1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/* SCTP kernel implementation
3	* (C) Copyright IBM Corp. 2001, 2004
4	* Copyright (c) 1999-2000 Cisco, Inc.
5	* Copyright (c) 1999-2001 Motorola, Inc.
6	* Copyright (c) 2001-2002 Intel Corp.
7	*
8	* This file is part of the SCTP kernel implementation
9	*
10	* These functions work with the state functions in sctp_sm_statefuns.c
11	* to implement the state operations. These functions implement the
12	* steps which require modifying existing data structures.
13	*
14	* Please send any bug reports or fixes you make to the
15	* email address(es):
16	* lksctp developers <linux-sctp@vger.kernel.org>
17	*
18	* Written or modified by:
19	* La Monte H.P. Yarroll <piggy@acm.org>
20	* Karl Knutson <karl@athena.chicago.il.us>
21	* C. Robin <chris@hundredacre.ac.uk>
22	* Jon Grimm <jgrimm@us.ibm.com>
23	* Xingang Guo <xingang.guo@intel.com>
24	* Dajiang Zhang <dajiang.zhang@nokia.com>
25	* Sridhar Samudrala <sri@us.ibm.com>
26	* Daisy Chang <daisyc@us.ibm.com>
27	* Ardelle Fan <ardelle.fan@intel.com>
28	* Kevin Gao <kevin.gao@intel.com>
29	*/
30
31	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
32
33	#include <crypto/hash.h>
34	#include <linux/types.h>
35	#include <linux/kernel.h>
36	#include <linux/ip.h>
37	#include <linux/ipv6.h>
38	#include <linux/net.h>
39	#include <linux/inet.h>
40	#include <linux/scatterlist.h>
41	#include <linux/slab.h>
42	#include <net/sock.h>
43
44	#include <linux/skbuff.h>
45	#include <linux/random.h> /* for get_random_bytes */
46	#include <net/sctp/sctp.h>
47	#include <net/sctp/sm.h>
48
49	static struct sctp_chunk *sctp_make_control(const struct sctp_association *asoc,
50	__u8 type, __u8 flags, int paylen,
51	gfp_t gfp);
52	static struct sctp_chunk *sctp_make_data(const struct sctp_association *asoc,
53	__u8 flags, int paylen, gfp_t gfp);
54	static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
55	__u8 type, __u8 flags, int paylen,
56	gfp_t gfp);
57	static struct sctp_cookie_param *sctp_pack_cookie(
58	const struct sctp_endpoint *ep,
59	const struct sctp_association *asoc,
60	const struct sctp_chunk *init_chunk,
61	int *cookie_len,
62	const __u8 *raw_addrs, int addrs_len);
63	static int sctp_process_param(struct sctp_association *asoc,
64	union sctp_params param,
65	const union sctp_addr *peer_addr,
66	gfp_t gfp);
67	static void *sctp_addto_param(struct sctp_chunk *chunk, int len,
68	const void *data);
69
70	/* Control chunk destructor */
71	static void sctp_control_release_owner(struct sk_buff *skb)
72	{
73	struct sctp_chunk *chunk = skb_shinfo(skb)->destructor_arg;
74
75	if (chunk->shkey) {
76	struct sctp_shared_key *shkey = chunk->shkey;
77	struct sctp_association *asoc = chunk->asoc;
78
79	/* refcnt == 2 and !list_empty mean after this release, it's
80	* not being used anywhere, and it's time to notify userland
81	* that this shkey can be freed if it's been deactivated.
82	*/
83	if (shkey->deactivated && !list_empty(head: &shkey->key_list) &&
84	refcount_read(r: &shkey->refcnt) == 2) {
85	struct sctp_ulpevent *ev;
86
87	ev = sctp_ulpevent_make_authkey(asoc, key_id: shkey->key_id,
88	indication: SCTP_AUTH_FREE_KEY,
89	GFP_KERNEL);
90	if (ev)
91	asoc->stream.si->enqueue_event(&asoc->ulpq, ev);
92	}
93	sctp_auth_shkey_release(sh_key: chunk->shkey);
94	}
95	}
96
97	static void sctp_control_set_owner_w(struct sctp_chunk *chunk)
98	{
99	struct sctp_association *asoc = chunk->asoc;
100	struct sk_buff *skb = chunk->skb;
101
102	/* TODO: properly account for control chunks.
103	* To do it right we'll need:
104	* 1) endpoint if association isn't known.
105	* 2) proper memory accounting.
106	*
107	* For now don't do anything for now.
108	*/
109	if (chunk->auth) {
110	chunk->shkey = asoc->shkey;
111	sctp_auth_shkey_hold(sh_key: chunk->shkey);
112	}
113	skb->sk = asoc ? asoc->base.sk : NULL;
114	skb_shinfo(skb)->destructor_arg = chunk;
115	skb->destructor = sctp_control_release_owner;
116	}
117
118	/* What was the inbound interface for this chunk? */
119	int sctp_chunk_iif(const struct sctp_chunk *chunk)
120	{
121	struct sk_buff *skb = chunk->skb;
122
123	return SCTP_INPUT_CB(skb)->af->skb_iif(skb);
124	}
125
126	/* RFC 2960 3.3.2 Initiation (INIT) (1)
127	*
128	* Note 2: The ECN capable field is reserved for future use of
129	* Explicit Congestion Notification.
130	*/
131	static const struct sctp_paramhdr ecap_param = {
132	SCTP_PARAM_ECN_CAPABLE,
133	cpu_to_be16(sizeof(struct sctp_paramhdr)),
134	};
135	static const struct sctp_paramhdr prsctp_param = {
136	SCTP_PARAM_FWD_TSN_SUPPORT,
137	cpu_to_be16(sizeof(struct sctp_paramhdr)),
138	};
139
140	/* A helper to initialize an op error inside a provided chunk, as most
141	* cause codes will be embedded inside an abort chunk.
142	*/
143	int sctp_init_cause(struct sctp_chunk *chunk, __be16 cause_code,
144	size_t paylen)
145	{
146	struct sctp_errhdr err;
147	__u16 len;
148
149	/* Cause code constants are now defined in network order. */
150	err.cause = cause_code;
151	len = sizeof(err) + paylen;
152	err.length = htons(len);
153
154	if (skb_tailroom(skb: chunk->skb) < len)
155	return -ENOSPC;
156
157	chunk->subh.err_hdr = sctp_addto_chunk(chunk, len: sizeof(err), data: &err);
158
159	return 0;
160	}
161
162	/* 3.3.2 Initiation (INIT) (1)
163	*
164	* This chunk is used to initiate a SCTP association between two
165	* endpoints. The format of the INIT chunk is shown below:
166	*
167	* 0 1 2 3
168	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
169	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
170	* | Type = 1 | Chunk Flags | Chunk Length |
171	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
172	* | Initiate Tag |
173	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
174	* | Advertised Receiver Window Credit (a_rwnd) |
175	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
176	* | Number of Outbound Streams | Number of Inbound Streams |
177	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
178	* | Initial TSN |
179	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
180	* \ \
181	* / Optional/Variable-Length Parameters /
182	* \ \
183	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
184	*
185	*
186	* The INIT chunk contains the following parameters. Unless otherwise
187	* noted, each parameter MUST only be included once in the INIT chunk.
188	*
189	* Fixed Parameters Status
190	* ----------------------------------------------
191	* Initiate Tag Mandatory
192	* Advertised Receiver Window Credit Mandatory
193	* Number of Outbound Streams Mandatory
194	* Number of Inbound Streams Mandatory
195	* Initial TSN Mandatory
196	*
197	* Variable Parameters Status Type Value
198	* -------------------------------------------------------------
199	* IPv4 Address (Note 1) Optional 5
200	* IPv6 Address (Note 1) Optional 6
201	* Cookie Preservative Optional 9
202	* Reserved for ECN Capable (Note 2) Optional 32768 (0x8000)
203	* Host Name Address (Note 3) Optional 11
204	* Supported Address Types (Note 4) Optional 12
205	*/
206	struct sctp_chunk *sctp_make_init(const struct sctp_association *asoc,
207	const struct sctp_bind_addr *bp,
208	gfp_t gfp, int vparam_len)
209	{
210	struct sctp_supported_ext_param ext_param;
211	struct sctp_adaptation_ind_param aiparam;
212	struct sctp_paramhdr *auth_chunks = NULL;
213	struct sctp_paramhdr *auth_hmacs = NULL;
214	struct sctp_supported_addrs_param sat;
215	struct sctp_endpoint *ep = asoc->ep;
216	struct sctp_chunk *retval = NULL;
217	int num_types, addrs_len = 0;
218	struct sctp_inithdr init;
219	union sctp_params addrs;
220	struct sctp_sock *sp;
221	__u8 extensions[5];
222	size_t chunksize;
223	__be16 types[2];
224	int num_ext = 0;
225
226	/* RFC 2960 3.3.2 Initiation (INIT) (1)
227	*
228	* Note 1: The INIT chunks can contain multiple addresses that
229	* can be IPv4 and/or IPv6 in any combination.
230	*/
231
232	/* Convert the provided bind address list to raw format. */
233	addrs = sctp_bind_addrs_to_raw(bp, addrs_len: &addrs_len, gfp);
234
235	init.init_tag = htonl(asoc->c.my_vtag);
236	init.a_rwnd = htonl(asoc->rwnd);
237	init.num_outbound_streams = htons(asoc->c.sinit_num_ostreams);
238	init.num_inbound_streams = htons(asoc->c.sinit_max_instreams);
239	init.initial_tsn = htonl(asoc->c.initial_tsn);
240
241	/* How many address types are needed? */
242	sp = sctp_sk(asoc->base.sk);
243	num_types = sp->pf->supported_addrs(sp, types);
244
245	chunksize = sizeof(init) + addrs_len;
246	chunksize += SCTP_PAD4(SCTP_SAT_LEN(num_types));
247
248	if (asoc->ep->ecn_enable)
249	chunksize += sizeof(ecap_param);
250
251	if (asoc->ep->prsctp_enable)
252	chunksize += sizeof(prsctp_param);
253
254	/* ADDIP: Section 4.2.7:
255	* An implementation supporting this extension [ADDIP] MUST list
256	* the ASCONF,the ASCONF-ACK, and the AUTH chunks in its INIT and
257	* INIT-ACK parameters.
258	*/
259	if (asoc->ep->asconf_enable) {
260	extensions[num_ext] = SCTP_CID_ASCONF;
261	extensions[num_ext+1] = SCTP_CID_ASCONF_ACK;
262	num_ext += 2;
263	}
264
265	if (asoc->ep->reconf_enable) {
266	extensions[num_ext] = SCTP_CID_RECONF;
267	num_ext += 1;
268	}
269
270	if (sp->adaptation_ind)
271	chunksize += sizeof(aiparam);
272
273	if (asoc->ep->intl_enable) {
274	extensions[num_ext] = SCTP_CID_I_DATA;
275	num_ext += 1;
276	}
277
278	chunksize += vparam_len;
279
280	/* Account for AUTH related parameters */
281	if (ep->auth_enable) {
282	/* Add random parameter length*/
283	chunksize += sizeof(asoc->c.auth_random);
284
285	/* Add HMACS parameter length if any were defined */
286	auth_hmacs = (struct sctp_paramhdr *)asoc->c.auth_hmacs;
287	if (auth_hmacs->length)
288	chunksize += SCTP_PAD4(ntohs(auth_hmacs->length));
289	else
290	auth_hmacs = NULL;
291
292	/* Add CHUNKS parameter length */
293	auth_chunks = (struct sctp_paramhdr *)asoc->c.auth_chunks;
294	if (auth_chunks->length)
295	chunksize += SCTP_PAD4(ntohs(auth_chunks->length));
296	else
297	auth_chunks = NULL;
298
299	extensions[num_ext] = SCTP_CID_AUTH;
300	num_ext += 1;
301	}
302
303	/* If we have any extensions to report, account for that */
304	if (num_ext)
305	chunksize += SCTP_PAD4(sizeof(ext_param) + num_ext);
306
307	/* RFC 2960 3.3.2 Initiation (INIT) (1)
308	*
309	* Note 3: An INIT chunk MUST NOT contain more than one Host
310	* Name address parameter. Moreover, the sender of the INIT
311	* MUST NOT combine any other address types with the Host Name
312	* address in the INIT. The receiver of INIT MUST ignore any
313	* other address types if the Host Name address parameter is
314	* present in the received INIT chunk.
315	*
316	* PLEASE DO NOT FIXME [This version does not support Host Name.]
317	*/
318
319	retval = sctp_make_control(asoc, type: SCTP_CID_INIT, flags: 0, paylen: chunksize, gfp);
320	if (!retval)
321	goto nodata;
322
323	retval->subh.init_hdr =
324	sctp_addto_chunk(retval, len: sizeof(init), data: &init);
325	retval->param_hdr.v =
326	sctp_addto_chunk(retval, len: addrs_len, data: addrs.v);
327
328	/* RFC 2960 3.3.2 Initiation (INIT) (1)
329	*
330	* Note 4: This parameter, when present, specifies all the
331	* address types the sending endpoint can support. The absence
332	* of this parameter indicates that the sending endpoint can
333	* support any address type.
334	*/
335	sat.param_hdr.type = SCTP_PARAM_SUPPORTED_ADDRESS_TYPES;
336	sat.param_hdr.length = htons(SCTP_SAT_LEN(num_types));
337	sctp_addto_chunk(retval, len: sizeof(sat), data: &sat);
338	sctp_addto_chunk(retval, len: num_types * sizeof(__u16), data: &types);
339
340	if (asoc->ep->ecn_enable)
341	sctp_addto_chunk(retval, len: sizeof(ecap_param), data: &ecap_param);
342
343	/* Add the supported extensions parameter. Be nice and add this
344	* fist before addiding the parameters for the extensions themselves
345	*/
346	if (num_ext) {
347	ext_param.param_hdr.type = SCTP_PARAM_SUPPORTED_EXT;
348	ext_param.param_hdr.length = htons(sizeof(ext_param) + num_ext);
349	sctp_addto_chunk(retval, len: sizeof(ext_param), data: &ext_param);
350	sctp_addto_param(chunk: retval, len: num_ext, data: extensions);
351	}
352
353	if (asoc->ep->prsctp_enable)
354	sctp_addto_chunk(retval, len: sizeof(prsctp_param), data: &prsctp_param);
355
356	if (sp->adaptation_ind) {
357	aiparam.param_hdr.type = SCTP_PARAM_ADAPTATION_LAYER_IND;
358	aiparam.param_hdr.length = htons(sizeof(aiparam));
359	aiparam.adaptation_ind = htonl(sp->adaptation_ind);
360	sctp_addto_chunk(retval, len: sizeof(aiparam), data: &aiparam);
361	}
362
363	/* Add SCTP-AUTH chunks to the parameter list */
364	if (ep->auth_enable) {
365	sctp_addto_chunk(retval, len: sizeof(asoc->c.auth_random),
366	data: asoc->c.auth_random);
367	if (auth_hmacs)
368	sctp_addto_chunk(retval, ntohs(auth_hmacs->length),
369	data: auth_hmacs);
370	if (auth_chunks)
371	sctp_addto_chunk(retval, ntohs(auth_chunks->length),
372	data: auth_chunks);
373	}
374	nodata:
375	kfree(objp: addrs.v);
376	return retval;
377	}
378
379	struct sctp_chunk *sctp_make_init_ack(const struct sctp_association *asoc,
380	const struct sctp_chunk *chunk,
381	gfp_t gfp, int unkparam_len)
382	{
383	struct sctp_supported_ext_param ext_param;
384	struct sctp_adaptation_ind_param aiparam;
385	struct sctp_paramhdr *auth_chunks = NULL;
386	struct sctp_paramhdr *auth_random = NULL;
387	struct sctp_paramhdr *auth_hmacs = NULL;
388	struct sctp_chunk *retval = NULL;
389	struct sctp_cookie_param *cookie;
390	struct sctp_inithdr initack;
391	union sctp_params addrs;
392	struct sctp_sock *sp;
393	__u8 extensions[5];
394	size_t chunksize;
395	int num_ext = 0;
396	int cookie_len;
397	int addrs_len;
398
399	/* Note: there may be no addresses to embed. */
400	addrs = sctp_bind_addrs_to_raw(bp: &asoc->base.bind_addr, addrs_len: &addrs_len, gfp);
401
402	initack.init_tag = htonl(asoc->c.my_vtag);
403	initack.a_rwnd = htonl(asoc->rwnd);
404	initack.num_outbound_streams = htons(asoc->c.sinit_num_ostreams);
405	initack.num_inbound_streams = htons(asoc->c.sinit_max_instreams);
406	initack.initial_tsn = htonl(asoc->c.initial_tsn);
407
408	/* FIXME: We really ought to build the cookie right
409	* into the packet instead of allocating more fresh memory.
410	*/
411	cookie = sctp_pack_cookie(ep: asoc->ep, asoc, init_chunk: chunk, cookie_len: &cookie_len,
412	raw_addrs: addrs.v, addrs_len);
413	if (!cookie)
414	goto nomem_cookie;
415
416	/* Calculate the total size of allocation, include the reserved
417	* space for reporting unknown parameters if it is specified.
418	*/
419	sp = sctp_sk(asoc->base.sk);
420	chunksize = sizeof(initack) + addrs_len + cookie_len + unkparam_len;
421
422	/* Tell peer that we'll do ECN only if peer advertised such cap. */
423	if (asoc->peer.ecn_capable)
424	chunksize += sizeof(ecap_param);
425
426	if (asoc->peer.prsctp_capable)
427	chunksize += sizeof(prsctp_param);
428
429	if (asoc->peer.asconf_capable) {
430	extensions[num_ext] = SCTP_CID_ASCONF;
431	extensions[num_ext+1] = SCTP_CID_ASCONF_ACK;
432	num_ext += 2;
433	}
434
435	if (asoc->peer.reconf_capable) {
436	extensions[num_ext] = SCTP_CID_RECONF;
437	num_ext += 1;
438	}
439
440	if (sp->adaptation_ind)
441	chunksize += sizeof(aiparam);
442
443	if (asoc->peer.intl_capable) {
444	extensions[num_ext] = SCTP_CID_I_DATA;
445	num_ext += 1;
446	}
447
448	if (asoc->peer.auth_capable) {
449	auth_random = (struct sctp_paramhdr *)asoc->c.auth_random;
450	chunksize += ntohs(auth_random->length);
451
452	auth_hmacs = (struct sctp_paramhdr *)asoc->c.auth_hmacs;
453	if (auth_hmacs->length)
454	chunksize += SCTP_PAD4(ntohs(auth_hmacs->length));
455	else
456	auth_hmacs = NULL;
457
458	auth_chunks = (struct sctp_paramhdr *)asoc->c.auth_chunks;
459	if (auth_chunks->length)
460	chunksize += SCTP_PAD4(ntohs(auth_chunks->length));
461	else
462	auth_chunks = NULL;
463
464	extensions[num_ext] = SCTP_CID_AUTH;
465	num_ext += 1;
466	}
467
468	if (num_ext)
469	chunksize += SCTP_PAD4(sizeof(ext_param) + num_ext);
470
471	/* Now allocate and fill out the chunk. */
472	retval = sctp_make_control(asoc, type: SCTP_CID_INIT_ACK, flags: 0, paylen: chunksize, gfp);
473	if (!retval)
474	goto nomem_chunk;
475
476	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
477	*
478	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
479	* HEARTBEAT ACK, * etc.) to the same destination transport
480	* address from which it received the DATA or control chunk
481	* to which it is replying.
482	*
483	* [INIT ACK back to where the INIT came from.]
484	*/
485	if (chunk->transport)
486	retval->transport =
487	sctp_assoc_lookup_paddr(asoc,
488	&chunk->transport->ipaddr);
489
490	retval->subh.init_hdr =
491	sctp_addto_chunk(retval, len: sizeof(initack), data: &initack);
492	retval->param_hdr.v = sctp_addto_chunk(retval, len: addrs_len, data: addrs.v);
493	sctp_addto_chunk(retval, len: cookie_len, data: cookie);
494	if (asoc->peer.ecn_capable)
495	sctp_addto_chunk(retval, len: sizeof(ecap_param), data: &ecap_param);
496	if (num_ext) {
497	ext_param.param_hdr.type = SCTP_PARAM_SUPPORTED_EXT;
498	ext_param.param_hdr.length = htons(sizeof(ext_param) + num_ext);
499	sctp_addto_chunk(retval, len: sizeof(ext_param), data: &ext_param);
500	sctp_addto_param(chunk: retval, len: num_ext, data: extensions);
501	}
502	if (asoc->peer.prsctp_capable)
503	sctp_addto_chunk(retval, len: sizeof(prsctp_param), data: &prsctp_param);
504
505	if (sp->adaptation_ind) {
506	aiparam.param_hdr.type = SCTP_PARAM_ADAPTATION_LAYER_IND;
507	aiparam.param_hdr.length = htons(sizeof(aiparam));
508	aiparam.adaptation_ind = htonl(sp->adaptation_ind);
509	sctp_addto_chunk(retval, len: sizeof(aiparam), data: &aiparam);
510	}
511
512	if (asoc->peer.auth_capable) {
513	sctp_addto_chunk(retval, ntohs(auth_random->length),
514	data: auth_random);
515	if (auth_hmacs)
516	sctp_addto_chunk(retval, ntohs(auth_hmacs->length),
517	data: auth_hmacs);
518	if (auth_chunks)
519	sctp_addto_chunk(retval, ntohs(auth_chunks->length),
520	data: auth_chunks);
521	}
522
523	/* We need to remove the const qualifier at this point. */
524	retval->asoc = (struct sctp_association *) asoc;
525
526	nomem_chunk:
527	kfree(objp: cookie);
528	nomem_cookie:
529	kfree(objp: addrs.v);
530	return retval;
531	}
532
533	/* 3.3.11 Cookie Echo (COOKIE ECHO) (10):
534	*
535	* This chunk is used only during the initialization of an association.
536	* It is sent by the initiator of an association to its peer to complete
537	* the initialization process. This chunk MUST precede any DATA chunk
538	* sent within the association, but MAY be bundled with one or more DATA
539	* chunks in the same packet.
540	*
541	* 0 1 2 3
542	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
543	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
544	* | Type = 10 |Chunk Flags | Length |
545	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
546	* / Cookie /
547	* \ \
548	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
549	*
550	* Chunk Flags: 8 bit
551	*
552	* Set to zero on transmit and ignored on receipt.
553	*
554	* Length: 16 bits (unsigned integer)
555	*
556	* Set to the size of the chunk in bytes, including the 4 bytes of
557	* the chunk header and the size of the Cookie.
558	*
559	* Cookie: variable size
560	*
561	* This field must contain the exact cookie received in the
562	* State Cookie parameter from the previous INIT ACK.
563	*
564	* An implementation SHOULD make the cookie as small as possible
565	* to insure interoperability.
566	*/
567	struct sctp_chunk *sctp_make_cookie_echo(const struct sctp_association *asoc,
568	const struct sctp_chunk *chunk)
569	{
570	struct sctp_chunk *retval;
571	int cookie_len;
572	void *cookie;
573
574	cookie = asoc->peer.cookie;
575	cookie_len = asoc->peer.cookie_len;
576
577	/* Build a cookie echo chunk. */
578	retval = sctp_make_control(asoc, type: SCTP_CID_COOKIE_ECHO, flags: 0,
579	paylen: cookie_len, GFP_ATOMIC);
580	if (!retval)
581	goto nodata;
582	retval->subh.cookie_hdr =
583	sctp_addto_chunk(retval, len: cookie_len, data: cookie);
584
585	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
586	*
587	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
588	* HEARTBEAT ACK, * etc.) to the same destination transport
589	* address from which it * received the DATA or control chunk
590	* to which it is replying.
591	*
592	* [COOKIE ECHO back to where the INIT ACK came from.]
593	*/
594	if (chunk)
595	retval->transport = chunk->transport;
596
597	nodata:
598	return retval;
599	}
600
601	/* 3.3.12 Cookie Acknowledgement (COOKIE ACK) (11):
602	*
603	* This chunk is used only during the initialization of an
604	* association. It is used to acknowledge the receipt of a COOKIE
605	* ECHO chunk. This chunk MUST precede any DATA or SACK chunk sent
606	* within the association, but MAY be bundled with one or more DATA
607	* chunks or SACK chunk in the same SCTP packet.
608	*
609	* 0 1 2 3
610	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
611	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
612	* | Type = 11 |Chunk Flags | Length = 4 |
613	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
614	*
615	* Chunk Flags: 8 bits
616	*
617	* Set to zero on transmit and ignored on receipt.
618	*/
619	struct sctp_chunk *sctp_make_cookie_ack(const struct sctp_association *asoc,
620	const struct sctp_chunk *chunk)
621	{
622	struct sctp_chunk *retval;
623
624	retval = sctp_make_control(asoc, type: SCTP_CID_COOKIE_ACK, flags: 0, paylen: 0, GFP_ATOMIC);
625
626	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
627	*
628	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
629	* HEARTBEAT ACK, * etc.) to the same destination transport
630	* address from which it * received the DATA or control chunk
631	* to which it is replying.
632	*
633	* [COOKIE ACK back to where the COOKIE ECHO came from.]
634	*/
635	if (retval && chunk && chunk->transport)
636	retval->transport =
637	sctp_assoc_lookup_paddr(asoc,
638	&chunk->transport->ipaddr);
639
640	return retval;
641	}
642
643	/*
644	* Appendix A: Explicit Congestion Notification:
645	* CWR:
646	*
647	* RFC 2481 details a specific bit for a sender to send in the header of
648	* its next outbound TCP segment to indicate to its peer that it has
649	* reduced its congestion window. This is termed the CWR bit. For
650	* SCTP the same indication is made by including the CWR chunk.
651	* This chunk contains one data element, i.e. the TSN number that
652	* was sent in the ECNE chunk. This element represents the lowest
653	* TSN number in the datagram that was originally marked with the
654	* CE bit.
655	*
656	* 0 1 2 3
657	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
658	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
659	* | Chunk Type=13 | Flags=00000000| Chunk Length = 8 |
660	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
661	* | Lowest TSN Number |
662	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
663	*
664	* Note: The CWR is considered a Control chunk.
665	*/
666	struct sctp_chunk *sctp_make_cwr(const struct sctp_association *asoc,
667	const __u32 lowest_tsn,
668	const struct sctp_chunk *chunk)
669	{
670	struct sctp_chunk *retval;
671	struct sctp_cwrhdr cwr;
672
673	cwr.lowest_tsn = htonl(lowest_tsn);
674	retval = sctp_make_control(asoc, type: SCTP_CID_ECN_CWR, flags: 0,
675	paylen: sizeof(cwr), GFP_ATOMIC);
676
677	if (!retval)
678	goto nodata;
679
680	retval->subh.ecn_cwr_hdr =
681	sctp_addto_chunk(retval, len: sizeof(cwr), data: &cwr);
682
683	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
684	*
685	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
686	* HEARTBEAT ACK, * etc.) to the same destination transport
687	* address from which it * received the DATA or control chunk
688	* to which it is replying.
689	*
690	* [Report a reduced congestion window back to where the ECNE
691	* came from.]
692	*/
693	if (chunk)
694	retval->transport = chunk->transport;
695
696	nodata:
697	return retval;
698	}
699
700	/* Make an ECNE chunk. This is a congestion experienced report. */
701	struct sctp_chunk *sctp_make_ecne(const struct sctp_association *asoc,
702	const __u32 lowest_tsn)
703	{
704	struct sctp_chunk *retval;
705	struct sctp_ecnehdr ecne;
706
707	ecne.lowest_tsn = htonl(lowest_tsn);
708	retval = sctp_make_control(asoc, type: SCTP_CID_ECN_ECNE, flags: 0,
709	paylen: sizeof(ecne), GFP_ATOMIC);
710	if (!retval)
711	goto nodata;
712	retval->subh.ecne_hdr =
713	sctp_addto_chunk(retval, len: sizeof(ecne), data: &ecne);
714
715	nodata:
716	return retval;
717	}
718
719	/* Make a DATA chunk for the given association from the provided
720	* parameters. However, do not populate the data payload.
721	*/
722	struct sctp_chunk *sctp_make_datafrag_empty(const struct sctp_association *asoc,
723	const struct sctp_sndrcvinfo *sinfo,
724	int len, __u8 flags, gfp_t gfp)
725	{
726	struct sctp_chunk *retval;
727	struct sctp_datahdr dp;
728
729	/* We assign the TSN as LATE as possible, not here when
730	* creating the chunk.
731	*/
732	memset(&dp, 0, sizeof(dp));
733	dp.ppid = sinfo->sinfo_ppid;
734	dp.stream = htons(sinfo->sinfo_stream);
735
736	/* Set the flags for an unordered send. */
737	if (sinfo->sinfo_flags & SCTP_UNORDERED)
738	flags |= SCTP_DATA_UNORDERED;
739
740	retval = sctp_make_data(asoc, flags, paylen: sizeof(dp) + len, gfp);
741	if (!retval)
742	return NULL;
743
744	retval->subh.data_hdr = sctp_addto_chunk(retval, len: sizeof(dp), data: &dp);
745	memcpy(&retval->sinfo, sinfo, sizeof(struct sctp_sndrcvinfo));
746
747	return retval;
748	}
749
750	/* Create a selective ackowledgement (SACK) for the given
751	* association. This reports on which TSN's we've seen to date,
752	* including duplicates and gaps.
753	*/
754	struct sctp_chunk *sctp_make_sack(struct sctp_association *asoc)
755	{
756	struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
757	struct sctp_gap_ack_block gabs[SCTP_MAX_GABS];
758	__u16 num_gabs, num_dup_tsns;
759	struct sctp_transport *trans;
760	struct sctp_chunk *retval;
761	struct sctp_sackhdr sack;
762	__u32 ctsn;
763	int len;
764
765	memset(gabs, 0, sizeof(gabs));
766	ctsn = sctp_tsnmap_get_ctsn(map);
767
768	pr_debug("%s: sackCTSNAck sent:0x%x\n", __func__, ctsn);
769
770	/* How much room is needed in the chunk? */
771	num_gabs = sctp_tsnmap_num_gabs(map, gabs);
772	num_dup_tsns = sctp_tsnmap_num_dups(map);
773
774	/* Initialize the SACK header. */
775	sack.cum_tsn_ack = htonl(ctsn);
776	sack.a_rwnd = htonl(asoc->a_rwnd);
777	sack.num_gap_ack_blocks = htons(num_gabs);
778	sack.num_dup_tsns = htons(num_dup_tsns);
779
780	len = sizeof(sack)
781	+ sizeof(struct sctp_gap_ack_block) * num_gabs
782	+ sizeof(__u32) * num_dup_tsns;
783
784	/* Create the chunk. */
785	retval = sctp_make_control(asoc, type: SCTP_CID_SACK, flags: 0, paylen: len, GFP_ATOMIC);
786	if (!retval)
787	goto nodata;
788
789	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
790	*
791	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
792	* HEARTBEAT ACK, etc.) to the same destination transport
793	* address from which it received the DATA or control chunk to
794	* which it is replying. This rule should also be followed if
795	* the endpoint is bundling DATA chunks together with the
796	* reply chunk.
797	*
798	* However, when acknowledging multiple DATA chunks received
799	* in packets from different source addresses in a single
800	* SACK, the SACK chunk may be transmitted to one of the
801	* destination transport addresses from which the DATA or
802	* control chunks being acknowledged were received.
803	*
804	* [BUG: We do not implement the following paragraph.
805	* Perhaps we should remember the last transport we used for a
806	* SACK and avoid that (if possible) if we have seen any
807	* duplicates. --piggy]
808	*
809	* When a receiver of a duplicate DATA chunk sends a SACK to a
810	* multi- homed endpoint it MAY be beneficial to vary the
811	* destination address and not use the source address of the
812	* DATA chunk. The reason being that receiving a duplicate
813	* from a multi-homed endpoint might indicate that the return
814	* path (as specified in the source address of the DATA chunk)
815	* for the SACK is broken.
816	*
817	* [Send to the address from which we last received a DATA chunk.]
818	*/
819	retval->transport = asoc->peer.last_data_from;
820
821	retval->subh.sack_hdr =
822	sctp_addto_chunk(retval, len: sizeof(sack), data: &sack);
823
824	/* Add the gap ack block information. */
825	if (num_gabs)
826	sctp_addto_chunk(retval, len: sizeof(__u32) * num_gabs,
827	data: gabs);
828
829	/* Add the duplicate TSN information. */
830	if (num_dup_tsns) {
831	asoc->stats.idupchunks += num_dup_tsns;
832	sctp_addto_chunk(retval, len: sizeof(__u32) * num_dup_tsns,
833	data: sctp_tsnmap_get_dups(map));
834	}
835	/* Once we have a sack generated, check to see what our sack
836	* generation is, if its 0, reset the transports to 0, and reset
837	* the association generation to 1
838	*
839	* The idea is that zero is never used as a valid generation for the
840	* association so no transport will match after a wrap event like this,
841	* Until the next sack
842	*/
843	if (++asoc->peer.sack_generation == 0) {
844	list_for_each_entry(trans, &asoc->peer.transport_addr_list,
845	transports)
846	trans->sack_generation = 0;
847	asoc->peer.sack_generation = 1;
848	}
849	nodata:
850	return retval;
851	}
852
853	/* Make a SHUTDOWN chunk. */
854	struct sctp_chunk *sctp_make_shutdown(const struct sctp_association *asoc,
855	const struct sctp_chunk *chunk)
856	{
857	struct sctp_shutdownhdr shut;
858	struct sctp_chunk *retval;
859	__u32 ctsn;
860
861	ctsn = sctp_tsnmap_get_ctsn(map: &asoc->peer.tsn_map);
862	shut.cum_tsn_ack = htonl(ctsn);
863
864	retval = sctp_make_control(asoc, type: SCTP_CID_SHUTDOWN, flags: 0,
865	paylen: sizeof(shut), GFP_ATOMIC);
866	if (!retval)
867	goto nodata;
868
869	retval->subh.shutdown_hdr =
870	sctp_addto_chunk(retval, len: sizeof(shut), data: &shut);
871
872	if (chunk)
873	retval->transport = chunk->transport;
874	nodata:
875	return retval;
876	}
877
878	struct sctp_chunk *sctp_make_shutdown_ack(const struct sctp_association *asoc,
879	const struct sctp_chunk *chunk)
880	{
881	struct sctp_chunk *retval;
882
883	retval = sctp_make_control(asoc, type: SCTP_CID_SHUTDOWN_ACK, flags: 0, paylen: 0,
884	GFP_ATOMIC);
885
886	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
887	*
888	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
889	* HEARTBEAT ACK, * etc.) to the same destination transport
890	* address from which it * received the DATA or control chunk
891	* to which it is replying.
892	*
893	* [ACK back to where the SHUTDOWN came from.]
894	*/
895	if (retval && chunk)
896	retval->transport = chunk->transport;
897
898	return retval;
899	}
900
901	struct sctp_chunk *sctp_make_shutdown_complete(
902	const struct sctp_association *asoc,
903	const struct sctp_chunk *chunk)
904	{
905	struct sctp_chunk *retval;
906	__u8 flags = 0;
907
908	/* Set the T-bit if we have no association (vtag will be
909	* reflected)
910	*/
911	flags |= asoc ? 0 : SCTP_CHUNK_FLAG_T;
912
913	retval = sctp_make_control(asoc, type: SCTP_CID_SHUTDOWN_COMPLETE, flags,
914	paylen: 0, GFP_ATOMIC);
915
916	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
917	*
918	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
919	* HEARTBEAT ACK, * etc.) to the same destination transport
920	* address from which it * received the DATA or control chunk
921	* to which it is replying.
922	*
923	* [Report SHUTDOWN COMPLETE back to where the SHUTDOWN ACK
924	* came from.]
925	*/
926	if (retval && chunk)
927	retval->transport = chunk->transport;
928
929	return retval;
930	}
931
932	/* Create an ABORT. Note that we set the T bit if we have no
933	* association, except when responding to an INIT (sctpimpguide 2.41).
934	*/
935	struct sctp_chunk *sctp_make_abort(const struct sctp_association *asoc,
936	const struct sctp_chunk *chunk,
937	const size_t hint)
938	{
939	struct sctp_chunk *retval;
940	__u8 flags = 0;
941
942	/* Set the T-bit if we have no association and 'chunk' is not
943	* an INIT (vtag will be reflected).
944	*/
945	if (!asoc) {
946	if (chunk && chunk->chunk_hdr &&
947	chunk->chunk_hdr->type == SCTP_CID_INIT)
948	flags = 0;
949	else
950	flags = SCTP_CHUNK_FLAG_T;
951	}
952
953	retval = sctp_make_control(asoc, type: SCTP_CID_ABORT, flags, paylen: hint,
954	GFP_ATOMIC);
955
956	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
957	*
958	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
959	* HEARTBEAT ACK, * etc.) to the same destination transport
960	* address from which it * received the DATA or control chunk
961	* to which it is replying.
962	*
963	* [ABORT back to where the offender came from.]
964	*/
965	if (retval && chunk)
966	retval->transport = chunk->transport;
967
968	return retval;
969	}
970
971	/* Helper to create ABORT with a NO_USER_DATA error. */
972	struct sctp_chunk *sctp_make_abort_no_data(
973	const struct sctp_association *asoc,
974	const struct sctp_chunk *chunk,
975	__u32 tsn)
976	{
977	struct sctp_chunk *retval;
978	__be32 payload;
979
980	retval = sctp_make_abort(asoc, chunk,
981	hint: sizeof(struct sctp_errhdr) + sizeof(tsn));
982
983	if (!retval)
984	goto no_mem;
985
986	/* Put the tsn back into network byte order. */
987	payload = htonl(tsn);
988	sctp_init_cause(chunk: retval, cause_code: SCTP_ERROR_NO_DATA, paylen: sizeof(payload));
989	sctp_addto_chunk(retval, len: sizeof(payload), data: (const void *)&payload);
990
991	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
992	*
993	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
994	* HEARTBEAT ACK, * etc.) to the same destination transport
995	* address from which it * received the DATA or control chunk
996	* to which it is replying.
997	*
998	* [ABORT back to where the offender came from.]
999	*/
1000	if (chunk)
1001	retval->transport = chunk->transport;
1002
1003	no_mem:
1004	return retval;
1005	}
1006
1007	/* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error. */
1008	struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc,
1009	struct msghdr *msg,
1010	size_t paylen)
1011	{
1012	struct sctp_chunk *retval;
1013	void *payload = NULL;
1014	int err;
1015
1016	retval = sctp_make_abort(asoc, NULL,
1017	hint: sizeof(struct sctp_errhdr) + paylen);
1018	if (!retval)
1019	goto err_chunk;
1020
1021	if (paylen) {
1022	/* Put the msg_iov together into payload. */
1023	payload = kmalloc(size: paylen, GFP_KERNEL);
1024	if (!payload)
1025	goto err_payload;
1026
1027	err = memcpy_from_msg(data: payload, msg, len: paylen);
1028	if (err < 0)
1029	goto err_copy;
1030	}
1031
1032	sctp_init_cause(chunk: retval, cause_code: SCTP_ERROR_USER_ABORT, paylen);
1033	sctp_addto_chunk(retval, len: paylen, data: payload);
1034
1035	if (paylen)
1036	kfree(objp: payload);
1037
1038	return retval;
1039
1040	err_copy:
1041	kfree(objp: payload);
1042	err_payload:
1043	sctp_chunk_free(retval);
1044	retval = NULL;
1045	err_chunk:
1046	return retval;
1047	}
1048
1049	/* Append bytes to the end of a parameter. Will panic if chunk is not big
1050	* enough.
1051	*/
1052	static void *sctp_addto_param(struct sctp_chunk *chunk, int len,
1053	const void *data)
1054	{
1055	int chunklen = ntohs(chunk->chunk_hdr->length);
1056	void *target;
1057
1058	target = skb_put(skb: chunk->skb, len);
1059
1060	if (data)
1061	memcpy(target, data, len);
1062	else
1063	memset(target, 0, len);
1064
1065	/* Adjust the chunk length field. */
1066	chunk->chunk_hdr->length = htons(chunklen + len);
1067	chunk->chunk_end = skb_tail_pointer(skb: chunk->skb);
1068
1069	return target;
1070	}
1071
1072	/* Make an ABORT chunk with a PROTOCOL VIOLATION cause code. */
1073	struct sctp_chunk *sctp_make_abort_violation(
1074	const struct sctp_association *asoc,
1075	const struct sctp_chunk *chunk,
1076	const __u8 *payload,
1077	const size_t paylen)
1078	{
1079	struct sctp_chunk *retval;
1080	struct sctp_paramhdr phdr;
1081
1082	retval = sctp_make_abort(asoc, chunk, hint: sizeof(struct sctp_errhdr) +
1083	paylen + sizeof(phdr));
1084	if (!retval)
1085	goto end;
1086
1087	sctp_init_cause(chunk: retval, cause_code: SCTP_ERROR_PROTO_VIOLATION, paylen: paylen +
1088	sizeof(phdr));
1089
1090	phdr.type = htons(chunk->chunk_hdr->type);
1091	phdr.length = chunk->chunk_hdr->length;
1092	sctp_addto_chunk(retval, len: paylen, data: payload);
1093	sctp_addto_param(chunk: retval, len: sizeof(phdr), data: &phdr);
1094
1095	end:
1096	return retval;
1097	}
1098
1099	struct sctp_chunk *sctp_make_violation_paramlen(
1100	const struct sctp_association *asoc,
1101	const struct sctp_chunk *chunk,
1102	struct sctp_paramhdr *param)
1103	{
1104	static const char error[] = "The following parameter had invalid length:";
1105	size_t payload_len = sizeof(error) + sizeof(struct sctp_errhdr) +
1106	sizeof(*param);
1107	struct sctp_chunk *retval;
1108
1109	retval = sctp_make_abort(asoc, chunk, hint: payload_len);
1110	if (!retval)
1111	goto nodata;
1112
1113	sctp_init_cause(chunk: retval, cause_code: SCTP_ERROR_PROTO_VIOLATION,
1114	paylen: sizeof(error) + sizeof(*param));
1115	sctp_addto_chunk(retval, len: sizeof(error), data: error);
1116	sctp_addto_param(chunk: retval, len: sizeof(*param), data: param);
1117
1118	nodata:
1119	return retval;
1120	}
1121
1122	struct sctp_chunk *sctp_make_violation_max_retrans(
1123	const struct sctp_association *asoc,
1124	const struct sctp_chunk *chunk)
1125	{
1126	static const char error[] = "Association exceeded its max_retrans count";
1127	size_t payload_len = sizeof(error) + sizeof(struct sctp_errhdr);
1128	struct sctp_chunk *retval;
1129
1130	retval = sctp_make_abort(asoc, chunk, hint: payload_len);
1131	if (!retval)
1132	goto nodata;
1133
1134	sctp_init_cause(chunk: retval, cause_code: SCTP_ERROR_PROTO_VIOLATION, paylen: sizeof(error));
1135	sctp_addto_chunk(retval, len: sizeof(error), data: error);
1136
1137	nodata:
1138	return retval;
1139	}
1140
1141	struct sctp_chunk *sctp_make_new_encap_port(const struct sctp_association *asoc,
1142	const struct sctp_chunk *chunk)
1143	{
1144	struct sctp_new_encap_port_hdr nep;
1145	struct sctp_chunk *retval;
1146
1147	retval = sctp_make_abort(asoc, chunk,
1148	hint: sizeof(struct sctp_errhdr) + sizeof(nep));
1149	if (!retval)
1150	goto nodata;
1151
1152	sctp_init_cause(chunk: retval, cause_code: SCTP_ERROR_NEW_ENCAP_PORT, paylen: sizeof(nep));
1153	nep.cur_port = SCTP_INPUT_CB(chunk->skb)->encap_port;
1154	nep.new_port = chunk->transport->encap_port;
1155	sctp_addto_chunk(retval, len: sizeof(nep), data: &nep);
1156
1157	nodata:
1158	return retval;
1159	}
1160
1161	/* Make a HEARTBEAT chunk. */
1162	struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *asoc,
1163	const struct sctp_transport *transport,
1164	__u32 probe_size)
1165	{
1166	struct sctp_sender_hb_info hbinfo = {};
1167	struct sctp_chunk *retval;
1168
1169	retval = sctp_make_control(asoc, type: SCTP_CID_HEARTBEAT, flags: 0,
1170	paylen: sizeof(hbinfo), GFP_ATOMIC);
1171
1172	if (!retval)
1173	goto nodata;
1174
1175	hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
1176	hbinfo.param_hdr.length = htons(sizeof(hbinfo));
1177	hbinfo.daddr = transport->ipaddr;
1178	hbinfo.sent_at = jiffies;
1179	hbinfo.hb_nonce = transport->hb_nonce;
1180	hbinfo.probe_size = probe_size;
1181
1182	/* Cast away the 'const', as this is just telling the chunk
1183	* what transport it belongs to.
1184	*/
1185	retval->transport = (struct sctp_transport *) transport;
1186	retval->subh.hbs_hdr = sctp_addto_chunk(retval, len: sizeof(hbinfo),
1187	data: &hbinfo);
1188	retval->pmtu_probe = !!probe_size;
1189
1190	nodata:
1191	return retval;
1192	}
1193
1194	struct sctp_chunk *sctp_make_heartbeat_ack(const struct sctp_association *asoc,
1195	const struct sctp_chunk *chunk,
1196	const void *payload,
1197	const size_t paylen)
1198	{
1199	struct sctp_chunk *retval;
1200
1201	retval = sctp_make_control(asoc, type: SCTP_CID_HEARTBEAT_ACK, flags: 0, paylen,
1202	GFP_ATOMIC);
1203	if (!retval)
1204	goto nodata;
1205
1206	retval->subh.hbs_hdr = sctp_addto_chunk(retval, len: paylen, data: payload);
1207
1208	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
1209	*
1210	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
1211	* HEARTBEAT ACK, * etc.) to the same destination transport
1212	* address from which it * received the DATA or control chunk
1213	* to which it is replying.
1214	*
1215	* [HBACK back to where the HEARTBEAT came from.]
1216	*/
1217	if (chunk)
1218	retval->transport = chunk->transport;
1219
1220	nodata:
1221	return retval;
1222	}
1223
1224	/* RFC4820 3. Padding Chunk (PAD)
1225	* 0 1 2 3
1226	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1227	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1228	* | Type = 0x84 | Flags=0 | Length |
1229	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1230	* | |
1231	* \ Padding Data /
1232	* / \
1233	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1234	*/
1235	struct sctp_chunk *sctp_make_pad(const struct sctp_association *asoc, int len)
1236	{
1237	struct sctp_chunk *retval;
1238
1239	retval = sctp_make_control(asoc, type: SCTP_CID_PAD, flags: 0, paylen: len, GFP_ATOMIC);
1240	if (!retval)
1241	return NULL;
1242
1243	skb_put_zero(skb: retval->skb, len);
1244	retval->chunk_hdr->length = htons(ntohs(retval->chunk_hdr->length) + len);
1245	retval->chunk_end = skb_tail_pointer(skb: retval->skb);
1246
1247	return retval;
1248	}
1249
1250	/* Create an Operation Error chunk with the specified space reserved.
1251	* This routine can be used for containing multiple causes in the chunk.
1252	*/
1253	static struct sctp_chunk *sctp_make_op_error_space(
1254	const struct sctp_association *asoc,
1255	const struct sctp_chunk *chunk,
1256	size_t size)
1257	{
1258	struct sctp_chunk *retval;
1259
1260	retval = sctp_make_control(asoc, type: SCTP_CID_ERROR, flags: 0,
1261	paylen: sizeof(struct sctp_errhdr) + size,
1262	GFP_ATOMIC);
1263	if (!retval)
1264	goto nodata;
1265
1266	/* RFC 2960 6.4 Multi-homed SCTP Endpoints
1267	*
1268	* An endpoint SHOULD transmit reply chunks (e.g., SACK,
1269	* HEARTBEAT ACK, etc.) to the same destination transport
1270	* address from which it received the DATA or control chunk
1271	* to which it is replying.
1272	*
1273	*/
1274	if (chunk)
1275	retval->transport = chunk->transport;
1276
1277	nodata:
1278	return retval;
1279	}
1280
1281	/* Create an Operation Error chunk of a fixed size, specifically,
1282	* min(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT) - overheads.
1283	* This is a helper function to allocate an error chunk for those
1284	* invalid parameter codes in which we may not want to report all the
1285	* errors, if the incoming chunk is large. If it can't fit in a single
1286	* packet, we ignore it.
1287	*/
1288	static inline struct sctp_chunk *sctp_make_op_error_limited(
1289	const struct sctp_association *asoc,
1290	const struct sctp_chunk *chunk)
1291	{
1292	size_t size = SCTP_DEFAULT_MAXSEGMENT;
1293	struct sctp_sock *sp = NULL;
1294
1295	if (asoc) {
1296	size = min_t(size_t, size, asoc->pathmtu);
1297	sp = sctp_sk(asoc->base.sk);
1298	}
1299
1300	size = sctp_mtu_payload(sp, mtu: size, extra: sizeof(struct sctp_errhdr));
1301
1302	return sctp_make_op_error_space(asoc, chunk, size);
1303	}
1304
1305	/* Create an Operation Error chunk. */
1306	struct sctp_chunk *sctp_make_op_error(const struct sctp_association *asoc,
1307	const struct sctp_chunk *chunk,
1308	__be16 cause_code, const void *payload,
1309	size_t paylen, size_t reserve_tail)
1310	{
1311	struct sctp_chunk *retval;
1312
1313	retval = sctp_make_op_error_space(asoc, chunk, size: paylen + reserve_tail);
1314	if (!retval)
1315	goto nodata;
1316
1317	sctp_init_cause(chunk: retval, cause_code, paylen: paylen + reserve_tail);
1318	sctp_addto_chunk(retval, len: paylen, data: payload);
1319	if (reserve_tail)
1320	sctp_addto_param(chunk: retval, len: reserve_tail, NULL);
1321
1322	nodata:
1323	return retval;
1324	}
1325
1326	struct sctp_chunk *sctp_make_auth(const struct sctp_association *asoc,
1327	__u16 key_id)
1328	{
1329	struct sctp_authhdr auth_hdr;
1330	struct sctp_hmac *hmac_desc;
1331	struct sctp_chunk *retval;
1332
1333	/* Get the first hmac that the peer told us to use */
1334	hmac_desc = sctp_auth_asoc_get_hmac(asoc);
1335	if (unlikely(!hmac_desc))
1336	return NULL;
1337
1338	retval = sctp_make_control(asoc, type: SCTP_CID_AUTH, flags: 0,
1339	paylen: hmac_desc->hmac_len + sizeof(auth_hdr),
1340	GFP_ATOMIC);
1341	if (!retval)
1342	return NULL;
1343
1344	auth_hdr.hmac_id = htons(hmac_desc->hmac_id);
1345	auth_hdr.shkey_id = htons(key_id);
1346
1347	retval->subh.auth_hdr = sctp_addto_chunk(retval, len: sizeof(auth_hdr),
1348	data: &auth_hdr);
1349
1350	skb_put_zero(skb: retval->skb, len: hmac_desc->hmac_len);
1351
1352	/* Adjust the chunk header to include the empty MAC */
1353	retval->chunk_hdr->length =
1354	htons(ntohs(retval->chunk_hdr->length) + hmac_desc->hmac_len);
1355	retval->chunk_end = skb_tail_pointer(skb: retval->skb);
1356
1357	return retval;
1358	}
1359
1360
1361	/********************************************************************
1362	* 2nd Level Abstractions
1363	********************************************************************/
1364
1365	/* Turn an skb into a chunk.
1366	* FIXME: Eventually move the structure directly inside the skb->cb[].
1367	*
1368	* sctpimpguide-05.txt Section 2.8.2
1369	* M1) Each time a new DATA chunk is transmitted
1370	* set the 'TSN.Missing.Report' count for that TSN to 0. The
1371	* 'TSN.Missing.Report' count will be used to determine missing chunks
1372	* and when to fast retransmit.
1373	*
1374	*/
1375	struct sctp_chunk *sctp_chunkify(struct sk_buff *skb,
1376	const struct sctp_association *asoc,
1377	struct sock *sk, gfp_t gfp)
1378	{
1379	struct sctp_chunk *retval;
1380
1381	retval = kmem_cache_zalloc(k: sctp_chunk_cachep, flags: gfp);
1382
1383	if (!retval)
1384	goto nodata;
1385	if (!sk)
1386	pr_debug("%s: chunkifying skb:%p w/o an sk\n", __func__, skb);
1387
1388	INIT_LIST_HEAD(list: &retval->list);
1389	retval->skb = skb;
1390	retval->asoc = (struct sctp_association *)asoc;
1391	retval->singleton = 1;
1392
1393	retval->fast_retransmit = SCTP_CAN_FRTX;
1394
1395	/* Polish the bead hole. */
1396	INIT_LIST_HEAD(list: &retval->transmitted_list);
1397	INIT_LIST_HEAD(list: &retval->frag_list);
1398	SCTP_DBG_OBJCNT_INC(chunk);
1399	refcount_set(r: &retval->refcnt, n: 1);
1400
1401	nodata:
1402	return retval;
1403	}
1404
1405	/* Set chunk->source and dest based on the IP header in chunk->skb. */
1406	void sctp_init_addrs(struct sctp_chunk *chunk, union sctp_addr *src,
1407	union sctp_addr *dest)
1408	{
1409	memcpy(&chunk->source, src, sizeof(union sctp_addr));
1410	memcpy(&chunk->dest, dest, sizeof(union sctp_addr));
1411	}
1412
1413	/* Extract the source address from a chunk. */
1414	const union sctp_addr *sctp_source(const struct sctp_chunk *chunk)
1415	{
1416	/* If we have a known transport, use that. */
1417	if (chunk->transport) {
1418	return &chunk->transport->ipaddr;
1419	} else {
1420	/* Otherwise, extract it from the IP header. */
1421	return &chunk->source;
1422	}
1423	}
1424
1425	/* Create a new chunk, setting the type and flags headers from the
1426	* arguments, reserving enough space for a 'paylen' byte payload.
1427	*/
1428	static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
1429	__u8 type, __u8 flags, int paylen,
1430	gfp_t gfp)
1431	{
1432	struct sctp_chunkhdr *chunk_hdr;
1433	struct sctp_chunk *retval;
1434	struct sk_buff *skb;
1435	struct sock *sk;
1436	int chunklen;
1437
1438	chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen);
1439	if (chunklen > SCTP_MAX_CHUNK_LEN)
1440	goto nodata;
1441
1442	/* No need to allocate LL here, as this is only a chunk. */
1443	skb = alloc_skb(size: chunklen, priority: gfp);
1444	if (!skb)
1445	goto nodata;
1446
1447	/* Make room for the chunk header. */
1448	chunk_hdr = (struct sctp_chunkhdr *)skb_put(skb, len: sizeof(*chunk_hdr));
1449	chunk_hdr->type = type;
1450	chunk_hdr->flags = flags;
1451	chunk_hdr->length = htons(sizeof(*chunk_hdr));
1452
1453	sk = asoc ? asoc->base.sk : NULL;
1454	retval = sctp_chunkify(skb, asoc, sk, gfp);
1455	if (!retval) {
1456	kfree_skb(skb);
1457	goto nodata;
1458	}
1459
1460	retval->chunk_hdr = chunk_hdr;
1461	retval->chunk_end = ((__u8 *)chunk_hdr) + sizeof(*chunk_hdr);
1462
1463	/* Determine if the chunk needs to be authenticated */
1464	if (sctp_auth_send_cid(chunk: type, asoc))
1465	retval->auth = 1;
1466
1467	return retval;
1468	nodata:
1469	return NULL;
1470	}
1471
1472	static struct sctp_chunk *sctp_make_data(const struct sctp_association *asoc,
1473	__u8 flags, int paylen, gfp_t gfp)
1474	{
1475	return _sctp_make_chunk(asoc, type: SCTP_CID_DATA, flags, paylen, gfp);
1476	}
1477
1478	struct sctp_chunk *sctp_make_idata(const struct sctp_association *asoc,
1479	__u8 flags, int paylen, gfp_t gfp)
1480	{
1481	return _sctp_make_chunk(asoc, type: SCTP_CID_I_DATA, flags, paylen, gfp);
1482	}
1483
1484	static struct sctp_chunk *sctp_make_control(const struct sctp_association *asoc,
1485	__u8 type, __u8 flags, int paylen,
1486	gfp_t gfp)
1487	{
1488	struct sctp_chunk *chunk;
1489
1490	chunk = _sctp_make_chunk(asoc, type, flags, paylen, gfp);
1491	if (chunk)
1492	sctp_control_set_owner_w(chunk);
1493
1494	return chunk;
1495	}
1496
1497	/* Release the memory occupied by a chunk. */
1498	static void sctp_chunk_destroy(struct sctp_chunk *chunk)
1499	{
1500	BUG_ON(!list_empty(&chunk->list));
1501	list_del_init(entry: &chunk->transmitted_list);
1502
1503	consume_skb(skb: chunk->skb);
1504	consume_skb(skb: chunk->auth_chunk);
1505
1506	SCTP_DBG_OBJCNT_DEC(chunk);
1507	kmem_cache_free(s: sctp_chunk_cachep, objp: chunk);
1508	}
1509
1510	/* Possibly, free the chunk. */
1511	void sctp_chunk_free(struct sctp_chunk *chunk)
1512	{
1513	/* Release our reference on the message tracker. */
1514	if (chunk->msg)
1515	sctp_datamsg_put(chunk->msg);
1516
1517	sctp_chunk_put(chunk);
1518	}
1519
1520	/* Grab a reference to the chunk. */
1521	void sctp_chunk_hold(struct sctp_chunk *ch)
1522	{
1523	refcount_inc(r: &ch->refcnt);
1524	}
1525
1526	/* Release a reference to the chunk. */
1527	void sctp_chunk_put(struct sctp_chunk *ch)
1528	{
1529	if (refcount_dec_and_test(r: &ch->refcnt))
1530	sctp_chunk_destroy(chunk: ch);
1531	}
1532
1533	/* Append bytes to the end of a chunk. Will panic if chunk is not big
1534	* enough.
1535	*/
1536	void *sctp_addto_chunk(struct sctp_chunk *chunk, int len, const void *data)
1537	{
1538	int chunklen = ntohs(chunk->chunk_hdr->length);
1539	int padlen = SCTP_PAD4(chunklen) - chunklen;
1540	void *target;
1541
1542	skb_put_zero(skb: chunk->skb, len: padlen);
1543	target = skb_put_data(skb: chunk->skb, data, len);
1544
1545	/* Adjust the chunk length field. */
1546	chunk->chunk_hdr->length = htons(chunklen + padlen + len);
1547	chunk->chunk_end = skb_tail_pointer(skb: chunk->skb);
1548
1549	return target;
1550	}
1551
1552	/* Append bytes from user space to the end of a chunk. Will panic if
1553	* chunk is not big enough.
1554	* Returns a kernel err value.
1555	*/
1556	int sctp_user_addto_chunk(struct sctp_chunk *chunk, int len,
1557	struct iov_iter *from)
1558	{
1559	void *target;
1560
1561	/* Make room in chunk for data. */
1562	target = skb_put(skb: chunk->skb, len);
1563
1564	/* Copy data (whole iovec) into chunk */
1565	if (!copy_from_iter_full(addr: target, bytes: len, i: from))
1566	return -EFAULT;
1567
1568	/* Adjust the chunk length field. */
1569	chunk->chunk_hdr->length =
1570	htons(ntohs(chunk->chunk_hdr->length) + len);
1571	chunk->chunk_end = skb_tail_pointer(skb: chunk->skb);
1572
1573	return 0;
1574	}
1575
1576	/* Helper function to assign a TSN if needed. This assumes that both
1577	* the data_hdr and association have already been assigned.
1578	*/
1579	void sctp_chunk_assign_ssn(struct sctp_chunk *chunk)
1580	{
1581	struct sctp_stream *stream;
1582	struct sctp_chunk *lchunk;
1583	struct sctp_datamsg *msg;
1584	__u16 ssn, sid;
1585
1586	if (chunk->has_ssn)
1587	return;
1588
1589	/* All fragments will be on the same stream */
1590	sid = ntohs(chunk->subh.data_hdr->stream);
1591	stream = &chunk->asoc->stream;
1592
1593	/* Now assign the sequence number to the entire message.
1594	* All fragments must have the same stream sequence number.
1595	*/
1596	msg = chunk->msg;
1597	list_for_each_entry(lchunk, &msg->chunks, frag_list) {
1598	if (lchunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
1599	ssn = 0;
1600	} else {
1601	if (lchunk->chunk_hdr->flags & SCTP_DATA_LAST_FRAG)
1602	ssn = sctp_ssn_next(stream, out, sid);
1603	else
1604	ssn = sctp_ssn_peek(stream, out, sid);
1605	}
1606
1607	lchunk->subh.data_hdr->ssn = htons(ssn);
1608	lchunk->has_ssn = 1;
1609	}
1610	}
1611
1612	/* Helper function to assign a TSN if needed. This assumes that both
1613	* the data_hdr and association have already been assigned.
1614	*/
1615	void sctp_chunk_assign_tsn(struct sctp_chunk *chunk)
1616	{
1617	if (!chunk->has_tsn) {
1618	/* This is the last possible instant to
1619	* assign a TSN.
1620	*/
1621	chunk->subh.data_hdr->tsn =
1622	htonl(sctp_association_get_next_tsn(chunk->asoc));
1623	chunk->has_tsn = 1;
1624	}
1625	}
1626
1627	/* Create a CLOSED association to use with an incoming packet. */
1628	struct sctp_association *sctp_make_temp_asoc(const struct sctp_endpoint *ep,
1629	struct sctp_chunk *chunk,
1630	gfp_t gfp)
1631	{
1632	struct sctp_association *asoc;
1633	enum sctp_scope scope;
1634	struct sk_buff *skb;
1635
1636	/* Create the bare association. */
1637	scope = sctp_scope(addr: sctp_source(chunk));
1638	asoc = sctp_association_new(ep, sk: ep->base.sk, scope, gfp);
1639	if (!asoc)
1640	goto nodata;
1641	asoc->temp = 1;
1642	skb = chunk->skb;
1643	/* Create an entry for the source address of the packet. */
1644	SCTP_INPUT_CB(skb)->af->from_skb(&asoc->c.peer_addr, skb, 1);
1645
1646	nodata:
1647	return asoc;
1648	}
1649
1650	/* Build a cookie representing asoc.
1651	* This INCLUDES the param header needed to put the cookie in the INIT ACK.
1652	*/
1653	static struct sctp_cookie_param *sctp_pack_cookie(
1654	const struct sctp_endpoint *ep,
1655	const struct sctp_association *asoc,
1656	const struct sctp_chunk *init_chunk,
1657	int *cookie_len, const __u8 *raw_addrs,
1658	int addrs_len)
1659	{
1660	struct sctp_signed_cookie *cookie;
1661	struct sctp_cookie_param *retval;
1662	int headersize, bodysize;
1663
1664	/* Header size is static data prior to the actual cookie, including
1665	* any padding.
1666	*/
1667	headersize = sizeof(struct sctp_paramhdr) +
1668	(sizeof(struct sctp_signed_cookie) -
1669	sizeof(struct sctp_cookie));
1670	bodysize = sizeof(struct sctp_cookie)
1671	+ ntohs(init_chunk->chunk_hdr->length) + addrs_len;
1672
1673	/* Pad out the cookie to a multiple to make the signature
1674	* functions simpler to write.
1675	*/
1676	if (bodysize % SCTP_COOKIE_MULTIPLE)
1677	bodysize += SCTP_COOKIE_MULTIPLE
1678	- (bodysize % SCTP_COOKIE_MULTIPLE);
1679	*cookie_len = headersize + bodysize;
1680
1681	/* Clear this memory since we are sending this data structure
1682	* out on the network.
1683	*/
1684	retval = kzalloc(size: *cookie_len, GFP_ATOMIC);
1685	if (!retval)
1686	goto nodata;
1687
1688	cookie = (struct sctp_signed_cookie *) retval->body;
1689
1690	/* Set up the parameter header. */
1691	retval->p.type = SCTP_PARAM_STATE_COOKIE;
1692	retval->p.length = htons(*cookie_len);
1693
1694	/* Copy the cookie part of the association itself. */
1695	cookie->c = asoc->c;
1696	/* Save the raw address list length in the cookie. */
1697	cookie->c.raw_addr_list_len = addrs_len;
1698
1699	/* Remember PR-SCTP capability. */
1700	cookie->c.prsctp_capable = asoc->peer.prsctp_capable;
1701
1702	/* Save adaptation indication in the cookie. */
1703	cookie->c.adaptation_ind = asoc->peer.adaptation_ind;
1704
1705	/* Set an expiration time for the cookie. */
1706	cookie->c.expiration = ktime_add(asoc->cookie_life,
1707	ktime_get_real());
1708
1709	/* Copy the peer's init packet. */
1710	memcpy(cookie + 1, init_chunk->chunk_hdr,
1711	ntohs(init_chunk->chunk_hdr->length));
1712
1713	/* Copy the raw local address list of the association. */
1714	memcpy((__u8 *)(cookie + 1) +
1715	ntohs(init_chunk->chunk_hdr->length), raw_addrs, addrs_len);
1716
1717	if (sctp_sk(ep->base.sk)->hmac) {
1718	struct crypto_shash *tfm = sctp_sk(ep->base.sk)->hmac;
1719	int err;
1720
1721	/* Sign the message. */
1722	err = crypto_shash_setkey(tfm, key: ep->secret_key,
1723	keylen: sizeof(ep->secret_key)) ?:
1724	crypto_shash_tfm_digest(tfm, data: (u8 *)&cookie->c, len: bodysize,
1725	out: cookie->signature);
1726	if (err)
1727	goto free_cookie;
1728	}
1729
1730	return retval;
1731
1732	free_cookie:
1733	kfree(objp: retval);
1734	nodata:
1735	*cookie_len = 0;
1736	return NULL;
1737	}
1738
1739	/* Unpack the cookie from COOKIE ECHO chunk, recreating the association. */
1740	struct sctp_association *sctp_unpack_cookie(
1741	const struct sctp_endpoint *ep,
1742	const struct sctp_association *asoc,
1743	struct sctp_chunk *chunk, gfp_t gfp,
1744	int *error, struct sctp_chunk **errp)
1745	{
1746	struct sctp_association *retval = NULL;
1747	int headersize, bodysize, fixed_size;
1748	struct sctp_signed_cookie *cookie;
1749	struct sk_buff *skb = chunk->skb;
1750	struct sctp_cookie *bear_cookie;
1751	__u8 *digest = ep->digest;
1752	enum sctp_scope scope;
1753	unsigned int len;
1754	ktime_t kt;
1755
1756	/* Header size is static data prior to the actual cookie, including
1757	* any padding.
1758	*/
1759	headersize = sizeof(struct sctp_chunkhdr) +
1760	(sizeof(struct sctp_signed_cookie) -
1761	sizeof(struct sctp_cookie));
1762	bodysize = ntohs(chunk->chunk_hdr->length) - headersize;
1763	fixed_size = headersize + sizeof(struct sctp_cookie);
1764
1765	/* Verify that the chunk looks like it even has a cookie.
1766	* There must be enough room for our cookie and our peer's
1767	* INIT chunk.
1768	*/
1769	len = ntohs(chunk->chunk_hdr->length);
1770	if (len < fixed_size + sizeof(struct sctp_chunkhdr))
1771	goto malformed;
1772
1773	/* Verify that the cookie has been padded out. */
1774	if (bodysize % SCTP_COOKIE_MULTIPLE)
1775	goto malformed;
1776
1777	/* Process the cookie. */
1778	cookie = chunk->subh.cookie_hdr;
1779	bear_cookie = &cookie->c;
1780
1781	if (!sctp_sk(ep->base.sk)->hmac)
1782	goto no_hmac;
1783
1784	/* Check the signature. */
1785	{
1786	struct crypto_shash *tfm = sctp_sk(ep->base.sk)->hmac;
1787	int err;
1788
1789	err = crypto_shash_setkey(tfm, key: ep->secret_key,
1790	keylen: sizeof(ep->secret_key)) ?:
1791	crypto_shash_tfm_digest(tfm, data: (u8 *)bear_cookie, len: bodysize,
1792	out: digest);
1793	if (err) {
1794	*error = -SCTP_IERROR_NOMEM;
1795	goto fail;
1796	}
1797	}
1798
1799	if (memcmp(p: digest, q: cookie->signature, SCTP_SIGNATURE_SIZE)) {
1800	*error = -SCTP_IERROR_BAD_SIG;
1801	goto fail;
1802	}
1803
1804	no_hmac:
1805	/* IG Section 2.35.2:
1806	* 3) Compare the port numbers and the verification tag contained
1807	* within the COOKIE ECHO chunk to the actual port numbers and the
1808	* verification tag within the SCTP common header of the received
1809	* packet. If these values do not match the packet MUST be silently
1810	* discarded,
1811	*/
1812	if (ntohl(chunk->sctp_hdr->vtag) != bear_cookie->my_vtag) {
1813	*error = -SCTP_IERROR_BAD_TAG;
1814	goto fail;
1815	}
1816
1817	if (chunk->sctp_hdr->source != bear_cookie->peer_addr.v4.sin_port ||
1818	ntohs(chunk->sctp_hdr->dest) != bear_cookie->my_port) {
1819	*error = -SCTP_IERROR_BAD_PORTS;
1820	goto fail;
1821	}
1822
1823	/* Check to see if the cookie is stale. If there is already
1824	* an association, there is no need to check cookie's expiration
1825	* for init collision case of lost COOKIE ACK.
1826	* If skb has been timestamped, then use the stamp, otherwise
1827	* use current time. This introduces a small possibility that
1828	* a cookie may be considered expired, but this would only slow
1829	* down the new association establishment instead of every packet.
1830	*/
1831	if (sock_flag(sk: ep->base.sk, flag: SOCK_TIMESTAMP))
1832	kt = skb_get_ktime(skb);
1833	else
1834	kt = ktime_get_real();
1835
1836	if (!asoc && ktime_before(cmp1: bear_cookie->expiration, cmp2: kt)) {
1837	suseconds_t usecs = ktime_to_us(ktime_sub(kt, bear_cookie->expiration));
1838	__be32 n = htonl(usecs);
1839
1840	/*
1841	* Section 3.3.10.3 Stale Cookie Error (3)
1842	*
1843	* Cause of error
1844	* ---------------
1845	* Stale Cookie Error: Indicates the receipt of a valid State
1846	* Cookie that has expired.
1847	*/
1848	*errp = sctp_make_op_error(asoc, chunk,
1849	cause_code: SCTP_ERROR_STALE_COOKIE, payload: &n,
1850	paylen: sizeof(n), reserve_tail: 0);
1851	if (*errp)
1852	*error = -SCTP_IERROR_STALE_COOKIE;
1853	else
1854	*error = -SCTP_IERROR_NOMEM;
1855
1856	goto fail;
1857	}
1858
1859	/* Make a new base association. */
1860	scope = sctp_scope(addr: sctp_source(chunk));
1861	retval = sctp_association_new(ep, sk: ep->base.sk, scope, gfp);
1862	if (!retval) {
1863	*error = -SCTP_IERROR_NOMEM;
1864	goto fail;
1865	}
1866
1867	/* Set up our peer's port number. */
1868	retval->peer.port = ntohs(chunk->sctp_hdr->source);
1869
1870	/* Populate the association from the cookie. */
1871	memcpy(&retval->c, bear_cookie, sizeof(*bear_cookie));
1872
1873	if (sctp_assoc_set_bind_addr_from_cookie(retval, bear_cookie,
1874	GFP_ATOMIC) < 0) {
1875	*error = -SCTP_IERROR_NOMEM;
1876	goto fail;
1877	}
1878
1879	/* Also, add the destination address. */
1880	if (list_empty(head: &retval->base.bind_addr.address_list)) {
1881	sctp_add_bind_addr(&retval->base.bind_addr, &chunk->dest,
1882	new_size: sizeof(chunk->dest), addr_state: SCTP_ADDR_SRC,
1883	GFP_ATOMIC);
1884	}
1885
1886	retval->next_tsn = retval->c.initial_tsn;
1887	retval->ctsn_ack_point = retval->next_tsn - 1;
1888	retval->addip_serial = retval->c.initial_tsn;
1889	retval->strreset_outseq = retval->c.initial_tsn;
1890	retval->adv_peer_ack_point = retval->ctsn_ack_point;
1891	retval->peer.prsctp_capable = retval->c.prsctp_capable;
1892	retval->peer.adaptation_ind = retval->c.adaptation_ind;
1893
1894	/* The INIT stuff will be done by the side effects. */
1895	return retval;
1896
1897	fail:
1898	if (retval)
1899	sctp_association_free(retval);
1900
1901	return NULL;
1902
1903	malformed:
1904	/* Yikes! The packet is either corrupt or deliberately
1905	* malformed.
1906	*/
1907	*error = -SCTP_IERROR_MALFORMED;
1908	goto fail;
1909	}
1910
1911	/********************************************************************
1912	* 3rd Level Abstractions
1913	********************************************************************/
1914
1915	struct __sctp_missing {
1916	__be32 num_missing;
1917	__be16 type;
1918	} __packed;
1919
1920	/*
1921	* Report a missing mandatory parameter.
1922	*/
1923	static int sctp_process_missing_param(const struct sctp_association *asoc,
1924	enum sctp_param paramtype,
1925	struct sctp_chunk *chunk,
1926	struct sctp_chunk **errp)
1927	{
1928	struct __sctp_missing report;
1929	__u16 len;
1930
1931	len = SCTP_PAD4(sizeof(report));
1932
1933	/* Make an ERROR chunk, preparing enough room for
1934	* returning multiple unknown parameters.
1935	*/
1936	if (!*errp)
1937	*errp = sctp_make_op_error_space(asoc, chunk, size: len);
1938
1939	if (*errp) {
1940	report.num_missing = htonl(1);
1941	report.type = paramtype;
1942	sctp_init_cause(chunk: *errp, cause_code: SCTP_ERROR_MISS_PARAM,
1943	paylen: sizeof(report));
1944	sctp_addto_chunk(chunk: *errp, len: sizeof(report), data: &report);
1945	}
1946
1947	/* Stop processing this chunk. */
1948	return 0;
1949	}
1950
1951	/* Report an Invalid Mandatory Parameter. */
1952	static int sctp_process_inv_mandatory(const struct sctp_association *asoc,
1953	struct sctp_chunk *chunk,
1954	struct sctp_chunk **errp)
1955	{
1956	/* Invalid Mandatory Parameter Error has no payload. */
1957
1958	if (!*errp)
1959	*errp = sctp_make_op_error_space(asoc, chunk, size: 0);
1960
1961	if (*errp)
1962	sctp_init_cause(chunk: *errp, cause_code: SCTP_ERROR_INV_PARAM, paylen: 0);
1963
1964	/* Stop processing this chunk. */
1965	return 0;
1966	}
1967
1968	static int sctp_process_inv_paramlength(const struct sctp_association *asoc,
1969	struct sctp_paramhdr *param,
1970	const struct sctp_chunk *chunk,
1971	struct sctp_chunk **errp)
1972	{
1973	/* This is a fatal error. Any accumulated non-fatal errors are
1974	* not reported.
1975	*/
1976	if (*errp)
1977	sctp_chunk_free(chunk: *errp);
1978
1979	/* Create an error chunk and fill it in with our payload. */
1980	*errp = sctp_make_violation_paramlen(asoc, chunk, param);
1981
1982	return 0;
1983	}
1984
1985
1986	/* Do not attempt to handle the HOST_NAME parm. However, do
1987	* send back an indicator to the peer.
1988	*/
1989	static int sctp_process_hn_param(const struct sctp_association *asoc,
1990	union sctp_params param,
1991	struct sctp_chunk *chunk,
1992	struct sctp_chunk **errp)
1993	{
1994	__u16 len = ntohs(param.p->length);
1995
1996	/* Processing of the HOST_NAME parameter will generate an
1997	* ABORT. If we've accumulated any non-fatal errors, they
1998	* would be unrecognized parameters and we should not include
1999	* them in the ABORT.
2000	*/
2001	if (*errp)
2002	sctp_chunk_free(chunk: *errp);
2003
2004	*errp = sctp_make_op_error(asoc, chunk, cause_code: SCTP_ERROR_DNS_FAILED,
2005	payload: param.v, paylen: len, reserve_tail: 0);
2006
2007	/* Stop processing this chunk. */
2008	return 0;
2009	}
2010
2011	static int sctp_verify_ext_param(struct net *net,
2012	const struct sctp_endpoint *ep,
2013	union sctp_params param)
2014	{
2015	__u16 num_ext = ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
2016	int have_asconf = 0;
2017	int have_auth = 0;
2018	int i;
2019
2020	for (i = 0; i < num_ext; i++) {
2021	switch (param.ext->chunks[i]) {
2022	case SCTP_CID_AUTH:
2023	have_auth = 1;
2024	break;
2025	case SCTP_CID_ASCONF:
2026	case SCTP_CID_ASCONF_ACK:
2027	have_asconf = 1;
2028	break;
2029	}
2030	}
2031
2032	/* ADD-IP Security: The draft requires us to ABORT or ignore the
2033	* INIT/INIT-ACK if ADD-IP is listed, but AUTH is not. Do this
2034	* only if ADD-IP is turned on and we are not backward-compatible
2035	* mode.
2036	*/
2037	if (net->sctp.addip_noauth)
2038	return 1;
2039
2040	if (ep->asconf_enable && !have_auth && have_asconf)
2041	return 0;
2042
2043	return 1;
2044	}
2045
2046	static void sctp_process_ext_param(struct sctp_association *asoc,
2047	union sctp_params param)
2048	{
2049	__u16 num_ext = ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
2050	int i;
2051
2052	for (i = 0; i < num_ext; i++) {
2053	switch (param.ext->chunks[i]) {
2054	case SCTP_CID_RECONF:
2055	if (asoc->ep->reconf_enable)
2056	asoc->peer.reconf_capable = 1;
2057	break;
2058	case SCTP_CID_FWD_TSN:
2059	if (asoc->ep->prsctp_enable)
2060	asoc->peer.prsctp_capable = 1;
2061	break;
2062	case SCTP_CID_AUTH:
2063	/* if the peer reports AUTH, assume that he
2064	* supports AUTH.
2065	*/
2066	if (asoc->ep->auth_enable)
2067	asoc->peer.auth_capable = 1;
2068	break;
2069	case SCTP_CID_ASCONF:
2070	case SCTP_CID_ASCONF_ACK:
2071	if (asoc->ep->asconf_enable)
2072	asoc->peer.asconf_capable = 1;
2073	break;
2074	case SCTP_CID_I_DATA:
2075	if (asoc->ep->intl_enable)
2076	asoc->peer.intl_capable = 1;
2077	break;
2078	default:
2079	break;
2080	}
2081	}
2082	}
2083
2084	/* RFC 3.2.1 & the Implementers Guide 2.2.
2085	*
2086	* The Parameter Types are encoded such that the
2087	* highest-order two bits specify the action that must be
2088	* taken if the processing endpoint does not recognize the
2089	* Parameter Type.
2090	*
2091	* 00 - Stop processing this parameter; do not process any further
2092	* parameters within this chunk
2093	*
2094	* 01 - Stop processing this parameter, do not process any further
2095	* parameters within this chunk, and report the unrecognized
2096	* parameter in an 'Unrecognized Parameter' ERROR chunk.
2097	*
2098	* 10 - Skip this parameter and continue processing.
2099	*
2100	* 11 - Skip this parameter and continue processing but
2101	* report the unrecognized parameter in an
2102	* 'Unrecognized Parameter' ERROR chunk.
2103	*
2104	* Return value:
2105	* SCTP_IERROR_NO_ERROR - continue with the chunk
2106	* SCTP_IERROR_ERROR - stop and report an error.
2107	* SCTP_IERROR_NOMEME - out of memory.
2108	*/
2109	static enum sctp_ierror sctp_process_unk_param(
2110	const struct sctp_association *asoc,
2111	union sctp_params param,
2112	struct sctp_chunk *chunk,
2113	struct sctp_chunk **errp)
2114	{
2115	int retval = SCTP_IERROR_NO_ERROR;
2116
2117	switch (param.p->type & SCTP_PARAM_ACTION_MASK) {
2118	case SCTP_PARAM_ACTION_DISCARD:
2119	retval = SCTP_IERROR_ERROR;
2120	break;
2121	case SCTP_PARAM_ACTION_SKIP:
2122	break;
2123	case SCTP_PARAM_ACTION_DISCARD_ERR:
2124	retval = SCTP_IERROR_ERROR;
2125	fallthrough;
2126	case SCTP_PARAM_ACTION_SKIP_ERR:
2127	/* Make an ERROR chunk, preparing enough room for
2128	* returning multiple unknown parameters.
2129	*/
2130	if (!*errp) {
2131	*errp = sctp_make_op_error_limited(asoc, chunk);
2132	if (!*errp) {
2133	/* If there is no memory for generating the
2134	* ERROR report as specified, an ABORT will be
2135	* triggered to the peer and the association
2136	* won't be established.
2137	*/
2138	retval = SCTP_IERROR_NOMEM;
2139	break;
2140	}
2141	}
2142
2143	if (!sctp_init_cause(chunk: *errp, cause_code: SCTP_ERROR_UNKNOWN_PARAM,
2144	ntohs(param.p->length)))
2145	sctp_addto_chunk(chunk: *errp, ntohs(param.p->length),
2146	data: param.v);
2147	break;
2148	default:
2149	break;
2150	}
2151
2152	return retval;
2153	}
2154
2155	/* Verify variable length parameters
2156	* Return values:
2157	* SCTP_IERROR_ABORT - trigger an ABORT
2158	* SCTP_IERROR_NOMEM - out of memory (abort)
2159	* SCTP_IERROR_ERROR - stop processing, trigger an ERROR
2160	* SCTP_IERROR_NO_ERROR - continue with the chunk
2161	*/
2162	static enum sctp_ierror sctp_verify_param(struct net *net,
2163	const struct sctp_endpoint *ep,
2164	const struct sctp_association *asoc,
2165	union sctp_params param,
2166	enum sctp_cid cid,
2167	struct sctp_chunk *chunk,
2168	struct sctp_chunk **err_chunk)
2169	{
2170	struct sctp_hmac_algo_param *hmacs;
2171	int retval = SCTP_IERROR_NO_ERROR;
2172	__u16 n_elt, id = 0;
2173	int i;
2174
2175	/* FIXME - This routine is not looking at each parameter per the
2176	* chunk type, i.e., unrecognized parameters should be further
2177	* identified based on the chunk id.
2178	*/
2179
2180	switch (param.p->type) {
2181	case SCTP_PARAM_IPV4_ADDRESS:
2182	case SCTP_PARAM_IPV6_ADDRESS:
2183	case SCTP_PARAM_COOKIE_PRESERVATIVE:
2184	case SCTP_PARAM_SUPPORTED_ADDRESS_TYPES:
2185	case SCTP_PARAM_STATE_COOKIE:
2186	case SCTP_PARAM_HEARTBEAT_INFO:
2187	case SCTP_PARAM_UNRECOGNIZED_PARAMETERS:
2188	case SCTP_PARAM_ECN_CAPABLE:
2189	case SCTP_PARAM_ADAPTATION_LAYER_IND:
2190	break;
2191
2192	case SCTP_PARAM_SUPPORTED_EXT:
2193	if (!sctp_verify_ext_param(net, ep, param))
2194	return SCTP_IERROR_ABORT;
2195	break;
2196
2197	case SCTP_PARAM_SET_PRIMARY:
2198	if (!ep->asconf_enable)
2199	goto unhandled;
2200
2201	if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
2202	sizeof(struct sctp_paramhdr)) {
2203	sctp_process_inv_paramlength(asoc, param: param.p,
2204	chunk, errp: err_chunk);
2205	retval = SCTP_IERROR_ABORT;
2206	}
2207	break;
2208
2209	case SCTP_PARAM_HOST_NAME_ADDRESS:
2210	/* This param has been Deprecated, send ABORT. */
2211	sctp_process_hn_param(asoc, param, chunk, errp: err_chunk);
2212	retval = SCTP_IERROR_ABORT;
2213	break;
2214
2215	case SCTP_PARAM_FWD_TSN_SUPPORT:
2216	if (ep->prsctp_enable)
2217	break;
2218	goto unhandled;
2219
2220	case SCTP_PARAM_RANDOM:
2221	if (!ep->auth_enable)
2222	goto unhandled;
2223
2224	/* SCTP-AUTH: Secion 6.1
2225	* If the random number is not 32 byte long the association
2226	* MUST be aborted. The ABORT chunk SHOULD contain the error
2227	* cause 'Protocol Violation'.
2228	*/
2229	if (SCTP_AUTH_RANDOM_LENGTH != ntohs(param.p->length) -
2230	sizeof(struct sctp_paramhdr)) {
2231	sctp_process_inv_paramlength(asoc, param: param.p,
2232	chunk, errp: err_chunk);
2233	retval = SCTP_IERROR_ABORT;
2234	}
2235	break;
2236
2237	case SCTP_PARAM_CHUNKS:
2238	if (!ep->auth_enable)
2239	goto unhandled;
2240
2241	/* SCTP-AUTH: Section 3.2
2242	* The CHUNKS parameter MUST be included once in the INIT or
2243	* INIT-ACK chunk if the sender wants to receive authenticated
2244	* chunks. Its maximum length is 260 bytes.
2245	*/
2246	if (260 < ntohs(param.p->length)) {
2247	sctp_process_inv_paramlength(asoc, param: param.p,
2248	chunk, errp: err_chunk);
2249	retval = SCTP_IERROR_ABORT;
2250	}
2251	break;
2252
2253	case SCTP_PARAM_HMAC_ALGO:
2254	if (!ep->auth_enable)
2255	goto unhandled;
2256
2257	hmacs = (struct sctp_hmac_algo_param *)param.p;
2258	n_elt = (ntohs(param.p->length) -
2259	sizeof(struct sctp_paramhdr)) >> 1;
2260
2261	/* SCTP-AUTH: Section 6.1
2262	* The HMAC algorithm based on SHA-1 MUST be supported and
2263	* included in the HMAC-ALGO parameter.
2264	*/
2265	for (i = 0; i < n_elt; i++) {
2266	id = ntohs(hmacs->hmac_ids[i]);
2267
2268	if (id == SCTP_AUTH_HMAC_ID_SHA1)
2269	break;
2270	}
2271
2272	if (id != SCTP_AUTH_HMAC_ID_SHA1) {
2273	sctp_process_inv_paramlength(asoc, param: param.p, chunk,
2274	errp: err_chunk);
2275	retval = SCTP_IERROR_ABORT;
2276	}
2277	break;
2278	unhandled:
2279	default:
2280	pr_debug("%s: unrecognized param:%d for chunk:%d\n",
2281	__func__, ntohs(param.p->type), cid);
2282
2283	retval = sctp_process_unk_param(asoc, param, chunk, errp: err_chunk);
2284	break;
2285	}
2286	return retval;
2287	}
2288
2289	/* Verify the INIT packet before we process it. */
2290	int sctp_verify_init(struct net *net, const struct sctp_endpoint *ep,
2291	const struct sctp_association *asoc, enum sctp_cid cid,
2292	struct sctp_init_chunk *peer_init,
2293	struct sctp_chunk *chunk, struct sctp_chunk **errp)
2294	{
2295	union sctp_params param;
2296	bool has_cookie = false;
2297	int result;
2298
2299	/* Check for missing mandatory parameters. Note: Initial TSN is
2300	* also mandatory, but is not checked here since the valid range
2301	* is 0..2**32-1. RFC4960, section 3.3.3.
2302	*/
2303	if (peer_init->init_hdr.num_outbound_streams == 0 ||
2304	peer_init->init_hdr.num_inbound_streams == 0 ||
2305	peer_init->init_hdr.init_tag == 0 ||
2306	ntohl(peer_init->init_hdr.a_rwnd) < SCTP_DEFAULT_MINWINDOW)
2307	return sctp_process_inv_mandatory(asoc, chunk, errp);
2308
2309	sctp_walk_params(param, peer_init) {
2310	if (param.p->type == SCTP_PARAM_STATE_COOKIE)
2311	has_cookie = true;
2312	}
2313
2314	/* There is a possibility that a parameter length was bad and
2315	* in that case we would have stoped walking the parameters.
2316	* The current param.p would point at the bad one.
2317	* Current consensus on the mailing list is to generate a PROTOCOL
2318	* VIOLATION error. We build the ERROR chunk here and let the normal
2319	* error handling code build and send the packet.
2320	*/
2321	if (param.v != (void *)chunk->chunk_end)
2322	return sctp_process_inv_paramlength(asoc, param: param.p, chunk, errp);
2323
2324	/* The only missing mandatory param possible today is
2325	* the state cookie for an INIT-ACK chunk.
2326	*/
2327	if ((SCTP_CID_INIT_ACK == cid) && !has_cookie)
2328	return sctp_process_missing_param(asoc, paramtype: SCTP_PARAM_STATE_COOKIE,
2329	chunk, errp);
2330
2331	/* Verify all the variable length parameters */
2332	sctp_walk_params(param, peer_init) {
2333	result = sctp_verify_param(net, ep, asoc, param, cid,
2334	chunk, err_chunk: errp);
2335	switch (result) {
2336	case SCTP_IERROR_ABORT:
2337	case SCTP_IERROR_NOMEM:
2338	return 0;
2339	case SCTP_IERROR_ERROR:
2340	return 1;
2341	case SCTP_IERROR_NO_ERROR:
2342	default:
2343	break;
2344	}
2345
2346	} /* for (loop through all parameters) */
2347
2348	return 1;
2349	}
2350
2351	/* Unpack the parameters in an INIT packet into an association.
2352	* Returns 0 on failure, else success.
2353	* FIXME: This is an association method.
2354	*/
2355	int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
2356	const union sctp_addr *peer_addr,
2357	struct sctp_init_chunk *peer_init, gfp_t gfp)
2358	{
2359	struct sctp_transport *transport;
2360	struct list_head *pos, *temp;
2361	union sctp_params param;
2362	union sctp_addr addr;
2363	struct sctp_af *af;
2364	int src_match = 0;
2365
2366	/* We must include the address that the INIT packet came from.
2367	* This is the only address that matters for an INIT packet.
2368	* When processing a COOKIE ECHO, we retrieve the from address
2369	* of the INIT from the cookie.
2370	*/
2371
2372	/* This implementation defaults to making the first transport
2373	* added as the primary transport. The source address seems to
2374	* be a better choice than any of the embedded addresses.
2375	*/
2376	asoc->encap_port = SCTP_INPUT_CB(chunk->skb)->encap_port;
2377	if (!sctp_assoc_add_peer(asoc, address: peer_addr, gfp, peer_state: SCTP_ACTIVE))
2378	goto nomem;
2379
2380	if (sctp_cmp_addr_exact(ss1: sctp_source(chunk), ss2: peer_addr))
2381	src_match = 1;
2382
2383	/* Process the initialization parameters. */
2384	sctp_walk_params(param, peer_init) {
2385	if (!src_match &&
2386	(param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
2387	param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
2388	af = sctp_get_af_specific(param_type2af(type: param.p->type));
2389	if (!af->from_addr_param(&addr, param.addr,
2390	chunk->sctp_hdr->source, 0))
2391	continue;
2392	if (sctp_cmp_addr_exact(ss1: sctp_source(chunk), ss2: &addr))
2393	src_match = 1;
2394	}
2395
2396	if (!sctp_process_param(asoc, param, peer_addr, gfp))
2397	goto clean_up;
2398	}
2399
2400	/* source address of chunk may not match any valid address */
2401	if (!src_match)
2402	goto clean_up;
2403
2404	/* AUTH: After processing the parameters, make sure that we
2405	* have all the required info to potentially do authentications.
2406	*/
2407	if (asoc->peer.auth_capable && (!asoc->peer.peer_random ||
2408	!asoc->peer.peer_hmacs))
2409	asoc->peer.auth_capable = 0;
2410
2411	/* In a non-backward compatible mode, if the peer claims
2412	* support for ADD-IP but not AUTH, the ADD-IP spec states
2413	* that we MUST ABORT the association. Section 6. The section
2414	* also give us an option to silently ignore the packet, which
2415	* is what we'll do here.
2416	*/
2417	if (!asoc->base.net->sctp.addip_noauth &&
2418	(asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
2419	asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
2420	SCTP_PARAM_DEL_IP |
2421	SCTP_PARAM_SET_PRIMARY);
2422	asoc->peer.asconf_capable = 0;
2423	goto clean_up;
2424	}
2425
2426	/* Walk list of transports, removing transports in the UNKNOWN state. */
2427	list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
2428	transport = list_entry(pos, struct sctp_transport, transports);
2429	if (transport->state == SCTP_UNKNOWN) {
2430	sctp_assoc_rm_peer(asoc, peer: transport);
2431	}
2432	}
2433
2434	/* The fixed INIT headers are always in network byte
2435	* order.
2436	*/
2437	asoc->peer.i.init_tag =
2438	ntohl(peer_init->init_hdr.init_tag);
2439	asoc->peer.i.a_rwnd =
2440	ntohl(peer_init->init_hdr.a_rwnd);
2441	asoc->peer.i.num_outbound_streams =
2442	ntohs(peer_init->init_hdr.num_outbound_streams);
2443	asoc->peer.i.num_inbound_streams =
2444	ntohs(peer_init->init_hdr.num_inbound_streams);
2445	asoc->peer.i.initial_tsn =
2446	ntohl(peer_init->init_hdr.initial_tsn);
2447
2448	asoc->strreset_inseq = asoc->peer.i.initial_tsn;
2449
2450	/* Apply the upper bounds for output streams based on peer's
2451	* number of inbound streams.
2452	*/
2453	if (asoc->c.sinit_num_ostreams >
2454	ntohs(peer_init->init_hdr.num_inbound_streams)) {
2455	asoc->c.sinit_num_ostreams =
2456	ntohs(peer_init->init_hdr.num_inbound_streams);
2457	}
2458
2459	if (asoc->c.sinit_max_instreams >
2460	ntohs(peer_init->init_hdr.num_outbound_streams)) {
2461	asoc->c.sinit_max_instreams =
2462	ntohs(peer_init->init_hdr.num_outbound_streams);
2463	}
2464
2465	/* Copy Initiation tag from INIT to VT_peer in cookie. */
2466	asoc->c.peer_vtag = asoc->peer.i.init_tag;
2467
2468	/* Peer Rwnd : Current calculated value of the peer's rwnd. */
2469	asoc->peer.rwnd = asoc->peer.i.a_rwnd;
2470
2471	/* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
2472	* high (for example, implementations MAY use the size of the receiver
2473	* advertised window).
2474	*/
2475	list_for_each_entry(transport, &asoc->peer.transport_addr_list,
2476	transports) {
2477	transport->ssthresh = asoc->peer.i.a_rwnd;
2478	}
2479
2480	/* Set up the TSN tracking pieces. */
2481	if (!sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
2482	initial_tsn: asoc->peer.i.initial_tsn, gfp))
2483	goto clean_up;
2484
2485	/* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
2486	*
2487	* The stream sequence number in all the streams shall start
2488	* from 0 when the association is established. Also, when the
2489	* stream sequence number reaches the value 65535 the next
2490	* stream sequence number shall be set to 0.
2491	*/
2492
2493	if (sctp_stream_init(stream: &asoc->stream, outcnt: asoc->c.sinit_num_ostreams,
2494	incnt: asoc->c.sinit_max_instreams, gfp))
2495	goto clean_up;
2496
2497	/* Update frag_point when stream_interleave may get changed. */
2498	sctp_assoc_update_frag_point(asoc);
2499
2500	if (!asoc->temp && sctp_assoc_set_id(asoc, gfp))
2501	goto clean_up;
2502
2503	/* ADDIP Section 4.1 ASCONF Chunk Procedures
2504	*
2505	* When an endpoint has an ASCONF signaled change to be sent to the
2506	* remote endpoint it should do the following:
2507	* ...
2508	* A2) A serial number should be assigned to the Chunk. The serial
2509	* number should be a monotonically increasing number. All serial
2510	* numbers are defined to be initialized at the start of the
2511	* association to the same value as the Initial TSN.
2512	*/
2513	asoc->peer.addip_serial = asoc->peer.i.initial_tsn - 1;
2514	return 1;
2515
2516	clean_up:
2517	/* Release the transport structures. */
2518	list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
2519	transport = list_entry(pos, struct sctp_transport, transports);
2520	if (transport->state != SCTP_ACTIVE)
2521	sctp_assoc_rm_peer(asoc, peer: transport);
2522	}
2523
2524	nomem:
2525	return 0;
2526	}
2527
2528
2529	/* Update asoc with the option described in param.
2530	*
2531	* RFC2960 3.3.2.1 Optional/Variable Length Parameters in INIT
2532	*
2533	* asoc is the association to update.
2534	* param is the variable length parameter to use for update.
2535	* cid tells us if this is an INIT, INIT ACK or COOKIE ECHO.
2536	* If the current packet is an INIT we want to minimize the amount of
2537	* work we do. In particular, we should not build transport
2538	* structures for the addresses.
2539	*/
2540	static int sctp_process_param(struct sctp_association *asoc,
2541	union sctp_params param,
2542	const union sctp_addr *peer_addr,
2543	gfp_t gfp)
2544	{
2545	struct sctp_endpoint *ep = asoc->ep;
2546	union sctp_addr_param *addr_param;
2547	struct net *net = asoc->base.net;
2548	struct sctp_transport *t;
2549	enum sctp_scope scope;
2550	union sctp_addr addr;
2551	struct sctp_af *af;
2552	int retval = 1, i;
2553	u32 stale;
2554	__u16 sat;
2555
2556	/* We maintain all INIT parameters in network byte order all the
2557	* time. This allows us to not worry about whether the parameters
2558	* came from a fresh INIT, and INIT ACK, or were stored in a cookie.
2559	*/
2560	switch (param.p->type) {
2561	case SCTP_PARAM_IPV6_ADDRESS:
2562	if (PF_INET6 != asoc->base.sk->sk_family)
2563	break;
2564	goto do_addr_param;
2565
2566	case SCTP_PARAM_IPV4_ADDRESS:
2567	/* v4 addresses are not allowed on v6-only socket */
2568	if (ipv6_only_sock(asoc->base.sk))
2569	break;
2570	do_addr_param:
2571	af = sctp_get_af_specific(param_type2af(type: param.p->type));
2572	if (!af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0))
2573	break;
2574	scope = sctp_scope(addr: peer_addr);
2575	if (sctp_in_scope(net, addr: &addr, scope))
2576	if (!sctp_assoc_add_peer(asoc, address: &addr, gfp, peer_state: SCTP_UNCONFIRMED))
2577	return 0;
2578	break;
2579
2580	case SCTP_PARAM_COOKIE_PRESERVATIVE:
2581	if (!net->sctp.cookie_preserve_enable)
2582	break;
2583
2584	stale = ntohl(param.life->lifespan_increment);
2585
2586	/* Suggested Cookie Life span increment's unit is msec,
2587	* (1/1000sec).
2588	*/
2589	asoc->cookie_life = ktime_add_ms(kt: asoc->cookie_life, msec: stale);
2590	break;
2591
2592	case SCTP_PARAM_SUPPORTED_ADDRESS_TYPES:
2593	/* Turn off the default values first so we'll know which
2594	* ones are really set by the peer.
2595	*/
2596	asoc->peer.ipv4_address = 0;
2597	asoc->peer.ipv6_address = 0;
2598
2599	/* Assume that peer supports the address family
2600	* by which it sends a packet.
2601	*/
2602	if (peer_addr->sa.sa_family == AF_INET6)
2603	asoc->peer.ipv6_address = 1;
2604	else if (peer_addr->sa.sa_family == AF_INET)
2605	asoc->peer.ipv4_address = 1;
2606
2607	/* Cycle through address types; avoid divide by 0. */
2608	sat = ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
2609	if (sat)
2610	sat /= sizeof(__u16);
2611
2612	for (i = 0; i < sat; ++i) {
2613	switch (param.sat->types[i]) {
2614	case SCTP_PARAM_IPV4_ADDRESS:
2615	asoc->peer.ipv4_address = 1;
2616	break;
2617
2618	case SCTP_PARAM_IPV6_ADDRESS:
2619	if (PF_INET6 == asoc->base.sk->sk_family)
2620	asoc->peer.ipv6_address = 1;
2621	break;
2622
2623	default: /* Just ignore anything else. */
2624	break;
2625	}
2626	}
2627	break;
2628
2629	case SCTP_PARAM_STATE_COOKIE:
2630	asoc->peer.cookie_len =
2631	ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
2632	kfree(objp: asoc->peer.cookie);
2633	asoc->peer.cookie = kmemdup(p: param.cookie->body, size: asoc->peer.cookie_len, gfp);
2634	if (!asoc->peer.cookie)
2635	retval = 0;
2636	break;
2637
2638	case SCTP_PARAM_HEARTBEAT_INFO:
2639	/* Would be odd to receive, but it causes no problems. */
2640	break;
2641
2642	case SCTP_PARAM_UNRECOGNIZED_PARAMETERS:
2643	/* Rejected during verify stage. */
2644	break;
2645
2646	case SCTP_PARAM_ECN_CAPABLE:
2647	if (asoc->ep->ecn_enable) {
2648	asoc->peer.ecn_capable = 1;
2649	break;
2650	}
2651	/* Fall Through */
2652	goto fall_through;
2653
2654
2655	case SCTP_PARAM_ADAPTATION_LAYER_IND:
2656	asoc->peer.adaptation_ind = ntohl(param.aind->adaptation_ind);
2657	break;
2658
2659	case SCTP_PARAM_SET_PRIMARY:
2660	if (!ep->asconf_enable)
2661	goto fall_through;
2662
2663	addr_param = param.v + sizeof(struct sctp_addip_param);
2664
2665	af = sctp_get_af_specific(param_type2af(type: addr_param->p.type));
2666	if (!af)
2667	break;
2668
2669	if (!af->from_addr_param(&addr, addr_param,
2670	htons(asoc->peer.port), 0))
2671	break;
2672
2673	if (!af->addr_valid(&addr, NULL, NULL))
2674	break;
2675
2676	t = sctp_assoc_lookup_paddr(asoc, &addr);
2677	if (!t)
2678	break;
2679
2680	sctp_assoc_set_primary(asoc, t);
2681	break;
2682
2683	case SCTP_PARAM_SUPPORTED_EXT:
2684	sctp_process_ext_param(asoc, param);
2685	break;
2686
2687	case SCTP_PARAM_FWD_TSN_SUPPORT:
2688	if (asoc->ep->prsctp_enable) {
2689	asoc->peer.prsctp_capable = 1;
2690	break;
2691	}
2692	/* Fall Through */
2693	goto fall_through;
2694
2695	case SCTP_PARAM_RANDOM:
2696	if (!ep->auth_enable)
2697	goto fall_through;
2698
2699	/* Save peer's random parameter */
2700	kfree(objp: asoc->peer.peer_random);
2701	asoc->peer.peer_random = kmemdup(p: param.p,
2702	ntohs(param.p->length), gfp);
2703	if (!asoc->peer.peer_random) {
2704	retval = 0;
2705	break;
2706	}
2707	break;
2708
2709	case SCTP_PARAM_HMAC_ALGO:
2710	if (!ep->auth_enable)
2711	goto fall_through;
2712
2713	/* Save peer's HMAC list */
2714	kfree(objp: asoc->peer.peer_hmacs);
2715	asoc->peer.peer_hmacs = kmemdup(p: param.p,
2716	ntohs(param.p->length), gfp);
2717	if (!asoc->peer.peer_hmacs) {
2718	retval = 0;
2719	break;
2720	}
2721
2722	/* Set the default HMAC the peer requested*/
2723	sctp_auth_asoc_set_default_hmac(asoc, hmacs: param.hmac_algo);
2724	break;
2725
2726	case SCTP_PARAM_CHUNKS:
2727	if (!ep->auth_enable)
2728	goto fall_through;
2729
2730	kfree(objp: asoc->peer.peer_chunks);
2731	asoc->peer.peer_chunks = kmemdup(p: param.p,
2732	ntohs(param.p->length), gfp);
2733	if (!asoc->peer.peer_chunks)
2734	retval = 0;
2735	break;
2736	fall_through:
2737	default:
2738	/* Any unrecognized parameters should have been caught
2739	* and handled by sctp_verify_param() which should be
2740	* called prior to this routine. Simply log the error
2741	* here.
2742	*/
2743	pr_debug("%s: ignoring param:%d for association:%p.\n",
2744	__func__, ntohs(param.p->type), asoc);
2745	break;
2746	}
2747
2748	return retval;
2749	}
2750
2751	/* Select a new verification tag. */
2752	__u32 sctp_generate_tag(const struct sctp_endpoint *ep)
2753	{
2754	/* I believe that this random number generator complies with RFC1750.
2755	* A tag of 0 is reserved for special cases (e.g. INIT).
2756	*/
2757	__u32 x;
2758
2759	do {
2760	get_random_bytes(buf: &x, len: sizeof(__u32));
2761	} while (x == 0);
2762
2763	return x;
2764	}
2765
2766	/* Select an initial TSN to send during startup. */
2767	__u32 sctp_generate_tsn(const struct sctp_endpoint *ep)
2768	{
2769	__u32 retval;
2770
2771	get_random_bytes(buf: &retval, len: sizeof(__u32));
2772	return retval;
2773	}
2774
2775	/*
2776	* ADDIP 3.1.1 Address Configuration Change Chunk (ASCONF)
2777	* 0 1 2 3
2778	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2779	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2780	* | Type = 0xC1 | Chunk Flags | Chunk Length |
2781	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2782	* | Serial Number |
2783	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2784	* | Address Parameter |
2785	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2786	* | ASCONF Parameter #1 |
2787	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2788	* \ \
2789	* / .... /
2790	* \ \
2791	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2792	* | ASCONF Parameter #N |
2793	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2794	*
2795	* Address Parameter and other parameter will not be wrapped in this function
2796	*/
2797	static struct sctp_chunk *sctp_make_asconf(struct sctp_association *asoc,
2798	union sctp_addr *addr,
2799	int vparam_len)
2800	{
2801	struct sctp_addiphdr asconf;
2802	struct sctp_chunk *retval;
2803	int length = sizeof(asconf) + vparam_len;
2804	union sctp_addr_param addrparam;
2805	int addrlen;
2806	struct sctp_af *af = sctp_get_af_specific(addr->v4.sin_family);
2807
2808	addrlen = af->to_addr_param(addr, &addrparam);
2809	if (!addrlen)
2810	return NULL;
2811	length += addrlen;
2812
2813	/* Create the chunk. */
2814	retval = sctp_make_control(asoc, type: SCTP_CID_ASCONF, flags: 0, paylen: length,
2815	GFP_ATOMIC);
2816	if (!retval)
2817	return NULL;
2818
2819	asconf.serial = htonl(asoc->addip_serial++);
2820
2821	retval->subh.addip_hdr =
2822	sctp_addto_chunk(chunk: retval, len: sizeof(asconf), data: &asconf);
2823	retval->param_hdr.v =
2824	sctp_addto_chunk(chunk: retval, len: addrlen, data: &addrparam);
2825
2826	return retval;
2827	}
2828
2829	/* ADDIP
2830	* 3.2.1 Add IP Address
2831	* 0 1 2 3
2832	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2833	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2834	* | Type = 0xC001 | Length = Variable |
2835	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2836	* | ASCONF-Request Correlation ID |
2837	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2838	* | Address Parameter |
2839	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2840	*
2841	* 3.2.2 Delete IP Address
2842	* 0 1 2 3
2843	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2844	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2845	* | Type = 0xC002 | Length = Variable |
2846	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2847	* | ASCONF-Request Correlation ID |
2848	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2849	* | Address Parameter |
2850	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2851	*
2852	*/
2853	struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *asoc,
2854	union sctp_addr *laddr,
2855	struct sockaddr *addrs,
2856	int addrcnt, __be16 flags)
2857	{
2858	union sctp_addr_param addr_param;
2859	struct sctp_addip_param param;
2860	int paramlen = sizeof(param);
2861	struct sctp_chunk *retval;
2862	int addr_param_len = 0;
2863	union sctp_addr *addr;
2864	int totallen = 0, i;
2865	int del_pickup = 0;
2866	struct sctp_af *af;
2867	void *addr_buf;
2868
2869	/* Get total length of all the address parameters. */
2870	addr_buf = addrs;
2871	for (i = 0; i < addrcnt; i++) {
2872	addr = addr_buf;
2873	af = sctp_get_af_specific(addr->v4.sin_family);
2874	addr_param_len = af->to_addr_param(addr, &addr_param);
2875
2876	totallen += paramlen;
2877	totallen += addr_param_len;
2878
2879	addr_buf += af->sockaddr_len;
2880	if (asoc->asconf_addr_del_pending && !del_pickup) {
2881	/* reuse the parameter length from the same scope one */
2882	totallen += paramlen;
2883	totallen += addr_param_len;
2884	del_pickup = 1;
2885
2886	pr_debug("%s: picked same-scope del_pending addr, "
2887	"totallen for all addresses is %d\n",
2888	__func__, totallen);
2889	}
2890	}
2891
2892	/* Create an asconf chunk with the required length. */
2893	retval = sctp_make_asconf(asoc, addr: laddr, vparam_len: totallen);
2894	if (!retval)
2895	return NULL;
2896
2897	/* Add the address parameters to the asconf chunk. */
2898	addr_buf = addrs;
2899	for (i = 0; i < addrcnt; i++) {
2900	addr = addr_buf;
2901	af = sctp_get_af_specific(addr->v4.sin_family);
2902	addr_param_len = af->to_addr_param(addr, &addr_param);
2903	param.param_hdr.type = flags;
2904	param.param_hdr.length = htons(paramlen + addr_param_len);
2905	param.crr_id = htonl(i);
2906
2907	sctp_addto_chunk(chunk: retval, len: paramlen, data: &param);
2908	sctp_addto_chunk(chunk: retval, len: addr_param_len, data: &addr_param);
2909
2910	addr_buf += af->sockaddr_len;
2911	}
2912	if (flags == SCTP_PARAM_ADD_IP && del_pickup) {
2913	addr = asoc->asconf_addr_del_pending;
2914	af = sctp_get_af_specific(addr->v4.sin_family);
2915	addr_param_len = af->to_addr_param(addr, &addr_param);
2916	param.param_hdr.type = SCTP_PARAM_DEL_IP;
2917	param.param_hdr.length = htons(paramlen + addr_param_len);
2918	param.crr_id = htonl(i);
2919
2920	sctp_addto_chunk(chunk: retval, len: paramlen, data: &param);
2921	sctp_addto_chunk(chunk: retval, len: addr_param_len, data: &addr_param);
2922	}
2923	return retval;
2924	}
2925
2926	/* ADDIP
2927	* 3.2.4 Set Primary IP Address
2928	* 0 1 2 3
2929	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2930	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2931	* | Type =0xC004 | Length = Variable |
2932	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2933	* | ASCONF-Request Correlation ID |
2934	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2935	* | Address Parameter |
2936	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2937	*
2938	* Create an ASCONF chunk with Set Primary IP address parameter.
2939	*/
2940	struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
2941	union sctp_addr *addr)
2942	{
2943	struct sctp_af *af = sctp_get_af_specific(addr->v4.sin_family);
2944	union sctp_addr_param addrparam;
2945	struct sctp_addip_param param;
2946	struct sctp_chunk *retval;
2947	int len = sizeof(param);
2948	int addrlen;
2949
2950	addrlen = af->to_addr_param(addr, &addrparam);
2951	if (!addrlen)
2952	return NULL;
2953	len += addrlen;
2954
2955	/* Create the chunk and make asconf header. */
2956	retval = sctp_make_asconf(asoc, addr, vparam_len: len);
2957	if (!retval)
2958	return NULL;
2959
2960	param.param_hdr.type = SCTP_PARAM_SET_PRIMARY;
2961	param.param_hdr.length = htons(len);
2962	param.crr_id = 0;
2963
2964	sctp_addto_chunk(chunk: retval, len: sizeof(param), data: &param);
2965	sctp_addto_chunk(chunk: retval, len: addrlen, data: &addrparam);
2966
2967	return retval;
2968	}
2969
2970	/* ADDIP 3.1.2 Address Configuration Acknowledgement Chunk (ASCONF-ACK)
2971	* 0 1 2 3
2972	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2973	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2974	* | Type = 0x80 | Chunk Flags | Chunk Length |
2975	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2976	* | Serial Number |
2977	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2978	* | ASCONF Parameter Response#1 |
2979	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2980	* \ \
2981	* / .... /
2982	* \ \
2983	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2984	* | ASCONF Parameter Response#N |
2985	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2986	*
2987	* Create an ASCONF_ACK chunk with enough space for the parameter responses.
2988	*/
2989	static struct sctp_chunk *sctp_make_asconf_ack(const struct sctp_association *asoc,
2990	__u32 serial, int vparam_len)
2991	{
2992	struct sctp_addiphdr asconf;
2993	struct sctp_chunk *retval;
2994	int length = sizeof(asconf) + vparam_len;
2995
2996	/* Create the chunk. */
2997	retval = sctp_make_control(asoc, type: SCTP_CID_ASCONF_ACK, flags: 0, paylen: length,
2998	GFP_ATOMIC);
2999	if (!retval)
3000	return NULL;
3001
3002	asconf.serial = htonl(serial);
3003
3004	retval->subh.addip_hdr =
3005	sctp_addto_chunk(chunk: retval, len: sizeof(asconf), data: &asconf);
3006
3007	return retval;
3008	}
3009
3010	/* Add response parameters to an ASCONF_ACK chunk. */
3011	static void sctp_add_asconf_response(struct sctp_chunk *chunk, __be32 crr_id,
3012	__be16 err_code,
3013	struct sctp_addip_param *asconf_param)
3014	{
3015	struct sctp_addip_param ack_param;
3016	struct sctp_errhdr err_param;
3017	int asconf_param_len = 0;
3018	int err_param_len = 0;
3019	__be16 response_type;
3020
3021	if (SCTP_ERROR_NO_ERROR == err_code) {
3022	response_type = SCTP_PARAM_SUCCESS_REPORT;
3023	} else {
3024	response_type = SCTP_PARAM_ERR_CAUSE;
3025	err_param_len = sizeof(err_param);
3026	if (asconf_param)
3027	asconf_param_len =
3028	ntohs(asconf_param->param_hdr.length);
3029	}
3030
3031	/* Add Success Indication or Error Cause Indication parameter. */
3032	ack_param.param_hdr.type = response_type;
3033	ack_param.param_hdr.length = htons(sizeof(ack_param) +
3034	err_param_len +
3035	asconf_param_len);
3036	ack_param.crr_id = crr_id;
3037	sctp_addto_chunk(chunk, len: sizeof(ack_param), data: &ack_param);
3038
3039	if (SCTP_ERROR_NO_ERROR == err_code)
3040	return;
3041
3042	/* Add Error Cause parameter. */
3043	err_param.cause = err_code;
3044	err_param.length = htons(err_param_len + asconf_param_len);
3045	sctp_addto_chunk(chunk, len: err_param_len, data: &err_param);
3046
3047	/* Add the failed TLV copied from ASCONF chunk. */
3048	if (asconf_param)
3049	sctp_addto_chunk(chunk, len: asconf_param_len, data: asconf_param);
3050	}
3051
3052	/* Process a asconf parameter. */
3053	static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
3054	struct sctp_chunk *asconf,
3055	struct sctp_addip_param *asconf_param)
3056	{
3057	union sctp_addr_param *addr_param;
3058	struct sctp_transport *peer;
3059	union sctp_addr addr;
3060	struct sctp_af *af;
3061
3062	addr_param = (void *)asconf_param + sizeof(*asconf_param);
3063
3064	if (asconf_param->param_hdr.type != SCTP_PARAM_ADD_IP &&
3065	asconf_param->param_hdr.type != SCTP_PARAM_DEL_IP &&
3066	asconf_param->param_hdr.type != SCTP_PARAM_SET_PRIMARY)
3067	return SCTP_ERROR_UNKNOWN_PARAM;
3068
3069	switch (addr_param->p.type) {
3070	case SCTP_PARAM_IPV6_ADDRESS:
3071	if (!asoc->peer.ipv6_address)
3072	return SCTP_ERROR_DNS_FAILED;
3073	break;
3074	case SCTP_PARAM_IPV4_ADDRESS:
3075	if (!asoc->peer.ipv4_address)
3076	return SCTP_ERROR_DNS_FAILED;
3077	break;
3078	default:
3079	return SCTP_ERROR_DNS_FAILED;
3080	}
3081
3082	af = sctp_get_af_specific(param_type2af(type: addr_param->p.type));
3083	if (unlikely(!af))
3084	return SCTP_ERROR_DNS_FAILED;
3085
3086	if (!af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0))
3087	return SCTP_ERROR_DNS_FAILED;
3088
3089	/* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast
3090	* or multicast address.
3091	* (note: wildcard is permitted and requires special handling so
3092	* make sure we check for that)
3093	*/
3094	if (!af->is_any(&addr) && !af->addr_valid(&addr, NULL, asconf->skb))
3095	return SCTP_ERROR_DNS_FAILED;
3096
3097	switch (asconf_param->param_hdr.type) {
3098	case SCTP_PARAM_ADD_IP:
3099	/* Section 4.2.1:
3100	* If the address 0.0.0.0 or ::0 is provided, the source
3101	* address of the packet MUST be added.
3102	*/
3103	if (af->is_any(&addr))
3104	memcpy(&addr, &asconf->source, sizeof(addr));
3105
3106	if (security_sctp_bind_connect(sk: asoc->ep->base.sk,
3107	optname: SCTP_PARAM_ADD_IP,
3108	address: (struct sockaddr *)&addr,
3109	addrlen: af->sockaddr_len))
3110	return SCTP_ERROR_REQ_REFUSED;
3111
3112	/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
3113	* request and does not have the local resources to add this
3114	* new address to the association, it MUST return an Error
3115	* Cause TLV set to the new error code 'Operation Refused
3116	* Due to Resource Shortage'.
3117	*/
3118
3119	peer = sctp_assoc_add_peer(asoc, address: &addr, GFP_ATOMIC, peer_state: SCTP_UNCONFIRMED);
3120	if (!peer)
3121	return SCTP_ERROR_RSRC_LOW;
3122
3123	/* Start the heartbeat timer. */
3124	sctp_transport_reset_hb_timer(peer);
3125	asoc->new_transport = peer;
3126	break;
3127	case SCTP_PARAM_DEL_IP:
3128	/* ADDIP 4.3 D7) If a request is received to delete the
3129	* last remaining IP address of a peer endpoint, the receiver
3130	* MUST send an Error Cause TLV with the error cause set to the
3131	* new error code 'Request to Delete Last Remaining IP Address'.
3132	*/
3133	if (asoc->peer.transport_count == 1)
3134	return SCTP_ERROR_DEL_LAST_IP;
3135
3136	/* ADDIP 4.3 D8) If a request is received to delete an IP
3137	* address which is also the source address of the IP packet
3138	* which contained the ASCONF chunk, the receiver MUST reject
3139	* this request. To reject the request the receiver MUST send
3140	* an Error Cause TLV set to the new error code 'Request to
3141	* Delete Source IP Address'
3142	*/
3143	if (sctp_cmp_addr_exact(ss1: &asconf->source, ss2: &addr))
3144	return SCTP_ERROR_DEL_SRC_IP;
3145
3146	/* Section 4.2.2
3147	* If the address 0.0.0.0 or ::0 is provided, all
3148	* addresses of the peer except the source address of the
3149	* packet MUST be deleted.
3150	*/
3151	if (af->is_any(&addr)) {
3152	sctp_assoc_set_primary(asoc, asconf->transport);
3153	sctp_assoc_del_nonprimary_peers(asoc,
3154	asconf->transport);
3155	return SCTP_ERROR_NO_ERROR;
3156	}
3157
3158	/* If the address is not part of the association, the
3159	* ASCONF-ACK with Error Cause Indication Parameter
3160	* which including cause of Unresolvable Address should
3161	* be sent.
3162	*/
3163	peer = sctp_assoc_lookup_paddr(asoc, &addr);
3164	if (!peer)
3165	return SCTP_ERROR_DNS_FAILED;
3166
3167	sctp_assoc_rm_peer(asoc, peer);
3168	break;
3169	case SCTP_PARAM_SET_PRIMARY:
3170	/* ADDIP Section 4.2.4
3171	* If the address 0.0.0.0 or ::0 is provided, the receiver
3172	* MAY mark the source address of the packet as its
3173	* primary.
3174	*/
3175	if (af->is_any(&addr))
3176	memcpy(&addr, sctp_source(asconf), sizeof(addr));
3177
3178	if (security_sctp_bind_connect(sk: asoc->ep->base.sk,
3179	optname: SCTP_PARAM_SET_PRIMARY,
3180	address: (struct sockaddr *)&addr,
3181	addrlen: af->sockaddr_len))
3182	return SCTP_ERROR_REQ_REFUSED;
3183
3184	peer = sctp_assoc_lookup_paddr(asoc, &addr);
3185	if (!peer)
3186	return SCTP_ERROR_DNS_FAILED;
3187
3188	sctp_assoc_set_primary(asoc, peer);
3189	break;
3190	}
3191
3192	return SCTP_ERROR_NO_ERROR;
3193	}
3194
3195	/* Verify the ASCONF packet before we process it. */
3196	bool sctp_verify_asconf(const struct sctp_association *asoc,
3197	struct sctp_chunk *chunk, bool addr_param_needed,
3198	struct sctp_paramhdr **errp)
3199	{
3200	struct sctp_addip_chunk *addip;
3201	bool addr_param_seen = false;
3202	union sctp_params param;
3203
3204	addip = (struct sctp_addip_chunk *)chunk->chunk_hdr;
3205	sctp_walk_params(param, addip) {
3206	size_t length = ntohs(param.p->length);
3207
3208	*errp = param.p;
3209	switch (param.p->type) {
3210	case SCTP_PARAM_ERR_CAUSE:
3211	break;
3212	case SCTP_PARAM_IPV4_ADDRESS:
3213	if (length != sizeof(struct sctp_ipv4addr_param))
3214	return false;
3215	/* ensure there is only one addr param and it's in the
3216	* beginning of addip_hdr params, or we reject it.
3217	*/
3218	if (param.v != (addip + 1))
3219	return false;
3220	addr_param_seen = true;
3221	break;
3222	case SCTP_PARAM_IPV6_ADDRESS:
3223	if (length != sizeof(struct sctp_ipv6addr_param))
3224	return false;
3225	if (param.v != (addip + 1))
3226	return false;
3227	addr_param_seen = true;
3228	break;
3229	case SCTP_PARAM_ADD_IP:
3230	case SCTP_PARAM_DEL_IP:
3231	case SCTP_PARAM_SET_PRIMARY:
3232	/* In ASCONF chunks, these need to be first. */
3233	if (addr_param_needed && !addr_param_seen)
3234	return false;
3235	length = ntohs(param.addip->param_hdr.length);
3236	if (length < sizeof(struct sctp_addip_param) +
3237	sizeof(**errp))
3238	return false;
3239	break;
3240	case SCTP_PARAM_SUCCESS_REPORT:
3241	case SCTP_PARAM_ADAPTATION_LAYER_IND:
3242	if (length != sizeof(struct sctp_addip_param))
3243	return false;
3244	break;
3245	default:
3246	/* This is unknown to us, reject! */
3247	return false;
3248	}
3249	}
3250
3251	/* Remaining sanity checks. */
3252	if (addr_param_needed && !addr_param_seen)
3253	return false;
3254	if (!addr_param_needed && addr_param_seen)
3255	return false;
3256	if (param.v != chunk->chunk_end)
3257	return false;
3258
3259	return true;
3260	}
3261
3262	/* Process an incoming ASCONF chunk with the next expected serial no. and
3263	* return an ASCONF_ACK chunk to be sent in response.
3264	*/
3265	struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
3266	struct sctp_chunk *asconf)
3267	{
3268	union sctp_addr_param *addr_param;
3269	struct sctp_addip_chunk *addip;
3270	struct sctp_chunk *asconf_ack;
3271	bool all_param_pass = true;
3272	struct sctp_addiphdr *hdr;
3273	int length = 0, chunk_len;
3274	union sctp_params param;
3275	__be16 err_code;
3276	__u32 serial;
3277
3278	addip = (struct sctp_addip_chunk *)asconf->chunk_hdr;
3279	chunk_len = ntohs(asconf->chunk_hdr->length) -
3280	sizeof(struct sctp_chunkhdr);
3281	hdr = (struct sctp_addiphdr *)asconf->skb->data;
3282	serial = ntohl(hdr->serial);
3283
3284	/* Skip the addiphdr and store a pointer to address parameter. */
3285	length = sizeof(*hdr);
3286	addr_param = (union sctp_addr_param *)(asconf->skb->data + length);
3287	chunk_len -= length;
3288
3289	/* Skip the address parameter and store a pointer to the first
3290	* asconf parameter.
3291	*/
3292	length = ntohs(addr_param->p.length);
3293	chunk_len -= length;
3294
3295	/* create an ASCONF_ACK chunk.
3296	* Based on the definitions of parameters, we know that the size of
3297	* ASCONF_ACK parameters are less than or equal to the fourfold of ASCONF
3298	* parameters.
3299	*/
3300	asconf_ack = sctp_make_asconf_ack(asoc, serial, vparam_len: chunk_len * 4);
3301	if (!asconf_ack)
3302	goto done;
3303
3304	/* Process the TLVs contained within the ASCONF chunk. */
3305	sctp_walk_params(param, addip) {
3306	/* Skip preceding address parameters. */
3307	if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
3308	param.p->type == SCTP_PARAM_IPV6_ADDRESS)
3309	continue;
3310
3311	err_code = sctp_process_asconf_param(asoc, asconf,
3312	asconf_param: param.addip);
3313	/* ADDIP 4.1 A7)
3314	* If an error response is received for a TLV parameter,
3315	* all TLVs with no response before the failed TLV are
3316	* considered successful if not reported. All TLVs after
3317	* the failed response are considered unsuccessful unless
3318	* a specific success indication is present for the parameter.
3319	*/
3320	if (err_code != SCTP_ERROR_NO_ERROR)
3321	all_param_pass = false;
3322	if (!all_param_pass)
3323	sctp_add_asconf_response(chunk: asconf_ack, crr_id: param.addip->crr_id,
3324	err_code, asconf_param: param.addip);
3325
3326	/* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
3327	* an IP address sends an 'Out of Resource' in its response, it
3328	* MUST also fail any subsequent add or delete requests bundled
3329	* in the ASCONF.
3330	*/
3331	if (err_code == SCTP_ERROR_RSRC_LOW)
3332	goto done;
3333	}
3334	done:
3335	asoc->peer.addip_serial++;
3336
3337	/* If we are sending a new ASCONF_ACK hold a reference to it in assoc
3338	* after freeing the reference to old asconf ack if any.
3339	*/
3340	if (asconf_ack) {
3341	sctp_chunk_hold(ch: asconf_ack);
3342	list_add_tail(new: &asconf_ack->transmitted_list,
3343	head: &asoc->asconf_ack_list);
3344	}
3345
3346	return asconf_ack;
3347	}
3348
3349	/* Process a asconf parameter that is successfully acked. */
3350	static void sctp_asconf_param_success(struct sctp_association *asoc,
3351	struct sctp_addip_param *asconf_param)
3352	{
3353	struct sctp_bind_addr *bp = &asoc->base.bind_addr;
3354	union sctp_addr_param *addr_param;
3355	struct sctp_sockaddr_entry *saddr;
3356	struct sctp_transport *transport;
3357	union sctp_addr addr;
3358	struct sctp_af *af;
3359
3360	addr_param = (void *)asconf_param + sizeof(*asconf_param);
3361
3362	/* We have checked the packet before, so we do not check again. */
3363	af = sctp_get_af_specific(param_type2af(type: addr_param->p.type));
3364	if (!af->from_addr_param(&addr, addr_param, htons(bp->port), 0))
3365	return;
3366
3367	switch (asconf_param->param_hdr.type) {
3368	case SCTP_PARAM_ADD_IP:
3369	/* This is always done in BH context with a socket lock
3370	* held, so the list can not change.
3371	*/
3372	local_bh_disable();
3373	list_for_each_entry(saddr, &bp->address_list, list) {
3374	if (sctp_cmp_addr_exact(ss1: &saddr->a, ss2: &addr))
3375	saddr->state = SCTP_ADDR_SRC;
3376	}
3377	local_bh_enable();
3378	list_for_each_entry(transport, &asoc->peer.transport_addr_list,
3379	transports) {
3380	sctp_transport_dst_release(t: transport);
3381	}
3382	break;
3383	case SCTP_PARAM_DEL_IP:
3384	local_bh_disable();
3385	sctp_del_bind_addr(bp, &addr);
3386	if (asoc->asconf_addr_del_pending != NULL &&
3387	sctp_cmp_addr_exact(ss1: asoc->asconf_addr_del_pending, ss2: &addr)) {
3388	kfree(objp: asoc->asconf_addr_del_pending);
3389	asoc->asconf_addr_del_pending = NULL;
3390	}
3391	local_bh_enable();
3392	list_for_each_entry(transport, &asoc->peer.transport_addr_list,
3393	transports) {
3394	sctp_transport_dst_release(t: transport);
3395	}
3396	break;
3397	default:
3398	break;
3399	}
3400	}
3401
3402	/* Get the corresponding ASCONF response error code from the ASCONF_ACK chunk
3403	* for the given asconf parameter. If there is no response for this parameter,
3404	* return the error code based on the third argument 'no_err'.
3405	* ADDIP 4.1
3406	* A7) If an error response is received for a TLV parameter, all TLVs with no
3407	* response before the failed TLV are considered successful if not reported.
3408	* All TLVs after the failed response are considered unsuccessful unless a
3409	* specific success indication is present for the parameter.
3410	*/
3411	static __be16 sctp_get_asconf_response(struct sctp_chunk *asconf_ack,
3412	struct sctp_addip_param *asconf_param,
3413	int no_err)
3414	{
3415	struct sctp_addip_param *asconf_ack_param;
3416	struct sctp_errhdr *err_param;
3417	int asconf_ack_len;
3418	__be16 err_code;
3419	int length;
3420
3421	if (no_err)
3422	err_code = SCTP_ERROR_NO_ERROR;
3423	else
3424	err_code = SCTP_ERROR_REQ_REFUSED;
3425
3426	asconf_ack_len = ntohs(asconf_ack->chunk_hdr->length) -
3427	sizeof(struct sctp_chunkhdr);
3428
3429	/* Skip the addiphdr from the asconf_ack chunk and store a pointer to
3430	* the first asconf_ack parameter.
3431	*/
3432	length = sizeof(struct sctp_addiphdr);
3433	asconf_ack_param = (struct sctp_addip_param *)(asconf_ack->skb->data +
3434	length);
3435	asconf_ack_len -= length;
3436
3437	while (asconf_ack_len > 0) {
3438	if (asconf_ack_param->crr_id == asconf_param->crr_id) {
3439	switch (asconf_ack_param->param_hdr.type) {
3440	case SCTP_PARAM_SUCCESS_REPORT:
3441	return SCTP_ERROR_NO_ERROR;
3442	case SCTP_PARAM_ERR_CAUSE:
3443	length = sizeof(*asconf_ack_param);
3444	err_param = (void *)asconf_ack_param + length;
3445	asconf_ack_len -= length;
3446	if (asconf_ack_len > 0)
3447	return err_param->cause;
3448	else
3449	return SCTP_ERROR_INV_PARAM;
3450	break;
3451	default:
3452	return SCTP_ERROR_INV_PARAM;
3453	}
3454	}
3455
3456	length = ntohs(asconf_ack_param->param_hdr.length);
3457	asconf_ack_param = (void *)asconf_ack_param + length;
3458	asconf_ack_len -= length;
3459	}
3460
3461	return err_code;
3462	}
3463
3464	/* Process an incoming ASCONF_ACK chunk against the cached last ASCONF chunk. */
3465	int sctp_process_asconf_ack(struct sctp_association *asoc,
3466	struct sctp_chunk *asconf_ack)
3467	{
3468	struct sctp_chunk *asconf = asoc->addip_last_asconf;
3469	struct sctp_addip_param *asconf_param;
3470	__be16 err_code = SCTP_ERROR_NO_ERROR;
3471	union sctp_addr_param *addr_param;
3472	int asconf_len = asconf->skb->len;
3473	int all_param_pass = 0;
3474	int length = 0;
3475	int no_err = 1;
3476	int retval = 0;
3477
3478	/* Skip the chunkhdr and addiphdr from the last asconf sent and store
3479	* a pointer to address parameter.
3480	*/
3481	length = sizeof(struct sctp_addip_chunk);
3482	addr_param = (union sctp_addr_param *)(asconf->skb->data + length);
3483	asconf_len -= length;
3484
3485	/* Skip the address parameter in the last asconf sent and store a
3486	* pointer to the first asconf parameter.
3487	*/
3488	length = ntohs(addr_param->p.length);
3489	asconf_param = (void *)addr_param + length;
3490	asconf_len -= length;
3491
3492	/* ADDIP 4.1
3493	* A8) If there is no response(s) to specific TLV parameter(s), and no
3494	* failures are indicated, then all request(s) are considered
3495	* successful.
3496	*/
3497	if (asconf_ack->skb->len == sizeof(struct sctp_addiphdr))
3498	all_param_pass = 1;
3499
3500	/* Process the TLVs contained in the last sent ASCONF chunk. */
3501	while (asconf_len > 0) {
3502	if (all_param_pass)
3503	err_code = SCTP_ERROR_NO_ERROR;
3504	else {
3505	err_code = sctp_get_asconf_response(asconf_ack,
3506	asconf_param,
3507	no_err);
3508	if (no_err && (SCTP_ERROR_NO_ERROR != err_code))
3509	no_err = 0;
3510	}
3511
3512	switch (err_code) {
3513	case SCTP_ERROR_NO_ERROR:
3514	sctp_asconf_param_success(asoc, asconf_param);
3515	break;
3516
3517	case SCTP_ERROR_RSRC_LOW:
3518	retval = 1;
3519	break;
3520
3521	case SCTP_ERROR_UNKNOWN_PARAM:
3522	/* Disable sending this type of asconf parameter in
3523	* future.
3524	*/
3525	asoc->peer.addip_disabled_mask |=
3526	asconf_param->param_hdr.type;
3527	break;
3528
3529	case SCTP_ERROR_REQ_REFUSED:
3530	case SCTP_ERROR_DEL_LAST_IP:
3531	case SCTP_ERROR_DEL_SRC_IP:
3532	default:
3533	break;
3534	}
3535
3536	/* Skip the processed asconf parameter and move to the next
3537	* one.
3538	*/
3539	length = ntohs(asconf_param->param_hdr.length);
3540	asconf_param = (void *)asconf_param + length;
3541	asconf_len -= length;
3542	}
3543
3544	if (no_err && asoc->src_out_of_asoc_ok) {
3545	asoc->src_out_of_asoc_ok = 0;
3546	sctp_transport_immediate_rtx(asoc->peer.primary_path);
3547	}
3548
3549	/* Free the cached last sent asconf chunk. */
3550	list_del_init(entry: &asconf->transmitted_list);
3551	sctp_chunk_free(chunk: asconf);
3552	asoc->addip_last_asconf = NULL;
3553
3554	return retval;
3555	}
3556
3557	/* Make a FWD TSN chunk. */
3558	struct sctp_chunk *sctp_make_fwdtsn(const struct sctp_association *asoc,
3559	__u32 new_cum_tsn, size_t nstreams,
3560	struct sctp_fwdtsn_skip *skiplist)
3561	{
3562	struct sctp_chunk *retval = NULL;
3563	struct sctp_fwdtsn_hdr ftsn_hdr;
3564	struct sctp_fwdtsn_skip skip;
3565	size_t hint;
3566	int i;
3567
3568	hint = (nstreams + 1) * sizeof(__u32);
3569
3570	retval = sctp_make_control(asoc, type: SCTP_CID_FWD_TSN, flags: 0, paylen: hint, GFP_ATOMIC);
3571
3572	if (!retval)
3573	return NULL;
3574
3575	ftsn_hdr.new_cum_tsn = htonl(new_cum_tsn);
3576	retval->subh.fwdtsn_hdr =
3577	sctp_addto_chunk(chunk: retval, len: sizeof(ftsn_hdr), data: &ftsn_hdr);
3578
3579	for (i = 0; i < nstreams; i++) {
3580	skip.stream = skiplist[i].stream;
3581	skip.ssn = skiplist[i].ssn;
3582	sctp_addto_chunk(chunk: retval, len: sizeof(skip), data: &skip);
3583	}
3584
3585	return retval;
3586	}
3587
3588	struct sctp_chunk *sctp_make_ifwdtsn(const struct sctp_association *asoc,
3589	__u32 new_cum_tsn, size_t nstreams,
3590	struct sctp_ifwdtsn_skip *skiplist)
3591	{
3592	struct sctp_chunk *retval = NULL;
3593	struct sctp_ifwdtsn_hdr ftsn_hdr;
3594	size_t hint;
3595
3596	hint = (nstreams + 1) * sizeof(__u32);
3597
3598	retval = sctp_make_control(asoc, type: SCTP_CID_I_FWD_TSN, flags: 0, paylen: hint,
3599	GFP_ATOMIC);
3600	if (!retval)
3601	return NULL;
3602
3603	ftsn_hdr.new_cum_tsn = htonl(new_cum_tsn);
3604	retval->subh.ifwdtsn_hdr =
3605	sctp_addto_chunk(chunk: retval, len: sizeof(ftsn_hdr), data: &ftsn_hdr);
3606
3607	sctp_addto_chunk(chunk: retval, len: nstreams * sizeof(skiplist[0]), data: skiplist);
3608
3609	return retval;
3610	}
3611
3612	/* RE-CONFIG 3.1 (RE-CONFIG chunk)
3613	* 0 1 2 3
3614	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3615	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3616	* | Type = 130 | Chunk Flags | Chunk Length |
3617	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3618	* \ \
3619	* / Re-configuration Parameter /
3620	* \ \
3621	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3622	* \ \
3623	* / Re-configuration Parameter (optional) /
3624	* \ \
3625	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3626	*/
3627	static struct sctp_chunk *sctp_make_reconf(const struct sctp_association *asoc,
3628	int length)
3629	{
3630	struct sctp_reconf_chunk *reconf;
3631	struct sctp_chunk *retval;
3632
3633	retval = sctp_make_control(asoc, type: SCTP_CID_RECONF, flags: 0, paylen: length,
3634	GFP_ATOMIC);
3635	if (!retval)
3636	return NULL;
3637
3638	reconf = (struct sctp_reconf_chunk *)retval->chunk_hdr;
3639	retval->param_hdr.v = (u8 *)(reconf + 1);
3640
3641	return retval;
3642	}
3643
3644	/* RE-CONFIG 4.1 (STREAM OUT RESET)
3645	* 0 1 2 3
3646	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3647	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3648	* | Parameter Type = 13 | Parameter Length = 16 + 2 * N |
3649	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3650	* | Re-configuration Request Sequence Number |
3651	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3652	* | Re-configuration Response Sequence Number |
3653	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3654	* | Sender's Last Assigned TSN |
3655	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3656	* | Stream Number 1 (optional) | Stream Number 2 (optional) |
3657	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3658	* / ...... /
3659	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3660	* | Stream Number N-1 (optional) | Stream Number N (optional) |
3661	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3662	*
3663	* RE-CONFIG 4.2 (STREAM IN RESET)
3664	* 0 1 2 3
3665	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3666	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3667	* | Parameter Type = 14 | Parameter Length = 8 + 2 * N |
3668	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3669	* | Re-configuration Request Sequence Number |
3670	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3671	* | Stream Number 1 (optional) | Stream Number 2 (optional) |
3672	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3673	* / ...... /
3674	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3675	* | Stream Number N-1 (optional) | Stream Number N (optional) |
3676	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3677	*/
3678	struct sctp_chunk *sctp_make_strreset_req(
3679	const struct sctp_association *asoc,
3680	__u16 stream_num, __be16 *stream_list,
3681	bool out, bool in)
3682	{
3683	__u16 stream_len = stream_num * sizeof(__u16);
3684	struct sctp_strreset_outreq outreq;
3685	struct sctp_strreset_inreq inreq;
3686	struct sctp_chunk *retval;
3687	__u16 outlen, inlen;
3688
3689	outlen = (sizeof(outreq) + stream_len) * out;
3690	inlen = (sizeof(inreq) + stream_len) * in;
3691
3692	retval = sctp_make_reconf(asoc, SCTP_PAD4(outlen) + SCTP_PAD4(inlen));
3693	if (!retval)
3694	return NULL;
3695
3696	if (outlen) {
3697	outreq.param_hdr.type = SCTP_PARAM_RESET_OUT_REQUEST;
3698	outreq.param_hdr.length = htons(outlen);
3699	outreq.request_seq = htonl(asoc->strreset_outseq);
3700	outreq.response_seq = htonl(asoc->strreset_inseq - 1);
3701	outreq.send_reset_at_tsn = htonl(asoc->next_tsn - 1);
3702
3703	sctp_addto_chunk(chunk: retval, len: sizeof(outreq), data: &outreq);
3704
3705	if (stream_len)
3706	sctp_addto_chunk(chunk: retval, len: stream_len, data: stream_list);
3707	}
3708
3709	if (inlen) {
3710	inreq.param_hdr.type = SCTP_PARAM_RESET_IN_REQUEST;
3711	inreq.param_hdr.length = htons(inlen);
3712	inreq.request_seq = htonl(asoc->strreset_outseq + out);
3713
3714	sctp_addto_chunk(chunk: retval, len: sizeof(inreq), data: &inreq);
3715
3716	if (stream_len)
3717	sctp_addto_chunk(chunk: retval, len: stream_len, data: stream_list);
3718	}
3719
3720	return retval;
3721	}
3722
3723	/* RE-CONFIG 4.3 (SSN/TSN RESET ALL)
3724	* 0 1 2 3
3725	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3726	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3727	* | Parameter Type = 15 | Parameter Length = 8 |
3728	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3729	* | Re-configuration Request Sequence Number |
3730	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3731	*/
3732	struct sctp_chunk *sctp_make_strreset_tsnreq(
3733	const struct sctp_association *asoc)
3734	{
3735	struct sctp_strreset_tsnreq tsnreq;
3736	__u16 length = sizeof(tsnreq);
3737	struct sctp_chunk *retval;
3738
3739	retval = sctp_make_reconf(asoc, length);
3740	if (!retval)
3741	return NULL;
3742
3743	tsnreq.param_hdr.type = SCTP_PARAM_RESET_TSN_REQUEST;
3744	tsnreq.param_hdr.length = htons(length);
3745	tsnreq.request_seq = htonl(asoc->strreset_outseq);
3746
3747	sctp_addto_chunk(chunk: retval, len: sizeof(tsnreq), data: &tsnreq);
3748
3749	return retval;
3750	}
3751
3752	/* RE-CONFIG 4.5/4.6 (ADD STREAM)
3753	* 0 1 2 3
3754	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3755	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3756	* | Parameter Type = 17 | Parameter Length = 12 |
3757	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3758	* | Re-configuration Request Sequence Number |
3759	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3760	* | Number of new streams | Reserved |
3761	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3762	*/
3763	struct sctp_chunk *sctp_make_strreset_addstrm(
3764	const struct sctp_association *asoc,
3765	__u16 out, __u16 in)
3766	{
3767	struct sctp_strreset_addstrm addstrm;
3768	__u16 size = sizeof(addstrm);
3769	struct sctp_chunk *retval;
3770
3771	retval = sctp_make_reconf(asoc, length: (!!out + !!in) * size);
3772	if (!retval)
3773	return NULL;
3774
3775	if (out) {
3776	addstrm.param_hdr.type = SCTP_PARAM_RESET_ADD_OUT_STREAMS;
3777	addstrm.param_hdr.length = htons(size);
3778	addstrm.number_of_streams = htons(out);
3779	addstrm.request_seq = htonl(asoc->strreset_outseq);
3780	addstrm.reserved = 0;
3781
3782	sctp_addto_chunk(chunk: retval, len: size, data: &addstrm);
3783	}
3784
3785	if (in) {
3786	addstrm.param_hdr.type = SCTP_PARAM_RESET_ADD_IN_STREAMS;
3787	addstrm.param_hdr.length = htons(size);
3788	addstrm.number_of_streams = htons(in);
3789	addstrm.request_seq = htonl(asoc->strreset_outseq + !!out);
3790	addstrm.reserved = 0;
3791
3792	sctp_addto_chunk(chunk: retval, len: size, data: &addstrm);
3793	}
3794
3795	return retval;
3796	}
3797
3798	/* RE-CONFIG 4.4 (RESP)
3799	* 0 1 2 3
3800	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3801	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3802	* | Parameter Type = 16 | Parameter Length |
3803	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3804	* | Re-configuration Response Sequence Number |
3805	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3806	* | Result |
3807	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3808	*/
3809	struct sctp_chunk *sctp_make_strreset_resp(const struct sctp_association *asoc,
3810	__u32 result, __u32 sn)
3811	{
3812	struct sctp_strreset_resp resp;
3813	__u16 length = sizeof(resp);
3814	struct sctp_chunk *retval;
3815
3816	retval = sctp_make_reconf(asoc, length);
3817	if (!retval)
3818	return NULL;
3819
3820	resp.param_hdr.type = SCTP_PARAM_RESET_RESPONSE;
3821	resp.param_hdr.length = htons(length);
3822	resp.response_seq = htonl(sn);
3823	resp.result = htonl(result);
3824
3825	sctp_addto_chunk(chunk: retval, len: sizeof(resp), data: &resp);
3826
3827	return retval;
3828	}
3829
3830	/* RE-CONFIG 4.4 OPTIONAL (TSNRESP)
3831	* 0 1 2 3
3832	* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3833	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3834	* | Parameter Type = 16 | Parameter Length |
3835	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3836	* | Re-configuration Response Sequence Number |
3837	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3838	* | Result |
3839	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3840	* | Sender's Next TSN (optional) |
3841	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3842	* | Receiver's Next TSN (optional) |
3843	* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3844	*/
3845	struct sctp_chunk *sctp_make_strreset_tsnresp(struct sctp_association *asoc,
3846	__u32 result, __u32 sn,
3847	__u32 sender_tsn,
3848	__u32 receiver_tsn)
3849	{
3850	struct sctp_strreset_resptsn tsnresp;
3851	__u16 length = sizeof(tsnresp);
3852	struct sctp_chunk *retval;
3853
3854	retval = sctp_make_reconf(asoc, length);
3855	if (!retval)
3856	return NULL;
3857
3858	tsnresp.param_hdr.type = SCTP_PARAM_RESET_RESPONSE;
3859	tsnresp.param_hdr.length = htons(length);
3860
3861	tsnresp.response_seq = htonl(sn);
3862	tsnresp.result = htonl(result);
3863	tsnresp.senders_next_tsn = htonl(sender_tsn);
3864	tsnresp.receivers_next_tsn = htonl(receiver_tsn);
3865
3866	sctp_addto_chunk(chunk: retval, len: sizeof(tsnresp), data: &tsnresp);
3867
3868	return retval;
3869	}
3870
3871	bool sctp_verify_reconf(const struct sctp_association *asoc,
3872	struct sctp_chunk *chunk,
3873	struct sctp_paramhdr **errp)
3874	{
3875	struct sctp_reconf_chunk *hdr;
3876	union sctp_params param;
3877	__be16 last = 0;
3878	__u16 cnt = 0;
3879
3880	hdr = (struct sctp_reconf_chunk *)chunk->chunk_hdr;
3881	sctp_walk_params(param, hdr) {
3882	__u16 length = ntohs(param.p->length);
3883
3884	*errp = param.p;
3885	if (cnt++ > 2)
3886	return false;
3887	switch (param.p->type) {
3888	case SCTP_PARAM_RESET_OUT_REQUEST:
3889	if (length < sizeof(struct sctp_strreset_outreq) ||
3890	(last && last != SCTP_PARAM_RESET_RESPONSE &&
3891	last != SCTP_PARAM_RESET_IN_REQUEST))
3892	return false;
3893	break;
3894	case SCTP_PARAM_RESET_IN_REQUEST:
3895	if (length < sizeof(struct sctp_strreset_inreq) ||
3896	(last && last != SCTP_PARAM_RESET_OUT_REQUEST))
3897	return false;
3898	break;
3899	case SCTP_PARAM_RESET_RESPONSE:
3900	if ((length != sizeof(struct sctp_strreset_resp) &&
3901	length != sizeof(struct sctp_strreset_resptsn)) ||
3902	(last && last != SCTP_PARAM_RESET_RESPONSE &&
3903	last != SCTP_PARAM_RESET_OUT_REQUEST))
3904	return false;
3905	break;
3906	case SCTP_PARAM_RESET_TSN_REQUEST:
3907	if (length !=
3908	sizeof(struct sctp_strreset_tsnreq) || last)
3909	return false;
3910	break;
3911	case SCTP_PARAM_RESET_ADD_IN_STREAMS:
3912	if (length != sizeof(struct sctp_strreset_addstrm) ||
3913	(last && last != SCTP_PARAM_RESET_ADD_OUT_STREAMS))
3914	return false;
3915	break;
3916	case SCTP_PARAM_RESET_ADD_OUT_STREAMS:
3917	if (length != sizeof(struct sctp_strreset_addstrm) ||
3918	(last && last != SCTP_PARAM_RESET_ADD_IN_STREAMS))
3919	return false;
3920	break;
3921	default:
3922	return false;
3923	}
3924
3925	last = param.p->type;
3926	}
3927
3928	return true;
3929	}
3930