ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1899

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	net/sctp/output.c
Line in file:	578
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-11 08:47:26 UTC
Source:

  1/* SCTP kernel implementation
  2 * (C) Copyright IBM Corp. 2001, 2004
  3 * Copyright (c) 1999-2000 Cisco, Inc.
  4 * Copyright (c) 1999-2001 Motorola, Inc.
  5 *
  6 * This file is part of the SCTP kernel implementation
  7 *
  8 * These functions handle output processing.
  9 *
 10 * This SCTP implementation is free software;
 11 * you can redistribute it and/or modify it under the terms of
 12 * the GNU General Public License as published by
 13 * the Free Software Foundation; either version 2, or (at your option)
 14 * any later version.
 15 *
 16 * This SCTP implementation is distributed in the hope that it
 17 * will be useful, but WITHOUT ANY WARRANTY; without even the implied
 18 *                 ************************
 19 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 20 * See the GNU General Public License for more details.
 21 *
 22 * You should have received a copy of the GNU General Public License
 23 * along with GNU CC; see the file COPYING.  If not, write to
 24 * the Free Software Foundation, 59 Temple Place - Suite 330,
 25 * Boston, MA 02111-1307, USA.
 26 *
 27 * Please send any bug reports or fixes you make to the
 28 * email address(es):
 29 *    lksctp developers <lksctp-developers@lists.sourceforge.net>
 30 *
 31 * Or submit a bug report through the following website:
 32 *    http://www.sf.net/projects/lksctp
 33 *
 34 * Written or modified by:
 35 *    La Monte H.P. Yarroll <piggy@acm.org>
 36 *    Karl Knutson          <karl@athena.chicago.il.us>
 37 *    Jon Grimm             <jgrimm@austin.ibm.com>
 38 *    Sridhar Samudrala     <sri@us.ibm.com>
 39 *
 40 * Any bugs reported given to us we will try to fix... any fixes shared will
 41 * be incorporated into the next SCTP release.
 42 */
 43
 44#include <linux/types.h>
 45#include <linux/kernel.h>
 46#include <linux/wait.h>
 47#include <linux/time.h>
 48#include <linux/ip.h>
 49#include <linux/ipv6.h>
 50#include <linux/init.h>
 51#include <net/inet_ecn.h>
 52#include <net/icmp.h>
 53#include <net/net_namespace.h>
 54
 55#ifndef TEST_FRAME
 56#include <net/tcp.h>
 57#endif /* TEST_FRAME (not defined) */
 58
 59#include <linux/socket.h> /* for sa_family_t */
 60#include <net/sock.h>
 61
 62#include <net/sctp/sctp.h>
 63#include <net/sctp/sm.h>
 64#include <net/sctp/checksum.h>
 65
 66/* Forward declarations for private helpers. */
 67static sctp_xmit_t sctp_packet_append_data(struct sctp_packet *packet,
 68                                           struct sctp_chunk *chunk);
 69
 70/* Config a packet.
 71 * This appears to be a followup set of initializations.
 72 */
 73struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
 74                                       __u32 vtag, int ecn_capable)
 75{
 76        struct sctp_chunk *chunk = NULL;
 77
 78        SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
 79                          packet, vtag);
 80
 81        packet->vtag = vtag;
 82        packet->has_cookie_echo = 0;
 83        packet->has_sack = 0;
 84        packet->has_auth = 0;
 85        packet->has_data = 0;
 86        packet->ipfragok = 0;
 87        packet->auth = NULL;
 88
 89        if (ecn_capable && sctp_packet_empty(packet)) {
 90                chunk = sctp_get_ecne_prepend(packet->transport->asoc);
 91
 92                /* If there a is a prepend chunk stick it on the list before
 93                 * any other chunks get appended.
 94                 */
 95                if (chunk)
 96                        sctp_packet_append_chunk(packet, chunk);
 97        }
 98
 99        return packet;
100}
101
102/* Initialize the packet structure. */
103struct sctp_packet *sctp_packet_init(struct sctp_packet *packet,
104                                     struct sctp_transport *transport,
105                                     __u16 sport, __u16 dport)
106{
107        struct sctp_association *asoc = transport->asoc;
108        size_t overhead;
109
110        SCTP_DEBUG_PRINTK("%s: packet:%p transport:%p\n", __func__,
111                          packet, transport);
112
113        packet->transport = transport;
114        packet->source_port = sport;
115        packet->destination_port = dport;
116        INIT_LIST_HEAD(&packet->chunk_list);
117        if (asoc) {
118                struct sctp_sock *sp = sctp_sk(asoc->base.sk);
119                overhead = sp->pf->af->net_header_len;
120        } else {
121                overhead = sizeof(struct ipv6hdr);
122        }
123        overhead += sizeof(struct sctphdr);
124        packet->overhead = overhead;
125        packet->size = overhead;
126        packet->vtag = 0;
127        packet->has_cookie_echo = 0;
128        packet->has_sack = 0;
129        packet->has_auth = 0;
130        packet->has_data = 0;
131        packet->ipfragok = 0;
132        packet->malloced = 0;
133        packet->auth = NULL;
134        return packet;
135}
136
137/* Free a packet.  */
138void sctp_packet_free(struct sctp_packet *packet)
139{
140        struct sctp_chunk *chunk, *tmp;
141
142        SCTP_DEBUG_PRINTK("%s: packet:%p\n", __func__, packet);
143
144        list_for_each_entry_safe(chunk, tmp, &packet->chunk_list, list) {
145                list_del_init(&chunk->list);
146                sctp_chunk_free(chunk);
147        }
148
149        if (packet->malloced)
150                kfree(packet);
151}
152
153/* This routine tries to append the chunk to the offered packet. If adding
154 * the chunk causes the packet to exceed the path MTU and COOKIE_ECHO chunk
155 * is not present in the packet, it transmits the input packet.
156 * Data can be bundled with a packet containing a COOKIE_ECHO chunk as long
157 * as it can fit in the packet, but any more data that does not fit in this
158 * packet can be sent only after receiving the COOKIE_ACK.
159 */
160sctp_xmit_t sctp_packet_transmit_chunk(struct sctp_packet *packet,
161                                       struct sctp_chunk *chunk,
162                                       int one_packet)
163{
164        sctp_xmit_t retval;
165        int error = 0;
166
167        SCTP_DEBUG_PRINTK("%s: packet:%p chunk:%p\n", __func__,
168                          packet, chunk);
169
170        switch ((retval = (sctp_packet_append_chunk(packet, chunk)))) {
171        case SCTP_XMIT_PMTU_FULL:
172                if (!packet->has_cookie_echo) {
173                        error = sctp_packet_transmit(packet);
174                        if (error < 0)
175                                chunk->skb->sk->sk_err = -error;
176
177                        /* If we have an empty packet, then we can NOT ever
178                         * return PMTU_FULL.
179                         */
180                        if (!one_packet)
181                                retval = sctp_packet_append_chunk(packet,
182                                                                  chunk);
183                }
184                break;
185
186        case SCTP_XMIT_RWND_FULL:
187        case SCTP_XMIT_OK:
188        case SCTP_XMIT_NAGLE_DELAY:
189                break;
190        }
191
192        return retval;
193}
194
195/* Try to bundle an auth chunk into the packet. */
196static sctp_xmit_t sctp_packet_bundle_auth(struct sctp_packet *pkt,
197                                           struct sctp_chunk *chunk)
198{
199        struct sctp_association *asoc = pkt->transport->asoc;
200        struct sctp_chunk *auth;
201        sctp_xmit_t retval = SCTP_XMIT_OK;
202
203        /* if we don't have an association, we can't do authentication */
204        if (!asoc)
205                return retval;
206
207        /* See if this is an auth chunk we are bundling or if
208         * auth is already bundled.
209         */
210        if (chunk->chunk_hdr->type == SCTP_CID_AUTH || pkt->auth)
211                return retval;
212
213        /* if the peer did not request this chunk to be authenticated,
214         * don't do it
215         */
216        if (!chunk->auth)
217                return retval;
218
219        auth = sctp_make_auth(asoc);
220        if (!auth)
221                return retval;
222
223        retval = sctp_packet_append_chunk(pkt, auth);
224
225        return retval;
226}
227
228/* Try to bundle a SACK with the packet. */
229static sctp_xmit_t sctp_packet_bundle_sack(struct sctp_packet *pkt,
230                                           struct sctp_chunk *chunk)
231{
232        sctp_xmit_t retval = SCTP_XMIT_OK;
233
234        /* If sending DATA and haven't aleady bundled a SACK, try to
235         * bundle one in to the packet.
236         */
237        if (sctp_chunk_is_data(chunk) && !pkt->has_sack &&
238            !pkt->has_cookie_echo) {
239                struct sctp_association *asoc;
240                asoc = pkt->transport->asoc;
241
242                if (asoc->a_rwnd > asoc->rwnd) {
243                        struct sctp_chunk *sack;
244                        asoc->a_rwnd = asoc->rwnd;
245                        sack = sctp_make_sack(asoc);
246                        if (sack) {
247                                struct timer_list *timer;
248                                retval = sctp_packet_append_chunk(pkt, sack);
249                                asoc->peer.sack_needed = 0;
250                                timer = &asoc->timers[SCTP_EVENT_TIMEOUT_SACK];
251                                if (timer_pending(timer) && del_timer(timer))
252                                        sctp_association_put(asoc);
253                        }
254                }
255        }
256        return retval;
257}
258
259/* Append a chunk to the offered packet reporting back any inability to do
260 * so.
261 */
262sctp_xmit_t sctp_packet_append_chunk(struct sctp_packet *packet,
263                                     struct sctp_chunk *chunk)
264{
265        sctp_xmit_t retval = SCTP_XMIT_OK;
266        __u16 chunk_len = WORD_ROUND(ntohs(chunk->chunk_hdr->length));
267        size_t psize;
268        size_t pmtu;
269        int too_big;
270
271        SCTP_DEBUG_PRINTK("%s: packet:%p chunk:%p\n", __func__, packet,
272                          chunk);
273
274        /* Try to bundle AUTH chunk */
275        retval = sctp_packet_bundle_auth(packet, chunk);
276        if (retval != SCTP_XMIT_OK)
277                goto finish;
278
279        /* Try to bundle SACK chunk */
280        retval = sctp_packet_bundle_sack(packet, chunk);
281        if (retval != SCTP_XMIT_OK)
282                goto finish;
283
284        psize = packet->size;
285        pmtu  = ((packet->transport->asoc) ?
286                 (packet->transport->asoc->pathmtu) :
287                 (packet->transport->pathmtu));
288
289        too_big = (psize + chunk_len > pmtu);
290
291        /* Decide if we need to fragment or resubmit later. */
292        if (too_big) {
293                /* It's OK to fragmet at IP level if any one of the following
294                 * is true:
295                 *         1. The packet is empty (meaning this chunk is greater
296                 *            the MTU)
297                 *         2. The chunk we are adding is a control chunk
298                 *         3. The packet doesn't have any data in it yet and data
299                 *         requires authentication.
300                 */
301                if (sctp_packet_empty(packet) || !sctp_chunk_is_data(chunk) ||
302                    (!packet->has_data && chunk->auth)) {
303                        /* We no longer do re-fragmentation.
304                         * Just fragment at the IP layer, if we
305                         * actually hit this condition
306                         */
307                        packet->ipfragok = 1;
308                        goto append;
309
310                } else {
311                        retval = SCTP_XMIT_PMTU_FULL;
312                        goto finish;
313                }
314        }
315
316append:
317        /* We believe that this chunk is OK to add to the packet (as
318         * long as we have the cwnd for it).
319         */
320
321        /* DATA is a special case since we must examine both rwnd and cwnd
322         * before we send DATA.
323         */
324        switch (chunk->chunk_hdr->type) {
325            case SCTP_CID_DATA:
326                retval = sctp_packet_append_data(packet, chunk);
327                /* Disallow SACK bundling after DATA. */
328                packet->has_sack = 1;
329                /* Disallow AUTH bundling after DATA */
330                packet->has_auth = 1;
331                /* Let it be knows that packet has DATA in it */
332                packet->has_data = 1;
333                if (SCTP_XMIT_OK != retval)
334                        goto finish;
335                break;
336            case SCTP_CID_COOKIE_ECHO:
337                packet->has_cookie_echo = 1;
338                break;
339
340            case SCTP_CID_SACK:
341                packet->has_sack = 1;
342                break;
343
344            case SCTP_CID_AUTH:
345                packet->has_auth = 1;
346                packet->auth = chunk;
347                break;
348        }
349
350        /* It is OK to send this chunk.  */
351        list_add_tail(&chunk->list, &packet->chunk_list);
352        packet->size += chunk_len;
353        chunk->transport = packet->transport;
354finish:
355        return retval;
356}
357
358/* All packets are sent to the network through this function from
359 * sctp_outq_tail().
360 *
361 * The return value is a normal kernel error return value.
362 */
363int sctp_packet_transmit(struct sctp_packet *packet)
364{
365        struct sctp_transport *tp = packet->transport;
366        struct sctp_association *asoc = tp->asoc;
367        struct sctphdr *sh;
368        __be32 crc32 = __constant_cpu_to_be32(0);
369        struct sk_buff *nskb;
370        struct sctp_chunk *chunk, *tmp;
371        struct sock *sk;
372        int err = 0;
373        int padding;                /* How much padding do we need?  */
374        __u8 has_data = 0;
375        struct dst_entry *dst = tp->dst;
376        unsigned char *auth = NULL;        /* pointer to auth in skb data */
377        __u32 cksum_buf_len = sizeof(struct sctphdr);
378
379        SCTP_DEBUG_PRINTK("%s: packet:%p\n", __func__, packet);
380
381        /* Do NOT generate a chunkless packet. */
382        if (list_empty(&packet->chunk_list))
383                return err;
384
385        /* Set up convenience variables... */
386        chunk = list_entry(packet->chunk_list.next, struct sctp_chunk, list);
387        sk = chunk->skb->sk;
388
389        /* Allocate the new skb.  */
390        nskb = alloc_skb(packet->size + LL_MAX_HEADER, GFP_ATOMIC);
391        if (!nskb)
392                goto nomem;
393
394        /* Make sure the outbound skb has enough header room reserved. */
395        skb_reserve(nskb, packet->overhead + LL_MAX_HEADER);
396
397        /* Set the owning socket so that we know where to get the
398         * destination IP address.
399         */
400        skb_set_owner_w(nskb, sk);
401
402        /* The 'obsolete' field of dst is set to 2 when a dst is freed. */
403        if (!dst || (dst->obsolete > 1)) {
404                dst_release(dst);
405                sctp_transport_route(tp, NULL, sctp_sk(sk));
406                if (asoc && (asoc->param_flags & SPP_PMTUD_ENABLE)) {
407                        sctp_assoc_sync_pmtu(asoc);
408                }
409        }
410        nskb->dst = dst_clone(tp->dst);
411        if (!nskb->dst)
412                goto no_route;
413        dst = nskb->dst;
414
415        /* Build the SCTP header.  */
416        sh = (struct sctphdr *)skb_push(nskb, sizeof(struct sctphdr));
417        sh->source = htons(packet->source_port);
418        sh->dest   = htons(packet->destination_port);
419
420        /* From 6.8 Adler-32 Checksum Calculation:
421         * After the packet is constructed (containing the SCTP common
422         * header and one or more control or DATA chunks), the
423         * transmitter shall:
424         *
425         * 1) Fill in the proper Verification Tag in the SCTP common
426         *    header and initialize the checksum field to 0's.
427         */
428        sh->vtag     = htonl(packet->vtag);
429        sh->checksum = 0;
430
431        /**
432         * 6.10 Bundling
433         *
434         *    An endpoint bundles chunks by simply including multiple
435         *    chunks in one outbound SCTP packet.  ...
436         */
437
438        /**
439         * 3.2  Chunk Field Descriptions
440         *
441         * The total length of a chunk (including Type, Length and
442         * Value fields) MUST be a multiple of 4 bytes.  If the length
443         * of the chunk is not a multiple of 4 bytes, the sender MUST
444         * pad the chunk with all zero bytes and this padding is not
445         * included in the chunk length field.  The sender should
446         * never pad with more than 3 bytes.
447         *
448         * [This whole comment explains WORD_ROUND() below.]
449         */
450        SCTP_DEBUG_PRINTK("***sctp_transmit_packet***\n");
451        list_for_each_entry_safe(chunk, tmp, &packet->chunk_list, list) {
452                list_del_init(&chunk->list);
453                if (sctp_chunk_is_data(chunk)) {
454
455                        if (!chunk->has_tsn) {
456                                sctp_chunk_assign_ssn(chunk);
457                                sctp_chunk_assign_tsn(chunk);
458
459                        /* 6.3.1 C4) When data is in flight and when allowed
460                         * by rule C5, a new RTT measurement MUST be made each
461                         * round trip.  Furthermore, new RTT measurements
462                         * SHOULD be made no more than once per round-trip
463                         * for a given destination transport address.
464                         */
465
466                                if (!tp->rto_pending) {
467                                        chunk->rtt_in_progress = 1;
468                                        tp->rto_pending = 1;
469                                }
470                        } else
471                                chunk->resent = 1;
472
473                        chunk->sent_at = jiffies;
474                        has_data = 1;
475                }
476
477                padding = WORD_ROUND(chunk->skb->len) - chunk->skb->len;
478                if (padding)
479                        memset(skb_put(chunk->skb, padding), 0, padding);
480
481                /* if this is the auth chunk that we are adding,
482                 * store pointer where it will be added and put
483                 * the auth into the packet.
484                 */
485                if (chunk == packet->auth)
486                        auth = skb_tail_pointer(nskb);
487
488                cksum_buf_len += chunk->skb->len;
489                memcpy(skb_put(nskb, chunk->skb->len),
490                               chunk->skb->data, chunk->skb->len);
491
492                SCTP_DEBUG_PRINTK("%s %p[%s] %s 0x%x, %s %d, %s %d, %s %d\n",
493                                  "*** Chunk", chunk,
494                                  sctp_cname(SCTP_ST_CHUNK(
495                                          chunk->chunk_hdr->type)),
496                                  chunk->has_tsn ? "TSN" : "No TSN",
497                                  chunk->has_tsn ?
498                                  ntohl(chunk->subh.data_hdr->tsn) : 0,
499                                  "length", ntohs(chunk->chunk_hdr->length),
500                                  "chunk->skb->len", chunk->skb->len,
501                                  "rtt_in_progress", chunk->rtt_in_progress);
502
503                /*
504                 * If this is a control chunk, this is our last
505                 * reference. Free data chunks after they've been
506                 * acknowledged or have failed.
507                 */
508                if (!sctp_chunk_is_data(chunk))
509                        sctp_chunk_free(chunk);
510        }
511
512        /* SCTP-AUTH, Section 6.2
513         *    The sender MUST calculate the MAC as described in RFC2104 [2]
514         *    using the hash function H as described by the MAC Identifier and
515         *    the shared association key K based on the endpoint pair shared key
516         *    described by the shared key identifier.  The 'data' used for the
517         *    computation of the AUTH-chunk is given by the AUTH chunk with its
518         *    HMAC field set to zero (as shown in Figure 6) followed by all
519         *    chunks that are placed after the AUTH chunk in the SCTP packet.
520         */
521        if (auth)
522                sctp_auth_calculate_hmac(asoc, nskb,
523                                        (struct sctp_auth_chunk *)auth,
524                                        GFP_ATOMIC);
525
526        /* 2) Calculate the Adler-32 checksum of the whole packet,
527         *    including the SCTP common header and all the
528         *    chunks.
529         *
530         * Note: Adler-32 is no longer applicable, as has been replaced
531         * by CRC32-C as described in <draft-ietf-tsvwg-sctpcsum-02.txt>.
532         */
533        if (!(dst->dev->features & NETIF_F_NO_CSUM)) {
534                crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
535                crc32 = sctp_end_cksum(crc32);
536        } else
537                nskb->ip_summed = CHECKSUM_UNNECESSARY;
538
539        /* 3) Put the resultant value into the checksum field in the
540         *    common header, and leave the rest of the bits unchanged.
541         */
542        sh->checksum = crc32;
543
544        /* IP layer ECN support
545         * From RFC 2481
546         *  "The ECN-Capable Transport (ECT) bit would be set by the
547         *   data sender to indicate that the end-points of the
548         *   transport protocol are ECN-capable."
549         *
550         * Now setting the ECT bit all the time, as it should not cause
551         * any problems protocol-wise even if our peer ignores it.
552         *
553         * Note: The works for IPv6 layer checks this bit too later
554         * in transmission.  See IP6_ECN_flow_xmit().
555         */
556        (*tp->af_specific->ecn_capable)(nskb->sk);
557
558        /* Set up the IP options.  */
559        /* BUG: not implemented
560         * For v4 this all lives somewhere in sk->sk_opt...
561         */
562
563        /* Dump that on IP!  */
564        if (asoc && asoc->peer.last_sent_to != tp) {
565                /* Considering the multiple CPU scenario, this is a
566                 * "correcter" place for last_sent_to.  --xguo
567                 */
568                asoc->peer.last_sent_to = tp;
569        }
570
571        if (has_data) {
572                struct timer_list *timer;
573                unsigned long timeout;
574
575                tp->last_time_used = jiffies;
576
577                /* Restart the AUTOCLOSE timer when sending data. */
578                if (sctp_state(asoc, ESTABLISHED) && asoc->autoclose) {
579                        timer = &asoc->timers[SCTP_EVENT_TIMEOUT_AUTOCLOSE];
580                        timeout = asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE];
581
582                        if (!mod_timer(timer, jiffies + timeout))
583                                sctp_association_hold(asoc);
584                }
585        }
586
587        SCTP_DEBUG_PRINTK("***sctp_transmit_packet*** skb len %d\n",
588                          nskb->len);
589
590        nskb->local_df = packet->ipfragok;
591        (*tp->af_specific->sctp_xmit)(nskb, tp);
592
593out:
594        packet->size = packet->overhead;
595        return err;
596no_route:
597        kfree_skb(nskb);
598        IP_INC_STATS_BH(&init_net, IPSTATS_MIB_OUTNOROUTES);
599
600        /* FIXME: Returning the 'err' will effect all the associations
601         * associated with a socket, although only one of the paths of the
602         * association is unreachable.
603         * The real failure of a transport or association can be passed on
604         * to the user via notifications. So setting this error may not be
605         * required.
606         */
607         /* err = -EHOSTUNREACH; */
608err:
609        /* Control chunks are unreliable so just drop them.  DATA chunks
610         * will get resent or dropped later.
611         */
612
613        list_for_each_entry_safe(chunk, tmp, &packet->chunk_list, list) {
614                list_del_init(&chunk->list);
615                if (!sctp_chunk_is_data(chunk))
616                        sctp_chunk_free(chunk);
617        }
618        goto out;
619nomem:
620        err = -ENOMEM;
621        goto err;
622}
623
624/********************************************************************
625 * 2nd Level Abstractions
626 ********************************************************************/
627
628/* This private function handles the specifics of appending DATA chunks.  */
629static sctp_xmit_t sctp_packet_append_data(struct sctp_packet *packet,
630                                           struct sctp_chunk *chunk)
631{
632        sctp_xmit_t retval = SCTP_XMIT_OK;
633        size_t datasize, rwnd, inflight;
634        struct sctp_transport *transport = packet->transport;
635        __u32 max_burst_bytes;
636        struct sctp_association *asoc = transport->asoc;
637        struct sctp_sock *sp = sctp_sk(asoc->base.sk);
638        struct sctp_outq *q = &asoc->outqueue;
639
640        /* RFC 2960 6.1  Transmission of DATA Chunks
641         *
642         * A) At any given time, the data sender MUST NOT transmit new data to
643         * any destination transport address if its peer's rwnd indicates
644         * that the peer has no buffer space (i.e. rwnd is 0, see Section
645         * 6.2.1).  However, regardless of the value of rwnd (including if it
646         * is 0), the data sender can always have one DATA chunk in flight to
647         * the receiver if allowed by cwnd (see rule B below).  This rule
648         * allows the sender to probe for a change in rwnd that the sender
649         * missed due to the SACK having been lost in transit from the data
650         * receiver to the data sender.
651         */
652
653        rwnd = asoc->peer.rwnd;
654        inflight = asoc->outqueue.outstanding_bytes;
655
656        datasize = sctp_data_size(chunk);
657
658        if (datasize > rwnd) {
659                if (inflight > 0) {
660                        /* We have (at least) one data chunk in flight,
661                         * so we can't fall back to rule 6.1 B).
662                         */
663                        retval = SCTP_XMIT_RWND_FULL;
664                        goto finish;
665                }
666        }
667
668        /* sctpimpguide-05 2.14.2
669         * D) When the time comes for the sender to
670         * transmit new DATA chunks, the protocol parameter Max.Burst MUST
671         * first be applied to limit how many new DATA chunks may be sent.
672         * The limit is applied by adjusting cwnd as follows:
673         *         if ((flightsize + Max.Burst * MTU) < cwnd)
674         *                cwnd = flightsize + Max.Burst * MTU
675         */
676        max_burst_bytes = asoc->max_burst * asoc->pathmtu;
677        if ((transport->flight_size + max_burst_bytes) < transport->cwnd) {
678                transport->cwnd = transport->flight_size + max_burst_bytes;
679                SCTP_DEBUG_PRINTK("%s: cwnd limited by max_burst: "
680                                  "transport: %p, cwnd: %d, "
681                                  "ssthresh: %d, flight_size: %d, "
682                                  "pba: %d\n",
683                                  __func__, transport,
684                                  transport->cwnd,
685                                  transport->ssthresh,
686                                  transport->flight_size,
687                                  transport->partial_bytes_acked);
688        }
689
690        /* RFC 2960 6.1  Transmission of DATA Chunks
691         *
692         * B) At any given time, the sender MUST NOT transmit new data
693         * to a given transport address if it has cwnd or more bytes
694         * of data outstanding to that transport address.
695         */
696        /* RFC 7.2.4 & the Implementers Guide 2.8.
697         *
698         * 3) ...
699         *    When a Fast Retransmit is being performed the sender SHOULD
700         *    ignore the value of cwnd and SHOULD NOT delay retransmission.
701         */
702        if (chunk->fast_retransmit != SCTP_NEED_FRTX)
703                if (transport->flight_size >= transport->cwnd) {
704                        retval = SCTP_XMIT_RWND_FULL;
705                        goto finish;
706                }
707
708        /* Nagle's algorithm to solve small-packet problem:
709         * Inhibit the sending of new chunks when new outgoing data arrives
710         * if any previously transmitted data on the connection remains
711         * unacknowledged.
712         */
713        if (!sp->nodelay && sctp_packet_empty(packet) &&
714            q->outstanding_bytes && sctp_state(asoc, ESTABLISHED)) {
715                unsigned len = datasize + q->out_qlen;
716
717                /* Check whether this chunk and all the rest of pending
718                 * data will fit or delay in hopes of bundling a full
719                 * sized packet.
720                 */
721                if (len < asoc->frag_point) {
722                        retval = SCTP_XMIT_NAGLE_DELAY;
723                        goto finish;
724                }
725        }
726
727        /* Keep track of how many bytes are in flight over this transport. */
728        transport->flight_size += datasize;
729
730        /* Keep track of how many bytes are in flight to the receiver. */
731        asoc->outqueue.outstanding_bytes += datasize;
732
733        /* Update our view of the receiver's rwnd. Include sk_buff overhead
734         * while updating peer.rwnd so that it reduces the chances of a
735         * receiver running out of receive buffer space even when receive
736         * window is still open. This can happen when a sender is sending
737         * sending small messages.
738         */
739        datasize += sizeof(struct sk_buff);
740        if (datasize < rwnd)
741                rwnd -= datasize;
742        else
743                rwnd = 0;
744
745        asoc->peer.rwnd = rwnd;
746        /* Has been accepted for transmission. */
747        if (!asoc->peer.prsctp_capable)
748                chunk->msg->can_abandon = 0;
749
750finish:
751        return retval;
752}