46#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
47
48#include <linux/types.h>
49#include <linux/kernel.h>
50#include <linux/ip.h>
51#include <linux/ipv6.h>
52#include <linux/net.h>
53#include <linux/inet.h>
54#include <linux/slab.h>
55#include <net/sock.h>
56#include <net/inet_ecn.h>
57#include <linux/skbuff.h>
58#include <net/sctp/sctp.h>
59#include <net/sctp/sm.h>
60#include <net/sctp/structs.h>
61
62#define CREATE_TRACE_POINTS
63#include <trace/events/sctp.h>
64
/*
 * Forward declarations of file-local (static) helpers and state functions.
 * Several of them are called by the handlers below before any definition
 * is visible at that point in the file.
 */
static struct sctp_packet *
sctp_abort_pkt_new(struct net *net, const struct sctp_endpoint *ep,
		   const struct sctp_association *asoc,
		   struct sctp_chunk *chunk,
		   const void *payload, size_t paylen);

static int
sctp_eat_data(const struct sctp_association *asoc, struct sctp_chunk *chunk,
	      struct sctp_cmd_seq *commands);

static struct sctp_packet *
sctp_ootb_pkt_new(struct net *net, const struct sctp_association *asoc,
		  const struct sctp_chunk *chunk);

static void
sctp_send_stale_cookie_err(struct net *net, const struct sctp_endpoint *ep,
			   const struct sctp_association *asoc,
			   const struct sctp_chunk *chunk,
			   struct sctp_cmd_seq *commands,
			   struct sctp_chunk *err_chunk);

static enum sctp_disposition
sctp_sf_do_5_2_6_stale(struct net *net, const struct sctp_endpoint *ep,
		       const struct sctp_association *asoc,
		       const union sctp_subtype type, void *arg,
		       struct sctp_cmd_seq *commands);

static enum sctp_disposition
sctp_sf_shut_8_4_5(struct net *net, const struct sctp_endpoint *ep,
		   const struct sctp_association *asoc,
		   const union sctp_subtype type, void *arg,
		   struct sctp_cmd_seq *commands);

static enum sctp_disposition
sctp_sf_tabort_8_4_8(struct net *net, const struct sctp_endpoint *ep,
		     const struct sctp_association *asoc,
		     const union sctp_subtype type, void *arg,
		     struct sctp_cmd_seq *commands);

static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);

static enum sctp_disposition
sctp_stop_t1_and_abort(struct net *net, struct sctp_cmd_seq *commands,
		       __be16 error, int sk_err,
		       const struct sctp_association *asoc,
		       struct sctp_transport *transport);

static enum sctp_disposition
sctp_sf_abort_violation(struct net *net, const struct sctp_endpoint *ep,
			const struct sctp_association *asoc, void *arg,
			struct sctp_cmd_seq *commands,
			const __u8 *payload, const size_t paylen);

static enum sctp_disposition
sctp_sf_violation_chunklen(struct net *net, const struct sctp_endpoint *ep,
			   const struct sctp_association *asoc,
			   const union sctp_subtype type, void *arg,
			   struct sctp_cmd_seq *commands);

static enum sctp_disposition
sctp_sf_violation_paramlen(struct net *net, const struct sctp_endpoint *ep,
			   const struct sctp_association *asoc,
			   const union sctp_subtype type,
			   void *arg, void *ext,
			   struct sctp_cmd_seq *commands);

static enum sctp_disposition
sctp_sf_violation_ctsn(struct net *net, const struct sctp_endpoint *ep,
		       const struct sctp_association *asoc,
		       const union sctp_subtype type, void *arg,
		       struct sctp_cmd_seq *commands);

static enum sctp_disposition
sctp_sf_violation_chunk(struct net *net, const struct sctp_endpoint *ep,
			const struct sctp_association *asoc,
			const union sctp_subtype type, void *arg,
			struct sctp_cmd_seq *commands);

static enum sctp_ierror
sctp_sf_authenticate(const struct sctp_association *asoc,
		     struct sctp_chunk *chunk);

static enum sctp_disposition
__sctp_sf_do_9_1_abort(struct net *net, const struct sctp_endpoint *ep,
		       const struct sctp_association *asoc,
		       const union sctp_subtype type, void *arg,
		       struct sctp_cmd_seq *commands);
/*
 * Report whether @chunk may be processed as carrying at least
 * @required_length bytes.
 *
 * Returns false when the chunk is already flagged pdiscard, or when the
 * length field of its chunk header (converted with ntohs()) is smaller than
 * @required_length; true otherwise.
 *
 * Only this lower bound is enforced. Nothing in this helper compares the
 * advertised length with the bytes actually present in the skb, so a caller
 * that walks variable-length contents still has to bound them itself.
 */
static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
					   __u16 required_length)
{
	const __u16 advertised = ntohs(chunk->chunk_hdr->length);

	if (unlikely(chunk->pdiscard) || unlikely(advertised < required_length))
		return false;

	return true;
}
/*
 * State function that completes a shutdown: it raises SCTP_SHUTDOWN_COMP to
 * the upper layer, stops the T2-shutdown and T5 shutdown-guard timers, moves
 * the association to CLOSED and queues its deletion.
 *
 * @arg is the received chunk. Three checks run before any command is queued:
 * the verification tag (sctp_vtag_verify_either), that the chunk is alone in
 * its packet, and that it is at least one chunk header long.
 *
 * Returns SCTP_DISPOSITION_DELETE_TCB on the normal path, or whatever the
 * discard / violation handler returns when a check fails.
 */
enum sctp_disposition sctp_sf_do_4_C(struct net *net,
				     const struct sctp_endpoint *ep,
				     const struct sctp_association *asoc,
				     const union sctp_subtype type,
				     void *arg, struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_ulpevent *assoc_ev;

	/* Tag check failed: hand the packet to the discard handler. */
	if (!sctp_vtag_verify_either(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Bundled with other chunks: treated as a protocol violation. */
	if (!chunk->singleton)
		return sctp_sf_violation_chunk(net, ep, asoc, type, arg,
					       commands);

	/* Shorter than a bare chunk header: length violation. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/*
	 * Notify the upper layer. An allocation failure is tolerated: the
	 * notification is skipped and the teardown continues.
	 */
	assoc_ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
						   0, 0, 0, NULL, GFP_ATOMIC);
	if (assoc_ev != NULL)
		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(assoc_ev));

	/* Both shutdown timers are stopped before the state change. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_CLOSED));

	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);

	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());

	return SCTP_DISPOSITION_DELETE_TCB;
}
/*
 * State function for a received INIT chunk (@arg): validate it, build a
 * temporary association from it, queue an INIT ACK and queue deletion of the
 * TCB again, so nothing stays allocated once the reply is out.
 *
 * Everything read from @chunk comes from the peer and is untrusted. The
 * checks run in this order and each one ends the handler:
 *   - security_sctp_assoc_request() refuses            -> packet discard
 *   - INIT is not the only chunk in the packet         -> packet discard
 *   - endpoint is the control socket's endpoint        -> counted as
 *     out-of-the-blue, abort via sctp_sf_tabort_8_4_8()
 *   - verification tag in the SCTP header is non-zero  -> abort
 *   - chunk shorter than struct sctp_init_chunk        -> packet discard
 *   - socket is in the CLOSING state                   -> abort
 *   - sctp_verify_init() rejects the parameters        -> ABORT carrying the
 *     error causes if an error chunk was produced, plain abort otherwise
 *
 * sctp_verify_init() may also succeed and still hand back an error chunk;
 * its causes are then copied into the INIT ACK.
 *
 * Returns SCTP_DISPOSITION_DELETE_TCB after queueing the INIT ACK,
 * SCTP_DISPOSITION_CONSUME after queueing an ABORT packet,
 * SCTP_DISPOSITION_NOMEM on allocation failure, or the result of the
 * discard / abort handler.
 */
enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg, *init_ack, *err_chunk;
	struct sctp_unrecognized_param *unk_param;
	struct sctp_association *new_asoc;
	struct sctp_packet *abort_pkt;
	int err_len;

	/* The security hook is consulted before the chunk is validated. */
	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
					chunk->skb))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* An INIT bundled with other chunks is dropped. */
	if (!chunk->singleton)
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* INIT addressed to the control socket's endpoint. */
	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
	}

	/* Non-zero verification tag on an INIT. */
	if (chunk->sctp_hdr->vtag != 0)
		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

	/* The fixed INIT header must be present in full. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* No new associations while the socket is closing. */
	if (sctp_sstate(ep->base.sk, CLOSING))
		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

	/* Parameter verification; may allocate err_chunk either way. */
	err_chunk = NULL;
	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
			      &err_chunk)) {
		/* Rejected without causes to report: plain abort. */
		if (!err_chunk)
			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
						    commands);

		/*
		 * Rejected with causes: the ABORT payload is the error
		 * chunk's body, i.e. everything after its chunk header.
		 */
		abort_pkt = sctp_abort_pkt_new(net, ep, asoc, arg,
					(__u8 *)(err_chunk->chunk_hdr) +
					sizeof(struct sctp_chunkhdr),
					ntohs(err_chunk->chunk_hdr->length) -
					sizeof(struct sctp_chunkhdr));

		sctp_chunk_free(err_chunk);

		if (!abort_pkt)
			return SCTP_DISPOSITION_NOMEM;

		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
				SCTP_PACKET(abort_pkt));
		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
		return SCTP_DISPOSITION_CONSUME;
	}

	/* Record where the INIT header sits, then step past it. */
	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));

	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
	if (!new_asoc)
		goto nomem;

	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
					     sctp_scope(sctp_source(chunk)),
					     GFP_ATOMIC) < 0)
		goto nomem_init;

	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
			       (struct sctp_init_chunk *)chunk->chunk_hdr,
			       GFP_ATOMIC))
		goto nomem_init;

	/* Extra room needed in the INIT ACK for the reported causes. */
	err_len = 0;
	if (err_chunk)
		err_len = ntohs(err_chunk->chunk_hdr->length) -
			  sizeof(struct sctp_chunkhdr);

	init_ack = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, err_len);
	if (!init_ack)
		goto nomem_init;

	if (err_chunk) {
		/* Append the error chunk's body to the INIT ACK. */
		unk_param = (struct sctp_unrecognized_param *)
			    ((__u8 *)(err_chunk->chunk_hdr) +
			    sizeof(struct sctp_chunkhdr));

		sctp_addto_chunk(init_ack, err_len, unk_param);
		sctp_chunk_free(err_chunk);
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(init_ack));

	/* The TCB is deleted again once the INIT ACK has been queued. */
	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());

	return SCTP_DISPOSITION_DELETE_TCB;

nomem_init:
	sctp_association_free(new_asoc);
nomem:
	if (err_chunk)
		sctp_chunk_free(err_chunk);
	return SCTP_DISPOSITION_NOMEM;
}
/*
 * State function for a received INIT ACK chunk (@arg).
 *
 * After the verification-tag, singleton and minimum-length checks the
 * parameters are verified with sctp_verify_init(). On success the peer's
 * INIT data is recorded, the T1-init timer is replaced by T1-cookie, the
 * state becomes COOKIE_ECHOED and a COOKIE ECHO is generated; any error
 * chunk produced by a successful verification is handed to that command.
 *
 * When verification fails the association is aborted through
 * sctp_stop_t1_and_abort() with ECONNREFUSED. The cause is
 * SCTP_ERROR_INV_PARAM if an ABORT packet could be queued and
 * SCTP_ERROR_NO_RESOURCE otherwise. If sctp_auth_recv_cid() reports that
 * ABORT chunks are covered by authentication, the packet is discarded
 * instead.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success, otherwise the result of the
 * discard / violation / abort handler that was taken.
 */
enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
					  const struct sctp_endpoint *ep,
					  const struct sctp_association *asoc,
					  const union sctp_subtype type,
					  void *arg,
					  struct sctp_cmd_seq *commands)
{
	struct sctp_init_chunk *peer_init;
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *err_chunk;
	struct sctp_packet *abort_pkt;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* An INIT ACK bundled with other chunks is a violation. */
	if (!chunk->singleton)
		return sctp_sf_violation_chunk(net, ep, asoc, type, arg,
					       commands);

	/* The fixed INIT ACK header must be present in full. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;

	/* Parameter verification; may allocate err_chunk either way. */
	err_chunk = NULL;
	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
			      &err_chunk)) {
		/* Cause reported if no ABORT packet ends up being queued. */
		enum sctp_error cause = SCTP_ERROR_NO_RESOURCE;

		if (err_chunk) {
			/* ABORT payload: the error chunk's body. */
			abort_pkt = sctp_abort_pkt_new(net, ep, asoc, arg,
					(__u8 *)(err_chunk->chunk_hdr) +
					sizeof(struct sctp_chunkhdr),
					ntohs(err_chunk->chunk_hdr->length) -
					sizeof(struct sctp_chunkhdr));

			sctp_chunk_free(err_chunk);

			if (abort_pkt) {
				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
						SCTP_PACKET(abort_pkt));
				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
				cause = SCTP_ERROR_INV_PARAM;
			}
		}

		/* Checked before the local association is torn down. */
		if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
			return sctp_sf_pdiscard(net, ep, asoc, type, arg,
						commands);

		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
		return sctp_stop_t1_and_abort(net, commands, cause,
					      ECONNREFUSED, asoc,
					      chunk->transport);
	}

	/* Step past the INIT header so param_hdr points at the parameters. */
	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));

	peer_init = (struct sctp_init_chunk *)chunk->chunk_hdr;

	sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
			SCTP_PEER_INIT(peer_init));

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());

	/* T1-init is replaced by T1-cookie and the state advances. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));

	/* Queued before the COOKIE ECHO is generated. */
	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());

	/* err_chunk may be NULL here; it is passed on as-is. */
	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
			SCTP_CHUNK(err_chunk));

	return SCTP_DISPOSITION_CONSUME;
}
625
/*
 * Verify the AUTH chunk that accompanied @chunk, if there is one.
 *
 * Returns true when no AUTH chunk is attached, or when
 * sctp_sf_authenticate() returns SCTP_IERROR_NO_ERROR for it. Returns false
 * when an AUTH chunk is attached but authentication is disabled for the
 * namespace or the peer is not auth-capable, and when authentication fails.
 *
 * NOTE(review): the on-stack 'auth' chunk is not zeroed; only skb, asoc,
 * sctp_hdr, chunk_hdr and transport are set. This relies on
 * sctp_sf_authenticate() reading nothing else from it - confirm.
 */
static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
				   const struct sctp_association *asoc)
{
	struct sctp_chunk auth;

	/* Nothing attached, nothing to verify. */
	if (chunk->auth_chunk == NULL)
		return true;

	/* An AUTH chunk we are not prepared to check is a failure. */
	if (!(net->sctp.auth_enable && asoc->peer.auth_capable))
		return false;

	/* Build a minimal chunk descriptor around the saved AUTH skb. */
	auth.skb = chunk->auth_chunk;
	auth.asoc = chunk->asoc;
	auth.sctp_hdr = chunk->sctp_hdr;
	/*
	 * Push exposes the chunk header so its address can be recorded;
	 * the pull right after restores the skb's data pointer.
	 */
	auth.chunk_hdr = (struct sctp_chunkhdr *)
				skb_push(chunk->auth_chunk,
					 sizeof(struct sctp_chunkhdr));
	skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
	auth.transport = chunk->transport;

	return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
}
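/*
 * State function for a received COOKIE ECHO chunk (@arg): unpack the
 * cookie, rebuild the association from it, verify an accompanying AUTH
 * chunk, and on success queue the COOKIE ACK plus the upper-layer
 * notifications and move to ESTABLISHED.
 *
 * The cookie and everything derived from it come from the peer. The handler
 * refuses or drops the request when:
 *   - the endpoint is the control socket's endpoint (out-of-the-blue, abort)
 *   - the chunk is shorter than a chunk header (packet discard)
 *   - the socket is not listening, or is TCP-style with a full accept
 *     queue (abort)
 *   - sctp_unpack_cookie() fails: a stale cookie gets an error reply and a
 *     discard, a bad signature or any other error is a silent discard
 *   - sctp_auth_chunk_verify() fails (association freed, packet discard)
 *
 * Returns SCTP_DISPOSITION_CONSUME on success, SCTP_DISPOSITION_NOMEM when
 * an allocation fails, or the result of the discard / abort handler.
 */
enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
					 const struct sctp_endpoint *ep,
					 const struct sctp_association *asoc,
					 const union sctp_subtype type,
					 void *arg,
					 struct sctp_cmd_seq *commands)
{
	struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
	struct sctp_association *new_asoc;
	struct sctp_init_chunk *peer_init;
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *err_chk_p;
	struct sctp_chunk *repl;
	struct sock *sk;
	int error = 0;

	/* COOKIE ECHO addressed to the control socket's endpoint. */
	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {
		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
	}

	/*
	 * Only the chunk header is required at this point. This also
	 * guarantees that the length subtraction below cannot wrap.
	 */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Refuse when the socket cannot take a new association. */
	sk = ep->base.sk;
	if (!sctp_sstate(sk, LISTENING) ||
	    (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))
		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

	/* Record where the cookie sits, then pull the chunk body. */
	chunk->subh.cookie_hdr =
		(struct sctp_signed_cookie *)chunk->skb->data;
	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
					 sizeof(struct sctp_chunkhdr)))
		goto nomem;

	/* On failure 'error' holds a negated SCTP_IERROR_* value. */
	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
				      &err_chk_p);

	if (!new_asoc) {
		if (error == -SCTP_IERROR_NOMEM)
			goto nomem;

		/* A stale cookie is answered before the packet is dropped. */
		if (error == -SCTP_IERROR_STALE_COOKIE)
			sctp_send_stale_cookie_err(net, ep, asoc, chunk,
						   commands, err_chk_p);

		/* Bad signature and every other error: silent discard. */
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	/* The peer's INIT is embedded in the cookie. */
	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];

	if (!sctp_process_init(new_asoc, chunk,
			       &chunk->subh.cookie_hdr->c.peer_addr,
			       peer_init, GFP_ATOMIC))
		goto nomem_init;

	/* The active key is set up before the AUTH chunk is verified. */
	error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
	if (error)
		goto nomem_init;

	if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
		sctp_association_free(new_asoc);
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	repl = sctp_make_cookie_ack(new_asoc, chunk);
	if (!repl)
		goto nomem_init;

	/*
	 * All notifications are allocated before any command is queued, so
	 * a failure can still be unwound completely.
	 */
	ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
					     new_asoc->c.sinit_num_ostreams,
					     new_asoc->c.sinit_max_instreams,
					     NULL, GFP_ATOMIC);
	if (!ev)
		goto nomem_ev;

	/* Adaptation indication, only if the peer sent one. */
	if (new_asoc->peer.adaptation_ind) {
		ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,
								 GFP_ATOMIC);
		if (!ai_ev)
			goto nomem_aiev;
	}

	/* SCTP_AUTH_NO_AUTH notification when the peer is not auth-capable. */
	if (!new_asoc->peer.auth_capable) {
		auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
						     SCTP_AUTH_NO_AUTH,
						     GFP_ATOMIC);
		if (!auth_ev)
			goto nomem_authev;
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_ESTABLISHED));
	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
	SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());

	if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));

	/* COOKIE ACK first, then the notifications in allocation order. */
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));

	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));

	if (ai_ev)
		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(ai_ev));

	if (auth_ev)
		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(auth_ev));

	return SCTP_DISPOSITION_CONSUME;

nomem_authev:
	/*
	 * ai_ev is still NULL when the peer sent no adaptation indication,
	 * and this label is reached in that case too. Keep NULL away from
	 * sctp_ulpevent_free(), whose NULL handling is not visible here.
	 */
	if (ai_ev)
		sctp_ulpevent_free(ai_ev);
nomem_aiev:
	sctp_ulpevent_free(ev);
nomem_ev:
	sctp_chunk_free(repl);
nomem_init:
	sctp_association_free(new_asoc);
nomem:
	return SCTP_DISPOSITION_NOMEM;
}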
/*
 * State function for a received COOKIE ACK chunk (@arg): stop the T1-cookie
 * timer, move to ESTABLISHED, start the heartbeat (and, if configured,
 * autoclose) timers and notify the upper layer.
 *
 * The chunk must pass the verification-tag check and be at least one chunk
 * header long.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success and SCTP_DISPOSITION_NOMEM if
 * a notification cannot be allocated. In the latter case the commands
 * queued up to that point stay in @commands; this function does not remove
 * them.
 */
enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
					 const struct sctp_endpoint *ep,
					 const struct sctp_association *asoc,
					 const union sctp_subtype type,
					 void *arg,
					 struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_ulpevent *notify;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Shorter than a bare chunk header: length violation. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());

	/* Security hook for the now-established connection. */
	security_inet_conn_established(ep->base.sk, chunk->skb);

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_ESTABLISHED));
	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
	SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));

	/* Association-change (COMM_UP) notification. */
	notify = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
						 0, asoc->c.sinit_num_ostreams,
						 asoc->c.sinit_max_instreams,
						 NULL, GFP_ATOMIC);
	if (!notify)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(notify));

	/* Adaptation indication, only if the peer sent one. */
	if (asoc->peer.adaptation_ind) {
		notify = sctp_ulpevent_make_adaptation_indication(asoc,
								  GFP_ATOMIC);
		if (!notify)
			return SCTP_DISPOSITION_NOMEM;

		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(notify));
	}

	/* SCTP_AUTH_NO_AUTH notification when the peer is not auth-capable. */
	if (!asoc->peer.auth_capable) {
		notify = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
						    GFP_ATOMIC);
		if (!notify)
			return SCTP_DISPOSITION_NOMEM;

		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(notify));
	}

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Build a HEARTBEAT for the transport passed in @arg and queue it.
 *
 * Queues SCTP_CMD_RTO_PENDING for the transport followed by the reply
 * carrying the heartbeat chunk. @ep and @type are not used.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or SCTP_DISPOSITION_NOMEM when the
 * chunk cannot be allocated (nothing is queued in that case).
 */
static enum sctp_disposition sctp_sf_heartbeat(
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_transport *path = (struct sctp_transport *) arg;
	struct sctp_chunk *hb = sctp_make_heartbeat(asoc, path);

	if (hb == NULL)
		return SCTP_DISPOSITION_NOMEM;

	/* RTO_PENDING is queued ahead of the heartbeat itself. */
	sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
			SCTP_TRANSPORT(path));
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(hb));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Heartbeat timer handling for the transport passed in @arg.
 *
 * If the association's overall error count has reached max_retrans, the
 * association is failed with ETIMEDOUT and SCTP_DISPOSITION_DELETE_TCB is
 * returned. Otherwise a HEARTBEAT is sent when SPP_HB_ENABLE is set on the
 * transport, and the transport's idle state and heartbeat timer are updated
 * in either case.
 *
 * Returns SCTP_DISPOSITION_CONSUME on the normal path and
 * SCTP_DISPOSITION_NOMEM if the heartbeat could not be built.
 */
enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	struct sctp_transport *path = (struct sctp_transport *) arg;

	/* Retransmission budget used up: give the association up. */
	if (asoc->overall_error_count >= asoc->max_retrans) {
		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ETIMEDOUT));
		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
				SCTP_PERR(SCTP_ERROR_NO_ERROR));
		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
		return SCTP_DISPOSITION_DELETE_TCB;
	}

	if (path->param_flags & SPP_HB_ENABLE) {
		enum sctp_disposition sent =
			sctp_sf_heartbeat(ep, asoc, type, arg, commands);

		if (sent == SCTP_DISPOSITION_NOMEM)
			return SCTP_DISPOSITION_NOMEM;

		/* Recorded only after the heartbeat was queued. */
		sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
				SCTP_TRANSPORT(path));
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
			SCTP_TRANSPORT(path));
	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
			SCTP_TRANSPORT(path));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Resend the association's pending stream-reset chunk on a timeout for the
 * transport passed in @arg.
 *
 * If the overall error count has reached max_retrans, the association is
 * failed with ETIMEDOUT and SCTP_DISPOSITION_DELETE_TCB is returned.
 * Otherwise a reference is taken on asoc->strreset_chunk, the chunk is
 * queued as a reply and a strike is recorded against the transport.
 *
 * NOTE(review): asoc->strreset_chunk is used without a NULL check; this
 * presumably relies on the timer only running while a request is
 * outstanding - confirm.
 */
enum sctp_disposition sctp_sf_send_reconf(struct net *net,
					  const struct sctp_endpoint *ep,
					  const struct sctp_association *asoc,
					  const union sctp_subtype type,
					  void *arg,
					  struct sctp_cmd_seq *commands)
{
	struct sctp_transport *path = arg;

	/* Retransmission budget used up: give the association up. */
	if (asoc->overall_error_count >= asoc->max_retrans) {
		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ETIMEDOUT));
		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
				SCTP_PERR(SCTP_ERROR_NO_ERROR));
		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
		return SCTP_DISPOSITION_DELETE_TCB;
	}

	/* Extra reference for the queued copy of the pending request. */
	sctp_chunk_hold(asoc->strreset_chunk);
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
			SCTP_CHUNK(asoc->strreset_chunk));
	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(path));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * State function for a received HEARTBEAT chunk (@arg): echo its payload
 * back in a HEARTBEAT ACK.
 *
 * The payload is supplied by the peer and is copied into the reply, so its
 * size is bounded before use: the chunk must be at least
 * struct sctp_heartbeat_chunk long, and the length claimed by the first
 * parameter header must not exceed the chunk body (chunk length minus the
 * chunk header).
 *
 * Returns SCTP_DISPOSITION_CONSUME once the ACK is queued,
 * SCTP_DISPOSITION_NOMEM if the pull or the allocation fails, or the result
 * of the discard / violation handler.
 */
enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
				       const struct sctp_endpoint *ep,
				       const struct sctp_association *asoc,
				       const union sctp_subtype type,
				       void *arg, struct sctp_cmd_seq *commands)
{
	struct sctp_paramhdr *hb_param;
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *hb_ack;
	size_t body_len = 0;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* The fixed HEARTBEAT header must be present in full. */
	if (!sctp_chunk_length_valid(chunk,
				     sizeof(struct sctp_heartbeat_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* The heartbeat info starts right at the current skb data pointer. */
	chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;
	hb_param = (struct sctp_paramhdr *)chunk->subh.hb_hdr;
	body_len = ntohs(chunk->chunk_hdr->length) -
		   sizeof(struct sctp_chunkhdr);

	/* The parameter may not claim more bytes than the chunk body has. */
	if (ntohs(hb_param->length) > body_len)
		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
						  hb_param, commands);

	if (!pskb_pull(chunk->skb, body_len))
		return SCTP_DISPOSITION_NOMEM;

	hb_ack = sctp_make_heartbeat_ack(asoc, chunk, hb_param, body_len);
	if (!hb_ack)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(hb_ack));
	return SCTP_DISPOSITION_CONSUME;
}
/*
 * State function for a received HEARTBEAT ACK chunk (@arg): mark the
 * transport it refers to as reachable.
 *
 * The heartbeat info is read straight from packet data, so each field is
 * checked before the transport is touched:
 *   - the chunk must hold a chunk header plus a full sctp_sender_hb_info
 *   - the info parameter's length must equal sizeof(sctp_sender_hb_info)
 *   - the address in the info must belong to a transport of @asoc
 *   - the nonce must match the one stored on that transport
 *   - sent_at must not lie in the future, nor be older than the
 *     transport's hbinterval + rto
 * A failure of any of the last four yields SCTP_DISPOSITION_DISCARD.
 *
 * Returns SCTP_DISPOSITION_CONSUME after queueing SCTP_CMD_TRANSPORT_ON.
 */
enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	struct sctp_sender_hb_info *hbinfo;
	struct sctp_chunk *chunk = arg;
	struct sctp_transport *path;
	unsigned long oldest_ok;
	union sctp_addr echoed_addr;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Chunk header plus the complete heartbeat info are required. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +
					    sizeof(*hbinfo)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;

	/* The info parameter must have exactly the expected size. */
	if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))
		return SCTP_DISPOSITION_DISCARD;

	/* Copy the address out of the packet before looking it up. */
	echoed_addr = hbinfo->daddr;
	path = sctp_assoc_lookup_paddr(asoc, &echoed_addr);

	/* Address is not one of this association's transports. */
	if (unlikely(!path)) {
		if (echoed_addr.sa.sa_family == AF_INET6)
			net_warn_ratelimited("%s association %p could not find address %pI6\n",
					     __func__,
					     asoc,
					     &echoed_addr.v6.sin6_addr);
		else
			net_warn_ratelimited("%s association %p could not find address %pI4\n",
					     __func__,
					     asoc,
					     &echoed_addr.v4.sin_addr.s_addr);

		return SCTP_DISPOSITION_DISCARD;
	}

	/* The echoed nonce must be the one stored on the transport. */
	if (hbinfo->hb_nonce != path->hb_nonce)
		return SCTP_DISPOSITION_DISCARD;

	oldest_ok = path->hbinterval + path->rto;

	/* Reject timestamps from the future or older than the window. */
	if (time_after(hbinfo->sent_at, jiffies) ||
	    time_after(jiffies, hbinfo->sent_at + oldest_ok)) {
		pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
			 "for transport:%p\n", __func__, path);

		return SCTP_DISPOSITION_DISCARD;
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(path));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Queue an ABORT packet with an SCTP_ERROR_RESTART cause that carries the
 * address @ssa, in response to the chunk @init.
 *
 * The cause is assembled in an on-stack buffer sized for one error header
 * plus one address parameter. The packet is built against the control
 * socket's endpoint with no association. If the packet cannot be
 * allocated nothing is queued.
 *
 * Always returns 0; callers cannot tell whether the ABORT was queued.
 *
 * NOTE(review): 'af' is dereferenced without a NULL check; this presumably
 * relies on @ssa always having a supported address family - confirm.
 */
static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,
				      struct sctp_chunk *init,
				      struct sctp_cmd_seq *commands)
{
	struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);
	union sctp_addr_param *addr_param;
	struct sctp_errhdr *err;
	char cause_buf[sizeof(*err) + sizeof(*addr_param)];
	struct sctp_endpoint *ctl_ep;
	struct sctp_packet *abort_pkt;
	int cause_len;

	/* Lay the error header over the buffer; the address follows it. */
	err = (struct sctp_errhdr *)cause_buf;
	addr_param = (union sctp_addr_param *)err->variable;

	/* Address parameter length plus the error header. */
	cause_len = af->to_addr_param(ssa, addr_param);
	cause_len += sizeof(*err);

	err->cause = SCTP_ERROR_RESTART;
	err->length = htons(cause_len);

	/* The ABORT is sent from the control socket's endpoint. */
	ctl_ep = sctp_sk(net->sctp.ctl_sock)->ep;

	abort_pkt = sctp_abort_pkt_new(net, ctl_ep, NULL, init, err,
				       cause_len);
	if (abort_pkt) {
		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
				SCTP_PACKET(abort_pkt));

		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

		/* The received packet is discarded after the ABORT. */
		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,
				SCTP_NULL());
	}

	return 0;
}
1317
/*
 * Return true if some transport on @list has an address that
 * sctp_cmp_addr_exact() reports as equal to @ipaddr, false otherwise.
 */
static bool list_has_sctp_addr(const struct list_head *list,
			       union sctp_addr *ipaddr)
{
	struct sctp_transport *t;
	bool found = false;

	list_for_each_entry(t, list, transports) {
		if (sctp_cmp_addr_exact(ipaddr, &t->ipaddr)) {
			found = true;
			break;
		}
	}

	return found;
}
/*
 * Check that every peer transport address of @new_asoc is already a peer
 * transport address of the existing @asoc.
 *
 * For the first address that is not, a restart ABORT naming that address is
 * queued through sctp_sf_send_restart_abort() and the scan stops. This
 * keeps an INIT on an existing association from introducing addresses the
 * association never had.
 *
 * Returns 1 if all addresses were found, 0 if a new one was encountered.
 */
static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
				       const struct sctp_association *asoc,
				       struct sctp_chunk *init,
				       struct sctp_cmd_seq *commands)
{
	struct net *net = sock_net(new_asoc->base.sk);
	struct sctp_transport *candidate;

	list_for_each_entry(candidate, &new_asoc->peer.transport_addr_list,
			    transports) {
		if (list_has_sctp_addr(&asoc->peer.transport_addr_list,
				       &candidate->ipaddr))
			continue;

		/* First unknown address ends the scan. */
		sctp_sf_send_restart_abort(net, &candidate->ipaddr, init,
					   commands);
		return 0;
	}

	return 1;
}
/*
 * Fill in the tie-tags of @new_asoc from the existing @asoc, depending on
 * the state @asoc is in, and carry over rwnd, the stream counts and the
 * initial TSN.
 *
 *   COOKIE_WAIT:   my_vtag and my_ttag = asoc's my_vtag, peer_ttag = 0
 *   COOKIE_ECHOED: my_vtag and my_ttag = asoc's my_vtag,
 *                  peer_ttag = asoc's peer_vtag
 *   any other:     my_ttag = asoc's my_vtag, peer_ttag = asoc's peer_vtag
 *                  (new_asoc's my_vtag is left untouched)
 */
static void sctp_tietags_populate(struct sctp_association *new_asoc,
				  const struct sctp_association *asoc)
{
	if (asoc->state == SCTP_STATE_COOKIE_WAIT) {
		new_asoc->c.my_vtag = asoc->c.my_vtag;
		new_asoc->c.my_ttag = asoc->c.my_vtag;
		new_asoc->c.peer_ttag = 0;
	} else if (asoc->state == SCTP_STATE_COOKIE_ECHOED) {
		new_asoc->c.my_vtag = asoc->c.my_vtag;
		new_asoc->c.my_ttag = asoc->c.my_vtag;
		new_asoc->c.peer_ttag = asoc->c.peer_vtag;
	} else {
		new_asoc->c.my_ttag = asoc->c.my_vtag;
		new_asoc->c.peer_ttag = asoc->c.peer_vtag;
	}

	/* Values carried over regardless of state. */
	new_asoc->rwnd = asoc->rwnd;
	new_asoc->c.sinit_num_ostreams = asoc->c.sinit_num_ostreams;
	new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
	new_asoc->c.initial_tsn = asoc->c.initial_tsn;
}
/*
 * Classify how the tags of @new_asoc relate to those of the existing @asoc.
 *
 * Returns one of 'A', 'B', 'C', 'D' or 'E'. The tests run in the order
 * A, B, D, C and the first match wins:
 *   'A' both verification tags differ and both tie-tags of @new_asoc equal
 *       the corresponding verification tags of @asoc
 *   'B' my_vtag matches and the peer_vtag differs or @asoc's peer_vtag is 0
 *   'D' both verification tags match
 *   'C' my_vtag differs, peer_vtag matches, both tie-tags of @new_asoc are 0
 *   'E' none of the above
 * Because 'B' is tested before 'D', matching tags with a zero peer_vtag
 * classify as 'B'.
 */
static char sctp_tietags_compare(struct sctp_association *new_asoc,
				 const struct sctp_association *asoc)
{
	const bool my_vtag_same = asoc->c.my_vtag == new_asoc->c.my_vtag;
	const bool peer_vtag_same = asoc->c.peer_vtag == new_asoc->c.peer_vtag;

	if (!my_vtag_same && !peer_vtag_same &&
	    asoc->c.my_vtag == new_asoc->c.my_ttag &&
	    asoc->c.peer_vtag == new_asoc->c.peer_ttag)
		return 'A';

	if (my_vtag_same && (!peer_vtag_same || asoc->c.peer_vtag == 0))
		return 'B';

	if (my_vtag_same && peer_vtag_same)
		return 'D';

	if (!my_vtag_same && peer_vtag_same &&
	    new_asoc->c.my_ttag == 0 && new_asoc->c.peer_ttag == 0)
		return 'C';

	/* No recognised combination. */
	return 'E';
}
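/*
 * Shared handler for an INIT chunk that arrives while an association
 * already exists; the siminit and dupinit entry points both call it.
 *
 * @arg is the received chunk.  It is checked in this order: LSM hook,
 * singleton packet, zero verification tag, minimum INIT length, then
 * sctp_verify_init().  A chunk that passes is used to build a temporary
 * association, an INIT ACK is queued as the reply, and the temporary
 * association is queued for deletion.
 *
 * Returns SCTP_DISPOSITION_CONSUME when an INIT ACK or ABORT was queued
 * (and also when the restart-address check rejects the INIT),
 * SCTP_DISPOSITION_NOMEM when an allocation fails, or the result of the
 * discard/abort/violation helper that rejected the chunk.
 */
static enum sctp_disposition sctp_sf_do_unexpected_init(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg, *repl, *err_chunk;
	struct sctp_unrecognized_param *unk_param;
	struct sctp_association *new_asoc;
	enum sctp_disposition retval;
	struct sctp_packet *packet;
	int len;

	/* Give the LSM the chance to veto the request. */
	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
					chunk->skb))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* An INIT bundled with other chunks is dropped with its packet. */
	if (!chunk->singleton)
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* A non-zero verification tag on an INIT is answered with an ABORT. */
	if (chunk->sctp_hdr->vtag != 0)
		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

	/* Length must cover the fixed INIT header before it is parsed. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Record where the INIT header sits, then step past it. */
	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;
	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));

	/* sctp_verify_init() may hand back an error chunk through err_chunk;
	 * from here on this function owns it and must free it.
	 */
	err_chunk = NULL;
	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,
			      &err_chunk)) {
		/* Verification failed without any causes to report. */
		if (!err_chunk)
			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,
						    commands);

		/* Send an ABORT whose payload is the error chunk's body
		 * (everything after its chunk header).
		 */
		packet = sctp_abort_pkt_new(net, ep, asoc, arg,
				(__u8 *)(err_chunk->chunk_hdr) +
				sizeof(struct sctp_chunkhdr),
				ntohs(err_chunk->chunk_hdr->length) -
				sizeof(struct sctp_chunkhdr));

		if (packet) {
			sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
					SCTP_PACKET(packet));
			SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
			retval = SCTP_DISPOSITION_CONSUME;
		} else {
			retval = SCTP_DISPOSITION_NOMEM;
		}
		goto cleanup;
	}

	/* Build a temporary association to hold the state from this INIT. */
	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
	if (!new_asoc)
		goto nomem;

	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
				sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
		goto nomem;

	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
			       (struct sctp_init_chunk *)chunk->chunk_hdr,
			       GFP_ATOMIC))
		goto nomem;

	/* Outside COOKIE_WAIT the addresses in the INIT are checked against
	 * the existing association; a failed check consumes the chunk.
	 */
	if (!sctp_state(asoc, COOKIE_WAIT)) {
		if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
						 commands)) {
			retval = SCTP_DISPOSITION_CONSUME;
			goto nomem_retval;
		}
	}

	sctp_tietags_populate(new_asoc, asoc);

	/* Reserve room in the INIT ACK for the error chunk's body, if any. */
	len = 0;
	if (err_chunk) {
		len = ntohs(err_chunk->chunk_hdr->length) -
		      sizeof(struct sctp_chunkhdr);
	}

	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
	if (!repl)
		goto nomem;

	if (err_chunk) {
		/* Append the body of the error chunk to the INIT ACK. */
		unk_param = (struct sctp_unrecognized_param *)
			    ((__u8 *)(err_chunk->chunk_hdr) +
			     sizeof(struct sctp_chunkhdr));
		sctp_addto_chunk(repl, len, unk_param);
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));

	/* new_asoc has been handed to the command sequence above. */
	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
	retval = SCTP_DISPOSITION_CONSUME;

	/* Leave through 'cleanup' so err_chunk is released on success too;
	 * returning directly here left it allocated for every INIT that
	 * verified but still produced an error chunk.  This relies on
	 * sctp_addto_chunk() having copied the causes into repl, the same
	 * way the ABORT branch above frees err_chunk after using its body.
	 */
	goto cleanup;

nomem:
	retval = SCTP_DISPOSITION_NOMEM;
nomem_retval:
	if (new_asoc)
		sctp_association_free(new_asoc);
cleanup:
	if (err_chunk)
		sctp_chunk_free(err_chunk);
	return retval;
}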
/*
 * State-function entry point that passes the chunk in @arg straight to
 * sctp_sf_do_unexpected_init() and returns its disposition.  It adds no
 * checks of its own.
 */
enum sctp_disposition sctp_sf_do_5_2_1_siminit(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* Validation and reply generation live in the shared handler. */
	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
}
/*
 * State-function entry point that delegates to
 * sctp_sf_do_unexpected_init() with unchanged arguments and returns its
 * disposition.
 */
enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* Same shared handler as sctp_sf_do_5_2_1_siminit(). */
	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);
}
/*
 * Handle a chunk by endpoint: if @ep is the endpoint of the control
 * socket (net->sctp.ctl_sock) the chunk goes to sctp_sf_ootb(); on any
 * other endpoint it goes to sctp_sf_discard_chunk().
 *
 * Returns the disposition of whichever helper was called.
 */
enum sctp_disposition sctp_sf_do_5_2_3_initack(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	if (ep != sctp_sk(net->sctp.ctl_sock)->ep)
		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
					     commands);

	return sctp_sf_ootb(net, ep, asoc, type, arg, commands);
}
/*
 * Tie-tag action 'A' for a duplicate COOKIE ECHO.  The INIT stored in
 * the cookie is processed into @new_asoc, the AUTH chunk (if any) is
 * verified, and SCTP_CMD_UPDATE_ASSOC is queued with @new_asoc together
 * with an SCTP_RESTART association-change event and a COOKIE ACK.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success, when the restart-address
 * check rejects the cookie, or after the SHUTDOWN_ACK_SENT handling;
 * SCTP_DISPOSITION_DISCARD when AUTH verification fails;
 * SCTP_DISPOSITION_NOMEM on allocation failure; or the result of
 * sctp_sf_do_9_2_start_shutdown() when a shutdown is pending on a
 * closing or dead socket.
 */
static enum sctp_disposition sctp_sf_do_dupcook_a(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					struct sctp_chunk *chunk,
					struct sctp_cmd_seq *commands,
					struct sctp_association *new_asoc)
{
	struct sctp_init_chunk *cookie_init;
	enum sctp_disposition rc;
	struct sctp_ulpevent *restart_ev;
	struct sctp_chunk *cookie_ack;
	struct sctp_chunk *op_err;

	/* The peer's INIT is carried inside the signed cookie. */
	cookie_init = &chunk->subh.cookie_hdr->c.peer_init[0];

	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
			       cookie_init, GFP_ATOMIC))
		goto nomem;

	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
		goto nomem;

	/* Drop the chunk when AUTH verification against new_asoc fails. */
	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
		return SCTP_DISPOSITION_DISCARD;

	/* A failed address check ends processing with the chunk consumed. */
	if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
		return SCTP_DISPOSITION_CONSUME;

	/* In SHUTDOWN_ACK_SENT: resend the SHUTDOWN ACK and, when it can be
	 * allocated, reply with a "cookie received while shutting down"
	 * error instead of restarting.
	 */
	if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
		rc = sctp_sf_do_9_2_reshutack(net, ep, asoc,
				SCTP_ST_CHUNK(chunk->chunk_hdr->type),
				chunk, commands);
		if (rc == SCTP_DISPOSITION_NOMEM)
			goto nomem;

		op_err = sctp_make_op_error(asoc, chunk,
					    SCTP_ERROR_COOKIE_IN_SHUTDOWN,
					    NULL, 0, 0);
		if (op_err)
			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
					SCTP_CHUNK(op_err));

		return SCTP_DISPOSITION_CONSUME;
	}

	/* Stop retransmission and SACK timers and purge the out queue. */
	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());

	/* Same for the T4 RTO timer and the ASCONF queue. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());

	cookie_ack = sctp_make_cookie_ack(new_asoc, chunk);
	if (!cookie_ack)
		goto nomem;

	/* Stream counts for the event come from the new association. */
	restart_ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
					new_asoc->c.sinit_num_ostreams,
					new_asoc->c.sinit_max_instreams,
					NULL, GFP_ATOMIC);
	if (!restart_ev)
		goto nomem_ev;

	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
			SCTP_ULPEVENT(restart_ev));

	/* A pending shutdown on a closing or dead socket is resumed right
	 * after the COOKIE ACK instead of moving to ESTABLISHED.
	 */
	if (sctp_state(asoc, SHUTDOWN_PENDING) &&
	    (sctp_sstate(asoc->base.sk, CLOSING) ||
	     sock_flag(asoc->base.sk, SOCK_DEAD))) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
				SCTP_CHUNK(cookie_ack));
		return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
						     SCTP_ST_CHUNK(0), NULL,
						     commands);
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_ESTABLISHED));
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(cookie_ack));
	return SCTP_DISPOSITION_CONSUME;

nomem_ev:
	/* The COOKIE ACK was never queued, so it is freed here. */
	sctp_chunk_free(cookie_ack);
nomem:
	return SCTP_DISPOSITION_NOMEM;
}
/*
 * Tie-tag action 'B' for a duplicate COOKIE ECHO.  The INIT stored in
 * the cookie is processed into @new_asoc, the AUTH chunk (if any) is
 * verified, and commands are queued to update the association, move to
 * ESTABLISHED, start heartbeat timers, reply with a COOKIE ACK and
 * signal SCTP_COMM_UP.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success,
 * SCTP_DISPOSITION_DISCARD when AUTH verification fails, or
 * SCTP_DISPOSITION_NOMEM on allocation failure.
 */
static enum sctp_disposition sctp_sf_do_dupcook_b(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					struct sctp_chunk *chunk,
					struct sctp_cmd_seq *commands,
					struct sctp_association *new_asoc)
{
	struct sctp_init_chunk *cookie_init;
	struct sctp_chunk *cookie_ack;

	/* The peer's INIT is carried inside the signed cookie. */
	cookie_init = &chunk->subh.cookie_hdr->c.peer_init[0];
	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
			       cookie_init, GFP_ATOMIC))
		return SCTP_DISPOSITION_NOMEM;

	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
		return SCTP_DISPOSITION_NOMEM;

	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
		return SCTP_DISPOSITION_DISCARD;

	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_ESTABLISHED));
	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());

	/* Note: the commands above stay queued if this allocation fails. */
	cookie_ack = sctp_make_cookie_ack(new_asoc, chunk);
	if (!cookie_ack)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(cookie_ack));

	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));

	/* Both indications are keyed on the existing asoc's peer flags. */
	if (asoc->peer.adaptation_ind)
		sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());

	if (!asoc->peer.auth_capable)
		sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Tie-tag action 'C' for a duplicate COOKIE ECHO: no commands are
 * queued and the chunk is reported as discarded.  None of the
 * parameters are used.
 */
static enum sctp_disposition sctp_sf_do_dupcook_c(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					struct sctp_chunk *chunk,
					struct sctp_cmd_seq *commands,
					struct sctp_association *new_asoc)
{
	return SCTP_DISPOSITION_DISCARD;
}
/*
 * Tie-tag action 'D' for a duplicate COOKIE ECHO.  The AUTH chunk (if
 * any) is verified against the existing @asoc.  If @asoc has not yet
 * reached ESTABLISHED, the T1-cookie timer is stopped, the state is
 * moved to ESTABLISHED and the upper-layer events are prepared.  A
 * COOKIE ACK is queued in either case.  @new_asoc is not used.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success,
 * SCTP_DISPOSITION_DISCARD when AUTH verification fails, or
 * SCTP_DISPOSITION_NOMEM on allocation failure (events allocated so
 * far are freed).
 */
static enum sctp_disposition sctp_sf_do_dupcook_d(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					struct sctp_chunk *chunk,
					struct sctp_cmd_seq *commands,
					struct sctp_association *new_asoc)
{
	struct sctp_ulpevent *up_ev = NULL;
	struct sctp_ulpevent *adapt_ev = NULL;
	struct sctp_ulpevent *noauth_ev = NULL;
	struct sctp_chunk *cookie_ack;

	if (!sctp_auth_chunk_verify(net, chunk, asoc))
		return SCTP_DISPOSITION_DISCARD;

	/* Only an association that is not yet established is moved up. */
	if (asoc->state < SCTP_STATE_ESTABLISHED) {
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
				SCTP_STATE(SCTP_STATE_ESTABLISHED));
		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
		sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
				SCTP_NULL());

		/* Events are allocated now and queued only after the
		 * COOKIE ACK below has been allocated as well.
		 */
		up_ev = sctp_ulpevent_make_assoc_change(asoc, 0,
						SCTP_COMM_UP, 0,
						asoc->c.sinit_num_ostreams,
						asoc->c.sinit_max_instreams,
						NULL, GFP_ATOMIC);
		if (!up_ev)
			goto nomem;

		if (asoc->peer.adaptation_ind) {
			adapt_ev = sctp_ulpevent_make_adaptation_indication(
							asoc, GFP_ATOMIC);
			if (!adapt_ev)
				goto nomem;
		}

		if (!asoc->peer.auth_capable) {
			noauth_ev = sctp_ulpevent_make_authkey(asoc, 0,
							SCTP_AUTH_NO_AUTH,
							GFP_ATOMIC);
			if (!noauth_ev)
				goto nomem;
		}
	}

	cookie_ack = sctp_make_cookie_ack(asoc, chunk);
	if (!cookie_ack)
		goto nomem;

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(cookie_ack));

	if (up_ev)
		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(up_ev));
	if (adapt_ev)
		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(adapt_ev));
	if (noauth_ev)
		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(noauth_ev));

	return SCTP_DISPOSITION_CONSUME;

nomem:
	/* None of the events were queued yet, so they are freed here. */
	if (noauth_ev)
		sctp_ulpevent_free(noauth_ev);
	if (adapt_ev)
		sctp_ulpevent_free(adapt_ev);
	if (up_ev)
		sctp_ulpevent_free(up_ev);
	return SCTP_DISPOSITION_NOMEM;
}
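/*
 * Handle a COOKIE ECHO that arrives while an association already
 * exists.  The cookie is unpacked into a temporary association, the
 * LSM is consulted, and the tie-tags of the two associations select
 * one of the sctp_sf_do_dupcook_{a,b,c,d}() handlers.
 *
 * @arg is the received chunk.  Returns the selected handler's
 * disposition, SCTP_DISPOSITION_NOMEM when pulling the cookie or
 * unpacking it runs out of memory, or the result of the
 * discard/violation helper that rejected the chunk.
 */
enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_association *new_asoc;
	struct sctp_chunk *chunk = arg;
	enum sctp_disposition retval;
	struct sctp_chunk *err_chk_p;
	int error = 0;
	char action;

	/* Only the chunk header is length-checked here; the cookie body is
	 * validated by sctp_unpack_cookie() below.
	 */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Remember where the cookie starts, then pull the whole chunk body
	 * so that it is available in the linear area.
	 */
	chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
					sizeof(struct sctp_chunkhdr)))
		goto nomem;

	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
				      &err_chk_p);

	if (!new_asoc) {
		switch (error) {
		case -SCTP_IERROR_NOMEM:
			goto nomem;

		case -SCTP_IERROR_STALE_COOKIE:
			/* Tell the peer its cookie expired, then drop. */
			sctp_send_stale_cookie_err(net, ep, asoc, chunk,
						   commands, err_chk_p);
			return sctp_sf_pdiscard(net, ep, asoc, type, arg,
						commands);
		case -SCTP_IERROR_BAD_SIG:
		default:
			/* Bad signature or any other failure: drop the
			 * packet without a reply.
			 */
			return sctp_sf_pdiscard(net, ep, asoc, type, arg,
						commands);
		}
	}

	/* The LSM may veto the request.  new_asoc has not been handed to
	 * the command sequence yet, so it must be freed here; returning
	 * without doing so leaked one association per rejected cookie.
	 */
	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
					chunk->skb)) {
		sctp_association_free(new_asoc);
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	/* Mark the unpacked association as temporary. */
	new_asoc->temp = 1;

	/* The tie-tag comparison yields a letter that picks the handler. */
	action = sctp_tietags_compare(new_asoc, asoc);

	switch (action) {
	case 'A':
		retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
					      new_asoc);
		break;

	case 'B':
		retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,
					      new_asoc);
		break;

	case 'C':
		retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,
					      new_asoc);
		break;

	case 'D':
		retval = sctp_sf_do_dupcook_d(net, ep, asoc, chunk, commands,
					      new_asoc);
		break;

	default:
		/* No recognised action: drop the packet. */
		retval = sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
		break;
	}

	/* Select new_asoc and queue its deletion, whatever the handler
	 * returned.
	 */
	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());

	/* Point the command sequence back at the original association. */
	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
			SCTP_ASOC((struct sctp_association *)asoc));

	return retval;

nomem:
	return SCTP_DISPOSITION_NOMEM;
}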
/*
 * ABORT handler.  The chunk in @arg must pass
 * sctp_vtag_verify_either() and be at least
 * sizeof(struct sctp_abort_chunk) long, otherwise the packet is
 * discarded.  A chunk whose destination address is in state
 * SCTP_ADDR_DEL in the association's bind list is discarded on its
 * own.  Anything else is passed to __sctp_sf_do_9_1_abort().
 *
 * Returns the disposition of the helper that handled the chunk.
 */
enum sctp_disposition sctp_sf_shutdown_pending_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *abort_chunk = arg;

	/* Tag first, then length; both failures drop the whole packet. */
	if (!sctp_vtag_verify_either(abort_chunk, asoc) ||
	    !sctp_chunk_length_valid(abort_chunk,
				     sizeof(struct sctp_abort_chunk)))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Ignore an ABORT sent to an address that is being deleted. */
	if (sctp_bind_addr_state(&asoc->base.bind_addr,
				 &abort_chunk->dest) == SCTP_ADDR_DEL)
		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
					     commands);

	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
}
/*
 * ABORT handler that also stops the T2-shutdown and T5-shutdown-guard
 * timers before the abort is processed.  The chunk in @arg goes through
 * the same three checks as sctp_sf_shutdown_pending_abort(): tag,
 * minimum length, and destination address not in state SCTP_ADDR_DEL.
 *
 * Returns the disposition of the helper that handled the chunk.
 */
enum sctp_disposition sctp_sf_shutdown_sent_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *abort_chunk = arg;

	/* Tag first, then length; both failures drop the whole packet. */
	if (!sctp_vtag_verify_either(abort_chunk, asoc) ||
	    !sctp_chunk_length_valid(abort_chunk,
				     sizeof(struct sctp_abort_chunk)))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Ignore an ABORT sent to an address that is being deleted. */
	if (sctp_bind_addr_state(&asoc->base.bind_addr,
				 &abort_chunk->dest) == SCTP_ADDR_DEL)
		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
					     commands);

	/* Timers are stopped only once the ABORT has been accepted. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));

	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
}
/*
 * ABORT handler that delegates to sctp_sf_shutdown_sent_abort() with
 * unchanged arguments and returns its disposition.
 */
enum sctp_disposition sctp_sf_shutdown_ack_sent_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* Validation and timer handling are done by the callee. */
	return sctp_sf_shutdown_sent_abort(net, ep, asoc, type, arg, commands);
}
/*
 * Handle an operation-error chunk: after the verification tag and the
 * minimum length (sizeof(struct sctp_operr_chunk)) are checked, the
 * error causes are walked and the first SCTP_ERROR_STALE_COOKIE cause
 * hands the chunk to sctp_sf_do_5_2_6_stale().  A chunk with no such
 * cause is dropped with its packet.
 *
 * Returns the disposition of the helper that handled the chunk.
 */
enum sctp_disposition sctp_sf_cookie_echoed_err(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *err_chunk = arg;
	struct sctp_errhdr *cause;

	if (!sctp_vtag_verify(err_chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Too short to hold even one error header: protocol violation. */
	if (!sctp_chunk_length_valid(err_chunk,
				     sizeof(struct sctp_operr_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Only a stale-cookie cause is acted on; others are skipped. */
	sctp_walk_errors(cause, err_chunk->chunk_hdr) {
		if (cause->cause == SCTP_ERROR_STALE_COOKIE)
			return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
						      arg, commands);
	}

	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
}
/*
 * React to a stale-cookie error by sending a fresh INIT that carries a
 * cookie-preservative parameter and dropping back to COOKIE_WAIT.
 *
 * If one more attempt would exceed asoc->max_init_attempts the
 * association is failed instead: ETIMEDOUT is set on the socket and
 * SCTP_DISPOSITION_DELETE_TCB is returned.  Otherwise returns
 * SCTP_DISPOSITION_CONSUME, or SCTP_DISPOSITION_NOMEM when the INIT
 * cannot be allocated.
 */
static enum sctp_disposition sctp_sf_do_5_2_6_stale(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	int tries = asoc->init_err_counter + 1;
	struct sctp_chunk *chunk = arg, *init;
	struct sctp_cookie_preserve_param preserve;
	struct sctp_bind_addr *bind_addr;
	struct sctp_errhdr *cause;
	u32 staleness;

	/* Give up once the INIT retry budget is used up. */
	if (tries > asoc->max_init_attempts) {
		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ETIMEDOUT));
		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
				SCTP_PERR(SCTP_ERROR_STALE_COOKIE));
		return SCTP_DISPOSITION_DELETE_TCB;
	}

	cause = (struct sctp_errhdr *)(chunk->skb->data);

	/* The 32-bit big-endian value directly after the error header is
	 * doubled and divided by 1000 to form the lifespan increment.
	 *
	 * NOTE(review): the value is read from the header at skb->data and
	 * nothing in this function checks that the cause is long enough to
	 * contain it - confirm the caller guarantees that.
	 */
	staleness = ntohl(*(__be32 *)((u8 *)cause + sizeof(*cause)));
	staleness = (staleness * 2) / 1000;

	preserve.param_hdr.type = SCTP_PARAM_COOKIE_PRESERVATIVE;
	preserve.param_hdr.length = htons(sizeof(preserve));
	preserve.lifespan_increment = htonl(staleness);

	/* Build the INIT with room for the extra parameter. */
	bind_addr = (struct sctp_bind_addr *) &asoc->base.bind_addr;
	init = sctp_make_init(asoc, bind_addr, GFP_ATOMIC, sizeof(preserve));
	if (!init)
		return SCTP_DISPOSITION_NOMEM;

	sctp_addto_chunk(init, sizeof(preserve), &preserve);

	sctp_add_cmd_sf(commands, SCTP_CMD_CLEAR_INIT_TAG, SCTP_NULL());

	/* Stop retransmission and heartbeat timers. */
	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());

	/* Keep only the primary transport. */
	sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());

	sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
			SCTP_TRANSPORT(asoc->peer.primary_path));

	/* Count this attempt against the INIT retry budget. */
	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_INC, SCTP_NULL());

	/* Swap the T1-cookie timer for T1-init and return to COOKIE_WAIT. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(init));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * ABORT handler.  The chunk in @arg must pass
 * sctp_vtag_verify_either() and be at least
 * sizeof(struct sctp_abort_chunk) long, otherwise the packet is
 * discarded.  A chunk whose destination address is in state
 * SCTP_ADDR_DEL in the association's bind list is discarded on its
 * own.  Anything else is passed to __sctp_sf_do_9_1_abort().
 *
 * Returns the disposition of the helper that handled the chunk.
 */
enum sctp_disposition sctp_sf_do_9_1_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *abort_chunk = arg;

	/* Tag first, then length; both failures drop the whole packet. */
	if (!sctp_vtag_verify_either(abort_chunk, asoc) ||
	    !sctp_chunk_length_valid(abort_chunk,
				     sizeof(struct sctp_abort_chunk)))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Ignore an ABORT sent to an address that is being deleted. */
	if (sctp_bind_addr_state(&asoc->base.bind_addr,
				 &abort_chunk->dest) == SCTP_ADDR_DEL)
		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
					     commands);

	return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
}
/*
 * Common tail of the ABORT handlers: fail the association with
 * ECONNRESET on the socket and report the peer's first error cause
 * (or SCTP_ERROR_NO_ERROR when the chunk carries none).
 *
 * When the chunk is long enough to hold an error header, the causes
 * are walked first; if the walk does not stop exactly at chunk_end
 * the packet is discarded instead.
 *
 * Returns SCTP_DISPOSITION_ABORT, or the result of sctp_sf_pdiscard()
 * for a malformed cause list.
 */
static enum sctp_disposition __sctp_sf_do_9_1_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	__be16 peer_cause = SCTP_ERROR_NO_ERROR;
	struct sctp_chunk *chunk = arg;
	unsigned int chunk_len = ntohs(chunk->chunk_hdr->length);

	if (chunk_len >= sizeof(struct sctp_chunkhdr) +
			 sizeof(struct sctp_errhdr)) {
		struct sctp_errhdr *walk;

		/* Empty-bodied walk: only the final position matters. */
		sctp_walk_errors(walk, chunk->chunk_hdr);
		if ((void *)walk != (void *)chunk->chunk_end)
			return sctp_sf_pdiscard(net, ep, asoc, type, arg,
						commands);

		peer_cause = ((struct sctp_errhdr *)chunk->skb->data)->cause;
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));

	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_PERR(peer_cause));
	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);

	return SCTP_DISPOSITION_ABORT;
}
/*
 * ABORT handler used while the T1-init timer is running: after the tag
 * and minimum-length checks, the first error cause (if the chunk is
 * long enough to hold one) is passed to sctp_stop_t1_and_abort()
 * together with ECONNREFUSED as the socket error.
 *
 * Returns the result of sctp_stop_t1_and_abort(), or of
 * sctp_sf_pdiscard() when a check fails.
 */
enum sctp_disposition sctp_sf_cookie_wait_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	__be16 peer_cause = SCTP_ERROR_NO_ERROR;
	struct sctp_chunk *chunk = arg;
	unsigned int chunk_len;

	/* Tag first, then length; both failures drop the whole packet. */
	if (!sctp_vtag_verify_either(chunk, asoc) ||
	    !sctp_chunk_length_valid(chunk, sizeof(struct sctp_abort_chunk)))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Read a cause only when the chunk has room for an error header. */
	chunk_len = ntohs(chunk->chunk_hdr->length);
	if (chunk_len >= sizeof(struct sctp_chunkhdr) +
			 sizeof(struct sctp_errhdr))
		peer_cause = ((struct sctp_errhdr *)chunk->skb->data)->cause;

	return sctp_stop_t1_and_abort(net, commands, peer_cause, ECONNREFUSED,
				      asoc, chunk->transport);
}
/*
 * Abort triggered without an ABORT chunk: @arg is cast to a
 * struct sctp_transport pointer and passed to sctp_stop_t1_and_abort()
 * with SCTP_ERROR_NO_ERROR as the cause and ENOPROTOOPT as the socket
 * error.
 */
enum sctp_disposition sctp_sf_cookie_wait_icmp_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_transport *transport = arg;

	return sctp_stop_t1_and_abort(net, commands, SCTP_ERROR_NO_ERROR,
				      ENOPROTOOPT, asoc, transport);
}
/*
 * ABORT handler that delegates to sctp_sf_cookie_wait_abort() with
 * unchanged arguments and returns its disposition.
 */
enum sctp_disposition sctp_sf_cookie_echoed_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* All checks are performed by the callee. */
	return sctp_sf_cookie_wait_abort(net, ep, asoc, type, arg, commands);
}
/*
 * Queue the commands that abandon association setup: move to CLOSED,
 * stop the T1-init timer, set @sk_err on the socket and report
 * INIT_FAILED with @error as the peer's cause.  The aborted counter is
 * incremented.  @asoc and @transport are not used in this body.
 *
 * Always returns SCTP_DISPOSITION_ABORT.
 */
static enum sctp_disposition sctp_stop_t1_and_abort(
					struct net *net,
					struct sctp_cmd_seq *commands,
					__be16 error, int sk_err,
					const struct sctp_association *asoc,
					struct sctp_transport *transport)
{
	pr_debug("%s: ABORT received (INIT)\n", __func__);

	/* State change and accounting. */
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_CLOSED));
	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);

	/* Stop T1-init and surface the failure to the socket owner. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, SCTP_PERR(error));

	return SCTP_DISPOSITION_ABORT;
}
/*
 * Handle a SHUTDOWN chunk.  After the tag and length checks the
 * cumulative TSN ack is range-checked against the association: a value
 * behind ctsn_ack_point discards the chunk, a value at or beyond
 * next_tsn is a protocol violation.  An accepted chunk raises a
 * shutdown event to the upper layer, moves the association to
 * SHUTDOWN_RECEIVED, sends a SHUTDOWN ACK right away when the out queue
 * is empty, and queues processing of the cumulative TSN.
 *
 * Returns SCTP_DISPOSITION_CONSUME (or the SHUTDOWN ACK helper's
 * result), SCTP_DISPOSITION_DISCARD for an old cumulative TSN,
 * SCTP_DISPOSITION_NOMEM on allocation failure, or the result of the
 * discard/violation helper that rejected the chunk.
 */
enum sctp_disposition sctp_sf_do_9_2_shutdown(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	enum sctp_disposition rc;
	struct sctp_chunk *chunk = arg;
	struct sctp_shutdownhdr *shut_hdr;
	struct sctp_ulpevent *shut_ev;
	__u32 cum_tsn;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Record the SHUTDOWN header and step past it. */
	shut_hdr = (struct sctp_shutdownhdr *)chunk->skb->data;
	skb_pull(chunk->skb, sizeof(*shut_hdr));
	chunk->subh.shutdown_hdr = shut_hdr;
	cum_tsn = ntohl(shut_hdr->cum_tsn_ack);

	/* Cumulative TSN behind what was already acked: stale chunk. */
	if (TSN_lt(cum_tsn, asoc->ctsn_ack_point)) {
		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, cum_tsn,
			 asoc->ctsn_ack_point);

		return SCTP_DISPOSITION_DISCARD;
	}

	/* Cumulative TSN not below next_tsn acks data never sent. */
	if (!TSN_lt(cum_tsn, asoc->next_tsn))
		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg,
					      commands);

	shut_ev = sctp_ulpevent_make_shutdown_event(asoc, 0, GFP_ATOMIC);
	if (!shut_ev)
		return SCTP_DISPOSITION_NOMEM;
	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(shut_ev));

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_SHUTDOWN_RECEIVED));
	rc = SCTP_DISPOSITION_CONSUME;

	/* Nothing left to send: answer with a SHUTDOWN ACK immediately. */
	if (sctp_outq_is_empty(&asoc->outqueue))
		rc = sctp_sf_do_9_2_shutdown_ack(net, ep, asoc, type, arg,
						 commands);

	if (rc == SCTP_DISPOSITION_NOMEM)
		return rc;

	/* The value is passed on in network byte order. */
	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
			SCTP_BE32(chunk->subh.shutdown_hdr->cum_tsn_ack));

	return rc;
}
/*
 * Handle a SHUTDOWN chunk by only processing its cumulative TSN ack.
 * The tag, length and TSN range checks match
 * sctp_sf_do_9_2_shutdown(); no state change or event is queued and
 * the skb is not advanced past the header.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success,
 * SCTP_DISPOSITION_DISCARD for a cumulative TSN behind
 * ctsn_ack_point, or the result of the discard/violation helper that
 * rejected the chunk.
 */
enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_shutdownhdr *shut_hdr;
	__u32 cum_tsn;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_shutdown_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	shut_hdr = (struct sctp_shutdownhdr *)chunk->skb->data;
	cum_tsn = ntohl(shut_hdr->cum_tsn_ack);

	/* Cumulative TSN behind what was already acked: stale chunk. */
	if (TSN_lt(cum_tsn, asoc->ctsn_ack_point)) {
		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, cum_tsn,
			 asoc->ctsn_ack_point);

		return SCTP_DISPOSITION_DISCARD;
	}

	/* Cumulative TSN not below next_tsn acks data never sent. */
	if (!TSN_lt(cum_tsn, asoc->next_tsn))
		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg,
					      commands);

	/* The value is passed on in network byte order. */
	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_CTSN,
			SCTP_BE32(shut_hdr->cum_tsn_ack));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Resend a SHUTDOWN ACK in response to the chunk in @arg and restart
 * the T2-shutdown timer.
 *
 * NOTE(review): only the chunk-header length is checked here; there is
 * no verification-tag check in this function - confirm every caller
 * has already authenticated the chunk.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success,
 * SCTP_DISPOSITION_NOMEM when the reply cannot be allocated, or the
 * result of sctp_sf_violation_chunklen() for a short chunk.
 */
enum sctp_disposition sctp_sf_do_9_2_reshutack(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *shut_ack;

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	shut_ack = sctp_make_shutdown_ack(asoc, chunk);
	if (!shut_ack)
		return SCTP_DISPOSITION_NOMEM;

	/* Register the reply for T2, then restart the timer itself. */
	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(shut_ack));
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(shut_ack));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle a CWR chunk: after the tag and length checks, the lowest TSN
 * from the chunk is compared with asoc->last_ecne_tsn and, when it is
 * not older, SCTP_CMD_ECN_CWR is queued with that TSN.
 *
 * NOTE(review): the length check uses sizeof(struct sctp_ecne_chunk)
 * although the body is parsed as struct sctp_cwrhdr - presumably the
 * two layouts have the same size; confirm.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or the result of the
 * discard/violation helper that rejected the chunk.
 */
enum sctp_disposition sctp_sf_do_ecn_cwr(struct net *net,
					 const struct sctp_endpoint *ep,
					 const struct sctp_association *asoc,
					 const union sctp_subtype type,
					 void *arg,
					 struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_cwrhdr *cwr_hdr;
	u32 cwr_tsn;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Take the header pointer, then step the skb past it. */
	cwr_hdr = (struct sctp_cwrhdr *)chunk->skb->data;
	skb_pull(chunk->skb, sizeof(*cwr_hdr));

	cwr_tsn = ntohl(cwr_hdr->lowest_tsn);

	/* Act only on a CWR at or after the last ECNE's TSN. */
	if (TSN_lte(asoc->last_ecne_tsn, cwr_tsn))
		sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CWR,
				SCTP_U32(cwr_tsn));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle an ECNE chunk: after the tag and length checks,
 * SCTP_CMD_ECN_ECNE is queued with the chunk's lowest TSN converted to
 * host byte order.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or the result of the
 * discard/violation helper that rejected the chunk.
 */
enum sctp_disposition sctp_sf_do_ecne(struct net *net,
				      const struct sctp_endpoint *ep,
				      const struct sctp_association *asoc,
				      const union sctp_subtype type,
				      void *arg, struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_ecnehdr *ecne_hdr;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_ecne_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Take the header pointer, then step the skb past it. */
	ecne_hdr = (struct sctp_ecnehdr *)chunk->skb->data;
	skb_pull(chunk->skb, sizeof(*ecne_hdr));

	sctp_add_cmd_sf(commands, SCTP_CMD_ECN_ECNE,
			SCTP_U32(ntohl(ecne_hdr->lowest_tsn)));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle a DATA chunk.  A bad verification tag is reported
 * (SCTP_CMD_REPORT_BAD_TAG) and the packet discarded; a chunk shorter
 * than sctp_datachk_len() for the association's stream is a length
 * violation.  The chunk is then passed to sctp_eat_data() and its
 * result decides whether the chunk is consumed, discarded or treated
 * as a violation.  A SACK is generated only when the chunk is the last
 * one in its packet.
 *
 * Returns SCTP_DISPOSITION_CONSUME, SCTP_DISPOSITION_DISCARD,
 * SCTP_DISPOSITION_ABORT (for SCTP_IERROR_NO_DATA), or the result of
 * the discard/violation helper that rejected the chunk.
 */
enum sctp_disposition sctp_sf_eat_data_6_2(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	union sctp_arg sack_force = SCTP_NOFORCE();
	struct sctp_chunk *chunk = arg;
	int rc;

	if (!sctp_vtag_verify(chunk, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	rc = sctp_eat_data(asoc, chunk, commands);
	switch (rc) {
	case SCTP_IERROR_NO_ERROR:
		break;
	case SCTP_IERROR_HIGH_TSN:
	case SCTP_IERROR_BAD_STREAM:
		/* Dropped, with the SACK left unforced. */
		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
		goto discard_noforce;
	case SCTP_IERROR_DUP_TSN:
	case SCTP_IERROR_IGNORE_TSN:
		/* Dropped, with an immediate SACK. */
		SCTP_INC_STATS(net, SCTP_MIB_IN_DATA_CHUNK_DISCARDS);
		goto discard_force;
	case SCTP_IERROR_NO_DATA:
		return SCTP_DISPOSITION_ABORT;
	case SCTP_IERROR_PROTO_VIOLATION:
		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
					       (u8 *)chunk->subh.data_hdr,
					       sctp_datahdr_len(&asoc->stream));
	default:
		/* Any other value from sctp_eat_data() is a kernel bug. */
		BUG();
	}

	/* The sender asked for an immediate SACK. */
	if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
		sack_force = SCTP_FORCE();

	/* Incoming data restarts a configured autoclose timer. */
	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));

	/* One SACK decision per packet, made on its last chunk. */
	if (chunk->end_of_packet)
		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, sack_force);

	return SCTP_DISPOSITION_CONSUME;

discard_force:
	if (chunk->end_of_packet)
		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
	return SCTP_DISPOSITION_DISCARD;

discard_noforce:
	/* sack_force still holds SCTP_NOFORCE() on this path. */
	if (chunk->end_of_packet)
		sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, sack_force);

	return SCTP_DISPOSITION_DISCARD;
}
/*
 * Handle a DATA chunk on the "fast" path used while a SHUTDOWN is pending
 * from this side.
 *
 * After the tag and length checks the chunk is passed to sctp_eat_data().
 * Every result other than NO_DATA and PROTO_VIOLATION is treated the same:
 * on the last chunk of the packet a SHUTDOWN and a forced SACK are generated
 * and the T2 shutdown timer is restarted.
 *
 * Returns SCTP_DISPOSITION_CONSUME, SCTP_DISPOSITION_ABORT for
 * SCTP_IERROR_NO_DATA, or the result of the violation helpers.
 */
enum sctp_disposition sctp_sf_eat_data_fast_4_4(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	int ierr;

	/* Wrong verification tag: report it and drop the whole packet. */
	if (!sctp_vtag_verify(chunk, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	if (!sctp_chunk_length_valid(chunk, sctp_datachk_len(&asoc->stream)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	ierr = sctp_eat_data(asoc, chunk, commands);
	switch (ierr) {
	case SCTP_IERROR_NO_DATA:
		return SCTP_DISPOSITION_ABORT;
	case SCTP_IERROR_PROTO_VIOLATION:
		return sctp_sf_abort_violation(net, ep, asoc, chunk, commands,
					       (u8 *)chunk->subh.data_hdr,
					       sctp_datahdr_len(&asoc->stream));
	case SCTP_IERROR_NO_ERROR:
	case SCTP_IERROR_HIGH_TSN:
	case SCTP_IERROR_DUP_TSN:
	case SCTP_IERROR_IGNORE_TSN:
	case SCTP_IERROR_BAD_STREAM:
		/* Accepted and dropped chunks are answered alike below. */
		break;
	default:
		/* sctp_eat_data() returned a code this handler does not know. */
		BUG();
	}

	/* Nothing is sent until the last chunk of the packet is reached. */
	if (!chunk->end_of_packet)
		return SCTP_DISPOSITION_CONSUME;

	/* Answer with SHUTDOWN plus a forced SACK and keep T2 running. */
	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle a received SACK chunk.
 *
 * The SACK is accepted only if the verification tag matches, the chunk is
 * at least a full SACK header long, sctp_sm_pull_sack() can extract it, and
 * its cumulative TSN ack lies in the window
 * [asoc->ctsn_ack_point, asoc->next_tsn).
 *
 * Returns SCTP_DISPOSITION_CONSUME when the SACK is queued for processing
 * (or the packet is dropped), SCTP_DISPOSITION_DISCARD for an old SACK, or
 * the result of the violation helpers.
 */
enum sctp_disposition sctp_sf_eat_sack_6_2(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_sackhdr *sack;
	__u32 cum_ack;

	trace_sctp_probe(ep, asoc, chunk);

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* The fixed SACK header must be present before it is parsed. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_sack_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* A NULL result means the SACK could not be pulled from the skb;
	 * the packet is dropped in that case.
	 */
	sack = sctp_sm_pull_sack(chunk);
	if (!sack)
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	chunk->subh.sack_hdr = sack;
	cum_ack = ntohl(sack->cum_tsn_ack);

	/* Cumulative ack older than what is already acknowledged: this SACK
	 * carries nothing new, so it is dropped silently.
	 */
	if (TSN_lt(cum_ack, asoc->ctsn_ack_point)) {
		pr_debug("%s: ctsn:%x, ctsn_ack_point:%x\n", __func__, cum_ack,
			 asoc->ctsn_ack_point);

		return SCTP_DISPOSITION_DISCARD;
	}

	/* Cumulative ack at or beyond next_tsn acknowledges data that was
	 * never sent; treat it as a protocol violation.
	 */
	if (!TSN_lt(cum_ack, asoc->next_tsn))
		return sctp_sf_violation_ctsn(net, ep, asoc, type, arg, commands);

	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, SCTP_CHUNK(chunk));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Answer an out-of-the-blue packet with an ABORT.
 *
 * Builds a reply packet with sctp_ootb_pkt_new(), appends an ABORT chunk,
 * queues it for transmission and discards the incoming packet.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or SCTP_DISPOSITION_NOMEM if the packet
 * or the ABORT chunk cannot be allocated.
 */
static enum sctp_disposition sctp_sf_tabort_8_4_8(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *abort_chk;
	struct sctp_packet *reply_pkt;

	reply_pkt = sctp_ootb_pkt_new(net, asoc, chunk);
	if (!reply_pkt)
		return SCTP_DISPOSITION_NOMEM;

	abort_chk = sctp_make_abort(asoc, chunk, 0);
	if (!abort_chk) {
		/* The reply packet is not queued yet, so release it here. */
		sctp_ootb_pkt_free(reply_pkt);
		return SCTP_DISPOSITION_NOMEM;
	}

	/* With the T bit set the reply reflects the tag of the packet that
	 * triggered it.
	 */
	if (sctp_test_T_bit(abort_chk))
		reply_pkt->vtag = ntohl(chunk->sctp_hdr->vtag);

	/* Attach the chunk's skb to the endpoint's socket. */
	abort_chk->skb->sk = ep->base.sk;

	sctp_packet_append_chunk(reply_pkt, abort_chk);

	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
			SCTP_PACKET(reply_pkt));

	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

	/* Drop the rest of the incoming packet; the helper's return value
	 * is not used.
	 */
	sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle a received ERROR chunk.
 *
 * After the tag and length checks, the error causes are walked to make sure
 * they exactly fill the chunk; only then is the chunk queued for
 * SCTP_CMD_PROCESS_OPERR.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or the result of the violation helpers.
 */
enum sctp_disposition sctp_sf_operr_notify(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_errhdr *cause;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_operr_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Empty loop body on purpose: the walk only advances 'cause'. */
	sctp_walk_errors(cause, chunk->chunk_hdr);

	/* If the walk did not stop exactly at the end of the chunk, a cause
	 * length is inconsistent with the chunk length.
	 */
	if ((void *)cause != (void *)chunk->chunk_end)
		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
						  (void *)cause, commands);

	sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
			SCTP_CHUNK(chunk));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Finish the shutdown: notify the upper layer, stop the shutdown timers,
 * reply with SHUTDOWN COMPLETE and delete the association.
 *
 * Both allocations are made before any command is queued, so a failure
 * leaves the command sequence untouched.
 *
 * Returns SCTP_DISPOSITION_DELETE_TCB on success, SCTP_DISPOSITION_NOMEM on
 * allocation failure, or the result of the discard/violation helpers.
 */
enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_ulpevent *event;
	struct sctp_chunk *complete;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Only the bare chunk header is required of the incoming chunk. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	event = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,
						0, 0, 0, NULL, GFP_ATOMIC);
	if (!event)
		return SCTP_DISPOSITION_NOMEM;

	complete = sctp_make_shutdown_complete(asoc, chunk);
	if (!complete) {
		/* The event was never queued, so it must be freed here. */
		sctp_ulpevent_free(event);
		return SCTP_DISPOSITION_NOMEM;
	}

	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));

	/* Neither shutdown timer is needed once the handshake is complete. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_CLOSED));
	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(complete));

	/* The association is deleted last, after the reply is queued. */
	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
	return SCTP_DISPOSITION_DELETE_TCB;
}
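/*
 * Decide how to answer an out-of-the-blue packet.
 *
 * Every chunk bundled in the packet is inspected:
 *   - a chunk whose length is shorter than a chunk header, or that runs past
 *     the end of the skb, is a length violation;
 *   - an ABORT anywhere in the packet causes the packet to be dropped;
 *   - a SHUTDOWN ACK selects the SHUTDOWN COMPLETE reply;
 *   - a COOKIE ACK, or an ERROR carrying a stale-cookie cause, causes the
 *     packet to be dropped without a reply;
 *   - anything else is answered with an ABORT.
 *
 * All lengths in the packet come from the network and are untrusted, so no
 * chunk header is read unless a complete header is known to lie inside the
 * skb data.
 *
 * Returns the disposition of whichever helper handles the packet.
 */
enum sctp_disposition sctp_sf_ootb(struct net *net,
				   const struct sctp_endpoint *ep,
				   const struct sctp_association *asoc,
				   const union sctp_subtype type,
				   void *arg, struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sk_buff *skb = chunk->skb;
	struct sctp_chunkhdr *ch;
	struct sctp_errhdr *err;
	int ootb_cookie_ack = 0;
	int ootb_shut_ack = 0;
	__u8 *ch_end;

	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);

	/* presumably the first chunk header was already bounds-checked when
	 * the chunk was taken off the input queue - TODO confirm
	 */
	ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
	do {
		/* A chunk can never be shorter than its own header. */
		if (ntohs(ch->length) < sizeof(*ch))
			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

		/* The padded chunk must end inside the received data. */
		ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
		if (ch_end > skb_tail_pointer(skb))
			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

		/* Remember that a SHUTDOWN ACK was seen; it picks the reply. */
		if (SCTP_CID_SHUTDOWN_ACK == ch->type)
			ootb_shut_ack = 1;

		/* A packet containing an ABORT is never answered. */
		if (SCTP_CID_ABORT == ch->type)
			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

		/* COOKIE ACK and stale-cookie ERRORs are dropped silently. */
		if (SCTP_CID_COOKIE_ACK == ch->type)
			ootb_cookie_ack = 1;

		if (SCTP_CID_ERROR == ch->type) {
			sctp_walk_errors(err, ch) {
				if (SCTP_ERROR_STALE_COOKIE == err->cause) {
					ootb_cookie_ack = 1;
					break;
				}
			}
		}

		ch = (struct sctp_chunkhdr *)ch_end;
		/* Continue only while a whole chunk header still fits in the
		 * skb.  Testing merely "ch_end < tail" would let the next
		 * iteration read ch->length from a 1-3 byte tail, i.e. past
		 * the received data.  ch_end <= tail holds here, so the
		 * subtraction cannot go negative.
		 */
	} while ((size_t)(skb_tail_pointer(skb) - ch_end) >= sizeof(*ch));

	if (ootb_shut_ack)
		return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
	else if (ootb_cookie_ack)
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	else
		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
}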
/*
 * Answer an out-of-the-blue SHUTDOWN ACK with a SHUTDOWN COMPLETE.
 *
 * Builds a reply packet, appends the SHUTDOWN COMPLETE chunk, queues it for
 * transmission and then discards the incoming packet.
 *
 * Returns the result of sctp_sf_pdiscard(), or SCTP_DISPOSITION_NOMEM if
 * the packet or chunk cannot be allocated.
 */
static enum sctp_disposition sctp_sf_shut_8_4_5(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *complete;
	struct sctp_packet *reply_pkt;

	reply_pkt = sctp_ootb_pkt_new(net, asoc, chunk);
	if (!reply_pkt)
		return SCTP_DISPOSITION_NOMEM;

	complete = sctp_make_shutdown_complete(asoc, chunk);
	if (!complete) {
		/* The reply packet is not queued yet, so release it here. */
		sctp_ootb_pkt_free(reply_pkt);
		return SCTP_DISPOSITION_NOMEM;
	}

	/* With the T bit set the reply reflects the tag of the packet that
	 * triggered it.
	 */
	if (sctp_test_T_bit(complete))
		reply_pkt->vtag = ntohl(chunk->sctp_hdr->vtag);

	/* Attach the chunk's skb to the endpoint's socket. */
	complete->skb->sk = ep->base.sk;

	sctp_packet_append_chunk(reply_pkt, complete);

	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
			SCTP_PACKET(reply_pkt));

	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

	/* Both outcomes of the length check drop the rest of the packet, so
	 * chunks bundled after this one are never processed.  Note that the
	 * check runs after the reply has already been queued.
	 */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
}
/*
 * Handle a SHUTDOWN ACK that is treated as out of the blue even though an
 * association was looked up: after a length check it is answered through
 * sctp_sf_shut_8_4_5() with a NULL association.
 *
 * NOTE(review): unlike most handlers in this file, no verification-tag
 * check precedes the length-violation path, which is still handed the real
 * association - confirm that this is intended.
 */
enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
					    const struct sctp_endpoint *ep,
					    const struct sctp_association *asoc,
					    const union sctp_subtype type,
					    void *arg,
					    struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *shut_ack = arg;

	/* Only the bare chunk header is required. */
	if (!sctp_chunk_length_valid(shut_ack, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Counted as out of the blue; the reply is built without reference
	 * to the association (NULL is passed on deliberately).
	 */
	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);

	return sctp_sf_shut_8_4_5(net, ep, NULL, type, arg, commands);
}
/*
 * Handle a received ASCONF chunk.
 *
 * Checks, in order: verification tag, authentication (unless the
 * addip_noauth setting waives it), minimum chunk length, and parameter
 * layout via sctp_verify_asconf().  The serial number then decides whether
 * the request is processed, answered from the ASCONF-ACK cache, or dropped.
 *
 * Returns SCTP_DISPOSITION_CONSUME when an ASCONF-ACK is queued,
 * SCTP_DISPOSITION_DISCARD when the chunk is dropped,
 * SCTP_DISPOSITION_NOMEM if no ACK could be built, or the result of the
 * discard/violation helpers.
 */
enum sctp_disposition sctp_sf_do_asconf(struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* The handler receives a const association but has to update it. */
	struct sctp_association *asoc_rw = (struct sctp_association *)asoc;
	struct sctp_paramhdr *bad_param = NULL;
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *ack = NULL;
	struct sctp_addiphdr *hdr;
	__u32 expected;
	__u32 serial;

	if (!sctp_vtag_verify(chunk, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	/* An ASCONF that did not arrive authenticated is dropped unless the
	 * addip_noauth setting explicitly allows unauthenticated requests.
	 * Address reconfiguration changes where traffic is sent, so this
	 * gate must stay ahead of any parsing.
	 */
	if (!net->sctp.addip_noauth && !chunk->auth)
		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
					     commands);

	/* The fixed ADDIP header must be present before it is read. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	hdr = (struct sctp_addiphdr *)chunk->skb->data;
	serial = ntohl(hdr->serial);

	/* Parameter lengths are validated before anything acts on them. */
	if (!sctp_verify_asconf(asoc, chunk, true, &bad_param))
		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
						  (void *)bad_param, commands);

	expected = asoc->peer.addip_serial + 1;

	/* A serial number ahead of the expected one is dropped. */
	if (serial > expected)
		return SCTP_DISPOSITION_DISCARD;

	if (serial == expected) {
		/* First ASCONF in this packet: old cached ACKs are no longer
		 * needed.
		 */
		if (!chunk->has_asconf)
			sctp_assoc_clean_asconf_ack_cache(asoc);

		/* New request: process it and build the ACK. */
		ack = sctp_process_asconf(asoc_rw, chunk);
		if (!ack)
			return SCTP_DISPOSITION_NOMEM;
	} else {
		/* Already-seen serial: resend the cached ACK if there still
		 * is one, otherwise drop the chunk.
		 */
		ack = sctp_assoc_lookup_asconf_ack(asoc, hdr->serial);
		if (!ack)
			return SCTP_DISPOSITION_DISCARD;

		/* Clear the transport recorded on the cached ACK before it
		 * is sent again.
		 */
		ack->transport = NULL;
	}

	/* The ACK goes back to the address the ASCONF came from. */
	ack->dest = chunk->source;
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(ack));

	/* A transport added by this request gets a heartbeat, once. */
	if (asoc->new_transport) {
		sctp_sf_heartbeat(ep, asoc, type, asoc->new_transport, commands);
		asoc_rw->new_transport = NULL;
	}

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle a received ASCONF-ACK chunk.
 *
 * The same tag, authentication, length and parameter checks as for ASCONF
 * are applied.  The received serial number is then compared with the serial
 * of the outstanding ASCONF (or addip_serial - 1 when none is outstanding):
 *   - an ACK for a request that was never sent aborts the association;
 *   - an ACK for the outstanding request is processed; if processing fails
 *     the association is aborted with a resource-shortage cause;
 *   - anything else is dropped.
 *
 * Returns SCTP_DISPOSITION_CONSUME, SCTP_DISPOSITION_ABORT,
 * SCTP_DISPOSITION_DISCARD, or the result of the discard/violation helpers.
 */
enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
					    const struct sctp_endpoint *ep,
					    const struct sctp_association *asoc,
					    const union sctp_subtype type,
					    void *arg,
					    struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *last_asconf = asoc->addip_last_asconf;
	struct sctp_paramhdr *bad_param = NULL;
	struct sctp_chunk *asconf_ack = arg;
	struct sctp_addiphdr *addip_hdr;
	struct sctp_chunk *abort_chk;
	__u32 sent_serial;
	__u32 rcvd_serial;

	if (!sctp_vtag_verify(asconf_ack, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	/* An ASCONF-ACK that did not arrive authenticated is dropped unless
	 * the addip_noauth setting explicitly allows it.
	 */
	if (!net->sctp.addip_noauth && !asconf_ack->auth)
		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
					     commands);

	/* The fixed ADDIP header must be present before it is read. */
	if (!sctp_chunk_length_valid(asconf_ack,
				     sizeof(struct sctp_addip_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
	rcvd_serial = ntohl(addip_hdr->serial);

	/* Parameter lengths are validated before anything acts on them. */
	if (!sctp_verify_asconf(asoc, asconf_ack, false, &bad_param))
		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
						  (void *)bad_param, commands);

	/* Serial of the request the peer is expected to acknowledge. */
	if (last_asconf) {
		addip_hdr = (struct sctp_addiphdr *)last_asconf->subh.addip_hdr;
		sent_serial = ntohl(addip_hdr->serial);
	} else {
		sent_serial = asoc->addip_serial - 1;
	}

	/* The peer acknowledges a serial at or beyond the next one to be
	 * sent while nothing is outstanding: abort the association.
	 */
	if (ADDIP_SERIAL_gte(rcvd_serial, sent_serial + 1) &&
	    !(asoc->addip_last_asconf)) {
		abort_chk = sctp_make_abort(asoc, asconf_ack,
					    sizeof(struct sctp_errhdr));
		if (abort_chk) {
			sctp_init_cause(abort_chk, SCTP_ERROR_ASCONF_ACK, 0);
			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
					SCTP_CHUNK(abort_chk));
		}

		/* The association fails even if no ABORT could be built. */
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
		goto assoc_failed;
	}

	/* Not the ACK for the outstanding request: drop it. */
	if (rcvd_serial != sent_serial || !asoc->addip_last_asconf)
		return SCTP_DISPOSITION_DISCARD;

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));

	/* A zero return means the ACK was processed; the next queued ASCONF
	 * may go out.
	 */
	if (!sctp_process_asconf_ack((struct sctp_association *)asoc,
				     asconf_ack)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF,
				SCTP_NULL());
		return SCTP_DISPOSITION_CONSUME;
	}

	abort_chk = sctp_make_abort(asoc, asconf_ack,
				    sizeof(struct sctp_errhdr));
	if (abort_chk) {
		sctp_init_cause(abort_chk, SCTP_ERROR_RSRC_LOW, 0);
		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
				SCTP_CHUNK(abort_chk));
	}

assoc_failed:
	/* Common tail of both abort paths: the association fails whether or
	 * not an ABORT chunk could be queued above.
	 */
	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
			SCTP_ERROR(ECONNABORTED));
	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
			SCTP_PERR(SCTP_ERROR_ASCONF_ACK));
	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
	return SCTP_DISPOSITION_ABORT;
}
/*
 * Handle a received RE-CONFIG chunk.
 *
 * After the tag, length and parameter-layout checks, each parameter is
 * dispatched to the matching stream-reset handler.  A handler may hand back
 * an upper-layer event and/or a reply chunk; both are queued as commands.
 * Parameter types without a handler are skipped.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or the result of the discard/violation
 * helpers.
 */
enum sctp_disposition sctp_sf_do_reconf(struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* The handlers below need a writable association. */
	struct sctp_association *asoc_rw = (struct sctp_association *)asoc;
	struct sctp_paramhdr *bad_param = NULL;
	struct sctp_chunk *chunk = arg;
	struct sctp_reconf_chunk *hdr;
	union sctp_params param;

	if (!sctp_vtag_verify(chunk, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	if (!sctp_chunk_length_valid(chunk, sizeof(*hdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Parameter lengths are validated before the walk below relies on
	 * them.
	 */
	if (!sctp_verify_reconf(asoc, chunk, &bad_param))
		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
						  (void *)bad_param, commands);

	hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
	sctp_walk_params(param, hdr, params) {
		struct sctp_ulpevent *event = NULL;
		struct sctp_chunk *reply = NULL;

		switch (param.p->type) {
		case SCTP_PARAM_RESET_OUT_REQUEST:
			reply = sctp_process_strreset_outreq(asoc_rw, param,
							     &event);
			break;
		case SCTP_PARAM_RESET_IN_REQUEST:
			reply = sctp_process_strreset_inreq(asoc_rw, param,
							    &event);
			break;
		case SCTP_PARAM_RESET_TSN_REQUEST:
			reply = sctp_process_strreset_tsnreq(asoc_rw, param,
							     &event);
			break;
		case SCTP_PARAM_RESET_ADD_OUT_STREAMS:
			reply = sctp_process_strreset_addstrm_out(asoc_rw,
								  param,
								  &event);
			break;
		case SCTP_PARAM_RESET_ADD_IN_STREAMS:
			reply = sctp_process_strreset_addstrm_in(asoc_rw,
								 param,
								 &event);
			break;
		case SCTP_PARAM_RESET_RESPONSE:
			reply = sctp_process_strreset_resp(asoc_rw, param,
							   &event);
			break;
		default:
			/* No handler: nothing is queued for this parameter. */
			break;
		}

		/* The event is queued ahead of the reply. */
		if (event)
			sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
					SCTP_ULPEVENT(event));

		if (reply)
			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
					SCTP_CHUNK(reply));
	}

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle a received FORWARD TSN chunk.
 *
 * The chunk is accepted only from a peer marked prsctp_capable and only
 * after the tag and length checks.  A new cumulative TSN rejected by
 * sctp_tsnmap_check(), or a chunk rejected by the stream interleave
 * validator, is dropped.
 *
 * Returns SCTP_DISPOSITION_CONSUME, SCTP_DISPOSITION_DISCARD, or the result
 * of the discard/unknown-chunk/violation helpers.
 */
enum sctp_disposition sctp_sf_eat_fwd_tsn(struct net *net,
					  const struct sctp_endpoint *ep,
					  const struct sctp_association *asoc,
					  const union sctp_subtype type,
					  void *arg,
					  struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_fwdtsn_hdr *hdr;
	__u16 body_len;
	__u32 new_tsn;

	if (!sctp_vtag_verify(chunk, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	/* A peer not marked PR-SCTP capable has this chunk type handled as
	 * unknown.
	 */
	if (!asoc->peer.prsctp_capable)
		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);

	/* The required length depends on the stream's FORWARD TSN format. */
	if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
	chunk->subh.fwdtsn_hdr = hdr;

	/* Chunk body length; the length check above guarantees the chunk
	 * header size can be subtracted without wrapping.
	 */
	body_len = ntohs(chunk->chunk_hdr->length) -
		   sizeof(struct sctp_chunkhdr);
	skb_pull(chunk->skb, body_len);

	new_tsn = ntohl(hdr->new_cum_tsn);
	pr_debug("%s: TSN 0x%x\n", __func__, new_tsn);

	/* Drop the chunk if the TSN map rejects the new cumulative TSN or
	 * the stream interleave validator rejects the chunk.
	 */
	if (sctp_tsnmap_check(&asoc->peer.tsn_map, new_tsn) < 0 ||
	    !asoc->stream.si->validate_ftsn(chunk))
		return SCTP_DISPOSITION_DISCARD;

	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(new_tsn));

	/* Entries beyond the fixed header exist: process them too. */
	if (body_len > sctp_ftsnhdr_len(&asoc->stream))
		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
				SCTP_CHUNK(chunk));

	/* Restart the autoclose timer when one is configured. */
	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
	}

	/* Request a SACK without forcing it. */
	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_NOFORCE());

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle a FORWARD TSN chunk on the "fast" path used while a SHUTDOWN is
 * pending from this side.
 *
 * Validation matches sctp_sf_eat_fwd_tsn().  Whether or not the new TSN is
 * accepted, the handler always generates a SHUTDOWN and a forced SACK and
 * restarts the T2 shutdown timer.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or the result of the
 * discard/unknown-chunk/violation helpers.
 */
enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_fwdtsn_hdr *hdr;
	__u16 body_len;
	__u32 new_tsn;

	if (!sctp_vtag_verify(chunk, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	/* A peer not marked PR-SCTP capable has this chunk type handled as
	 * unknown.
	 */
	if (!asoc->peer.prsctp_capable)
		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);

	/* The required length depends on the stream's FORWARD TSN format. */
	if (!sctp_chunk_length_valid(chunk, sctp_ftsnchk_len(&asoc->stream)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	hdr = (struct sctp_fwdtsn_hdr *)chunk->skb->data;
	chunk->subh.fwdtsn_hdr = hdr;

	/* Chunk body length; the length check above guarantees the chunk
	 * header size can be subtracted without wrapping.
	 */
	body_len = ntohs(chunk->chunk_hdr->length) -
		   sizeof(struct sctp_chunkhdr);
	skb_pull(chunk->skb, body_len);

	new_tsn = ntohl(hdr->new_cum_tsn);
	pr_debug("%s: TSN 0x%x\n", __func__, new_tsn);

	/* Report the new TSN only when both the TSN map and the stream
	 * interleave validator accept it; the validator is not called when
	 * the map already rejected the TSN.
	 */
	if (sctp_tsnmap_check(&asoc->peer.tsn_map, new_tsn) >= 0 &&
	    asoc->stream.si->validate_ftsn(chunk)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN,
				SCTP_U32(new_tsn));
		if (body_len > sctp_ftsnhdr_len(&asoc->stream))
			sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
					SCTP_CHUNK(chunk));
	}

	/* Always answer with SHUTDOWN plus a forced SACK and keep T2
	 * running.
	 */
	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SHUTDOWN, SCTP_NULL());
	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Verify the HMAC carried in an AUTH chunk.
 *
 * The caller must already have checked that the chunk is at least
 * sizeof(struct sctp_auth_chunk) long; the signature length computed below
 * relies on that.
 *
 * Steps: the HMAC identifier must be acceptable for this association, the
 * shared key identifier must be the active key or resolve to a known key,
 * and the signature length must equal the HMAC's digest length.  The
 * received digest is then copied aside, zeroed in place, recomputed over
 * the skb, and compared with the copy.  On success chunk->auth is set.
 *
 * Returns SCTP_IERROR_NO_ERROR on a match, otherwise
 * SCTP_IERROR_AUTH_BAD_HMAC, SCTP_IERROR_AUTH_BAD_KEYID,
 * SCTP_IERROR_PROTO_VIOLATION, SCTP_IERROR_NOMEM or SCTP_IERROR_BAD_SIG.
 */
static enum sctp_ierror sctp_sf_authenticate(
					const struct sctp_association *asoc,
					struct sctp_chunk *chunk)
{
	struct sctp_authhdr *auth_hdr =
		(struct sctp_authhdr *)chunk->skb->data;
	struct sctp_shared_key *sh_key = NULL;
	__u8 *received;
	__u8 *digest;
	struct sctp_hmac *hmac;
	unsigned int sig_len;
	__u16 key_id;
	int mismatch;

	/* Record the AUTH header and step past it. */
	chunk->subh.auth_hdr = auth_hdr;
	skb_pull(chunk->skb, sizeof(*auth_hdr));

	/* The HMAC algorithm must be one accepted for this association. */
	if (!sctp_auth_asoc_verify_hmac_id(asoc, auth_hdr->hmac_id))
		return SCTP_IERROR_AUTH_BAD_HMAC;

	/* A key other than the active one must be looked up; sh_key stays
	 * NULL when the active key is used.
	 */
	key_id = ntohs(auth_hdr->shkey_id);
	if (key_id != asoc->active_key_id) {
		sh_key = sctp_auth_get_shkey(asoc, key_id);
		if (!sh_key)
			return SCTP_IERROR_AUTH_BAD_KEYID;
	}

	/* The signature must be exactly as long as the chosen HMAC's
	 * digest; this also bounds every use of sig_len below.
	 */
	sig_len = ntohs(chunk->chunk_hdr->length) -
		  sizeof(struct sctp_auth_chunk);
	hmac = sctp_auth_get_hmac(ntohs(auth_hdr->hmac_id));
	if (sig_len != hmac->hmac_len)
		return SCTP_IERROR_PROTO_VIOLATION;

	/* The digest in the chunk has to be zero while the HMAC is
	 * recomputed, so keep a copy of what the peer sent.
	 */
	digest = auth_hdr->hmac;
	skb_pull(chunk->skb, sig_len);

	received = kmemdup(digest, sig_len, GFP_ATOMIC);
	if (!received)
		return SCTP_IERROR_NOMEM;

	memset(digest, 0, sig_len);

	sctp_auth_calculate_hmac(asoc, chunk->skb,
				 (struct sctp_auth_chunk *)chunk->chunk_hdr,
				 sh_key, GFP_ATOMIC);

	/* NOTE(review): memcmp() may stop at the first differing byte, so
	 * the time taken depends on how much of the peer-supplied digest is
	 * correct.  MAC verification should use a constant-time comparison
	 * such as crypto_memneq(); that needs an include this block cannot
	 * add on its own.
	 */
	mismatch = memcmp(received, digest, sig_len);
	kfree(received);
	if (mismatch)
		return SCTP_IERROR_BAD_SIG;

	chunk->auth = 1;

	return SCTP_IERROR_NO_ERROR;
}
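/*
 * Handle a received AUTH chunk.
 *
 * A peer that is not marked auth_capable has the chunk treated as unknown.
 * Otherwise the tag and minimum length are checked and
 * sctp_sf_authenticate() verifies the HMAC.  Its result is mapped as
 * follows:
 *   - unsupported HMAC id: an ERROR chunk is queued (if it can be built)
 *     and the packet is dropped;
 *   - unknown key id or bad signature: the packet is dropped;
 *   - protocol violation: handled as a chunk-length violation;
 *   - out of memory: SCTP_DISPOSITION_NOMEM.
 * When authentication succeeds with a key other than the active one, the
 * upper layer is notified with an SCTP_AUTH_NEW_KEY event.
 *
 * Returns SCTP_DISPOSITION_CONSUME on success, SCTP_DISPOSITION_NOMEM on
 * allocation failure, or the result of the discard/violation helpers.
 */
enum sctp_disposition sctp_sf_eat_auth(struct net *net,
				       const struct sctp_endpoint *ep,
				       const struct sctp_association *asoc,
				       const union sctp_subtype type,
				       void *arg, struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_authhdr *auth_hdr;
	struct sctp_chunk *err_chunk;
	enum sctp_ierror error;

	/* AUTH from a peer that is not auth capable is an unknown chunk. */
	if (!asoc->peer.auth_capable)
		return sctp_sf_unk_chunk(net, ep, asoc, type, arg, commands);

	if (!sctp_vtag_verify(chunk, asoc)) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
				SCTP_NULL());
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	}

	/* sctp_sf_authenticate() relies on this minimum length. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_auth_chunk)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	/* Capture the header first: sctp_sf_authenticate() pulls the skb. */
	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
	error = sctp_sf_authenticate(asoc, chunk);
	switch (error) {
	case SCTP_IERROR_AUTH_BAD_HMAC:
		/* Tell the peer which HMAC id was not supported, then drop
		 * the packet like any other failed authentication.
		 */
		err_chunk = sctp_make_op_error(asoc, chunk,
					       SCTP_ERROR_UNSUP_HMAC,
					       &auth_hdr->hmac_id,
					       sizeof(__u16), 0);
		if (err_chunk) {
			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
					SCTP_CHUNK(err_chunk));
		}
		/* Fall through */
	case SCTP_IERROR_AUTH_BAD_KEYID:
	case SCTP_IERROR_BAD_SIG:
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	case SCTP_IERROR_PROTO_VIOLATION:
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	case SCTP_IERROR_NOMEM:
		return SCTP_DISPOSITION_NOMEM;

	default:			/* authenticated */
		break;
	}

	/* The peer authenticated with a key other than the active one:
	 * notify the upper layer.
	 */
	if (asoc->active_key_id != ntohs(auth_hdr->shkey_id)) {
		struct sctp_ulpevent *ev;

		ev = sctp_ulpevent_make_authkey(asoc, ntohs(auth_hdr->shkey_id),
						SCTP_AUTH_NEW_KEY, GFP_ATOMIC);

		/* This function returns an enum sctp_disposition, so report
		 * the failure with the disposition code used by the other
		 * out-of-memory paths rather than a negative errno, which is
		 * not a valid disposition value.
		 */
		if (!ev)
			return SCTP_DISPOSITION_NOMEM;

		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
				SCTP_ULPEVENT(ev));
	}

	return SCTP_DISPOSITION_CONSUME;
}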
/*
 * Handle a chunk whose type is not recognised.
 *
 * The action bits of the chunk type (type.chunk & SCTP_CID_ACTION_MASK)
 * select one of four behaviours:
 *   DISCARD      - drop the whole packet
 *   DISCARD_ERR  - report the chunk in an ERROR, then drop the packet
 *   SKIP         - ignore this chunk only
 *   SKIP_ERR     - report the chunk in an ERROR and carry on
 *
 * Returns SCTP_DISPOSITION_CONSUME or SCTP_DISPOSITION_DISCARD, or the
 * result of the discard/violation helpers.
 */
enum sctp_disposition sctp_sf_unk_chunk(struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *unk_chunk = arg;
	struct sctp_chunk *report;
	struct sctp_chunkhdr *hdr;
	int action;

	pr_debug("%s: processing unknown chunk id:%d\n", __func__, type.chunk);

	if (!sctp_vtag_verify(unk_chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Nothing is known about the chunk body, so only the bare header
	 * length can be required.
	 */
	if (!sctp_chunk_length_valid(unk_chunk, sizeof(*hdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	action = type.chunk & SCTP_CID_ACTION_MASK;
	switch (action) {
	case SCTP_CID_ACTION_DISCARD:
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
	case SCTP_CID_ACTION_SKIP:
		return SCTP_DISPOSITION_DISCARD;
	case SCTP_CID_ACTION_DISCARD_ERR:
	case SCTP_CID_ACTION_SKIP_ERR:
		/* Both report the chunk; handled below. */
		break;
	default:
		return SCTP_DISPOSITION_DISCARD;
	}

	/* Echo the offending chunk, padded to a 4-byte boundary, back to
	 * the peer.  A failed allocation only means no report is sent.
	 */
	hdr = unk_chunk->chunk_hdr;
	report = sctp_make_op_error(asoc, unk_chunk,
				    SCTP_ERROR_UNKNOWN_CHUNK, hdr,
				    SCTP_PAD4(ntohs(hdr->length)),
				    0);
	if (report) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
				SCTP_CHUNK(report));
	}

	/* DISCARD_ERR additionally drops the rest of the packet; the
	 * helper's return value is not used.
	 */
	if (action == SCTP_CID_ACTION_DISCARD_ERR)
		sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Drop a single chunk and continue with the rest of the packet.
 *
 * The chunk must still carry a complete chunk header; a shorter chunk is
 * handled as a length violation instead of being skipped.
 *
 * Returns SCTP_DISPOSITION_DISCARD, or the result of
 * sctp_sf_violation_chunklen().
 */
enum sctp_disposition sctp_sf_discard_chunk(struct net *net,
					    const struct sctp_endpoint *ep,
					    const struct sctp_association *asoc,
					    const union sctp_subtype type,
					    void *arg,
					    struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *dropped = arg;

	/* Even a chunk that is about to be ignored must have a sane length. */
	if (!sctp_chunk_length_valid(dropped, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	pr_debug("%s: chunk:%d is discarded\n", __func__, type.chunk);

	return SCTP_DISPOSITION_DISCARD;
}
/*
 * Drop the whole packet the current chunk arrived in.
 *
 * Counts the packet in SCTP_MIB_IN_PKT_DISCARDS and queues
 * SCTP_CMD_DISCARD_PACKET.  Only net and commands are used; the remaining
 * parameters exist so the function matches the state-function signature.
 *
 * Always returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_pdiscard(struct net *net,
				       const struct sctp_endpoint *ep,
				       const struct sctp_association *asoc,
				       const union sctp_subtype type,
				       void *arg, struct sctp_cmd_seq *commands)
{
	/* Account for the drop before queuing it. */
	SCTP_INC_STATS(net, SCTP_MIB_IN_PKT_DISCARDS);

	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());

	return SCTP_DISPOSITION_CONSUME;
}
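/*
 * Report a chunk that is not allowed in the current state.
 *
 * Returns SCTP_DISPOSITION_VIOLATION for a well-formed chunk, the result of
 * sctp_sf_violation_chunklen() for a chunk shorter than a chunk header, or
 * the result of sctp_sf_pdiscard() when the packet does not carry the
 * association's verification tag.
 */
enum sctp_disposition sctp_sf_violation(struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *chunk = arg;

	/* Like the other handlers in this file that act on an association,
	 * refuse to do so for a packet that does not carry its verification
	 * tag; otherwise a sender who does not know the tag could reach the
	 * violation handling for this association.  The NULL guard keeps the
	 * behaviour unchanged should the handler be entered without an
	 * association.
	 */
	if (asoc && !sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

	/* Only the bare chunk header is required. */
	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
						  commands);

	return SCTP_DISPOSITION_VIOLATION;
}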
/*
 * Common tail of the protocol-violation handlers: send an ABORT describing
 * the violation and, when an association exists, fail it.
 *
 * If ABORT chunks must be authenticated for this association
 * (sctp_auth_recv_cid() is true), no ABORT is built and the packet is only
 * discarded.  Without an association the ABORT goes out in a stand-alone
 * out-of-the-blue packet.
 *
 * payload/paylen are passed to sctp_make_abort_violation() unchanged.
 *
 * Returns SCTP_DISPOSITION_ABORT, or SCTP_DISPOSITION_NOMEM if the ABORT
 * chunk or the reply packet cannot be allocated.
 */
static enum sctp_disposition sctp_sf_abort_violation(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					void *arg,
					struct sctp_cmd_seq *commands,
					const __u8 *payload,
					const size_t paylen)
{
	struct sctp_chunk *chunk = arg;
	struct sctp_chunk *abort_chk;
	struct sctp_packet *reply_pkt;

	/* An ABORT that would have to be authenticated is not sent at all;
	 * the packet is just dropped.
	 */
	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
		goto discard;

	abort_chk = sctp_make_abort_violation(asoc, chunk, payload, paylen);
	if (!abort_chk)
		return SCTP_DISPOSITION_NOMEM;

	if (!asoc) {
		/* No association: reply in an out-of-the-blue packet. */
		reply_pkt = sctp_ootb_pkt_new(net, asoc, chunk);
		if (!reply_pkt) {
			/* The ABORT was never queued, so free it here. */
			sctp_chunk_free(abort_chk);
			return SCTP_DISPOSITION_NOMEM;
		}

		if (sctp_test_T_bit(abort_chk))
			reply_pkt->vtag = ntohl(chunk->sctp_hdr->vtag);

		abort_chk->skb->sk = ep->base.sk;

		sctp_packet_append_chunk(reply_pkt, abort_chk);

		sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
				SCTP_PACKET(reply_pkt));

		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
	} else {
		/* Violation in an INIT ACK while the peer's init tag is not
		 * yet recorded: take the tag from the chunk if it is long
		 * enough to contain one, otherwise send the ABORT with the
		 * T bit set.
		 */
		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
		    !asoc->peer.i.init_tag) {
			struct sctp_initack_chunk *initack;

			initack = (struct sctp_initack_chunk *)chunk->chunk_hdr;
			if (sctp_chunk_length_valid(chunk, sizeof(*initack))) {
				unsigned int inittag;

				inittag = ntohl(initack->init_hdr.init_tag);
				sctp_add_cmd_sf(commands,
						SCTP_CMD_UPDATE_INITTAG,
						SCTP_U32(inittag));
			} else {
				abort_chk->chunk_hdr->flags |=
					SCTP_CHUNK_FLAG_T;
			}
		}

		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
				SCTP_CHUNK(abort_chk));
		SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

		if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
			/* Still setting up: the INIT attempt failed. */
			sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
					SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
					SCTP_ERROR(ECONNREFUSED));
			sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
		} else {
			/* Later states: the association itself failed. */
			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
					SCTP_ERROR(ECONNABORTED));
			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
					SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
		}
	}

	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);

discard:
	/* Drop the offending packet; the helper's return value is not used. */
	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
	return SCTP_DISPOSITION_ABORT;
}
/*
 * Handle a chunk whose length is invalid: abort via
 * sctp_sf_abort_violation() with a fixed diagnostic string as payload.
 *
 * type is not used.  Returns the disposition of sctp_sf_abort_violation().
 */
static enum sctp_disposition sctp_sf_violation_chunklen(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	static const char err_str[] = "The following chunk had invalid length:";

	/* sizeof() on the array counts the terminating NUL as payload too. */
	return sctp_sf_abort_violation(net, ep, asoc, arg, commands,
				       err_str, sizeof(err_str));
}
/*
 * Handle a parameter (ext) with an invalid length inside the chunk arg.
 *
 * Builds an ABORT with sctp_make_violation_paramlen(), queues it as a reply,
 * fails the association with SCTP_ERROR_PROTO_VIOLATION and discards the
 * packet.  No ABORT is built when sctp_auth_recv_cid() is true for ABORT;
 * the packet is then only discarded.
 *
 * Returns SCTP_DISPOSITION_ABORT, or SCTP_DISPOSITION_NOMEM when the ABORT
 * chunk could not be built.
 */
static enum sctp_disposition sctp_sf_violation_paramlen(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg, void *ext,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *offender = arg;
	struct sctp_paramhdr *bad_param = ext;
	struct sctp_chunk *reply;

	if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
		goto discard;

	reply = sctp_make_violation_paramlen(asoc, offender, bad_param);
	if (!reply)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

	/* Tear the association down and report the abort to the socket. */
	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
			SCTP_ERROR(ECONNABORTED));
	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
			SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);

discard:
	sctp_sf_pdiscard(net, ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
	return SCTP_DISPOSITION_ABORT;
}
/*
 * Handle a cumulative TSN ack that lies beyond the highest TSN sent: abort
 * via sctp_sf_abort_violation() with a fixed diagnostic string as payload.
 *
 * type is not used.  Returns the disposition of sctp_sf_abort_violation().
 */
static enum sctp_disposition sctp_sf_violation_ctsn(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	static const char err_str[] = "The cumulative tsn ack beyond the max tsn currently sent:";

	/* sizeof() on the array counts the terminating NUL as payload too. */
	return sctp_sf_abort_violation(net, ep, asoc, arg, commands,
				       err_str, sizeof(err_str));
}
/*
 * Handle a chunk that violates the protocol.
 *
 * With an association the chunk is answered through
 * sctp_sf_abort_violation() with a fixed diagnostic string.  Without one the
 * event is passed to sctp_sf_violation() instead.
 *
 * Returns the disposition of whichever handler ran.
 */
static enum sctp_disposition sctp_sf_violation_chunk(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	static const char err_str[] = "The following chunk violates protocol:";

	if (asoc)
		return sctp_sf_abort_violation(net, ep, asoc, arg, commands,
					       err_str, sizeof(err_str));

	return sctp_sf_violation(net, ep, asoc, type, arg, commands);
}
/*
 * Handle the ASSOCIATE primitive: start setting up asoc.
 *
 * Queues, in order: the move to SCTP_STATE_COOKIE_WAIT, transport selection
 * for the INIT chunk, registration of the association, the start of the
 * T1-init timer and the INIT chunk itself as a reply.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or SCTP_DISPOSITION_NOMEM when the INIT
 * chunk could not be built.  The state change is already queued at that
 * point.
 */
enum sctp_disposition sctp_sf_do_prm_asoc(struct net *net,
					  const struct sctp_endpoint *ep,
					  const struct sctp_association *asoc,
					  const union sctp_subtype type,
					  void *arg,
					  struct sctp_cmd_seq *commands)
{
	struct sctp_association *new_asoc;
	struct sctp_chunk *init;

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_COOKIE_WAIT));

	/* Build the INIT from the association's own bind address list. */
	init = sctp_make_init(asoc, &asoc->base.bind_addr, GFP_ATOMIC, 0);
	if (!init)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
			SCTP_CHUNK(init));

	/* The command argument is non-const, so the qualifier is cast away. */
	new_asoc = (struct sctp_association *)asoc;
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(init));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle the SEND primitive: queue the data message in arg for sending.
 *
 * Returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_do_prm_send(struct net *net,
					  const struct sctp_endpoint *ep,
					  const struct sctp_association *asoc,
					  const union sctp_subtype type,
					  void *arg,
					  struct sctp_cmd_seq *commands)
{
	struct sctp_datamsg *datamsg = arg;

	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_MSG, SCTP_DATAMSG(datamsg));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle the SHUTDOWN primitive.
 *
 * Always queues the move to SCTP_STATE_SHUTDOWN_PENDING.  If the outqueue is
 * already empty the shutdown is started at once through
 * sctp_sf_do_9_2_start_shutdown().
 *
 * Returns SCTP_DISPOSITION_CONSUME while data is still queued, otherwise the
 * disposition of sctp_sf_do_9_2_start_shutdown().
 */
enum sctp_disposition sctp_sf_do_9_2_prm_shutdown(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));

	/* Outstanding data: stay in SHUTDOWN_PENDING for now. */
	if (!sctp_outq_is_empty(&asoc->outqueue))
		return SCTP_DISPOSITION_CONSUME;

	return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, arg,
					     commands);
}
/*
 * Handle the ABORT primitive on an association.
 *
 * arg is an optional, already built ABORT chunk; when present it is queued
 * as a reply.  The socket error is set to ECONNABORTED and the association
 * is failed with SCTP_ERROR_USER_ABORT.
 *
 * Returns SCTP_DISPOSITION_ABORT.
 */
enum sctp_disposition sctp_sf_do_9_1_prm_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *abort_chunk = arg;

	/* The caller may pass no chunk at all; then nothing is sent. */
	if (abort_chunk)
		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
				SCTP_CHUNK(abort_chunk));

	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
			SCTP_ERROR(ECONNABORTED));

	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
			SCTP_PERR(SCTP_ERROR_USER_ABORT));

	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);

	return SCTP_DISPOSITION_ABORT;
}
/*
 * Reject the event by reporting -EINVAL through SCTP_CMD_REPORT_ERROR.
 *
 * Returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_error_closed(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
			SCTP_ERROR(-EINVAL));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Reject the event by reporting -ESHUTDOWN through SCTP_CMD_REPORT_ERROR.
 *
 * Returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_error_shutdown(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_ERROR,
			SCTP_ERROR(-ESHUTDOWN));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle the SHUTDOWN primitive while the association is still being set up.
 *
 * Stops the T1-init timer, moves to SCTP_STATE_CLOSED, counts the shutdown
 * and queues deletion of the TCB.
 *
 * Returns SCTP_DISPOSITION_DELETE_TCB.
 */
enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* No INIT retransmission is wanted any more. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_CLOSED));

	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);

	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());

	return SCTP_DISPOSITION_DELETE_TCB;
}
/*
 * Handle the SHUTDOWN primitive in the COOKIE-ECHOED state.
 *
 * Delegates unchanged to sctp_sf_cookie_wait_prm_shutdown() and returns its
 * disposition.
 */
enum sctp_disposition sctp_sf_cookie_echoed_prm_shutdown(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* Same steps as in the COOKIE-WAIT handler. */
	return sctp_sf_cookie_wait_prm_shutdown(net, ep, asoc, type, arg,
						commands);
}
/*
 * Handle the ABORT primitive while the association is still being set up.
 *
 * Stops the T1-init timer, sends the optional ABORT chunk in arg, moves to
 * SCTP_STATE_CLOSED, sets the socket error to ECONNREFUSED and fails the
 * INIT with SCTP_ERROR_USER_ABORT.
 *
 * Returns SCTP_DISPOSITION_ABORT.
 */
enum sctp_disposition sctp_sf_cookie_wait_prm_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *abort_chunk = arg;

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));

	/* The caller may pass no chunk at all; then nothing is sent. */
	if (abort_chunk)
		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
				SCTP_CHUNK(abort_chunk));

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_CLOSED));

	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);

	/* Setup never completed, so the socket sees a refused connection. */
	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
			SCTP_ERROR(ECONNREFUSED));

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
			SCTP_PERR(SCTP_ERROR_USER_ABORT));

	return SCTP_DISPOSITION_ABORT;
}
/*
 * Handle the ABORT primitive in the COOKIE-ECHOED state.
 *
 * Delegates unchanged to sctp_sf_cookie_wait_prm_abort() and returns its
 * disposition.
 */
enum sctp_disposition sctp_sf_cookie_echoed_prm_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* Same steps as in the COOKIE-WAIT handler. */
	return sctp_sf_cookie_wait_prm_abort(net, ep, asoc, type, arg,
					     commands);
}
/*
 * Handle the ABORT primitive in the SHUTDOWN-PENDING state.
 *
 * Stops the T5 shutdown guard timer, then continues with
 * sctp_sf_do_9_1_prm_abort() and returns its disposition.
 */
enum sctp_disposition sctp_sf_shutdown_pending_prm_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* The guard timer must not fire on an association being aborted. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));

	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
}
/*
 * Handle the ABORT primitive in the SHUTDOWN-SENT state.
 *
 * Stops the T2 shutdown timer and the T5 shutdown guard timer, then
 * continues with sctp_sf_do_9_1_prm_abort() and returns its disposition.
 */
enum sctp_disposition sctp_sf_shutdown_sent_prm_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* Both shutdown-related timers are stopped, T2 first. */
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));

	return sctp_sf_do_9_1_prm_abort(net, ep, asoc, type, arg, commands);
}
/*
 * Handle the ABORT primitive in the SHUTDOWN-ACK-SENT state.
 *
 * Delegates unchanged to sctp_sf_shutdown_sent_prm_abort() and returns its
 * disposition.
 */
enum sctp_disposition sctp_sf_shutdown_ack_sent_prm_abort(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* Same timers to stop as in the SHUTDOWN-SENT handler. */
	return sctp_sf_shutdown_sent_prm_abort(net, ep, asoc, type, arg,
					       commands);
}
/*
 * Handle the REQUESTHEARTBEAT primitive for the transport passed in arg.
 *
 * Sends a heartbeat through sctp_sf_heartbeat() and, unless that reports
 * SCTP_DISPOSITION_NOMEM, queues SCTP_CMD_TRANSPORT_HB_SENT for the same
 * transport.
 *
 * Returns SCTP_DISPOSITION_CONSUME or SCTP_DISPOSITION_NOMEM.
 */
enum sctp_disposition sctp_sf_do_prm_requestheartbeat(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_transport *transport = arg;

	/* Only an allocation failure stops the bookkeeping below. */
	if (sctp_sf_heartbeat(ep, asoc, type, transport, commands) ==
	    SCTP_DISPOSITION_NOMEM)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,
			SCTP_TRANSPORT(transport));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle the ASCONF primitive: send the ASCONF chunk passed in arg.
 *
 * Queues T4 setup for the chunk, the start of the T4-RTO timer and the chunk
 * itself as a reply, in that order.
 *
 * Returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_do_prm_asconf(struct net *net,
					    const struct sctp_endpoint *ep,
					    const struct sctp_association *asoc,
					    const union sctp_subtype type,
					    void *arg,
					    struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *asconf = arg;

	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(asconf));
	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle the RECONF primitive: queue the chunk passed in arg as a reply.
 *
 * Returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_do_prm_reconf(struct net *net,
					    const struct sctp_endpoint *ep,
					    const struct sctp_association *asoc,
					    const union sctp_subtype type,
					    void *arg,
					    struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *reconf = arg;

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reconf));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Ignore a primitive: log its type at debug level and queue nothing.
 *
 * Returns SCTP_DISPOSITION_DISCARD.
 */
enum sctp_disposition sctp_sf_ignore_primitive(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	pr_debug("%s: primitive type:%d is ignored\n", __func__,
		 type.primitive);

	return SCTP_DISPOSITION_DISCARD;
}
/*
 * Notify the upper layer that no TSN is pending.
 *
 * Builds a sender-dry event with sctp_ulpevent_make_sender_dry_event() and
 * queues it through SCTP_CMD_EVENT_ULP.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or SCTP_DISPOSITION_NOMEM when the event
 * could not be built.
 */
enum sctp_disposition sctp_sf_do_no_pending_tsn(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_ulpevent *dry_event =
		sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);

	if (!dry_event)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
			SCTP_ULPEVENT(dry_event));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Start the shutdown sequence by sending a SHUTDOWN chunk.
 *
 * Queues, in order: T2 setup for the SHUTDOWN chunk, the start of the T2
 * shutdown timer, a restart of the T5 shutdown guard timer, a stop of the
 * autoclose timer when one is configured, the move to
 * SCTP_STATE_SHUTDOWN_SENT, a stop of all heartbeat timers and finally the
 * chunk itself as a reply.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or SCTP_DISPOSITION_NOMEM when the
 * SHUTDOWN chunk could not be built (nothing is queued in that case).
 */
enum sctp_disposition sctp_sf_do_9_2_start_shutdown(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *shutdown = sctp_make_shutdown(asoc, NULL);

	if (!shutdown)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(shutdown));

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));

	/* A zero autoclose timeout means no such timer needs stopping. */
	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_SHUTDOWN_SENT));

	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(shutdown));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Answer a shutdown with a SHUTDOWN ACK.
 *
 * arg is an optional received chunk.  When present it is validated before
 * anything is queued: a verification-tag mismatch discards the packet, and a
 * chunk shorter than struct sctp_shutdown_chunk is treated as a chunk-length
 * violation.
 *
 * Then queues, in order: T2 setup for the SHUTDOWN ACK, a restart of the T2
 * shutdown timer, a stop of the autoclose timer when one is configured, the
 * move to SCTP_STATE_SHUTDOWN_ACK_SENT, a stop of all heartbeat timers and
 * the SHUTDOWN ACK itself as a reply.
 *
 * Returns SCTP_DISPOSITION_CONSUME, SCTP_DISPOSITION_NOMEM when the reply
 * could not be built, or the disposition of the validation handler.
 */
enum sctp_disposition sctp_sf_do_9_2_shutdown_ack(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *received = arg;
	struct sctp_chunk *shutdown_ack;

	if (received) {
		/* Wrong verification tag: drop the packet. */
		if (!sctp_vtag_verify(received, asoc))
			return sctp_sf_pdiscard(net, ep, asoc, type, arg,
						commands);

		/* Too short to be a SHUTDOWN chunk. */
		if (!sctp_chunk_length_valid(received,
					     sizeof(struct sctp_shutdown_chunk)))
			return sctp_sf_violation_chunklen(net, ep, asoc, type,
							  arg, commands);
	}

	shutdown_ack = sctp_make_shutdown_ack(asoc, received);
	if (!shutdown_ack)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2,
			SCTP_CHUNK(shutdown_ack));

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));

	/* A zero autoclose timeout means no such timer needs stopping. */
	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_SHUTDOWN_ACK_SENT));

	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_STOP, SCTP_NULL());

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(shutdown_ack));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Ignore an "other" event: log its type at debug level and queue nothing.
 *
 * Returns SCTP_DISPOSITION_DISCARD.
 */
enum sctp_disposition sctp_sf_ignore_other(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	pr_debug("%s: the event other type:%d is ignored\n", __func__,
		 type.other);

	return SCTP_DISPOSITION_DISCARD;
}
/*
 * Handle expiry of the T3-rtx timer for the transport passed in arg.
 *
 * Once the overall error count has reached max_retrans the association is
 * failed with ETIMEDOUT, unless the peer has announced a zero window while
 * the association is in SHUTDOWN-PENDING; in that case the T5 shutdown guard
 * timer is started once and retransmission goes on.
 *
 * Otherwise the transport is struck and a retransmission is queued.
 *
 * Returns SCTP_DISPOSITION_CONSUME, or SCTP_DISPOSITION_DELETE_TCB when the
 * association is given up.
 */
enum sctp_disposition sctp_sf_do_6_3_3_rtx(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	struct sctp_transport *rtx_transport = arg;

	SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);

	if (asoc->overall_error_count >= asoc->max_retrans) {
		bool zero_window_shutdown =
			asoc->peer.zero_window_announced &&
			asoc->state == SCTP_STATE_SHUTDOWN_PENDING;

		if (!zero_window_shutdown) {
			/* Retransmission budget used up: give up. */
			sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
					SCTP_ERROR(ETIMEDOUT));
			sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
					SCTP_PERR(SCTP_ERROR_NO_ERROR));
			SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
			SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
			return SCTP_DISPOSITION_DELETE_TCB;
		}

		/* Let the T5 guard timer bound how long shutdown may take. */
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
				SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
	}

	/* Strike the transport first, then retransmit on it. */
	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
			SCTP_TRANSPORT(rtx_transport));
	sctp_add_cmd_sf(commands, SCTP_CMD_RETRAN,
			SCTP_TRANSPORT(rtx_transport));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle expiry of the delayed-SACK timer: count the expiry and queue a
 * forced SACK generation.
 *
 * Returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_do_6_2_sack(struct net *net,
					  const struct sctp_endpoint *ep,
					  const struct sctp_association *asoc,
					  const union sctp_subtype type,
					  void *arg,
					  struct sctp_cmd_seq *commands)
{
	SCTP_INC_STATS(net, SCTP_MIB_DELAY_SACK_EXPIREDS);

	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_SACK, SCTP_FORCE());

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle expiry of the T1-init timer while an INIT is outstanding.
 *
 * While the next attempt is still within max_init_attempts a new INIT is
 * built, a transport is chosen for it, the T1-init timer is restarted and
 * the INIT is sent.  After that the setup is failed with ETIMEDOUT.
 *
 * Returns SCTP_DISPOSITION_CONSUME after a retransmission,
 * SCTP_DISPOSITION_DELETE_TCB when giving up, or SCTP_DISPOSITION_NOMEM when
 * the INIT could not be built.
 */
enum sctp_disposition sctp_sf_t1_init_timer_expire(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* The attempt about to be made, counting this expiry. */
	int attempts = asoc->init_err_counter + 1;
	struct sctp_bind_addr *bind_addr;
	struct sctp_chunk *init;

	pr_debug("%s: timer T1 expired (INIT)\n", __func__);

	SCTP_INC_STATS(net, SCTP_MIB_T1_INIT_EXPIREDS);

	if (attempts > asoc->max_init_attempts) {
		pr_debug("%s: giving up on INIT, attempts:%d max_init_attempts:%d\n",
			 __func__, attempts, asoc->max_init_attempts);

		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ETIMEDOUT));
		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
				SCTP_PERR(SCTP_ERROR_NO_ERROR));
		return SCTP_DISPOSITION_DELETE_TCB;
	}

	/* sctp_make_init() takes a non-const bind address list. */
	bind_addr = (struct sctp_bind_addr *)&asoc->base.bind_addr;
	init = sctp_make_init(asoc, bind_addr, GFP_ATOMIC, 0);
	if (!init)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
			SCTP_CHUNK(init));

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(init));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle expiry of the T1-cookie timer while a COOKIE ECHO is outstanding.
 *
 * While the next attempt is still within max_init_attempts a new COOKIE ECHO
 * is built, a transport is chosen for it, the T1-cookie timer is restarted
 * and the chunk is sent.  After that the setup is failed with ETIMEDOUT.
 *
 * Returns SCTP_DISPOSITION_CONSUME after a retransmission,
 * SCTP_DISPOSITION_DELETE_TCB when giving up, or SCTP_DISPOSITION_NOMEM when
 * the COOKIE ECHO could not be built.
 */
enum sctp_disposition sctp_sf_t1_cookie_timer_expire(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/* The attempt about to be made, counting this expiry. */
	int attempts = asoc->init_err_counter + 1;
	struct sctp_chunk *cookie_echo;

	pr_debug("%s: timer T1 expired (COOKIE-ECHO)\n", __func__);

	SCTP_INC_STATS(net, SCTP_MIB_T1_COOKIE_EXPIREDS);

	if (attempts > asoc->max_init_attempts) {
		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ETIMEDOUT));
		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
				SCTP_PERR(SCTP_ERROR_NO_ERROR));
		return SCTP_DISPOSITION_DELETE_TCB;
	}

	cookie_echo = sctp_make_cookie_echo(asoc, NULL);
	if (!cookie_echo)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
			SCTP_CHUNK(cookie_echo));

	sctp_add_cmd_sf(commands, SCTP_CMD_COOKIEECHO_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(cookie_echo));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle expiry of the T2 shutdown timer.
 *
 * Increments shutdown_retries.  Once the overall error count has reached
 * max_retrans the association is failed with ETIMEDOUT.  Otherwise the chunk
 * that matches the current state (SHUTDOWN or SHUTDOWN ACK) is rebuilt, the
 * transport it was last sent to is struck, T2 is set up and restarted, and
 * the chunk is sent again.  Any other state is a BUG().
 *
 * Returns SCTP_DISPOSITION_CONSUME after a retransmission,
 * SCTP_DISPOSITION_DELETE_TCB when giving up, or SCTP_DISPOSITION_NOMEM when
 * the chunk could not be built.
 */
enum sctp_disposition sctp_sf_t2_timer_expire(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *resend = NULL;

	pr_debug("%s: timer T2 expired\n", __func__);

	SCTP_INC_STATS(net, SCTP_MIB_T2_SHUTDOWN_EXPIREDS);

	/* asoc is const here; the retry counter is updated through a cast. */
	((struct sctp_association *)asoc)->shutdown_retries++;

	if (asoc->overall_error_count >= asoc->max_retrans) {
		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ETIMEDOUT));
		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
				SCTP_PERR(SCTP_ERROR_NO_ERROR));
		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
		return SCTP_DISPOSITION_DELETE_TCB;
	}

	switch (asoc->state) {
	case SCTP_STATE_SHUTDOWN_SENT:
		resend = sctp_make_shutdown(asoc, NULL);
		break;

	case SCTP_STATE_SHUTDOWN_ACK_SENT:
		resend = sctp_make_shutdown_ack(asoc, NULL);
		break;

	default:
		/* T2 is not expected to run in any other state. */
		BUG();
		break;
	}

	if (!resend)
		return SCTP_DISPOSITION_NOMEM;

	/* Charge the failure to the transport used for the last attempt. */
	if (asoc->shutdown_last_sent_to)
		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
				SCTP_TRANSPORT(asoc->shutdown_last_sent_to));

	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T2, SCTP_CHUNK(resend));

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(resend));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle expiry of the T4-RTO timer for the last ASCONF chunk sent.
 *
 * The transport the ASCONF went out on, if any, is struck and T4 is set up
 * again for the chunk.  Once the overall error count has reached max_retrans
 * the T4 timer is stopped and the association is failed with ETIMEDOUT.
 * Otherwise an extra reference is taken on the chunk, it is sent again and
 * the T4 timer is restarted.
 *
 * Returns SCTP_DISPOSITION_CONSUME after a retransmission, or
 * SCTP_DISPOSITION_ABORT when the association is given up.
 */
enum sctp_disposition sctp_sf_t4_timer_expire(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	/*
	 * NOTE(review): addip_last_asconf is dereferenced without a NULL
	 * check; presumably T4 only runs while an ASCONF is outstanding --
	 * confirm against the code that starts and stops this timer.
	 */
	struct sctp_chunk *asconf = asoc->addip_last_asconf;
	struct sctp_transport *last_transport = asconf->transport;

	SCTP_INC_STATS(net, SCTP_MIB_T4_RTO_EXPIREDS);

	if (last_transport)
		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
				SCTP_TRANSPORT(last_transport));

	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(asconf));

	if (asoc->overall_error_count >= asoc->max_retrans) {
		/* Retransmission budget used up: give up. */
		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
				SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ETIMEDOUT));
		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
				SCTP_PERR(SCTP_ERROR_NO_ERROR));
		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
		return SCTP_DISPOSITION_ABORT;
	}

	/* The reference is taken before the chunk is queued for sending. */
	sctp_chunk_hold(asconf);
	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(asconf));

	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Handle expiry of the T5 shutdown guard timer: abort the association.
 *
 * Sends an ABORT built by sctp_make_abort(), sets the socket error to
 * ETIMEDOUT and fails the association.
 *
 * Returns SCTP_DISPOSITION_DELETE_TCB, or SCTP_DISPOSITION_NOMEM when the
 * ABORT could not be built.
 */
enum sctp_disposition sctp_sf_t5_timer_expire(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	struct sctp_chunk *abort_chunk;

	pr_debug("%s: timer T5 expired\n", __func__);

	SCTP_INC_STATS(net, SCTP_MIB_T5_SHUTDOWN_GUARD_EXPIREDS);

	abort_chunk = sctp_make_abort(asoc, NULL, 0);
	if (!abort_chunk)
		return SCTP_DISPOSITION_NOMEM;

	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort_chunk));
	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
			SCTP_ERROR(ETIMEDOUT));
	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
			SCTP_PERR(SCTP_ERROR_NO_ERROR));

	SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);

	return SCTP_DISPOSITION_DELETE_TCB;
}
/*
 * Handle expiry of the autoclose timer.
 *
 * Counts the expiry and queues the move to SCTP_STATE_SHUTDOWN_PENDING.  If
 * the outqueue is already empty the shutdown is started at once through
 * sctp_sf_do_9_2_start_shutdown().
 *
 * Returns SCTP_DISPOSITION_CONSUME while data is still queued, otherwise the
 * disposition of sctp_sf_do_9_2_start_shutdown().
 */
enum sctp_disposition sctp_sf_autoclose_timer_expire(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					const union sctp_subtype type,
					void *arg,
					struct sctp_cmd_seq *commands)
{
	SCTP_INC_STATS(net, SCTP_MIB_AUTOCLOSE_EXPIREDS);

	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
			SCTP_STATE(SCTP_STATE_SHUTDOWN_PENDING));

	/* Outstanding data: stay in SHUTDOWN_PENDING for now. */
	if (!sctp_outq_is_empty(&asoc->outqueue))
		return SCTP_DISPOSITION_CONSUME;

	return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, arg,
					     commands);
}
/*
 * Placeholder handler for an event that has no implementation.
 *
 * Queues nothing and ignores every argument.
 * Returns SCTP_DISPOSITION_NOT_IMPL.
 */
enum sctp_disposition sctp_sf_not_impl(struct net *net,
				       const struct sctp_endpoint *ep,
				       const struct sctp_association *asoc,
				       const union sctp_subtype type,
				       void *arg, struct sctp_cmd_seq *commands)
{
	return SCTP_DISPOSITION_NOT_IMPL;
}
/*
 * Handler for a state/event combination that is treated as a bug.
 *
 * Queues nothing and ignores every argument.
 * Returns SCTP_DISPOSITION_BUG.
 */
enum sctp_disposition sctp_sf_bug(struct net *net,
				  const struct sctp_endpoint *ep,
				  const struct sctp_association *asoc,
				  const union sctp_subtype type,
				  void *arg, struct sctp_cmd_seq *commands)
{
	return SCTP_DISPOSITION_BUG;
}
/*
 * Ignore a timer expiry: log it at debug level and queue nothing.
 *
 * The value logged is read through type.chunk.
 * Returns SCTP_DISPOSITION_CONSUME.
 */
enum sctp_disposition sctp_sf_timer_ignore(struct net *net,
					   const struct sctp_endpoint *ep,
					   const struct sctp_association *asoc,
					   const union sctp_subtype type,
					   void *arg,
					   struct sctp_cmd_seq *commands)
{
	pr_debug("%s: timer %d ignored\n", __func__, type.chunk);

	return SCTP_DISPOSITION_CONSUME;
}
/*
 * Pull the SACK header and its variable part off the front of chunk->skb.
 *
 * The gap-ack-block and duplicate-TSN counts are taken from the received
 * header, so the length computed from them is checked against the bytes
 * actually left in the skb before anything is pulled.
 *
 * Returns a pointer to the SACK header, or NULL when the counts describe
 * more data than the skb holds (nothing is pulled in that case).
 */
static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
{
	/*
	 * NOTE(review): the fixed header fields are read before any length
	 * check in this function; presumably the caller has already verified
	 * that the chunk holds a full struct sctp_sackhdr -- confirm.
	 */
	struct sctp_sackhdr *sack = (struct sctp_sackhdr *)chunk->skb->data;
	__u16 gap_blocks = ntohs(sack->num_gap_ack_blocks);
	__u16 dup_tsns = ntohs(sack->num_dup_tsns);
	unsigned int len;

	/* Both kinds of entries contribute sizeof(__u32) each to the length. */
	len = sizeof(struct sctp_sackhdr) +
	      (gap_blocks + dup_tsns) * sizeof(__u32);
	if (len > chunk->skb->len)
		return NULL;

	skb_pull(chunk->skb, len);

	return sack;
}
/*
 * Build an out-of-the-blue packet carrying an ABORT in answer to chunk.
 *
 * The packet comes from sctp_ootb_pkt_new(); the ABORT is built with room
 * for paylen bytes and payload is appended to it.  If the ABORT has the T
 * bit set, the packet's vtag is taken from the received packet header.
 *
 * Returns the packet, or NULL when either the packet or the ABORT could not
 * be built (a packet already built is released again).
 */
static struct sctp_packet *sctp_abort_pkt_new(
					struct net *net,
					const struct sctp_endpoint *ep,
					const struct sctp_association *asoc,
					struct sctp_chunk *chunk,
					const void *payload, size_t paylen)
{
	struct sctp_packet *ootb = sctp_ootb_pkt_new(net, asoc, chunk);
	struct sctp_chunk *abort_chunk;

	if (!ootb)
		return NULL;

	abort_chunk = sctp_make_abort(asoc, chunk, paylen);
	if (!abort_chunk) {
		sctp_ootb_pkt_free(ootb);
		return NULL;
	}

	/* With the T bit set, reflect the vtag of the received packet. */
	if (sctp_test_T_bit(abort_chunk))
		ootb->vtag = ntohl(chunk->sctp_hdr->vtag);

	sctp_addto_chunk(abort_chunk, paylen, payload);

	/* The chunk's skb is owned by the endpoint's socket. */
	abort_chunk->skb->sk = ep->base.sk;

	sctp_packet_append_chunk(ootb, abort_chunk);

	return ootb;
}
/*
 * Allocate a packet for answering chunk outside of normal association
 * transmission.
 *
 * Source and destination ports are those of the received packet, swapped.
 * The verification tag is chosen as follows:
 *   - with an association: the init tag carried in the chunk for an
 *     INIT-ACK, otherwise the peer init tag stored in the association;
 *   - without one: the init tag carried in the chunk for an INIT, otherwise
 *     the vtag of the received packet header.
 *
 * The packet is the one embedded in a freshly created transport, routed
 * through the per-net control socket.
 *
 * Returns the packet, or NULL when the transport could not be created.
 */
static struct sctp_packet *sctp_ootb_pkt_new(
					struct net *net,
					const struct sctp_association *asoc,
					const struct sctp_chunk *chunk)
{
	struct sctp_transport *transport;
	struct sctp_packet *packet;
	__u16 sport = ntohs(chunk->sctp_hdr->dest);
	__u16 dport = ntohs(chunk->sctp_hdr->source);
	__u32 vtag;

	/*
	 * NOTE(review): the init_tag reads below assume the chunk is long
	 * enough to hold the INIT / INIT-ACK header; no length check is made
	 * in this function, so presumably callers validate it -- confirm.
	 */
	if (asoc) {
		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK) {
			struct sctp_initack_chunk *initack =
				(struct sctp_initack_chunk *)chunk->chunk_hdr;

			vtag = ntohl(initack->init_hdr.init_tag);
		} else {
			vtag = asoc->peer.i.init_tag;
		}
	} else {
		if (chunk->chunk_hdr->type == SCTP_CID_INIT) {
			struct sctp_init_chunk *init =
				(struct sctp_init_chunk *)chunk->chunk_hdr;

			vtag = ntohl(init->init_hdr.init_tag);
		} else {
			vtag = ntohl(chunk->sctp_hdr->vtag);
		}
	}

	/* The reply goes back to the source address of the received chunk. */
	transport = sctp_transport_new(net, sctp_source(chunk), GFP_ATOMIC);
	if (!transport)
		return NULL;

	sctp_transport_route(transport, (union sctp_addr *)&chunk->dest,
			     sctp_sk(net->sctp.ctl_sock));

	packet = &transport->packet;
	sctp_packet_init(packet, transport, sport, dport);
	sctp_packet_config(packet, vtag, 0);

	return packet;
}
/*
 * Release a packet obtained from sctp_ootb_pkt_new() by freeing the
 * transport it belongs to.  @packet must not be NULL: it is dereferenced
 * unconditionally.
 */
void sctp_ootb_pkt_free(struct sctp_packet *packet)
{
	struct sctp_transport *owner = packet->transport;

	sctp_transport_free(owner);
}
/*
 * Queue @err_chunk for transmission in a freshly built reply packet.
 *
 * Does nothing when @err_chunk is NULL.  When the reply packet cannot be
 * created, @err_chunk is freed here; otherwise it is appended to the packet
 * and an SCTP_CMD_SEND_PKT command is added to @commands.
 */
static void sctp_send_stale_cookie_err(struct net *net,
				       const struct sctp_endpoint *ep,
				       const struct sctp_association *asoc,
				       const struct sctp_chunk *chunk,
				       struct sctp_cmd_seq *commands,
				       struct sctp_chunk *err_chunk)
{
	struct sctp_signed_cookie *cookie;
	struct sctp_packet *pkt;

	if (!err_chunk)
		return;

	pkt = sctp_ootb_pkt_new(net, asoc, chunk);
	if (!pkt) {
		/* No packet to carry it, so drop the error chunk. */
		sctp_chunk_free(err_chunk);
		return;
	}

	/* Replace the default tag with the peer tag stored in the cookie
	 * that arrived with @chunk.
	 */
	cookie = chunk->subh.cookie_hdr;
	pkt->vtag = cookie->c.peer_vtag;

	/* Attach the outgoing skb to the endpoint's socket. */
	err_chunk->skb->sk = ep->base.sk;
	sctp_packet_append_chunk(pkt, err_chunk);
	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
}
/* True when the TSN map has a gap and @tsn is the one right after the
 * cumulative TSN, i.e. the chunk the map is waiting for next.
 */
static bool sctp_eat_data_is_next_in_gap(struct sctp_tsnmap *map, __u32 tsn)
{
	return sctp_tsnmap_has_gap(map) &&
	       (sctp_tsnmap_get_ctsn(map) + 1) == tsn;
}

/*
 * Process one incoming DATA chunk for @asoc and queue the resulting
 * commands on @commands.
 *
 * Returns one of:
 *   SCTP_IERROR_NO_ERROR         chunk handed on (delivery or renege command)
 *   SCTP_IERROR_HIGH_TSN         sctp_tsnmap_check() returned a negative value
 *   SCTP_IERROR_DUP_TSN          sctp_tsnmap_check() returned a positive value
 *   SCTP_IERROR_IGNORE_TSN       no receive window for it and not renegeable
 *   SCTP_IERROR_NO_DATA          zero-length user data; association is failed
 *   SCTP_IERROR_BAD_STREAM       stream id is not below asoc->stream.incnt
 *   SCTP_IERROR_PROTO_VIOLATION  the stream interleave validate_data hook failed
 *
 * NOTE(review): the header pull and the length subtraction below are not
 * guarded in this function; they presumably rely on the caller having
 * rejected chunks shorter than sctp_datachk_len() - verify at the call sites.
 */
static int sctp_eat_data(const struct sctp_association *asoc,
			 struct sctp_chunk *chunk,
			 struct sctp_cmd_seq *commands)
{
	struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
	struct sock *sk = asoc->base.sk;
	struct net *net = sock_net(sk);
	struct sctp_datahdr *data_hdr;
	struct sctp_chunk *reply;
	enum sctp_verb deliver;
	size_t datalen;
	int tsn_state;
	__u32 tsn;

	/* Record where the DATA header sits, then step past it. */
	data_hdr = (struct sctp_datahdr *)chunk->skb->data;
	chunk->subh.data_hdr = data_hdr;
	skb_pull(chunk->skb, sctp_datahdr_len(&asoc->stream));

	tsn = ntohl(data_hdr->tsn);
	pr_debug("%s: TSN 0x%x\n", __func__, tsn);

	/* ECN: examine the congestion mark at most once per chunk, and only
	 * when the peer is ECN capable.
	 */
	if (asoc->peer.ecn_capable && !chunk->ecn_ce_done) {
		struct sctp_af *af = SCTP_INPUT_CB(chunk->skb)->af;

		chunk->ecn_ce_done = 1;

		if (af->is_ce(sctp_gso_headskb(chunk->skb)))
			sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
					SCTP_U32(tsn));
	}

	/* Negative: counted as out of sequence and refused.  Positive:
	 * reported as a duplicate.  Zero: carry on.
	 */
	tsn_state = sctp_tsnmap_check(&asoc->peer.tsn_map, tsn);
	if (tsn_state < 0) {
		if (chunk->asoc)
			chunk->asoc->stats.outofseqtsns++;
		return SCTP_IERROR_HIGH_TSN;
	}
	if (tsn_state > 0) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_DUP, SCTP_U32(tsn));
		return SCTP_IERROR_DUP_TSN;
	}

	/* User data length = chunk length from the wire minus the DATA chunk
	 * header.  datalen is unsigned, so a chunk length smaller than the
	 * header would wrap to a huge value here.
	 */
	datalen = ntohs(chunk->chunk_hdr->length);
	datalen -= sctp_datachk_len(&asoc->stream);

	deliver = SCTP_CMD_CHUNK_ULP;

	/* Data that fills the whole window while not already in partial
	 * delivery mode: request partial delivery.
	 */
	if (datalen >= asoc->rwnd && !asoc->ulpq.pd_mode)
		sctp_add_cmd_sf(commands, SCTP_CMD_PART_DELIVER, SCTP_NULL());

	/* Not yet accepted and no room (window zero, window overrun, or data
	 * larger than window plus one fragment): renege if this TSN is the
	 * next one expected ahead of a gap, otherwise ignore the chunk.
	 */
	if (!chunk->data_accepted &&
	    (!asoc->rwnd || asoc->rwnd_over ||
	     datalen > asoc->rwnd + asoc->frag_point)) {
		if (!sctp_eat_data_is_next_in_gap(map, tsn)) {
			pr_debug("%s: discard tsn:%u len:%zu, rwnd:%d\n",
				 __func__, tsn, datalen, asoc->rwnd);

			return SCTP_IERROR_IGNORE_TSN;
		}

		pr_debug("%s: reneging for tsn:%u\n", __func__, tsn);
		deliver = SCTP_CMD_RENEGE;
	}

	/* Under protocol memory pressure the same gap condition also forces
	 * a renege.
	 */
	if (*sk->sk_prot_creator->memory_pressure &&
	    sctp_eat_data_is_next_in_gap(map, tsn)) {
		pr_debug("%s: under pressure, reneging for tsn:%u\n",
			 __func__, tsn);
		deliver = SCTP_CMD_RENEGE;
	}

	/* A DATA chunk without user data: reply with an ABORT when one can
	 * be built, discard the packet and fail the association.
	 */
	if (unlikely(!datalen)) {
		reply = sctp_make_abort_no_data(asoc, chunk, tsn);
		if (reply)
			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
					SCTP_CHUNK(reply));

		sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
				SCTP_ERROR(ECONNABORTED));
		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
				SCTP_PERR(SCTP_ERROR_NO_DATA));
		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
		return SCTP_IERROR_NO_DATA;
	}

	chunk->data_accepted = 1;

	/* Account the chunk as ordered or unordered, globally and, when the
	 * chunk has an association attached, per association.
	 */
	if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
		SCTP_INC_STATS(net, SCTP_MIB_INUNORDERCHUNKS);
		if (chunk->asoc)
			chunk->asoc->stats.iuodchunks++;
	} else {
		SCTP_INC_STATS(net, SCTP_MIB_INORDERCHUNKS);
		if (chunk->asoc)
			chunk->asoc->stats.iodchunks++;
	}

	/* The stream id comes from the peer: range-check it against the
	 * number of inbound streams.  An invalid id still has its TSN
	 * reported, and an operation error echoing the id is sent back when
	 * one can be built.
	 */
	if (ntohs(data_hdr->stream) >= asoc->stream.incnt) {
		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));

		reply = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
					   &data_hdr->stream,
					   sizeof(data_hdr->stream),
					   sizeof(u16));
		if (reply)
			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
					SCTP_CHUNK(reply));
		return SCTP_IERROR_BAD_STREAM;
	}

	/* Let the stream interleave implementation veto the chunk. */
	if (!asoc->stream.si->validate_data(chunk))
		return SCTP_IERROR_PROTO_VIOLATION;

	/* Hand the chunk on with the verb chosen above: SCTP_CMD_CHUNK_ULP
	 * unless one of the renege paths replaced it.
	 */
	sctp_add_cmd_sf(commands, deliver, SCTP_CHUNK(chunk));

	return SCTP_IERROR_NO_ERROR;
}