| // SPDX-License-Identifier: GPL-2.0-or-later |
| /* SCTP kernel implementation |
| * (C) Copyright IBM Corp. 2001, 2004 |
| * Copyright (c) 1999-2000 Cisco, Inc. |
| * Copyright (c) 1999-2001 Motorola, Inc. |
| * Copyright (c) 2001-2002 Intel Corp. |
| * Copyright (c) 2002 Nokia Corp. |
| * |
| * This is part of the SCTP Linux Kernel Implementation. |
| * |
| * These are the state functions for the state machine. |
| * |
| * Please send any bug reports or fixes you make to the |
| * email address(es): |
| * lksctp developers <linux-sctp@vger.kernel.org> |
| * |
| * Written or modified by: |
| * La Monte H.P. Yarroll <piggy@acm.org> |
| * Karl Knutson <karl@athena.chicago.il.us> |
| * Mathew Kotowsky <kotowsky@sctp.org> |
| * Sridhar Samudrala <samudrala@us.ibm.com> |
| * Jon Grimm <jgrimm@us.ibm.com> |
| * Hui Huang <hui.huang@nokia.com> |
| * Dajiang Zhang <dajiang.zhang@nokia.com> |
| * Daisy Chang <daisyc@us.ibm.com> |
| * Ardelle Fan <ardelle.fan@intel.com> |
| * Ryan Layer <rmlayer@us.ibm.com> |
| * Kevin Gao <kevin.gao@intel.com> |
| */ |
| |
| #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
| |
| #include <linux/types.h> |
| #include <linux/kernel.h> |
| #include <linux/ip.h> |
| #include <linux/ipv6.h> |
| #include <linux/net.h> |
| #include <linux/inet.h> |
| #include <linux/slab.h> |
| #include <net/sock.h> |
| #include <net/inet_ecn.h> |
| #include <linux/skbuff.h> |
| #include <net/sctp/sctp.h> |
| #include <net/sctp/sm.h> |
| #include <net/sctp/structs.h> |
| |
| #define CREATE_TRACE_POINTS |
| #include <trace/events/sctp.h> |
| |
| static struct sctp_packet *sctp_abort_pkt_new( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| struct sctp_chunk *chunk, |
| const void *payload, size_t paylen); |
| static int sctp_eat_data(const struct sctp_association *asoc, |
| struct sctp_chunk *chunk, |
| struct sctp_cmd_seq *commands); |
| static struct sctp_packet *sctp_ootb_pkt_new( |
| struct net *net, |
| const struct sctp_association *asoc, |
| const struct sctp_chunk *chunk); |
| static void sctp_send_stale_cookie_err(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const struct sctp_chunk *chunk, |
| struct sctp_cmd_seq *commands, |
| struct sctp_chunk *err_chunk); |
| static enum sctp_disposition sctp_sf_do_5_2_6_stale( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| static enum sctp_disposition sctp_sf_shut_8_4_5( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| static enum sctp_disposition sctp_sf_tabort_8_4_8( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| static enum sctp_disposition sctp_sf_new_encap_port( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); |
| |
| static enum sctp_disposition sctp_stop_t1_and_abort( |
| struct net *net, |
| struct sctp_cmd_seq *commands, |
| __be16 error, int sk_err, |
| const struct sctp_association *asoc, |
| struct sctp_transport *transport); |
| |
| static enum sctp_disposition sctp_sf_abort_violation( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| void *arg, |
| struct sctp_cmd_seq *commands, |
| const __u8 *payload, |
| const size_t paylen); |
| |
| static enum sctp_disposition sctp_sf_violation_chunklen( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| |
| static enum sctp_disposition sctp_sf_violation_paramlen( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, void *ext, |
| struct sctp_cmd_seq *commands); |
| |
| static enum sctp_disposition sctp_sf_violation_ctsn( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| |
| static enum sctp_disposition sctp_sf_violation_chunk( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| |
| static enum sctp_ierror sctp_sf_authenticate( |
| const struct sctp_association *asoc, |
| struct sctp_chunk *chunk); |
| |
| static enum sctp_disposition __sctp_sf_do_9_1_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands); |
| |
| static enum sctp_disposition |
| __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, void *arg, |
| struct sctp_cmd_seq *commands); |
| |
| /* Small helper function that checks if the chunk length |
| * is of the appropriate length. The 'required_length' argument |
| * is set to be the size of a specific chunk we are testing. |
| * Return Values: true = Valid length |
| * false = Invalid length |
| * |
| */ |
| static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk, |
| __u16 required_length) |
| { |
| __u16 chunk_length = ntohs(chunk->chunk_hdr->length); |
| |
| /* Previously already marked? */ |
| if (unlikely(chunk->pdiscard)) |
| return false; |
| if (unlikely(chunk_length < required_length)) |
| return false; |
| |
| return true; |
| } |
| |
| /* Check for format error in an ABORT chunk */ |
| static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) |
| { |
| struct sctp_errhdr *err; |
| |
| sctp_walk_errors(err, chunk->chunk_hdr); |
| |
| return (void *)err == (void *)chunk->chunk_end; |
| } |
| |
| /********************************************************** |
| * These are the state functions for handling chunk events. |
| **********************************************************/ |
| |
| /* |
| * Process the final SHUTDOWN COMPLETE. |
| * |
| * Section: 4 (C) (diagram), 9.2 |
| * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify |
| * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be |
| * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint |
| * should stop the T2-shutdown timer and remove all knowledge of the |
| * association (and thus the association enters the CLOSED state). |
| * |
| * Verification Tag: 8.5.1(C), sctpimpguide 2.41. |
| * C) Rules for packet carrying SHUTDOWN COMPLETE: |
| * ... |
| * - The receiver of a SHUTDOWN COMPLETE shall accept the packet |
| * if the Verification Tag field of the packet matches its own tag and |
| * the T bit is not set |
| * OR |
| * it is set to its peer's tag and the T bit is set in the Chunk |
| * Flags. |
| * Otherwise, the receiver MUST silently discard the packet |
| * and take no further action. An endpoint MUST ignore the |
| * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_4_C(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| struct sctp_ulpevent *ev; |
| |
| if (!sctp_vtag_verify_either(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* RFC 2960 6.10 Bundling |
| * |
| * An endpoint MUST NOT bundle INIT, INIT ACK or |
| * SHUTDOWN COMPLETE with any other chunks. |
| */ |
| if (!chunk->singleton) |
| return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| /* RFC 2960 10.2 SCTP-to-ULP |
| * |
| * H) SHUTDOWN COMPLETE notification |
| * |
| * When SCTP completes the shutdown procedures (section 9.2) this |
| * notification is passed to the upper layer. |
| */ |
| ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP, |
| 0, 0, 0, NULL, GFP_ATOMIC); |
| if (ev) |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(ev)); |
| |
| /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint |
| * will verify that it is in SHUTDOWN-ACK-SENT state, if it is |
| * not the chunk should be discarded. If the endpoint is in |
| * the SHUTDOWN-ACK-SENT state the endpoint should stop the |
| * T2-shutdown timer and remove all knowledge of the |
| * association (and thus the association enters the CLOSED |
| * state). |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_CLOSED)); |
| |
| SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS); |
| SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); |
| |
| return SCTP_DISPOSITION_DELETE_TCB; |
| } |
| |
| /* |
| * Respond to a normal INIT chunk. |
| * We are the side that is being asked for an association. |
| * |
| * Section: 5.1 Normal Establishment of an Association, B |
| * B) "Z" shall respond immediately with an INIT ACK chunk. The |
| * destination IP address of the INIT ACK MUST be set to the source |
| * IP address of the INIT to which this INIT ACK is responding. In |
| * the response, besides filling in other parameters, "Z" must set the |
| * Verification Tag field to Tag_A, and also provide its own |
| * Verification Tag (Tag_Z) in the Initiate Tag field. |
| * |
| * Verification Tag: Must be 0. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg, *repl, *err_chunk; |
| struct sctp_unrecognized_param *unk_param; |
| struct sctp_association *new_asoc; |
| struct sctp_packet *packet; |
| int len; |
| |
| /* 6.10 Bundling |
| * An endpoint MUST NOT bundle INIT, INIT ACK or |
| * SHUTDOWN COMPLETE with any other chunks. |
| * |
| * IG Section 2.11.2 |
| * Furthermore, we require that the receiver of an INIT chunk MUST |
| * enforce these rules by silently discarding an arriving packet |
| * with an INIT chunk that is bundled with other chunks. |
| */ |
| if (!chunk->singleton) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the INIT chunk has a valid length. |
| * Normally, this would cause an ABORT with a Protocol Violation |
| * error, but since we don't have an association, we'll |
| * just discard the packet. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* If the packet is an OOTB packet which is temporarily on the |
| * control endpoint, respond with an ABORT. |
| */ |
| if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { |
| SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* 3.1 A packet containing an INIT chunk MUST have a zero Verification |
| * Tag. |
| */ |
| if (chunk->sctp_hdr->vtag != 0) |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); |
| |
| /* If the INIT is coming toward a closing socket, we'll send back |
| * and ABORT. Essentially, this catches the race of INIT being |
| * backloged to the socket at the same time as the user issues close(). |
| * Since the socket and all its associations are going away, we |
| * can treat this OOTB |
| */ |
| if (sctp_sstate(ep->base.sk, CLOSING)) |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); |
| |
| /* Verify the INIT chunk before processing it. */ |
| err_chunk = NULL; |
| if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, |
| (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, |
| &err_chunk)) { |
| /* This chunk contains fatal error. It is to be discarded. |
| * Send an ABORT, with causes if there is any. |
| */ |
| if (err_chunk) { |
| packet = sctp_abort_pkt_new(net, ep, asoc, arg, |
| (__u8 *)(err_chunk->chunk_hdr) + |
| sizeof(struct sctp_chunkhdr), |
| ntohs(err_chunk->chunk_hdr->length) - |
| sizeof(struct sctp_chunkhdr)); |
| |
| sctp_chunk_free(err_chunk); |
| |
| if (packet) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, |
| SCTP_PACKET(packet)); |
| SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); |
| return SCTP_DISPOSITION_CONSUME; |
| } else { |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| } else { |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, |
| commands); |
| } |
| } |
| |
| /* Grab the INIT header. */ |
| chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; |
| |
| /* Tag the variable length parameters. */ |
| chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); |
| |
| new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); |
| if (!new_asoc) |
| goto nomem; |
| |
| /* Update socket peer label if first association. */ |
| if (security_sctp_assoc_request(new_asoc, chunk->skb)) { |
| sctp_association_free(new_asoc); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| |
| if (sctp_assoc_set_bind_addr_from_ep(new_asoc, |
| sctp_scope(sctp_source(chunk)), |
| GFP_ATOMIC) < 0) |
| goto nomem_init; |
| |
| /* The call, sctp_process_init(), can fail on memory allocation. */ |
| if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), |
| (struct sctp_init_chunk *)chunk->chunk_hdr, |
| GFP_ATOMIC)) |
| goto nomem_init; |
| |
| /* B) "Z" shall respond immediately with an INIT ACK chunk. */ |
| |
| /* If there are errors need to be reported for unknown parameters, |
| * make sure to reserve enough room in the INIT ACK for them. |
| */ |
| len = 0; |
| if (err_chunk) |
| len = ntohs(err_chunk->chunk_hdr->length) - |
| sizeof(struct sctp_chunkhdr); |
| |
| repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); |
| if (!repl) |
| goto nomem_init; |
| |
| /* If there are errors need to be reported for unknown parameters, |
| * include them in the outgoing INIT ACK as "Unrecognized parameter" |
| * parameter. |
| */ |
| if (err_chunk) { |
| /* Get the "Unrecognized parameter" parameter(s) out of the |
| * ERROR chunk generated by sctp_verify_init(). Since the |
| * error cause code for "unknown parameter" and the |
| * "Unrecognized parameter" type is the same, we can |
| * construct the parameters in INIT ACK by copying the |
| * ERROR causes over. |
| */ |
| unk_param = (struct sctp_unrecognized_param *) |
| ((__u8 *)(err_chunk->chunk_hdr) + |
| sizeof(struct sctp_chunkhdr)); |
| /* Replace the cause code with the "Unrecognized parameter" |
| * parameter type. |
| */ |
| sctp_addto_chunk(repl, len, unk_param); |
| sctp_chunk_free(err_chunk); |
| } |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); |
| |
| /* |
| * Note: After sending out INIT ACK with the State Cookie parameter, |
| * "Z" MUST NOT allocate any resources, nor keep any states for the |
| * new association. Otherwise, "Z" will be vulnerable to resource |
| * attacks. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); |
| |
| return SCTP_DISPOSITION_DELETE_TCB; |
| |
| nomem_init: |
| sctp_association_free(new_asoc); |
| nomem: |
| if (err_chunk) |
| sctp_chunk_free(err_chunk); |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* |
| * Respond to a normal INIT ACK chunk. |
| * We are the side that is initiating the association. |
| * |
| * Section: 5.1 Normal Establishment of an Association, C |
| * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init |
| * timer and leave COOKIE-WAIT state. "A" shall then send the State |
| * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start |
| * the T1-cookie timer, and enter the COOKIE-ECHOED state. |
| * |
| * Note: The COOKIE ECHO chunk can be bundled with any pending outbound |
| * DATA chunks, but it MUST be the first chunk in the packet and |
| * until the COOKIE ACK is returned the sender MUST NOT send any |
| * other packets to the peer. |
| * |
| * Verification Tag: 3.3.3 |
| * If the value of the Initiate Tag in a received INIT ACK chunk is |
| * found to be 0, the receiver MUST treat it as an error and close the |
| * association by transmitting an ABORT. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_init_chunk *initchunk; |
| struct sctp_chunk *chunk = arg; |
| struct sctp_chunk *err_chunk; |
| struct sctp_packet *packet; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* 6.10 Bundling |
| * An endpoint MUST NOT bundle INIT, INIT ACK or |
| * SHUTDOWN COMPLETE with any other chunks. |
| */ |
| if (!chunk->singleton) |
| return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the INIT-ACK chunk has a valid length */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| /* Grab the INIT header. */ |
| chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; |
| |
| /* Verify the INIT chunk before processing it. */ |
| err_chunk = NULL; |
| if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, |
| (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, |
| &err_chunk)) { |
| |
| enum sctp_error error = SCTP_ERROR_NO_RESOURCE; |
| |
| /* This chunk contains fatal error. It is to be discarded. |
| * Send an ABORT, with causes. If there are no causes, |
| * then there wasn't enough memory. Just terminate |
| * the association. |
| */ |
| if (err_chunk) { |
| packet = sctp_abort_pkt_new(net, ep, asoc, arg, |
| (__u8 *)(err_chunk->chunk_hdr) + |
| sizeof(struct sctp_chunkhdr), |
| ntohs(err_chunk->chunk_hdr->length) - |
| sizeof(struct sctp_chunkhdr)); |
| |
| sctp_chunk_free(err_chunk); |
| |
| if (packet) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, |
| SCTP_PACKET(packet)); |
| SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); |
| error = SCTP_ERROR_INV_PARAM; |
| } |
| } |
| |
| /* SCTP-AUTH, Section 6.3: |
| * It should be noted that if the receiver wants to tear |
| * down an association in an authenticated way only, the |
| * handling of malformed packets should not result in |
| * tearing down the association. |
| * |
| * This means that if we only want to abort associations |
| * in an authenticated way (i.e AUTH+ABORT), then we |
| * can't destroy this association just because the packet |
| * was malformed. |
| */ |
| if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); |
| return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, |
| asoc, chunk->transport); |
| } |
| |
| /* Tag the variable length parameters. Note that we never |
| * convert the parameters in an INIT chunk. |
| */ |
| chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); |
| |
| initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, |
| SCTP_PEER_INIT(initchunk)); |
| |
| /* Reset init error count upon receipt of INIT-ACK. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); |
| |
| /* 5.1 C) "A" shall stop the T1-init timer and leave |
| * COOKIE-WAIT state. "A" shall then ... start the T1-cookie |
| * timer, and enter the COOKIE-ECHOED state. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); |
| |
| /* SCTP-AUTH: generate the association shared keys so that |
| * we can potentially sign the COOKIE-ECHO. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); |
| |
| /* 5.1 C) "A" shall then send the State Cookie received in the |
| * INIT ACK chunk in a COOKIE ECHO chunk, ... |
| */ |
| /* If there is any errors to report, send the ERROR chunk generated |
| * for unknown parameters as well. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO, |
| SCTP_CHUNK(err_chunk)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk, |
| const struct sctp_association *asoc) |
| { |
| struct sctp_chunk auth; |
| |
| if (!chunk->auth_chunk) |
| return true; |
| |
| /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo |
| * is supposed to be authenticated and we have to do delayed |
| * authentication. We've just recreated the association using |
| * the information in the cookie and now it's much easier to |
| * do the authentication. |
| */ |
| |
| /* Make sure that we and the peer are AUTH capable */ |
| if (!net->sctp.auth_enable || !asoc->peer.auth_capable) |
| return false; |
| |
| /* set-up our fake chunk so that we can process it */ |
| auth.skb = chunk->auth_chunk; |
| auth.asoc = chunk->asoc; |
| auth.sctp_hdr = chunk->sctp_hdr; |
| auth.chunk_hdr = (struct sctp_chunkhdr *) |
| skb_push(chunk->auth_chunk, |
| sizeof(struct sctp_chunkhdr)); |
| skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); |
| auth.transport = chunk->transport; |
| |
| return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR; |
| } |
| |
| /* |
| * Respond to a normal COOKIE ECHO chunk. |
| * We are the side that is being asked for an association. |
| * |
| * Section: 5.1 Normal Establishment of an Association, D |
| * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply |
| * with a COOKIE ACK chunk after building a TCB and moving to |
| * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with |
| * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK |
| * chunk MUST be the first chunk in the packet. |
| * |
| * IMPLEMENTATION NOTE: An implementation may choose to send the |
| * Communication Up notification to the SCTP user upon reception |
| * of a valid COOKIE ECHO chunk. |
| * |
| * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules |
| * D) Rules for packet carrying a COOKIE ECHO |
| * |
| * - When sending a COOKIE ECHO, the endpoint MUST use the value of the |
| * Initial Tag received in the INIT ACK. |
| * |
| * - The receiver of a COOKIE ECHO follows the procedures in Section 5. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL; |
| struct sctp_association *new_asoc; |
| struct sctp_init_chunk *peer_init; |
| struct sctp_chunk *chunk = arg; |
| struct sctp_chunk *err_chk_p; |
| struct sctp_chunk *repl; |
| struct sock *sk; |
| int error = 0; |
| |
| if (asoc && !sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* If the packet is an OOTB packet which is temporarily on the |
| * control endpoint, respond with an ABORT. |
| */ |
| if (ep == sctp_sk(net->sctp.ctl_sock)->ep) { |
| SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* Make sure that the COOKIE_ECHO chunk has a valid length. |
| * In this case, we check that we have enough for at least a |
| * chunk header. More detailed verification is done |
| * in sctp_unpack_cookie(). |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| /* If the endpoint is not listening or if the number of associations |
| * on the TCP-style socket exceed the max backlog, respond with an |
| * ABORT. |
| */ |
| sk = ep->base.sk; |
| if (!sctp_sstate(sk, LISTENING) || |
| (sctp_style(sk, TCP) && sk_acceptq_is_full(sk))) |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); |
| |
| /* "Decode" the chunk. We have no optional parameters so we |
| * are in good shape. |
| */ |
| chunk->subh.cookie_hdr = |
| (struct sctp_signed_cookie *)chunk->skb->data; |
| if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - |
| sizeof(struct sctp_chunkhdr))) |
| goto nomem; |
| |
| /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint |
| * "Z" will reply with a COOKIE ACK chunk after building a TCB |
| * and moving to the ESTABLISHED state. |
| */ |
| new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, |
| &err_chk_p); |
| |
| /* FIXME: |
| * If the re-build failed, what is the proper error path |
| * from here? |
| * |
| * [We should abort the association. --piggy] |
| */ |
| if (!new_asoc) { |
| /* FIXME: Several errors are possible. A bad cookie should |
| * be silently discarded, but think about logging it too. |
| */ |
| switch (error) { |
| case -SCTP_IERROR_NOMEM: |
| goto nomem; |
| |
| case -SCTP_IERROR_STALE_COOKIE: |
| sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, |
| err_chk_p); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| case -SCTP_IERROR_BAD_SIG: |
| default: |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| } |
| |
| if (security_sctp_assoc_request(new_asoc, chunk->skb)) { |
| sctp_association_free(new_asoc); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* Delay state machine commands until later. |
| * |
| * Re-build the bind address for the association is done in |
| * the sctp_unpack_cookie() already. |
| */ |
| /* This is a brand-new association, so these are not yet side |
| * effects--it is safe to run them here. |
| */ |
| peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; |
| |
| if (!sctp_process_init(new_asoc, chunk, |
| &chunk->subh.cookie_hdr->c.peer_addr, |
| peer_init, GFP_ATOMIC)) |
| goto nomem_init; |
| |
| /* SCTP-AUTH: Now that we've populate required fields in |
| * sctp_process_init, set up the association shared keys as |
| * necessary so that we can potentially authenticate the ACK |
| */ |
| error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); |
| if (error) |
| goto nomem_init; |
| |
| if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) { |
| sctp_association_free(new_asoc); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| |
| repl = sctp_make_cookie_ack(new_asoc, chunk); |
| if (!repl) |
| goto nomem_init; |
| |
| /* RFC 2960 5.1 Normal Establishment of an Association |
| * |
| * D) IMPLEMENTATION NOTE: An implementation may choose to |
| * send the Communication Up notification to the SCTP user |
| * upon reception of a valid COOKIE ECHO chunk. |
| */ |
| ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0, |
| new_asoc->c.sinit_num_ostreams, |
| new_asoc->c.sinit_max_instreams, |
| NULL, GFP_ATOMIC); |
| if (!ev) |
| goto nomem_ev; |
| |
| /* Sockets API Draft Section 5.3.1.6 |
| * When a peer sends a Adaptation Layer Indication parameter , SCTP |
| * delivers this notification to inform the application that of the |
| * peers requested adaptation layer. |
| */ |
| if (new_asoc->peer.adaptation_ind) { |
| ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc, |
| GFP_ATOMIC); |
| if (!ai_ev) |
| goto nomem_aiev; |
| } |
| |
| if (!new_asoc->peer.auth_capable) { |
| auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0, |
| SCTP_AUTH_NO_AUTH, |
| GFP_ATOMIC); |
| if (!auth_ev) |
| goto nomem_authev; |
| } |
| |
| /* Add all the state machine commands now since we've created |
| * everything. This way we don't introduce memory corruptions |
| * during side-effect processing and correctly count established |
| * associations. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_ESTABLISHED)); |
| SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); |
| SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS); |
| sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); |
| |
| if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); |
| |
| /* This will send the COOKIE ACK */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); |
| |
| /* Queue the ASSOC_CHANGE event */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); |
| |
| /* Send up the Adaptation Layer Indication event */ |
| if (ai_ev) |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(ai_ev)); |
| |
| if (auth_ev) |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(auth_ev)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| |
| nomem_authev: |
| sctp_ulpevent_free(ai_ev); |
| nomem_aiev: |
| sctp_ulpevent_free(ev); |
| nomem_ev: |
| sctp_chunk_free(repl); |
| nomem_init: |
| sctp_association_free(new_asoc); |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* |
| * Respond to a normal COOKIE ACK chunk. |
| * We are the side that is asking for an association. |
| * |
| * RFC 2960 5.1 Normal Establishment of an Association |
| * |
| * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the |
| * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie |
| * timer. It may also notify its ULP about the successful |
| * establishment of the association with a Communication Up |
| * notification (see Section 10). |
| * |
| * Verification Tag: |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| struct sctp_ulpevent *ev; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Verify that the chunk length for the COOKIE-ACK is OK. |
| * If we don't do this, any bundled chunks may be junked. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| /* Reset init error count upon receipt of COOKIE-ACK, |
| * to avoid problems with the management of this |
| * counter in stale cookie situations when a transition back |
| * from the COOKIE-ECHOED state to the COOKIE-WAIT |
| * state is performed. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); |
| |
| /* Set peer label for connection. */ |
| security_inet_conn_established(ep->base.sk, chunk->skb); |
| |
| /* RFC 2960 5.1 Normal Establishment of an Association |
| * |
| * E) Upon reception of the COOKIE ACK, endpoint "A" will move |
| * from the COOKIE-ECHOED state to the ESTABLISHED state, |
| * stopping the T1-cookie timer. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_ESTABLISHED)); |
| SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); |
| SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS); |
| sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); |
| if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); |
| |
| /* It may also notify its ULP about the successful |
| * establishment of the association with a Communication Up |
| * notification (see Section 10). |
| */ |
| ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP, |
| 0, asoc->c.sinit_num_ostreams, |
| asoc->c.sinit_max_instreams, |
| NULL, GFP_ATOMIC); |
| |
| if (!ev) |
| goto nomem; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); |
| |
| /* Sockets API Draft Section 5.3.1.6 |
| * When a peer sends a Adaptation Layer Indication parameter , SCTP |
| * delivers this notification to inform the application that of the |
| * peers requested adaptation layer. |
| */ |
| if (asoc->peer.adaptation_ind) { |
| ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC); |
| if (!ev) |
| goto nomem; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(ev)); |
| } |
| |
| if (!asoc->peer.auth_capable) { |
| ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH, |
| GFP_ATOMIC); |
| if (!ev) |
| goto nomem; |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(ev)); |
| } |
| |
| return SCTP_DISPOSITION_CONSUME; |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* Generate and sendout a heartbeat packet. */ |
| static enum sctp_disposition sctp_sf_heartbeat( |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_transport *transport = (struct sctp_transport *) arg; |
| struct sctp_chunk *reply; |
| |
| /* Send a heartbeat to our peer. */ |
| reply = sctp_make_heartbeat(asoc, transport, 0); |
| if (!reply) |
| return SCTP_DISPOSITION_NOMEM; |
| |
| /* Set rto_pending indicating that an RTT measurement |
| * is started with this heartbeat chunk. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING, |
| SCTP_TRANSPORT(transport)); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* Generate a HEARTBEAT packet on the given transport. */ |
| enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_transport *transport = (struct sctp_transport *) arg; |
| |
| if (asoc->overall_error_count >= asoc->max_retrans) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, |
| SCTP_ERROR(ETIMEDOUT)); |
| /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, |
| SCTP_PERR(SCTP_ERROR_NO_ERROR)); |
| SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); |
| SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); |
| return SCTP_DISPOSITION_DELETE_TCB; |
| } |
| |
| /* Section 3.3.5. |
| * The Sender-specific Heartbeat Info field should normally include |
| * information about the sender's current time when this HEARTBEAT |
| * chunk is sent and the destination transport address to which this |
| * HEARTBEAT is sent (see Section 8.3). |
| */ |
| |
| if (transport->param_flags & SPP_HB_ENABLE) { |
| if (SCTP_DISPOSITION_NOMEM == |
| sctp_sf_heartbeat(ep, asoc, type, arg, |
| commands)) |
| return SCTP_DISPOSITION_NOMEM; |
| |
| /* Set transport error counter and association error counter |
| * when sending heartbeat. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT, |
| SCTP_TRANSPORT(transport)); |
| } |
| sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE, |
| SCTP_TRANSPORT(transport)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE, |
| SCTP_TRANSPORT(transport)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* resend asoc strreset_chunk. */ |
| enum sctp_disposition sctp_sf_send_reconf(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_transport *transport = arg; |
| |
| if (asoc->overall_error_count >= asoc->max_retrans) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, |
| SCTP_ERROR(ETIMEDOUT)); |
| /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, |
| SCTP_PERR(SCTP_ERROR_NO_ERROR)); |
| SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); |
| SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); |
| return SCTP_DISPOSITION_DELETE_TCB; |
| } |
| |
| sctp_chunk_hold(asoc->strreset_chunk); |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, |
| SCTP_CHUNK(asoc->strreset_chunk)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* send hb chunk with padding for PLPMUTD. */ |
| enum sctp_disposition sctp_sf_send_probe(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_transport *transport = (struct sctp_transport *)arg; |
| struct sctp_chunk *reply; |
| |
| if (!sctp_transport_pl_enabled(transport)) |
| return SCTP_DISPOSITION_CONSUME; |
| |
| if (sctp_transport_pl_send(transport)) { |
| reply = sctp_make_heartbeat(asoc, transport, transport->pl.probe_size); |
| if (!reply) |
| return SCTP_DISPOSITION_NOMEM; |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); |
| } |
| sctp_add_cmd_sf(commands, SCTP_CMD_PROBE_TIMER_UPDATE, |
| SCTP_TRANSPORT(transport)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* |
| * Process an heartbeat request. |
| * |
| * Section: 8.3 Path Heartbeat |
| * The receiver of the HEARTBEAT should immediately respond with a |
| * HEARTBEAT ACK that contains the Heartbeat Information field copied |
| * from the received HEARTBEAT chunk. |
| * |
| * Verification Tag: 8.5 Verification Tag [Normal verification] |
| * When receiving an SCTP packet, the endpoint MUST ensure that the |
| * value in the Verification Tag field of the received SCTP packet |
| * matches its own Tag. If the received Verification Tag value does not |
| * match the receiver's own tag value, the receiver shall silently |
| * discard the packet and shall not process it any further except for |
| * those cases listed in Section 8.5.1 below. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_beat_8_3(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, struct sctp_cmd_seq *commands) |
| { |
| struct sctp_paramhdr *param_hdr; |
| struct sctp_chunk *chunk = arg; |
| struct sctp_chunk *reply; |
| size_t paylen = 0; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the HEARTBEAT chunk has a valid length. */ |
| if (!sctp_chunk_length_valid(chunk, |
| sizeof(struct sctp_heartbeat_chunk))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| /* 8.3 The receiver of the HEARTBEAT should immediately |
| * respond with a HEARTBEAT ACK that contains the Heartbeat |
| * Information field copied from the received HEARTBEAT chunk. |
| */ |
| chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data; |
| param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr; |
| paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr); |
| |
| if (ntohs(param_hdr->length) > paylen) |
| return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, |
| param_hdr, commands); |
| |
| if (!pskb_pull(chunk->skb, paylen)) |
| goto nomem; |
| |
| reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen); |
| if (!reply) |
| goto nomem; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); |
| return SCTP_DISPOSITION_CONSUME; |
| |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* |
| * Process the returning HEARTBEAT ACK. |
| * |
| * Section: 8.3 Path Heartbeat |
| * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT |
| * should clear the error counter of the destination transport |
| * address to which the HEARTBEAT was sent, and mark the destination |
| * transport address as active if it is not so marked. The endpoint may |
| * optionally report to the upper layer when an inactive destination |
| * address is marked as active due to the reception of the latest |
| * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also |
| * clear the association overall error count as well (as defined |
| * in section 8.1). |
| * |
| * The receiver of the HEARTBEAT ACK should also perform an RTT |
| * measurement for that destination transport address using the time |
| * value carried in the HEARTBEAT ACK chunk. |
| * |
| * Verification Tag: 8.5 Verification Tag [Normal verification] |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_sender_hb_info *hbinfo; |
| struct sctp_chunk *chunk = arg; |
| struct sctp_transport *link; |
| unsigned long max_interval; |
| union sctp_addr from_addr; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) + |
| sizeof(*hbinfo))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data; |
| /* Make sure that the length of the parameter is what we expect */ |
| if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo)) |
| return SCTP_DISPOSITION_DISCARD; |
| |
| from_addr = hbinfo->daddr; |
| link = sctp_assoc_lookup_paddr(asoc, &from_addr); |
| |
| /* This should never happen, but lets log it if so. */ |
| if (unlikely(!link)) { |
| if (from_addr.sa.sa_family == AF_INET6) { |
| net_warn_ratelimited("%s association %p could not find address %pI6\n", |
| __func__, |
| asoc, |
| &from_addr.v6.sin6_addr); |
| } else { |
| net_warn_ratelimited("%s association %p could not find address %pI4\n", |
| __func__, |
| asoc, |
| &from_addr.v4.sin_addr.s_addr); |
| } |
| return SCTP_DISPOSITION_DISCARD; |
| } |
| |
| /* Validate the 64-bit random nonce. */ |
| if (hbinfo->hb_nonce != link->hb_nonce) |
| return SCTP_DISPOSITION_DISCARD; |
| |
| if (hbinfo->probe_size) { |
| if (hbinfo->probe_size != link->pl.probe_size || |
| !sctp_transport_pl_enabled(link)) |
| return SCTP_DISPOSITION_DISCARD; |
| |
| if (sctp_transport_pl_recv(link)) |
| return SCTP_DISPOSITION_CONSUME; |
| |
| return sctp_sf_send_probe(net, ep, asoc, type, link, commands); |
| } |
| |
| max_interval = link->hbinterval + link->rto; |
| |
| /* Check if the timestamp looks valid. */ |
| if (time_after(hbinfo->sent_at, jiffies) || |
| time_after(jiffies, hbinfo->sent_at + max_interval)) { |
| pr_debug("%s: HEARTBEAT ACK with invalid timestamp received " |
| "for transport:%p\n", __func__, link); |
| |
| return SCTP_DISPOSITION_DISCARD; |
| } |
| |
| /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of |
| * the HEARTBEAT should clear the error counter of the |
| * destination transport address to which the HEARTBEAT was |
| * sent and mark the destination transport address as active if |
| * it is not so marked. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* Helper function to send out an abort for the restart |
| * condition. |
| */ |
| static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa, |
| struct sctp_chunk *init, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family); |
| union sctp_addr_param *addrparm; |
| struct sctp_errhdr *errhdr; |
| char buffer[sizeof(*errhdr) + sizeof(*addrparm)]; |
| struct sctp_endpoint *ep; |
| struct sctp_packet *pkt; |
| int len; |
| |
| /* Build the error on the stack. We are way to malloc crazy |
| * throughout the code today. |
| */ |
| errhdr = (struct sctp_errhdr *)buffer; |
| addrparm = (union sctp_addr_param *)errhdr->variable; |
| |
| /* Copy into a parm format. */ |
| len = af->to_addr_param(ssa, addrparm); |
| len += sizeof(*errhdr); |
| |
| errhdr->cause = SCTP_ERROR_RESTART; |
| errhdr->length = htons(len); |
| |
| /* Assign to the control socket. */ |
| ep = sctp_sk(net->sctp.ctl_sock)->ep; |
| |
| /* Association is NULL since this may be a restart attack and we |
| * want to send back the attacker's vtag. |
| */ |
| pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len); |
| |
| if (!pkt) |
| goto out; |
| sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt)); |
| |
| SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); |
| |
| /* Discard the rest of the inbound packet. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); |
| |
| out: |
| /* Even if there is no memory, treat as a failure so |
| * the packet will get dropped. |
| */ |
| return 0; |
| } |
| |
| static bool list_has_sctp_addr(const struct list_head *list, |
| union sctp_addr *ipaddr) |
| { |
| struct sctp_transport *addr; |
| |
| list_for_each_entry(addr, list, transports) { |
| if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr)) |
| return true; |
| } |
| |
| return false; |
| } |
| /* A restart is occurring, check to make sure no new addresses |
| * are being added as we may be under a takeover attack. |
| */ |
| static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc, |
| const struct sctp_association *asoc, |
| struct sctp_chunk *init, |
| struct sctp_cmd_seq *commands) |
| { |
| struct net *net = new_asoc->base.net; |
| struct sctp_transport *new_addr; |
| int ret = 1; |
| |
| /* Implementor's Guide - Section 5.2.2 |
| * ... |
| * Before responding the endpoint MUST check to see if the |
| * unexpected INIT adds new addresses to the association. If new |
| * addresses are added to the association, the endpoint MUST respond |
| * with an ABORT.. |
| */ |
| |
| /* Search through all current addresses and make sure |
| * we aren't adding any new ones. |
| */ |
| list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list, |
| transports) { |
| if (!list_has_sctp_addr(&asoc->peer.transport_addr_list, |
| &new_addr->ipaddr)) { |
| sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init, |
| commands); |
| ret = 0; |
| break; |
| } |
| } |
| |
| /* Return success if all addresses were found. */ |
| return ret; |
| } |
| |
| /* Populate the verification/tie tags based on overlapping INIT |
| * scenario. |
| * |
| * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state. |
| */ |
| static void sctp_tietags_populate(struct sctp_association *new_asoc, |
| const struct sctp_association *asoc) |
| { |
| switch (asoc->state) { |
| |
| /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */ |
| |
| case SCTP_STATE_COOKIE_WAIT: |
| new_asoc->c.my_vtag = asoc->c.my_vtag; |
| new_asoc->c.my_ttag = asoc->c.my_vtag; |
| new_asoc->c.peer_ttag = 0; |
| break; |
| |
| case SCTP_STATE_COOKIE_ECHOED: |
| new_asoc->c.my_vtag = asoc->c.my_vtag; |
| new_asoc->c.my_ttag = asoc->c.my_vtag; |
| new_asoc->c.peer_ttag = asoc->c.peer_vtag; |
| break; |
| |
| /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED, |
| * COOKIE-WAIT and SHUTDOWN-ACK-SENT |
| */ |
| default: |
| new_asoc->c.my_ttag = asoc->c.my_vtag; |
| new_asoc->c.peer_ttag = asoc->c.peer_vtag; |
| break; |
| } |
| |
| /* Other parameters for the endpoint SHOULD be copied from the |
| * existing parameters of the association (e.g. number of |
| * outbound streams) into the INIT ACK and cookie. |
| */ |
| new_asoc->rwnd = asoc->rwnd; |
| new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams; |
| new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams; |
| new_asoc->c.initial_tsn = asoc->c.initial_tsn; |
| } |
| |
| /* |
| * Compare vtag/tietag values to determine unexpected COOKIE-ECHO |
| * handling action. |
| * |
| * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists. |
| * |
| * Returns value representing action to be taken. These action values |
| * correspond to Action/Description values in RFC 2960, Table 2. |
| */ |
| static char sctp_tietags_compare(struct sctp_association *new_asoc, |
| const struct sctp_association *asoc) |
| { |
| /* In this case, the peer may have restarted. */ |
| if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && |
| (asoc->c.peer_vtag != new_asoc->c.peer_vtag) && |
| (asoc->c.my_vtag == new_asoc->c.my_ttag) && |
| (asoc->c.peer_vtag == new_asoc->c.peer_ttag)) |
| return 'A'; |
| |
| /* Collision case B. */ |
| if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && |
| ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) || |
| (0 == asoc->c.peer_vtag))) { |
| return 'B'; |
| } |
| |
| /* Collision case D. */ |
| if ((asoc->c.my_vtag == new_asoc->c.my_vtag) && |
| (asoc->c.peer_vtag == new_asoc->c.peer_vtag)) |
| return 'D'; |
| |
| /* Collision case C. */ |
| if ((asoc->c.my_vtag != new_asoc->c.my_vtag) && |
| (asoc->c.peer_vtag == new_asoc->c.peer_vtag) && |
| (0 == new_asoc->c.my_ttag) && |
| (0 == new_asoc->c.peer_ttag)) |
| return 'C'; |
| |
| /* No match to any of the special cases; discard this packet. */ |
| return 'E'; |
| } |
| |
| /* Common helper routine for both duplicate and simultaneous INIT |
| * chunk handling. |
| */ |
| static enum sctp_disposition sctp_sf_do_unexpected_init( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg, *repl, *err_chunk; |
| struct sctp_unrecognized_param *unk_param; |
| struct sctp_association *new_asoc; |
| enum sctp_disposition retval; |
| struct sctp_packet *packet; |
| int len; |
| |
| /* 6.10 Bundling |
| * An endpoint MUST NOT bundle INIT, INIT ACK or |
| * SHUTDOWN COMPLETE with any other chunks. |
| * |
| * IG Section 2.11.2 |
| * Furthermore, we require that the receiver of an INIT chunk MUST |
| * enforce these rules by silently discarding an arriving packet |
| * with an INIT chunk that is bundled with other chunks. |
| */ |
| if (!chunk->singleton) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the INIT chunk has a valid length. */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* 3.1 A packet containing an INIT chunk MUST have a zero Verification |
| * Tag. |
| */ |
| if (chunk->sctp_hdr->vtag != 0) |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); |
| |
| if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port) |
| return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands); |
| |
| /* Grab the INIT header. */ |
| chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; |
| |
| /* Tag the variable length parameters. */ |
| chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr)); |
| |
| /* Verify the INIT chunk before processing it. */ |
| err_chunk = NULL; |
| if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type, |
| (struct sctp_init_chunk *)chunk->chunk_hdr, chunk, |
| &err_chunk)) { |
| /* This chunk contains fatal error. It is to be discarded. |
| * Send an ABORT, with causes if there is any. |
| */ |
| if (err_chunk) { |
| packet = sctp_abort_pkt_new(net, ep, asoc, arg, |
| (__u8 *)(err_chunk->chunk_hdr) + |
| sizeof(struct sctp_chunkhdr), |
| ntohs(err_chunk->chunk_hdr->length) - |
| sizeof(struct sctp_chunkhdr)); |
| |
| if (packet) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, |
| SCTP_PACKET(packet)); |
| SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); |
| retval = SCTP_DISPOSITION_CONSUME; |
| } else { |
| retval = SCTP_DISPOSITION_NOMEM; |
| } |
| goto cleanup; |
| } else { |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, |
| commands); |
| } |
| } |
| |
| /* |
| * Other parameters for the endpoint SHOULD be copied from the |
| * existing parameters of the association (e.g. number of |
| * outbound streams) into the INIT ACK and cookie. |
| * FIXME: We are copying parameters from the endpoint not the |
| * association. |
| */ |
| new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC); |
| if (!new_asoc) |
| goto nomem; |
| |
| /* Update socket peer label if first association. */ |
| if (security_sctp_assoc_request(new_asoc, chunk->skb)) { |
| sctp_association_free(new_asoc); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| |
| if (sctp_assoc_set_bind_addr_from_ep(new_asoc, |
| sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0) |
| goto nomem; |
| |
| /* In the outbound INIT ACK the endpoint MUST copy its current |
| * Verification Tag and Peers Verification tag into a reserved |
| * place (local tie-tag and per tie-tag) within the state cookie. |
| */ |
| if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), |
| (struct sctp_init_chunk *)chunk->chunk_hdr, |
| GFP_ATOMIC)) |
| goto nomem; |
| |
| /* Make sure no new addresses are being added during the |
| * restart. Do not do this check for COOKIE-WAIT state, |
| * since there are no peer addresses to check against. |
| * Upon return an ABORT will have been sent if needed. |
| */ |
| if (!sctp_state(asoc, COOKIE_WAIT)) { |
| if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, |
| commands)) { |
| retval = SCTP_DISPOSITION_CONSUME; |
| goto nomem_retval; |
| } |
| } |
| |
| sctp_tietags_populate(new_asoc, asoc); |
| |
| /* B) "Z" shall respond immediately with an INIT ACK chunk. */ |
| |
| /* If there are errors need to be reported for unknown parameters, |
| * make sure to reserve enough room in the INIT ACK for them. |
| */ |
| len = 0; |
| if (err_chunk) { |
| len = ntohs(err_chunk->chunk_hdr->length) - |
| sizeof(struct sctp_chunkhdr); |
| } |
| |
| repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len); |
| if (!repl) |
| goto nomem; |
| |
| /* If there are errors need to be reported for unknown parameters, |
| * include them in the outgoing INIT ACK as "Unrecognized parameter" |
| * parameter. |
| */ |
| if (err_chunk) { |
| /* Get the "Unrecognized parameter" parameter(s) out of the |
| * ERROR chunk generated by sctp_verify_init(). Since the |
| * error cause code for "unknown parameter" and the |
| * "Unrecognized parameter" type is the same, we can |
| * construct the parameters in INIT ACK by copying the |
| * ERROR causes over. |
| */ |
| unk_param = (struct sctp_unrecognized_param *) |
| ((__u8 *)(err_chunk->chunk_hdr) + |
| sizeof(struct sctp_chunkhdr)); |
| /* Replace the cause code with the "Unrecognized parameter" |
| * parameter type. |
| */ |
| sctp_addto_chunk(repl, len, unk_param); |
| } |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); |
| |
| /* |
| * Note: After sending out INIT ACK with the State Cookie parameter, |
| * "Z" MUST NOT allocate any resources for this new association. |
| * Otherwise, "Z" will be vulnerable to resource attacks. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); |
| retval = SCTP_DISPOSITION_CONSUME; |
| |
| return retval; |
| |
| nomem: |
| retval = SCTP_DISPOSITION_NOMEM; |
| nomem_retval: |
| if (new_asoc) |
| sctp_association_free(new_asoc); |
| cleanup: |
| if (err_chunk) |
| sctp_chunk_free(err_chunk); |
| return retval; |
| } |
| |
| /* |
| * Handle simultaneous INIT. |
| * This means we started an INIT and then we got an INIT request from |
| * our peer. |
| * |
| * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B) |
| * This usually indicates an initialization collision, i.e., each |
| * endpoint is attempting, at about the same time, to establish an |
| * association with the other endpoint. |
| * |
| * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an |
| * endpoint MUST respond with an INIT ACK using the same parameters it |
| * sent in its original INIT chunk (including its Verification Tag, |
| * unchanged). These original parameters are combined with those from the |
| * newly received INIT chunk. The endpoint shall also generate a State |
| * Cookie with the INIT ACK. The endpoint uses the parameters sent in its |
| * INIT to calculate the State Cookie. |
| * |
| * After that, the endpoint MUST NOT change its state, the T1-init |
| * timer shall be left running and the corresponding TCB MUST NOT be |
| * destroyed. The normal procedures for handling State Cookies when |
| * a TCB exists will resolve the duplicate INITs to a single association. |
| * |
| * For an endpoint that is in the COOKIE-ECHOED state it MUST populate |
| * its Tie-Tags with the Tag information of itself and its peer (see |
| * section 5.2.2 for a description of the Tie-Tags). |
| * |
| * Verification Tag: Not explicit, but an INIT can not have a valid |
| * verification tag, so we skip the check. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_2_1_siminit( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| /* Call helper to do the real work for both simultaneous and |
| * duplicate INIT chunk handling. |
| */ |
| return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* |
| * Handle duplicated INIT messages. These are usually delayed |
| * restransmissions. |
| * |
| * Section: 5.2.2 Unexpected INIT in States Other than CLOSED, |
| * COOKIE-ECHOED and COOKIE-WAIT |
| * |
| * Unless otherwise stated, upon reception of an unexpected INIT for |
| * this association, the endpoint shall generate an INIT ACK with a |
| * State Cookie. In the outbound INIT ACK the endpoint MUST copy its |
| * current Verification Tag and peer's Verification Tag into a reserved |
| * place within the state cookie. We shall refer to these locations as |
| * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet |
| * containing this INIT ACK MUST carry a Verification Tag value equal to |
| * the Initiation Tag found in the unexpected INIT. And the INIT ACK |
| * MUST contain a new Initiation Tag (randomly generated see Section |
| * 5.3.1). Other parameters for the endpoint SHOULD be copied from the |
| * existing parameters of the association (e.g. number of outbound |
| * streams) into the INIT ACK and cookie. |
| * |
| * After sending out the INIT ACK, the endpoint shall take no further |
| * actions, i.e., the existing association, including its current state, |
| * and the corresponding TCB MUST NOT be changed. |
| * |
| * Note: Only when a TCB exists and the association is not in a COOKIE- |
| * WAIT state are the Tie-Tags populated. For a normal association INIT |
| * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be |
| * set to 0 (indicating that no previous TCB existed). The INIT ACK and |
| * State Cookie are populated as specified in section 5.2.1. |
| * |
| * Verification Tag: Not specified, but an INIT has no way of knowing |
| * what the verification tag could be, so we ignore it. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_2_2_dupinit( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| /* Call helper to do the real work for both simultaneous and |
| * duplicate INIT chunk handling. |
| */ |
| return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands); |
| } |
| |
| |
| /* |
| * Unexpected INIT-ACK handler. |
| * |
| * Section 5.2.3 |
| * If an INIT ACK received by an endpoint in any state other than the |
| * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. |
| * An unexpected INIT ACK usually indicates the processing of an old or |
| * duplicated INIT chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_2_3_initack( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| /* Per the above section, we'll discard the chunk if we have an |
| * endpoint. If this is an OOTB INIT-ACK, treat it as such. |
| */ |
| if (ep == sctp_sk(net->sctp.ctl_sock)->ep) |
| return sctp_sf_ootb(net, ep, asoc, type, arg, commands); |
| else |
| return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); |
| } |
| |
| static int sctp_sf_do_assoc_update(struct sctp_association *asoc, |
| struct sctp_association *new, |
| struct sctp_cmd_seq *cmds) |
| { |
| struct net *net = asoc->base.net; |
| struct sctp_chunk *abort; |
| |
| if (!sctp_assoc_update(asoc, new)) |
| return 0; |
| |
| abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); |
| if (abort) { |
| sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); |
| sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); |
| } |
| sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); |
| sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED, |
| SCTP_PERR(SCTP_ERROR_RSRC_LOW)); |
| SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); |
| SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); |
| |
| return -ENOMEM; |
| } |
| |
| /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') |
| * |
| * Section 5.2.4 |
| * A) In this case, the peer may have restarted. |
| */ |
| static enum sctp_disposition sctp_sf_do_dupcook_a( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| struct sctp_chunk *chunk, |
| struct sctp_cmd_seq *commands, |
| struct sctp_association *new_asoc) |
| { |
| struct sctp_init_chunk *peer_init; |
| enum sctp_disposition disposition; |
| struct sctp_ulpevent *ev; |
| struct sctp_chunk *repl; |
| struct sctp_chunk *err; |
| |
| /* new_asoc is a brand-new association, so these are not yet |
| * side effects--it is safe to run them here. |
| */ |
| peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; |
| |
| if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, |
| GFP_ATOMIC)) |
| goto nomem; |
| |
| if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) |
| goto nomem; |
| |
| if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) |
| return SCTP_DISPOSITION_DISCARD; |
| |
| /* Make sure no new addresses are being added during the |
| * restart. Though this is a pretty complicated attack |
| * since you'd have to get inside the cookie. |
| */ |
| if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) |
| return SCTP_DISPOSITION_CONSUME; |
| |
| /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes |
| * the peer has restarted (Action A), it MUST NOT setup a new |
| * association but instead resend the SHUTDOWN ACK and send an ERROR |
| * chunk with a "Cookie Received while Shutting Down" error cause to |
| * its peer. |
| */ |
| if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { |
| disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, |
| SCTP_ST_CHUNK(chunk->chunk_hdr->type), |
| chunk, commands); |
| if (SCTP_DISPOSITION_NOMEM == disposition) |
| goto nomem; |
| |
| err = sctp_make_op_error(asoc, chunk, |
| SCTP_ERROR_COOKIE_IN_SHUTDOWN, |
| NULL, 0, 0); |
| if (err) |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, |
| SCTP_CHUNK(err)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked |
| * data. Consider the optional choice of resending of this data. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_SACK)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL()); |
| |
| /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue |
| * and ASCONF-ACK cache. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); |
| |
| /* Update the content of current association. */ |
| if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) |
| goto nomem; |
| |
| repl = sctp_make_cookie_ack(asoc, chunk); |
| if (!repl) |
| goto nomem; |
| |
| /* Report association restart to upper layer. */ |
| ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, |
| asoc->c.sinit_num_ostreams, |
| asoc->c.sinit_max_instreams, |
| NULL, GFP_ATOMIC); |
| if (!ev) |
| goto nomem_ev; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); |
| if ((sctp_state(asoc, SHUTDOWN_PENDING) || |
| sctp_state(asoc, SHUTDOWN_SENT)) && |
| (sctp_sstate(asoc->base.sk, CLOSING) || |
| sock_flag(asoc->base.sk, SOCK_DEAD))) { |
| /* If the socket has been closed by user, don't |
| * transition to ESTABLISHED. Instead trigger SHUTDOWN |
| * bundled with COOKIE_ACK. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); |
| return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, |
| SCTP_ST_CHUNK(0), repl, |
| commands); |
| } else { |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_ESTABLISHED)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); |
| } |
| return SCTP_DISPOSITION_CONSUME; |
| |
| nomem_ev: |
| sctp_chunk_free(repl); |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B') |
| * |
| * Section 5.2.4 |
| * B) In this case, both sides may be attempting to start an association |
| * at about the same time but the peer endpoint started its INIT |
| * after responding to the local endpoint's INIT |
| */ |
| /* This case represents an initialization collision. */ |
| static enum sctp_disposition sctp_sf_do_dupcook_b( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| struct sctp_chunk *chunk, |
| struct sctp_cmd_seq *commands, |
| struct sctp_association *new_asoc) |
| { |
| struct sctp_init_chunk *peer_init; |
| struct sctp_chunk *repl; |
| |
| /* new_asoc is a brand-new association, so these are not yet |
| * side effects--it is safe to run them here. |
| */ |
| peer_init = &chunk->subh.cookie_hdr->c.peer_init[0]; |
| if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init, |
| GFP_ATOMIC)) |
| goto nomem; |
| |
| if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC)) |
| goto nomem; |
| |
| if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) |
| return SCTP_DISPOSITION_DISCARD; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_ESTABLISHED)); |
| if (asoc->state < SCTP_STATE_ESTABLISHED) |
| SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); |
| sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); |
| |
| /* Update the content of current association. */ |
| if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands)) |
| goto nomem; |
| |
| repl = sctp_make_cookie_ack(asoc, chunk); |
| if (!repl) |
| goto nomem; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); |
| |
| /* RFC 2960 5.1 Normal Establishment of an Association |
| * |
| * D) IMPLEMENTATION NOTE: An implementation may choose to |
| * send the Communication Up notification to the SCTP user |
| * upon reception of a valid COOKIE ECHO chunk. |
| * |
| * Sadly, this needs to be implemented as a side-effect, because |
| * we are not guaranteed to have set the association id of the real |
| * association and so these notifications need to be delayed until |
| * the association id is allocated. |
| */ |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP)); |
| |
| /* Sockets API Draft Section 5.3.1.6 |
| * When a peer sends a Adaptation Layer Indication parameter , SCTP |
| * delivers this notification to inform the application that of the |
| * peers requested adaptation layer. |
| * |
| * This also needs to be done as a side effect for the same reason as |
| * above. |
| */ |
| if (asoc->peer.adaptation_ind) |
| sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL()); |
| |
| if (!asoc->peer.auth_capable) |
| sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL()); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C') |
| * |
| * Section 5.2.4 |
| * C) In this case, the local endpoint's cookie has arrived late. |
| * Before it arrived, the local endpoint sent an INIT and received an |
| * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag |
| * but a new tag of its own. |
| */ |
| /* This case represents an initialization collision. */ |
| static enum sctp_disposition sctp_sf_do_dupcook_c( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| struct sctp_chunk *chunk, |
| struct sctp_cmd_seq *commands, |
| struct sctp_association *new_asoc) |
| { |
| /* The cookie should be silently discarded. |
| * The endpoint SHOULD NOT change states and should leave |
| * any timers running. |
| */ |
| return SCTP_DISPOSITION_DISCARD; |
| } |
| |
| /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D') |
| * |
| * Section 5.2.4 |
| * |
| * D) When both local and remote tags match the endpoint should always |
| * enter the ESTABLISHED state, if it has not already done so. |
| */ |
| /* This case represents an initialization collision. */ |
| static enum sctp_disposition sctp_sf_do_dupcook_d( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| struct sctp_chunk *chunk, |
| struct sctp_cmd_seq *commands, |
| struct sctp_association *new_asoc) |
| { |
| struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL; |
| struct sctp_chunk *repl; |
| |
| /* Clarification from Implementor's Guide: |
| * D) When both local and remote tags match the endpoint should |
| * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state. |
| * It should stop any cookie timer that may be running and send |
| * a COOKIE ACK. |
| */ |
| |
| if (!sctp_auth_chunk_verify(net, chunk, asoc)) |
| return SCTP_DISPOSITION_DISCARD; |
| |
| /* Don't accidentally move back into established state. */ |
| if (asoc->state < SCTP_STATE_ESTABLISHED) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_ESTABLISHED)); |
| SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); |
| sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, |
| SCTP_NULL()); |
| |
| /* RFC 2960 5.1 Normal Establishment of an Association |
| * |
| * D) IMPLEMENTATION NOTE: An implementation may choose |
| * to send the Communication Up notification to the |
| * SCTP user upon reception of a valid COOKIE |
| * ECHO chunk. |
| */ |
| ev = sctp_ulpevent_make_assoc_change(asoc, 0, |
| SCTP_COMM_UP, 0, |
| asoc->c.sinit_num_ostreams, |
| asoc->c.sinit_max_instreams, |
| NULL, GFP_ATOMIC); |
| if (!ev) |
| goto nomem; |
| |
| /* Sockets API Draft Section 5.3.1.6 |
| * When a peer sends a Adaptation Layer Indication parameter, |
| * SCTP delivers this notification to inform the application |
| * that of the peers requested adaptation layer. |
| */ |
| if (asoc->peer.adaptation_ind) { |
| ai_ev = sctp_ulpevent_make_adaptation_indication(asoc, |
| GFP_ATOMIC); |
| if (!ai_ev) |
| goto nomem; |
| |
| } |
| |
| if (!asoc->peer.auth_capable) { |
| auth_ev = sctp_ulpevent_make_authkey(asoc, 0, |
| SCTP_AUTH_NO_AUTH, |
| GFP_ATOMIC); |
| if (!auth_ev) |
| goto nomem; |
| } |
| } |
| |
| repl = sctp_make_cookie_ack(asoc, chunk); |
| if (!repl) |
| goto nomem; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); |
| |
| if (ev) |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(ev)); |
| if (ai_ev) |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(ai_ev)); |
| if (auth_ev) |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, |
| SCTP_ULPEVENT(auth_ev)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| |
| nomem: |
| if (auth_ev) |
| sctp_ulpevent_free(auth_ev); |
| if (ai_ev) |
| sctp_ulpevent_free(ai_ev); |
| if (ev) |
| sctp_ulpevent_free(ev); |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* |
| * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying |
| * chunk was retransmitted and then delayed in the network. |
| * |
| * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists |
| * |
| * Verification Tag: None. Do cookie validation. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_5_2_4_dupcook( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_association *new_asoc; |
| struct sctp_chunk *chunk = arg; |
| enum sctp_disposition retval; |
| struct sctp_chunk *err_chk_p; |
| int error = 0; |
| char action; |
| |
| /* Make sure that the chunk has a valid length from the protocol |
| * perspective. In this case check to make sure we have at least |
| * enough for the chunk header. Cookie length verification is |
| * done later. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { |
| if (!sctp_vtag_verify(chunk, asoc)) |
| asoc = NULL; |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* "Decode" the chunk. We have no optional parameters so we |
| * are in good shape. |
| */ |
| chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; |
| if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - |
| sizeof(struct sctp_chunkhdr))) |
| goto nomem; |
| |
| /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie |
| * of a duplicate COOKIE ECHO match the Verification Tags of the |
| * current association, consider the State Cookie valid even if |
| * the lifespan is exceeded. |
| */ |
| new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error, |
| &err_chk_p); |
| |
| /* FIXME: |
| * If the re-build failed, what is the proper error path |
| * from here? |
| * |
| * [We should abort the association. --piggy] |
| */ |
| if (!new_asoc) { |
| /* FIXME: Several errors are possible. A bad cookie should |
| * be silently discarded, but think about logging it too. |
| */ |
| switch (error) { |
| case -SCTP_IERROR_NOMEM: |
| goto nomem; |
| |
| case -SCTP_IERROR_STALE_COOKIE: |
| sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands, |
| err_chk_p); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| case -SCTP_IERROR_BAD_SIG: |
| default: |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| } |
| |
| /* Update socket peer label if first association. */ |
| if (security_sctp_assoc_request(new_asoc, chunk->skb)) { |
| sctp_association_free(new_asoc); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* Set temp so that it won't be added into hashtable */ |
| new_asoc->temp = 1; |
| |
| /* Compare the tie_tag in cookie with the verification tag of |
| * current association. |
| */ |
| action = sctp_tietags_compare(new_asoc, asoc); |
| |
| switch (action) { |
| case 'A': /* Association restart. */ |
| retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands, |
| new_asoc); |
| break; |
| |
| case 'B': /* Collision case B. */ |
| retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands, |
| new_asoc); |
| break; |
| |
| case 'C': /* Collision case C. */ |
| retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands, |
| new_asoc); |
| break; |
| |
| case 'D': /* Collision case D. */ |
| retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands, |
| new_asoc); |
| break; |
| |
| default: /* Discard packet for all others. */ |
| retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| break; |
| } |
| |
| /* Delete the temporary new association. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); |
| |
| /* Restore association pointer to provide SCTP command interpreter |
| * with a valid context in case it needs to manipulate |
| * the queues */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, |
| SCTP_ASOC((struct sctp_association *)asoc)); |
| |
| return retval; |
| |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* |
| * Process an ABORT. (SHUTDOWN-PENDING state) |
| * |
| * See sctp_sf_do_9_1_abort(). |
| */ |
| enum sctp_disposition sctp_sf_shutdown_pending_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| |
| if (!sctp_vtag_verify_either(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the ABORT chunk has a valid length. |
| * Since this is an ABORT chunk, we have to discard it |
| * because of the following text: |
| * RFC 2960, Section 3.3.7 |
| * If an endpoint receives an ABORT with a format error or for an |
| * association that doesn't exist, it MUST silently discard it. |
| * Because the length is "invalid", we can't really discard just |
| * as we do not know its true length. So, to be safe, discard the |
| * packet. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* ADD-IP: Special case for ABORT chunks |
| * F4) One special consideration is that ABORT Chunks arriving |
| * destined to the IP address being deleted MUST be |
| * ignored (see Section 5.3.1 for further details). |
| */ |
| if (SCTP_ADDR_DEL == |
| sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| if (!sctp_err_chunk_valid(chunk)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* |
| * Process an ABORT. (SHUTDOWN-SENT state) |
| * |
| * See sctp_sf_do_9_1_abort(). |
| */ |
| enum sctp_disposition sctp_sf_shutdown_sent_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| |
| if (!sctp_vtag_verify_either(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the ABORT chunk has a valid length. |
| * Since this is an ABORT chunk, we have to discard it |
| * because of the following text: |
| * RFC 2960, Section 3.3.7 |
| * If an endpoint receives an ABORT with a format error or for an |
| * association that doesn't exist, it MUST silently discard it. |
| * Because the length is "invalid", we can't really discard just |
| * as we do not know its true length. So, to be safe, discard the |
| * packet. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* ADD-IP: Special case for ABORT chunks |
| * F4) One special consideration is that ABORT Chunks arriving |
| * destined to the IP address being deleted MUST be |
| * ignored (see Section 5.3.1 for further details). |
| */ |
| if (SCTP_ADDR_DEL == |
| sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| if (!sctp_err_chunk_valid(chunk)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Stop the T2-shutdown timer. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); |
| |
| /* Stop the T5-shutdown guard timer. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD)); |
| |
| return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* |
| * Process an ABORT. (SHUTDOWN-ACK-SENT state) |
| * |
| * See sctp_sf_do_9_1_abort(). |
| */ |
| enum sctp_disposition sctp_sf_shutdown_ack_sent_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| /* The same T2 timer, so we should be able to use |
| * common function with the SHUTDOWN-SENT state. |
| */ |
| return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* |
| * Handle an Error received in COOKIE_ECHOED state. |
| * |
| * Only handle the error type of stale COOKIE Error, the other errors will |
| * be ignored. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_cookie_echoed_err( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| struct sctp_errhdr *err; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the ERROR chunk has a valid length. |
| * The parameter walking depends on this as well. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| /* Process the error here */ |
| /* FUTURE FIXME: When PR-SCTP related and other optional |
| * parms are emitted, this will have to change to handle multiple |
| * errors. |
| */ |
| sctp_walk_errors(err, chunk->chunk_hdr) { |
| if (SCTP_ERROR_STALE_COOKIE == err->cause) |
| return sctp_sf_do_5_2_6_stale(net, ep, asoc, type, |
| arg, commands); |
| } |
| |
| /* It is possible to have malformed error causes, and that |
| * will cause us to end the walk early. However, since |
| * we are discarding the packet, there should be no adverse |
| * affects. |
| */ |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* |
| * Handle a Stale COOKIE Error |
| * |
| * Section: 5.2.6 Handle Stale COOKIE Error |
| * If the association is in the COOKIE-ECHOED state, the endpoint may elect |
| * one of the following three alternatives. |
| * ... |
| * 3) Send a new INIT chunk to the endpoint, adding a Cookie |
| * Preservative parameter requesting an extension to the lifetime of |
| * the State Cookie. When calculating the time extension, an |
| * implementation SHOULD use the RTT information measured based on the |
| * previous COOKIE ECHO / ERROR exchange, and should add no more |
| * than 1 second beyond the measured RTT, due to long State Cookie |
| * lifetimes making the endpoint more subject to a replay attack. |
| * |
| * Verification Tag: Not explicit, but safe to ignore. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| static enum sctp_disposition sctp_sf_do_5_2_6_stale( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| int attempts = asoc->init_err_counter + 1; |
| struct sctp_chunk *chunk = arg, *reply; |
| struct sctp_cookie_preserve_param bht; |
| struct sctp_bind_addr *bp; |
| struct sctp_errhdr *err; |
| u32 stale; |
| |
| if (attempts > asoc->max_init_attempts) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, |
| SCTP_ERROR(ETIMEDOUT)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, |
| SCTP_PERR(SCTP_ERROR_STALE_COOKIE)); |
| return SCTP_DISPOSITION_DELETE_TCB; |
| } |
| |
| err = (struct sctp_errhdr *)(chunk->skb->data); |
| |
| /* When calculating the time extension, an implementation |
| * SHOULD use the RTT information measured based on the |
| * previous COOKIE ECHO / ERROR exchange, and should add no |
| * more than 1 second beyond the measured RTT, due to long |
| * State Cookie lifetimes making the endpoint more subject to |
| * a replay attack. |
| * Measure of Staleness's unit is usec. (1/1000000 sec) |
| * Suggested Cookie Life-span Increment's unit is msec. |
| * (1/1000 sec) |
| * In general, if you use the suggested cookie life, the value |
| * found in the field of measure of staleness should be doubled |
| * to give ample time to retransmit the new cookie and thus |
| * yield a higher probability of success on the reattempt. |
| */ |
| stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); |
| stale = (stale * 2) / 1000; |
| |
| bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE; |
| bht.param_hdr.length = htons(sizeof(bht)); |
| bht.lifespan_increment = htonl(stale); |
| |
| /* Build that new INIT chunk. */ |
| bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; |
| reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht)); |
| if (!reply) |
| goto nomem; |
| |
| sctp_addto_chunk(reply, sizeof(bht), &bht); |
| |
| /* Clear peer's init_tag cached in assoc as we are sending a new INIT */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL()); |
| |
| /* Stop pending T3-rtx and heartbeat timers */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL()); |
| sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL()); |
| |
| /* Delete non-primary peer ip addresses since we are transitioning |
| * back to the COOKIE-WAIT state |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL()); |
| |
| /* If we've sent any data bundled with COOKIE-ECHO we will need to |
| * resend |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN, |
| SCTP_TRANSPORT(asoc->peer.primary_path)); |
| |
| /* Cast away the const modifier, as we want to just |
| * rerun it through as a sideffect. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL()); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_COOKIE_WAIT)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| /* |
| * Process an ABORT. |
| * |
| * Section: 9.1 |
| * After checking the Verification Tag, the receiving endpoint shall |
| * remove the association from its record, and shall report the |
| * termination to its upper layer. |
| * |
| * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules |
| * B) Rules for packet carrying ABORT: |
| * |
| * - The endpoint shall always fill in the Verification Tag field of the |
| * outbound packet with the destination endpoint's tag value if it |
| * is known. |
| * |
| * - If the ABORT is sent in response to an OOTB packet, the endpoint |
| * MUST follow the procedure described in Section 8.4. |
| * |
| * - The receiver MUST accept the packet if the Verification Tag |
| * matches either its own tag, OR the tag of its peer. Otherwise, the |
| * receiver MUST silently discard the packet and take no further |
| * action. |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_9_1_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| |
| if (!sctp_vtag_verify_either(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the ABORT chunk has a valid length. |
| * Since this is an ABORT chunk, we have to discard it |
| * because of the following text: |
| * RFC 2960, Section 3.3.7 |
| * If an endpoint receives an ABORT with a format error or for an |
| * association that doesn't exist, it MUST silently discard it. |
| * Because the length is "invalid", we can't really discard just |
| * as we do not know its true length. So, to be safe, discard the |
| * packet. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* ADD-IP: Special case for ABORT chunks |
| * F4) One special consideration is that ABORT Chunks arriving |
| * destined to the IP address being deleted MUST be |
| * ignored (see Section 5.3.1 for further details). |
| */ |
| if (SCTP_ADDR_DEL == |
| sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| if (!sctp_err_chunk_valid(chunk)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); |
| } |
| |
| static enum sctp_disposition __sctp_sf_do_9_1_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| __be16 error = SCTP_ERROR_NO_ERROR; |
| struct sctp_chunk *chunk = arg; |
| unsigned int len; |
| |
| /* See if we have an error cause code in the chunk. */ |
| len = ntohs(chunk->chunk_hdr->length); |
| if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) |
| error = ((struct sctp_errhdr *)chunk->skb->data)->cause; |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); |
| /* ASSOC_FAILED will DELETE_TCB. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error)); |
| SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); |
| SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); |
| |
| return SCTP_DISPOSITION_ABORT; |
| } |
| |
| /* |
| * Process an ABORT. (COOKIE-WAIT state) |
| * |
| * See sctp_sf_do_9_1_abort() above. |
| */ |
| enum sctp_disposition sctp_sf_cookie_wait_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| __be16 error = SCTP_ERROR_NO_ERROR; |
| struct sctp_chunk *chunk = arg; |
| unsigned int len; |
| |
| if (!sctp_vtag_verify_either(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the ABORT chunk has a valid length. |
| * Since this is an ABORT chunk, we have to discard it |
| * because of the following text: |
| * RFC 2960, Section 3.3.7 |
| * If an endpoint receives an ABORT with a format error or for an |
| * association that doesn't exist, it MUST silently discard it. |
| * Because the length is "invalid", we can't really discard just |
| * as we do not know its true length. So, to be safe, discard the |
| * packet. |
| */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk))) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* See if we have an error cause code in the chunk. */ |
| len = ntohs(chunk->chunk_hdr->length); |
| if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) |
| error = ((struct sctp_errhdr *)chunk->skb->data)->cause; |
| |
| return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc, |
| chunk->transport); |
| } |
| |
| /* |
| * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state) |
| */ |
| enum sctp_disposition sctp_sf_cookie_wait_icmp_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR, |
| ENOPROTOOPT, asoc, |
| (struct sctp_transport *)arg); |
| } |
| |
| /* |
| * Process an ABORT. (COOKIE-ECHOED state) |
| */ |
| enum sctp_disposition sctp_sf_cookie_echoed_abort( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| /* There is a single T1 timer, so we should be able to use |
| * common function with the COOKIE-WAIT state. |
| */ |
| return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* |
| * Stop T1 timer and abort association with "INIT failed". |
| * |
| * This is common code called by several sctp_sf_*_abort() functions above. |
| */ |
| static enum sctp_disposition sctp_stop_t1_and_abort( |
| struct net *net, |
| struct sctp_cmd_seq *commands, |
| __be16 error, int sk_err, |
| const struct sctp_association *asoc, |
| struct sctp_transport *transport) |
| { |
| pr_debug("%s: ABORT received (INIT)\n", __func__); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_CLOSED)); |
| SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); |
| sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err)); |
| /* CMD_INIT_FAILED will DELETE_TCB. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, |
| SCTP_PERR(error)); |
| |
| return SCTP_DISPOSITION_ABORT; |
| } |
| |
| /* |
| * sctp_sf_do_9_2_shut |
| * |
| * Section: 9.2 |
| * Upon the reception of the SHUTDOWN, the peer endpoint shall |
| * - enter the SHUTDOWN-RECEIVED state, |
| * |
| * - stop accepting new data from its SCTP user |
| * |
| * - verify, by checking the Cumulative TSN Ack field of the chunk, |
| * that all its outstanding DATA chunks have been received by the |
| * SHUTDOWN sender. |
| * |
| * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT |
| * send a SHUTDOWN in response to a ULP request. And should discard |
| * subsequent SHUTDOWN chunks. |
| * |
| * If there are still outstanding DATA chunks left, the SHUTDOWN |
| * receiver shall continue to follow normal data transmission |
| * procedures defined in Section 6 until all outstanding DATA chunks |
| * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept |
| * new data from its SCTP user. |
| * |
| * Verification Tag: 8.5 Verification Tag [Normal verification] |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_9_2_shutdown( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| enum sctp_disposition disposition; |
| struct sctp_chunk *chunk = arg; |
| struct sctp_shutdownhdr *sdh; |
| struct sctp_ulpevent *ev; |
| __u32 ctsn; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the SHUTDOWN chunk has a valid length. */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| /* Convert the elaborate header. */ |
| sdh = (struct sctp_shutdownhdr *)chunk->skb->data; |
| skb_pull(chunk->skb, sizeof(*sdh)); |
| chunk->subh.shutdown_hdr = sdh; |
| ctsn = ntohl(sdh->cum_tsn_ack); |
| |
| if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { |
| pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, |
| asoc->ctsn_ack_point); |
| |
| return SCTP_DISPOSITION_DISCARD; |
| } |
| |
| /* If Cumulative TSN Ack beyond the max tsn currently |
| * send, terminating the association and respond to the |
| * sender with an ABORT. |
| */ |
| if (!TSN_lt(ctsn, asoc->next_tsn)) |
| return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); |
| |
| /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT |
| * When a peer sends a SHUTDOWN, SCTP delivers this notification to |
| * inform the application that it should cease sending data. |
| */ |
| ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC); |
| if (!ev) { |
| disposition = SCTP_DISPOSITION_NOMEM; |
| goto out; |
| } |
| sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); |
| |
| /* Upon the reception of the SHUTDOWN, the peer endpoint shall |
| * - enter the SHUTDOWN-RECEIVED state, |
| * - stop accepting new data from its SCTP user |
| * |
| * [This is implicit in the new state.] |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED)); |
| disposition = SCTP_DISPOSITION_CONSUME; |
| |
| if (sctp_outq_is_empty(&asoc->outqueue)) { |
| disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, |
| arg, commands); |
| } |
| |
| if (SCTP_DISPOSITION_NOMEM == disposition) |
| goto out; |
| |
| /* - verify, by checking the Cumulative TSN Ack field of the |
| * chunk, that all its outstanding DATA chunks have been |
| * received by the SHUTDOWN sender. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, |
| SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack)); |
| |
| out: |
| return disposition; |
| } |
| |
| /* |
| * sctp_sf_do_9_2_shut_ctsn |
| * |
| * Once an endpoint has reached the SHUTDOWN-RECEIVED state, |
| * it MUST NOT send a SHUTDOWN in response to a ULP request. |
| * The Cumulative TSN Ack of the received SHUTDOWN chunk |
| * MUST be processed. |
| */ |
| enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( |
| struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| struct sctp_shutdownhdr *sdh; |
| __u32 ctsn; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| /* Make sure that the SHUTDOWN chunk has a valid length. */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| sdh = (struct sctp_shutdownhdr *)chunk->skb->data; |
| ctsn = ntohl(sdh->cum_tsn_ack); |
| |
| if (TSN_lt(ctsn, asoc->ctsn_ack_point)) { |
| pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn, |
| asoc->ctsn_ack_point); |
| |
| return SCTP_DISPOSITION_DISCARD; |
| } |
| |
| /* If Cumulative TSN Ack beyond the max tsn currently |
| * send, terminating the association and respond to the |
| * sender with an ABORT. |
| */ |
| if (!TSN_lt(ctsn, asoc->next_tsn)) |
| return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands); |
| |
| /* verify, by checking the Cumulative TSN Ack field of the |
| * chunk, that all its outstanding DATA chunks have been |
| * received by the SHUTDOWN sender. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN, |
| SCTP_BE32(sdh->cum_tsn_ack)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* RFC 2960 9.2 |
| * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk |
| * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination |
| * transport addresses (either in the IP addresses or in the INIT chunk) |
| * that belong to this association, it should discard the INIT chunk and |
| * retransmit the SHUTDOWN ACK chunk. |
| */ |
| static enum sctp_disposition |
| __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| struct sctp_chunk *reply; |
| |
| /* Make sure that the chunk has a valid length */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| /* Since we are not going to really process this INIT, there |
| * is no point in verifying chunk boundaries. Just generate |
| * the SHUTDOWN ACK. |
| */ |
| reply = sctp_make_shutdown_ack(asoc, chunk); |
| if (NULL == reply) |
| goto nomem; |
| |
| /* Set the transport for the SHUTDOWN ACK chunk and the timeout for |
| * the T2-SHUTDOWN timer. |
| */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply)); |
| |
| /* and restart the T2-shutdown timer. */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); |
| |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| nomem: |
| return SCTP_DISPOSITION_NOMEM; |
| } |
| |
| enum sctp_disposition |
| sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| |
| if (!chunk->singleton) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| if (chunk->sctp_hdr->vtag != 0) |
| return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); |
| |
| return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); |
| } |
| |
| /* |
| * sctp_sf_do_ecn_cwr |
| * |
| * Section: Appendix A: Explicit Congestion Notification |
| * |
| * CWR: |
| * |
| * RFC 2481 details a specific bit for a sender to send in the header of |
| * its next outbound TCP segment to indicate to its peer that it has |
| * reduced its congestion window. This is termed the CWR bit. For |
| * SCTP the same indication is made by including the CWR chunk. |
| * This chunk contains one data element, i.e. the TSN number that |
| * was sent in the ECNE chunk. This element represents the lowest |
| * TSN number in the datagram that was originally marked with the |
| * CE bit. |
| * |
| * Verification Tag: 8.5 Verification Tag [Normal verification] |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| struct sctp_cwrhdr *cwr; |
| u32 lowest_tsn; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| cwr = (struct sctp_cwrhdr *)chunk->skb->data; |
| skb_pull(chunk->skb, sizeof(*cwr)); |
| |
| lowest_tsn = ntohl(cwr->lowest_tsn); |
| |
| /* Does this CWR ack the last sent congestion notification? */ |
| if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) { |
| /* Stop sending ECNE. */ |
| sctp_add_cmd_sf(commands, |
| SCTP_CMD_ECN_CWR, |
| SCTP_U32(lowest_tsn)); |
| } |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* |
| * sctp_sf_do_ecne |
| * |
| * Section: Appendix A: Explicit Congestion Notification |
| * |
| * ECN-Echo |
| * |
| * RFC 2481 details a specific bit for a receiver to send back in its |
| * TCP acknowledgements to notify the sender of the Congestion |
| * Experienced (CE) bit having arrived from the network. For SCTP this |
| * same indication is made by including the ECNE chunk. This chunk |
| * contains one data element, i.e. the lowest TSN associated with the IP |
| * datagram marked with the CE bit..... |
| * |
| * Verification Tag: 8.5 Verification Tag [Normal verification] |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_do_ecne(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, struct sctp_cmd_seq *commands) |
| { |
| struct sctp_chunk *chunk = arg; |
| struct sctp_ecnehdr *ecne; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| ecne = (struct sctp_ecnehdr *)chunk->skb->data; |
| skb_pull(chunk->skb, sizeof(*ecne)); |
| |
| /* If this is a newer ECNE than the last CWR packet we sent out */ |
| sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE, |
| SCTP_U32(ntohl(ecne->lowest_tsn))); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| } |
| |
| /* |
| * Section: 6.2 Acknowledgement on Reception of DATA Chunks |
| * |
| * The SCTP endpoint MUST always acknowledge the reception of each valid |
| * DATA chunk. |
| * |
| * The guidelines on delayed acknowledgement algorithm specified in |
| * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an |
| * acknowledgement SHOULD be generated for at least every second packet |
| * (not every second DATA chunk) received, and SHOULD be generated within |
| * 200 ms of the arrival of any unacknowledged DATA chunk. In some |
| * situations it may be beneficial for an SCTP transmitter to be more |
| * conservative than the algorithms detailed in this document allow. |
| * However, an SCTP transmitter MUST NOT be more aggressive than the |
| * following algorithms allow. |
| * |
| * A SCTP receiver MUST NOT generate more than one SACK for every |
| * incoming packet, other than to update the offered window as the |
| * receiving application consumes new data. |
| * |
| * Verification Tag: 8.5 Verification Tag [Normal verification] |
| * |
| * Inputs |
| * (endpoint, asoc, chunk) |
| * |
| * Outputs |
| * (asoc, reply_msg, msg_up, timers, counters) |
| * |
| * The return value is the disposition of the chunk. |
| */ |
| enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net, |
| const struct sctp_endpoint *ep, |
| const struct sctp_association *asoc, |
| const union sctp_subtype type, |
| void *arg, |
| struct sctp_cmd_seq *commands) |
| { |
| union sctp_arg force = SCTP_NOFORCE(); |
| struct sctp_chunk *chunk = arg; |
| int error; |
| |
| if (!sctp_vtag_verify(chunk, asoc)) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, |
| SCTP_NULL()); |
| return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| } |
| |
| if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| commands); |
| |
| error = sctp_eat_data(asoc, chunk, commands); |
| switch (error) { |
| case SCTP_IERROR_NO_ERROR: |
| break; |
| case SCTP_IERROR_HIGH_TSN: |
| case SCTP_IERROR_BAD_STREAM: |
| SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); |
| goto discard_noforce; |
| case SCTP_IERROR_DUP_TSN: |
| case SCTP_IERROR_IGNORE_TSN: |
| SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS); |
| goto discard_force; |
| case SCTP_IERROR_NO_DATA: |
| return SCTP_DISPOSITION_ABORT; |
| case SCTP_IERROR_PROTO_VIOLATION: |
| return sctp_sf_abort_violation(net, ep, asoc, chunk, commands, |
| (u8 *)chunk->subh.data_hdr, |
| sctp_datahdr_len(&asoc->stream)); |
| default: |
| BUG(); |
| } |
| |
| if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM) |
| force = SCTP_FORCE(); |
| |
| if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) { |
| sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART, |
| SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE)); |
| } |
| |
| /* If this is the last chunk in a packet, we need to count it |
| * toward sack generation. Note that we need to SACK every |
| * OTHER packet containing data chunks, EVEN IF WE DISCARD |
| * THEM. We elect to NOT generate SACK's if the chunk fails |
| * the verification tag test. |
| * |
| * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks |
| * |
| * The SCTP endpoint MUST always acknowledge the reception of |
| * each valid DATA chunk. |
| * |
| * The guidelines on delayed acknowledgement algorithm |
| * specified in Section 4.2 of [RFC2581] SHOULD be followed. |
| * Specifically, an acknowledgement SHOULD be generated for at |
| * least every second packet (not every second DATA chunk) |
| * received, and SHOULD be generated within 200 ms of the |
| * arrival of any unacknowledged DATA chunk. In some |
| * situations it may be beneficial for an SCTP transmitter to |
| * be more conservative than the algorithms detailed in this |
| * document allow. However, an SCTP transmitter MUST NOT be |
| * more aggressive than the following algorithms allow. |
| */ |
| if (chunk->end_of_packet) |
| sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force); |
| |
| return SCTP_DISPOSITION_CONSUME; |
| |
| discard_force: |
| /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks |
| * |
| * When a packet arrives with duplicate DATA chunk(s) and with |
| * no new DATA chunk(s), the endpoint MUST immediately send a |
| * SACK with no delay. If a packet arrives with duplicate |
| * DATA chunk(s) bundled with new DATA chunks, the endpoint |
| * MAY immediately send a SACK. Normally receipt of duplicate |
| * DATA chunks will occur when the original SACK chunk was lost |
| * and the peer's RTO has expired. The duplicate TSN number(s) |
| * SHOULD be reported in the SACK as duplicate. |
| |