[PATCH] zd1201: Possible NULL dereference
1 /*
2  *  net/dccp/feat.c
3  *
4  *  An implementation of the DCCP protocol
5  *  Andrea Bittau <a.bittau@cs.ucl.ac.uk>
6  *
7  *      This program is free software; you can redistribute it and/or
8  *      modify it under the terms of the GNU General Public License
9  *      as published by the Free Software Foundation; either version
10  *      2 of the License, or (at your option) any later version.
11  */
12
13 #include <linux/module.h>
14
15 #include "dccp.h"
16 #include "ccid.h"
17 #include "feat.h"
18
19 #define DCCP_FEAT_SP_NOAGREE (-123)
20
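/**
 * dccp_feat_change  -  Queue (or replace) a pending feature-negotiation request
 * @dmsk:    minisock whose dccpms_pending list receives the request
 * @type:    DCCPO_CHANGE_L or DCCPO_CHANGE_R
 * @feature: feature number (DCCPF_*)
 * @val:     preference list; ownership passes to the pending entry on success
 *           (it is kfree()d by dccp_feat_clean() or by a later replacement)
 * @len:     length of @val in bytes
 * @feature: feature number (DCCPF_*)
 * @gfp:     allocation flags for a newly created pending entry
 *
 * If a request with the same @type/@feature is already pending, its value is
 * replaced in place and its "confirmed" flag cleared; otherwise a new entry
 * is appended to dccpms_pending.
 *
 * Returns 0 on success, -ENOMEM if a new entry could not be allocated
 * (@val then remains owned by the caller).
 */
int dccp_feat_change(struct dccp_minisock *dmsk, u8 type, u8 feature,
                     u8 *val, u8 len, gfp_t gfp)
{
        struct dccp_opt_pend *opt;

        dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);

        /* XXX sanity check feat change request */

        /*
         * Assert the value once, before anything is mutated: on the "replace"
         * path below the old value is freed first, and storing a NULL there
         * would only be caught much later by the BUG_ON in dccp_feat_clean().
         */
        BUG_ON(val == NULL);

        /* check if that feature is already being negotiated */
        list_for_each_entry(opt, &dmsk->dccpms_pending, dccpop_node) {
                if (opt->dccpop_feat != feature || opt->dccpop_type != type)
                        continue;

                /* ok we found a negotiation for this option already: replace */
                dccp_pr_debug("Replacing old\n");
                BUG_ON(opt->dccpop_val == NULL);
                kfree(opt->dccpop_val);
                opt->dccpop_val  = val;
                opt->dccpop_len  = len;
                opt->dccpop_conf = 0;   /* a replaced request is unconfirmed again */
                return 0;
        }

        /* negotiation for a new feature */
        opt = kmalloc(sizeof(*opt), gfp);
        if (opt == NULL)
                return -ENOMEM;

        opt->dccpop_type = type;
        opt->dccpop_feat = feature;
        opt->dccpop_len  = len;
        opt->dccpop_val  = val;
        opt->dccpop_conf = 0;
        opt->dccpop_sc   = NULL;        /* confirm slot is created by reconcile */

        list_add_tail(&opt->dccpop_node, &dmsk->dccpms_pending);
        return 0;
}

EXPORT_SYMBOL_GPL(dccp_feat_change);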
64
/*
 * Switch the congestion-control module of one direction to @new_ccid_nr.
 * DCCPO_CHANGE_R selects the receive-side (peer's) CCID, anything else the
 * transmit side.  A no-op if that side already runs @new_ccid_nr.
 * Returns 0, or -ENOMEM if the new CCID instance could not be created
 * (the old one is then left untouched).
 */
static int dccp_feat_update_ccid(struct sock *sk, u8 type, u8 new_ccid_nr)
{
        struct dccp_sock *dp = dccp_sk(sk);
        struct dccp_minisock *dmsk = dccp_msk(sk);
        /* figure out if we are changing our CCID or the peer's */
        const int rx = (type == DCCPO_CHANGE_R);
        u8 *cur_nr = rx ? &dmsk->dccpms_rx_ccid : &dmsk->dccpms_tx_ccid;
        struct ccid **cur_ccid = rx ? &dp->dccps_hc_rx_ccid
                                    : &dp->dccps_hc_tx_ccid;
        struct ccid *fresh;

        /* nothing to do if that side already uses the requested CCID */
        if (*cur_nr == new_ccid_nr)
                return 0;

        fresh = ccid_new(new_ccid_nr, sk, rx, GFP_ATOMIC);
        if (fresh == NULL)
                return -ENOMEM;

        /* tear down the old instance only once the replacement exists */
        if (rx)
                ccid_hc_rx_delete(*cur_ccid, sk);
        else
                ccid_hc_tx_delete(*cur_ccid, sk);

        *cur_ccid = fresh;
        *cur_nr   = new_ccid_nr;
        return 0;
}
94
/*
 * Apply a negotiated feature value locally.  Only 1-byte values are handled
 * (XXX taking only u8 vals) and only DCCPF_CCID is implemented so far; any
 * other feature is logged and left unchanged, reporting success.
 */
static int dccp_feat_update(struct sock *sk, u8 type, u8 feat, u8 val)
{
        dccp_pr_debug("changing [%d] feat %d to %d\n", type, feat, val);

        if (feat == DCCPF_CCID)
                return dccp_feat_update_ccid(sk, type, val);

        dccp_pr_debug("IMPLEMENT changing [%d] feat %d to %d\n",
                      type, feat, val);
        return 0;
}
110
/*
 * dccp_feat_reconcile  -  Settle an SP feature between our list and the peer's
 * @sk:    socket; its role (client/server) decides whose list has priority
 * @opt:   our pending CHANGE for this feature, holding our preference list
 * @rpref: the peer's preference list as received from the network (untrusted)
 * @rlen:  length of @rpref in bytes (network-supplied; may be 0)
 *
 * The server's preference order wins: the first value in the server's list
 * that also appears in the client's list is chosen.  If nothing matches, the
 * value currently in use is re-confirmed and DCCP_FEAT_SP_NOAGREE is returned
 * so the caller can react if the option was mandatory.  In both cases a
 * CONFIRM payload (chosen value followed by our own list) is stored in
 * opt->dccpop_sc and the chosen value is applied locally.
 *
 * Returns 0 on agreement, DCCP_FEAT_SP_NOAGREE on disagreement, -ENOMEM on
 * allocation failure, -EFAULT if no fallback value exists for the feature,
 * or the error from dccp_feat_update().
 */
static int dccp_feat_reconcile(struct sock *sk, struct dccp_opt_pend *opt,
                               u8 *rpref, u8 rlen)
{
        struct dccp_sock *dp = dccp_sk(sk);
        u8 *spref, slen, *res = NULL;
        int i, j, rc, agree = 1;

        BUG_ON(rpref == NULL);

        /* check if we are the black sheep */
        /*
         * Sort the two lists into server (spref/slen) and client (rpref/rlen)
         * roles.  As the client, the list we received IS the server's, so the
         * pair is swapped and from here on rpref points at OUR list.
         */
        if (dp->dccps_role == DCCP_ROLE_CLIENT) {
                spref = rpref;
                slen  = rlen;
                rpref = opt->dccpop_val;
                rlen  = opt->dccpop_len;
        } else {
                spref = opt->dccpop_val;
                slen  = opt->dccpop_len;
        }
        /*
         * Now we have server preference list in spref and client preference in
         * rpref
         */
        BUG_ON(spref == NULL);
        BUG_ON(rpref == NULL);

        /* FIXME sanity check vals */

        /* Are values in any order?  XXX Lame "algorithm" here */
        /* XXX assume values are 1 byte */
        /*
         * Server order wins: first server entry with a client match.  Both
         * lengths are u8, so this is at most 255*255 compares, and only bytes
         * inside [0, slen) / [0, rlen) of the (untrusted) lists are read.
         * An empty list on either side simply yields no match.
         */
        for (i = 0; i < slen; i++) {
                for (j = 0; j < rlen; j++) {
                        if (spref[i] == rpref[j]) {
                                res = &spref[i];
                                break;
                        }
                }
                if (res)
                        break;
        }

        /* we didn't agree on anything */
        if (res == NULL) {
                /* confirm previous value */
                /* res is pointed at the value currently in force for this side */
                switch (opt->dccpop_feat) {
                case DCCPF_CCID:
                        /* XXX did i get this right? =P */
                        if (opt->dccpop_type == DCCPO_CHANGE_L)
                                res = &dccp_msk(sk)->dccpms_tx_ccid;
                        else
                                res = &dccp_msk(sk)->dccpms_rx_ccid;
                        break;

                default:
                        WARN_ON(1); /* XXX implement res */
                        return -EFAULT;
                }

                dccp_pr_debug("Don't agree... reconfirming %d\n", *res);
                agree = 0; /* this is used for mandatory options... */
        }

        /* need to put result and our preference list */
        /* XXX assume 1 byte vals */
        /*
         * rpref/rlen are reused for the CONFIRM payload: the chosen value
         * first, then our own preference list.  opt->dccpop_len is u8, so the
         * allocation is at most 256 bytes.
         */
        rlen = 1 + opt->dccpop_len;
        rpref = kmalloc(rlen, GFP_ATOMIC);
        if (rpref == NULL)
                return -ENOMEM;

        *rpref = *res;
        memcpy(&rpref[1], opt->dccpop_val, opt->dccpop_len);

        /* put it in the "confirm queue" */
        /* allocate the confirm slot on first use, otherwise drop its old payload */
        if (opt->dccpop_sc == NULL) {
                opt->dccpop_sc = kmalloc(sizeof(*opt->dccpop_sc), GFP_ATOMIC);
                if (opt->dccpop_sc == NULL) {
                        kfree(rpref);
                        return -ENOMEM;
                }
        } else {
                /* recycle the confirm slot */
                BUG_ON(opt->dccpop_sc->dccpoc_val == NULL);
                kfree(opt->dccpop_sc->dccpoc_val);
                dccp_pr_debug("recycling confirm slot\n");
        }
        memset(opt->dccpop_sc, 0, sizeof(*opt->dccpop_sc));

        opt->dccpop_sc->dccpoc_val = rpref;
        opt->dccpop_sc->dccpoc_len = rlen;

        /* update the option on our side [we are about to send the confirm] */
        /* on failure the freshly built confirm is discarded again */
        rc = dccp_feat_update(sk, opt->dccpop_type, opt->dccpop_feat, *res);
        if (rc) {
                kfree(opt->dccpop_sc->dccpoc_val);
                kfree(opt->dccpop_sc);
                opt->dccpop_sc = NULL;
                return rc;
        }

        dccp_pr_debug("Will confirm %d\n", *rpref);

        /* say we want to change to X but we just got a confirm X, suppress our
         * change
         */
        /*
         * NOTE(review): reads the first byte of our own list, i.e. assumes
         * opt->dccpop_len >= 1 (true for the entries dccp_feat_init creates);
         * confirm for any other producer of pending entries.
         */
        if (!opt->dccpop_conf) {
                if (*opt->dccpop_val == *res)
                        opt->dccpop_conf = 1;
                dccp_pr_debug("won't ask for change of same feature\n");
        }

        return agree ? 0 : DCCP_FEAT_SP_NOAGREE; /* used for mandatory opts */
}
223
/*
 * Handle a received CHANGE for a server-priority (SP) feature.  The peer's
 * CHANGE_R concerns the value we negotiate with our own CHANGE_L (and vice
 * versa), so the matching pending entry of the opposite direction is looked
 * up and handed to dccp_feat_reconcile() together with the received list.
 *
 * Every SP feature we understand gets a pending entry in dccp_feat_init(),
 * so not finding one is treated as an internal error, not a peer error.
 */
static int dccp_feat_sp(struct sock *sk, u8 type, u8 feature, u8 *val, u8 len)
{
        struct dccp_minisock *dmsk = dccp_msk(sk);
        struct dccp_opt_pend *opt;
        const u8 ours = (type == DCCPO_CHANGE_L) ? DCCPO_CHANGE_R
                                                 : DCCPO_CHANGE_L;
        int rc = 1;     /* 1 == no preference list found for this feature */

        /* find our preference list for this feature */
        list_for_each_entry(opt, &dmsk->dccpms_pending, dccpop_node) {
                if (opt->dccpop_type == ours && opt->dccpop_feat == feature) {
                        /* find the winner from the two preference lists */
                        rc = dccp_feat_reconcile(sk, opt, val, len);
                        break;
                }
        }

        /* We didn't deal with the change.  This can happen if we have no
         * preference list for the feature.  In fact, it just shouldn't
         * happen---if we understand a feature, we should have a preference list
         * with at least the default value.
         */
        BUG_ON(rc == 1);

        return rc;
}
260
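/*
 * Handle a received CHANGE_L for a non-negotiable (NN) feature: the peer
 * simply announces its new value, so a CONFIRM_R carrying a copy of it is
 * queued and the value is applied locally.
 *
 * @val/@len are the raw option value from the network and are untrusted.
 * Only the first byte is applied (dccp_feat_update() takes u8 values), but
 * the whole value is echoed back in the confirm.
 *
 * Returns 0 on success, -EFAULT for the wrong direction (CHANGE_R), -EINVAL
 * for an empty value, -ENOMEM on allocation failure, or the error from
 * dccp_feat_update().
 */
static int dccp_feat_nn(struct sock *sk, u8 type, u8 feature, u8 *val, u8 len)
{
        struct dccp_opt_pend *opt;
        struct dccp_minisock *dmsk = dccp_msk(sk);
        u8 *copy;
        int rc;

        /* NN features must be change L */
        if (type == DCCPO_CHANGE_R) {
                dccp_pr_debug("received CHANGE_R %d for NN feat %d\n",
                              type, feature);
                return -EFAULT;
        }

        /*
         * The value must carry at least one byte: *val is read below, and
         * with len == 0 that byte lies outside the received option.
         * XXX further sanity checking of the value itself is still missing.
         */
        if (len == 0) {
                dccp_pr_debug("empty value for NN feat %d\n", feature);
                return -EINVAL;
        }

        /* copy option so we can confirm it */
        opt = kzalloc(sizeof(*opt), GFP_ATOMIC);
        if (opt == NULL)
                return -ENOMEM;

        copy = kmalloc(len, GFP_ATOMIC);
        if (copy == NULL) {
                kfree(opt);
                return -ENOMEM;
        }
        memcpy(copy, val, len);

        opt->dccpop_type = DCCPO_CONFIRM_R; /* NN can only confirm R */
        opt->dccpop_feat = feature;
        opt->dccpop_val  = copy;
        opt->dccpop_len  = len;

        /* change feature; on failure the not-yet-queued confirm is dropped */
        rc = dccp_feat_update(sk, type, feature, *val);
        if (rc) {
                kfree(opt->dccpop_val);
                kfree(opt);
                return rc;
        }

        dccp_pr_debug("Confirming NN feature %d (val=%d)\n", feature, *copy);
        list_add_tail(&opt->dccpop_node, &dmsk->dccpms_conf);

        return 0;
}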
307
/*
 * Queue a CONFIRM for @feature that carries no value, in the direction
 * opposite to the received CHANGE of @type.  Used when a received change
 * could not be processed.  Allocation failure is deliberately ignored: the
 * confirm is simply not queued.
 */
static void dccp_feat_empty_confirm(struct dccp_minisock *dmsk,
                                    u8 type, u8 feature)
{
        /* XXX check if other confirms for that are queued and recycle slot */
        struct dccp_opt_pend *conf = kzalloc(sizeof(*conf), GFP_ATOMIC);

        /* XXX what do we do?  Ignoring should be fine.  It's a change
         * after all =P
         */
        if (conf == NULL)
                return;

        if (type == DCCPO_CHANGE_L)
                conf->dccpop_type = DCCPO_CONFIRM_R;
        else
                conf->dccpop_type = DCCPO_CONFIRM_L;
        conf->dccpop_feat = feature;
        conf->dccpop_val  = NULL;       /* an empty confirm owns no value */
        conf->dccpop_len  = 0;

        dccp_pr_debug("Empty confirm feature %d type %d\n", feature, type);
        list_add_tail(&conf->dccpop_node, &dmsk->dccpms_conf);
}
331
/*
 * Send an ACK if there is a confirm waiting to go out: either an entry in
 * the confirm queue or a pending request that was marked confirmed.  Only
 * sockets in DCCP_OPEN actually send.
 */
static void dccp_feat_flush_confirm(struct sock *sk)
{
        struct dccp_minisock *dmsk = dccp_msk(sk);
        struct dccp_opt_pend *opt;
        int have_confirm = 0;

        /* Check if there is anything to confirm in the first place */
        if (!list_empty(&dmsk->dccpms_conf)) {
                have_confirm = 1;
        } else {
                list_for_each_entry(opt, &dmsk->dccpms_pending, dccpop_node) {
                        if (opt->dccpop_conf) {
                                have_confirm = 1;
                                break;
                        }
                }
        }

        if (!have_confirm)
                return;

        /* OK there is something to confirm... */
        /* XXX check if packet is in flight?  Send delayed ack?? */
        if (sk->sk_state == DCCP_OPEN)
                dccp_send_ack(sk);
}
357
/**
 * dccp_feat_change_recv  -  Process a received CHANGE option
 * @sk:      socket
 * @type:    DCCPO_CHANGE_L or DCCPO_CHANGE_R
 * @feature: feature number carried by the option
 * @val:     option value as received from the network (untrusted)
 * @len:     length of @val in bytes
 *
 * Dispatches to the SP or NN handler for the feature.  Any failure other
 * than DCCP_FEAT_SP_NOAGREE (for which the reconcile step already queued a
 * confirm of the old value) gets an empty confirm queued instead.  Finally
 * an ACK is triggered if anything is waiting to be confirmed.
 *
 * Returns 0, DCCP_FEAT_SP_NOAGREE, or a negative errno (unknown features
 * yield -EFAULT).
 */
int dccp_feat_change_recv(struct sock *sk, u8 type, u8 feature, u8 *val, u8 len)
{
        int rc;

        dccp_pr_debug("got feat change type=%d feat=%d\n", type, feature);

        /* figure out if it's SP or NN feature */
        if (feature == DCCPF_CCID)              /* SP feature */
                rc = dccp_feat_sp(sk, type, feature, val, len);
        else if (feature == DCCPF_ACK_RATIO)    /* NN feature */
                rc = dccp_feat_nn(sk, type, feature, val, len);
        else                                    /* XXX implement other features */
                rc = -EFAULT;

        /* If we don't agree on SP, we sent a confirm for old value.
         * However we propagate rc to caller in case option was
         * mandatory
         */
        if (rc && rc != DCCP_FEAT_SP_NOAGREE)
                dccp_feat_empty_confirm(dccp_msk(sk), type, feature);

        /* generate the confirm [if required] */
        dccp_feat_flush_confirm(sk);

        return rc;
}

EXPORT_SYMBOL_GPL(dccp_feat_change_recv);
399
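/**
 * dccp_feat_confirm_recv  -  Process a received CONFIRM option
 * @sk:      socket
 * @type:    DCCPO_CONFIRM_L or DCCPO_CONFIRM_R
 * @feature: feature number being confirmed
 * @val:     confirmed value as received from the network (untrusted)
 * @len:     length of @val in bytes
 *
 * Finds our unconfirmed CHANGE of the opposite direction for @feature, marks
 * it confirmed and applies the confirmed value locally.  Once no unconfirmed
 * request remains in dccpms_pending, the feature-negotiation retransmit
 * timer is cleared.
 *
 * Always returns 0: a confirm we never asked for, or one carrying no value,
 * is logged and ignored rather than reported to the caller.
 */
int dccp_feat_confirm_recv(struct sock *sk, u8 type, u8 feature,
                           u8 *val, u8 len)
{
        u8 t;
        struct dccp_opt_pend *opt;
        struct dccp_minisock *dmsk = dccp_msk(sk);
        int found = 0;
        int all_confirmed = 1;
        int rc;

        dccp_pr_debug("got feat confirm type=%d feat=%d\n", type, feature);

        /* XXX sanity check type & feat */

        /*
         * *val is read below; with len == 0 that byte lies outside the
         * received option, so an empty confirm is dropped up front.
         */
        if (len == 0) {
                dccp_pr_debug("feat %d type %d confirm without value\n",
                              feature, type);
                return 0;
        }

        /* locate our change request */
        t = type == DCCPO_CONFIRM_L ? DCCPO_CHANGE_R : DCCPO_CHANGE_L;

        /*
         * Walk the whole pending list: the first matching entry is confirmed,
         * but every entry is still examined so that all_confirmed is only set
         * when nothing unconfirmed remains.  (Breaking out at the match would
         * leave later entries unseen and could clear the timer too early.)
         */
        list_for_each_entry(opt, &dmsk->dccpms_pending, dccpop_node) {
                if (!found && !opt->dccpop_conf && opt->dccpop_type == t &&
                    opt->dccpop_feat == feature) {
                        /* we found it */
                        /* XXX do sanity check */
                        opt->dccpop_conf = 1;
                        found = 1;

                        /* We got a confirmation---change the option */
                        rc = dccp_feat_update(sk, opt->dccpop_type,
                                              opt->dccpop_feat, *val);
                        if (rc)
                                dccp_pr_debug("feat %d type %d update failed %d\n",
                                              feature, type, rc);

                        dccp_pr_debug("feat %d type %d confirmed %d\n",
                                      feature, type, *val);
                }

                if (!opt->dccpop_conf)
                        all_confirmed = 0;
        }

        /* fix re-transmit timer */
        /* XXX gotta make sure that no option negotiation occurs during
         * connection shutdown.  Consider that the CLOSEREQ is sent and timer is
         * on.  if all options are confirmed it might kill timer which should
         * remain alive until close is received.
         */
        if (all_confirmed) {
                dccp_pr_debug("clear feat negotiation timer %p\n", sk);
                inet_csk_clear_xmit_timer(sk, ICSK_TIME_RETRANS);
        }

        if (!found)
                dccp_pr_debug("feat %d type %d never requested\n",
                              feature, type);
        return 0;
}

EXPORT_SYMBOL_GPL(dccp_feat_confirm_recv);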
456
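/**
 * dccp_feat_clean  -  Release every pending request and queued confirm
 * @dmsk: minisock whose dccpms_pending and dccpms_conf lists are emptied
 *
 * Pending entries own their value and, when present, a confirm slot with its
 * own payload; queued confirms own an optional value (empty confirms carry
 * none).  Both lists are left initialised and empty, so the function is safe
 * to call repeatedly, e.g. from the clone failure path.
 */
void dccp_feat_clean(struct dccp_minisock *dmsk)
{
        struct dccp_opt_pend *opt, *next;

        list_for_each_entry_safe(opt, next, &dmsk->dccpms_pending,
                                 dccpop_node) {
                BUG_ON(opt->dccpop_val == NULL);
                kfree(opt->dccpop_val);

                if (opt->dccpop_sc != NULL) {
                        BUG_ON(opt->dccpop_sc->dccpoc_val == NULL);
                        kfree(opt->dccpop_sc->dccpoc_val);
                        kfree(opt->dccpop_sc);
                }

                kfree(opt);
        }
        INIT_LIST_HEAD(&dmsk->dccpms_pending);

        list_for_each_entry_safe(opt, next, &dmsk->dccpms_conf, dccpop_node) {
                /* empty confirms have a NULL value; kfree(NULL) is a no-op */
                kfree(opt->dccpop_val);
                kfree(opt);
        }
        INIT_LIST_HEAD(&dmsk->dccpms_conf);
}

EXPORT_SYMBOL_GPL(dccp_feat_clean);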
486
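/* this is to be called only when a listening sock creates its child.  It is
 * assumed by the function---the confirm is not duplicated, but rather it is
 * "passed on".
 *
 * Each pending request of @oldsk is duplicated into @newsk with its own copy
 * of the value; the confirm slot (dccpop_sc), if any, is moved rather than
 * copied, and the parent's request is reset to unconfirmed.  The confirm
 * queue is not cloned.
 *
 * Returns 0 on success or -ENOMEM, in which case everything cloned so far is
 * released again via dccp_feat_clean().
 *
 * NOTE(review): on failure the parent entries already processed have had
 * their dccpop_sc cleared and the moved slots are freed with the child, so
 * the parent loses those confirm slots; confirm whether callers tolerate it.
 */
int dccp_feat_clone(struct sock *oldsk, struct sock *newsk)
{
        struct dccp_minisock *olddmsk = dccp_msk(oldsk);
        struct dccp_minisock *newdmsk = dccp_msk(newsk);
        struct dccp_opt_pend *opt;

        INIT_LIST_HEAD(&newdmsk->dccpms_pending);
        INIT_LIST_HEAD(&newdmsk->dccpms_conf);

        list_for_each_entry(opt, &olddmsk->dccpms_pending, dccpop_node) {
                struct dccp_opt_pend *newopt;
                /* copy the value of the option */
                u8 *val = kmalloc(opt->dccpop_len, GFP_ATOMIC);

                if (val == NULL)
                        goto out_clean;
                memcpy(val, opt->dccpop_val, opt->dccpop_len);

                newopt = kmalloc(sizeof(*newopt), GFP_ATOMIC);
                if (newopt == NULL) {
                        kfree(val);
                        goto out_clean;
                }

                /* insert the option (the list node is re-linked below) */
                memcpy(newopt, opt, sizeof(*newopt));
                newopt->dccpop_val = val;
                list_add_tail(&newopt->dccpop_node, &newdmsk->dccpms_pending);

                /* XXX what happens with backlogs and multiple connections at
                 * once...
                 */
                /* the master socket no longer needs to worry about confirms */
                opt->dccpop_sc = NULL; /* it's not a memleak---new socket has it */

                /* reset state for a new socket */
                opt->dccpop_conf = 0;
        }

        /* XXX not doing anything about the conf queue */
        return 0;

out_clean:
        /* releases all cloned entries, including the passed-on confirm slots */
        dccp_feat_clean(newdmsk);
        return -ENOMEM;
}

EXPORT_SYMBOL_GPL(dccp_feat_clone);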
543
/*
 * Register a default preference for @feat by handing dccp_feat_change() a
 * private copy of @val; the caller keeps its own buffer.  If the change
 * cannot be queued the copy is released here, so nothing leaks.
 * Returns 0 or a negative errno.
 */
static int __dccp_feat_init(struct dccp_minisock *dmsk, u8 type, u8 feat,
                            u8 *val, u8 len)
{
        u8 *copy = kmalloc(len, GFP_KERNEL);
        int rc;

        if (copy == NULL)
                return -ENOMEM;

        memcpy(copy, val, len);
        rc = dccp_feat_change(dmsk, type, feat, copy, len, GFP_KERNEL);
        if (rc)
                kfree(copy);    /* ownership transfers only on success */
        return rc;
}
558
/**
 * dccp_feat_init  -  Set up the default feature negotiation state of @dmsk
 * @dmsk: minisock to initialise
 *
 * Empties both option lists and queues the three initial 1-byte requests:
 * our CCID (CHANGE_L), the peer's CCID (CHANGE_R) and our ack ratio
 * (CHANGE_L), each taken from the minisock's current value.
 * Returns 0 or the first error from __dccp_feat_init().
 */
int dccp_feat_init(struct dccp_minisock *dmsk)
{
        int rc;

        INIT_LIST_HEAD(&dmsk->dccpms_pending);
        INIT_LIST_HEAD(&dmsk->dccpms_conf);

        /* CCID L */
        rc = __dccp_feat_init(dmsk, DCCPO_CHANGE_L, DCCPF_CCID,
                              &dmsk->dccpms_tx_ccid, 1);
        if (rc)
                return rc;

        /* CCID R */
        rc = __dccp_feat_init(dmsk, DCCPO_CHANGE_R, DCCPF_CCID,
                              &dmsk->dccpms_rx_ccid, 1);
        if (rc)
                return rc;

        /* Ack ratio */
        return __dccp_feat_init(dmsk, DCCPO_CHANGE_L, DCCPF_ACK_RATIO,
                                &dmsk->dccpms_ack_ratio, 1);
}

EXPORT_SYMBOL_GPL(dccp_feat_init);