1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* SCTP kernel implementation
3 * (C) Copyright IBM Corp. 2001, 2004
4 * Copyright (c) 1999-2000 Cisco, Inc.
5 * Copyright (c) 1999-2001 Motorola, Inc.
6 * Copyright (c) 2001-2002 Intel Corp.
7 * Copyright (c) 2002 Nokia Corp.
9 * This is part of the SCTP Linux Kernel Implementation.
11 * These are the state functions for the state machine.
13 * Please send any bug reports or fixes you make to the
15 * lksctp developers <linux-sctp@vger.kernel.org>
17 * Written or modified by:
18 * La Monte H.P. Yarroll <piggy@acm.org>
19 * Karl Knutson <karl@athena.chicago.il.us>
20 * Mathew Kotowsky <kotowsky@sctp.org>
21 * Sridhar Samudrala <samudrala@us.ibm.com>
22 * Jon Grimm <jgrimm@us.ibm.com>
23 * Hui Huang <hui.huang@nokia.com>
24 * Dajiang Zhang <dajiang.zhang@nokia.com>
25 * Daisy Chang <daisyc@us.ibm.com>
26 * Ardelle Fan <ardelle.fan@intel.com>
27 * Ryan Layer <rmlayer@us.ibm.com>
28 * Kevin Gao <kevin.gao@intel.com>
31 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33 #include <linux/types.h>
34 #include <linux/kernel.h>
36 #include <linux/ipv6.h>
37 #include <linux/net.h>
38 #include <linux/inet.h>
39 #include <linux/slab.h>
41 #include <net/inet_ecn.h>
42 #include <linux/skbuff.h>
43 #include <net/sctp/sctp.h>
44 #include <net/sctp/sm.h>
45 #include <net/sctp/structs.h>
47 #define CREATE_TRACE_POINTS
48 #include <trace/events/sctp.h>
50 static struct sctp_packet *sctp_abort_pkt_new(
52 const struct sctp_endpoint *ep,
53 const struct sctp_association *asoc,
54 struct sctp_chunk *chunk,
55 const void *payload, size_t paylen);
56 static int sctp_eat_data(const struct sctp_association *asoc,
57 struct sctp_chunk *chunk,
58 struct sctp_cmd_seq *commands);
59 static struct sctp_packet *sctp_ootb_pkt_new(
61 const struct sctp_association *asoc,
62 const struct sctp_chunk *chunk);
63 static void sctp_send_stale_cookie_err(struct net *net,
64 const struct sctp_endpoint *ep,
65 const struct sctp_association *asoc,
66 const struct sctp_chunk *chunk,
67 struct sctp_cmd_seq *commands,
68 struct sctp_chunk *err_chunk);
69 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
71 const struct sctp_endpoint *ep,
72 const struct sctp_association *asoc,
73 const union sctp_subtype type,
75 struct sctp_cmd_seq *commands);
76 static enum sctp_disposition sctp_sf_shut_8_4_5(
78 const struct sctp_endpoint *ep,
79 const struct sctp_association *asoc,
80 const union sctp_subtype type,
82 struct sctp_cmd_seq *commands);
83 static enum sctp_disposition sctp_sf_tabort_8_4_8(
85 const struct sctp_endpoint *ep,
86 const struct sctp_association *asoc,
87 const union sctp_subtype type,
89 struct sctp_cmd_seq *commands);
90 static enum sctp_disposition sctp_sf_new_encap_port(
92 const struct sctp_endpoint *ep,
93 const struct sctp_association *asoc,
94 const union sctp_subtype type,
96 struct sctp_cmd_seq *commands);
97 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
99 static enum sctp_disposition sctp_stop_t1_and_abort(
101 struct sctp_cmd_seq *commands,
102 __be16 error, int sk_err,
103 const struct sctp_association *asoc,
104 struct sctp_transport *transport);
106 static enum sctp_disposition sctp_sf_abort_violation(
108 const struct sctp_endpoint *ep,
109 const struct sctp_association *asoc,
111 struct sctp_cmd_seq *commands,
113 const size_t paylen);
115 static enum sctp_disposition sctp_sf_violation_chunklen(
117 const struct sctp_endpoint *ep,
118 const struct sctp_association *asoc,
119 const union sctp_subtype type,
121 struct sctp_cmd_seq *commands);
123 static enum sctp_disposition sctp_sf_violation_paramlen(
125 const struct sctp_endpoint *ep,
126 const struct sctp_association *asoc,
127 const union sctp_subtype type,
128 void *arg, void *ext,
129 struct sctp_cmd_seq *commands);
131 static enum sctp_disposition sctp_sf_violation_ctsn(
133 const struct sctp_endpoint *ep,
134 const struct sctp_association *asoc,
135 const union sctp_subtype type,
137 struct sctp_cmd_seq *commands);
139 static enum sctp_disposition sctp_sf_violation_chunk(
141 const struct sctp_endpoint *ep,
142 const struct sctp_association *asoc,
143 const union sctp_subtype type,
145 struct sctp_cmd_seq *commands);
147 static enum sctp_ierror sctp_sf_authenticate(
148 const struct sctp_association *asoc,
149 struct sctp_chunk *chunk);
151 static enum sctp_disposition __sctp_sf_do_9_1_abort(
153 const struct sctp_endpoint *ep,
154 const struct sctp_association *asoc,
155 const union sctp_subtype type,
157 struct sctp_cmd_seq *commands);
159 /* Small helper function that checks if the chunk length
160 * is of the appropriate length. The 'required_length' argument
161 * is set to be the size of a specific chunk we are testing.
162 * Return Values: true = Valid length
163 * false = Invalid length
166 static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
167 __u16 required_length)
169 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
171 /* Previously already marked? */
172 if (unlikely(chunk->pdiscard))
174 if (unlikely(chunk_length < required_length))
180 /* Check for format error in an ABORT chunk */
181 static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
183 struct sctp_errhdr *err;
185 sctp_walk_errors(err, chunk->chunk_hdr);
187 return (void *)err == (void *)chunk->chunk_end;
190 /**********************************************************
191 * These are the state functions for handling chunk events.
192 **********************************************************/
195 * Process the final SHUTDOWN COMPLETE.
197 * Section: 4 (C) (diagram), 9.2
198 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
199 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
200 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
201 * should stop the T2-shutdown timer and remove all knowledge of the
202 * association (and thus the association enters the CLOSED state).
204 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
205 * C) Rules for packet carrying SHUTDOWN COMPLETE:
207 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
208 * if the Verification Tag field of the packet matches its own tag and
209 * the T bit is not set
211 * it is set to its peer's tag and the T bit is set in the Chunk
213 * Otherwise, the receiver MUST silently discard the packet
214 * and take no further action. An endpoint MUST ignore the
215 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
218 * (endpoint, asoc, chunk)
221 * (asoc, reply_msg, msg_up, timers, counters)
223 * The return value is the disposition of the chunk.
225 enum sctp_disposition sctp_sf_do_4_C(struct net *net,
226 const struct sctp_endpoint *ep,
227 const struct sctp_association *asoc,
228 const union sctp_subtype type,
229 void *arg, struct sctp_cmd_seq *commands)
231 struct sctp_chunk *chunk = arg;
232 struct sctp_ulpevent *ev;
234 if (!sctp_vtag_verify_either(chunk, asoc))
235 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
237 /* RFC 2960 6.10 Bundling
239 * An endpoint MUST NOT bundle INIT, INIT ACK or
240 * SHUTDOWN COMPLETE with any other chunks.
242 if (!chunk->singleton)
243 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
245 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
246 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
247 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
250 /* RFC 2960 10.2 SCTP-to-ULP
252 * H) SHUTDOWN COMPLETE notification
254 * When SCTP completes the shutdown procedures (section 9.2) this
255 * notification is passed to the upper layer.
257 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
258 0, 0, 0, NULL, GFP_ATOMIC);
260 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
263 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
264 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
265 * not the chunk should be discarded. If the endpoint is in
266 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
267 * T2-shutdown timer and remove all knowledge of the
268 * association (and thus the association enters the CLOSED
271 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
272 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
274 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
275 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
277 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
278 SCTP_STATE(SCTP_STATE_CLOSED));
280 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
281 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
283 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
285 return SCTP_DISPOSITION_DELETE_TCB;
289 * Respond to a normal INIT chunk.
290 * We are the side that is being asked for an association.
292 * Section: 5.1 Normal Establishment of an Association, B
293 * B) "Z" shall respond immediately with an INIT ACK chunk. The
294 * destination IP address of the INIT ACK MUST be set to the source
295 * IP address of the INIT to which this INIT ACK is responding. In
296 * the response, besides filling in other parameters, "Z" must set the
297 * Verification Tag field to Tag_A, and also provide its own
298 * Verification Tag (Tag_Z) in the Initiate Tag field.
300 * Verification Tag: Must be 0.
303 * (endpoint, asoc, chunk)
306 * (asoc, reply_msg, msg_up, timers, counters)
308 * The return value is the disposition of the chunk.
310 enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
311 const struct sctp_endpoint *ep,
312 const struct sctp_association *asoc,
313 const union sctp_subtype type,
315 struct sctp_cmd_seq *commands)
317 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
318 struct sctp_unrecognized_param *unk_param;
319 struct sctp_association *new_asoc;
320 struct sctp_packet *packet;
323 /* Update socket peer label if first association. */
324 if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
326 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
329 * An endpoint MUST NOT bundle INIT, INIT ACK or
330 * SHUTDOWN COMPLETE with any other chunks.
333 * Furthermore, we require that the receiver of an INIT chunk MUST
334 * enforce these rules by silently discarding an arriving packet
335 * with an INIT chunk that is bundled with other chunks.
337 if (!chunk->singleton)
338 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
340 /* If the packet is an OOTB packet which is temporarily on the
341 * control endpoint, respond with an ABORT.
343 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
344 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
345 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
348 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
351 if (chunk->sctp_hdr->vtag != 0)
352 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
354 /* Make sure that the INIT chunk has a valid length.
355 * Normally, this would cause an ABORT with a Protocol Violation
356 * error, but since we don't have an association, we'll
357 * just discard the packet.
359 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
360 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
362 /* If the INIT is coming toward a closing socket, we'll send back
363 * and ABORT. Essentially, this catches the race of INIT being
364 * backloged to the socket at the same time as the user isses close().
365 * Since the socket and all its associations are going away, we
366 * can treat this OOTB
368 if (sctp_sstate(ep->base.sk, CLOSING))
369 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
371 /* Verify the INIT chunk before processing it. */
373 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
374 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
376 /* This chunk contains fatal error. It is to be discarded.
377 * Send an ABORT, with causes if there is any.
380 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
381 (__u8 *)(err_chunk->chunk_hdr) +
382 sizeof(struct sctp_chunkhdr),
383 ntohs(err_chunk->chunk_hdr->length) -
384 sizeof(struct sctp_chunkhdr));
386 sctp_chunk_free(err_chunk);
389 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
390 SCTP_PACKET(packet));
391 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
392 return SCTP_DISPOSITION_CONSUME;
394 return SCTP_DISPOSITION_NOMEM;
397 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
402 /* Grab the INIT header. */
403 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
405 /* Tag the variable length parameters. */
406 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
408 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
412 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
413 sctp_scope(sctp_source(chunk)),
417 /* The call, sctp_process_init(), can fail on memory allocation. */
418 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
419 (struct sctp_init_chunk *)chunk->chunk_hdr,
423 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
425 /* If there are errors need to be reported for unknown parameters,
426 * make sure to reserve enough room in the INIT ACK for them.
430 len = ntohs(err_chunk->chunk_hdr->length) -
431 sizeof(struct sctp_chunkhdr);
433 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
437 /* If there are errors need to be reported for unknown parameters,
438 * include them in the outgoing INIT ACK as "Unrecognized parameter"
442 /* Get the "Unrecognized parameter" parameter(s) out of the
443 * ERROR chunk generated by sctp_verify_init(). Since the
444 * error cause code for "unknown parameter" and the
445 * "Unrecognized parameter" type is the same, we can
446 * construct the parameters in INIT ACK by copying the
449 unk_param = (struct sctp_unrecognized_param *)
450 ((__u8 *)(err_chunk->chunk_hdr) +
451 sizeof(struct sctp_chunkhdr));
452 /* Replace the cause code with the "Unrecognized parameter"
455 sctp_addto_chunk(repl, len, unk_param);
456 sctp_chunk_free(err_chunk);
459 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
461 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
464 * Note: After sending out INIT ACK with the State Cookie parameter,
465 * "Z" MUST NOT allocate any resources, nor keep any states for the
466 * new association. Otherwise, "Z" will be vulnerable to resource
469 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
471 return SCTP_DISPOSITION_DELETE_TCB;
474 sctp_association_free(new_asoc);
477 sctp_chunk_free(err_chunk);
478 return SCTP_DISPOSITION_NOMEM;
482 * Respond to a normal INIT ACK chunk.
483 * We are the side that is initiating the association.
485 * Section: 5.1 Normal Establishment of an Association, C
486 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
487 * timer and leave COOKIE-WAIT state. "A" shall then send the State
488 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
489 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
491 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
492 * DATA chunks, but it MUST be the first chunk in the packet and
493 * until the COOKIE ACK is returned the sender MUST NOT send any
494 * other packets to the peer.
496 * Verification Tag: 3.3.3
497 * If the value of the Initiate Tag in a received INIT ACK chunk is
498 * found to be 0, the receiver MUST treat it as an error and close the
499 * association by transmitting an ABORT.
502 * (endpoint, asoc, chunk)
505 * (asoc, reply_msg, msg_up, timers, counters)
507 * The return value is the disposition of the chunk.
509 enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
510 const struct sctp_endpoint *ep,
511 const struct sctp_association *asoc,
512 const union sctp_subtype type,
514 struct sctp_cmd_seq *commands)
516 struct sctp_init_chunk *initchunk;
517 struct sctp_chunk *chunk = arg;
518 struct sctp_chunk *err_chunk;
519 struct sctp_packet *packet;
521 if (!sctp_vtag_verify(chunk, asoc))
522 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
525 * An endpoint MUST NOT bundle INIT, INIT ACK or
526 * SHUTDOWN COMPLETE with any other chunks.
528 if (!chunk->singleton)
529 return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
531 /* Make sure that the INIT-ACK chunk has a valid length */
532 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
533 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
535 /* Grab the INIT header. */
536 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
538 /* Verify the INIT chunk before processing it. */
540 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
541 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
544 enum sctp_error error = SCTP_ERROR_NO_RESOURCE;
546 /* This chunk contains fatal error. It is to be discarded.
547 * Send an ABORT, with causes. If there are no causes,
548 * then there wasn't enough memory. Just terminate
552 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
553 (__u8 *)(err_chunk->chunk_hdr) +
554 sizeof(struct sctp_chunkhdr),
555 ntohs(err_chunk->chunk_hdr->length) -
556 sizeof(struct sctp_chunkhdr));
558 sctp_chunk_free(err_chunk);
561 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
562 SCTP_PACKET(packet));
563 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
564 error = SCTP_ERROR_INV_PARAM;
568 /* SCTP-AUTH, Section 6.3:
569 * It should be noted that if the receiver wants to tear
570 * down an association in an authenticated way only, the
571 * handling of malformed packets should not result in
572 * tearing down the association.
574 * This means that if we only want to abort associations
575 * in an authenticated way (i.e AUTH+ABORT), then we
576 * can't destroy this association just because the packet
579 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
580 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
582 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
583 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
584 asoc, chunk->transport);
587 /* Tag the variable length parameters. Note that we never
588 * convert the parameters in an INIT chunk.
590 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
592 initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;
594 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
595 SCTP_PEER_INIT(initchunk));
597 /* Reset init error count upon receipt of INIT-ACK. */
598 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
600 /* 5.1 C) "A" shall stop the T1-init timer and leave
601 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
602 * timer, and enter the COOKIE-ECHOED state.
604 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
605 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
606 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
607 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
608 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
609 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
611 /* SCTP-AUTH: genereate the assocition shared keys so that
612 * we can potentially signe the COOKIE-ECHO.
614 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
616 /* 5.1 C) "A" shall then send the State Cookie received in the
617 * INIT ACK chunk in a COOKIE ECHO chunk, ...
619 /* If there is any errors to report, send the ERROR chunk generated
620 * for unknown parameters as well.
622 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
623 SCTP_CHUNK(err_chunk));
625 return SCTP_DISPOSITION_CONSUME;
628 static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
629 const struct sctp_association *asoc)
631 struct sctp_chunk auth;
633 if (!chunk->auth_chunk)
636 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo
637 * is supposed to be authenticated and we have to do delayed
638 * authentication. We've just recreated the association using
639 * the information in the cookie and now it's much easier to
640 * do the authentication.
643 /* Make sure that we and the peer are AUTH capable */
644 if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
647 /* set-up our fake chunk so that we can process it */
648 auth.skb = chunk->auth_chunk;
649 auth.asoc = chunk->asoc;
650 auth.sctp_hdr = chunk->sctp_hdr;
651 auth.chunk_hdr = (struct sctp_chunkhdr *)
652 skb_push(chunk->auth_chunk,
653 sizeof(struct sctp_chunkhdr));
654 skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
655 auth.transport = chunk->transport;
657 return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
661 * Respond to a normal COOKIE ECHO chunk.
662 * We are the side that is being asked for an association.
664 * Section: 5.1 Normal Establishment of an Association, D
665 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
666 * with a COOKIE ACK chunk after building a TCB and moving to
667 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
668 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
669 * chunk MUST be the first chunk in the packet.
671 * IMPLEMENTATION NOTE: An implementation may choose to send the
672 * Communication Up notification to the SCTP user upon reception
673 * of a valid COOKIE ECHO chunk.
675 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
676 * D) Rules for packet carrying a COOKIE ECHO
678 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
679 * Initial Tag received in the INIT ACK.
681 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
684 * (endpoint, asoc, chunk)
687 * (asoc, reply_msg, msg_up, timers, counters)
689 * The return value is the disposition of the chunk.
691 enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
692 const struct sctp_endpoint *ep,
693 const struct sctp_association *asoc,
694 const union sctp_subtype type,
696 struct sctp_cmd_seq *commands)
698 struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
699 struct sctp_association *new_asoc;
700 struct sctp_init_chunk *peer_init;
701 struct sctp_chunk *chunk = arg;
702 struct sctp_chunk *err_chk_p;
703 struct sctp_chunk *repl;
707 /* If the packet is an OOTB packet which is temporarily on the
708 * control endpoint, respond with an ABORT.
710 if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
711 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
712 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
715 /* Make sure that the COOKIE_ECHO chunk has a valid length.
716 * In this case, we check that we have enough for at least a
717 * chunk header. More detailed verification is done
718 * in sctp_unpack_cookie().
720 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
721 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
723 /* If the endpoint is not listening or if the number of associations
724 * on the TCP-style socket exceed the max backlog, respond with an
728 if (!sctp_sstate(sk, LISTENING) ||
729 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
730 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
732 /* "Decode" the chunk. We have no optional parameters so we
735 chunk->subh.cookie_hdr =
736 (struct sctp_signed_cookie *)chunk->skb->data;
737 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
738 sizeof(struct sctp_chunkhdr)))
741 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
742 * "Z" will reply with a COOKIE ACK chunk after building a TCB
743 * and moving to the ESTABLISHED state.
745 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
749 * If the re-build failed, what is the proper error path
752 * [We should abort the association. --piggy]
755 /* FIXME: Several errors are possible. A bad cookie should
756 * be silently discarded, but think about logging it too.
759 case -SCTP_IERROR_NOMEM:
762 case -SCTP_IERROR_STALE_COOKIE:
763 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
765 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
767 case -SCTP_IERROR_BAD_SIG:
769 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
774 /* Delay state machine commands until later.
776 * Re-build the bind address for the association is done in
777 * the sctp_unpack_cookie() already.
779 /* This is a brand-new association, so these are not yet side
780 * effects--it is safe to run them here.
782 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
784 if (!sctp_process_init(new_asoc, chunk,
785 &chunk->subh.cookie_hdr->c.peer_addr,
786 peer_init, GFP_ATOMIC))
789 /* SCTP-AUTH: Now that we've populate required fields in
790 * sctp_process_init, set up the assocaition shared keys as
791 * necessary so that we can potentially authenticate the ACK
793 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
797 if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
798 sctp_association_free(new_asoc);
799 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
802 repl = sctp_make_cookie_ack(new_asoc, chunk);
806 /* RFC 2960 5.1 Normal Establishment of an Association
808 * D) IMPLEMENTATION NOTE: An implementation may choose to
809 * send the Communication Up notification to the SCTP user
810 * upon reception of a valid COOKIE ECHO chunk.
812 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
813 new_asoc->c.sinit_num_ostreams,
814 new_asoc->c.sinit_max_instreams,
819 /* Sockets API Draft Section 5.3.1.6
820 * When a peer sends a Adaptation Layer Indication parameter , SCTP
821 * delivers this notification to inform the application that of the
822 * peers requested adaptation layer.
824 if (new_asoc->peer.adaptation_ind) {
825 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
831 if (!new_asoc->peer.auth_capable) {
832 auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
839 /* Add all the state machine commands now since we've created
840 * everything. This way we don't introduce memory corruptions
841 * during side-effect processing and correclty count established
844 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
845 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
846 SCTP_STATE(SCTP_STATE_ESTABLISHED));
847 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
848 SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
849 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
851 if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
852 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
853 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
855 /* This will send the COOKIE ACK */
856 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
858 /* Queue the ASSOC_CHANGE event */
859 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
861 /* Send up the Adaptation Layer Indication event */
863 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
864 SCTP_ULPEVENT(ai_ev));
867 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
868 SCTP_ULPEVENT(auth_ev));
870 return SCTP_DISPOSITION_CONSUME;
873 sctp_ulpevent_free(ai_ev);
875 sctp_ulpevent_free(ev);
877 sctp_chunk_free(repl);
879 sctp_association_free(new_asoc);
881 return SCTP_DISPOSITION_NOMEM;
885 * Respond to a normal COOKIE ACK chunk.
886 * We are the side that is asking for an association.
888 * RFC 2960 5.1 Normal Establishment of an Association
890 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
891 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
892 * timer. It may also notify its ULP about the successful
893 * establishment of the association with a Communication Up
894 * notification (see Section 10).
898 * (endpoint, asoc, chunk)
901 * (asoc, reply_msg, msg_up, timers, counters)
903 * The return value is the disposition of the chunk.
905 enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
906 const struct sctp_endpoint *ep,
907 const struct sctp_association *asoc,
908 const union sctp_subtype type,
910 struct sctp_cmd_seq *commands)
912 struct sctp_chunk *chunk = arg;
913 struct sctp_ulpevent *ev;
915 if (!sctp_vtag_verify(chunk, asoc))
916 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
918 /* Verify that the chunk length for the COOKIE-ACK is OK.
919 * If we don't do this, any bundled chunks may be junked.
921 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
922 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
925 /* Reset init error count upon receipt of COOKIE-ACK,
926 * to avoid problems with the managemement of this
927 * counter in stale cookie situations when a transition back
928 * from the COOKIE-ECHOED state to the COOKIE-WAIT
929 * state is performed.
931 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
933 /* Set peer label for connection. */
934 security_inet_conn_established(ep->base.sk, chunk->skb);
936 /* RFC 2960 5.1 Normal Establishment of an Association
938 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
939 * from the COOKIE-ECHOED state to the ESTABLISHED state,
940 * stopping the T1-cookie timer.
942 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
943 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
944 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
945 SCTP_STATE(SCTP_STATE_ESTABLISHED));
946 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
947 SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
948 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
949 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
950 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
951 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
953 /* It may also notify its ULP about the successful
954 * establishment of the association with a Communication Up
955 * notification (see Section 10).
957 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
958 0, asoc->c.sinit_num_ostreams,
959 asoc->c.sinit_max_instreams,
965 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
967 /* Sockets API Draft Section 5.3.1.6
968 * When a peer sends a Adaptation Layer Indication parameter , SCTP
969 * delivers this notification to inform the application that of the
970 * peers requested adaptation layer.
972 if (asoc->peer.adaptation_ind) {
973 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
977 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
981 if (!asoc->peer.auth_capable) {
982 ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
986 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
990 return SCTP_DISPOSITION_CONSUME;
992 return SCTP_DISPOSITION_NOMEM;
995 /* Generate and sendout a heartbeat packet. */
996 static enum sctp_disposition sctp_sf_heartbeat(
997 const struct sctp_endpoint *ep,
998 const struct sctp_association *asoc,
999 const union sctp_subtype type,
1001 struct sctp_cmd_seq *commands)
1003 struct sctp_transport *transport = (struct sctp_transport *) arg;
1004 struct sctp_chunk *reply;
1006 /* Send a heartbeat to our peer. */
1007 reply = sctp_make_heartbeat(asoc, transport);
1009 return SCTP_DISPOSITION_NOMEM;
1011 /* Set rto_pending indicating that an RTT measurement
1012 * is started with this heartbeat chunk.
1014 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
1015 SCTP_TRANSPORT(transport));
1017 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1018 return SCTP_DISPOSITION_CONSUME;
1021 /* Generate a HEARTBEAT packet on the given transport. */
1022 enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
1023 const struct sctp_endpoint *ep,
1024 const struct sctp_association *asoc,
1025 const union sctp_subtype type,
1027 struct sctp_cmd_seq *commands)
1029 struct sctp_transport *transport = (struct sctp_transport *) arg;
1031 if (asoc->overall_error_count >= asoc->max_retrans) {
1032 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1033 SCTP_ERROR(ETIMEDOUT));
1034 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1035 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1036 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1037 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1038 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1039 return SCTP_DISPOSITION_DELETE_TCB;
1043 * The Sender-specific Heartbeat Info field should normally include
1044 * information about the sender's current time when this HEARTBEAT
1045 * chunk is sent and the destination transport address to which this
1046 * HEARTBEAT is sent (see Section 8.3).
1049 if (transport->param_flags & SPP_HB_ENABLE) {
1050 if (SCTP_DISPOSITION_NOMEM ==
1051 sctp_sf_heartbeat(ep, asoc, type, arg,
1053 return SCTP_DISPOSITION_NOMEM;
1055 /* Set transport error counter and association error counter
1056 * when sending heartbeat.
1058 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1059 SCTP_TRANSPORT(transport));
1061 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1062 SCTP_TRANSPORT(transport));
1063 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1064 SCTP_TRANSPORT(transport));
1066 return SCTP_DISPOSITION_CONSUME;
1069 /* resend asoc strreset_chunk. */
1070 enum sctp_disposition sctp_sf_send_reconf(struct net *net,
1071 const struct sctp_endpoint *ep,
1072 const struct sctp_association *asoc,
1073 const union sctp_subtype type,
1075 struct sctp_cmd_seq *commands)
1077 struct sctp_transport *transport = arg;
1079 if (asoc->overall_error_count >= asoc->max_retrans) {
1080 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1081 SCTP_ERROR(ETIMEDOUT));
1082 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1083 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1084 SCTP_PERR(SCTP_ERROR_NO_ERROR));
1085 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1086 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1087 return SCTP_DISPOSITION_DELETE_TCB;
1090 sctp_chunk_hold(asoc->strreset_chunk);
1091 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1092 SCTP_CHUNK(asoc->strreset_chunk));
1093 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
1095 return SCTP_DISPOSITION_CONSUME;
1099 * Process an heartbeat request.
1101 * Section: 8.3 Path Heartbeat
1102 * The receiver of the HEARTBEAT should immediately respond with a
1103 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1104 * from the received HEARTBEAT chunk.
1106 * Verification Tag: 8.5 Verification Tag [Normal verification]
1107 * When receiving an SCTP packet, the endpoint MUST ensure that the
1108 * value in the Verification Tag field of the received SCTP packet
1109 * matches its own Tag. If the received Verification Tag value does not
1110 * match the receiver's own tag value, the receiver shall silently
1111 * discard the packet and shall not process it any further except for
1112 * those cases listed in Section 8.5.1 below.
1115 * (endpoint, asoc, chunk)
1118 * (asoc, reply_msg, msg_up, timers, counters)
1120 * The return value is the disposition of the chunk.
1122 enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
1123 const struct sctp_endpoint *ep,
1124 const struct sctp_association *asoc,
1125 const union sctp_subtype type,
1126 void *arg, struct sctp_cmd_seq *commands)
1128 struct sctp_paramhdr *param_hdr;
1129 struct sctp_chunk *chunk = arg;
1130 struct sctp_chunk *reply;
1133 if (!sctp_vtag_verify(chunk, asoc))
1134 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1136 /* Make sure that the HEARTBEAT chunk has a valid length. */
1137 if (!sctp_chunk_length_valid(chunk,
1138 sizeof(struct sctp_heartbeat_chunk)))
1139 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1142 /* 8.3 The receiver of the HEARTBEAT should immediately
1143 * respond with a HEARTBEAT ACK that contains the Heartbeat
1144 * Information field copied from the received HEARTBEAT chunk.
1146 chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
1147 param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
1148 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);
1150 if (ntohs(param_hdr->length) > paylen)
1151 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1152 param_hdr, commands);
1154 if (!pskb_pull(chunk->skb, paylen))
1157 reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1161 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1162 return SCTP_DISPOSITION_CONSUME;
1165 return SCTP_DISPOSITION_NOMEM;
1169 * Process the returning HEARTBEAT ACK.
1171 * Section: 8.3 Path Heartbeat
1172 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1173 * should clear the error counter of the destination transport
1174 * address to which the HEARTBEAT was sent, and mark the destination
1175 * transport address as active if it is not so marked. The endpoint may
1176 * optionally report to the upper layer when an inactive destination
1177 * address is marked as active due to the reception of the latest
1178 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1179 * clear the association overall error count as well (as defined
1182 * The receiver of the HEARTBEAT ACK should also perform an RTT
1183 * measurement for that destination transport address using the time
1184 * value carried in the HEARTBEAT ACK chunk.
1186 * Verification Tag: 8.5 Verification Tag [Normal verification]
1189 * (endpoint, asoc, chunk)
1192 * (asoc, reply_msg, msg_up, timers, counters)
1194 * The return value is the disposition of the chunk.
1196 enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
1197 const struct sctp_endpoint *ep,
1198 const struct sctp_association *asoc,
1199 const union sctp_subtype type,
1201 struct sctp_cmd_seq *commands)
1203 struct sctp_sender_hb_info *hbinfo;
1204 struct sctp_chunk *chunk = arg;
1205 struct sctp_transport *link;
1206 unsigned long max_interval;
1207 union sctp_addr from_addr;
1209 if (!sctp_vtag_verify(chunk, asoc))
1210 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1212 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1213 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
1215 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1218 hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;
1219 /* Make sure that the length of the parameter is what we expect */
1220 if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
1221 return SCTP_DISPOSITION_DISCARD;
1223 from_addr = hbinfo->daddr;
1224 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1226 /* This should never happen, but lets log it if so. */
1227 if (unlikely(!link)) {
1228 if (from_addr.sa.sa_family == AF_INET6) {
1229 net_warn_ratelimited("%s association %p could not find address %pI6\n",
1232 &from_addr.v6.sin6_addr);
1234 net_warn_ratelimited("%s association %p could not find address %pI4\n",
1237 &from_addr.v4.sin_addr.s_addr);
1239 return SCTP_DISPOSITION_DISCARD;
1242 /* Validate the 64-bit random nonce. */
1243 if (hbinfo->hb_nonce != link->hb_nonce)
1244 return SCTP_DISPOSITION_DISCARD;
1246 max_interval = link->hbinterval + link->rto;
1248 /* Check if the timestamp looks valid. */
1249 if (time_after(hbinfo->sent_at, jiffies) ||
1250 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1251 pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1252 "for transport:%p\n", __func__, link);
1254 return SCTP_DISPOSITION_DISCARD;
1257 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1258 * the HEARTBEAT should clear the error counter of the
1259 * destination transport address to which the HEARTBEAT was
1260 * sent and mark the destination transport address as active if
1261 * it is not so marked.
1263 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1265 return SCTP_DISPOSITION_CONSUME;
1268 /* Helper function to send out an abort for the restart
1271 static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1272 struct sctp_chunk *init,
1273 struct sctp_cmd_seq *commands)
1275 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1276 union sctp_addr_param *addrparm;
1277 struct sctp_errhdr *errhdr;
1278 char buffer[sizeof(*errhdr) + sizeof(*addrparm)];
1279 struct sctp_endpoint *ep;
1280 struct sctp_packet *pkt;
1283 /* Build the error on the stack. We are way to malloc crazy
1284 * throughout the code today.
1286 errhdr = (struct sctp_errhdr *)buffer;
1287 addrparm = (union sctp_addr_param *)errhdr->variable;
1289 /* Copy into a parm format. */
1290 len = af->to_addr_param(ssa, addrparm);
1291 len += sizeof(*errhdr);
1293 errhdr->cause = SCTP_ERROR_RESTART;
1294 errhdr->length = htons(len);
1296 /* Assign to the control socket. */
1297 ep = sctp_sk(net->sctp.ctl_sock)->ep;
1299 /* Association is NULL since this may be a restart attack and we
1300 * want to send back the attacker's vtag.
1302 pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1306 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1308 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1310 /* Discard the rest of the inbound packet. */
1311 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1314 /* Even if there is no memory, treat as a failure so
1315 * the packet will get dropped.
1320 static bool list_has_sctp_addr(const struct list_head *list,
1321 union sctp_addr *ipaddr)
1323 struct sctp_transport *addr;
1325 list_for_each_entry(addr, list, transports) {
1326 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1332 /* A restart is occurring, check to make sure no new addresses
1333 * are being added as we may be under a takeover attack.
1335 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1336 const struct sctp_association *asoc,
1337 struct sctp_chunk *init,
1338 struct sctp_cmd_seq *commands)
1340 struct net *net = new_asoc->base.net;
1341 struct sctp_transport *new_addr;
1344 /* Implementor's Guide - Section 5.2.2
1346 * Before responding the endpoint MUST check to see if the
1347 * unexpected INIT adds new addresses to the association. If new
1348 * addresses are added to the association, the endpoint MUST respond
1352 /* Search through all current addresses and make sure
1353 * we aren't adding any new ones.
1355 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1357 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1358 &new_addr->ipaddr)) {
1359 sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1366 /* Return success if all addresses were found. */
1370 /* Populate the verification/tie tags based on overlapping INIT
1373 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1375 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1376 const struct sctp_association *asoc)
1378 switch (asoc->state) {
1380 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1382 case SCTP_STATE_COOKIE_WAIT:
1383 new_asoc->c.my_vtag = asoc->c.my_vtag;
1384 new_asoc->c.my_ttag = asoc->c.my_vtag;
1385 new_asoc->c.peer_ttag = 0;
1388 case SCTP_STATE_COOKIE_ECHOED:
1389 new_asoc->c.my_vtag = asoc->c.my_vtag;
1390 new_asoc->c.my_ttag = asoc->c.my_vtag;
1391 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1394 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1395 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1398 new_asoc->c.my_ttag = asoc->c.my_vtag;
1399 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1403 /* Other parameters for the endpoint SHOULD be copied from the
1404 * existing parameters of the association (e.g. number of
1405 * outbound streams) into the INIT ACK and cookie.
1407 new_asoc->rwnd = asoc->rwnd;
1408 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1409 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1410 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1414 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1417 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1419 * Returns value representing action to be taken. These action values
1420 * correspond to Action/Description values in RFC 2960, Table 2.
1422 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1423 const struct sctp_association *asoc)
1425 /* In this case, the peer may have restarted. */
1426 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1427 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1428 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1429 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1432 /* Collision case B. */
1433 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1434 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1435 (0 == asoc->c.peer_vtag))) {
1439 /* Collision case D. */
1440 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1441 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1444 /* Collision case C. */
1445 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1446 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1447 (0 == new_asoc->c.my_ttag) &&
1448 (0 == new_asoc->c.peer_ttag))
1451 /* No match to any of the special cases; discard this packet. */
1455 /* Common helper routine for both duplicate and simultaneous INIT
1458 static enum sctp_disposition sctp_sf_do_unexpected_init(
1460 const struct sctp_endpoint *ep,
1461 const struct sctp_association *asoc,
1462 const union sctp_subtype type,
1464 struct sctp_cmd_seq *commands)
1466 struct sctp_chunk *chunk = arg, *repl, *err_chunk;
1467 struct sctp_unrecognized_param *unk_param;
1468 struct sctp_association *new_asoc;
1469 enum sctp_disposition retval;
1470 struct sctp_packet *packet;
1473 /* Update socket peer label if first association. */
1474 if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
1476 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1479 * An endpoint MUST NOT bundle INIT, INIT ACK or
1480 * SHUTDOWN COMPLETE with any other chunks.
1483 * Furthermore, we require that the receiver of an INIT chunk MUST
1484 * enforce these rules by silently discarding an arriving packet
1485 * with an INIT chunk that is bundled with other chunks.
1487 if (!chunk->singleton)
1488 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1490 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1493 if (chunk->sctp_hdr->vtag != 0)
1494 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1496 /* Make sure that the INIT chunk has a valid length.
1497 * In this case, we generate a protocol violation since we have
1498 * an association established.
1500 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
1501 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1504 if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port)
1505 return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands);
1507 /* Grab the INIT header. */
1508 chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
1510 /* Tag the variable length parameters. */
1511 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
1513 /* Verify the INIT chunk before processing it. */
1515 if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1516 (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
1518 /* This chunk contains fatal error. It is to be discarded.
1519 * Send an ABORT, with causes if there is any.
1522 packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1523 (__u8 *)(err_chunk->chunk_hdr) +
1524 sizeof(struct sctp_chunkhdr),
1525 ntohs(err_chunk->chunk_hdr->length) -
1526 sizeof(struct sctp_chunkhdr));
1529 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1530 SCTP_PACKET(packet));
1531 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1532 retval = SCTP_DISPOSITION_CONSUME;
1534 retval = SCTP_DISPOSITION_NOMEM;
1538 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1544 * Other parameters for the endpoint SHOULD be copied from the
1545 * existing parameters of the association (e.g. number of
1546 * outbound streams) into the INIT ACK and cookie.
1547 * FIXME: We are copying parameters from the endpoint not the
1550 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1554 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1555 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1558 /* In the outbound INIT ACK the endpoint MUST copy its current
1559 * Verification Tag and Peers Verification tag into a reserved
1560 * place (local tie-tag and per tie-tag) within the state cookie.
1562 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1563 (struct sctp_init_chunk *)chunk->chunk_hdr,
1567 /* Make sure no new addresses are being added during the
1568 * restart. Do not do this check for COOKIE-WAIT state,
1569 * since there are no peer addresses to check against.
1570 * Upon return an ABORT will have been sent if needed.
1572 if (!sctp_state(asoc, COOKIE_WAIT)) {
1573 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1575 retval = SCTP_DISPOSITION_CONSUME;
1580 sctp_tietags_populate(new_asoc, asoc);
1582 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1584 /* If there are errors need to be reported for unknown parameters,
1585 * make sure to reserve enough room in the INIT ACK for them.
1589 len = ntohs(err_chunk->chunk_hdr->length) -
1590 sizeof(struct sctp_chunkhdr);
1593 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1597 /* If there are errors need to be reported for unknown parameters,
1598 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1602 /* Get the "Unrecognized parameter" parameter(s) out of the
1603 * ERROR chunk generated by sctp_verify_init(). Since the
1604 * error cause code for "unknown parameter" and the
1605 * "Unrecognized parameter" type is the same, we can
1606 * construct the parameters in INIT ACK by copying the
1607 * ERROR causes over.
1609 unk_param = (struct sctp_unrecognized_param *)
1610 ((__u8 *)(err_chunk->chunk_hdr) +
1611 sizeof(struct sctp_chunkhdr));
1612 /* Replace the cause code with the "Unrecognized parameter"
1615 sctp_addto_chunk(repl, len, unk_param);
1618 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1619 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1622 * Note: After sending out INIT ACK with the State Cookie parameter,
1623 * "Z" MUST NOT allocate any resources for this new association.
1624 * Otherwise, "Z" will be vulnerable to resource attacks.
1626 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1627 retval = SCTP_DISPOSITION_CONSUME;
1632 retval = SCTP_DISPOSITION_NOMEM;
1635 sctp_association_free(new_asoc);
1638 sctp_chunk_free(err_chunk);
1643 * Handle simultaneous INIT.
1644 * This means we started an INIT and then we got an INIT request from
1647 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1648 * This usually indicates an initialization collision, i.e., each
1649 * endpoint is attempting, at about the same time, to establish an
1650 * association with the other endpoint.
1652 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1653 * endpoint MUST respond with an INIT ACK using the same parameters it
1654 * sent in its original INIT chunk (including its Verification Tag,
1655 * unchanged). These original parameters are combined with those from the
1656 * newly received INIT chunk. The endpoint shall also generate a State
1657 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1658 * INIT to calculate the State Cookie.
1660 * After that, the endpoint MUST NOT change its state, the T1-init
1661 * timer shall be left running and the corresponding TCB MUST NOT be
1662 * destroyed. The normal procedures for handling State Cookies when
1663 * a TCB exists will resolve the duplicate INITs to a single association.
1665 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1666 * its Tie-Tags with the Tag information of itself and its peer (see
1667 * section 5.2.2 for a description of the Tie-Tags).
1669 * Verification Tag: Not explicit, but an INIT can not have a valid
1670 * verification tag, so we skip the check.
1673 * (endpoint, asoc, chunk)
1676 * (asoc, reply_msg, msg_up, timers, counters)
1678 * The return value is the disposition of the chunk.
1680 enum sctp_disposition sctp_sf_do_5_2_1_siminit(
1682 const struct sctp_endpoint *ep,
1683 const struct sctp_association *asoc,
1684 const union sctp_subtype type,
1686 struct sctp_cmd_seq *commands)
1688 /* Call helper to do the real work for both simultaneous and
1689 * duplicate INIT chunk handling.
1691 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1695 * Handle duplicated INIT messages. These are usually delayed
1698 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1699 * COOKIE-ECHOED and COOKIE-WAIT
1701 * Unless otherwise stated, upon reception of an unexpected INIT for
1702 * this association, the endpoint shall generate an INIT ACK with a
1703 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1704 * current Verification Tag and peer's Verification Tag into a reserved
1705 * place within the state cookie. We shall refer to these locations as
1706 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1707 * containing this INIT ACK MUST carry a Verification Tag value equal to
1708 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1709 * MUST contain a new Initiation Tag (randomly generated see Section
1710 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1711 * existing parameters of the association (e.g. number of outbound
1712 * streams) into the INIT ACK and cookie.
1714 * After sending out the INIT ACK, the endpoint shall take no further
1715 * actions, i.e., the existing association, including its current state,
1716 * and the corresponding TCB MUST NOT be changed.
1718 * Note: Only when a TCB exists and the association is not in a COOKIE-
1719 * WAIT state are the Tie-Tags populated. For a normal association INIT
1720 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1721 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1722 * State Cookie are populated as specified in section 5.2.1.
1724 * Verification Tag: Not specified, but an INIT has no way of knowing
1725 * what the verification tag could be, so we ignore it.
1728 * (endpoint, asoc, chunk)
1731 * (asoc, reply_msg, msg_up, timers, counters)
1733 * The return value is the disposition of the chunk.
1735 enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
1737 const struct sctp_endpoint *ep,
1738 const struct sctp_association *asoc,
1739 const union sctp_subtype type,
1741 struct sctp_cmd_seq *commands)
1743 /* Call helper to do the real work for both simultaneous and
1744 * duplicate INIT chunk handling.
1746 return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1751 * Unexpected INIT-ACK handler.
1754 * If an INIT ACK received by an endpoint in any state other than the
1755 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1756 * An unexpected INIT ACK usually indicates the processing of an old or
1757 * duplicated INIT chunk.
1759 enum sctp_disposition sctp_sf_do_5_2_3_initack(
1761 const struct sctp_endpoint *ep,
1762 const struct sctp_association *asoc,
1763 const union sctp_subtype type,
1765 struct sctp_cmd_seq *commands)
1767 /* Per the above section, we'll discard the chunk if we have an
1768 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1770 if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1771 return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1773 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1776 static int sctp_sf_do_assoc_update(struct sctp_association *asoc,
1777 struct sctp_association *new,
1778 struct sctp_cmd_seq *cmds)
1780 struct net *net = asoc->base.net;
1781 struct sctp_chunk *abort;
1783 if (!sctp_assoc_update(asoc, new))
1786 abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
1788 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
1789 sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
1791 sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
1792 sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED,
1793 SCTP_PERR(SCTP_ERROR_RSRC_LOW));
1794 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1795 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1800 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1803 * A) In this case, the peer may have restarted.
1805 static enum sctp_disposition sctp_sf_do_dupcook_a(
1807 const struct sctp_endpoint *ep,
1808 const struct sctp_association *asoc,
1809 struct sctp_chunk *chunk,
1810 struct sctp_cmd_seq *commands,
1811 struct sctp_association *new_asoc)
1813 struct sctp_init_chunk *peer_init;
1814 enum sctp_disposition disposition;
1815 struct sctp_ulpevent *ev;
1816 struct sctp_chunk *repl;
1817 struct sctp_chunk *err;
1819 /* new_asoc is a brand-new association, so these are not yet
1820 * side effects--it is safe to run them here.
1822 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1824 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1828 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1831 if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1832 return SCTP_DISPOSITION_DISCARD;
1834 /* Make sure no new addresses are being added during the
1835 * restart. Though this is a pretty complicated attack
1836 * since you'd have to get inside the cookie.
1838 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
1839 return SCTP_DISPOSITION_CONSUME;
1841 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1842 * the peer has restarted (Action A), it MUST NOT setup a new
1843 * association but instead resend the SHUTDOWN ACK and send an ERROR
1844 * chunk with a "Cookie Received while Shutting Down" error cause to
1847 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1848 disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
1849 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1851 if (SCTP_DISPOSITION_NOMEM == disposition)
1854 err = sctp_make_op_error(asoc, chunk,
1855 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1858 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1861 return SCTP_DISPOSITION_CONSUME;
1864 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1865 * data. Consider the optional choice of resending of this data.
1867 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1868 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1869 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1870 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1872 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1873 * and ASCONF-ACK cache.
1875 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1876 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1877 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1879 /* Update the content of current association. */
1880 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1883 repl = sctp_make_cookie_ack(asoc, chunk);
1887 /* Report association restart to upper layer. */
1888 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1889 asoc->c.sinit_num_ostreams,
1890 asoc->c.sinit_max_instreams,
1895 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1896 if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
1897 sctp_state(asoc, SHUTDOWN_SENT)) &&
1898 (sctp_sstate(asoc->base.sk, CLOSING) ||
1899 sock_flag(asoc->base.sk, SOCK_DEAD))) {
1900 /* If the socket has been closed by user, don't
1901 * transition to ESTABLISHED. Instead trigger SHUTDOWN
1902 * bundled with COOKIE_ACK.
1904 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1905 return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1906 SCTP_ST_CHUNK(0), repl,
1909 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1910 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1911 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1913 return SCTP_DISPOSITION_CONSUME;
1916 sctp_chunk_free(repl);
1918 return SCTP_DISPOSITION_NOMEM;
1921 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1924 * B) In this case, both sides may be attempting to start an association
1925 * at about the same time but the peer endpoint started its INIT
1926 * after responding to the local endpoint's INIT
1928 /* This case represents an initialization collision. */
1929 static enum sctp_disposition sctp_sf_do_dupcook_b(
1931 const struct sctp_endpoint *ep,
1932 const struct sctp_association *asoc,
1933 struct sctp_chunk *chunk,
1934 struct sctp_cmd_seq *commands,
1935 struct sctp_association *new_asoc)
1937 struct sctp_init_chunk *peer_init;
1938 struct sctp_chunk *repl;
1940 /* new_asoc is a brand-new association, so these are not yet
1941 * side effects--it is safe to run them here.
1943 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1944 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1948 if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1951 if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1952 return SCTP_DISPOSITION_DISCARD;
1954 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1955 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1956 if (asoc->state < SCTP_STATE_ESTABLISHED)
1957 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1958 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1960 /* Update the content of current association. */
1961 if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1964 repl = sctp_make_cookie_ack(asoc, chunk);
1968 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1970 /* RFC 2960 5.1 Normal Establishment of an Association
1972 * D) IMPLEMENTATION NOTE: An implementation may choose to
1973 * send the Communication Up notification to the SCTP user
1974 * upon reception of a valid COOKIE ECHO chunk.
1976 * Sadly, this needs to be implemented as a side-effect, because
1977 * we are not guaranteed to have set the association id of the real
1978 * association and so these notifications need to be delayed until
1979 * the association id is allocated.
1982 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1984 /* Sockets API Draft Section 5.3.1.6
1985 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1986 * delivers this notification to inform the application that of the
1987 * peers requested adaptation layer.
1989 * This also needs to be done as a side effect for the same reason as
1992 if (asoc->peer.adaptation_ind)
1993 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1995 if (!asoc->peer.auth_capable)
1996 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());
1998 return SCTP_DISPOSITION_CONSUME;
2001 return SCTP_DISPOSITION_NOMEM;
2004 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
2007 * C) In this case, the local endpoint's cookie has arrived late.
2008 * Before it arrived, the local endpoint sent an INIT and received an
2009 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
2010 * but a new tag of its own.
2012 /* This case represents an initialization collision. */
2013 static enum sctp_disposition sctp_sf_do_dupcook_c(
2015 const struct sctp_endpoint *ep,
2016 const struct sctp_association *asoc,
2017 struct sctp_chunk *chunk,
2018 struct sctp_cmd_seq *commands,
2019 struct sctp_association *new_asoc)
2021 /* The cookie should be silently discarded.
2022 * The endpoint SHOULD NOT change states and should leave
2023 * any timers running.
2025 return SCTP_DISPOSITION_DISCARD;
2028 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
2032 * D) When both local and remote tags match the endpoint should always
2033 * enter the ESTABLISHED state, if it has not already done so.
2035 /* This case represents an initialization collision. */
2036 static enum sctp_disposition sctp_sf_do_dupcook_d(
2038 const struct sctp_endpoint *ep,
2039 const struct sctp_association *asoc,
2040 struct sctp_chunk *chunk,
2041 struct sctp_cmd_seq *commands,
2042 struct sctp_association *new_asoc)
2044 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;
2045 struct sctp_chunk *repl;
2047 /* Clarification from Implementor's Guide:
2048 * D) When both local and remote tags match the endpoint should
2049 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
2050 * It should stop any cookie timer that may be running and send
2054 if (!sctp_auth_chunk_verify(net, chunk, asoc))
2055 return SCTP_DISPOSITION_DISCARD;
2057 /* Don't accidentally move back into established state. */
2058 if (asoc->state < SCTP_STATE_ESTABLISHED) {
2059 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2060 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2061 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2062 SCTP_STATE(SCTP_STATE_ESTABLISHED));
2063 SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2064 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
2067 /* RFC 2960 5.1 Normal Establishment of an Association
2069 * D) IMPLEMENTATION NOTE: An implementation may choose
2070 * to send the Communication Up notification to the
2071 * SCTP user upon reception of a valid COOKIE
2074 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
2076 asoc->c.sinit_num_ostreams,
2077 asoc->c.sinit_max_instreams,
2082 /* Sockets API Draft Section 5.3.1.6
2083 * When a peer sends a Adaptation Layer Indication parameter,
2084 * SCTP delivers this notification to inform the application
2085 * that of the peers requested adaptation layer.
2087 if (asoc->peer.adaptation_ind) {
2088 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
2095 if (!asoc->peer.auth_capable) {
2096 auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
2104 repl = sctp_make_cookie_ack(asoc, chunk);
2108 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2111 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2114 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2115 SCTP_ULPEVENT(ai_ev));
2117 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2118 SCTP_ULPEVENT(auth_ev));
2120 return SCTP_DISPOSITION_CONSUME;
2124 sctp_ulpevent_free(auth_ev);
2126 sctp_ulpevent_free(ai_ev);
2128 sctp_ulpevent_free(ev);
2129 return SCTP_DISPOSITION_NOMEM;
2133 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
2134 * chunk was retransmitted and then delayed in the network.
2136 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
2138 * Verification Tag: None. Do cookie validation.
2141 * (endpoint, asoc, chunk)
2144 * (asoc, reply_msg, msg_up, timers, counters)
2146 * The return value is the disposition of the chunk.
2148 enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
2150 const struct sctp_endpoint *ep,
2151 const struct sctp_association *asoc,
2152 const union sctp_subtype type,
2154 struct sctp_cmd_seq *commands)
2156 struct sctp_association *new_asoc;
2157 struct sctp_chunk *chunk = arg;
2158 enum sctp_disposition retval;
2159 struct sctp_chunk *err_chk_p;
2163 /* Make sure that the chunk has a valid length from the protocol
2164 * perspective. In this case check to make sure we have at least
2165 * enough for the chunk header. Cookie length verification is
2168 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2169 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2172 /* "Decode" the chunk. We have no optional parameters so we
2173 * are in good shape.
2175 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2176 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2177 sizeof(struct sctp_chunkhdr)))
2180 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2181 * of a duplicate COOKIE ECHO match the Verification Tags of the
2182 * current association, consider the State Cookie valid even if
2183 * the lifespan is exceeded.
2185 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2189 * If the re-build failed, what is the proper error path
2192 * [We should abort the association. --piggy]
2195 /* FIXME: Several errors are possible. A bad cookie should
2196 * be silently discarded, but think about logging it too.
2199 case -SCTP_IERROR_NOMEM:
2202 case -SCTP_IERROR_STALE_COOKIE:
2203 sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2205 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2206 case -SCTP_IERROR_BAD_SIG:
2208 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2212 /* Update socket peer label if first association. */
2213 if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
2215 sctp_association_free(new_asoc);
2216 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2219 /* Set temp so that it won't be added into hashtable */
2222 /* Compare the tie_tag in cookie with the verification tag of
2223 * current association.
2225 action = sctp_tietags_compare(new_asoc, asoc);
2228 case 'A': /* Association restart. */
2229 retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2233 case 'B': /* Collision case B. */
2234 retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2238 case 'C': /* Collision case C. */
2239 retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2243 case 'D': /* Collision case D. */
2244 retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2248 default: /* Discard packet for all others. */
2249 retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2253 /* Delete the temporary new association. */
2254 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2255 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2257 /* Restore association pointer to provide SCTP command interpreter
2258 * with a valid context in case it needs to manipulate
2260 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2261 SCTP_ASOC((struct sctp_association *)asoc));
2266 return SCTP_DISPOSITION_NOMEM;
2270 * Process an ABORT. (SHUTDOWN-PENDING state)
2272 * See sctp_sf_do_9_1_abort().
2274 enum sctp_disposition sctp_sf_shutdown_pending_abort(
2276 const struct sctp_endpoint *ep,
2277 const struct sctp_association *asoc,
2278 const union sctp_subtype type,
2280 struct sctp_cmd_seq *commands)
2282 struct sctp_chunk *chunk = arg;
2284 if (!sctp_vtag_verify_either(chunk, asoc))
2285 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2287 /* Make sure that the ABORT chunk has a valid length.
2288 * Since this is an ABORT chunk, we have to discard it
2289 * because of the following text:
2290 * RFC 2960, Section 3.3.7
2291 * If an endpoint receives an ABORT with a format error or for an
2292 * association that doesn't exist, it MUST silently discard it.
2293 * Because the length is "invalid", we can't really discard just
2294 * as we do not know its true length. So, to be safe, discard the
2297 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2298 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2300 /* ADD-IP: Special case for ABORT chunks
2301 * F4) One special consideration is that ABORT Chunks arriving
2302 * destined to the IP address being deleted MUST be
2303 * ignored (see Section 5.3.1 for further details).
2305 if (SCTP_ADDR_DEL ==
2306 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2307 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2309 if (!sctp_err_chunk_valid(chunk))
2310 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2312 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2316 * Process an ABORT. (SHUTDOWN-SENT state)
2318 * See sctp_sf_do_9_1_abort().
2320 enum sctp_disposition sctp_sf_shutdown_sent_abort(
2322 const struct sctp_endpoint *ep,
2323 const struct sctp_association *asoc,
2324 const union sctp_subtype type,
2326 struct sctp_cmd_seq *commands)
2328 struct sctp_chunk *chunk = arg;
2330 if (!sctp_vtag_verify_either(chunk, asoc))
2331 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2333 /* Make sure that the ABORT chunk has a valid length.
2334 * Since this is an ABORT chunk, we have to discard it
2335 * because of the following text:
2336 * RFC 2960, Section 3.3.7
2337 * If an endpoint receives an ABORT with a format error or for an
2338 * association that doesn't exist, it MUST silently discard it.
2339 * Because the length is "invalid", we can't really discard just
2340 * as we do not know its true length. So, to be safe, discard the
2343 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2344 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2346 /* ADD-IP: Special case for ABORT chunks
2347 * F4) One special consideration is that ABORT Chunks arriving
2348 * destined to the IP address being deleted MUST be
2349 * ignored (see Section 5.3.1 for further details).
2351 if (SCTP_ADDR_DEL ==
2352 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2353 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2355 if (!sctp_err_chunk_valid(chunk))
2356 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2358 /* Stop the T2-shutdown timer. */
2359 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2360 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2362 /* Stop the T5-shutdown guard timer. */
2363 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2364 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2366 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2370 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2372 * See sctp_sf_do_9_1_abort().
2374 enum sctp_disposition sctp_sf_shutdown_ack_sent_abort(
2376 const struct sctp_endpoint *ep,
2377 const struct sctp_association *asoc,
2378 const union sctp_subtype type,
2380 struct sctp_cmd_seq *commands)
2382 /* The same T2 timer, so we should be able to use
2383 * common function with the SHUTDOWN-SENT state.
2385 return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2389 * Handle an Error received in COOKIE_ECHOED state.
2391 * Only handle the error type of stale COOKIE Error, the other errors will
2395 * (endpoint, asoc, chunk)
2398 * (asoc, reply_msg, msg_up, timers, counters)
2400 * The return value is the disposition of the chunk.
2402 enum sctp_disposition sctp_sf_cookie_echoed_err(
2404 const struct sctp_endpoint *ep,
2405 const struct sctp_association *asoc,
2406 const union sctp_subtype type,
2408 struct sctp_cmd_seq *commands)
2410 struct sctp_chunk *chunk = arg;
2411 struct sctp_errhdr *err;
2413 if (!sctp_vtag_verify(chunk, asoc))
2414 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2416 /* Make sure that the ERROR chunk has a valid length.
2417 * The parameter walking depends on this as well.
2419 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
2420 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2423 /* Process the error here */
2424 /* FUTURE FIXME: When PR-SCTP related and other optional
2425 * parms are emitted, this will have to change to handle multiple
2428 sctp_walk_errors(err, chunk->chunk_hdr) {
2429 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2430 return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2434 /* It is possible to have malformed error causes, and that
2435 * will cause us to end the walk early. However, since
2436 * we are discarding the packet, there should be no adverse
2439 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2443 * Handle a Stale COOKIE Error
2445 * Section: 5.2.6 Handle Stale COOKIE Error
2446 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2447 * one of the following three alternatives.
2449 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2450 * Preservative parameter requesting an extension to the lifetime of
2451 * the State Cookie. When calculating the time extension, an
2452 * implementation SHOULD use the RTT information measured based on the
2453 * previous COOKIE ECHO / ERROR exchange, and should add no more
2454 * than 1 second beyond the measured RTT, due to long State Cookie
2455 * lifetimes making the endpoint more subject to a replay attack.
2457 * Verification Tag: Not explicit, but safe to ignore.
2460 * (endpoint, asoc, chunk)
2463 * (asoc, reply_msg, msg_up, timers, counters)
2465 * The return value is the disposition of the chunk.
2467 static enum sctp_disposition sctp_sf_do_5_2_6_stale(
2469 const struct sctp_endpoint *ep,
2470 const struct sctp_association *asoc,
2471 const union sctp_subtype type,
2473 struct sctp_cmd_seq *commands)
2475 int attempts = asoc->init_err_counter + 1;
2476 struct sctp_chunk *chunk = arg, *reply;
2477 struct sctp_cookie_preserve_param bht;
2478 struct sctp_bind_addr *bp;
2479 struct sctp_errhdr *err;
2482 if (attempts > asoc->max_init_attempts) {
2483 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2484 SCTP_ERROR(ETIMEDOUT));
2485 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2486 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2487 return SCTP_DISPOSITION_DELETE_TCB;
2490 err = (struct sctp_errhdr *)(chunk->skb->data);
2492 /* When calculating the time extension, an implementation
2493 * SHOULD use the RTT information measured based on the
2494 * previous COOKIE ECHO / ERROR exchange, and should add no
2495 * more than 1 second beyond the measured RTT, due to long
2496 * State Cookie lifetimes making the endpoint more subject to
2498 * Measure of Staleness's unit is usec. (1/1000000 sec)
2499 * Suggested Cookie Life-span Increment's unit is msec.
2501 * In general, if you use the suggested cookie life, the value
2502 * found in the field of measure of staleness should be doubled
2503 * to give ample time to retransmit the new cookie and thus
2504 * yield a higher probability of success on the reattempt.
2506 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));
2507 stale = (stale * 2) / 1000;
2509 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2510 bht.param_hdr.length = htons(sizeof(bht));
2511 bht.lifespan_increment = htonl(stale);
2513 /* Build that new INIT chunk. */
2514 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2515 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2519 sctp_addto_chunk(reply, sizeof(bht), &bht);
2521 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2522 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2524 /* Stop pending T3-rtx and heartbeat timers */
2525 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2526 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2528 /* Delete non-primary peer ip addresses since we are transitioning
2529 * back to the COOKIE-WAIT state
2531 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2533 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2536 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2537 SCTP_TRANSPORT(asoc->peer.primary_path));
2539 /* Cast away the const modifier, as we want to just
2540 * rerun it through as a sideffect.
2542 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2544 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2545 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2546 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2547 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2548 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2549 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2551 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2553 return SCTP_DISPOSITION_CONSUME;
2556 return SCTP_DISPOSITION_NOMEM;
2563 * After checking the Verification Tag, the receiving endpoint shall
2564 * remove the association from its record, and shall report the
2565 * termination to its upper layer.
2567 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2568 * B) Rules for packet carrying ABORT:
2570 * - The endpoint shall always fill in the Verification Tag field of the
2571 * outbound packet with the destination endpoint's tag value if it
2574 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2575 * MUST follow the procedure described in Section 8.4.
2577 * - The receiver MUST accept the packet if the Verification Tag
2578 * matches either its own tag, OR the tag of its peer. Otherwise, the
2579 * receiver MUST silently discard the packet and take no further
2583 * (endpoint, asoc, chunk)
2586 * (asoc, reply_msg, msg_up, timers, counters)
2588 * The return value is the disposition of the chunk.
2590 enum sctp_disposition sctp_sf_do_9_1_abort(
2592 const struct sctp_endpoint *ep,
2593 const struct sctp_association *asoc,
2594 const union sctp_subtype type,
2596 struct sctp_cmd_seq *commands)
2598 struct sctp_chunk *chunk = arg;
2600 if (!sctp_vtag_verify_either(chunk, asoc))
2601 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2603 /* Make sure that the ABORT chunk has a valid length.
2604 * Since this is an ABORT chunk, we have to discard it
2605 * because of the following text:
2606 * RFC 2960, Section 3.3.7
2607 * If an endpoint receives an ABORT with a format error or for an
2608 * association that doesn't exist, it MUST silently discard it.
2609 * Because the length is "invalid", we can't really discard just
2610 * as we do not know its true length. So, to be safe, discard the
2613 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2614 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2616 /* ADD-IP: Special case for ABORT chunks
2617 * F4) One special consideration is that ABORT Chunks arriving
2618 * destined to the IP address being deleted MUST be
2619 * ignored (see Section 5.3.1 for further details).
2621 if (SCTP_ADDR_DEL ==
2622 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2623 return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2625 if (!sctp_err_chunk_valid(chunk))
2626 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2628 return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2631 static enum sctp_disposition __sctp_sf_do_9_1_abort(
2633 const struct sctp_endpoint *ep,
2634 const struct sctp_association *asoc,
2635 const union sctp_subtype type,
2637 struct sctp_cmd_seq *commands)
2639 __be16 error = SCTP_ERROR_NO_ERROR;
2640 struct sctp_chunk *chunk = arg;
2643 /* See if we have an error cause code in the chunk. */
2644 len = ntohs(chunk->chunk_hdr->length);
2645 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2646 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2648 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2649 /* ASSOC_FAILED will DELETE_TCB. */
2650 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2651 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2652 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2654 return SCTP_DISPOSITION_ABORT;
2658 * Process an ABORT. (COOKIE-WAIT state)
2660 * See sctp_sf_do_9_1_abort() above.
2662 enum sctp_disposition sctp_sf_cookie_wait_abort(
2664 const struct sctp_endpoint *ep,
2665 const struct sctp_association *asoc,
2666 const union sctp_subtype type,
2668 struct sctp_cmd_seq *commands)
2670 __be16 error = SCTP_ERROR_NO_ERROR;
2671 struct sctp_chunk *chunk = arg;
2674 if (!sctp_vtag_verify_either(chunk, asoc))
2675 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2677 /* Make sure that the ABORT chunk has a valid length.
2678 * Since this is an ABORT chunk, we have to discard it
2679 * because of the following text:
2680 * RFC 2960, Section 3.3.7
2681 * If an endpoint receives an ABORT with a format error or for an
2682 * association that doesn't exist, it MUST silently discard it.
2683 * Because the length is "invalid", we can't really discard just
2684 * as we do not know its true length. So, to be safe, discard the
2687 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2688 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2690 /* See if we have an error cause code in the chunk. */
2691 len = ntohs(chunk->chunk_hdr->length);
2692 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2693 error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2695 return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2700 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2702 enum sctp_disposition sctp_sf_cookie_wait_icmp_abort(
2704 const struct sctp_endpoint *ep,
2705 const struct sctp_association *asoc,
2706 const union sctp_subtype type,
2708 struct sctp_cmd_seq *commands)
2710 return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2712 (struct sctp_transport *)arg);
2716 * Process an ABORT. (COOKIE-ECHOED state)
2718 enum sctp_disposition sctp_sf_cookie_echoed_abort(
2720 const struct sctp_endpoint *ep,
2721 const struct sctp_association *asoc,
2722 const union sctp_subtype type,
2724 struct sctp_cmd_seq *commands)
2726 /* There is a single T1 timer, so we should be able to use
2727 * common function with the COOKIE-WAIT state.
2729 return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2733 * Stop T1 timer and abort association with "INIT failed".
2735 * This is common code called by several sctp_sf_*_abort() functions above.
2737 static enum sctp_disposition sctp_stop_t1_and_abort(
2739 struct sctp_cmd_seq *commands,
2740 __be16 error, int sk_err,
2741 const struct sctp_association *asoc,
2742 struct sctp_transport *transport)
2744 pr_debug("%s: ABORT received (INIT)\n", __func__);
2746 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2747 SCTP_STATE(SCTP_STATE_CLOSED));
2748 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2749 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2750 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2751 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2752 /* CMD_INIT_FAILED will DELETE_TCB. */
2753 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2756 return SCTP_DISPOSITION_ABORT;
2760 * sctp_sf_do_9_2_shut
2763 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2764 * - enter the SHUTDOWN-RECEIVED state,
2766 * - stop accepting new data from its SCTP user
2768 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2769 * that all its outstanding DATA chunks have been received by the
2772 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2773 * send a SHUTDOWN in response to a ULP request. And should discard
2774 * subsequent SHUTDOWN chunks.
2776 * If there are still outstanding DATA chunks left, the SHUTDOWN
2777 * receiver shall continue to follow normal data transmission
2778 * procedures defined in Section 6 until all outstanding DATA chunks
2779 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2780 * new data from its SCTP user.
2782 * Verification Tag: 8.5 Verification Tag [Normal verification]
2785 * (endpoint, asoc, chunk)
2788 * (asoc, reply_msg, msg_up, timers, counters)
2790 * The return value is the disposition of the chunk.
2792 enum sctp_disposition sctp_sf_do_9_2_shutdown(
2794 const struct sctp_endpoint *ep,
2795 const struct sctp_association *asoc,
2796 const union sctp_subtype type,
2798 struct sctp_cmd_seq *commands)
2800 enum sctp_disposition disposition;
2801 struct sctp_chunk *chunk = arg;
2802 struct sctp_shutdownhdr *sdh;
2803 struct sctp_ulpevent *ev;
2806 if (!sctp_vtag_verify(chunk, asoc))
2807 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2809 /* Make sure that the SHUTDOWN chunk has a valid length. */
2810 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2811 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2814 /* Convert the elaborate header. */
2815 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2816 skb_pull(chunk->skb, sizeof(*sdh));
2817 chunk->subh.shutdown_hdr = sdh;
2818 ctsn = ntohl(sdh->cum_tsn_ack);
2820 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2821 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2822 asoc->ctsn_ack_point);
2824 return SCTP_DISPOSITION_DISCARD;
2827 /* If Cumulative TSN Ack beyond the max tsn currently
2828 * send, terminating the association and respond to the
2829 * sender with an ABORT.
2831 if (!TSN_lt(ctsn, asoc->next_tsn))
2832 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2834 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2835 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2836 * inform the application that it should cease sending data.
2838 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2840 disposition = SCTP_DISPOSITION_NOMEM;
2843 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2845 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2846 * - enter the SHUTDOWN-RECEIVED state,
2847 * - stop accepting new data from its SCTP user
2849 * [This is implicit in the new state.]
2851 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2852 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2853 disposition = SCTP_DISPOSITION_CONSUME;
2855 if (sctp_outq_is_empty(&asoc->outqueue)) {
2856 disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2860 if (SCTP_DISPOSITION_NOMEM == disposition)
2863 /* - verify, by checking the Cumulative TSN Ack field of the
2864 * chunk, that all its outstanding DATA chunks have been
2865 * received by the SHUTDOWN sender.
2867 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2868 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2875 * sctp_sf_do_9_2_shut_ctsn
2877 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2878 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2879 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2880 * MUST be processed.
2882 enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
2884 const struct sctp_endpoint *ep,
2885 const struct sctp_association *asoc,
2886 const union sctp_subtype type,
2888 struct sctp_cmd_seq *commands)
2890 struct sctp_chunk *chunk = arg;
2891 struct sctp_shutdownhdr *sdh;
2894 if (!sctp_vtag_verify(chunk, asoc))
2895 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2897 /* Make sure that the SHUTDOWN chunk has a valid length. */
2898 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2899 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2902 sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2903 ctsn = ntohl(sdh->cum_tsn_ack);
2905 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2906 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2907 asoc->ctsn_ack_point);
2909 return SCTP_DISPOSITION_DISCARD;
2912 /* If Cumulative TSN Ack beyond the max tsn currently
2913 * send, terminating the association and respond to the
2914 * sender with an ABORT.
2916 if (!TSN_lt(ctsn, asoc->next_tsn))
2917 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2919 /* verify, by checking the Cumulative TSN Ack field of the
2920 * chunk, that all its outstanding DATA chunks have been
2921 * received by the SHUTDOWN sender.
2923 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2924 SCTP_BE32(sdh->cum_tsn_ack));
2926 return SCTP_DISPOSITION_CONSUME;
2930 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2931 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2932 * transport addresses (either in the IP addresses or in the INIT chunk)
2933 * that belong to this association, it should discard the INIT chunk and
2934 * retransmit the SHUTDOWN ACK chunk.
2936 enum sctp_disposition sctp_sf_do_9_2_reshutack(
2938 const struct sctp_endpoint *ep,
2939 const struct sctp_association *asoc,
2940 const union sctp_subtype type,
2942 struct sctp_cmd_seq *commands)
2944 struct sctp_chunk *chunk = arg;
2945 struct sctp_chunk *reply;
2947 /* Make sure that the chunk has a valid length */
2948 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2949 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2952 /* Since we are not going to really process this INIT, there
2953 * is no point in verifying chunk boundries. Just generate
2956 reply = sctp_make_shutdown_ack(asoc, chunk);
2960 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2961 * the T2-SHUTDOWN timer.
2963 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2965 /* and restart the T2-shutdown timer. */
2966 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2967 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2969 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2971 return SCTP_DISPOSITION_CONSUME;
2973 return SCTP_DISPOSITION_NOMEM;
2977 * sctp_sf_do_ecn_cwr
2979 * Section: Appendix A: Explicit Congestion Notification
2983 * RFC 2481 details a specific bit for a sender to send in the header of
2984 * its next outbound TCP segment to indicate to its peer that it has
2985 * reduced its congestion window. This is termed the CWR bit. For
2986 * SCTP the same indication is made by including the CWR chunk.
2987 * This chunk contains one data element, i.e. the TSN number that
2988 * was sent in the ECNE chunk. This element represents the lowest
2989 * TSN number in the datagram that was originally marked with the
2992 * Verification Tag: 8.5 Verification Tag [Normal verification]
2994 * (endpoint, asoc, chunk)
2997 * (asoc, reply_msg, msg_up, timers, counters)
2999 * The return value is the disposition of the chunk.
3001 enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net,
3002 const struct sctp_endpoint *ep,
3003 const struct sctp_association *asoc,
3004 const union sctp_subtype type,
3006 struct sctp_cmd_seq *commands)
3008 struct sctp_chunk *chunk = arg;
3009 struct sctp_cwrhdr *cwr;
3012 if (!sctp_vtag_verify(chunk, asoc))
3013 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3015 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3016 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3019 cwr = (struct sctp_cwrhdr *)chunk->skb->data;
3020 skb_pull(chunk->skb, sizeof(*cwr));
3022 lowest_tsn = ntohl(cwr->lowest_tsn);
3024 /* Does this CWR ack the last sent congestion notification? */
3025 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
3026 /* Stop sending ECNE. */
3027 sctp_add_cmd_sf(commands,
3029 SCTP_U32(lowest_tsn));
3031 return SCTP_DISPOSITION_CONSUME;
3037 * Section: Appendix A: Explicit Congestion Notification
3041 * RFC 2481 details a specific bit for a receiver to send back in its
3042 * TCP acknowledgements to notify the sender of the Congestion
3043 * Experienced (CE) bit having arrived from the network. For SCTP this
3044 * same indication is made by including the ECNE chunk. This chunk
3045 * contains one data element, i.e. the lowest TSN associated with the IP
3046 * datagram marked with the CE bit.....
3048 * Verification Tag: 8.5 Verification Tag [Normal verification]
3050 * (endpoint, asoc, chunk)
3053 * (asoc, reply_msg, msg_up, timers, counters)
3055 * The return value is the disposition of the chunk.
3057 enum sctp_disposition sctp_sf_do_ecne(struct net *net,
3058 const struct sctp_endpoint *ep,
3059 const struct sctp_association *asoc,
3060 const union sctp_subtype type,
3061 void *arg, struct sctp_cmd_seq *commands)
3063 struct sctp_chunk *chunk = arg;
3064 struct sctp_ecnehdr *ecne;
3066 if (!sctp_vtag_verify(chunk, asoc))
3067 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3069 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3070 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3073 ecne = (struct sctp_ecnehdr *)chunk->skb->data;
3074 skb_pull(chunk->skb, sizeof(*ecne));
3076 /* If this is a newer ECNE than the last CWR packet we sent out */
3077 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
3078 SCTP_U32(ntohl(ecne->lowest_tsn)));
3080 return SCTP_DISPOSITION_CONSUME;
3084 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
3086 * The SCTP endpoint MUST always acknowledge the reception of each valid
3089 * The guidelines on delayed acknowledgement algorithm specified in
3090 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
3091 * acknowledgement SHOULD be generated for at least every second packet
3092 * (not every second DATA chunk) received, and SHOULD be generated within
3093 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
3094 * situations it may be beneficial for an SCTP transmitter to be more
3095 * conservative than the algorithms detailed in this document allow.
3096 * However, an SCTP transmitter MUST NOT be more aggressive than the
3097 * following algorithms allow.
3099 * A SCTP receiver MUST NOT generate more than one SACK for every
3100 * incoming packet, other than to update the offered window as the
3101 * receiving application consumes new data.
3103 * Verification Tag: 8.5 Verification Tag [Normal verification]
3106 * (endpoint, asoc, chunk)
3109 * (asoc, reply_msg, msg_up, timers, counters)
3111 * The return value is the disposition of the chunk.
3113 enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net,
3114 const struct sctp_endpoint *ep,
3115 const struct sctp_association *asoc,
3116 const union sctp_subtype type,
3118 struct sctp_cmd_seq *commands)
3120 union sctp_arg force = SCTP_NOFORCE();
3121 struct sctp_chunk *chunk = arg;
3124 if (!sctp_vtag_verify(chunk, asoc)) {
3125 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3127 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3130 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3131 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3134 error = sctp_eat_data(asoc, chunk, commands);
3136 case SCTP_IERROR_NO_ERROR:
3138 case SCTP_IERROR_HIGH_TSN:
3139 case SCTP_IERROR_BAD_STREAM:
3140 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3141 goto discard_noforce;
3142 case SCTP_IERROR_DUP_TSN:
3143 case SCTP_IERROR_IGNORE_TSN:
3144 SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3146 case SCTP_IERROR_NO_DATA:
3147 return SCTP_DISPOSITION_ABORT;
3148 case SCTP_IERROR_PROTO_VIOLATION:
3149 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3150 (u8 *)chunk->subh.data_hdr,
3151 sctp_datahdr_len(&asoc->stream));
3156 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
3157 force = SCTP_FORCE();
3159 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3160 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3161 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3164 /* If this is the last chunk in a packet, we need to count it
3165 * toward sack generation. Note that we need to SACK every
3166 * OTHER packet containing data chunks, EVEN IF WE DISCARD
3167 * THEM. We elect to NOT generate SACK's if the chunk fails
3168 * the verification tag test.
3170 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3172 * The SCTP endpoint MUST always acknowledge the reception of
3173 * each valid DATA chunk.
3175 * The guidelines on delayed acknowledgement algorithm
3176 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
3177 * Specifically, an acknowledgement SHOULD be generated for at
3178 * least every second packet (not every second DATA chunk)
3179 * received, and SHOULD be generated within 200 ms of the
3180 * arrival of any unacknowledged DATA chunk. In some
3181 * situations it may be beneficial for an SCTP transmitter to
3182 * be more conservative than the algorithms detailed in this
3183 * document allow. However, an SCTP transmitter MUST NOT be
3184 * more aggressive than the following algorithms allow.
3186 if (chunk->end_of_packet)
3187 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3189 return SCTP_DISPOSITION_CONSUME;
3192 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3194 * When a packet arrives with duplicate DATA chunk(s) and with
3195 * no new DATA chunk(s), the endpoint MUST immediately send a
3196 * SACK with no delay. If a packet arrives with duplicate
3197 * DATA chunk(s) bundled with new DATA chunks, the endpoint
3198 * MAY immediately send a SACK. Normally receipt of duplicate
3199 * DATA chunks will occur when the original SACK chunk was lost
3200 * and the peer's RTO has expired. The duplicate TSN number(s)
3201 * SHOULD be reported in the SACK as duplicate.
3203 /* In our case, we split the MAY SACK advice up whether or not
3204 * the last chunk is a duplicate.'
3206 if (chunk->end_of_packet)
3207 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3208 return SCTP_DISPOSITION_DISCARD;
3211 if (chunk->end_of_packet)
3212 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3214 return SCTP_DISPOSITION_DISCARD;
3218 * sctp_sf_eat_data_fast_4_4
3221 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3222 * DATA chunks without delay.
3224 * Verification Tag: 8.5 Verification Tag [Normal verification]
3226 * (endpoint, asoc, chunk)
3229 * (asoc, reply_msg, msg_up, timers, counters)
3231 * The return value is the disposition of the chunk.
3233 enum sctp_disposition sctp_sf_eat_data_fast_4_4(
3235 const struct sctp_endpoint *ep,
3236 const struct sctp_association *asoc,
3237 const union sctp_subtype type,
3239 struct sctp_cmd_seq *commands)
3241 struct sctp_chunk *chunk = arg;
3244 if (!sctp_vtag_verify(chunk, asoc)) {
3245 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3247 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3250 if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3251 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3254 error = sctp_eat_data(asoc, chunk, commands);
3256 case SCTP_IERROR_NO_ERROR:
3257 case SCTP_IERROR_HIGH_TSN:
3258 case SCTP_IERROR_DUP_TSN:
3259 case SCTP_IERROR_IGNORE_TSN:
3260 case SCTP_IERROR_BAD_STREAM:
3262 case SCTP_IERROR_NO_DATA:
3263 return SCTP_DISPOSITION_ABORT;
3264 case SCTP_IERROR_PROTO_VIOLATION:
3265 return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3266 (u8 *)chunk->subh.data_hdr,
3267 sctp_datahdr_len(&asoc->stream));
3272 /* Go a head and force a SACK, since we are shutting down. */
3274 /* Implementor's Guide.
3276 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3277 * respond to each received packet containing one or more DATA chunk(s)
3278 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3280 if (chunk->end_of_packet) {
3281 /* We must delay the chunk creation since the cumulative
3282 * TSN has not been updated yet.
3284 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3285 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3286 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3287 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3290 return SCTP_DISPOSITION_CONSUME;
3294 * Section: 6.2 Processing a Received SACK
3295 * D) Any time a SACK arrives, the endpoint performs the following:
3297 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3298 * then drop the SACK. Since Cumulative TSN Ack is monotonically
3299 * increasing, a SACK whose Cumulative TSN Ack is less than the
3300 * Cumulative TSN Ack Point indicates an out-of-order SACK.
3302 * ii) Set rwnd equal to the newly received a_rwnd minus the number
3303 * of bytes still outstanding after processing the Cumulative TSN Ack
3304 * and the Gap Ack Blocks.
3306 * iii) If the SACK is missing a TSN that was previously
3307 * acknowledged via a Gap Ack Block (e.g., the data receiver
3308 * reneged on the data), then mark the corresponding DATA chunk
3309 * as available for retransmit: Mark it as missing for fast
3310 * retransmit as described in Section 7.2.4 and if no retransmit
3311 * timer is running for the destination address to which the DATA
3312 * chunk was originally transmitted, then T3-rtx is started for
3313 * that destination address.
3315 * Verification Tag: 8.5 Verification Tag [Normal verification]
3318 * (endpoint, asoc, chunk)
3321 * (asoc, reply_msg, msg_up, timers, counters)
3323 * The return value is the disposition of the chunk.
3325 enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net,
3326 const struct sctp_endpoint *ep,
3327 const struct sctp_association *asoc,
3328 const union sctp_subtype type,
3330 struct sctp_cmd_seq *commands)
3332 struct sctp_chunk *chunk = arg;
3333 struct sctp_sackhdr *sackh;
3336 if (!sctp_vtag_verify(chunk, asoc))
3337 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3339 /* Make sure that the SACK chunk has a valid length. */
3340 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
3341 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3344 /* Pull the SACK chunk from the data buffer */
3345 sackh = sctp_sm_pull_sack(chunk);
3346 /* Was this a bogus SACK? */
3348 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3349 chunk->subh.sack_hdr = sackh;
3350 ctsn = ntohl(sackh->cum_tsn_ack);
3352 /* If Cumulative TSN Ack beyond the max tsn currently
3353 * send, terminating the association and respond to the
3354 * sender with an ABORT.
3356 if (TSN_lte(asoc->next_tsn, ctsn))
3357 return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3359 trace_sctp_probe(ep, asoc, chunk);
3361 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3362 * Ack Point, then drop the SACK. Since Cumulative TSN
3363 * Ack is monotonically increasing, a SACK whose
3364 * Cumulative TSN Ack is less than the Cumulative TSN Ack
3365 * Point indicates an out-of-order SACK.
3367 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3368 pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3369 asoc->ctsn_ack_point);
3371 return SCTP_DISPOSITION_DISCARD;
3374 /* Return this SACK for further processing. */
3375 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3377 /* Note: We do the rest of the work on the PROCESS_SACK
3380 return SCTP_DISPOSITION_CONSUME;
3384 * Generate an ABORT in response to a packet.
3386 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3388 * 8) The receiver should respond to the sender of the OOTB packet with
3389 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3390 * MUST fill in the Verification Tag field of the outbound packet
3391 * with the value found in the Verification Tag field of the OOTB
3392 * packet and set the T-bit in the Chunk Flags to indicate that the
3393 * Verification Tag is reflected. After sending this ABORT, the
3394 * receiver of the OOTB packet shall discard the OOTB packet and take
3395 * no further action.
3399 * The return value is the disposition of the chunk.
3401 static enum sctp_disposition sctp_sf_tabort_8_4_8(
3403 const struct sctp_endpoint *ep,
3404 const struct sctp_association *asoc,
3405 const union sctp_subtype type,
3407 struct sctp_cmd_seq *commands)
3409 struct sctp_packet *packet = NULL;
3410 struct sctp_chunk *chunk = arg;
3411 struct sctp_chunk *abort;
3413 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3415 return SCTP_DISPOSITION_NOMEM;
3417 /* Make an ABORT. The T bit will be set if the asoc
3420 abort = sctp_make_abort(asoc, chunk, 0);
3422 sctp_ootb_pkt_free(packet);
3423 return SCTP_DISPOSITION_NOMEM;
3426 /* Reflect vtag if T-Bit is set */
3427 if (sctp_test_T_bit(abort))
3428 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3430 /* Set the skb to the belonging sock for accounting. */
3431 abort->skb->sk = ep->base.sk;
3433 sctp_packet_append_chunk(packet, abort);
3435 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet));
3437 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3439 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3440 return SCTP_DISPOSITION_CONSUME;
3443 /* Handling of SCTP Packets Containing an INIT Chunk Matching an
3444 * Existing Associations when the UDP encap port is incorrect.
3446 * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03.
3448 static enum sctp_disposition sctp_sf_new_encap_port(
3450 const struct sctp_endpoint *ep,
3451 const struct sctp_association *asoc,
3452 const union sctp_subtype type,
3454 struct sctp_cmd_seq *commands)
3456 struct sctp_packet *packet = NULL;
3457 struct sctp_chunk *chunk = arg;
3458 struct sctp_chunk *abort;
3460 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3462 return SCTP_DISPOSITION_NOMEM;
3464 abort = sctp_make_new_encap_port(asoc, chunk);
3466 sctp_ootb_pkt_free(packet);
3467 return SCTP_DISPOSITION_NOMEM;
3470 abort->skb->sk = ep->base.sk;
3472 sctp_packet_append_chunk(packet, abort);
3474 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3475 SCTP_PACKET(packet));
3477 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3479 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3480 return SCTP_DISPOSITION_CONSUME;
3484 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3485 * event as ULP notification for each cause included in the chunk.
3487 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3489 * The return value is the disposition of the chunk.
3491 enum sctp_disposition sctp_sf_operr_notify(struct net *net,
3492 const struct sctp_endpoint *ep,
3493 const struct sctp_association *asoc,
3494 const union sctp_subtype type,
3496 struct sctp_cmd_seq *commands)
3498 struct sctp_chunk *chunk = arg;
3499 struct sctp_errhdr *err;
3501 if (!sctp_vtag_verify(chunk, asoc))
3502 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3504 /* Make sure that the ERROR chunk has a valid length. */
3505 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
3506 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3508 sctp_walk_errors(err, chunk->chunk_hdr);
3509 if ((void *)err != (void *)chunk->chunk_end)
3510 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3511 (void *)err, commands);
3513 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3516 return SCTP_DISPOSITION_CONSUME;
3520 * Process an inbound SHUTDOWN ACK.
3523 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3524 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3525 * peer, and remove all record of the association.
3527 * The return value is the disposition.
3529 enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
3530 const struct sctp_endpoint *ep,
3531 const struct sctp_association *asoc,
3532 const union sctp_subtype type,
3534 struct sctp_cmd_seq *commands)
3536 struct sctp_chunk *chunk = arg;
3537 struct sctp_chunk *reply;
3538 struct sctp_ulpevent *ev;
3540 if (!sctp_vtag_verify(chunk, asoc))
3541 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3543 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3544 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3545 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3547 /* 10.2 H) SHUTDOWN COMPLETE notification
3549 * When SCTP completes the shutdown procedures (section 9.2) this
3550 * notification is passed to the upper layer.
3552 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3553 0, 0, 0, NULL, GFP_ATOMIC);
3557 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3558 reply = sctp_make_shutdown_complete(asoc, chunk);
3562 /* Do all the commands now (after allocation), so that we
3563 * have consistent state if memory allocation failes
3565 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3567 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3568 * stop the T2-shutdown timer,
3570 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3571 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3573 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3574 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3576 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3577 SCTP_STATE(SCTP_STATE_CLOSED));
3578 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3579 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3580 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3582 /* ...and remove all record of the association. */
3583 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3584 return SCTP_DISPOSITION_DELETE_TCB;
3587 sctp_ulpevent_free(ev);
3589 return SCTP_DISPOSITION_NOMEM;
3593 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3595 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3596 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3597 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3598 * packet must fill in the Verification Tag field of the outbound
3599 * packet with the Verification Tag received in the SHUTDOWN ACK and
3600 * set the T-bit in the Chunk Flags to indicate that the Verification
3603 * 8) The receiver should respond to the sender of the OOTB packet with
3604 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3605 * MUST fill in the Verification Tag field of the outbound packet
3606 * with the value found in the Verification Tag field of the OOTB
3607 * packet and set the T-bit in the Chunk Flags to indicate that the
3608 * Verification Tag is reflected. After sending this ABORT, the
3609 * receiver of the OOTB packet shall discard the OOTB packet and take
3610 * no further action.
3612 enum sctp_disposition sctp_sf_ootb(struct net *net,
3613 const struct sctp_endpoint *ep,
3614 const struct sctp_association *asoc,
3615 const union sctp_subtype type,
3616 void *arg, struct sctp_cmd_seq *commands)
3618 struct sctp_chunk *chunk = arg;
3619 struct sk_buff *skb = chunk->skb;
3620 struct sctp_chunkhdr *ch;
3621 struct sctp_errhdr *err;
3622 int ootb_cookie_ack = 0;
3623 int ootb_shut_ack = 0;
3626 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3628 ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
3630 /* Report violation if the chunk is less then minimal */
3631 if (ntohs(ch->length) < sizeof(*ch))
3632 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3635 /* Report violation if chunk len overflows */
3636 ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3637 if (ch_end > skb_tail_pointer(skb))
3638 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3641 /* Now that we know we at least have a chunk header,
3642 * do things that are type appropriate.
3644 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3647 /* RFC 2960, Section 3.3.7
3648 * Moreover, under any circumstances, an endpoint that
3649 * receives an ABORT MUST NOT respond to that ABORT by
3650 * sending an ABORT of its own.
3652 if (SCTP_CID_ABORT == ch->type)
3653 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3655 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3656 * or a COOKIE ACK the SCTP Packet should be silently
3660 if (SCTP_CID_COOKIE_ACK == ch->type)
3661 ootb_cookie_ack = 1;
3663 if (SCTP_CID_ERROR == ch->type) {
3664 sctp_walk_errors(err, ch) {
3665 if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3666 ootb_cookie_ack = 1;
3672 ch = (struct sctp_chunkhdr *)ch_end;
3673 } while (ch_end < skb_tail_pointer(skb));
3676 return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3677 else if (ootb_cookie_ack)
3678 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3680 return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3684 * Handle an "Out of the blue" SHUTDOWN ACK.
3686 * Section: 8.4 5, sctpimpguide 2.41.
3688 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3689 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3690 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3691 * packet must fill in the Verification Tag field of the outbound
3692 * packet with the Verification Tag received in the SHUTDOWN ACK and
3693 * set the T-bit in the Chunk Flags to indicate that the Verification
3697 * (endpoint, asoc, type, arg, commands)
3700 * (enum sctp_disposition)
3702 * The return value is the disposition of the chunk.
3704 static enum sctp_disposition sctp_sf_shut_8_4_5(
3706 const struct sctp_endpoint *ep,
3707 const struct sctp_association *asoc,
3708 const union sctp_subtype type,
3710 struct sctp_cmd_seq *commands)
3712 struct sctp_packet *packet = NULL;
3713 struct sctp_chunk *chunk = arg;
3714 struct sctp_chunk *shut;
3716 packet = sctp_ootb_pkt_new(net, asoc, chunk);
3718 return SCTP_DISPOSITION_NOMEM;
3720 /* Make an SHUTDOWN_COMPLETE.
3721 * The T bit will be set if the asoc is NULL.
3723 shut = sctp_make_shutdown_complete(asoc, chunk);
3725 sctp_ootb_pkt_free(packet);
3726 return SCTP_DISPOSITION_NOMEM;
3729 /* Reflect vtag if T-Bit is set */
3730 if (sctp_test_T_bit(shut))
3731 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3733 /* Set the skb to the belonging sock for accounting. */
3734 shut->skb->sk = ep->base.sk;
3736 sctp_packet_append_chunk(packet, shut);
3738 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3739 SCTP_PACKET(packet));
3741 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3743 /* If the chunk length is invalid, we don't want to process
3744 * the reset of the packet.
3746 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3747 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3749 /* We need to discard the rest of the packet to prevent
3750 * potential bomming attacks from additional bundled chunks.
3751 * This is documented in SCTP Threats ID.
3753 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3757 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3759 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3760 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3761 * procedures in section 8.4 SHOULD be followed, in other words it
3762 * should be treated as an Out Of The Blue packet.
3763 * [This means that we do NOT check the Verification Tag on these
3767 enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
3768 const struct sctp_endpoint *ep,
3769 const struct sctp_association *asoc,
3770 const union sctp_subtype type,
3772 struct sctp_cmd_seq *commands)
3774 struct sctp_chunk *chunk = arg;
3776 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3777 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3778 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3781 /* Although we do have an association in this case, it corresponds
3782 * to a restarted association. So the packet is treated as an OOTB
3783 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3784 * called with a NULL association.
3786 SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3788 return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3791 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
3792 enum sctp_disposition sctp_sf_do_asconf(struct net *net,
3793 const struct sctp_endpoint *ep,
3794 const struct sctp_association *asoc,
3795 const union sctp_subtype type,
3797 struct sctp_cmd_seq *commands)
3799 struct sctp_paramhdr *err_param = NULL;
3800 struct sctp_chunk *asconf_ack = NULL;
3801 struct sctp_chunk *chunk = arg;
3802 struct sctp_addiphdr *hdr;
3805 if (!sctp_vtag_verify(chunk, asoc)) {
3806 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3808 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3811 /* ADD-IP: Section 4.1.1
3812 * This chunk MUST be sent in an authenticated way by using
3813 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3814 * is received unauthenticated it MUST be silently discarded as
3815 * described in [I-D.ietf-tsvwg-sctp-auth].
3817 if (!asoc->peer.asconf_capable ||
3818 (!net->sctp.addip_noauth && !chunk->auth))
3819 return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
3822 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3823 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
3824 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3827 hdr = (struct sctp_addiphdr *)chunk->skb->data;
3828 serial = ntohl(hdr->serial);
3830 /* Verify the ASCONF chunk before processing it. */
3831 if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3832 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3833 (void *)err_param, commands);
3835 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3836 * the endpoint stored in a new association variable
3837 * 'Peer-Serial-Number'.
3839 if (serial == asoc->peer.addip_serial + 1) {
3840 /* If this is the first instance of ASCONF in the packet,
3841 * we can clean our old ASCONF-ACKs.
3843 if (!chunk->has_asconf)
3844 sctp_assoc_clean_asconf_ack_cache(asoc);
3846 /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3847 * expected, process the ASCONF as described below and after
3848 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3849 * the response packet and cache a copy of it (in the event it
3850 * later needs to be retransmitted).
3852 * Essentially, do V1-V5.
3854 asconf_ack = sctp_process_asconf((struct sctp_association *)
3857 return SCTP_DISPOSITION_NOMEM;
3858 } else if (serial < asoc->peer.addip_serial + 1) {
3860 * If the value found in the Sequence Number is less than the
3861 * ('Peer- Sequence-Number' + 1), simply skip to the next
3862 * ASCONF, and include in the outbound response packet
3863 * any previously cached ASCONF-ACK response that was
3864 * sent and saved that matches the Sequence Number of the
3865 * ASCONF. Note: It is possible that no cached ASCONF-ACK
3866 * Chunk exists. This will occur when an older ASCONF
3867 * arrives out of order. In such a case, the receiver
3868 * should skip the ASCONF Chunk and not include ASCONF-ACK
3869 * Chunk for that chunk.
3871 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3873 return SCTP_DISPOSITION_DISCARD;
3875 /* Reset the transport so that we select the correct one
3876 * this time around. This is to make sure that we don't
3877 * accidentally use a stale transport that's been removed.
3879 asconf_ack->transport = NULL;
3881 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3882 * it must be either a stale packet or from an attacker.
3884 return SCTP_DISPOSITION_DISCARD;
3887 /* ADDIP 5.2 E6) The destination address of the SCTP packet
3888 * containing the ASCONF-ACK Chunks MUST be the source address of
3889 * the SCTP packet that held the ASCONF Chunks.
3891 * To do this properly, we'll set the destination address of the chunk
3892 * and at the transmit time, will try look up the transport to use.
3893 * Since ASCONFs may be bundled, the correct transport may not be
3894 * created until we process the entire packet, thus this workaround.
3896 asconf_ack->dest = chunk->source;
3897 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3898 if (asoc->new_transport) {
3899 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3900 ((struct sctp_association *)asoc)->new_transport = NULL;
3903 return SCTP_DISPOSITION_CONSUME;
3906 static enum sctp_disposition sctp_send_next_asconf(
3908 const struct sctp_endpoint *ep,
3909 struct sctp_association *asoc,
3910 const union sctp_subtype type,
3911 struct sctp_cmd_seq *commands)
3913 struct sctp_chunk *asconf;
3914 struct list_head *entry;
3916 if (list_empty(&asoc->addip_chunk_list))
3917 return SCTP_DISPOSITION_CONSUME;
3919 entry = asoc->addip_chunk_list.next;
3920 asconf = list_entry(entry, struct sctp_chunk, list);
3922 list_del_init(entry);
3923 sctp_chunk_hold(asconf);
3924 asoc->addip_last_asconf = asconf;
3926 return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands);
3930 * ADDIP Section 4.3 General rules for address manipulation
3931 * When building TLV parameters for the ASCONF Chunk that will add or
3932 * delete IP addresses the D0 to D13 rules should be applied:
3934 enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
3935 const struct sctp_endpoint *ep,
3936 const struct sctp_association *asoc,
3937 const union sctp_subtype type,
3939 struct sctp_cmd_seq *commands)
3941 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3942 struct sctp_paramhdr *err_param = NULL;
3943 struct sctp_chunk *asconf_ack = arg;
3944 struct sctp_addiphdr *addip_hdr;
3945 __u32 sent_serial, rcvd_serial;
3946 struct sctp_chunk *abort;
3948 if (!sctp_vtag_verify(asconf_ack, asoc)) {
3949 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3951 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3954 /* ADD-IP, Section 4.1.2:
3955 * This chunk MUST be sent in an authenticated way by using
3956 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3957 * is received unauthenticated it MUST be silently discarded as
3958 * described in [I-D.ietf-tsvwg-sctp-auth].
3960 if (!asoc->peer.asconf_capable ||
3961 (!net->sctp.addip_noauth && !asconf_ack->auth))
3962 return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
3965 /* Make sure that the ADDIP chunk has a valid length. */
3966 if (!sctp_chunk_length_valid(asconf_ack,
3967 sizeof(struct sctp_addip_chunk)))
3968 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3971 addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
3972 rcvd_serial = ntohl(addip_hdr->serial);
3974 /* Verify the ASCONF-ACK chunk before processing it. */
3975 if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
3976 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3977 (void *)err_param, commands);
3980 addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr;
3981 sent_serial = ntohl(addip_hdr->serial);
3983 sent_serial = asoc->addip_serial - 1;
3986 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3987 * equal to the next serial number to be used but no ASCONF chunk is
3988 * outstanding the endpoint MUST ABORT the association. Note that a
3989 * sequence number is greater than if it is no more than 2^^31-1
3990 * larger than the current sequence number (using serial arithmetic).
3992 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3993 !(asoc->addip_last_asconf)) {
3994 abort = sctp_make_abort(asoc, asconf_ack,
3995 sizeof(struct sctp_errhdr));
3997 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3998 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4001 /* We are going to ABORT, so we might as well stop
4002 * processing the rest of the chunks in the packet.
4004 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4005 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4006 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4007 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4008 SCTP_ERROR(ECONNABORTED));
4009 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4010 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4011 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4012 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4013 return SCTP_DISPOSITION_ABORT;
4016 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
4017 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4018 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4020 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
4022 return sctp_send_next_asconf(net, ep,
4023 (struct sctp_association *)asoc,
4026 abort = sctp_make_abort(asoc, asconf_ack,
4027 sizeof(struct sctp_errhdr));
4029 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
4030 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4033 /* We are going to ABORT, so we might as well stop
4034 * processing the rest of the chunks in the packet.
4036 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4037 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4038 SCTP_ERROR(ECONNABORTED));
4039 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4040 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4041 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4042 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4043 return SCTP_DISPOSITION_ABORT;
4046 return SCTP_DISPOSITION_DISCARD;
4049 /* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */
4050 enum sctp_disposition sctp_sf_do_reconf(struct net *net,
4051 const struct sctp_endpoint *ep,
4052 const struct sctp_association *asoc,
4053 const union sctp_subtype type,
4055 struct sctp_cmd_seq *commands)
4057 struct sctp_paramhdr *err_param = NULL;
4058 struct sctp_chunk *chunk = arg;
4059 struct sctp_reconf_chunk *hdr;
4060 union sctp_params param;
4062 if (!sctp_vtag_verify(chunk, asoc)) {
4063 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4065 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4068 /* Make sure that the RECONF chunk has a valid length. */
4069 if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
4070 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4073 if (!sctp_verify_reconf(asoc, chunk, &err_param))
4074 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4075 (void *)err_param, commands);
4077 hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
4078 sctp_walk_params(param, hdr, params) {
4079 struct sctp_chunk *reply = NULL;
4080 struct sctp_ulpevent *ev = NULL;
4082 if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST)
4083 reply = sctp_process_strreset_outreq(
4084 (struct sctp_association *)asoc, param, &ev);
4085 else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
4086 reply = sctp_process_strreset_inreq(
4087 (struct sctp_association *)asoc, param, &ev);
4088 else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
4089 reply = sctp_process_strreset_tsnreq(
4090 (struct sctp_association *)asoc, param, &ev);
4091 else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS)
4092 reply = sctp_process_strreset_addstrm_out(
4093 (struct sctp_association *)asoc, param, &ev);
4094 else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS)
4095 reply = sctp_process_strreset_addstrm_in(
4096 (struct sctp_association *)asoc, param, &ev);
4097 else if (param.p->type == SCTP_PARAM_RESET_RESPONSE)
4098 reply = sctp_process_strreset_resp(
4099 (struct sctp_association *)asoc, param, &ev);
4102 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4106 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4110 return SCTP_DISPOSITION_CONSUME;
4114 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
4116 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
4117 * its cumulative TSN point to the value carried in the FORWARD TSN
4118 * chunk, and then MUST further advance its cumulative TSN point locally
4120 * After the above processing, the data receiver MUST stop reporting any
4121 * missing TSNs earlier than or equal to the new cumulative TSN point.
4123 * Verification Tag: 8.5 Verification Tag [Normal verification]
4125 * The return value is the disposition of the chunk.
4127 enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net,
4128 const struct sctp_endpoint *ep,
4129 const struct sctp_association *asoc,
4130 const union sctp_subtype type,
4132 struct sctp_cmd_seq *commands)
4134 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4135 struct sctp_chunk *chunk = arg;
4139 if (!sctp_vtag_verify(chunk, asoc)) {
4140 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4142 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4145 if (!asoc->peer.prsctp_capable)
4146 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4148 /* Make sure that the FORWARD_TSN chunk has valid length. */
4149 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4150 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4153 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4154 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4155 len = ntohs(chunk->chunk_hdr->length);
4156 len -= sizeof(struct sctp_chunkhdr);
4157 skb_pull(chunk->skb, len);
4159 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4160 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4162 /* The TSN is too high--silently discard the chunk and count on it
4163 * getting retransmitted later.
4165 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4166 goto discard_noforce;
4168 if (!asoc->stream.si->validate_ftsn(chunk))
4169 goto discard_noforce;
4171 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4172 if (len > sctp_ftsnhdr_len(&asoc->stream))
4173 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4176 /* Count this as receiving DATA. */
4177 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
4178 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4179 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4182 /* FIXME: For now send a SACK, but DATA processing may
4185 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
4187 return SCTP_DISPOSITION_CONSUME;
4190 return SCTP_DISPOSITION_DISCARD;
4193 enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
4195 const struct sctp_endpoint *ep,
4196 const struct sctp_association *asoc,
4197 const union sctp_subtype type,
4199 struct sctp_cmd_seq *commands)
4201 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4202 struct sctp_chunk *chunk = arg;
4206 if (!sctp_vtag_verify(chunk, asoc)) {
4207 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4209 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4212 if (!asoc->peer.prsctp_capable)
4213 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4215 /* Make sure that the FORWARD_TSN chunk has a valid length. */
4216 if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4217 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4220 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4221 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4222 len = ntohs(chunk->chunk_hdr->length);
4223 len -= sizeof(struct sctp_chunkhdr);
4224 skb_pull(chunk->skb, len);
4226 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4227 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4229 /* The TSN is too high--silently discard the chunk and count on it
4230 * getting retransmitted later.
4232 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4235 if (!asoc->stream.si->validate_ftsn(chunk))
4238 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4239 if (len > sctp_ftsnhdr_len(&asoc->stream))
4240 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4243 /* Go a head and force a SACK, since we are shutting down. */
4245 /* Implementor's Guide.
4247 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
4248 * respond to each received packet containing one or more DATA chunk(s)
4249 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
4251 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
4252 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4254 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4256 return SCTP_DISPOSITION_CONSUME;
4260 * SCTP-AUTH Section 6.3 Receiving authenticated chukns
4262 * The receiver MUST use the HMAC algorithm indicated in the HMAC
4263 * Identifier field. If this algorithm was not specified by the
4264 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
4265 * during association setup, the AUTH chunk and all chunks after it MUST
4266 * be discarded and an ERROR chunk SHOULD be sent with the error cause
4267 * defined in Section 4.1.
4269 * If an endpoint with no shared key receives a Shared Key Identifier
4270 * other than 0, it MUST silently discard all authenticated chunks. If
4271 * the endpoint has at least one endpoint pair shared key for the peer,
4272 * it MUST use the key specified by the Shared Key Identifier if a
4273 * key has been configured for that Shared Key Identifier. If no
4274 * endpoint pair shared key has been configured for that Shared Key
4275 * Identifier, all authenticated chunks MUST be silently discarded.
4277 * Verification Tag: 8.5 Verification Tag [Normal verification]
4279 * The return value is the disposition of the chunk.
4281 static enum sctp_ierror sctp_sf_authenticate(
4282 const struct sctp_association *asoc,
4283 struct sctp_chunk *chunk)
4285 struct sctp_shared_key *sh_key = NULL;
4286 struct sctp_authhdr *auth_hdr;
4287 __u8 *save_digest, *digest;
4288 struct sctp_hmac *hmac;
4289 unsigned int sig_len;
4292 /* Pull in the auth header, so we can do some more verification */
4293 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4294 chunk->subh.auth_hdr = auth_hdr;
4295 skb_pull(chunk->skb, sizeof(*auth_hdr));
4297 /* Make sure that we support the HMAC algorithm from the auth
4300 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4301 return SCTP_IERROR_AUTH_BAD_HMAC;
4303 /* Make sure that the provided shared key identifier has been
4306 key_id = ntohs(auth_hdr->shkey_id);
4307 if (key_id != asoc->active_key_id) {
4308 sh_key = sctp_auth_get_shkey(asoc, key_id);
4310 return SCTP_IERROR_AUTH_BAD_KEYID;
4313 /* Make sure that the length of the signature matches what
4316 sig_len = ntohs(chunk->chunk_hdr->length) -
4317 sizeof(struct sctp_auth_chunk);
4318 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4319 if (sig_len != hmac->hmac_len)
4320 return SCTP_IERROR_PROTO_VIOLATION;
4322 /* Now that we've done validation checks, we can compute and
4323 * verify the hmac. The steps involved are:
4324 * 1. Save the digest from the chunk.
4325 * 2. Zero out the digest in the chunk.
4326 * 3. Compute the new digest
4327 * 4. Compare saved and new digests.
4329 digest = auth_hdr->hmac;
4330 skb_pull(chunk->skb, sig_len);
4332 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4336 memset(digest, 0, sig_len);
4338 sctp_auth_calculate_hmac(asoc, chunk->skb,
4339 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4340 sh_key, GFP_ATOMIC);
4342 /* Discard the packet if the digests do not match */
4343 if (memcmp(save_digest, digest, sig_len)) {
4345 return SCTP_IERROR_BAD_SIG;
4351 return SCTP_IERROR_NO_ERROR;
4353 return SCTP_IERROR_NOMEM;
4356 enum sctp_disposition sctp_sf_eat_auth(struct net *net,
4357 const struct sctp_endpoint *ep,
4358 const struct sctp_association *asoc,
4359 const union sctp_subtype type,
4360 void *arg, struct sctp_cmd_seq *commands)
4362 struct sctp_chunk *chunk = arg;
4363 struct sctp_authhdr *auth_hdr;
4364 struct sctp_chunk *err_chunk;
4365 enum sctp_ierror error;
4367 /* Make sure that the peer has AUTH capable */
4368 if (!asoc->peer.auth_capable)
4369 return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4371 if (!sctp_vtag_verify(chunk, asoc)) {
4372 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4374 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4377 /* Make sure that the AUTH chunk has valid length. */
4378 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4379 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4382 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4383 error = sctp_sf_authenticate(asoc, chunk);
4385 case SCTP_IERROR_AUTH_BAD_HMAC:
4386 /* Generate the ERROR chunk and discard the rest
4389 err_chunk = sctp_make_op_error(asoc, chunk,
4390 SCTP_ERROR_UNSUP_HMAC,
4394 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4395 SCTP_CHUNK(err_chunk));
4398 case SCTP_IERROR_AUTH_BAD_KEYID:
4399 case SCTP_IERROR_BAD_SIG:
4400 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4402 case SCTP_IERROR_PROTO_VIOLATION:
4403 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4406 case SCTP_IERROR_NOMEM:
4407 return SCTP_DISPOSITION_NOMEM;
4409 default: /* Prevent gcc warnings */
4413 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4414 struct sctp_ulpevent *ev;
4416 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4417 SCTP_AUTH_NEW_KEY, GFP_ATOMIC);
4422 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4426 return SCTP_DISPOSITION_CONSUME;
4430 * Process an unknown chunk.
4432 * Section: 3.2. Also, 2.1 in the implementor's guide.
4434 * Chunk Types are encoded such that the highest-order two bits specify
4435 * the action that must be taken if the processing endpoint does not
4436 * recognize the Chunk Type.
4438 * 00 - Stop processing this SCTP packet and discard it, do not process
4439 * any further chunks within it.
4441 * 01 - Stop processing this SCTP packet and discard it, do not process
4442 * any further chunks within it, and report the unrecognized
4443 * chunk in an 'Unrecognized Chunk Type'.
4445 * 10 - Skip this chunk and continue processing.
4447 * 11 - Skip this chunk and continue processing, but report in an ERROR
4448 * Chunk using the 'Unrecognized Chunk Type' cause of error.
4450 * The return value is the disposition of the chunk.
4452 enum sctp_disposition sctp_sf_unk_chunk(struct net *net,
4453 const struct sctp_endpoint *ep,
4454 const struct sctp_association *asoc,
4455 const union sctp_subtype type,
4457 struct sctp_cmd_seq *commands)
4459 struct sctp_chunk *unk_chunk = arg;
4460 struct sctp_chunk *err_chunk;
4461 struct sctp_chunkhdr *hdr;
4463 pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);
4465 if (!sctp_vtag_verify(unk_chunk, asoc))
4466 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4468 /* Make sure that the chunk has a valid length.
4469 * Since we don't know the chunk type, we use a general
4470 * chunkhdr structure to make a comparison.
4472 if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr)))
4473 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4476 switch (type.chunk & SCTP_CID_ACTION_MASK) {
4477 case SCTP_CID_ACTION_DISCARD:
4478 /* Discard the packet. */
4479 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4480 case SCTP_CID_ACTION_DISCARD_ERR:
4481 /* Generate an ERROR chunk as response. */
4482 hdr = unk_chunk->chunk_hdr;
4483 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4484 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4485 SCTP_PAD4(ntohs(hdr->length)),
4488 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4489 SCTP_CHUNK(err_chunk));
4492 /* Discard the packet. */
4493 sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4494 return SCTP_DISPOSITION_CONSUME;
4495 case SCTP_CID_ACTION_SKIP:
4496 /* Skip the chunk. */
4497 return SCTP_DISPOSITION_DISCARD;
4498 case SCTP_CID_ACTION_SKIP_ERR:
4499 /* Generate an ERROR chunk as response. */
4500 hdr = unk_chunk->chunk_hdr;
4501 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4502 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4503 SCTP_PAD4(ntohs(hdr->length)),
4506 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4507 SCTP_CHUNK(err_chunk));
4509 /* Skip the chunk. */
4510 return SCTP_DISPOSITION_CONSUME;
4515 return SCTP_DISPOSITION_DISCARD;
4519 * Discard the chunk.
4521 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4522 * [Too numerous to mention...]
4523 * Verification Tag: No verification needed.
4525 * (endpoint, asoc, chunk)
4528 * (asoc, reply_msg, msg_up, timers, counters)
4530 * The return value is the disposition of the chunk.
4532 enum sctp_disposition sctp_sf_discard_chunk(struct net *net,
4533 const struct sctp_endpoint *ep,
4534 const struct sctp_association *asoc,
4535 const union sctp_subtype type,
4537 struct sctp_cmd_seq *commands)
4539 struct sctp_chunk *chunk = arg;
4541 /* Make sure that the chunk has a valid length.
4542 * Since we don't know the chunk type, we use a general
4543 * chunkhdr structure to make a comparison.
4545 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4546 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4549 pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);
4551 return SCTP_DISPOSITION_DISCARD;
4555 * Discard the whole packet.
4559 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4560 * silently discard the OOTB packet and take no further action.
4562 * Verification Tag: No verification necessary
4565 * (endpoint, asoc, chunk)
4568 * (asoc, reply_msg, msg_up, timers, counters)
4570 * The return value is the disposition of the chunk.
4572 enum sctp_disposition sctp_sf_pdiscard(struct net *net,
4573 const struct sctp_endpoint *ep,
4574 const struct sctp_association *asoc,
4575 const union sctp_subtype type,
4576 void *arg, struct sctp_cmd_seq *commands)
4578 SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4579 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4581 return SCTP_DISPOSITION_CONSUME;
4586 * The other end is violating protocol.
4588 * Section: Not specified
4589 * Verification Tag: Not specified
4591 * (endpoint, asoc, chunk)
4594 * (asoc, reply_msg, msg_up, timers, counters)
4596 * We simply tag the chunk as a violation. The state machine will log
4597 * the violation and continue.
4599 enum sctp_disposition sctp_sf_violation(struct net *net,
4600 const struct sctp_endpoint *ep,
4601 const struct sctp_association *asoc,
4602 const union sctp_subtype type,
4604 struct sctp_cmd_seq *commands)
4606 struct sctp_chunk *chunk = arg;
4608 /* Make sure that the chunk has a valid length. */
4609 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
4610 return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4613 return SCTP_DISPOSITION_VIOLATION;
4617 * Common function to handle a protocol violation.
4619 static enum sctp_disposition sctp_sf_abort_violation(
4621 const struct sctp_endpoint *ep,
4622 const struct sctp_association *asoc,
4624 struct sctp_cmd_seq *commands,
4625 const __u8 *payload,
4626 const size_t paylen)
4628 struct sctp_packet *packet = NULL;
4629 struct sctp_chunk *chunk = arg;
4630 struct sctp_chunk *abort = NULL;
4632 /* SCTP-AUTH, Section 6.3:
4633 * It should be noted that if the receiver wants to tear
4634 * down an association in an authenticated way only, the
4635 * handling of malformed packets should not result in
4636 * tearing down the association.
4638 * This means that if we only want to abort associations
4639 * in an authenticated way (i.e AUTH+ABORT), then we
4640 * can't destroy this association just because the packet
4643 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4646 /* Make the abort chunk. */
4647 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4652 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4653 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4654 !asoc->peer.i.init_tag) {
4655 struct sctp_initack_chunk *initack;
4657 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
4658 if (!sctp_chunk_length_valid(chunk, sizeof(*initack)))
4659 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4661 unsigned int inittag;
4663 inittag = ntohl(initack->init_hdr.init_tag);
4664 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4669 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4670 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4672 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4673 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4674 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4675 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4676 SCTP_ERROR(ECONNREFUSED));
4677 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4678 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4680 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4681 SCTP_ERROR(ECONNABORTED));
4682 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4683 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4684 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4687 packet = sctp_ootb_pkt_new(net, asoc, chunk);
4692 if (sctp_test_T_bit(abort))
4693 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4695 abort->skb->sk = ep->base.sk;
4697 sctp_packet_append_chunk(packet, abort);
4699 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4700 SCTP_PACKET(packet));
4702 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4705 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4708 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4709 return SCTP_DISPOSITION_ABORT;
4712 sctp_chunk_free(abort);
4714 return SCTP_DISPOSITION_NOMEM;
4718 * Handle a protocol violation when the chunk length is invalid.
4719 * "Invalid" length is identified as smaller than the minimal length a
4720 * given chunk can be. For example, a SACK chunk has invalid length
4721 * if its length is set to be smaller than the size of struct sctp_sack_chunk.
4723 * We inform the other end by sending an ABORT with a Protocol Violation
4726 * Section: Not specified
4727 * Verification Tag: Nothing to do
4729 * (endpoint, asoc, chunk)
4732 * (reply_msg, msg_up, counters)
4734 * Generate an ABORT chunk and terminate the association.
4736 static enum sctp_disposition sctp_sf_violation_chunklen(
4738 const struct sctp_endpoint *ep,
4739 const struct sctp_association *asoc,
4740 const union sctp_subtype type,
4742 struct sctp_cmd_seq *commands)
4744 static const char err_str[] = "The following chunk had invalid length:";
4746 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4751 * Handle a protocol violation when the parameter length is invalid.
4752 * If the length is smaller than the minimum length of a given parameter,
4753 * or accumulated length in multi parameters exceeds the end of the chunk,
4754 * the length is considered as invalid.
4756 static enum sctp_disposition sctp_sf_violation_paramlen(
4758 const struct sctp_endpoint *ep,
4759 const struct sctp_association *asoc,
4760 const union sctp_subtype type,
4761 void *arg, void *ext,
4762 struct sctp_cmd_seq *commands)
4764 struct sctp_paramhdr *param = ext;
4765 struct sctp_chunk *abort = NULL;
4766 struct sctp_chunk *chunk = arg;
4768 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4771 /* Make the abort chunk. */
4772 abort = sctp_make_violation_paramlen(asoc, chunk, param);
4776 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4777 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4779 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4780 SCTP_ERROR(ECONNABORTED));
4781 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4782 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4783 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4784 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4787 sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4788 return SCTP_DISPOSITION_ABORT;
4790 return SCTP_DISPOSITION_NOMEM;
4793 /* Handle a protocol violation when the peer trying to advance the
4794 * cumulative tsn ack to a point beyond the max tsn currently sent.
4796 * We inform the other end by sending an ABORT with a Protocol Violation
4799 static enum sctp_disposition sctp_sf_violation_ctsn(
4801 const struct sctp_endpoint *ep,
4802 const struct sctp_association *asoc,
4803 const union sctp_subtype type,
4805 struct sctp_cmd_seq *commands)
4807 static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";
4809 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4813 /* Handle protocol violation of an invalid chunk bundling. For example,
4814 * when we have an association and we receive bundled INIT-ACK, or
4815 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4816 * statement from the specs. Additionally, there might be an attacker
4817 * on the path and we may not want to continue this communication.
4819 static enum sctp_disposition sctp_sf_violation_chunk(
4821 const struct sctp_endpoint *ep,
4822 const struct sctp_association *asoc,
4823 const union sctp_subtype type,
4825 struct sctp_cmd_seq *commands)
4827 static const char err_str[] = "The following chunk violates protocol:";
4830 return sctp_sf_violation(net, ep, asoc, type, arg, commands);
4832 return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4835 /***************************************************************************
4836 * These are the state functions for handling primitive (Section 10) events.
4837 ***************************************************************************/
4839 * sctp_sf_do_prm_asoc
4841 * Section: 10.1 ULP-to-SCTP
4844 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4845 * outbound stream count)
4846 * -> association id [,destination transport addr list] [,outbound stream
4849 * This primitive allows the upper layer to initiate an association to a
4850 * specific peer endpoint.
4852 * The peer endpoint shall be specified by one of the transport addresses
4853 * which defines the endpoint (see Section 1.4). If the local SCTP
4854 * instance has not been initialized, the ASSOCIATE is considered an
4856 * [This is not relevant for the kernel implementation since we do all
4857 * initialization at boot time. It we hadn't initialized we wouldn't
4858 * get anywhere near this code.]
4860 * An association id, which is a local handle to the SCTP association,
4861 * will be returned on successful establishment of the association. If
4862 * SCTP is not able to open an SCTP association with the peer endpoint,
4863 * an error is returned.
4864 * [In the kernel implementation, the struct sctp_association needs to
4865 * be created BEFORE causing this primitive to run.]
4867 * Other association parameters may be returned, including the
4868 * complete destination transport addresses of the peer as well as the
4869 * outbound stream count of the local endpoint. One of the transport
4870 * address from the returned destination addresses will be selected by
4871 * the local endpoint as default primary path for sending SCTP packets
4872 * to this peer. The returned "destination transport addr list" can
4873 * be used by the ULP to change the default primary path or to force
4874 * sending a packet to a specific transport address. [All of this
4875 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
4878 * Mandatory attributes:
4880 * o local SCTP instance name - obtained from the INITIALIZE operation.
4881 * [This is the argument asoc.]
4882 * o destination transport addr - specified as one of the transport
4883 * addresses of the peer endpoint with which the association is to be
4885 * [This is asoc->peer.active_path.]
4886 * o outbound stream count - the number of outbound streams the ULP
4887 * would like to open towards this peer endpoint.
4888 * [BUG: This is not currently implemented.]
4889 * Optional attributes:
4893 * The return value is a disposition.
4895 enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net,
4896 const struct sctp_endpoint *ep,
4897 const struct sctp_association *asoc,
4898 const union sctp_subtype type,
4900 struct sctp_cmd_seq *commands)
4902 struct sctp_association *my_asoc;
4903 struct sctp_chunk *repl;
4905 /* The comment below says that we enter COOKIE-WAIT AFTER
4906 * sending the INIT, but that doesn't actually work in our
4909 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4910 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4912 /* RFC 2960 5.1 Normal Establishment of an Association
4914 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
4915 * must provide its Verification Tag (Tag_A) in the Initiate
4916 * Tag field. Tag_A SHOULD be a random number in the range of
4917 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4920 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4924 /* Choose transport for INIT. */
4925 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4928 /* Cast away the const modifier, as we want to just
4929 * rerun it through as a sideffect.
4931 my_asoc = (struct sctp_association *)asoc;
4932 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4934 /* After sending the INIT, "A" starts the T1-init timer and
4935 * enters the COOKIE-WAIT state.
4937 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4938 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4939 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4940 return SCTP_DISPOSITION_CONSUME;
4943 return SCTP_DISPOSITION_NOMEM;
4947 * Process the SEND primitive.
4949 * Section: 10.1 ULP-to-SCTP
4952 * Format: SEND(association id, buffer address, byte count [,context]
4953 * [,stream id] [,life time] [,destination transport address]
4954 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4957 * This is the main method to send user data via SCTP.
4959 * Mandatory attributes:
4961 * o association id - local handle to the SCTP association
4963 * o buffer address - the location where the user message to be
4964 * transmitted is stored;
4966 * o byte count - The size of the user data in number of bytes;
4968 * Optional attributes:
4970 * o context - an optional 32 bit integer that will be carried in the
4971 * sending failure notification to the ULP if the transportation of
4972 * this User Message fails.
4974 * o stream id - to indicate which stream to send the data on. If not
4975 * specified, stream 0 will be used.
4977 * o life time - specifies the life time of the user data. The user data
4978 * will not be sent by SCTP after the life time expires. This
4979 * parameter can be used to avoid efforts to transmit stale
4980 * user messages. SCTP notifies the ULP if the data cannot be
4981 * initiated to transport (i.e. sent to the destination via SCTP's
4982 * send primitive) within the life time variable. However, the
4983 * user data will be transmitted if SCTP has attempted to transmit a
4984 * chunk before the life time expired.
4986 * o destination transport address - specified as one of the destination
4987 * transport addresses of the peer endpoint to which this packet
4988 * should be sent. Whenever possible, SCTP should use this destination
4989 * transport address for sending the packets, instead of the current
4992 * o unorder flag - this flag, if present, indicates that the user
4993 * would like the data delivered in an unordered fashion to the peer
4994 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
4997 * o no-bundle flag - instructs SCTP not to bundle this user data with
4998 * other outbound DATA chunks. SCTP MAY still bundle even when
4999 * this flag is present, when faced with network congestion.
5001 * o payload protocol-id - A 32 bit unsigned integer that is to be
5002 * passed to the peer indicating the type of payload protocol data
5003 * being transmitted. This value is passed as opaque data by SCTP.
5005 * The return value is the disposition.
5007 enum sctp_disposition sctp_sf_do_prm_send(struct net *net,
5008 const struct sctp_endpoint *ep,
5009 const struct sctp_association *asoc,
5010 const union sctp_subtype type,
5012 struct sctp_cmd_seq *commands)
5014 struct sctp_datamsg *msg = arg;
5016 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
5017 return SCTP_DISPOSITION_CONSUME;
5021 * Process the SHUTDOWN primitive.
5026 * Format: SHUTDOWN(association id)
5029 * Gracefully closes an association. Any locally queued user data
5030 * will be delivered to the peer. The association will be terminated only
5031 * after the peer acknowledges all the SCTP packets sent. A success code
5032 * will be returned on successful termination of the association. If
5033 * attempting to terminate the association results in a failure, an error
5034 * code shall be returned.
5036 * Mandatory attributes:
5038 * o association id - local handle to the SCTP association
5040 * Optional attributes:
5044 * The return value is the disposition.
5046 enum sctp_disposition sctp_sf_do_9_2_prm_shutdown(
5048 const struct sctp_endpoint *ep,
5049 const struct sctp_association *asoc,
5050 const union sctp_subtype type,
5052 struct sctp_cmd_seq *commands)
5054 enum sctp_disposition disposition;
5056 /* From 9.2 Shutdown of an Association
5057 * Upon receipt of the SHUTDOWN primitive from its upper
5058 * layer, the endpoint enters SHUTDOWN-PENDING state and
5059 * remains there until all outstanding data has been
5060 * acknowledged by its peer. The endpoint accepts no new data
5061 * from its upper layer, but retransmits data to the far end
5062 * if necessary to fill gaps.
5064 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5065 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5067 disposition = SCTP_DISPOSITION_CONSUME;
5068 if (sctp_outq_is_empty(&asoc->outqueue)) {
5069 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
5077 * Process the ABORT primitive.
5082 * Format: Abort(association id [, cause code])
5085 * Ungracefully closes an association. Any locally queued user data
5086 * will be discarded and an ABORT chunk is sent to the peer. A success code
5087 * will be returned on successful abortion of the association. If
5088 * attempting to abort the association results in a failure, an error
5089 * code shall be returned.
5091 * Mandatory attributes:
5093 * o association id - local handle to the SCTP association
5095 * Optional attributes:
5097 * o cause code - reason of the abort to be passed to the peer
5101 * The return value is the disposition.
5103 enum sctp_disposition sctp_sf_do_9_1_prm_abort(
5105 const struct sctp_endpoint *ep,
5106 const struct sctp_association *asoc,
5107 const union sctp_subtype type,
5109 struct sctp_cmd_seq *commands)
5111 /* From 9.1 Abort of an Association
5112 * Upon receipt of the ABORT primitive from its upper
5113 * layer, the endpoint enters CLOSED state and
5114 * discard all outstanding data has been
5115 * acknowledged by its peer. The endpoint accepts no new data
5116 * from its upper layer, but retransmits data to the far end
5117 * if necessary to fill gaps.
5119 struct sctp_chunk *abort = arg;
5122 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5124 /* Even if we can't send the ABORT due to low memory delete the
5125 * TCB. This is a departure from our typical NOMEM handling.
5128 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5129 SCTP_ERROR(ECONNABORTED));
5130 /* Delete the established association. */
5131 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5132 SCTP_PERR(SCTP_ERROR_USER_ABORT));
5134 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5135 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5137 return SCTP_DISPOSITION_ABORT;
5140 /* We tried an illegal operation on an association which is closed. */
5141 enum sctp_disposition sctp_sf_error_closed(struct net *net,
5142 const struct sctp_endpoint *ep,
5143 const struct sctp_association *asoc,
5144 const union sctp_subtype type,
5146 struct sctp_cmd_seq *commands)
5148 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
5149 return SCTP_DISPOSITION_CONSUME;
5152 /* We tried an illegal operation on an association which is shutting
5155 enum sctp_disposition sctp_sf_error_shutdown(
5157 const struct sctp_endpoint *ep,
5158 const struct sctp_association *asoc,
5159 const union sctp_subtype type,
5161 struct sctp_cmd_seq *commands)
5163 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
5164 SCTP_ERROR(-ESHUTDOWN));
5165 return SCTP_DISPOSITION_CONSUME;
5169 * sctp_cookie_wait_prm_shutdown
5171 * Section: 4 Note: 2
5176 * The RFC does not explicitly address this issue, but is the route through the
5177 * state table when someone issues a shutdown while in COOKIE_WAIT state.
5182 enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown(
5184 const struct sctp_endpoint *ep,
5185 const struct sctp_association *asoc,
5186 const union sctp_subtype type,
5188 struct sctp_cmd_seq *commands)
5190 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5191 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5193 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5194 SCTP_STATE(SCTP_STATE_CLOSED));
5196 SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
5198 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
5200 return SCTP_DISPOSITION_DELETE_TCB;
5204 * sctp_cookie_echoed_prm_shutdown
5206 * Section: 4 Note: 2
5211 * The RFC does not explcitly address this issue, but is the route through the
5212 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
5217 enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown(
5219 const struct sctp_endpoint *ep,
5220 const struct sctp_association *asoc,
5221 const union sctp_subtype type,
5223 struct sctp_cmd_seq *commands)
5225 /* There is a single T1 timer, so we should be able to use
5226 * common function with the COOKIE-WAIT state.
5228 return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
5232 * sctp_sf_cookie_wait_prm_abort
5234 * Section: 4 Note: 2
5239 * The RFC does not explicitly address this issue, but is the route through the
5240 * state table when someone issues an abort while in COOKIE_WAIT state.
5245 enum sctp_disposition sctp_sf_cookie_wait_prm_abort(
5247 const struct sctp_endpoint *ep,
5248 const struct sctp_association *asoc,
5249 const union sctp_subtype type,
5251 struct sctp_cmd_seq *commands)
5253 struct sctp_chunk *abort = arg;
5255 /* Stop T1-init timer */
5256 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5257 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5260 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
5262 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5263 SCTP_STATE(SCTP_STATE_CLOSED));
5265 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5267 /* Even if we can't send the ABORT due to low memory delete the
5268 * TCB. This is a departure from our typical NOMEM handling.
5271 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5272 SCTP_ERROR(ECONNREFUSED));
5273 /* Delete the established association. */
5274 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5275 SCTP_PERR(SCTP_ERROR_USER_ABORT));
5277 return SCTP_DISPOSITION_ABORT;
5281 * sctp_sf_cookie_echoed_prm_abort
5283 * Section: 4 Note: 3
5288 * The RFC does not explcitly address this issue, but is the route through the
5289 * state table when someone issues an abort while in COOKIE_ECHOED state.
5294 enum sctp_disposition sctp_sf_cookie_echoed_prm_abort(
5296 const struct sctp_endpoint *ep,
5297 const struct sctp_association *asoc,
5298 const union sctp_subtype type,
5300 struct sctp_cmd_seq *commands)
5302 /* There is a single T1 timer, so we should be able to use
5303 * common function with the COOKIE-WAIT state.
5305 return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5309 * sctp_sf_shutdown_pending_prm_abort
5314 * The RFC does not explicitly address this issue, but is the route through the
5315 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5320 enum sctp_disposition sctp_sf_shutdown_pending_prm_abort(
5322 const struct sctp_endpoint *ep,
5323 const struct sctp_association *asoc,
5324 const union sctp_subtype type,
5326 struct sctp_cmd_seq *commands)
5328 /* Stop the T5-shutdown guard timer. */
5329 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5330 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5332 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5336 * sctp_sf_shutdown_sent_prm_abort
5341 * The RFC does not explicitly address this issue, but is the route through the
5342 * state table when someone issues an abort while in SHUTDOWN-SENT state.
5347 enum sctp_disposition sctp_sf_shutdown_sent_prm_abort(
5349 const struct sctp_endpoint *ep,
5350 const struct sctp_association *asoc,
5351 const union sctp_subtype type,
5353 struct sctp_cmd_seq *commands)
5355 /* Stop the T2-shutdown timer. */
5356 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5357 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5359 /* Stop the T5-shutdown guard timer. */
5360 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5361 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5363 return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5367 * sctp_sf_cookie_echoed_prm_abort
5372 * The RFC does not explcitly address this issue, but is the route through the
5373 * state table when someone issues an abort while in COOKIE_ECHOED state.
5378 enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort(
5380 const struct sctp_endpoint *ep,
5381 const struct sctp_association *asoc,
5382 const union sctp_subtype type,
5384 struct sctp_cmd_seq *commands)
5386 /* The same T2 timer, so we should be able to use
5387 * common function with the SHUTDOWN-SENT state.
5389 return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5393 * Process the REQUESTHEARTBEAT primitive
5396 * J) Request Heartbeat
5398 * Format: REQUESTHEARTBEAT(association id, destination transport address)
5402 * Instructs the local endpoint to perform a HeartBeat on the specified
5403 * destination transport address of the given association. The returned
5404 * result should indicate whether the transmission of the HEARTBEAT
5405 * chunk to the destination address is successful.
5407 * Mandatory attributes:
5409 * o association id - local handle to the SCTP association
5411 * o destination transport address - the transport address of the
5412 * association on which a heartbeat should be issued.
5414 enum sctp_disposition sctp_sf_do_prm_requestheartbeat(
5416 const struct sctp_endpoint *ep,
5417 const struct sctp_association *asoc,
5418 const union sctp_subtype type,
5420 struct sctp_cmd_seq *commands)
5422 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5423 (struct sctp_transport *)arg, commands))
5424 return SCTP_DISPOSITION_NOMEM;
5427 * RFC 2960 (bis), section 8.3
5429 * D) Request an on-demand HEARTBEAT on a specific destination
5430 * transport address of a given association.
5432 * The endpoint should increment the respective error counter of
5433 * the destination transport address each time a HEARTBEAT is sent
5434 * to that address and not acknowledged within one RTO.
5437 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5438 SCTP_TRANSPORT(arg));
5439 return SCTP_DISPOSITION_CONSUME;
5443 * ADDIP Section 4.1 ASCONF Chunk Procedures
5444 * When an endpoint has an ASCONF signaled change to be sent to the
5445 * remote endpoint it should do A1 to A9
5447 enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net,
5448 const struct sctp_endpoint *ep,
5449 const struct sctp_association *asoc,
5450 const union sctp_subtype type,
5452 struct sctp_cmd_seq *commands)
5454 struct sctp_chunk *chunk = arg;
5456 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5457 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5458 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5459 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5460 return SCTP_DISPOSITION_CONSUME;
5463 /* RE-CONFIG Section 5.1 RECONF Chunk Procedures */
5464 enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net,
5465 const struct sctp_endpoint *ep,
5466 const struct sctp_association *asoc,
5467 const union sctp_subtype type,
5469 struct sctp_cmd_seq *commands)
5471 struct sctp_chunk *chunk = arg;
5473 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5474 return SCTP_DISPOSITION_CONSUME;
5478 * Ignore the primitive event
5480 * The return value is the disposition of the primitive.
5482 enum sctp_disposition sctp_sf_ignore_primitive(
5484 const struct sctp_endpoint *ep,
5485 const struct sctp_association *asoc,
5486 const union sctp_subtype type,
5488 struct sctp_cmd_seq *commands)
5490 pr_debug("%s: primitive type:%d is ignored\n", __func__,
5493 return SCTP_DISPOSITION_DISCARD;
5496 /***************************************************************************
5497 * These are the state functions for the OTHER events.
5498 ***************************************************************************/
5501 * When the SCTP stack has no more user data to send or retransmit, this
5502 * notification is given to the user. Also, at the time when a user app
5503 * subscribes to this event, if there is no data to be sent or
5504 * retransmit, the stack will immediately send up this notification.
5506 enum sctp_disposition sctp_sf_do_no_pending_tsn(
5508 const struct sctp_endpoint *ep,
5509 const struct sctp_association *asoc,
5510 const union sctp_subtype type,
5512 struct sctp_cmd_seq *commands)
5514 struct sctp_ulpevent *event;
5516 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5518 return SCTP_DISPOSITION_NOMEM;
5520 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5522 return SCTP_DISPOSITION_CONSUME;
5526 * Start the shutdown negotiation.
5529 * Once all its outstanding data has been acknowledged, the endpoint
5530 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5531 * TSN Ack field the last sequential TSN it has received from the peer.
5532 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5533 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5534 * with the updated last sequential TSN received from its peer.
5536 * The return value is the disposition.
5538 enum sctp_disposition sctp_sf_do_9_2_start_shutdown(
5540 const struct sctp_endpoint *ep,
5541 const struct sctp_association *asoc,
5542 const union sctp_subtype type,
5544 struct sctp_cmd_seq *commands)
5546 struct sctp_chunk *reply;
5548 /* Once all its outstanding data has been acknowledged, the
5549 * endpoint shall send a SHUTDOWN chunk to its peer including
5550 * in the Cumulative TSN Ack field the last sequential TSN it
5551 * has received from the peer.
5553 reply = sctp_make_shutdown(asoc, arg);
5557 /* Set the transport for the SHUTDOWN chunk and the timeout for the
5558 * T2-shutdown timer.
5560 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5562 /* It shall then start the T2-shutdown timer */
5563 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5564 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5566 /* RFC 4960 Section 9.2
5567 * The sender of the SHUTDOWN MAY also start an overall guard timer
5568 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5570 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5571 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5573 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5574 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5575 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5577 /* and enter the SHUTDOWN-SENT state. */
5578 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5579 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5581 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5583 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5586 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5588 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5590 return SCTP_DISPOSITION_CONSUME;
5593 return SCTP_DISPOSITION_NOMEM;
5597 * Generate a SHUTDOWN ACK now that everything is SACK'd.
5601 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5602 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5603 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5604 * endpoint must re-send the SHUTDOWN ACK.
5606 * The return value is the disposition.
5608 enum sctp_disposition sctp_sf_do_9_2_shutdown_ack(
5610 const struct sctp_endpoint *ep,
5611 const struct sctp_association *asoc,
5612 const union sctp_subtype type,
5614 struct sctp_cmd_seq *commands)
5616 struct sctp_chunk *chunk = arg;
5617 struct sctp_chunk *reply;
5619 /* There are 2 ways of getting here:
5620 * 1) called in response to a SHUTDOWN chunk
5621 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5623 * For the case (2), the arg parameter is set to NULL. We need
5624 * to check that we have a chunk before accessing it's fields.
5627 if (!sctp_vtag_verify(chunk, asoc))
5628 return sctp_sf_pdiscard(net, ep, asoc, type, arg,
5631 /* Make sure that the SHUTDOWN chunk has a valid length. */
5632 if (!sctp_chunk_length_valid(
5633 chunk, sizeof(struct sctp_shutdown_chunk)))
5634 return sctp_sf_violation_chunklen(net, ep, asoc, type,
5638 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5639 * shall send a SHUTDOWN ACK ...
5641 reply = sctp_make_shutdown_ack(asoc, chunk);
5645 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5646 * the T2-shutdown timer.
5648 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5650 /* and start/restart a T2-shutdown timer of its own, */
5651 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5652 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5654 if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
5655 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5656 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5658 /* Enter the SHUTDOWN-ACK-SENT state. */
5659 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5660 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5662 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5664 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5667 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5669 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5671 return SCTP_DISPOSITION_CONSUME;
5674 return SCTP_DISPOSITION_NOMEM;
5678 * Ignore the event defined as other
5680 * The return value is the disposition of the event.
5682 enum sctp_disposition sctp_sf_ignore_other(struct net *net,
5683 const struct sctp_endpoint *ep,
5684 const struct sctp_association *asoc,
5685 const union sctp_subtype type,
5687 struct sctp_cmd_seq *commands)
5689 pr_debug("%s: the event other type:%d is ignored\n",
5690 __func__, type.other);
5692 return SCTP_DISPOSITION_DISCARD;
5695 /************************************************************
5696 * These are the state functions for handling timeout events.
5697 ************************************************************/
5702 * Section: 6.3.3 Handle T3-rtx Expiration
5704 * Whenever the retransmission timer T3-rtx expires for a destination
5705 * address, do the following:
5708 * The return value is the disposition of the chunk.
5710 enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net,
5711 const struct sctp_endpoint *ep,
5712 const struct sctp_association *asoc,
5713 const union sctp_subtype type,
5715 struct sctp_cmd_seq *commands)
5717 struct sctp_transport *transport = arg;
5719 SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
5721 if (asoc->overall_error_count >= asoc->max_retrans) {
5722 if (asoc->peer.zero_window_announced &&
5723 asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5725 * We are here likely because the receiver had its rwnd
5726 * closed for a while and we have not been able to
5727 * transmit the locally queued data within the maximum
5728 * retransmission attempts limit. Start the T5
5729 * shutdown guard timer to give the receiver one last
5730 * chance and some additional time to recover before
5733 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5734 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5736 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5737 SCTP_ERROR(ETIMEDOUT));
5738 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5739 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5740 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5741 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5742 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5743 return SCTP_DISPOSITION_DELETE_TCB;
5747 /* E1) For the destination address for which the timer
5748 * expires, adjust its ssthresh with rules defined in Section
5749 * 7.2.3 and set the cwnd <- MTU.
5752 /* E2) For the destination address for which the timer
5753 * expires, set RTO <- RTO * 2 ("back off the timer"). The
5754 * maximum value discussed in rule C7 above (RTO.max) may be
5755 * used to provide an upper bound to this doubling operation.
5758 /* E3) Determine how many of the earliest (i.e., lowest TSN)
5759 * outstanding DATA chunks for the address for which the
5760 * T3-rtx has expired will fit into a single packet, subject
5761 * to the MTU constraint for the path corresponding to the
5762 * destination transport address to which the retransmission
5763 * is being sent (this may be different from the address for
5764 * which the timer expires [see Section 6.4]). Call this
5765 * value K. Bundle and retransmit those K DATA chunks in a
5766 * single packet to the destination endpoint.
5768 * Note: Any DATA chunks that were sent to the address for
5769 * which the T3-rtx timer expired but did not fit in one MTU
5770 * (rule E3 above), should be marked for retransmission and
5771 * sent as soon as cwnd allows (normally when a SACK arrives).
5774 /* Do some failure management (Section 8.2). */
5775 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5777 /* NB: Rules E4 and F1 are implicit in R1. */
5778 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5780 return SCTP_DISPOSITION_CONSUME;
5784 * Generate delayed SACK on timeout
5786 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
5788 * The guidelines on delayed acknowledgement algorithm specified in
5789 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
5790 * acknowledgement SHOULD be generated for at least every second packet
5791 * (not every second DATA chunk) received, and SHOULD be generated
5792 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
5793 * some situations it may be beneficial for an SCTP transmitter to be
5794 * more conservative than the algorithms detailed in this document
5795 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5796 * the following algorithms allow.
5798 enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net,
5799 const struct sctp_endpoint *ep,
5800 const struct sctp_association *asoc,
5801 const union sctp_subtype type,
5803 struct sctp_cmd_seq *commands)
5805 SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);
5806 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5807 return SCTP_DISPOSITION_CONSUME;
5811 * sctp_sf_t1_init_timer_expire
5813 * Section: 4 Note: 2
5818 * RFC 2960 Section 4 Notes
5819 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5820 * and re-start the T1-init timer without changing state. This MUST
5821 * be repeated up to 'Max.Init.Retransmits' times. After that, the
5822 * endpoint MUST abort the initialization process and report the
5823 * error to SCTP user.
5829 enum sctp_disposition sctp_sf_t1_init_timer_expire(
5831 const struct sctp_endpoint *ep,
5832 const struct sctp_association *asoc,
5833 const union sctp_subtype type,
5835 struct sctp_cmd_seq *commands)
5837 int attempts = asoc->init_err_counter + 1;
5838 struct sctp_chunk *repl = NULL;
5839 struct sctp_bind_addr *bp;
5841 pr_debug("%s: timer T1 expired (INIT)\n", __func__);
5843 SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);
5845 if (attempts <= asoc->max_init_attempts) {
5846 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5847 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5849 return SCTP_DISPOSITION_NOMEM;
5851 /* Choose transport for INIT. */
5852 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5855 /* Issue a sideeffect to do the needed accounting. */
5856 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5857 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5859 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5861 pr_debug("%s: giving up on INIT, attempts:%d "
5862 "max_init_attempts:%d\n", __func__, attempts,
5863 asoc->max_init_attempts);
5865 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5866 SCTP_ERROR(ETIMEDOUT));
5867 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5868 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5869 return SCTP_DISPOSITION_DELETE_TCB;
5872 return SCTP_DISPOSITION_CONSUME;
5876 * sctp_sf_t1_cookie_timer_expire
5878 * Section: 4 Note: 2
5883 * RFC 2960 Section 4 Notes
5884 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
5885 * COOKIE ECHO and re-start the T1-cookie timer without changing
5886 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
5887 * After that, the endpoint MUST abort the initialization process and
5888 * report the error to SCTP user.
5894 enum sctp_disposition sctp_sf_t1_cookie_timer_expire(
5896 const struct sctp_endpoint *ep,
5897 const struct sctp_association *asoc,
5898 const union sctp_subtype type,
5900 struct sctp_cmd_seq *commands)
5902 int attempts = asoc->init_err_counter + 1;
5903 struct sctp_chunk *repl = NULL;
5905 pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);
5907 SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);
5909 if (attempts <= asoc->max_init_attempts) {
5910 repl = sctp_make_cookie_echo(asoc, NULL);
5912 return SCTP_DISPOSITION_NOMEM;
5914 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5916 /* Issue a sideeffect to do the needed accounting. */
5917 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5918 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5920 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5922 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5923 SCTP_ERROR(ETIMEDOUT));
5924 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5925 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5926 return SCTP_DISPOSITION_DELETE_TCB;
5929 return SCTP_DISPOSITION_CONSUME;
5932 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5933 * with the updated last sequential TSN received from its peer.
5935 * An endpoint should limit the number of retransmissions of the
5936 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5937 * If this threshold is exceeded the endpoint should destroy the TCB and
5938 * MUST report the peer endpoint unreachable to the upper layer (and
5939 * thus the association enters the CLOSED state). The reception of any
5940 * packet from its peer (i.e. as the peer sends all of its queued DATA
5941 * chunks) should clear the endpoint's retransmission count and restart
5942 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
5943 * all of its queued DATA chunks that have not yet been sent.
5945 enum sctp_disposition sctp_sf_t2_timer_expire(
5947 const struct sctp_endpoint *ep,
5948 const struct sctp_association *asoc,
5949 const union sctp_subtype type,
5951 struct sctp_cmd_seq *commands)
5953 struct sctp_chunk *reply = NULL;
5955 pr_debug("%s: timer T2 expired\n", __func__);
5957 SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5959 ((struct sctp_association *)asoc)->shutdown_retries++;
5961 if (asoc->overall_error_count >= asoc->max_retrans) {
5962 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5963 SCTP_ERROR(ETIMEDOUT));
5964 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5965 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5966 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5967 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
5968 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
5969 return SCTP_DISPOSITION_DELETE_TCB;
5972 switch (asoc->state) {
5973 case SCTP_STATE_SHUTDOWN_SENT:
5974 reply = sctp_make_shutdown(asoc, NULL);
5977 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5978 reply = sctp_make_shutdown_ack(asoc, NULL);
5989 /* Do some failure management (Section 8.2).
5990 * If we remove the transport an SHUTDOWN was last sent to, don't
5991 * do failure management.
5993 if (asoc->shutdown_last_sent_to)
5994 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5995 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5997 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5998 * the T2-shutdown timer.
6000 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
6002 /* Restart the T2-shutdown timer. */
6003 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6004 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
6005 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6006 return SCTP_DISPOSITION_CONSUME;
6009 return SCTP_DISPOSITION_NOMEM;
6013 * ADDIP Section 4.1 ASCONF CHunk Procedures
6014 * If the T4 RTO timer expires the endpoint should do B1 to B5
6016 enum sctp_disposition sctp_sf_t4_timer_expire(
6018 const struct sctp_endpoint *ep,
6019 const struct sctp_association *asoc,
6020 const union sctp_subtype type,
6022 struct sctp_cmd_seq *commands)
6024 struct sctp_chunk *chunk = asoc->addip_last_asconf;
6025 struct sctp_transport *transport = chunk->transport;
6027 SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);
6029 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
6030 * detection on the appropriate destination address as defined in
6031 * RFC2960 [5] section 8.1 and 8.2.
6034 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
6035 SCTP_TRANSPORT(transport));
6037 /* Reconfig T4 timer and transport. */
6038 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
6040 /* ADDIP 4.1 B2) Increment the association error counters and perform
6041 * endpoint failure detection on the association as defined in
6042 * RFC2960 [5] section 8.1 and 8.2.
6043 * association error counter is incremented in SCTP_CMD_STRIKE.
6045 if (asoc->overall_error_count >= asoc->max_retrans) {
6046 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
6047 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6048 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6049 SCTP_ERROR(ETIMEDOUT));
6050 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6051 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6052 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6053 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6054 return SCTP_DISPOSITION_ABORT;
6057 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
6058 * the ASCONF chunk was sent by doubling the RTO timer value.
6059 * This is done in SCTP_CMD_STRIKE.
6062 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
6063 * choose an alternate destination address (please refer to RFC2960
6064 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
6065 * chunk, it MUST be the same (including its serial number) as the last
6068 sctp_chunk_hold(asoc->addip_last_asconf);
6069 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6070 SCTP_CHUNK(asoc->addip_last_asconf));
6072 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
6073 * destination is selected, then the RTO used will be that of the new
6074 * destination address.
6076 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
6077 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
6079 return SCTP_DISPOSITION_CONSUME;
6082 /* sctpimpguide-05 Section 2.12.2
6083 * The sender of the SHUTDOWN MAY also start an overall guard timer
6084 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
6085 * At the expiration of this timer the sender SHOULD abort the association
6086 * by sending an ABORT chunk.
6088 enum sctp_disposition sctp_sf_t5_timer_expire(
6090 const struct sctp_endpoint *ep,
6091 const struct sctp_association *asoc,
6092 const union sctp_subtype type,
6094 struct sctp_cmd_seq *commands)
6096 struct sctp_chunk *reply = NULL;
6098 pr_debug("%s: timer T5 expired\n", __func__);
6100 SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
6102 reply = sctp_make_abort(asoc, NULL, 0);
6106 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
6107 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6108 SCTP_ERROR(ETIMEDOUT));
6109 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6110 SCTP_PERR(SCTP_ERROR_NO_ERROR));
6112 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6113 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6115 return SCTP_DISPOSITION_DELETE_TCB;
6117 return SCTP_DISPOSITION_NOMEM;
6120 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
6121 * the association is automatically closed by starting the shutdown process.
6122 * The work that needs to be done is same as when SHUTDOWN is initiated by
6123 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
6125 enum sctp_disposition sctp_sf_autoclose_timer_expire(
6127 const struct sctp_endpoint *ep,
6128 const struct sctp_association *asoc,
6129 const union sctp_subtype type,
6131 struct sctp_cmd_seq *commands)
6133 enum sctp_disposition disposition;
6135 SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);
6137 /* From 9.2 Shutdown of an Association
6138 * Upon receipt of the SHUTDOWN primitive from its upper
6139 * layer, the endpoint enters SHUTDOWN-PENDING state and
6140 * remains there until all outstanding data has been
6141 * acknowledged by its peer. The endpoint accepts no new data
6142 * from its upper layer, but retransmits data to the far end
6143 * if necessary to fill gaps.
6145 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
6146 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
6148 disposition = SCTP_DISPOSITION_CONSUME;
6149 if (sctp_outq_is_empty(&asoc->outqueue)) {
6150 disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
6157 /*****************************************************************************
6158 * These are sa state functions which could apply to all types of events.
6159 ****************************************************************************/
6162 * This table entry is not implemented.
6165 * (endpoint, asoc, chunk)
6167 * The return value is the disposition of the chunk.
6169 enum sctp_disposition sctp_sf_not_impl(struct net *net,
6170 const struct sctp_endpoint *ep,
6171 const struct sctp_association *asoc,
6172 const union sctp_subtype type,
6173 void *arg, struct sctp_cmd_seq *commands)
6175 return SCTP_DISPOSITION_NOT_IMPL;
6179 * This table entry represents a bug.
6182 * (endpoint, asoc, chunk)
6184 * The return value is the disposition of the chunk.
6186 enum sctp_disposition sctp_sf_bug(struct net *net,
6187 const struct sctp_endpoint *ep,
6188 const struct sctp_association *asoc,
6189 const union sctp_subtype type,
6190 void *arg, struct sctp_cmd_seq *commands)
6192 return SCTP_DISPOSITION_BUG;
6196 * This table entry represents the firing of a timer in the wrong state.
6197 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
6198 * when the association is in the wrong state. This event should
6199 * be ignored, so as to prevent any rearming of the timer.
6202 * (endpoint, asoc, chunk)
6204 * The return value is the disposition of the chunk.
6206 enum sctp_disposition sctp_sf_timer_ignore(struct net *net,
6207 const struct sctp_endpoint *ep,
6208 const struct sctp_association *asoc,
6209 const union sctp_subtype type,
6211 struct sctp_cmd_seq *commands)
6213 pr_debug("%s: timer %d ignored\n", __func__, type.chunk);
6215 return SCTP_DISPOSITION_CONSUME;
6218 /********************************************************************
6219 * 2nd Level Abstractions
6220 ********************************************************************/
6222 /* Pull the SACK chunk based on the SACK header. */
6223 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
6225 struct sctp_sackhdr *sack;
6230 /* Protect ourselves from reading too far into
6231 * the skb from a bogus sender.
6233 sack = (struct sctp_sackhdr *) chunk->skb->data;
6235 num_blocks = ntohs(sack->num_gap_ack_blocks);
6236 num_dup_tsns = ntohs(sack->num_dup_tsns);
6237 len = sizeof(struct sctp_sackhdr);
6238 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
6239 if (len > chunk->skb->len)
6242 skb_pull(chunk->skb, len);
6247 /* Create an ABORT packet to be sent as a response, with the specified
6250 static struct sctp_packet *sctp_abort_pkt_new(
6252 const struct sctp_endpoint *ep,
6253 const struct sctp_association *asoc,
6254 struct sctp_chunk *chunk,
6255 const void *payload, size_t paylen)
6257 struct sctp_packet *packet;
6258 struct sctp_chunk *abort;
6260 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6264 * The T bit will be set if the asoc is NULL.
6266 abort = sctp_make_abort(asoc, chunk, paylen);
6268 sctp_ootb_pkt_free(packet);
6272 /* Reflect vtag if T-Bit is set */
6273 if (sctp_test_T_bit(abort))
6274 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
6276 /* Add specified error causes, i.e., payload, to the
6279 sctp_addto_chunk(abort, paylen, payload);
6281 /* Set the skb to the belonging sock for accounting. */
6282 abort->skb->sk = ep->base.sk;
6284 sctp_packet_append_chunk(packet, abort);
6291 /* Allocate a packet for responding in the OOTB conditions. */
6292 static struct sctp_packet *sctp_ootb_pkt_new(
6294 const struct sctp_association *asoc,
6295 const struct sctp_chunk *chunk)
6297 struct sctp_transport *transport;
6298 struct sctp_packet *packet;
6302 /* Get the source and destination port from the inbound packet. */
6303 sport = ntohs(chunk->sctp_hdr->dest);
6304 dport = ntohs(chunk->sctp_hdr->source);
6306 /* The V-tag is going to be the same as the inbound packet if no
6307 * association exists, otherwise, use the peer's vtag.
6310 /* Special case the INIT-ACK as there is no peer's vtag
6313 switch (chunk->chunk_hdr->type) {
6314 case SCTP_CID_INIT_ACK:
6316 struct sctp_initack_chunk *initack;
6318 initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
6319 vtag = ntohl(initack->init_hdr.init_tag);
6323 vtag = asoc->peer.i.init_tag;
6327 /* Special case the INIT and stale COOKIE_ECHO as there is no
6330 switch (chunk->chunk_hdr->type) {
6333 struct sctp_init_chunk *init;
6335 init = (struct sctp_init_chunk *)chunk->chunk_hdr;
6336 vtag = ntohl(init->init_hdr.init_tag);
6340 vtag = ntohl(chunk->sctp_hdr->vtag);
6345 /* Make a transport for the bucket, Eliza... */
6346 transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
6350 transport->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port;
6352 /* Cache a route for the transport with the chunk's destination as
6353 * the source address.
6355 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
6356 sctp_sk(net->sctp.ctl_sock));
6358 packet = &transport->packet;
6359 sctp_packet_init(packet, transport, sport, dport);
6360 sctp_packet_config(packet, vtag, 0);
6368 /* Free the packet allocated earlier for responding in the OOTB condition. */
6369 void sctp_ootb_pkt_free(struct sctp_packet *packet)
6371 sctp_transport_free(packet->transport);
6374 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
6375 static void sctp_send_stale_cookie_err(struct net *net,
6376 const struct sctp_endpoint *ep,
6377 const struct sctp_association *asoc,
6378 const struct sctp_chunk *chunk,
6379 struct sctp_cmd_seq *commands,
6380 struct sctp_chunk *err_chunk)
6382 struct sctp_packet *packet;
6385 packet = sctp_ootb_pkt_new(net, asoc, chunk);
6387 struct sctp_signed_cookie *cookie;
6389 /* Override the OOTB vtag from the cookie. */
6390 cookie = chunk->subh.cookie_hdr;
6391 packet->vtag = cookie->c.peer_vtag;
6393 /* Set the skb to the belonging sock for accounting. */
6394 err_chunk->skb->sk = ep->base.sk;
6395 sctp_packet_append_chunk(packet, err_chunk);
6396 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
6397 SCTP_PACKET(packet));
6398 SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
6400 sctp_chunk_free (err_chunk);
6405 /* Process a data chunk */
6406 static int sctp_eat_data(const struct sctp_association *asoc,
6407 struct sctp_chunk *chunk,
6408 struct sctp_cmd_seq *commands)
6410 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
6411 struct sock *sk = asoc->base.sk;
6412 struct net *net = sock_net(sk);
6413 struct sctp_datahdr *data_hdr;
6414 struct sctp_chunk *err;
6415 enum sctp_verb deliver;
6420 data_hdr = (struct sctp_datahdr *)chunk->skb->data;
6421 chunk->subh.data_hdr = data_hdr;
6422 skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream));
6424 tsn = ntohl(data_hdr->tsn);
6425 pr_debug("%s: TSN 0x%x\n", __func__, tsn);
6427 /* ASSERT: Now skb->data is really the user data. */
6429 /* Process ECN based congestion.
6431 * Since the chunk structure is reused for all chunks within
6432 * a packet, we use ecn_ce_done to track if we've already
6433 * done CE processing for this packet.
6435 * We need to do ECN processing even if we plan to discard the
6439 if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) {
6440 struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af;
6441 chunk->ecn_ce_done = 1;
6443 if (af->is_ce(sctp_gso_headskb(chunk->skb))) {
6444 /* Do real work as sideffect. */
6445 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6450 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6452 /* The TSN is too high--silently discard the chunk and
6453 * count on it getting retransmitted later.
6456 chunk->asoc->stats.outofseqtsns++;
6457 return SCTP_IERROR_HIGH_TSN;
6458 } else if (tmp > 0) {
6459 /* This is a duplicate. Record it. */
6460 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6461 return SCTP_IERROR_DUP_TSN;
6464 /* This is a new TSN. */
6466 /* Discard if there is no room in the receive window.
6467 * Actually, allow a little bit of overflow (up to a MTU).
6469 datalen = ntohs(chunk->chunk_hdr->length);
6470 datalen -= sctp_datachk_len(&asoc->stream);
6472 deliver = SCTP_CMD_CHUNK_ULP;
6474 /* Think about partial delivery. */
6475 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6477 /* Even if we don't accept this chunk there is
6480 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6483 /* Spill over rwnd a little bit. Note: While allowed, this spill over
6484 * seems a bit troublesome in that frag_point varies based on
6485 * PMTU. In cases, such as loopback, this might be a rather
6488 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6489 (datalen > asoc->rwnd + asoc->frag_point))) {
6491 /* If this is the next TSN, consider reneging to make
6492 * room. Note: Playing nice with a confused sender. A
6493 * malicious sender can still eat up all our buffer
6494 * space and in the future we may want to detect and
6495 * do more drastic reneging.
6497 if (sctp_tsnmap_has_gap(map) &&
6498 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6499 pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
6500 deliver = SCTP_CMD_RENEGE;
6502 pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
6503 __func__, tsn, datalen, asoc->rwnd);
6505 return SCTP_IERROR_IGNORE_TSN;
6510 * Also try to renege to limit our memory usage in the event that
6511 * we are under memory pressure
6512 * If we can't renege, don't worry about it, the sk_rmem_schedule
6513 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6514 * memory usage too much
6516 if (sk_under_memory_pressure(sk)) {
6517 if (sctp_tsnmap_has_gap(map) &&
6518 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6519 pr_debug("%s: under pressure, reneging for tsn:%u\n",
6521 deliver = SCTP_CMD_RENEGE;
6528 * Section 3.3.10.9 No User Data (9)
6532 * No User Data: This error cause is returned to the originator of a
6533 * DATA chunk if a received DATA chunk has no user data.
6535 if (unlikely(0 == datalen)) {
6536 err = sctp_make_abort_no_data(asoc, chunk, tsn);
6538 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6541 /* We are going to ABORT, so we might as well stop
6542 * processing the rest of the chunks in the packet.
6544 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
6545 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6546 SCTP_ERROR(ECONNABORTED));
6547 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6548 SCTP_PERR(SCTP_ERROR_NO_DATA));
6549 SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
6550 SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
6551 return SCTP_IERROR_NO_DATA;
6554 chunk->data_accepted = 1;
6556 /* Note: Some chunks may get overcounted (if we drop) or overcounted
6557 * if we renege and the chunk arrives again.
6559 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
6560 SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
6562 chunk->asoc->stats.iuodchunks++;
6564 SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
6566 chunk->asoc->stats.iodchunks++;
6569 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6571 * If an endpoint receive a DATA chunk with an invalid stream
6572 * identifier, it shall acknowledge the reception of the DATA chunk
6573 * following the normal procedure, immediately send an ERROR chunk
6574 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6575 * and discard the DATA chunk.
6577 if (ntohs(data_hdr->stream) >= asoc->stream.incnt) {
6578 /* Mark tsn as received even though we drop it */
6579 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6581 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6583 sizeof(data_hdr->stream),
6586 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6588 return SCTP_IERROR_BAD_STREAM;
6591 /* Check to see if the SSN is possible for this TSN.
6592 * The biggest gap we can record is 4K wide. Since SSNs wrap
6593 * at an unsigned short, there is no way that an SSN can
6594 * wrap and for a valid TSN. We can simply check if the current
6595 * SSN is smaller then the next expected one. If it is, it wrapped
6598 if (!asoc->stream.si->validate_data(chunk))
6599 return SCTP_IERROR_PROTO_VIOLATION;
6601 /* Send the data up to the user. Note: Schedule the
6602 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6603 * chunk needs the updated rwnd.
6605 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6607 return SCTP_IERROR_NO_ERROR;
projects / linux-2.6-microblaze.git / blob