linux/net/sctp/sm_statefuns.c
<<
>>
Prefs
   1/* SCTP kernel implementation
   2 * (C) Copyright IBM Corp. 2001, 2004
   3 * Copyright (c) 1999-2000 Cisco, Inc.
   4 * Copyright (c) 1999-2001 Motorola, Inc.
   5 * Copyright (c) 2001-2002 Intel Corp.
   6 * Copyright (c) 2002      Nokia Corp.
   7 *
   8 * This is part of the SCTP Linux Kernel Implementation.
   9 *
  10 * These are the state functions for the state machine.
  11 *
  12 * This SCTP implementation is free software;
  13 * you can redistribute it and/or modify it under the terms of
  14 * the GNU General Public License as published by
  15 * the Free Software Foundation; either version 2, or (at your option)
  16 * any later version.
  17 *
  18 * This SCTP implementation is distributed in the hope that it
  19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
  20 *                 ************************
  21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  22 * See the GNU General Public License for more details.
  23 *
  24 * You should have received a copy of the GNU General Public License
  25 * along with GNU CC; see the file COPYING.  If not, write to
  26 * the Free Software Foundation, 59 Temple Place - Suite 330,
  27 * Boston, MA 02111-1307, USA.
  28 *
  29 * Please send any bug reports or fixes you make to the
  30 * email address(es):
  31 *    lksctp developers <lksctp-developers@lists.sourceforge.net>
  32 *
  33 * Or submit a bug report through the following website:
  34 *    http://www.sf.net/projects/lksctp
  35 *
  36 * Written or modified by:
  37 *    La Monte H.P. Yarroll <piggy@acm.org>
  38 *    Karl Knutson          <karl@athena.chicago.il.us>
  39 *    Mathew Kotowsky       <kotowsky@sctp.org>
  40 *    Sridhar Samudrala     <samudrala@us.ibm.com>
  41 *    Jon Grimm             <jgrimm@us.ibm.com>
  42 *    Hui Huang             <hui.huang@nokia.com>
  43 *    Dajiang Zhang         <dajiang.zhang@nokia.com>
  44 *    Daisy Chang           <daisyc@us.ibm.com>
  45 *    Ardelle Fan           <ardelle.fan@intel.com>
  46 *    Ryan Layer            <rmlayer@us.ibm.com>
  47 *    Kevin Gao             <kevin.gao@intel.com>
  48 *
  49 * Any bugs reported given to us we will try to fix... any fixes shared will
  50 * be incorporated into the next SCTP release.
  51 */
  52
  53#include <linux/types.h>
  54#include <linux/kernel.h>
  55#include <linux/ip.h>
  56#include <linux/ipv6.h>
  57#include <linux/net.h>
  58#include <linux/inet.h>
  59#include <net/sock.h>
  60#include <net/inet_ecn.h>
  61#include <linux/skbuff.h>
  62#include <net/sctp/sctp.h>
  63#include <net/sctp/sm.h>
  64#include <net/sctp/structs.h>
  65
  66static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
  67                                  const struct sctp_association *asoc,
  68                                  struct sctp_chunk *chunk,
  69                                  const void *payload,
  70                                  size_t paylen);
  71static int sctp_eat_data(const struct sctp_association *asoc,
  72                         struct sctp_chunk *chunk,
  73                         sctp_cmd_seq_t *commands);
  74static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
  75                                             const struct sctp_chunk *chunk);
  76static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
  77                                       const struct sctp_association *asoc,
  78                                       const struct sctp_chunk *chunk,
  79                                       sctp_cmd_seq_t *commands,
  80                                       struct sctp_chunk *err_chunk);
  81static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
  82                                                 const struct sctp_association *asoc,
  83                                                 const sctp_subtype_t type,
  84                                                 void *arg,
  85                                                 sctp_cmd_seq_t *commands);
  86static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
  87                                             const struct sctp_association *asoc,
  88                                             const sctp_subtype_t type,
  89                                             void *arg,
  90                                             sctp_cmd_seq_t *commands);
  91static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
  92                                        const struct sctp_association *asoc,
  93                                        const sctp_subtype_t type,
  94                                        void *arg,
  95                                        sctp_cmd_seq_t *commands);
  96static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
  97
  98static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
  99                                           __be16 error, int sk_err,
 100                                           const struct sctp_association *asoc,
 101                                           struct sctp_transport *transport);
 102
 103static sctp_disposition_t sctp_sf_abort_violation(
 104                                     const struct sctp_endpoint *ep,
 105                                     const struct sctp_association *asoc,
 106                                     void *arg,
 107                                     sctp_cmd_seq_t *commands,
 108                                     const __u8 *payload,
 109                                     const size_t paylen);
 110
 111static sctp_disposition_t sctp_sf_violation_chunklen(
 112                                     const struct sctp_endpoint *ep,
 113                                     const struct sctp_association *asoc,
 114                                     const sctp_subtype_t type,
 115                                     void *arg,
 116                                     sctp_cmd_seq_t *commands);
 117
 118static sctp_disposition_t sctp_sf_violation_paramlen(
 119                                     const struct sctp_endpoint *ep,
 120                                     const struct sctp_association *asoc,
 121                                     const sctp_subtype_t type,
 122                                     void *arg, void *ext,
 123                                     sctp_cmd_seq_t *commands);
 124
 125static sctp_disposition_t sctp_sf_violation_ctsn(
 126                                     const struct sctp_endpoint *ep,
 127                                     const struct sctp_association *asoc,
 128                                     const sctp_subtype_t type,
 129                                     void *arg,
 130                                     sctp_cmd_seq_t *commands);
 131
 132static sctp_disposition_t sctp_sf_violation_chunk(
 133                                     const struct sctp_endpoint *ep,
 134                                     const struct sctp_association *asoc,
 135                                     const sctp_subtype_t type,
 136                                     void *arg,
 137                                     sctp_cmd_seq_t *commands);
 138
 139static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
 140                                    const struct sctp_association *asoc,
 141                                    const sctp_subtype_t type,
 142                                    struct sctp_chunk *chunk);
 143
 144static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
 145                                        const struct sctp_association *asoc,
 146                                        const sctp_subtype_t type,
 147                                        void *arg,
 148                                        sctp_cmd_seq_t *commands);
 149
 150/* Small helper function that checks if the chunk length
 151 * is of the appropriate length.  The 'required_length' argument
 152 * is set to be the size of a specific chunk we are testing.
 153 * Return Values:  1 = Valid length
 154 *                 0 = Invalid length
 155 *
 156 */
 157static inline int
 158sctp_chunk_length_valid(struct sctp_chunk *chunk,
 159                           __u16 required_length)
 160{
 161        __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
 162
 163        if (unlikely(chunk_length < required_length))
 164                return 0;
 165
 166        return 1;
 167}
 168
 169/**********************************************************
 170 * These are the state functions for handling chunk events.
 171 **********************************************************/
 172
 173/*
 174 * Process the final SHUTDOWN COMPLETE.
 175 *
 176 * Section: 4 (C) (diagram), 9.2
 177 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
 178 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
 179 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
 180 * should stop the T2-shutdown timer and remove all knowledge of the
 181 * association (and thus the association enters the CLOSED state).
 182 *
 183 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
 184 * C) Rules for packet carrying SHUTDOWN COMPLETE:
 185 * ...
 186 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
 187 *   if the Verification Tag field of the packet matches its own tag and
 188 *   the T bit is not set
 189 *   OR
 190 *   it is set to its peer's tag and the T bit is set in the Chunk
 191 *   Flags.
 192 *   Otherwise, the receiver MUST silently discard the packet
 193 *   and take no further action.  An endpoint MUST ignore the
 194 *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
 195 *
 196 * Inputs
 197 * (endpoint, asoc, chunk)
 198 *
 199 * Outputs
 200 * (asoc, reply_msg, msg_up, timers, counters)
 201 *
 202 * The return value is the disposition of the chunk.
 203 */
 204sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,
 205                                  const struct sctp_association *asoc,
 206                                  const sctp_subtype_t type,
 207                                  void *arg,
 208                                  sctp_cmd_seq_t *commands)
 209{
 210        struct sctp_chunk *chunk = arg;
 211        struct sctp_ulpevent *ev;
 212
 213        if (!sctp_vtag_verify_either(chunk, asoc))
 214                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 215
 216        /* RFC 2960 6.10 Bundling
 217         *
 218         * An endpoint MUST NOT bundle INIT, INIT ACK or
 219         * SHUTDOWN COMPLETE with any other chunks.
 220         */
 221        if (!chunk->singleton)
 222                return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
 223
 224        /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
 225        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 226                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
 227                                                  commands);
 228
 229        /* RFC 2960 10.2 SCTP-to-ULP
 230         *
 231         * H) SHUTDOWN COMPLETE notification
 232         *
 233         * When SCTP completes the shutdown procedures (section 9.2) this
 234         * notification is passed to the upper layer.
 235         */
 236        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
 237                                             0, 0, 0, NULL, GFP_ATOMIC);
 238        if (ev)
 239                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 240                                SCTP_ULPEVENT(ev));
 241
 242        /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
 243         * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
 244         * not the chunk should be discarded. If the endpoint is in
 245         * the SHUTDOWN-ACK-SENT state the endpoint should stop the
 246         * T2-shutdown timer and remove all knowledge of the
 247         * association (and thus the association enters the CLOSED
 248         * state).
 249         */
 250        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 251                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
 252
 253        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 254                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
 255
 256        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 257                        SCTP_STATE(SCTP_STATE_CLOSED));
 258
 259        SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
 260        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
 261
 262        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 263
 264        return SCTP_DISPOSITION_DELETE_TCB;
 265}
 266
 267/*
 268 * Respond to a normal INIT chunk.
 269 * We are the side that is being asked for an association.
 270 *
 271 * Section: 5.1 Normal Establishment of an Association, B
 272 * B) "Z" shall respond immediately with an INIT ACK chunk.  The
 273 *    destination IP address of the INIT ACK MUST be set to the source
 274 *    IP address of the INIT to which this INIT ACK is responding.  In
 275 *    the response, besides filling in other parameters, "Z" must set the
 276 *    Verification Tag field to Tag_A, and also provide its own
 277 *    Verification Tag (Tag_Z) in the Initiate Tag field.
 278 *
 279 * Verification Tag: Must be 0.
 280 *
 281 * Inputs
 282 * (endpoint, asoc, chunk)
 283 *
 284 * Outputs
 285 * (asoc, reply_msg, msg_up, timers, counters)
 286 *
 287 * The return value is the disposition of the chunk.
 288 */
 289sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
 290                                        const struct sctp_association *asoc,
 291                                        const sctp_subtype_t type,
 292                                        void *arg,
 293                                        sctp_cmd_seq_t *commands)
 294{
 295        struct sctp_chunk *chunk = arg;
 296        struct sctp_chunk *repl;
 297        struct sctp_association *new_asoc;
 298        struct sctp_chunk *err_chunk;
 299        struct sctp_packet *packet;
 300        sctp_unrecognized_param_t *unk_param;
 301        int len;
 302
 303        /* 6.10 Bundling
 304         * An endpoint MUST NOT bundle INIT, INIT ACK or
 305         * SHUTDOWN COMPLETE with any other chunks.
 306         *
 307         * IG Section 2.11.2
 308         * Furthermore, we require that the receiver of an INIT chunk MUST
 309         * enforce these rules by silently discarding an arriving packet
 310         * with an INIT chunk that is bundled with other chunks.
 311         */
 312        if (!chunk->singleton)
 313                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 314
 315        /* If the packet is an OOTB packet which is temporarily on the
 316         * control endpoint, respond with an ABORT.
 317         */
 318        if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
 319                SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
 320                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 321        }
 322
 323        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
 324         * Tag.
 325         */
 326        if (chunk->sctp_hdr->vtag != 0)
 327                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 328
 329        /* Make sure that the INIT chunk has a valid length.
 330         * Normally, this would cause an ABORT with a Protocol Violation
 331         * error, but since we don't have an association, we'll
 332         * just discard the packet.
 333         */
 334        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
 335                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 336
 337        /* Verify the INIT chunk before processing it. */
 338        err_chunk = NULL;
 339        if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
 340                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
 341                              &err_chunk)) {
 342                /* This chunk contains fatal error. It is to be discarded.
 343                 * Send an ABORT, with causes if there is any.
 344                 */
 345                if (err_chunk) {
 346                        packet = sctp_abort_pkt_new(ep, asoc, arg,
 347                                        (__u8 *)(err_chunk->chunk_hdr) +
 348                                        sizeof(sctp_chunkhdr_t),
 349                                        ntohs(err_chunk->chunk_hdr->length) -
 350                                        sizeof(sctp_chunkhdr_t));
 351
 352                        sctp_chunk_free(err_chunk);
 353
 354                        if (packet) {
 355                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 356                                                SCTP_PACKET(packet));
 357                                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
 358                                return SCTP_DISPOSITION_CONSUME;
 359                        } else {
 360                                return SCTP_DISPOSITION_NOMEM;
 361                        }
 362                } else {
 363                        return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
 364                                                    commands);
 365                }
 366        }
 367
 368        /* Grab the INIT header.  */
 369        chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
 370
 371        /* Tag the variable length parameters.  */
 372        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
 373
 374        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
 375        if (!new_asoc)
 376                goto nomem;
 377
 378        /* The call, sctp_process_init(), can fail on memory allocation.  */
 379        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
 380                               sctp_source(chunk),
 381                               (sctp_init_chunk_t *)chunk->chunk_hdr,
 382                               GFP_ATOMIC))
 383                goto nomem_init;
 384
 385        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
 386
 387        /* If there are errors need to be reported for unknown parameters,
 388         * make sure to reserve enough room in the INIT ACK for them.
 389         */
 390        len = 0;
 391        if (err_chunk)
 392                len = ntohs(err_chunk->chunk_hdr->length) -
 393                        sizeof(sctp_chunkhdr_t);
 394
 395        if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0)
 396                goto nomem_init;
 397
 398        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
 399        if (!repl)
 400                goto nomem_init;
 401
 402        /* If there are errors need to be reported for unknown parameters,
 403         * include them in the outgoing INIT ACK as "Unrecognized parameter"
 404         * parameter.
 405         */
 406        if (err_chunk) {
 407                /* Get the "Unrecognized parameter" parameter(s) out of the
 408                 * ERROR chunk generated by sctp_verify_init(). Since the
 409                 * error cause code for "unknown parameter" and the
 410                 * "Unrecognized parameter" type is the same, we can
 411                 * construct the parameters in INIT ACK by copying the
 412                 * ERROR causes over.
 413                 */
 414                unk_param = (sctp_unrecognized_param_t *)
 415                            ((__u8 *)(err_chunk->chunk_hdr) +
 416                            sizeof(sctp_chunkhdr_t));
 417                /* Replace the cause code with the "Unrecognized parameter"
 418                 * parameter type.
 419                 */
 420                sctp_addto_chunk(repl, len, unk_param);
 421                sctp_chunk_free(err_chunk);
 422        }
 423
 424        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 425
 426        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 427
 428        /*
 429         * Note:  After sending out INIT ACK with the State Cookie parameter,
 430         * "Z" MUST NOT allocate any resources, nor keep any states for the
 431         * new association.  Otherwise, "Z" will be vulnerable to resource
 432         * attacks.
 433         */
 434        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 435
 436        return SCTP_DISPOSITION_DELETE_TCB;
 437
 438nomem_init:
 439        sctp_association_free(new_asoc);
 440nomem:
 441        if (err_chunk)
 442                sctp_chunk_free(err_chunk);
 443        return SCTP_DISPOSITION_NOMEM;
 444}
 445
 446/*
 447 * Respond to a normal INIT ACK chunk.
 448 * We are the side that is initiating the association.
 449 *
 450 * Section: 5.1 Normal Establishment of an Association, C
 451 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
 452 *    timer and leave COOKIE-WAIT state. "A" shall then send the State
 453 *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
 454 *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
 455 *
 456 *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
 457 *    DATA chunks, but it MUST be the first chunk in the packet and
 458 *    until the COOKIE ACK is returned the sender MUST NOT send any
 459 *    other packets to the peer.
 460 *
 461 * Verification Tag: 3.3.3
 462 *   If the value of the Initiate Tag in a received INIT ACK chunk is
 463 *   found to be 0, the receiver MUST treat it as an error and close the
 464 *   association by transmitting an ABORT.
 465 *
 466 * Inputs
 467 * (endpoint, asoc, chunk)
 468 *
 469 * Outputs
 470 * (asoc, reply_msg, msg_up, timers, counters)
 471 *
 472 * The return value is the disposition of the chunk.
 473 */
 474sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
 475                                       const struct sctp_association *asoc,
 476                                       const sctp_subtype_t type,
 477                                       void *arg,
 478                                       sctp_cmd_seq_t *commands)
 479{
 480        struct sctp_chunk *chunk = arg;
 481        sctp_init_chunk_t *initchunk;
 482        struct sctp_chunk *err_chunk;
 483        struct sctp_packet *packet;
 484
 485        if (!sctp_vtag_verify(chunk, asoc))
 486                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 487
 488        /* 6.10 Bundling
 489         * An endpoint MUST NOT bundle INIT, INIT ACK or
 490         * SHUTDOWN COMPLETE with any other chunks.
 491         */
 492        if (!chunk->singleton)
 493                return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
 494
 495        /* Make sure that the INIT-ACK chunk has a valid length */
 496        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
 497                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
 498                                                  commands);
 499        /* Grab the INIT header.  */
 500        chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
 501
 502        /* Verify the INIT chunk before processing it. */
 503        err_chunk = NULL;
 504        if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
 505                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
 506                              &err_chunk)) {
 507
 508                sctp_error_t error = SCTP_ERROR_NO_RESOURCE;
 509
 510                /* This chunk contains fatal error. It is to be discarded.
 511                 * Send an ABORT, with causes.  If there are no causes,
 512                 * then there wasn't enough memory.  Just terminate
 513                 * the association.
 514                 */
 515                if (err_chunk) {
 516                        packet = sctp_abort_pkt_new(ep, asoc, arg,
 517                                        (__u8 *)(err_chunk->chunk_hdr) +
 518                                        sizeof(sctp_chunkhdr_t),
 519                                        ntohs(err_chunk->chunk_hdr->length) -
 520                                        sizeof(sctp_chunkhdr_t));
 521
 522                        sctp_chunk_free(err_chunk);
 523
 524                        if (packet) {
 525                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 526                                                SCTP_PACKET(packet));
 527                                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
 528                                error = SCTP_ERROR_INV_PARAM;
 529                        }
 530                }
 531
 532                /* SCTP-AUTH, Section 6.3:
 533                 *    It should be noted that if the receiver wants to tear
 534                 *    down an association in an authenticated way only, the
 535                 *    handling of malformed packets should not result in
 536                 *    tearing down the association.
 537                 *
 538                 * This means that if we only want to abort associations
 539                 * in an authenticated way (i.e AUTH+ABORT), then we
 540                 * can't destroy this association just becuase the packet
 541                 * was malformed.
 542                 */
 543                if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
 544                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 545
 546                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
 547                return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED,
 548                                                asoc, chunk->transport);
 549        }
 550
 551        /* Tag the variable length parameters.  Note that we never
 552         * convert the parameters in an INIT chunk.
 553         */
 554        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
 555
 556        initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
 557
 558        sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
 559                        SCTP_PEER_INIT(initchunk));
 560
 561        /* Reset init error count upon receipt of INIT-ACK.  */
 562        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 563
 564        /* 5.1 C) "A" shall stop the T1-init timer and leave
 565         * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
 566         * timer, and enter the COOKIE-ECHOED state.
 567         */
 568        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 569                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
 570        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 571                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 572        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 573                        SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
 574
 575        /* SCTP-AUTH: genereate the assocition shared keys so that
 576         * we can potentially signe the COOKIE-ECHO.
 577         */
 578        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
 579
 580        /* 5.1 C) "A" shall then send the State Cookie received in the
 581         * INIT ACK chunk in a COOKIE ECHO chunk, ...
 582         */
 583        /* If there is any errors to report, send the ERROR chunk generated
 584         * for unknown parameters as well.
 585         */
 586        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
 587                        SCTP_CHUNK(err_chunk));
 588
 589        return SCTP_DISPOSITION_CONSUME;
 590}
 591
 592/*
 593 * Respond to a normal COOKIE ECHO chunk.
 594 * We are the side that is being asked for an association.
 595 *
 596 * Section: 5.1 Normal Establishment of an Association, D
 597 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
 598 *    with a COOKIE ACK chunk after building a TCB and moving to
 599 *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
 600 *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
 601 *    chunk MUST be the first chunk in the packet.
 602 *
 603 *   IMPLEMENTATION NOTE: An implementation may choose to send the
 604 *   Communication Up notification to the SCTP user upon reception
 605 *   of a valid COOKIE ECHO chunk.
 606 *
 607 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
 608 * D) Rules for packet carrying a COOKIE ECHO
 609 *
 610 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
 611 *   Initial Tag received in the INIT ACK.
 612 *
 613 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
 614 *
 615 * Inputs
 616 * (endpoint, asoc, chunk)
 617 *
 618 * Outputs
 619 * (asoc, reply_msg, msg_up, timers, counters)
 620 *
 621 * The return value is the disposition of the chunk.
 622 */
 623sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
 624                                      const struct sctp_association *asoc,
 625                                      const sctp_subtype_t type, void *arg,
 626                                      sctp_cmd_seq_t *commands)
 627{
 628        struct sctp_chunk *chunk = arg;
 629        struct sctp_association *new_asoc;
 630        sctp_init_chunk_t *peer_init;
 631        struct sctp_chunk *repl;
 632        struct sctp_ulpevent *ev, *ai_ev = NULL;
 633        int error = 0;
 634        struct sctp_chunk *err_chk_p;
 635        struct sock *sk;
 636
 637        /* If the packet is an OOTB packet which is temporarily on the
 638         * control endpoint, respond with an ABORT.
 639         */
 640        if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
 641                SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
 642                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 643        }
 644
 645        /* Make sure that the COOKIE_ECHO chunk has a valid length.
 646         * In this case, we check that we have enough for at least a
 647         * chunk header.  More detailed verification is done
 648         * in sctp_unpack_cookie().
 649         */
 650        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 651                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 652
 653        /* If the endpoint is not listening or if the number of associations
 654         * on the TCP-style socket exceed the max backlog, respond with an
 655         * ABORT.
 656         */
 657        sk = ep->base.sk;
 658        if (!sctp_sstate(sk, LISTENING) ||
 659            (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
 660                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 661
 662        /* "Decode" the chunk.  We have no optional parameters so we
 663         * are in good shape.
 664         */
 665        chunk->subh.cookie_hdr =
 666                (struct sctp_signed_cookie *)chunk->skb->data;
 667        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
 668                                         sizeof(sctp_chunkhdr_t)))
 669                goto nomem;
 670
 671        /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
 672         * "Z" will reply with a COOKIE ACK chunk after building a TCB
 673         * and moving to the ESTABLISHED state.
 674         */
 675        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
 676                                      &err_chk_p);
 677
 678        /* FIXME:
 679         * If the re-build failed, what is the proper error path
 680         * from here?
 681         *
 682         * [We should abort the association. --piggy]
 683         */
 684        if (!new_asoc) {
 685                /* FIXME: Several errors are possible.  A bad cookie should
 686                 * be silently discarded, but think about logging it too.
 687                 */
 688                switch (error) {
 689                case -SCTP_IERROR_NOMEM:
 690                        goto nomem;
 691
 692                case -SCTP_IERROR_STALE_COOKIE:
 693                        sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
 694                                                   err_chk_p);
 695                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 696
 697                case -SCTP_IERROR_BAD_SIG:
 698                default:
 699                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 700                }
 701        }
 702
 703
 704        /* Delay state machine commands until later.
 705         *
 706         * Re-build the bind address for the association is done in
 707         * the sctp_unpack_cookie() already.
 708         */
 709        /* This is a brand-new association, so these are not yet side
 710         * effects--it is safe to run them here.
 711         */
 712        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
 713
 714        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
 715                               &chunk->subh.cookie_hdr->c.peer_addr,
 716                               peer_init, GFP_ATOMIC))
 717                goto nomem_init;
 718
 719        /* SCTP-AUTH:  Now that we've populate required fields in
 720         * sctp_process_init, set up the assocaition shared keys as
 721         * necessary so that we can potentially authenticate the ACK
 722         */
 723        error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
 724        if (error)
 725                goto nomem_init;
 726
 727        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
 728         * is supposed to be authenticated and we have to do delayed
 729         * authentication.  We've just recreated the association using
 730         * the information in the cookie and now it's much easier to
 731         * do the authentication.
 732         */
 733        if (chunk->auth_chunk) {
 734                struct sctp_chunk auth;
 735                sctp_ierror_t ret;
 736
 737                /* set-up our fake chunk so that we can process it */
 738                auth.skb = chunk->auth_chunk;
 739                auth.asoc = chunk->asoc;
 740                auth.sctp_hdr = chunk->sctp_hdr;
 741                auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
 742                                            sizeof(sctp_chunkhdr_t));
 743                skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
 744                auth.transport = chunk->transport;
 745
 746                ret = sctp_sf_authenticate(ep, new_asoc, type, &auth);
 747
 748                /* We can now safely free the auth_chunk clone */
 749                kfree_skb(chunk->auth_chunk);
 750
 751                if (ret != SCTP_IERROR_NO_ERROR) {
 752                        sctp_association_free(new_asoc);
 753                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 754                }
 755        }
 756
 757        repl = sctp_make_cookie_ack(new_asoc, chunk);
 758        if (!repl)
 759                goto nomem_init;
 760
 761        /* RFC 2960 5.1 Normal Establishment of an Association
 762         *
 763         * D) IMPLEMENTATION NOTE: An implementation may choose to
 764         * send the Communication Up notification to the SCTP user
 765         * upon reception of a valid COOKIE ECHO chunk.
 766         */
 767        ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
 768                                             new_asoc->c.sinit_num_ostreams,
 769                                             new_asoc->c.sinit_max_instreams,
 770                                             NULL, GFP_ATOMIC);
 771        if (!ev)
 772                goto nomem_ev;
 773
 774        /* Sockets API Draft Section 5.3.1.6
 775         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 776         * delivers this notification to inform the application that of the
 777         * peers requested adaptation layer.
 778         */
 779        if (new_asoc->peer.adaptation_ind) {
 780                ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
 781                                                            GFP_ATOMIC);
 782                if (!ai_ev)
 783                        goto nomem_aiev;
 784        }
 785
 786        /* Add all the state machine commands now since we've created
 787         * everything.  This way we don't introduce memory corruptions
 788         * during side-effect processing and correclty count established
 789         * associations.
 790         */
 791        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 792        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 793                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 794        SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
 795        SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS);
 796        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 797
 798        if (new_asoc->autoclose)
 799                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 800                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 801
 802        /* This will send the COOKIE ACK */
 803        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 804
 805        /* Queue the ASSOC_CHANGE event */
 806        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 807
 808        /* Send up the Adaptation Layer Indication event */
 809        if (ai_ev)
 810                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 811                                SCTP_ULPEVENT(ai_ev));
 812
 813        return SCTP_DISPOSITION_CONSUME;
 814
 815nomem_aiev:
 816        sctp_ulpevent_free(ev);
 817nomem_ev:
 818        sctp_chunk_free(repl);
 819nomem_init:
 820        sctp_association_free(new_asoc);
 821nomem:
 822        return SCTP_DISPOSITION_NOMEM;
 823}
 824
 825/*
 826 * Respond to a normal COOKIE ACK chunk.
 827 * We are the side that is being asked for an association.
 828 *
 829 * RFC 2960 5.1 Normal Establishment of an Association
 830 *
 831 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
 832 *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
 833 *    timer. It may also notify its ULP about the successful
 834 *    establishment of the association with a Communication Up
 835 *    notification (see Section 10).
 836 *
 837 * Verification Tag:
 838 * Inputs
 839 * (endpoint, asoc, chunk)
 840 *
 841 * Outputs
 842 * (asoc, reply_msg, msg_up, timers, counters)
 843 *
 844 * The return value is the disposition of the chunk.
 845 */
 846sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,
 847                                      const struct sctp_association *asoc,
 848                                      const sctp_subtype_t type, void *arg,
 849                                      sctp_cmd_seq_t *commands)
 850{
 851        struct sctp_chunk *chunk = arg;
 852        struct sctp_ulpevent *ev;
 853
 854        if (!sctp_vtag_verify(chunk, asoc))
 855                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 856
 857        /* Verify that the chunk length for the COOKIE-ACK is OK.
 858         * If we don't do this, any bundled chunks may be junked.
 859         */
 860        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 861                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
 862                                                  commands);
 863
 864        /* Reset init error count upon receipt of COOKIE-ACK,
 865         * to avoid problems with the managemement of this
 866         * counter in stale cookie situations when a transition back
 867         * from the COOKIE-ECHOED state to the COOKIE-WAIT
 868         * state is performed.
 869         */
 870        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 871
 872        /* RFC 2960 5.1 Normal Establishment of an Association
 873         *
 874         * E) Upon reception of the COOKIE ACK, endpoint "A" will move
 875         * from the COOKIE-ECHOED state to the ESTABLISHED state,
 876         * stopping the T1-cookie timer.
 877         */
 878        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 879                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 880        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 881                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 882        SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
 883        SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS);
 884        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 885        if (asoc->autoclose)
 886                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 887                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 888
 889        /* It may also notify its ULP about the successful
 890         * establishment of the association with a Communication Up
 891         * notification (see Section 10).
 892         */
 893        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
 894                                             0, asoc->c.sinit_num_ostreams,
 895                                             asoc->c.sinit_max_instreams,
 896                                             NULL, GFP_ATOMIC);
 897
 898        if (!ev)
 899                goto nomem;
 900
 901        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 902
 903        /* Sockets API Draft Section 5.3.1.6
 904         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 905         * delivers this notification to inform the application that of the
 906         * peers requested adaptation layer.
 907         */
 908        if (asoc->peer.adaptation_ind) {
 909                ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
 910                if (!ev)
 911                        goto nomem;
 912
 913                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 914                                SCTP_ULPEVENT(ev));
 915        }
 916
 917        return SCTP_DISPOSITION_CONSUME;
 918nomem:
 919        return SCTP_DISPOSITION_NOMEM;
 920}
 921
 922/* Generate and sendout a heartbeat packet.  */
 923static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
 924                                            const struct sctp_association *asoc,
 925                                            const sctp_subtype_t type,
 926                                            void *arg,
 927                                            sctp_cmd_seq_t *commands)
 928{
 929        struct sctp_transport *transport = (struct sctp_transport *) arg;
 930        struct sctp_chunk *reply;
 931        sctp_sender_hb_info_t hbinfo;
 932        size_t paylen = 0;
 933
 934        hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
 935        hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
 936        hbinfo.daddr = transport->ipaddr;
 937        hbinfo.sent_at = jiffies;
 938        hbinfo.hb_nonce = transport->hb_nonce;
 939
 940        /* Send a heartbeat to our peer.  */
 941        paylen = sizeof(sctp_sender_hb_info_t);
 942        reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen);
 943        if (!reply)
 944                return SCTP_DISPOSITION_NOMEM;
 945
 946        /* Set rto_pending indicating that an RTT measurement
 947         * is started with this heartbeat chunk.
 948         */
 949        sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
 950                        SCTP_TRANSPORT(transport));
 951
 952        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
 953        return SCTP_DISPOSITION_CONSUME;
 954}
 955
 956/* Generate a HEARTBEAT packet on the given transport.  */
 957sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep,
 958                                        const struct sctp_association *asoc,
 959                                        const sctp_subtype_t type,
 960                                        void *arg,
 961                                        sctp_cmd_seq_t *commands)
 962{
 963        struct sctp_transport *transport = (struct sctp_transport *) arg;
 964
 965        if (asoc->overall_error_count > asoc->max_retrans) {
 966                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
 967                                SCTP_ERROR(ETIMEDOUT));
 968                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
 969                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
 970                                SCTP_PERR(SCTP_ERROR_NO_ERROR));
 971                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
 972                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
 973                return SCTP_DISPOSITION_DELETE_TCB;
 974        }
 975
 976        /* Section 3.3.5.
 977         * The Sender-specific Heartbeat Info field should normally include
 978         * information about the sender's current time when this HEARTBEAT
 979         * chunk is sent and the destination transport address to which this
 980         * HEARTBEAT is sent (see Section 8.3).
 981         */
 982
 983        if (transport->param_flags & SPP_HB_ENABLE) {
 984                if (SCTP_DISPOSITION_NOMEM ==
 985                                sctp_sf_heartbeat(ep, asoc, type, arg,
 986                                                  commands))
 987                        return SCTP_DISPOSITION_NOMEM;
 988                /* Set transport error counter and association error counter
 989                 * when sending heartbeat.
 990                 */
 991                sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
 992                                SCTP_TRANSPORT(transport));
 993                sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
 994                                SCTP_TRANSPORT(transport));
 995        }
 996        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
 997                        SCTP_TRANSPORT(transport));
 998
 999        return SCTP_DISPOSITION_CONSUME;
1000}
1001
1002/*
1003 * Process an heartbeat request.
1004 *
1005 * Section: 8.3 Path Heartbeat
1006 * The receiver of the HEARTBEAT should immediately respond with a
1007 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1008 * from the received HEARTBEAT chunk.
1009 *
1010 * Verification Tag:  8.5 Verification Tag [Normal verification]
1011 * When receiving an SCTP packet, the endpoint MUST ensure that the
1012 * value in the Verification Tag field of the received SCTP packet
1013 * matches its own Tag. If the received Verification Tag value does not
1014 * match the receiver's own tag value, the receiver shall silently
1015 * discard the packet and shall not process it any further except for
1016 * those cases listed in Section 8.5.1 below.
1017 *
1018 * Inputs
1019 * (endpoint, asoc, chunk)
1020 *
1021 * Outputs
1022 * (asoc, reply_msg, msg_up, timers, counters)
1023 *
1024 * The return value is the disposition of the chunk.
1025 */
1026sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
1027                                    const struct sctp_association *asoc,
1028                                    const sctp_subtype_t type,
1029                                    void *arg,
1030                                    sctp_cmd_seq_t *commands)
1031{
1032        struct sctp_chunk *chunk = arg;
1033        struct sctp_chunk *reply;
1034        size_t paylen = 0;
1035
1036        if (!sctp_vtag_verify(chunk, asoc))
1037                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1038
1039        /* Make sure that the HEARTBEAT chunk has a valid length. */
1040        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1041                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1042                                                  commands);
1043
1044        /* 8.3 The receiver of the HEARTBEAT should immediately
1045         * respond with a HEARTBEAT ACK that contains the Heartbeat
1046         * Information field copied from the received HEARTBEAT chunk.
1047         */
1048        chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
1049        paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
1050        if (!pskb_pull(chunk->skb, paylen))
1051                goto nomem;
1052
1053        reply = sctp_make_heartbeat_ack(asoc, chunk,
1054                                        chunk->subh.hb_hdr, paylen);
1055        if (!reply)
1056                goto nomem;
1057
1058        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1059        return SCTP_DISPOSITION_CONSUME;
1060
1061nomem:
1062        return SCTP_DISPOSITION_NOMEM;
1063}
1064
1065/*
1066 * Process the returning HEARTBEAT ACK.
1067 *
1068 * Section: 8.3 Path Heartbeat
1069 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1070 * should clear the error counter of the destination transport
1071 * address to which the HEARTBEAT was sent, and mark the destination
1072 * transport address as active if it is not so marked. The endpoint may
1073 * optionally report to the upper layer when an inactive destination
1074 * address is marked as active due to the reception of the latest
1075 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1076 * clear the association overall error count as well (as defined
1077 * in section 8.1).
1078 *
1079 * The receiver of the HEARTBEAT ACK should also perform an RTT
1080 * measurement for that destination transport address using the time
1081 * value carried in the HEARTBEAT ACK chunk.
1082 *
1083 * Verification Tag:  8.5 Verification Tag [Normal verification]
1084 *
1085 * Inputs
1086 * (endpoint, asoc, chunk)
1087 *
1088 * Outputs
1089 * (asoc, reply_msg, msg_up, timers, counters)
1090 *
1091 * The return value is the disposition of the chunk.
1092 */
1093sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
1094                                        const struct sctp_association *asoc,
1095                                        const sctp_subtype_t type,
1096                                        void *arg,
1097                                        sctp_cmd_seq_t *commands)
1098{
1099        struct sctp_chunk *chunk = arg;
1100        union sctp_addr from_addr;
1101        struct sctp_transport *link;
1102        sctp_sender_hb_info_t *hbinfo;
1103        unsigned long max_interval;
1104
1105        if (!sctp_vtag_verify(chunk, asoc))
1106                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1107
1108        /* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */
1109        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1110                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1111                                                  commands);
1112
1113        hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1114        /* Make sure that the length of the parameter is what we expect */
1115        if (ntohs(hbinfo->param_hdr.length) !=
1116                                    sizeof(sctp_sender_hb_info_t)) {
1117                return SCTP_DISPOSITION_DISCARD;
1118        }
1119
1120        from_addr = hbinfo->daddr;
1121        link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1122
1123        /* This should never happen, but lets log it if so.  */
1124        if (unlikely(!link)) {
1125                if (from_addr.sa.sa_family == AF_INET6) {
1126                        if (net_ratelimit())
1127                                printk(KERN_WARNING
1128                                    "%s association %p could not find address %pI6\n",
1129                                    __func__,
1130                                    asoc,
1131                                    &from_addr.v6.sin6_addr);
1132                } else {
1133                        if (net_ratelimit())
1134                                printk(KERN_WARNING
1135                                    "%s association %p could not find address %pI4\n",
1136                                    __func__,
1137                                    asoc,
1138                                    &from_addr.v4.sin_addr.s_addr);
1139                }
1140                return SCTP_DISPOSITION_DISCARD;
1141        }
1142
1143        /* Validate the 64-bit random nonce. */
1144        if (hbinfo->hb_nonce != link->hb_nonce)
1145                return SCTP_DISPOSITION_DISCARD;
1146
1147        max_interval = link->hbinterval + link->rto;
1148
1149        /* Check if the timestamp looks valid.  */
1150        if (time_after(hbinfo->sent_at, jiffies) ||
1151            time_after(jiffies, hbinfo->sent_at + max_interval)) {
1152                SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp "
1153                                  "received for transport: %p\n",
1154                                   __func__, link);
1155                return SCTP_DISPOSITION_DISCARD;
1156        }
1157
1158        /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1159         * the HEARTBEAT should clear the error counter of the
1160         * destination transport address to which the HEARTBEAT was
1161         * sent and mark the destination transport address as active if
1162         * it is not so marked.
1163         */
1164        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1165
1166        return SCTP_DISPOSITION_CONSUME;
1167}
1168
1169/* Helper function to send out an abort for the restart
1170 * condition.
1171 */
1172static int sctp_sf_send_restart_abort(union sctp_addr *ssa,
1173                                      struct sctp_chunk *init,
1174                                      sctp_cmd_seq_t *commands)
1175{
1176        int len;
1177        struct sctp_packet *pkt;
1178        union sctp_addr_param *addrparm;
1179        struct sctp_errhdr *errhdr;
1180        struct sctp_endpoint *ep;
1181        char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1182        struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1183
1184        /* Build the error on the stack.   We are way to malloc crazy
1185         * throughout the code today.
1186         */
1187        errhdr = (struct sctp_errhdr *)buffer;
1188        addrparm = (union sctp_addr_param *)errhdr->variable;
1189
1190        /* Copy into a parm format. */
1191        len = af->to_addr_param(ssa, addrparm);
1192        len += sizeof(sctp_errhdr_t);
1193
1194        errhdr->cause = SCTP_ERROR_RESTART;
1195        errhdr->length = htons(len);
1196
1197        /* Assign to the control socket. */
1198        ep = sctp_sk((sctp_get_ctl_sock()))->ep;
1199
1200        /* Association is NULL since this may be a restart attack and we
1201         * want to send back the attacker's vtag.
1202         */
1203        pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len);
1204
1205        if (!pkt)
1206                goto out;
1207        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1208
1209        SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1210
1211        /* Discard the rest of the inbound packet. */
1212        sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1213
1214out:
1215        /* Even if there is no memory, treat as a failure so
1216         * the packet will get dropped.
1217         */
1218        return 0;
1219}
1220
1221/* A restart is occurring, check to make sure no new addresses
1222 * are being added as we may be under a takeover attack.
1223 */
1224static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1225                                       const struct sctp_association *asoc,
1226                                       struct sctp_chunk *init,
1227                                       sctp_cmd_seq_t *commands)
1228{
1229        struct sctp_transport *new_addr, *addr;
1230        int found;
1231
1232        /* Implementor's Guide - Sectin 5.2.2
1233         * ...
1234         * Before responding the endpoint MUST check to see if the
1235         * unexpected INIT adds new addresses to the association. If new
1236         * addresses are added to the association, the endpoint MUST respond
1237         * with an ABORT..
1238         */
1239
1240        /* Search through all current addresses and make sure
1241         * we aren't adding any new ones.
1242         */
1243        new_addr = NULL;
1244        found = 0;
1245
1246        list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1247                        transports) {
1248                found = 0;
1249                list_for_each_entry(addr, &asoc->peer.transport_addr_list,
1250                                transports) {
1251                        if (sctp_cmp_addr_exact(&new_addr->ipaddr,
1252                                                &addr->ipaddr)) {
1253                                found = 1;
1254                                break;
1255                        }
1256                }
1257                if (!found)
1258                        break;
1259        }
1260
1261        /* If a new address was added, ABORT the sender. */
1262        if (!found && new_addr) {
1263                sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands);
1264        }
1265
1266        /* Return success if all addresses were found. */
1267        return found;
1268}
1269
1270/* Populate the verification/tie tags based on overlapping INIT
1271 * scenario.
1272 *
1273 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1274 */
1275static void sctp_tietags_populate(struct sctp_association *new_asoc,
1276                                  const struct sctp_association *asoc)
1277{
1278        switch (asoc->state) {
1279
1280        /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1281
1282        case SCTP_STATE_COOKIE_WAIT:
1283                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1284                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1285                new_asoc->c.peer_ttag   = 0;
1286                break;
1287
1288        case SCTP_STATE_COOKIE_ECHOED:
1289                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1290                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1291                new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
1292                break;
1293
1294        /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1295         * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1296         */
1297        default:
1298                new_asoc->c.my_ttag   = asoc->c.my_vtag;
1299                new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1300                break;
1301        }
1302
1303        /* Other parameters for the endpoint SHOULD be copied from the
1304         * existing parameters of the association (e.g. number of
1305         * outbound streams) into the INIT ACK and cookie.
1306         */
1307        new_asoc->rwnd                  = asoc->rwnd;
1308        new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
1309        new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1310        new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
1311}
1312
1313/*
1314 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1315 * handling action.
1316 *
1317 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1318 *
1319 * Returns value representing action to be taken.   These action values
1320 * correspond to Action/Description values in RFC 2960, Table 2.
1321 */
1322static char sctp_tietags_compare(struct sctp_association *new_asoc,
1323                                 const struct sctp_association *asoc)
1324{
1325        /* In this case, the peer may have restarted.  */
1326        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1327            (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1328            (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1329            (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1330                return 'A';
1331
1332        /* Collision case B. */
1333        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1334            ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1335             (0 == asoc->c.peer_vtag))) {
1336                return 'B';
1337        }
1338
1339        /* Collision case D. */
1340        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1341            (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1342                return 'D';
1343
1344        /* Collision case C. */
1345        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1346            (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1347            (0 == new_asoc->c.my_ttag) &&
1348            (0 == new_asoc->c.peer_ttag))
1349                return 'C';
1350
1351        /* No match to any of the special cases; discard this packet. */
1352        return 'E';
1353}
1354
1355/* Common helper routine for both duplicate and simulataneous INIT
1356 * chunk handling.
1357 */
1358static sctp_disposition_t sctp_sf_do_unexpected_init(
1359        const struct sctp_endpoint *ep,
1360        const struct sctp_association *asoc,
1361        const sctp_subtype_t type,
1362        void *arg, sctp_cmd_seq_t *commands)
1363{
1364        sctp_disposition_t retval;
1365        struct sctp_chunk *chunk = arg;
1366        struct sctp_chunk *repl;
1367        struct sctp_association *new_asoc;
1368        struct sctp_chunk *err_chunk;
1369        struct sctp_packet *packet;
1370        sctp_unrecognized_param_t *unk_param;
1371        int len;
1372
1373        /* 6.10 Bundling
1374         * An endpoint MUST NOT bundle INIT, INIT ACK or
1375         * SHUTDOWN COMPLETE with any other chunks.
1376         *
1377         * IG Section 2.11.2
1378         * Furthermore, we require that the receiver of an INIT chunk MUST
1379         * enforce these rules by silently discarding an arriving packet
1380         * with an INIT chunk that is bundled with other chunks.
1381         */
1382        if (!chunk->singleton)
1383                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1384
1385        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1386         * Tag.
1387         */
1388        if (chunk->sctp_hdr->vtag != 0)
1389                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
1390
1391        /* Make sure that the INIT chunk has a valid length.
1392         * In this case, we generate a protocol violation since we have
1393         * an association established.
1394         */
1395        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1396                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1397                                                  commands);
1398        /* Grab the INIT header.  */
1399        chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1400
1401        /* Tag the variable length parameters.  */
1402        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1403
1404        /* Verify the INIT chunk before processing it. */
1405        err_chunk = NULL;
1406        if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
1407                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1408                              &err_chunk)) {
1409                /* This chunk contains fatal error. It is to be discarded.
1410                 * Send an ABORT, with causes if there is any.
1411                 */
1412                if (err_chunk) {
1413                        packet = sctp_abort_pkt_new(ep, asoc, arg,
1414                                        (__u8 *)(err_chunk->chunk_hdr) +
1415                                        sizeof(sctp_chunkhdr_t),
1416                                        ntohs(err_chunk->chunk_hdr->length) -
1417                                        sizeof(sctp_chunkhdr_t));
1418
1419                        if (packet) {
1420                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1421                                                SCTP_PACKET(packet));
1422                                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1423                                retval = SCTP_DISPOSITION_CONSUME;
1424                        } else {
1425                                retval = SCTP_DISPOSITION_NOMEM;
1426                        }
1427                        goto cleanup;
1428                } else {
1429                        return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
1430                                                    commands);
1431                }
1432        }
1433
1434        /*
1435         * Other parameters for the endpoint SHOULD be copied from the
1436         * existing parameters of the association (e.g. number of
1437         * outbound streams) into the INIT ACK and cookie.
1438         * FIXME:  We are copying parameters from the endpoint not the
1439         * association.
1440         */
1441        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1442        if (!new_asoc)
1443                goto nomem;
1444
1445        /* In the outbound INIT ACK the endpoint MUST copy its current
1446         * Verification Tag and Peers Verification tag into a reserved
1447         * place (local tie-tag and per tie-tag) within the state cookie.
1448         */
1449        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1450                               sctp_source(chunk),
1451                               (sctp_init_chunk_t *)chunk->chunk_hdr,
1452                               GFP_ATOMIC))
1453                goto nomem;
1454
1455        /* Make sure no new addresses are being added during the
1456         * restart.   Do not do this check for COOKIE-WAIT state,
1457         * since there are no peer addresses to check against.
1458         * Upon return an ABORT will have been sent if needed.
1459         */
1460        if (!sctp_state(asoc, COOKIE_WAIT)) {
1461                if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1462                                                 commands)) {
1463                        retval = SCTP_DISPOSITION_CONSUME;
1464                        goto nomem_retval;
1465                }
1466        }
1467
1468        sctp_tietags_populate(new_asoc, asoc);
1469
1470        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
1471
1472        /* If there are errors need to be reported for unknown parameters,
1473         * make sure to reserve enough room in the INIT ACK for them.
1474         */
1475        len = 0;
1476        if (err_chunk) {
1477                len = ntohs(err_chunk->chunk_hdr->length) -
1478                        sizeof(sctp_chunkhdr_t);
1479        }
1480
1481        if (sctp_assoc_set_bind_addr_from_ep(new_asoc, GFP_ATOMIC) < 0)
1482                goto nomem;
1483
1484        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1485        if (!repl)
1486                goto nomem;
1487
1488        /* If there are errors need to be reported for unknown parameters,
1489         * include them in the outgoing INIT ACK as "Unrecognized parameter"
1490         * parameter.
1491         */
1492        if (err_chunk) {
1493                /* Get the "Unrecognized parameter" parameter(s) out of the
1494                 * ERROR chunk generated by sctp_verify_init(). Since the
1495                 * error cause code for "unknown parameter" and the
1496                 * "Unrecognized parameter" type is the same, we can
1497                 * construct the parameters in INIT ACK by copying the
1498                 * ERROR causes over.
1499                 */
1500                unk_param = (sctp_unrecognized_param_t *)
1501                            ((__u8 *)(err_chunk->chunk_hdr) +
1502                            sizeof(sctp_chunkhdr_t));
1503                /* Replace the cause code with the "Unrecognized parameter"
1504                 * parameter type.
1505                 */
1506                sctp_addto_chunk(repl, len, unk_param);
1507        }
1508
1509        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1510        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1511
1512        /*
1513         * Note: After sending out INIT ACK with the State Cookie parameter,
1514         * "Z" MUST NOT allocate any resources for this new association.
1515         * Otherwise, "Z" will be vulnerable to resource attacks.
1516         */
1517        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1518        retval = SCTP_DISPOSITION_CONSUME;
1519
1520        return retval;
1521
1522nomem:
1523        retval = SCTP_DISPOSITION_NOMEM;
1524nomem_retval:
1525        if (new_asoc)
1526                sctp_association_free(new_asoc);
1527cleanup:
1528        if (err_chunk)
1529                sctp_chunk_free(err_chunk);
1530        return retval;
1531}
1532
1533/*
1534 * Handle simultanous INIT.
1535 * This means we started an INIT and then we got an INIT request from
1536 * our peer.
1537 *
1538 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1539 * This usually indicates an initialization collision, i.e., each
1540 * endpoint is attempting, at about the same time, to establish an
1541 * association with the other endpoint.
1542 *
1543 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1544 * endpoint MUST respond with an INIT ACK using the same parameters it
1545 * sent in its original INIT chunk (including its Verification Tag,
1546 * unchanged). These original parameters are combined with those from the
1547 * newly received INIT chunk. The endpoint shall also generate a State
1548 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1549 * INIT to calculate the State Cookie.
1550 *
1551 * After that, the endpoint MUST NOT change its state, the T1-init
1552 * timer shall be left running and the corresponding TCB MUST NOT be
1553 * destroyed. The normal procedures for handling State Cookies when
1554 * a TCB exists will resolve the duplicate INITs to a single association.
1555 *
1556 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1557 * its Tie-Tags with the Tag information of itself and its peer (see
1558 * section 5.2.2 for a description of the Tie-Tags).
1559 *
1560 * Verification Tag: Not explicit, but an INIT can not have a valid
1561 * verification tag, so we skip the check.
1562 *
1563 * Inputs
1564 * (endpoint, asoc, chunk)
1565 *
1566 * Outputs
1567 * (asoc, reply_msg, msg_up, timers, counters)
1568 *
1569 * The return value is the disposition of the chunk.
1570 */
1571sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep,
1572                                    const struct sctp_association *asoc,
1573                                    const sctp_subtype_t type,
1574                                    void *arg,
1575                                    sctp_cmd_seq_t *commands)
1576{
1577        /* Call helper to do the real work for both simulataneous and
1578         * duplicate INIT chunk handling.
1579         */
1580        return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1581}
1582
1583/*
1584 * Handle duplicated INIT messages.  These are usually delayed
1585 * restransmissions.
1586 *
1587 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1588 * COOKIE-ECHOED and COOKIE-WAIT
1589 *
1590 * Unless otherwise stated, upon reception of an unexpected INIT for
1591 * this association, the endpoint shall generate an INIT ACK with a
1592 * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
1593 * current Verification Tag and peer's Verification Tag into a reserved
1594 * place within the state cookie.  We shall refer to these locations as
1595 * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
1596 * containing this INIT ACK MUST carry a Verification Tag value equal to
1597 * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
1598 * MUST contain a new Initiation Tag (randomly generated see Section
1599 * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
1600 * existing parameters of the association (e.g. number of outbound
1601 * streams) into the INIT ACK and cookie.
1602 *
1603 * After sending out the INIT ACK, the endpoint shall take no further
1604 * actions, i.e., the existing association, including its current state,
1605 * and the corresponding TCB MUST NOT be changed.
1606 *
1607 * Note: Only when a TCB exists and the association is not in a COOKIE-
1608 * WAIT state are the Tie-Tags populated.  For a normal association INIT
1609 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1610 * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
1611 * State Cookie are populated as specified in section 5.2.1.
1612 *
1613 * Verification Tag: Not specified, but an INIT has no way of knowing
1614 * what the verification tag could be, so we ignore it.
1615 *
1616 * Inputs
1617 * (endpoint, asoc, chunk)
1618 *
1619 * Outputs
1620 * (asoc, reply_msg, msg_up, timers, counters)
1621 *
1622 * The return value is the disposition of the chunk.
1623 */
1624sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep,
1625                                        const struct sctp_association *asoc,
1626                                        const sctp_subtype_t type,
1627                                        void *arg,
1628                                        sctp_cmd_seq_t *commands)
1629{
1630        /* Call helper to do the real work for both simulataneous and
1631         * duplicate INIT chunk handling.
1632         */
1633        return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1634}
1635
1636
1637/*
1638 * Unexpected INIT-ACK handler.
1639 *
1640 * Section 5.2.3
1641 * If an INIT ACK received by an endpoint in any state other than the
1642 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1643 * An unexpected INIT ACK usually indicates the processing of an old or
1644 * duplicated INIT chunk.
1645*/
1646sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep,
1647                                            const struct sctp_association *asoc,
1648                                            const sctp_subtype_t type,
1649                                            void *arg, sctp_cmd_seq_t *commands)
1650{
1651        /* Per the above section, we'll discard the chunk if we have an
1652         * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
1653         */
1654        if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
1655                return sctp_sf_ootb(ep, asoc, type, arg, commands);
1656        else
1657                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
1658}
1659
1660/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1661 *
1662 * Section 5.2.4
1663 *  A)  In this case, the peer may have restarted.
1664 */
1665static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
1666                                        const struct sctp_association *asoc,
1667                                        struct sctp_chunk *chunk,
1668                                        sctp_cmd_seq_t *commands,
1669                                        struct sctp_association *new_asoc)
1670{
1671        sctp_init_chunk_t *peer_init;
1672        struct sctp_ulpevent *ev;
1673        struct sctp_chunk *repl;
1674        struct sctp_chunk *err;
1675        sctp_disposition_t disposition;
1676
1677        /* new_asoc is a brand-new association, so these are not yet
1678         * side effects--it is safe to run them here.
1679         */
1680        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1681
1682        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1683                               sctp_source(chunk), peer_init,
1684                               GFP_ATOMIC))
1685                goto nomem;
1686
1687        /* Make sure no new addresses are being added during the
1688         * restart.  Though this is a pretty complicated attack
1689         * since you'd have to get inside the cookie.
1690         */
1691        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1692                return SCTP_DISPOSITION_CONSUME;
1693        }
1694
1695        /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1696         * the peer has restarted (Action A), it MUST NOT setup a new
1697         * association but instead resend the SHUTDOWN ACK and send an ERROR
1698         * chunk with a "Cookie Received while Shutting Down" error cause to
1699         * its peer.
1700        */
1701        if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1702                disposition = sctp_sf_do_9_2_reshutack(ep, asoc,
1703                                SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1704                                chunk, commands);
1705                if (SCTP_DISPOSITION_NOMEM == disposition)
1706                        goto nomem;
1707
1708                err = sctp_make_op_error(asoc, chunk,
1709                                         SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1710                                         NULL, 0);
1711                if (err)
1712                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1713                                        SCTP_CHUNK(err));
1714
1715                return SCTP_DISPOSITION_CONSUME;
1716        }
1717
1718        /* For now, fail any unsent/unacked data.  Consider the optional
1719         * choice of resending of this data.
1720         */
1721        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1722
1723        repl = sctp_make_cookie_ack(new_asoc, chunk);
1724        if (!repl)
1725                goto nomem;
1726
1727        /* Report association restart to upper layer. */
1728        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1729                                             new_asoc->c.sinit_num_ostreams,
1730                                             new_asoc->c.sinit_max_instreams,
1731                                             NULL, GFP_ATOMIC);
1732        if (!ev)
1733                goto nomem_ev;
1734
1735        /* Update the content of current association. */
1736        sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1737        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1738        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1739        return SCTP_DISPOSITION_CONSUME;
1740
1741nomem_ev:
1742        sctp_chunk_free(repl);
1743nomem:
1744        return SCTP_DISPOSITION_NOMEM;
1745}
1746
1747/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1748 *
1749 * Section 5.2.4
1750 *   B) In this case, both sides may be attempting to start an association
1751 *      at about the same time but the peer endpoint started its INIT
1752 *      after responding to the local endpoint's INIT
1753 */
1754/* This case represents an initialization collision.  */
1755static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,
1756                                        const struct sctp_association *asoc,
1757                                        struct sctp_chunk *chunk,
1758                                        sctp_cmd_seq_t *commands,
1759                                        struct sctp_association *new_asoc)
1760{
1761        sctp_init_chunk_t *peer_init;
1762        struct sctp_chunk *repl;
1763
1764        /* new_asoc is a brand-new association, so these are not yet
1765         * side effects--it is safe to run them here.
1766         */
1767        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1768        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1769                               sctp_source(chunk), peer_init,
1770                               GFP_ATOMIC))
1771                goto nomem;
1772
1773        /* Update the content of current association.  */
1774        sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1775        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1776                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
1777        SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1778        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1779
1780        repl = sctp_make_cookie_ack(new_asoc, chunk);
1781        if (!repl)
1782                goto nomem;
1783
1784        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1785
1786        /* RFC 2960 5.1 Normal Establishment of an Association
1787         *
1788         * D) IMPLEMENTATION NOTE: An implementation may choose to
1789         * send the Communication Up notification to the SCTP user
1790         * upon reception of a valid COOKIE ECHO chunk.
1791         *
1792         * Sadly, this needs to be implemented as a side-effect, because
1793         * we are not guaranteed to have set the association id of the real
1794         * association and so these notifications need to be delayed until
1795         * the association id is allocated.
1796         */
1797
1798        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1799
1800        /* Sockets API Draft Section 5.3.1.6
1801         * When a peer sends a Adaptation Layer Indication parameter , SCTP
1802         * delivers this notification to inform the application that of the
1803         * peers requested adaptation layer.
1804         *
1805         * This also needs to be done as a side effect for the same reason as
1806         * above.
1807         */
1808        if (asoc->peer.adaptation_ind)
1809                sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1810
1811        return SCTP_DISPOSITION_CONSUME;
1812
1813nomem:
1814        return SCTP_DISPOSITION_NOMEM;
1815}
1816
1817/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1818 *
1819 * Section 5.2.4
1820 *  C) In this case, the local endpoint's cookie has arrived late.
1821 *     Before it arrived, the local endpoint sent an INIT and received an
1822 *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1823 *     but a new tag of its own.
1824 */
1825/* This case represents an initialization collision.  */
1826static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep,
1827                                        const struct sctp_association *asoc,
1828                                        struct sctp_chunk *chunk,
1829                                        sctp_cmd_seq_t *commands,
1830                                        struct sctp_association *new_asoc)
1831{
1832        /* The cookie should be silently discarded.
1833         * The endpoint SHOULD NOT change states and should leave
1834         * any timers running.
1835         */
1836        return SCTP_DISPOSITION_DISCARD;
1837}
1838
1839/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1840 *
1841 * Section 5.2.4
1842 *
1843 * D) When both local and remote tags match the endpoint should always
1844 *    enter the ESTABLISHED state, if it has not already done so.
1845 */
1846/* This case represents an initialization collision.  */
1847static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep,
1848                                        const struct sctp_association *asoc,
1849                                        struct sctp_chunk *chunk,
1850                                        sctp_cmd_seq_t *commands,
1851                                        struct sctp_association *new_asoc)
1852{
1853        struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1854        struct sctp_chunk *repl;
1855
1856        /* Clarification from Implementor's Guide:
1857         * D) When both local and remote tags match the endpoint should
1858         * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1859         * It should stop any cookie timer that may be running and send
1860         * a COOKIE ACK.
1861         */
1862
1863        /* Don't accidentally move back into established state. */
1864        if (asoc->state < SCTP_STATE_ESTABLISHED) {
1865                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1866                                SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1867                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1868                                SCTP_STATE(SCTP_STATE_ESTABLISHED));
1869                SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1870                sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1871                                SCTP_NULL());
1872
1873                /* RFC 2960 5.1 Normal Establishment of an Association
1874                 *
1875                 * D) IMPLEMENTATION NOTE: An implementation may choose
1876                 * to send the Communication Up notification to the
1877                 * SCTP user upon reception of a valid COOKIE
1878                 * ECHO chunk.
1879                 */
1880                ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1881                                             SCTP_COMM_UP, 0,
1882                                             asoc->c.sinit_num_ostreams,
1883                                             asoc->c.sinit_max_instreams,
1884                                             NULL, GFP_ATOMIC);
1885                if (!ev)
1886                        goto nomem;
1887
1888                /* Sockets API Draft Section 5.3.1.6
1889                 * When a peer sends a Adaptation Layer Indication parameter,
1890                 * SCTP delivers this notification to inform the application
1891                 * that of the peers requested adaptation layer.
1892                 */
1893                if (asoc->peer.adaptation_ind) {
1894                        ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1895                                                                 GFP_ATOMIC);
1896                        if (!ai_ev)
1897                                goto nomem;
1898
1899                }
1900        }
1901
1902        repl = sctp_make_cookie_ack(new_asoc, chunk);
1903        if (!repl)
1904                goto nomem;
1905
1906        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1907
1908        if (ev)
1909                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1910                                SCTP_ULPEVENT(ev));
1911        if (ai_ev)
1912                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1913                                        SCTP_ULPEVENT(ai_ev));
1914
1915        return SCTP_DISPOSITION_CONSUME;
1916
1917nomem:
1918        if (ai_ev)
1919                sctp_ulpevent_free(ai_ev);
1920        if (ev)
1921                sctp_ulpevent_free(ev);
1922        return SCTP_DISPOSITION_NOMEM;
1923}
1924
1925/*
1926 * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
1927 * chunk was retransmitted and then delayed in the network.
1928 *
1929 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1930 *
1931 * Verification Tag: None.  Do cookie validation.
1932 *
1933 * Inputs
1934 * (endpoint, asoc, chunk)
1935 *
1936 * Outputs
1937 * (asoc, reply_msg, msg_up, timers, counters)
1938 *
1939 * The return value is the disposition of the chunk.
1940 */
1941sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
1942                                        const struct sctp_association *asoc,
1943                                        const sctp_subtype_t type,
1944                                        void *arg,
1945                                        sctp_cmd_seq_t *commands)
1946{
1947        sctp_disposition_t retval;
1948        struct sctp_chunk *chunk = arg;
1949        struct sctp_association *new_asoc;
1950        int error = 0;
1951        char action;
1952        struct sctp_chunk *err_chk_p;
1953
1954        /* Make sure that the chunk has a valid length from the protocol
1955         * perspective.  In this case check to make sure we have at least
1956         * enough for the chunk header.  Cookie length verification is
1957         * done later.
1958         */
1959        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
1960                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1961                                                  commands);
1962
1963        /* "Decode" the chunk.  We have no optional parameters so we
1964         * are in good shape.
1965         */
1966        chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
1967        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
1968                                        sizeof(sctp_chunkhdr_t)))
1969                goto nomem;
1970
1971        /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
1972         * of a duplicate COOKIE ECHO match the Verification Tags of the
1973         * current association, consider the State Cookie valid even if
1974         * the lifespan is exceeded.
1975         */
1976        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
1977                                      &err_chk_p);
1978
1979        /* FIXME:
1980         * If the re-build failed, what is the proper error path
1981         * from here?
1982         *
1983         * [We should abort the association. --piggy]
1984         */
1985        if (!new_asoc) {
1986                /* FIXME: Several errors are possible.  A bad cookie should
1987                 * be silently discarded, but think about logging it too.
1988                 */
1989                switch (error) {
1990                case -SCTP_IERROR_NOMEM:
1991                        goto nomem;
1992
1993                case -SCTP_IERROR_STALE_COOKIE:
1994                        sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
1995                                                   err_chk_p);
1996                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1997                case -SCTP_IERROR_BAD_SIG:
1998                default:
1999                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2000                }
2001        }
2002
2003        /* Compare the tie_tag in cookie with the verification tag of
2004         * current association.
2005         */
2006        action = sctp_tietags_compare(new_asoc, asoc);
2007
2008        switch (action) {
2009        case 'A': /* Association restart. */
2010                retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands,
2011                                              new_asoc);
2012                break;
2013
2014        case 'B': /* Collision case B. */
2015                retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands,
2016                                              new_asoc);
2017                break;
2018
2019        case 'C': /* Collision case C. */
2020                retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands,
2021                                              new_asoc);
2022                break;
2023
2024        case 'D': /* Collision case D. */
2025                retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands,
2026                                              new_asoc);
2027                break;
2028
2029        default: /* Discard packet for all others. */
2030                retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2031                break;
2032        }
2033
2034        /* Delete the tempory new association. */
2035        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
2036        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2037
2038        return retval;
2039
2040nomem:
2041        return SCTP_DISPOSITION_NOMEM;
2042}
2043
2044/*
2045 * Process an ABORT.  (SHUTDOWN-PENDING state)
2046 *
2047 * See sctp_sf_do_9_1_abort().
2048 */
2049sctp_disposition_t sctp_sf_shutdown_pending_abort(
2050        const struct sctp_endpoint *ep,
2051        const struct sctp_association *asoc,
2052        const sctp_subtype_t type,
2053        void *arg,
2054        sctp_cmd_seq_t *commands)
2055{
2056        struct sctp_chunk *chunk = arg;
2057
2058        if (!sctp_vtag_verify_either(chunk, asoc))
2059                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2060
2061        /* Make sure that the ABORT chunk has a valid length.
2062         * Since this is an ABORT chunk, we have to discard it
2063         * because of the following text:
2064         * RFC 2960, Section 3.3.7
2065         *    If an endpoint receives an ABORT with a format error or for an
2066         *    association that doesn't exist, it MUST silently discard it.
2067         * Becasue the length is "invalid", we can't really discard just
2068         * as we do not know its true length.  So, to be safe, discard the
2069         * packet.
2070         */
2071        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2072                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2073
2074        /* ADD-IP: Special case for ABORT chunks
2075         * F4)  One special consideration is that ABORT Chunks arriving
2076         * destined to the IP address being deleted MUST be
2077         * ignored (see Section 5.3.1 for further details).
2078         */
2079        if (SCTP_ADDR_DEL ==
2080                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2081                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2082
2083        return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2084}
2085
2086/*
2087 * Process an ABORT.  (SHUTDOWN-SENT state)
2088 *
2089 * See sctp_sf_do_9_1_abort().
2090 */
2091sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,
2092                                        const struct sctp_association *asoc,
2093                                        const sctp_subtype_t type,
2094                                        void *arg,
2095                                        sctp_cmd_seq_t *commands)
2096{
2097        struct sctp_chunk *chunk = arg;
2098
2099        if (!sctp_vtag_verify_either(chunk, asoc))
2100                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2101
2102        /* Make sure that the ABORT chunk has a valid length.
2103         * Since this is an ABORT chunk, we have to discard it
2104         * because of the following text:
2105         * RFC 2960, Section 3.3.7
2106         *    If an endpoint receives an ABORT with a format error or for an
2107         *    association that doesn't exist, it MUST silently discard it.
2108         * Becasue the length is "invalid", we can't really discard just
2109         * as we do not know its true length.  So, to be safe, discard the
2110         * packet.
2111         */
2112        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2113                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2114
2115        /* ADD-IP: Special case for ABORT chunks
2116         * F4)  One special consideration is that ABORT Chunks arriving
2117         * destined to the IP address being deleted MUST be
2118         * ignored (see Section 5.3.1 for further details).
2119         */
2120        if (SCTP_ADDR_DEL ==
2121                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2122                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2123
2124        /* Stop the T2-shutdown timer. */
2125        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2126                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2127
2128        /* Stop the T5-shutdown guard timer.  */
2129        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2130                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2131
2132        return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2133}
2134
2135/*
2136 * Process an ABORT.  (SHUTDOWN-ACK-SENT state)
2137 *
2138 * See sctp_sf_do_9_1_abort().
2139 */
2140sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2141        const struct sctp_endpoint *ep,
2142        const struct sctp_association *asoc,
2143        const sctp_subtype_t type,
2144        void *arg,
2145        sctp_cmd_seq_t *commands)
2146{
2147        /* The same T2 timer, so we should be able to use
2148         * common function with the SHUTDOWN-SENT state.
2149         */
2150        return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands);
2151}
2152
2153/*
2154 * Handle an Error received in COOKIE_ECHOED state.
2155 *
2156 * Only handle the error type of stale COOKIE Error, the other errors will
2157 * be ignored.
2158 *
2159 * Inputs
2160 * (endpoint, asoc, chunk)
2161 *
2162 * Outputs
2163 * (asoc, reply_msg, msg_up, timers, counters)
2164 *
2165 * The return value is the disposition of the chunk.
2166 */
2167sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep,
2168                                        const struct sctp_association *asoc,
2169                                        const sctp_subtype_t type,
2170                                        void *arg,
2171                                        sctp_cmd_seq_t *commands)
2172{
2173        struct sctp_chunk *chunk = arg;
2174        sctp_errhdr_t *err;
2175
2176        if (!sctp_vtag_verify(chunk, asoc))
2177                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2178
2179        /* Make sure that the ERROR chunk has a valid length.
2180         * The parameter walking depends on this as well.
2181         */
2182        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2183                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2184                                                  commands);
2185
2186        /* Process the error here */
2187        /* FUTURE FIXME:  When PR-SCTP related and other optional
2188         * parms are emitted, this will have to change to handle multiple
2189         * errors.
2190         */
2191        sctp_walk_errors(err, chunk->chunk_hdr) {
2192                if (SCTP_ERROR_STALE_COOKIE == err->cause)
2193                        return sctp_sf_do_5_2_6_stale(ep, asoc, type,
2194                                                        arg, commands);
2195        }
2196
2197        /* It is possible to have malformed error causes, and that
2198         * will cause us to end the walk early.  However, since
2199         * we are discarding the packet, there should be no adverse
2200         * affects.
2201         */
2202        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2203}
2204
2205/*
2206 * Handle a Stale COOKIE Error
2207 *
2208 * Section: 5.2.6 Handle Stale COOKIE Error
2209 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2210 * one of the following three alternatives.
2211 * ...
2212 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2213 *    Preservative parameter requesting an extension to the lifetime of
2214 *    the State Cookie. When calculating the time extension, an
2215 *    implementation SHOULD use the RTT information measured based on the
2216 *    previous COOKIE ECHO / ERROR exchange, and should add no more
2217 *    than 1 second beyond the measured RTT, due to long State Cookie
2218 *    lifetimes making the endpoint more subject to a replay attack.
2219 *
2220 * Verification Tag:  Not explicit, but safe to ignore.
2221 *
2222 * Inputs
2223 * (endpoint, asoc, chunk)
2224 *
2225 * Outputs
2226 * (asoc, reply_msg, msg_up, timers, counters)
2227 *
2228 * The return value is the disposition of the chunk.
2229 */
2230static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
2231                                                 const struct sctp_association *asoc,
2232                                                 const sctp_subtype_t type,
2233                                                 void *arg,
2234                                                 sctp_cmd_seq_t *commands)
2235{
2236        struct sctp_chunk *chunk = arg;
2237        time_t stale;
2238        sctp_cookie_preserve_param_t bht;
2239        sctp_errhdr_t *err;
2240        struct sctp_chunk *reply;
2241        struct sctp_bind_addr *bp;
2242        int attempts = asoc->init_err_counter + 1;
2243
2244        if (attempts > asoc->max_init_attempts) {
2245                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2246                                SCTP_ERROR(ETIMEDOUT));
2247                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2248                                SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2249                return SCTP_DISPOSITION_DELETE_TCB;
2250        }
2251
2252        err = (sctp_errhdr_t *)(chunk->skb->data);
2253
2254        /* When calculating the time extension, an implementation
2255         * SHOULD use the RTT information measured based on the
2256         * previous COOKIE ECHO / ERROR exchange, and should add no
2257         * more than 1 second beyond the measured RTT, due to long
2258         * State Cookie lifetimes making the endpoint more subject to
2259         * a replay attack.
2260         * Measure of Staleness's unit is usec. (1/1000000 sec)
2261         * Suggested Cookie Life-span Increment's unit is msec.
2262         * (1/1000 sec)
2263         * In general, if you use the suggested cookie life, the value
2264         * found in the field of measure of staleness should be doubled
2265         * to give ample time to retransmit the new cookie and thus
2266         * yield a higher probability of success on the reattempt.
2267         */
2268        stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2269        stale = (stale * 2) / 1000;
2270
2271        bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2272        bht.param_hdr.length = htons(sizeof(bht));
2273        bht.lifespan_increment = htonl(stale);
2274
2275        /* Build that new INIT chunk.  */
2276        bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2277        reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2278        if (!reply)
2279                goto nomem;
2280
2281        sctp_addto_chunk(reply, sizeof(bht), &bht);
2282
2283        /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2284        sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2285
2286        /* Stop pending T3-rtx and heartbeat timers */
2287        sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2288        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2289
2290        /* Delete non-primary peer ip addresses since we are transitioning
2291         * back to the COOKIE-WAIT state
2292         */
2293        sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2294
2295        /* If we've sent any data bundled with COOKIE-ECHO we will need to
2296         * resend
2297         */
2298        sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2299                        SCTP_TRANSPORT(asoc->peer.primary_path));
2300
2301        /* Cast away the const modifier, as we want to just
2302         * rerun it through as a sideffect.
2303         */
2304        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2305
2306        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2307                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2308        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2309                        SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2310        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2311                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2312
2313        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2314
2315        return SCTP_DISPOSITION_CONSUME;
2316
2317nomem:
2318        return SCTP_DISPOSITION_NOMEM;
2319}
2320
2321/*
2322 * Process an ABORT.
2323 *
2324 * Section: 9.1
2325 * After checking the Verification Tag, the receiving endpoint shall
2326 * remove the association from its record, and shall report the
2327 * termination to its upper layer.
2328 *
2329 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2330 * B) Rules for packet carrying ABORT:
2331 *
2332 *  - The endpoint shall always fill in the Verification Tag field of the
2333 *    outbound packet with the destination endpoint's tag value if it
2334 *    is known.
2335 *
2336 *  - If the ABORT is sent in response to an OOTB packet, the endpoint
2337 *    MUST follow the procedure described in Section 8.4.
2338 *
2339 *  - The receiver MUST accept the packet if the Verification Tag
2340 *    matches either its own tag, OR the tag of its peer. Otherwise, the
2341 *    receiver MUST silently discard the packet and take no further
2342 *    action.
2343 *
2344 * Inputs
2345 * (endpoint, asoc, chunk)
2346 *
2347 * Outputs
2348 * (asoc, reply_msg, msg_up, timers, counters)
2349 *
2350 * The return value is the disposition of the chunk.
2351 */
2352sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2353                                        const struct sctp_association *asoc,
2354                                        const sctp_subtype_t type,
2355                                        void *arg,
2356                                        sctp_cmd_seq_t *commands)
2357{
2358        struct sctp_chunk *chunk = arg;
2359
2360        if (!sctp_vtag_verify_either(chunk, asoc))
2361                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2362
2363        /* Make sure that the ABORT chunk has a valid length.
2364         * Since this is an ABORT chunk, we have to discard it
2365         * because of the following text:
2366         * RFC 2960, Section 3.3.7
2367         *    If an endpoint receives an ABORT with a format error or for an
2368         *    association that doesn't exist, it MUST silently discard it.
2369         * Becasue the length is "invalid", we can't really discard just
2370         * as we do not know its true length.  So, to be safe, discard the
2371         * packet.
2372         */
2373        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2374                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2375
2376        /* ADD-IP: Special case for ABORT chunks
2377         * F4)  One special consideration is that ABORT Chunks arriving
2378         * destined to the IP address being deleted MUST be
2379         * ignored (see Section 5.3.1 for further details).
2380         */
2381        if (SCTP_ADDR_DEL ==
2382                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2383                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2384
2385        return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2386}
2387
2388static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2389                                        const struct sctp_association *asoc,
2390                                        const sctp_subtype_t type,
2391                                        void *arg,
2392                                        sctp_cmd_seq_t *commands)
2393{
2394        struct sctp_chunk *chunk = arg;
2395        unsigned len;
2396        __be16 error = SCTP_ERROR_NO_ERROR;
2397
2398        /* See if we have an error cause code in the chunk.  */
2399        len = ntohs(chunk->chunk_hdr->length);
2400        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2401                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2402
2403        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2404        /* ASSOC_FAILED will DELETE_TCB. */
2405        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2406        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2407        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
2408
2409        return SCTP_DISPOSITION_ABORT;
2410}
2411
2412/*
2413 * Process an ABORT.  (COOKIE-WAIT state)
2414 *
2415 * See sctp_sf_do_9_1_abort() above.
2416 */
2417sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
2418                                     const struct sctp_association *asoc,
2419                                     const sctp_subtype_t type,
2420                                     void *arg,
2421                                     sctp_cmd_seq_t *commands)
2422{
2423        struct sctp_chunk *chunk = arg;
2424        unsigned len;
2425        __be16 error = SCTP_ERROR_NO_ERROR;
2426
2427        if (!sctp_vtag_verify_either(chunk, asoc))
2428                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2429
2430        /* Make sure that the ABORT chunk has a valid length.
2431         * Since this is an ABORT chunk, we have to discard it
2432         * because of the following text:
2433         * RFC 2960, Section 3.3.7
2434         *    If an endpoint receives an ABORT with a format error or for an
2435         *    association that doesn't exist, it MUST silently discard it.
2436         * Becasue the length is "invalid", we can't really discard just
2437         * as we do not know its true length.  So, to be safe, discard the
2438         * packet.
2439         */
2440        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2441                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2442
2443        /* See if we have an error cause code in the chunk.  */
2444        len = ntohs(chunk->chunk_hdr->length);
2445        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2446                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2447
2448        return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc,
2449                                      chunk->transport);
2450}
2451
2452/*
2453 * Process an incoming ICMP as an ABORT.  (COOKIE-WAIT state)
2454 */
2455sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep,
2456                                        const struct sctp_association *asoc,
2457                                        const sctp_subtype_t type,
2458                                        void *arg,
2459                                        sctp_cmd_seq_t *commands)
2460{
2461        return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR,
2462                                      ENOPROTOOPT, asoc,
2463                                      (struct sctp_transport *)arg);
2464}
2465
2466/*
2467 * Process an ABORT.  (COOKIE-ECHOED state)
2468 */
2469sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep,
2470                                               const struct sctp_association *asoc,
2471                                               const sctp_subtype_t type,
2472                                               void *arg,
2473                                               sctp_cmd_seq_t *commands)
2474{
2475        /* There is a single T1 timer, so we should be able to use
2476         * common function with the COOKIE-WAIT state.
2477         */
2478        return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands);
2479}
2480
2481/*
2482 * Stop T1 timer and abort association with "INIT failed".
2483 *
2484 * This is common code called by several sctp_sf_*_abort() functions above.
2485 */
2486static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
2487                                           __be16 error, int sk_err,
2488                                           const struct sctp_association *asoc,
2489                                           struct sctp_transport *transport)
2490{
2491        SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");
2492        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2493                        SCTP_STATE(SCTP_STATE_CLOSED));
2494        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2495        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2496                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2497        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2498        /* CMD_INIT_FAILED will DELETE_TCB. */
2499        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2500                        SCTP_PERR(error));
2501        return SCTP_DISPOSITION_ABORT;
2502}
2503
2504/*
2505 * sctp_sf_do_9_2_shut
2506 *
2507 * Section: 9.2
2508 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2509 *  - enter the SHUTDOWN-RECEIVED state,
2510 *
2511 *  - stop accepting new data from its SCTP user
2512 *
2513 *  - verify, by checking the Cumulative TSN Ack field of the chunk,
2514 *    that all its outstanding DATA chunks have been received by the
2515 *    SHUTDOWN sender.
2516 *
2517 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2518 * send a SHUTDOWN in response to a ULP request. And should discard
2519 * subsequent SHUTDOWN chunks.
2520 *
2521 * If there are still outstanding DATA chunks left, the SHUTDOWN
2522 * receiver shall continue to follow normal data transmission
2523 * procedures defined in Section 6 until all outstanding DATA chunks
2524 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2525 * new data from its SCTP user.
2526 *
2527 * Verification Tag:  8.5 Verification Tag [Normal verification]
2528 *
2529 * Inputs
2530 * (endpoint, asoc, chunk)
2531 *
2532 * Outputs
2533 * (asoc, reply_msg, msg_up, timers, counters)
2534 *
2535 * The return value is the disposition of the chunk.
2536 */
2537sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
2538                                           const struct sctp_association *asoc,
2539                                           const sctp_subtype_t type,
2540                                           void *arg,
2541                                           sctp_cmd_seq_t *commands)
2542{
2543        struct sctp_chunk *chunk = arg;
2544        sctp_shutdownhdr_t *sdh;
2545        sctp_disposition_t disposition;
2546        struct sctp_ulpevent *ev;
2547        __u32 ctsn;
2548
2549        if (!sctp_vtag_verify(chunk, asoc))
2550                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2551
2552        /* Make sure that the SHUTDOWN chunk has a valid length. */
2553        if (!sctp_chunk_length_valid(chunk,
2554                                      sizeof(struct sctp_shutdown_chunk_t)))
2555                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2556                                                  commands);
2557
2558        /* Convert the elaborate header.  */
2559        sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2560        skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2561        chunk->subh.shutdown_hdr = sdh;
2562        ctsn = ntohl(sdh->cum_tsn_ack);
2563
2564        /* If Cumulative TSN Ack beyond the max tsn currently
2565         * send, terminating the association and respond to the
2566         * sender with an ABORT.
2567         */
2568        if (!TSN_lt(ctsn, asoc->next_tsn))
2569                return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2570
2571        /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2572         * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2573         * inform the application that it should cease sending data.
2574         */
2575        ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2576        if (!ev) {
2577                disposition = SCTP_DISPOSITION_NOMEM;
2578                goto out;
2579        }
2580        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2581
2582        /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2583         *  - enter the SHUTDOWN-RECEIVED state,
2584         *  - stop accepting new data from its SCTP user
2585         *
2586         * [This is implicit in the new state.]
2587         */
2588        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2589                        SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2590        disposition = SCTP_DISPOSITION_CONSUME;
2591
2592        if (sctp_outq_is_empty(&asoc->outqueue)) {
2593                disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type,
2594                                                          arg, commands);
2595        }
2596
2597        if (SCTP_DISPOSITION_NOMEM == disposition)
2598                goto out;
2599
2600        /*  - verify, by checking the Cumulative TSN Ack field of the
2601         *    chunk, that all its outstanding DATA chunks have been
2602         *    received by the SHUTDOWN sender.
2603         */
2604        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2605                        SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2606
2607out:
2608        return disposition;
2609}
2610
2611/*
2612 * sctp_sf_do_9_2_shut_ctsn
2613 *
2614 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2615 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2616 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2617 * MUST be processed.
2618 */
2619sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep,
2620                                           const struct sctp_association *asoc,
2621                                           const sctp_subtype_t type,
2622                                           void *arg,
2623                                           sctp_cmd_seq_t *commands)
2624{
2625        struct sctp_chunk *chunk = arg;
2626        sctp_shutdownhdr_t *sdh;
2627
2628        if (!sctp_vtag_verify(chunk, asoc))
2629                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2630
2631        /* Make sure that the SHUTDOWN chunk has a valid length. */
2632        if (!sctp_chunk_length_valid(chunk,
2633                                      sizeof(struct sctp_shutdown_chunk_t)))
2634                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2635                                                  commands);
2636
2637        sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2638
2639        /* If Cumulative TSN Ack beyond the max tsn currently
2640         * send, terminating the association and respond to the
2641         * sender with an ABORT.
2642         */
2643        if (!TSN_lt(ntohl(sdh->cum_tsn_ack), asoc->next_tsn))
2644                return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2645
2646        /* verify, by checking the Cumulative TSN Ack field of the
2647         * chunk, that all its outstanding DATA chunks have been
2648         * received by the SHUTDOWN sender.
2649         */
2650        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2651                        SCTP_BE32(sdh->cum_tsn_ack));
2652
2653        return SCTP_DISPOSITION_CONSUME;
2654}
2655
2656/* RFC 2960 9.2
2657 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2658 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2659 * transport addresses (either in the IP addresses or in the INIT chunk)
2660 * that belong to this association, it should discard the INIT chunk and
2661 * retransmit the SHUTDOWN ACK chunk.
2662 */
2663sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep,
2664                                    const struct sctp_association *asoc,
2665                                    const sctp_subtype_t type,
2666                                    void *arg,
2667                                    sctp_cmd_seq_t *commands)
2668{
2669        struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2670        struct sctp_chunk *reply;
2671
2672        /* Make sure that the chunk has a valid length */
2673        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2674                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2675                                                  commands);
2676
2677        /* Since we are not going to really process this INIT, there
2678         * is no point in verifying chunk boundries.  Just generate
2679         * the SHUTDOWN ACK.
2680         */
2681        reply = sctp_make_shutdown_ack(asoc, chunk);
2682        if (NULL == reply)
2683                goto nomem;
2684
2685        /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2686         * the T2-SHUTDOWN timer.
2687         */
2688        sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2689
2690        /* and restart the T2-shutdown timer. */
2691        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2692                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2693
2694        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2695
2696        return SCTP_DISPOSITION_CONSUME;
2697nomem:
2698        return SCTP_DISPOSITION_NOMEM;
2699}
2700
2701/*
2702 * sctp_sf_do_ecn_cwr
2703 *
2704 * Section:  Appendix A: Explicit Congestion Notification
2705 *
2706 * CWR:
2707 *
2708 * RFC 2481 details a specific bit for a sender to send in the header of
2709 * its next outbound TCP segment to indicate to its peer that it has
2710 * reduced its congestion window.  This is termed the CWR bit.  For
2711 * SCTP the same indication is made by including the CWR chunk.
2712 * This chunk contains one data element, i.e. the TSN number that
2713 * was sent in the ECNE chunk.  This element represents the lowest
2714 * TSN number in the datagram that was originally marked with the
2715 * CE bit.
2716 *
2717 * Verification Tag: 8.5 Verification Tag [Normal verification]
2718 * Inputs
2719 * (endpoint, asoc, chunk)
2720 *
2721 * Outputs
2722 * (asoc, reply_msg, msg_up, timers, counters)
2723 *
2724 * The return value is the disposition of the chunk.
2725 */
2726sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,
2727                                      const struct sctp_association *asoc,
2728                                      const sctp_subtype_t type,
2729                                      void *arg,
2730                                      sctp_cmd_seq_t *commands)
2731{
2732        sctp_cwrhdr_t *cwr;
2733        struct sctp_chunk *chunk = arg;
2734        u32 lowest_tsn;
2735
2736        if (!sctp_vtag_verify(chunk, asoc))
2737                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2738
2739        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2740                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2741                                                  commands);
2742
2743        cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2744        skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2745
2746        lowest_tsn = ntohl(cwr->lowest_tsn);
2747
2748        /* Does this CWR ack the last sent congestion notification? */
2749        if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2750                /* Stop sending ECNE. */
2751                sctp_add_cmd_sf(commands,
2752                                SCTP_CMD_ECN_CWR,
2753                                SCTP_U32(lowest_tsn));
2754        }
2755        return SCTP_DISPOSITION_CONSUME;
2756}
2757
2758/*
2759 * sctp_sf_do_ecne
2760 *
2761 * Section:  Appendix A: Explicit Congestion Notification
2762 *
2763 * ECN-Echo
2764 *
2765 * RFC 2481 details a specific bit for a receiver to send back in its
2766 * TCP acknowledgements to notify the sender of the Congestion
2767 * Experienced (CE) bit having arrived from the network.  For SCTP this
2768 * same indication is made by including the ECNE chunk.  This chunk
2769 * contains one data element, i.e. the lowest TSN associated with the IP
2770 * datagram marked with the CE bit.....
2771 *
2772 * Verification Tag: 8.5 Verification Tag [Normal verification]
2773 * Inputs
2774 * (endpoint, asoc, chunk)
2775 *
2776 * Outputs
2777 * (asoc, reply_msg, msg_up, timers, counters)
2778 *
2779 * The return value is the disposition of the chunk.
2780 */
2781sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,
2782                                   const struct sctp_association *asoc,
2783                                   const sctp_subtype_t type,
2784                                   void *arg,
2785                                   sctp_cmd_seq_t *commands)
2786{
2787        sctp_ecnehdr_t *ecne;
2788        struct sctp_chunk *chunk = arg;
2789
2790        if (!sctp_vtag_verify(chunk, asoc))
2791                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2792
2793        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2794                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2795                                                  commands);
2796
2797        ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2798        skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2799
2800        /* If this is a newer ECNE than the last CWR packet we sent out */
2801        sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2802                        SCTP_U32(ntohl(ecne->lowest_tsn)));
2803
2804        return SCTP_DISPOSITION_CONSUME;
2805}
2806
2807/*
2808 * Section: 6.2  Acknowledgement on Reception of DATA Chunks
2809 *
2810 * The SCTP endpoint MUST always acknowledge the reception of each valid
2811 * DATA chunk.
2812 *
2813 * The guidelines on delayed acknowledgement algorithm specified in
2814 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2815 * acknowledgement SHOULD be generated for at least every second packet
2816 * (not every second DATA chunk) received, and SHOULD be generated within
2817 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2818 * situations it may be beneficial for an SCTP transmitter to be more
2819 * conservative than the algorithms detailed in this document allow.
2820 * However, an SCTP transmitter MUST NOT be more aggressive than the
2821 * following algorithms allow.
2822 *
2823 * A SCTP receiver MUST NOT generate more than one SACK for every
2824 * incoming packet, other than to update the offered window as the
2825 * receiving application consumes new data.
2826 *
2827 * Verification Tag:  8.5 Verification Tag [Normal verification]
2828 *
2829 * Inputs
2830 * (endpoint, asoc, chunk)
2831 *
2832 * Outputs
2833 * (asoc, reply_msg, msg_up, timers, counters)
2834 *
2835 * The return value is the disposition of the chunk.
2836 */
2837sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,
2838                                        const struct sctp_association *asoc,
2839                                        const sctp_subtype_t type,
2840                                        void *arg,
2841                                        sctp_cmd_seq_t *commands)
2842{
2843        struct sctp_chunk *chunk = arg;
2844        int error;
2845
2846        if (!sctp_vtag_verify(chunk, asoc)) {
2847                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2848                                SCTP_NULL());
2849                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2850        }
2851
2852        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2853                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2854                                                  commands);
2855
2856        error = sctp_eat_data(asoc, chunk, commands );
2857        switch (error) {
2858        case SCTP_IERROR_NO_ERROR:
2859                break;
2860        case SCTP_IERROR_HIGH_TSN:
2861        case SCTP_IERROR_BAD_STREAM:
2862                SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2863                goto discard_noforce;
2864        case SCTP_IERROR_DUP_TSN:
2865        case SCTP_IERROR_IGNORE_TSN:
2866                SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2867                goto discard_force;
2868        case SCTP_IERROR_NO_DATA:
2869                goto consume;
2870        default:
2871                BUG();
2872        }
2873
2874        if (asoc->autoclose) {
2875                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2876                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2877        }
2878
2879        /* If this is the last chunk in a packet, we need to count it
2880         * toward sack generation.  Note that we need to SACK every
2881         * OTHER packet containing data chunks, EVEN IF WE DISCARD
2882         * THEM.  We elect to NOT generate SACK's if the chunk fails
2883         * the verification tag test.
2884         *
2885         * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2886         *
2887         * The SCTP endpoint MUST always acknowledge the reception of
2888         * each valid DATA chunk.
2889         *
2890         * The guidelines on delayed acknowledgement algorithm
2891         * specified in  Section 4.2 of [RFC2581] SHOULD be followed.
2892         * Specifically, an acknowledgement SHOULD be generated for at
2893         * least every second packet (not every second DATA chunk)
2894         * received, and SHOULD be generated within 200 ms of the
2895         * arrival of any unacknowledged DATA chunk.  In some
2896         * situations it may be beneficial for an SCTP transmitter to
2897         * be more conservative than the algorithms detailed in this
2898         * document allow. However, an SCTP transmitter MUST NOT be
2899         * more aggressive than the following algorithms allow.
2900         */
2901        if (chunk->end_of_packet)
2902                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
2903
2904        return SCTP_DISPOSITION_CONSUME;
2905
2906discard_force:
2907        /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2908         *
2909         * When a packet arrives with duplicate DATA chunk(s) and with
2910         * no new DATA chunk(s), the endpoint MUST immediately send a
2911         * SACK with no delay.  If a packet arrives with duplicate
2912         * DATA chunk(s) bundled with new DATA chunks, the endpoint
2913         * MAY immediately send a SACK.  Normally receipt of duplicate
2914         * DATA chunks will occur when the original SACK chunk was lost
2915         * and the peer's RTO has expired.  The duplicate TSN number(s)
2916         * SHOULD be reported in the SACK as duplicate.
2917         */
2918        /* In our case, we split the MAY SACK advice up whether or not
2919         * the last chunk is a duplicate.'
2920         */
2921        if (chunk->end_of_packet)
2922                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
2923        return SCTP_DISPOSITION_DISCARD;
2924
2925discard_noforce:
2926        if (chunk->end_of_packet)
2927                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
2928
2929        return SCTP_DISPOSITION_DISCARD;
2930consume:
2931        return SCTP_DISPOSITION_CONSUME;
2932
2933}
2934
2935/*
2936 * sctp_sf_eat_data_fast_4_4
2937 *
2938 * Section: 4 (4)
2939 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
2940 *    DATA chunks without delay.
2941 *
2942 * Verification Tag:  8.5 Verification Tag [Normal verification]
2943 * Inputs
2944 * (endpoint, asoc, chunk)
2945 *
2946 * Outputs
2947 * (asoc, reply_msg, msg_up, timers, counters)
2948 *
2949 * The return value is the disposition of the chunk.
2950 */
2951sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,
2952                                     const struct sctp_association *asoc,
2953                                     const sctp_subtype_t type,
2954                                     void *arg,
2955                                     sctp_cmd_seq_t *commands)
2956{
2957        struct sctp_chunk *chunk = arg;
2958        int error;
2959
2960        if (!sctp_vtag_verify(chunk, asoc)) {
2961                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2962                                SCTP_NULL());
2963                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2964        }
2965
2966        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2967                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2968                                                  commands);
2969
2970        error = sctp_eat_data(asoc, chunk, commands );
2971        switch (error) {
2972        case SCTP_IERROR_NO_ERROR:
2973        case SCTP_IERROR_HIGH_TSN:
2974        case SCTP_IERROR_DUP_TSN:
2975        case SCTP_IERROR_IGNORE_TSN:
2976        case SCTP_IERROR_BAD_STREAM:
2977                break;
2978        case SCTP_IERROR_NO_DATA:
2979                goto consume;
2980        default:
2981                BUG();
2982        }
2983
2984        /* Go a head and force a SACK, since we are shutting down. */
2985
2986        /* Implementor's Guide.
2987         *
2988         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
2989         * respond to each received packet containing one or more DATA chunk(s)
2990         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
2991         */
2992        if (chunk->end_of_packet) {
2993                /* We must delay the chunk creation since the cumulative
2994                 * TSN has not been updated yet.
2995                 */
2996                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
2997                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
2998                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2999                                SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3000        }
3001
3002consume:
3003        return SCTP_DISPOSITION_CONSUME;
3004}
3005
3006/*
3007 * Section: 6.2  Processing a Received SACK
3008 * D) Any time a SACK arrives, the endpoint performs the following:
3009 *
3010 *     i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3011 *     then drop the SACK.   Since Cumulative TSN Ack is monotonically
3012 *     increasing, a SACK whose Cumulative TSN Ack is less than the
3013 *     Cumulative TSN Ack Point indicates an out-of-order SACK.
3014 *
3015 *     ii) Set rwnd equal to the newly received a_rwnd minus the number
3016 *     of bytes still outstanding after processing the Cumulative TSN Ack
3017 *     and the Gap Ack Blocks.
3018 *
3019 *     iii) If the SACK is missing a TSN that was previously
3020 *     acknowledged via a Gap Ack Block (e.g., the data receiver
3021 *     reneged on the data), then mark the corresponding DATA chunk
3022 *     as available for retransmit:  Mark it as missing for fast
3023 *     retransmit as described in Section 7.2.4 and if no retransmit
3024 *     timer is running for the destination address to which the DATA
3025 *     chunk was originally transmitted, then T3-rtx is started for
3026 *     that destination address.
3027 *
3028 * Verification Tag:  8.5 Verification Tag [Normal verification]
3029 *
3030 * Inputs
3031 * (endpoint, asoc, chunk)
3032 *
3033 * Outputs
3034 * (asoc, reply_msg, msg_up, timers, counters)
3035 *
3036 * The return value is the disposition of the chunk.
3037 */
3038sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
3039                                        const struct sctp_association *asoc,
3040                                        const sctp_subtype_t type,
3041                                        void *arg,
3042                                        sctp_cmd_seq_t *commands)
3043{
3044        struct sctp_chunk *chunk = arg;
3045        sctp_sackhdr_t *sackh;
3046        __u32 ctsn;
3047
3048        if (!sctp_vtag_verify(chunk, asoc))
3049                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3050
3051        /* Make sure that the SACK chunk has a valid length. */
3052        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
3053                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3054                                                  commands);
3055
3056        /* Pull the SACK chunk from the data buffer */
3057        sackh = sctp_sm_pull_sack(chunk);
3058        /* Was this a bogus SACK? */
3059        if (!sackh)
3060                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3061        chunk->subh.sack_hdr = sackh;
3062        ctsn = ntohl(sackh->cum_tsn_ack);
3063
3064        /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3065         *     Ack Point, then drop the SACK.  Since Cumulative TSN
3066         *     Ack is monotonically increasing, a SACK whose
3067         *     Cumulative TSN Ack is less than the Cumulative TSN Ack
3068         *     Point indicates an out-of-order SACK.
3069         */
3070        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3071                SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
3072                SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
3073                return SCTP_DISPOSITION_DISCARD;
3074        }
3075
3076        /* If Cumulative TSN Ack beyond the max tsn currently
3077         * send, terminating the association and respond to the
3078         * sender with an ABORT.
3079         */
3080        if (!TSN_lt(ctsn, asoc->next_tsn))
3081                return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
3082
3083        /* Return this SACK for further processing.  */
3084        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh));
3085
3086        /* Note: We do the rest of the work on the PROCESS_SACK
3087         * sideeffect.
3088         */
3089        return SCTP_DISPOSITION_CONSUME;
3090}
3091
3092/*
3093 * Generate an ABORT in response to a packet.
3094 *
3095 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3096 *
3097 * 8) The receiver should respond to the sender of the OOTB packet with
3098 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3099 *    MUST fill in the Verification Tag field of the outbound packet
3100 *    with the value found in the Verification Tag field of the OOTB
3101 *    packet and set the T-bit in the Chunk Flags to indicate that the
3102 *    Verification Tag is reflected.  After sending this ABORT, the
3103 *    receiver of the OOTB packet shall discard the OOTB packet and take
3104 *    no further action.
3105 *
3106 * Verification Tag:
3107 *
3108 * The return value is the disposition of the chunk.
3109*/
3110static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
3111                                        const struct sctp_association *asoc,
3112                                        const sctp_subtype_t type,
3113                                        void *arg,
3114                                        sctp_cmd_seq_t *commands)
3115{
3116        struct sctp_packet *packet = NULL;
3117        struct sctp_chunk *chunk = arg;
3118        struct sctp_chunk *abort;
3119
3120        packet = sctp_ootb_pkt_new(asoc, chunk);
3121
3122        if (packet) {
3123                /* Make an ABORT. The T bit will be set if the asoc
3124                 * is NULL.
3125                 */
3126                abort = sctp_make_abort(asoc, chunk, 0);
3127                if (!abort) {
3128                        sctp_ootb_pkt_free(packet);
3129                        return SCTP_DISPOSITION_NOMEM;
3130                }
3131
3132                /* Reflect vtag if T-Bit is set */
3133                if (sctp_test_T_bit(abort))
3134                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3135
3136                /* Set the skb to the belonging sock for accounting.  */
3137                abort->skb->sk = ep->base.sk;
3138
3139                sctp_packet_append_chunk(packet, abort);
3140
3141                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3142                                SCTP_PACKET(packet));
3143
3144                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3145
3146                sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3147                return SCTP_DISPOSITION_CONSUME;
3148        }
3149
3150        return SCTP_DISPOSITION_NOMEM;
3151}
3152
3153/*
3154 * Received an ERROR chunk from peer.  Generate SCTP_REMOTE_ERROR
3155 * event as ULP notification for each cause included in the chunk.
3156 *
3157 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3158 *
3159 * The return value is the disposition of the chunk.
3160*/
3161sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
3162                                        const struct sctp_association *asoc,
3163                                        const sctp_subtype_t type,
3164                                        void *arg,
3165                                        sctp_cmd_seq_t *commands)
3166{
3167        struct sctp_chunk *chunk = arg;
3168
3169        if (!sctp_vtag_verify(chunk, asoc))
3170                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3171
3172        /* Make sure that the ERROR chunk has a valid length. */
3173        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3174                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3175                                                  commands);
3176
3177        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3178                        SCTP_CHUNK(chunk));
3179
3180        return SCTP_DISPOSITION_CONSUME;
3181}
3182
3183/*
3184 * Process an inbound SHUTDOWN ACK.
3185 *
3186 * From Section 9.2:
3187 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3188 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3189 * peer, and remove all record of the association.
3190 *
3191 * The return value is the disposition.
3192 */
3193sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,
3194                                        const struct sctp_association *asoc,
3195                                        const sctp_subtype_t type,
3196                                        void *arg,
3197                                        sctp_cmd_seq_t *commands)
3198{
3199        struct sctp_chunk *chunk = arg;
3200        struct sctp_chunk *reply;
3201        struct sctp_ulpevent *ev;
3202
3203        if (!sctp_vtag_verify(chunk, asoc))
3204                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3205
3206        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3207        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3208                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3209                                                  commands);
3210        /* 10.2 H) SHUTDOWN COMPLETE notification
3211         *
3212         * When SCTP completes the shutdown procedures (section 9.2) this
3213         * notification is passed to the upper layer.
3214         */
3215        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3216                                             0, 0, 0, NULL, GFP_ATOMIC);
3217        if (!ev)
3218                goto nomem;
3219
3220        /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3221        reply = sctp_make_shutdown_complete(asoc, chunk);
3222        if (!reply)
3223                goto nomem_chunk;
3224
3225        /* Do all the commands now (after allocation), so that we
3226         * have consistent state if memory allocation failes
3227         */
3228        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3229
3230        /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3231         * stop the T2-shutdown timer,
3232         */
3233        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3234                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3235
3236        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3237                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3238
3239        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3240                        SCTP_STATE(SCTP_STATE_CLOSED));
3241        SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
3242        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3243        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3244
3245        /* ...and remove all record of the association. */
3246        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3247        return SCTP_DISPOSITION_DELETE_TCB;
3248
3249nomem_chunk:
3250        sctp_ulpevent_free(ev);
3251nomem:
3252        return SCTP_DISPOSITION_NOMEM;
3253}
3254
3255/*
3256 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3257 *
3258 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3259 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3260 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3261 *    packet must fill in the Verification Tag field of the outbound
3262 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3263 *    set the T-bit in the Chunk Flags to indicate that the Verification
3264 *    Tag is reflected.
3265 *
3266 * 8) The receiver should respond to the sender of the OOTB packet with
3267 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3268 *    MUST fill in the Verification Tag field of the outbound packet
3269 *    with the value found in the Verification Tag field of the OOTB
3270 *    packet and set the T-bit in the Chunk Flags to indicate that the
3271 *    Verification Tag is reflected.  After sending this ABORT, the
3272 *    receiver of the OOTB packet shall discard the OOTB packet and take
3273 *    no further action.
3274 */
3275sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
3276                                const struct sctp_association *asoc,
3277                                const sctp_subtype_t type,
3278                                void *arg,
3279                                sctp_cmd_seq_t *commands)
3280{
3281        struct sctp_chunk *chunk = arg;
3282        struct sk_buff *skb = chunk->skb;
3283        sctp_chunkhdr_t *ch;
3284        __u8 *ch_end;
3285        int ootb_shut_ack = 0;
3286
3287        SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3288
3289        ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3290        do {
3291                /* Report violation if the chunk is less then minimal */
3292                if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3293                        return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3294                                                  commands);
3295
3296                /* Now that we know we at least have a chunk header,
3297                 * do things that are type appropriate.
3298                 */
3299                if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3300                        ootb_shut_ack = 1;
3301
3302                /* RFC 2960, Section 3.3.7
3303                 *   Moreover, under any circumstances, an endpoint that
3304                 *   receives an ABORT  MUST NOT respond to that ABORT by
3305                 *   sending an ABORT of its own.
3306                 */
3307                if (SCTP_CID_ABORT == ch->type)
3308                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3309
3310                /* Report violation if chunk len overflows */
3311                ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3312                if (ch_end > skb_tail_pointer(skb))
3313                        return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3314                                                  commands);
3315
3316                ch = (sctp_chunkhdr_t *) ch_end;
3317        } while (ch_end < skb_tail_pointer(skb));
3318
3319        if (ootb_shut_ack)
3320                return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);
3321        else
3322                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
3323}
3324
3325/*
3326 * Handle an "Out of the blue" SHUTDOWN ACK.
3327 *
3328 * Section: 8.4 5, sctpimpguide 2.41.
3329 *
3330 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3331 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3332 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3333 *    packet must fill in the Verification Tag field of the outbound
3334 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3335 *    set the T-bit in the Chunk Flags to indicate that the Verification
3336 *    Tag is reflected.
3337 *
3338 * Inputs
3339 * (endpoint, asoc, type, arg, commands)
3340 *
3341 * Outputs
3342 * (sctp_disposition_t)
3343 *
3344 * The return value is the disposition of the chunk.
3345 */
3346static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
3347                                             const struct sctp_association *asoc,
3348                                             const sctp_subtype_t type,
3349                                             void *arg,
3350                                             sctp_cmd_seq_t *commands)
3351{
3352        struct sctp_packet *packet = NULL;
3353        struct sctp_chunk *chunk = arg;
3354        struct sctp_chunk *shut;
3355
3356        packet = sctp_ootb_pkt_new(asoc, chunk);
3357
3358        if (packet) {
3359                /* Make an SHUTDOWN_COMPLETE.
3360                 * The T bit will be set if the asoc is NULL.
3361                 */
3362                shut = sctp_make_shutdown_complete(asoc, chunk);
3363                if (!shut) {
3364                        sctp_ootb_pkt_free(packet);
3365                        return SCTP_DISPOSITION_NOMEM;
3366                }
3367
3368                /* Reflect vtag if T-Bit is set */
3369                if (sctp_test_T_bit(shut))
3370                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3371
3372                /* Set the skb to the belonging sock for accounting.  */
3373                shut->skb->sk = ep->base.sk;
3374
3375                sctp_packet_append_chunk(packet, shut);
3376
3377                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3378                                SCTP_PACKET(packet));
3379
3380                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3381
3382                /* If the chunk length is invalid, we don't want to process
3383                 * the reset of the packet.
3384                 */
3385                if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3386                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3387
3388                /* We need to discard the rest of the packet to prevent
3389                 * potential bomming attacks from additional bundled chunks.
3390                 * This is documented in SCTP Threats ID.
3391                 */
3392                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3393        }
3394
3395        return SCTP_DISPOSITION_NOMEM;
3396}
3397
3398/*
3399 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3400 *
3401 * Verification Tag:  8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3402 *   If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3403 *   procedures in section 8.4 SHOULD be followed, in other words it
3404 *   should be treated as an Out Of The Blue packet.
3405 *   [This means that we do NOT check the Verification Tag on these
3406 *   chunks. --piggy ]
3407 *
3408 */
3409sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep,
3410                                      const struct sctp_association *asoc,
3411                                      const sctp_subtype_t type,
3412                                      void *arg,
3413                                      sctp_cmd_seq_t *commands)
3414{
3415        struct sctp_chunk *chunk = arg;
3416
3417        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3418        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3419                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3420                                                  commands);
3421
3422        /* Although we do have an association in this case, it corresponds
3423         * to a restarted association. So the packet is treated as an OOTB
3424         * packet and the state function that handles OOTB SHUTDOWN_ACK is
3425         * called with a NULL association.
3426         */
3427        SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3428
3429        return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands);
3430}
3431
3432/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk.  */
3433sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep,
3434                                     const struct sctp_association *asoc,
3435                                     const sctp_subtype_t type, void *arg,
3436                                     sctp_cmd_seq_t *commands)
3437{
3438        struct sctp_chunk       *chunk = arg;
3439        struct sctp_chunk       *asconf_ack = NULL;
3440        struct sctp_paramhdr    *err_param = NULL;
3441        sctp_addiphdr_t         *hdr;
3442        union sctp_addr_param   *addr_param;
3443        __u32                   serial;
3444        int                     length;
3445
3446        if (!sctp_vtag_verify(chunk, asoc)) {
3447                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3448                                SCTP_NULL());
3449                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3450        }
3451
3452        /* ADD-IP: Section 4.1.1
3453         * This chunk MUST be sent in an authenticated way by using
3454         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3455         * is received unauthenticated it MUST be silently discarded as
3456         * described in [I-D.ietf-tsvwg-sctp-auth].
3457         */
3458        if (!sctp_addip_noauth && !chunk->auth)
3459                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3460
3461        /* Make sure that the ASCONF ADDIP chunk has a valid length.  */
3462        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3463                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3464                                                  commands);
3465
3466        hdr = (sctp_addiphdr_t *)chunk->skb->data;
3467        serial = ntohl(hdr->serial);
3468
3469        addr_param = (union sctp_addr_param *)hdr->params;
3470        length = ntohs(addr_param->p.length);
3471        if (length < sizeof(sctp_paramhdr_t))
3472                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3473                           (void *)addr_param, commands);
3474
3475        /* Verify the ASCONF chunk before processing it. */
3476        if (!sctp_verify_asconf(asoc,
3477                            (sctp_paramhdr_t *)((void *)addr_param + length),
3478                            (void *)chunk->chunk_end,
3479                            &err_param))
3480                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3481                                                  (void *)err_param, commands);
3482
3483        /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3484         * the endpoint stored in a new association variable
3485         * 'Peer-Serial-Number'.
3486         */
3487        if (serial == asoc->peer.addip_serial + 1) {
3488                /* If this is the first instance of ASCONF in the packet,
3489                 * we can clean our old ASCONF-ACKs.
3490                 */
3491                if (!chunk->has_asconf)
3492                        sctp_assoc_clean_asconf_ack_cache(asoc);
3493
3494                /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3495                 * expected, process the ASCONF as described below and after
3496                 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3497                 * the response packet and cache a copy of it (in the event it
3498                 * later needs to be retransmitted).
3499                 *
3500                 * Essentially, do V1-V5.
3501                 */
3502                asconf_ack = sctp_process_asconf((struct sctp_association *)
3503                                                 asoc, chunk);
3504                if (!asconf_ack)
3505                        return SCTP_DISPOSITION_NOMEM;
3506        } else if (serial < asoc->peer.addip_serial + 1) {
3507                /* ADDIP 5.2 E2)
3508                 * If the value found in the Sequence Number is less than the
3509                 * ('Peer- Sequence-Number' + 1), simply skip to the next
3510                 * ASCONF, and include in the outbound response packet
3511                 * any previously cached ASCONF-ACK response that was
3512                 * sent and saved that matches the Sequence Number of the
3513                 * ASCONF.  Note: It is possible that no cached ASCONF-ACK
3514                 * Chunk exists.  This will occur when an older ASCONF
3515                 * arrives out of order.  In such a case, the receiver
3516                 * should skip the ASCONF Chunk and not include ASCONF-ACK
3517                 * Chunk for that chunk.
3518                 */
3519                asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3520                if (!asconf_ack)
3521                        return SCTP_DISPOSITION_DISCARD;
3522        } else {
3523                /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3524                 * it must be either a stale packet or from an attacker.
3525                 */
3526                return SCTP_DISPOSITION_DISCARD;
3527        }
3528
3529        /* ADDIP 5.2 E6)  The destination address of the SCTP packet
3530         * containing the ASCONF-ACK Chunks MUST be the source address of
3531         * the SCTP packet that held the ASCONF Chunks.
3532         *
3533         * To do this properly, we'll set the destination address of the chunk
3534         * and at the transmit time, will try look up the transport to use.
3535         * Since ASCONFs may be bundled, the correct transport may not be
3536         * created untill we process the entire packet, thus this workaround.
3537         */
3538        asconf_ack->dest = chunk->source;
3539        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3540
3541        return SCTP_DISPOSITION_CONSUME;
3542}
3543
3544/*
3545 * ADDIP Section 4.3 General rules for address manipulation
3546 * When building TLV parameters for the ASCONF Chunk that will add or
3547 * delete IP addresses the D0 to D13 rules should be applied:
3548 */
3549sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,
3550                                         const struct sctp_association *asoc,
3551                                         const sctp_subtype_t type, void *arg,
3552                                         sctp_cmd_seq_t *commands)
3553{
3554        struct sctp_chunk       *asconf_ack = arg;
3555        struct sctp_chunk       *last_asconf = asoc->addip_last_asconf;
3556        struct sctp_chunk       *abort;
3557        struct sctp_paramhdr    *err_param = NULL;
3558        sctp_addiphdr_t         *addip_hdr;
3559        __u32                   sent_serial, rcvd_serial;
3560
3561        if (!sctp_vtag_verify(asconf_ack, asoc)) {
3562                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3563                                SCTP_NULL());
3564                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3565        }
3566
3567        /* ADD-IP, Section 4.1.2:
3568         * This chunk MUST be sent in an authenticated way by using
3569         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3570         * is received unauthenticated it MUST be silently discarded as
3571         * described in [I-D.ietf-tsvwg-sctp-auth].
3572         */
3573        if (!sctp_addip_noauth && !asconf_ack->auth)
3574                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3575
3576        /* Make sure that the ADDIP chunk has a valid length.  */
3577        if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3578                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3579                                                  commands);
3580
3581        addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3582        rcvd_serial = ntohl(addip_hdr->serial);
3583
3584        /* Verify the ASCONF-ACK chunk before processing it. */
3585        if (!sctp_verify_asconf(asoc,
3586            (sctp_paramhdr_t *)addip_hdr->params,
3587            (void *)asconf_ack->chunk_end,
3588            &err_param))
3589                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3590                           (void *)err_param, commands);
3591
3592        if (last_asconf) {
3593                addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3594                sent_serial = ntohl(addip_hdr->serial);
3595        } else {
3596                sent_serial = asoc->addip_serial - 1;
3597        }
3598
3599        /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3600         * equal to the next serial number to be used but no ASCONF chunk is
3601         * outstanding the endpoint MUST ABORT the association. Note that a
3602         * sequence number is greater than if it is no more than 2^^31-1
3603         * larger than the current sequence number (using serial arithmetic).
3604         */
3605        if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3606            !(asoc->addip_last_asconf)) {
3607                abort = sctp_make_abort(asoc, asconf_ack,
3608                                        sizeof(sctp_errhdr_t));
3609                if (abort) {
3610                        sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3611                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3612                                        SCTP_CHUNK(abort));
3613                }
3614                /* We are going to ABORT, so we might as well stop
3615                 * processing the rest of the chunks in the packet.
3616                 */
3617                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3618                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3619                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3620                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3621                                SCTP_ERROR(ECONNABORTED));
3622                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3623                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3624                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3625                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3626                return SCTP_DISPOSITION_ABORT;
3627        }
3628
3629        if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3630                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3631                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3632
3633                if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3634                                             asconf_ack))
3635                        return SCTP_DISPOSITION_CONSUME;
3636
3637                abort = sctp_make_abort(asoc, asconf_ack,
3638                                        sizeof(sctp_errhdr_t));
3639                if (abort) {
3640                        sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3641                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3642                                        SCTP_CHUNK(abort));
3643                }
3644                /* We are going to ABORT, so we might as well stop
3645                 * processing the rest of the chunks in the packet.
3646                 */
3647                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3648                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3649                                SCTP_ERROR(ECONNABORTED));
3650                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3651                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3652                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3653                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3654                return SCTP_DISPOSITION_ABORT;
3655        }
3656
3657        return SCTP_DISPOSITION_DISCARD;
3658}
3659
3660/*
3661 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3662 *
3663 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3664 * its cumulative TSN point to the value carried in the FORWARD TSN
3665 * chunk, and then MUST further advance its cumulative TSN point locally
3666 * if possible.
3667 * After the above processing, the data receiver MUST stop reporting any
3668 * missing TSNs earlier than or equal to the new cumulative TSN point.
3669 *
3670 * Verification Tag:  8.5 Verification Tag [Normal verification]
3671 *
3672 * The return value is the disposition of the chunk.
3673 */
3674sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
3675                                       const struct sctp_association *asoc,
3676                                       const sctp_subtype_t type,
3677                                       void *arg,
3678                                       sctp_cmd_seq_t *commands)
3679{
3680        struct sctp_chunk *chunk = arg;
3681        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3682        struct sctp_fwdtsn_skip *skip;
3683        __u16 len;
3684        __u32 tsn;
3685
3686        if (!sctp_vtag_verify(chunk, asoc)) {
3687                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3688                                SCTP_NULL());
3689                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3690        }
3691
3692        /* Make sure that the FORWARD_TSN chunk has valid length.  */
3693        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3694                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3695                                                  commands);
3696
3697        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3698        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3699        len = ntohs(chunk->chunk_hdr->length);
3700        len -= sizeof(struct sctp_chunkhdr);
3701        skb_pull(chunk->skb, len);
3702
3703        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3704        SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3705
3706        /* The TSN is too high--silently discard the chunk and count on it
3707         * getting retransmitted later.
3708         */
3709        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3710                goto discard_noforce;
3711
3712        /* Silently discard the chunk if stream-id is not valid */
3713        sctp_walk_fwdtsn(skip, chunk) {
3714                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3715                        goto discard_noforce;
3716        }
3717
3718        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3719        if (len > sizeof(struct sctp_fwdtsn_hdr))
3720                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3721                                SCTP_CHUNK(chunk));
3722
3723        /* Count this as receiving DATA. */
3724        if (asoc->autoclose) {
3725                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3726                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3727        }
3728
3729        /* FIXME: For now send a SACK, but DATA processing may
3730         * send another.
3731         */
3732        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3733
3734        return SCTP_DISPOSITION_CONSUME;
3735
3736discard_noforce:
3737        return SCTP_DISPOSITION_DISCARD;
3738}
3739
3740sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3741        const struct sctp_endpoint *ep,
3742        const struct sctp_association *asoc,
3743        const sctp_subtype_t type,
3744        void *arg,
3745        sctp_cmd_seq_t *commands)
3746{
3747        struct sctp_chunk *chunk = arg;
3748        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3749        struct sctp_fwdtsn_skip *skip;
3750        __u16 len;
3751        __u32 tsn;
3752
3753        if (!sctp_vtag_verify(chunk, asoc)) {
3754                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3755                                SCTP_NULL());
3756                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3757        }
3758
3759        /* Make sure that the FORWARD_TSN chunk has a valid length.  */
3760        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3761                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3762                                                  commands);
3763
3764        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3765        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3766        len = ntohs(chunk->chunk_hdr->length);
3767        len -= sizeof(struct sctp_chunkhdr);
3768        skb_pull(chunk->skb, len);
3769
3770        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3771        SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3772
3773        /* The TSN is too high--silently discard the chunk and count on it
3774         * getting retransmitted later.
3775         */
3776        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3777                goto gen_shutdown;
3778
3779        /* Silently discard the chunk if stream-id is not valid */
3780        sctp_walk_fwdtsn(skip, chunk) {
3781                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3782                        goto gen_shutdown;
3783        }
3784
3785        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3786        if (len > sizeof(struct sctp_fwdtsn_hdr))
3787                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3788                                SCTP_CHUNK(chunk));
3789
3790        /* Go a head and force a SACK, since we are shutting down. */
3791gen_shutdown:
3792        /* Implementor's Guide.
3793         *
3794         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3795         * respond to each received packet containing one or more DATA chunk(s)
3796         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3797         */
3798        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3799        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3800        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3801                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3802
3803        return SCTP_DISPOSITION_CONSUME;
3804}
3805
3806/*
3807 * SCTP-AUTH Section 6.3 Receving authenticated chukns
3808 *
3809 *    The receiver MUST use the HMAC algorithm indicated in the HMAC
3810 *    Identifier field.  If this algorithm was not specified by the
3811 *    receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
3812 *    during association setup, the AUTH chunk and all chunks after it MUST
3813 *    be discarded and an ERROR chunk SHOULD be sent with the error cause
3814 *    defined in Section 4.1.
3815 *
3816 *    If an endpoint with no shared key receives a Shared Key Identifier
3817 *    other than 0, it MUST silently discard all authenticated chunks.  If
3818 *    the endpoint has at least one endpoint pair shared key for the peer,
3819 *    it MUST use the key specified by the Shared Key Identifier if a
3820 *    key has been configured for that Shared Key Identifier.  If no
3821 *    endpoint pair shared key has been configured for that Shared Key
3822 *    Identifier, all authenticated chunks MUST be silently discarded.
3823 *
3824 * Verification Tag:  8.5 Verification Tag [Normal verification]
3825 *
3826 * The return value is the disposition of the chunk.
3827 */
3828static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
3829                                    const struct sctp_association *asoc,
3830                                    const sctp_subtype_t type,
3831                                    struct sctp_chunk *chunk)
3832{
3833        struct sctp_authhdr *auth_hdr;
3834        struct sctp_hmac *hmac;
3835        unsigned int sig_len;
3836        __u16 key_id;
3837        __u8 *save_digest;
3838        __u8 *digest;
3839
3840        /* Pull in the auth header, so we can do some more verification */
3841        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
3842        chunk->subh.auth_hdr = auth_hdr;
3843        skb_pull(chunk->skb, sizeof(struct sctp_authhdr));
3844
3845        /* Make sure that we suport the HMAC algorithm from the auth
3846         * chunk.
3847         */
3848        if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
3849                return SCTP_IERROR_AUTH_BAD_HMAC;
3850
3851        /* Make sure that the provided shared key identifier has been
3852         * configured
3853         */
3854        key_id = ntohs(auth_hdr->shkey_id);
3855        if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
3856                return SCTP_IERROR_AUTH_BAD_KEYID;
3857
3858
3859        /* Make sure that the length of the signature matches what
3860         * we expect.
3861         */
3862        sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);
3863        hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
3864        if (sig_len != hmac->hmac_len)
3865                return SCTP_IERROR_PROTO_VIOLATION;
3866
3867        /* Now that we've done validation checks, we can compute and
3868         * verify the hmac.  The steps involved are:
3869         *  1. Save the digest from the chunk.
3870         *  2. Zero out the digest in the chunk.
3871         *  3. Compute the new digest
3872         *  4. Compare saved and new digests.
3873         */
3874        digest = auth_hdr->hmac;
3875        skb_pull(chunk->skb, sig_len);
3876
3877        save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
3878        if (!save_digest)
3879                goto nomem;
3880
3881        memset(digest, 0, sig_len);
3882
3883        sctp_auth_calculate_hmac(asoc, chunk->skb,
3884                                (struct sctp_auth_chunk *)chunk->chunk_hdr,
3885                                GFP_ATOMIC);
3886
3887        /* Discard the packet if the digests do not match */
3888        if (memcmp(save_digest, digest, sig_len)) {
3889                kfree(save_digest);
3890                return SCTP_IERROR_BAD_SIG;
3891        }
3892
3893        kfree(save_digest);
3894        chunk->auth = 1;
3895
3896        return SCTP_IERROR_NO_ERROR;
3897nomem:
3898        return SCTP_IERROR_NOMEM;
3899}
3900
3901sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep,
3902                                    const struct sctp_association *asoc,
3903                                    const sctp_subtype_t type,
3904                                    void *arg,
3905                                    sctp_cmd_seq_t *commands)
3906{
3907        struct sctp_authhdr *auth_hdr;
3908        struct sctp_chunk *chunk = arg;
3909        struct sctp_chunk *err_chunk;
3910        sctp_ierror_t error;
3911
3912        /* Make sure that the peer has AUTH capable */
3913        if (!asoc->peer.auth_capable)
3914                return sctp_sf_unk_chunk(ep, asoc, type, arg, commands);
3915
3916        if (!sctp_vtag_verify(chunk, asoc)) {
3917                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3918                                SCTP_NULL());
3919                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3920        }
3921
3922        /* Make sure that the AUTH chunk has valid length.  */
3923        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
3924                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3925                                                  commands);
3926
3927        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
3928        error = sctp_sf_authenticate(ep, asoc, type, chunk);
3929        switch (error) {
3930                case SCTP_IERROR_AUTH_BAD_HMAC:
3931                        /* Generate the ERROR chunk and discard the rest
3932                         * of the packet
3933                         */
3934                        err_chunk = sctp_make_op_error(asoc, chunk,
3935                                                        SCTP_ERROR_UNSUP_HMAC,
3936                                                        &auth_hdr->hmac_id,
3937                                                        sizeof(__u16));
3938                        if (err_chunk) {
3939                                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3940                                                SCTP_CHUNK(err_chunk));
3941                        }
3942                        /* Fall Through */
3943                case SCTP_IERROR_AUTH_BAD_KEYID:
3944                case SCTP_IERROR_BAD_SIG:
3945                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3946                        break;
3947                case SCTP_IERROR_PROTO_VIOLATION:
3948                        return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3949                                                          commands);
3950                        break;
3951                case SCTP_IERROR_NOMEM:
3952                        return SCTP_DISPOSITION_NOMEM;
3953                default:
3954                        break;
3955        }
3956
3957        if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
3958                struct sctp_ulpevent *ev;
3959
3960                ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
3961                                    SCTP_AUTH_NEWKEY, GFP_ATOMIC);
3962
3963                if (!ev)
3964                        return -ENOMEM;
3965
3966                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
3967                                SCTP_ULPEVENT(ev));
3968        }
3969
3970        return SCTP_DISPOSITION_CONSUME;
3971}
3972
3973/*
3974 * Process an unknown chunk.
3975 *
3976 * Section: 3.2. Also, 2.1 in the implementor's guide.
3977 *
3978 * Chunk Types are encoded such that the highest-order two bits specify
3979 * the action that must be taken if the processing endpoint does not
3980 * recognize the Chunk Type.
3981 *
3982 * 00 - Stop processing this SCTP packet and discard it, do not process
3983 *      any further chunks within it.
3984 *
3985 * 01 - Stop processing this SCTP packet and discard it, do not process
3986 *      any further chunks within it, and report the unrecognized
3987 *      chunk in an 'Unrecognized Chunk Type'.
3988 *
3989 * 10 - Skip this chunk and continue processing.
3990 *
3991 * 11 - Skip this chunk and continue processing, but report in an ERROR
3992 *      Chunk using the 'Unrecognized Chunk Type' cause of error.
3993 *
3994 * The return value is the disposition of the chunk.
3995 */
3996sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,
3997                                     const struct sctp_association *asoc,
3998                                     const sctp_subtype_t type,
3999                                     void *arg,
4000                                     sctp_cmd_seq_t *commands)
4001{
4002        struct sctp_chunk *unk_chunk = arg;
4003        struct sctp_chunk *err_chunk;
4004        sctp_chunkhdr_t *hdr;
4005
4006        SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);
4007
4008        if (!sctp_vtag_verify(unk_chunk, asoc))
4009                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4010
4011        /* Make sure that the chunk has a valid length.
4012         * Since we don't know the chunk type, we use a general
4013         * chunkhdr structure to make a comparison.
4014         */
4015        if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
4016                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4017                                                  commands);
4018
4019        switch (type.chunk & SCTP_CID_ACTION_MASK) {
4020        case SCTP_CID_ACTION_DISCARD:
4021                /* Discard the packet.  */
4022                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4023                break;
4024        case SCTP_CID_ACTION_DISCARD_ERR:
4025                /* Generate an ERROR chunk as response. */
4026                hdr = unk_chunk->chunk_hdr;
4027                err_chunk = sctp_make_op_error(asoc, unk_chunk,
4028                                               SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4029                                               WORD_ROUND(ntohs(hdr->length)));
4030                if (err_chunk) {
4031                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4032                                        SCTP_CHUNK(err_chunk));
4033                }
4034
4035                /* Discard the packet.  */
4036                sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4037                return SCTP_DISPOSITION_CONSUME;
4038                break;
4039        case SCTP_CID_ACTION_SKIP:
4040                /* Skip the chunk.  */
4041                return SCTP_DISPOSITION_DISCARD;
4042                break;
4043        case SCTP_CID_ACTION_SKIP_ERR:
4044                /* Generate an ERROR chunk as response. */
4045                hdr = unk_chunk->chunk_hdr;
4046                err_chunk = sctp_make_op_error(asoc, unk_chunk,
4047                                               SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4048                                               WORD_ROUND(ntohs(hdr->length)));
4049                if (err_chunk) {
4050                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4051                                        SCTP_CHUNK(err_chunk));
4052                }
4053                /* Skip the chunk.  */
4054                return SCTP_DISPOSITION_CONSUME;
4055                break;
4056        default:
4057                break;
4058        }
4059
4060        return SCTP_DISPOSITION_DISCARD;
4061}
4062
4063/*
4064 * Discard the chunk.
4065 *
4066 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4067 * [Too numerous to mention...]
4068 * Verification Tag: No verification needed.
4069 * Inputs
4070 * (endpoint, asoc, chunk)
4071 *
4072 * Outputs
4073 * (asoc, reply_msg, msg_up, timers, counters)
4074 *
4075 * The return value is the disposition of the chunk.
4076 */
4077sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep,
4078                                         const struct sctp_association *asoc,
4079                                         const sctp_subtype_t type,
4080                                         void *arg,
4081                                         sctp_cmd_seq_t *commands)
4082{
4083        struct sctp_chunk *chunk = arg;
4084
4085        /* Make sure that the chunk has a valid length.
4086         * Since we don't know the chunk type, we use a general
4087         * chunkhdr structure to make a comparison.
4088         */
4089        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4090                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4091                                                  commands);
4092
4093        SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);
4094        return SCTP_DISPOSITION_DISCARD;
4095}
4096
4097/*
4098 * Discard the whole packet.
4099 *
4100 * Section: 8.4 2)
4101 *
4102 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4103 *    silently discard the OOTB packet and take no further action.
4104 *
4105 * Verification Tag: No verification necessary
4106 *
4107 * Inputs
4108 * (endpoint, asoc, chunk)
4109 *
4110 * Outputs
4111 * (asoc, reply_msg, msg_up, timers, counters)
4112 *
4113 * The return value is the disposition of the chunk.
4114 */
4115sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep,
4116                                    const struct sctp_association *asoc,
4117                                    const sctp_subtype_t type,
4118                                    void *arg,
4119                                    sctp_cmd_seq_t *commands)
4120{
4121        SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS);
4122        sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4123
4124        return SCTP_DISPOSITION_CONSUME;
4125}
4126
4127
4128/*
4129 * The other end is violating protocol.
4130 *
4131 * Section: Not specified
4132 * Verification Tag: Not specified
4133 * Inputs
4134 * (endpoint, asoc, chunk)
4135 *
4136 * Outputs
4137 * (asoc, reply_msg, msg_up, timers, counters)
4138 *
4139 * We simply tag the chunk as a violation.  The state machine will log
4140 * the violation and continue.
4141 */
4142sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep,
4143                                     const struct sctp_association *asoc,
4144                                     const sctp_subtype_t type,
4145                                     void *arg,
4146                                     sctp_cmd_seq_t *commands)
4147{
4148        struct sctp_chunk *chunk = arg;
4149
4150        /* Make sure that the chunk has a valid length. */
4151        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4152                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4153                                                  commands);
4154
4155        return SCTP_DISPOSITION_VIOLATION;
4156}
4157
4158/*
4159 * Common function to handle a protocol violation.
4160 */
4161static sctp_disposition_t sctp_sf_abort_violation(
4162                                     const struct sctp_endpoint *ep,
4163                                     const struct sctp_association *asoc,
4164                                     void *arg,
4165                                     sctp_cmd_seq_t *commands,
4166                                     const __u8 *payload,
4167                                     const size_t paylen)
4168{
4169        struct sctp_packet *packet = NULL;
4170        struct sctp_chunk *chunk =  arg;
4171        struct sctp_chunk *abort = NULL;
4172
4173        /* SCTP-AUTH, Section 6.3:
4174         *    It should be noted that if the receiver wants to tear
4175         *    down an association in an authenticated way only, the
4176         *    handling of malformed packets should not result in
4177         *    tearing down the association.
4178         *
4179         * This means that if we only want to abort associations
4180         * in an authenticated way (i.e AUTH+ABORT), then we
4181         * can't destroy this association just becuase the packet
4182         * was malformed.
4183         */
4184        if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4185                goto discard;
4186
4187        /* Make the abort chunk. */
4188        abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4189        if (!abort)
4190                goto nomem;
4191
4192        if (asoc) {
4193                /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4194                if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4195                    !asoc->peer.i.init_tag) {
4196                        sctp_initack_chunk_t *initack;
4197
4198                        initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
4199                        if (!sctp_chunk_length_valid(chunk,
4200                                                     sizeof(sctp_initack_chunk_t)))
4201                                abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4202                        else {
4203                                unsigned int inittag;
4204
4205                                inittag = ntohl(initack->init_hdr.init_tag);
4206                                sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4207                                                SCTP_U32(inittag));
4208                        }
4209                }
4210
4211                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4212                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4213
4214                if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4215                        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4216                                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4217                        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4218                                        SCTP_ERROR(ECONNREFUSED));
4219                        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4220                                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4221                } else {
4222                        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4223                                        SCTP_ERROR(ECONNABORTED));
4224                        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4225                                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4226                        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4227                }
4228        } else {
4229                packet = sctp_ootb_pkt_new(asoc, chunk);
4230
4231                if (!packet)
4232                        goto nomem_pkt;
4233
4234                if (sctp_test_T_bit(abort))
4235                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4236
4237                abort->skb->sk = ep->base.sk;
4238
4239                sctp_packet_append_chunk(packet, abort);
4240
4241                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4242                        SCTP_PACKET(packet));
4243
4244                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4245        }
4246
4247        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4248
4249discard:
4250        sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4251        return SCTP_DISPOSITION_ABORT;
4252
4253nomem_pkt:
4254        sctp_chunk_free(abort);
4255nomem:
4256        return SCTP_DISPOSITION_NOMEM;
4257}
4258
4259/*
4260 * Handle a protocol violation when the chunk length is invalid.
4261 * "Invalid" length is identified as smaller than the minimal length a
4262 * given chunk can be.  For example, a SACK chunk has invalid length
4263 * if its length is set to be smaller than the size of sctp_sack_chunk_t.
4264 *
4265 * We inform the other end by sending an ABORT with a Protocol Violation
4266 * error code.
4267 *
4268 * Section: Not specified
4269 * Verification Tag:  Nothing to do
4270 * Inputs
4271 * (endpoint, asoc, chunk)
4272 *
4273 * Outputs
4274 * (reply_msg, msg_up, counters)
4275 *
4276 * Generate an  ABORT chunk and terminate the association.
4277 */
4278static sctp_disposition_t sctp_sf_violation_chunklen(
4279                                     const struct sctp_endpoint *ep,
4280                                     const struct sctp_association *asoc,
4281                                     const sctp_subtype_t type,
4282                                     void *arg,
4283                                     sctp_cmd_seq_t *commands)
4284{
4285        static const char err_str[]="The following chunk had invalid length:";
4286
4287        return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4288                                        sizeof(err_str));
4289}
4290
4291/*
4292 * Handle a protocol violation when the parameter length is invalid.
4293 * "Invalid" length is identified as smaller than the minimal length a
4294 * given parameter can be.
4295 */
4296static sctp_disposition_t sctp_sf_violation_paramlen(
4297                                     const struct sctp_endpoint *ep,
4298                                     const struct sctp_association *asoc,
4299                                     const sctp_subtype_t type,
4300                                     void *arg, void *ext,
4301                                     sctp_cmd_seq_t *commands)
4302{
4303        struct sctp_chunk *chunk =  arg;
4304        struct sctp_paramhdr *param = ext;
4305        struct sctp_chunk *abort = NULL;
4306
4307        if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4308                goto discard;
4309
4310        /* Make the abort chunk. */
4311        abort = sctp_make_violation_paramlen(asoc, chunk, param);
4312        if (!abort)
4313                goto nomem;
4314
4315        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4316        SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4317
4318        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4319                        SCTP_ERROR(ECONNABORTED));
4320        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4321                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4322        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4323        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4324
4325discard:
4326        sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4327        return SCTP_DISPOSITION_ABORT;
4328nomem:
4329        return SCTP_DISPOSITION_NOMEM;
4330}
4331
4332/* Handle a protocol violation when the peer trying to advance the
4333 * cumulative tsn ack to a point beyond the max tsn currently sent.
4334 *
4335 * We inform the other end by sending an ABORT with a Protocol Violation
4336 * error code.
4337 */
4338static sctp_disposition_t sctp_sf_violation_ctsn(
4339                                     const struct sctp_endpoint *ep,
4340                                     const struct sctp_association *asoc,
4341                                     const sctp_subtype_t type,
4342                                     void *arg,
4343                                     sctp_cmd_seq_t *commands)
4344{
4345        static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:";
4346
4347        return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4348                                        sizeof(err_str));
4349}
4350
4351/* Handle protocol violation of an invalid chunk bundling.  For example,
4352 * when we have an association and we recieve bundled INIT-ACK, or
4353 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4354 * statement from the specs.  Additinally, there might be an attacker
4355 * on the path and we may not want to continue this communication.
4356 */
4357static sctp_disposition_t sctp_sf_violation_chunk(
4358                                     const struct sctp_endpoint *ep,
4359                                     const struct sctp_association *asoc,
4360                                     const sctp_subtype_t type,
4361                                     void *arg,
4362                                     sctp_cmd_seq_t *commands)
4363{
4364        static const char err_str[]="The following chunk violates protocol:";
4365
4366        if (!asoc)
4367                return sctp_sf_violation(ep, asoc, type, arg, commands);
4368
4369        return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4370                                        sizeof(err_str));
4371}
4372/***************************************************************************
4373 * These are the state functions for handling primitive (Section 10) events.
4374 ***************************************************************************/
4375/*
4376 * sctp_sf_do_prm_asoc
4377 *
4378 * Section: 10.1 ULP-to-SCTP
4379 * B) Associate
4380 *
4381 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4382 * outbound stream count)
4383 * -> association id [,destination transport addr list] [,outbound stream
4384 * count]
4385 *
4386 * This primitive allows the upper layer to initiate an association to a
4387 * specific peer endpoint.
4388 *
4389 * The peer endpoint shall be specified by one of the transport addresses
4390 * which defines the endpoint (see Section 1.4).  If the local SCTP
4391 * instance has not been initialized, the ASSOCIATE is considered an
4392 * error.
4393 * [This is not relevant for the kernel implementation since we do all
4394 * initialization at boot time.  It we hadn't initialized we wouldn't
4395 * get anywhere near this code.]
4396 *
4397 * An association id, which is a local handle to the SCTP association,
4398 * will be returned on successful establishment of the association. If
4399 * SCTP is not able to open an SCTP association with the peer endpoint,
4400 * an error is returned.
4401 * [In the kernel implementation, the struct sctp_association needs to
4402 * be created BEFORE causing this primitive to run.]
4403 *
4404 * Other association parameters may be returned, including the
4405 * complete destination transport addresses of the peer as well as the
4406 * outbound stream count of the local endpoint. One of the transport
4407 * address from the returned destination addresses will be selected by
4408 * the local endpoint as default primary path for sending SCTP packets
4409 * to this peer.  The returned "destination transport addr list" can
4410 * be used by the ULP to change the default primary path or to force
4411 * sending a packet to a specific transport address.  [All of this
4412 * stuff happens when the INIT ACK arrives.  This is a NON-BLOCKING
4413 * function.]
4414 *
4415 * Mandatory attributes:
4416 *
4417 * o local SCTP instance name - obtained from the INITIALIZE operation.
4418 *   [This is the argument asoc.]
4419 * o destination transport addr - specified as one of the transport
4420 * addresses of the peer endpoint with which the association is to be
4421 * established.
4422 *  [This is asoc->peer.active_path.]
4423 * o outbound stream count - the number of outbound streams the ULP
4424 * would like to open towards this peer endpoint.
4425 * [BUG: This is not currently implemented.]
4426 * Optional attributes:
4427 *
4428 * None.
4429 *
4430 * The return value is a disposition.
4431 */
4432sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep,
4433                                       const struct sctp_association *asoc,
4434                                       const sctp_subtype_t type,
4435                                       void *arg,
4436                                       sctp_cmd_seq_t *commands)
4437{
4438        struct sctp_chunk *repl;
4439        struct sctp_association* my_asoc;
4440
4441        /* The comment below says that we enter COOKIE-WAIT AFTER
4442         * sending the INIT, but that doesn't actually work in our
4443         * implementation...
4444         */
4445        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4446                        SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4447
4448        /* RFC 2960 5.1 Normal Establishment of an Association
4449         *
4450         * A) "A" first sends an INIT chunk to "Z".  In the INIT, "A"
4451         * must provide its Verification Tag (Tag_A) in the Initiate
4452         * Tag field.  Tag_A SHOULD be a random number in the range of
4453         * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4454         */
4455
4456        repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4457        if (!repl)
4458                goto nomem;
4459
4460        /* Cast away the const modifier, as we want to just
4461         * rerun it through as a sideffect.
4462         */
4463        my_asoc = (struct sctp_association *)asoc;
4464        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4465
4466        /* Choose transport for INIT. */
4467        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4468                        SCTP_CHUNK(repl));
4469
4470        /* After sending the INIT, "A" starts the T1-init timer and
4471         * enters the COOKIE-WAIT state.
4472         */
4473        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4474                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4475        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4476        return SCTP_DISPOSITION_CONSUME;
4477
4478nomem:
4479        return SCTP_DISPOSITION_NOMEM;
4480}
4481
4482/*
4483 * Process the SEND primitive.
4484 *
4485 * Section: 10.1 ULP-to-SCTP
4486 * E) Send
4487 *
4488 * Format: SEND(association id, buffer address, byte count [,context]
4489 *         [,stream id] [,life time] [,destination transport address]
4490 *         [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4491 * -> result
4492 *
4493 * This is the main method to send user data via SCTP.
4494 *
4495 * Mandatory attributes:
4496 *
4497 *  o association id - local handle to the SCTP association
4498 *
4499 *  o buffer address - the location where the user message to be
4500 *    transmitted is stored;
4501 *
4502 *  o byte count - The size of the user data in number of bytes;
4503 *
4504 * Optional attributes:
4505 *
4506 *  o context - an optional 32 bit integer that will be carried in the
4507 *    sending failure notification to the ULP if the transportation of
4508 *    this User Message fails.
4509 *
4510 *  o stream id - to indicate which stream to send the data on. If not
4511 *    specified, stream 0 will be used.
4512 *
4513 *  o life time - specifies the life time of the user data. The user data
4514 *    will not be sent by SCTP after the life time expires. This
4515 *    parameter can be used to avoid efforts to transmit stale
4516 *    user messages. SCTP notifies the ULP if the data cannot be
4517 *    initiated to transport (i.e. sent to the destination via SCTP's
4518 *    send primitive) within the life time variable. However, the
4519 *    user data will be transmitted if SCTP has attempted to transmit a
4520 *    chunk before the life time expired.
4521 *
4522 *  o destination transport address - specified as one of the destination
4523 *    transport addresses of the peer endpoint to which this packet
4524 *    should be sent. Whenever possible, SCTP should use this destination
4525 *    transport address for sending the packets, instead of the current
4526 *    primary path.
4527 *
4528 *  o unorder flag - this flag, if present, indicates that the user
4529 *    would like the data delivered in an unordered fashion to the peer
4530 *    (i.e., the U flag is set to 1 on all DATA chunks carrying this
4531 *    message).
4532 *
4533 *  o no-bundle flag - instructs SCTP not to bundle this user data with
4534 *    other outbound DATA chunks. SCTP MAY still bundle even when
4535 *    this flag is present, when faced with network congestion.
4536 *
4537 *  o payload protocol-id - A 32 bit unsigned integer that is to be
4538 *    passed to the peer indicating the type of payload protocol data
4539 *    being transmitted. This value is passed as opaque data by SCTP.
4540 *
4541 * The return value is the disposition.
4542 */
4543sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep,
4544                                       const struct sctp_association *asoc,
4545                                       const sctp_subtype_t type,
4546                                       void *arg,
4547                                       sctp_cmd_seq_t *commands)
4548{
4549        struct sctp_chunk *chunk = arg;
4550
4551        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
4552        return SCTP_DISPOSITION_CONSUME;
4553}
4554
4555/*
4556 * Process the SHUTDOWN primitive.
4557 *
4558 * Section: 10.1:
4559 * C) Shutdown
4560 *
4561 * Format: SHUTDOWN(association id)
4562 * -> result
4563 *
4564 * Gracefully closes an association. Any locally queued user data
4565 * will be delivered to the peer. The association will be terminated only
4566 * after the peer acknowledges all the SCTP packets sent.  A success code
4567 * will be returned on successful termination of the association. If
4568 * attempting to terminate the association results in a failure, an error
4569 * code shall be retur