]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/blob - sys/netinet/sctp_indata.c
netinet silence warnings
[FreeBSD/FreeBSD.git] / sys / netinet / sctp_indata.c
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved.
5  * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
6  * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions are met:
10  *
11  * a) Redistributions of source code must retain the above copyright notice,
12  *    this list of conditions and the following disclaimer.
13  *
14  * b) Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the distribution.
17  *
18  * c) Neither the name of Cisco Systems, Inc. nor the names of its
19  *    contributors may be used to endorse or promote products derived
20  *    from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
26  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
32  * THE POSSIBILITY OF SUCH DAMAGE.
33  */
34
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37
38 #include <netinet/sctp_os.h>
39 #include <sys/proc.h>
40 #include <netinet/sctp_var.h>
41 #include <netinet/sctp_sysctl.h>
42 #include <netinet/sctp_header.h>
43 #include <netinet/sctp_pcb.h>
44 #include <netinet/sctputil.h>
45 #include <netinet/sctp_output.h>
46 #include <netinet/sctp_uio.h>
47 #include <netinet/sctp_auth.h>
48 #include <netinet/sctp_timer.h>
49 #include <netinet/sctp_asconf.h>
50 #include <netinet/sctp_indata.h>
51 #include <netinet/sctp_bsd_addr.h>
52 #include <netinet/sctp_input.h>
53 #include <netinet/sctp_crc32.h>
54 #include <netinet/sctp_lock_bsd.h>
55 /*
56  * NOTES: On the outbound side of things I need to check the sack timer to
57  * see if I should generate a sack into the chunk queue (if I have data to
58  * send that is and will be sending it .. for bundling.
59  *
60  * The callback in sctp_usrreq.c will get called when the socket is read from.
61  * This will cause sctp_service_queues() to get called on the top entry in
62  * the list.
63  */
64 static uint32_t
65 sctp_add_chk_to_control(struct sctp_queued_to_read *control,
66     struct sctp_stream_in *strm,
67     struct sctp_tcb *stcb,
68     struct sctp_association *asoc,
69     struct sctp_tmit_chunk *chk, int lock_held);
70
71
72 void
73 sctp_set_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
74 {
75         asoc->my_rwnd = sctp_calc_rwnd(stcb, asoc);
76 }
77
78 /* Calculate what the rwnd would be */
79 uint32_t
80 sctp_calc_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
81 {
82         uint32_t calc = 0;
83
84         /*
85          * This is really set wrong with respect to a 1-2-m socket. Since
86          * the sb_cc is the count that everyone as put up. When we re-write
87          * sctp_soreceive then we will fix this so that ONLY this
88          * associations data is taken into account.
89          */
90         if (stcb->sctp_socket == NULL) {
91                 return (calc);
92         }
93         KASSERT(asoc->cnt_on_reasm_queue > 0 || asoc->size_on_reasm_queue == 0,
94             ("size_on_reasm_queue is %u", asoc->size_on_reasm_queue));
95         KASSERT(asoc->cnt_on_all_streams > 0 || asoc->size_on_all_streams == 0,
96             ("size_on_all_streams is %u", asoc->size_on_all_streams));
97         if (stcb->asoc.sb_cc == 0 &&
98             asoc->cnt_on_reasm_queue == 0 &&
99             asoc->cnt_on_all_streams == 0) {
100                 /* Full rwnd granted */
101                 calc = max(SCTP_SB_LIMIT_RCV(stcb->sctp_socket), SCTP_MINIMAL_RWND);
102                 return (calc);
103         }
104         /* get actual space */
105         calc = (uint32_t)sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv);
106         /*
107          * take out what has NOT been put on socket queue and we yet hold
108          * for putting up.
109          */
110         calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_reasm_queue +
111             asoc->cnt_on_reasm_queue * MSIZE));
112         calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_all_streams +
113             asoc->cnt_on_all_streams * MSIZE));
114         if (calc == 0) {
115                 /* out of space */
116                 return (calc);
117         }
118         /* what is the overhead of all these rwnd's */
119         calc = sctp_sbspace_sub(calc, stcb->asoc.my_rwnd_control_len);
120         /*
121          * If the window gets too small due to ctrl-stuff, reduce it to 1,
122          * even it is 0. SWS engaged
123          */
124         if (calc < stcb->asoc.my_rwnd_control_len) {
125                 calc = 1;
126         }
127         return (calc);
128 }
129
130
131
132 /*
133  * Build out our readq entry based on the incoming packet.
134  */
135 struct sctp_queued_to_read *
136 sctp_build_readq_entry(struct sctp_tcb *stcb,
137     struct sctp_nets *net,
138     uint32_t tsn, uint32_t ppid,
139     uint32_t context, uint16_t sid,
140     uint32_t mid, uint8_t flags,
141     struct mbuf *dm)
142 {
143         struct sctp_queued_to_read *read_queue_e = NULL;
144
145         sctp_alloc_a_readq(stcb, read_queue_e);
146         if (read_queue_e == NULL) {
147                 goto failed_build;
148         }
149         memset(read_queue_e, 0, sizeof(struct sctp_queued_to_read));
150         read_queue_e->sinfo_stream = sid;
151         read_queue_e->sinfo_flags = (flags << 8);
152         read_queue_e->sinfo_ppid = ppid;
153         read_queue_e->sinfo_context = context;
154         read_queue_e->sinfo_tsn = tsn;
155         read_queue_e->sinfo_cumtsn = tsn;
156         read_queue_e->sinfo_assoc_id = sctp_get_associd(stcb);
157         read_queue_e->mid = mid;
158         read_queue_e->top_fsn = read_queue_e->fsn_included = 0xffffffff;
159         TAILQ_INIT(&read_queue_e->reasm);
160         read_queue_e->whoFrom = net;
161         atomic_add_int(&net->ref_count, 1);
162         read_queue_e->data = dm;
163         read_queue_e->stcb = stcb;
164         read_queue_e->port_from = stcb->rport;
165 failed_build:
166         return (read_queue_e);
167 }
168
169 struct mbuf *
170 sctp_build_ctl_nchunk(struct sctp_inpcb *inp, struct sctp_sndrcvinfo *sinfo)
171 {
172         struct sctp_extrcvinfo *seinfo;
173         struct sctp_sndrcvinfo *outinfo;
174         struct sctp_rcvinfo *rcvinfo;
175         struct sctp_nxtinfo *nxtinfo;
176         struct cmsghdr *cmh;
177         struct mbuf *ret;
178         int len;
179         int use_extended;
180         int provide_nxt;
181
182         if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT) &&
183             sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVRCVINFO) &&
184             sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVNXTINFO)) {
185                 /* user does not want any ancillary data */
186                 return (NULL);
187         }
188         len = 0;
189         if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
190                 len += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
191         }
192         seinfo = (struct sctp_extrcvinfo *)sinfo;
193         if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO) &&
194             (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_AVAIL)) {
195                 provide_nxt = 1;
196                 len += CMSG_SPACE(sizeof(struct sctp_nxtinfo));
197         } else {
198                 provide_nxt = 0;
199         }
200         if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
201                 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXT_RCVINFO)) {
202                         use_extended = 1;
203                         len += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
204                 } else {
205                         use_extended = 0;
206                         len += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
207                 }
208         } else {
209                 use_extended = 0;
210         }
211
212         ret = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
213         if (ret == NULL) {
214                 /* No space */
215                 return (ret);
216         }
217         SCTP_BUF_LEN(ret) = 0;
218
219         /* We need a CMSG header followed by the struct */
220         cmh = mtod(ret, struct cmsghdr *);
221         /*
222          * Make sure that there is no un-initialized padding between the
223          * cmsg header and cmsg data and after the cmsg data.
224          */
225         memset(cmh, 0, len);
226         if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
227                 cmh->cmsg_level = IPPROTO_SCTP;
228                 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
229                 cmh->cmsg_type = SCTP_RCVINFO;
230                 rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmh);
231                 rcvinfo->rcv_sid = sinfo->sinfo_stream;
232                 rcvinfo->rcv_ssn = sinfo->sinfo_ssn;
233                 rcvinfo->rcv_flags = sinfo->sinfo_flags;
234                 rcvinfo->rcv_ppid = sinfo->sinfo_ppid;
235                 rcvinfo->rcv_tsn = sinfo->sinfo_tsn;
236                 rcvinfo->rcv_cumtsn = sinfo->sinfo_cumtsn;
237                 rcvinfo->rcv_context = sinfo->sinfo_context;
238                 rcvinfo->rcv_assoc_id = sinfo->sinfo_assoc_id;
239                 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo)));
240                 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
241         }
242         if (provide_nxt) {
243                 cmh->cmsg_level = IPPROTO_SCTP;
244                 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_nxtinfo));
245                 cmh->cmsg_type = SCTP_NXTINFO;
246                 nxtinfo = (struct sctp_nxtinfo *)CMSG_DATA(cmh);
247                 nxtinfo->nxt_sid = seinfo->serinfo_next_stream;
248                 nxtinfo->nxt_flags = 0;
249                 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_UNORDERED) {
250                         nxtinfo->nxt_flags |= SCTP_UNORDERED;
251                 }
252                 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_NOTIFICATION) {
253                         nxtinfo->nxt_flags |= SCTP_NOTIFICATION;
254                 }
255                 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_ISCOMPLETE) {
256                         nxtinfo->nxt_flags |= SCTP_COMPLETE;
257                 }
258                 nxtinfo->nxt_ppid = seinfo->serinfo_next_ppid;
259                 nxtinfo->nxt_length = seinfo->serinfo_next_length;
260                 nxtinfo->nxt_assoc_id = seinfo->serinfo_next_aid;
261                 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo)));
262                 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_nxtinfo));
263         }
264         if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
265                 cmh->cmsg_level = IPPROTO_SCTP;
266                 outinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmh);
267                 if (use_extended) {
268                         cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_extrcvinfo));
269                         cmh->cmsg_type = SCTP_EXTRCV;
270                         memcpy(outinfo, sinfo, sizeof(struct sctp_extrcvinfo));
271                         SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
272                 } else {
273                         cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
274                         cmh->cmsg_type = SCTP_SNDRCV;
275                         *outinfo = *sinfo;
276                         SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
277                 }
278         }
279         return (ret);
280 }
281
282
283 static void
284 sctp_mark_non_revokable(struct sctp_association *asoc, uint32_t tsn)
285 {
286         uint32_t gap, i, cumackp1;
287         int fnd = 0;
288         int in_r = 0, in_nr = 0;
289
290         if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
291                 return;
292         }
293         cumackp1 = asoc->cumulative_tsn + 1;
294         if (SCTP_TSN_GT(cumackp1, tsn)) {
295                 /*
296                  * this tsn is behind the cum ack and thus we don't need to
297                  * worry about it being moved from one to the other.
298                  */
299                 return;
300         }
301         SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
302         in_r = SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap);
303         in_nr = SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap);
304         if ((in_r == 0) && (in_nr == 0)) {
305 #ifdef INVARIANTS
306                 panic("Things are really messed up now");
307 #else
308                 SCTP_PRINTF("gap:%x tsn:%x\n", gap, tsn);
309                 sctp_print_mapping_array(asoc);
310 #endif
311         }
312         if (in_nr == 0)
313                 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
314         if (in_r)
315                 SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
316         if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
317                 asoc->highest_tsn_inside_nr_map = tsn;
318         }
319         if (tsn == asoc->highest_tsn_inside_map) {
320                 /* We must back down to see what the new highest is */
321                 for (i = tsn - 1; SCTP_TSN_GE(i, asoc->mapping_array_base_tsn); i--) {
322                         SCTP_CALC_TSN_TO_GAP(gap, i, asoc->mapping_array_base_tsn);
323                         if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) {
324                                 asoc->highest_tsn_inside_map = i;
325                                 fnd = 1;
326                                 break;
327                         }
328                 }
329                 if (!fnd) {
330                         asoc->highest_tsn_inside_map = asoc->mapping_array_base_tsn - 1;
331                 }
332         }
333 }
334
335 static int
336 sctp_place_control_in_stream(struct sctp_stream_in *strm,
337     struct sctp_association *asoc,
338     struct sctp_queued_to_read *control)
339 {
340         struct sctp_queued_to_read *at;
341         struct sctp_readhead *q;
342         uint8_t flags, unordered;
343
344         flags = (control->sinfo_flags >> 8);
345         unordered = flags & SCTP_DATA_UNORDERED;
346         if (unordered) {
347                 q = &strm->uno_inqueue;
348                 if (asoc->idata_supported == 0) {
349                         if (!TAILQ_EMPTY(q)) {
350                                 /*
351                                  * Only one stream can be here in old style
352                                  * -- abort
353                                  */
354                                 return (-1);
355                         }
356                         TAILQ_INSERT_TAIL(q, control, next_instrm);
357                         control->on_strm_q = SCTP_ON_UNORDERED;
358                         return (0);
359                 }
360         } else {
361                 q = &strm->inqueue;
362         }
363         if ((flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
364                 control->end_added = 1;
365                 control->first_frag_seen = 1;
366                 control->last_frag_seen = 1;
367         }
368         if (TAILQ_EMPTY(q)) {
369                 /* Empty queue */
370                 TAILQ_INSERT_HEAD(q, control, next_instrm);
371                 if (unordered) {
372                         control->on_strm_q = SCTP_ON_UNORDERED;
373                 } else {
374                         control->on_strm_q = SCTP_ON_ORDERED;
375                 }
376                 return (0);
377         } else {
378                 TAILQ_FOREACH(at, q, next_instrm) {
379                         if (SCTP_MID_GT(asoc->idata_supported, at->mid, control->mid)) {
380                                 /*
381                                  * one in queue is bigger than the new one,
382                                  * insert before this one
383                                  */
384                                 TAILQ_INSERT_BEFORE(at, control, next_instrm);
385                                 if (unordered) {
386                                         control->on_strm_q = SCTP_ON_UNORDERED;
387                                 } else {
388                                         control->on_strm_q = SCTP_ON_ORDERED;
389                                 }
390                                 break;
391                         } else if (SCTP_MID_EQ(asoc->idata_supported, at->mid, control->mid)) {
392                                 /*
393                                  * Gak, He sent me a duplicate msg id
394                                  * number?? return -1 to abort.
395                                  */
396                                 return (-1);
397                         } else {
398                                 if (TAILQ_NEXT(at, next_instrm) == NULL) {
399                                         /*
400                                          * We are at the end, insert it
401                                          * after this one
402                                          */
403                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
404                                                 sctp_log_strm_del(control, at,
405                                                     SCTP_STR_LOG_FROM_INSERT_TL);
406                                         }
407                                         TAILQ_INSERT_AFTER(q, at, control, next_instrm);
408                                         if (unordered) {
409                                                 control->on_strm_q = SCTP_ON_UNORDERED;
410                                         } else {
411                                                 control->on_strm_q = SCTP_ON_ORDERED;
412                                         }
413                                         break;
414                                 }
415                         }
416                 }
417         }
418         return (0);
419 }
420
421 static void
422 sctp_abort_in_reasm(struct sctp_tcb *stcb,
423     struct sctp_queued_to_read *control,
424     struct sctp_tmit_chunk *chk,
425     int *abort_flag, int opspot)
426 {
427         char msg[SCTP_DIAG_INFO_LEN];
428         struct mbuf *oper;
429
430         if (stcb->asoc.idata_supported) {
431                 snprintf(msg, sizeof(msg),
432                     "Reass %x,CF:%x,TSN=%8.8x,SID=%4.4x,FSN=%8.8x,MID:%8.8x",
433                     opspot,
434                     control->fsn_included,
435                     chk->rec.data.tsn,
436                     chk->rec.data.sid,
437                     chk->rec.data.fsn, chk->rec.data.mid);
438         } else {
439                 snprintf(msg, sizeof(msg),
440                     "Reass %x,CI:%x,TSN=%8.8x,SID=%4.4x,FSN=%4.4x,SSN:%4.4x",
441                     opspot,
442                     control->fsn_included,
443                     chk->rec.data.tsn,
444                     chk->rec.data.sid,
445                     chk->rec.data.fsn,
446                     (uint16_t)chk->rec.data.mid);
447         }
448         oper = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
449         sctp_m_freem(chk->data);
450         chk->data = NULL;
451         sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
452         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_1;
453         sctp_abort_an_association(stcb->sctp_ep, stcb, oper, SCTP_SO_NOT_LOCKED);
454         *abort_flag = 1;
455 }
456
457 static void
458 sctp_clean_up_control(struct sctp_tcb *stcb, struct sctp_queued_to_read *control)
459 {
460         /*
461          * The control could not be placed and must be cleaned.
462          */
463         struct sctp_tmit_chunk *chk, *nchk;
464
465         TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
466                 TAILQ_REMOVE(&control->reasm, chk, sctp_next);
467                 if (chk->data)
468                         sctp_m_freem(chk->data);
469                 chk->data = NULL;
470                 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
471         }
472         sctp_free_a_readq(stcb, control);
473 }
474
475 /*
476  * Queue the chunk either right into the socket buffer if it is the next one
477  * to go OR put it in the correct place in the delivery queue.  If we do
478  * append to the so_buf, keep doing so until we are out of order as
479  * long as the control's entered are non-fragmented.
480  */
481 static void
482 sctp_queue_data_to_stream(struct sctp_tcb *stcb,
483     struct sctp_association *asoc,
484     struct sctp_queued_to_read *control, int *abort_flag, int *need_reasm)
485 {
486         /*
487          * FIX-ME maybe? What happens when the ssn wraps? If we are getting
488          * all the data in one stream this could happen quite rapidly. One
489          * could use the TSN to keep track of things, but this scheme breaks
490          * down in the other type of stream usage that could occur. Send a
491          * single msg to stream 0, send 4Billion messages to stream 1, now
492          * send a message to stream 0. You have a situation where the TSN
493          * has wrapped but not in the stream. Is this worth worrying about
494          * or should we just change our queue sort at the bottom to be by
495          * TSN.
496          *
497          * Could it also be legal for a peer to send ssn 1 with TSN 2 and
498          * ssn 2 with TSN 1? If the peer is doing some sort of funky TSN/SSN
499          * assignment this could happen... and I don't see how this would be
500          * a violation. So for now I am undecided an will leave the sort by
501          * SSN alone. Maybe a hybred approach is the answer
502          *
503          */
504         struct sctp_queued_to_read *at;
505         int queue_needed;
506         uint32_t nxt_todel;
507         struct mbuf *op_err;
508         struct sctp_stream_in *strm;
509         char msg[SCTP_DIAG_INFO_LEN];
510
511         strm = &asoc->strmin[control->sinfo_stream];
512         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
513                 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_INTO_STRD);
514         }
515         if (SCTP_MID_GT((asoc->idata_supported), strm->last_mid_delivered, control->mid)) {
516                 /* The incoming sseq is behind where we last delivered? */
517                 SCTPDBG(SCTP_DEBUG_INDATA1, "Duplicate S-SEQ: %u delivered: %u from peer, Abort association\n",
518                     strm->last_mid_delivered, control->mid);
519                 /*
520                  * throw it in the stream so it gets cleaned up in
521                  * association destruction
522                  */
523                 TAILQ_INSERT_HEAD(&strm->inqueue, control, next_instrm);
524                 if (asoc->idata_supported) {
525                         snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x",
526                             strm->last_mid_delivered, control->sinfo_tsn,
527                             control->sinfo_stream, control->mid);
528                 } else {
529                         snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
530                             (uint16_t)strm->last_mid_delivered,
531                             control->sinfo_tsn,
532                             control->sinfo_stream,
533                             (uint16_t)control->mid);
534                 }
535                 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
536                 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_2;
537                 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
538                 *abort_flag = 1;
539                 return;
540
541         }
542         queue_needed = 1;
543         asoc->size_on_all_streams += control->length;
544         sctp_ucount_incr(asoc->cnt_on_all_streams);
545         nxt_todel = strm->last_mid_delivered + 1;
546         if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) {
547 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
548                 struct socket *so;
549
550                 so = SCTP_INP_SO(stcb->sctp_ep);
551                 atomic_add_int(&stcb->asoc.refcnt, 1);
552                 SCTP_TCB_UNLOCK(stcb);
553                 SCTP_SOCKET_LOCK(so, 1);
554                 SCTP_TCB_LOCK(stcb);
555                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
556                 if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
557                         SCTP_SOCKET_UNLOCK(so, 1);
558                         return;
559                 }
560 #endif
561                 /* can be delivered right away? */
562                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
563                         sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_IMMED_DEL);
564                 }
565                 /* EY it wont be queued if it could be delivered directly */
566                 queue_needed = 0;
567                 if (asoc->size_on_all_streams >= control->length) {
568                         asoc->size_on_all_streams -= control->length;
569                 } else {
570 #ifdef INVARIANTS
571                         panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
572 #else
573                         asoc->size_on_all_streams = 0;
574 #endif
575                 }
576                 sctp_ucount_decr(asoc->cnt_on_all_streams);
577                 strm->last_mid_delivered++;
578                 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
579                 sctp_add_to_readq(stcb->sctp_ep, stcb,
580                     control,
581                     &stcb->sctp_socket->so_rcv, 1,
582                     SCTP_READ_LOCK_NOT_HELD, SCTP_SO_LOCKED);
583                 TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, at) {
584                         /* all delivered */
585                         nxt_todel = strm->last_mid_delivered + 1;
586                         if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid) &&
587                             (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG)) {
588                                 if (control->on_strm_q == SCTP_ON_ORDERED) {
589                                         TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
590                                         if (asoc->size_on_all_streams >= control->length) {
591                                                 asoc->size_on_all_streams -= control->length;
592                                         } else {
593 #ifdef INVARIANTS
594                                                 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
595 #else
596                                                 asoc->size_on_all_streams = 0;
597 #endif
598                                         }
599                                         sctp_ucount_decr(asoc->cnt_on_all_streams);
600 #ifdef INVARIANTS
601                                 } else {
602                                         panic("Huh control: %p is on_strm_q: %d",
603                                             control, control->on_strm_q);
604 #endif
605                                 }
606                                 control->on_strm_q = 0;
607                                 strm->last_mid_delivered++;
608                                 /*
609                                  * We ignore the return of deliver_data here
610                                  * since we always can hold the chunk on the
611                                  * d-queue. And we have a finite number that
612                                  * can be delivered from the strq.
613                                  */
614                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
615                                         sctp_log_strm_del(control, NULL,
616                                             SCTP_STR_LOG_FROM_IMMED_DEL);
617                                 }
618                                 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
619                                 sctp_add_to_readq(stcb->sctp_ep, stcb,
620                                     control,
621                                     &stcb->sctp_socket->so_rcv, 1,
622                                     SCTP_READ_LOCK_NOT_HELD,
623                                     SCTP_SO_LOCKED);
624                                 continue;
625                         } else if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) {
626                                 *need_reasm = 1;
627                         }
628                         break;
629                 }
630 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
631                 SCTP_SOCKET_UNLOCK(so, 1);
632 #endif
633         }
634         if (queue_needed) {
635                 /*
636                  * Ok, we did not deliver this guy, find the correct place
637                  * to put it on the queue.
638                  */
639                 if (sctp_place_control_in_stream(strm, asoc, control)) {
640                         snprintf(msg, sizeof(msg),
641                             "Queue to str MID: %u duplicate",
642                             control->mid);
643                         sctp_clean_up_control(stcb, control);
644                         op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
645                         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_3;
646                         sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
647                         *abort_flag = 1;
648                 }
649         }
650 }
651
652
653 static void
654 sctp_setup_tail_pointer(struct sctp_queued_to_read *control)
655 {
656         struct mbuf *m, *prev = NULL;
657         struct sctp_tcb *stcb;
658
659         stcb = control->stcb;
660         control->held_length = 0;
661         control->length = 0;
662         m = control->data;
663         while (m) {
664                 if (SCTP_BUF_LEN(m) == 0) {
665                         /* Skip mbufs with NO length */
666                         if (prev == NULL) {
667                                 /* First one */
668                                 control->data = sctp_m_free(m);
669                                 m = control->data;
670                         } else {
671                                 SCTP_BUF_NEXT(prev) = sctp_m_free(m);
672                                 m = SCTP_BUF_NEXT(prev);
673                         }
674                         if (m == NULL) {
675                                 control->tail_mbuf = prev;
676                         }
677                         continue;
678                 }
679                 prev = m;
680                 atomic_add_int(&control->length, SCTP_BUF_LEN(m));
681                 if (control->on_read_q) {
682                         /*
683                          * On read queue so we must increment the SB stuff,
684                          * we assume caller has done any locks of SB.
685                          */
686                         sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m);
687                 }
688                 m = SCTP_BUF_NEXT(m);
689         }
690         if (prev) {
691                 control->tail_mbuf = prev;
692         }
693 }
694
695 static void
696 sctp_add_to_tail_pointer(struct sctp_queued_to_read *control, struct mbuf *m, uint32_t *added)
697 {
698         struct mbuf *prev = NULL;
699         struct sctp_tcb *stcb;
700
701         stcb = control->stcb;
702         if (stcb == NULL) {
703 #ifdef INVARIANTS
704                 panic("Control broken");
705 #else
706                 return;
707 #endif
708         }
709         if (control->tail_mbuf == NULL) {
710                 /* TSNH */
711                 control->data = m;
712                 sctp_setup_tail_pointer(control);
713                 return;
714         }
715         control->tail_mbuf->m_next = m;
716         while (m) {
717                 if (SCTP_BUF_LEN(m) == 0) {
718                         /* Skip mbufs with NO length */
719                         if (prev == NULL) {
720                                 /* First one */
721                                 control->tail_mbuf->m_next = sctp_m_free(m);
722                                 m = control->tail_mbuf->m_next;
723                         } else {
724                                 SCTP_BUF_NEXT(prev) = sctp_m_free(m);
725                                 m = SCTP_BUF_NEXT(prev);
726                         }
727                         if (m == NULL) {
728                                 control->tail_mbuf = prev;
729                         }
730                         continue;
731                 }
732                 prev = m;
733                 if (control->on_read_q) {
734                         /*
735                          * On read queue so we must increment the SB stuff,
736                          * we assume caller has done any locks of SB.
737                          */
738                         sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m);
739                 }
740                 *added += SCTP_BUF_LEN(m);
741                 atomic_add_int(&control->length, SCTP_BUF_LEN(m));
742                 m = SCTP_BUF_NEXT(m);
743         }
744         if (prev) {
745                 control->tail_mbuf = prev;
746         }
747 }
748
749 static void
750 sctp_build_readq_entry_from_ctl(struct sctp_queued_to_read *nc, struct sctp_queued_to_read *control)
751 {
752         memset(nc, 0, sizeof(struct sctp_queued_to_read));
753         nc->sinfo_stream = control->sinfo_stream;
754         nc->mid = control->mid;
755         TAILQ_INIT(&nc->reasm);
756         nc->top_fsn = control->top_fsn;
757         nc->mid = control->mid;
758         nc->sinfo_flags = control->sinfo_flags;
759         nc->sinfo_ppid = control->sinfo_ppid;
760         nc->sinfo_context = control->sinfo_context;
761         nc->fsn_included = 0xffffffff;
762         nc->sinfo_tsn = control->sinfo_tsn;
763         nc->sinfo_cumtsn = control->sinfo_cumtsn;
764         nc->sinfo_assoc_id = control->sinfo_assoc_id;
765         nc->whoFrom = control->whoFrom;
766         atomic_add_int(&nc->whoFrom->ref_count, 1);
767         nc->stcb = control->stcb;
768         nc->port_from = control->port_from;
769 }
770
771 static void
772 sctp_reset_a_control(struct sctp_queued_to_read *control,
773     struct sctp_inpcb *inp, uint32_t tsn)
774 {
775         control->fsn_included = tsn;
776         if (control->on_read_q) {
777                 /*
778                  * We have to purge it from there, hopefully this will work
779                  * :-)
780                  */
781                 TAILQ_REMOVE(&inp->read_queue, control, next);
782                 control->on_read_q = 0;
783         }
784 }
785
786 static int
787 sctp_handle_old_unordered_data(struct sctp_tcb *stcb,
788     struct sctp_association *asoc,
789     struct sctp_stream_in *strm,
790     struct sctp_queued_to_read *control,
791     uint32_t pd_point,
792     int inp_read_lock_held)
793 {
794         /*
795          * Special handling for the old un-ordered data chunk. All the
796          * chunks/TSN's go to mid 0. So we have to do the old style watching
797          * to see if we have it all. If you return one, no other control
798          * entries on the un-ordered queue will be looked at. In theory
799          * there should be no others entries in reality, unless the guy is
800          * sending both unordered NDATA and unordered DATA...
801          */
802         struct sctp_tmit_chunk *chk, *lchk, *tchk;
803         uint32_t fsn;
804         struct sctp_queued_to_read *nc;
805         int cnt_added;
806
807         if (control->first_frag_seen == 0) {
808                 /* Nothing we can do, we have not seen the first piece yet */
809                 return (1);
810         }
811         /* Collapse any we can */
812         cnt_added = 0;
813 restart:
814         fsn = control->fsn_included + 1;
815         /* Now what can we add? */
816         TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, lchk) {
817                 if (chk->rec.data.fsn == fsn) {
818                         /* Ok lets add it */
819                         sctp_alloc_a_readq(stcb, nc);
820                         if (nc == NULL) {
821                                 break;
822                         }
823                         memset(nc, 0, sizeof(struct sctp_queued_to_read));
824                         TAILQ_REMOVE(&control->reasm, chk, sctp_next);
825                         sctp_add_chk_to_control(control, strm, stcb, asoc, chk, SCTP_READ_LOCK_NOT_HELD);
826                         fsn++;
827                         cnt_added++;
828                         chk = NULL;
829                         if (control->end_added) {
830                                 /* We are done */
831                                 if (!TAILQ_EMPTY(&control->reasm)) {
832                                         /*
833                                          * Ok we have to move anything left
834                                          * on the control queue to a new
835                                          * control.
836                                          */
837                                         sctp_build_readq_entry_from_ctl(nc, control);
838                                         tchk = TAILQ_FIRST(&control->reasm);
839                                         if (tchk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
840                                                 TAILQ_REMOVE(&control->reasm, tchk, sctp_next);
841                                                 if (asoc->size_on_reasm_queue >= tchk->send_size) {
842                                                         asoc->size_on_reasm_queue -= tchk->send_size;
843                                                 } else {
844 #ifdef INVARIANTS
845                                                         panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, tchk->send_size);
846 #else
847                                                         asoc->size_on_reasm_queue = 0;
848 #endif
849                                                 }
850                                                 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
851                                                 nc->first_frag_seen = 1;
852                                                 nc->fsn_included = tchk->rec.data.fsn;
853                                                 nc->data = tchk->data;
854                                                 nc->sinfo_ppid = tchk->rec.data.ppid;
855                                                 nc->sinfo_tsn = tchk->rec.data.tsn;
856                                                 sctp_mark_non_revokable(asoc, tchk->rec.data.tsn);
857                                                 tchk->data = NULL;
858                                                 sctp_free_a_chunk(stcb, tchk, SCTP_SO_NOT_LOCKED);
859                                                 sctp_setup_tail_pointer(nc);
860                                                 tchk = TAILQ_FIRST(&control->reasm);
861                                         }
862                                         /* Spin the rest onto the queue */
863                                         while (tchk) {
864                                                 TAILQ_REMOVE(&control->reasm, tchk, sctp_next);
865                                                 TAILQ_INSERT_TAIL(&nc->reasm, tchk, sctp_next);
866                                                 tchk = TAILQ_FIRST(&control->reasm);
867                                         }
868                                         /*
869                                          * Now lets add it to the queue
870                                          * after removing control
871                                          */
872                                         TAILQ_INSERT_TAIL(&strm->uno_inqueue, nc, next_instrm);
873                                         nc->on_strm_q = SCTP_ON_UNORDERED;
874                                         if (control->on_strm_q) {
875                                                 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
876                                                 control->on_strm_q = 0;
877                                         }
878                                 }
879                                 if (control->pdapi_started) {
880                                         strm->pd_api_started = 0;
881                                         control->pdapi_started = 0;
882                                 }
883                                 if (control->on_strm_q) {
884                                         TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
885                                         control->on_strm_q = 0;
886                                         SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
887                                 }
888                                 if (control->on_read_q == 0) {
889                                         sctp_add_to_readq(stcb->sctp_ep, stcb, control,
890                                             &stcb->sctp_socket->so_rcv, control->end_added,
891                                             inp_read_lock_held, SCTP_SO_NOT_LOCKED);
892                                 }
893                                 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
894                                 if ((nc->first_frag_seen) && !TAILQ_EMPTY(&nc->reasm)) {
895                                         /*
896                                          * Switch to the new guy and
897                                          * continue
898                                          */
899                                         control = nc;
900                                         goto restart;
901                                 } else {
902                                         if (nc->on_strm_q == 0) {
903                                                 sctp_free_a_readq(stcb, nc);
904                                         }
905                                 }
906                                 return (1);
907                         } else {
908                                 sctp_free_a_readq(stcb, nc);
909                         }
910                 } else {
911                         /* Can't add more */
912                         break;
913                 }
914         }
915         if ((control->length > pd_point) && (strm->pd_api_started == 0)) {
916                 strm->pd_api_started = 1;
917                 control->pdapi_started = 1;
918                 sctp_add_to_readq(stcb->sctp_ep, stcb, control,
919                     &stcb->sctp_socket->so_rcv, control->end_added,
920                     inp_read_lock_held, SCTP_SO_NOT_LOCKED);
921                 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
922                 return (0);
923         } else {
924                 return (1);
925         }
926 }
927
928 static void
929 sctp_inject_old_unordered_data(struct sctp_tcb *stcb,
930     struct sctp_association *asoc,
931     struct sctp_queued_to_read *control,
932     struct sctp_tmit_chunk *chk,
933     int *abort_flag)
934 {
935         struct sctp_tmit_chunk *at;
936         int inserted;
937
938         /*
939          * Here we need to place the chunk into the control structure sorted
940          * in the correct order.
941          */
942         if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
943                 /* Its the very first one. */
944                 SCTPDBG(SCTP_DEBUG_XXX,
945                     "chunk is a first fsn: %u becomes fsn_included\n",
946                     chk->rec.data.fsn);
947                 if (control->first_frag_seen) {
948                         /*
949                          * In old un-ordered we can reassembly on one
950                          * control multiple messages. As long as the next
951                          * FIRST is greater then the old first (TSN i.e. FSN
952                          * wise)
953                          */
954                         struct mbuf *tdata;
955                         uint32_t tmp;
956
957                         if (SCTP_TSN_GT(chk->rec.data.fsn, control->fsn_included)) {
958                                 /*
959                                  * Easy way the start of a new guy beyond
960                                  * the lowest
961                                  */
962                                 goto place_chunk;
963                         }
964                         if ((chk->rec.data.fsn == control->fsn_included) ||
965                             (control->pdapi_started)) {
966                                 /*
967                                  * Ok this should not happen, if it does we
968                                  * started the pd-api on the higher TSN
969                                  * (since the equals part is a TSN failure
970                                  * it must be that).
971                                  *
972                                  * We are completly hosed in that case since
973                                  * I have no way to recover. This really
974                                  * will only happen if we can get more TSN's
975                                  * higher before the pd-api-point.
976                                  */
977                                 sctp_abort_in_reasm(stcb, control, chk,
978                                     abort_flag,
979                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_4);
980
981                                 return;
982                         }
983                         /*
984                          * Ok we have two firsts and the one we just got is
985                          * smaller than the one we previously placed.. yuck!
986                          * We must swap them out.
987                          */
988                         /* swap the mbufs */
989                         tdata = control->data;
990                         control->data = chk->data;
991                         chk->data = tdata;
992                         /* Save the lengths */
993                         chk->send_size = control->length;
994                         /* Recompute length of control and tail pointer */
995                         sctp_setup_tail_pointer(control);
996                         /* Fix the FSN included */
997                         tmp = control->fsn_included;
998                         control->fsn_included = chk->rec.data.fsn;
999                         chk->rec.data.fsn = tmp;
1000                         /* Fix the TSN included */
1001                         tmp = control->sinfo_tsn;
1002                         control->sinfo_tsn = chk->rec.data.tsn;
1003                         chk->rec.data.tsn = tmp;
1004                         /* Fix the PPID included */
1005                         tmp = control->sinfo_ppid;
1006                         control->sinfo_ppid = chk->rec.data.ppid;
1007                         chk->rec.data.ppid = tmp;
1008                         /* Fix tail pointer */
1009                         goto place_chunk;
1010                 }
1011                 control->first_frag_seen = 1;
1012                 control->fsn_included = chk->rec.data.fsn;
1013                 control->top_fsn = chk->rec.data.fsn;
1014                 control->sinfo_tsn = chk->rec.data.tsn;
1015                 control->sinfo_ppid = chk->rec.data.ppid;
1016                 control->data = chk->data;
1017                 sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
1018                 chk->data = NULL;
1019                 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
1020                 sctp_setup_tail_pointer(control);
1021                 return;
1022         }
1023 place_chunk:
1024         inserted = 0;
1025         TAILQ_FOREACH(at, &control->reasm, sctp_next) {
1026                 if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) {
1027                         /*
1028                          * This one in queue is bigger than the new one,
1029                          * insert the new one before at.
1030                          */
1031                         asoc->size_on_reasm_queue += chk->send_size;
1032                         sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1033                         inserted = 1;
1034                         TAILQ_INSERT_BEFORE(at, chk, sctp_next);
1035                         break;
1036                 } else if (at->rec.data.fsn == chk->rec.data.fsn) {
1037                         /*
1038                          * They sent a duplicate fsn number. This really
1039                          * should not happen since the FSN is a TSN and it
1040                          * should have been dropped earlier.
1041                          */
1042                         sctp_abort_in_reasm(stcb, control, chk,
1043                             abort_flag,
1044                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_5);
1045                         return;
1046                 }
1047         }
1048         if (inserted == 0) {
1049                 /* Its at the end */
1050                 asoc->size_on_reasm_queue += chk->send_size;
1051                 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1052                 control->top_fsn = chk->rec.data.fsn;
1053                 TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next);
1054         }
1055 }
1056
1057 static int
1058 sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct sctp_association *asoc,
1059     struct sctp_stream_in *strm, int inp_read_lock_held)
1060 {
1061         /*
1062          * Given a stream, strm, see if any of the SSN's on it that are
1063          * fragmented are ready to deliver. If so go ahead and place them on
1064          * the read queue. In so placing if we have hit the end, then we
1065          * need to remove them from the stream's queue.
1066          */
1067         struct sctp_queued_to_read *control, *nctl = NULL;
1068         uint32_t next_to_del;
1069         uint32_t pd_point;
1070         int ret = 0;
1071
1072         if (stcb->sctp_socket) {
1073                 pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT,
1074                     stcb->sctp_ep->partial_delivery_point);
1075         } else {
1076                 pd_point = stcb->sctp_ep->partial_delivery_point;
1077         }
1078         control = TAILQ_FIRST(&strm->uno_inqueue);
1079
1080         if ((control != NULL) &&
1081             (asoc->idata_supported == 0)) {
1082                 /* Special handling needed for "old" data format */
1083                 if (sctp_handle_old_unordered_data(stcb, asoc, strm, control, pd_point, inp_read_lock_held)) {
1084                         goto done_un;
1085                 }
1086         }
1087         if (strm->pd_api_started) {
1088                 /* Can't add more */
1089                 return (0);
1090         }
1091         while (control) {
1092                 SCTPDBG(SCTP_DEBUG_XXX, "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u -uo\n",
1093                     control, control->end_added, control->mid, control->top_fsn, control->fsn_included);
1094                 nctl = TAILQ_NEXT(control, next_instrm);
1095                 if (control->end_added) {
1096                         /* We just put the last bit on */
1097                         if (control->on_strm_q) {
1098 #ifdef INVARIANTS
1099                                 if (control->on_strm_q != SCTP_ON_UNORDERED) {
1100                                         panic("Huh control: %p on_q: %d -- not unordered?",
1101                                             control, control->on_strm_q);
1102                                 }
1103 #endif
1104                                 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
1105                                 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
1106                                 control->on_strm_q = 0;
1107                         }
1108                         if (control->on_read_q == 0) {
1109                                 sctp_add_to_readq(stcb->sctp_ep, stcb,
1110                                     control,
1111                                     &stcb->sctp_socket->so_rcv, control->end_added,
1112                                     inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1113                         }
1114                 } else {
1115                         /* Can we do a PD-API for this un-ordered guy? */
1116                         if ((control->length >= pd_point) && (strm->pd_api_started == 0)) {
1117                                 strm->pd_api_started = 1;
1118                                 control->pdapi_started = 1;
1119                                 sctp_add_to_readq(stcb->sctp_ep, stcb,
1120                                     control,
1121                                     &stcb->sctp_socket->so_rcv, control->end_added,
1122                                     inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1123
1124                                 break;
1125                         }
1126                 }
1127                 control = nctl;
1128         }
1129 done_un:
1130         control = TAILQ_FIRST(&strm->inqueue);
1131         if (strm->pd_api_started) {
1132                 /* Can't add more */
1133                 return (0);
1134         }
1135         if (control == NULL) {
1136                 return (ret);
1137         }
1138         if (SCTP_MID_EQ(asoc->idata_supported, strm->last_mid_delivered, control->mid)) {
1139                 /*
1140                  * Ok the guy at the top was being partially delivered
1141                  * completed, so we remove it. Note the pd_api flag was
1142                  * taken off when the chunk was merged on in
1143                  * sctp_queue_data_for_reasm below.
1144                  */
1145                 nctl = TAILQ_NEXT(control, next_instrm);
1146                 SCTPDBG(SCTP_DEBUG_XXX,
1147                     "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (lastdel: %u)- o\n",
1148                     control, control->end_added, control->mid,
1149                     control->top_fsn, control->fsn_included,
1150                     strm->last_mid_delivered);
1151                 if (control->end_added) {
1152                         if (control->on_strm_q) {
1153 #ifdef INVARIANTS
1154                                 if (control->on_strm_q != SCTP_ON_ORDERED) {
1155                                         panic("Huh control: %p on_q: %d -- not ordered?",
1156                                             control, control->on_strm_q);
1157                                 }
1158 #endif
1159                                 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
1160                                 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
1161                                 if (asoc->size_on_all_streams >= control->length) {
1162                                         asoc->size_on_all_streams -= control->length;
1163                                 } else {
1164 #ifdef INVARIANTS
1165                                         panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
1166 #else
1167                                         asoc->size_on_all_streams = 0;
1168 #endif
1169                                 }
1170                                 sctp_ucount_decr(asoc->cnt_on_all_streams);
1171                                 control->on_strm_q = 0;
1172                         }
1173                         if (strm->pd_api_started && control->pdapi_started) {
1174                                 control->pdapi_started = 0;
1175                                 strm->pd_api_started = 0;
1176                         }
1177                         if (control->on_read_q == 0) {
1178                                 sctp_add_to_readq(stcb->sctp_ep, stcb,
1179                                     control,
1180                                     &stcb->sctp_socket->so_rcv, control->end_added,
1181                                     inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1182                         }
1183                         control = nctl;
1184                 }
1185         }
1186         if (strm->pd_api_started) {
1187                 /*
1188                  * Can't add more must have gotten an un-ordered above being
1189                  * partially delivered.
1190                  */
1191                 return (0);
1192         }
1193 deliver_more:
1194         next_to_del = strm->last_mid_delivered + 1;
1195         if (control) {
1196                 SCTPDBG(SCTP_DEBUG_XXX,
1197                     "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (nxtdel: %u)- o\n",
1198                     control, control->end_added, control->mid, control->top_fsn, control->fsn_included,
1199                     next_to_del);
1200                 nctl = TAILQ_NEXT(control, next_instrm);
1201                 if (SCTP_MID_EQ(asoc->idata_supported, control->mid, next_to_del) &&
1202                     (control->first_frag_seen)) {
1203                         int done;
1204
1205                         /* Ok we can deliver it onto the stream. */
1206                         if (control->end_added) {
1207                                 /* We are done with it afterwards */
1208                                 if (control->on_strm_q) {
1209 #ifdef INVARIANTS
1210                                         if (control->on_strm_q != SCTP_ON_ORDERED) {
1211                                                 panic("Huh control: %p on_q: %d -- not ordered?",
1212                                                     control, control->on_strm_q);
1213                                         }
1214 #endif
1215                                         SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
1216                                         TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
1217                                         if (asoc->size_on_all_streams >= control->length) {
1218                                                 asoc->size_on_all_streams -= control->length;
1219                                         } else {
1220 #ifdef INVARIANTS
1221                                                 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
1222 #else
1223                                                 asoc->size_on_all_streams = 0;
1224 #endif
1225                                         }
1226                                         sctp_ucount_decr(asoc->cnt_on_all_streams);
1227                                         control->on_strm_q = 0;
1228                                 }
1229                                 ret++;
1230                         }
1231                         if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
1232                                 /*
1233                                  * A singleton now slipping through - mark
1234                                  * it non-revokable too
1235                                  */
1236                                 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
1237                         } else if (control->end_added == 0) {
1238                                 /*
1239                                  * Check if we can defer adding until its
1240                                  * all there
1241                                  */
1242                                 if ((control->length < pd_point) || (strm->pd_api_started)) {
1243                                         /*
1244                                          * Don't need it or cannot add more
1245                                          * (one being delivered that way)
1246                                          */
1247                                         goto out;
1248                                 }
1249                         }
1250                         done = (control->end_added) && (control->last_frag_seen);
1251                         if (control->on_read_q == 0) {
1252                                 if (!done) {
1253                                         if (asoc->size_on_all_streams >= control->length) {
1254                                                 asoc->size_on_all_streams -= control->length;
1255                                         } else {
1256 #ifdef INVARIANTS
1257                                                 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
1258 #else
1259                                                 asoc->size_on_all_streams = 0;
1260 #endif
1261                                         }
1262                                         strm->pd_api_started = 1;
1263                                         control->pdapi_started = 1;
1264                                 }
1265                                 sctp_add_to_readq(stcb->sctp_ep, stcb,
1266                                     control,
1267                                     &stcb->sctp_socket->so_rcv, control->end_added,
1268                                     inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1269                         }
1270                         strm->last_mid_delivered = next_to_del;
1271                         if (done) {
1272                                 control = nctl;
1273                                 goto deliver_more;
1274                         }
1275                 }
1276         }
1277 out:
1278         return (ret);
1279 }
1280
1281
1282 uint32_t
1283 sctp_add_chk_to_control(struct sctp_queued_to_read *control,
1284     struct sctp_stream_in *strm,
1285     struct sctp_tcb *stcb, struct sctp_association *asoc,
1286     struct sctp_tmit_chunk *chk, int hold_rlock)
1287 {
1288         /*
1289          * Given a control and a chunk, merge the data from the chk onto the
1290          * control and free up the chunk resources.
1291          */
1292         uint32_t added = 0;
1293         int i_locked = 0;
1294
1295         if (control->on_read_q && (hold_rlock == 0)) {
1296                 /*
1297                  * Its being pd-api'd so we must do some locks.
1298                  */
1299                 SCTP_INP_READ_LOCK(stcb->sctp_ep);
1300                 i_locked = 1;
1301         }
1302         if (control->data == NULL) {
1303                 control->data = chk->data;
1304                 sctp_setup_tail_pointer(control);
1305         } else {
1306                 sctp_add_to_tail_pointer(control, chk->data, &added);
1307         }
1308         control->fsn_included = chk->rec.data.fsn;
1309         asoc->size_on_reasm_queue -= chk->send_size;
1310         sctp_ucount_decr(asoc->cnt_on_reasm_queue);
1311         sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
1312         chk->data = NULL;
1313         if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
1314                 control->first_frag_seen = 1;
1315                 control->sinfo_tsn = chk->rec.data.tsn;
1316                 control->sinfo_ppid = chk->rec.data.ppid;
1317         }
1318         if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
1319                 /* Its complete */
1320                 if ((control->on_strm_q) && (control->on_read_q)) {
1321                         if (control->pdapi_started) {
1322                                 control->pdapi_started = 0;
1323                                 strm->pd_api_started = 0;
1324                         }
1325                         if (control->on_strm_q == SCTP_ON_UNORDERED) {
1326                                 /* Unordered */
1327                                 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
1328                                 control->on_strm_q = 0;
1329                         } else if (control->on_strm_q == SCTP_ON_ORDERED) {
1330                                 /* Ordered */
1331                                 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
1332                                 /*
1333                                  * Don't need to decrement
1334                                  * size_on_all_streams, since control is on
1335                                  * the read queue.
1336                                  */
1337                                 sctp_ucount_decr(asoc->cnt_on_all_streams);
1338                                 control->on_strm_q = 0;
1339 #ifdef INVARIANTS
1340                         } else if (control->on_strm_q) {
1341                                 panic("Unknown state on ctrl: %p on_strm_q: %d", control,
1342                                     control->on_strm_q);
1343 #endif
1344                         }
1345                 }
1346                 control->end_added = 1;
1347                 control->last_frag_seen = 1;
1348         }
1349         if (i_locked) {
1350                 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
1351         }
1352         sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
1353         return (added);
1354 }
1355
1356 /*
1357  * Dump onto the re-assembly queue, in its proper place. After dumping on the
1358  * queue, see if anthing can be delivered. If so pull it off (or as much as
1359  * we can. If we run out of space then we must dump what we can and set the
1360  * appropriate flag to say we queued what we could.
1361  */
1362 static void
1363 sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
1364     struct sctp_queued_to_read *control,
1365     struct sctp_tmit_chunk *chk,
1366     int created_control,
1367     int *abort_flag, uint32_t tsn)
1368 {
1369         uint32_t next_fsn;
1370         struct sctp_tmit_chunk *at, *nat;
1371         struct sctp_stream_in *strm;
1372         int do_wakeup, unordered;
1373         uint32_t lenadded;
1374
1375         strm = &asoc->strmin[control->sinfo_stream];
1376         /*
1377          * For old un-ordered data chunks.
1378          */
1379         if ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) {
1380                 unordered = 1;
1381         } else {
1382                 unordered = 0;
1383         }
1384         /* Must be added to the stream-in queue */
1385         if (created_control) {
1386                 if (unordered == 0) {
1387                         sctp_ucount_incr(asoc->cnt_on_all_streams);
1388                 }
1389                 if (sctp_place_control_in_stream(strm, asoc, control)) {
1390                         /* Duplicate SSN? */
1391                         sctp_abort_in_reasm(stcb, control, chk,
1392                             abort_flag,
1393                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_6);
1394                         sctp_clean_up_control(stcb, control);
1395                         return;
1396                 }
1397                 if ((tsn == (asoc->cumulative_tsn + 1) && (asoc->idata_supported == 0))) {
1398                         /*
1399                          * Ok we created this control and now lets validate
1400                          * that its legal i.e. there is a B bit set, if not
1401                          * and we have up to the cum-ack then its invalid.
1402                          */
1403                         if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0) {
1404                                 sctp_abort_in_reasm(stcb, control, chk,
1405                                     abort_flag,
1406                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_7);
1407                                 return;
1408                         }
1409                 }
1410         }
1411         if ((asoc->idata_supported == 0) && (unordered == 1)) {
1412                 sctp_inject_old_unordered_data(stcb, asoc, control, chk, abort_flag);
1413                 return;
1414         }
1415         /*
1416          * Ok we must queue the chunk into the reasembly portion: o if its
1417          * the first it goes to the control mbuf. o if its not first but the
1418          * next in sequence it goes to the control, and each succeeding one
1419          * in order also goes. o if its not in order we place it on the list
1420          * in its place.
1421          */
1422         if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
1423                 /* Its the very first one. */
1424                 SCTPDBG(SCTP_DEBUG_XXX,
1425                     "chunk is a first fsn: %u becomes fsn_included\n",
1426                     chk->rec.data.fsn);
1427                 if (control->first_frag_seen) {
1428                         /*
1429                          * Error on senders part, they either sent us two
1430                          * data chunks with FIRST, or they sent two
1431                          * un-ordered chunks that were fragmented at the
1432                          * same time in the same stream.
1433                          */
1434                         sctp_abort_in_reasm(stcb, control, chk,
1435                             abort_flag,
1436                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_8);
1437                         return;
1438                 }
1439                 control->first_frag_seen = 1;
1440                 control->sinfo_ppid = chk->rec.data.ppid;
1441                 control->sinfo_tsn = chk->rec.data.tsn;
1442                 control->fsn_included = chk->rec.data.fsn;
1443                 control->data = chk->data;
1444                 sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
1445                 chk->data = NULL;
1446                 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
1447                 sctp_setup_tail_pointer(control);
1448                 asoc->size_on_all_streams += control->length;
1449         } else {
1450                 /* Place the chunk in our list */
1451                 int inserted = 0;
1452
1453                 if (control->last_frag_seen == 0) {
1454                         /* Still willing to raise highest FSN seen */
1455                         if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) {
1456                                 SCTPDBG(SCTP_DEBUG_XXX,
1457                                     "We have a new top_fsn: %u\n",
1458                                     chk->rec.data.fsn);
1459                                 control->top_fsn = chk->rec.data.fsn;
1460                         }
1461                         if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
1462                                 SCTPDBG(SCTP_DEBUG_XXX,
1463                                     "The last fsn is now in place fsn: %u\n",
1464                                     chk->rec.data.fsn);
1465                                 control->last_frag_seen = 1;
1466                         }
1467                         if (asoc->idata_supported || control->first_frag_seen) {
1468                                 /*
1469                                  * For IDATA we always check since we know
1470                                  * that the first fragment is 0. For old
1471                                  * DATA we have to receive the first before
1472                                  * we know the first FSN (which is the TSN).
1473                                  */
1474                                 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) {
1475                                         /*
1476                                          * We have already delivered up to
1477                                          * this so its a dup
1478                                          */
1479                                         sctp_abort_in_reasm(stcb, control, chk,
1480                                             abort_flag,
1481                                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_9);
1482                                         return;
1483                                 }
1484                         }
1485                 } else {
1486                         if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
1487                                 /* Second last? huh? */
1488                                 SCTPDBG(SCTP_DEBUG_XXX,
1489                                     "Duplicate last fsn: %u (top: %u) -- abort\n",
1490                                     chk->rec.data.fsn, control->top_fsn);
1491                                 sctp_abort_in_reasm(stcb, control,
1492                                     chk, abort_flag,
1493                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_10);
1494                                 return;
1495                         }
1496                         if (asoc->idata_supported || control->first_frag_seen) {
1497                                 /*
1498                                  * For IDATA we always check since we know
1499                                  * that the first fragment is 0. For old
1500                                  * DATA we have to receive the first before
1501                                  * we know the first FSN (which is the TSN).
1502                                  */
1503
1504                                 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) {
1505                                         /*
1506                                          * We have already delivered up to
1507                                          * this so its a dup
1508                                          */
1509                                         SCTPDBG(SCTP_DEBUG_XXX,
1510                                             "New fsn: %u is already seen in included_fsn: %u -- abort\n",
1511                                             chk->rec.data.fsn, control->fsn_included);
1512                                         sctp_abort_in_reasm(stcb, control, chk,
1513                                             abort_flag,
1514                                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_11);
1515                                         return;
1516                                 }
1517                         }
1518                         /*
1519                          * validate not beyond top FSN if we have seen last
1520                          * one
1521                          */
1522                         if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) {
1523                                 SCTPDBG(SCTP_DEBUG_XXX,
1524                                     "New fsn: %u is beyond or at top_fsn: %u -- abort\n",
1525                                     chk->rec.data.fsn,
1526                                     control->top_fsn);
1527                                 sctp_abort_in_reasm(stcb, control, chk,
1528                                     abort_flag,
1529                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_12);
1530                                 return;
1531                         }
1532                 }
1533                 /*
1534                  * If we reach here, we need to place the new chunk in the
1535                  * reassembly for this control.
1536                  */
1537                 SCTPDBG(SCTP_DEBUG_XXX,
1538                     "chunk is a not first fsn: %u needs to be inserted\n",
1539                     chk->rec.data.fsn);
1540                 TAILQ_FOREACH(at, &control->reasm, sctp_next) {
1541                         if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) {
1542                                 /*
1543                                  * This one in queue is bigger than the new
1544                                  * one, insert the new one before at.
1545                                  */
1546                                 SCTPDBG(SCTP_DEBUG_XXX,
1547                                     "Insert it before fsn: %u\n",
1548                                     at->rec.data.fsn);
1549                                 asoc->size_on_reasm_queue += chk->send_size;
1550                                 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1551                                 TAILQ_INSERT_BEFORE(at, chk, sctp_next);
1552                                 inserted = 1;
1553                                 break;
1554                         } else if (at->rec.data.fsn == chk->rec.data.fsn) {
1555                                 /*
1556                                  * Gak, He sent me a duplicate str seq
1557                                  * number
1558                                  */
1559                                 /*
1560                                  * foo bar, I guess I will just free this
1561                                  * new guy, should we abort too? FIX ME
1562                                  * MAYBE? Or it COULD be that the SSN's have
1563                                  * wrapped. Maybe I should compare to TSN
1564                                  * somehow... sigh for now just blow away
1565                                  * the chunk!
1566                                  */
1567                                 SCTPDBG(SCTP_DEBUG_XXX,
1568                                     "Duplicate to fsn: %u -- abort\n",
1569                                     at->rec.data.fsn);
1570                                 sctp_abort_in_reasm(stcb, control,
1571                                     chk, abort_flag,
1572                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_13);
1573                                 return;
1574                         }
1575                 }
1576                 if (inserted == 0) {
1577                         /* Goes on the end */
1578                         SCTPDBG(SCTP_DEBUG_XXX, "Inserting at tail of list fsn: %u\n",
1579                             chk->rec.data.fsn);
1580                         asoc->size_on_reasm_queue += chk->send_size;
1581                         sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1582                         TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next);
1583                 }
1584         }
1585         /*
1586          * Ok lets see if we can suck any up into the control structure that
1587          * are in seq if it makes sense.
1588          */
1589         do_wakeup = 0;
1590         /*
1591          * If the first fragment has not been seen there is no sense in
1592          * looking.
1593          */
1594         if (control->first_frag_seen) {
1595                 next_fsn = control->fsn_included + 1;
1596                 TAILQ_FOREACH_SAFE(at, &control->reasm, sctp_next, nat) {
1597                         if (at->rec.data.fsn == next_fsn) {
1598                                 /* We can add this one now to the control */
1599                                 SCTPDBG(SCTP_DEBUG_XXX,
1600                                     "Adding more to control: %p at: %p fsn: %u next_fsn: %u included: %u\n",
1601                                     control, at,
1602                                     at->rec.data.fsn,
1603                                     next_fsn, control->fsn_included);
1604                                 TAILQ_REMOVE(&control->reasm, at, sctp_next);
1605                                 lenadded = sctp_add_chk_to_control(control, strm, stcb, asoc, at, SCTP_READ_LOCK_NOT_HELD);
1606                                 if (control->on_read_q) {
1607                                         do_wakeup = 1;
1608                                 } else {
1609                                         /*
1610                                          * We only add to the
1611                                          * size-on-all-streams if its not on
1612                                          * the read q. The read q flag will
1613                                          * cause a sballoc so its accounted
1614                                          * for there.
1615                                          */
1616                                         asoc->size_on_all_streams += lenadded;
1617                                 }
1618                                 next_fsn++;
1619                                 if (control->end_added && control->pdapi_started) {
1620                                         if (strm->pd_api_started) {
1621                                                 strm->pd_api_started = 0;
1622                                                 control->pdapi_started = 0;
1623                                         }
1624                                         if (control->on_read_q == 0) {
1625                                                 sctp_add_to_readq(stcb->sctp_ep, stcb,
1626                                                     control,
1627                                                     &stcb->sctp_socket->so_rcv, control->end_added,
1628                                                     SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
1629                                         }
1630                                         break;
1631                                 }
1632                         } else {
1633                                 break;
1634                         }
1635                 }
1636         }
1637         if (do_wakeup) {
1638                 /* Need to wakeup the reader */
1639                 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
1640         }
1641 }
1642
1643 static struct sctp_queued_to_read *
1644 sctp_find_reasm_entry(struct sctp_stream_in *strm, uint32_t mid, int ordered, int idata_supported)
1645 {
1646         struct sctp_queued_to_read *control;
1647
1648         if (ordered) {
1649                 TAILQ_FOREACH(control, &strm->inqueue, next_instrm) {
1650                         if (SCTP_MID_EQ(idata_supported, control->mid, mid)) {
1651                                 break;
1652                         }
1653                 }
1654         } else {
1655                 if (idata_supported) {
1656                         TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) {
1657                                 if (SCTP_MID_EQ(idata_supported, control->mid, mid)) {
1658                                         break;
1659                                 }
1660                         }
1661                 } else {
1662                         control = TAILQ_FIRST(&strm->uno_inqueue);
1663                 }
1664         }
1665         return (control);
1666 }
1667
1668 static int
1669 sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc,
1670     struct mbuf **m, int offset, int chk_length,
1671     struct sctp_nets *net, uint32_t *high_tsn, int *abort_flag,
1672     int *break_flag, int last_chunk, uint8_t chk_type)
1673 {
1674         /* Process a data chunk */
1675         struct sctp_tmit_chunk *chk = NULL;
1676         uint32_t tsn, fsn, gap, mid;
1677         struct mbuf *dmbuf;
1678         int the_len;
1679         int need_reasm_check = 0;
1680         uint16_t sid;
1681         struct mbuf *op_err;
1682         char msg[SCTP_DIAG_INFO_LEN];
1683         struct sctp_queued_to_read *control, *ncontrol;
1684         uint32_t ppid;
1685         uint8_t chk_flags;
1686         struct sctp_stream_reset_list *liste;
1687         int ordered;
1688         size_t clen;
1689         int created_control = 0;
1690
1691         if (chk_type == SCTP_IDATA) {
1692                 struct sctp_idata_chunk *chunk, chunk_buf;
1693
1694                 chunk = (struct sctp_idata_chunk *)sctp_m_getptr(*m, offset,
1695                     sizeof(struct sctp_idata_chunk), (uint8_t *)&chunk_buf);
1696                 chk_flags = chunk->ch.chunk_flags;
1697                 clen = sizeof(struct sctp_idata_chunk);
1698                 tsn = ntohl(chunk->dp.tsn);
1699                 sid = ntohs(chunk->dp.sid);
1700                 mid = ntohl(chunk->dp.mid);
1701                 if (chk_flags & SCTP_DATA_FIRST_FRAG) {
1702                         fsn = 0;
1703                         ppid = chunk->dp.ppid_fsn.ppid;
1704                 } else {
1705                         fsn = ntohl(chunk->dp.ppid_fsn.fsn);
1706                         ppid = 0xffffffff;      /* Use as an invalid value. */
1707                 }
1708         } else {
1709                 struct sctp_data_chunk *chunk, chunk_buf;
1710
1711                 chunk = (struct sctp_data_chunk *)sctp_m_getptr(*m, offset,
1712                     sizeof(struct sctp_data_chunk), (uint8_t *)&chunk_buf);
1713                 chk_flags = chunk->ch.chunk_flags;
1714                 clen = sizeof(struct sctp_data_chunk);
1715                 tsn = ntohl(chunk->dp.tsn);
1716                 sid = ntohs(chunk->dp.sid);
1717                 mid = (uint32_t)(ntohs(chunk->dp.ssn));
1718                 fsn = tsn;
1719                 ppid = chunk->dp.ppid;
1720         }
1721         if ((size_t)chk_length == clen) {
1722                 /*
1723                  * Need to send an abort since we had a empty data chunk.
1724                  */
1725                 op_err = sctp_generate_no_user_data_cause(tsn);
1726                 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_14;
1727                 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1728                 *abort_flag = 1;
1729                 return (0);
1730         }
1731         if ((chk_flags & SCTP_DATA_SACK_IMMEDIATELY) == SCTP_DATA_SACK_IMMEDIATELY) {
1732                 asoc->send_sack = 1;
1733         }
1734         ordered = ((chk_flags & SCTP_DATA_UNORDERED) == 0);
1735         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
1736                 sctp_log_map(tsn, asoc->cumulative_tsn, asoc->highest_tsn_inside_map, SCTP_MAP_TSN_ENTERS);
1737         }
1738         if (stcb == NULL) {
1739                 return (0);
1740         }
1741         SCTP_LTRACE_CHK(stcb->sctp_ep, stcb, chk_type, tsn);
1742         if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
1743                 /* It is a duplicate */
1744                 SCTP_STAT_INCR(sctps_recvdupdata);
1745                 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
1746                         /* Record a dup for the next outbound sack */
1747                         asoc->dup_tsns[asoc->numduptsns] = tsn;
1748                         asoc->numduptsns++;
1749                 }
1750                 asoc->send_sack = 1;
1751                 return (0);
1752         }
1753         /* Calculate the number of TSN's between the base and this TSN */
1754         SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
1755         if (gap >= (SCTP_MAPPING_ARRAY << 3)) {
1756                 /* Can't hold the bit in the mapping at max array, toss it */
1757                 return (0);
1758         }
1759         if (gap >= (uint32_t)(asoc->mapping_array_size << 3)) {
1760                 SCTP_TCB_LOCK_ASSERT(stcb);
1761                 if (sctp_expand_mapping_array(asoc, gap)) {
1762                         /* Can't expand, drop it */
1763                         return (0);
1764                 }
1765         }
1766         if (SCTP_TSN_GT(tsn, *high_tsn)) {
1767                 *high_tsn = tsn;
1768         }
1769         /* See if we have received this one already */
1770         if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap) ||
1771             SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap)) {
1772                 SCTP_STAT_INCR(sctps_recvdupdata);
1773                 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
1774                         /* Record a dup for the next outbound sack */
1775                         asoc->dup_tsns[asoc->numduptsns] = tsn;
1776                         asoc->numduptsns++;
1777                 }
1778                 asoc->send_sack = 1;
1779                 return (0);
1780         }
1781         /*
1782          * Check to see about the GONE flag, duplicates would cause a sack
1783          * to be sent up above
1784          */
1785         if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
1786             (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
1787             (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET))) {
1788                 /*
1789                  * wait a minute, this guy is gone, there is no longer a
1790                  * receiver. Send peer an ABORT!
1791                  */
1792                 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
1793                 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1794                 *abort_flag = 1;
1795                 return (0);
1796         }
1797         /*
1798          * Now before going further we see if there is room. If NOT then we
1799          * MAY let one through only IF this TSN is the one we are waiting
1800          * for on a partial delivery API.
1801          */
1802
1803         /* Is the stream valid? */
1804         if (sid >= asoc->streamincnt) {
1805                 struct sctp_error_invalid_stream *cause;
1806
1807                 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_invalid_stream),
1808                     0, M_NOWAIT, 1, MT_DATA);
1809                 if (op_err != NULL) {
1810                         /* add some space up front so prepend will work well */
1811                         SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
1812                         cause = mtod(op_err, struct sctp_error_invalid_stream *);
1813                         /*
1814                          * Error causes are just param's and this one has
1815                          * two back to back phdr, one with the error type
1816                          * and size, the other with the streamid and a rsvd
1817                          */
1818                         SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_invalid_stream);
1819                         cause->cause.code = htons(SCTP_CAUSE_INVALID_STREAM);
1820                         cause->cause.length = htons(sizeof(struct sctp_error_invalid_stream));
1821                         cause->stream_id = htons(sid);
1822                         cause->reserved = htons(0);
1823                         sctp_queue_op_err(stcb, op_err);
1824                 }
1825                 SCTP_STAT_INCR(sctps_badsid);
1826                 SCTP_TCB_LOCK_ASSERT(stcb);
1827                 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
1828                 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1829                         asoc->highest_tsn_inside_nr_map = tsn;
1830                 }
1831                 if (tsn == (asoc->cumulative_tsn + 1)) {
1832                         /* Update cum-ack */
1833                         asoc->cumulative_tsn = tsn;
1834                 }
1835                 return (0);
1836         }
1837         /*
1838          * If its a fragmented message, lets see if we can find the control
1839          * on the reassembly queues.
1840          */
1841         if ((chk_type == SCTP_IDATA) &&
1842             ((chk_flags & SCTP_DATA_FIRST_FRAG) == 0) &&
1843             (fsn == 0)) {
1844                 /*
1845                  * The first *must* be fsn 0, and other (middle/end) pieces
1846                  * can *not* be fsn 0. XXX: This can happen in case of a
1847                  * wrap around. Ignore is for now.
1848                  */
1849                 snprintf(msg, sizeof(msg), "FSN zero for MID=%8.8x, but flags=%2.2x",
1850                     mid, chk_flags);
1851                 goto err_out;
1852         }
1853         control = sctp_find_reasm_entry(&asoc->strmin[sid], mid, ordered, asoc->idata_supported);
1854         SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for control on queues %p\n",
1855             chk_flags, control);
1856         if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) {
1857                 /* See if we can find the re-assembly entity */
1858                 if (control != NULL) {
1859                         /* We found something, does it belong? */
1860                         if (ordered && (mid != control->mid)) {
1861                                 snprintf(msg, sizeof(msg), "Reassembly problem (MID=%8.8x)", mid);
1862                 err_out:
1863                                 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1864                                 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_15;
1865                                 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1866                                 *abort_flag = 1;
1867                                 return (0);
1868                         }
1869                         if (ordered && ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED)) {
1870                                 /*
1871                                  * We can't have a switched order with an
1872                                  * unordered chunk
1873                                  */
1874                                 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)",
1875                                     tsn);
1876                                 goto err_out;
1877                         }
1878                         if (!ordered && (((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) == 0)) {
1879                                 /*
1880                                  * We can't have a switched unordered with a
1881                                  * ordered chunk
1882                                  */
1883                                 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)",
1884                                     tsn);
1885                                 goto err_out;
1886                         }
1887                 }
1888         } else {
1889                 /*
1890                  * Its a complete segment. Lets validate we don't have a
1891                  * re-assembly going on with the same Stream/Seq (for
1892                  * ordered) or in the same Stream for unordered.
1893                  */
1894                 if (control != NULL) {
1895                         if (ordered || asoc->idata_supported) {
1896                                 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x dup detected on MID: %u\n",
1897                                     chk_flags, mid);
1898                                 snprintf(msg, sizeof(msg), "Duplicate MID=%8.8x detected.", mid);
1899                                 goto err_out;
1900                         } else {
1901                                 if ((tsn == control->fsn_included + 1) &&
1902                                     (control->end_added == 0)) {
1903                                         snprintf(msg, sizeof(msg), "Illegal message sequence, missing end for MID: %8.8x", control->fsn_included);
1904                                         goto err_out;
1905                                 } else {
1906                                         control = NULL;
1907                                 }
1908                         }
1909                 }
1910         }
1911         /* now do the tests */
1912         if (((asoc->cnt_on_all_streams +
1913             asoc->cnt_on_reasm_queue +
1914             asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) ||
1915             (((int)asoc->my_rwnd) <= 0)) {
1916                 /*
1917                  * When we have NO room in the rwnd we check to make sure
1918                  * the reader is doing its job...
1919                  */
1920                 if (stcb->sctp_socket->so_rcv.sb_cc) {
1921                         /* some to read, wake-up */
1922 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1923                         struct socket *so;
1924
1925                         so = SCTP_INP_SO(stcb->sctp_ep);
1926                         atomic_add_int(&stcb->asoc.refcnt, 1);
1927                         SCTP_TCB_UNLOCK(stcb);
1928                         SCTP_SOCKET_LOCK(so, 1);
1929                         SCTP_TCB_LOCK(stcb);
1930                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
1931                         if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1932                                 /* assoc was freed while we were unlocked */
1933                                 SCTP_SOCKET_UNLOCK(so, 1);
1934                                 return (0);
1935                         }
1936 #endif
1937                         sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
1938 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1939                         SCTP_SOCKET_UNLOCK(so, 1);
1940 #endif
1941                 }
1942                 /* now is it in the mapping array of what we have accepted? */
1943                 if (chk_type == SCTP_DATA) {
1944                         if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map) &&
1945                             SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1946                                 /* Nope not in the valid range dump it */
1947                 dump_packet:
1948                                 sctp_set_rwnd(stcb, asoc);
1949                                 if ((asoc->cnt_on_all_streams +
1950                                     asoc->cnt_on_reasm_queue +
1951                                     asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) {
1952                                         SCTP_STAT_INCR(sctps_datadropchklmt);
1953                                 } else {
1954                                         SCTP_STAT_INCR(sctps_datadroprwnd);
1955                                 }
1956                                 *break_flag = 1;
1957                                 return (0);
1958                         }
1959                 } else {
1960                         if (control == NULL) {
1961                                 goto dump_packet;
1962                         }
1963                         if (SCTP_TSN_GT(fsn, control->top_fsn)) {
1964                                 goto dump_packet;
1965                         }
1966                 }
1967         }
1968 #ifdef SCTP_ASOCLOG_OF_TSNS
1969         SCTP_TCB_LOCK_ASSERT(stcb);
1970         if (asoc->tsn_in_at >= SCTP_TSN_LOG_SIZE) {
1971                 asoc->tsn_in_at = 0;
1972                 asoc->tsn_in_wrapped = 1;
1973         }
1974         asoc->in_tsnlog[asoc->tsn_in_at].tsn = tsn;
1975         asoc->in_tsnlog[asoc->tsn_in_at].strm = sid;
1976         asoc->in_tsnlog[asoc->tsn_in_at].seq = mid;
1977         asoc->in_tsnlog[asoc->tsn_in_at].sz = chk_length;
1978         asoc->in_tsnlog[asoc->tsn_in_at].flgs = chunk_flags;
1979         asoc->in_tsnlog[asoc->tsn_in_at].stcb = (void *)stcb;
1980         asoc->in_tsnlog[asoc->tsn_in_at].in_pos = asoc->tsn_in_at;
1981         asoc->in_tsnlog[asoc->tsn_in_at].in_out = 1;
1982         asoc->tsn_in_at++;
1983 #endif
1984         /*
1985          * Before we continue lets validate that we are not being fooled by
1986          * an evil attacker. We can only have Nk chunks based on our TSN
1987          * spread allowed by the mapping array N * 8 bits, so there is no
1988          * way our stream sequence numbers could have wrapped. We of course
1989          * only validate the FIRST fragment so the bit must be set.
1990          */
1991         if ((chk_flags & SCTP_DATA_FIRST_FRAG) &&
1992             (TAILQ_EMPTY(&asoc->resetHead)) &&
1993             (chk_flags & SCTP_DATA_UNORDERED) == 0 &&
1994             SCTP_MID_GE(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered, mid)) {
1995                 /* The incoming sseq is behind where we last delivered? */
1996                 SCTPDBG(SCTP_DEBUG_INDATA1, "EVIL/Broken-Dup S-SEQ: %u delivered: %u from peer, Abort!\n",
1997                     mid, asoc->strmin[sid].last_mid_delivered);
1998
1999                 if (asoc->idata_supported) {
2000                         snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x",
2001                             asoc->strmin[sid].last_mid_delivered,
2002                             tsn,
2003                             sid,
2004                             mid);
2005                 } else {
2006                         snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
2007                             (uint16_t)asoc->strmin[sid].last_mid_delivered,
2008                             tsn,
2009                             sid,
2010                             (uint16_t)mid);
2011                 }
2012                 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2013                 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_16;
2014                 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
2015                 *abort_flag = 1;
2016                 return (0);
2017         }
2018         if (chk_type == SCTP_IDATA) {
2019                 the_len = (chk_length - sizeof(struct sctp_idata_chunk));
2020         } else {
2021                 the_len = (chk_length - sizeof(struct sctp_data_chunk));
2022         }
2023         if (last_chunk == 0) {
2024                 if (chk_type == SCTP_IDATA) {
2025                         dmbuf = SCTP_M_COPYM(*m,
2026                             (offset + sizeof(struct sctp_idata_chunk)),
2027                             the_len, M_NOWAIT);
2028                 } else {
2029                         dmbuf = SCTP_M_COPYM(*m,
2030                             (offset + sizeof(struct sctp_data_chunk)),
2031                             the_len, M_NOWAIT);
2032                 }
2033 #ifdef SCTP_MBUF_LOGGING
2034                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
2035                         sctp_log_mbc(dmbuf, SCTP_MBUF_ICOPY);
2036                 }
2037 #endif
2038         } else {
2039                 /* We can steal the last chunk */
2040                 int l_len;
2041
2042                 dmbuf = *m;
2043                 /* lop off the top part */
2044                 if (chk_type == SCTP_IDATA) {
2045                         m_adj(dmbuf, (offset + sizeof(struct sctp_idata_chunk)));
2046                 } else {
2047                         m_adj(dmbuf, (offset + sizeof(struct sctp_data_chunk)));
2048                 }
2049                 if (SCTP_BUF_NEXT(dmbuf) == NULL) {
2050                         l_len = SCTP_BUF_LEN(dmbuf);
2051                 } else {
2052                         /*
2053                          * need to count up the size hopefully does not hit
2054                          * this to often :-0
2055                          */
2056                         struct mbuf *lat;
2057
2058                         l_len = 0;
2059                         for (lat = dmbuf; lat; lat = SCTP_BUF_NEXT(lat)) {
2060                                 l_len += SCTP_BUF_LEN(lat);
2061                         }
2062                 }
2063                 if (l_len > the_len) {
2064                         /* Trim the end round bytes off  too */
2065                         m_adj(dmbuf, -(l_len - the_len));
2066                 }
2067         }
2068         if (dmbuf == NULL) {
2069                 SCTP_STAT_INCR(sctps_nomem);
2070                 return (0);
2071         }
2072         /*
2073          * Now no matter what, we need a control, get one if we don't have
2074          * one (we may have gotten it above when we found the message was
2075          * fragmented
2076          */
2077         if (control == NULL) {
2078                 sctp_alloc_a_readq(stcb, control);
2079                 sctp_build_readq_entry_mac(control, stcb, asoc->context, net, tsn,
2080                     ppid,
2081                     sid,
2082                     chk_flags,
2083                     NULL, fsn, mid);
2084                 if (control == NULL) {
2085                         SCTP_STAT_INCR(sctps_nomem);
2086                         return (0);
2087                 }
2088                 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
2089                         struct mbuf *mm;
2090
2091                         control->data = dmbuf;
2092                         for (mm = control->data; mm; mm = mm->m_next) {
2093                                 control->length += SCTP_BUF_LEN(mm);
2094                         }
2095                         control->tail_mbuf = NULL;
2096                         control->end_added = 1;
2097                         control->last_frag_seen = 1;
2098                         control->first_frag_seen = 1;
2099                         control->fsn_included = fsn;
2100                         control->top_fsn = fsn;
2101                 }
2102                 created_control = 1;
2103         }
2104         SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x ordered: %d MID: %u control: %p\n",
2105             chk_flags, ordered, mid, control);
2106         if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG &&
2107             TAILQ_EMPTY(&asoc->resetHead) &&
2108             ((ordered == 0) ||
2109             (SCTP_MID_EQ(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered + 1, mid) &&
2110             TAILQ_EMPTY(&asoc->strmin[sid].inqueue)))) {
2111                 /* Candidate for express delivery */
2112                 /*
2113                  * Its not fragmented, No PD-API is up, Nothing in the
2114                  * delivery queue, Its un-ordered OR ordered and the next to
2115                  * deliver AND nothing else is stuck on the stream queue,
2116                  * And there is room for it in the socket buffer. Lets just
2117                  * stuff it up the buffer....
2118                  */
2119                 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
2120                 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
2121                         asoc->highest_tsn_inside_nr_map = tsn;
2122                 }
2123                 SCTPDBG(SCTP_DEBUG_XXX, "Injecting control: %p to be read (MID: %u)\n",
2124                     control, mid);
2125
2126                 sctp_add_to_readq(stcb->sctp_ep, stcb,
2127                     control, &stcb->sctp_socket->so_rcv,
2128                     1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
2129
2130                 if ((chk_flags & SCTP_DATA_UNORDERED) == 0) {
2131                         /* for ordered, bump what we delivered */
2132                         asoc->strmin[sid].last_mid_delivered++;
2133                 }
2134                 SCTP_STAT_INCR(sctps_recvexpress);
2135                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
2136                         sctp_log_strm_del_alt(stcb, tsn, mid, sid,
2137                             SCTP_STR_LOG_FROM_EXPRS_DEL);
2138                 }
2139                 control = NULL;
2140                 goto finish_express_del;
2141         }
2142         /* Now will we need a chunk too? */
2143         if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) {
2144                 sctp_alloc_a_chunk(stcb, chk);
2145                 if (chk == NULL) {
2146                         /* No memory so we drop the chunk */
2147                         SCTP_STAT_INCR(sctps_nomem);
2148                         if (last_chunk == 0) {
2149                                 /* we copied it, free the copy */
2150                                 sctp_m_freem(dmbuf);
2151                         }
2152                         return (0);
2153                 }
2154                 chk->rec.data.tsn = tsn;
2155                 chk->no_fr_allowed = 0;
2156                 chk->rec.data.fsn = fsn;
2157                 chk->rec.data.mid = mid;
2158                 chk->rec.data.sid = sid;
2159                 chk->rec.data.ppid = ppid;
2160                 chk->rec.data.context = stcb->asoc.context;
2161                 chk->rec.data.doing_fast_retransmit = 0;
2162                 chk->rec.data.rcv_flags = chk_flags;
2163                 chk->asoc = asoc;
2164                 chk->send_size = the_len;
2165                 chk->whoTo = net;
2166                 SCTPDBG(SCTP_DEBUG_XXX, "Building ck: %p for control: %p to be read (MID: %u)\n",
2167                     chk,
2168                     control, mid);
2169                 atomic_add_int(&net->ref_count, 1);
2170                 chk->data = dmbuf;
2171         }
2172         /* Set the appropriate TSN mark */
2173         if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
2174                 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
2175                 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
2176                         asoc->highest_tsn_inside_nr_map = tsn;
2177                 }
2178         } else {
2179                 SCTP_SET_TSN_PRESENT(asoc->mapping_array, gap);
2180                 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map)) {
2181                         asoc->highest_tsn_inside_map = tsn;
2182                 }
2183         }
2184         /* Now is it complete (i.e. not fragmented)? */
2185         if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
2186                 /*
2187                  * Special check for when streams are resetting. We could be
2188                  * more smart about this and check the actual stream to see
2189                  * if it is not being reset.. that way we would not create a
2190                  * HOLB when amongst streams being reset and those not being
2191                  * reset.
2192                  *
2193                  */
2194                 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
2195                     SCTP_TSN_GT(tsn, liste->tsn)) {
2196                         /*
2197                          * yep its past where we need to reset... go ahead
2198                          * and queue it.
2199                          */
2200                         if (TAILQ_EMPTY(&asoc->pending_reply_queue)) {
2201                                 /* first one on */
2202                                 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
2203                         } else {
2204                                 struct sctp_queued_to_read *lcontrol, *nlcontrol;
2205                                 unsigned char inserted = 0;
2206
2207                                 TAILQ_FOREACH_SAFE(lcontrol, &asoc->pending_reply_queue, next, nlcontrol) {
2208                                         if (SCTP_TSN_GT(control->sinfo_tsn, lcontrol->sinfo_tsn)) {
2209
2210                                                 continue;
2211                                         } else {
2212                                                 /* found it */
2213                                                 TAILQ_INSERT_BEFORE(lcontrol, control, next);
2214                                                 inserted = 1;
2215                                                 break;
2216                                         }
2217                                 }
2218                                 if (inserted == 0) {
2219                                         /*
2220                                          * must be put at end, use prevP
2221                                          * (all setup from loop) to setup
2222                                          * nextP.
2223                                          */
2224                                         TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
2225                                 }
2226                         }
2227                         goto finish_express_del;
2228                 }
2229                 if (chk_flags & SCTP_DATA_UNORDERED) {
2230                         /* queue directly into socket buffer */
2231                         SCTPDBG(SCTP_DEBUG_XXX, "Unordered data to be read control: %p MID: %u\n",
2232                             control, mid);
2233                         sctp_mark_non_revokable(asoc, control->sinfo_tsn);
2234                         sctp_add_to_readq(stcb->sctp_ep, stcb,
2235                             control,
2236                             &stcb->sctp_socket->so_rcv, 1,
2237                             SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
2238
2239                 } else {
2240                         SCTPDBG(SCTP_DEBUG_XXX, "Queue control: %p for reordering MID: %u\n", control,
2241                             mid);
2242                         sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
2243                         if (*abort_flag) {
2244                                 if (last_chunk) {
2245                                         *m = NULL;
2246                                 }
2247                                 return (0);
2248                         }
2249                 }
2250                 goto finish_express_del;
2251         }
2252         /* If we reach here its a reassembly */
2253         need_reasm_check = 1;
2254         SCTPDBG(SCTP_DEBUG_XXX,
2255             "Queue data to stream for reasm control: %p MID: %u\n",
2256             control, mid);
2257         sctp_queue_data_for_reasm(stcb, asoc, control, chk, created_control, abort_flag, tsn);
2258         if (*abort_flag) {
2259                 /*
2260                  * the assoc is now gone and chk was put onto the reasm
2261                  * queue, which has all been freed.
2262                  */
2263                 if (last_chunk) {
2264                         *m = NULL;
2265                 }
2266                 return (0);
2267         }
2268 finish_express_del:
2269         /* Here we tidy up things */
2270         if (tsn == (asoc->cumulative_tsn + 1)) {
2271                 /* Update cum-ack */
2272                 asoc->cumulative_tsn = tsn;
2273         }
2274         if (last_chunk) {
2275                 *m = NULL;
2276         }
2277         if (ordered) {
2278                 SCTP_STAT_INCR_COUNTER64(sctps_inorderchunks);
2279         } else {
2280                 SCTP_STAT_INCR_COUNTER64(sctps_inunorderchunks);
2281         }
2282         SCTP_STAT_INCR(sctps_recvdata);
2283         /* Set it present please */
2284         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
2285                 sctp_log_strm_del_alt(stcb, tsn, mid, sid, SCTP_STR_LOG_FROM_MARK_TSN);
2286         }
2287         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2288                 sctp_log_map(asoc->mapping_array_base_tsn, asoc->cumulative_tsn,
2289                     asoc->highest_tsn_inside_map, SCTP_MAP_PREPARE_SLIDE);
2290         }
2291         if (need_reasm_check) {
2292                 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[sid], SCTP_READ_LOCK_NOT_HELD);
2293                 need_reasm_check = 0;
2294         }
2295         /* check the special flag for stream resets */
2296         if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
2297             SCTP_TSN_GE(asoc->cumulative_tsn, liste->tsn)) {
2298                 /*
2299                  * we have finished working through the backlogged TSN's now
2300                  * time to reset streams. 1: call reset function. 2: free
2301                  * pending_reply space 3: distribute any chunks in
2302                  * pending_reply_queue.
2303                  */
2304                 sctp_reset_in_stream(stcb, liste->number_entries, liste->list_of_streams);
2305                 TAILQ_REMOVE(&asoc->resetHead, liste, next_resp);
2306                 sctp_send_deferred_reset_response(stcb, liste, SCTP_STREAM_RESET_RESULT_PERFORMED);
2307                 SCTP_FREE(liste, SCTP_M_STRESET);
2308                 /* sa_ignore FREED_MEMORY */
2309                 liste = TAILQ_FIRST(&asoc->resetHead);
2310                 if (TAILQ_EMPTY(&asoc->resetHead)) {
2311                         /* All can be removed */
2312                         TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
2313                                 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
2314                                 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
2315                                 if (*abort_flag) {
2316                                         return (0);
2317                                 }
2318                                 if (need_reasm_check) {
2319                                         (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
2320                                         need_reasm_check = 0;
2321                                 }
2322                         }
2323                 } else {
2324                         TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
2325                                 if (SCTP_TSN_GT(control->sinfo_tsn, liste->tsn)) {
2326                                         break;
2327                                 }
2328                                 /*
2329                                  * if control->sinfo_tsn is <= liste->tsn we
2330                                  * can process it which is the NOT of
2331                                  * control->sinfo_tsn > liste->tsn
2332                                  */
2333                                 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
2334                                 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
2335                                 if (*abort_flag) {
2336                                         return (0);
2337                                 }
2338                                 if (need_reasm_check) {
2339                                         (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
2340                                         need_reasm_check = 0;
2341                                 }
2342                         }
2343                 }
2344         }
2345         return (1);
2346 }
2347
2348 static const int8_t sctp_map_lookup_tab[256] = {
2349         0, 1, 0, 2, 0, 1, 0, 3,
2350         0, 1, 0, 2, 0, 1, 0, 4,
2351         0, 1, 0, 2, 0, 1, 0, 3,
2352         0, 1, 0, 2, 0, 1, 0, 5,
2353         0, 1, 0, 2, 0, 1, 0, 3,
2354         0, 1, 0, 2, 0, 1, 0, 4,
2355         0, 1, 0, 2, 0, 1, 0, 3,
2356         0, 1, 0, 2, 0, 1, 0, 6,
2357         0, 1, 0, 2, 0, 1, 0, 3,
2358         0, 1, 0, 2, 0, 1, 0, 4,
2359         0, 1, 0, 2, 0, 1, 0, 3,
2360         0, 1, 0, 2, 0, 1, 0, 5,
2361         0, 1, 0, 2, 0, 1, 0, 3,
2362         0, 1, 0, 2, 0, 1, 0, 4,
2363         0, 1, 0, 2, 0, 1, 0, 3,
2364         0, 1, 0, 2, 0, 1, 0, 7,
2365         0, 1, 0, 2, 0, 1, 0, 3,
2366         0, 1, 0, 2, 0, 1, 0, 4,
2367         0, 1, 0, 2, 0, 1, 0, 3,
2368         0, 1, 0, 2, 0, 1, 0, 5,
2369         0, 1, 0, 2, 0, 1, 0, 3,
2370         0, 1, 0, 2, 0, 1, 0, 4,
2371         0, 1, 0, 2, 0, 1, 0, 3,
2372         0, 1, 0, 2, 0, 1, 0, 6,
2373         0, 1, 0, 2, 0, 1, 0, 3,
2374         0, 1, 0, 2, 0, 1, 0, 4,
2375         0, 1, 0, 2, 0, 1, 0, 3,
2376         0, 1, 0, 2, 0, 1, 0, 5,
2377         0, 1, 0, 2, 0, 1, 0, 3,
2378         0, 1, 0, 2, 0, 1, 0, 4,
2379         0, 1, 0, 2, 0, 1, 0, 3,
2380         0, 1, 0, 2, 0, 1, 0, 8
2381 };
2382
2383
2384 void
2385 sctp_slide_mapping_arrays(struct sctp_tcb *stcb)
2386 {
2387         /*
2388          * Now we also need to check the mapping array in a couple of ways.
2389          * 1) Did we move the cum-ack point?
2390          *
2391          * When you first glance at this you might think that all entries
2392          * that make up the position of the cum-ack would be in the
2393          * nr-mapping array only.. i.e. things up to the cum-ack are always
2394          * deliverable. Thats true with one exception, when its a fragmented
2395          * message we may not deliver the data until some threshold (or all
2396          * of it) is in place. So we must OR the nr_mapping_array and
2397          * mapping_array to get a true picture of the cum-ack.
2398          */
2399         struct sctp_association *asoc;
2400         int at;
2401         uint8_t val;
2402         int slide_from, slide_end, lgap, distance;
2403         uint32_t old_cumack, old_base, old_highest, highest_tsn;
2404
2405         asoc = &stcb->asoc;
2406
2407         old_cumack = asoc->cumulative_tsn;
2408         old_base = asoc->mapping_array_base_tsn;
2409         old_highest = asoc->highest_tsn_inside_map;
2410         /*
2411          * We could probably improve this a small bit by calculating the
2412          * offset of the current cum-ack as the starting point.
2413          */
2414         at = 0;
2415         for (slide_from = 0; slide_from < stcb->asoc.mapping_array_size; slide_from++) {
2416                 val = asoc->nr_mapping_array[slide_from] | asoc->mapping_array[slide_from];
2417                 if (val == 0xff) {
2418                         at += 8;
2419                 } else {
2420                         /* there is a 0 bit */
2421                         at += sctp_map_lookup_tab[val];
2422                         break;
2423                 }
2424         }
2425         asoc->cumulative_tsn = asoc->mapping_array_base_tsn + (at - 1);
2426
2427         if (SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_map) &&
2428             SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_nr_map)) {
2429 #ifdef INVARIANTS
2430                 panic("huh, cumack 0x%x greater than high-tsn 0x%x in map",
2431                     asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
2432 #else
2433                 SCTP_PRINTF("huh, cumack 0x%x greater than high-tsn 0x%x in map - should panic?\n",
2434                     asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
2435                 sctp_print_mapping_array(asoc);
2436                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2437                         sctp_log_map(0, 6, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
2438                 }
2439                 asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
2440                 asoc->highest_tsn_inside_nr_map = asoc->cumulative_tsn;
2441 #endif
2442         }
2443         if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2444                 highest_tsn = asoc->highest_tsn_inside_nr_map;
2445         } else {
2446                 highest_tsn = asoc->highest_tsn_inside_map;
2447         }
2448         if ((asoc->cumulative_tsn == highest_tsn) && (at >= 8)) {
2449                 /* The complete array was completed by a single FR */
2450                 /* highest becomes the cum-ack */
2451                 int clr;
2452 #ifdef INVARIANTS
2453                 unsigned int i;
2454 #endif
2455
2456                 /* clear the array */
2457                 clr = ((at + 7) >> 3);
2458                 if (clr > asoc->mapping_array_size) {
2459                         clr = asoc->mapping_array_size;
2460                 }
2461                 memset(asoc->mapping_array, 0, clr);
2462                 memset(asoc->nr_mapping_array, 0, clr);
2463 #ifdef INVARIANTS
2464                 for (i = 0; i < asoc->mapping_array_size; i++) {
2465                         if ((asoc->mapping_array[i]) || (asoc->nr_mapping_array[i])) {
2466                                 SCTP_PRINTF("Error Mapping array's not clean at clear\n");
2467                                 sctp_print_mapping_array(asoc);
2468                         }
2469                 }
2470 #endif
2471                 asoc->mapping_array_base_tsn = asoc->cumulative_tsn + 1;
2472                 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
2473         } else if (at >= 8) {
2474                 /* we can slide the mapping array down */
2475                 /* slide_from holds where we hit the first NON 0xff byte */
2476
2477                 /*
2478                  * now calculate the ceiling of the move using our highest
2479                  * TSN value
2480                  */
2481                 SCTP_CALC_TSN_TO_GAP(lgap, highest_tsn, asoc->mapping_array_base_tsn);
2482                 slide_end = (lgap >> 3);
2483                 if (slide_end < slide_from) {
2484                         sctp_print_mapping_array(asoc);
2485 #ifdef INVARIANTS
2486                         panic("impossible slide");
2487 #else
2488                         SCTP_PRINTF("impossible slide lgap: %x slide_end: %x slide_from: %x? at: %d\n",
2489                             lgap, slide_end, slide_from, at);
2490                         return;
2491 #endif
2492                 }
2493                 if (slide_end > asoc->mapping_array_size) {
2494 #ifdef INVARIANTS
2495                         panic("would overrun buffer");
2496 #else
2497                         SCTP_PRINTF("Gak, would have overrun map end: %d slide_end: %d\n",
2498                             asoc->mapping_array_size, slide_end);
2499                         slide_end = asoc->mapping_array_size;
2500 #endif
2501                 }
2502                 distance = (slide_end - slide_from) + 1;
2503                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2504                         sctp_log_map(old_base, old_cumack, old_highest,
2505                             SCTP_MAP_PREPARE_SLIDE);
2506                         sctp_log_map((uint32_t)slide_from, (uint32_t)slide_end,
2507                             (uint32_t)lgap, SCTP_MAP_SLIDE_FROM);
2508                 }
2509                 if (distance + slide_from > asoc->mapping_array_size ||
2510                     distance < 0) {
2511                         /*
2512                          * Here we do NOT slide forward the array so that
2513                          * hopefully when more data comes in to fill it up
2514                          * we will be able to slide it forward. Really I
2515                          * don't think this should happen :-0
2516                          */
2517
2518                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2519                                 sctp_log_map((uint32_t)distance, (uint32_t)slide_from,
2520                                     (uint32_t)asoc->mapping_array_size,
2521                                     SCTP_MAP_SLIDE_NONE);
2522                         }
2523                 } else {
2524                         int ii;
2525
2526                         for (ii = 0; ii < distance; ii++) {
2527                                 asoc->mapping_array[ii] = asoc->mapping_array[slide_from + ii];
2528                                 asoc->nr_mapping_array[ii] = asoc->nr_mapping_array[slide_from + ii];
2529
2530                         }
2531                         for (ii = distance; ii < asoc->mapping_array_size; ii++) {
2532                                 asoc->mapping_array[ii] = 0;
2533                                 asoc->nr_mapping_array[ii] = 0;
2534                         }
2535                         if (asoc->highest_tsn_inside_map + 1 == asoc->mapping_array_base_tsn) {
2536                                 asoc->highest_tsn_inside_map += (slide_from << 3);
2537                         }
2538                         if (asoc->highest_tsn_inside_nr_map + 1 == asoc->mapping_array_base_tsn) {
2539                                 asoc->highest_tsn_inside_nr_map += (slide_from << 3);
2540                         }
2541                         asoc->mapping_array_base_tsn += (slide_from << 3);
2542                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2543                                 sctp_log_map(asoc->mapping_array_base_tsn,
2544                                     asoc->cumulative_tsn, asoc->highest_tsn_inside_map,
2545                                     SCTP_MAP_SLIDE_RESULT);
2546                         }
2547                 }
2548         }
2549 }
2550
2551 void
2552 sctp_sack_check(struct sctp_tcb *stcb, int was_a_gap)
2553 {
2554         struct sctp_association *asoc;
2555         uint32_t highest_tsn;
2556         int is_a_gap;
2557
2558         sctp_slide_mapping_arrays(stcb);
2559         asoc = &stcb->asoc;
2560         if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2561                 highest_tsn = asoc->highest_tsn_inside_nr_map;
2562         } else {
2563                 highest_tsn = asoc->highest_tsn_inside_map;
2564         }
2565         /* Is there a gap now? */
2566         is_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
2567
2568         /*
2569          * Now we need to see if we need to queue a sack or just start the
2570          * timer (if allowed).
2571          */
2572         if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
2573                 /*
2574                  * Ok special case, in SHUTDOWN-SENT case. here we maker
2575                  * sure SACK timer is off and instead send a SHUTDOWN and a
2576                  * SACK
2577                  */
2578                 if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
2579                         sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
2580                             stcb->sctp_ep, stcb, NULL,
2581                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_17);
2582                 }
2583                 sctp_send_shutdown(stcb,
2584                     ((stcb->asoc.alternate) ? stcb->asoc.alternate : stcb->asoc.primary_destination));
2585                 if (is_a_gap) {
2586                         sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
2587                 }
2588         } else {
2589                 /*
2590                  * CMT DAC algorithm: increase number of packets received
2591                  * since last ack
2592                  */
2593                 stcb->asoc.cmt_dac_pkts_rcvd++;
2594
2595                 if ((stcb->asoc.send_sack == 1) ||      /* We need to send a
2596                                                          * SACK */
2597                     ((was_a_gap) && (is_a_gap == 0)) || /* was a gap, but no
2598                                                          * longer is one */
2599                     (stcb->asoc.numduptsns) ||  /* we have dup's */
2600                     (is_a_gap) ||       /* is still a gap */
2601                     (stcb->asoc.delayed_ack == 0) ||    /* Delayed sack disabled */
2602                     (stcb->asoc.data_pkts_seen >= stcb->asoc.sack_freq) /* hit limit of pkts */
2603                     ) {
2604
2605                         if ((stcb->asoc.sctp_cmt_on_off > 0) &&
2606                             (SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) &&
2607                             (stcb->asoc.send_sack == 0) &&
2608                             (stcb->asoc.numduptsns == 0) &&
2609                             (stcb->asoc.delayed_ack) &&
2610                             (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer))) {
2611
2612                                 /*
2613                                  * CMT DAC algorithm: With CMT, delay acks
2614                                  * even in the face of
2615                                  *
2616                                  * reordering. Therefore, if acks that do
2617                                  * not have to be sent because of the above
2618                                  * reasons, will be delayed. That is, acks
2619                                  * that would have been sent due to gap
2620                                  * reports will be delayed with DAC. Start
2621                                  * the delayed ack timer.
2622                                  */
2623                                 sctp_timer_start(SCTP_TIMER_TYPE_RECV,
2624                                     stcb->sctp_ep, stcb, NULL);
2625                         } else {
2626                                 /*
2627                                  * Ok we must build a SACK since the timer
2628                                  * is pending, we got our first packet OR
2629                                  * there are gaps or duplicates.
2630                                  */
2631                                 (void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
2632                                 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
2633                         }
2634                 } else {
2635                         if (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
2636                                 sctp_timer_start(SCTP_TIMER_TYPE_RECV,
2637                                     stcb->sctp_ep, stcb, NULL);
2638                         }
2639                 }
2640         }
2641 }
2642
2643 int
2644 sctp_process_data(struct mbuf **mm, int iphlen, int *offset, int length,
2645     struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2646     struct sctp_nets *net, uint32_t *high_tsn)
2647 {
2648         struct sctp_chunkhdr *ch, chunk_buf;
2649         struct sctp_association *asoc;
2650         int num_chunks = 0;     /* number of control chunks processed */
2651         int stop_proc = 0;
2652         int break_flag, last_chunk;
2653         int abort_flag = 0, was_a_gap;
2654         struct mbuf *m;
2655         uint32_t highest_tsn;
2656         uint16_t chk_length;
2657
2658         /* set the rwnd */
2659         sctp_set_rwnd(stcb, &stcb->asoc);
2660
2661         m = *mm;
2662         SCTP_TCB_LOCK_ASSERT(stcb);
2663         asoc = &stcb->asoc;
2664         if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2665                 highest_tsn = asoc->highest_tsn_inside_nr_map;
2666         } else {
2667                 highest_tsn = asoc->highest_tsn_inside_map;
2668         }
2669         was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
2670         /*
2671          * setup where we got the last DATA packet from for any SACK that
2672          * may need to go out. Don't bump the net. This is done ONLY when a
2673          * chunk is assigned.
2674          */
2675         asoc->last_data_chunk_from = net;
2676
2677         /*-
2678          * Now before we proceed we must figure out if this is a wasted
2679          * cluster... i.e. it is a small packet sent in and yet the driver
2680          * underneath allocated a full cluster for it. If so we must copy it
2681          * to a smaller mbuf and free up the cluster mbuf. This will help
2682          * with cluster starvation. Note for __Panda__ we don't do this
2683          * since it has clusters all the way down to 64 bytes.
2684          */
2685         if (SCTP_BUF_LEN(m) < (long)MLEN && SCTP_BUF_NEXT(m) == NULL) {
2686                 /* we only handle mbufs that are singletons.. not chains */
2687                 m = sctp_get_mbuf_for_msg(SCTP_BUF_LEN(m), 0, M_NOWAIT, 1, MT_DATA);
2688                 if (m) {
2689                         /* ok lets see if we can copy the data up */
2690                         caddr_t *from, *to;
2691
2692                         /* get the pointers and copy */
2693                         to = mtod(m, caddr_t *);
2694                         from = mtod((*mm), caddr_t *);
2695                         memcpy(to, from, SCTP_BUF_LEN((*mm)));
2696                         /* copy the length and free up the old */
2697                         SCTP_BUF_LEN(m) = SCTP_BUF_LEN((*mm));
2698                         sctp_m_freem(*mm);
2699                         /* success, back copy */
2700                         *mm = m;
2701                 } else {
2702                         /* We are in trouble in the mbuf world .. yikes */
2703                         m = *mm;
2704                 }
2705         }
2706         /* get pointer to the first chunk header */
2707         ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
2708             sizeof(struct sctp_chunkhdr),
2709             (uint8_t *)&chunk_buf);
2710         if (ch == NULL) {
2711                 return (1);
2712         }
2713         /*
2714          * process all DATA chunks...
2715          */
2716         *high_tsn = asoc->cumulative_tsn;
2717         break_flag = 0;
2718         asoc->data_pkts_seen++;
2719         while (stop_proc == 0) {
2720                 /* validate chunk length */
2721                 chk_length = ntohs(ch->chunk_length);
2722                 if (length - *offset < chk_length) {
2723                         /* all done, mutulated chunk */
2724                         stop_proc = 1;
2725                         continue;
2726                 }
2727                 if ((asoc->idata_supported == 1) &&
2728                     (ch->chunk_type == SCTP_DATA)) {
2729                         struct mbuf *op_err;
2730                         char msg[SCTP_DIAG_INFO_LEN];
2731
2732                         snprintf(msg, sizeof(msg), "%s", "I-DATA chunk received when DATA was negotiated");
2733                         op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2734                         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_18;
2735                         sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2736                         return (2);
2737                 }
2738                 if ((asoc->idata_supported == 0) &&
2739                     (ch->chunk_type == SCTP_IDATA)) {
2740                         struct mbuf *op_err;
2741                         char msg[SCTP_DIAG_INFO_LEN];
2742
2743                         snprintf(msg, sizeof(msg), "%s", "DATA chunk received when I-DATA was negotiated");
2744                         op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2745                         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_19;
2746                         sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2747                         return (2);
2748                 }
2749                 if ((ch->chunk_type == SCTP_DATA) ||
2750                     (ch->chunk_type == SCTP_IDATA)) {
2751                         uint16_t clen;
2752
2753                         if (ch->chunk_type == SCTP_DATA) {
2754                                 clen = sizeof(struct sctp_data_chunk);
2755                         } else {
2756                                 clen = sizeof(struct sctp_idata_chunk);
2757                         }
2758                         if (chk_length < clen) {
2759                                 /*
2760                                  * Need to send an abort since we had a
2761                                  * invalid data chunk.
2762                                  */
2763                                 struct mbuf *op_err;
2764                                 char msg[SCTP_DIAG_INFO_LEN];
2765
2766                                 snprintf(msg, sizeof(msg), "%s chunk of length %u",
2767                                     ch->chunk_type == SCTP_DATA ? "DATA" : "I-DATA",
2768                                     chk_length);
2769                                 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2770                                 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_20;
2771                                 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2772                                 return (2);
2773                         }
2774 #ifdef SCTP_AUDITING_ENABLED
2775                         sctp_audit_log(0xB1, 0);
2776 #endif
2777                         if (SCTP_SIZE32(chk_length) == (length - *offset)) {
2778                                 last_chunk = 1;
2779                         } else {
2780                                 last_chunk = 0;
2781                         }
2782                         if (sctp_process_a_data_chunk(stcb, asoc, mm, *offset,
2783                             chk_length, net, high_tsn, &abort_flag, &break_flag,
2784                             last_chunk, ch->chunk_type)) {
2785                                 num_chunks++;
2786                         }
2787                         if (abort_flag)
2788                                 return (2);
2789
2790                         if (break_flag) {
2791                                 /*
2792                                  * Set because of out of rwnd space and no
2793                                  * drop rep space left.
2794                                  */
2795                                 stop_proc = 1;
2796                                 continue;
2797                         }
2798                 } else {
2799                         /* not a data chunk in the data region */
2800                         switch (ch->chunk_type) {
2801                         case SCTP_INITIATION:
2802                         case SCTP_INITIATION_ACK:
2803                         case SCTP_SELECTIVE_ACK:
2804                         case SCTP_NR_SELECTIVE_ACK:
2805                         case SCTP_HEARTBEAT_REQUEST:
2806                         case SCTP_HEARTBEAT_ACK:
2807                         case SCTP_ABORT_ASSOCIATION:
2808                         case SCTP_SHUTDOWN:
2809                         case SCTP_SHUTDOWN_ACK:
2810                         case SCTP_OPERATION_ERROR:
2811                         case SCTP_COOKIE_ECHO:
2812                         case SCTP_COOKIE_ACK:
2813                         case SCTP_ECN_ECHO:
2814                         case SCTP_ECN_CWR:
2815                         case SCTP_SHUTDOWN_COMPLETE:
2816                         case SCTP_AUTHENTICATION:
2817                         case SCTP_ASCONF_ACK:
2818                         case SCTP_PACKET_DROPPED:
2819                         case SCTP_STREAM_RESET:
2820                         case SCTP_FORWARD_CUM_TSN:
2821                         case SCTP_ASCONF:
2822                                 {
2823                                         /*
2824                                          * Now, what do we do with KNOWN
2825                                          * chunks that are NOT in the right
2826                                          * place?
2827                                          *
2828                                          * For now, I do nothing but ignore
2829                                          * them. We may later want to add
2830                                          * sysctl stuff to switch out and do
2831                                          * either an ABORT() or possibly
2832                                          * process them.
2833                                          */
2834                                         struct mbuf *op_err;
2835                                         char msg[SCTP_DIAG_INFO_LEN];
2836
2837                                         snprintf(msg, sizeof(msg), "DATA chunk followed by chunk of type %2.2x",
2838                                             ch->chunk_type);
2839                                         op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2840                                         sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2841                                         return (2);
2842                                 }
2843                         default:
2844                                 /*
2845                                  * Unknown chunk type: use bit rules after
2846                                  * checking length
2847                                  */
2848                                 if (chk_length < sizeof(struct sctp_chunkhdr)) {
2849                                         /*
2850                                          * Need to send an abort since we
2851                                          * had a invalid chunk.
2852                                          */
2853                                         struct mbuf *op_err;
2854                                         char msg[SCTP_DIAG_INFO_LEN];
2855
2856                                         snprintf(msg, sizeof(msg), "Chunk of length %u",
2857                                             chk_length);
2858                                         op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2859                                         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_20;
2860                                         sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2861                                         return (2);
2862                                 }
2863                                 if (ch->chunk_type & 0x40) {
2864                                         /* Add a error report to the queue */
2865                                         struct mbuf *op_err;
2866                                         struct sctp_gen_error_cause *cause;
2867
2868                                         op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause),
2869                                             0, M_NOWAIT, 1, MT_DATA);
2870                                         if (op_err != NULL) {
2871                                                 cause = mtod(op_err, struct sctp_gen_error_cause *);
2872                                                 cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK);
2873                                                 cause->length = htons((uint16_t)(chk_length + sizeof(struct sctp_gen_error_cause)));
2874                                                 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
2875                                                 SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, chk_length, M_NOWAIT);
2876                                                 if (SCTP_BUF_NEXT(op_err) != NULL) {
2877                                                         sctp_queue_op_err(stcb, op_err);
2878                                                 } else {
2879                                                         sctp_m_freem(op_err);
2880                                                 }
2881                                         }
2882                                 }
2883                                 if ((ch->chunk_type & 0x80) == 0) {
2884                                         /* discard the rest of this packet */
2885                                         stop_proc = 1;
2886                                 }       /* else skip this bad chunk and
2887                                          * continue... */
2888                                 break;
2889                         }       /* switch of chunk type */
2890                 }
2891                 *offset += SCTP_SIZE32(chk_length);
2892                 if ((*offset >= length) || stop_proc) {
2893                         /* no more data left in the mbuf chain */
2894                         stop_proc = 1;
2895                         continue;
2896                 }
2897                 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
2898                     sizeof(struct sctp_chunkhdr),
2899                     (uint8_t *)&chunk_buf);
2900                 if (ch == NULL) {
2901                         *offset = length;
2902                         stop_proc = 1;
2903                         continue;
2904                 }
2905         }
2906         if (break_flag) {
2907                 /*
2908                  * we need to report rwnd overrun drops.
2909                  */
2910                 sctp_send_packet_dropped(stcb, net, *mm, length, iphlen, 0);
2911         }
2912         if (num_chunks) {
2913                 /*
2914                  * Did we get data, if so update the time for auto-close and
2915                  * give peer credit for being alive.
2916                  */
2917                 SCTP_STAT_INCR(sctps_recvpktwithdata);
2918                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
2919                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
2920                             stcb->asoc.overall_error_count,
2921                             0,
2922                             SCTP_FROM_SCTP_INDATA,
2923                             __LINE__);
2924                 }
2925                 stcb->asoc.overall_error_count = 0;
2926                 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_last_rcvd);
2927         }
2928         /* now service all of the reassm queue if needed */
2929         if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
2930                 /* Assure that we ack right away */
2931                 stcb->asoc.send_sack = 1;
2932         }
2933         /* Start a sack timer or QUEUE a SACK for sending */
2934         sctp_sack_check(stcb, was_a_gap);
2935         return (0);
2936 }
2937
2938 static int
2939 sctp_process_segment_range(struct sctp_tcb *stcb, struct sctp_tmit_chunk **p_tp1, uint32_t last_tsn,
2940     uint16_t frag_strt, uint16_t frag_end, int nr_sacking,
2941     int *num_frs,
2942     uint32_t *biggest_newly_acked_tsn,
2943     uint32_t *this_sack_lowest_newack,
2944     int *rto_ok)
2945 {
2946         struct sctp_tmit_chunk *tp1;
2947         unsigned int theTSN;
2948         int j, wake_him = 0, circled = 0;
2949
2950         /* Recover the tp1 we last saw */
2951         tp1 = *p_tp1;
2952         if (tp1 == NULL) {
2953                 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2954         }
2955         for (j = frag_strt; j <= frag_end; j++) {
2956                 theTSN = j + last_tsn;
2957                 while (tp1) {
2958                         if (tp1->rec.data.doing_fast_retransmit)
2959                                 (*num_frs) += 1;
2960
2961                         /*-
2962                          * CMT: CUCv2 algorithm. For each TSN being
2963                          * processed from the sent queue, track the
2964                          * next expected pseudo-cumack, or
2965                          * rtx_pseudo_cumack, if required. Separate
2966                          * cumack trackers for first transmissions,
2967                          * and retransmissions.
2968                          */
2969                         if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
2970                             (tp1->whoTo->find_pseudo_cumack == 1) &&
2971                             (tp1->snd_count == 1)) {
2972                                 tp1->whoTo->pseudo_cumack = tp1->rec.data.tsn;
2973                                 tp1->whoTo->find_pseudo_cumack = 0;
2974                         }
2975                         if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
2976                             (tp1->whoTo->find_rtx_pseudo_cumack == 1) &&
2977                             (tp1->snd_count > 1)) {
2978                                 tp1->whoTo->rtx_pseudo_cumack = tp1->rec.data.tsn;
2979                                 tp1->whoTo->find_rtx_pseudo_cumack = 0;
2980                         }
2981                         if (tp1->rec.data.tsn == theTSN) {
2982                                 if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
2983                                         /*-
2984                                          * must be held until
2985                                          * cum-ack passes
2986                                          */
2987                                         if (tp1->sent < SCTP_DATAGRAM_RESEND) {
2988                                                 /*-
2989                                                  * If it is less than RESEND, it is
2990                                                  * now no-longer in flight.
2991                                                  * Higher values may already be set
2992                                                  * via previous Gap Ack Blocks...
2993                                                  * i.e. ACKED or RESEND.
2994                                                  */
2995                                                 if (SCTP_TSN_GT(tp1->rec.data.tsn,
2996                                                     *biggest_newly_acked_tsn)) {
2997                                                         *biggest_newly_acked_tsn = tp1->rec.data.tsn;
2998                                                 }
2999                                                 /*-
3000                                                  * CMT: SFR algo (and HTNA) - set
3001                                                  * saw_newack to 1 for dest being
3002                                                  * newly acked. update
3003                                                  * this_sack_highest_newack if
3004                                                  * appropriate.
3005                                                  */
3006                                                 if (tp1->rec.data.chunk_was_revoked == 0)
3007                                                         tp1->whoTo->saw_newack = 1;
3008
3009                                                 if (SCTP_TSN_GT(tp1->rec.data.tsn,
3010                                                     tp1->whoTo->this_sack_highest_newack)) {
3011                                                         tp1->whoTo->this_sack_highest_newack =
3012                                                             tp1->rec.data.tsn;
3013                                                 }
3014                                                 /*-
3015                                                  * CMT DAC algo: also update
3016                                                  * this_sack_lowest_newack
3017                                                  */
3018                                                 if (*this_sack_lowest_newack == 0) {
3019                                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
3020                                                                 sctp_log_sack(*this_sack_lowest_newack,
3021                                                                     last_tsn,
3022                                                                     tp1->rec.data.tsn,
3023                                                                     0,
3024                                                                     0,
3025                                                                     SCTP_LOG_TSN_ACKED);
3026                                                         }
3027                                                         *this_sack_lowest_newack = tp1->rec.data.tsn;
3028                                                 }
3029                                                 /*-
3030                                                  * CMT: CUCv2 algorithm. If (rtx-)pseudo-cumack for corresp
3031                                                  * dest is being acked, then we have a new (rtx-)pseudo-cumack. Set
3032                                                  * new_(rtx_)pseudo_cumack to TRUE so that the cwnd for this dest can be
3033                                                  * updated. Also trigger search for the next expected (rtx-)pseudo-cumack.
3034                                                  * Separate pseudo_cumack trackers for first transmissions and
3035                                                  * retransmissions.
3036                                                  */
3037                                                 if (tp1->rec.data.tsn == tp1->whoTo->pseudo_cumack) {
3038                                                         if (tp1->rec.data.chunk_was_revoked == 0) {
3039                                                                 tp1->whoTo->new_pseudo_cumack = 1;
3040                                                         }
3041                                                         tp1->whoTo->find_pseudo_cumack = 1;
3042                                                 }
3043                                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
3044                                                         sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
3045                                                 }
3046                                                 if (tp1->rec.data.tsn == tp1->whoTo->rtx_pseudo_cumack) {
3047                                                         if (tp1->rec.data.chunk_was_revoked == 0) {
3048                                                                 tp1->whoTo->new_pseudo_cumack = 1;
3049                                                         }
3050                                                         tp1->whoTo->find_rtx_pseudo_cumack = 1;
3051                                                 }
3052                                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
3053                                                         sctp_log_sack(*biggest_newly_acked_tsn,
3054                                                             last_tsn,
3055                                                             tp1->rec.data.tsn,
3056                                                             frag_strt,
3057                                                             frag_end,
3058                                                             SCTP_LOG_TSN_ACKED);
3059                                                 }
3060                                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3061                                                         sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_GAP,
3062                                                             tp1->whoTo->flight_size,
3063                                                             tp1->book_size,
3064                                                             (uint32_t)(uintptr_t)tp1->whoTo,
3065                                                             tp1->rec.data.tsn);
3066                                                 }
3067                                                 sctp_flight_size_decrease(tp1);
3068                                                 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3069                                                         (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
3070                                                             tp1);
3071                                                 }
3072                                                 sctp_total_flight_decrease(stcb, tp1);
3073
3074                                                 tp1->whoTo->net_ack += tp1->send_size;
3075                                                 if (tp1->snd_count < 2) {
3076                                                         /*-
3077                                                          * True non-retransmited chunk
3078                                                          */
3079                                                         tp1->whoTo->net_ack2 += tp1->send_size;
3080
3081                                                         /*-
3082                                                          * update RTO too ?
3083                                                          */
3084                                                         if (tp1->do_rtt) {
3085                                                                 if (*rto_ok) {
3086                                                                         tp1->whoTo->RTO =
3087                                                                             sctp_calculate_rto(stcb,
3088                                                                             &stcb->asoc,
3089                                                                             tp1->whoTo,
3090                                                                             &tp1->sent_rcv_time,
3091                                                                             SCTP_RTT_FROM_DATA);
3092                                                                         *rto_ok = 0;
3093                                                                 }
3094                                                                 if (tp1->whoTo->rto_needed == 0) {
3095                                                                         tp1->whoTo->rto_needed = 1;
3096                                                                 }
3097                                                                 tp1->do_rtt = 0;
3098                                                         }
3099                                                 }
3100                                         }
3101                                         if (tp1->sent <= SCTP_DATAGRAM_RESEND) {
3102                                                 if (SCTP_TSN_GT(tp1->rec.data.tsn,
3103                                                     stcb->asoc.this_sack_highest_gap)) {
3104                                                         stcb->asoc.this_sack_highest_gap =
3105                                                             tp1->rec.data.tsn;
3106                                                 }
3107                                                 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
3108                                                         sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
3109 #ifdef SCTP_AUDITING_ENABLED
3110                                                         sctp_audit_log(0xB2,
3111                                                             (stcb->asoc.sent_queue_retran_cnt & 0x000000ff));
3112 #endif
3113                                                 }
3114                                         }
3115                                         /*-
3116                                          * All chunks NOT UNSENT fall through here and are marked
3117                                          * (leave PR-SCTP ones that are to skip alone though)
3118                                          */
3119                                         if ((tp1->sent != SCTP_FORWARD_TSN_SKIP) &&
3120                                             (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
3121                                                 tp1->sent = SCTP_DATAGRAM_MARKED;
3122                                         }
3123                                         if (tp1->rec.data.chunk_was_revoked) {
3124                                                 /* deflate the cwnd */
3125                                                 tp1->whoTo->cwnd -= tp1->book_size;
3126                                                 tp1->rec.data.chunk_was_revoked = 0;
3127                                         }
3128                                         /* NR Sack code here */
3129                                         if (nr_sacking &&
3130                                             (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
3131                                                 if (stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
3132                                                         stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues--;
3133 #ifdef INVARIANTS
3134                                                 } else {
3135                                                         panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
3136 #endif
3137                                                 }
3138                                                 if ((stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
3139                                                     (stcb->asoc.strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
3140                                                     TAILQ_EMPTY(&stcb->asoc.strmout[tp1->rec.data.sid].outqueue)) {
3141                                                         stcb->asoc.trigger_reset = 1;
3142                                                 }
3143                                                 tp1->sent = SCTP_DATAGRAM_NR_ACKED;
3144                                                 if (tp1->data) {
3145                                                         /*
3146                                                          * sa_ignore
3147                                                          * NO_NULL_CHK
3148                                                          */
3149                                                         sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1);
3150                                                         sctp_m_freem(tp1->data);
3151                                                         tp1->data = NULL;
3152                                                 }
3153                                                 wake_him++;
3154                                         }
3155                                 }
3156                                 break;
3157                         }       /* if (tp1->tsn == theTSN) */
3158                         if (SCTP_TSN_GT(tp1->rec.data.tsn, theTSN)) {
3159                                 break;
3160                         }
3161                         tp1 = TAILQ_NEXT(tp1, sctp_next);
3162                         if ((tp1 == NULL) && (circled == 0)) {
3163                                 circled++;
3164                                 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
3165                         }
3166                 }               /* end while (tp1) */
3167                 if (tp1 == NULL) {
3168                         circled = 0;
3169                         tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
3170                 }
3171                 /* In case the fragments were not in order we must reset */
3172         }                       /* end for (j = fragStart */
3173         *p_tp1 = tp1;
3174         return (wake_him);      /* Return value only used for nr-sack */
3175 }
3176
3177
3178 static int
3179 sctp_handle_segments(struct mbuf *m, int *offset, struct sctp_tcb *stcb, struct sctp_association *asoc,
3180     uint32_t last_tsn, uint32_t *biggest_tsn_acked,
3181     uint32_t *biggest_newly_acked_tsn, uint32_t *this_sack_lowest_newack,
3182     int num_seg, int num_nr_seg, int *rto_ok)
3183 {
3184         struct sctp_gap_ack_block *frag, block;
3185         struct sctp_tmit_chunk *tp1;
3186         int i;
3187         int num_frs = 0;
3188         int chunk_freed;
3189         int non_revocable;
3190         uint16_t frag_strt, frag_end, prev_frag_end;
3191
3192         tp1 = TAILQ_FIRST(&asoc->sent_queue);
3193         prev_frag_end = 0;
3194         chunk_freed = 0;
3195
3196         for (i = 0; i < (num_seg + num_nr_seg); i++) {
3197                 if (i == num_seg) {
3198                         prev_frag_end = 0;
3199                         tp1 = TAILQ_FIRST(&asoc->sent_queue);
3200                 }
3201                 frag = (struct sctp_gap_ack_block *)sctp_m_getptr(m, *offset,
3202                     sizeof(struct sctp_gap_ack_block), (uint8_t *)&block);
3203                 *offset += sizeof(block);
3204                 if (frag == NULL) {
3205                         return (chunk_freed);
3206                 }
3207                 frag_strt = ntohs(frag->start);
3208                 frag_end = ntohs(frag->end);
3209
3210                 if (frag_strt > frag_end) {
3211                         /* This gap report is malformed, skip it. */
3212                         continue;
3213                 }
3214                 if (frag_strt <= prev_frag_end) {
3215                         /* This gap report is not in order, so restart. */
3216                         tp1 = TAILQ_FIRST(&asoc->sent_queue);
3217                 }
3218                 if (SCTP_TSN_GT((last_tsn + frag_end), *biggest_tsn_acked)) {
3219                         *biggest_tsn_acked = last_tsn + frag_end;
3220                 }
3221                 if (i < num_seg) {
3222                         non_revocable = 0;
3223                 } else {
3224                         non_revocable = 1;
3225                 }
3226                 if (sctp_process_segment_range(stcb, &tp1, last_tsn, frag_strt, frag_end,
3227                     non_revocable, &num_frs, biggest_newly_acked_tsn,
3228                     this_sack_lowest_newack, rto_ok)) {
3229                         chunk_freed = 1;
3230                 }
3231                 prev_frag_end = frag_end;
3232         }
3233         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3234                 if (num_frs)
3235                         sctp_log_fr(*biggest_tsn_acked,
3236                             *biggest_newly_acked_tsn,
3237                             last_tsn, SCTP_FR_LOG_BIGGEST_TSNS);
3238         }
3239         return (chunk_freed);
3240 }
3241
3242 static void
3243 sctp_check_for_revoked(struct sctp_tcb *stcb,
3244     struct sctp_association *asoc, uint32_t cumack,
3245     uint32_t biggest_tsn_acked)
3246 {
3247         struct sctp_tmit_chunk *tp1;
3248
3249         TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
3250                 if (SCTP_TSN_GT(tp1->rec.data.tsn, cumack)) {
3251                         /*
3252                          * ok this guy is either ACK or MARKED. If it is
3253                          * ACKED it has been previously acked but not this
3254                          * time i.e. revoked.  If it is MARKED it was ACK'ed
3255                          * again.
3256                          */
3257                         if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked)) {
3258                                 break;
3259                         }
3260                         if (tp1->sent == SCTP_DATAGRAM_ACKED) {
3261                                 /* it has been revoked */
3262                                 tp1->sent = SCTP_DATAGRAM_SENT;
3263                                 tp1->rec.data.chunk_was_revoked = 1;
3264                                 /*
3265                                  * We must add this stuff back in to assure
3266                                  * timers and such get started.
3267                                  */
3268                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3269                                         sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
3270                                             tp1->whoTo->flight_size,
3271                                             tp1->book_size,
3272                                             (uint32_t)(uintptr_t)tp1->whoTo,
3273                                             tp1->rec.data.tsn);
3274                                 }
3275                                 sctp_flight_size_increase(tp1);
3276                                 sctp_total_flight_increase(stcb, tp1);
3277                                 /*
3278                                  * We inflate the cwnd to compensate for our
3279                                  * artificial inflation of the flight_size.
3280                                  */
3281                                 tp1->whoTo->cwnd += tp1->book_size;
3282                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
3283                                         sctp_log_sack(asoc->last_acked_seq,
3284                                             cumack,
3285                                             tp1->rec.data.tsn,
3286                                             0,
3287                                             0,
3288                                             SCTP_LOG_TSN_REVOKED);
3289                                 }
3290                         } else if (tp1->sent == SCTP_DATAGRAM_MARKED) {
3291                                 /* it has been re-acked in this SACK */
3292                                 tp1->sent = SCTP_DATAGRAM_ACKED;
3293                         }
3294                 }
3295                 if (tp1->sent == SCTP_DATAGRAM_UNSENT)
3296                         break;
3297         }
3298 }
3299
3300
3301 static void
3302 sctp_strike_gap_ack_chunks(struct sctp_tcb *stcb, struct sctp_association *asoc,
3303     uint32_t biggest_tsn_acked, uint32_t biggest_tsn_newly_acked, uint32_t this_sack_lowest_newack, int accum_moved)
3304 {
3305         struct sctp_tmit_chunk *tp1;
3306         int strike_flag = 0;
3307         struct timeval now;
3308         int tot_retrans = 0;
3309         uint32_t sending_seq;
3310         struct sctp_nets *net;
3311         int num_dests_sacked = 0;
3312
3313         /*
3314          * select the sending_seq, this is either the next thing ready to be
3315          * sent but not transmitted, OR, the next seq we assign.
3316          */
3317         tp1 = TAILQ_FIRST(&stcb->asoc.send_queue);
3318         if (tp1 == NULL) {
3319                 sending_seq = asoc->sending_seq;
3320         } else {
3321                 sending_seq = tp1->rec.data.tsn;
3322         }
3323
3324         /* CMT DAC algo: finding out if SACK is a mixed SACK */
3325         if ((asoc->sctp_cmt_on_off > 0) &&
3326             SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3327                 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3328                         if (net->saw_newack)
3329                                 num_dests_sacked++;
3330                 }
3331         }
3332         if (stcb->asoc.prsctp_supported) {
3333                 (void)SCTP_GETTIME_TIMEVAL(&now);
3334         }
3335         TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
3336                 strike_flag = 0;
3337                 if (tp1->no_fr_allowed) {
3338                         /* this one had a timeout or something */
3339                         continue;
3340                 }
3341                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3342                         if (tp1->sent < SCTP_DATAGRAM_RESEND)
3343                                 sctp_log_fr(biggest_tsn_newly_acked,
3344                                     tp1->rec.data.tsn,
3345                                     tp1->sent,
3346                                     SCTP_FR_LOG_CHECK_STRIKE);
3347                 }
3348                 if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked) ||
3349                     tp1->sent == SCTP_DATAGRAM_UNSENT) {
3350                         /* done */
3351                         break;
3352                 }
3353                 if (stcb->asoc.prsctp_supported) {
3354                         if ((PR_SCTP_TTL_ENABLED(tp1->flags)) && tp1->sent < SCTP_DATAGRAM_ACKED) {
3355                                 /* Is it expired? */
3356                                 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
3357                                         /* Yes so drop it */
3358                                         if (tp1->data != NULL) {
3359                                                 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
3360                                                     SCTP_SO_NOT_LOCKED);
3361                                         }
3362                                         continue;
3363                                 }
3364                         }
3365                 }
3366                 if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->this_sack_highest_gap) &&
3367                     !(accum_moved && asoc->fast_retran_loss_recovery)) {
3368                         /* we are beyond the tsn in the sack  */
3369                         break;
3370                 }
3371                 if (tp1->sent >= SCTP_DATAGRAM_RESEND) {
3372                         /* either a RESEND, ACKED, or MARKED */
3373                         /* skip */
3374                         if (tp1->sent == SCTP_FORWARD_TSN_SKIP) {
3375                                 /* Continue strikin FWD-TSN chunks */
3376                                 tp1->rec.data.fwd_tsn_cnt++;
3377                         }
3378                         continue;
3379                 }
3380                 /*
3381                  * CMT : SFR algo (covers part of DAC and HTNA as well)
3382                  */
3383                 if (tp1->whoTo && tp1->whoTo->saw_newack == 0) {
3384                         /*
3385                          * No new acks were receieved for data sent to this
3386                          * dest. Therefore, according to the SFR algo for
3387                          * CMT, no data sent to this dest can be marked for
3388                          * FR using this SACK.
3389                          */
3390                         continue;
3391                 } else if (tp1->whoTo &&
3392                             SCTP_TSN_GT(tp1->rec.data.tsn,
3393                             tp1->whoTo->this_sack_highest_newack) &&
3394                     !(accum_moved && asoc->fast_retran_loss_recovery)) {
3395                         /*
3396                          * CMT: New acks were receieved for data sent to
3397                          * this dest. But no new acks were seen for data
3398                          * sent after tp1. Therefore, according to the SFR
3399                          * algo for CMT, tp1 cannot be marked for FR using
3400                          * this SACK. This step covers part of the DAC algo
3401                          * and the HTNA algo as well.
3402                          */
3403                         continue;
3404                 }
3405                 /*
3406                  * Here we check to see if we were have already done a FR
3407                  * and if so we see if the biggest TSN we saw in the sack is
3408                  * smaller than the recovery point. If so we don't strike
3409                  * the tsn... otherwise we CAN strike the TSN.
3410                  */
3411                 /*
3412                  * @@@ JRI: Check for CMT if (accum_moved &&
3413                  * asoc->fast_retran_loss_recovery && (sctp_cmt_on_off ==
3414                  * 0)) {
3415                  */
3416                 if (accum_moved && asoc->fast_retran_loss_recovery) {
3417                         /*
3418                          * Strike the TSN if in fast-recovery and cum-ack
3419                          * moved.
3420                          */
3421                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3422                                 sctp_log_fr(biggest_tsn_newly_acked,
3423                                     tp1->rec.data.tsn,
3424                                     tp1->sent,
3425                                     SCTP_FR_LOG_STRIKE_CHUNK);
3426                         }
3427                         if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3428                                 tp1->sent++;
3429                         }
3430                         if ((asoc->sctp_cmt_on_off > 0) &&
3431                             SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3432                                 /*
3433                                  * CMT DAC algorithm: If SACK flag is set to
3434                                  * 0, then lowest_newack test will not pass
3435                                  * because it would have been set to the
3436                                  * cumack earlier. If not already to be
3437                                  * rtx'd, If not a mixed sack and if tp1 is
3438                                  * not between two sacked TSNs, then mark by
3439                                  * one more. NOTE that we are marking by one
3440                                  * additional time since the SACK DAC flag
3441                                  * indicates that two packets have been
3442                                  * received after this missing TSN.
3443                                  */
3444                                 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
3445                                     SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) {
3446                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3447                                                 sctp_log_fr(16 + num_dests_sacked,
3448                                                     tp1->rec.data.tsn,
3449                                                     tp1->sent,
3450                                                     SCTP_FR_LOG_STRIKE_CHUNK);
3451                                         }
3452                                         tp1->sent++;
3453                                 }
3454                         }
3455                 } else if ((tp1->rec.data.doing_fast_retransmit) &&
3456                     (asoc->sctp_cmt_on_off == 0)) {
3457                         /*
3458                          * For those that have done a FR we must take
3459                          * special consideration if we strike. I.e the
3460                          * biggest_newly_acked must be higher than the
3461                          * sending_seq at the time we did the FR.
3462                          */
3463                         if (
3464 #ifdef SCTP_FR_TO_ALTERNATE
3465                         /*
3466                          * If FR's go to new networks, then we must only do
3467                          * this for singly homed asoc's. However if the FR's
3468                          * go to the same network (Armando's work) then its
3469                          * ok to FR multiple times.
3470                          */
3471                             (asoc->numnets < 2)
3472 #else
3473                             (1)
3474 #endif
3475                             ) {
3476
3477                                 if (SCTP_TSN_GE(biggest_tsn_newly_acked,
3478                                     tp1->rec.data.fast_retran_tsn)) {
3479                                         /*
3480                                          * Strike the TSN, since this ack is
3481                                          * beyond where things were when we
3482                                          * did a FR.
3483                                          */
3484                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3485                                                 sctp_log_fr(biggest_tsn_newly_acked,
3486                                                     tp1->rec.data.tsn,
3487                                                     tp1->sent,
3488                                                     SCTP_FR_LOG_STRIKE_CHUNK);
3489                                         }
3490                                         if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3491                                                 tp1->sent++;
3492                                         }
3493                                         strike_flag = 1;
3494                                         if ((asoc->sctp_cmt_on_off > 0) &&
3495                                             SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3496                                                 /*
3497                                                  * CMT DAC algorithm: If
3498                                                  * SACK flag is set to 0,
3499                                                  * then lowest_newack test
3500                                                  * will not pass because it
3501                                                  * would have been set to
3502                                                  * the cumack earlier. If
3503                                                  * not already to be rtx'd,
3504                                                  * If not a mixed sack and
3505                                                  * if tp1 is not between two
3506                                                  * sacked TSNs, then mark by
3507                                                  * one more. NOTE that we
3508                                                  * are marking by one
3509                                                  * additional time since the
3510                                                  * SACK DAC flag indicates
3511                                                  * that two packets have
3512                                                  * been received after this
3513                                                  * missing TSN.
3514                                                  */
3515                                                 if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
3516                                                     (num_dests_sacked == 1) &&
3517                                                     SCTP_TSN_GT(this_sack_lowest_newack,
3518                                                     tp1->rec.data.tsn)) {
3519                                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3520                                                                 sctp_log_fr(32 + num_dests_sacked,
3521                                                                     tp1->rec.data.tsn,
3522                                                                     tp1->sent,
3523                                                                     SCTP_FR_LOG_STRIKE_CHUNK);
3524                                                         }
3525                                                         if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3526                                                                 tp1->sent++;
3527                                                         }
3528                                                 }
3529                                         }
3530                                 }
3531                         }
3532                         /*
3533                          * JRI: TODO: remove code for HTNA algo. CMT's SFR
3534                          * algo covers HTNA.
3535                          */
3536                 } else if (SCTP_TSN_GT(tp1->rec.data.tsn,
3537                     biggest_tsn_newly_acked)) {
3538                         /*
3539                          * We don't strike these: This is the  HTNA
3540                          * algorithm i.e. we don't strike If our TSN is
3541                          * larger than the Highest TSN Newly Acked.
3542                          */
3543                         ;
3544                 } else {
3545                         /* Strike the TSN */
3546                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3547                                 sctp_log_fr(biggest_tsn_newly_acked,
3548                                     tp1->rec.data.tsn,
3549                                     tp1->sent,
3550                                     SCTP_FR_LOG_STRIKE_CHUNK);
3551                         }
3552                         if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3553                                 tp1->sent++;
3554                         }
3555                         if ((asoc->sctp_cmt_on_off > 0) &&
3556                             SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3557                                 /*
3558                                  * CMT DAC algorithm: If SACK flag is set to
3559                                  * 0, then lowest_newack test will not pass
3560                                  * because it would have been set to the
3561                                  * cumack earlier. If not already to be
3562                                  * rtx'd, If not a mixed sack and if tp1 is
3563                                  * not between two sacked TSNs, then mark by
3564                                  * one more. NOTE that we are marking by one
3565                                  * additional time since the SACK DAC flag
3566                                  * indicates that two packets have been
3567                                  * received after this missing TSN.
3568                                  */
3569                                 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
3570                                     SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) {
3571                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3572                                                 sctp_log_fr(48 + num_dests_sacked,
3573                                                     tp1->rec.data.tsn,
3574                                                     tp1->sent,
3575                                                     SCTP_FR_LOG_STRIKE_CHUNK);
3576                                         }
3577                                         tp1->sent++;
3578                                 }
3579                         }
3580                 }
3581                 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
3582                         struct sctp_nets *alt;
3583
3584                         /* fix counts and things */
3585                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3586                                 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_RSND,
3587                                     (tp1->whoTo ? (tp1->whoTo->flight_size) : 0),
3588                                     tp1->book_size,
3589                                     (uint32_t)(uintptr_t)tp1->whoTo,
3590                                     tp1->rec.data.tsn);
3591                         }
3592                         if (tp1->whoTo) {
3593                                 tp1->whoTo->net_ack++;
3594                                 sctp_flight_size_decrease(tp1);
3595                                 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3596                                         (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
3597                                             tp1);
3598                                 }
3599                         }
3600                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
3601                                 sctp_log_rwnd(SCTP_INCREASE_PEER_RWND,
3602                                     asoc->peers_rwnd, tp1->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
3603                         }
3604                         /* add back to the rwnd */
3605                         asoc->peers_rwnd += (tp1->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
3606
3607                         /* remove from the total flight */
3608                         sctp_total_flight_decrease(stcb, tp1);
3609
3610                         if ((stcb->asoc.prsctp_supported) &&
3611                             (PR_SCTP_RTX_ENABLED(tp1->flags))) {
3612                                 /*
3613                                  * Has it been retransmitted tv_sec times? -
3614                                  * we store the retran count there.
3615                                  */
3616                                 if (tp1->snd_count > tp1->rec.data.timetodrop.tv_sec) {
3617                                         /* Yes, so drop it */
3618                                         if (tp1->data != NULL) {
3619                                                 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
3620                                                     SCTP_SO_NOT_LOCKED);
3621                                         }
3622                                         /* Make sure to flag we had a FR */
3623                                         if (tp1->whoTo != NULL) {
3624                                                 tp1->whoTo->net_ack++;
3625                                         }
3626                                         continue;
3627                                 }
3628                         }
3629                         /*
3630                          * SCTP_PRINTF("OK, we are now ready to FR this
3631                          * guy\n");
3632                          */
3633                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3634                                 sctp_log_fr(tp1->rec.data.tsn, tp1->snd_count,
3635                                     0, SCTP_FR_MARKED);
3636                         }
3637                         if (strike_flag) {
3638                                 /* This is a subsequent FR */
3639                                 SCTP_STAT_INCR(sctps_sendmultfastretrans);
3640                         }
3641                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3642                         if (asoc->sctp_cmt_on_off > 0) {
3643                                 /*
3644                                  * CMT: Using RTX_SSTHRESH policy for CMT.
3645                                  * If CMT is being used, then pick dest with
3646                                  * largest ssthresh for any retransmission.
3647                                  */
3648                                 tp1->no_fr_allowed = 1;
3649                                 alt = tp1->whoTo;
3650                                 /* sa_ignore NO_NULL_CHK */
3651                                 if (asoc->sctp_cmt_pf > 0) {
3652                                         /*
3653                                          * JRS 5/18/07 - If CMT PF is on,
3654                                          * use the PF version of
3655                                          * find_alt_net()
3656                                          */
3657                                         alt = sctp_find_alternate_net(stcb, alt, 2);
3658                                 } else {
3659                                         /*
3660                                          * JRS 5/18/07 - If only CMT is on,
3661                                          * use the CMT version of
3662                                          * find_alt_net()
3663                                          */
3664                                         /* sa_ignore NO_NULL_CHK */
3665                                         alt = sctp_find_alternate_net(stcb, alt, 1);
3666                                 }
3667                                 if (alt == NULL) {
3668                                         alt = tp1->whoTo;
3669                                 }
3670                                 /*
3671                                  * CUCv2: If a different dest is picked for
3672                                  * the retransmission, then new
3673                                  * (rtx-)pseudo_cumack needs to be tracked
3674                                  * for orig dest. Let CUCv2 track new (rtx-)
3675                                  * pseudo-cumack always.
3676                                  */
3677                                 if (tp1->whoTo) {
3678                                         tp1->whoTo->find_pseudo_cumack = 1;
3679                                         tp1->whoTo->find_rtx_pseudo_cumack = 1;
3680                                 }
3681                         } else {        /* CMT is OFF */
3682
3683 #ifdef SCTP_FR_TO_ALTERNATE
3684                                 /* Can we find an alternate? */
3685                                 alt = sctp_find_alternate_net(stcb, tp1->whoTo, 0);
3686 #else
3687                                 /*
3688                                  * default behavior is to NOT retransmit
3689                                  * FR's to an alternate. Armando Caro's
3690                                  * paper details why.
3691                                  */
3692                                 alt = tp1->whoTo;
3693 #endif
3694                         }
3695
3696                         tp1->rec.data.doing_fast_retransmit = 1;
3697                         tot_retrans++;
3698                         /* mark the sending seq for possible subsequent FR's */
3699                         /*
3700                          * SCTP_PRINTF("Marking TSN for FR new value %x\n",
3701                          * (uint32_t)tpi->rec.data.tsn);
3702                          */
3703                         if (TAILQ_EMPTY(&asoc->send_queue)) {
3704                                 /*
3705                                  * If the queue of send is empty then its
3706                                  * the next sequence number that will be
3707                                  * assigned so we subtract one from this to
3708                                  * get the one we last sent.
3709                                  */
3710                                 tp1->rec.data.fast_retran_tsn = sending_seq;
3711                         } else {
3712                                 /*
3713                                  * If there are chunks on the send queue
3714                                  * (unsent data that has made it from the
3715                                  * stream queues but not out the door, we
3716                                  * take the first one (which will have the
3717                                  * lowest TSN) and subtract one to get the
3718                                  * one we last sent.
3719                                  */
3720                                 struct sctp_tmit_chunk *ttt;
3721
3722                                 ttt = TAILQ_FIRST(&asoc->send_queue);
3723                                 tp1->rec.data.fast_retran_tsn =
3724                                     ttt->rec.data.tsn;
3725                         }
3726
3727                         if (tp1->do_rtt) {
3728                                 /*
3729                                  * this guy had a RTO calculation pending on
3730                                  * it, cancel it
3731                                  */
3732                                 if ((tp1->whoTo != NULL) &&
3733                                     (tp1->whoTo->rto_needed == 0)) {
3734                                         tp1->whoTo->rto_needed = 1;
3735                                 }
3736                                 tp1->do_rtt = 0;
3737                         }
3738                         if (alt != tp1->whoTo) {
3739                                 /* yes, there is an alternate. */
3740                                 sctp_free_remote_addr(tp1->whoTo);
3741                                 /* sa_ignore FREED_MEMORY */
3742                                 tp1->whoTo = alt;
3743                                 atomic_add_int(&alt->ref_count, 1);
3744                         }
3745                 }
3746         }
3747 }
3748
3749 struct sctp_tmit_chunk *
3750 sctp_try_advance_peer_ack_point(struct sctp_tcb *stcb,
3751     struct sctp_association *asoc)
3752 {
3753         struct sctp_tmit_chunk *tp1, *tp2, *a_adv = NULL;
3754         struct timeval now;
3755         int now_filled = 0;
3756
3757         if (asoc->prsctp_supported == 0) {
3758                 return (NULL);
3759         }
3760         TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
3761                 if (tp1->sent != SCTP_FORWARD_TSN_SKIP &&
3762                     tp1->sent != SCTP_DATAGRAM_RESEND &&
3763                     tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
3764                         /* no chance to advance, out of here */
3765                         break;
3766                 }
3767                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
3768                         if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
3769                             (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
3770                                 sctp_misc_ints(SCTP_FWD_TSN_CHECK,
3771                                     asoc->advanced_peer_ack_point,
3772                                     tp1->rec.data.tsn, 0, 0);
3773                         }
3774                 }
3775                 if (!PR_SCTP_ENABLED(tp1->flags)) {
3776                         /*
3777                          * We can't fwd-tsn past any that are reliable aka
3778                          * retransmitted until the asoc fails.
3779                          */
3780                         break;
3781                 }
3782                 if (!now_filled) {
3783                         (void)SCTP_GETTIME_TIMEVAL(&now);
3784                         now_filled = 1;
3785                 }
3786                 /*
3787                  * now we got a chunk which is marked for another
3788                  * retransmission to a PR-stream but has run out its chances
3789                  * already maybe OR has been marked to skip now. Can we skip
3790                  * it if its a resend?
3791                  */
3792                 if (tp1->sent == SCTP_DATAGRAM_RESEND &&
3793                     (PR_SCTP_TTL_ENABLED(tp1->flags))) {
3794                         /*
3795                          * Now is this one marked for resend and its time is
3796                          * now up?
3797                          */
3798                         if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
3799                                 /* Yes so drop it */
3800                                 if (tp1->data) {
3801                                         (void)sctp_release_pr_sctp_chunk(stcb, tp1,
3802                                             1, SCTP_SO_NOT_LOCKED);
3803                                 }
3804                         } else {
3805                                 /*
3806                                  * No, we are done when hit one for resend
3807                                  * whos time as not expired.
3808                                  */
3809                                 break;
3810                         }
3811                 }
3812                 /*
3813                  * Ok now if this chunk is marked to drop it we can clean up
3814                  * the chunk, advance our peer ack point and we can check
3815                  * the next chunk.
3816                  */
3817                 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
3818                     (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
3819                         /* advance PeerAckPoint goes forward */
3820                         if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->advanced_peer_ack_point)) {
3821                                 asoc->advanced_peer_ack_point = tp1->rec.data.tsn;
3822                                 a_adv = tp1;
3823                         } else if (tp1->rec.data.tsn == asoc->advanced_peer_ack_point) {
3824                                 /* No update but we do save the chk */
3825                                 a_adv = tp1;
3826                         }
3827                 } else {
3828                         /*
3829                          * If it is still in RESEND we can advance no
3830                          * further
3831                          */
3832                         break;
3833                 }
3834         }
3835         return (a_adv);
3836 }
3837
3838 static int
3839 sctp_fs_audit(struct sctp_association *asoc)
3840 {
3841         struct sctp_tmit_chunk *chk;
3842         int inflight = 0, resend = 0, inbetween = 0, acked = 0, above = 0;
3843         int ret;
3844 #ifndef INVARIANTS
3845         int entry_flight, entry_cnt;
3846 #endif
3847
3848         ret = 0;
3849 #ifndef INVARIANTS
3850         entry_flight = asoc->total_flight;
3851         entry_cnt = asoc->total_flight_count;
3852 #endif
3853         if (asoc->pr_sctp_cnt >= asoc->sent_queue_cnt)
3854                 return (0);
3855
3856         TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
3857                 if (chk->sent < SCTP_DATAGRAM_RESEND) {
3858                         SCTP_PRINTF("Chk TSN: %u size: %d inflight cnt: %d\n",
3859                             chk->rec.data.tsn,
3860                             chk->send_size,
3861                             chk->snd_count);
3862                         inflight++;
3863                 } else if (chk->sent == SCTP_DATAGRAM_RESEND) {
3864                         resend++;
3865                 } else if (chk->sent < SCTP_DATAGRAM_ACKED) {
3866                         inbetween++;
3867                 } else if (chk->sent > SCTP_DATAGRAM_ACKED) {
3868                         above++;
3869                 } else {
3870                         acked++;
3871                 }
3872         }
3873
3874         if ((inflight > 0) || (inbetween > 0)) {
3875 #ifdef INVARIANTS
3876                 panic("Flight size-express incorrect? \n");
3877 #else
3878                 SCTP_PRINTF("asoc->total_flight: %d cnt: %d\n",
3879                     entry_flight, entry_cnt);
3880
3881                 SCTP_PRINTF("Flight size-express incorrect F: %d I: %d R: %d Ab: %d ACK: %d\n",
3882                     inflight, inbetween, resend, above, acked);
3883                 ret = 1;
3884 #endif
3885         }
3886         return (ret);
3887 }
3888
3889
3890 static void
3891 sctp_window_probe_recovery(struct sctp_tcb *stcb,
3892     struct sctp_association *asoc,
3893     struct sctp_tmit_chunk *tp1)
3894 {
3895         tp1->window_probe = 0;
3896         if ((tp1->sent >= SCTP_DATAGRAM_ACKED) || (tp1->data == NULL)) {
3897                 /* TSN's skipped we do NOT move back. */
3898                 sctp_misc_ints(SCTP_FLIGHT_LOG_DWN_WP_FWD,
3899                     tp1->whoTo ? tp1->whoTo->flight_size : 0,
3900                     tp1->book_size,
3901                     (uint32_t)(uintptr_t)tp1->whoTo,
3902                     tp1->rec.data.tsn);
3903                 return;
3904         }
3905         /* First setup this by shrinking flight */
3906         if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3907                 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
3908                     tp1);
3909         }
3910         sctp_flight_size_decrease(tp1);
3911         sctp_total_flight_decrease(stcb, tp1);
3912         /* Now mark for resend */
3913         tp1->sent = SCTP_DATAGRAM_RESEND;
3914         sctp_ucount_incr(asoc->sent_queue_retran_cnt);
3915
3916         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3917                 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_WP,
3918                     tp1->whoTo->flight_size,
3919                     tp1->book_size,
3920                     (uint32_t)(uintptr_t)tp1->whoTo,
3921                     tp1->rec.data.tsn);
3922         }
3923 }
3924
3925 void
3926 sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
3927     uint32_t rwnd, int *abort_now, int ecne_seen)
3928 {
3929         struct sctp_nets *net;
3930         struct sctp_association *asoc;
3931         struct sctp_tmit_chunk *tp1, *tp2;
3932         uint32_t old_rwnd;
3933         int win_probe_recovery = 0;
3934         int win_probe_recovered = 0;
3935         int j, done_once = 0;
3936         int rto_ok = 1;
3937         uint32_t send_s;
3938
3939         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
3940                 sctp_misc_ints(SCTP_SACK_LOG_EXPRESS, cumack,
3941                     rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
3942         }
3943         SCTP_TCB_LOCK_ASSERT(stcb);
3944 #ifdef SCTP_ASOCLOG_OF_TSNS
3945         stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cumack;
3946         stcb->asoc.cumack_log_at++;
3947         if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
3948                 stcb->asoc.cumack_log_at = 0;
3949         }
3950 #endif
3951         asoc = &stcb->asoc;
3952         old_rwnd = asoc->peers_rwnd;
3953         if (SCTP_TSN_GT(asoc->last_acked_seq, cumack)) {
3954                 /* old ack */
3955                 return;
3956         } else if (asoc->last_acked_seq == cumack) {
3957                 /* Window update sack */
3958                 asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
3959                     (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
3960                 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
3961                         /* SWS sender side engages */
3962                         asoc->peers_rwnd = 0;
3963                 }
3964                 if (asoc->peers_rwnd > old_rwnd) {
3965                         goto again;
3966                 }
3967                 return;
3968         }
3969         /* First setup for CC stuff */
3970         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3971                 if (SCTP_TSN_GT(cumack, net->cwr_window_tsn)) {
3972                         /* Drag along the window_tsn for cwr's */
3973                         net->cwr_window_tsn = cumack;
3974                 }
3975                 net->prev_cwnd = net->cwnd;
3976                 net->net_ack = 0;
3977                 net->net_ack2 = 0;
3978
3979                 /*
3980                  * CMT: Reset CUC and Fast recovery algo variables before
3981                  * SACK processing
3982                  */
3983                 net->new_pseudo_cumack = 0;
3984                 net->will_exit_fast_recovery = 0;
3985                 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
3986                         (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net);
3987                 }
3988         }
3989         if (!TAILQ_EMPTY(&asoc->sent_queue)) {
3990                 tp1 = TAILQ_LAST(&asoc->sent_queue,
3991                     sctpchunk_listhead);
3992                 send_s = tp1->rec.data.tsn + 1;
3993         } else {
3994                 send_s = asoc->sending_seq;
3995         }
3996         if (SCTP_TSN_GE(cumack, send_s)) {
3997                 struct mbuf *op_err;
3998                 char msg[SCTP_DIAG_INFO_LEN];
3999
4000                 *abort_now = 1;
4001                 /* XXX */
4002                 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x",
4003                     cumack, send_s);
4004                 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
4005                 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_21;
4006                 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4007                 return;
4008         }
4009         asoc->this_sack_highest_gap = cumack;
4010         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4011                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4012                     stcb->asoc.overall_error_count,
4013                     0,
4014                     SCTP_FROM_SCTP_INDATA,
4015                     __LINE__);
4016         }
4017         stcb->asoc.overall_error_count = 0;
4018         if (SCTP_TSN_GT(cumack, asoc->last_acked_seq)) {
4019                 /* process the new consecutive TSN first */
4020                 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
4021                         if (SCTP_TSN_GE(cumack, tp1->rec.data.tsn)) {
4022                                 if (tp1->sent == SCTP_DATAGRAM_UNSENT) {
4023                                         SCTP_PRINTF("Warning, an unsent is now acked?\n");
4024                                 }
4025                                 if (tp1->sent < SCTP_DATAGRAM_ACKED) {
4026                                         /*
4027                                          * If it is less than ACKED, it is
4028                                          * now no-longer in flight. Higher
4029                                          * values may occur during marking
4030                                          */
4031                                         if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4032                                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4033                                                         sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
4034                                                             tp1->whoTo->flight_size,
4035                                                             tp1->book_size,
4036                                                             (uint32_t)(uintptr_t)tp1->whoTo,
4037                                                             tp1->rec.data.tsn);
4038                                                 }
4039                                                 sctp_flight_size_decrease(tp1);
4040                                                 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
4041                                                         (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
4042                                                             tp1);
4043                                                 }
4044                                                 /* sa_ignore NO_NULL_CHK */
4045                                                 sctp_total_flight_decrease(stcb, tp1);
4046                                         }
4047                                         tp1->whoTo->net_ack += tp1->send_size;
4048                                         if (tp1->snd_count < 2) {
4049                                                 /*
4050                                                  * True non-retransmited
4051                                                  * chunk
4052                                                  */
4053                                                 tp1->whoTo->net_ack2 +=
4054                                                     tp1->send_size;
4055
4056                                                 /* update RTO too? */
4057                                                 if (tp1->do_rtt) {
4058                                                         if (rto_ok) {
4059                                                                 tp1->whoTo->RTO =
4060                                                                 /*
4061                                                                  * sa_ignore
4062                                                                  * NO_NULL_CHK
4063                                                                  */
4064                                                                     sctp_calculate_rto(stcb,
4065                                                                     asoc, tp1->whoTo,
4066                                                                     &tp1->sent_rcv_time,
4067                                                                     SCTP_RTT_FROM_DATA);
4068                                                                 rto_ok = 0;
4069                                                         }
4070                                                         if (tp1->whoTo->rto_needed == 0) {
4071                                                                 tp1->whoTo->rto_needed = 1;
4072                                                         }
4073                                                         tp1->do_rtt = 0;
4074                                                 }
4075                                         }
4076                                         /*
4077                                          * CMT: CUCv2 algorithm. From the
4078                                          * cumack'd TSNs, for each TSN being
4079                                          * acked for the first time, set the
4080                                          * following variables for the
4081                                          * corresp destination.
4082                                          * new_pseudo_cumack will trigger a
4083                                          * cwnd update.
4084                                          * find_(rtx_)pseudo_cumack will
4085                                          * trigger search for the next
4086                                          * expected (rtx-)pseudo-cumack.
4087                                          */
4088                                         tp1->whoTo->new_pseudo_cumack = 1;
4089                                         tp1->whoTo->find_pseudo_cumack = 1;
4090                                         tp1->whoTo->find_rtx_pseudo_cumack = 1;
4091
4092                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
4093                                                 /* sa_ignore NO_NULL_CHK */
4094                                                 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
4095                                         }
4096                                 }
4097                                 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4098                                         sctp_ucount_decr(asoc->sent_queue_retran_cnt);
4099                                 }
4100                                 if (tp1->rec.data.chunk_was_revoked) {
4101                                         /* deflate the cwnd */
4102                                         tp1->whoTo->cwnd -= tp1->book_size;
4103                                         tp1->rec.data.chunk_was_revoked = 0;
4104                                 }
4105                                 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4106                                         if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
4107                                                 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--;
4108 #ifdef INVARIANTS
4109                                         } else {
4110                                                 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
4111 #endif
4112                                         }
4113                                 }
4114                                 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
4115                                     (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
4116                                     TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) {
4117                                         asoc->trigger_reset = 1;
4118                                 }
4119                                 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
4120                                 if (tp1->data) {
4121                                         /* sa_ignore NO_NULL_CHK */
4122                                         sctp_free_bufspace(stcb, asoc, tp1, 1);
4123                                         sctp_m_freem(tp1->data);
4124                                         tp1->data = NULL;
4125                                 }
4126                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4127                                         sctp_log_sack(asoc->last_acked_seq,
4128                                             cumack,
4129                                             tp1->rec.data.tsn,
4130                                             0,
4131                                             0,
4132                                             SCTP_LOG_FREE_SENT);
4133                                 }
4134                                 asoc->sent_queue_cnt--;
4135                                 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
4136                         } else {
4137                                 break;
4138                         }
4139                 }
4140
4141         }
4142         /* sa_ignore NO_NULL_CHK */
4143         if (stcb->sctp_socket) {
4144 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4145                 struct socket *so;
4146
4147 #endif
4148                 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
4149                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4150                         /* sa_ignore NO_NULL_CHK */
4151                         sctp_wakeup_log(stcb, 1, SCTP_WAKESND_FROM_SACK);
4152                 }
4153 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4154                 so = SCTP_INP_SO(stcb->sctp_ep);
4155                 atomic_add_int(&stcb->asoc.refcnt, 1);
4156                 SCTP_TCB_UNLOCK(stcb);
4157                 SCTP_SOCKET_LOCK(so, 1);
4158                 SCTP_TCB_LOCK(stcb);
4159                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4160                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
4161                         /* assoc was freed while we were unlocked */
4162                         SCTP_SOCKET_UNLOCK(so, 1);
4163                         return;
4164                 }
4165 #endif
4166                 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
4167 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4168                 SCTP_SOCKET_UNLOCK(so, 1);
4169 #endif
4170         } else {
4171                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4172                         sctp_wakeup_log(stcb, 1, SCTP_NOWAKE_FROM_SACK);
4173                 }
4174         }
4175
4176         /* JRS - Use the congestion control given in the CC module */
4177         if ((asoc->last_acked_seq != cumack) && (ecne_seen == 0)) {
4178                 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4179                         if (net->net_ack2 > 0) {
4180                                 /*
4181                                  * Karn's rule applies to clearing error
4182                                  * count, this is optional.
4183                                  */
4184                                 net->error_count = 0;
4185                                 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
4186                                         /* addr came good */
4187                                         net->dest_state |= SCTP_ADDR_REACHABLE;
4188                                         sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
4189                                             0, (void *)net, SCTP_SO_NOT_LOCKED);
4190                                 }
4191                                 if (net == stcb->asoc.primary_destination) {
4192                                         if (stcb->asoc.alternate) {
4193                                                 /*
4194                                                  * release the alternate,
4195                                                  * primary is good
4196                                                  */
4197                                                 sctp_free_remote_addr(stcb->asoc.alternate);
4198                                                 stcb->asoc.alternate = NULL;
4199                                         }
4200                                 }
4201                                 if (net->dest_state & SCTP_ADDR_PF) {
4202                                         net->dest_state &= ~SCTP_ADDR_PF;
4203                                         sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT,
4204                                             stcb->sctp_ep, stcb, net,
4205                                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_22);
4206                                         sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
4207                                         asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
4208                                         /* Done with this net */
4209                                         net->net_ack = 0;
4210                                 }
4211                                 /* restore any doubled timers */
4212                                 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
4213                                 if (net->RTO < stcb->asoc.minrto) {
4214                                         net->RTO = stcb->asoc.minrto;
4215                                 }
4216                                 if (net->RTO > stcb->asoc.maxrto) {
4217                                         net->RTO = stcb->asoc.maxrto;
4218                                 }
4219                         }
4220                 }
4221                 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, 1, 0, 0);
4222         }
4223         asoc->last_acked_seq = cumack;
4224
4225         if (TAILQ_EMPTY(&asoc->sent_queue)) {
4226                 /* nothing left in-flight */
4227                 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4228                         net->flight_size = 0;
4229                         net->partial_bytes_acked = 0;
4230                 }
4231                 asoc->total_flight = 0;
4232                 asoc->total_flight_count = 0;
4233         }
4234         /* RWND update */
4235         asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
4236             (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
4237         if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4238                 /* SWS sender side engages */
4239                 asoc->peers_rwnd = 0;
4240         }
4241         if (asoc->peers_rwnd > old_rwnd) {
4242                 win_probe_recovery = 1;
4243         }
4244         /* Now assure a timer where data is queued at */
4245 again:
4246         j = 0;
4247         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4248                 if (win_probe_recovery && (net->window_probe)) {
4249                         win_probe_recovered = 1;
4250                         /*
4251                          * Find first chunk that was used with window probe
4252                          * and clear the sent
4253                          */
4254                         /* sa_ignore FREED_MEMORY */
4255                         TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4256                                 if (tp1->window_probe) {
4257                                         /* move back to data send queue */
4258                                         sctp_window_probe_recovery(stcb, asoc, tp1);
4259                                         break;
4260                                 }
4261                         }
4262                 }
4263                 if (net->flight_size) {
4264                         j++;
4265                         sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net);
4266                         if (net->window_probe) {
4267                                 net->window_probe = 0;
4268                         }
4269                 } else {
4270                         if (net->window_probe) {
4271                                 /*
4272                                  * In window probes we must assure a timer
4273                                  * is still running there
4274                                  */
4275                                 net->window_probe = 0;
4276                                 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4277                                         sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net);
4278                                 }
4279                         } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4280                                 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4281                                     stcb, net,
4282                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_23);
4283                         }
4284                 }
4285         }
4286         if ((j == 0) &&
4287             (!TAILQ_EMPTY(&asoc->sent_queue)) &&
4288             (asoc->sent_queue_retran_cnt == 0) &&
4289             (win_probe_recovered == 0) &&
4290             (done_once == 0)) {
4291                 /*
4292                  * huh, this should not happen unless all packets are
4293                  * PR-SCTP and marked to skip of course.
4294                  */
4295                 if (sctp_fs_audit(asoc)) {
4296                         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4297                                 net->flight_size = 0;
4298                         }
4299                         asoc->total_flight = 0;
4300                         asoc->total_flight_count = 0;
4301                         asoc->sent_queue_retran_cnt = 0;
4302                         TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4303                                 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4304                                         sctp_flight_size_increase(tp1);
4305                                         sctp_total_flight_increase(stcb, tp1);
4306                                 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4307                                         sctp_ucount_incr(asoc->sent_queue_retran_cnt);
4308                                 }
4309                         }
4310                 }
4311                 done_once = 1;
4312                 goto again;
4313         }
4314         /**********************************/
4315         /* Now what about shutdown issues */
4316         /**********************************/
4317         if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
4318                 /* nothing left on sendqueue.. consider done */
4319                 /* clean up */
4320                 if ((asoc->stream_queue_cnt == 1) &&
4321                     ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
4322                     (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) &&
4323                     ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) {
4324                         asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
4325                 }
4326                 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
4327                     (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
4328                     (asoc->stream_queue_cnt == 1) &&
4329                     (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
4330                         struct mbuf *op_err;
4331
4332                         *abort_now = 1;
4333                         /* XXX */
4334                         op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
4335                         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24;
4336                         sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4337                         return;
4338                 }
4339                 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
4340                     (asoc->stream_queue_cnt == 0)) {
4341                         struct sctp_nets *netp;
4342
4343                         if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
4344                             (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4345                                 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4346                         }
4347                         SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
4348                         SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4349                         sctp_stop_timers_for_shutdown(stcb);
4350                         if (asoc->alternate) {
4351                                 netp = asoc->alternate;
4352                         } else {
4353                                 netp = asoc->primary_destination;
4354                         }
4355                         sctp_send_shutdown(stcb, netp);
4356                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
4357                             stcb->sctp_ep, stcb, netp);
4358                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
4359                             stcb->sctp_ep, stcb, netp);
4360                 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
4361                     (asoc->stream_queue_cnt == 0)) {
4362                         struct sctp_nets *netp;
4363
4364                         SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4365                         SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
4366                         SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4367                         sctp_stop_timers_for_shutdown(stcb);
4368                         if (asoc->alternate) {
4369                                 netp = asoc->alternate;
4370                         } else {
4371                                 netp = asoc->primary_destination;
4372                         }
4373                         sctp_send_shutdown_ack(stcb, netp);
4374                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
4375                             stcb->sctp_ep, stcb, netp);
4376                 }
4377         }
4378         /*********************************************/
4379         /* Here we perform PR-SCTP procedures        */
4380         /* (section 4.2)                             */
4381         /*********************************************/
4382         /* C1. update advancedPeerAckPoint */
4383         if (SCTP_TSN_GT(cumack, asoc->advanced_peer_ack_point)) {
4384                 asoc->advanced_peer_ack_point = cumack;
4385         }
4386         /* PR-Sctp issues need to be addressed too */
4387         if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
4388                 struct sctp_tmit_chunk *lchk;
4389                 uint32_t old_adv_peer_ack_point;
4390
4391                 old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
4392                 lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
4393                 /* C3. See if we need to send a Fwd-TSN */
4394                 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cumack)) {
4395                         /*
4396                          * ISSUE with ECN, see FWD-TSN processing.
4397                          */
4398                         if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
4399                                 send_forward_tsn(stcb, asoc);
4400                         } else if (lchk) {
4401                                 /* try to FR fwd-tsn's that get lost too */
4402                                 if (lchk->rec.data.fwd_tsn_cnt >= 3) {
4403                                         send_forward_tsn(stcb, asoc);
4404                                 }
4405                         }
4406                 }
4407                 if (lchk) {
4408                         /* Assure a timer is up */
4409                         sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4410                             stcb->sctp_ep, stcb, lchk->whoTo);
4411                 }
4412         }
4413         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
4414                 sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
4415                     rwnd,
4416                     stcb->asoc.peers_rwnd,
4417                     stcb->asoc.total_flight,
4418                     stcb->asoc.total_output_queue_size);
4419         }
4420 }
4421
4422 void
4423 sctp_handle_sack(struct mbuf *m, int offset_seg, int offset_dup,
4424     struct sctp_tcb *stcb,
4425     uint16_t num_seg, uint16_t num_nr_seg, uint16_t num_dup,
4426     int *abort_now, uint8_t flags,
4427     uint32_t cum_ack, uint32_t rwnd, int ecne_seen)
4428 {
4429         struct sctp_association *asoc;
4430         struct sctp_tmit_chunk *tp1, *tp2;
4431         uint32_t last_tsn, biggest_tsn_acked, biggest_tsn_newly_acked, this_sack_lowest_newack;
4432         uint16_t wake_him = 0;
4433         uint32_t send_s = 0;
4434         long j;
4435         int accum_moved = 0;
4436         int will_exit_fast_recovery = 0;
4437         uint32_t a_rwnd, old_rwnd;
4438         int win_probe_recovery = 0;
4439         int win_probe_recovered = 0;
4440         struct sctp_nets *net = NULL;
4441         int done_once;
4442         int rto_ok = 1;
4443         uint8_t reneged_all = 0;
4444         uint8_t cmt_dac_flag;
4445
4446         /*
4447          * we take any chance we can to service our queues since we cannot
4448          * get awoken when the socket is read from :<
4449          */
4450         /*
4451          * Now perform the actual SACK handling: 1) Verify that it is not an
4452          * old sack, if so discard. 2) If there is nothing left in the send
4453          * queue (cum-ack is equal to last acked) then you have a duplicate
4454          * too, update any rwnd change and verify no timers are running.
4455          * then return. 3) Process any new consequtive data i.e. cum-ack
4456          * moved process these first and note that it moved. 4) Process any
4457          * sack blocks. 5) Drop any acked from the queue. 6) Check for any
4458          * revoked blocks and mark. 7) Update the cwnd. 8) Nothing left,
4459          * sync up flightsizes and things, stop all timers and also check
4460          * for shutdown_pending state. If so then go ahead and send off the
4461          * shutdown. If in shutdown recv, send off the shutdown-ack and
4462          * start that timer, Ret. 9) Strike any non-acked things and do FR
4463          * procedure if needed being sure to set the FR flag. 10) Do pr-sctp
4464          * procedures. 11) Apply any FR penalties. 12) Assure we will SACK
4465          * if in shutdown_recv state.
4466          */
4467         SCTP_TCB_LOCK_ASSERT(stcb);
4468         /* CMT DAC algo */
4469         this_sack_lowest_newack = 0;
4470         SCTP_STAT_INCR(sctps_slowpath_sack);
4471         last_tsn = cum_ack;
4472         cmt_dac_flag = flags & SCTP_SACK_CMT_DAC;
4473 #ifdef SCTP_ASOCLOG_OF_TSNS
4474         stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cum_ack;
4475         stcb->asoc.cumack_log_at++;
4476         if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
4477                 stcb->asoc.cumack_log_at = 0;
4478         }
4479 #endif
4480         a_rwnd = rwnd;
4481
4482         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
4483                 sctp_misc_ints(SCTP_SACK_LOG_NORMAL, cum_ack,
4484                     rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
4485         }
4486         old_rwnd = stcb->asoc.peers_rwnd;
4487         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4488                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4489                     stcb->asoc.overall_error_count,
4490                     0,
4491                     SCTP_FROM_SCTP_INDATA,
4492                     __LINE__);
4493         }
4494         stcb->asoc.overall_error_count = 0;
4495         asoc = &stcb->asoc;
4496         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4497                 sctp_log_sack(asoc->last_acked_seq,
4498                     cum_ack,
4499                     0,
4500                     num_seg,
4501                     num_dup,
4502                     SCTP_LOG_NEW_SACK);
4503         }
4504         if ((num_dup) && (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE)) {
4505                 uint16_t i;
4506                 uint32_t *dupdata, dblock;
4507
4508                 for (i = 0; i < num_dup; i++) {
4509                         dupdata = (uint32_t *)sctp_m_getptr(m, offset_dup + i * sizeof(uint32_t),
4510                             sizeof(uint32_t), (uint8_t *)&dblock);
4511                         if (dupdata == NULL) {
4512                                 break;
4513                         }
4514                         sctp_log_fr(*dupdata, 0, 0, SCTP_FR_DUPED);
4515                 }
4516         }
4517         /* reality check */
4518         if (!TAILQ_EMPTY(&asoc->sent_queue)) {
4519                 tp1 = TAILQ_LAST(&asoc->sent_queue,
4520                     sctpchunk_listhead);
4521                 send_s = tp1->rec.data.tsn + 1;
4522         } else {
4523                 tp1 = NULL;
4524                 send_s = asoc->sending_seq;
4525         }
4526         if (SCTP_TSN_GE(cum_ack, send_s)) {
4527                 struct mbuf *op_err;
4528                 char msg[SCTP_DIAG_INFO_LEN];
4529
4530                 /*
4531                  * no way, we have not even sent this TSN out yet. Peer is
4532                  * hopelessly messed up with us.
4533                  */
4534                 SCTP_PRINTF("NEW cum_ack:%x send_s:%x is smaller or equal\n",
4535                     cum_ack, send_s);
4536                 if (tp1) {
4537                         SCTP_PRINTF("Got send_s from tsn:%x + 1 of tp1: %p\n",
4538                             tp1->rec.data.tsn, (void *)tp1);
4539                 }
4540 hopeless_peer:
4541                 *abort_now = 1;
4542                 /* XXX */
4543                 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x",
4544                     cum_ack, send_s);
4545                 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
4546                 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_25;
4547                 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4548                 return;
4549         }
4550         /**********************/
4551         /* 1) check the range */
4552         /**********************/
4553         if (SCTP_TSN_GT(asoc->last_acked_seq, last_tsn)) {
4554                 /* acking something behind */
4555                 return;
4556         }
4557         /* update the Rwnd of the peer */
4558         if (TAILQ_EMPTY(&asoc->sent_queue) &&
4559             TAILQ_EMPTY(&asoc->send_queue) &&
4560             (asoc->stream_queue_cnt == 0)) {
4561                 /* nothing left on send/sent and strmq */
4562                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
4563                         sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
4564                             asoc->peers_rwnd, 0, 0, a_rwnd);
4565                 }
4566                 asoc->peers_rwnd = a_rwnd;
4567                 if (asoc->sent_queue_retran_cnt) {
4568                         asoc->sent_queue_retran_cnt = 0;
4569                 }
4570                 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4571                         /* SWS sender side engages */
4572                         asoc->peers_rwnd = 0;
4573                 }
4574                 /* stop any timers */
4575                 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4576                         sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4577                             stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_26);
4578                         net->partial_bytes_acked = 0;
4579                         net->flight_size = 0;
4580                 }
4581                 asoc->total_flight = 0;
4582                 asoc->total_flight_count = 0;
4583                 return;
4584         }
4585         /*
4586          * We init netAckSz and netAckSz2 to 0. These are used to track 2
4587          * things. The total byte count acked is tracked in netAckSz AND
4588          * netAck2 is used to track the total bytes acked that are un-
4589          * amibguious and were never retransmitted. We track these on a per
4590          * destination address basis.
4591          */
4592         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4593                 if (SCTP_TSN_GT(cum_ack, net->cwr_window_tsn)) {
4594                         /* Drag along the window_tsn for cwr's */
4595                         net->cwr_window_tsn = cum_ack;
4596                 }
4597                 net->prev_cwnd = net->cwnd;
4598                 net->net_ack = 0;
4599                 net->net_ack2 = 0;
4600
4601                 /*
4602                  * CMT: Reset CUC and Fast recovery algo variables before
4603                  * SACK processing
4604                  */
4605                 net->new_pseudo_cumack = 0;
4606                 net->will_exit_fast_recovery = 0;
4607                 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
4608                         (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net);
4609                 }
4610                 /*
4611                  * CMT: SFR algo (and HTNA) - this_sack_highest_newack has
4612                  * to be greater than the cumack. Also reset saw_newack to 0
4613                  * for all dests.
4614                  */
4615                 net->saw_newack = 0;
4616                 net->this_sack_highest_newack = last_tsn;
4617         }
4618         /* process the new consecutive TSN first */
4619         TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4620                 if (SCTP_TSN_GE(last_tsn, tp1->rec.data.tsn)) {
4621                         if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
4622                                 accum_moved = 1;
4623                                 if (tp1->sent < SCTP_DATAGRAM_ACKED) {
4624                                         /*
4625                                          * If it is less than ACKED, it is
4626                                          * now no-longer in flight. Higher
4627                                          * values may occur during marking
4628                                          */
4629                                         if ((tp1->whoTo->dest_state &
4630                                             SCTP_ADDR_UNCONFIRMED) &&
4631                                             (tp1->snd_count < 2)) {
4632                                                 /*
4633                                                  * If there was no retran
4634                                                  * and the address is
4635                                                  * un-confirmed and we sent
4636                                                  * there and are now
4637                                                  * sacked.. its confirmed,
4638                                                  * mark it so.
4639                                                  */
4640                                                 tp1->whoTo->dest_state &=
4641                                                     ~SCTP_ADDR_UNCONFIRMED;
4642                                         }
4643                                         if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4644                                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4645                                                         sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
4646                                                             tp1->whoTo->flight_size,
4647                                                             tp1->book_size,
4648                                                             (uint32_t)(uintptr_t)tp1->whoTo,
4649                                                             tp1->rec.data.tsn);
4650                                                 }
4651                                                 sctp_flight_size_decrease(tp1);
4652                                                 sctp_total_flight_decrease(stcb, tp1);
4653                                                 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
4654                                                         (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
4655                                                             tp1);
4656                                                 }
4657                                         }
4658                                         tp1->whoTo->net_ack += tp1->send_size;
4659
4660                                         /* CMT SFR and DAC algos */
4661                                         this_sack_lowest_newack = tp1->rec.data.tsn;
4662                                         tp1->whoTo->saw_newack = 1;
4663
4664                                         if (tp1->snd_count < 2) {
4665                                                 /*
4666                                                  * True non-retransmited
4667                                                  * chunk
4668                                                  */
4669                                                 tp1->whoTo->net_ack2 +=
4670                                                     tp1->send_size;
4671
4672                                                 /* update RTO too? */
4673                                                 if (tp1->do_rtt) {
4674                                                         if (rto_ok) {
4675                                                                 tp1->whoTo->RTO =
4676                                                                     sctp_calculate_rto(stcb,
4677                                                                     asoc, tp1->whoTo,
4678                                                                     &tp1->sent_rcv_time,
4679                                                                     SCTP_RTT_FROM_DATA);
4680                                                                 rto_ok = 0;
4681                                                         }
4682                                                         if (tp1->whoTo->rto_needed == 0) {
4683                                                                 tp1->whoTo->rto_needed = 1;
4684                                                         }
4685                                                         tp1->do_rtt = 0;
4686                                                 }
4687                                         }
4688                                         /*
4689                                          * CMT: CUCv2 algorithm. From the
4690                                          * cumack'd TSNs, for each TSN being
4691                                          * acked for the first time, set the
4692                                          * following variables for the
4693                                          * corresp destination.
4694                                          * new_pseudo_cumack will trigger a
4695                                          * cwnd update.
4696                                          * find_(rtx_)pseudo_cumack will
4697                                          * trigger search for the next
4698                                          * expected (rtx-)pseudo-cumack.
4699                                          */
4700                                         tp1->whoTo->new_pseudo_cumack = 1;
4701                                         tp1->whoTo->find_pseudo_cumack = 1;
4702                                         tp1->whoTo->find_rtx_pseudo_cumack = 1;
4703
4704
4705                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4706                                                 sctp_log_sack(asoc->last_acked_seq,
4707                                                     cum_ack,
4708                                                     tp1->rec.data.tsn,
4709                                                     0,
4710                                                     0,
4711                                                     SCTP_LOG_TSN_ACKED);
4712                                         }
4713                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
4714                                                 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
4715                                         }
4716                                 }
4717                                 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4718                                         sctp_ucount_decr(asoc->sent_queue_retran_cnt);
4719 #ifdef SCTP_AUDITING_ENABLED
4720                                         sctp_audit_log(0xB3,
4721                                             (asoc->sent_queue_retran_cnt & 0x000000ff));
4722 #endif
4723                                 }
4724                                 if (tp1->rec.data.chunk_was_revoked) {
4725                                         /* deflate the cwnd */
4726                                         tp1->whoTo->cwnd -= tp1->book_size;
4727                                         tp1->rec.data.chunk_was_revoked = 0;
4728                                 }
4729                                 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4730                                         tp1->sent = SCTP_DATAGRAM_ACKED;
4731                                 }
4732                         }
4733                 } else {
4734                         break;
4735                 }
4736         }
4737         biggest_tsn_newly_acked = biggest_tsn_acked = last_tsn;
4738         /* always set this up to cum-ack */
4739         asoc->this_sack_highest_gap = last_tsn;
4740
4741         if ((num_seg > 0) || (num_nr_seg > 0)) {
4742
4743                 /*
4744                  * thisSackHighestGap will increase while handling NEW
4745                  * segments this_sack_highest_newack will increase while
4746                  * handling NEWLY ACKED chunks. this_sack_lowest_newack is
4747                  * used for CMT DAC algo. saw_newack will also change.
4748                  */
4749                 if (sctp_handle_segments(m, &offset_seg, stcb, asoc, last_tsn, &biggest_tsn_acked,
4750                     &biggest_tsn_newly_acked, &this_sack_lowest_newack,
4751                     num_seg, num_nr_seg, &rto_ok)) {
4752                         wake_him++;
4753                 }
4754                 /*
4755                  * validate the biggest_tsn_acked in the gap acks if strict
4756                  * adherence is wanted.
4757                  */
4758                 if (SCTP_TSN_GE(biggest_tsn_acked, send_s)) {
4759                         /*
4760                          * peer is either confused or we are under attack.
4761                          * We must abort.
4762                          */
4763                         SCTP_PRINTF("Hopeless peer! biggest_tsn_acked:%x largest seq:%x\n",
4764                             biggest_tsn_acked, send_s);
4765                         goto hopeless_peer;
4766                 }
4767         }
4768         /*******************************************/
4769         /* cancel ALL T3-send timer if accum moved */
4770         /*******************************************/
4771         if (asoc->sctp_cmt_on_off > 0) {
4772                 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4773                         if (net->new_pseudo_cumack)
4774                                 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4775                                     stcb, net,
4776                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_27);
4777
4778                 }
4779         } else {
4780                 if (accum_moved) {
4781                         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4782                                 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4783                                     stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_28);
4784                         }
4785                 }
4786         }
4787         /********************************************/
4788         /* drop the acked chunks from the sentqueue */
4789         /********************************************/
4790         asoc->last_acked_seq = cum_ack;
4791
4792         TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
4793                 if (SCTP_TSN_GT(tp1->rec.data.tsn, cum_ack)) {
4794                         break;
4795                 }
4796                 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4797                         if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
4798                                 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--;
4799 #ifdef INVARIANTS
4800                         } else {
4801                                 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
4802 #endif
4803                         }
4804                 }
4805                 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
4806                     (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
4807                     TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) {
4808                         asoc->trigger_reset = 1;
4809                 }
4810                 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
4811                 if (PR_SCTP_ENABLED(tp1->flags)) {
4812                         if (asoc->pr_sctp_cnt != 0)
4813                                 asoc->pr_sctp_cnt--;
4814                 }
4815                 asoc->sent_queue_cnt--;
4816                 if (tp1->data) {
4817                         /* sa_ignore NO_NULL_CHK */
4818                         sctp_free_bufspace(stcb, asoc, tp1, 1);
4819                         sctp_m_freem(tp1->data);
4820                         tp1->data = NULL;
4821                         if (asoc->prsctp_supported && PR_SCTP_BUF_ENABLED(tp1->flags)) {
4822                                 asoc->sent_queue_cnt_removeable--;
4823                         }
4824                 }
4825                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4826                         sctp_log_sack(asoc->last_acked_seq,
4827                             cum_ack,
4828                             tp1->rec.data.tsn,
4829                             0,
4830                             0,
4831                             SCTP_LOG_FREE_SENT);
4832                 }
4833                 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
4834                 wake_him++;
4835         }
4836         if (TAILQ_EMPTY(&asoc->sent_queue) && (asoc->total_flight > 0)) {
4837 #ifdef INVARIANTS
4838                 panic("Warning flight size is positive and should be 0");
4839 #else
4840                 SCTP_PRINTF("Warning flight size incorrect should be 0 is %d\n",
4841                     asoc->total_flight);
4842 #endif
4843                 asoc->total_flight = 0;
4844         }
4845         /* sa_ignore NO_NULL_CHK */
4846         if ((wake_him) && (stcb->sctp_socket)) {
4847 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4848                 struct socket *so;
4849
4850 #endif
4851                 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
4852                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4853                         sctp_wakeup_log(stcb, wake_him, SCTP_WAKESND_FROM_SACK);
4854                 }
4855 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4856                 so = SCTP_INP_SO(stcb->sctp_ep);
4857                 atomic_add_int(&stcb->asoc.refcnt, 1);
4858                 SCTP_TCB_UNLOCK(stcb);
4859                 SCTP_SOCKET_LOCK(so, 1);
4860                 SCTP_TCB_LOCK(stcb);
4861                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4862                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
4863                         /* assoc was freed while we were unlocked */
4864                         SCTP_SOCKET_UNLOCK(so, 1);
4865                         return;
4866                 }
4867 #endif
4868                 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
4869 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4870                 SCTP_SOCKET_UNLOCK(so, 1);
4871 #endif
4872         } else {
4873                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4874                         sctp_wakeup_log(stcb, wake_him, SCTP_NOWAKE_FROM_SACK);
4875                 }
4876         }
4877
4878         if (asoc->fast_retran_loss_recovery && accum_moved) {
4879                 if (SCTP_TSN_GE(asoc->last_acked_seq, asoc->fast_recovery_tsn)) {
4880                         /* Setup so we will exit RFC2582 fast recovery */
4881                         will_exit_fast_recovery = 1;
4882                 }
4883         }
4884         /*
4885          * Check for revoked fragments:
4886          *
4887          * if Previous sack - Had no frags then we can't have any revoked if
4888          * Previous sack - Had frag's then - If we now have frags aka
4889          * num_seg > 0 call sctp_check_for_revoked() to tell if peer revoked
4890          * some of them. else - The peer revoked all ACKED fragments, since
4891          * we had some before and now we have NONE.
4892          */
4893
4894         if (num_seg) {
4895                 sctp_check_for_revoked(stcb, asoc, cum_ack, biggest_tsn_acked);
4896                 asoc->saw_sack_with_frags = 1;
4897         } else if (asoc->saw_sack_with_frags) {
4898                 int cnt_revoked = 0;
4899
4900                 /* Peer revoked all dg's marked or acked */
4901                 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4902                         if (tp1->sent == SCTP_DATAGRAM_ACKED) {
4903                                 tp1->sent = SCTP_DATAGRAM_SENT;
4904                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4905                                         sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
4906                                             tp1->whoTo->flight_size,
4907                                             tp1->book_size,
4908                                             (uint32_t)(uintptr_t)tp1->whoTo,
4909                                             tp1->rec.data.tsn);
4910                                 }
4911                                 sctp_flight_size_increase(tp1);
4912                                 sctp_total_flight_increase(stcb, tp1);
4913                                 tp1->rec.data.chunk_was_revoked = 1;
4914                                 /*
4915                                  * To ensure that this increase in
4916                                  * flightsize, which is artificial, does not
4917                                  * throttle the sender, we also increase the
4918                                  * cwnd artificially.
4919                                  */
4920                                 tp1->whoTo->cwnd += tp1->book_size;
4921                                 cnt_revoked++;
4922                         }
4923                 }
4924                 if (cnt_revoked) {
4925                         reneged_all = 1;
4926                 }
4927                 asoc->saw_sack_with_frags = 0;
4928         }
4929         if (num_nr_seg > 0)
4930                 asoc->saw_sack_with_nr_frags = 1;
4931         else
4932                 asoc->saw_sack_with_nr_frags = 0;
4933
4934         /* JRS - Use the congestion control given in the CC module */
4935         if (ecne_seen == 0) {
4936                 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4937                         if (net->net_ack2 > 0) {
4938                                 /*
4939                                  * Karn's rule applies to clearing error
4940                                  * count, this is optional.
4941                                  */
4942                                 net->error_count = 0;
4943                                 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
4944                                         /* addr came good */
4945                                         net->dest_state |= SCTP_ADDR_REACHABLE;
4946                                         sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
4947                                             0, (void *)net, SCTP_SO_NOT_LOCKED);
4948                                 }
4949                                 if (net == stcb->asoc.primary_destination) {
4950                                         if (stcb->asoc.alternate) {
4951                                                 /*
4952                                                  * release the alternate,
4953                                                  * primary is good
4954                                                  */
4955                                                 sctp_free_remote_addr(stcb->asoc.alternate);
4956                                                 stcb->asoc.alternate = NULL;
4957                                         }
4958                                 }
4959                                 if (net->dest_state & SCTP_ADDR_PF) {
4960                                         net->dest_state &= ~SCTP_ADDR_PF;
4961                                         sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT,
4962                                             stcb->sctp_ep, stcb, net,
4963                                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_29);
4964                                         sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
4965                                         asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
4966                                         /* Done with this net */
4967                                         net->net_ack = 0;
4968                                 }
4969                                 /* restore any doubled timers */
4970                                 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
4971                                 if (net->RTO < stcb->asoc.minrto) {
4972                                         net->RTO = stcb->asoc.minrto;
4973                                 }
4974                                 if (net->RTO > stcb->asoc.maxrto) {
4975                                         net->RTO = stcb->asoc.maxrto;
4976                                 }
4977                         }
4978                 }
4979                 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, accum_moved, reneged_all, will_exit_fast_recovery);
4980         }
4981         if (TAILQ_EMPTY(&asoc->sent_queue)) {
4982                 /* nothing left in-flight */
4983                 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4984                         /* stop all timers */
4985                         sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4986                             stcb, net,
4987                             SCTP_FROM_SCTP_INDATA + SCTP_LOC_30);
4988                         net->flight_size = 0;
4989                         net->partial_bytes_acked = 0;
4990                 }
4991                 asoc->total_flight = 0;
4992                 asoc->total_flight_count = 0;
4993         }
4994         /**********************************/
4995         /* Now what about shutdown issues */
4996         /**********************************/
4997         if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
4998                 /* nothing left on sendqueue.. consider done */
4999                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
5000                         sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
5001                             asoc->peers_rwnd, 0, 0, a_rwnd);
5002                 }
5003                 asoc->peers_rwnd = a_rwnd;
5004                 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
5005                         /* SWS sender side engages */
5006                         asoc->peers_rwnd = 0;
5007                 }
5008                 /* clean up */
5009                 if ((asoc->stream_queue_cnt == 1) &&
5010                     ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
5011                     (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) &&
5012                     ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) {
5013                         asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
5014                 }
5015                 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
5016                     (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
5017                     (asoc->stream_queue_cnt == 1) &&
5018                     (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
5019                         struct mbuf *op_err;
5020
5021                         *abort_now = 1;
5022                         /* XXX */
5023                         op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
5024                         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24;
5025                         sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
5026                         return;
5027                 }
5028                 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
5029                     (asoc->stream_queue_cnt == 0)) {
5030                         struct sctp_nets *netp;
5031
5032                         if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
5033                             (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
5034                                 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
5035                         }
5036                         SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
5037                         SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
5038                         sctp_stop_timers_for_shutdown(stcb);
5039                         if (asoc->alternate) {
5040                                 netp = asoc->alternate;
5041                         } else {
5042                                 netp = asoc->primary_destination;
5043                         }
5044                         sctp_send_shutdown(stcb, netp);
5045                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
5046                             stcb->sctp_ep, stcb, netp);
5047                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
5048                             stcb->sctp_ep, stcb, netp);
5049                         return;
5050                 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
5051                     (asoc->stream_queue_cnt == 0)) {
5052                         struct sctp_nets *netp;
5053
5054                         SCTP_STAT_DECR_GAUGE32(sctps_currestab);
5055                         SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
5056                         SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
5057                         sctp_stop_timers_for_shutdown(stcb);
5058                         if (asoc->alternate) {
5059                                 netp = asoc->alternate;
5060                         } else {
5061                                 netp = asoc->primary_destination;
5062                         }
5063                         sctp_send_shutdown_ack(stcb, netp);
5064                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
5065                             stcb->sctp_ep, stcb, netp);
5066                         return;
5067                 }
5068         }
5069         /*
5070          * Now here we are going to recycle net_ack for a different use...
5071          * HEADS UP.
5072          */
5073         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5074                 net->net_ack = 0;
5075         }
5076
5077         /*
5078          * CMT DAC algorithm: If SACK DAC flag was 0, then no extra marking
5079          * to be done. Setting this_sack_lowest_newack to the cum_ack will
5080          * automatically ensure that.
5081          */
5082         if ((asoc->sctp_cmt_on_off > 0) &&
5083             SCTP_BASE_SYSCTL(sctp_cmt_use_dac) &&
5084             (cmt_dac_flag == 0)) {
5085                 this_sack_lowest_newack = cum_ack;
5086         }
5087         if ((num_seg > 0) || (num_nr_seg > 0)) {
5088                 sctp_strike_gap_ack_chunks(stcb, asoc, biggest_tsn_acked,
5089                     biggest_tsn_newly_acked, this_sack_lowest_newack, accum_moved);
5090         }
5091         /* JRS - Use the congestion control given in the CC module */
5092         asoc->cc_functions.sctp_cwnd_update_after_fr(stcb, asoc);
5093
5094         /* Now are we exiting loss recovery ? */
5095         if (will_exit_fast_recovery) {
5096                 /* Ok, we must exit fast recovery */
5097                 asoc->fast_retran_loss_recovery = 0;
5098         }
5099         if ((asoc->sat_t3_loss_recovery) &&
5100             SCTP_TSN_GE(asoc->last_acked_seq, asoc->sat_t3_recovery_tsn)) {
5101                 /* end satellite t3 loss recovery */
5102                 asoc->sat_t3_loss_recovery = 0;
5103         }
5104         /*
5105          * CMT Fast recovery
5106          */
5107         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5108                 if (net->will_exit_fast_recovery) {
5109                         /* Ok, we must exit fast recovery */
5110                         net->fast_retran_loss_recovery = 0;
5111                 }
5112         }
5113
5114         /* Adjust and set the new rwnd value */
5115         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
5116                 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
5117                     asoc->peers_rwnd, asoc->total_flight, (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)), a_rwnd);
5118         }
5119         asoc->peers_rwnd = sctp_sbspace_sub(a_rwnd,
5120             (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
5121         if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
5122                 /* SWS sender side engages */
5123                 asoc->peers_rwnd = 0;
5124         }
5125         if (asoc->peers_rwnd > old_rwnd) {
5126                 win_probe_recovery = 1;
5127         }
5128         /*
5129          * Now we must setup so we have a timer up for anyone with
5130          * outstanding data.
5131          */
5132         done_once = 0;
5133 again:
5134         j = 0;
5135         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5136                 if (win_probe_recovery && (net->window_probe)) {
5137                         win_probe_recovered = 1;
5138                         /*-
5139                          * Find first chunk that was used with
5140                          * window probe and clear the event. Put
5141                          * it back into the send queue as if has
5142                          * not been sent.
5143                          */
5144                         TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
5145                                 if (tp1->window_probe) {
5146                                         sctp_window_probe_recovery(stcb, asoc, tp1);
5147                                         break;
5148                                 }
5149                         }
5150                 }
5151                 if (net->flight_size) {
5152                         j++;
5153                         if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5154                                 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
5155                                     stcb->sctp_ep, stcb, net);
5156                         }
5157                         if (net->window_probe) {
5158                                 net->window_probe = 0;
5159                         }
5160                 } else {
5161                         if (net->window_probe) {
5162                                 /*
5163                                  * In window probes we must assure a timer
5164                                  * is still running there
5165                                  */
5166                                 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5167                                         sctp_timer_start(SCTP_TIMER_TYPE_SEND,
5168                                             stcb->sctp_ep, stcb, net);
5169
5170                                 }
5171                         } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5172                                 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
5173                                     stcb, net,
5174                                     SCTP_FROM_SCTP_INDATA + SCTP_LOC_32);
5175                         }
5176                 }
5177         }
5178         if ((j == 0) &&
5179             (!TAILQ_EMPTY(&asoc->sent_queue)) &&
5180             (asoc->sent_queue_retran_cnt == 0) &&
5181             (win_probe_recovered == 0) &&
5182             (done_once == 0)) {
5183                 /*
5184                  * huh, this should not happen unless all packets are
5185                  * PR-SCTP and marked to skip of course.
5186                  */
5187                 if (sctp_fs_audit(asoc)) {
5188                         TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5189                                 net->flight_size = 0;
5190                         }
5191                         asoc->total_flight = 0;
5192                         asoc->total_flight_count = 0;
5193                         asoc->sent_queue_retran_cnt = 0;
5194                         TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
5195                                 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
5196                                         sctp_flight_size_increase(tp1);
5197                                         sctp_total_flight_increase(stcb, tp1);
5198                                 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
5199                                         sctp_ucount_incr(asoc->sent_queue_retran_cnt);
5200                                 }
5201                         }
5202                 }
5203                 done_once = 1;
5204                 goto again;
5205         }
5206         /*********************************************/
5207         /* Here we perform PR-SCTP procedures        */
5208         /* (section 4.2)                             */
5209         /*********************************************/
5210         /* C1. update advancedPeerAckPoint */
5211         if (SCTP_TSN_GT(cum_ack, asoc->advanced_peer_ack_point)) {
5212                 asoc->advanced_peer_ack_point = cum_ack;
5213         }
5214         /* C2. try to further move advancedPeerAckPoint ahead */
5215         if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
5216                 struct sctp_tmit_chunk *lchk;
5217                 uint32_t old_adv_peer_ack_point;
5218
5219                 old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
5220                 lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
5221                 /* C3. See if we need to send a Fwd-TSN */
5222                 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cum_ack)) {
5223                         /*
5224                          * ISSUE with ECN, see FWD-TSN processing.
5225                          */
5226                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
5227                                 sctp_misc_ints(SCTP_FWD_TSN_CHECK,
5228                                     0xee, cum_ack, asoc->advanced_peer_ack_point,
5229                                     old_adv_peer_ack_point);
5230                         }
5231                         if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
5232                                 send_forward_tsn(stcb, asoc);
5233                         } else if (lchk) {
5234                                 /* try to FR fwd-tsn's that get lost too */
5235                                 if (lchk->rec.data.fwd_tsn_cnt >= 3) {
5236                                         send_forward_tsn(stcb, asoc);
5237                                 }
5238                         }
5239                 }
5240                 if (lchk) {
5241                         /* Assure a timer is up */
5242                         sctp_timer_start(SCTP_TIMER_TYPE_SEND,
5243                             stcb->sctp_ep, stcb, lchk->whoTo);
5244                 }
5245         }
5246         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
5247                 sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
5248                     a_rwnd,
5249                     stcb->asoc.peers_rwnd,
5250                     stcb->asoc.total_flight,
5251                     stcb->asoc.total_output_queue_size);
5252         }
5253 }
5254
5255 void
5256 sctp_update_acked(struct sctp_tcb *stcb, struct sctp_shutdown_chunk *cp, int *abort_flag)
5257 {
5258         /* Copy cum-ack */
5259         uint32_t cum_ack, a_rwnd;
5260
5261         cum_ack = ntohl(cp->cumulative_tsn_ack);
5262         /* Arrange so a_rwnd does NOT change */
5263         a_rwnd = stcb->asoc.peers_rwnd + stcb->asoc.total_flight;
5264
5265         /* Now call the express sack handling */
5266         sctp_express_handle_sack(stcb, cum_ack, a_rwnd, abort_flag, 0);
5267 }
5268
5269 static void
5270 sctp_kick_prsctp_reorder_queue(struct sctp_tcb *stcb,
5271     struct sctp_stream_in *strmin)
5272 {
5273         struct sctp_queued_to_read *control, *ncontrol;
5274         struct sctp_association *asoc;
5275         uint32_t mid;
5276         int need_reasm_check = 0;
5277
5278         asoc = &stcb->asoc;
5279         mid = strmin->last_mid_delivered;
5280         /*
5281          * First deliver anything prior to and including the stream no that
5282          * came in.
5283          */
5284         TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) {
5285                 if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
5286                         /* this is deliverable now */
5287                         if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
5288                                 if (control->on_strm_q) {
5289                                         if (control->on_strm_q == SCTP_ON_ORDERED) {
5290                                                 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm);
5291                                         } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5292                                                 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm);
5293 #ifdef INVARIANTS
5294                                         } else {
5295                                                 panic("strmin: %p ctl: %p unknown %d",
5296                                                     strmin, control, control->on_strm_q);
5297 #endif
5298                                         }
5299                                         control->on_strm_q = 0;
5300                                 }
5301                                 /* subtract pending on streams */
5302                                 if (asoc->size_on_all_streams >= control->length) {
5303                                         asoc->size_on_all_streams -= control->length;
5304                                 } else {
5305 #ifdef INVARIANTS
5306                                         panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5307 #else
5308                                         asoc->size_on_all_streams = 0;
5309 #endif
5310                                 }
5311                                 sctp_ucount_decr(asoc->cnt_on_all_streams);
5312                                 /* deliver it to at least the delivery-q */
5313                                 if (stcb->sctp_socket) {
5314                                         sctp_mark_non_revokable(asoc, control->sinfo_tsn);
5315                                         sctp_add_to_readq(stcb->sctp_ep, stcb,
5316                                             control,
5317                                             &stcb->sctp_socket->so_rcv,
5318                                             1, SCTP_READ_LOCK_HELD,
5319                                             SCTP_SO_NOT_LOCKED);
5320                                 }
5321                         } else {
5322                                 /* Its a fragmented message */
5323                                 if (control->first_frag_seen) {
5324                                         /*
5325                                          * Make it so this is next to
5326                                          * deliver, we restore later
5327                                          */
5328                                         strmin->last_mid_delivered = control->mid - 1;
5329                                         need_reasm_check = 1;
5330                                         break;
5331                                 }
5332                         }
5333                 } else {
5334                         /* no more delivery now. */
5335                         break;
5336                 }
5337         }
5338         if (need_reasm_check) {
5339                 int ret;
5340
5341                 ret = sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD);
5342                 if (SCTP_MID_GT(asoc->idata_supported, mid, strmin->last_mid_delivered)) {
5343                         /* Restore the next to deliver unless we are ahead */
5344                         strmin->last_mid_delivered = mid;
5345                 }
5346                 if (ret == 0) {
5347                         /* Left the front Partial one on */
5348                         return;
5349                 }
5350                 need_reasm_check = 0;
5351         }
5352         /*
5353          * now we must deliver things in queue the normal way  if any are
5354          * now ready.
5355          */
5356         mid = strmin->last_mid_delivered + 1;
5357         TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) {
5358                 if (SCTP_MID_EQ(asoc->idata_supported, mid, control->mid)) {
5359                         if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
5360                                 /* this is deliverable now */
5361                                 if (control->on_strm_q) {
5362                                         if (control->on_strm_q == SCTP_ON_ORDERED) {
5363                                                 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm);
5364                                         } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5365                                                 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm);
5366 #ifdef INVARIANTS
5367                                         } else {
5368                                                 panic("strmin: %p ctl: %p unknown %d",
5369                                                     strmin, control, control->on_strm_q);
5370 #endif
5371                                         }
5372                                         control->on_strm_q = 0;
5373                                 }
5374                                 /* subtract pending on streams */
5375                                 if (asoc->size_on_all_streams >= control->length) {
5376                                         asoc->size_on_all_streams -= control->length;
5377                                 } else {
5378 #ifdef INVARIANTS
5379                                         panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5380 #else
5381                                         asoc->size_on_all_streams = 0;
5382 #endif
5383                                 }
5384                                 sctp_ucount_decr(asoc->cnt_on_all_streams);
5385                                 /* deliver it to at least the delivery-q */
5386                                 strmin->last_mid_delivered = control->mid;
5387                                 if (stcb->sctp_socket) {
5388                                         sctp_mark_non_revokable(asoc, control->sinfo_tsn);
5389                                         sctp_add_to_readq(stcb->sctp_ep, stcb,
5390                                             control,
5391                                             &stcb->sctp_socket->so_rcv, 1,
5392                                             SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED);
5393
5394                                 }
5395                                 mid = strmin->last_mid_delivered + 1;
5396                         } else {
5397                                 /* Its a fragmented message */
5398                                 if (control->first_frag_seen) {
5399                                         /*
5400                                          * Make it so this is next to
5401                                          * deliver
5402                                          */
5403                                         strmin->last_mid_delivered = control->mid - 1;
5404                                         need_reasm_check = 1;
5405                                         break;
5406                                 }
5407                         }
5408                 } else {
5409                         break;
5410                 }
5411         }
5412         if (need_reasm_check) {
5413                 (void)sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD);
5414         }
5415 }
5416
5417
5418
5419 static void
5420 sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb,
5421     struct sctp_association *asoc,
5422     uint16_t stream, uint32_t mid, int ordered, uint32_t cumtsn)
5423 {
5424         struct sctp_queued_to_read *control;
5425         struct sctp_stream_in *strm;
5426         struct sctp_tmit_chunk *chk, *nchk;
5427         int cnt_removed = 0;
5428
5429         /*
5430          * For now large messages held on the stream reasm that are complete
5431          * will be tossed too. We could in theory do more work to spin
5432          * through and stop after dumping one msg aka seeing the start of a
5433          * new msg at the head, and call the delivery function... to see if
5434          * it can be delivered... But for now we just dump everything on the
5435          * queue.
5436          */
5437         strm = &asoc->strmin[stream];
5438         control = sctp_find_reasm_entry(strm, mid, ordered, asoc->idata_supported);
5439         if (control == NULL) {
5440                 /* Not found */
5441                 return;
5442         }
5443         if (!asoc->idata_supported && !ordered && SCTP_TSN_GT(control->fsn_included, cumtsn)) {
5444                 return;
5445         }
5446         TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
5447                 /* Purge hanging chunks */
5448                 if (!asoc->idata_supported && (ordered == 0)) {
5449                         if (SCTP_TSN_GT(chk->rec.data.tsn, cumtsn)) {
5450                                 break;
5451                         }
5452                 }
5453                 cnt_removed++;
5454                 TAILQ_REMOVE(&control->reasm, chk, sctp_next);
5455                 if (asoc->size_on_reasm_queue >= chk->send_size) {
5456                         asoc->size_on_reasm_queue -= chk->send_size;
5457                 } else {
5458 #ifdef INVARIANTS
5459                         panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, chk->send_size);
5460 #else
5461                         asoc->size_on_reasm_queue = 0;
5462 #endif
5463                 }
5464                 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
5465                 if (chk->data) {
5466                         sctp_m_freem(chk->data);
5467                         chk->data = NULL;
5468                 }
5469                 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
5470         }
5471         if (!TAILQ_EMPTY(&control->reasm)) {
5472                 /* This has to be old data, unordered */
5473                 if (control->data) {
5474                         sctp_m_freem(control->data);
5475                         control->data = NULL;
5476                 }
5477                 sctp_reset_a_control(control, stcb->sctp_ep, cumtsn);
5478                 chk = TAILQ_FIRST(&control->reasm);
5479                 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
5480                         TAILQ_REMOVE(&control->reasm, chk, sctp_next);
5481                         sctp_add_chk_to_control(control, strm, stcb, asoc,
5482                             chk, SCTP_READ_LOCK_HELD);
5483                 }
5484                 sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_HELD);
5485                 return;
5486         }
5487         if (control->on_strm_q == SCTP_ON_ORDERED) {
5488                 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
5489                 if (asoc->size_on_all_streams >= control->length) {
5490                         asoc->size_on_all_streams -= control->length;
5491                 } else {
5492 #ifdef INVARIANTS
5493                         panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5494 #else
5495                         asoc->size_on_all_streams = 0;
5496 #endif
5497                 }
5498                 sctp_ucount_decr(asoc->cnt_on_all_streams);
5499                 control->on_strm_q = 0;
5500         } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5501                 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
5502                 control->on_strm_q = 0;
5503 #ifdef INVARIANTS
5504         } else if (control->on_strm_q) {
5505                 panic("strm: %p ctl: %p unknown %d",
5506                     strm, control, control->on_strm_q);
5507 #endif
5508         }
5509         control->on_strm_q = 0;
5510         if (control->on_read_q == 0) {
5511                 sctp_free_remote_addr(control->whoFrom);
5512                 if (control->data) {
5513                         sctp_m_freem(control->data);
5514                         control->data = NULL;
5515                 }
5516                 sctp_free_a_readq(stcb, control);
5517         }
5518 }
5519
5520 void
5521 sctp_handle_forward_tsn(struct sctp_tcb *stcb,
5522     struct sctp_forward_tsn_chunk *fwd,
5523     int *abort_flag, struct mbuf *m, int offset)
5524 {
5525         /* The pr-sctp fwd tsn */
5526         /*
5527          * here we will perform all the data receiver side steps for
5528          * processing FwdTSN, as required in by pr-sctp draft:
5529          *
5530          * Assume we get FwdTSN(x):
5531          *
5532          * 1) update local cumTSN to x 2) try to further advance cumTSN to x
5533          * + others we have 3) examine and update re-ordering queue on
5534          * pr-in-streams 4) clean up re-assembly queue 5) Send a sack to
5535          * report where we are.
5536          */
5537         struct sctp_association *asoc;
5538         uint32_t new_cum_tsn, gap;
5539         unsigned int i, fwd_sz, m_size;
5540         uint32_t str_seq;
5541         struct sctp_stream_in *strm;
5542         struct sctp_queued_to_read *control, *sv;
5543
5544         asoc = &stcb->asoc;
5545         if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) {
5546                 SCTPDBG(SCTP_DEBUG_INDATA1,
5547                     "Bad size too small/big fwd-tsn\n");
5548                 return;
5549         }
5550         m_size = (stcb->asoc.mapping_array_size << 3);
5551         /*************************************************************/
5552         /* 1. Here we update local cumTSN and shift the bitmap array */
5553         /*************************************************************/
5554         new_cum_tsn = ntohl(fwd->new_cumulative_tsn);
5555
5556         if (SCTP_TSN_GE(asoc->cumulative_tsn, new_cum_tsn)) {
5557                 /* Already got there ... */
5558                 return;
5559         }
5560         /*
5561          * now we know the new TSN is more advanced, let's find the actual
5562          * gap
5563          */
5564         SCTP_CALC_TSN_TO_GAP(gap, new_cum_tsn, asoc->mapping_array_base_tsn);
5565         asoc->cumulative_tsn = new_cum_tsn;
5566         if (gap >= m_size) {
5567                 if ((long)gap > sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv)) {
5568                         struct mbuf *op_err;
5569                         char msg[SCTP_DIAG_INFO_LEN];
5570
5571                         /*
5572                          * out of range (of single byte chunks in the rwnd I
5573                          * give out). This must be an attacker.
5574                          */
5575                         *abort_flag = 1;
5576                         snprintf(msg, sizeof(msg),
5577                             "New cum ack %8.8x too high, highest TSN %8.8x",
5578                             new_cum_tsn, asoc->highest_tsn_inside_map);
5579                         op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
5580                         stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_33;
5581                         sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
5582                         return;
5583                 }
5584                 SCTP_STAT_INCR(sctps_fwdtsn_map_over);
5585
5586                 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
5587                 asoc->mapping_array_base_tsn = new_cum_tsn + 1;
5588                 asoc->highest_tsn_inside_map = new_cum_tsn;
5589
5590                 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);
5591                 asoc->highest_tsn_inside_nr_map = new_cum_tsn;
5592
5593                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
5594                         sctp_log_map(0, 3, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
5595                 }
5596         } else {
5597                 SCTP_TCB_LOCK_ASSERT(stcb);
5598                 for (i = 0; i <= gap; i++) {
5599                         if (!SCTP_IS_TSN_PRESENT(asoc->mapping_array, i) &&
5600                             !SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, i)) {
5601                                 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, i);
5602                                 if (SCTP_TSN_GT(asoc->mapping_array_base_tsn + i, asoc->highest_tsn_inside_nr_map)) {
5603                                         asoc->highest_tsn_inside_nr_map = asoc->mapping_array_base_tsn + i;
5604                                 }
5605                         }
5606                 }
5607         }
5608         /*************************************************************/
5609         /* 2. Clear up re-assembly queue                             */
5610         /*************************************************************/
5611
5612         /* This is now done as part of clearing up the stream/seq */
5613         if (asoc->idata_supported == 0) {
5614                 uint16_t sid;
5615
5616                 /* Flush all the un-ordered data based on cum-tsn */
5617                 SCTP_INP_READ_LOCK(stcb->sctp_ep);
5618                 for (sid = 0; sid < asoc->streamincnt; sid++) {
5619                         sctp_flush_reassm_for_str_seq(stcb, asoc, sid, 0, 0, new_cum_tsn);
5620                 }
5621                 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
5622         }
5623         /*******************************************************/
5624         /* 3. Update the PR-stream re-ordering queues and fix  */
5625         /* delivery issues as needed.                       */
5626         /*******************************************************/
5627         fwd_sz -= sizeof(*fwd);
5628         if (m && fwd_sz) {
5629                 /* New method. */
5630                 unsigned int num_str;
5631                 uint32_t mid, cur_mid;
5632                 uint16_t sid;
5633                 uint16_t ordered, flags;
5634                 struct sctp_strseq *stseq, strseqbuf;
5635                 struct sctp_strseq_mid *stseq_m, strseqbuf_m;
5636
5637                 offset += sizeof(*fwd);
5638
5639                 SCTP_INP_READ_LOCK(stcb->sctp_ep);
5640                 if (asoc->idata_supported) {
5641                         num_str = fwd_sz / sizeof(struct sctp_strseq_mid);
5642                 } else {
5643                         num_str = fwd_sz / sizeof(struct sctp_strseq);
5644                 }
5645                 for (i = 0; i < num_str; i++) {
5646                         if (asoc->idata_supported) {
5647                                 stseq_m = (struct sctp_strseq_mid *)sctp_m_getptr(m, offset,
5648                                     sizeof(struct sctp_strseq_mid),
5649                                     (uint8_t *)&strseqbuf_m);
5650                                 offset += sizeof(struct sctp_strseq_mid);
5651                                 if (stseq_m == NULL) {
5652                                         break;
5653                                 }
5654                                 sid = ntohs(stseq_m->sid);
5655                                 mid = ntohl(stseq_m->mid);
5656                                 flags = ntohs(stseq_m->flags);
5657                                 if (flags & PR_SCTP_UNORDERED_FLAG) {
5658                                         ordered = 0;
5659                                 } else {
5660                                         ordered = 1;
5661                                 }
5662                         } else {
5663                                 stseq = (struct sctp_strseq *)sctp_m_getptr(m, offset,
5664                                     sizeof(struct sctp_strseq),
5665                                     (uint8_t *)&strseqbuf);
5666                                 offset += sizeof(struct sctp_strseq);
5667                                 if (stseq == NULL) {
5668                                         break;
5669                                 }
5670                                 sid = ntohs(stseq->sid);
5671                                 mid = (uint32_t)ntohs(stseq->ssn);
5672                                 ordered = 1;
5673                         }
5674                         /* Convert */
5675
5676                         /* now process */
5677
5678                         /*
5679                          * Ok we now look for the stream/seq on the read
5680                          * queue where its not all delivered. If we find it
5681                          * we transmute the read entry into a PDI_ABORTED.
5682                          */
5683                         if (sid >= asoc->streamincnt) {
5684                                 /* screwed up streams, stop!  */
5685                                 break;
5686                         }
5687                         if ((asoc->str_of_pdapi == sid) &&
5688                             (asoc->ssn_of_pdapi == mid)) {
5689                                 /*
5690                                  * If this is the one we were partially
5691                                  * delivering now then we no longer are.
5692                                  * Note this will change with the reassembly
5693                                  * re-write.
5694                                  */
5695                                 asoc->fragmented_delivery_inprogress = 0;
5696                         }
5697                         strm = &asoc->strmin[sid];
5698                         for (cur_mid = strm->last_mid_delivered; SCTP_MID_GE(asoc->idata_supported, mid, cur_mid); cur_mid++) {
5699                                 sctp_flush_reassm_for_str_seq(stcb, asoc, sid, cur_mid, ordered, new_cum_tsn);
5700                         }
5701                         TAILQ_FOREACH(control, &stcb->sctp_ep->read_queue, next) {
5702                                 if ((control->sinfo_stream == sid) &&
5703                                     (SCTP_MID_EQ(asoc->idata_supported, control->mid, mid))) {
5704                                         str_seq = (sid << 16) | (0x0000ffff & mid);
5705                                         control->pdapi_aborted = 1;
5706                                         sv = stcb->asoc.control_pdapi;
5707                                         control->end_added = 1;
5708                                         if (control->on_strm_q == SCTP_ON_ORDERED) {
5709                                                 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
5710                                                 if (asoc->size_on_all_streams >= control->length) {
5711                                                         asoc->size_on_all_streams -= control->length;
5712                                                 } else {
5713 #ifdef INVARIANTS
5714                                                         panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5715 #else
5716                                                         asoc->size_on_all_streams = 0;
5717 #endif
5718                                                 }
5719                                                 sctp_ucount_decr(asoc->cnt_on_all_streams);
5720                                         } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5721                                                 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
5722 #ifdef INVARIANTS
5723                                         } else if (control->on_strm_q) {
5724                                                 panic("strm: %p ctl: %p unknown %d",
5725                                                     strm, control, control->on_strm_q);
5726 #endif
5727                                         }
5728                                         control->on_strm_q = 0;
5729                                         stcb->asoc.control_pdapi = control;
5730                                         sctp_ulp_notify(SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION,
5731                                             stcb,
5732                                             SCTP_PARTIAL_DELIVERY_ABORTED,
5733                                             (void *)&str_seq,
5734                                             SCTP_SO_NOT_LOCKED);
5735                                         stcb->asoc.control_pdapi = sv;
5736                                         break;
5737                                 } else if ((control->sinfo_stream == sid) &&
5738                                     SCTP_MID_GT(asoc->idata_supported, control->mid, mid)) {
5739                                         /* We are past our victim SSN */
5740                                         break;
5741                                 }
5742                         }
5743                         if (SCTP_MID_GT(asoc->idata_supported, mid, strm->last_mid_delivered)) {
5744                                 /* Update the sequence number */
5745                                 strm->last_mid_delivered = mid;
5746                         }
5747                         /* now kick the stream the new way */
5748                         /* sa_ignore NO_NULL_CHK */
5749                         sctp_kick_prsctp_reorder_queue(stcb, strm);
5750                 }
5751                 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
5752         }
5753         /*
5754          * Now slide thing forward.
5755          */
5756         sctp_slide_mapping_arrays(stcb);
5757 }