linux/net/sctp/sm_statefuns.c
<<
>>
Prefs
   1/* SCTP kernel implementation
   2 * (C) Copyright IBM Corp. 2001, 2004
   3 * Copyright (c) 1999-2000 Cisco, Inc.
   4 * Copyright (c) 1999-2001 Motorola, Inc.
   5 * Copyright (c) 2001-2002 Intel Corp.
   6 * Copyright (c) 2002      Nokia Corp.
   7 *
   8 * This is part of the SCTP Linux Kernel Implementation.
   9 *
  10 * These are the state functions for the state machine.
  11 *
  12 * This SCTP implementation is free software;
  13 * you can redistribute it and/or modify it under the terms of
  14 * the GNU General Public License as published by
  15 * the Free Software Foundation; either version 2, or (at your option)
  16 * any later version.
  17 *
  18 * This SCTP implementation is distributed in the hope that it
  19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
  20 *                 ************************
  21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  22 * See the GNU General Public License for more details.
  23 *
  24 * You should have received a copy of the GNU General Public License
  25 * along with GNU CC; see the file COPYING.  If not, write to
  26 * the Free Software Foundation, 59 Temple Place - Suite 330,
  27 * Boston, MA 02111-1307, USA.
  28 *
  29 * Please send any bug reports or fixes you make to the
  30 * email address(es):
  31 *    lksctp developers <lksctp-developers@lists.sourceforge.net>
  32 *
  33 * Or submit a bug report through the following website:
  34 *    http://www.sf.net/projects/lksctp
  35 *
  36 * Written or modified by:
  37 *    La Monte H.P. Yarroll <piggy@acm.org>
  38 *    Karl Knutson          <karl@athena.chicago.il.us>
  39 *    Mathew Kotowsky       <kotowsky@sctp.org>
  40 *    Sridhar Samudrala     <samudrala@us.ibm.com>
  41 *    Jon Grimm             <jgrimm@us.ibm.com>
  42 *    Hui Huang             <hui.huang@nokia.com>
  43 *    Dajiang Zhang         <dajiang.zhang@nokia.com>
  44 *    Daisy Chang           <daisyc@us.ibm.com>
  45 *    Ardelle Fan           <ardelle.fan@intel.com>
  46 *    Ryan Layer            <rmlayer@us.ibm.com>
  47 *    Kevin Gao             <kevin.gao@intel.com>
  48 *
  49 * Any bugs reported given to us we will try to fix... any fixes shared will
  50 * be incorporated into the next SCTP release.
  51 */
  52
  53#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  54
  55#include <linux/types.h>
  56#include <linux/kernel.h>
  57#include <linux/ip.h>
  58#include <linux/ipv6.h>
  59#include <linux/net.h>
  60#include <linux/inet.h>
  61#include <linux/slab.h>
  62#include <net/sock.h>
  63#include <net/inet_ecn.h>
  64#include <linux/skbuff.h>
  65#include <net/sctp/sctp.h>
  66#include <net/sctp/sm.h>
  67#include <net/sctp/structs.h>
  68
  69static struct sctp_packet *sctp_abort_pkt_new(struct net *net,
  70                                  const struct sctp_endpoint *ep,
  71                                  const struct sctp_association *asoc,
  72                                  struct sctp_chunk *chunk,
  73                                  const void *payload,
  74                                  size_t paylen);
  75static int sctp_eat_data(const struct sctp_association *asoc,
  76                         struct sctp_chunk *chunk,
  77                         sctp_cmd_seq_t *commands);
  78static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
  79                                             const struct sctp_association *asoc,
  80                                             const struct sctp_chunk *chunk);
  81static void sctp_send_stale_cookie_err(struct net *net,
  82                                       const struct sctp_endpoint *ep,
  83                                       const struct sctp_association *asoc,
  84                                       const struct sctp_chunk *chunk,
  85                                       sctp_cmd_seq_t *commands,
  86                                       struct sctp_chunk *err_chunk);
  87static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
  88                                                 const struct sctp_endpoint *ep,
  89                                                 const struct sctp_association *asoc,
  90                                                 const sctp_subtype_t type,
  91                                                 void *arg,
  92                                                 sctp_cmd_seq_t *commands);
  93static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
  94                                             const struct sctp_endpoint *ep,
  95                                             const struct sctp_association *asoc,
  96                                             const sctp_subtype_t type,
  97                                             void *arg,
  98                                             sctp_cmd_seq_t *commands);
  99static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
 100                                        const struct sctp_endpoint *ep,
 101                                        const struct sctp_association *asoc,
 102                                        const sctp_subtype_t type,
 103                                        void *arg,
 104                                        sctp_cmd_seq_t *commands);
 105static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
 106
 107static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
 108                                           sctp_cmd_seq_t *commands,
 109                                           __be16 error, int sk_err,
 110                                           const struct sctp_association *asoc,
 111                                           struct sctp_transport *transport);
 112
 113static sctp_disposition_t sctp_sf_abort_violation(
 114                                     struct net *net,
 115                                     const struct sctp_endpoint *ep,
 116                                     const struct sctp_association *asoc,
 117                                     void *arg,
 118                                     sctp_cmd_seq_t *commands,
 119                                     const __u8 *payload,
 120                                     const size_t paylen);
 121
 122static sctp_disposition_t sctp_sf_violation_chunklen(
 123                                     struct net *net,
 124                                     const struct sctp_endpoint *ep,
 125                                     const struct sctp_association *asoc,
 126                                     const sctp_subtype_t type,
 127                                     void *arg,
 128                                     sctp_cmd_seq_t *commands);
 129
 130static sctp_disposition_t sctp_sf_violation_paramlen(
 131                                     struct net *net,
 132                                     const struct sctp_endpoint *ep,
 133                                     const struct sctp_association *asoc,
 134                                     const sctp_subtype_t type,
 135                                     void *arg, void *ext,
 136                                     sctp_cmd_seq_t *commands);
 137
 138static sctp_disposition_t sctp_sf_violation_ctsn(
 139                                     struct net *net,
 140                                     const struct sctp_endpoint *ep,
 141                                     const struct sctp_association *asoc,
 142                                     const sctp_subtype_t type,
 143                                     void *arg,
 144                                     sctp_cmd_seq_t *commands);
 145
 146static sctp_disposition_t sctp_sf_violation_chunk(
 147                                     struct net *net,
 148                                     const struct sctp_endpoint *ep,
 149                                     const struct sctp_association *asoc,
 150                                     const sctp_subtype_t type,
 151                                     void *arg,
 152                                     sctp_cmd_seq_t *commands);
 153
 154static sctp_ierror_t sctp_sf_authenticate(struct net *net,
 155                                    const struct sctp_endpoint *ep,
 156                                    const struct sctp_association *asoc,
 157                                    const sctp_subtype_t type,
 158                                    struct sctp_chunk *chunk);
 159
 160static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
 161                                        const struct sctp_endpoint *ep,
 162                                        const struct sctp_association *asoc,
 163                                        const sctp_subtype_t type,
 164                                        void *arg,
 165                                        sctp_cmd_seq_t *commands);
 166
 167/* Small helper function that checks if the chunk length
 168 * is of the appropriate length.  The 'required_length' argument
 169 * is set to be the size of a specific chunk we are testing.
 170 * Return Values:  1 = Valid length
 171 *                 0 = Invalid length
 172 *
 173 */
 174static inline int
 175sctp_chunk_length_valid(struct sctp_chunk *chunk,
 176                           __u16 required_length)
 177{
 178        __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
 179
 180        if (unlikely(chunk_length < required_length))
 181                return 0;
 182
 183        return 1;
 184}
 185
 186/**********************************************************
 187 * These are the state functions for handling chunk events.
 188 **********************************************************/
 189
 190/*
 191 * Process the final SHUTDOWN COMPLETE.
 192 *
 193 * Section: 4 (C) (diagram), 9.2
 194 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
 195 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
 196 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
 197 * should stop the T2-shutdown timer and remove all knowledge of the
 198 * association (and thus the association enters the CLOSED state).
 199 *
 200 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
 201 * C) Rules for packet carrying SHUTDOWN COMPLETE:
 202 * ...
 203 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
 204 *   if the Verification Tag field of the packet matches its own tag and
 205 *   the T bit is not set
 206 *   OR
 207 *   it is set to its peer's tag and the T bit is set in the Chunk
 208 *   Flags.
 209 *   Otherwise, the receiver MUST silently discard the packet
 210 *   and take no further action.  An endpoint MUST ignore the
 211 *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
 212 *
 213 * Inputs
 214 * (endpoint, asoc, chunk)
 215 *
 216 * Outputs
 217 * (asoc, reply_msg, msg_up, timers, counters)
 218 *
 219 * The return value is the disposition of the chunk.
 220 */
 221sctp_disposition_t sctp_sf_do_4_C(struct net *net,
 222                                  const struct sctp_endpoint *ep,
 223                                  const struct sctp_association *asoc,
 224                                  const sctp_subtype_t type,
 225                                  void *arg,
 226                                  sctp_cmd_seq_t *commands)
 227{
 228        struct sctp_chunk *chunk = arg;
 229        struct sctp_ulpevent *ev;
 230
 231        if (!sctp_vtag_verify_either(chunk, asoc))
 232                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 233
 234        /* RFC 2960 6.10 Bundling
 235         *
 236         * An endpoint MUST NOT bundle INIT, INIT ACK or
 237         * SHUTDOWN COMPLETE with any other chunks.
 238         */
 239        if (!chunk->singleton)
 240                return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
 241
 242        /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
 243        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 244                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
 245                                                  commands);
 246
 247        /* RFC 2960 10.2 SCTP-to-ULP
 248         *
 249         * H) SHUTDOWN COMPLETE notification
 250         *
 251         * When SCTP completes the shutdown procedures (section 9.2) this
 252         * notification is passed to the upper layer.
 253         */
 254        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
 255                                             0, 0, 0, NULL, GFP_ATOMIC);
 256        if (ev)
 257                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 258                                SCTP_ULPEVENT(ev));
 259
 260        /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
 261         * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
 262         * not the chunk should be discarded. If the endpoint is in
 263         * the SHUTDOWN-ACK-SENT state the endpoint should stop the
 264         * T2-shutdown timer and remove all knowledge of the
 265         * association (and thus the association enters the CLOSED
 266         * state).
 267         */
 268        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 269                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
 270
 271        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 272                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
 273
 274        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 275                        SCTP_STATE(SCTP_STATE_CLOSED));
 276
 277        SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
 278        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
 279
 280        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 281
 282        return SCTP_DISPOSITION_DELETE_TCB;
 283}
 284
 285/*
 286 * Respond to a normal INIT chunk.
 287 * We are the side that is being asked for an association.
 288 *
 289 * Section: 5.1 Normal Establishment of an Association, B
 290 * B) "Z" shall respond immediately with an INIT ACK chunk.  The
 291 *    destination IP address of the INIT ACK MUST be set to the source
 292 *    IP address of the INIT to which this INIT ACK is responding.  In
 293 *    the response, besides filling in other parameters, "Z" must set the
 294 *    Verification Tag field to Tag_A, and also provide its own
 295 *    Verification Tag (Tag_Z) in the Initiate Tag field.
 296 *
 297 * Verification Tag: Must be 0.
 298 *
 299 * Inputs
 300 * (endpoint, asoc, chunk)
 301 *
 302 * Outputs
 303 * (asoc, reply_msg, msg_up, timers, counters)
 304 *
 305 * The return value is the disposition of the chunk.
 306 */
 307sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
 308                                        const struct sctp_endpoint *ep,
 309                                        const struct sctp_association *asoc,
 310                                        const sctp_subtype_t type,
 311                                        void *arg,
 312                                        sctp_cmd_seq_t *commands)
 313{
 314        struct sctp_chunk *chunk = arg;
 315        struct sctp_chunk *repl;
 316        struct sctp_association *new_asoc;
 317        struct sctp_chunk *err_chunk;
 318        struct sctp_packet *packet;
 319        sctp_unrecognized_param_t *unk_param;
 320        int len;
 321
 322        /* 6.10 Bundling
 323         * An endpoint MUST NOT bundle INIT, INIT ACK or
 324         * SHUTDOWN COMPLETE with any other chunks.
 325         *
 326         * IG Section 2.11.2
 327         * Furthermore, we require that the receiver of an INIT chunk MUST
 328         * enforce these rules by silently discarding an arriving packet
 329         * with an INIT chunk that is bundled with other chunks.
 330         */
 331        if (!chunk->singleton)
 332                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 333
 334        /* If the packet is an OOTB packet which is temporarily on the
 335         * control endpoint, respond with an ABORT.
 336         */
 337        if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
 338                SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
 339                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 340        }
 341
 342        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
 343         * Tag.
 344         */
 345        if (chunk->sctp_hdr->vtag != 0)
 346                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 347
 348        /* Make sure that the INIT chunk has a valid length.
 349         * Normally, this would cause an ABORT with a Protocol Violation
 350         * error, but since we don't have an association, we'll
 351         * just discard the packet.
 352         */
 353        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
 354                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 355
 356        /* If the INIT is coming toward a closing socket, we'll send back
 357         * and ABORT.  Essentially, this catches the race of INIT being
 358         * backloged to the socket at the same time as the user isses close().
 359         * Since the socket and all its associations are going away, we
 360         * can treat this OOTB
 361         */
 362        if (sctp_sstate(ep->base.sk, CLOSING))
 363                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 364
 365        /* Verify the INIT chunk before processing it. */
 366        err_chunk = NULL;
 367        if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type,
 368                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
 369                              &err_chunk)) {
 370                /* This chunk contains fatal error. It is to be discarded.
 371                 * Send an ABORT, with causes if there is any.
 372                 */
 373                if (err_chunk) {
 374                        packet = sctp_abort_pkt_new(net, ep, asoc, arg,
 375                                        (__u8 *)(err_chunk->chunk_hdr) +
 376                                        sizeof(sctp_chunkhdr_t),
 377                                        ntohs(err_chunk->chunk_hdr->length) -
 378                                        sizeof(sctp_chunkhdr_t));
 379
 380                        sctp_chunk_free(err_chunk);
 381
 382                        if (packet) {
 383                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 384                                                SCTP_PACKET(packet));
 385                                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
 386                                return SCTP_DISPOSITION_CONSUME;
 387                        } else {
 388                                return SCTP_DISPOSITION_NOMEM;
 389                        }
 390                } else {
 391                        return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
 392                                                    commands);
 393                }
 394        }
 395
 396        /* Grab the INIT header.  */
 397        chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
 398
 399        /* Tag the variable length parameters.  */
 400        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
 401
 402        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
 403        if (!new_asoc)
 404                goto nomem;
 405
 406        if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
 407                                             sctp_scope(sctp_source(chunk)),
 408                                             GFP_ATOMIC) < 0)
 409                goto nomem_init;
 410
 411        /* The call, sctp_process_init(), can fail on memory allocation.  */
 412        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
 413                               (sctp_init_chunk_t *)chunk->chunk_hdr,
 414                               GFP_ATOMIC))
 415                goto nomem_init;
 416
 417        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
 418
 419        /* If there are errors need to be reported for unknown parameters,
 420         * make sure to reserve enough room in the INIT ACK for them.
 421         */
 422        len = 0;
 423        if (err_chunk)
 424                len = ntohs(err_chunk->chunk_hdr->length) -
 425                        sizeof(sctp_chunkhdr_t);
 426
 427        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
 428        if (!repl)
 429                goto nomem_init;
 430
 431        /* If there are errors need to be reported for unknown parameters,
 432         * include them in the outgoing INIT ACK as "Unrecognized parameter"
 433         * parameter.
 434         */
 435        if (err_chunk) {
 436                /* Get the "Unrecognized parameter" parameter(s) out of the
 437                 * ERROR chunk generated by sctp_verify_init(). Since the
 438                 * error cause code for "unknown parameter" and the
 439                 * "Unrecognized parameter" type is the same, we can
 440                 * construct the parameters in INIT ACK by copying the
 441                 * ERROR causes over.
 442                 */
 443                unk_param = (sctp_unrecognized_param_t *)
 444                            ((__u8 *)(err_chunk->chunk_hdr) +
 445                            sizeof(sctp_chunkhdr_t));
 446                /* Replace the cause code with the "Unrecognized parameter"
 447                 * parameter type.
 448                 */
 449                sctp_addto_chunk(repl, len, unk_param);
 450                sctp_chunk_free(err_chunk);
 451        }
 452
 453        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 454
 455        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 456
 457        /*
 458         * Note:  After sending out INIT ACK with the State Cookie parameter,
 459         * "Z" MUST NOT allocate any resources, nor keep any states for the
 460         * new association.  Otherwise, "Z" will be vulnerable to resource
 461         * attacks.
 462         */
 463        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 464
 465        return SCTP_DISPOSITION_DELETE_TCB;
 466
 467nomem_init:
 468        sctp_association_free(new_asoc);
 469nomem:
 470        if (err_chunk)
 471                sctp_chunk_free(err_chunk);
 472        return SCTP_DISPOSITION_NOMEM;
 473}
 474
 475/*
 476 * Respond to a normal INIT ACK chunk.
 477 * We are the side that is initiating the association.
 478 *
 479 * Section: 5.1 Normal Establishment of an Association, C
 480 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
 481 *    timer and leave COOKIE-WAIT state. "A" shall then send the State
 482 *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
 483 *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
 484 *
 485 *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
 486 *    DATA chunks, but it MUST be the first chunk in the packet and
 487 *    until the COOKIE ACK is returned the sender MUST NOT send any
 488 *    other packets to the peer.
 489 *
 490 * Verification Tag: 3.3.3
 491 *   If the value of the Initiate Tag in a received INIT ACK chunk is
 492 *   found to be 0, the receiver MUST treat it as an error and close the
 493 *   association by transmitting an ABORT.
 494 *
 495 * Inputs
 496 * (endpoint, asoc, chunk)
 497 *
 498 * Outputs
 499 * (asoc, reply_msg, msg_up, timers, counters)
 500 *
 501 * The return value is the disposition of the chunk.
 502 */
 503sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
 504                                       const struct sctp_endpoint *ep,
 505                                       const struct sctp_association *asoc,
 506                                       const sctp_subtype_t type,
 507                                       void *arg,
 508                                       sctp_cmd_seq_t *commands)
 509{
 510        struct sctp_chunk *chunk = arg;
 511        sctp_init_chunk_t *initchunk;
 512        struct sctp_chunk *err_chunk;
 513        struct sctp_packet *packet;
 514
 515        if (!sctp_vtag_verify(chunk, asoc))
 516                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 517
 518        /* 6.10 Bundling
 519         * An endpoint MUST NOT bundle INIT, INIT ACK or
 520         * SHUTDOWN COMPLETE with any other chunks.
 521         */
 522        if (!chunk->singleton)
 523                return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
 524
 525        /* Make sure that the INIT-ACK chunk has a valid length */
 526        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
 527                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
 528                                                  commands);
 529        /* Grab the INIT header.  */
 530        chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
 531
 532        /* Verify the INIT chunk before processing it. */
 533        err_chunk = NULL;
 534        if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type,
 535                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
 536                              &err_chunk)) {
 537
 538                sctp_error_t error = SCTP_ERROR_NO_RESOURCE;
 539
 540                /* This chunk contains fatal error. It is to be discarded.
 541                 * Send an ABORT, with causes.  If there are no causes,
 542                 * then there wasn't enough memory.  Just terminate
 543                 * the association.
 544                 */
 545                if (err_chunk) {
 546                        packet = sctp_abort_pkt_new(net, ep, asoc, arg,
 547                                        (__u8 *)(err_chunk->chunk_hdr) +
 548                                        sizeof(sctp_chunkhdr_t),
 549                                        ntohs(err_chunk->chunk_hdr->length) -
 550                                        sizeof(sctp_chunkhdr_t));
 551
 552                        sctp_chunk_free(err_chunk);
 553
 554                        if (packet) {
 555                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 556                                                SCTP_PACKET(packet));
 557                                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
 558                                error = SCTP_ERROR_INV_PARAM;
 559                        }
 560                }
 561
 562                /* SCTP-AUTH, Section 6.3:
 563                 *    It should be noted that if the receiver wants to tear
 564                 *    down an association in an authenticated way only, the
 565                 *    handling of malformed packets should not result in
 566                 *    tearing down the association.
 567                 *
 568                 * This means that if we only want to abort associations
 569                 * in an authenticated way (i.e AUTH+ABORT), then we
 570                 * can't destroy this association just because the packet
 571                 * was malformed.
 572                 */
 573                if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
 574                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 575
 576                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
 577                return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
 578                                                asoc, chunk->transport);
 579        }
 580
 581        /* Tag the variable length parameters.  Note that we never
 582         * convert the parameters in an INIT chunk.
 583         */
 584        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
 585
 586        initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
 587
 588        sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
 589                        SCTP_PEER_INIT(initchunk));
 590
 591        /* Reset init error count upon receipt of INIT-ACK.  */
 592        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 593
 594        /* 5.1 C) "A" shall stop the T1-init timer and leave
 595         * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
 596         * timer, and enter the COOKIE-ECHOED state.
 597         */
 598        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 599                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
 600        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 601                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 602        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 603                        SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
 604
 605        /* SCTP-AUTH: genereate the assocition shared keys so that
 606         * we can potentially signe the COOKIE-ECHO.
 607         */
 608        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
 609
 610        /* 5.1 C) "A" shall then send the State Cookie received in the
 611         * INIT ACK chunk in a COOKIE ECHO chunk, ...
 612         */
 613        /* If there is any errors to report, send the ERROR chunk generated
 614         * for unknown parameters as well.
 615         */
 616        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
 617                        SCTP_CHUNK(err_chunk));
 618
 619        return SCTP_DISPOSITION_CONSUME;
 620}
 621
 622/*
 623 * Respond to a normal COOKIE ECHO chunk.
 624 * We are the side that is being asked for an association.
 625 *
 626 * Section: 5.1 Normal Establishment of an Association, D
 627 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
 628 *    with a COOKIE ACK chunk after building a TCB and moving to
 629 *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
 630 *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
 631 *    chunk MUST be the first chunk in the packet.
 632 *
 633 *   IMPLEMENTATION NOTE: An implementation may choose to send the
 634 *   Communication Up notification to the SCTP user upon reception
 635 *   of a valid COOKIE ECHO chunk.
 636 *
 637 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
 638 * D) Rules for packet carrying a COOKIE ECHO
 639 *
 640 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
 641 *   Initial Tag received in the INIT ACK.
 642 *
 643 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
 644 *
 645 * Inputs
 646 * (endpoint, asoc, chunk)
 647 *
 648 * Outputs
 649 * (asoc, reply_msg, msg_up, timers, counters)
 650 *
 651 * The return value is the disposition of the chunk.
 652 */
 653sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
 654                                      const struct sctp_endpoint *ep,
 655                                      const struct sctp_association *asoc,
 656                                      const sctp_subtype_t type, void *arg,
 657                                      sctp_cmd_seq_t *commands)
 658{
 659        struct sctp_chunk *chunk = arg;
 660        struct sctp_association *new_asoc;
 661        sctp_init_chunk_t *peer_init;
 662        struct sctp_chunk *repl;
 663        struct sctp_ulpevent *ev, *ai_ev = NULL;
 664        int error = 0;
 665        struct sctp_chunk *err_chk_p;
 666        struct sock *sk;
 667
 668        /* If the packet is an OOTB packet which is temporarily on the
 669         * control endpoint, respond with an ABORT.
 670         */
 671        if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
 672                SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
 673                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 674        }
 675
 676        /* Make sure that the COOKIE_ECHO chunk has a valid length.
 677         * In this case, we check that we have enough for at least a
 678         * chunk header.  More detailed verification is done
 679         * in sctp_unpack_cookie().
 680         */
 681        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 682                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 683
 684        /* If the endpoint is not listening or if the number of associations
 685         * on the TCP-style socket exceed the max backlog, respond with an
 686         * ABORT.
 687         */
 688        sk = ep->base.sk;
 689        if (!sctp_sstate(sk, LISTENING) ||
 690            (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
 691                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 692
 693        /* "Decode" the chunk.  We have no optional parameters so we
 694         * are in good shape.
 695         */
 696        chunk->subh.cookie_hdr =
 697                (struct sctp_signed_cookie *)chunk->skb->data;
 698        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
 699                                         sizeof(sctp_chunkhdr_t)))
 700                goto nomem;
 701
 702        /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
 703         * "Z" will reply with a COOKIE ACK chunk after building a TCB
 704         * and moving to the ESTABLISHED state.
 705         */
 706        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
 707                                      &err_chk_p);
 708
 709        /* FIXME:
 710         * If the re-build failed, what is the proper error path
 711         * from here?
 712         *
 713         * [We should abort the association. --piggy]
 714         */
 715        if (!new_asoc) {
 716                /* FIXME: Several errors are possible.  A bad cookie should
 717                 * be silently discarded, but think about logging it too.
 718                 */
 719                switch (error) {
 720                case -SCTP_IERROR_NOMEM:
 721                        goto nomem;
 722
 723                case -SCTP_IERROR_STALE_COOKIE:
 724                        sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
 725                                                   err_chk_p);
 726                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 727
 728                case -SCTP_IERROR_BAD_SIG:
 729                default:
 730                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 731                }
 732        }
 733
 734
 735        /* Delay state machine commands until later.
 736         *
 737         * Re-build the bind address for the association is done in
 738         * the sctp_unpack_cookie() already.
 739         */
 740        /* This is a brand-new association, so these are not yet side
 741         * effects--it is safe to run them here.
 742         */
 743        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
 744
 745        if (!sctp_process_init(new_asoc, chunk,
 746                               &chunk->subh.cookie_hdr->c.peer_addr,
 747                               peer_init, GFP_ATOMIC))
 748                goto nomem_init;
 749
 750        /* SCTP-AUTH:  Now that we've populate required fields in
 751         * sctp_process_init, set up the assocaition shared keys as
 752         * necessary so that we can potentially authenticate the ACK
 753         */
 754        error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
 755        if (error)
 756                goto nomem_init;
 757
 758        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
 759         * is supposed to be authenticated and we have to do delayed
 760         * authentication.  We've just recreated the association using
 761         * the information in the cookie and now it's much easier to
 762         * do the authentication.
 763         */
 764        if (chunk->auth_chunk) {
 765                struct sctp_chunk auth;
 766                sctp_ierror_t ret;
 767
 768                /* set-up our fake chunk so that we can process it */
 769                auth.skb = chunk->auth_chunk;
 770                auth.asoc = chunk->asoc;
 771                auth.sctp_hdr = chunk->sctp_hdr;
 772                auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
 773                                            sizeof(sctp_chunkhdr_t));
 774                skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
 775                auth.transport = chunk->transport;
 776
 777                ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
 778
 779                /* We can now safely free the auth_chunk clone */
 780                kfree_skb(chunk->auth_chunk);
 781
 782                if (ret != SCTP_IERROR_NO_ERROR) {
 783                        sctp_association_free(new_asoc);
 784                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 785                }
 786        }
 787
 788        repl = sctp_make_cookie_ack(new_asoc, chunk);
 789        if (!repl)
 790                goto nomem_init;
 791
 792        /* RFC 2960 5.1 Normal Establishment of an Association
 793         *
 794         * D) IMPLEMENTATION NOTE: An implementation may choose to
 795         * send the Communication Up notification to the SCTP user
 796         * upon reception of a valid COOKIE ECHO chunk.
 797         */
 798        ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
 799                                             new_asoc->c.sinit_num_ostreams,
 800                                             new_asoc->c.sinit_max_instreams,
 801                                             NULL, GFP_ATOMIC);
 802        if (!ev)
 803                goto nomem_ev;
 804
 805        /* Sockets API Draft Section 5.3.1.6
 806         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 807         * delivers this notification to inform the application that of the
 808         * peers requested adaptation layer.
 809         */
 810        if (new_asoc->peer.adaptation_ind) {
 811                ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
 812                                                            GFP_ATOMIC);
 813                if (!ai_ev)
 814                        goto nomem_aiev;
 815        }
 816
 817        /* Add all the state machine commands now since we've created
 818         * everything.  This way we don't introduce memory corruptions
 819         * during side-effect processing and correclty count established
 820         * associations.
 821         */
 822        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 823        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 824                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 825        SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
 826        SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
 827        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 828
 829        if (new_asoc->autoclose)
 830                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 831                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 832
 833        /* This will send the COOKIE ACK */
 834        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 835
 836        /* Queue the ASSOC_CHANGE event */
 837        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 838
 839        /* Send up the Adaptation Layer Indication event */
 840        if (ai_ev)
 841                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 842                                SCTP_ULPEVENT(ai_ev));
 843
 844        return SCTP_DISPOSITION_CONSUME;
 845
 846nomem_aiev:
 847        sctp_ulpevent_free(ev);
 848nomem_ev:
 849        sctp_chunk_free(repl);
 850nomem_init:
 851        sctp_association_free(new_asoc);
 852nomem:
 853        return SCTP_DISPOSITION_NOMEM;
 854}
 855
 856/*
 857 * Respond to a normal COOKIE ACK chunk.
 858 * We are the side that is being asked for an association.
 859 *
 860 * RFC 2960 5.1 Normal Establishment of an Association
 861 *
 862 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
 863 *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
 864 *    timer. It may also notify its ULP about the successful
 865 *    establishment of the association with a Communication Up
 866 *    notification (see Section 10).
 867 *
 868 * Verification Tag:
 869 * Inputs
 870 * (endpoint, asoc, chunk)
 871 *
 872 * Outputs
 873 * (asoc, reply_msg, msg_up, timers, counters)
 874 *
 875 * The return value is the disposition of the chunk.
 876 */
 877sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
 878                                      const struct sctp_endpoint *ep,
 879                                      const struct sctp_association *asoc,
 880                                      const sctp_subtype_t type, void *arg,
 881                                      sctp_cmd_seq_t *commands)
 882{
 883        struct sctp_chunk *chunk = arg;
 884        struct sctp_ulpevent *ev;
 885
 886        if (!sctp_vtag_verify(chunk, asoc))
 887                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 888
 889        /* Verify that the chunk length for the COOKIE-ACK is OK.
 890         * If we don't do this, any bundled chunks may be junked.
 891         */
 892        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 893                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
 894                                                  commands);
 895
 896        /* Reset init error count upon receipt of COOKIE-ACK,
 897         * to avoid problems with the managemement of this
 898         * counter in stale cookie situations when a transition back
 899         * from the COOKIE-ECHOED state to the COOKIE-WAIT
 900         * state is performed.
 901         */
 902        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 903
 904        /* RFC 2960 5.1 Normal Establishment of an Association
 905         *
 906         * E) Upon reception of the COOKIE ACK, endpoint "A" will move
 907         * from the COOKIE-ECHOED state to the ESTABLISHED state,
 908         * stopping the T1-cookie timer.
 909         */
 910        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 911                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 912        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 913                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 914        SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
 915        SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
 916        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 917        if (asoc->autoclose)
 918                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 919                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 920
 921        /* It may also notify its ULP about the successful
 922         * establishment of the association with a Communication Up
 923         * notification (see Section 10).
 924         */
 925        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
 926                                             0, asoc->c.sinit_num_ostreams,
 927                                             asoc->c.sinit_max_instreams,
 928                                             NULL, GFP_ATOMIC);
 929
 930        if (!ev)
 931                goto nomem;
 932
 933        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 934
 935        /* Sockets API Draft Section 5.3.1.6
 936         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 937         * delivers this notification to inform the application that of the
 938         * peers requested adaptation layer.
 939         */
 940        if (asoc->peer.adaptation_ind) {
 941                ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
 942                if (!ev)
 943                        goto nomem;
 944
 945                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 946                                SCTP_ULPEVENT(ev));
 947        }
 948
 949        return SCTP_DISPOSITION_CONSUME;
 950nomem:
 951        return SCTP_DISPOSITION_NOMEM;
 952}
 953
 954/* Generate and sendout a heartbeat packet.  */
 955static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
 956                                            const struct sctp_association *asoc,
 957                                            const sctp_subtype_t type,
 958                                            void *arg,
 959                                            sctp_cmd_seq_t *commands)
 960{
 961        struct sctp_transport *transport = (struct sctp_transport *) arg;
 962        struct sctp_chunk *reply;
 963
 964        /* Send a heartbeat to our peer.  */
 965        reply = sctp_make_heartbeat(asoc, transport);
 966        if (!reply)
 967                return SCTP_DISPOSITION_NOMEM;
 968
 969        /* Set rto_pending indicating that an RTT measurement
 970         * is started with this heartbeat chunk.
 971         */
 972        sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
 973                        SCTP_TRANSPORT(transport));
 974
 975        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
 976        return SCTP_DISPOSITION_CONSUME;
 977}
 978
 979/* Generate a HEARTBEAT packet on the given transport.  */
 980sctp_disposition_t sctp_sf_sendbeat_8_3(struct net *net,
 981                                        const struct sctp_endpoint *ep,
 982                                        const struct sctp_association *asoc,
 983                                        const sctp_subtype_t type,
 984                                        void *arg,
 985                                        sctp_cmd_seq_t *commands)
 986{
 987        struct sctp_transport *transport = (struct sctp_transport *) arg;
 988
 989        if (asoc->overall_error_count >= asoc->max_retrans) {
 990                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
 991                                SCTP_ERROR(ETIMEDOUT));
 992                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
 993                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
 994                                SCTP_PERR(SCTP_ERROR_NO_ERROR));
 995                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
 996                SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
 997                return SCTP_DISPOSITION_DELETE_TCB;
 998        }
 999
1000        /* Section 3.3.5.
1001         * The Sender-specific Heartbeat Info field should normally include
1002         * information about the sender's current time when this HEARTBEAT
1003         * chunk is sent and the destination transport address to which this
1004         * HEARTBEAT is sent (see Section 8.3).
1005         */
1006
1007        if (transport->param_flags & SPP_HB_ENABLE) {
1008                if (SCTP_DISPOSITION_NOMEM ==
1009                                sctp_sf_heartbeat(ep, asoc, type, arg,
1010                                                  commands))
1011                        return SCTP_DISPOSITION_NOMEM;
1012
1013                /* Set transport error counter and association error counter
1014                 * when sending heartbeat.
1015                 */
1016                sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1017                                SCTP_TRANSPORT(transport));
1018        }
1019        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1020                        SCTP_TRANSPORT(transport));
1021        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1022                        SCTP_TRANSPORT(transport));
1023
1024        return SCTP_DISPOSITION_CONSUME;
1025}
1026
1027/*
1028 * Process an heartbeat request.
1029 *
1030 * Section: 8.3 Path Heartbeat
1031 * The receiver of the HEARTBEAT should immediately respond with a
1032 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1033 * from the received HEARTBEAT chunk.
1034 *
1035 * Verification Tag:  8.5 Verification Tag [Normal verification]
1036 * When receiving an SCTP packet, the endpoint MUST ensure that the
1037 * value in the Verification Tag field of the received SCTP packet
1038 * matches its own Tag. If the received Verification Tag value does not
1039 * match the receiver's own tag value, the receiver shall silently
1040 * discard the packet and shall not process it any further except for
1041 * those cases listed in Section 8.5.1 below.
1042 *
1043 * Inputs
1044 * (endpoint, asoc, chunk)
1045 *
1046 * Outputs
1047 * (asoc, reply_msg, msg_up, timers, counters)
1048 *
1049 * The return value is the disposition of the chunk.
1050 */
1051sctp_disposition_t sctp_sf_beat_8_3(struct net *net,
1052                                    const struct sctp_endpoint *ep,
1053                                    const struct sctp_association *asoc,
1054                                    const sctp_subtype_t type,
1055                                    void *arg,
1056                                    sctp_cmd_seq_t *commands)
1057{
1058        sctp_paramhdr_t *param_hdr;
1059        struct sctp_chunk *chunk = arg;
1060        struct sctp_chunk *reply;
1061        size_t paylen = 0;
1062
1063        if (!sctp_vtag_verify(chunk, asoc))
1064                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1065
1066        /* Make sure that the HEARTBEAT chunk has a valid length. */
1067        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1068                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1069                                                  commands);
1070
1071        /* 8.3 The receiver of the HEARTBEAT should immediately
1072         * respond with a HEARTBEAT ACK that contains the Heartbeat
1073         * Information field copied from the received HEARTBEAT chunk.
1074         */
1075        chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
1076        param_hdr = (sctp_paramhdr_t *) chunk->subh.hb_hdr;
1077        paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
1078
1079        if (ntohs(param_hdr->length) > paylen)
1080                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1081                                                  param_hdr, commands);
1082
1083        if (!pskb_pull(chunk->skb, paylen))
1084                goto nomem;
1085
1086        reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1087        if (!reply)
1088                goto nomem;
1089
1090        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1091        return SCTP_DISPOSITION_CONSUME;
1092
1093nomem:
1094        return SCTP_DISPOSITION_NOMEM;
1095}
1096
1097/*
1098 * Process the returning HEARTBEAT ACK.
1099 *
1100 * Section: 8.3 Path Heartbeat
1101 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1102 * should clear the error counter of the destination transport
1103 * address to which the HEARTBEAT was sent, and mark the destination
1104 * transport address as active if it is not so marked. The endpoint may
1105 * optionally report to the upper layer when an inactive destination
1106 * address is marked as active due to the reception of the latest
1107 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1108 * clear the association overall error count as well (as defined
1109 * in section 8.1).
1110 *
1111 * The receiver of the HEARTBEAT ACK should also perform an RTT
1112 * measurement for that destination transport address using the time
1113 * value carried in the HEARTBEAT ACK chunk.
1114 *
1115 * Verification Tag:  8.5 Verification Tag [Normal verification]
1116 *
1117 * Inputs
1118 * (endpoint, asoc, chunk)
1119 *
1120 * Outputs
1121 * (asoc, reply_msg, msg_up, timers, counters)
1122 *
1123 * The return value is the disposition of the chunk.
1124 */
1125sctp_disposition_t sctp_sf_backbeat_8_3(struct net *net,
1126                                        const struct sctp_endpoint *ep,
1127                                        const struct sctp_association *asoc,
1128                                        const sctp_subtype_t type,
1129                                        void *arg,
1130                                        sctp_cmd_seq_t *commands)
1131{
1132        struct sctp_chunk *chunk = arg;
1133        union sctp_addr from_addr;
1134        struct sctp_transport *link;
1135        sctp_sender_hb_info_t *hbinfo;
1136        unsigned long max_interval;
1137
1138        if (!sctp_vtag_verify(chunk, asoc))
1139                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1140
1141        /* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */
1142        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +
1143                                            sizeof(sctp_sender_hb_info_t)))
1144                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1145                                                  commands);
1146
1147        hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1148        /* Make sure that the length of the parameter is what we expect */
1149        if (ntohs(hbinfo->param_hdr.length) !=
1150                                    sizeof(sctp_sender_hb_info_t)) {
1151                return SCTP_DISPOSITION_DISCARD;
1152        }
1153
1154        from_addr = hbinfo->daddr;
1155        link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1156
1157        /* This should never happen, but lets log it if so.  */
1158        if (unlikely(!link)) {
1159                if (from_addr.sa.sa_family == AF_INET6) {
1160                        net_warn_ratelimited("%s association %p could not find address %pI6\n",
1161                                             __func__,
1162                                             asoc,
1163                                             &from_addr.v6.sin6_addr);
1164                } else {
1165                        net_warn_ratelimited("%s association %p could not find address %pI4\n",
1166                                             __func__,
1167                                             asoc,
1168                                             &from_addr.v4.sin_addr.s_addr);
1169                }
1170                return SCTP_DISPOSITION_DISCARD;
1171        }
1172
1173        /* Validate the 64-bit random nonce. */
1174        if (hbinfo->hb_nonce != link->hb_nonce)
1175                return SCTP_DISPOSITION_DISCARD;
1176
1177        max_interval = link->hbinterval + link->rto;
1178
1179        /* Check if the timestamp looks valid.  */
1180        if (time_after(hbinfo->sent_at, jiffies) ||
1181            time_after(jiffies, hbinfo->sent_at + max_interval)) {
1182                SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp "
1183                                  "received for transport: %p\n",
1184                                   __func__, link);
1185                return SCTP_DISPOSITION_DISCARD;
1186        }
1187
1188        /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1189         * the HEARTBEAT should clear the error counter of the
1190         * destination transport address to which the HEARTBEAT was
1191         * sent and mark the destination transport address as active if
1192         * it is not so marked.
1193         */
1194        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1195
1196        return SCTP_DISPOSITION_CONSUME;
1197}
1198
1199/* Helper function to send out an abort for the restart
1200 * condition.
1201 */
1202static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1203                                      struct sctp_chunk *init,
1204                                      sctp_cmd_seq_t *commands)
1205{
1206        int len;
1207        struct sctp_packet *pkt;
1208        union sctp_addr_param *addrparm;
1209        struct sctp_errhdr *errhdr;
1210        struct sctp_endpoint *ep;
1211        char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1212        struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1213
1214        /* Build the error on the stack.   We are way to malloc crazy
1215         * throughout the code today.
1216         */
1217        errhdr = (struct sctp_errhdr *)buffer;
1218        addrparm = (union sctp_addr_param *)errhdr->variable;
1219
1220        /* Copy into a parm format. */
1221        len = af->to_addr_param(ssa, addrparm);
1222        len += sizeof(sctp_errhdr_t);
1223
1224        errhdr->cause = SCTP_ERROR_RESTART;
1225        errhdr->length = htons(len);
1226
1227        /* Assign to the control socket. */
1228        ep = sctp_sk(net->sctp.ctl_sock)->ep;
1229
1230        /* Association is NULL since this may be a restart attack and we
1231         * want to send back the attacker's vtag.
1232         */
1233        pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1234
1235        if (!pkt)
1236                goto out;
1237        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1238
1239        SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1240
1241        /* Discard the rest of the inbound packet. */
1242        sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1243
1244out:
1245        /* Even if there is no memory, treat as a failure so
1246         * the packet will get dropped.
1247         */
1248        return 0;
1249}
1250
1251static bool list_has_sctp_addr(const struct list_head *list,
1252                               union sctp_addr *ipaddr)
1253{
1254        struct sctp_transport *addr;
1255
1256        list_for_each_entry(addr, list, transports) {
1257                if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1258                        return true;
1259        }
1260
1261        return false;
1262}
1263/* A restart is occurring, check to make sure no new addresses
1264 * are being added as we may be under a takeover attack.
1265 */
1266static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1267                                       const struct sctp_association *asoc,
1268                                       struct sctp_chunk *init,
1269                                       sctp_cmd_seq_t *commands)
1270{
1271        struct net *net = sock_net(new_asoc->base.sk);
1272        struct sctp_transport *new_addr;
1273        int ret = 1;
1274
1275        /* Implementor's Guide - Section 5.2.2
1276         * ...
1277         * Before responding the endpoint MUST check to see if the
1278         * unexpected INIT adds new addresses to the association. If new
1279         * addresses are added to the association, the endpoint MUST respond
1280         * with an ABORT..
1281         */
1282
1283        /* Search through all current addresses and make sure
1284         * we aren't adding any new ones.
1285         */
1286        list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1287                            transports) {
1288                if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1289                                        &new_addr->ipaddr)) {
1290                        sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1291                                                   commands);
1292                        ret = 0;
1293                        break;
1294                }
1295        }
1296
1297        /* Return success if all addresses were found. */
1298        return ret;
1299}
1300
1301/* Populate the verification/tie tags based on overlapping INIT
1302 * scenario.
1303 *
1304 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1305 */
1306static void sctp_tietags_populate(struct sctp_association *new_asoc,
1307                                  const struct sctp_association *asoc)
1308{
1309        switch (asoc->state) {
1310
1311        /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1312
1313        case SCTP_STATE_COOKIE_WAIT:
1314                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1315                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1316                new_asoc->c.peer_ttag   = 0;
1317                break;
1318
1319        case SCTP_STATE_COOKIE_ECHOED:
1320                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1321                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1322                new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
1323                break;
1324
1325        /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1326         * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1327         */
1328        default:
1329                new_asoc->c.my_ttag   = asoc->c.my_vtag;
1330                new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1331                break;
1332        }
1333
1334        /* Other parameters for the endpoint SHOULD be copied from the
1335         * existing parameters of the association (e.g. number of
1336         * outbound streams) into the INIT ACK and cookie.
1337         */
1338        new_asoc->rwnd                  = asoc->rwnd;
1339        new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
1340        new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1341        new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
1342}
1343
1344/*
1345 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1346 * handling action.
1347 *
1348 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1349 *
1350 * Returns value representing action to be taken.   These action values
1351 * correspond to Action/Description values in RFC 2960, Table 2.
1352 */
1353static char sctp_tietags_compare(struct sctp_association *new_asoc,
1354                                 const struct sctp_association *asoc)
1355{
1356        /* In this case, the peer may have restarted.  */
1357        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1358            (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1359            (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1360            (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1361                return 'A';
1362
1363        /* Collision case B. */
1364        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1365            ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1366             (0 == asoc->c.peer_vtag))) {
1367                return 'B';
1368        }
1369
1370        /* Collision case D. */
1371        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1372            (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1373                return 'D';
1374
1375        /* Collision case C. */
1376        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1377            (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1378            (0 == new_asoc->c.my_ttag) &&
1379            (0 == new_asoc->c.peer_ttag))
1380                return 'C';
1381
1382        /* No match to any of the special cases; discard this packet. */
1383        return 'E';
1384}
1385
1386/* Common helper routine for both duplicate and simulataneous INIT
1387 * chunk handling.
1388 */
1389static sctp_disposition_t sctp_sf_do_unexpected_init(
1390        struct net *net,
1391        const struct sctp_endpoint *ep,
1392        const struct sctp_association *asoc,
1393        const sctp_subtype_t type,
1394        void *arg, sctp_cmd_seq_t *commands)
1395{
1396        sctp_disposition_t retval;
1397        struct sctp_chunk *chunk = arg;
1398        struct sctp_chunk *repl;
1399        struct sctp_association *new_asoc;
1400        struct sctp_chunk *err_chunk;
1401        struct sctp_packet *packet;
1402        sctp_unrecognized_param_t *unk_param;
1403        int len;
1404
1405        /* 6.10 Bundling
1406         * An endpoint MUST NOT bundle INIT, INIT ACK or
1407         * SHUTDOWN COMPLETE with any other chunks.
1408         *
1409         * IG Section 2.11.2
1410         * Furthermore, we require that the receiver of an INIT chunk MUST
1411         * enforce these rules by silently discarding an arriving packet
1412         * with an INIT chunk that is bundled with other chunks.
1413         */
1414        if (!chunk->singleton)
1415                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1416
1417        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1418         * Tag.
1419         */
1420        if (chunk->sctp_hdr->vtag != 0)
1421                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1422
1423        /* Make sure that the INIT chunk has a valid length.
1424         * In this case, we generate a protocol violation since we have
1425         * an association established.
1426         */
1427        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1428                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1429                                                  commands);
1430        /* Grab the INIT header.  */
1431        chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1432
1433        /* Tag the variable length parameters.  */
1434        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1435
1436        /* Verify the INIT chunk before processing it. */
1437        err_chunk = NULL;
1438        if (!sctp_verify_init(net, asoc, chunk->chunk_hdr->type,
1439                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1440                              &err_chunk)) {
1441                /* This chunk contains fatal error. It is to be discarded.
1442                 * Send an ABORT, with causes if there is any.
1443                 */
1444                if (err_chunk) {
1445                        packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1446                                        (__u8 *)(err_chunk->chunk_hdr) +
1447                                        sizeof(sctp_chunkhdr_t),
1448                                        ntohs(err_chunk->chunk_hdr->length) -
1449                                        sizeof(sctp_chunkhdr_t));
1450
1451                        if (packet) {
1452                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1453                                                SCTP_PACKET(packet));
1454                                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1455                                retval = SCTP_DISPOSITION_CONSUME;
1456                        } else {
1457                                retval = SCTP_DISPOSITION_NOMEM;
1458                        }
1459                        goto cleanup;
1460                } else {
1461                        return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1462                                                    commands);
1463                }
1464        }
1465
1466        /*
1467         * Other parameters for the endpoint SHOULD be copied from the
1468         * existing parameters of the association (e.g. number of
1469         * outbound streams) into the INIT ACK and cookie.
1470         * FIXME:  We are copying parameters from the endpoint not the
1471         * association.
1472         */
1473        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1474        if (!new_asoc)
1475                goto nomem;
1476
1477        if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1478                                sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1479                goto nomem;
1480
1481        /* In the outbound INIT ACK the endpoint MUST copy its current
1482         * Verification Tag and Peers Verification tag into a reserved
1483         * place (local tie-tag and per tie-tag) within the state cookie.
1484         */
1485        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1486                               (sctp_init_chunk_t *)chunk->chunk_hdr,
1487                               GFP_ATOMIC))
1488                goto nomem;
1489
1490        /* Make sure no new addresses are being added during the
1491         * restart.   Do not do this check for COOKIE-WAIT state,
1492         * since there are no peer addresses to check against.
1493         * Upon return an ABORT will have been sent if needed.
1494         */
1495        if (!sctp_state(asoc, COOKIE_WAIT)) {
1496                if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1497                                                 commands)) {
1498                        retval = SCTP_DISPOSITION_CONSUME;
1499                        goto nomem_retval;
1500                }
1501        }
1502
1503        sctp_tietags_populate(new_asoc, asoc);
1504
1505        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
1506
1507        /* If there are errors need to be reported for unknown parameters,
1508         * make sure to reserve enough room in the INIT ACK for them.
1509         */
1510        len = 0;
1511        if (err_chunk) {
1512                len = ntohs(err_chunk->chunk_hdr->length) -
1513                        sizeof(sctp_chunkhdr_t);
1514        }
1515
1516        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1517        if (!repl)
1518                goto nomem;
1519
1520        /* If there are errors need to be reported for unknown parameters,
1521         * include them in the outgoing INIT ACK as "Unrecognized parameter"
1522         * parameter.
1523         */
1524        if (err_chunk) {
1525                /* Get the "Unrecognized parameter" parameter(s) out of the
1526                 * ERROR chunk generated by sctp_verify_init(). Since the
1527                 * error cause code for "unknown parameter" and the
1528                 * "Unrecognized parameter" type is the same, we can
1529                 * construct the parameters in INIT ACK by copying the
1530                 * ERROR causes over.
1531                 */
1532                unk_param = (sctp_unrecognized_param_t *)
1533                            ((__u8 *)(err_chunk->chunk_hdr) +
1534                            sizeof(sctp_chunkhdr_t));
1535                /* Replace the cause code with the "Unrecognized parameter"
1536                 * parameter type.
1537                 */
1538                sctp_addto_chunk(repl, len, unk_param);
1539        }
1540
1541        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1542        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1543
1544        /*
1545         * Note: After sending out INIT ACK with the State Cookie parameter,
1546         * "Z" MUST NOT allocate any resources for this new association.
1547         * Otherwise, "Z" will be vulnerable to resource attacks.
1548         */
1549        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1550        retval = SCTP_DISPOSITION_CONSUME;
1551
1552        return retval;
1553
1554nomem:
1555        retval = SCTP_DISPOSITION_NOMEM;
1556nomem_retval:
1557        if (new_asoc)
1558                sctp_association_free(new_asoc);
1559cleanup:
1560        if (err_chunk)
1561                sctp_chunk_free(err_chunk);
1562        return retval;
1563}
1564
1565/*
1566 * Handle simultaneous INIT.
1567 * This means we started an INIT and then we got an INIT request from
1568 * our peer.
1569 *
1570 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1571 * This usually indicates an initialization collision, i.e., each
1572 * endpoint is attempting, at about the same time, to establish an
1573 * association with the other endpoint.
1574 *
1575 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1576 * endpoint MUST respond with an INIT ACK using the same parameters it
1577 * sent in its original INIT chunk (including its Verification Tag,
1578 * unchanged). These original parameters are combined with those from the
1579 * newly received INIT chunk. The endpoint shall also generate a State
1580 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1581 * INIT to calculate the State Cookie.
1582 *
1583 * After that, the endpoint MUST NOT change its state, the T1-init
1584 * timer shall be left running and the corresponding TCB MUST NOT be
1585 * destroyed. The normal procedures for handling State Cookies when
1586 * a TCB exists will resolve the duplicate INITs to a single association.
1587 *
1588 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1589 * its Tie-Tags with the Tag information of itself and its peer (see
1590 * section 5.2.2 for a description of the Tie-Tags).
1591 *
1592 * Verification Tag: Not explicit, but an INIT can not have a valid
1593 * verification tag, so we skip the check.
1594 *
1595 * Inputs
1596 * (endpoint, asoc, chunk)
1597 *
1598 * Outputs
1599 * (asoc, reply_msg, msg_up, timers, counters)
1600 *
1601 * The return value is the disposition of the chunk.
1602 */
1603sctp_disposition_t sctp_sf_do_5_2_1_siminit(struct net *net,
1604                                    const struct sctp_endpoint *ep,
1605                                    const struct sctp_association *asoc,
1606                                    const sctp_subtype_t type,
1607                                    void *arg,
1608                                    sctp_cmd_seq_t *commands)
1609{
1610        /* Call helper to do the real work for both simulataneous and
1611         * duplicate INIT chunk handling.
1612         */
1613        return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1614}
1615
1616/*
1617 * Handle duplicated INIT messages.  These are usually delayed
1618 * restransmissions.
1619 *
1620 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1621 * COOKIE-ECHOED and COOKIE-WAIT
1622 *
1623 * Unless otherwise stated, upon reception of an unexpected INIT for
1624 * this association, the endpoint shall generate an INIT ACK with a
1625 * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
1626 * current Verification Tag and peer's Verification Tag into a reserved
1627 * place within the state cookie.  We shall refer to these locations as
1628 * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
1629 * containing this INIT ACK MUST carry a Verification Tag value equal to
1630 * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
1631 * MUST contain a new Initiation Tag (randomly generated see Section
1632 * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
1633 * existing parameters of the association (e.g. number of outbound
1634 * streams) into the INIT ACK and cookie.
1635 *
1636 * After sending out the INIT ACK, the endpoint shall take no further
1637 * actions, i.e., the existing association, including its current state,
1638 * and the corresponding TCB MUST NOT be changed.
1639 *
1640 * Note: Only when a TCB exists and the association is not in a COOKIE-
1641 * WAIT state are the Tie-Tags populated.  For a normal association INIT
1642 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1643 * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
1644 * State Cookie are populated as specified in section 5.2.1.
1645 *
1646 * Verification Tag: Not specified, but an INIT has no way of knowing
1647 * what the verification tag could be, so we ignore it.
1648 *
1649 * Inputs
1650 * (endpoint, asoc, chunk)
1651 *
1652 * Outputs
1653 * (asoc, reply_msg, msg_up, timers, counters)
1654 *
1655 * The return value is the disposition of the chunk.
1656 */
1657sctp_disposition_t sctp_sf_do_5_2_2_dupinit(struct net *net,
1658                                        const struct sctp_endpoint *ep,
1659                                        const struct sctp_association *asoc,
1660                                        const sctp_subtype_t type,
1661                                        void *arg,
1662                                        sctp_cmd_seq_t *commands)
1663{
1664        /* Call helper to do the real work for both simulataneous and
1665         * duplicate INIT chunk handling.
1666         */
1667        return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1668}
1669
1670
1671/*
1672 * Unexpected INIT-ACK handler.
1673 *
1674 * Section 5.2.3
1675 * If an INIT ACK received by an endpoint in any state other than the
1676 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1677 * An unexpected INIT ACK usually indicates the processing of an old or
1678 * duplicated INIT chunk.
1679*/
1680sctp_disposition_t sctp_sf_do_5_2_3_initack(struct net *net,
1681                                            const struct sctp_endpoint *ep,
1682                                            const struct sctp_association *asoc,
1683                                            const sctp_subtype_t type,
1684                                            void *arg, sctp_cmd_seq_t *commands)
1685{
1686        /* Per the above section, we'll discard the chunk if we have an
1687         * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
1688         */
1689        if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1690                return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1691        else
1692                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1693}
1694
1695/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1696 *
1697 * Section 5.2.4
1698 *  A)  In this case, the peer may have restarted.
1699 */
1700static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net,
1701                                        const struct sctp_endpoint *ep,
1702                                        const struct sctp_association *asoc,
1703                                        struct sctp_chunk *chunk,
1704                                        sctp_cmd_seq_t *commands,
1705                                        struct sctp_association *new_asoc)
1706{
1707        sctp_init_chunk_t *peer_init;
1708        struct sctp_ulpevent *ev;
1709        struct sctp_chunk *repl;
1710        struct sctp_chunk *err;
1711        sctp_disposition_t disposition;
1712
1713        /* new_asoc is a brand-new association, so these are not yet
1714         * side effects--it is safe to run them here.
1715         */
1716        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1717
1718        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1719                               GFP_ATOMIC))
1720                goto nomem;
1721
1722        /* Make sure no new addresses are being added during the
1723         * restart.  Though this is a pretty complicated attack
1724         * since you'd have to get inside the cookie.
1725         */
1726        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1727                return SCTP_DISPOSITION_CONSUME;
1728        }
1729
1730        /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1731         * the peer has restarted (Action A), it MUST NOT setup a new
1732         * association but instead resend the SHUTDOWN ACK and send an ERROR
1733         * chunk with a "Cookie Received while Shutting Down" error cause to
1734         * its peer.
1735        */
1736        if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1737                disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
1738                                SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1739                                chunk, commands);
1740                if (SCTP_DISPOSITION_NOMEM == disposition)
1741                        goto nomem;
1742
1743                err = sctp_make_op_error(asoc, chunk,
1744                                         SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1745                                         NULL, 0, 0);
1746                if (err)
1747                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1748                                        SCTP_CHUNK(err));
1749
1750                return SCTP_DISPOSITION_CONSUME;
1751        }
1752
1753        /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1754         * data. Consider the optional choice of resending of this data.
1755         */
1756        sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1757        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1758                        SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1759        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1760
1761        /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1762         * and ASCONF-ACK cache.
1763         */
1764        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1765                        SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1766        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1767
1768        repl = sctp_make_cookie_ack(new_asoc, chunk);
1769        if (!repl)
1770                goto nomem;
1771
1772        /* Report association restart to upper layer. */
1773        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1774                                             new_asoc->c.sinit_num_ostreams,
1775                                             new_asoc->c.sinit_max_instreams,
1776                                             NULL, GFP_ATOMIC);
1777        if (!ev)
1778                goto nomem_ev;
1779
1780        /* Update the content of current association. */
1781        sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1782        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1783        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1784                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
1785        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1786        return SCTP_DISPOSITION_CONSUME;
1787
1788nomem_ev:
1789        sctp_chunk_free(repl);
1790nomem:
1791        return SCTP_DISPOSITION_NOMEM;
1792}
1793
1794/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1795 *
1796 * Section 5.2.4
1797 *   B) In this case, both sides may be attempting to start an association
1798 *      at about the same time but the peer endpoint started its INIT
1799 *      after responding to the local endpoint's INIT
1800 */
1801/* This case represents an initialization collision.  */
1802static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net,
1803                                        const struct sctp_endpoint *ep,
1804                                        const struct sctp_association *asoc,
1805                                        struct sctp_chunk *chunk,
1806                                        sctp_cmd_seq_t *commands,
1807                                        struct sctp_association *new_asoc)
1808{
1809        sctp_init_chunk_t *peer_init;
1810        struct sctp_chunk *repl;
1811
1812        /* new_asoc is a brand-new association, so these are not yet
1813         * side effects--it is safe to run them here.
1814         */
1815        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1816        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1817                               GFP_ATOMIC))
1818                goto nomem;
1819
1820        /* Update the content of current association.  */
1821        sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1822        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1823                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
1824        SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1825        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1826
1827        repl = sctp_make_cookie_ack(new_asoc, chunk);
1828        if (!repl)
1829                goto nomem;
1830
1831        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1832
1833        /* RFC 2960 5.1 Normal Establishment of an Association
1834         *
1835         * D) IMPLEMENTATION NOTE: An implementation may choose to
1836         * send the Communication Up notification to the SCTP user
1837         * upon reception of a valid COOKIE ECHO chunk.
1838         *
1839         * Sadly, this needs to be implemented as a side-effect, because
1840         * we are not guaranteed to have set the association id of the real
1841         * association and so these notifications need to be delayed until
1842         * the association id is allocated.
1843         */
1844
1845        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1846
1847        /* Sockets API Draft Section 5.3.1.6
1848         * When a peer sends a Adaptation Layer Indication parameter , SCTP
1849         * delivers this notification to inform the application that of the
1850         * peers requested adaptation layer.
1851         *
1852         * This also needs to be done as a side effect for the same reason as
1853         * above.
1854         */
1855        if (asoc->peer.adaptation_ind)
1856                sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1857
1858        return SCTP_DISPOSITION_CONSUME;
1859
1860nomem:
1861        return SCTP_DISPOSITION_NOMEM;
1862}
1863
1864/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1865 *
1866 * Section 5.2.4
1867 *  C) In this case, the local endpoint's cookie has arrived late.
1868 *     Before it arrived, the local endpoint sent an INIT and received an
1869 *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1870 *     but a new tag of its own.
1871 */
1872/* This case represents an initialization collision.  */
1873static sctp_disposition_t sctp_sf_do_dupcook_c(struct net *net,
1874                                        const struct sctp_endpoint *ep,
1875                                        const struct sctp_association *asoc,
1876                                        struct sctp_chunk *chunk,
1877                                        sctp_cmd_seq_t *commands,
1878                                        struct sctp_association *new_asoc)
1879{
1880        /* The cookie should be silently discarded.
1881         * The endpoint SHOULD NOT change states and should leave
1882         * any timers running.
1883         */
1884        return SCTP_DISPOSITION_DISCARD;
1885}
1886
1887/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1888 *
1889 * Section 5.2.4
1890 *
1891 * D) When both local and remote tags match the endpoint should always
1892 *    enter the ESTABLISHED state, if it has not already done so.
1893 */
1894/* This case represents an initialization collision.  */
1895static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
1896                                        const struct sctp_endpoint *ep,
1897                                        const struct sctp_association *asoc,
1898                                        struct sctp_chunk *chunk,
1899                                        sctp_cmd_seq_t *commands,
1900                                        struct sctp_association *new_asoc)
1901{
1902        struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1903        struct sctp_chunk *repl;
1904
1905        /* Clarification from Implementor's Guide:
1906         * D) When both local and remote tags match the endpoint should
1907         * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1908         * It should stop any cookie timer that may be running and send
1909         * a COOKIE ACK.
1910         */
1911
1912        /* Don't accidentally move back into established state. */
1913        if (asoc->state < SCTP_STATE_ESTABLISHED) {
1914                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1915                                SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1916                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1917                                SCTP_STATE(SCTP_STATE_ESTABLISHED));
1918                SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1919                sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1920                                SCTP_NULL());
1921
1922                /* RFC 2960 5.1 Normal Establishment of an Association
1923                 *
1924                 * D) IMPLEMENTATION NOTE: An implementation may choose
1925                 * to send the Communication Up notification to the
1926                 * SCTP user upon reception of a valid COOKIE
1927                 * ECHO chunk.
1928                 */
1929                ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1930                                             SCTP_COMM_UP, 0,
1931                                             asoc->c.sinit_num_ostreams,
1932                                             asoc->c.sinit_max_instreams,
1933                                             NULL, GFP_ATOMIC);
1934                if (!ev)
1935                        goto nomem;
1936
1937                /* Sockets API Draft Section 5.3.1.6
1938                 * When a peer sends a Adaptation Layer Indication parameter,
1939                 * SCTP delivers this notification to inform the application
1940                 * that of the peers requested adaptation layer.
1941                 */
1942                if (asoc->peer.adaptation_ind) {
1943                        ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1944                                                                 GFP_ATOMIC);
1945                        if (!ai_ev)
1946                                goto nomem;
1947
1948                }
1949        }
1950
1951        repl = sctp_make_cookie_ack(new_asoc, chunk);
1952        if (!repl)
1953                goto nomem;
1954
1955        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1956
1957        if (ev)
1958                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1959                                SCTP_ULPEVENT(ev));
1960        if (ai_ev)
1961                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1962                                        SCTP_ULPEVENT(ai_ev));
1963
1964        return SCTP_DISPOSITION_CONSUME;
1965
1966nomem:
1967        if (ai_ev)
1968                sctp_ulpevent_free(ai_ev);
1969        if (ev)
1970                sctp_ulpevent_free(ev);
1971        return SCTP_DISPOSITION_NOMEM;
1972}
1973
1974/*
1975 * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
1976 * chunk was retransmitted and then delayed in the network.
1977 *
1978 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1979 *
1980 * Verification Tag: None.  Do cookie validation.
1981 *
1982 * Inputs
1983 * (endpoint, asoc, chunk)
1984 *
1985 * Outputs
1986 * (asoc, reply_msg, msg_up, timers, counters)
1987 *
1988 * The return value is the disposition of the chunk.
1989 */
1990sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net,
1991                                        const struct sctp_endpoint *ep,
1992                                        const struct sctp_association *asoc,
1993                                        const sctp_subtype_t type,
1994                                        void *arg,
1995                                        sctp_cmd_seq_t *commands)
1996{
1997        sctp_disposition_t retval;
1998        struct sctp_chunk *chunk = arg;
1999        struct sctp_association *new_asoc;
2000        int error = 0;
2001        char action;
2002        struct sctp_chunk *err_chk_p;
2003
2004        /* Make sure that the chunk has a valid length from the protocol
2005         * perspective.  In this case check to make sure we have at least
2006         * enough for the chunk header.  Cookie length verification is
2007         * done later.
2008         */
2009        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2010                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2011                                                  commands);
2012
2013        /* "Decode" the chunk.  We have no optional parameters so we
2014         * are in good shape.
2015         */
2016        chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2017        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2018                                        sizeof(sctp_chunkhdr_t)))
2019                goto nomem;
2020
2021        /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2022         * of a duplicate COOKIE ECHO match the Verification Tags of the
2023         * current association, consider the State Cookie valid even if
2024         * the lifespan is exceeded.
2025         */
2026        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2027                                      &err_chk_p);
2028
2029        /* FIXME:
2030         * If the re-build failed, what is the proper error path
2031         * from here?
2032         *
2033         * [We should abort the association. --piggy]
2034         */
2035        if (!new_asoc) {
2036                /* FIXME: Several errors are possible.  A bad cookie should
2037                 * be silently discarded, but think about logging it too.
2038                 */
2039                switch (error) {
2040                case -SCTP_IERROR_NOMEM:
2041                        goto nomem;
2042
2043                case -SCTP_IERROR_STALE_COOKIE:
2044                        sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2045                                                   err_chk_p);
2046                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2047                case -SCTP_IERROR_BAD_SIG:
2048                default:
2049                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2050                }
2051        }
2052
2053        /* Compare the tie_tag in cookie with the verification tag of
2054         * current association.
2055         */
2056        action = sctp_tietags_compare(new_asoc, asoc);
2057
2058        switch (action) {
2059        case 'A': /* Association restart. */
2060                retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2061                                              new_asoc);
2062                break;
2063
2064        case 'B': /* Collision case B. */
2065                retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2066                                              new_asoc);
2067                break;
2068
2069        case 'C': /* Collision case C. */
2070                retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2071                                              new_asoc);
2072                break;
2073
2074        case 'D': /* Collision case D. */
2075                retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2076                                              new_asoc);
2077                break;
2078
2079        default: /* Discard packet for all others. */
2080                retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2081                break;
2082        }
2083
2084        /* Delete the tempory new association. */
2085        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
2086        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2087
2088        /* Restore association pointer to provide SCTP command interpeter
2089         * with a valid context in case it needs to manipulate
2090         * the queues */
2091        sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2092                         SCTP_ASOC((struct sctp_association *)asoc));
2093
2094        return retval;
2095
2096nomem:
2097        return SCTP_DISPOSITION_NOMEM;
2098}
2099
2100/*
2101 * Process an ABORT.  (SHUTDOWN-PENDING state)
2102 *
2103 * See sctp_sf_do_9_1_abort().
2104 */
2105sctp_disposition_t sctp_sf_shutdown_pending_abort(
2106        struct net *net,
2107        const struct sctp_endpoint *ep,
2108        const struct sctp_association *asoc,
2109        const sctp_subtype_t type,
2110        void *arg,
2111        sctp_cmd_seq_t *commands)
2112{
2113        struct sctp_chunk *chunk = arg;
2114
2115        if (!sctp_vtag_verify_either(chunk, asoc))
2116                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2117
2118        /* Make sure that the ABORT chunk has a valid length.
2119         * Since this is an ABORT chunk, we have to discard it
2120         * because of the following text:
2121         * RFC 2960, Section 3.3.7
2122         *    If an endpoint receives an ABORT with a format error or for an
2123         *    association that doesn't exist, it MUST silently discard it.
2124         * Because the length is "invalid", we can't really discard just
2125         * as we do not know its true length.  So, to be safe, discard the
2126         * packet.
2127         */
2128        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2129                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2130
2131        /* ADD-IP: Special case for ABORT chunks
2132         * F4)  One special consideration is that ABORT Chunks arriving
2133         * destined to the IP address being deleted MUST be
2134         * ignored (see Section 5.3.1 for further details).
2135         */
2136        if (SCTP_ADDR_DEL ==
2137                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2138                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2139
2140        return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2141}
2142
2143/*
2144 * Process an ABORT.  (SHUTDOWN-SENT state)
2145 *
2146 * See sctp_sf_do_9_1_abort().
2147 */
2148sctp_disposition_t sctp_sf_shutdown_sent_abort(struct net *net,
2149                                        const struct sctp_endpoint *ep,
2150                                        const struct sctp_association *asoc,
2151                                        const sctp_subtype_t type,
2152                                        void *arg,
2153                                        sctp_cmd_seq_t *commands)
2154{
2155        struct sctp_chunk *chunk = arg;
2156
2157        if (!sctp_vtag_verify_either(chunk, asoc))
2158                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2159
2160        /* Make sure that the ABORT chunk has a valid length.
2161         * Since this is an ABORT chunk, we have to discard it
2162         * because of the following text:
2163         * RFC 2960, Section 3.3.7
2164         *    If an endpoint receives an ABORT with a format error or for an
2165         *    association that doesn't exist, it MUST silently discard it.
2166         * Because the length is "invalid", we can't really discard just
2167         * as we do not know its true length.  So, to be safe, discard the
2168         * packet.
2169         */
2170        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2171                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2172
2173        /* ADD-IP: Special case for ABORT chunks
2174         * F4)  One special consideration is that ABORT Chunks arriving
2175         * destined to the IP address being deleted MUST be
2176         * ignored (see Section 5.3.1 for further details).
2177         */
2178        if (SCTP_ADDR_DEL ==
2179                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2180                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2181
2182        /* Stop the T2-shutdown timer. */
2183        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2184                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2185
2186        /* Stop the T5-shutdown guard timer.  */
2187        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2188                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2189
2190        return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2191}
2192
2193/*
2194 * Process an ABORT.  (SHUTDOWN-ACK-SENT state)
2195 *
2196 * See sctp_sf_do_9_1_abort().
2197 */
2198sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2199        struct net *net,
2200        const struct sctp_endpoint *ep,
2201        const struct sctp_association *asoc,
2202        const sctp_subtype_t type,
2203        void *arg,
2204        sctp_cmd_seq_t *commands)
2205{
2206        /* The same T2 timer, so we should be able to use
2207         * common function with the SHUTDOWN-SENT state.
2208         */
2209        return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2210}
2211
2212/*
2213 * Handle an Error received in COOKIE_ECHOED state.
2214 *
2215 * Only handle the error type of stale COOKIE Error, the other errors will
2216 * be ignored.
2217 *
2218 * Inputs
2219 * (endpoint, asoc, chunk)
2220 *
2221 * Outputs
2222 * (asoc, reply_msg, msg_up, timers, counters)
2223 *
2224 * The return value is the disposition of the chunk.
2225 */
2226sctp_disposition_t sctp_sf_cookie_echoed_err(struct net *net,
2227                                        const struct sctp_endpoint *ep,
2228                                        const struct sctp_association *asoc,
2229                                        const sctp_subtype_t type,
2230                                        void *arg,
2231                                        sctp_cmd_seq_t *commands)
2232{
2233        struct sctp_chunk *chunk = arg;
2234        sctp_errhdr_t *err;
2235
2236        if (!sctp_vtag_verify(chunk, asoc))
2237                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2238
2239        /* Make sure that the ERROR chunk has a valid length.
2240         * The parameter walking depends on this as well.
2241         */
2242        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2243                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2244                                                  commands);
2245
2246        /* Process the error here */
2247        /* FUTURE FIXME:  When PR-SCTP related and other optional
2248         * parms are emitted, this will have to change to handle multiple
2249         * errors.
2250         */
2251        sctp_walk_errors(err, chunk->chunk_hdr) {
2252                if (SCTP_ERROR_STALE_COOKIE == err->cause)
2253                        return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2254                                                        arg, commands);
2255        }
2256
2257        /* It is possible to have malformed error causes, and that
2258         * will cause us to end the walk early.  However, since
2259         * we are discarding the packet, there should be no adverse
2260         * affects.
2261         */
2262        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2263}
2264
2265/*
2266 * Handle a Stale COOKIE Error
2267 *
2268 * Section: 5.2.6 Handle Stale COOKIE Error
2269 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2270 * one of the following three alternatives.
2271 * ...
2272 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2273 *    Preservative parameter requesting an extension to the lifetime of
2274 *    the State Cookie. When calculating the time extension, an
2275 *    implementation SHOULD use the RTT information measured based on the
2276 *    previous COOKIE ECHO / ERROR exchange, and should add no more
2277 *    than 1 second beyond the measured RTT, due to long State Cookie
2278 *    lifetimes making the endpoint more subject to a replay attack.
2279 *
2280 * Verification Tag:  Not explicit, but safe to ignore.
2281 *
2282 * Inputs
2283 * (endpoint, asoc, chunk)
2284 *
2285 * Outputs
2286 * (asoc, reply_msg, msg_up, timers, counters)
2287 *
2288 * The return value is the disposition of the chunk.
2289 */
2290static sctp_disposition_t sctp_sf_do_5_2_6_stale(struct net *net,
2291                                                 const struct sctp_endpoint *ep,
2292                                                 const struct sctp_association *asoc,
2293                                                 const sctp_subtype_t type,
2294                                                 void *arg,
2295                                                 sctp_cmd_seq_t *commands)
2296{
2297        struct sctp_chunk *chunk = arg;
2298        time_t stale;
2299        sctp_cookie_preserve_param_t bht;
2300        sctp_errhdr_t *err;
2301        struct sctp_chunk *reply;
2302        struct sctp_bind_addr *bp;
2303        int attempts = asoc->init_err_counter + 1;
2304
2305        if (attempts > asoc->max_init_attempts) {
2306                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2307                                SCTP_ERROR(ETIMEDOUT));
2308                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2309                                SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2310                return SCTP_DISPOSITION_DELETE_TCB;
2311        }
2312
2313        err = (sctp_errhdr_t *)(chunk->skb->data);
2314
2315        /* When calculating the time extension, an implementation
2316         * SHOULD use the RTT information measured based on the
2317         * previous COOKIE ECHO / ERROR exchange, and should add no
2318         * more than 1 second beyond the measured RTT, due to long
2319         * State Cookie lifetimes making the endpoint more subject to
2320         * a replay attack.
2321         * Measure of Staleness's unit is usec. (1/1000000 sec)
2322         * Suggested Cookie Life-span Increment's unit is msec.
2323         * (1/1000 sec)
2324         * In general, if you use the suggested cookie life, the value
2325         * found in the field of measure of staleness should be doubled
2326         * to give ample time to retransmit the new cookie and thus
2327         * yield a higher probability of success on the reattempt.
2328         */
2329        stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2330        stale = (stale * 2) / 1000;
2331
2332        bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2333        bht.param_hdr.length = htons(sizeof(bht));
2334        bht.lifespan_increment = htonl(stale);
2335
2336        /* Build that new INIT chunk.  */
2337        bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2338        reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2339        if (!reply)
2340                goto nomem;
2341
2342        sctp_addto_chunk(reply, sizeof(bht), &bht);
2343
2344        /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2345        sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2346
2347        /* Stop pending T3-rtx and heartbeat timers */
2348        sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2349        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2350
2351        /* Delete non-primary peer ip addresses since we are transitioning
2352         * back to the COOKIE-WAIT state
2353         */
2354        sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2355
2356        /* If we've sent any data bundled with COOKIE-ECHO we will need to
2357         * resend
2358         */
2359        sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2360                        SCTP_TRANSPORT(asoc->peer.primary_path));
2361
2362        /* Cast away the const modifier, as we want to just
2363         * rerun it through as a sideffect.
2364         */
2365        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2366
2367        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2368                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2369        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2370                        SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2371        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2372                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2373
2374        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2375
2376        return SCTP_DISPOSITION_CONSUME;
2377
2378nomem:
2379        return SCTP_DISPOSITION_NOMEM;
2380}
2381
2382/*
2383 * Process an ABORT.
2384 *
2385 * Section: 9.1
2386 * After checking the Verification Tag, the receiving endpoint shall
2387 * remove the association from its record, and shall report the
2388 * termination to its upper layer.
2389 *
2390 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2391 * B) Rules for packet carrying ABORT:
2392 *
2393 *  - The endpoint shall always fill in the Verification Tag field of the
2394 *    outbound packet with the destination endpoint's tag value if it
2395 *    is known.
2396 *
2397 *  - If the ABORT is sent in response to an OOTB packet, the endpoint
2398 *    MUST follow the procedure described in Section 8.4.
2399 *
2400 *  - The receiver MUST accept the packet if the Verification Tag
2401 *    matches either its own tag, OR the tag of its peer. Otherwise, the
2402 *    receiver MUST silently discard the packet and take no further
2403 *    action.
2404 *
2405 * Inputs
2406 * (endpoint, asoc, chunk)
2407 *
2408 * Outputs
2409 * (asoc, reply_msg, msg_up, timers, counters)
2410 *
2411 * The return value is the disposition of the chunk.
2412 */
2413sctp_disposition_t sctp_sf_do_9_1_abort(struct net *net,
2414                                        const struct sctp_endpoint *ep,
2415                                        const struct sctp_association *asoc,
2416                                        const sctp_subtype_t type,
2417                                        void *arg,
2418                                        sctp_cmd_seq_t *commands)
2419{
2420        struct sctp_chunk *chunk = arg;
2421
2422        if (!sctp_vtag_verify_either(chunk, asoc))
2423                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2424
2425        /* Make sure that the ABORT chunk has a valid length.
2426         * Since this is an ABORT chunk, we have to discard it
2427         * because of the following text:
2428         * RFC 2960, Section 3.3.7
2429         *    If an endpoint receives an ABORT with a format error or for an
2430         *    association that doesn't exist, it MUST silently discard it.
2431         * Because the length is "invalid", we can't really discard just
2432         * as we do not know its true length.  So, to be safe, discard the
2433         * packet.
2434         */
2435        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2436                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2437
2438        /* ADD-IP: Special case for ABORT chunks
2439         * F4)  One special consideration is that ABORT Chunks arriving
2440         * destined to the IP address being deleted MUST be
2441         * ignored (see Section 5.3.1 for further details).
2442         */
2443        if (SCTP_ADDR_DEL ==
2444                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2445                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2446
2447        return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2448}
2449
2450static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
2451                                        const struct sctp_endpoint *ep,
2452                                        const struct sctp_association *asoc,
2453                                        const sctp_subtype_t type,
2454                                        void *arg,
2455                                        sctp_cmd_seq_t *commands)
2456{
2457        struct sctp_chunk *chunk = arg;
2458        unsigned int len;
2459        __be16 error = SCTP_ERROR_NO_ERROR;
2460
2461        /* See if we have an error cause code in the chunk.  */
2462        len = ntohs(chunk->chunk_hdr->length);
2463        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
2464
2465                sctp_errhdr_t *err;
2466                sctp_walk_errors(err, chunk->chunk_hdr);
2467                if ((void *)err != (void *)chunk->chunk_end)
2468                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2469
2470                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2471        }
2472
2473        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2474        /* ASSOC_FAILED will DELETE_TCB. */
2475        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2476        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2477        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2478
2479        return SCTP_DISPOSITION_ABORT;
2480}
2481
2482/*
2483 * Process an ABORT.  (COOKIE-WAIT state)
2484 *
2485 * See sctp_sf_do_9_1_abort() above.
2486 */
2487sctp_disposition_t sctp_sf_cookie_wait_abort(struct net *net,
2488                                     const struct sctp_endpoint *ep,
2489                                     const struct sctp_association *asoc,
2490                                     const sctp_subtype_t type,
2491                                     void *arg,
2492                                     sctp_cmd_seq_t *commands)
2493{
2494        struct sctp_chunk *chunk = arg;
2495        unsigned int len;
2496        __be16 error = SCTP_ERROR_NO_ERROR;
2497
2498        if (!sctp_vtag_verify_either(chunk, asoc))
2499                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2500
2501        /* Make sure that the ABORT chunk has a valid length.
2502         * Since this is an ABORT chunk, we have to discard it
2503         * because of the following text:
2504         * RFC 2960, Section 3.3.7
2505         *    If an endpoint receives an ABORT with a format error or for an
2506         *    association that doesn't exist, it MUST silently discard it.
2507         * Because the length is "invalid", we can't really discard just
2508         * as we do not know its true length.  So, to be safe, discard the
2509         * packet.
2510         */
2511        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2512                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2513
2514        /* See if we have an error cause code in the chunk.  */
2515        len = ntohs(chunk->chunk_hdr->length);
2516        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2517                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2518
2519        return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2520                                      chunk->transport);
2521}
2522
2523/*
2524 * Process an incoming ICMP as an ABORT.  (COOKIE-WAIT state)
2525 */
2526sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(struct net *net,
2527                                        const struct sctp_endpoint *ep,
2528                                        const struct sctp_association *asoc,
2529                                        const sctp_subtype_t type,
2530                                        void *arg,
2531                                        sctp_cmd_seq_t *commands)
2532{
2533        return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2534                                      ENOPROTOOPT, asoc,
2535                                      (struct sctp_transport *)arg);
2536}
2537
2538/*
2539 * Process an ABORT.  (COOKIE-ECHOED state)
2540 */
2541sctp_disposition_t sctp_sf_cookie_echoed_abort(struct net *net,
2542                                               const struct sctp_endpoint *ep,
2543                                               const struct sctp_association *asoc,
2544                                               const sctp_subtype_t type,
2545                                               void *arg,
2546                                               sctp_cmd_seq_t *commands)
2547{
2548        /* There is a single T1 timer, so we should be able to use
2549         * common function with the COOKIE-WAIT state.
2550         */
2551        return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2552}
2553
2554/*
2555 * Stop T1 timer and abort association with "INIT failed".
2556 *
2557 * This is common code called by several sctp_sf_*_abort() functions above.
2558 */
2559static sctp_disposition_t sctp_stop_t1_and_abort(struct net *net,
2560                                           sctp_cmd_seq_t *commands,
2561                                           __be16 error, int sk_err,
2562                                           const struct sctp_association *asoc,
2563                                           struct sctp_transport *transport)
2564{
2565        SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");
2566        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2567                        SCTP_STATE(SCTP_STATE_CLOSED));
2568        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2569        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2570                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2571        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2572        /* CMD_INIT_FAILED will DELETE_TCB. */
2573        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2574                        SCTP_PERR(error));
2575        return SCTP_DISPOSITION_ABORT;
2576}
2577
2578/*
2579 * sctp_sf_do_9_2_shut
2580 *
2581 * Section: 9.2
2582 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2583 *  - enter the SHUTDOWN-RECEIVED state,
2584 *
2585 *  - stop accepting new data from its SCTP user
2586 *
2587 *  - verify, by checking the Cumulative TSN Ack field of the chunk,
2588 *    that all its outstanding DATA chunks have been received by the
2589 *    SHUTDOWN sender.
2590 *
2591 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2592 * send a SHUTDOWN in response to a ULP request. And should discard
2593 * subsequent SHUTDOWN chunks.
2594 *
2595 * If there are still outstanding DATA chunks left, the SHUTDOWN
2596 * receiver shall continue to follow normal data transmission
2597 * procedures defined in Section 6 until all outstanding DATA chunks
2598 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2599 * new data from its SCTP user.
2600 *
2601 * Verification Tag:  8.5 Verification Tag [Normal verification]
2602 *
2603 * Inputs
2604 * (endpoint, asoc, chunk)
2605 *
2606 * Outputs
2607 * (asoc, reply_msg, msg_up, timers, counters)
2608 *
2609 * The return value is the disposition of the chunk.
2610 */
2611sctp_disposition_t sctp_sf_do_9_2_shutdown(struct net *net,
2612                                           const struct sctp_endpoint *ep,
2613                                           const struct sctp_association *asoc,
2614                                           const sctp_subtype_t type,
2615                                           void *arg,
2616                                           sctp_cmd_seq_t *commands)
2617{
2618        struct sctp_chunk *chunk = arg;
2619        sctp_shutdownhdr_t *sdh;
2620        sctp_disposition_t disposition;
2621        struct sctp_ulpevent *ev;
2622        __u32 ctsn;
2623
2624        if (!sctp_vtag_verify(chunk, asoc))
2625                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2626
2627        /* Make sure that the SHUTDOWN chunk has a valid length. */
2628        if (!sctp_chunk_length_valid(chunk,
2629                                      sizeof(struct sctp_shutdown_chunk_t)))
2630                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2631                                                  commands);
2632
2633        /* Convert the elaborate header.  */
2634        sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2635        skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2636        chunk->subh.shutdown_hdr = sdh;
2637        ctsn = ntohl(sdh->cum_tsn_ack);
2638
2639        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2640                SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2641                SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2642                return SCTP_DISPOSITION_DISCARD;
2643        }
2644
2645        /* If Cumulative TSN Ack beyond the max tsn currently
2646         * send, terminating the association and respond to the
2647         * sender with an ABORT.
2648         */
2649        if (!TSN_lt(ctsn, asoc->next_tsn))
2650                return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2651
2652        /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2653         * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2654         * inform the application that it should cease sending data.
2655         */
2656        ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2657        if (!ev) {
2658                disposition = SCTP_DISPOSITION_NOMEM;
2659                goto out;
2660        }
2661        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2662
2663        /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2664         *  - enter the SHUTDOWN-RECEIVED state,
2665         *  - stop accepting new data from its SCTP user
2666         *
2667         * [This is implicit in the new state.]
2668         */
2669        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2670                        SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2671        disposition = SCTP_DISPOSITION_CONSUME;
2672
2673        if (sctp_outq_is_empty(&asoc->outqueue)) {
2674                disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2675                                                          arg, commands);
2676        }
2677
2678        if (SCTP_DISPOSITION_NOMEM == disposition)
2679                goto out;
2680
2681        /*  - verify, by checking the Cumulative TSN Ack field of the
2682         *    chunk, that all its outstanding DATA chunks have been
2683         *    received by the SHUTDOWN sender.
2684         */
2685        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2686                        SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2687
2688out:
2689        return disposition;
2690}
2691
2692/*
2693 * sctp_sf_do_9_2_shut_ctsn
2694 *
2695 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2696 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2697 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2698 * MUST be processed.
2699 */
2700sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(struct net *net,
2701                                           const struct sctp_endpoint *ep,
2702                                           const struct sctp_association *asoc,
2703                                           const sctp_subtype_t type,
2704                                           void *arg,
2705                                           sctp_cmd_seq_t *commands)
2706{
2707        struct sctp_chunk *chunk = arg;
2708        sctp_shutdownhdr_t *sdh;
2709        __u32 ctsn;
2710
2711        if (!sctp_vtag_verify(chunk, asoc))
2712                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2713
2714        /* Make sure that the SHUTDOWN chunk has a valid length. */
2715        if (!sctp_chunk_length_valid(chunk,
2716                                      sizeof(struct sctp_shutdown_chunk_t)))
2717                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2718                                                  commands);
2719
2720        sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2721        ctsn = ntohl(sdh->cum_tsn_ack);
2722
2723        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2724                SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2725                SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2726                return SCTP_DISPOSITION_DISCARD;
2727        }
2728
2729        /* If Cumulative TSN Ack beyond the max tsn currently
2730         * send, terminating the association and respond to the
2731         * sender with an ABORT.
2732         */
2733        if (!TSN_lt(ctsn, asoc->next_tsn))
2734                return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2735
2736        /* verify, by checking the Cumulative TSN Ack field of the
2737         * chunk, that all its outstanding DATA chunks have been
2738         * received by the SHUTDOWN sender.
2739         */
2740        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2741                        SCTP_BE32(sdh->cum_tsn_ack));
2742
2743        return SCTP_DISPOSITION_CONSUME;
2744}
2745
2746/* RFC 2960 9.2
2747 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2748 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2749 * transport addresses (either in the IP addresses or in the INIT chunk)
2750 * that belong to this association, it should discard the INIT chunk and
2751 * retransmit the SHUTDOWN ACK chunk.
2752 */
2753sctp_disposition_t sctp_sf_do_9_2_reshutack(struct net *net,
2754                                    const struct sctp_endpoint *ep,
2755                                    const struct sctp_association *asoc,
2756                                    const sctp_subtype_t type,
2757                                    void *arg,
2758                                    sctp_cmd_seq_t *commands)
2759{
2760        struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2761        struct sctp_chunk *reply;
2762
2763        /* Make sure that the chunk has a valid length */
2764        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2765                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2766                                                  commands);
2767
2768        /* Since we are not going to really process this INIT, there
2769         * is no point in verifying chunk boundries.  Just generate
2770         * the SHUTDOWN ACK.
2771         */
2772        reply = sctp_make_shutdown_ack(asoc, chunk);
2773        if (NULL == reply)
2774                goto nomem;
2775
2776        /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2777         * the T2-SHUTDOWN timer.
2778         */
2779        sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2780
2781        /* and restart the T2-shutdown timer. */
2782        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2783                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2784
2785        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2786
2787        return SCTP_DISPOSITION_CONSUME;
2788nomem:
2789        return SCTP_DISPOSITION_NOMEM;
2790}
2791
2792/*
2793 * sctp_sf_do_ecn_cwr
2794 *
2795 * Section:  Appendix A: Explicit Congestion Notification
2796 *
2797 * CWR:
2798 *
2799 * RFC 2481 details a specific bit for a sender to send in the header of
2800 * its next outbound TCP segment to indicate to its peer that it has
2801 * reduced its congestion window.  This is termed the CWR bit.  For
2802 * SCTP the same indication is made by including the CWR chunk.
2803 * This chunk contains one data element, i.e. the TSN number that
2804 * was sent in the ECNE chunk.  This element represents the lowest
2805 * TSN number in the datagram that was originally marked with the
2806 * CE bit.
2807 *
2808 * Verification Tag: 8.5 Verification Tag [Normal verification]
2809 * Inputs
2810 * (endpoint, asoc, chunk)
2811 *
2812 * Outputs
2813 * (asoc, reply_msg, msg_up, timers, counters)
2814 *
2815 * The return value is the disposition of the chunk.
2816 */
2817sctp_disposition_t sctp_sf_do_ecn_cwr(struct net *net,
2818                                      const struct sctp_endpoint *ep,
2819                                      const struct sctp_association *asoc,
2820                                      const sctp_subtype_t type,
2821                                      void *arg,
2822                                      sctp_cmd_seq_t *commands)
2823{
2824        sctp_cwrhdr_t *cwr;
2825        struct sctp_chunk *chunk = arg;
2826        u32 lowest_tsn;
2827
2828        if (!sctp_vtag_verify(chunk, asoc))
2829                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2830
2831        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2832                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2833                                                  commands);
2834
2835        cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2836        skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2837
2838        lowest_tsn = ntohl(cwr->lowest_tsn);
2839
2840        /* Does this CWR ack the last sent congestion notification? */
2841        if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2842                /* Stop sending ECNE. */
2843                sctp_add_cmd_sf(commands,
2844                                SCTP_CMD_ECN_CWR,
2845                                SCTP_U32(lowest_tsn));
2846        }
2847        return SCTP_DISPOSITION_CONSUME;
2848}
2849
2850/*
2851 * sctp_sf_do_ecne
2852 *
2853 * Section:  Appendix A: Explicit Congestion Notification
2854 *
2855 * ECN-Echo
2856 *
2857 * RFC 2481 details a specific bit for a receiver to send back in its
2858 * TCP acknowledgements to notify the sender of the Congestion
2859 * Experienced (CE) bit having arrived from the network.  For SCTP this
2860 * same indication is made by including the ECNE chunk.  This chunk
2861 * contains one data element, i.e. the lowest TSN associated with the IP
2862 * datagram marked with the CE bit.....
2863 *
2864 * Verification Tag: 8.5 Verification Tag [Normal verification]
2865 * Inputs
2866 * (endpoint, asoc, chunk)
2867 *
2868 * Outputs
2869 * (asoc, reply_msg, msg_up, timers, counters)
2870 *
2871 * The return value is the disposition of the chunk.
2872 */
2873sctp_disposition_t sctp_sf_do_ecne(struct net *net,
2874                                   const struct sctp_endpoint *ep,
2875                                   const struct sctp_association *asoc,
2876                                   const sctp_subtype_t type,
2877                                   void *arg,
2878                                   sctp_cmd_seq_t *commands)
2879{
2880        sctp_ecnehdr_t *ecne;
2881        struct sctp_chunk *chunk = arg;
2882
2883        if (!sctp_vtag_verify(chunk, asoc))
2884                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2885
2886        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2887                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2888                                                  commands);
2889
2890        ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2891        skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2892
2893        /* If this is a newer ECNE than the last CWR packet we sent out */
2894        sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2895                        SCTP_U32(ntohl(ecne->lowest_tsn)));
2896
2897        return SCTP_DISPOSITION_CONSUME;
2898}
2899
2900/*
2901 * Section: 6.2  Acknowledgement on Reception of DATA Chunks
2902 *
2903 * The SCTP endpoint MUST always acknowledge the reception of each valid
2904 * DATA chunk.
2905 *
2906 * The guidelines on delayed acknowledgement algorithm specified in
2907 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2908 * acknowledgement SHOULD be generated for at least every second packet
2909 * (not every second DATA chunk) received, and SHOULD be generated within
2910 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2911 * situations it may be beneficial for an SCTP transmitter to be more
2912 * conservative than the algorithms detailed in this document allow.
2913 * However, an SCTP transmitter MUST NOT be more aggressive than the
2914 * following algorithms allow.
2915 *
2916 * A SCTP receiver MUST NOT generate more than one SACK for every
2917 * incoming packet, other than to update the offered window as the
2918 * receiving application consumes new data.
2919 *
2920 * Verification Tag:  8.5 Verification Tag [Normal verification]
2921 *
2922 * Inputs
2923 * (endpoint, asoc, chunk)
2924 *
2925 * Outputs
2926 * (asoc, reply_msg, msg_up, timers, counters)
2927 *
2928 * The return value is the disposition of the chunk.
2929 */
2930sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net,
2931                                        const struct sctp_endpoint *ep,
2932                                        const struct sctp_association *asoc,
2933                                        const sctp_subtype_t type,
2934                                        void *arg,
2935                                        sctp_cmd_seq_t *commands)
2936{
2937        struct sctp_chunk *chunk = arg;
2938        sctp_arg_t force = SCTP_NOFORCE();
2939        int error;
2940
2941        if (!sctp_vtag_verify(chunk, asoc)) {
2942                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2943                                SCTP_NULL());
2944                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2945        }
2946
2947        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2948                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2949                                                  commands);
2950
2951        error = sctp_eat_data(asoc, chunk, commands );
2952        switch (error) {
2953        case SCTP_IERROR_NO_ERROR:
2954                break;
2955        case SCTP_IERROR_HIGH_TSN:
2956        case SCTP_IERROR_BAD_STREAM:
2957                SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2958                goto discard_noforce;
2959        case SCTP_IERROR_DUP_TSN:
2960        case SCTP_IERROR_IGNORE_TSN:
2961                SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2962                goto discard_force;
2963        case SCTP_IERROR_NO_DATA:
2964                goto consume;
2965        case SCTP_IERROR_PROTO_VIOLATION:
2966                return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
2967                        (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
2968        default:
2969                BUG();
2970        }
2971
2972        if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
2973                force = SCTP_FORCE();
2974
2975        if (asoc->autoclose) {
2976                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2977                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2978        }
2979
2980        /* If this is the last chunk in a packet, we need to count it
2981         * toward sack generation.  Note that we need to SACK every
2982         * OTHER packet containing data chunks, EVEN IF WE DISCARD
2983         * THEM.  We elect to NOT generate SACK's if the chunk fails
2984         * the verification tag test.
2985         *
2986         * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2987         *
2988         * The SCTP endpoint MUST always acknowledge the reception of
2989         * each valid DATA chunk.
2990         *
2991         * The guidelines on delayed acknowledgement algorithm
2992         * specified in  Section 4.2 of [RFC2581] SHOULD be followed.
2993         * Specifically, an acknowledgement SHOULD be generated for at
2994         * least every second packet (not every second DATA chunk)
2995         * received, and SHOULD be generated within 200 ms of the
2996         * arrival of any unacknowledged DATA chunk.  In some
2997         * situations it may be beneficial for an SCTP transmitter to
2998         * be more conservative than the algorithms detailed in this
2999         * document allow. However, an SCTP transmitter MUST NOT be
3000         * more aggressive than the following algorithms allow.
3001         */
3002        if (chunk->end_of_packet)
3003                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3004
3005        return SCTP_DISPOSITION_CONSUME;
3006
3007discard_force:
3008        /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3009         *
3010         * When a packet arrives with duplicate DATA chunk(s) and with
3011         * no new DATA chunk(s), the endpoint MUST immediately send a
3012         * SACK with no delay.  If a packet arrives with duplicate
3013         * DATA chunk(s) bundled with new DATA chunks, the endpoint
3014         * MAY immediately send a SACK.  Normally receipt of duplicate
3015         * DATA chunks will occur when the original SACK chunk was lost
3016         * and the peer's RTO has expired.  The duplicate TSN number(s)
3017         * SHOULD be reported in the SACK as duplicate.
3018         */
3019        /* In our case, we split the MAY SACK advice up whether or not
3020         * the last chunk is a duplicate.'
3021         */
3022        if (chunk->end_of_packet)
3023                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3024        return SCTP_DISPOSITION_DISCARD;
3025
3026discard_noforce:
3027        if (chunk->end_of_packet)
3028                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3029
3030        return SCTP_DISPOSITION_DISCARD;
3031consume:
3032        return SCTP_DISPOSITION_CONSUME;
3033
3034}
3035
3036/*
3037 * sctp_sf_eat_data_fast_4_4
3038 *
3039 * Section: 4 (4)
3040 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3041 *    DATA chunks without delay.
3042 *
3043 * Verification Tag:  8.5 Verification Tag [Normal verification]
3044 * Inputs
3045 * (endpoint, asoc, chunk)
3046 *
3047 * Outputs
3048 * (asoc, reply_msg, msg_up, timers, counters)
3049 *
3050 * The return value is the disposition of the chunk.
3051 */
3052sctp_disposition_t sctp_sf_eat_data_fast_4_4(struct net *net,
3053                                     const struct sctp_endpoint *ep,
3054                                     const struct sctp_association *asoc,
3055                                     const sctp_subtype_t type,
3056                                     void *arg,
3057                                     sctp_cmd_seq_t *commands)
3058{
3059        struct sctp_chunk *chunk = arg;
3060        int error;
3061
3062        if (!sctp_vtag_verify(chunk, asoc)) {
3063                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3064                                SCTP_NULL());
3065                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3066        }
3067
3068        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
3069                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3070                                                  commands);
3071
3072        error = sctp_eat_data(asoc, chunk, commands );
3073        switch (error) {
3074        case SCTP_IERROR_NO_ERROR:
3075        case SCTP_IERROR_HIGH_TSN:
3076        case SCTP_IERROR_DUP_TSN:
3077        case SCTP_IERROR_IGNORE_TSN:
3078        case SCTP_IERROR_BAD_STREAM:
3079                break;
3080        case SCTP_IERROR_NO_DATA:
3081                goto consume;
3082        case SCTP_IERROR_PROTO_VIOLATION:
3083                return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3084                        (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
3085        default:
3086                BUG();
3087        }
3088
3089        /* Go a head and force a SACK, since we are shutting down. */
3090
3091        /* Implementor's Guide.
3092         *
3093         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3094         * respond to each received packet containing one or more DATA chunk(s)
3095         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3096         */
3097        if (chunk->end_of_packet) {
3098                /* We must delay the chunk creation since the cumulative
3099                 * TSN has not been updated yet.
3100                 */
3101                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3102                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3103                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3104                                SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3105        }
3106
3107consume:
3108        return SCTP_DISPOSITION_CONSUME;
3109}
3110
3111/*
3112 * Section: 6.2  Processing a Received SACK
3113 * D) Any time a SACK arrives, the endpoint performs the following:
3114 *
3115 *     i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3116 *     then drop the SACK.   Since Cumulative TSN Ack is monotonically
3117 *     increasing, a SACK whose Cumulative TSN Ack is less than the
3118 *     Cumulative TSN Ack Point indicates an out-of-order SACK.
3119 *
3120 *     ii) Set rwnd equal to the newly received a_rwnd minus the number
3121 *     of bytes still outstanding after processing the Cumulative TSN Ack
3122 *     and the Gap Ack Blocks.
3123 *
3124 *     iii) If the SACK is missing a TSN that was previously
3125 *     acknowledged via a Gap Ack Block (e.g., the data receiver
3126 *     reneged on the data), then mark the corresponding DATA chunk
3127 *     as available for retransmit:  Mark it as missing for fast
3128 *     retransmit as described in Section 7.2.4 and if no retransmit
3129 *     timer is running for the destination address to which the DATA
3130 *     chunk was originally transmitted, then T3-rtx is started for
3131 *     that destination address.
3132 *
3133 * Verification Tag:  8.5 Verification Tag [Normal verification]
3134 *
3135 * Inputs
3136 * (endpoint, asoc, chunk)
3137 *
3138 * Outputs
3139 * (asoc, reply_msg, msg_up, timers, counters)
3140 *
3141 * The return value is the disposition of the chunk.
3142 */
3143sctp_disposition_t sctp_sf_eat_sack_6_2(struct net *net,
3144                                        const struct sctp_endpoint *ep,
3145                                        const struct sctp_association *asoc,
3146                                        const sctp_subtype_t type,
3147                                        void *arg,
3148                                        sctp_cmd_seq_t *commands)
3149{
3150        struct sctp_chunk *chunk = arg;
3151        sctp_sackhdr_t *sackh;
3152        __u32 ctsn;
3153
3154        if (!sctp_vtag_verify(chunk, asoc))
3155                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3156
3157        /* Make sure that the SACK chunk has a valid length. */
3158        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
3159                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3160                                                  commands);
3161
3162        /* Pull the SACK chunk from the data buffer */
3163        sackh = sctp_sm_pull_sack(chunk);
3164        /* Was this a bogus SACK? */
3165        if (!sackh)
3166                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3167        chunk->subh.sack_hdr = sackh;
3168        ctsn = ntohl(sackh->cum_tsn_ack);
3169
3170        /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3171         *     Ack Point, then drop the SACK.  Since Cumulative TSN
3172         *     Ack is monotonically increasing, a SACK whose
3173         *     Cumulative TSN Ack is less than the Cumulative TSN Ack
3174         *     Point indicates an out-of-order SACK.
3175         */
3176        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3177                SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
3178                SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
3179                return SCTP_DISPOSITION_DISCARD;
3180        }
3181
3182        /* If Cumulative TSN Ack beyond the max tsn currently
3183         * send, terminating the association and respond to the
3184         * sender with an ABORT.
3185         */
3186        if (!TSN_lt(ctsn, asoc->next_tsn))
3187                return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3188
3189        /* Return this SACK for further processing.  */
3190        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3191
3192        /* Note: We do the rest of the work on the PROCESS_SACK
3193         * sideeffect.
3194         */
3195        return SCTP_DISPOSITION_CONSUME;
3196}
3197
3198/*
3199 * Generate an ABORT in response to a packet.
3200 *
3201 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3202 *
3203 * 8) The receiver should respond to the sender of the OOTB packet with
3204 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3205 *    MUST fill in the Verification Tag field of the outbound packet
3206 *    with the value found in the Verification Tag field of the OOTB
3207 *    packet and set the T-bit in the Chunk Flags to indicate that the
3208 *    Verification Tag is reflected.  After sending this ABORT, the
3209 *    receiver of the OOTB packet shall discard the OOTB packet and take
3210 *    no further action.
3211 *
3212 * Verification Tag:
3213 *
3214 * The return value is the disposition of the chunk.
3215*/
3216static sctp_disposition_t sctp_sf_tabort_8_4_8(struct net *net,
3217                                        const struct sctp_endpoint *ep,
3218                                        const struct sctp_association *asoc,
3219                                        const sctp_subtype_t type,
3220                                        void *arg,
3221                                        sctp_cmd_seq_t *commands)
3222{
3223        struct sctp_packet *packet = NULL;
3224        struct sctp_chunk *chunk = arg;
3225        struct sctp_chunk *abort;
3226
3227        packet = sctp_ootb_pkt_new(net, asoc, chunk);
3228
3229        if (packet) {
3230                /* Make an ABORT. The T bit will be set if the asoc
3231                 * is NULL.
3232                 */
3233                abort = sctp_make_abort(asoc, chunk, 0);
3234                if (!abort) {
3235                        sctp_ootb_pkt_free(packet);
3236                        return SCTP_DISPOSITION_NOMEM;
3237                }
3238
3239                /* Reflect vtag if T-Bit is set */
3240                if (sctp_test_T_bit(abort))
3241                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3242
3243                /* Set the skb to the belonging sock for accounting.  */
3244                abort->skb->sk = ep->base.sk;
3245
3246                sctp_packet_append_chunk(packet, abort);
3247
3248                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3249                                SCTP_PACKET(packet));
3250
3251                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3252
3253                sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3254                return SCTP_DISPOSITION_CONSUME;
3255        }
3256
3257        return SCTP_DISPOSITION_NOMEM;
3258}
3259
3260/*
3261 * Received an ERROR chunk from peer.  Generate SCTP_REMOTE_ERROR
3262 * event as ULP notification for each cause included in the chunk.
3263 *
3264 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3265 *
3266 * The return value is the disposition of the chunk.
3267*/
3268sctp_disposition_t sctp_sf_operr_notify(struct net *net,
3269                                        const struct sctp_endpoint *ep,
3270                                        const struct sctp_association *asoc,
3271                                        const sctp_subtype_t type,
3272                                        void *arg,
3273                                        sctp_cmd_seq_t *commands)
3274{
3275        struct sctp_chunk *chunk = arg;
3276        sctp_errhdr_t *err;
3277
3278        if (!sctp_vtag_verify(chunk, asoc))
3279                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3280
3281        /* Make sure that the ERROR chunk has a valid length. */
3282        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3283                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3284                                                  commands);
3285        sctp_walk_errors(err, chunk->chunk_hdr);
3286        if ((void *)err != (void *)chunk->chunk_end)
3287                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3288                                                  (void *)err, commands);
3289
3290        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3291                        SCTP_CHUNK(chunk));
3292
3293        return SCTP_DISPOSITION_CONSUME;
3294}
3295
3296/*
3297 * Process an inbound SHUTDOWN ACK.
3298 *
3299 * From Section 9.2:
3300 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3301 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3302 * peer, and remove all record of the association.
3303 *
3304 * The return value is the disposition.
3305 */
3306sctp_disposition_t sctp_sf_do_9_2_final(struct net *net,
3307                                        const struct sctp_endpoint *ep,
3308                                        const struct sctp_association *asoc,
3309                                        const sctp_subtype_t type,
3310                                        void *arg,
3311                                        sctp_cmd_seq_t *commands)
3312{
3313        struct sctp_chunk *chunk = arg;
3314        struct sctp_chunk *reply;
3315        struct sctp_ulpevent *ev;
3316
3317        if (!sctp_vtag_verify(chunk, asoc))
3318                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3319
3320        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3321        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3322                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3323                                                  commands);
3324        /* 10.2 H) SHUTDOWN COMPLETE notification
3325         *
3326         * When SCTP completes the shutdown procedures (section 9.2) this
3327         * notification is passed to the upper layer.
3328         */
3329        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3330                                             0, 0, 0, NULL, GFP_ATOMIC);
3331        if (!ev)
3332                goto nomem;
3333
3334        /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3335        reply = sctp_make_shutdown_complete(asoc, chunk);
3336        if (!reply)
3337                goto nomem_chunk;
3338
3339        /* Do all the commands now (after allocation), so that we
3340         * have consistent state if memory allocation failes
3341         */
3342        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3343
3344        /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3345         * stop the T2-shutdown timer,
3346         */
3347        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3348                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3349
3350        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3351                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3352
3353        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3354                        SCTP_STATE(SCTP_STATE_CLOSED));
3355        SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3356        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3357        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3358
3359        /* ...and remove all record of the association. */
3360        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3361        return SCTP_DISPOSITION_DELETE_TCB;
3362
3363nomem_chunk:
3364        sctp_ulpevent_free(ev);
3365nomem:
3366        return SCTP_DISPOSITION_NOMEM;
3367}
3368
3369/*
3370 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3371 *
3372 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3373 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3374 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3375 *    packet must fill in the Verification Tag field of the outbound
3376 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3377 *    set the T-bit in the Chunk Flags to indicate that the Verification
3378 *    Tag is reflected.
3379 *
3380 * 8) The receiver should respond to the sender of the OOTB packet with
3381 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3382 *    MUST fill in the Verification Tag field of the outbound packet
3383 *    with the value found in the Verification Tag field of the OOTB
3384 *    packet and set the T-bit in the Chunk Flags to indicate that the
3385 *    Verification Tag is reflected.  After sending this ABORT, the
3386 *    receiver of the OOTB packet shall discard the OOTB packet and take
3387 *    no further action.
3388 */
3389sctp_disposition_t sctp_sf_ootb(struct net *net,
3390                                const struct sctp_endpoint *ep,
3391                                const struct sctp_association *asoc,
3392                                const sctp_subtype_t type,
3393                                void *arg,
3394                                sctp_cmd_seq_t *commands)
3395{
3396        struct sctp_chunk *chunk = arg;
3397        struct sk_buff *skb = chunk->skb;
3398        sctp_chunkhdr_t *ch;
3399        sctp_errhdr_t *err;
3400        __u8 *ch_end;
3401        int ootb_shut_ack = 0;
3402        int ootb_cookie_ack = 0;
3403
3404        SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3405
3406        ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3407        do {
3408                /* Report violation if the chunk is less then minimal */
3409                if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3410                        return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3411                                                  commands);
3412
3413                /* Now that we know we at least have a chunk header,
3414                 * do things that are type appropriate.
3415                 */
3416                if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3417                        ootb_shut_ack = 1;
3418
3419                /* RFC 2960, Section 3.3.7
3420                 *   Moreover, under any circumstances, an endpoint that
3421                 *   receives an ABORT  MUST NOT respond to that ABORT by
3422                 *   sending an ABORT of its own.
3423                 */
3424                if (SCTP_CID_ABORT == ch->type)
3425                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3426
3427                /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3428                 * or a COOKIE ACK the SCTP Packet should be silently
3429                 * discarded.
3430                 */
3431
3432                if (SCTP_CID_COOKIE_ACK == ch->type)
3433                        ootb_cookie_ack = 1;
3434
3435                if (SCTP_CID_ERROR == ch->type) {
3436                        sctp_walk_errors(err, ch) {
3437                                if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3438                                        ootb_cookie_ack = 1;
3439                                        break;
3440                                }
3441                        }
3442                }
3443
3444                /* Report violation if chunk len overflows */
3445                ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3446                if (ch_end > skb_tail_pointer(skb))
3447                        return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3448                                                  commands);
3449
3450                ch = (sctp_chunkhdr_t *) ch_end;
3451        } while (ch_end < skb_tail_pointer(skb));
3452
3453        if (ootb_shut_ack)
3454                return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3455        else if (ootb_cookie_ack)
3456                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3457        else
3458                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3459}
3460
3461/*
3462 * Handle an "Out of the blue" SHUTDOWN ACK.
3463 *
3464 * Section: 8.4 5, sctpimpguide 2.41.
3465 *
3466 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3467 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3468 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3469 *    packet must fill in the Verification Tag field of the outbound
3470 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3471 *    set the T-bit in the Chunk Flags to indicate that the Verification
3472 *    Tag is reflected.
3473 *
3474 * Inputs
3475 * (endpoint, asoc, type, arg, commands)
3476 *
3477 * Outputs
3478 * (sctp_disposition_t)
3479 *
3480 * The return value is the disposition of the chunk.
3481 */
3482static sctp_disposition_t sctp_sf_shut_8_4_5(struct net *net,
3483                                             const struct sctp_endpoint *ep,
3484                                             const struct sctp_association *asoc,
3485                                             const sctp_subtype_t type,
3486                                             void *arg,
3487                                             sctp_cmd_seq_t *commands)
3488{
3489        struct sctp_packet *packet = NULL;
3490        struct sctp_chunk *chunk = arg;
3491        struct sctp_chunk *shut;
3492
3493        packet = sctp_ootb_pkt_new(net, asoc, chunk);
3494
3495        if (packet) {
3496                /* Make an SHUTDOWN_COMPLETE.
3497                 * The T bit will be set if the asoc is NULL.
3498                 */
3499                shut = sctp_make_shutdown_complete(asoc, chunk);
3500                if (!shut) {
3501                        sctp_ootb_pkt_free(packet);
3502                        return SCTP_DISPOSITION_NOMEM;
3503                }
3504
3505                /* Reflect vtag if T-Bit is set */
3506                if (sctp_test_T_bit(shut))
3507                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3508
3509                /* Set the skb to the belonging sock for accounting.  */
3510                shut->skb->sk = ep->base.sk;
3511
3512                sctp_packet_append_chunk(packet, shut);
3513
3514                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3515                                SCTP_PACKET(packet));
3516
3517                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3518
3519                /* If the chunk length is invalid, we don't want to process
3520                 * the reset of the packet.
3521                 */
3522                if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3523                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3524
3525                /* We need to discard the rest of the packet to prevent
3526                 * potential bomming attacks from additional bundled chunks.
3527                 * This is documented in SCTP Threats ID.
3528                 */
3529                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3530        }
3531
3532        return SCTP_DISPOSITION_NOMEM;
3533}
3534
3535/*
3536 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3537 *
3538 * Verification Tag:  8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3539 *   If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3540 *   procedures in section 8.4 SHOULD be followed, in other words it
3541 *   should be treated as an Out Of The Blue packet.
3542 *   [This means that we do NOT check the Verification Tag on these
3543 *   chunks. --piggy ]
3544 *
3545 */
3546sctp_disposition_t sctp_sf_do_8_5_1_E_sa(struct net *net,
3547                                      const struct sctp_endpoint *ep,
3548                                      const struct sctp_association *asoc,
3549                                      const sctp_subtype_t type,
3550                                      void *arg,
3551                                      sctp_cmd_seq_t *commands)
3552{
3553        struct sctp_chunk *chunk = arg;
3554
3555        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3556        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3557                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3558                                                  commands);
3559
3560        /* Although we do have an association in this case, it corresponds
3561         * to a restarted association. So the packet is treated as an OOTB
3562         * packet and the state function that handles OOTB SHUTDOWN_ACK is
3563         * called with a NULL association.
3564         */
3565        SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3566
3567        return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3568}
3569
3570/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk.  */
3571sctp_disposition_t sctp_sf_do_asconf(struct net *net,
3572                                     const struct sctp_endpoint *ep,
3573                                     const struct sctp_association *asoc,
3574                                     const sctp_subtype_t type, void *arg,
3575                                     sctp_cmd_seq_t *commands)
3576{
3577        struct sctp_chunk       *chunk = arg;
3578        struct sctp_chunk       *asconf_ack = NULL;
3579        struct sctp_paramhdr    *err_param = NULL;
3580        sctp_addiphdr_t         *hdr;
3581        union sctp_addr_param   *addr_param;
3582        __u32                   serial;
3583        int                     length;
3584
3585        if (!sctp_vtag_verify(chunk, asoc)) {
3586                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3587                                SCTP_NULL());
3588                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3589        }
3590
3591        /* ADD-IP: Section 4.1.1
3592         * This chunk MUST be sent in an authenticated way by using
3593         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3594         * is received unauthenticated it MUST be silently discarded as
3595         * described in [I-D.ietf-tsvwg-sctp-auth].
3596         */
3597        if (!net->sctp.addip_noauth && !chunk->auth)
3598                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
3599
3600        /* Make sure that the ASCONF ADDIP chunk has a valid length.  */
3601        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3602                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3603                                                  commands);
3604
3605        hdr = (sctp_addiphdr_t *)chunk->skb->data;
3606        serial = ntohl(hdr->serial);
3607
3608        addr_param = (union sctp_addr_param *)hdr->params;
3609        length = ntohs(addr_param->p.length);
3610        if (length < sizeof(sctp_paramhdr_t))
3611                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3612                           (void *)addr_param, commands);
3613
3614        /* Verify the ASCONF chunk before processing it. */
3615        if (!sctp_verify_asconf(asoc,
3616                            (sctp_paramhdr_t *)((void *)addr_param + length),
3617                            (void *)chunk->chunk_end,
3618                            &err_param))
3619                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3620                                                  (void *)err_param, commands);
3621
3622        /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3623         * the endpoint stored in a new association variable
3624         * 'Peer-Serial-Number'.
3625         */
3626        if (serial == asoc->peer.addip_serial + 1) {
3627                /* If this is the first instance of ASCONF in the packet,
3628                 * we can clean our old ASCONF-ACKs.
3629                 */
3630                if (!chunk->has_asconf)
3631                        sctp_assoc_clean_asconf_ack_cache(asoc);
3632
3633                /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3634                 * expected, process the ASCONF as described below and after
3635                 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3636                 * the response packet and cache a copy of it (in the event it
3637                 * later needs to be retransmitted).
3638                 *
3639                 * Essentially, do V1-V5.
3640                 */
3641                asconf_ack = sctp_process_asconf((struct sctp_association *)
3642                                                 asoc, chunk);
3643                if (!asconf_ack)
3644                        return SCTP_DISPOSITION_NOMEM;
3645        } else if (serial < asoc->peer.addip_serial + 1) {
3646                /* ADDIP 5.2 E2)
3647                 * If the value found in the Sequence Number is less than the
3648                 * ('Peer- Sequence-Number' + 1), simply skip to the next
3649                 * ASCONF, and include in the outbound response packet
3650                 * any previously cached ASCONF-ACK response that was
3651                 * sent and saved that matches the Sequence Number of the
3652                 * ASCONF.  Note: It is possible that no cached ASCONF-ACK
3653                 * Chunk exists.  This will occur when an older ASCONF
3654                 * arrives out of order.  In such a case, the receiver
3655                 * should skip the ASCONF Chunk and not include ASCONF-ACK
3656                 * Chunk for that chunk.
3657                 */
3658                asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3659                if (!asconf_ack)
3660                        return SCTP_DISPOSITION_DISCARD;
3661
3662                /* Reset the transport so that we select the correct one
3663                 * this time around.  This is to make sure that we don't
3664                 * accidentally use a stale transport that's been removed.
3665                 */
3666                asconf_ack->transport = NULL;
3667        } else {
3668                /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3669                 * it must be either a stale packet or from an attacker.
3670                 */
3671                return SCTP_DISPOSITION_DISCARD;
3672        }
3673
3674        /* ADDIP 5.2 E6)  The destination address of the SCTP packet
3675         * containing the ASCONF-ACK Chunks MUST be the source address of
3676         * the SCTP packet that held the ASCONF Chunks.
3677         *
3678         * To do this properly, we'll set the destination address of the chunk
3679         * and at the transmit time, will try look up the transport to use.
3680         * Since ASCONFs may be bundled, the correct transport may not be
3681         * created until we process the entire packet, thus this workaround.
3682         */
3683        asconf_ack->dest = chunk->source;
3684        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3685        if (asoc->new_transport) {
3686                sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport,
3687                    commands);
3688                ((struct sctp_association *)asoc)->new_transport = NULL;
3689        }
3690
3691        return SCTP_DISPOSITION_CONSUME;
3692}
3693
3694/*
3695 * ADDIP Section 4.3 General rules for address manipulation
3696 * When building TLV parameters for the ASCONF Chunk that will add or
3697 * delete IP addresses the D0 to D13 rules should be applied:
3698 */
3699sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
3700                                         const struct sctp_endpoint *ep,
3701                                         const struct sctp_association *asoc,
3702                                         const sctp_subtype_t type, void *arg,
3703                                         sctp_cmd_seq_t *commands)
3704{
3705        struct sctp_chunk       *asconf_ack = arg;
3706        struct sctp_chunk       *last_asconf = asoc->addip_last_asconf;
3707        struct sctp_chunk       *abort;
3708        struct sctp_paramhdr    *err_param = NULL;
3709        sctp_addiphdr_t         *addip_hdr;
3710        __u32                   sent_serial, rcvd_serial;
3711
3712        if (!sctp_vtag_verify(asconf_ack, asoc)) {
3713                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3714                                SCTP_NULL());
3715                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3716        }
3717
3718        /* ADD-IP, Section 4.1.2:
3719         * This chunk MUST be sent in an authenticated way by using
3720         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3721         * is received unauthenticated it MUST be silently discarded as
3722         * described in [I-D.ietf-tsvwg-sctp-auth].
3723         */
3724        if (!net->sctp.addip_noauth && !asconf_ack->auth)
3725                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
3726
3727        /* Make sure that the ADDIP chunk has a valid length.  */
3728        if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3729                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3730                                                  commands);
3731
3732        addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3733        rcvd_serial = ntohl(addip_hdr->serial);
3734
3735        /* Verify the ASCONF-ACK chunk before processing it. */
3736        if (!sctp_verify_asconf(asoc,
3737            (sctp_paramhdr_t *)addip_hdr->params,
3738            (void *)asconf_ack->chunk_end,
3739            &err_param))
3740                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3741                           (void *)err_param, commands);
3742
3743        if (last_asconf) {
3744                addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3745                sent_serial = ntohl(addip_hdr->serial);
3746        } else {
3747                sent_serial = asoc->addip_serial - 1;
3748        }
3749
3750        /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3751         * equal to the next serial number to be used but no ASCONF chunk is
3752         * outstanding the endpoint MUST ABORT the association. Note that a
3753         * sequence number is greater than if it is no more than 2^^31-1
3754         * larger than the current sequence number (using serial arithmetic).
3755         */
3756        if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3757            !(asoc->addip_last_asconf)) {
3758                abort = sctp_make_abort(asoc, asconf_ack,
3759                                        sizeof(sctp_errhdr_t));
3760                if (abort) {
3761                        sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3762                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3763                                        SCTP_CHUNK(abort));
3764                }
3765                /* We are going to ABORT, so we might as well stop
3766                 * processing the rest of the chunks in the packet.
3767                 */
3768                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3769                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3770                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3771                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3772                                SCTP_ERROR(ECONNABORTED));
3773                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3774                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3775                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3776                SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3777                return SCTP_DISPOSITION_ABORT;
3778        }
3779
3780        if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3781                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3782                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3783
3784                if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3785                                             asconf_ack)) {
3786                        /* Successfully processed ASCONF_ACK.  We can
3787                         * release the next asconf if we have one.
3788                         */
3789                        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
3790                                        SCTP_NULL());
3791                        return SCTP_DISPOSITION_CONSUME;
3792                }
3793
3794                abort = sctp_make_abort(asoc, asconf_ack,
3795                                        sizeof(sctp_errhdr_t));
3796                if (abort) {
3797                        sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3798                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3799                                        SCTP_CHUNK(abort));
3800                }
3801                /* We are going to ABORT, so we might as well stop
3802                 * processing the rest of the chunks in the packet.
3803                 */
3804                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3805                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3806                                SCTP_ERROR(ECONNABORTED));
3807                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3808                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3809                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
3810                SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3811                return SCTP_DISPOSITION_ABORT;
3812        }
3813
3814        return SCTP_DISPOSITION_DISCARD;
3815}
3816
3817/*
3818 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3819 *
3820 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3821 * its cumulative TSN point to the value carried in the FORWARD TSN
3822 * chunk, and then MUST further advance its cumulative TSN point locally
3823 * if possible.
3824 * After the above processing, the data receiver MUST stop reporting any
3825 * missing TSNs earlier than or equal to the new cumulative TSN point.
3826 *
3827 * Verification Tag:  8.5 Verification Tag [Normal verification]
3828 *
3829 * The return value is the disposition of the chunk.
3830 */
3831sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net,
3832                                       const struct sctp_endpoint *ep,
3833                                       const struct sctp_association *asoc,
3834                                       const sctp_subtype_t type,
3835                                       void *arg,
3836                                       sctp_cmd_seq_t *commands)
3837{
3838        struct sctp_chunk *chunk = arg;
3839        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3840        struct sctp_fwdtsn_skip *skip;
3841        __u16 len;
3842        __u32 tsn;
3843
3844        if (!sctp_vtag_verify(chunk, asoc)) {
3845                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3846                                SCTP_NULL());
3847                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3848        }
3849
3850        /* Make sure that the FORWARD_TSN chunk has valid length.  */
3851        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3852                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3853                                                  commands);
3854
3855        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3856        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3857        len = ntohs(chunk->chunk_hdr->length);
3858        len -= sizeof(struct sctp_chunkhdr);
3859        skb_pull(chunk->skb, len);
3860
3861        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3862        SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3863
3864        /* The TSN is too high--silently discard the chunk and count on it
3865         * getting retransmitted later.
3866         */
3867        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3868                goto discard_noforce;
3869
3870        /* Silently discard the chunk if stream-id is not valid */
3871        sctp_walk_fwdtsn(skip, chunk) {
3872                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3873                        goto discard_noforce;
3874        }
3875
3876        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3877        if (len > sizeof(struct sctp_fwdtsn_hdr))
3878                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3879                                SCTP_CHUNK(chunk));
3880
3881        /* Count this as receiving DATA. */
3882        if (asoc->autoclose) {
3883                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3884                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3885        }
3886
3887        /* FIXME: For now send a SACK, but DATA processing may
3888         * send another.
3889         */
3890        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3891
3892        return SCTP_DISPOSITION_CONSUME;
3893
3894discard_noforce:
3895        return SCTP_DISPOSITION_DISCARD;
3896}
3897
3898sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3899        struct net *net,
3900        const struct sctp_endpoint *ep,
3901        const struct sctp_association *asoc,
3902        const sctp_subtype_t type,
3903        void *arg,
3904        sctp_cmd_seq_t *commands)
3905{
3906        struct sctp_chunk *chunk = arg;
3907        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3908        struct sctp_fwdtsn_skip *skip;
3909        __u16 len;
3910        __u32 tsn;
3911
3912        if (!sctp_vtag_verify(chunk, asoc)) {
3913                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3914                                SCTP_NULL());
3915                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3916        }
3917
3918        /* Make sure that the FORWARD_TSN chunk has a valid length.  */
3919        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3920                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3921                                                  commands);
3922
3923        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3924        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3925        len = ntohs(chunk->chunk_hdr->length);
3926        len -= sizeof(struct sctp_chunkhdr);
3927        skb_pull(chunk->skb, len);
3928
3929        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3930        SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3931
3932        /* The TSN is too high--silently discard the chunk and count on it
3933         * getting retransmitted later.
3934         */
3935        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3936                goto gen_shutdown;
3937
3938        /* Silently discard the chunk if stream-id is not valid */
3939        sctp_walk_fwdtsn(skip, chunk) {
3940                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3941                        goto gen_shutdown;
3942        }
3943
3944        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3945        if (len > sizeof(struct sctp_fwdtsn_hdr))
3946                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3947                                SCTP_CHUNK(chunk));
3948
3949        /* Go a head and force a SACK, since we are shutting down. */
3950gen_shutdown:
3951        /* Implementor's Guide.
3952         *
3953         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3954         * respond to each received packet containing one or more DATA chunk(s)
3955         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3956         */
3957        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3958        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3959        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3960                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3961
3962        return SCTP_DISPOSITION_CONSUME;
3963}
3964
3965/*
3966 * SCTP-AUTH Section 6.3 Receiving authenticated chukns
3967 *
3968 *    The receiver MUST use the HMAC algorithm indicated in the HMAC
3969 *    Identifier field.  If this algorithm was not specified by the
3970 *    receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
3971 *    during association setup, the AUTH chunk and all chunks after it MUST
3972 *    be discarded and an ERROR chunk SHOULD be sent with the error cause
3973 *    defined in Section 4.1.
3974 *
3975 *    If an endpoint with no shared key receives a Shared Key Identifier
3976 *    other than 0, it MUST silently discard all authenticated chunks.  If
3977 *    the endpoint has at least one endpoint pair shared key for the peer,
3978 *    it MUST use the key specified by the Shared Key Identifier if a
3979 *    key has been configured for that Shared Key Identifier.  If no
3980 *    endpoint pair shared key has been configured for that Shared Key
3981 *    Identifier, all authenticated chunks MUST be silently discarded.
3982 *
3983 * Verification Tag:  8.5 Verification Tag [Normal verification]
3984 *
3985 * The return value is the disposition of the chunk.
3986 */
3987static sctp_ierror_t sctp_sf_authenticate(struct net *net,
3988                                    const struct sctp_endpoint *ep,
3989                                    const struct sctp_association *asoc,
3990                                    const sctp_subtype_t type,
3991                                    struct sctp_chunk *chunk)
3992{
3993        struct sctp_authhdr *auth_hdr;
3994        struct sctp_hmac *hmac;
3995        unsigned int sig_len;
3996        __u16 key_id;
3997        __u8 *save_digest;
3998        __u8 *digest;
3999
4000        /* Pull in the auth header, so we can do some more verification */
4001        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4002        chunk->subh.auth_hdr = auth_hdr;
4003        skb_pull(chunk->skb, sizeof(struct sctp_authhdr));
4004
4005        /* Make sure that we support the HMAC algorithm from the auth
4006         * chunk.
4007         */
4008        if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4009                return SCTP_IERROR_AUTH_BAD_HMAC;
4010
4011        /* Make sure that the provided shared key identifier has been
4012         * configured
4013         */
4014        key_id = ntohs(auth_hdr->shkey_id);
4015        if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
4016                return SCTP_IERROR_AUTH_BAD_KEYID;
4017
4018
4019        /* Make sure that the length of the signature matches what
4020         * we expect.
4021         */
4022        sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);
4023        hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4024        if (sig_len != hmac->hmac_len)
4025                return SCTP_IERROR_PROTO_VIOLATION;
4026
4027        /* Now that we've done validation checks, we can compute and
4028         * verify the hmac.  The steps involved are:
4029         *  1. Save the digest from the chunk.
4030         *  2. Zero out the digest in the chunk.
4031         *  3. Compute the new digest
4032         *  4. Compare saved and new digests.
4033         */
4034        digest = auth_hdr->hmac;
4035        skb_pull(chunk->skb, sig_len);
4036
4037        save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4038        if (!save_digest)
4039                goto nomem;
4040
4041        memset(digest, 0, sig_len);
4042
4043        sctp_auth_calculate_hmac(asoc, chunk->skb,
4044                                (struct sctp_auth_chunk *)chunk->chunk_hdr,
4045                                GFP_ATOMIC);
4046
4047        /* Discard the packet if the digests do not match */
4048        if (memcmp(save_digest, digest, sig_len)) {
4049                kfree(save_digest);
4050                return SCTP_IERROR_BAD_SIG;
4051        }
4052
4053        kfree(save_digest);
4054        chunk->auth = 1;
4055
4056        return SCTP_IERROR_NO_ERROR;
4057nomem:
4058        return SCTP_IERROR_NOMEM;
4059}
4060
4061sctp_disposition_t sctp_sf_eat_auth(struct net *net,
4062                                    const struct sctp_endpoint *ep,
4063                                    const struct sctp_association *asoc,
4064                                    const sctp_subtype_t type,
4065                                    void *arg,
4066                                    sctp_cmd_seq_t *commands)
4067{
4068        struct sctp_authhdr *auth_hdr;
4069        struct sctp_chunk *chunk = arg;
4070        struct sctp_chunk *err_chunk;
4071        sctp_ierror_t error;
4072
4073        /* Make sure that the peer has AUTH capable */
4074        if (!asoc->peer.auth_capable)
4075                return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4076
4077        if (!sctp_vtag_verify(chunk, asoc)) {
4078                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4079                                SCTP_NULL());
4080                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4081        }
4082
4083        /* Make sure that the AUTH chunk has valid length.  */
4084        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4085                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4086                                                  commands);
4087
4088        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4089        error = sctp_sf_authenticate(net, ep, asoc, type, chunk);
4090        switch (error) {
4091        case SCTP_IERROR_AUTH_BAD_HMAC:
4092                /* Generate the ERROR chunk and discard the rest
4093                 * of the packet
4094                 */
4095                err_chunk = sctp_make_op_error(asoc, chunk,
4096                                               SCTP_ERROR_UNSUP_HMAC,
4097                                               &auth_hdr->hmac_id,
4098                                               sizeof(__u16), 0);
4099                if (err_chunk) {
4100                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4101                                        SCTP_CHUNK(err_chunk));
4102                }
4103                /* Fall Through */
4104        case SCTP_IERROR_AUTH_BAD_KEYID:
4105        case SCTP_IERROR_BAD_SIG:
4106                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4107
4108        case SCTP_IERROR_PROTO_VIOLATION:
4109                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4110                                                  commands);
4111
4112        case SCTP_IERROR_NOMEM:
4113                return SCTP_DISPOSITION_NOMEM;
4114
4115        default:                        /* Prevent gcc warnings */
4116                break;
4117        }
4118
4119        if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4120                struct sctp_ulpevent *ev;
4121
4122                ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4123                                    SCTP_AUTH_NEWKEY, GFP_ATOMIC);
4124
4125                if (!ev)
4126                        return -ENOMEM;
4127
4128                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4129                                SCTP_ULPEVENT(ev));
4130        }
4131
4132        return SCTP_DISPOSITION_CONSUME;
4133}
4134
4135/*
4136 * Process an unknown chunk.
4137 *
4138 * Section: 3.2. Also, 2.1 in the implementor's guide.
4139 *
4140 * Chunk Types are encoded such that the highest-order two bits specify
4141 * the action that must be taken if the processing endpoint does not
4142 * recognize the Chunk Type.
4143 *
4144 * 00 - Stop processing this SCTP packet and discard it, do not process
4145 *      any further chunks within it.
4146 *
4147 * 01 - Stop processing this SCTP packet and discard it, do not process
4148 *      any further chunks within it, and report the unrecognized
4149 *      chunk in an 'Unrecognized Chunk Type'.
4150 *
4151 * 10 - Skip this chunk and continue processing.
4152 *
4153 * 11 - Skip this chunk and continue processing, but report in an ERROR
4154 *      Chunk using the 'Unrecognized Chunk Type' cause of error.
4155 *
4156 * The return value is the disposition of the chunk.
4157 */
4158sctp_disposition_t sctp_sf_unk_chunk(struct net *net,
4159                                     const struct sctp_endpoint *ep,
4160                                     const struct sctp_association *asoc,
4161                                     const sctp_subtype_t type,
4162                                     void *arg,
4163                                     sctp_cmd_seq_t *commands)
4164{
4165        struct sctp_chunk *unk_chunk = arg;
4166        struct sctp_chunk *err_chunk;
4167        sctp_chunkhdr_t *hdr;
4168
4169        SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);
4170
4171        if (!sctp_vtag_verify(unk_chunk, asoc))
4172                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4173
4174        /* Make sure that the chunk has a valid length.
4175         * Since we don't know the chunk type, we use a general
4176         * chunkhdr structure to make a comparison.
4177         */
4178        if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
4179                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4180                                                  commands);
4181
4182        switch (type.chunk & SCTP_CID_ACTION_MASK) {
4183        case SCTP_CID_ACTION_DISCARD:
4184                /* Discard the packet.  */
4185                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4186                break;
4187        case SCTP_CID_ACTION_DISCARD_ERR:
4188                /* Generate an ERROR chunk as response. */
4189                hdr = unk_chunk->chunk_hdr;
4190                err_chunk = sctp_make_op_error(asoc, unk_chunk,
4191                                               SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4192                                               WORD_ROUND(ntohs(hdr->length)),
4193                                               0);
4194                if (err_chunk) {
4195                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4196                                        SCTP_CHUNK(err_chunk));
4197                }
4198
4199                /* Discard the packet.  */
4200                sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4201                return SCTP_DISPOSITION_CONSUME;
4202                break;
4203        case SCTP_CID_ACTION_SKIP:
4204                /* Skip the chunk.  */
4205                return SCTP_DISPOSITION_DISCARD;
4206                break;
4207        case SCTP_CID_ACTION_SKIP_ERR:
4208                /* Generate an ERROR chunk as response. */
4209                hdr = unk_chunk->chunk_hdr;
4210                err_chunk = sctp_make_op_error(asoc, unk_chunk,
4211                                               SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4212                                               WORD_ROUND(ntohs(hdr->length)),
4213                                               0);
4214                if (err_chunk) {
4215                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4216                                        SCTP_CHUNK(err_chunk));
4217                }
4218                /* Skip the chunk.  */
4219                return SCTP_DISPOSITION_CONSUME;
4220                break;
4221        default:
4222                break;
4223        }
4224
4225        return SCTP_DISPOSITION_DISCARD;
4226}
4227
4228/*
4229 * Discard the chunk.
4230 *
4231 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4232 * [Too numerous to mention...]
4233 * Verification Tag: No verification needed.
4234 * Inputs
4235 * (endpoint, asoc, chunk)
4236 *
4237 * Outputs
4238 * (asoc, reply_msg, msg_up, timers, counters)
4239 *
4240 * The return value is the disposition of the chunk.
4241 */
4242sctp_disposition_t sctp_sf_discard_chunk(struct net *net,
4243                                         const struct sctp_endpoint *ep,
4244                                         const struct sctp_association *asoc,
4245                                         const sctp_subtype_t type,
4246                                         void *arg,
4247                                         sctp_cmd_seq_t *commands)
4248{
4249        struct sctp_chunk *chunk = arg;
4250
4251        /* Make sure that the chunk has a valid length.
4252         * Since we don't know the chunk type, we use a general
4253         * chunkhdr structure to make a comparison.
4254         */
4255        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4256                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4257                                                  commands);
4258
4259        SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);
4260        return SCTP_DISPOSITION_DISCARD;
4261}
4262
4263/*
4264 * Discard the whole packet.
4265 *
4266 * Section: 8.4 2)
4267 *
4268 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4269 *    silently discard the OOTB packet and take no further action.
4270 *
4271 * Verification Tag: No verification necessary
4272 *
4273 * Inputs
4274 * (endpoint, asoc, chunk)
4275 *
4276 * Outputs
4277 * (asoc, reply_msg, msg_up, timers, counters)
4278 *
4279 * The return value is the disposition of the chunk.
4280 */
4281sctp_disposition_t sctp_sf_pdiscard(struct net *net,
4282                                    const struct sctp_endpoint *ep,
4283                                    const struct sctp_association *asoc,
4284                                    const sctp_subtype_t type,
4285                                    void *arg,
4286                                    sctp_cmd_seq_t *commands)
4287{
4288        SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);
4289        sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4290
4291        return SCTP_DISPOSITION_CONSUME;
4292}
4293
4294
4295/*
4296 * The other end is violating protocol.
4297 *
4298 * Section: Not specified
4299 * Verification Tag: Not specified
4300 * Inputs
4301 * (endpoint, asoc, chunk)
4302 *
4303 * Outputs
4304 * (asoc, reply_msg, msg_up, timers, counters)
4305 *
4306 * We simply tag the chunk as a violation.  The state machine will log
4307 * the violation and continue.
4308 */
4309sctp_disposition_t sctp_sf_violation(struct net *net,
4310                                     const struct sctp_endpoint *ep,
4311                                     const struct sctp_association *asoc,
4312                                     const sctp_subtype_t type,
4313                                     void *arg,
4314                                     sctp_cmd_seq_t *commands)
4315{
4316        struct sctp_chunk *chunk = arg;
4317
4318        /* Make sure that the chunk has a valid length. */
4319        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4320                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4321                                                  commands);
4322
4323        return SCTP_DISPOSITION_VIOLATION;
4324}
4325
4326/*
4327 * Common function to handle a protocol violation.
4328 */
4329static sctp_disposition_t sctp_sf_abort_violation(
4330                                     struct net *net,
4331                                     const struct sctp_endpoint *ep,
4332                                     const struct sctp_association *asoc,
4333                                     void *arg,
4334                                     sctp_cmd_seq_t *commands,
4335                                     const __u8 *payload,
4336                                     const size_t paylen)
4337{
4338        struct sctp_packet *packet = NULL;
4339        struct sctp_chunk *chunk =  arg;
4340        struct sctp_chunk *abort = NULL;
4341
4342        /* SCTP-AUTH, Section 6.3:
4343         *    It should be noted that if the receiver wants to tear
4344         *    down an association in an authenticated way only, the
4345         *    handling of malformed packets should not result in
4346         *    tearing down the association.
4347         *
4348         * This means that if we only want to abort associations
4349         * in an authenticated way (i.e AUTH+ABORT), then we
4350         * can't destroy this association just because the packet
4351         * was malformed.
4352         */
4353        if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4354                goto discard;
4355
4356        /* Make the abort chunk. */
4357        abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4358        if (!abort)
4359                goto nomem;
4360
4361        if (asoc) {
4362                /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4363                if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4364                    !asoc->peer.i.init_tag) {
4365                        sctp_initack_chunk_t *initack;
4366
4367                        initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
4368                        if (!sctp_chunk_length_valid(chunk,
4369                                                     sizeof(sctp_initack_chunk_t)))
4370                                abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4371                        else {
4372                                unsigned int inittag;
4373
4374                                inittag = ntohl(initack->init_hdr.init_tag);
4375                                sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4376                                                SCTP_U32(inittag));
4377                        }
4378                }
4379
4380                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4381                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4382
4383                if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4384                        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4385                                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4386                        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4387                                        SCTP_ERROR(ECONNREFUSED));
4388                        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4389                                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4390                } else {
4391                        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4392                                        SCTP_ERROR(ECONNABORTED));
4393                        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4394                                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4395                        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4396                }
4397        } else {
4398                packet = sctp_ootb_pkt_new(net, asoc, chunk);
4399
4400                if (!packet)
4401                        goto nomem_pkt;
4402
4403                if (sctp_test_T_bit(abort))
4404                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4405
4406                abort->skb->sk = ep->base.sk;
4407
4408                sctp_packet_append_chunk(packet, abort);
4409
4410                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4411                        SCTP_PACKET(packet));
4412
4413                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4414        }
4415
4416        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4417
4418discard:
4419        sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4420        return SCTP_DISPOSITION_ABORT;
4421
4422nomem_pkt:
4423        sctp_chunk_free(abort);
4424nomem:
4425        return SCTP_DISPOSITION_NOMEM;
4426}
4427
4428/*
4429 * Handle a protocol violation when the chunk length is invalid.
4430 * "Invalid" length is identified as smaller than the minimal length a
4431 * given chunk can be.  For example, a SACK chunk has invalid length
4432 * if its length is set to be smaller than the size of sctp_sack_chunk_t.
4433 *
4434 * We inform the other end by sending an ABORT with a Protocol Violation
4435 * error code.
4436 *
4437 * Section: Not specified
4438 * Verification Tag:  Nothing to do
4439 * Inputs
4440 * (endpoint, asoc, chunk)
4441 *
4442 * Outputs
4443 * (reply_msg, msg_up, counters)
4444 *
4445 * Generate an  ABORT chunk and terminate the association.
4446 */
4447static sctp_disposition_t sctp_sf_violation_chunklen(
4448                                     struct net *net,
4449                                     const struct sctp_endpoint *ep,
4450                                     const struct sctp_association *asoc,
4451                                     const sctp_subtype_t type,
4452                                     void *arg,
4453                                     sctp_cmd_seq_t *commands)
4454{
4455        static const char err_str[]="The following chunk had invalid length:";
4456
4457        return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4458                                        sizeof(err_str));
4459}
4460
4461/*
4462 * Handle a protocol violation when the parameter length is invalid.
4463 * If the length is smaller than the minimum length of a given parameter,
4464 * or accumulated length in multi parameters exceeds the end of the chunk,
4465 * the length is considered as invalid.
4466 */
4467static sctp_disposition_t sctp_sf_violation_paramlen(
4468                                     struct net *net,
4469                                     const struct sctp_endpoint *ep,
4470                                     const struct sctp_association *asoc,
4471                                     const sctp_subtype_t type,
4472                                     void *arg, void *ext,
4473                                     sctp_cmd_seq_t *commands)
4474{
4475        struct sctp_chunk *chunk =  arg;
4476        struct sctp_paramhdr *param = ext;
4477        struct sctp_chunk *abort = NULL;
4478
4479        if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4480                goto discard;
4481
4482        /* Make the abort chunk. */
4483        abort = sctp_make_violation_paramlen(asoc, chunk, param);
4484        if (!abort)
4485                goto nomem;
4486
4487        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4488        SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
4489
4490        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4491                        SCTP_ERROR(ECONNABORTED));
4492        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4493                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4494        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4495        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4496
4497discard:
4498        sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4499        return SCTP_DISPOSITION_ABORT;
4500nomem:
4501        return SCTP_DISPOSITION_NOMEM;
4502}
4503
4504/* Handle a protocol violation when the peer trying to advance the
4505 * cumulative tsn ack to a point beyond the max tsn currently sent.
4506 *
4507 * We inform the other end by sending an ABORT with a Protocol Violation
4508 * error code.
4509 */
4510static sctp_disposition_t sctp_sf_violation_ctsn(
4511                                     struct net *net,
4512                                     const struct sctp_endpoint *ep,
4513                                     const struct sctp_association *asoc,
4514                                     const sctp_subtype_t type,
4515                                     void *arg,
4516                                     sctp_cmd_seq_t *commands)
4517{
4518        static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:";
4519
4520        return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4521                                        sizeof(err_str));
4522}
4523
4524/* Handle protocol violation of an invalid chunk bundling.  For example,
4525 * when we have an association and we receive bundled INIT-ACK, or
4526 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4527 * statement from the specs.  Additionally, there might be an attacker
4528 * on the path and we may not want to continue this communication.
4529 */
4530static sctp_disposition_t sctp_sf_violation_chunk(
4531                                     struct net *net,
4532                                     const struct sctp_endpoint *ep,
4533                                     const struct sctp_association *asoc,
4534                                     const sctp_subtype_t type,
4535                                     void *arg,
4536                                     sctp_cmd_seq_t *commands)
4537{
4538        static const char err_str[]="The following chunk violates protocol:";
4539
4540        if (!asoc)
4541                return sctp_sf_violation(net, ep, asoc, type, arg, commands);
4542
4543        return sctp_sf_abort_violation(net, ep, asoc, arg, commands, err_str,
4544                                        sizeof(err_str));
4545}
4546/***************************************************************************
4547 * These are the state functions for handling primitive (Section 10) events.
4548 ***************************************************************************/
4549/*
4550 * sctp_sf_do_prm_asoc
4551 *
4552 * Section: 10.1 ULP-to-SCTP
4553 * B) Associate
4554 *
4555 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4556 * outbound stream count)
4557 * -> association id [,destination transport addr list] [,outbound stream
4558 * count]
4559 *
4560 * This primitive allows the upper layer to initiate an association to a
4561 * specific peer endpoint.
4562 *
4563 * The peer endpoint shall be specified by one of the transport addresses
4564 * which defines the endpoint (see Section 1.4).  If the local SCTP
4565 * instance has not been initialized, the ASSOCIATE is considered an
4566 * error.
4567 * [This is not relevant for the kernel implementation since we do all
4568 * initialization at boot time.  It we hadn't initialized we wouldn't
4569 * get anywhere near this code.]
4570 *
4571 * An association id, which is a local handle to the SCTP association,
4572 * will be returned on successful establishment of the association. If
4573 * SCTP is not able to open an SCTP association with the peer endpoint,
4574 * an error is returned.
4575 * [In the kernel implementation, the struct sctp_association needs to
4576 * be created BEFORE causing this primitive to run.]
4577 *
4578 * Other association parameters may be returned, including the
4579 * complete destination transport addresses of the peer as well as the
4580 * outbound stream count of the local endpoint. One of the transport
4581 * address from the returned destination addresses will be selected by
4582 * the local endpoint as default primary path for sending SCTP packets
4583 * to this peer.  The returned "destination transport addr list" can
4584 * be used by the ULP to change the default primary path or to force
4585 * sending a packet to a specific transport address.  [All of this
4586 * stuff happens when the INIT ACK arrives.  This is a NON-BLOCKING
4587 * function.]
4588 *
4589 * Mandatory attributes:
4590 *
4591 * o local SCTP instance name - obtained from the INITIALIZE operation.
4592 *   [This is the argument asoc.]
4593 * o destination transport addr - specified as one of the transport
4594 * addresses of the peer endpoint with which the association is to be
4595 * established.
4596 *  [This is asoc->peer.active_path.]
4597 * o outbound stream count - the number of outbound streams the ULP
4598 * would like to open towards this peer endpoint.
4599 * [BUG: This is not currently implemented.]
4600 * Optional attributes:
4601 *
4602 * None.
4603 *
4604 * The return value is a disposition.
4605 */
4606sctp_disposition_t sctp_sf_do_prm_asoc(struct net *net,
4607                                       const struct sctp_endpoint *ep,
4608                                       const struct sctp_association *asoc,
4609                                       const sctp_subtype_t type,
4610                                       void *arg,
4611                                       sctp_cmd_seq_t *commands)
4612{
4613        struct sctp_chunk *repl;
4614        struct sctp_association* my_asoc;
4615
4616        /* The comment below says that we enter COOKIE-WAIT AFTER
4617         * sending the INIT, but that doesn't actually work in our
4618         * implementation...
4619         */
4620        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4621                        SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4622
4623        /* RFC 2960 5.1 Normal Establishment of an Association
4624         *
4625         * A) "A" first sends an INIT chunk to "Z".  In the INIT, "A"
4626         * must provide its Verification Tag (Tag_A) in the Initiate
4627         * Tag field.  Tag_A SHOULD be a random number in the range of
4628         * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4629         */
4630
4631        repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4632        if (!repl)
4633                goto nomem;
4634
4635        /* Cast away the const modifier, as we want to just
4636         * rerun it through as a sideffect.
4637         */
4638        my_asoc = (struct sctp_association *)asoc;
4639        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4640
4641        /* Choose transport for INIT. */
4642        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4643                        SCTP_CHUNK(repl));
4644
4645        /* After sending the INIT, "A" starts the T1-init timer and
4646         * enters the COOKIE-WAIT state.
4647         */
4648        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4649                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4650        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4651        return SCTP_DISPOSITION_CONSUME;
4652
4653nomem:
4654        return SCTP_DISPOSITION_NOMEM;
4655}
4656
4657/*
4658 * Process the SEND primitive.
4659 *
4660 * Section: 10.1 ULP-to-SCTP
4661 * E) Send
4662 *
4663 * Format: SEND(association id, buffer address, byte count [,context]
4664 *         [,stream id] [,life time] [,destination transport address]
4665 *         [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4666 * -> result
4667 *
4668 * This is the main method to send user data via SCTP.
4669 *
4670 * Mandatory attributes:
4671 *
4672 *  o association id - local handle to the SCTP association
4673 *
4674 *  o buffer address - the location where the user message to be
4675 *    transmitted is stored;
4676 *
4677 *  o byte count - The size of the user data in number of bytes;
4678 *
4679 * Optional attributes:
4680 *
4681 *  o context - an optional 32 bit integer that will be carried in the
4682 *    sending failure notification to the ULP if the transportation of
4683 *    this User Message fails.
4684 *
4685 *  o stream id - to indicate which stream to send the data on. If not
4686 *    specified, stream 0 will be used.
4687 *
4688 *  o life time - specifies the life time of the user data. The user data
4689 *    will not be sent by SCTP after the life time expires. This
4690 *    parameter can be used to avoid efforts to transmit stale
4691 *    user messages. SCTP notifies the ULP if the data cannot be
4692 *    initiated to transport (i.e. sent to the destination via SCTP's
4693 *    send primitive) within the life time variable. However, the
4694 *    user data will be transmitted if SCTP has attempted to transmit a
4695 *    chunk before the life time expired.
4696 *
4697 *  o destination transport address - specified as one of the destination
4698 *    transport addresses of the peer endpoint to which this packet
4699 *    should be sent. Whenever possible, SCTP should use this destination
4700 *    transport address for sending the packets, instead of the current
4701 *    primary path.
4702 *
4703 *  o unorder flag - this flag, if present, indicates that the user
4704 *    would like the data delivered in an unordered fashion to the peer
4705 *    (i.e., the U flag is set to 1 on all DATA chunks carrying this
4706 *    message).
4707 *
4708 *  o no-bundle flag - instructs SCTP not to bundle this user data with
4709 *    other outbound DATA chunks. SCTP MAY still bundle even when
4710 *    this flag is present, when faced with network congestion.
4711 *
4712 *  o payload protocol-id - A 32 bit unsigned integer that is to be
4713 *    passed to the peer indicating the type of payload protocol data
4714 *    being transmitted. This value is passed as opaque data by SCTP.
4715 *
4716 * The return value is the disposition.
4717 */
4718sctp_disposition_t sctp_sf_do_prm_send(struct net *net,
4719                                       const struct sctp_endpoint *ep,
4720                                       const struct sctp_association *asoc,
4721                                       const sctp_subtype_t type,
4722                                       void *arg,
4723                                       sctp_cmd_seq_t *commands)
4724{
4725        struct sctp_datamsg *msg = arg;
4726
4727        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
4728        return SCTP_DISPOSITION_CONSUME;
4729}
4730
4731/*
4732 * Process the SHUTDOWN primitive.
4733 *
4734 * Section: 10.1:
4735 * C) Shutdown
4736 *
4737 * Format: SHUTDOWN(association id)
4738 * -> result
4739 *
4740 * Gracefully closes an association. Any locally queued user data
4741 * will be delivered to the peer. The association will be terminated only
4742 * after the peer acknowledges all the SCTP packets sent.  A success code
4743 * will be returned on successful termination of the association. If
4744 * attempting to terminate the association results in a failure, an error
4745 * code shall be returned.
4746 *
4747 * Mandatory attributes:
4748 *
4749 *  o association id - local handle to the SCTP association
4750 *
4751 * Optional attributes:
4752 *
4753 * None.
4754 *
4755 * The return value is the disposition.
4756 */
4757sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(
4758        struct net *net,
4759        const struct sctp_endpoint *ep,
4760        const struct sctp_association *asoc,
4761        const sctp_subtype_t type,
4762        void *arg,
4763        sctp_cmd_seq_t *commands)
4764{
4765        int disposition;
4766
4767        /* From 9.2 Shutdown of an Association
4768         * Upon receipt of the SHUTDOWN primitive from its upper
4769         * layer, the endpoint enters SHUTDOWN-PENDING state and
4770         * remains there until all outstanding data has been
4771         * acknowledged by its peer. The endpoint accepts no new data
4772         * from its upper layer, but retransmits data to the far end
4773         * if necessary to fill gaps.
4774         */
4775        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4776                        SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
4777
4778        disposition = SCTP_DISPOSITION_CONSUME;
4779        if (sctp_outq_is_empty(&asoc->outqueue)) {
4780                disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type,
4781                                                            arg, commands);
4782        }
4783        return disposition;
4784}
4785
4786/*
4787 * Process the ABORT primitive.
4788 *
4789 * Section: 10.1:
4790 * C) Abort
4791 *
4792 * Format: Abort(association id [, cause code])
4793 * -> result
4794 *
4795 * Ungracefully closes an association. Any locally queued user data
4796 * will be discarded and an ABORT chunk is sent to the peer.  A success code
4797 * will be returned on successful abortion of the association. If
4798 * attempting to abort the association results in a failure, an error
4799 * code shall be returned.
4800 *
4801 * Mandatory attributes:
4802 *
4803 *  o association id - local handle to the SCTP association
4804 *
4805 * Optional attributes:
4806 *
4807 *  o cause code - reason of the abort to be passed to the peer
4808 *
4809 * None.
4810 *
4811 * The return value is the disposition.
4812 */
4813sctp_disposition_t sctp_sf_do_9_1_prm_abort(
4814        struct net *net,
4815        const struct sctp_endpoint *ep,
4816        const struct sctp_association *asoc,
4817        const sctp_subtype_t type,
4818        void *arg,
4819        sctp_cmd_seq_t *commands)
4820{
4821        /* From 9.1 Abort of an Association
4822         * Upon receipt of the ABORT primitive from its upper
4823         * layer, the endpoint enters CLOSED state and
4824         * discard all outstanding data has been
4825         * acknowledged by its peer. The endpoint accepts no new data
4826         * from its upper layer, but retransmits data to the far end
4827         * if necessary to fill gaps.
4828         */
4829        struct sctp_chunk *abort = arg;
4830        sctp_disposition_t retval;
4831
4832        retval = SCTP_DISPOSITION_CONSUME;
4833
4834        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4835
4836        /* Even if we can't send the ABORT due to low memory delete the
4837         * TCB.  This is a departure from our typical NOMEM handling.
4838         */
4839
4840        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4841                        SCTP_ERROR(ECONNABORTED));
4842        /* Delete the established association. */
4843        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4844                        SCTP_PERR(SCTP_ERROR_USER_ABORT));
4845
4846        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4847        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4848
4849        return retval;
4850}
4851
4852/* We tried an illegal operation on an association which is closed.  */
4853sctp_disposition_t sctp_sf_error_closed(struct net *net,
4854                                        const struct sctp_endpoint *ep,
4855                                        const struct sctp_association *asoc,
4856                                        const sctp_subtype_t type,
4857                                        void *arg,
4858                                        sctp_cmd_seq_t *commands)
4859{
4860        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
4861        return SCTP_DISPOSITION_CONSUME;
4862}
4863
4864/* We tried an illegal operation on an association which is shutting
4865 * down.
4866 */
4867sctp_disposition_t sctp_sf_error_shutdown(struct net *net,
4868                                          const struct sctp_endpoint *ep,
4869                                          const struct sctp_association *asoc,
4870                                          const sctp_subtype_t type,
4871                                          void *arg,
4872                                          sctp_cmd_seq_t *commands)
4873{
4874        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
4875                        SCTP_ERROR(-ESHUTDOWN));
4876        return SCTP_DISPOSITION_CONSUME;
4877}
4878
4879/*
4880 * sctp_cookie_wait_prm_shutdown
4881 *
4882 * Section: 4 Note: 2
4883 * Verification Tag:
4884 * Inputs
4885 * (endpoint, asoc)
4886 *
4887 * The RFC does not explicitly address this issue, but is the route through the
4888 * state table when someone issues a shutdown while in COOKIE_WAIT state.
4889 *
4890 * Outputs
4891 * (timers)
4892 */
4893sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(
4894        struct net *net,
4895        const struct sctp_endpoint *ep,
4896        const struct sctp_association *asoc,
4897        const sctp_subtype_t type,
4898        void *arg,
4899        sctp_cmd_seq_t *commands)
4900{
4901        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4902                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4903
4904        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4905                        SCTP_STATE(SCTP_STATE_CLOSED));
4906
4907        SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
4908
4909        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
4910
4911        return SCTP_DISPOSITION_DELETE_TCB;
4912}
4913
4914/*
4915 * sctp_cookie_echoed_prm_shutdown
4916 *
4917 * Section: 4 Note: 2
4918 * Verification Tag:
4919 * Inputs
4920 * (endpoint, asoc)
4921 *
4922 * The RFC does not explcitly address this issue, but is the route through the
4923 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
4924 *
4925 * Outputs
4926 * (timers)
4927 */
4928sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(
4929        struct net *net,
4930        const struct sctp_endpoint *ep,
4931        const struct sctp_association *asoc,
4932        const sctp_subtype_t type,
4933        void *arg, sctp_cmd_seq_t *commands)
4934{
4935        /* There is a single T1 timer, so we should be able to use
4936         * common function with the COOKIE-WAIT state.
4937         */
4938        return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg, commands);
4939}
4940
4941/*
4942 * sctp_sf_cookie_wait_prm_abort
4943 *
4944 * Section: 4 Note: 2
4945 * Verification Tag:
4946 * Inputs
4947 * (endpoint, asoc)
4948 *
4949 * The RFC does not explicitly address this issue, but is the route through the
4950 * state table when someone issues an abort while in COOKIE_WAIT state.
4951 *
4952 * Outputs
4953 * (timers)
4954 */
4955sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
4956        struct net *net,
4957        const struct sctp_endpoint *ep,
4958        const struct sctp_association *asoc,
4959        const sctp_subtype_t type,
4960        void *arg,
4961        sctp_cmd_seq_t *commands)
4962{
4963        struct sctp_chunk *abort = arg;
4964        sctp_disposition_t retval;
4965
4966        /* Stop T1-init timer */
4967        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4968                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4969        retval = SCTP_DISPOSITION_CONSUME;
4970
4971        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4972
4973        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4974                        SCTP_STATE(SCTP_STATE_CLOSED));
4975
4976        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4977
4978        /* Even if we can't send the ABORT due to low memory delete the
4979         * TCB.  This is a departure from our typical NOMEM handling.
4980         */
4981
4982        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4983                        SCTP_ERROR(ECONNREFUSED));
4984        /* Delete the established association. */
4985        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4986                        SCTP_PERR(SCTP_ERROR_USER_ABORT));
4987
4988        return retval;
4989}
4990
4991/*
4992 * sctp_sf_cookie_echoed_prm_abort
4993 *
4994 * Section: 4 Note: 3
4995 * Verification Tag:
4996 * Inputs
4997 * (endpoint, asoc)
4998 *
4999 * The RFC does not explcitly address this issue, but is the route through the
5000 * state table when someone issues an abort while in COOKIE_ECHOED state.
5001 *
5002 * Outputs
5003 * (timers)
5004 */
5005sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(
5006        struct net *net,
5007        const struct sctp_endpoint *ep,
5008        const struct sctp_association *asoc,
5009        const sctp_subtype_t type,
5010        void *arg,
5011        sctp_cmd_seq_t *commands)
5012{
5013        /* There is a single T1 timer, so we should be able to use
5014         * common function with the COOKIE-WAIT state.
5015         */
5016        return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg, commands);
5017}
5018
5019/*
5020 * sctp_sf_shutdown_pending_prm_abort
5021 *
5022 * Inputs
5023 * (endpoint, asoc)
5024 *
5025 * The RFC does not explicitly address this issue, but is the route through the
5026 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
5027 *
5028 * Outputs
5029 * (timers)
5030 */
5031sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(
5032        struct net *net,
5033        const struct sctp_endpoint *ep,
5034        const struct sctp_association *asoc,
5035        const sctp_subtype_t type,
5036        void *arg,
5037        sctp_cmd_seq_t *commands)
5038{
5039        /* Stop the T5-shutdown guard timer.  */
5040        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5041                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5042
5043        return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5044}
5045
5046/*
5047 * sctp_sf_shutdown_sent_prm_abort
5048 *
5049 * Inputs
5050 * (endpoint, asoc)
5051 *
5052 * The RFC does not explicitly address this issue, but is the route through the
5053 * state table when someone issues an abort while in SHUTDOWN-SENT state.
5054 *
5055 * Outputs
5056 * (timers)
5057 */
5058sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(
5059        struct net *net,
5060        const struct sctp_endpoint *ep,
5061        const struct sctp_association *asoc,
5062        const sctp_subtype_t type,
5063        void *arg,
5064        sctp_cmd_seq_t *commands)
5065{
5066        /* Stop the T2-shutdown timer.  */
5067        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5068                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5069
5070        /* Stop the T5-shutdown guard timer.  */
5071        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5072                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5073
5074        return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
5075}
5076
5077/*
5078 * sctp_sf_cookie_echoed_prm_abort
5079 *
5080 * Inputs
5081 * (endpoint, asoc)
5082 *
5083 * The RFC does not explcitly address this issue, but is the route through the
5084 * state table when someone issues an abort while in COOKIE_ECHOED state.
5085 *
5086 * Outputs
5087 * (timers)
5088 */
5089sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(
5090        struct net *net,
5091        const struct sctp_endpoint *ep,
5092        const struct sctp_association *asoc,
5093        const sctp_subtype_t type,
5094        void *arg,
5095        sctp_cmd_seq_t *commands)
5096{
5097        /* The same T2 timer, so we should be able to use
5098         * common function with the SHUTDOWN-SENT state.
5099         */
5100        return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg, commands);
5101}
5102
5103/*
5104 * Process the REQUESTHEARTBEAT primitive
5105 *
5106 * 10.1 ULP-to-SCTP
5107 * J) Request Heartbeat
5108 *
5109 * Format: REQUESTHEARTBEAT(association id, destination transport address)
5110 *
5111 * -> result
5112 *
5113 * Instructs the local endpoint to perform a HeartBeat on the specified
5114 * destination transport address of the given association. The returned
5115 * result should indicate whether the transmission of the HEARTBEAT
5116 * chunk to the destination address is successful.
5117 *
5118 * Mandatory attributes:
5119 *
5120 * o association id - local handle to the SCTP association
5121 *
5122 * o destination transport address - the transport address of the
5123 *   association on which a heartbeat should be issued.
5124 */
5125sctp_disposition_t sctp_sf_do_prm_requestheartbeat(
5126                                        struct net *net,
5127                                        const struct sctp_endpoint *ep,
5128                                        const struct sctp_association *asoc,
5129                                        const sctp_subtype_t type,
5130                                        void *arg,
5131                                        sctp_cmd_seq_t *commands)
5132{
5133        if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
5134                                      (struct sctp_transport *)arg, commands))
5135                return SCTP_DISPOSITION_NOMEM;
5136
5137        /*
5138         * RFC 2960 (bis), section 8.3
5139         *
5140         *    D) Request an on-demand HEARTBEAT on a specific destination
5141         *    transport address of a given association.
5142         *
5143         *    The endpoint should increment the respective error  counter of
5144         *    the destination transport address each time a HEARTBEAT is sent
5145         *    to that address and not acknowledged within one RTO.
5146         *
5147         */
5148        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5149                        SCTP_TRANSPORT(arg));
5150        return SCTP_DISPOSITION_CONSUME;
5151}
5152
5153/*
5154 * ADDIP Section 4.1 ASCONF Chunk Procedures
5155 * When an endpoint has an ASCONF signaled change to be sent to the
5156 * remote endpoint it should do A1 to A9
5157 */
5158sctp_disposition_t sctp_sf_do_prm_asconf(struct net *net,
5159                                        const struct sctp_endpoint *ep,
5160                                        const struct sctp_association *asoc,
5161                                        const sctp_subtype_t type,
5162                                        void *arg,
5163                                        sctp_cmd_seq_t *commands)
5164{
5165        struct sctp_chunk *chunk = arg;
5166
5167        sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5168        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5169                        SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5170        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5171        return SCTP_DISPOSITION_CONSUME;
5172}
5173
5174/*
5175 * Ignore the primitive event
5176 *
5177 * The return value is the disposition of the primitive.
5178 */
5179sctp_disposition_t sctp_sf_ignore_primitive(
5180        struct net *net,
5181        const struct sctp_endpoint *ep,
5182        const struct sctp_association *asoc,
5183        const sctp_subtype_t type,
5184        void *arg,
5185        sctp_cmd_seq_t *commands)
5186{
5187        SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive);
5188        return SCTP_DISPOSITION_DISCARD;
5189}
5190
5191/***************************************************************************
5192 * These are the state functions for the OTHER events.
5193 ***************************************************************************/
5194
5195/*
5196 * When the SCTP stack has no more user data to send or retransmit, this
5197 * notification is given to the user. Also, at the time when a user app
5198 * subscribes to this event, if there is no data to be sent or
5199 * retransmit, the stack will immediately send up this notification.
5200 */
5201sctp_disposition_t sctp_sf_do_no_pending_tsn(
5202        struct net *net,
5203        const struct sctp_endpoint *ep,
5204        const struct sctp_association *asoc,
5205        const sctp_subtype_t type,
5206        void *arg,
5207        sctp_cmd_seq_t *commands)
5208{
5209        struct sctp_ulpevent *event;
5210
5211        event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
5212        if (!event)
5213                return SCTP_DISPOSITION_NOMEM;
5214
5215        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
5216
5217        return SCTP_DISPOSITION_CONSUME;
5218}
5219
5220/*
5221 * Start the shutdown negotiation.
5222 *
5223 * From Section 9.2:
5224 * Once all its outstanding data has been acknowledged, the endpoint
5225 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5226 * TSN Ack field the last sequential TSN it has received from the peer.
5227 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5228 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5229 * with the updated last sequential TSN received from its peer.
5230 *
5231 * The return value is the disposition.
5232 */
5233sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
5234        struct net *net,
5235        const struct sctp_endpoint *ep,
5236        const struct sctp_association *asoc,
5237        const sctp_subtype_t type,
5238        void *arg,
5239        sctp_cmd_seq_t *commands)
5240{
5241        struct sctp_chunk *reply;
5242
5243        /* Once all its outstanding data has been acknowledged, the
5244         * endpoint shall send