1 /* SCTP kernel implementation
2 * (C) Copyright IBM Corp. 2001, 2004
3 * Copyright (c) 1999-2000 Cisco, Inc.
4 * Copyright (c) 1999-2001 Motorola, Inc.
5 * Copyright (c) 2001-2002 Intel Corp.
6 * Copyright (c) 2002 Nokia Corp.
8 * This is part of the SCTP Linux Kernel Implementation.
10 * These are the state functions for the state machine.
12 * This SCTP implementation is free software;
13 * you can redistribute it and/or modify it under the terms of
14 * the GNU General Public License as published by
15 * the Free Software Foundation; either version 2, or (at your option)
18 * This SCTP implementation is distributed in the hope that it
19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
20 * ************************
21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
22 * See the GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with GNU CC; see the file COPYING. If not, write to
26 * the Free Software Foundation, 59 Temple Place - Suite 330,
27 * Boston, MA 02111-1307, USA.
29 * Please send any bug reports or fixes you make to the
31 * lksctp developers <lksctp-developers@lists.sourceforge.net>
33 * Or submit a bug report through the following website:
34 * http://www.sf.net/projects/lksctp
36 * Written or modified by:
37 * La Monte H.P. Yarroll <piggy@acm.org>
38 * Karl Knutson <karl@athena.chicago.il.us>
39 * Mathew Kotowsky <kotowsky@sctp.org>
40 * Sridhar Samudrala <samudrala@us.ibm.com>
41 * Jon Grimm <jgrimm@us.ibm.com>
42 * Hui Huang <hui.huang@nokia.com>
43 * Dajiang Zhang <dajiang.zhang@nokia.com>
44 * Daisy Chang <daisyc@us.ibm.com>
45 * Ardelle Fan <ardelle.fan@intel.com>
46 * Ryan Layer <rmlayer@us.ibm.com>
47 * Kevin Gao <kevin.gao@intel.com>
49 * Any bugs reported given to us we will try to fix... any fixes shared will
50 * be incorporated into the next SCTP release.
53 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
55 #include <linux/types.h>
56 #include <linux/kernel.h>
58 #include <linux/ipv6.h>
59 #include <linux/net.h>
60 #include <linux/inet.h>
61 #include <linux/slab.h>
63 #include <net/inet_ecn.h>
64 #include <linux/skbuff.h>
65 #include <net/sctp/sctp.h>
66 #include <net/sctp/sm.h>
67 #include <net/sctp/structs.h>
69 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
70 const struct sctp_association *asoc,
71 struct sctp_chunk *chunk,
74 static int sctp_eat_data(const struct sctp_association *asoc,
75 struct sctp_chunk *chunk,
76 sctp_cmd_seq_t *commands);
77 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
78 const struct sctp_chunk *chunk);
79 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
80 const struct sctp_association *asoc,
81 const struct sctp_chunk *chunk,
82 sctp_cmd_seq_t *commands,
83 struct sctp_chunk *err_chunk);
84 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
85 const struct sctp_association *asoc,
86 const sctp_subtype_t type,
88 sctp_cmd_seq_t *commands);
89 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
90 const struct sctp_association *asoc,
91 const sctp_subtype_t type,
93 sctp_cmd_seq_t *commands);
94 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
95 const struct sctp_association *asoc,
96 const sctp_subtype_t type,
98 sctp_cmd_seq_t *commands);
99 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
101 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
102 __be16 error, int sk_err,
103 const struct sctp_association *asoc,
104 struct sctp_transport *transport);
106 static sctp_disposition_t sctp_sf_abort_violation(
107 const struct sctp_endpoint *ep,
108 const struct sctp_association *asoc,
110 sctp_cmd_seq_t *commands,
112 const size_t paylen);
114 static sctp_disposition_t sctp_sf_violation_chunklen(
115 const struct sctp_endpoint *ep,
116 const struct sctp_association *asoc,
117 const sctp_subtype_t type,
119 sctp_cmd_seq_t *commands);
121 static sctp_disposition_t sctp_sf_violation_paramlen(
122 const struct sctp_endpoint *ep,
123 const struct sctp_association *asoc,
124 const sctp_subtype_t type,
125 void *arg, void *ext,
126 sctp_cmd_seq_t *commands);
128 static sctp_disposition_t sctp_sf_violation_ctsn(
129 const struct sctp_endpoint *ep,
130 const struct sctp_association *asoc,
131 const sctp_subtype_t type,
133 sctp_cmd_seq_t *commands);
135 static sctp_disposition_t sctp_sf_violation_chunk(
136 const struct sctp_endpoint *ep,
137 const struct sctp_association *asoc,
138 const sctp_subtype_t type,
140 sctp_cmd_seq_t *commands);
142 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
143 const struct sctp_association *asoc,
144 const sctp_subtype_t type,
145 struct sctp_chunk *chunk);
147 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
148 const struct sctp_association *asoc,
149 const sctp_subtype_t type,
151 sctp_cmd_seq_t *commands);
153 /* Small helper function that checks if the chunk length
154 * is of the appropriate length. The 'required_length' argument
155 * is set to be the size of a specific chunk we are testing.
156 * Return Values: 1 = Valid length
161 sctp_chunk_length_valid(struct sctp_chunk *chunk,
162 __u16 required_length)
164 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
166 if (unlikely(chunk_length < required_length))
172 /**********************************************************
173 * These are the state functions for handling chunk events.
174 **********************************************************/
177 * Process the final SHUTDOWN COMPLETE.
179 * Section: 4 (C) (diagram), 9.2
180 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
181 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
182 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
183 * should stop the T2-shutdown timer and remove all knowledge of the
184 * association (and thus the association enters the CLOSED state).
186 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
187 * C) Rules for packet carrying SHUTDOWN COMPLETE:
189 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
190 * if the Verification Tag field of the packet matches its own tag and
191 * the T bit is not set
193 * it is set to its peer's tag and the T bit is set in the Chunk
195 * Otherwise, the receiver MUST silently discard the packet
196 * and take no further action. An endpoint MUST ignore the
197 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
200 * (endpoint, asoc, chunk)
203 * (asoc, reply_msg, msg_up, timers, counters)
205 * The return value is the disposition of the chunk.
207 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,
208 const struct sctp_association *asoc,
209 const sctp_subtype_t type,
211 sctp_cmd_seq_t *commands)
213 struct sctp_chunk *chunk = arg;
214 struct sctp_ulpevent *ev;
216 if (!sctp_vtag_verify_either(chunk, asoc))
217 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
219 /* RFC 2960 6.10 Bundling
221 * An endpoint MUST NOT bundle INIT, INIT ACK or
222 * SHUTDOWN COMPLETE with any other chunks.
224 if (!chunk->singleton)
225 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
227 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
228 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
229 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
232 /* RFC 2960 10.2 SCTP-to-ULP
234 * H) SHUTDOWN COMPLETE notification
236 * When SCTP completes the shutdown procedures (section 9.2) this
237 * notification is passed to the upper layer.
239 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
240 0, 0, 0, NULL, GFP_ATOMIC);
242 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
245 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
246 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
247 * not the chunk should be discarded. If the endpoint is in
248 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
249 * T2-shutdown timer and remove all knowledge of the
250 * association (and thus the association enters the CLOSED
253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
254 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
256 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
257 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
259 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
260 SCTP_STATE(SCTP_STATE_CLOSED));
262 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
263 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
265 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
267 return SCTP_DISPOSITION_DELETE_TCB;
271 * Respond to a normal INIT chunk.
272 * We are the side that is being asked for an association.
274 * Section: 5.1 Normal Establishment of an Association, B
275 * B) "Z" shall respond immediately with an INIT ACK chunk. The
276 * destination IP address of the INIT ACK MUST be set to the source
277 * IP address of the INIT to which this INIT ACK is responding. In
278 * the response, besides filling in other parameters, "Z" must set the
279 * Verification Tag field to Tag_A, and also provide its own
280 * Verification Tag (Tag_Z) in the Initiate Tag field.
282 * Verification Tag: Must be 0.
285 * (endpoint, asoc, chunk)
288 * (asoc, reply_msg, msg_up, timers, counters)
290 * The return value is the disposition of the chunk.
292 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
293 const struct sctp_association *asoc,
294 const sctp_subtype_t type,
296 sctp_cmd_seq_t *commands)
298 struct sctp_chunk *chunk = arg;
299 struct sctp_chunk *repl;
300 struct sctp_association *new_asoc;
301 struct sctp_chunk *err_chunk;
302 struct sctp_packet *packet;
303 sctp_unrecognized_param_t *unk_param;
307 * An endpoint MUST NOT bundle INIT, INIT ACK or
308 * SHUTDOWN COMPLETE with any other chunks.
311 * Furthermore, we require that the receiver of an INIT chunk MUST
312 * enforce these rules by silently discarding an arriving packet
313 * with an INIT chunk that is bundled with other chunks.
315 if (!chunk->singleton)
316 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
318 /* If the packet is an OOTB packet which is temporarily on the
319 * control endpoint, respond with an ABORT.
321 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
322 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
323 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
326 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
329 if (chunk->sctp_hdr->vtag != 0)
330 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
332 /* Make sure that the INIT chunk has a valid length.
333 * Normally, this would cause an ABORT with a Protocol Violation
334 * error, but since we don't have an association, we'll
335 * just discard the packet.
337 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
338 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
340 /* If the INIT is coming toward a closing socket, we'll send back
341 * and ABORT. Essentially, this catches the race of INIT being
342 * backloged to the socket at the same time as the user isses close().
343 * Since the socket and all its associations are going away, we
344 * can treat this OOTB
346 if (sctp_sstate(ep->base.sk, CLOSING))
347 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
349 /* Verify the INIT chunk before processing it. */
351 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
352 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
354 /* This chunk contains fatal error. It is to be discarded.
355 * Send an ABORT, with causes if there is any.
358 packet = sctp_abort_pkt_new(ep, asoc, arg,
359 (__u8 *)(err_chunk->chunk_hdr) +
360 sizeof(sctp_chunkhdr_t),
361 ntohs(err_chunk->chunk_hdr->length) -
362 sizeof(sctp_chunkhdr_t));
364 sctp_chunk_free(err_chunk);
367 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
368 SCTP_PACKET(packet));
369 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
370 return SCTP_DISPOSITION_CONSUME;
372 return SCTP_DISPOSITION_NOMEM;
375 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
380 /* Grab the INIT header. */
381 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
383 /* Tag the variable length parameters. */
384 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
386 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
390 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
391 sctp_scope(sctp_source(chunk)),
395 /* The call, sctp_process_init(), can fail on memory allocation. */
396 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
397 (sctp_init_chunk_t *)chunk->chunk_hdr,
401 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
403 /* If there are errors need to be reported for unknown parameters,
404 * make sure to reserve enough room in the INIT ACK for them.
408 len = ntohs(err_chunk->chunk_hdr->length) -
409 sizeof(sctp_chunkhdr_t);
411 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
415 /* If there are errors need to be reported for unknown parameters,
416 * include them in the outgoing INIT ACK as "Unrecognized parameter"
420 /* Get the "Unrecognized parameter" parameter(s) out of the
421 * ERROR chunk generated by sctp_verify_init(). Since the
422 * error cause code for "unknown parameter" and the
423 * "Unrecognized parameter" type is the same, we can
424 * construct the parameters in INIT ACK by copying the
427 unk_param = (sctp_unrecognized_param_t *)
428 ((__u8 *)(err_chunk->chunk_hdr) +
429 sizeof(sctp_chunkhdr_t));
430 /* Replace the cause code with the "Unrecognized parameter"
433 sctp_addto_chunk(repl, len, unk_param);
434 sctp_chunk_free(err_chunk);
437 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
439 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
442 * Note: After sending out INIT ACK with the State Cookie parameter,
443 * "Z" MUST NOT allocate any resources, nor keep any states for the
444 * new association. Otherwise, "Z" will be vulnerable to resource
447 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
449 return SCTP_DISPOSITION_DELETE_TCB;
452 sctp_association_free(new_asoc);
455 sctp_chunk_free(err_chunk);
456 return SCTP_DISPOSITION_NOMEM;
460 * Respond to a normal INIT ACK chunk.
461 * We are the side that is initiating the association.
463 * Section: 5.1 Normal Establishment of an Association, C
464 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
465 * timer and leave COOKIE-WAIT state. "A" shall then send the State
466 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
467 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
469 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
470 * DATA chunks, but it MUST be the first chunk in the packet and
471 * until the COOKIE ACK is returned the sender MUST NOT send any
472 * other packets to the peer.
474 * Verification Tag: 3.3.3
475 * If the value of the Initiate Tag in a received INIT ACK chunk is
476 * found to be 0, the receiver MUST treat it as an error and close the
477 * association by transmitting an ABORT.
480 * (endpoint, asoc, chunk)
483 * (asoc, reply_msg, msg_up, timers, counters)
485 * The return value is the disposition of the chunk.
487 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
488 const struct sctp_association *asoc,
489 const sctp_subtype_t type,
491 sctp_cmd_seq_t *commands)
493 struct sctp_chunk *chunk = arg;
494 sctp_init_chunk_t *initchunk;
495 struct sctp_chunk *err_chunk;
496 struct sctp_packet *packet;
498 if (!sctp_vtag_verify(chunk, asoc))
499 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
502 * An endpoint MUST NOT bundle INIT, INIT ACK or
503 * SHUTDOWN COMPLETE with any other chunks.
505 if (!chunk->singleton)
506 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
508 /* Make sure that the INIT-ACK chunk has a valid length */
509 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
510 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
512 /* Grab the INIT header. */
513 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
515 /* Verify the INIT chunk before processing it. */
517 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
518 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
521 sctp_error_t error = SCTP_ERROR_NO_RESOURCE;
523 /* This chunk contains fatal error. It is to be discarded.
524 * Send an ABORT, with causes. If there are no causes,
525 * then there wasn't enough memory. Just terminate
529 packet = sctp_abort_pkt_new(ep, asoc, arg,
530 (__u8 *)(err_chunk->chunk_hdr) +
531 sizeof(sctp_chunkhdr_t),
532 ntohs(err_chunk->chunk_hdr->length) -
533 sizeof(sctp_chunkhdr_t));
535 sctp_chunk_free(err_chunk);
538 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
539 SCTP_PACKET(packet));
540 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
541 error = SCTP_ERROR_INV_PARAM;
545 /* SCTP-AUTH, Section 6.3:
546 * It should be noted that if the receiver wants to tear
547 * down an association in an authenticated way only, the
548 * handling of malformed packets should not result in
549 * tearing down the association.
551 * This means that if we only want to abort associations
552 * in an authenticated way (i.e AUTH+ABORT), then we
553 * can't destroy this association just because the packet
556 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
557 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
559 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
560 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED,
561 asoc, chunk->transport);
564 /* Tag the variable length parameters. Note that we never
565 * convert the parameters in an INIT chunk.
567 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
569 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
571 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
572 SCTP_PEER_INIT(initchunk));
574 /* Reset init error count upon receipt of INIT-ACK. */
575 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
577 /* 5.1 C) "A" shall stop the T1-init timer and leave
578 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
579 * timer, and enter the COOKIE-ECHOED state.
581 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
582 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
583 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
584 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
585 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
586 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
588 /* SCTP-AUTH: genereate the assocition shared keys so that
589 * we can potentially signe the COOKIE-ECHO.
591 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
593 /* 5.1 C) "A" shall then send the State Cookie received in the
594 * INIT ACK chunk in a COOKIE ECHO chunk, ...
596 /* If there is any errors to report, send the ERROR chunk generated
597 * for unknown parameters as well.
599 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
600 SCTP_CHUNK(err_chunk));
602 return SCTP_DISPOSITION_CONSUME;
606 * Respond to a normal COOKIE ECHO chunk.
607 * We are the side that is being asked for an association.
609 * Section: 5.1 Normal Establishment of an Association, D
610 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
611 * with a COOKIE ACK chunk after building a TCB and moving to
612 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
613 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
614 * chunk MUST be the first chunk in the packet.
616 * IMPLEMENTATION NOTE: An implementation may choose to send the
617 * Communication Up notification to the SCTP user upon reception
618 * of a valid COOKIE ECHO chunk.
620 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
621 * D) Rules for packet carrying a COOKIE ECHO
623 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
624 * Initial Tag received in the INIT ACK.
626 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
629 * (endpoint, asoc, chunk)
632 * (asoc, reply_msg, msg_up, timers, counters)
634 * The return value is the disposition of the chunk.
636 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
637 const struct sctp_association *asoc,
638 const sctp_subtype_t type, void *arg,
639 sctp_cmd_seq_t *commands)
641 struct sctp_chunk *chunk = arg;
642 struct sctp_association *new_asoc;
643 sctp_init_chunk_t *peer_init;
644 struct sctp_chunk *repl;
645 struct sctp_ulpevent *ev, *ai_ev = NULL;
647 struct sctp_chunk *err_chk_p;
650 /* If the packet is an OOTB packet which is temporarily on the
651 * control endpoint, respond with an ABORT.
653 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
654 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
655 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
658 /* Make sure that the COOKIE_ECHO chunk has a valid length.
659 * In this case, we check that we have enough for at least a
660 * chunk header. More detailed verification is done
661 * in sctp_unpack_cookie().
663 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
664 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
666 /* If the endpoint is not listening or if the number of associations
667 * on the TCP-style socket exceed the max backlog, respond with an
671 if (!sctp_sstate(sk, LISTENING) ||
672 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
673 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
675 /* "Decode" the chunk. We have no optional parameters so we
678 chunk->subh.cookie_hdr =
679 (struct sctp_signed_cookie *)chunk->skb->data;
680 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
681 sizeof(sctp_chunkhdr_t)))
684 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
685 * "Z" will reply with a COOKIE ACK chunk after building a TCB
686 * and moving to the ESTABLISHED state.
688 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
692 * If the re-build failed, what is the proper error path
695 * [We should abort the association. --piggy]
698 /* FIXME: Several errors are possible. A bad cookie should
699 * be silently discarded, but think about logging it too.
702 case -SCTP_IERROR_NOMEM:
705 case -SCTP_IERROR_STALE_COOKIE:
706 sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
708 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
710 case -SCTP_IERROR_BAD_SIG:
712 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
717 /* Delay state machine commands until later.
719 * Re-build the bind address for the association is done in
720 * the sctp_unpack_cookie() already.
722 /* This is a brand-new association, so these are not yet side
723 * effects--it is safe to run them here.
725 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
727 if (!sctp_process_init(new_asoc, chunk,
728 &chunk->subh.cookie_hdr->c.peer_addr,
729 peer_init, GFP_ATOMIC))
732 /* SCTP-AUTH: Now that we've populate required fields in
733 * sctp_process_init, set up the assocaition shared keys as
734 * necessary so that we can potentially authenticate the ACK
736 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
740 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo
741 * is supposed to be authenticated and we have to do delayed
742 * authentication. We've just recreated the association using
743 * the information in the cookie and now it's much easier to
744 * do the authentication.
746 if (chunk->auth_chunk) {
747 struct sctp_chunk auth;
750 /* Make sure that we and the peer are AUTH capable */
751 if (!sctp_auth_enable || !new_asoc->peer.auth_capable) {
752 kfree_skb(chunk->auth_chunk);
753 sctp_association_free(new_asoc);
754 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
757 /* set-up our fake chunk so that we can process it */
758 auth.skb = chunk->auth_chunk;
759 auth.asoc = chunk->asoc;
760 auth.sctp_hdr = chunk->sctp_hdr;
761 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
762 sizeof(sctp_chunkhdr_t));
763 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
764 auth.transport = chunk->transport;
766 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth);
768 /* We can now safely free the auth_chunk clone */
769 kfree_skb(chunk->auth_chunk);
771 if (ret != SCTP_IERROR_NO_ERROR) {
772 sctp_association_free(new_asoc);
773 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
777 repl = sctp_make_cookie_ack(new_asoc, chunk);
781 /* RFC 2960 5.1 Normal Establishment of an Association
783 * D) IMPLEMENTATION NOTE: An implementation may choose to
784 * send the Communication Up notification to the SCTP user
785 * upon reception of a valid COOKIE ECHO chunk.
787 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
788 new_asoc->c.sinit_num_ostreams,
789 new_asoc->c.sinit_max_instreams,
794 /* Sockets API Draft Section 5.3.1.6
795 * When a peer sends a Adaptation Layer Indication parameter , SCTP
796 * delivers this notification to inform the application that of the
797 * peers requested adaptation layer.
799 if (new_asoc->peer.adaptation_ind) {
800 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
806 /* Add all the state machine commands now since we've created
807 * everything. This way we don't introduce memory corruptions
808 * during side-effect processing and correclty count established
811 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
812 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
813 SCTP_STATE(SCTP_STATE_ESTABLISHED));
814 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
815 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS);
816 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
818 if (new_asoc->autoclose)
819 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
820 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
822 /* This will send the COOKIE ACK */
823 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
825 /* Queue the ASSOC_CHANGE event */
826 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
828 /* Send up the Adaptation Layer Indication event */
830 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
831 SCTP_ULPEVENT(ai_ev));
833 return SCTP_DISPOSITION_CONSUME;
836 sctp_ulpevent_free(ev);
838 sctp_chunk_free(repl);
840 sctp_association_free(new_asoc);
842 return SCTP_DISPOSITION_NOMEM;
846 * Respond to a normal COOKIE ACK chunk.
847 * We are the side that is being asked for an association.
849 * RFC 2960 5.1 Normal Establishment of an Association
851 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
852 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
853 * timer. It may also notify its ULP about the successful
854 * establishment of the association with a Communication Up
855 * notification (see Section 10).
859 * (endpoint, asoc, chunk)
862 * (asoc, reply_msg, msg_up, timers, counters)
864 * The return value is the disposition of the chunk.
866 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,
867 const struct sctp_association *asoc,
868 const sctp_subtype_t type, void *arg,
869 sctp_cmd_seq_t *commands)
871 struct sctp_chunk *chunk = arg;
872 struct sctp_ulpevent *ev;
874 if (!sctp_vtag_verify(chunk, asoc))
875 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
877 /* Verify that the chunk length for the COOKIE-ACK is OK.
878 * If we don't do this, any bundled chunks may be junked.
880 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
881 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
884 /* Reset init error count upon receipt of COOKIE-ACK,
885 * to avoid problems with the managemement of this
886 * counter in stale cookie situations when a transition back
887 * from the COOKIE-ECHOED state to the COOKIE-WAIT
888 * state is performed.
890 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
892 /* RFC 2960 5.1 Normal Establishment of an Association
894 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
895 * from the COOKIE-ECHOED state to the ESTABLISHED state,
896 * stopping the T1-cookie timer.
898 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
899 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
900 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
901 SCTP_STATE(SCTP_STATE_ESTABLISHED));
902 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
903 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS);
904 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
906 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
907 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
909 /* It may also notify its ULP about the successful
910 * establishment of the association with a Communication Up
911 * notification (see Section 10).
913 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
914 0, asoc->c.sinit_num_ostreams,
915 asoc->c.sinit_max_instreams,
921 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
923 /* Sockets API Draft Section 5.3.1.6
924 * When a peer sends a Adaptation Layer Indication parameter , SCTP
925 * delivers this notification to inform the application that of the
926 * peers requested adaptation layer.
928 if (asoc->peer.adaptation_ind) {
929 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
933 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
937 return SCTP_DISPOSITION_CONSUME;
939 return SCTP_DISPOSITION_NOMEM;
942 /* Generate and sendout a heartbeat packet. */
943 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
944 const struct sctp_association *asoc,
945 const sctp_subtype_t type,
947 sctp_cmd_seq_t *commands)
949 struct sctp_transport *transport = (struct sctp_transport *) arg;
950 struct sctp_chunk *reply;
952 /* Send a heartbeat to our peer. */
953 reply = sctp_make_heartbeat(asoc, transport);
955 return SCTP_DISPOSITION_NOMEM;
957 /* Set rto_pending indicating that an RTT measurement
958 * is started with this heartbeat chunk.
960 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
961 SCTP_TRANSPORT(transport));
963 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
964 return SCTP_DISPOSITION_CONSUME;
967 /* Generate a HEARTBEAT packet on the given transport. */
968 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep,
969 const struct sctp_association *asoc,
970 const sctp_subtype_t type,
972 sctp_cmd_seq_t *commands)
974 struct sctp_transport *transport = (struct sctp_transport *) arg;
976 if (asoc->overall_error_count >= asoc->max_retrans) {
977 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
978 SCTP_ERROR(ETIMEDOUT));
979 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
980 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
981 SCTP_PERR(SCTP_ERROR_NO_ERROR));
982 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
983 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
984 return SCTP_DISPOSITION_DELETE_TCB;
988 * The Sender-specific Heartbeat Info field should normally include
989 * information about the sender's current time when this HEARTBEAT
990 * chunk is sent and the destination transport address to which this
991 * HEARTBEAT is sent (see Section 8.3).
994 if (transport->param_flags & SPP_HB_ENABLE) {
995 if (SCTP_DISPOSITION_NOMEM ==
996 sctp_sf_heartbeat(ep, asoc, type, arg,
998 return SCTP_DISPOSITION_NOMEM;
1000 /* Set transport error counter and association error counter
1001 * when sending heartbeat.
1003 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1004 SCTP_TRANSPORT(transport));
1006 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1007 SCTP_TRANSPORT(transport));
1008 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1009 SCTP_TRANSPORT(transport));
1011 return SCTP_DISPOSITION_CONSUME;
1015 * Process an heartbeat request.
1017 * Section: 8.3 Path Heartbeat
1018 * The receiver of the HEARTBEAT should immediately respond with a
1019 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1020 * from the received HEARTBEAT chunk.
1022 * Verification Tag: 8.5 Verification Tag [Normal verification]
1023 * When receiving an SCTP packet, the endpoint MUST ensure that the
1024 * value in the Verification Tag field of the received SCTP packet
1025 * matches its own Tag. If the received Verification Tag value does not
1026 * match the receiver's own tag value, the receiver shall silently
1027 * discard the packet and shall not process it any further except for
1028 * those cases listed in Section 8.5.1 below.
1031 * (endpoint, asoc, chunk)
1034 * (asoc, reply_msg, msg_up, timers, counters)
1036 * The return value is the disposition of the chunk.
1038 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
1039 const struct sctp_association *asoc,
1040 const sctp_subtype_t type,
1042 sctp_cmd_seq_t *commands)
1044 struct sctp_chunk *chunk = arg;
1045 struct sctp_chunk *reply;
1048 if (!sctp_vtag_verify(chunk, asoc))
1049 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1051 /* Make sure that the HEARTBEAT chunk has a valid length. */
1052 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1053 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1056 /* 8.3 The receiver of the HEARTBEAT should immediately
1057 * respond with a HEARTBEAT ACK that contains the Heartbeat
1058 * Information field copied from the received HEARTBEAT chunk.
1060 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
1061 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
1062 if (!pskb_pull(chunk->skb, paylen))
1065 reply = sctp_make_heartbeat_ack(asoc, chunk,
1066 chunk->subh.hb_hdr, paylen);
1070 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1071 return SCTP_DISPOSITION_CONSUME;
1074 return SCTP_DISPOSITION_NOMEM;
1078 * Process the returning HEARTBEAT ACK.
1080 * Section: 8.3 Path Heartbeat
1081 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1082 * should clear the error counter of the destination transport
1083 * address to which the HEARTBEAT was sent, and mark the destination
1084 * transport address as active if it is not so marked. The endpoint may
1085 * optionally report to the upper layer when an inactive destination
1086 * address is marked as active due to the reception of the latest
1087 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1088 * clear the association overall error count as well (as defined
1091 * The receiver of the HEARTBEAT ACK should also perform an RTT
1092 * measurement for that destination transport address using the time
1093 * value carried in the HEARTBEAT ACK chunk.
1095 * Verification Tag: 8.5 Verification Tag [Normal verification]
1098 * (endpoint, asoc, chunk)
1101 * (asoc, reply_msg, msg_up, timers, counters)
1103 * The return value is the disposition of the chunk.
1105 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
1106 const struct sctp_association *asoc,
1107 const sctp_subtype_t type,
1109 sctp_cmd_seq_t *commands)
1111 struct sctp_chunk *chunk = arg;
1112 union sctp_addr from_addr;
1113 struct sctp_transport *link;
1114 sctp_sender_hb_info_t *hbinfo;
1115 unsigned long max_interval;
1117 if (!sctp_vtag_verify(chunk, asoc))
1118 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1120 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1121 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +
1122 sizeof(sctp_sender_hb_info_t)))
1123 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1126 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1127 /* Make sure that the length of the parameter is what we expect */
1128 if (ntohs(hbinfo->param_hdr.length) !=
1129 sizeof(sctp_sender_hb_info_t)) {
1130 return SCTP_DISPOSITION_DISCARD;
1133 from_addr = hbinfo->daddr;
1134 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1136 /* This should never happen, but lets log it if so. */
1137 if (unlikely(!link)) {
1138 if (from_addr.sa.sa_family == AF_INET6) {
1139 if (net_ratelimit())
1140 pr_warn("%s association %p could not find address %pI6\n",
1143 &from_addr.v6.sin6_addr);
1145 if (net_ratelimit())
1146 pr_warn("%s association %p could not find address %pI4\n",
1149 &from_addr.v4.sin_addr.s_addr);
1151 return SCTP_DISPOSITION_DISCARD;
1154 /* Validate the 64-bit random nonce. */
1155 if (hbinfo->hb_nonce != link->hb_nonce)
1156 return SCTP_DISPOSITION_DISCARD;
1158 max_interval = link->hbinterval + link->rto;
1160 /* Check if the timestamp looks valid. */
1161 if (time_after(hbinfo->sent_at, jiffies) ||
1162 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1163 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp "
1164 "received for transport: %p\n",
1166 return SCTP_DISPOSITION_DISCARD;
1169 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1170 * the HEARTBEAT should clear the error counter of the
1171 * destination transport address to which the HEARTBEAT was
1172 * sent and mark the destination transport address as active if
1173 * it is not so marked.
1175 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1177 return SCTP_DISPOSITION_CONSUME;
1180 /* Helper function to send out an abort for the restart
1183 static int sctp_sf_send_restart_abort(union sctp_addr *ssa,
1184 struct sctp_chunk *init,
1185 sctp_cmd_seq_t *commands)
1188 struct sctp_packet *pkt;
1189 union sctp_addr_param *addrparm;
1190 struct sctp_errhdr *errhdr;
1191 struct sctp_endpoint *ep;
1192 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1193 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1195 /* Build the error on the stack. We are way to malloc crazy
1196 * throughout the code today.
1198 errhdr = (struct sctp_errhdr *)buffer;
1199 addrparm = (union sctp_addr_param *)errhdr->variable;
1201 /* Copy into a parm format. */
1202 len = af->to_addr_param(ssa, addrparm);
1203 len += sizeof(sctp_errhdr_t);
1205 errhdr->cause = SCTP_ERROR_RESTART;
1206 errhdr->length = htons(len);
1208 /* Assign to the control socket. */
1209 ep = sctp_sk((sctp_get_ctl_sock()))->ep;
1211 /* Association is NULL since this may be a restart attack and we
1212 * want to send back the attacker's vtag.
1214 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len);
1218 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1220 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1222 /* Discard the rest of the inbound packet. */
1223 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1226 /* Even if there is no memory, treat as a failure so
1227 * the packet will get dropped.
1232 static bool list_has_sctp_addr(const struct list_head *list,
1233 union sctp_addr *ipaddr)
1235 struct sctp_transport *addr;
1237 list_for_each_entry(addr, list, transports) {
1238 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1244 /* A restart is occurring, check to make sure no new addresses
1245 * are being added as we may be under a takeover attack.
1247 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1248 const struct sctp_association *asoc,
1249 struct sctp_chunk *init,
1250 sctp_cmd_seq_t *commands)
1252 struct sctp_transport *new_addr;
1255 /* Implementor's Guide - Section 5.2.2
1257 * Before responding the endpoint MUST check to see if the
1258 * unexpected INIT adds new addresses to the association. If new
1259 * addresses are added to the association, the endpoint MUST respond
1263 /* Search through all current addresses and make sure
1264 * we aren't adding any new ones.
1266 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1268 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1269 &new_addr->ipaddr)) {
1270 sctp_sf_send_restart_abort(&new_addr->ipaddr, init,
1277 /* Return success if all addresses were found. */
1281 /* Populate the verification/tie tags based on overlapping INIT
1284 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1286 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1287 const struct sctp_association *asoc)
1289 switch (asoc->state) {
1291 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1293 case SCTP_STATE_COOKIE_WAIT:
1294 new_asoc->c.my_vtag = asoc->c.my_vtag;
1295 new_asoc->c.my_ttag = asoc->c.my_vtag;
1296 new_asoc->c.peer_ttag = 0;
1299 case SCTP_STATE_COOKIE_ECHOED:
1300 new_asoc->c.my_vtag = asoc->c.my_vtag;
1301 new_asoc->c.my_ttag = asoc->c.my_vtag;
1302 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1305 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1306 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1309 new_asoc->c.my_ttag = asoc->c.my_vtag;
1310 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1314 /* Other parameters for the endpoint SHOULD be copied from the
1315 * existing parameters of the association (e.g. number of
1316 * outbound streams) into the INIT ACK and cookie.
1318 new_asoc->rwnd = asoc->rwnd;
1319 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1320 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1321 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1325 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1328 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1330 * Returns value representing action to be taken. These action values
1331 * correspond to Action/Description values in RFC 2960, Table 2.
1333 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1334 const struct sctp_association *asoc)
1336 /* In this case, the peer may have restarted. */
1337 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1338 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1339 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1340 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1343 /* Collision case B. */
1344 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1345 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1346 (0 == asoc->c.peer_vtag))) {
1350 /* Collision case D. */
1351 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1352 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1355 /* Collision case C. */
1356 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1357 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1358 (0 == new_asoc->c.my_ttag) &&
1359 (0 == new_asoc->c.peer_ttag))
1362 /* No match to any of the special cases; discard this packet. */
1366 /* Common helper routine for both duplicate and simulataneous INIT
1369 static sctp_disposition_t sctp_sf_do_unexpected_init(
1370 const struct sctp_endpoint *ep,
1371 const struct sctp_association *asoc,
1372 const sctp_subtype_t type,
1373 void *arg, sctp_cmd_seq_t *commands)
1375 sctp_disposition_t retval;
1376 struct sctp_chunk *chunk = arg;
1377 struct sctp_chunk *repl;
1378 struct sctp_association *new_asoc;
1379 struct sctp_chunk *err_chunk;
1380 struct sctp_packet *packet;
1381 sctp_unrecognized_param_t *unk_param;
1385 * An endpoint MUST NOT bundle INIT, INIT ACK or
1386 * SHUTDOWN COMPLETE with any other chunks.
1389 * Furthermore, we require that the receiver of an INIT chunk MUST
1390 * enforce these rules by silently discarding an arriving packet
1391 * with an INIT chunk that is bundled with other chunks.
1393 if (!chunk->singleton)
1394 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1396 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1399 if (chunk->sctp_hdr->vtag != 0)
1400 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
1402 /* Make sure that the INIT chunk has a valid length.
1403 * In this case, we generate a protocol violation since we have
1404 * an association established.
1406 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1407 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1409 /* Grab the INIT header. */
1410 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1412 /* Tag the variable length parameters. */
1413 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1415 /* Verify the INIT chunk before processing it. */
1417 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
1418 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1420 /* This chunk contains fatal error. It is to be discarded.
1421 * Send an ABORT, with causes if there is any.
1424 packet = sctp_abort_pkt_new(ep, asoc, arg,
1425 (__u8 *)(err_chunk->chunk_hdr) +
1426 sizeof(sctp_chunkhdr_t),
1427 ntohs(err_chunk->chunk_hdr->length) -
1428 sizeof(sctp_chunkhdr_t));
1431 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1432 SCTP_PACKET(packet));
1433 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1434 retval = SCTP_DISPOSITION_CONSUME;
1436 retval = SCTP_DISPOSITION_NOMEM;
1440 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
1446 * Other parameters for the endpoint SHOULD be copied from the
1447 * existing parameters of the association (e.g. number of
1448 * outbound streams) into the INIT ACK and cookie.
1449 * FIXME: We are copying parameters from the endpoint not the
1452 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1456 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1457 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1460 /* In the outbound INIT ACK the endpoint MUST copy its current
1461 * Verification Tag and Peers Verification tag into a reserved
1462 * place (local tie-tag and per tie-tag) within the state cookie.
1464 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1465 (sctp_init_chunk_t *)chunk->chunk_hdr,
1469 /* Make sure no new addresses are being added during the
1470 * restart. Do not do this check for COOKIE-WAIT state,
1471 * since there are no peer addresses to check against.
1472 * Upon return an ABORT will have been sent if needed.
1474 if (!sctp_state(asoc, COOKIE_WAIT)) {
1475 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1477 retval = SCTP_DISPOSITION_CONSUME;
1482 sctp_tietags_populate(new_asoc, asoc);
1484 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1486 /* If there are errors need to be reported for unknown parameters,
1487 * make sure to reserve enough room in the INIT ACK for them.
1491 len = ntohs(err_chunk->chunk_hdr->length) -
1492 sizeof(sctp_chunkhdr_t);
1495 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1499 /* If there are errors need to be reported for unknown parameters,
1500 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1504 /* Get the "Unrecognized parameter" parameter(s) out of the
1505 * ERROR chunk generated by sctp_verify_init(). Since the
1506 * error cause code for "unknown parameter" and the
1507 * "Unrecognized parameter" type is the same, we can
1508 * construct the parameters in INIT ACK by copying the
1509 * ERROR causes over.
1511 unk_param = (sctp_unrecognized_param_t *)
1512 ((__u8 *)(err_chunk->chunk_hdr) +
1513 sizeof(sctp_chunkhdr_t));
1514 /* Replace the cause code with the "Unrecognized parameter"
1517 sctp_addto_chunk(repl, len, unk_param);
1520 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1521 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1524 * Note: After sending out INIT ACK with the State Cookie parameter,
1525 * "Z" MUST NOT allocate any resources for this new association.
1526 * Otherwise, "Z" will be vulnerable to resource attacks.
1528 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1529 retval = SCTP_DISPOSITION_CONSUME;
1534 retval = SCTP_DISPOSITION_NOMEM;
1537 sctp_association_free(new_asoc);
1540 sctp_chunk_free(err_chunk);
1545 * Handle simultaneous INIT.
1546 * This means we started an INIT and then we got an INIT request from
1549 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1550 * This usually indicates an initialization collision, i.e., each
1551 * endpoint is attempting, at about the same time, to establish an
1552 * association with the other endpoint.
1554 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1555 * endpoint MUST respond with an INIT ACK using the same parameters it
1556 * sent in its original INIT chunk (including its Verification Tag,
1557 * unchanged). These original parameters are combined with those from the
1558 * newly received INIT chunk. The endpoint shall also generate a State
1559 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1560 * INIT to calculate the State Cookie.
1562 * After that, the endpoint MUST NOT change its state, the T1-init
1563 * timer shall be left running and the corresponding TCB MUST NOT be
1564 * destroyed. The normal procedures for handling State Cookies when
1565 * a TCB exists will resolve the duplicate INITs to a single association.
1567 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1568 * its Tie-Tags with the Tag information of itself and its peer (see
1569 * section 5.2.2 for a description of the Tie-Tags).
1571 * Verification Tag: Not explicit, but an INIT can not have a valid
1572 * verification tag, so we skip the check.
1575 * (endpoint, asoc, chunk)
1578 * (asoc, reply_msg, msg_up, timers, counters)
1580 * The return value is the disposition of the chunk.
1582 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep,
1583 const struct sctp_association *asoc,
1584 const sctp_subtype_t type,
1586 sctp_cmd_seq_t *commands)
1588 /* Call helper to do the real work for both simulataneous and
1589 * duplicate INIT chunk handling.
1591 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1595 * Handle duplicated INIT messages. These are usually delayed
1598 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1599 * COOKIE-ECHOED and COOKIE-WAIT
1601 * Unless otherwise stated, upon reception of an unexpected INIT for
1602 * this association, the endpoint shall generate an INIT ACK with a
1603 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1604 * current Verification Tag and peer's Verification Tag into a reserved
1605 * place within the state cookie. We shall refer to these locations as
1606 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1607 * containing this INIT ACK MUST carry a Verification Tag value equal to
1608 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1609 * MUST contain a new Initiation Tag (randomly generated see Section
1610 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1611 * existing parameters of the association (e.g. number of outbound
1612 * streams) into the INIT ACK and cookie.
1614 * After sending out the INIT ACK, the endpoint shall take no further
1615 * actions, i.e., the existing association, including its current state,
1616 * and the corresponding TCB MUST NOT be changed.
1618 * Note: Only when a TCB exists and the association is not in a COOKIE-
1619 * WAIT state are the Tie-Tags populated. For a normal association INIT
1620 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1621 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1622 * State Cookie are populated as specified in section 5.2.1.
1624 * Verification Tag: Not specified, but an INIT has no way of knowing
1625 * what the verification tag could be, so we ignore it.
1628 * (endpoint, asoc, chunk)
1631 * (asoc, reply_msg, msg_up, timers, counters)
1633 * The return value is the disposition of the chunk.
1635 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep,
1636 const struct sctp_association *asoc,
1637 const sctp_subtype_t type,
1639 sctp_cmd_seq_t *commands)
1641 /* Call helper to do the real work for both simulataneous and
1642 * duplicate INIT chunk handling.
1644 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1649 * Unexpected INIT-ACK handler.
1652 * If an INIT ACK received by an endpoint in any state other than the
1653 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1654 * An unexpected INIT ACK usually indicates the processing of an old or
1655 * duplicated INIT chunk.
1657 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep,
1658 const struct sctp_association *asoc,
1659 const sctp_subtype_t type,
1660 void *arg, sctp_cmd_seq_t *commands)
1662 /* Per the above section, we'll discard the chunk if we have an
1663 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1665 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
1666 return sctp_sf_ootb(ep, asoc, type, arg, commands);
1668 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
1671 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1674 * A) In this case, the peer may have restarted.
1676 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
1677 const struct sctp_association *asoc,
1678 struct sctp_chunk *chunk,
1679 sctp_cmd_seq_t *commands,
1680 struct sctp_association *new_asoc)
1682 sctp_init_chunk_t *peer_init;
1683 struct sctp_ulpevent *ev;
1684 struct sctp_chunk *repl;
1685 struct sctp_chunk *err;
1686 sctp_disposition_t disposition;
1688 /* new_asoc is a brand-new association, so these are not yet
1689 * side effects--it is safe to run them here.
1691 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1693 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1697 /* Make sure no new addresses are being added during the
1698 * restart. Though this is a pretty complicated attack
1699 * since you'd have to get inside the cookie.
1701 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1702 return SCTP_DISPOSITION_CONSUME;
1705 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1706 * the peer has restarted (Action A), it MUST NOT setup a new
1707 * association but instead resend the SHUTDOWN ACK and send an ERROR
1708 * chunk with a "Cookie Received while Shutting Down" error cause to
1711 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1712 disposition = sctp_sf_do_9_2_reshutack(ep, asoc,
1713 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1715 if (SCTP_DISPOSITION_NOMEM == disposition)
1718 err = sctp_make_op_error(asoc, chunk,
1719 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1722 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1725 return SCTP_DISPOSITION_CONSUME;
1728 /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1729 * data. Consider the optional choice of resending of this data.
1731 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1732 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1733 SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1734 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1736 /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1737 * and ASCONF-ACK cache.
1739 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1740 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1741 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1743 repl = sctp_make_cookie_ack(new_asoc, chunk);
1747 /* Report association restart to upper layer. */
1748 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1749 new_asoc->c.sinit_num_ostreams,
1750 new_asoc->c.sinit_max_instreams,
1755 /* Update the content of current association. */
1756 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1757 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1758 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1759 return SCTP_DISPOSITION_CONSUME;
1762 sctp_chunk_free(repl);
1764 return SCTP_DISPOSITION_NOMEM;
1767 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1770 * B) In this case, both sides may be attempting to start an association
1771 * at about the same time but the peer endpoint started its INIT
1772 * after responding to the local endpoint's INIT
1774 /* This case represents an initialization collision. */
1775 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,
1776 const struct sctp_association *asoc,
1777 struct sctp_chunk *chunk,
1778 sctp_cmd_seq_t *commands,
1779 struct sctp_association *new_asoc)
1781 sctp_init_chunk_t *peer_init;
1782 struct sctp_chunk *repl;
1784 /* new_asoc is a brand-new association, so these are not yet
1785 * side effects--it is safe to run them here.
1787 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1788 if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1792 /* Update the content of current association. */
1793 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1794 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1795 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1796 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1797 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1799 repl = sctp_make_cookie_ack(new_asoc, chunk);
1803 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1805 /* RFC 2960 5.1 Normal Establishment of an Association
1807 * D) IMPLEMENTATION NOTE: An implementation may choose to
1808 * send the Communication Up notification to the SCTP user
1809 * upon reception of a valid COOKIE ECHO chunk.
1811 * Sadly, this needs to be implemented as a side-effect, because
1812 * we are not guaranteed to have set the association id of the real
1813 * association and so these notifications need to be delayed until
1814 * the association id is allocated.
1817 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1819 /* Sockets API Draft Section 5.3.1.6
1820 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1821 * delivers this notification to inform the application that of the
1822 * peers requested adaptation layer.
1824 * This also needs to be done as a side effect for the same reason as
1827 if (asoc->peer.adaptation_ind)
1828 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1830 return SCTP_DISPOSITION_CONSUME;
1833 return SCTP_DISPOSITION_NOMEM;
1836 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1839 * C) In this case, the local endpoint's cookie has arrived late.
1840 * Before it arrived, the local endpoint sent an INIT and received an
1841 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1842 * but a new tag of its own.
1844 /* This case represents an initialization collision. */
1845 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep,
1846 const struct sctp_association *asoc,
1847 struct sctp_chunk *chunk,
1848 sctp_cmd_seq_t *commands,
1849 struct sctp_association *new_asoc)
1851 /* The cookie should be silently discarded.
1852 * The endpoint SHOULD NOT change states and should leave
1853 * any timers running.
1855 return SCTP_DISPOSITION_DISCARD;
1858 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1862 * D) When both local and remote tags match the endpoint should always
1863 * enter the ESTABLISHED state, if it has not already done so.
1865 /* This case represents an initialization collision. */
1866 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep,
1867 const struct sctp_association *asoc,
1868 struct sctp_chunk *chunk,
1869 sctp_cmd_seq_t *commands,
1870 struct sctp_association *new_asoc)
1872 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1873 struct sctp_chunk *repl;
1875 /* Clarification from Implementor's Guide:
1876 * D) When both local and remote tags match the endpoint should
1877 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1878 * It should stop any cookie timer that may be running and send
1882 /* Don't accidentally move back into established state. */
1883 if (asoc->state < SCTP_STATE_ESTABLISHED) {
1884 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1885 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1886 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1887 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1888 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1889 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1892 /* RFC 2960 5.1 Normal Establishment of an Association
1894 * D) IMPLEMENTATION NOTE: An implementation may choose
1895 * to send the Communication Up notification to the
1896 * SCTP user upon reception of a valid COOKIE
1899 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1901 asoc->c.sinit_num_ostreams,
1902 asoc->c.sinit_max_instreams,
1907 /* Sockets API Draft Section 5.3.1.6
1908 * When a peer sends a Adaptation Layer Indication parameter,
1909 * SCTP delivers this notification to inform the application
1910 * that of the peers requested adaptation layer.
1912 if (asoc->peer.adaptation_ind) {
1913 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1921 repl = sctp_make_cookie_ack(new_asoc, chunk);
1925 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1928 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1931 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1932 SCTP_ULPEVENT(ai_ev));
1934 return SCTP_DISPOSITION_CONSUME;
1938 sctp_ulpevent_free(ai_ev);
1940 sctp_ulpevent_free(ev);
1941 return SCTP_DISPOSITION_NOMEM;
1945 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
1946 * chunk was retransmitted and then delayed in the network.
1948 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1950 * Verification Tag: None. Do cookie validation.
1953 * (endpoint, asoc, chunk)
1956 * (asoc, reply_msg, msg_up, timers, counters)
1958 * The return value is the disposition of the chunk.
1960 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
1961 const struct sctp_association *asoc,
1962 const sctp_subtype_t type,
1964 sctp_cmd_seq_t *commands)
1966 sctp_disposition_t retval;
1967 struct sctp_chunk *chunk = arg;
1968 struct sctp_association *new_asoc;
1971 struct sctp_chunk *err_chk_p;
1973 /* Make sure that the chunk has a valid length from the protocol
1974 * perspective. In this case check to make sure we have at least
1975 * enough for the chunk header. Cookie length verification is
1978 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
1979 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1982 /* "Decode" the chunk. We have no optional parameters so we
1983 * are in good shape.
1985 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
1986 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
1987 sizeof(sctp_chunkhdr_t)))
1990 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
1991 * of a duplicate COOKIE ECHO match the Verification Tags of the
1992 * current association, consider the State Cookie valid even if
1993 * the lifespan is exceeded.
1995 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
1999 * If the re-build failed, what is the proper error path
2002 * [We should abort the association. --piggy]
2005 /* FIXME: Several errors are possible. A bad cookie should
2006 * be silently discarded, but think about logging it too.
2009 case -SCTP_IERROR_NOMEM:
2012 case -SCTP_IERROR_STALE_COOKIE:
2013 sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
2015 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2016 case -SCTP_IERROR_BAD_SIG:
2018 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2022 /* Compare the tie_tag in cookie with the verification tag of
2023 * current association.
2025 action = sctp_tietags_compare(new_asoc, asoc);
2028 case 'A': /* Association restart. */
2029 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands,
2033 case 'B': /* Collision case B. */
2034 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands,
2038 case 'C': /* Collision case C. */
2039 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands,
2043 case 'D': /* Collision case D. */
2044 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands,
2048 default: /* Discard packet for all others. */
2049 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2053 /* Delete the tempory new association. */
2054 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2055 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2057 /* Restore association pointer to provide SCTP command interpeter
2058 * with a valid context in case it needs to manipulate
2060 sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2061 SCTP_ASOC((struct sctp_association *)asoc));
2066 return SCTP_DISPOSITION_NOMEM;
2070 * Process an ABORT. (SHUTDOWN-PENDING state)
2072 * See sctp_sf_do_9_1_abort().
2074 sctp_disposition_t sctp_sf_shutdown_pending_abort(
2075 const struct sctp_endpoint *ep,
2076 const struct sctp_association *asoc,
2077 const sctp_subtype_t type,
2079 sctp_cmd_seq_t *commands)
2081 struct sctp_chunk *chunk = arg;
2083 if (!sctp_vtag_verify_either(chunk, asoc))
2084 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2086 /* Make sure that the ABORT chunk has a valid length.
2087 * Since this is an ABORT chunk, we have to discard it
2088 * because of the following text:
2089 * RFC 2960, Section 3.3.7
2090 * If an endpoint receives an ABORT with a format error or for an
2091 * association that doesn't exist, it MUST silently discard it.
2092 * Because the length is "invalid", we can't really discard just
2093 * as we do not know its true length. So, to be safe, discard the
2096 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2097 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2099 /* ADD-IP: Special case for ABORT chunks
2100 * F4) One special consideration is that ABORT Chunks arriving
2101 * destined to the IP address being deleted MUST be
2102 * ignored (see Section 5.3.1 for further details).
2104 if (SCTP_ADDR_DEL ==
2105 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2106 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2108 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2112 * Process an ABORT. (SHUTDOWN-SENT state)
2114 * See sctp_sf_do_9_1_abort().
2116 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,
2117 const struct sctp_association *asoc,
2118 const sctp_subtype_t type,
2120 sctp_cmd_seq_t *commands)
2122 struct sctp_chunk *chunk = arg;
2124 if (!sctp_vtag_verify_either(chunk, asoc))
2125 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2127 /* Make sure that the ABORT chunk has a valid length.
2128 * Since this is an ABORT chunk, we have to discard it
2129 * because of the following text:
2130 * RFC 2960, Section 3.3.7
2131 * If an endpoint receives an ABORT with a format error or for an
2132 * association that doesn't exist, it MUST silently discard it.
2133 * Because the length is "invalid", we can't really discard just
2134 * as we do not know its true length. So, to be safe, discard the
2137 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2138 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2140 /* ADD-IP: Special case for ABORT chunks
2141 * F4) One special consideration is that ABORT Chunks arriving
2142 * destined to the IP address being deleted MUST be
2143 * ignored (see Section 5.3.1 for further details).
2145 if (SCTP_ADDR_DEL ==
2146 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2147 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2149 /* Stop the T2-shutdown timer. */
2150 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2151 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2153 /* Stop the T5-shutdown guard timer. */
2154 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2155 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2157 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2161 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2163 * See sctp_sf_do_9_1_abort().
2165 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2166 const struct sctp_endpoint *ep,
2167 const struct sctp_association *asoc,
2168 const sctp_subtype_t type,
2170 sctp_cmd_seq_t *commands)
2172 /* The same T2 timer, so we should be able to use
2173 * common function with the SHUTDOWN-SENT state.
2175 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands);
2179 * Handle an Error received in COOKIE_ECHOED state.
2181 * Only handle the error type of stale COOKIE Error, the other errors will
2185 * (endpoint, asoc, chunk)
2188 * (asoc, reply_msg, msg_up, timers, counters)
2190 * The return value is the disposition of the chunk.
2192 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep,
2193 const struct sctp_association *asoc,
2194 const sctp_subtype_t type,
2196 sctp_cmd_seq_t *commands)
2198 struct sctp_chunk *chunk = arg;
2201 if (!sctp_vtag_verify(chunk, asoc))
2202 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2204 /* Make sure that the ERROR chunk has a valid length.
2205 * The parameter walking depends on this as well.
2207 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2208 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2211 /* Process the error here */
2212 /* FUTURE FIXME: When PR-SCTP related and other optional
2213 * parms are emitted, this will have to change to handle multiple
2216 sctp_walk_errors(err, chunk->chunk_hdr) {
2217 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2218 return sctp_sf_do_5_2_6_stale(ep, asoc, type,
2222 /* It is possible to have malformed error causes, and that
2223 * will cause us to end the walk early. However, since
2224 * we are discarding the packet, there should be no adverse
2227 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2231 * Handle a Stale COOKIE Error
2233 * Section: 5.2.6 Handle Stale COOKIE Error
2234 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2235 * one of the following three alternatives.
2237 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2238 * Preservative parameter requesting an extension to the lifetime of
2239 * the State Cookie. When calculating the time extension, an
2240 * implementation SHOULD use the RTT information measured based on the
2241 * previous COOKIE ECHO / ERROR exchange, and should add no more
2242 * than 1 second beyond the measured RTT, due to long State Cookie
2243 * lifetimes making the endpoint more subject to a replay attack.
2245 * Verification Tag: Not explicit, but safe to ignore.
2248 * (endpoint, asoc, chunk)
2251 * (asoc, reply_msg, msg_up, timers, counters)
2253 * The return value is the disposition of the chunk.
2255 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
2256 const struct sctp_association *asoc,
2257 const sctp_subtype_t type,
2259 sctp_cmd_seq_t *commands)
2261 struct sctp_chunk *chunk = arg;
2263 sctp_cookie_preserve_param_t bht;
2265 struct sctp_chunk *reply;
2266 struct sctp_bind_addr *bp;
2267 int attempts = asoc->init_err_counter + 1;
2269 if (attempts > asoc->max_init_attempts) {
2270 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2271 SCTP_ERROR(ETIMEDOUT));
2272 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2273 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2274 return SCTP_DISPOSITION_DELETE_TCB;
2277 err = (sctp_errhdr_t *)(chunk->skb->data);
2279 /* When calculating the time extension, an implementation
2280 * SHOULD use the RTT information measured based on the
2281 * previous COOKIE ECHO / ERROR exchange, and should add no
2282 * more than 1 second beyond the measured RTT, due to long
2283 * State Cookie lifetimes making the endpoint more subject to
2285 * Measure of Staleness's unit is usec. (1/1000000 sec)
2286 * Suggested Cookie Life-span Increment's unit is msec.
2288 * In general, if you use the suggested cookie life, the value
2289 * found in the field of measure of staleness should be doubled
2290 * to give ample time to retransmit the new cookie and thus
2291 * yield a higher probability of success on the reattempt.
2293 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2294 stale = (stale * 2) / 1000;
2296 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2297 bht.param_hdr.length = htons(sizeof(bht));
2298 bht.lifespan_increment = htonl(stale);
2300 /* Build that new INIT chunk. */
2301 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2302 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2306 sctp_addto_chunk(reply, sizeof(bht), &bht);
2308 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2309 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2311 /* Stop pending T3-rtx and heartbeat timers */
2312 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2313 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2315 /* Delete non-primary peer ip addresses since we are transitioning
2316 * back to the COOKIE-WAIT state
2318 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2320 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2323 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2324 SCTP_TRANSPORT(asoc->peer.primary_path));
2326 /* Cast away the const modifier, as we want to just
2327 * rerun it through as a sideffect.
2329 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2331 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2332 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2333 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2334 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2335 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2336 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2338 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2340 return SCTP_DISPOSITION_CONSUME;
2343 return SCTP_DISPOSITION_NOMEM;
2350 * After checking the Verification Tag, the receiving endpoint shall
2351 * remove the association from its record, and shall report the
2352 * termination to its upper layer.
2354 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2355 * B) Rules for packet carrying ABORT:
2357 * - The endpoint shall always fill in the Verification Tag field of the
2358 * outbound packet with the destination endpoint's tag value if it
2361 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2362 * MUST follow the procedure described in Section 8.4.
2364 * - The receiver MUST accept the packet if the Verification Tag
2365 * matches either its own tag, OR the tag of its peer. Otherwise, the
2366 * receiver MUST silently discard the packet and take no further
2370 * (endpoint, asoc, chunk)
2373 * (asoc, reply_msg, msg_up, timers, counters)
2375 * The return value is the disposition of the chunk.
2377 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2378 const struct sctp_association *asoc,
2379 const sctp_subtype_t type,
2381 sctp_cmd_seq_t *commands)
2383 struct sctp_chunk *chunk = arg;
2385 if (!sctp_vtag_verify_either(chunk, asoc))
2386 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2388 /* Make sure that the ABORT chunk has a valid length.
2389 * Since this is an ABORT chunk, we have to discard it
2390 * because of the following text:
2391 * RFC 2960, Section 3.3.7
2392 * If an endpoint receives an ABORT with a format error or for an
2393 * association that doesn't exist, it MUST silently discard it.
2394 * Because the length is "invalid", we can't really discard just
2395 * as we do not know its true length. So, to be safe, discard the
2398 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2399 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2401 /* ADD-IP: Special case for ABORT chunks
2402 * F4) One special consideration is that ABORT Chunks arriving
2403 * destined to the IP address being deleted MUST be
2404 * ignored (see Section 5.3.1 for further details).
2406 if (SCTP_ADDR_DEL ==
2407 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2408 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2410 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2413 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2414 const struct sctp_association *asoc,
2415 const sctp_subtype_t type,
2417 sctp_cmd_seq_t *commands)
2419 struct sctp_chunk *chunk = arg;
2421 __be16 error = SCTP_ERROR_NO_ERROR;
2423 /* See if we have an error cause code in the chunk. */
2424 len = ntohs(chunk->chunk_hdr->length);
2425 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
2428 sctp_walk_errors(err, chunk->chunk_hdr);
2429 if ((void *)err != (void *)chunk->chunk_end)
2430 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2432 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2435 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2436 /* ASSOC_FAILED will DELETE_TCB. */
2437 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2438 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2439 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
2441 return SCTP_DISPOSITION_ABORT;
2445 * Process an ABORT. (COOKIE-WAIT state)
2447 * See sctp_sf_do_9_1_abort() above.
2449 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
2450 const struct sctp_association *asoc,
2451 const sctp_subtype_t type,
2453 sctp_cmd_seq_t *commands)
2455 struct sctp_chunk *chunk = arg;
2457 __be16 error = SCTP_ERROR_NO_ERROR;
2459 if (!sctp_vtag_verify_either(chunk, asoc))
2460 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2462 /* Make sure that the ABORT chunk has a valid length.
2463 * Since this is an ABORT chunk, we have to discard it
2464 * because of the following text:
2465 * RFC 2960, Section 3.3.7
2466 * If an endpoint receives an ABORT with a format error or for an
2467 * association that doesn't exist, it MUST silently discard it.
2468 * Because the length is "invalid", we can't really discard just
2469 * as we do not know its true length. So, to be safe, discard the
2472 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2473 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2475 /* See if we have an error cause code in the chunk. */
2476 len = ntohs(chunk->chunk_hdr->length);
2477 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2478 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2480 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc,
2485 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2487 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep,
2488 const struct sctp_association *asoc,
2489 const sctp_subtype_t type,
2491 sctp_cmd_seq_t *commands)
2493 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR,
2495 (struct sctp_transport *)arg);
2499 * Process an ABORT. (COOKIE-ECHOED state)
2501 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep,
2502 const struct sctp_association *asoc,
2503 const sctp_subtype_t type,
2505 sctp_cmd_seq_t *commands)
2507 /* There is a single T1 timer, so we should be able to use
2508 * common function with the COOKIE-WAIT state.
2510 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands);
2514 * Stop T1 timer and abort association with "INIT failed".
2516 * This is common code called by several sctp_sf_*_abort() functions above.
2518 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
2519 __be16 error, int sk_err,
2520 const struct sctp_association *asoc,
2521 struct sctp_transport *transport)
2523 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");
2524 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2525 SCTP_STATE(SCTP_STATE_CLOSED));
2526 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2527 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2528 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2529 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2530 /* CMD_INIT_FAILED will DELETE_TCB. */
2531 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2533 return SCTP_DISPOSITION_ABORT;
2537 * sctp_sf_do_9_2_shut
2540 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2541 * - enter the SHUTDOWN-RECEIVED state,
2543 * - stop accepting new data from its SCTP user
2545 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2546 * that all its outstanding DATA chunks have been received by the
2549 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2550 * send a SHUTDOWN in response to a ULP request. And should discard
2551 * subsequent SHUTDOWN chunks.
2553 * If there are still outstanding DATA chunks left, the SHUTDOWN
2554 * receiver shall continue to follow normal data transmission
2555 * procedures defined in Section 6 until all outstanding DATA chunks
2556 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2557 * new data from its SCTP user.
2559 * Verification Tag: 8.5 Verification Tag [Normal verification]
2562 * (endpoint, asoc, chunk)
2565 * (asoc, reply_msg, msg_up, timers, counters)
2567 * The return value is the disposition of the chunk.
2569 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
2570 const struct sctp_association *asoc,
2571 const sctp_subtype_t type,
2573 sctp_cmd_seq_t *commands)
2575 struct sctp_chunk *chunk = arg;
2576 sctp_shutdownhdr_t *sdh;
2577 sctp_disposition_t disposition;
2578 struct sctp_ulpevent *ev;
2581 if (!sctp_vtag_verify(chunk, asoc))
2582 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2584 /* Make sure that the SHUTDOWN chunk has a valid length. */
2585 if (!sctp_chunk_length_valid(chunk,
2586 sizeof(struct sctp_shutdown_chunk_t)))
2587 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2590 /* Convert the elaborate header. */
2591 sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2592 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2593 chunk->subh.shutdown_hdr = sdh;
2594 ctsn = ntohl(sdh->cum_tsn_ack);
2596 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2597 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2598 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2599 return SCTP_DISPOSITION_DISCARD;
2602 /* If Cumulative TSN Ack beyond the max tsn currently
2603 * send, terminating the association and respond to the
2604 * sender with an ABORT.
2606 if (!TSN_lt(ctsn, asoc->next_tsn))
2607 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2609 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2610 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2611 * inform the application that it should cease sending data.
2613 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2615 disposition = SCTP_DISPOSITION_NOMEM;
2618 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2620 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2621 * - enter the SHUTDOWN-RECEIVED state,
2622 * - stop accepting new data from its SCTP user
2624 * [This is implicit in the new state.]
2626 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2627 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2628 disposition = SCTP_DISPOSITION_CONSUME;
2630 if (sctp_outq_is_empty(&asoc->outqueue)) {
2631 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type,
2635 if (SCTP_DISPOSITION_NOMEM == disposition)
2638 /* - verify, by checking the Cumulative TSN Ack field of the
2639 * chunk, that all its outstanding DATA chunks have been
2640 * received by the SHUTDOWN sender.
2642 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2643 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2650 * sctp_sf_do_9_2_shut_ctsn
2652 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2653 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2654 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2655 * MUST be processed.
2657 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep,
2658 const struct sctp_association *asoc,
2659 const sctp_subtype_t type,
2661 sctp_cmd_seq_t *commands)
2663 struct sctp_chunk *chunk = arg;
2664 sctp_shutdownhdr_t *sdh;
2667 if (!sctp_vtag_verify(chunk, asoc))
2668 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2670 /* Make sure that the SHUTDOWN chunk has a valid length. */
2671 if (!sctp_chunk_length_valid(chunk,
2672 sizeof(struct sctp_shutdown_chunk_t)))
2673 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2676 sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2677 ctsn = ntohl(sdh->cum_tsn_ack);
2679 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2680 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2681 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2682 return SCTP_DISPOSITION_DISCARD;
2685 /* If Cumulative TSN Ack beyond the max tsn currently
2686 * send, terminating the association and respond to the
2687 * sender with an ABORT.
2689 if (!TSN_lt(ctsn, asoc->next_tsn))
2690 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2692 /* verify, by checking the Cumulative TSN Ack field of the
2693 * chunk, that all its outstanding DATA chunks have been
2694 * received by the SHUTDOWN sender.
2696 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2697 SCTP_BE32(sdh->cum_tsn_ack));
2699 return SCTP_DISPOSITION_CONSUME;
2703 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2704 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2705 * transport addresses (either in the IP addresses or in the INIT chunk)
2706 * that belong to this association, it should discard the INIT chunk and
2707 * retransmit the SHUTDOWN ACK chunk.
2709 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep,
2710 const struct sctp_association *asoc,
2711 const sctp_subtype_t type,
2713 sctp_cmd_seq_t *commands)
2715 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2716 struct sctp_chunk *reply;
2718 /* Make sure that the chunk has a valid length */
2719 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2720 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2723 /* Since we are not going to really process this INIT, there
2724 * is no point in verifying chunk boundries. Just generate
2727 reply = sctp_make_shutdown_ack(asoc, chunk);
2731 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2732 * the T2-SHUTDOWN timer.
2734 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2736 /* and restart the T2-shutdown timer. */
2737 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2738 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2740 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2742 return SCTP_DISPOSITION_CONSUME;
2744 return SCTP_DISPOSITION_NOMEM;
2748 * sctp_sf_do_ecn_cwr
2750 * Section: Appendix A: Explicit Congestion Notification
2754 * RFC 2481 details a specific bit for a sender to send in the header of
2755 * its next outbound TCP segment to indicate to its peer that it has
2756 * reduced its congestion window. This is termed the CWR bit. For
2757 * SCTP the same indication is made by including the CWR chunk.
2758 * This chunk contains one data element, i.e. the TSN number that
2759 * was sent in the ECNE chunk. This element represents the lowest
2760 * TSN number in the datagram that was originally marked with the
2763 * Verification Tag: 8.5 Verification Tag [Normal verification]
2765 * (endpoint, asoc, chunk)
2768 * (asoc, reply_msg, msg_up, timers, counters)
2770 * The return value is the disposition of the chunk.
2772 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,
2773 const struct sctp_association *asoc,
2774 const sctp_subtype_t type,
2776 sctp_cmd_seq_t *commands)
2779 struct sctp_chunk *chunk = arg;
2782 if (!sctp_vtag_verify(chunk, asoc))
2783 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2785 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2786 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2789 cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2790 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2792 lowest_tsn = ntohl(cwr->lowest_tsn);
2794 /* Does this CWR ack the last sent congestion notification? */
2795 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2796 /* Stop sending ECNE. */
2797 sctp_add_cmd_sf(commands,
2799 SCTP_U32(lowest_tsn));
2801 return SCTP_DISPOSITION_CONSUME;
2807 * Section: Appendix A: Explicit Congestion Notification
2811 * RFC 2481 details a specific bit for a receiver to send back in its
2812 * TCP acknowledgements to notify the sender of the Congestion
2813 * Experienced (CE) bit having arrived from the network. For SCTP this
2814 * same indication is made by including the ECNE chunk. This chunk
2815 * contains one data element, i.e. the lowest TSN associated with the IP
2816 * datagram marked with the CE bit.....
2818 * Verification Tag: 8.5 Verification Tag [Normal verification]
2820 * (endpoint, asoc, chunk)
2823 * (asoc, reply_msg, msg_up, timers, counters)
2825 * The return value is the disposition of the chunk.
2827 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,
2828 const struct sctp_association *asoc,
2829 const sctp_subtype_t type,
2831 sctp_cmd_seq_t *commands)
2833 sctp_ecnehdr_t *ecne;
2834 struct sctp_chunk *chunk = arg;
2836 if (!sctp_vtag_verify(chunk, asoc))
2837 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2839 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2840 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2843 ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2844 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2846 /* If this is a newer ECNE than the last CWR packet we sent out */
2847 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2848 SCTP_U32(ntohl(ecne->lowest_tsn)));
2850 return SCTP_DISPOSITION_CONSUME;
2854 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
2856 * The SCTP endpoint MUST always acknowledge the reception of each valid
2859 * The guidelines on delayed acknowledgement algorithm specified in
2860 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2861 * acknowledgement SHOULD be generated for at least every second packet
2862 * (not every second DATA chunk) received, and SHOULD be generated within
2863 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2864 * situations it may be beneficial for an SCTP transmitter to be more
2865 * conservative than the algorithms detailed in this document allow.
2866 * However, an SCTP transmitter MUST NOT be more aggressive than the
2867 * following algorithms allow.
2869 * A SCTP receiver MUST NOT generate more than one SACK for every
2870 * incoming packet, other than to update the offered window as the
2871 * receiving application consumes new data.
2873 * Verification Tag: 8.5 Verification Tag [Normal verification]
2876 * (endpoint, asoc, chunk)
2879 * (asoc, reply_msg, msg_up, timers, counters)
2881 * The return value is the disposition of the chunk.
2883 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,
2884 const struct sctp_association *asoc,
2885 const sctp_subtype_t type,
2887 sctp_cmd_seq_t *commands)
2889 struct sctp_chunk *chunk = arg;
2890 sctp_arg_t force = SCTP_NOFORCE();
2893 if (!sctp_vtag_verify(chunk, asoc)) {
2894 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2896 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2899 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2900 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2903 error = sctp_eat_data(asoc, chunk, commands );
2905 case SCTP_IERROR_NO_ERROR:
2907 case SCTP_IERROR_HIGH_TSN:
2908 case SCTP_IERROR_BAD_STREAM:
2909 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2910 goto discard_noforce;
2911 case SCTP_IERROR_DUP_TSN:
2912 case SCTP_IERROR_IGNORE_TSN:
2913 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2915 case SCTP_IERROR_NO_DATA:
2917 case SCTP_IERROR_PROTO_VIOLATION:
2918 return sctp_sf_abort_violation(ep, asoc, chunk, commands,
2919 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
2924 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
2925 force = SCTP_FORCE();
2927 if (asoc->autoclose) {
2928 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2929 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2932 /* If this is the last chunk in a packet, we need to count it
2933 * toward sack generation. Note that we need to SACK every
2934 * OTHER packet containing data chunks, EVEN IF WE DISCARD
2935 * THEM. We elect to NOT generate SACK's if the chunk fails
2936 * the verification tag test.
2938 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2940 * The SCTP endpoint MUST always acknowledge the reception of
2941 * each valid DATA chunk.
2943 * The guidelines on delayed acknowledgement algorithm
2944 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
2945 * Specifically, an acknowledgement SHOULD be generated for at
2946 * least every second packet (not every second DATA chunk)
2947 * received, and SHOULD be generated within 200 ms of the
2948 * arrival of any unacknowledged DATA chunk. In some
2949 * situations it may be beneficial for an SCTP transmitter to
2950 * be more conservative than the algorithms detailed in this
2951 * document allow. However, an SCTP transmitter MUST NOT be
2952 * more aggressive than the following algorithms allow.
2954 if (chunk->end_of_packet)
2955 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
2957 return SCTP_DISPOSITION_CONSUME;
2960 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2962 * When a packet arrives with duplicate DATA chunk(s) and with
2963 * no new DATA chunk(s), the endpoint MUST immediately send a
2964 * SACK with no delay. If a packet arrives with duplicate
2965 * DATA chunk(s) bundled with new DATA chunks, the endpoint
2966 * MAY immediately send a SACK. Normally receipt of duplicate
2967 * DATA chunks will occur when the original SACK chunk was lost
2968 * and the peer's RTO has expired. The duplicate TSN number(s)
2969 * SHOULD be reported in the SACK as duplicate.
2971 /* In our case, we split the MAY SACK advice up whether or not
2972 * the last chunk is a duplicate.'
2974 if (chunk->end_of_packet)
2975 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
2976 return SCTP_DISPOSITION_DISCARD;
2979 if (chunk->end_of_packet)
2980 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
2982 return SCTP_DISPOSITION_DISCARD;
2984 return SCTP_DISPOSITION_CONSUME;
2989 * sctp_sf_eat_data_fast_4_4
2992 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
2993 * DATA chunks without delay.
2995 * Verification Tag: 8.5 Verification Tag [Normal verification]
2997 * (endpoint, asoc, chunk)
3000 * (asoc, reply_msg, msg_up, timers, counters)
3002 * The return value is the disposition of the chunk.
3004 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,
3005 const struct sctp_association *asoc,
3006 const sctp_subtype_t type,
3008 sctp_cmd_seq_t *commands)
3010 struct sctp_chunk *chunk = arg;
3013 if (!sctp_vtag_verify(chunk, asoc)) {
3014 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3016 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3019 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
3020 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3023 error = sctp_eat_data(asoc, chunk, commands );
3025 case SCTP_IERROR_NO_ERROR:
3026 case SCTP_IERROR_HIGH_TSN:
3027 case SCTP_IERROR_DUP_TSN:
3028 case SCTP_IERROR_IGNORE_TSN:
3029 case SCTP_IERROR_BAD_STREAM:
3031 case SCTP_IERROR_NO_DATA:
3033 case SCTP_IERROR_PROTO_VIOLATION:
3034 return sctp_sf_abort_violation(ep, asoc, chunk, commands,
3035 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
3040 /* Go a head and force a SACK, since we are shutting down. */
3042 /* Implementor's Guide.
3044 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3045 * respond to each received packet containing one or more DATA chunk(s)
3046 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3048 if (chunk->end_of_packet) {
3049 /* We must delay the chunk creation since the cumulative
3050 * TSN has not been updated yet.
3052 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3053 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3054 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3055 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3059 return SCTP_DISPOSITION_CONSUME;
3063 * Section: 6.2 Processing a Received SACK
3064 * D) Any time a SACK arrives, the endpoint performs the following:
3066 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3067 * then drop the SACK. Since Cumulative TSN Ack is monotonically
3068 * increasing, a SACK whose Cumulative TSN Ack is less than the
3069 * Cumulative TSN Ack Point indicates an out-of-order SACK.
3071 * ii) Set rwnd equal to the newly received a_rwnd minus the number
3072 * of bytes still outstanding after processing the Cumulative TSN Ack
3073 * and the Gap Ack Blocks.
3075 * iii) If the SACK is missing a TSN that was previously
3076 * acknowledged via a Gap Ack Block (e.g., the data receiver
3077 * reneged on the data), then mark the corresponding DATA chunk
3078 * as available for retransmit: Mark it as missing for fast
3079 * retransmit as described in Section 7.2.4 and if no retransmit
3080 * timer is running for the destination address to which the DATA
3081 * chunk was originally transmitted, then T3-rtx is started for
3082 * that destination address.
3084 * Verification Tag: 8.5 Verification Tag [Normal verification]
3087 * (endpoint, asoc, chunk)
3090 * (asoc, reply_msg, msg_up, timers, counters)
3092 * The return value is the disposition of the chunk.
3094 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
3095 const struct sctp_association *asoc,
3096 const sctp_subtype_t type,
3098 sctp_cmd_seq_t *commands)
3100 struct sctp_chunk *chunk = arg;
3101 sctp_sackhdr_t *sackh;
3104 if (!sctp_vtag_verify(chunk, asoc))
3105 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3107 /* Make sure that the SACK chunk has a valid length. */
3108 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
3109 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3112 /* Pull the SACK chunk from the data buffer */
3113 sackh = sctp_sm_pull_sack(chunk);
3114 /* Was this a bogus SACK? */
3116 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3117 chunk->subh.sack_hdr = sackh;
3118 ctsn = ntohl(sackh->cum_tsn_ack);
3120 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3121 * Ack Point, then drop the SACK. Since Cumulative TSN
3122 * Ack is monotonically increasing, a SACK whose
3123 * Cumulative TSN Ack is less than the Cumulative TSN Ack
3124 * Point indicates an out-of-order SACK.
3126 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3127 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
3128 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
3129 return SCTP_DISPOSITION_DISCARD;
3132 /* If Cumulative TSN Ack beyond the max tsn currently
3133 * send, terminating the association and respond to the
3134 * sender with an ABORT.
3136 if (!TSN_lt(ctsn, asoc->next_tsn))
3137 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
3139 /* Return this SACK for further processing. */
3140 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh));
3142 /* Note: We do the rest of the work on the PROCESS_SACK
3145 return SCTP_DISPOSITION_CONSUME;
3149 * Generate an ABORT in response to a packet.
3151 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3153 * 8) The receiver should respond to the sender of the OOTB packet with
3154 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3155 * MUST fill in the Verification Tag field of the outbound packet
3156 * with the value found in the Verification Tag field of the OOTB
3157 * packet and set the T-bit in the Chunk Flags to indicate that the
3158 * Verification Tag is reflected. After sending this ABORT, the
3159 * receiver of the OOTB packet shall discard the OOTB packet and take
3160 * no further action.
3164 * The return value is the disposition of the chunk.
3166 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
3167 const struct sctp_association *asoc,
3168 const sctp_subtype_t type,
3170 sctp_cmd_seq_t *commands)
3172 struct sctp_packet *packet = NULL;
3173 struct sctp_chunk *chunk = arg;
3174 struct sctp_chunk *abort;
3176 packet = sctp_ootb_pkt_new(asoc, chunk);
3179 /* Make an ABORT. The T bit will be set if the asoc
3182 abort = sctp_make_abort(asoc, chunk, 0);
3184 sctp_ootb_pkt_free(packet);
3185 return SCTP_DISPOSITION_NOMEM;
3188 /* Reflect vtag if T-Bit is set */
3189 if (sctp_test_T_bit(abort))
3190 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3192 /* Set the skb to the belonging sock for accounting. */
3193 abort->skb->sk = ep->base.sk;
3195 sctp_packet_append_chunk(packet, abort);
3197 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3198 SCTP_PACKET(packet));
3200 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3202 sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3203 return SCTP_DISPOSITION_CONSUME;
3206 return SCTP_DISPOSITION_NOMEM;
3210 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3211 * event as ULP notification for each cause included in the chunk.
3213 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3215 * The return value is the disposition of the chunk.
3217 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
3218 const struct sctp_association *asoc,
3219 const sctp_subtype_t type,
3221 sctp_cmd_seq_t *commands)
3223 struct sctp_chunk *chunk = arg;
3226 if (!sctp_vtag_verify(chunk, asoc))
3227 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3229 /* Make sure that the ERROR chunk has a valid length. */
3230 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3231 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3233 sctp_walk_errors(err, chunk->chunk_hdr);
3234 if ((void *)err != (void *)chunk->chunk_end)
3235 return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3236 (void *)err, commands);
3238 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3241 return SCTP_DISPOSITION_CONSUME;
3245 * Process an inbound SHUTDOWN ACK.
3248 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3249 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3250 * peer, and remove all record of the association.
3252 * The return value is the disposition.
3254 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,
3255 const struct sctp_association *asoc,
3256 const sctp_subtype_t type,
3258 sctp_cmd_seq_t *commands)
3260 struct sctp_chunk *chunk = arg;
3261 struct sctp_chunk *reply;
3262 struct sctp_ulpevent *ev;
3264 if (!sctp_vtag_verify(chunk, asoc))
3265 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3267 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3268 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3269 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3271 /* 10.2 H) SHUTDOWN COMPLETE notification
3273 * When SCTP completes the shutdown procedures (section 9.2) this
3274 * notification is passed to the upper layer.
3276 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3277 0, 0, 0, NULL, GFP_ATOMIC);
3281 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3282 reply = sctp_make_shutdown_complete(asoc, chunk);
3286 /* Do all the commands now (after allocation), so that we
3287 * have consistent state if memory allocation failes
3289 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3291 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3292 * stop the T2-shutdown timer,
3294 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3295 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3297 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3298 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3300 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3301 SCTP_STATE(SCTP_STATE_CLOSED));
3302 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
3303 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3304 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3306 /* ...and remove all record of the association. */
3307 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3308 return SCTP_DISPOSITION_DELETE_TCB;
3311 sctp_ulpevent_free(ev);
3313 return SCTP_DISPOSITION_NOMEM;
3317 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3319 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3320 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3321 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3322 * packet must fill in the Verification Tag field of the outbound
3323 * packet with the Verification Tag received in the SHUTDOWN ACK and
3324 * set the T-bit in the Chunk Flags to indicate that the Verification
3327 * 8) The receiver should respond to the sender of the OOTB packet with
3328 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3329 * MUST fill in the Verification Tag field of the outbound packet
3330 * with the value found in the Verification Tag field of the OOTB
3331 * packet and set the T-bit in the Chunk Flags to indicate that the
3332 * Verification Tag is reflected. After sending this ABORT, the
3333 * receiver of the OOTB packet shall discard the OOTB packet and take
3334 * no further action.
3336 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
3337 const struct sctp_association *asoc,
3338 const sctp_subtype_t type,
3340 sctp_cmd_seq_t *commands)
3342 struct sctp_chunk *chunk = arg;
3343 struct sk_buff *skb = chunk->skb;
3344 sctp_chunkhdr_t *ch;
3347 int ootb_shut_ack = 0;
3348 int ootb_cookie_ack = 0;
3350 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3352 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3354 /* Report violation if the chunk is less then minimal */
3355 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3356 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3359 /* Now that we know we at least have a chunk header,
3360 * do things that are type appropriate.
3362 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3365 /* RFC 2960, Section 3.3.7
3366 * Moreover, under any circumstances, an endpoint that
3367 * receives an ABORT MUST NOT respond to that ABORT by
3368 * sending an ABORT of its own.
3370 if (SCTP_CID_ABORT == ch->type)
3371 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3373 /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3374 * or a COOKIE ACK the SCTP Packet should be silently
3378 if (SCTP_CID_COOKIE_ACK == ch->type)
3379 ootb_cookie_ack = 1;
3381 if (SCTP_CID_ERROR == ch->type) {
3382 sctp_walk_errors(err, ch) {
3383 if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3384 ootb_cookie_ack = 1;
3390 /* Report violation if chunk len overflows */
3391 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3392 if (ch_end > skb_tail_pointer(skb))
3393 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3396 ch = (sctp_chunkhdr_t *) ch_end;
3397 } while (ch_end < skb_tail_pointer(skb));
3400 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);
3401 else if (ootb_cookie_ack)
3402 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3404 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
3408 * Handle an "Out of the blue" SHUTDOWN ACK.
3410 * Section: 8.4 5, sctpimpguide 2.41.
3412 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3413 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3414 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3415 * packet must fill in the Verification Tag field of the outbound
3416 * packet with the Verification Tag received in the SHUTDOWN ACK and
3417 * set the T-bit in the Chunk Flags to indicate that the Verification
3421 * (endpoint, asoc, type, arg, commands)
3424 * (sctp_disposition_t)
3426 * The return value is the disposition of the chunk.
3428 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
3429 const struct sctp_association *asoc,
3430 const sctp_subtype_t type,
3432 sctp_cmd_seq_t *commands)
3434 struct sctp_packet *packet = NULL;
3435 struct sctp_chunk *chunk = arg;
3436 struct sctp_chunk *shut;
3438 packet = sctp_ootb_pkt_new(asoc, chunk);
3441 /* Make an SHUTDOWN_COMPLETE.
3442 * The T bit will be set if the asoc is NULL.
3444 shut = sctp_make_shutdown_complete(asoc, chunk);
3446 sctp_ootb_pkt_free(packet);
3447 return SCTP_DISPOSITION_NOMEM;
3450 /* Reflect vtag if T-Bit is set */
3451 if (sctp_test_T_bit(shut))
3452 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3454 /* Set the skb to the belonging sock for accounting. */
3455 shut->skb->sk = ep->base.sk;
3457 sctp_packet_append_chunk(packet, shut);
3459 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3460 SCTP_PACKET(packet));
3462 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3464 /* If the chunk length is invalid, we don't want to process
3465 * the reset of the packet.
3467 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3468 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3470 /* We need to discard the rest of the packet to prevent
3471 * potential bomming attacks from additional bundled chunks.
3472 * This is documented in SCTP Threats ID.
3474 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3477 return SCTP_DISPOSITION_NOMEM;
3481 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3483 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3484 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3485 * procedures in section 8.4 SHOULD be followed, in other words it
3486 * should be treated as an Out Of The Blue packet.
3487 * [This means that we do NOT check the Verification Tag on these
3491 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep,
3492 const struct sctp_association *asoc,
3493 const sctp_subtype_t type,
3495 sctp_cmd_seq_t *commands)
3497 struct sctp_chunk *chunk = arg;
3499 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3500 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3501 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3504 /* Although we do have an association in this case, it corresponds
3505 * to a restarted association. So the packet is treated as an OOTB
3506 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3507 * called with a NULL association.
3509 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3511 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands);
3514 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
3515 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep,
3516 const struct sctp_association *asoc,
3517 const sctp_subtype_t type, void *arg,
3518 sctp_cmd_seq_t *commands)
3520 struct sctp_chunk *chunk = arg;
3521 struct sctp_chunk *asconf_ack = NULL;
3522 struct sctp_paramhdr *err_param = NULL;
3523 sctp_addiphdr_t *hdr;
3524 union sctp_addr_param *addr_param;
3528 if (!sctp_vtag_verify(chunk, asoc)) {
3529 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3531 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3534 /* ADD-IP: Section 4.1.1
3535 * This chunk MUST be sent in an authenticated way by using
3536 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3537 * is received unauthenticated it MUST be silently discarded as
3538 * described in [I-D.ietf-tsvwg-sctp-auth].
3540 if (!sctp_addip_noauth && !chunk->auth)
3541 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3543 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3544 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3545 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3548 hdr = (sctp_addiphdr_t *)chunk->skb->data;
3549 serial = ntohl(hdr->serial);
3551 addr_param = (union sctp_addr_param *)hdr->params;
3552 length = ntohs(addr_param->p.length);
3553 if (length < sizeof(sctp_paramhdr_t))
3554 return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3555 (void *)addr_param, commands);
3557 /* Verify the ASCONF chunk before processing it. */
3558 if (!sctp_verify_asconf(asoc,
3559 (sctp_paramhdr_t *)((void *)addr_param + length),
3560 (void *)chunk->chunk_end,
3562 return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3563 (void *)err_param, commands);
3565 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3566 * the endpoint stored in a new association variable
3567 * 'Peer-Serial-Number'.
3569 if (serial == asoc->peer.addip_serial + 1) {
3570 /* If this is the first instance of ASCONF in the packet,
3571 * we can clean our old ASCONF-ACKs.
3573 if (!chunk->has_asconf)
3574 sctp_assoc_clean_asconf_ack_cache(asoc);
3576 /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3577 * expected, process the ASCONF as described below and after
3578 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3579 * the response packet and cache a copy of it (in the event it
3580 * later needs to be retransmitted).
3582 * Essentially, do V1-V5.
3584 asconf_ack = sctp_process_asconf((struct sctp_association *)
3587 return SCTP_DISPOSITION_NOMEM;
3588 } else if (serial < asoc->peer.addip_serial + 1) {
3590 * If the value found in the Sequence Number is less than the
3591 * ('Peer- Sequence-Number' + 1), simply skip to the next
3592 * ASCONF, and include in the outbound response packet
3593 * any previously cached ASCONF-ACK response that was
3594 * sent and saved that matches the Sequence Number of the
3595 * ASCONF. Note: It is possible that no cached ASCONF-ACK
3596 * Chunk exists. This will occur when an older ASCONF
3597 * arrives out of order. In such a case, the receiver
3598 * should skip the ASCONF Chunk and not include ASCONF-ACK
3599 * Chunk for that chunk.
3601 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3603 return SCTP_DISPOSITION_DISCARD;
3605 /* Reset the transport so that we select the correct one
3606 * this time around. This is to make sure that we don't
3607 * accidentally use a stale transport that's been removed.
3609 asconf_ack->transport = NULL;
3611 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3612 * it must be either a stale packet or from an attacker.
3614 return SCTP_DISPOSITION_DISCARD;
3617 /* ADDIP 5.2 E6) The destination address of the SCTP packet
3618 * containing the ASCONF-ACK Chunks MUST be the source address of
3619 * the SCTP packet that held the ASCONF Chunks.
3621 * To do this properly, we'll set the destination address of the chunk
3622 * and at the transmit time, will try look up the transport to use.
3623 * Since ASCONFs may be bundled, the correct transport may not be
3624 * created until we process the entire packet, thus this workaround.
3626 asconf_ack->dest = chunk->source;
3627 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3628 if (asoc->new_transport) {
3629 sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport,
3631 ((struct sctp_association *)asoc)->new_transport = NULL;
3634 return SCTP_DISPOSITION_CONSUME;
3638 * ADDIP Section 4.3 General rules for address manipulation
3639 * When building TLV parameters for the ASCONF Chunk that will add or
3640 * delete IP addresses the D0 to D13 rules should be applied:
3642 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,
3643 const struct sctp_association *asoc,
3644 const sctp_subtype_t type, void *arg,
3645 sctp_cmd_seq_t *commands)
3647 struct sctp_chunk *asconf_ack = arg;
3648 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3649 struct sctp_chunk *abort;
3650 struct sctp_paramhdr *err_param = NULL;
3651 sctp_addiphdr_t *addip_hdr;
3652 __u32 sent_serial, rcvd_serial;
3654 if (!sctp_vtag_verify(asconf_ack, asoc)) {
3655 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3657 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3660 /* ADD-IP, Section 4.1.2:
3661 * This chunk MUST be sent in an authenticated way by using
3662 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3663 * is received unauthenticated it MUST be silently discarded as
3664 * described in [I-D.ietf-tsvwg-sctp-auth].
3666 if (!sctp_addip_noauth && !asconf_ack->auth)
3667 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3669 /* Make sure that the ADDIP chunk has a valid length. */
3670 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3671 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3674 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3675 rcvd_serial = ntohl(addip_hdr->serial);
3677 /* Verify the ASCONF-ACK chunk before processing it. */
3678 if (!sctp_verify_asconf(asoc,
3679 (sctp_paramhdr_t *)addip_hdr->params,
3680 (void *)asconf_ack->chunk_end,
3682 return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3683 (void *)err_param, commands);
3686 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3687 sent_serial = ntohl(addip_hdr->serial);
3689 sent_serial = asoc->addip_serial - 1;
3692 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3693 * equal to the next serial number to be used but no ASCONF chunk is
3694 * outstanding the endpoint MUST ABORT the association. Note that a
3695 * sequence number is greater than if it is no more than 2^^31-1
3696 * larger than the current sequence number (using serial arithmetic).
3698 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3699 !(asoc->addip_last_asconf)) {
3700 abort = sctp_make_abort(asoc, asconf_ack,
3701 sizeof(sctp_errhdr_t));
3703 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3704 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3707 /* We are going to ABORT, so we might as well stop
3708 * processing the rest of the chunks in the packet.
3710 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3711 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3712 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3713 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3714 SCTP_ERROR(ECONNABORTED));
3715 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3716 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3717 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3718 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3719 return SCTP_DISPOSITION_ABORT;
3722 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3723 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3724 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3726 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3728 /* Successfully processed ASCONF_ACK. We can
3729 * release the next asconf if we have one.
3731 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
3733 return SCTP_DISPOSITION_CONSUME;
3736 abort = sctp_make_abort(asoc, asconf_ack,
3737 sizeof(sctp_errhdr_t));
3739 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3740 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3743 /* We are going to ABORT, so we might as well stop
3744 * processing the rest of the chunks in the packet.
3746 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3747 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3748 SCTP_ERROR(ECONNABORTED));
3749 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3750 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3751 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3752 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3753 return SCTP_DISPOSITION_ABORT;
3756 return SCTP_DISPOSITION_DISCARD;
3760 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3762 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3763 * its cumulative TSN point to the value carried in the FORWARD TSN
3764 * chunk, and then MUST further advance its cumulative TSN point locally
3766 * After the above processing, the data receiver MUST stop reporting any
3767 * missing TSNs earlier than or equal to the new cumulative TSN point.
3769 * Verification Tag: 8.5 Verification Tag [Normal verification]
3771 * The return value is the disposition of the chunk.
3773 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
3774 const struct sctp_association *asoc,
3775 const sctp_subtype_t type,
3777 sctp_cmd_seq_t *commands)
3779 struct sctp_chunk *chunk = arg;
3780 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3781 struct sctp_fwdtsn_skip *skip;
3785 if (!sctp_vtag_verify(chunk, asoc)) {
3786 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3788 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3791 /* Make sure that the FORWARD_TSN chunk has valid length. */
3792 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3793 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3796 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3797 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3798 len = ntohs(chunk->chunk_hdr->length);
3799 len -= sizeof(struct sctp_chunkhdr);
3800 skb_pull(chunk->skb, len);
3802 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3803 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3805 /* The TSN is too high--silently discard the chunk and count on it
3806 * getting retransmitted later.
3808 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3809 goto discard_noforce;
3811 /* Silently discard the chunk if stream-id is not valid */
3812 sctp_walk_fwdtsn(skip, chunk) {
3813 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3814 goto discard_noforce;
3817 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3818 if (len > sizeof(struct sctp_fwdtsn_hdr))
3819 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3822 /* Count this as receiving DATA. */
3823 if (asoc->autoclose) {
3824 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3825 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3828 /* FIXME: For now send a SACK, but DATA processing may
3831 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3833 return SCTP_DISPOSITION_CONSUME;
3836 return SCTP_DISPOSITION_DISCARD;
3839 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3840 const struct sctp_endpoint *ep,
3841 const struct sctp_association *asoc,
3842 const sctp_subtype_t type,
3844 sctp_cmd_seq_t *commands)
3846 struct sctp_chunk *chunk = arg;
3847 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3848 struct sctp_fwdtsn_skip *skip;
3852 if (!sctp_vtag_verify(chunk, asoc)) {
3853 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3855 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3858 /* Make sure that the FORWARD_TSN chunk has a valid length. */
3859 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3860 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3863 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3864 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3865 len = ntohs(chunk->chunk_hdr->length);
3866 len -= sizeof(struct sctp_chunkhdr);
3867 skb_pull(chunk->skb, len);
3869 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3870 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3872 /* The TSN is too high--silently discard the chunk and count on it
3873 * getting retransmitted later.
3875 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3878 /* Silently discard the chunk if stream-id is not valid */
3879 sctp_walk_fwdtsn(skip, chunk) {
3880 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3884 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3885 if (len > sizeof(struct sctp_fwdtsn_hdr))
3886 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3889 /* Go a head and force a SACK, since we are shutting down. */
3891 /* Implementor's Guide.
3893 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3894 * respond to each received packet containing one or more DATA chunk(s)
3895 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3897 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3898 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3899 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3900 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3902 return SCTP_DISPOSITION_CONSUME;
3906 * SCTP-AUTH Section 6.3 Receiving authenticated chukns
3908 * The receiver MUST use the HMAC algorithm indicated in the HMAC
3909 * Identifier field. If this algorithm was not specified by the
3910 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
3911 * during association setup, the AUTH chunk and all chunks after it MUST
3912 * be discarded and an ERROR chunk SHOULD be sent with the error cause
3913 * defined in Section 4.1.
3915 * If an endpoint with no shared key receives a Shared Key Identifier
3916 * other than 0, it MUST silently discard all authenticated chunks. If
3917 * the endpoint has at least one endpoint pair shared key for the peer,
3918 * it MUST use the key specified by the Shared Key Identifier if a
3919 * key has been configured for that Shared Key Identifier. If no
3920 * endpoint pair shared key has been configured for that Shared Key
3921 * Identifier, all authenticated chunks MUST be silently discarded.
3923 * Verification Tag: 8.5 Verification Tag [Normal verification]
3925 * The return value is the disposition of the chunk.
3927 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
3928 const struct sctp_association *asoc,
3929 const sctp_subtype_t type,
3930 struct sctp_chunk *chunk)
3932 struct sctp_authhdr *auth_hdr;
3933 struct sctp_hmac *hmac;
3934 unsigned int sig_len;
3939 /* Pull in the auth header, so we can do some more verification */
3940 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
3941 chunk->subh.auth_hdr = auth_hdr;
3942 skb_pull(chunk->skb, sizeof(struct sctp_authhdr));
3944 /* Make sure that we suport the HMAC algorithm from the auth
3947 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
3948 return SCTP_IERROR_AUTH_BAD_HMAC;
3950 /* Make sure that the provided shared key identifier has been
3953 key_id = ntohs(auth_hdr->shkey_id);
3954 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
3955 return SCTP_IERROR_AUTH_BAD_KEYID;
3958 /* Make sure that the length of the signature matches what
3961 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);
3962 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
3963 if (sig_len != hmac->hmac_len)
3964 return SCTP_IERROR_PROTO_VIOLATION;
3966 /* Now that we've done validation checks, we can compute and
3967 * verify the hmac. The steps involved are:
3968 * 1. Save the digest from the chunk.
3969 * 2. Zero out the digest in the chunk.
3970 * 3. Compute the new digest
3971 * 4. Compare saved and new digests.
3973 digest = auth_hdr->hmac;
3974 skb_pull(chunk->skb, sig_len);
3976 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
3980 memset(digest, 0, sig_len);
3982 sctp_auth_calculate_hmac(asoc, chunk->skb,
3983 (struct sctp_auth_chunk *)chunk->chunk_hdr,
3986 /* Discard the packet if the digests do not match */
3987 if (memcmp(save_digest, digest, sig_len)) {
3989 return SCTP_IERROR_BAD_SIG;
3995 return SCTP_IERROR_NO_ERROR;
3997 return SCTP_IERROR_NOMEM;
4000 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep,
4001 const struct sctp_association *asoc,
4002 const sctp_subtype_t type,
4004 sctp_cmd_seq_t *commands)
4006 struct sctp_authhdr *auth_hdr;
4007 struct sctp_chunk *chunk = arg;
4008 struct sctp_chunk *err_chunk;
4009 sctp_ierror_t error;
4011 /* Make sure that the peer has AUTH capable */
4012 if (!asoc->peer.auth_capable)
4013 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands);
4015 if (!sctp_vtag_verify(chunk, asoc)) {
4016 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4018 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4021 /* Make sure that the AUTH chunk has valid length. */
4022 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4023 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4026 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4027 error = sctp_sf_authenticate(ep, asoc, type, chunk);
4029 case SCTP_IERROR_AUTH_BAD_HMAC:
4030 /* Generate the ERROR chunk and discard the rest
4033 err_chunk = sctp_make_op_error(asoc, chunk,
4034 SCTP_ERROR_UNSUP_HMAC,
4038 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4039 SCTP_CHUNK(err_chunk));
4042 case SCTP_IERROR_AUTH_BAD_KEYID:
4043 case SCTP_IERROR_BAD_SIG:
4044 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4046 case SCTP_IERROR_PROTO_VIOLATION:
4047 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4050 case SCTP_IERROR_NOMEM:
4051 return SCTP_DISPOSITION_NOMEM;
4053 default: /* Prevent gcc warnings */
4057 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4058 struct sctp_ulpevent *ev;
4060 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4061 SCTP_AUTH_NEWKEY, GFP_ATOMIC);
4066 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4070 return SCTP_DISPOSITION_CONSUME;
4074 * Process an unknown chunk.
4076 * Section: 3.2. Also, 2.1 in the implementor's guide.
4078 * Chunk Types are encoded such that the highest-order two bits specify
4079 * the action that must be taken if the processing endpoint does not
4080 * recognize the Chunk Type.
4082 * 00 - Stop processing this SCTP packet and discard it, do not process
4083 * any further chunks within it.
4085 * 01 - Stop processing this SCTP packet and discard it, do not process
4086 * any further chunks within it, and report the unrecognized
4087 * chunk in an 'Unrecognized Chunk Type'.
4089 * 10 - Skip this chunk and continue processing.
4091 * 11 - Skip this chunk and continue processing, but report in an ERROR
4092 * Chunk using the 'Unrecognized Chunk Type' cause of error.
4094 * The return value is the disposition of the chunk.
4096 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,
4097 const struct sctp_association *asoc,
4098 const sctp_subtype_t type,
4100 sctp_cmd_seq_t *commands)
4102 struct sctp_chunk *unk_chunk = arg;
4103 struct sctp_chunk *err_chunk;
4104 sctp_chunkhdr_t *hdr;
4106 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);
4108 if (!sctp_vtag_verify(unk_chunk, asoc))
4109 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4111 /* Make sure that the chunk has a valid length.
4112 * Since we don't know the chunk type, we use a general
4113 * chunkhdr structure to make a comparison.
4115 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
4116 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4119 switch (type.chunk & SCTP_CID_ACTION_MASK) {
4120 case SCTP_CID_ACTION_DISCARD:
4121 /* Discard the packet. */
4122 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4124 case SCTP_CID_ACTION_DISCARD_ERR:
4125 /* Generate an ERROR chunk as response. */
4126 hdr = unk_chunk->chunk_hdr;
4127 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4128 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4129 WORD_ROUND(ntohs(hdr->length)),
4132 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4133 SCTP_CHUNK(err_chunk));
4136 /* Discard the packet. */
4137 sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4138 return SCTP_DISPOSITION_CONSUME;
4140 case SCTP_CID_ACTION_SKIP:
4141 /* Skip the chunk. */
4142 return SCTP_DISPOSITION_DISCARD;
4144 case SCTP_CID_ACTION_SKIP_ERR:
4145 /* Generate an ERROR chunk as response. */
4146 hdr = unk_chunk->chunk_hdr;
4147 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4148 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4149 WORD_ROUND(ntohs(hdr->length)),
4152 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4153 SCTP_CHUNK(err_chunk));
4155 /* Skip the chunk. */
4156 return SCTP_DISPOSITION_CONSUME;
4162 return SCTP_DISPOSITION_DISCARD;
4166 * Discard the chunk.
4168 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4169 * [Too numerous to mention...]
4170 * Verification Tag: No verification needed.
4172 * (endpoint, asoc, chunk)
4175 * (asoc, reply_msg, msg_up, timers, counters)
4177 * The return value is the disposition of the chunk.
4179 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep,
4180 const struct sctp_association *asoc,
4181 const sctp_subtype_t type,
4183 sctp_cmd_seq_t *commands)
4185 struct sctp_chunk *chunk = arg;
4187 /* Make sure that the chunk has a valid length.
4188 * Since we don't know the chunk type, we use a general
4189 * chunkhdr structure to make a comparison.
4191 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4192 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4195 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);
4196 return SCTP_DISPOSITION_DISCARD;
4200 * Discard the whole packet.
4204 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4205 * silently discard the OOTB packet and take no further action.
4207 * Verification Tag: No verification necessary
4210 * (endpoint, asoc, chunk)
4213 * (asoc, reply_msg, msg_up, timers, counters)
4215 * The return value is the disposition of the chunk.
4217 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep,
4218 const struct sctp_association *asoc,
4219 const sctp_subtype_t type,
4221 sctp_cmd_seq_t *commands)
4223 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS);
4224 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4226 return SCTP_DISPOSITION_CONSUME;
4231 * The other end is violating protocol.
4233 * Section: Not specified
4234 * Verification Tag: Not specified
4236 * (endpoint, asoc, chunk)
4239 * (asoc, reply_msg, msg_up, timers, counters)
4241 * We simply tag the chunk as a violation. The state machine will log
4242 * the violation and continue.
4244 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep,
4245 const struct sctp_association *asoc,
4246 const sctp_subtype_t type,
4248 sctp_cmd_seq_t *commands)
4250 struct sctp_chunk *chunk = arg;
4252 /* Make sure that the chunk has a valid length. */
4253 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4254 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4257 return SCTP_DISPOSITION_VIOLATION;
4261 * Common function to handle a protocol violation.
4263 static sctp_disposition_t sctp_sf_abort_violation(
4264 const struct sctp_endpoint *ep,
4265 const struct sctp_association *asoc,
4267 sctp_cmd_seq_t *commands,
4268 const __u8 *payload,
4269 const size_t paylen)
4271 struct sctp_packet *packet = NULL;
4272 struct sctp_chunk *chunk = arg;
4273 struct sctp_chunk *abort = NULL;
4275 /* SCTP-AUTH, Section 6.3:
4276 * It should be noted that if the receiver wants to tear
4277 * down an association in an authenticated way only, the
4278 * handling of malformed packets should not result in
4279 * tearing down the association.
4281 * This means that if we only want to abort associations
4282 * in an authenticated way (i.e AUTH+ABORT), then we
4283 * can't destroy this association just because the packet
4286 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4289 /* Make the abort chunk. */
4290 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4295 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4296 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4297 !asoc->peer.i.init_tag) {
4298 sctp_initack_chunk_t *initack;
4300 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
4301 if (!sctp_chunk_length_valid(chunk,
4302 sizeof(sctp_initack_chunk_t)))
4303 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4305 unsigned int inittag;
4307 inittag = ntohl(initack->init_hdr.init_tag);
4308 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4313 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4314 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4316 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4317 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4318 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4319 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4320 SCTP_ERROR(ECONNREFUSED));
4321 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4322 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4324 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4325 SCTP_ERROR(ECONNABORTED));
4326 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4327 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4328 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4331 packet = sctp_ootb_pkt_new(asoc, chunk);
4336 if (sctp_test_T_bit(abort))
4337 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4339 abort->skb->sk = ep->base.sk;
4341 sctp_packet_append_chunk(packet, abort);
4343 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4344 SCTP_PACKET(packet));
4346 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4349 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4352 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4353 return SCTP_DISPOSITION_ABORT;
4356 sctp_chunk_free(abort);
4358 return SCTP_DISPOSITION_NOMEM;
4362 * Handle a protocol violation when the chunk length is invalid.
4363 * "Invalid" length is identified as smaller than the minimal length a
4364 * given chunk can be. For example, a SACK chunk has invalid length
4365 * if its length is set to be smaller than the size of sctp_sack_chunk_t.
4367 * We inform the other end by sending an ABORT with a Protocol Violation
4370 * Section: Not specified
4371 * Verification Tag: Nothing to do
4373 * (endpoint, asoc, chunk)
4376 * (reply_msg, msg_up, counters)
4378 * Generate an ABORT chunk and terminate the association.
4380 static sctp_disposition_t sctp_sf_violation_chunklen(
4381 const struct sctp_endpoint *ep,
4382 const struct sctp_association *asoc,
4383 const sctp_subtype_t type,
4385 sctp_cmd_seq_t *commands)
4387 static const char err_str[]="The following chunk had invalid length:";
4389 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4394 * Handle a protocol violation when the parameter length is invalid.
4395 * If the length is smaller than the minimum length of a given parameter,
4396 * or accumulated length in multi parameters exceeds the end of the chunk,
4397 * the length is considered as invalid.
4399 static sctp_disposition_t sctp_sf_violation_paramlen(
4400 const struct sctp_endpoint *ep,
4401 const struct sctp_association *asoc,
4402 const sctp_subtype_t type,
4403 void *arg, void *ext,
4404 sctp_cmd_seq_t *commands)
4406 struct sctp_chunk *chunk = arg;
4407 struct sctp_paramhdr *param = ext;
4408 struct sctp_chunk *abort = NULL;
4410 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4413 /* Make the abort chunk. */
4414 abort = sctp_make_violation_paramlen(asoc, chunk, param);
4418 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4419 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4421 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4422 SCTP_ERROR(ECONNABORTED));
4423 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4424 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4425 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4426 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4429 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4430 return SCTP_DISPOSITION_ABORT;
4432 return SCTP_DISPOSITION_NOMEM;
4435 /* Handle a protocol violation when the peer trying to advance the
4436 * cumulative tsn ack to a point beyond the max tsn currently sent.
4438 * We inform the other end by sending an ABORT with a Protocol Violation
4441 static sctp_disposition_t sctp_sf_violation_ctsn(
4442 const struct sctp_endpoint *ep,
4443 const struct sctp_association *asoc,
4444 const sctp_subtype_t type,
4446 sctp_cmd_seq_t *commands)
4448 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:";
4450 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4454 /* Handle protocol violation of an invalid chunk bundling. For example,
4455 * when we have an association and we receive bundled INIT-ACK, or
4456 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4457 * statement from the specs. Additionally, there might be an attacker
4458 * on the path and we may not want to continue this communication.
4460 static sctp_disposition_t sctp_sf_violation_chunk(
4461 const struct sctp_endpoint *ep,
4462 const struct sctp_association *asoc,
4463 const sctp_subtype_t type,
4465 sctp_cmd_seq_t *commands)
4467 static const char err_str[]="The following chunk violates protocol:";
4470 return sctp_sf_violation(ep, asoc, type, arg, commands);
4472 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4475 /***************************************************************************
4476 * These are the state functions for handling primitive (Section 10) events.
4477 ***************************************************************************/
4479 * sctp_sf_do_prm_asoc
4481 * Section: 10.1 ULP-to-SCTP
4484 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4485 * outbound stream count)
4486 * -> association id [,destination transport addr list] [,outbound stream
4489 * This primitive allows the upper layer to initiate an association to a
4490 * specific peer endpoint.
4492 * The peer endpoint shall be specified by one of the transport addresses
4493 * which defines the endpoint (see Section 1.4). If the local SCTP
4494 * instance has not been initialized, the ASSOCIATE is considered an
4496 * [This is not relevant for the kernel implementation since we do all
4497 * initialization at boot time. It we hadn't initialized we wouldn't
4498 * get anywhere near this code.]
4500 * An association id, which is a local handle to the SCTP association,
4501 * will be returned on successful establishment of the association. If
4502 * SCTP is not able to open an SCTP association with the peer endpoint,
4503 * an error is returned.
4504 * [In the kernel implementation, the struct sctp_association needs to
4505 * be created BEFORE causing this primitive to run.]
4507 * Other association parameters may be returned, including the
4508 * complete destination transport addresses of the peer as well as the
4509 * outbound stream count of the local endpoint. One of the transport
4510 * address from the returned destination addresses will be selected by
4511 * the local endpoint as default primary path for sending SCTP packets
4512 * to this peer. The returned "destination transport addr list" can
4513 * be used by the ULP to change the default primary path or to force
4514 * sending a packet to a specific transport address. [All of this
4515 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
4518 * Mandatory attributes:
4520 * o local SCTP instance name - obtained from the INITIALIZE operation.
4521 * [This is the argument asoc.]
4522 * o destination transport addr - specified as one of the transport
4523 * addresses of the peer endpoint with which the association is to be
4525 * [This is asoc->peer.active_path.]
4526 * o outbound stream count - the number of outbound streams the ULP
4527 * would like to open towards this peer endpoint.
4528 * [BUG: This is not currently implemented.]
4529 * Optional attributes:
4533 * The return value is a disposition.
4535 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep,
4536 const struct sctp_association *asoc,
4537 const sctp_subtype_t type,
4539 sctp_cmd_seq_t *commands)
4541 struct sctp_chunk *repl;
4542 struct sctp_association* my_asoc;
4544 /* The comment below says that we enter COOKIE-WAIT AFTER
4545 * sending the INIT, but that doesn't actually work in our
4548 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4549 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4551 /* RFC 2960 5.1 Normal Establishment of an Association
4553 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
4554 * must provide its Verification Tag (Tag_A) in the Initiate
4555 * Tag field. Tag_A SHOULD be a random number in the range of
4556 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4559 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4563 /* Cast away the const modifier, as we want to just
4564 * rerun it through as a sideffect.
4566 my_asoc = (struct sctp_association *)asoc;
4567 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4569 /* Choose transport for INIT. */
4570 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4573 /* After sending the INIT, "A" starts the T1-init timer and
4574 * enters the COOKIE-WAIT state.
4576 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4577 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4578 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4579 return SCTP_DISPOSITION_CONSUME;
4582 return SCTP_DISPOSITION_NOMEM;
4586 * Process the SEND primitive.
4588 * Section: 10.1 ULP-to-SCTP
4591 * Format: SEND(association id, buffer address, byte count [,context]
4592 * [,stream id] [,life time] [,destination transport address]
4593 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4596 * This is the main method to send user data via SCTP.
4598 * Mandatory attributes:
4600 * o association id - local handle to the SCTP association
4602 * o buffer address - the location where the user message to be
4603 * transmitted is stored;
4605 * o byte count - The size of the user data in number of bytes;
4607 * Optional attributes:
4609 * o context - an optional 32 bit integer that will be carried in the
4610 * sending failure notification to the ULP if the transportation of
4611 * this User Message fails.
4613 * o stream id - to indicate which stream to send the data on. If not
4614 * specified, stream 0 will be used.
4616 * o life time - specifies the life time of the user data. The user data
4617 * will not be sent by SCTP after the life time expires. This
4618 * parameter can be used to avoid efforts to transmit stale
4619 * user messages. SCTP notifies the ULP if the data cannot be
4620 * initiated to transport (i.e. sent to the destination via SCTP's
4621 * send primitive) within the life time variable. However, the
4622 * user data will be transmitted if SCTP has attempted to transmit a
4623 * chunk before the life time expired.
4625 * o destination transport address - specified as one of the destination
4626 * transport addresses of the peer endpoint to which this packet
4627 * should be sent. Whenever possible, SCTP should use this destination
4628 * transport address for sending the packets, instead of the current
4631 * o unorder flag - this flag, if present, indicates that the user
4632 * would like the data delivered in an unordered fashion to the peer
4633 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
4636 * o no-bundle flag - instructs SCTP not to bundle this user data with
4637 * other outbound DATA chunks. SCTP MAY still bundle even when
4638 * this flag is present, when faced with network congestion.
4640 * o payload protocol-id - A 32 bit unsigned integer that is to be
4641 * passed to the peer indicating the type of payload protocol data
4642 * being transmitted. This value is passed as opaque data by SCTP.
4644 * The return value is the disposition.
4646 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep,
4647 const struct sctp_association *asoc,
4648 const sctp_subtype_t type,
4650 sctp_cmd_seq_t *commands)
4652 struct sctp_datamsg *msg = arg;
4654 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
4655 return SCTP_DISPOSITION_CONSUME;
4659 * Process the SHUTDOWN primitive.
4664 * Format: SHUTDOWN(association id)
4667 * Gracefully closes an association. Any locally queued user data
4668 * will be delivered to the peer. The association will be terminated only
4669 * after the peer acknowledges all the SCTP packets sent. A success code
4670 * will be returned on successful termination of the association. If
4671 * attempting to terminate the association results in a failure, an error
4672 * code shall be returned.
4674 * Mandatory attributes:
4676 * o association id - local handle to the SCTP association
4678 * Optional attributes:
4682 * The return value is the disposition.
4684 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(
4685 const struct sctp_endpoint *ep,
4686 const struct sctp_association *asoc,
4687 const sctp_subtype_t type,
4689 sctp_cmd_seq_t *commands)
4693 /* From 9.2 Shutdown of an Association
4694 * Upon receipt of the SHUTDOWN primitive from its upper
4695 * layer, the endpoint enters SHUTDOWN-PENDING state and
4696 * remains there until all outstanding data has been
4697 * acknowledged by its peer. The endpoint accepts no new data
4698 * from its upper layer, but retransmits data to the far end
4699 * if necessary to fill gaps.
4701 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4702 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
4704 disposition = SCTP_DISPOSITION_CONSUME;
4705 if (sctp_outq_is_empty(&asoc->outqueue)) {
4706 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,
4713 * Process the ABORT primitive.
4718 * Format: Abort(association id [, cause code])
4721 * Ungracefully closes an association. Any locally queued user data
4722 * will be discarded and an ABORT chunk is sent to the peer. A success code
4723 * will be returned on successful abortion of the association. If
4724 * attempting to abort the association results in a failure, an error
4725 * code shall be returned.
4727 * Mandatory attributes:
4729 * o association id - local handle to the SCTP association
4731 * Optional attributes:
4733 * o cause code - reason of the abort to be passed to the peer
4737 * The return value is the disposition.
4739 sctp_disposition_t sctp_sf_do_9_1_prm_abort(
4740 const struct sctp_endpoint *ep,
4741 const struct sctp_association *asoc,
4742 const sctp_subtype_t type,
4744 sctp_cmd_seq_t *commands)
4746 /* From 9.1 Abort of an Association
4747 * Upon receipt of the ABORT primitive from its upper
4748 * layer, the endpoint enters CLOSED state and
4749 * discard all outstanding data has been
4750 * acknowledged by its peer. The endpoint accepts no new data
4751 * from its upper layer, but retransmits data to the far end
4752 * if necessary to fill gaps.
4754 struct sctp_chunk *abort = arg;
4755 sctp_disposition_t retval;
4757 retval = SCTP_DISPOSITION_CONSUME;
4759 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4761 /* Even if we can't send the ABORT due to low memory delete the
4762 * TCB. This is a departure from our typical NOMEM handling.
4765 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4766 SCTP_ERROR(ECONNABORTED));
4767 /* Delete the established association. */
4768 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4769 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4771 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4772 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4777 /* We tried an illegal operation on an association which is closed. */
4778 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep,
4779 const struct sctp_association *asoc,
4780 const sctp_subtype_t type,
4782 sctp_cmd_seq_t *commands)
4784 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
4785 return SCTP_DISPOSITION_CONSUME;
4788 /* We tried an illegal operation on an association which is shutting
4791 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep,
4792 const struct sctp_association *asoc,
4793 const sctp_subtype_t type,
4795 sctp_cmd_seq_t *commands)
4797 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
4798 SCTP_ERROR(-ESHUTDOWN));
4799 return SCTP_DISPOSITION_CONSUME;
4803 * sctp_cookie_wait_prm_shutdown
4805 * Section: 4 Note: 2
4810 * The RFC does not explicitly address this issue, but is the route through the
4811 * state table when someone issues a shutdown while in COOKIE_WAIT state.
4816 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(
4817 const struct sctp_endpoint *ep,
4818 const struct sctp_association *asoc,
4819 const sctp_subtype_t type,
4821 sctp_cmd_seq_t *commands)
4823 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4824 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4826 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4827 SCTP_STATE(SCTP_STATE_CLOSED));
4829 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
4831 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
4833 return SCTP_DISPOSITION_DELETE_TCB;
4837 * sctp_cookie_echoed_prm_shutdown
4839 * Section: 4 Note: 2
4844 * The RFC does not explcitly address this issue, but is the route through the
4845 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
4850 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(
4851 const struct sctp_endpoint *ep,
4852 const struct sctp_association *asoc,
4853 const sctp_subtype_t type,
4854 void *arg, sctp_cmd_seq_t *commands)
4856 /* There is a single T1 timer, so we should be able to use
4857 * common function with the COOKIE-WAIT state.
4859 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands);
4863 * sctp_sf_cookie_wait_prm_abort
4865 * Section: 4 Note: 2
4870 * The RFC does not explicitly address this issue, but is the route through the
4871 * state table when someone issues an abort while in COOKIE_WAIT state.
4876 sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
4877 const struct sctp_endpoint *ep,
4878 const struct sctp_association *asoc,
4879 const sctp_subtype_t type,
4881 sctp_cmd_seq_t *commands)
4883 struct sctp_chunk *abort = arg;
4884 sctp_disposition_t retval;
4886 /* Stop T1-init timer */
4887 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4888 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4889 retval = SCTP_DISPOSITION_CONSUME;
4891 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4893 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4894 SCTP_STATE(SCTP_STATE_CLOSED));
4896 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4898 /* Even if we can't send the ABORT due to low memory delete the
4899 * TCB. This is a departure from our typical NOMEM handling.
4902 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4903 SCTP_ERROR(ECONNREFUSED));
4904 /* Delete the established association. */
4905 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4906 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4912 * sctp_sf_cookie_echoed_prm_abort
4914 * Section: 4 Note: 3
4919 * The RFC does not explcitly address this issue, but is the route through the
4920 * state table when someone issues an abort while in COOKIE_ECHOED state.
4925 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(
4926 const struct sctp_endpoint *ep,
4927 const struct sctp_association *asoc,
4928 const sctp_subtype_t type,
4930 sctp_cmd_seq_t *commands)
4932 /* There is a single T1 timer, so we should be able to use
4933 * common function with the COOKIE-WAIT state.
4935 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands);
4939 * sctp_sf_shutdown_pending_prm_abort
4944 * The RFC does not explicitly address this issue, but is the route through the
4945 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
4950 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(
4951 const struct sctp_endpoint *ep,
4952 const struct sctp_association *asoc,
4953 const sctp_subtype_t type,
4955 sctp_cmd_seq_t *commands)
4957 /* Stop the T5-shutdown guard timer. */
4958 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4959 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
4961 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);
4965 * sctp_sf_shutdown_sent_prm_abort
4970 * The RFC does not explicitly address this issue, but is the route through the
4971 * state table when someone issues an abort while in SHUTDOWN-SENT state.
4976 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(
4977 const struct sctp_endpoint *ep,
4978 const struct sctp_association *asoc,
4979 const sctp_subtype_t type,
4981 sctp_cmd_seq_t *commands)
4983 /* Stop the T2-shutdown timer. */
4984 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4985 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4987 /* Stop the T5-shutdown guard timer. */
4988 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4989 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
4991 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);
4995 * sctp_sf_cookie_echoed_prm_abort
5000 * The RFC does not explcitly address this issue, but is the route through the
5001 * state table when someone issues an abort while in COOKIE_ECHOED state.
5006 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(
5007 const struct sctp_endpoint *ep,
5008 const struct sctp_association *asoc,
5009 const sctp_subtype_t type,
5011 sctp_cmd_seq_t *commands)
5013 /* The same T2 timer, so we should be able to use
5014 * common function with the SHUTDOWN-SENT state.
5016 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands);
5020 * Process the REQUESTHEARTBEAT primitive
5023 * J) Request Heartbeat
5025 * Format: REQUESTHEARTBEAT(association id, destination transport address)
5029 * Instructs the local endpoint to perform a HeartBeat on the specified
5030 * destination transport address of the given association. The returned
5031 * result should indicate whether the transmission of the HEARTBEAT
5032 * chunk to the destination address is successful.
5034 * Mandatory attributes:
5036 * o association id - local handle to the SCTP association
5038 * o destination transport address - the transport address of the
5039 * association on which a heartbeat should be issued.
5041 sctp_disposition_t sctp_sf_do_prm_requestheartbeat(
5042 const struct sctp_endpoint *ep,
5043 const struct sctp_association *asoc,
5044 const sctp_subtype_t type,
5046 sctp_cmd_seq_t *commands)
5048 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5049 (struct sctp_transport *)arg, commands))
5050 return SCTP_DISPOSITION_NOMEM;
5053 * RFC 2960 (bis), section 8.3
5055 * D) Request an on-demand HEARTBEAT on a specific destination
5056 * transport address of a given association.
5058 * The endpoint should increment the respective error counter of
5059 * the destination transport address each time a HEARTBEAT is sent
5060 * to that address and not acknowledged within one RTO.
5063 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5064 SCTP_TRANSPORT(arg));
5065 return SCTP_DISPOSITION_CONSUME;
5069 * ADDIP Section 4.1 ASCONF Chunk Procedures
5070 * When an endpoint has an ASCONF signaled change to be sent to the
5071 * remote endpoint it should do A1 to A9
5073 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep,
5074 const struct sctp_association *asoc,
5075 const sctp_subtype_t type,
5077 sctp_cmd_seq_t *commands)
5079 struct sctp_chunk *chunk = arg;
5081 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5082 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5083 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5084 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5085 return SCTP_DISPOSITION_CONSUME;
5089 * Ignore the primitive event
5091 * The return value is the disposition of the primitive.
5093 sctp_disposition_t sctp_sf_ignore_primitive(
5094 const struct sctp_endpoint *ep,
5095 const struct sctp_association *asoc,
5096 const sctp_subtype_t type,
5098 sctp_cmd_seq_t *commands)
5100 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive);
5101 return SCTP_DISPOSITION_DISCARD;
5104 /***************************************************************************
5105 * These are the state functions for the OTHER events.
5106 ***************************************************************************/
5109 * When the SCTP stack has no more user data to send or retransmit, this
5110 * notification is given to the user. Also, at the time when a user app
5111 * subscribes to this event, if there is no data to be sent or
5112 * retransmit, the stack will immediately send up this notification.
5114 sctp_disposition_t sctp_sf_do_no_pending_tsn(
5115 const struct sctp_endpoint *ep,
5116 const struct sctp_association *asoc,
5117 const sctp_subtype_t type,
5119 sctp_cmd_seq_t *commands)
5121 struct sctp_ulpevent *event;
5123 event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5125 return SCTP_DISPOSITION_NOMEM;
5127 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5129 return SCTP_DISPOSITION_CONSUME;
5133 * Start the shutdown negotiation.
5136 * Once all its outstanding data has been acknowledged, the endpoint
5137 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5138 * TSN Ack field the last sequential TSN it has received from the peer.
5139 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5140 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5141 * with the updated last sequential TSN received from its peer.
5143 * The return value is the disposition.
5145 sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
5146 const struct sctp_endpoint *ep,
5147 const struct sctp_association *asoc,
5148 const sctp_subtype_t type,
5150 sctp_cmd_seq_t *commands)
5152 struct sctp_chunk *reply;
5154 /* Once all its outstanding data has been acknowledged, the
5155 * endpoint shall send a SHUTDOWN chunk to its peer including
5156 * in the Cumulative TSN Ack field the last sequential TSN it
5157 * has received from the peer.
5159 reply = sctp_make_shutdown(asoc, NULL);
5163 /* Set the transport for the SHUTDOWN chunk and the timeout for the
5164 * T2-shutdown timer.
5166 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5168 /* It shall then start the T2-shutdown timer */
5169 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5170 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5172 /* RFC 4960 Section 9.2
5173 * The sender of the SHUTDOWN MAY also start an overall guard timer
5174 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5176 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5177 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5179 if (asoc->autoclose)
5180 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5181 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5183 /* and enter the SHUTDOWN-SENT state. */
5184 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5185 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5187 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5189 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5192 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5194 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5196 return SCTP_DISPOSITION_CONSUME;
5199 return SCTP_DISPOSITION_NOMEM;
5203 * Generate a SHUTDOWN ACK now that everything is SACK'd.
5207 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5208 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5209 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5210 * endpoint must re-send the SHUTDOWN ACK.
5212 * The return value is the disposition.
5214 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(
5215 const struct sctp_endpoint *ep,
5216 const struct sctp_association *asoc,
5217 const sctp_subtype_t type,
5219 sctp_cmd_seq_t *commands)
5221 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
5222 struct sctp_chunk *reply;
5224 /* There are 2 ways of getting here:
5225 * 1) called in response to a SHUTDOWN chunk
5226 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5228 * For the case (2), the arg parameter is set to NULL. We need
5229 * to check that we have a chunk before accessing it's fields.
5232 if (!sctp_vtag_verify(chunk, asoc))
5233 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
5235 /* Make sure that the SHUTDOWN chunk has a valid length. */
5236 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t)))
5237 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
5241 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5242 * shall send a SHUTDOWN ACK ...
5244 reply = sctp_make_shutdown_ack(asoc, chunk);
5248 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5249 * the T2-shutdown timer.
5251 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5253 /* and start/restart a T2-shutdown timer of its own, */
5254 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5255 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5257 if (asoc->autoclose)
5258 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5259 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5261 /* Enter the SHUTDOWN-ACK-SENT state. */
5262 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5263 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5265 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5267 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5270 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5272 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5274 return SCTP_DISPOSITION_CONSUME;
5277 return SCTP_DISPOSITION_NOMEM;
5281 * Ignore the event defined as other
5283 * The return value is the disposition of the event.
5285 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep,
5286 const struct sctp_association *asoc,
5287 const sctp_subtype_t type,
5289 sctp_cmd_seq_t *commands)
5291 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other);
5292 return SCTP_DISPOSITION_DISCARD;
5295 /************************************************************
5296 * These are the state functions for handling timeout events.
5297 ************************************************************/
5302 * Section: 6.3.3 Handle T3-rtx Expiration
5304 * Whenever the retransmission timer T3-rtx expires for a destination
5305 * address, do the following:
5308 * The return value is the disposition of the chunk.
5310 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,
5311 const struct sctp_association *asoc,
5312 const sctp_subtype_t type,
5314 sctp_cmd_seq_t *commands)
5316 struct sctp_transport *transport = arg;
5318 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS);
5320 if (asoc->overall_error_count >= asoc->max_retrans) {
5321 if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
5323 * We are here likely because the receiver had its rwnd
5324 * closed for a while and we have not been able to
5325 * transmit the locally queued data within the maximum
5326 * retransmission attempts limit. Start the T5
5327 * shutdown guard timer to give the receiver one last
5328 * chance and some additional time to recover before
5331 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
5332 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5334 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5335 SCTP_ERROR(ETIMEDOUT));
5336 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5337 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5338 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5339 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5340 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5341 return SCTP_DISPOSITION_DELETE_TCB;
5345 /* E1) For the destination address for which the timer
5346 * expires, adjust its ssthresh with rules defined in Section
5347 * 7.2.3 and set the cwnd <- MTU.
5350 /* E2) For the destination address for which the timer
5351 * expires, set RTO <- RTO * 2 ("back off the timer"). The
5352 * maximum value discussed in rule C7 above (RTO.max) may be
5353 * used to provide an upper bound to this doubling operation.
5356 /* E3) Determine how many of the earliest (i.e., lowest TSN)
5357 * outstanding DATA chunks for the address for which the
5358 * T3-rtx has expired will fit into a single packet, subject
5359 * to the MTU constraint for the path corresponding to the
5360 * destination transport address to which the retransmission
5361 * is being sent (this may be different from the address for
5362 * which the timer expires [see Section 6.4]). Call this
5363 * value K. Bundle and retransmit those K DATA chunks in a
5364 * single packet to the destination endpoint.
5366 * Note: Any DATA chunks that were sent to the address for
5367 * which the T3-rtx timer expired but did not fit in one MTU
5368 * (rule E3 above), should be marked for retransmission and
5369 * sent as soon as cwnd allows (normally when a SACK arrives).
5372 /* Do some failure management (Section 8.2). */
5373 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5375 /* NB: Rules E4 and F1 are implicit in R1. */
5376 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5378 return SCTP_DISPOSITION_CONSUME;
5382 * Generate delayed SACK on timeout
5384 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
5386 * The guidelines on delayed acknowledgement algorithm specified in
5387 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
5388 * acknowledgement SHOULD be generated for at least every second packet
5389 * (not every second DATA chunk) received, and SHOULD be generated
5390 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
5391 * some situations it may be beneficial for an SCTP transmitter to be
5392 * more conservative than the algorithms detailed in this document
5393 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5394 * the following algorithms allow.
5396 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep,
5397 const struct sctp_association *asoc,
5398 const sctp_subtype_t type,
5400 sctp_cmd_seq_t *commands)
5402 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS);
5403 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5404 return SCTP_DISPOSITION_CONSUME;
5408 * sctp_sf_t1_init_timer_expire
5410 * Section: 4 Note: 2
5415 * RFC 2960 Section 4 Notes
5416 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5417 * and re-start the T1-init timer without changing state. This MUST
5418 * be repeated up to 'Max.Init.Retransmits' times. After that, the
5419 * endpoint MUST abort the initialization process and report the
5420 * error to SCTP user.
5426 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep,
5427 const struct sctp_association *asoc,
5428 const sctp_subtype_t type,
5430 sctp_cmd_seq_t *commands)
5432 struct sctp_chunk *repl = NULL;
5433 struct sctp_bind_addr *bp;
5434 int attempts = asoc->init_err_counter + 1;
5436 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n");
5437 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS);
5439 if (attempts <= asoc->max_init_attempts) {
5440 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5441 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5443 return SCTP_DISPOSITION_NOMEM;
5445 /* Choose transport for INIT. */
5446 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5449 /* Issue a sideeffect to do the needed accounting. */
5450 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5451 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5453 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5455 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d"
5456 " max_init_attempts: %d\n",
5457 attempts, asoc->max_init_attempts);
5458 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5459 SCTP_ERROR(ETIMEDOUT));
5460 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5461 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5462 return SCTP_DISPOSITION_DELETE_TCB;
5465 return SCTP_DISPOSITION_CONSUME;
5469 * sctp_sf_t1_cookie_timer_expire
5471 * Section: 4 Note: 2
5476 * RFC 2960 Section 4 Notes
5477 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
5478 * COOKIE ECHO and re-start the T1-cookie timer without changing
5479 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
5480 * After that, the endpoint MUST abort the initialization process and
5481 * report the error to SCTP user.
5487 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep,
5488 const struct sctp_association *asoc,
5489 const sctp_subtype_t type,
5491 sctp_cmd_seq_t *commands)
5493 struct sctp_chunk *repl = NULL;
5494 int attempts = asoc->init_err_counter + 1;
5496 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n");
5497 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS);
5499 if (attempts <= asoc->max_init_attempts) {
5500 repl = sctp_make_cookie_echo(asoc, NULL);
5502 return SCTP_DISPOSITION_NOMEM;
5504 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5506 /* Issue a sideeffect to do the needed accounting. */
5507 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5508 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5510 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5512 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5513 SCTP_ERROR(ETIMEDOUT));
5514 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5515 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5516 return SCTP_DISPOSITION_DELETE_TCB;
5519 return SCTP_DISPOSITION_CONSUME;
5522 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5523 * with the updated last sequential TSN received from its peer.
5525 * An endpoint should limit the number of retransmissions of the
5526 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5527 * If this threshold is exceeded the endpoint should destroy the TCB and
5528 * MUST report the peer endpoint unreachable to the upper layer (and
5529 * thus the association enters the CLOSED state). The reception of any
5530 * packet from its peer (i.e. as the peer sends all of its queued DATA
5531 * chunks) should clear the endpoint's retransmission count and restart
5532 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
5533 * all of its queued DATA chunks that have not yet been sent.
5535 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep,
5536 const struct sctp_association *asoc,
5537 const sctp_subtype_t type,
5539 sctp_cmd_seq_t *commands)
5541 struct sctp_chunk *reply = NULL;
5543 SCTP_DEBUG_PRINTK("Timer T2 expired.\n");
5544 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5546 ((struct sctp_association *)asoc)->shutdown_retries++;
5548 if (asoc->overall_error_count >= asoc->max_retrans) {
5549 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5550 SCTP_ERROR(ETIMEDOUT));
5551 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5552 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5553 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5554 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5555 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5556 return SCTP_DISPOSITION_DELETE_TCB;
5559 switch (asoc->state) {
5560 case SCTP_STATE_SHUTDOWN_SENT:
5561 reply = sctp_make_shutdown(asoc, NULL);
5564 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5565 reply = sctp_make_shutdown_ack(asoc, NULL);
5576 /* Do some failure management (Section 8.2).
5577 * If we remove the transport an SHUTDOWN was last sent to, don't
5578 * do failure management.
5580 if (asoc->shutdown_last_sent_to)
5581 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5582 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5584 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5585 * the T2-shutdown timer.
5587 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5589 /* Restart the T2-shutdown timer. */
5590 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5591 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5592 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5593 return SCTP_DISPOSITION_CONSUME;
5596 return SCTP_DISPOSITION_NOMEM;
5600 * ADDIP Section 4.1 ASCONF CHunk Procedures
5601 * If the T4 RTO timer expires the endpoint should do B1 to B5
5603 sctp_disposition_t sctp_sf_t4_timer_expire(
5604 const struct sctp_endpoint *ep,
5605 const struct sctp_association *asoc,
5606 const sctp_subtype_t type,
5608 sctp_cmd_seq_t *commands)
5610 struct sctp_chunk *chunk = asoc->addip_last_asconf;
5611 struct sctp_transport *transport = chunk->transport;
5613 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS);
5615 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
5616 * detection on the appropriate destination address as defined in
5617 * RFC2960 [5] section 8.1 and 8.2.
5620 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5621 SCTP_TRANSPORT(transport));
5623 /* Reconfig T4 timer and transport. */
5624 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5626 /* ADDIP 4.1 B2) Increment the association error counters and perform
5627 * endpoint failure detection on the association as defined in
5628 * RFC2960 [5] section 8.1 and 8.2.
5629 * association error counter is incremented in SCTP_CMD_STRIKE.
5631 if (asoc->overall_error_count >= asoc->max_retrans) {
5632 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5633 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5634 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5635 SCTP_ERROR(ETIMEDOUT));
5636 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5637 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5638 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5639 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5640 return SCTP_DISPOSITION_ABORT;
5643 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
5644 * the ASCONF chunk was sent by doubling the RTO timer value.
5645 * This is done in SCTP_CMD_STRIKE.
5648 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
5649 * choose an alternate destination address (please refer to RFC2960
5650 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
5651 * chunk, it MUST be the same (including its serial number) as the last
5654 sctp_chunk_hold(asoc->addip_last_asconf);
5655 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5656 SCTP_CHUNK(asoc->addip_last_asconf));
5658 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
5659 * destination is selected, then the RTO used will be that of the new
5660 * destination address.
5662 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5663 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5665 return SCTP_DISPOSITION_CONSUME;
5668 /* sctpimpguide-05 Section 2.12.2
5669 * The sender of the SHUTDOWN MAY also start an overall guard timer
5670 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5671 * At the expiration of this timer the sender SHOULD abort the association
5672 * by sending an ABORT chunk.
5674 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep,
5675 const struct sctp_association *asoc,
5676 const sctp_subtype_t type,
5678 sctp_cmd_seq_t *commands)
5680 struct sctp_chunk *reply = NULL;
5682 SCTP_DEBUG_PRINTK("Timer T5 expired.\n");
5683 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
5685 reply = sctp_make_abort(asoc, NULL, 0);
5689 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5690 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5691 SCTP_ERROR(ETIMEDOUT));
5692 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5693 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5695 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5696 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5698 return SCTP_DISPOSITION_DELETE_TCB;
5700 return SCTP_DISPOSITION_NOMEM;
5703 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
5704 * the association is automatically closed by starting the shutdown process.
5705 * The work that needs to be done is same as when SHUTDOWN is initiated by
5706 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
5708 sctp_disposition_t sctp_sf_autoclose_timer_expire(
5709 const struct sctp_endpoint *ep,
5710 const struct sctp_association *asoc,
5711 const sctp_subtype_t type,
5713 sctp_cmd_seq_t *commands)
5717 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS);
5719 /* From 9.2 Shutdown of an Association
5720 * Upon receipt of the SHUTDOWN primitive from its upper
5721 * layer, the endpoint enters SHUTDOWN-PENDING state and
5722 * remains there until all outstanding data has been
5723 * acknowledged by its peer. The endpoint accepts no new data
5724 * from its upper layer, but retransmits data to the far end
5725 * if necessary to fill gaps.
5727 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5728 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5730 disposition = SCTP_DISPOSITION_CONSUME;
5731 if (sctp_outq_is_empty(&asoc->outqueue)) {
5732 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,
5738 /*****************************************************************************
5739 * These are sa state functions which could apply to all types of events.
5740 ****************************************************************************/
5743 * This table entry is not implemented.
5746 * (endpoint, asoc, chunk)
5748 * The return value is the disposition of the chunk.
5750 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep,
5751 const struct sctp_association *asoc,
5752 const sctp_subtype_t type,
5754 sctp_cmd_seq_t *commands)
5756 return SCTP_DISPOSITION_NOT_IMPL;
5760 * This table entry represents a bug.
5763 * (endpoint, asoc, chunk)
5765 * The return value is the disposition of the chunk.
5767 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep,
5768 const struct sctp_association *asoc,
5769 const sctp_subtype_t type,
5771 sctp_cmd_seq_t *commands)
5773 return SCTP_DISPOSITION_BUG;
5777 * This table entry represents the firing of a timer in the wrong state.
5778 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
5779 * when the association is in the wrong state. This event should
5780 * be ignored, so as to prevent any rearming of the timer.
5783 * (endpoint, asoc, chunk)
5785 * The return value is the disposition of the chunk.
5787 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep,
5788 const struct sctp_association *asoc,
5789 const sctp_subtype_t type,
5791 sctp_cmd_seq_t *commands)
5793 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk);
5794 return SCTP_DISPOSITION_CONSUME;
5797 /********************************************************************
5798 * 2nd Level Abstractions
5799 ********************************************************************/
5801 /* Pull the SACK chunk based on the SACK header. */
5802 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
5804 struct sctp_sackhdr *sack;
5809 /* Protect ourselves from reading too far into
5810 * the skb from a bogus sender.
5812 sack = (struct sctp_sackhdr *) chunk->skb->data;
5814 num_blocks = ntohs(sack->num_gap_ack_blocks);
5815 num_dup_tsns = ntohs(sack->num_dup_tsns);
5816 len = sizeof(struct sctp_sackhdr);
5817 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
5818 if (len > chunk->skb->len)
5821 skb_pull(chunk->skb, len);
5826 /* Create an ABORT packet to be sent as a response, with the specified
5829 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
5830 const struct sctp_association *asoc,
5831 struct sctp_chunk *chunk,
5832 const void *payload,
5835 struct sctp_packet *packet;
5836 struct sctp_chunk *abort;
5838 packet = sctp_ootb_pkt_new(asoc, chunk);
5842 * The T bit will be set if the asoc is NULL.
5844 abort = sctp_make_abort(asoc, chunk, paylen);
5846 sctp_ootb_pkt_free(packet);
5850 /* Reflect vtag if T-Bit is set */
5851 if (sctp_test_T_bit(abort))
5852 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
5854 /* Add specified error causes, i.e., payload, to the
5857 sctp_addto_chunk(abort, paylen, payload);
5859 /* Set the skb to the belonging sock for accounting. */
5860 abort->skb->sk = ep->base.sk;
5862 sctp_packet_append_chunk(packet, abort);
5869 /* Allocate a packet for responding in the OOTB conditions. */
5870 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
5871 const struct sctp_chunk *chunk)
5873 struct sctp_packet *packet;
5874 struct sctp_transport *transport;
5879 /* Get the source and destination port from the inbound packet. */
5880 sport = ntohs(chunk->sctp_hdr->dest);
5881 dport = ntohs(chunk->sctp_hdr->source);
5883 /* The V-tag is going to be the same as the inbound packet if no
5884 * association exists, otherwise, use the peer's vtag.
5887 /* Special case the INIT-ACK as there is no peer's vtag
5890 switch(chunk->chunk_hdr->type) {
5891 case SCTP_CID_INIT_ACK:
5893 sctp_initack_chunk_t *initack;
5895 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
5896 vtag = ntohl(initack->init_hdr.init_tag);
5900 vtag = asoc->peer.i.init_tag;
5904 /* Special case the INIT and stale COOKIE_ECHO as there is no
5907 switch(chunk->chunk_hdr->type) {
5910 sctp_init_chunk_t *init;
5912 init = (sctp_init_chunk_t *)chunk->chunk_hdr;
5913 vtag = ntohl(init->init_hdr.init_tag);
5917 vtag = ntohl(chunk->sctp_hdr->vtag);
5922 /* Make a transport for the bucket, Eliza... */
5923 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC);
5927 /* Cache a route for the transport with the chunk's destination as
5928 * the source address.
5930 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
5931 sctp_sk(sctp_get_ctl_sock()));
5933 packet = sctp_packet_init(&transport->packet, transport, sport, dport);
5934 packet = sctp_packet_config(packet, vtag, 0);
5942 /* Free the packet allocated earlier for responding in the OOTB condition. */
5943 void sctp_ootb_pkt_free(struct sctp_packet *packet)
5945 sctp_transport_free(packet->transport);
5948 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
5949 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
5950 const struct sctp_association *asoc,
5951 const struct sctp_chunk *chunk,
5952 sctp_cmd_seq_t *commands,
5953 struct sctp_chunk *err_chunk)
5955 struct sctp_packet *packet;
5958 packet = sctp_ootb_pkt_new(asoc, chunk);
5960 struct sctp_signed_cookie *cookie;
5962 /* Override the OOTB vtag from the cookie. */
5963 cookie = chunk->subh.cookie_hdr;
5964 packet->vtag = cookie->c.peer_vtag;
5966 /* Set the skb to the belonging sock for accounting. */
5967 err_chunk->skb->sk = ep->base.sk;
5968 sctp_packet_append_chunk(packet, err_chunk);
5969 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
5970 SCTP_PACKET(packet));
5971 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
5973 sctp_chunk_free (err_chunk);
5978 /* Process a data chunk */
5979 static int sctp_eat_data(const struct sctp_association *asoc,
5980 struct sctp_chunk *chunk,
5981 sctp_cmd_seq_t *commands)
5983 sctp_datahdr_t *data_hdr;
5984 struct sctp_chunk *err;
5986 sctp_verb_t deliver;
5989 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
5990 struct sock *sk = asoc->base.sk;
5995 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data;
5996 skb_pull(chunk->skb, sizeof(sctp_datahdr_t));
5998 tsn = ntohl(data_hdr->tsn);
5999 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn);
6001 /* ASSERT: Now skb->data is really the user data. */
6003 /* Process ECN based congestion.
6005 * Since the chunk structure is reused for all chunks within
6006 * a packet, we use ecn_ce_done to track if we've already
6007 * done CE processing for this packet.
6009 * We need to do ECN processing even if we plan to discard the
6013 if (!chunk->ecn_ce_done) {
6015 chunk->ecn_ce_done = 1;
6017 af = sctp_get_af_specific(
6018 ipver2af(ip_hdr(chunk->skb)->version));
6020 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) {
6021 /* Do real work as sideffect. */
6022 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
6027 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
6029 /* The TSN is too high--silently discard the chunk and
6030 * count on it getting retransmitted later.
6032 return SCTP_IERROR_HIGH_TSN;
6033 } else if (tmp > 0) {
6034 /* This is a duplicate. Record it. */
6035 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
6036 return SCTP_IERROR_DUP_TSN;
6039 /* This is a new TSN. */
6041 /* Discard if there is no room in the receive window.
6042 * Actually, allow a little bit of overflow (up to a MTU).
6044 datalen = ntohs(chunk->chunk_hdr->length);
6045 datalen -= sizeof(sctp_data_chunk_t);
6047 deliver = SCTP_CMD_CHUNK_ULP;
6049 /* Think about partial delivery. */
6050 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
6052 /* Even if we don't accept this chunk there is
6055 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
6058 /* Spill over rwnd a little bit. Note: While allowed, this spill over
6059 * seems a bit troublesome in that frag_point varies based on
6060 * PMTU. In cases, such as loopback, this might be a rather
6063 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
6064 (datalen > asoc->rwnd + asoc->frag_point))) {
6066 /* If this is the next TSN, consider reneging to make
6067 * room. Note: Playing nice with a confused sender. A
6068 * malicious sender can still eat up all our buffer
6069 * space and in the future we may want to detect and
6070 * do more drastic reneging.
6072 if (sctp_tsnmap_has_gap(map) &&
6073 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6074 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn);
6075 deliver = SCTP_CMD_RENEGE;
6077 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, "
6078 "rwnd: %d\n", tsn, datalen,
6080 return SCTP_IERROR_IGNORE_TSN;
6085 * Also try to renege to limit our memory usage in the event that
6086 * we are under memory pressure
6087 * If we can't renege, don't worry about it, the sk_rmem_schedule
6088 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6089 * memory usage too much
6091 if (*sk->sk_prot_creator->memory_pressure) {
6092 if (sctp_tsnmap_has_gap(map) &&
6093 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6094 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn);
6095 deliver = SCTP_CMD_RENEGE;
6100 * Section 3.3.10.9 No User Data (9)
6104 * No User Data: This error cause is returned to the originator of a
6105 * DATA chunk if a received DATA chunk has no user data.
6107 if (unlikely(0 == datalen)) {
6108 err = sctp_make_abort_no_data(asoc, chunk, tsn);
6110 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6113 /* We are going to ABORT, so we might as well stop
6114 * processing the rest of the chunks in the packet.
6116 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
6117 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6118 SCTP_ERROR(ECONNABORTED));
6119 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6120 SCTP_PERR(SCTP_ERROR_NO_DATA));
6121 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
6122 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
6123 return SCTP_IERROR_NO_DATA;
6126 chunk->data_accepted = 1;
6128 /* Note: Some chunks may get overcounted (if we drop) or overcounted
6129 * if we renege and the chunk arrives again.
6131 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED)
6132 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS);
6134 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS);
6138 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6140 * If an endpoint receive a DATA chunk with an invalid stream
6141 * identifier, it shall acknowledge the reception of the DATA chunk
6142 * following the normal procedure, immediately send an ERROR chunk
6143 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6144 * and discard the DATA chunk.
6146 sid = ntohs(data_hdr->stream);
6147 if (sid >= asoc->c.sinit_max_instreams) {
6148 /* Mark tsn as received even though we drop it */
6149 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6151 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6153 sizeof(data_hdr->stream),
6156 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6158 return SCTP_IERROR_BAD_STREAM;
6161 /* Check to see if the SSN is possible for this TSN.
6162 * The biggest gap we can record is 4K wide. Since SSNs wrap
6163 * at an unsigned short, there is no way that an SSN can
6164 * wrap and for a valid TSN. We can simply check if the current
6165 * SSN is smaller then the next expected one. If it is, it wrapped
6168 ssn = ntohs(data_hdr->ssn);
6169 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) {
6170 return SCTP_IERROR_PROTO_VIOLATION;
6173 /* Send the data up to the user. Note: Schedule the
6174 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6175 * chunk needs the updated rwnd.
6177 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6179 return SCTP_IERROR_NO_ERROR;