linux/net/sctp/sm_statefuns.c
<<
>>
Prefs
   1/* SCTP kernel implementation
   2 * (C) Copyright IBM Corp. 2001, 2004
   3 * Copyright (c) 1999-2000 Cisco, Inc.
   4 * Copyright (c) 1999-2001 Motorola, Inc.
   5 * Copyright (c) 2001-2002 Intel Corp.
   6 * Copyright (c) 2002      Nokia Corp.
   7 *
   8 * This is part of the SCTP Linux Kernel Implementation.
   9 *
  10 * These are the state functions for the state machine.
  11 *
  12 * This SCTP implementation is free software;
  13 * you can redistribute it and/or modify it under the terms of
  14 * the GNU General Public License as published by
  15 * the Free Software Foundation; either version 2, or (at your option)
  16 * any later version.
  17 *
  18 * This SCTP implementation is distributed in the hope that it
  19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
  20 *                 ************************
  21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  22 * See the GNU General Public License for more details.
  23 *
  24 * You should have received a copy of the GNU General Public License
  25 * along with GNU CC; see the file COPYING.  If not, write to
  26 * the Free Software Foundation, 59 Temple Place - Suite 330,
  27 * Boston, MA 02111-1307, USA.
  28 *
  29 * Please send any bug reports or fixes you make to the
  30 * email address(es):
  31 *    lksctp developers <lksctp-developers@lists.sourceforge.net>
  32 *
  33 * Or submit a bug report through the following website:
  34 *    http://www.sf.net/projects/lksctp
  35 *
  36 * Written or modified by:
  37 *    La Monte H.P. Yarroll <piggy@acm.org>
  38 *    Karl Knutson          <karl@athena.chicago.il.us>
  39 *    Mathew Kotowsky       <kotowsky@sctp.org>
  40 *    Sridhar Samudrala     <samudrala@us.ibm.com>
  41 *    Jon Grimm             <jgrimm@us.ibm.com>
  42 *    Hui Huang             <hui.huang@nokia.com>
  43 *    Dajiang Zhang         <dajiang.zhang@nokia.com>
  44 *    Daisy Chang           <daisyc@us.ibm.com>
  45 *    Ardelle Fan           <ardelle.fan@intel.com>
  46 *    Ryan Layer            <rmlayer@us.ibm.com>
  47 *    Kevin Gao             <kevin.gao@intel.com>
  48 *
  49 * Any bugs reported given to us we will try to fix... any fixes shared will
  50 * be incorporated into the next SCTP release.
  51 */
  52
  53#include <linux/types.h>
  54#include <linux/kernel.h>
  55#include <linux/ip.h>
  56#include <linux/ipv6.h>
  57#include <linux/net.h>
  58#include <linux/inet.h>
  59#include <linux/slab.h>
  60#include <net/sock.h>
  61#include <net/inet_ecn.h>
  62#include <linux/skbuff.h>
  63#include <net/sctp/sctp.h>
  64#include <net/sctp/sm.h>
  65#include <net/sctp/structs.h>
  66
  67static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
  68                                  const struct sctp_association *asoc,
  69                                  struct sctp_chunk *chunk,
  70                                  const void *payload,
  71                                  size_t paylen);
  72static int sctp_eat_data(const struct sctp_association *asoc,
  73                         struct sctp_chunk *chunk,
  74                         sctp_cmd_seq_t *commands);
  75static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
  76                                             const struct sctp_chunk *chunk);
  77static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
  78                                       const struct sctp_association *asoc,
  79                                       const struct sctp_chunk *chunk,
  80                                       sctp_cmd_seq_t *commands,
  81                                       struct sctp_chunk *err_chunk);
  82static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
  83                                                 const struct sctp_association *asoc,
  84                                                 const sctp_subtype_t type,
  85                                                 void *arg,
  86                                                 sctp_cmd_seq_t *commands);
  87static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
  88                                             const struct sctp_association *asoc,
  89                                             const sctp_subtype_t type,
  90                                             void *arg,
  91                                             sctp_cmd_seq_t *commands);
  92static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
  93                                        const struct sctp_association *asoc,
  94                                        const sctp_subtype_t type,
  95                                        void *arg,
  96                                        sctp_cmd_seq_t *commands);
  97static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
  98
  99static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
 100                                           __be16 error, int sk_err,
 101                                           const struct sctp_association *asoc,
 102                                           struct sctp_transport *transport);
 103
 104static sctp_disposition_t sctp_sf_abort_violation(
 105                                     const struct sctp_endpoint *ep,
 106                                     const struct sctp_association *asoc,
 107                                     void *arg,
 108                                     sctp_cmd_seq_t *commands,
 109                                     const __u8 *payload,
 110                                     const size_t paylen);
 111
 112static sctp_disposition_t sctp_sf_violation_chunklen(
 113                                     const struct sctp_endpoint *ep,
 114                                     const struct sctp_association *asoc,
 115                                     const sctp_subtype_t type,
 116                                     void *arg,
 117                                     sctp_cmd_seq_t *commands);
 118
 119static sctp_disposition_t sctp_sf_violation_paramlen(
 120                                     const struct sctp_endpoint *ep,
 121                                     const struct sctp_association *asoc,
 122                                     const sctp_subtype_t type,
 123                                     void *arg, void *ext,
 124                                     sctp_cmd_seq_t *commands);
 125
 126static sctp_disposition_t sctp_sf_violation_ctsn(
 127                                     const struct sctp_endpoint *ep,
 128                                     const struct sctp_association *asoc,
 129                                     const sctp_subtype_t type,
 130                                     void *arg,
 131                                     sctp_cmd_seq_t *commands);
 132
 133static sctp_disposition_t sctp_sf_violation_chunk(
 134                                     const struct sctp_endpoint *ep,
 135                                     const struct sctp_association *asoc,
 136                                     const sctp_subtype_t type,
 137                                     void *arg,
 138                                     sctp_cmd_seq_t *commands);
 139
 140static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
 141                                    const struct sctp_association *asoc,
 142                                    const sctp_subtype_t type,
 143                                    struct sctp_chunk *chunk);
 144
 145static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
 146                                        const struct sctp_association *asoc,
 147                                        const sctp_subtype_t type,
 148                                        void *arg,
 149                                        sctp_cmd_seq_t *commands);
 150
 151/* Small helper function that checks if the chunk length
 152 * is of the appropriate length.  The 'required_length' argument
 153 * is set to be the size of a specific chunk we are testing.
 154 * Return Values:  1 = Valid length
 155 *                 0 = Invalid length
 156 *
 157 */
 158static inline int
 159sctp_chunk_length_valid(struct sctp_chunk *chunk,
 160                           __u16 required_length)
 161{
 162        __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
 163
 164        if (unlikely(chunk_length < required_length))
 165                return 0;
 166
 167        return 1;
 168}
 169
 170/**********************************************************
 171 * These are the state functions for handling chunk events.
 172 **********************************************************/
 173
 174/*
 175 * Process the final SHUTDOWN COMPLETE.
 176 *
 177 * Section: 4 (C) (diagram), 9.2
 178 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
 179 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
 180 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
 181 * should stop the T2-shutdown timer and remove all knowledge of the
 182 * association (and thus the association enters the CLOSED state).
 183 *
 184 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
 185 * C) Rules for packet carrying SHUTDOWN COMPLETE:
 186 * ...
 187 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
 188 *   if the Verification Tag field of the packet matches its own tag and
 189 *   the T bit is not set
 190 *   OR
 191 *   it is set to its peer's tag and the T bit is set in the Chunk
 192 *   Flags.
 193 *   Otherwise, the receiver MUST silently discard the packet
 194 *   and take no further action.  An endpoint MUST ignore the
 195 *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
 196 *
 197 * Inputs
 198 * (endpoint, asoc, chunk)
 199 *
 200 * Outputs
 201 * (asoc, reply_msg, msg_up, timers, counters)
 202 *
 203 * The return value is the disposition of the chunk.
 204 */
 205sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,
 206                                  const struct sctp_association *asoc,
 207                                  const sctp_subtype_t type,
 208                                  void *arg,
 209                                  sctp_cmd_seq_t *commands)
 210{
 211        struct sctp_chunk *chunk = arg;
 212        struct sctp_ulpevent *ev;
 213
 214        if (!sctp_vtag_verify_either(chunk, asoc))
 215                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 216
 217        /* RFC 2960 6.10 Bundling
 218         *
 219         * An endpoint MUST NOT bundle INIT, INIT ACK or
 220         * SHUTDOWN COMPLETE with any other chunks.
 221         */
 222        if (!chunk->singleton)
 223                return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
 224
 225        /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
 226        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 227                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
 228                                                  commands);
 229
 230        /* RFC 2960 10.2 SCTP-to-ULP
 231         *
 232         * H) SHUTDOWN COMPLETE notification
 233         *
 234         * When SCTP completes the shutdown procedures (section 9.2) this
 235         * notification is passed to the upper layer.
 236         */
 237        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
 238                                             0, 0, 0, NULL, GFP_ATOMIC);
 239        if (ev)
 240                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 241                                SCTP_ULPEVENT(ev));
 242
 243        /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
 244         * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
 245         * not the chunk should be discarded. If the endpoint is in
 246         * the SHUTDOWN-ACK-SENT state the endpoint should stop the
 247         * T2-shutdown timer and remove all knowledge of the
 248         * association (and thus the association enters the CLOSED
 249         * state).
 250         */
 251        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 252                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
 253
 254        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 255                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
 256
 257        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 258                        SCTP_STATE(SCTP_STATE_CLOSED));
 259
 260        SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
 261        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
 262
 263        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 264
 265        return SCTP_DISPOSITION_DELETE_TCB;
 266}
 267
 268/*
 269 * Respond to a normal INIT chunk.
 270 * We are the side that is being asked for an association.
 271 *
 272 * Section: 5.1 Normal Establishment of an Association, B
 273 * B) "Z" shall respond immediately with an INIT ACK chunk.  The
 274 *    destination IP address of the INIT ACK MUST be set to the source
 275 *    IP address of the INIT to which this INIT ACK is responding.  In
 276 *    the response, besides filling in other parameters, "Z" must set the
 277 *    Verification Tag field to Tag_A, and also provide its own
 278 *    Verification Tag (Tag_Z) in the Initiate Tag field.
 279 *
 280 * Verification Tag: Must be 0.
 281 *
 282 * Inputs
 283 * (endpoint, asoc, chunk)
 284 *
 285 * Outputs
 286 * (asoc, reply_msg, msg_up, timers, counters)
 287 *
 288 * The return value is the disposition of the chunk.
 289 */
 290sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
 291                                        const struct sctp_association *asoc,
 292                                        const sctp_subtype_t type,
 293                                        void *arg,
 294                                        sctp_cmd_seq_t *commands)
 295{
 296        struct sctp_chunk *chunk = arg;
 297        struct sctp_chunk *repl;
 298        struct sctp_association *new_asoc;
 299        struct sctp_chunk *err_chunk;
 300        struct sctp_packet *packet;
 301        sctp_unrecognized_param_t *unk_param;
 302        int len;
 303
 304        /* 6.10 Bundling
 305         * An endpoint MUST NOT bundle INIT, INIT ACK or
 306         * SHUTDOWN COMPLETE with any other chunks.
 307         *
 308         * IG Section 2.11.2
 309         * Furthermore, we require that the receiver of an INIT chunk MUST
 310         * enforce these rules by silently discarding an arriving packet
 311         * with an INIT chunk that is bundled with other chunks.
 312         */
 313        if (!chunk->singleton)
 314                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 315
 316        /* If the packet is an OOTB packet which is temporarily on the
 317         * control endpoint, respond with an ABORT.
 318         */
 319        if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
 320                SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
 321                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 322        }
 323
 324        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
 325         * Tag.
 326         */
 327        if (chunk->sctp_hdr->vtag != 0)
 328                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 329
 330        /* Make sure that the INIT chunk has a valid length.
 331         * Normally, this would cause an ABORT with a Protocol Violation
 332         * error, but since we don't have an association, we'll
 333         * just discard the packet.
 334         */
 335        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
 336                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 337
 338        /* If the INIT is coming toward a closing socket, we'll send back
 339         * and ABORT.  Essentially, this catches the race of INIT being
 340         * backloged to the socket at the same time as the user isses close().
 341         * Since the socket and all its associations are going away, we
 342         * can treat this OOTB
 343         */
 344        if (sctp_sstate(ep->base.sk, CLOSING))
 345                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 346
 347        /* Verify the INIT chunk before processing it. */
 348        err_chunk = NULL;
 349        if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
 350                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
 351                              &err_chunk)) {
 352                /* This chunk contains fatal error. It is to be discarded.
 353                 * Send an ABORT, with causes if there is any.
 354                 */
 355                if (err_chunk) {
 356                        packet = sctp_abort_pkt_new(ep, asoc, arg,
 357                                        (__u8 *)(err_chunk->chunk_hdr) +
 358                                        sizeof(sctp_chunkhdr_t),
 359                                        ntohs(err_chunk->chunk_hdr->length) -
 360                                        sizeof(sctp_chunkhdr_t));
 361
 362                        sctp_chunk_free(err_chunk);
 363
 364                        if (packet) {
 365                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 366                                                SCTP_PACKET(packet));
 367                                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
 368                                return SCTP_DISPOSITION_CONSUME;
 369                        } else {
 370                                return SCTP_DISPOSITION_NOMEM;
 371                        }
 372                } else {
 373                        return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
 374                                                    commands);
 375                }
 376        }
 377
 378        /* Grab the INIT header.  */
 379        chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
 380
 381        /* Tag the variable length parameters.  */
 382        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
 383
 384        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
 385        if (!new_asoc)
 386                goto nomem;
 387
 388        if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
 389                                             sctp_scope(sctp_source(chunk)),
 390                                             GFP_ATOMIC) < 0)
 391                goto nomem_init;
 392
 393        /* The call, sctp_process_init(), can fail on memory allocation.  */
 394        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
 395                               sctp_source(chunk),
 396                               (sctp_init_chunk_t *)chunk->chunk_hdr,
 397                               GFP_ATOMIC))
 398                goto nomem_init;
 399
 400        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
 401
 402        /* If there are errors need to be reported for unknown parameters,
 403         * make sure to reserve enough room in the INIT ACK for them.
 404         */
 405        len = 0;
 406        if (err_chunk)
 407                len = ntohs(err_chunk->chunk_hdr->length) -
 408                        sizeof(sctp_chunkhdr_t);
 409
 410        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
 411        if (!repl)
 412                goto nomem_init;
 413
 414        /* If there are errors need to be reported for unknown parameters,
 415         * include them in the outgoing INIT ACK as "Unrecognized parameter"
 416         * parameter.
 417         */
 418        if (err_chunk) {
 419                /* Get the "Unrecognized parameter" parameter(s) out of the
 420                 * ERROR chunk generated by sctp_verify_init(). Since the
 421                 * error cause code for "unknown parameter" and the
 422                 * "Unrecognized parameter" type is the same, we can
 423                 * construct the parameters in INIT ACK by copying the
 424                 * ERROR causes over.
 425                 */
 426                unk_param = (sctp_unrecognized_param_t *)
 427                            ((__u8 *)(err_chunk->chunk_hdr) +
 428                            sizeof(sctp_chunkhdr_t));
 429                /* Replace the cause code with the "Unrecognized parameter"
 430                 * parameter type.
 431                 */
 432                sctp_addto_chunk(repl, len, unk_param);
 433                sctp_chunk_free(err_chunk);
 434        }
 435
 436        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 437
 438        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 439
 440        /*
 441         * Note:  After sending out INIT ACK with the State Cookie parameter,
 442         * "Z" MUST NOT allocate any resources, nor keep any states for the
 443         * new association.  Otherwise, "Z" will be vulnerable to resource
 444         * attacks.
 445         */
 446        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 447
 448        return SCTP_DISPOSITION_DELETE_TCB;
 449
 450nomem_init:
 451        sctp_association_free(new_asoc);
 452nomem:
 453        if (err_chunk)
 454                sctp_chunk_free(err_chunk);
 455        return SCTP_DISPOSITION_NOMEM;
 456}
 457
 458/*
 459 * Respond to a normal INIT ACK chunk.
 460 * We are the side that is initiating the association.
 461 *
 462 * Section: 5.1 Normal Establishment of an Association, C
 463 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
 464 *    timer and leave COOKIE-WAIT state. "A" shall then send the State
 465 *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
 466 *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
 467 *
 468 *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
 469 *    DATA chunks, but it MUST be the first chunk in the packet and
 470 *    until the COOKIE ACK is returned the sender MUST NOT send any
 471 *    other packets to the peer.
 472 *
 473 * Verification Tag: 3.3.3
 474 *   If the value of the Initiate Tag in a received INIT ACK chunk is
 475 *   found to be 0, the receiver MUST treat it as an error and close the
 476 *   association by transmitting an ABORT.
 477 *
 478 * Inputs
 479 * (endpoint, asoc, chunk)
 480 *
 481 * Outputs
 482 * (asoc, reply_msg, msg_up, timers, counters)
 483 *
 484 * The return value is the disposition of the chunk.
 485 */
 486sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
 487                                       const struct sctp_association *asoc,
 488                                       const sctp_subtype_t type,
 489                                       void *arg,
 490                                       sctp_cmd_seq_t *commands)
 491{
 492        struct sctp_chunk *chunk = arg;
 493        sctp_init_chunk_t *initchunk;
 494        struct sctp_chunk *err_chunk;
 495        struct sctp_packet *packet;
 496
 497        if (!sctp_vtag_verify(chunk, asoc))
 498                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 499
 500        /* 6.10 Bundling
 501         * An endpoint MUST NOT bundle INIT, INIT ACK or
 502         * SHUTDOWN COMPLETE with any other chunks.
 503         */
 504        if (!chunk->singleton)
 505                return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
 506
 507        /* Make sure that the INIT-ACK chunk has a valid length */
 508        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
 509                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
 510                                                  commands);
 511        /* Grab the INIT header.  */
 512        chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
 513
 514        /* Verify the INIT chunk before processing it. */
 515        err_chunk = NULL;
 516        if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
 517                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
 518                              &err_chunk)) {
 519
 520                sctp_error_t error = SCTP_ERROR_NO_RESOURCE;
 521
 522                /* This chunk contains fatal error. It is to be discarded.
 523                 * Send an ABORT, with causes.  If there are no causes,
 524                 * then there wasn't enough memory.  Just terminate
 525                 * the association.
 526                 */
 527                if (err_chunk) {
 528                        packet = sctp_abort_pkt_new(ep, asoc, arg,
 529                                        (__u8 *)(err_chunk->chunk_hdr) +
 530                                        sizeof(sctp_chunkhdr_t),
 531                                        ntohs(err_chunk->chunk_hdr->length) -
 532                                        sizeof(sctp_chunkhdr_t));
 533
 534                        sctp_chunk_free(err_chunk);
 535
 536                        if (packet) {
 537                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 538                                                SCTP_PACKET(packet));
 539                                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
 540                                error = SCTP_ERROR_INV_PARAM;
 541                        }
 542                }
 543
 544                /* SCTP-AUTH, Section 6.3:
 545                 *    It should be noted that if the receiver wants to tear
 546                 *    down an association in an authenticated way only, the
 547                 *    handling of malformed packets should not result in
 548                 *    tearing down the association.
 549                 *
 550                 * This means that if we only want to abort associations
 551                 * in an authenticated way (i.e AUTH+ABORT), then we
 552                 * can't destroy this association just becuase the packet
 553                 * was malformed.
 554                 */
 555                if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
 556                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 557
 558                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
 559                return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED,
 560                                                asoc, chunk->transport);
 561        }
 562
 563        /* Tag the variable length parameters.  Note that we never
 564         * convert the parameters in an INIT chunk.
 565         */
 566        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
 567
 568        initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
 569
 570        sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
 571                        SCTP_PEER_INIT(initchunk));
 572
 573        /* Reset init error count upon receipt of INIT-ACK.  */
 574        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 575
 576        /* 5.1 C) "A" shall stop the T1-init timer and leave
 577         * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
 578         * timer, and enter the COOKIE-ECHOED state.
 579         */
 580        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 581                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
 582        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 583                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 584        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 585                        SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
 586
 587        /* SCTP-AUTH: genereate the assocition shared keys so that
 588         * we can potentially signe the COOKIE-ECHO.
 589         */
 590        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
 591
 592        /* 5.1 C) "A" shall then send the State Cookie received in the
 593         * INIT ACK chunk in a COOKIE ECHO chunk, ...
 594         */
 595        /* If there is any errors to report, send the ERROR chunk generated
 596         * for unknown parameters as well.
 597         */
 598        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
 599                        SCTP_CHUNK(err_chunk));
 600
 601        return SCTP_DISPOSITION_CONSUME;
 602}
 603
 604/*
 605 * Respond to a normal COOKIE ECHO chunk.
 606 * We are the side that is being asked for an association.
 607 *
 608 * Section: 5.1 Normal Establishment of an Association, D
 609 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
 610 *    with a COOKIE ACK chunk after building a TCB and moving to
 611 *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
 612 *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
 613 *    chunk MUST be the first chunk in the packet.
 614 *
 615 *   IMPLEMENTATION NOTE: An implementation may choose to send the
 616 *   Communication Up notification to the SCTP user upon reception
 617 *   of a valid COOKIE ECHO chunk.
 618 *
 619 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
 620 * D) Rules for packet carrying a COOKIE ECHO
 621 *
 622 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
 623 *   Initial Tag received in the INIT ACK.
 624 *
 625 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
 626 *
 627 * Inputs
 628 * (endpoint, asoc, chunk)
 629 *
 630 * Outputs
 631 * (asoc, reply_msg, msg_up, timers, counters)
 632 *
 633 * The return value is the disposition of the chunk.
 634 */
 635sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
 636                                      const struct sctp_association *asoc,
 637                                      const sctp_subtype_t type, void *arg,
 638                                      sctp_cmd_seq_t *commands)
 639{
 640        struct sctp_chunk *chunk = arg;
 641        struct sctp_association *new_asoc;
 642        sctp_init_chunk_t *peer_init;
 643        struct sctp_chunk *repl;
 644        struct sctp_ulpevent *ev, *ai_ev = NULL;
 645        int error = 0;
 646        struct sctp_chunk *err_chk_p;
 647        struct sock *sk;
 648
 649        /* If the packet is an OOTB packet which is temporarily on the
 650         * control endpoint, respond with an ABORT.
 651         */
 652        if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
 653                SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
 654                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 655        }
 656
 657        /* Make sure that the COOKIE_ECHO chunk has a valid length.
 658         * In this case, we check that we have enough for at least a
 659         * chunk header.  More detailed verification is done
 660         * in sctp_unpack_cookie().
 661         */
 662        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 663                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 664
 665        /* If the endpoint is not listening or if the number of associations
 666         * on the TCP-style socket exceed the max backlog, respond with an
 667         * ABORT.
 668         */
 669        sk = ep->base.sk;
 670        if (!sctp_sstate(sk, LISTENING) ||
 671            (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
 672                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 673
 674        /* "Decode" the chunk.  We have no optional parameters so we
 675         * are in good shape.
 676         */
 677        chunk->subh.cookie_hdr =
 678                (struct sctp_signed_cookie *)chunk->skb->data;
 679        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
 680                                         sizeof(sctp_chunkhdr_t)))
 681                goto nomem;
 682
 683        /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
 684         * "Z" will reply with a COOKIE ACK chunk after building a TCB
 685         * and moving to the ESTABLISHED state.
 686         */
 687        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
 688                                      &err_chk_p);
 689
 690        /* FIXME:
 691         * If the re-build failed, what is the proper error path
 692         * from here?
 693         *
 694         * [We should abort the association. --piggy]
 695         */
 696        if (!new_asoc) {
 697                /* FIXME: Several errors are possible.  A bad cookie should
 698                 * be silently discarded, but think about logging it too.
 699                 */
 700                switch (error) {
 701                case -SCTP_IERROR_NOMEM:
 702                        goto nomem;
 703
 704                case -SCTP_IERROR_STALE_COOKIE:
 705                        sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
 706                                                   err_chk_p);
 707                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 708
 709                case -SCTP_IERROR_BAD_SIG:
 710                default:
 711                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 712                }
 713        }
 714
 715
 716        /* Delay state machine commands until later.
 717         *
 718         * Re-build the bind address for the association is done in
 719         * the sctp_unpack_cookie() already.
 720         */
 721        /* This is a brand-new association, so these are not yet side
 722         * effects--it is safe to run them here.
 723         */
 724        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
 725
 726        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
 727                               &chunk->subh.cookie_hdr->c.peer_addr,
 728                               peer_init, GFP_ATOMIC))
 729                goto nomem_init;
 730
 731        /* SCTP-AUTH:  Now that we've populate required fields in
 732         * sctp_process_init, set up the assocaition shared keys as
 733         * necessary so that we can potentially authenticate the ACK
 734         */
 735        error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
 736        if (error)
 737                goto nomem_init;
 738
 739        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
 740         * is supposed to be authenticated and we have to do delayed
 741         * authentication.  We've just recreated the association using
 742         * the information in the cookie and now it's much easier to
 743         * do the authentication.
 744         */
 745        if (chunk->auth_chunk) {
 746                struct sctp_chunk auth;
 747                sctp_ierror_t ret;
 748
 749                /* set-up our fake chunk so that we can process it */
 750                auth.skb = chunk->auth_chunk;
 751                auth.asoc = chunk->asoc;
 752                auth.sctp_hdr = chunk->sctp_hdr;
 753                auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
 754                                            sizeof(sctp_chunkhdr_t));
 755                skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
 756                auth.transport = chunk->transport;
 757
 758                ret = sctp_sf_authenticate(ep, new_asoc, type, &auth);
 759
 760                /* We can now safely free the auth_chunk clone */
 761                kfree_skb(chunk->auth_chunk);
 762
 763                if (ret != SCTP_IERROR_NO_ERROR) {
 764                        sctp_association_free(new_asoc);
 765                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 766                }
 767        }
 768
 769        repl = sctp_make_cookie_ack(new_asoc, chunk);
 770        if (!repl)
 771                goto nomem_init;
 772
 773        /* RFC 2960 5.1 Normal Establishment of an Association
 774         *
 775         * D) IMPLEMENTATION NOTE: An implementation may choose to
 776         * send the Communication Up notification to the SCTP user
 777         * upon reception of a valid COOKIE ECHO chunk.
 778         */
 779        ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
 780                                             new_asoc->c.sinit_num_ostreams,
 781                                             new_asoc->c.sinit_max_instreams,
 782                                             NULL, GFP_ATOMIC);
 783        if (!ev)
 784                goto nomem_ev;
 785
 786        /* Sockets API Draft Section 5.3.1.6
 787         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 788         * delivers this notification to inform the application that of the
 789         * peers requested adaptation layer.
 790         */
 791        if (new_asoc->peer.adaptation_ind) {
 792                ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
 793                                                            GFP_ATOMIC);
 794                if (!ai_ev)
 795                        goto nomem_aiev;
 796        }
 797
 798        /* Add all the state machine commands now since we've created
 799         * everything.  This way we don't introduce memory corruptions
 800         * during side-effect processing and correclty count established
 801         * associations.
 802         */
 803        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 804        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 805                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 806        SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
 807        SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS);
 808        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 809
 810        if (new_asoc->autoclose)
 811                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 812                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 813
 814        /* This will send the COOKIE ACK */
 815        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 816
 817        /* Queue the ASSOC_CHANGE event */
 818        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 819
 820        /* Send up the Adaptation Layer Indication event */
 821        if (ai_ev)
 822                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 823                                SCTP_ULPEVENT(ai_ev));
 824
 825        return SCTP_DISPOSITION_CONSUME;
 826
 827nomem_aiev:
 828        sctp_ulpevent_free(ev);
 829nomem_ev:
 830        sctp_chunk_free(repl);
 831nomem_init:
 832        sctp_association_free(new_asoc);
 833nomem:
 834        return SCTP_DISPOSITION_NOMEM;
 835}
 836
 837/*
 838 * Respond to a normal COOKIE ACK chunk.
 839 * We are the side that is being asked for an association.
 840 *
 841 * RFC 2960 5.1 Normal Establishment of an Association
 842 *
 843 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
 844 *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
 845 *    timer. It may also notify its ULP about the successful
 846 *    establishment of the association with a Communication Up
 847 *    notification (see Section 10).
 848 *
 849 * Verification Tag:
 850 * Inputs
 851 * (endpoint, asoc, chunk)
 852 *
 853 * Outputs
 854 * (asoc, reply_msg, msg_up, timers, counters)
 855 *
 856 * The return value is the disposition of the chunk.
 857 */
 858sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,
 859                                      const struct sctp_association *asoc,
 860                                      const sctp_subtype_t type, void *arg,
 861                                      sctp_cmd_seq_t *commands)
 862{
 863        struct sctp_chunk *chunk = arg;
 864        struct sctp_ulpevent *ev;
 865
 866        if (!sctp_vtag_verify(chunk, asoc))
 867                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 868
 869        /* Verify that the chunk length for the COOKIE-ACK is OK.
 870         * If we don't do this, any bundled chunks may be junked.
 871         */
 872        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
 873                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
 874                                                  commands);
 875
 876        /* Reset init error count upon receipt of COOKIE-ACK,
 877         * to avoid problems with the managemement of this
 878         * counter in stale cookie situations when a transition back
 879         * from the COOKIE-ECHOED state to the COOKIE-WAIT
 880         * state is performed.
 881         */
 882        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 883
 884        /* RFC 2960 5.1 Normal Establishment of an Association
 885         *
 886         * E) Upon reception of the COOKIE ACK, endpoint "A" will move
 887         * from the COOKIE-ECHOED state to the ESTABLISHED state,
 888         * stopping the T1-cookie timer.
 889         */
 890        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 891                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 892        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 893                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 894        SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
 895        SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS);
 896        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 897        if (asoc->autoclose)
 898                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 899                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 900
 901        /* It may also notify its ULP about the successful
 902         * establishment of the association with a Communication Up
 903         * notification (see Section 10).
 904         */
 905        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
 906                                             0, asoc->c.sinit_num_ostreams,
 907                                             asoc->c.sinit_max_instreams,
 908                                             NULL, GFP_ATOMIC);
 909
 910        if (!ev)
 911                goto nomem;
 912
 913        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 914
 915        /* Sockets API Draft Section 5.3.1.6
 916         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 917         * delivers this notification to inform the application that of the
 918         * peers requested adaptation layer.
 919         */
 920        if (asoc->peer.adaptation_ind) {
 921                ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
 922                if (!ev)
 923                        goto nomem;
 924
 925                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 926                                SCTP_ULPEVENT(ev));
 927        }
 928
 929        return SCTP_DISPOSITION_CONSUME;
 930nomem:
 931        return SCTP_DISPOSITION_NOMEM;
 932}
 933
 934/* Generate and sendout a heartbeat packet.  */
 935static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
 936                                            const struct sctp_association *asoc,
 937                                            const sctp_subtype_t type,
 938                                            void *arg,
 939                                            sctp_cmd_seq_t *commands)
 940{
 941        struct sctp_transport *transport = (struct sctp_transport *) arg;
 942        struct sctp_chunk *reply;
 943        sctp_sender_hb_info_t hbinfo;
 944        size_t paylen = 0;
 945
 946        hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
 947        hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
 948        hbinfo.daddr = transport->ipaddr;
 949        hbinfo.sent_at = jiffies;
 950        hbinfo.hb_nonce = transport->hb_nonce;
 951
 952        /* Send a heartbeat to our peer.  */
 953        paylen = sizeof(sctp_sender_hb_info_t);
 954        reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen);
 955        if (!reply)
 956                return SCTP_DISPOSITION_NOMEM;
 957
 958        /* Set rto_pending indicating that an RTT measurement
 959         * is started with this heartbeat chunk.
 960         */
 961        sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
 962                        SCTP_TRANSPORT(transport));
 963
 964        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
 965        return SCTP_DISPOSITION_CONSUME;
 966}
 967
 968/* Generate a HEARTBEAT packet on the given transport.  */
 969sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep,
 970                                        const struct sctp_association *asoc,
 971                                        const sctp_subtype_t type,
 972                                        void *arg,
 973                                        sctp_cmd_seq_t *commands)
 974{
 975        struct sctp_transport *transport = (struct sctp_transport *) arg;
 976
 977        if (asoc->overall_error_count >= asoc->max_retrans) {
 978                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
 979                                SCTP_ERROR(ETIMEDOUT));
 980                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
 981                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
 982                                SCTP_PERR(SCTP_ERROR_NO_ERROR));
 983                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
 984                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
 985                return SCTP_DISPOSITION_DELETE_TCB;
 986        }
 987
 988        /* Section 3.3.5.
 989         * The Sender-specific Heartbeat Info field should normally include
 990         * information about the sender's current time when this HEARTBEAT
 991         * chunk is sent and the destination transport address to which this
 992         * HEARTBEAT is sent (see Section 8.3).
 993         */
 994
 995        if (transport->param_flags & SPP_HB_ENABLE) {
 996                if (SCTP_DISPOSITION_NOMEM ==
 997                                sctp_sf_heartbeat(ep, asoc, type, arg,
 998                                                  commands))
 999                        return SCTP_DISPOSITION_NOMEM;
1000
1001                /* Set transport error counter and association error counter
1002                 * when sending heartbeat.
1003                 */
1004                sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1005                                SCTP_TRANSPORT(transport));
1006        }
1007        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1008                        SCTP_TRANSPORT(transport));
1009        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1010                        SCTP_TRANSPORT(transport));
1011
1012        return SCTP_DISPOSITION_CONSUME;
1013}
1014
1015/*
1016 * Process an heartbeat request.
1017 *
1018 * Section: 8.3 Path Heartbeat
1019 * The receiver of the HEARTBEAT should immediately respond with a
1020 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1021 * from the received HEARTBEAT chunk.
1022 *
1023 * Verification Tag:  8.5 Verification Tag [Normal verification]
1024 * When receiving an SCTP packet, the endpoint MUST ensure that the
1025 * value in the Verification Tag field of the received SCTP packet
1026 * matches its own Tag. If the received Verification Tag value does not
1027 * match the receiver's own tag value, the receiver shall silently
1028 * discard the packet and shall not process it any further except for
1029 * those cases listed in Section 8.5.1 below.
1030 *
1031 * Inputs
1032 * (endpoint, asoc, chunk)
1033 *
1034 * Outputs
1035 * (asoc, reply_msg, msg_up, timers, counters)
1036 *
1037 * The return value is the disposition of the chunk.
1038 */
1039sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
1040                                    const struct sctp_association *asoc,
1041                                    const sctp_subtype_t type,
1042                                    void *arg,
1043                                    sctp_cmd_seq_t *commands)
1044{
1045        struct sctp_chunk *chunk = arg;
1046        struct sctp_chunk *reply;
1047        size_t paylen = 0;
1048
1049        if (!sctp_vtag_verify(chunk, asoc))
1050                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1051
1052        /* Make sure that the HEARTBEAT chunk has a valid length. */
1053        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1054                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1055                                                  commands);
1056
1057        /* 8.3 The receiver of the HEARTBEAT should immediately
1058         * respond with a HEARTBEAT ACK that contains the Heartbeat
1059         * Information field copied from the received HEARTBEAT chunk.
1060         */
1061        chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
1062        paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
1063        if (!pskb_pull(chunk->skb, paylen))
1064                goto nomem;
1065
1066        reply = sctp_make_heartbeat_ack(asoc, chunk,
1067                                        chunk->subh.hb_hdr, paylen);
1068        if (!reply)
1069                goto nomem;
1070
1071        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1072        return SCTP_DISPOSITION_CONSUME;
1073
1074nomem:
1075        return SCTP_DISPOSITION_NOMEM;
1076}
1077
1078/*
1079 * Process the returning HEARTBEAT ACK.
1080 *
1081 * Section: 8.3 Path Heartbeat
1082 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1083 * should clear the error counter of the destination transport
1084 * address to which the HEARTBEAT was sent, and mark the destination
1085 * transport address as active if it is not so marked. The endpoint may
1086 * optionally report to the upper layer when an inactive destination
1087 * address is marked as active due to the reception of the latest
1088 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1089 * clear the association overall error count as well (as defined
1090 * in section 8.1).
1091 *
1092 * The receiver of the HEARTBEAT ACK should also perform an RTT
1093 * measurement for that destination transport address using the time
1094 * value carried in the HEARTBEAT ACK chunk.
1095 *
1096 * Verification Tag:  8.5 Verification Tag [Normal verification]
1097 *
1098 * Inputs
1099 * (endpoint, asoc, chunk)
1100 *
1101 * Outputs
1102 * (asoc, reply_msg, msg_up, timers, counters)
1103 *
1104 * The return value is the disposition of the chunk.
1105 */
1106sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
1107                                        const struct sctp_association *asoc,
1108                                        const sctp_subtype_t type,
1109                                        void *arg,
1110                                        sctp_cmd_seq_t *commands)
1111{
1112        struct sctp_chunk *chunk = arg;
1113        union sctp_addr from_addr;
1114        struct sctp_transport *link;
1115        sctp_sender_hb_info_t *hbinfo;
1116        unsigned long max_interval;
1117
1118        if (!sctp_vtag_verify(chunk, asoc))
1119                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1120
1121        /* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */
1122        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +
1123                                            sizeof(sctp_sender_hb_info_t)))
1124                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1125                                                  commands);
1126
1127        hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1128        /* Make sure that the length of the parameter is what we expect */
1129        if (ntohs(hbinfo->param_hdr.length) !=
1130                                    sizeof(sctp_sender_hb_info_t)) {
1131                return SCTP_DISPOSITION_DISCARD;
1132        }
1133
1134        from_addr = hbinfo->daddr;
1135        link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1136
1137        /* This should never happen, but lets log it if so.  */
1138        if (unlikely(!link)) {
1139                if (from_addr.sa.sa_family == AF_INET6) {
1140                        if (net_ratelimit())
1141                                printk(KERN_WARNING
1142                                    "%s association %p could not find address %pI6\n",
1143                                    __func__,
1144                                    asoc,
1145                                    &from_addr.v6.sin6_addr);
1146                } else {
1147                        if (net_ratelimit())
1148                                printk(KERN_WARNING
1149                                    "%s association %p could not find address %pI4\n",
1150                                    __func__,
1151                                    asoc,
1152                                    &from_addr.v4.sin_addr.s_addr);
1153                }
1154                return SCTP_DISPOSITION_DISCARD;
1155        }
1156
1157        /* Validate the 64-bit random nonce. */
1158        if (hbinfo->hb_nonce != link->hb_nonce)
1159                return SCTP_DISPOSITION_DISCARD;
1160
1161        max_interval = link->hbinterval + link->rto;
1162
1163        /* Check if the timestamp looks valid.  */
1164        if (time_after(hbinfo->sent_at, jiffies) ||
1165            time_after(jiffies, hbinfo->sent_at + max_interval)) {
1166                SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp "
1167                                  "received for transport: %p\n",
1168                                   __func__, link);
1169                return SCTP_DISPOSITION_DISCARD;
1170        }
1171
1172        /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1173         * the HEARTBEAT should clear the error counter of the
1174         * destination transport address to which the HEARTBEAT was
1175         * sent and mark the destination transport address as active if
1176         * it is not so marked.
1177         */
1178        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1179
1180        return SCTP_DISPOSITION_CONSUME;
1181}
1182
1183/* Helper function to send out an abort for the restart
1184 * condition.
1185 */
1186static int sctp_sf_send_restart_abort(union sctp_addr *ssa,
1187                                      struct sctp_chunk *init,
1188                                      sctp_cmd_seq_t *commands)
1189{
1190        int len;
1191        struct sctp_packet *pkt;
1192        union sctp_addr_param *addrparm;
1193        struct sctp_errhdr *errhdr;
1194        struct sctp_endpoint *ep;
1195        char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1196        struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1197
1198        /* Build the error on the stack.   We are way to malloc crazy
1199         * throughout the code today.
1200         */
1201        errhdr = (struct sctp_errhdr *)buffer;
1202        addrparm = (union sctp_addr_param *)errhdr->variable;
1203
1204        /* Copy into a parm format. */
1205        len = af->to_addr_param(ssa, addrparm);
1206        len += sizeof(sctp_errhdr_t);
1207
1208        errhdr->cause = SCTP_ERROR_RESTART;
1209        errhdr->length = htons(len);
1210
1211        /* Assign to the control socket. */
1212        ep = sctp_sk((sctp_get_ctl_sock()))->ep;
1213
1214        /* Association is NULL since this may be a restart attack and we
1215         * want to send back the attacker's vtag.
1216         */
1217        pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len);
1218
1219        if (!pkt)
1220                goto out;
1221        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1222
1223        SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1224
1225        /* Discard the rest of the inbound packet. */
1226        sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1227
1228out:
1229        /* Even if there is no memory, treat as a failure so
1230         * the packet will get dropped.
1231         */
1232        return 0;
1233}
1234
1235/* A restart is occurring, check to make sure no new addresses
1236 * are being added as we may be under a takeover attack.
1237 */
1238static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1239                                       const struct sctp_association *asoc,
1240                                       struct sctp_chunk *init,
1241                                       sctp_cmd_seq_t *commands)
1242{
1243        struct sctp_transport *new_addr, *addr;
1244        int found;
1245
1246        /* Implementor's Guide - Sectin 5.2.2
1247         * ...
1248         * Before responding the endpoint MUST check to see if the
1249         * unexpected INIT adds new addresses to the association. If new
1250         * addresses are added to the association, the endpoint MUST respond
1251         * with an ABORT..
1252         */
1253
1254        /* Search through all current addresses and make sure
1255         * we aren't adding any new ones.
1256         */
1257        new_addr = NULL;
1258        found = 0;
1259
1260        list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1261                        transports) {
1262                found = 0;
1263                list_for_each_entry(addr, &asoc->peer.transport_addr_list,
1264                                transports) {
1265                        if (sctp_cmp_addr_exact(&new_addr->ipaddr,
1266                                                &addr->ipaddr)) {
1267                                found = 1;
1268                                break;
1269                        }
1270                }
1271                if (!found)
1272                        break;
1273        }
1274
1275        /* If a new address was added, ABORT the sender. */
1276        if (!found && new_addr) {
1277                sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands);
1278        }
1279
1280        /* Return success if all addresses were found. */
1281        return found;
1282}
1283
1284/* Populate the verification/tie tags based on overlapping INIT
1285 * scenario.
1286 *
1287 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1288 */
1289static void sctp_tietags_populate(struct sctp_association *new_asoc,
1290                                  const struct sctp_association *asoc)
1291{
1292        switch (asoc->state) {
1293
1294        /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1295
1296        case SCTP_STATE_COOKIE_WAIT:
1297                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1298                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1299                new_asoc->c.peer_ttag   = 0;
1300                break;
1301
1302        case SCTP_STATE_COOKIE_ECHOED:
1303                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1304                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1305                new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
1306                break;
1307
1308        /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1309         * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1310         */
1311        default:
1312                new_asoc->c.my_ttag   = asoc->c.my_vtag;
1313                new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1314                break;
1315        }
1316
1317        /* Other parameters for the endpoint SHOULD be copied from the
1318         * existing parameters of the association (e.g. number of
1319         * outbound streams) into the INIT ACK and cookie.
1320         */
1321        new_asoc->rwnd                  = asoc->rwnd;
1322        new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
1323        new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1324        new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
1325}
1326
1327/*
1328 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1329 * handling action.
1330 *
1331 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1332 *
1333 * Returns value representing action to be taken.   These action values
1334 * correspond to Action/Description values in RFC 2960, Table 2.
1335 */
1336static char sctp_tietags_compare(struct sctp_association *new_asoc,
1337                                 const struct sctp_association *asoc)
1338{
1339        /* In this case, the peer may have restarted.  */
1340        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1341            (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1342            (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1343            (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1344                return 'A';
1345
1346        /* Collision case B. */
1347        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1348            ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1349             (0 == asoc->c.peer_vtag))) {
1350                return 'B';
1351        }
1352
1353        /* Collision case D. */
1354        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1355            (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1356                return 'D';
1357
1358        /* Collision case C. */
1359        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1360            (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1361            (0 == new_asoc->c.my_ttag) &&
1362            (0 == new_asoc->c.peer_ttag))
1363                return 'C';
1364
1365        /* No match to any of the special cases; discard this packet. */
1366        return 'E';
1367}
1368
1369/* Common helper routine for both duplicate and simulataneous INIT
1370 * chunk handling.
1371 */
1372static sctp_disposition_t sctp_sf_do_unexpected_init(
1373        const struct sctp_endpoint *ep,
1374        const struct sctp_association *asoc,
1375        const sctp_subtype_t type,
1376        void *arg, sctp_cmd_seq_t *commands)
1377{
1378        sctp_disposition_t retval;
1379        struct sctp_chunk *chunk = arg;
1380        struct sctp_chunk *repl;
1381        struct sctp_association *new_asoc;
1382        struct sctp_chunk *err_chunk;
1383        struct sctp_packet *packet;
1384        sctp_unrecognized_param_t *unk_param;
1385        int len;
1386
1387        /* 6.10 Bundling
1388         * An endpoint MUST NOT bundle INIT, INIT ACK or
1389         * SHUTDOWN COMPLETE with any other chunks.
1390         *
1391         * IG Section 2.11.2
1392         * Furthermore, we require that the receiver of an INIT chunk MUST
1393         * enforce these rules by silently discarding an arriving packet
1394         * with an INIT chunk that is bundled with other chunks.
1395         */
1396        if (!chunk->singleton)
1397                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1398
1399        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1400         * Tag.
1401         */
1402        if (chunk->sctp_hdr->vtag != 0)
1403                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
1404
1405        /* Make sure that the INIT chunk has a valid length.
1406         * In this case, we generate a protocol violation since we have
1407         * an association established.
1408         */
1409        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1410                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1411                                                  commands);
1412        /* Grab the INIT header.  */
1413        chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1414
1415        /* Tag the variable length parameters.  */
1416        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1417
1418        /* Verify the INIT chunk before processing it. */
1419        err_chunk = NULL;
1420        if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
1421                              (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1422                              &err_chunk)) {
1423                /* This chunk contains fatal error. It is to be discarded.
1424                 * Send an ABORT, with causes if there is any.
1425                 */
1426                if (err_chunk) {
1427                        packet = sctp_abort_pkt_new(ep, asoc, arg,
1428                                        (__u8 *)(err_chunk->chunk_hdr) +
1429                                        sizeof(sctp_chunkhdr_t),
1430                                        ntohs(err_chunk->chunk_hdr->length) -
1431                                        sizeof(sctp_chunkhdr_t));
1432
1433                        if (packet) {
1434                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1435                                                SCTP_PACKET(packet));
1436                                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1437                                retval = SCTP_DISPOSITION_CONSUME;
1438                        } else {
1439                                retval = SCTP_DISPOSITION_NOMEM;
1440                        }
1441                        goto cleanup;
1442                } else {
1443                        return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
1444                                                    commands);
1445                }
1446        }
1447
1448        /*
1449         * Other parameters for the endpoint SHOULD be copied from the
1450         * existing parameters of the association (e.g. number of
1451         * outbound streams) into the INIT ACK and cookie.
1452         * FIXME:  We are copying parameters from the endpoint not the
1453         * association.
1454         */
1455        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1456        if (!new_asoc)
1457                goto nomem;
1458
1459        if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1460                                sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1461                goto nomem;
1462
1463        /* In the outbound INIT ACK the endpoint MUST copy its current
1464         * Verification Tag and Peers Verification tag into a reserved
1465         * place (local tie-tag and per tie-tag) within the state cookie.
1466         */
1467        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1468                               sctp_source(chunk),
1469                               (sctp_init_chunk_t *)chunk->chunk_hdr,
1470                               GFP_ATOMIC))
1471                goto nomem;
1472
1473        /* Make sure no new addresses are being added during the
1474         * restart.   Do not do this check for COOKIE-WAIT state,
1475         * since there are no peer addresses to check against.
1476         * Upon return an ABORT will have been sent if needed.
1477         */
1478        if (!sctp_state(asoc, COOKIE_WAIT)) {
1479                if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1480                                                 commands)) {
1481                        retval = SCTP_DISPOSITION_CONSUME;
1482                        goto nomem_retval;
1483                }
1484        }
1485
1486        sctp_tietags_populate(new_asoc, asoc);
1487
1488        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
1489
1490        /* If there are errors need to be reported for unknown parameters,
1491         * make sure to reserve enough room in the INIT ACK for them.
1492         */
1493        len = 0;
1494        if (err_chunk) {
1495                len = ntohs(err_chunk->chunk_hdr->length) -
1496                        sizeof(sctp_chunkhdr_t);
1497        }
1498
1499        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1500        if (!repl)
1501                goto nomem;
1502
1503        /* If there are errors need to be reported for unknown parameters,
1504         * include them in the outgoing INIT ACK as "Unrecognized parameter"
1505         * parameter.
1506         */
1507        if (err_chunk) {
1508                /* Get the "Unrecognized parameter" parameter(s) out of the
1509                 * ERROR chunk generated by sctp_verify_init(). Since the
1510                 * error cause code for "unknown parameter" and the
1511                 * "Unrecognized parameter" type is the same, we can
1512                 * construct the parameters in INIT ACK by copying the
1513                 * ERROR causes over.
1514                 */
1515                unk_param = (sctp_unrecognized_param_t *)
1516                            ((__u8 *)(err_chunk->chunk_hdr) +
1517                            sizeof(sctp_chunkhdr_t));
1518                /* Replace the cause code with the "Unrecognized parameter"
1519                 * parameter type.
1520                 */
1521                sctp_addto_chunk(repl, len, unk_param);
1522        }
1523
1524        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1525        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1526
1527        /*
1528         * Note: After sending out INIT ACK with the State Cookie parameter,
1529         * "Z" MUST NOT allocate any resources for this new association.
1530         * Otherwise, "Z" will be vulnerable to resource attacks.
1531         */
1532        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1533        retval = SCTP_DISPOSITION_CONSUME;
1534
1535        return retval;
1536
1537nomem:
1538        retval = SCTP_DISPOSITION_NOMEM;
1539nomem_retval:
1540        if (new_asoc)
1541                sctp_association_free(new_asoc);
1542cleanup:
1543        if (err_chunk)
1544                sctp_chunk_free(err_chunk);
1545        return retval;
1546}
1547
1548/*
1549 * Handle simultanous INIT.
1550 * This means we started an INIT and then we got an INIT request from
1551 * our peer.
1552 *
1553 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1554 * This usually indicates an initialization collision, i.e., each
1555 * endpoint is attempting, at about the same time, to establish an
1556 * association with the other endpoint.
1557 *
1558 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1559 * endpoint MUST respond with an INIT ACK using the same parameters it
1560 * sent in its original INIT chunk (including its Verification Tag,
1561 * unchanged). These original parameters are combined with those from the
1562 * newly received INIT chunk. The endpoint shall also generate a State
1563 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1564 * INIT to calculate the State Cookie.
1565 *
1566 * After that, the endpoint MUST NOT change its state, the T1-init
1567 * timer shall be left running and the corresponding TCB MUST NOT be
1568 * destroyed. The normal procedures for handling State Cookies when
1569 * a TCB exists will resolve the duplicate INITs to a single association.
1570 *
1571 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1572 * its Tie-Tags with the Tag information of itself and its peer (see
1573 * section 5.2.2 for a description of the Tie-Tags).
1574 *
1575 * Verification Tag: Not explicit, but an INIT can not have a valid
1576 * verification tag, so we skip the check.
1577 *
1578 * Inputs
1579 * (endpoint, asoc, chunk)
1580 *
1581 * Outputs
1582 * (asoc, reply_msg, msg_up, timers, counters)
1583 *
1584 * The return value is the disposition of the chunk.
1585 */
1586sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep,
1587                                    const struct sctp_association *asoc,
1588                                    const sctp_subtype_t type,
1589                                    void *arg,
1590                                    sctp_cmd_seq_t *commands)
1591{
1592        /* Call helper to do the real work for both simulataneous and
1593         * duplicate INIT chunk handling.
1594         */
1595        return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1596}
1597
1598/*
1599 * Handle duplicated INIT messages.  These are usually delayed
1600 * restransmissions.
1601 *
1602 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1603 * COOKIE-ECHOED and COOKIE-WAIT
1604 *
1605 * Unless otherwise stated, upon reception of an unexpected INIT for
1606 * this association, the endpoint shall generate an INIT ACK with a
1607 * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
1608 * current Verification Tag and peer's Verification Tag into a reserved
1609 * place within the state cookie.  We shall refer to these locations as
1610 * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
1611 * containing this INIT ACK MUST carry a Verification Tag value equal to
1612 * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
1613 * MUST contain a new Initiation Tag (randomly generated see Section
1614 * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
1615 * existing parameters of the association (e.g. number of outbound
1616 * streams) into the INIT ACK and cookie.
1617 *
1618 * After sending out the INIT ACK, the endpoint shall take no further
1619 * actions, i.e., the existing association, including its current state,
1620 * and the corresponding TCB MUST NOT be changed.
1621 *
1622 * Note: Only when a TCB exists and the association is not in a COOKIE-
1623 * WAIT state are the Tie-Tags populated.  For a normal association INIT
1624 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1625 * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
1626 * State Cookie are populated as specified in section 5.2.1.
1627 *
1628 * Verification Tag: Not specified, but an INIT has no way of knowing
1629 * what the verification tag could be, so we ignore it.
1630 *
1631 * Inputs
1632 * (endpoint, asoc, chunk)
1633 *
1634 * Outputs
1635 * (asoc, reply_msg, msg_up, timers, counters)
1636 *
1637 * The return value is the disposition of the chunk.
1638 */
1639sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep,
1640                                        const struct sctp_association *asoc,
1641                                        const sctp_subtype_t type,
1642                                        void *arg,
1643                                        sctp_cmd_seq_t *commands)
1644{
1645        /* Call helper to do the real work for both simulataneous and
1646         * duplicate INIT chunk handling.
1647         */
1648        return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1649}
1650
1651
1652/*
1653 * Unexpected INIT-ACK handler.
1654 *
1655 * Section 5.2.3
1656 * If an INIT ACK received by an endpoint in any state other than the
1657 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1658 * An unexpected INIT ACK usually indicates the processing of an old or
1659 * duplicated INIT chunk.
1660*/
1661sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep,
1662                                            const struct sctp_association *asoc,
1663                                            const sctp_subtype_t type,
1664                                            void *arg, sctp_cmd_seq_t *commands)
1665{
1666        /* Per the above section, we'll discard the chunk if we have an
1667         * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
1668         */
1669        if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
1670                return sctp_sf_ootb(ep, asoc, type, arg, commands);
1671        else
1672                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
1673}
1674
1675/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1676 *
1677 * Section 5.2.4
1678 *  A)  In this case, the peer may have restarted.
1679 */
1680static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
1681                                        const struct sctp_association *asoc,
1682                                        struct sctp_chunk *chunk,
1683                                        sctp_cmd_seq_t *commands,
1684                                        struct sctp_association *new_asoc)
1685{
1686        sctp_init_chunk_t *peer_init;
1687        struct sctp_ulpevent *ev;
1688        struct sctp_chunk *repl;
1689        struct sctp_chunk *err;
1690        sctp_disposition_t disposition;
1691
1692        /* new_asoc is a brand-new association, so these are not yet
1693         * side effects--it is safe to run them here.
1694         */
1695        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1696
1697        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1698                               sctp_source(chunk), peer_init,
1699                               GFP_ATOMIC))
1700                goto nomem;
1701
1702        /* Make sure no new addresses are being added during the
1703         * restart.  Though this is a pretty complicated attack
1704         * since you'd have to get inside the cookie.
1705         */
1706        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1707                return SCTP_DISPOSITION_CONSUME;
1708        }
1709
1710        /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1711         * the peer has restarted (Action A), it MUST NOT setup a new
1712         * association but instead resend the SHUTDOWN ACK and send an ERROR
1713         * chunk with a "Cookie Received while Shutting Down" error cause to
1714         * its peer.
1715        */
1716        if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1717                disposition = sctp_sf_do_9_2_reshutack(ep, asoc,
1718                                SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1719                                chunk, commands);
1720                if (SCTP_DISPOSITION_NOMEM == disposition)
1721                        goto nomem;
1722
1723                err = sctp_make_op_error(asoc, chunk,
1724                                         SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1725                                         NULL, 0, 0);
1726                if (err)
1727                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1728                                        SCTP_CHUNK(err));
1729
1730                return SCTP_DISPOSITION_CONSUME;
1731        }
1732
1733        /* For now, fail any unsent/unacked data.  Consider the optional
1734         * choice of resending of this data.
1735         */
1736        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1737
1738        repl = sctp_make_cookie_ack(new_asoc, chunk);
1739        if (!repl)
1740                goto nomem;
1741
1742        /* Report association restart to upper layer. */
1743        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1744                                             new_asoc->c.sinit_num_ostreams,
1745                                             new_asoc->c.sinit_max_instreams,
1746                                             NULL, GFP_ATOMIC);
1747        if (!ev)
1748                goto nomem_ev;
1749
1750        /* Update the content of current association. */
1751        sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1752        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1753        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1754        return SCTP_DISPOSITION_CONSUME;
1755
1756nomem_ev:
1757        sctp_chunk_free(repl);
1758nomem:
1759        return SCTP_DISPOSITION_NOMEM;
1760}
1761
1762/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1763 *
1764 * Section 5.2.4
1765 *   B) In this case, both sides may be attempting to start an association
1766 *      at about the same time but the peer endpoint started its INIT
1767 *      after responding to the local endpoint's INIT
1768 */
1769/* This case represents an initialization collision.  */
1770static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,
1771                                        const struct sctp_association *asoc,
1772                                        struct sctp_chunk *chunk,
1773                                        sctp_cmd_seq_t *commands,
1774                                        struct sctp_association *new_asoc)
1775{
1776        sctp_init_chunk_t *peer_init;
1777        struct sctp_chunk *repl;
1778
1779        /* new_asoc is a brand-new association, so these are not yet
1780         * side effects--it is safe to run them here.
1781         */
1782        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1783        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1784                               sctp_source(chunk), peer_init,
1785                               GFP_ATOMIC))
1786                goto nomem;
1787
1788        /* Update the content of current association.  */
1789        sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1790        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1791                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
1792        SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1793        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1794
1795        repl = sctp_make_cookie_ack(new_asoc, chunk);
1796        if (!repl)
1797                goto nomem;
1798
1799        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1800
1801        /* RFC 2960 5.1 Normal Establishment of an Association
1802         *
1803         * D) IMPLEMENTATION NOTE: An implementation may choose to
1804         * send the Communication Up notification to the SCTP user
1805         * upon reception of a valid COOKIE ECHO chunk.
1806         *
1807         * Sadly, this needs to be implemented as a side-effect, because
1808         * we are not guaranteed to have set the association id of the real
1809         * association and so these notifications need to be delayed until
1810         * the association id is allocated.
1811         */
1812
1813        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1814
1815        /* Sockets API Draft Section 5.3.1.6
1816         * When a peer sends a Adaptation Layer Indication parameter , SCTP
1817         * delivers this notification to inform the application that of the
1818         * peers requested adaptation layer.
1819         *
1820         * This also needs to be done as a side effect for the same reason as
1821         * above.
1822         */
1823        if (asoc->peer.adaptation_ind)
1824                sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1825
1826        return SCTP_DISPOSITION_CONSUME;
1827
1828nomem:
1829        return SCTP_DISPOSITION_NOMEM;
1830}
1831
1832/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1833 *
1834 * Section 5.2.4
1835 *  C) In this case, the local endpoint's cookie has arrived late.
1836 *     Before it arrived, the local endpoint sent an INIT and received an
1837 *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1838 *     but a new tag of its own.
1839 */
1840/* This case represents an initialization collision.  */
1841static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep,
1842                                        const struct sctp_association *asoc,
1843                                        struct sctp_chunk *chunk,
1844                                        sctp_cmd_seq_t *commands,
1845                                        struct sctp_association *new_asoc)
1846{
1847        /* The cookie should be silently discarded.
1848         * The endpoint SHOULD NOT change states and should leave
1849         * any timers running.
1850         */
1851        return SCTP_DISPOSITION_DISCARD;
1852}
1853
1854/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1855 *
1856 * Section 5.2.4
1857 *
1858 * D) When both local and remote tags match the endpoint should always
1859 *    enter the ESTABLISHED state, if it has not already done so.
1860 */
1861/* This case represents an initialization collision.  */
1862static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep,
1863                                        const struct sctp_association *asoc,
1864                                        struct sctp_chunk *chunk,
1865                                        sctp_cmd_seq_t *commands,
1866                                        struct sctp_association *new_asoc)
1867{
1868        struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1869        struct sctp_chunk *repl;
1870
1871        /* Clarification from Implementor's Guide:
1872         * D) When both local and remote tags match the endpoint should
1873         * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1874         * It should stop any cookie timer that may be running and send
1875         * a COOKIE ACK.
1876         */
1877
1878        /* Don't accidentally move back into established state. */
1879        if (asoc->state < SCTP_STATE_ESTABLISHED) {
1880                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1881                                SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1882                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1883                                SCTP_STATE(SCTP_STATE_ESTABLISHED));
1884                SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1885                sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1886                                SCTP_NULL());
1887
1888                /* RFC 2960 5.1 Normal Establishment of an Association
1889                 *
1890                 * D) IMPLEMENTATION NOTE: An implementation may choose
1891                 * to send the Communication Up notification to the
1892                 * SCTP user upon reception of a valid COOKIE
1893                 * ECHO chunk.
1894                 */
1895                ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1896                                             SCTP_COMM_UP, 0,
1897                                             asoc->c.sinit_num_ostreams,
1898                                             asoc->c.sinit_max_instreams,
1899                                             NULL, GFP_ATOMIC);
1900                if (!ev)
1901                        goto nomem;
1902
1903                /* Sockets API Draft Section 5.3.1.6
1904                 * When a peer sends a Adaptation Layer Indication parameter,
1905                 * SCTP delivers this notification to inform the application
1906                 * that of the peers requested adaptation layer.
1907                 */
1908                if (asoc->peer.adaptation_ind) {
1909                        ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1910                                                                 GFP_ATOMIC);
1911                        if (!ai_ev)
1912                                goto nomem;
1913
1914                }
1915        }
1916
1917        repl = sctp_make_cookie_ack(new_asoc, chunk);
1918        if (!repl)
1919                goto nomem;
1920
1921        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1922
1923        if (ev)
1924                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1925                                SCTP_ULPEVENT(ev));
1926        if (ai_ev)
1927                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1928                                        SCTP_ULPEVENT(ai_ev));
1929
1930        return SCTP_DISPOSITION_CONSUME;
1931
1932nomem:
1933        if (ai_ev)
1934                sctp_ulpevent_free(ai_ev);
1935        if (ev)
1936                sctp_ulpevent_free(ev);
1937        return SCTP_DISPOSITION_NOMEM;
1938}
1939
1940/*
1941 * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
1942 * chunk was retransmitted and then delayed in the network.
1943 *
1944 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1945 *
1946 * Verification Tag: None.  Do cookie validation.
1947 *
1948 * Inputs
1949 * (endpoint, asoc, chunk)
1950 *
1951 * Outputs
1952 * (asoc, reply_msg, msg_up, timers, counters)
1953 *
1954 * The return value is the disposition of the chunk.
1955 */
1956sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
1957                                        const struct sctp_association *asoc,
1958                                        const sctp_subtype_t type,
1959                                        void *arg,
1960                                        sctp_cmd_seq_t *commands)
1961{
1962        sctp_disposition_t retval;
1963        struct sctp_chunk *chunk = arg;
1964        struct sctp_association *new_asoc;
1965        int error = 0;
1966        char action;
1967        struct sctp_chunk *err_chk_p;
1968
1969        /* Make sure that the chunk has a valid length from the protocol
1970         * perspective.  In this case check to make sure we have at least
1971         * enough for the chunk header.  Cookie length verification is
1972         * done later.
1973         */
1974        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
1975                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1976                                                  commands);
1977
1978        /* "Decode" the chunk.  We have no optional parameters so we
1979         * are in good shape.
1980         */
1981        chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
1982        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
1983                                        sizeof(sctp_chunkhdr_t)))
1984                goto nomem;
1985
1986        /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
1987         * of a duplicate COOKIE ECHO match the Verification Tags of the
1988         * current association, consider the State Cookie valid even if
1989         * the lifespan is exceeded.
1990         */
1991        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
1992                                      &err_chk_p);
1993
1994        /* FIXME:
1995         * If the re-build failed, what is the proper error path
1996         * from here?
1997         *
1998         * [We should abort the association. --piggy]
1999         */
2000        if (!new_asoc) {
2001                /* FIXME: Several errors are possible.  A bad cookie should
2002                 * be silently discarded, but think about logging it too.
2003                 */
2004                switch (error) {
2005                case -SCTP_IERROR_NOMEM:
2006                        goto nomem;
2007
2008                case -SCTP_IERROR_STALE_COOKIE:
2009                        sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
2010                                                   err_chk_p);
2011                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2012                case -SCTP_IERROR_BAD_SIG:
2013                default:
2014                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2015                }
2016        }
2017
2018        /* Compare the tie_tag in cookie with the verification tag of
2019         * current association.
2020         */
2021        action = sctp_tietags_compare(new_asoc, asoc);
2022
2023        switch (action) {
2024        case 'A': /* Association restart. */
2025                retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands,
2026                                              new_asoc);
2027                break;
2028
2029        case 'B': /* Collision case B. */
2030                retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands,
2031                                              new_asoc);
2032                break;
2033
2034        case 'C': /* Collision case C. */
2035                retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands,
2036                                              new_asoc);
2037                break;
2038
2039        case 'D': /* Collision case D. */
2040                retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands,
2041                                              new_asoc);
2042                break;
2043
2044        default: /* Discard packet for all others. */
2045                retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2046                break;
2047        }
2048
2049        /* Delete the tempory new association. */
2050        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
2051        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2052
2053        return retval;
2054
2055nomem:
2056        return SCTP_DISPOSITION_NOMEM;
2057}
2058
2059/*
2060 * Process an ABORT.  (SHUTDOWN-PENDING state)
2061 *
2062 * See sctp_sf_do_9_1_abort().
2063 */
2064sctp_disposition_t sctp_sf_shutdown_pending_abort(
2065        const struct sctp_endpoint *ep,
2066        const struct sctp_association *asoc,
2067        const sctp_subtype_t type,
2068        void *arg,
2069        sctp_cmd_seq_t *commands)
2070{
2071        struct sctp_chunk *chunk = arg;
2072
2073        if (!sctp_vtag_verify_either(chunk, asoc))
2074                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2075
2076        /* Make sure that the ABORT chunk has a valid length.
2077         * Since this is an ABORT chunk, we have to discard it
2078         * because of the following text:
2079         * RFC 2960, Section 3.3.7
2080         *    If an endpoint receives an ABORT with a format error or for an
2081         *    association that doesn't exist, it MUST silently discard it.
2082         * Becasue the length is "invalid", we can't really discard just
2083         * as we do not know its true length.  So, to be safe, discard the
2084         * packet.
2085         */
2086        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2087                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2088
2089        /* ADD-IP: Special case for ABORT chunks
2090         * F4)  One special consideration is that ABORT Chunks arriving
2091         * destined to the IP address being deleted MUST be
2092         * ignored (see Section 5.3.1 for further details).
2093         */
2094        if (SCTP_ADDR_DEL ==
2095                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2096                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2097
2098        return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2099}
2100
2101/*
2102 * Process an ABORT.  (SHUTDOWN-SENT state)
2103 *
2104 * See sctp_sf_do_9_1_abort().
2105 */
2106sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,
2107                                        const struct sctp_association *asoc,
2108                                        const sctp_subtype_t type,
2109                                        void *arg,
2110                                        sctp_cmd_seq_t *commands)
2111{
2112        struct sctp_chunk *chunk = arg;
2113
2114        if (!sctp_vtag_verify_either(chunk, asoc))
2115                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2116
2117        /* Make sure that the ABORT chunk has a valid length.
2118         * Since this is an ABORT chunk, we have to discard it
2119         * because of the following text:
2120         * RFC 2960, Section 3.3.7
2121         *    If an endpoint receives an ABORT with a format error or for an
2122         *    association that doesn't exist, it MUST silently discard it.
2123         * Becasue the length is "invalid", we can't really discard just
2124         * as we do not know its true length.  So, to be safe, discard the
2125         * packet.
2126         */
2127        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2128                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2129
2130        /* ADD-IP: Special case for ABORT chunks
2131         * F4)  One special consideration is that ABORT Chunks arriving
2132         * destined to the IP address being deleted MUST be
2133         * ignored (see Section 5.3.1 for further details).
2134         */
2135        if (SCTP_ADDR_DEL ==
2136                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2137                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2138
2139        /* Stop the T2-shutdown timer. */
2140        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2141                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2142
2143        /* Stop the T5-shutdown guard timer.  */
2144        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2145                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2146
2147        return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2148}
2149
2150/*
2151 * Process an ABORT.  (SHUTDOWN-ACK-SENT state)
2152 *
2153 * See sctp_sf_do_9_1_abort().
2154 */
2155sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2156        const struct sctp_endpoint *ep,
2157        const struct sctp_association *asoc,
2158        const sctp_subtype_t type,
2159        void *arg,
2160        sctp_cmd_seq_t *commands)
2161{
2162        /* The same T2 timer, so we should be able to use
2163         * common function with the SHUTDOWN-SENT state.
2164         */
2165        return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands);
2166}
2167
2168/*
2169 * Handle an Error received in COOKIE_ECHOED state.
2170 *
2171 * Only handle the error type of stale COOKIE Error, the other errors will
2172 * be ignored.
2173 *
2174 * Inputs
2175 * (endpoint, asoc, chunk)
2176 *
2177 * Outputs
2178 * (asoc, reply_msg, msg_up, timers, counters)
2179 *
2180 * The return value is the disposition of the chunk.
2181 */
2182sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep,
2183                                        const struct sctp_association *asoc,
2184                                        const sctp_subtype_t type,
2185                                        void *arg,
2186                                        sctp_cmd_seq_t *commands)
2187{
2188        struct sctp_chunk *chunk = arg;
2189        sctp_errhdr_t *err;
2190
2191        if (!sctp_vtag_verify(chunk, asoc))
2192                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2193
2194        /* Make sure that the ERROR chunk has a valid length.
2195         * The parameter walking depends on this as well.
2196         */
2197        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2198                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2199                                                  commands);
2200
2201        /* Process the error here */
2202        /* FUTURE FIXME:  When PR-SCTP related and other optional
2203         * parms are emitted, this will have to change to handle multiple
2204         * errors.
2205         */
2206        sctp_walk_errors(err, chunk->chunk_hdr) {
2207                if (SCTP_ERROR_STALE_COOKIE == err->cause)
2208                        return sctp_sf_do_5_2_6_stale(ep, asoc, type,
2209                                                        arg, commands);
2210        }
2211
2212        /* It is possible to have malformed error causes, and that
2213         * will cause us to end the walk early.  However, since
2214         * we are discarding the packet, there should be no adverse
2215         * affects.
2216         */
2217        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2218}
2219
2220/*
2221 * Handle a Stale COOKIE Error
2222 *
2223 * Section: 5.2.6 Handle Stale COOKIE Error
2224 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2225 * one of the following three alternatives.
2226 * ...
2227 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2228 *    Preservative parameter requesting an extension to the lifetime of
2229 *    the State Cookie. When calculating the time extension, an
2230 *    implementation SHOULD use the RTT information measured based on the
2231 *    previous COOKIE ECHO / ERROR exchange, and should add no more
2232 *    than 1 second beyond the measured RTT, due to long State Cookie
2233 *    lifetimes making the endpoint more subject to a replay attack.
2234 *
2235 * Verification Tag:  Not explicit, but safe to ignore.
2236 *
2237 * Inputs
2238 * (endpoint, asoc, chunk)
2239 *
2240 * Outputs
2241 * (asoc, reply_msg, msg_up, timers, counters)
2242 *
2243 * The return value is the disposition of the chunk.
2244 */
2245static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
2246                                                 const struct sctp_association *asoc,
2247                                                 const sctp_subtype_t type,
2248                                                 void *arg,
2249                                                 sctp_cmd_seq_t *commands)
2250{
2251        struct sctp_chunk *chunk = arg;
2252        time_t stale;
2253        sctp_cookie_preserve_param_t bht;
2254        sctp_errhdr_t *err;
2255        struct sctp_chunk *reply;
2256        struct sctp_bind_addr *bp;
2257        int attempts = asoc->init_err_counter + 1;
2258
2259        if (attempts > asoc->max_init_attempts) {
2260                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2261                                SCTP_ERROR(ETIMEDOUT));
2262                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2263                                SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2264                return SCTP_DISPOSITION_DELETE_TCB;
2265        }
2266
2267        err = (sctp_errhdr_t *)(chunk->skb->data);
2268
2269        /* When calculating the time extension, an implementation
2270         * SHOULD use the RTT information measured based on the
2271         * previous COOKIE ECHO / ERROR exchange, and should add no
2272         * more than 1 second beyond the measured RTT, due to long
2273         * State Cookie lifetimes making the endpoint more subject to
2274         * a replay attack.
2275         * Measure of Staleness's unit is usec. (1/1000000 sec)
2276         * Suggested Cookie Life-span Increment's unit is msec.
2277         * (1/1000 sec)
2278         * In general, if you use the suggested cookie life, the value
2279         * found in the field of measure of staleness should be doubled
2280         * to give ample time to retransmit the new cookie and thus
2281         * yield a higher probability of success on the reattempt.
2282         */
2283        stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2284        stale = (stale * 2) / 1000;
2285
2286        bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2287        bht.param_hdr.length = htons(sizeof(bht));
2288        bht.lifespan_increment = htonl(stale);
2289
2290        /* Build that new INIT chunk.  */
2291        bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2292        reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2293        if (!reply)
2294                goto nomem;
2295
2296        sctp_addto_chunk(reply, sizeof(bht), &bht);
2297
2298        /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2299        sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2300
2301        /* Stop pending T3-rtx and heartbeat timers */
2302        sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2303        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2304
2305        /* Delete non-primary peer ip addresses since we are transitioning
2306         * back to the COOKIE-WAIT state
2307         */
2308        sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2309
2310        /* If we've sent any data bundled with COOKIE-ECHO we will need to
2311         * resend
2312         */
2313        sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2314                        SCTP_TRANSPORT(asoc->peer.primary_path));
2315
2316        /* Cast away the const modifier, as we want to just
2317         * rerun it through as a sideffect.
2318         */
2319        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2320
2321        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2322                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2323        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2324                        SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2325        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2326                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2327
2328        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2329
2330        return SCTP_DISPOSITION_CONSUME;
2331
2332nomem:
2333        return SCTP_DISPOSITION_NOMEM;
2334}
2335
2336/*
2337 * Process an ABORT.
2338 *
2339 * Section: 9.1
2340 * After checking the Verification Tag, the receiving endpoint shall
2341 * remove the association from its record, and shall report the
2342 * termination to its upper layer.
2343 *
2344 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2345 * B) Rules for packet carrying ABORT:
2346 *
2347 *  - The endpoint shall always fill in the Verification Tag field of the
2348 *    outbound packet with the destination endpoint's tag value if it
2349 *    is known.
2350 *
2351 *  - If the ABORT is sent in response to an OOTB packet, the endpoint
2352 *    MUST follow the procedure described in Section 8.4.
2353 *
2354 *  - The receiver MUST accept the packet if the Verification Tag
2355 *    matches either its own tag, OR the tag of its peer. Otherwise, the
2356 *    receiver MUST silently discard the packet and take no further
2357 *    action.
2358 *
2359 * Inputs
2360 * (endpoint, asoc, chunk)
2361 *
2362 * Outputs
2363 * (asoc, reply_msg, msg_up, timers, counters)
2364 *
2365 * The return value is the disposition of the chunk.
2366 */
2367sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2368                                        const struct sctp_association *asoc,
2369                                        const sctp_subtype_t type,
2370                                        void *arg,
2371                                        sctp_cmd_seq_t *commands)
2372{
2373        struct sctp_chunk *chunk = arg;
2374
2375        if (!sctp_vtag_verify_either(chunk, asoc))
2376                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2377
2378        /* Make sure that the ABORT chunk has a valid length.
2379         * Since this is an ABORT chunk, we have to discard it
2380         * because of the following text:
2381         * RFC 2960, Section 3.3.7
2382         *    If an endpoint receives an ABORT with a format error or for an
2383         *    association that doesn't exist, it MUST silently discard it.
2384         * Becasue the length is "invalid", we can't really discard just
2385         * as we do not know its true length.  So, to be safe, discard the
2386         * packet.
2387         */
2388        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2389                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2390
2391        /* ADD-IP: Special case for ABORT chunks
2392         * F4)  One special consideration is that ABORT Chunks arriving
2393         * destined to the IP address being deleted MUST be
2394         * ignored (see Section 5.3.1 for further details).
2395         */
2396        if (SCTP_ADDR_DEL ==
2397                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2398                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2399
2400        return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2401}
2402
2403static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2404                                        const struct sctp_association *asoc,
2405                                        const sctp_subtype_t type,
2406                                        void *arg,
2407                                        sctp_cmd_seq_t *commands)
2408{
2409        struct sctp_chunk *chunk = arg;
2410        unsigned len;
2411        __be16 error = SCTP_ERROR_NO_ERROR;
2412
2413        /* See if we have an error cause code in the chunk.  */
2414        len = ntohs(chunk->chunk_hdr->length);
2415        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2416                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2417
2418        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2419        /* ASSOC_FAILED will DELETE_TCB. */
2420        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2421        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2422        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
2423
2424        return SCTP_DISPOSITION_ABORT;
2425}
2426
2427/*
2428 * Process an ABORT.  (COOKIE-WAIT state)
2429 *
2430 * See sctp_sf_do_9_1_abort() above.
2431 */
2432sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
2433                                     const struct sctp_association *asoc,
2434                                     const sctp_subtype_t type,
2435                                     void *arg,
2436                                     sctp_cmd_seq_t *commands)
2437{
2438        struct sctp_chunk *chunk = arg;
2439        unsigned len;
2440        __be16 error = SCTP_ERROR_NO_ERROR;
2441
2442        if (!sctp_vtag_verify_either(chunk, asoc))
2443                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2444
2445        /* Make sure that the ABORT chunk has a valid length.
2446         * Since this is an ABORT chunk, we have to discard it
2447         * because of the following text:
2448         * RFC 2960, Section 3.3.7
2449         *    If an endpoint receives an ABORT with a format error or for an
2450         *    association that doesn't exist, it MUST silently discard it.
2451         * Becasue the length is "invalid", we can't really discard just
2452         * as we do not know its true length.  So, to be safe, discard the
2453         * packet.
2454         */
2455        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2456                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2457
2458        /* See if we have an error cause code in the chunk.  */
2459        len = ntohs(chunk->chunk_hdr->length);
2460        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2461                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2462
2463        return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc,
2464                                      chunk->transport);
2465}
2466
2467/*
2468 * Process an incoming ICMP as an ABORT.  (COOKIE-WAIT state)
2469 */
2470sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep,
2471                                        const struct sctp_association *asoc,
2472                                        const sctp_subtype_t type,
2473                                        void *arg,
2474                                        sctp_cmd_seq_t *commands)
2475{
2476        return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR,
2477                                      ENOPROTOOPT, asoc,
2478                                      (struct sctp_transport *)arg);
2479}
2480
2481/*
2482 * Process an ABORT.  (COOKIE-ECHOED state)
2483 */
2484sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep,
2485                                               const struct sctp_association *asoc,
2486                                               const sctp_subtype_t type,
2487                                               void *arg,
2488                                               sctp_cmd_seq_t *commands)
2489{
2490        /* There is a single T1 timer, so we should be able to use
2491         * common function with the COOKIE-WAIT state.
2492         */
2493        return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands);
2494}
2495
2496/*
2497 * Stop T1 timer and abort association with "INIT failed".
2498 *
2499 * This is common code called by several sctp_sf_*_abort() functions above.
2500 */
2501static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
2502                                           __be16 error, int sk_err,
2503                                           const struct sctp_association *asoc,
2504                                           struct sctp_transport *transport)
2505{
2506        SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");
2507        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2508                        SCTP_STATE(SCTP_STATE_CLOSED));
2509        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2510        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2511                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2512        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2513        /* CMD_INIT_FAILED will DELETE_TCB. */
2514        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2515                        SCTP_PERR(error));
2516        return SCTP_DISPOSITION_ABORT;
2517}
2518
2519/*
2520 * sctp_sf_do_9_2_shut
2521 *
2522 * Section: 9.2
2523 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2524 *  - enter the SHUTDOWN-RECEIVED state,
2525 *
2526 *  - stop accepting new data from its SCTP user
2527 *
2528 *  - verify, by checking the Cumulative TSN Ack field of the chunk,
2529 *    that all its outstanding DATA chunks have been received by the
2530 *    SHUTDOWN sender.
2531 *
2532 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2533 * send a SHUTDOWN in response to a ULP request. And should discard
2534 * subsequent SHUTDOWN chunks.
2535 *
2536 * If there are still outstanding DATA chunks left, the SHUTDOWN
2537 * receiver shall continue to follow normal data transmission
2538 * procedures defined in Section 6 until all outstanding DATA chunks
2539 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2540 * new data from its SCTP user.
2541 *
2542 * Verification Tag:  8.5 Verification Tag [Normal verification]
2543 *
2544 * Inputs
2545 * (endpoint, asoc, chunk)
2546 *
2547 * Outputs
2548 * (asoc, reply_msg, msg_up, timers, counters)
2549 *
2550 * The return value is the disposition of the chunk.
2551 */
2552sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
2553                                           const struct sctp_association *asoc,
2554                                           const sctp_subtype_t type,
2555                                           void *arg,
2556                                           sctp_cmd_seq_t *commands)
2557{
2558        struct sctp_chunk *chunk = arg;
2559        sctp_shutdownhdr_t *sdh;
2560        sctp_disposition_t disposition;
2561        struct sctp_ulpevent *ev;
2562        __u32 ctsn;
2563
2564        if (!sctp_vtag_verify(chunk, asoc))
2565                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2566
2567        /* Make sure that the SHUTDOWN chunk has a valid length. */
2568        if (!sctp_chunk_length_valid(chunk,
2569                                      sizeof(struct sctp_shutdown_chunk_t)))
2570                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2571                                                  commands);
2572
2573        /* Convert the elaborate header.  */
2574        sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2575        skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2576        chunk->subh.shutdown_hdr = sdh;
2577        ctsn = ntohl(sdh->cum_tsn_ack);
2578
2579        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2580                SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2581                SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2582                return SCTP_DISPOSITION_DISCARD;
2583        }
2584
2585        /* If Cumulative TSN Ack beyond the max tsn currently
2586         * send, terminating the association and respond to the
2587         * sender with an ABORT.
2588         */
2589        if (!TSN_lt(ctsn, asoc->next_tsn))
2590                return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2591
2592        /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2593         * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2594         * inform the application that it should cease sending data.
2595         */
2596        ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2597        if (!ev) {
2598                disposition = SCTP_DISPOSITION_NOMEM;
2599                goto out;
2600        }
2601        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2602
2603        /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2604         *  - enter the SHUTDOWN-RECEIVED state,
2605         *  - stop accepting new data from its SCTP user
2606         *
2607         * [This is implicit in the new state.]
2608         */
2609        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2610                        SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2611        disposition = SCTP_DISPOSITION_CONSUME;
2612
2613        if (sctp_outq_is_empty(&asoc->outqueue)) {
2614                disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type,
2615                                                          arg, commands);
2616        }
2617
2618        if (SCTP_DISPOSITION_NOMEM == disposition)
2619                goto out;
2620
2621        /*  - verify, by checking the Cumulative TSN Ack field of the
2622         *    chunk, that all its outstanding DATA chunks have been
2623         *    received by the SHUTDOWN sender.
2624         */
2625        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2626                        SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2627
2628out:
2629        return disposition;
2630}
2631
2632/*
2633 * sctp_sf_do_9_2_shut_ctsn
2634 *
2635 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2636 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2637 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2638 * MUST be processed.
2639 */
2640sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep,
2641                                           const struct sctp_association *asoc,
2642                                           const sctp_subtype_t type,
2643                                           void *arg,
2644                                           sctp_cmd_seq_t *commands)
2645{
2646        struct sctp_chunk *chunk = arg;
2647        sctp_shutdownhdr_t *sdh;
2648        __u32 ctsn;
2649
2650        if (!sctp_vtag_verify(chunk, asoc))
2651                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2652
2653        /* Make sure that the SHUTDOWN chunk has a valid length. */
2654        if (!sctp_chunk_length_valid(chunk,
2655                                      sizeof(struct sctp_shutdown_chunk_t)))
2656                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2657                                                  commands);
2658
2659        sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2660        ctsn = ntohl(sdh->cum_tsn_ack);
2661
2662        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2663                SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2664                SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2665                return SCTP_DISPOSITION_DISCARD;
2666        }
2667
2668        /* If Cumulative TSN Ack beyond the max tsn currently
2669         * send, terminating the association and respond to the
2670         * sender with an ABORT.
2671         */
2672        if (!TSN_lt(ctsn, asoc->next_tsn))
2673                return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2674
2675        /* verify, by checking the Cumulative TSN Ack field of the
2676         * chunk, that all its outstanding DATA chunks have been
2677         * received by the SHUTDOWN sender.
2678         */
2679        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2680                        SCTP_BE32(sdh->cum_tsn_ack));
2681
2682        return SCTP_DISPOSITION_CONSUME;
2683}
2684
2685/* RFC 2960 9.2
2686 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2687 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2688 * transport addresses (either in the IP addresses or in the INIT chunk)
2689 * that belong to this association, it should discard the INIT chunk and
2690 * retransmit the SHUTDOWN ACK chunk.
2691 */
2692sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep,
2693                                    const struct sctp_association *asoc,
2694                                    const sctp_subtype_t type,
2695                                    void *arg,
2696                                    sctp_cmd_seq_t *commands)
2697{
2698        struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2699        struct sctp_chunk *reply;
2700
2701        /* Make sure that the chunk has a valid length */
2702        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2703                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2704                                                  commands);
2705
2706        /* Since we are not going to really process this INIT, there
2707         * is no point in verifying chunk boundries.  Just generate
2708         * the SHUTDOWN ACK.
2709         */
2710        reply = sctp_make_shutdown_ack(asoc, chunk);
2711        if (NULL == reply)
2712                goto nomem;
2713
2714        /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2715         * the T2-SHUTDOWN timer.
2716         */
2717        sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2718
2719        /* and restart the T2-shutdown timer. */
2720        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2721                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2722
2723        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2724
2725        return SCTP_DISPOSITION_CONSUME;
2726nomem:
2727        return SCTP_DISPOSITION_NOMEM;
2728}
2729
2730/*
2731 * sctp_sf_do_ecn_cwr
2732 *
2733 * Section:  Appendix A: Explicit Congestion Notification
2734 *
2735 * CWR:
2736 *
2737 * RFC 2481 details a specific bit for a sender to send in the header of
2738 * its next outbound TCP segment to indicate to its peer that it has
2739 * reduced its congestion window.  This is termed the CWR bit.  For
2740 * SCTP the same indication is made by including the CWR chunk.
2741 * This chunk contains one data element, i.e. the TSN number that
2742 * was sent in the ECNE chunk.  This element represents the lowest
2743 * TSN number in the datagram that was originally marked with the
2744 * CE bit.
2745 *
2746 * Verification Tag: 8.5 Verification Tag [Normal verification]
2747 * Inputs
2748 * (endpoint, asoc, chunk)
2749 *
2750 * Outputs
2751 * (asoc, reply_msg, msg_up, timers, counters)
2752 *
2753 * The return value is the disposition of the chunk.
2754 */
2755sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,
2756                                      const struct sctp_association *asoc,
2757                                      const sctp_subtype_t type,
2758                                      void *arg,
2759                                      sctp_cmd_seq_t *commands)
2760{
2761        sctp_cwrhdr_t *cwr;
2762        struct sctp_chunk *chunk = arg;
2763        u32 lowest_tsn;
2764
2765        if (!sctp_vtag_verify(chunk, asoc))
2766                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2767
2768        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2769                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2770                                                  commands);
2771
2772        cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2773        skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2774
2775        lowest_tsn = ntohl(cwr->lowest_tsn);
2776
2777        /* Does this CWR ack the last sent congestion notification? */
2778        if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2779                /* Stop sending ECNE. */
2780                sctp_add_cmd_sf(commands,
2781                                SCTP_CMD_ECN_CWR,
2782                                SCTP_U32(lowest_tsn));
2783        }
2784        return SCTP_DISPOSITION_CONSUME;
2785}
2786
2787/*
2788 * sctp_sf_do_ecne
2789 *
2790 * Section:  Appendix A: Explicit Congestion Notification
2791 *
2792 * ECN-Echo
2793 *
2794 * RFC 2481 details a specific bit for a receiver to send back in its
2795 * TCP acknowledgements to notify the sender of the Congestion
2796 * Experienced (CE) bit having arrived from the network.  For SCTP this
2797 * same indication is made by including the ECNE chunk.  This chunk
2798 * contains one data element, i.e. the lowest TSN associated with the IP
2799 * datagram marked with the CE bit.....
2800 *
2801 * Verification Tag: 8.5 Verification Tag [Normal verification]
2802 * Inputs
2803 * (endpoint, asoc, chunk)
2804 *
2805 * Outputs
2806 * (asoc, reply_msg, msg_up, timers, counters)
2807 *
2808 * The return value is the disposition of the chunk.
2809 */
2810sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,
2811                                   const struct sctp_association *asoc,
2812                                   const sctp_subtype_t type,
2813                                   void *arg,
2814                                   sctp_cmd_seq_t *commands)
2815{
2816        sctp_ecnehdr_t *ecne;
2817        struct sctp_chunk *chunk = arg;
2818
2819        if (!sctp_vtag_verify(chunk, asoc))
2820                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2821
2822        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2823                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2824                                                  commands);
2825
2826        ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2827        skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2828
2829        /* If this is a newer ECNE than the last CWR packet we sent out */
2830        sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2831                        SCTP_U32(ntohl(ecne->lowest_tsn)));
2832
2833        return SCTP_DISPOSITION_CONSUME;
2834}
2835
2836/*
2837 * Section: 6.2  Acknowledgement on Reception of DATA Chunks
2838 *
2839 * The SCTP endpoint MUST always acknowledge the reception of each valid
2840 * DATA chunk.
2841 *
2842 * The guidelines on delayed acknowledgement algorithm specified in
2843 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2844 * acknowledgement SHOULD be generated for at least every second packet
2845 * (not every second DATA chunk) received, and SHOULD be generated within
2846 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2847 * situations it may be beneficial for an SCTP transmitter to be more
2848 * conservative than the algorithms detailed in this document allow.
2849 * However, an SCTP transmitter MUST NOT be more aggressive than the
2850 * following algorithms allow.
2851 *
2852 * A SCTP receiver MUST NOT generate more than one SACK for every
2853 * incoming packet, other than to update the offered window as the
2854 * receiving application consumes new data.
2855 *
2856 * Verification Tag:  8.5 Verification Tag [Normal verification]
2857 *
2858 * Inputs
2859 * (endpoint, asoc, chunk)
2860 *
2861 * Outputs
2862 * (asoc, reply_msg, msg_up, timers, counters)
2863 *
2864 * The return value is the disposition of the chunk.
2865 */
2866sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,
2867                                        const struct sctp_association *asoc,
2868                                        const sctp_subtype_t type,
2869                                        void *arg,
2870                                        sctp_cmd_seq_t *commands)
2871{
2872        struct sctp_chunk *chunk = arg;
2873        sctp_arg_t force = SCTP_NOFORCE();
2874        int error;
2875
2876        if (!sctp_vtag_verify(chunk, asoc)) {
2877                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2878                                SCTP_NULL());
2879                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2880        }
2881
2882        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2883                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2884                                                  commands);
2885
2886        error = sctp_eat_data(asoc, chunk, commands );
2887        switch (error) {
2888        case SCTP_IERROR_NO_ERROR:
2889                break;
2890        case SCTP_IERROR_HIGH_TSN:
2891        case SCTP_IERROR_BAD_STREAM:
2892                SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2893                goto discard_noforce;
2894        case SCTP_IERROR_DUP_TSN:
2895        case SCTP_IERROR_IGNORE_TSN:
2896                SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2897                goto discard_force;
2898        case SCTP_IERROR_NO_DATA:
2899                goto consume;
2900        case SCTP_IERROR_PROTO_VIOLATION:
2901                return sctp_sf_abort_violation(ep, asoc, chunk, commands,
2902                        (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
2903        default:
2904                BUG();
2905        }
2906
2907        if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
2908                force = SCTP_FORCE();
2909
2910        if (asoc->autoclose) {
2911                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2912                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2913        }
2914
2915        /* If this is the last chunk in a packet, we need to count it
2916         * toward sack generation.  Note that we need to SACK every
2917         * OTHER packet containing data chunks, EVEN IF WE DISCARD
2918         * THEM.  We elect to NOT generate SACK's if the chunk fails
2919         * the verification tag test.
2920         *
2921         * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2922         *
2923         * The SCTP endpoint MUST always acknowledge the reception of
2924         * each valid DATA chunk.
2925         *
2926         * The guidelines on delayed acknowledgement algorithm
2927         * specified in  Section 4.2 of [RFC2581] SHOULD be followed.
2928         * Specifically, an acknowledgement SHOULD be generated for at
2929         * least every second packet (not every second DATA chunk)
2930         * received, and SHOULD be generated within 200 ms of the
2931         * arrival of any unacknowledged DATA chunk.  In some
2932         * situations it may be beneficial for an SCTP transmitter to
2933         * be more conservative than the algorithms detailed in this
2934         * document allow. However, an SCTP transmitter MUST NOT be
2935         * more aggressive than the following algorithms allow.
2936         */
2937        if (chunk->end_of_packet)
2938                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
2939
2940        return SCTP_DISPOSITION_CONSUME;
2941
2942discard_force:
2943        /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2944         *
2945         * When a packet arrives with duplicate DATA chunk(s) and with
2946         * no new DATA chunk(s), the endpoint MUST immediately send a
2947         * SACK with no delay.  If a packet arrives with duplicate
2948         * DATA chunk(s) bundled with new DATA chunks, the endpoint
2949         * MAY immediately send a SACK.  Normally receipt of duplicate
2950         * DATA chunks will occur when the original SACK chunk was lost
2951         * and the peer's RTO has expired.  The duplicate TSN number(s)
2952         * SHOULD be reported in the SACK as duplicate.
2953         */
2954        /* In our case, we split the MAY SACK advice up whether or not
2955         * the last chunk is a duplicate.'
2956         */
2957        if (chunk->end_of_packet)
2958                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
2959        return SCTP_DISPOSITION_DISCARD;
2960
2961discard_noforce:
2962        if (chunk->end_of_packet)
2963                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
2964
2965        return SCTP_DISPOSITION_DISCARD;
2966consume:
2967        return SCTP_DISPOSITION_CONSUME;
2968
2969}
2970
2971/*
2972 * sctp_sf_eat_data_fast_4_4
2973 *
2974 * Section: 4 (4)
2975 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
2976 *    DATA chunks without delay.
2977 *
2978 * Verification Tag:  8.5 Verification Tag [Normal verification]
2979 * Inputs
2980 * (endpoint, asoc, chunk)
2981 *
2982 * Outputs
2983 * (asoc, reply_msg, msg_up, timers, counters)
2984 *
2985 * The return value is the disposition of the chunk.
2986 */
2987sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,
2988                                     const struct sctp_association *asoc,
2989                                     const sctp_subtype_t type,
2990                                     void *arg,
2991                                     sctp_cmd_seq_t *commands)
2992{
2993        struct sctp_chunk *chunk = arg;
2994        int error;
2995
2996        if (!sctp_vtag_verify(chunk, asoc)) {
2997                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2998                                SCTP_NULL());
2999                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3000        }
3001
3002        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
3003                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3004                                                  commands);
3005
3006        error = sctp_eat_data(asoc, chunk, commands );
3007        switch (error) {
3008        case SCTP_IERROR_NO_ERROR:
3009        case SCTP_IERROR_HIGH_TSN:
3010        case SCTP_IERROR_DUP_TSN:
3011        case SCTP_IERROR_IGNORE_TSN:
3012        case SCTP_IERROR_BAD_STREAM:
3013                break;
3014        case SCTP_IERROR_NO_DATA:
3015                goto consume;
3016        case SCTP_IERROR_PROTO_VIOLATION:
3017                return sctp_sf_abort_violation(ep, asoc, chunk, commands,
3018                        (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
3019        default:
3020                BUG();
3021        }
3022
3023        /* Go a head and force a SACK, since we are shutting down. */
3024
3025        /* Implementor's Guide.
3026         *
3027         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3028         * respond to each received packet containing one or more DATA chunk(s)
3029         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3030         */
3031        if (chunk->end_of_packet) {
3032                /* We must delay the chunk creation since the cumulative
3033                 * TSN has not been updated yet.
3034                 */
3035                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3036                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3037                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3038                                SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3039        }
3040
3041consume:
3042        return SCTP_DISPOSITION_CONSUME;
3043}
3044
3045/*
3046 * Section: 6.2  Processing a Received SACK
3047 * D) Any time a SACK arrives, the endpoint performs the following:
3048 *
3049 *     i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3050 *     then drop the SACK.   Since Cumulative TSN Ack is monotonically
3051 *     increasing, a SACK whose Cumulative TSN Ack is less than the
3052 *     Cumulative TSN Ack Point indicates an out-of-order SACK.
3053 *
3054 *     ii) Set rwnd equal to the newly received a_rwnd minus the number
3055 *     of bytes still outstanding after processing the Cumulative TSN Ack
3056 *     and the Gap Ack Blocks.
3057 *
3058 *     iii) If the SACK is missing a TSN that was previously
3059 *     acknowledged via a Gap Ack Block (e.g., the data receiver
3060 *     reneged on the data), then mark the corresponding DATA chunk
3061 *     as available for retransmit:  Mark it as missing for fast
3062 *     retransmit as described in Section 7.2.4 and if no retransmit
3063 *     timer is running for the destination address to which the DATA
3064 *     chunk was originally transmitted, then T3-rtx is started for
3065 *     that destination address.
3066 *
3067 * Verification Tag:  8.5 Verification Tag [Normal verification]
3068 *
3069 * Inputs
3070 * (endpoint, asoc, chunk)
3071 *
3072 * Outputs
3073 * (asoc, reply_msg, msg_up, timers, counters)
3074 *
3075 * The return value is the disposition of the chunk.
3076 */
3077sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
3078                                        const struct sctp_association *asoc,
3079                                        const sctp_subtype_t type,
3080                                        void *arg,
3081                                        sctp_cmd_seq_t *commands)
3082{
3083        struct sctp_chunk *chunk = arg;
3084        sctp_sackhdr_t *sackh;
3085        __u32 ctsn;
3086
3087        if (!sctp_vtag_verify(chunk, asoc))
3088                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3089
3090        /* Make sure that the SACK chunk has a valid length. */
3091        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
3092                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3093                                                  commands);
3094
3095        /* Pull the SACK chunk from the data buffer */
3096        sackh = sctp_sm_pull_sack(chunk);
3097        /* Was this a bogus SACK? */
3098        if (!sackh)
3099                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3100        chunk->subh.sack_hdr = sackh;
3101        ctsn = ntohl(sackh->cum_tsn_ack);
3102
3103        /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3104         *     Ack Point, then drop the SACK.  Since Cumulative TSN
3105         *     Ack is monotonically increasing, a SACK whose
3106         *     Cumulative TSN Ack is less than the Cumulative TSN Ack
3107         *     Point indicates an out-of-order SACK.
3108         */
3109        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3110                SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
3111                SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
3112                return SCTP_DISPOSITION_DISCARD;
3113        }
3114
3115        /* If Cumulative TSN Ack beyond the max tsn currently
3116         * send, terminating the association and respond to the
3117         * sender with an ABORT.
3118         */
3119        if (!TSN_lt(ctsn, asoc->next_tsn))
3120                return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
3121
3122        /* Return this SACK for further processing.  */
3123        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh));
3124
3125        /* Note: We do the rest of the work on the PROCESS_SACK
3126         * sideeffect.
3127         */
3128        return SCTP_DISPOSITION_CONSUME;
3129}
3130
3131/*
3132 * Generate an ABORT in response to a packet.
3133 *
3134 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3135 *
3136 * 8) The receiver should respond to the sender of the OOTB packet with
3137 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3138 *    MUST fill in the Verification Tag field of the outbound packet
3139 *    with the value found in the Verification Tag field of the OOTB
3140 *    packet and set the T-bit in the Chunk Flags to indicate that the
3141 *    Verification Tag is reflected.  After sending this ABORT, the
3142 *    receiver of the OOTB packet shall discard the OOTB packet and take
3143 *    no further action.
3144 *
3145 * Verification Tag:
3146 *
3147 * The return value is the disposition of the chunk.
3148*/
3149static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
3150                                        const struct sctp_association *asoc,
3151                                        const sctp_subtype_t type,
3152                                        void *arg,
3153                                        sctp_cmd_seq_t *commands)
3154{
3155        struct sctp_packet *packet = NULL;
3156        struct sctp_chunk *chunk = arg;
3157        struct sctp_chunk *abort;
3158
3159        packet = sctp_ootb_pkt_new(asoc, chunk);
3160
3161        if (packet) {
3162                /* Make an ABORT. The T bit will be set if the asoc
3163                 * is NULL.
3164                 */
3165                abort = sctp_make_abort(asoc, chunk, 0);
3166                if (!abort) {
3167                        sctp_ootb_pkt_free(packet);
3168                        return SCTP_DISPOSITION_NOMEM;
3169                }
3170
3171                /* Reflect vtag if T-Bit is set */
3172                if (sctp_test_T_bit(abort))
3173                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3174
3175                /* Set the skb to the belonging sock for accounting.  */
3176                abort->skb->sk = ep->base.sk;
3177
3178                sctp_packet_append_chunk(packet, abort);
3179
3180                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3181                                SCTP_PACKET(packet));
3182
3183                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3184
3185                sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3186                return SCTP_DISPOSITION_CONSUME;
3187        }
3188
3189        return SCTP_DISPOSITION_NOMEM;
3190}
3191
3192/*
3193 * Received an ERROR chunk from peer.  Generate SCTP_REMOTE_ERROR
3194 * event as ULP notification for each cause included in the chunk.
3195 *
3196 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3197 *
3198 * The return value is the disposition of the chunk.
3199*/
3200sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
3201                                        const struct sctp_association *asoc,
3202                                        const sctp_subtype_t type,
3203                                        void *arg,
3204                                        sctp_cmd_seq_t *commands)
3205{
3206        struct sctp_chunk *chunk = arg;
3207
3208        if (!sctp_vtag_verify(chunk, asoc))
3209                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3210
3211        /* Make sure that the ERROR chunk has a valid length. */
3212        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3213                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3214                                                  commands);
3215
3216        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3217                        SCTP_CHUNK(chunk));
3218
3219        return SCTP_DISPOSITION_CONSUME;
3220}
3221
3222/*
3223 * Process an inbound SHUTDOWN ACK.
3224 *
3225 * From Section 9.2:
3226 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3227 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3228 * peer, and remove all record of the association.
3229 *
3230 * The return value is the disposition.
3231 */
3232sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,
3233                                        const struct sctp_association *asoc,
3234                                        const sctp_subtype_t type,
3235                                        void *arg,
3236                                        sctp_cmd_seq_t *commands)
3237{
3238        struct sctp_chunk *chunk = arg;
3239        struct sctp_chunk *reply;
3240        struct sctp_ulpevent *ev;
3241
3242        if (!sctp_vtag_verify(chunk, asoc))
3243                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3244
3245        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3246        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3247                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3248                                                  commands);
3249        /* 10.2 H) SHUTDOWN COMPLETE notification
3250         *
3251         * When SCTP completes the shutdown procedures (section 9.2) this
3252         * notification is passed to the upper layer.
3253         */
3254        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3255                                             0, 0, 0, NULL, GFP_ATOMIC);
3256        if (!ev)
3257                goto nomem;
3258
3259        /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3260        reply = sctp_make_shutdown_complete(asoc, chunk);
3261        if (!reply)
3262                goto nomem_chunk;
3263
3264        /* Do all the commands now (after allocation), so that we
3265         * have consistent state if memory allocation failes
3266         */
3267        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3268
3269        /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3270         * stop the T2-shutdown timer,
3271         */
3272        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3273                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3274
3275        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3276                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3277
3278        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3279                        SCTP_STATE(SCTP_STATE_CLOSED));
3280        SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
3281        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3282        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3283
3284        /* ...and remove all record of the association. */
3285        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3286        return SCTP_DISPOSITION_DELETE_TCB;
3287
3288nomem_chunk:
3289        sctp_ulpevent_free(ev);
3290nomem:
3291        return SCTP_DISPOSITION_NOMEM;
3292}
3293
3294/*
3295 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3296 *
3297 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3298 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3299 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3300 *    packet must fill in the Verification Tag field of the outbound
3301 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3302 *    set the T-bit in the Chunk Flags to indicate that the Verification
3303 *    Tag is reflected.
3304 *
3305 * 8) The receiver should respond to the sender of the OOTB packet with
3306 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3307 *    MUST fill in the Verification Tag field of the outbound packet
3308 *    with the value found in the Verification Tag field of the OOTB
3309 *    packet and set the T-bit in the Chunk Flags to indicate that the
3310 *    Verification Tag is reflected.  After sending this ABORT, the
3311 *    receiver of the OOTB packet shall discard the OOTB packet and take
3312 *    no further action.
3313 */
3314sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
3315                                const struct sctp_association *asoc,
3316                                const sctp_subtype_t type,
3317                                void *arg,
3318                                sctp_cmd_seq_t *commands)
3319{
3320        struct sctp_chunk *chunk = arg;
3321        struct sk_buff *skb = chunk->skb;
3322        sctp_chunkhdr_t *ch;
3323        __u8 *ch_end;
3324        int ootb_shut_ack = 0;
3325
3326        SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3327
3328        ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3329        do {
3330                /* Report violation if the chunk is less then minimal */
3331                if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3332                        return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3333                                                  commands);
3334
3335                /* Now that we know we at least have a chunk header,
3336                 * do things that are type appropriate.
3337                 */
3338                if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3339                        ootb_shut_ack = 1;
3340
3341                /* RFC 2960, Section 3.3.7
3342                 *   Moreover, under any circumstances, an endpoint that
3343                 *   receives an ABORT  MUST NOT respond to that ABORT by
3344                 *   sending an ABORT of its own.
3345                 */
3346                if (SCTP_CID_ABORT == ch->type)
3347                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3348
3349                /* Report violation if chunk len overflows */
3350                ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3351                if (ch_end > skb_tail_pointer(skb))
3352                        return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3353                                                  commands);
3354
3355                ch = (sctp_chunkhdr_t *) ch_end;
3356        } while (ch_end < skb_tail_pointer(skb));
3357
3358        if (ootb_shut_ack)
3359                return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);
3360        else
3361                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
3362}
3363
3364/*
3365 * Handle an "Out of the blue" SHUTDOWN ACK.
3366 *
3367 * Section: 8.4 5, sctpimpguide 2.41.
3368 *
3369 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3370 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3371 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3372 *    packet must fill in the Verification Tag field of the outbound
3373 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3374 *    set the T-bit in the Chunk Flags to indicate that the Verification
3375 *    Tag is reflected.
3376 *
3377 * Inputs
3378 * (endpoint, asoc, type, arg, commands)
3379 *
3380 * Outputs
3381 * (sctp_disposition_t)
3382 *
3383 * The return value is the disposition of the chunk.
3384 */
3385static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
3386                                             const struct sctp_association *asoc,
3387                                             const sctp_subtype_t type,
3388                                             void *arg,
3389                                             sctp_cmd_seq_t *commands)
3390{
3391        struct sctp_packet *packet = NULL;
3392        struct sctp_chunk *chunk = arg;
3393        struct sctp_chunk *shut;
3394
3395        packet = sctp_ootb_pkt_new(asoc, chunk);
3396
3397        if (packet) {
3398                /* Make an SHUTDOWN_COMPLETE.
3399                 * The T bit will be set if the asoc is NULL.
3400                 */
3401                shut = sctp_make_shutdown_complete(asoc, chunk);
3402                if (!shut) {
3403                        sctp_ootb_pkt_free(packet);
3404                        return SCTP_DISPOSITION_NOMEM;
3405                }
3406
3407                /* Reflect vtag if T-Bit is set */
3408                if (sctp_test_T_bit(shut))
3409                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3410
3411                /* Set the skb to the belonging sock for accounting.  */
3412                shut->skb->sk = ep->base.sk;
3413
3414                sctp_packet_append_chunk(packet, shut);
3415
3416                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3417                                SCTP_PACKET(packet));
3418
3419                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3420
3421                /* If the chunk length is invalid, we don't want to process
3422                 * the reset of the packet.
3423                 */
3424                if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3425                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3426
3427                /* We need to discard the rest of the packet to prevent
3428                 * potential bomming attacks from additional bundled chunks.
3429                 * This is documented in SCTP Threats ID.
3430                 */
3431                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3432        }
3433
3434        return SCTP_DISPOSITION_NOMEM;
3435}
3436
3437/*
3438 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3439 *
3440 * Verification Tag:  8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3441 *   If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3442 *   procedures in section 8.4 SHOULD be followed, in other words it
3443 *   should be treated as an Out Of The Blue packet.
3444 *   [This means that we do NOT check the Verification Tag on these
3445 *   chunks. --piggy ]
3446 *
3447 */
3448sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep,
3449                                      const struct sctp_association *asoc,
3450                                      const sctp_subtype_t type,
3451                                      void *arg,
3452                                      sctp_cmd_seq_t *commands)
3453{
3454        struct sctp_chunk *chunk = arg;
3455
3456        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3457        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3458                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3459                                                  commands);
3460
3461        /* Although we do have an association in this case, it corresponds
3462         * to a restarted association. So the packet is treated as an OOTB
3463         * packet and the state function that handles OOTB SHUTDOWN_ACK is
3464         * called with a NULL association.
3465         */
3466        SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3467
3468        return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands);
3469}
3470
3471/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk.  */
3472sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep,
3473                                     const struct sctp_association *asoc,
3474                                     const sctp_subtype_t type, void *arg,
3475                                     sctp_cmd_seq_t *commands)
3476{
3477        struct sctp_chunk       *chunk = arg;
3478        struct sctp_chunk       *asconf_ack = NULL;
3479        struct sctp_paramhdr    *err_param = NULL;
3480        sctp_addiphdr_t         *hdr;
3481        union sctp_addr_param   *addr_param;
3482        __u32                   serial;
3483        int                     length;
3484
3485        if (!sctp_vtag_verify(chunk, asoc)) {
3486                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3487                                SCTP_NULL());
3488                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3489        }
3490
3491        /* ADD-IP: Section 4.1.1
3492         * This chunk MUST be sent in an authenticated way by using
3493         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3494         * is received unauthenticated it MUST be silently discarded as
3495         * described in [I-D.ietf-tsvwg-sctp-auth].
3496         */
3497        if (!sctp_addip_noauth && !chunk->auth)
3498                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3499
3500        /* Make sure that the ASCONF ADDIP chunk has a valid length.  */
3501        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3502                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3503                                                  commands);
3504
3505        hdr = (sctp_addiphdr_t *)chunk->skb->data;
3506        serial = ntohl(hdr->serial);
3507
3508        addr_param = (union sctp_addr_param *)hdr->params;
3509        length = ntohs(addr_param->p.length);
3510        if (length < sizeof(sctp_paramhdr_t))
3511                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3512                           (void *)addr_param, commands);
3513
3514        /* Verify the ASCONF chunk before processing it. */
3515        if (!sctp_verify_asconf(asoc,
3516                            (sctp_paramhdr_t *)((void *)addr_param + length),
3517                            (void *)chunk->chunk_end,
3518                            &err_param))
3519                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3520                                                  (void *)err_param, commands);
3521
3522        /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3523         * the endpoint stored in a new association variable
3524         * 'Peer-Serial-Number'.
3525         */
3526        if (serial == asoc->peer.addip_serial + 1) {
3527                /* If this is the first instance of ASCONF in the packet,
3528                 * we can clean our old ASCONF-ACKs.
3529                 */
3530                if (!chunk->has_asconf)
3531                        sctp_assoc_clean_asconf_ack_cache(asoc);
3532
3533                /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3534                 * expected, process the ASCONF as described below and after
3535                 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3536                 * the response packet and cache a copy of it (in the event it
3537                 * later needs to be retransmitted).
3538                 *
3539                 * Essentially, do V1-V5.
3540                 */
3541                asconf_ack = sctp_process_asconf((struct sctp_association *)
3542                                                 asoc, chunk);
3543                if (!asconf_ack)
3544                        return SCTP_DISPOSITION_NOMEM;
3545        } else if (serial < asoc->peer.addip_serial + 1) {
3546                /* ADDIP 5.2 E2)
3547                 * If the value found in the Sequence Number is less than the
3548                 * ('Peer- Sequence-Number' + 1), simply skip to the next
3549                 * ASCONF, and include in the outbound response packet
3550                 * any previously cached ASCONF-ACK response that was
3551                 * sent and saved that matches the Sequence Number of the
3552                 * ASCONF.  Note: It is possible that no cached ASCONF-ACK
3553                 * Chunk exists.  This will occur when an older ASCONF
3554                 * arrives out of order.  In such a case, the receiver
3555                 * should skip the ASCONF Chunk and not include ASCONF-ACK
3556                 * Chunk for that chunk.
3557                 */
3558                asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3559                if (!asconf_ack)
3560                        return SCTP_DISPOSITION_DISCARD;
3561
3562                /* Reset the transport so that we select the correct one
3563                 * this time around.  This is to make sure that we don't
3564                 * accidentally use a stale transport that's been removed.
3565                 */
3566                asconf_ack->transport = NULL;
3567        } else {
3568                /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3569                 * it must be either a stale packet or from an attacker.
3570                 */
3571                return SCTP_DISPOSITION_DISCARD;
3572        }
3573
3574        /* ADDIP 5.2 E6)  The destination address of the SCTP packet
3575         * containing the ASCONF-ACK Chunks MUST be the source address of
3576         * the SCTP packet that held the ASCONF Chunks.
3577         *
3578         * To do this properly, we'll set the destination address of the chunk
3579         * and at the transmit time, will try look up the transport to use.
3580         * Since ASCONFs may be bundled, the correct transport may not be
3581         * created until we process the entire packet, thus this workaround.
3582         */
3583        asconf_ack->dest = chunk->source;
3584        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3585
3586        return SCTP_DISPOSITION_CONSUME;
3587}
3588
3589/*
3590 * ADDIP Section 4.3 General rules for address manipulation
3591 * When building TLV parameters for the ASCONF Chunk that will add or
3592 * delete IP addresses the D0 to D13 rules should be applied:
3593 */
3594sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,
3595                                         const struct sctp_association *asoc,
3596                                         const sctp_subtype_t type, void *arg,
3597                                         sctp_cmd_seq_t *commands)
3598{
3599        struct sctp_chunk       *asconf_ack = arg;
3600        struct sctp_chunk       *last_asconf = asoc->addip_last_asconf;
3601        struct sctp_chunk       *abort;
3602        struct sctp_paramhdr    *err_param = NULL;
3603        sctp_addiphdr_t         *addip_hdr;
3604        __u32                   sent_serial, rcvd_serial;
3605
3606        if (!sctp_vtag_verify(asconf_ack, asoc)) {
3607                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3608                                SCTP_NULL());
3609                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3610        }
3611
3612        /* ADD-IP, Section 4.1.2:
3613         * This chunk MUST be sent in an authenticated way by using
3614         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3615         * is received unauthenticated it MUST be silently discarded as
3616         * described in [I-D.ietf-tsvwg-sctp-auth].
3617         */
3618        if (!sctp_addip_noauth && !asconf_ack->auth)
3619                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3620
3621        /* Make sure that the ADDIP chunk has a valid length.  */
3622        if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3623                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3624                                                  commands);
3625
3626        addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3627        rcvd_serial = ntohl(addip_hdr->serial);
3628
3629        /* Verify the ASCONF-ACK chunk before processing it. */
3630        if (!sctp_verify_asconf(asoc,
3631            (sctp_paramhdr_t *)addip_hdr->params,
3632            (void *)asconf_ack->chunk_end,
3633            &err_param))
3634                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3635                           (void *)err_param, commands);
3636
3637        if (last_asconf) {
3638                addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3639                sent_serial = ntohl(addip_hdr->serial);
3640        } else {
3641                sent_serial = asoc->addip_serial - 1;
3642        }
3643
3644        /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3645         * equal to the next serial number to be used but no ASCONF chunk is
3646         * outstanding the endpoint MUST ABORT the association. Note that a
3647         * sequence number is greater than if it is no more than 2^^31-1
3648         * larger than the current sequence number (using serial arithmetic).
3649         */
3650        if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3651            !(asoc->addip_last_asconf)) {
3652                abort = sctp_make_abort(asoc, asconf_ack,
3653                                        sizeof(sctp_errhdr_t));
3654                if (abort) {
3655                        sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3656                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3657                                        SCTP_CHUNK(abort));
3658                }
3659                /* We are going to ABORT, so we might as well stop
3660                 * processing the rest of the chunks in the packet.
3661                 */
3662                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3663                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3664                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3665                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3666                                SCTP_ERROR(ECONNABORTED));
3667                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3668                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3669                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3670                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3671                return SCTP_DISPOSITION_ABORT;
3672        }
3673
3674        if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3675                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3676                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3677
3678                if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3679                                             asconf_ack)) {
3680                        /* Successfully processed ASCONF_ACK.  We can
3681                         * release the next asconf if we have one.
3682                         */
3683                        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
3684                                        SCTP_NULL());
3685                        return SCTP_DISPOSITION_CONSUME;
3686                }
3687
3688                abort = sctp_make_abort(asoc, asconf_ack,
3689                                        sizeof(sctp_errhdr_t));
3690                if (abort) {
3691                        sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3692                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3693                                        SCTP_CHUNK(abort));
3694                }
3695                /* We are going to ABORT, so we might as well stop
3696                 * processing the rest of the chunks in the packet.
3697                 */
3698                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3699                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3700                                SCTP_ERROR(ECONNABORTED));
3701                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3702                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3703                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3704                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3705                return SCTP_DISPOSITION_ABORT;
3706        }
3707
3708        return SCTP_DISPOSITION_DISCARD;
3709}
3710
3711/*
3712 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3713 *
3714 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3715 * its cumulative TSN point to the value carried in the FORWARD TSN
3716 * chunk, and then MUST further advance its cumulative TSN point locally
3717 * if possible.
3718 * After the above processing, the data receiver MUST stop reporting any
3719 * missing TSNs earlier than or equal to the new cumulative TSN point.
3720 *
3721 * Verification Tag:  8.5 Verification Tag [Normal verification]
3722 *
3723 * The return value is the disposition of the chunk.
3724 */
3725sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
3726                                       const struct sctp_association *asoc,
3727                                       const sctp_subtype_t type,
3728                                       void *arg,
3729                                       sctp_cmd_seq_t *commands)
3730{
3731        struct sctp_chunk *chunk = arg;
3732        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3733        struct sctp_fwdtsn_skip *skip;
3734        __u16 len;
3735        __u32 tsn;
3736
3737        if (!sctp_vtag_verify(chunk, asoc)) {
3738                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3739                                SCTP_NULL());
3740                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3741        }
3742
3743        /* Make sure that the FORWARD_TSN chunk has valid length.  */
3744        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3745                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3746                                                  commands);
3747
3748        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3749        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3750        len = ntohs(chunk->chunk_hdr->length);
3751        len -= sizeof(struct sctp_chunkhdr);
3752        skb_pull(chunk->skb, len);
3753
3754        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3755        SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3756
3757        /* The TSN is too high--silently discard the chunk and count on it
3758         * getting retransmitted later.
3759         */
3760        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3761                goto discard_noforce;
3762
3763        /* Silently discard the chunk if stream-id is not valid */
3764        sctp_walk_fwdtsn(skip, chunk) {
3765                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3766                        goto discard_noforce;
3767        }
3768
3769        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3770        if (len > sizeof(struct sctp_fwdtsn_hdr))
3771                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3772                                SCTP_CHUNK(chunk));
3773
3774        /* Count this as receiving DATA. */
3775        if (asoc->autoclose) {
3776                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3777                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3778        }
3779
3780        /* FIXME: For now send a SACK, but DATA processing may
3781         * send another.
3782         */
3783        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3784
3785        return SCTP_DISPOSITION_CONSUME;
3786
3787discard_noforce:
3788        return SCTP_DISPOSITION_DISCARD;
3789}
3790
3791sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3792        const struct sctp_endpoint *ep,
3793        const struct sctp_association *asoc,
3794        const sctp_subtype_t type,
3795        void *arg,
3796        sctp_cmd_seq_t *commands)
3797{
3798        struct sctp_chunk *chunk = arg;
3799        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3800        struct sctp_fwdtsn_skip *skip;
3801        __u16 len;
3802        __u32 tsn;
3803
3804        if (!sctp_vtag_verify(chunk, asoc)) {
3805                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3806                                SCTP_NULL());
3807                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3808        }
3809
3810        /* Make sure that the FORWARD_TSN chunk has a valid length.  */
3811        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3812                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3813                                                  commands);
3814
3815        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3816        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3817        len = ntohs(chunk->chunk_hdr->length);
3818        len -= sizeof(struct sctp_chunkhdr);
3819        skb_pull(chunk->skb, len);
3820
3821        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3822        SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3823
3824        /* The TSN is too high--silently discard the chunk and count on it
3825         * getting retransmitted later.
3826         */
3827        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3828                goto gen_shutdown;
3829
3830        /* Silently discard the chunk if stream-id is not valid */
3831        sctp_walk_fwdtsn(skip, chunk) {
3832                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3833                        goto gen_shutdown;
3834        }
3835
3836        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3837        if (len > sizeof(struct sctp_fwdtsn_hdr))
3838                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3839                                SCTP_CHUNK(chunk));
3840
3841        /* Go a head and force a SACK, since we are shutting down. */
3842gen_shutdown:
3843        /* Implementor's Guide.
3844         *
3845         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3846         * respond to each received packet containing one or more DATA chunk(s)
3847         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3848         */
3849        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3850        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3851        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3852                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3853
3854        return SCTP_DISPOSITION_CONSUME;
3855}
3856
3857/*
3858 * SCTP-AUTH Section 6.3 Receving authenticated chukns
3859 *
3860 *    The receiver MUST use the HMAC algorithm indicated in the HMAC
3861 *    Identifier field.  If this algorithm was not specified by the
3862 *    receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
3863 *    during association setup, the AUTH chunk and all chunks after it MUST
3864 *    be discarded and an ERROR chunk SHOULD be sent with the error cause
3865 *    defined in Section 4.1.
3866 *
3867 *    If an endpoint with no shared key receives a Shared Key Identifier
3868 *    other than 0, it MUST silently discard all authenticated chunks.  If
3869 *    the endpoint has at least one endpoint pair shared key for the peer,
3870 *    it MUST use the key specified by the Shared Key Identifier if a
3871 *    key has been configured for that Shared Key Identifier.  If no
3872 *    endpoint pair shared key has been configured for that Shared Key
3873 *    Identifier, all authenticated chunks MUST be silently discarded.
3874 *
3875 * Verification Tag:  8.5 Verification Tag [Normal verification]
3876 *
3877 * The return value is the disposition of the chunk.
3878 */
3879static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
3880                                    const struct sctp_association *asoc,
3881                                    const sctp_subtype_t type,
3882                                    struct sctp_chunk *chunk)
3883{
3884        struct sctp_authhdr *auth_hdr;
3885        struct sctp_hmac *hmac;
3886        unsigned int sig_len;
3887        __u16 key_id;
3888        __u8 *save_digest;
3889        __u8 *digest;
3890
3891        /* Pull in the auth header, so we can do some more verification */
3892        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
3893        chunk->subh.auth_hdr = auth_hdr;
3894        skb_pull(chunk->skb, sizeof(struct sctp_authhdr));
3895
3896        /* Make sure that we suport the HMAC algorithm from the auth
3897         * chunk.
3898         */
3899        if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
3900                return SCTP_IERROR_AUTH_BAD_HMAC;
3901
3902        /* Make sure that the provided shared key identifier has been
3903         * configured
3904         */
3905        key_id = ntohs(auth_hdr->shkey_id);
3906        if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
3907                return SCTP_IERROR_AUTH_BAD_KEYID;
3908
3909
3910        /* Make sure that the length of the signature matches what
3911         * we expect.
3912         */
3913        sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);
3914        hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
3915        if (sig_len != hmac->hmac_len)
3916                return SCTP_IERROR_PROTO_VIOLATION;
3917
3918        /* Now that we've done validation checks, we can compute and
3919         * verify the hmac.  The steps involved are:
3920         *  1. Save the digest from the chunk.
3921         *  2. Zero out the digest in the chunk.
3922         *  3. Compute the new digest
3923         *  4. Compare saved and new digests.
3924         */
3925        digest = auth_hdr->hmac;
3926        skb_pull(chunk->skb, sig_len);
3927
3928        save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
3929        if (!save_digest)
3930                goto nomem;
3931
3932        memset(digest, 0, sig_len);
3933
3934        sctp_auth_calculate_hmac(asoc, chunk->skb,
3935                                (struct sctp_auth_chunk *)chunk->chunk_hdr,
3936                                GFP_ATOMIC);
3937
3938        /* Discard the packet if the digests do not match */
3939        if (memcmp(save_digest, digest, sig_len)) {
3940                kfree(save_digest);
3941                return SCTP_IERROR_BAD_SIG;
3942        }
3943
3944        kfree(save_digest);
3945        chunk->auth = 1;
3946
3947        return SCTP_IERROR_NO_ERROR;
3948nomem:
3949        return SCTP_IERROR_NOMEM;
3950}
3951
3952sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep,
3953                                    const struct sctp_association *asoc,
3954                                    const sctp_subtype_t type,
3955                                    void *arg,
3956                                    sctp_cmd_seq_t *commands)
3957{
3958        struct sctp_authhdr *auth_hdr;
3959        struct sctp_chunk *chunk = arg;
3960        struct sctp_chunk *err_chunk;
3961        sctp_ierror_t error;
3962
3963        /* Make sure that the peer has AUTH capable */
3964        if (!asoc->peer.auth_capable)
3965                return sctp_sf_unk_chunk(ep, asoc, type, arg, commands);
3966
3967        if (!sctp_vtag_verify(chunk, asoc)) {
3968                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3969                                SCTP_NULL());
3970                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3971        }
3972
3973        /* Make sure that the AUTH chunk has valid length.  */
3974        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
3975                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3976                                                  commands);
3977
3978        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
3979        error = sctp_sf_authenticate(ep, asoc, type, chunk);
3980        switch (error) {
3981                case SCTP_IERROR_AUTH_BAD_HMAC:
3982                        /* Generate the ERROR chunk and discard the rest
3983                         * of the packet
3984                         */
3985                        err_chunk = sctp_make_op_error(asoc, chunk,
3986                                                        SCTP_ERROR_UNSUP_HMAC,
3987                                                        &auth_hdr->hmac_id,
3988                                                        sizeof(__u16), 0);
3989                        if (err_chunk) {
3990                                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3991                                                SCTP_CHUNK(err_chunk));
3992                        }
3993                        /* Fall Through */
3994                case SCTP_IERROR_AUTH_BAD_KEYID:
3995                case SCTP_IERROR_BAD_SIG:
3996                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3997                        break;
3998                case SCTP_IERROR_PROTO_VIOLATION:
3999                        return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4000                                                          commands);
4001                        break;
4002                case SCTP_IERROR_NOMEM:
4003                        return SCTP_DISPOSITION_NOMEM;
4004                default:
4005                        break;
4006        }
4007
4008        if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4009                struct sctp_ulpevent *ev;
4010
4011                ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4012                                    SCTP_AUTH_NEWKEY, GFP_ATOMIC);
4013
4014                if (!ev)
4015                        return -ENOMEM;
4016
4017                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4018                                SCTP_ULPEVENT(ev));
4019        }
4020
4021        return SCTP_DISPOSITION_CONSUME;
4022}
4023
4024/*
4025 * Process an unknown chunk.
4026 *
4027 * Section: 3.2. Also, 2.1 in the implementor's guide.
4028 *
4029 * Chunk Types are encoded such that the highest-order two bits specify
4030 * the action that must be taken if the processing endpoint does not
4031 * recognize the Chunk Type.
4032 *
4033 * 00 - Stop processing this SCTP packet and discard it, do not process
4034 *      any further chunks within it.
4035 *
4036 * 01 - Stop processing this SCTP packet and discard it, do not process
4037 *      any further chunks within it, and report the unrecognized
4038 *      chunk in an 'Unrecognized Chunk Type'.
4039 *
4040 * 10 - Skip this chunk and continue processing.
4041 *
4042 * 11 - Skip this chunk and continue processing, but report in an ERROR
4043 *      Chunk using the 'Unrecognized Chunk Type' cause of error.
4044 *
4045 * The return value is the disposition of the chunk.
4046 */
4047sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,
4048                                     const struct sctp_association *asoc,
4049                                     const sctp_subtype_t type,
4050                                     void *arg,
4051                                     sctp_cmd_seq_t *commands)
4052{
4053        struct sctp_chunk *unk_chunk = arg;
4054        struct sctp_chunk *err_chunk;
4055        sctp_chunkhdr_t *hdr;
4056
4057        SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);
4058
4059        if (!sctp_vtag_verify(unk_chunk, asoc))
4060                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4061
4062        /* Make sure that the chunk has a valid length.
4063         * Since we don't know the chunk type, we use a general
4064         * chunkhdr structure to make a comparison.
4065         */
4066        if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
4067                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4068                                                  commands);
4069
4070        switch (type.chunk & SCTP_CID_ACTION_MASK) {
4071        case SCTP_CID_ACTION_DISCARD:
4072                /* Discard the packet.  */
4073                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4074                break;
4075        case SCTP_CID_ACTION_DISCARD_ERR:
4076                /* Generate an ERROR chunk as response. */
4077                hdr = unk_chunk->chunk_hdr;
4078                err_chunk = sctp_make_op_error(asoc, unk_chunk,
4079                                               SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4080                                               WORD_ROUND(ntohs(hdr->length)),
4081                                               0);
4082                if (err_chunk) {
4083                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4084                                        SCTP_CHUNK(err_chunk));
4085                }
4086
4087                /* Discard the packet.  */
4088                sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4089                return SCTP_DISPOSITION_CONSUME;
4090                break;
4091        case SCTP_CID_ACTION_SKIP:
4092                /* Skip the chunk.  */
4093                return SCTP_DISPOSITION_DISCARD;
4094                break;
4095        case SCTP_CID_ACTION_SKIP_ERR:
4096                /* Generate an ERROR chunk as response. */
4097                hdr = unk_chunk->chunk_hdr;
4098                err_chunk = sctp_make_op_error(asoc, unk_chunk,
4099                                               SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4100                                               WORD_ROUND(ntohs(hdr->length)),
4101                                               0);
4102                if (err_chunk) {
4103                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4104                                        SCTP_CHUNK(err_chunk));
4105                }
4106                /* Skip the chunk.  */
4107                return SCTP_DISPOSITION_CONSUME;
4108                break;
4109        default:
4110                break;
4111        }
4112
4113        return SCTP_DISPOSITION_DISCARD;
4114}
4115
4116/*
4117 * Discard the chunk.
4118 *
4119 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4120 * [Too numerous to mention...]
4121 * Verification Tag: No verification needed.
4122 * Inputs
4123 * (endpoint, asoc, chunk)
4124 *
4125 * Outputs
4126 * (asoc, reply_msg, msg_up, timers, counters)
4127 *
4128 * The return value is the disposition of the chunk.
4129 */
4130sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep,
4131                                         const struct sctp_association *asoc,
4132                                         const sctp_subtype_t type,
4133                                         void *arg,
4134                                         sctp_cmd_seq_t *commands)
4135{
4136        struct sctp_chunk *chunk = arg;
4137
4138        /* Make sure that the chunk has a valid length.
4139         * Since we don't know the chunk type, we use a general
4140         * chunkhdr structure to make a comparison.
4141         */
4142        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4143                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4144                                                  commands);
4145
4146        SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);
4147        return SCTP_DISPOSITION_DISCARD;
4148}
4149
4150/*
4151 * Discard the whole packet.
4152 *
4153 * Section: 8.4 2)
4154 *
4155 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4156 *    silently discard the OOTB packet and take no further action.
4157 *
4158 * Verification Tag: No verification necessary
4159 *
4160 * Inputs
4161 * (endpoint, asoc, chunk)
4162 *
4163 * Outputs
4164 * (asoc, reply_msg, msg_up, timers, counters)
4165 *
4166 * The return value is the disposition of the chunk.
4167 */
4168sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep,
4169                                    const struct sctp_association *asoc,
4170                                    const sctp_subtype_t type,
4171                                    void *arg,
4172                                    sctp_cmd_seq_t *commands)
4173{
4174        SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS);
4175        sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4176
4177        return SCTP_DISPOSITION_CONSUME;
4178}
4179
4180
4181/*
4182 * The other end is violating protocol.
4183 *
4184 * Section: Not specified
4185 * Verification Tag: Not specified
4186 * Inputs
4187 * (endpoint, asoc, chunk)
4188 *
4189 * Outputs
4190 * (asoc, reply_msg, msg_up, timers, counters)
4191 *
4192 * We simply tag the chunk as a violation.  The state machine will log
4193 * the violation and continue.
4194 */
4195sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep,
4196                                     const struct sctp_association *asoc,
4197                                     const sctp_subtype_t type,
4198                                     void *arg,
4199                                     sctp_cmd_seq_t *commands)
4200{
4201        struct sctp_chunk *chunk = arg;
4202
4203        /* Make sure that the chunk has a valid length. */
4204        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4205                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4206                                                  commands);
4207
4208        return SCTP_DISPOSITION_VIOLATION;
4209}
4210
4211/*
4212 * Common function to handle a protocol violation.
4213 */
4214static sctp_disposition_t sctp_sf_abort_violation(
4215                                     const struct sctp_endpoint *ep,
4216                                     const struct sctp_association *asoc,
4217                                     void *arg,
4218                                     sctp_cmd_seq_t *commands,
4219                                     const __u8 *payload,
4220                                     const size_t paylen)
4221{
4222        struct sctp_packet *packet = NULL;
4223        struct sctp_chunk *chunk =  arg;
4224        struct sctp_chunk *abort = NULL;
4225
4226        /* SCTP-AUTH, Section 6.3:
4227         *    It should be noted that if the receiver wants to tear
4228         *    down an association in an authenticated way only, the
4229         *    handling of malformed packets should not result in
4230         *    tearing down the association.
4231         *
4232         * This means that if we only want to abort associations
4233         * in an authenticated way (i.e AUTH+ABORT), then we
4234         * can't destroy this association just becuase the packet
4235         * was malformed.
4236         */
4237        if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4238                goto discard;
4239
4240        /* Make the abort chunk. */
4241        abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4242        if (!abort)
4243                goto nomem;
4244
4245        if (asoc) {
4246                /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4247                if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4248                    !asoc->peer.i.init_tag) {
4249                        sctp_initack_chunk_t *initack;
4250
4251                        initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
4252                        if (!sctp_chunk_length_valid(chunk,
4253                                                     sizeof(sctp_initack_chunk_t)))
4254                                abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4255                        else {
4256                                unsigned int inittag;
4257
4258                                inittag = ntohl(initack->init_hdr.init_tag);
4259                                sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4260                                                SCTP_U32(inittag));
4261                        }
4262                }
4263
4264                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4265                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4266
4267                if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4268                        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4269                                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4270                        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4271                                        SCTP_ERROR(ECONNREFUSED));
4272                        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4273                                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4274                } else {
4275                        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4276                                        SCTP_ERROR(ECONNABORTED));
4277                        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4278                                        SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4279                        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4280                }
4281        } else {
4282                packet = sctp_ootb_pkt_new(asoc, chunk);
4283
4284                if (!packet)
4285                        goto nomem_pkt;
4286
4287                if (sctp_test_T_bit(abort))
4288                        packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4289
4290                abort->skb->sk = ep->base.sk;
4291
4292                sctp_packet_append_chunk(packet, abort);
4293
4294                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4295                        SCTP_PACKET(packet));
4296
4297                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4298        }
4299
4300        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4301
4302discard:
4303        sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4304        return SCTP_DISPOSITION_ABORT;
4305
4306nomem_pkt:
4307        sctp_chunk_free(abort);
4308nomem:
4309        return SCTP_DISPOSITION_NOMEM;
4310}
4311
4312/*
4313 * Handle a protocol violation when the chunk length is invalid.
4314 * "Invalid" length is identified as smaller than the minimal length a
4315 * given chunk can be.  For example, a SACK chunk has invalid length
4316 * if its length is set to be smaller than the size of sctp_sack_chunk_t.
4317 *
4318 * We inform the other end by sending an ABORT with a Protocol Violation
4319 * error code.
4320 *
4321 * Section: Not specified
4322 * Verification Tag:  Nothing to do
4323 * Inputs
4324 * (endpoint, asoc, chunk)
4325 *
4326 * Outputs
4327 * (reply_msg, msg_up, counters)
4328 *
4329 * Generate an  ABORT chunk and terminate the association.
4330 */
4331static sctp_disposition_t sctp_sf_violation_chunklen(
4332                                     const struct sctp_endpoint *ep,
4333                                     const struct sctp_association *asoc,
4334                                     const sctp_subtype_t type,
4335                                     void *arg,
4336                                     sctp_cmd_seq_t *commands)
4337{
4338        static const char err_str[]="The following chunk had invalid length:";
4339
4340        return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4341                                        sizeof(err_str));
4342}
4343
4344/*
4345 * Handle a protocol violation when the parameter length is invalid.
4346 * "Invalid" length is identified as smaller than the minimal length a
4347 * given parameter can be.
4348 */
4349static sctp_disposition_t sctp_sf_violation_paramlen(
4350