1 /* SCTP kernel implementation
2 * (C) Copyright IBM Corp. 2001, 2004
3 * Copyright (c) 1999-2000 Cisco, Inc.
4 * Copyright (c) 1999-2001 Motorola, Inc.
5 * Copyright (c) 2001-2002 Intel Corp.
6 * Copyright (c) 2002 Nokia Corp.
8 * This is part of the SCTP Linux Kernel Implementation.
10 * These are the state functions for the state machine.
12 * This SCTP implementation is free software;
13 * you can redistribute it and/or modify it under the terms of
14 * the GNU General Public License as published by
15 * the Free Software Foundation; either version 2, or (at your option)
18 * This SCTP implementation is distributed in the hope that it
19 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
20 * ************************
21 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
22 * See the GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with GNU CC; see the file COPYING. If not, write to
26 * the Free Software Foundation, 59 Temple Place - Suite 330,
27 * Boston, MA 02111-1307, USA.
29 * Please send any bug reports or fixes you make to the
31 * lksctp developers <lksctp-developers@lists.sourceforge.net>
33 * Or submit a bug report through the following website:
34 * http://www.sf.net/projects/lksctp
36 * Written or modified by:
37 * La Monte H.P. Yarroll <piggy@acm.org>
38 * Karl Knutson <karl@athena.chicago.il.us>
39 * Mathew Kotowsky <kotowsky@sctp.org>
40 * Sridhar Samudrala <samudrala@us.ibm.com>
41 * Jon Grimm <jgrimm@us.ibm.com>
42 * Hui Huang <hui.huang@nokia.com>
43 * Dajiang Zhang <dajiang.zhang@nokia.com>
44 * Daisy Chang <daisyc@us.ibm.com>
45 * Ardelle Fan <ardelle.fan@intel.com>
46 * Ryan Layer <rmlayer@us.ibm.com>
47 * Kevin Gao <kevin.gao@intel.com>
49 * Any bugs reported given to us we will try to fix... any fixes shared will
50 * be incorporated into the next SCTP release.
53 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
55 #include <linux/types.h>
56 #include <linux/kernel.h>
58 #include <linux/ipv6.h>
59 #include <linux/net.h>
60 #include <linux/inet.h>
61 #include <linux/slab.h>
63 #include <net/inet_ecn.h>
64 #include <linux/skbuff.h>
65 #include <net/sctp/sctp.h>
66 #include <net/sctp/sm.h>
67 #include <net/sctp/structs.h>
69 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
70 const struct sctp_association *asoc,
71 struct sctp_chunk *chunk,
74 static int sctp_eat_data(const struct sctp_association *asoc,
75 struct sctp_chunk *chunk,
76 sctp_cmd_seq_t *commands);
77 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
78 const struct sctp_chunk *chunk);
79 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
80 const struct sctp_association *asoc,
81 const struct sctp_chunk *chunk,
82 sctp_cmd_seq_t *commands,
83 struct sctp_chunk *err_chunk);
84 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
85 const struct sctp_association *asoc,
86 const sctp_subtype_t type,
88 sctp_cmd_seq_t *commands);
89 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
90 const struct sctp_association *asoc,
91 const sctp_subtype_t type,
93 sctp_cmd_seq_t *commands);
94 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
95 const struct sctp_association *asoc,
96 const sctp_subtype_t type,
98 sctp_cmd_seq_t *commands);
99 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
101 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
102 __be16 error, int sk_err,
103 const struct sctp_association *asoc,
104 struct sctp_transport *transport);
106 static sctp_disposition_t sctp_sf_abort_violation(
107 const struct sctp_endpoint *ep,
108 const struct sctp_association *asoc,
110 sctp_cmd_seq_t *commands,
112 const size_t paylen);
114 static sctp_disposition_t sctp_sf_violation_chunklen(
115 const struct sctp_endpoint *ep,
116 const struct sctp_association *asoc,
117 const sctp_subtype_t type,
119 sctp_cmd_seq_t *commands);
121 static sctp_disposition_t sctp_sf_violation_paramlen(
122 const struct sctp_endpoint *ep,
123 const struct sctp_association *asoc,
124 const sctp_subtype_t type,
125 void *arg, void *ext,
126 sctp_cmd_seq_t *commands);
128 static sctp_disposition_t sctp_sf_violation_ctsn(
129 const struct sctp_endpoint *ep,
130 const struct sctp_association *asoc,
131 const sctp_subtype_t type,
133 sctp_cmd_seq_t *commands);
135 static sctp_disposition_t sctp_sf_violation_chunk(
136 const struct sctp_endpoint *ep,
137 const struct sctp_association *asoc,
138 const sctp_subtype_t type,
140 sctp_cmd_seq_t *commands);
142 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
143 const struct sctp_association *asoc,
144 const sctp_subtype_t type,
145 struct sctp_chunk *chunk);
147 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
148 const struct sctp_association *asoc,
149 const sctp_subtype_t type,
151 sctp_cmd_seq_t *commands);
153 /* Small helper function that checks if the chunk length
154 * is of the appropriate length. The 'required_length' argument
155 * is set to be the size of a specific chunk we are testing.
156 * Return Values: 1 = Valid length
161 sctp_chunk_length_valid(struct sctp_chunk *chunk,
162 __u16 required_length)
164 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
166 if (unlikely(chunk_length < required_length))
172 /**********************************************************
173 * These are the state functions for handling chunk events.
174 **********************************************************/
177 * Process the final SHUTDOWN COMPLETE.
179 * Section: 4 (C) (diagram), 9.2
180 * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
181 * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
182 * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
183 * should stop the T2-shutdown timer and remove all knowledge of the
184 * association (and thus the association enters the CLOSED state).
186 * Verification Tag: 8.5.1(C), sctpimpguide 2.41.
187 * C) Rules for packet carrying SHUTDOWN COMPLETE:
189 * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
190 * if the Verification Tag field of the packet matches its own tag and
191 * the T bit is not set
193 * it is set to its peer's tag and the T bit is set in the Chunk
195 * Otherwise, the receiver MUST silently discard the packet
196 * and take no further action. An endpoint MUST ignore the
197 * SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.
200 * (endpoint, asoc, chunk)
203 * (asoc, reply_msg, msg_up, timers, counters)
205 * The return value is the disposition of the chunk.
207 sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,
208 const struct sctp_association *asoc,
209 const sctp_subtype_t type,
211 sctp_cmd_seq_t *commands)
213 struct sctp_chunk *chunk = arg;
214 struct sctp_ulpevent *ev;
216 if (!sctp_vtag_verify_either(chunk, asoc))
217 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
219 /* RFC 2960 6.10 Bundling
221 * An endpoint MUST NOT bundle INIT, INIT ACK or
222 * SHUTDOWN COMPLETE with any other chunks.
224 if (!chunk->singleton)
225 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
227 /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */
228 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
229 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
232 /* RFC 2960 10.2 SCTP-to-ULP
234 * H) SHUTDOWN COMPLETE notification
236 * When SCTP completes the shutdown procedures (section 9.2) this
237 * notification is passed to the upper layer.
239 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
240 0, 0, 0, NULL, GFP_ATOMIC);
242 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
245 /* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
246 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
247 * not the chunk should be discarded. If the endpoint is in
248 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
249 * T2-shutdown timer and remove all knowledge of the
250 * association (and thus the association enters the CLOSED
253 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
254 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
256 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
257 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
259 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
260 SCTP_STATE(SCTP_STATE_CLOSED));
262 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
263 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
265 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
267 return SCTP_DISPOSITION_DELETE_TCB;
271 * Respond to a normal INIT chunk.
272 * We are the side that is being asked for an association.
274 * Section: 5.1 Normal Establishment of an Association, B
275 * B) "Z" shall respond immediately with an INIT ACK chunk. The
276 * destination IP address of the INIT ACK MUST be set to the source
277 * IP address of the INIT to which this INIT ACK is responding. In
278 * the response, besides filling in other parameters, "Z" must set the
279 * Verification Tag field to Tag_A, and also provide its own
280 * Verification Tag (Tag_Z) in the Initiate Tag field.
282 * Verification Tag: Must be 0.
285 * (endpoint, asoc, chunk)
288 * (asoc, reply_msg, msg_up, timers, counters)
290 * The return value is the disposition of the chunk.
292 sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
293 const struct sctp_association *asoc,
294 const sctp_subtype_t type,
296 sctp_cmd_seq_t *commands)
298 struct sctp_chunk *chunk = arg;
299 struct sctp_chunk *repl;
300 struct sctp_association *new_asoc;
301 struct sctp_chunk *err_chunk;
302 struct sctp_packet *packet;
303 sctp_unrecognized_param_t *unk_param;
307 * An endpoint MUST NOT bundle INIT, INIT ACK or
308 * SHUTDOWN COMPLETE with any other chunks.
311 * Furthermore, we require that the receiver of an INIT chunk MUST
312 * enforce these rules by silently discarding an arriving packet
313 * with an INIT chunk that is bundled with other chunks.
315 if (!chunk->singleton)
316 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
318 /* If the packet is an OOTB packet which is temporarily on the
319 * control endpoint, respond with an ABORT.
321 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
322 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
323 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
326 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
329 if (chunk->sctp_hdr->vtag != 0)
330 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
332 /* Make sure that the INIT chunk has a valid length.
333 * Normally, this would cause an ABORT with a Protocol Violation
334 * error, but since we don't have an association, we'll
335 * just discard the packet.
337 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
338 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
340 /* If the INIT is coming toward a closing socket, we'll send back
341 * and ABORT. Essentially, this catches the race of INIT being
342 * backloged to the socket at the same time as the user isses close().
343 * Since the socket and all its associations are going away, we
344 * can treat this OOTB
346 if (sctp_sstate(ep->base.sk, CLOSING))
347 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
349 /* Verify the INIT chunk before processing it. */
351 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
352 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
354 /* This chunk contains fatal error. It is to be discarded.
355 * Send an ABORT, with causes if there is any.
358 packet = sctp_abort_pkt_new(ep, asoc, arg,
359 (__u8 *)(err_chunk->chunk_hdr) +
360 sizeof(sctp_chunkhdr_t),
361 ntohs(err_chunk->chunk_hdr->length) -
362 sizeof(sctp_chunkhdr_t));
364 sctp_chunk_free(err_chunk);
367 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
368 SCTP_PACKET(packet));
369 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
370 return SCTP_DISPOSITION_CONSUME;
372 return SCTP_DISPOSITION_NOMEM;
375 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
380 /* Grab the INIT header. */
381 chunk->subh.init_hdr = (sctp_inithdr_t *)chunk->skb->data;
383 /* Tag the variable length parameters. */
384 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
386 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
390 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
391 sctp_scope(sctp_source(chunk)),
395 /* The call, sctp_process_init(), can fail on memory allocation. */
396 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
398 (sctp_init_chunk_t *)chunk->chunk_hdr,
402 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
404 /* If there are errors need to be reported for unknown parameters,
405 * make sure to reserve enough room in the INIT ACK for them.
409 len = ntohs(err_chunk->chunk_hdr->length) -
410 sizeof(sctp_chunkhdr_t);
412 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
416 /* If there are errors need to be reported for unknown parameters,
417 * include them in the outgoing INIT ACK as "Unrecognized parameter"
421 /* Get the "Unrecognized parameter" parameter(s) out of the
422 * ERROR chunk generated by sctp_verify_init(). Since the
423 * error cause code for "unknown parameter" and the
424 * "Unrecognized parameter" type is the same, we can
425 * construct the parameters in INIT ACK by copying the
428 unk_param = (sctp_unrecognized_param_t *)
429 ((__u8 *)(err_chunk->chunk_hdr) +
430 sizeof(sctp_chunkhdr_t));
431 /* Replace the cause code with the "Unrecognized parameter"
434 sctp_addto_chunk(repl, len, unk_param);
435 sctp_chunk_free(err_chunk);
438 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
440 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
443 * Note: After sending out INIT ACK with the State Cookie parameter,
444 * "Z" MUST NOT allocate any resources, nor keep any states for the
445 * new association. Otherwise, "Z" will be vulnerable to resource
448 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
450 return SCTP_DISPOSITION_DELETE_TCB;
453 sctp_association_free(new_asoc);
456 sctp_chunk_free(err_chunk);
457 return SCTP_DISPOSITION_NOMEM;
461 * Respond to a normal INIT ACK chunk.
462 * We are the side that is initiating the association.
464 * Section: 5.1 Normal Establishment of an Association, C
465 * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
466 * timer and leave COOKIE-WAIT state. "A" shall then send the State
467 * Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
468 * the T1-cookie timer, and enter the COOKIE-ECHOED state.
470 * Note: The COOKIE ECHO chunk can be bundled with any pending outbound
471 * DATA chunks, but it MUST be the first chunk in the packet and
472 * until the COOKIE ACK is returned the sender MUST NOT send any
473 * other packets to the peer.
475 * Verification Tag: 3.3.3
476 * If the value of the Initiate Tag in a received INIT ACK chunk is
477 * found to be 0, the receiver MUST treat it as an error and close the
478 * association by transmitting an ABORT.
481 * (endpoint, asoc, chunk)
484 * (asoc, reply_msg, msg_up, timers, counters)
486 * The return value is the disposition of the chunk.
488 sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
489 const struct sctp_association *asoc,
490 const sctp_subtype_t type,
492 sctp_cmd_seq_t *commands)
494 struct sctp_chunk *chunk = arg;
495 sctp_init_chunk_t *initchunk;
496 struct sctp_chunk *err_chunk;
497 struct sctp_packet *packet;
499 if (!sctp_vtag_verify(chunk, asoc))
500 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
503 * An endpoint MUST NOT bundle INIT, INIT ACK or
504 * SHUTDOWN COMPLETE with any other chunks.
506 if (!chunk->singleton)
507 return sctp_sf_violation_chunk(ep, asoc, type, arg, commands);
509 /* Make sure that the INIT-ACK chunk has a valid length */
510 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t)))
511 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
513 /* Grab the INIT header. */
514 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
516 /* Verify the INIT chunk before processing it. */
518 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
519 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
522 sctp_error_t error = SCTP_ERROR_NO_RESOURCE;
524 /* This chunk contains fatal error. It is to be discarded.
525 * Send an ABORT, with causes. If there are no causes,
526 * then there wasn't enough memory. Just terminate
530 packet = sctp_abort_pkt_new(ep, asoc, arg,
531 (__u8 *)(err_chunk->chunk_hdr) +
532 sizeof(sctp_chunkhdr_t),
533 ntohs(err_chunk->chunk_hdr->length) -
534 sizeof(sctp_chunkhdr_t));
536 sctp_chunk_free(err_chunk);
539 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
540 SCTP_PACKET(packet));
541 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
542 error = SCTP_ERROR_INV_PARAM;
546 /* SCTP-AUTH, Section 6.3:
547 * It should be noted that if the receiver wants to tear
548 * down an association in an authenticated way only, the
549 * handling of malformed packets should not result in
550 * tearing down the association.
552 * This means that if we only want to abort associations
553 * in an authenticated way (i.e AUTH+ABORT), then we
554 * can't destroy this association just becuase the packet
557 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
558 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
560 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
561 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED,
562 asoc, chunk->transport);
565 /* Tag the variable length parameters. Note that we never
566 * convert the parameters in an INIT chunk.
568 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
570 initchunk = (sctp_init_chunk_t *) chunk->chunk_hdr;
572 sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
573 SCTP_PEER_INIT(initchunk));
575 /* Reset init error count upon receipt of INIT-ACK. */
576 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
578 /* 5.1 C) "A" shall stop the T1-init timer and leave
579 * COOKIE-WAIT state. "A" shall then ... start the T1-cookie
580 * timer, and enter the COOKIE-ECHOED state.
582 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
583 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
584 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
585 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
586 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
587 SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
589 /* SCTP-AUTH: genereate the assocition shared keys so that
590 * we can potentially signe the COOKIE-ECHO.
592 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
594 /* 5.1 C) "A" shall then send the State Cookie received in the
595 * INIT ACK chunk in a COOKIE ECHO chunk, ...
597 /* If there is any errors to report, send the ERROR chunk generated
598 * for unknown parameters as well.
600 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
601 SCTP_CHUNK(err_chunk));
603 return SCTP_DISPOSITION_CONSUME;
607 * Respond to a normal COOKIE ECHO chunk.
608 * We are the side that is being asked for an association.
610 * Section: 5.1 Normal Establishment of an Association, D
611 * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
612 * with a COOKIE ACK chunk after building a TCB and moving to
613 * the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
614 * any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
615 * chunk MUST be the first chunk in the packet.
617 * IMPLEMENTATION NOTE: An implementation may choose to send the
618 * Communication Up notification to the SCTP user upon reception
619 * of a valid COOKIE ECHO chunk.
621 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
622 * D) Rules for packet carrying a COOKIE ECHO
624 * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
625 * Initial Tag received in the INIT ACK.
627 * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
630 * (endpoint, asoc, chunk)
633 * (asoc, reply_msg, msg_up, timers, counters)
635 * The return value is the disposition of the chunk.
637 sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
638 const struct sctp_association *asoc,
639 const sctp_subtype_t type, void *arg,
640 sctp_cmd_seq_t *commands)
642 struct sctp_chunk *chunk = arg;
643 struct sctp_association *new_asoc;
644 sctp_init_chunk_t *peer_init;
645 struct sctp_chunk *repl;
646 struct sctp_ulpevent *ev, *ai_ev = NULL;
648 struct sctp_chunk *err_chk_p;
651 /* If the packet is an OOTB packet which is temporarily on the
652 * control endpoint, respond with an ABORT.
654 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) {
655 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
656 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
659 /* Make sure that the COOKIE_ECHO chunk has a valid length.
660 * In this case, we check that we have enough for at least a
661 * chunk header. More detailed verification is done
662 * in sctp_unpack_cookie().
664 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
665 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
667 /* If the endpoint is not listening or if the number of associations
668 * on the TCP-style socket exceed the max backlog, respond with an
672 if (!sctp_sstate(sk, LISTENING) ||
673 (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
674 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
676 /* "Decode" the chunk. We have no optional parameters so we
679 chunk->subh.cookie_hdr =
680 (struct sctp_signed_cookie *)chunk->skb->data;
681 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
682 sizeof(sctp_chunkhdr_t)))
685 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
686 * "Z" will reply with a COOKIE ACK chunk after building a TCB
687 * and moving to the ESTABLISHED state.
689 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
693 * If the re-build failed, what is the proper error path
696 * [We should abort the association. --piggy]
699 /* FIXME: Several errors are possible. A bad cookie should
700 * be silently discarded, but think about logging it too.
703 case -SCTP_IERROR_NOMEM:
706 case -SCTP_IERROR_STALE_COOKIE:
707 sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
709 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
711 case -SCTP_IERROR_BAD_SIG:
713 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
718 /* Delay state machine commands until later.
720 * Re-build the bind address for the association is done in
721 * the sctp_unpack_cookie() already.
723 /* This is a brand-new association, so these are not yet side
724 * effects--it is safe to run them here.
726 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
728 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
729 &chunk->subh.cookie_hdr->c.peer_addr,
730 peer_init, GFP_ATOMIC))
733 /* SCTP-AUTH: Now that we've populate required fields in
734 * sctp_process_init, set up the assocaition shared keys as
735 * necessary so that we can potentially authenticate the ACK
737 error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
741 /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo
742 * is supposed to be authenticated and we have to do delayed
743 * authentication. We've just recreated the association using
744 * the information in the cookie and now it's much easier to
745 * do the authentication.
747 if (chunk->auth_chunk) {
748 struct sctp_chunk auth;
751 /* set-up our fake chunk so that we can process it */
752 auth.skb = chunk->auth_chunk;
753 auth.asoc = chunk->asoc;
754 auth.sctp_hdr = chunk->sctp_hdr;
755 auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
756 sizeof(sctp_chunkhdr_t));
757 skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
758 auth.transport = chunk->transport;
760 ret = sctp_sf_authenticate(ep, new_asoc, type, &auth);
762 /* We can now safely free the auth_chunk clone */
763 kfree_skb(chunk->auth_chunk);
765 if (ret != SCTP_IERROR_NO_ERROR) {
766 sctp_association_free(new_asoc);
767 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
771 repl = sctp_make_cookie_ack(new_asoc, chunk);
775 /* RFC 2960 5.1 Normal Establishment of an Association
777 * D) IMPLEMENTATION NOTE: An implementation may choose to
778 * send the Communication Up notification to the SCTP user
779 * upon reception of a valid COOKIE ECHO chunk.
781 ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
782 new_asoc->c.sinit_num_ostreams,
783 new_asoc->c.sinit_max_instreams,
788 /* Sockets API Draft Section 5.3.1.6
789 * When a peer sends a Adaptation Layer Indication parameter , SCTP
790 * delivers this notification to inform the application that of the
791 * peers requested adaptation layer.
793 if (new_asoc->peer.adaptation_ind) {
794 ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
800 /* Add all the state machine commands now since we've created
801 * everything. This way we don't introduce memory corruptions
802 * during side-effect processing and correclty count established
805 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
806 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
807 SCTP_STATE(SCTP_STATE_ESTABLISHED));
808 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
809 SCTP_INC_STATS(SCTP_MIB_PASSIVEESTABS);
810 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
812 if (new_asoc->autoclose)
813 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
814 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
816 /* This will send the COOKIE ACK */
817 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
819 /* Queue the ASSOC_CHANGE event */
820 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
822 /* Send up the Adaptation Layer Indication event */
824 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
825 SCTP_ULPEVENT(ai_ev));
827 return SCTP_DISPOSITION_CONSUME;
830 sctp_ulpevent_free(ev);
832 sctp_chunk_free(repl);
834 sctp_association_free(new_asoc);
836 return SCTP_DISPOSITION_NOMEM;
840 * Respond to a normal COOKIE ACK chunk.
841 * We are the side that is being asked for an association.
843 * RFC 2960 5.1 Normal Establishment of an Association
845 * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
846 * COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
847 * timer. It may also notify its ULP about the successful
848 * establishment of the association with a Communication Up
849 * notification (see Section 10).
853 * (endpoint, asoc, chunk)
856 * (asoc, reply_msg, msg_up, timers, counters)
858 * The return value is the disposition of the chunk.
860 sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,
861 const struct sctp_association *asoc,
862 const sctp_subtype_t type, void *arg,
863 sctp_cmd_seq_t *commands)
865 struct sctp_chunk *chunk = arg;
866 struct sctp_ulpevent *ev;
868 if (!sctp_vtag_verify(chunk, asoc))
869 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
871 /* Verify that the chunk length for the COOKIE-ACK is OK.
872 * If we don't do this, any bundled chunks may be junked.
874 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
875 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
878 /* Reset init error count upon receipt of COOKIE-ACK,
879 * to avoid problems with the managemement of this
880 * counter in stale cookie situations when a transition back
881 * from the COOKIE-ECHOED state to the COOKIE-WAIT
882 * state is performed.
884 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
886 /* RFC 2960 5.1 Normal Establishment of an Association
888 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
889 * from the COOKIE-ECHOED state to the ESTABLISHED state,
890 * stopping the T1-cookie timer.
892 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
893 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
894 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
895 SCTP_STATE(SCTP_STATE_ESTABLISHED));
896 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
897 SCTP_INC_STATS(SCTP_MIB_ACTIVEESTABS);
898 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
900 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
901 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
903 /* It may also notify its ULP about the successful
904 * establishment of the association with a Communication Up
905 * notification (see Section 10).
907 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
908 0, asoc->c.sinit_num_ostreams,
909 asoc->c.sinit_max_instreams,
915 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
917 /* Sockets API Draft Section 5.3.1.6
918 * When a peer sends a Adaptation Layer Indication parameter , SCTP
919 * delivers this notification to inform the application that of the
920 * peers requested adaptation layer.
922 if (asoc->peer.adaptation_ind) {
923 ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);
927 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
931 return SCTP_DISPOSITION_CONSUME;
933 return SCTP_DISPOSITION_NOMEM;
936 /* Generate and sendout a heartbeat packet. */
937 static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
938 const struct sctp_association *asoc,
939 const sctp_subtype_t type,
941 sctp_cmd_seq_t *commands)
943 struct sctp_transport *transport = (struct sctp_transport *) arg;
944 struct sctp_chunk *reply;
945 sctp_sender_hb_info_t hbinfo;
948 hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
949 hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
950 hbinfo.daddr = transport->ipaddr;
951 hbinfo.sent_at = jiffies;
952 hbinfo.hb_nonce = transport->hb_nonce;
954 /* Send a heartbeat to our peer. */
955 paylen = sizeof(sctp_sender_hb_info_t);
956 reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen);
958 return SCTP_DISPOSITION_NOMEM;
960 /* Set rto_pending indicating that an RTT measurement
961 * is started with this heartbeat chunk.
963 sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
964 SCTP_TRANSPORT(transport));
966 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
967 return SCTP_DISPOSITION_CONSUME;
970 /* Generate a HEARTBEAT packet on the given transport. */
971 sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep,
972 const struct sctp_association *asoc,
973 const sctp_subtype_t type,
975 sctp_cmd_seq_t *commands)
977 struct sctp_transport *transport = (struct sctp_transport *) arg;
979 if (asoc->overall_error_count >= asoc->max_retrans) {
980 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
981 SCTP_ERROR(ETIMEDOUT));
982 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
983 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
984 SCTP_PERR(SCTP_ERROR_NO_ERROR));
985 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
986 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
987 return SCTP_DISPOSITION_DELETE_TCB;
991 * The Sender-specific Heartbeat Info field should normally include
992 * information about the sender's current time when this HEARTBEAT
993 * chunk is sent and the destination transport address to which this
994 * HEARTBEAT is sent (see Section 8.3).
997 if (transport->param_flags & SPP_HB_ENABLE) {
998 if (SCTP_DISPOSITION_NOMEM ==
999 sctp_sf_heartbeat(ep, asoc, type, arg,
1001 return SCTP_DISPOSITION_NOMEM;
1003 /* Set transport error counter and association error counter
1004 * when sending heartbeat.
1006 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
1007 SCTP_TRANSPORT(transport));
1009 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
1010 SCTP_TRANSPORT(transport));
1011 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
1012 SCTP_TRANSPORT(transport));
1014 return SCTP_DISPOSITION_CONSUME;
1018 * Process an heartbeat request.
1020 * Section: 8.3 Path Heartbeat
1021 * The receiver of the HEARTBEAT should immediately respond with a
1022 * HEARTBEAT ACK that contains the Heartbeat Information field copied
1023 * from the received HEARTBEAT chunk.
1025 * Verification Tag: 8.5 Verification Tag [Normal verification]
1026 * When receiving an SCTP packet, the endpoint MUST ensure that the
1027 * value in the Verification Tag field of the received SCTP packet
1028 * matches its own Tag. If the received Verification Tag value does not
1029 * match the receiver's own tag value, the receiver shall silently
1030 * discard the packet and shall not process it any further except for
1031 * those cases listed in Section 8.5.1 below.
1034 * (endpoint, asoc, chunk)
1037 * (asoc, reply_msg, msg_up, timers, counters)
1039 * The return value is the disposition of the chunk.
1041 sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
1042 const struct sctp_association *asoc,
1043 const sctp_subtype_t type,
1045 sctp_cmd_seq_t *commands)
1047 struct sctp_chunk *chunk = arg;
1048 struct sctp_chunk *reply;
1051 if (!sctp_vtag_verify(chunk, asoc))
1052 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1054 /* Make sure that the HEARTBEAT chunk has a valid length. */
1055 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
1056 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1059 /* 8.3 The receiver of the HEARTBEAT should immediately
1060 * respond with a HEARTBEAT ACK that contains the Heartbeat
1061 * Information field copied from the received HEARTBEAT chunk.
1063 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
1064 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
1065 if (!pskb_pull(chunk->skb, paylen))
1068 reply = sctp_make_heartbeat_ack(asoc, chunk,
1069 chunk->subh.hb_hdr, paylen);
1073 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
1074 return SCTP_DISPOSITION_CONSUME;
1077 return SCTP_DISPOSITION_NOMEM;
1081 * Process the returning HEARTBEAT ACK.
1083 * Section: 8.3 Path Heartbeat
1084 * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
1085 * should clear the error counter of the destination transport
1086 * address to which the HEARTBEAT was sent, and mark the destination
1087 * transport address as active if it is not so marked. The endpoint may
1088 * optionally report to the upper layer when an inactive destination
1089 * address is marked as active due to the reception of the latest
1090 * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
1091 * clear the association overall error count as well (as defined
1094 * The receiver of the HEARTBEAT ACK should also perform an RTT
1095 * measurement for that destination transport address using the time
1096 * value carried in the HEARTBEAT ACK chunk.
1098 * Verification Tag: 8.5 Verification Tag [Normal verification]
1101 * (endpoint, asoc, chunk)
1104 * (asoc, reply_msg, msg_up, timers, counters)
1106 * The return value is the disposition of the chunk.
1108 sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
1109 const struct sctp_association *asoc,
1110 const sctp_subtype_t type,
1112 sctp_cmd_seq_t *commands)
1114 struct sctp_chunk *chunk = arg;
1115 union sctp_addr from_addr;
1116 struct sctp_transport *link;
1117 sctp_sender_hb_info_t *hbinfo;
1118 unsigned long max_interval;
1120 if (!sctp_vtag_verify(chunk, asoc))
1121 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1123 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
1124 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +
1125 sizeof(sctp_sender_hb_info_t)))
1126 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1129 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
1130 /* Make sure that the length of the parameter is what we expect */
1131 if (ntohs(hbinfo->param_hdr.length) !=
1132 sizeof(sctp_sender_hb_info_t)) {
1133 return SCTP_DISPOSITION_DISCARD;
1136 from_addr = hbinfo->daddr;
1137 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
1139 /* This should never happen, but lets log it if so. */
1140 if (unlikely(!link)) {
1141 if (from_addr.sa.sa_family == AF_INET6) {
1142 if (net_ratelimit())
1143 pr_warn("%s association %p could not find address %pI6\n",
1146 &from_addr.v6.sin6_addr);
1148 if (net_ratelimit())
1149 pr_warn("%s association %p could not find address %pI4\n",
1152 &from_addr.v4.sin_addr.s_addr);
1154 return SCTP_DISPOSITION_DISCARD;
1157 /* Validate the 64-bit random nonce. */
1158 if (hbinfo->hb_nonce != link->hb_nonce)
1159 return SCTP_DISPOSITION_DISCARD;
1161 max_interval = link->hbinterval + link->rto;
1163 /* Check if the timestamp looks valid. */
1164 if (time_after(hbinfo->sent_at, jiffies) ||
1165 time_after(jiffies, hbinfo->sent_at + max_interval)) {
1166 SCTP_DEBUG_PRINTK("%s: HEARTBEAT ACK with invalid timestamp "
1167 "received for transport: %p\n",
1169 return SCTP_DISPOSITION_DISCARD;
1172 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
1173 * the HEARTBEAT should clear the error counter of the
1174 * destination transport address to which the HEARTBEAT was
1175 * sent and mark the destination transport address as active if
1176 * it is not so marked.
1178 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
1180 return SCTP_DISPOSITION_CONSUME;
1183 /* Helper function to send out an abort for the restart
1186 static int sctp_sf_send_restart_abort(union sctp_addr *ssa,
1187 struct sctp_chunk *init,
1188 sctp_cmd_seq_t *commands)
1191 struct sctp_packet *pkt;
1192 union sctp_addr_param *addrparm;
1193 struct sctp_errhdr *errhdr;
1194 struct sctp_endpoint *ep;
1195 char buffer[sizeof(struct sctp_errhdr)+sizeof(union sctp_addr_param)];
1196 struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
1198 /* Build the error on the stack. We are way to malloc crazy
1199 * throughout the code today.
1201 errhdr = (struct sctp_errhdr *)buffer;
1202 addrparm = (union sctp_addr_param *)errhdr->variable;
1204 /* Copy into a parm format. */
1205 len = af->to_addr_param(ssa, addrparm);
1206 len += sizeof(sctp_errhdr_t);
1208 errhdr->cause = SCTP_ERROR_RESTART;
1209 errhdr->length = htons(len);
1211 /* Assign to the control socket. */
1212 ep = sctp_sk((sctp_get_ctl_sock()))->ep;
1214 /* Association is NULL since this may be a restart attack and we
1215 * want to send back the attacker's vtag.
1217 pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len);
1221 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
1223 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1225 /* Discard the rest of the inbound packet. */
1226 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
1229 /* Even if there is no memory, treat as a failure so
1230 * the packet will get dropped.
1235 static bool list_has_sctp_addr(const struct list_head *list,
1236 union sctp_addr *ipaddr)
1238 struct sctp_transport *addr;
1240 list_for_each_entry(addr, list, transports) {
1241 if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
1247 /* A restart is occurring, check to make sure no new addresses
1248 * are being added as we may be under a takeover attack.
1250 static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
1251 const struct sctp_association *asoc,
1252 struct sctp_chunk *init,
1253 sctp_cmd_seq_t *commands)
1255 struct sctp_transport *new_addr;
1258 /* Implementor's Guide - Section 5.2.2
1260 * Before responding the endpoint MUST check to see if the
1261 * unexpected INIT adds new addresses to the association. If new
1262 * addresses are added to the association, the endpoint MUST respond
1266 /* Search through all current addresses and make sure
1267 * we aren't adding any new ones.
1269 list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
1271 if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
1272 &new_addr->ipaddr)) {
1273 sctp_sf_send_restart_abort(&new_addr->ipaddr, init,
1280 /* Return success if all addresses were found. */
1284 /* Populate the verification/tie tags based on overlapping INIT
1287 * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
1289 static void sctp_tietags_populate(struct sctp_association *new_asoc,
1290 const struct sctp_association *asoc)
1292 switch (asoc->state) {
1294 /* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
1296 case SCTP_STATE_COOKIE_WAIT:
1297 new_asoc->c.my_vtag = asoc->c.my_vtag;
1298 new_asoc->c.my_ttag = asoc->c.my_vtag;
1299 new_asoc->c.peer_ttag = 0;
1302 case SCTP_STATE_COOKIE_ECHOED:
1303 new_asoc->c.my_vtag = asoc->c.my_vtag;
1304 new_asoc->c.my_ttag = asoc->c.my_vtag;
1305 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1308 /* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
1309 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
1312 new_asoc->c.my_ttag = asoc->c.my_vtag;
1313 new_asoc->c.peer_ttag = asoc->c.peer_vtag;
1317 /* Other parameters for the endpoint SHOULD be copied from the
1318 * existing parameters of the association (e.g. number of
1319 * outbound streams) into the INIT ACK and cookie.
1321 new_asoc->rwnd = asoc->rwnd;
1322 new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
1323 new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
1324 new_asoc->c.initial_tsn = asoc->c.initial_tsn;
1328 * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
1331 * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
1333 * Returns value representing action to be taken. These action values
1334 * correspond to Action/Description values in RFC 2960, Table 2.
1336 static char sctp_tietags_compare(struct sctp_association *new_asoc,
1337 const struct sctp_association *asoc)
1339 /* In this case, the peer may have restarted. */
1340 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1341 (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
1342 (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
1343 (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
1346 /* Collision case B. */
1347 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1348 ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
1349 (0 == asoc->c.peer_vtag))) {
1353 /* Collision case D. */
1354 if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
1355 (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
1358 /* Collision case C. */
1359 if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
1360 (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
1361 (0 == new_asoc->c.my_ttag) &&
1362 (0 == new_asoc->c.peer_ttag))
1365 /* No match to any of the special cases; discard this packet. */
1369 /* Common helper routine for both duplicate and simulataneous INIT
1372 static sctp_disposition_t sctp_sf_do_unexpected_init(
1373 const struct sctp_endpoint *ep,
1374 const struct sctp_association *asoc,
1375 const sctp_subtype_t type,
1376 void *arg, sctp_cmd_seq_t *commands)
1378 sctp_disposition_t retval;
1379 struct sctp_chunk *chunk = arg;
1380 struct sctp_chunk *repl;
1381 struct sctp_association *new_asoc;
1382 struct sctp_chunk *err_chunk;
1383 struct sctp_packet *packet;
1384 sctp_unrecognized_param_t *unk_param;
1388 * An endpoint MUST NOT bundle INIT, INIT ACK or
1389 * SHUTDOWN COMPLETE with any other chunks.
1392 * Furthermore, we require that the receiver of an INIT chunk MUST
1393 * enforce these rules by silently discarding an arriving packet
1394 * with an INIT chunk that is bundled with other chunks.
1396 if (!chunk->singleton)
1397 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
1399 /* 3.1 A packet containing an INIT chunk MUST have a zero Verification
1402 if (chunk->sctp_hdr->vtag != 0)
1403 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
1405 /* Make sure that the INIT chunk has a valid length.
1406 * In this case, we generate a protocol violation since we have
1407 * an association established.
1409 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_init_chunk_t)))
1410 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1412 /* Grab the INIT header. */
1413 chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
1415 /* Tag the variable length parameters. */
1416 chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(sctp_inithdr_t));
1418 /* Verify the INIT chunk before processing it. */
1420 if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
1421 (sctp_init_chunk_t *)chunk->chunk_hdr, chunk,
1423 /* This chunk contains fatal error. It is to be discarded.
1424 * Send an ABORT, with causes if there is any.
1427 packet = sctp_abort_pkt_new(ep, asoc, arg,
1428 (__u8 *)(err_chunk->chunk_hdr) +
1429 sizeof(sctp_chunkhdr_t),
1430 ntohs(err_chunk->chunk_hdr->length) -
1431 sizeof(sctp_chunkhdr_t));
1434 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
1435 SCTP_PACKET(packet));
1436 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
1437 retval = SCTP_DISPOSITION_CONSUME;
1439 retval = SCTP_DISPOSITION_NOMEM;
1443 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
1449 * Other parameters for the endpoint SHOULD be copied from the
1450 * existing parameters of the association (e.g. number of
1451 * outbound streams) into the INIT ACK and cookie.
1452 * FIXME: We are copying parameters from the endpoint not the
1455 new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
1459 if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
1460 sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
1463 /* In the outbound INIT ACK the endpoint MUST copy its current
1464 * Verification Tag and Peers Verification tag into a reserved
1465 * place (local tie-tag and per tie-tag) within the state cookie.
1467 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1469 (sctp_init_chunk_t *)chunk->chunk_hdr,
1473 /* Make sure no new addresses are being added during the
1474 * restart. Do not do this check for COOKIE-WAIT state,
1475 * since there are no peer addresses to check against.
1476 * Upon return an ABORT will have been sent if needed.
1478 if (!sctp_state(asoc, COOKIE_WAIT)) {
1479 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
1481 retval = SCTP_DISPOSITION_CONSUME;
1486 sctp_tietags_populate(new_asoc, asoc);
1488 /* B) "Z" shall respond immediately with an INIT ACK chunk. */
1490 /* If there are errors need to be reported for unknown parameters,
1491 * make sure to reserve enough room in the INIT ACK for them.
1495 len = ntohs(err_chunk->chunk_hdr->length) -
1496 sizeof(sctp_chunkhdr_t);
1499 repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
1503 /* If there are errors need to be reported for unknown parameters,
1504 * include them in the outgoing INIT ACK as "Unrecognized parameter"
1508 /* Get the "Unrecognized parameter" parameter(s) out of the
1509 * ERROR chunk generated by sctp_verify_init(). Since the
1510 * error cause code for "unknown parameter" and the
1511 * "Unrecognized parameter" type is the same, we can
1512 * construct the parameters in INIT ACK by copying the
1513 * ERROR causes over.
1515 unk_param = (sctp_unrecognized_param_t *)
1516 ((__u8 *)(err_chunk->chunk_hdr) +
1517 sizeof(sctp_chunkhdr_t));
1518 /* Replace the cause code with the "Unrecognized parameter"
1521 sctp_addto_chunk(repl, len, unk_param);
1524 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
1525 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1528 * Note: After sending out INIT ACK with the State Cookie parameter,
1529 * "Z" MUST NOT allocate any resources for this new association.
1530 * Otherwise, "Z" will be vulnerable to resource attacks.
1532 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
1533 retval = SCTP_DISPOSITION_CONSUME;
1538 retval = SCTP_DISPOSITION_NOMEM;
1541 sctp_association_free(new_asoc);
1544 sctp_chunk_free(err_chunk);
1549 * Handle simultanous INIT.
1550 * This means we started an INIT and then we got an INIT request from
1553 * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
1554 * This usually indicates an initialization collision, i.e., each
1555 * endpoint is attempting, at about the same time, to establish an
1556 * association with the other endpoint.
1558 * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
1559 * endpoint MUST respond with an INIT ACK using the same parameters it
1560 * sent in its original INIT chunk (including its Verification Tag,
1561 * unchanged). These original parameters are combined with those from the
1562 * newly received INIT chunk. The endpoint shall also generate a State
1563 * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
1564 * INIT to calculate the State Cookie.
1566 * After that, the endpoint MUST NOT change its state, the T1-init
1567 * timer shall be left running and the corresponding TCB MUST NOT be
1568 * destroyed. The normal procedures for handling State Cookies when
1569 * a TCB exists will resolve the duplicate INITs to a single association.
1571 * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
1572 * its Tie-Tags with the Tag information of itself and its peer (see
1573 * section 5.2.2 for a description of the Tie-Tags).
1575 * Verification Tag: Not explicit, but an INIT can not have a valid
1576 * verification tag, so we skip the check.
1579 * (endpoint, asoc, chunk)
1582 * (asoc, reply_msg, msg_up, timers, counters)
1584 * The return value is the disposition of the chunk.
1586 sctp_disposition_t sctp_sf_do_5_2_1_siminit(const struct sctp_endpoint *ep,
1587 const struct sctp_association *asoc,
1588 const sctp_subtype_t type,
1590 sctp_cmd_seq_t *commands)
1592 /* Call helper to do the real work for both simulataneous and
1593 * duplicate INIT chunk handling.
1595 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1599 * Handle duplicated INIT messages. These are usually delayed
1602 * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
1603 * COOKIE-ECHOED and COOKIE-WAIT
1605 * Unless otherwise stated, upon reception of an unexpected INIT for
1606 * this association, the endpoint shall generate an INIT ACK with a
1607 * State Cookie. In the outbound INIT ACK the endpoint MUST copy its
1608 * current Verification Tag and peer's Verification Tag into a reserved
1609 * place within the state cookie. We shall refer to these locations as
1610 * the Peer's-Tie-Tag and the Local-Tie-Tag. The outbound SCTP packet
1611 * containing this INIT ACK MUST carry a Verification Tag value equal to
1612 * the Initiation Tag found in the unexpected INIT. And the INIT ACK
1613 * MUST contain a new Initiation Tag (randomly generated see Section
1614 * 5.3.1). Other parameters for the endpoint SHOULD be copied from the
1615 * existing parameters of the association (e.g. number of outbound
1616 * streams) into the INIT ACK and cookie.
1618 * After sending out the INIT ACK, the endpoint shall take no further
1619 * actions, i.e., the existing association, including its current state,
1620 * and the corresponding TCB MUST NOT be changed.
1622 * Note: Only when a TCB exists and the association is not in a COOKIE-
1623 * WAIT state are the Tie-Tags populated. For a normal association INIT
1624 * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
1625 * set to 0 (indicating that no previous TCB existed). The INIT ACK and
1626 * State Cookie are populated as specified in section 5.2.1.
1628 * Verification Tag: Not specified, but an INIT has no way of knowing
1629 * what the verification tag could be, so we ignore it.
1632 * (endpoint, asoc, chunk)
1635 * (asoc, reply_msg, msg_up, timers, counters)
1637 * The return value is the disposition of the chunk.
1639 sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep,
1640 const struct sctp_association *asoc,
1641 const sctp_subtype_t type,
1643 sctp_cmd_seq_t *commands)
1645 /* Call helper to do the real work for both simulataneous and
1646 * duplicate INIT chunk handling.
1648 return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
1653 * Unexpected INIT-ACK handler.
1656 * If an INIT ACK received by an endpoint in any state other than the
1657 * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
1658 * An unexpected INIT ACK usually indicates the processing of an old or
1659 * duplicated INIT chunk.
1661 sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep,
1662 const struct sctp_association *asoc,
1663 const sctp_subtype_t type,
1664 void *arg, sctp_cmd_seq_t *commands)
1666 /* Per the above section, we'll discard the chunk if we have an
1667 * endpoint. If this is an OOTB INIT-ACK, treat it as such.
1669 if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
1670 return sctp_sf_ootb(ep, asoc, type, arg, commands);
1672 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
1675 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
1678 * A) In this case, the peer may have restarted.
1680 static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
1681 const struct sctp_association *asoc,
1682 struct sctp_chunk *chunk,
1683 sctp_cmd_seq_t *commands,
1684 struct sctp_association *new_asoc)
1686 sctp_init_chunk_t *peer_init;
1687 struct sctp_ulpevent *ev;
1688 struct sctp_chunk *repl;
1689 struct sctp_chunk *err;
1690 sctp_disposition_t disposition;
1692 /* new_asoc is a brand-new association, so these are not yet
1693 * side effects--it is safe to run them here.
1695 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1697 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1698 sctp_source(chunk), peer_init,
1702 /* Make sure no new addresses are being added during the
1703 * restart. Though this is a pretty complicated attack
1704 * since you'd have to get inside the cookie.
1706 if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
1707 return SCTP_DISPOSITION_CONSUME;
1710 /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
1711 * the peer has restarted (Action A), it MUST NOT setup a new
1712 * association but instead resend the SHUTDOWN ACK and send an ERROR
1713 * chunk with a "Cookie Received while Shutting Down" error cause to
1716 if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
1717 disposition = sctp_sf_do_9_2_reshutack(ep, asoc,
1718 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
1720 if (SCTP_DISPOSITION_NOMEM == disposition)
1723 err = sctp_make_op_error(asoc, chunk,
1724 SCTP_ERROR_COOKIE_IN_SHUTDOWN,
1727 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
1730 return SCTP_DISPOSITION_CONSUME;
1733 /* For now, fail any unsent/unacked data. Consider the optional
1734 * choice of resending of this data.
1736 sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
1738 repl = sctp_make_cookie_ack(new_asoc, chunk);
1742 /* Report association restart to upper layer. */
1743 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
1744 new_asoc->c.sinit_num_ostreams,
1745 new_asoc->c.sinit_max_instreams,
1750 /* Update the content of current association. */
1751 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1752 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1753 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
1754 return SCTP_DISPOSITION_CONSUME;
1757 sctp_chunk_free(repl);
1759 return SCTP_DISPOSITION_NOMEM;
1762 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
1765 * B) In this case, both sides may be attempting to start an association
1766 * at about the same time but the peer endpoint started its INIT
1767 * after responding to the local endpoint's INIT
1769 /* This case represents an initialization collision. */
1770 static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,
1771 const struct sctp_association *asoc,
1772 struct sctp_chunk *chunk,
1773 sctp_cmd_seq_t *commands,
1774 struct sctp_association *new_asoc)
1776 sctp_init_chunk_t *peer_init;
1777 struct sctp_chunk *repl;
1779 /* new_asoc is a brand-new association, so these are not yet
1780 * side effects--it is safe to run them here.
1782 peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
1783 if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
1784 sctp_source(chunk), peer_init,
1788 /* Update the content of current association. */
1789 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
1790 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1791 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1792 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1793 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
1795 repl = sctp_make_cookie_ack(new_asoc, chunk);
1799 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1801 /* RFC 2960 5.1 Normal Establishment of an Association
1803 * D) IMPLEMENTATION NOTE: An implementation may choose to
1804 * send the Communication Up notification to the SCTP user
1805 * upon reception of a valid COOKIE ECHO chunk.
1807 * Sadly, this needs to be implemented as a side-effect, because
1808 * we are not guaranteed to have set the association id of the real
1809 * association and so these notifications need to be delayed until
1810 * the association id is allocated.
1813 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));
1815 /* Sockets API Draft Section 5.3.1.6
1816 * When a peer sends a Adaptation Layer Indication parameter , SCTP
1817 * delivers this notification to inform the application that of the
1818 * peers requested adaptation layer.
1820 * This also needs to be done as a side effect for the same reason as
1823 if (asoc->peer.adaptation_ind)
1824 sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());
1826 return SCTP_DISPOSITION_CONSUME;
1829 return SCTP_DISPOSITION_NOMEM;
1832 /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
1835 * C) In this case, the local endpoint's cookie has arrived late.
1836 * Before it arrived, the local endpoint sent an INIT and received an
1837 * INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
1838 * but a new tag of its own.
1840 /* This case represents an initialization collision. */
1841 static sctp_disposition_t sctp_sf_do_dupcook_c(const struct sctp_endpoint *ep,
1842 const struct sctp_association *asoc,
1843 struct sctp_chunk *chunk,
1844 sctp_cmd_seq_t *commands,
1845 struct sctp_association *new_asoc)
1847 /* The cookie should be silently discarded.
1848 * The endpoint SHOULD NOT change states and should leave
1849 * any timers running.
1851 return SCTP_DISPOSITION_DISCARD;
1854 /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
1858 * D) When both local and remote tags match the endpoint should always
1859 * enter the ESTABLISHED state, if it has not already done so.
1861 /* This case represents an initialization collision. */
1862 static sctp_disposition_t sctp_sf_do_dupcook_d(const struct sctp_endpoint *ep,
1863 const struct sctp_association *asoc,
1864 struct sctp_chunk *chunk,
1865 sctp_cmd_seq_t *commands,
1866 struct sctp_association *new_asoc)
1868 struct sctp_ulpevent *ev = NULL, *ai_ev = NULL;
1869 struct sctp_chunk *repl;
1871 /* Clarification from Implementor's Guide:
1872 * D) When both local and remote tags match the endpoint should
1873 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
1874 * It should stop any cookie timer that may be running and send
1878 /* Don't accidentally move back into established state. */
1879 if (asoc->state < SCTP_STATE_ESTABLISHED) {
1880 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
1881 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
1882 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
1883 SCTP_STATE(SCTP_STATE_ESTABLISHED));
1884 SCTP_INC_STATS(SCTP_MIB_CURRESTAB);
1885 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
1888 /* RFC 2960 5.1 Normal Establishment of an Association
1890 * D) IMPLEMENTATION NOTE: An implementation may choose
1891 * to send the Communication Up notification to the
1892 * SCTP user upon reception of a valid COOKIE
1895 ev = sctp_ulpevent_make_assoc_change(asoc, 0,
1897 asoc->c.sinit_num_ostreams,
1898 asoc->c.sinit_max_instreams,
1903 /* Sockets API Draft Section 5.3.1.6
1904 * When a peer sends a Adaptation Layer Indication parameter,
1905 * SCTP delivers this notification to inform the application
1906 * that of the peers requested adaptation layer.
1908 if (asoc->peer.adaptation_ind) {
1909 ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,
1917 repl = sctp_make_cookie_ack(new_asoc, chunk);
1921 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
1924 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1927 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
1928 SCTP_ULPEVENT(ai_ev));
1930 return SCTP_DISPOSITION_CONSUME;
1934 sctp_ulpevent_free(ai_ev);
1936 sctp_ulpevent_free(ev);
1937 return SCTP_DISPOSITION_NOMEM;
1941 * Handle a duplicate COOKIE-ECHO. This usually means a cookie-carrying
1942 * chunk was retransmitted and then delayed in the network.
1944 * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
1946 * Verification Tag: None. Do cookie validation.
1949 * (endpoint, asoc, chunk)
1952 * (asoc, reply_msg, msg_up, timers, counters)
1954 * The return value is the disposition of the chunk.
1956 sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
1957 const struct sctp_association *asoc,
1958 const sctp_subtype_t type,
1960 sctp_cmd_seq_t *commands)
1962 sctp_disposition_t retval;
1963 struct sctp_chunk *chunk = arg;
1964 struct sctp_association *new_asoc;
1967 struct sctp_chunk *err_chk_p;
1969 /* Make sure that the chunk has a valid length from the protocol
1970 * perspective. In this case check to make sure we have at least
1971 * enough for the chunk header. Cookie length verification is
1974 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
1975 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
1978 /* "Decode" the chunk. We have no optional parameters so we
1979 * are in good shape.
1981 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
1982 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
1983 sizeof(sctp_chunkhdr_t)))
1986 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
1987 * of a duplicate COOKIE ECHO match the Verification Tags of the
1988 * current association, consider the State Cookie valid even if
1989 * the lifespan is exceeded.
1991 new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
1995 * If the re-build failed, what is the proper error path
1998 * [We should abort the association. --piggy]
2001 /* FIXME: Several errors are possible. A bad cookie should
2002 * be silently discarded, but think about logging it too.
2005 case -SCTP_IERROR_NOMEM:
2008 case -SCTP_IERROR_STALE_COOKIE:
2009 sctp_send_stale_cookie_err(ep, asoc, chunk, commands,
2011 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2012 case -SCTP_IERROR_BAD_SIG:
2014 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2018 /* Compare the tie_tag in cookie with the verification tag of
2019 * current association.
2021 action = sctp_tietags_compare(new_asoc, asoc);
2024 case 'A': /* Association restart. */
2025 retval = sctp_sf_do_dupcook_a(ep, asoc, chunk, commands,
2029 case 'B': /* Collision case B. */
2030 retval = sctp_sf_do_dupcook_b(ep, asoc, chunk, commands,
2034 case 'C': /* Collision case C. */
2035 retval = sctp_sf_do_dupcook_c(ep, asoc, chunk, commands,
2039 case 'D': /* Collision case D. */
2040 retval = sctp_sf_do_dupcook_d(ep, asoc, chunk, commands,
2044 default: /* Discard packet for all others. */
2045 retval = sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2049 /* Delete the tempory new association. */
2050 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
2051 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
2056 return SCTP_DISPOSITION_NOMEM;
2060 * Process an ABORT. (SHUTDOWN-PENDING state)
2062 * See sctp_sf_do_9_1_abort().
2064 sctp_disposition_t sctp_sf_shutdown_pending_abort(
2065 const struct sctp_endpoint *ep,
2066 const struct sctp_association *asoc,
2067 const sctp_subtype_t type,
2069 sctp_cmd_seq_t *commands)
2071 struct sctp_chunk *chunk = arg;
2073 if (!sctp_vtag_verify_either(chunk, asoc))
2074 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2076 /* Make sure that the ABORT chunk has a valid length.
2077 * Since this is an ABORT chunk, we have to discard it
2078 * because of the following text:
2079 * RFC 2960, Section 3.3.7
2080 * If an endpoint receives an ABORT with a format error or for an
2081 * association that doesn't exist, it MUST silently discard it.
2082 * Becasue the length is "invalid", we can't really discard just
2083 * as we do not know its true length. So, to be safe, discard the
2086 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2087 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2089 /* ADD-IP: Special case for ABORT chunks
2090 * F4) One special consideration is that ABORT Chunks arriving
2091 * destined to the IP address being deleted MUST be
2092 * ignored (see Section 5.3.1 for further details).
2094 if (SCTP_ADDR_DEL ==
2095 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2096 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2098 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2102 * Process an ABORT. (SHUTDOWN-SENT state)
2104 * See sctp_sf_do_9_1_abort().
2106 sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,
2107 const struct sctp_association *asoc,
2108 const sctp_subtype_t type,
2110 sctp_cmd_seq_t *commands)
2112 struct sctp_chunk *chunk = arg;
2114 if (!sctp_vtag_verify_either(chunk, asoc))
2115 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2117 /* Make sure that the ABORT chunk has a valid length.
2118 * Since this is an ABORT chunk, we have to discard it
2119 * because of the following text:
2120 * RFC 2960, Section 3.3.7
2121 * If an endpoint receives an ABORT with a format error or for an
2122 * association that doesn't exist, it MUST silently discard it.
2123 * Becasue the length is "invalid", we can't really discard just
2124 * as we do not know its true length. So, to be safe, discard the
2127 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2128 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2130 /* ADD-IP: Special case for ABORT chunks
2131 * F4) One special consideration is that ABORT Chunks arriving
2132 * destined to the IP address being deleted MUST be
2133 * ignored (see Section 5.3.1 for further details).
2135 if (SCTP_ADDR_DEL ==
2136 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2137 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2139 /* Stop the T2-shutdown timer. */
2140 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2141 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2143 /* Stop the T5-shutdown guard timer. */
2144 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2145 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
2147 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2151 * Process an ABORT. (SHUTDOWN-ACK-SENT state)
2153 * See sctp_sf_do_9_1_abort().
2155 sctp_disposition_t sctp_sf_shutdown_ack_sent_abort(
2156 const struct sctp_endpoint *ep,
2157 const struct sctp_association *asoc,
2158 const sctp_subtype_t type,
2160 sctp_cmd_seq_t *commands)
2162 /* The same T2 timer, so we should be able to use
2163 * common function with the SHUTDOWN-SENT state.
2165 return sctp_sf_shutdown_sent_abort(ep, asoc, type, arg, commands);
2169 * Handle an Error received in COOKIE_ECHOED state.
2171 * Only handle the error type of stale COOKIE Error, the other errors will
2175 * (endpoint, asoc, chunk)
2178 * (asoc, reply_msg, msg_up, timers, counters)
2180 * The return value is the disposition of the chunk.
2182 sctp_disposition_t sctp_sf_cookie_echoed_err(const struct sctp_endpoint *ep,
2183 const struct sctp_association *asoc,
2184 const sctp_subtype_t type,
2186 sctp_cmd_seq_t *commands)
2188 struct sctp_chunk *chunk = arg;
2191 if (!sctp_vtag_verify(chunk, asoc))
2192 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2194 /* Make sure that the ERROR chunk has a valid length.
2195 * The parameter walking depends on this as well.
2197 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
2198 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2201 /* Process the error here */
2202 /* FUTURE FIXME: When PR-SCTP related and other optional
2203 * parms are emitted, this will have to change to handle multiple
2206 sctp_walk_errors(err, chunk->chunk_hdr) {
2207 if (SCTP_ERROR_STALE_COOKIE == err->cause)
2208 return sctp_sf_do_5_2_6_stale(ep, asoc, type,
2212 /* It is possible to have malformed error causes, and that
2213 * will cause us to end the walk early. However, since
2214 * we are discarding the packet, there should be no adverse
2217 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2221 * Handle a Stale COOKIE Error
2223 * Section: 5.2.6 Handle Stale COOKIE Error
2224 * If the association is in the COOKIE-ECHOED state, the endpoint may elect
2225 * one of the following three alternatives.
2227 * 3) Send a new INIT chunk to the endpoint, adding a Cookie
2228 * Preservative parameter requesting an extension to the lifetime of
2229 * the State Cookie. When calculating the time extension, an
2230 * implementation SHOULD use the RTT information measured based on the
2231 * previous COOKIE ECHO / ERROR exchange, and should add no more
2232 * than 1 second beyond the measured RTT, due to long State Cookie
2233 * lifetimes making the endpoint more subject to a replay attack.
2235 * Verification Tag: Not explicit, but safe to ignore.
2238 * (endpoint, asoc, chunk)
2241 * (asoc, reply_msg, msg_up, timers, counters)
2243 * The return value is the disposition of the chunk.
2245 static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
2246 const struct sctp_association *asoc,
2247 const sctp_subtype_t type,
2249 sctp_cmd_seq_t *commands)
2251 struct sctp_chunk *chunk = arg;
2253 sctp_cookie_preserve_param_t bht;
2255 struct sctp_chunk *reply;
2256 struct sctp_bind_addr *bp;
2257 int attempts = asoc->init_err_counter + 1;
2259 if (attempts > asoc->max_init_attempts) {
2260 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
2261 SCTP_ERROR(ETIMEDOUT));
2262 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2263 SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
2264 return SCTP_DISPOSITION_DELETE_TCB;
2267 err = (sctp_errhdr_t *)(chunk->skb->data);
2269 /* When calculating the time extension, an implementation
2270 * SHOULD use the RTT information measured based on the
2271 * previous COOKIE ECHO / ERROR exchange, and should add no
2272 * more than 1 second beyond the measured RTT, due to long
2273 * State Cookie lifetimes making the endpoint more subject to
2275 * Measure of Staleness's unit is usec. (1/1000000 sec)
2276 * Suggested Cookie Life-span Increment's unit is msec.
2278 * In general, if you use the suggested cookie life, the value
2279 * found in the field of measure of staleness should be doubled
2280 * to give ample time to retransmit the new cookie and thus
2281 * yield a higher probability of success on the reattempt.
2283 stale = ntohl(*(__be32 *)((u8 *)err + sizeof(sctp_errhdr_t)));
2284 stale = (stale * 2) / 1000;
2286 bht.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
2287 bht.param_hdr.length = htons(sizeof(bht));
2288 bht.lifespan_increment = htonl(stale);
2290 /* Build that new INIT chunk. */
2291 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
2292 reply = sctp_make_init(asoc, bp, GFP_ATOMIC, sizeof(bht));
2296 sctp_addto_chunk(reply, sizeof(bht), &bht);
2298 /* Clear peer's init_tag cached in assoc as we are sending a new INIT */
2299 sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());
2301 /* Stop pending T3-rtx and heartbeat timers */
2302 sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
2303 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
2305 /* Delete non-primary peer ip addresses since we are transitioning
2306 * back to the COOKIE-WAIT state
2308 sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
2310 /* If we've sent any data bundled with COOKIE-ECHO we will need to
2313 sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
2314 SCTP_TRANSPORT(asoc->peer.primary_path));
2316 /* Cast away the const modifier, as we want to just
2317 * rerun it through as a sideffect.
2319 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());
2321 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2322 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
2323 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2324 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
2325 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
2326 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2328 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2330 return SCTP_DISPOSITION_CONSUME;
2333 return SCTP_DISPOSITION_NOMEM;
2340 * After checking the Verification Tag, the receiving endpoint shall
2341 * remove the association from its record, and shall report the
2342 * termination to its upper layer.
2344 * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
2345 * B) Rules for packet carrying ABORT:
2347 * - The endpoint shall always fill in the Verification Tag field of the
2348 * outbound packet with the destination endpoint's tag value if it
2351 * - If the ABORT is sent in response to an OOTB packet, the endpoint
2352 * MUST follow the procedure described in Section 8.4.
2354 * - The receiver MUST accept the packet if the Verification Tag
2355 * matches either its own tag, OR the tag of its peer. Otherwise, the
2356 * receiver MUST silently discard the packet and take no further
2360 * (endpoint, asoc, chunk)
2363 * (asoc, reply_msg, msg_up, timers, counters)
2365 * The return value is the disposition of the chunk.
2367 sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2368 const struct sctp_association *asoc,
2369 const sctp_subtype_t type,
2371 sctp_cmd_seq_t *commands)
2373 struct sctp_chunk *chunk = arg;
2375 if (!sctp_vtag_verify_either(chunk, asoc))
2376 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2378 /* Make sure that the ABORT chunk has a valid length.
2379 * Since this is an ABORT chunk, we have to discard it
2380 * because of the following text:
2381 * RFC 2960, Section 3.3.7
2382 * If an endpoint receives an ABORT with a format error or for an
2383 * association that doesn't exist, it MUST silently discard it.
2384 * Becasue the length is "invalid", we can't really discard just
2385 * as we do not know its true length. So, to be safe, discard the
2388 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2389 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2391 /* ADD-IP: Special case for ABORT chunks
2392 * F4) One special consideration is that ABORT Chunks arriving
2393 * destined to the IP address being deleted MUST be
2394 * ignored (see Section 5.3.1 for further details).
2396 if (SCTP_ADDR_DEL ==
2397 sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
2398 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
2400 return __sctp_sf_do_9_1_abort(ep, asoc, type, arg, commands);
2403 static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2404 const struct sctp_association *asoc,
2405 const sctp_subtype_t type,
2407 sctp_cmd_seq_t *commands)
2409 struct sctp_chunk *chunk = arg;
2411 __be16 error = SCTP_ERROR_NO_ERROR;
2413 /* See if we have an error cause code in the chunk. */
2414 len = ntohs(chunk->chunk_hdr->length);
2415 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2416 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2418 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
2419 /* ASSOC_FAILED will DELETE_TCB. */
2420 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(error));
2421 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2422 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
2424 return SCTP_DISPOSITION_ABORT;
2428 * Process an ABORT. (COOKIE-WAIT state)
2430 * See sctp_sf_do_9_1_abort() above.
2432 sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
2433 const struct sctp_association *asoc,
2434 const sctp_subtype_t type,
2436 sctp_cmd_seq_t *commands)
2438 struct sctp_chunk *chunk = arg;
2440 __be16 error = SCTP_ERROR_NO_ERROR;
2442 if (!sctp_vtag_verify_either(chunk, asoc))
2443 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2445 /* Make sure that the ABORT chunk has a valid length.
2446 * Since this is an ABORT chunk, we have to discard it
2447 * because of the following text:
2448 * RFC 2960, Section 3.3.7
2449 * If an endpoint receives an ABORT with a format error or for an
2450 * association that doesn't exist, it MUST silently discard it.
2451 * Becasue the length is "invalid", we can't really discard just
2452 * as we do not know its true length. So, to be safe, discard the
2455 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_abort_chunk_t)))
2456 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2458 /* See if we have an error cause code in the chunk. */
2459 len = ntohs(chunk->chunk_hdr->length);
2460 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
2461 error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
2463 return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc,
2468 * Process an incoming ICMP as an ABORT. (COOKIE-WAIT state)
2470 sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep,
2471 const struct sctp_association *asoc,
2472 const sctp_subtype_t type,
2474 sctp_cmd_seq_t *commands)
2476 return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR,
2478 (struct sctp_transport *)arg);
2482 * Process an ABORT. (COOKIE-ECHOED state)
2484 sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep,
2485 const struct sctp_association *asoc,
2486 const sctp_subtype_t type,
2488 sctp_cmd_seq_t *commands)
2490 /* There is a single T1 timer, so we should be able to use
2491 * common function with the COOKIE-WAIT state.
2493 return sctp_sf_cookie_wait_abort(ep, asoc, type, arg, commands);
2497 * Stop T1 timer and abort association with "INIT failed".
2499 * This is common code called by several sctp_sf_*_abort() functions above.
2501 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
2502 __be16 error, int sk_err,
2503 const struct sctp_association *asoc,
2504 struct sctp_transport *transport)
2506 SCTP_DEBUG_PRINTK("ABORT received (INIT).\n");
2507 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2508 SCTP_STATE(SCTP_STATE_CLOSED));
2509 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
2510 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
2511 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
2512 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
2513 /* CMD_INIT_FAILED will DELETE_TCB. */
2514 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
2516 return SCTP_DISPOSITION_ABORT;
2520 * sctp_sf_do_9_2_shut
2523 * Upon the reception of the SHUTDOWN, the peer endpoint shall
2524 * - enter the SHUTDOWN-RECEIVED state,
2526 * - stop accepting new data from its SCTP user
2528 * - verify, by checking the Cumulative TSN Ack field of the chunk,
2529 * that all its outstanding DATA chunks have been received by the
2532 * Once an endpoint as reached the SHUTDOWN-RECEIVED state it MUST NOT
2533 * send a SHUTDOWN in response to a ULP request. And should discard
2534 * subsequent SHUTDOWN chunks.
2536 * If there are still outstanding DATA chunks left, the SHUTDOWN
2537 * receiver shall continue to follow normal data transmission
2538 * procedures defined in Section 6 until all outstanding DATA chunks
2539 * are acknowledged; however, the SHUTDOWN receiver MUST NOT accept
2540 * new data from its SCTP user.
2542 * Verification Tag: 8.5 Verification Tag [Normal verification]
2545 * (endpoint, asoc, chunk)
2548 * (asoc, reply_msg, msg_up, timers, counters)
2550 * The return value is the disposition of the chunk.
2552 sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
2553 const struct sctp_association *asoc,
2554 const sctp_subtype_t type,
2556 sctp_cmd_seq_t *commands)
2558 struct sctp_chunk *chunk = arg;
2559 sctp_shutdownhdr_t *sdh;
2560 sctp_disposition_t disposition;
2561 struct sctp_ulpevent *ev;
2564 if (!sctp_vtag_verify(chunk, asoc))
2565 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2567 /* Make sure that the SHUTDOWN chunk has a valid length. */
2568 if (!sctp_chunk_length_valid(chunk,
2569 sizeof(struct sctp_shutdown_chunk_t)))
2570 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2573 /* Convert the elaborate header. */
2574 sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2575 skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
2576 chunk->subh.shutdown_hdr = sdh;
2577 ctsn = ntohl(sdh->cum_tsn_ack);
2579 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2580 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2581 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2582 return SCTP_DISPOSITION_DISCARD;
2585 /* If Cumulative TSN Ack beyond the max tsn currently
2586 * send, terminating the association and respond to the
2587 * sender with an ABORT.
2589 if (!TSN_lt(ctsn, asoc->next_tsn))
2590 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2592 /* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
2593 * When a peer sends a SHUTDOWN, SCTP delivers this notification to
2594 * inform the application that it should cease sending data.
2596 ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
2598 disposition = SCTP_DISPOSITION_NOMEM;
2601 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
2603 /* Upon the reception of the SHUTDOWN, the peer endpoint shall
2604 * - enter the SHUTDOWN-RECEIVED state,
2605 * - stop accepting new data from its SCTP user
2607 * [This is implicit in the new state.]
2609 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
2610 SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
2611 disposition = SCTP_DISPOSITION_CONSUME;
2613 if (sctp_outq_is_empty(&asoc->outqueue)) {
2614 disposition = sctp_sf_do_9_2_shutdown_ack(ep, asoc, type,
2618 if (SCTP_DISPOSITION_NOMEM == disposition)
2621 /* - verify, by checking the Cumulative TSN Ack field of the
2622 * chunk, that all its outstanding DATA chunks have been
2623 * received by the SHUTDOWN sender.
2625 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2626 SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));
2633 * sctp_sf_do_9_2_shut_ctsn
2635 * Once an endpoint has reached the SHUTDOWN-RECEIVED state,
2636 * it MUST NOT send a SHUTDOWN in response to a ULP request.
2637 * The Cumulative TSN Ack of the received SHUTDOWN chunk
2638 * MUST be processed.
2640 sctp_disposition_t sctp_sf_do_9_2_shut_ctsn(const struct sctp_endpoint *ep,
2641 const struct sctp_association *asoc,
2642 const sctp_subtype_t type,
2644 sctp_cmd_seq_t *commands)
2646 struct sctp_chunk *chunk = arg;
2647 sctp_shutdownhdr_t *sdh;
2650 if (!sctp_vtag_verify(chunk, asoc))
2651 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2653 /* Make sure that the SHUTDOWN chunk has a valid length. */
2654 if (!sctp_chunk_length_valid(chunk,
2655 sizeof(struct sctp_shutdown_chunk_t)))
2656 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2659 sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
2660 ctsn = ntohl(sdh->cum_tsn_ack);
2662 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
2663 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
2664 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
2665 return SCTP_DISPOSITION_DISCARD;
2668 /* If Cumulative TSN Ack beyond the max tsn currently
2669 * send, terminating the association and respond to the
2670 * sender with an ABORT.
2672 if (!TSN_lt(ctsn, asoc->next_tsn))
2673 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
2675 /* verify, by checking the Cumulative TSN Ack field of the
2676 * chunk, that all its outstanding DATA chunks have been
2677 * received by the SHUTDOWN sender.
2679 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
2680 SCTP_BE32(sdh->cum_tsn_ack));
2682 return SCTP_DISPOSITION_CONSUME;
2686 * If an endpoint is in SHUTDOWN-ACK-SENT state and receives an INIT chunk
2687 * (e.g., if the SHUTDOWN COMPLETE was lost) with source and destination
2688 * transport addresses (either in the IP addresses or in the INIT chunk)
2689 * that belong to this association, it should discard the INIT chunk and
2690 * retransmit the SHUTDOWN ACK chunk.
2692 sctp_disposition_t sctp_sf_do_9_2_reshutack(const struct sctp_endpoint *ep,
2693 const struct sctp_association *asoc,
2694 const sctp_subtype_t type,
2696 sctp_cmd_seq_t *commands)
2698 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
2699 struct sctp_chunk *reply;
2701 /* Make sure that the chunk has a valid length */
2702 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
2703 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2706 /* Since we are not going to really process this INIT, there
2707 * is no point in verifying chunk boundries. Just generate
2710 reply = sctp_make_shutdown_ack(asoc, chunk);
2714 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
2715 * the T2-SHUTDOWN timer.
2717 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
2719 /* and restart the T2-shutdown timer. */
2720 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2721 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
2723 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
2725 return SCTP_DISPOSITION_CONSUME;
2727 return SCTP_DISPOSITION_NOMEM;
2731 * sctp_sf_do_ecn_cwr
2733 * Section: Appendix A: Explicit Congestion Notification
2737 * RFC 2481 details a specific bit for a sender to send in the header of
2738 * its next outbound TCP segment to indicate to its peer that it has
2739 * reduced its congestion window. This is termed the CWR bit. For
2740 * SCTP the same indication is made by including the CWR chunk.
2741 * This chunk contains one data element, i.e. the TSN number that
2742 * was sent in the ECNE chunk. This element represents the lowest
2743 * TSN number in the datagram that was originally marked with the
2746 * Verification Tag: 8.5 Verification Tag [Normal verification]
2748 * (endpoint, asoc, chunk)
2751 * (asoc, reply_msg, msg_up, timers, counters)
2753 * The return value is the disposition of the chunk.
2755 sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,
2756 const struct sctp_association *asoc,
2757 const sctp_subtype_t type,
2759 sctp_cmd_seq_t *commands)
2762 struct sctp_chunk *chunk = arg;
2765 if (!sctp_vtag_verify(chunk, asoc))
2766 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2768 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2769 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2772 cwr = (sctp_cwrhdr_t *) chunk->skb->data;
2773 skb_pull(chunk->skb, sizeof(sctp_cwrhdr_t));
2775 lowest_tsn = ntohl(cwr->lowest_tsn);
2777 /* Does this CWR ack the last sent congestion notification? */
2778 if (TSN_lte(asoc->last_ecne_tsn, lowest_tsn)) {
2779 /* Stop sending ECNE. */
2780 sctp_add_cmd_sf(commands,
2782 SCTP_U32(lowest_tsn));
2784 return SCTP_DISPOSITION_CONSUME;
2790 * Section: Appendix A: Explicit Congestion Notification
2794 * RFC 2481 details a specific bit for a receiver to send back in its
2795 * TCP acknowledgements to notify the sender of the Congestion
2796 * Experienced (CE) bit having arrived from the network. For SCTP this
2797 * same indication is made by including the ECNE chunk. This chunk
2798 * contains one data element, i.e. the lowest TSN associated with the IP
2799 * datagram marked with the CE bit.....
2801 * Verification Tag: 8.5 Verification Tag [Normal verification]
2803 * (endpoint, asoc, chunk)
2806 * (asoc, reply_msg, msg_up, timers, counters)
2808 * The return value is the disposition of the chunk.
2810 sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,
2811 const struct sctp_association *asoc,
2812 const sctp_subtype_t type,
2814 sctp_cmd_seq_t *commands)
2816 sctp_ecnehdr_t *ecne;
2817 struct sctp_chunk *chunk = arg;
2819 if (!sctp_vtag_verify(chunk, asoc))
2820 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2822 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_ecne_chunk_t)))
2823 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2826 ecne = (sctp_ecnehdr_t *) chunk->skb->data;
2827 skb_pull(chunk->skb, sizeof(sctp_ecnehdr_t));
2829 /* If this is a newer ECNE than the last CWR packet we sent out */
2830 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
2831 SCTP_U32(ntohl(ecne->lowest_tsn)));
2833 return SCTP_DISPOSITION_CONSUME;
2837 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
2839 * The SCTP endpoint MUST always acknowledge the reception of each valid
2842 * The guidelines on delayed acknowledgement algorithm specified in
2843 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
2844 * acknowledgement SHOULD be generated for at least every second packet
2845 * (not every second DATA chunk) received, and SHOULD be generated within
2846 * 200 ms of the arrival of any unacknowledged DATA chunk. In some
2847 * situations it may be beneficial for an SCTP transmitter to be more
2848 * conservative than the algorithms detailed in this document allow.
2849 * However, an SCTP transmitter MUST NOT be more aggressive than the
2850 * following algorithms allow.
2852 * A SCTP receiver MUST NOT generate more than one SACK for every
2853 * incoming packet, other than to update the offered window as the
2854 * receiving application consumes new data.
2856 * Verification Tag: 8.5 Verification Tag [Normal verification]
2859 * (endpoint, asoc, chunk)
2862 * (asoc, reply_msg, msg_up, timers, counters)
2864 * The return value is the disposition of the chunk.
2866 sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,
2867 const struct sctp_association *asoc,
2868 const sctp_subtype_t type,
2870 sctp_cmd_seq_t *commands)
2872 struct sctp_chunk *chunk = arg;
2873 sctp_arg_t force = SCTP_NOFORCE();
2876 if (!sctp_vtag_verify(chunk, asoc)) {
2877 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2879 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
2882 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
2883 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
2886 error = sctp_eat_data(asoc, chunk, commands );
2888 case SCTP_IERROR_NO_ERROR:
2890 case SCTP_IERROR_HIGH_TSN:
2891 case SCTP_IERROR_BAD_STREAM:
2892 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2893 goto discard_noforce;
2894 case SCTP_IERROR_DUP_TSN:
2895 case SCTP_IERROR_IGNORE_TSN:
2896 SCTP_INC_STATS(SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
2898 case SCTP_IERROR_NO_DATA:
2900 case SCTP_IERROR_PROTO_VIOLATION:
2901 return sctp_sf_abort_violation(ep, asoc, chunk, commands,
2902 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
2907 if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
2908 force = SCTP_FORCE();
2910 if (asoc->autoclose) {
2911 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
2912 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
2915 /* If this is the last chunk in a packet, we need to count it
2916 * toward sack generation. Note that we need to SACK every
2917 * OTHER packet containing data chunks, EVEN IF WE DISCARD
2918 * THEM. We elect to NOT generate SACK's if the chunk fails
2919 * the verification tag test.
2921 * RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2923 * The SCTP endpoint MUST always acknowledge the reception of
2924 * each valid DATA chunk.
2926 * The guidelines on delayed acknowledgement algorithm
2927 * specified in Section 4.2 of [RFC2581] SHOULD be followed.
2928 * Specifically, an acknowledgement SHOULD be generated for at
2929 * least every second packet (not every second DATA chunk)
2930 * received, and SHOULD be generated within 200 ms of the
2931 * arrival of any unacknowledged DATA chunk. In some
2932 * situations it may be beneficial for an SCTP transmitter to
2933 * be more conservative than the algorithms detailed in this
2934 * document allow. However, an SCTP transmitter MUST NOT be
2935 * more aggressive than the following algorithms allow.
2937 if (chunk->end_of_packet)
2938 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
2940 return SCTP_DISPOSITION_CONSUME;
2943 /* RFC 2960 6.2 Acknowledgement on Reception of DATA Chunks
2945 * When a packet arrives with duplicate DATA chunk(s) and with
2946 * no new DATA chunk(s), the endpoint MUST immediately send a
2947 * SACK with no delay. If a packet arrives with duplicate
2948 * DATA chunk(s) bundled with new DATA chunks, the endpoint
2949 * MAY immediately send a SACK. Normally receipt of duplicate
2950 * DATA chunks will occur when the original SACK chunk was lost
2951 * and the peer's RTO has expired. The duplicate TSN number(s)
2952 * SHOULD be reported in the SACK as duplicate.
2954 /* In our case, we split the MAY SACK advice up whether or not
2955 * the last chunk is a duplicate.'
2957 if (chunk->end_of_packet)
2958 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
2959 return SCTP_DISPOSITION_DISCARD;
2962 if (chunk->end_of_packet)
2963 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, force);
2965 return SCTP_DISPOSITION_DISCARD;
2967 return SCTP_DISPOSITION_CONSUME;
2972 * sctp_sf_eat_data_fast_4_4
2975 * (4) In SHUTDOWN-SENT state the endpoint MUST acknowledge any received
2976 * DATA chunks without delay.
2978 * Verification Tag: 8.5 Verification Tag [Normal verification]
2980 * (endpoint, asoc, chunk)
2983 * (asoc, reply_msg, msg_up, timers, counters)
2985 * The return value is the disposition of the chunk.
2987 sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,
2988 const struct sctp_association *asoc,
2989 const sctp_subtype_t type,
2991 sctp_cmd_seq_t *commands)
2993 struct sctp_chunk *chunk = arg;
2996 if (!sctp_vtag_verify(chunk, asoc)) {
2997 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
2999 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3002 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_data_chunk_t)))
3003 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3006 error = sctp_eat_data(asoc, chunk, commands );
3008 case SCTP_IERROR_NO_ERROR:
3009 case SCTP_IERROR_HIGH_TSN:
3010 case SCTP_IERROR_DUP_TSN:
3011 case SCTP_IERROR_IGNORE_TSN:
3012 case SCTP_IERROR_BAD_STREAM:
3014 case SCTP_IERROR_NO_DATA:
3016 case SCTP_IERROR_PROTO_VIOLATION:
3017 return sctp_sf_abort_violation(ep, asoc, chunk, commands,
3018 (u8 *)chunk->subh.data_hdr, sizeof(sctp_datahdr_t));
3023 /* Go a head and force a SACK, since we are shutting down. */
3025 /* Implementor's Guide.
3027 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3028 * respond to each received packet containing one or more DATA chunk(s)
3029 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3031 if (chunk->end_of_packet) {
3032 /* We must delay the chunk creation since the cumulative
3033 * TSN has not been updated yet.
3035 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3036 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3037 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3038 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3042 return SCTP_DISPOSITION_CONSUME;
3046 * Section: 6.2 Processing a Received SACK
3047 * D) Any time a SACK arrives, the endpoint performs the following:
3049 * i) If Cumulative TSN Ack is less than the Cumulative TSN Ack Point,
3050 * then drop the SACK. Since Cumulative TSN Ack is monotonically
3051 * increasing, a SACK whose Cumulative TSN Ack is less than the
3052 * Cumulative TSN Ack Point indicates an out-of-order SACK.
3054 * ii) Set rwnd equal to the newly received a_rwnd minus the number
3055 * of bytes still outstanding after processing the Cumulative TSN Ack
3056 * and the Gap Ack Blocks.
3058 * iii) If the SACK is missing a TSN that was previously
3059 * acknowledged via a Gap Ack Block (e.g., the data receiver
3060 * reneged on the data), then mark the corresponding DATA chunk
3061 * as available for retransmit: Mark it as missing for fast
3062 * retransmit as described in Section 7.2.4 and if no retransmit
3063 * timer is running for the destination address to which the DATA
3064 * chunk was originally transmitted, then T3-rtx is started for
3065 * that destination address.
3067 * Verification Tag: 8.5 Verification Tag [Normal verification]
3070 * (endpoint, asoc, chunk)
3073 * (asoc, reply_msg, msg_up, timers, counters)
3075 * The return value is the disposition of the chunk.
3077 sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
3078 const struct sctp_association *asoc,
3079 const sctp_subtype_t type,
3081 sctp_cmd_seq_t *commands)
3083 struct sctp_chunk *chunk = arg;
3084 sctp_sackhdr_t *sackh;
3087 if (!sctp_vtag_verify(chunk, asoc))
3088 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3090 /* Make sure that the SACK chunk has a valid length. */
3091 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_sack_chunk_t)))
3092 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3095 /* Pull the SACK chunk from the data buffer */
3096 sackh = sctp_sm_pull_sack(chunk);
3097 /* Was this a bogus SACK? */
3099 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3100 chunk->subh.sack_hdr = sackh;
3101 ctsn = ntohl(sackh->cum_tsn_ack);
3103 /* i) If Cumulative TSN Ack is less than the Cumulative TSN
3104 * Ack Point, then drop the SACK. Since Cumulative TSN
3105 * Ack is monotonically increasing, a SACK whose
3106 * Cumulative TSN Ack is less than the Cumulative TSN Ack
3107 * Point indicates an out-of-order SACK.
3109 if (TSN_lt(ctsn, asoc->ctsn_ack_point)) {
3110 SCTP_DEBUG_PRINTK("ctsn %x\n", ctsn);
3111 SCTP_DEBUG_PRINTK("ctsn_ack_point %x\n", asoc->ctsn_ack_point);
3112 return SCTP_DISPOSITION_DISCARD;
3115 /* If Cumulative TSN Ack beyond the max tsn currently
3116 * send, terminating the association and respond to the
3117 * sender with an ABORT.
3119 if (!TSN_lt(ctsn, asoc->next_tsn))
3120 return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
3122 /* Return this SACK for further processing. */
3123 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_SACKH(sackh));
3125 /* Note: We do the rest of the work on the PROCESS_SACK
3128 return SCTP_DISPOSITION_CONSUME;
3132 * Generate an ABORT in response to a packet.
3134 * Section: 8.4 Handle "Out of the blue" Packets, sctpimpguide 2.41
3136 * 8) The receiver should respond to the sender of the OOTB packet with
3137 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3138 * MUST fill in the Verification Tag field of the outbound packet
3139 * with the value found in the Verification Tag field of the OOTB
3140 * packet and set the T-bit in the Chunk Flags to indicate that the
3141 * Verification Tag is reflected. After sending this ABORT, the
3142 * receiver of the OOTB packet shall discard the OOTB packet and take
3143 * no further action.
3147 * The return value is the disposition of the chunk.
3149 static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep,
3150 const struct sctp_association *asoc,
3151 const sctp_subtype_t type,
3153 sctp_cmd_seq_t *commands)
3155 struct sctp_packet *packet = NULL;
3156 struct sctp_chunk *chunk = arg;
3157 struct sctp_chunk *abort;
3159 packet = sctp_ootb_pkt_new(asoc, chunk);
3162 /* Make an ABORT. The T bit will be set if the asoc
3165 abort = sctp_make_abort(asoc, chunk, 0);
3167 sctp_ootb_pkt_free(packet);
3168 return SCTP_DISPOSITION_NOMEM;
3171 /* Reflect vtag if T-Bit is set */
3172 if (sctp_test_T_bit(abort))
3173 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3175 /* Set the skb to the belonging sock for accounting. */
3176 abort->skb->sk = ep->base.sk;
3178 sctp_packet_append_chunk(packet, abort);
3180 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3181 SCTP_PACKET(packet));
3183 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3185 sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3186 return SCTP_DISPOSITION_CONSUME;
3189 return SCTP_DISPOSITION_NOMEM;
3193 * Received an ERROR chunk from peer. Generate SCTP_REMOTE_ERROR
3194 * event as ULP notification for each cause included in the chunk.
3196 * API 5.3.1.3 - SCTP_REMOTE_ERROR
3198 * The return value is the disposition of the chunk.
3200 sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
3201 const struct sctp_association *asoc,
3202 const sctp_subtype_t type,
3204 sctp_cmd_seq_t *commands)
3206 struct sctp_chunk *chunk = arg;
3208 if (!sctp_vtag_verify(chunk, asoc))
3209 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3211 /* Make sure that the ERROR chunk has a valid length. */
3212 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
3213 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3216 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
3219 return SCTP_DISPOSITION_CONSUME;
3223 * Process an inbound SHUTDOWN ACK.
3226 * Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3227 * stop the T2-shutdown timer, send a SHUTDOWN COMPLETE chunk to its
3228 * peer, and remove all record of the association.
3230 * The return value is the disposition.
3232 sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,
3233 const struct sctp_association *asoc,
3234 const sctp_subtype_t type,
3236 sctp_cmd_seq_t *commands)
3238 struct sctp_chunk *chunk = arg;
3239 struct sctp_chunk *reply;
3240 struct sctp_ulpevent *ev;
3242 if (!sctp_vtag_verify(chunk, asoc))
3243 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3245 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3246 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3247 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3249 /* 10.2 H) SHUTDOWN COMPLETE notification
3251 * When SCTP completes the shutdown procedures (section 9.2) this
3252 * notification is passed to the upper layer.
3254 ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
3255 0, 0, 0, NULL, GFP_ATOMIC);
3259 /* ...send a SHUTDOWN COMPLETE chunk to its peer, */
3260 reply = sctp_make_shutdown_complete(asoc, chunk);
3264 /* Do all the commands now (after allocation), so that we
3265 * have consistent state if memory allocation failes
3267 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
3269 /* Upon the receipt of the SHUTDOWN ACK, the SHUTDOWN sender shall
3270 * stop the T2-shutdown timer,
3272 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3273 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3275 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3276 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
3278 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
3279 SCTP_STATE(SCTP_STATE_CLOSED));
3280 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
3281 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3282 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
3284 /* ...and remove all record of the association. */
3285 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
3286 return SCTP_DISPOSITION_DELETE_TCB;
3289 sctp_ulpevent_free(ev);
3291 return SCTP_DISPOSITION_NOMEM;
3295 * RFC 2960, 8.4 - Handle "Out of the blue" Packets, sctpimpguide 2.41.
3297 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3298 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3299 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3300 * packet must fill in the Verification Tag field of the outbound
3301 * packet with the Verification Tag received in the SHUTDOWN ACK and
3302 * set the T-bit in the Chunk Flags to indicate that the Verification
3305 * 8) The receiver should respond to the sender of the OOTB packet with
3306 * an ABORT. When sending the ABORT, the receiver of the OOTB packet
3307 * MUST fill in the Verification Tag field of the outbound packet
3308 * with the value found in the Verification Tag field of the OOTB
3309 * packet and set the T-bit in the Chunk Flags to indicate that the
3310 * Verification Tag is reflected. After sending this ABORT, the
3311 * receiver of the OOTB packet shall discard the OOTB packet and take
3312 * no further action.
3314 sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
3315 const struct sctp_association *asoc,
3316 const sctp_subtype_t type,
3318 sctp_cmd_seq_t *commands)
3320 struct sctp_chunk *chunk = arg;
3321 struct sk_buff *skb = chunk->skb;
3322 sctp_chunkhdr_t *ch;
3324 int ootb_shut_ack = 0;
3326 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3328 ch = (sctp_chunkhdr_t *) chunk->chunk_hdr;
3330 /* Report violation if the chunk is less then minimal */
3331 if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
3332 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3335 /* Now that we know we at least have a chunk header,
3336 * do things that are type appropriate.
3338 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
3341 /* RFC 2960, Section 3.3.7
3342 * Moreover, under any circumstances, an endpoint that
3343 * receives an ABORT MUST NOT respond to that ABORT by
3344 * sending an ABORT of its own.
3346 if (SCTP_CID_ABORT == ch->type)
3347 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3349 /* Report violation if chunk len overflows */
3350 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
3351 if (ch_end > skb_tail_pointer(skb))
3352 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3355 ch = (sctp_chunkhdr_t *) ch_end;
3356 } while (ch_end < skb_tail_pointer(skb));
3359 return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);
3361 return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
3365 * Handle an "Out of the blue" SHUTDOWN ACK.
3367 * Section: 8.4 5, sctpimpguide 2.41.
3369 * 5) If the packet contains a SHUTDOWN ACK chunk, the receiver should
3370 * respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.
3371 * When sending the SHUTDOWN COMPLETE, the receiver of the OOTB
3372 * packet must fill in the Verification Tag field of the outbound
3373 * packet with the Verification Tag received in the SHUTDOWN ACK and
3374 * set the T-bit in the Chunk Flags to indicate that the Verification
3378 * (endpoint, asoc, type, arg, commands)
3381 * (sctp_disposition_t)
3383 * The return value is the disposition of the chunk.
3385 static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
3386 const struct sctp_association *asoc,
3387 const sctp_subtype_t type,
3389 sctp_cmd_seq_t *commands)
3391 struct sctp_packet *packet = NULL;
3392 struct sctp_chunk *chunk = arg;
3393 struct sctp_chunk *shut;
3395 packet = sctp_ootb_pkt_new(asoc, chunk);
3398 /* Make an SHUTDOWN_COMPLETE.
3399 * The T bit will be set if the asoc is NULL.
3401 shut = sctp_make_shutdown_complete(asoc, chunk);
3403 sctp_ootb_pkt_free(packet);
3404 return SCTP_DISPOSITION_NOMEM;
3407 /* Reflect vtag if T-Bit is set */
3408 if (sctp_test_T_bit(shut))
3409 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
3411 /* Set the skb to the belonging sock for accounting. */
3412 shut->skb->sk = ep->base.sk;
3414 sctp_packet_append_chunk(packet, shut);
3416 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
3417 SCTP_PACKET(packet));
3419 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
3421 /* If the chunk length is invalid, we don't want to process
3422 * the reset of the packet.
3424 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3425 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3427 /* We need to discard the rest of the packet to prevent
3428 * potential bomming attacks from additional bundled chunks.
3429 * This is documented in SCTP Threats ID.
3431 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3434 return SCTP_DISPOSITION_NOMEM;
3438 * Handle SHUTDOWN ACK in COOKIE_ECHOED or COOKIE_WAIT state.
3440 * Verification Tag: 8.5.1 E) Rules for packet carrying a SHUTDOWN ACK
3441 * If the receiver is in COOKIE-ECHOED or COOKIE-WAIT state the
3442 * procedures in section 8.4 SHOULD be followed, in other words it
3443 * should be treated as an Out Of The Blue packet.
3444 * [This means that we do NOT check the Verification Tag on these
3448 sctp_disposition_t sctp_sf_do_8_5_1_E_sa(const struct sctp_endpoint *ep,
3449 const struct sctp_association *asoc,
3450 const sctp_subtype_t type,
3452 sctp_cmd_seq_t *commands)
3454 struct sctp_chunk *chunk = arg;
3456 /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
3457 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
3458 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3461 /* Although we do have an association in this case, it corresponds
3462 * to a restarted association. So the packet is treated as an OOTB
3463 * packet and the state function that handles OOTB SHUTDOWN_ACK is
3464 * called with a NULL association.
3466 SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
3468 return sctp_sf_shut_8_4_5(ep, NULL, type, arg, commands);
3471 /* ADDIP Section 4.2 Upon reception of an ASCONF Chunk. */
3472 sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep,
3473 const struct sctp_association *asoc,
3474 const sctp_subtype_t type, void *arg,
3475 sctp_cmd_seq_t *commands)
3477 struct sctp_chunk *chunk = arg;
3478 struct sctp_chunk *asconf_ack = NULL;
3479 struct sctp_paramhdr *err_param = NULL;
3480 sctp_addiphdr_t *hdr;
3481 union sctp_addr_param *addr_param;
3485 if (!sctp_vtag_verify(chunk, asoc)) {
3486 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3488 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3491 /* ADD-IP: Section 4.1.1
3492 * This chunk MUST be sent in an authenticated way by using
3493 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3494 * is received unauthenticated it MUST be silently discarded as
3495 * described in [I-D.ietf-tsvwg-sctp-auth].
3497 if (!sctp_addip_noauth && !chunk->auth)
3498 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3500 /* Make sure that the ASCONF ADDIP chunk has a valid length. */
3501 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_addip_chunk_t)))
3502 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3505 hdr = (sctp_addiphdr_t *)chunk->skb->data;
3506 serial = ntohl(hdr->serial);
3508 addr_param = (union sctp_addr_param *)hdr->params;
3509 length = ntohs(addr_param->p.length);
3510 if (length < sizeof(sctp_paramhdr_t))
3511 return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3512 (void *)addr_param, commands);
3514 /* Verify the ASCONF chunk before processing it. */
3515 if (!sctp_verify_asconf(asoc,
3516 (sctp_paramhdr_t *)((void *)addr_param + length),
3517 (void *)chunk->chunk_end,
3519 return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3520 (void *)err_param, commands);
3522 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
3523 * the endpoint stored in a new association variable
3524 * 'Peer-Serial-Number'.
3526 if (serial == asoc->peer.addip_serial + 1) {
3527 /* If this is the first instance of ASCONF in the packet,
3528 * we can clean our old ASCONF-ACKs.
3530 if (!chunk->has_asconf)
3531 sctp_assoc_clean_asconf_ack_cache(asoc);
3533 /* ADDIP 5.2 E4) When the Sequence Number matches the next one
3534 * expected, process the ASCONF as described below and after
3535 * processing the ASCONF Chunk, append an ASCONF-ACK Chunk to
3536 * the response packet and cache a copy of it (in the event it
3537 * later needs to be retransmitted).
3539 * Essentially, do V1-V5.
3541 asconf_ack = sctp_process_asconf((struct sctp_association *)
3544 return SCTP_DISPOSITION_NOMEM;
3545 } else if (serial < asoc->peer.addip_serial + 1) {
3547 * If the value found in the Sequence Number is less than the
3548 * ('Peer- Sequence-Number' + 1), simply skip to the next
3549 * ASCONF, and include in the outbound response packet
3550 * any previously cached ASCONF-ACK response that was
3551 * sent and saved that matches the Sequence Number of the
3552 * ASCONF. Note: It is possible that no cached ASCONF-ACK
3553 * Chunk exists. This will occur when an older ASCONF
3554 * arrives out of order. In such a case, the receiver
3555 * should skip the ASCONF Chunk and not include ASCONF-ACK
3556 * Chunk for that chunk.
3558 asconf_ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
3560 return SCTP_DISPOSITION_DISCARD;
3562 /* Reset the transport so that we select the correct one
3563 * this time around. This is to make sure that we don't
3564 * accidentally use a stale transport that's been removed.
3566 asconf_ack->transport = NULL;
3568 /* ADDIP 5.2 E5) Otherwise, the ASCONF Chunk is discarded since
3569 * it must be either a stale packet or from an attacker.
3571 return SCTP_DISPOSITION_DISCARD;
3574 /* ADDIP 5.2 E6) The destination address of the SCTP packet
3575 * containing the ASCONF-ACK Chunks MUST be the source address of
3576 * the SCTP packet that held the ASCONF Chunks.
3578 * To do this properly, we'll set the destination address of the chunk
3579 * and at the transmit time, will try look up the transport to use.
3580 * Since ASCONFs may be bundled, the correct transport may not be
3581 * created until we process the entire packet, thus this workaround.
3583 asconf_ack->dest = chunk->source;
3584 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf_ack));
3586 return SCTP_DISPOSITION_CONSUME;
3590 * ADDIP Section 4.3 General rules for address manipulation
3591 * When building TLV parameters for the ASCONF Chunk that will add or
3592 * delete IP addresses the D0 to D13 rules should be applied:
3594 sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,
3595 const struct sctp_association *asoc,
3596 const sctp_subtype_t type, void *arg,
3597 sctp_cmd_seq_t *commands)
3599 struct sctp_chunk *asconf_ack = arg;
3600 struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
3601 struct sctp_chunk *abort;
3602 struct sctp_paramhdr *err_param = NULL;
3603 sctp_addiphdr_t *addip_hdr;
3604 __u32 sent_serial, rcvd_serial;
3606 if (!sctp_vtag_verify(asconf_ack, asoc)) {
3607 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3609 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3612 /* ADD-IP, Section 4.1.2:
3613 * This chunk MUST be sent in an authenticated way by using
3614 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
3615 * is received unauthenticated it MUST be silently discarded as
3616 * described in [I-D.ietf-tsvwg-sctp-auth].
3618 if (!sctp_addip_noauth && !asconf_ack->auth)
3619 return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
3621 /* Make sure that the ADDIP chunk has a valid length. */
3622 if (!sctp_chunk_length_valid(asconf_ack, sizeof(sctp_addip_chunk_t)))
3623 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3626 addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data;
3627 rcvd_serial = ntohl(addip_hdr->serial);
3629 /* Verify the ASCONF-ACK chunk before processing it. */
3630 if (!sctp_verify_asconf(asoc,
3631 (sctp_paramhdr_t *)addip_hdr->params,
3632 (void *)asconf_ack->chunk_end,
3634 return sctp_sf_violation_paramlen(ep, asoc, type, arg,
3635 (void *)err_param, commands);
3638 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
3639 sent_serial = ntohl(addip_hdr->serial);
3641 sent_serial = asoc->addip_serial - 1;
3644 /* D0) If an endpoint receives an ASCONF-ACK that is greater than or
3645 * equal to the next serial number to be used but no ASCONF chunk is
3646 * outstanding the endpoint MUST ABORT the association. Note that a
3647 * sequence number is greater than if it is no more than 2^^31-1
3648 * larger than the current sequence number (using serial arithmetic).
3650 if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
3651 !(asoc->addip_last_asconf)) {
3652 abort = sctp_make_abort(asoc, asconf_ack,
3653 sizeof(sctp_errhdr_t));
3655 sctp_init_cause(abort, SCTP_ERROR_ASCONF_ACK, 0);
3656 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3659 /* We are going to ABORT, so we might as well stop
3660 * processing the rest of the chunks in the packet.
3662 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3663 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3664 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3665 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3666 SCTP_ERROR(ECONNABORTED));
3667 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3668 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3669 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3670 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3671 return SCTP_DISPOSITION_ABORT;
3674 if ((rcvd_serial == sent_serial) && asoc->addip_last_asconf) {
3675 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
3676 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
3678 if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
3680 /* Successfully processed ASCONF_ACK. We can
3681 * release the next asconf if we have one.
3683 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
3685 return SCTP_DISPOSITION_CONSUME;
3688 abort = sctp_make_abort(asoc, asconf_ack,
3689 sizeof(sctp_errhdr_t));
3691 sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
3692 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3695 /* We are going to ABORT, so we might as well stop
3696 * processing the rest of the chunks in the packet.
3698 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
3699 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
3700 SCTP_ERROR(ECONNABORTED));
3701 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
3702 SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
3703 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
3704 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
3705 return SCTP_DISPOSITION_ABORT;
3708 return SCTP_DISPOSITION_DISCARD;
3712 * PR-SCTP Section 3.6 Receiver Side Implementation of PR-SCTP
3714 * When a FORWARD TSN chunk arrives, the data receiver MUST first update
3715 * its cumulative TSN point to the value carried in the FORWARD TSN
3716 * chunk, and then MUST further advance its cumulative TSN point locally
3718 * After the above processing, the data receiver MUST stop reporting any
3719 * missing TSNs earlier than or equal to the new cumulative TSN point.
3721 * Verification Tag: 8.5 Verification Tag [Normal verification]
3723 * The return value is the disposition of the chunk.
3725 sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
3726 const struct sctp_association *asoc,
3727 const sctp_subtype_t type,
3729 sctp_cmd_seq_t *commands)
3731 struct sctp_chunk *chunk = arg;
3732 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3733 struct sctp_fwdtsn_skip *skip;
3737 if (!sctp_vtag_verify(chunk, asoc)) {
3738 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3740 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3743 /* Make sure that the FORWARD_TSN chunk has valid length. */
3744 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3745 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3748 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3749 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3750 len = ntohs(chunk->chunk_hdr->length);
3751 len -= sizeof(struct sctp_chunkhdr);
3752 skb_pull(chunk->skb, len);
3754 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3755 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3757 /* The TSN is too high--silently discard the chunk and count on it
3758 * getting retransmitted later.
3760 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3761 goto discard_noforce;
3763 /* Silently discard the chunk if stream-id is not valid */
3764 sctp_walk_fwdtsn(skip, chunk) {
3765 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3766 goto discard_noforce;
3769 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3770 if (len > sizeof(struct sctp_fwdtsn_hdr))
3771 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3774 /* Count this as receiving DATA. */
3775 if (asoc->autoclose) {
3776 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3777 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
3780 /* FIXME: For now send a SACK, but DATA processing may
3783 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());
3785 return SCTP_DISPOSITION_CONSUME;
3788 return SCTP_DISPOSITION_DISCARD;
3791 sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
3792 const struct sctp_endpoint *ep,
3793 const struct sctp_association *asoc,
3794 const sctp_subtype_t type,
3796 sctp_cmd_seq_t *commands)
3798 struct sctp_chunk *chunk = arg;
3799 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
3800 struct sctp_fwdtsn_skip *skip;
3804 if (!sctp_vtag_verify(chunk, asoc)) {
3805 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3807 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3810 /* Make sure that the FORWARD_TSN chunk has a valid length. */
3811 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_fwdtsn_chunk)))
3812 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3815 fwdtsn_hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
3816 chunk->subh.fwdtsn_hdr = fwdtsn_hdr;
3817 len = ntohs(chunk->chunk_hdr->length);
3818 len -= sizeof(struct sctp_chunkhdr);
3819 skb_pull(chunk->skb, len);
3821 tsn = ntohl(fwdtsn_hdr->new_cum_tsn);
3822 SCTP_DEBUG_PRINTK("%s: TSN 0x%x.\n", __func__, tsn);
3824 /* The TSN is too high--silently discard the chunk and count on it
3825 * getting retransmitted later.
3827 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
3830 /* Silently discard the chunk if stream-id is not valid */
3831 sctp_walk_fwdtsn(skip, chunk) {
3832 if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
3836 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
3837 if (len > sizeof(struct sctp_fwdtsn_hdr))
3838 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
3841 /* Go a head and force a SACK, since we are shutting down. */
3843 /* Implementor's Guide.
3845 * While in SHUTDOWN-SENT state, the SHUTDOWN sender MUST immediately
3846 * respond to each received packet containing one or more DATA chunk(s)
3847 * with a SACK, a SHUTDOWN chunk, and restart the T2-shutdown timer
3849 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
3850 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
3851 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
3852 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
3854 return SCTP_DISPOSITION_CONSUME;
3858 * SCTP-AUTH Section 6.3 Receving authenticated chukns
3860 * The receiver MUST use the HMAC algorithm indicated in the HMAC
3861 * Identifier field. If this algorithm was not specified by the
3862 * receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
3863 * during association setup, the AUTH chunk and all chunks after it MUST
3864 * be discarded and an ERROR chunk SHOULD be sent with the error cause
3865 * defined in Section 4.1.
3867 * If an endpoint with no shared key receives a Shared Key Identifier
3868 * other than 0, it MUST silently discard all authenticated chunks. If
3869 * the endpoint has at least one endpoint pair shared key for the peer,
3870 * it MUST use the key specified by the Shared Key Identifier if a
3871 * key has been configured for that Shared Key Identifier. If no
3872 * endpoint pair shared key has been configured for that Shared Key
3873 * Identifier, all authenticated chunks MUST be silently discarded.
3875 * Verification Tag: 8.5 Verification Tag [Normal verification]
3877 * The return value is the disposition of the chunk.
3879 static sctp_ierror_t sctp_sf_authenticate(const struct sctp_endpoint *ep,
3880 const struct sctp_association *asoc,
3881 const sctp_subtype_t type,
3882 struct sctp_chunk *chunk)
3884 struct sctp_authhdr *auth_hdr;
3885 struct sctp_hmac *hmac;
3886 unsigned int sig_len;
3891 /* Pull in the auth header, so we can do some more verification */
3892 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
3893 chunk->subh.auth_hdr = auth_hdr;
3894 skb_pull(chunk->skb, sizeof(struct sctp_authhdr));
3896 /* Make sure that we suport the HMAC algorithm from the auth
3899 if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
3900 return SCTP_IERROR_AUTH_BAD_HMAC;
3902 /* Make sure that the provided shared key identifier has been
3905 key_id = ntohs(auth_hdr->shkey_id);
3906 if (key_id != asoc->active_key_id && !sctp_auth_get_shkey(asoc, key_id))
3907 return SCTP_IERROR_AUTH_BAD_KEYID;
3910 /* Make sure that the length of the signature matches what
3913 sig_len = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_auth_chunk_t);
3914 hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
3915 if (sig_len != hmac->hmac_len)
3916 return SCTP_IERROR_PROTO_VIOLATION;
3918 /* Now that we've done validation checks, we can compute and
3919 * verify the hmac. The steps involved are:
3920 * 1. Save the digest from the chunk.
3921 * 2. Zero out the digest in the chunk.
3922 * 3. Compute the new digest
3923 * 4. Compare saved and new digests.
3925 digest = auth_hdr->hmac;
3926 skb_pull(chunk->skb, sig_len);
3928 save_digest = kmemdup(digest, sig_len, GFP_ATOMIC);
3932 memset(digest, 0, sig_len);
3934 sctp_auth_calculate_hmac(asoc, chunk->skb,
3935 (struct sctp_auth_chunk *)chunk->chunk_hdr,
3938 /* Discard the packet if the digests do not match */
3939 if (memcmp(save_digest, digest, sig_len)) {
3941 return SCTP_IERROR_BAD_SIG;
3947 return SCTP_IERROR_NO_ERROR;
3949 return SCTP_IERROR_NOMEM;
3952 sctp_disposition_t sctp_sf_eat_auth(const struct sctp_endpoint *ep,
3953 const struct sctp_association *asoc,
3954 const sctp_subtype_t type,
3956 sctp_cmd_seq_t *commands)
3958 struct sctp_authhdr *auth_hdr;
3959 struct sctp_chunk *chunk = arg;
3960 struct sctp_chunk *err_chunk;
3961 sctp_ierror_t error;
3963 /* Make sure that the peer has AUTH capable */
3964 if (!asoc->peer.auth_capable)
3965 return sctp_sf_unk_chunk(ep, asoc, type, arg, commands);
3967 if (!sctp_vtag_verify(chunk, asoc)) {
3968 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
3970 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3973 /* Make sure that the AUTH chunk has valid length. */
3974 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
3975 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
3978 auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
3979 error = sctp_sf_authenticate(ep, asoc, type, chunk);
3981 case SCTP_IERROR_AUTH_BAD_HMAC:
3982 /* Generate the ERROR chunk and discard the rest
3985 err_chunk = sctp_make_op_error(asoc, chunk,
3986 SCTP_ERROR_UNSUP_HMAC,
3990 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
3991 SCTP_CHUNK(err_chunk));
3994 case SCTP_IERROR_AUTH_BAD_KEYID:
3995 case SCTP_IERROR_BAD_SIG:
3996 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
3998 case SCTP_IERROR_PROTO_VIOLATION:
3999 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4002 case SCTP_IERROR_NOMEM:
4003 return SCTP_DISPOSITION_NOMEM;
4008 if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
4009 struct sctp_ulpevent *ev;
4011 ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
4012 SCTP_AUTH_NEWKEY, GFP_ATOMIC);
4017 sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
4021 return SCTP_DISPOSITION_CONSUME;
4025 * Process an unknown chunk.
4027 * Section: 3.2. Also, 2.1 in the implementor's guide.
4029 * Chunk Types are encoded such that the highest-order two bits specify
4030 * the action that must be taken if the processing endpoint does not
4031 * recognize the Chunk Type.
4033 * 00 - Stop processing this SCTP packet and discard it, do not process
4034 * any further chunks within it.
4036 * 01 - Stop processing this SCTP packet and discard it, do not process
4037 * any further chunks within it, and report the unrecognized
4038 * chunk in an 'Unrecognized Chunk Type'.
4040 * 10 - Skip this chunk and continue processing.
4042 * 11 - Skip this chunk and continue processing, but report in an ERROR
4043 * Chunk using the 'Unrecognized Chunk Type' cause of error.
4045 * The return value is the disposition of the chunk.
4047 sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,
4048 const struct sctp_association *asoc,
4049 const sctp_subtype_t type,
4051 sctp_cmd_seq_t *commands)
4053 struct sctp_chunk *unk_chunk = arg;
4054 struct sctp_chunk *err_chunk;
4055 sctp_chunkhdr_t *hdr;
4057 SCTP_DEBUG_PRINTK("Processing the unknown chunk id %d.\n", type.chunk);
4059 if (!sctp_vtag_verify(unk_chunk, asoc))
4060 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4062 /* Make sure that the chunk has a valid length.
4063 * Since we don't know the chunk type, we use a general
4064 * chunkhdr structure to make a comparison.
4066 if (!sctp_chunk_length_valid(unk_chunk, sizeof(sctp_chunkhdr_t)))
4067 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4070 switch (type.chunk & SCTP_CID_ACTION_MASK) {
4071 case SCTP_CID_ACTION_DISCARD:
4072 /* Discard the packet. */
4073 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4075 case SCTP_CID_ACTION_DISCARD_ERR:
4076 /* Generate an ERROR chunk as response. */
4077 hdr = unk_chunk->chunk_hdr;
4078 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4079 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4080 WORD_ROUND(ntohs(hdr->length)),
4083 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4084 SCTP_CHUNK(err_chunk));
4087 /* Discard the packet. */
4088 sctp_sf_pdiscard(ep, asoc, type, arg, commands);
4089 return SCTP_DISPOSITION_CONSUME;
4091 case SCTP_CID_ACTION_SKIP:
4092 /* Skip the chunk. */
4093 return SCTP_DISPOSITION_DISCARD;
4095 case SCTP_CID_ACTION_SKIP_ERR:
4096 /* Generate an ERROR chunk as response. */
4097 hdr = unk_chunk->chunk_hdr;
4098 err_chunk = sctp_make_op_error(asoc, unk_chunk,
4099 SCTP_ERROR_UNKNOWN_CHUNK, hdr,
4100 WORD_ROUND(ntohs(hdr->length)),
4103 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
4104 SCTP_CHUNK(err_chunk));
4106 /* Skip the chunk. */
4107 return SCTP_DISPOSITION_CONSUME;
4113 return SCTP_DISPOSITION_DISCARD;
4117 * Discard the chunk.
4119 * Section: 0.2, 5.2.3, 5.2.5, 5.2.6, 6.0, 8.4.6, 8.5.1c, 9.2
4120 * [Too numerous to mention...]
4121 * Verification Tag: No verification needed.
4123 * (endpoint, asoc, chunk)
4126 * (asoc, reply_msg, msg_up, timers, counters)
4128 * The return value is the disposition of the chunk.
4130 sctp_disposition_t sctp_sf_discard_chunk(const struct sctp_endpoint *ep,
4131 const struct sctp_association *asoc,
4132 const sctp_subtype_t type,
4134 sctp_cmd_seq_t *commands)
4136 struct sctp_chunk *chunk = arg;
4138 /* Make sure that the chunk has a valid length.
4139 * Since we don't know the chunk type, we use a general
4140 * chunkhdr structure to make a comparison.
4142 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4143 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4146 SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk);
4147 return SCTP_DISPOSITION_DISCARD;
4151 * Discard the whole packet.
4155 * 2) If the OOTB packet contains an ABORT chunk, the receiver MUST
4156 * silently discard the OOTB packet and take no further action.
4158 * Verification Tag: No verification necessary
4161 * (endpoint, asoc, chunk)
4164 * (asoc, reply_msg, msg_up, timers, counters)
4166 * The return value is the disposition of the chunk.
4168 sctp_disposition_t sctp_sf_pdiscard(const struct sctp_endpoint *ep,
4169 const struct sctp_association *asoc,
4170 const sctp_subtype_t type,
4172 sctp_cmd_seq_t *commands)
4174 SCTP_INC_STATS(SCTP_MIB_IN_PKT_DISCARDS);
4175 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
4177 return SCTP_DISPOSITION_CONSUME;
4182 * The other end is violating protocol.
4184 * Section: Not specified
4185 * Verification Tag: Not specified
4187 * (endpoint, asoc, chunk)
4190 * (asoc, reply_msg, msg_up, timers, counters)
4192 * We simply tag the chunk as a violation. The state machine will log
4193 * the violation and continue.
4195 sctp_disposition_t sctp_sf_violation(const struct sctp_endpoint *ep,
4196 const struct sctp_association *asoc,
4197 const sctp_subtype_t type,
4199 sctp_cmd_seq_t *commands)
4201 struct sctp_chunk *chunk = arg;
4203 /* Make sure that the chunk has a valid length. */
4204 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t)))
4205 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
4208 return SCTP_DISPOSITION_VIOLATION;
4212 * Common function to handle a protocol violation.
4214 static sctp_disposition_t sctp_sf_abort_violation(
4215 const struct sctp_endpoint *ep,
4216 const struct sctp_association *asoc,
4218 sctp_cmd_seq_t *commands,
4219 const __u8 *payload,
4220 const size_t paylen)
4222 struct sctp_packet *packet = NULL;
4223 struct sctp_chunk *chunk = arg;
4224 struct sctp_chunk *abort = NULL;
4226 /* SCTP-AUTH, Section 6.3:
4227 * It should be noted that if the receiver wants to tear
4228 * down an association in an authenticated way only, the
4229 * handling of malformed packets should not result in
4230 * tearing down the association.
4232 * This means that if we only want to abort associations
4233 * in an authenticated way (i.e AUTH+ABORT), then we
4234 * can't destroy this association just becuase the packet
4237 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4240 /* Make the abort chunk. */
4241 abort = sctp_make_abort_violation(asoc, chunk, payload, paylen);
4246 /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
4247 if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
4248 !asoc->peer.i.init_tag) {
4249 sctp_initack_chunk_t *initack;
4251 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
4252 if (!sctp_chunk_length_valid(chunk,
4253 sizeof(sctp_initack_chunk_t)))
4254 abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
4256 unsigned int inittag;
4258 inittag = ntohl(initack->init_hdr.init_tag);
4259 sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
4264 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4265 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4267 if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
4268 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4269 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4270 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4271 SCTP_ERROR(ECONNREFUSED));
4272 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4273 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4275 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4276 SCTP_ERROR(ECONNABORTED));
4277 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4278 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4279 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4282 packet = sctp_ootb_pkt_new(asoc, chunk);
4287 if (sctp_test_T_bit(abort))
4288 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
4290 abort->skb->sk = ep->base.sk;
4292 sctp_packet_append_chunk(packet, abort);
4294 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
4295 SCTP_PACKET(packet));
4297 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4300 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4303 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4304 return SCTP_DISPOSITION_ABORT;
4307 sctp_chunk_free(abort);
4309 return SCTP_DISPOSITION_NOMEM;
4313 * Handle a protocol violation when the chunk length is invalid.
4314 * "Invalid" length is identified as smaller than the minimal length a
4315 * given chunk can be. For example, a SACK chunk has invalid length
4316 * if its length is set to be smaller than the size of sctp_sack_chunk_t.
4318 * We inform the other end by sending an ABORT with a Protocol Violation
4321 * Section: Not specified
4322 * Verification Tag: Nothing to do
4324 * (endpoint, asoc, chunk)
4327 * (reply_msg, msg_up, counters)
4329 * Generate an ABORT chunk and terminate the association.
4331 static sctp_disposition_t sctp_sf_violation_chunklen(
4332 const struct sctp_endpoint *ep,
4333 const struct sctp_association *asoc,
4334 const sctp_subtype_t type,
4336 sctp_cmd_seq_t *commands)
4338 static const char err_str[]="The following chunk had invalid length:";
4340 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4345 * Handle a protocol violation when the parameter length is invalid.
4346 * "Invalid" length is identified as smaller than the minimal length a
4347 * given parameter can be.
4349 static sctp_disposition_t sctp_sf_violation_paramlen(
4350 const struct sctp_endpoint *ep,
4351 const struct sctp_association *asoc,
4352 const sctp_subtype_t type,
4353 void *arg, void *ext,
4354 sctp_cmd_seq_t *commands)
4356 struct sctp_chunk *chunk = arg;
4357 struct sctp_paramhdr *param = ext;
4358 struct sctp_chunk *abort = NULL;
4360 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
4363 /* Make the abort chunk. */
4364 abort = sctp_make_violation_paramlen(asoc, chunk, param);
4368 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4369 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
4371 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4372 SCTP_ERROR(ECONNABORTED));
4373 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4374 SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
4375 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4376 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4379 sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
4380 return SCTP_DISPOSITION_ABORT;
4382 return SCTP_DISPOSITION_NOMEM;
4385 /* Handle a protocol violation when the peer trying to advance the
4386 * cumulative tsn ack to a point beyond the max tsn currently sent.
4388 * We inform the other end by sending an ABORT with a Protocol Violation
4391 static sctp_disposition_t sctp_sf_violation_ctsn(
4392 const struct sctp_endpoint *ep,
4393 const struct sctp_association *asoc,
4394 const sctp_subtype_t type,
4396 sctp_cmd_seq_t *commands)
4398 static const char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:";
4400 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4404 /* Handle protocol violation of an invalid chunk bundling. For example,
4405 * when we have an association and we recieve bundled INIT-ACK, or
4406 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4407 * statement from the specs. Additinally, there might be an attacker
4408 * on the path and we may not want to continue this communication.
4410 static sctp_disposition_t sctp_sf_violation_chunk(
4411 const struct sctp_endpoint *ep,
4412 const struct sctp_association *asoc,
4413 const sctp_subtype_t type,
4415 sctp_cmd_seq_t *commands)
4417 static const char err_str[]="The following chunk violates protocol:";
4420 return sctp_sf_violation(ep, asoc, type, arg, commands);
4422 return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
4425 /***************************************************************************
4426 * These are the state functions for handling primitive (Section 10) events.
4427 ***************************************************************************/
4429 * sctp_sf_do_prm_asoc
4431 * Section: 10.1 ULP-to-SCTP
4434 * Format: ASSOCIATE(local SCTP instance name, destination transport addr,
4435 * outbound stream count)
4436 * -> association id [,destination transport addr list] [,outbound stream
4439 * This primitive allows the upper layer to initiate an association to a
4440 * specific peer endpoint.
4442 * The peer endpoint shall be specified by one of the transport addresses
4443 * which defines the endpoint (see Section 1.4). If the local SCTP
4444 * instance has not been initialized, the ASSOCIATE is considered an
4446 * [This is not relevant for the kernel implementation since we do all
4447 * initialization at boot time. It we hadn't initialized we wouldn't
4448 * get anywhere near this code.]
4450 * An association id, which is a local handle to the SCTP association,
4451 * will be returned on successful establishment of the association. If
4452 * SCTP is not able to open an SCTP association with the peer endpoint,
4453 * an error is returned.
4454 * [In the kernel implementation, the struct sctp_association needs to
4455 * be created BEFORE causing this primitive to run.]
4457 * Other association parameters may be returned, including the
4458 * complete destination transport addresses of the peer as well as the
4459 * outbound stream count of the local endpoint. One of the transport
4460 * address from the returned destination addresses will be selected by
4461 * the local endpoint as default primary path for sending SCTP packets
4462 * to this peer. The returned "destination transport addr list" can
4463 * be used by the ULP to change the default primary path or to force
4464 * sending a packet to a specific transport address. [All of this
4465 * stuff happens when the INIT ACK arrives. This is a NON-BLOCKING
4468 * Mandatory attributes:
4470 * o local SCTP instance name - obtained from the INITIALIZE operation.
4471 * [This is the argument asoc.]
4472 * o destination transport addr - specified as one of the transport
4473 * addresses of the peer endpoint with which the association is to be
4475 * [This is asoc->peer.active_path.]
4476 * o outbound stream count - the number of outbound streams the ULP
4477 * would like to open towards this peer endpoint.
4478 * [BUG: This is not currently implemented.]
4479 * Optional attributes:
4483 * The return value is a disposition.
4485 sctp_disposition_t sctp_sf_do_prm_asoc(const struct sctp_endpoint *ep,
4486 const struct sctp_association *asoc,
4487 const sctp_subtype_t type,
4489 sctp_cmd_seq_t *commands)
4491 struct sctp_chunk *repl;
4492 struct sctp_association* my_asoc;
4494 /* The comment below says that we enter COOKIE-WAIT AFTER
4495 * sending the INIT, but that doesn't actually work in our
4498 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4499 SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
4501 /* RFC 2960 5.1 Normal Establishment of an Association
4503 * A) "A" first sends an INIT chunk to "Z". In the INIT, "A"
4504 * must provide its Verification Tag (Tag_A) in the Initiate
4505 * Tag field. Tag_A SHOULD be a random number in the range of
4506 * 1 to 4294967295 (see 5.3.1 for Tag value selection). ...
4509 repl = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
4513 /* Cast away the const modifier, as we want to just
4514 * rerun it through as a sideffect.
4516 my_asoc = (struct sctp_association *)asoc;
4517 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));
4519 /* Choose transport for INIT. */
4520 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
4523 /* After sending the INIT, "A" starts the T1-init timer and
4524 * enters the COOKIE-WAIT state.
4526 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
4527 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4528 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
4529 return SCTP_DISPOSITION_CONSUME;
4532 return SCTP_DISPOSITION_NOMEM;
4536 * Process the SEND primitive.
4538 * Section: 10.1 ULP-to-SCTP
4541 * Format: SEND(association id, buffer address, byte count [,context]
4542 * [,stream id] [,life time] [,destination transport address]
4543 * [,unorder flag] [,no-bundle flag] [,payload protocol-id] )
4546 * This is the main method to send user data via SCTP.
4548 * Mandatory attributes:
4550 * o association id - local handle to the SCTP association
4552 * o buffer address - the location where the user message to be
4553 * transmitted is stored;
4555 * o byte count - The size of the user data in number of bytes;
4557 * Optional attributes:
4559 * o context - an optional 32 bit integer that will be carried in the
4560 * sending failure notification to the ULP if the transportation of
4561 * this User Message fails.
4563 * o stream id - to indicate which stream to send the data on. If not
4564 * specified, stream 0 will be used.
4566 * o life time - specifies the life time of the user data. The user data
4567 * will not be sent by SCTP after the life time expires. This
4568 * parameter can be used to avoid efforts to transmit stale
4569 * user messages. SCTP notifies the ULP if the data cannot be
4570 * initiated to transport (i.e. sent to the destination via SCTP's
4571 * send primitive) within the life time variable. However, the
4572 * user data will be transmitted if SCTP has attempted to transmit a
4573 * chunk before the life time expired.
4575 * o destination transport address - specified as one of the destination
4576 * transport addresses of the peer endpoint to which this packet
4577 * should be sent. Whenever possible, SCTP should use this destination
4578 * transport address for sending the packets, instead of the current
4581 * o unorder flag - this flag, if present, indicates that the user
4582 * would like the data delivered in an unordered fashion to the peer
4583 * (i.e., the U flag is set to 1 on all DATA chunks carrying this
4586 * o no-bundle flag - instructs SCTP not to bundle this user data with
4587 * other outbound DATA chunks. SCTP MAY still bundle even when
4588 * this flag is present, when faced with network congestion.
4590 * o payload protocol-id - A 32 bit unsigned integer that is to be
4591 * passed to the peer indicating the type of payload protocol data
4592 * being transmitted. This value is passed as opaque data by SCTP.
4594 * The return value is the disposition.
4596 sctp_disposition_t sctp_sf_do_prm_send(const struct sctp_endpoint *ep,
4597 const struct sctp_association *asoc,
4598 const sctp_subtype_t type,
4600 sctp_cmd_seq_t *commands)
4602 struct sctp_datamsg *msg = arg;
4604 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(msg));
4605 return SCTP_DISPOSITION_CONSUME;
4609 * Process the SHUTDOWN primitive.
4614 * Format: SHUTDOWN(association id)
4617 * Gracefully closes an association. Any locally queued user data
4618 * will be delivered to the peer. The association will be terminated only
4619 * after the peer acknowledges all the SCTP packets sent. A success code
4620 * will be returned on successful termination of the association. If
4621 * attempting to terminate the association results in a failure, an error
4622 * code shall be returned.
4624 * Mandatory attributes:
4626 * o association id - local handle to the SCTP association
4628 * Optional attributes:
4632 * The return value is the disposition.
4634 sctp_disposition_t sctp_sf_do_9_2_prm_shutdown(
4635 const struct sctp_endpoint *ep,
4636 const struct sctp_association *asoc,
4637 const sctp_subtype_t type,
4639 sctp_cmd_seq_t *commands)
4643 /* From 9.2 Shutdown of an Association
4644 * Upon receipt of the SHUTDOWN primitive from its upper
4645 * layer, the endpoint enters SHUTDOWN-PENDING state and
4646 * remains there until all outstanding data has been
4647 * acknowledged by its peer. The endpoint accepts no new data
4648 * from its upper layer, but retransmits data to the far end
4649 * if necessary to fill gaps.
4651 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4652 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
4654 disposition = SCTP_DISPOSITION_CONSUME;
4655 if (sctp_outq_is_empty(&asoc->outqueue)) {
4656 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,
4663 * Process the ABORT primitive.
4668 * Format: Abort(association id [, cause code])
4671 * Ungracefully closes an association. Any locally queued user data
4672 * will be discarded and an ABORT chunk is sent to the peer. A success code
4673 * will be returned on successful abortion of the association. If
4674 * attempting to abort the association results in a failure, an error
4675 * code shall be returned.
4677 * Mandatory attributes:
4679 * o association id - local handle to the SCTP association
4681 * Optional attributes:
4683 * o cause code - reason of the abort to be passed to the peer
4687 * The return value is the disposition.
4689 sctp_disposition_t sctp_sf_do_9_1_prm_abort(
4690 const struct sctp_endpoint *ep,
4691 const struct sctp_association *asoc,
4692 const sctp_subtype_t type,
4694 sctp_cmd_seq_t *commands)
4696 /* From 9.1 Abort of an Association
4697 * Upon receipt of the ABORT primitive from its upper
4698 * layer, the endpoint enters CLOSED state and
4699 * discard all outstanding data has been
4700 * acknowledged by its peer. The endpoint accepts no new data
4701 * from its upper layer, but retransmits data to the far end
4702 * if necessary to fill gaps.
4704 struct sctp_chunk *abort = arg;
4705 sctp_disposition_t retval;
4707 retval = SCTP_DISPOSITION_CONSUME;
4709 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4711 /* Even if we can't send the ABORT due to low memory delete the
4712 * TCB. This is a departure from our typical NOMEM handling.
4715 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4716 SCTP_ERROR(ECONNABORTED));
4717 /* Delete the established association. */
4718 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
4719 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4721 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4722 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
4727 /* We tried an illegal operation on an association which is closed. */
4728 sctp_disposition_t sctp_sf_error_closed(const struct sctp_endpoint *ep,
4729 const struct sctp_association *asoc,
4730 const sctp_subtype_t type,
4732 sctp_cmd_seq_t *commands)
4734 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR, SCTP_ERROR(-EINVAL));
4735 return SCTP_DISPOSITION_CONSUME;
4738 /* We tried an illegal operation on an association which is shutting
4741 sctp_disposition_t sctp_sf_error_shutdown(const struct sctp_endpoint *ep,
4742 const struct sctp_association *asoc,
4743 const sctp_subtype_t type,
4745 sctp_cmd_seq_t *commands)
4747 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
4748 SCTP_ERROR(-ESHUTDOWN));
4749 return SCTP_DISPOSITION_CONSUME;
4753 * sctp_cookie_wait_prm_shutdown
4755 * Section: 4 Note: 2
4760 * The RFC does not explicitly address this issue, but is the route through the
4761 * state table when someone issues a shutdown while in COOKIE_WAIT state.
4766 sctp_disposition_t sctp_sf_cookie_wait_prm_shutdown(
4767 const struct sctp_endpoint *ep,
4768 const struct sctp_association *asoc,
4769 const sctp_subtype_t type,
4771 sctp_cmd_seq_t *commands)
4773 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4774 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4776 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4777 SCTP_STATE(SCTP_STATE_CLOSED));
4779 SCTP_INC_STATS(SCTP_MIB_SHUTDOWNS);
4781 sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
4783 return SCTP_DISPOSITION_DELETE_TCB;
4787 * sctp_cookie_echoed_prm_shutdown
4789 * Section: 4 Note: 2
4794 * The RFC does not explcitly address this issue, but is the route through the
4795 * state table when someone issues a shutdown while in COOKIE_ECHOED state.
4800 sctp_disposition_t sctp_sf_cookie_echoed_prm_shutdown(
4801 const struct sctp_endpoint *ep,
4802 const struct sctp_association *asoc,
4803 const sctp_subtype_t type,
4804 void *arg, sctp_cmd_seq_t *commands)
4806 /* There is a single T1 timer, so we should be able to use
4807 * common function with the COOKIE-WAIT state.
4809 return sctp_sf_cookie_wait_prm_shutdown(ep, asoc, type, arg, commands);
4813 * sctp_sf_cookie_wait_prm_abort
4815 * Section: 4 Note: 2
4820 * The RFC does not explicitly address this issue, but is the route through the
4821 * state table when someone issues an abort while in COOKIE_WAIT state.
4826 sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
4827 const struct sctp_endpoint *ep,
4828 const struct sctp_association *asoc,
4829 const sctp_subtype_t type,
4831 sctp_cmd_seq_t *commands)
4833 struct sctp_chunk *abort = arg;
4834 sctp_disposition_t retval;
4836 /* Stop T1-init timer */
4837 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4838 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4839 retval = SCTP_DISPOSITION_CONSUME;
4841 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4843 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4844 SCTP_STATE(SCTP_STATE_CLOSED));
4846 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
4848 /* Even if we can't send the ABORT due to low memory delete the
4849 * TCB. This is a departure from our typical NOMEM handling.
4852 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
4853 SCTP_ERROR(ECONNREFUSED));
4854 /* Delete the established association. */
4855 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
4856 SCTP_PERR(SCTP_ERROR_USER_ABORT));
4862 * sctp_sf_cookie_echoed_prm_abort
4864 * Section: 4 Note: 3
4869 * The RFC does not explcitly address this issue, but is the route through the
4870 * state table when someone issues an abort while in COOKIE_ECHOED state.
4875 sctp_disposition_t sctp_sf_cookie_echoed_prm_abort(
4876 const struct sctp_endpoint *ep,
4877 const struct sctp_association *asoc,
4878 const sctp_subtype_t type,
4880 sctp_cmd_seq_t *commands)
4882 /* There is a single T1 timer, so we should be able to use
4883 * common function with the COOKIE-WAIT state.
4885 return sctp_sf_cookie_wait_prm_abort(ep, asoc, type, arg, commands);
4889 * sctp_sf_shutdown_pending_prm_abort
4894 * The RFC does not explicitly address this issue, but is the route through the
4895 * state table when someone issues an abort while in SHUTDOWN-PENDING state.
4900 sctp_disposition_t sctp_sf_shutdown_pending_prm_abort(
4901 const struct sctp_endpoint *ep,
4902 const struct sctp_association *asoc,
4903 const sctp_subtype_t type,
4905 sctp_cmd_seq_t *commands)
4907 /* Stop the T5-shutdown guard timer. */
4908 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4909 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
4911 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);
4915 * sctp_sf_shutdown_sent_prm_abort
4920 * The RFC does not explicitly address this issue, but is the route through the
4921 * state table when someone issues an abort while in SHUTDOWN-SENT state.
4926 sctp_disposition_t sctp_sf_shutdown_sent_prm_abort(
4927 const struct sctp_endpoint *ep,
4928 const struct sctp_association *asoc,
4929 const sctp_subtype_t type,
4931 sctp_cmd_seq_t *commands)
4933 /* Stop the T2-shutdown timer. */
4934 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4935 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
4937 /* Stop the T5-shutdown guard timer. */
4938 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
4939 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
4941 return sctp_sf_do_9_1_prm_abort(ep, asoc, type, arg, commands);
4945 * sctp_sf_cookie_echoed_prm_abort
4950 * The RFC does not explcitly address this issue, but is the route through the
4951 * state table when someone issues an abort while in COOKIE_ECHOED state.
4956 sctp_disposition_t sctp_sf_shutdown_ack_sent_prm_abort(
4957 const struct sctp_endpoint *ep,
4958 const struct sctp_association *asoc,
4959 const sctp_subtype_t type,
4961 sctp_cmd_seq_t *commands)
4963 /* The same T2 timer, so we should be able to use
4964 * common function with the SHUTDOWN-SENT state.
4966 return sctp_sf_shutdown_sent_prm_abort(ep, asoc, type, arg, commands);
4970 * Process the REQUESTHEARTBEAT primitive
4973 * J) Request Heartbeat
4975 * Format: REQUESTHEARTBEAT(association id, destination transport address)
4979 * Instructs the local endpoint to perform a HeartBeat on the specified
4980 * destination transport address of the given association. The returned
4981 * result should indicate whether the transmission of the HEARTBEAT
4982 * chunk to the destination address is successful.
4984 * Mandatory attributes:
4986 * o association id - local handle to the SCTP association
4988 * o destination transport address - the transport address of the
4989 * association on which a heartbeat should be issued.
4991 sctp_disposition_t sctp_sf_do_prm_requestheartbeat(
4992 const struct sctp_endpoint *ep,
4993 const struct sctp_association *asoc,
4994 const sctp_subtype_t type,
4996 sctp_cmd_seq_t *commands)
4998 if (SCTP_DISPOSITION_NOMEM == sctp_sf_heartbeat(ep, asoc, type,
4999 (struct sctp_transport *)arg, commands))
5000 return SCTP_DISPOSITION_NOMEM;
5003 * RFC 2960 (bis), section 8.3
5005 * D) Request an on-demand HEARTBEAT on a specific destination
5006 * transport address of a given association.
5008 * The endpoint should increment the respective error counter of
5009 * the destination transport address each time a HEARTBEAT is sent
5010 * to that address and not acknowledged within one RTO.
5013 sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
5014 SCTP_TRANSPORT(arg));
5015 return SCTP_DISPOSITION_CONSUME;
5019 * ADDIP Section 4.1 ASCONF Chunk Procedures
5020 * When an endpoint has an ASCONF signaled change to be sent to the
5021 * remote endpoint it should do A1 to A9
5023 sctp_disposition_t sctp_sf_do_prm_asconf(const struct sctp_endpoint *ep,
5024 const struct sctp_association *asoc,
5025 const sctp_subtype_t type,
5027 sctp_cmd_seq_t *commands)
5029 struct sctp_chunk *chunk = arg;
5031 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5032 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5033 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5034 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(chunk));
5035 return SCTP_DISPOSITION_CONSUME;
5039 * Ignore the primitive event
5041 * The return value is the disposition of the primitive.
5043 sctp_disposition_t sctp_sf_ignore_primitive(
5044 const struct sctp_endpoint *ep,
5045 const struct sctp_association *asoc,
5046 const sctp_subtype_t type,
5048 sctp_cmd_seq_t *commands)
5050 SCTP_DEBUG_PRINTK("Primitive type %d is ignored.\n", type.primitive);
5051 return SCTP_DISPOSITION_DISCARD;
5054 /***************************************************************************
5055 * These are the state functions for the OTHER events.
5056 ***************************************************************************/
5059 * Start the shutdown negotiation.
5062 * Once all its outstanding data has been acknowledged, the endpoint
5063 * shall send a SHUTDOWN chunk to its peer including in the Cumulative
5064 * TSN Ack field the last sequential TSN it has received from the peer.
5065 * It shall then start the T2-shutdown timer and enter the SHUTDOWN-SENT
5066 * state. If the timer expires, the endpoint must re-send the SHUTDOWN
5067 * with the updated last sequential TSN received from its peer.
5069 * The return value is the disposition.
5071 sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
5072 const struct sctp_endpoint *ep,
5073 const struct sctp_association *asoc,
5074 const sctp_subtype_t type,
5076 sctp_cmd_seq_t *commands)
5078 struct sctp_chunk *reply;
5080 /* Once all its outstanding data has been acknowledged, the
5081 * endpoint shall send a SHUTDOWN chunk to its peer including
5082 * in the Cumulative TSN Ack field the last sequential TSN it
5083 * has received from the peer.
5085 reply = sctp_make_shutdown(asoc, NULL);
5089 /* Set the transport for the SHUTDOWN chunk and the timeout for the
5090 * T2-shutdown timer.
5092 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5094 /* It shall then start the T2-shutdown timer */
5095 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5096 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5098 /* RFC 4960 Section 9.2
5099 * The sender of the SHUTDOWN MAY also start an overall guard timer
5100 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5102 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
5103 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
5105 if (asoc->autoclose)
5106 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5107 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5109 /* and enter the SHUTDOWN-SENT state. */
5110 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5111 SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));
5113 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5115 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5118 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5120 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5122 return SCTP_DISPOSITION_CONSUME;
5125 return SCTP_DISPOSITION_NOMEM;
5129 * Generate a SHUTDOWN ACK now that everything is SACK'd.
5133 * If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5134 * shall send a SHUTDOWN ACK and start a T2-shutdown timer of its own,
5135 * entering the SHUTDOWN-ACK-SENT state. If the timer expires, the
5136 * endpoint must re-send the SHUTDOWN ACK.
5138 * The return value is the disposition.
5140 sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(
5141 const struct sctp_endpoint *ep,
5142 const struct sctp_association *asoc,
5143 const sctp_subtype_t type,
5145 sctp_cmd_seq_t *commands)
5147 struct sctp_chunk *chunk = (struct sctp_chunk *) arg;
5148 struct sctp_chunk *reply;
5150 /* There are 2 ways of getting here:
5151 * 1) called in response to a SHUTDOWN chunk
5152 * 2) called when SCTP_EVENT_NO_PENDING_TSN event is issued.
5154 * For the case (2), the arg parameter is set to NULL. We need
5155 * to check that we have a chunk before accessing it's fields.
5158 if (!sctp_vtag_verify(chunk, asoc))
5159 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
5161 /* Make sure that the SHUTDOWN chunk has a valid length. */
5162 if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk_t)))
5163 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
5167 /* If it has no more outstanding DATA chunks, the SHUTDOWN receiver
5168 * shall send a SHUTDOWN ACK ...
5170 reply = sctp_make_shutdown_ack(asoc, chunk);
5174 /* Set the transport for the SHUTDOWN ACK chunk and the timeout for
5175 * the T2-shutdown timer.
5177 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5179 /* and start/restart a T2-shutdown timer of its own, */
5180 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5181 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5183 if (asoc->autoclose)
5184 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5185 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
5187 /* Enter the SHUTDOWN-ACK-SENT state. */
5188 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5189 SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));
5191 /* sctp-implguide 2.10 Issues with Heartbeating and failover
5193 * HEARTBEAT ... is discontinued after sending either SHUTDOWN
5196 sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());
5198 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5200 return SCTP_DISPOSITION_CONSUME;
5203 return SCTP_DISPOSITION_NOMEM;
5207 * Ignore the event defined as other
5209 * The return value is the disposition of the event.
5211 sctp_disposition_t sctp_sf_ignore_other(const struct sctp_endpoint *ep,
5212 const struct sctp_association *asoc,
5213 const sctp_subtype_t type,
5215 sctp_cmd_seq_t *commands)
5217 SCTP_DEBUG_PRINTK("The event other type %d is ignored\n", type.other);
5218 return SCTP_DISPOSITION_DISCARD;
5221 /************************************************************
5222 * These are the state functions for handling timeout events.
5223 ************************************************************/
5228 * Section: 6.3.3 Handle T3-rtx Expiration
5230 * Whenever the retransmission timer T3-rtx expires for a destination
5231 * address, do the following:
5234 * The return value is the disposition of the chunk.
5236 sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,
5237 const struct sctp_association *asoc,
5238 const sctp_subtype_t type,
5240 sctp_cmd_seq_t *commands)
5242 struct sctp_transport *transport = arg;
5244 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS);
5246 if (asoc->overall_error_count >= asoc->max_retrans) {
5247 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5248 SCTP_ERROR(ETIMEDOUT));
5249 /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5250 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5251 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5252 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5253 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5254 return SCTP_DISPOSITION_DELETE_TCB;
5257 /* E1) For the destination address for which the timer
5258 * expires, adjust its ssthresh with rules defined in Section
5259 * 7.2.3 and set the cwnd <- MTU.
5262 /* E2) For the destination address for which the timer
5263 * expires, set RTO <- RTO * 2 ("back off the timer"). The
5264 * maximum value discussed in rule C7 above (RTO.max) may be
5265 * used to provide an upper bound to this doubling operation.
5268 /* E3) Determine how many of the earliest (i.e., lowest TSN)
5269 * outstanding DATA chunks for the address for which the
5270 * T3-rtx has expired will fit into a single packet, subject
5271 * to the MTU constraint for the path corresponding to the
5272 * destination transport address to which the retransmission
5273 * is being sent (this may be different from the address for
5274 * which the timer expires [see Section 6.4]). Call this
5275 * value K. Bundle and retransmit those K DATA chunks in a
5276 * single packet to the destination endpoint.
5278 * Note: Any DATA chunks that were sent to the address for
5279 * which the T3-rtx timer expired but did not fit in one MTU
5280 * (rule E3 above), should be marked for retransmission and
5281 * sent as soon as cwnd allows (normally when a SACK arrives).
5284 /* Do some failure management (Section 8.2). */
5285 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
5287 /* NB: Rules E4 and F1 are implicit in R1. */
5288 sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN, SCTP_TRANSPORT(transport));
5290 return SCTP_DISPOSITION_CONSUME;
5294 * Generate delayed SACK on timeout
5296 * Section: 6.2 Acknowledgement on Reception of DATA Chunks
5298 * The guidelines on delayed acknowledgement algorithm specified in
5299 * Section 4.2 of [RFC2581] SHOULD be followed. Specifically, an
5300 * acknowledgement SHOULD be generated for at least every second packet
5301 * (not every second DATA chunk) received, and SHOULD be generated
5302 * within 200 ms of the arrival of any unacknowledged DATA chunk. In
5303 * some situations it may be beneficial for an SCTP transmitter to be
5304 * more conservative than the algorithms detailed in this document
5305 * allow. However, an SCTP transmitter MUST NOT be more aggressive than
5306 * the following algorithms allow.
5308 sctp_disposition_t sctp_sf_do_6_2_sack(const struct sctp_endpoint *ep,
5309 const struct sctp_association *asoc,
5310 const sctp_subtype_t type,
5312 sctp_cmd_seq_t *commands)
5314 SCTP_INC_STATS(SCTP_MIB_DELAY_SACK_EXPIREDS);
5315 sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
5316 return SCTP_DISPOSITION_CONSUME;
5320 * sctp_sf_t1_init_timer_expire
5322 * Section: 4 Note: 2
5327 * RFC 2960 Section 4 Notes
5328 * 2) If the T1-init timer expires, the endpoint MUST retransmit INIT
5329 * and re-start the T1-init timer without changing state. This MUST
5330 * be repeated up to 'Max.Init.Retransmits' times. After that, the
5331 * endpoint MUST abort the initialization process and report the
5332 * error to SCTP user.
5338 sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep,
5339 const struct sctp_association *asoc,
5340 const sctp_subtype_t type,
5342 sctp_cmd_seq_t *commands)
5344 struct sctp_chunk *repl = NULL;
5345 struct sctp_bind_addr *bp;
5346 int attempts = asoc->init_err_counter + 1;
5348 SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n");
5349 SCTP_INC_STATS(SCTP_MIB_T1_INIT_EXPIREDS);
5351 if (attempts <= asoc->max_init_attempts) {
5352 bp = (struct sctp_bind_addr *) &asoc->base.bind_addr;
5353 repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0);
5355 return SCTP_DISPOSITION_NOMEM;
5357 /* Choose transport for INIT. */
5358 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5361 /* Issue a sideeffect to do the needed accounting. */
5362 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
5363 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
5365 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5367 SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d"
5368 " max_init_attempts: %d\n",
5369 attempts, asoc->max_init_attempts);
5370 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5371 SCTP_ERROR(ETIMEDOUT));
5372 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5373 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5374 return SCTP_DISPOSITION_DELETE_TCB;
5377 return SCTP_DISPOSITION_CONSUME;
5381 * sctp_sf_t1_cookie_timer_expire
5383 * Section: 4 Note: 2
5388 * RFC 2960 Section 4 Notes
5389 * 3) If the T1-cookie timer expires, the endpoint MUST retransmit
5390 * COOKIE ECHO and re-start the T1-cookie timer without changing
5391 * state. This MUST be repeated up to 'Max.Init.Retransmits' times.
5392 * After that, the endpoint MUST abort the initialization process and
5393 * report the error to SCTP user.
5399 sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep,
5400 const struct sctp_association *asoc,
5401 const sctp_subtype_t type,
5403 sctp_cmd_seq_t *commands)
5405 struct sctp_chunk *repl = NULL;
5406 int attempts = asoc->init_err_counter + 1;
5408 SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n");
5409 SCTP_INC_STATS(SCTP_MIB_T1_COOKIE_EXPIREDS);
5411 if (attempts <= asoc->max_init_attempts) {
5412 repl = sctp_make_cookie_echo(asoc, NULL);
5414 return SCTP_DISPOSITION_NOMEM;
5416 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
5418 /* Issue a sideeffect to do the needed accounting. */
5419 sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
5420 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
5422 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
5424 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5425 SCTP_ERROR(ETIMEDOUT));
5426 sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
5427 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5428 return SCTP_DISPOSITION_DELETE_TCB;
5431 return SCTP_DISPOSITION_CONSUME;
5434 /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
5435 * with the updated last sequential TSN received from its peer.
5437 * An endpoint should limit the number of retransmissions of the
5438 * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
5439 * If this threshold is exceeded the endpoint should destroy the TCB and
5440 * MUST report the peer endpoint unreachable to the upper layer (and
5441 * thus the association enters the CLOSED state). The reception of any
5442 * packet from its peer (i.e. as the peer sends all of its queued DATA
5443 * chunks) should clear the endpoint's retransmission count and restart
5444 * the T2-Shutdown timer, giving its peer ample opportunity to transmit
5445 * all of its queued DATA chunks that have not yet been sent.
5447 sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep,
5448 const struct sctp_association *asoc,
5449 const sctp_subtype_t type,
5451 sctp_cmd_seq_t *commands)
5453 struct sctp_chunk *reply = NULL;
5455 SCTP_DEBUG_PRINTK("Timer T2 expired.\n");
5456 SCTP_INC_STATS(SCTP_MIB_T2_SHUTDOWN_EXPIREDS);
5458 ((struct sctp_association *)asoc)->shutdown_retries++;
5460 if (asoc->overall_error_count >= asoc->max_retrans) {
5461 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5462 SCTP_ERROR(ETIMEDOUT));
5463 /* Note: CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
5464 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5465 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5466 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5467 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5468 return SCTP_DISPOSITION_DELETE_TCB;
5471 switch (asoc->state) {
5472 case SCTP_STATE_SHUTDOWN_SENT:
5473 reply = sctp_make_shutdown(asoc, NULL);
5476 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5477 reply = sctp_make_shutdown_ack(asoc, NULL);
5488 /* Do some failure management (Section 8.2).
5489 * If we remove the transport an SHUTDOWN was last sent to, don't
5490 * do failure management.
5492 if (asoc->shutdown_last_sent_to)
5493 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5494 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5496 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5497 * the T2-shutdown timer.
5499 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(reply));
5501 /* Restart the T2-shutdown timer. */
5502 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5503 SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
5504 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5505 return SCTP_DISPOSITION_CONSUME;
5508 return SCTP_DISPOSITION_NOMEM;
5512 * ADDIP Section 4.1 ASCONF CHunk Procedures
5513 * If the T4 RTO timer expires the endpoint should do B1 to B5
5515 sctp_disposition_t sctp_sf_t4_timer_expire(
5516 const struct sctp_endpoint *ep,
5517 const struct sctp_association *asoc,
5518 const sctp_subtype_t type,
5520 sctp_cmd_seq_t *commands)
5522 struct sctp_chunk *chunk = asoc->addip_last_asconf;
5523 struct sctp_transport *transport = chunk->transport;
5525 SCTP_INC_STATS(SCTP_MIB_T4_RTO_EXPIREDS);
5527 /* ADDIP 4.1 B1) Increment the error counters and perform path failure
5528 * detection on the appropriate destination address as defined in
5529 * RFC2960 [5] section 8.1 and 8.2.
5532 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5533 SCTP_TRANSPORT(transport));
5535 /* Reconfig T4 timer and transport. */
5536 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));
5538 /* ADDIP 4.1 B2) Increment the association error counters and perform
5539 * endpoint failure detection on the association as defined in
5540 * RFC2960 [5] section 8.1 and 8.2.
5541 * association error counter is incremented in SCTP_CMD_STRIKE.
5543 if (asoc->overall_error_count >= asoc->max_retrans) {
5544 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
5545 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5546 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5547 SCTP_ERROR(ETIMEDOUT));
5548 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5549 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5550 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5551 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5552 return SCTP_DISPOSITION_ABORT;
5555 /* ADDIP 4.1 B3) Back-off the destination address RTO value to which
5556 * the ASCONF chunk was sent by doubling the RTO timer value.
5557 * This is done in SCTP_CMD_STRIKE.
5560 /* ADDIP 4.1 B4) Re-transmit the ASCONF Chunk last sent and if possible
5561 * choose an alternate destination address (please refer to RFC2960
5562 * [5] section 6.4.1). An endpoint MUST NOT add new parameters to this
5563 * chunk, it MUST be the same (including its serial number) as the last
5566 sctp_chunk_hold(asoc->addip_last_asconf);
5567 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
5568 SCTP_CHUNK(asoc->addip_last_asconf));
5570 /* ADDIP 4.1 B5) Restart the T-4 RTO timer. Note that if a different
5571 * destination is selected, then the RTO used will be that of the new
5572 * destination address.
5574 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
5575 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
5577 return SCTP_DISPOSITION_CONSUME;
5580 /* sctpimpguide-05 Section 2.12.2
5581 * The sender of the SHUTDOWN MAY also start an overall guard timer
5582 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
5583 * At the expiration of this timer the sender SHOULD abort the association
5584 * by sending an ABORT chunk.
5586 sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep,
5587 const struct sctp_association *asoc,
5588 const sctp_subtype_t type,
5590 sctp_cmd_seq_t *commands)
5592 struct sctp_chunk *reply = NULL;
5594 SCTP_DEBUG_PRINTK("Timer T5 expired.\n");
5595 SCTP_INC_STATS(SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);
5597 reply = sctp_make_abort(asoc, NULL, 0);
5601 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
5602 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
5603 SCTP_ERROR(ETIMEDOUT));
5604 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
5605 SCTP_PERR(SCTP_ERROR_NO_ERROR));
5607 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
5608 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
5610 return SCTP_DISPOSITION_DELETE_TCB;
5612 return SCTP_DISPOSITION_NOMEM;
5615 /* Handle expiration of AUTOCLOSE timer. When the autoclose timer expires,
5616 * the association is automatically closed by starting the shutdown process.
5617 * The work that needs to be done is same as when SHUTDOWN is initiated by
5618 * the user. So this routine looks same as sctp_sf_do_9_2_prm_shutdown().
5620 sctp_disposition_t sctp_sf_autoclose_timer_expire(
5621 const struct sctp_endpoint *ep,
5622 const struct sctp_association *asoc,
5623 const sctp_subtype_t type,
5625 sctp_cmd_seq_t *commands)
5629 SCTP_INC_STATS(SCTP_MIB_AUTOCLOSE_EXPIREDS);
5631 /* From 9.2 Shutdown of an Association
5632 * Upon receipt of the SHUTDOWN primitive from its upper
5633 * layer, the endpoint enters SHUTDOWN-PENDING state and
5634 * remains there until all outstanding data has been
5635 * acknowledged by its peer. The endpoint accepts no new data
5636 * from its upper layer, but retransmits data to the far end
5637 * if necessary to fill gaps.
5639 sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
5640 SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));
5642 disposition = SCTP_DISPOSITION_CONSUME;
5643 if (sctp_outq_is_empty(&asoc->outqueue)) {
5644 disposition = sctp_sf_do_9_2_start_shutdown(ep, asoc, type,
5650 /*****************************************************************************
5651 * These are sa state functions which could apply to all types of events.
5652 ****************************************************************************/
5655 * This table entry is not implemented.
5658 * (endpoint, asoc, chunk)
5660 * The return value is the disposition of the chunk.
5662 sctp_disposition_t sctp_sf_not_impl(const struct sctp_endpoint *ep,
5663 const struct sctp_association *asoc,
5664 const sctp_subtype_t type,
5666 sctp_cmd_seq_t *commands)
5668 return SCTP_DISPOSITION_NOT_IMPL;
5672 * This table entry represents a bug.
5675 * (endpoint, asoc, chunk)
5677 * The return value is the disposition of the chunk.
5679 sctp_disposition_t sctp_sf_bug(const struct sctp_endpoint *ep,
5680 const struct sctp_association *asoc,
5681 const sctp_subtype_t type,
5683 sctp_cmd_seq_t *commands)
5685 return SCTP_DISPOSITION_BUG;
5689 * This table entry represents the firing of a timer in the wrong state.
5690 * Since timer deletion cannot be guaranteed a timer 'may' end up firing
5691 * when the association is in the wrong state. This event should
5692 * be ignored, so as to prevent any rearming of the timer.
5695 * (endpoint, asoc, chunk)
5697 * The return value is the disposition of the chunk.
5699 sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep,
5700 const struct sctp_association *asoc,
5701 const sctp_subtype_t type,
5703 sctp_cmd_seq_t *commands)
5705 SCTP_DEBUG_PRINTK("Timer %d ignored.\n", type.chunk);
5706 return SCTP_DISPOSITION_CONSUME;
5709 /********************************************************************
5710 * 2nd Level Abstractions
5711 ********************************************************************/
5713 /* Pull the SACK chunk based on the SACK header. */
5714 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
5716 struct sctp_sackhdr *sack;
5721 /* Protect ourselves from reading too far into
5722 * the skb from a bogus sender.
5724 sack = (struct sctp_sackhdr *) chunk->skb->data;
5726 num_blocks = ntohs(sack->num_gap_ack_blocks);
5727 num_dup_tsns = ntohs(sack->num_dup_tsns);
5728 len = sizeof(struct sctp_sackhdr);
5729 len += (num_blocks + num_dup_tsns) * sizeof(__u32);
5730 if (len > chunk->skb->len)
5733 skb_pull(chunk->skb, len);
5738 /* Create an ABORT packet to be sent as a response, with the specified
5741 static struct sctp_packet *sctp_abort_pkt_new(const struct sctp_endpoint *ep,
5742 const struct sctp_association *asoc,
5743 struct sctp_chunk *chunk,
5744 const void *payload,
5747 struct sctp_packet *packet;
5748 struct sctp_chunk *abort;
5750 packet = sctp_ootb_pkt_new(asoc, chunk);
5754 * The T bit will be set if the asoc is NULL.
5756 abort = sctp_make_abort(asoc, chunk, paylen);
5758 sctp_ootb_pkt_free(packet);
5762 /* Reflect vtag if T-Bit is set */
5763 if (sctp_test_T_bit(abort))
5764 packet->vtag = ntohl(chunk->sctp_hdr->vtag);
5766 /* Add specified error causes, i.e., payload, to the
5769 sctp_addto_chunk(abort, paylen, payload);
5771 /* Set the skb to the belonging sock for accounting. */
5772 abort->skb->sk = ep->base.sk;
5774 sctp_packet_append_chunk(packet, abort);
5781 /* Allocate a packet for responding in the OOTB conditions. */
5782 static struct sctp_packet *sctp_ootb_pkt_new(const struct sctp_association *asoc,
5783 const struct sctp_chunk *chunk)
5785 struct sctp_packet *packet;
5786 struct sctp_transport *transport;
5791 /* Get the source and destination port from the inbound packet. */
5792 sport = ntohs(chunk->sctp_hdr->dest);
5793 dport = ntohs(chunk->sctp_hdr->source);
5795 /* The V-tag is going to be the same as the inbound packet if no
5796 * association exists, otherwise, use the peer's vtag.
5799 /* Special case the INIT-ACK as there is no peer's vtag
5802 switch(chunk->chunk_hdr->type) {
5803 case SCTP_CID_INIT_ACK:
5805 sctp_initack_chunk_t *initack;
5807 initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
5808 vtag = ntohl(initack->init_hdr.init_tag);
5812 vtag = asoc->peer.i.init_tag;
5816 /* Special case the INIT and stale COOKIE_ECHO as there is no
5819 switch(chunk->chunk_hdr->type) {
5822 sctp_init_chunk_t *init;
5824 init = (sctp_init_chunk_t *)chunk->chunk_hdr;
5825 vtag = ntohl(init->init_hdr.init_tag);
5829 vtag = ntohl(chunk->sctp_hdr->vtag);
5834 /* Make a transport for the bucket, Eliza... */
5835 transport = sctp_transport_new(sctp_source(chunk), GFP_ATOMIC);
5839 /* Cache a route for the transport with the chunk's destination as
5840 * the source address.
5842 sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
5843 sctp_sk(sctp_get_ctl_sock()));
5845 packet = sctp_packet_init(&transport->packet, transport, sport, dport);
5846 packet = sctp_packet_config(packet, vtag, 0);
5854 /* Free the packet allocated earlier for responding in the OOTB condition. */
5855 void sctp_ootb_pkt_free(struct sctp_packet *packet)
5857 sctp_transport_free(packet->transport);
5860 /* Send a stale cookie error when a invalid COOKIE ECHO chunk is found */
5861 static void sctp_send_stale_cookie_err(const struct sctp_endpoint *ep,
5862 const struct sctp_association *asoc,
5863 const struct sctp_chunk *chunk,
5864 sctp_cmd_seq_t *commands,
5865 struct sctp_chunk *err_chunk)
5867 struct sctp_packet *packet;
5870 packet = sctp_ootb_pkt_new(asoc, chunk);
5872 struct sctp_signed_cookie *cookie;
5874 /* Override the OOTB vtag from the cookie. */
5875 cookie = chunk->subh.cookie_hdr;
5876 packet->vtag = cookie->c.peer_vtag;
5878 /* Set the skb to the belonging sock for accounting. */
5879 err_chunk->skb->sk = ep->base.sk;
5880 sctp_packet_append_chunk(packet, err_chunk);
5881 sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
5882 SCTP_PACKET(packet));
5883 SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
5885 sctp_chunk_free (err_chunk);
5890 /* Process a data chunk */
5891 static int sctp_eat_data(const struct sctp_association *asoc,
5892 struct sctp_chunk *chunk,
5893 sctp_cmd_seq_t *commands)
5895 sctp_datahdr_t *data_hdr;
5896 struct sctp_chunk *err;
5898 sctp_verb_t deliver;
5901 struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
5902 struct sock *sk = asoc->base.sk;
5907 data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data;
5908 skb_pull(chunk->skb, sizeof(sctp_datahdr_t));
5910 tsn = ntohl(data_hdr->tsn);
5911 SCTP_DEBUG_PRINTK("eat_data: TSN 0x%x.\n", tsn);
5913 /* ASSERT: Now skb->data is really the user data. */
5915 /* Process ECN based congestion.
5917 * Since the chunk structure is reused for all chunks within
5918 * a packet, we use ecn_ce_done to track if we've already
5919 * done CE processing for this packet.
5921 * We need to do ECN processing even if we plan to discard the
5925 if (!chunk->ecn_ce_done) {
5927 chunk->ecn_ce_done = 1;
5929 af = sctp_get_af_specific(
5930 ipver2af(ip_hdr(chunk->skb)->version));
5932 if (af && af->is_ce(chunk->skb) && asoc->peer.ecn_capable) {
5933 /* Do real work as sideffect. */
5934 sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
5939 tmp = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
5941 /* The TSN is too high--silently discard the chunk and
5942 * count on it getting retransmitted later.
5944 return SCTP_IERROR_HIGH_TSN;
5945 } else if (tmp > 0) {
5946 /* This is a duplicate. Record it. */
5947 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
5948 return SCTP_IERROR_DUP_TSN;
5951 /* This is a new TSN. */
5953 /* Discard if there is no room in the receive window.
5954 * Actually, allow a little bit of overflow (up to a MTU).
5956 datalen = ntohs(chunk->chunk_hdr->length);
5957 datalen -= sizeof(sctp_data_chunk_t);
5959 deliver = SCTP_CMD_CHUNK_ULP;
5961 /* Think about partial delivery. */
5962 if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
5964 /* Even if we don't accept this chunk there is
5967 sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());
5970 /* Spill over rwnd a little bit. Note: While allowed, this spill over
5971 * seems a bit troublesome in that frag_point varies based on
5972 * PMTU. In cases, such as loopback, this might be a rather
5975 if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
5976 (datalen > asoc->rwnd + asoc->frag_point))) {
5978 /* If this is the next TSN, consider reneging to make
5979 * room. Note: Playing nice with a confused sender. A
5980 * malicious sender can still eat up all our buffer
5981 * space and in the future we may want to detect and
5982 * do more drastic reneging.
5984 if (sctp_tsnmap_has_gap(map) &&
5985 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
5986 SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn);
5987 deliver = SCTP_CMD_RENEGE;
5989 SCTP_DEBUG_PRINTK("Discard tsn: %u len: %Zd, "
5990 "rwnd: %d\n", tsn, datalen,
5992 return SCTP_IERROR_IGNORE_TSN;
5997 * Also try to renege to limit our memory usage in the event that
5998 * we are under memory pressure
5999 * If we can't renege, don't worry about it, the sk_rmem_schedule
6000 * in sctp_ulpevent_make_rcvmsg will drop the frame if we grow our
6001 * memory usage too much
6003 if (*sk->sk_prot_creator->memory_pressure) {
6004 if (sctp_tsnmap_has_gap(map) &&
6005 (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
6006 SCTP_DEBUG_PRINTK("Under Pressure! Reneging for tsn:%u\n", tsn);
6007 deliver = SCTP_CMD_RENEGE;
6012 * Section 3.3.10.9 No User Data (9)
6016 * No User Data: This error cause is returned to the originator of a
6017 * DATA chunk if a received DATA chunk has no user data.
6019 if (unlikely(0 == datalen)) {
6020 err = sctp_make_abort_no_data(asoc, chunk, tsn);
6022 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6025 /* We are going to ABORT, so we might as well stop
6026 * processing the rest of the chunks in the packet.
6028 sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
6029 sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
6030 SCTP_ERROR(ECONNABORTED));
6031 sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
6032 SCTP_PERR(SCTP_ERROR_NO_DATA));
6033 SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
6034 SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
6035 return SCTP_IERROR_NO_DATA;
6038 chunk->data_accepted = 1;
6040 /* Note: Some chunks may get overcounted (if we drop) or overcounted
6041 * if we renege and the chunk arrives again.
6043 if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED)
6044 SCTP_INC_STATS(SCTP_MIB_INUNORDERCHUNKS);
6046 SCTP_INC_STATS(SCTP_MIB_INORDERCHUNKS);
6050 /* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
6052 * If an endpoint receive a DATA chunk with an invalid stream
6053 * identifier, it shall acknowledge the reception of the DATA chunk
6054 * following the normal procedure, immediately send an ERROR chunk
6055 * with cause set to "Invalid Stream Identifier" (See Section 3.3.10)
6056 * and discard the DATA chunk.
6058 sid = ntohs(data_hdr->stream);
6059 if (sid >= asoc->c.sinit_max_instreams) {
6060 /* Mark tsn as received even though we drop it */
6061 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
6063 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
6065 sizeof(data_hdr->stream),
6068 sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
6070 return SCTP_IERROR_BAD_STREAM;
6073 /* Check to see if the SSN is possible for this TSN.
6074 * The biggest gap we can record is 4K wide. Since SSNs wrap
6075 * at an unsigned short, there is no way that an SSN can
6076 * wrap and for a valid TSN. We can simply check if the current
6077 * SSN is smaller then the next expected one. If it is, it wrapped
6080 ssn = ntohs(data_hdr->ssn);
6081 if (ordered && SSN_lt(ssn, sctp_ssn_peek(&asoc->ssnmap->in, sid))) {
6082 return SCTP_IERROR_PROTO_VIOLATION;
6085 /* Send the data up to the user. Note: Schedule the
6086 * SCTP_CMD_CHUNK_ULP cmd before the SCTP_CMD_GEN_SACK, as the SACK
6087 * chunk needs the updated rwnd.
6089 sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));
6091 return SCTP_IERROR_NO_ERROR;