linux/net/sctp/sm_statefuns.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* SCTP kernel implementation
   3 * (C) Copyright IBM Corp. 2001, 2004
   4 * Copyright (c) 1999-2000 Cisco, Inc.
   5 * Copyright (c) 1999-2001 Motorola, Inc.
   6 * Copyright (c) 2001-2002 Intel Corp.
   7 * Copyright (c) 2002      Nokia Corp.
   8 *
   9 * This is part of the SCTP Linux Kernel Implementation.
  10 *
  11 * These are the state functions for the state machine.
  12 *
  13 * Please send any bug reports or fixes you make to the
  14 * email address(es):
  15 *    lksctp developers <linux-sctp@vger.kernel.org>
  16 *
  17 * Written or modified by:
  18 *    La Monte H.P. Yarroll <piggy@acm.org>
  19 *    Karl Knutson          <karl@athena.chicago.il.us>
  20 *    Mathew Kotowsky       <kotowsky@sctp.org>
  21 *    Sridhar Samudrala     <samudrala@us.ibm.com>
  22 *    Jon Grimm             <jgrimm@us.ibm.com>
  23 *    Hui Huang             <hui.huang@nokia.com>
  24 *    Dajiang Zhang         <dajiang.zhang@nokia.com>
  25 *    Daisy Chang           <daisyc@us.ibm.com>
  26 *    Ardelle Fan           <ardelle.fan@intel.com>
  27 *    Ryan Layer            <rmlayer@us.ibm.com>
  28 *    Kevin Gao             <kevin.gao@intel.com>
  29 */
  30
  31#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  32
  33#include <linux/types.h>
  34#include <linux/kernel.h>
  35#include <linux/ip.h>
  36#include <linux/ipv6.h>
  37#include <linux/net.h>
  38#include <linux/inet.h>
  39#include <linux/slab.h>
  40#include <net/sock.h>
  41#include <net/inet_ecn.h>
  42#include <linux/skbuff.h>
  43#include <net/sctp/sctp.h>
  44#include <net/sctp/sm.h>
  45#include <net/sctp/structs.h>
  46
  47#define CREATE_TRACE_POINTS
  48#include <trace/events/sctp.h>
  49
  50static struct sctp_packet *sctp_abort_pkt_new(
  51                                        struct net *net,
  52                                        const struct sctp_endpoint *ep,
  53                                        const struct sctp_association *asoc,
  54                                        struct sctp_chunk *chunk,
  55                                        const void *payload, size_t paylen);
  56static int sctp_eat_data(const struct sctp_association *asoc,
  57                         struct sctp_chunk *chunk,
  58                         struct sctp_cmd_seq *commands);
  59static struct sctp_packet *sctp_ootb_pkt_new(
  60                                        struct net *net,
  61                                        const struct sctp_association *asoc,
  62                                        const struct sctp_chunk *chunk);
  63static void sctp_send_stale_cookie_err(struct net *net,
  64                                       const struct sctp_endpoint *ep,
  65                                       const struct sctp_association *asoc,
  66                                       const struct sctp_chunk *chunk,
  67                                       struct sctp_cmd_seq *commands,
  68                                       struct sctp_chunk *err_chunk);
  69static enum sctp_disposition sctp_sf_do_5_2_6_stale(
  70                                        struct net *net,
  71                                        const struct sctp_endpoint *ep,
  72                                        const struct sctp_association *asoc,
  73                                        const union sctp_subtype type,
  74                                        void *arg,
  75                                        struct sctp_cmd_seq *commands);
  76static enum sctp_disposition sctp_sf_shut_8_4_5(
  77                                        struct net *net,
  78                                        const struct sctp_endpoint *ep,
  79                                        const struct sctp_association *asoc,
  80                                        const union sctp_subtype type,
  81                                        void *arg,
  82                                        struct sctp_cmd_seq *commands);
  83static enum sctp_disposition sctp_sf_tabort_8_4_8(
  84                                        struct net *net,
  85                                        const struct sctp_endpoint *ep,
  86                                        const struct sctp_association *asoc,
  87                                        const union sctp_subtype type,
  88                                        void *arg,
  89                                        struct sctp_cmd_seq *commands);
  90static enum sctp_disposition sctp_sf_new_encap_port(
  91                                        struct net *net,
  92                                        const struct sctp_endpoint *ep,
  93                                        const struct sctp_association *asoc,
  94                                        const union sctp_subtype type,
  95                                        void *arg,
  96                                        struct sctp_cmd_seq *commands);
  97static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
  98
  99static enum sctp_disposition sctp_stop_t1_and_abort(
 100                                        struct net *net,
 101                                        struct sctp_cmd_seq *commands,
 102                                        __be16 error, int sk_err,
 103                                        const struct sctp_association *asoc,
 104                                        struct sctp_transport *transport);
 105
 106static enum sctp_disposition sctp_sf_abort_violation(
 107                                        struct net *net,
 108                                        const struct sctp_endpoint *ep,
 109                                        const struct sctp_association *asoc,
 110                                        void *arg,
 111                                        struct sctp_cmd_seq *commands,
 112                                        const __u8 *payload,
 113                                        const size_t paylen);
 114
 115static enum sctp_disposition sctp_sf_violation_chunklen(
 116                                        struct net *net,
 117                                        const struct sctp_endpoint *ep,
 118                                        const struct sctp_association *asoc,
 119                                        const union sctp_subtype type,
 120                                        void *arg,
 121                                        struct sctp_cmd_seq *commands);
 122
 123static enum sctp_disposition sctp_sf_violation_paramlen(
 124                                        struct net *net,
 125                                        const struct sctp_endpoint *ep,
 126                                        const struct sctp_association *asoc,
 127                                        const union sctp_subtype type,
 128                                        void *arg, void *ext,
 129                                        struct sctp_cmd_seq *commands);
 130
 131static enum sctp_disposition sctp_sf_violation_ctsn(
 132                                        struct net *net,
 133                                        const struct sctp_endpoint *ep,
 134                                        const struct sctp_association *asoc,
 135                                        const union sctp_subtype type,
 136                                        void *arg,
 137                                        struct sctp_cmd_seq *commands);
 138
 139static enum sctp_disposition sctp_sf_violation_chunk(
 140                                        struct net *net,
 141                                        const struct sctp_endpoint *ep,
 142                                        const struct sctp_association *asoc,
 143                                        const union sctp_subtype type,
 144                                        void *arg,
 145                                        struct sctp_cmd_seq *commands);
 146
 147static enum sctp_ierror sctp_sf_authenticate(
 148                                        const struct sctp_association *asoc,
 149                                        struct sctp_chunk *chunk);
 150
 151static enum sctp_disposition __sctp_sf_do_9_1_abort(
 152                                        struct net *net,
 153                                        const struct sctp_endpoint *ep,
 154                                        const struct sctp_association *asoc,
 155                                        const union sctp_subtype type,
 156                                        void *arg,
 157                                        struct sctp_cmd_seq *commands);
 158
 159/* Small helper function that checks if the chunk length
 160 * is of the appropriate length.  The 'required_length' argument
 161 * is set to be the size of a specific chunk we are testing.
 162 * Return Values:  true  = Valid length
 163 *                 false = Invalid length
 164 *
 165 */
 166static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
 167                                           __u16 required_length)
 168{
 169        __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
 170
 171        /* Previously already marked? */
 172        if (unlikely(chunk->pdiscard))
 173                return false;
 174        if (unlikely(chunk_length < required_length))
 175                return false;
 176
 177        return true;
 178}
 179
 180/* Check for format error in an ABORT chunk */
 181static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
 182{
 183        struct sctp_errhdr *err;
 184
 185        sctp_walk_errors(err, chunk->chunk_hdr);
 186
 187        return (void *)err == (void *)chunk->chunk_end;
 188}
 189
 190/**********************************************************
 191 * These are the state functions for handling chunk events.
 192 **********************************************************/
 193
 194/*
 195 * Process the final SHUTDOWN COMPLETE.
 196 *
 197 * Section: 4 (C) (diagram), 9.2
 198 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
 199 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
 200 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
 201 * should stop the T2-shutdown timer and remove all knowledge of the
 202 * association (and thus the association enters the CLOSED state).
 203 *
 204 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
 205 * C) Rules for packet carrying SHUTDOWN COMPLETE:
 206 * ...
 207 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
 208 *   if the Verification Tag field of the packet matches its own tag and
 209 *   the T bit is not set
 210 *   OR
 211 *   it is set to its peer's tag and the T bit is set in the Chunk
 212 *   Flags.
 213 *   Otherwise, the receiver MUST silently discard the packet
 214 *   and take no further action.  An endpoint MUST ignore the
 215 *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
 216 *
 217 * Inputs
 218 * (endpoint, asoc, chunk)
 219 *
 220 * Outputs
 221 * (asoc, reply_msg, msg_up, timers, counters)
 222 *
 223 * The return value is the disposition of the chunk.
 224 */
 225enum sctp_disposition sctp_sf_do_4_C(struct net *net,
 226                                     const struct sctp_endpoint *ep,
 227                                     const struct sctp_association *asoc,
 228                                     const union sctp_subtype type,
 229                                     void *arg, struct sctp_cmd_seq *commands)
 230{
 231        struct sctp_chunk *chunk = arg;
 232        struct sctp_ulpevent *ev;
 233
 234        if (!sctp_vtag_verify_either(chunk, asoc))
 235                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 236
 237        /* RFC 2960 6.10 Bundling
 238         *
 239         * An endpoint MUST NOT bundle INIT, INIT ACK or
 240         * SHUTDOWN COMPLETE with any other chunks.
 241         */
 242        if (!chunk->singleton)
 243                return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
 244
 245        /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
 246        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
 247                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
 248                                                  commands);
 249
 250        /* RFC 2960 10.2 SCTP-to-ULP
 251         *
 252         * H) SHUTDOWN COMPLETE notification
 253         *
 254         * When SCTP completes the shutdown procedures (section 9.2) this
 255         * notification is passed to the upper layer.
 256         */
 257        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
 258                                             0, 0, 0, NULL, GFP_ATOMIC);
 259        if (ev)
 260                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 261                                SCTP_ULPEVENT(ev));
 262
 263        /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
 264         * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
 265         * not the chunk should be discarded. If the endpoint is in
 266         * the SHUTDOWN-ACK-SENT state the endpoint should stop the
 267         * T2-shutdown timer and remove all knowledge of the
 268         * association (and thus the association enters the CLOSED
 269         * state).
 270         */
 271        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 272                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
 273
 274        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 275                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
 276
 277        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 278                        SCTP_STATE(SCTP_STATE_CLOSED));
 279
 280        SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
 281        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
 282
 283        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 284
 285        return SCTP_DISPOSITION_DELETE_TCB;
 286}
 287
 288/*
 289 * Respond to a normal INIT chunk.
 290 * We are the side that is being asked for an association.
 291 *
 292 * Section: 5.1 Normal Establishment of an Association, B
 293 * B) "Z" shall respond immediately with an INIT ACK chunk.  The
 294 *    destination IP address of the INIT ACK MUST be set to the source
 295 *    IP address of the INIT to which this INIT ACK is responding.  In
 296 *    the response, besides filling in other parameters, "Z" must set the
 297 *    Verification Tag field to Tag_A, and also provide its own
 298 *    Verification Tag (Tag_Z) in the Initiate Tag field.
 299 *
 300 * Verification Tag: Must be 0.
 301 *
 302 * Inputs
 303 * (endpoint, asoc, chunk)
 304 *
 305 * Outputs
 306 * (asoc, reply_msg, msg_up, timers, counters)
 307 *
 308 * The return value is the disposition of the chunk.
 309 */
 310enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
 311                                           const struct sctp_endpoint *ep,
 312                                           const struct sctp_association *asoc,
 313                                           const union sctp_subtype type,
 314                                           void *arg,
 315                                           struct sctp_cmd_seq *commands)
 316{
 317        struct sctp_chunk *chunk = arg, *repl, *err_chunk;
 318        struct sctp_unrecognized_param *unk_param;
 319        struct sctp_association *new_asoc;
 320        struct sctp_packet *packet;
 321        int len;
 322
 323        /* Update socket peer label if first association. */
 324        if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
 325                                        chunk->skb))
 326                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 327
 328        /* 6.10 Bundling
 329         * An endpoint MUST NOT bundle INIT, INIT ACK or
 330         * SHUTDOWN COMPLETE with any other chunks.
 331         *
 332         * IG Section 2.11.2
 333         * Furthermore, we require that the receiver of an INIT chunk MUST
 334         * enforce these rules by silently discarding an arriving packet
 335         * with an INIT chunk that is bundled with other chunks.
 336         */
 337        if (!chunk->singleton)
 338                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 339
 340        /* If the packet is an OOTB packet which is temporarily on the
 341         * control endpoint, respond with an ABORT.
 342         */
 343        if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
 344                SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
 345                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 346        }
 347
 348        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
 349         * Tag.
 350         */
 351        if (chunk->sctp_hdr->vtag != 0)
 352                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 353
 354        /* Make sure that the INIT chunk has a valid length.
 355         * Normally, this would cause an ABORT with a Protocol Violation
 356         * error, but since we don't have an association, we'll
 357         * just discard the packet.
 358         */
 359        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
 360                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 361
 362        /* If the INIT is coming toward a closing socket, we'll send back
 363         * and ABORT.  Essentially, this catches the race of INIT being
 364         * backloged to the socket at the same time as the user issues close().
 365         * Since the socket and all its associations are going away, we
 366         * can treat this OOTB
 367         */
 368        if (sctp_sstate(ep->base.sk, CLOSING))
 369                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 370
 371        /* Verify the INIT chunk before processing it. */
 372        err_chunk = NULL;
 373        if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
 374                              (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
 375                              &err_chunk)) {
 376                /* This chunk contains fatal error. It is to be discarded.
 377                 * Send an ABORT, with causes if there is any.
 378                 */
 379                if (err_chunk) {
 380                        packet = sctp_abort_pkt_new(net, ep, asoc, arg,
 381                                        (__u8 *)(err_chunk->chunk_hdr) +
 382                                        sizeof(struct sctp_chunkhdr),
 383                                        ntohs(err_chunk->chunk_hdr->length) -
 384                                        sizeof(struct sctp_chunkhdr));
 385
 386                        sctp_chunk_free(err_chunk);
 387
 388                        if (packet) {
 389                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 390                                                SCTP_PACKET(packet));
 391                                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
 392                                return SCTP_DISPOSITION_CONSUME;
 393                        } else {
 394                                return SCTP_DISPOSITION_NOMEM;
 395                        }
 396                } else {
 397                        return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
 398                                                    commands);
 399                }
 400        }
 401
 402        /* Grab the INIT header.  */
 403        chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
 404
 405        /* Tag the variable length parameters.  */
 406        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
 407
 408        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
 409        if (!new_asoc)
 410                goto nomem;
 411
 412        if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
 413                                             sctp_scope(sctp_source(chunk)),
 414                                             GFP_ATOMIC) < 0)
 415                goto nomem_init;
 416
 417        /* The call, sctp_process_init(), can fail on memory allocation.  */
 418        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
 419                               (struct sctp_init_chunk *)chunk->chunk_hdr,
 420                               GFP_ATOMIC))
 421                goto nomem_init;
 422
 423        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
 424
 425        /* If there are errors need to be reported for unknown parameters,
 426         * make sure to reserve enough room in the INIT ACK for them.
 427         */
 428        len = 0;
 429        if (err_chunk)
 430                len = ntohs(err_chunk->chunk_hdr->length) -
 431                      sizeof(struct sctp_chunkhdr);
 432
 433        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
 434        if (!repl)
 435                goto nomem_init;
 436
 437        /* If there are errors need to be reported for unknown parameters,
 438         * include them in the outgoing INIT ACK as "Unrecognized parameter"
 439         * parameter.
 440         */
 441        if (err_chunk) {
 442                /* Get the "Unrecognized parameter" parameter(s) out of the
 443                 * ERROR chunk generated by sctp_verify_init(). Since the
 444                 * error cause code for "unknown parameter" and the
 445                 * "Unrecognized parameter" type is the same, we can
 446                 * construct the parameters in INIT ACK by copying the
 447                 * ERROR causes over.
 448                 */
 449                unk_param = (struct sctp_unrecognized_param *)
 450                            ((__u8 *)(err_chunk->chunk_hdr) +
 451                            sizeof(struct sctp_chunkhdr));
 452                /* Replace the cause code with the "Unrecognized parameter"
 453                 * parameter type.
 454                 */
 455                sctp_addto_chunk(repl, len, unk_param);
 456                sctp_chunk_free(err_chunk);
 457        }
 458
 459        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 460
 461        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 462
 463        /*
 464         * Note:  After sending out INIT ACK with the State Cookie parameter,
 465         * "Z" MUST NOT allocate any resources, nor keep any states for the
 466         * new association.  Otherwise, "Z" will be vulnerable to resource
 467         * attacks.
 468         */
 469        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 470
 471        return SCTP_DISPOSITION_DELETE_TCB;
 472
 473nomem_init:
 474        sctp_association_free(new_asoc);
 475nomem:
 476        if (err_chunk)
 477                sctp_chunk_free(err_chunk);
 478        return SCTP_DISPOSITION_NOMEM;
 479}
 480
 481/*
 482 * Respond to a normal INIT ACK chunk.
 483 * We are the side that is initiating the association.
 484 *
 485 * Section: 5.1 Normal Establishment of an Association, C
 486 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
 487 *    timer and leave COOKIE-WAIT state. "A" shall then send the State
 488 *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
 489 *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
 490 *
 491 *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
 492 *    DATA chunks, but it MUST be the first chunk in the packet and
 493 *    until the COOKIE ACK is returned the sender MUST NOT send any
 494 *    other packets to the peer.
 495 *
 496 * Verification Tag: 3.3.3
 497 *   If the value of the Initiate Tag in a received INIT ACK chunk is
 498 *   found to be 0, the receiver MUST treat it as an error and close the
 499 *   association by transmitting an ABORT.
 500 *
 501 * Inputs
 502 * (endpoint, asoc, chunk)
 503 *
 504 * Outputs
 505 * (asoc, reply_msg, msg_up, timers, counters)
 506 *
 507 * The return value is the disposition of the chunk.
 508 */
 509enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
 510                                          const struct sctp_endpoint *ep,
 511                                          const struct sctp_association *asoc,
 512                                          const union sctp_subtype type,
 513                                          void *arg,
 514                                          struct sctp_cmd_seq *commands)
 515{
 516        struct sctp_init_chunk *initchunk;
 517        struct sctp_chunk *chunk = arg;
 518        struct sctp_chunk *err_chunk;
 519        struct sctp_packet *packet;
 520
 521        if (!sctp_vtag_verify(chunk, asoc))
 522                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 523
 524        /* 6.10 Bundling
 525         * An endpoint MUST NOT bundle INIT, INIT ACK or
 526         * SHUTDOWN COMPLETE with any other chunks.
 527         */
 528        if (!chunk->singleton)
 529                return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);
 530
 531        /* Make sure that the INIT-ACK chunk has a valid length */
 532        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
 533                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
 534                                                  commands);
 535        /* Grab the INIT header.  */
 536        chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
 537
 538        /* Verify the INIT chunk before processing it. */
 539        err_chunk = NULL;
 540        if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
 541                              (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
 542                              &err_chunk)) {
 543
 544                enum sctp_error error = SCTP_ERROR_NO_RESOURCE;
 545
 546                /* This chunk contains fatal error. It is to be discarded.
 547                 * Send an ABORT, with causes.  If there are no causes,
 548                 * then there wasn't enough memory.  Just terminate
 549                 * the association.
 550                 */
 551                if (err_chunk) {
 552                        packet = sctp_abort_pkt_new(net, ep, asoc, arg,
 553                                        (__u8 *)(err_chunk->chunk_hdr) +
 554                                        sizeof(struct sctp_chunkhdr),
 555                                        ntohs(err_chunk->chunk_hdr->length) -
 556                                        sizeof(struct sctp_chunkhdr));
 557
 558                        sctp_chunk_free(err_chunk);
 559
 560                        if (packet) {
 561                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
 562                                                SCTP_PACKET(packet));
 563                                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
 564                                error = SCTP_ERROR_INV_PARAM;
 565                        }
 566                }
 567
 568                /* SCTP-AUTH, Section 6.3:
 569                 *    It should be noted that if the receiver wants to tear
 570                 *    down an association in an authenticated way only, the
 571                 *    handling of malformed packets should not result in
 572                 *    tearing down the association.
 573                 *
 574                 * This means that if we only want to abort associations
 575                 * in an authenticated way (i.e AUTH+ABORT), then we
 576                 * can't destroy this association just because the packet
 577                 * was malformed.
 578                 */
 579                if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
 580                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 581
 582                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
 583                return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,
 584                                                asoc, chunk->transport);
 585        }
 586
 587        /* Tag the variable length parameters.  Note that we never
 588         * convert the parameters in an INIT chunk.
 589         */
 590        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
 591
 592        initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;
 593
 594        sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
 595                        SCTP_PEER_INIT(initchunk));
 596
 597        /* Reset init error count upon receipt of INIT-ACK.  */
 598        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 599
 600        /* 5.1 C) "A" shall stop the T1-init timer and leave
 601         * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
 602         * timer, and enter the COOKIE-ECHOED state.
 603         */
 604        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 605                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
 606        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 607                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 608        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 609                        SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
 610
 611        /* SCTP-AUTH: generate the association shared keys so that
 612         * we can potentially sign the COOKIE-ECHO.
 613         */
 614        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
 615
 616        /* 5.1 C) "A" shall then send the State Cookie received in the
 617         * INIT ACK chunk in a COOKIE ECHO chunk, ...
 618         */
 619        /* If there is any errors to report, send the ERROR chunk generated
 620         * for unknown parameters as well.
 621         */
 622        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
 623                        SCTP_CHUNK(err_chunk));
 624
 625        return SCTP_DISPOSITION_CONSUME;
 626}
 627
 628static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
 629                                   const struct sctp_association *asoc)
 630{
 631        struct sctp_chunk auth;
 632
 633        if (!chunk->auth_chunk)
 634                return true;
 635
 636        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
 637         * is supposed to be authenticated and we have to do delayed
 638         * authentication.  We've just recreated the association using
 639         * the information in the cookie and now it's much easier to
 640         * do the authentication.
 641         */
 642
 643        /* Make sure that we and the peer are AUTH capable */
 644        if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
 645                return false;
 646
 647        /* set-up our fake chunk so that we can process it */
 648        auth.skb = chunk->auth_chunk;
 649        auth.asoc = chunk->asoc;
 650        auth.sctp_hdr = chunk->sctp_hdr;
 651        auth.chunk_hdr = (struct sctp_chunkhdr *)
 652                                skb_push(chunk->auth_chunk,
 653                                         sizeof(struct sctp_chunkhdr));
 654        skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
 655        auth.transport = chunk->transport;
 656
 657        return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
 658}
 659
 660/*
 661 * Respond to a normal COOKIE ECHO chunk.
 662 * We are the side that is being asked for an association.
 663 *
 664 * Section: 5.1 Normal Establishment of an Association, D
 665 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
 666 *    with a COOKIE ACK chunk after building a TCB and moving to
 667 *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
 668 *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
 669 *    chunk MUST be the first chunk in the packet.
 670 *
 671 *   IMPLEMENTATION NOTE: An implementation may choose to send the
 672 *   Communication Up notification to the SCTP user upon reception
 673 *   of a valid COOKIE ECHO chunk.
 674 *
 675 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
 676 * D) Rules for packet carrying a COOKIE ECHO
 677 *
 678 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
 679 *   Initial Tag received in the INIT ACK.
 680 *
 681 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
 682 *
 683 * Inputs
 684 * (endpoint, asoc, chunk)
 685 *
 686 * Outputs
 687 * (asoc, reply_msg, msg_up, timers, counters)
 688 *
 689 * The return value is the disposition of the chunk.
 690 */
 691enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
 692                                         const struct sctp_endpoint *ep,
 693                                         const struct sctp_association *asoc,
 694                                         const union sctp_subtype type,
 695                                         void *arg,
 696                                         struct sctp_cmd_seq *commands)
 697{
 698        struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
 699        struct sctp_association *new_asoc;
 700        struct sctp_init_chunk *peer_init;
 701        struct sctp_chunk *chunk = arg;
 702        struct sctp_chunk *err_chk_p;
 703        struct sctp_chunk *repl;
 704        struct sock *sk;
 705        int error = 0;
 706
 707        /* If the packet is an OOTB packet which is temporarily on the
 708         * control endpoint, respond with an ABORT.
 709         */
 710        if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
 711                SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
 712                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 713        }
 714
 715        /* Make sure that the COOKIE_ECHO chunk has a valid length.
 716         * In this case, we check that we have enough for at least a
 717         * chunk header.  More detailed verification is done
 718         * in sctp_unpack_cookie().
 719         */
 720        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
 721                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 722
 723        /* If the endpoint is not listening or if the number of associations
 724         * on the TCP-style socket exceed the max backlog, respond with an
 725         * ABORT.
 726         */
 727        sk = ep->base.sk;
 728        if (!sctp_sstate(sk, LISTENING) ||
 729            (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
 730                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 731
 732        /* "Decode" the chunk.  We have no optional parameters so we
 733         * are in good shape.
 734         */
 735        chunk->subh.cookie_hdr =
 736                (struct sctp_signed_cookie *)chunk->skb->data;
 737        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
 738                                         sizeof(struct sctp_chunkhdr)))
 739                goto nomem;
 740
 741        /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
 742         * "Z" will reply with a COOKIE ACK chunk after building a TCB
 743         * and moving to the ESTABLISHED state.
 744         */
 745        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
 746                                      &err_chk_p);
 747
 748        /* FIXME:
 749         * If the re-build failed, what is the proper error path
 750         * from here?
 751         *
 752         * [We should abort the association. --piggy]
 753         */
 754        if (!new_asoc) {
 755                /* FIXME: Several errors are possible.  A bad cookie should
 756                 * be silently discarded, but think about logging it too.
 757                 */
 758                switch (error) {
 759                case -SCTP_IERROR_NOMEM:
 760                        goto nomem;
 761
 762                case -SCTP_IERROR_STALE_COOKIE:
 763                        sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
 764                                                   err_chk_p);
 765                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 766
 767                case -SCTP_IERROR_BAD_SIG:
 768                default:
 769                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 770                }
 771        }
 772
 773
 774        /* Delay state machine commands until later.
 775         *
 776         * Re-build the bind address for the association is done in
 777         * the sctp_unpack_cookie() already.
 778         */
 779        /* This is a brand-new association, so these are not yet side
 780         * effects--it is safe to run them here.
 781         */
 782        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
 783
 784        if (!sctp_process_init(new_asoc, chunk,
 785                               &chunk->subh.cookie_hdr->c.peer_addr,
 786                               peer_init, GFP_ATOMIC))
 787                goto nomem_init;
 788
 789        /* SCTP-AUTH:  Now that we've populate required fields in
 790         * sctp_process_init, set up the association shared keys as
 791         * necessary so that we can potentially authenticate the ACK
 792         */
 793        error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
 794        if (error)
 795                goto nomem_init;
 796
 797        if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
 798                sctp_association_free(new_asoc);
 799                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 800        }
 801
 802        repl = sctp_make_cookie_ack(new_asoc, chunk);
 803        if (!repl)
 804                goto nomem_init;
 805
 806        /* RFC 2960 5.1 Normal Establishment of an Association
 807         *
 808         * D) IMPLEMENTATION NOTE: An implementation may choose to
 809         * send the Communication Up notification to the SCTP user
 810         * upon reception of a valid COOKIE ECHO chunk.
 811         */
 812        ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
 813                                             new_asoc->c.sinit_num_ostreams,
 814                                             new_asoc->c.sinit_max_instreams,
 815                                             NULL, GFP_ATOMIC);
 816        if (!ev)
 817                goto nomem_ev;
 818
 819        /* Sockets API Draft Section 5.3.1.6
 820         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 821         * delivers this notification to inform the application that of the
 822         * peers requested adaptation layer.
 823         */
 824        if (new_asoc->peer.adaptation_ind) {
 825                ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
 826                                                            GFP_ATOMIC);
 827                if (!ai_ev)
 828                        goto nomem_aiev;
 829        }
 830
 831        if (!new_asoc->peer.auth_capable) {
 832                auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
 833                                                     SCTP_AUTH_NO_AUTH,
 834                                                     GFP_ATOMIC);
 835                if (!auth_ev)
 836                        goto nomem_authev;
 837        }
 838
 839        /* Add all the state machine commands now since we've created
 840         * everything.  This way we don't introduce memory corruptions
 841         * during side-effect processing and correctly count established
 842         * associations.
 843         */
 844        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
 845        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 846                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 847        SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
 848        SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
 849        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 850
 851        if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
 852                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 853                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 854
 855        /* This will send the COOKIE ACK */
 856        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 857
 858        /* Queue the ASSOC_CHANGE event */
 859        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 860
 861        /* Send up the Adaptation Layer Indication event */
 862        if (ai_ev)
 863                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 864                                SCTP_ULPEVENT(ai_ev));
 865
 866        if (auth_ev)
 867                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 868                                SCTP_ULPEVENT(auth_ev));
 869
 870        return SCTP_DISPOSITION_CONSUME;
 871
 872nomem_authev:
 873        sctp_ulpevent_free(ai_ev);
 874nomem_aiev:
 875        sctp_ulpevent_free(ev);
 876nomem_ev:
 877        sctp_chunk_free(repl);
 878nomem_init:
 879        sctp_association_free(new_asoc);
 880nomem:
 881        return SCTP_DISPOSITION_NOMEM;
 882}
 883
 884/*
 885 * Respond to a normal COOKIE ACK chunk.
 886 * We are the side that is asking for an association.
 887 *
 888 * RFC 2960 5.1 Normal Establishment of an Association
 889 *
 890 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
 891 *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
 892 *    timer. It may also notify its ULP about the successful
 893 *    establishment of the association with a Communication Up
 894 *    notification (see Section 10).
 895 *
 896 * Verification Tag:
 897 * Inputs
 898 * (endpoint, asoc, chunk)
 899 *
 900 * Outputs
 901 * (asoc, reply_msg, msg_up, timers, counters)
 902 *
 903 * The return value is the disposition of the chunk.
 904 */
 905enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
 906                                         const struct sctp_endpoint *ep,
 907                                         const struct sctp_association *asoc,
 908                                         const union sctp_subtype type,
 909                                         void *arg,
 910                                         struct sctp_cmd_seq *commands)
 911{
 912        struct sctp_chunk *chunk = arg;
 913        struct sctp_ulpevent *ev;
 914
 915        if (!sctp_vtag_verify(chunk, asoc))
 916                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 917
 918        /* Verify that the chunk length for the COOKIE-ACK is OK.
 919         * If we don't do this, any bundled chunks may be junked.
 920         */
 921        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
 922                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
 923                                                  commands);
 924
 925        /* Reset init error count upon receipt of COOKIE-ACK,
 926         * to avoid problems with the management of this
 927         * counter in stale cookie situations when a transition back
 928         * from the COOKIE-ECHOED state to the COOKIE-WAIT
 929         * state is performed.
 930         */
 931        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 932
 933        /* Set peer label for connection. */
 934        security_inet_conn_established(ep->base.sk, chunk->skb);
 935
 936        /* RFC 2960 5.1 Normal Establishment of an Association
 937         *
 938         * E) Upon reception of the COOKIE ACK, endpoint "A" will move
 939         * from the COOKIE-ECHOED state to the ESTABLISHED state,
 940         * stopping the T1-cookie timer.
 941         */
 942        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
 943                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
 944        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 945                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
 946        SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
 947        SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
 948        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 949        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
 950                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
 951                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 952
 953        /* It may also notify its ULP about the successful
 954         * establishment of the association with a Communication Up
 955         * notification (see Section 10).
 956         */
 957        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
 958                                             0, asoc->c.sinit_num_ostreams,
 959                                             asoc->c.sinit_max_instreams,
 960                                             NULL, GFP_ATOMIC);
 961
 962        if (!ev)
 963                goto nomem;
 964
 965        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 966
 967        /* Sockets API Draft Section 5.3.1.6
 968         * When a peer sends a Adaptation Layer Indication parameter , SCTP
 969         * delivers this notification to inform the application that of the
 970         * peers requested adaptation layer.
 971         */
 972        if (asoc->peer.adaptation_ind) {
 973                ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
 974                if (!ev)
 975                        goto nomem;
 976
 977                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 978                                SCTP_ULPEVENT(ev));
 979        }
 980
 981        if (!asoc->peer.auth_capable) {
 982                ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
 983                                                GFP_ATOMIC);
 984                if (!ev)
 985                        goto nomem;
 986                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
 987                                SCTP_ULPEVENT(ev));
 988        }
 989
 990        return SCTP_DISPOSITION_CONSUME;
 991nomem:
 992        return SCTP_DISPOSITION_NOMEM;
 993}
 994
 995/* Generate and sendout a heartbeat packet.  */
 996static enum sctp_disposition sctp_sf_heartbeat(
 997                                        const struct sctp_endpoint *ep,
 998                                        const struct sctp_association *asoc,
 999                                        const union sctp_subtype type,
1000                                        void *arg,
1001                                        struct sctp_cmd_seq *commands)
1002{
1003        struct sctp_transport *transport = (struct sctp_transport *) arg;
1004        struct sctp_chunk *reply;
1005
1006        /* Send a heartbeat to our peer.  */
1007        reply = sctp_make_heartbeat(asoc, transport, 0);
1008        if (!reply)
1009                return SCTP_DISPOSITION_NOMEM;
1010
1011        /* Set rto_pending indicating that an RTT measurement
1012         * is started with this heartbeat chunk.
1013         */
1014        sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
1015                        SCTP_TRANSPORT(transport));
1016
1017        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1018        return SCTP_DISPOSITION_CONSUME;
1019}
1020
1021/* Generate a HEARTBEAT packet on the given transport.  */
1022enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
1023                                           const struct sctp_endpoint *ep,
1024                                           const struct sctp_association *asoc,
1025                                           const union sctp_subtype type,
1026                                           void *arg,
1027                                           struct sctp_cmd_seq *commands)
1028{
1029        struct sctp_transport *transport = (struct sctp_transport *) arg;
1030
1031        if (asoc->overall_error_count >= asoc->max_retrans) {
1032                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1033                                SCTP_ERROR(ETIMEDOUT));
1034                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1035                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1036                                SCTP_PERR(SCTP_ERROR_NO_ERROR));
1037                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1038                SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1039                return SCTP_DISPOSITION_DELETE_TCB;
1040        }
1041
1042        /* Section 3.3.5.
1043         * The Sender-specific Heartbeat Info field should normally include
1044         * information about the sender's current time when this HEARTBEAT
1045         * chunk is sent and the destination transport address to which this
1046         * HEARTBEAT is sent (see Section 8.3).
1047         */
1048
1049        if (transport->param_flags & SPP_HB_ENABLE) {
1050                if (SCTP_DISPOSITION_NOMEM ==
1051                                sctp_sf_heartbeat(ep, asoc, type, arg,
1052                                                  commands))
1053                        return SCTP_DISPOSITION_NOMEM;
1054
1055                /* Set transport error counter and association error counter
1056                 * when sending heartbeat.
1057                 */
1058                sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1059                                SCTP_TRANSPORT(transport));
1060        }
1061        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1062                        SCTP_TRANSPORT(transport));
1063        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1064                        SCTP_TRANSPORT(transport));
1065
1066        return SCTP_DISPOSITION_CONSUME;
1067}
1068
1069/* resend asoc strreset_chunk.  */
1070enum sctp_disposition sctp_sf_send_reconf(struct net *net,
1071                                          const struct sctp_endpoint *ep,
1072                                          const struct sctp_association *asoc,
1073                                          const union sctp_subtype type,
1074                                          void *arg,
1075                                          struct sctp_cmd_seq *commands)
1076{
1077        struct sctp_transport *transport = arg;
1078
1079        if (asoc->overall_error_count >= asoc->max_retrans) {
1080                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
1081                                SCTP_ERROR(ETIMEDOUT));
1082                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
1083                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
1084                                SCTP_PERR(SCTP_ERROR_NO_ERROR));
1085                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1086                SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1087                return SCTP_DISPOSITION_DELETE_TCB;
1088        }
1089
1090        sctp_chunk_hold(asoc->strreset_chunk);
1091        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1092                        SCTP_CHUNK(asoc->strreset_chunk));
1093        sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
1094
1095        return SCTP_DISPOSITION_CONSUME;
1096}
1097
1098/* send hb chunk with padding for PLPMUTD.  */
1099enum sctp_disposition sctp_sf_send_probe(struct net *net,
1100                                         const struct sctp_endpoint *ep,
1101                                         const struct sctp_association *asoc,
1102                                         const union sctp_subtype type,
1103                                         void *arg,
1104                                         struct sctp_cmd_seq *commands)
1105{
1106        struct sctp_transport *transport = (struct sctp_transport *)arg;
1107        struct sctp_chunk *reply;
1108
1109        if (!sctp_transport_pl_enabled(transport))
1110                return SCTP_DISPOSITION_CONSUME;
1111
1112        if (sctp_transport_pl_send(transport)) {
1113                reply = sctp_make_heartbeat(asoc, transport, transport->pl.probe_size);
1114                if (!reply)
1115                        return SCTP_DISPOSITION_NOMEM;
1116                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1117        }
1118        sctp_add_cmd_sf(commands, SCTP_CMD_PROBE_TIMER_UPDATE,
1119                        SCTP_TRANSPORT(transport));
1120
1121        return SCTP_DISPOSITION_CONSUME;
1122}
1123
1124/*
1125 * Process an heartbeat request.
1126 *
1127 * Section: 8.3 Path Heartbeat
1128 * The receiver of the HEARTBEAT should immediately respond with a
1129 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1130 * from the received HEARTBEAT chunk.
1131 *
1132 * Verification Tag:  8.5 Verification Tag [Normal verification]
1133 * When receiving an SCTP packet, the endpoint MUST ensure that the
1134 * value in the Verification Tag field of the received SCTP packet
1135 * matches its own Tag. If the received Verification Tag value does not
1136 * match the receiver's own tag value, the receiver shall silently
1137 * discard the packet and shall not process it any further except for
1138 * those cases listed in Section 8.5.1 below.
1139 *
1140 * Inputs
1141 * (endpoint, asoc, chunk)
1142 *
1143 * Outputs
1144 * (asoc, reply_msg, msg_up, timers, counters)
1145 *
1146 * The return value is the disposition of the chunk.
1147 */
1148enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
1149                                       const struct sctp_endpoint *ep,
1150                                       const struct sctp_association *asoc,
1151                                       const union sctp_subtype type,
1152                                       void *arg, struct sctp_cmd_seq *commands)
1153{
1154        struct sctp_paramhdr *param_hdr;
1155        struct sctp_chunk *chunk = arg;
1156        struct sctp_chunk *reply;
1157        size_t paylen = 0;
1158
1159        if (!sctp_vtag_verify(chunk, asoc))
1160                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1161
1162        /* Make sure that the HEARTBEAT chunk has a valid length. */
1163        if (!sctp_chunk_length_valid(chunk,
1164                                     sizeof(struct sctp_heartbeat_chunk)))
1165                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1166                                                  commands);
1167
1168        /* 8.3 The receiver of the HEARTBEAT should immediately
1169         * respond with a HEARTBEAT ACK that contains the Heartbeat
1170         * Information field copied from the received HEARTBEAT chunk.
1171         */
1172        chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
1173        param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
1174        paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);
1175
1176        if (ntohs(param_hdr->length) > paylen)
1177                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
1178                                                  param_hdr, commands);
1179
1180        if (!pskb_pull(chunk->skb, paylen))
1181                goto nomem;
1182
1183        reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);
1184        if (!reply)
1185                goto nomem;
1186
1187        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1188        return SCTP_DISPOSITION_CONSUME;
1189
1190nomem:
1191        return SCTP_DISPOSITION_NOMEM;
1192}
1193
1194/*
1195 * Process the returning HEARTBEAT ACK.
1196 *
1197 * Section: 8.3 Path Heartbeat
1198 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1199 * should clear the error counter of the destination transport
1200 * address to which the HEARTBEAT was sent, and mark the destination
1201 * transport address as active if it is not so marked. The endpoint may
1202 * optionally report to the upper layer when an inactive destination
1203 * address is marked as active due to the reception of the latest
1204 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1205 * clear the association overall error count as well (as defined
1206 * in section 8.1).
1207 *
1208 * The receiver of the HEARTBEAT ACK should also perform an RTT
1209 * measurement for that destination transport address using the time
1210 * value carried in the HEARTBEAT ACK chunk.
1211 *
1212 * Verification Tag:  8.5 Verification Tag [Normal verification]
1213 *
1214 * Inputs
1215 * (endpoint, asoc, chunk)
1216 *
1217 * Outputs
1218 * (asoc, reply_msg, msg_up, timers, counters)
1219 *
1220 * The return value is the disposition of the chunk.
1221 */
1222enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
1223                                           const struct sctp_endpoint *ep,
1224                                           const struct sctp_association *asoc,
1225                                           const union sctp_subtype type,
1226                                           void *arg,
1227                                           struct sctp_cmd_seq *commands)
1228{
1229        struct sctp_sender_hb_info *hbinfo;
1230        struct sctp_chunk *chunk = arg;
1231        struct sctp_transport *link;
1232        unsigned long max_interval;
1233        union sctp_addr from_addr;
1234
1235        if (!sctp_vtag_verify(chunk, asoc))
1236                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1237
1238        /* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */
1239        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
1240                                            sizeof(*hbinfo)))
1241                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1242                                                  commands);
1243
1244        hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;
1245        /* Make sure that the length of the parameter is what we expect */
1246        if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
1247                return SCTP_DISPOSITION_DISCARD;
1248
1249        from_addr = hbinfo->daddr;
1250        link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1251
1252        /* This should never happen, but lets log it if so.  */
1253        if (unlikely(!link)) {
1254                if (from_addr.sa.sa_family == AF_INET6) {
1255                        net_warn_ratelimited("%s association %p could not find address %pI6\n",
1256                                             __func__,
1257                                             asoc,
1258                                             &from_addr.v6.sin6_addr);
1259                } else {
1260                        net_warn_ratelimited("%s association %p could not find address %pI4\n",
1261                                             __func__,
1262                                             asoc,
1263                                             &from_addr.v4.sin_addr.s_addr);
1264                }
1265                return SCTP_DISPOSITION_DISCARD;
1266        }
1267
1268        /* Validate the 64-bit random nonce. */
1269        if (hbinfo->hb_nonce != link->hb_nonce)
1270                return SCTP_DISPOSITION_DISCARD;
1271
1272        if (hbinfo->probe_size) {
1273                if (hbinfo->probe_size != link->pl.probe_size ||
1274                    !sctp_transport_pl_enabled(link))
1275                        return SCTP_DISPOSITION_DISCARD;
1276
1277                if (sctp_transport_pl_recv(link))
1278                        return SCTP_DISPOSITION_CONSUME;
1279
1280                return sctp_sf_send_probe(net, ep, asoc, type, link, commands);
1281        }
1282
1283        max_interval = link->hbinterval + link->rto;
1284
1285        /* Check if the timestamp looks valid.  */
1286        if (time_after(hbinfo->sent_at, jiffies) ||
1287            time_after(jiffies, hbinfo->sent_at + max_interval)) {
1288                pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
1289                         "for transport:%p\n", __func__, link);
1290
1291                return SCTP_DISPOSITION_DISCARD;
1292        }
1293
1294        /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1295         * the HEARTBEAT should clear the error counter of the
1296         * destination transport address to which the HEARTBEAT was
1297         * sent and mark the destination transport address as active if
1298         * it is not so marked.
1299         */
1300        sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1301
1302        return SCTP_DISPOSITION_CONSUME;
1303}
1304
1305/* Helper function to send out an abort for the restart
1306 * condition.
1307 */
1308static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
1309                                      struct sctp_chunk *init,
1310                                      struct sctp_cmd_seq *commands)
1311{
1312        struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1313        union sctp_addr_param *addrparm;
1314        struct sctp_errhdr *errhdr;
1315        char buffer[sizeof(*errhdr) + sizeof(*addrparm)];
1316        struct sctp_endpoint *ep;
1317        struct sctp_packet *pkt;
1318        int len;
1319
1320        /* Build the error on the stack.   We are way to malloc crazy
1321         * throughout the code today.
1322         */
1323        errhdr = (struct sctp_errhdr *)buffer;
1324        addrparm = (union sctp_addr_param *)errhdr->variable;
1325
1326        /* Copy into a parm format. */
1327        len = af->to_addr_param(ssa, addrparm);
1328        len += sizeof(*errhdr);
1329
1330        errhdr->cause = SCTP_ERROR_RESTART;
1331        errhdr->length = htons(len);
1332
1333        /* Assign to the control socket. */
1334        ep = sctp_sk(net->sctp.ctl_sock)->ep;
1335
1336        /* Association is NULL since this may be a restart attack and we
1337         * want to send back the attacker's vtag.
1338         */
1339        pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);
1340
1341        if (!pkt)
1342                goto out;
1343        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1344
1345        SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1346
1347        /* Discard the rest of the inbound packet. */
1348        sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1349
1350out:
1351        /* Even if there is no memory, treat as a failure so
1352         * the packet will get dropped.
1353         */
1354        return 0;
1355}
1356
1357static bool list_has_sctp_addr(const struct list_head *list,
1358                               union sctp_addr *ipaddr)
1359{
1360        struct sctp_transport *addr;
1361
1362        list_for_each_entry(addr, list, transports) {
1363                if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1364                        return true;
1365        }
1366
1367        return false;
1368}
1369/* A restart is occurring, check to make sure no new addresses
1370 * are being added as we may be under a takeover attack.
1371 */
1372static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1373                                       const struct sctp_association *asoc,
1374                                       struct sctp_chunk *init,
1375                                       struct sctp_cmd_seq *commands)
1376{
1377        struct net *net = new_asoc->base.net;
1378        struct sctp_transport *new_addr;
1379        int ret = 1;
1380
1381        /* Implementor's Guide - Section 5.2.2
1382         * ...
1383         * Before responding the endpoint MUST check to see if the
1384         * unexpected INIT adds new addresses to the association. If new
1385         * addresses are added to the association, the endpoint MUST respond
1386         * with an ABORT..
1387         */
1388
1389        /* Search through all current addresses and make sure
1390         * we aren't adding any new ones.
1391         */
1392        list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1393                            transports) {
1394                if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1395                                        &new_addr->ipaddr)) {
1396                        sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,
1397                                                   commands);
1398                        ret = 0;
1399                        break;
1400                }
1401        }
1402
1403        /* Return success if all addresses were found. */
1404        return ret;
1405}
1406
1407/* Populate the verification/tie tags based on overlapping INIT
1408 * scenario.
1409 *
1410 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1411 */
1412static void sctp_tietags_populate(struct sctp_association *new_asoc,
1413                                  const struct sctp_association *asoc)
1414{
1415        switch (asoc->state) {
1416
1417        /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1418
1419        case SCTP_STATE_COOKIE_WAIT:
1420                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1421                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1422                new_asoc->c.peer_ttag   = 0;
1423                break;
1424
1425        case SCTP_STATE_COOKIE_ECHOED:
1426                new_asoc->c.my_vtag     = asoc->c.my_vtag;
1427                new_asoc->c.my_ttag     = asoc->c.my_vtag;
1428                new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
1429                break;
1430
1431        /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1432         * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1433         */
1434        default:
1435                new_asoc->c.my_ttag   = asoc->c.my_vtag;
1436                new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1437                break;
1438        }
1439
1440        /* Other parameters for the endpoint SHOULD be copied from the
1441         * existing parameters of the association (e.g. number of
1442         * outbound streams) into the INIT ACK and cookie.
1443         */
1444        new_asoc->rwnd                  = asoc->rwnd;
1445        new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
1446        new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1447        new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
1448}
1449
1450/*
1451 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1452 * handling action.
1453 *
1454 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1455 *
1456 * Returns value representing action to be taken.   These action values
1457 * correspond to Action/Description values in RFC 2960, Table 2.
1458 */
1459static char sctp_tietags_compare(struct sctp_association *new_asoc,
1460                                 const struct sctp_association *asoc)
1461{
1462        /* In this case, the peer may have restarted.  */
1463        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1464            (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1465            (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1466            (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1467                return 'A';
1468
1469        /* Collision case B. */
1470        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1471            ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1472             (0 == asoc->c.peer_vtag))) {
1473                return 'B';
1474        }
1475
1476        /* Collision case D. */
1477        if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1478            (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1479                return 'D';
1480
1481        /* Collision case C. */
1482        if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1483            (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1484            (0 == new_asoc->c.my_ttag) &&
1485            (0 == new_asoc->c.peer_ttag))
1486                return 'C';
1487
1488        /* No match to any of the special cases; discard this packet. */
1489        return 'E';
1490}
1491
1492/* Common helper routine for both duplicate and simultaneous INIT
1493 * chunk handling.
1494 */
1495static enum sctp_disposition sctp_sf_do_unexpected_init(
1496                                        struct net *net,
1497                                        const struct sctp_endpoint *ep,
1498                                        const struct sctp_association *asoc,
1499                                        const union sctp_subtype type,
1500                                        void *arg,
1501                                        struct sctp_cmd_seq *commands)
1502{
1503        struct sctp_chunk *chunk = arg, *repl, *err_chunk;
1504        struct sctp_unrecognized_param *unk_param;
1505        struct sctp_association *new_asoc;
1506        enum sctp_disposition retval;
1507        struct sctp_packet *packet;
1508        int len;
1509
1510        /* Update socket peer label if first association. */
1511        if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
1512                                        chunk->skb))
1513                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1514
1515        /* 6.10 Bundling
1516         * An endpoint MUST NOT bundle INIT, INIT ACK or
1517         * SHUTDOWN COMPLETE with any other chunks.
1518         *
1519         * IG Section 2.11.2
1520         * Furthermore, we require that the receiver of an INIT chunk MUST
1521         * enforce these rules by silently discarding an arriving packet
1522         * with an INIT chunk that is bundled with other chunks.
1523         */
1524        if (!chunk->singleton)
1525                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
1526
1527        /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1528         * Tag.
1529         */
1530        if (chunk->sctp_hdr->vtag != 0)
1531                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
1532
1533        /* Make sure that the INIT chunk has a valid length.
1534         * In this case, we generate a protocol violation since we have
1535         * an association established.
1536         */
1537        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
1538                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
1539                                                  commands);
1540
1541        if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port)
1542                return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands);
1543
1544        /* Grab the INIT header.  */
1545        chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
1546
1547        /* Tag the variable length parameters.  */
1548        chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
1549
1550        /* Verify the INIT chunk before processing it. */
1551        err_chunk = NULL;
1552        if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
1553                              (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
1554                              &err_chunk)) {
1555                /* This chunk contains fatal error. It is to be discarded.
1556                 * Send an ABORT, with causes if there is any.
1557                 */
1558                if (err_chunk) {
1559                        packet = sctp_abort_pkt_new(net, ep, asoc, arg,
1560                                        (__u8 *)(err_chunk->chunk_hdr) +
1561                                        sizeof(struct sctp_chunkhdr),
1562                                        ntohs(err_chunk->chunk_hdr->length) -
1563                                        sizeof(struct sctp_chunkhdr));
1564
1565                        if (packet) {
1566                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1567                                                SCTP_PACKET(packet));
1568                                SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
1569                                retval = SCTP_DISPOSITION_CONSUME;
1570                        } else {
1571                                retval = SCTP_DISPOSITION_NOMEM;
1572                        }
1573                        goto cleanup;
1574                } else {
1575                        return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
1576                                                    commands);
1577                }
1578        }
1579
1580        /*
1581         * Other parameters for the endpoint SHOULD be copied from the
1582         * existing parameters of the association (e.g. number of
1583         * outbound streams) into the INIT ACK and cookie.
1584         * FIXME:  We are copying parameters from the endpoint not the
1585         * association.
1586         */
1587        new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1588        if (!new_asoc)
1589                goto nomem;
1590
1591        if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1592                                sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1593                goto nomem;
1594
1595        /* In the outbound INIT ACK the endpoint MUST copy its current
1596         * Verification Tag and Peers Verification tag into a reserved
1597         * place (local tie-tag and per tie-tag) within the state cookie.
1598         */
1599        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
1600                               (struct sctp_init_chunk *)chunk->chunk_hdr,
1601                               GFP_ATOMIC))
1602                goto nomem;
1603
1604        /* Make sure no new addresses are being added during the
1605         * restart.   Do not do this check for COOKIE-WAIT state,
1606         * since there are no peer addresses to check against.
1607         * Upon return an ABORT will have been sent if needed.
1608         */
1609        if (!sctp_state(asoc, COOKIE_WAIT)) {
1610                if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1611                                                 commands)) {
1612                        retval = SCTP_DISPOSITION_CONSUME;
1613                        goto nomem_retval;
1614                }
1615        }
1616
1617        sctp_tietags_populate(new_asoc, asoc);
1618
1619        /* B) "Z" shall respond immediately with an INIT ACK chunk.  */
1620
1621        /* If there are errors need to be reported for unknown parameters,
1622         * make sure to reserve enough room in the INIT ACK for them.
1623         */
1624        len = 0;
1625        if (err_chunk) {
1626                len = ntohs(err_chunk->chunk_hdr->length) -
1627                      sizeof(struct sctp_chunkhdr);
1628        }
1629
1630        repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1631        if (!repl)
1632                goto nomem;
1633
1634        /* If there are errors need to be reported for unknown parameters,
1635         * include them in the outgoing INIT ACK as "Unrecognized parameter"
1636         * parameter.
1637         */
1638        if (err_chunk) {
1639                /* Get the "Unrecognized parameter" parameter(s) out of the
1640                 * ERROR chunk generated by sctp_verify_init(). Since the
1641                 * error cause code for "unknown parameter" and the
1642                 * "Unrecognized parameter" type is the same, we can
1643                 * construct the parameters in INIT ACK by copying the
1644                 * ERROR causes over.
1645                 */
1646                unk_param = (struct sctp_unrecognized_param *)
1647                            ((__u8 *)(err_chunk->chunk_hdr) +
1648                            sizeof(struct sctp_chunkhdr));
1649                /* Replace the cause code with the "Unrecognized parameter"
1650                 * parameter type.
1651                 */
1652                sctp_addto_chunk(repl, len, unk_param);
1653        }
1654
1655        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1656        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1657
1658        /*
1659         * Note: After sending out INIT ACK with the State Cookie parameter,
1660         * "Z" MUST NOT allocate any resources for this new association.
1661         * Otherwise, "Z" will be vulnerable to resource attacks.
1662         */
1663        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1664        retval = SCTP_DISPOSITION_CONSUME;
1665
1666        return retval;
1667
1668nomem:
1669        retval = SCTP_DISPOSITION_NOMEM;
1670nomem_retval:
1671        if (new_asoc)
1672                sctp_association_free(new_asoc);
1673cleanup:
1674        if (err_chunk)
1675                sctp_chunk_free(err_chunk);
1676        return retval;
1677}
1678
1679/*
1680 * Handle simultaneous INIT.
1681 * This means we started an INIT and then we got an INIT request from
1682 * our peer.
1683 *
1684 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1685 * This usually indicates an initialization collision, i.e., each
1686 * endpoint is attempting, at about the same time, to establish an
1687 * association with the other endpoint.
1688 *
1689 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1690 * endpoint MUST respond with an INIT ACK using the same parameters it
1691 * sent in its original INIT chunk (including its Verification Tag,
1692 * unchanged). These original parameters are combined with those from the
1693 * newly received INIT chunk. The endpoint shall also generate a State
1694 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1695 * INIT to calculate the State Cookie.
1696 *
1697 * After that, the endpoint MUST NOT change its state, the T1-init
1698 * timer shall be left running and the corresponding TCB MUST NOT be
1699 * destroyed. The normal procedures for handling State Cookies when
1700 * a TCB exists will resolve the duplicate INITs to a single association.
1701 *
1702 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1703 * its Tie-Tags with the Tag information of itself and its peer (see
1704 * section 5.2.2 for a description of the Tie-Tags).
1705 *
1706 * Verification Tag: Not explicit, but an INIT can not have a valid
1707 * verification tag, so we skip the check.
1708 *
1709 * Inputs
1710 * (endpoint, asoc, chunk)
1711 *
1712 * Outputs
1713 * (asoc, reply_msg, msg_up, timers, counters)
1714 *
1715 * The return value is the disposition of the chunk.
1716 */
1717enum sctp_disposition sctp_sf_do_5_2_1_siminit(
1718                                        struct net *net,
1719                                        const struct sctp_endpoint *ep,
1720                                        const struct sctp_association *asoc,
1721                                        const union sctp_subtype type,
1722                                        void *arg,
1723                                        struct sctp_cmd_seq *commands)
1724{
1725        /* Call helper to do the real work for both simultaneous and
1726         * duplicate INIT chunk handling.
1727         */
1728        return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1729}
1730
1731/*
1732 * Handle duplicated INIT messages.  These are usually delayed
1733 * restransmissions.
1734 *
1735 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1736 * COOKIE-ECHOED and COOKIE-WAIT
1737 *
1738 * Unless otherwise stated, upon reception of an unexpected INIT for
1739 * this association, the endpoint shall generate an INIT ACK with a
1740 * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
1741 * current Verification Tag and peer's Verification Tag into a reserved
1742 * place within the state cookie.  We shall refer to these locations as
1743 * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
1744 * containing this INIT ACK MUST carry a Verification Tag value equal to
1745 * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
1746 * MUST contain a new Initiation Tag (randomly generated see Section
1747 * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
1748 * existing parameters of the association (e.g. number of outbound
1749 * streams) into the INIT ACK and cookie.
1750 *
1751 * After sending out the INIT ACK, the endpoint shall take no further
1752 * actions, i.e., the existing association, including its current state,
1753 * and the corresponding TCB MUST NOT be changed.
1754 *
1755 * Note: Only when a TCB exists and the association is not in a COOKIE-
1756 * WAIT state are the Tie-Tags populated.  For a normal association INIT
1757 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1758 * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
1759 * State Cookie are populated as specified in section 5.2.1.
1760 *
1761 * Verification Tag: Not specified, but an INIT has no way of knowing
1762 * what the verification tag could be, so we ignore it.
1763 *
1764 * Inputs
1765 * (endpoint, asoc, chunk)
1766 *
1767 * Outputs
1768 * (asoc, reply_msg, msg_up, timers, counters)
1769 *
1770 * The return value is the disposition of the chunk.
1771 */
1772enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
1773                                        struct net *net,
1774                                        const struct sctp_endpoint *ep,
1775                                        const struct sctp_association *asoc,
1776                                        const union sctp_subtype type,
1777                                        void *arg,
1778                                        struct sctp_cmd_seq *commands)
1779{
1780        /* Call helper to do the real work for both simultaneous and
1781         * duplicate INIT chunk handling.
1782         */
1783        return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
1784}
1785
1786
1787/*
1788 * Unexpected INIT-ACK handler.
1789 *
1790 * Section 5.2.3
1791 * If an INIT ACK received by an endpoint in any state other than the
1792 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1793 * An unexpected INIT ACK usually indicates the processing of an old or
1794 * duplicated INIT chunk.
1795*/
1796enum sctp_disposition sctp_sf_do_5_2_3_initack(
1797                                        struct net *net,
1798                                        const struct sctp_endpoint *ep,
1799                                        const struct sctp_association *asoc,
1800                                        const union sctp_subtype type,
1801                                        void *arg,
1802                                        struct sctp_cmd_seq *commands)
1803{
1804        /* Per the above section, we'll discard the chunk if we have an
1805         * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
1806         */
1807        if (ep == sctp_sk(net->sctp.ctl_sock)->ep)
1808                return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
1809        else
1810                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
1811}
1812
1813static int sctp_sf_do_assoc_update(struct sctp_association *asoc,
1814                                   struct sctp_association *new,
1815                                   struct sctp_cmd_seq *cmds)
1816{
1817        struct net *net = asoc->base.net;
1818        struct sctp_chunk *abort;
1819
1820        if (!sctp_assoc_update(asoc, new))
1821                return 0;
1822
1823        abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
1824        if (abort) {
1825                sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
1826                sctp_add_cmd_sf(cmds, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
1827        }
1828        sctp_add_cmd_sf(cmds, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
1829        sctp_add_cmd_sf(cmds, SCTP_CMD_ASSOC_FAILED,
1830                        SCTP_PERR(SCTP_ERROR_RSRC_LOW));
1831        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
1832        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
1833
1834        return -ENOMEM;
1835}
1836
1837/* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1838 *
1839 * Section 5.2.4
1840 *  A)  In this case, the peer may have restarted.
1841 */
1842static enum sctp_disposition sctp_sf_do_dupcook_a(
1843                                        struct net *net,
1844                                        const struct sctp_endpoint *ep,
1845                                        const struct sctp_association *asoc,
1846                                        struct sctp_chunk *chunk,
1847                                        struct sctp_cmd_seq *commands,
1848                                        struct sctp_association *new_asoc)
1849{
1850        struct sctp_init_chunk *peer_init;
1851        enum sctp_disposition disposition;
1852        struct sctp_ulpevent *ev;
1853        struct sctp_chunk *repl;
1854        struct sctp_chunk *err;
1855
1856        /* new_asoc is a brand-new association, so these are not yet
1857         * side effects--it is safe to run them here.
1858         */
1859        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1860
1861        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1862                               GFP_ATOMIC))
1863                goto nomem;
1864
1865        if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1866                goto nomem;
1867
1868        if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1869                return SCTP_DISPOSITION_DISCARD;
1870
1871        /* Make sure no new addresses are being added during the
1872         * restart.  Though this is a pretty complicated attack
1873         * since you'd have to get inside the cookie.
1874         */
1875        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
1876                return SCTP_DISPOSITION_CONSUME;
1877
1878        /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1879         * the peer has restarted (Action A), it MUST NOT setup a new
1880         * association but instead resend the SHUTDOWN ACK and send an ERROR
1881         * chunk with a "Cookie Received while Shutting Down" error cause to
1882         * its peer.
1883        */
1884        if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1885                disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
1886                                SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1887                                chunk, commands);
1888                if (SCTP_DISPOSITION_NOMEM == disposition)
1889                        goto nomem;
1890
1891                err = sctp_make_op_error(asoc, chunk,
1892                                         SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1893                                         NULL, 0, 0);
1894                if (err)
1895                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1896                                        SCTP_CHUNK(err));
1897
1898                return SCTP_DISPOSITION_CONSUME;
1899        }
1900
1901        /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
1902         * data. Consider the optional choice of resending of this data.
1903         */
1904        sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
1905        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1906                        SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
1907        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1908
1909        /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
1910         * and ASCONF-ACK cache.
1911         */
1912        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1913                        SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
1914        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
1915
1916        /* Update the content of current association. */
1917        if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1918                goto nomem;
1919
1920        repl = sctp_make_cookie_ack(asoc, chunk);
1921        if (!repl)
1922                goto nomem;
1923
1924        /* Report association restart to upper layer. */
1925        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1926                                             asoc->c.sinit_num_ostreams,
1927                                             asoc->c.sinit_max_instreams,
1928                                             NULL, GFP_ATOMIC);
1929        if (!ev)
1930                goto nomem_ev;
1931
1932        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1933        if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
1934             sctp_state(asoc, SHUTDOWN_SENT)) &&
1935            (sctp_sstate(asoc->base.sk, CLOSING) ||
1936             sock_flag(asoc->base.sk, SOCK_DEAD))) {
1937                /* If the socket has been closed by user, don't
1938                 * transition to ESTABLISHED. Instead trigger SHUTDOWN
1939                 * bundled with COOKIE_ACK.
1940                 */
1941                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1942                return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
1943                                                     SCTP_ST_CHUNK(0), repl,
1944                                                     commands);
1945        } else {
1946                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1947                                SCTP_STATE(SCTP_STATE_ESTABLISHED));
1948                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1949        }
1950        return SCTP_DISPOSITION_CONSUME;
1951
1952nomem_ev:
1953        sctp_chunk_free(repl);
1954nomem:
1955        return SCTP_DISPOSITION_NOMEM;
1956}
1957
1958/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1959 *
1960 * Section 5.2.4
1961 *   B) In this case, both sides may be attempting to start an association
1962 *      at about the same time but the peer endpoint started its INIT
1963 *      after responding to the local endpoint's INIT
1964 */
1965/* This case represents an initialization collision.  */
1966static enum sctp_disposition sctp_sf_do_dupcook_b(
1967                                        struct net *net,
1968                                        const struct sctp_endpoint *ep,
1969                                        const struct sctp_association *asoc,
1970                                        struct sctp_chunk *chunk,
1971                                        struct sctp_cmd_seq *commands,
1972                                        struct sctp_association *new_asoc)
1973{
1974        struct sctp_init_chunk *peer_init;
1975        struct sctp_chunk *repl;
1976
1977        /* new_asoc is a brand-new association, so these are not yet
1978         * side effects--it is safe to run them here.
1979         */
1980        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1981        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
1982                               GFP_ATOMIC))
1983                goto nomem;
1984
1985        if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
1986                goto nomem;
1987
1988        if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
1989                return SCTP_DISPOSITION_DISCARD;
1990
1991        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1992                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
1993        if (asoc->state < SCTP_STATE_ESTABLISHED)
1994                SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
1995        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1996
1997        /* Update the content of current association.  */
1998        if (sctp_sf_do_assoc_update((struct sctp_association *)asoc, new_asoc, commands))
1999                goto nomem;
2000
2001        repl = sctp_make_cookie_ack(asoc, chunk);
2002        if (!repl)
2003                goto nomem;
2004
2005        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2006
2007        /* RFC 2960 5.1 Normal Establishment of an Association
2008         *
2009         * D) IMPLEMENTATION NOTE: An implementation may choose to
2010         * send the Communication Up notification to the SCTP user
2011         * upon reception of a valid COOKIE ECHO chunk.
2012         *
2013         * Sadly, this needs to be implemented as a side-effect, because
2014         * we are not guaranteed to have set the association id of the real
2015         * association and so these notifications need to be delayed until
2016         * the association id is allocated.
2017         */
2018
2019        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
2020
2021        /* Sockets API Draft Section 5.3.1.6
2022         * When a peer sends a Adaptation Layer Indication parameter , SCTP
2023         * delivers this notification to inform the application that of the
2024         * peers requested adaptation layer.
2025         *
2026         * This also needs to be done as a side effect for the same reason as
2027         * above.
2028         */
2029        if (asoc->peer.adaptation_ind)
2030                sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
2031
2032        if (!asoc->peer.auth_capable)
2033                sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());
2034
2035        return SCTP_DISPOSITION_CONSUME;
2036
2037nomem:
2038        return SCTP_DISPOSITION_NOMEM;
2039}
2040
2041/* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
2042 *
2043 * Section 5.2.4
2044 *  C) In this case, the local endpoint's cookie has arrived late.
2045 *     Before it arrived, the local endpoint sent an INIT and received an
2046 *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
2047 *     but a new tag of its own.
2048 */
2049/* This case represents an initialization collision.  */
2050static enum sctp_disposition sctp_sf_do_dupcook_c(
2051                                        struct net *net,
2052                                        const struct sctp_endpoint *ep,
2053                                        const struct sctp_association *asoc,
2054                                        struct sctp_chunk *chunk,
2055                                        struct sctp_cmd_seq *commands,
2056                                        struct sctp_association *new_asoc)
2057{
2058        /* The cookie should be silently discarded.
2059         * The endpoint SHOULD NOT change states and should leave
2060         * any timers running.
2061         */
2062        return SCTP_DISPOSITION_DISCARD;
2063}
2064
2065/* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
2066 *
2067 * Section 5.2.4
2068 *
2069 * D) When both local and remote tags match the endpoint should always
2070 *    enter the ESTABLISHED state, if it has not already done so.
2071 */
2072/* This case represents an initialization collision.  */
2073static enum sctp_disposition sctp_sf_do_dupcook_d(
2074                                        struct net *net,
2075                                        const struct sctp_endpoint *ep,
2076                                        const struct sctp_association *asoc,
2077                                        struct sctp_chunk *chunk,
2078                                        struct sctp_cmd_seq *commands,
2079                                        struct sctp_association *new_asoc)
2080{
2081        struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;
2082        struct sctp_chunk *repl;
2083
2084        /* Clarification from Implementor's Guide:
2085         * D) When both local and remote tags match the endpoint should
2086         * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
2087         * It should stop any cookie timer that may be running and send
2088         * a COOKIE ACK.
2089         */
2090
2091        if (!sctp_auth_chunk_verify(net, chunk, asoc))
2092                return SCTP_DISPOSITION_DISCARD;
2093
2094        /* Don't accidentally move back into established state. */
2095        if (asoc->state < SCTP_STATE_ESTABLISHED) {
2096                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2097                                SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2098                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2099                                SCTP_STATE(SCTP_STATE_ESTABLISHED));
2100                SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
2101                sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
2102                                SCTP_NULL());
2103
2104                /* RFC 2960 5.1 Normal Establishment of an Association
2105                 *
2106                 * D) IMPLEMENTATION NOTE: An implementation may choose
2107                 * to send the Communication Up notification to the
2108                 * SCTP user upon reception of a valid COOKIE
2109                 * ECHO chunk.
2110                 */
2111                ev = sctp_ulpevent_make_assoc_change(asoc, 0,
2112                                             SCTP_COMM_UP, 0,
2113                                             asoc->c.sinit_num_ostreams,
2114                                             asoc->c.sinit_max_instreams,
2115                                             NULL, GFP_ATOMIC);
2116                if (!ev)
2117                        goto nomem;
2118
2119                /* Sockets API Draft Section 5.3.1.6
2120                 * When a peer sends a Adaptation Layer Indication parameter,
2121                 * SCTP delivers this notification to inform the application
2122                 * that of the peers requested adaptation layer.
2123                 */
2124                if (asoc->peer.adaptation_ind) {
2125                        ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
2126                                                                 GFP_ATOMIC);
2127                        if (!ai_ev)
2128                                goto nomem;
2129
2130                }
2131
2132                if (!asoc->peer.auth_capable) {
2133                        auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
2134                                                             SCTP_AUTH_NO_AUTH,
2135                                                             GFP_ATOMIC);
2136                        if (!auth_ev)
2137                                goto nomem;
2138                }
2139        }
2140
2141        repl = sctp_make_cookie_ack(asoc, chunk);
2142        if (!repl)
2143                goto nomem;
2144
2145        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
2146
2147        if (ev)
2148                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2149                                SCTP_ULPEVENT(ev));
2150        if (ai_ev)
2151                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2152                                        SCTP_ULPEVENT(ai_ev));
2153        if (auth_ev)
2154                sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
2155                                SCTP_ULPEVENT(auth_ev));
2156
2157        return SCTP_DISPOSITION_CONSUME;
2158
2159nomem:
2160        if (auth_ev)
2161                sctp_ulpevent_free(auth_ev);
2162        if (ai_ev)
2163                sctp_ulpevent_free(ai_ev);
2164        if (ev)
2165                sctp_ulpevent_free(ev);
2166        return SCTP_DISPOSITION_NOMEM;
2167}
2168
2169/*
2170 * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
2171 * chunk was retransmitted and then delayed in the network.
2172 *
2173 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
2174 *
2175 * Verification Tag: None.  Do cookie validation.
2176 *
2177 * Inputs
2178 * (endpoint, asoc, chunk)
2179 *
2180 * Outputs
2181 * (asoc, reply_msg, msg_up, timers, counters)
2182 *
2183 * The return value is the disposition of the chunk.
2184 */
2185enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
2186                                        struct net *net,
2187                                        const struct sctp_endpoint *ep,
2188                                        const struct sctp_association *asoc,
2189                                        const union sctp_subtype type,
2190                                        void *arg,
2191                                        struct sctp_cmd_seq *commands)
2192{
2193        struct sctp_association *new_asoc;
2194        struct sctp_chunk *chunk = arg;
2195        enum sctp_disposition retval;
2196        struct sctp_chunk *err_chk_p;
2197        int error = 0;
2198        char action;
2199
2200        /* Make sure that the chunk has a valid length from the protocol
2201         * perspective.  In this case check to make sure we have at least
2202         * enough for the chunk header.  Cookie length verification is
2203         * done later.
2204         */
2205        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2206                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2207                                                  commands);
2208
2209        /* "Decode" the chunk.  We have no optional parameters so we
2210         * are in good shape.
2211         */
2212        chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
2213        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
2214                                        sizeof(struct sctp_chunkhdr)))
2215                goto nomem;
2216
2217        /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
2218         * of a duplicate COOKIE ECHO match the Verification Tags of the
2219         * current association, consider the State Cookie valid even if
2220         * the lifespan is exceeded.
2221         */
2222        new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
2223                                      &err_chk_p);
2224
2225        /* FIXME:
2226         * If the re-build failed, what is the proper error path
2227         * from here?
2228         *
2229         * [We should abort the association. --piggy]
2230         */
2231        if (!new_asoc) {
2232                /* FIXME: Several errors are possible.  A bad cookie should
2233                 * be silently discarded, but think about logging it too.
2234                 */
2235                switch (error) {
2236                case -SCTP_IERROR_NOMEM:
2237                        goto nomem;
2238
2239                case -SCTP_IERROR_STALE_COOKIE:
2240                        sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,
2241                                                   err_chk_p);
2242                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2243                case -SCTP_IERROR_BAD_SIG:
2244                default:
2245                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2246                }
2247        }
2248
2249        /* Update socket peer label if first association. */
2250        if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
2251                                        chunk->skb)) {
2252                sctp_association_free(new_asoc);
2253                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2254        }
2255
2256        /* Set temp so that it won't be added into hashtable */
2257        new_asoc->temp = 1;
2258
2259        /* Compare the tie_tag in cookie with the verification tag of
2260         * current association.
2261         */
2262        action = sctp_tietags_compare(new_asoc, asoc);
2263
2264        switch (action) {
2265        case 'A': /* Association restart. */
2266                retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
2267                                              new_asoc);
2268                break;
2269
2270        case 'B': /* Collision case B. */
2271                retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
2272                                              new_asoc);
2273                break;
2274
2275        case 'C': /* Collision case C. */
2276                retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
2277                                              new_asoc);
2278                break;
2279
2280        case 'D': /* Collision case D. */
2281                retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
2282                                              new_asoc);
2283                break;
2284
2285        default: /* Discard packet for all others. */
2286                retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2287                break;
2288        }
2289
2290        /* Delete the temporary new association. */
2291        sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
2292        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2293
2294        /* Restore association pointer to provide SCTP command interpreter
2295         * with a valid context in case it needs to manipulate
2296         * the queues */
2297        sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
2298                         SCTP_ASOC((struct sctp_association *)asoc));
2299
2300        return retval;
2301
2302nomem:
2303        return SCTP_DISPOSITION_NOMEM;
2304}
2305
2306/*
2307 * Process an ABORT.  (SHUTDOWN-PENDING state)
2308 *
2309 * See sctp_sf_do_9_1_abort().
2310 */
2311enum sctp_disposition sctp_sf_shutdown_pending_abort(
2312                                        struct net *net,
2313                                        const struct sctp_endpoint *ep,
2314                                        const struct sctp_association *asoc,
2315                                        const union sctp_subtype type,
2316                                        void *arg,
2317                                        struct sctp_cmd_seq *commands)
2318{
2319        struct sctp_chunk *chunk = arg;
2320
2321        if (!sctp_vtag_verify_either(chunk, asoc))
2322                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2323
2324        /* Make sure that the ABORT chunk has a valid length.
2325         * Since this is an ABORT chunk, we have to discard it
2326         * because of the following text:
2327         * RFC 2960, Section 3.3.7
2328         *    If an endpoint receives an ABORT with a format error or for an
2329         *    association that doesn't exist, it MUST silently discard it.
2330         * Because the length is "invalid", we can't really discard just
2331         * as we do not know its true length.  So, to be safe, discard the
2332         * packet.
2333         */
2334        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2335                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2336
2337        /* ADD-IP: Special case for ABORT chunks
2338         * F4)  One special consideration is that ABORT Chunks arriving
2339         * destined to the IP address being deleted MUST be
2340         * ignored (see Section 5.3.1 for further details).
2341         */
2342        if (SCTP_ADDR_DEL ==
2343                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2344                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2345
2346        if (!sctp_err_chunk_valid(chunk))
2347                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2348
2349        return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2350}
2351
2352/*
2353 * Process an ABORT.  (SHUTDOWN-SENT state)
2354 *
2355 * See sctp_sf_do_9_1_abort().
2356 */
2357enum sctp_disposition sctp_sf_shutdown_sent_abort(
2358                                        struct net *net,
2359                                        const struct sctp_endpoint *ep,
2360                                        const struct sctp_association *asoc,
2361                                        const union sctp_subtype type,
2362                                        void *arg,
2363                                        struct sctp_cmd_seq *commands)
2364{
2365        struct sctp_chunk *chunk = arg;
2366
2367        if (!sctp_vtag_verify_either(chunk, asoc))
2368                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2369
2370        /* Make sure that the ABORT chunk has a valid length.
2371         * Since this is an ABORT chunk, we have to discard it
2372         * because of the following text:
2373         * RFC 2960, Section 3.3.7
2374         *    If an endpoint receives an ABORT with a format error or for an
2375         *    association that doesn't exist, it MUST silently discard it.
2376         * Because the length is "invalid", we can't really discard just
2377         * as we do not know its true length.  So, to be safe, discard the
2378         * packet.
2379         */
2380        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2381                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2382
2383        /* ADD-IP: Special case for ABORT chunks
2384         * F4)  One special consideration is that ABORT Chunks arriving
2385         * destined to the IP address being deleted MUST be
2386         * ignored (see Section 5.3.1 for further details).
2387         */
2388        if (SCTP_ADDR_DEL ==
2389                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2390                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2391
2392        if (!sctp_err_chunk_valid(chunk))
2393                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2394
2395        /* Stop the T2-shutdown timer. */
2396        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2397                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2398
2399        /* Stop the T5-shutdown guard timer.  */
2400        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2401                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2402
2403        return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2404}
2405
2406/*
2407 * Process an ABORT.  (SHUTDOWN-ACK-SENT state)
2408 *
2409 * See sctp_sf_do_9_1_abort().
2410 */
2411enum sctp_disposition sctp_sf_shutdown_ack_sent_abort(
2412                                        struct net *net,
2413                                        const struct sctp_endpoint *ep,
2414                                        const struct sctp_association *asoc,
2415                                        const union sctp_subtype type,
2416                                        void *arg,
2417                                        struct sctp_cmd_seq *commands)
2418{
2419        /* The same T2 timer, so we should be able to use
2420         * common function with the SHUTDOWN-SENT state.
2421         */
2422        return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
2423}
2424
2425/*
2426 * Handle an Error received in COOKIE_ECHOED state.
2427 *
2428 * Only handle the error type of stale COOKIE Error, the other errors will
2429 * be ignored.
2430 *
2431 * Inputs
2432 * (endpoint, asoc, chunk)
2433 *
2434 * Outputs
2435 * (asoc, reply_msg, msg_up, timers, counters)
2436 *
2437 * The return value is the disposition of the chunk.
2438 */
2439enum sctp_disposition sctp_sf_cookie_echoed_err(
2440                                        struct net *net,
2441                                        const struct sctp_endpoint *ep,
2442                                        const struct sctp_association *asoc,
2443                                        const union sctp_subtype type,
2444                                        void *arg,
2445                                        struct sctp_cmd_seq *commands)
2446{
2447        struct sctp_chunk *chunk = arg;
2448        struct sctp_errhdr *err;
2449
2450        if (!sctp_vtag_verify(chunk, asoc))
2451                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2452
2453        /* Make sure that the ERROR chunk has a valid length.
2454         * The parameter walking depends on this as well.
2455         */
2456        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
2457                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2458                                                  commands);
2459
2460        /* Process the error here */
2461        /* FUTURE FIXME:  When PR-SCTP related and other optional
2462         * parms are emitted, this will have to change to handle multiple
2463         * errors.
2464         */
2465        sctp_walk_errors(err, chunk->chunk_hdr) {
2466                if (SCTP_ERROR_STALE_COOKIE == err->cause)
2467                        return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
2468                                                        arg, commands);
2469        }
2470
2471        /* It is possible to have malformed error causes, and that
2472         * will cause us to end the walk early.  However, since
2473         * we are discarding the packet, there should be no adverse
2474         * affects.
2475         */
2476        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2477}
2478
2479/*
2480 * Handle a Stale COOKIE Error
2481 *
2482 * Section: 5.2.6 Handle Stale COOKIE Error
2483 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2484 * one of the following three alternatives.
2485 * ...
2486 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2487 *    Preservative parameter requesting an extension to the lifetime of
2488 *    the State Cookie. When calculating the time extension, an
2489 *    implementation SHOULD use the RTT information measured based on the
2490 *    previous COOKIE ECHO / ERROR exchange, and should add no more
2491 *    than 1 second beyond the measured RTT, due to long State Cookie
2492 *    lifetimes making the endpoint more subject to a replay attack.
2493 *
2494 * Verification Tag:  Not explicit, but safe to ignore.
2495 *
2496 * Inputs
2497 * (endpoint, asoc, chunk)
2498 *
2499 * Outputs
2500 * (asoc, reply_msg, msg_up, timers, counters)
2501 *
2502 * The return value is the disposition of the chunk.
2503 */
2504static enum sctp_disposition sctp_sf_do_5_2_6_stale(
2505                                        struct net *net,
2506                                        const struct sctp_endpoint *ep,
2507                                        const struct sctp_association *asoc,
2508                                        const union sctp_subtype type,
2509                                        void *arg,
2510                                        struct sctp_cmd_seq *commands)
2511{
2512        int attempts = asoc->init_err_counter + 1;
2513        struct sctp_chunk *chunk = arg, *reply;
2514        struct sctp_cookie_preserve_param bht;
2515        struct sctp_bind_addr *bp;
2516        struct sctp_errhdr *err;
2517        u32 stale;
2518
2519        if (attempts > asoc->max_init_attempts) {
2520                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2521                                SCTP_ERROR(ETIMEDOUT));
2522                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2523                                SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2524                return SCTP_DISPOSITION_DELETE_TCB;
2525        }
2526
2527        err = (struct sctp_errhdr *)(chunk->skb->data);
2528
2529        /* When calculating the time extension, an implementation
2530         * SHOULD use the RTT information measured based on the
2531         * previous COOKIE ECHO / ERROR exchange, and should add no
2532         * more than 1 second beyond the measured RTT, due to long
2533         * State Cookie lifetimes making the endpoint more subject to
2534         * a replay attack.
2535         * Measure of Staleness's unit is usec. (1/1000000 sec)
2536         * Suggested Cookie Life-span Increment's unit is msec.
2537         * (1/1000 sec)
2538         * In general, if you use the suggested cookie life, the value
2539         * found in the field of measure of staleness should be doubled
2540         * to give ample time to retransmit the new cookie and thus
2541         * yield a higher probability of success on the reattempt.
2542         */
2543        stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));
2544        stale = (stale * 2) / 1000;
2545
2546        bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2547        bht.param_hdr.length = htons(sizeof(bht));
2548        bht.lifespan_increment = htonl(stale);
2549
2550        /* Build that new INIT chunk.  */
2551        bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2552        reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2553        if (!reply)
2554                goto nomem;
2555
2556        sctp_addto_chunk(reply, sizeof(bht), &bht);
2557
2558        /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2559        sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2560
2561        /* Stop pending T3-rtx and heartbeat timers */
2562        sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2563        sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2564
2565        /* Delete non-primary peer ip addresses since we are transitioning
2566         * back to the COOKIE-WAIT state
2567         */
2568        sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2569
2570        /* If we've sent any data bundled with COOKIE-ECHO we will need to
2571         * resend
2572         */
2573        sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2574                        SCTP_TRANSPORT(asoc->peer.primary_path));
2575
2576        /* Cast away the const modifier, as we want to just
2577         * rerun it through as a sideffect.
2578         */
2579        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2580
2581        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2582                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2583        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2584                        SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2585        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2586                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2587
2588        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2589
2590        return SCTP_DISPOSITION_CONSUME;
2591
2592nomem:
2593        return SCTP_DISPOSITION_NOMEM;
2594}
2595
2596/*
2597 * Process an ABORT.
2598 *
2599 * Section: 9.1
2600 * After checking the Verification Tag, the receiving endpoint shall
2601 * remove the association from its record, and shall report the
2602 * termination to its upper layer.
2603 *
2604 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2605 * B) Rules for packet carrying ABORT:
2606 *
2607 *  - The endpoint shall always fill in the Verification Tag field of the
2608 *    outbound packet with the destination endpoint's tag value if it
2609 *    is known.
2610 *
2611 *  - If the ABORT is sent in response to an OOTB packet, the endpoint
2612 *    MUST follow the procedure described in Section 8.4.
2613 *
2614 *  - The receiver MUST accept the packet if the Verification Tag
2615 *    matches either its own tag, OR the tag of its peer. Otherwise, the
2616 *    receiver MUST silently discard the packet and take no further
2617 *    action.
2618 *
2619 * Inputs
2620 * (endpoint, asoc, chunk)
2621 *
2622 * Outputs
2623 * (asoc, reply_msg, msg_up, timers, counters)
2624 *
2625 * The return value is the disposition of the chunk.
2626 */
2627enum sctp_disposition sctp_sf_do_9_1_abort(
2628                                        struct net *net,
2629                                        const struct sctp_endpoint *ep,
2630                                        const struct sctp_association *asoc,
2631                                        const union sctp_subtype type,
2632                                        void *arg,
2633                                        struct sctp_cmd_seq *commands)
2634{
2635        struct sctp_chunk *chunk = arg;
2636
2637        if (!sctp_vtag_verify_either(chunk, asoc))
2638                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2639
2640        /* Make sure that the ABORT chunk has a valid length.
2641         * Since this is an ABORT chunk, we have to discard it
2642         * because of the following text:
2643         * RFC 2960, Section 3.3.7
2644         *    If an endpoint receives an ABORT with a format error or for an
2645         *    association that doesn't exist, it MUST silently discard it.
2646         * Because the length is "invalid", we can't really discard just
2647         * as we do not know its true length.  So, to be safe, discard the
2648         * packet.
2649         */
2650        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2651                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2652
2653        /* ADD-IP: Special case for ABORT chunks
2654         * F4)  One special consideration is that ABORT Chunks arriving
2655         * destined to the IP address being deleted MUST be
2656         * ignored (see Section 5.3.1 for further details).
2657         */
2658        if (SCTP_ADDR_DEL ==
2659                    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2660                return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
2661
2662        if (!sctp_err_chunk_valid(chunk))
2663                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2664
2665        return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
2666}
2667
2668static enum sctp_disposition __sctp_sf_do_9_1_abort(
2669                                        struct net *net,
2670                                        const struct sctp_endpoint *ep,
2671                                        const struct sctp_association *asoc,
2672                                        const union sctp_subtype type,
2673                                        void *arg,
2674                                        struct sctp_cmd_seq *commands)
2675{
2676        __be16 error = SCTP_ERROR_NO_ERROR;
2677        struct sctp_chunk *chunk = arg;
2678        unsigned int len;
2679
2680        /* See if we have an error cause code in the chunk.  */
2681        len = ntohs(chunk->chunk_hdr->length);
2682        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2683                error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2684
2685        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2686        /* ASSOC_FAILED will DELETE_TCB. */
2687        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2688        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2689        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
2690
2691        return SCTP_DISPOSITION_ABORT;
2692}
2693
2694/*
2695 * Process an ABORT.  (COOKIE-WAIT state)
2696 *
2697 * See sctp_sf_do_9_1_abort() above.
2698 */
2699enum sctp_disposition sctp_sf_cookie_wait_abort(
2700                                        struct net *net,
2701                                        const struct sctp_endpoint *ep,
2702                                        const struct sctp_association *asoc,
2703                                        const union sctp_subtype type,
2704                                        void *arg,
2705                                        struct sctp_cmd_seq *commands)
2706{
2707        __be16 error = SCTP_ERROR_NO_ERROR;
2708        struct sctp_chunk *chunk = arg;
2709        unsigned int len;
2710
2711        if (!sctp_vtag_verify_either(chunk, asoc))
2712                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2713
2714        /* Make sure that the ABORT chunk has a valid length.
2715         * Since this is an ABORT chunk, we have to discard it
2716         * because of the following text:
2717         * RFC 2960, Section 3.3.7
2718         *    If an endpoint receives an ABORT with a format error or for an
2719         *    association that doesn't exist, it MUST silently discard it.
2720         * Because the length is "invalid", we can't really discard just
2721         * as we do not know its true length.  So, to be safe, discard the
2722         * packet.
2723         */
2724        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
2725                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2726
2727        /* See if we have an error cause code in the chunk.  */
2728        len = ntohs(chunk->chunk_hdr->length);
2729        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2730                error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
2731
2732        return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED, asoc,
2733                                      chunk->transport);
2734}
2735
2736/*
2737 * Process an incoming ICMP as an ABORT.  (COOKIE-WAIT state)
2738 */
2739enum sctp_disposition sctp_sf_cookie_wait_icmp_abort(
2740                                        struct net *net,
2741                                        const struct sctp_endpoint *ep,
2742                                        const struct sctp_association *asoc,
2743                                        const union sctp_subtype type,
2744                                        void *arg,
2745                                        struct sctp_cmd_seq *commands)
2746{
2747        return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
2748                                      ENOPROTOOPT, asoc,
2749                                      (struct sctp_transport *)arg);
2750}
2751
2752/*
2753 * Process an ABORT.  (COOKIE-ECHOED state)
2754 */
2755enum sctp_disposition sctp_sf_cookie_echoed_abort(
2756                                        struct net *net,
2757                                        const struct sctp_endpoint *ep,
2758                                        const struct sctp_association *asoc,
2759                                        const union sctp_subtype type,
2760                                        void *arg,
2761                                        struct sctp_cmd_seq *commands)
2762{
2763        /* There is a single T1 timer, so we should be able to use
2764         * common function with the COOKIE-WAIT state.
2765         */
2766        return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
2767}
2768
2769/*
2770 * Stop T1 timer and abort association with "INIT failed".
2771 *
2772 * This is common code called by several sctp_sf_*_abort() functions above.
2773 */
2774static enum sctp_disposition sctp_stop_t1_and_abort(
2775                                        struct net *net,
2776                                        struct sctp_cmd_seq *commands,
2777                                        __be16 error, int sk_err,
2778                                        const struct sctp_association *asoc,
2779                                        struct sctp_transport *transport)
2780{
2781        pr_debug("%s: ABORT received (INIT)\n", __func__);
2782
2783        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2784                        SCTP_STATE(SCTP_STATE_CLOSED));
2785        SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
2786        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2787                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2788        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2789        /* CMD_INIT_FAILED will DELETE_TCB. */
2790        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2791                        SCTP_PERR(error));
2792
2793        return SCTP_DISPOSITION_ABORT;
2794}
2795
2796/*
2797 * sctp_sf_do_9_2_shut
2798 *
2799 * Section: 9.2
2800 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2801 *  - enter the SHUTDOWN-RECEIVED state,
2802 *
2803 *  - stop accepting new data from its SCTP user
2804 *
2805 *  - verify, by checking the Cumulative TSN Ack field of the chunk,
2806 *    that all its outstanding DATA chunks have been received by the
2807 *    SHUTDOWN sender.
2808 *
2809 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2810 * send a SHUTDOWN in response to a ULP request. And should discard
2811 * subsequent SHUTDOWN chunks.
2812 *
2813 * If there are still outstanding DATA chunks left, the SHUTDOWN
2814 * receiver shall continue to follow normal data transmission
2815 * procedures defined in Section 6 until all outstanding DATA chunks
2816 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2817 * new data from its SCTP user.
2818 *
2819 * Verification Tag:  8.5 Verification Tag [Normal verification]
2820 *
2821 * Inputs
2822 * (endpoint, asoc, chunk)
2823 *
2824 * Outputs
2825 * (asoc, reply_msg, msg_up, timers, counters)
2826 *
2827 * The return value is the disposition of the chunk.
2828 */
2829enum sctp_disposition sctp_sf_do_9_2_shutdown(
2830                                        struct net *net,
2831                                        const struct sctp_endpoint *ep,
2832                                        const struct sctp_association *asoc,
2833                                        const union sctp_subtype type,
2834                                        void *arg,
2835                                        struct sctp_cmd_seq *commands)
2836{
2837        enum sctp_disposition disposition;
2838        struct sctp_chunk *chunk = arg;
2839        struct sctp_shutdownhdr *sdh;
2840        struct sctp_ulpevent *ev;
2841        __u32 ctsn;
2842
2843        if (!sctp_vtag_verify(chunk, asoc))
2844                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2845
2846        /* Make sure that the SHUTDOWN chunk has a valid length. */
2847        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2848                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2849                                                  commands);
2850
2851        /* Convert the elaborate header.  */
2852        sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2853        skb_pull(chunk->skb, sizeof(*sdh));
2854        chunk->subh.shutdown_hdr = sdh;
2855        ctsn = ntohl(sdh->cum_tsn_ack);
2856
2857        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2858                pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2859                         asoc->ctsn_ack_point);
2860
2861                return SCTP_DISPOSITION_DISCARD;
2862        }
2863
2864        /* If Cumulative TSN Ack beyond the max tsn currently
2865         * send, terminating the association and respond to the
2866         * sender with an ABORT.
2867         */
2868        if (!TSN_lt(ctsn, asoc->next_tsn))
2869                return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2870
2871        /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2872         * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2873         * inform the application that it should cease sending data.
2874         */
2875        ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2876        if (!ev) {
2877                disposition = SCTP_DISPOSITION_NOMEM;
2878                goto out;
2879        }
2880        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2881
2882        /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2883         *  - enter the SHUTDOWN-RECEIVED state,
2884         *  - stop accepting new data from its SCTP user
2885         *
2886         * [This is implicit in the new state.]
2887         */
2888        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2889                        SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2890        disposition = SCTP_DISPOSITION_CONSUME;
2891
2892        if (sctp_outq_is_empty(&asoc->outqueue)) {
2893                disposition = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type,
2894                                                          arg, commands);
2895        }
2896
2897        if (SCTP_DISPOSITION_NOMEM == disposition)
2898                goto out;
2899
2900        /*  - verify, by checking the Cumulative TSN Ack field of the
2901         *    chunk, that all its outstanding DATA chunks have been
2902         *    received by the SHUTDOWN sender.
2903         */
2904        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2905                        SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2906
2907out:
2908        return disposition;
2909}
2910
2911/*
2912 * sctp_sf_do_9_2_shut_ctsn
2913 *
2914 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2915 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2916 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2917 * MUST be processed.
2918 */
2919enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
2920                                        struct net *net,
2921                                        const struct sctp_endpoint *ep,
2922                                        const struct sctp_association *asoc,
2923                                        const union sctp_subtype type,
2924                                        void *arg,
2925                                        struct sctp_cmd_seq *commands)
2926{
2927        struct sctp_chunk *chunk = arg;
2928        struct sctp_shutdownhdr *sdh;
2929        __u32 ctsn;
2930
2931        if (!sctp_vtag_verify(chunk, asoc))
2932                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
2933
2934        /* Make sure that the SHUTDOWN chunk has a valid length. */
2935        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
2936                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2937                                                  commands);
2938
2939        sdh = (struct sctp_shutdownhdr *)chunk->skb->data;
2940        ctsn = ntohl(sdh->cum_tsn_ack);
2941
2942        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2943                pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
2944                         asoc->ctsn_ack_point);
2945
2946                return SCTP_DISPOSITION_DISCARD;
2947        }
2948
2949        /* If Cumulative TSN Ack beyond the max tsn currently
2950         * send, terminating the association and respond to the
2951         * sender with an ABORT.
2952         */
2953        if (!TSN_lt(ctsn, asoc->next_tsn))
2954                return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
2955
2956        /* verify, by checking the Cumulative TSN Ack field of the
2957         * chunk, that all its outstanding DATA chunks have been
2958         * received by the SHUTDOWN sender.
2959         */
2960        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2961                        SCTP_BE32(sdh->cum_tsn_ack));
2962
2963        return SCTP_DISPOSITION_CONSUME;
2964}
2965
2966/* RFC 2960 9.2
2967 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2968 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2969 * transport addresses (either in the IP addresses or in the INIT chunk)
2970 * that belong to this association, it should discard the INIT chunk and
2971 * retransmit the SHUTDOWN ACK chunk.
2972 */
2973enum sctp_disposition sctp_sf_do_9_2_reshutack(
2974                                        struct net *net,
2975                                        const struct sctp_endpoint *ep,
2976                                        const struct sctp_association *asoc,
2977                                        const union sctp_subtype type,
2978                                        void *arg,
2979                                        struct sctp_cmd_seq *commands)
2980{
2981        struct sctp_chunk *chunk = arg;
2982        struct sctp_chunk *reply;
2983
2984        /* Make sure that the chunk has a valid length */
2985        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
2986                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
2987                                                  commands);
2988
2989        /* Since we are not going to really process this INIT, there
2990         * is no point in verifying chunk boundaries.  Just generate
2991         * the SHUTDOWN ACK.
2992         */
2993        reply = sctp_make_shutdown_ack(asoc, chunk);
2994        if (NULL == reply)
2995                goto nomem;
2996
2997        /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2998         * the T2-SHUTDOWN timer.
2999         */
3000        sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
3001
3002        /* and restart the T2-shutdown timer. */
3003        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3004                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3005
3006        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3007
3008        return SCTP_DISPOSITION_CONSUME;
3009nomem:
3010        return SCTP_DISPOSITION_NOMEM;
3011}
3012
3013/*
3014 * sctp_sf_do_ecn_cwr
3015 *
3016 * Section:  Appendix A: Explicit Congestion Notification
3017 *
3018 * CWR:
3019 *
3020 * RFC 2481 details a specific bit for a sender to send in the header of
3021 * its next outbound TCP segment to indicate to its peer that it has
3022 * reduced its congestion window.  This is termed the CWR bit.  For
3023 * SCTP the same indication is made by including the CWR chunk.
3024 * This chunk contains one data element, i.e. the TSN number that
3025 * was sent in the ECNE chunk.  This element represents the lowest
3026 * TSN number in the datagram that was originally marked with the
3027 * CE bit.
3028 *
3029 * Verification Tag: 8.5 Verification Tag [Normal verification]
3030 * Inputs
3031 * (endpoint, asoc, chunk)
3032 *
3033 * Outputs
3034 * (asoc, reply_msg, msg_up, timers, counters)
3035 *
3036 * The return value is the disposition of the chunk.
3037 */
3038enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net,
3039                                         const struct sctp_endpoint *ep,
3040                                         const struct sctp_association *asoc,
3041                                         const union sctp_subtype type,
3042                                         void *arg,
3043                                         struct sctp_cmd_seq *commands)
3044{
3045        struct sctp_chunk *chunk = arg;
3046        struct sctp_cwrhdr *cwr;
3047        u32 lowest_tsn;
3048
3049        if (!sctp_vtag_verify(chunk, asoc))
3050                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3051
3052        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3053                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3054                                                  commands);
3055
3056        cwr = (struct sctp_cwrhdr *)chunk->skb->data;
3057        skb_pull(chunk->skb, sizeof(*cwr));
3058
3059        lowest_tsn = ntohl(cwr->lowest_tsn);
3060
3061        /* Does this CWR ack the last sent congestion notification? */
3062        if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
3063                /* Stop sending ECNE. */
3064                sctp_add_cmd_sf(commands,
3065                                SCTP_CMD_ECN_CWR,
3066                                SCTP_U32(lowest_tsn));
3067        }
3068        return SCTP_DISPOSITION_CONSUME;
3069}
3070
3071/*
3072 * sctp_sf_do_ecne
3073 *
3074 * Section:  Appendix A: Explicit Congestion Notification
3075 *
3076 * ECN-Echo
3077 *
3078 * RFC 2481 details a specific bit for a receiver to send back in its
3079 * TCP acknowledgements to notify the sender of the Congestion
3080 * Experienced (CE) bit having arrived from the network.  For SCTP this
3081 * same indication is made by including the ECNE chunk.  This chunk
3082 * contains one data element, i.e. the lowest TSN associated with the IP
3083 * datagram marked with the CE bit.....
3084 *
3085 * Verification Tag: 8.5 Verification Tag [Normal verification]
3086 * Inputs
3087 * (endpoint, asoc, chunk)
3088 *
3089 * Outputs
3090 * (asoc, reply_msg, msg_up, timers, counters)
3091 *
3092 * The return value is the disposition of the chunk.
3093 */
3094enum sctp_disposition sctp_sf_do_ecne(struct net *net,
3095                                      const struct sctp_endpoint *ep,
3096                                      const struct sctp_association *asoc,
3097                                      const union sctp_subtype type,
3098                                      void *arg, struct sctp_cmd_seq *commands)
3099{
3100        struct sctp_chunk *chunk = arg;
3101        struct sctp_ecnehdr *ecne;
3102
3103        if (!sctp_vtag_verify(chunk, asoc))
3104                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3105
3106        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
3107                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3108                                                  commands);
3109
3110        ecne = (struct sctp_ecnehdr *)chunk->skb->data;
3111        skb_pull(chunk->skb, sizeof(*ecne));
3112
3113        /* If this is a newer ECNE than the last CWR packet we sent out */
3114        sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
3115                        SCTP_U32(ntohl(ecne->lowest_tsn)));
3116
3117        return SCTP_DISPOSITION_CONSUME;
3118}
3119
3120/*
3121 * Section: 6.2  Acknowledgement on Reception of DATA Chunks
3122 *
3123 * The SCTP endpoint MUST always acknowledge the reception of each valid
3124 * DATA chunk.
3125 *
3126 * The guidelines on delayed acknowledgement algorithm specified in
3127 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
3128 * acknowledgement SHOULD be generated for at least every second packet
3129 * (not every second DATA chunk) received, and SHOULD be generated within
3130 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
3131 * situations it may be beneficial for an SCTP transmitter to be more
3132 * conservative than the algorithms detailed in this document allow.
3133 * However, an SCTP transmitter MUST NOT be more aggressive than the
3134 * following algorithms allow.
3135 *
3136 * A SCTP receiver MUST NOT generate more than one SACK for every
3137 * incoming packet, other than to update the offered window as the
3138 * receiving application consumes new data.
3139 *
3140 * Verification Tag:  8.5 Verification Tag [Normal verification]
3141 *
3142 * Inputs
3143 * (endpoint, asoc, chunk)
3144 *
3145 * Outputs
3146 * (asoc, reply_msg, msg_up, timers, counters)
3147 *
3148 * The return value is the disposition of the chunk.
3149 */
3150enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net,
3151                                           const struct sctp_endpoint *ep,
3152                                           const struct sctp_association *asoc,
3153                                           const union sctp_subtype type,
3154                                           void *arg,
3155                                           struct sctp_cmd_seq *commands)
3156{
3157        union sctp_arg force = SCTP_NOFORCE();
3158        struct sctp_chunk *chunk = arg;
3159        int error;
3160
3161        if (!sctp_vtag_verify(chunk, asoc)) {
3162                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3163                                SCTP_NULL());
3164                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3165        }
3166
3167        if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3168                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3169                                                  commands);
3170
3171        error = sctp_eat_data(asoc, chunk, commands);
3172        switch (error) {
3173        case SCTP_IERROR_NO_ERROR:
3174                break;
3175        case SCTP_IERROR_HIGH_TSN:
3176        case SCTP_IERROR_BAD_STREAM:
3177                SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3178                goto discard_noforce;
3179        case SCTP_IERROR_DUP_TSN:
3180        case SCTP_IERROR_IGNORE_TSN:
3181                SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
3182                goto discard_force;
3183        case SCTP_IERROR_NO_DATA:
3184                return SCTP_DISPOSITION_ABORT;
3185        case SCTP_IERROR_PROTO_VIOLATION:
3186                return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3187                                               (u8 *)chunk->subh.data_hdr,
3188                                               sctp_datahdr_len(&asoc->stream));
3189        default:
3190                BUG();
3191        }
3192
3193        if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
3194                force = SCTP_FORCE();
3195
3196        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
3197                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3198                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3199        }
3200
3201        /* If this is the last chunk in a packet, we need to count it
3202         * toward sack generation.  Note that we need to SACK every
3203         * OTHER packet containing data chunks, EVEN IF WE DISCARD
3204         * THEM.  We elect to NOT generate SACK's if the chunk fails
3205         * the verification tag test.
3206         *
3207         * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3208         *
3209         * The SCTP endpoint MUST always acknowledge the reception of
3210         * each valid DATA chunk.
3211         *
3212         * The guidelines on delayed acknowledgement algorithm
3213         * specified in  Section 4.2 of [RFC2581] SHOULD be followed.
3214         * Specifically, an acknowledgement SHOULD be generated for at
3215         * least every second packet (not every second DATA chunk)
3216         * received, and SHOULD be generated within 200 ms of the
3217         * arrival of any unacknowledged DATA chunk.  In some
3218         * situations it may be beneficial for an SCTP transmitter to
3219         * be more conservative than the algorithms detailed in this
3220         * document allow. However, an SCTP transmitter MUST NOT be
3221         * more aggressive than the following algorithms allow.
3222         */
3223        if (chunk->end_of_packet)
3224                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3225
3226        return SCTP_DISPOSITION_CONSUME;
3227
3228discard_force:
3229        /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
3230         *
3231         * When a packet arrives with duplicate DATA chunk(s) and with
3232         * no new DATA chunk(s), the endpoint MUST immediately send a
3233         * SACK with no delay.  If a packet arrives with duplicate
3234         * DATA chunk(s) bundled with new DATA chunks, the endpoint
3235         * MAY immediately send a SACK.  Normally receipt of duplicate
3236         * DATA chunks will occur when the original SACK chunk was lost
3237         * and the peer's RTO has expired.  The duplicate TSN number(s)
3238         * SHOULD be reported in the SACK as duplicate.
3239         */
3240        /* In our case, we split the MAY SACK advice up whether or not
3241         * the last chunk is a duplicate.'
3242         */
3243        if (chunk->end_of_packet)
3244                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3245        return SCTP_DISPOSITION_DISCARD;
3246
3247discard_noforce:
3248        if (chunk->end_of_packet)
3249                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
3250
3251        return SCTP_DISPOSITION_DISCARD;
3252}
3253
3254/*
3255 * sctp_sf_eat_data_fast_4_4
3256 *
3257 * Section: 4 (4)
3258 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
3259 *    DATA chunks without delay.
3260 *
3261 * Verification Tag:  8.5 Verification Tag [Normal verification]
3262 * Inputs
3263 * (endpoint, asoc, chunk)
3264 *
3265 * Outputs
3266 * (asoc, reply_msg, msg_up, timers, counters)
3267 *
3268 * The return value is the disposition of the chunk.
3269 */
3270enum sctp_disposition sctp_sf_eat_data_fast_4_4(
3271                                        struct net *net,
3272                                        const struct sctp_endpoint *ep,
3273                                        const struct sctp_association *asoc,
3274                                        const union sctp_subtype type,
3275                                        void *arg,
3276                                        struct sctp_cmd_seq *commands)
3277{
3278        struct sctp_chunk *chunk = arg;
3279        int error;
3280
3281        if (!sctp_vtag_verify(chunk, asoc)) {
3282                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3283                                SCTP_NULL());
3284                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3285        }
3286
3287        if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
3288                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3289                                                  commands);
3290
3291        error = sctp_eat_data(asoc, chunk, commands);
3292        switch (error) {
3293        case SCTP_IERROR_NO_ERROR:
3294        case SCTP_IERROR_HIGH_TSN:
3295        case SCTP_IERROR_DUP_TSN:
3296        case SCTP_IERROR_IGNORE_TSN:
3297        case SCTP_IERROR_BAD_STREAM:
3298                break;
3299        case SCTP_IERROR_NO_DATA:
3300                return SCTP_DISPOSITION_ABORT;
3301        case SCTP_IERROR_PROTO_VIOLATION:
3302                return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
3303                                               (u8 *)chunk->subh.data_hdr,
3304                                               sctp_datahdr_len(&asoc->stream));
3305        default:
3306                BUG();
3307        }
3308
3309        /* Go a head and force a SACK, since we are shutting down. */
3310
3311        /* Implementor's Guide.
3312         *
3313         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3314         * respond to each received packet containing one or more DATA chunk(s)
3315         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3316         */
3317        if (chunk->end_of_packet) {
3318                /* We must delay the chunk creation since the cumulative
3319                 * TSN has not been updated yet.
3320                 */
3321                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3322                sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3323                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3324                                SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3325        }
3326
3327        return SCTP_DISPOSITION_CONSUME;
3328}
3329
3330/*
3331 * Section: 6.2  Processing a Received SACK
3332 * D) Any time a SACK arrives, the endpoint performs the following:
3333 *
3334 *     i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3335 *     then drop the SACK.   Since Cumulative TSN Ack is monotonically
3336 *     increasing, a SACK whose Cumulative TSN Ack is less than the
3337 *     Cumulative TSN Ack Point indicates an out-of-order SACK.
3338 *
3339 *     ii) Set rwnd equal to the newly received a_rwnd minus the number
3340 *     of bytes still outstanding after processing the Cumulative TSN Ack
3341 *     and the Gap Ack Blocks.
3342 *
3343 *     iii) If the SACK is missing a TSN that was previously
3344 *     acknowledged via a Gap Ack Block (e.g., the data receiver
3345 *     reneged on the data), then mark the corresponding DATA chunk
3346 *     as available for retransmit:  Mark it as missing for fast
3347 *     retransmit as described in Section 7.2.4 and if no retransmit
3348 *     timer is running for the destination address to which the DATA
3349 *     chunk was originally transmitted, then T3-rtx is started for
3350 *     that destination address.
3351 *
3352 * Verification Tag:  8.5 Verification Tag [Normal verification]
3353 *
3354 * Inputs
3355 * (endpoint, asoc, chunk)
3356 *
3357 * Outputs
3358 * (asoc, reply_msg, msg_up, timers, counters)
3359 *
3360 * The return value is the disposition of the chunk.
3361 */
3362enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net,
3363                                           const struct sctp_endpoint *ep,
3364                                           const struct sctp_association *asoc,
3365                                           const union sctp_subtype type,
3366                                           void *arg,
3367                                           struct sctp_cmd_seq *commands)
3368{
3369        struct sctp_chunk *chunk = arg;
3370        struct sctp_sackhdr *sackh;
3371        __u32 ctsn;
3372
3373        if (!sctp_vtag_verify(chunk, asoc))
3374                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3375
3376        /* Make sure that the SACK chunk has a valid length. */
3377        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
3378                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3379                                                  commands);
3380
3381        /* Pull the SACK chunk from the data buffer */
3382        sackh = sctp_sm_pull_sack(chunk);
3383        /* Was this a bogus SACK? */
3384        if (!sackh)
3385                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3386        chunk->subh.sack_hdr = sackh;
3387        ctsn = ntohl(sackh->cum_tsn_ack);
3388
3389        /* If Cumulative TSN Ack beyond the max tsn currently
3390         * send, terminating the association and respond to the
3391         * sender with an ABORT.
3392         */
3393        if (TSN_lte(asoc->next_tsn, ctsn))
3394                return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);
3395
3396        trace_sctp_probe(ep, asoc, chunk);
3397
3398        /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3399         *     Ack Point, then drop the SACK.  Since Cumulative TSN
3400         *     Ack is monotonically increasing, a SACK whose
3401         *     Cumulative TSN Ack is less than the Cumulative TSN Ack
3402         *     Point indicates an out-of-order SACK.
3403         */
3404        if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3405                pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, ctsn,
3406                         asoc->ctsn_ack_point);
3407
3408                return SCTP_DISPOSITION_DISCARD;
3409        }
3410
3411        /* Return this SACK for further processing.  */
3412        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));
3413
3414        /* Note: We do the rest of the work on the PROCESS_SACK
3415         * sideeffect.
3416         */
3417        return SCTP_DISPOSITION_CONSUME;
3418}
3419
3420/*
3421 * Generate an ABORT in response to a packet.
3422 *
3423 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3424 *
3425 * 8) The receiver should respond to the sender of the OOTB packet with
3426 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3427 *    MUST fill in the Verification Tag field of the outbound packet
3428 *    with the value found in the Verification Tag field of the OOTB
3429 *    packet and set the T-bit in the Chunk Flags to indicate that the
3430 *    Verification Tag is reflected.  After sending this ABORT, the
3431 *    receiver of the OOTB packet shall discard the OOTB packet and take
3432 *    no further action.
3433 *
3434 * Verification Tag:
3435 *
3436 * The return value is the disposition of the chunk.
3437*/
3438static enum sctp_disposition sctp_sf_tabort_8_4_8(
3439                                        struct net *net,
3440                                        const struct sctp_endpoint *ep,
3441                                        const struct sctp_association *asoc,
3442                                        const union sctp_subtype type,
3443                                        void *arg,
3444                                        struct sctp_cmd_seq *commands)
3445{
3446        struct sctp_packet *packet = NULL;
3447        struct sctp_chunk *chunk = arg;
3448        struct sctp_chunk *abort;
3449
3450        packet = sctp_ootb_pkt_new(net, asoc, chunk);
3451        if (!packet)
3452                return SCTP_DISPOSITION_NOMEM;
3453
3454        /* Make an ABORT. The T bit will be set if the asoc
3455         * is NULL.
3456         */
3457        abort = sctp_make_abort(asoc, chunk, 0);
3458        if (!abort) {
3459                sctp_ootb_pkt_free(packet);
3460                return SCTP_DISPOSITION_NOMEM;
3461        }
3462
3463        /* Reflect vtag if T-Bit is set */
3464        if (sctp_test_T_bit(abort))
3465                packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3466
3467        /* Set the skb to the belonging sock for accounting.  */
3468        abort->skb->sk = ep->base.sk;
3469
3470        sctp_packet_append_chunk(packet, abort);
3471
3472        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(packet));
3473
3474        SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3475
3476        sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3477        return SCTP_DISPOSITION_CONSUME;
3478}
3479
3480/* Handling of SCTP Packets Containing an INIT Chunk Matching an
3481 * Existing Associations when the UDP encap port is incorrect.
3482 *
3483 * From Section 4 at draft-tuexen-tsvwg-sctp-udp-encaps-cons-03.
3484 */
3485static enum sctp_disposition sctp_sf_new_encap_port(
3486                                        struct net *net,
3487                                        const struct sctp_endpoint *ep,
3488                                        const struct sctp_association *asoc,
3489                                        const union sctp_subtype type,
3490                                        void *arg,
3491                                        struct sctp_cmd_seq *commands)
3492{
3493        struct sctp_packet *packet = NULL;
3494        struct sctp_chunk *chunk = arg;
3495        struct sctp_chunk *abort;
3496
3497        packet = sctp_ootb_pkt_new(net, asoc, chunk);
3498        if (!packet)
3499                return SCTP_DISPOSITION_NOMEM;
3500
3501        abort = sctp_make_new_encap_port(asoc, chunk);
3502        if (!abort) {
3503                sctp_ootb_pkt_free(packet);
3504                return SCTP_DISPOSITION_NOMEM;
3505        }
3506
3507        abort->skb->sk = ep->base.sk;
3508
3509        sctp_packet_append_chunk(packet, abort);
3510
3511        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3512                        SCTP_PACKET(packet));
3513
3514        SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3515
3516        sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3517        return SCTP_DISPOSITION_CONSUME;
3518}
3519
3520/*
3521 * Received an ERROR chunk from peer.  Generate SCTP_REMOTE_ERROR
3522 * event as ULP notification for each cause included in the chunk.
3523 *
3524 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3525 *
3526 * The return value is the disposition of the chunk.
3527*/
3528enum sctp_disposition sctp_sf_operr_notify(struct net *net,
3529                                           const struct sctp_endpoint *ep,
3530                                           const struct sctp_association *asoc,
3531                                           const union sctp_subtype type,
3532                                           void *arg,
3533                                           struct sctp_cmd_seq *commands)
3534{
3535        struct sctp_chunk *chunk = arg;
3536        struct sctp_errhdr *err;
3537
3538        if (!sctp_vtag_verify(chunk, asoc))
3539                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3540
3541        /* Make sure that the ERROR chunk has a valid length. */
3542        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
3543                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3544                                                  commands);
3545        sctp_walk_errors(err, chunk->chunk_hdr);
3546        if ((void *)err != (void *)chunk->chunk_end)
3547                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3548                                                  (void *)err, commands);
3549
3550        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3551                        SCTP_CHUNK(chunk));
3552
3553        return SCTP_DISPOSITION_CONSUME;
3554}
3555
3556/*
3557 * Process an inbound SHUTDOWN ACK.
3558 *
3559 * From Section 9.2:
3560 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3561 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3562 * peer, and remove all record of the association.
3563 *
3564 * The return value is the disposition.
3565 */
3566enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
3567                                           const struct sctp_endpoint *ep,
3568                                           const struct sctp_association *asoc,
3569                                           const union sctp_subtype type,
3570                                           void *arg,
3571                                           struct sctp_cmd_seq *commands)
3572{
3573        struct sctp_chunk *chunk = arg;
3574        struct sctp_chunk *reply;
3575        struct sctp_ulpevent *ev;
3576
3577        if (!sctp_vtag_verify(chunk, asoc))
3578                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3579
3580        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3581        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3582                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3583                                                  commands);
3584        /* 10.2 H) SHUTDOWN COMPLETE notification
3585         *
3586         * When SCTP completes the shutdown procedures (section 9.2) this
3587         * notification is passed to the upper layer.
3588         */
3589        ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3590                                             0, 0, 0, NULL, GFP_ATOMIC);
3591        if (!ev)
3592                goto nomem;
3593
3594        /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3595        reply = sctp_make_shutdown_complete(asoc, chunk);
3596        if (!reply)
3597                goto nomem_chunk;
3598
3599        /* Do all the commands now (after allocation), so that we
3600         * have consistent state if memory allocation fails
3601         */
3602        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3603
3604        /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3605         * stop the T2-shutdown timer,
3606         */
3607        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3608                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3609
3610        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3611                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3612
3613        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3614                        SCTP_STATE(SCTP_STATE_CLOSED));
3615        SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
3616        SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
3617        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3618
3619        /* ...and remove all record of the association. */
3620        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3621        return SCTP_DISPOSITION_DELETE_TCB;
3622
3623nomem_chunk:
3624        sctp_ulpevent_free(ev);
3625nomem:
3626        return SCTP_DISPOSITION_NOMEM;
3627}
3628
3629/*
3630 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3631 *
3632 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3633 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3634 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3635 *    packet must fill in the Verification Tag field of the outbound
3636 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3637 *    set the T-bit in the Chunk Flags to indicate that the Verification
3638 *    Tag is reflected.
3639 *
3640 * 8) The receiver should respond to the sender of the OOTB packet with
3641 *    an ABORT.  When sending the ABORT, the receiver of the OOTB packet
3642 *    MUST fill in the Verification Tag field of the outbound packet
3643 *    with the value found in the Verification Tag field of the OOTB
3644 *    packet and set the T-bit in the Chunk Flags to indicate that the
3645 *    Verification Tag is reflected.  After sending this ABORT, the
3646 *    receiver of the OOTB packet shall discard the OOTB packet and take
3647 *    no further action.
3648 */
3649enum sctp_disposition sctp_sf_ootb(struct net *net,
3650                                   const struct sctp_endpoint *ep,
3651                                   const struct sctp_association *asoc,
3652                                   const union sctp_subtype type,
3653                                   void *arg, struct sctp_cmd_seq *commands)
3654{
3655        struct sctp_chunk *chunk = arg;
3656        struct sk_buff *skb = chunk->skb;
3657        struct sctp_chunkhdr *ch;
3658        struct sctp_errhdr *err;
3659        int ootb_cookie_ack = 0;
3660        int ootb_shut_ack = 0;
3661        __u8 *ch_end;
3662
3663        SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3664
3665        ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
3666        do {
3667                /* Report violation if the chunk is less then minimal */
3668                if (ntohs(ch->length) < sizeof(*ch))
3669                        return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3670                                                  commands);
3671
3672                /* Report violation if chunk len overflows */
3673                ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3674                if (ch_end > skb_tail_pointer(skb))
3675                        return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3676                                                  commands);
3677
3678                /* Now that we know we at least have a chunk header,
3679                 * do things that are type appropriate.
3680                 */
3681                if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3682                        ootb_shut_ack = 1;
3683
3684                /* RFC 2960, Section 3.3.7
3685                 *   Moreover, under any circumstances, an endpoint that
3686                 *   receives an ABORT  MUST NOT respond to that ABORT by
3687                 *   sending an ABORT of its own.
3688                 */
3689                if (SCTP_CID_ABORT == ch->type)
3690                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3691
3692                /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
3693                 * or a COOKIE ACK the SCTP Packet should be silently
3694                 * discarded.
3695                 */
3696
3697                if (SCTP_CID_COOKIE_ACK == ch->type)
3698                        ootb_cookie_ack = 1;
3699
3700                if (SCTP_CID_ERROR == ch->type) {
3701                        sctp_walk_errors(err, ch) {
3702                                if (SCTP_ERROR_STALE_COOKIE == err->cause) {
3703                                        ootb_cookie_ack = 1;
3704                                        break;
3705                                }
3706                        }
3707                }
3708
3709                ch = (struct sctp_chunkhdr *)ch_end;
3710        } while (ch_end < skb_tail_pointer(skb));
3711
3712        if (ootb_shut_ack)
3713                return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
3714        else if (ootb_cookie_ack)
3715                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3716        else
3717                return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
3718}
3719
3720/*
3721 * Handle an "Out of the blue" SHUTDOWN ACK.
3722 *
3723 * Section: 8.4 5, sctpimpguide 2.41.
3724 *
3725 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3726 *    respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3727 *    When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3728 *    packet must fill in the Verification Tag field of the outbound
3729 *    packet with the Verification Tag received in the SHUTDOWN ACK and
3730 *    set the T-bit in the Chunk Flags to indicate that the Verification
3731 *    Tag is reflected.
3732 *
3733 * Inputs
3734 * (endpoint, asoc, type, arg, commands)
3735 *
3736 * Outputs
3737 * (enum sctp_disposition)
3738 *
3739 * The return value is the disposition of the chunk.
3740 */
3741static enum sctp_disposition sctp_sf_shut_8_4_5(
3742                                        struct net *net,
3743                                        const struct sctp_endpoint *ep,
3744                                        const struct sctp_association *asoc,
3745                                        const union sctp_subtype type,
3746                                        void *arg,
3747                                        struct sctp_cmd_seq *commands)
3748{
3749        struct sctp_packet *packet = NULL;
3750        struct sctp_chunk *chunk = arg;
3751        struct sctp_chunk *shut;
3752
3753        packet = sctp_ootb_pkt_new(net, asoc, chunk);
3754        if (!packet)
3755                return SCTP_DISPOSITION_NOMEM;
3756
3757        /* Make an SHUTDOWN_COMPLETE.
3758         * The T bit will be set if the asoc is NULL.
3759         */
3760        shut = sctp_make_shutdown_complete(asoc, chunk);
3761        if (!shut) {
3762                sctp_ootb_pkt_free(packet);
3763                return SCTP_DISPOSITION_NOMEM;
3764        }
3765
3766        /* Reflect vtag if T-Bit is set */
3767        if (sctp_test_T_bit(shut))
3768                packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3769
3770        /* Set the skb to the belonging sock for accounting.  */
3771        shut->skb->sk = ep->base.sk;
3772
3773        sctp_packet_append_chunk(packet, shut);
3774
3775        sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3776                        SCTP_PACKET(packet));
3777
3778        SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
3779
3780        /* If the chunk length is invalid, we don't want to process
3781         * the reset of the packet.
3782         */
3783        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3784                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3785
3786        /* We need to discard the rest of the packet to prevent
3787         * potential boomming attacks from additional bundled chunks.
3788         * This is documented in SCTP Threats ID.
3789         */
3790        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3791}
3792
3793/*
3794 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3795 *
3796 * Verification Tag:  8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3797 *   If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3798 *   procedures in section 8.4 SHOULD be followed, in other words it
3799 *   should be treated as an Out Of The Blue packet.
3800 *   [This means that we do NOT check the Verification Tag on these
3801 *   chunks. --piggy ]
3802 *
3803 */
3804enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
3805                                            const struct sctp_endpoint *ep,
3806                                            const struct sctp_association *asoc,
3807                                            const union sctp_subtype type,
3808                                            void *arg,
3809                                            struct sctp_cmd_seq *commands)
3810{
3811        struct sctp_chunk *chunk = arg;
3812
3813        /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3814        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
3815                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3816                                                  commands);
3817
3818        /* Although we do have an association in this case, it corresponds
3819         * to a restarted association. So the packet is treated as an OOTB
3820         * packet and the state function that handles OOTB SHUTDOWN_ACK is
3821         * called with a NULL association.
3822         */
3823        SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
3824
3825        return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
3826}
3827
3828/* ADDIP Section 4.2 Upon reception of an ASCONF Chunk.  */
3829enum sctp_disposition sctp_sf_do_asconf(struct net *net,
3830                                        const struct sctp_endpoint *ep,
3831                                        const struct sctp_association *asoc,
3832                                        const union sctp_subtype type,
3833                                        void *arg,
3834                                        struct sctp_cmd_seq *commands)
3835{
3836        struct sctp_paramhdr *err_param = NULL;
3837        struct sctp_chunk *asconf_ack = NULL;
3838        struct sctp_chunk *chunk = arg;
3839        struct sctp_addiphdr *hdr;
3840        __u32 serial;
3841
3842        if (!sctp_vtag_verify(chunk, asoc)) {
3843                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3844                                SCTP_NULL());
3845                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3846        }
3847
3848        /* ADD-IP: Section 4.1.1
3849         * This chunk MUST be sent in an authenticated way by using
3850         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3851         * is received unauthenticated it MUST be silently discarded as
3852         * described in [I-D.ietf-tsvwg-sctp-auth].
3853         */
3854        if (!asoc->peer.asconf_capable ||
3855            (!net->sctp.addip_noauth && !chunk->auth))
3856                return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
3857                                             commands);
3858
3859        /* Make sure that the ASCONF ADDIP chunk has a valid length.  */
3860        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
3861                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3862                                                  commands);
3863
3864        hdr = (struct sctp_addiphdr *)chunk->skb->data;
3865        serial = ntohl(hdr->serial);
3866
3867        /* Verify the ASCONF chunk before processing it. */
3868        if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
3869                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
3870                                                  (void *)err_param, commands);
3871
3872        /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3873         * the endpoint stored in a new association variable
3874         * 'Peer-Serial-Number'.
3875         */
3876        if (serial == asoc->peer.addip_serial + 1) {
3877                /* If this is the first instance of ASCONF in the packet,
3878                 * we can clean our old ASCONF-ACKs.
3879                 */
3880                if (!chunk->has_asconf)
3881                        sctp_assoc_clean_asconf_ack_cache(asoc);
3882
3883                /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3884                 * expected, process the ASCONF as described below and after
3885                 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3886                 * the response packet and cache a copy of it (in the event it
3887                 * later needs to be retransmitted).
3888                 *
3889                 * Essentially, do V1-V5.
3890                 */
3891                asconf_ack = sctp_process_asconf((struct sctp_association *)
3892                                                 asoc, chunk);
3893                if (!asconf_ack)
3894                        return SCTP_DISPOSITION_NOMEM;
3895        } else if (serial < asoc->peer.addip_serial + 1) {
3896                /* ADDIP 5.2 E2)
3897                 * If the value found in the Sequence Number is less than the
3898                 * ('Peer- Sequence-Number' + 1), simply skip to the next
3899                 * ASCONF, and include in the outbound response packet
3900                 * any previously cached ASCONF-ACK response that was
3901                 * sent and saved that matches the Sequence Number of the
3902                 * ASCONF.  Note: It is possible that no cached ASCONF-ACK
3903                 * Chunk exists.  This will occur when an older ASCONF
3904                 * arrives out of order.  In such a case, the receiver
3905                 * should skip the ASCONF Chunk and not include ASCONF-ACK
3906                 * Chunk for that chunk.
3907                 */
3908                asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3909                if (!asconf_ack)
3910                        return SCTP_DISPOSITION_DISCARD;
3911
3912                /* Reset the transport so that we select the correct one
3913                 * this time around.  This is to make sure that we don't
3914                 * accidentally use a stale transport that's been removed.
3915                 */
3916                asconf_ack->transport = NULL;
3917        } else {
3918                /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3919                 * it must be either a stale packet or from an attacker.
3920                 */
3921                return SCTP_DISPOSITION_DISCARD;
3922        }
3923
3924        /* ADDIP 5.2 E6)  The destination address of the SCTP packet
3925         * containing the ASCONF-ACK Chunks MUST be the source address of
3926         * the SCTP packet that held the ASCONF Chunks.
3927         *
3928         * To do this properly, we'll set the destination address of the chunk
3929         * and at the transmit time, will try look up the transport to use.
3930         * Since ASCONFs may be bundled, the correct transport may not be
3931         * created until we process the entire packet, thus this workaround.
3932         */
3933        asconf_ack->dest = chunk->source;
3934        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3935        if (asoc->new_transport) {
3936                sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
3937                ((struct sctp_association *)asoc)->new_transport = NULL;
3938        }
3939
3940        return SCTP_DISPOSITION_CONSUME;
3941}
3942
3943static enum sctp_disposition sctp_send_next_asconf(
3944                                        struct net *net,
3945                                        const struct sctp_endpoint *ep,
3946                                        struct sctp_association *asoc,
3947                                        const union sctp_subtype type,
3948                                        struct sctp_cmd_seq *commands)
3949{
3950        struct sctp_chunk *asconf;
3951        struct list_head *entry;
3952
3953        if (list_empty(&asoc->addip_chunk_list))
3954                return SCTP_DISPOSITION_CONSUME;
3955
3956        entry = asoc->addip_chunk_list.next;
3957        asconf = list_entry(entry, struct sctp_chunk, list);
3958
3959        list_del_init(entry);
3960        sctp_chunk_hold(asconf);
3961        asoc->addip_last_asconf = asconf;
3962
3963        return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands);
3964}
3965
3966/*
3967 * ADDIP Section 4.3 General rules for address manipulation
3968 * When building TLV parameters for the ASCONF Chunk that will add or
3969 * delete IP addresses the D0 to D13 rules should be applied:
3970 */
3971enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
3972                                            const struct sctp_endpoint *ep,
3973                                            const struct sctp_association *asoc,
3974                                            const union sctp_subtype type,
3975                                            void *arg,
3976                                            struct sctp_cmd_seq *commands)
3977{
3978        struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3979        struct sctp_paramhdr *err_param = NULL;
3980        struct sctp_chunk *asconf_ack = arg;
3981        struct sctp_addiphdr *addip_hdr;
3982        __u32 sent_serial, rcvd_serial;
3983        struct sctp_chunk *abort;
3984
3985        if (!sctp_vtag_verify(asconf_ack, asoc)) {
3986                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3987                                SCTP_NULL());
3988                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
3989        }
3990
3991        /* ADD-IP, Section 4.1.2:
3992         * This chunk MUST be sent in an authenticated way by using
3993         * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3994         * is received unauthenticated it MUST be silently discarded as
3995         * described in [I-D.ietf-tsvwg-sctp-auth].
3996         */
3997        if (!asoc->peer.asconf_capable ||
3998            (!net->sctp.addip_noauth && !asconf_ack->auth))
3999                return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
4000                                             commands);
4001
4002        /* Make sure that the ADDIP chunk has a valid length.  */
4003        if (!sctp_chunk_length_valid(asconf_ack,
4004                                     sizeof(struct sctp_addip_chunk)))
4005                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4006                                                  commands);
4007
4008        addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
4009        rcvd_serial = ntohl(addip_hdr->serial);
4010
4011        /* Verify the ASCONF-ACK chunk before processing it. */
4012        if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
4013                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4014                           (void *)err_param, commands);
4015
4016        if (last_asconf) {
4017                addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr;
4018                sent_serial = ntohl(addip_hdr->serial);
4019        } else {
4020                sent_serial = asoc->addip_serial - 1;
4021        }
4022
4023        /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
4024         * equal to the next serial number to be used but no ASCONF chunk is
4025         * outstanding the endpoint MUST ABORT the association. Note that a
4026         * sequence number is greater than if it is no more than 2^^31-1
4027         * larger than the current sequence number (using serial arithmetic).
4028         */
4029        if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
4030            !(asoc->addip_last_asconf)) {
4031                abort = sctp_make_abort(asoc, asconf_ack,
4032                                        sizeof(struct sctp_errhdr));
4033                if (abort) {
4034                        sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
4035                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4036                                        SCTP_CHUNK(abort));
4037                }
4038                /* We are going to ABORT, so we might as well stop
4039                 * processing the rest of the chunks in the packet.
4040                 */
4041                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4042                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4043                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4044                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4045                                SCTP_ERROR(ECONNABORTED));
4046                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4047                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4048                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4049                SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4050                return SCTP_DISPOSITION_ABORT;
4051        }
4052
4053        if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
4054                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4055                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
4056
4057                if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
4058                                             asconf_ack))
4059                        return sctp_send_next_asconf(net, ep,
4060                                        (struct sctp_association *)asoc,
4061                                                        type, commands);
4062
4063                abort = sctp_make_abort(asoc, asconf_ack,
4064                                        sizeof(struct sctp_errhdr));
4065                if (abort) {
4066                        sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
4067                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4068                                        SCTP_CHUNK(abort));
4069                }
4070                /* We are going to ABORT, so we might as well stop
4071                 * processing the rest of the chunks in the packet.
4072                 */
4073                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4074                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4075                                SCTP_ERROR(ECONNABORTED));
4076                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4077                                SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
4078                SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
4079                SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
4080                return SCTP_DISPOSITION_ABORT;
4081        }
4082
4083        return SCTP_DISPOSITION_DISCARD;
4084}
4085
4086/* RE-CONFIG Section 5.2 Upon reception of an RECONF Chunk. */
4087enum sctp_disposition sctp_sf_do_reconf(struct net *net,
4088                                        const struct sctp_endpoint *ep,
4089                                        const struct sctp_association *asoc,
4090                                        const union sctp_subtype type,
4091                                        void *arg,
4092                                        struct sctp_cmd_seq *commands)
4093{
4094        struct sctp_paramhdr *err_param = NULL;
4095        struct sctp_chunk *chunk = arg;
4096        struct sctp_reconf_chunk *hdr;
4097        union sctp_params param;
4098
4099        if (!sctp_vtag_verify(chunk, asoc)) {
4100                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4101                                SCTP_NULL());
4102                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4103        }
4104
4105        /* Make sure that the RECONF chunk has a valid length.  */
4106        if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
4107                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4108                                                  commands);
4109
4110        if (!sctp_verify_reconf(asoc, chunk, &err_param))
4111                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
4112                                                  (void *)err_param, commands);
4113
4114        hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
4115        sctp_walk_params(param, hdr, params) {
4116                struct sctp_chunk *reply = NULL;
4117                struct sctp_ulpevent *ev = NULL;
4118
4119                if (param.p->type == SCTP_PARAM_RESET_OUT_REQUEST)
4120                        reply = sctp_process_strreset_outreq(
4121                                (struct sctp_association *)asoc, param, &ev);
4122                else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
4123                        reply = sctp_process_strreset_inreq(
4124                                (struct sctp_association *)asoc, param, &ev);
4125                else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
4126                        reply = sctp_process_strreset_tsnreq(
4127                                (struct sctp_association *)asoc, param, &ev);
4128                else if (param.p->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS)
4129                        reply = sctp_process_strreset_addstrm_out(
4130                                (struct sctp_association *)asoc, param, &ev);
4131                else if (param.p->type == SCTP_PARAM_RESET_ADD_IN_STREAMS)
4132                        reply = sctp_process_strreset_addstrm_in(
4133                                (struct sctp_association *)asoc, param, &ev);
4134                else if (param.p->type == SCTP_PARAM_RESET_RESPONSE)
4135                        reply = sctp_process_strreset_resp(
4136                                (struct sctp_association *)asoc, param, &ev);
4137
4138                if (ev)
4139                        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4140                                        SCTP_ULPEVENT(ev));
4141
4142                if (reply)
4143                        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4144                                        SCTP_CHUNK(reply));
4145        }
4146
4147        return SCTP_DISPOSITION_CONSUME;
4148}
4149
4150/*
4151 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
4152 *
4153 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
4154 * its cumulative TSN point to the value carried in the FORWARD TSN
4155 * chunk, and then MUST further advance its cumulative TSN point locally
4156 * if possible.
4157 * After the above processing, the data receiver MUST stop reporting any
4158 * missing TSNs earlier than or equal to the new cumulative TSN point.
4159 *
4160 * Verification Tag:  8.5 Verification Tag [Normal verification]
4161 *
4162 * The return value is the disposition of the chunk.
4163 */
4164enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net,
4165                                          const struct sctp_endpoint *ep,
4166                                          const struct sctp_association *asoc,
4167                                          const union sctp_subtype type,
4168                                          void *arg,
4169                                          struct sctp_cmd_seq *commands)
4170{
4171        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4172        struct sctp_chunk *chunk = arg;
4173        __u16 len;
4174        __u32 tsn;
4175
4176        if (!sctp_vtag_verify(chunk, asoc)) {
4177                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4178                                SCTP_NULL());
4179                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4180        }
4181
4182        if (!asoc->peer.prsctp_capable)
4183                return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4184
4185        /* Make sure that the FORWARD_TSN chunk has valid length.  */
4186        if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4187                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4188                                                  commands);
4189
4190        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4191        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4192        len = ntohs(chunk->chunk_hdr->length);
4193        len -= sizeof(struct sctp_chunkhdr);
4194        skb_pull(chunk->skb, len);
4195
4196        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4197        pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4198
4199        /* The TSN is too high--silently discard the chunk and count on it
4200         * getting retransmitted later.
4201         */
4202        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4203                goto discard_noforce;
4204
4205        if (!asoc->stream.si->validate_ftsn(chunk))
4206                goto discard_noforce;
4207
4208        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4209        if (len > sctp_ftsnhdr_len(&asoc->stream))
4210                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4211                                SCTP_CHUNK(chunk));
4212
4213        /* Count this as receiving DATA. */
4214        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
4215                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4216                                SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
4217        }
4218
4219        /* FIXME: For now send a SACK, but DATA processing may
4220         * send another.
4221         */
4222        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
4223
4224        return SCTP_DISPOSITION_CONSUME;
4225
4226discard_noforce:
4227        return SCTP_DISPOSITION_DISCARD;
4228}
4229
4230enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
4231                                        struct net *net,
4232                                        const struct sctp_endpoint *ep,
4233                                        const struct sctp_association *asoc,
4234                                        const union sctp_subtype type,
4235                                        void *arg,
4236                                        struct sctp_cmd_seq *commands)
4237{
4238        struct sctp_fwdtsn_hdr *fwdtsn_hdr;
4239        struct sctp_chunk *chunk = arg;
4240        __u16 len;
4241        __u32 tsn;
4242
4243        if (!sctp_vtag_verify(chunk, asoc)) {
4244                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4245                                SCTP_NULL());
4246                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4247        }
4248
4249        if (!asoc->peer.prsctp_capable)
4250                return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4251
4252        /* Make sure that the FORWARD_TSN chunk has a valid length.  */
4253        if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
4254                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4255                                                  commands);
4256
4257        fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
4258        chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
4259        len = ntohs(chunk->chunk_hdr->length);
4260        len -= sizeof(struct sctp_chunkhdr);
4261        skb_pull(chunk->skb, len);
4262
4263        tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
4264        pr_debug("%s: TSN 0x%x\n", __func__, tsn);
4265
4266        /* The TSN is too high--silently discard the chunk and count on it
4267         * getting retransmitted later.
4268         */
4269        if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
4270                goto gen_shutdown;
4271
4272        if (!asoc->stream.si->validate_ftsn(chunk))
4273                goto gen_shutdown;
4274
4275        sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
4276        if (len > sctp_ftsnhdr_len(&asoc->stream))
4277                sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
4278                                SCTP_CHUNK(chunk));
4279
4280        /* Go a head and force a SACK, since we are shutting down. */
4281gen_shutdown:
4282        /* Implementor's Guide.
4283         *
4284         * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
4285         * respond to each received packet containing one or more DATA chunk(s)
4286         * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
4287         */
4288        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
4289        sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
4290        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
4291                        SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4292
4293        return SCTP_DISPOSITION_CONSUME;
4294}
4295
4296/*
4297 * SCTP-AUTH Section 6.3 Receiving authenticated chunks
4298 *
4299 *    The receiver MUST use the HMAC algorithm indicated in the HMAC
4300 *    Identifier field.  If this algorithm was not specified by the
4301 *    receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
4302 *    during association setup, the AUTH chunk and all chunks after it MUST
4303 *    be discarded and an ERROR chunk SHOULD be sent with the error cause
4304 *    defined in Section 4.1.
4305 *
4306 *    If an endpoint with no shared key receives a Shared Key Identifier
4307 *    other than 0, it MUST silently discard all authenticated chunks.  If
4308 *    the endpoint has at least one endpoint pair shared key for the peer,
4309 *    it MUST use the key specified by the Shared Key Identifier if a
4310 *    key has been configured for that Shared Key Identifier.  If no
4311 *    endpoint pair shared key has been configured for that Shared Key
4312 *    Identifier, all authenticated chunks MUST be silently discarded.
4313 *
4314 * Verification Tag:  8.5 Verification Tag [Normal verification]
4315 *
4316 * The return value is the disposition of the chunk.
4317 */
4318static enum sctp_ierror sctp_sf_authenticate(
4319                                        const struct sctp_association *asoc,
4320                                        struct sctp_chunk *chunk)
4321{
4322        struct sctp_shared_key *sh_key = NULL;
4323        struct sctp_authhdr *auth_hdr;
4324        __u8 *save_digest, *digest;
4325        struct sctp_hmac *hmac;
4326        unsigned int sig_len;
4327        __u16 key_id;
4328
4329        /* Pull in the auth header, so we can do some more verification */
4330        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4331        chunk->subh.auth_hdr = auth_hdr;
4332        skb_pull(chunk->skb, sizeof(*auth_hdr));
4333
4334        /* Make sure that we support the HMAC algorithm from the auth
4335         * chunk.
4336         */
4337        if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
4338                return SCTP_IERROR_AUTH_BAD_HMAC;
4339
4340        /* Make sure that the provided shared key identifier has been
4341         * configured
4342         */
4343        key_id = ntohs(auth_hdr->shkey_id);
4344        if (key_id != asoc->active_key_id) {
4345                sh_key = sctp_auth_get_shkey(asoc, key_id);
4346                if (!sh_key)
4347                        return SCTP_IERROR_AUTH_BAD_KEYID;
4348        }
4349
4350        /* Make sure that the length of the signature matches what
4351         * we expect.
4352         */
4353        sig_len = ntohs(chunk->chunk_hdr->length) -
4354                  sizeof(struct sctp_auth_chunk);
4355        hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
4356        if (sig_len != hmac->hmac_len)
4357                return SCTP_IERROR_PROTO_VIOLATION;
4358
4359        /* Now that we've done validation checks, we can compute and
4360         * verify the hmac.  The steps involved are:
4361         *  1. Save the digest from the chunk.
4362         *  2. Zero out the digest in the chunk.
4363         *  3. Compute the new digest
4364         *  4. Compare saved and new digests.
4365         */
4366        digest = auth_hdr->hmac;
4367        skb_pull(chunk->skb, sig_len);
4368
4369        save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
4370        if (!save_digest)
4371                goto nomem;
4372
4373        memset(digest, 0, sig_len);
4374
4375        sctp_auth_calculate_hmac(asoc, chunk->skb,
4376                                 (struct sctp_auth_chunk *)chunk->chunk_hdr,
4377                                 sh_key, GFP_ATOMIC);
4378
4379        /* Discard the packet if the digests do not match */
4380        if (memcmp(save_digest, digest, sig_len)) {
4381                kfree(save_digest);
4382                return SCTP_IERROR_BAD_SIG;
4383        }
4384
4385        kfree(save_digest);
4386        chunk->auth = 1;
4387
4388        return SCTP_IERROR_NO_ERROR;
4389nomem:
4390        return SCTP_IERROR_NOMEM;
4391}
4392
4393enum sctp_disposition sctp_sf_eat_auth(struct net *net,
4394                                       const struct sctp_endpoint *ep,
4395                                       const struct sctp_association *asoc,
4396                                       const union sctp_subtype type,
4397                                       void *arg, struct sctp_cmd_seq *commands)
4398{
4399        struct sctp_chunk *chunk = arg;
4400        struct sctp_authhdr *auth_hdr;
4401        struct sctp_chunk *err_chunk;
4402        enum sctp_ierror error;
4403
4404        /* Make sure that the peer has AUTH capable */
4405        if (!asoc->peer.auth_capable)
4406                return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);
4407
4408        if (!sctp_vtag_verify(chunk, asoc)) {
4409                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
4410                                SCTP_NULL());
4411                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
4412        }
4413
4414        /* Make sure that the AUTH chunk has valid length.  */
4415        if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
4416                return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
4417                                                  commands);
4418
4419        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
4420        error = sctp_sf_authenticate(asoc, chunk);
4421        switch (error) {
4422        case SCTP_IERROR_AUTH_BAD_HMAC:
4423                /* Generate the ERROR chunk and discard the rest
4424                 * of the packet
4425                 */
4426                err_chunk = sctp_make_op_error(asoc, chunk,
4427                                               SCTP_ERROR_UNSUP_HMAC,
4428                                               &auth_hdr->hmac_id,