search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cxgbe/t4_tom: Read the chip's DDP page sizes and save them in a
[freebsd-src.git] / sys / netinet / sctp_input.c
blobc07019c965c6fff598b3936ee86eeacb293ed418
1 /*-
2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 * contributors may be used to endorse or promote products derived
18 * from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35
36 #include <netinet/sctp_os.h>
37 #include <netinet/sctp_var.h>
38 #include <netinet/sctp_sysctl.h>
39 #include <netinet/sctp_pcb.h>
40 #include <netinet/sctp_header.h>
41 #include <netinet/sctputil.h>
42 #include <netinet/sctp_output.h>
43 #include <netinet/sctp_input.h>
44 #include <netinet/sctp_auth.h>
45 #include <netinet/sctp_indata.h>
46 #include <netinet/sctp_asconf.h>
47 #include <netinet/sctp_bsd_addr.h>
48 #include <netinet/sctp_timer.h>
49 #include <netinet/sctp_crc32.h>
50 #if defined(INET) || defined(INET6)
51 #include <netinet/udp.h>
52 #endif
53 #include <sys/smp.h>
54
55
56
57 static void
58 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
59 {
60 struct sctp_nets *net;
61
62 /*
63 * This now not only stops all cookie timers it also stops any INIT
64 * timers as well. This will make sure that the timers are stopped
65 * in all collision cases.
66 */
67 SCTP_TCB_LOCK_ASSERT(stcb);
68 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
69 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
70 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
71 stcb->sctp_ep,
72 stcb,
73 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
74 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
75 sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
76 stcb->sctp_ep,
77 stcb,
78 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
79 }
80 }
81 }
82
83 /* INIT handler */
84 static void
85 sctp_handle_init(struct mbuf *m, int iphlen, int offset,
86 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
87 struct sctp_init_chunk *cp, struct sctp_inpcb *inp,
88 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_no_unlock,
89 uint8_t mflowtype, uint32_t mflowid,
90 uint32_t vrf_id, uint16_t port)
91 {
92 struct sctp_init *init;
93 struct mbuf *op_err;
94
95 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
96 (void *)stcb);
97 if (stcb == NULL) {
98 SCTP_INP_RLOCK(inp);
99 }
100 /* validate length */
101 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
102 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
103 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
104 mflowtype, mflowid,
105 vrf_id, port);
106 if (stcb)
107 *abort_no_unlock = 1;
108 goto outnow;
109 }
110 /* validate parameters */
111 init = &cp->init;
112 if (init->initiate_tag == 0) {
113 /* protocol error... send abort */
114 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
115 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
116 mflowtype, mflowid,
117 vrf_id, port);
118 if (stcb)
119 *abort_no_unlock = 1;
120 goto outnow;
121 }
122 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
123 /* invalid parameter... send abort */
124 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
125 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
126 mflowtype, mflowid,
127 vrf_id, port);
128 if (stcb)
129 *abort_no_unlock = 1;
130 goto outnow;
131 }
132 if (init->num_inbound_streams == 0) {
133 /* protocol error... send abort */
134 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
135 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
136 mflowtype, mflowid,
137 vrf_id, port);
138 if (stcb)
139 *abort_no_unlock = 1;
140 goto outnow;
141 }
142 if (init->num_outbound_streams == 0) {
143 /* protocol error... send abort */
144 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
145 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
146 mflowtype, mflowid,
147 vrf_id, port);
148 if (stcb)
149 *abort_no_unlock = 1;
150 goto outnow;
151 }
152 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
153 offset + ntohs(cp->ch.chunk_length))) {
154 /* auth parameter(s) error... send abort */
155 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
156 "Problem with AUTH parameters");
157 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
158 mflowtype, mflowid,
159 vrf_id, port);
160 if (stcb)
161 *abort_no_unlock = 1;
162 goto outnow;
163 }
164 /*
165 * We are only accepting if we have a socket with positive
166 * so_qlimit.
167 */
168 if ((stcb == NULL) &&
169 ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
170 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
171 (inp->sctp_socket == NULL) ||
172 (inp->sctp_socket->so_qlimit == 0))) {
173 /*
174 * FIX ME ?? What about TCP model and we have a
175 * match/restart case? Actually no fix is needed. the lookup
176 * will always find the existing assoc so stcb would not be
177 * NULL. It may be questionable to do this since we COULD
178 * just send back the INIT-ACK and hope that the app did
179 * accept()'s by the time the COOKIE was sent. But there is
180 * a price to pay for COOKIE generation and I don't want to
181 * pay it on the chance that the app will actually do some
182 * accepts(). The App just looses and should NOT be in this
183 * state :-)
184 */
185 if (SCTP_BASE_SYSCTL(sctp_blackhole) == 0) {
186 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
187 "No listener");
188 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
189 mflowtype, mflowid, inp->fibnum,
190 vrf_id, port);
191 }
192 goto outnow;
193 }
194 if ((stcb != NULL) &&
195 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT)) {
196 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending SHUTDOWN-ACK\n");
197 sctp_send_shutdown_ack(stcb, NULL);
198 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
199 } else {
200 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
201 sctp_send_initiate_ack(inp, stcb, net, m, iphlen, offset,
202 src, dst, sh, cp,
203 mflowtype, mflowid,
204 vrf_id, port,
205 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED));
206 }
207 outnow:
208 if (stcb == NULL) {
209 SCTP_INP_RUNLOCK(inp);
210 }
211 }
212
213 /*
214 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
215 */
216
217 int
218 sctp_is_there_unsent_data(struct sctp_tcb *stcb, int so_locked
219 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
220 SCTP_UNUSED
221 #endif
222 )
223 {
224 int unsent_data = 0;
225 unsigned int i;
226 struct sctp_stream_queue_pending *sp;
227 struct sctp_association *asoc;
228
229 /*
230 * This function returns the number of streams that have true unsent
231 * data on them. Note that as it looks through it will clean up any
232 * places that have old data that has been sent but left at top of
233 * stream queue.
234 */
235 asoc = &stcb->asoc;
236 SCTP_TCB_SEND_LOCK(stcb);
237 if (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
238 /* Check to see if some data queued */
239 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
240 /* sa_ignore FREED_MEMORY */
241 sp = TAILQ_FIRST(&stcb->asoc.strmout[i].outqueue);
242 if (sp == NULL) {
243 continue;
244 }
245 if ((sp->msg_is_complete) &&
246 (sp->length == 0) &&
247 (sp->sender_all_done)) {
248 /*
249 * We are doing differed cleanup. Last time
250 * through when we took all the data the
251 * sender_all_done was not set.
252 */
253 if (sp->put_last_out == 0) {
254 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
255 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
256 sp->sender_all_done,
257 sp->length,
258 sp->msg_is_complete,
259 sp->put_last_out);
260 }
261 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
262 TAILQ_REMOVE(&stcb->asoc.strmout[i].outqueue, sp, next);
263 if (sp->net) {
264 sctp_free_remote_addr(sp->net);
265 sp->net = NULL;
266 }
267 if (sp->data) {
268 sctp_m_freem(sp->data);
269 sp->data = NULL;
270 }
271 sctp_free_a_strmoq(stcb, sp, so_locked);
272 } else {
273 unsent_data++;
274 break;
275 }
276 }
277 }
278 SCTP_TCB_SEND_UNLOCK(stcb);
279 return (unsent_data);
280 }
281
282 static int
283 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb)
284 {
285 struct sctp_init *init;
286 struct sctp_association *asoc;
287 struct sctp_nets *lnet;
288 unsigned int i;
289
290 init = &cp->init;
291 asoc = &stcb->asoc;
292 /* save off parameters */
293 asoc->peer_vtag = ntohl(init->initiate_tag);
294 asoc->peers_rwnd = ntohl(init->a_rwnd);
295 /* init tsn's */
296 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
297
298 if (!TAILQ_EMPTY(&asoc->nets)) {
299 /* update any ssthresh's that may have a default */
300 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
301 lnet->ssthresh = asoc->peers_rwnd;
302 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) {
303 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
304 }
305 }
306 }
307 SCTP_TCB_SEND_LOCK(stcb);
308 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
309 unsigned int newcnt;
310 struct sctp_stream_out *outs;
311 struct sctp_stream_queue_pending *sp, *nsp;
312 struct sctp_tmit_chunk *chk, *nchk;
313
314 /* abandon the upper streams */
315 newcnt = ntohs(init->num_inbound_streams);
316 TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
317 if (chk->rec.data.stream_number >= newcnt) {
318 TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next);
319 asoc->send_queue_cnt--;
320 if (asoc->strmout[chk->rec.data.stream_number].chunks_on_queues > 0) {
321 asoc->strmout[chk->rec.data.stream_number].chunks_on_queues--;
322 #ifdef INVARIANTS
323 } else {
324 panic("No chunks on the queues for sid %u.", chk->rec.data.stream_number);
325 #endif
326 }
327 if (chk->data != NULL) {
328 sctp_free_bufspace(stcb, asoc, chk, 1);
329 sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb,
330 0, chk, SCTP_SO_NOT_LOCKED);
331 if (chk->data) {
332 sctp_m_freem(chk->data);
333 chk->data = NULL;
334 }
335 }
336 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
337 /* sa_ignore FREED_MEMORY */
338 }
339 }
340 if (asoc->strmout) {
341 for (i = newcnt; i < asoc->pre_open_streams; i++) {
342 outs = &asoc->strmout[i];
343 TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) {
344 TAILQ_REMOVE(&outs->outqueue, sp, next);
345 asoc->stream_queue_cnt--;
346 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
347 stcb, 0, sp, SCTP_SO_NOT_LOCKED);
348 if (sp->data) {
349 sctp_m_freem(sp->data);
350 sp->data = NULL;
351 }
352 if (sp->net) {
353 sctp_free_remote_addr(sp->net);
354 sp->net = NULL;
355 }
356 /* Free the chunk */
357 sctp_free_a_strmoq(stcb, sp, SCTP_SO_NOT_LOCKED);
358 /* sa_ignore FREED_MEMORY */
359 }
360 outs->state = SCTP_STREAM_CLOSED;
361 }
362 }
363 /* cut back the count */
364 asoc->pre_open_streams = newcnt;
365 }
366 SCTP_TCB_SEND_UNLOCK(stcb);
367 asoc->streamoutcnt = asoc->pre_open_streams;
368 if (asoc->strmout) {
369 for (i = 0; i < asoc->streamoutcnt; i++) {
370 asoc->strmout[i].state = SCTP_STREAM_OPEN;
371 }
372 }
373 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */
374 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
375 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
376 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
377 }
378 /* This is the next one we expect */
379 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
380
381 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
382 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in;
383
384 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
385 /* open the requested streams */
386
387 if (asoc->strmin != NULL) {
388 /* Free the old ones */
389 for (i = 0; i < asoc->streamincnt; i++) {
390 sctp_clean_up_stream(stcb, &asoc->strmin[i].inqueue);
391 sctp_clean_up_stream(stcb, &asoc->strmin[i].uno_inqueue);
392 }
393 SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
394 }
395 if (asoc->max_inbound_streams > ntohs(init->num_outbound_streams)) {
396 asoc->streamincnt = ntohs(init->num_outbound_streams);
397 } else {
398 asoc->streamincnt = asoc->max_inbound_streams;
399 }
400 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
401 sizeof(struct sctp_stream_in), SCTP_M_STRMI);
402 if (asoc->strmin == NULL) {
403 /* we didn't get memory for the streams! */
404 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
405 return (-1);
406 }
407 for (i = 0; i < asoc->streamincnt; i++) {
408 asoc->strmin[i].stream_no = i;
409 asoc->strmin[i].last_sequence_delivered = 0xffffffff;
410 TAILQ_INIT(&asoc->strmin[i].inqueue);
411 TAILQ_INIT(&asoc->strmin[i].uno_inqueue);
412 asoc->strmin[i].pd_api_started = 0;
413 asoc->strmin[i].delivery_started = 0;
414 }
415 /*
416 * load_address_from_init will put the addresses into the
417 * association when the COOKIE is processed or the INIT-ACK is
418 * processed. Both types of COOKIE's existing and new call this
419 * routine. It will remove addresses that are no longer in the
420 * association (for the restarting case where addresses are
421 * removed). Up front when the INIT arrives we will discard it if it
422 * is a restart and new addresses have been added.
423 */
424 /* sa_ignore MEMLEAK */
425 return (0);
426 }
427
428 /*
429 * INIT-ACK message processing/consumption returns value < 0 on error
430 */
431 static int
432 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
433 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
434 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
435 struct sctp_nets *net, int *abort_no_unlock,
436 uint8_t mflowtype, uint32_t mflowid,
437 uint32_t vrf_id)
438 {
439 struct sctp_association *asoc;
440 struct mbuf *op_err;
441 int retval, abort_flag;
442 uint32_t initack_limit;
443 int nat_friendly = 0;
444
445 /* First verify that we have no illegal param's */
446 abort_flag = 0;
447
448 op_err = sctp_arethere_unrecognized_parameters(m,
449 (offset + sizeof(struct sctp_init_chunk)),
450 &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly);
451 if (abort_flag) {
452 /* Send an abort and notify peer */
453 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
454 *abort_no_unlock = 1;
455 return (-1);
456 }
457 asoc = &stcb->asoc;
458 asoc->peer_supports_nat = (uint8_t) nat_friendly;
459 /* process the peer's parameters in the INIT-ACK */
460 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb);
461 if (retval < 0) {
462 return (retval);
463 }
464 initack_limit = offset + ntohs(cp->ch.chunk_length);
465 /* load all addresses */
466 if ((retval = sctp_load_addresses_from_init(stcb, m,
467 (offset + sizeof(struct sctp_init_chunk)), initack_limit,
468 src, dst, NULL, stcb->asoc.port))) {
469 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
470 "Problem with address parameters");
471 SCTPDBG(SCTP_DEBUG_INPUT1,
472 "Load addresses from INIT causes an abort %d\n",
473 retval);
474 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
475 src, dst, sh, op_err,
476 mflowtype, mflowid,
477 vrf_id, net->port);
478 *abort_no_unlock = 1;
479 return (-1);
480 }
481 /* if the peer doesn't support asconf, flush the asconf queue */
482 if (asoc->asconf_supported == 0) {
483 struct sctp_asconf_addr *param, *nparam;
484
485 TAILQ_FOREACH_SAFE(param, &asoc->asconf_queue, next, nparam) {
486 TAILQ_REMOVE(&asoc->asconf_queue, param, next);
487 SCTP_FREE(param, SCTP_M_ASC_ADDR);
488 }
489 }
490 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
491 stcb->asoc.local_hmacs);
492 if (op_err) {
493 sctp_queue_op_err(stcb, op_err);
494 /* queuing will steal away the mbuf chain to the out queue */
495 op_err = NULL;
496 }
497 /* extract the cookie and queue it to "echo" it back... */
498 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
499 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
500 stcb->asoc.overall_error_count,
501 0,
502 SCTP_FROM_SCTP_INPUT,
503 __LINE__);
504 }
505 stcb->asoc.overall_error_count = 0;
506 net->error_count = 0;
507
508 /*
509 * Cancel the INIT timer, We do this first before queueing the
510 * cookie. We always cancel at the primary to assue that we are
511 * canceling the timer started by the INIT which always goes to the
512 * primary.
513 */
514 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
515 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);
516
517 /* calculate the RTO */
518 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy,
519 SCTP_RTT_FROM_NON_DATA);
520 retval = sctp_send_cookie_echo(m, offset, stcb, net);
521 if (retval < 0) {
522 /*
523 * No cookie, we probably should send a op error. But in any
524 * case if there is no cookie in the INIT-ACK, we can
525 * abandon the peer, its broke.
526 */
527 if (retval == -3) {
528 uint16_t len;
529
530 len = (uint16_t) (sizeof(struct sctp_error_missing_param) + sizeof(uint16_t));
531 /* We abort with an error of missing mandatory param */
532 op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
533 if (op_err != NULL) {
534 struct sctp_error_missing_param *cause;
535
536 SCTP_BUF_LEN(op_err) = len;
537 cause = mtod(op_err, struct sctp_error_missing_param *);
538 /* Subtract the reserved param */
539 cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM);
540 cause->cause.length = htons(len);
541 cause->num_missing_params = htonl(1);
542 cause->type[0] = htons(SCTP_STATE_COOKIE);
543 }
544 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
545 src, dst, sh, op_err,
546 mflowtype, mflowid,
547 vrf_id, net->port);
548 *abort_no_unlock = 1;
549 }
550 return (retval);
551 }
552 return (0);
553 }
554
555 static void
556 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
557 struct sctp_tcb *stcb, struct sctp_nets *net)
558 {
559 union sctp_sockstore store;
560 struct sctp_nets *r_net, *f_net;
561 struct timeval tv;
562 int req_prim = 0;
563 uint16_t old_error_counter;
564
565 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
566 /* Invalid length */
567 return;
568 }
569 memset(&store, 0, sizeof(store));
570 switch (cp->heartbeat.hb_info.addr_family) {
571 #ifdef INET
572 case AF_INET:
573 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
574 store.sin.sin_family = cp->heartbeat.hb_info.addr_family;
575 store.sin.sin_len = cp->heartbeat.hb_info.addr_len;
576 store.sin.sin_port = stcb->rport;
577 memcpy(&store.sin.sin_addr, cp->heartbeat.hb_info.address,
578 sizeof(store.sin.sin_addr));
579 } else {
580 return;
581 }
582 break;
583 #endif
584 #ifdef INET6
585 case AF_INET6:
586 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
587 store.sin6.sin6_family = cp->heartbeat.hb_info.addr_family;
588 store.sin6.sin6_len = cp->heartbeat.hb_info.addr_len;
589 store.sin6.sin6_port = stcb->rport;
590 memcpy(&store.sin6.sin6_addr, cp->heartbeat.hb_info.address, sizeof(struct in6_addr));
591 } else {
592 return;
593 }
594 break;
595 #endif
596 default:
597 return;
598 }
599 r_net = sctp_findnet(stcb, &store.sa);
600 if (r_net == NULL) {
601 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
602 return;
603 }
604 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
605 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
606 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
607 /*
608 * If the its a HB and it's random value is correct when can
609 * confirm the destination.
610 */
611 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
612 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
613 stcb->asoc.primary_destination = r_net;
614 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
615 f_net = TAILQ_FIRST(&stcb->asoc.nets);
616 if (f_net != r_net) {
617 /*
618 * first one on the list is NOT the primary
619 * sctp_cmpaddr() is much more efficient if
620 * the primary is the first on the list,
621 * make it so.
622 */
623 TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next);
624 TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next);
625 }
626 req_prim = 1;
627 }
628 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
629 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
630 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb,
631 r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
632 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
633 }
634 old_error_counter = r_net->error_count;
635 r_net->error_count = 0;
636 r_net->hb_responded = 1;
637 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
638 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
639 /* Now lets do a RTO with this */
640 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy,
641 SCTP_RTT_FROM_NON_DATA);
642 if (!(r_net->dest_state & SCTP_ADDR_REACHABLE)) {
643 r_net->dest_state |= SCTP_ADDR_REACHABLE;
644 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
645 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
646 }
647 if (r_net->dest_state & SCTP_ADDR_PF) {
648 r_net->dest_state &= ~SCTP_ADDR_PF;
649 stcb->asoc.cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
650 }
651 if (old_error_counter > 0) {
652 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
653 stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
654 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
655 }
656 if (r_net == stcb->asoc.primary_destination) {
657 if (stcb->asoc.alternate) {
658 /* release the alternate, primary is good */
659 sctp_free_remote_addr(stcb->asoc.alternate);
660 stcb->asoc.alternate = NULL;
661 }
662 }
663 /* Mobility adaptation */
664 if (req_prim) {
665 if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
666 SCTP_MOBILITY_BASE) ||
667 sctp_is_mobility_feature_on(stcb->sctp_ep,
668 SCTP_MOBILITY_FASTHANDOFF)) &&
669 sctp_is_mobility_feature_on(stcb->sctp_ep,
670 SCTP_MOBILITY_PRIM_DELETED)) {
671
672 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED,
673 stcb->sctp_ep, stcb, NULL,
674 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
675 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
676 SCTP_MOBILITY_FASTHANDOFF)) {
677 sctp_assoc_immediate_retrans(stcb,
678 stcb->asoc.primary_destination);
679 }
680 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
681 SCTP_MOBILITY_BASE)) {
682 sctp_move_chunks_from_net(stcb,
683 stcb->asoc.deleted_primary);
684 }
685 sctp_delete_prim_timer(stcb->sctp_ep, stcb,
686 stcb->asoc.deleted_primary);
687 }
688 }
689 }
690
691 static int
692 sctp_handle_nat_colliding_state(struct sctp_tcb *stcb)
693 {
694 /*
695 * return 0 means we want you to proceed with the abort non-zero
696 * means no abort processing
697 */
698 struct sctpasochead *head;
699
700 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) {
701 /* generate a new vtag and send init */
702 LIST_REMOVE(stcb, sctp_asocs);
703 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
704 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
705 /*
706 * put it in the bucket in the vtag hash of assoc's for the
707 * system
708 */
709 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
710 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
711 return (1);
712 }
713 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) {
714 /*
715 * treat like a case where the cookie expired i.e.: - dump
716 * current cookie. - generate a new vtag. - resend init.
717 */
718 /* generate a new vtag and send init */
719 LIST_REMOVE(stcb, sctp_asocs);
720 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED;
721 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT;
722 sctp_stop_all_cookie_timers(stcb);
723 sctp_toss_old_cookies(stcb, &stcb->asoc);
724 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
725 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
726 /*
727 * put it in the bucket in the vtag hash of assoc's for the
728 * system
729 */
730 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
731 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
732 return (1);
733 }
734 return (0);
735 }
736
737 static int
738 sctp_handle_nat_missing_state(struct sctp_tcb *stcb,
739 struct sctp_nets *net)
740 {
741 /*
742 * return 0 means we want you to proceed with the abort non-zero
743 * means no abort processing
744 */
745 if (stcb->asoc.auth_supported == 0) {
746 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n");
747 return (0);
748 }
749 sctp_asconf_send_nat_state_update(stcb, net);
750 return (1);
751 }
752
753
754 static void
755 sctp_handle_abort(struct sctp_abort_chunk *abort,
756 struct sctp_tcb *stcb, struct sctp_nets *net)
757 {
758 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
759 struct socket *so;
760
761 #endif
762 uint16_t len;
763 uint16_t error;
764
765 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
766 if (stcb == NULL)
767 return;
768
769 len = ntohs(abort->ch.chunk_length);
770 if (len > sizeof(struct sctp_chunkhdr)) {
771 /*
772 * Need to check the cause codes for our two magic nat
773 * aborts which don't kill the assoc necessarily.
774 */
775 struct sctp_gen_error_cause *cause;
776
777 cause = (struct sctp_gen_error_cause *)(abort + 1);
778 error = ntohs(cause->code);
779 if (error == SCTP_CAUSE_NAT_COLLIDING_STATE) {
780 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
781 abort->ch.chunk_flags);
782 if (sctp_handle_nat_colliding_state(stcb)) {
783 return;
784 }
785 } else if (error == SCTP_CAUSE_NAT_MISSING_STATE) {
786 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
787 abort->ch.chunk_flags);
788 if (sctp_handle_nat_missing_state(stcb, net)) {
789 return;
790 }
791 }
792 } else {
793 error = 0;
794 }
795 /* stop any receive timers */
796 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net,
797 SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
798 /* notify user of the abort and clean up... */
799 sctp_abort_notification(stcb, 1, error, abort, SCTP_SO_NOT_LOCKED);
800 /* free the tcb */
801 SCTP_STAT_INCR_COUNTER32(sctps_aborted);
802 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
803 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
804 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
805 }
806 #ifdef SCTP_ASOCLOG_OF_TSNS
807 sctp_print_out_track_log(stcb);
808 #endif
809 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
810 so = SCTP_INP_SO(stcb->sctp_ep);
811 atomic_add_int(&stcb->asoc.refcnt, 1);
812 SCTP_TCB_UNLOCK(stcb);
813 SCTP_SOCKET_LOCK(so, 1);
814 SCTP_TCB_LOCK(stcb);
815 atomic_subtract_int(&stcb->asoc.refcnt, 1);
816 #endif
817 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
818 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
819 SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
820 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
821 SCTP_SOCKET_UNLOCK(so, 1);
822 #endif
823 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
824 }
825
826 static void
827 sctp_start_net_timers(struct sctp_tcb *stcb)
828 {
829 uint32_t cnt_hb_sent;
830 struct sctp_nets *net;
831
832 cnt_hb_sent = 0;
833 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
834 /*
835 * For each network start: 1) A pmtu timer. 2) A HB timer 3)
836 * If the dest in unconfirmed send a hb as well if under
837 * max_hb_burst have been sent.
838 */
839 sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net);
840 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
841 if ((net->dest_state & SCTP_ADDR_UNCONFIRMED) &&
842 (cnt_hb_sent < SCTP_BASE_SYSCTL(sctp_hb_maxburst))) {
843 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
844 cnt_hb_sent++;
845 }
846 }
847 if (cnt_hb_sent) {
848 sctp_chunk_output(stcb->sctp_ep, stcb,
849 SCTP_OUTPUT_FROM_COOKIE_ACK,
850 SCTP_SO_NOT_LOCKED);
851 }
852 }
853
854
855 static void
856 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
857 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
858 {
859 struct sctp_association *asoc;
860 int some_on_streamwheel;
861 int old_state;
862
863 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
864 struct socket *so;
865
866 #endif
867
868 SCTPDBG(SCTP_DEBUG_INPUT2,
869 "sctp_handle_shutdown: handling SHUTDOWN\n");
870 if (stcb == NULL)
871 return;
872 asoc = &stcb->asoc;
873 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
874 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
875 return;
876 }
877 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
878 /* Shutdown NOT the expected size */
879 return;
880 }
881 old_state = SCTP_GET_STATE(asoc);
882 sctp_update_acked(stcb, cp, abort_flag);
883 if (*abort_flag) {
884 return;
885 }
886 if (asoc->control_pdapi) {
887 /*
888 * With a normal shutdown we assume the end of last record.
889 */
890 SCTP_INP_READ_LOCK(stcb->sctp_ep);
891 if (asoc->control_pdapi->on_strm_q) {
892 struct sctp_stream_in *strm;
893
894 strm = &asoc->strmin[asoc->control_pdapi->sinfo_stream];
895 if (asoc->control_pdapi->on_strm_q == SCTP_ON_UNORDERED) {
896 /* Unordered */
897 TAILQ_REMOVE(&strm->uno_inqueue, asoc->control_pdapi, next_instrm);
898 asoc->control_pdapi->on_strm_q = 0;
899 } else if (asoc->control_pdapi->on_strm_q == SCTP_ON_ORDERED) {
900 /* Ordered */
901 TAILQ_REMOVE(&strm->inqueue, asoc->control_pdapi, next_instrm);
902 asoc->control_pdapi->on_strm_q = 0;
903 #ifdef INVARIANTS
904 } else {
905 panic("Unknown state on ctrl:%p on_strm_q:%d",
906 asoc->control_pdapi,
907 asoc->control_pdapi->on_strm_q);
908 #endif
909 }
910 }
911 asoc->control_pdapi->end_added = 1;
912 asoc->control_pdapi->pdapi_aborted = 1;
913 asoc->control_pdapi = NULL;
914 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
915 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
916 so = SCTP_INP_SO(stcb->sctp_ep);
917 atomic_add_int(&stcb->asoc.refcnt, 1);
918 SCTP_TCB_UNLOCK(stcb);
919 SCTP_SOCKET_LOCK(so, 1);
920 SCTP_TCB_LOCK(stcb);
921 atomic_subtract_int(&stcb->asoc.refcnt, 1);
922 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
923 /* assoc was freed while we were unlocked */
924 SCTP_SOCKET_UNLOCK(so, 1);
925 return;
926 }
927 #endif
928 if (stcb->sctp_socket) {
929 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
930 }
931 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
932 SCTP_SOCKET_UNLOCK(so, 1);
933 #endif
934 }
935 /* goto SHUTDOWN_RECEIVED state to block new requests */
936 if (stcb->sctp_socket) {
937 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
938 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
939 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
940 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED);
941 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
942 /*
943 * notify upper layer that peer has initiated a
944 * shutdown
945 */
946 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
947
948 /* reset time */
949 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
950 }
951 }
952 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
953 /*
954 * stop the shutdown timer, since we WILL move to
955 * SHUTDOWN-ACK-SENT.
956 */
957 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
958 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
959 }
960 /* Now is there unsent data on a stream somewhere? */
961 some_on_streamwheel = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED);
962
963 if (!TAILQ_EMPTY(&asoc->send_queue) ||
964 !TAILQ_EMPTY(&asoc->sent_queue) ||
965 some_on_streamwheel) {
966 /* By returning we will push more data out */
967 return;
968 } else {
969 /* no outstanding data to send, so move on... */
970 /* send SHUTDOWN-ACK */
971 /* move to SHUTDOWN-ACK-SENT state */
972 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
973 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
974 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
975 }
976 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
977 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
978 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
979 sctp_stop_timers_for_shutdown(stcb);
980 sctp_send_shutdown_ack(stcb, net);
981 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
982 stcb->sctp_ep, stcb, net);
983 } else if (old_state == SCTP_STATE_SHUTDOWN_ACK_SENT) {
984 sctp_send_shutdown_ack(stcb, net);
985 }
986 }
987 }
988
989 static void
990 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp SCTP_UNUSED,
991 struct sctp_tcb *stcb,
992 struct sctp_nets *net)
993 {
994 struct sctp_association *asoc;
995
996 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
997 struct socket *so;
998
999 so = SCTP_INP_SO(stcb->sctp_ep);
1000 #endif
1001 SCTPDBG(SCTP_DEBUG_INPUT2,
1002 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
1003 if (stcb == NULL)
1004 return;
1005
1006 asoc = &stcb->asoc;
1007 /* process according to association state */
1008 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
1009 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
1010 /* unexpected SHUTDOWN-ACK... do OOTB handling... */
1011 sctp_send_shutdown_complete(stcb, net, 1);
1012 SCTP_TCB_UNLOCK(stcb);
1013 return;
1014 }
1015 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
1016 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
1017 /* unexpected SHUTDOWN-ACK... so ignore... */
1018 SCTP_TCB_UNLOCK(stcb);
1019 return;
1020 }
1021 if (asoc->control_pdapi) {
1022 /*
1023 * With a normal shutdown we assume the end of last record.
1024 */
1025 SCTP_INP_READ_LOCK(stcb->sctp_ep);
1026 asoc->control_pdapi->end_added = 1;
1027 asoc->control_pdapi->pdapi_aborted = 1;
1028 asoc->control_pdapi = NULL;
1029 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
1030 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1031 atomic_add_int(&stcb->asoc.refcnt, 1);
1032 SCTP_TCB_UNLOCK(stcb);
1033 SCTP_SOCKET_LOCK(so, 1);
1034 SCTP_TCB_LOCK(stcb);
1035 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1036 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1037 /* assoc was freed while we were unlocked */
1038 SCTP_SOCKET_UNLOCK(so, 1);
1039 return;
1040 }
1041 #endif
1042 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
1043 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1044 SCTP_SOCKET_UNLOCK(so, 1);
1045 #endif
1046 }
1047 #ifdef INVARIANTS
1048 if (!TAILQ_EMPTY(&asoc->send_queue) ||
1049 !TAILQ_EMPTY(&asoc->sent_queue) ||
1050 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
1051 panic("Queues are not empty when handling SHUTDOWN-ACK");
1052 }
1053 #endif
1054 /* stop the timer */
1055 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net,
1056 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
1057 /* send SHUTDOWN-COMPLETE */
1058 sctp_send_shutdown_complete(stcb, net, 0);
1059 /* notify upper layer protocol */
1060 if (stcb->sctp_socket) {
1061 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1062 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
1063 stcb->sctp_socket->so_snd.sb_cc = 0;
1064 }
1065 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
1066 }
1067 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
1068 /* free the TCB but first save off the ep */
1069 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1070 atomic_add_int(&stcb->asoc.refcnt, 1);
1071 SCTP_TCB_UNLOCK(stcb);
1072 SCTP_SOCKET_LOCK(so, 1);
1073 SCTP_TCB_LOCK(stcb);
1074 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1075 #endif
1076 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1077 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
1078 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1079 SCTP_SOCKET_UNLOCK(so, 1);
1080 #endif
1081 }
1082
1083 /*
1084 * Skip past the param header and then we will find the chunk that caused the
1085 * problem. There are two possibilities ASCONF or FWD-TSN other than that and
1086 * our peer must be broken.
1087 */
1088 static void
1089 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
1090 struct sctp_nets *net)
1091 {
1092 struct sctp_chunkhdr *chk;
1093
1094 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
1095 switch (chk->chunk_type) {
1096 case SCTP_ASCONF_ACK:
1097 case SCTP_ASCONF:
1098 sctp_asconf_cleanup(stcb, net);
1099 break;
1100 case SCTP_IFORWARD_CUM_TSN:
1101 case SCTP_FORWARD_CUM_TSN:
1102 stcb->asoc.prsctp_supported = 0;
1103 break;
1104 default:
1105 SCTPDBG(SCTP_DEBUG_INPUT2,
1106 "Peer does not support chunk type %d(%x)??\n",
1107 chk->chunk_type, (uint32_t) chk->chunk_type);
1108 break;
1109 }
1110 }
1111
1112 /*
1113 * Skip past the param header and then we will find the param that caused the
1114 * problem. There are a number of param's in a ASCONF OR the prsctp param
1115 * these will turn of specific features.
1116 * XXX: Is this the right thing to do?
1117 */
1118 static void
1119 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
1120 {
1121 struct sctp_paramhdr *pbad;
1122
1123 pbad = phdr + 1;
1124 switch (ntohs(pbad->param_type)) {
1125 /* pr-sctp draft */
1126 case SCTP_PRSCTP_SUPPORTED:
1127 stcb->asoc.prsctp_supported = 0;
1128 break;
1129 case SCTP_SUPPORTED_CHUNK_EXT:
1130 break;
1131 /* draft-ietf-tsvwg-addip-sctp */
1132 case SCTP_HAS_NAT_SUPPORT:
1133 stcb->asoc.peer_supports_nat = 0;
1134 break;
1135 case SCTP_ADD_IP_ADDRESS:
1136 case SCTP_DEL_IP_ADDRESS:
1137 case SCTP_SET_PRIM_ADDR:
1138 stcb->asoc.asconf_supported = 0;
1139 break;
1140 case SCTP_SUCCESS_REPORT:
1141 case SCTP_ERROR_CAUSE_IND:
1142 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
1143 SCTPDBG(SCTP_DEBUG_INPUT2,
1144 "Turning off ASCONF to this strange peer\n");
1145 stcb->asoc.asconf_supported = 0;
1146 break;
1147 default:
1148 SCTPDBG(SCTP_DEBUG_INPUT2,
1149 "Peer does not support param type %d(%x)??\n",
1150 pbad->param_type, (uint32_t) pbad->param_type);
1151 break;
1152 }
1153 }
1154
1155 static int
1156 sctp_handle_error(struct sctp_chunkhdr *ch,
1157 struct sctp_tcb *stcb, struct sctp_nets *net)
1158 {
1159 int chklen;
1160 struct sctp_paramhdr *phdr;
1161 uint16_t error, error_type;
1162 uint16_t error_len;
1163 struct sctp_association *asoc;
1164 int adjust;
1165
1166 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1167 struct socket *so;
1168
1169 #endif
1170
1171 /* parse through all of the errors and process */
1172 asoc = &stcb->asoc;
1173 phdr = (struct sctp_paramhdr *)((caddr_t)ch +
1174 sizeof(struct sctp_chunkhdr));
1175 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
1176 error = 0;
1177 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
1178 /* Process an Error Cause */
1179 error_type = ntohs(phdr->param_type);
1180 error_len = ntohs(phdr->param_length);
1181 if ((error_len > chklen) || (error_len == 0)) {
1182 /* invalid param length for this param */
1183 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n",
1184 chklen, error_len);
1185 return (0);
1186 }
1187 if (error == 0) {
1188 /* report the first error cause */
1189 error = error_type;
1190 }
1191 switch (error_type) {
1192 case SCTP_CAUSE_INVALID_STREAM:
1193 case SCTP_CAUSE_MISSING_PARAM:
1194 case SCTP_CAUSE_INVALID_PARAM:
1195 case SCTP_CAUSE_NO_USER_DATA:
1196 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n",
1197 error_type);
1198 break;
1199 case SCTP_CAUSE_NAT_COLLIDING_STATE:
1200 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
1201 ch->chunk_flags);
1202 if (sctp_handle_nat_colliding_state(stcb)) {
1203 return (0);
1204 }
1205 break;
1206 case SCTP_CAUSE_NAT_MISSING_STATE:
1207 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
1208 ch->chunk_flags);
1209 if (sctp_handle_nat_missing_state(stcb, net)) {
1210 return (0);
1211 }
1212 break;
1213 case SCTP_CAUSE_STALE_COOKIE:
1214 /*
1215 * We only act if we have echoed a cookie and are
1216 * waiting.
1217 */
1218 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
1219 int *p;
1220
1221 p = (int *)((caddr_t)phdr + sizeof(*phdr));
1222 /* Save the time doubled */
1223 asoc->cookie_preserve_req = ntohl(*p) << 1;
1224 asoc->stale_cookie_count++;
1225 if (asoc->stale_cookie_count >
1226 asoc->max_init_times) {
1227 sctp_abort_notification(stcb, 0, 0, NULL, SCTP_SO_NOT_LOCKED);
1228 /* now free the asoc */
1229 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1230 so = SCTP_INP_SO(stcb->sctp_ep);
1231 atomic_add_int(&stcb->asoc.refcnt, 1);
1232 SCTP_TCB_UNLOCK(stcb);
1233 SCTP_SOCKET_LOCK(so, 1);
1234 SCTP_TCB_LOCK(stcb);
1235 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1236 #endif
1237 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1238 SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
1239 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1240 SCTP_SOCKET_UNLOCK(so, 1);
1241 #endif
1242 return (-1);
1243 }
1244 /* blast back to INIT state */
1245 sctp_toss_old_cookies(stcb, &stcb->asoc);
1246 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
1247 asoc->state |= SCTP_STATE_COOKIE_WAIT;
1248 sctp_stop_all_cookie_timers(stcb);
1249 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
1250 }
1251 break;
1252 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
1253 /*
1254 * Nothing we can do here, we don't do hostname
1255 * addresses so if the peer does not like my IPv6
1256 * (or IPv4 for that matter) it does not matter. If
1257 * they don't support that type of address, they can
1258 * NOT possibly get that packet type... i.e. with no
1259 * IPv6 you can't receive a IPv6 packet. so we can
1260 * safely ignore this one. If we ever added support
1261 * for HOSTNAME Addresses, then we would need to do
1262 * something here.
1263 */
1264 break;
1265 case SCTP_CAUSE_UNRECOG_CHUNK:
1266 sctp_process_unrecog_chunk(stcb, phdr, net);
1267 break;
1268 case SCTP_CAUSE_UNRECOG_PARAM:
1269 sctp_process_unrecog_param(stcb, phdr);
1270 break;
1271 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
1272 /*
1273 * We ignore this since the timer will drive out a
1274 * new cookie anyway and there timer will drive us
1275 * to send a SHUTDOWN_COMPLETE. We can't send one
1276 * here since we don't have their tag.
1277 */
1278 break;
1279 case SCTP_CAUSE_DELETING_LAST_ADDR:
1280 case SCTP_CAUSE_RESOURCE_SHORTAGE:
1281 case SCTP_CAUSE_DELETING_SRC_ADDR:
1282 /*
1283 * We should NOT get these here, but in a
1284 * ASCONF-ACK.
1285 */
1286 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n",
1287 error_type);
1288 break;
1289 case SCTP_CAUSE_OUT_OF_RESC:
1290 /*
1291 * And what, pray tell do we do with the fact that
1292 * the peer is out of resources? Not really sure we
1293 * could do anything but abort. I suspect this
1294 * should have came WITH an abort instead of in a
1295 * OP-ERROR.
1296 */
1297 break;
1298 default:
1299 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n",
1300 error_type);
1301 break;
1302 }
1303 adjust = SCTP_SIZE32(error_len);
1304 chklen -= adjust;
1305 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
1306 }
1307 sctp_ulp_notify(SCTP_NOTIFY_REMOTE_ERROR, stcb, error, ch, SCTP_SO_NOT_LOCKED);
1308 return (0);
1309 }
1310
1311 static int
1312 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
1313 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
1314 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
1315 struct sctp_nets *net, int *abort_no_unlock,
1316 uint8_t mflowtype, uint32_t mflowid,
1317 uint32_t vrf_id)
1318 {
1319 struct sctp_init_ack *init_ack;
1320 struct mbuf *op_err;
1321
1322 SCTPDBG(SCTP_DEBUG_INPUT2,
1323 "sctp_handle_init_ack: handling INIT-ACK\n");
1324
1325 if (stcb == NULL) {
1326 SCTPDBG(SCTP_DEBUG_INPUT2,
1327 "sctp_handle_init_ack: TCB is null\n");
1328 return (-1);
1329 }
1330 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
1331 /* Invalid length */
1332 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1333 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1334 src, dst, sh, op_err,
1335 mflowtype, mflowid,
1336 vrf_id, net->port);
1337 *abort_no_unlock = 1;
1338 return (-1);
1339 }
1340 init_ack = &cp->init;
1341 /* validate parameters */
1342 if (init_ack->initiate_tag == 0) {
1343 /* protocol error... send an abort */
1344 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1345 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1346 src, dst, sh, op_err,
1347 mflowtype, mflowid,
1348 vrf_id, net->port);
1349 *abort_no_unlock = 1;
1350 return (-1);
1351 }
1352 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
1353 /* protocol error... send an abort */
1354 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1355 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1356 src, dst, sh, op_err,
1357 mflowtype, mflowid,
1358 vrf_id, net->port);
1359 *abort_no_unlock = 1;
1360 return (-1);
1361 }
1362 if (init_ack->num_inbound_streams == 0) {
1363 /* protocol error... send an abort */
1364 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1365 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1366 src, dst, sh, op_err,
1367 mflowtype, mflowid,
1368 vrf_id, net->port);
1369 *abort_no_unlock = 1;
1370 return (-1);
1371 }
1372 if (init_ack->num_outbound_streams == 0) {
1373 /* protocol error... send an abort */
1374 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1375 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1376 src, dst, sh, op_err,
1377 mflowtype, mflowid,
1378 vrf_id, net->port);
1379 *abort_no_unlock = 1;
1380 return (-1);
1381 }
1382 /* process according to association state... */
1383 switch (stcb->asoc.state & SCTP_STATE_MASK) {
1384 case SCTP_STATE_COOKIE_WAIT:
1385 /* this is the expected state for this chunk */
1386 /* process the INIT-ACK parameters */
1387 if (stcb->asoc.primary_destination->dest_state &
1388 SCTP_ADDR_UNCONFIRMED) {
1389 /*
1390 * The primary is where we sent the INIT, we can
1391 * always consider it confirmed when the INIT-ACK is
1392 * returned. Do this before we load addresses
1393 * though.
1394 */
1395 stcb->asoc.primary_destination->dest_state &=
1396 ~SCTP_ADDR_UNCONFIRMED;
1397 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
1398 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
1399 }
1400 if (sctp_process_init_ack(m, iphlen, offset, src, dst, sh, cp, stcb,
1401 net, abort_no_unlock,
1402 mflowtype, mflowid,
1403 vrf_id) < 0) {
1404 /* error in parsing parameters */
1405 return (-1);
1406 }
1407 /* update our state */
1408 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
1409 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED);
1410
1411 /* reset the RTO calc */
1412 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
1413 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
1414 stcb->asoc.overall_error_count,
1415 0,
1416 SCTP_FROM_SCTP_INPUT,
1417 __LINE__);
1418 }
1419 stcb->asoc.overall_error_count = 0;
1420 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
1421 /*
1422 * collapse the init timer back in case of a exponential
1423 * backoff
1424 */
1425 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
1426 stcb, net);
1427 /*
1428 * the send at the end of the inbound data processing will
1429 * cause the cookie to be sent
1430 */
1431 break;
1432 case SCTP_STATE_SHUTDOWN_SENT:
1433 /* incorrect state... discard */
1434 break;
1435 case SCTP_STATE_COOKIE_ECHOED:
1436 /* incorrect state... discard */
1437 break;
1438 case SCTP_STATE_OPEN:
1439 /* incorrect state... discard */
1440 break;
1441 case SCTP_STATE_EMPTY:
1442 case SCTP_STATE_INUSE:
1443 default:
1444 /* incorrect state... discard */
1445 return (-1);
1446 break;
1447 }
1448 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
1449 return (0);
1450 }
1451
1452 static struct sctp_tcb *
1453 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1454 struct sockaddr *src, struct sockaddr *dst,
1455 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1456 struct sctp_inpcb *inp, struct sctp_nets **netp,
1457 struct sockaddr *init_src, int *notification,
1458 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1459 uint8_t mflowtype, uint32_t mflowid,
1460 uint32_t vrf_id, uint16_t port);
1461
1462
1463 /*
1464 * handle a state cookie for an existing association m: input packet mbuf
1465 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
1466 * "split" mbuf and the cookie signature does not exist offset: offset into
1467 * mbuf to the cookie-echo chunk
1468 */
1469 static struct sctp_tcb *
1470 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1471 struct sockaddr *src, struct sockaddr *dst,
1472 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1473 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp,
1474 struct sockaddr *init_src, int *notification,
1475 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1476 uint8_t mflowtype, uint32_t mflowid,
1477 uint32_t vrf_id, uint16_t port)
1478 {
1479 struct sctp_association *asoc;
1480 struct sctp_init_chunk *init_cp, init_buf;
1481 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1482 struct sctp_nets *net;
1483 struct mbuf *op_err;
1484 int init_offset, initack_offset, i;
1485 int retval;
1486 int spec_flag = 0;
1487 uint32_t how_indx;
1488
1489 #if defined(SCTP_DETAILED_STR_STATS)
1490 int j;
1491
1492 #endif
1493
1494 net = *netp;
1495 /* I know that the TCB is non-NULL from the caller */
1496 asoc = &stcb->asoc;
1497 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) {
1498 if (asoc->cookie_how[how_indx] == 0)
1499 break;
1500 }
1501 if (how_indx < sizeof(asoc->cookie_how)) {
1502 asoc->cookie_how[how_indx] = 1;
1503 }
1504 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1505 /* SHUTDOWN came in after sending INIT-ACK */
1506 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1507 op_err = sctp_generate_cause(SCTP_CAUSE_COOKIE_IN_SHUTDOWN, "");
1508 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
1509 mflowtype, mflowid, inp->fibnum,
1510 vrf_id, net->port);
1511 if (how_indx < sizeof(asoc->cookie_how))
1512 asoc->cookie_how[how_indx] = 2;
1513 return (NULL);
1514 }
1515 /*
1516 * find and validate the INIT chunk in the cookie (peer's info) the
1517 * INIT should start after the cookie-echo header struct (chunk
1518 * header, state cookie header struct)
1519 */
1520 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1521
1522 init_cp = (struct sctp_init_chunk *)
1523 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1524 (uint8_t *) & init_buf);
1525 if (init_cp == NULL) {
1526 /* could not pull a INIT chunk in cookie */
1527 return (NULL);
1528 }
1529 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1530 return (NULL);
1531 }
1532 /*
1533 * find and validate the INIT-ACK chunk in the cookie (my info) the
1534 * INIT-ACK follows the INIT chunk
1535 */
1536 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
1537 initack_cp = (struct sctp_init_ack_chunk *)
1538 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1539 (uint8_t *) & initack_buf);
1540 if (initack_cp == NULL) {
1541 /* could not pull INIT-ACK chunk in cookie */
1542 return (NULL);
1543 }
1544 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1545 return (NULL);
1546 }
1547 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1548 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1549 /*
1550 * case D in Section 5.2.4 Table 2: MMAA process accordingly
1551 * to get into the OPEN state
1552 */
1553 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1554 /*-
1555 * Opps, this means that we somehow generated two vtag's
1556 * the same. I.e. we did:
1557 * Us Peer
1558 * <---INIT(tag=a)------
1559 * ----INIT-ACK(tag=t)-->
1560 * ----INIT(tag=t)------> *1
1561 * <---INIT-ACK(tag=a)---
1562 * <----CE(tag=t)------------- *2
1563 *
1564 * At point *1 we should be generating a different
1565 * tag t'. Which means we would throw away the CE and send
1566 * ours instead. Basically this is case C (throw away side).
1567 */
1568 if (how_indx < sizeof(asoc->cookie_how))
1569 asoc->cookie_how[how_indx] = 17;
1570 return (NULL);
1571
1572 }
1573 switch (SCTP_GET_STATE(asoc)) {
1574 case SCTP_STATE_COOKIE_WAIT:
1575 case SCTP_STATE_COOKIE_ECHOED:
1576 /*
1577 * INIT was sent but got a COOKIE_ECHO with the
1578 * correct tags... just accept it...but we must
1579 * process the init so that we can make sure we have
1580 * the right seq no's.
1581 */
1582 /* First we must process the INIT !! */
1583 retval = sctp_process_init(init_cp, stcb);
1584 if (retval < 0) {
1585 if (how_indx < sizeof(asoc->cookie_how))
1586 asoc->cookie_how[how_indx] = 3;
1587 return (NULL);
1588 }
1589 /* we have already processed the INIT so no problem */
1590 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp,
1591 stcb, net,
1592 SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
1593 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp,
1594 stcb, net,
1595 SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
1596 /* update current state */
1597 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1598 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1599 else
1600 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1601
1602 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1603 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1604 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1605 stcb->sctp_ep, stcb, asoc->primary_destination);
1606 }
1607 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1608 sctp_stop_all_cookie_timers(stcb);
1609 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1610 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1611 (inp->sctp_socket->so_qlimit == 0)
1612 ) {
1613 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1614 struct socket *so;
1615
1616 #endif
1617 /*
1618 * Here is where collision would go if we
1619 * did a connect() and instead got a
1620 * init/init-ack/cookie done before the
1621 * init-ack came back..
1622 */
1623 stcb->sctp_ep->sctp_flags |=
1624 SCTP_PCB_FLAGS_CONNECTED;
1625 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1626 so = SCTP_INP_SO(stcb->sctp_ep);
1627 atomic_add_int(&stcb->asoc.refcnt, 1);
1628 SCTP_TCB_UNLOCK(stcb);
1629 SCTP_SOCKET_LOCK(so, 1);
1630 SCTP_TCB_LOCK(stcb);
1631 atomic_add_int(&stcb->asoc.refcnt, -1);
1632 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1633 SCTP_SOCKET_UNLOCK(so, 1);
1634 return (NULL);
1635 }
1636 #endif
1637 soisconnected(stcb->sctp_socket);
1638 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1639 SCTP_SOCKET_UNLOCK(so, 1);
1640 #endif
1641 }
1642 /* notify upper layer */
1643 *notification = SCTP_NOTIFY_ASSOC_UP;
1644 /*
1645 * since we did not send a HB make sure we don't
1646 * double things
1647 */
1648 net->hb_responded = 1;
1649 net->RTO = sctp_calculate_rto(stcb, asoc, net,
1650 &cookie->time_entered,
1651 sctp_align_unsafe_makecopy,
1652 SCTP_RTT_FROM_NON_DATA);
1653
1654 if (stcb->asoc.sctp_autoclose_ticks &&
1655 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
1656 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1657 inp, stcb, NULL);
1658 }
1659 break;
1660 default:
1661 /*
1662 * we're in the OPEN state (or beyond), so peer must
1663 * have simply lost the COOKIE-ACK
1664 */
1665 break;
1666 } /* end switch */
1667 sctp_stop_all_cookie_timers(stcb);
1668 /*
1669 * We ignore the return code here.. not sure if we should
1670 * somehow abort.. but we do have an existing asoc. This
1671 * really should not fail.
1672 */
1673 if (sctp_load_addresses_from_init(stcb, m,
1674 init_offset + sizeof(struct sctp_init_chunk),
1675 initack_offset, src, dst, init_src, stcb->asoc.port)) {
1676 if (how_indx < sizeof(asoc->cookie_how))
1677 asoc->cookie_how[how_indx] = 4;
1678 return (NULL);
1679 }
1680 /* respond with a COOKIE-ACK */
1681 sctp_toss_old_cookies(stcb, asoc);
1682 sctp_send_cookie_ack(stcb);
1683 if (how_indx < sizeof(asoc->cookie_how))
1684 asoc->cookie_how[how_indx] = 5;
1685 return (stcb);
1686 }
1687 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1688 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1689 cookie->tie_tag_my_vtag == 0 &&
1690 cookie->tie_tag_peer_vtag == 0) {
1691 /*
1692 * case C in Section 5.2.4 Table 2: XMOO silently discard
1693 */
1694 if (how_indx < sizeof(asoc->cookie_how))
1695 asoc->cookie_how[how_indx] = 6;
1696 return (NULL);
1697 }
1698 /*
1699 * If nat support, and the below and stcb is established, send back
1700 * a ABORT(colliding state) if we are established.
1701 */
1702 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) &&
1703 (asoc->peer_supports_nat) &&
1704 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1705 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1706 (asoc->peer_vtag == 0)))) {
1707 /*
1708 * Special case - Peer's support nat. We may have two init's
1709 * that we gave out the same tag on since one was not
1710 * established.. i.e. we get INIT from host-1 behind the nat
1711 * and we respond tag-a, we get a INIT from host-2 behind
1712 * the nat and we get tag-a again. Then we bring up host-1
1713 * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1).
1714 * Now we have colliding state. We must send an abort here
1715 * with colliding state indication.
1716 */
1717 op_err = sctp_generate_cause(SCTP_CAUSE_NAT_COLLIDING_STATE, "");
1718 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
1719 mflowtype, mflowid, inp->fibnum,
1720 vrf_id, port);
1721 return (NULL);
1722 }
1723 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1724 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1725 (asoc->peer_vtag == 0))) {
1726 /*
1727 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
1728 * should be ok, re-accept peer info
1729 */
1730 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1731 /*
1732 * Extension of case C. If we hit this, then the
1733 * random number generator returned the same vtag
1734 * when we first sent our INIT-ACK and when we later
1735 * sent our INIT. The side with the seq numbers that
1736 * are different will be the one that normnally
1737 * would have hit case C. This in effect "extends"
1738 * our vtags in this collision case to be 64 bits.
1739 * The same collision could occur aka you get both
1740 * vtag and seq number the same twice in a row.. but
1741 * is much less likely. If it did happen then we
1742 * would proceed through and bring up the assoc.. we
1743 * may end up with the wrong stream setup however..
1744 * which would be bad.. but there is no way to
1745 * tell.. until we send on a stream that does not
1746 * exist :-)
1747 */
1748 if (how_indx < sizeof(asoc->cookie_how))
1749 asoc->cookie_how[how_indx] = 7;
1750
1751 return (NULL);
1752 }
1753 if (how_indx < sizeof(asoc->cookie_how))
1754 asoc->cookie_how[how_indx] = 8;
1755 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
1756 SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
1757 sctp_stop_all_cookie_timers(stcb);
1758 /*
1759 * since we did not send a HB make sure we don't double
1760 * things
1761 */
1762 net->hb_responded = 1;
1763 if (stcb->asoc.sctp_autoclose_ticks &&
1764 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
1765 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1766 NULL);
1767 }
1768 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1769 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1770
1771 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
1772 /*
1773 * Ok the peer probably discarded our data (if we
1774 * echoed a cookie+data). So anything on the
1775 * sent_queue should be marked for retransmit, we
1776 * may not get something to kick us so it COULD
1777 * still take a timeout to move these.. but it can't
1778 * hurt to mark them.
1779 */
1780 struct sctp_tmit_chunk *chk;
1781
1782 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
1783 if (chk->sent < SCTP_DATAGRAM_RESEND) {
1784 chk->sent = SCTP_DATAGRAM_RESEND;
1785 sctp_flight_size_decrease(chk);
1786 sctp_total_flight_decrease(stcb, chk);
1787 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
1788 spec_flag++;
1789 }
1790 }
1791
1792 }
1793 /* process the INIT info (peer's info) */
1794 retval = sctp_process_init(init_cp, stcb);
1795 if (retval < 0) {
1796 if (how_indx < sizeof(asoc->cookie_how))
1797 asoc->cookie_how[how_indx] = 9;
1798 return (NULL);
1799 }
1800 if (sctp_load_addresses_from_init(stcb, m,
1801 init_offset + sizeof(struct sctp_init_chunk),
1802 initack_offset, src, dst, init_src, stcb->asoc.port)) {
1803 if (how_indx < sizeof(asoc->cookie_how))
1804 asoc->cookie_how[how_indx] = 10;
1805 return (NULL);
1806 }
1807 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1808 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1809 *notification = SCTP_NOTIFY_ASSOC_UP;
1810
1811 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1812 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1813 (inp->sctp_socket->so_qlimit == 0)) {
1814 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1815 struct socket *so;
1816
1817 #endif
1818 stcb->sctp_ep->sctp_flags |=
1819 SCTP_PCB_FLAGS_CONNECTED;
1820 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1821 so = SCTP_INP_SO(stcb->sctp_ep);
1822 atomic_add_int(&stcb->asoc.refcnt, 1);
1823 SCTP_TCB_UNLOCK(stcb);
1824 SCTP_SOCKET_LOCK(so, 1);
1825 SCTP_TCB_LOCK(stcb);
1826 atomic_add_int(&stcb->asoc.refcnt, -1);
1827 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1828 SCTP_SOCKET_UNLOCK(so, 1);
1829 return (NULL);
1830 }
1831 #endif
1832 soisconnected(stcb->sctp_socket);
1833 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1834 SCTP_SOCKET_UNLOCK(so, 1);
1835 #endif
1836 }
1837 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1838 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1839 else
1840 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1841 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1842 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1843 SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
1844 } else {
1845 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1846 }
1847 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1848 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1849 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1850 stcb->sctp_ep, stcb, asoc->primary_destination);
1851 }
1852 sctp_stop_all_cookie_timers(stcb);
1853 sctp_toss_old_cookies(stcb, asoc);
1854 sctp_send_cookie_ack(stcb);
1855 if (spec_flag) {
1856 /*
1857 * only if we have retrans set do we do this. What
1858 * this call does is get only the COOKIE-ACK out and
1859 * then when we return the normal call to
1860 * sctp_chunk_output will get the retrans out behind
1861 * this.
1862 */
1863 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
1864 }
1865 if (how_indx < sizeof(asoc->cookie_how))
1866 asoc->cookie_how[how_indx] = 11;
1867
1868 return (stcb);
1869 }
1870 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1871 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1872 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1873 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1874 cookie->tie_tag_peer_vtag != 0) {
1875 struct sctpasochead *head;
1876
1877 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1878 struct socket *so;
1879
1880 #endif
1881
1882 if (asoc->peer_supports_nat) {
1883 /*
1884 * This is a gross gross hack. Just call the
1885 * cookie_new code since we are allowing a duplicate
1886 * association. I hope this works...
1887 */
1888 return (sctp_process_cookie_new(m, iphlen, offset, src, dst,
1889 sh, cookie, cookie_len,
1890 inp, netp, init_src, notification,
1891 auth_skipped, auth_offset, auth_len,
1892 mflowtype, mflowid,
1893 vrf_id, port));
1894 }
1895 /*
1896 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1897 */
1898 /* temp code */
1899 if (how_indx < sizeof(asoc->cookie_how))
1900 asoc->cookie_how[how_indx] = 12;
1901 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net,
1902 SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
1903 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
1904 SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
1905
1906 /* notify upper layer */
1907 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1908 atomic_add_int(&stcb->asoc.refcnt, 1);
1909 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) &&
1910 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
1911 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
1912 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1913 }
1914 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1915 SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
1916 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) {
1917 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
1918 }
1919 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1920 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1921 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1922 stcb->sctp_ep, stcb, asoc->primary_destination);
1923
1924 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1925 /* move to OPEN state, if not in SHUTDOWN_SENT */
1926 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1927 }
1928 asoc->pre_open_streams =
1929 ntohs(initack_cp->init.num_outbound_streams);
1930 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1931 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1932 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
1933
1934 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1935
1936 asoc->str_reset_seq_in = asoc->init_seq_number;
1937
1938 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1939 if (asoc->mapping_array) {
1940 memset(asoc->mapping_array, 0,
1941 asoc->mapping_array_size);
1942 }
1943 if (asoc->nr_mapping_array) {
1944 memset(asoc->nr_mapping_array, 0,
1945 asoc->mapping_array_size);
1946 }
1947 SCTP_TCB_UNLOCK(stcb);
1948 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1949 so = SCTP_INP_SO(stcb->sctp_ep);
1950 SCTP_SOCKET_LOCK(so, 1);
1951 #endif
1952 SCTP_INP_INFO_WLOCK();
1953 SCTP_INP_WLOCK(stcb->sctp_ep);
1954 SCTP_TCB_LOCK(stcb);
1955 atomic_add_int(&stcb->asoc.refcnt, -1);
1956 /* send up all the data */
1957 SCTP_TCB_SEND_LOCK(stcb);
1958
1959 sctp_report_all_outbound(stcb, 0, 1, SCTP_SO_LOCKED);
1960 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
1961 stcb->asoc.strmout[i].chunks_on_queues = 0;
1962 #if defined(SCTP_DETAILED_STR_STATS)
1963 for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
1964 asoc->strmout[i].abandoned_sent[j] = 0;
1965 asoc->strmout[i].abandoned_unsent[j] = 0;
1966 }
1967 #else
1968 asoc->strmout[i].abandoned_sent[0] = 0;
1969 asoc->strmout[i].abandoned_unsent[0] = 0;
1970 #endif
1971 stcb->asoc.strmout[i].stream_no = i;
1972 stcb->asoc.strmout[i].next_mid_ordered = 0;
1973 stcb->asoc.strmout[i].next_mid_unordered = 0;
1974 stcb->asoc.strmout[i].last_msg_incomplete = 0;
1975 }
1976 /* process the INIT-ACK info (my info) */
1977 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1978 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1979
1980 /* pull from vtag hash */
1981 LIST_REMOVE(stcb, sctp_asocs);
1982 /* re-insert to new vtag position */
1983 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
1984 SCTP_BASE_INFO(hashasocmark))];
1985 /*
1986 * put it in the bucket in the vtag hash of assoc's for the
1987 * system
1988 */
1989 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
1990
1991 SCTP_TCB_SEND_UNLOCK(stcb);
1992 SCTP_INP_WUNLOCK(stcb->sctp_ep);
1993 SCTP_INP_INFO_WUNLOCK();
1994 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1995 SCTP_SOCKET_UNLOCK(so, 1);
1996 #endif
1997 asoc->total_flight = 0;
1998 asoc->total_flight_count = 0;
1999 /* process the INIT info (peer's info) */
2000 retval = sctp_process_init(init_cp, stcb);
2001 if (retval < 0) {
2002 if (how_indx < sizeof(asoc->cookie_how))
2003 asoc->cookie_how[how_indx] = 13;
2004
2005 return (NULL);
2006 }
2007 /*
2008 * since we did not send a HB make sure we don't double
2009 * things
2010 */
2011 net->hb_responded = 1;
2012
2013 if (sctp_load_addresses_from_init(stcb, m,
2014 init_offset + sizeof(struct sctp_init_chunk),
2015 initack_offset, src, dst, init_src, stcb->asoc.port)) {
2016 if (how_indx < sizeof(asoc->cookie_how))
2017 asoc->cookie_how[how_indx] = 14;
2018
2019 return (NULL);
2020 }
2021 /* respond with a COOKIE-ACK */
2022 sctp_stop_all_cookie_timers(stcb);
2023 sctp_toss_old_cookies(stcb, asoc);
2024 sctp_send_cookie_ack(stcb);
2025 if (how_indx < sizeof(asoc->cookie_how))
2026 asoc->cookie_how[how_indx] = 15;
2027
2028 return (stcb);
2029 }
2030 if (how_indx < sizeof(asoc->cookie_how))
2031 asoc->cookie_how[how_indx] = 16;
2032 /* all other cases... */
2033 return (NULL);
2034 }
2035
2036
2037 /*
2038 * handle a state cookie for a new association m: input packet mbuf chain--
2039 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
2040 * and the cookie signature does not exist offset: offset into mbuf to the
2041 * cookie-echo chunk length: length of the cookie chunk to: where the init
2042 * was from returns a new TCB
2043 */
2044 static struct sctp_tcb *
2045 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
2046 struct sockaddr *src, struct sockaddr *dst,
2047 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
2048 struct sctp_inpcb *inp, struct sctp_nets **netp,
2049 struct sockaddr *init_src, int *notification,
2050 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
2051 uint8_t mflowtype, uint32_t mflowid,
2052 uint32_t vrf_id, uint16_t port)
2053 {
2054 struct sctp_tcb *stcb;
2055 struct sctp_init_chunk *init_cp, init_buf;
2056 struct sctp_init_ack_chunk *initack_cp, initack_buf;
2057 union sctp_sockstore store;
2058 struct sctp_association *asoc;
2059 int init_offset, initack_offset, initack_limit;
2060 int retval;
2061 int error = 0;
2062 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
2063
2064 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2065 struct socket *so;
2066
2067 so = SCTP_INP_SO(inp);
2068 #endif
2069
2070 /*
2071 * find and validate the INIT chunk in the cookie (peer's info) the
2072 * INIT should start after the cookie-echo header struct (chunk
2073 * header, state cookie header struct)
2074 */
2075 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
2076 init_cp = (struct sctp_init_chunk *)
2077 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
2078 (uint8_t *) & init_buf);
2079 if (init_cp == NULL) {
2080 /* could not pull a INIT chunk in cookie */
2081 SCTPDBG(SCTP_DEBUG_INPUT1,
2082 "process_cookie_new: could not pull INIT chunk hdr\n");
2083 return (NULL);
2084 }
2085 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
2086 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
2087 return (NULL);
2088 }
2089 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
2090 /*
2091 * find and validate the INIT-ACK chunk in the cookie (my info) the
2092 * INIT-ACK follows the INIT chunk
2093 */
2094 initack_cp = (struct sctp_init_ack_chunk *)
2095 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
2096 (uint8_t *) & initack_buf);
2097 if (initack_cp == NULL) {
2098 /* could not pull INIT-ACK chunk in cookie */
2099 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
2100 return (NULL);
2101 }
2102 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
2103 return (NULL);
2104 }
2105 /*
2106 * NOTE: We can't use the INIT_ACK's chk_length to determine the
2107 * "initack_limit" value. This is because the chk_length field
2108 * includes the length of the cookie, but the cookie is omitted when
2109 * the INIT and INIT_ACK are tacked onto the cookie...
2110 */
2111 initack_limit = offset + cookie_len;
2112
2113 /*
2114 * now that we know the INIT/INIT-ACK are in place, create a new TCB
2115 * and popluate
2116 */
2117
2118 /*
2119 * Here we do a trick, we set in NULL for the proc/thread argument.
2120 * We do this since in effect we only use the p argument when the
2121 * socket is unbound and we must do an implicit bind. Since we are
2122 * getting a cookie, we cannot be unbound.
2123 */
2124 stcb = sctp_aloc_assoc(inp, init_src, &error,
2125 ntohl(initack_cp->init.initiate_tag), vrf_id,
2126 ntohs(initack_cp->init.num_outbound_streams),
2127 port,
2128 (struct thread *)NULL
2129 );
2130 if (stcb == NULL) {
2131 struct mbuf *op_err;
2132
2133 /* memory problem? */
2134 SCTPDBG(SCTP_DEBUG_INPUT1,
2135 "process_cookie_new: no room for another TCB!\n");
2136 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2137 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2138 src, dst, sh, op_err,
2139 mflowtype, mflowid,
2140 vrf_id, port);
2141 return (NULL);
2142 }
2143 /* get the correct sctp_nets */
2144 if (netp)
2145 *netp = sctp_findnet(stcb, init_src);
2146
2147 asoc = &stcb->asoc;
2148 /* get scope variables out of cookie */
2149 asoc->scope.ipv4_local_scope = cookie->ipv4_scope;
2150 asoc->scope.site_scope = cookie->site_scope;
2151 asoc->scope.local_scope = cookie->local_scope;
2152 asoc->scope.loopback_scope = cookie->loopback_scope;
2153
2154 if ((asoc->scope.ipv4_addr_legal != cookie->ipv4_addr_legal) ||
2155 (asoc->scope.ipv6_addr_legal != cookie->ipv6_addr_legal)) {
2156 struct mbuf *op_err;
2157
2158 /*
2159 * Houston we have a problem. The EP changed while the
2160 * cookie was in flight. Only recourse is to abort the
2161 * association.
2162 */
2163 atomic_add_int(&stcb->asoc.refcnt, 1);
2164 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2165 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2166 src, dst, sh, op_err,
2167 mflowtype, mflowid,
2168 vrf_id, port);
2169 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2170 SCTP_TCB_UNLOCK(stcb);
2171 SCTP_SOCKET_LOCK(so, 1);
2172 SCTP_TCB_LOCK(stcb);
2173 #endif
2174 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2175 SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
2176 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2177 SCTP_SOCKET_UNLOCK(so, 1);
2178 #endif
2179 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2180 return (NULL);
2181 }
2182 /* process the INIT-ACK info (my info) */
2183 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
2184 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
2185 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
2186 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
2187 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
2188 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
2189 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
2190 asoc->str_reset_seq_in = asoc->init_seq_number;
2191
2192 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
2193
2194 /* process the INIT info (peer's info) */
2195 if (netp)
2196 retval = sctp_process_init(init_cp, stcb);
2197 else
2198 retval = 0;
2199 if (retval < 0) {
2200 atomic_add_int(&stcb->asoc.refcnt, 1);
2201 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2202 SCTP_TCB_UNLOCK(stcb);
2203 SCTP_SOCKET_LOCK(so, 1);
2204 SCTP_TCB_LOCK(stcb);
2205 #endif
2206 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2207 SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
2208 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2209 SCTP_SOCKET_UNLOCK(so, 1);
2210 #endif
2211 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2212 return (NULL);
2213 }
2214 /* load all addresses */
2215 if (sctp_load_addresses_from_init(stcb, m,
2216 init_offset + sizeof(struct sctp_init_chunk), initack_offset,
2217 src, dst, init_src, port)) {
2218 atomic_add_int(&stcb->asoc.refcnt, 1);
2219 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2220 SCTP_TCB_UNLOCK(stcb);
2221 SCTP_SOCKET_LOCK(so, 1);
2222 SCTP_TCB_LOCK(stcb);
2223 #endif
2224 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2225 SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
2226 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2227 SCTP_SOCKET_UNLOCK(so, 1);
2228 #endif
2229 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2230 return (NULL);
2231 }
2232 /*
2233 * verify any preceding AUTH chunk that was skipped
2234 */
2235 /* pull the local authentication parameters from the cookie/init-ack */
2236 sctp_auth_get_cookie_params(stcb, m,
2237 initack_offset + sizeof(struct sctp_init_ack_chunk),
2238 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
2239 if (auth_skipped) {
2240 struct sctp_auth_chunk *auth;
2241
2242 auth = (struct sctp_auth_chunk *)
2243 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
2244 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
2245 /* auth HMAC failed, dump the assoc and packet */
2246 SCTPDBG(SCTP_DEBUG_AUTH1,
2247 "COOKIE-ECHO: AUTH failed\n");
2248 atomic_add_int(&stcb->asoc.refcnt, 1);
2249 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2250 SCTP_TCB_UNLOCK(stcb);
2251 SCTP_SOCKET_LOCK(so, 1);
2252 SCTP_TCB_LOCK(stcb);
2253 #endif
2254 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2255 SCTP_FROM_SCTP_INPUT + SCTP_LOC_21);
2256 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2257 SCTP_SOCKET_UNLOCK(so, 1);
2258 #endif
2259 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2260 return (NULL);
2261 } else {
2262 /* remaining chunks checked... good to go */
2263 stcb->asoc.authenticated = 1;
2264 }
2265 }
2266 /* update current state */
2267 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2268 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
2269 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2270 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2271 stcb->sctp_ep, stcb, asoc->primary_destination);
2272 }
2273 sctp_stop_all_cookie_timers(stcb);
2274 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
2275 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2276
2277 /*
2278 * if we're doing ASCONFs, check to see if we have any new local
2279 * addresses that need to get added to the peer (eg. addresses
2280 * changed while cookie echo in flight). This needs to be done
2281 * after we go to the OPEN state to do the correct asconf
2282 * processing. else, make sure we have the correct addresses in our
2283 * lists
2284 */
2285
2286 /* warning, we re-use sin, sin6, sa_store here! */
2287 /* pull in local_address (our "from" address) */
2288 switch (cookie->laddr_type) {
2289 #ifdef INET
2290 case SCTP_IPV4_ADDRESS:
2291 /* source addr is IPv4 */
2292 memset(&store.sin, 0, sizeof(struct sockaddr_in));
2293 store.sin.sin_family = AF_INET;
2294 store.sin.sin_len = sizeof(struct sockaddr_in);
2295 store.sin.sin_addr.s_addr = cookie->laddress[0];
2296 break;
2297 #endif
2298 #ifdef INET6
2299 case SCTP_IPV6_ADDRESS:
2300 /* source addr is IPv6 */
2301 memset(&store.sin6, 0, sizeof(struct sockaddr_in6));
2302 store.sin6.sin6_family = AF_INET6;
2303 store.sin6.sin6_len = sizeof(struct sockaddr_in6);
2304 store.sin6.sin6_scope_id = cookie->scope_id;
2305 memcpy(&store.sin6.sin6_addr, cookie->laddress, sizeof(struct in6_addr));
2306 break;
2307 #endif
2308 default:
2309 atomic_add_int(&stcb->asoc.refcnt, 1);
2310 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2311 SCTP_TCB_UNLOCK(stcb);
2312 SCTP_SOCKET_LOCK(so, 1);
2313 SCTP_TCB_LOCK(stcb);
2314 #endif
2315 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2316 SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
2317 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2318 SCTP_SOCKET_UNLOCK(so, 1);
2319 #endif
2320 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2321 return (NULL);
2322 }
2323
2324 /* set up to notify upper layer */
2325 *notification = SCTP_NOTIFY_ASSOC_UP;
2326 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2327 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
2328 (inp->sctp_socket->so_qlimit == 0)) {
2329 /*
2330 * This is an endpoint that called connect() how it got a
2331 * cookie that is NEW is a bit of a mystery. It must be that
2332 * the INIT was sent, but before it got there.. a complete
2333 * INIT/INIT-ACK/COOKIE arrived. But of course then it
2334 * should have went to the other code.. not here.. oh well..
2335 * a bit of protection is worth having..
2336 */
2337 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2338 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2339 atomic_add_int(&stcb->asoc.refcnt, 1);
2340 SCTP_TCB_UNLOCK(stcb);
2341 SCTP_SOCKET_LOCK(so, 1);
2342 SCTP_TCB_LOCK(stcb);
2343 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2344 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2345 SCTP_SOCKET_UNLOCK(so, 1);
2346 return (NULL);
2347 }
2348 #endif
2349 soisconnected(stcb->sctp_socket);
2350 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2351 SCTP_SOCKET_UNLOCK(so, 1);
2352 #endif
2353 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
2354 (inp->sctp_socket->so_qlimit)) {
2355 /*
2356 * We don't want to do anything with this one. Since it is
2357 * the listening guy. The timer will get started for
2358 * accepted connections in the caller.
2359 */
2360 ;
2361 }
2362 /* since we did not send a HB make sure we don't double things */
2363 if ((netp) && (*netp))
2364 (*netp)->hb_responded = 1;
2365
2366 if (stcb->asoc.sctp_autoclose_ticks &&
2367 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2368 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
2369 }
2370 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
2371 if ((netp != NULL) && (*netp != NULL)) {
2372 /* calculate the RTT and set the encaps port */
2373 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
2374 &cookie->time_entered, sctp_align_unsafe_makecopy,
2375 SCTP_RTT_FROM_NON_DATA);
2376 }
2377 /* respond with a COOKIE-ACK */
2378 sctp_send_cookie_ack(stcb);
2379
2380 /*
2381 * check the address lists for any ASCONFs that need to be sent
2382 * AFTER the cookie-ack is sent
2383 */
2384 sctp_check_address_list(stcb, m,
2385 initack_offset + sizeof(struct sctp_init_ack_chunk),
2386 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
2387 &store.sa, cookie->local_scope, cookie->site_scope,
2388 cookie->ipv4_scope, cookie->loopback_scope);
2389
2390
2391 return (stcb);
2392 }
2393
2394 /*
2395 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e
2396 * we NEED to make sure we are not already using the vtag. If so we
2397 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit!
2398 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag,
2399 SCTP_BASE_INFO(hashasocmark))];
2400 LIST_FOREACH(stcb, head, sctp_asocs) {
2401 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) {
2402 -- SEND ABORT - TRY AGAIN --
2403 }
2404 }
2405 */
2406
2407 /*
2408 * handles a COOKIE-ECHO message stcb: modified to either a new or left as
2409 * existing (non-NULL) TCB
2410 */
2411 static struct mbuf *
2412 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
2413 struct sockaddr *src, struct sockaddr *dst,
2414 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
2415 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
2416 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
2417 struct sctp_tcb **locked_tcb,
2418 uint8_t mflowtype, uint32_t mflowid,
2419 uint32_t vrf_id, uint16_t port)
2420 {
2421 struct sctp_state_cookie *cookie;
2422 struct sctp_tcb *l_stcb = *stcb;
2423 struct sctp_inpcb *l_inp;
2424 struct sockaddr *to;
2425 struct sctp_pcb *ep;
2426 struct mbuf *m_sig;
2427 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
2428 uint8_t *sig;
2429 uint8_t cookie_ok = 0;
2430 unsigned int sig_offset, cookie_offset;
2431 unsigned int cookie_len;
2432 struct timeval now;
2433 struct timeval time_expires;
2434 int notification = 0;
2435 struct sctp_nets *netl;
2436 int had_a_existing_tcb = 0;
2437 int send_int_conf = 0;
2438
2439 #ifdef INET
2440 struct sockaddr_in sin;
2441
2442 #endif
2443 #ifdef INET6
2444 struct sockaddr_in6 sin6;
2445
2446 #endif
2447
2448 SCTPDBG(SCTP_DEBUG_INPUT2,
2449 "sctp_handle_cookie: handling COOKIE-ECHO\n");
2450
2451 if (inp_p == NULL) {
2452 return (NULL);
2453 }
2454 cookie = &cp->cookie;
2455 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
2456 cookie_len = ntohs(cp->ch.chunk_length);
2457
2458 if ((cookie->peerport != sh->src_port) ||
2459 (cookie->myport != sh->dest_port) ||
2460 (cookie->my_vtag != sh->v_tag)) {
2461 /*
2462 * invalid ports or bad tag. Note that we always leave the
2463 * v_tag in the header in network order and when we stored
2464 * it in the my_vtag slot we also left it in network order.
2465 * This maintains the match even though it may be in the
2466 * opposite byte order of the machine :->
2467 */
2468 return (NULL);
2469 }
2470 if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
2471 sizeof(struct sctp_init_chunk) +
2472 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
2473 /* cookie too small */
2474 return (NULL);
2475 }
2476 /*
2477 * split off the signature into its own mbuf (since it should not be
2478 * calculated in the sctp_hmac_m() call).
2479 */
2480 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
2481 m_sig = m_split(m, sig_offset, M_NOWAIT);
2482 if (m_sig == NULL) {
2483 /* out of memory or ?? */
2484 return (NULL);
2485 }
2486 #ifdef SCTP_MBUF_LOGGING
2487 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
2488 sctp_log_mbc(m_sig, SCTP_MBUF_SPLIT);
2489 }
2490 #endif
2491
2492 /*
2493 * compute the signature/digest for the cookie
2494 */
2495 ep = &(*inp_p)->sctp_ep;
2496 l_inp = *inp_p;
2497 if (l_stcb) {
2498 SCTP_TCB_UNLOCK(l_stcb);
2499 }
2500 SCTP_INP_RLOCK(l_inp);
2501 if (l_stcb) {
2502 SCTP_TCB_LOCK(l_stcb);
2503 }
2504 /* which cookie is it? */
2505 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
2506 (ep->current_secret_number != ep->last_secret_number)) {
2507 /* it's the old cookie */
2508 (void)sctp_hmac_m(SCTP_HMAC,
2509 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
2510 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2511 } else {
2512 /* it's the current cookie */
2513 (void)sctp_hmac_m(SCTP_HMAC,
2514 (uint8_t *) ep->secret_key[(int)ep->current_secret_number],
2515 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2516 }
2517 /* get the signature */
2518 SCTP_INP_RUNLOCK(l_inp);
2519 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
2520 if (sig == NULL) {
2521 /* couldn't find signature */
2522 sctp_m_freem(m_sig);
2523 return (NULL);
2524 }
2525 /* compare the received digest with the computed digest */
2526 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
2527 /* try the old cookie? */
2528 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
2529 (ep->current_secret_number != ep->last_secret_number)) {
2530 /* compute digest with old */
2531 (void)sctp_hmac_m(SCTP_HMAC,
2532 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
2533 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2534 /* compare */
2535 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
2536 cookie_ok = 1;
2537 }
2538 } else {
2539 cookie_ok = 1;
2540 }
2541
2542 /*
2543 * Now before we continue we must reconstruct our mbuf so that
2544 * normal processing of any other chunks will work.
2545 */
2546 {
2547 struct mbuf *m_at;
2548
2549 m_at = m;
2550 while (SCTP_BUF_NEXT(m_at) != NULL) {
2551 m_at = SCTP_BUF_NEXT(m_at);
2552 }
2553 SCTP_BUF_NEXT(m_at) = m_sig;
2554 }
2555
2556 if (cookie_ok == 0) {
2557 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
2558 SCTPDBG(SCTP_DEBUG_INPUT2,
2559 "offset = %u, cookie_offset = %u, sig_offset = %u\n",
2560 (uint32_t) offset, cookie_offset, sig_offset);
2561 return (NULL);
2562 }
2563 /*
2564 * check the cookie timestamps to be sure it's not stale
2565 */
2566 (void)SCTP_GETTIME_TIMEVAL(&now);
2567 /* Expire time is in Ticks, so we convert to seconds */
2568 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life);
2569 time_expires.tv_usec = cookie->time_entered.tv_usec;
2570 /*
2571 * TODO sctp_constants.h needs alternative time macros when _KERNEL
2572 * is undefined.
2573 */
2574 if (timevalcmp(&now, &time_expires, >)) {
2575 /* cookie is stale! */
2576 struct mbuf *op_err;
2577 struct sctp_error_stale_cookie *cause;
2578 uint32_t tim;
2579
2580 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_stale_cookie),
2581 0, M_NOWAIT, 1, MT_DATA);
2582 if (op_err == NULL) {
2583 /* FOOBAR */
2584 return (NULL);
2585 }
2586 /* Set the len */
2587 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_stale_cookie);
2588 cause = mtod(op_err, struct sctp_error_stale_cookie *);
2589 cause->cause.code = htons(SCTP_CAUSE_STALE_COOKIE);
2590 cause->cause.length = htons((sizeof(struct sctp_paramhdr) +
2591 (sizeof(uint32_t))));
2592 /* seconds to usec */
2593 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
2594 /* add in usec */
2595 if (tim == 0)
2596 tim = now.tv_usec - cookie->time_entered.tv_usec;
2597 cause->stale_time = htonl(tim);
2598 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
2599 mflowtype, mflowid, l_inp->fibnum,
2600 vrf_id, port);
2601 return (NULL);
2602 }
2603 /*
2604 * Now we must see with the lookup address if we have an existing
2605 * asoc. This will only happen if we were in the COOKIE-WAIT state
2606 * and a INIT collided with us and somewhere the peer sent the
2607 * cookie on another address besides the single address our assoc
2608 * had for him. In this case we will have one of the tie-tags set at
2609 * least AND the address field in the cookie can be used to look it
2610 * up.
2611 */
2612 to = NULL;
2613 switch (cookie->addr_type) {
2614 #ifdef INET6
2615 case SCTP_IPV6_ADDRESS:
2616 memset(&sin6, 0, sizeof(sin6));
2617 sin6.sin6_family = AF_INET6;
2618 sin6.sin6_len = sizeof(sin6);
2619 sin6.sin6_port = sh->src_port;
2620 sin6.sin6_scope_id = cookie->scope_id;
2621 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
2622 sizeof(sin6.sin6_addr.s6_addr));
2623 to = (struct sockaddr *)&sin6;
2624 break;
2625 #endif
2626 #ifdef INET
2627 case SCTP_IPV4_ADDRESS:
2628 memset(&sin, 0, sizeof(sin));
2629 sin.sin_family = AF_INET;
2630 sin.sin_len = sizeof(sin);
2631 sin.sin_port = sh->src_port;
2632 sin.sin_addr.s_addr = cookie->address[0];
2633 to = (struct sockaddr *)&sin;
2634 break;
2635 #endif
2636 default:
2637 /* This should not happen */
2638 return (NULL);
2639 }
2640 if (*stcb == NULL) {
2641 /* Yep, lets check */
2642 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, dst, NULL);
2643 if (*stcb == NULL) {
2644 /*
2645 * We should have only got back the same inp. If we
2646 * got back a different ep we have a problem. The
2647 * original findep got back l_inp and now
2648 */
2649 if (l_inp != *inp_p) {
2650 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
2651 }
2652 } else {
2653 if (*locked_tcb == NULL) {
2654 /*
2655 * In this case we found the assoc only
2656 * after we locked the create lock. This
2657 * means we are in a colliding case and we
2658 * must make sure that we unlock the tcb if
2659 * its one of the cases where we throw away
2660 * the incoming packets.
2661 */
2662 *locked_tcb = *stcb;
2663
2664 /*
2665 * We must also increment the inp ref count
2666 * since the ref_count flags was set when we
2667 * did not find the TCB, now we found it
2668 * which reduces the refcount.. we must
2669 * raise it back out to balance it all :-)
2670 */
2671 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
2672 if ((*stcb)->sctp_ep != l_inp) {
2673 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
2674 (void *)(*stcb)->sctp_ep, (void *)l_inp);
2675 }
2676 }
2677 }
2678 }
2679 cookie_len -= SCTP_SIGNATURE_SIZE;
2680 if (*stcb == NULL) {
2681 /* this is the "normal" case... get a new TCB */
2682 *stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst, sh,
2683 cookie, cookie_len, *inp_p,
2684 netp, to, &notification,
2685 auth_skipped, auth_offset, auth_len,
2686 mflowtype, mflowid,
2687 vrf_id, port);
2688 } else {
2689 /* this is abnormal... cookie-echo on existing TCB */
2690 had_a_existing_tcb = 1;
2691 *stcb = sctp_process_cookie_existing(m, iphlen, offset,
2692 src, dst, sh,
2693 cookie, cookie_len, *inp_p, *stcb, netp, to,
2694 &notification, auth_skipped, auth_offset, auth_len,
2695 mflowtype, mflowid,
2696 vrf_id, port);
2697 }
2698
2699 if (*stcb == NULL) {
2700 /* still no TCB... must be bad cookie-echo */
2701 return (NULL);
2702 }
2703 if (*netp != NULL) {
2704 (*netp)->flowtype = mflowtype;
2705 (*netp)->flowid = mflowid;
2706 }
2707 /*
2708 * Ok, we built an association so confirm the address we sent the
2709 * INIT-ACK to.
2710 */
2711 netl = sctp_findnet(*stcb, to);
2712 /*
2713 * This code should in theory NOT run but
2714 */
2715 if (netl == NULL) {
2716 /* TSNH! Huh, why do I need to add this address here? */
2717 if (sctp_add_remote_addr(*stcb, to, NULL, port,
2718 SCTP_DONOT_SETSCOPE, SCTP_IN_COOKIE_PROC)) {
2719 return (NULL);
2720 }
2721 netl = sctp_findnet(*stcb, to);
2722 }
2723 if (netl) {
2724 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2725 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2726 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2727 netl);
2728 send_int_conf = 1;
2729 }
2730 }
2731 sctp_start_net_timers(*stcb);
2732 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2733 if (!had_a_existing_tcb ||
2734 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2735 /*
2736 * If we have a NEW cookie or the connect never
2737 * reached the connected state during collision we
2738 * must do the TCP accept thing.
2739 */
2740 struct socket *so, *oso;
2741 struct sctp_inpcb *inp;
2742
2743 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2744 /*
2745 * For a restart we will keep the same
2746 * socket, no need to do anything. I THINK!!
2747 */
2748 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2749 if (send_int_conf) {
2750 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2751 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2752 }
2753 return (m);
2754 }
2755 oso = (*inp_p)->sctp_socket;
2756 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2757 SCTP_TCB_UNLOCK((*stcb));
2758 CURVNET_SET(oso->so_vnet);
2759 so = sonewconn(oso, 0
2760 );
2761 CURVNET_RESTORE();
2762 SCTP_TCB_LOCK((*stcb));
2763 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2764
2765 if (so == NULL) {
2766 struct mbuf *op_err;
2767
2768 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2769 struct socket *pcb_so;
2770
2771 #endif
2772 /* Too many sockets */
2773 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
2774 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2775 sctp_abort_association(*inp_p, NULL, m, iphlen,
2776 src, dst, sh, op_err,
2777 mflowtype, mflowid,
2778 vrf_id, port);
2779 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2780 pcb_so = SCTP_INP_SO(*inp_p);
2781 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2782 SCTP_TCB_UNLOCK((*stcb));
2783 SCTP_SOCKET_LOCK(pcb_so, 1);
2784 SCTP_TCB_LOCK((*stcb));
2785 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2786 #endif
2787 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC,
2788 SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
2789 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2790 SCTP_SOCKET_UNLOCK(pcb_so, 1);
2791 #endif
2792 return (NULL);
2793 }
2794 inp = (struct sctp_inpcb *)so->so_pcb;
2795 SCTP_INP_INCR_REF(inp);
2796 /*
2797 * We add the unbound flag here so that if we get an
2798 * soabort() before we get the move_pcb done, we
2799 * will properly cleanup.
2800 */
2801 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2802 SCTP_PCB_FLAGS_CONNECTED |
2803 SCTP_PCB_FLAGS_IN_TCPPOOL |
2804 SCTP_PCB_FLAGS_UNBOUND |
2805 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2806 SCTP_PCB_FLAGS_DONT_WAKE);
2807 inp->sctp_features = (*inp_p)->sctp_features;
2808 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
2809 inp->sctp_socket = so;
2810 inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
2811 inp->max_cwnd = (*inp_p)->max_cwnd;
2812 inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off;
2813 inp->ecn_supported = (*inp_p)->ecn_supported;
2814 inp->prsctp_supported = (*inp_p)->prsctp_supported;
2815 inp->auth_supported = (*inp_p)->auth_supported;
2816 inp->asconf_supported = (*inp_p)->asconf_supported;
2817 inp->reconfig_supported = (*inp_p)->reconfig_supported;
2818 inp->nrsack_supported = (*inp_p)->nrsack_supported;
2819 inp->pktdrop_supported = (*inp_p)->pktdrop_supported;
2820 inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
2821 inp->sctp_context = (*inp_p)->sctp_context;
2822 inp->local_strreset_support = (*inp_p)->local_strreset_support;
2823 inp->fibnum = (*inp_p)->fibnum;
2824 inp->inp_starting_point_for_iterator = NULL;
2825 /*
2826 * copy in the authentication parameters from the
2827 * original endpoint
2828 */
2829 if (inp->sctp_ep.local_hmacs)
2830 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
2831 inp->sctp_ep.local_hmacs =
2832 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
2833 if (inp->sctp_ep.local_auth_chunks)
2834 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
2835 inp->sctp_ep.local_auth_chunks =
2836 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
2837
2838 /*
2839 * Now we must move it from one hash table to
2840 * another and get the tcb in the right place.
2841 */
2842
2843 /*
2844 * This is where the one-2-one socket is put into
2845 * the accept state waiting for the accept!
2846 */
2847 if (*stcb) {
2848 (*stcb)->asoc.state |= SCTP_STATE_IN_ACCEPT_QUEUE;
2849 }
2850 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2851
2852 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2853 SCTP_TCB_UNLOCK((*stcb));
2854
2855 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
2856 0);
2857 SCTP_TCB_LOCK((*stcb));
2858 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2859
2860
2861 /*
2862 * now we must check to see if we were aborted while
2863 * the move was going on and the lock/unlock
2864 * happened.
2865 */
2866 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
2867 /*
2868 * yep it was, we leave the assoc attached
2869 * to the socket since the sctp_inpcb_free()
2870 * call will send an abort for us.
2871 */
2872 SCTP_INP_DECR_REF(inp);
2873 return (NULL);
2874 }
2875 SCTP_INP_DECR_REF(inp);
2876 /* Switch over to the new guy */
2877 *inp_p = inp;
2878 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2879 if (send_int_conf) {
2880 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2881 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2882 }
2883 /*
2884 * Pull it from the incomplete queue and wake the
2885 * guy
2886 */
2887 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2888 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2889 SCTP_TCB_UNLOCK((*stcb));
2890 SCTP_SOCKET_LOCK(so, 1);
2891 #endif
2892 soisconnected(so);
2893 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2894 SCTP_TCB_LOCK((*stcb));
2895 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2896 SCTP_SOCKET_UNLOCK(so, 1);
2897 #endif
2898 return (m);
2899 }
2900 }
2901 if (notification) {
2902 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2903 }
2904 if (send_int_conf) {
2905 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2906 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2907 }
2908 return (m);
2909 }
2910
2911 static void
2912 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp SCTP_UNUSED,
2913 struct sctp_tcb *stcb, struct sctp_nets *net)
2914 {
2915 /* cp must not be used, others call this without a c-ack :-) */
2916 struct sctp_association *asoc;
2917
2918 SCTPDBG(SCTP_DEBUG_INPUT2,
2919 "sctp_handle_cookie_ack: handling COOKIE-ACK\n");
2920 if ((stcb == NULL) || (net == NULL)) {
2921 return;
2922 }
2923 asoc = &stcb->asoc;
2924
2925 sctp_stop_all_cookie_timers(stcb);
2926 /* process according to association state */
2927 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
2928 /* state change only needed when I am in right state */
2929 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2930 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
2931 sctp_start_net_timers(stcb);
2932 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2933 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2934 stcb->sctp_ep, stcb, asoc->primary_destination);
2935
2936 }
2937 /* update RTO */
2938 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
2939 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2940 if (asoc->overall_error_count == 0) {
2941 net->RTO = sctp_calculate_rto(stcb, asoc, net,
2942 &asoc->time_entered, sctp_align_safe_nocopy,
2943 SCTP_RTT_FROM_NON_DATA);
2944 }
2945 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
2946 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2947 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2948 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2949 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2950 struct socket *so;
2951
2952 #endif
2953 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2954 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2955 so = SCTP_INP_SO(stcb->sctp_ep);
2956 atomic_add_int(&stcb->asoc.refcnt, 1);
2957 SCTP_TCB_UNLOCK(stcb);
2958 SCTP_SOCKET_LOCK(so, 1);
2959 SCTP_TCB_LOCK(stcb);
2960 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2961 #endif
2962 if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) {
2963 soisconnected(stcb->sctp_socket);
2964 }
2965 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2966 SCTP_SOCKET_UNLOCK(so, 1);
2967 #endif
2968 }
2969 /*
2970 * since we did not send a HB make sure we don't double
2971 * things
2972 */
2973 net->hb_responded = 1;
2974
2975 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2976 /*
2977 * We don't need to do the asconf thing, nor hb or
2978 * autoclose if the socket is closed.
2979 */
2980 goto closed_socket;
2981 }
2982 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
2983 stcb, net);
2984
2985
2986 if (stcb->asoc.sctp_autoclose_ticks &&
2987 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2988 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
2989 stcb->sctp_ep, stcb, NULL);
2990 }
2991 /*
2992 * send ASCONF if parameters are pending and ASCONFs are
2993 * allowed (eg. addresses changed when init/cookie echo were
2994 * in flight)
2995 */
2996 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
2997 (stcb->asoc.asconf_supported == 1) &&
2998 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
2999 #ifdef SCTP_TIMER_BASED_ASCONF
3000 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
3001 stcb->sctp_ep, stcb,
3002 stcb->asoc.primary_destination);
3003 #else
3004 sctp_send_asconf(stcb, stcb->asoc.primary_destination,
3005 SCTP_ADDR_NOT_LOCKED);
3006 #endif
3007 }
3008 }
3009 closed_socket:
3010 /* Toss the cookie if I can */
3011 sctp_toss_old_cookies(stcb, asoc);
3012 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
3013 /* Restart the timer if we have pending data */
3014 struct sctp_tmit_chunk *chk;
3015
3016 chk = TAILQ_FIRST(&asoc->sent_queue);
3017 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
3018 }
3019 }
3020
3021 static void
3022 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
3023 struct sctp_tcb *stcb)
3024 {
3025 struct sctp_nets *net;
3026 struct sctp_tmit_chunk *lchk;
3027 struct sctp_ecne_chunk bkup;
3028 uint8_t override_bit;
3029 uint32_t tsn, window_data_tsn;
3030 int len;
3031 unsigned int pkt_cnt;
3032
3033 len = ntohs(cp->ch.chunk_length);
3034 if ((len != sizeof(struct sctp_ecne_chunk)) &&
3035 (len != sizeof(struct old_sctp_ecne_chunk))) {
3036 return;
3037 }
3038 if (len == sizeof(struct old_sctp_ecne_chunk)) {
3039 /* Its the old format */
3040 memcpy(&bkup, cp, sizeof(struct old_sctp_ecne_chunk));
3041 bkup.num_pkts_since_cwr = htonl(1);
3042 cp = &bkup;
3043 }
3044 SCTP_STAT_INCR(sctps_recvecne);
3045 tsn = ntohl(cp->tsn);
3046 pkt_cnt = ntohl(cp->num_pkts_since_cwr);
3047 lchk = TAILQ_LAST(&stcb->asoc.send_queue, sctpchunk_listhead);
3048 if (lchk == NULL) {
3049 window_data_tsn = stcb->asoc.sending_seq - 1;
3050 } else {
3051 window_data_tsn = lchk->rec.data.TSN_seq;
3052 }
3053
3054 /* Find where it was sent to if possible. */
3055 net = NULL;
3056 TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) {
3057 if (lchk->rec.data.TSN_seq == tsn) {
3058 net = lchk->whoTo;
3059 net->ecn_prev_cwnd = lchk->rec.data.cwnd_at_send;
3060 break;
3061 }
3062 if (SCTP_TSN_GT(lchk->rec.data.TSN_seq, tsn)) {
3063 break;
3064 }
3065 }
3066 if (net == NULL) {
3067 /*
3068 * What to do. A previous send of a CWR was possibly lost.
3069 * See how old it is, we may have it marked on the actual
3070 * net.
3071 */
3072 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
3073 if (tsn == net->last_cwr_tsn) {
3074 /* Found him, send it off */
3075 break;
3076 }
3077 }
3078 if (net == NULL) {
3079 /*
3080 * If we reach here, we need to send a special CWR
3081 * that says hey, we did this a long time ago and
3082 * you lost the response.
3083 */
3084 net = TAILQ_FIRST(&stcb->asoc.nets);
3085 if (net == NULL) {
3086 /* TSNH */
3087 return;
3088 }
3089 override_bit = SCTP_CWR_REDUCE_OVERRIDE;
3090 } else {
3091 override_bit = 0;
3092 }
3093 } else {
3094 override_bit = 0;
3095 }
3096 if (SCTP_TSN_GT(tsn, net->cwr_window_tsn) &&
3097 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
3098 /*
3099 * JRS - Use the congestion control given in the pluggable
3100 * CC module
3101 */
3102 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 0, pkt_cnt);
3103 /*
3104 * We reduce once every RTT. So we will only lower cwnd at
3105 * the next sending seq i.e. the window_data_tsn
3106 */
3107 net->cwr_window_tsn = window_data_tsn;
3108 net->ecn_ce_pkt_cnt += pkt_cnt;
3109 net->lost_cnt = pkt_cnt;
3110 net->last_cwr_tsn = tsn;
3111 } else {
3112 override_bit |= SCTP_CWR_IN_SAME_WINDOW;
3113 if (SCTP_TSN_GT(tsn, net->last_cwr_tsn) &&
3114 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
3115 /*
3116 * Another loss in the same window update how many
3117 * marks/packets lost we have had.
3118 */
3119 int cnt = 1;
3120
3121 if (pkt_cnt > net->lost_cnt) {
3122 /* Should be the case */
3123 cnt = (pkt_cnt - net->lost_cnt);
3124 net->ecn_ce_pkt_cnt += cnt;
3125 }
3126 net->lost_cnt = pkt_cnt;
3127 net->last_cwr_tsn = tsn;
3128 /*
3129 * Most CC functions will ignore this call, since we
3130 * are in-window yet of the initial CE the peer saw.
3131 */
3132 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 1, cnt);
3133 }
3134 }
3135 /*
3136 * We always send a CWR this way if our previous one was lost our
3137 * peer will get an update, or if it is not time again to reduce we
3138 * still get the cwr to the peer. Note we set the override when we
3139 * could not find the TSN on the chunk or the destination network.
3140 */
3141 sctp_send_cwr(stcb, net, net->last_cwr_tsn, override_bit);
3142 }
3143
3144 static void
3145 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb, struct sctp_nets *net)
3146 {
3147 /*
3148 * Here we get a CWR from the peer. We must look in the outqueue and
3149 * make sure that we have a covered ECNE in the control chunk part.
3150 * If so remove it.
3151 */
3152 struct sctp_tmit_chunk *chk;
3153 struct sctp_ecne_chunk *ecne;
3154 int override;
3155 uint32_t cwr_tsn;
3156
3157 cwr_tsn = ntohl(cp->tsn);
3158 override = cp->ch.chunk_flags & SCTP_CWR_REDUCE_OVERRIDE;
3159 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
3160 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
3161 continue;
3162 }
3163 if ((override == 0) && (chk->whoTo != net)) {
3164 /* Must be from the right src unless override is set */
3165 continue;
3166 }
3167 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
3168 if (SCTP_TSN_GE(cwr_tsn, ntohl(ecne->tsn))) {
3169 /* this covers this ECNE, we can remove it */
3170 stcb->asoc.ecn_echo_cnt_onq--;
3171 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
3172 sctp_next);
3173 sctp_m_freem(chk->data);
3174 chk->data = NULL;
3175 stcb->asoc.ctrl_queue_cnt--;
3176 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
3177 if (override == 0) {
3178 break;
3179 }
3180 }
3181 }
3182 }
3183
3184 static void
3185 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp SCTP_UNUSED,
3186 struct sctp_tcb *stcb, struct sctp_nets *net)
3187 {
3188 struct sctp_association *asoc;
3189
3190 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3191 struct socket *so;
3192
3193 #endif
3194
3195 SCTPDBG(SCTP_DEBUG_INPUT2,
3196 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
3197 if (stcb == NULL)
3198 return;
3199
3200 asoc = &stcb->asoc;
3201 /* process according to association state */
3202 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
3203 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
3204 SCTPDBG(SCTP_DEBUG_INPUT2,
3205 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
3206 SCTP_TCB_UNLOCK(stcb);
3207 return;
3208 }
3209 /* notify upper layer protocol */
3210 if (stcb->sctp_socket) {
3211 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
3212 }
3213 #ifdef INVARIANTS
3214 if (!TAILQ_EMPTY(&asoc->send_queue) ||
3215 !TAILQ_EMPTY(&asoc->sent_queue) ||
3216 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
3217 panic("Queues are not empty when handling SHUTDOWN-COMPLETE");
3218 }
3219 #endif
3220 /* stop the timer */
3221 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net,
3222 SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
3223 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
3224 /* free the TCB */
3225 SCTPDBG(SCTP_DEBUG_INPUT2,
3226 "sctp_handle_shutdown_complete: calls free-asoc\n");
3227 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3228 so = SCTP_INP_SO(stcb->sctp_ep);
3229 atomic_add_int(&stcb->asoc.refcnt, 1);
3230 SCTP_TCB_UNLOCK(stcb);
3231 SCTP_SOCKET_LOCK(so, 1);
3232 SCTP_TCB_LOCK(stcb);
3233 atomic_subtract_int(&stcb->asoc.refcnt, 1);
3234 #endif
3235 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
3236 SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
3237 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3238 SCTP_SOCKET_UNLOCK(so, 1);
3239 #endif
3240 return;
3241 }
3242
3243 static int
3244 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
3245 struct sctp_nets *net, uint8_t flg)
3246 {
3247 switch (desc->chunk_type) {
3248 case SCTP_DATA:
3249 /* find the tsn to resend (possibly */
3250 {
3251 uint32_t tsn;
3252 struct sctp_tmit_chunk *tp1;
3253
3254 tsn = ntohl(desc->tsn_ifany);
3255 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3256 if (tp1->rec.data.TSN_seq == tsn) {
3257 /* found it */
3258 break;
3259 }
3260 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, tsn)) {
3261 /* not found */
3262 tp1 = NULL;
3263 break;
3264 }
3265 }
3266 if (tp1 == NULL) {
3267 /*
3268 * Do it the other way , aka without paying
3269 * attention to queue seq order.
3270 */
3271 SCTP_STAT_INCR(sctps_pdrpdnfnd);
3272 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3273 if (tp1->rec.data.TSN_seq == tsn) {
3274 /* found it */
3275 break;
3276 }
3277 }
3278 }
3279 if (tp1 == NULL) {
3280 SCTP_STAT_INCR(sctps_pdrptsnnf);
3281 }
3282 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
3283 uint8_t *ddp;
3284
3285 if (((flg & SCTP_BADCRC) == 0) &&
3286 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
3287 return (0);
3288 }
3289 if ((stcb->asoc.peers_rwnd == 0) &&
3290 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
3291 SCTP_STAT_INCR(sctps_pdrpdiwnp);
3292 return (0);
3293 }
3294 if (stcb->asoc.peers_rwnd == 0 &&
3295 (flg & SCTP_FROM_MIDDLE_BOX)) {
3296 SCTP_STAT_INCR(sctps_pdrpdizrw);
3297 return (0);
3298 }
3299 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+
3300 sizeof(struct sctp_data_chunk));
3301 {
3302 unsigned int iii;
3303
3304 for (iii = 0; iii < sizeof(desc->data_bytes);
3305 iii++) {
3306 if (ddp[iii] != desc->data_bytes[iii]) {
3307 SCTP_STAT_INCR(sctps_pdrpbadd);
3308 return (-1);
3309 }
3310 }
3311 }
3312
3313 if (tp1->do_rtt) {
3314 /*
3315 * this guy had a RTO calculation
3316 * pending on it, cancel it
3317 */
3318 if (tp1->whoTo->rto_needed == 0) {
3319 tp1->whoTo->rto_needed = 1;
3320 }
3321 tp1->do_rtt = 0;
3322 }
3323 SCTP_STAT_INCR(sctps_pdrpmark);
3324 if (tp1->sent != SCTP_DATAGRAM_RESEND)
3325 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3326 /*
3327 * mark it as if we were doing a FR, since
3328 * we will be getting gap ack reports behind
3329 * the info from the router.
3330 */
3331 tp1->rec.data.doing_fast_retransmit = 1;
3332 /*
3333 * mark the tsn with what sequences can
3334 * cause a new FR.
3335 */
3336 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
3337 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
3338 } else {
3339 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
3340 }
3341
3342 /* restart the timer */
3343 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3344 stcb, tp1->whoTo,
3345 SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
3346 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3347 stcb, tp1->whoTo);
3348
3349 /* fix counts and things */
3350 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3351 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
3352 tp1->whoTo->flight_size,
3353 tp1->book_size,
3354 (uint32_t) (uintptr_t) stcb,
3355 tp1->rec.data.TSN_seq);
3356 }
3357 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3358 sctp_flight_size_decrease(tp1);
3359 sctp_total_flight_decrease(stcb, tp1);
3360 }
3361 tp1->sent = SCTP_DATAGRAM_RESEND;
3362 } {
3363 /* audit code */
3364 unsigned int audit;
3365
3366 audit = 0;
3367 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3368 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3369 audit++;
3370 }
3371 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
3372 sctp_next) {
3373 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3374 audit++;
3375 }
3376 if (audit != stcb->asoc.sent_queue_retran_cnt) {
3377 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
3378 audit, stcb->asoc.sent_queue_retran_cnt);
3379 #ifndef SCTP_AUDITING_ENABLED
3380 stcb->asoc.sent_queue_retran_cnt = audit;
3381 #endif
3382 }
3383 }
3384 }
3385 break;
3386 case SCTP_ASCONF:
3387 {
3388 struct sctp_tmit_chunk *asconf;
3389
3390 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
3391 sctp_next) {
3392 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
3393 break;
3394 }
3395 }
3396 if (asconf) {
3397 if (asconf->sent != SCTP_DATAGRAM_RESEND)
3398 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3399 asconf->sent = SCTP_DATAGRAM_RESEND;
3400 asconf->snd_count--;
3401 }
3402 }
3403 break;
3404 case SCTP_INITIATION:
3405 /* resend the INIT */
3406 stcb->asoc.dropped_special_cnt++;
3407 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
3408 /*
3409 * If we can get it in, in a few attempts we do
3410 * this, otherwise we let the timer fire.
3411 */
3412 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
3413 stcb, net,
3414 SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
3415 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
3416 }
3417 break;
3418 case SCTP_SELECTIVE_ACK:
3419 case SCTP_NR_SELECTIVE_ACK:
3420 /* resend the sack */
3421 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
3422 break;
3423 case SCTP_HEARTBEAT_REQUEST:
3424 /* resend a demand HB */
3425 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
3426 /*
3427 * Only retransmit if we KNOW we wont destroy the
3428 * tcb
3429 */
3430 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
3431 }
3432 break;
3433 case SCTP_SHUTDOWN:
3434 sctp_send_shutdown(stcb, net);
3435 break;
3436 case SCTP_SHUTDOWN_ACK:
3437 sctp_send_shutdown_ack(stcb, net);
3438 break;
3439 case SCTP_COOKIE_ECHO:
3440 {
3441 struct sctp_tmit_chunk *cookie;
3442
3443 cookie = NULL;
3444 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
3445 sctp_next) {
3446 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
3447 break;
3448 }
3449 }
3450 if (cookie) {
3451 if (cookie->sent != SCTP_DATAGRAM_RESEND)
3452 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3453 cookie->sent = SCTP_DATAGRAM_RESEND;
3454 sctp_stop_all_cookie_timers(stcb);
3455 }
3456 }
3457 break;
3458 case SCTP_COOKIE_ACK:
3459 sctp_send_cookie_ack(stcb);
3460 break;
3461 case SCTP_ASCONF_ACK:
3462 /* resend last asconf ack */
3463 sctp_send_asconf_ack(stcb);
3464 break;
3465 case SCTP_IFORWARD_CUM_TSN:
3466 case SCTP_FORWARD_CUM_TSN:
3467 send_forward_tsn(stcb, &stcb->asoc);
3468 break;
3469 /* can't do anything with these */
3470 case SCTP_PACKET_DROPPED:
3471 case SCTP_INITIATION_ACK: /* this should not happen */
3472 case SCTP_HEARTBEAT_ACK:
3473 case SCTP_ABORT_ASSOCIATION:
3474 case SCTP_OPERATION_ERROR:
3475 case SCTP_SHUTDOWN_COMPLETE:
3476 case SCTP_ECN_ECHO:
3477 case SCTP_ECN_CWR:
3478 default:
3479 break;
3480 }
3481 return (0);
3482 }
3483
3484 void
3485 sctp_reset_in_stream(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t * list)
3486 {
3487 uint32_t i;
3488 uint16_t temp;
3489
3490 /*
3491 * We set things to 0xffffffff since this is the last delivered
3492 * sequence and we will be sending in 0 after the reset.
3493 */
3494
3495 if (number_entries) {
3496 for (i = 0; i < number_entries; i++) {
3497 temp = ntohs(list[i]);
3498 if (temp >= stcb->asoc.streamincnt) {
3499 continue;
3500 }
3501 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffffffff;
3502 }
3503 } else {
3504 list = NULL;
3505 for (i = 0; i < stcb->asoc.streamincnt; i++) {
3506 stcb->asoc.strmin[i].last_sequence_delivered = 0xffffffff;
3507 }
3508 }
3509 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3510 }
3511
3512 static void
3513 sctp_reset_out_streams(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t * list)
3514 {
3515 uint32_t i;
3516 uint16_t temp;
3517
3518 if (number_entries > 0) {
3519 for (i = 0; i < number_entries; i++) {
3520 temp = ntohs(list[i]);
3521 if (temp >= stcb->asoc.streamoutcnt) {
3522 /* no such stream */
3523 continue;
3524 }
3525 stcb->asoc.strmout[temp].next_mid_ordered = 0;
3526 stcb->asoc.strmout[temp].next_mid_unordered = 0;
3527 }
3528 } else {
3529 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3530 stcb->asoc.strmout[i].next_mid_ordered = 0;
3531 stcb->asoc.strmout[i].next_mid_unordered = 0;
3532 }
3533 }
3534 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3535 }
3536
3537 static void
3538 sctp_reset_clear_pending(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t * list)
3539 {
3540 uint32_t i;
3541 uint16_t temp;
3542
3543 if (number_entries > 0) {
3544 for (i = 0; i < number_entries; i++) {
3545 temp = ntohs(list[i]);
3546 if (temp >= stcb->asoc.streamoutcnt) {
3547 /* no such stream */
3548 continue;
3549 }
3550 stcb->asoc.strmout[temp].state = SCTP_STREAM_OPEN;
3551 }
3552 } else {
3553 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3554 stcb->asoc.strmout[i].state = SCTP_STREAM_OPEN;
3555 }
3556 }
3557 }
3558
3559
3560 struct sctp_stream_reset_request *
3561 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
3562 {
3563 struct sctp_association *asoc;
3564 struct sctp_chunkhdr *ch;
3565 struct sctp_stream_reset_request *r;
3566 struct sctp_tmit_chunk *chk;
3567 int len, clen;
3568
3569 asoc = &stcb->asoc;
3570 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
3571 asoc->stream_reset_outstanding = 0;
3572 return (NULL);
3573 }
3574 if (stcb->asoc.str_reset == NULL) {
3575 asoc->stream_reset_outstanding = 0;
3576 return (NULL);
3577 }
3578 chk = stcb->asoc.str_reset;
3579 if (chk->data == NULL) {
3580 return (NULL);
3581 }
3582 if (bchk) {
3583 /* he wants a copy of the chk pointer */
3584 *bchk = chk;
3585 }
3586 clen = chk->send_size;
3587 ch = mtod(chk->data, struct sctp_chunkhdr *);
3588 r = (struct sctp_stream_reset_request *)(ch + 1);
3589 if (ntohl(r->request_seq) == seq) {
3590 /* found it */
3591 return (r);
3592 }
3593 len = SCTP_SIZE32(ntohs(r->ph.param_length));
3594 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
3595 /* move to the next one, there can only be a max of two */
3596 r = (struct sctp_stream_reset_request *)((caddr_t)r + len);
3597 if (ntohl(r->request_seq) == seq) {
3598 return (r);
3599 }
3600 }
3601 /* that seq is not here */
3602 return (NULL);
3603 }
3604
3605 static void
3606 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
3607 {
3608 struct sctp_association *asoc;
3609 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset;
3610
3611 if (stcb->asoc.str_reset == NULL) {
3612 return;
3613 }
3614 asoc = &stcb->asoc;
3615
3616 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb,
3617 chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28);
3618 TAILQ_REMOVE(&asoc->control_send_queue,
3619 chk,
3620 sctp_next);
3621 if (chk->data) {
3622 sctp_m_freem(chk->data);
3623 chk->data = NULL;
3624 }
3625 asoc->ctrl_queue_cnt--;
3626 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
3627 /* sa_ignore NO_NULL_CHK */
3628 stcb->asoc.str_reset = NULL;
3629 }
3630
3631
3632 static int
3633 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
3634 uint32_t seq, uint32_t action,
3635 struct sctp_stream_reset_response *respin)
3636 {
3637 uint16_t type;
3638 int lparm_len;
3639 struct sctp_association *asoc = &stcb->asoc;
3640 struct sctp_tmit_chunk *chk;
3641 struct sctp_stream_reset_request *req_param;
3642 struct sctp_stream_reset_out_request *req_out_param;
3643 struct sctp_stream_reset_in_request *req_in_param;
3644 uint32_t number_entries;
3645
3646 if (asoc->stream_reset_outstanding == 0) {
3647 /* duplicate */
3648 return (0);
3649 }
3650 if (seq == stcb->asoc.str_reset_seq_out) {
3651 req_param = sctp_find_stream_reset(stcb, seq, &chk);
3652 if (req_param != NULL) {
3653 stcb->asoc.str_reset_seq_out++;
3654 type = ntohs(req_param->ph.param_type);
3655 lparm_len = ntohs(req_param->ph.param_length);
3656 if (type == SCTP_STR_RESET_OUT_REQUEST) {
3657 int no_clear = 0;
3658
3659 req_out_param = (struct sctp_stream_reset_out_request *)req_param;
3660 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
3661 asoc->stream_reset_out_is_outstanding = 0;
3662 if (asoc->stream_reset_outstanding)
3663 asoc->stream_reset_outstanding--;
3664 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3665 /* do it */
3666 sctp_reset_out_streams(stcb, number_entries, req_out_param->list_of_streams);
3667 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3668 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3669 } else if (action == SCTP_STREAM_RESET_RESULT_IN_PROGRESS) {
3670 /*
3671 * Set it up so we don't stop
3672 * retransmitting
3673 */
3674 asoc->stream_reset_outstanding++;
3675 stcb->asoc.str_reset_seq_out--;
3676 asoc->stream_reset_out_is_outstanding = 1;
3677 no_clear = 1;
3678 } else {
3679 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3680 }
3681 if (no_clear == 0) {
3682 sctp_reset_clear_pending(stcb, number_entries, req_out_param->list_of_streams);
3683 }
3684 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
3685 req_in_param = (struct sctp_stream_reset_in_request *)req_param;
3686 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
3687 if (asoc->stream_reset_outstanding)
3688 asoc->stream_reset_outstanding--;
3689 if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3690 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_IN, stcb,
3691 number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3692 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
3693 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb,
3694 number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3695 }
3696 } else if (type == SCTP_STR_RESET_ADD_OUT_STREAMS) {
3697 /* Ok we now may have more streams */
3698 int num_stream;
3699
3700 num_stream = stcb->asoc.strm_pending_add_size;
3701 if (num_stream > (stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt)) {
3702 /* TSNH */
3703 num_stream = stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt;
3704 }
3705 stcb->asoc.strm_pending_add_size = 0;
3706 if (asoc->stream_reset_outstanding)
3707 asoc->stream_reset_outstanding--;
3708 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3709 /* Put the new streams into effect */
3710 int i;
3711
3712 for (i = asoc->streamoutcnt; i < (asoc->streamoutcnt + num_stream); i++) {
3713 asoc->strmout[i].state = SCTP_STREAM_OPEN;
3714 }
3715 asoc->streamoutcnt += num_stream;
3716 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
3717 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3718 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3719 SCTP_STREAM_CHANGE_DENIED);
3720 } else {
3721 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3722 SCTP_STREAM_CHANGE_FAILED);
3723 }
3724 } else if (type == SCTP_STR_RESET_ADD_IN_STREAMS) {
3725 if (asoc->stream_reset_outstanding)
3726 asoc->stream_reset_outstanding--;
3727 if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3728 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3729 SCTP_STREAM_CHANGE_DENIED);
3730 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
3731 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3732 SCTP_STREAM_CHANGE_FAILED);
3733 }
3734 } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
3735 /**
3736 * a) Adopt the new in tsn.
3737 * b) reset the map
3738 * c) Adopt the new out-tsn
3739 */
3740 struct sctp_stream_reset_response_tsn *resp;
3741 struct sctp_forward_tsn_chunk fwdtsn;
3742 int abort_flag = 0;
3743
3744 if (respin == NULL) {
3745 /* huh ? */
3746 return (0);
3747 }
3748 if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) {
3749 return (0);
3750 }
3751 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3752 resp = (struct sctp_stream_reset_response_tsn *)respin;
3753 asoc->stream_reset_outstanding--;
3754 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3755 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3756 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
3757 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3758 if (abort_flag) {
3759 return (1);
3760 }
3761 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
3762 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3763 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3764 }
3765 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
3766 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
3767 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
3768
3769 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
3770 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);
3771
3772 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
3773 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
3774
3775 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3776 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3777 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1), 0);
3778 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3779 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
3780 SCTP_ASSOC_RESET_DENIED);
3781 } else {
3782 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
3783 SCTP_ASSOC_RESET_FAILED);
3784 }
3785 }
3786 /* get rid of the request and get the request flags */
3787 if (asoc->stream_reset_outstanding == 0) {
3788 sctp_clean_up_stream_reset(stcb);
3789 }
3790 }
3791 }
3792 if (asoc->stream_reset_outstanding == 0) {
3793 sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED);
3794 }
3795 return (0);
3796 }
3797
3798 static void
3799 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
3800 struct sctp_tmit_chunk *chk,
3801 struct sctp_stream_reset_in_request *req, int trunc)
3802 {
3803 uint32_t seq;
3804 int len, i;
3805 int number_entries;
3806 uint16_t temp;
3807
3808 /*
3809 * peer wants me to send a str-reset to him for my outgoing seq's if
3810 * seq_in is right.
3811 */
3812 struct sctp_association *asoc = &stcb->asoc;
3813
3814 seq = ntohl(req->request_seq);
3815 if (asoc->str_reset_seq_in == seq) {
3816 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3817 if (!(asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ)) {
3818 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3819 } else if (trunc) {
3820 /* Can't do it, since they exceeded our buffer size */
3821 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3822 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
3823 len = ntohs(req->ph.param_length);
3824 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
3825 if (number_entries) {
3826 for (i = 0; i < number_entries; i++) {
3827 temp = ntohs(req->list_of_streams[i]);
3828 if (temp >= stcb->asoc.streamoutcnt) {
3829 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3830 goto bad_boy;
3831 }
3832 req->list_of_streams[i] = temp;
3833 }
3834 for (i = 0; i < number_entries; i++) {
3835 if (stcb->asoc.strmout[req->list_of_streams[i]].state == SCTP_STREAM_OPEN) {
3836 stcb->asoc.strmout[req->list_of_streams[i]].state = SCTP_STREAM_RESET_PENDING;
3837 }
3838 }
3839 } else {
3840 /* Its all */
3841 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3842 if (stcb->asoc.strmout[i].state == SCTP_STREAM_OPEN)
3843 stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_PENDING;
3844 }
3845 }
3846 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3847 } else {
3848 /* Can't do it, since we have sent one out */
3849 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
3850 }
3851 bad_boy:
3852 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3853 asoc->str_reset_seq_in++;
3854 } else if (asoc->str_reset_seq_in - 1 == seq) {
3855 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3856 } else if (asoc->str_reset_seq_in - 2 == seq) {
3857 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3858 } else {
3859 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3860 }
3861 sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED);
3862 }
3863
3864 static int
3865 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
3866 struct sctp_tmit_chunk *chk,
3867 struct sctp_stream_reset_tsn_request *req)
3868 {
3869 /* reset all in and out and update the tsn */
3870 /*
3871 * A) reset my str-seq's on in and out. B) Select a receive next,
3872 * and set cum-ack to it. Also process this selected number as a
3873 * fwd-tsn as well. C) set in the response my next sending seq.
3874 */
3875 struct sctp_forward_tsn_chunk fwdtsn;
3876 struct sctp_association *asoc = &stcb->asoc;
3877 int abort_flag = 0;
3878 uint32_t seq;
3879
3880 seq = ntohl(req->request_seq);
3881 if (asoc->str_reset_seq_in == seq) {
3882 asoc->last_reset_action[1] = stcb->asoc.last_reset_action[0];
3883 if (!(asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ)) {
3884 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3885 } else {
3886 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3887 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3888 fwdtsn.ch.chunk_flags = 0;
3889 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
3890 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3891 if (abort_flag) {
3892 return (1);
3893 }
3894 asoc->highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
3895 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3896 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3897 }
3898 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->highest_tsn_inside_map;
3899 asoc->mapping_array_base_tsn = asoc->highest_tsn_inside_map + 1;
3900 memset(asoc->mapping_array, 0, asoc->mapping_array_size);
3901 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
3902 memset(asoc->nr_mapping_array, 0, asoc->mapping_array_size);
3903 atomic_add_int(&asoc->sending_seq, 1);
3904 /* save off historical data for retrans */
3905 asoc->last_sending_seq[1] = asoc->last_sending_seq[0];
3906 asoc->last_sending_seq[0] = asoc->sending_seq;
3907 asoc->last_base_tsnsent[1] = asoc->last_base_tsnsent[0];
3908 asoc->last_base_tsnsent[0] = asoc->mapping_array_base_tsn;
3909 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3910 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3911 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3912 sctp_notify_stream_reset_tsn(stcb, asoc->sending_seq, (asoc->mapping_array_base_tsn + 1), 0);
3913 }
3914 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3915 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
3916 asoc->str_reset_seq_in++;
3917 } else if (asoc->str_reset_seq_in - 1 == seq) {
3918 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3919 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
3920 } else if (asoc->str_reset_seq_in - 2 == seq) {
3921 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
3922 asoc->last_sending_seq[1], asoc->last_base_tsnsent[1]);
3923 } else {
3924 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3925 }
3926 return (0);
3927 }
3928
3929 static void
3930 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
3931 struct sctp_tmit_chunk *chk,
3932 struct sctp_stream_reset_out_request *req, int trunc)
3933 {
3934 uint32_t seq, tsn;
3935 int number_entries, len;
3936 struct sctp_association *asoc = &stcb->asoc;
3937
3938 seq = ntohl(req->request_seq);
3939
3940 /* now if its not a duplicate we process it */
3941 if (asoc->str_reset_seq_in == seq) {
3942 len = ntohs(req->ph.param_length);
3943 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
3944 /*
3945 * the sender is resetting, handle the list issue.. we must
3946 * a) verify if we can do the reset, if so no problem b) If
3947 * we can't do the reset we must copy the request. c) queue
3948 * it, and setup the data in processor to trigger it off
3949 * when needed and dequeue all the queued data.
3950 */
3951 tsn = ntohl(req->send_reset_at_tsn);
3952
3953 /* move the reset action back one */
3954 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3955 if (!(asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ)) {
3956 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3957 } else if (trunc) {
3958 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3959 } else if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
3960 /* we can do it now */
3961 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
3962 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3963 } else {
3964 /*
3965 * we must queue it up and thus wait for the TSN's
3966 * to arrive that are at or before tsn
3967 */
3968 struct sctp_stream_reset_list *liste;
3969 int siz;
3970
3971 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
3972 SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
3973 siz, SCTP_M_STRESET);
3974 if (liste == NULL) {
3975 /* gak out of memory */
3976 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3977 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3978 return;
3979 }
3980 liste->seq = seq;
3981 liste->tsn = tsn;
3982 liste->number_entries = number_entries;
3983 memcpy(&liste->list_of_streams, req->list_of_streams, number_entries * sizeof(uint16_t));
3984 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
3985 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_IN_PROGRESS;
3986 }
3987 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3988 asoc->str_reset_seq_in++;
3989 } else if ((asoc->str_reset_seq_in - 1) == seq) {
3990 /*
3991 * one seq back, just echo back last action since my
3992 * response was lost.
3993 */
3994 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3995 } else if ((asoc->str_reset_seq_in - 2) == seq) {
3996 /*
3997 * two seq back, just echo back last action since my
3998 * response was lost.
3999 */
4000 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
4001 } else {
4002 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
4003 }
4004 }
4005
4006 static void
4007 sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
4008 struct sctp_stream_reset_add_strm *str_add)
4009 {
4010 /*
4011 * Peer is requesting to add more streams. If its within our
4012 * max-streams we will allow it.
4013 */
4014 uint32_t num_stream, i;
4015 uint32_t seq;
4016 struct sctp_association *asoc = &stcb->asoc;
4017 struct sctp_queued_to_read *ctl, *nctl;
4018
4019 /* Get the number. */
4020 seq = ntohl(str_add->request_seq);
4021 num_stream = ntohs(str_add->number_of_streams);
4022 /* Now what would be the new total? */
4023 if (asoc->str_reset_seq_in == seq) {
4024 num_stream += stcb->asoc.streamincnt;
4025 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
4026 if (!(asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ)) {
4027 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4028 } else if ((num_stream > stcb->asoc.max_inbound_streams) ||
4029 (num_stream > 0xffff)) {
4030 /* We must reject it they ask for to many */
4031 denied:
4032 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4033 } else {
4034 /* Ok, we can do that :-) */
4035 struct sctp_stream_in *oldstrm;
4036
4037 /* save off the old */
4038 oldstrm = stcb->asoc.strmin;
4039 SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *,
4040 (num_stream * sizeof(struct sctp_stream_in)),
4041 SCTP_M_STRMI);
4042 if (stcb->asoc.strmin == NULL) {
4043 stcb->asoc.strmin = oldstrm;
4044 goto denied;
4045 }
4046 /* copy off the old data */
4047 for (i = 0; i < stcb->asoc.streamincnt; i++) {
4048 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
4049 TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue);
4050 stcb->asoc.strmin[i].stream_no = i;
4051 stcb->asoc.strmin[i].last_sequence_delivered = oldstrm[i].last_sequence_delivered;
4052 stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started;
4053 stcb->asoc.strmin[i].pd_api_started = oldstrm[i].pd_api_started;
4054 /* now anything on those queues? */
4055 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].inqueue, next_instrm, nctl) {
4056 TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next_instrm);
4057 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next_instrm);
4058 }
4059 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].uno_inqueue, next_instrm, nctl) {
4060 TAILQ_REMOVE(&oldstrm[i].uno_inqueue, ctl, next_instrm);
4061 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].uno_inqueue, ctl, next_instrm);
4062 }
4063 }
4064 /* Init the new streams */
4065 for (i = stcb->asoc.streamincnt; i < num_stream; i++) {
4066 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
4067 TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue);
4068 stcb->asoc.strmin[i].stream_no = i;
4069 stcb->asoc.strmin[i].last_sequence_delivered = 0xffffffff;
4070 stcb->asoc.strmin[i].pd_api_started = 0;
4071 stcb->asoc.strmin[i].delivery_started = 0;
4072 }
4073 SCTP_FREE(oldstrm, SCTP_M_STRMI);
4074 /* update the size */
4075 stcb->asoc.streamincnt = num_stream;
4076 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
4077 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
4078 }
4079 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4080 asoc->str_reset_seq_in++;
4081 } else if ((asoc->str_reset_seq_in - 1) == seq) {
4082 /*
4083 * one seq back, just echo back last action since my
4084 * response was lost.
4085 */
4086 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4087 } else if ((asoc->str_reset_seq_in - 2) == seq) {
4088 /*
4089 * two seq back, just echo back last action since my
4090 * response was lost.
4091 */
4092 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
4093 } else {
4094 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
4095
4096 }
4097 }
4098
4099 static void
4100 sctp_handle_str_reset_add_out_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
4101 struct sctp_stream_reset_add_strm *str_add)
4102 {
4103 /*
4104 * Peer is requesting to add more streams. If its within our
4105 * max-streams we will allow it.
4106 */
4107 uint16_t num_stream;
4108 uint32_t seq;
4109 struct sctp_association *asoc = &stcb->asoc;
4110
4111 /* Get the number. */
4112 seq = ntohl(str_add->request_seq);
4113 num_stream = ntohs(str_add->number_of_streams);
4114 /* Now what would be the new total? */
4115 if (asoc->str_reset_seq_in == seq) {
4116 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
4117 if (!(asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ)) {
4118 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4119 } else if (stcb->asoc.stream_reset_outstanding) {
4120 /* We must reject it we have something pending */
4121 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
4122 } else {
4123 /* Ok, we can do that :-) */
4124 int mychk;
4125
4126 mychk = stcb->asoc.streamoutcnt;
4127 mychk += num_stream;
4128 if (mychk < 0x10000) {
4129 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
4130 if (sctp_send_str_reset_req(stcb, 0, NULL, 0, 0, 1, num_stream, 0, 1)) {
4131 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4132 }
4133 } else {
4134 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4135 }
4136 }
4137 sctp_add_stream_reset_result(chk, seq, stcb->asoc.last_reset_action[0]);
4138 asoc->str_reset_seq_in++;
4139 } else if ((asoc->str_reset_seq_in - 1) == seq) {
4140 /*
4141 * one seq back, just echo back last action since my
4142 * response was lost.
4143 */
4144 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4145 } else if ((asoc->str_reset_seq_in - 2) == seq) {
4146 /*
4147 * two seq back, just echo back last action since my
4148 * response was lost.
4149 */
4150 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
4151 } else {
4152 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
4153 }
4154 }
4155
4156 #ifdef __GNUC__
4157 __attribute__((noinline))
4158 #endif
4159 static int
4160 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
4161 struct sctp_chunkhdr *ch_req)
4162 {
4163 uint16_t remaining_length, param_len, ptype;
4164 struct sctp_paramhdr pstore;
4165 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
4166 uint32_t seq = 0;
4167 int num_req = 0;
4168 int trunc = 0;
4169 struct sctp_tmit_chunk *chk;
4170 struct sctp_chunkhdr *ch;
4171 struct sctp_paramhdr *ph;
4172 int ret_code = 0;
4173 int num_param = 0;
4174
4175 /* now it may be a reset or a reset-response */
4176 remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);
4177
4178 /* setup for adding the response */
4179 sctp_alloc_a_chunk(stcb, chk);
4180 if (chk == NULL) {
4181 return (ret_code);
4182 }
4183 chk->copy_by_ref = 0;
4184 chk->rec.chunk_id.id = SCTP_STREAM_RESET;
4185 chk->rec.chunk_id.can_take_data = 0;
4186 chk->flags = 0;
4187 chk->asoc = &stcb->asoc;
4188 chk->no_fr_allowed = 0;
4189 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
4190 chk->book_size_scale = 0;
4191 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
4192 if (chk->data == NULL) {
4193 strres_nochunk:
4194 if (chk->data) {
4195 sctp_m_freem(chk->data);
4196 chk->data = NULL;
4197 }
4198 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
4199 return (ret_code);
4200 }
4201 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
4202
4203 /* setup chunk parameters */
4204 chk->sent = SCTP_DATAGRAM_UNSENT;
4205 chk->snd_count = 0;
4206 chk->whoTo = NULL;
4207
4208 ch = mtod(chk->data, struct sctp_chunkhdr *);
4209 ch->chunk_type = SCTP_STREAM_RESET;
4210 ch->chunk_flags = 0;
4211 ch->chunk_length = htons(chk->send_size);
4212 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
4213 offset += sizeof(struct sctp_chunkhdr);
4214 while (remaining_length >= sizeof(struct sctp_paramhdr)) {
4215 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
4216 if (ph == NULL) {
4217 /* TSNH */
4218 break;
4219 }
4220 param_len = ntohs(ph->param_length);
4221 if ((param_len > remaining_length) ||
4222 (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) {
4223 /* bad parameter length */
4224 break;
4225 }
4226 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)),
4227 (uint8_t *) & cstore);
4228 if (ph == NULL) {
4229 /* TSNH */
4230 break;
4231 }
4232 ptype = ntohs(ph->param_type);
4233 num_param++;
4234 if (param_len > sizeof(cstore)) {
4235 trunc = 1;
4236 } else {
4237 trunc = 0;
4238 }
4239 if (num_param > SCTP_MAX_RESET_PARAMS) {
4240 /* hit the max of parameters already sorry.. */
4241 break;
4242 }
4243 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
4244 struct sctp_stream_reset_out_request *req_out;
4245
4246 if (param_len < sizeof(struct sctp_stream_reset_out_request)) {
4247 break;
4248 }
4249 req_out = (struct sctp_stream_reset_out_request *)ph;
4250 num_req++;
4251 if (stcb->asoc.stream_reset_outstanding) {
4252 seq = ntohl(req_out->response_seq);
4253 if (seq == stcb->asoc.str_reset_seq_out) {
4254 /* implicit ack */
4255 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_RESULT_PERFORMED, NULL);
4256 }
4257 }
4258 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
4259 } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
4260 struct sctp_stream_reset_add_strm *str_add;
4261
4262 if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
4263 break;
4264 }
4265 str_add = (struct sctp_stream_reset_add_strm *)ph;
4266 num_req++;
4267 sctp_handle_str_reset_add_strm(stcb, chk, str_add);
4268 } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
4269 struct sctp_stream_reset_add_strm *str_add;
4270
4271 if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
4272 break;
4273 }
4274 str_add = (struct sctp_stream_reset_add_strm *)ph;
4275 num_req++;
4276 sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
4277 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
4278 struct sctp_stream_reset_in_request *req_in;
4279
4280 num_req++;
4281 req_in = (struct sctp_stream_reset_in_request *)ph;
4282 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
4283 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
4284 struct sctp_stream_reset_tsn_request *req_tsn;
4285
4286 num_req++;
4287 req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
4288 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
4289 ret_code = 1;
4290 goto strres_nochunk;
4291 }
4292 /* no more */
4293 break;
4294 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
4295 struct sctp_stream_reset_response *resp;
4296 uint32_t result;
4297
4298 if (param_len < sizeof(struct sctp_stream_reset_response)) {
4299 break;
4300 }
4301 resp = (struct sctp_stream_reset_response *)ph;
4302 seq = ntohl(resp->response_seq);
4303 result = ntohl(resp->result);
4304 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
4305 ret_code = 1;
4306 goto strres_nochunk;
4307 }
4308 } else {
4309 break;
4310 }
4311 offset += SCTP_SIZE32(param_len);
4312 if (remaining_length >= SCTP_SIZE32(param_len)) {
4313 remaining_length -= SCTP_SIZE32(param_len);
4314 } else {
4315 remaining_length = 0;
4316 }
4317 }
4318 if (num_req == 0) {
4319 /* we have no response free the stuff */
4320 goto strres_nochunk;
4321 }
4322 /* ok we have a chunk to link in */
4323 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
4324 chk,
4325 sctp_next);
4326 stcb->asoc.ctrl_queue_cnt++;
4327 return (ret_code);
4328 }
4329
4330 /*
4331 * Handle a router or endpoints report of a packet loss, there are two ways
4332 * to handle this, either we get the whole packet and must disect it
4333 * ourselves (possibly with truncation and or corruption) or it is a summary
4334 * from a middle box that did the disectting for us.
4335 */
4336 static void
4337 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
4338 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
4339 {
4340 uint32_t bottle_bw, on_queue;
4341 uint16_t trunc_len;
4342 unsigned int chlen;
4343 unsigned int at;
4344 struct sctp_chunk_desc desc;
4345 struct sctp_chunkhdr *ch;
4346
4347 chlen = ntohs(cp->ch.chunk_length);
4348 chlen -= sizeof(struct sctp_pktdrop_chunk);
4349 /* XXX possible chlen underflow */
4350 if (chlen == 0) {
4351 ch = NULL;
4352 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
4353 SCTP_STAT_INCR(sctps_pdrpbwrpt);
4354 } else {
4355 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
4356 chlen -= sizeof(struct sctphdr);
4357 /* XXX possible chlen underflow */
4358 memset(&desc, 0, sizeof(desc));
4359 }
4360 trunc_len = (uint16_t) ntohs(cp->trunc_len);
4361 if (trunc_len > limit) {
4362 trunc_len = limit;
4363 }
4364 /* now the chunks themselves */
4365 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
4366 desc.chunk_type = ch->chunk_type;
4367 /* get amount we need to move */
4368 at = ntohs(ch->chunk_length);
4369 if (at < sizeof(struct sctp_chunkhdr)) {
4370 /* corrupt chunk, maybe at the end? */
4371 SCTP_STAT_INCR(sctps_pdrpcrupt);
4372 break;
4373 }
4374 if (trunc_len == 0) {
4375 /* we are supposed to have all of it */
4376 if (at > chlen) {
4377 /* corrupt skip it */
4378 SCTP_STAT_INCR(sctps_pdrpcrupt);
4379 break;
4380 }
4381 } else {
4382 /* is there enough of it left ? */
4383 if (desc.chunk_type == SCTP_DATA) {
4384 if (chlen < (sizeof(struct sctp_data_chunk) +
4385 sizeof(desc.data_bytes))) {
4386 break;
4387 }
4388 } else {
4389 if (chlen < sizeof(struct sctp_chunkhdr)) {
4390 break;
4391 }
4392 }
4393 }
4394 if (desc.chunk_type == SCTP_DATA) {
4395 /* can we get out the tsn? */
4396 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
4397 SCTP_STAT_INCR(sctps_pdrpmbda);
4398
4399 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) {
4400 /* yep */
4401 struct sctp_data_chunk *dcp;
4402 uint8_t *ddp;
4403 unsigned int iii;
4404
4405 dcp = (struct sctp_data_chunk *)ch;
4406 ddp = (uint8_t *) (dcp + 1);
4407 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
4408 desc.data_bytes[iii] = ddp[iii];
4409 }
4410 desc.tsn_ifany = dcp->dp.tsn;
4411 } else {
4412 /* nope we are done. */
4413 SCTP_STAT_INCR(sctps_pdrpnedat);
4414 break;
4415 }
4416 } else {
4417 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
4418 SCTP_STAT_INCR(sctps_pdrpmbct);
4419 }
4420
4421 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
4422 SCTP_STAT_INCR(sctps_pdrppdbrk);
4423 break;
4424 }
4425 if (SCTP_SIZE32(at) > chlen) {
4426 break;
4427 }
4428 chlen -= SCTP_SIZE32(at);
4429 if (chlen < sizeof(struct sctp_chunkhdr)) {
4430 /* done, none left */
4431 break;
4432 }
4433 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
4434 }
4435 /* Now update any rwnd --- possibly */
4436 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
4437 /* From a peer, we get a rwnd report */
4438 uint32_t a_rwnd;
4439
4440 SCTP_STAT_INCR(sctps_pdrpfehos);
4441
4442 bottle_bw = ntohl(cp->bottle_bw);
4443 on_queue = ntohl(cp->current_onq);
4444 if (bottle_bw && on_queue) {
4445 /* a rwnd report is in here */
4446 if (bottle_bw > on_queue)
4447 a_rwnd = bottle_bw - on_queue;
4448 else
4449 a_rwnd = 0;
4450
4451 if (a_rwnd == 0)
4452 stcb->asoc.peers_rwnd = 0;
4453 else {
4454 if (a_rwnd > stcb->asoc.total_flight) {
4455 stcb->asoc.peers_rwnd =
4456 a_rwnd - stcb->asoc.total_flight;
4457 } else {
4458 stcb->asoc.peers_rwnd = 0;
4459 }
4460 if (stcb->asoc.peers_rwnd <
4461 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4462 /* SWS sender side engages */
4463 stcb->asoc.peers_rwnd = 0;
4464 }
4465 }
4466 }
4467 } else {
4468 SCTP_STAT_INCR(sctps_pdrpfmbox);
4469 }
4470
4471 /* now middle boxes in sat networks get a cwnd bump */
4472 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
4473 (stcb->asoc.sat_t3_loss_recovery == 0) &&
4474 (stcb->asoc.sat_network)) {
4475 /*
4476 * This is debatable but for sat networks it makes sense
4477 * Note if a T3 timer has went off, we will prohibit any
4478 * changes to cwnd until we exit the t3 loss recovery.
4479 */
4480 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
4481 net, cp, &bottle_bw, &on_queue);
4482 }
4483 }
4484
4485 /*
4486 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
4487 * still contain IP/SCTP header - stcb: is the tcb found for this packet -
4488 * offset: offset into the mbuf chain to first chunkhdr - length: is the
4489 * length of the complete packet outputs: - length: modified to remaining
4490 * length after control processing - netp: modified to new sctp_nets after
4491 * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
4492 * bad packet,...) otherwise return the tcb for this packet
4493 */
4494 #ifdef __GNUC__
4495 __attribute__((noinline))
4496 #endif
4497 static struct sctp_tcb *
4498 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
4499 struct sockaddr *src, struct sockaddr *dst,
4500 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
4501 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
4502 uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
4503 uint32_t vrf_id, uint16_t port)
4504 {
4505 struct sctp_association *asoc;
4506 struct mbuf *op_err;
4507 char msg[SCTP_DIAG_INFO_LEN];
4508 uint32_t vtag_in;
4509 int num_chunks = 0; /* number of control chunks processed */
4510 uint32_t chk_length;
4511 int ret;
4512 int abort_no_unlock = 0;
4513 int ecne_seen = 0;
4514
4515 /*
4516 * How big should this be, and should it be alloc'd? Lets try the
4517 * d-mtu-ceiling for now (2k) and that should hopefully work ...
4518 * until we get into jumbo grams and such..
4519 */
4520 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
4521 struct sctp_tcb *locked_tcb = stcb;
4522 int got_auth = 0;
4523 uint32_t auth_offset = 0, auth_len = 0;
4524 int auth_skipped = 0;
4525 int asconf_cnt = 0;
4526
4527 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4528 struct socket *so;
4529
4530 #endif
4531
4532 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
4533 iphlen, *offset, length, (void *)stcb);
4534
4535 /* validate chunk header length... */
4536 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
4537 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
4538 ntohs(ch->chunk_length));
4539 if (locked_tcb) {
4540 SCTP_TCB_UNLOCK(locked_tcb);
4541 }
4542 return (NULL);
4543 }
4544 /*
4545 * validate the verification tag
4546 */
4547 vtag_in = ntohl(sh->v_tag);
4548
4549 if (locked_tcb) {
4550 SCTP_TCB_LOCK_ASSERT(locked_tcb);
4551 }
4552 if (ch->chunk_type == SCTP_INITIATION) {
4553 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
4554 ntohs(ch->chunk_length), vtag_in);
4555 if (vtag_in != 0) {
4556 /* protocol error- silently discard... */
4557 SCTP_STAT_INCR(sctps_badvtag);
4558 if (locked_tcb) {
4559 SCTP_TCB_UNLOCK(locked_tcb);
4560 }
4561 return (NULL);
4562 }
4563 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
4564 /*
4565 * If there is no stcb, skip the AUTH chunk and process
4566 * later after a stcb is found (to validate the lookup was
4567 * valid.
4568 */
4569 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
4570 (stcb == NULL) &&
4571 (inp->auth_supported == 1)) {
4572 /* save this chunk for later processing */
4573 auth_skipped = 1;
4574 auth_offset = *offset;
4575 auth_len = ntohs(ch->chunk_length);
4576
4577 /* (temporarily) move past this chunk */
4578 *offset += SCTP_SIZE32(auth_len);
4579 if (*offset >= length) {
4580 /* no more data left in the mbuf chain */
4581 *offset = length;
4582 if (locked_tcb) {
4583 SCTP_TCB_UNLOCK(locked_tcb);
4584 }
4585 return (NULL);
4586 }
4587 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4588 sizeof(struct sctp_chunkhdr), chunk_buf);
4589 }
4590 if (ch == NULL) {
4591 /* Help */
4592 *offset = length;
4593 if (locked_tcb) {
4594 SCTP_TCB_UNLOCK(locked_tcb);
4595 }
4596 return (NULL);
4597 }
4598 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
4599 goto process_control_chunks;
4600 }
4601 /*
4602 * first check if it's an ASCONF with an unknown src addr we
4603 * need to look inside to find the association
4604 */
4605 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
4606 struct sctp_chunkhdr *asconf_ch = ch;
4607 uint32_t asconf_offset = 0, asconf_len = 0;
4608
4609 /* inp's refcount may be reduced */
4610 SCTP_INP_INCR_REF(inp);
4611
4612 asconf_offset = *offset;
4613 do {
4614 asconf_len = ntohs(asconf_ch->chunk_length);
4615 if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
4616 break;
4617 stcb = sctp_findassociation_ep_asconf(m,
4618 *offset,
4619 dst,
4620 sh, &inp, netp, vrf_id);
4621 if (stcb != NULL)
4622 break;
4623 asconf_offset += SCTP_SIZE32(asconf_len);
4624 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
4625 sizeof(struct sctp_chunkhdr), chunk_buf);
4626 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
4627 if (stcb == NULL) {
4628 /*
4629 * reduce inp's refcount if not reduced in
4630 * sctp_findassociation_ep_asconf().
4631 */
4632 SCTP_INP_DECR_REF(inp);
4633 } else {
4634 locked_tcb = stcb;
4635 }
4636
4637 /* now go back and verify any auth chunk to be sure */
4638 if (auth_skipped && (stcb != NULL)) {
4639 struct sctp_auth_chunk *auth;
4640
4641 auth = (struct sctp_auth_chunk *)
4642 sctp_m_getptr(m, auth_offset,
4643 auth_len, chunk_buf);
4644 got_auth = 1;
4645 auth_skipped = 0;
4646 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
4647 auth_offset)) {
4648 /* auth HMAC failed so dump it */
4649 *offset = length;
4650 if (locked_tcb) {
4651 SCTP_TCB_UNLOCK(locked_tcb);
4652 }
4653 return (NULL);
4654 } else {
4655 /* remaining chunks are HMAC checked */
4656 stcb->asoc.authenticated = 1;
4657 }
4658 }
4659 }
4660 if (stcb == NULL) {
4661 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
4662 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
4663 msg);
4664 /* no association, so it's out of the blue... */
4665 sctp_handle_ootb(m, iphlen, *offset, src, dst, sh, inp, op_err,
4666 mflowtype, mflowid, inp->fibnum,
4667 vrf_id, port);
4668 *offset = length;
4669 if (locked_tcb) {
4670 SCTP_TCB_UNLOCK(locked_tcb);
4671 }
4672 return (NULL);
4673 }
4674 asoc = &stcb->asoc;
4675 /* ABORT and SHUTDOWN can use either v_tag... */
4676 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
4677 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
4678 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
4679 /* Take the T-bit always into account. */
4680 if ((((ch->chunk_flags & SCTP_HAD_NO_TCB) == 0) &&
4681 (vtag_in == asoc->my_vtag)) ||
4682 (((ch->chunk_flags & SCTP_HAD_NO_TCB) == SCTP_HAD_NO_TCB) &&
4683 (vtag_in == asoc->peer_vtag))) {
4684 /* this is valid */
4685 } else {
4686 /* drop this packet... */
4687 SCTP_STAT_INCR(sctps_badvtag);
4688 if (locked_tcb) {
4689 SCTP_TCB_UNLOCK(locked_tcb);
4690 }
4691 return (NULL);
4692 }
4693 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
4694 if (vtag_in != asoc->my_vtag) {
4695 /*
4696 * this could be a stale SHUTDOWN-ACK or the
4697 * peer never got the SHUTDOWN-COMPLETE and
4698 * is still hung; we have started a new asoc
4699 * but it won't complete until the shutdown
4700 * is completed
4701 */
4702 if (locked_tcb) {
4703 SCTP_TCB_UNLOCK(locked_tcb);
4704 }
4705 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
4706 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
4707 msg);
4708 sctp_handle_ootb(m, iphlen, *offset, src, dst,
4709 sh, inp, op_err,
4710 mflowtype, mflowid, fibnum,
4711 vrf_id, port);
4712 return (NULL);
4713 }
4714 } else {
4715 /* for all other chunks, vtag must match */
4716 if (vtag_in != asoc->my_vtag) {
4717 /* invalid vtag... */
4718 SCTPDBG(SCTP_DEBUG_INPUT3,
4719 "invalid vtag: %xh, expect %xh\n",
4720 vtag_in, asoc->my_vtag);
4721 SCTP_STAT_INCR(sctps_badvtag);
4722 if (locked_tcb) {
4723 SCTP_TCB_UNLOCK(locked_tcb);
4724 }
4725 *offset = length;
4726 return (NULL);
4727 }
4728 }
4729 } /* end if !SCTP_COOKIE_ECHO */
4730 /*
4731 * process all control chunks...
4732 */
4733 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
4734 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) ||
4735 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
4736 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
4737 /* implied cookie-ack.. we must have lost the ack */
4738 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4739 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4740 stcb->asoc.overall_error_count,
4741 0,
4742 SCTP_FROM_SCTP_INPUT,
4743 __LINE__);
4744 }
4745 stcb->asoc.overall_error_count = 0;
4746 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
4747 *netp);
4748 }
4749 process_control_chunks:
4750 while (IS_SCTP_CONTROL(ch)) {
4751 /* validate chunk length */
4752 chk_length = ntohs(ch->chunk_length);
4753 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
4754 ch->chunk_type, chk_length);
4755 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
4756 if (chk_length < sizeof(*ch) ||
4757 (*offset + (int)chk_length) > length) {
4758 *offset = length;
4759 if (locked_tcb) {
4760 SCTP_TCB_UNLOCK(locked_tcb);
4761 }
4762 return (NULL);
4763 }
4764 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
4765 /*
4766 * INIT-ACK only gets the init ack "header" portion only
4767 * because we don't have to process the peer's COOKIE. All
4768 * others get a complete chunk.
4769 */
4770 if ((ch->chunk_type == SCTP_INITIATION_ACK) ||
4771 (ch->chunk_type == SCTP_INITIATION)) {
4772 /* get an init-ack chunk */
4773 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4774 sizeof(struct sctp_init_ack_chunk), chunk_buf);
4775 if (ch == NULL) {
4776 *offset = length;
4777 if (locked_tcb) {
4778 SCTP_TCB_UNLOCK(locked_tcb);
4779 }
4780 return (NULL);
4781 }
4782 } else {
4783 /* For cookies and all other chunks. */
4784 if (chk_length > sizeof(chunk_buf)) {
4785 /*
4786 * use just the size of the chunk buffer so
4787 * the front part of our chunks fit in
4788 * contiguous space up to the chunk buffer
4789 * size (508 bytes). For chunks that need to
4790 * get more than that they must use the
4791 * sctp_m_getptr() function or other means
4792 * (e.g. know how to parse mbuf chains).
4793 * Cookies do this already.
4794 */
4795 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4796 (sizeof(chunk_buf) - 4),
4797 chunk_buf);
4798 if (ch == NULL) {
4799 *offset = length;
4800 if (locked_tcb) {
4801 SCTP_TCB_UNLOCK(locked_tcb);
4802 }
4803 return (NULL);
4804 }
4805 } else {
4806 /* We can fit it all */
4807 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4808 chk_length, chunk_buf);
4809 if (ch == NULL) {
4810 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n");
4811 *offset = length;
4812 if (locked_tcb) {
4813 SCTP_TCB_UNLOCK(locked_tcb);
4814 }
4815 return (NULL);
4816 }
4817 }
4818 }
4819 num_chunks++;
4820 /* Save off the last place we got a control from */
4821 if (stcb != NULL) {
4822 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
4823 /*
4824 * allow last_control to be NULL if
4825 * ASCONF... ASCONF processing will find the
4826 * right net later
4827 */
4828 if ((netp != NULL) && (*netp != NULL))
4829 stcb->asoc.last_control_chunk_from = *netp;
4830 }
4831 }
4832 #ifdef SCTP_AUDITING_ENABLED
4833 sctp_audit_log(0xB0, ch->chunk_type);
4834 #endif
4835
4836 /* check to see if this chunk required auth, but isn't */
4837 if ((stcb != NULL) &&
4838 (stcb->asoc.auth_supported == 1) &&
4839 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
4840 !stcb->asoc.authenticated) {
4841 /* "silently" ignore */
4842 SCTP_STAT_INCR(sctps_recvauthmissing);
4843 goto next_chunk;
4844 }
4845 switch (ch->chunk_type) {
4846 case SCTP_INITIATION:
4847 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
4848 /* The INIT chunk must be the only chunk. */
4849 if ((num_chunks > 1) ||
4850 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4851 /* RFC 4960 requires that no ABORT is sent */
4852 *offset = length;
4853 if (locked_tcb) {
4854 SCTP_TCB_UNLOCK(locked_tcb);
4855 }
4856 return (NULL);
4857 }
4858 /* Honor our resource limit. */
4859 if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
4860 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
4861 sctp_abort_association(inp, stcb, m, iphlen,
4862 src, dst, sh, op_err,
4863 mflowtype, mflowid,
4864 vrf_id, port);
4865 *offset = length;
4866 return (NULL);
4867 }
4868 sctp_handle_init(m, iphlen, *offset, src, dst, sh,
4869 (struct sctp_init_chunk *)ch, inp,
4870 stcb, *netp, &abort_no_unlock,
4871 mflowtype, mflowid,
4872 vrf_id, port);
4873 *offset = length;
4874 if ((!abort_no_unlock) && (locked_tcb)) {
4875 SCTP_TCB_UNLOCK(locked_tcb);
4876 }
4877 return (NULL);
4878 break;
4879 case SCTP_PAD_CHUNK:
4880 break;
4881 case SCTP_INITIATION_ACK:
4882 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n");
4883 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4884 /* We are not interested anymore */
4885 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4886 ;
4887 } else {
4888 if ((locked_tcb != NULL) && (locked_tcb != stcb)) {
4889 /* Very unlikely */
4890 SCTP_TCB_UNLOCK(locked_tcb);
4891 }
4892 *offset = length;
4893 if (stcb) {
4894 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4895 so = SCTP_INP_SO(inp);
4896 atomic_add_int(&stcb->asoc.refcnt, 1);
4897 SCTP_TCB_UNLOCK(stcb);
4898 SCTP_SOCKET_LOCK(so, 1);
4899 SCTP_TCB_LOCK(stcb);
4900 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4901 #endif
4902 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
4903 SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
4904 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4905 SCTP_SOCKET_UNLOCK(so, 1);
4906 #endif
4907 }
4908 return (NULL);
4909 }
4910 }
4911 /* The INIT-ACK chunk must be the only chunk. */
4912 if ((num_chunks > 1) ||
4913 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4914 *offset = length;
4915 if (locked_tcb) {
4916 SCTP_TCB_UNLOCK(locked_tcb);
4917 }
4918 return (NULL);
4919 }
4920 if ((netp) && (*netp)) {
4921 ret = sctp_handle_init_ack(m, iphlen, *offset,
4922 src, dst, sh,
4923 (struct sctp_init_ack_chunk *)ch,
4924 stcb, *netp,
4925 &abort_no_unlock,
4926 mflowtype, mflowid,
4927 vrf_id);
4928 } else {
4929 ret = -1;
4930 }
4931 *offset = length;
4932 if (abort_no_unlock) {
4933 return (NULL);
4934 }
4935 /*
4936 * Special case, I must call the output routine to
4937 * get the cookie echoed
4938 */
4939 if ((stcb != NULL) && (ret == 0)) {
4940 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
4941 }
4942 if (locked_tcb) {
4943 SCTP_TCB_UNLOCK(locked_tcb);
4944 }
4945 return (NULL);
4946 break;
4947 case SCTP_SELECTIVE_ACK:
4948 {
4949 struct sctp_sack_chunk *sack;
4950 int abort_now = 0;
4951 uint32_t a_rwnd, cum_ack;
4952 uint16_t num_seg, num_dup;
4953 uint8_t flags;
4954 int offset_seg, offset_dup;
4955
4956 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n");
4957 SCTP_STAT_INCR(sctps_recvsacks);
4958 if (stcb == NULL) {
4959 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing SACK chunk\n");
4960 break;
4961 }
4962 if (chk_length < sizeof(struct sctp_sack_chunk)) {
4963 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n");
4964 break;
4965 }
4966 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
4967 /*-
4968 * If we have sent a shutdown-ack, we will pay no
4969 * attention to a sack sent in to us since
4970 * we don't care anymore.
4971 */
4972 break;
4973 }
4974 sack = (struct sctp_sack_chunk *)ch;
4975 flags = ch->chunk_flags;
4976 cum_ack = ntohl(sack->sack.cum_tsn_ack);
4977 num_seg = ntohs(sack->sack.num_gap_ack_blks);
4978 num_dup = ntohs(sack->sack.num_dup_tsns);
4979 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd);
4980 if (sizeof(struct sctp_sack_chunk) +
4981 num_seg * sizeof(struct sctp_gap_ack_block) +
4982 num_dup * sizeof(uint32_t) != chk_length) {
4983 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n");
4984 break;
4985 }
4986 offset_seg = *offset + sizeof(struct sctp_sack_chunk);
4987 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block);
4988 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
4989 cum_ack, num_seg, a_rwnd);
4990 stcb->asoc.seen_a_sack_this_pkt = 1;
4991 if ((stcb->asoc.pr_sctp_cnt == 0) &&
4992 (num_seg == 0) &&
4993 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) &&
4994 (stcb->asoc.saw_sack_with_frags == 0) &&
4995 (stcb->asoc.saw_sack_with_nr_frags == 0) &&
4996 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
4997 ) {
4998 /*
4999 * We have a SIMPLE sack having no
5000 * prior segments and data on sent
5001 * queue to be acked.. Use the
5002 * faster path sack processing. We
5003 * also allow window update sacks
5004 * with no missing segments to go
5005 * this way too.
5006 */
5007 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, &abort_now, ecne_seen);
5008 } else {
5009 if (netp && *netp)
5010 sctp_handle_sack(m, offset_seg, offset_dup, stcb,
5011 num_seg, 0, num_dup, &abort_now, flags,
5012 cum_ack, a_rwnd, ecne_seen);
5013 }
5014 if (abort_now) {
5015 /* ABORT signal from sack processing */
5016 *offset = length;
5017 return (NULL);
5018 }
5019 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
5020 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
5021 (stcb->asoc.stream_queue_cnt == 0)) {
5022 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
5023 }
5024 }
5025 break;
5026 /*
5027 * EY - nr_sack: If the received chunk is an
5028 * nr_sack chunk
5029 */
5030 case SCTP_NR_SELECTIVE_ACK:
5031 {
5032 struct sctp_nr_sack_chunk *nr_sack;
5033 int abort_now = 0;
5034 uint32_t a_rwnd, cum_ack;
5035 uint16_t num_seg, num_nr_seg, num_dup;
5036 uint8_t flags;
5037 int offset_seg, offset_dup;
5038
5039 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n");
5040 SCTP_STAT_INCR(sctps_recvsacks);
5041 if (stcb == NULL) {
5042 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing NR-SACK chunk\n");
5043 break;
5044 }
5045 if (stcb->asoc.nrsack_supported == 0) {
5046 goto unknown_chunk;
5047 }
5048 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) {
5049 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR-SACK chunk, too small\n");
5050 break;
5051 }
5052 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
5053 /*-
5054 * If we have sent a shutdown-ack, we will pay no
5055 * attention to a sack sent in to us since
5056 * we don't care anymore.
5057 */
5058 break;
5059 }
5060 nr_sack = (struct sctp_nr_sack_chunk *)ch;
5061 flags = ch->chunk_flags;
5062 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack);
5063 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks);
5064 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
5065 num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns);
5066 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd);
5067 if (sizeof(struct sctp_nr_sack_chunk) +
5068 (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) +
5069 num_dup * sizeof(uint32_t) != chk_length) {
5070 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n");
5071 break;
5072 }
5073 offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk);
5074 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block);
5075 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
5076 cum_ack, num_seg, a_rwnd);
5077 stcb->asoc.seen_a_sack_this_pkt = 1;
5078 if ((stcb->asoc.pr_sctp_cnt == 0) &&
5079 (num_seg == 0) && (num_nr_seg == 0) &&
5080 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) &&
5081 (stcb->asoc.saw_sack_with_frags == 0) &&
5082 (stcb->asoc.saw_sack_with_nr_frags == 0) &&
5083 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) {
5084 /*
5085 * We have a SIMPLE sack having no
5086 * prior segments and data on sent
5087 * queue to be acked. Use the faster
5088 * path sack processing. We also
5089 * allow window update sacks with no
5090 * missing segments to go this way
5091 * too.
5092 */
5093 sctp_express_handle_sack(stcb, cum_ack, a_rwnd,
5094 &abort_now, ecne_seen);
5095 } else {
5096 if (netp && *netp)
5097 sctp_handle_sack(m, offset_seg, offset_dup, stcb,
5098 num_seg, num_nr_seg, num_dup, &abort_now, flags,
5099 cum_ack, a_rwnd, ecne_seen);
5100 }
5101 if (abort_now) {
5102 /* ABORT signal from sack processing */
5103 *offset = length;
5104 return (NULL);
5105 }
5106 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
5107 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
5108 (stcb->asoc.stream_queue_cnt == 0)) {
5109 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
5110 }
5111 }
5112 break;
5113
5114 case SCTP_HEARTBEAT_REQUEST:
5115 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
5116 if ((stcb) && netp && *netp) {
5117 SCTP_STAT_INCR(sctps_recvheartbeat);
5118 sctp_send_heartbeat_ack(stcb, m, *offset,
5119 chk_length, *netp);
5120
5121 /* He's alive so give him credit */
5122 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5123 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5124 stcb->asoc.overall_error_count,
5125 0,
5126 SCTP_FROM_SCTP_INPUT,
5127 __LINE__);
5128 }
5129 stcb->asoc.overall_error_count = 0;
5130 }
5131 break;
5132 case SCTP_HEARTBEAT_ACK:
5133 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n");
5134 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
5135 /* Its not ours */
5136 *offset = length;
5137 if (locked_tcb) {
5138 SCTP_TCB_UNLOCK(locked_tcb);
5139 }
5140 return (NULL);
5141 }
5142 /* He's alive so give him credit */
5143 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5144 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5145 stcb->asoc.overall_error_count,
5146 0,
5147 SCTP_FROM_SCTP_INPUT,
5148 __LINE__);
5149 }
5150 stcb->asoc.overall_error_count = 0;
5151 SCTP_STAT_INCR(sctps_recvheartbeatack);
5152 if (netp && *netp)
5153 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
5154 stcb, *netp);
5155 break;
5156 case SCTP_ABORT_ASSOCIATION:
5157 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
5158 (void *)stcb);
5159 if ((stcb) && netp && *netp)
5160 sctp_handle_abort((struct sctp_abort_chunk *)ch,
5161 stcb, *netp);
5162 *offset = length;
5163 return (NULL);
5164 break;
5165 case SCTP_SHUTDOWN:
5166 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
5167 (void *)stcb);
5168 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
5169 *offset = length;
5170 if (locked_tcb) {
5171 SCTP_TCB_UNLOCK(locked_tcb);
5172 }
5173 return (NULL);
5174 }
5175 if (netp && *netp) {
5176 int abort_flag = 0;
5177
5178 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
5179 stcb, *netp, &abort_flag);
5180 if (abort_flag) {
5181 *offset = length;
5182 return (NULL);
5183 }
5184 }
5185 break;
5186 case SCTP_SHUTDOWN_ACK:
5187 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", (void *)stcb);
5188 if ((stcb) && (netp) && (*netp))
5189 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
5190 *offset = length;
5191 return (NULL);
5192 break;
5193
5194 case SCTP_OPERATION_ERROR:
5195 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n");
5196 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) {
5197 *offset = length;
5198 return (NULL);
5199 }
5200 break;
5201 case SCTP_COOKIE_ECHO:
5202 SCTPDBG(SCTP_DEBUG_INPUT3,
5203 "SCTP_COOKIE-ECHO, stcb %p\n", (void *)stcb);
5204 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
5205 ;
5206 } else {
5207 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5208 /* We are not interested anymore */
5209 abend:
5210 if (stcb) {
5211 SCTP_TCB_UNLOCK(stcb);
5212 }
5213 *offset = length;
5214 return (NULL);
5215 }
5216 }
5217 /*
5218 * First are we accepting? We do this again here
5219 * since it is possible that a previous endpoint WAS
5220 * listening responded to a INIT-ACK and then
5221 * closed. We opened and bound.. and are now no
5222 * longer listening.
5223 */
5224
5225 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) {
5226 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
5227 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) {
5228 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
5229 sctp_abort_association(inp, stcb, m, iphlen,
5230 src, dst, sh, op_err,
5231 mflowtype, mflowid,
5232 vrf_id, port);
5233 }
5234 *offset = length;
5235 return (NULL);
5236 } else {
5237 struct mbuf *ret_buf;
5238 struct sctp_inpcb *linp;
5239
5240 if (stcb) {
5241 linp = NULL;
5242 } else {
5243 linp = inp;
5244 }
5245
5246 if (linp) {
5247 SCTP_ASOC_CREATE_LOCK(linp);
5248 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
5249 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
5250 SCTP_ASOC_CREATE_UNLOCK(linp);
5251 goto abend;
5252 }
5253 }
5254 if (netp) {
5255 ret_buf =
5256 sctp_handle_cookie_echo(m, iphlen,
5257 *offset,
5258 src, dst,
5259 sh,
5260 (struct sctp_cookie_echo_chunk *)ch,
5261 &inp, &stcb, netp,
5262 auth_skipped,
5263 auth_offset,
5264 auth_len,
5265 &locked_tcb,
5266 mflowtype,
5267 mflowid,
5268 vrf_id,
5269 port);
5270 } else {
5271 ret_buf = NULL;
5272 }
5273 if (linp) {
5274 SCTP_ASOC_CREATE_UNLOCK(linp);
5275 }
5276 if (ret_buf == NULL) {
5277 if (locked_tcb) {
5278 SCTP_TCB_UNLOCK(locked_tcb);
5279 }
5280 SCTPDBG(SCTP_DEBUG_INPUT3,
5281 "GAK, null buffer\n");
5282 *offset = length;
5283 return (NULL);
5284 }
5285 /* if AUTH skipped, see if it verified... */
5286 if (auth_skipped) {
5287 got_auth = 1;
5288 auth_skipped = 0;
5289 }
5290 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
5291 /*
5292 * Restart the timer if we have
5293 * pending data
5294 */
5295 struct sctp_tmit_chunk *chk;
5296
5297 chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
5298 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
5299 }
5300 }
5301 break;
5302 case SCTP_COOKIE_ACK:
5303 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", (void *)stcb);
5304 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
5305 if (locked_tcb) {
5306 SCTP_TCB_UNLOCK(locked_tcb);
5307 }
5308 return (NULL);
5309 }
5310 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5311 /* We are not interested anymore */
5312 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
5313 ;
5314 } else if (stcb) {
5315 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5316 so = SCTP_INP_SO(inp);
5317 atomic_add_int(&stcb->asoc.refcnt, 1);
5318 SCTP_TCB_UNLOCK(stcb);
5319 SCTP_SOCKET_LOCK(so, 1);
5320 SCTP_TCB_LOCK(stcb);
5321 atomic_subtract_int(&stcb->asoc.refcnt, 1);
5322 #endif
5323 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
5324 SCTP_FROM_SCTP_INPUT + SCTP_LOC_30);
5325 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5326 SCTP_SOCKET_UNLOCK(so, 1);
5327 #endif
5328 *offset = length;
5329 return (NULL);
5330 }
5331 }
5332 /* He's alive so give him credit */
5333 if ((stcb) && netp && *netp) {
5334 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5335 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5336 stcb->asoc.overall_error_count,
5337 0,
5338 SCTP_FROM_SCTP_INPUT,
5339 __LINE__);
5340 }
5341 stcb->asoc.overall_error_count = 0;
5342 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
5343 }
5344 break;
5345 case SCTP_ECN_ECHO:
5346 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n");
5347 /* He's alive so give him credit */
5348 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) {
5349 /* Its not ours */
5350 if (locked_tcb) {
5351 SCTP_TCB_UNLOCK(locked_tcb);
5352 }
5353 *offset = length;
5354 return (NULL);
5355 }
5356 if (stcb) {
5357 if (stcb->asoc.ecn_supported == 0) {
5358 goto unknown_chunk;
5359 }
5360 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5361 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5362 stcb->asoc.overall_error_count,
5363 0,
5364 SCTP_FROM_SCTP_INPUT,
5365 __LINE__);
5366 }
5367 stcb->asoc.overall_error_count = 0;
5368 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
5369 stcb);
5370 ecne_seen = 1;
5371 }
5372 break;
5373 case SCTP_ECN_CWR:
5374 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n");
5375 /* He's alive so give him credit */
5376 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) {
5377 /* Its not ours */
5378 if (locked_tcb) {
5379 SCTP_TCB_UNLOCK(locked_tcb);
5380 }
5381 *offset = length;
5382 return (NULL);
5383 }
5384 if (stcb) {
5385 if (stcb->asoc.ecn_supported == 0) {
5386 goto unknown_chunk;
5387 }
5388 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5389 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5390 stcb->asoc.overall_error_count,
5391 0,
5392 SCTP_FROM_SCTP_INPUT,
5393 __LINE__);
5394 }
5395 stcb->asoc.overall_error_count = 0;
5396 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb, *netp);
5397 }
5398 break;
5399 case SCTP_SHUTDOWN_COMPLETE:
5400 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", (void *)stcb);
5401 /* must be first and only chunk */
5402 if ((num_chunks > 1) ||
5403 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
5404 *offset = length;
5405 if (locked_tcb) {
5406 SCTP_TCB_UNLOCK(locked_tcb);
5407 }
5408 return (NULL);
5409 }
5410 if ((stcb) && netp && *netp) {
5411 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
5412 stcb, *netp);
5413 }
5414 *offset = length;
5415 return (NULL);
5416 break;
5417 case SCTP_ASCONF:
5418 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
5419 /* He's alive so give him credit */
5420 if (stcb) {
5421 if (stcb->asoc.asconf_supported == 0) {
5422 goto unknown_chunk;
5423 }
5424 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5425 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5426 stcb->asoc.overall_error_count,
5427 0,
5428 SCTP_FROM_SCTP_INPUT,
5429 __LINE__);
5430 }
5431 stcb->asoc.overall_error_count = 0;
5432 sctp_handle_asconf(m, *offset, src,
5433 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
5434 asconf_cnt++;
5435 }
5436 break;
5437 case SCTP_ASCONF_ACK:
5438 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n");
5439 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
5440 /* Its not ours */
5441 if (locked_tcb) {
5442 SCTP_TCB_UNLOCK(locked_tcb);
5443 }
5444 *offset = length;
5445 return (NULL);
5446 }
5447 if ((stcb) && netp && *netp) {
5448 if (stcb->asoc.asconf_supported == 0) {
5449 goto unknown_chunk;
5450 }
5451 /* He's alive so give him credit */
5452 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5453 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5454 stcb->asoc.overall_error_count,
5455 0,
5456 SCTP_FROM_SCTP_INPUT,
5457 __LINE__);
5458 }
5459 stcb->asoc.overall_error_count = 0;
5460 sctp_handle_asconf_ack(m, *offset,
5461 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
5462 if (abort_no_unlock)
5463 return (NULL);
5464 }
5465 break;
5466 case SCTP_FORWARD_CUM_TSN:
5467 case SCTP_IFORWARD_CUM_TSN:
5468 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n");
5469 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
5470 /* Its not ours */
5471 if (locked_tcb) {
5472 SCTP_TCB_UNLOCK(locked_tcb);
5473 }
5474 *offset = length;
5475 return (NULL);
5476 }
5477 /* He's alive so give him credit */
5478 if (stcb) {
5479 int abort_flag = 0;
5480
5481 if (stcb->asoc.prsctp_supported == 0) {
5482 goto unknown_chunk;
5483 }
5484 stcb->asoc.overall_error_count = 0;
5485 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5486 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5487 stcb->asoc.overall_error_count,
5488 0,
5489 SCTP_FROM_SCTP_INPUT,
5490 __LINE__);
5491 }
5492 *fwd_tsn_seen = 1;
5493 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5494 /* We are not interested anymore */
5495 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5496 so = SCTP_INP_SO(inp);
5497 atomic_add_int(&stcb->asoc.refcnt, 1);
5498 SCTP_TCB_UNLOCK(stcb);
5499 SCTP_SOCKET_LOCK(so, 1);
5500 SCTP_TCB_LOCK(stcb);
5501 atomic_subtract_int(&stcb->asoc.refcnt, 1);
5502 #endif
5503 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
5504 SCTP_FROM_SCTP_INPUT + SCTP_LOC_31);
5505 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5506 SCTP_SOCKET_UNLOCK(so, 1);
5507 #endif
5508 *offset = length;
5509 return (NULL);
5510 }
5511 sctp_handle_forward_tsn(stcb,
5512 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
5513 if (abort_flag) {
5514 *offset = length;
5515 return (NULL);
5516 } else {
5517 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5518 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5519 stcb->asoc.overall_error_count,
5520 0,
5521 SCTP_FROM_SCTP_INPUT,
5522 __LINE__);
5523 }
5524 stcb->asoc.overall_error_count = 0;
5525 }
5526
5527 }
5528 break;
5529 case SCTP_STREAM_RESET:
5530 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
5531 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) {
5532 /* Its not ours */
5533 if (locked_tcb) {
5534 SCTP_TCB_UNLOCK(locked_tcb);
5535 }
5536 *offset = length;
5537 return (NULL);
5538 }
5539 if (stcb->asoc.reconfig_supported == 0) {
5540 goto unknown_chunk;
5541 }
5542 if (sctp_handle_stream_reset(stcb, m, *offset, ch)) {
5543 /* stop processing */
5544 *offset = length;
5545 return (NULL);
5546 }
5547 break;
5548 case SCTP_PACKET_DROPPED:
5549 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
5550 /* re-get it all please */
5551 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
5552 /* Its not ours */
5553 if (locked_tcb) {
5554 SCTP_TCB_UNLOCK(locked_tcb);
5555 }
5556 *offset = length;
5557 return (NULL);
5558 }
5559 if (ch && (stcb) && netp && (*netp)) {
5560 if (stcb->asoc.pktdrop_supported == 0) {
5561 goto unknown_chunk;
5562 }
5563 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
5564 stcb, *netp,
5565 min(chk_length, (sizeof(chunk_buf) - 4)));
5566
5567 }
5568 break;
5569 case SCTP_AUTHENTICATION:
5570 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
5571 if (stcb == NULL) {
5572 /* save the first AUTH for later processing */
5573 if (auth_skipped == 0) {
5574 auth_offset = *offset;
5575 auth_len = chk_length;
5576 auth_skipped = 1;
5577 }
5578 /* skip this chunk (temporarily) */
5579 goto next_chunk;
5580 }
5581 if (stcb->asoc.auth_supported == 0) {
5582 goto unknown_chunk;
5583 }
5584 if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
5585 (chk_length > (sizeof(struct sctp_auth_chunk) +
5586 SCTP_AUTH_DIGEST_LEN_MAX))) {
5587 /* Its not ours */
5588 if (locked_tcb) {
5589 SCTP_TCB_UNLOCK(locked_tcb);
5590 }
5591 *offset = length;
5592 return (NULL);
5593 }
5594 if (got_auth == 1) {
5595 /* skip this chunk... it's already auth'd */
5596 goto next_chunk;
5597 }
5598 got_auth = 1;
5599 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch,
5600 m, *offset)) {
5601 /* auth HMAC failed so dump the packet */
5602 *offset = length;
5603 return (stcb);
5604 } else {
5605 /* remaining chunks are HMAC checked */
5606 stcb->asoc.authenticated = 1;
5607 }
5608 break;
5609
5610 default:
5611 unknown_chunk:
5612 /* it's an unknown chunk! */
5613 if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
5614 struct sctp_gen_error_cause *cause;
5615 int len;
5616
5617 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause),
5618 0, M_NOWAIT, 1, MT_DATA);
5619 if (op_err != NULL) {
5620 len = min(SCTP_SIZE32(chk_length), (uint32_t) (length - *offset));
5621 cause = mtod(op_err, struct sctp_gen_error_cause *);
5622 cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK);
5623 cause->length = htons((uint16_t) (len + sizeof(struct sctp_gen_error_cause)));
5624 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
5625 SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, len, M_NOWAIT);
5626 if (SCTP_BUF_NEXT(op_err) != NULL) {
5627 #ifdef SCTP_MBUF_LOGGING
5628 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
5629 sctp_log_mbc(SCTP_BUF_NEXT(op_err), SCTP_MBUF_ICOPY);
5630 }
5631 #endif
5632 sctp_queue_op_err(stcb, op_err);
5633 } else {
5634 sctp_m_freem(op_err);
5635 }
5636 }
5637 }
5638 if ((ch->chunk_type & 0x80) == 0) {
5639 /* discard this packet */
5640 *offset = length;
5641 return (stcb);
5642 } /* else skip this bad chunk and continue... */
5643 break;
5644 } /* switch (ch->chunk_type) */
5645
5646
5647 next_chunk:
5648 /* get the next chunk */
5649 *offset += SCTP_SIZE32(chk_length);
5650 if (*offset >= length) {
5651 /* no more data left in the mbuf chain */
5652 break;
5653 }
5654 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
5655 sizeof(struct sctp_chunkhdr), chunk_buf);
5656 if (ch == NULL) {
5657 if (locked_tcb) {
5658 SCTP_TCB_UNLOCK(locked_tcb);
5659 }
5660 *offset = length;
5661 return (NULL);
5662 }
5663 } /* while */
5664
5665 if (asconf_cnt > 0 && stcb != NULL) {
5666 sctp_send_asconf_ack(stcb);
5667 }
5668 return (stcb);
5669 }
5670
5671
5672 /*
5673 * common input chunk processing (v4 and v6)
5674 */
5675 void
5676 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, int length,
5677 struct sockaddr *src, struct sockaddr *dst,
5678 struct sctphdr *sh, struct sctp_chunkhdr *ch,
5679 #if !defined(SCTP_WITH_NO_CSUM)
5680 uint8_t compute_crc,
5681 #endif
5682 uint8_t ecn_bits,
5683 uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
5684 uint32_t vrf_id, uint16_t port)
5685 {
5686 uint32_t high_tsn;
5687 int fwd_tsn_seen = 0, data_processed = 0;
5688 struct mbuf *m = *mm, *op_err;
5689 char msg[SCTP_DIAG_INFO_LEN];
5690 int un_sent;
5691 int cnt_ctrl_ready = 0;
5692 struct sctp_inpcb *inp = NULL, *inp_decr = NULL;
5693 struct sctp_tcb *stcb = NULL;
5694 struct sctp_nets *net = NULL;
5695
5696 SCTP_STAT_INCR(sctps_recvdatagrams);
5697 #ifdef SCTP_AUDITING_ENABLED
5698 sctp_audit_log(0xE0, 1);
5699 sctp_auditing(0, inp, stcb, net);
5700 #endif
5701 #if !defined(SCTP_WITH_NO_CSUM)
5702 if (compute_crc != 0) {
5703 uint32_t check, calc_check;
5704
5705 check = sh->checksum;
5706 sh->checksum = 0;
5707 calc_check = sctp_calculate_cksum(m, iphlen);
5708 sh->checksum = check;
5709 if (calc_check != check) {
5710 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
5711 calc_check, check, (void *)m, length, iphlen);
5712 stcb = sctp_findassociation_addr(m, offset, src, dst,
5713 sh, ch, &inp, &net, vrf_id);
5714 #if defined(INET) || defined(INET6)
5715 if ((ch->chunk_type != SCTP_INITIATION) &&
5716 (net != NULL) && (net->port != port)) {
5717 if (net->port == 0) {
5718 /* UDP encapsulation turned on. */
5719 net->mtu -= sizeof(struct udphdr);
5720 if (stcb->asoc.smallest_mtu > net->mtu) {
5721 sctp_pathmtu_adjustment(stcb, net->mtu);
5722 }
5723 } else if (port == 0) {
5724 /* UDP encapsulation turned off. */
5725 net->mtu += sizeof(struct udphdr);
5726 /* XXX Update smallest_mtu */
5727 }
5728 net->port = port;
5729 }
5730 #endif
5731 if (net != NULL) {
5732 net->flowtype = mflowtype;
5733 net->flowid = mflowid;
5734 }
5735 if ((inp != NULL) && (stcb != NULL)) {
5736 sctp_send_packet_dropped(stcb, net, m, length, iphlen, 1);
5737 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
5738 } else if ((inp != NULL) && (stcb == NULL)) {
5739 inp_decr = inp;
5740 }
5741 SCTP_STAT_INCR(sctps_badsum);
5742 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
5743 goto out;
5744 }
5745 }
5746 #endif
5747 /* Destination port of 0 is illegal, based on RFC4960. */
5748 if (sh->dest_port == 0) {
5749 SCTP_STAT_INCR(sctps_hdrops);
5750 goto out;
5751 }
5752 stcb = sctp_findassociation_addr(m, offset, src, dst,
5753 sh, ch, &inp, &net, vrf_id);
5754 #if defined(INET) || defined(INET6)
5755 if ((ch->chunk_type != SCTP_INITIATION) &&
5756 (net != NULL) && (net->port != port)) {
5757 if (net->port == 0) {
5758 /* UDP encapsulation turned on. */
5759 net->mtu -= sizeof(struct udphdr);
5760 if (stcb->asoc.smallest_mtu > net->mtu) {
5761 sctp_pathmtu_adjustment(stcb, net->mtu);
5762 }
5763 } else if (port == 0) {
5764 /* UDP encapsulation turned off. */
5765 net->mtu += sizeof(struct udphdr);
5766 /* XXX Update smallest_mtu */
5767 }
5768 net->port = port;
5769 }
5770 #endif
5771 if (net != NULL) {
5772 net->flowtype = mflowtype;
5773 net->flowid = mflowid;
5774 }
5775 if (inp == NULL) {
5776 SCTP_STAT_INCR(sctps_noport);
5777 if (badport_bandlim(BANDLIM_SCTP_OOTB) < 0) {
5778 goto out;
5779 }
5780 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
5781 sctp_send_shutdown_complete2(src, dst, sh,
5782 mflowtype, mflowid, fibnum,
5783 vrf_id, port);
5784 goto out;
5785 }
5786 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
5787 goto out;
5788 }
5789 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) {
5790 if ((SCTP_BASE_SYSCTL(sctp_blackhole) == 0) ||
5791 ((SCTP_BASE_SYSCTL(sctp_blackhole) == 1) &&
5792 (ch->chunk_type != SCTP_INIT))) {
5793 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5794 "Out of the blue");
5795 sctp_send_abort(m, iphlen, src, dst,
5796 sh, 0, op_err,
5797 mflowtype, mflowid, fibnum,
5798 vrf_id, port);
5799 }
5800 }
5801 goto out;
5802 } else if (stcb == NULL) {
5803 inp_decr = inp;
5804 }
5805 #ifdef IPSEC
5806 /*-
5807 * I very much doubt any of the IPSEC stuff will work but I have no
5808 * idea, so I will leave it in place.
5809 */
5810 if (inp != NULL) {
5811 switch (dst->sa_family) {
5812 #ifdef INET
5813 case AF_INET:
5814 if (ipsec4_in_reject(m, &inp->ip_inp.inp)) {
5815 SCTP_STAT_INCR(sctps_hdrops);
5816 goto out;
5817 }
5818 break;
5819 #endif
5820 #ifdef INET6
5821 case AF_INET6:
5822 if (ipsec6_in_reject(m, &inp->ip_inp.inp)) {
5823 SCTP_STAT_INCR(sctps_hdrops);
5824 goto out;
5825 }
5826 break;
5827 #endif
5828 default:
5829 break;
5830 }
5831 }
5832 #endif
5833 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
5834 (void *)m, iphlen, offset, length, (void *)stcb);
5835 if (stcb) {
5836 /* always clear this before beginning a packet */
5837 stcb->asoc.authenticated = 0;
5838 stcb->asoc.seen_a_sack_this_pkt = 0;
5839 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
5840 (void *)stcb, stcb->asoc.state);
5841
5842 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
5843 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
5844 /*-
5845 * If we hit here, we had a ref count
5846 * up when the assoc was aborted and the
5847 * timer is clearing out the assoc, we should
5848 * NOT respond to any packet.. its OOTB.
5849 */
5850 SCTP_TCB_UNLOCK(stcb);
5851 stcb = NULL;
5852 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
5853 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5854 msg);
5855 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5856 mflowtype, mflowid, inp->fibnum,
5857 vrf_id, port);
5858 goto out;
5859 }
5860 }
5861 if (IS_SCTP_CONTROL(ch)) {
5862 /* process the control portion of the SCTP packet */
5863 /* sa_ignore NO_NULL_CHK */
5864 stcb = sctp_process_control(m, iphlen, &offset, length,
5865 src, dst, sh, ch,
5866 inp, stcb, &net, &fwd_tsn_seen,
5867 mflowtype, mflowid, fibnum,
5868 vrf_id, port);
5869 if (stcb) {
5870 /*
5871 * This covers us if the cookie-echo was there and
5872 * it changes our INP.
5873 */
5874 inp = stcb->sctp_ep;
5875 #if defined(INET) || defined(INET6)
5876 if ((ch->chunk_type != SCTP_INITIATION) &&
5877 (net != NULL) && (net->port != port)) {
5878 if (net->port == 0) {
5879 /* UDP encapsulation turned on. */
5880 net->mtu -= sizeof(struct udphdr);
5881 if (stcb->asoc.smallest_mtu > net->mtu) {
5882 sctp_pathmtu_adjustment(stcb, net->mtu);
5883 }
5884 } else if (port == 0) {
5885 /* UDP encapsulation turned off. */
5886 net->mtu += sizeof(struct udphdr);
5887 /* XXX Update smallest_mtu */
5888 }
5889 net->port = port;
5890 }
5891 #endif
5892 }
5893 } else {
5894 /*
5895 * no control chunks, so pre-process DATA chunks (these
5896 * checks are taken care of by control processing)
5897 */
5898
5899 /*
5900 * if DATA only packet, and auth is required, then punt...
5901 * can't have authenticated without any AUTH (control)
5902 * chunks
5903 */
5904 if ((stcb != NULL) &&
5905 (stcb->asoc.auth_supported == 1) &&
5906 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
5907 /* "silently" ignore */
5908 SCTP_STAT_INCR(sctps_recvauthmissing);
5909 goto out;
5910 }
5911 if (stcb == NULL) {
5912 /* out of the blue DATA chunk */
5913 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
5914 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5915 msg);
5916 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5917 mflowtype, mflowid, fibnum,
5918 vrf_id, port);
5919 goto out;
5920 }
5921 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
5922 /* v_tag mismatch! */
5923 SCTP_STAT_INCR(sctps_badvtag);
5924 goto out;
5925 }
5926 }
5927
5928 if (stcb == NULL) {
5929 /*
5930 * no valid TCB for this packet, or we found it's a bad
5931 * packet while processing control, or we're done with this
5932 * packet (done or skip rest of data), so we drop it...
5933 */
5934 goto out;
5935 }
5936 /*
5937 * DATA chunk processing
5938 */
5939 /* plow through the data chunks while length > offset */
5940
5941 /*
5942 * Rest should be DATA only. Check authentication state if AUTH for
5943 * DATA is required.
5944 */
5945 if ((length > offset) &&
5946 (stcb != NULL) &&
5947 (stcb->asoc.auth_supported == 1) &&
5948 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
5949 !stcb->asoc.authenticated) {
5950 /* "silently" ignore */
5951 SCTP_STAT_INCR(sctps_recvauthmissing);
5952 SCTPDBG(SCTP_DEBUG_AUTH1,
5953 "Data chunk requires AUTH, skipped\n");
5954 goto trigger_send;
5955 }
5956 if (length > offset) {
5957 int retval;
5958
5959 /*
5960 * First check to make sure our state is correct. We would
5961 * not get here unless we really did have a tag, so we don't
5962 * abort if this happens, just dump the chunk silently.
5963 */
5964 switch (SCTP_GET_STATE(&stcb->asoc)) {
5965 case SCTP_STATE_COOKIE_ECHOED:
5966 /*
5967 * we consider data with valid tags in this state
5968 * shows us the cookie-ack was lost. Imply it was
5969 * there.
5970 */
5971 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5972 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5973 stcb->asoc.overall_error_count,
5974 0,
5975 SCTP_FROM_SCTP_INPUT,
5976 __LINE__);
5977 }
5978 stcb->asoc.overall_error_count = 0;
5979 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
5980 break;
5981 case SCTP_STATE_COOKIE_WAIT:
5982 /*
5983 * We consider OOTB any data sent during asoc setup.
5984 */
5985 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
5986 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5987 msg);
5988 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5989 mflowtype, mflowid, inp->fibnum,
5990 vrf_id, port);
5991 goto out;
5992 /* sa_ignore NOTREACHED */
5993 break;
5994 case SCTP_STATE_EMPTY: /* should not happen */
5995 case SCTP_STATE_INUSE: /* should not happen */
5996 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
5997 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5998 default:
5999 goto out;
6000 /* sa_ignore NOTREACHED */
6001 break;
6002 case SCTP_STATE_OPEN:
6003 case SCTP_STATE_SHUTDOWN_SENT:
6004 break;
6005 }
6006 /* plow through the data chunks while length > offset */
6007 retval = sctp_process_data(mm, iphlen, &offset, length,
6008 inp, stcb, net, &high_tsn);
6009 if (retval == 2) {
6010 /*
6011 * The association aborted, NO UNLOCK needed since
6012 * the association is destroyed.
6013 */
6014 stcb = NULL;
6015 goto out;
6016 }
6017 data_processed = 1;
6018 /*
6019 * Anything important needs to have been m_copy'ed in
6020 * process_data
6021 */
6022 }
6023 /* take care of ecn */
6024 if ((data_processed == 1) &&
6025 (stcb->asoc.ecn_supported == 1) &&
6026 ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)) {
6027 /* Yep, we need to add a ECNE */
6028 sctp_send_ecn_echo(stcb, net, high_tsn);
6029 }
6030 if ((data_processed == 0) && (fwd_tsn_seen)) {
6031 int was_a_gap;
6032 uint32_t highest_tsn;
6033
6034 if (SCTP_TSN_GT(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map)) {
6035 highest_tsn = stcb->asoc.highest_tsn_inside_nr_map;
6036 } else {
6037 highest_tsn = stcb->asoc.highest_tsn_inside_map;
6038 }
6039 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
6040 stcb->asoc.send_sack = 1;
6041 sctp_sack_check(stcb, was_a_gap);
6042 } else if (fwd_tsn_seen) {
6043 stcb->asoc.send_sack = 1;
6044 }
6045 /* trigger send of any chunks in queue... */
6046 trigger_send:
6047 #ifdef SCTP_AUDITING_ENABLED
6048 sctp_audit_log(0xE0, 2);
6049 sctp_auditing(1, inp, stcb, net);
6050 #endif
6051 SCTPDBG(SCTP_DEBUG_INPUT1,
6052 "Check for chunk output prw:%d tqe:%d tf=%d\n",
6053 stcb->asoc.peers_rwnd,
6054 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
6055 stcb->asoc.total_flight);
6056 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
6057 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
6058 cnt_ctrl_ready = stcb->asoc.ctrl_queue_cnt - stcb->asoc.ecn_echo_cnt_onq;
6059 }
6060 if (!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue) ||
6061 cnt_ctrl_ready ||
6062 stcb->asoc.trigger_reset ||
6063 ((un_sent) &&
6064 (stcb->asoc.peers_rwnd > 0 ||
6065 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) {
6066 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
6067 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
6068 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
6069 }
6070 #ifdef SCTP_AUDITING_ENABLED
6071 sctp_audit_log(0xE0, 3);
6072 sctp_auditing(2, inp, stcb, net);
6073 #endif
6074 out:
6075 if (stcb != NULL) {
6076 SCTP_TCB_UNLOCK(stcb);
6077 }
6078 if (inp_decr != NULL) {
6079 /* reduce ref-count */
6080 SCTP_INP_WLOCK(inp_decr);
6081 SCTP_INP_DECR_REF(inp_decr);
6082 SCTP_INP_WUNLOCK(inp_decr);
6083 }
6084 return;
6085 }
6086
6087 #ifdef INET
6088 void
6089 sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port)
6090 {
6091 struct mbuf *m;
6092 int iphlen;
6093 uint32_t vrf_id = 0;
6094 uint8_t ecn_bits;
6095 struct sockaddr_in src, dst;
6096 struct ip *ip;
6097 struct sctphdr *sh;
6098 struct sctp_chunkhdr *ch;
6099 int length, offset;
6100
6101 #if !defined(SCTP_WITH_NO_CSUM)
6102 uint8_t compute_crc;
6103
6104 #endif
6105 uint32_t mflowid;
6106 uint8_t mflowtype;
6107 uint16_t fibnum;
6108
6109 iphlen = off;
6110 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
6111 SCTP_RELEASE_PKT(i_pak);
6112 return;
6113 }
6114 m = SCTP_HEADER_TO_CHAIN(i_pak);
6115 #ifdef SCTP_MBUF_LOGGING
6116 /* Log in any input mbufs */
6117 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6118 sctp_log_mbc(m, SCTP_MBUF_INPUT);
6119 }
6120 #endif
6121 #ifdef SCTP_PACKET_LOGGING
6122 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
6123 sctp_packet_log(m);
6124 }
6125 #endif
6126 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
6127 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%b.\n",
6128 m->m_pkthdr.len,
6129 if_name(m->m_pkthdr.rcvif),
6130 (int)m->m_pkthdr.csum_flags, CSUM_BITS);
6131 mflowid = m->m_pkthdr.flowid;
6132 mflowtype = M_HASHTYPE_GET(m);
6133 fibnum = M_GETFIB(m);
6134 SCTP_STAT_INCR(sctps_recvpackets);
6135 SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
6136 /* Get IP, SCTP, and first chunk header together in the first mbuf. */
6137 offset = iphlen + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
6138 if (SCTP_BUF_LEN(m) < offset) {
6139 if ((m = m_pullup(m, offset)) == NULL) {
6140 SCTP_STAT_INCR(sctps_hdrops);
6141 return;
6142 }
6143 }
6144 ip = mtod(m, struct ip *);
6145 sh = (struct sctphdr *)((caddr_t)ip + iphlen);
6146 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(struct sctphdr));
6147 offset -= sizeof(struct sctp_chunkhdr);
6148 memset(&src, 0, sizeof(struct sockaddr_in));
6149 src.sin_family = AF_INET;
6150 src.sin_len = sizeof(struct sockaddr_in);
6151 src.sin_port = sh->src_port;
6152 src.sin_addr = ip->ip_src;
6153 memset(&dst, 0, sizeof(struct sockaddr_in));
6154 dst.sin_family = AF_INET;
6155 dst.sin_len = sizeof(struct sockaddr_in);
6156 dst.sin_port = sh->dest_port;
6157 dst.sin_addr = ip->ip_dst;
6158 length = ntohs(ip->ip_len);
6159 /* Validate mbuf chain length with IP payload length. */
6160 if (SCTP_HEADER_LEN(m) != length) {
6161 SCTPDBG(SCTP_DEBUG_INPUT1,
6162 "sctp_input() length:%d reported length:%d\n", length, SCTP_HEADER_LEN(m));
6163 SCTP_STAT_INCR(sctps_hdrops);
6164 goto out;
6165 }
6166 /* SCTP does not allow broadcasts or multicasts */
6167 if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) {
6168 goto out;
6169 }
6170 if (SCTP_IS_IT_BROADCAST(dst.sin_addr, m)) {
6171 goto out;
6172 }
6173 ecn_bits = ip->ip_tos;
6174 #if defined(SCTP_WITH_NO_CSUM)
6175 SCTP_STAT_INCR(sctps_recvnocrc);
6176 #else
6177 if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) {
6178 SCTP_STAT_INCR(sctps_recvhwcrc);
6179 compute_crc = 0;
6180 } else {
6181 SCTP_STAT_INCR(sctps_recvswcrc);
6182 compute_crc = 1;
6183 }
6184 #endif
6185 sctp_common_input_processing(&m, iphlen, offset, length,
6186 (struct sockaddr *)&src,
6187 (struct sockaddr *)&dst,
6188 sh, ch,
6189 #if !defined(SCTP_WITH_NO_CSUM)
6190 compute_crc,
6191 #endif
6192 ecn_bits,
6193 mflowtype, mflowid, fibnum,
6194 vrf_id, port);
6195 out:
6196 if (m) {
6197 sctp_m_freem(m);
6198 }
6199 return;
6200 }
6201
6202 #if defined(__FreeBSD__) && defined(SCTP_MCORE_INPUT) && defined(SMP)
6203 extern int *sctp_cpuarry;
6204
6205 #endif
6206
6207 int
6208 sctp_input(struct mbuf **mp, int *offp, int proto SCTP_UNUSED)
6209 {
6210 struct mbuf *m;
6211 int off;
6212
6213 m = *mp;
6214 off = *offp;
6215 #if defined(__FreeBSD__) && defined(SCTP_MCORE_INPUT) && defined(SMP)
6216 if (mp_ncpus > 1) {
6217 struct ip *ip;
6218 struct sctphdr *sh;
6219 int offset;
6220 int cpu_to_use;
6221 uint32_t flowid, tag;
6222
6223 if (M_HASHTYPE_GET(m) != M_HASHTYPE_NONE) {
6224 flowid = m->m_pkthdr.flowid;
6225 } else {
6226 /*
6227 * No flow id built by lower layers fix it so we
6228 * create one.
6229 */
6230 offset = off + sizeof(struct sctphdr);
6231 if (SCTP_BUF_LEN(m) < offset) {
6232 if ((m = m_pullup(m, offset)) == NULL) {
6233 SCTP_STAT_INCR(sctps_hdrops);
6234 return (IPPROTO_DONE);
6235 }
6236 }
6237 ip = mtod(m, struct ip *);
6238 sh = (struct sctphdr *)((caddr_t)ip + off);
6239 tag = htonl(sh->v_tag);
6240 flowid = tag ^ ntohs(sh->dest_port) ^ ntohs(sh->src_port);
6241 m->m_pkthdr.flowid = flowid;
6242 M_HASHTYPE_SET(m, M_HASHTYPE_OPAQUE_HASH);
6243 }
6244 cpu_to_use = sctp_cpuarry[flowid % mp_ncpus];
6245 sctp_queue_to_mcore(m, off, cpu_to_use);
6246 return (IPPROTO_DONE);
6247 }
6248 #endif
6249 sctp_input_with_port(m, off, 0);
6250 return (IPPROTO_DONE);
6251 }
6252
6253 #endif
FreeBSD src