188 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2190 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2191 case -SCTP_IERROR_BAD_SIG:
2193 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2197 /* Update socket peer label if first association. */
2198 if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
2200 sctp_association_free(new_asoc);
2201 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2204 /* Set temp so that it won't be added into hashtable */
2207 /* Compare the tie_tag in cookie with the verification tag of
2208 * current association.
2210 action = sctp_tietags_compare(new_asoc, asoc);
2213 case 'A': /* Association restart. */
2214 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2218 case 'B': /* Collision case B. */
2219 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2223 case 'C': /* Collision case C. */
2224 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2228 case 'D': /* Collision case D. */
2229 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2233 default: /* Discard packet for all others. */
2234 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2238 /* Delete the tempory new association. */
2239 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2240 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2242 /* Restore association pointer to provide SCTP command interpeter
2243 * with a valid context in case it needs to manipulate
2245 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2246 SCTP_ASOC((struct sctp_association *)asoc));
2251 return SCTP_DISPOSITION_NOMEM;
2255 * Process an ABORT. (SHUTDOWN-PENDING state)
2257 * See sctp_sf_do_9_1_abort().
2259 enum sctp_disposition sctp_sf_shutdown_pending_abort(
2261 const struct sctp_endpoint *ep,
2262 const struct sctp_association *asoc,
2263 const union sctp_subtype type,
2265 struct sctp_cmd_seq *commands)
2267 struct sctp_chunk *chunk = arg;
2269 if (!sctp_vtag_verify_either(chunk, asoc))
2270 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2272 /* Make sure that the ABORT chunk has a valid length.
2273 * Since this is an ABORT chunk, we have to discard it
2274 * because of the following text:
2275 * RFC 2960, Section 3.3.7
2276 * If an endpoint receives an ABORT with a format error or for an
2277 * association that doesn't exist, it MUST silently discard it.
2278 * Because the length is "invalid", we can't really discard just
2279 * as we do not know its true length. So, to be safe, discard the
2282 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2283 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2285 /* ADD-IP: Special case for ABORT chunks
2286 * F4) One special consideration is that ABORT Chunks arriving
2287 * destined to the IP address being deleted MUST be
2288 * ignored (see Section 5.3.1 for further details).
2290 if (SCTP_ADDR_DEL ==
2291 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2292 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2294 if (!sctp_err_chunk_valid(chunk))
2295 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2297 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2301 * Process an ABORT. (SHUTDOWN-SENT state)
2303 * See sctp_sf_do_9_1_abort().
2305 enum sctp_disposition sctp_sf_shutdown_sent_abort(
2307 const struct sctp_endpoint *ep,
2308 const struct sctp_association *asoc,
2309 const union sctp_subtype type,
2311 struct sctp_cmd_seq *commands)
2313 struct sctp_chunk *chunk = arg;
2315 if (!sctp_vtag_verify_either(chunk, asoc))
2316 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2318 /* Make sure that the ABORT chunk has a valid length.
2319 * Since this is an ABORT chunk, we have to discard it
2320 * because of the following text:
2321 * RFC 2960, Section 3.3.7
2322 * If an endpoint receives an ABORT with a format error or for an
2323 * association that doesn't exist, it MUST silently discard it.
2324 * Because the length is "invalid", we can't really discard just
2325 * as we do not know its true length. So, to be safe, discard the
2328 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2329 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2331 /* ADD-IP: Special case for ABORT chunks
2332 * F4) One special consideration is that ABORT Chunks arriving
2333 * destined to the IP address being deleted MUST be
2334 * ignored (see Section 5.3.1 for further details).
2336 if (SCTP_ADDR_DEL ==
2337 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2338 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2340 if (!sctp_err_chunk_valid(chunk))
2341 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2343 /* Stop the T2-shutdown timer. */
2344 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2345 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2347 /* Stop the T5-shutdown guard timer. */
2348 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2349 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2351 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2355 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2357 * See sctp_sf_do_9_1_abort().
2359 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort(
2361 const struct sctp_endpoint *ep,
2362 const struct sctp_association *asoc,
2363 const union sctp_subtype type,
2365 struct sctp_cmd_seq *commands)
2367 /* The same T2 timer, so we should be able to use
2368 * common function with the SHUTDOWN-SENT state.
2370 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2374 * Handle an Error received in COOKIE_ECHOED state.
2376 * Only handle the error type of stale COOKIE Error, the other errors will
2380 * (endpoint, asoc, chunk)
2383 * (asoc, reply_msg, msg_up, timers, counters)
2385 * The return value is the disposition of the chunk.
2387 enum sctp_disposition sctp_sf_cookie_echoed_err(
2389 const struct sctp_endpoint *ep,
2390 const struct sctp_association *asoc,
2391 const union sctp_subtype type,
2393 struct sctp_cmd_seq *commands)
2395 struct sctp_chunk *chunk = arg;
2396 struct sctp_errhdr *err;
2398 if (!sctp_vtag_verify(chunk, asoc))
2399 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2401 /* Make sure that the ERROR chunk has a valid length.
2402 * The parameter walking depends on this as well.
2404 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
2405 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2408 /* Process the error here */
2409 /* FUTURE FIXME: When PR-SCTP related and other optional
2410 * parms are emitted, this will have to change to handle multiple
2413 sctp_walk_errors(err, chunk->chunk_hdr) {
2414 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2415 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2419 /* It is possible to have malformed error causes, and that
2420 * will cause us to end the walk early. However, since
2421 * we are discarding the packet, there should be no adverse
2424 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2428 * Handle a Stale COOKIE Error
2430 * Section: 5.2.6 Handle Stale COOKIE Error
2431 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2432 * one of the following three alternatives.
2434 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2435 * Preservative parameter requesting an extension to the lifetime of
2436 * the State Cookie. When calculating the time extension, an
2437 * implementation SHOULD use the RTT information measured based on the
2438 * previous COOKIE ECHO / ERROR exchange, and should add no more
2439 * than 1 second beyond the measured RTT, due to long State Cookie
2440 * lifetimes making the endpoint more subject to a replay attack.
2442 * Verification Tag: Not explicit, but safe to ignore.
2445 * (endpoint, asoc, chunk)
2448 * (asoc, reply_msg, msg_up, timers, counters)
2450 * The return value is the disposition of the chunk.
2452 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
2454 const struct sctp_endpoint *ep,
2455 const struct sctp_association *asoc,
2456 const union sctp_subtype type,
2458 struct sctp_cmd_seq *commands)
2460 int attempts = asoc->init_err_counter + 1;
2461 struct sctp_chunk *chunk = arg, *reply;
2462 struct sctp_cookie_preserve_param bht;
2463 struct sctp_bind_addr *bp;
2464 struct sctp_errhdr *err;
2467 if (attempts > asoc->max_init_attempts) {
2468 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2469 SCTP_ERROR(ETIMEDOUT));
2470 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2471 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2472 return SCTP_DISPOSITION_DELETE_TCB;
2475 err = (struct sctp_errhdr *)(chunk->skb->data);
2477 /* When calculating the time extension, an implementation
2478 * SHOULD use the RTT information measured based on the
2479 * previous COOKIE ECHO / ERROR exchange, and should add no
2480 * more than 1 second beyond the measured RTT, due to long
2481 * State Cookie lifetimes making the endpoint more subject to
2483 * Measure of Staleness's unit is usec. (1/1000000 sec)
2484 * Suggested Cookie Life-span Increment's unit is msec.
2486 * In general, if you use the suggested cookie life, the value
2487 * found in the field of measure of staleness should be doubled
2488 * to give ample time to retransmit the new cookie and thus
2489 * yield a higher probability of success on the reattempt.
2491 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));
2492 stale = (stale * 2) / 1000;
2494 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2495 bht.param_hdr.length = htons(sizeof(bht));
2496 bht.lifespan_increment = htonl(stale);
2498 /* Build that new INIT chunk. */
2499 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2500 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2504 sctp_addto_chunk(reply, sizeof(bht), &bht);
2506 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2507 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2509 /* Stop pending T3-rtx and heartbeat timers */
2510 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2511 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2513 /* Delete non-primary peer ip addresses since we are transitioning
2514 * back to the COOKIE-WAIT state
2516 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2518 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2521 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2522 SCTP_TRANSPORT(asoc->peer.primary_path));
2524 /* Cast away the const modifier, as we want to just
2525 * rerun it through as a sideffect.
2527 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2529 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2530 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2531 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2532 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2533 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2534 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2536 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2538 return SCTP_DISPOSITION_CONSUME;
2541 return SCTP_DISPOSITION_NOMEM;
2548 * After checking the Verification Tag, the receiving endpoint shall
2549 * remove the association from its record, and shall report the
2550 * termination to its upper layer.
2552 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2553 * B) Rules for packet carrying ABORT:
2555 * - The endpoint shall always fill in the Verification Tag field of the
2556 * outbound packet with the destination endpoint's tag value if it
2559 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2560 * MUST follow the procedure described in Section 8.4.
2562 * - The receiver MUST accept the packet if the Verification Tag
2563 * matches either its own tag, OR the tag of its peer. Otherwise, the
2564 * receiver MUST silently discard the packet and take no further
2568 * (endpoint, asoc, chunk)
2571 * (asoc, reply_msg, msg_up, timers, counters)
2573 * The return value is the disposition of the chunk.
2575 enum sctp_disposition sctp_sf_do_9_1_abort(
2577 const struct sctp_endpoint *ep,
2578 const struct sctp_association *asoc,
2579 const union sctp_subtype type,
2581 struct sctp_cmd_seq *commands)
2583 struct sctp_chunk *chunk = arg;
2585 if (!sctp_vtag_verify_either(chunk, asoc))
2586 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2588 /* Make sure that the ABORT chunk has a valid length.
2589 * Since this is an ABORT chunk, we have to discard it
2590 * because of the following text:
2591 * RFC 2960, Section 3.3.7
2592 * If an endpoint receives an ABORT with a format error or for an
2593 * association that doesn't exist, it MUST silently discard it.
2594 * Because the length is "invalid", we can't really discard just
2595 * as we do not know its true length. So, to be safe, discard the
2598 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2599 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2601 /* ADD-IP: Special case for ABORT chunks
2602 * F4) One special consideration is that ABORT Chunks arriving
2603 * destined to the IP address being deleted MUST be
2604 * ignored (see Section 5.3.1 for further details).
2606 if (SCTP_ADDR_DEL ==
2607 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2608 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2610 if (!sctp_err_chunk_valid(chunk))
2611 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2613 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2616 static enum sctp_disposition __sctp_sf_do_9_1_abort(
2618 const struct sctp_endpoint *ep,
2619 const struct sctp_association *asoc,
2620 const union sctp_subtype type,
2622 struct sctp_cmd_seq *commands)
2624 __be16 error = SCTP_ERROR_NO_ERROR;
2625 struct sctp_chunk *chunk = arg;
2628 /* See if we have an error cause code in the chunk. */
2629 len = ntohs(chunk->chunk_hdr->length);
2630 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2631 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2633 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2634 /* ASSOC_FAILED will DELETE_TCB. */
2635 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2636 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2637 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2639 return SCTP_DISPOSITION_ABORT;
2643 * Process an ABORT. (COOKIE-WAIT state)
2645 * See sctp_sf_do_9_1_abort() above.
2647 enum sctp_disposition sctp_sf_cookie_wait_abort(
2649 const struct sctp_endpoint *ep,
2650 const struct sctp_association *asoc,
2651 const union sctp_subtype type,
2653 struct sctp_cmd_seq *commands)
2655 __be16 error = SCTP_ERROR_NO_ERROR;
2656 struct sctp_chunk *chunk = arg;
2659 if (!sctp_vtag_verify_either(chunk, asoc))
2660 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2662 /* Make sure that the ABORT chunk has a valid length.
2663 * Since this is an ABORT chunk, we have to discard it
2664 * because of the following text:
2665 * RFC 2960, Section 3.3.7
2666 * If an endpoint receives an ABORT with a format error or for an
2667 * association that doesn't exist, it MUST silently discard it.
2668 * Because the length is "invalid", we can't really discard just
2669 * as we do not know its true length. So, to be safe, discard the
2672 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2673 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2675 /* See if we have an error cause code in the chunk. */
2676 len = ntohs(chunk->chunk_hdr->length);
2677 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2678 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2680 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2685 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2687 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort(
2689 const struct sctp_endpoint *ep,
2690 const struct sctp_association *asoc,
2691 const union sctp_subtype type,
2693 struct sctp_cmd_seq *commands)
2695 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2697 (struct sctp_transport *)arg);
2701 * Process an ABORT. (COOKIE-ECHOED state)
2703 enum sctp_disposition sctp_sf_cookie_echoed_abort(
2705 const struct sctp_endpoint *ep,
2706 const struct sctp_association *asoc,
2707 const union sctp_subtype type,
2709 struct sctp_cmd_seq *commands)
2711 /* There is a single T1 timer, so we should be able to use
2712 * common function with the COOKIE-WAIT state.
2714 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2718 * Stop T1 timer and abort association with "INIT failed".
2720 * This is common code called by several sctp_sf_*_abort() functions above.
2722 static enum sctp_disposition sctp_stop_t1_and_abort(
2724 struct sctp_cmd_seq *commands,
2725 __be16 error, int sk_err,
2726 const struct sctp_association *asoc,
2727 struct sctp_transport *transport)
2729 pr_debug("%s: ABORT received (INIT)\n", __func__);
2731 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2732 SCTP_STATE(SCTP_STATE_CLOSED));
2733 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2734 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2735 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2736 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2737 /* CMD_INIT_FAILED will DELETE_TCB. */
2738 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2741 return SCTP_DISPOSITION_ABORT;
2745 * sctp_sf_do_9_2_shut
2748 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2749 * - enter the SHUTDOWN-RECEIVED state,
2751 * - stop accepting new data from its SCTP user
2753 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2754 * that all its outstanding DATA chunks have been received by the
2757 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2758 * send a SHUTDOWN in response to a ULP request. And should discard
2759 * subsequent SHUTDOWN chunks.
2761 * If there are still outstanding DATA chunks left, the SHUTDOWN
2762 * receiver shall continue to follow normal data transmission
2763 * procedures defined in Section 6 until all outstanding DATA chunks
2764 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2765 * new data from its SCTP user.
2767 * Verification Tag: 8.5 Verification Tag [Normal verification]
2770 * (endpoint, asoc, chunk)
2773 * (asoc, reply_msg, msg_up, timers, counters)
2775 * The return value is the disposition of the chunk.
2777 enum sctp_disposition sctp_sf_do_9_2_shutdown(
2779 const struct sctp_endpoint *ep,
2780 const struct sctp_association *asoc,
2781 const union sctp_subtype type,
2783 struct sctp_cmd_seq *commands)
2785 enum sctp_disposition disposition;
2786 struct sctp_chunk *chunk = arg;
2787 struct sctp_shutdownhdr *sdh;
2788 struct sctp_ulpevent *ev;
2791 if (!sctp_vtag_verify(chunk, asoc))
2792 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2794 /* Make sure that the SHUTDOWN chunk has a valid length. */
2795 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2796 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2799 /* Convert the elaborate header. */
2800 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2801 skb_pull(chunk->skb, sizeof(*sdh));
2802 chunk->subh.shutdown_hdr = sdh;
2803 ctsn = ntohl(sdh->cum_tsn_ack);
2805 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2806 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2807 asoc->ctsn_ack_point);
2809 return SCTP_DISPOSITION_DISCARD;
2812 /* If Cumulative TSN Ack beyond the max tsn currently
2813 * send, terminating the association and respond to the
2814 * sender with an ABORT.
2816 if (!TSN_lt(ctsn, asoc->next_tsn))
2817 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2819 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2820 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2821 * inform the application that it should cease sending data.
2823 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2825 disposition = SCTP_DISPOSITION_NOMEM;
2828 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2830 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2831 * - enter the SHUTDOWN-RECEIVED state,
2832 * - stop accepting new data from its SCTP user
2834 * [This is implicit in the new state.]
2836 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2837 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2838 disposition = SCTP_DISPOSITION_CONSUME;
2840 if (sctp_outq_is_empty(&asoc->outqueue)) {
2841 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2845 if (SCTP_DISPOSITION_NOMEM == disposition)
2848 /* - verify, by checking the Cumulative TSN Ack field of the
2849 * chunk, that all its outstanding DATA chunks have been
2850 * received by the SHUTDOWN sender.
2852 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2853 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2860 * sctp_sf_do_9_2_shut_ctsn
2862 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2863 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2864 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2865 * MUST be processed.
2867 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
2869 const struct sctp_endpoint *ep,
2870 const struct sctp_association *asoc,
2871 const union sctp_subtype type,
2873 struct sctp_cmd_seq *commands)
2875 struct sctp_chunk *chunk = arg;
2876 struct sctp_shutdownhdr *sdh;
2879 if (!sctp_vtag_verify(chunk, asoc))
2880 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2882 /* Make sure that the SHUTDOWN chunk has a valid length. */
2883 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2884 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2887 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2888 ctsn = ntohl(sdh->cum_tsn_ack);
2890 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2891 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2892 asoc->ctsn_ack_point);
2894 return SCTP_DISPOSITION_DISCARD;
2897 /* If Cumulative TSN Ack beyond the max tsn currently
2898 * send, terminating the association and respond to the
2899 * sender with an ABORT.
2901 if (!TSN_lt(ctsn, asoc->next_tsn))
2902 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2904 /* verify, by checking the Cumulative TSN Ack field of the
2905 * chunk, that all its outstanding DATA chunks have been
2906 * received by the SHUTDOWN sender.
2908 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2909 SCTP_BE32(sdh->cum_tsn_ack));
2911 return SCTP_DISPOSITION_CONSUME;
2915 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2916 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2917 * transport addresses (either in the IP addresses or in the INIT chunk)
2918 * that belong to this association, it should discard the INIT chunk and
2919 * retransmit the SHUTDOWN ACK chunk.
2921 static enum sctp_disposition
2922 __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
2923 const struct sctp_association *asoc,
2924 const union sctp_subtype type, void *arg,
2925 struct sctp_cmd_seq *commands)
2927 struct sctp_chunk *chunk = arg;
2928 struct sctp_chunk *reply;
2930 /* Make sure that the chunk has a valid length */
2931 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2932 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2935 /* Since we are not going to really process this INIT, there
2936 * is no point in verifying chunk boundries. Just generate
2939 reply = sctp_make_shutdown_ack(asoc, chunk);
2943 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2944 * the T2-SHUTDOWN timer.
2946 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2948 /* and restart the T2-shutdown timer. */
2949 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2950 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2952 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2954 return SCTP_DISPOSITION_CONSUME;
2956 return SCTP_DISPOSITION_NOMEM;
2959 enum sctp_disposition
2960 sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
2961 const struct sctp_association *asoc,
2962 const union sctp_subtype type, void *arg,
2963 struct sctp_cmd_seq *commands)
2965 struct sctp_chunk *chunk = arg;
2967 if (!chunk->singleton)
2968 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2970 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
2971 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2973 if (chunk->sctp_hdr->vtag != 0)
2974 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
2976 return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands);
2980 * sctp_sf_do_ecn_cwr
2982 * Section: Appendix A: Explicit Congestion Notification
2986 * RFC 2481 details a specific bit for a sender to send in the header of
2987 * its next outbound TCP segment to indicate to its peer that it has
2988 * reduced its congestion window. This is termed the CWR bit. For
2989 * SCTP the same indication is made by including the CWR chunk.
2990 * This chunk contains one data element, i.e. the TSN number that
2991 * was sent in the ECNE chunk. This element represents the lowest
2992 * TSN number in the datagram that was originally marked with the
2995 * Verification Tag: 8.5 Verification Tag [Normal verification]
2997 * (endpoint, asoc, chunk)
3000 * (asoc, reply_msg, msg_up, timers, counters)
3002 * The return value is the disposition of the chunk.
3004 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net,
3005 const struct sctp_endpoint *ep,
3006 const struct sctp_association *asoc,
3007 const union sctp_subtype type,
3009 struct sctp_cmd_seq *commands)
3011 struct sctp_chunk *chunk = arg;
3012 struct sctp_cwrhdr *cwr;
3015 if (!sctp_vtag_verify(chunk, asoc))
3016 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3018 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3019 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3022 cwr = (struct sctp_cwrhdr *)chunk->skb->data;
3023 skb_pull(chunk->skb, sizeof(*cwr));
3025 lowest_tsn = ntohl(cwr->lowest_tsn);
3027 /* Does this CWR ack the last sent congestion notification? */
3028 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
3029 /* Stop sending ECNE. */
3030 sctp_add_cmd_sf(commands,
3032 SCTP_U32(lowest_tsn));
3034 return SCTP_DISPOSITION_CONSUME;
3040 * Section: Appendix A: Explicit Congestion Notification
3044 * RFC 2481 details a specific bit for a receiver to send back in its
3045 * TCP acknowledgements to notify the sender of the Congestion
3046 * Experienced (CE) bit having arrived from the network. For SCTP this
3047 * same indication is made by including the ECNE chunk. This chunk
3048 * contains one data element, i.e. the lowest TSN associated with the IP
3049 * datagram marked with the CE bit.....
3051 * Verification Tag: 8.5 Verification Tag [Normal verification]
3053 * (endpoint, asoc, chunk)
3056 * (asoc, reply_msg, msg_up, timers, counters)
3058 * The return value is the disposition of the chunk.
3060 enum sctp_disposition sctp_sf_do_ecne(struct net *net,
3061 const struct sctp_endpoint *ep,
3062 const struct sctp_association *asoc,
3063 const union sctp_subtype type,
3064 void *arg, struct sctp_cmd_seq *commands)
3066 struct sctp_chunk *chunk = arg;
3067 struct sctp_ecnehdr *ecne;
3069 if (!sctp_vtag_verify(chunk, asoc))
3070 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3072 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3073 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3076 ecne = (struct sctp_ecnehdr *)chunk->skb->data;
3077 skb_pull(chunk->skb, sizeof(*ecne));
3079 /* If this is a newer ECNE than the last CWR packet we sent out */
3080 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
3081 SCTP_U32(ntohl(ecne->lowest_tsn)));
3083 return SCTP_DISPOSITION_CONSUME;
3087 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
3089 * The SCTP endpoint MUST always acknowledge the reception of each valid
3092 * The guidelines on delayed acknowledgement algorithm specified in
3093 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
3094 * acknowledgement SHOULD be generated for at least every second packet
3095 * (not every second DATA chunk) received, and SHOULD be generated within
3096 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
3097 * situations it may be beneficial for an SCTP transmitter to be more
3098 * conservative than the algorithms detailed in this document allow.
3099 * However, an SCTP transmitter MUST NOT be more aggressive than the
3100 * following algorithms allow.
3102 * A SCTP receiver MUST NOT generate more than one SACK for every
3103 * incoming packet, other than to update the offered window as the
3104 * receiving application consumes new data.
3106 * Verification Tag: 8.5 Verification Tag [Normal verification]
3109 * (endpoint, asoc, chunk)
3112 * (asoc, reply_msg, msg_up, timers, counters)
3114 * The return value is the disposition of the chunk.
3116 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net,
3117 const struct sctp_endpoint *ep,
3118 const struct sctp_association *asoc,
3119 const union sctp_subtype type,
3121 struct sctp_cmd_seq *commands)
3123 union sctp_arg force = SCTP_NOFORCE();
3124 struct sctp_chunk *chunk = arg;
3127 if (!sctp_vtag_verify(chunk, asoc)) {
3128 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3130 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3133 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3134 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3137 error = sctp_eat_data(asoc, chunk, commands);
3139 case SCTP_IERROR_NO_ERROR:
3141 case SCTP_IERROR_HIGH_TSN:
3142 case SCTP_IERROR_BAD_STREAM:
3143 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3144 goto discard_noforce;
3145 case SCTP_IERROR_DUP_TSN:
3146 case SCTP_IERROR_IGNORE_TSN:
3147 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3149 case SCTP_IERROR_NO_DATA:
3150 return SCTP_DISPOSITION_ABORT;
3151 case SCTP_IERROR_PROTO_VIOLATION:
3152 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3153 (u8 *)chunk->subh.data_hdr,
3154 sctp_datahdr_len(&asoc->stream));
3159 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
3160 force = SCTP_FORCE();
3162 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3163 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3164 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3167 /* If this is the last chunk in a packet, we need to count it
3168 * toward sack generation. Note that we need to SACK every
3169 * OTHER packet containing data chunks, EVEN IF WE DISCARD
3170 * THEM. We elect to NOT generate SACK's if the chunk fails
3171 * the verification tag test.
3173 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3175 * The SCTP endpoint MUST always acknowledge the reception of
3176 * each valid DATA chunk.
3178 * The guidelines on delayed acknowledgement algorithm
3179 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
3180 * Specifically, an acknowledgement SHOULD be generated for at
3181 * least every second packet (not every second DATA chunk)
3182 * received, and SHOULD be generated within 200 ms of the
3183 * arrival of any unacknowledged DATA chunk. In some
3184 * situations it may be beneficial for an SCTP transmitter to
3185 * be more conservative than the algorithms detailed in this
3186 * document allow. However, an SCTP transmitter MUST NOT be
3187 * more aggressive than the following algorithms allow.
3189 if (chunk->end_of_packet)
3190 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3192 return SCTP_DISPOSITION_CONSUME;
3195 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3197 * When a packet arrives with duplicate DATA chunk(s) and with
3198 * no new DATA chunk(s), the endpoint MUST immediately send a
3199 * SACK with no delay. If a packet arrives with duplicate
3200 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3201 * MAY immediately send a SACK. Normally receipt of duplicate
3202 * DATA chunks will occur when the original SACK chunk was lost
3203 * and the peer's RTO has expired. The duplicate TSN number(s)
3204 * SHOULD be reported in the SACK as duplicate.
3206 /* In our case, we split the MAY SACK advice up whether or not
3207 * the last chunk is a duplicate.'
3209 if (chunk->end_of_packet)
3210 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3211 return SCTP_DISPOSITION_DISCARD;
3214 if (chunk->end_of_packet)
3215 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3217 return SCTP_DISPOSITION_DISCARD;
3221 * sctp_sf_eat_data_fast_4_4
3224 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3225 * DATA chunks without delay.
3227 * Verification Tag: 8.5 Verification Tag [Normal verification]
3229 * (endpoint, asoc, chunk)
3232 * (asoc, reply_msg, msg_up, timers, counters)
3234 * The return value is the disposition of the chunk.
3236 enum sctp_disposition sctp_sf_eat_data_fast_4_4(
3238 const struct sctp_endpoint *ep,
3239 const struct sctp_association *asoc,
3240 const union sctp_subtype type,
3242 struct sctp_cmd_seq *commands)
3244 struct sctp_chunk *chunk = arg;
3247 if (!sctp_vtag_verify(chunk, asoc)) {
3248 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3250 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3253 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3254 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3257 error = sctp_eat_data(asoc, chunk, commands);
3259 case SCTP_IERROR_NO_ERROR:
3260 case SCTP_IERROR_HIGH_TSN:
3261 case SCTP_IERROR_DUP_TSN:
3262 case SCTP_IERROR_IGNORE_TSN:
3263 case SCTP_IERROR_BAD_STREAM:
3265 case SCTP_IERROR_NO_DATA:
3266 return SCTP_DISPOSITION_ABORT;
3267 case SCTP_IERROR_PROTO_VIOLATION:
3268 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3269 (u8 *)chunk->subh.data_hdr,
3270 sctp_datahdr_len(&asoc->stream));
3275 /* Go a head and force a SACK, since we are shutting down. */
3277 /* Implementor's Guide.
3279 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3280 * respond to each received packet containing one or more DATA chunk(s)
3281 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3283 if (chunk->end_of_packet) {
3284 /* We must delay the chunk creation since the cumulative
3285 * TSN has not been updated yet.
3287 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3288 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3289 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3290 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3293 return SCTP_DISPOSITION_CONSUME;
3297 * Section: 6.2 Processing a Received SACK
3298 * D) Any time a SACK arrives, the endpoint performs the following:
3300 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3301 * then drop the SACK. Since Cumulative TSN Ack is monotonically
3302 * increasing, a SACK whose Cumulative TSN Ack is less than the
3303 * Cumulative TSN Ack Point indicates an out-of-order SACK.
3305 * ii) Set rwnd equal to the newly received a_rwnd minus the number
3306 * of bytes still outstanding after processing the Cumulative TSN Ack
3307 * and the Gap Ack Blocks.
3309 * iii) If the SACK is missing a TSN that was previously
3310 * acknowledged via a Gap Ack Block (e.g., the data receiver
3311 * reneged on the data), then mark the corresponding DATA chunk
3312 * as available for retransmit: Mark it as missing for fast
3313 * retransmit as described in Section 7.2.4 and if no retransmit
3314 * timer is running for the destination address to which the DATA
3315 * chunk was originally transmitted, then T3-rtx is started for
3316 * that destination address.
3318 * Verification Tag: 8.5 Verification Tag [Normal verification]
3321 * (endpoint, asoc, chunk)
3324 * (asoc, reply_msg, msg_up, timers, counters)
3326 * The return value is the disposition of the chunk.
3328 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net,
3329 const struct sctp_endpoint *ep,
3330 const struct sctp_association *asoc,
3331 const union sctp_subtype type,
3333 struct sctp_cmd_seq *commands)
3335 struct sctp_chunk *chunk = arg;
3336 struct sctp_sackhdr *sackh;
3339 if (!sctp_vtag_verify(chunk, asoc))
3340 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3342 /* Make sure that the SACK chunk has a valid length. */
3343 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
3344 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3347 /* Pull the SACK chunk from the data buffer */
3348 sackh = sctp_sm_pull_sack(chunk);
3349 /* Was this a bogus SACK? */
3351 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3352 chunk->subh.sack_hdr = sackh;
3353 ctsn = ntohl(sackh->cum_tsn_ack);
3355 /* If Cumulative TSN Ack beyond the max tsn currently
3356 * send, terminating the association and respond to the
3357 * sender with an ABORT.
3359 if (TSN_lte(asoc->next_tsn, ctsn))
3360 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3362 trace_sctp_probe(ep, asoc, chunk);
3364 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3365 * Ack Point, then drop the SACK. Since Cumulative TSN
3366 * Ack is monotonically increasing, a SACK whose
3367 * Cumulative TSN Ack is less than the Cumulative TSN Ack
3368 * Point indicates an out-of-order SACK.
3370 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3371 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3372 asoc->ctsn_ack_point);
3374 return SCTP_DISPOSITION_DISCARD;
3377 /* Return this SACK for further processing. */
3378 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3380 /* Note: We do the rest of the work on the PROCESS_SACK
3383 return SCTP_DISPOSITION_CONSUME;
3387 * Generate an ABORT in response to a packet.
3389 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3391 * 8) The receiver should respond to the sender of the OOTB packet with
3392 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3393 * MUST fill in the Verification Tag field of the outbound packet
3394 * with the value found in the Verification Tag field of the OOTB
3395 * packet and set the T-bit in the Chunk Flags to indicate that the
3396 * Verification Tag is reflected. After sending this ABORT, the
3397 * receiver of the OOTB packet shall discard the OOTB packet and take
3398 * no further action.
3402 * The return value is the disposition of the chunk.
3404 static enum sctp_disposition sctp_sf_tabort_8_4_8(
3406 const struct sctp_endpoint *ep,
3407 const struct sctp_association *asoc,
3408 const union sctp_subtype type,
3410 struct sctp_cmd_seq *commands)
3412 struct sctp_packet *packet = NULL;
3413 struct sctp_chunk *chunk = arg;
3414 struct sctp_chunk *abort;
3416 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3418 return SCTP_DISPOSITION_NOMEM;
3420 /* Make an ABORT. The T bit will be set if the asoc
3423 abort = sctp_make_abort(asoc, chunk, 0);
3425 sctp_ootb_pkt_free(packet);
3426 return SCTP_DISPOSITION_NOMEM;
3429 /* Reflect vtag if T-Bit is set */
3430 if (sctp_test_T_bit(abort))
3431 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3433 /* Set the skb to the belonging sock for accounting. */
3434 abort->skb->sk = ep->base.sk;
3436 sctp_packet_append_chunk(packet, abort);
3438 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3439 SCTP_PACKET(packet));
3441 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3443 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3444 return SCTP_DISPOSITION_CONSUME;
3448 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3449 * event as ULP notification for each cause included in the chunk.
3451 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3453 * The return value is the disposition of the chunk.
3455 enum sctp_disposition sctp_sf_operr_notify(struct net *net,
3456 const struct sctp_endpoint *ep,
3457 const struct sctp_association *asoc,
3458 const union sctp_subtype type,
3460 struct sctp_cmd_seq *commands)
3462 struct sctp_chunk *chunk = arg;
3463 struct sctp_errhdr *err;
3465 if (!sctp_vtag_verify(chunk, asoc))
3466 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3468 /* Make sure that the ERROR chunk has a valid length. */
3469 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
3470 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3472 sctp_walk_errors(err, chunk->chunk_hdr);
3473 if ((void *)err != (void *)chunk->chunk_end)
3474 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3475 (void *)err, commands);
3477 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3480 return SCTP_DISPOSITION_CONSUME;
3484 * Process an inbound SHUTDOWN ACK.
3487 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3488 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3489 * peer, and remove all record of the association.
3491 * The return value is the disposition.
3493 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
3494 const struct sctp_endpoint *ep,
3495 const struct sctp_association *asoc,
3496 const union sctp_subtype type,
3498 struct sctp_cmd_seq *commands)
3500 struct sctp_chunk *chunk = arg;
3501 struct sctp_chunk *reply;
3502 struct sctp_ulpevent *ev;
3504 if (!sctp_vtag_verify(chunk, asoc))
3505 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3507 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3508 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3509 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3511 /* 10.2 H) SHUTDOWN COMPLETE notification
3513 * When SCTP completes the shutdown procedures (section 9.2) this
3514 * notification is passed to the upper layer.
3516 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3517 0, 0, 0, NULL, GFP_ATOMIC);
3521 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3522 reply = sctp_make_shutdown_complete(asoc, chunk);
3526 /* Do all the commands now (after allocation), so that we
3527 * have consistent state if memory allocation failes
3529 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3531 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3532 * stop the T2-shutdown timer,
3534 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3535 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3537 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3538 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3540 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3541 SCTP_STATE(SCTP_STATE_CLOSED));
3542 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3543 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3544 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3546 /* ...and remove all record of the association. */
3547 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3548 return SCTP_DISPOSITION_DELETE_TCB;
3551 sctp_ulpevent_free(ev);
3553 return SCTP_DISPOSITION_NOMEM;
3557 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3559 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3560 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3561 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3562 * packet must fill in the Verification Tag field of the outbound
3563 * packet with the Verification Tag received in the SHUTDOWN ACK and
3564 * set the T-bit in the Chunk Flags to indicate that the Verification
3567 * 8) The receiver should respond to the sender of the OOTB packet with
3568 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3569 * MUST fill in the Verification Tag field of the outbound packet
3570 * with the value found in the Verification Tag field of the OOTB
3571 * packet and set the T-bit in the Chunk Flags to indicate that the
3572 * Verification Tag is reflected. After sending this ABORT, the
3573 * receiver of the OOTB packet shall discard the OOTB packet and take
3574 * no further action.
3576 enum sctp_disposition sctp_sf_ootb(struct net *net,
3577 const struct sctp_endpoint *ep,
3578 const struct sctp_association *asoc,
3579 const union sctp_subtype type,
3580 void *arg, struct sctp_cmd_seq *commands)
3582 struct sctp_chunk *chunk = arg;
3583 struct sk_buff *skb = chunk->skb;
3584 struct sctp_chunkhdr *ch;
3585 struct sctp_errhdr *err;
3586 int ootb_cookie_ack = 0;
3587 int ootb_shut_ack = 0;
3590 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3592 if (asoc && !sctp_vtag_verify(chunk, asoc))
3595 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
3597 /* Report violation if the chunk is less then minimal */
3598 if (ntohs(ch->length) < sizeof(*ch))
3599 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3602 /* Report violation if chunk len overflows */
3603 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3604 if (ch_end > skb_tail_pointer(skb))
3605 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3608 /* Now that we know we at least have a chunk header,
3609 * do things that are type appropriate.
3611 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3614 /* RFC 2960, Section 3.3.7
3615 * Moreover, under any circumstances, an endpoint that
3616 * receives an ABORT MUST NOT respond to that ABORT by
3617 * sending an ABORT of its own.
3619 if (SCTP_CID_ABORT == ch->type)
3620 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3622 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3623 * or a COOKIE ACK the SCTP Packet should be silently
3627 if (SCTP_CID_COOKIE_ACK == ch->type)
3628 ootb_cookie_ack = 1;
3630 if (SCTP_CID_ERROR == ch->type) {
3631 sctp_walk_errors(err, ch) {
3632 if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3633 ootb_cookie_ack = 1;
3639 ch = (struct sctp_chunkhdr *)ch_end;
3640 } while (ch_end < skb_tail_pointer(skb));
3643 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3644 else if (ootb_cookie_ack)
3645 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3647 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3651 * Handle an "Out of the blue" SHUTDOWN ACK.
3653 * Section: 8.4 5, sctpimpguide 2.41.
3655 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3656 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3657 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3658 * packet must fill in the Verification Tag field of the outbound
3659 * packet with the Verification Tag received in the SHUTDOWN ACK and
3660 * set the T-bit in the Chunk Flags to indicate that the Verification
3664 * (endpoint, asoc, type, arg, commands)
3667 * (enum sctp_disposition)
3669 * The return value is the disposition of the chunk.
3671 static enum sctp_disposition sctp_sf_shut_8_4_5(
3673 const struct sctp_endpoint *ep,
3674 const struct sctp_association *asoc,
3675 const union sctp_subtype type,
3677 struct sctp_cmd_seq *commands)
3679 struct sctp_packet *packet = NULL;
3680 struct sctp_chunk *chunk = arg;
3681 struct sctp_chunk *shut;
3683 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3685 return SCTP_DISPOSITION_NOMEM;
3687 /* Make an SHUTDOWN_COMPLETE.
3688 * The T bit will be set if the asoc is NULL.
3690 shut = sctp_make_shutdown_complete(asoc, chunk);
3692 sctp_ootb_pkt_free(packet);
3693 return SCTP_DISPOSITION_NOMEM;
3696 /* Reflect vtag if T-Bit is set */
3697 if (sctp_test_T_bit(shut))
3698 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3700 /* Set the skb to the belonging sock for accounting. */
3701 shut->skb->sk = ep->base.sk;
3703 sctp_packet_append_chunk(packet, shut);
3705 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3706 SCTP_PACKET(packet));
3708 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3710 /* We need to discard the rest of the packet to prevent
3711 * potential bomming attacks from additional bundled chunks.
3712 * This is documented in SCTP Threats ID.
3714 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3718 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3720 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3721 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3722 * procedures in section 8.4 SHOULD be followed, in other words it
3723 * should be treated as an Out Of The Blue packet.
3724 * [This means that we do NOT check the Verification Tag on these
3728 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
3729 const struct sctp_endpoint *ep,
3730 const struct sctp_association *asoc,
3731 const union sctp_subtype type,
3733 struct sctp_cmd_seq *commands)
3735 struct sctp_chunk *chunk = arg;
3737 if (!sctp_vtag_verify(chunk, asoc))
3740 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3741 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3742 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3745 /* Although we do have an association in this case, it corresponds
3746 * to a restarted association. So the packet is treated as an OOTB
3747 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3748 * called with a NULL association.
3750 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3752 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3755 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
3756 enum sctp_disposition sctp_sf_do_asconf(struct net *net,
3757 const struct sctp_endpoint *ep,
3758 const struct sctp_association *asoc,
3759 const union sctp_subtype type,
3761 struct sctp_cmd_seq *commands)
3763 struct sctp_paramhdr *err_param = NULL;
3764 struct sctp_chunk *asconf_ack = NULL;
3765 struct sctp_chunk *chunk = arg;
3766 struct sctp_addiphdr *hdr;
3769 if (!sctp_vtag_verify(chunk, asoc)) {
3770 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3772 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3775 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3776 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
3777 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3780 /* ADD-IP: Section 4.1.1
3781 * This chunk MUST be sent in an authenticated way by using
3782 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3783 * is received unauthenticated it MUST be silently discarded as
3784 * described in [I-D.ietf-tsvwg-sctp-auth].
3786 if (!asoc->peer.asconf_capable ||
3787 (!net->sctp.addip_noauth && !chunk->auth))
3788 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3790 hdr = (struct sctp_addiphdr *)chunk->skb->data;
3791 serial = ntohl(hdr->serial);
3793 /* Verify the ASCONF chunk before processing it. */
3794 if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3795 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3796 (void *)err_param, commands);
3798 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3799 * the endpoint stored in a new association variable
3800 * 'Peer-Serial-Number'.
3802 if (serial == asoc->peer.addip_serial + 1) {
3803 /* If this is the first instance of ASCONF in the packet,
3804 * we can clean our old ASCONF-ACKs.
3806 if (!chunk->has_asconf)
3807 sctp_assoc_clean_asconf_ack_cache(asoc);
3809 /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3810 * expected, process the ASCONF as described below and after
3811 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3812 * the response packet and cache a copy of it (in the event it
3813 * later needs to be retransmitted).
3815 * Essentially, do V1-V5.
3817 asconf_ack = sctp_process_asconf((struct sctp_association *)
3820 return SCTP_DISPOSITION_NOMEM;
3821 } else if (serial < asoc->peer.addip_serial + 1) {
3823 * If the value found in the Sequence Number is less than the
3824 * ('Peer- Sequence-Number' + 1), simply skip to the next
3825 * ASCONF, and include in the outbound response packet
3826 * any previously cached ASCONF-ACK response that was
3827 * sent and saved that matches the Sequence Number of the
3828 * ASCONF. Note: It is possible that no cached ASCONF-ACK
3829 * Chunk exists. This will occur when an older ASCONF
3830 * arrives out of order. In such a case, the receiver
3831 * should skip the ASCONF Chunk and not include ASCONF-ACK
3832 * Chunk for that chunk.
3834 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3836 return SCTP_DISPOSITION_DISCARD;
3838 /* Reset the transport so that we select the correct one
3839 * this time around. This is to make sure that we don't
3840 * accidentally use a stale transport that's been removed.
3842 asconf_ack->transport = NULL;
3844 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3845 * it must be either a stale packet or from an attacker.
3847 return SCTP_DISPOSITION_DISCARD;
3850 /* ADDIP 5.2 E6) The destination address of the SCTP packet
3851 * containing the ASCONF-ACK Chunks MUST be the source address of
3852 * the SCTP packet that held the ASCONF Chunks.
3854 * To do this properly, we'll set the destination address of the chunk
3855 * and at the transmit time, will try look up the transport to use.
3856 * Since ASCONFs may be bundled, the correct transport may not be
3857 * created until we process the entire packet, thus this workaround.
3859 asconf_ack->dest = chunk->source;
3860 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3861 if (asoc->new_transport) {
3862 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3863 ((struct sctp_association *)asoc)->new_transport = NULL;
3866 return SCTP_DISPOSITION_CONSUME;
3869 static enum sctp_disposition sctp_send_next_asconf(
3871 const struct sctp_endpoint *ep,
3872 struct sctp_association *asoc,
3873 const union sctp_subtype type,
3874 struct sctp_cmd_seq *commands)
3876 struct sctp_chunk *asconf;
3877 struct list_head *entry;
3879 if (list_empty(&asoc->addip_chunk_list))
3880 return SCTP_DISPOSITION_CONSUME;
3882 entry = asoc->addip_chunk_list.next;
3883 asconf = list_entry(entry, struct sctp_chunk, list);
3885 list_del_init(entry);
3886 sctp_chunk_hold(asconf);
3887 asoc->addip_last_asconf = asconf;
3889 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands);
3893 * ADDIP Section 4.3 General rules for address manipulation
3894 * When building TLV parameters for the ASCONF Chunk that will add or
3895 * delete IP addresses the D0 to D13 rules should be applied:
3897 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
3898 const struct sctp_endpoint *ep,
3899 const struct sctp_association *asoc,
3900 const union sctp_subtype type,
3902 struct sctp_cmd_seq *commands)
3904 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3905 struct sctp_paramhdr *err_param = NULL;
3906 struct sctp_chunk *asconf_ack = arg;
3907 struct sctp_addiphdr *addip_hdr;
3908 __u32 sent_serial, rcvd_serial;
3909 struct sctp_chunk *abort;
3911 if (!sctp_vtag_verify(asconf_ack, asoc)) {
3912 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3914 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3917 /* Make sure that the ADDIP chunk has a valid length. */
3918 if (!sctp_chunk_length_valid(asconf_ack,
3919 sizeof(struct sctp_addip_chunk)))
3920 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3923 /* ADD-IP, Section 4.1.2:
3924 * This chunk MUST be sent in an authenticated way by using
3925 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3926 * is received unauthenticated it MUST be silently discarded as
3927 * described in [I-D.ietf-tsvwg-sctp-auth].
3929 if (!asoc->peer.asconf_capable ||
3930 (!net->sctp.addip_noauth && !asconf_ack->auth))
3931 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3933 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
3934 rcvd_serial = ntohl(addip_hdr->serial);
3936 /* Verify the ASCONF-ACK chunk before processing it. */
3937 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
3938 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3939 (void *)err_param, commands);
3942 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr;
3943 sent_serial = ntohl(addip_hdr->serial);
3945 sent_serial = asoc->addip_serial - 1;
3948 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3949 * equal to the next serial number to be used but no ASCONF chunk is
3950 * outstanding the endpoint MUST ABORT the association. Note that a
3951 * sequence number is greater than if it is no more than 2^^31-1
3952 * larger than the current sequence number (using serial arithmetic).
3954 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3955 !(asoc->addip_last_asconf)) {
3956 abort = sctp_make_abort(asoc, asconf_ack,
3957 sizeof(struct sctp_errhdr));
3959 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3960 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3963 /* We are going to ABORT, so we might as well stop
3964 * processing the rest of the chunks in the packet.
3966 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3967 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3968 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
3969 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3970 SCTP_ERROR(ECONNABORTED));
3971 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3972 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3973 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3974 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3975 return SCTP_DISPOSITION_ABORT;
3978 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3979 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3980 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3982 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3984 return sctp_send_next_asconf(net, ep,
3985 (struct sctp_association *)asoc,
3988 abort = sctp_make_abort(asoc, asconf_ack,
3989 sizeof(struct sctp_errhdr));
3991 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3992 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3995 /* We are going to ABORT, so we might as well stop
3996 * processing the rest of the chunks in the packet.
3998 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
3999 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4000 SCTP_ERROR(ECONNABORTED));
4001 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4002 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4003 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4004 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4005 return SCTP_DISPOSITION_ABORT;
4008 return SCTP_DISPOSITION_DISCARD;
4011 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */
4012 enum sctp_disposition sctp_sf_do_reconf(struct net *net,
4013 const struct sctp_endpoint *ep,
4014 const struct sctp_association *asoc,
4015 const union sctp_subtype type,
4017 struct sctp_cmd_seq *commands)
4019 struct sctp_paramhdr *err_param = NULL;
4020 struct sctp_chunk *chunk = arg;
4021 struct sctp_reconf_chunk *hdr;
4022 union sctp_params param;
4024 if (!sctp_vtag_verify(chunk, asoc)) {
4025 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4027 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4030 /* Make sure that the RECONF chunk has a valid length. */
4031 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
4032 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4035 if (!sctp_verify_reconf(asoc, chunk, &err_param))
4036 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4037 (void *)err_param, commands);
4039 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
4040 sctp_walk_params(param, hdr, params) {
4041 struct sctp_chunk *reply = NULL;
4042 struct sctp_ulpevent *ev = NULL;
4044 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST)
4045 reply = sctp_process_strreset_outreq(
4046 (struct sctp_association *)asoc, param, &ev);
4047 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
4048 reply = sctp_process_strreset_inreq(
4049 (struct sctp_association *)asoc, param, &ev);
4050 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
4051 reply = sctp_process_strreset_tsnreq(
4052 (struct sctp_association *)asoc, param, &ev);
4053 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS)
4054 reply = sctp_process_strreset_addstrm_out(
4055 (struct sctp_association *)asoc, param, &ev);
4056 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS)
4057 reply = sctp_process_strreset_addstrm_in(
4058 (struct sctp_association *)asoc, param, &ev);
4059 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE)
4060 reply = sctp_process_strreset_resp(
4061 (struct sctp_association *)asoc, param, &ev);
4064 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4068 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4072 return SCTP_DISPOSITION_CONSUME;
4076 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
4078 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
4079 * its cumulative TSN point to the value carried in the FORWARD TSN
4080 * chunk, and then MUST further advance its cumulative TSN point locally
4082 * After the above processing, the data receiver MUST stop reporting any
4083 * missing TSNs earlier than or equal to the new cumulative TSN point.
4085 * Verification Tag: 8.5 Verification Tag [Normal verification]
4087 * The return value is the disposition of the chunk.
4089 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net,
4090 const struct sctp_endpoint *ep,
4091 const struct sctp_association *asoc,
4092 const union sctp_subtype type,
4094 struct sctp_cmd_seq *commands)
4096 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4097 struct sctp_chunk *chunk = arg;
4101 if (!sctp_vtag_verify(chunk, asoc)) {
4102 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4104 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4107 if (!asoc->peer.prsctp_capable)
4108 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4110 /* Make sure that the FORWARD_TSN chunk has valid length. */
4111 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4112 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4115 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4116 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4117 len = ntohs(chunk->chunk_hdr->length);
4118 len -= sizeof(struct sctp_chunkhdr);
4119 skb_pull(chunk->skb, len);
4121 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4122 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4124 /* The TSN is too high--silently discard the chunk and count on it
4125 * getting retransmitted later.
4127 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4128 goto discard_noforce;
4130 if (!asoc->stream.si->validate_ftsn(chunk))
4131 goto discard_noforce;
4133 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4134 if (len > sctp_ftsnhdr_len(&asoc->stream))
4135 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4138 /* Count this as receiving DATA. */
4139 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
4140 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4141 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4144 /* FIXME: For now send a SACK, but DATA processing may
4147 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
4149 return SCTP_DISPOSITION_CONSUME;
4152 return SCTP_DISPOSITION_DISCARD;
4155 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
4157 const struct sctp_endpoint *ep,
4158 const struct sctp_association *asoc,
4159 const union sctp_subtype type,
4161 struct sctp_cmd_seq *commands)
4163 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4164 struct sctp_chunk *chunk = arg;
4168 if (!sctp_vtag_verify(chunk, asoc)) {
4169 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4171 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4174 if (!asoc->peer.prsctp_capable)
4175 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4177 /* Make sure that the FORWARD_TSN chunk has a valid length. */
4178 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4179 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4182 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4183 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4184 len = ntohs(chunk->chunk_hdr->length);
4185 len -= sizeof(struct sctp_chunkhdr);
4186 skb_pull(chunk->skb, len);
4188 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4189 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4191 /* The TSN is too high--silently discard the chunk and count on it
4192 * getting retransmitted later.
4194 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4197 if (!asoc->stream.si->validate_ftsn(chunk))
4200 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4201 if (len > sctp_ftsnhdr_len(&asoc->stream))
4202 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4205 /* Go a head and force a SACK, since we are shutting down. */
4207 /* Implementor's Guide.
4209 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
4210 * respond to each received packet containing one or more DATA chunk(s)
4211 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
4213 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
4214 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4215 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4216 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4218 return SCTP_DISPOSITION_CONSUME;
4222 * SCTP-AUTH Section 6.3 Receiving authenticated chukns
4224 * The receiver MUST use the HMAC algorithm indicated in the HMAC
4225 * Identifier field. If this algorithm was not specified by the
4226 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
4227 * during association setup, the AUTH chunk and all chunks after it MUST
4228 * be discarded and an ERROR chunk SHOULD be sent with the error cause
4229 * defined in Section 4.1.
4231 * If an endpoint with no shared key receives a Shared Key Identifier
4232 * other than 0, it MUST silently discard all authenticated chunks. If
4233 * the endpoint has at least one endpoint pair shared key for the peer,
4234 * it MUST use the key specified by the Shared Key Identifier if a
4235 * key has been configured for that Shared Key Identifier. If no
4236 * endpoint pair shared key has been configured for that Shared Key
4237 * Identifier, all authenticated chunks MUST be silently discarded.
4239 * Verification Tag: 8.5 Verification Tag [Normal verification]
4241 * The return value is the disposition of the chunk.
4243 static enum sctp_ierror sctp_sf_authenticate(
4244 const struct sctp_association *asoc,
4245 struct sctp_chunk *chunk)
4247 struct sctp_shared_key *sh_key = NULL;
4248 struct sctp_authhdr *auth_hdr;
4249 __u8 *save_digest, *digest;
4250 struct sctp_hmac *hmac;
4251 unsigned int sig_len;
4254 /* Pull in the auth header, so we can do some more verification */
4255 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4256 chunk->subh.auth_hdr = auth_hdr;
4257 skb_pull(chunk->skb, sizeof(*auth_hdr));
4259 /* Make sure that we support the HMAC algorithm from the auth
4262 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4263 return SCTP_IERROR_AUTH_BAD_HMAC;
4265 /* Make sure that the provided shared key identifier has been
4268 key_id = ntohs(auth_hdr->shkey_id);
4269 if (key_id != asoc->active_key_id) {
4270 sh_key = sctp_auth_get_shkey(asoc, key_id);
4272 return SCTP_IERROR_AUTH_BAD_KEYID;
4275 /* Make sure that the length of the signature matches what
4278 sig_len = ntohs(chunk->chunk_hdr->length) -
4279 sizeof(struct sctp_auth_chunk);
4280 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4281 if (sig_len != hmac->hmac_len)
4282 return SCTP_IERROR_PROTO_VIOLATION;
4284 /* Now that we've done validation checks, we can compute and
4285 * verify the hmac. The steps involved are:
4286 * 1. Save the digest from the chunk.
4287 * 2. Zero out the digest in the chunk.
4288 * 3. Compute the new digest
4289 * 4. Compare saved and new digests.
4291 digest = auth_hdr->hmac;
4292 skb_pull(chunk->skb, sig_len);
4294 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4298 memset(digest, 0, sig_len);
4300 sctp_auth_calculate_hmac(asoc, chunk->skb,
4301 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4302 sh_key, GFP_ATOMIC);
4304 /* Discard the packet if the digests do not match */
4305 if (memcmp(save_digest, digest, sig_len)) {
4307 return SCTP_IERROR_BAD_SIG;
4313 return SCTP_IERROR_NO_ERROR;
4315 return SCTP_IERROR_NOMEM;
4318 enum sctp_disposition sctp_sf_eat_auth(struct net *net,
4319 const struct sctp_endpoint *ep,
4320 const struct sctp_association *asoc,
4321 const union sctp_subtype type,
4322 void *arg, struct sctp_cmd_seq *commands)
4324 struct sctp_chunk *chunk = arg;
4325 struct sctp_authhdr *auth_hdr;
4326 struct sctp_chunk *err_chunk;
4327 enum sctp_ierror error;
4329 /* Make sure that the peer has AUTH capable */
4330 if (!asoc->peer.auth_capable)
4331 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4333 if (!sctp_vtag_verify(chunk, asoc)) {
4334 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4336 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4339 /* Make sure that the AUTH chunk has valid length. */
4340 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4341 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4344 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4345 error = sctp_sf_authenticate(asoc, chunk);
4347 case SCTP_IERROR_AUTH_BAD_HMAC:
4348 /* Generate the ERROR chunk and discard the rest
4351 err_chunk = sctp_make_op_error(asoc, chunk,
4352 SCTP_ERROR_UNSUP_HMAC,
4356 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4357 SCTP_CHUNK(err_chunk));
4360 case SCTP_IERROR_AUTH_BAD_KEYID:
4361 case SCTP_IERROR_BAD_SIG:
4362 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4364 case SCTP_IERROR_PROTO_VIOLATION:
4365 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4368 case SCTP_IERROR_NOMEM:
4369 return SCTP_DISPOSITION_NOMEM;
4371 default: /* Prevent gcc warnings */
4375 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4376 struct sctp_ulpevent *ev;
4378 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4379 SCTP_AUTH_NEW_KEY, GFP_ATOMIC);
4382 return SCTP_DISPOSITION_NOMEM;
4384 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4388 return SCTP_DISPOSITION_CONSUME;
4392 * Process an unknown chunk.
4394 * Section: 3.2. Also, 2.1 in the implementor's guide.
4396 * Chunk Types are encoded such that the highest-order two bits specify
4397 * the action that must be taken if the processing endpoint does not
4398 * recognize the Chunk Type.
4400 * 00 - Stop processing this SCTP packet and discard it, do not process
4401 * any further chunks within it.
4403 * 01 - Stop processing this SCTP packet and discard it, do not process
4404 * any further chunks within it, and report the unrecognized
4405 * chunk in an 'Unrecognized Chunk Type'.
4407 * 10 - Skip this chunk and continue processing.
4409 * 11 - Skip this chunk and continue processing, but report in an ERROR
4410 * Chunk using the 'Unrecognized Chunk Type' cause of error.
4412 * The return value is the disposition of the chunk.
4414 enum sctp_disposition sctp_sf_unk_chunk(struct net *net,
4415 const struct sctp_endpoint *ep,
4416 const struct sctp_association *asoc,
4417 const union sctp_subtype type,
4419 struct sctp_cmd_seq *commands)
4421 struct sctp_chunk *unk_chunk = arg;
4422 struct sctp_chunk *err_chunk;
4423 struct sctp_chunkhdr *hdr;
4425 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);
4427 if (!sctp_vtag_verify(unk_chunk, asoc))
4428 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4430 /* Make sure that the chunk has a valid length.
4431 * Since we don't know the chunk type, we use a general
4432 * chunkhdr structure to make a comparison.
4434 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr)))
4435 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4438 switch (type.chunk & SCTP_CID_ACTION_MASK) {
4439 case SCTP_CID_ACTION_DISCARD:
4440 /* Discard the packet. */
4441 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4442 case SCTP_CID_ACTION_DISCARD_ERR:
4443 /* Generate an ERROR chunk as response. */
4444 hdr = unk_chunk->chunk_hdr;
4445 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4446 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4447 SCTP_PAD4(ntohs(hdr->length)),
4450 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4451 SCTP_CHUNK(err_chunk));
4454 /* Discard the packet. */
4455 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4456 return SCTP_DISPOSITION_CONSUME;
4457 case SCTP_CID_ACTION_SKIP:
4458 /* Skip the chunk. */
4459 return SCTP_DISPOSITION_DISCARD;
4460 case SCTP_CID_ACTION_SKIP_ERR:
4461 /* Generate an ERROR chunk as response. */
4462 hdr = unk_chunk->chunk_hdr;
4463 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4464 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4465 SCTP_PAD4(ntohs(hdr->length)),
4468 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4469 SCTP_CHUNK(err_chunk));
4471 /* Skip the chunk. */
4472 return SCTP_DISPOSITION_CONSUME;
4477 return SCTP_DISPOSITION_DISCARD;
4481 * Discard the chunk.
4483 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4484 * [Too numerous to mention...]
4485 * Verification Tag: No verification needed.
4487 * (endpoint, asoc, chunk)
4490 * (asoc, reply_msg, msg_up, timers, counters)
4492 * The return value is the disposition of the chunk.
4494 enum sctp_disposition sctp_sf_discard_chunk(struct net *net,
4495 const struct sctp_endpoint *ep,
4496 const struct sctp_association *asoc,
4497 const union sctp_subtype type,
4499 struct sctp_cmd_seq *commands)
4501 struct sctp_chunk *chunk = arg;
4503 if (asoc && !sctp_vtag_verify(chunk, asoc))
4504 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4506 /* Make sure that the chunk has a valid length.
4507 * Since we don't know the chunk type, we use a general
4508 * chunkhdr structure to make a comparison.
4510 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4511 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4514 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);
4516 return SCTP_DISPOSITION_DISCARD;
4520 * Discard the whole packet.
4524 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4525 * silently discard the OOTB packet and take no further action.
4527 * Verification Tag: No verification necessary
4530 * (endpoint, asoc, chunk)
4533 * (asoc, reply_msg, msg_up, timers, counters)
4535 * The return value is the disposition of the chunk.
4537 enum sctp_disposition sctp_sf_pdiscard(struct net *net,
4538 const struct sctp_endpoint *ep,
4539 const struct sctp_association *asoc,
4540 const union sctp_subtype type,
4541 void *arg, struct sctp_cmd_seq *commands)
4543 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4544 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4546 return SCTP_DISPOSITION_CONSUME;
4551 * The other end is violating protocol.
4553 * Section: Not specified
4554 * Verification Tag: Not specified
4556 * (endpoint, asoc, chunk)
4559 * (asoc, reply_msg, msg_up, timers, counters)
4561 * We simply tag the chunk as a violation. The state machine will log
4562 * the violation and continue.
4564 enum sctp_disposition sctp_sf_violation(struct net *net,
4565 const struct sctp_endpoint *ep,
4566 const struct sctp_association *asoc,
4567 const union sctp_subtype type,
4569 struct sctp_cmd_seq *commands)
4571 struct sctp_chunk *chunk = arg;
4573 if (!sctp_vtag_verify(chunk, asoc))
4574 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4576 /* Make sure that the chunk has a valid length. */
4577 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4578 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4581 return SCTP_DISPOSITION_VIOLATION;
4585 * Common function to handle a protocol violation.
4587 static enum sctp_disposition sctp_sf_abort_violation(
4589 const struct sctp_endpoint *ep,
4590 const struct sctp_association *asoc,
4592 struct sctp_cmd_seq *commands,
4593 const __u8 *payload,
4594 const size_t paylen)
4596 struct sctp_packet *packet = NULL;
4597 struct sctp_chunk *chunk = arg;
4598 struct sctp_chunk *abort = NULL;
4600 /* SCTP-AUTH, Section 6.3:
4601 * It should be noted that if the receiver wants to tear
4602 * down an association in an authenticated way only, the
4603 * handling of malformed packets should not result in
4604 * tearing down the association.
4606 * This means that if we only want to abort associations
4607 * in an authenticated way (i.e AUTH+ABORT), then we
4608 * can't destroy this association just because the packet
4611 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4614 /* Make the abort chunk. */
4615 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4620 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4621 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4622 !asoc->peer.i.init_tag) {
4623 struct sctp_initack_chunk *initack;
4625 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
4626 if (!sctp_chunk_length_valid(chunk, sizeof(*initack)))
4627 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4629 unsigned int inittag;
4631 inittag = ntohl(initack->init_hdr.init_tag);
4632 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4637 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4638 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4640 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4641 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4642 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4643 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4644 SCTP_ERROR(ECONNREFUSED));
4645 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4646 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4648 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4649 SCTP_ERROR(ECONNABORTED));
4650 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4651 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4652 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4655 packet = sctp_ootb_pkt_new(net, asoc, chunk);
4660 if (sctp_test_T_bit(abort))
4661 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4663 abort->skb->sk = ep->base.sk;
4665 sctp_packet_append_chunk(packet, abort);
4667 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4668 SCTP_PACKET(packet));
4670 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4673 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4676 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4677 return SCTP_DISPOSITION_ABORT;
4680 sctp_chunk_free(abort);
4682 return SCTP_DISPOSITION_NOMEM;
4686 * Handle a protocol violation when the chunk length is invalid.
4687 * "Invalid" length is identified as smaller than the minimal length a
4688 * given chunk can be. For example, a SACK chunk has invalid length
4689 * if its length is set to be smaller than the size of struct sctp_sack_chunk.
4691 * We inform the other end by sending an ABORT with a Protocol Violation
4694 * Section: Not specified
4695 * Verification Tag: Nothing to do
4697 * (endpoint, asoc, chunk)
4700 * (reply_msg, msg_up, counters)
4702 * Generate an ABORT chunk and terminate the association.
4704 static enum sctp_disposition sctp_sf_violation_chunklen(
4706 const struct sctp_endpoint *ep,
4707 const struct sctp_association *asoc,
4708 const union sctp_subtype type,
4710 struct sctp_cmd_seq *commands)
4712 static const char err_str[] = "The following chunk had invalid length:";
4714 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4719 * Handle a protocol violation when the parameter length is invalid.
4720 * If the length is smaller than the minimum length of a given parameter,
4721 * or accumulated length in multi parameters exceeds the end of the chunk,
4722 * the length is considered as invalid.
4724 static enum sctp_disposition sctp_sf_violation_paramlen(
4726 const struct sctp_endpoint *ep,
4727 const struct sctp_association *asoc,
4728 const union sctp_subtype type,
4729 void *arg, void *ext,
4730 struct sctp_cmd_seq *commands)
4732 struct sctp_paramhdr *param = ext;
4733 struct sctp_chunk *abort = NULL;
4734 struct sctp_chunk *chunk = arg;
4736 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4739 /* Make the abort chunk. */
4740 abort = sctp_make_violation_paramlen(asoc, chunk, param);
4744 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4745 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4747 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4748 SCTP_ERROR(ECONNABORTED));
4749 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4750 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4751 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4752 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4755 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4756 return SCTP_DISPOSITION_ABORT;
4758 return SCTP_DISPOSITION_NOMEM;
4761 /* Handle a protocol violation when the peer trying to advance the
4762 * cumulative tsn ack to a point beyond the max tsn currently sent.
4764 * We inform the other end by sending an ABORT with a Protocol Violation
4767 static enum sctp_disposition sctp_sf_violation_ctsn(
4769 const struct sctp_endpoint *ep,
4770 const struct sctp_association *asoc,
4771 const union sctp_subtype type,
4773 struct sctp_cmd_seq *commands)
4775 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";
4777 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4781 /* Handle protocol violation of an invalid chunk bundling. For example,
4782 * when we have an association and we receive bundled INIT-ACK, or
4783 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4784 * statement from the specs. Additionally, there might be an attacker
4785 * on the path and we may not want to continue this communication.
4787 static enum sctp_disposition sctp_sf_violation_chunk(
4789 const struct sctp_endpoint *ep,
4790 const struct sctp_association *asoc,
4791 const union sctp_subtype type,
4793 struct sctp_cmd_seq *commands)
4795 static const char err_str[] = "The following chunk violates protocol:";
4798 return sctp_sf_violation(net, ep, asoc, type, arg, commands);
4800 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4803 /***************************************************************************
4804 * These are the state functions for handling primitive (Section 10) events.
4805 ***************************************************************************/
4807 * sctp_sf_do_prm_asoc
4809 * Section: 10.1 ULP-to-SCTP
4812 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4813 * outbound stream count)
4814 * -> association id [,destination transport addr list] [,outbound stream
4817 * This primitive allows the upper layer to initiate an association to a
4818 * specific peer endpoint.
4820 * The peer endpoint shall be specified by one of the transport addresses
4821 * which defines the endpoint (see Section 1.4). If the local SCTP
4822 * instance has not been initialized, the ASSOCIATE is considered an
4824 * [This is not relevant for the kernel implementation since we do all
4825 * initialization at boot time. It we hadn't initialized we wouldn't
4826 * get anywhere near this code.]
4828 * An association id, which is a local handle to the SCTP association,
4829 * will be returned on successful establishment of the association. If
4830 * SCTP is not able to open an SCTP association with the peer endpoint,
4831 * an error is returned.
4832 * [In the kernel implementation, the struct sctp_association needs to
4833 * be created BEFORE causing this primitive to run.]
4835 * Other association parameters may be returned, including the
4836 * complete destination transport addresses of the peer as well as the
4837 * outbound stream count of the local endpoint. One of the transport
4838 * address from the returned destination addresses will be selected by
4839 * the local endpoint as default primary path for sending SCTP packets
4840 * to this peer. The returned "destination transport addr list" can
4841 * be used by the ULP to change the default primary path or to force
4842 * sending a packet to a specific transport address. [All of this
4843 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
4846 * Mandatory attributes:
4848 * o local SCTP instance name - obtained from the INITIALIZE operation.
4849 * [This is the argument asoc.]
4850 * o destination transport addr - specified as one of the transport
4851 * addresses of the peer endpoint with which the association is to be
4853 * [This is asoc->peer.active_path.]
4854 * o outbound stream count - the number of outbound streams the ULP
4855 * would like to open towards this peer endpoint.
4856 * [BUG: This is not currently implemented.]
4857 * Optional attributes:
4861 * The return value is a disposition.
4863 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net,
4864 const struct sctp_endpoint *ep,
4865 const struct sctp_association *asoc,
4866 const union sctp_subtype type,
4868 struct sctp_cmd_seq *commands)
4870 struct sctp_association *my_asoc;
4871 struct sctp_chunk *repl;
4873 /* The comment below says that we enter COOKIE-WAIT AFTER
4874 * sending the INIT, but that doesn't actually work in our
4877 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4878 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4880 /* RFC 2960 5.1 Normal Establishment of an Association
4882 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
4883 * must provide its Verification Tag (Tag_A) in the Initiate
4884 * Tag field. Tag_A SHOULD be a random number in the range of
4885 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4888 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4892 /* Choose transport for INIT. */
4893 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4896 /* Cast away the const modifier, as we want to just
4897 * rerun it through as a sideffect.
4899 my_asoc = (struct sctp_association *)asoc;
4900 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4902 /* After sending the INIT, "A" starts the T1-init timer and
4903 * enters the COOKIE-WAIT state.
4905 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4906 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4907 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4908 return SCTP_DISPOSITION_CONSUME;
4911 return SCTP_DISPOSITION_NOMEM;
4915 * Process the SEND primitive.
4917 * Section: 10.1 ULP-to-SCTP
4920 * Format: SEND(association id, buffer address, byte count [,context]
4921 * [,stream id] [,life time] [,destination transport address]
4922 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4925 * This is the main method to send user data via SCTP.
4927 * Mandatory attributes:
4929 * o association id - local handle to the SCTP association
4931 * o buffer address - the location where the user message to be
4932 * transmitted is stored;
4934 * o byte count - The size of the user data in number of bytes;
4936 * Optional attributes:
4938 * o context - an optional 32 bit integer that will be carried in the
4939 * sending failure notification to the ULP if the transportation of
4940 * this User Message fails.
4942 * o stream id - to indicate which stream to send the data on. If not
4943 * specified, stream 0 will be used.
4945 * o life time - specifies the life time of the user data. The user data
4946 * will not be sent by SCTP after the life time expires. This
4947 * parameter can be used to avoid efforts to transmit stale
4948 * user messages. SCTP notifies the ULP if the data cannot be
4949 * initiated to transport (i.e. sent to the destination via SCTP's
4950 * send primitive) within the life time variable. However, the
4951 * user data will be transmitted if SCTP has attempted to transmit a
4952 * chunk before the life time expired.
4954 * o destination transport address - specified as one of the destination
4955 * transport addresses of the peer endpoint to which this packet
4956 * should be sent. Whenever possible, SCTP should use this destination
4957 * transport address for sending the packets, instead of the current
4960 * o unorder flag - this flag, if present, indicates that the user
4961 * would like the data delivered in an unordered fashion to the peer
4962 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
4965 * o no-bundle flag - instructs SCTP not to bundle this user data with
4966 * other outbound DATA chunks. SCTP MAY still bundle even when
4967 * this flag is present, when faced with network congestion.
4969 * o payload protocol-id - A 32 bit unsigned integer that is to be
4970 * passed to the peer indicating the type of payload protocol data
4971 * being transmitted. This value is passed as opaque data by SCTP.
4973 * The return value is the disposition.
4975 enum sctp_disposition sctp_sf_do_prm_send(struct net *net,
4976 const struct sctp_endpoint *ep,
4977 const struct sctp_association *asoc,
4978 const union sctp_subtype type,
4980 struct sctp_cmd_seq *commands)
4982 struct sctp_datamsg *msg = arg;
4984 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
4985 return SCTP_DISPOSITION_CONSUME;
4989 * Process the SHUTDOWN primitive.
4994 * Format: SHUTDOWN(association id)
4997 * Gracefully closes an association. Any locally queued user data
4998 * will be delivered to the peer. The association will be terminated only
4999 * after the peer acknowledges all the SCTP packets sent. A success code
5000 * will be returned on successful termination of the association. If
5001 * attempting to terminate the association results in a failure, an error
5002 * code shall be returned.
5004 * Mandatory attributes:
5006 * o association id - local handle to the SCTP association
5008 * Optional attributes:
5012 * The return value is the disposition.
5014 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown(
5016 const struct sctp_endpoint *ep,
5017 const struct sctp_association *asoc,
5018 const union sctp_subtype type,
5020 struct sctp_cmd_seq *commands)
5022 enum sctp_disposition disposition;
5024 /* From 9.2 Shutdown of an Association
5025 * Upon receipt of the SHUTDOWN primitive from its upper
5026 * layer, the endpoint enters SHUTDOWN-PENDING state and
5027 * remains there until all outstanding data has been
5028 * acknowledged by its peer. The endpoint accepts no new data
5029 * from its upper layer, but retransmits data to the far end
5030 * if necessary to fill gaps.
5032 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5033 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5035 disposition = SCTP_DISPOSITION_CONSUME;
5036 if (sctp_outq_is_empty(&asoc->outqueue)) {
5037 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5045 * Process the ABORT primitive.
5050 * Format: Abort(association id [, cause code])
5053 * Ungracefully closes an association. Any locally queued user data
5054 * will be discarded and an ABORT chunk is sent to the peer. A success code
5055 * will be returned on successful abortion of the association. If
5056 * attempting to abort the association results in a failure, an error
5057 * code shall be returned.
5059 * Mandatory attributes:
5061 * o association id - local handle to the SCTP association
5063 * Optional attributes:
5065 * o cause code - reason of the abort to be passed to the peer
5069 * The return value is the disposition.
5071 enum sctp_disposition sctp_sf_do_9_1_prm_abort(
5073 const struct sctp_endpoint *ep,
5074 const struct sctp_association *asoc,
5075 const union sctp_subtype type,
5077 struct sctp_cmd_seq *commands)
5079 /* From 9.1 Abort of an Association
5080 * Upon receipt of the ABORT primitive from its upper
5081 * layer, the endpoint enters CLOSED state and
5082 * discard all outstanding data has been
5083 * acknowledged by its peer. The endpoint accepts no new data
5084 * from its upper layer, but retransmits data to the far end
5085 * if necessary to fill gaps.
5087 struct sctp_chunk *abort = arg;
5090 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5092 /* Even if we can't send the ABORT due to low memory delete the
5093 * TCB. This is a departure from our typical NOMEM handling.
5096 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5097 SCTP_ERROR(ECONNABORTED));
5098 /* Delete the established association. */
5099 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5100 SCTP_PERR(SCTP_ERROR_USER_ABORT));
5102 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5103 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5105 return SCTP_DISPOSITION_ABORT;
5108 /* We tried an illegal operation on an association which is closed. */
5109 enum sctp_disposition sctp_sf_error_closed(struct net *net,
5110 const struct sctp_endpoint *ep,
5111 const struct sctp_association *asoc,
5112 const union sctp_subtype type,
5114 struct sctp_cmd_seq *commands)
5116 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
5117 return SCTP_DISPOSITION_CONSUME;
5120 /* We tried an illegal operation on an association which is shutting
5123 enum sctp_disposition sctp_sf_error_shutdown(
5125 const struct sctp_endpoint *ep,
5126 const struct sctp_association *asoc,
5127 const union sctp_subtype type,
5129 struct sctp_cmd_seq *commands)
5131 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
5132 SCTP_ERROR(-ESHUTDOWN));
5133 return SCTP_DISPOSITION_CONSUME;
5137 * sctp_cookie_wait_prm_shutdown
5139 * Section: 4 Note: 2
5144 * The RFC does not explicitly address this issue, but is the route through the
5145 * state table when someone issues a shutdown while in COOKIE_WAIT state.
5150 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown(
5152 const struct sctp_endpoint *ep,
5153 const struct sctp_association *asoc,
5154 const union sctp_subtype type,
5156 struct sctp_cmd_seq *commands)
5158 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5159 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5161 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5162 SCTP_STATE(SCTP_STATE_CLOSED));
5164 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
5166 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
5168 return SCTP_DISPOSITION_DELETE_TCB;
5172 * sctp_cookie_echoed_prm_shutdown
5174 * Section: 4 Note: 2
5179 * The RFC does not explcitly address this issue, but is the route through the
5180 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
5185 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown(
5187 const struct sctp_endpoint *ep,
5188 const struct sctp_association *asoc,
5189 const union sctp_subtype type,
5191 struct sctp_cmd_seq *commands)
5193 /* There is a single T1 timer, so we should be able to use
5194 * common function with the COOKIE-WAIT state.
5196 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
5200 * sctp_sf_cookie_wait_prm_abort
5202 * Section: 4 Note: 2
5207 * The RFC does not explicitly address this issue, but is the route through the
5208 * state table when someone issues an abort while in COOKIE_WAIT state.
5213 enum sctp_disposition sctp_sf_cookie_wait_prm_abort(
5215 const struct sctp_endpoint *ep,
5216 const struct sctp_association *asoc,
5217 const union sctp_subtype type,
5219 struct sctp_cmd_seq *commands)
5221 struct sctp_chunk *abort = arg;
5223 /* Stop T1-init timer */
5224 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5225 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5228 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5230 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5231 SCTP_STATE(SCTP_STATE_CLOSED));
5233 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5235 /* Even if we can't send the ABORT due to low memory delete the
5236 * TCB. This is a departure from our typical NOMEM handling.
5239 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5240 SCTP_ERROR(ECONNREFUSED));
5241 /* Delete the established association. */
5242 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5243 SCTP_PERR(SCTP_ERROR_USER_ABORT));
5245 return SCTP_DISPOSITION_ABORT;
5249 * sctp_sf_cookie_echoed_prm_abort
5251 * Section: 4 Note: 3
5256 * The RFC does not explcitly address this issue, but is the route through the
5257 * state table when someone issues an abort while in COOKIE_ECHOED state.
5262 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort(
5264 const struct sctp_endpoint *ep,
5265 const struct sctp_association *asoc,
5266 const union sctp_subtype type,
5268 struct sctp_cmd_seq *commands)
5270 /* There is a single T1 timer, so we should be able to use
5271 * common function with the COOKIE-WAIT state.
5273 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5277 * sctp_sf_shutdown_pending_prm_abort
5282 * The RFC does not explicitly address this issue, but is the route through the
5283 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5288 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort(
5290 const struct sctp_endpoint *ep,
5291 const struct sctp_association *asoc,
5292 const union sctp_subtype type,
5294 struct sctp_cmd_seq *commands)
5296 /* Stop the T5-shutdown guard timer. */
5297 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5298 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5300 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5304 * sctp_sf_shutdown_sent_prm_abort
5309 * The RFC does not explicitly address this issue, but is the route through the
5310 * state table when someone issues an abort while in SHUTDOWN-SENT state.
5315 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort(
5317 const struct sctp_endpoint *ep,
5318 const struct sctp_association *asoc,
5319 const union sctp_subtype type,
5321 struct sctp_cmd_seq *commands)
5323 /* Stop the T2-shutdown timer. */
5324 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5325 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5327 /* Stop the T5-shutdown guard timer. */
5328 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5329 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5331 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5335 * sctp_sf_cookie_echoed_prm_abort
5340 * The RFC does not explcitly address this issue, but is the route through the
5341 * state table when someone issues an abort while in COOKIE_ECHOED state.
5346 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort(
5348 const struct sctp_endpoint *ep,
5349 const struct sctp_association *asoc,
5350 const union sctp_subtype type,
5352 struct sctp_cmd_seq *commands)
5354 /* The same T2 timer, so we should be able to use
5355 * common function with the SHUTDOWN-SENT state.
5357 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5361 * Process the REQUESTHEARTBEAT primitive
5364 * J) Request Heartbeat
5366 * Format: REQUESTHEARTBEAT(association id, destination transport address)
5370 * Instructs the local endpoint to perform a HeartBeat on the specified
5371 * destination transport address of the given association. The returned
5372 * result should indicate whether the transmission of the HEARTBEAT
5373 * chunk to the destination address is successful.
5375 * Mandatory attributes:
5377 * o association id - local handle to the SCTP association
5379 * o destination transport address - the transport address of the
5380 * association on which a heartbeat should be issued.
5382 enum sctp_disposition sctp_sf_do_prm_requestheartbeat(
5384 const struct sctp_endpoint *ep,
5385 const struct sctp_association *asoc,
5386 const union sctp_subtype type,
5388 struct sctp_cmd_seq *commands)
5390 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5391 (struct sctp_transport *)arg, commands))
5392 return SCTP_DISPOSITION_NOMEM;
5395 * RFC 2960 (bis), section 8.3
5397 * D) Request an on-demand HEARTBEAT on a specific destination
5398 * transport address of a given association.
5400 * The endpoint should increment the respective error counter of
5401 * the destination transport address each time a HEARTBEAT is sent
5402 * to that address and not acknowledged within one RTO.
5405 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5406 SCTP_TRANSPORT(arg));
5407 return SCTP_DISPOSITION_CONSUME;
5411 * ADDIP Section 4.1 ASCONF Chunk Procedures
5412 * When an endpoint has an ASCONF signaled change to be sent to the
5413 * remote endpoint it should do A1 to A9
5415 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net,
5416 const struct sctp_endpoint *ep,
5417 const struct sctp_association *asoc,
5418 const union sctp_subtype type,
5420 struct sctp_cmd_seq *commands)
5422 struct sctp_chunk *chunk = arg;
5424 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5425 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5426 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5427 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5428 return SCTP_DISPOSITION_CONSUME;
5431 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */
5432 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net,
5433 const struct sctp_endpoint *ep,
5434 const struct sctp_association *asoc,
5435 const union sctp_subtype type,
5437 struct sctp_cmd_seq *commands)
5439 struct sctp_chunk *chunk = arg;
5441 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5442 return SCTP_DISPOSITION_CONSUME;
5446 * Ignore the primitive event
5448 * The return value is the disposition of the primitive.
5450 enum sctp_disposition sctp_sf_ignore_primitive(
5452 const struct sctp_endpoint *ep,
5453 const struct sctp_association *asoc,
5454 const union sctp_subtype type,
5456 struct sctp_cmd_seq *commands)
5458 pr_debug("%s: primitive type:%d is ignored\n", __func__,
5461 return SCTP_DISPOSITION_DISCARD;
5464 /***************************************************************************
5465 * These are the state functions for the OTHER events.
5466 ***************************************************************************/
5469 * When the SCTP stack has no more user data to send or retransmit, this
5470 * notification is given to the user. Also, at the time when a user app
5471 * subscribes to this event, if there is no data to be sent or
5472 * retransmit, the stack will immediately send up this notification.
5474 enum sctp_disposition sctp_sf_do_no_pending_tsn(
5476 const struct sctp_endpoint *ep,
5477 const struct sctp_association *asoc,
5478 const union sctp_subtype type,
5480 struct sctp_cmd_seq *commands)
5482 struct sctp_ulpevent *event;
5484 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5486 return SCTP_DISPOSITION_NOMEM;
5488 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5490 return SCTP_DISPOSITION_CONSUME;
5494 * Start the shutdown negotiation.
5497 * Once all its outstanding data has been acknowledged, the endpoint
5498 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5499 * TSN Ack field the last sequential TSN it has received from the peer.
5500 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5501 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5502 * with the updated last sequential TSN received from its peer.
5504 * The return value is the disposition.
5506 enum sctp_disposition sctp_sf_do_9_2_start_shutdown(
5508 const struct sctp_endpoint *ep,
5509 const struct sctp_association *asoc,
5510 const union sctp_subtype type,
5512 struct sctp_cmd_seq *commands)
5514 struct sctp_chunk *reply;
5516 /* Once all its outstanding data has been acknowledged, the
5517 * endpoint shall send a SHUTDOWN chunk to its peer including
5518 * in the Cumulative TSN Ack field the last sequential TSN it
5519 * has received from the peer.
5521 reply = sctp_make_shutdown(asoc, arg);
5525 /* Set the transport for the SHUTDOWN chunk and the timeout for the
5526 * T2-shutdown timer.
5528 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5530 /* It shall then start the T2-shutdown timer */
5531 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5532 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5534 /* RFC 4960 Section 9.2
5535 * The sender of the SHUTDOWN MAY also start an overall guard timer
5536 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5538 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5539 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5541 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5542 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5543 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5545 /* and enter the SHUTDOWN-SENT state. */
5546 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5547 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5549 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5551 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5554 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5556 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5558 return SCTP_DISPOSITION_CONSUME;
5561 return SCTP_DISPOSITION_NOMEM;
5565 * Generate a SHUTDOWN ACK now that everything is SACK'd.
5569 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5570 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5571 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5572 * endpoint must re-send the SHUTDOWN ACK.
5574 * The return value is the disposition.
5576 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack(
5578 const struct sctp_endpoint *ep,
5579 const struct sctp_association *asoc,
5580 const union sctp_subtype type,
5582 struct sctp_cmd_seq *commands)
5584 struct sctp_chunk *chunk = arg;
5585 struct sctp_chunk *reply;
5587 /* There are 2 ways of getting here:
5588 * 1) called in response to a SHUTDOWN chunk
5589 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5591 * For the case (2), the arg parameter is set to NULL. We need
5592 * to check that we have a chunk before accessing it's fields.
5595 if (!sctp_vtag_verify(chunk, asoc))
5596 return sctp_sf_pdiscard(net, ep, asoc, type, arg,
5599 /* Make sure that the SHUTDOWN chunk has a valid length. */
5600 if (!sctp_chunk_length_valid(
5601 chunk, sizeof(struct sctp_shutdown_chunk)))
5602 return sctp_sf_violation_chunklen(net, ep, asoc, type,
5606 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5607 * shall send a SHUTDOWN ACK ...
5609 reply = sctp_make_shutdown_ack(asoc, chunk);
5613 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5614 * the T2-shutdown timer.
5616 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5618 /* and start/restart a T2-shutdown timer of its own, */
5619 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5620 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5622 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5623 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5624 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5626 /* Enter the SHUTDOWN-ACK-SENT state. */
5627 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5628 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5630 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5632 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5635 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5637 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5639 return SCTP_DISPOSITION_CONSUME;
5642 return SCTP_DISPOSITION_NOMEM;
5646 * Ignore the event defined as other
5648 * The return value is the disposition of the event.
5650 enum sctp_disposition sctp_sf_ignore_other(struct net *net,
5651 const struct sctp_endpoint *ep,
5652 const struct sctp_association *asoc,
5653 const union sctp_subtype type,
5655 struct sctp_cmd_seq *commands)
5657 pr_debug("%s: the event other type:%d is ignored\n",
5658 __func__, type.other);
5660 return SCTP_DISPOSITION_DISCARD;
5663 /************************************************************
5664 * These are the state functions for handling timeout events.
5665 ************************************************************/
5670 * Section: 6.3.3 Handle T3-rtx Expiration
5672 * Whenever the retransmission timer T3-rtx expires for a destination
5673 * address, do the following:
5676 * The return value is the disposition of the chunk.
5678 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net,
5679 const struct sctp_endpoint *ep,
5680 const struct sctp_association *asoc,
5681 const union sctp_subtype type,
5683 struct sctp_cmd_seq *commands)
5685 struct sctp_transport *transport = arg;
5687 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5689 if (asoc->overall_error_count >= asoc->max_retrans) {
5690 if (asoc->peer.zero_window_announced &&
5691 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5693 * We are here likely because the receiver had its rwnd
5694 * closed for a while and we have not been able to
5695 * transmit the locally queued data within the maximum
5696 * retransmission attempts limit. Start the T5
5697 * shutdown guard timer to give the receiver one last
5698 * chance and some additional time to recover before
5701 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5702 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5704 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5705 SCTP_ERROR(ETIMEDOUT));
5706 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5707 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5708 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5709 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5710 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5711 return SCTP_DISPOSITION_DELETE_TCB;
5715 /* E1) For the destination address for which the timer
5716 * expires, adjust its ssthresh with rules defined in Section
5717 * 7.2.3 and set the cwnd <- MTU.
5720 /* E2) For the destination address for which the timer
5721 * expires, set RTO <- RTO * 2 ("back off the timer"). The
5722 * maximum value discussed in rule C7 above (RTO.max) may be
5723 * used to provide an upper bound to this doubling operation.
5726 /* E3) Determine how many of the earliest (i.e., lowest TSN)
5727 * outstanding DATA chunks for the address for which the
5728 * T3-rtx has expired will fit into a single packet, subject
5729 * to the MTU constraint for the path corresponding to the
5730 * destination transport address to which the retransmission
5731 * is being sent (this may be different from the address for
5732 * which the timer expires [see Section 6.4]). Call this
5733 * value K. Bundle and retransmit those K DATA chunks in a
5734 * single packet to the destination endpoint.
5736 * Note: Any DATA chunks that were sent to the address for
5737 * which the T3-rtx timer expired but did not fit in one MTU
5738 * (rule E3 above), should be marked for retransmission and
5739 * sent as soon as cwnd allows (normally when a SACK arrives).
5742 /* Do some failure management (Section 8.2). */
5743 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5745 /* NB: Rules E4 and F1 are implicit in R1. */
5746 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5748 return SCTP_DISPOSITION_CONSUME;
5752 * Generate delayed SACK on timeout
5754 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
5756 * The guidelines on delayed acknowledgement algorithm specified in
5757 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
5758 * acknowledgement SHOULD be generated for at least every second packet
5759 * (not every second DATA chunk) received, and SHOULD be generated
5760 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
5761 * some situations it may be beneficial for an SCTP transmitter to be
5762 * more conservative than the algorithms detailed in this document
5763 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5764 * the following algorithms allow.
5766 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net,
5767 const struct sctp_endpoint *ep,
5768 const struct sctp_association *asoc,
5769 const union sctp_subtype type,
5771 struct sctp_cmd_seq *commands)
5773 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5774 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5775 return SCTP_DISPOSITION_CONSUME;
5779 * sctp_sf_t1_init_timer_expire
5781 * Section: 4 Note: 2
5786 * RFC 2960 Section 4 Notes
5787 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5788 * and re-start the T1-init timer without changing state. This MUST
5789 * be repeated up to 'Max.Init.Retransmits' times. After that, the
5790 * endpoint MUST abort the initialization process and report the
5791 * error to SCTP user.
5797 enum sctp_disposition sctp_sf_t1_init_timer_expire(
5799 const struct sctp_endpoint *ep,
5800 const struct sctp_association *asoc,
5801 const union sctp_subtype type,
5803 struct sctp_cmd_seq *commands)
5805 int attempts = asoc->init_err_counter + 1;
5806 struct sctp_chunk *repl = NULL;
5807 struct sctp_bind_addr *bp;
5809 pr_debug("%s: timer T1 expired (INIT)\n", __func__);
5811 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5813 if (attempts <= asoc->max_init_attempts) {
5814 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5815 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5817 return SCTP_DISPOSITION_NOMEM;
5819 /* Choose transport for INIT. */
5820 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5823 /* Issue a sideeffect to do the needed accounting. */
5824 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5825 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5827 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5829 pr_debug("%s: giving up on INIT, attempts:%d "
5830 "max_init_attempts:%d\n", __func__, attempts,
5831 asoc->max_init_attempts);
5833 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5834 SCTP_ERROR(ETIMEDOUT));
5835 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5836 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5837 return SCTP_DISPOSITION_DELETE_TCB;
5840 return SCTP_DISPOSITION_CONSUME;
5844 * sctp_sf_t1_cookie_timer_expire
5846 * Section: 4 Note: 2
5851 * RFC 2960 Section 4 Notes
5852 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
5853 * COOKIE ECHO and re-start the T1-cookie timer without changing
5854 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
5855 * After that, the endpoint MUST abort the initialization process and
5856 * report the error to SCTP user.
5862 enum sctp_disposition sctp_sf_t1_cookie_timer_expire(
5864 const struct sctp_endpoint *ep,
5865 const struct sctp_association *asoc,
5866 const union sctp_subtype type,
5868 struct sctp_cmd_seq *commands)
5870 int attempts = asoc->init_err_counter + 1;
5871 struct sctp_chunk *repl = NULL;
5873 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);
5875 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5877 if (attempts <= asoc->max_init_attempts) {
5878 repl = sctp_make_cookie_echo(asoc, NULL);
5880 return SCTP_DISPOSITION_NOMEM;
5882 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5884 /* Issue a sideeffect to do the needed accounting. */
5885 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5886 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5888 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5890 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5891 SCTP_ERROR(ETIMEDOUT));
5892 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5893 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5894 return SCTP_DISPOSITION_DELETE_TCB;
5897 return SCTP_DISPOSITION_CONSUME;
5900 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5901 * with the updated last sequential TSN received from its peer.
5903 * An endpoint should limit the number of retransmissions of the
5904 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5905 * If this threshold is exceeded the endpoint should destroy the TCB and
5906 * MUST report the peer endpoint unreachable to the upper layer (and
5907 * thus the association enters the CLOSED state). The reception of any
5908 * packet from its peer (i.e. as the peer sends all of its queued DATA
5909 * chunks) should clear the endpoint's retransmission count and restart
5910 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
5911 * all of its queued DATA chunks that have not yet been sent.
5913 enum sctp_disposition sctp_sf_t2_timer_expire(
5915 const struct sctp_endpoint *ep,
5916 const struct sctp_association *asoc,
5917 const union sctp_subtype type,
5919 struct sctp_cmd_seq *commands)
5921 struct sctp_chunk *reply = NULL;
5923 pr_debug("%s: timer T2 expired\n", __func__);
5925 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5927 ((struct sctp_association *)asoc)->shutdown_retries++;
5929 if (asoc->overall_error_count >= asoc->max_retrans) {
5930 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5931 SCTP_ERROR(ETIMEDOUT));
5932 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5933 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5934 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5935 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5936 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5937 return SCTP_DISPOSITION_DELETE_TCB;
5940 switch (asoc->state) {
5941 case SCTP_STATE_SHUTDOWN_SENT:
5942 reply = sctp_make_shutdown(asoc, NULL);
5945 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5946 reply = sctp_make_shutdown_ack(asoc, NULL);
5957 /* Do some failure management (Section 8.2).
5958 * If we remove the transport an SHUTDOWN was last sent to, don't
5959 * do failure management.
5961 if (asoc->shutdown_last_sent_to)
5962 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5963 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5965 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5966 * the T2-shutdown timer.
5968 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5970 /* Restart the T2-shutdown timer. */
5971 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5972 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5973 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5974 return SCTP_DISPOSITION_CONSUME;
5977 return SCTP_DISPOSITION_NOMEM;
5981 * ADDIP Section 4.1 ASCONF CHunk Procedures
5982 * If the T4 RTO timer expires the endpoint should do B1 to B5
5984 enum sctp_disposition sctp_sf_t4_timer_expire(
5986 const struct sctp_endpoint *ep,
5987 const struct sctp_association *asoc,
5988 const union sctp_subtype type,
5990 struct sctp_cmd_seq *commands)
5992 struct sctp_chunk *chunk = asoc->addip_last_asconf;
5993 struct sctp_transport *transport = chunk->transport;
5995 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
5997 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
5998 * detection on the appropriate destination address as defined in
5999 * RFC2960 [5] section 8.1 and 8.2.
6002 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
6003 SCTP_TRANSPORT(transport));
6005 /* Reconfig T4 timer and transport. */
6006 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
6008 /* ADDIP 4.1 B2) Increment the association error counters and perform
6009 * endpoint failure detection on the association as defined in
6010 * RFC2960 [5] section 8.1 and 8.2.
6011 * association error counter is incremented in SCTP_CMD_STRIKE.
6013 if (asoc->overall_error_count >= asoc->max_retrans) {
6014 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
6015 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6016 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6017 SCTP_ERROR(ETIMEDOUT));
6018 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6019 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6020 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6021 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6022 return SCTP_DISPOSITION_ABORT;
6025 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
6026 * the ASCONF chunk was sent by doubling the RTO timer value.
6027 * This is done in SCTP_CMD_STRIKE.
6030 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
6031 * choose an alternate destination address (please refer to RFC2960
6032 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
6033 * chunk, it MUST be the same (including its serial number) as the last
6036 sctp_chunk_hold(asoc->addip_last_asconf);
6037 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6038 SCTP_CHUNK(asoc->addip_last_asconf));
6040 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
6041 * destination is selected, then the RTO used will be that of the new
6042 * destination address.
6044 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6045 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6047 return SCTP_DISPOSITION_CONSUME;
6050 /* sctpimpguide-05 Section 2.12.2
6051 * The sender of the SHUTDOWN MAY also start an overall guard timer
6052 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
6053 * At the expiration of this timer the sender SHOULD abort the association
6054 * by sending an ABORT chunk.
6056 enum sctp_disposition sctp_sf_t5_timer_expire(
6058 const struct sctp_endpoint *ep,
6059 const struct sctp_association *asoc,
6060 const union sctp_subtype type,
6062 struct sctp_cmd_seq *commands)
6064 struct sctp_chunk *reply = NULL;
6066 pr_debug("%s: timer T5 expired\n", __func__);
6068 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
6070 reply = sctp_make_abort(asoc, NULL, 0);
6074 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6075 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6076 SCTP_ERROR(ETIMEDOUT));
6077 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6078 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6080 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6081 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6083 return SCTP_DISPOSITION_DELETE_TCB;
6085 return SCTP_DISPOSITION_NOMEM;
6088 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
6089 * the association is automatically closed by starting the shutdown process.
6090 * The work that needs to be done is same as when SHUTDOWN is initiated by
6091 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
6093 enum sctp_disposition sctp_sf_autoclose_timer_expire(
6095 const struct sctp_endpoint *ep,
6096 const struct sctp_association *asoc,
6097 const union sctp_subtype type,
6099 struct sctp_cmd_seq *commands)
6101 enum sctp_disposition disposition;
6103 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
6105 /* From 9.2 Shutdown of an Association
6106 * Upon receipt of the SHUTDOWN primitive from its upper
6107 * layer, the endpoint enters SHUTDOWN-PENDING state and
6108 * remains there until all outstanding data has been
6109 * acknowledged by its peer. The endpoint accepts no new data
6110 * from its upper layer, but retransmits data to the far end
6111 * if necessary to fill gaps.
6113 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
6114 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
6116 disposition = SCTP_DISPOSITION_CONSUME;
6117 if (sctp_outq_is_empty(&asoc->outqueue)) {
6118 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
6125 /*****************************************************************************
6126 * These are sa state functions which could apply to all types of events.
6127 ****************************************************************************/
6130 * This table entry is not implemented.
6133 * (endpoint, asoc, chunk)
6135 * The return value is the disposition of the chunk.
6137 enum sctp_disposition sctp_sf_not_impl(struct net *net,
6138 const struct sctp_endpoint *ep,
6139 const struct sctp_association *asoc,
6140 const union sctp_subtype type,
6141 void *arg, struct sctp_cmd_seq *commands)
6143 return SCTP_DISPOSITION_NOT_IMPL;
6147 * This table entry represents a bug.
6150 * (endpoint, asoc, chunk)
6152 * The return value is the disposition of the chunk.
6154 enum sctp_disposition sctp_sf_bug(struct net *net,
6155 const struct sctp_endpoint *ep,
6156 const struct sctp_association *asoc,
6157 const union sctp_subtype type,
6158 void *arg, struct sctp_cmd_seq *commands)
6160 return SCTP_DISPOSITION_BUG;
6164 * This table entry represents the firing of a timer in the wrong state.
6165 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
6166 * when the association is in the wrong state. This event should
6167 * be ignored, so as to prevent any rearming of the timer.
6170 * (endpoint, asoc, chunk)
6172 * The return value is the disposition of the chunk.
6174 enum sctp_disposition sctp_sf_timer_ignore(struct net *net,
6175 const struct sctp_endpoint *ep,
6176 const struct sctp_association *asoc,
6177 const union sctp_subtype type,
6179 struct sctp_cmd_seq *commands)
6181 pr_debug("%s: timer %d ignored\n", __func__, type.chunk);
6183 return SCTP_DISPOSITION_CONSUME;
6186 /********************************************************************
6187 * 2nd Level Abstractions
6188 ********************************************************************/
6190 /* Pull the SACK chunk based on the SACK header. */
6191 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
6193 struct sctp_sackhdr *sack;
6198 /* Protect ourselves from reading too far into
6199 * the skb from a bogus sender.
6201 sack = (struct sctp_sackhdr *) chunk->skb->data;
6203 num_blocks = ntohs(sack->num_gap_ack_blocks);
6204 num_dup_tsns = ntohs(sack->num_dup_tsns);
6205 len = sizeof(struct sctp_sackhdr);
6206 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
6207 if (len > chunk->skb->len)
6210 skb_pull(chunk->skb, len);
6215 /* Create an ABORT packet to be sent as a response, with the specified
6218 static struct sctp_packet *sctp_abort_pkt_new(
6220 const struct sctp_endpoint *ep,
6221 const struct sctp_association *asoc,
6222 struct sctp_chunk *chunk,
6223 const void *payload, size_t paylen)
6225 struct sctp_packet *packet;
6226 struct sctp_chunk *abort;
6228 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6232 * The T bit will be set if the asoc is NULL.
6234 abort = sctp_make_abort(asoc, chunk, paylen);
6236 sctp_ootb_pkt_free(packet);
6240 /* Reflect vtag if T-Bit is set */
6241 if (sctp_test_T_bit(abort))
6242 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
6244 /* Add specified error causes, i.e., payload, to the
6247 sctp_addto_chunk(abort, paylen, payload);
6249 /* Set the skb to the belonging sock for accounting. */
6250 abort->skb->sk = ep->base.sk;
6252 sctp_packet_append_chunk(packet, abort);
6259 /* Allocate a packet for responding in the OOTB conditions. */
6260 static struct sctp_packet *sctp_ootb_pkt_new(
6262 const struct sctp_association *asoc,
6263 const struct sctp_chunk *chunk)
6265 struct sctp_transport *transport;
6266 struct sctp_packet *packet;
6270 /* Get the source and destination port from the inbound packet. */
6271 sport = ntohs(chunk->sctp_hdr->dest);
6272 dport = ntohs(chunk->sctp_hdr->source);
6274 /* The V-tag is going to be the same as the inbound packet if no
6275 * association exists, otherwise, use the peer's vtag.
6278 /* Special case the INIT-ACK as there is no peer's vtag
6281 switch (chunk->chunk_hdr->type) {
6283 case SCTP_CID_INIT_ACK:
6285 struct sctp_initack_chunk *initack;
6287 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
6288 vtag = ntohl(initack->init_hdr.init_tag);
6292 vtag = asoc->peer.i.init_tag;
6296 /* Special case the INIT and stale COOKIE_ECHO as there is no
6299 switch (chunk->chunk_hdr->type) {
6302 struct sctp_init_chunk *init;
6304 init = (struct sctp_init_chunk *)chunk->chunk_hdr;
6305 vtag = ntohl(init->init_hdr.init_tag);
6309 vtag = ntohl(chunk->sctp_hdr->vtag);
6314 /* Make a transport for the bucket, Eliza... */
6315 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6319 /* Cache a route for the transport with the chunk's destination as
6320 * the source address.
6322 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6323 sctp_sk(net->sctp.ctl_sock));
6325 packet = &transport->packet;
6326 sctp_packet_init(packet, transport, sport, dport);
6327 sctp_packet_config(packet, vtag, 0);
6335 /* Free the packet allocated earlier for responding in the OOTB condition. */
6336 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6338 sctp_transport_free(packet->transport);
6341 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
6342 static void sctp_send_stale_cookie_err(struct net *net,
6343 const struct sctp_endpoint *ep,
6344 const struct sctp_association *asoc,
6345 const struct sctp_chunk *chunk,
6346 struct sctp_cmd_seq *commands,
6347 struct sctp_chunk *err_chunk)
6349 struct sctp_packet *packet;
6352 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6354 struct sctp_signed_cookie *cookie;
6356 /* Override the OOTB vtag from the cookie. */
6357 cookie = chunk->subh.cookie_hdr;
6358 packet->vtag = cookie->c.peer_vtag;
6360 /* Set the skb to the belonging sock for accounting. */
6361 err_chunk->skb->sk = ep->base.sk;
6362 sctp_packet_append_chunk(packet, err_chunk);
6363 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6364 SCTP_PACKET(packet));
6365 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6367 sctp_chunk_free (err_chunk);
6372 /* Process a data chunk */
6373 static int sctp_eat_data(const struct sctp_association *asoc,
6374 struct sctp_chunk *chunk,
6375 struct sctp_cmd_seq *commands)
6377 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6378 struct sock *sk = asoc->base.sk;
6379 struct net *net = sock_net(sk);
6380 struct sctp_datahdr *data_hdr;
6381 struct sctp_chunk *err;
6382 enum sctp_verb deliver;
6387 data_hdr = (struct sctp_datahdr *)chunk->skb->data;
6388 chunk->subh.data_hdr = data_hdr;
6389 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream));
6391 tsn = ntohl(data_hdr->tsn);
6392 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
6394 /* ASSERT: Now skb->data is really the user data. */
6396 /* Process ECN based congestion.
6398 * Since the chunk structure is reused for all chunks within
6399 * a packet, we use ecn_ce_done to track if we've already
6400 * done CE processing for this packet.
6402 * We need to do ECN processing even if we plan to discard the
6406 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) {
6407 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af;
6408 chunk->ecn_ce_done = 1;
6410 if (af->is_ce(sctp_gso_headskb(chunk->skb))) {
6411 /* Do real work as sideffect. */
6412 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6417 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6419 /* The TSN is too high--silently discard the chunk and
6420 * count on it getting retransmitted later.
6423 chunk->asoc->stats.outofseqtsns++;
6424 return SCTP_IERROR_HIGH_TSN;
6425 } else if (tmp > 0) {
6426 /* This is a duplicate. Record it. */
6427 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6428 return SCTP_IERROR_DUP_TSN;
6431 /* This is a new TSN. */
6433 /* Discard if there is no room in the receive window.
6434 * Actually, allow a little bit of overflow (up to a MTU).
6436 datalen = ntohs(chunk->chunk_hdr->length);
6437 datalen -= sctp_datachk_len(&asoc->stream);
6439 deliver = SCTP_CMD_CHUNK_ULP;
6441 /* Think about partial delivery. */
6442 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6444 /* Even if we don't accept this chunk there is
6447 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6450 /* Spill over rwnd a little bit. Note: While allowed, this spill over
6451 * seems a bit troublesome in that frag_point varies based on
6452 * PMTU. In cases, such as loopback, this might be a rather
6455 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6456 (datalen > asoc->rwnd + asoc->frag_point))) {
6458 /* If this is the next TSN, consider reneging to make
6459 * room. Note: Playing nice with a confused sender. A
6460 * malicious sender can still eat up all our buffer
6461 * space and in the future we may want to detect and
6462 * do more drastic reneging.
6464 if (sctp_tsnmap_has_gap(map) &&
6465 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6466 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
6467 deliver = SCTP_CMD_RENEGE;
6469 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
6470 __func__, tsn, datalen, asoc->rwnd);
6472 return SCTP_IERROR_IGNORE_TSN;
6477 * Also try to renege to limit our memory usage in the event that
6478 * we are under memory pressure
6479 * If we can't renege, don't worry about it, the sk_rmem_schedule
6480 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6481 * memory usage too much
6483 if (sk_under_memory_pressure(sk)) {
6484 if (sctp_tsnmap_has_gap(map) &&
6485 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6486 pr_debug("%s: under pressure, reneging for tsn:%u\n",
6488 deliver = SCTP_CMD_RENEGE;
6495 * Section 3.3.10.9 No User Data (9)
6499 * No User Data: This error cause is returned to the originator of a
6500 * DATA chunk if a received DATA chunk has no user data.
6502 if (unlikely(0 == datalen)) {
6503 err = sctp_make_abort_no_data(asoc, chunk, tsn);
6505 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6508 /* We are going to ABORT, so we might as well stop
6509 * processing the rest of the chunks in the packet.
6511 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
6512 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6513 SCTP_ERROR(ECONNABORTED));
6514 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6515 SCTP_PERR(SCTP_ERROR_NO_DATA));
6516 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6517 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6518 return SCTP_IERROR_NO_DATA;
6521 chunk->data_accepted = 1;
6523 /* Note: Some chunks may get overcounted (if we drop) or overcounted
6524 * if we renege and the chunk arrives again.
6526 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6527 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6529 chunk->asoc->stats.iuodchunks++;
6531 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6533 chunk->asoc->stats.iodchunks++;
6536 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6538 * If an endpoint receive a DATA chunk with an invalid stream
6539 * identifier, it shall acknowledge the reception of the DATA chunk
6540 * following the normal procedure, immediately send an ERROR chunk
6541 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6542 * and discard the DATA chunk.
6544 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) {
6545 /* Mark tsn as received even though we drop it */
6546 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6548 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6550 sizeof(data_hdr->stream),
6553 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6555 return SCTP_IERROR_BAD_STREAM;
6558 /* Check to see if the SSN is possible for this TSN.
6559 * The biggest gap we can record is 4K wide. Since SSNs wrap
6560 * at an unsigned short, there is no way that an SSN can
6561 * wrap and for a valid TSN. We can simply check if the current
6562 * SSN is smaller then the next expected one. If it is, it wrapped
6565 if (!asoc->stream.si->validate_data(chunk))
6566 return SCTP_IERROR_PROTO_VIOLATION;
6568 /* Send the data up to the user. Note: Schedule the
6569 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6570 * chunk needs the updated rwnd.
6572 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6574 return SCTP_IERROR_NO_ERROR;
projects / releases.git / blob