1 /* SCTP kernel implementation
2 * (C) Copyright IBM Corp. 2001, 2004
3 * Copyright (c) 1999-2000 Cisco, Inc.
4 * Copyright (c) 1999-2001 Motorola, Inc.
5 * Copyright (c) 2001-2002 Intel Corp.
6 * Copyright (c) 2002 Nokia Corp.
8 * This is part of the SCTP Linux Kernel Implementation.
10 * These are the state functions for the state machine.
12 * This SCTP implementation is free software;
13 * you can redistribute it and/or modify it under the terms of
14 * the GNU General Public License as published by
15 * the Free Software Foundation; either version 2, or (at your option)
18 * This SCTP implementation is distributed in the hope that it
19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
20 * ************************
21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
22 * See the GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with GNU CC; see the file COPYING. If not, write to
26 * the Free Software Foundation, 59 Temple Place - Suite 330,
27 * Boston, MA 02111-1307, USA.
29 * Please send any bug reports or fixes you make to the
31 * lksctp developers <lksctp-developers@lists.sourceforge.net>
33 * Or submit a bug report through the following website:
34 * http://www.sf.net/projects/lksctp
36 * Written or modified by:
37 * La Monte H.P. Yarroll <piggy@acm.org>
38 * Karl Knutson <karl@athena.chicago.il.us>
39 * Mathew Kotowsky <kotowsky@sctp.org>
40 * Sridhar Samudrala <samudrala@us.ibm.com>
41 * Jon Grimm <jgrimm@us.ibm.com>
42 * Hui Huang <hui.huang@nokia.com>
43 * Dajiang Zhang <dajiang.zhang@nokia.com>
44 * Daisy Chang <daisyc@us.ibm.com>
45 * Ardelle Fan <ardelle.fan@intel.com>
46 * Ryan Layer <rmlayer@us.ibm.com>
47 * Kevin Gao <kevin.gao@intel.com>
49 * Any bugs reported given to us we will try to fix... any fixes shared will
50 * be incorporated into the next SCTP release.
53 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
55 #include <linux/types.h>
56 #include <linux/kernel.h>
58 #include <linux/ipv6.h>
59 #include <linux/net.h>
60 #include <linux/inet.h>
61 #include <linux/slab.h>
63 #include <net/inet_ecn.h>
64 #include <linux/skbuff.h>
65 #include <net/sctp/sctp.h>
66 #include <net/sctp/sm.h>
67 #include <net/sctp/structs.h>
69 static struct sctp_packet *sctp_abort_pkt_new(struct net *net,
70 const struct sctp_endpoint *ep,
71 const struct sctp_association *asoc,
72 struct sctp_chunk *chunk,
75 static int sctp_eat_data(const struct sctp_association *asoc,
76 struct sctp_chunk *chunk,
77 sctp_cmd_seq_t *commands);
78 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
79 const struct sctp_association *asoc,
80 const struct sctp_chunk *chunk);
81 static void sctp_send_stale_cookie_err(struct net *net,
82 const struct sctp_endpoint *ep,
83 const struct sctp_association *asoc,
84 const struct sctp_chunk *chunk,
85 sctp_cmd_seq_t *commands,
86 struct sctp_chunk *err_chunk);
87 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
88 const struct sctp_endpoint *ep,
89 const struct sctp_association *asoc,
90 const sctp_subtype_t type,
92 sctp_cmd_seq_t *commands);
93 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
94 const struct sctp_endpoint *ep,
95 const struct sctp_association *asoc,
96 const sctp_subtype_t type,
98 sctp_cmd_seq_t *commands);
99 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
100 const struct sctp_endpoint *ep,
101 const struct sctp_association *asoc,
102 const sctp_subtype_t type,
104 sctp_cmd_seq_t *commands);
105 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
107 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
108 sctp_cmd_seq_t *commands,
109 __be16 error, int sk_err,
110 const struct sctp_association *asoc,
111 struct sctp_transport *transport);
113 static sctp_disposition_t sctp_sf_abort_violation(
115 const struct sctp_endpoint *ep,
116 const struct sctp_association *asoc,
118 sctp_cmd_seq_t *commands,
120 const size_t paylen);
122 static sctp_disposition_t sctp_sf_violation_chunklen(
124 const struct sctp_endpoint *ep,
125 const struct sctp_association *asoc,
126 const sctp_subtype_t type,
128 sctp_cmd_seq_t *commands);
130 static sctp_disposition_t sctp_sf_violation_paramlen(
132 const struct sctp_endpoint *ep,
133 const struct sctp_association *asoc,
134 const sctp_subtype_t type,
135 void *arg, void *ext,
136 sctp_cmd_seq_t *commands);
138 static sctp_disposition_t sctp_sf_violation_ctsn(
140 const struct sctp_endpoint *ep,
141 const struct sctp_association *asoc,
142 const sctp_subtype_t type,
144 sctp_cmd_seq_t *commands);
146 static sctp_disposition_t sctp_sf_violation_chunk(
148 const struct sctp_endpoint *ep,
149 const struct sctp_association *asoc,
150 const sctp_subtype_t type,
152 sctp_cmd_seq_t *commands);
154 static sctp_ierror_t sctp_sf_authenticate(struct net *net,
155 const struct sctp_endpoint *ep,
156 const struct sctp_association *asoc,
157 const sctp_subtype_t type,
158 struct sctp_chunk *chunk);
160 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
161 const struct sctp_endpoint *ep,
162 const struct sctp_association *asoc,
163 const sctp_subtype_t type,
165 sctp_cmd_seq_t *commands);
167 /* Small helper function that checks if the chunk length
168 * is of the appropriate length. The 'required_length' argument
169 * is set to be the size of a specific chunk we are testing.
170 * Return Values: 1 = Valid length
175 sctp_chunk_length_valid(struct sctp_chunk *chunk,
176 __u16 required_length)
178 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
180 /* Previously already marked? */
181 if (unlikely(chunk->pdiscard))
183 if (unlikely(chunk_length < required_length))
189 /**********************************************************
190 * These are the state functions for handling chunk events.
191 **********************************************************/
194 * Process the final SHUTDOWN COMPLETE.
196 * Section: 4 (C) (diagram), 9.2
197 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
198 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
199 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
200 * should stop the T2-shutdown timer and remove all knowledge of the
201 * association (and thus the association enters the CLOSED state).
203 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
204 * C) Rules for packet carrying SHUTDOWN COMPLETE:
206 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
207 * if the Verification Tag field of the packet matches its own tag and
208 * the T bit is not set
210 * it is set to its peer's tag and the T bit is set in the Chunk
212 * Otherwise, the receiver MUST silently discard the packet
213 * and take no further action. An endpoint MUST ignore the
214 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
217 * (endpoint, asoc, chunk)
220 * (asoc, reply_msg, msg_up, timers, counters)
222 * The return value is the disposition of the chunk.
224 sctp_disposition_t sctp_sf_do_4_C(struct net *net,
225 const struct sctp_endpoint *ep,
226 const struct sctp_association *asoc,
227 const sctp_subtype_t type,
229 sctp_cmd_seq_t *commands)
231 struct sctp_chunk *chunk = arg;
232 struct sctp_ulpevent *ev;
234 if (!sctp_vtag_verify_either(chunk, asoc))
235 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
237 /* RFC 2960 6.10 Bundling
239 * An endpoint MUST NOT bundle INIT, INIT ACK or
240 * SHUTDOWN COMPLETE with any other chunks.
242 if (!chunk->singleton)
243 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
245 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
246 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
247 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
250 /* RFC 2960 10.2 SCTP-to-ULP
252 * H) SHUTDOWN COMPLETE notification
254 * When SCTP completes the shutdown procedures (section 9.2) this
255 * notification is passed to the upper layer.
257 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
258 0, 0, 0, NULL, GFP_ATOMIC);
260 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
263 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
264 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
265 * not the chunk should be discarded. If the endpoint is in
266 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
267 * T2-shutdown timer and remove all knowledge of the
268 * association (and thus the association enters the CLOSED
271 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
272 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
274 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
275 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
277 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
278 SCTP_STATE(SCTP_STATE_CLOSED));
280 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
281 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
283 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
285 return SCTP_DISPOSITION_DELETE_TCB;
289 * Respond to a normal INIT chunk.
290 * We are the side that is being asked for an association.
292 * Section: 5.1 Normal Establishment of an Association, B
293 * B) "Z" shall respond immediately with an INIT ACK chunk. The
294 * destination IP address of the INIT ACK MUST be set to the source
295 * IP address of the INIT to which this INIT ACK is responding. In
296 * the response, besides filling in other parameters, "Z" must set the
297 * Verification Tag field to Tag_A, and also provide its own
298 * Verification Tag (Tag_Z) in the Initiate Tag field.
300 * Verification Tag: Must be 0.
303 * (endpoint, asoc, chunk)
306 * (asoc, reply_msg, msg_up, timers, counters)
308 * The return value is the disposition of the chunk.
310 sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
311 const struct sctp_endpoint *ep,
312 const struct sctp_association *asoc,
313 const sctp_subtype_t type,
315 sctp_cmd_seq_t *commands)
317 struct sctp_chunk *chunk = arg;
318 struct sctp_chunk *repl;
319 struct sctp_association *new_asoc;
320 struct sctp_chunk *err_chunk;
321 struct sctp_packet *packet;
322 sctp_unrecognized_param_t *unk_param;
326 * An endpoint MUST NOT bundle INIT, INIT ACK or
327 * SHUTDOWN COMPLETE with any other chunks.
330 * Furthermore, we require that the receiver of an INIT chunk MUST
331 * enforce these rules by silently discarding an arriving packet
332 * with an INIT chunk that is bundled with other chunks.
334 if (!chunk->singleton)
335 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
337 /* If the packet is an OOTB packet which is temporarily on the
338 * control endpoint, respond with an ABORT.
340 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
341 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
342 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
345 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
348 if (chunk->sctp_hdr->vtag != 0)
349 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
351 /* Make sure that the INIT chunk has a valid length.
352 * Normally, this would cause an ABORT with a Protocol Violation
353 * error, but since we don't have an association, we'll
354 * just discard the packet.
356 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
357 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
359 /* If the INIT is coming toward a closing socket, we'll send back
360 * and ABORT. Essentially, this catches the race of INIT being
361 * backloged to the socket at the same time as the user isses close().
362 * Since the socket and all its associations are going away, we
363 * can treat this OOTB
365 if (sctp_sstate(ep->base.sk, CLOSING))
366 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
368 /* Verify the INIT chunk before processing it. */
370 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
371 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
373 /* This chunk contains fatal error. It is to be discarded.
374 * Send an ABORT, with causes if there is any.
377 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
378 (__u8 *)(err_chunk->chunk_hdr) +
379 sizeof(sctp_chunkhdr_t),
380 ntohs(err_chunk->chunk_hdr->length) -
381 sizeof(sctp_chunkhdr_t));
383 sctp_chunk_free(err_chunk);
386 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
387 SCTP_PACKET(packet));
388 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
389 return SCTP_DISPOSITION_CONSUME;
391 return SCTP_DISPOSITION_NOMEM;
394 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
399 /* Grab the INIT header. */
400 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
402 /* Tag the variable length parameters. */
403 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
405 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
409 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
410 sctp_scope(sctp_source(chunk)),
414 /* The call, sctp_process_init(), can fail on memory allocation. */
415 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
416 (sctp_init_chunk_t *)chunk->chunk_hdr,
420 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
422 /* If there are errors need to be reported for unknown parameters,
423 * make sure to reserve enough room in the INIT ACK for them.
427 len = ntohs(err_chunk->chunk_hdr->length) -
428 sizeof(sctp_chunkhdr_t);
430 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
434 /* If there are errors need to be reported for unknown parameters,
435 * include them in the outgoing INIT ACK as "Unrecognized parameter"
439 /* Get the "Unrecognized parameter" parameter(s) out of the
440 * ERROR chunk generated by sctp_verify_init(). Since the
441 * error cause code for "unknown parameter" and the
442 * "Unrecognized parameter" type is the same, we can
443 * construct the parameters in INIT ACK by copying the
446 unk_param = (sctp_unrecognized_param_t *)
447 ((__u8 *)(err_chunk->chunk_hdr) +
448 sizeof(sctp_chunkhdr_t));
449 /* Replace the cause code with the "Unrecognized parameter"
452 sctp_addto_chunk(repl, len, unk_param);
453 sctp_chunk_free(err_chunk);
456 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
458 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
461 * Note: After sending out INIT ACK with the State Cookie parameter,
462 * "Z" MUST NOT allocate any resources, nor keep any states for the
463 * new association. Otherwise, "Z" will be vulnerable to resource
466 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
468 return SCTP_DISPOSITION_DELETE_TCB;
471 sctp_association_free(new_asoc);
474 sctp_chunk_free(err_chunk);
475 return SCTP_DISPOSITION_NOMEM;
479 * Respond to a normal INIT ACK chunk.
480 * We are the side that is initiating the association.
482 * Section: 5.1 Normal Establishment of an Association, C
483 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
484 * timer and leave COOKIE-WAIT state. "A" shall then send the State
485 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
486 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
488 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
489 * DATA chunks, but it MUST be the first chunk in the packet and
490 * until the COOKIE ACK is returned the sender MUST NOT send any
491 * other packets to the peer.
493 * Verification Tag: 3.3.3
494 * If the value of the Initiate Tag in a received INIT ACK chunk is
495 * found to be 0, the receiver MUST treat it as an error and close the
496 * association by transmitting an ABORT.
499 * (endpoint, asoc, chunk)
502 * (asoc, reply_msg, msg_up, timers, counters)
504 * The return value is the disposition of the chunk.
506 sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
507 const struct sctp_endpoint *ep,
508 const struct sctp_association *asoc,
509 const sctp_subtype_t type,
511 sctp_cmd_seq_t *commands)
513 struct sctp_chunk *chunk = arg;
514 sctp_init_chunk_t *initchunk;
515 struct sctp_chunk *err_chunk;
516 struct sctp_packet *packet;
518 if (!sctp_vtag_verify(chunk, asoc))
519 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
522 * An endpoint MUST NOT bundle INIT, INIT ACK or
523 * SHUTDOWN COMPLETE with any other chunks.
525 if (!chunk->singleton)
526 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
528 /* Make sure that the INIT-ACK chunk has a valid length */
529 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
530 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
532 /* Grab the INIT header. */
533 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
535 /* Verify the INIT chunk before processing it. */
537 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
538 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
541 sctp_error_t error = SCTP_ERROR_NO_RESOURCE;
543 /* This chunk contains fatal error. It is to be discarded.
544 * Send an ABORT, with causes. If there are no causes,
545 * then there wasn't enough memory. Just terminate
549 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
550 (__u8 *)(err_chunk->chunk_hdr) +
551 sizeof(sctp_chunkhdr_t),
552 ntohs(err_chunk->chunk_hdr->length) -
553 sizeof(sctp_chunkhdr_t));
555 sctp_chunk_free(err_chunk);
558 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
559 SCTP_PACKET(packet));
560 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
561 error = SCTP_ERROR_INV_PARAM;
565 /* SCTP-AUTH, Section 6.3:
566 * It should be noted that if the receiver wants to tear
567 * down an association in an authenticated way only, the
568 * handling of malformed packets should not result in
569 * tearing down the association.
571 * This means that if we only want to abort associations
572 * in an authenticated way (i.e AUTH+ABORT), then we
573 * can't destroy this association just because the packet
576 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
577 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
579 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
580 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
581 asoc, chunk->transport);
584 /* Tag the variable length parameters. Note that we never
585 * convert the parameters in an INIT chunk.
587 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
589 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
591 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
592 SCTP_PEER_INIT(initchunk));
594 /* Reset init error count upon receipt of INIT-ACK. */
595 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
597 /* 5.1 C) "A" shall stop the T1-init timer and leave
598 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
599 * timer, and enter the COOKIE-ECHOED state.
601 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
602 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
603 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
604 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
605 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
606 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
608 /* SCTP-AUTH: genereate the assocition shared keys so that
609 * we can potentially signe the COOKIE-ECHO.
611 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
613 /* 5.1 C) "A" shall then send the State Cookie received in the
614 * INIT ACK chunk in a COOKIE ECHO chunk, ...
616 /* If there is any errors to report, send the ERROR chunk generated
617 * for unknown parameters as well.
619 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
620 SCTP_CHUNK(err_chunk));
622 return SCTP_DISPOSITION_CONSUME;
626 * Respond to a normal COOKIE ECHO chunk.
627 * We are the side that is being asked for an association.
629 * Section: 5.1 Normal Establishment of an Association, D
630 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
631 * with a COOKIE ACK chunk after building a TCB and moving to
632 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
633 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
634 * chunk MUST be the first chunk in the packet.
636 * IMPLEMENTATION NOTE: An implementation may choose to send the
637 * Communication Up notification to the SCTP user upon reception
638 * of a valid COOKIE ECHO chunk.
640 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
641 * D) Rules for packet carrying a COOKIE ECHO
643 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
644 * Initial Tag received in the INIT ACK.
646 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
649 * (endpoint, asoc, chunk)
652 * (asoc, reply_msg, msg_up, timers, counters)
654 * The return value is the disposition of the chunk.
656 sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
657 const struct sctp_endpoint *ep,
658 const struct sctp_association *asoc,
659 const sctp_subtype_t type, void *arg,
660 sctp_cmd_seq_t *commands)
662 struct sctp_chunk *chunk = arg;
663 struct sctp_association *new_asoc;
664 sctp_init_chunk_t *peer_init;
665 struct sctp_chunk *repl;
666 struct sctp_ulpevent *ev, *ai_ev = NULL;
668 struct sctp_chunk *err_chk_p;
671 /* If the packet is an OOTB packet which is temporarily on the
672 * control endpoint, respond with an ABORT.
674 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
675 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
676 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
679 /* Make sure that the COOKIE_ECHO chunk has a valid length.
680 * In this case, we check that we have enough for at least a
681 * chunk header. More detailed verification is done
682 * in sctp_unpack_cookie().
684 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
685 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
687 /* If the endpoint is not listening or if the number of associations
688 * on the TCP-style socket exceed the max backlog, respond with an
692 if (!sctp_sstate(sk, LISTENING) ||
693 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
694 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
696 /* "Decode" the chunk. We have no optional parameters so we
699 chunk->subh.cookie_hdr =
700 (struct sctp_signed_cookie *)chunk->skb->data;
701 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
702 sizeof(sctp_chunkhdr_t)))
705 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
706 * "Z" will reply with a COOKIE ACK chunk after building a TCB
707 * and moving to the ESTABLISHED state.
709 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
713 * If the re-build failed, what is the proper error path
716 * [We should abort the association. --piggy]
719 /* FIXME: Several errors are possible. A bad cookie should
720 * be silently discarded, but think about logging it too.
723 case -SCTP_IERROR_NOMEM:
726 case -SCTP_IERROR_STALE_COOKIE:
727 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
729 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
731 case -SCTP_IERROR_BAD_SIG:
733 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
738 /* Delay state machine commands until later.
740 * Re-build the bind address for the association is done in
741 * the sctp_unpack_cookie() already.
743 /* This is a brand-new association, so these are not yet side
744 * effects--it is safe to run them here.
746 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
748 if (!sctp_process_init(new_asoc, chunk,
749 &chunk->subh.cookie_hdr->c.peer_addr,
750 peer_init, GFP_ATOMIC))
753 /* SCTP-AUTH: Now that we've populate required fields in
754 * sctp_process_init, set up the assocaition shared keys as
755 * necessary so that we can potentially authenticate the ACK
757 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
761 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo
762 * is supposed to be authenticated and we have to do delayed
763 * authentication. We've just recreated the association using
764 * the information in the cookie and now it's much easier to
765 * do the authentication.
767 if (chunk->auth_chunk) {
768 struct sctp_chunk auth;
771 /* Make sure that we and the peer are AUTH capable */
772 if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
773 sctp_association_free(new_asoc);
774 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
777 /* set-up our fake chunk so that we can process it */
778 auth.skb = chunk->auth_chunk;
779 auth.asoc = chunk->asoc;
780 auth.sctp_hdr = chunk->sctp_hdr;
781 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
782 sizeof(sctp_chunkhdr_t));
783 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
784 auth.transport = chunk->transport;
786 ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
787 if (ret != SCTP_IERROR_NO_ERROR) {
788 sctp_association_free(new_asoc);
789 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
793 repl = sctp_make_cookie_ack(new_asoc, chunk);
797 /* RFC 2960 5.1 Normal Establishment of an Association
799 * D) IMPLEMENTATION NOTE: An implementation may choose to
800 * send the Communication Up notification to the SCTP user
801 * upon reception of a valid COOKIE ECHO chunk.
803 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
804 new_asoc->c.sinit_num_ostreams,
805 new_asoc->c.sinit_max_instreams,
810 /* Sockets API Draft Section 5.3.1.6
811 * When a peer sends a Adaptation Layer Indication parameter , SCTP
812 * delivers this notification to inform the application that of the
813 * peers requested adaptation layer.
815 if (new_asoc->peer.adaptation_ind) {
816 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
822 /* Add all the state machine commands now since we've created
823 * everything. This way we don't introduce memory corruptions
824 * during side-effect processing and correclty count established
827 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
828 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
829 SCTP_STATE(SCTP_STATE_ESTABLISHED));
830 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
831 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
832 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
834 if (new_asoc->autoclose)
835 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
836 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
838 /* This will send the COOKIE ACK */
839 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
841 /* Queue the ASSOC_CHANGE event */
842 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
844 /* Send up the Adaptation Layer Indication event */
846 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
847 SCTP_ULPEVENT(ai_ev));
849 return SCTP_DISPOSITION_CONSUME;
852 sctp_ulpevent_free(ev);
854 sctp_chunk_free(repl);
856 sctp_association_free(new_asoc);
858 return SCTP_DISPOSITION_NOMEM;
862 * Respond to a normal COOKIE ACK chunk.
863 * We are the side that is being asked for an association.
865 * RFC 2960 5.1 Normal Establishment of an Association
867 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
868 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
869 * timer. It may also notify its ULP about the successful
870 * establishment of the association with a Communication Up
871 * notification (see Section 10).
875 * (endpoint, asoc, chunk)
878 * (asoc, reply_msg, msg_up, timers, counters)
880 * The return value is the disposition of the chunk.
882 sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
883 const struct sctp_endpoint *ep,
884 const struct sctp_association *asoc,
885 const sctp_subtype_t type, void *arg,
886 sctp_cmd_seq_t *commands)
888 struct sctp_chunk *chunk = arg;
889 struct sctp_ulpevent *ev;
891 if (!sctp_vtag_verify(chunk, asoc))
892 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
894 /* Verify that the chunk length for the COOKIE-ACK is OK.
895 * If we don't do this, any bundled chunks may be junked.
897 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
898 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
901 /* Reset init error count upon receipt of COOKIE-ACK,
902 * to avoid problems with the managemement of this
903 * counter in stale cookie situations when a transition back
904 * from the COOKIE-ECHOED state to the COOKIE-WAIT
905 * state is performed.
907 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
909 /* RFC 2960 5.1 Normal Establishment of an Association
911 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
912 * from the COOKIE-ECHOED state to the ESTABLISHED state,
913 * stopping the T1-cookie timer.
915 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
916 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
917 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
918 SCTP_STATE(SCTP_STATE_ESTABLISHED));
919 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
920 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
921 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
923 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
924 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
926 /* It may also notify its ULP about the successful
927 * establishment of the association with a Communication Up
928 * notification (see Section 10).
930 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
931 0, asoc->c.sinit_num_ostreams,
932 asoc->c.sinit_max_instreams,
938 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
940 /* Sockets API Draft Section 5.3.1.6
941 * When a peer sends a Adaptation Layer Indication parameter , SCTP
942 * delivers this notification to inform the application that of the
943 * peers requested adaptation layer.
945 if (asoc->peer.adaptation_ind) {
946 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
950 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
954 return SCTP_DISPOSITION_CONSUME;
956 return SCTP_DISPOSITION_NOMEM;
959 /* Generate and sendout a heartbeat packet. */
960 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
961 const struct sctp_association *asoc,
962 const sctp_subtype_t type,
964 sctp_cmd_seq_t *commands)
966 struct sctp_transport *transport = (struct sctp_transport *) arg;
967 struct sctp_chunk *reply;
969 /* Send a heartbeat to our peer. */
970 reply = sctp_make_heartbeat(asoc, transport);
972 return SCTP_DISPOSITION_NOMEM;
974 /* Set rto_pending indicating that an RTT measurement
975 * is started with this heartbeat chunk.
977 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
978 SCTP_TRANSPORT(transport));
980 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
981 return SCTP_DISPOSITION_CONSUME;
984 /* Generate a HEARTBEAT packet on the given transport. */
985 sctp_disposition_t sctp_sf_sendbeat_8_3(struct net *net,
986 const struct sctp_endpoint *ep,
987 const struct sctp_association *asoc,
988 const sctp_subtype_t type,
990 sctp_cmd_seq_t *commands)
992 struct sctp_transport *transport = (struct sctp_transport *) arg;
994 if (asoc->overall_error_count >= asoc->max_retrans) {
995 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
996 SCTP_ERROR(ETIMEDOUT));
997 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
998 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
999 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1000 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1001 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1002 return SCTP_DISPOSITION_DELETE_TCB;
1006 * The Sender-specific Heartbeat Info field should normally include
1007 * information about the sender's current time when this HEARTBEAT
1008 * chunk is sent and the destination transport address to which this
1009 * HEARTBEAT is sent (see Section 8.3).
1012 if (transport->param_flags & SPP_HB_ENABLE) {
1013 if (SCTP_DISPOSITION_NOMEM ==
1014 sctp_sf_heartbeat(ep, asoc, type, arg,
1016 return SCTP_DISPOSITION_NOMEM;
1018 /* Set transport error counter and association error counter
1019 * when sending heartbeat.
1021 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1022 SCTP_TRANSPORT(transport));
1024 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1025 SCTP_TRANSPORT(transport));
1026 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1027 SCTP_TRANSPORT(transport));
1029 return SCTP_DISPOSITION_CONSUME;
1033 * Process an heartbeat request.
1035 * Section: 8.3 Path Heartbeat
1036 * The receiver of the HEARTBEAT should immediately respond with a
1037 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1038 * from the received HEARTBEAT chunk.
1040 * Verification Tag: 8.5 Verification Tag [Normal verification]
1041 * When receiving an SCTP packet, the endpoint MUST ensure that the
1042 * value in the Verification Tag field of the received SCTP packet
1043 * matches its own Tag. If the received Verification Tag value does not
1044 * match the receiver's own tag value, the receiver shall silently
1045 * discard the packet and shall not process it any further except for
1046 * those cases listed in Section 8.5.1 below.
1049 * (endpoint, asoc, chunk)
1052 * (asoc, reply_msg, msg_up, timers, counters)
1054 * The return value is the disposition of the chunk.
1056 sctp_disposition_t sctp_sf_beat_8_3(struct net *net,
1057 const struct sctp_endpoint *ep,
1058 const struct sctp_association *asoc,
1059 const sctp_subtype_t type,
1061 sctp_cmd_seq_t *commands)
1063 sctp_paramhdr_t *param_hdr;
1064 struct sctp_chunk *chunk = arg;
1065 struct sctp_chunk *reply;
1068 if (!sctp_vtag_verify(chunk, asoc))
1069 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1071 /* Make sure that the HEARTBEAT chunk has a valid length. */
1072 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1073 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1076 /* 8.3 The receiver of the HEARTBEAT should immediately
1077 * respond with a HEARTBEAT ACK that contains the Heartbeat
1078 * Information field copied from the received HEARTBEAT chunk.
1080 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
1081 param_hdr = (sctp_paramhdr_t *) chunk->subh.hb_hdr;
1082 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
1084 if (ntohs(param_hdr->length) > paylen)
1085 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1086 param_hdr, commands);
1088 if (!pskb_pull(chunk->skb, paylen))
1091 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1095 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1096 return SCTP_DISPOSITION_CONSUME;
1099 return SCTP_DISPOSITION_NOMEM;
1103 * Process the returning HEARTBEAT ACK.
1105 * Section: 8.3 Path Heartbeat
1106 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1107 * should clear the error counter of the destination transport
1108 * address to which the HEARTBEAT was sent, and mark the destination
1109 * transport address as active if it is not so marked. The endpoint may
1110 * optionally report to the upper layer when an inactive destination
1111 * address is marked as active due to the reception of the latest
1112 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1113 * clear the association overall error count as well (as defined
1116 * The receiver of the HEARTBEAT ACK should also perform an RTT
1117 * measurement for that destination transport address using the time
1118 * value carried in the HEARTBEAT ACK chunk.
1120 * Verification Tag: 8.5 Verification Tag [Normal verification]
1123 * (endpoint, asoc, chunk)
1126 * (asoc, reply_msg, msg_up, timers, counters)
1128 * The return value is the disposition of the chunk.
1130 sctp_disposition_t sctp_sf_backbeat_8_3(struct net *net,
1131 const struct sctp_endpoint *ep,
1132 const struct sctp_association *asoc,
1133 const sctp_subtype_t type,
1135 sctp_cmd_seq_t *commands)
1137 struct sctp_chunk *chunk = arg;
1138 union sctp_addr from_addr;
1139 struct sctp_transport *link;
1140 sctp_sender_hb_info_t *hbinfo;
1141 unsigned long max_interval;
1143 if (!sctp_vtag_verify(chunk, asoc))
1144 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1146 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1147 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +
1148 sizeof(sctp_sender_hb_info_t)))
1149 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1152 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1153 /* Make sure that the length of the parameter is what we expect */
1154 if (ntohs(hbinfo->param_hdr.length) !=
1155 sizeof(sctp_sender_hb_info_t)) {
1156 return SCTP_DISPOSITION_DISCARD;
1159 from_addr = hbinfo->daddr;
1160 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1162 /* This should never happen, but lets log it if so. */
1163 if (unlikely(!link)) {
1164 if (from_addr.sa.sa_family == AF_INET6) {
1165 net_warn_ratelimited("%s association %p could not find address %pI6\n",
1168 &from_addr.v6.sin6_addr);
1170 net_warn_ratelimited("%s association %p could not find address %pI4\n",
1173 &from_addr.v4.sin_addr.s_addr);
1175 return SCTP_DISPOSITION_DISCARD;
1178 /* Validate the 64-bit random nonce. */
1179 if (hbinfo->hb_nonce != link->hb_nonce)
1180 return SCTP_DISPOSITION_DISCARD;
1182 max_interval = link->hbinterval + link->rto;
1184 /* Check if the timestamp looks valid. */
1185 if (time_after(hbinfo->sent_at, jiffies) ||
1186 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1187 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp "
1188 "received for transport: %p\n",
1190 return SCTP_DISPOSITION_DISCARD;
1193 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1194 * the HEARTBEAT should clear the error counter of the
1195 * destination transport address to which the HEARTBEAT was
1196 * sent and mark the destination transport address as active if
1197 * it is not so marked.
1199 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1201 return SCTP_DISPOSITION_CONSUME;
1204 /* Helper function to send out an abort for the restart
1207 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1208 struct sctp_chunk *init,
1209 sctp_cmd_seq_t *commands)
1212 struct sctp_packet *pkt;
1213 union sctp_addr_param *addrparm;
1214 struct sctp_errhdr *errhdr;
1215 struct sctp_endpoint *ep;
1216 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1217 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1219 /* Build the error on the stack. We are way to malloc crazy
1220 * throughout the code today.
1222 errhdr = (struct sctp_errhdr *)buffer;
1223 addrparm = (union sctp_addr_param *)errhdr->variable;
1225 /* Copy into a parm format. */
1226 len = af->to_addr_param(ssa, addrparm);
1227 len += sizeof(sctp_errhdr_t);
1229 errhdr->cause = SCTP_ERROR_RESTART;
1230 errhdr->length = htons(len);
1232 /* Assign to the control socket. */
1233 ep = sctp_sk(net->sctp.ctl_sock)->ep;
1235 /* Association is NULL since this may be a restart attack and we
1236 * want to send back the attacker's vtag.
1238 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1242 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1244 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1246 /* Discard the rest of the inbound packet. */
1247 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1250 /* Even if there is no memory, treat as a failure so
1251 * the packet will get dropped.
1256 static bool list_has_sctp_addr(const struct list_head *list,
1257 union sctp_addr *ipaddr)
1259 struct sctp_transport *addr;
1261 list_for_each_entry(addr, list, transports) {
1262 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1268 /* A restart is occurring, check to make sure no new addresses
1269 * are being added as we may be under a takeover attack.
1271 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1272 const struct sctp_association *asoc,
1273 struct sctp_chunk *init,
1274 sctp_cmd_seq_t *commands)
1276 struct net *net = sock_net(new_asoc->base.sk);
1277 struct sctp_transport *new_addr;
1280 /* Implementor's Guide - Section 5.2.2
1282 * Before responding the endpoint MUST check to see if the
1283 * unexpected INIT adds new addresses to the association. If new
1284 * addresses are added to the association, the endpoint MUST respond
1288 /* Search through all current addresses and make sure
1289 * we aren't adding any new ones.
1291 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1293 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1294 &new_addr->ipaddr)) {
1295 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1302 /* Return success if all addresses were found. */
1306 /* Populate the verification/tie tags based on overlapping INIT
1309 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1311 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1312 const struct sctp_association *asoc)
1314 switch (asoc->state) {
1316 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1318 case SCTP_STATE_COOKIE_WAIT:
1319 new_asoc->c.my_vtag = asoc->c.my_vtag;
1320 new_asoc->c.my_ttag = asoc->c.my_vtag;
1321 new_asoc->c.peer_ttag = 0;
1324 case SCTP_STATE_COOKIE_ECHOED:
1325 new_asoc->c.my_vtag = asoc->c.my_vtag;
1326 new_asoc->c.my_ttag = asoc->c.my_vtag;
1327 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1330 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1331 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1334 new_asoc->c.my_ttag = asoc->c.my_vtag;
1335 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1339 /* Other parameters for the endpoint SHOULD be copied from the
1340 * existing parameters of the association (e.g. number of
1341 * outbound streams) into the INIT ACK and cookie.
1343 new_asoc->rwnd = asoc->rwnd;
1344 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1345 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1346 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1350 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1353 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1355 * Returns value representing action to be taken. These action values
1356 * correspond to Action/Description values in RFC 2960, Table 2.
1358 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1359 const struct sctp_association *asoc)
1361 /* In this case, the peer may have restarted. */
1362 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1363 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1364 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1365 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1368 /* Collision case B. */
1369 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1370 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1371 (0 == asoc->c.peer_vtag))) {
1375 /* Collision case D. */
1376 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1377 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1380 /* Collision case C. */
1381 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1382 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1383 (0 == new_asoc->c.my_ttag) &&
1384 (0 == new_asoc->c.peer_ttag))
1387 /* No match to any of the special cases; discard this packet. */
1391 /* Common helper routine for both duplicate and simulataneous INIT
1394 static sctp_disposition_t sctp_sf_do_unexpected_init(
1396 const struct sctp_endpoint *ep,
1397 const struct sctp_association *asoc,
1398 const sctp_subtype_t type,
1399 void *arg, sctp_cmd_seq_t *commands)
1401 sctp_disposition_t retval;
1402 struct sctp_chunk *chunk = arg;
1403 struct sctp_chunk *repl;
1404 struct sctp_association *new_asoc;
1405 struct sctp_chunk *err_chunk;
1406 struct sctp_packet *packet;
1407 sctp_unrecognized_param_t *unk_param;
1411 * An endpoint MUST NOT bundle INIT, INIT ACK or
1412 * SHUTDOWN COMPLETE with any other chunks.
1415 * Furthermore, we require that the receiver of an INIT chunk MUST
1416 * enforce these rules by silently discarding an arriving packet
1417 * with an INIT chunk that is bundled with other chunks.
1419 if (!chunk->singleton)
1420 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1422 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1425 if (chunk->sctp_hdr->vtag != 0)
1426 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1428 /* Make sure that the INIT chunk has a valid length.
1429 * In this case, we generate a protocol violation since we have
1430 * an association established.
1432 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1433 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1435 /* Grab the INIT header. */
1436 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1438 /* Tag the variable length parameters. */
1439 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1441 /* Verify the INIT chunk before processing it. */
1443 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1444 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1446 /* This chunk contains fatal error. It is to be discarded.
1447 * Send an ABORT, with causes if there is any.
1450 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1451 (__u8 *)(err_chunk->chunk_hdr) +
1452 sizeof(sctp_chunkhdr_t),
1453 ntohs(err_chunk->chunk_hdr->length) -
1454 sizeof(sctp_chunkhdr_t));
1457 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1458 SCTP_PACKET(packet));
1459 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1460 retval = SCTP_DISPOSITION_CONSUME;
1462 retval = SCTP_DISPOSITION_NOMEM;
1466 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1472 * Other parameters for the endpoint SHOULD be copied from the
1473 * existing parameters of the association (e.g. number of
1474 * outbound streams) into the INIT ACK and cookie.
1475 * FIXME: We are copying parameters from the endpoint not the
1478 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1482 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1483 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1486 /* In the outbound INIT ACK the endpoint MUST copy its current
1487 * Verification Tag and Peers Verification tag into a reserved
1488 * place (local tie-tag and per tie-tag) within the state cookie.
1490 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1491 (sctp_init_chunk_t *)chunk->chunk_hdr,
1495 /* Make sure no new addresses are being added during the
1496 * restart. Do not do this check for COOKIE-WAIT state,
1497 * since there are no peer addresses to check against.
1498 * Upon return an ABORT will have been sent if needed.
1500 if (!sctp_state(asoc, COOKIE_WAIT)) {
1501 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1503 retval = SCTP_DISPOSITION_CONSUME;
1508 sctp_tietags_populate(new_asoc, asoc);
1510 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1512 /* If there are errors need to be reported for unknown parameters,
1513 * make sure to reserve enough room in the INIT ACK for them.
1517 len = ntohs(err_chunk->chunk_hdr->length) -
1518 sizeof(sctp_chunkhdr_t);
1521 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1525 /* If there are errors need to be reported for unknown parameters,
1526 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1530 /* Get the "Unrecognized parameter" parameter(s) out of the
1531 * ERROR chunk generated by sctp_verify_init(). Since the
1532 * error cause code for "unknown parameter" and the
1533 * "Unrecognized parameter" type is the same, we can
1534 * construct the parameters in INIT ACK by copying the
1535 * ERROR causes over.
1537 unk_param = (sctp_unrecognized_param_t *)
1538 ((__u8 *)(err_chunk->chunk_hdr) +
1539 sizeof(sctp_chunkhdr_t));
1540 /* Replace the cause code with the "Unrecognized parameter"
1543 sctp_addto_chunk(repl, len, unk_param);
1546 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1547 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1550 * Note: After sending out INIT ACK with the State Cookie parameter,
1551 * "Z" MUST NOT allocate any resources for this new association.
1552 * Otherwise, "Z" will be vulnerable to resource attacks.
1554 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1555 retval = SCTP_DISPOSITION_CONSUME;
1560 retval = SCTP_DISPOSITION_NOMEM;
1563 sctp_association_free(new_asoc);
1566 sctp_chunk_free(err_chunk);
1571 * Handle simultaneous INIT.
1572 * This means we started an INIT and then we got an INIT request from
1575 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1576 * This usually indicates an initialization collision, i.e., each
1577 * endpoint is attempting, at about the same time, to establish an
1578 * association with the other endpoint.
1580 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1581 * endpoint MUST respond with an INIT ACK using the same parameters it
1582 * sent in its original INIT chunk (including its Verification Tag,
1583 * unchanged). These original parameters are combined with those from the
1584 * newly received INIT chunk. The endpoint shall also generate a State
1585 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1586 * INIT to calculate the State Cookie.
1588 * After that, the endpoint MUST NOT change its state, the T1-init
1589 * timer shall be left running and the corresponding TCB MUST NOT be
1590 * destroyed. The normal procedures for handling State Cookies when
1591 * a TCB exists will resolve the duplicate INITs to a single association.
1593 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1594 * its Tie-Tags with the Tag information of itself and its peer (see
1595 * section 5.2.2 for a description of the Tie-Tags).
1597 * Verification Tag: Not explicit, but an INIT can not have a valid
1598 * verification tag, so we skip the check.
1601 * (endpoint, asoc, chunk)
1604 * (asoc, reply_msg, msg_up, timers, counters)
1606 * The return value is the disposition of the chunk.
1608 sctp_disposition_t sctp_sf_do_5_2_1_siminit(struct net *net,
1609 const struct sctp_endpoint *ep,
1610 const struct sctp_association *asoc,
1611 const sctp_subtype_t type,
1613 sctp_cmd_seq_t *commands)
1615 /* Call helper to do the real work for both simulataneous and
1616 * duplicate INIT chunk handling.
1618 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1622 * Handle duplicated INIT messages. These are usually delayed
1625 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1626 * COOKIE-ECHOED and COOKIE-WAIT
1628 * Unless otherwise stated, upon reception of an unexpected INIT for
1629 * this association, the endpoint shall generate an INIT ACK with a
1630 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1631 * current Verification Tag and peer's Verification Tag into a reserved
1632 * place within the state cookie. We shall refer to these locations as
1633 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1634 * containing this INIT ACK MUST carry a Verification Tag value equal to
1635 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1636 * MUST contain a new Initiation Tag (randomly generated see Section
1637 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1638 * existing parameters of the association (e.g. number of outbound
1639 * streams) into the INIT ACK and cookie.
1641 * After sending out the INIT ACK, the endpoint shall take no further
1642 * actions, i.e., the existing association, including its current state,
1643 * and the corresponding TCB MUST NOT be changed.
1645 * Note: Only when a TCB exists and the association is not in a COOKIE-
1646 * WAIT state are the Tie-Tags populated. For a normal association INIT
1647 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1648 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1649 * State Cookie are populated as specified in section 5.2.1.
1651 * Verification Tag: Not specified, but an INIT has no way of knowing
1652 * what the verification tag could be, so we ignore it.
1655 * (endpoint, asoc, chunk)
1658 * (asoc, reply_msg, msg_up, timers, counters)
1660 * The return value is the disposition of the chunk.
1662 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(struct net *net,
1663 const struct sctp_endpoint *ep,
1664 const struct sctp_association *asoc,
1665 const sctp_subtype_t type,
1667 sctp_cmd_seq_t *commands)
1669 /* Call helper to do the real work for both simulataneous and
1670 * duplicate INIT chunk handling.
1672 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1677 * Unexpected INIT-ACK handler.
1680 * If an INIT ACK received by an endpoint in any state other than the
1681 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1682 * An unexpected INIT ACK usually indicates the processing of an old or
1683 * duplicated INIT chunk.
1685 sctp_disposition_t sctp_sf_do_5_2_3_initack(struct net *net,
1686 const struct sctp_endpoint *ep,
1687 const struct sctp_association *asoc,
1688 const sctp_subtype_t type,
1689 void *arg, sctp_cmd_seq_t *commands)
1691 /* Per the above section, we'll discard the chunk if we have an
1692 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1694 if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1695 return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1697 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1700 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1703 * A) In this case, the peer may have restarted.
1705 static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net,
1706 const struct sctp_endpoint *ep,
1707 const struct sctp_association *asoc,
1708 struct sctp_chunk *chunk,
1709 sctp_cmd_seq_t *commands,
1710 struct sctp_association *new_asoc)
1712 sctp_init_chunk_t *peer_init;
1713 struct sctp_ulpevent *ev;
1714 struct sctp_chunk *repl;
1715 struct sctp_chunk *err;
1716 sctp_disposition_t disposition;
1718 /* new_asoc is a brand-new association, so these are not yet
1719 * side effects--it is safe to run them here.
1721 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1723 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1727 /* Make sure no new addresses are being added during the
1728 * restart. Though this is a pretty complicated attack
1729 * since you'd have to get inside the cookie.
1731 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1732 return SCTP_DISPOSITION_CONSUME;
1735 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1736 * the peer has restarted (Action A), it MUST NOT setup a new
1737 * association but instead resend the SHUTDOWN ACK and send an ERROR
1738 * chunk with a "Cookie Received while Shutting Down" error cause to
1741 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1742 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
1743 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1745 if (SCTP_DISPOSITION_NOMEM == disposition)
1748 err = sctp_make_op_error(asoc, chunk,
1749 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1752 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1755 return SCTP_DISPOSITION_CONSUME;
1758 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1759 * data. Consider the optional choice of resending of this data.
1761 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1762 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1763 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1764 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1766 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1767 * and ASCONF-ACK cache.
1769 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1770 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1771 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1773 repl = sctp_make_cookie_ack(new_asoc, chunk);
1777 /* Report association restart to upper layer. */
1778 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1779 new_asoc->c.sinit_num_ostreams,
1780 new_asoc->c.sinit_max_instreams,
1785 /* Update the content of current association. */
1786 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1787 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1788 if (sctp_state(asoc, SHUTDOWN_PENDING) &&
1789 (sctp_sstate(asoc->base.sk, CLOSING) ||
1790 sock_flag(asoc->base.sk, SOCK_DEAD))) {
1791 /* if were currently in SHUTDOWN_PENDING, but the socket
1792 * has been closed by user, don't transition to ESTABLISHED.
1793 * Instead trigger SHUTDOWN bundled with COOKIE_ACK.
1795 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1796 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1797 SCTP_ST_CHUNK(0), NULL,
1800 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1801 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1802 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1804 return SCTP_DISPOSITION_CONSUME;
1807 sctp_chunk_free(repl);
1809 return SCTP_DISPOSITION_NOMEM;
1812 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1815 * B) In this case, both sides may be attempting to start an association
1816 * at about the same time but the peer endpoint started its INIT
1817 * after responding to the local endpoint's INIT
1819 /* This case represents an initialization collision. */
1820 static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net,
1821 const struct sctp_endpoint *ep,
1822 const struct sctp_association *asoc,
1823 struct sctp_chunk *chunk,
1824 sctp_cmd_seq_t *commands,
1825 struct sctp_association *new_asoc)
1827 sctp_init_chunk_t *peer_init;
1828 struct sctp_chunk *repl;
1830 /* new_asoc is a brand-new association, so these are not yet
1831 * side effects--it is safe to run them here.
1833 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1834 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1838 /* Update the content of current association. */
1839 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1840 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1841 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1842 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1843 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1845 repl = sctp_make_cookie_ack(new_asoc, chunk);
1849 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1851 /* RFC 2960 5.1 Normal Establishment of an Association
1853 * D) IMPLEMENTATION NOTE: An implementation may choose to
1854 * send the Communication Up notification to the SCTP user
1855 * upon reception of a valid COOKIE ECHO chunk.
1857 * Sadly, this needs to be implemented as a side-effect, because
1858 * we are not guaranteed to have set the association id of the real
1859 * association and so these notifications need to be delayed until
1860 * the association id is allocated.
1863 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1865 /* Sockets API Draft Section 5.3.1.6
1866 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1867 * delivers this notification to inform the application that of the
1868 * peers requested adaptation layer.
1870 * This also needs to be done as a side effect for the same reason as
1873 if (asoc->peer.adaptation_ind)
1874 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1876 return SCTP_DISPOSITION_CONSUME;
1879 return SCTP_DISPOSITION_NOMEM;
1882 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1885 * C) In this case, the local endpoint's cookie has arrived late.
1886 * Before it arrived, the local endpoint sent an INIT and received an
1887 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1888 * but a new tag of its own.
1890 /* This case represents an initialization collision. */
1891 static sctp_disposition_t sctp_sf_do_dupcook_c(struct net *net,
1892 const struct sctp_endpoint *ep,
1893 const struct sctp_association *asoc,
1894 struct sctp_chunk *chunk,
1895 sctp_cmd_seq_t *commands,
1896 struct sctp_association *new_asoc)
1898 /* The cookie should be silently discarded.
1899 * The endpoint SHOULD NOT change states and should leave
1900 * any timers running.
1902 return SCTP_DISPOSITION_DISCARD;
1905 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1909 * D) When both local and remote tags match the endpoint should always
1910 * enter the ESTABLISHED state, if it has not already done so.
1912 /* This case represents an initialization collision. */
1913 static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
1914 const struct sctp_endpoint *ep,
1915 const struct sctp_association *asoc,
1916 struct sctp_chunk *chunk,
1917 sctp_cmd_seq_t *commands,
1918 struct sctp_association *new_asoc)
1920 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1921 struct sctp_chunk *repl;
1923 /* Clarification from Implementor's Guide:
1924 * D) When both local and remote tags match the endpoint should
1925 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1926 * It should stop any cookie timer that may be running and send
1930 /* Don't accidentally move back into established state. */
1931 if (asoc->state < SCTP_STATE_ESTABLISHED) {
1932 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1933 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1934 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1935 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1936 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1937 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1940 /* RFC 2960 5.1 Normal Establishment of an Association
1942 * D) IMPLEMENTATION NOTE: An implementation may choose
1943 * to send the Communication Up notification to the
1944 * SCTP user upon reception of a valid COOKIE
1947 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1949 asoc->c.sinit_num_ostreams,
1950 asoc->c.sinit_max_instreams,
1955 /* Sockets API Draft Section 5.3.1.6
1956 * When a peer sends a Adaptation Layer Indication parameter,
1957 * SCTP delivers this notification to inform the application
1958 * that of the peers requested adaptation layer.
1960 if (asoc->peer.adaptation_ind) {
1961 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1969 repl = sctp_make_cookie_ack(new_asoc, chunk);
1973 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1976 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1979 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1980 SCTP_ULPEVENT(ai_ev));
1982 return SCTP_DISPOSITION_CONSUME;
1986 sctp_ulpevent_free(ai_ev);
1988 sctp_ulpevent_free(ev);
1989 return SCTP_DISPOSITION_NOMEM;
1993 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
1994 * chunk was retransmitted and then delayed in the network.
1996 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1998 * Verification Tag: None. Do cookie validation.
2001 * (endpoint, asoc, chunk)
2004 * (asoc, reply_msg, msg_up, timers, counters)
2006 * The return value is the disposition of the chunk.
2008 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net,
2009 const struct sctp_endpoint *ep,
2010 const struct sctp_association *asoc,
2011 const sctp_subtype_t type,
2013 sctp_cmd_seq_t *commands)
2015 sctp_disposition_t retval;
2016 struct sctp_chunk *chunk = arg;
2017 struct sctp_association *new_asoc;
2020 struct sctp_chunk *err_chk_p;
2022 /* Make sure that the chunk has a valid length from the protocol
2023 * perspective. In this case check to make sure we have at least
2024 * enough for the chunk header. Cookie length verification is
2027 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2028 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2031 /* "Decode" the chunk. We have no optional parameters so we
2032 * are in good shape.
2034 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2035 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2036 sizeof(sctp_chunkhdr_t)))
2039 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2040 * of a duplicate COOKIE ECHO match the Verification Tags of the
2041 * current association, consider the State Cookie valid even if
2042 * the lifespan is exceeded.
2044 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2048 * If the re-build failed, what is the proper error path
2051 * [We should abort the association. --piggy]
2054 /* FIXME: Several errors are possible. A bad cookie should
2055 * be silently discarded, but think about logging it too.
2058 case -SCTP_IERROR_NOMEM:
2061 case -SCTP_IERROR_STALE_COOKIE:
2062 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2064 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2065 case -SCTP_IERROR_BAD_SIG:
2067 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2071 /* Compare the tie_tag in cookie with the verification tag of
2072 * current association.
2074 action = sctp_tietags_compare(new_asoc, asoc);
2077 case 'A': /* Association restart. */
2078 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2082 case 'B': /* Collision case B. */
2083 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2087 case 'C': /* Collision case C. */
2088 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2092 case 'D': /* Collision case D. */
2093 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2097 default: /* Discard packet for all others. */
2098 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2102 /* Delete the tempory new association. */
2103 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2104 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2106 /* Restore association pointer to provide SCTP command interpeter
2107 * with a valid context in case it needs to manipulate
2109 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2110 SCTP_ASOC((struct sctp_association *)asoc));
2115 return SCTP_DISPOSITION_NOMEM;
2119 * Process an ABORT. (SHUTDOWN-PENDING state)
2121 * See sctp_sf_do_9_1_abort().
2123 sctp_disposition_t sctp_sf_shutdown_pending_abort(
2125 const struct sctp_endpoint *ep,
2126 const struct sctp_association *asoc,
2127 const sctp_subtype_t type,
2129 sctp_cmd_seq_t *commands)
2131 struct sctp_chunk *chunk = arg;
2133 if (!sctp_vtag_verify_either(chunk, asoc))
2134 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2136 /* Make sure that the ABORT chunk has a valid length.
2137 * Since this is an ABORT chunk, we have to discard it
2138 * because of the following text:
2139 * RFC 2960, Section 3.3.7
2140 * If an endpoint receives an ABORT with a format error or for an
2141 * association that doesn't exist, it MUST silently discard it.
2142 * Because the length is "invalid", we can't really discard just
2143 * as we do not know its true length. So, to be safe, discard the
2146 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2147 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2149 /* ADD-IP: Special case for ABORT chunks
2150 * F4) One special consideration is that ABORT Chunks arriving
2151 * destined to the IP address being deleted MUST be
2152 * ignored (see Section 5.3.1 for further details).
2154 if (SCTP_ADDR_DEL ==
2155 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2156 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2158 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2162 * Process an ABORT. (SHUTDOWN-SENT state)
2164 * See sctp_sf_do_9_1_abort().
2166 sctp_disposition_t sctp_sf_shutdown_sent_abort(struct net *net,
2167 const struct sctp_endpoint *ep,
2168 const struct sctp_association *asoc,
2169 const sctp_subtype_t type,
2171 sctp_cmd_seq_t *commands)
2173 struct sctp_chunk *chunk = arg;
2175 if (!sctp_vtag_verify_either(chunk, asoc))
2176 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2178 /* Make sure that the ABORT chunk has a valid length.
2179 * Since this is an ABORT chunk, we have to discard it
2180 * because of the following text:
2181 * RFC 2960, Section 3.3.7
2182 * If an endpoint receives an ABORT with a format error or for an
2183 * association that doesn't exist, it MUST silently discard it.
2184 * Because the length is "invalid", we can't really discard just
2185 * as we do not know its true length. So, to be safe, discard the
2188 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2189 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2191 /* ADD-IP: Special case for ABORT chunks
2192 * F4) One special consideration is that ABORT Chunks arriving
2193 * destined to the IP address being deleted MUST be
2194 * ignored (see Section 5.3.1 for further details).
2196 if (SCTP_ADDR_DEL ==
2197 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2198 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2200 /* Stop the T2-shutdown timer. */
2201 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2202 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2204 /* Stop the T5-shutdown guard timer. */
2205 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2206 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2208 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2212 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2214 * See sctp_sf_do_9_1_abort().
2216 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2218 const struct sctp_endpoint *ep,
2219 const struct sctp_association *asoc,
2220 const sctp_subtype_t type,
2222 sctp_cmd_seq_t *commands)
2224 /* The same T2 timer, so we should be able to use
2225 * common function with the SHUTDOWN-SENT state.
2227 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2231 * Handle an Error received in COOKIE_ECHOED state.
2233 * Only handle the error type of stale COOKIE Error, the other errors will
2237 * (endpoint, asoc, chunk)
2240 * (asoc, reply_msg, msg_up, timers, counters)
2242 * The return value is the disposition of the chunk.
2244 sctp_disposition_t sctp_sf_cookie_echoed_err(struct net *net,
2245 const struct sctp_endpoint *ep,
2246 const struct sctp_association *asoc,
2247 const sctp_subtype_t type,
2249 sctp_cmd_seq_t *commands)
2251 struct sctp_chunk *chunk = arg;
2254 if (!sctp_vtag_verify(chunk, asoc))
2255 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2257 /* Make sure that the ERROR chunk has a valid length.
2258 * The parameter walking depends on this as well.
2260 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2261 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2264 /* Process the error here */
2265 /* FUTURE FIXME: When PR-SCTP related and other optional
2266 * parms are emitted, this will have to change to handle multiple
2269 sctp_walk_errors(err, chunk->chunk_hdr) {
2270 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2271 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2275 /* It is possible to have malformed error causes, and that
2276 * will cause us to end the walk early. However, since
2277 * we are discarding the packet, there should be no adverse
2280 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2284 * Handle a Stale COOKIE Error
2286 * Section: 5.2.6 Handle Stale COOKIE Error
2287 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2288 * one of the following three alternatives.
2290 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2291 * Preservative parameter requesting an extension to the lifetime of
2292 * the State Cookie. When calculating the time extension, an
2293 * implementation SHOULD use the RTT information measured based on the
2294 * previous COOKIE ECHO / ERROR exchange, and should add no more
2295 * than 1 second beyond the measured RTT, due to long State Cookie
2296 * lifetimes making the endpoint more subject to a replay attack.
2298 * Verification Tag: Not explicit, but safe to ignore.
2301 * (endpoint, asoc, chunk)
2304 * (asoc, reply_msg, msg_up, timers, counters)
2306 * The return value is the disposition of the chunk.
2308 static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
2309 const struct sctp_endpoint *ep,
2310 const struct sctp_association *asoc,
2311 const sctp_subtype_t type,
2313 sctp_cmd_seq_t *commands)
2315 struct sctp_chunk *chunk = arg;
2317 sctp_cookie_preserve_param_t bht;
2319 struct sctp_chunk *reply;
2320 struct sctp_bind_addr *bp;
2321 int attempts = asoc->init_err_counter + 1;
2323 if (attempts > asoc->max_init_attempts) {
2324 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2325 SCTP_ERROR(ETIMEDOUT));
2326 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2327 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2328 return SCTP_DISPOSITION_DELETE_TCB;
2331 err = (sctp_errhdr_t *)(chunk->skb->data);
2333 /* When calculating the time extension, an implementation
2334 * SHOULD use the RTT information measured based on the
2335 * previous COOKIE ECHO / ERROR exchange, and should add no
2336 * more than 1 second beyond the measured RTT, due to long
2337 * State Cookie lifetimes making the endpoint more subject to
2339 * Measure of Staleness's unit is usec. (1/1000000 sec)
2340 * Suggested Cookie Life-span Increment's unit is msec.
2342 * In general, if you use the suggested cookie life, the value
2343 * found in the field of measure of staleness should be doubled
2344 * to give ample time to retransmit the new cookie and thus
2345 * yield a higher probability of success on the reattempt.
2347 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2348 stale = (stale * 2) / 1000;
2350 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2351 bht.param_hdr.length = htons(sizeof(bht));
2352 bht.lifespan_increment = htonl(stale);
2354 /* Build that new INIT chunk. */
2355 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2356 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2360 sctp_addto_chunk(reply, sizeof(bht), &bht);
2362 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2363 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2365 /* Stop pending T3-rtx and heartbeat timers */
2366 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2367 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2369 /* Delete non-primary peer ip addresses since we are transitioning
2370 * back to the COOKIE-WAIT state
2372 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2374 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2377 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2378 SCTP_TRANSPORT(asoc->peer.primary_path));
2380 /* Cast away the const modifier, as we want to just
2381 * rerun it through as a sideffect.
2383 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2385 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2386 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2387 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2388 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2389 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2390 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2392 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2394 return SCTP_DISPOSITION_CONSUME;
2397 return SCTP_DISPOSITION_NOMEM;
2404 * After checking the Verification Tag, the receiving endpoint shall
2405 * remove the association from its record, and shall report the
2406 * termination to its upper layer.
2408 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2409 * B) Rules for packet carrying ABORT:
2411 * - The endpoint shall always fill in the Verification Tag field of the
2412 * outbound packet with the destination endpoint's tag value if it
2415 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2416 * MUST follow the procedure described in Section 8.4.
2418 * - The receiver MUST accept the packet if the Verification Tag
2419 * matches either its own tag, OR the tag of its peer. Otherwise, the
2420 * receiver MUST silently discard the packet and take no further
2424 * (endpoint, asoc, chunk)
2427 * (asoc, reply_msg, msg_up, timers, counters)
2429 * The return value is the disposition of the chunk.
2431 sctp_disposition_t sctp_sf_do_9_1_abort(struct net *net,
2432 const struct sctp_endpoint *ep,
2433 const struct sctp_association *asoc,
2434 const sctp_subtype_t type,
2436 sctp_cmd_seq_t *commands)
2438 struct sctp_chunk *chunk = arg;
2440 if (!sctp_vtag_verify_either(chunk, asoc))
2441 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2443 /* Make sure that the ABORT chunk has a valid length.
2444 * Since this is an ABORT chunk, we have to discard it
2445 * because of the following text:
2446 * RFC 2960, Section 3.3.7
2447 * If an endpoint receives an ABORT with a format error or for an
2448 * association that doesn't exist, it MUST silently discard it.
2449 * Because the length is "invalid", we can't really discard just
2450 * as we do not know its true length. So, to be safe, discard the
2453 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2454 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2456 /* ADD-IP: Special case for ABORT chunks
2457 * F4) One special consideration is that ABORT Chunks arriving
2458 * destined to the IP address being deleted MUST be
2459 * ignored (see Section 5.3.1 for further details).
2461 if (SCTP_ADDR_DEL ==
2462 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2463 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2465 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2468 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
2469 const struct sctp_endpoint *ep,
2470 const struct sctp_association *asoc,
2471 const sctp_subtype_t type,
2473 sctp_cmd_seq_t *commands)
2475 struct sctp_chunk *chunk = arg;
2477 __be16 error = SCTP_ERROR_NO_ERROR;
2479 /* See if we have an error cause code in the chunk. */
2480 len = ntohs(chunk->chunk_hdr->length);
2481 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
2484 sctp_walk_errors(err, chunk->chunk_hdr);
2485 if ((void *)err != (void *)chunk->chunk_end)
2486 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2488 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2491 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2492 /* ASSOC_FAILED will DELETE_TCB. */
2493 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2494 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2495 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2497 return SCTP_DISPOSITION_ABORT;
2501 * Process an ABORT. (COOKIE-WAIT state)
2503 * See sctp_sf_do_9_1_abort() above.
2505 sctp_disposition_t sctp_sf_cookie_wait_abort(struct net *net,
2506 const struct sctp_endpoint *ep,
2507 const struct sctp_association *asoc,
2508 const sctp_subtype_t type,
2510 sctp_cmd_seq_t *commands)
2512 struct sctp_chunk *chunk = arg;
2514 __be16 error = SCTP_ERROR_NO_ERROR;
2516 if (!sctp_vtag_verify_either(chunk, asoc))
2517 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2519 /* Make sure that the ABORT chunk has a valid length.
2520 * Since this is an ABORT chunk, we have to discard it
2521 * because of the following text:
2522 * RFC 2960, Section 3.3.7
2523 * If an endpoint receives an ABORT with a format error or for an
2524 * association that doesn't exist, it MUST silently discard it.
2525 * Because the length is "invalid", we can't really discard just
2526 * as we do not know its true length. So, to be safe, discard the
2529 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2530 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2532 /* See if we have an error cause code in the chunk. */
2533 len = ntohs(chunk->chunk_hdr->length);
2534 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2535 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2537 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2542 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2544 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(struct net *net,
2545 const struct sctp_endpoint *ep,
2546 const struct sctp_association *asoc,
2547 const sctp_subtype_t type,
2549 sctp_cmd_seq_t *commands)
2551 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2553 (struct sctp_transport *)arg);
2557 * Process an ABORT. (COOKIE-ECHOED state)
2559 sctp_disposition_t sctp_sf_cookie_echoed_abort(struct net *net,
2560 const struct sctp_endpoint *ep,
2561 const struct sctp_association *asoc,
2562 const sctp_subtype_t type,
2564 sctp_cmd_seq_t *commands)
2566 /* There is a single T1 timer, so we should be able to use
2567 * common function with the COOKIE-WAIT state.
2569 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2573 * Stop T1 timer and abort association with "INIT failed".
2575 * This is common code called by several sctp_sf_*_abort() functions above.
2577 static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
2578 sctp_cmd_seq_t *commands,
2579 __be16 error, int sk_err,
2580 const struct sctp_association *asoc,
2581 struct sctp_transport *transport)
2583 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");
2584 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2585 SCTP_STATE(SCTP_STATE_CLOSED));
2586 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2587 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2588 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2589 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2590 /* CMD_INIT_FAILED will DELETE_TCB. */
2591 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2593 return SCTP_DISPOSITION_ABORT;
2597 * sctp_sf_do_9_2_shut
2600 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2601 * - enter the SHUTDOWN-RECEIVED state,
2603 * - stop accepting new data from its SCTP user
2605 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2606 * that all its outstanding DATA chunks have been received by the
2609 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2610 * send a SHUTDOWN in response to a ULP request. And should discard
2611 * subsequent SHUTDOWN chunks.
2613 * If there are still outstanding DATA chunks left, the SHUTDOWN
2614 * receiver shall continue to follow normal data transmission
2615 * procedures defined in Section 6 until all outstanding DATA chunks
2616 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2617 * new data from its SCTP user.
2619 * Verification Tag: 8.5 Verification Tag [Normal verification]
2622 * (endpoint, asoc, chunk)
2625 * (asoc, reply_msg, msg_up, timers, counters)
2627 * The return value is the disposition of the chunk.
2629 sctp_disposition_t sctp_sf_do_9_2_shutdown(struct net *net,
2630 const struct sctp_endpoint *ep,
2631 const struct sctp_association *asoc,
2632 const sctp_subtype_t type,
2634 sctp_cmd_seq_t *commands)
2636 struct sctp_chunk *chunk = arg;
2637 sctp_shutdownhdr_t *sdh;
2638 sctp_disposition_t disposition;
2639 struct sctp_ulpevent *ev;
2642 if (!sctp_vtag_verify(chunk, asoc))
2643 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2645 /* Make sure that the SHUTDOWN chunk has a valid length. */
2646 if (!sctp_chunk_length_valid(chunk,
2647 sizeof(struct sctp_shutdown_chunk_t)))
2648 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2651 /* Convert the elaborate header. */
2652 sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2653 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2654 chunk->subh.shutdown_hdr = sdh;
2655 ctsn = ntohl(sdh->cum_tsn_ack);
2657 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2658 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2659 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2660 return SCTP_DISPOSITION_DISCARD;
2663 /* If Cumulative TSN Ack beyond the max tsn currently
2664 * send, terminating the association and respond to the
2665 * sender with an ABORT.
2667 if (!TSN_lt(ctsn, asoc->next_tsn))
2668 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2670 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2671 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2672 * inform the application that it should cease sending data.
2674 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2676 disposition = SCTP_DISPOSITION_NOMEM;
2679 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2681 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2682 * - enter the SHUTDOWN-RECEIVED state,
2683 * - stop accepting new data from its SCTP user
2685 * [This is implicit in the new state.]
2687 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2688 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2689 disposition = SCTP_DISPOSITION_CONSUME;
2691 if (sctp_outq_is_empty(&asoc->outqueue)) {
2692 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2696 if (SCTP_DISPOSITION_NOMEM == disposition)
2699 /* - verify, by checking the Cumulative TSN Ack field of the
2700 * chunk, that all its outstanding DATA chunks have been
2701 * received by the SHUTDOWN sender.
2703 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2704 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2711 * sctp_sf_do_9_2_shut_ctsn
2713 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2714 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2715 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2716 * MUST be processed.
2718 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(struct net *net,
2719 const struct sctp_endpoint *ep,
2720 const struct sctp_association *asoc,
2721 const sctp_subtype_t type,
2723 sctp_cmd_seq_t *commands)
2725 struct sctp_chunk *chunk = arg;
2726 sctp_shutdownhdr_t *sdh;
2729 if (!sctp_vtag_verify(chunk, asoc))
2730 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2732 /* Make sure that the SHUTDOWN chunk has a valid length. */
2733 if (!sctp_chunk_length_valid(chunk,
2734 sizeof(struct sctp_shutdown_chunk_t)))
2735 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2738 sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2739 ctsn = ntohl(sdh->cum_tsn_ack);
2741 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2742 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2743 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2744 return SCTP_DISPOSITION_DISCARD;
2747 /* If Cumulative TSN Ack beyond the max tsn currently
2748 * send, terminating the association and respond to the
2749 * sender with an ABORT.
2751 if (!TSN_lt(ctsn, asoc->next_tsn))
2752 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2754 /* verify, by checking the Cumulative TSN Ack field of the
2755 * chunk, that all its outstanding DATA chunks have been
2756 * received by the SHUTDOWN sender.
2758 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2759 SCTP_BE32(sdh->cum_tsn_ack));
2761 return SCTP_DISPOSITION_CONSUME;
2765 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2766 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2767 * transport addresses (either in the IP addresses or in the INIT chunk)
2768 * that belong to this association, it should discard the INIT chunk and
2769 * retransmit the SHUTDOWN ACK chunk.
2771 sctp_disposition_t sctp_sf_do_9_2_reshutack(struct net *net,
2772 const struct sctp_endpoint *ep,
2773 const struct sctp_association *asoc,
2774 const sctp_subtype_t type,
2776 sctp_cmd_seq_t *commands)
2778 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2779 struct sctp_chunk *reply;
2781 /* Make sure that the chunk has a valid length */
2782 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2783 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2786 /* Since we are not going to really process this INIT, there
2787 * is no point in verifying chunk boundries. Just generate
2790 reply = sctp_make_shutdown_ack(asoc, chunk);
2794 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2795 * the T2-SHUTDOWN timer.
2797 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2799 /* and restart the T2-shutdown timer. */
2800 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2801 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2803 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2805 return SCTP_DISPOSITION_CONSUME;
2807 return SCTP_DISPOSITION_NOMEM;
2811 * sctp_sf_do_ecn_cwr
2813 * Section: Appendix A: Explicit Congestion Notification
2817 * RFC 2481 details a specific bit for a sender to send in the header of
2818 * its next outbound TCP segment to indicate to its peer that it has
2819 * reduced its congestion window. This is termed the CWR bit. For
2820 * SCTP the same indication is made by including the CWR chunk.
2821 * This chunk contains one data element, i.e. the TSN number that
2822 * was sent in the ECNE chunk. This element represents the lowest
2823 * TSN number in the datagram that was originally marked with the
2826 * Verification Tag: 8.5 Verification Tag [Normal verification]
2828 * (endpoint, asoc, chunk)
2831 * (asoc, reply_msg, msg_up, timers, counters)
2833 * The return value is the disposition of the chunk.
2835 sctp_disposition_t sctp_sf_do_ecn_cwr(struct net *net,
2836 const struct sctp_endpoint *ep,
2837 const struct sctp_association *asoc,
2838 const sctp_subtype_t type,
2840 sctp_cmd_seq_t *commands)
2843 struct sctp_chunk *chunk = arg;
2846 if (!sctp_vtag_verify(chunk, asoc))
2847 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2849 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2850 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2853 cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2854 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2856 lowest_tsn = ntohl(cwr->lowest_tsn);
2858 /* Does this CWR ack the last sent congestion notification? */
2859 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2860 /* Stop sending ECNE. */
2861 sctp_add_cmd_sf(commands,
2863 SCTP_U32(lowest_tsn));
2865 return SCTP_DISPOSITION_CONSUME;
2871 * Section: Appendix A: Explicit Congestion Notification
2875 * RFC 2481 details a specific bit for a receiver to send back in its
2876 * TCP acknowledgements to notify the sender of the Congestion
2877 * Experienced (CE) bit having arrived from the network. For SCTP this
2878 * same indication is made by including the ECNE chunk. This chunk
2879 * contains one data element, i.e. the lowest TSN associated with the IP
2880 * datagram marked with the CE bit.....
2882 * Verification Tag: 8.5 Verification Tag [Normal verification]
2884 * (endpoint, asoc, chunk)
2887 * (asoc, reply_msg, msg_up, timers, counters)
2889 * The return value is the disposition of the chunk.
2891 sctp_disposition_t sctp_sf_do_ecne(struct net *net,
2892 const struct sctp_endpoint *ep,
2893 const struct sctp_association *asoc,
2894 const sctp_subtype_t type,
2896 sctp_cmd_seq_t *commands)
2898 sctp_ecnehdr_t *ecne;
2899 struct sctp_chunk *chunk = arg;
2901 if (!sctp_vtag_verify(chunk, asoc))
2902 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2904 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2905 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2908 ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2909 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2911 /* If this is a newer ECNE than the last CWR packet we sent out */
2912 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2913 SCTP_U32(ntohl(ecne->lowest_tsn)));
2915 return SCTP_DISPOSITION_CONSUME;
2919 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
2921 * The SCTP endpoint MUST always acknowledge the reception of each valid
2924 * The guidelines on delayed acknowledgement algorithm specified in
2925 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2926 * acknowledgement SHOULD be generated for at least every second packet
2927 * (not every second DATA chunk) received, and SHOULD be generated within
2928 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2929 * situations it may be beneficial for an SCTP transmitter to be more
2930 * conservative than the algorithms detailed in this document allow.
2931 * However, an SCTP transmitter MUST NOT be more aggressive than the
2932 * following algorithms allow.
2934 * A SCTP receiver MUST NOT generate more than one SACK for every
2935 * incoming packet, other than to update the offered window as the
2936 * receiving application consumes new data.
2938 * Verification Tag: 8.5 Verification Tag [Normal verification]
2941 * (endpoint, asoc, chunk)
2944 * (asoc, reply_msg, msg_up, timers, counters)
2946 * The return value is the disposition of the chunk.
2948 sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net,
2949 const struct sctp_endpoint *ep,
2950 const struct sctp_association *asoc,
2951 const sctp_subtype_t type,
2953 sctp_cmd_seq_t *commands)
2955 struct sctp_chunk *chunk = arg;
2956 sctp_arg_t force = SCTP_NOFORCE();
2959 if (!sctp_vtag_verify(chunk, asoc)) {
2960 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2962 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2965 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2966 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2969 error = sctp_eat_data(asoc, chunk, commands );
2971 case SCTP_IERROR_NO_ERROR:
2973 case SCTP_IERROR_HIGH_TSN:
2974 case SCTP_IERROR_BAD_STREAM:
2975 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2976 goto discard_noforce;
2977 case SCTP_IERROR_DUP_TSN:
2978 case SCTP_IERROR_IGNORE_TSN:
2979 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2981 case SCTP_IERROR_NO_DATA:
2983 case SCTP_IERROR_PROTO_VIOLATION:
2984 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
2985 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
2990 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
2991 force = SCTP_FORCE();
2993 if (asoc->autoclose) {
2994 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2995 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2998 /* If this is the last chunk in a packet, we need to count it
2999 * toward sack generation. Note that we need to SACK every
3000 * OTHER packet containing data chunks, EVEN IF WE DISCARD
3001 * THEM. We elect to NOT generate SACK's if the chunk fails
3002 * the verification tag test.
3004 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3006 * The SCTP endpoint MUST always acknowledge the reception of
3007 * each valid DATA chunk.
3009 * The guidelines on delayed acknowledgement algorithm
3010 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
3011 * Specifically, an acknowledgement SHOULD be generated for at
3012 * least every second packet (not every second DATA chunk)
3013 * received, and SHOULD be generated within 200 ms of the
3014 * arrival of any unacknowledged DATA chunk. In some
3015 * situations it may be beneficial for an SCTP transmitter to
3016 * be more conservative than the algorithms detailed in this
3017 * document allow. However, an SCTP transmitter MUST NOT be
3018 * more aggressive than the following algorithms allow.
3020 if (chunk->end_of_packet)
3021 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3023 return SCTP_DISPOSITION_CONSUME;
3026 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3028 * When a packet arrives with duplicate DATA chunk(s) and with
3029 * no new DATA chunk(s), the endpoint MUST immediately send a
3030 * SACK with no delay. If a packet arrives with duplicate
3031 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3032 * MAY immediately send a SACK. Normally receipt of duplicate
3033 * DATA chunks will occur when the original SACK chunk was lost
3034 * and the peer's RTO has expired. The duplicate TSN number(s)
3035 * SHOULD be reported in the SACK as duplicate.
3037 /* In our case, we split the MAY SACK advice up whether or not
3038 * the last chunk is a duplicate.'
3040 if (chunk->end_of_packet)
3041 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3042 return SCTP_DISPOSITION_DISCARD;
3045 if (chunk->end_of_packet)
3046 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3048 return SCTP_DISPOSITION_DISCARD;
3050 return SCTP_DISPOSITION_CONSUME;
3055 * sctp_sf_eat_data_fast_4_4
3058 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3059 * DATA chunks without delay.
3061 * Verification Tag: 8.5 Verification Tag [Normal verification]
3063 * (endpoint, asoc, chunk)
3066 * (asoc, reply_msg, msg_up, timers, counters)
3068 * The return value is the disposition of the chunk.
3070 sctp_disposition_t sctp_sf_eat_data_fast_4_4(struct net *net,
3071 const struct sctp_endpoint *ep,
3072 const struct sctp_association *asoc,
3073 const sctp_subtype_t type,
3075 sctp_cmd_seq_t *commands)
3077 struct sctp_chunk *chunk = arg;
3080 if (!sctp_vtag_verify(chunk, asoc)) {
3081 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3083 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3086 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
3087 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3090 error = sctp_eat_data(asoc, chunk, commands );
3092 case SCTP_IERROR_NO_ERROR:
3093 case SCTP_IERROR_HIGH_TSN:
3094 case SCTP_IERROR_DUP_TSN:
3095 case SCTP_IERROR_IGNORE_TSN:
3096 case SCTP_IERROR_BAD_STREAM:
3098 case SCTP_IERROR_NO_DATA:
3100 case SCTP_IERROR_PROTO_VIOLATION:
3101 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3102 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
3107 /* Go a head and force a SACK, since we are shutting down. */
3109 /* Implementor's Guide.
3111 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3112 * respond to each received packet containing one or more DATA chunk(s)
3113 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3115 if (chunk->end_of_packet) {
3116 /* We must delay the chunk creation since the cumulative
3117 * TSN has not been updated yet.
3119 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3120 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3121 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3122 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3126 return SCTP_DISPOSITION_CONSUME;
3130 * Section: 6.2 Processing a Received SACK
3131 * D) Any time a SACK arrives, the endpoint performs the following:
3133 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3134 * then drop the SACK. Since Cumulative TSN Ack is monotonically
3135 * increasing, a SACK whose Cumulative TSN Ack is less than the
3136 * Cumulative TSN Ack Point indicates an out-of-order SACK.
3138 * ii) Set rwnd equal to the newly received a_rwnd minus the number
3139 * of bytes still outstanding after processing the Cumulative TSN Ack
3140 * and the Gap Ack Blocks.
3142 * iii) If the SACK is missing a TSN that was previously
3143 * acknowledged via a Gap Ack Block (e.g., the data receiver
3144 * reneged on the data), then mark the corresponding DATA chunk
3145 * as available for retransmit: Mark it as missing for fast
3146 * retransmit as described in Section 7.2.4 and if no retransmit
3147 * timer is running for the destination address to which the DATA
3148 * chunk was originally transmitted, then T3-rtx is started for
3149 * that destination address.
3151 * Verification Tag: 8.5 Verification Tag [Normal verification]
3154 * (endpoint, asoc, chunk)
3157 * (asoc, reply_msg, msg_up, timers, counters)
3159 * The return value is the disposition of the chunk.
3161 sctp_disposition_t sctp_sf_eat_sack_6_2(struct net *net,
3162 const struct sctp_endpoint *ep,
3163 const struct sctp_association *asoc,
3164 const sctp_subtype_t type,
3166 sctp_cmd_seq_t *commands)
3168 struct sctp_chunk *chunk = arg;
3169 sctp_sackhdr_t *sackh;
3172 if (!sctp_vtag_verify(chunk, asoc))
3173 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3175 /* Make sure that the SACK chunk has a valid length. */
3176 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
3177 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3180 /* Pull the SACK chunk from the data buffer */
3181 sackh = sctp_sm_pull_sack(chunk);
3182 /* Was this a bogus SACK? */
3184 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3185 chunk->subh.sack_hdr = sackh;
3186 ctsn = ntohl(sackh->cum_tsn_ack);
3188 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3189 * Ack Point, then drop the SACK. Since Cumulative TSN
3190 * Ack is monotonically increasing, a SACK whose
3191 * Cumulative TSN Ack is less than the Cumulative TSN Ack
3192 * Point indicates an out-of-order SACK.
3194 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3195 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
3196 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
3197 return SCTP_DISPOSITION_DISCARD;
3200 /* If Cumulative TSN Ack beyond the max tsn currently
3201 * send, terminating the association and respond to the
3202 * sender with an ABORT.
3204 if (!TSN_lt(ctsn, asoc->next_tsn))
3205 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3207 /* Return this SACK for further processing. */
3208 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3210 /* Note: We do the rest of the work on the PROCESS_SACK
3213 return SCTP_DISPOSITION_CONSUME;
3217 * Generate an ABORT in response to a packet.
3219 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3221 * 8) The receiver should respond to the sender of the OOTB packet with
3222 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3223 * MUST fill in the Verification Tag field of the outbound packet
3224 * with the value found in the Verification Tag field of the OOTB
3225 * packet and set the T-bit in the Chunk Flags to indicate that the
3226 * Verification Tag is reflected. After sending this ABORT, the
3227 * receiver of the OOTB packet shall discard the OOTB packet and take
3228 * no further action.
3232 * The return value is the disposition of the chunk.
3234 static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
3235 const struct sctp_endpoint *ep,
3236 const struct sctp_association *asoc,
3237 const sctp_subtype_t type,
3239 sctp_cmd_seq_t *commands)
3241 struct sctp_packet *packet = NULL;
3242 struct sctp_chunk *chunk = arg;
3243 struct sctp_chunk *abort;
3245 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3248 /* Make an ABORT. The T bit will be set if the asoc
3251 abort = sctp_make_abort(asoc, chunk, 0);
3253 sctp_ootb_pkt_free(packet);
3254 return SCTP_DISPOSITION_NOMEM;
3257 /* Reflect vtag if T-Bit is set */
3258 if (sctp_test_T_bit(abort))
3259 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3261 /* Set the skb to the belonging sock for accounting. */
3262 abort->skb->sk = ep->base.sk;
3264 sctp_packet_append_chunk(packet, abort);
3266 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3267 SCTP_PACKET(packet));
3269 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3271 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3272 return SCTP_DISPOSITION_CONSUME;
3275 return SCTP_DISPOSITION_NOMEM;
3279 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3280 * event as ULP notification for each cause included in the chunk.
3282 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3284 * The return value is the disposition of the chunk.
3286 sctp_disposition_t sctp_sf_operr_notify(struct net *net,
3287 const struct sctp_endpoint *ep,
3288 const struct sctp_association *asoc,
3289 const sctp_subtype_t type,
3291 sctp_cmd_seq_t *commands)
3293 struct sctp_chunk *chunk = arg;
3296 if (!sctp_vtag_verify(chunk, asoc))
3297 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3299 /* Make sure that the ERROR chunk has a valid length. */
3300 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3301 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3303 sctp_walk_errors(err, chunk->chunk_hdr);
3304 if ((void *)err != (void *)chunk->chunk_end)
3305 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3306 (void *)err, commands);
3308 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3311 return SCTP_DISPOSITION_CONSUME;
3315 * Process an inbound SHUTDOWN ACK.
3318 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3319 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3320 * peer, and remove all record of the association.
3322 * The return value is the disposition.
3324 sctp_disposition_t sctp_sf_do_9_2_final(struct net *net,
3325 const struct sctp_endpoint *ep,
3326 const struct sctp_association *asoc,
3327 const sctp_subtype_t type,
3329 sctp_cmd_seq_t *commands)
3331 struct sctp_chunk *chunk = arg;
3332 struct sctp_chunk *reply;
3333 struct sctp_ulpevent *ev;
3335 if (!sctp_vtag_verify(chunk, asoc))
3336 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3338 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3339 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3340 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3342 /* 10.2 H) SHUTDOWN COMPLETE notification
3344 * When SCTP completes the shutdown procedures (section 9.2) this
3345 * notification is passed to the upper layer.
3347 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3348 0, 0, 0, NULL, GFP_ATOMIC);
3352 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3353 reply = sctp_make_shutdown_complete(asoc, chunk);
3357 /* Do all the commands now (after allocation), so that we
3358 * have consistent state if memory allocation failes
3360 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3362 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3363 * stop the T2-shutdown timer,
3365 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3366 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3368 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3369 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3371 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3372 SCTP_STATE(SCTP_STATE_CLOSED));
3373 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3374 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3375 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3377 /* ...and remove all record of the association. */
3378 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3379 return SCTP_DISPOSITION_DELETE_TCB;
3382 sctp_ulpevent_free(ev);
3384 return SCTP_DISPOSITION_NOMEM;
3388 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3390 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3391 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3392 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3393 * packet must fill in the Verification Tag field of the outbound
3394 * packet with the Verification Tag received in the SHUTDOWN ACK and
3395 * set the T-bit in the Chunk Flags to indicate that the Verification
3398 * 8) The receiver should respond to the sender of the OOTB packet with
3399 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3400 * MUST fill in the Verification Tag field of the outbound packet
3401 * with the value found in the Verification Tag field of the OOTB
3402 * packet and set the T-bit in the Chunk Flags to indicate that the
3403 * Verification Tag is reflected. After sending this ABORT, the
3404 * receiver of the OOTB packet shall discard the OOTB packet and take
3405 * no further action.
3407 sctp_disposition_t sctp_sf_ootb(struct net *net,
3408 const struct sctp_endpoint *ep,
3409 const struct sctp_association *asoc,
3410 const sctp_subtype_t type,
3412 sctp_cmd_seq_t *commands)
3414 struct sctp_chunk *chunk = arg;
3415 struct sk_buff *skb = chunk->skb;
3416 sctp_chunkhdr_t *ch;
3419 int ootb_shut_ack = 0;
3420 int ootb_cookie_ack = 0;
3422 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3424 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3426 /* Report violation if the chunk is less then minimal */
3427 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3428 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3431 /* Now that we know we at least have a chunk header,
3432 * do things that are type appropriate.
3434 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3437 /* RFC 2960, Section 3.3.7
3438 * Moreover, under any circumstances, an endpoint that
3439 * receives an ABORT MUST NOT respond to that ABORT by
3440 * sending an ABORT of its own.
3442 if (SCTP_CID_ABORT == ch->type)
3443 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3445 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3446 * or a COOKIE ACK the SCTP Packet should be silently
3450 if (SCTP_CID_COOKIE_ACK == ch->type)
3451 ootb_cookie_ack = 1;
3453 if (SCTP_CID_ERROR == ch->type) {
3454 sctp_walk_errors(err, ch) {
3455 if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3456 ootb_cookie_ack = 1;
3462 /* Report violation if chunk len overflows */
3463 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3464 if (ch_end > skb_tail_pointer(skb))
3465 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3468 ch = (sctp_chunkhdr_t *) ch_end;
3469 } while (ch_end < skb_tail_pointer(skb));
3472 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3473 else if (ootb_cookie_ack)
3474 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3476 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3480 * Handle an "Out of the blue" SHUTDOWN ACK.
3482 * Section: 8.4 5, sctpimpguide 2.41.
3484 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3485 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3486 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3487 * packet must fill in the Verification Tag field of the outbound
3488 * packet with the Verification Tag received in the SHUTDOWN ACK and
3489 * set the T-bit in the Chunk Flags to indicate that the Verification
3493 * (endpoint, asoc, type, arg, commands)
3496 * (sctp_disposition_t)
3498 * The return value is the disposition of the chunk.
3500 static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
3501 const struct sctp_endpoint *ep,
3502 const struct sctp_association *asoc,
3503 const sctp_subtype_t type,
3505 sctp_cmd_seq_t *commands)
3507 struct sctp_packet *packet = NULL;
3508 struct sctp_chunk *chunk = arg;
3509 struct sctp_chunk *shut;
3511 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3514 /* Make an SHUTDOWN_COMPLETE.
3515 * The T bit will be set if the asoc is NULL.
3517 shut = sctp_make_shutdown_complete(asoc, chunk);
3519 sctp_ootb_pkt_free(packet);
3520 return SCTP_DISPOSITION_NOMEM;
3523 /* Reflect vtag if T-Bit is set */
3524 if (sctp_test_T_bit(shut))
3525 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3527 /* Set the skb to the belonging sock for accounting. */
3528 shut->skb->sk = ep->base.sk;
3530 sctp_packet_append_chunk(packet, shut);
3532 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3533 SCTP_PACKET(packet));
3535 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3537 /* If the chunk length is invalid, we don't want to process
3538 * the reset of the packet.
3540 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3541 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3543 /* We need to discard the rest of the packet to prevent
3544 * potential bomming attacks from additional bundled chunks.
3545 * This is documented in SCTP Threats ID.
3547 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3550 return SCTP_DISPOSITION_NOMEM;
3554 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3556 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3557 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3558 * procedures in section 8.4 SHOULD be followed, in other words it
3559 * should be treated as an Out Of The Blue packet.
3560 * [This means that we do NOT check the Verification Tag on these
3564 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(struct net *net,
3565 const struct sctp_endpoint *ep,
3566 const struct sctp_association *asoc,
3567 const sctp_subtype_t type,
3569 sctp_cmd_seq_t *commands)
3571 struct sctp_chunk *chunk = arg;
3573 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3574 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3575 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3578 /* Although we do have an association in this case, it corresponds
3579 * to a restarted association. So the packet is treated as an OOTB
3580 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3581 * called with a NULL association.
3583 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3585 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3588 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
3589 sctp_disposition_t sctp_sf_do_asconf(struct net *net,
3590 const struct sctp_endpoint *ep,
3591 const struct sctp_association *asoc,
3592 const sctp_subtype_t type, void *arg,
3593 sctp_cmd_seq_t *commands)
3595 struct sctp_chunk *chunk = arg;
3596 struct sctp_chunk *asconf_ack = NULL;
3597 struct sctp_paramhdr *err_param = NULL;
3598 sctp_addiphdr_t *hdr;
3601 if (!sctp_vtag_verify(chunk, asoc)) {
3602 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3604 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3607 /* ADD-IP: Section 4.1.1
3608 * This chunk MUST be sent in an authenticated way by using
3609 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3610 * is received unauthenticated it MUST be silently discarded as
3611 * described in [I-D.ietf-tsvwg-sctp-auth].
3613 if (!net->sctp.addip_noauth && !chunk->auth)
3614 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
3616 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3617 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3618 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3621 hdr = (sctp_addiphdr_t *)chunk->skb->data;
3622 serial = ntohl(hdr->serial);
3624 /* Verify the ASCONF chunk before processing it. */
3625 if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3626 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3627 (void *)err_param, commands);
3629 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3630 * the endpoint stored in a new association variable
3631 * 'Peer-Serial-Number'.
3633 if (serial == asoc->peer.addip_serial + 1) {
3634 /* If this is the first instance of ASCONF in the packet,
3635 * we can clean our old ASCONF-ACKs.
3637 if (!chunk->has_asconf)
3638 sctp_assoc_clean_asconf_ack_cache(asoc);
3640 /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3641 * expected, process the ASCONF as described below and after
3642 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3643 * the response packet and cache a copy of it (in the event it
3644 * later needs to be retransmitted).
3646 * Essentially, do V1-V5.
3648 asconf_ack = sctp_process_asconf((struct sctp_association *)
3651 return SCTP_DISPOSITION_NOMEM;
3652 } else if (serial < asoc->peer.addip_serial + 1) {
3654 * If the value found in the Sequence Number is less than the
3655 * ('Peer- Sequence-Number' + 1), simply skip to the next
3656 * ASCONF, and include in the outbound response packet
3657 * any previously cached ASCONF-ACK response that was
3658 * sent and saved that matches the Sequence Number of the
3659 * ASCONF. Note: It is possible that no cached ASCONF-ACK
3660 * Chunk exists. This will occur when an older ASCONF
3661 * arrives out of order. In such a case, the receiver
3662 * should skip the ASCONF Chunk and not include ASCONF-ACK
3663 * Chunk for that chunk.
3665 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3667 return SCTP_DISPOSITION_DISCARD;
3669 /* Reset the transport so that we select the correct one
3670 * this time around. This is to make sure that we don't
3671 * accidentally use a stale transport that's been removed.
3673 asconf_ack->transport = NULL;
3675 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3676 * it must be either a stale packet or from an attacker.
3678 return SCTP_DISPOSITION_DISCARD;
3681 /* ADDIP 5.2 E6) The destination address of the SCTP packet
3682 * containing the ASCONF-ACK Chunks MUST be the source address of
3683 * the SCTP packet that held the ASCONF Chunks.
3685 * To do this properly, we'll set the destination address of the chunk
3686 * and at the transmit time, will try look up the transport to use.
3687 * Since ASCONFs may be bundled, the correct transport may not be
3688 * created until we process the entire packet, thus this workaround.
3690 asconf_ack->dest = chunk->source;
3691 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3692 if (asoc->new_transport) {
3693 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport,
3695 ((struct sctp_association *)asoc)->new_transport = NULL;
3698 return SCTP_DISPOSITION_CONSUME;
3702 * ADDIP Section 4.3 General rules for address manipulation
3703 * When building TLV parameters for the ASCONF Chunk that will add or
3704 * delete IP addresses the D0 to D13 rules should be applied:
3706 sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
3707 const struct sctp_endpoint *ep,
3708 const struct sctp_association *asoc,
3709 const sctp_subtype_t type, void *arg,
3710 sctp_cmd_seq_t *commands)
3712 struct sctp_chunk *asconf_ack = arg;
3713 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3714 struct sctp_chunk *abort;
3715 struct sctp_paramhdr *err_param = NULL;
3716 sctp_addiphdr_t *addip_hdr;
3717 __u32 sent_serial, rcvd_serial;
3719 if (!sctp_vtag_verify(asconf_ack, asoc)) {
3720 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3722 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3725 /* ADD-IP, Section 4.1.2:
3726 * This chunk MUST be sent in an authenticated way by using
3727 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3728 * is received unauthenticated it MUST be silently discarded as
3729 * described in [I-D.ietf-tsvwg-sctp-auth].
3731 if (!net->sctp.addip_noauth && !asconf_ack->auth)
3732 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
3734 /* Make sure that the ADDIP chunk has a valid length. */
3735 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3736 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3739 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3740 rcvd_serial = ntohl(addip_hdr->serial);
3742 /* Verify the ASCONF-ACK chunk before processing it. */
3743 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
3744 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3745 (void *)err_param, commands);
3748 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3749 sent_serial = ntohl(addip_hdr->serial);
3751 sent_serial = asoc->addip_serial - 1;
3754 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3755 * equal to the next serial number to be used but no ASCONF chunk is
3756 * outstanding the endpoint MUST ABORT the association. Note that a
3757 * sequence number is greater than if it is no more than 2^^31-1
3758 * larger than the current sequence number (using serial arithmetic).
3760 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3761 !(asoc->addip_last_asconf)) {
3762 abort = sctp_make_abort(asoc, asconf_ack,
3763 sizeof(sctp_errhdr_t));
3765 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3766 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3769 /* We are going to ABORT, so we might as well stop
3770 * processing the rest of the chunks in the packet.
3772 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3773 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3774 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3775 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3776 SCTP_ERROR(ECONNABORTED));
3777 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3778 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3779 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3780 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3781 return SCTP_DISPOSITION_ABORT;
3784 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3785 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3786 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3788 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3790 /* Successfully processed ASCONF_ACK. We can
3791 * release the next asconf if we have one.
3793 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
3795 return SCTP_DISPOSITION_CONSUME;
3798 abort = sctp_make_abort(asoc, asconf_ack,
3799 sizeof(sctp_errhdr_t));
3801 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3802 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3805 /* We are going to ABORT, so we might as well stop
3806 * processing the rest of the chunks in the packet.
3808 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3809 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3810 SCTP_ERROR(ECONNABORTED));
3811 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3812 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3813 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3814 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3815 return SCTP_DISPOSITION_ABORT;
3818 return SCTP_DISPOSITION_DISCARD;
3822 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3824 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3825 * its cumulative TSN point to the value carried in the FORWARD TSN
3826 * chunk, and then MUST further advance its cumulative TSN point locally
3828 * After the above processing, the data receiver MUST stop reporting any
3829 * missing TSNs earlier than or equal to the new cumulative TSN point.
3831 * Verification Tag: 8.5 Verification Tag [Normal verification]
3833 * The return value is the disposition of the chunk.
3835 sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net,
3836 const struct sctp_endpoint *ep,
3837 const struct sctp_association *asoc,
3838 const sctp_subtype_t type,
3840 sctp_cmd_seq_t *commands)
3842 struct sctp_chunk *chunk = arg;
3843 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3844 struct sctp_fwdtsn_skip *skip;
3848 if (!sctp_vtag_verify(chunk, asoc)) {
3849 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3851 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3854 /* Make sure that the FORWARD_TSN chunk has valid length. */
3855 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3856 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3859 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3860 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3861 len = ntohs(chunk->chunk_hdr->length);
3862 len -= sizeof(struct sctp_chunkhdr);
3863 skb_pull(chunk->skb, len);
3865 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3866 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3868 /* The TSN is too high--silently discard the chunk and count on it
3869 * getting retransmitted later.
3871 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3872 goto discard_noforce;
3874 /* Silently discard the chunk if stream-id is not valid */
3875 sctp_walk_fwdtsn(skip, chunk) {
3876 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3877 goto discard_noforce;
3880 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3881 if (len > sizeof(struct sctp_fwdtsn_hdr))
3882 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3885 /* Count this as receiving DATA. */
3886 if (asoc->autoclose) {
3887 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3888 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3891 /* FIXME: For now send a SACK, but DATA processing may
3894 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3896 return SCTP_DISPOSITION_CONSUME;
3899 return SCTP_DISPOSITION_DISCARD;
3902 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3904 const struct sctp_endpoint *ep,
3905 const struct sctp_association *asoc,
3906 const sctp_subtype_t type,
3908 sctp_cmd_seq_t *commands)
3910 struct sctp_chunk *chunk = arg;
3911 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3912 struct sctp_fwdtsn_skip *skip;
3916 if (!sctp_vtag_verify(chunk, asoc)) {
3917 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3919 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3922 /* Make sure that the FORWARD_TSN chunk has a valid length. */
3923 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3924 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3927 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3928 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3929 len = ntohs(chunk->chunk_hdr->length);
3930 len -= sizeof(struct sctp_chunkhdr);
3931 skb_pull(chunk->skb, len);
3933 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3934 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3936 /* The TSN is too high--silently discard the chunk and count on it
3937 * getting retransmitted later.
3939 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3942 /* Silently discard the chunk if stream-id is not valid */
3943 sctp_walk_fwdtsn(skip, chunk) {
3944 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3948 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3949 if (len > sizeof(struct sctp_fwdtsn_hdr))
3950 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3953 /* Go a head and force a SACK, since we are shutting down. */
3955 /* Implementor's Guide.
3957 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3958 * respond to each received packet containing one or more DATA chunk(s)
3959 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3961 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3962 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3963 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3964 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3966 return SCTP_DISPOSITION_CONSUME;
3970 * SCTP-AUTH Section 6.3 Receiving authenticated chukns
3972 * The receiver MUST use the HMAC algorithm indicated in the HMAC
3973 * Identifier field. If this algorithm was not specified by the
3974 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
3975 * during association setup, the AUTH chunk and all chunks after it MUST
3976 * be discarded and an ERROR chunk SHOULD be sent with the error cause
3977 * defined in Section 4.1.
3979 * If an endpoint with no shared key receives a Shared Key Identifier
3980 * other than 0, it MUST silently discard all authenticated chunks. If
3981 * the endpoint has at least one endpoint pair shared key for the peer,
3982 * it MUST use the key specified by the Shared Key Identifier if a
3983 * key has been configured for that Shared Key Identifier. If no
3984 * endpoint pair shared key has been configured for that Shared Key
3985 * Identifier, all authenticated chunks MUST be silently discarded.
3987 * Verification Tag: 8.5 Verification Tag [Normal verification]
3989 * The return value is the disposition of the chunk.
3991 static sctp_ierror_t sctp_sf_authenticate(struct net *net,
3992 const struct sctp_endpoint *ep,
3993 const struct sctp_association *asoc,
3994 const sctp_subtype_t type,
3995 struct sctp_chunk *chunk)
3997 struct sctp_authhdr *auth_hdr;
3998 struct sctp_hmac *hmac;
3999 unsigned int sig_len;
4004 /* Pull in the auth header, so we can do some more verification */
4005 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4006 chunk->subh.auth_hdr = auth_hdr;
4007 skb_pull(chunk->skb, sizeof(struct sctp_authhdr));
4009 /* Make sure that we support the HMAC algorithm from the auth
4012 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4013 return SCTP_IERROR_AUTH_BAD_HMAC;
4015 /* Make sure that the provided shared key identifier has been
4018 key_id = ntohs(auth_hdr->shkey_id);
4019 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
4020 return SCTP_IERROR_AUTH_BAD_KEYID;
4023 /* Make sure that the length of the signature matches what
4026 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);
4027 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4028 if (sig_len != hmac->hmac_len)
4029 return SCTP_IERROR_PROTO_VIOLATION;
4031 /* Now that we've done validation checks, we can compute and
4032 * verify the hmac. The steps involved are:
4033 * 1. Save the digest from the chunk.
4034 * 2. Zero out the digest in the chunk.
4035 * 3. Compute the new digest
4036 * 4. Compare saved and new digests.
4038 digest = auth_hdr->hmac;
4039 skb_pull(chunk->skb, sig_len);
4041 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4045 memset(digest, 0, sig_len);
4047 sctp_auth_calculate_hmac(asoc, chunk->skb,
4048 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4051 /* Discard the packet if the digests do not match */
4052 if (memcmp(save_digest, digest, sig_len)) {
4054 return SCTP_IERROR_BAD_SIG;
4060 return SCTP_IERROR_NO_ERROR;
4062 return SCTP_IERROR_NOMEM;
4065 sctp_disposition_t sctp_sf_eat_auth(struct net *net,
4066 const struct sctp_endpoint *ep,
4067 const struct sctp_association *asoc,
4068 const sctp_subtype_t type,
4070 sctp_cmd_seq_t *commands)
4072 struct sctp_authhdr *auth_hdr;
4073 struct sctp_chunk *chunk = arg;
4074 struct sctp_chunk *err_chunk;
4075 sctp_ierror_t error;
4077 /* Make sure that the peer has AUTH capable */
4078 if (!asoc->peer.auth_capable)
4079 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4081 if (!sctp_vtag_verify(chunk, asoc)) {
4082 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4084 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4087 /* Make sure that the AUTH chunk has valid length. */
4088 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4089 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4092 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4093 error = sctp_sf_authenticate(net, ep, asoc, type, chunk);
4095 case SCTP_IERROR_AUTH_BAD_HMAC:
4096 /* Generate the ERROR chunk and discard the rest
4099 err_chunk = sctp_make_op_error(asoc, chunk,
4100 SCTP_ERROR_UNSUP_HMAC,
4104 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4105 SCTP_CHUNK(err_chunk));
4108 case SCTP_IERROR_AUTH_BAD_KEYID:
4109 case SCTP_IERROR_BAD_SIG:
4110 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4112 case SCTP_IERROR_PROTO_VIOLATION:
4113 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4116 case SCTP_IERROR_NOMEM:
4117 return SCTP_DISPOSITION_NOMEM;
4119 default: /* Prevent gcc warnings */
4123 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4124 struct sctp_ulpevent *ev;
4126 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4127 SCTP_AUTH_NEWKEY, GFP_ATOMIC);
4132 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4136 return SCTP_DISPOSITION_CONSUME;
4140 * Process an unknown chunk.
4142 * Section: 3.2. Also, 2.1 in the implementor's guide.
4144 * Chunk Types are encoded such that the highest-order two bits specify
4145 * the action that must be taken if the processing endpoint does not
4146 * recognize the Chunk Type.
4148 * 00 - Stop processing this SCTP packet and discard it, do not process
4149 * any further chunks within it.
4151 * 01 - Stop processing this SCTP packet and discard it, do not process
4152 * any further chunks within it, and report the unrecognized
4153 * chunk in an 'Unrecognized Chunk Type'.
4155 * 10 - Skip this chunk and continue processing.
4157 * 11 - Skip this chunk and continue processing, but report in an ERROR
4158 * Chunk using the 'Unrecognized Chunk Type' cause of error.
4160 * The return value is the disposition of the chunk.
4162 sctp_disposition_t sctp_sf_unk_chunk(struct net *net,
4163 const struct sctp_endpoint *ep,
4164 const struct sctp_association *asoc,
4165 const sctp_subtype_t type,
4167 sctp_cmd_seq_t *commands)
4169 struct sctp_chunk *unk_chunk = arg;
4170 struct sctp_chunk *err_chunk;
4171 sctp_chunkhdr_t *hdr;
4173 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);
4175 if (!sctp_vtag_verify(unk_chunk, asoc))
4176 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4178 /* Make sure that the chunk has a valid length.
4179 * Since we don't know the chunk type, we use a general
4180 * chunkhdr structure to make a comparison.
4182 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
4183 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4186 switch (type.chunk & SCTP_CID_ACTION_MASK) {
4187 case SCTP_CID_ACTION_DISCARD:
4188 /* Discard the packet. */
4189 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4191 case SCTP_CID_ACTION_DISCARD_ERR:
4192 /* Generate an ERROR chunk as response. */
4193 hdr = unk_chunk->chunk_hdr;
4194 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4195 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4196 WORD_ROUND(ntohs(hdr->length)),
4199 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4200 SCTP_CHUNK(err_chunk));
4203 /* Discard the packet. */
4204 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4205 return SCTP_DISPOSITION_CONSUME;
4207 case SCTP_CID_ACTION_SKIP:
4208 /* Skip the chunk. */
4209 return SCTP_DISPOSITION_DISCARD;
4211 case SCTP_CID_ACTION_SKIP_ERR:
4212 /* Generate an ERROR chunk as response. */
4213 hdr = unk_chunk->chunk_hdr;
4214 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4215 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4216 WORD_ROUND(ntohs(hdr->length)),
4219 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4220 SCTP_CHUNK(err_chunk));
4222 /* Skip the chunk. */
4223 return SCTP_DISPOSITION_CONSUME;
4229 return SCTP_DISPOSITION_DISCARD;
4233 * Discard the chunk.
4235 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4236 * [Too numerous to mention...]
4237 * Verification Tag: No verification needed.
4239 * (endpoint, asoc, chunk)
4242 * (asoc, reply_msg, msg_up, timers, counters)
4244 * The return value is the disposition of the chunk.
4246 sctp_disposition_t sctp_sf_discard_chunk(struct net *net,
4247 const struct sctp_endpoint *ep,
4248 const struct sctp_association *asoc,
4249 const sctp_subtype_t type,
4251 sctp_cmd_seq_t *commands)
4253 struct sctp_chunk *chunk = arg;
4255 /* Make sure that the chunk has a valid length.
4256 * Since we don't know the chunk type, we use a general
4257 * chunkhdr structure to make a comparison.
4259 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4260 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4263 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);
4264 return SCTP_DISPOSITION_DISCARD;
4268 * Discard the whole packet.
4272 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4273 * silently discard the OOTB packet and take no further action.
4275 * Verification Tag: No verification necessary
4278 * (endpoint, asoc, chunk)
4281 * (asoc, reply_msg, msg_up, timers, counters)
4283 * The return value is the disposition of the chunk.
4285 sctp_disposition_t sctp_sf_pdiscard(struct net *net,
4286 const struct sctp_endpoint *ep,
4287 const struct sctp_association *asoc,
4288 const sctp_subtype_t type,
4290 sctp_cmd_seq_t *commands)
4292 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4293 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4295 return SCTP_DISPOSITION_CONSUME;
4300 * The other end is violating protocol.
4302 * Section: Not specified
4303 * Verification Tag: Not specified
4305 * (endpoint, asoc, chunk)
4308 * (asoc, reply_msg, msg_up, timers, counters)
4310 * We simply tag the chunk as a violation. The state machine will log
4311 * the violation and continue.
4313 sctp_disposition_t sctp_sf_violation(struct net *net,
4314 const struct sctp_endpoint *ep,
4315 const struct sctp_association *asoc,
4316 const sctp_subtype_t type,
4318 sctp_cmd_seq_t *commands)
4320 struct sctp_chunk *chunk = arg;
4322 /* Make sure that the chunk has a valid length. */
4323 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4324 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4327 return SCTP_DISPOSITION_VIOLATION;
4331 * Common function to handle a protocol violation.
4333 static sctp_disposition_t sctp_sf_abort_violation(
4335 const struct sctp_endpoint *ep,
4336 const struct sctp_association *asoc,
4338 sctp_cmd_seq_t *commands,
4339 const __u8 *payload,
4340 const size_t paylen)
4342 struct sctp_packet *packet = NULL;
4343 struct sctp_chunk *chunk = arg;
4344 struct sctp_chunk *abort = NULL;
4346 /* SCTP-AUTH, Section 6.3:
4347 * It should be noted that if the receiver wants to tear
4348 * down an association in an authenticated way only, the
4349 * handling of malformed packets should not result in
4350 * tearing down the association.
4352 * This means that if we only want to abort associations
4353 * in an authenticated way (i.e AUTH+ABORT), then we
4354 * can't destroy this association just because the packet
4357 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4360 /* Make the abort chunk. */
4361 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4366 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4367 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4368 !asoc->peer.i.init_tag) {
4369 sctp_initack_chunk_t *initack;
4371 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
4372 if (!sctp_chunk_length_valid(chunk,
4373 sizeof(sctp_initack_chunk_t)))
4374 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4376 unsigned int inittag;
4378 inittag = ntohl(initack->init_hdr.init_tag);
4379 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4384 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4385 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4387 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4388 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4389 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4390 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4391 SCTP_ERROR(ECONNREFUSED));
4392 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4393 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4395 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4396 SCTP_ERROR(ECONNABORTED));
4397 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4398 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4399 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4402 packet = sctp_ootb_pkt_new(net, asoc, chunk);
4407 if (sctp_test_T_bit(abort))
4408 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4410 abort->skb->sk = ep->base.sk;
4412 sctp_packet_append_chunk(packet, abort);
4414 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4415 SCTP_PACKET(packet));
4417 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4420 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4423 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4424 return SCTP_DISPOSITION_ABORT;
4427 sctp_chunk_free(abort);
4429 return SCTP_DISPOSITION_NOMEM;
4433 * Handle a protocol violation when the chunk length is invalid.
4434 * "Invalid" length is identified as smaller than the minimal length a
4435 * given chunk can be. For example, a SACK chunk has invalid length
4436 * if its length is set to be smaller than the size of sctp_sack_chunk_t.
4438 * We inform the other end by sending an ABORT with a Protocol Violation
4441 * Section: Not specified
4442 * Verification Tag: Nothing to do
4444 * (endpoint, asoc, chunk)
4447 * (reply_msg, msg_up, counters)
4449 * Generate an ABORT chunk and terminate the association.
4451 static sctp_disposition_t sctp_sf_violation_chunklen(
4453 const struct sctp_endpoint *ep,
4454 const struct sctp_association *asoc,
4455 const sctp_subtype_t type,
4457 sctp_cmd_seq_t *commands)
4459 static const char err_str[]="The following chunk had invalid length:";
4461 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4466 * Handle a protocol violation when the parameter length is invalid.
4467 * If the length is smaller than the minimum length of a given parameter,
4468 * or accumulated length in multi parameters exceeds the end of the chunk,
4469 * the length is considered as invalid.
4471 static sctp_disposition_t sctp_sf_violation_paramlen(
4473 const struct sctp_endpoint *ep,
4474 const struct sctp_association *asoc,
4475 const sctp_subtype_t type,
4476 void *arg, void *ext,
4477 sctp_cmd_seq_t *commands)
4479 struct sctp_chunk *chunk = arg;
4480 struct sctp_paramhdr *param = ext;
4481 struct sctp_chunk *abort = NULL;
4483 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4486 /* Make the abort chunk. */
4487 abort = sctp_make_violation_paramlen(asoc, chunk, param);
4491 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4492 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4494 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4495 SCTP_ERROR(ECONNABORTED));
4496 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4497 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4498 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4499 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4502 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4503 return SCTP_DISPOSITION_ABORT;
4505 return SCTP_DISPOSITION_NOMEM;
4508 /* Handle a protocol violation when the peer trying to advance the
4509 * cumulative tsn ack to a point beyond the max tsn currently sent.
4511 * We inform the other end by sending an ABORT with a Protocol Violation
4514 static sctp_disposition_t sctp_sf_violation_ctsn(
4516 const struct sctp_endpoint *ep,
4517 const struct sctp_association *asoc,
4518 const sctp_subtype_t type,
4520 sctp_cmd_seq_t *commands)
4522 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:";
4524 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4528 /* Handle protocol violation of an invalid chunk bundling. For example,
4529 * when we have an association and we receive bundled INIT-ACK, or
4530 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4531 * statement from the specs. Additionally, there might be an attacker
4532 * on the path and we may not want to continue this communication.
4534 static sctp_disposition_t sctp_sf_violation_chunk(
4536 const struct sctp_endpoint *ep,
4537 const struct sctp_association *asoc,
4538 const sctp_subtype_t type,
4540 sctp_cmd_seq_t *commands)
4542 static const char err_str[]="The following chunk violates protocol:";
4545 return sctp_sf_violation(net, ep, asoc, type, arg, commands);
4547 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4550 /***************************************************************************
4551 * These are the state functions for handling primitive (Section 10) events.
4552 ***************************************************************************/
4554 * sctp_sf_do_prm_asoc
4556 * Section: 10.1 ULP-to-SCTP
4559 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4560 * outbound stream count)
4561 * -> association id [,destination transport addr list] [,outbound stream
4564 * This primitive allows the upper layer to initiate an association to a
4565 * specific peer endpoint.
4567 * The peer endpoint shall be specified by one of the transport addresses
4568 * which defines the endpoint (see Section 1.4). If the local SCTP
4569 * instance has not been initialized, the ASSOCIATE is considered an
4571 * [This is not relevant for the kernel implementation since we do all
4572 * initialization at boot time. It we hadn't initialized we wouldn't
4573 * get anywhere near this code.]
4575 * An association id, which is a local handle to the SCTP association,
4576 * will be returned on successful establishment of the association. If
4577 * SCTP is not able to open an SCTP association with the peer endpoint,
4578 * an error is returned.
4579 * [In the kernel implementation, the struct sctp_association needs to
4580 * be created BEFORE causing this primitive to run.]
4582 * Other association parameters may be returned, including the
4583 * complete destination transport addresses of the peer as well as the
4584 * outbound stream count of the local endpoint. One of the transport
4585 * address from the returned destination addresses will be selected by
4586 * the local endpoint as default primary path for sending SCTP packets
4587 * to this peer. The returned "destination transport addr list" can
4588 * be used by the ULP to change the default primary path or to force
4589 * sending a packet to a specific transport address. [All of this
4590 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
4593 * Mandatory attributes:
4595 * o local SCTP instance name - obtained from the INITIALIZE operation.
4596 * [This is the argument asoc.]
4597 * o destination transport addr - specified as one of the transport
4598 * addresses of the peer endpoint with which the association is to be
4600 * [This is asoc->peer.active_path.]
4601 * o outbound stream count - the number of outbound streams the ULP
4602 * would like to open towards this peer endpoint.
4603 * [BUG: This is not currently implemented.]
4604 * Optional attributes:
4608 * The return value is a disposition.
4610 sctp_disposition_t sctp_sf_do_prm_asoc(struct net *net,
4611 const struct sctp_endpoint *ep,
4612 const struct sctp_association *asoc,
4613 const sctp_subtype_t type,
4615 sctp_cmd_seq_t *commands)
4617 struct sctp_chunk *repl;
4618 struct sctp_association* my_asoc;
4620 /* The comment below says that we enter COOKIE-WAIT AFTER
4621 * sending the INIT, but that doesn't actually work in our
4624 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4625 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4627 /* RFC 2960 5.1 Normal Establishment of an Association
4629 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
4630 * must provide its Verification Tag (Tag_A) in the Initiate
4631 * Tag field. Tag_A SHOULD be a random number in the range of
4632 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4635 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4639 /* Cast away the const modifier, as we want to just
4640 * rerun it through as a sideffect.
4642 my_asoc = (struct sctp_association *)asoc;
4643 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4645 /* Choose transport for INIT. */
4646 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4649 /* After sending the INIT, "A" starts the T1-init timer and
4650 * enters the COOKIE-WAIT state.
4652 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4653 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4654 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4655 return SCTP_DISPOSITION_CONSUME;
4658 return SCTP_DISPOSITION_NOMEM;
4662 * Process the SEND primitive.
4664 * Section: 10.1 ULP-to-SCTP
4667 * Format: SEND(association id, buffer address, byte count [,context]
4668 * [,stream id] [,life time] [,destination transport address]
4669 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4672 * This is the main method to send user data via SCTP.
4674 * Mandatory attributes:
4676 * o association id - local handle to the SCTP association
4678 * o buffer address - the location where the user message to be
4679 * transmitted is stored;
4681 * o byte count - The size of the user data in number of bytes;
4683 * Optional attributes:
4685 * o context - an optional 32 bit integer that will be carried in the
4686 * sending failure notification to the ULP if the transportation of
4687 * this User Message fails.
4689 * o stream id - to indicate which stream to send the data on. If not
4690 * specified, stream 0 will be used.
4692 * o life time - specifies the life time of the user data. The user data
4693 * will not be sent by SCTP after the life time expires. This
4694 * parameter can be used to avoid efforts to transmit stale
4695 * user messages. SCTP notifies the ULP if the data cannot be
4696 * initiated to transport (i.e. sent to the destination via SCTP's
4697 * send primitive) within the life time variable. However, the
4698 * user data will be transmitted if SCTP has attempted to transmit a
4699 * chunk before the life time expired.
4701 * o destination transport address - specified as one of the destination
4702 * transport addresses of the peer endpoint to which this packet
4703 * should be sent. Whenever possible, SCTP should use this destination
4704 * transport address for sending the packets, instead of the current
4707 * o unorder flag - this flag, if present, indicates that the user
4708 * would like the data delivered in an unordered fashion to the peer
4709 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
4712 * o no-bundle flag - instructs SCTP not to bundle this user data with
4713 * other outbound DATA chunks. SCTP MAY still bundle even when
4714 * this flag is present, when faced with network congestion.
4716 * o payload protocol-id - A 32 bit unsigned integer that is to be
4717 * passed to the peer indicating the type of payload protocol data
4718 * being transmitted. This value is passed as opaque data by SCTP.
4720 * The return value is the disposition.
4722 sctp_disposition_t sctp_sf_do_prm_send(struct net *net,
4723 const struct sctp_endpoint *ep,
4724 const struct sctp_association *asoc,
4725 const sctp_subtype_t type,
4727 sctp_cmd_seq_t *commands)
4729 struct sctp_datamsg *msg = arg;
4731 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
4732 return SCTP_DISPOSITION_CONSUME;
4736 * Process the SHUTDOWN primitive.
4741 * Format: SHUTDOWN(association id)
4744 * Gracefully closes an association. Any locally queued user data
4745 * will be delivered to the peer. The association will be terminated only
4746 * after the peer acknowledges all the SCTP packets sent. A success code
4747 * will be returned on successful termination of the association. If
4748 * attempting to terminate the association results in a failure, an error
4749 * code shall be returned.
4751 * Mandatory attributes:
4753 * o association id - local handle to the SCTP association
4755 * Optional attributes:
4759 * The return value is the disposition.
4761 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(
4763 const struct sctp_endpoint *ep,
4764 const struct sctp_association *asoc,
4765 const sctp_subtype_t type,
4767 sctp_cmd_seq_t *commands)
4771 /* From 9.2 Shutdown of an Association
4772 * Upon receipt of the SHUTDOWN primitive from its upper
4773 * layer, the endpoint enters SHUTDOWN-PENDING state and
4774 * remains there until all outstanding data has been
4775 * acknowledged by its peer. The endpoint accepts no new data
4776 * from its upper layer, but retransmits data to the far end
4777 * if necessary to fill gaps.
4779 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4780 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
4782 disposition = SCTP_DISPOSITION_CONSUME;
4783 if (sctp_outq_is_empty(&asoc->outqueue)) {
4784 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
4791 * Process the ABORT primitive.
4796 * Format: Abort(association id [, cause code])
4799 * Ungracefully closes an association. Any locally queued user data
4800 * will be discarded and an ABORT chunk is sent to the peer. A success code
4801 * will be returned on successful abortion of the association. If
4802 * attempting to abort the association results in a failure, an error
4803 * code shall be returned.
4805 * Mandatory attributes:
4807 * o association id - local handle to the SCTP association
4809 * Optional attributes:
4811 * o cause code - reason of the abort to be passed to the peer
4815 * The return value is the disposition.
4817 sctp_disposition_t sctp_sf_do_9_1_prm_abort(
4819 const struct sctp_endpoint *ep,
4820 const struct sctp_association *asoc,
4821 const sctp_subtype_t type,
4823 sctp_cmd_seq_t *commands)
4825 /* From 9.1 Abort of an Association
4826 * Upon receipt of the ABORT primitive from its upper
4827 * layer, the endpoint enters CLOSED state and
4828 * discard all outstanding data has been
4829 * acknowledged by its peer. The endpoint accepts no new data
4830 * from its upper layer, but retransmits data to the far end
4831 * if necessary to fill gaps.
4833 struct sctp_chunk *abort = arg;
4834 sctp_disposition_t retval;
4836 retval = SCTP_DISPOSITION_CONSUME;
4838 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4840 /* Even if we can't send the ABORT due to low memory delete the
4841 * TCB. This is a departure from our typical NOMEM handling.
4844 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4845 SCTP_ERROR(ECONNABORTED));
4846 /* Delete the established association. */
4847 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4848 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4850 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4851 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4856 /* We tried an illegal operation on an association which is closed. */
4857 sctp_disposition_t sctp_sf_error_closed(struct net *net,
4858 const struct sctp_endpoint *ep,
4859 const struct sctp_association *asoc,
4860 const sctp_subtype_t type,
4862 sctp_cmd_seq_t *commands)
4864 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
4865 return SCTP_DISPOSITION_CONSUME;
4868 /* We tried an illegal operation on an association which is shutting
4871 sctp_disposition_t sctp_sf_error_shutdown(struct net *net,
4872 const struct sctp_endpoint *ep,
4873 const struct sctp_association *asoc,
4874 const sctp_subtype_t type,
4876 sctp_cmd_seq_t *commands)
4878 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
4879 SCTP_ERROR(-ESHUTDOWN));
4880 return SCTP_DISPOSITION_CONSUME;
4884 * sctp_cookie_wait_prm_shutdown
4886 * Section: 4 Note: 2
4891 * The RFC does not explicitly address this issue, but is the route through the
4892 * state table when someone issues a shutdown while in COOKIE_WAIT state.
4897 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(
4899 const struct sctp_endpoint *ep,
4900 const struct sctp_association *asoc,
4901 const sctp_subtype_t type,
4903 sctp_cmd_seq_t *commands)
4905 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4906 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4908 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4909 SCTP_STATE(SCTP_STATE_CLOSED));
4911 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
4913 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
4915 return SCTP_DISPOSITION_DELETE_TCB;
4919 * sctp_cookie_echoed_prm_shutdown
4921 * Section: 4 Note: 2
4926 * The RFC does not explcitly address this issue, but is the route through the
4927 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
4932 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(
4934 const struct sctp_endpoint *ep,
4935 const struct sctp_association *asoc,
4936 const sctp_subtype_t type,
4937 void *arg, sctp_cmd_seq_t *commands)
4939 /* There is a single T1 timer, so we should be able to use
4940 * common function with the COOKIE-WAIT state.
4942 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
4946 * sctp_sf_cookie_wait_prm_abort
4948 * Section: 4 Note: 2
4953 * The RFC does not explicitly address this issue, but is the route through the
4954 * state table when someone issues an abort while in COOKIE_WAIT state.
4959 sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
4961 const struct sctp_endpoint *ep,
4962 const struct sctp_association *asoc,
4963 const sctp_subtype_t type,
4965 sctp_cmd_seq_t *commands)
4967 struct sctp_chunk *abort = arg;
4968 sctp_disposition_t retval;
4970 /* Stop T1-init timer */
4971 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4972 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4973 retval = SCTP_DISPOSITION_CONSUME;
4975 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4977 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4978 SCTP_STATE(SCTP_STATE_CLOSED));
4980 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4982 /* Even if we can't send the ABORT due to low memory delete the
4983 * TCB. This is a departure from our typical NOMEM handling.
4986 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4987 SCTP_ERROR(ECONNREFUSED));
4988 /* Delete the established association. */
4989 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4990 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4996 * sctp_sf_cookie_echoed_prm_abort
4998 * Section: 4 Note: 3
5003 * The RFC does not explcitly address this issue, but is the route through the
5004 * state table when someone issues an abort while in COOKIE_ECHOED state.
5009 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(
5011 const struct sctp_endpoint *ep,
5012 const struct sctp_association *asoc,
5013 const sctp_subtype_t type,
5015 sctp_cmd_seq_t *commands)
5017 /* There is a single T1 timer, so we should be able to use
5018 * common function with the COOKIE-WAIT state.
5020 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5024 * sctp_sf_shutdown_pending_prm_abort
5029 * The RFC does not explicitly address this issue, but is the route through the
5030 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5035 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(
5037 const struct sctp_endpoint *ep,
5038 const struct sctp_association *asoc,
5039 const sctp_subtype_t type,
5041 sctp_cmd_seq_t *commands)
5043 /* Stop the T5-shutdown guard timer. */
5044 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5045 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5047 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5051 * sctp_sf_shutdown_sent_prm_abort
5056 * The RFC does not explicitly address this issue, but is the route through the
5057 * state table when someone issues an abort while in SHUTDOWN-SENT state.
5062 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(
5064 const struct sctp_endpoint *ep,
5065 const struct sctp_association *asoc,
5066 const sctp_subtype_t type,
5068 sctp_cmd_seq_t *commands)
5070 /* Stop the T2-shutdown timer. */
5071 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5072 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5074 /* Stop the T5-shutdown guard timer. */
5075 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5076 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5078 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5082 * sctp_sf_cookie_echoed_prm_abort
5087 * The RFC does not explcitly address this issue, but is the route through the
5088 * state table when someone issues an abort while in COOKIE_ECHOED state.
5093 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(
5095 const struct sctp_endpoint *ep,
5096 const struct sctp_association *asoc,
5097 const sctp_subtype_t type,
5099 sctp_cmd_seq_t *commands)
5101 /* The same T2 timer, so we should be able to use
5102 * common function with the SHUTDOWN-SENT state.
5104 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5108 * Process the REQUESTHEARTBEAT primitive
5111 * J) Request Heartbeat
5113 * Format: REQUESTHEARTBEAT(association id, destination transport address)
5117 * Instructs the local endpoint to perform a HeartBeat on the specified
5118 * destination transport address of the given association. The returned
5119 * result should indicate whether the transmission of the HEARTBEAT
5120 * chunk to the destination address is successful.
5122 * Mandatory attributes:
5124 * o association id - local handle to the SCTP association
5126 * o destination transport address - the transport address of the
5127 * association on which a heartbeat should be issued.
5129 sctp_disposition_t sctp_sf_do_prm_requestheartbeat(
5131 const struct sctp_endpoint *ep,
5132 const struct sctp_association *asoc,
5133 const sctp_subtype_t type,
5135 sctp_cmd_seq_t *commands)
5137 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5138 (struct sctp_transport *)arg, commands))
5139 return SCTP_DISPOSITION_NOMEM;
5142 * RFC 2960 (bis), section 8.3
5144 * D) Request an on-demand HEARTBEAT on a specific destination
5145 * transport address of a given association.
5147 * The endpoint should increment the respective error counter of
5148 * the destination transport address each time a HEARTBEAT is sent
5149 * to that address and not acknowledged within one RTO.
5152 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5153 SCTP_TRANSPORT(arg));
5154 return SCTP_DISPOSITION_CONSUME;
5158 * ADDIP Section 4.1 ASCONF Chunk Procedures
5159 * When an endpoint has an ASCONF signaled change to be sent to the
5160 * remote endpoint it should do A1 to A9
5162 sctp_disposition_t sctp_sf_do_prm_asconf(struct net *net,
5163 const struct sctp_endpoint *ep,
5164 const struct sctp_association *asoc,
5165 const sctp_subtype_t type,
5167 sctp_cmd_seq_t *commands)
5169 struct sctp_chunk *chunk = arg;
5171 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5172 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5173 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5174 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5175 return SCTP_DISPOSITION_CONSUME;
5179 * Ignore the primitive event
5181 * The return value is the disposition of the primitive.
5183 sctp_disposition_t sctp_sf_ignore_primitive(
5185 const struct sctp_endpoint *ep,
5186 const struct sctp_association *asoc,
5187 const sctp_subtype_t type,
5189 sctp_cmd_seq_t *commands)
5191 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive);
5192 return SCTP_DISPOSITION_DISCARD;
5195 /***************************************************************************
5196 * These are the state functions for the OTHER events.
5197 ***************************************************************************/
5200 * When the SCTP stack has no more user data to send or retransmit, this
5201 * notification is given to the user. Also, at the time when a user app
5202 * subscribes to this event, if there is no data to be sent or
5203 * retransmit, the stack will immediately send up this notification.
5205 sctp_disposition_t sctp_sf_do_no_pending_tsn(
5207 const struct sctp_endpoint *ep,
5208 const struct sctp_association *asoc,
5209 const sctp_subtype_t type,
5211 sctp_cmd_seq_t *commands)
5213 struct sctp_ulpevent *event;
5215 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5217 return SCTP_DISPOSITION_NOMEM;
5219 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5221 return SCTP_DISPOSITION_CONSUME;
5225 * Start the shutdown negotiation.
5228 * Once all its outstanding data has been acknowledged, the endpoint
5229 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5230 * TSN Ack field the last sequential TSN it has received from the peer.
5231 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5232 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5233 * with the updated last sequential TSN received from its peer.
5235 * The return value is the disposition.
5237 sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
5239 const struct sctp_endpoint *ep,
5240 const struct sctp_association *asoc,
5241 const sctp_subtype_t type,
5243 sctp_cmd_seq_t *commands)
5245 struct sctp_chunk *reply;
5247 /* Once all its outstanding data has been acknowledged, the
5248 * endpoint shall send a SHUTDOWN chunk to its peer including
5249 * in the Cumulative TSN Ack field the last sequential TSN it
5250 * has received from the peer.
5252 reply = sctp_make_shutdown(asoc, NULL);
5256 /* Set the transport for the SHUTDOWN chunk and the timeout for the
5257 * T2-shutdown timer.
5259 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5261 /* It shall then start the T2-shutdown timer */
5262 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5263 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5265 /* RFC 4960 Section 9.2
5266 * The sender of the SHUTDOWN MAY also start an overall guard timer
5267 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5269 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5270 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5272 if (asoc->autoclose)
5273 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5274 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5276 /* and enter the SHUTDOWN-SENT state. */
5277 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5278 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5280 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5282 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5285 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5287 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5289 return SCTP_DISPOSITION_CONSUME;
5292 return SCTP_DISPOSITION_NOMEM;
5296 * Generate a SHUTDOWN ACK now that everything is SACK'd.
5300 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5301 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5302 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5303 * endpoint must re-send the SHUTDOWN ACK.
5305 * The return value is the disposition.
5307 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(
5309 const struct sctp_endpoint *ep,
5310 const struct sctp_association *asoc,
5311 const sctp_subtype_t type,
5313 sctp_cmd_seq_t *commands)
5315 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
5316 struct sctp_chunk *reply;
5318 /* There are 2 ways of getting here:
5319 * 1) called in response to a SHUTDOWN chunk
5320 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5322 * For the case (2), the arg parameter is set to NULL. We need
5323 * to check that we have a chunk before accessing it's fields.
5326 if (!sctp_vtag_verify(chunk, asoc))
5327 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
5329 /* Make sure that the SHUTDOWN chunk has a valid length. */
5330 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t)))
5331 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
5335 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5336 * shall send a SHUTDOWN ACK ...
5338 reply = sctp_make_shutdown_ack(asoc, chunk);
5342 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5343 * the T2-shutdown timer.
5345 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5347 /* and start/restart a T2-shutdown timer of its own, */
5348 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5349 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5351 if (asoc->autoclose)
5352 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5353 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5355 /* Enter the SHUTDOWN-ACK-SENT state. */
5356 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5357 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5359 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5361 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5364 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5366 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5368 return SCTP_DISPOSITION_CONSUME;
5371 return SCTP_DISPOSITION_NOMEM;
5375 * Ignore the event defined as other
5377 * The return value is the disposition of the event.
5379 sctp_disposition_t sctp_sf_ignore_other(struct net *net,
5380 const struct sctp_endpoint *ep,
5381 const struct sctp_association *asoc,
5382 const sctp_subtype_t type,
5384 sctp_cmd_seq_t *commands)
5386 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other);
5387 return SCTP_DISPOSITION_DISCARD;
5390 /************************************************************
5391 * These are the state functions for handling timeout events.
5392 ************************************************************/
5397 * Section: 6.3.3 Handle T3-rtx Expiration
5399 * Whenever the retransmission timer T3-rtx expires for a destination
5400 * address, do the following:
5403 * The return value is the disposition of the chunk.
5405 sctp_disposition_t sctp_sf_do_6_3_3_rtx(struct net *net,
5406 const struct sctp_endpoint *ep,
5407 const struct sctp_association *asoc,
5408 const sctp_subtype_t type,
5410 sctp_cmd_seq_t *commands)
5412 struct sctp_transport *transport = arg;
5414 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5416 if (asoc->overall_error_count >= asoc->max_retrans) {
5417 if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5419 * We are here likely because the receiver had its rwnd
5420 * closed for a while and we have not been able to
5421 * transmit the locally queued data within the maximum
5422 * retransmission attempts limit. Start the T5
5423 * shutdown guard timer to give the receiver one last
5424 * chance and some additional time to recover before
5427 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5428 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5430 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5431 SCTP_ERROR(ETIMEDOUT));
5432 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5433 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5434 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5435 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5436 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5437 return SCTP_DISPOSITION_DELETE_TCB;
5441 /* E1) For the destination address for which the timer
5442 * expires, adjust its ssthresh with rules defined in Section
5443 * 7.2.3 and set the cwnd <- MTU.
5446 /* E2) For the destination address for which the timer
5447 * expires, set RTO <- RTO * 2 ("back off the timer"). The
5448 * maximum value discussed in rule C7 above (RTO.max) may be
5449 * used to provide an upper bound to this doubling operation.
5452 /* E3) Determine how many of the earliest (i.e., lowest TSN)
5453 * outstanding DATA chunks for the address for which the
5454 * T3-rtx has expired will fit into a single packet, subject
5455 * to the MTU constraint for the path corresponding to the
5456 * destination transport address to which the retransmission
5457 * is being sent (this may be different from the address for
5458 * which the timer expires [see Section 6.4]). Call this
5459 * value K. Bundle and retransmit those K DATA chunks in a
5460 * single packet to the destination endpoint.
5462 * Note: Any DATA chunks that were sent to the address for
5463 * which the T3-rtx timer expired but did not fit in one MTU
5464 * (rule E3 above), should be marked for retransmission and
5465 * sent as soon as cwnd allows (normally when a SACK arrives).
5468 /* Do some failure management (Section 8.2). */
5469 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5471 /* NB: Rules E4 and F1 are implicit in R1. */
5472 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5474 return SCTP_DISPOSITION_CONSUME;
5478 * Generate delayed SACK on timeout
5480 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
5482 * The guidelines on delayed acknowledgement algorithm specified in
5483 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
5484 * acknowledgement SHOULD be generated for at least every second packet
5485 * (not every second DATA chunk) received, and SHOULD be generated
5486 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
5487 * some situations it may be beneficial for an SCTP transmitter to be
5488 * more conservative than the algorithms detailed in this document
5489 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5490 * the following algorithms allow.
5492 sctp_disposition_t sctp_sf_do_6_2_sack(struct net *net,
5493 const struct sctp_endpoint *ep,
5494 const struct sctp_association *asoc,
5495 const sctp_subtype_t type,
5497 sctp_cmd_seq_t *commands)
5499 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5500 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5501 return SCTP_DISPOSITION_CONSUME;
5505 * sctp_sf_t1_init_timer_expire
5507 * Section: 4 Note: 2
5512 * RFC 2960 Section 4 Notes
5513 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5514 * and re-start the T1-init timer without changing state. This MUST
5515 * be repeated up to 'Max.Init.Retransmits' times. After that, the
5516 * endpoint MUST abort the initialization process and report the
5517 * error to SCTP user.
5523 sctp_disposition_t sctp_sf_t1_init_timer_expire(struct net *net,
5524 const struct sctp_endpoint *ep,
5525 const struct sctp_association *asoc,
5526 const sctp_subtype_t type,
5528 sctp_cmd_seq_t *commands)
5530 struct sctp_chunk *repl = NULL;
5531 struct sctp_bind_addr *bp;
5532 int attempts = asoc->init_err_counter + 1;
5534 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n");
5535 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5537 if (attempts <= asoc->max_init_attempts) {
5538 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5539 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5541 return SCTP_DISPOSITION_NOMEM;
5543 /* Choose transport for INIT. */
5544 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5547 /* Issue a sideeffect to do the needed accounting. */
5548 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5549 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5551 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5553 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d"
5554 " max_init_attempts: %d\n",
5555 attempts, asoc->max_init_attempts);
5556 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5557 SCTP_ERROR(ETIMEDOUT));
5558 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5559 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5560 return SCTP_DISPOSITION_DELETE_TCB;
5563 return SCTP_DISPOSITION_CONSUME;
5567 * sctp_sf_t1_cookie_timer_expire
5569 * Section: 4 Note: 2
5574 * RFC 2960 Section 4 Notes
5575 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
5576 * COOKIE ECHO and re-start the T1-cookie timer without changing
5577 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
5578 * After that, the endpoint MUST abort the initialization process and
5579 * report the error to SCTP user.
5585 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(struct net *net,
5586 const struct sctp_endpoint *ep,
5587 const struct sctp_association *asoc,
5588 const sctp_subtype_t type,
5590 sctp_cmd_seq_t *commands)
5592 struct sctp_chunk *repl = NULL;
5593 int attempts = asoc->init_err_counter + 1;
5595 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n");
5596 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5598 if (attempts <= asoc->max_init_attempts) {
5599 repl = sctp_make_cookie_echo(asoc, NULL);
5601 return SCTP_DISPOSITION_NOMEM;
5603 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5605 /* Issue a sideeffect to do the needed accounting. */
5606 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5607 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5609 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5611 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5612 SCTP_ERROR(ETIMEDOUT));
5613 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5614 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5615 return SCTP_DISPOSITION_DELETE_TCB;
5618 return SCTP_DISPOSITION_CONSUME;
5621 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5622 * with the updated last sequential TSN received from its peer.
5624 * An endpoint should limit the number of retransmissions of the
5625 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5626 * If this threshold is exceeded the endpoint should destroy the TCB and
5627 * MUST report the peer endpoint unreachable to the upper layer (and
5628 * thus the association enters the CLOSED state). The reception of any
5629 * packet from its peer (i.e. as the peer sends all of its queued DATA
5630 * chunks) should clear the endpoint's retransmission count and restart
5631 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
5632 * all of its queued DATA chunks that have not yet been sent.
5634 sctp_disposition_t sctp_sf_t2_timer_expire(struct net *net,
5635 const struct sctp_endpoint *ep,
5636 const struct sctp_association *asoc,
5637 const sctp_subtype_t type,
5639 sctp_cmd_seq_t *commands)
5641 struct sctp_chunk *reply = NULL;
5643 SCTP_DEBUG_PRINTK("Timer T2 expired.\n");
5644 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5646 ((struct sctp_association *)asoc)->shutdown_retries++;
5648 if (asoc->overall_error_count >= asoc->max_retrans) {
5649 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5650 SCTP_ERROR(ETIMEDOUT));
5651 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5652 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5653 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5654 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5655 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5656 return SCTP_DISPOSITION_DELETE_TCB;
5659 switch (asoc->state) {
5660 case SCTP_STATE_SHUTDOWN_SENT:
5661 reply = sctp_make_shutdown(asoc, NULL);
5664 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5665 reply = sctp_make_shutdown_ack(asoc, NULL);
5676 /* Do some failure management (Section 8.2).
5677 * If we remove the transport an SHUTDOWN was last sent to, don't
5678 * do failure management.
5680 if (asoc->shutdown_last_sent_to)
5681 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5682 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5684 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5685 * the T2-shutdown timer.
5687 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5689 /* Restart the T2-shutdown timer. */
5690 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5691 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5692 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5693 return SCTP_DISPOSITION_CONSUME;
5696 return SCTP_DISPOSITION_NOMEM;
5700 * ADDIP Section 4.1 ASCONF CHunk Procedures
5701 * If the T4 RTO timer expires the endpoint should do B1 to B5
5703 sctp_disposition_t sctp_sf_t4_timer_expire(
5705 const struct sctp_endpoint *ep,
5706 const struct sctp_association *asoc,
5707 const sctp_subtype_t type,
5709 sctp_cmd_seq_t *commands)
5711 struct sctp_chunk *chunk = asoc->addip_last_asconf;
5712 struct sctp_transport *transport = chunk->transport;
5714 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
5716 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
5717 * detection on the appropriate destination address as defined in
5718 * RFC2960 [5] section 8.1 and 8.2.
5721 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5722 SCTP_TRANSPORT(transport));
5724 /* Reconfig T4 timer and transport. */
5725 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5727 /* ADDIP 4.1 B2) Increment the association error counters and perform
5728 * endpoint failure detection on the association as defined in
5729 * RFC2960 [5] section 8.1 and 8.2.
5730 * association error counter is incremented in SCTP_CMD_STRIKE.
5732 if (asoc->overall_error_count >= asoc->max_retrans) {
5733 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5734 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5735 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5736 SCTP_ERROR(ETIMEDOUT));
5737 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5738 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5739 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5740 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5741 return SCTP_DISPOSITION_ABORT;
5744 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
5745 * the ASCONF chunk was sent by doubling the RTO timer value.
5746 * This is done in SCTP_CMD_STRIKE.
5749 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
5750 * choose an alternate destination address (please refer to RFC2960
5751 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
5752 * chunk, it MUST be the same (including its serial number) as the last
5755 sctp_chunk_hold(asoc->addip_last_asconf);
5756 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5757 SCTP_CHUNK(asoc->addip_last_asconf));
5759 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
5760 * destination is selected, then the RTO used will be that of the new
5761 * destination address.
5763 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5764 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5766 return SCTP_DISPOSITION_CONSUME;
5769 /* sctpimpguide-05 Section 2.12.2
5770 * The sender of the SHUTDOWN MAY also start an overall guard timer
5771 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5772 * At the expiration of this timer the sender SHOULD abort the association
5773 * by sending an ABORT chunk.
5775 sctp_disposition_t sctp_sf_t5_timer_expire(struct net *net,
5776 const struct sctp_endpoint *ep,
5777 const struct sctp_association *asoc,
5778 const sctp_subtype_t type,
5780 sctp_cmd_seq_t *commands)
5782 struct sctp_chunk *reply = NULL;
5784 SCTP_DEBUG_PRINTK("Timer T5 expired.\n");
5785 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
5787 reply = sctp_make_abort(asoc, NULL, 0);
5791 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5792 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5793 SCTP_ERROR(ETIMEDOUT));
5794 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5795 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5797 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5798 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5800 return SCTP_DISPOSITION_DELETE_TCB;
5802 return SCTP_DISPOSITION_NOMEM;
5805 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
5806 * the association is automatically closed by starting the shutdown process.
5807 * The work that needs to be done is same as when SHUTDOWN is initiated by
5808 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
5810 sctp_disposition_t sctp_sf_autoclose_timer_expire(
5812 const struct sctp_endpoint *ep,
5813 const struct sctp_association *asoc,
5814 const sctp_subtype_t type,
5816 sctp_cmd_seq_t *commands)
5820 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
5822 /* From 9.2 Shutdown of an Association
5823 * Upon receipt of the SHUTDOWN primitive from its upper
5824 * layer, the endpoint enters SHUTDOWN-PENDING state and
5825 * remains there until all outstanding data has been
5826 * acknowledged by its peer. The endpoint accepts no new data
5827 * from its upper layer, but retransmits data to the far end
5828 * if necessary to fill gaps.
5830 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5831 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5833 disposition = SCTP_DISPOSITION_CONSUME;
5834 if (sctp_outq_is_empty(&asoc->outqueue)) {
5835 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5841 /*****************************************************************************
5842 * These are sa state functions which could apply to all types of events.
5843 ****************************************************************************/
5846 * This table entry is not implemented.
5849 * (endpoint, asoc, chunk)
5851 * The return value is the disposition of the chunk.
5853 sctp_disposition_t sctp_sf_not_impl(struct net *net,
5854 const struct sctp_endpoint *ep,
5855 const struct sctp_association *asoc,
5856 const sctp_subtype_t type,
5858 sctp_cmd_seq_t *commands)
5860 return SCTP_DISPOSITION_NOT_IMPL;
5864 * This table entry represents a bug.
5867 * (endpoint, asoc, chunk)
5869 * The return value is the disposition of the chunk.
5871 sctp_disposition_t sctp_sf_bug(struct net *net,
5872 const struct sctp_endpoint *ep,
5873 const struct sctp_association *asoc,
5874 const sctp_subtype_t type,
5876 sctp_cmd_seq_t *commands)
5878 return SCTP_DISPOSITION_BUG;
5882 * This table entry represents the firing of a timer in the wrong state.
5883 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
5884 * when the association is in the wrong state. This event should
5885 * be ignored, so as to prevent any rearming of the timer.
5888 * (endpoint, asoc, chunk)
5890 * The return value is the disposition of the chunk.
5892 sctp_disposition_t sctp_sf_timer_ignore(struct net *net,
5893 const struct sctp_endpoint *ep,
5894 const struct sctp_association *asoc,
5895 const sctp_subtype_t type,
5897 sctp_cmd_seq_t *commands)
5899 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk);
5900 return SCTP_DISPOSITION_CONSUME;
5903 /********************************************************************
5904 * 2nd Level Abstractions
5905 ********************************************************************/
5907 /* Pull the SACK chunk based on the SACK header. */
5908 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
5910 struct sctp_sackhdr *sack;
5915 /* Protect ourselves from reading too far into
5916 * the skb from a bogus sender.
5918 sack = (struct sctp_sackhdr *) chunk->skb->data;
5920 num_blocks = ntohs(sack->num_gap_ack_blocks);
5921 num_dup_tsns = ntohs(sack->num_dup_tsns);
5922 len = sizeof(struct sctp_sackhdr);
5923 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
5924 if (len > chunk->skb->len)
5927 skb_pull(chunk->skb, len);
5932 /* Create an ABORT packet to be sent as a response, with the specified
5935 static struct sctp_packet *sctp_abort_pkt_new(struct net *net,
5936 const struct sctp_endpoint *ep,
5937 const struct sctp_association *asoc,
5938 struct sctp_chunk *chunk,
5939 const void *payload,
5942 struct sctp_packet *packet;
5943 struct sctp_chunk *abort;
5945 packet = sctp_ootb_pkt_new(net, asoc, chunk);
5949 * The T bit will be set if the asoc is NULL.
5951 abort = sctp_make_abort(asoc, chunk, paylen);
5953 sctp_ootb_pkt_free(packet);
5957 /* Reflect vtag if T-Bit is set */
5958 if (sctp_test_T_bit(abort))
5959 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
5961 /* Add specified error causes, i.e., payload, to the
5964 sctp_addto_chunk(abort, paylen, payload);
5966 /* Set the skb to the belonging sock for accounting. */
5967 abort->skb->sk = ep->base.sk;
5969 sctp_packet_append_chunk(packet, abort);
5976 /* Allocate a packet for responding in the OOTB conditions. */
5977 static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
5978 const struct sctp_association *asoc,
5979 const struct sctp_chunk *chunk)
5981 struct sctp_packet *packet;
5982 struct sctp_transport *transport;
5987 /* Get the source and destination port from the inbound packet. */
5988 sport = ntohs(chunk->sctp_hdr->dest);
5989 dport = ntohs(chunk->sctp_hdr->source);
5991 /* The V-tag is going to be the same as the inbound packet if no
5992 * association exists, otherwise, use the peer's vtag.
5995 /* Special case the INIT-ACK as there is no peer's vtag
5998 switch(chunk->chunk_hdr->type) {
5999 case SCTP_CID_INIT_ACK:
6001 sctp_initack_chunk_t *initack;
6003 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
6004 vtag = ntohl(initack->init_hdr.init_tag);
6008 vtag = asoc->peer.i.init_tag;
6012 /* Special case the INIT and stale COOKIE_ECHO as there is no
6015 switch(chunk->chunk_hdr->type) {
6018 sctp_init_chunk_t *init;
6020 init = (sctp_init_chunk_t *)chunk->chunk_hdr;
6021 vtag = ntohl(init->init_hdr.init_tag);
6025 vtag = ntohl(chunk->sctp_hdr->vtag);
6030 /* Make a transport for the bucket, Eliza... */
6031 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6035 /* Cache a route for the transport with the chunk's destination as
6036 * the source address.
6038 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6039 sctp_sk(net->sctp.ctl_sock));
6041 packet = sctp_packet_init(&transport->packet, transport, sport, dport);
6042 packet = sctp_packet_config(packet, vtag, 0);
6050 /* Free the packet allocated earlier for responding in the OOTB condition. */
6051 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6053 sctp_transport_free(packet->transport);
6056 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
6057 static void sctp_send_stale_cookie_err(struct net *net,
6058 const struct sctp_endpoint *ep,
6059 const struct sctp_association *asoc,
6060 const struct sctp_chunk *chunk,
6061 sctp_cmd_seq_t *commands,
6062 struct sctp_chunk *err_chunk)
6064 struct sctp_packet *packet;
6067 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6069 struct sctp_signed_cookie *cookie;
6071 /* Override the OOTB vtag from the cookie. */
6072 cookie = chunk->subh.cookie_hdr;
6073 packet->vtag = cookie->c.peer_vtag;
6075 /* Set the skb to the belonging sock for accounting. */
6076 err_chunk->skb->sk = ep->base.sk;
6077 sctp_packet_append_chunk(packet, err_chunk);
6078 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6079 SCTP_PACKET(packet));
6080 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6082 sctp_chunk_free (err_chunk);
6087 /* Process a data chunk */
6088 static int sctp_eat_data(const struct sctp_association *asoc,
6089 struct sctp_chunk *chunk,
6090 sctp_cmd_seq_t *commands)
6092 sctp_datahdr_t *data_hdr;
6093 struct sctp_chunk *err;
6095 sctp_verb_t deliver;
6098 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6099 struct sock *sk = asoc->base.sk;
6100 struct net *net = sock_net(sk);
6105 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data;
6106 skb_pull(chunk->skb, sizeof(sctp_datahdr_t));
6108 tsn = ntohl(data_hdr->tsn);
6109 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn);
6111 /* ASSERT: Now skb->data is really the user data. */
6113 /* Process ECN based congestion.
6115 * Since the chunk structure is reused for all chunks within
6116 * a packet, we use ecn_ce_done to track if we've already
6117 * done CE processing for this packet.
6119 * We need to do ECN processing even if we plan to discard the
6123 if (!chunk->ecn_ce_done) {
6125 chunk->ecn_ce_done = 1;
6127 af = sctp_get_af_specific(
6128 ipver2af(ip_hdr(chunk->skb)->version));
6130 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) {
6131 /* Do real work as sideffect. */
6132 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6137 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6139 /* The TSN is too high--silently discard the chunk and
6140 * count on it getting retransmitted later.
6143 chunk->asoc->stats.outofseqtsns++;
6144 return SCTP_IERROR_HIGH_TSN;
6145 } else if (tmp > 0) {
6146 /* This is a duplicate. Record it. */
6147 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6148 return SCTP_IERROR_DUP_TSN;
6151 /* This is a new TSN. */
6153 /* Discard if there is no room in the receive window.
6154 * Actually, allow a little bit of overflow (up to a MTU).
6156 datalen = ntohs(chunk->chunk_hdr->length);
6157 datalen -= sizeof(sctp_data_chunk_t);
6159 deliver = SCTP_CMD_CHUNK_ULP;
6161 /* Think about partial delivery. */
6162 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6164 /* Even if we don't accept this chunk there is
6167 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6170 /* Spill over rwnd a little bit. Note: While allowed, this spill over
6171 * seems a bit troublesome in that frag_point varies based on
6172 * PMTU. In cases, such as loopback, this might be a rather
6175 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6176 (datalen > asoc->rwnd + asoc->frag_point))) {
6178 /* If this is the next TSN, consider reneging to make
6179 * room. Note: Playing nice with a confused sender. A
6180 * malicious sender can still eat up all our buffer
6181 * space and in the future we may want to detect and
6182 * do more drastic reneging.
6184 if (sctp_tsnmap_has_gap(map) &&
6185 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6186 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn);
6187 deliver = SCTP_CMD_RENEGE;
6189 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, "
6190 "rwnd: %d\n", tsn, datalen,
6192 return SCTP_IERROR_IGNORE_TSN;
6197 * Also try to renege to limit our memory usage in the event that
6198 * we are under memory pressure
6199 * If we can't renege, don't worry about it, the sk_rmem_schedule
6200 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6201 * memory usage too much
6203 if (*sk->sk_prot_creator->memory_pressure) {
6204 if (sctp_tsnmap_has_gap(map) &&
6205 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6206 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn);
6207 deliver = SCTP_CMD_RENEGE;
6212 * Section 3.3.10.9 No User Data (9)
6216 * No User Data: This error cause is returned to the originator of a
6217 * DATA chunk if a received DATA chunk has no user data.
6219 if (unlikely(0 == datalen)) {
6220 err = sctp_make_abort_no_data(asoc, chunk, tsn);
6222 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6225 /* We are going to ABORT, so we might as well stop
6226 * processing the rest of the chunks in the packet.
6228 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
6229 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6230 SCTP_ERROR(ECONNABORTED));
6231 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6232 SCTP_PERR(SCTP_ERROR_NO_DATA));
6233 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6234 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6235 return SCTP_IERROR_NO_DATA;
6238 chunk->data_accepted = 1;
6240 /* Note: Some chunks may get overcounted (if we drop) or overcounted
6241 * if we renege and the chunk arrives again.
6243 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6244 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6246 chunk->asoc->stats.iuodchunks++;
6248 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6250 chunk->asoc->stats.iodchunks++;
6254 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6256 * If an endpoint receive a DATA chunk with an invalid stream
6257 * identifier, it shall acknowledge the reception of the DATA chunk
6258 * following the normal procedure, immediately send an ERROR chunk
6259 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6260 * and discard the DATA chunk.
6262 sid = ntohs(data_hdr->stream);
6263 if (sid >= asoc->c.sinit_max_instreams) {
6264 /* Mark tsn as received even though we drop it */
6265 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6267 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6269 sizeof(data_hdr->stream),
6272 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6274 return SCTP_IERROR_BAD_STREAM;
6277 /* Check to see if the SSN is possible for this TSN.
6278 * The biggest gap we can record is 4K wide. Since SSNs wrap
6279 * at an unsigned short, there is no way that an SSN can
6280 * wrap and for a valid TSN. We can simply check if the current
6281 * SSN is smaller then the next expected one. If it is, it wrapped
6284 ssn = ntohs(data_hdr->ssn);
6285 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) {
6286 return SCTP_IERROR_PROTO_VIOLATION;
6289 /* Send the data up to the user. Note: Schedule the
6290 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6291 * chunk needs the updated rwnd.
6293 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6295 return SCTP_IERROR_NO_ERROR;