2 * Copyright (c) 2001-2006, Cisco Systems, Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
7 * a) Redistributions of source code must retain the above copyright notice,
8 * this list of conditions and the following disclaimer.
10 * b) Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the distribution.
14 * c) Neither the name of Cisco Systems, Inc. nor the names of its
15 * contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
28 * THE POSSIBILITY OF SUCH DAMAGE.
31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
36 #include <netinet/sctp_os.h>
37 #include <netinet/sctp_var.h>
38 #include <netinet/sctp_pcb.h>
39 #include <netinet/sctp_header.h>
40 #include <netinet/sctputil.h>
41 #include <netinet/sctp_output.h>
42 #include <netinet/sctp_input.h>
43 #include <netinet/sctp_auth.h>
44 #include <netinet/sctp_indata.h>
45 #include <netinet/sctp_asconf.h>
49 extern uint32_t sctp_debug_on;
56 struct sctp_foo_stuff sctp_logoff[30000];
57 int sctp_logoff_stuff = 0;
61 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
63 struct sctp_nets *net;
66 * This now not only stops all cookie timers it also stops any INIT
67 * timers as well. This will make sure that the timers are stopped
68 * in all collision cases.
70 SCTP_TCB_LOCK_ASSERT(stcb);
71 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
72 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
73 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
76 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
77 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
78 sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
81 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
88 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
89 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
90 struct sctp_nets *net)
92 struct sctp_init *init;
97 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
98 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb);
103 /* First are we accepting? */
104 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) {
106 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
107 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit);
111 * FIX ME ?? What about TCP model and we have a
112 * match/restart case?
114 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
117 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
119 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
120 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
123 /* validate parameters */
124 if (init->initiate_tag == 0) {
125 /* protocol error... send abort */
126 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
127 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
130 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
131 /* invalid parameter... send abort */
132 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
133 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
136 if (init->num_inbound_streams == 0) {
137 /* protocol error... send abort */
138 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
139 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
142 if (init->num_outbound_streams == 0) {
143 /* protocol error... send abort */
144 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
145 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
148 init_limit = offset + ntohs(cp->ch.chunk_length);
149 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
151 /* auth parameter(s) error... send abort */
152 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL);
155 /* send an INIT-ACK w/cookie */
157 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
158 printf("sctp_handle_init: sending INIT-ACK\n");
161 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp);
165 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
168 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
169 struct sctp_nets *net)
171 struct sctp_init *init;
172 struct sctp_association *asoc;
173 struct sctp_nets *lnet;
178 /* save off parameters */
179 asoc->peer_vtag = ntohl(init->initiate_tag);
180 asoc->peers_rwnd = ntohl(init->a_rwnd);
181 if (TAILQ_FIRST(&asoc->nets)) {
182 /* update any ssthresh's that may have a default */
183 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
184 lnet->ssthresh = asoc->peers_rwnd;
186 #if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING)
187 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
192 SCTP_TCB_SEND_LOCK(stcb);
193 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
195 struct sctp_stream_out *outs;
196 struct sctp_stream_queue_pending *sp;
198 /* cut back on number of streams */
199 newcnt = ntohs(init->num_inbound_streams);
200 /* This if is probably not needed but I am cautious */
202 /* First make sure no data chunks are trapped */
203 for (i = newcnt; i < asoc->pre_open_streams; i++) {
204 outs = &asoc->strmout[i];
205 sp = TAILQ_FIRST(&outs->outqueue);
207 TAILQ_REMOVE(&outs->outqueue, sp,
209 asoc->stream_queue_cnt--;
210 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
211 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT,
214 sctp_m_freem(sp->data);
217 sctp_free_remote_addr(sp->net);
220 printf("sp:%p tcb:%p weird free case\n",
223 sctp_free_a_strmoq(stcb, sp);
224 sp = TAILQ_FIRST(&outs->outqueue);
228 /* cut back the count and abandon the upper streams */
229 asoc->pre_open_streams = newcnt;
231 SCTP_TCB_SEND_UNLOCK(stcb);
232 asoc->streamoutcnt = asoc->pre_open_streams;
234 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
235 #ifdef SCTP_MAP_LOGGING
236 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
238 /* This is the next one we expect */
239 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
241 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
242 asoc->cumulative_tsn = asoc->asconf_seq_in;
243 asoc->last_echo_tsn = asoc->asconf_seq_in;
244 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
245 /* open the requested streams */
246 if (asoc->strmin != NULL) {
247 /* Free the old ones */
248 struct sctp_queued_to_read *ctl;
250 for (i = 0; i < asoc->streamincnt; i++) {
251 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
253 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next);
254 sctp_free_remote_addr(ctl->whoFrom);
255 sctp_m_freem(ctl->data);
257 sctp_free_a_readq(stcb, ctl);
258 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
261 SCTP_FREE(asoc->strmin);
263 asoc->streamincnt = ntohs(init->num_outbound_streams);
264 if (asoc->streamincnt > MAX_SCTP_STREAMS) {
265 asoc->streamincnt = MAX_SCTP_STREAMS;
267 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
268 sizeof(struct sctp_stream_in), "StreamsIn");
269 if (asoc->strmin == NULL) {
270 /* we didn't get memory for the streams! */
272 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
273 printf("process_init: couldn't get memory for the streams!\n");
278 for (i = 0; i < asoc->streamincnt; i++) {
279 asoc->strmin[i].stream_no = i;
280 asoc->strmin[i].last_sequence_delivered = 0xffff;
282 * U-stream ranges will be set when the cookie is unpacked.
283 * Or for the INIT sender they are un set (if pr-sctp not
284 * supported) when the INIT-ACK arrives.
286 TAILQ_INIT(&asoc->strmin[i].inqueue);
288 * we are not on any wheel, pr-sctp streams will go on the
289 * wheel when they have data waiting for reorder.
291 asoc->strmin[i].next_spoke.tqe_next = 0;
292 asoc->strmin[i].next_spoke.tqe_prev = 0;
296 * load_address_from_init will put the addresses into the
297 * association when the COOKIE is processed or the INIT-ACK is
298 * processed. Both types of COOKIE's existing and new call this
299 * routine. It will remove addresses that are no longer in the
300 * association (for the restarting case where addresses are
301 * removed). Up front when the INIT arrives we will discard it if it
302 * is a restart and new addresses have been added.
308 * INIT-ACK message processing/consumption returns value < 0 on error
311 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
312 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
313 struct sctp_nets *net)
315 struct sctp_association *asoc;
317 int retval, abort_flag;
318 uint32_t initack_limit;
320 /* First verify that we have no illegal param's */
324 op_err = sctp_arethere_unrecognized_parameters(m,
325 (offset + sizeof(struct sctp_init_chunk)),
326 &abort_flag, (struct sctp_chunkhdr *)cp);
328 /* Send an abort and notify peer */
329 if (op_err != NULL) {
330 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag);
333 * Just notify (abort_assoc does this if we send an
336 sctp_abort_notification(stcb, 0);
338 * No sense in further INIT's since we will get the
341 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);
346 /* process the peer's parameters in the INIT-ACK */
347 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
351 initack_limit = offset + ntohs(cp->ch.chunk_length);
352 /* load all addresses */
353 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen,
354 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
356 /* Huh, we should abort */
358 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
359 printf("Load addresses from INIT causes an abort %d\n", retval);
362 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
366 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
367 stcb->asoc.local_hmacs);
369 sctp_queue_op_err(stcb, op_err);
370 /* queuing will steal away the mbuf chain to the out queue */
373 /* extract the cookie and queue it to "echo" it back... */
374 stcb->asoc.overall_error_count = 0;
375 net->error_count = 0;
378 * Cancel the INIT timer, We do this first before queueing the
379 * cookie. We always cancel at the primary to assue that we are
380 * canceling the timer started by the INIT which always goes to the
383 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
384 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
386 /* calculate the RTO */
387 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered);
389 retval = sctp_send_cookie_echo(m, offset, stcb, net);
392 * No cookie, we probably should send a op error. But in any
393 * case if there is no cookie in the INIT-ACK, we can
394 * abandon the peer, its broke.
397 /* We abort with an error of missing mandatory param */
401 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM);
404 * Expand beyond to include the mandatory
407 struct sctp_inv_mandatory_param *mp;
409 SCTP_BUF_LEN(op_err) =
410 sizeof(struct sctp_inv_mandatory_param);
412 struct sctp_inv_mandatory_param *);
413 /* Subtract the reserved param */
415 htons(sizeof(struct sctp_inv_mandatory_param) - 2);
416 mp->num_param = htonl(1);
417 mp->param = htons(SCTP_STATE_COOKIE);
420 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
429 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
430 struct sctp_tcb *stcb, struct sctp_nets *net)
432 struct sockaddr_storage store;
433 struct sockaddr_in *sin;
434 struct sockaddr_in6 *sin6;
435 struct sctp_nets *r_net;
438 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
442 sin = (struct sockaddr_in *)&store;
443 sin6 = (struct sockaddr_in6 *)&store;
445 memset(&store, 0, sizeof(store));
446 if (cp->heartbeat.hb_info.addr_family == AF_INET &&
447 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
448 sin->sin_family = cp->heartbeat.hb_info.addr_family;
449 sin->sin_len = cp->heartbeat.hb_info.addr_len;
450 sin->sin_port = stcb->rport;
451 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address,
452 sizeof(sin->sin_addr));
453 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
454 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
455 sin6->sin6_family = cp->heartbeat.hb_info.addr_family;
456 sin6->sin6_len = cp->heartbeat.hb_info.addr_len;
457 sin6->sin6_port = stcb->rport;
458 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address,
459 sizeof(sin6->sin6_addr));
463 r_net = sctp_findnet(stcb, (struct sockaddr *)sin);
466 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
467 printf("Huh? I can't find the address I sent it to, discard\n");
472 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
473 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
474 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
476 * If the its a HB and it's random value is correct when can
477 * confirm the destination.
479 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
480 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
481 stcb, 0, (void *)r_net);
483 r_net->error_count = 0;
484 r_net->hb_responded = 1;
485 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
486 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
487 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) {
488 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE;
489 r_net->dest_state |= SCTP_ADDR_REACHABLE;
490 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
491 SCTP_HEARTBEAT_SUCCESS, (void *)r_net);
492 /* now was it the primary? if so restore */
493 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) {
494 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net);
497 /* Now lets do a RTO with this */
498 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv);
502 sctp_handle_abort(struct sctp_abort_chunk *cp,
503 struct sctp_tcb *stcb, struct sctp_nets *net)
507 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
508 printf("sctp_handle_abort: handling ABORT\n");
513 /* verify that the destination addr is in the association */
514 /* ignore abort for addresses being deleted */
516 /* stop any receive timers */
517 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
518 /* notify user of the abort and clean up... */
519 sctp_abort_notification(stcb, 0);
521 SCTP_STAT_INCR_COUNTER32(sctps_aborted);
522 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
523 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
524 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
526 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
528 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
529 printf("sctp_handle_abort: finished\n");
535 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
536 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
538 struct sctp_association *asoc;
539 int some_on_streamwheel;
542 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
543 printf("sctp_handle_shutdown: handling SHUTDOWN\n");
549 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
550 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
553 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
554 /* Shutdown NOT the expected size */
557 sctp_update_acked(stcb, cp, net, abort_flag);
559 if (asoc->control_pdapi) {
561 * With a normal shutdown we assume the end of last record.
563 SCTP_INP_READ_LOCK(stcb->sctp_ep);
564 asoc->control_pdapi->end_added = 1;
565 asoc->control_pdapi->pdapi_aborted = 1;
566 asoc->control_pdapi = NULL;
567 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
568 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
570 /* goto SHUTDOWN_RECEIVED state to block new requests */
571 if (stcb->sctp_socket) {
572 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
573 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
574 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED;
576 * notify upper layer that peer has initiated a
579 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL);
582 SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
585 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
587 * stop the shutdown timer, since we WILL move to
590 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
592 /* Now are we there yet? */
593 some_on_streamwheel = 0;
594 if (!TAILQ_EMPTY(&asoc->out_wheel)) {
595 /* Check to see if some data queued */
596 struct sctp_stream_out *outs;
598 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) {
599 if (!TAILQ_EMPTY(&outs->outqueue)) {
600 some_on_streamwheel = 1;
605 if (!TAILQ_EMPTY(&asoc->send_queue) ||
606 !TAILQ_EMPTY(&asoc->sent_queue) ||
607 some_on_streamwheel) {
608 /* By returning we will push more data out */
611 /* no outstanding data to send, so move on... */
612 /* send SHUTDOWN-ACK */
613 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
614 /* move to SHUTDOWN-ACK-SENT state */
615 if (asoc->state == SCTP_STATE_SHUTDOWN_RECEIVED) {
616 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
618 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT;
620 /* start SHUTDOWN timer */
621 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
627 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
628 struct sctp_tcb *stcb, struct sctp_nets *net)
630 struct sctp_association *asoc;
633 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
634 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
641 /* process according to association state */
642 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
643 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
644 /* unexpected SHUTDOWN-ACK... so ignore... */
645 SCTP_TCB_UNLOCK(stcb);
648 if (asoc->control_pdapi) {
650 * With a normal shutdown we assume the end of last record.
652 SCTP_INP_READ_LOCK(stcb->sctp_ep);
653 asoc->control_pdapi->end_added = 1;
654 asoc->control_pdapi->pdapi_aborted = 1;
655 asoc->control_pdapi = NULL;
656 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
657 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
659 /* are the queues empty? */
660 if (!TAILQ_EMPTY(&asoc->send_queue) ||
661 !TAILQ_EMPTY(&asoc->sent_queue) ||
662 !TAILQ_EMPTY(&asoc->out_wheel)) {
663 sctp_report_all_outbound(stcb, 0);
666 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
667 /* send SHUTDOWN-COMPLETE */
668 sctp_send_shutdown_complete(stcb, net);
669 /* notify upper layer protocol */
670 if (stcb->sctp_socket) {
671 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);
672 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
673 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
674 /* Set the connected flag to disconnected */
675 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0;
678 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
679 /* free the TCB but first save off the ep */
680 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
681 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
685 * Skip past the param header and then we will find the chunk that caused the
686 * problem. There are two possiblities ASCONF or FWD-TSN other than that and
687 * our peer must be broken.
690 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
691 struct sctp_nets *net)
693 struct sctp_chunkhdr *chk;
695 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
696 switch (chk->chunk_type) {
697 case SCTP_ASCONF_ACK:
699 sctp_asconf_cleanup(stcb, net);
701 case SCTP_FORWARD_CUM_TSN:
702 stcb->asoc.peer_supports_prsctp = 0;
706 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
707 printf("Peer does not support chunk type %d(%x)??\n",
708 chk->chunk_type, (uint32_t) chk->chunk_type);
716 * Skip past the param header and then we will find the param that caused the
717 * problem. There are a number of param's in a ASCONF OR the prsctp param
718 * these will turn of specific features.
721 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
723 struct sctp_paramhdr *pbad;
726 switch (ntohs(pbad->param_type)) {
728 case SCTP_PRSCTP_SUPPORTED:
729 stcb->asoc.peer_supports_prsctp = 0;
731 case SCTP_SUPPORTED_CHUNK_EXT:
733 /* draft-ietf-tsvwg-addip-sctp */
734 case SCTP_ECN_NONCE_SUPPORTED:
735 stcb->asoc.peer_supports_ecn_nonce = 0;
736 stcb->asoc.ecn_nonce_allowed = 0;
737 stcb->asoc.ecn_allowed = 0;
739 case SCTP_ADD_IP_ADDRESS:
740 case SCTP_DEL_IP_ADDRESS:
741 case SCTP_SET_PRIM_ADDR:
742 stcb->asoc.peer_supports_asconf = 0;
744 case SCTP_SUCCESS_REPORT:
745 case SCTP_ERROR_CAUSE_IND:
747 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
748 printf("Huh, the peer does not support success? or error cause?\n");
749 printf("Turning off ASCONF to this strange peer\n");
752 stcb->asoc.peer_supports_asconf = 0;
756 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
757 printf("Peer does not support param type %d(%x)??\n",
758 pbad->param_type, (uint32_t) pbad->param_type);
766 sctp_handle_error(struct sctp_chunkhdr *ch,
767 struct sctp_tcb *stcb, struct sctp_nets *net)
770 struct sctp_paramhdr *phdr;
773 struct sctp_association *asoc;
777 /* parse through all of the errors and process */
779 phdr = (struct sctp_paramhdr *)((caddr_t)ch +
780 sizeof(struct sctp_chunkhdr));
781 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
782 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
783 /* Process an Error Cause */
784 error_type = ntohs(phdr->param_type);
785 error_len = ntohs(phdr->param_length);
786 if ((error_len > chklen) || (error_len == 0)) {
787 /* invalid param length for this param */
789 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
790 printf("Bogus length in error param- chunk left:%d errorlen:%d\n",
793 #endif /* SCTP_DEBUG */
796 switch (error_type) {
797 case SCTP_CAUSE_INVALID_STREAM:
798 case SCTP_CAUSE_MISSING_PARAM:
799 case SCTP_CAUSE_INVALID_PARAM:
800 case SCTP_CAUSE_NO_USER_DATA:
802 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
803 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n",
808 case SCTP_CAUSE_STALE_COOKIE:
810 * We only act if we have echoed a cookie and are
813 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
816 p = (int *)((caddr_t)phdr + sizeof(*phdr));
817 /* Save the time doubled */
818 asoc->cookie_preserve_req = ntohl(*p) << 1;
819 asoc->stale_cookie_count++;
820 if (asoc->stale_cookie_count >
821 asoc->max_init_times) {
822 sctp_abort_notification(stcb, 0);
823 /* now free the asoc */
824 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
827 /* blast back to INIT state */
828 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
829 asoc->state |= SCTP_STATE_COOKIE_WAIT;
831 sctp_stop_all_cookie_timers(stcb);
832 sctp_send_initiate(stcb->sctp_ep, stcb);
835 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
837 * Nothing we can do here, we don't do hostname
838 * addresses so if the peer does not like my IPv6
839 * (or IPv4 for that matter) it does not matter. If
840 * they don't support that type of address, they can
841 * NOT possibly get that packet type... i.e. with no
842 * IPv6 you can't recieve a IPv6 packet. so we can
843 * safely ignore this one. If we ever added support
844 * for HOSTNAME Addresses, then we would need to do
848 case SCTP_CAUSE_UNRECOG_CHUNK:
849 sctp_process_unrecog_chunk(stcb, phdr, net);
851 case SCTP_CAUSE_UNRECOG_PARAM:
852 sctp_process_unrecog_param(stcb, phdr);
854 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
856 * We ignore this since the timer will drive out a
857 * new cookie anyway and there timer will drive us
858 * to send a SHUTDOWN_COMPLETE. We can't send one
859 * here since we don't have their tag.
862 case SCTP_CAUSE_DELETING_LAST_ADDR:
863 case SCTP_CAUSE_RESOURCE_SHORTAGE:
864 case SCTP_CAUSE_DELETING_SRC_ADDR:
866 * We should NOT get these here, but in a
870 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
871 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n",
876 case SCTP_CAUSE_OUT_OF_RESC:
878 * And what, pray tell do we do with the fact that
879 * the peer is out of resources? Not really sure we
880 * could do anything but abort. I suspect this
881 * should have came WITH an abort instead of in a
887 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
888 /* don't know what this error cause is... */
889 printf("sctp_handle_error: unknown error type = 0x%xh\n",
892 #endif /* SCTP_DEBUG */
895 adjust = SCTP_SIZE32(error_len);
897 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
903 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
904 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
905 struct sctp_nets *net)
907 struct sctp_init_ack *init_ack;
912 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
913 printf("sctp_handle_init_ack: handling INIT-ACK\n");
918 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
919 printf("sctp_handle_init_ack: TCB is null\n");
924 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
926 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
927 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
931 init_ack = &cp->init;
932 /* validate parameters */
933 if (init_ack->initiate_tag == 0) {
934 /* protocol error... send an abort */
935 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
936 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
940 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
941 /* protocol error... send an abort */
942 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
943 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
947 if (init_ack->num_inbound_streams == 0) {
948 /* protocol error... send an abort */
949 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
950 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
954 if (init_ack->num_outbound_streams == 0) {
955 /* protocol error... send an abort */
956 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
957 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
961 /* process according to association state... */
962 state = &stcb->asoc.state;
963 switch (*state & SCTP_STATE_MASK) {
964 case SCTP_STATE_COOKIE_WAIT:
965 /* this is the expected state for this chunk */
966 /* process the INIT-ACK parameters */
967 if (stcb->asoc.primary_destination->dest_state &
968 SCTP_ADDR_UNCONFIRMED) {
970 * The primary is where we sent the INIT, we can
971 * always consider it confirmed when the INIT-ACK is
972 * returned. Do this before we load addresses
975 stcb->asoc.primary_destination->dest_state &=
976 ~SCTP_ADDR_UNCONFIRMED;
977 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
978 stcb, 0, (void *)stcb->asoc.primary_destination);
980 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net
982 /* error in parsing parameters */
985 /* update our state */
987 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
988 printf("moving to COOKIE-ECHOED state\n");
991 if (*state & SCTP_STATE_SHUTDOWN_PENDING) {
992 *state = SCTP_STATE_COOKIE_ECHOED |
993 SCTP_STATE_SHUTDOWN_PENDING;
995 *state = SCTP_STATE_COOKIE_ECHOED;
998 /* reset the RTO calc */
999 stcb->asoc.overall_error_count = 0;
1000 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
1002 * collapse the init timer back in case of a exponential
1005 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
1008 * the send at the end of the inbound data processing will
1009 * cause the cookie to be sent
1012 case SCTP_STATE_SHUTDOWN_SENT:
1013 /* incorrect state... discard */
1015 case SCTP_STATE_COOKIE_ECHOED:
1016 /* incorrect state... discard */
1018 case SCTP_STATE_OPEN:
1019 /* incorrect state... discard */
1021 case SCTP_STATE_EMPTY:
1022 case SCTP_STATE_INUSE:
1024 /* incorrect state... discard */
1027 } /* end switch asoc state */
1029 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1030 printf("Leaving handle-init-ack end\n");
1038 * handle a state cookie for an existing association m: input packet mbuf
1039 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
1040 * "split" mbuf and the cookie signature does not exist offset: offset into
1041 * mbuf to the cookie-echo chunk
1043 static struct sctp_tcb *
1044 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1045 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1046 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
1047 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id)
1049 struct sctp_association *asoc;
1050 struct sctp_init_chunk *init_cp, init_buf;
1051 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1053 int init_offset, initack_offset, i;
1058 /* I know that the TCB is non-NULL from the caller */
1060 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); i++) {
1061 if (asoc->cookie_how[how_indx] == 0)
1064 if (how_indx < sizeof(asoc->cookie_how)) {
1065 asoc->cookie_how[how_indx] = 1;
1067 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1068 /* SHUTDOWN came in after sending INIT-ACK */
1069 struct mbuf *op_err;
1070 struct sctp_paramhdr *ph;
1072 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1073 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
1074 0, M_DONTWAIT, 1, MT_DATA);
1075 if (op_err == NULL) {
1079 /* pre-reserve some space */
1080 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
1081 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
1082 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
1084 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
1085 ph = mtod(op_err, struct sctp_paramhdr *);
1086 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
1087 ph->param_length = htons(sizeof(struct sctp_paramhdr));
1088 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1089 if (how_indx < sizeof(asoc->cookie_how))
1090 asoc->cookie_how[how_indx] = 2;
1094 * find and validate the INIT chunk in the cookie (peer's info) the
1095 * INIT should start after the cookie-echo header struct (chunk
1096 * header, state cookie header struct)
1098 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1100 init_cp = (struct sctp_init_chunk *)
1101 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1102 (uint8_t *) & init_buf);
1103 if (init_cp == NULL) {
1104 /* could not pull a INIT chunk in cookie */
1107 chk_length = ntohs(init_cp->ch.chunk_length);
1108 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1112 * find and validate the INIT-ACK chunk in the cookie (my info) the
1113 * INIT-ACK follows the INIT chunk
1115 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1116 initack_cp = (struct sctp_init_ack_chunk *)
1117 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1118 (uint8_t *) & initack_buf);
1119 if (initack_cp == NULL) {
1120 /* could not pull INIT-ACK chunk in cookie */
1123 chk_length = ntohs(initack_cp->ch.chunk_length);
1124 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1127 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1128 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1130 * case D in Section 5.2.4 Table 2: MMAA process accordingly
1131 * to get into the OPEN state
1133 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1135 panic("Case D and non-match seq?");
1137 printf("Case D, seq non-match %x vs %x?\n",
1138 ntohl(initack_cp->init.initial_tsn), asoc->init_seq_number);
1141 switch SCTP_GET_STATE
1143 case SCTP_STATE_COOKIE_WAIT:
1144 case SCTP_STATE_COOKIE_ECHOED:
1146 * INIT was sent, but got got a COOKIE_ECHO with the
1147 * correct tags... just accept it...but we must
1148 * process the init so that we can make sure we have
1149 * the right seq no's.
1151 /* First we must process the INIT !! */
1152 retval = sctp_process_init(init_cp, stcb, net);
1154 if (how_indx < sizeof(asoc->cookie_how))
1155 asoc->cookie_how[how_indx] = 3;
1158 /* we have already processed the INIT so no problem */
1159 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1160 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
1161 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
1162 /* update current state */
1163 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1164 asoc->state = SCTP_STATE_OPEN |
1165 SCTP_STATE_SHUTDOWN_PENDING;
1166 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1167 stcb->sctp_ep, stcb, asoc->primary_destination);
1169 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) {
1170 /* if ok, move to OPEN state */
1171 asoc->state = SCTP_STATE_OPEN;
1173 sctp_stop_all_cookie_timers(stcb);
1174 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1175 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1176 (inp->sctp_socket->so_qlimit == 0)
1179 * Here is where collision would go if we
1180 * did a connect() and instead got a
1181 * init/init-ack/cookie done before the
1182 * init-ack came back..
1184 stcb->sctp_ep->sctp_flags |=
1185 SCTP_PCB_FLAGS_CONNECTED;
1186 soisconnected(stcb->sctp_ep->sctp_socket);
1188 /* notify upper layer */
1189 *notification = SCTP_NOTIFY_ASSOC_UP;
1191 * since we did not send a HB make sure we don't
1194 net->hb_responded = 1;
1196 if (stcb->asoc.sctp_autoclose_ticks &&
1197 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
1198 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1204 * we're in the OPEN state (or beyond), so peer must
1205 * have simply lost the COOKIE-ACK
1209 sctp_stop_all_cookie_timers(stcb);
1211 * We ignore the return code here.. not sure if we should
1212 * somehow abort.. but we do have an existing asoc. This
1213 * really should not fail.
1215 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1216 init_offset + sizeof(struct sctp_init_chunk),
1217 initack_offset, sh, init_src)) {
1218 if (how_indx < sizeof(asoc->cookie_how))
1219 asoc->cookie_how[how_indx] = 4;
1222 /* respond with a COOKIE-ACK */
1223 sctp_toss_old_cookies(stcb, asoc);
1224 sctp_send_cookie_ack(stcb);
1225 if (how_indx < sizeof(asoc->cookie_how))
1226 asoc->cookie_how[how_indx] = 5;
1229 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1230 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1231 cookie->tie_tag_my_vtag == 0 &&
1232 cookie->tie_tag_peer_vtag == 0) {
1234 * case C in Section 5.2.4 Table 2: XMOO silently discard
1236 if (how_indx < sizeof(asoc->cookie_how))
1237 asoc->cookie_how[how_indx] = 6;
1240 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag &&
1241 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag ||
1242 init_cp->init.initiate_tag == 0)) {
1244 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
1245 * should be ok, re-accept peer info
1247 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1249 * Extension of case C. If we hit this, then the
1250 * random number generator returned the same vtag
1251 * when we first sent our INIT-ACK and when we later
1252 * sent our INIT. The side with the seq numbers that
1253 * are different will be the one that normnally
1254 * would have hit case C. This in effect "extends"
1255 * our vtags in this collision case to be 64 bits.
1256 * The same collision could occur aka you get both
1257 * vtag and seq number the same twice in a row.. but
1258 * is much less likely. If it did happen then we
1259 * would proceed through and bring up the assoc.. we
1260 * may end up with the wrong stream setup however..
1261 * which would be bad.. but there is no way to
1262 * tell.. until we send on a stream that does not
1265 if (how_indx < sizeof(asoc->cookie_how))
1266 asoc->cookie_how[how_indx] = 7;
1270 if (how_indx < sizeof(asoc->cookie_how))
1271 asoc->cookie_how[how_indx] = 8;
1272 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
1273 sctp_stop_all_cookie_timers(stcb);
1275 * since we did not send a HB make sure we don't double
1278 net->hb_responded = 1;
1279 if (stcb->asoc.sctp_autoclose_ticks &&
1280 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
1281 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1284 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1285 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1287 /* Note last_cwr_tsn? where is this used? */
1288 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1289 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
1291 * Ok the peer probably discarded our data (if we
1292 * echoed a cookie+data). So anything on the
1293 * sent_queue should be marked for retransmit, we
1294 * may not get something to kick us so it COULD
1295 * still take a timeout to move these.. but it can't
1296 * hurt to mark them.
1298 struct sctp_tmit_chunk *chk;
1300 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
1301 if (chk->sent < SCTP_DATAGRAM_RESEND) {
1302 chk->sent = SCTP_DATAGRAM_RESEND;
1303 stcb->asoc.sent_queue_retran_cnt++;
1309 /* process the INIT info (peer's info) */
1310 retval = sctp_process_init(init_cp, stcb, net);
1312 if (how_indx < sizeof(asoc->cookie_how))
1313 asoc->cookie_how[how_indx] = 9;
1316 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1317 init_offset + sizeof(struct sctp_init_chunk),
1318 initack_offset, sh, init_src)) {
1319 if (how_indx < sizeof(asoc->cookie_how))
1320 asoc->cookie_how[how_indx] = 10;
1323 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1324 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1325 *notification = SCTP_NOTIFY_ASSOC_UP;
1327 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1328 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1329 (inp->sctp_socket->so_qlimit == 0)) {
1330 stcb->sctp_ep->sctp_flags |=
1331 SCTP_PCB_FLAGS_CONNECTED;
1332 soisconnected(stcb->sctp_ep->sctp_socket);
1335 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1336 asoc->state = SCTP_STATE_OPEN |
1337 SCTP_STATE_SHUTDOWN_PENDING;
1338 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1339 stcb->sctp_ep, stcb, asoc->primary_destination);
1342 asoc->state = SCTP_STATE_OPEN;
1344 sctp_stop_all_cookie_timers(stcb);
1345 sctp_toss_old_cookies(stcb, asoc);
1346 sctp_send_cookie_ack(stcb);
1349 * only if we have retrans set do we do this. What
1350 * this call does is get only the COOKIE-ACK out and
1351 * then when we return the normal call to
1352 * sctp_chunk_output will get the retrans out behind
1355 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK);
1357 if (how_indx < sizeof(asoc->cookie_how))
1358 asoc->cookie_how[how_indx] = 11;
1362 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1363 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1364 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1365 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1366 cookie->tie_tag_peer_vtag != 0) {
1367 struct sctpasochead *head;
1370 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1373 if (how_indx < sizeof(asoc->cookie_how))
1374 asoc->cookie_how[how_indx] = 12;
1375 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
1376 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
1378 *sac_assoc_id = sctp_get_associd(stcb);
1379 /* notify upper layer */
1380 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1381 atomic_add_int(&stcb->asoc.refcnt, 1);
1382 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1383 asoc->state = SCTP_STATE_OPEN |
1384 SCTP_STATE_SHUTDOWN_PENDING;
1385 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1386 stcb->sctp_ep, stcb, asoc->primary_destination);
1388 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1389 /* move to OPEN state, if not in SHUTDOWN_SENT */
1390 asoc->state = SCTP_STATE_OPEN;
1392 asoc->pre_open_streams =
1393 ntohs(initack_cp->init.num_outbound_streams);
1394 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1395 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1397 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1398 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1400 asoc->str_reset_seq_in = asoc->init_seq_number;
1402 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1403 if (asoc->mapping_array)
1404 memset(asoc->mapping_array, 0,
1405 asoc->mapping_array_size);
1406 SCTP_TCB_UNLOCK(stcb);
1407 SCTP_INP_INFO_WLOCK();
1408 SCTP_INP_WLOCK(stcb->sctp_ep);
1409 SCTP_TCB_LOCK(stcb);
1410 atomic_add_int(&stcb->asoc.refcnt, -1);
1411 /* send up all the data */
1412 SCTP_TCB_SEND_LOCK(stcb);
1414 sctp_report_all_outbound(stcb, 1);
1415 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
1416 stcb->asoc.strmout[i].stream_no = i;
1417 stcb->asoc.strmout[i].next_sequence_sent = 0;
1418 stcb->asoc.strmout[i].last_msg_incomplete = 0;
1420 /* process the INIT-ACK info (my info) */
1421 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1422 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1424 /* pull from vtag hash */
1425 LIST_REMOVE(stcb, sctp_asocs);
1426 /* re-insert to new vtag position */
1427 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
1428 sctppcbinfo.hashasocmark)];
1430 * put it in the bucket in the vtag hash of assoc's for the
1433 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
1435 /* Is this the first restart? */
1436 if (stcb->asoc.in_restart_hash == 0) {
1437 /* Ok add it to assoc_id vtag hash */
1438 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id,
1439 sctppcbinfo.hashrestartmark)];
1440 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash);
1441 stcb->asoc.in_restart_hash = 1;
1443 /* process the INIT info (peer's info) */
1444 SCTP_TCB_SEND_UNLOCK(stcb);
1445 SCTP_INP_WUNLOCK(stcb->sctp_ep);
1446 SCTP_INP_INFO_WUNLOCK();
1448 retval = sctp_process_init(init_cp, stcb, net);
1450 if (how_indx < sizeof(asoc->cookie_how))
1451 asoc->cookie_how[how_indx] = 13;
1456 * since we did not send a HB make sure we don't double
1459 net->hb_responded = 1;
1461 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1462 init_offset + sizeof(struct sctp_init_chunk),
1463 initack_offset, sh, init_src)) {
1464 if (how_indx < sizeof(asoc->cookie_how))
1465 asoc->cookie_how[how_indx] = 14;
1469 /* respond with a COOKIE-ACK */
1470 sctp_stop_all_cookie_timers(stcb);
1471 sctp_toss_old_cookies(stcb, asoc);
1472 sctp_send_cookie_ack(stcb);
1473 if (how_indx < sizeof(asoc->cookie_how))
1474 asoc->cookie_how[how_indx] = 15;
1478 if (how_indx < sizeof(asoc->cookie_how))
1479 asoc->cookie_how[how_indx] = 16;
1480 /* all other cases... */
1486 * handle a state cookie for a new association m: input packet mbuf chain--
1487 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
1488 * and the cookie signature does not exist offset: offset into mbuf to the
1489 * cookie-echo chunk length: length of the cookie chunk to: where the init
1490 * was from returns a new TCB
1492 static struct sctp_tcb *
1493 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1494 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1495 struct sctp_inpcb *inp, struct sctp_nets **netp,
1496 struct sockaddr *init_src, int *notification,
1497 int auth_skipped, uint32_t auth_offset, uint32_t auth_len)
1499 struct sctp_tcb *stcb;
1500 struct sctp_init_chunk *init_cp, init_buf;
1501 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1502 struct sockaddr_storage sa_store;
1503 struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
1504 struct sockaddr_in *sin;
1505 struct sockaddr_in6 *sin6;
1506 struct sctp_association *asoc;
1508 int init_offset, initack_offset, initack_limit;
1512 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER];
1515 * find and validate the INIT chunk in the cookie (peer's info) the
1516 * INIT should start after the cookie-echo header struct (chunk
1517 * header, state cookie header struct)
1519 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
1520 init_cp = (struct sctp_init_chunk *)
1521 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1522 (uint8_t *) & init_buf);
1523 if (init_cp == NULL) {
1524 /* could not pull a INIT chunk in cookie */
1526 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1527 printf("process_cookie_new: could not pull INIT chunk hdr\n");
1529 #endif /* SCTP_DEBUG */
1532 chk_length = ntohs(init_cp->ch.chunk_length);
1533 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1535 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1536 printf("HUH? process_cookie_new: could not find INIT chunk!\n");
1538 #endif /* SCTP_DEBUG */
1541 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1543 * find and validate the INIT-ACK chunk in the cookie (my info) the
1544 * INIT-ACK follows the INIT chunk
1546 initack_cp = (struct sctp_init_ack_chunk *)
1547 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1548 (uint8_t *) & initack_buf);
1549 if (initack_cp == NULL) {
1550 /* could not pull INIT-ACK chunk in cookie */
1552 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1553 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n");
1555 #endif /* SCTP_DEBUG */
1558 chk_length = ntohs(initack_cp->ch.chunk_length);
1559 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1563 * NOTE: We can't use the INIT_ACK's chk_length to determine the
1564 * "initack_limit" value. This is because the chk_length field
1565 * includes the length of the cookie, but the cookie is omitted when
1566 * the INIT and INIT_ACK are tacked onto the cookie...
1568 initack_limit = offset + cookie_len;
1571 * now that we know the INIT/INIT-ACK are in place, create a new TCB
1574 stcb = sctp_aloc_assoc(inp, init_src, 0, &error,
1575 ntohl(initack_cp->init.initiate_tag));
1577 struct mbuf *op_err;
1579 /* memory problem? */
1581 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1582 printf("process_cookie_new: no room for another TCB!\n");
1584 #endif /* SCTP_DEBUG */
1585 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1586 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
1590 /* get the correct sctp_nets */
1591 *netp = sctp_findnet(stcb, init_src);
1593 /* get scope variables out of cookie */
1594 asoc->ipv4_local_scope = cookie->ipv4_scope;
1595 asoc->site_scope = cookie->site_scope;
1596 asoc->local_scope = cookie->local_scope;
1597 asoc->loopback_scope = cookie->loopback_scope;
1599 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
1600 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
1601 struct mbuf *op_err;
1604 * Houston we have a problem. The EP changed while the
1605 * cookie was in flight. Only recourse is to abort the
1608 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1609 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
1613 /* process the INIT-ACK info (my info) */
1614 old_tag = asoc->my_vtag;
1615 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1616 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1617 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1618 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1619 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1620 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1621 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1622 asoc->str_reset_seq_in = asoc->init_seq_number;
1624 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1626 /* process the INIT info (peer's info) */
1627 retval = sctp_process_init(init_cp, stcb, *netp);
1629 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
1632 /* load all addresses */
1633 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1634 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
1636 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
1640 * verify any preceding AUTH chunk that was skipped
1642 /* pull the local authentication parameters from the cookie/init-ack */
1643 sctp_auth_get_cookie_params(stcb, m,
1644 initack_offset + sizeof(struct sctp_init_ack_chunk),
1645 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
1647 struct sctp_auth_chunk *auth;
1649 auth = (struct sctp_auth_chunk *)
1650 sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
1651 if (sctp_handle_auth(stcb, auth, m, auth_offset)) {
1652 /* auth HMAC failed, dump the assoc and packet */
1654 if (sctp_debug_on & SCTP_DEBUG_AUTH1)
1655 printf("COOKIE-ECHO: AUTH failed\n");
1656 #endif /* SCTP_DEBUG */
1657 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
1660 /* remaining chunks checked... good to go */
1661 stcb->asoc.authenticated = 1;
1664 /* update current state */
1666 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1667 printf("moving to OPEN state\n");
1670 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1671 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
1672 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1673 stcb->sctp_ep, stcb, asoc->primary_destination);
1675 asoc->state = SCTP_STATE_OPEN;
1677 sctp_stop_all_cookie_timers(stcb);
1678 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
1679 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1682 * if we're doing ASCONFs, check to see if we have any new local
1683 * addresses that need to get added to the peer (eg. addresses
1684 * changed while cookie echo in flight). This needs to be done
1685 * after we go to the OPEN state to do the correct asconf
1686 * processing. else, make sure we have the correct addresses in our
1690 /* warning, we re-use sin, sin6, sa_store here! */
1691 /* pull in local_address (our "from" address) */
1692 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
1693 /* source addr is IPv4 */
1694 sin = (struct sockaddr_in *)initack_src;
1695 memset(sin, 0, sizeof(*sin));
1696 sin->sin_family = AF_INET;
1697 sin->sin_len = sizeof(struct sockaddr_in);
1698 sin->sin_addr.s_addr = cookie->laddress[0];
1699 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
1700 /* source addr is IPv6 */
1701 sin6 = (struct sockaddr_in6 *)initack_src;
1702 memset(sin6, 0, sizeof(*sin6));
1703 sin6->sin6_family = AF_INET6;
1704 sin6->sin6_len = sizeof(struct sockaddr_in6);
1705 sin6->sin6_scope_id = cookie->scope_id;
1706 memcpy(&sin6->sin6_addr, cookie->laddress,
1707 sizeof(sin6->sin6_addr));
1709 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
1713 sctp_check_address_list(stcb, m,
1714 initack_offset + sizeof(struct sctp_init_ack_chunk),
1715 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
1716 initack_src, cookie->local_scope, cookie->site_scope,
1717 cookie->ipv4_scope, cookie->loopback_scope);
1720 /* set up to notify upper layer */
1721 *notification = SCTP_NOTIFY_ASSOC_UP;
1722 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1723 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1724 (inp->sctp_socket->so_qlimit == 0)) {
1726 * This is an endpoint that called connect() how it got a
1727 * cookie that is NEW is a bit of a mystery. It must be that
1728 * the INIT was sent, but before it got there.. a complete
1729 * INIT/INIT-ACK/COOKIE arrived. But of course then it
1730 * should have went to the other code.. not here.. oh well..
1731 * a bit of protection is worth having..
1733 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
1734 soisconnected(stcb->sctp_ep->sctp_socket);
1735 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
1736 (inp->sctp_socket->so_qlimit)) {
1738 * We don't want to do anything with this one. Since it is
1739 * the listening guy. The timer will get started for
1740 * accepted connections in the caller.
1744 /* since we did not send a HB make sure we don't double things */
1745 (*netp)->hb_responded = 1;
1747 if (stcb->asoc.sctp_autoclose_ticks &&
1748 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
1749 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
1751 /* respond with a COOKIE-ACK */
1752 /* calculate the RTT */
1753 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
1754 &cookie->time_entered);
1755 sctp_send_cookie_ack(stcb);
1761 * handles a COOKIE-ECHO message stcb: modified to either a new or left as
1762 * existing (non-NULL) TCB
1764 static struct mbuf *
1765 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
1766 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
1767 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
1768 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, struct sctp_tcb **locked_tcb)
1770 struct sctp_state_cookie *cookie;
1771 struct sockaddr_in6 sin6;
1772 struct sockaddr_in sin;
1773 struct sctp_tcb *l_stcb = *stcb;
1774 struct sctp_inpcb *l_inp;
1775 struct sockaddr *to;
1776 sctp_assoc_t sac_restart_id;
1777 struct sctp_pcb *ep;
1779 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
1781 uint8_t cookie_ok = 0;
1782 unsigned int size_of_pkt, sig_offset, cookie_offset;
1783 unsigned int cookie_len;
1785 struct timeval time_expires;
1786 struct sockaddr_storage dest_store;
1787 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
1789 int notification = 0;
1790 struct sctp_nets *netl;
1791 int had_a_existing_tcb = 0;
1794 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1795 printf("sctp_handle_cookie: handling COOKIE-ECHO\n");
1799 if (inp_p == NULL) {
1802 /* First get the destination address setup too. */
1803 iph = mtod(m, struct ip *);
1804 if (iph->ip_v == IPVERSION) {
1806 struct sockaddr_in *sin;
1808 sin = (struct sockaddr_in *)(localep_sa);
1809 memset(sin, 0, sizeof(*sin));
1810 sin->sin_family = AF_INET;
1811 sin->sin_len = sizeof(*sin);
1812 sin->sin_port = sh->dest_port;
1813 sin->sin_addr.s_addr = iph->ip_dst.s_addr;
1814 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph);
1816 } else if (iph->ip_v == (IPV6_VERSION >> 4)) {
1818 struct ip6_hdr *ip6;
1819 struct sockaddr_in6 *sin6;
1821 sin6 = (struct sockaddr_in6 *)(localep_sa);
1822 memset(sin6, 0, sizeof(*sin6));
1823 sin6->sin6_family = AF_INET6;
1824 sin6->sin6_len = sizeof(struct sockaddr_in6);
1825 ip6 = mtod(m, struct ip6_hdr *);
1826 sin6->sin6_port = sh->dest_port;
1827 sin6->sin6_addr = ip6->ip6_dst;
1828 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6);
1833 cookie = &cp->cookie;
1834 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
1835 cookie_len = ntohs(cp->ch.chunk_length);
1837 if ((cookie->peerport != sh->src_port) &&
1838 (cookie->myport != sh->dest_port) &&
1839 (cookie->my_vtag != sh->v_tag)) {
1841 * invalid ports or bad tag. Note that we always leave the
1842 * v_tag in the header in network order and when we stored
1843 * it in the my_vtag slot we also left it in network order.
1844 * This maintians the match even though it may be in the
1845 * opposite byte order of the machine :->
1849 if (cookie_len > size_of_pkt ||
1850 cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
1851 sizeof(struct sctp_init_chunk) +
1852 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
1853 /* cookie too long! or too small */
1857 * split off the signature into its own mbuf (since it should not be
1858 * calculated in the sctp_hmac_m() call).
1860 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
1861 if (sig_offset > size_of_pkt) {
1862 /* packet not correct size! */
1863 /* XXX this may already be accounted for earlier... */
1866 m_sig = m_split(m, sig_offset, M_DONTWAIT);
1867 if (m_sig == NULL) {
1868 /* out of memory or ?? */
1872 * compute the signature/digest for the cookie
1874 ep = &(*inp_p)->sctp_ep;
1877 SCTP_TCB_UNLOCK(l_stcb);
1879 SCTP_INP_RLOCK(l_inp);
1881 SCTP_TCB_LOCK(l_stcb);
1883 /* which cookie is it? */
1884 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
1885 (ep->current_secret_number != ep->last_secret_number)) {
1886 /* it's the old cookie */
1887 sctp_hmac_m(SCTP_HMAC,
1888 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
1889 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1891 /* it's the current cookie */
1892 sctp_hmac_m(SCTP_HMAC,
1893 (uint8_t *) ep->secret_key[(int)ep->current_secret_number],
1894 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1896 /* get the signature */
1897 SCTP_INP_RUNLOCK(l_inp);
1898 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
1900 /* couldn't find signature */
1901 sctp_m_freem(m_sig);
1904 /* compare the received digest with the computed digest */
1905 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
1906 /* try the old cookie? */
1907 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
1908 (ep->current_secret_number != ep->last_secret_number)) {
1909 /* compute digest with old */
1910 sctp_hmac_m(SCTP_HMAC,
1911 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
1912 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1914 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
1922 * Now before we continue we must reconstruct our mbuf so that
1923 * normal processing of any other chunks will work.
1929 while (SCTP_BUF_NEXT(m_at) != NULL) {
1930 m_at = SCTP_BUF_NEXT(m_at);
1932 SCTP_BUF_NEXT(m_at) = m_sig;
1935 if (cookie_ok == 0) {
1937 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1938 printf("handle_cookie_echo: cookie signature validation failed!\n");
1939 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n",
1940 (uint32_t) offset, cookie_offset, sig_offset);
1946 * check the cookie timestamps to be sure it's not stale
1948 SCTP_GETTIME_TIMEVAL(&now);
1949 /* Expire time is in Ticks, so we convert to seconds */
1950 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life;
1951 time_expires.tv_usec = cookie->time_entered.tv_usec;
1952 if (timevalcmp(&now, &time_expires, >)) {
1953 /* cookie is stale! */
1954 struct mbuf *op_err;
1955 struct sctp_stale_cookie_msg *scm;
1958 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg),
1959 0, M_DONTWAIT, 1, MT_DATA);
1960 if (op_err == NULL) {
1964 /* pre-reserve some space */
1965 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
1966 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
1967 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
1970 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg);
1971 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
1972 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
1973 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
1974 (sizeof(uint32_t))));
1975 /* seconds to usec */
1976 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
1979 tim = now.tv_usec - cookie->time_entered.tv_usec;
1980 scm->time_usec = htonl(tim);
1981 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1985 * Now we must see with the lookup address if we have an existing
1986 * asoc. This will only happen if we were in the COOKIE-WAIT state
1987 * and a INIT collided with us and somewhere the peer sent the
1988 * cookie on another address besides the single address our assoc
1989 * had for him. In this case we will have one of the tie-tags set at
1990 * least AND the address field in the cookie can be used to look it
1994 if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
1995 memset(&sin6, 0, sizeof(sin6));
1996 sin6.sin6_family = AF_INET6;
1997 sin6.sin6_len = sizeof(sin6);
1998 sin6.sin6_port = sh->src_port;
1999 sin6.sin6_scope_id = cookie->scope_id;
2000 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
2001 sizeof(sin6.sin6_addr.s6_addr));
2002 to = (struct sockaddr *)&sin6;
2003 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
2004 memset(&sin, 0, sizeof(sin));
2005 sin.sin_family = AF_INET;
2006 sin.sin_len = sizeof(sin);
2007 sin.sin_port = sh->src_port;
2008 sin.sin_addr.s_addr = cookie->address[0];
2009 to = (struct sockaddr *)&sin;
2011 if ((*stcb == NULL) && to) {
2012 /* Yep, lets check */
2013 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
2014 if (*stcb == NULL) {
2016 * We should have only got back the same inp. If we
2017 * got back a different ep we have a problem. The
2018 * original findep got back l_inp and now
2020 if (l_inp != *inp_p) {
2021 printf("Bad problem find_ep got a diff inp then special_locate?\n");
2024 if (*locked_tcb == NULL) {
2026 * In this case we found the assoc only
2027 * after we locked the create lock. This
2028 * means we are in a colliding case and we
2029 * must make sure that we unlock the tcb if
2030 * its one of the cases where we throw away
2031 * the incoming packets.
2033 *locked_tcb = *stcb;
2036 * We must also increment the inp ref count
2037 * since the ref_count flags was set when we
2038 * did not find the TCB, now we found it
2039 * which reduces the refcount.. we must
2040 * raise it back out to balance it all :-)
2042 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
2043 if ((*stcb)->sctp_ep != l_inp) {
2044 printf("Huh? ep:%p diff then l_inp:%p?\n",
2045 (*stcb)->sctp_ep, l_inp);
2050 cookie_len -= SCTP_SIGNATURE_SIZE;
2051 if (*stcb == NULL) {
2052 /* this is the "normal" case... get a new TCB */
2053 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
2054 cookie_len, *inp_p, netp, to, ¬ification,
2055 auth_skipped, auth_offset, auth_len);
2057 /* this is abnormal... cookie-echo on existing TCB */
2058 had_a_existing_tcb = 1;
2059 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
2060 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification,
2064 if (*stcb == NULL) {
2065 /* still no TCB... must be bad cookie-echo */
2069 * Ok, we built an association so confirm the address we sent the
2072 netl = sctp_findnet(*stcb, to);
2074 * This code should in theory NOT run but
2077 /* TSNH! Huh, why do I need to add this address here? */
2080 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE,
2081 SCTP_IN_COOKIE_PROC);
2082 netl = sctp_findnet(*stcb, to);
2085 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2086 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2087 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2089 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2090 (*stcb), 0, (void *)netl);
2094 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p,
2097 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2098 if (!had_a_existing_tcb ||
2099 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2101 * If we have a NEW cookie or the connect never
2102 * reached the connected state during collision we
2103 * must do the TCP accept thing.
2105 struct socket *so, *oso;
2106 struct sctp_inpcb *inp;
2108 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2110 * For a restart we will keep the same
2111 * socket, no need to do anything. I THINK!!
2113 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id);
2116 oso = (*inp_p)->sctp_socket;
2118 * We do this to keep the sockets side happy durin
2119 * the sonewcon ONLY.
2122 SCTP_TCB_UNLOCK((*stcb));
2123 so = sonewconn(oso, 0
2126 SCTP_INP_WLOCK((*stcb)->sctp_ep);
2127 SCTP_TCB_LOCK((*stcb));
2128 SCTP_INP_WUNLOCK((*stcb)->sctp_ep);
2130 struct mbuf *op_err;
2132 /* Too many sockets */
2134 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
2135 printf("process_cookie_new: no room for another socket!\n");
2137 #endif /* SCTP_DEBUG */
2138 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2139 sctp_abort_association(*inp_p, NULL, m, iphlen,
2141 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
2144 inp = (struct sctp_inpcb *)so->so_pcb;
2145 SCTP_INP_INCR_REF(inp);
2147 * We add the unbound flag here so that if we get an
2148 * soabort() before we get the move_pcb done, we
2149 * will properly cleanup.
2151 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2152 SCTP_PCB_FLAGS_CONNECTED |
2153 SCTP_PCB_FLAGS_IN_TCPPOOL |
2154 SCTP_PCB_FLAGS_UNBOUND |
2155 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2156 SCTP_PCB_FLAGS_DONT_WAKE);
2157 inp->sctp_features = (*inp_p)->sctp_features;
2158 inp->sctp_socket = so;
2159 inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
2160 inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
2161 inp->sctp_context = (*inp_p)->sctp_context;
2162 inp->inp_starting_point_for_iterator = NULL;
2164 * copy in the authentication parameters from the
2167 if (inp->sctp_ep.local_hmacs)
2168 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
2169 inp->sctp_ep.local_hmacs =
2170 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
2171 if (inp->sctp_ep.local_auth_chunks)
2172 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
2173 inp->sctp_ep.local_auth_chunks =
2174 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
2175 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys,
2176 &inp->sctp_ep.shared_keys);
2179 * Now we must move it from one hash table to
2180 * another and get the tcb in the right place.
2182 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2183 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb);
2186 * now we must check to see if we were aborted while
2187 * the move was going on and the lock/unlock
2190 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
2192 * yep it was, we leave the assoc attached
2193 * to the socket since the sctp_inpcb_free()
2194 * call will send an abort for us.
2196 SCTP_INP_DECR_REF(inp);
2199 SCTP_INP_DECR_REF(inp);
2200 /* Switch over to the new guy */
2202 sctp_ulp_notify(notification, *stcb, 0, NULL);
2205 * Pull it from the incomplete queue and wake the
2212 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
2213 sctp_ulp_notify(notification, *stcb, 0, NULL);
2219 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
2220 struct sctp_tcb *stcb, struct sctp_nets *net)
2222 /* cp must not be used, others call this without a c-ack :-) */
2223 struct sctp_association *asoc;
2226 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2227 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n");
2235 sctp_stop_all_cookie_timers(stcb);
2236 /* process according to association state */
2237 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
2238 /* state change only needed when I am in right state */
2240 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2241 printf("moving to OPEN state\n");
2244 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2245 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
2246 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2247 stcb->sctp_ep, stcb, asoc->primary_destination);
2250 asoc->state = SCTP_STATE_OPEN;
2253 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
2254 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2255 if (asoc->overall_error_count == 0) {
2256 net->RTO = sctp_calculate_rto(stcb, asoc, net,
2257 &asoc->time_entered);
2259 SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
2260 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL);
2261 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2262 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2263 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2264 soisconnected(stcb->sctp_ep->sctp_socket);
2266 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
2269 * since we did not send a HB make sure we don't double
2272 net->hb_responded = 1;
2274 if (stcb->asoc.sctp_autoclose_ticks &&
2275 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2276 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
2277 stcb->sctp_ep, stcb, NULL);
2280 * set ASCONF timer if ASCONFs are pending and allowed (eg.
2281 * addresses changed when init/cookie echo in flight)
2283 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
2284 (stcb->asoc.peer_supports_asconf) &&
2285 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
2286 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
2287 stcb->sctp_ep, stcb,
2288 stcb->asoc.primary_destination);
2291 /* Toss the cookie if I can */
2292 sctp_toss_old_cookies(stcb, asoc);
2293 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
2294 /* Restart the timer if we have pending data */
2295 struct sctp_tmit_chunk *chk;
2297 chk = TAILQ_FIRST(&asoc->sent_queue);
2299 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2306 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
2307 struct sctp_tcb *stcb)
2309 struct sctp_nets *net;
2310 struct sctp_tmit_chunk *lchk;
2313 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
2316 SCTP_STAT_INCR(sctps_recvecne);
2317 tsn = ntohl(cp->tsn);
2318 /* ECN Nonce stuff: need a resync and disable the nonce sum check */
2319 /* Also we make sure we disable the nonce_wait */
2320 lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
2322 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
2324 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
2326 stcb->asoc.nonce_wait_for_ecne = 0;
2327 stcb->asoc.nonce_sum_check = 0;
2329 /* Find where it was sent, if possible */
2331 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue);
2333 if (lchk->rec.data.TSN_seq == tsn) {
2337 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ))
2339 lchk = TAILQ_NEXT(lchk, sctp_next);
2342 /* default is we use the primary */
2343 net = stcb->asoc.primary_destination;
2345 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
2346 #ifdef SCTP_CWND_MONITOR
2349 old_cwnd = net->cwnd;
2351 SCTP_STAT_INCR(sctps_ecnereducedcwnd);
2352 net->ssthresh = net->cwnd / 2;
2353 if (net->ssthresh < net->mtu) {
2354 net->ssthresh = net->mtu;
2355 /* here back off the timer as well, to slow us down */
2358 net->cwnd = net->ssthresh;
2359 #ifdef SCTP_CWND_MONITOR
2360 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT);
2363 * we reduce once every RTT. So we will only lower cwnd at
2364 * the next sending seq i.e. the resync_tsn.
2366 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
2369 * We always send a CWR this way if our previous one was lost our
2370 * peer will get an update, or if it is not time again to reduce we
2371 * still get the cwr to the peer.
2373 sctp_send_cwr(stcb, net, tsn);
2377 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
2380 * Here we get a CWR from the peer. We must look in the outqueue and
2381 * make sure that we have a covered ECNE in teh control chunk part.
2384 struct sctp_tmit_chunk *chk;
2385 struct sctp_ecne_chunk *ecne;
2387 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
2388 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
2392 * Look for and remove if it is the right TSN. Since there
2393 * is only ONE ECNE on the control queue at any one time we
2394 * don't need to worry about more than one!
2396 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
2397 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn),
2398 MAX_TSN) || (cp->tsn == ecne->tsn)) {
2399 /* this covers this ECNE, we can remove it */
2400 stcb->asoc.ecn_echo_cnt_onq--;
2401 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
2404 sctp_m_freem(chk->data);
2407 stcb->asoc.ctrl_queue_cnt--;
2408 sctp_free_remote_addr(chk->whoTo);
2409 sctp_free_a_chunk(stcb, chk);
2416 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
2417 struct sctp_tcb *stcb, struct sctp_nets *net)
2419 struct sctp_association *asoc;
2422 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2423 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
2430 /* process according to association state */
2431 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
2432 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
2433 SCTP_TCB_UNLOCK(stcb);
2436 /* notify upper layer protocol */
2437 if (stcb->sctp_socket) {
2438 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);
2439 /* are the queues empty? they should be */
2440 if (!TAILQ_EMPTY(&asoc->send_queue) ||
2441 !TAILQ_EMPTY(&asoc->sent_queue) ||
2442 !TAILQ_EMPTY(&asoc->out_wheel)) {
2443 sctp_report_all_outbound(stcb, 0);
2446 /* stop the timer */
2447 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21);
2448 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
2450 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
2455 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
2456 struct sctp_nets *net, uint8_t flg)
2458 switch (desc->chunk_type) {
2460 /* find the tsn to resend (possibly */
2463 struct sctp_tmit_chunk *tp1;
2465 tsn = ntohl(desc->tsn_ifany);
2466 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2468 if (tp1->rec.data.TSN_seq == tsn) {
2472 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
2478 tp1 = TAILQ_NEXT(tp1, sctp_next);
2482 * Do it the other way , aka without paying
2483 * attention to queue seq order.
2485 SCTP_STAT_INCR(sctps_pdrpdnfnd);
2486 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2488 if (tp1->rec.data.TSN_seq == tsn) {
2492 tp1 = TAILQ_NEXT(tp1, sctp_next);
2496 SCTP_STAT_INCR(sctps_pdrptsnnf);
2498 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
2501 if ((stcb->asoc.peers_rwnd == 0) &&
2502 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
2503 SCTP_STAT_INCR(sctps_pdrpdiwnp);
2506 if (stcb->asoc.peers_rwnd == 0 &&
2507 (flg & SCTP_FROM_MIDDLE_BOX)) {
2508 SCTP_STAT_INCR(sctps_pdrpdizrw);
2511 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+
2512 sizeof(struct sctp_data_chunk));
2516 for (iii = 0; iii < sizeof(desc->data_bytes);
2518 if (ddp[iii] != desc->data_bytes[iii]) {
2519 SCTP_STAT_INCR(sctps_pdrpbadd);
2525 * We zero out the nonce so resync not
2528 tp1->rec.data.ect_nonce = 0;
2532 * this guy had a RTO calculation
2533 * pending on it, cancel it
2535 tp1->whoTo->rto_pending = 0;
2538 SCTP_STAT_INCR(sctps_pdrpmark);
2539 if (tp1->sent != SCTP_DATAGRAM_RESEND)
2540 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
2541 tp1->sent = SCTP_DATAGRAM_RESEND;
2543 * mark it as if we were doing a FR, since
2544 * we will be getting gap ack reports behind
2545 * the info from the router.
2547 tp1->rec.data.doing_fast_retransmit = 1;
2549 * mark the tsn with what sequences can
2552 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
2553 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
2555 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
2558 /* restart the timer */
2559 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2560 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
2561 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2564 /* fix counts and things */
2565 #ifdef SCTP_FLIGHT_LOGGING
2566 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN,
2567 tp1->whoTo->flight_size,
2570 tp1->rec.data.TSN_seq);
2572 if (tp1->whoTo->flight_size >= tp1->book_size)
2573 tp1->whoTo->flight_size -= tp1->book_size;
2575 tp1->whoTo->flight_size = 0;
2577 if (stcb->asoc.total_flight >= tp1->book_size) {
2578 stcb->asoc.total_flight -= tp1->book_size;
2579 if (stcb->asoc.total_flight_count > 0)
2580 stcb->asoc.total_flight_count--;
2582 stcb->asoc.total_flight = 0;
2583 stcb->asoc.total_flight_count = 0;
2591 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
2592 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2595 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
2597 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2600 if (audit != stcb->asoc.sent_queue_retran_cnt) {
2601 printf("**Local Audit finds cnt:%d asoc cnt:%d\n",
2602 audit, stcb->asoc.sent_queue_retran_cnt);
2603 #ifndef SCTP_AUDITING_ENABLED
2604 stcb->asoc.sent_queue_retran_cnt = audit;
2612 struct sctp_tmit_chunk *asconf;
2614 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
2616 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
2621 if (asconf->sent != SCTP_DATAGRAM_RESEND)
2622 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
2623 asconf->sent = SCTP_DATAGRAM_RESEND;
2624 asconf->snd_count--;
2628 case SCTP_INITIATION:
2629 /* resend the INIT */
2630 stcb->asoc.dropped_special_cnt++;
2631 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
2633 * If we can get it in, in a few attempts we do
2634 * this, otherwise we let the timer fire.
2636 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
2637 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
2638 sctp_send_initiate(stcb->sctp_ep, stcb);
2641 case SCTP_SELECTIVE_ACK:
2642 /* resend the sack */
2643 sctp_send_sack(stcb);
2645 case SCTP_HEARTBEAT_REQUEST:
2646 /* resend a demand HB */
2647 sctp_send_hb(stcb, 1, net);
2650 sctp_send_shutdown(stcb, net);
2652 case SCTP_SHUTDOWN_ACK:
2653 sctp_send_shutdown_ack(stcb, net);
2655 case SCTP_COOKIE_ECHO:
2657 struct sctp_tmit_chunk *cookie;
2660 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
2662 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
2667 if (cookie->sent != SCTP_DATAGRAM_RESEND)
2668 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
2669 cookie->sent = SCTP_DATAGRAM_RESEND;
2670 sctp_stop_all_cookie_timers(stcb);
2674 case SCTP_COOKIE_ACK:
2675 sctp_send_cookie_ack(stcb);
2677 case SCTP_ASCONF_ACK:
2678 /* resend last asconf ack */
2679 sctp_send_asconf_ack(stcb, 1);
2681 case SCTP_FORWARD_CUM_TSN:
2682 send_forward_tsn(stcb, &stcb->asoc);
2684 /* can't do anything with these */
2685 case SCTP_PACKET_DROPPED:
2686 case SCTP_INITIATION_ACK: /* this should not happen */
2687 case SCTP_HEARTBEAT_ACK:
2688 case SCTP_ABORT_ASSOCIATION:
2689 case SCTP_OPERATION_ERROR:
2690 case SCTP_SHUTDOWN_COMPLETE:
2700 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
2706 * We set things to 0xffff since this is the last delivered sequence
2707 * and we will be sending in 0 after the reset.
2710 if (number_entries) {
2711 for (i = 0; i < number_entries; i++) {
2712 temp = ntohs(list[i]);
2713 if (temp >= stcb->asoc.streamincnt) {
2716 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff;
2720 for (i = 0; i < stcb->asoc.streamincnt; i++) {
2721 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
2724 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list);
2728 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
2732 if (number_entries == 0) {
2733 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
2734 stcb->asoc.strmout[i].next_sequence_sent = 0;
2736 } else if (number_entries) {
2737 for (i = 0; i < number_entries; i++) {
2740 temp = ntohs(list[i]);
2741 if (temp >= stcb->asoc.streamoutcnt) {
2742 /* no such stream */
2745 stcb->asoc.strmout[temp].next_sequence_sent = 0;
2748 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list);
2752 struct sctp_stream_reset_out_request *
2753 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
2755 struct sctp_association *asoc;
2756 struct sctp_stream_reset_out_req *req;
2757 struct sctp_stream_reset_out_request *r;
2758 struct sctp_tmit_chunk *chk;
2762 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
2765 if (stcb->asoc.str_reset == NULL) {
2768 chk = stcb->asoc.str_reset;
2769 if (chk->data == NULL) {
2773 /* he wants a copy of the chk pointer */
2776 clen = chk->send_size;
2777 req = mtod(chk->data, struct sctp_stream_reset_out_req *);
2779 if (ntohl(r->request_seq) == seq) {
2783 len = SCTP_SIZE32(ntohs(r->ph.param_length));
2784 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
2785 /* move to the next one, there can only be a max of two */
2786 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len);
2787 if (ntohl(r->request_seq) == seq) {
2791 /* that seq is not here */
2796 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
2798 struct sctp_association *asoc;
2801 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset;
2803 if (stcb->asoc.str_reset == NULL) {
2806 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
2807 TAILQ_REMOVE(&asoc->control_send_queue,
2811 sctp_m_freem(chk->data);
2814 asoc->ctrl_queue_cnt--;
2815 sctp_free_remote_addr(chk->whoTo);
2817 sctp_free_a_chunk(stcb, chk);
2818 stcb->asoc.str_reset = NULL;
2823 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
2824 uint32_t seq, uint32_t action,
2825 struct sctp_stream_reset_response *respin)
2829 struct sctp_association *asoc = &stcb->asoc;
2830 struct sctp_tmit_chunk *chk;
2831 struct sctp_stream_reset_out_request *srparam;
2834 if (asoc->stream_reset_outstanding == 0) {
2838 if (seq == stcb->asoc.str_reset_seq_out) {
2839 srparam = sctp_find_stream_reset(stcb, seq, &chk);
2841 stcb->asoc.str_reset_seq_out++;
2842 type = ntohs(srparam->ph.param_type);
2843 lparm_len = ntohs(srparam->ph.param_length);
2844 if (type == SCTP_STR_RESET_OUT_REQUEST) {
2845 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
2846 asoc->stream_reset_out_is_outstanding = 0;
2847 if (asoc->stream_reset_outstanding)
2848 asoc->stream_reset_outstanding--;
2849 if (action == SCTP_STREAM_RESET_PERFORMED) {
2851 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams);
2853 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams);
2855 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
2856 /* Answered my request */
2857 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
2858 if (asoc->stream_reset_outstanding)
2859 asoc->stream_reset_outstanding--;
2860 if (action != SCTP_STREAM_RESET_PERFORMED) {
2861 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams);
2863 } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
2865 * a) Adopt the new in tsn.
2867 * c) Adopt the new out-tsn
2869 struct sctp_stream_reset_response_tsn *resp;
2870 struct sctp_forward_tsn_chunk fwdtsn;
2873 if (respin == NULL) {
2877 if (action == SCTP_STREAM_RESET_PERFORMED) {
2878 resp = (struct sctp_stream_reset_response_tsn *)respin;
2879 asoc->stream_reset_outstanding--;
2880 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
2881 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
2882 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
2883 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag);
2887 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
2888 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
2889 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
2890 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
2891 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
2892 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
2894 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
2895 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
2899 /* get rid of the request and get the request flags */
2900 if (asoc->stream_reset_outstanding == 0) {
2901 sctp_clean_up_stream_reset(stcb);
2909 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
2910 struct sctp_tmit_chunk *chk,
2911 struct sctp_stream_reset_in_request *req)
2919 * peer wants me to send a str-reset to him for my outgoing seq's if
2922 struct sctp_association *asoc = &stcb->asoc;
2924 seq = ntohl(req->request_seq);
2925 if (asoc->str_reset_seq_in == seq) {
2926 if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
2927 len = ntohs(req->ph.param_length);
2928 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
2929 for (i = 0; i < number_entries; i++) {
2930 temp = ntohs(req->list_of_streams[i]);
2931 req->list_of_streams[i] = temp;
2933 /* move the reset action back one */
2934 asoc->last_reset_action[1] = asoc->last_reset_action[0];
2935 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
2936 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams,
2937 asoc->str_reset_seq_out,
2938 seq, (asoc->sending_seq - 1));
2939 asoc->stream_reset_out_is_outstanding = 1;
2940 asoc->str_reset = chk;
2941 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
2942 stcb->asoc.stream_reset_outstanding++;
2944 /* Can't do it, since we have sent one out */
2945 asoc->last_reset_action[1] = asoc->last_reset_action[0];
2946 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER;
2947 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
2949 asoc->str_reset_seq_in++;
2950 } else if (asoc->str_reset_seq_in - 1 == seq) {
2951 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
2952 } else if (asoc->str_reset_seq_in - 2 == seq) {
2953 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
2955 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
2960 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
2961 struct sctp_tmit_chunk *chk,
2962 struct sctp_stream_reset_tsn_request *req)
2964 /* reset all in and out and update the tsn */
2966 * A) reset my str-seq's on in and out. B) Select a receive next,
2967 * and set cum-ack to it. Also process this selected number as a
2968 * fwd-tsn as well. C) set in the response my next sending seq.
2970 struct sctp_forward_tsn_chunk fwdtsn;
2971 struct sctp_association *asoc = &stcb->asoc;
2975 seq = ntohl(req->request_seq);
2976 if (asoc->str_reset_seq_in == seq) {
2977 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
2978 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
2979 fwdtsn.ch.chunk_flags = 0;
2980 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
2981 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag);
2985 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
2986 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
2987 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
2988 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
2989 atomic_add_int(&stcb->asoc.sending_seq, 1);
2990 /* save off historical data for retrans */
2991 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0];
2992 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq;
2993 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0];
2994 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn;
2996 sctp_add_stream_reset_result_tsn(chk,
2997 ntohl(req->request_seq),
2998 SCTP_STREAM_RESET_PERFORMED,
2999 stcb->asoc.sending_seq,
3000 stcb->asoc.mapping_array_base_tsn);
3001 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3002 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3003 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
3004 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3006 asoc->str_reset_seq_in++;
3007 } else if (asoc->str_reset_seq_in - 1 == seq) {
3008 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3009 stcb->asoc.last_sending_seq[0],
3010 stcb->asoc.last_base_tsnsent[0]
3012 } else if (asoc->str_reset_seq_in - 2 == seq) {
3013 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
3014 stcb->asoc.last_sending_seq[1],
3015 stcb->asoc.last_base_tsnsent[1]
3018 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3024 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
3025 struct sctp_tmit_chunk *chk,
3026 struct sctp_stream_reset_out_request *req)
3029 int number_entries, len;
3030 struct sctp_association *asoc = &stcb->asoc;
3032 seq = ntohl(req->request_seq);
3034 /* now if its not a duplicate we process it */
3035 if (asoc->str_reset_seq_in == seq) {
3036 len = ntohs(req->ph.param_length);
3037 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
3039 * the sender is resetting, handle the list issue.. we must
3040 * a) verify if we can do the reset, if so no problem b) If
3041 * we can't do the reset we must copy the request. c) queue
3042 * it, and setup the data in processor to trigger it off
3043 * when needed and dequeue all the queued data.
3045 tsn = ntohl(req->send_reset_at_tsn);
3047 /* move the reset action back one */
3048 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3049 if ((tsn == asoc->cumulative_tsn) ||
3050 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) {
3051 /* we can do it now */
3052 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
3053 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
3054 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3057 * we must queue it up and thus wait for the TSN's
3058 * to arrive that are at or before tsn
3060 struct sctp_stream_reset_list *liste;
3063 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
3064 SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
3066 if (liste == NULL) {
3067 /* gak out of memory */
3068 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
3069 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
3073 liste->number_entries = number_entries;
3074 memcpy(&liste->req, req,
3075 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t))));
3076 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
3077 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
3078 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3080 asoc->str_reset_seq_in++;
3081 } else if ((asoc->str_reset_seq_in - 1) == seq) {
3083 * one seq back, just echo back last action since my
3084 * response was lost.
3086 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3087 } else if ((asoc->str_reset_seq_in - 2) == seq) {
3089 * two seq back, just echo back last action since my
3090 * response was lost.
3092 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3094 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3099 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req)
3101 int chk_length, param_len, ptype;
3104 struct sctp_tmit_chunk *chk;
3105 struct sctp_chunkhdr *ch;
3106 struct sctp_paramhdr *ph;
3108 /* now it may be a reset or a reset-response */
3109 chk_length = ntohs(sr_req->ch.chunk_length);
3113 /* setup for adding the response */
3114 sctp_alloc_a_chunk(stcb, chk);
3118 chk->rec.chunk_id.id = SCTP_STREAM_RESET;
3119 chk->asoc = &stcb->asoc;
3120 chk->no_fr_allowed = 0;
3121 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
3122 chk->book_size_scale = 0;
3123 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
3124 if (chk->data == NULL) {
3127 sctp_m_freem(chk->data);
3130 sctp_free_a_chunk(stcb, chk);
3133 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
3135 /* setup chunk parameters */
3136 chk->sent = SCTP_DATAGRAM_UNSENT;
3138 chk->whoTo = stcb->asoc.primary_destination;
3139 atomic_add_int(&chk->whoTo->ref_count, 1);
3141 ch = mtod(chk->data, struct sctp_chunkhdr *);
3142 ch->chunk_type = SCTP_STREAM_RESET;
3143 ch->chunk_flags = 0;
3144 ch->chunk_length = htons(chk->send_size);
3145 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
3148 ph = (struct sctp_paramhdr *)&sr_req->sr_req;
3149 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
3150 param_len = ntohs(ph->param_length);
3151 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
3155 ptype = ntohs(ph->param_type);
3157 if (num_param > SCTP_MAX_RESET_PARAMS) {
3158 /* hit the max of parameters already sorry.. */
3161 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
3162 struct sctp_stream_reset_out_request *req_out;
3164 req_out = (struct sctp_stream_reset_out_request *)ph;
3166 if (stcb->asoc.stream_reset_outstanding) {
3167 seq = ntohl(req_out->response_seq);
3168 if (seq == stcb->asoc.str_reset_seq_out) {
3170 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL);
3173 sctp_handle_str_reset_request_out(stcb, chk, req_out);
3174 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
3175 struct sctp_stream_reset_in_request *req_in;
3178 req_in = (struct sctp_stream_reset_in_request *)ph;
3179 sctp_handle_str_reset_request_in(stcb, chk, req_in);
3180 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
3181 struct sctp_stream_reset_tsn_request *req_tsn;
3184 req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
3185 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
3187 goto strres_nochunk;
3191 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
3192 struct sctp_stream_reset_response *resp;
3195 resp = (struct sctp_stream_reset_response *)ph;
3196 seq = ntohl(resp->response_seq);
3197 result = ntohl(resp->result);
3198 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
3200 goto strres_nochunk;
3206 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len));
3207 chk_length -= SCTP_SIZE32(param_len);
3210 /* we have no response free the stuff */
3211 goto strres_nochunk;
3213 /* ok we have a chunk to link in */
3214 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
3217 stcb->asoc.ctrl_queue_cnt++;
3222 * Handle a router or endpoints report of a packet loss, there are two ways
3223 * to handle this, either we get the whole packet and must disect it
3224 * ourselves (possibly with truncation and or corruption) or it is a summary
3225 * from a middle box that did the disectting for us.
3228 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
3229 struct sctp_tcb *stcb, struct sctp_nets *net)
3231 uint32_t bottle_bw, on_queue;
3235 struct sctp_chunk_desc desc;
3236 struct sctp_chunkhdr *ch;
3238 chlen = ntohs(cp->ch.chunk_length);
3239 chlen -= sizeof(struct sctp_pktdrop_chunk);
3240 /* XXX possible chlen underflow */
3243 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
3244 SCTP_STAT_INCR(sctps_pdrpbwrpt);
3246 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
3247 chlen -= sizeof(struct sctphdr);
3248 /* XXX possible chlen underflow */
3249 memset(&desc, 0, sizeof(desc));
3251 trunc_len = (uint16_t) ntohs(cp->trunc_len);
3252 /* now the chunks themselves */
3253 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
3254 desc.chunk_type = ch->chunk_type;
3255 /* get amount we need to move */
3256 at = ntohs(ch->chunk_length);
3257 if (at < sizeof(struct sctp_chunkhdr)) {
3258 /* corrupt chunk, maybe at the end? */
3259 SCTP_STAT_INCR(sctps_pdrpcrupt);
3262 if (trunc_len == 0) {
3263 /* we are supposed to have all of it */
3265 /* corrupt skip it */
3266 SCTP_STAT_INCR(sctps_pdrpcrupt);
3270 /* is there enough of it left ? */
3271 if (desc.chunk_type == SCTP_DATA) {
3272 if (chlen < (sizeof(struct sctp_data_chunk) +
3273 sizeof(desc.data_bytes))) {
3277 if (chlen < sizeof(struct sctp_chunkhdr)) {
3282 if (desc.chunk_type == SCTP_DATA) {
3283 /* can we get out the tsn? */
3284 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
3285 SCTP_STAT_INCR(sctps_pdrpmbda);
3287 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) {
3289 struct sctp_data_chunk *dcp;
3293 dcp = (struct sctp_data_chunk *)ch;
3294 ddp = (uint8_t *) (dcp + 1);
3295 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
3296 desc.data_bytes[iii] = ddp[iii];
3298 desc.tsn_ifany = dcp->dp.tsn;
3300 /* nope we are done. */
3301 SCTP_STAT_INCR(sctps_pdrpnedat);
3305 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
3306 SCTP_STAT_INCR(sctps_pdrpmbct);
3309 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
3310 SCTP_STAT_INCR(sctps_pdrppdbrk);
3313 if (SCTP_SIZE32(at) > chlen) {
3316 chlen -= SCTP_SIZE32(at);
3317 if (chlen < sizeof(struct sctp_chunkhdr)) {
3318 /* done, none left */
3321 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
3323 /* Now update any rwnd --- possibly */
3324 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
3325 /* From a peer, we get a rwnd report */
3328 SCTP_STAT_INCR(sctps_pdrpfehos);
3330 bottle_bw = ntohl(cp->bottle_bw);
3331 on_queue = ntohl(cp->current_onq);
3332 if (bottle_bw && on_queue) {
3333 /* a rwnd report is in here */
3334 if (bottle_bw > on_queue)
3335 a_rwnd = bottle_bw - on_queue;
3340 stcb->asoc.peers_rwnd = 0;
3342 if (a_rwnd > stcb->asoc.total_flight) {
3343 stcb->asoc.peers_rwnd =
3344 a_rwnd - stcb->asoc.total_flight;
3346 stcb->asoc.peers_rwnd = 0;
3348 if (stcb->asoc.peers_rwnd <
3349 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
3350 /* SWS sender side engages */
3351 stcb->asoc.peers_rwnd = 0;
3356 SCTP_STAT_INCR(sctps_pdrpfmbox);
3359 /* now middle boxes in sat networks get a cwnd bump */
3360 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
3361 (stcb->asoc.sat_t3_loss_recovery == 0) &&
3362 (stcb->asoc.sat_network)) {
3364 * This is debateable but for sat networks it makes sense
3365 * Note if a T3 timer has went off, we will prohibit any
3366 * changes to cwnd until we exit the t3 loss recovery.
3371 #ifdef SCTP_CWND_MONITOR
3372 int old_cwnd = net->cwnd;
3375 /* need real RTT for this calc */
3376 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1;
3377 /* get bottle neck bw */
3378 bottle_bw = ntohl(cp->bottle_bw);
3379 /* and whats on queue */
3380 on_queue = ntohl(cp->current_onq);
3382 * adjust the on-queue if our flight is more it could be
3383 * that the router has not yet gotten data "in-flight" to it
3385 if (on_queue < net->flight_size)
3386 on_queue = net->flight_size;
3388 /* calculate the available space */
3389 bw_avail = (bottle_bw * rtt) / 1000;
3390 if (bw_avail > bottle_bw) {
3392 * Cap the growth to no more than the bottle neck.
3393 * This can happen as RTT slides up due to queues.
3394 * It also means if you have more than a 1 second
3395 * RTT with a empty queue you will be limited to the
3396 * bottle_bw per second no matter if other points
3397 * have 1/2 the RTT and you could get more out...
3399 bw_avail = bottle_bw;
3401 if (on_queue > bw_avail) {
3403 * No room for anything else don't allow anything
3404 * else to be "added to the fire".
3406 int seg_inflight, seg_onqueue, my_portion;
3408 net->partial_bytes_acked = 0;
3410 /* how much are we over queue size? */
3411 incr = on_queue - bw_avail;
3412 if (stcb->asoc.seen_a_sack_this_pkt) {
3414 * undo any cwnd adjustment that the sack
3417 net->cwnd = net->prev_cwnd;
3419 /* Now how much of that is mine? */
3420 seg_inflight = net->flight_size / net->mtu;
3421 seg_onqueue = on_queue / net->mtu;
3422 my_portion = (incr * seg_inflight) / seg_onqueue;
3424 /* Have I made an adjustment already */
3425 if (net->cwnd > net->flight_size) {
3427 * for this flight I made an adjustment we
3428 * need to decrease the portion by a share
3429 * our previous adjustment.
3433 diff_adj = net->cwnd - net->flight_size;
3434 if (diff_adj > my_portion)
3437 my_portion -= diff_adj;
3440 * back down to the previous cwnd (assume we have
3441 * had a sack before this packet). minus what ever
3442 * portion of the overage is my fault.
3444 net->cwnd -= my_portion;
3446 /* we will NOT back down more than 1 MTU */
3447 if (net->cwnd <= net->mtu) {
3448 net->cwnd = net->mtu;
3451 net->ssthresh = net->cwnd - 1;
3454 * Take 1/4 of the space left or max burst up ..
3455 * whichever is less.
3457 incr = min((bw_avail - on_queue) >> 2,
3458 (int)stcb->asoc.max_burst * (int)net->mtu);
3461 if (net->cwnd > bw_avail) {
3462 /* We can't exceed the pipe size */
3463 net->cwnd = bw_avail;
3465 if (net->cwnd < net->mtu) {
3466 /* We always have 1 MTU */
3467 net->cwnd = net->mtu;
3469 #ifdef SCTP_CWND_MONITOR
3470 if (net->cwnd - old_cwnd != 0) {
3471 /* log only changes */
3472 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd),
3473 SCTP_CWND_LOG_FROM_SAT);
3479 extern int sctp_strict_init;
3480 extern int sctp_abort_if_one_2_one_hits_limit;
3483 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
3484 * still contain IP/SCTP header - stcb: is the tcb found for this packet -
3485 * offset: offset into the mbuf chain to first chunkhdr - length: is the
3486 * length of the complete packet outputs: - length: modified to remaining
3487 * length after control processing - netp: modified to new sctp_nets after
3488 * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
3489 * bad packet,...) otherwise return the tcb for this packet
3491 static struct sctp_tcb *
3492 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
3493 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
3494 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen)
3496 struct sctp_association *asoc;
3498 int num_chunks = 0; /* number of control chunks processed */
3503 * How big should this be, and should it be alloc'd? Lets try the
3504 * d-mtu-ceiling for now (2k) and that should hopefully work ...
3505 * until we get into jumbo grams and such..
3507 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER];
3508 struct sctp_tcb *locked_tcb = stcb;
3510 uint32_t auth_offset = 0, auth_len = 0;
3511 int auth_skipped = 0;
3514 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3515 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
3516 iphlen, *offset, length, stcb);
3518 #endif /* SCTP_DEBUG */
3520 /* validate chunk header length... */
3521 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
3525 * validate the verification tag
3527 vtag_in = ntohl(sh->v_tag);
3530 SCTP_TCB_LOCK_ASSERT(locked_tcb);
3532 if (ch->chunk_type == SCTP_INITIATION) {
3534 /* protocol error- silently discard... */
3535 SCTP_STAT_INCR(sctps_badvtag);
3537 SCTP_TCB_UNLOCK(locked_tcb);
3540 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
3542 * If there is no stcb, skip the AUTH chunk and process
3543 * later after a stcb is found (to validate the lookup was
3546 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
3547 (stcb == NULL) && !sctp_auth_disable) {
3548 /* save this chunk for later processing */
3550 auth_offset = *offset;
3551 auth_len = ntohs(ch->chunk_length);
3553 /* (temporarily) move past this chunk */
3554 *offset += SCTP_SIZE32(auth_len);
3555 if (*offset >= length) {
3556 /* no more data left in the mbuf chain */
3560 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3561 sizeof(struct sctp_chunkhdr), chunk_buf);
3563 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
3564 goto process_control_chunks;
3567 * first check if it's an ASCONF with an unknown src addr we
3568 * need to look inside to find the association
3570 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
3571 /* inp's refcount may be reduced */
3572 SCTP_INP_INCR_REF(inp);
3574 stcb = sctp_findassociation_ep_asconf(m, iphlen,
3575 *offset, sh, &inp, netp);
3578 * reduce inp's refcount if not reduced in
3579 * sctp_findassociation_ep_asconf().
3581 SCTP_INP_DECR_REF(inp);
3583 /* now go back and verify any auth chunk to be sure */
3584 if (auth_skipped && (stcb != NULL)) {
3585 struct sctp_auth_chunk *auth;
3587 auth = (struct sctp_auth_chunk *)
3588 sctp_m_getptr(m, auth_offset,
3589 auth_len, chunk_buf);
3592 if (sctp_handle_auth(stcb, auth, m,
3594 /* auth HMAC failed so dump it */
3598 /* remaining chunks are HMAC checked */
3599 stcb->asoc.authenticated = 1;
3604 /* no association, so it's out of the blue... */
3605 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL);
3608 SCTP_TCB_UNLOCK(locked_tcb);
3612 /* ABORT and SHUTDOWN can use either v_tag... */
3613 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
3614 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
3615 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
3616 if ((vtag_in == asoc->my_vtag) ||
3617 ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
3618 (vtag_in == asoc->peer_vtag))) {
3621 /* drop this packet... */
3622 SCTP_STAT_INCR(sctps_badvtag);
3624 SCTP_TCB_UNLOCK(locked_tcb);
3627 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
3628 if (vtag_in != asoc->my_vtag) {
3630 * this could be a stale SHUTDOWN-ACK or the
3631 * peer never got the SHUTDOWN-COMPLETE and
3632 * is still hung; we have started a new asoc
3633 * but it won't complete until the shutdown
3637 SCTP_TCB_UNLOCK(locked_tcb);
3638 sctp_handle_ootb(m, iphlen, *offset, sh, inp,
3643 /* for all other chunks, vtag must match */
3644 if (vtag_in != asoc->my_vtag) {
3645 /* invalid vtag... */
3647 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3648 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag);
3650 #endif /* SCTP_DEBUG */
3651 SCTP_STAT_INCR(sctps_badvtag);
3653 SCTP_TCB_UNLOCK(locked_tcb);
3658 } /* end if !SCTP_COOKIE_ECHO */
3660 * process all control chunks...
3662 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
3663 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
3664 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
3665 /* implied cookie-ack.. we must have lost the ack */
3666 stcb->asoc.overall_error_count = 0;
3667 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
3670 process_control_chunks:
3672 while (IS_SCTP_CONTROL(ch)) {
3673 /* validate chunk length */
3674 chk_length = ntohs(ch->chunk_length);
3676 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
3677 printf("sctp_process_control: processing a chunk type=%u, len=%u\n",
3678 ch->chunk_type, chk_length);
3680 #endif /* SCTP_DEBUG */
3681 if ((size_t)chk_length < sizeof(*ch) ||
3682 (*offset + chk_length) > length) {
3685 SCTP_TCB_UNLOCK(locked_tcb);
3688 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
3690 * INIT-ACK only gets the init ack "header" portion only
3691 * because we don't have to process the peer's COOKIE. All
3692 * others get a complete chunk.
3694 if (ch->chunk_type == SCTP_INITIATION_ACK) {
3695 /* get an init-ack chunk */
3696 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3697 sizeof(struct sctp_init_ack_chunk), chunk_buf);
3701 SCTP_TCB_UNLOCK(locked_tcb);
3705 /* get a complete chunk... */
3706 if ((size_t)chk_length > sizeof(chunk_buf)) {
3708 struct sctp_paramhdr *phdr;
3711 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
3712 0, M_DONTWAIT, 1, MT_DATA);
3714 /* pre-reserve some space */
3715 SCTP_BUF_RESV_UF(oper, sizeof(struct sctp_chunkhdr));
3716 SCTP_BUF_LEN(oper) = sizeof(struct sctp_paramhdr);
3717 phdr = mtod(oper, struct sctp_paramhdr *);
3718 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC);
3719 phdr->param_length = htons(sizeof(struct sctp_paramhdr));
3720 sctp_queue_op_err(stcb, oper);
3723 SCTP_TCB_UNLOCK(locked_tcb);
3726 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3727 chk_length, chunk_buf);
3729 printf("sctp_process_control: Can't get the all data....\n");
3732 SCTP_TCB_UNLOCK(locked_tcb);
3737 /* Save off the last place we got a control from */
3739 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) {
3741 * allow last_control to be NULL if
3742 * ASCONF... ASCONF processing will find the
3745 stcb->asoc.last_control_chunk_from = *netp;
3748 #ifdef SCTP_AUDITING_ENABLED
3749 sctp_audit_log(0xB0, ch->chunk_type);
3752 /* check to see if this chunk required auth, but isn't */
3753 if ((stcb != NULL) && !sctp_auth_disable &&
3754 sctp_auth_is_required_chunk(ch->chunk_type,
3755 stcb->asoc.local_auth_chunks) &&
3756 !stcb->asoc.authenticated) {
3757 /* "silently" ignore */
3758 SCTP_STAT_INCR(sctps_recvauthmissing);
3761 switch (ch->chunk_type) {
3762 case SCTP_INITIATION:
3763 /* must be first and only chunk */
3765 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3766 printf("SCTP_INIT\n");
3768 #endif /* SCTP_DEBUG */
3769 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3770 /* We are not interested anymore? */
3771 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
3773 * collision case where we are
3774 * sending to them too
3779 SCTP_TCB_UNLOCK(locked_tcb);
3784 if ((num_chunks > 1) ||
3785 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3788 SCTP_TCB_UNLOCK(locked_tcb);
3791 if ((stcb != NULL) &&
3792 (SCTP_GET_STATE(&stcb->asoc) ==
3793 SCTP_STATE_SHUTDOWN_ACK_SENT)) {
3794 sctp_send_shutdown_ack(stcb,
3795 stcb->asoc.primary_destination);
3797 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC);
3799 SCTP_TCB_UNLOCK(locked_tcb);
3802 sctp_handle_init(m, iphlen, *offset, sh,
3803 (struct sctp_init_chunk *)ch, inp, stcb, *netp);
3806 SCTP_TCB_UNLOCK(locked_tcb);
3809 case SCTP_INITIATION_ACK:
3810 /* must be first and only chunk */
3812 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3813 printf("SCTP_INIT-ACK\n");
3815 #endif /* SCTP_DEBUG */
3816 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3817 /* We are not interested anymore */
3818 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
3822 SCTP_TCB_UNLOCK(locked_tcb);
3825 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
3830 if ((num_chunks > 1) ||
3831 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3834 SCTP_TCB_UNLOCK(locked_tcb);
3837 ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
3838 (struct sctp_init_ack_chunk *)ch, stcb, *netp);
3840 * Special case, I must call the output routine to
3841 * get the cookie echoed
3843 if ((stcb) && ret == 0)
3844 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC);
3847 SCTP_TCB_UNLOCK(locked_tcb);
3850 case SCTP_SELECTIVE_ACK:
3852 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3853 printf("SCTP_SACK\n");
3855 #endif /* SCTP_DEBUG */
3856 SCTP_STAT_INCR(sctps_recvsacks);
3858 struct sctp_sack_chunk *sack;
3860 uint32_t a_rwnd, cum_ack;
3864 sack = (struct sctp_sack_chunk *)ch;
3866 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
3867 cum_ack = ntohl(sack->sack.cum_tsn_ack);
3868 num_seg = ntohs(sack->sack.num_gap_ack_blks);
3869 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd);
3870 stcb->asoc.seen_a_sack_this_pkt = 1;
3871 if ((stcb->asoc.pr_sctp_cnt == 0) &&
3873 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
3874 (cum_ack == stcb->asoc.last_acked_seq)) &&
3875 (stcb->asoc.saw_sack_with_frags == 0) &&
3876 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
3879 * We have a SIMPLE sack having no
3880 * prior segments and data on sent
3881 * queue to be acked.. Use the
3882 * faster path sack processing. We
3883 * also allow window update sacks
3884 * with no missing segments to go
3887 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now);
3889 sctp_handle_sack(sack, stcb, *netp, &abort_now);
3892 /* ABORT signal from sack processing */
3898 case SCTP_HEARTBEAT_REQUEST:
3900 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3901 printf("SCTP_HEARTBEAT\n");
3903 #endif /* SCTP_DEBUG */
3904 SCTP_STAT_INCR(sctps_recvheartbeat);
3905 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length,
3908 /* He's alive so give him credit */
3909 stcb->asoc.overall_error_count = 0;
3911 case SCTP_HEARTBEAT_ACK:
3913 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3914 printf("SCTP_HEARTBEAT-ACK\n");
3916 #endif /* SCTP_DEBUG */
3918 /* He's alive so give him credit */
3919 stcb->asoc.overall_error_count = 0;
3920 SCTP_STAT_INCR(sctps_recvheartbeatack);
3921 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
3924 case SCTP_ABORT_ASSOCIATION:
3926 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3927 printf("SCTP_ABORT\n");
3929 #endif /* SCTP_DEBUG */
3930 sctp_handle_abort((struct sctp_abort_chunk *)ch,
3937 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3938 printf("SCTP_SHUTDOWN\n");
3940 #endif /* SCTP_DEBUG */
3944 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
3945 stcb, *netp, &abort_flag);
3952 case SCTP_SHUTDOWN_ACK:
3954 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3955 printf("SCTP_SHUTDOWN-ACK\n");
3957 #endif /* SCTP_DEBUG */
3958 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
3962 case SCTP_OPERATION_ERROR:
3964 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3965 printf("SCTP_OP-ERR\n");
3967 #endif /* SCTP_DEBUG */
3968 if (sctp_handle_error(ch, stcb, *netp) < 0) {
3973 case SCTP_COOKIE_ECHO:
3975 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3976 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb);
3978 #endif /* SCTP_DEBUG */
3979 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
3982 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) &&
3984 /* We are not interested anymore */
3990 * First are we accepting? We do this again here
3991 * since it is possible that a previous endpoint WAS
3992 * listening responded to a INIT-ACK and then
3993 * closed. We opened and bound.. and are now no
3996 if (inp->sctp_socket->so_qlimit == 0) {
3997 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
3999 * special case, is this a retran'd
4000 * COOKIE-ECHO or a restarting assoc
4001 * that is a peeled off or
4002 * one-to-one style socket.
4004 goto process_cookie_anyway;
4006 sctp_abort_association(inp, stcb, m, iphlen, sh,
4010 } else if (inp->sctp_socket->so_qlimit) {
4011 /* we are accepting so check limits like TCP */
4012 if (inp->sctp_socket->so_qlen >
4013 inp->sctp_socket->so_qlimit) {
4016 struct sctp_paramhdr *phdr;
4018 if (sctp_abort_if_one_2_one_hits_limit) {
4020 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
4021 0, M_DONTWAIT, 1, MT_DATA);
4023 SCTP_BUF_LEN(oper) =
4024 sizeof(struct sctp_paramhdr);
4026 struct sctp_paramhdr *);
4028 htons(SCTP_CAUSE_OUT_OF_RESC);
4029 phdr->param_length =
4030 htons(sizeof(struct sctp_paramhdr));
4032 sctp_abort_association(inp, stcb, m,
4039 process_cookie_anyway:
4041 struct mbuf *ret_buf;
4042 struct sctp_inpcb *linp;
4050 SCTP_ASOC_CREATE_LOCK(linp);
4052 sctp_handle_cookie_echo(m, iphlen,
4054 (struct sctp_cookie_echo_chunk *)ch,
4061 SCTP_ASOC_CREATE_UNLOCK(linp);
4062 if (ret_buf == NULL) {
4064 SCTP_TCB_UNLOCK(locked_tcb);
4067 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4068 printf("GAK, null buffer\n");
4070 #endif /* SCTP_DEBUG */
4075 /* if AUTH skipped, see if it verified... */
4080 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
4082 * Restart the timer if we have
4085 struct sctp_tmit_chunk *chk;
4087 chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
4089 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4090 stcb->sctp_ep, stcb,
4096 case SCTP_COOKIE_ACK:
4098 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4099 printf("SCTP_COOKIE-ACK\n");
4101 #endif /* SCTP_DEBUG */
4103 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4104 /* We are not interested anymore */
4105 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4108 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
4113 /* He's alive so give him credit */
4114 stcb->asoc.overall_error_count = 0;
4115 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
4119 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4120 printf("SCTP_ECN-ECHO\n");
4122 #endif /* SCTP_DEBUG */
4123 /* He's alive so give him credit */
4124 stcb->asoc.overall_error_count = 0;
4125 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
4130 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4131 printf("SCTP_ECN-CWR\n");
4133 #endif /* SCTP_DEBUG */
4134 /* He's alive so give him credit */
4135 stcb->asoc.overall_error_count = 0;
4137 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
4139 case SCTP_SHUTDOWN_COMPLETE:
4141 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4142 printf("SCTP_SHUTDOWN-COMPLETE\n");
4144 #endif /* SCTP_DEBUG */
4145 /* must be first and only chunk */
4146 if ((num_chunks > 1) ||
4147 (length - *offset > SCTP_SIZE32(chk_length))) {
4150 SCTP_TCB_UNLOCK(locked_tcb);
4154 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
4161 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4162 printf("SCTP_ASCONF\n");
4164 #endif /* SCTP_DEBUG */
4165 /* He's alive so give him credit */
4166 stcb->asoc.overall_error_count = 0;
4168 sctp_handle_asconf(m, *offset,
4169 (struct sctp_asconf_chunk *)ch, stcb);
4171 case SCTP_ASCONF_ACK:
4173 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4174 printf("SCTP_ASCONF-ACK\n");
4176 #endif /* SCTP_DEBUG */
4177 /* He's alive so give him credit */
4178 stcb->asoc.overall_error_count = 0;
4180 sctp_handle_asconf_ack(m, *offset,
4181 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp);
4183 case SCTP_FORWARD_CUM_TSN:
4185 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4186 printf("SCTP_FWD-TSN\n");
4188 #endif /* SCTP_DEBUG */
4189 /* He's alive so give him credit */
4193 stcb->asoc.overall_error_count = 0;
4195 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4196 /* We are not interested anymore */
4197 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28);
4201 sctp_handle_forward_tsn(stcb,
4202 (struct sctp_forward_tsn_chunk *)ch, &abort_flag);
4207 stcb->asoc.overall_error_count = 0;
4212 case SCTP_STREAM_RESET:
4214 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4215 printf("SCTP_STREAM_RESET\n");
4217 #endif /* SCTP_DEBUG */
4218 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4219 chk_length, chunk_buf);
4220 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4221 /* We are not interested anymore */
4222 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
4226 if (stcb->asoc.peer_supports_strreset == 0) {
4228 * hmm, peer should have announced this, but
4229 * we will turn it on since he is sending us
4232 stcb->asoc.peer_supports_strreset = 1;
4234 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) {
4235 /* stop processing */
4240 case SCTP_PACKET_DROPPED:
4242 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4243 printf("SCTP_PACKET_DROPPED\n");
4245 #endif /* SCTP_DEBUG */
4246 /* re-get it all please */
4247 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4248 chk_length, chunk_buf);
4250 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
4255 case SCTP_AUTHENTICATION:
4257 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4258 printf("SCTP_AUTHENTICATION\n");
4260 #endif /* SCTP_DEBUG */
4261 if (sctp_auth_disable)
4265 /* save the first AUTH for later processing */
4266 if (auth_skipped == 0) {
4267 auth_offset = *offset;
4268 auth_len = chk_length;
4271 /* skip this chunk (temporarily) */
4274 if (got_auth == 1) {
4275 /* skip this chunk... it's already auth'd */
4278 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4279 chk_length, chunk_buf);
4281 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch,
4283 /* auth HMAC failed so dump the packet */
4287 /* remaining chunks are HMAC checked */
4288 stcb->asoc.authenticated = 1;
4294 /* it's an unknown chunk! */
4295 if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
4297 struct sctp_paramhdr *phd;
4299 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
4300 0, M_DONTWAIT, 1, MT_DATA);
4302 phd = mtod(mm, struct sctp_paramhdr *);
4304 * We cheat and use param type since
4305 * we did not bother to define a
4306 * error cause struct. They are the
4307 * same basic format with different
4310 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK);
4311 phd->param_length = htons(chk_length + sizeof(*phd));
4312 SCTP_BUF_LEN(mm) = sizeof(*phd);
4313 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length),
4315 if (SCTP_BUF_NEXT(mm)) {
4316 sctp_queue_op_err(stcb, mm);
4322 if ((ch->chunk_type & 0x80) == 0) {
4323 /* discard this packet */
4326 } /* else skip this bad chunk and continue... */
4328 } /* switch (ch->chunk_type) */
4332 /* get the next chunk */
4333 *offset += SCTP_SIZE32(chk_length);
4334 if (*offset >= length) {
4335 /* no more data left in the mbuf chain */
4338 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4339 sizeof(struct sctp_chunkhdr), chunk_buf);
4342 SCTP_TCB_UNLOCK(locked_tcb);
4352 * Process the ECN bits we have something set so we must look to see if it is
4353 * ECN(0) or ECN(1) or CE
4355 static __inline void
4356 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
4359 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
4361 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) {
4363 * we only add to the nonce sum for ECT1, ECT0 does not
4364 * change the NS bit (that we have yet to find a way to send
4368 /* ECN Nonce stuff */
4369 stcb->asoc.receiver_nonce_sum++;
4370 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
4373 * Drag up the last_echo point if cumack is larger since we
4374 * don't want the point falling way behind by more than
4375 * 2^^31 and then having it be incorrect.
4377 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
4378 stcb->asoc.last_echo_tsn, MAX_TSN)) {
4379 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
4381 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) {
4383 * Drag up the last_echo point if cumack is larger since we
4384 * don't want the point falling way behind by more than
4385 * 2^^31 and then having it be incorrect.
4387 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
4388 stcb->asoc.last_echo_tsn, MAX_TSN)) {
4389 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
4394 static __inline void
4395 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
4396 uint32_t high_tsn, uint8_t ecn_bits)
4398 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
4400 * we possibly must notify the sender that a congestion
4401 * window reduction is in order. We do this by adding a ECNE
4402 * chunk to the output chunk queue. The incoming CWR will
4403 * remove this chunk.
4405 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn,
4407 /* Yep, we need to add a ECNE */
4408 sctp_send_ecn_echo(stcb, net, high_tsn);
4409 stcb->asoc.last_echo_tsn = high_tsn;
4415 * common input chunk processing (v4 and v6)
4418 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
4419 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
4420 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
4424 * Control chunk processing
4427 int fwd_tsn_seen = 0, data_processed = 0;
4428 struct mbuf *m = *mm;
4432 SCTP_STAT_INCR(sctps_recvdatagrams);
4433 #ifdef SCTP_AUDITING_ENABLED
4434 sctp_audit_log(0xE0, 1);
4435 sctp_auditing(0, inp, stcb, net);
4439 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4440 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n",
4443 #endif /* SCTP_DEBUG */
4446 /* always clear this before beginning a packet */
4447 stcb->asoc.authenticated = 0;
4448 stcb->asoc.seen_a_sack_this_pkt = 0;
4450 if (IS_SCTP_CONTROL(ch)) {
4451 /* process the control portion of the SCTP packet */
4452 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
4453 inp, stcb, &net, &fwd_tsn_seen);
4456 * This covers us if the cookie-echo was there and
4457 * it changes our INP.
4459 inp = stcb->sctp_ep;
4463 * no control chunks, so pre-process DATA chunks (these
4464 * checks are taken care of by control processing)
4468 * if DATA only packet, and auth is required, then punt...
4469 * can't have authenticated without any AUTH (control)
4472 if ((stcb != NULL) && !sctp_auth_disable &&
4473 sctp_auth_is_required_chunk(SCTP_DATA,
4474 stcb->asoc.local_auth_chunks)) {
4475 /* "silently" ignore */
4476 SCTP_STAT_INCR(sctps_recvauthmissing);
4477 SCTP_TCB_UNLOCK(stcb);
4481 /* out of the blue DATA chunk */
4482 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
4485 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
4486 /* v_tag mismatch! */
4487 SCTP_STAT_INCR(sctps_badvtag);
4488 SCTP_TCB_UNLOCK(stcb);
4495 * no valid TCB for this packet, or we found it's a bad
4496 * packet while processing control, or we're done with this
4497 * packet (done or skip rest of data), so we drop it...
4502 * DATA chunk processing
4504 /* plow through the data chunks while length > offset */
4507 * Rest should be DATA only. Check authentication state if AUTH for
4510 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable &&
4511 sctp_auth_is_required_chunk(SCTP_DATA,
4512 stcb->asoc.local_auth_chunks) &&
4513 !stcb->asoc.authenticated) {
4514 /* "silently" ignore */
4515 SCTP_STAT_INCR(sctps_recvauthmissing);
4517 if (sctp_debug_on & SCTP_DEBUG_AUTH1)
4518 printf("Data chunk requires AUTH, skipped\n");
4522 if (length > offset) {
4526 * First check to make sure our state is correct. We would
4527 * not get here unless we really did have a tag, so we don't
4528 * abort if this happens, just dump the chunk silently.
4530 switch (SCTP_GET_STATE(&stcb->asoc)) {
4531 case SCTP_STATE_COOKIE_ECHOED:
4533 * we consider data with valid tags in this state
4534 * shows us the cookie-ack was lost. Imply it was
4537 stcb->asoc.overall_error_count = 0;
4538 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
4540 case SCTP_STATE_COOKIE_WAIT:
4542 * We consider OOTB any data sent during asoc setup.
4544 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
4545 SCTP_TCB_UNLOCK(stcb);
4548 case SCTP_STATE_EMPTY: /* should not happen */
4549 case SCTP_STATE_INUSE: /* should not happen */
4550 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
4551 case SCTP_STATE_SHUTDOWN_ACK_SENT:
4553 SCTP_TCB_UNLOCK(stcb);
4556 case SCTP_STATE_OPEN:
4557 case SCTP_STATE_SHUTDOWN_SENT:
4560 /* take care of ECN, part 1. */
4561 if (stcb->asoc.ecn_allowed &&
4562 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
4563 sctp_process_ecn_marked_a(stcb, net, ecn_bits);
4565 /* plow through the data chunks while length > offset */
4566 retval = sctp_process_data(mm, iphlen, &offset, length, sh,
4567 inp, stcb, net, &high_tsn);
4570 * The association aborted, NO UNLOCK needed since
4571 * the association is destroyed.
4577 /* take care of ecn part 2. */
4578 if (stcb->asoc.ecn_allowed &&
4579 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
4580 sctp_process_ecn_marked_b(stcb, net, high_tsn,
4585 * Anything important needs to have been m_copy'ed in
4589 if ((data_processed == 0) && (fwd_tsn_seen)) {
4592 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
4593 stcb->asoc.cumulative_tsn, MAX_TSN)) {
4594 /* there was a gap before this data was processed */
4597 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
4599 /* Again, we aborted so NO UNLOCK needed */
4603 /* trigger send of any chunks in queue... */
4605 #ifdef SCTP_AUDITING_ENABLED
4606 sctp_audit_log(0xE0, 2);
4607 sctp_auditing(1, inp, stcb, net);
4610 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4611 printf("Check for chunk output prw:%d tqe:%d tf=%d\n",
4612 stcb->asoc.peers_rwnd,
4613 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
4614 stcb->asoc.total_flight);
4617 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
4619 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
4621 (stcb->asoc.peers_rwnd > 0 ||
4622 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) {
4624 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4625 printf("Calling chunk OUTPUT\n");
4628 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC);
4630 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4631 printf("chunk OUTPUT returns\n");
4635 #ifdef SCTP_AUDITING_ENABLED
4636 sctp_audit_log(0xE0, 3);
4637 sctp_auditing(2, inp, stcb, net);
4639 SCTP_TCB_UNLOCK(stcb);
4643 extern int sctp_no_csum_on_loopback;
4646 int sctp_buf_index = 0;
4647 uint8_t sctp_list_of_chunks[30000];
4651 sctp_input(i_pak, off)
4656 #ifdef SCTP_MBUF_LOGGING
4665 struct sctp_inpcb *inp = NULL;
4667 uint32_t check, calc_check;
4668 struct sctp_nets *net;
4669 struct sctp_tcb *stcb = NULL;
4670 struct sctp_chunkhdr *ch;
4671 int refcount_up = 0;
4672 int length, mlen, offset;
4676 m = SCTP_HEADER_TO_CHAIN(i_pak);
4678 SCTP_STAT_INCR(sctps_recvpackets);
4679 SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
4682 * Strip IP options, we don't allow any in or out.
4684 #ifdef SCTP_MBUF_LOGGING
4685 /* Log in any input mbufs */
4688 if (SCTP_BUF_IS_EXTENDED(mat)) {
4689 sctp_log_mb(mat, SCTP_MBUF_INPUT);
4691 mat = SCTP_BUF_NEXT(mat);
4694 if ((size_t)iphlen > sizeof(struct ip)) {
4695 ip_stripoptions(m, (struct mbuf *)0);
4696 iphlen = sizeof(struct ip);
4699 * Get IP, SCTP, and first chunk header together in first mbuf.
4701 ip = mtod(m, struct ip *);
4702 offset = iphlen + sizeof(*sh) + sizeof(*ch);
4703 if (SCTP_BUF_LEN(m) < offset) {
4704 if ((m = m_pullup(m, offset)) == 0) {
4705 SCTP_STAT_INCR(sctps_hdrops);
4708 ip = mtod(m, struct ip *);
4710 sh = (struct sctphdr *)((caddr_t)ip + iphlen);
4711 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh));
4713 /* SCTP does not allow broadcasts or multicasts */
4714 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
4717 if (((ch->chunk_type == SCTP_INITIATION) ||
4718 (ch->chunk_type == SCTP_INITIATION_ACK) ||
4719 (ch->chunk_type == SCTP_COOKIE_ECHO)) &&
4720 (SCTP_IS_IT_BROADCAST(ip->ip_dst, i_pak))) {
4722 * We only look at broadcast if its a front state, All
4723 * others we will not have a tcb for anyway.
4727 /* destination port of 0 is illegal, based on RFC2960. */
4728 if (sh->dest_port == 0) {
4729 SCTP_STAT_INCR(sctps_hdrops);
4732 /* validate SCTP checksum */
4733 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(i_pak)) {
4735 * we do NOT validate things from the loopback if the sysctl
4738 check = sh->checksum; /* save incoming checksum */
4739 if ((check == 0) && (sctp_no_csum_on_loopback)) {
4741 * special hook for where we got a local address
4742 * somehow routed across a non IFT_LOOP type
4745 if (ip->ip_src.s_addr == ip->ip_dst.s_addr)
4746 goto sctp_skip_csum_4;
4748 sh->checksum = 0; /* prepare for calc */
4749 calc_check = sctp_calculate_sum(m, &mlen, iphlen);
4750 if (calc_check != check) {
4752 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4753 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
4754 calc_check, check, m, mlen, iphlen);
4758 stcb = sctp_findassociation_addr(m, iphlen,
4759 offset - sizeof(*ch),
4760 sh, ch, &inp, &net);
4761 if ((inp) && (stcb)) {
4762 sctp_send_packet_dropped(stcb, net, m, iphlen, 1);
4763 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR);
4764 } else if ((inp != NULL) && (stcb == NULL)) {
4767 SCTP_STAT_INCR(sctps_badsum);
4768 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
4771 sh->checksum = calc_check;
4774 mlen = SCTP_HEADER_LEN(i_pak);
4776 /* validate mbuf chain length with IP payload length */
4777 if (mlen < (ip->ip_len - iphlen)) {
4778 SCTP_STAT_INCR(sctps_hdrops);
4781 /* TEMP log the first chunk */
4784 x = atomic_fetchadd_int(&sctp_buf_index, 1);
4789 sctp_list_of_chunks[x] = ch->chunk_type;
4792 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants
4793 * IP/SCTP/first chunk header...
4795 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
4796 sh, ch, &inp, &net);
4797 /* inp's ref-count increased && stcb locked */
4799 struct sctp_init_chunk *init_chk, chunk_buf;
4801 SCTP_STAT_INCR(sctps_noport);
4804 * we use the bandwidth limiting to protect against sending
4805 * too many ABORTS all at once. In this case these count the
4806 * same as an ICMP message.
4808 if (badport_bandlim(0) < 0)
4810 #endif /* ICMP_BANDLIM */
4812 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4813 printf("Sending a ABORT from packet entry!\n");
4816 if (ch->chunk_type == SCTP_INITIATION) {
4818 * we do a trick here to get the INIT tag, dig in
4819 * and get the tag from the INIT and put it in the
4822 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
4823 iphlen + sizeof(*sh), sizeof(*init_chk),
4824 (uint8_t *) & chunk_buf);
4825 if (init_chk != NULL)
4826 sh->v_tag = init_chk->init.initiate_tag;
4828 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
4829 sctp_send_shutdown_complete2(m, iphlen, sh);
4832 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
4835 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION)
4836 sctp_send_abort(m, iphlen, sh, 0, NULL);
4838 } else if (stcb == NULL) {
4843 * I very much doubt any of the IPSEC stuff will work but I have no
4844 * idea, so I will leave it in place.
4847 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) {
4848 ipsecstat.in_polvio++;
4849 SCTP_STAT_INCR(sctps_hdrops);
4857 * common chunk processing
4859 length = ip->ip_len + iphlen;
4860 offset -= sizeof(struct sctp_chunkhdr);
4862 ecn_bits = ip->ip_tos;
4864 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
4865 inp, stcb, net, ecn_bits);
4866 /* inp's ref-count reduced && stcb unlocked */
4870 if ((inp) && (refcount_up)) {
4871 /* reduce ref-count */
4872 SCTP_INP_WLOCK(inp);
4873 SCTP_INP_DECR_REF(inp);
4874 SCTP_INP_WUNLOCK(inp);
4879 SCTP_TCB_UNLOCK(stcb);
4881 if ((inp) && (refcount_up)) {
4882 /* reduce ref-count */
4883 SCTP_INP_WLOCK(inp);
4884 SCTP_INP_DECR_REF(inp);
4885 SCTP_INP_WUNLOCK(inp);